Principles and Practice of X-raying
Frédéric Perriot, Peter Ferrie
Symantec Security Response

What is x-raying?
• A detection method based on breaking the encryption of the virus
• Works for weak encryption methods
• Recent real-world examples among win32 viruses
• Applicable to worms as well
• Similar to a ‘known plaintext attack’
Example of a ‘known plaintext attack’
• Message encrypted with unknown Caesar cipher: Sebz: Crgre Fhowrpg: Uryyb IOZZVI
• Known plaintext: From: Peter
• Corresponding ciphertext: Sebz: Crgre
• ? KEY is rot13!
• Decrypted message: From: Peter Subject: Hello VB2004
Differences between x-raying and ‘known plaintext attacks’
• X-raying has lower complexity
  • Simpler ciphers
  • Simpler breaking
• More constraints for AV than cryptanalysis
  • Time constraints
  • Space (memory usage) constraints
• Some specific x-raying techniques
  • Sliding: consider several ciphertexts
  • Hybrid approaches (using decryptor parsing)
  • Encryption algorithm not fixed (XOR or ADD or ROL…)
Analogous to hidden patterns in pictures
• Inverted colors
• Stereograms
• Images d’Épinal
Typical encryption methods
• Fixed op and fixed key
• A few ops among a set and fixed keys
• Multiple layers
• Running keys
• No key (RDA)
• Strong crypto (IDEA virus)
  • No x-ray, but the crypto itself may be detectable!
A more complex encryption: stereograms
[Stereogram image; on-slide text: “cheep, cheep”]
Equivalent to X-raying for stereograms
• The encryption method is a special projection of a 3D object onto a 2D image
• The decryption key is the divergence angle between the direction of the eyes of the observer
• Infinite number of keys (!)
• Seeing a stereogram is hard the first time
Sliding x-ray
• Multiple potential ciphertexts distinguishes x-raying from a regular known plaintext attack
• Virus hidden somewhere in the host program
• Exact position might not be known because the decryptor is inaccessible (too much I/O)
• Often need to x-ray more than one spot
• Determine an x-ray region based on geometry of the virus infection method
Practice your sliding x-ray on this Image d’Épinal
[Image d’Épinal with the verse:]
Arriving at the enchanted forest,
Feared retreat of two dark giants,
A valiant knight provokes them in combat:
But the hidden giants do not answer him
Approaches to X-raying (theory)
• Key recovery
  • Attempts to recover the encryption key
  • May be necessary for host repair
  (slide illustration: 42 = 6 * ?)
• Key validation
  • Attempts to prove that a valid (sub)key exists
  (slide illustration: is 7394502 prime?)
• Invariant scanning
  • Reduces the ciphertext to patterns independent from the encryption key
  (slide illustration: which is divisible by 3: 29369, 117, 3514?)
Approaches to X-raying (real-world uses)
• Key recovery
  • W32/Magistr
  • W32/Perenast (aka W32/Stepar)
• Key validation
  • W32/Bagif (useful for variants detection)
• Invariant scanning
  • W32/Efish
  • W32/Perenast
Anatomy of a sample x-ray
• Substitution cipher
• Used by W32/Efish
• Simple and homophonic
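Added worked example (not code from the paper, from Symantec, or from any of the viruses named): a sliding x-ray over a constructed host buffer that exercises the three approaches of the theory slide (key recovery, key validation, invariant scanning) against a fixed single-byte XOR or ADD key, with the op not fixed in advance. KNOWN, HOST, the offset 37 and the key 0x5A are all constructed values; real x-ray regions come from the infection geometry and real bodies would be x-rayed at several spots.

```python
# Added example (not from the paper): sliding x-ray for a fixed single-byte
# XOR or ADD key, plus the three approaches from the "theory" slide.
KNOWN = b"I am a bad virus, boo"  # constructed: the fixed part of the body

# Decrypt one byte under each candidate operation (the op itself is not fixed).
DECRYPT = {
    "xor": lambda c, k: c ^ k,
    "add": lambda c, k: (c - k) & 0xFF,
}

def key_recovery(cipher: bytes, plain: bytes, op: str):
    """Derive the key from the first byte pair, then confirm it on all the others."""
    if not plain or len(cipher) != len(plain):
        return None
    key = (cipher[0] ^ plain[0]) if op == "xor" else (cipher[0] - plain[0]) & 0xFF
    dec = DECRYPT[op]
    return key if all(dec(c, key) == p for c, p in zip(cipher, plain)) else None

def key_validation(cipher: bytes, plain: bytes) -> bool:
    """Only asks whether some (op, key) pair explains the window; the key is discarded."""
    return any(key_recovery(cipher, plain, op) is not None for op in DECRYPT)

def invariant_xor(cipher: bytes, plain: bytes) -> bool:
    """Key-independent test for single-byte XOR: the key cancels in c[i]^c[i+1],
    so adjacent-byte differences must match those of the plaintext."""
    if len(cipher) != len(plain) or len(plain) < 2:
        return False
    return all((cipher[i] ^ cipher[i + 1]) == (plain[i] ^ plain[i + 1])
               for i in range(len(plain) - 1))

def sliding_xray(buf: bytes, plain: bytes, region: range):
    """Try every offset of the x-ray region (chosen from the infection geometry)
    with every candidate op; return (offset, op, key) for each consistent window."""
    hits = []
    for off in region:
        window = buf[off:off + len(plain)]
        if len(window) < len(plain):
            break  # region runs past the end of the buffer
        for op in DECRYPT:
            key = key_recovery(window, plain, op)
            if key is not None:
                hits.append((off, op, key))
    return hits

def encrypt(plain: bytes, op: str, key: int) -> bytes:
    """Constructed sample builder, used only to fabricate the host buffer below."""
    return bytes((p ^ key) if op == "xor" else (p + key) & 0xFF for p in plain)

# Constructed host: padding, the ADD-encrypted body at offset 37, more padding.
HOST = b"\x00" * 37 + encrypt(KNOWN, "add", 0x5A) + b"\xff" * 20
```

Key validation costs the same as key recovery here but keeps nothing, while the invariant test never touches a key at all, which is what makes it cheap enough to run at every offset.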
What about variable plaintext?
• So far we assumed plaintext was fixed
• Wildcards are possible (see Bagif)
• What if the majority of the plaintext varies?
[Slide examples, three groups of plaintexts:]
I am a bad virus, boo / I, virus am a bad boo / Bad am I a boo, virus
I am a bad virus, boo / I am a mad virus, boo / I am a sad virus, boo
I am a bad virus, boo / I am a bad virus, boo / I am a bad virus, boo
What would metamorphism look like?
[Image: Anamorphosis (‘catoptric’)]
Anamorphosis without a complex optical system (‘oblique’)
[Image: “The Ambassadors”, Hans Holbein the Younger, 1533]
What to do about metamorphism?
• X-raying a metamorphic virus is a little like looking at a stereogram of an anamorphosis
  • You need to close one eye
  • You need to diverge your eyes
  • It’s hard to do both at the same time!
• Open question to the audience
Gunax lbh!
Frédéric Perriot, fperriot@symantec.com
Peter Ferrie, pferrie@symantec.com