2004 Symantec Corporation, All Rights Reserved
Principles and Practice of X-raying
Frédéric Perriot
Peter Ferrie
Symantec Security Response
What is x-raying?
A detection method based on breaking the encryption of the virus
Works for weak encryption methods
– Recent real-world examples among win32 viruses
– Applicable to worms as well
Similar to a ‘known plaintext attack’
Example of a ‘known plaintext attack’
Message encrypted with unknown Caesar cipher:
Sebz: Crgre
Fhowrpg: Uryyb IOZZVI
Known plaintext: From: Peter
Corresponding ciphertext: Sebz: Crgre
KEY is rot13!
Decrypted message:
From: Peter
Subject: Hello VB2004
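The known-plaintext attack from this slide, written out as an added Python example (not part of the original deck): recover the shift from the header we know, check that a single shift explains every letter, then decrypt the rest of the message. The slide's own messages are the sample input; the ciphertext "IOZZVI" decrypts to "VBMMIV", which is VB 2004 with the year in Roman numerals.

```python
# Added example (not from the slides): a known-plaintext attack on a Caesar
# cipher, the analogy the slide uses for x-raying. The slide's messages are
# the sample data; "IOZZVI" decrypts to "VBMMIV" (2004 in Roman numerals).
import string
from typing import Optional

ALPHA = string.ascii_lowercase


def caesar(text: str, k: int) -> str:
    """Rotate every Latin letter by k positions (mod 26); leave other characters alone."""
    out = []
    for ch in text:
        if ch.lower() in ALPHA:
            rotated = ALPHA[(ALPHA.index(ch.lower()) + k) % 26]
            out.append(rotated.upper() if ch.isupper() else rotated)
        else:
            out.append(ch)
    return "".join(out)


def recover_shift(known_plain: str, cipher: str) -> Optional[int]:
    """Key recovery: the one shift that explains every letter of the known
    plaintext/ciphertext pair, or None if no single shift does."""
    if len(known_plain) != len(cipher):
        return None
    key = None
    for p, c in zip(known_plain, cipher):
        if p.lower() not in ALPHA:
            if p != c:            # punctuation and spaces pass through unchanged
                return None
            continue
        if c.lower() not in ALPHA or p.isupper() != c.isupper():
            return None
        k = (ALPHA.index(c.lower()) - ALPHA.index(p.lower())) % 26
        if key is None:
            key = k
        elif k != key:            # two different shifts: not a single Caesar key
            return None
    return key


def xray_message(cipher_msg: str, known_plain: str) -> Optional[str]:
    """Recover the key from the part we know, then decrypt the whole message."""
    k = recover_shift(known_plain, cipher_msg[:len(known_plain)])
    return None if k is None else caesar(cipher_msg, -k)


# Sample data taken from the slide.
CIPHERTEXT = "Sebz: Crgre\nFhowrpg: Uryyb IOZZVI"
KNOWN_PLAINTEXT = "From: Peter"

if __name__ == "__main__":
    print(recover_shift(KNOWN_PLAINTEXT, CIPHERTEXT[:len(KNOWN_PLAINTEXT)]))
    print(xray_message(CIPHERTEXT, KNOWN_PLAINTEXT))
```

The consistency check in `recover_shift` is the part that matters for detection: a candidate key that explains the first letter but not the rest is rejected, which is exactly what keeps a real x-ray from firing on unrelated data.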
Differences between x-raying and ‘known plaintext attacks’
X-raying has lower complexity
– Simpler ciphers
– Simpler breaking
More constraints for AV than cryptanalysis
– Time constraints
– Space (memory usage) constraints
Some specific x-raying techniques
– Sliding: consider several ciphertexts
– Hybrid approaches (using decryptor parsing)
– Encryption algorithm not fixed (XOR or ADD or ROL…)
Analogous to hidden patterns in pictures
Inverted colors
Stereograms
Images d’Épinal
X-raying ‘xor 0xFF’
Typical encryption methods
Fixed op and fixed key
A few ops among a set and fixed keys
Multiple layers
Running keys
No key (RDA)
Strong crypto (IDEA virus)
– No x-ray but the crypto itself may be detectable!
A more complex encryption: stereograms
cheep,cheep
Equivalent to X-raying for stereograms
The encryption method is a special projection of a 3D object onto a 2D image
The decryption key is the divergence angle between the direction of the eyes of the observer
Infinite number of keys (!)
Seeing a stereogram is hard the first time
Sliding x-ray
Multiple potential ciphertexts distinguish x-raying from a regular known plaintext attack
Virus hidden somewhere in the host program
– Exact position might not be known because the decryptor is inaccessible (too much I/O)
Often need to x-ray more than one spot
– Determine an x-ray region based on the geometry of the virus infection method
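The sliding x-ray described above, as an added Python example (not the authors' code). It assumes the simplest case from the ‘Typical encryption methods’ list: one fixed operation (XOR, ADD or ROL) with one fixed single-byte key, which is the "encryption algorithm not fixed" situation from the earlier slide. At every offset of the region it recovers a key from the first known byte (key recovery) and then checks that this key explains all the other known bytes (key validation). The host buffer, the virus body, its offset and its keys are constructed sample data.

```python
# Added example (not the authors' code): sliding x-ray with key recovery and
# key validation, for one fixed operation (XOR, ADD or ROL) with a fixed
# single-byte key. Host, virus body, position and keys are constructed.
from typing import Callable, Dict, List, Optional, Tuple

# Decryption for each candidate encryption op: op(cipher_byte, key) -> plain_byte
DECRYPT: Dict[str, Callable[[int, int], int]] = {
    "xor": lambda c, k: c ^ k,
    "add": lambda c, k: (c - k) & 0xFF,                                   # undo ADD
    "rol": lambda c, k: ((c >> (k & 7)) | (c << (8 - (k & 7)))) & 0xFF,  # undo ROL
}


def recover_key(op: Callable[[int, int], int], c: int, p: int) -> Optional[int]:
    """Key recovery from a single ciphertext/plaintext byte pair. A one-byte
    key has only 256 candidates, so brute force keeps this op-agnostic."""
    for k in range(256):
        if op(c, k) == p:
            return k
    return None


def validate_key(op: Callable[[int, int], int], window: bytes, known: bytes, k: int) -> bool:
    """Key validation: the candidate key must explain every known byte."""
    return all(op(c, k) == p for c, p in zip(window, known))


def slide_xray(host: bytes, region: Tuple[int, int], known: bytes) -> List[Tuple[int, str, int]]:
    """Try every offset in region [start, end) and every candidate op.
    Returns every (offset, op, key) that decrypts the window to the known bytes."""
    start, end = region
    last = min(end, len(host) - len(known) + 1)
    hits = []
    for off in range(start, last):
        window = host[off:off + len(known)]
        for name, op in DECRYPT.items():
            k = recover_key(op, window[0], known[0])
            if k is not None and validate_key(op, window, known, k):
                hits.append((off, name, k))
    return hits


def decrypt_body(host: bytes, off: int, length: int, op_name: str, k: int) -> bytes:
    """Once a hit is validated, the same key decrypts the full body (host repair)."""
    op = DECRYPT[op_name]
    return bytes(op(c, k) for c in host[off:off + length])


# ---- constructed sample data ------------------------------------------
VIRUS_BODY = b"I am a bad virus, boo"       # the deck's own toy plaintext
KNOWN = VIRUS_BODY[:12]                     # the part we rely on for detection
FILLER = b"\x90" * 100                      # stands in for host code around the virus


def encrypt(body: bytes, op_name: str, k: int) -> bytes:
    """Encrypt as the virus would (inverse of DECRYPT[op_name])."""
    if op_name == "xor":
        return bytes(b ^ k for b in body)
    if op_name == "add":
        return bytes((b + k) & 0xFF for b in body)
    return bytes(((b << (k & 7)) | (b >> (8 - (k & 7)))) & 0xFF for b in body)


HOST_XOR = FILLER + encrypt(VIRUS_BODY, "xor", 0x5A) + FILLER
HOST_ADD = FILLER + encrypt(VIRUS_BODY, "add", 0x33) + FILLER

if __name__ == "__main__":
    for host in (HOST_XOR, HOST_ADD):
        for off, name, k in slide_xray(host, (0, len(host)), KNOWN):
            print(off, name, hex(k), decrypt_body(host, off, len(VIRUS_BODY), name, k))
```

The region bounds are where the "geometry of the infection method" enters: a real scanner would derive `(start, end)` from the file structure rather than sweep the whole file, because each offset costs one key recovery plus one validation per candidate op.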
Arriving to the enchanted forest,
Feared retreat of two dark giants,
A valiant knight provokes them in combat:
But the hidden giants do not answer him
Practice your sliding x-ray on this Image d’Épinal
Approaches to X-raying (theory)
42 = 6 * ?
Key recovery
– Attempts to recover the encryption key
– May be necessary for host repair
Key validation
– Attempts to prove that a valid (sub)key exists
Invariant scanning
– Reduces the ciphertext to patterns independent from the encryption key
Is 7394502 prime? Which is divisible by 3: 29369, 117, 3514?
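Invariant scanning, as an added Python example (not from the slides): for a fixed single-byte XOR key the XOR of two neighbouring ciphertext bytes equals the XOR of the two plaintext bytes, and for a fixed ADD key the difference of neighbours is preserved, so the key drops out of the comparison entirely, much as a digit sum decides divisibility by 3 without computing the quotient. The host, body and keys are constructed sample data. The scan never learns the key, which is why this approach detects but cannot by itself repair the host.

```python
# Added example (not the authors' code): invariant scanning. For a fixed
# single-byte key the XOR (or the difference) of two neighbouring bytes is
# the same before and after encryption, so the scan needs no key at all.
# Host, body and keys are constructed sample data.
from typing import Callable, Dict, List, Tuple


def xor_invariant(data: bytes) -> bytes:
    """c[i] ^ c[i+1] == p[i] ^ p[i+1] whenever c[i] = p[i] ^ K for one fixed K."""
    return bytes(a ^ b for a, b in zip(data, data[1:]))


def add_invariant(data: bytes) -> bytes:
    """(c[i] - c[i+1]) mod 256 == (p[i] - p[i+1]) mod 256 whenever c[i] = p[i] + K."""
    return bytes((a - b) & 0xFF for a, b in zip(data, data[1:]))


INVARIANTS: Dict[str, Callable[[bytes], bytes]] = {
    "xor": xor_invariant,
    "add": add_invariant,
}


def invariant_scan(host: bytes, known: bytes) -> List[Tuple[int, str]]:
    """Reduce the known plaintext to its key-independent pattern once, reduce
    the host the same way once, then find the pattern by plain substring
    search. Returns (offset, op) for every match; the key is never learned."""
    hits = []
    for name, inv in INVARIANTS.items():
        pattern = inv(known)
        reduced = inv(host)
        pos = reduced.find(pattern)
        while pos != -1:
            hits.append((pos, name))
            pos = reduced.find(pattern, pos + 1)
    return hits


# ---- constructed sample data ------------------------------------------
VIRUS_BODY = b"I am a bad virus, boo"       # the deck's own toy plaintext
KNOWN = VIRUS_BODY[:16]                     # the part we rely on for detection
FILLER = b"\x90" * 100                      # stands in for host code around the virus
HOST_XOR = FILLER + bytes(b ^ 0x5A for b in VIRUS_BODY) + FILLER
HOST_ADD = FILLER + bytes((b + 0x5A) & 0xFF for b in VIRUS_BODY) + FILLER

if __name__ == "__main__":
    print(invariant_scan(HOST_XOR, KNOWN))   # key 0x5A is never computed
    print(invariant_scan(HOST_ADD, KNOWN))
```

The invariant throws information away (a run of identical plaintext bytes reduces to a run of zeros, which would match any constant region of a host), so it needs a longer known plaintext than a key-recovery x-ray does, and a hit is best confirmed by recovering the key at that offset before the sample is declared infected.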
Approaches to X-raying (real-world uses)
Key recovery
– W32/Magistr
– W32/Perenast (aka W32/Stepar)
Key validation
– W32/Bagif (useful for variant detection)
Invariant scanning
– W32/Efish
– W32/Perenast
Anatomy of a sample x-ray
Substitution cipher
Used by W32/Efish
Simple and homophonic
Can you catch Efish?
What about variable plaintext?
So far we assumed plaintext was fixed
Wildcards are possible (see Bagif)
What if the majority of the plaintext varies?
I am a bad virus, boo
I am a bad virus, boo
I am a bad virus, boo
I am a bad virus, boo
I am a mad virus, boo
I am a sad virus, boo
I am a bad virus, boo
I, virus am a bad boo
Bad am I a boo, virus
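An added Python example (not the authors' code, and not Efish's actual tables) of key validation for a byte substitution cipher, the cipher class the ‘Anatomy of a sample x-ray’ slide attributes to W32/Efish, with wildcard positions in the known plaintext of the kind the slide above mentions for Bagif. The check proves that a consistent substitution table exists without ever recovering it: for a simple substitution both directions of the mapping must be functions, for a homophonic one only the ciphertext-to-plaintext direction. The cipher tables and the virus bodies are constructed.

```python
# Added example (not the authors' code, not Efish's real tables): key
# validation for a byte substitution cipher, with wildcards in the known
# plaintext. Tables and virus bodies are constructed sample data.
from typing import Dict, Iterable, List, Optional

Pattern = List[Optional[int]]     # known plaintext; None = wildcard byte


def pattern(plain: bytes, wildcards: Iterable[int] = ()) -> Pattern:
    """Turn known plaintext into a pattern, blanking the wildcard offsets."""
    wild = set(wildcards)
    return [None if i in wild else b for i, b in enumerate(plain)]


def simple_substitution_possible(cipher: bytes, known: Pattern) -> bool:
    """Is there ANY byte-to-byte bijection taking known -> cipher?
    In a simple substitution both directions are functions, so a plaintext
    byte seen twice must have produced the same ciphertext byte, and vice
    versa. The table itself is never recovered."""
    if len(cipher) < len(known):
        return False
    p2c: Dict[int, int] = {}
    c2p: Dict[int, int] = {}
    for p, c in zip(known, cipher):
        if p is None:
            continue
        if p2c.setdefault(p, c) != c or c2p.setdefault(c, p) != p:
            return False
    return True


def homophonic_substitution_possible(cipher: bytes, known: Pattern) -> bool:
    """Homophonic variant: one plaintext byte may have several ciphertext
    spellings, but each ciphertext byte still decrypts to one plaintext byte,
    so only the cipher -> plain direction has to be a function."""
    if len(cipher) < len(known):
        return False
    c2p: Dict[int, int] = {}
    for p, c in zip(known, cipher):
        if p is not None and c2p.setdefault(c, p) != p:
            return False
    return True


# ---- constructed sample ciphers and bodies ----------------------------
def simple_encrypt(body: bytes) -> bytes:
    # 7 is odd, so b -> 7*b + 3 (mod 256) is a permutation of the byte values
    return bytes((7 * b + 3) & 0xFF for b in body)


def homophonic_encrypt(body: bytes) -> bytes:
    # each ASCII byte b has two spellings, b ^ 0x5A and (b ^ 0x5A) | 0x80,
    # used alternately; spellings of different bytes never collide
    return bytes((b ^ 0x5A) | (0x80 if i % 2 else 0) for i, b in enumerate(body))


VIRUS_BODY = b"I am a bad virus, boo"                  # the deck's toy plaintext
VARIANT_BODY = b"I am a mad virus, boo"                # one byte differs in the variant
KNOWN = pattern(VIRUS_BODY)
KNOWN_WILD = pattern(VIRUS_BODY, wildcards=[7])        # the 'b' of "bad" is a wildcard

if __name__ == "__main__":
    print(simple_substitution_possible(simple_encrypt(VARIANT_BODY), KNOWN))       # False
    print(simple_substitution_possible(simple_encrypt(VARIANT_BODY), KNOWN_WILD))  # True
    print(homophonic_substitution_possible(homophonic_encrypt(VIRUS_BODY), KNOWN)) # True
```

The wildcard is what makes one x-ray cover a family: the byte that differs between variants is skipped, while every other position still has to be consistent with a single table, so the check stays strict where it matters.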
Anamorphosis (‘catoptric’)
What would metamorphism look like?
DIY catoptric anamorphosis (no assembly required)
Anamorphosis without a complex optical system (‘oblique’)
“The Ambassadors”
Hans Holbein the younger, 1533
What to do about metamorphism?
X-raying a metamorphic virus is a little like looking at a stereogram of an anamorphosis
You need to close one eye
You need to diverge your eyes
It’s hard to do both at the same time!
Open question to the audience
Gunax lbh!
Frédéric Perriot
fperriot@symantec.com
Peter Ferrie
pferrie@symantec.com