
Principles and Practice of X-raying

Principles and Practice of X-raying. Frédéric Perriot, Peter Ferrie, Symantec Security Response. What is x-raying? A detection method based on breaking the encryption of the virus. Works for weak encryption methods. Recent real-world examples among win32 viruses.


Presentation Transcript


  1. Principles and Practice of X-raying
     Frédéric Perriot, Peter Ferrie
     Symantec Security Response

  2. What is x-raying?
     • A detection method based on breaking the encryption of the virus
     • Works for weak encryption methods
     • Recent real-world examples among win32 viruses
     • Applicable to worms as well
     • Similar to a ‘known plaintext attack’

  3. Example of a ‘known plaintext attack’
     Message encrypted with unknown Caesar cipher
     Corresponding ciphertext: Sebz: Crgre Fhowrpg: Uryyb IOZZVI
     Known plaintext: From: Peter
     ? KEY is rot13!
     Decrypted message: From: Peter Subject: Hello VB2004

  4. Differences between x-raying and ‘known plaintext attacks’
     • X-raying has lower complexity
       • Simpler ciphers
       • Simpler breaking
     • More constraints for AV than cryptanalysis
       • Time constraints
       • Space (memory usage) constraints
     • Some specific x-raying techniques
       • Sliding: consider several ciphertexts
       • Hybrid approaches (using decryptor parsing)
       • Encryption algorithm not fixed (XOR or ADD or ROL…)

  5. Analogous to hidden patterns in pictures
     • Inverted colors
     • Stereograms
     • Images d’Épinal

  6. X-raying ‘xor 0xFF’

  7. Typical encryption methods
     • Fixed op and fixed key
     • A few ops among a set and fixed keys
     • Multiple layers
     • Running keys
     • No key (RDA)
     • Strong crypto (IDEA virus)
       • No x-ray but the crypto itself may be detectable!

  8. A more complex encryption: stereograms
     [stereogram image, captioned “cheep, cheep”]

  9. Equivalent to X-raying for stereograms
     • The encryption method is a special projection of a 3D object onto a 2D image
     • The decryption key is the divergence angle between the direction of the eyes of the observer
     • Infinite number of keys (!)
     • Seeing a stereogram is hard the first time

  10. Sliding x-ray
      • Multiple potential ciphertexts distinguishes x-raying from a regular known plaintext attack
      • Virus hidden somewhere in the host program
      • Exact position might not be known because the decryptor is inaccessible (too much I/O)
      • Often need to x-ray more than one spot
      • Determine an x-ray region based on geometry of the virus infection method

  11. Practice your sliding x-ray on this Image d’Épinal
      Arriving to the enchanted forest,
      Feared retreat of two dark giants,
      A valiant knight provokes them in combat:
      But the hidden giants do not answer him

  12. Approaches to X-raying (theory)
      • Key recovery
        • Attempts to recover the encryption key
        • May be necessary for host repair
      • Key validation
        • Attempts to prove that a valid (sub)key exists
      • Invariant scanning
        • Reduces the ciphertext to patterns independent from the encryption key
      Illustrations on the slide:
      42 = 6 * ?
      is 7394502 prime?
      which is divisible by 3: 29369, 117, 3514?

  13. Approaches to X-raying (real-world uses)
      • Key recovery
        • W32/Magistr
        • W32/Perenast (aka W32/Stepar)
      • Key validation
        • W32/Bagif (useful for variants detection)
      • Invariant scanning
        • W32/Efish
        • W32/Perenast
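A toy sliding x-ray in Python, added here as an illustration and not taken from the slides or from any Symantec scanner, tying together slide 10 (sliding over an x-ray region) and slide 12 (key recovery, key validation, invariant scanning). It assumes a single-byte fixed key with one of XOR, ADD or ROL, and the signature and host buffer are constructed sample data.

```python
# Added example, not code from the slides: a toy sliding x-ray combining key
# recovery, key validation and invariant scanning for single-byte XOR/ADD/ROL.
import re

SIG = b"VBMMIV sample plaintext"      # constructed known plaintext, not a real signature

def rol8(b, k):
    k %= 8
    return ((b << k) | (b >> (8 - k))) & 0xFF

def recover_key(op, c0, p0):
    """Key recovery: derive the key from the first ciphertext/plaintext pair."""
    if op == "xor":
        return c0 ^ p0
    if op == "add":
        return (c0 - p0) & 0xFF        # c = p + k (mod 256)
    return next((k for k in range(8) if rol8(p0, k) == c0), None)  # rol, else None

def decrypt_byte(op, c, k):
    if op == "xor":
        return c ^ k
    if op == "add":
        return (c - k) & 0xFF
    return rol8(c, 8 - k)              # undo "rol k" with "rol 8-k"

def sliding_xray(buf, plaintext, ops=("xor", "add", "rol"), region=None):
    """Try every offset in region (whole buffer by default) and every op; a hit
    (offset, op, key) requires the key to decrypt the whole window (key validation)."""
    lo, hi = region or (0, len(buf) - len(plaintext))
    hits = []
    for off in range(lo, hi + 1):
        window = buf[off:off + len(plaintext)]
        for op in ops:
            k = recover_key(op, window[0], plaintext[0])
            if k is not None and all(decrypt_byte(op, c, k) == p
                                     for c, p in zip(window, plaintext)):
                hits.append((off, op, k))
    return hits

def xor_invariant(data):
    """XOR of adjacent bytes is the same whatever the fixed XOR key is."""
    return bytes(a ^ b for a, b in zip(data, data[1:]))

def invariant_scan(buf, plaintext):
    """Invariant scanning: match the key-independent pattern, never recover a key."""
    pat = re.escape(xor_invariant(plaintext))   # lookahead so overlapping hits count
    return [m.start() for m in re.finditer(b"(?=" + pat + b")", xor_invariant(buf))]

HOST = bytes(range(256)) * 2           # constructed host bytes; ciphertext inserted at 300
INFECTED = HOST[:300] + bytes(b ^ 0x5A for b in SIG) + HOST[300:]
```

Restricting `region` to where the infection geometry says the body can be is what keeps the sliding step affordable under the time constraints of slide 4.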

  14. Anatomy of a sample x-ray
      • Substitution cipher
      • Used by W32/Efish
      • Simple and homophonic

  15. Can you catch Efish?

  16. What about variable plaintext?
      • So far we assumed plaintext was fixed
      • Wildcards are possible (see Bagif)
      • What if the majority of the plaintext varies?
      Illustration on the slide (variants of one sentence):
      I am a bad virus, boo
      I, virus am a bad boo
      Bad am I a boo, virus
      I am a bad virus, boo
      I am a mad virus, boo
      I am a sad virus, boo
      I am a bad virus, boo
      I am a bad virus, boo
      I am a bad virus, boo

  17. Anamorphosis (‘catoptric’)
      What would metamorphism look like?

  18. DIY catoptric anamorphosis (no assembly required)

  19. Anamorphosis without a complex optical system (‘oblique’)
      “The Ambassadors”, Hans Holbein the Younger, 1533

  20. What to do about metamorphism?
      • X-raying a metamorphic virus is a little like looking at a stereogram of an anamorphosis
        • You need to close one eye
        • You need to diverge your eyes
        • It’s hard to do both at the same time!
      • Open question to the audience

  21. Gunax lbh!
      Frédéric Perriot fperriot@symantec.com
      Peter Ferrie pferrie@symantec.com
