- Malware often encrypts content (strings, data sent to the C&C)
- A reversible cipher uses the same function to encode and decode
Detecting cryptography in malware
Strings and Imports
- Presence of typical strings (e.g. "OpenSSL 1.0.0a", "SSLv3 part of OpenSSL 1.0.0a", ...)
- Presence of typical imports (e.g. CryptAcquireContext, CryptCreateHash, ...)
Some algorithms can't be detected from constants because they build their structures on the fly. This is the case for the International Data Encryption Algorithm (IDEA) and RC4.
You can search for high-entropy content to detect such algorithms using the IDA Entropy Plugin:
- Revealing base64 encoding with high 6-bit entropy in the data section (64-bit (0x40) chunk size with maximum entropy of 5.95)
- Revealing AES encryption with high 8-bit entropy in the rdata section (256-bit (0x100) chunk size with maximum entropy of 7.9)
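As an added example (not from the original page and not the IDA Entropy Plugin's code), here is a Python scan that computes per-chunk byte entropy with the two chunk sizes quoted above: 64-byte windows to spot base64-like data (a 64-character alphabet caps entropy at 6.0) and 256-byte windows to spot AES-like ciphertext (approaching 8.0). The sample buffers are constructed inline, and the thresholds are assumptions, set below the page's peak figures because short windows under-count.

```python
import base64
import math
import random
from collections import Counter

# Thresholds are assumptions. They sit well below the page's peak figures (5.95 for
# base64, 7.9 for AES) because a short window under-counts: 256 uniformly random
# bytes show only ~160 distinct values, so their measured entropy is ~7.2, not 8.0.
BASE64_MIN = 4.5          # 64-symbol alphabet caps entropy at log2(64) = 6.0
ENCRYPTED_MIN = 6.5       # ciphertext/compressed data approaches log2(256) = 8.0
BASE64_ALPHABET = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")

def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of one chunk in bits per byte (0.0 .. 8.0)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())

def classify_chunk(chunk: bytes) -> str:
    """Label a chunk as 'encrypted', 'base64' or 'low-entropy'."""
    h = shannon_entropy(chunk)
    if h >= ENCRYPTED_MIN:
        return "encrypted"
    # Entropy alone cannot separate base64 from other text; require the alphabet too
    # (hex strings never pass: 16 symbols cap them at 4.0).
    if h >= BASE64_MIN and all(b in BASE64_ALPHABET for b in chunk):
        return "base64"
    return "low-entropy"

def scan(data: bytes, chunk_size: int) -> list:
    """Walk data in fixed, non-overlapping chunks (the plugin's chunk size) and
    return (offset, entropy, label) per chunk, so hits can be mapped to a section."""
    return [(off, round(shannon_entropy(data[off:off + chunk_size]), 2),
             classify_chunk(data[off:off + chunk_size]))
            for off in range(0, len(data), chunk_size)]

# Constructed sample "section": a typical library string, a base64 blob and random
# bytes standing in for AES output (seeded so the run is reproducible).
PLAINTEXT_SAMPLE = b"SSLv3 part of OpenSSL 1.0.0a 1 Jun 2010".ljust(64, b"\x00")
BASE64_SAMPLE = base64.b64encode(random.Random(7).randbytes(48))      # 64 chars
CIPHERTEXT_SAMPLE = random.Random(7).randbytes(256)

if __name__ == "__main__":
    for off, h, label in scan(PLAINTEXT_SAMPLE + BASE64_SAMPLE, 64):
        print(f"data   +0x{off:04x}  H={h:.2f}  {label}")
    for off, h, label in scan(CIPHERTEXT_SAMPLE, 256):
        print(f"rdata  +0x{off:04x}  H={h:.2f}  {label}")
```

To apply this to a real sample, feed it the raw bytes of a section (for example the .data or .rdata section dumped from the PE) and look at which offsets are labelled.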
Decryption in practice
Suppose we are analyzing a malware sample that encrypts an image file (a bmp file) using a complex encryption mechanism, and that the encryption routine is reversible (the same routine encrypts and decrypts). We can modify the control flow of the malware so that it decrypts the encrypted content for us. Below is an example.
Let's set up two breakpoints in OllyDbg:
- At offset 0x401880, just before the content is encrypted
- At offset 0x40190A, just after the file is written
Once the program has reached our first breakpoint (0x401880), the arguments on the stack represent the buffer that is about to be encrypted:
With python scripting in Immunity Debugger