Binary Analysis
Dynamic decryption procedures in malware Sep 24 2006 12:16AM
Omar Herrera (oherrera prodigy net mx)
I wrote a paper on dynamic decryption procedures in malicious software which
can be found here:

Although the use of these techniques might prevent traditional computer
viruses and worms from spreading, they seem particularly useful for targeted
using certain types of malware (e.g. trojans and spyware). However, they
increase the analysis of malware considerably.

With the increase of targeted attacks and the development of more complex
malware, malware analysts and computer forensic investigators should be
prepared to handle these threats (theory on these attacks dates from 1998 so
it wouldn't be strange that they are being employed already in the wild).

After discussing this threat with several malware researchers for some time
I've seen different responses. Some malware researchers accept that this
might be an issue while others don't believe it is practical. The purpose of
the paper is to show that these techniques are indeed practical and useful
for attackers: malware analysts and forensic investigators should always be
able to identify the use of cryptography to conceal part of the code, but
they can't access the whole code within a reasonable time frame (i.e. know
exactly what every part of the malware does) in all cases. More research in
this area is therefore essential.

There is a small POC at the end of the paper to show how easy this thing is
to implement for you to play with (tested with DevC++ and OpenSSL libraries
on Windows XP). The chosen key in the example should be easy to brute force
but the idea is to give you a feeling of what it would look like to analyze
malware implementing such techniques.


Omar Herrera

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus