Principles and Practice of X-raying
Page 1
2004 Symantec Corporation, All Rights Reserved
Principles and Practice of X-raying
Frédéric Perriot, Peter Ferrie
Symantec Security Response
Page 2
What is x-raying?
A detection method based on breaking the encryption of the virus
Works for weak encryption methods
– Recent real-world examples among Win32 viruses
– Applicable to worms as well
Similar to a ‘known plaintext attack’
Page 3
Example of a ‘known plaintext attack’
Message encrypted with unknown Caesar cipher:
Sebz: Crgre
Fhowrpg: Uryyb IOZZVI
Known plaintext: From: Peter
Corresponding ciphertext: Sebz: Crgre
Key: ? – KEY is rot13!
Decrypted message:
From: Peter
Subject: Hello VB2004
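The known-plaintext attack on this slide, worked in code. This is an added example and not part of the original presentation: the two message lines are the ones on the slide, while the helper names (caesar, recover_key, xray_message) are my own.

```python
# Added example, not from the presentation: the slide's known-plaintext attack
# on a Caesar (shift) cipher, worked as key recovery plus a consistency check.
# The two message lines are the ones on the slide; the helper names are my own.
import string
from typing import List, Optional, Tuple

ALPHABET = string.ascii_lowercase

def caesar(text: str, k: int) -> str:
    """Shift every letter by k positions (mod 26), keeping case; other characters pass through."""
    out = []
    for ch in text:
        if ch.isalpha():
            shifted = ALPHABET[(ALPHABET.index(ch.lower()) + k) % 26]
            out.append(shifted.upper() if ch.isupper() else shifted)
        else:
            out.append(ch)
    return "".join(out)

def recover_key(plaintext: str, ciphertext: str) -> Optional[int]:
    """Derive the shift from the first letter pair, then require every other
    letter pair to agree with it. Returns None if no single shift explains the
    whole known plaintext (the candidate key is rejected)."""
    if len(plaintext) != len(ciphertext):
        return None
    key = None
    for p, c in zip(plaintext, ciphertext):
        if not p.isalpha():
            if p != c:            # punctuation and spaces are not shifted
                return None
            continue
        if not c.isalpha() or p.isupper() != c.isupper():
            return None
        k = (ALPHABET.index(c.lower()) - ALPHABET.index(p.lower())) % 26
        if key is None:
            key = k
        elif k != key:
            return None
    return key

# The slide's message: the header line is the known plaintext, both lines are ciphertext.
KNOWN_PLAINTEXT = "From: Peter"
CIPHERTEXT = ["Sebz: Crgre", "Fhowrpg: Uryyb IOZZVI"]

def xray_message() -> Tuple[Optional[int], List[str]]:
    """Recover the key from the header line and decrypt the whole message with it."""
    key = recover_key(KNOWN_PLAINTEXT, CIPHERTEXT[0])
    if key is None:
        return None, []
    return key, [caesar(line, -key) for line in CIPHERTEXT]
```

Running xray_message() recovers a shift of 13 (rot13) and decrypts the second line to "Subject: Hello VBMMIV", the Roman-numeral spelling of VB2004 that the slide renders as "Hello VB2004". The agreement check in recover_key is the same idea the later slides call key validation: a single letter pair that disagrees with the others rejects the candidate key outright.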
Page 4
Differences between x-raying and ‘known plaintext attacks’
X-raying has lower complexity
– Simpler ciphers
– Simpler breaking
More constraints for AV than cryptanalysis
– Time constraints
– Space (memory usage) constraints
Some specific x-raying techniques
– Sliding: consider several ciphertexts
– Hybrid approaches (using decryptor parsing)
– Encryption algorithm not fixed (XOR or ADD or ROL…)
Page 5
Analogous to hidden patterns in pictures
Inverted colors
Stereograms
Images d’Épinal
Page 6
X-raying ‘xor 0xFF’
Page 7
Typical encryption methods
Fixed op and fixed key
A few ops among a set and fixed keys
Multiple layers
Running keys
No key (RDA)
Strong crypto (IDEA virus)
– No x-ray but the crypto itself may be detectable!
Page 8
A more complex encryption: stereograms
cheep,cheep
Page 9
Equivalent to X-raying for stereograms
The encryption method is a special projection of a 3D object onto a 2D image
The decryption key is the divergence angle between the direction of the eyes of the observer
Infinite number of keys (!)
Seeing a stereogram is hard the first time
Page 10
Sliding x-ray
Multiple potential ciphertexts distinguish x-raying from a regular known plaintext attack
Virus hidden somewhere in the host program
– Exact position might not be known because the decryptor is inaccessible (too much I/O)
Often need to x-ray more than one spot
– Determine an x-ray region based on geometry of the virus infection method
Page 11
Arriving to the enchanted forest,
Feared retreat of two dark giants,
A valiant knight provokes them in combat:
But the hidden giants do not answer him
Practice your sliding x-ray on this Image d’Épinal
Page 12
Approaches to X-raying (theory)
Key recovery
– Attempts to recover the encryption key
– May be necessary for host repair
– Arithmetic analogy: 42 = 6 * ?
Key validation
– Attempts to prove that a valid (sub)key exists
– Arithmetic analogy: is 7394502 prime?
Invariant scanning
– Reduces the ciphertext to patterns independent from the encryption key
– Arithmetic analogy: which is divisible by 3: 29369, 117, 3514?
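The three approaches on this slide, the sliding x-ray of the previous slide and the "encryption algorithm not fixed" case from slide 4, put together in one added example. This is my own code, not the presentation's: the known plaintext (KNOWN, with one wildcard byte), the host buffer, the candidate ops (xor, add, rol) and all function names are constructed for illustration.

```python
# Added example, not from the presentation: a toy sliding x-ray that applies the
# three approaches on the slide (key recovery, key validation, invariant scanning)
# at every offset of a constructed host buffer, trying a small set of candidate
# one-byte encryption ops. KNOWN is a constructed plaintext; None marks a wildcard.
import random
from typing import Dict, List, Optional, Set, Tuple

def _rol(p: int, k: int) -> int:
    return ((p << k) | (p >> (8 - k))) & 0xFF if k else p

# op name -> (encrypt one byte under key k, key space)
OPS: Dict[str, Tuple] = {
    "xor": (lambda p, k: p ^ k, range(256)),
    "add": (lambda p, k: (p + k) & 0xFF, range(256)),
    "rol": (_rol, range(8)),
}

KNOWN: List[Optional[int]] = [0x55, 0x8B, 0xEC, 0x83, None, 0x08, 0xE8, 0x00, 0x00, 0x00]
BODY: List[int] = [0x08 if b is None else b for b in KNOWN]  # one concrete instance

def encrypt(body: List[int], op: str, key: int) -> bytes:
    return bytes(OPS[op][0](b, key) for b in body)

def consistent_keys(window: bytes, op: str) -> Set[int]:
    """Key validation: every key under which each non-wildcard plaintext byte maps
    to the observed ciphertext byte. Non-empty proves a valid key exists, even when
    several keys fit and recovery from one byte alone would be ambiguous."""
    enc, keyspace = OPS[op]
    keys = set(keyspace)
    for p, c in zip(KNOWN, window):
        if p is not None:
            keys = {k for k in keys if enc(p, k) == c}
    return keys

def recover_key(window: bytes, op: str) -> Optional[int]:
    """Key recovery: derive the key from the first known byte (closed form for
    xor/add, a small search for rol), then check it against every other known byte."""
    enc, keyspace = OPS[op]
    i0 = next(i for i, p in enumerate(KNOWN) if p is not None)
    p0, c0 = KNOWN[i0], window[i0]
    if op == "xor":
        k = p0 ^ c0
    elif op == "add":
        k = (c0 - p0) & 0xFF
    else:
        cands = [k for k in keyspace if enc(p0, k) == c0]
        if len(cands) != 1:
            return None  # ambiguous: 0x55 rotated by any odd amount is 0xAA
        k = cands[0]
    ok = all(p is None or enc(p, k) == c for p, c in zip(KNOWN, window))
    return k if ok else None

def invariant_match(window: bytes, op: str) -> bool:
    """Invariant scanning: test patterns that hold whatever the key is.
    xor: c[i]^c[i+1] == p[i]^p[i+1]; add: (c[i+1]-c[i]) == (p[i+1]-p[i]) mod 256;
    rol: each byte keeps its popcount. Pairs touching a wildcard are skipped."""
    if op == "rol":
        return all(p is None or bin(c).count("1") == bin(p).count("1")
                   for p, c in zip(KNOWN, window))
    for i in range(len(KNOWN) - 1):
        p1, p2, c1, c2 = KNOWN[i], KNOWN[i + 1], window[i], window[i + 1]
        if p1 is None or p2 is None:
            continue
        if op == "xor" and (c1 ^ c2) != (p1 ^ p2):
            return False
        if op == "add" and ((c2 - c1) & 0xFF) != ((p2 - p1) & 0xFF):
            return False
    return True

def sliding_xray(host: bytes, method: str) -> Optional[Tuple[int, str, Optional[int]]]:
    """Slide KNOWN over every offset of the host and try each op in turn. Returns
    (offset, op, key) for the first hit; key is None when the method does not
    determine it uniquely (invariant scanning never does)."""
    n = len(KNOWN)
    for off in range(len(host) - n + 1):
        window = host[off:off + n]
        for op in OPS:
            if method == "recovery":
                k = recover_key(window, op)
                if k is not None:
                    return off, op, k
            elif method == "validation":
                keys = consistent_keys(window, op)
                if keys:
                    return off, op, (keys.pop() if len(keys) == 1 else None)
            elif method == "invariant" and invariant_match(window, op):
                return off, op, None
    return None

def build_host(op: str, key: int, offset: int, seed: int = 7) -> bytes:
    """Constructed host: 64 pseudo-random filler bytes with the encrypted BODY spliced in at offset."""
    rng = random.Random(seed)
    filler = bytes(rng.randrange(256) for _ in range(64))
    return filler[:offset] + encrypt(BODY, op, key) + filler[offset:]

if __name__ == "__main__":
    for op, key in (("xor", 0x5A), ("rol", 3)):
        host = build_host(op, key, 20)
        for method in ("recovery", "validation", "invariant"):
            print(op, method, sliding_xray(host, method))
```

The rol case shows why the slide lists validation separately from recovery: 0x55 rotates onto 0xAA for every odd shift, so recovery from the first byte alone is ambiguous and fails, while validation keeps the whole candidate set and narrows it to the one key consistent with all known bytes. Invariant scanning never touches the key at all, which is why it fits the time and memory constraints of slide 4 best, at the price of a weaker test (for rol, only the popcount survives).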
Page 13
Approaches to X-raying (real-world uses)
Key recovery
– W32/Magistr
– W32/Perenast (aka W32/Stepar)
Key validation
– W32/Bagif (useful for variant detection)
Invariant scanning
– W32/Efish
– W32/Perenast
Page 14
Anatomy of a sample x-ray
Substitution cipher
Used by W32/Efish
Simple and homophonic
Page 15
Can you catch Efish?
Page 16
What about variable plaintext?
So far we assumed plaintext was fixed
Wildcards are possible (see Bagif)
What if the majority of the plaintext varies?
I am a bad virus, boo
I am a bad virus, boo
I am a bad virus, boo
I am a bad virus, boo
I am a mad virus, boo
I am a sad virus, boo
I am a bad virus, boo
I, virus am a bad boo
Bad am I a boo, virus
Page 17
Anamorphosis (‘catoptric’)
What would metamorphism look like?
Page 18
DIY catoptric anamorphosis (no assembly required)
Page 19
Anamorphosis without a complex optical system (‘oblique’)
“The Ambassadors”
Hans Holbein the younger, 1533
Page 20
What to do about metamorphism?
X-raying a metamorphic virus is a little like looking at a stereogram of an anamorphosis
You need to close one eye
You need to diverge your eyes
It’s hard to do both at the same time!
Open question to the audience
Page 21
Gunax lbh!
Frédéric [email protected]
[email protected]