Principles and Practice of X-raying. Frédéric Perriot, Peter Ferrie, Symantec Security Response. 2004 Symantec Corporation, All Rights Reserved.


Slide 2: What is x-raying?
- A detection method based on breaking the encryption of the virus
- Works for weak encryption methods
  - Recent real-world examples among Win32 viruses
  - Applicable to worms as well
- Similar to a 'known plaintext attack'

Slide 3: Example of a 'known plaintext attack'
- Message encrypted with an unknown Caesar cipher: "Sebz: Crgre / Fhowrpg: Uryyb IOZZVI"
- Known plaintext: "From: Peter"
- Corresponding ciphertext: "Sebz: Crgre"
- Key is rot13!
- Decrypted message: "From: Peter / Subject: Hello VB2004"
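The attack on this slide worked through in Python, as an added example that is not part of the original talk: the shift is recovered from the known header, checked against every letter of it, and then applied to the whole message.

```python
# Added example (not from the slides): the slide-3 known plaintext attack on a
# Caesar cipher. One known plaintext/ciphertext pair yields a candidate shift,
# which must agree across the whole known header before the message is decrypted.

def shift_char(ch, k):
    """Rotate a letter by k positions (k may be negative); other chars pass through."""
    if ch.isalpha():
        base = ord("A") if ch.isupper() else ord("a")
        return chr((ord(ch) - base + k) % 26 + base)
    return ch

def caesar(text, k):
    return "".join(shift_char(c, k) for c in text)

def recover_shift(known_plain, cipher_prefix):
    """Key recovery plus validation: return the single shift that explains every
    letter pair, or None if the pairs disagree or the non-letters do not line up."""
    shifts = set()
    for p, c in zip(known_plain, cipher_prefix):
        if p.isalpha() and c.isalpha():
            shifts.add((ord(c.lower()) - ord(p.lower())) % 26)
        elif p != c:
            return None
    return shifts.pop() if len(shifts) == 1 else None

def attack(ciphertext, known_plain):
    """Return (shift, plaintext) or None when the known plaintext does not fit."""
    k = recover_shift(known_plain, ciphertext[:len(known_plain)])
    return None if k is None else (k, caesar(ciphertext, -k))

# The slide's message; 2004 appears as the Roman numerals MMIV so that the
# letter-only cipher covers it (IOZZVI decrypts to VBMMIV).
CIPHERTEXT = "Sebz: Crgre\nFhowrpg: Uryyb IOZZVI"
KNOWN = "From: Peter"
```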

Slide 4: Differences between x-raying and 'known plaintext attacks'
- X-raying has lower complexity
  - Simpler ciphers
  - Simpler breaking
- More constraints for AV than for cryptanalysis
  - Time constraints
  - Space (memory usage) constraints
- Some specific x-raying techniques
  - Sliding: consider several ciphertexts
  - Hybrid approaches (using decryptor parsing)
  - Encryption algorithm not fixed (XOR or ADD or ROL...)

Slide 5: Analogous to hidden patterns in pictures
- Inverted colors
- Stereograms
- Images d'Épinal

Slide 6: X-raying 'xor 0xFF'

Slide 7: Typical encryption methods
- Fixed op and fixed key
- A few ops among a set and fixed keys
- Multiple layers
- Running keys
- No key (RDA)
- Strong crypto (IDEA virus)
  - No x-ray, but the crypto itself may be detectable!

Slide 8: A more complex encryption: stereograms ("cheep, cheep")

Slide 9: Equivalent of X-raying for stereograms
- The encryption method is a special projection of a 3D object onto a 2D image
- The decryption key is the divergence angle between the observer's eyes
- Infinite number of keys (!)
- Seeing a stereogram is hard the first time

Slide 10: Sliding x-ray
- Multiple potential ciphertexts distinguish x-raying from a regular known plaintext attack
- Virus hidden somewhere in the host program
  - Exact position might not be known because the decryptor is inaccessible (too much I/O)
- Often need to x-ray more than one spot
  - Determine an x-ray region based on the geometry of the virus infection method

Slide 11: Practice your sliding x-ray on this Image d'Épinal
Arriving at the enchanted forest,
Feared retreat of two dark giants,
A valiant knight provokes them to combat:
But the hidden giants do not answer him.

Slide 12: Approaches to X-raying (theory)
- Key recovery (analogy: 42 = 6 * ?)
  - Attempts to recover the encryption key
  - May be necessary for host repair
- Key validation (analogy: is prime?)
  - Attempts to prove that a valid (sub)key exists
- Invariant scanning (analogy: which is divisible by 3: 29369, 117, 3514?)
  - Reduces the ciphertext to patterns independent from the encryption key

Slide 13: Approaches to X-raying (real-world uses)
- Key recovery
  - W32/Magistr
  - W32/Perenast (aka W32/Stepar)
- Key validation
  - W32/Bagif (useful for variant detection)
- Invariant scanning
  - W32/Efish
  - W32/Perenast

Slide 14: Anatomy of a sample x-ray
- Substitution cipher
- Used by W32/Efish
- Simple and homophonic

Slide 15: Can you catch Efish?

Slide 16: What about variable plaintext?
- So far we assumed the plaintext was fixed
- Wildcards are possible (see Bagif)
- What if the majority of the plaintext varies?
  I am a bad virus, boo
  I am a mad virus, boo
  I am a sad virus, boo
  I am a bad virus, boo
  I, virus am a bad boo
  Bad am I a boo, virus
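An added example, not from the slides, that ties together the sliding x-ray of slide 10, the three approaches of slide 12 (key recovery, key validation, invariant scanning) and the wildcard plaintext of slide 16 for the simplest cipher class on slide 7, a fixed op with a fixed one-byte key. The host bytes, the XOR key 0x5A and the region layout are constructed for the demonstration.

```python
# Added example (not from the slides): sliding x-ray for a virus body under an
# unknown one-byte XOR or ADD key, showing the three approaches of slide 12.

def decrypt(cipher, key, op):
    if op == "xor":
        return bytes(c ^ key for c in cipher)
    return bytes((c - key) & 0xFF for c in cipher)

def recover_key(c, p, op):
    """Key recovery: one known byte pair fixes the whole key for these ciphers."""
    return c ^ p if op == "xor" else (c - p) & 0xFF

def validate_key(cipher, plain, mask, key, op):
    """Key validation: the candidate key must explain every non-wildcard byte."""
    return all(m == 0 or d == p for d, p, m in zip(decrypt(cipher, key, op), plain, mask))

def invariant(data, op):
    """Invariant scanning: fold adjacent bytes so a fixed key cancels out:
    c[i]^c[i+1] == p[i]^p[i+1] for XOR, (c[i+1]-c[i]) mod 256 for ADD."""
    if op == "xor":
        return bytes(a ^ b for a, b in zip(data, data[1:]))
    return bytes((b - a) & 0xFF for a, b in zip(data, data[1:]))

def invariant_scan(buf, plain, op):
    """Reduce both sides to the key-free pattern, then do a plain substring search."""
    folded, target = invariant(buf, op), invariant(plain, op)
    hits, pos = [], folded.find(target)
    while pos != -1:
        hits.append(pos)
        pos = folded.find(target, pos + 1)
    return hits

def sliding_xray(buf, plain, mask=None, region=None):
    """Slide over every offset of the x-ray region and try each op. Mask bytes of
    0x00 mark wildcard plaintext positions (slide 16). Returns [(offset, op, key)]."""
    mask = mask or b"\xff" * len(plain)
    start, end = region or (0, len(buf))
    first = mask.index(0xFF)  # first fixed byte anchors key recovery
    hits = []
    for off in range(start, min(end, len(buf)) - len(plain) + 1):
        window = buf[off:off + len(plain)]
        for op in ("xor", "add"):
            key = recover_key(window[first], plain[first], op)
            if validate_key(window, plain, mask, key, op):
                hits.append((off, op, key))
    return hits

# Constructed sample: fake host prefix, then the slide-16 body encrypted with XOR 0x5A.
PLAIN = b"I am a bad virus, boo"
MASK = bytes(0x00 if i == 7 else 0xFF for i in range(len(PLAIN)))  # bad/mad/sad
HOST = b"MZ\x90\x00" + bytes(range(0x40, 0x80))
SAMPLE = HOST + bytes(c ^ 0x5A for c in b"I am a sad virus, boo") + b"\x00" * 8
```

Without the wildcard mask the "sad" variant is missed, which is the point of slide 16; the invariant scan finds the body by substring search alone, without ever naming a key.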

Slide 17: Anamorphosis ('catoptric'). What would metamorphism look like?

Slide 18: DIY catoptric anamorphosis (no assembly required)

Slide 19: Anamorphosis without a complex optical system ('oblique'): "The Ambassadors", Hans Holbein the Younger, 1533

Slide 20: What to do about metamorphism?
- X-raying a metamorphic virus is a little like looking at a stereogram of an anamorphosis
- You need to close one eye
- You need to diverge your eyes
- It's hard to do both at the same time!
- Open question to the audience

Slide 21: Gunax lbh! Frédéric Perriot, Peter Ferrie