Principles and Practice of X-raying. Frédéric Perriot, Peter Ferrie, Symantec Security Response (2004 Symantec Corporation, All Rights Reserved).

Slide 1: Principles and Practice of X-raying. Frédéric Perriot, Peter Ferrie, Symantec Security Response

Slide 2: What is x-raying?
 A detection method based on breaking the encryption of the virus
 Works for weak encryption methods
 – Recent real-world examples among Win32 viruses
 – Applicable to worms as well
 Similar to a ‘known plaintext attack’

Slide 3: Example of a ‘known plaintext attack’
Message encrypted with unknown Caesar cipher (corresponding ciphertext): Sebz: Crgre Fhowrpg: Uryyb IOZZVI
Known plaintext: From: Peter
? KEY is rot13!
Decrypted message: From: Peter Subject: Hello VB2004

Slide 4: Differences between x-raying and ‘known plaintext attacks’
 X-raying has lower complexity
 – Simpler ciphers
 – Simpler breaking
 More constraints for AV than cryptanalysis
 – Time constraints
 – Space (memory usage) constraints
 Some specific x-raying techniques
 – Sliding: consider several ciphertexts
 – Hybrid approaches (using decryptor parsing)
 – Encryption algorithm not fixed (XOR or ADD or ROL…)

Slide 5: Analogous to hidden patterns in pictures
 Inverted colors
 Stereograms
 Images d’Épinal

Slide 6: X-raying ‘xor 0xFF’ (image slide)

Slide 7: Typical encryption methods
 Fixed op and fixed key
 A few ops among a set and fixed keys
 Multiple layers
 Running keys
 No key (RDA)
 Strong crypto (IDEA virus)
 – No x-ray but the crypto itself may be detectable!

Slide 8: A more complex encryption: stereograms (image slide; caption ‘cheep, cheep’)

Slide 9: Equivalent to X-raying for stereograms
 The encryption method is a special projection of a 3D object onto a 2D image
 The decryption key is the divergence angle between the direction of the eyes of the observer
 Infinite number of keys (!)
 Seeing a stereogram is hard the first time

Slide 10: Sliding x-ray
 Multiple potential ciphertexts distinguish x-raying from a regular known plaintext attack
 Virus hidden somewhere in the host program
 – Exact position might not be known because the decryptor is inaccessible (too much I/O)
 Often need to x-ray more than one spot
 – Determine an x-ray region based on the geometry of the virus infection method
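The sliding x-ray of slides 4 and 10, as an added example that is not code from the presentation: a known plaintext is assumed to sit somewhere in an x-ray region of a host buffer, encrypted byte-wise with a fixed key by one of several candidate operations (XOR, ADD or ROL, the set named on slide 4). At each offset the key is recovered from the first byte and then validated against the rest. The host, plaintext and key are constructed for the demonstration.

```python
def rol8(b, n):
    n &= 7
    return ((b << n) | (b >> (8 - n))) & 0xFF

def ror8(b, n):
    n &= 7
    return ((b >> n) | (b << (8 - n))) & 0xFF

# Candidate byte operations: name -> (key space size, decrypt one byte with key k)
OPS = {
    "xor": (256, lambda c, k: c ^ k),               # undoes c = p ^ k
    "add": (256, lambda c, k: (c - k) & 0xFF),      # undoes c = (p + k) & 0xFF
    "rol": (8, ror8),                               # undoes c = rol8(p, k)
}

def xray_at(cipher, plain, op):
    """Key recovery on byte 0, then key validation on the rest; key or None."""
    space, dec = OPS[op]
    for k in range(space):
        if dec(cipher[0], k) != plain[0]:
            continue                                # byte 0 rules this key out
        if all(dec(c, k) == p for c, p in zip(cipher, plain)):
            return k                                # the whole plaintext confirms it
    return None

def sliding_xray(buf, plain, start, end):
    """X-ray every offset of the region [start, end) with every op.
    Returns (offset, op, key) for the first hit, or None."""
    for off in range(start, min(end, len(buf) - len(plain) + 1)):
        window = buf[off:off + len(plain)]
        for op in OPS:
            k = xray_at(window, plain, op)
            if k is not None:
                return off, op, k
    return None

# Constructed sample: the known plaintext hidden at offset 20 of a 'host'
# under ADD 0x5A; the x-ray region is the host's tail.
KNOWN = b"I am a bad virus, boo"
HOST = bytes(range(20)) + bytes((b + 0x5A) & 0xFF for b in KNOWN) + b"\x00" * 7

if __name__ == "__main__":
    print(sliding_xray(HOST, KNOWN, 8, len(HOST)))  # -> (20, 'add', 90)
```

The ROL key space is only 8 because an 8-bit rotation repeats every 8 steps, which is why validation over the full plaintext matters: a single byte can agree with several rotation counts.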

Slide 11: Practice your sliding x-ray on this Image d’Épinal
Arriving to the enchanted forest,
Feared retreat of two dark giants,
A valiant knight provokes them in combat:
But the hidden giants do not answer him

Slide 12: Approaches to X-raying (theory)
 Key recovery (illustration on the slide: 42 = 6 * ?)
 – Attempts to recover the encryption key
 – May be necessary for host repair
 Key validation (illustration on the slide: is 7394502 prime?)
 – Attempts to prove that a valid (sub)key exists
 Invariant scanning (illustration on the slide: which is divisible by 3: 29369, 117, 3514?)
 – Reduces the ciphertext to patterns independent from the encryption key

Slide 13: Approaches to X-raying (real-world uses)
 Key recovery
 – W32/Magistr
 – W32/Perenast (aka W32/Stepar)
 Key validation
 – W32/Bagif (useful for variants detection)
 Invariant scanning
 – W32/Efish
 – W32/Perenast

Slide 14: Anatomy of a sample x-ray
 Substitution cipher
 Used by W32/Efish
 Simple and homophonic
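Key validation for a substitution cipher of the kind slide 14 describes, as an added example rather than the presentation's own code or the real Efish table: the table is unknown, but a ciphertext can only be a substitution of the known plaintext if every ciphertext byte always decrypts to the same plaintext byte; a simple substitution additionally needs each plaintext byte to have a single ciphertext byte, while a homophonic one allows several. The homophone table and the sample encryptor are constructed for the demonstration.

```python
def validate_substitution(cipher, plain, homophonic=True):
    """Return the partial decryption table {cipher_byte: plain_byte} implied by
    the pair, or None if no substitution table can explain it."""
    if len(cipher) != len(plain):
        return None
    table = {}            # cipher byte -> plain byte (decryption direction)
    seen_plain = {}       # plain byte  -> cipher byte, only used for the simple case
    for c, p in zip(cipher, plain):
        if table.setdefault(c, p) != p:
            return None   # one ciphertext byte, two plaintexts: not a substitution
        if not homophonic and seen_plain.setdefault(p, c) != c:
            return None   # one plaintext byte, two ciphertexts: homophonic, not simple
    return table

# Constructed homophonic table: 'a' and ' ' each have two ciphertext bytes.
HOMOPHONES = {ord("a"): [0x01, 0x02], ord(" "): [0x03, 0x04]}

def encrypt_homophonic(data):
    """Deterministic sample encryptor: alternate homophones by position; other
    bytes go through XOR 0x7F as a stand-in one-to-one table (it never yields
    0x01..0x04 for the letters, space and comma used in the sample)."""
    out = bytearray()
    for i, b in enumerate(data):
        choices = HOMOPHONES.get(b)
        out.append(choices[i % len(choices)] if choices else b ^ 0x7F)
    return bytes(out)

KNOWN = b"I am a bad virus, boo"
SAMPLE = encrypt_homophonic(KNOWN)          # 'a' appears as 0x01 and as 0x02

if __name__ == "__main__":
    print(validate_substitution(SAMPLE, KNOWN) is not None)         # True
    print(validate_substitution(SAMPLE, KNOWN, homophonic=False))   # None
```

The returned table is the partial key that validation recovers for free, which is what a repair routine would start from.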

Slide 15: Can you catch Efish? (image slide)

Slide 16: What about variable plaintext?
 So far we assumed plaintext was fixed
 Wildcards are possible (see Bagif)
 What if the majority of the plaintext varies?
Examples on the slide:
I am a bad virus, boo
I am a mad virus, boo
I am a sad virus, boo
I am a bad virus, boo
I, virus am a bad boo
Bad am I a boo, virus
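Invariant scanning from slide 12 combined with the wildcards of slide 16, as an added example that is not the presentation's code: instead of trying keys, both plaintext and ciphertext are reduced to a pattern that no fixed key can change (for XOR, the XOR of adjacent bytes; for ADD, their difference) and the patterns are compared, with the varying byte of bad/mad/sad marked as a wildcard. Key recovery is then a separate, cheap step once a hit is found. The host, key and filler bytes are constructed.

```python
def invariant(values, op):
    """Adjacent-pair pattern; None marks a pair touching a wildcard."""
    out = []
    for a, b in zip(values, values[1:]):
        if a is None or b is None:
            out.append(None)
        elif op == "xor":
            out.append(a ^ b)            # (p^k) ^ (q^k) == p ^ q for any k
        elif op == "add":
            out.append((a - b) & 0xFF)   # (p+k) - (q+k) == p - q for any k
        else:
            raise ValueError(op)
    return out

def invariant_matches(cipher, plain, op):
    """True if some fixed key for op maps plain to cipher; no key is tried."""
    want, got = invariant(plain, op), invariant(cipher, op)
    return all(w is None or w == g for w, g in zip(want, got))

def invariant_scan(buf, plain, op, start, end):
    """Slide the plaintext invariant over the region; return matching offsets."""
    n = len(plain)
    return [off for off in range(start, min(end, len(buf) - n + 1))
            if invariant_matches(buf[off:off + n], plain, op)]

def recover_xor_key(cipher, plain):
    """Key recovery for host repair: the first non-wildcard pair suffices."""
    for c, p in zip(cipher, plain):
        if p is not None:
            return c ^ p
    return None

# Constructed: plaintext with one wildcard (the bad/mad/sad byte of slide 16),
# hidden at offset 6 under XOR 0xC3 between some filler bytes.
PLAIN = [ord(ch) for ch in "I am a "] + [None] + [ord(ch) for ch in "ad virus, boo"]
BODY = bytes(b ^ 0xC3 for b in b"I am a sad virus, boo")
HOST = b"MZ\x90\x00\x03\x00" + BODY + b"PE\x00\x00"

if __name__ == "__main__":
    hits = invariant_scan(HOST, PLAIN, "xor", 0, len(HOST))
    print(hits, hex(recover_xor_key(HOST[hits[0]:], PLAIN)))  # -> [6] 0xc3
```

Because the pattern is computed once per plaintext and compared byte-for-byte, the scan cost does not grow with the key space, which is the practical reason slide 12 lists it beside key recovery.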

Slide 17: Anamorphosis (‘catoptric’). What would metamorphism look like? (image slide)

Slide 18: DIY catoptric anamorphosis (no assembly required) (image slide)

Slide 19: Anamorphosis without a complex optical system (‘oblique’). “The Ambassadors”, Hans Holbein the Younger, 1533 (image slide)

Slide 20: What to do about metamorphism?
 X-raying a metamorphic virus is a little like looking at a stereogram of an anamorphosis
 You need to close one eye
 You need to diverge your eyes
 It’s hard to do both at the same time!
 Open question to the audience

Slide 21: Gunax lbh! Frédéric Perriot fperriot@symantec.com, Peter Ferrie pferrie@symantec.com

