Index > Course > 2021-02-18: New Chapter: Data Encoding / Encrypting
There’s some base64 coming up yoooo
Malware uses encoding and encryption to:
Our attack process is:
Malware likes ‘poor’ encryption algorithms, because:
Malware authors don’t expect to be immune from analysis, they’re just looking for a quick and easy way to evade detection.
Prior to execution, malware creates two files in a browser cache directory:
Prof. notes that the tool Regshot would help us spot this. Regshot takes a snapshot of the registry (and, optionally, the file system) before a binary is run, then compares against a second snapshot afterwards and reports what changed, so newly dropped files like these show up directly.
A hexdump of the .gif file shows no recognizable file header, and a lot of 0x12 bytes.
Assuming the file uses XOR with a single-byte key, we can simply try all 255 non-zero keys (key 0x00 would leave the data unchanged). Key 0x12 reveals an MZ header, and the runs of 0x12 in the ciphertext turn into the runs of zeros a PE file is full of. That is also the shortcut: since a binary is mostly zero bytes, the most frequent ciphertext byte is usually 0x00 ^ key, i.e. the key itself.
Defenders can counter this cheaply: take an existing signature and pre-compute its XOR with each of the 255 possible keys. A match then both detects the XOR'd sample and immediately tells you which key was used. Malware authors respond with a small tweak that skips certain bytes:
/* "Skip-zero" XOR: bytes equal to 0x00 or to the key are left untouched */
void xor_skip_zero(unsigned char *buf, size_t len, unsigned char key) {
    for (size_t i = 0; i < len; i++) {
        if (buf[i] != 0 && buf[i] != key)
            buf[i] ^= key;
    }
}
Binaries have lots of zeros in them. By not XORing the zeros, the most common byte of the ciphertext is still 0x00 rather than the key, so the key no longer jumps out of a hexdump, and pre-baked "signature XOR key" patterns no longer match where the signature contains zeros. Skipping bytes equal to the key is what keeps the routine its own inverse: a plaintext byte equal to the key would otherwise encrypt to 0x00, and decryption would then skip it instead of restoring it.
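Added example (not from the lecture): a small script that brute-forces a single-byte XOR key against a constructed stand-in for a PE file, and shows why the skip-zero variant above defeats the most-common-byte shortcut while a header-based brute force still recovers the key. The sample bytes and the key 0x12 are constructed for the demonstration.

```python
# Added example: single-byte XOR recovery, plain vs. "skip-zero" variant.
from collections import Counter

def xor_plain(data: bytes, key: int) -> bytes:
    """Ordinary single-byte XOR; encryption and decryption are the same op."""
    return bytes(b ^ key for b in data)

def xor_skip_zero(data: bytes, key: int) -> bytes:
    """Variant from the notes: bytes equal to 0x00 or to the key are left alone.
    Skipping the key byte keeps the function self-inverse (a plaintext byte equal
    to the key would otherwise encrypt to 0x00 and be skipped on decryption)."""
    return bytes(b if b in (0, key) else b ^ key for b in data)

def guess_key_by_frequency(data: bytes) -> int:
    """Shortcut that works for plain XOR: PE files are mostly 0x00, so the
    most common ciphertext byte is usually 0x00 ^ key == key."""
    return Counter(data).most_common(1)[0][0]

def brute_force_mz(data: bytes):
    """Try all 255 non-zero keys against both transforms. Return
    (key, variant, zero_count) for every decryption that starts with 'MZ';
    the decryption with the most zero bytes is the plausible one, since a
    wrong variant turns the padding into key bytes instead of zeros."""
    hits = []
    for key in range(1, 256):
        for name, fn in (("plain", xor_plain), ("skip_zero", xor_skip_zero)):
            pt = fn(data, key)
            if pt[:2] == b"MZ":
                hits.append((key, name, pt.count(0)))
    return hits

# Constructed stand-in for a PE: DOS header fragment, zero padding, PE magic.
SAMPLE_PE = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
             + b"\x00" * 48 + b"PE\x00\x00")
KEY = 0x12  # constructed key, matching the value seen in the hexdump above

if __name__ == "__main__":
    ct_plain = xor_plain(SAMPLE_PE, KEY)
    ct_skip = xor_skip_zero(SAMPLE_PE, KEY)
    # Frequency shortcut: finds 0x12 for plain XOR, but only 0x00 for skip-zero.
    print("plain xor, most common byte:     0x%02x" % guess_key_by_frequency(ct_plain))
    print("skip-zero xor, most common byte: 0x%02x" % guess_key_by_frequency(ct_skip))
    # Header brute force still works for both; the zero count tells the variants apart.
    print("MZ brute force, plain ct:    ", brute_force_mz(ct_plain))
    print("MZ brute force, skip-zero ct:", brute_force_mz(ct_skip))
```

Both transforms reveal the MZ header under the right key, so the header check alone does not say which routine the malware used; the zero count does, because decrypting with the wrong variant leaves the padding as 0x12 bytes instead of zeros.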
In the disassembly, XOR decryption shows up as an XOR instruction inside a small loop. In an IDA disassembly view, use Search > Text for "xor" and make sure "Find all occurrences" is checked so you get a list rather than the first hit. Expect noise: most hits will be the `xor reg, reg` idiom the compiler uses to zero a register, so look for XORs whose operands are a memory byte and a constant or a key register, sitting inside a loop.
XORs appear in three forms: