Title :
Finding and extracting crypto routines from malware
Author :
Leder, Felix ; Martini, Peter ; Wichmann, Andre
Author_Institution :
Inst. of Comput. Sci. IV, Univ. of Bonn, Bonn, Germany
Abstract :
In this paper we present a new approach for identifying the crypto routines in different types of malware. In traditional malware analysis, such as sandboxing, network data is examined as seen on the wire, or data is collected as it is written to a file. The use of proprietary binary formats, obfuscation, or encryption hides important details that are necessary for investigating malicious behavior, and it is hardly possible to create decryptors from monitored sandbox data alone. Our approach not only examines the data as it leaves or enters the malware but also correlates it with information from inside the malware. By monitoring the data at I/O interfaces as well as the data dependencies, our approach automatically reveals the data origin. Knowing the data origin enables an analyst to easily find the crypto functions. Using this approach, we were able to identify the encryption, decryption, and command parser in different malware samples, each within minutes. In our evaluation, we present the results for the Kraken command & control protocol encryption and for the file encryption of the Srvcp trojan.
Keywords :
cryptographic protocols; grammars; input-output programs; invasive software; system monitoring; I/O interfaces; Kraken command&control protocol encryption; Srvcp trojan; command parser; crypto routines; data dependencies; data origin; decryption; encryption; file encryption; malware; Computer science; Computerized monitoring; Cryptography; Data mining; Decoding; Performance analysis; Protocols; Reverse engineering; Telecommunication traffic; Wire;
Conference_Title :
Performance Computing and Communications Conference (IPCCC), 2009 IEEE 28th International
Conference_Location :
Scottsdale, AZ
Print_ISBN :
978-1-4244-5737-3
DOI :
10.1109/PCCC.2009.5403858