DocumentCode
595562
Title
CIS: The Crypto Intelligence System for automatic detection and localization of cryptographic functions in current malware
Author
Matenaar, F. ; Wichmann, Arne ; Leder, F. ; Gerhards-Padilla, Elmar
Author_Institution
RWTH Aachen, Aachen, Germany
fYear
2012
fDate
16-18 Oct. 2012
Firstpage
46
Lastpage
53
Abstract
Finding and extracting crypto algorithms in binary code is often a tedious reverse engineering task. A significant amount of manual work is required when unknown implementations are used. This is especially true for malware that contains variants of existing or even completely new algorithms. So far, no flexible and generic crypto detection framework exists that can support analysts in this task. The framework must be able to handle various heuristics, each of which is suited to detecting specific types of cryptographic algorithms. In addition, a suitable set of heuristics must be selected that can identify a wide range of crypto algorithms from various classes, since the type of crypto implemented in a binary is not always known. In this paper, we present the architecture of CIS, the Crypto Intelligence System, which fulfills the requirements for such a framework. Furthermore, we evaluate different heuristics for real-world usage in the framework. The overall evaluation, using real programs, shows that CIS simplifies the job of an analyst significantly, with a high detection ratio and a low false positive ratio.
Keywords
cryptography; invasive software; CIS system; crypto detection framework; cryptographic algorithm; cryptographic function detection; cryptographic function localization; reverse engineering task; Algorithm design and analysis; Cryptography; Entropy; Heuristic algorithms; Instruments; Malware; Runtime;
fLanguage
English
Publisher
ieee
Conference_Titel
Malicious and Unwanted Software (MALWARE), 2012 7th International Conference on
Conference_Location
Fajardo, PR
Print_ISBN
978-1-4673-4880-5
Type
conf
DOI
10.1109/MALWARE.2012.6461007
Filename
6461007