Cryptanalytic: Professionally Trace and Get Rid of the Malware in the System using CipherXray
Abstract— Malware is software that compromises computer functions, bypasses access controls, steals data, or otherwise harms the host computer. More and more malware uses cryptographic algorithms (e.g., for encryption, packing and C&C communication) to protect itself from analysis. An enormous amount of time and resources is saved by prioritizing which samples to analyze, either to set aside variants and novel malware or to re-analyze samples for better insight into their evolution. The use of cryptographic secrets and algorithms inside the malware binary introduces a key obstacle to effective malware analysis. To enable more effective malware analysis, forensics, and reverse engineering, we present CipherXray, a novel binary analysis framework that can automatically identify and recover the cryptographic operations and transient secrets from the execution of potentially obfuscated binary executables. Based on the avalanche effect of cryptographic functions, it can accurately pinpoint the boundary of a cryptographic operation and recover truly transient cryptographic secrets that exist in memory for only an instant between multiple nested cryptographic operations. CipherXray further identifies certain operation modes (e.g., ECB, CBC, CFB) of the identified block cipher and, in certain cases, reports whether the identified block cipher operation is encryption or decryption. CipherXray is able to identify various cryptographic operations and recover cryptographic secrets that exist in memory for only a few microseconds. The results demonstrate that current software implementations of cryptographic algorithms hardly achieve any secrecy if their execution is monitored, which allows the malware to be removed completely.
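The abstract rests on two observable properties: a cryptographic function exhibits an avalanche effect (flipping one input bit changes about half of the output bits), and the way a one-bit change propagates through a block cipher's output betrays both the block boundary and the mode of operation. The following is an added illustration written for this page, not code from the CipherXray paper or its authors. It uses only the Python standard library, so a keyed SHA-256 truncated to 16 bytes stands in for a real block cipher (an assumption made purely for self-containment); the key, IV and plaintext are constructed sample values.

```python
"""Added example (not from the CipherXray paper): the avalanche effect as a
test for whether a transformation is cryptographic, and a bit-flip probe that
reveals block boundaries and distinguishes ECB, CBC and CFB by how a single
plaintext change propagates into the ciphertext."""
import hashlib

BLOCK = 16  # block size in bytes, as for AES

# Constructed sample values. A hash-based keyed block function stands in for a
# real block cipher because the standard library ships no AES.
KEY = b"constructed-16-B"
IV = b"constructed-IV-16"[:BLOCK]
SAMPLE = bytes(range(32))
PLAINTEXT = b"".join(s.ljust(BLOCK, b".") for s in
                     (b"block zero", b"block one", b"block two", b"block three"))


def flip_bit(data: bytes, bit: int) -> bytes:
    """Return a copy of data with one bit (LSB-first within each byte) inverted."""
    buf = bytearray(data)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


def hamming_distance(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_ratio(func, data: bytes, trials: int = 64) -> float:
    """Mean fraction of output bits that change when one input bit is flipped.
    Cryptographic primitives sit near 0.5; byte-local transforms sit near 0."""
    base = func(data)
    out_bits, in_bits = len(base) * 8, len(data) * 8
    return sum(hamming_distance(base, func(flip_bit(data, i % in_bits))) / out_bits
               for i in range(trials)) / trials


def looks_cryptographic(func, data: bytes, threshold: float = 0.4) -> bool:
    return avalanche_ratio(func, data) >= threshold


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def xor_with_key(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR: a common obfuscation with no avalanche at all."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in keyed block function (NOT a real cipher): keyed SHA-256, truncated."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    return b"".join(toy_block_encrypt(key, pt[i:i + BLOCK])
                    for i in range(0, len(pt), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_block_encrypt(key, xor(pt[i:i + BLOCK], prev))  # C_i = E(P_i ^ C_{i-1})
        out.append(prev)
    return b"".join(out)


def cfb_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = xor(pt[i:i + BLOCK], toy_block_encrypt(key, prev))  # C_i = P_i ^ E(C_{i-1})
        out.append(prev)
    return b"".join(out)


def changed_blocks(func, data: bytes, bit: int, block: int = BLOCK) -> list:
    """Flip one input bit and report which output blocks differ (the block
    boundary shows up as the granularity of the change)."""
    base, out = func(data), func(flip_bit(data, bit))
    return [i for i in range(len(base) // block)
            if base[i * block:(i + 1) * block] != out[i * block:(i + 1) * block]]


def guess_mode(func, data: bytes, block: int = BLOCK) -> str:
    """Flip the first bit of block 1 and watch where the change lands.
    ECB: only block 1 changes. CBC and CFB: blocks 1..n-1 change, but under
    CFB the block holding the flip differs in exactly one bit (the keystream
    for that block is unchanged), whereas under CBC about half its bits flip."""
    n = len(data) // block
    bit = block * 8
    changed = changed_blocks(func, data, bit, block)
    if changed == [1]:
        return "ECB"
    if changed == list(range(1, n)):
        base, out = func(data), func(flip_bit(data, bit))
        diff = hamming_distance(base[block:2 * block], out[block:2 * block])
        return "CFB" if diff == 1 else "CBC"
    return "unknown"


if __name__ == "__main__":
    for name, f in (("sha256", sha256), ("xor_with_key", xor_with_key)):
        print(f"{name}: avalanche={avalanche_ratio(f, SAMPLE):.3f} "
              f"cryptographic={looks_cryptographic(f, SAMPLE)}")
    print("ecb ->", guess_mode(lambda p: ecb_encrypt(KEY, p), PLAINTEXT))
    print("cbc ->", guess_mode(lambda p: cbc_encrypt(KEY, IV, p), PLAINTEXT))
    print("cfb ->", guess_mode(lambda p: cfb_encrypt(KEY, IV, p), PLAINTEXT))
```

The avalanche probe is what separates a genuine cipher from the XOR-style obfuscation that packers and droppers often use, and the block-granular propagation of a single flipped bit is the same signal the abstract describes for locating a cryptographic operation's boundary and naming its mode. In a real tracer the "function" under test is a region of the monitored execution rather than a Python callable, but the measurements are the same.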
Index Terms — Binary Executables, C&C Communication, Cryptographic Operations, Transient Secrets.
International Journal for Trends in Technology & Engineering © 2015 IJTET JOURNAL