Identifying Encryption

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with

Already have an account? Sign In »

3 hours 41 minutes
Video Transcription
Okay, so let's look at our last challenge as it relates to encoding, which is identifying encryption. Now, I should mention that in this session will learn how to find encryption in your malware. But the reverse engineering of encryption will be presented in a later, more advanced Siri's.
Generally malware authors will use simple encoding techniques in their malware, but depending on their technical expertise, they may also use encryption.
There's a couple of approaches you can use to identify cryptographic functions in a binary.
First, you could look for strings or imports that reference different types of cryptographic libraries or functions.
Another technique you could use is to scan the binary for different types of well known cryptographic constance.
And lastly, you could scan the binary for sequences or instructions used by different types of cryptographic routines.
Now, as a review of some terms, when we're talking about encryption, the plane tax refers to any encrypted message as a review of some terms. When we're talking about encryption, the plane tax refers toe, any encrypted message that the malware uses during its execution. This isn't limited to just a text string.
This could be network traffic or second stage content, additional files,
anything that the malware wants to encrypt.
The cipher text refers to the encrypted message. This could be an encrypted command being sent to a C two server, an encrypted file or any piece of content the malware received from the command and Control server to assist in its execution
to encrypt data. The encryption function present in Mauer takes the plain text and passes it through the encryption function along with the key. This produces the cipher text
on the other end. Now where might receive content or configuration files and pass it through its own description function, along with the cipher text and the key to decrypt the content.
To understand how something is decrypted, you'll want to focus on identifying the encryption or decryption function as well as the key.
Once you've identified the function that's performing, the encryption or decryption thes could give you an idea as to how the content is being decrypted or encrypted. The'keeper's used and the algorithm used to perform these operations
a very useful tool that we can use in our lab to search for cryptographic signatures in a binary is signed search. This tool relies on the signature filed toe identify these signatures,
which comes bundled with software. It's got a myriad of helpful options. Let's look at two.
The first is to scan the sample you're interested in using D dash E Option.
Using this option, the tool displays the virtual address of where the signature was detected. The binary.
As you can see signs search detects the E s algorithm being used at virtual address. 0040 c nine away.
Once you know the address of where the indicator is, you can use Ida Pro to go to the address.
So let's load the binary in Ida pro. And here in our graph, you can press the G button.
This will jump you to a specific address.
So here in this box, we can type the address of the function that we've identified, which is at address 40 C nine a. Wait and then we click. Okay,
Now I know pro takes us to the address containing the indicator, which is a reference. If you want to know where this reference is being used throughout the program, you can use the cross references a shortcut similarly to as we did previously and jump into the function.
Now this is pretty useful, as we can examine how this function is being used during our static analysis, as the virtual address can be used while we are debugging a program.
Another option we have with Sign search is to use the dash option.
So if we run, sign search with the Dash F option. This will also identify the crypto functions. But instead of having us to navigate around the code, this option will give us the address of the function of where the indicator is located.
This gives us an address of 401 e nine to.
And so now that we have the address, we can navigate toothy function in Ida Pro. And if we navigate to the top, you can see terms that deal with photography, indicating we're probably on the right track.
All right, so now that we've looked at different ways to identify encryption, let's wrap up this module by detail ing some other Mauer challenges in the form of anti analysis techniques
Up Next
Advanced Malware Analysis: Redux

In this course, we introduce new techniques to help speed up analysis and transition students from malware analyst to reverse engineer. We skip the malware analysis lab set up and put participants hands on with malware analysis.

Instructed By