Wednesday 4 October 16:30 - 17:00, Red room
Julia Karpin (F5 Networks)
Anna Dorfman (F5 Networks)
A significant part of the malware research process is dedicated to reversing cryptographic algorithms in order to extract the decrypted content. Revealing this content provides access to the heart of the malware: all the strings, Windows API calls, DGA algorithms, communication protocols, and when focusing on financial malware, the list of targeted institutions and webinjects. Malware authors know that we're after this data, which is why they put considerable effort into constantly changing their encryption routines and designing customized implementation algorithms. Even the smallest change requires significant work on the part of the malware researcher: reversing has to be applied to reconstruct the encryption scheme.
Over the years, numerous plug-ins and tools have been developed to solve this problem. Some have been highly academic endeavours that relied on complicated algorithms to identify cryptography, but which were not adapted for real-world usage; others relied on signature checks to locate specific algorithms. We wanted to find a lightweight and practical implementation that would effectively speed up the research process. That’s why we developed an automated approach, based on a heuristic way of detecting such cryptographic algorithms regardless of the type of algorithm used, that extracts their plain text output. The implementation of this approach saves a lot of valuable research time.
Our implementation, "Crypton", works by unpacking the malware, then following injected code and memory allocations in order to identify blocks of cryptographic code, and inspecting the allocations for decrypted data. Our tool will follow all the processes created and injected by the malware as the decryption may happen in any one of them - therefore we must follow any execution flow.
We plan to give some insights into our work with the latest financial malware, their internals and their usage of cryptographic algorithms, compression routines and pseudo random generators. We will describe the idea and the architecture of the Crypton tool and present a demo with live malware and our complementary IDA-python script that identifies all crypto blocks inside a memory dump.
Julia Karpin has been a financial malware researcher for most of the current decade. Having started as a malware reverser at Trusteer (now an IBM company), Julia is currently a senior malware researcher at F5 Networks.
Julia graduated from Israel's institute of technology (Technion) in 2012, during her studies she worked as a security analyst at Check Point Software Technologies.
Anna Dorfman is a malware reverser who's also a cryptography enthusiast. She is currently a malware researcher at F5 Networks.
Anna graduated with a B.Sc. in computer science from the University of Bar-Ilan at 2013. Her previous roles include software engineering at Versafe (now F5 Networks).
Tiberius Axinte (Bitdefender)
This paper provides an in-depth analysis of the macOS version of the APT28 component known as XAgent. We will dissect the…
John Graham-Cumming (Cloudflare)
In February 2017, Cloudflare was revealed to have been leaking private information including HTTP headers, cookies and POST data…
Juan Andres Guerrero-Saade (Kaspersky Lab)
Costin Raiu (Kaspersky Lab)
Attribution is complicated under the best of circumstances. Sparse attributory indicators and the possibility of overt…