Principles and Practice of X-raying

Frédéric Perriot, Peter Ferrie, Symantec Security Response
2004 Symantec Corporation, All Rights Reserved

DESCRIPTION

PowerPoint presentation, 21 slides, by Frédéric Perriot and Peter Ferrie (Symantec Security Response). X-raying is a detection method based on breaking the encryption of the virus; it works for weak encryption methods, with recent real-world examples among Win32 viruses.

TRANSCRIPT

Page 1: Principles and Practice of X-raying

Principles and Practice of X-raying

Frédéric Perriot, Peter Ferrie
Symantec Security Response

Page 2: Principles and Practice of X-raying

What is x-raying?

A detection method based on breaking the encryption of the virus

Works for weak encryption methods
  – Recent real-world examples among Win32 viruses
  – Applicable to worms as well

Similar to a ‘known plaintext attack’

Page 3: Principles and Practice of X-raying

Example of a ‘known plaintext attack’

Message encrypted with unknown Caesar cipher (corresponding ciphertext):
  Sebz: Crgre
  Fhowrpg: Uryyb IOZZVI

Known plaintext:
  From: Peter

KEY is rot13!

Decrypted message:
  From: Peter
  Subject: Hello VB2004

Page 4: Principles and Practice of X-raying

Differences between x-raying and ‘known plaintext attacks’

X-raying has lower complexity
  – Simpler ciphers
  – Simpler breaking

More constraints for AV than cryptanalysis
  – Time constraints
  – Space (memory usage) constraints

Some specific x-raying techniques
  – Sliding: consider several ciphertexts
  – Hybrid approaches (using decryptor parsing)
  – Encryption algorithm not fixed (XOR or ADD or ROL…)

Page 5: Principles and Practice of X-raying


Analogous to hidden patterns in pictures

Inverted colors

Stereograms

Images d’Épinal

Page 6: Principles and Practice of X-raying


X-raying ‘xor 0xFF’

Page 7: Principles and Practice of X-raying

Typical encryption methods

Fixed op and fixed key

A few ops among a set and fixed keys

Multiple layers

Running keys

No key (RDA)

Strong crypto (IDEA virus)
  – No x-ray, but the crypto itself may be detectable!

Page 8: Principles and Practice of X-raying


A more complex encryption: stereograms

cheep,cheep

Page 9: Principles and Practice of X-raying


Equivalent to X-raying for stereograms

The encryption method is a special projection of a 3D object onto a 2D image

The decryption key is the divergence angle between the directions of the observer's eyes

Infinite number of keys (!)

Seeing a stereogram is hard the first time

Page 10: Principles and Practice of X-raying

Sliding x-ray

Multiple potential ciphertexts distinguish x-raying from a regular known plaintext attack

Virus hidden somewhere in the host program
  – Exact position might not be known because the decryptor is inaccessible (too much I/O)

Often need to x-ray more than one spot
  – Determine an x-ray region based on the geometry of the virus infection method
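Added example, not the presentation's code, of the sliding x-ray described on this slide combined with the "encryption algorithm not fixed" point from slide 4: a known plaintext slides over a region of a constructed host buffer, and at each offset a one-byte XOR, ADD or ROL key is recovered from the first known byte and validated against the rest, with wildcards for bytes that vary. The function names, the sample body and its offset are assumptions.

```python
# Added example (not the presentation's code): sliding x-ray with key recovery.
# At each offset of a region the one-byte key is derived from the first known
# plaintext byte and checked on the rest; the cipher is not fixed (XOR, ADD or
# ROL) and None in the plaintext is a wildcard for a byte that varies.

def rol8(b, n):
    n &= 7
    return ((b << n) | (b >> (8 - n))) & 0xFF
def ror8(b, n):
    n &= 7
    return ((b >> n) | (b << (8 - n))) & 0xFF

# cipher name -> (derive key from one plain/cipher pair, decrypt one byte)
CIPHERS = {
    "xor": (lambda p, c: p ^ c, lambda c, k: c ^ k),
    "add": (lambda p, c: (c - p) & 0xFF, lambda c, k: (c - k) & 0xFF),
    "rol": (lambda p, c: next((n for n in range(8) if rol8(p, n) == c), None),
            lambda c, k: ror8(c, k)),
}

def x_ray_at(cipher, data, offset, plain):
    """Key recovery at one offset: return the one-byte key, or None."""
    derive, decrypt = CIPHERS[cipher]
    key = None
    for i, p in enumerate(plain):
        if p is None:                 # wildcard: byte differs between samples
            continue
        c = data[offset + i]
        if key is None:               # the first known byte fixes the key
            key = derive(p, c)
            if key is None:
                return None
        elif decrypt(c, key) != p:    # every later known byte must agree
            return None
    return key

def sliding_x_ray(data, plain, region=None):
    """Slide over offsets start..end (default: whole buffer); first hit wins."""
    start, end = region if region else (0, len(data) - len(plain))
    for off in range(start, min(end, len(data) - len(plain)) + 1):
        for name in CIPHERS:
            key = x_ray_at(name, data, off, plain)
            if key is not None:
                return off, name, key
    return None

# Constructed sample: a 9-byte body (4 bytes wildcarded) encrypted with
# ADD 0x37 and placed at offset 40 of a host buffer.
BODY = bytes([0x60, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x5D, 0x81, 0xED])
PLAIN = [0x60, 0xE8, None, None, None, None, 0x5D, 0x81, 0xED]
HOST = bytes(range(40)) + bytes((b + 0x37) & 0xFF for b in BODY) + b"\x90" * 8
```

The region argument is where the "geometry of the infection method" enters: restricting the slide to where the body can be keeps the scan within the time budget and cuts false positives.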

Page 11: Principles and Practice of X-raying

Arriving at the enchanted forest,
Feared retreat of two dark giants,
A valiant knight provokes them in combat:
But the hidden giants do not answer him

Practice your sliding x-ray on this Image d’Épinal

Page 12: Principles and Practice of X-raying

Approaches to X-raying (theory)

Key recovery (42 = 6 * ?)
  – Attempts to recover the encryption key
  – May be necessary for host repair

Key validation (is 7394502 prime?)
  – Attempts to prove that a valid (sub)key exists

Invariant scanning (which is divisible by 3: 29369, 117, 3514?)
  – Reduces the ciphertext to patterns independent from the encryption key
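Added example, not from the presentation, for the invariant-scanning approach above, extended to the "running keys" method listed on slide 7: the known plaintext is reduced once to a key-independent pattern, every ciphertext window is reduced the same way, and the scan compares patterns without ever deriving a key. The reduction names, the sample body and the encryption helpers are constructed for this example.

```python
# Added example, not from the presentation: invariant scanning. The known
# plaintext is reduced ONCE to a pattern the encryption cannot change, the same
# reduction is applied to each ciphertext window, and the two are compared.
#   xor1: XOR of neighbouring bytes, invariant under a fixed one-byte XOR key
#   add1: difference of neighbours (mod 256), invariant under a fixed ADD key
#   add2: second difference, invariant under a running ADD key k_i = k0 + i*d
#         (the per-byte increment d cancels in the second difference)

def xor_diff(buf):
    return bytes(a ^ b for a, b in zip(buf, buf[1:]))

def add_diff(buf):
    return bytes((b - a) & 0xFF for a, b in zip(buf, buf[1:]))

INVARIANTS = {
    "xor1": xor_diff,
    "add1": add_diff,
    "add2": lambda buf: add_diff(add_diff(buf)),
}

def invariant_scan(data, plain):
    """Return (offset, invariant) of the first window of data whose reduced
    form equals the reduced known plaintext, or None. No key is derived."""
    n = len(plain)
    reduced = {name: f(plain) for name, f in INVARIANTS.items()}
    for off in range(len(data) - n + 1):
        window = data[off:off + n]
        for name, f in INVARIANTS.items():   # most specific invariant first
            if f(window) == reduced[name]:
                return off, name
    return None

# Constructed samples: one 12-byte body, three encryptions of it, each placed
# behind the same 32-byte host prefix so the body starts at offset 32.
PLAIN = bytes([0x60, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x5D, 0x81, 0xED, 0x05, 0x00, 0x00])
FILLER = bytes(range(0x10, 0x30))

def encrypt_xor(p, k):
    return bytes(b ^ k for b in p)

def encrypt_add(p, k):
    return bytes((b + k) & 0xFF for b in p)

def encrypt_running_add(p, k0, d):
    return bytes((b + k0 + i * d) & 0xFF for i, b in enumerate(p))
```

A reduction discards information (add2 in particular accepts anything add1 accepts), so a hit on a short pattern is normally confirmed by key recovery on that window before it is reported.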

Page 13: Principles and Practice of X-raying

Approaches to X-raying (real-world uses)

Key recovery
  – W32/Magistr
  – W32/Perenast (aka W32/Stepar)

Key validation
  – W32/Bagif (useful for variants detection)

Invariant scanning
  – W32/Efish
  – W32/Perenast

Page 14: Principles and Practice of X-raying


Anatomy of a sample x-ray

Substitution cipher

Used by W32/Efish

Simple and homophonic
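Added example, not the presentation's or Symantec's code, of key validation for a byte-wise substitution cipher of the kind this slide attributes to W32/Efish, in both the simple and the homophonic form. The sample body, the substitution table and the host filler are constructed for the example.

```python
# Added example, not from the presentation: key validation for a byte-wise
# substitution cipher. The key is a 256-entry table that is never recovered in
# full; the x-ray only checks whether SOME table consistent with the known
# plaintext could have produced the window. Two flavours:
#   simple: a one-to-one table, so cipher->plain and plain->cipher must both
#           be functions (repeated plain bytes must repeat in the ciphertext)
#   homophonic: one plain byte may have several cipher images, but each cipher
#           byte still decodes to exactly one plain byte

def substitution_consistent(plain, window, homophonic):
    """Return the partial cipher->plain table if window can be a substitution
    encryption of plain (None entries in plain are wildcards), else None."""
    c2p = {}   # cipher byte -> plain byte, a function in both flavours
    p2c = {}   # plain byte -> cipher byte, a function only for the simple cipher
    for p, c in zip(plain, window):
        if p is None:
            continue
        if c2p.setdefault(c, p) != p:
            return None        # one cipher byte would decode to two plain bytes
        if not homophonic and p2c.setdefault(p, c) != c:
            return None        # simple table cannot give one plain byte two images
    return c2p

def substitution_x_ray(data, plain, homophonic=False):
    """Slide over data; return (offset, partial table) of the first window
    that admits a consistent table, or None."""
    n = len(plain)
    for off in range(len(data) - n + 1):
        table = substitution_consistent(plain, data[off:off + n], homophonic)
        if table is not None:
            return off, table
    return None

# Constructed sample: a body with repeated bytes (repeats are what give the
# check its discriminating power), a simple and a homophonic encryption of it,
# and host filler whose own repeats rule out accidental matches.
PLAIN = bytes([0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x55, 0x8B, 0xEC, 0x33, 0xC0, 0xC3])
TABLE = {0x55: 0x01, 0x8B: 0x02, 0xEC: 0x03, 0x33: 0x04, 0xC0: 0x05, 0xC3: 0x06}
SIMPLE_CT = bytes(TABLE[b] for b in PLAIN)
# homophonic variant: the second occurrence of each byte uses a second image
HOMO_CT = bytes(c + (0x10 if 5 <= i <= 9 else 0) for i, c in enumerate(SIMPLE_CT))
FILLER = bytes(range(4)) * 8
```

With a plaintext of all-distinct bytes the homophonic check accepts any window of distinct bytes, so this x-ray is only selective when the known plaintext is long enough to contain repeated bytes.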

Page 15: Principles and Practice of X-raying


Can you catch Efish?

Page 16: Principles and Practice of X-raying


What about variable plaintext?

So far we assumed plaintext was fixed

Wildcards are possible (see Bagif)

What if the majority of the plaintext varies?

I am a bad virus, boo

I am a bad virus, boo

I am a bad virus, boo

I am a bad virus, boo

I am a mad virus, boo

I am a sad virus, boo

I am a bad virus, boo

I, virus am a bad boo

Bad am I a boo, virus

Page 17: Principles and Practice of X-raying

Anamorphosis (‘catoptric’)

What would metamorphism look like?

Page 18: Principles and Practice of X-raying

DIY catoptric anamorphosis (no assembly required)

Page 19: Principles and Practice of X-raying

Anamorphosis without a complex optical system (‘oblique’)

“The Ambassadors”

Hans Holbein the younger, 1533

Page 20: Principles and Practice of X-raying

What to do about metamorphism?

X-raying a metamorphic virus is a little like looking at a stereogram of an anamorphosis

You need to close one eye

You need to diverge your eyes

It’s hard to do both at the same time!

Open question to the audience

Page 21: Principles and Practice of X-raying

Gunax lbh! (rot13: Thank you!)

Frédéric [email protected]
[email protected]