
Deobfuscating Embedded Malware Using Probable-Plaintext Attacks

Conference paper. Research in Attacks, Intrusions, and Defenses (RAID 2013)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8145)

Abstract

Malware embedded in documents is regularly used as part of targeted attacks. To hinder detection by anti-virus scanners, the embedded code is usually obfuscated, often with simple Vigenère ciphers based on XOR, ADD and additional ROL instructions. While for short keys these ciphers can be easily cracked, breaking obfuscations with longer keys requires manually reverse engineering the code or dynamically analyzing the documents in a sandbox. In this paper, we present Kandi, a method capable of efficiently decrypting embedded malware obfuscated using Vigenère ciphers. To this end, our method performs a probable-plaintext attack from classic cryptography using strings likely contained in malware binaries, such as header signatures, library names and code fragments. We demonstrate the efficacy of this approach in different experiments. In a controlled setting, Kandi breaks obfuscations using XOR, ADD and ROL instructions with keys up to 13 bytes in less than a second per file. On a collection of real-world malware in Word, PowerPoint and RTF files, Kandi is able to expose obfuscated malware from every fourth document without involved parsing.
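As an added illustration (not the paper's Kandi implementation), the following Python code performs a probable-plaintext attack in the spirit of the abstract: it slides strings that a PE binary is likely to contain over an XOR- or ADD-obfuscated blob, derives a candidate repeating key for each key length up to 13 bytes, rejects placements whose key bytes contradict each other, and keeps the shortest key whose decryption exposes the most probable strings. The sample "binary", the 7-byte key and the list of probable strings are constructed for this example; ROL keys are not handled.

```python
# Strings that are likely to appear inside a Windows PE binary (constructed list).
PROBABLE = [b"This program cannot be run in DOS mode", b"KERNEL32.dll", b"GetProcAddress"]

def apply(data: bytes, key: bytes, op: str, decrypt: bool = True) -> bytes:
    """Apply a repeating-key XOR or ADD; the ADD key is subtracted when decrypting."""
    out = bytearray()
    for i, c in enumerate(data):
        k = key[i % len(key)]
        if op == "xor":
            out.append(c ^ k)
        else:
            out.append((c - k) % 256 if decrypt else (c + k) % 256)
    return bytes(out)

def derive_key(cipher: bytes, plain: bytes, offset: int, n: int, op: str):
    """Assume `plain` sits at `offset`; derive the n-byte key, or None on contradiction."""
    key = [None] * n
    for j, p in enumerate(plain):
        c = cipher[offset + j]
        k = c ^ p if op == "xor" else (c - p) % 256
        slot = (offset + j) % n
        if key[slot] is None:
            key[slot] = k
        elif key[slot] != k:      # same key position, different byte: wrong offset or length
            return None
    return None if None in key else bytes(key)

def crack(cipher: bytes, max_keylen: int = 13, probable=PROBABLE):
    """Return (op, key, hits): shortest key whose decryption shows the most probable strings."""
    best = None
    for op in ("xor", "add"):
        for n in range(1, max_keylen + 1):
            for plain in probable:
                if len(plain) < n:        # string too short to fix every key byte
                    continue
                for off in range(len(cipher) - len(plain) + 1):
                    key = derive_key(cipher, plain, off, n, op)
                    if key is None:
                        continue
                    dec = apply(cipher, key, op)
                    hits = sum(dec.count(s) for s in probable)
                    if best is None or hits > best[2]:
                        best = (op, key, hits)
    return best

# Constructed sample "binary" and key; a real blob would be carved out of a document.
SAMPLE_PLAIN = (b"MZ\x90\x00" + b"\x00" * 20 + b"This program cannot be run in DOS mode.\r\n"
                + b"PE\x00\x00" + b"\x00" * 16 + b"KERNEL32.dll\x00GetProcAddress\x00LoadLibraryA\x00")
KEY = b"\x5a\x13\xc7\x08\x91\xfe\x3d"   # arbitrary 7-byte key for the demonstration
```

Calling `crack(apply(SAMPLE_PLAIN, KEY, "xor", decrypt=False))` returns `("xor", KEY, 3)`, i.e. the operation, the recovered key and the number of probable strings exposed; the ADD variant is recovered the same way.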




© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Wressnegger, C., Boldewin, F., Rieck, K. (2013). Deobfuscating Embedded Malware Using Probable-Plaintext Attacks. In: Stolfo, S.J., Stavrou, A., Wright, C.V. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2013. Lecture Notes in Computer Science, vol 8145. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41284-4_9


  • DOI: https://doi.org/10.1007/978-3-642-41284-4_9

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-41283-7

  • Online ISBN: 978-3-642-41284-4

  • eBook Packages: Computer Science (R0)
