Aligot: Cryptographic function identification in obfuscated binary programs

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2012, Pages 169-182

  Calvet, Joan ^a   Fernandez, José M ^b   Marion, Jean Yves ^a  

^a UNIVERSITÉ DE LORRAINE   (France)

^b ÉCOLE POLYTECHNIQUE DE MONTRÉAL   (Canada)

Author keywords

Binary program analysis; Cryptography; Malware

Indexed keywords

ASYMMETRIC CIPHERS; BASIC OPERATION; BINARY PROGRAMS; COMMERCIAL GRADE; CRYPTOGRAPHIC FUNCTIONS; CRYPTOGRAPHIC IMPLEMENTATION; CRYPTOGRAPHIC PRIMITIVES; EXPERIMENTAL EVALUATION; IDENTIFICATION TOOLS; INPUT-OUTPUT; INTEGRAL PART; MALWARE ANALYSIS; MALWARES; STATIC FEATURES;

COMPUTER WORMS; SECURITY OF DATA;

CRYPTOGRAPHY;

EID: 84869451078     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2382196.2382217     Document Type: Conference Paper

References (37)

1. AsProtect packer. http://www.aspack.com/asprotect.html.
2. Polar SSL library Web site. http://polarssl.org.
3. A. Aho, J. Ullman, and S. Biswas. Principles of Compiler Design. Addison-Wesley, 1977.
4. L. Auriemma. Signsrch tool. http://aluigi.altervista.org/mytoolz.htm.
5. F. Boldewin. Peacomm.c Cracking the nutshell. http://www.reconstructer. org/papers/Peacomm.C-Crackingthenutshell.zip.
6. J. Caballero, P. Poosankam, C. Kreibich, and D. Song. Dispatcher: Enabling active botnet infiltration using automatic protocol reverse-engineering. In Proc. 16th ACM Conf. on Computer and Communications Security (CCS), pages 621-634, 2009.
7. J. Calvet, C. Davis, and P. Bureau. Malware authors don't learn, and that's good! In Proc. 4th Int. Conf. on Malicious and Unwanted Software (MALWARE), pages 88-97. IEEE, 2009.
8. J. Daemen and V. Rijmen. The design of Rijndael: AES-the advanced encryption standard. Springer-Verlag, 2002.
9. N. Fallière. Reversing Trojan.Mebroot's Obfuscation. In Reverse Engineering Conference (REcon), 2010.
10. F. Gröbert, C. Willems, and T. Holz. Automated identification of cryptographic primitives in binary programs. In Proc. Recent Advances in Intrusion Detection (RAID), pages 41-60. Springer, 2011.
11. J. Halderman, S. Schoen, N. Heninger, W. Clarkson, W. Paul, J. Calandrino, A. Feldman, J. Appelbaum, and E. Felten. Lest we remember: cold-boot attacks on encryption keys. Comm. of the ACM, 52(5):91-98, 2009.
12. S. Henson et al. OpenSSL library.http://openssl.org.
13. J. Hopcroft, R. Motwani, and J. Ullman. Introduction to automata theory, languages, and computation. Addison-Wesley, 2007.
14. M. Kobayashi. Dynamic characteristics of loops. IEEE Trans. on Computers, 100(2):125-132, 1984.
15. I. O. Levin. Draft crypto analyzer (draca). http://www.literatecode.com/ draca.
16. D. Litzenberger. PyCrypto - The python cryptography toolkit, 2011.
17. C. Luk, R. Cohn, R. Muth, H. Patil, A. Klauser, G. Lowney, S. Wallace, V. Reddi, and K. Hazelwood. Pin: building customized program analysis tools with dynamic instrumentation. ACM SIGPLAN Notices, 40:190-200, 2005.
18. N. Lutz. Towards revealing attacker's intent by automatically decrypting network traffic. Master's thesis, ETH Zürich, Switzerland, 2008.
19. C. Maartmann-Moe, S. Thorkildsen, and A. Arnes. The persistence of memory: Forensic identification and extraction of cryptographic keys. Digital Investigation, 6:S132-S140, 2009.
20. P. Montgomery. Modular multiplication without trial division. Mathematics of Computation, 44(170):519-521, 1985.
21. M. Morgenstern and H. Pilz. Useful and useless statistics about viruses and anti-virus programs. In Proc. CARO Workshop, 2010.
22. L. O Murchu. Trojan.silentbanker decryption. http://www.symantec.com/ connect/blogs/trojansilentbanker-decryption.
23. R. Rivest. RFC 1321: The MD5 message-digest algorithm. Internet Activities Board, 143, 1992.
24. R. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Comm. of the ACM, 21(2):120-126, 1978.
25. C. E. Shannon. Communication theory of secrecy systems. Bell System Technical Journal, 28(4):656-715, 1949.
26. N. Stewart. Inside the storm: Protocols and encryption of the Storm botnet. In Black Hat Technical Security Conference, 2008.
27. S. Trilling. Project Green Bay - Calling a Blitz on Packers. In CIO Digest: Strategies and Analysis from Symantec, 2008.
28. J. Tubella and A. González. Control speculation in multithreaded processors through dynamic loop detection. In Proc. 4th Int. Symp. on High-Performance Computer Architecture, pages 14-23. IEEE, 1998.
29. VeriSign. Silentbanker analysis. http://www.verisign.com/static/043671. pdf.
30. Russian TEA assembly code. http://www.xakep.ru/post/22086/default.asp.
31. C. Wang, J. Hill, J. Knight, and J. Davidson. Software tamper resistance: Obstructing static analysis of programs. Technical Report CS-2000-12, University of Virginia, 2000.
32. Z. Wang, X. Jiang, W. Cui, X. Wang, and M. Grace. ReFormat: Automatic reverse engineering of encrypted messages. In Proc. ESORICS, pages 200-215, 2009.
33. PEiD Krypto Analyzer (kanal). http://www.peid.info.
34. RC4 source code. http://cypherpunks.venona.com/date/1994/09/msg00304. html.
35. D. Wheeler and R. Needham. TEA, a tiny encryption algorithm. In Proc. Fast Software Encryption, pages 363-366. Springer, 1995.
36. V. Zakorzhevsky. A new version of Sality at large. http://www.securelist. com/en/blog/180/A-new-version-of-Sality-at-large.
37. R. Zhao, D. Gu, J. Li, and R. Yu. Detection and analysis of cryptographic data inside software. Information Security, pages 182-196, 2011.