Hacking The Hacker

Post on 14-Aug-2015


Transcript of Hacking The Hacker

Fighting back against the DirCrypt bully

Nitay Artenstein

Michael Shalyt

HACKING THE HACKER

BLACK HAT

“A ‘black hat’ hacker is a hacker who violates computer security for little reason beyond maliciousness or for personal gain” - Wikipedia.

WHITE HAT

“A ’white hat’ hacker breaks security for non-malicious reasons… The term "white hat" in Internet slang refers to an ethical hacker.” - Wikipedia.


THE GRANDMA

THE GRANDDAUGHTER

WHAT JUST HAPPENED?

CRYPTERS IN THE WILD

FOR EXAMPLE: DIRCRYPT

ENCRYPTION DEMO

CRYPTO 101

CRYPTERS ARE WRONGER

• “Innocence based” attacks.

• Scare tactics.

• The victim pays the price, unlike banking trojans.

• Highschool bully – crypters will evolve and spread as long as victims pay the ransom instead of resisting.

AND NOW FOR THE GOOD PART…

• It's hard to implement a secure cryptographic protocol

• Many malware writers are not exactly masters of secure coding

• What if we can hack the hackers and save Grandma?

LOOKS LIKE A JOB FOR A REVERSER

WHAT IS REVERSE ENGINEERING?

• The malware executable holds some of the secrets we need to uncover:

MALWARE RESEARCHER == DETECTIVE

• A malware binary is like a crime scene

• Through skill and experience, a reverse engineer develops a “nose for mystery”

• A bunch of tools help us rise above the bits and bytes, and make it easier to connect the dots

THE GOAL: MOVE FROM THIS…

TO THIS

FROM PLAINTEXT TO CIPHER

IMAGINE YOU WERE A HACKER…

• Where would you hide the key?

• Your options: the registry, a hidden file, or only on the C&C server

• There is always a compromise

A FEW SLEEPLESS NIGHTS LATER…

SO NOW WE HAVE A HINT

THE UNBEARABLE LIGHTNESS OF KEY REUSE

ATTACKING KEY REUSE

• Which files will always be on Windows?

• We need the largest file possible. Sample videos?

• The max size decryptable will be the size of that file
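The key-reuse attack sketched in these slides, as an added example that is not part of the original talk: the keystream is recovered from one file whose contents are already known (a stock Windows sample file) and applied to other encrypted files, and anything beyond the known file's length stays encrypted. It assumes the crypter applies a stream cipher (keystream XORed with the plaintext) under one reused key; the keystream generator and the sample files are constructed stand-ins.

```python
import hashlib
from typing import Tuple

def keystream(key: bytes, length: int) -> bytes:
    """Stand-in for the crypter's keystream: SHA-256 in counter mode (constructed)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Every file encrypted under the same key gets the same keystream: the reuse flaw.
    return xor_bytes(plaintext, keystream(key, len(plaintext)))

def recover_keystream(known_plaintext: bytes, known_ciphertext: bytes) -> bytes:
    # C = P xor K, so K = C xor P for every byte where the plaintext is known.
    n = min(len(known_plaintext), len(known_ciphertext))
    return xor_bytes(known_ciphertext[:n], known_plaintext[:n])

def decrypt_with_keystream(ks: bytes, ciphertext: bytes) -> Tuple[bytes, int]:
    """Return the recovered prefix and how many bytes remain undecryptable."""
    n = min(len(ks), len(ciphertext))
    return xor_bytes(ciphertext[:n], ks[:n]), len(ciphertext) - n

# Constructed sample data: a "known" system file and two victim files,
# all encrypted under one reused key that the defender never learns.
SECRET_KEY = b"attacker-key-never-seen-by-us"
KNOWN_FILE = b"RIFF....WAVEfmt " * 64        # 1024 bytes of known content
SMALL_FILE = b"Dear Rachel, the cake recipe is..." * 5   # shorter than KNOWN_FILE
LARGE_FILE = b"Family photo bytes " * 100    # longer than KNOWN_FILE

def demo():
    known_ct = encrypt(SECRET_KEY, KNOWN_FILE)
    ks = recover_keystream(KNOWN_FILE, known_ct)   # no key material needed
    small_pt, small_left = decrypt_with_keystream(ks, encrypt(SECRET_KEY, SMALL_FILE))
    large_pt, large_left = decrypt_with_keystream(ks, encrypt(SECRET_KEY, LARGE_FILE))
    return small_pt, small_left, large_pt, large_left

if __name__ == "__main__":
    _, _, _, left = demo()
    print(f"bytes past the known file's length still encrypted: {left}")
```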

READY TO SOLVE THE PUZZLE?

THAT AWKWARD MOMENT

WriteToFile(hFile, SymmetricKey, 10);

DECRYPTION DEMO

DECRYPTION… CHECK

GRANDMA IS HAPPY AGAIN