As malware researchers, a significant part of our research process is
dedicated to reversing cryptographic algorithms in order to extract the
decrypted content. Revealing this content provides access to the heart
of the malware: all the strings, Windows API calls, DGA algorithms and
communication protocols, and, when focusing on financial malware, the list
of targeted institutions and webinjects.

Malware authors put considerable effort into constantly changing their
encryption routines and designing customized implementations of the
algorithms. Even the smallest change requires significant work from the
malware researcher: reversing has to be repeated to reconstruct the
encryption scheme.

Our motivation was to find a lightweight and practical implementation that
can effectively speed up the research process. That is why we developed an
automation approach, based on a heuristic way of detecting such
cryptographic algorithms, regardless of the type of algorithm used, that
extracts their plaintext output. This approach saves a lot of valuable
research time by letting the malware do the job for us!

During the lecture, we plan to give some basic background on our work with
financial malware and their internals. We will describe the idea and the
architecture of the Crypton tool and present a demo with live malware.
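The abstract describes a heuristic that spots decryption routines without knowing which cipher they implement and harvests their plaintext. The block below is an added illustration of one such algorithm-agnostic heuristic, written for this page; it is not the Crypton tool's code and makes no claim about how Crypton works. It assumes a tracer (not shown) that hooks candidate functions in a sandbox and records each output buffer before and after the call; the module only decides whether such a pair looks like ciphertext becoming plaintext, using an entropy drop plus a printable-text or PE-header check, and then pulls indicator strings out of the recovered buffer. The banker configuration, the function names and the thresholds are all constructed for the example.

```python
"""Entropy-drop heuristic for spotting decryption routines in a sandboxed sample.

Hypothetical illustration, not the Crypton tool's code: a tracer would record
each output buffer before and after a hooked call; this module only judges
whether the pair looks like ciphertext turning into plaintext and, if so,
extracts the strings a researcher wants (targets, webinject URLs, C2 host).
"""
import math
import random
import re
from dataclasses import dataclass
from typing import Optional


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: close to 8 for ciphertext, ~4-5 for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


_PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    return sum(b in _PRINTABLE for b in data) / len(data) if data else 0.0


@dataclass
class BufferSnapshot:
    """One hooked call: the output buffer before and after the routine ran."""
    callee: str
    before: bytes
    after: bytes


def classify_output(snap: BufferSnapshot, min_drop: float = 1.5) -> Optional[str]:
    """Return 'text', 'pe' or None depending on whether the call decrypted something.

    The entropy threshold is an assumption tuned for the constructed sample.
    """
    drop = shannon_entropy(snap.before) - shannon_entropy(snap.after)
    if drop < min_drop:
        return None                 # output still looks random: not a decryptor
    if snap.after.startswith(b"MZ"):
        return "pe"                 # unpacked executable payload
    if printable_ratio(snap.after) >= 0.8:
        return "text"               # config, webinjects, target list, ...
    return None


def extract_indicators(plaintext: bytes) -> list:
    """Printable runs of 4+ bytes, i.e. the strings worth logging from the plaintext."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{4,}", plaintext)]


# --- constructed sample: a fake banker config and its encrypted form ---------
CONFIG = (
    b"[targets]\n"
    b"bank=https://online.example-bank.invalid/login\n"
    b"inject=https://inject.example.invalid/js/a.js\n"
    b"[c2]\nhost=panel.example.invalid\nport=443\n"
) * 2


def _keystream(n: int, seed: int = 1234) -> bytes:
    """Deterministic pseudo-random key stream standing in for a real cipher."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


CIPHERTEXT = bytes(p ^ k for p, k in zip(CONFIG, _keystream(len(CONFIG))))

# Hypothetical function names as a tracer might label them.
DECRYPT_CALL = BufferSnapshot("sub_401000", CIPHERTEXT, CONFIG)
# A routine that merely re-encrypts under another key leaves entropy high.
REKEY_CALL = BufferSnapshot(
    "sub_402000", CIPHERTEXT,
    bytes(c ^ k for c, k in zip(CIPHERTEXT, _keystream(len(CONFIG), 99))))


def demo() -> dict:
    """Run the heuristic over both calls and return what a tracer would log."""
    report = {}
    for snap in (DECRYPT_CALL, REKEY_CALL):
        kind = classify_output(snap)
        strings = extract_indicators(snap.after) if kind == "text" else []
        report[snap.callee] = (kind, strings)
    return report


if __name__ == "__main__":
    for callee, (kind, strings) in demo().items():
        print(callee, kind, strings[:3])
```

The point of the design is that nothing in it depends on the cipher: the same check flags an RC4, AES or home-grown decryptor, which is what makes it robust to authors tweaking their routines. Its known blind spots are outputs that are neither text nor a PE (compressed data, a second layer of encryption), which is why the entropy test is paired with content checks rather than used alone.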