Use of cryptography in malware obfuscation

IF 1.5 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS

Journal of Computer Virology and Hacking Techniques Pub Date : 2023-09-25 DOI:10.1007/s11416-023-00504-y

Hassan Jameel Asghar, Benjamin Zi Hao Zhao, Muhammad Ikram, Giang Nguyen, Dali Kaafar, Sean Lamont, Daniel Coscia

{"title":"Use of cryptography in malware obfuscation","authors":"Hassan Jameel Asghar, Benjamin Zi Hao Zhao, Muhammad Ikram, Giang Nguyen, Dali Kaafar, Sean Lamont, Daniel Coscia","doi":"10.1007/s11416-023-00504-y","DOIUrl":null,"url":null,"abstract":"Malware authors often use cryptographic tools such as XOR encryption and block ciphers like AES to obfuscate part of the malware to evade detection. Use of cryptography may give the impression that these obfuscation techniques have some provable guarantees of success. In this paper, we take a closer look at the use of cryptographic tools to obfuscate malware. We first find that most techniques are easy to defeat (in principle), since the decryption algorithm and the key is shipped within the program. In order to clearly define an obfuscation technique’s potential to evade detection we propose a principled definition of malware obfuscation, and then categorize instances of malware obfuscation that use cryptographic tools into those which evade detection and those which are detectable. We find that schemes that are hard to de-obfuscate necessarily rely on a construct based on environmental keying. We also show that cryptographic notions of obfuscation, e.g., indistinghuishability and virtual black box obfuscation, may not guarantee evasion detection under our model. However, they can be used in conjunction with environmental keying to produce hard to de-obfuscate version of programs.","PeriodicalId":15545,"journal":{"name":"Journal of Computer Virology and Hacking Techniques","volume":null,"pages":null},"PeriodicalIF":1.5000,"publicationDate":"2023-09-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Computer Virology and Hacking Techniques","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1007/s11416-023-00504-y","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Malware authors often use cryptographic tools such as XOR encryption and block ciphers like AES to obfuscate part of the malware to evade detection. Use of cryptography may give the impression that these obfuscation techniques have some provable guarantees of success. In this paper, we take a closer look at the use of cryptographic tools to obfuscate malware. We first find that most techniques are easy to defeat (in principle), since the decryption algorithm and the key is shipped within the program. In order to clearly define an obfuscation technique’s potential to evade detection we propose a principled definition of malware obfuscation, and then categorize instances of malware obfuscation that use cryptographic tools into those which evade detection and those which are detectable. We find that schemes that are hard to de-obfuscate necessarily rely on a construct based on environmental keying. We also show that cryptographic notions of obfuscation, e.g., indistinghuishability and virtual black box obfuscation, may not guarantee evasion detection under our model. However, they can be used in conjunction with environmental keying to produce hard to de-obfuscate version of programs.

查看原文本刊更多论文

在恶意软件混淆中使用加密技术

恶意软件作者经常使用加密工具，如异或加密和块密码，如AES来混淆部分恶意软件，以逃避检测。使用密码学可能会给人这样的印象:这些混淆技术有一些可证明的成功保证。在本文中，我们将仔细研究使用加密工具来混淆恶意软件。我们首先发现，大多数技术都很容易被攻破(原则上)，因为解密算法和密钥是在程序中提供的。为了明确定义混淆技术逃避检测的潜力，我们提出了恶意软件混淆的原则定义，然后将使用加密工具的恶意软件混淆实例分为逃避检测的和可检测的。我们发现难以去混淆的方案必然依赖于基于环境键控的构造。我们还表明，在我们的模型下，混淆的密码学概念，例如，不可分辨性和虚拟黑盒混淆，可能无法保证逃避检测。然而，它们可以与环境键结合使用，以产生难以消除混淆的程序版本。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Journal of Computer Virology and Hacking Techniques COMPUTER SCIENCE, INFORMATION SYSTEMS-

CiteScore

4.00

自引率

13.30%

发文量

期刊介绍： The field of computer virus prevention has rapidly taken an important position in our technological and information society. Viral attacks increase year after year, and antiviral efforts continually face new challenges. Beneficial applications of technologies based on scientific computer virology are still very limited. The theoretical aspects of the virus problem are only rarely considered, although many interesting and important open problems still exist. Little proactive research is focused on predicting the future of viral attacks.The Journal of Computer Virology and Hacking Techniques is an independent scientific and technical journal dedicated to viral and antiviral computer technologies. Both theoretical and experimental aspects will be considered; papers emphasizing the theoretical aspects are especially welcome. The topics covered by this journal include, but are certainly not limited to:- Mathematical aspects and theoretical fundamentals of computer virology - Algorithmics and computer virology - Computer immunology and biological models for computers - Reverse engineering (hardware and software) - Viral and antiviral technologies - Cryptology and steganography tools and techniques - Applications in computer virology - Virology and IDS - Hardware hacking, and free and open hardware - Operating system, network, and embedded systems security - Social engineeringIn addition, since computational problems are of practical interest, papers on the computational aspects of computer virology are welcome. It is expected that the areas covered by this journal will change as new technologies, methodologies, challenges and applications develop. Hacking involves understanding technology intimately and in depth in order to use it in an operational way. Hackers are complementary to academics in that they favour the result over the methods and over the theory, while academics favour the formalization and the methods -- explaining is not operating and operating is not explaining. The aim of the journal in this respect is to build a bridge between the two communities for the benefit of technology and science.The aim of the Journal of Computer Virology and Hacking Techniques is to promote constructive research in computer virology by publishing technical and scientific results related to this research area. Submitted papers will be judged primarily by their content, their originality and their technical and scientific quality. Contributions should comprise novel and previously unpublished material.However, prior publication in conference proceedings of an abstract, summary, or other abbreviated, preliminary form of the material should not preclude publication in this journal when notice of such prior or concurrent publication is given with the submission. In addition to full-length theoretical and technical articles, short communications or notes are acceptable. Survey papers will be accepted with a prior invitation only. Special issues devoted to a single topic are also planned.The policy of the journal is to maintain strict refereeing procedures, to perform a high quality peer-review of each submitted paper, and to send notification to the author(s) with as short a delay as possible. Accepted papers will normally be published within one year of submission at the latest. The journal will be published four times a year. Note: As far as new viral techniques are concerned, the journal strongly encourages authors to consider algorithmic aspects rather than the actual source code of a particular virus. Nonetheless, papers containing viral source codes may be accepted provided that a scientific approach is maintained and that inclusion of the source code is necessary for the presentation of the research. No paper containing a viral source code will be considered or accepted unless the complete source code is communicated to the Editor-in-Chief. No publication will occur before antiviral companies receive this source code to update/upgrade their products.The final objective is, once again, proactive defence.This journal was previously known as Journal in Computer Virology. It is published by Springer France.