User: Password:
Subscribe / Log in / New account

Security quotes of the week

Security quotes of the week

Posted Aug 23, 2012 10:38 UTC (Thu) by reddit (guest, #86331)
Parent article: Security quotes of the week

How can "decryption" be possibly hard?!?

I mean, just run it in an emulator or virtual machine, and wait until the payload is executed...

If you can't figure out when the payload is executed, modify the emulator to track which memory locations contain data that depends on the encrypted data (similar to how Valgrind propagates validity bits), and then stop the first time a jump is done to one of them.

If the problem is that they can't trigger execution of the payload because it uses a key computed from data only present on unknown target systems, then decryption is simply impossible if the malware is properly written (because they would need to reverse a strong cypher).

(Log in to post comments)

Security quotes of the week

Posted Aug 23, 2012 11:58 UTC (Thu) by spender (subscriber, #23067) [Link]

Obviously, you answered your own question.


Security quotes of the week

Posted Aug 23, 2012 12:03 UTC (Thu) by ekj (guest, #1524) [Link]

Even then, not *impossible*, because the "data only present on unknown systems" is likely not random, thus you can guesstimate it in less time than brute-forcing the key.

Besides, it should be possible to see where it -attempts- to get the data (and fails), then investigate what is at that location for potential targets.

Security quotes of the week

Posted Aug 23, 2012 12:39 UTC (Thu) by redden0t8 (guest, #72783) [Link]

Kaspersky has already done that - it's looking for a specific registry key. The problem is, they've tried every plausible value they can think of.

Assuming this payload is along the same lines as Stuxnet, I think the answer is pretty obvious: it's looking for a registry key associated with someone's specifically customized SCADA software. The key's probably in some non-English language and has never been seen outside the campus of the target.

Security quotes of the week

Posted Aug 23, 2012 12:51 UTC (Thu) by ekj (guest, #1524) [Link]

That makes sense. Or the key could be the hash of some executable or something of that order, that the software checks to ensure the integrity of the file - if so that's equivalent to a random number (aslong as you don't have that specific file, I mean)

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds