By: Julia Karpin, Anna Dorfman

Scheduled on: June 18 at 11:00


As malware researchers, a significant part of our research process is dedicated to reversing cryptographic algorithms in order to extract the decrypted content. Revealing this content provides access to the heart of the malware: all the strings, Windows API calls, DGA algorithms, communication protocols, and, when focusing on financial malware – the list of targeted institutions and webinjects.

Malware authors put considerable effort into constantly changing their encryption routines and designing customized implementations. Even the smallest change requires significant work from the malware researcher: reverse engineering has to be repeated to reconstruct the encryption scheme.

Our motivation was to find a lightweight and practical implementation that can effectively speed up the research process.

That’s why we developed an automation approach based on a heuristic detection of such cryptographic algorithms, regardless of the type of algorithm used, that extracts their plaintext output. The implementation of this approach saves a lot of valuable research time by letting the malware do the job for us!

During the lecture, we plan to give some basic background on our work with financial malware and its internals. We will describe the idea and the architecture of the Crypton tool and present a demo with live malware.