2. Malware Encryption
Malware authors often use simple encoding techniques because they are just enough to obscure the data, but sometimes attackers also use encryption. To identify the use of cryptographic functionality in a binary, you can look for cryptographic indicators (signatures) such as:
- Strings or imports that reference cryptographic functions
- Cryptographic constants
- Unique sequences of instructions used by cryptographic routines
2.1 Identifying Crypto Signatures Using Signsrch
A useful tool to search for cryptographic signatures in a file or process is Signsrch, which can be downloaded from http://aluigi.altervista.org/mytoolz.htm. This tool relies on cryptographic signatures to detect encryption algorithms. The cryptographic signatures are located in a text file, signsrch.sig. In the following output, when signsrch is run with the -e option, it displays the relative virtual addresses where the DES signatures were detected in the binary:
C:\signsrch>signsrch.exe -e kav.exe...
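As an added illustration of the three indicator types listed in this section (crypto-related strings and imports, cryptographic constants, and the table-matching approach that signature tools such as Signsrch use), the following Python script is not code from the book or from Signsrch. Its signature table is a small constructed subset of publicly known constants (MD5/SHA-1 initial state, the first SHA-256 round constants, the first CRC32 table entries, the AES S-box prefix, DES permutation and S-box prefixes, the RC4 identity permutation) and its sample input is a constructed byte string standing in for a binary; the API names are real Windows CryptoAPI, CNG and OpenSSL function names. It reports raw file offsets rather than the relative virtual addresses Signsrch prints, because converting between the two needs the PE section table.

```python
import re
import struct

# Signature table constructed from publicly known algorithm constants
# (initial hash states and lookup tables). This is an added illustration,
# not the contents of signsrch.sig.
WORD_SIGNATURES = {
    "MD5 init state": [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476],
    "SHA-1 init state": [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0],
    "SHA-256 K table (first 4)": [0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5],
    "CRC32 table (first 4)": [0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA],
}
BYTE_SIGNATURES = {
    "AES S-box (first 16)": bytes([0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
                                   0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76]),
    "DES IP table (first 8)": bytes([58, 50, 42, 34, 26, 18, 10, 2]),
    "DES S1 box (first row)": bytes([14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7]),
    "RC4 identity S-box": bytes(range(256)),
}
# String / import indicators: Windows CryptoAPI, CNG and OpenSSL function names.
CRYPTO_API_NAMES = [b"CryptAcquireContext", b"CryptEncrypt", b"CryptDecrypt",
                    b"CryptHashData", b"CryptGenKey", b"CryptImportKey",
                    b"BCryptEncrypt", b"BCryptDecrypt",
                    b"EVP_EncryptInit", b"RSA_public_encrypt"]


def _find_all(data, pattern):
    """Yield every file offset at which pattern occurs in data (overlaps allowed)."""
    off = data.find(pattern)
    while off != -1:
        yield off
        off = data.find(pattern, off + 1)


def find_word_signatures(data):
    """Match multi-word constants in both byte orders. x86 code stores literals
    little-endian, but a table kept as pre-swapped bytes (or a binary built for a
    big-endian target) would be missed by a single-endian search."""
    hits = []
    for name, words in WORD_SIGNATURES.items():
        for endian, prefix in (("LE", "<"), ("BE", ">")):
            pattern = struct.pack("%s%dI" % (prefix, len(words)), *words)
            hits.extend((name, endian, off) for off in _find_all(data, pattern))
    return hits


def find_byte_signatures(data):
    """Match byte-oriented tables (S-boxes, permutation tables) verbatim."""
    hits = []
    for name, pattern in BYTE_SIGNATURES.items():
        hits.extend((name, off) for off in _find_all(data, pattern))
    return hits


def find_crypto_strings(data, min_len=6):
    """Printable ASCII runs (like the strings tool) that contain a crypto API name."""
    hits = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        if any(api in m.group() for api in CRYPTO_API_NAMES):
            hits.append((m.group().decode("ascii"), m.start()))
    return hits


def scan(data):
    """Run all three indicator searches; each hit ends with its file offset."""
    return {"words": find_word_signatures(data),
            "bytes": find_byte_signatures(data),
            "strings": find_crypto_strings(data)}


# Constructed stand-in for a binary (not a real sample): a stub header, two
# CryptoAPI import names, the MD5 initial state (little-endian), the first 16
# bytes of the AES S-box, and the first four SHA-256 constants (big-endian).
SAMPLE = (
    b"MZ" + b"\x00" * 30
    + b"CryptAcquireContextA\x00CryptEncrypt\x00" + b"\x00" * 8
    + struct.pack("<4I", 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476) + b"\x00" * 8
    + BYTE_SIGNATURES["AES S-box (first 16)"] + b"\x00" * 8
    + struct.pack(">4I", 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5)
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for kind, hits in scan(data).items():
        for hit in hits:
            print("%-8s 0x%08x  %s" % (kind, hit[-1], " ".join(str(x) for x in hit[:-1])))
```

Run it with a file path to scan that file, or with no arguments to scan the constructed sample. Two things the output shows that a single signature hit does not: the MD5 initial state matches while the SHA-1 state (which extends it by one word) does not, so the longer signature is the more specific one; and short byte tables such as the DES permutation prefix can collide with unrelated data, so every hit is a lead to confirm in the disassembler, not a verdict. Because a packed or encrypted sample hides its constants until it unpacks, the same scan is worth repeating on a dump of the running process, which is why the text speaks of searching "a file or process".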