Posted (edited)

I posted some information regarding this project in my blog here on tuts4you. I thought I would share it here as well to hopefully gain some support. The main goal of this project is to improve the quality of scanning techniques used in anti-virus software. The issue I have is that there are no methods of detecting the usage of strong cryptography, secure key management, and obfuscation that can be used inside malware. I have a lot of love for the researchers and I know they work extremely hard and are very talented. The issue I have is that there is a lot of room for improvement and I would like to see that improvement made. We need stronger methods of attacking cryptographic malware. If anyone has any thoughts or suggestions please feel free to post. This section could use some volunteers!

Cheers,

- D1N

I plan on releasing more information related to this project in the next couple of weeks. I started developing DobReXor back in mid December. It's made a lot of progress and I've managed to port the code over to Linux. The application is supported on both Windows and Linux. It was a tough decision for me because I wanted to make my first cryptographic project unique, but I also wanted to focus on two topics of interest to me, obfuscation being one of them and malware being the other, and how they can be used together or, for lack of a better word, cryptovirology, but not in terms of what we have seen in the past. This is different. Like I said, I was shooting for something creative and unique. Possibly something that can be used in presentations. We hear a lot about software being exploited and protocol vulnerabilities being discovered, which in turn eventually improves the quality and usability of the product or service. This tool was designed to be an attack tool for the purpose of researching weaknesses in anti-virus software. The goal is to improve anti-virus software. The issue here is that most (not all - there are some exceptions) modern anti-virus vendors are not prepared to deal with strong cryptography and secure key management used in conjunction with malicious software. It's simple to use heuristics, signatures, and emulation to detect a file and define it as being malicious. However, when you add secure key management and self-decrypting files, where parts of the secure key can be split up and stored somewhere until decryption, at which point each part is reconstructed, thus allowing the file decryption to take place, detection becomes very difficult, and not just from an anti-virus but from a forensic standpoint as well. This tool may also serve as a good example for people with questions about obfuscating character sequences. I've seen this topic come up a lot in the past so hopefully my work can be used as an example.
I'm open to anyone who would like to join me and improve this tool.

I will be posting updates soon. The project will be open source.

Thank you for all the support! - D1N

Usage

Examples of obfuscated strings based on different user input

Posted

Update:

Just a quick little update for those of you who are interested in the project.

The project is using the Crypto++

Posted

Just a few updates on DobReXor: I've managed to finish one of the most important classes, which executes the following instructions. I will explain more in detail next week when time permits. I have attached the encrypted and decrypted files along with the public and private keys for anyone who wants to analyse them. Please send all questions here or feel free to comment on my blog.

D1N

Target - notes.txt

AES/RSA/Encryption/Decryption usage

Result - notes.enc

RSA Algorithm

Key Generation:

1. Generate two large random primes, p and q, of approximately equal size such that their product n = pq is of the required bit length, e.g. 1024 bits. [see note 1].

2. Compute n = pq and phi (φ) = (p-1)(q-1).

3. Choose an integer e, 1 < e < phi, such that gcd(e, phi) = 1. [see note 2].

4. Compute the secret exponent d, 1 < d < phi, such that ed ≡ 1 (mod phi). [see note 3].

5. The public key is (n, e) and the private key is (n, d). Keep all the values d, p, q and phi secret.

* n is known as the modulus.

* e is known as the public exponent or encryption exponent or just the exponent.

* d is known as the secret exponent or decryption exponent.

File Encryption

Sender A does the following:

1. Obtains the recipient B's public key (n, e).

2. Represents the plaintext message as a positive integer m [see note 4].

3. Computes the ciphertext c = m^e mod n.

4. Sends the ciphertext c to B.

File Decryption

Recipient B does the following:

1. Uses his private key (n, d) to compute m = c^d mod n.

2. Extracts the plain-text from the message representative m.

sample_dob.tar.gz
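The key generation, encryption and decryption steps listed above, carried out in Python on the small textbook prime pair p = 61, q = 53 so that every intermediate value can be checked by hand. This is an added example, not code from the thread or from Komodo/DobReXor; the prime values are constructed for illustration and a real 1024-bit key additionally needs a primality test and a cryptographic random source, which are omitted here.

```python
from math import gcd

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def modinv(e, phi):
    """Key-generation step 4: the secret exponent d with e*d = 1 (mod phi)."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e and phi are not coprime, choose another e")
    return x % phi

def keygen(p, q, e=65537):
    """Steps 2-5: n = pq, phi = (p-1)(q-1), check 1 < e < phi and gcd(e, phi) = 1."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi and gcd(e, phi) = 1")
    return (n, e), (n, modinv(e, phi))  # (public key, private key)

def encrypt(pub, m):
    """Sender step 3: c = m^e mod n for a message representative 0 <= m < n."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message representative must be smaller than n")
    return pow(m, e, n)

def decrypt(priv, c):
    """Recipient step 1: m = c^d mod n."""
    n, d = priv
    return pow(c, d, n)

# Constructed demo primes (the small textbook pair); keys this small only
# serve to check the arithmetic, they protect nothing.
PUB, PRIV = keygen(61, 53, e=17)

if __name__ == "__main__":
    # Sender step 2: the byte string b"A" as an integer message representative.
    m = int.from_bytes(b"A", "big")
    c = encrypt(PUB, m)
    print("n, e, d =", PUB[0], PUB[1], PRIV[1], "ciphertext =", c)
    # Textbook RSA is deterministic (same m, same c) and unpadded; libraries
    # such as Crypto++ apply randomised padding before step 3 for that reason.
    assert decrypt(PRIV, c) == m and encrypt(PUB, m) == c
```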

Posted (edited)

I have received a few questions regarding the usage and some requests for a GUI/FE. Now that most of the functions and data types are finished and working, I decided to devote some time to the interface. I have decided to add a plug-in feature for the Windows version, which will be useful for me and other coders. This idea was mainly due to the decrypting stub: some people may want to develop addons without sharing their source, so this is a happy medium for people who want to keep their work private. Komodo is being compiled and designed using CodeGear RAD Studio for MS Windows. The LINUX version will most likely be developed using Qt for application development; this may take a bit longer as I'm going in for a crash course on Qt, but I don't think it will be too difficult. I have a book and there is plenty of help in the docs and free pizza.

Will Komodo/DobReXor support compression for exe files?

Yes, the Windows version will support compression (based on aPLib v0.44 compression library) and expect it to have some bugs as well. I need to speak with ap0x about anti-debugging before Komodo will support any tricks.

The string obfuscation is using a simple XOR which is then HexEncoded, hope to add one more extra layer of protection - That's a surprise. ;-)

DobReXor [console] should be out for testing soon, the FE will take a bit but be patient as the wait will be well worth it.

Komodo/DobReXor

* Packing EXEs

* Encrypting, Signing, Decrypting, Verification,

* AES

* RSA

* string to XOR to HexEncoder / HexDecoder to XOR to string.

Currently working on GUI and Plug-in manager.

D1N

Posted

Project Links

Komodo PGMP
http://code.google.com/p/komodopgmp/
http://sourceforge.net/projects/komodopgmp/

Komodo PGMP Group
http://groups.google.com/group/komodopgmp

svn repository
# Non-members may check out a read-only working copy anonymously over HTTP.
svn checkout http://komodopgmp.googlecode.com/svn/trunk/ komodopgmp-read-only

Latest Build
http://komodopgmp.googlecode.com/files/komodopgmp-build-win-current.zip
http://komodopgmp.googlecode.com/files/dobrexor-beta-build-win-current.zip
http://komodopgmp.googlecode.com/files/dobrexor-beta-build-linux-current.zip
Posted (edited)

Good work that you got the whole encrypting scheme working.

But as you said you want to support encrypting executables, what's the point that makes it different from XOR encryption?
