Jump to content
Tuts 4 You

DobReXor - Work in progress (Thread)


D1N

Recommended Posts

I posted some information regarding this project in my blog here on tuts4you. I thought I would share it here as well to hopefully gain some support. The main goal of this project is to improve the quality of scanning techniques used in anti-virus software. The issue I have is that there are not methods of "detecting the usage of strong cryptography, secure key management, and obfuscation that can be used inside malware. I have a lot of love for the researchers and I know they work extremely hard and are very talented. The issue I have is that there is a lot of room for improvement and I would like to see that improvement made. We need stronger methods of attacking cryptographic malware. If anyone has any thoughts or suggestions please feel free to post. This section could use some volunteers!

Cheers,

- D1N

I plan on releasing more information related to this project in the next couple of weeks. I started developing DobReXor back in mid December. It's made a lot of progress and I've managed to port the code over to Linux. The application is supported on both Windows and Linux. It was a tough decision for me because I wanted to make my first cryptographic project unique, but I also wanted to focus on two topics of interest to me, obfuscation being one of them and malware being the other and how they can be used together or for better lack of words cryptovirology, but not in terms of what we have seen in the past. This is different. Like I said, I was shooting for something creative and unique. Possibly something that can be used in presentations. We hear a lot about software being exploited, protocol vulnerabilities being discovered which in turn eventually improves the quality and usability of the product or service. This tool was designed to be an attack tool for the purpose of researching weaknesses in anti-virus software. The goal is to improve anti-virus software. The issue here is that most (not all - there are some exceptions) modern anti-virus vendors are not prepared to deal strong cryptography and secure key management used in conjunction with malicious software. It's simple to use heuristics, signatures, emulation to detect a file and define it as being malicious. However, when you add secure key management and self decrypting files where parts of the secure key can be split up and stored somewhere until decryption in which case each part is reconstructed thus allowing the file decryption to take place makes detection very difficult and not just from anti-virus but a forensic standpoint as well. This tool may also serve as a good example for people with questions about obfuscating character sequences. I've seen this topic come up a lot in the past so hopefully my work can be used as an example. I'm open to anyone who would like to join me and improve this tool.

I will be posting updates soon. The project will be open source.

Thank you for all the support! - D1N

dobrexor757.png

Usage

usage351.png

Examples of obfuscated strings based on different user input

dobrexor-strings474.png

Edited by D1N
Link to comment

Just a few updates on DobReXor, I've managed to finish one of the most important classes which executes the following instructions. I will explain more in detail next week when time permits. I have attached the encrypted, decrypted, files along with the public and private keys for anyone who wants to analyse them. Please send all questions here or feel free to comment on my blog.

D1N

Target - notes.txt

target114.png

AES/RSA/Encryption/Decryption usage

client972.png

Result - notes.enc

result887.png

RSA Algorithm

Key Generation:

1. Generate two large random primes, p and q, of approximately equal size such that their product n = pq is of the required bit length, e.g. 1024 bits. [see note 1].

2. Compute n = pq and (φ) phi = (p-1)(q-1).

3. Choose an integer e, 1 < e < phi, such that gcd(e, phi) = 1. [see note 2].

4. Compute the secret exponent d, 1 < d < phi, such that ed ≡ 1 (mod phi). [see note 3].

5. The public key is (n, e) and the private key is (n, d). Keep all the values d, p, q and phi secret.

* n is known as the modulus.

* e is known as the public exponent or encryption exponent or just the exponent.

* d is known as the secret exponent or decryption exponent.

File Encryption

Sender A does the following:-

1. Obtains the recipient B's public key (n, e).

2. Represents the plaintext message as a positive integer m [see note 4].

3. Computes the ciphertext c = me mod n.

4. Sends the ciphertext c to B.

File Decryption

Recipient B does the following:-

1. Uses his private key (n, d) to compute m = cd mod n.

2. Extracts the plain-text from the message representative m.

sample_dob.tar.gz

Link to comment

I have received a few questions regarding the usage and some requests for a GUI/FE. Now that most of the functions and data types are finished and working! I decided to devote some time to the interface. I have decided to add a plug-in feature for the Windows version, which will be useful for me and other coders. This idea was mainly in part due to the decrypting stub, some people may want to develop addons which they do not want to share their source so this is a happy medium for people who want to keep their work private. Komodo is being compiled and designed using CodeGear RAD Studio for MS Windows. The LINUX version will most likely be developed using Qt for application development, this may take a bit longer as I'm going in for a crash course on Qt, I don't think it will be too difficult. I have a book and there is plenty of help in the docs and free pizza.

Will Komodo/DobReXor support compression for exe files?

Yes, the Windows version will support compression (based on aPLib v0.44 compression library) and expect it to have some bugs as well. I need to speak with ap0x about anti-debugging before Komodo will support any tricks.

The string obfuscation is using a simple XOR which is then HexEncoded, hope to add one more extra layer of protection - That's a surprise. ;-)

DobReXor [console] should be out for testing soon, the FE will take a bit but be patient as the wait will be well worth it.

Komodo/DobReXor

* Packing EXEs

* Encrypting, Signing, Decrypting, Verification,

* AES

* RSA

* string to XOR to HexEncoder / HexDecoder to XOR to string.

Currently working on GUI and Plug-in manager.

D1N

Edited by D1N
Link to comment
  • 2 weeks later...

Project Links

Komodo PGMP
http://code.google.com/p/komodopgmp/
http://sourceforge.net/projects/komodopgmp/Komodo PGMP Grouphttp://groups.google.com/group/komodopgmpsvn repository# Non-members may check out a read-only working copy anonymously over HTTP.
svn checkout http://komodopgmp.googlecode.com/svn/trunk/ komodopgmp-read-onlyLatest Buildhttp://komodopgmp.googlecode.com/files/komodopgmp-build-win-current.ziphttp://komodopgmp.googlecode.com/files/dobrexor-beta-build-win-current.ziphttp://komodopgmp.googlecode.com/files/dobrexor-beta-build-linux-current.zip
Link to comment

good work that you get the whole encrypting scheme working.

but as you said you want to support encrypting executables, what's the point that makes it different from xor encryption?

Edited by Nooby
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...