Great Crypto Failures – When Malware Goes Wrong

Yesterday at the Virus Bulletin conference in Denver, Check Point researchers Yaniv Balmas and Ben Herzog presented “Great Crypto Failures”, a lecture about the cryptography mishaps made by cyber criminals. Cryptography is a major part of many malware functionalities today. It’s used to disguise malware, allow it to bypass security measures, create a communication channel with Command and Control (C&C) servers, and lately, to extort victims.

While encryption is growing more prominent in malware’s operation, not all writers succeed in their efforts to employ it. Encryption errors can happen to experienced and meticulous developers – let alone amateurish malware writers. This causes a large number and variety of cryptography errors. In their talk, Yaniv and Ben elaborated on the main types of cryptography errors, and their origins.

Common Types of Cryptography Failure

The first type of crypto failure is “voodoo programing”, which displays a deep misunderstanding of the cryptography being used. The C&C communication method used by the infamous Zeus malware is a good example of such a failure, which is commonly found in many malware. To secure their communication, Zeus’ authors used the RC4 stream cipher only they decided to take it a step further. After the traffic is encrypted using RC4, they XOR each byte with the next to produce the final ciphertext. The new encryption “method” adds nothing to the security of the traffic, as it stays identical to the plain RC4, but it does show the limited knowledge of its authors.

The second class of flaw is the “copy paste” technique. Some malware writers use code they found online, but implement it without fully understanding its real nature, causing embarrassing results. One such result was displayed by CryptoDefense, an early ransomware strain. While most of the tactics were successfully copied from CryptoLocker, it used a low-level cryptographic API offered by Windows OS to do the actual encryption. As failsafe as this may sound, they copied it too closely from the Microsoft Developer Network, which is designed to save the “secret” private key in the local key-storage. This meant the ransomware was ineffective, since all victims could decrypt their machines without paying the ransom.

Another type of flaw is caused by authors trying to “reinvent the square wheel”. This refers to malware authors who attempted to solve programming problems by improvising. Perhaps the most amusing case of this flaw is that of the late Nuclear Exploit Kit. To obfuscate its exploit delivery, the authors of Nuclear used the Diffie-Hellman Key Exchange to encrypt information passed to exploits during execution. The implementation of the key exchange however was absurd. The secret key was set to 0, rendering the entire process useless.

The last class of crypto failure is the “bluffing malware”, proving that what you see is not always what you get. When the Nemucod Trojan transformed into a ransomware, it told victims that their files are encrypted with RSA-1024. This statement contained two major lies. First, at the time of the announcement the encryption didn’t even begin. In many cases the actual encryption process was blocked, and the sole result of Nemucod was renaming the file extensions. Second, even if the encryption did initiate, it included a simple rotating XOR cipher, far from the promised RSA-1024.

Realizing that malware authors do not necessarily understand encryption can allow us to defeat them on several fronts, from breaking ransomware to deciphering their communications. That said, malware authors are improving their use of encryption, and once they master it, it’s going to be a completely different playing field. Until that day however, opportunities to defeat cyber criminals will abound, and malware analysts should keep their eyes open and search for any opportunity to defeat them.

To learn more, download the Great Crypto Failures whitepaper here.