Whether it's to obfuscate their work, avoid detection, communicate securely with command-and-control servers or extort victims with ransomware, many malware developers rely on encryption to achieve their nefarious goals.
At its best, encryption is virtually impossible to crack. At its worst, it's hard not to “crack up,” as in have a hearty laugh at the expense of cybercriminals who haven't quite mastered the art of cryptography. At least, that's what Check Point Software Technologies researchers Ben Herzog and Yaniv Balmas have done in their new white paper “Great Crypto Failures,” which lightheartedly analyzes recent malware encryption blunders and what caused them.
According to the paper, officially presented Wednesday at the Virus Bullet Conference in Denver, most malware authors “are on a tight schedule, they have no customers to answer to, and they only care about quality design or implementation insofar as either of these things affect their bottom line... This cocktail of constraints pushes malware authors into committing a class of errors that one would be hard-pressed to find in legitimate software of any repute.”
Balmas, team leader of Check Point's Malware Research Team, told SCMagazine.com in an email interview that the research's key takeaway is that "defeating malware cryptography is possible and anyone can do it. You don't need to be a certified crypto analyst or have a Ph.D. in mathematics. All you need is to understand that the crytographic bug is almost always not in the algorithm, but is a product of the people implementing them."
In their paper and accompanying blog post, the Check Point researchers generally classified encryption errors into four categories.
The first is “Voodoo Programming,” the implementation of a tool or code that might seem powerful, but in truth, the developer doesn't truly understand its purpose or functionality. For example, the developers of Linux.Encoder.1 malware leveraged the rand() function to create pseudo-ransom numbers for encryption purposes, but they used it in conjunction with the victim's current timestamp to generate a ransom seed. This seemingly clever technique was found to be insecure because the timestamp was “invariably close to the victim file's ‘last modified timestamp,'” making it susceptible to cracking, the report stated.
"The Linux.Encoder example is my personal favorite, because it has so many layers of failures built one on the top of the other. Every time the malware authors understood their previous problem and fixed it they introduced a completely new problem," said Balmas. "It really teaches us a lot about possible failures and about the state of mind of these malware programmers."
Another common mistake is the act of cutting and pasting crypto code from rival malware programs or other online resources – because it may not work as desired. Developers of the ransomware CryptoDefense, which was heavily inspired by CryptoLocker, committed this fatal error when they borrowed a low-level cryptographic API from Microsoft Windows to perform the encryption. Unfortunately for the perpetrators, the copied code was designed to save the private encryption key in the local key-storage, leaving it accessible to the infected victim, the researchers explained.
Herzog and Balmas also noted in their paper that malware developers have a tendency to improvise code when encountering a programming problem, instead of using more legitimate software that could potentially expose the malware or bloat its size. The researchers called this gaffe “Reinventing the Square Wheel.” As a prime example, the report cites the Nuclear Exploit Kit, whose authors used the Diffie-Hellman Key Exchange algorithm to obfuscate its exploit delivery. But a faulty implementation by the programmers at one point resulted in the malware mistakenly interpreting the infected client's secret key simply as the value 0.
Finally, the report called out malware authors for outright lying. In an attempt to bluff their victims, cybercriminals sometimes claim they are using unbreakable encryption when in reality they're using weak ciphers. For instance, when a Nemucod ransomware variant emerged in early 2016, its ransom note boasted RSA-1024 encryption, when in fact it used a simple rotating XOR cipher. Moreover, the malware would display its message before the infected machine's files were even encrypted; in some cases, the victim's antivirus program was actually able to snuff out the ransomware before it altered a single file's contents, leaving the recipient with a mere empty threat.
Despite poking fun at these malware mishaps, the researchers did caution in their report that one day, malware authors “are going to collectively figure out how to use encryption properly – and when they do, it's going to be a completely different playing field.”
But today is not that day. "On one hand, some of the more prominent malware are showing much better use of cryptography these days, and as a result finding bugs in their code is becoming much harder and sometimes even impossible," said Balmas to SCMagazine.com. "On the other hand, the malware scene is constantly flooded with new malware and new variants, which often present non-mature encryption implementations that quite often lead to bugs that can be used against them."