Using a Cryptographic Weakness for Malware Traffic Clustering and IDS Rule Generation
2023-04-24 | 14:00 – 14:30
Encrypted C&C data can make life a lot harder for malware analysts and incident handlers, because, when done right, it makes C&C traffic much harder to recognise. Fortunately, not every malware author is able to implement encryption securely. A well-known vulnerability in the use of cryptography (one that also led to attacks on older standards for Wi-Fi protection) is still present in a number of widespread malware families. In this presentation we show how this cryptographic weakness can be used for several analysis purposes. We show how the presence of the weakness can be detected in traffic gathered in sandboxes. We also show how clustering can be applied to encrypted data to group different variants of the same malware together (even when they use different and unknown encryption keys) while at the same time gathering structural information about the plaintext. Finally, we show how information on the plaintext structure of a malware family can, in some cases, be used to automatically generate IDS signatures for new variants from only a single ciphertext, without extracting the key itself from the binary.
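The abstract does not name the weakness, only hints at it through the Wi-Fi reference. The following added example (not material from the talk or its authors) assumes it is keystream reuse in a stream cipher, i.e. every message of one variant is XORed with the same keystream, and walks through three of the steps described above on constructed data: detecting the reuse from a pair of captured messages, recovering which plaintext positions are constant across messages (structure that carries over between variants regardless of key), and deriving a Snort-style content signature for a new variant from a single one of its ciphertexts. The beacon layouts, the SHA-256-based stand-in keystreams and all function names are assumptions made for the example.

```python
"""Keystream-reuse analysis of captured C&C beacons (added example).

Assumption: each variant XORs all its messages with one fixed, unknown
keystream.  Every plaintext, keystream and name below is constructed.
"""
import hashlib


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def fake_keystream(label, length):
    """Deterministic stand-in for a variant's unknown keystream (constructed)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(label + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def encrypt(keystream, plaintext):
    return xor_bytes(keystream, plaintext)


# Constructed beacons: two variants of one family, same layout, different keys.
VARIANT_A_PLAINTEXTS = [b"BOT|id=0001|os=win10|cmd=idle|",
                        b"BOT|id=0002|os=win7 |cmd=idle|",
                        b"BOT|id=0003|os=win11|cmd=idle|"]
VARIANT_B_PLAINTEXTS = [b"BOT|id=0101|os=win10|cmd=idle|",
                        b"BOT|id=0102|os=win8 |cmd=idle|"]
KS_A = fake_keystream(b"constructed-variant-A", 64)
KS_B = fake_keystream(b"constructed-variant-B", 64)
CIPHERTEXTS_A = [encrypt(KS_A, p) for p in VARIANT_A_PLAINTEXTS]
CIPHERTEXTS_B = [encrypt(KS_B, p) for p in VARIANT_B_PLAINTEXTS]


def keystream_reuse_score(c1, c2):
    """Fraction of positions where c1 XOR c2 has the high bit clear.

    With a shared keystream, c1 XOR c2 == p1 XOR p2, which for ASCII
    plaintext is always < 0x80 (score 1.0); independent keystreams give
    about 0.5.  For binary plaintext, count excess 0x00 bytes instead.
    """
    d = xor_bytes(c1, c2)
    return sum(1 for b in d if b < 0x80) / len(d)


def invariant_positions(ciphertexts):
    """Positions whose byte is identical in every message of one variant.

    Under a reused keystream, equal ciphertext bytes imply equal plaintext
    bytes, so this mask is plaintext structure recovered without the key.
    """
    first = ciphertexts[0]
    return [i for i in range(len(first))
            if all(c[i] == first[i] for c in ciphertexts[1:])]


def runs(positions):
    """Collapse sorted positions into half-open (start, end) runs."""
    out = []
    for p in positions:
        if out and out[-1][1] == p:
            out[-1][1] = p + 1
        else:
            out.append([p, p + 1])
    return [tuple(r) for r in out]


def signature_from_single_ciphertext(ciphertext, structure, min_run=4):
    """(offset, bytes) patterns for a new variant, from ONE of its messages.

    'structure' is the invariant mask learned from another variant of the
    family; at those offsets the new variant's ciphertext bytes stay
    constant for every message it sends under its reused keystream.
    """
    return [(s, ciphertext[s:e]) for s, e in runs(structure) if e - s >= min_run]


def signature_matches(signature, ciphertext):
    return all(ciphertext[s:s + len(pat)] == pat for s, pat in signature)


def to_snort_rule(signature, sid):
    """Render the patterns as a Snort-style rule with absolute offset/depth."""
    parts = []
    for s, pat in signature:
        hexpat = " ".join(f"{b:02X}" for b in pat)
        parts.append(f'content:"|{hexpat}|"; offset:{s}; depth:{len(pat)};')
    return ('alert tcp any any -> any any (msg:"constructed beacon example"; '
            + " ".join(parts) + f" sid:{sid}; rev:1;)")


def analyse():
    reuse = keystream_reuse_score(CIPHERTEXTS_A[0], CIPHERTEXTS_A[1])
    structure = invariant_positions(CIPHERTEXTS_A)          # learned on variant A
    sig = signature_from_single_ciphertext(CIPHERTEXTS_B[0], structure)  # one B sample
    return reuse, structure, sig


if __name__ == "__main__":
    reuse, structure, sig = analyse()
    print(f"keystream reuse score within variant A: {reuse:.2f}")
    print(f"invariant plaintext positions: {structure}")
    print(to_snort_rule(sig, 1000001))
    print("rule matches a second variant-B beacon:", signature_matches(sig, CIPHERTEXTS_B[1]))
```

The reuse score is a quick triage check over pairs of sandbox captures; the invariant mask is what the clustering step would compare between runs, and the signature step needs no key at all because, under a reused keystream, the ciphertext of the fixed header bytes is itself constant for that variant.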