Ben H.

DGAs (Domain Generation Algorithms) have become a trusty fallback mechanism for malware that’s a headache to deal with, but they have one big drawback – they draw a lot of attention to themselves with their many DNS request for gibberish domains.

When basic entropy-based Machine Learning methods rose to the challenge of automatically detecting DGAs, DGAs responded by subtly changing their output to be /just/ plausible enough to fool those methods. In this talk we’ll harness the might of the English dictionary, cut corners to achieve sane running times for insane computations, and use fancy Machine Learning® methods – all in order to build a classifier with a higher standard for gibberish plausibility. In recent years, there has been a rising trend in malware’s use of Domain Generation Algorithms (DGAs) as a fallback mechanism in case the campaign is shut down at the DNS level. DGAs are a headache to deal with, but they have one big drawback – they make a lot of noise. To be more precise, they generate a very large amount of DNS requests for domains, and the domains are often complete gibberish. This situation looks ripe to be exploited with your favorite Cyber™ Machine Learning® Big Data© solution; and indeed, advances were made by basic language processing methods that could detect and stop the outright complete gibberish. These worked well, until DGAs mutated, and started producing more reasonable gibberish. A milestone in this regard was the introduction of KWYJIBO, a DGA that generates gibberish where every other letter is a vowel (e. g. „garolimoja“), which stumps the old methods completely. How do you thwart KWYJIBO and other DGAs of its sophistication? How do you look for meaninglessness in string-space? In this talk we’ll harness the might of the English dictionary; cheat mathematics to cut running times from impossible to reasonable; and demonstrate a fancy Cyber™ Machine Learning® Big Data© tool based on all the above to tell apart meaningful domain names from nonsense. Where is this arms race going, anyway? Is there such a thing as undetectable gibberish?

Using the same stream cipher key twice is known to be a Very Bad Idea, but keystream-resuse vulnerabilities are still very much a thing of the present - both in legitimate software and in the malware landscape. We describe a heuristic algorithm which can detect vulnerabilities of this kind. We explain the inner workings of the algorithm and demonstrate a proof-of-concept attack on sevreral examples of vulnerable data, including files encrypted by the DirCrypt malware and encrypted traffic generated by malware such as variants of Zeus and Ramnit.

When operating a stream cipher, reusing a keystream introduces a critical weakness to the resulting ciphertext: the encryption becomes vulnerable to easy (and sometimes /very/ easy) cryptographic attacks. This is due to the encryption's linear nature - for instance, XORing a plaintext with the corresponding ciphertext yields keystream bytes. While key reuse is a widely known issue, it's an issue that keeps arising in practice. The soviets did it during WWII, Microsoft did it in the implementation of Word 2003 document encryption, and malware authors did it when designing variants of Zeus, DirCrypt and Ramnit. To exploit a vulnerability, you must first realize it's there. Unfortunately, many instances of homebrew crypto operate on the "security by obscurity" principle, and don't reveal their implementation details. As a result, detecting key reuse often requires trial and error, an accidental epiphany or a night spent reverse engineering - and in all these cases, luck and human effort. In this presentation we show an approach to automating this task - based on the linear properties of stream ciphers, redundancy in the text and Bayesian reasoning. Finally, we demonstrate the algorithm's operation in several real-world use cases. Math Ph.D. not required.