1.3.3 NULL Ignoring XOR Encoding

In XOR encoding, when a null byte (0x00) is XORed with a key, you get back the key as shown here:

>>> ch = 0x00
>>> key = 4
>>> ch ^ key
4

What this means is that whenever a buffer containing a large number of null bytes is encoded, the single-byte XOR key becomes clearly visible. In the following example, the plaintext variable is assigned a string containing three null bytes at the end, which is encrypted with the key 0x4b (character K), and the encrypted output is printed both in hex string format and in text format. Note how the three null bytes in the plaintext variable are translated to the XOR key value 0x4b 0x4b 0x4b (KKK) in the encrypted content. This property of XOR makes it easy to spot the key if the null bytes are not ignored:

>>> plaintext = "hello\x00\x00\x00"
>>> key = 0x4b
>>> enc_hex = ""
>>> enc_text = ""
>>> for ch in plaintext:
...     x = ord(ch) ^ key
...     enc_hex += hex(x) + " "
...     enc_text += chr(x)
...
>>> print(enc_hex)
0x23 0x2e 0x27 0x27 0x24 0x4b 0x4b 0x4b
>>> print(enc_text)
#.''$KKK

The following screenshot shows the XOR-encrypted communication of a malware sample (HeartBeat RAT). Note the presence of the byte 0x2 spread all over the place; this is due to malware encrypting a large buffer (containing null bytes) with the XOR key of 0x2. For more information on the reverse engineering of this malware, refer to the author's Cysinfo meet presentation at https://cysinfo.com/session-10-part-1-reversing-decrypting-communications-of-heartbeat-rat/:

To avoid the null byte problem, malware authors skip the null byte (0x00) and the encryption key byte during encryption, as shown in the commands mentioned here. Note that, in the following code, the plaintext characters are encrypted with the key 0x4b, except for the null byte (0x00) and the encryption key byte (0x4b), which are copied through unchanged; as a result, in the encrypted output the null bytes are preserved without giving away the encryption key. As you can see, when an attacker uses this technique, it is not easy to determine the key just by looking at the encrypted content:

>>> plaintext = "hello\x00\x00\x00"
>>> key = 0x4b
>>> enc_text = ""
>>> for ch in plaintext:
...     if ch == "\x00" or ch == chr(key):
...         enc_text += ch
...     else:
...         enc_text += chr(ord(ch) ^ key)
...
>>> enc_text
"#.''$\x00\x00\x00"
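The two snippets above, rewritten as an added Python 3 example that is not part of the book's own code. It encodes the same constructed buffer (hello followed by three null bytes) with plain single-byte XOR and with NULL-ignoring XOR, uses a byte-frequency count to show why the plain variant leaks the key while the NULL-ignoring variant shows only 0x00 as the dominant byte, and shows the decoding caveat an analyst runs into: NULL-ignoring XOR is its own inverse (a ciphertext byte equal to 0x00 or to the key was copied through unchanged), so decoding it with an ordinary XOR loop corrupts every preserved null into the key byte. The function names and the sample buffer are assumptions made for this example.

```python
from collections import Counter

# Constructed sample buffer, mirroring the page's example: a short string
# followed by null padding, as found in many malware buffers.
SAMPLE = b"hello" + b"\x00" * 3
KEY = 0x4b  # the page's key, character 'K'


def xor_plain(data: bytes, key: int) -> bytes:
    """Standard single-byte XOR: every byte, null bytes included, is XORed
    with the key, so each 0x00 in the input becomes the key in the output."""
    return bytes(b ^ key for b in data)


def xor_null_ignoring(data: bytes, key: int) -> bytes:
    """NULL-ignoring XOR as described on the page: bytes equal to 0x00 or to
    the key are copied through unchanged, everything else is XORed.

    This function is also the decoder. A plaintext byte other than 0x00/key
    can never XOR to 0x00 or to the key (that would require the plaintext to
    be the key or 0x00), so a ciphertext byte equal to 0x00 or the key must
    have been copied through and is returned unchanged; all other ciphertext
    bytes are XORed back."""
    return bytes(b if b in (0x00, key) else b ^ key for b in data)


def most_common_byte(data: bytes) -> tuple:
    """Return (value, count) of the most frequent byte in data.

    On plain-XOR output of a null-padded buffer this is the key; on
    NULL-ignoring output it is 0x00, which is why the key is no longer
    visible by inspection."""
    value, count = Counter(data).most_common(1)[0]
    return value, count


def naive_decode(ciphertext: bytes, key: int) -> bytes:
    """The wrong decoder for NULL-ignoring data: an ordinary XOR loop.
    Every preserved 0x00 in the ciphertext is turned into the key byte."""
    return xor_plain(ciphertext, key)


if __name__ == "__main__":
    plain_ct = xor_plain(SAMPLE, KEY)
    null_ct = xor_null_ignoring(SAMPLE, KEY)
    print("plain XOR        :", plain_ct.hex(" "), "| most common byte:", most_common_byte(plain_ct))
    print("NULL-ignoring XOR:", null_ct.hex(" "), "| most common byte:", most_common_byte(null_ct))
    print("correct decode   :", xor_null_ignoring(null_ct, KEY))
    print("naive decode     :", naive_decode(null_ct, KEY))
```

Running the script shows 0x4b occurring three times in the plain-XOR output and 0x00 three times in the NULL-ignoring output, and shows the naive decoder returning helloKKK instead of the original buffer, which is the symptom to look for when a recovered XOR key decodes most of a buffer correctly but leaves runs of the key byte where nulls were expected.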