Malware authors are only human: stupid encryption mistakes

Malware authors are only human: stupid encryption mistakes – ITS Insider – Confluence

Go to start of metadata

Criminal developers eager to deploy their latest nefarious wares will often cut corners on Q&A offering hope to observant Security Professionals.  Probably the last thing many criminal malware developers have is time or resources to bug check and regression test their code.  Often relying on tool kits and plagiarism they’ll cobble together a “solution” without the tedious attention to quality design and performance.

In the case of crypto-ransomware, these shortcuts (when applied to the delicate nuances required for deploying quality encryption) can be their undoing.  In a recent paper presented at Virus Bulletin conference in Denver, Check Point’s Yaniv Balmas and Ben Herzog document their analysis of many shortcuts taken by these criminal masterminds.  Lets look at the top encryption blunders made by these developers:

Lack of Understanding

Malware authors compose primitives based on gut feeling and superstition; jump with eagerness at opportunities to poorly reinvent the wheel; with equal eagerness, at opportunities to use ready-made code that perfectly solves the wrong problem,” – Balmas and Herzog

Encryption is difficult and if you only have a cursory understanding of the principles needed for reliable encryption techniques you make amateur mistakes.  Analysis shows that many malware authors have trouble using encryption effectively which may allow security defenders to break the encryption and stop the malware.

Cargo cult programming

We’ve all done this; take working code, tweaking it a bit then re-purpose it for another use.  Its like those Thanksgiving left-overs that become a great casserole a week later; it gets the job done.  But if you are trying to make something criminally impenetrable and foolproof why would you just take random parts and piece them together?  Criminals who use bits and pieces from previously identified ransomware (e.g., the makers of CryptoDefense used parts from CryptoLocker) are ensuring that they get stopped because the Defenders already know how to identify the means to decrypt files.

Something old something new

If you are writing software for an international criminal mastermind don’t instantiate statically linked third party code into your solution.  Syndication has it upsides but when you’re a criminal those business relationships are not that strong; no SLAs here.  It was discovered that the groups who created Petya and DirCrypt to attack nuclear power plants used an operation on a remote server that made a bonehead mathematical mistake effectively rendering the encryption keys useless by setting the key size to “0”.

“Its all pretend”

Why spend anytime crafting an impenetrable solution when you can just fake it?  The makers of Nemucod decided to just threaten their victims with a ransom note before actually encrypting their files.  Any AntiMalware worth it salt could recognize the creation of the ransom note file and prevent any further downloads.  Researchers noted that Neumucod “sets the gold standard for minimal effort”.  Moreover, the creators of Poshcoder used symmetric AES encryption while threatening to have used asymmetric RSA-2048 and RSA-4069 encryption.  Just to explain, higher keys size (e.g., 2048, 4096, etc.) means harder to decrypt.

If the security community is willing to take the time to analyze these common mistakes we may just get away from these traps but until then we can rest assured that most of these bad guys are only human.