Gone are the days of clear-text malware command and control communication. It wasn’t that long ago that even complex banking Trojans, such as Citigal, didn’t encrypt their Command and Control (C2) communication. With organizations’ limited monitoring capabilities and over-reliance on firewalls, the additional effort required for attackers to encrypt communications added little value. However, most organizations today understand the importance of advanced monitoring and are spending time and money to gain visibility into their network traffic. This in turn has forced threat actors and malware to be more secretive, which complicates the work of organizations that want insight into a threat actor’s command and control infrastructure.
In this three-part series we will examine the common methods used by malware to encrypt C2 traffic. First, we will go into detail on how the different encryption schemes work. Part 2 will focus on tools and techniques to detect and analyze C2 communication, and Part 3 will go over custom C2 communication.
Encryption Basics
The terms below are common cryptography terms to know. Also, when dealing with cryptographic functions, remember that upper- and lower-case values are distinct.
Plaintext: Unencrypted content/values
Ciphertext: Encrypted contents/values of plaintext
Key/Password: A secret value used to transform plaintext into ciphertext
Cipher: Cryptographic algorithm that takes plaintext and uses a key/password to create ciphertext
Common C2 Encryption Methods
The methods we will go over are Rotate on Left (ROL), Rotate by X (ROTX), Exclusive Or (XOR), Rivest Cipher 4 (RC4) and Advanced Encryption Standard (AES). The examples below use binary and hexadecimal representation to illustrate how the encryption works. If you are unfamiliar or need a brush-up, a great reference for understanding how ASCII, decimal, binary and hexadecimal representations work is at http://www.codeproject.com/Articles/4069/Learning-Binary-and-Hexadecimal.
Rotate on Left (ROL)
Rotate on Left (ROL) is one of the simpler methods: all it does is rotate the binary bits to the left by a specified amount, with the bits that fall off the left end re-entering on the right. Figure 1 illustrates how the ASCII character “A”, which translates to “01000001” in binary, is rotated on left by 2 and as a result becomes “00000101”.
Figure 1: Rotate On Left by 2
Rotate by X (ROTX)
ROTX is considered a letter substitution algorithm in which each character X in a word is replaced by another character that is a predetermined number of letters from where X lies in the alphabet. Figure 2 shows how the word “BAD” can be encrypted using the most common implementation of ROT, which is ROT13. On the left-hand side is the normal alphabet and on the right-hand side is the transformed ROT13 alphabet. The transformation for ROT13 goes as follows: starting with the letter A, count 13 letters from A to get to N. N is now the new start of the alphabet, and you list the rest of the alphabet in sequential order, going to A after Z and stopping at M, which is the last letter before N (duh). Now, by matching the normal alphabet letters with their corresponding rotated alphabet letters you can produce the ciphertext. In the example below, you can see how “BAD” is encrypted to “ONQ”.
Figure 2: Resulting Ciphertext of “BAD” using ROT13 Encryption
Exclusive OR (XOR)
Exclusive OR (XOR) is a type of Boolean expression (TRUE/FALSE). Before we go over “XOR”, let’s go over two other Boolean expressions, “AND” and “OR”, first. “AND” and “OR” statements evaluate multiple variables to return their output. For an “AND” expression to be TRUE, all of the variables must be TRUE, and for an “OR” expression, only one of the variables has to be TRUE. The best way to illustrate this is to consider the statement, “At the grocery store, pick up milk and cookies”. In order for this to be a TRUE “AND” expression, you would have to come back from the grocery store with both milk and cookies. For this to be a TRUE “OR” statement, all you need to do is bring back at least milk or cookies. The only thing that would cause the “OR” statement to be FALSE is if you came back empty-handed (your significant other wouldn’t be happy either).
An “XOR” expression is very similar to an “OR” except that it is FALSE when it also satisfies an “AND” condition: if you were to bring home both milk and cookies, the XOR would be FALSE. However, if you brought home either milk or cookies, but not both, the “XOR” would be TRUE.
If we use the same logic as above but apply it to the binary representation of numbers, we get the tables below. To read the tables, think of A and B as the variables that must each be either TRUE or FALSE in the expression (the cookies and milk from our example above). The binary value 1 represents TRUE and 0 represents FALSE.
A (Cookies) | B (Milk) | A AND B (Result)
1 | 1 | 1
1 | 0 | 0
0 | 1 | 0
0 | 0 | 0
Table 1: Boolean AND Table
A (Cookies) | B (Milk) | A OR B (Result)
1 | 1 | 1
1 | 0 | 1
0 | 1 | 1
0 | 0 | 0
Table 2: Boolean OR Table
A (Cookies) | B (Milk) | A XOR B (Result)
1 | 1 | 0
1 | 0 | 1
0 | 1 | 1
0 | 0 | 0
Table 3: Boolean XOR Table
To encrypt using XOR, let’s again look at the ASCII character “A”, which translates to “01000001” in binary. If we were to XOR “01000001” with an XOR key of 0x33, we would first convert the hex value 33 to its binary representation, which is “00110011”. Next we would XOR each bit of the ASCII character “A” (“01000001”) in sequential order with the corresponding bit of the XOR key, 0x33 (“00110011”). Refer to Figure 3 for a representation of how this works.
Figure 3: XOR Encryption
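The three transforms covered so far (ROL, ROTX and XOR), applied to the same values the figures use, as an added example that is not code from the original post. The functions `rol8`, `rotx`, `xor_bytes` and `guess_single_byte_xor_key` are written for this example, and the null-padded beacon string at the end is constructed here to show why single-byte XOR gives an analyst so little trouble: wherever the plaintext byte is 0x00 the ciphertext byte is the key itself.

```python
# Added example (not code from the original post): ROL, ROTX and XOR applied to
# the values used in the figures above. The beacon string near the end is constructed.
from collections import Counter


def rol8(byte: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits; bits pushed out on the left re-enter on the right."""
    n %= 8
    return ((byte << n) | (byte >> (8 - n))) & 0xFF


def rotx(text: str, shift: int) -> str:
    """Move each ASCII letter `shift` places along the alphabet, wrapping Z back to A.
    Non-letters pass through unchanged. ROT13 is rotx(text, 13), and ROT13 undoes itself."""
    out = []
    for ch in text:
        if "A" <= ch <= "Z" or "a" <= ch <= "z":
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the corresponding byte of a repeating key.
    XOR is its own inverse, so applying the same key twice returns the plaintext."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def guess_single_byte_xor_key(ciphertext: bytes) -> int:
    """Single-byte XOR leaks the key wherever the plaintext byte is 0x00, so in a
    buffer padded with nulls the key is simply the most frequent ciphertext byte."""
    return Counter(ciphertext).most_common(1)[0][0]


if __name__ == "__main__":
    a = ord("A")                                          # 0x41 = 01000001
    print(f"ROL 2 of 'A': {a:08b} -> {rol8(a, 2):08b}")  # -> 00000101
    print("ROT13 of 'BAD':", rotx("BAD", 13))             # -> ONQ
    c = xor_bytes(b"A", b"\x33")[0]
    print(f"'A' XOR 0x33: {a:08b} ^ 00110011 = {c:08b} (0x{c:02x})")
    # Constructed 32-byte beacon: a short field string padded with nulls to a fixed length.
    beacon = b"id=WS01;cmd=ping".ljust(32, b"\x00")
    ct = xor_bytes(beacon, b"\x33")
    print("key recovered from null padding: 0x%02x" % guess_single_byte_xor_key(ct))
    assert xor_bytes(ct, b"\x33") == beacon
```

Running the block prints the rotated and XORed bit patterns from the figures; the last lines show that a fixed-length, null-padded message under a one-byte XOR key reveals that key directly from the ciphertext byte frequencies.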
Rivest Cipher 4 (RC4)
Ron Rivest of RSA Security created Rivest Cipher 4 (RC4) in 1987. It is a widely used stream cipher. A stream cipher is a type of encryption method in which encryption is applied at a bit-by-bit level, just as we did in the XOR example above. This is opposed to a block cipher, in which the encryption algorithm is applied to a “block” of bits.
There are three major components to the RC4 encryption process:
- The secret key
- The key-scheduling algorithm (KSA)
- The pseudo-random generation algorithm (PRGA).
The RC4 algorithm can be implemented in the four steps described below. Figure 4 shows a representation.
Step 1: A secret key is created, which at its simplest is a password.
Step 2: The secret key is used to generate the state table using the KSA.
Step 3: The state table is used to generate a pseudo-random bit stream (the keystream) using the PRGA.
Step 4: The pseudo-random bit stream is XOR’d with the plaintext to create the ciphertext.
Figure 4: RC4 Encryption Description
Advanced Encryption Standard (AES)
The Advanced Encryption Standard (AES) is based on the Rijndael cipher, developed by Joan Daemen and Vincent Rijmen.
AES is a block cipher that takes either 16, 24, or 32 bytes at a time. A representation of a 16-byte AES block, or “state table”, is shown below. Each cell holds one byte of data.
t | h | i | s |
i | s | j | u |
s | t | a | n |
t | e | s | t |
Table 4: Plaintext AES State Table
AES consists of 10, 12 or 14 rounds, with each round containing the four steps below.
- Byte Substitution
- Shift Rows
- Mix Columns
- Round Key Addition
Step 1 – Byte Substitution: In the first stage, byte substitution, each value in the initial state table is replaced with a pre-determined value looked up in an S-Box. Figure 5 shows how this is done. For simplicity, I have used a 4-byte block even though AES works with a minimum of 16 bytes. To perform the substitution, take the value of each byte in the initial state table and use it as the y and x coordinates into the S-Box table to find the corresponding value. For example, the first byte of the initial state table is the hex value “0x21”; to find the corresponding value in the S-Box, split it into 2 and 1. The 2 is the y-axis (vertical, the row) and the 1 is the x-axis (horizontal, the column). At that position you will find the hex value “0x44”. This is how S-Boxes are used.
Figure 5: AES Substitution (S-Box)
Step 2 – Shift Rows: The next step is row shifting. In this step, the first row of the state table is left in place while each of the other rows is rotated by a defined amount.
Step 3 – Mix Columns: In this step, each column of the state table is mixed using a linear transformation.
Step 4 – Round Key Addition: This is the final step of the round, in which a sub-key (the round key) is XOR’d against the state table from the Mix Columns step, resulting in the ciphertext. The sub-key is computed from the original key.
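The four round steps on a real 16-byte state, as an added example that is not code from the original post. Two things differ from the simplified Figure 5: the S-Box in the figure is illustrative (0x21 maps to 0x44 there), whereas the real AES S-Box maps 0x21 to 0xfd, and it is derived below from its definition (multiplicative inverse in GF(2^8) followed by an affine transform) rather than typed in; and the state is held column-major, the layout FIPS-197 uses. The round key for round 0 is the cipher key itself; the key expansion that produces the later sub-keys is outside what the post describes and is omitted here. The check values in the test are the FIPS-197 Appendix B round-1 intermediates. One point of precision worth keeping in mind while reading the section above: the AES block is always 16 bytes; 16, 24 and 32 bytes are the key lengths of AES-128, AES-192 and AES-256, which is what selects 10, 12 or 14 rounds.

```python
# Added example (not code from the original post): the four AES round operations
# on a 16-byte state held column-major (state[r + 4*c]), with the S-Box built from
# its definition. Test values come from the FIPS-197 Appendix B worked example.


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11b)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def build_sbox() -> list:
    """S-Box entry = affine transform of the multiplicative inverse (0 is mapped to itself)."""
    inv = [0] * 256
    for a in range(1, 256):
        for b in range(1, 256):
            if gf_mul(a, b) == 1:
                inv[a] = b
                break
    sbox = []
    for x in range(256):
        b = inv[x]
        s = b
        for k in range(1, 5):  # s = b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4)
            s ^= ((b << k) | (b >> (8 - k))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = build_sbox()


def sbox_lookup(byte: int) -> int:
    """Row = high nibble (the figure's y-axis), column = low nibble (its x-axis)."""
    row, col = byte >> 4, byte & 0x0F
    return SBOX[row * 16 + col]


def sub_bytes(state: bytes) -> bytes:
    return bytes(sbox_lookup(b) for b in state)


def shift_rows(state: bytes) -> bytes:
    """Row r is rotated left by r positions; row 0 stays where it is."""
    out = bytearray(16)
    for r in range(4):
        for c in range(4):
            out[r + 4 * c] = state[r + 4 * ((c + r) % 4)]
    return bytes(out)


def mix_columns(state: bytes) -> bytes:
    """Each column is multiplied by the fixed matrix [2 3 1 1; 1 2 3 1; 1 1 2 3; 3 1 1 2]."""
    out = bytearray(16)
    for c in range(4):
        a0, a1, a2, a3 = state[4 * c:4 * c + 4]
        out[4 * c + 0] = gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3
        out[4 * c + 1] = a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3
        out[4 * c + 2] = a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3)
        out[4 * c + 3] = gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)
    return bytes(out)


def add_round_key(state: bytes, round_key: bytes) -> bytes:
    """Round Key Addition: XOR the state with the round's sub-key."""
    return bytes(s ^ k for s, k in zip(state, round_key))


def first_round(plaintext: bytes, key: bytes) -> dict:
    """Round 0 (AddRoundKey with the cipher key) followed by the four steps of round 1.
    Key expansion for later round keys is omitted."""
    s0 = add_round_key(plaintext, key)
    s1 = sub_bytes(s0)
    s2 = shift_rows(s1)
    s3 = mix_columns(s2)
    return {"round0": s0, "sub_bytes": s1, "shift_rows": s2, "mix_columns": s3}


if __name__ == "__main__":
    pt = bytes.fromhex("3243f6a8885a308d313198a2e0370734")   # FIPS-197 Appendix B input
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 Appendix B key
    for name, value in first_round(pt, key).items():
        print(f"{name:>12}: {value.hex()}")
```

Following the printed intermediates against FIPS-197 Appendix B shows each step doing exactly what the section describes: SubBytes changes every byte independently, ShiftRows only moves bytes between columns, MixColumns makes each output byte depend on all four bytes of its column, and AddRoundKey is plain XOR.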
Conclusion
In this part of the series we have gone over how the encryption methods ROL, ROT, XOR, RC4 and AES work. These are very common methods that malware uses for its communication. In the next part we will go over how to analyze this type of communication.
For any questions or comments please email ACDForensics@rsa.com.