How Malware Uses Encryption to Hide
by Robert Bond
How Malware Uses Encryption to Evade Cyber Defense
Encryption has been around for a very long time. Early forms included Caesar’s Box, a simple cipher used by Julius Caesar to securely communicate with his generals while in the field.
Since then, cryptography has improved dramatically. With a greater understanding of mathematics and the principles of information security, cryptographers have been able to design ciphers that are both functional and secure.
The modern ciphers that we use every day are designed to be impossible to break with current technology. Without knowledge of the secret key, it’s impossible to read the encrypted data. This is very useful for legitimate purposes, like protecting sensitive data as it is stored and moves across the Internet. However, not all uses of cryptography are benign,
Cryptography and Malware
The main purpose of cryptography is to keep secrets, and malware authors have a lot of secrets to keep. Malware is designed for a variety of purposes, but all of these purposes are not in the best interests of the malware’s target. As a result, people actively try to search for and destroy any malware on their systems.
In order to protect their operations, malware authors often incorporate encryption into several stages of the malware infection lifecycle. Common uses of malware include aiding in delivery and execution of the malicious code, concealing the command and control communications channels between the malware and its operator, and helping to protect the malware’s ability to achieve its operational objectives.
Delivery and Execution
Most people don’t want malware on their computers – obviously. As a result, individuals and organizations deploy antivirus, firewalls, and other cyber defense solutions in order to minimize the probability that they’ll be infected. While these solutions aren’t always effective, they work fairly effectively against many known threats.
This creates a high bar for malware authors, who not only need to get their malware into a target network but also need to be able to execute it on the target systems once it’s there. Malware is delivered in a variety of different ways, everything from phishing emails to infected USB drives to network worms that spread themselves by exploiting vulnerabilities in network-facing services.
Encryption plays a key role in the success of many malware variants trying to perform this initial step of delivery and execution. Most antiviruses work based off of signature matching, which attempts to identify certain bits of code or text in the malware sample. By encrypting the majority of the sample and leaving just enough code unencrypted to decrypt and run the code, malware authors can make their software that much harder to detect.
This behavior is extremely important when malware is attempting to evade the protections provided by Intrusion Detection Systems and similar cybersecurity solutions. The alerts provided by these systems and computer system logs are regularly monitored and reviewed by security teams as part of their detection strategy. By encrypting the malware as it moves to the machine (and its later communications), malware operators decrease the probability that useful data will be captured in these alerts or log files.
Command and Control
Most malware is not designed to operate completely independent of its owner. Once malware manages to establish itself on a target machine, it often opens up a communications channel to servers under the attacker’s control. This allows the malware to receive additional commands from the operator and send data back to the hacker. As a result, the operator can provide a hacking experience customized to the compromised machine and the data stored on it.
Command and control (C2) communications are the most common place for malware to use encryption. Many organizations deploy network-based cybersecurity defenses that examine all traffic going to and from computers within the network. If these defenses can recognize the malware’s C2 communications, they can block them and take action to remove the malware.
Malware C2 can either be designed to use the encryption already available on the Internet or include their own.
Many legitimate communications use Transport Level Security (TLS) to protect their communications (it’s the protocol that secures HTTPS). One TLS session looks a lot like the other, so using TLS and a common port (like 443) allows malware C2 to blend into the crowd.
Malware can also use a custom encryption solution to protect its communications. Most standardized encryption algorithms (like AES and RSA) are published with code samples freely available. A well-designed and implemented encryption solution can make malware C2 communications impossible to crack, but a mistake here can make the malware’s use of encryption completely worthless.
Once malware is successfully installed on its target and has established a C2 connection with its operator, it’s time for it to start working on its objectives. Malware authors typically have a reason for trying to breach a computer, and the details of this depends on the target, malware family, objective, etc.
Encryption may even be a core component of the malware’s primary objection. For example, ransomware or cryptolocker types of malware like Wannacry and Locky uses it to deny users access to their files by encrypting them and demanding a ransom.
However, the use of encryption is common here as well due to the importance to the malware author of keeping C2 communications secure. If an organization detects the exfiltration of their data or can read the C2 instructions from the hacker, it’s easier for them to detect and eradicate the infection. As a result, hackers will commonly encrypt this data and do whatever they can to hide it, whether it’s blending in by using common, encrypted protocols for C2 or developing a covert C2 channel designed to slip under the defender’s radar.
Seeing Past the Crypto
One of the biggest pros and cons of encryption technology is that it works well. If properly designed and implemented, an encryption system can make it impossible for an unauthorized party to view the protected data. This is a huge asset when dealing with sensitive data but is a significant threat with regard to malware.
The problem with malware’s use of encryption is that, done correction, it’s impossible to decrypt the data and understand what the malware is doing. This is what makes it so vital to ensure that malware doesn’t manage to install itself on your systems in the first place, and, if it does, to have the resources necessary to detect and eradicate it as soon as possible.
Malware can be installed on a system in a variety of different ways, so it is important to have a comprehensive and strong cyber defense program. This should include the use of penetration testing and vulnerability scanning to help identify and close potential infection vectors, continuous monitoring to ensure that intrusions are detected as soon as possible, and cyberawareness training to ensure that employees know how to identify and respond to potential attacks.
Malware takes advantage of encryption technology in a variety of different ways. It can be used throughout the malware infection lifecycle to protect the privacy of any data that the malware author does not wish to be shared with the network defenders. Since modern encryption technology is designed to be secure, this can be a significant problem for cyber defenders because this protected data can be vital to understanding and eradicating the infection. Malware’s use of encryption makes it even more important to take action to detect and protect against malware before it enters and installs itself on the network.
May 21, 2020