You are browsing the archive for DeXRAY.

DeXRAY – Decrypting VBN files, Part 2

September 21, 2012 in DeXRAY, Software Releases

A few months back I posted about DeXRAY -  a generic script/file carver that tries to decrypt various Quarantine files + PE files hidden inside other files under a simple layer of a single-byte xor encryption.

Some time later, in one of my other posts I mentioned that newer VBN files used by Symantec Quarantine use a different encryption scheme; instead of using well-known xor with a 0x5A key, they now use 0xA5 key.

Turns out that I was right about it, but only partially as there is a twist to it – not only these files are encrypted, but they are also divided into chunks separated by a 5 byte ‘chunk divider’ in a form of 0xF6 0x?? 0x?? 0xFF 0xFF. So, to reconstruct the encrypted Quarantine files, one needs to decrypt them with 0xA5 first and then remove the chunk dividers.

Simple, isn’t?

I updated DeXRAY.pl to handle this (quick & dirty patch, but it should work). If you find some VBN files that don’t get decrypted at all or get corrupted after decryption, please let me know.

I bet Symantec guys added this to prevent accidental detection of Quarantine files by theirs and other AV companies’ scanners; the way I think it goes is that many AV companies use X-rays technique during scans (that is, they may find malware even if it is encrypted with a single byte xor) and they could potentially/accidentally decrypt and detect the Quarantine file during scans. That could potentially lead to some ‘funny’ results (recursive detection, etc.); introducing ‘chunk divider’ breaks the file format of the encrypted file and AV scans no longer can ‘understand’ the corrupted file structure (especially if it is an encrypted PE file).

Download a new version from here:  DeXRAY.pl

 

DeXRAY – simple XORcarver

January 5, 2012 in DeXRAY, Software Releases

It is a well-known fact that the most common encryption algorithm used by malware authors relies on an eXclusive OR (a.k.a. XOR) operation using a static, one byte long key. It is used so often that many researchers already have their own scripts and tools that attempt to cryptanalyse encrypted files and discover hidden data. And in case you don’t – you will now have one as well :-).

DeXRAY

DeXRAY is a simple perl script that tries to discover encrypted executables and DLLs (or, more generically – Portable Executables a.k.a. PE) within a given data file e.g. it could be an encrypted PE that is embedded inside a malicious dropper (including non-PE files e.g. PDFs) or network traffic.

How it works

DeXRAY relies on a simple technique known as X-RAY. The technique is probably as old as an antivirus industry itself and relies on a simple fact that xoring two values from analyzed data will produce the same result as the result obtained from xoring these values if they have been previously encrypted with a static key.

A xor B = (A xor key) xor (B xor key) = same value

Since all Portable Executables start with letters ‘M’ and ‘Z’, xoring ‘M’ and ‘Z’ will produce the same value as xoring (‘M’ xor key) with (‘Z’ xor key)

‘M’ xor ‘Z’ = (‘M’ xor key) xor (‘Z’ xor key) = 0×17

In other words, it is a known plain-text attack.

Supported files

DeXRAY attempts to decrypt

  • Any binary file (using X-RAY)
  • Symantec Quarantine files (VBN/QBD)
  • McAfee Quarantine files (BUP)

Quarantine files are supported specifically for a very simple reason: they often rely on a XOR-based encryption algorithm and X-RAY is a very suitable technique to decrypt them. To make things easier, DeXRAY recognizes file extensions of known Quarantine files and uses (widely) known hard coded keys to decrypt these files while maintaining some flexibility in case some keys have changed.

Usage:

perl DeXRAY.pl <filename or directory>

What is the output?

If it works, you will get files saved as <original filename.XXXXXXXX.YY.out>

where:

  • XXXXXXXX is the offset (hexadecimal) where the file starts in the original file
  • YY is the encryption key (hexadecimal)

There may be more files than one. In some cases the log from the script may show two output files with the same name (one obtained from de-xoring with a hard coded value and second one from X-RAY; in such case, only one file is produced).

Examples and Notes

  • Symantec Quarantine files (.VBN) – xor 0x5A

DeXRAY won’t work with some Symantec Quarantine files. As far as I can tell, it is because not all VBN files are actualy encrypted, so it’s worth looking at a hex dump of such files first. It may also not work if the Quarantined file is not Portable Executable – X-RAY only supports Portable Executable. Adding support for other files (e.g. Flash, PDF) is trivial. Finally, note that there are often two VBN files associated with one Quarantine entry – one contains some metadata, second is the actual encrypted file and is located in a Quarantine subdirectory named similarly to the first VBN file.

The content of the decryptable VBN file is metadata at the top of the file (clear text and strings visible, but header format is unknown) that is followed by the encrypted content we want to grab. One more note here – the location of the encrypted data within the VBN file is not static as some blogs suggest. DeXRAY script is trying to ‘guess’ the offset to the encrypted by reading first 32-bit value from the file (while it is not documented, it appears to be actually pointing to the encrypted content).

  • Symantec/Norton Quarantine files (.QBD) – xor 0xB3 / xor 0x4C

DeXRAY decrypts the whole file using static key 0xB3. This allows to decrypt the metadata at the top of the file. It then uses X-RAY and finds the encrypted malware (it’s encrypted with the key 0x4C)

  • McAfee Quarantine (.BUP) – xor 0x6A

DeXRAY decrypts the whole file using static key 0x6A. This allows to decrypt the metadata at the top of the file. It then relies on X-RAY to find and extract the encrypted malware

  • only PE files are supported by X-RAY, but adding support for known malicious files is trivial and you could add it yourself, or drop me a line and I will add it.

I am not sure if all static keys are always correct as I didn’t have enough samples to test, but it seemed to work in all tests. If you come across files that you know for sure they should be containing malware and DeXRAY fails to decrypt them, feel free to send them over and I will have a look.

Download