Fighting back against the DirCrypt bully
Nitay Artenstein
Michael Shalyt
HACKING THE HACKER
BLACK HAT
“A ‘black hat’ hacker is a hacker who violates computer security for little reason beyond maliciousness or for personal gain“ - Wikipedia.
WHITE HAT
“A ’white hat’ hacker breaks security for non-malicious reasons… The term "white hat" in Internet slang refers to an ethical hacker.” - Wikipedia.
THE GRANDMA
THE GRANDDAUGHTER
WHAT JUST HAPPENED?
CRYPTERS IN THE WILD
FOR EXAMPLE: DIRCRYPT
ENCRYPTION DEMO
CRYPTO 101
CRYPTERS ARE WRONGER
• “Innocence based” attacks.
• Scare tactics.
• The victim pays the price, unlike banking trojans.
• High-school bully – crypters will evolve and spread as long as victims pay the ransom instead of resisting.
AND NOW FOR THE GOOD PART…
• It's hard to implement a secure cryptographic protocol
• Many malware writers are not exactly masters of secure coding
• What if we can hack the hackers and save Grandma?
LOOKS LIKE A JOB FOR A REVERSER
WHAT IS REVERSE ENGINEERING?
• The malware executable holds some of the secrets we need to uncover:
MALWARE RESEARCHER == DETECTIVE
• A malware binary is like a crime scene
• Through skill and experience, a reverse engineer develops a “nose for mystery”
• A bunch of tools help us rise above the bits and bytes, and make it easier to connect the dots
THE GOAL: MOVE FROM THIS…
TO THIS
FROM PLAINTEXT TO CIPHER
IMAGINE YOU WERE A HACKER…
• Where would you hide the key?
• Your options: the registry, a hidden file, or only on the C&C server
• There is always a compromise
A FEW SLEEPLESS NIGHTS LATER…
SO NOW WE HAVE A HINT
THE UNBEARABLE LIGHTNESS OF KEY REUSE
ATTACKING KEY REUSE
• Which files will always be on Windows?
• We need the largest file possible. Sample videos?
• The max size decryptable will be the size of that file
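The key-reuse attack the slides outline, as an added example that is not code from the talk: it assumes the crypter XORs every file with one reused keystream (the deck does not name the cipher; that is the assumption here), recovers the keystream from a file whose contents are known, and shows why decryption stops at the length of that known file. All sample data is constructed.

```python
import random

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

def recover_keystream(known_plain: bytes, known_cipher: bytes) -> bytes:
    """Key reuse: plaintext XOR ciphertext of a known file yields the keystream."""
    return xor_bytes(known_plain, known_cipher)

def decrypt_with_keystream(cipher: bytes, keystream: bytes) -> tuple:
    """Return (recovered prefix, number of trailing bytes still unrecoverable).

    The keystream is known only for as many bytes as the known file had,
    so that length bounds what can be decrypted (the talk's third bullet).
    """
    n = min(len(cipher), len(keystream))
    return xor_bytes(cipher[:n], keystream[:n]), len(cipher) - n

# Constructed sample data; real key material and file contents are not on the slides.
KNOWN_PLAIN = b"RIFF-like header of a sample video that ships with Windows"
VICTIM_PLAIN = b"Grandma's photos, letters and recipes, all XORed with the same reused key"

def crypter_encrypt(plain: bytes, keystream: bytes) -> bytes:
    """Model of the flawed crypter (assumption): every file XORed with one keystream."""
    if len(keystream) < len(plain):
        raise ValueError("model keystream too short")
    return xor_bytes(plain, keystream)

def demo() -> dict:
    rng = random.Random(2014)  # fixed seed so the run is reproducible
    # Constructed stand-in for the reused keystream the malware would derive from its key.
    keystream = bytes(rng.getrandbits(8) for _ in range(128))
    known_cipher = crypter_encrypt(KNOWN_PLAIN, keystream)
    victim_cipher = crypter_encrypt(VICTIM_PLAIN, keystream)
    ks = recover_keystream(KNOWN_PLAIN, known_cipher)  # the key itself is never needed
    recovered, left = decrypt_with_keystream(victim_cipher, ks)
    return {"keystream_len": len(ks), "recovered": recovered, "undecrypted": left}

if __name__ == "__main__":
    r = demo()
    print(f"recovered {len(r['recovered'])} bytes; {r['undecrypted']} bytes past the known file remain")
```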
READY TO SOLVE THE PUZZLE?
THAT AWKWARD MOMENT
```c
WriteToFile(hFile, SymmetricKey, 10);  // the symmetric key itself is written out to a file
```
DECRYPTION DEMO
DECRYPTION… CHECK
GRANDMA IS HAPPY AGAIN