The story of grandma and the encrypted granddaughter pictures.
In this presentation we explain how ransomware creators think, what their goals are and how they go about achieving them. We then describe the research we did on the DirCrypt ransomware and how we found errors in its encryption implementation, allowing us to decrypt most of the encrypted data without paying off the criminals.
A full article can be found here: https://www.checkpoint.com/download/public-files/TCC_WP_Hacking_The_Hacker.pdf
1. Fighting back against the DirCrypt bully
Nitay Artenstein
Michael Shalyt
HACKING THE HACKER
2. BLACK HAT
“A ‘black hat’ hacker is a hacker who violates computer
security for little reason beyond maliciousness or for
personal gain“ - Wikipedia.
3. WHITE HAT
“A ’white hat’ hacker breaks
security for non-malicious
reasons… The term "white hat"
in Internet slang refers to
an ethical hacker.” - Wikipedia.
30. CRYPTERS ARE WRONGER
• “Innocence based” attacks.
• Scare tactics.
• The victim pays the price, unlike banking trojans.
• High-school bully – crypters will evolve and spread as
long as victims pay the ransom instead of resisting.
31. AND NOW FOR THE GOOD PART…
• It's hard to implement a secure cryptographic protocol
• Many malware writers are not exactly masters of secure
coding
• What if we can hack the hackers and save Grandma?
33. WHAT IS REVERSE ENGINEERING?
• The malware executable holds some of the secrets we
need to uncover:
35. MALWARE RESEARCHER == DETECTIVE
• A malware binary is like a crime scene
• Through skill and experience, a reverse engineer
develops a “nose for mystery”
• A bunch of tools help us rise above the bits and bytes,
and make it easier to connect the dots
42. IMAGINE YOU WERE A HACKER…
• Where would you hide the key?
• Your options: the registry, a hidden file, or only on the
C&C server
• There is always a compromise
49. ATTACKING KEY REUSE
• Which files will always be on Windows?
• We need the largest file possible. Sample videos?
• The max size decryptable will be the size of that file
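The attack the slides sketch, as an added worked example (this is not code from the original deck or from the DirCrypt authors): if the malware encrypts every file with the same key and a stream cipher whose keystream restarts at offset 0 for each file, a file the attacker already knows in plaintext (a sample video that ships with Windows) gives the keystream for free, and that keystream decrypts every other file up to the known file's length. RC4 is assumed here purely as the stand-in keystream generator, the key and all sample files are constructed, and nothing about the real cipher is claimed beyond what the slides state.

```python
"""
Added example: known-plaintext attack on stream-cipher key reuse.
Assumptions (not from the slides): one key per victim, RC4 as the stand-in
stream cipher, keystream restarting at offset 0 for every file.
All files below are constructed sample data.
"""


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA), used only to produce a deterministic keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def malware_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """The flawed scheme: same key, keystream restarts at 0 for every file."""
    return xor_bytes(plaintext, rc4_keystream(key, len(plaintext)))


def recover_keystream(known_plaintext: bytes, known_ciphertext: bytes) -> bytes:
    """C = P xor KS, so KS = P xor C. Neither the key nor the cipher is needed."""
    return xor_bytes(known_plaintext, known_ciphertext)


def decrypt_with_keystream(keystream: bytes, ciphertext: bytes):
    """Return (recovered prefix, number of bytes still encrypted).

    The recovered prefix is capped at len(keystream): that is why the largest
    known file on the system sets the maximum decryptable size.
    """
    recovered = xor_bytes(ciphertext, keystream)
    return recovered, len(ciphertext) - len(recovered)


def demo():
    key = b"victim-specific-key"  # hypothetical; the attacker never learns it
    # Constructed files: a "sample video" the attacker knows byte-for-byte,
    # a photo shorter than it, and a photo longer than it.
    sample_video = bytes(range(256)) * 8                  # 2048 bytes, known plaintext
    small_photo = b"JFIF grandma + granddaughter " * 40   # 1160 bytes
    big_photo = b"JFIF birthday video frame " * 100       # 2600 bytes

    enc_video = malware_encrypt(key, sample_video)
    enc_small = malware_encrypt(key, small_photo)
    enc_big = malware_encrypt(key, big_photo)

    keystream = recover_keystream(sample_video, enc_video)
    small_rec, small_left = decrypt_with_keystream(keystream, enc_small)
    big_rec, big_left = decrypt_with_keystream(keystream, enc_big)
    return {
        "keystream_len": len(keystream),
        "small_ok": small_rec == small_photo and small_left == 0,
        "big_prefix_ok": big_rec == big_photo[: len(keystream)],
        "big_bytes_left": big_left,
    }


if __name__ == "__main__":
    print(demo())
```

The small photo comes back in full; the big photo only up to 2048 bytes, with its last 552 bytes still encrypted. In practice one recovers the keystream from the longest known file available and tries the decrypted prefix, since for many formats (JPEG, DOCX) a complete header and most of the body is already enough to salvage the file.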