Schneier on Security

Sophisticated? • June 22, 2019 12:05 AM

From the ARStechnica post,

features that made Triada so sophisticated. For one, it used XOR encoding and ZIP files to encrypt communications.

ZIP file and XOR encoding is sophisticated? Since when?

Whilst the order you apply compression (ZIP) and stream encryption (XOR encoding) is important, it’s not exactly new or for that matter sophisticated. Using compression to “flatten the statistics” prior to encryption has been a recomendation since before @Bruce wrote his first cryto book with the blue cover back last century.

As for using “XOR encoding” it can mean little or nothing for encoding through to everything for encryption, it all depends on what you XOR with.

If you just XOR the plaintext byte by byte with the same value, such encoding is barely different from a Ceaser Cipher or the much mentioned in jokes ROT13. However using a string of truly random numbers is almost the equivalent of a One Time Pad, it’s security rests on the size of the pad, reuse and access to the pad.

Even using a complex encryption algorithm to generate a “Key Stream” is not exactly appropriate for malware use security wise. Because all the parts including the key are often embedded in some way into the malware code or downloaded thus available to malware researchers.

But for those who know how the XOR gate works this from a researcher must surely raise a wry smile,

“The apps were downloaded from the C&C server, and the communication with the C&C was encrypted using the same custom encryption routine using double XOR and zip,” Siewierski wrote.

For those old enough to know what “.com” files were and who “Dr Solomon” was back in the 1980’s the use of XOR encoding was one of the first ways used to “morph malware”[1]. Back then it was considered “the new way” to avoid the then common “signature” based Anti-Virus detection. It was thus only used for obfuscation not secrecy of any kind.

I would have hoped the world has kind of moved on a bit since then or has such knowledge in effect become “forgotten knowledge”?

So if it is “forgotten” the question is by who?

That is, is it the researchers, journalists, both or worse it’s not been taught to several generations of software writers. Because people have treated it like “Forbidden Fruit” knowledge. If the latter it’s realy a little pointless because it’s neither difficult to find the parts of the information or for someone with a slight degree of curiosity to work it out.

[1] A “.com” file was a hang over from the C/PM days of the 1970’s, put simply, in essense it was a memory image of the executable code that got loaded directly into memory at a known offset (100h). MS-DOS then jumped to that address and started executing the code. Thus all a malware writer had to do was start the .com code with a three byte jump instruction to get past a block of “random bytes” to the start of the XOR decryption engine. The block of random bytes could likewise be any length even random as it’s length could be easily calculated from the the jump address. The decryption engine then walked it’s way down the image in memory decrypting it’s self as it went repeatedly using the “random bytes”. Thus the payload would be decrypted and then executed. In turn the first payload could be a “Run Length Decoder” or similar to expand a second payload, as long as it all stayed within the 64Kbyte limit it would work. Most ASM programers of the time –and if you wrote PC Code back then you were an ASM programer– could cut their own version of such XOR code in at most an afternoon using debug.com[2] and the run length coder in a day as it was most certainly not “Rocket Science”.

[2] Like much else Microsoft sold debug.com was not originally developed or even purchased by them. It was written in 1980 by Tim Paterson who put it into the public domain. So Microsoft just used it in MS-DOS 2.X onwards, with as far as I remember no acknowledgment at all. For those of use that knew that, the Bill Gates “rant” letter about people copying BASIC struck us as hypocritical at best.