Thursday, August 2, 2018

Mirai - Decoding Encoded Strings

In initial stages Mirai malware was seen using the credentials used for brute-forcing in plain text. But Mirai has evolved since then and has started encoding the strings. These encoded strings are just simple XOR encoding and can easily be decoded.

Checking the strings of the Mirai malware we can see that it doesn't make any sense with the encoding,

Find the decoding routine is very simple. All we got to do is find the code that's referencing these encoded strings and follow it to identify the code that decodes the strings.

In this blog post an ARM binary is being analyzed. So to find the routine that's responsible for decoding search the code for the XOR opcode instead of following the instruction sequence manually. In case of ARM architecture the XOR operation is represented using EOR opcode. Searching the EOR opcode in the code return a very modest result.

In the search results one specific instruction stands out,

EOR R3, R3, #0x54

Finding where the code is being used reveals that this instruction is used in a loop,

The above sequence of instruction makes it clear that the XOR key is 0x54. We can quickly write a IDA Python script to decode the bytes at a given address.

Thus revealing the credentials used for brute-forcing remote telnet services.

No comments:

Post a Comment