{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,3,27]],"date-time":"2025-03-27T11:27:19Z","timestamp":1743074839858,"version":"3.40.3"},"publisher-location":"Berlin, Heidelberg","reference-count":35,"publisher":"Springer Berlin Heidelberg","isbn-type":[{"type":"print","value":"9783662449516"},{"type":"electronic","value":"9783662449523"}],"license":[{"start":{"date-parts":[[2014,1,1]],"date-time":"2014-01-01T00:00:00Z","timestamp":1388534400000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2014]]},"DOI":"10.1007\/978-3-662-44952-3_9","type":"book-chapter","created":{"date-parts":[[2014,10,9]],"date-time":"2014-10-09T12:38:21Z","timestamp":1412858301000},"page":"117-132","source":"Crossref","is-referenced-by-count":1,"title":["Analysis of the Use of XOR as an Obfuscation Technique in a Real Data Corpus"],"prefix":"10.1007","author":[{"given":"Carolina","family":"Zarate","sequence":"first","affiliation":[]},{"given":"Simson","family":"Garfinkel","sequence":"additional","affiliation":[]},{"given":"Aubin","family":"Heffernan","sequence":"additional","affiliation":[]},{"given":"Scott","family":"Horras","sequence":"additional","affiliation":[]},{"given":"Kyle","family":"Gorak","sequence":"additional","affiliation":[]}],"member":"297","reference":[{"key":"9_CR1","unstructured":"aeon, MemoryDump (\n                    \n                      www.woodmann.com\/collaborative\/tools\/index.php\/MemoryDump\n                    \n                    \n                  ), 2009."},{"key":"9_CR2","volume-title":"Symbian malware uses a 91-byte XOR key","author":"A. Apvrille","year":"2012","unstructured":"A. 
Apvrille, Symbian malware uses a 91-byte XOR key, Fortinet, Sunnyvale, California (\n                    \n                      http:\/\/blog.fortinet.com\/symbian-malware-uses-a-91-byte-xor-key\n                    \n                    \n                  ), 2012."},{"key":"9_CR3","volume-title":"Frank Boldewin\u2019s www.reconstructer.org","author":"F. Boldewin","year":"2009","unstructured":"F. Boldewin, Frank Boldewin\u2019s www.reconstructer.org (\n                    \n                      www.reconstructer.org\/code.html\n                    \n                    \n                  ), 2009."},{"issue":"1","key":"9_CR4","first-page":"1","volume":"21","author":"S. Brenner","year":"2004","unstructured":"S. Brenner, B. Carrier and J. Henninger, The Trojan horse defense in cybercrime cases, Santa Clara High Technology Law Journal, vol. 21(1), pp. 1\u201353, 2004.","journal-title":"Santa Clara High Technology Law Journal"},{"key":"9_CR5","volume-title":"Nowhere to hide: Three methods of XOR obfuscation","author":"J. Cannell","year":"2013","unstructured":"J. Cannell, Nowhere to hide: Three methods of XOR obfuscation, Malwarebytes, San Jose, California (\n                    \n                      http:\/\/blog.malwarebytes.org\/intelligence\/2013\/05\/nowhere-to-hide-three-methods-of-xor-obfuscation\n                    \n                    \n                  ), 2013."},{"key":"9_CR6","volume-title":"Obfuscation: Malware\u2019s best friend","author":"J. Cannell","year":"2013","unstructured":"J. Cannell, Obfuscation: Malware\u2019s best friend, Malwarebytes, San Jose, California (\n                    \n                      http:\/\/blog.malwarebytes.org\/intelligence\/2013\/03\/obfuscation-malwares-best-friend\n                    \n                    \n                  ), 2013."},{"key":"9_CR7","volume-title":"The Sleuth Kit","author":"B. Carrier","year":"2013","unstructured":"B. 
Carrier, The Sleuth Kit (\n                    \n                      www.sleuthkit.org\/sleuthkit\n                    \n                    \n                  ), 2013."},{"issue":"4","key":"9_CR8","doi-asserted-by":"publisher","first-page":"34","DOI":"10.1145\/1013886.1007518","volume":"29","author":"M. Christodorescu","year":"2004","unstructured":"M. Christodorescu and S. Jha, Testing malware detectors, ACM SIGSOFT Software Engineering Notes, vol. 29(4), pp. 34\u201344, 2004.","journal-title":"ACM SIGSOFT Software Engineering Notes"},{"key":"9_CR9","unstructured":"M. Christodorescu, J. Kinder, S. Jha, S. Katzenbeisser and H. Veith, Malware Normalization, Technical Report #1539, Department of Computer Sciences, University of Wisconsin, Madison, Wisconsin (\n                    \n                      ftp:\/\/ftp.cs.wisc.edu\/pub\/techreports\/2005\/TR1539.pdf\n                    \n                    \n                  ), 2005."},{"issue":"3","key":"9_CR10","doi-asserted-by":"publisher","first-page":"269","DOI":"10.1109\/76.911155","volume":"11","author":"G. Conklin","year":"2001","unstructured":"G. Conklin, G. Greenbaum, K. Lillevold, A. Lippman and Y. Reznik, Video coding for streaming media delivery on the Internet, IEEE Transactions on Circuits and Systems for Video Technology, vol. 11(3), pp. 
269\u2013281, 2001.","journal-title":"IEEE Transactions on Circuits and Systems for Video Technology"},{"key":"9_CR11","unstructured":"Cyber Engineering Services, Malware obfuscated within PNG files, Columbia, Maryland (\n                    \n                      www.cyberengineeringservices.com\/malware-obfuscated-within-png-files\n                    \n                    \n                  ), 2011."},{"key":"9_CR12","unstructured":"Cyber Engineering Services, Malware obfuscated within PNG files > Sample 2, Columbia, Maryland (\n                    \n                      www.cyberengineeringservices.com\/malware-obfuscated-within-png-files-sample-2-2\n                    \n                    \n                  ), 2011."},{"key":"9_CR13","unstructured":"M. Dudek, Hexplorer (\n                    \n                      http:\/\/sourceforge.net\/projects\/hexplorer\n                    \n                    \n                  ), 2013."},{"key":"9_CR14","unstructured":"G. Edwards, NoMoreXOR (\n                    \n                      http:\/\/github.com\/hiddenillusion\/NoMoreXOR\n                    \n                    \n                  ), 2013."},{"key":"9_CR15","unstructured":"J. Esparza, XORBruteForcer (\n                    \n                      http:\/\/eternal-todo.com\/var\/scripts\/xorbruteforcer\n                    \n                    \n                  ), 2008."},{"key":"9_CR16","volume-title":"W32.Stuxnet Dossier","author":"N. Falliere","year":"2011","unstructured":"N. Falliere, L. O\u2019Murchu and E. Chien, W32.Stuxnet Dossier, Symantec, Mountain View, California, 2011."},{"issue":"S","key":"9_CR17","doi-asserted-by":"publisher","first-page":"2","DOI":"10.1016\/j.diin.2009.06.016","volume":"6","author":"S. Garfinkel","year":"2009","unstructured":"S. Garfinkel, P. Farrell, V. Roussev and G. Dinolt, Bringing science to digital forensics with standardized forensic corpora, Digital Investigation, vol. 6(S), pp. 
S2\u2013S11, 2009.","journal-title":"Digital Investigation"},{"key":"9_CR18","doi-asserted-by":"publisher","first-page":"56","DOI":"10.1016\/j.cose.2012.09.011","volume":"32","author":"S. Garfinkel","year":"2013","unstructured":"S. Garfinkel, Digital media triage with bulk data analysis and bulk_extractor, Computers and Security, vol. 32, pp. 56\u201372, 2013.","journal-title":"Computers and Security"},{"key":"9_CR19","unstructured":"Google, Safe Browsing API, Mountain View, California (\n                    \n                      http:\/\/developers.google.com\/safe-browsing\n                    \n                    \n                  ), 2013."},{"key":"9_CR20","unstructured":"A. Hanel, iheartxor (\n                    \n                      http:\/\/hooked-on-mnemonics.blogspot.com\/p\/iheartxor.html\n                    \n                    \n                  ), 2012."},{"key":"9_CR21","unstructured":"Hexacorn, DeXRAY, Hong Kong, China (\n                    \n                      www.hexacorn.com\/blog\/category\/software-releases\/dexray\n                    \n                    \n                  ), 2012."},{"key":"9_CR22","unstructured":"B. Hussey, Decoding data exfiltration \u2013 Reversing XOR encryption, Crucial Security Forensics Blog (\n                    \n                      http:\/\/crucialsecurityblog.harris.com\/2011\/07\/06\/decoding-data-exfiltration-%E2%80%93-reversing-xor-encryption\n                    \n                    \n                  ), 2011."},{"key":"9_CR23","unstructured":"Internot\u00a0Security Team, Bypassing anti-virus scanners (\n                    \n                      http:\/\/dl.packetstormsecurity.net\/papers\/bypass\/bypassing-av.pdf\n                    \n                    \n                  ), 2011"},{"key":"9_CR24","first-page":"23","volume-title":"Proceedings of the Fourth International Symposium on Information, Computer and Communications Security","author":"B. Kang","year":"2009","unstructured":"B. 
Kang, E. Chan-Tin, C. Lee, J. Tyra, H. Kang, C. Nunnery, Z. Wadler, G. Sinclair, N. Hopper, D. Dagon and Y. Kim, Towards complete node enumeration in a peer-to-peer botnet, Proceedings of the Fourth International Symposium on Information, Computer and Communications Security, pp. 23\u201334, 2009."},{"key":"9_CR25","unstructured":"Kimberly, Analysis of imm32.dll \u2013 Trojan.Win32.Patched.mc, StopMalvertising (\n                    \n                      http:\/\/stopmalvertising.com\/malware-reports\/analysis-of-imm32.dll-trojan.win32.patched.mc.html\n                    \n                    \n                  ), 2011."},{"key":"9_CR26","unstructured":"Malware Tracker, Cryptam document scanner, North Grenville, Canada (\n                    \n                      http:\/\/malwaretracker.com\/doc.php\n                    \n                    \n                  ), 2012."},{"key":"9_CR27","unstructured":"Malware Tracker, New malware document scanner tool released, North Grenville, Canada (\n                    \n                      http:\/\/blog.malwaretracker.com\/2012\/02\/new-malware-document-scanner-tool.html\n                    \n                    \n                  ), 2012."},{"key":"9_CR28","unstructured":"McAfee, TrustedSource \u2013 Check Single URL, Santa Clara, California (\n                    \n                      www.trustedsource.org\/en\/feedback\/url?action=checksingle\n                    \n                    \n                  ), 2011."},{"key":"9_CR29","unstructured":"L. Mueller, XOR entire file or selected text, ForensicKB (\n                    \n                      www.forensickb.com\/2008\/03\/xor-entire-file-or-selected-text.html\n                    \n                    \n                  ), 2008."},{"key":"9_CR30","unstructured":"D. 
Stevens, XORSearch and XORStrings (\n                    \n                      http:\/\/blog.didierstevens.com\/programs\/xorsearch\n                    \n                    \n                  ), 2007."},{"key":"9_CR31","unstructured":"D. Stevens, Translate (\n                    \n                      http:\/\/blog.didierstevens.com\/programs\/translate\n                    \n                    \n                  ), 2008."},{"key":"9_CR32","unstructured":"D. Stevens, New tool: XORStrings (\n                    \n                      http:\/\/blog.didierstevens.com\/?s=xorstrings\n                    \n                    \n                  ), 2013."},{"key":"9_CR33","unstructured":"Systweak CheckFileName, View Nero Premium Details (\n                    \n                      www.checkfilename.com\/view-details\/Nero-Premium\n                    \n                    \n                  ), 2013."},{"issue":"12","key":"9_CR34","first-page":"61","volume":"1","author":"I. Venkata Sai Manoj","year":"2010","unstructured":"I.\u00a0Venkata\u00a0Sai Manoj, Cryptography and steganography, Internal Journal of Computer Applications, vol. 1(12), pp. 61\u201365, 2010.","journal-title":"Internal Journal of Computer Applications"},{"key":"9_CR35","first-page":"248","volume-title":"Proceedings of the Eighth International Conference on Availability, Reliability and Security","author":"N. Virvilis","year":"2013","unstructured":"N. Virvilis and D. Gritzalis, The big four \u2013 What we did wrong in advanced persistent threat detection? Proceedings of the Eighth International Conference on Availability, Reliability and Security, pp. 
248\u2013254, 2013."}],"container-title":["IFIP Advances in Information and Communication Technology","Advances in Digital Forensics X"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-662-44952-3_9","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,5,20]],"date-time":"2019-05-20T14:06:34Z","timestamp":1558361194000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-662-44952-3_9"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2014]]},"ISBN":["9783662449516","9783662449523"],"references-count":35,"URL":"https:\/\/doi.org\/10.1007\/978-3-662-44952-3_9","relation":{},"ISSN":["1868-4238","1868-422X"],"issn-type":[{"type":"print","value":"1868-4238"},{"type":"electronic","value":"1868-422X"}],"subject":[],"published":{"date-parts":[[2014]]}}}