{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,13]],"date-time":"2025-11-13T12:25:57Z","timestamp":1763036757062,"version":"build-2065373602"},"reference-count":41,"publisher":"MDPI AG","issue":"2","license":[{"start":{"date-parts":[[2013,4,25]],"date-time":"2013-04-25T00:00:00Z","timestamp":1366848000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/3.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Future Internet"],"abstract":"<jats:p>This article presents and explains a methodology, based on cryptanalytic and reverse-engineering techniques, that can be employed to quickly recover information from encrypted files generated by malware. The objective of the methodology is to minimize the effort spent on static and dynamic analysis by relying on cryptanalysis and related knowledge as much as possible. To illustrate how it works, we present three case studies taken from a large Brazilian company that was the victim of targeted attacks aimed at stealing information from special-purpose hardware used in its environment.<\/jats:p>","DOI":"10.3390\/fi5020140","type":"journal-article","created":{"date-parts":[[2013,4,25]],"date-time":"2013-04-25T10:35:11Z","timestamp":1366886111000},"page":"140-167","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":3,"title":["A Methodology for Retrieving Information from Malware Encrypted Output Files: Brazilian Case Studies"],"prefix":"10.3390","volume":"5","author":[{"given":"Nelson","family":"Uto","sequence":"first","affiliation":[{"name":"GSeg (Information Security Department), CPqD, Rua Dr. 
Ricardo Benetton Martins, 13086-902 Campinas, Brazil"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2013,4,25]]},"reference":[{"key":"ref_1","unstructured":"Falliere, N., Murchu, L.O., and Chien, E. (2011). W32.Stuxnet Dossier-Version 1.4, Symantec. Symantec Security Response Technical Report."},{"key":"ref_2","unstructured":"(2012). sKyWIper (a.k.a. Flame a.k.a. Flamer): A Complex Malware for Targeted Attacks, Technical Report for Laboratory of Cryptography and System Security (CrySyS Lab)."},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Rivest, R.L. (1992). RFC 1321\u2013The MD5 Message-Digest Algorithm, MIT Laboratory for Computer Science and RSA Data Security, Inc.","DOI":"10.17487\/rfc1321"},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1007\/978-3-540-72540-4_1","article-title":"Chosen-prefix collisions for MD5 and colliding X.509 certificates for different identities","volume":"4515","author":"Stevens","year":"2007","journal-title":"Lect. Notes Comput. Sci."},{"key":"ref_5","unstructured":"Menezes, A., van Oorschot, P., and Vanstone, S. (2001). Handbook of Applied Cryptography, CRC Press. [5th ed.]."},{"key":"ref_6","unstructured":"Friedman, W.F. (1922). The Index of Coincidence and Its Applications in Cryptology, Department of Ciphers Publ 22, Riverbank Laboratories."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"120","DOI":"10.1145\/359340.359342","article-title":"A method for obtaining digital signatures and public-key cryptosystems","volume":"21","author":"Rivest","year":"1978","journal-title":"Commun. ACM"},{"key":"ref_8","unstructured":"Sikorski, M., and Honig, A. (2012). Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software, No Starch Press. 
[1st ed.]."},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"118","DOI":"10.1007\/3-540-48390-X_9","article-title":"Playing \u201chide and seek\u201d with stored keys","volume":"1648","author":"Shamir","year":"1999","journal-title":"Lect. Notes Comput. Sci."},{"key":"ref_10","unstructured":"(1999). Data Encryption Standard (DES), National Institute of Standards and Technology. FIPS Pub 46-3."},{"key":"ref_11","unstructured":"(2001). Advanced Encryption Standard (AES), National Institute of Standards and Technology. FIPS Pub 197."},{"key":"ref_12","unstructured":"Eilam, E. (2005). Reversing: Secrets of Reverse Engineering, Wiley."},{"key":"ref_13","unstructured":"VirusTotal. Available online: https:\/\/www.virustotal.com\/en\/."},{"key":"ref_14","unstructured":"PE iDentifier. Available online: http:\/\/www.peid.info."},{"key":"ref_15","unstructured":"Zimmerman, M.W. (1998). Microsoft Visual Basic 6.0: Programmer\u2019s Guide, Microsoft Press."},{"key":"ref_16","unstructured":"Pacheco, X. (2001). Borland Delphi 6 Developer\u2019s Guide, Sams."},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Barker, W.C., and Barker, E. (2012). Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, National Institute of Standards and Technology. NIST SP 800-67, Revision 1.","DOI":"10.6028\/NIST.SP.800-67r1"},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"267","DOI":"10.1007\/3-540-39118-5_24","article-title":"Fast data encipherment algorithm FEAL","volume":"304","author":"Shimizu","year":"1988","journal-title":"Lect. Notes Comput. Sci."},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"389","DOI":"10.1007\/3-540-46877-3_35","article-title":"A proposal for a new block encryption standard","volume":"473","author":"Lai","year":"2006","journal-title":"Lect. Notes Comput. 
Sci."},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1007\/3-540-58108-1_1","article-title":"SAFER K-64: A byte-oriented block-ciphering algorithm","volume":"809","author":"Massey","year":"1994","journal-title":"Lect. Notes Comput. Sci."},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"86","DOI":"10.1007\/3-540-60590-8_7","article-title":"The RC5 encryption algorithm","volume":"1008","author":"Rivest","year":"1995","journal-title":"Lect. Notes Comput. Sci."},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"229","DOI":"10.1007\/BFb0030364","article-title":"LOKI\u2013A cryptographic primitive for authentication and secrecy applications","volume":"453","author":"Brown","year":"1990","journal-title":"Lect. Notes Comput. Sci."},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"191","DOI":"10.1007\/3-540-58108-1_24","article-title":"Description of a new variable-length key, 64-bit block cipher (Blowfish)","volume":"809","author":"Schneier","year":"1994","journal-title":"Lect. Notes Comput. Sci."},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"272","DOI":"10.1007\/978-3-642-04138-9_20","article-title":"KATAN and KTANTAN\u2014A family of small and efficient hardware-oriented block ciphers","volume":"5747","author":"Dunkelman","year":"2009","journal-title":"Lect. Notes Comput. Sci."},{"key":"ref_25","unstructured":"OllyDbg. Available online: http:\/\/www.ollydbg.de\/."},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"200","DOI":"10.1007\/978-3-642-04444-1_13","article-title":"ReFormat: Automatic reverse engineering of encrypted messages","volume":"5789","author":"Wang","year":"2009","journal-title":"Lect. Notes Comput. Sci."},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Caballero, J., Poosankam, P., and Kreibich, C. (2009, January 10\u201312). Dispatcher: Enabling Active Botnet Infiltration Using Automatic Protocol Reverse-Engineering. 
Proceedings of the 2009 ACM Conference on Computer and Communications Security, Sydney, Australia.","DOI":"10.1145\/1653662.1653737"},{"key":"ref_28","unstructured":"Cho, C.Y., Caballero, J., Grier, C., Paxson, V., and Song, D. (2010, January 27). Insights from the Inside: A View of Botnet Management from Infiltration. Proceedings of the 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats, San Jose, CA, USA."},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"41","DOI":"10.1007\/978-3-642-23644-0_3","article-title":"Automated identification of cryptographic primitives in binary programs","volume":"6961","author":"Willems","year":"2011","journal-title":"Lect. Notes Comput. Sci."},{"key":"ref_30","unstructured":"Luk, C., Cohn, R.S., Muth, R., Patil, H., Klauser, A., Lowney, P.G., Wallace, S., Reddi, V.J., and Hazelwood, K.M. (2005, January 12\u201315). Pin: Building Customized Program Analysis Tools with Dynamic Instrumentation. Proceedings of the ACM SIGPLAN 2005 Conference on Programming Language Design and Implementation, Chicago, IL, USA."},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Calvet, J., Fernandez, J.M., and Marion, J. (2012, January 2\u20134). Aligot: Cryptographic Function Identification in Obfuscated Binary Programs. Proceedings of the ACM Conference on Computer and Communications Security, CCS \u201912, Seoul, Korea.","DOI":"10.1145\/2382196.2382217"},{"key":"ref_32","unstructured":"ASProtect. Available online: http:\/\/www.aspack.com\/asprotect.html."},{"key":"ref_33","unstructured":"Holz, T., Steiner, M., Dahl, F., Biersack, E., and Freiling, F.C. (2008, January 15). Measurements and Mitigation of Peer-to-Peer-Based Botnets: A Case Study on Storm Worm. Proceedings of the First USENIX Workshop on Large-Scale Exploits and Emergent Threats, San Francisco, CA, USA."},{"key":"ref_34","unstructured":"Levin, I., and Yarochkin, F. Draft Crypto Analyzer (DRACA). 
Available online: http:\/\/www.literatecode.com\/draca."},{"key":"ref_35","unstructured":"Krypto Analyzer (KANAL). Available online: http:\/\/www.peid.info."},{"key":"ref_36","unstructured":"Auriemma, L. Signsrch. Available online: http:\/\/aluigi.altervista.org\/mytoolz.htm."},{"key":"ref_37","unstructured":"Loki SnD Crypto Scanner. Available online: http:\/\/www.woodmann.com\/collaborative\/tools\/index.php\/SnD_Crypto_Scanner_(Olly\/Immunity_Plugin)."},{"key":"ref_38","doi-asserted-by":"crossref","first-page":"81","DOI":"10.1007\/3-540-57220-1_54","article-title":"HAVAL\u2014A One-way hashing algorithm with variable length of output","volume":"718","author":"Zheng","year":"1993","journal-title":"Lect. Notes Comput. Sci."},{"key":"ref_39","doi-asserted-by":"crossref","first-page":"17","DOI":"10.1007\/s001450010015","article-title":"How to protect DES against exhaustive key search (an analysis of DESX)","volume":"14","author":"Kilian","year":"2001","journal-title":"J. Cryptol."},{"key":"ref_40","unstructured":"Aoki, K., Ichikawa, T., Kanda, M., Matsui, M., Moriai, S., Nakajima, J., and Tokita, T. (2000). Specification of Camellia\u2013a 128-bit Block Cipher, Technical Report for Nippon Telegraph and Telephone Corporation."},{"key":"ref_41","unstructured":"IDA. 
Available online: https:\/\/www.hex-rays.com\/products\/ida\/index.shtml."}],"container-title":["Future Internet"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-5903\/5\/2\/140\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T21:46:23Z","timestamp":1760219183000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-5903\/5\/2\/140"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2013,4,25]]},"references-count":41,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2013,6]]}},"alternative-id":["fi5020140"],"URL":"https:\/\/doi.org\/10.3390\/fi5020140","relation":{},"ISSN":["1999-5903"],"issn-type":[{"type":"electronic","value":"1999-5903"}],"subject":[],"published":{"date-parts":[[2013,4,25]]}}}