The Latest in IT Security

Symbian malware uses a 91-byte XOR key


It’s high time the Crypto Girl talks about Crypto, isn’t it?

A few days ago, I analyzed a malicious Opera Updater, named SymbOS/OpFake.A!tr.dial, and was surprised to discover it uses a 91-byte XOR key to conceal one of its configuration file. 91 bytes?! Yes, bytes, so 728 bits. This is quite a lot. AES only uses keys up to 256 bits, though I do not mean it would be less secure than this XOR. But it is a first for mobile malware where we had only seen XOR used with a single byte key. Have a look at the disassembled decryption routine below.

Actually, this is another confirmation to my talk at RSA Conference Europe, where I explained that 1-byte key XOR encryption is still very popular among malware authors but that they are gradually shifting to more complicated algorithms. Actually, I had meant algorithms such as AES 😉 but a 91-byte key for XOR is another way of complicating things… Feel free to check my slides or the demo video below.

Fortunately, for SymbOS/OpFake.A!tr.dial, the key was provided at the beginning of the encrypted file. First the key length (0x5b = 91), then the key, then the ciphertext.

– the Crypto Girl

References: F-Secure’s blog post on OpFake

Leave a reply


TUESDAY, MAY 26, 2020

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments