Most typical modern malware variants tend to hide critical parts of their functionality (strings, URLs/IPs of their dodgy servers, etc.) using some form of encryption. In most cases only trivial algorithms are used. However, these suffice, as the intention is usually not to create unbreakable encryption, but merely to obscure the malicious intent from anti-virus engines.
Although some authors choose to cloak their malware in complete paranoia, such as the ZBot family, which encrypts everything with an industry-standard RC4 implementation and enormously long keys, you would typically not find anything more serious (such as AES or Blowfish) even in the most complex polymorphic viruses.
The overwhelmingly most common method of string encryption is an XOR operation with a key. A big appeal of this technique is that the same simple operation performs both the encryption and the subsequent decryption of the data, i.e. E[i] = (E[i] Xor Key) Xor Key.
But sometimes it is not just simple, it is even simpler than that: there is no need for ANY decryption key to decrypt the data!
While analyzing one of the recent samples, I found a very curious encrypted string (hexadecimal representation):
67 02 11 17 0C 01 08 0F 0E 49 5E 18 18
The line above contains one single encrypted string. You don’t need any additional key to decrypt it: everything required is available in the data itself, using a very simple algorithm. The decrypted string is:
67 65 74 63 6F 6E 66 69 67 2E 70 68 70 ; getconfig.php
To recover the string from the original, each byte is decoded by XORing it with the previous, already decoded byte (the first byte is not encrypted); so:
0x67 xor 0x02 = 0x65 (“e”), 0x65 xor 0x11 = 0x74 (“t”), …
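The chained-XOR scheme described above, as an added example that is not code from the original post or from the malware sample: a decoder (each output byte is the XOR of the encrypted byte with the previous decoded byte), the matching encoder, and a small printable-ASCII check an analyst can use to triage candidate blobs. The byte string is the one quoted in the post; the helper names are my own.

```python
# Chained-XOR (prefix-XOR) string obfuscation with no key.
#   Encryption: E[0] = P[0],  E[i] = P[i] ^ P[i-1]
#   Decryption: P[0] = E[0],  P[i] = E[i] ^ P[i-1]
# Because P[i-1] is the byte just recovered, no key is needed to decode.

def chained_xor_decode(data: bytes) -> bytes:
    """Recover the plaintext from a chained-XOR encoded byte string."""
    out = bytearray()
    prev = 0                 # P[-1] is taken as 0, so the first byte passes through
    for b in data:
        prev ^= b            # prev now holds P[i] = E[i] ^ P[i-1]
        out.append(prev)
    return bytes(out)


def chained_xor_encode(plain: bytes) -> bytes:
    """Produce the encoded form (useful to confirm an analysis of the scheme)."""
    out = bytearray()
    prev = 0
    for b in plain:
        out.append(b ^ prev)  # E[i] = P[i] ^ P[i-1]
        prev = b
    return bytes(out)


def is_printable_ascii(data: bytes) -> bool:
    """Cheap triage filter: a correct decode of a string usually yields printable ASCII."""
    return len(data) > 0 and all(0x20 <= b <= 0x7E for b in data)


def decode_hex_dump(dump: str) -> bytes:
    """Decode a space-separated hex dump as printed in analysis notes."""
    return chained_xor_decode(bytes.fromhex(dump))


# Encrypted string quoted in the post (hex dump, constructed here as a literal).
SAMPLE_HEX = "67 02 11 17 0C 01 08 0F 0E 49 5E 18 18"

if __name__ == "__main__":
    decoded = decode_hex_dump(SAMPLE_HEX)
    print(decoded.decode("ascii"), is_printable_ascii(decoded))   # getconfig.php True
```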
Brilliantly simple, although this will not stop Sophos from detecting it (Troj/Agent-OFC).
PS: Other strings from this malware that use this encryption technique include:
ntd11.dll ; (sic)
Error setting admin rights
… and so on (about ~100 different strings)