Threat Research

Symbian malware uses a 91-byte XOR key

By Axelle Apvrille | November 08, 2011

It's high time the Crypto Girl talks about Crypto, isn't it?

A few days ago, I analyzed a malicious Opera Updater, named SymbOS/OpFake.A!tr.dial, and was surprised to discover it uses a **91-byte XOR key** to conceal one of its configuration files. 91 bytes?! Yes, bytes, so 728 bits. This is quite a lot. AES only uses keys up to 256 bits, though I do not mean AES would be less secure than this XOR. But it is a first for mobile malware, where we had only seen XOR used with a single-byte key. Have a look at the disassembled decryption routine below.

Actually, this is another confirmation of my talk at RSA Conference Europe, where I explained that 1-byte key XOR encryption is still very popular among malware authors but that they are gradually shifting to more complicated algorithms. I had meant algorithms such as AES ;) but a 91-byte key for XOR is another way of complicating things... Feel free to check my slides or the demo video below.

Fortunately, for SymbOS/OpFake.A!tr.dial, the key was provided at the beginning of the encrypted file. First the key length (0x5b = 91), then the key, then the ciphertext.
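The layout just described (length byte, key, ciphertext) is easy to turn into a decoder for analysis. The code below is an added example and not from the original post or the malware; it assumes the key is applied cyclically (repeating-key XOR), and the blob it decodes is constructed here for illustration.

```python
# Added example: decode a configuration blob laid out as described for
# SymbOS/OpFake.A!tr.dial: one key-length byte, the XOR key, then the ciphertext.
# Assumption: the key repeats every len(key) bytes (repeating-key XOR).
import itertools


def parse_blob(blob: bytes) -> tuple[bytes, bytes]:
    """Split a blob into (key, ciphertext) using the leading key-length byte."""
    if not blob:
        raise ValueError("empty blob")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len:
        raise ValueError(f"truncated blob: declared key length {key_len}, "
                         f"only {len(blob) - 1} bytes follow")
    return blob[1:1 + key_len], blob[1 + key_len:]


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data against a key that wraps around every len(key) bytes."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def decrypt_blob(blob: bytes) -> bytes:
    """Recover the plaintext from a self-keyed blob."""
    key, ciphertext = parse_blob(blob)
    return xor_repeating(ciphertext, key)


def build_blob(plaintext: bytes, key: bytes) -> bytes:
    """Inverse operation, used here only to construct a sample blob."""
    if not 1 <= len(key) <= 255:
        raise ValueError("key length must fit in one byte")
    return bytes([len(key)]) + key + xor_repeating(plaintext, key)


# Constructed sample (not real malware data): a 91-byte key (0x5b), as in the
# post, over a fake configuration long enough for the key to wrap around.
SAMPLE_KEY = bytes((i * 37 + 11) & 0xFF for i in range(91))
SAMPLE_CONFIG = b"setting=PLACEHOLDER;interval=60;\n" * 4
SAMPLE_BLOB = build_blob(SAMPLE_CONFIG, SAMPLE_KEY)

if __name__ == "__main__":
    key, _ = parse_blob(SAMPLE_BLOB)
    print(f"key length byte: 0x{SAMPLE_BLOB[0]:02x} ({len(key)} bytes)")
    print(decrypt_blob(SAMPLE_BLOB).decode())
```

Because the key travels with the file, nothing needs to be brute-forced or guessed; the scheme only hides the configuration from casual inspection.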

-- the Crypto Girl

References: F-Secure's blog post on OpFake
