- Apr 25, 2013
In our analysis, we had samples of both encrypted and plaintext versions of the same files. As the encryption was done by combining the keystream with the plaintext file using the XOR operation, we were able to recover the keystream used to encrypt those files by simply applying XOR between the encrypted file and the plaintext file. We tested this with several samples of the affected files we had and realized that the malware program uses the same keystream to encrypt all the files within the same infection. This was a cryptographic mistake on the malware author's part, as you should never use the keystream more than once.
Further analysis of the encrypted files also revealed that the malware program added 264 bytes of extra data to the end of each encrypted file, and that it only encrypts the first 2MB of the file, leaving the rest intact. If the size of the original file is less than 2MB and if the size is not a multiple of 16 bytes, the malware program leaves a few bytes from the end of the file unencrypted (file size modulo 16 to be exact). Only encrypting 2MB from the beginning of the file has probably been a conscious decision of the malware author, as it makes it faster to render more files unusable. At the same time it also makes recovering files much easier.
In practice this means that if you have both the original and the encrypted version of a single file that is over 2MB in size, the entire keystream can be recovered, which makes it possible to recover all your files encrypted by TorrentLocker.
The exact purpose of the extra 264 bytes that the malware program adds at the end of each file is still unknown, but it seems to be unique for each infection. As it is unique, it allowed us to write a software program that automatically recognizes which keystream has been used to encrypt the files. If the keystream is known then the program can automatically decrypt all the files.
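The recovery procedure described above, as an added example that is not from the quoted article or the authors' tool. It models the file layout exactly as the text describes it (XOR with a keystream over at most the first 2MB, rounded down to a 16-byte boundary for files under 2MB, plus a 264-byte per-infection trailer); the `simulate_encrypt` function is a constructed stand-in for the malware used only to produce test data, and the keystream, trailer and file contents are random bytes generated in the example. Recovery needs nothing but one plaintext/ciphertext pair; the trailer is then used, as the article says, to tell which infection (and therefore which keystream) a ciphertext belongs to. The example also handles the failure mode the text implies: a known file shorter than 2MB yields only a partial keystream, which cannot decrypt a larger file.

```python
"""Recover a reused XOR keystream from one known plaintext/ciphertext pair and
use it to decrypt other files from the same infection (defensive recovery)."""
import os

ENCRYPTED_PREFIX = 2 * 1024 * 1024   # only the first 2 MB of a file is encrypted
TRAILER_LEN = 264                    # bytes appended to every encrypted file
BLOCK = 16                           # files under 2 MB stop at a 16-byte boundary


def _xor(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (big-int trick keeps MB sizes fast)."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(len(a), "big")


def encrypted_length(size: int) -> int:
    """Number of leading bytes the malware encrypts in a file of `size` bytes."""
    if size >= ENCRYPTED_PREFIX:
        return ENCRYPTED_PREFIX
    return size - (size % BLOCK)     # size % 16 trailing bytes stay plaintext


def simulate_encrypt(plaintext: bytes, keystream: bytes, trailer: bytes) -> bytes:
    """Constructed model of the encrypted file format; NOT the malware's code."""
    n = encrypted_length(len(plaintext))
    return _xor(plaintext[:n], keystream[:n]) + plaintext[n:] + trailer


def recover_keystream(plaintext: bytes, ciphertext: bytes):
    """Return (keystream_prefix, trailer) from one known plaintext/ciphertext pair.

    The keystream is as long as the encrypted prefix of the known file, so a known
    file of at least 2 MB yields the complete keystream."""
    body, trailer = ciphertext[:-TRAILER_LEN], ciphertext[-TRAILER_LEN:]
    if len(body) != len(plaintext):
        raise ValueError("ciphertext is not plaintext length + 264-byte trailer")
    n = encrypted_length(len(plaintext))
    if body[n:] != plaintext[n:]:
        raise ValueError("unencrypted tail differs; not a ciphertext of this file")
    return _xor(plaintext[:n], body[:n]), trailer


def decrypt(ciphertext: bytes, keystream: bytes, trailer: bytes) -> bytes:
    """Decrypt one file with a recovered keystream; the trailer must match."""
    body, tail = ciphertext[:-TRAILER_LEN], ciphertext[-TRAILER_LEN:]
    if tail != trailer:
        raise ValueError("trailer does not match this infection")
    n = encrypted_length(len(body))
    if n > len(keystream):
        raise ValueError("recovered keystream shorter than this file's encrypted prefix")
    return _xor(body[:n], keystream[:n]) + body[n:]


def decrypt_with_catalog(ciphertext: bytes, catalog: dict) -> bytes:
    """Pick the keystream by the file's trailer from {trailer: keystream}."""
    tail = ciphertext[-TRAILER_LEN:]
    if tail not in catalog:
        raise KeyError("no keystream recovered for this infection's trailer")
    return decrypt(ciphertext, catalog[tail], tail)


def demo() -> dict:
    """End-to-end run on constructed random data; returns per-case outcomes."""
    keystream = os.urandom(ENCRYPTED_PREFIX)         # constructed infection keystream
    trailer = os.urandom(TRAILER_LEN)                # constructed per-infection marker
    known_plain = os.urandom(ENCRYPTED_PREFIX + 4096)  # > 2 MB: full keystream recoverable
    ks, marker = recover_keystream(known_plain, simulate_encrypt(known_plain, keystream, trailer))
    catalog = {marker: ks}

    small = os.urandom(1000)                         # 1000 % 16 == 8 bytes left plaintext
    big = os.urandom(3 * 1024 * 1024)                # only first 2 MB encrypted
    results = {
        "full_keystream": ks == keystream and marker == trailer,
        "small": decrypt_with_catalog(simulate_encrypt(small, keystream, trailer), catalog) == small,
        "big": decrypt_with_catalog(simulate_encrypt(big, keystream, trailer), catalog) == big,
    }

    # Edge case: a known pair under 2 MB gives only a partial keystream, which is
    # enough for files no longer than it but not for a larger file.
    short_plain = os.urandom(100_000)
    partial_ks, _ = recover_keystream(short_plain, simulate_encrypt(short_plain, keystream, trailer))
    results["partial_len"] = len(partial_ks)
    try:
        decrypt(simulate_encrypt(big, keystream, trailer), partial_ks, trailer)
        results["partial_rejected"] = False
    except ValueError:
        results["partial_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Because the same keystream is reused across every file in an infection, one recovered keystream in the catalog decrypts all files carrying that infection's trailer; a file whose trailer is unknown is refused rather than guessed at.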
Full Article