A Survey of XOR as a Digital Obfuscation Technique in a Corpus of Real Data
Authors
Zarate, Carolina
Garfinkel, Simson L.
Heffernan, Aubin
Gorak, Kyle
Horras, Scott
Subjects
Advisors
Date of Issue
2014-01-17
Date
Publisher
Monterey, California. Naval Postgraduate School
Language
en_US
Abstract
To determine how widely XOR is used and whether additional tools need to be adapted, we analyzed 2,411 drive images from devices acquired around the world for the use of bytewise XOR as an obfuscation technique. Using a modified version of the open source digital forensics tool bulk_extractor, evidence of XOR obfuscation was found on 698 drive images, with a maximum of 21,031 XOR-obfuscated features on a single drive. XOR usage in our corpus was observed in files with timestamps between the years 1995 and 2009, but the majority of uses were found in unallocated space. On the corpus tested, XOR obfuscation was used to circumvent malware detection and reverse engineering, to hide information that was apparently being exfiltrated, and by malware detection tools for their quarantine directories and to distribute malware signatures. We conclude that XOR obfuscation is important to consider when performing malware investigations.
Type
Technical Report
Description
Series/Report No
Department
Computer Science
Identifiers
NPS Report Number
NPS-CS-13-005
Sponsors
The Department of the Navy
Funder
Format
Citation
Distribution Statement
Approved for public release; distribution is unlimited.
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.