A Survey of XOR as a Digital Obfuscation Technique in a Corpus of Real Data

Abstract

To determine how widely XOR is used, and whether additional tools need to be adapted to it, we analyzed 2,411 drive images from devices acquired around the world for the use of bytewise XOR as an obfuscation technique. Using a modified version of the open source digital forensics tool bulk extractor, evidence of XOR obfuscation was found on 698 drive images, with a maximum of 21,031 XOR-obfuscated features on a single drive. XOR usage in our corpus was observed in files with timestamps between the years 1995 and 2009, but most of the usage was found in unallocated space. On the corpus tested, XOR obfuscation was used to circumvent malware detection and reverse engineering, to hide information that was apparently being exfiltrated, and by malware detection tools for their quarantine directories and to distribute malware signatures. We conclude that XOR obfuscation is important to consider when performing malware investigations.

Document Details

Document Type
Technical Report
Publication Date
Jan 17, 2014
Accession Number
ADA592678

Entities

People

  • Aubin Heffernan
  • Carolina Zarate
  • Kyle Gorak
  • Scott Horras
  • Simson Garfinkel

Organizations

  • Naval Postgraduate School

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Algorithms
  • Anti-Virus Software
  • Coding
  • Computational Forensics
  • Computer Programs
  • Computer Science
  • Computers
  • Cryptography
  • Data Sets
  • Department Of Defense
  • Detection
  • Digital Media
  • Electronic Mail
  • Engineering
  • Malware
  • Reverse Engineering
  • Word Processors

Fields of Study

  • Computer science

Readers

  • Computer Vision
  • Cybersecurity

Technology Areas

  • Cyber
  • Space
  • Space - Spacecraft Maneuvers