Cryptovirology
Encyclopedia
Cryptovirology is a field that studies how to use cryptography
to design powerful malicious software
. The field was born with the observation that public-key cryptography
can be used to break the symmetry between what an antivirus analyst sees regarding a virus and what the virus writer sees. The former only sees a public key whereas the latter sees a public key and corresponding private key. The first attack that was identified in the field is called "cryptoviral extortion". In this attack a virus
, worm
, or trojan
hybrid encrypts the victim's files and the user must pay the malware author to receive the needed session key (which is encrypted under the author's public key that is contained in the malware) if the user does not have backups and needs the files back.
The field also encompasses covert attacks in which the attacker secretly steals private information such as private keys. An example of the latter type of attack are asymmetric backdoors. An asymmetric backdoor is a backdoor (e.g., in a cryptosystem) that can be used only by the attacker, even after it is found. This contrasts with the traditional backdoor that is symmetric, i.e., anyone that finds it can use it. Kleptography
, a subfield of cryptovirology, is concerned with the study of asymmetric back doors in key generation algorithms, digital signature algorithms, key exchanges, and so on.
of viruses' and packers' encryptors. Also included is the study of cryptography-based techniques (such as "delayed code") developed by malware writers to hamper malware analysis.
A "questionable encryption scheme", which was introduced by Young and Yung, is an attack tool in cryptovirology. Informally speaking, a questionable encryption scheme is a public key cryptosystem (3-tuple of algorithms) with two supplementary algorithms, forming a 5-tuple of algorithms. It includes a deliberately bogus yet carefully designed key pair generation algorithm that produces a "fake" public key. The corresponding private key (witness of non-encryption) cannot be used to decipher data "encrypted" using the fake public key. By supplying the key pair to an efficient verification predicate (the 5th algorithm in the 5-tuple) it is proven whether the public key is real or fake. When the public key is fake, it follows that no one can decipher data "enciphered" using the fake public key. A questionable encryption scheme has the property that real public keys are computationally indistinguishable from fake public keys when the private key is not available. The private key forms a poly-sized
witness of decipherability or indecipherability, whichever may be the case.
An application of a questionable encryption scheme is a trojan
that gathers plaintext
from the host, "encrypts" it using the trojan's own public key (which may be real or fake), and then exfiltrates the resulting "ciphertext". In this attack it is thoroughly intractable to prove that data theft has occurred. This holds even when all core dumps of the trojan and all the information that it broadcasts is entered into evidence. An analyst that jumps to the conclusion that the trojan "encrypts" data risks being proven wrong by the malware author (e.g., anonymously).
When the public key is fake, the attacker gets no plaintext from the trojan. So what's the use? A spoofing attack
is possible in which some trojans are released that use real public keys and steal data and some trojans are released that use fake public keys and do not steal data. Many months after the trojans are discovered and analyzed, the attacker anonymously posts the witnesses of non-encryption for the fake public keys. This proves that those trojans never in fact exfiltrated data. This casts doubt on the true nature of future strains of malware that contain such "public keys", since the keys could be real or fake. This attack implies a fundamental limitation on proving data theft.
There are many other attacks in the field of cryptovirology that are not mentioned here.
. For example, the tremor virus used polymorphism as a defensive technique in an attempt to avoid detection by anti-virus software. Though cryptography does assist in such cases to enhance the longevity of a virus, the capabilities of cryptography are not used in the payload. The One-half virus was amongst the first viruses known to have encrypted affected files. However, the One_half virus was not ransomware
, that is it did not demand any ransom for decrypting the files that it has encrypted. It also did not use public key cryptography.
An example of a virus that informs the owner of the infected machine to pay a ransom is the virus nicknamed Tro_Ransom.A. This virus asks the owner of the infected machine to send $10.99 to a given account through Western Union
.
Virus.Win32.Gpcode.ag is a classic cryptovirus. This virus partially uses a version of 660-bit RSA and encrypts files with many different extensions. It instructs the owner of the machine to email a given mail ID if the owner desires the decryptor. If contacted by email, the user will be asked to pay a certain amount as ransom in return for the decryptor.
s such as random number generators, proper recommended cipher text chaining modes etc. are necessary. Wrong choices can lead to poor cryptographic strength. So, usage of preexisting routines would be ideal. Microsoft
's Cryptographic API (CAPI), is a possible tool for the same. It has been demonstrated that using just 8 different calls to this API, a cryptovirus can satisfy all its encryption needs.
used with private information retrieval
and used in secure communication between different instances of a distributed cryptovirus.
Cryptography
Cryptography is the practice and study of techniques for secure communication in the presence of third parties...
to design powerful malicious software
Malware
Malware, short for malicious software, consists of programming that is designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, or gain unauthorized access to system resources, or that otherwise exhibits abusive behavior...
. The field was born with the observation that public-key cryptography
Public-key cryptography
Public-key cryptography refers to a cryptographic system requiring two separate keys, one to lock or encrypt the plaintext, and one to unlock or decrypt the cyphertext. Neither key will do both functions. One of these keys is published or public and the other is kept private...
can be used to break the symmetry between what an antivirus analyst sees regarding a virus and what the virus writer sees. The former only sees a public key whereas the latter sees a public key and corresponding private key. The first attack that was identified in the field is called "cryptoviral extortion". In this attack a virus
Computer virus
A computer virus is a computer program that can replicate itself and spread from one computer to another. The term "virus" is also commonly but erroneously used to refer to other types of malware, including but not limited to adware and spyware programs that do not have the reproductive ability...
, worm
Computer worm
A computer worm is a self-replicating malware computer program, which uses a computer network to send copies of itself to other nodes and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a computer virus, it does not need to attach...
, or trojan
Trojan horse (computing)
A Trojan horse, or Trojan, is software that appears to perform a desirable function for the user prior to run or install, but steals information or harms the system. The term is derived from the Trojan Horse story in Greek mythology.-Malware:A destructive program that masquerades as a benign...
hybrid encrypts the victim's files and the user must pay the malware author to receive the needed session key (which is encrypted under the author's public key that is contained in the malware) if the user does not have backups and needs the files back.
The field also encompasses covert attacks in which the attacker secretly steals private information such as private keys. An example of the latter type of attack are asymmetric backdoors. An asymmetric backdoor is a backdoor (e.g., in a cryptosystem) that can be used only by the attacker, even after it is found. This contrasts with the traditional backdoor that is symmetric, i.e., anyone that finds it can use it. Kleptography
Kleptography
Kleptography is the study of stealing information securely and subliminally. Kleptography is a subfield of cryptography and cryptovirology, and is a natural extension of the theory of subliminal channels that was pioneered by Gus Simmons...
, a subfield of cryptovirology, is concerned with the study of asymmetric back doors in key generation algorithms, digital signature algorithms, key exchanges, and so on.
General information
Cryptovirology was born in academia. However, practitioners have recently expanded the scope of the field to include the analysis of cryptographic algorithms used by malware writers, attacks on these algorithms using automated methods (such as X-raying) and analysisof viruses' and packers' encryptors. Also included is the study of cryptography-based techniques (such as "delayed code") developed by malware writers to hamper malware analysis.
A "questionable encryption scheme", which was introduced by Young and Yung, is an attack tool in cryptovirology. Informally speaking, a questionable encryption scheme is a public key cryptosystem (3-tuple of algorithms) with two supplementary algorithms, forming a 5-tuple of algorithms. It includes a deliberately bogus yet carefully designed key pair generation algorithm that produces a "fake" public key. The corresponding private key (witness of non-encryption) cannot be used to decipher data "encrypted" using the fake public key. By supplying the key pair to an efficient verification predicate (the 5th algorithm in the 5-tuple) it is proven whether the public key is real or fake. When the public key is fake, it follows that no one can decipher data "enciphered" using the fake public key. A questionable encryption scheme has the property that real public keys are computationally indistinguishable from fake public keys when the private key is not available. The private key forms a poly-sized
Polynomial
In mathematics, a polynomial is an expression of finite length constructed from variables and constants, using only the operations of addition, subtraction, multiplication, and non-negative integer exponents...
witness of decipherability or indecipherability, whichever may be the case.
An application of a questionable encryption scheme is a trojan
Trojan horse (computing)
A Trojan horse, or Trojan, is software that appears to perform a desirable function for the user prior to run or install, but steals information or harms the system. The term is derived from the Trojan Horse story in Greek mythology.-Malware:A destructive program that masquerades as a benign...
that gathers plaintext
Plaintext
In cryptography, plaintext is information a sender wishes to transmit to a receiver. Cleartext is often used as a synonym. Before the computer era, plaintext most commonly meant message text in the language of the communicating parties....
from the host, "encrypts" it using the trojan's own public key (which may be real or fake), and then exfiltrates the resulting "ciphertext". In this attack it is thoroughly intractable to prove that data theft has occurred. This holds even when all core dumps of the trojan and all the information that it broadcasts is entered into evidence. An analyst that jumps to the conclusion that the trojan "encrypts" data risks being proven wrong by the malware author (e.g., anonymously).
When the public key is fake, the attacker gets no plaintext from the trojan. So what's the use? A spoofing attack
Spoofing attack
In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage.- Spoofing and TCP/IP :...
is possible in which some trojans are released that use real public keys and steal data and some trojans are released that use fake public keys and do not steal data. Many months after the trojans are discovered and analyzed, the attacker anonymously posts the witnesses of non-encryption for the fake public keys. This proves that those trojans never in fact exfiltrated data. This casts doubt on the true nature of future strains of malware that contain such "public keys", since the keys could be real or fake. This attack implies a fundamental limitation on proving data theft.
There are many other attacks in the field of cryptovirology that are not mentioned here.
Examples of viruses with cryptography and ransom capabilities
While viruses in the wild have used cryptography in the past, the only purpose of such usage of cryptography was to avoid detection by antivirus softwareAntivirus software
Antivirus or anti-virus software is used to prevent, detect, and remove malware, including but not limited to computer viruses, computer worm, trojan horses, spyware and adware...
. For example, the tremor virus used polymorphism as a defensive technique in an attempt to avoid detection by anti-virus software. Though cryptography does assist in such cases to enhance the longevity of a virus, the capabilities of cryptography are not used in the payload. The One-half virus was amongst the first viruses known to have encrypted affected files. However, the One_half virus was not ransomware
Ransomware (malware)
Ransomware is computer malware which holds a computer system, or the data it contains, hostage against its user by demanding a ransom for its restoration.- Operation :...
, that is it did not demand any ransom for decrypting the files that it has encrypted. It also did not use public key cryptography.
An example of a virus that informs the owner of the infected machine to pay a ransom is the virus nicknamed Tro_Ransom.A. This virus asks the owner of the infected machine to send $10.99 to a given account through Western Union
Western Union
The Western Union Company is a financial services and communications company based in the United States. Its North American headquarters is in Englewood, Colorado. Up until 2006, Western Union was the best-known U.S...
.
Virus.Win32.Gpcode.ag is a classic cryptovirus. This virus partially uses a version of 660-bit RSA and encrypts files with many different extensions. It instructs the owner of the machine to email a given mail ID if the owner desires the decryptor. If contacted by email, the user will be asked to pay a certain amount as ransom in return for the decryptor.
Creation of cryptoviruses
To successfully write a cryptovirus, a thorough knowledge of the various cryptographic primitiveCryptographic primitive
Cryptographic primitives are well-established, low-level cryptographic algorithms that are frequently used to build computer security systems. These routines include, but are not limited to, one-way hash functions and encryption functions.- Rationale :...
s such as random number generators, proper recommended cipher text chaining modes etc. are necessary. Wrong choices can lead to poor cryptographic strength. So, usage of preexisting routines would be ideal. Microsoft
Microsoft
Microsoft Corporation is an American public multinational corporation headquartered in Redmond, Washington, USA that develops, manufactures, licenses, and supports a wide range of products and services predominantly related to computing through its various product divisions...
's Cryptographic API (CAPI), is a possible tool for the same. It has been demonstrated that using just 8 different calls to this API, a cryptovirus can satisfy all its encryption needs.
Other uses of cryptography enabled malware
Apart from cryptoviral extortion, there are other potential uses of cryptoviruses. They are used in deniable password snatching, used with cryptocounters,used with private information retrieval
Private information retrieval
In cryptography, a private information retrieval protocol allows a user to retrieve an item from a server in possession of a database without revealing which item they are retrieving...
and used in secure communication between different instances of a distributed cryptovirus.
External links
- Cryptovirology Labs - site to discuss about malware development and cryptovirology, contains weekly videos, site maintained by "xor"
- Cryptovirology Labs - site maintained by Adam Young and Moti Yung
- Cryptography and cryptovirology articles at VX Heavens
- Cryzip Trojan Encrypts Files, Demands Ransom
- Can a virus lead an enterprise to court?
- A student report entitled Superworms and Cryptovirology
- Next Virus Generation: an Overview (cryptoviruses) by Angelo P. E. Rosiello