Cryptovirology: the use of cryptography in virus attacks

Cryptovirology: Extortion-based security threats and countermeasures by Adam Young and Moti Yung

Overview of talk
Introduce

cryptovirology Background on viruses High survivability viruses Cryptovirus Types of attacks

Extortion Information extortion Secret sharing virus in a distributed system
Conclusion

Cryptovirology what is it?

Study

of applications of cryptography to computer viruses How to use crypto tools as weapons in virus attacks Crypto has good intentions in mind
Typically associated with improving systems / user security We will see that certain cryptographic tools can be used to degrade security

Background on viruses
Trojan

Virus

Program within another program executing commands without the owners knowledge Defense: confine programs into small domains with rights appropriate to their intended use Program that can infect other programs by modifying them to include a, possibly evolved, copy of itself Typically perform some disturbing / annoying actions Virus that creates offspring with object code different from that of its parent Developed in response to how virus scanners work (identify viruses by searching for identifying strings)

horse

Polymorphic

virus

Properties of a virus
1) 2)

Consume CPU time and occupy space Need to modify code in host system
Such as to gain control of the program

3)

Are vulnerable to user analysis

System can be frozen and virus can be dissected Potentially allowing for recovery by victim

With cryptoviruses, we will bypass the 3rd property

How viruses attach

Virus Code

Virus Code

Original program

Original program

High survivability (HS) virus

Attempt

to make the infected host dependent on the virus

Survival of virus depends on survival of host If user wants to rid his machine of the virus, he will lose access to the infected resource If this resource is vital to operation of system, then user loses access to system

No

such virus has been created yet

Can devise an approximation to HS

Approximation to HS virus
Very

difficult to construct a pure HS virus

It needs to gain access to data without being detected Needs to be immune to all user analysis Left as an open problem
Approximation

Virus effects can only be removed by virus author (so it is survivable) Based on computational intractable problem Virus has public key, author has private key

Cryptographical attack
Definition:

A denial of service attack using public key cryptosystems performed by a crypto virus/trojan

Attack

Cryptovirus

Computer virus that uses a public key generated by the virus author to encrypt data that resides on the host system The data can only be restored by the virus author (assuming no backup exists) Is survivable

Setting for a DoS cryptoattack

1) 2) 3)

Encrypt data on host using some public key cryptosystem Notify user of attack and demand that he contact the virus author Author demands a ransom in return of the private (decryption) key User either:
Pays ransom, retrieves data Denies ransom, loses data Has a backup, ignores ransom

Corresponds to Extortion

Problems and Solution (from authors perspective)

Problems
Cannot free one victim (reveal private key) without possibly freeing all victims
Victim

could publish decryption key

Decryption of data using public key crypto is slow

Solution
Hybrid cryptosystem: combine public and secret key crypto schemes Encrypt data using symmetric crypto scheme (with a session key) Encrypt session key using public crypto scheme Private key is never revealed

Why not simply use a symmetric cryptoscheme?

Specs for attack

Cryptovirus

will need access to:

Random number generator -> random session key Random seed generator -> Initialization Vector (IV)
Notations

Ks = random session key IV = random IV M = {IV, Ks} = plaintext M = {m}Kz = ciphertext

Kz = public key Kw = secret key z = virus w = virus author

Basic Extortion Attack

1)

Encrypt data D using session key (symmetric) D = {D}Ks Delete D Create M = {IV, Ks}Kz Notify host/victim display M and contact info Victim gives M and ransom to virus author Author decrypts: D(M )= M = {IV, Ks} and sends M to victim

2) 3) 4) 5)

Information extortion attack

Idea:

Attacker will force victim to reveal some desired information H

Attacker will be able to verify the authenticity of H

Attack

is only successful if the cryptovirus can attack critical information for which no backup exists can

Attack

Extort information Be used as tool for espionage and information warfare

Information extortion attack continued

Extension: create checksum of the file to be requested (through extortion) Virus looks for critical data D and desired data H Virus encrypts: D = {D}Ks Checksum: ChkSum = checksum(D, IV, Ks) Plaintext: m = {ChkSum, IV, Ks} Ciphertext: m = {m}Kz Notify user: Display m and request for H Virus author gets H, compares ChkSum, frees victim

Information attack = $
If

electronic money is implemented

Virus searches for e-money notes and encrypts them Demand half the money

If

victim had previously encrypted e-money

Does not help: virus encrypted e-notes are useless Assumes that no e-money revocation system exists

This

information attack translates directly into the loss of $ to the victim

Secret Sharing Virus

Setting:

Distributed System Virus will manage private key (instead of author)

Subject to user analysis
Approach

Consider the host to consist of the entire network Use distributed environment to hide the key in virus copies (each node)
Cannot

store entire key in single node access control between network nodes

User of that node could potentially retrieve the key

Assume

Nodes dont have access to each others data

Secret sharing scheme continued

El

Gamal based secret sharing

Large prime: Generator: Private exponent: Public residue: p g x y = gx mod p

Each

Knows: p, g Creates: xi, yi = gXi mod p Will collaborate to create encryption and decryption keys
Y

instance of virus

= encryption, X = decryption

Encryption / Decryption in Secret Sharing Scheme

Encryption
Each virus publishes its yi anonymously over a public channel (bulletin board) Each virus then reads public channel and computes: Encryption Key = Y = y1 * y2 * * ym (mod p)

Decryption
Each virus reveals their secret xi Decryption key = X = x1 + x2 + + xm (mod p 1) Note: shared decryption is now revealed

Each virus can encrypt data on host

Need to notify host to avoid deletion of single virus

Stealing Attack

Securely steal information from a remote location Depend on spread of virus as the communication medium How it works
Virus encrypts data D = D Virus appends D to itself Do not notify the user Kills any ancestor that does not have D Lucky virus author will encounter virus offspring with D and decrypt it

Why not just post information online as in the secret sharing virus?

A few things to note

Virus

only needs to have access to cryptographic tools

Does not necessarily need to have tools implemented in its code Use OS functions such as provided by Microsofts Cryptographic API This means that the virus writer need not fully understand cryptography to create virus

Preventions against cryptoattacks?

Anti-virus

software

Cryptoviruses propagate in the same way as traditional viruses Same detection methods apply
Access

control to cryptographic tools

If strong crypto ciphers and random number generators are available to user processes, then they are available to viruses

Conclusion
We

have seen that cryptographic tools can be used to create a new class of viruses: cryptoviruses need not be aware of underlying cryptography use available functions the virus writer an extortion method

Author

Gives

Authors:

better to make attacks publicly known than to wait for attacks to occur