Friday, 28 September 2012

CRYPTO VIROLOGY: A MARRIAGE OF COMPUTER VIRUSES AND CRYPTOGRAPHY (paper presentation)

Cryptovirology: A Marriage of Computer Viruses and Cryptography

Introduction

When the internet was in its infancy, the security and privacy of transmitted data were afterthoughts to the close-knit academic community that was pioneering what would one day be the most important communications system on the planet. As the internet spread its web around the world, keeping private data actually private in transit became a bigger and bigger issue, and the best place to look for a solid answer was the old mathematical standby of cryptography. For centuries it had been used as a defensive means to ensure that communications meant to be private did indeed stay that way over long distances. With the power of high-performance encryption techniques and the then revolutionary concept of public and private keys, new cryptographic methods could also make such data almost unbreakable, and thus ensure data security.
Yet as much of a blessing as cryptography is to internet communications, anything as powerful as modern encryption techniques can of course be harnessed in malicious ways by anyone with the right set of tools and knowledge, more specifically virus writers. The marriage of cryptography (a field of study used, like antivirus software, for defense against outsiders) and computer virology (malicious software) was inevitable. To fully understand the field of cryptovirology (the study of viruses that implement cryptographic techniques), one must first understand the basics of cryptography and computer virology. This paper will first give a brief overview of cryptography as it pertains to the internet and the computer age, then a brief history and overview of computer viruses, the basics of cryptovirology, and measures you can take to prevent cryptovirological attacks on your networks.

Cryptography and the Computer

For cryptography to work, one must first encrypt the data by some means. The message is then delivered and decoded on the other side by the receiving party; traditionally this was done with symmetric-key coding, which dates back to the days of the Roman Empire (Informatics, 2007). Symmetric-key coding requires, however, that a previously agreed decryption key be delivered to both parties so that they can decrypt incoming messages. These keys can change as often as one likes, provided that each user is using the right decryption scheme at the same time. This is dangerous because the same key is used for both encryption and decryption of the same message: should it fall into unwanted hands, along with your code scheme book, your information is quickly decrypted and read (Ryan, 2007). Code breaking of this kind took place heavily in World War II. Nazi Germany had become far advanced in wartime cryptography when it developed the Enigma machine.
The Enigma machine made use of electro-mechanical polyalphabetic ciphers, which were extremely hard to break unless used in conjunction with the code books. When books and machines were eventually captured by Allied forces, the decrypted messages led to great tactical advantages against the Axis, and this was perhaps one of the biggest factors in the eventual Allied victory (Sale, 2007). After World War II the age of the computer began, and with it the capacity to make and break symmetric codes faster, in more complex forms, and more efficiently than ever before. However, with more complex codes came even more complex key management systems. With communications spreading around the world on the predecessor to the internet (ARPANET), finding efficient and secret ways of privately distributing these keys was a problem as well. Whitfield Diffie and Martin Hellman helped solve this problem in 1970 with their paper discussing the then revolutionary idea of public key cryptography (Informatics, 2007). Instead of using just one private key to decrypt messages, a pair of keys is used. The private key remains secret and the public key is distributed. The private and public keys are related mathematically; however, the private key cannot be derived from the public key. Data encrypted with a public key cannot be decrypted by anyone except the person in possession of the private key (Wikipedia, 2007). Since WWII, cryptography had been heavily regulated by governments with the mindset that it would still play important roles in conflicts of the future. The National Security Administration even went as far as to suggest that a bugging chip be placed in all voice and data communications devices, which would allow them to listen in on communications if necessary. The Clipper Chip, as it was named, was intended to set cryptography standards in the US without jeopardizing national security. Needless to say, it was not embraced by the private or public sectors of the communications industry.
Access to high quality cryptography was withheld from the public until a 1995 lawsuit filed by Daniel Bernstein, arguing that such restrictions violated free speech. The courts agreed, and soon source code for cryptographic algorithms and systems was available to anyone who wanted to make use of it (Akdeniz, 1996). With the relaxation of cryptography laws and the invention of such things as SSL, SSH, WEP, and RSA, high quality cryptography was finding ways of making communications, and more specifically the internet, a safer place to transmit critical data. As software manufacturers found ways to implement it in their applications, such as web browsers and email clients, it was only a matter of time before virus writers did the same.

Viruses

With the creation of anything good, something else is always created alongside it for malicious purposes. So it is with computer programs and their malicious counterparts: computer viruses. Before the internet spread around the world, computer viruses were spread mainly on removable media. The traditional computer virus emerged in the 1980s and spread through the use of Bulletin Board Systems, modems, and software sharing. Nowadays it is more common to hear of them spreading through email, instant messaging, or infected files on peer-to-peer networks. In this paper we will discuss the logic behind the most advanced form of virus writing: metamorphic code. As with any project you slave over, the survivability of a virus is a top priority for its writer. Viruses are packed with a series of different characteristics to help ensure that they do indeed survive in their host environment. These include the avoidance of undesirable hosts, stealth, self-modification, encryption, and polymorphic and metamorphic code. Over the years antivirus software has gotten leaps and bounds better at identifying problems on the system, meaning that viruses must get better at avoiding detection.
With the advent of metamorphic code, a virus can in essence rewrite its code to avoid pattern detection. To accomplish this, the virus will usually make a temporary version of itself, edit that version, and then encrypt itself back into normal code. Since this is done by the virus itself, all parts of the virus, including the metamorphic engine, are also re-encrypted. This evades the pattern recognition of antivirus software better than its predecessor, polymorphic code. With polymorphic code, the main body of the virus is re-encrypted each time it is rewritten, but the engine, even though it is rewritten, is never actually encrypted again until the virus replicates. With the basics of metamorphic code down, we can now see how cryptography and computer virology have come together (Jordan, 2002).

Cryptovirology

Computer viruses typically share a lot of the same characteristics. First of all, they are programs, and will steal system resources from the PC, more specifically CPU cycles. They will typically modify their own code and the system's code in order to operate to capacity. The virus's third characteristic is perhaps its greatest vulnerability: the ability to be analyzed by the user of the system. No virus can hide forever, and viruses can be, and routinely are, frozen and backed up for later analysis by computer professionals. Cryptovirology, however, studies how to get around this vulnerability and implement a virus with a high survivability rate that will in turn give the virus writer the upper hand over critical data. The best way to do this is by using forms of codependence (Young and Yung, 1996): we make a virus that leaves the host system with critical information whose survival depends on the virus. Using cryptographic methods, one can ensure that the effects of the virus can be reversed only by the virus writer. Simply put, if you delete the virus, you are in fact deleting vital information and resources needed for the decryption of your data (Balepin, 2006).
Cryptovirological Attacks

"A cryptovirus is a computer virus that uses a public key generated by the author to encrypt data that resides on the host system, in such a way that the data can only be recovered by the author of the virus possessing the private key" (Young and Yung, 1996). We will now take a look at some of the different ways a cryptovirus might try to hold information to ransom via denial of service attacks, for monetary or information extortion.

Denial of Service Attack

Following the encryption of vital data with a public key, the cryptovirus notifies the host user and demands that they somehow contact the virus writer. This contact can be made in various anonymous ways to ensure that the author remains unknown to average users; message boards, instant messages, and email can do this fairly easily. Once contacted, the author of the virus agrees to hand over the private key needed for decryption in exchange for a ransom. A drawback to this is that by handing out the private key the virus writer could potentially be freeing other victims of the same virus. To solve this, a virus could carry multiple public keys, but encrypting a file directly with a public key is very slow. Instead, a faster session-key encryption method can be used to encrypt the data. Session-key encryption is loads faster than public key encryption, but at the same time is easier to break. However, if we encrypt the data with a session key, and then encrypt that session key with a public key, there is a much better chance that each victim will have a different key for their data. As for the dependence of the host on the virus: if we delete the virus then (assuming that no backups exist) we are also deleting the unique public key used for the data encryption, and thus a very important part of the decryption process.
This denial of service attack differs from a traditional denial of service attack because the author of the virus communicates with the victim to re-supply the data denied, as opposed to just deleting it (Young and Yung, 1996).

Information Extortion Attack

As with the denial of service cryptovirus, this cryptovirus goes through the same process of encryption, but at the same time it calculates a checksum of a different data file that is targeted and more highly prized by the virus author. In order to retrieve the locked data, the user must send the author the requested data together with an encrypted text of the checksum generated by the virus. If the checksum the author calculates over the received data matches the checksum sent, the victim then receives the private key necessary for decryption. This kind of virus helps to ensure that the author receives the right data before giving a private key away (Balepin, 2006).

Countering Cryptovirological Threats

As any information technology professional can tell you, having high quality, dependable antivirus on your machines to protect your network is vital. As discussed above, metamorphism is a common form of virus reproduction and mutation. Luckily for system administrators it is also the form that many cryptoviruses use, and a simple sweep of the system by an antivirus can usually find them just as well as any other virus out there. Through pattern recognition of older viruses that were implemented the same way, most antivirus products will detect such viruses before and immediately after an infection occurs on your system (Jordan, 2002). Since a virus that included all the necessary tools for encryption would be large, and thus easy to detect, the virus must make use of the necessary tools already present on the victim's system. Monitoring those cryptographic tools will let you identify misuse of cryptography, and in turn identify possible viruses on the system, and maybe even virus writers on your own network.
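The monitoring advice above, turned into a concrete check, as an added example that is not part of the original paper: it flags a crypto tool launched by an account not expected to use it, and a process that overwrites several files with ciphertext-like (high-entropy) content. The tool names, the allow-listed account, the thresholds and the sample events are constructed assumptions, not values from the paper.

```python
import math
from collections import Counter, defaultdict

# Assumed policy (hypothetical): which binaries count as crypto tooling and
# which accounts are expected to run them, e.g. a backup service signing archives.
CRYPTO_TOOLS = {"openssl", "gpg"}
ALLOWED_CRYPTO_USERS = {"backup-svc"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for ciphertext, well under 6 for ordinary documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyze(events, entropy_threshold=7.5, rewrite_limit=3):
    """Scan monitoring events and return (rule, process) alerts.
    Events are dicts: kind 'exec' carries proc/user/tool; kind 'write' carries
    proc/user/path/data. Rule 1: crypto tool run by an unexpected account.
    Rule 2: one process rewriting rewrite_limit files with ciphertext-like bytes."""
    alerts = []
    high_entropy_writes = defaultdict(int)
    for ev in events:
        if ev["kind"] == "exec":
            if ev["tool"] in CRYPTO_TOOLS and ev["user"] not in ALLOWED_CRYPTO_USERS:
                alerts.append(("unexpected-crypto-tool", ev["proc"]))
        elif ev["kind"] == "write":
            if shannon_entropy(ev["data"]) >= entropy_threshold:
                high_entropy_writes[ev["proc"]] += 1
                if high_entropy_writes[ev["proc"]] == rewrite_limit:
                    alerts.append(("mass-high-entropy-rewrite", ev["proc"]))
    return alerts


# Constructed sample data: a readable document, and a buffer in which every byte
# value occurs equally often (entropy exactly 8.0, which is how ciphertext looks here).
PLAINTEXT = b"Quarterly report: revenue up 4%, costs flat. " * 40
CIPHERTEXT_LIKE = bytes(range(256)) * 8
SAMPLE_EVENTS = [  # constructed; "update.exe" is a made-up suspicious process name
    {"kind": "exec", "proc": "cron", "user": "backup-svc", "tool": "gpg"},
    {"kind": "exec", "proc": "update.exe", "user": "alice", "tool": "openssl"},
    {"kind": "write", "proc": "winword", "user": "alice", "path": "/home/alice/q3.doc", "data": PLAINTEXT},
    {"kind": "write", "proc": "update.exe", "user": "alice", "path": "/home/alice/q1.doc", "data": CIPHERTEXT_LIKE},
    {"kind": "write", "proc": "update.exe", "user": "alice", "path": "/home/alice/q2.doc", "data": CIPHERTEXT_LIKE},
    {"kind": "write", "proc": "update.exe", "user": "alice", "path": "/home/alice/q3.doc", "data": CIPHERTEXT_LIKE},
]

if __name__ == "__main__":
    for rule, proc in analyze(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {proc}")
```

On the sample events the allow-listed backup job is silent, while the unexpected process triggers both rules.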
If regular backups are not currently being made of a system, they should be started immediately. Even though a virus may have encrypted and infected the current form of the data on the hard drive or network, that does not mean it has reached a previous version of the data on a backup copy. Finally, a great way to protect your critical data is to employ public key cryptography on it yourself prior to infection. Access to a critical file will do an author no good if it is already encrypted and he cannot read it for lack of the private key (Young and Yung, 1996).

Conclusion

Since the beginning of civilization, people have been using cryptography for the defense of vital data and communications. Because hand-written codes are made by humans and are far less complex than what a computer can generate, most could be easily broken, and for that very reason were never even thought of as capable of malicious activity. But as shown, with the advent of computers and such malicious activities as denial of service attacks on critical information, malicious activity is indeed now possible in ridiculously complex ways. With the right amount of preparation and protection, however, administrators can successfully minimize the possibilities and the capabilities of a cryptovirological attack on their systems.

References

Akdeniz, Yaman (1996). Pretty Good Privacy & Clipper Chip & ITAR. Retrieved December 11, 2007, from www.cyber-rights.com Web site: http://www.cyber-rights.org/crypto/pgp&itar.htm
Balepin, Ivan (2006). Superworms and Cryptovirology: A Deadly Combination.
Jordan, Myles (2002, October 1). Anti-Virus Research: Dealing With Metamorphism. Retrieved December 11, 2007, from CA Web site: http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=48051
Ryan, Mark (2007). Symmetric-key cryptography. Retrieved December 11, 2007, from Dr. Mark Ryan, School of Computer Science, University of Birmingham Web site: http://www.cs.bham.ac.uk/~mdr/teaching/modules/security/lectures/symmetric-key.html
Sale, Tony (2007). The Enigma Cipher Machine. Retrieved December 11, 2007, from CodesandCiphers.org Web site: http://www.codesandciphers.org.uk/enigma/
Young, Adam, & Yung, Moti (1996). Cryptovirology: Extortion-Based Security Threats and Countermeasures. Yorktown Heights: IBM T.J. Watson Research Center.
Wikipedia (2007). Computer Virus. Retrieved December 11, 2007, from Wikipedia Web site: http://en.wikipedia.org/wiki/Computer_virus
Wikipedia (2007). Public Key Cryptography. Retrieved December 11, 2007, from Wikipedia Web site: http://en.wikipedia.org/wiki/Public_key_cryptosystem
