B. Efforts to combat the trojan

advertisement
CE 706
CRYPTOVIROLOGY
CRYPTOVIROLOGY
Patel Parth (06/CE/69)
Charotar Institute of Technology,
U & P U Patel Department of Computer Engineering,
Gujarat University, India
Parthpatel002@yahoo.com
Abstract:Traditionally, cryptography and its applications
are defensive in nature, and provide privacy,
authentication, and security to users. In this paper we
present the idea of Cryptovirology which employs a twist on
cryptography, showing that it can also be used offensively.
By being offensive we mean that it can be used to mount
extortion based attacks that cause loss of access to
information, loss of confidentiality, and information
leakage, tasks which cryptography typically prevents. In
this paper we analyze potential threats and attacks that
rogue use of cryptography can cause when combined with
rogue software (viruses, Trojan horses), and demonstrate
them experimentally by presenting an implementation of a
cryptovirus that we have tested (we took careful
precautions in the process to insure that the virus remained
contained). Public-key cryptography is essential to the
attacks that we demonstrate (which we call
"cryptovirological
attacks").
We
also
suggest
countermeasures and mechanisms to cope with and prevent
such attacks. These attacks have implications on how the
use of cryptographic tools should be managed and audited
in general purpose computing environments, and imply that
access to cryptographic tools should be well controlled. The
experimental virus demonstrates how cryptographic
packages can be condensed into a small space, which may
have independent applications (e.g., cryptographic module
design in small mobile devices).
I. INTRODUCTION
Cryptology: Cryptology is subdivided into two disciplines,
Cryptography and Cryptanalysis. Cryptography is the science
of making the secret unintelligible and cryptanalysis is the
science of retrieving the secret from the unintelligible data.
Virus: A computer virus is a program or piece of code written
with malicious intent, soto alter the normal working of the
computer and is done without the knowledge orpermission of
the legitimate user.
Worms: A worm is a piece of code that uses security flaws to
create copies of it. The copy will then look forward to replicate
itself by looking for other vulnerable machines.This process
continues until all the system resources are consumed thus
rendering it useless for any other work.
Trojan: A Trojan is a piece of code that claims to be something
desirable but in practice is malicious. Once a user is tricked into
running a trojan, it acts as a backdoor to the computer on which
it is running. Trojans can be potentially malicious and may
cause widespread damage such as erasing files, stealing of
passwords and so on.
Cryptovirology: Cryptovirology is the term coined to the use
and study of cryptology in virus writing in a variety of novel
ways for malicious intent namely
- Give malicious software (malware) enhanced privacy and
robustness against reverse engineering.
- Give the attacker enhanced anonymity when communicating
with the malware.
- Improve the ability to steal data and carry out extortion and so
on.
Cryptovirus: A cryptovirus is a virus that makes use of a
cryptographic public key known to the author of the
cryptovirus. Cryptoworms and CryptoTrojans are same as
CryptoViruses except that they are worms and trojans.
TRNG: A TRNG is a True Random Number Generator. Given
any sequence or set of sequences generated by a TRNG, it is
impossible to derive any further or previous sequence.
IV: Initialization Vector (IV) is a pseudo random number used
in a cryptographic mode known as chaining.
CBC: Cipher Block Chain (CBC) is a chaining mode that
prevents the same plaintext from encrypting to the same
ciphertext under the same encryption key.
Cryptovirology is a field that studies how to use
cryptographycrto design powerful malicious software. The field
was born with the observation that public key cryptography can
1
CE 706
be used to break the symmetry between what an antivirus
analyst sees regarding a virus and what the virus writer sees.
The former only sees a public key whereas the latter sees a
public key and corresponding private key. The first attack that
was identified in the field is called "cryptoviral extortion". In
this attack a virus,worm or torjan hybrid encrypts the victim's
files and the user must pay the malware author to receive the
needed session key (which is encrypted under the author's
public key that is contained in the malware) if the user does not
have backups and needs the files back.
The field also encompasses covert attacks in which the attacker
secretly steals private information such as private keys. An
example of the latter type of attack are asymmetric backdoor
asymmetric backdoor is a backdoor (e.g., in a cryptosystem)
that can be used only by the attacker, even after it is found. This
contrasts with the traditional backdoor that is symmetric, i.e.,
anyone that finds it can use it.kleptography a subfield of
cryptovirology, is concerned with the study of asymmetric back
doors in key generation algorithms, digital signature
algorithms, key exchanges, and so on.
Kleptography The notion of an asymmetric backdoor was
introduced in [YY96b]. A kleptographic attack is an attack in
which a malicious designer deploys an asymmetric backdoor.
In a kleptographic attack, there is an explicit distinction
between confidentiality of the messages (e.g., the private keys
of the users) and awareness that the attack is taking place. A
secure kleptographic attack is undetectable as long as the
cryptosystem is a black-box. Also, if the black-box is opened, it
may be evident that a kleptographic attack is underway, but
confidentiality is preserved. In other words, a kleptographic
attack is an asymmetric backdoor that can only be used by the
designer that carries out the attack. This subject of research is
called Kleptography: the study of stealing information securely
and
subliminally
(see
also
[YY97b,WL02,CS03]).
Kleptography is a natural extension of the theory of subliminal
channels.
Prior to the advent of asymmetric backdoors, scientific research
on backdoors in cryptosystems was conducted. An early
scientific paper on building a backdoor into RSA key
generation is [An93]. In hindsight, Anderson's construction is a
symmetric backdoor, meaning that a successful reverseengineer will be able to use the backdoor. Anderson's
construction was subsequently cryptanalyzed in [Ka93]. In
contrast, a kleptographic backdoor is an asymmetric backdoor,
meaning that a reverse-engineer that expends considerable
effort breaching the black-box that houses the backdoor still
CRYPTOVIROLOGY
cannot use the backdoor (in general, the reverse-engineer finds
the attacker's public key, not the needed private decryption
key).
Kleptographic attacks often utilize subliminal channels to
transmit things like: private signing keys, private decryption
keys, symmetric keys, etc. outside of a cryptosystem (e.g.,
smartcard). The requirement that kleptographic attacks have
that exceeds the requirements of a subliminal channel is
robustness against reverse-engineering. A kleptographic attack
is only secure if the confidentiality of the subliminal messages
holds even after the black-box is opened and inspected. This
must hold for all previously transmitted messages as well as
future subliminal messages that may be sent. Asymmetric
cryptography is used to achieve this type of confidentiality. It is
this added robustness in confidentiality that makes
kleptographic attacks more attractive to carry out in practice.
An example will go a long way to explain what a kleptographic
attack is. A kleptographic attack against a software-based RSA
cryptosystem like PGP has been demonstrated [YY96b,YY04].
In this attack, RSA keys are not generated normally. However,
the RSA public modulus n is still the product of two primes p
and q. The modulus n is generated such that its upper order bits
effectively constitute the asymmetric encryption of a value that
allows n to be efficiently factored. Computing such composites
n is possible using a well known subliminal channel in the
products of two primes. The asymmetric encryption is
computed using the public key of the attacker that is embedded
in the RSA key generation algorithm. As a result, a database of
public keys (i.e., the CA) is a database of public keys and
ciphertexts of the corresponding private keys from the
perspective of the attacker.
The novelty in this kleptographic attack is the following. It can
be deployed in software in a single binary program (that may be
code-signed) such that everyone obtains the same copy. The
key pairs that the program outputs do not reveal that a
kleptographic attack is occurring (they appear to be normal). If
a reverse-engineer examines the key generation code then he or
she will learn that a kleptographic attack is underway. However
the reverse-engineer will still be out of luck in actually learning
the private key of anyone who uses the binary.

2
CE 706
II. General information of Cryptovirology
Cryptovirology was born in academia. However, practitioners
have recently expanded the scope of the field to include the
analysis of cryptographic algorithms used by malware writers,
attacks on these algorithms using automated methods (such as
X-raying) and analysis of viruses' and packers' encryptors. Also
included is the study of cryptography-based techniques (such as
"delayed code") developed by malware writers to hamper
malware analysis.
A "questionable encryption scheme", which was introduced by
Young and Yung, is an attack tool in cryptovirology.
Informally speaking, a questionable encryption scheme is a
public key cryptosystem(3-tuple of algorithms) with two
supplementary algorithms, forming a 5-tuple of algorithms. It
includes a deliberately bogus yet carefully designed key pair
generation algorithm that produces a "fake" public key. The
corresponding private key (witness of non-encryption) cannot
be used to decipher data "encrypted" using the fake public key.
By supplying the key pair to an efficient verification predicate
(the 5th algorithm in the 5-tuple) it is proven whether the public
key is real or fake. When the public key is fake, it follows that
no one can decipher data "enciphered" using the fake public
key. A questionable encryption scheme has the property that
real public keys are computationally indistinguishable from
fake public keys when the private key is not available. The
private key forms a poly-sized witness of decipherability or
indecipherability, whichever may be the case.
An application of a questionable encryption scheme is a torjan
that gathers plaintext from the host, "encrypts" it using the
trojan's own public key (which may be real or fake), and then
exfiltrates the resulting "ciphertext". In this attack it is
thoroughly intractable to prove that data theft has occurred.
This holds even when all core dumps of the trojan and all the
information that it broadcasts is entered into evidence. An
analyst that jumps to the conclusion that the trojan "encrypts"
data risks being proven wrong by the malware author (e.g.,
anonymously).
When the public key is fake, the attacker gets no plaintext from
the trojan. So what's the use? A spoofing attack is possible in
which some trojans are released that use real public keys and
steal data and some trojans are released that use fake public
keys and do not steal data. Many months after the trojans are
discovered and analayzed, the attacker anonymously posts the
witnesses of non-encryption for the fake public keys. This
proves that those trojans never in fact exfiltrated data. This
CRYPTOVIROLOGY
casts doubt on the true nature of future strains of malware that
contain such "public keys", since the keys could be real or fake.
This attack implies a fundamental limitation on proving data
theft.There are many other attacks in the field of cryptovirology
that are not mentioned here.
Cryptoviral extortion, which uses public key cryptography, is a
denial of resources attack that was introduced in [YY96a]. It is
a three-round protocol that is carried out by an attacker against
a victim. The attack is carried out via a cryptovirus that uses a
hybrid cryptosystem to encrypt host data while deleting or
overwriting the original data in the process. The protocol is as
follows: (protocol setup phase) An asymmetric key pair is
generated by the virus author on a smartcard and the public key
is placed within the virus. The private key is designated as
"non-exportable" so that even the virus author cannot obtain it's
bit representation. Thus, the private key is generated, stored,
and used on the smartcard. Ideally, the smartcard will
implement two-factor security: something the virus author
knows (a PIN number) and something the virus writer has (the
smartcard that contains the private key). Also, the card will
ideally be immune to differential power analysis, timing
attacks, etc. to prevent the virus author from ever learning the
bits of the private key. A standards-based approach can be used,
e.g., the use of an approved FIPS 140-2 level 2 or higher device
(e.g., when it is level 4 the private key will be destroyed if the
casing is breached). In the U.S. the virus author cannot be
forced to bear witness against himself or herself (Fifth
Amendment) and so the PIN can remain confidential. The
purpose of this setup phase is to limit the effectiveness of
seizing and analyzing the smartcard under subpoena or warrant
(competent evidence).
1) (virus author -> victim) The virus author deploys the
cryptovirus. At a later time the virus activates on what could be
tens or even hundreds of thousands of machines. The remainder
of this description will cover the protocol for just one such
machine. When the virus activates, it uses a true random bit
generator (TRBG) to generate a symmetric key and
initialization vector (IV) uniformly at random. It is essential
that the TRBG produce truly random bits to prevent the
symmetric key and IV from being guessed or otherwise
determined by the victim at a later date. The virus then encrypts
host data with this random symmetric key and IV (e.g., using
cipher-block chaining (CBC) mode). The virus concatenates the
IV with the symmetric key and then encrypts the resulting
string using the public key of the virus author (e.g., using RSAOAEP). The encrypted plaintext is then held ransom. The virus
notifies the victim that the attack has occurred (e.g., via a dialog
3
CE 706
CRYPTOVIROLOGY
box on the victim's screen) and states that the asymmetric
ciphertext will be needed to restore the data. The virus author
states his or her demands in return for the data. The virus author
and victim can send asymmetrically encrypted messages to
each other via a public bulletin board to try to preserve the
attacker's anonymity. Alternatively, digital pseudonyms and
mix-networks can be used.
This attack is often performed with the aid of URL phissing,
which exploits web browser bugs in order to display incorrect
URLs in the browsers location bar; or with DNS cache
poisoning in order to direct the user away from the legitimate
site and to the fake one. Once the user puts in their password,
the attack-code reports a password error, then redirects the user
back to the legitimate site.
2) (victim -> virus author) If the victim complies by paying
the ransom and transmitting the asymmetric ciphertext to the
virus author then the virus author decrypts the ciphertext using
the private key that only the virus author has access to (the one
on his or her smartcard). This reveals the symmetric key and IV
that was used in the attack
C. Referer spoofing
III. Spoofing attack
In the context of network security, a spoofing attack is a
situation in which one person or program successfully
masquerades as another by falsifying data and thereby gaining
an illegitimate advantage.
A. Man-in-the-middle attack and internet protocol spoofing
An example from cryptography is the man-in-middle-attack, in
which an attacker spoofs Alice into believing the attacker is
Bob, and spoofs Bob into believing the attacker is Alice, thus
gaining access to all messages in both directions without the
trouble of any cryptanalytic effort.The attacker must monitor
the packets sent from Alice to Bob and then guess the sequence
number of the packets. Then the attacker knocks out Alice with
a SYN attack and injects his own packets, claiming to have the
address of Alice. Alice's firewall can defend against some spoof
attacks when it has been configured with knowledge of all the
IP addresses connected to each of its interfaces. It can then
detect a spoofed packet if it arrives at an interface that is not
known to be connected to the IP address.Many carelessly
designed protocols are subject to spoof attacks, including many
of those used on the Internet. See internet spoofing attack.
B.URL spoofing and phishing
Another kind of spoofing is "webpage spoofing," also known as
phissing. In this attack, a legitimate web page such as a bank's
site is reproduced in "look and feel" on another server under
control of the attacker. The main intent is to fool the users into
thinking that they are connected to a trusted site, for instance to
harvest user names and passwords.
Some websites, especially pornographic paysites, allow access
to their materials only from certain approved (login-) pages.
This is enforced by checking the referer header of the HTTP
request. This referrer header however can be changed (known
as "Referer spoofing" or "Ref-tar spoofing"), allowing users to
gain unauthorized access to the materials.
D.Poisoning of file-sharing networks
"Spoofing" can also refer to copyright holders placing distorted
or unlistenable versions of works on file-sharing networks, to
discourage downloading from these sources.
E.Caller ID spoofing
Main article: caller id spoofing
In public telephone networks, it has for a long while been
possible to find out who is calling you by looking at the caller
ID information that is transmitted with the call. There are
technologies that transmit this information on landlines, on
cellphones and also withVoIP. Unfortunately, there are now
technologies (especially associated with VoIP) that allow
callers to lie about their identity, and present false names and
numbers, which could of course be used as a tool to defraud or
harass. Because there are services and gateways that
interconnect VoIP with other public phone networks, these
false Caller IDs can be transmitted to any phone on the planet,
which makes the whole Caller ID information now next to
useless. Due to the distributed geographic nature of the Internet,
VoIP calls can be generated in a different country to the
receiver, which means that it is very difficult to have a legal
framework to control those who would use fake Caller IDs as
part of a scam.
F. E-mail address spoofing
4
CE 706
CRYPTOVIROLOGY
The sender information shown in e-mails(the "From" field) can
be spoofed easily. This technique is commonly used by
spammers to hide the origin of their e-mails and leads to
problems such as misdirected bounces(i.e. e-mail spam
backscatter).
E-mail address spoofing is done in quite the same way as
writing a forged return address using snailmail. As long as the
letter fits the protocol, (ie. stamp, postal code) the SMTP
protocol will send the message. It can be done using a mail
server with telnet.
V .Examples of viruses with cryptography
While viruses in the wild have used cryptography in the past,
the only purpose of such usage of cryptography was to avoid
detection by antivirus software. For e.g., the tremor virus used
polymorphism as a defensive technique in an attempt to avoid
detection by anti-virus software. Though cryptography does
assist in such cases to enhance the longevity of a virus, the
capabilities of cryptography are not used in the payload. The
one-half virus was amongst the first viruses known to have
encrypted affected files. However, the one_half virus was not
ransomware, that is it did not demand any ransom for
decrypting the files that it has encrypted. It also did not use
public key cryptography. An example of a virus that informs
the owner of the infected machine to pay a ransom is the virus
nicknamed Tro_Ransom.A. This virus asks the owner of the
infected machine to send $10.99 to a given account through
WesternUnion.
Virus.Win32.Gpcode.ag is a classic cryptovirus. This virus
partially uses a version of 660-bit RSA and encrypts files with
many different extensions. It instructs the owner of the machine
to email a given mail ID if the owner desires the decryptor. If
contacted by email, the user will be asked to pay a certain
amount as ransom in return for the decryptor.
PGPCoder or GPCode is a trojan that encrypts files on the
infected computer and then asks for a fee in order to release
these files, a type of behavior dubbed ransomware or
cryptography.
A.Trojan
Once installed on a computer, the trojan creates two registry
keys: one to ensure it is run on every system startup, and the
Figure.1 example of virus detection
second to monitor the progress of the trojan in the infected
computer, counting the number of files that have been analyzed
by the malicious code.
Once it has been run, the trojan embarks on its mission, which
is to encrypt, using a digital encryption key, all the files it finds
on computer drives with extensions corresponding to those
listed in its code. These extensions include .doc, .html, .jpg,
.xls, .zip and .rar.
The blackmail is completed with the trojan dropping a text file
in each directory, with instructions to the victim of what to do.
An email address is supplied through which users are supposed
to request for their files to be released after paying a ransom of
$100-200 to an e-gold account.
B. Efforts to combat the trojan
While a few Gpcode variants have been successfully
implemented, many variants have flaws that allow users to
recover data without paying the ransom fee. The first versions
of Gpcode used a custom-written encryption routine that was
easily broken. Variant Gpcode.ak writes the encrypted file to a
new location, and deletes the unencrypted file, and this allows
5
CE 706
CRYPTOVIROLOGY
an undeletion utility to recover some of the files. Once some
encrypted+unencrypted pairs have been found, this sometimes
gives enough information to decrypt other files. Variant
Gpcode.am uses symmetric encryption, which made key
recovery very easy.
Kaspersky Lab has been able to make contact with the author of
the program, and verify that they are the real author, but have
so far been unable to determine his real world identity.
VI.creation of viruses
To successfully write a cryptovirus, a thorough knowledge of
the various cryptographic primitive such as random number
generator, proper recommended cipher text chaining modes etc
are necessary. Wrong choices can lead to poor cryptographic
strength. So, usage of preexisting routines would be ideal.
Microsoft’s Cryptographic API(CAPI), is a possible tool for
the same. It has been demonstrated that using just 8 different
calls to this API, a cryptovirus can satisfy all its encryption
needs.Cryptographic primitives are well-established, lowlevel cryptographic algorithms that are frequently used to build
computer security systems. These routines include, but are not
limited to, one-way hash function andencryption function.
When creating cryptographic system, designers use
cryptographic primitives as their most basic building blocks.
Because of this, cryptographic primitives are designed to do
one very specific task in a highly reliable fashion. They include
encryption schemes, hash function and digital signature
schemes.
Since cryptographic primitives are used as building blocks, they
must be very reliable, i.e. perform according to their
specification. E.g. if an encryption routine claims to be only
breakable with X number of computer operations, then if it can
be broken with significantly less than X operations, that
cryptographic primitive is said to fail. If a cryptographic
primitive is found to fail, almost every protocol that uses it
becomes vulnerable. Since creating cryptographic routines is
very hard, and testing them to be reliable takes a long time, it is
essentially never sensible (nor secure) to design a new
cryptographic primitive to suit the needs of a new
cryptographic system. The reasons include:



The designer might not be competent in the
mathematical and practical considerations involved in
cryptographic primitives
Designing a new cryptographic primitive is very timeconsuming and very error prone, even for those expert
in the field
Since algorithms in this field are not only required to
be designed well, but also need to be tested well by the
cryptologist community, even if a cryptographic
routine looks good from a design point of view it
might still contain errors. Successfully withstanding
such scrutiny gives some confidence (in fact, so far,
the only confidence) that the algorithm is indeed
secure enough to use; security proofs for
cryptographic primitives are generally not available.
Cryptographic primitives are similar in some ways to
programming language. A computer programmer rarely invents
a new programming language while writing a new program;
instead, he or she will use one of the already established
programming languages to program in.
Cryptographic primitives are one of the building block of every
crypto system, e.g., TLS, SSL, SSH, etc. Crypto system
designers, not being in a position to definitively prove their
security, must take the primitives they use as secure. Choosing
the best primitive available for use in a protocol usually
provides the best available security. However, compositional
weaknesses are possible in any crypto system and it is the
responsibility of the designer(s) to avoid them.
Figure.2 digital signature
Combining cryptographic primitives:Cryptographic primitives,
on their own, are quite limited. They cannot be considered,
properly, to be a cryptographic system. For instance, a bare
encryption algorithm will provide no authentication
mechanism, nor any explicit message integrity checking. Only
6
CE 706
when combined in security protocols, can more than one
security requirement be addressed. For example, to transmit a
message that is not only encoded but also protected from
tinkering (i.e. it is confidencial and integrated-protected), an
encoding routine, such as DES, and a hash-routine such as
SHA-1 can be used in combination. If the attacker does not
know the encryption key, he can not modify the message so that
message digest values can't be successfully faked.
Combining cryptographic primitives to make a protocol is itself
an entire specialization. Most exploitable errors (ie, insecurities
in crypto systems) are due not to design errors in the primitives
(assuming always that they were chosen with care), but to the
way they are used, i.e. bad protocol design and buggy or not
careful enough implementation. Mathematical analysis of
protocols is, at the time of this writing, not mature. There are
some basic properties that can be verified with automated
methods, such as BAN LOGIC. There are even methods for full
verification (e.g. the SPI calculas) but they are extremely
cumbersome and cannot be automated. Protocol design is an art
requiring deep knowledge and much practice; even then
mistakes are common. An illustrative example, for a real
system, can be seen on the openssl vulnerability news page at.
VII. Other uses of cryptography enabled malware
Apart from cryptoviral extortion, there are other potential uses
of cryptoviruses. They are used in deniable password snatching,
used with cryptocounters, used with private information
retrieval and used in secure communication between different
instances of a distributed cryptovirus.The Cryptographic
Application Programming Interface (also known variously as
CryptoAPI, Microsoft Cryptography API, or simply CAPI) is
an application interface programming included with Microsoft
Window’s operating system that provides services to enable
developers to secure Windows-based applications using
cryptography. It is a set of dynamically link library that
provides an abstraction layer which isolates programmers from
the code used to encrypt the data.CryptoAPI supports both
public key and symmatry key cryptography. It includes
functionality for encrypting and decrypting data and for
authentication using digital certificates. It also includes a
cryptographically secure pseudorandom number generator
function CryptGenRandom.CryptoAPI works with a number of
CSPs (cryptographic’s service provider) installed on the
machine. CSPs are the modules that do the actual work of
encoding and decoding data by performing the cryptographic
CRYPTOVIROLOGY
functions.Window vista features an update to the Crypto API
known as Cryptography API: Next Generation (CNG). It has
better API factoring to allow the same functions to work using
a wide range of cryptographic algorithms, and the inclusion of a
number of newer algorithms that are part of the National
security agency (NSA)suite B. It is also flexible, featuring
support for plugging in custom cryptographic APIs into the
CNG runtime. CNG works in both user and Kernel mode, and
also supports all of the algorithms from the CryptoAPI. The
Microsoft provider that implements CNG is housed in
Bcrypt.dll.CNG also supports elliptic curve cryptography which
is also secure and uses shorter keys than RSA. The CNG API
integrates with the smart card subsystem by including a Base
Smart Card Cryptographic Service Provider (Base CSP)
module which encapsulates the smart card API. Smart card
manufacturers just have to make their devices compatible with
this, rather than provide a from-scratch solution.
VIII.counter measure
1. Permanent and direct memory monitoring is necessary to
catch self encrypting,polymorphic cryproviruses.
2. Passwords alone are inherently weak to authenticate to a host
or computer system.Two factor authentication, first with the
password and the second with a biometric entity such as the
users fingerprint, iris scan and so on should be used.
3. Use of up-to-date anti-virus machinery, since cryptoviruses
spread the same way as normal viruses does.
4. Access control to cryptographic tools and API’s. It is
strongly encouraged to audit cryptographic utilities. This is one
of the major issues that are commonly overlooked. This will
help the system administrator to identify suspicious
cryptographic usage.
5. We note that if strong cryptographic routines and good
pseudo random number generators are available, it makes the
virus smaller and simpler to code and faster to execute if the
code is optimal. Incorporating strong cryptographic tools into
the operating systems may increase system security but makes
it vulnerable since viruses can make calls to these operation
system routines. It is hence essential to monitor the processes
invoking the cryptographic routines and try to prevent and
log processes that do not have sufficient access privileges to
call the crypto toolkit/library.
6. Use of Firewall and Intrusion Detection System to protect
single and networked systems.
7.Applying patches as soon as it is made available and
watching out for zero day exploits.
7
CE 706
CRYPTOVIROLOGY
IX.CONCLUSION
Cryptography with virology is a deadly combination.The battle
between Virus writers and anti virus vendors is raging hard.The
use of cryptography in virology is one such tool used by virus
writers to win the battle Anti-virus vendors do not have any
answer for such threats as of now and they may come up with
remedies.The cycle continues……We have seen that
cryptographic tools can be used to create a new class of viruses:
crypto viruses
REFERENCES
[1]. http://wikipedia.org/cryptovirology
[2]. www.cryptovirology.com/cryptovfiles/cryptovirologyfaqver
1.html
[3]. http://www.google.co.in
[4]. www.textbooksrus.com/search/bookdetail/default.aspx?isb
n...
[5]. http://csl.stanford.edu/ pal/pubs/tinyos-programming.pdf
8
Download