CE 706 CRYPTOVIROLOGY CRYPTOVIROLOGY Patel Parth (06/CE/69) Charotar Institute of Technology, U & P U Patel Department of Computer Engineering, Gujarat University, India Parthpatel002@yahoo.com Abstract:Traditionally, cryptography and its applications are defensive in nature, and provide privacy, authentication, and security to users. In this paper we present the idea of Cryptovirology which employs a twist on cryptography, showing that it can also be used offensively. By being offensive we mean that it can be used to mount extortion based attacks that cause loss of access to information, loss of confidentiality, and information leakage, tasks which cryptography typically prevents. In this paper we analyze potential threats and attacks that rogue use of cryptography can cause when combined with rogue software (viruses, Trojan horses), and demonstrate them experimentally by presenting an implementation of a cryptovirus that we have tested (we took careful precautions in the process to insure that the virus remained contained). Public-key cryptography is essential to the attacks that we demonstrate (which we call "cryptovirological attacks"). We also suggest countermeasures and mechanisms to cope with and prevent such attacks. These attacks have implications on how the use of cryptographic tools should be managed and audited in general purpose computing environments, and imply that access to cryptographic tools should be well controlled. The experimental virus demonstrates how cryptographic packages can be condensed into a small space, which may have independent applications (e.g., cryptographic module design in small mobile devices). I. INTRODUCTION Cryptology: Cryptology is subdivided into two disciplines, Cryptography and Cryptanalysis. Cryptography is the science of making the secret unintelligible and cryptanalysis is the science of retrieving the secret from the unintelligible data. Virus: A computer virus is a program or piece of code written with malicious intent, soto alter the normal working of the computer and is done without the knowledge orpermission of the legitimate user. Worms: A worm is a piece of code that uses security flaws to create copies of it. The copy will then look forward to replicate itself by looking for other vulnerable machines.This process continues until all the system resources are consumed thus rendering it useless for any other work. Trojan: A Trojan is a piece of code that claims to be something desirable but in practice is malicious. Once a user is tricked into running a trojan, it acts as a backdoor to the computer on which it is running. Trojans can be potentially malicious and may cause widespread damage such as erasing files, stealing of passwords and so on. Cryptovirology: Cryptovirology is the term coined to the use and study of cryptology in virus writing in a variety of novel ways for malicious intent namely - Give malicious software (malware) enhanced privacy and robustness against reverse engineering. - Give the attacker enhanced anonymity when communicating with the malware. - Improve the ability to steal data and carry out extortion and so on. Cryptovirus: A cryptovirus is a virus that makes use of a cryptographic public key known to the author of the cryptovirus. Cryptoworms and CryptoTrojans are same as CryptoViruses except that they are worms and trojans. TRNG: A TRNG is a True Random Number Generator. Given any sequence or set of sequences generated by a TRNG, it is impossible to derive any further or previous sequence. IV: Initialization Vector (IV) is a pseudo random number used in a cryptographic mode known as chaining. CBC: Cipher Block Chain (CBC) is a chaining mode that prevents the same plaintext from encrypting to the same ciphertext under the same encryption key. Cryptovirology is a field that studies how to use cryptographycrto design powerful malicious software. The field was born with the observation that public key cryptography can 1 CE 706 be used to break the symmetry between what an antivirus analyst sees regarding a virus and what the virus writer sees. The former only sees a public key whereas the latter sees a public key and corresponding private key. The first attack that was identified in the field is called "cryptoviral extortion". In this attack a virus,worm or torjan hybrid encrypts the victim's files and the user must pay the malware author to receive the needed session key (which is encrypted under the author's public key that is contained in the malware) if the user does not have backups and needs the files back. The field also encompasses covert attacks in which the attacker secretly steals private information such as private keys. An example of the latter type of attack are asymmetric backdoor asymmetric backdoor is a backdoor (e.g., in a cryptosystem) that can be used only by the attacker, even after it is found. This contrasts with the traditional backdoor that is symmetric, i.e., anyone that finds it can use it.kleptography a subfield of cryptovirology, is concerned with the study of asymmetric back doors in key generation algorithms, digital signature algorithms, key exchanges, and so on. Kleptography The notion of an asymmetric backdoor was introduced in [YY96b]. A kleptographic attack is an attack in which a malicious designer deploys an asymmetric backdoor. In a kleptographic attack, there is an explicit distinction between confidentiality of the messages (e.g., the private keys of the users) and awareness that the attack is taking place. A secure kleptographic attack is undetectable as long as the cryptosystem is a black-box. Also, if the black-box is opened, it may be evident that a kleptographic attack is underway, but confidentiality is preserved. In other words, a kleptographic attack is an asymmetric backdoor that can only be used by the designer that carries out the attack. This subject of research is called Kleptography: the study of stealing information securely and subliminally (see also [YY97b,WL02,CS03]). Kleptography is a natural extension of the theory of subliminal channels. Prior to the advent of asymmetric backdoors, scientific research on backdoors in cryptosystems was conducted. An early scientific paper on building a backdoor into RSA key generation is [An93]. In hindsight, Anderson's construction is a symmetric backdoor, meaning that a successful reverseengineer will be able to use the backdoor. Anderson's construction was subsequently cryptanalyzed in [Ka93]. In contrast, a kleptographic backdoor is an asymmetric backdoor, meaning that a reverse-engineer that expends considerable effort breaching the black-box that houses the backdoor still CRYPTOVIROLOGY cannot use the backdoor (in general, the reverse-engineer finds the attacker's public key, not the needed private decryption key). Kleptographic attacks often utilize subliminal channels to transmit things like: private signing keys, private decryption keys, symmetric keys, etc. outside of a cryptosystem (e.g., smartcard). The requirement that kleptographic attacks have that exceeds the requirements of a subliminal channel is robustness against reverse-engineering. A kleptographic attack is only secure if the confidentiality of the subliminal messages holds even after the black-box is opened and inspected. This must hold for all previously transmitted messages as well as future subliminal messages that may be sent. Asymmetric cryptography is used to achieve this type of confidentiality. It is this added robustness in confidentiality that makes kleptographic attacks more attractive to carry out in practice. An example will go a long way to explain what a kleptographic attack is. A kleptographic attack against a software-based RSA cryptosystem like PGP has been demonstrated [YY96b,YY04]. In this attack, RSA keys are not generated normally. However, the RSA public modulus n is still the product of two primes p and q. The modulus n is generated such that its upper order bits effectively constitute the asymmetric encryption of a value that allows n to be efficiently factored. Computing such composites n is possible using a well known subliminal channel in the products of two primes. The asymmetric encryption is computed using the public key of the attacker that is embedded in the RSA key generation algorithm. As a result, a database of public keys (i.e., the CA) is a database of public keys and ciphertexts of the corresponding private keys from the perspective of the attacker. The novelty in this kleptographic attack is the following. It can be deployed in software in a single binary program (that may be code-signed) such that everyone obtains the same copy. The key pairs that the program outputs do not reveal that a kleptographic attack is occurring (they appear to be normal). If a reverse-engineer examines the key generation code then he or she will learn that a kleptographic attack is underway. However the reverse-engineer will still be out of luck in actually learning the private key of anyone who uses the binary. 2 CE 706 II. General information of Cryptovirology Cryptovirology was born in academia. However, practitioners have recently expanded the scope of the field to include the analysis of cryptographic algorithms used by malware writers, attacks on these algorithms using automated methods (such as X-raying) and analysis of viruses' and packers' encryptors. Also included is the study of cryptography-based techniques (such as "delayed code") developed by malware writers to hamper malware analysis. A "questionable encryption scheme", which was introduced by Young and Yung, is an attack tool in cryptovirology. Informally speaking, a questionable encryption scheme is a public key cryptosystem(3-tuple of algorithms) with two supplementary algorithms, forming a 5-tuple of algorithms. It includes a deliberately bogus yet carefully designed key pair generation algorithm that produces a "fake" public key. The corresponding private key (witness of non-encryption) cannot be used to decipher data "encrypted" using the fake public key. By supplying the key pair to an efficient verification predicate (the 5th algorithm in the 5-tuple) it is proven whether the public key is real or fake. When the public key is fake, it follows that no one can decipher data "enciphered" using the fake public key. A questionable encryption scheme has the property that real public keys are computationally indistinguishable from fake public keys when the private key is not available. The private key forms a poly-sized witness of decipherability or indecipherability, whichever may be the case. An application of a questionable encryption scheme is a torjan that gathers plaintext from the host, "encrypts" it using the trojan's own public key (which may be real or fake), and then exfiltrates the resulting "ciphertext". In this attack it is thoroughly intractable to prove that data theft has occurred. This holds even when all core dumps of the trojan and all the information that it broadcasts is entered into evidence. An analyst that jumps to the conclusion that the trojan "encrypts" data risks being proven wrong by the malware author (e.g., anonymously). When the public key is fake, the attacker gets no plaintext from the trojan. So what's the use? A spoofing attack is possible in which some trojans are released that use real public keys and steal data and some trojans are released that use fake public keys and do not steal data. Many months after the trojans are discovered and analayzed, the attacker anonymously posts the witnesses of non-encryption for the fake public keys. This proves that those trojans never in fact exfiltrated data. This CRYPTOVIROLOGY casts doubt on the true nature of future strains of malware that contain such "public keys", since the keys could be real or fake. This attack implies a fundamental limitation on proving data theft.There are many other attacks in the field of cryptovirology that are not mentioned here. Cryptoviral extortion, which uses public key cryptography, is a denial of resources attack that was introduced in [YY96a]. It is a three-round protocol that is carried out by an attacker against a victim. The attack is carried out via a cryptovirus that uses a hybrid cryptosystem to encrypt host data while deleting or overwriting the original data in the process. The protocol is as follows: (protocol setup phase) An asymmetric key pair is generated by the virus author on a smartcard and the public key is placed within the virus. The private key is designated as "non-exportable" so that even the virus author cannot obtain it's bit representation. Thus, the private key is generated, stored, and used on the smartcard. Ideally, the smartcard will implement two-factor security: something the virus author knows (a PIN number) and something the virus writer has (the smartcard that contains the private key). Also, the card will ideally be immune to differential power analysis, timing attacks, etc. to prevent the virus author from ever learning the bits of the private key. A standards-based approach can be used, e.g., the use of an approved FIPS 140-2 level 2 or higher device (e.g., when it is level 4 the private key will be destroyed if the casing is breached). In the U.S. the virus author cannot be forced to bear witness against himself or herself (Fifth Amendment) and so the PIN can remain confidential. The purpose of this setup phase is to limit the effectiveness of seizing and analyzing the smartcard under subpoena or warrant (competent evidence). 1) (virus author -> victim) The virus author deploys the cryptovirus. At a later time the virus activates on what could be tens or even hundreds of thousands of machines. The remainder of this description will cover the protocol for just one such machine. When the virus activates, it uses a true random bit generator (TRBG) to generate a symmetric key and initialization vector (IV) uniformly at random. It is essential that the TRBG produce truly random bits to prevent the symmetric key and IV from being guessed or otherwise determined by the victim at a later date. The virus then encrypts host data with this random symmetric key and IV (e.g., using cipher-block chaining (CBC) mode). The virus concatenates the IV with the symmetric key and then encrypts the resulting string using the public key of the virus author (e.g., using RSAOAEP). The encrypted plaintext is then held ransom. The virus notifies the victim that the attack has occurred (e.g., via a dialog 3 CE 706 CRYPTOVIROLOGY box on the victim's screen) and states that the asymmetric ciphertext will be needed to restore the data. The virus author states his or her demands in return for the data. The virus author and victim can send asymmetrically encrypted messages to each other via a public bulletin board to try to preserve the attacker's anonymity. Alternatively, digital pseudonyms and mix-networks can be used. This attack is often performed with the aid of URL phissing, which exploits web browser bugs in order to display incorrect URLs in the browsers location bar; or with DNS cache poisoning in order to direct the user away from the legitimate site and to the fake one. Once the user puts in their password, the attack-code reports a password error, then redirects the user back to the legitimate site. 2) (victim -> virus author) If the victim complies by paying the ransom and transmitting the asymmetric ciphertext to the virus author then the virus author decrypts the ciphertext using the private key that only the virus author has access to (the one on his or her smartcard). This reveals the symmetric key and IV that was used in the attack C. Referer spoofing III. Spoofing attack In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage. A. Man-in-the-middle attack and internet protocol spoofing An example from cryptography is the man-in-middle-attack, in which an attacker spoofs Alice into believing the attacker is Bob, and spoofs Bob into believing the attacker is Alice, thus gaining access to all messages in both directions without the trouble of any cryptanalytic effort.The attacker must monitor the packets sent from Alice to Bob and then guess the sequence number of the packets. Then the attacker knocks out Alice with a SYN attack and injects his own packets, claiming to have the address of Alice. Alice's firewall can defend against some spoof attacks when it has been configured with knowledge of all the IP addresses connected to each of its interfaces. It can then detect a spoofed packet if it arrives at an interface that is not known to be connected to the IP address.Many carelessly designed protocols are subject to spoof attacks, including many of those used on the Internet. See internet spoofing attack. B.URL spoofing and phishing Another kind of spoofing is "webpage spoofing," also known as phissing. In this attack, a legitimate web page such as a bank's site is reproduced in "look and feel" on another server under control of the attacker. The main intent is to fool the users into thinking that they are connected to a trusted site, for instance to harvest user names and passwords. Some websites, especially pornographic paysites, allow access to their materials only from certain approved (login-) pages. This is enforced by checking the referer header of the HTTP request. This referrer header however can be changed (known as "Referer spoofing" or "Ref-tar spoofing"), allowing users to gain unauthorized access to the materials. D.Poisoning of file-sharing networks "Spoofing" can also refer to copyright holders placing distorted or unlistenable versions of works on file-sharing networks, to discourage downloading from these sources. E.Caller ID spoofing Main article: caller id spoofing In public telephone networks, it has for a long while been possible to find out who is calling you by looking at the caller ID information that is transmitted with the call. There are technologies that transmit this information on landlines, on cellphones and also withVoIP. Unfortunately, there are now technologies (especially associated with VoIP) that allow callers to lie about their identity, and present false names and numbers, which could of course be used as a tool to defraud or harass. Because there are services and gateways that interconnect VoIP with other public phone networks, these false Caller IDs can be transmitted to any phone on the planet, which makes the whole Caller ID information now next to useless. Due to the distributed geographic nature of the Internet, VoIP calls can be generated in a different country to the receiver, which means that it is very difficult to have a legal framework to control those who would use fake Caller IDs as part of a scam. F. E-mail address spoofing 4 CE 706 CRYPTOVIROLOGY The sender information shown in e-mails(the "From" field) can be spoofed easily. This technique is commonly used by spammers to hide the origin of their e-mails and leads to problems such as misdirected bounces(i.e. e-mail spam backscatter). E-mail address spoofing is done in quite the same way as writing a forged return address using snailmail. As long as the letter fits the protocol, (ie. stamp, postal code) the SMTP protocol will send the message. It can be done using a mail server with telnet. V .Examples of viruses with cryptography While viruses in the wild have used cryptography in the past, the only purpose of such usage of cryptography was to avoid detection by antivirus software. For e.g., the tremor virus used polymorphism as a defensive technique in an attempt to avoid detection by anti-virus software. Though cryptography does assist in such cases to enhance the longevity of a virus, the capabilities of cryptography are not used in the payload. The one-half virus was amongst the first viruses known to have encrypted affected files. However, the one_half virus was not ransomware, that is it did not demand any ransom for decrypting the files that it has encrypted. It also did not use public key cryptography. An example of a virus that informs the owner of the infected machine to pay a ransom is the virus nicknamed Tro_Ransom.A. This virus asks the owner of the infected machine to send $10.99 to a given account through WesternUnion. Virus.Win32.Gpcode.ag is a classic cryptovirus. This virus partially uses a version of 660-bit RSA and encrypts files with many different extensions. It instructs the owner of the machine to email a given mail ID if the owner desires the decryptor. If contacted by email, the user will be asked to pay a certain amount as ransom in return for the decryptor. PGPCoder or GPCode is a trojan that encrypts files on the infected computer and then asks for a fee in order to release these files, a type of behavior dubbed ransomware or cryptography. A.Trojan Once installed on a computer, the trojan creates two registry keys: one to ensure it is run on every system startup, and the Figure.1 example of virus detection second to monitor the progress of the trojan in the infected computer, counting the number of files that have been analyzed by the malicious code. Once it has been run, the trojan embarks on its mission, which is to encrypt, using a digital encryption key, all the files it finds on computer drives with extensions corresponding to those listed in its code. These extensions include .doc, .html, .jpg, .xls, .zip and .rar. The blackmail is completed with the trojan dropping a text file in each directory, with instructions to the victim of what to do. An email address is supplied through which users are supposed to request for their files to be released after paying a ransom of $100-200 to an e-gold account. B. Efforts to combat the trojan While a few Gpcode variants have been successfully implemented, many variants have flaws that allow users to recover data without paying the ransom fee. The first versions of Gpcode used a custom-written encryption routine that was easily broken. Variant Gpcode.ak writes the encrypted file to a new location, and deletes the unencrypted file, and this allows 5 CE 706 CRYPTOVIROLOGY an undeletion utility to recover some of the files. Once some encrypted+unencrypted pairs have been found, this sometimes gives enough information to decrypt other files. Variant Gpcode.am uses symmetric encryption, which made key recovery very easy. Kaspersky Lab has been able to make contact with the author of the program, and verify that they are the real author, but have so far been unable to determine his real world identity. VI.creation of viruses To successfully write a cryptovirus, a thorough knowledge of the various cryptographic primitive such as random number generator, proper recommended cipher text chaining modes etc are necessary. Wrong choices can lead to poor cryptographic strength. So, usage of preexisting routines would be ideal. Microsoft’s Cryptographic API(CAPI), is a possible tool for the same. It has been demonstrated that using just 8 different calls to this API, a cryptovirus can satisfy all its encryption needs.Cryptographic primitives are well-established, lowlevel cryptographic algorithms that are frequently used to build computer security systems. These routines include, but are not limited to, one-way hash function andencryption function. When creating cryptographic system, designers use cryptographic primitives as their most basic building blocks. Because of this, cryptographic primitives are designed to do one very specific task in a highly reliable fashion. They include encryption schemes, hash function and digital signature schemes. Since cryptographic primitives are used as building blocks, they must be very reliable, i.e. perform according to their specification. E.g. if an encryption routine claims to be only breakable with X number of computer operations, then if it can be broken with significantly less than X operations, that cryptographic primitive is said to fail. If a cryptographic primitive is found to fail, almost every protocol that uses it becomes vulnerable. Since creating cryptographic routines is very hard, and testing them to be reliable takes a long time, it is essentially never sensible (nor secure) to design a new cryptographic primitive to suit the needs of a new cryptographic system. The reasons include: The designer might not be competent in the mathematical and practical considerations involved in cryptographic primitives Designing a new cryptographic primitive is very timeconsuming and very error prone, even for those expert in the field Since algorithms in this field are not only required to be designed well, but also need to be tested well by the cryptologist community, even if a cryptographic routine looks good from a design point of view it might still contain errors. Successfully withstanding such scrutiny gives some confidence (in fact, so far, the only confidence) that the algorithm is indeed secure enough to use; security proofs for cryptographic primitives are generally not available. Cryptographic primitives are similar in some ways to programming language. A computer programmer rarely invents a new programming language while writing a new program; instead, he or she will use one of the already established programming languages to program in. Cryptographic primitives are one of the building block of every crypto system, e.g., TLS, SSL, SSH, etc. Crypto system designers, not being in a position to definitively prove their security, must take the primitives they use as secure. Choosing the best primitive available for use in a protocol usually provides the best available security. However, compositional weaknesses are possible in any crypto system and it is the responsibility of the designer(s) to avoid them. Figure.2 digital signature Combining cryptographic primitives:Cryptographic primitives, on their own, are quite limited. They cannot be considered, properly, to be a cryptographic system. For instance, a bare encryption algorithm will provide no authentication mechanism, nor any explicit message integrity checking. Only 6 CE 706 when combined in security protocols, can more than one security requirement be addressed. For example, to transmit a message that is not only encoded but also protected from tinkering (i.e. it is confidencial and integrated-protected), an encoding routine, such as DES, and a hash-routine such as SHA-1 can be used in combination. If the attacker does not know the encryption key, he can not modify the message so that message digest values can't be successfully faked. Combining cryptographic primitives to make a protocol is itself an entire specialization. Most exploitable errors (ie, insecurities in crypto systems) are due not to design errors in the primitives (assuming always that they were chosen with care), but to the way they are used, i.e. bad protocol design and buggy or not careful enough implementation. Mathematical analysis of protocols is, at the time of this writing, not mature. There are some basic properties that can be verified with automated methods, such as BAN LOGIC. There are even methods for full verification (e.g. the SPI calculas) but they are extremely cumbersome and cannot be automated. Protocol design is an art requiring deep knowledge and much practice; even then mistakes are common. An illustrative example, for a real system, can be seen on the openssl vulnerability news page at. VII. Other uses of cryptography enabled malware Apart from cryptoviral extortion, there are other potential uses of cryptoviruses. They are used in deniable password snatching, used with cryptocounters, used with private information retrieval and used in secure communication between different instances of a distributed cryptovirus.The Cryptographic Application Programming Interface (also known variously as CryptoAPI, Microsoft Cryptography API, or simply CAPI) is an application interface programming included with Microsoft Window’s operating system that provides services to enable developers to secure Windows-based applications using cryptography. It is a set of dynamically link library that provides an abstraction layer which isolates programmers from the code used to encrypt the data.CryptoAPI supports both public key and symmatry key cryptography. It includes functionality for encrypting and decrypting data and for authentication using digital certificates. It also includes a cryptographically secure pseudorandom number generator function CryptGenRandom.CryptoAPI works with a number of CSPs (cryptographic’s service provider) installed on the machine. CSPs are the modules that do the actual work of encoding and decoding data by performing the cryptographic CRYPTOVIROLOGY functions.Window vista features an update to the Crypto API known as Cryptography API: Next Generation (CNG). It has better API factoring to allow the same functions to work using a wide range of cryptographic algorithms, and the inclusion of a number of newer algorithms that are part of the National security agency (NSA)suite B. It is also flexible, featuring support for plugging in custom cryptographic APIs into the CNG runtime. CNG works in both user and Kernel mode, and also supports all of the algorithms from the CryptoAPI. The Microsoft provider that implements CNG is housed in Bcrypt.dll.CNG also supports elliptic curve cryptography which is also secure and uses shorter keys than RSA. The CNG API integrates with the smart card subsystem by including a Base Smart Card Cryptographic Service Provider (Base CSP) module which encapsulates the smart card API. Smart card manufacturers just have to make their devices compatible with this, rather than provide a from-scratch solution. VIII.counter measure 1. Permanent and direct memory monitoring is necessary to catch self encrypting,polymorphic cryproviruses. 2. Passwords alone are inherently weak to authenticate to a host or computer system.Two factor authentication, first with the password and the second with a biometric entity such as the users fingerprint, iris scan and so on should be used. 3. Use of up-to-date anti-virus machinery, since cryptoviruses spread the same way as normal viruses does. 4. Access control to cryptographic tools and API’s. It is strongly encouraged to audit cryptographic utilities. This is one of the major issues that are commonly overlooked. This will help the system administrator to identify suspicious cryptographic usage. 5. We note that if strong cryptographic routines and good pseudo random number generators are available, it makes the virus smaller and simpler to code and faster to execute if the code is optimal. Incorporating strong cryptographic tools into the operating systems may increase system security but makes it vulnerable since viruses can make calls to these operation system routines. It is hence essential to monitor the processes invoking the cryptographic routines and try to prevent and log processes that do not have sufficient access privileges to call the crypto toolkit/library. 6. Use of Firewall and Intrusion Detection System to protect single and networked systems. 7.Applying patches as soon as it is made available and watching out for zero day exploits. 7 CE 706 CRYPTOVIROLOGY IX.CONCLUSION Cryptography with virology is a deadly combination.The battle between Virus writers and anti virus vendors is raging hard.The use of cryptography in virology is one such tool used by virus writers to win the battle Anti-virus vendors do not have any answer for such threats as of now and they may come up with remedies.The cycle continues……We have seen that cryptographic tools can be used to create a new class of viruses: crypto viruses REFERENCES [1]. http://wikipedia.org/cryptovirology [2]. www.cryptovirology.com/cryptovfiles/cryptovirologyfaqver 1.html [3]. http://www.google.co.in [4]. www.textbooksrus.com/search/bookdetail/default.aspx?isb n... [5]. http://csl.stanford.edu/ pal/pubs/tinyos-programming.pdf 8