Malicious Cryptography
Hey there guys… !!!
I’m back after a long long time….. Those who know me, know the reason for this outage….. And for those who are new to this site… well.. this is Ne0.
So let me now start with today’s post… As you might have already read in the title: Malicious Cryptography, or Cryptovirology. Ever heard this word before??? Those who are aware of this term will know its concept and how it works. And those who are unaware, read on…

Almost every one of us is aware of cryptography, what it is and how it works. But have you ever wondered whether cryptography can also be used in malicious ways? Traditionally, cryptography is used to stop malicious activity; in this concept, it is used to hide malicious intent.
Before you proceed further, I assume that you are familiar with the basic definitions of malware (viruses, worms, trojan horses…) and antiviral techniques. Let me just recall the following definition of armoured code as a starting point.
An armoured code is a program which contains instructions whose goal is to delay, complicate or forbid its own analysis during either its execution or through its disassembly.
The best known example is probably the Whale virus, which appeared in September 1990. The virus actually represented a very limited risk, but it was obviously intended to make its analysis very difficult. Its code contains roughly a dozen program traps and tricks hampering tracing, disassembly and code analysis: dynamic decryption/encryption, code obfuscation, code nesting… Once activated, the viral code tries to detect the use of a debugger and, if it finds one, freezes the keyboard. Using polymorphism techniques, about 30 different random variants of an infected file were possible. What the Whale virus easily managed to cause was not a terrific epidemic but a waste of anti-virus experts’ time and a nearly three-day delay in eradicating it. Nowadays, the main part of the viral action is completed during the first thirty minutes after the beginning of the infection (a good example is the Slammer worm, which appeared in January 2003); therefore, such a delay in code analysis is not acceptable. That is the reason why armouring techniques must be taken seriously.
Now let me take you a step further to core of this post… 
Combining cryptographic techniques with viral technologies led in 1996 to the concept of “Cryptovirology”. Cryptovirology consists of applying cryptographic tools to malicious code in order to strengthen, improve or develop such code, or, put another way, to develop armoured code.
Not so long ago, virus writers started using cryptography to hide or protect their program’s payload (the “virus”) from being detected by “other malicious software” (anti-virus programs). Some of them even have the capability to remain resident in the system after detection!! Four notable rogue programs have appeared in the wild that seem to reflect the intention of remaining resident after detection. These programs are the One-Half virus, the LZR virus, the AIDS Information Trojan, and the KOH virus.
The One-Half virus operates by encrypting the hard drive starting from the last cylinder and slowly moving forward over time. The One-Half virus uses a symmetric cipher, and stores the secret key within itself. To rid the host of the effect of the virus, the key can be obtained from the virus code, and the damage undone.
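The One-Half case above has a practical consequence for recovery: a key that the code carries with it can be read back out of the code, and once the analyst has the key the encryption can be reversed. The following Python model is an added example, not code from the original post or from any real sample. Everything in it is constructed: the marker bytes, the layout of the hypothetical virus body (marker, 16-byte key, 16-bit count of cylinders encrypted so far), the toy SHA-256 counter-mode keystream standing in for the real cipher (which the post does not name), and the small 8-cylinder disk model. The analyst-side functions `recover_key_and_count` and `repair_disk` are the point: they need nothing but the infected image itself.

```python
import hashlib
import struct

# Constructed layout of the hypothetical virus body: filler code bytes,
# then a marker, a 16-byte symmetric key and a 16-bit little-endian count
# of how many cylinders have been encrypted so far.
MARKER = b"\xde\xad-KEY-"
KEY_LEN = 16
CYL_SIZE = 64  # bytes per "cylinder" in this toy disk model


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (stand-in for the real cipher).
    The cylinder index is mixed in as a nonce so no two cylinders share a stream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = key + nonce.to_bytes(4, "big") + counter.to_bytes(8, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, nonce: int, data: bytes) -> bytes:
    """Encrypt or decrypt one cylinder; XOR with the keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def make_body(key: bytes, encrypted_count: int) -> bytes:
    """Constructed virus body with the key embedded in clear between filler bytes."""
    return (b"\x90" * 32 + MARKER + key
            + struct.pack("<H", encrypted_count) + b"\xcc" * 32)


def simulate_infection(cylinders, key: bytes, rounds: int):
    """Model of the damage: encrypt `rounds` cylinders starting from the last one
    and moving forward, and record the progress in the virus body."""
    cyls = list(cylinders)
    for i in range(rounds):
        idx = len(cyls) - 1 - i
        cyls[idx] = xor_crypt(key, idx, cyls[idx])
    return make_body(key, rounds), cyls


def recover_key_and_count(body: bytes):
    """Analyst side: locate the marker in the code and read the key and counter."""
    pos = body.find(MARKER)
    if pos < 0:
        raise ValueError("marker not found: body layout differs from assumption")
    start = pos + len(MARKER)
    key = body[start:start + KEY_LEN]
    (count,) = struct.unpack("<H", body[start + KEY_LEN:start + KEY_LEN + 2])
    return key, count


def repair_disk(body: bytes, cylinders):
    """Undo the damage using only what the infected image itself carries."""
    key, count = recover_key_and_count(body)
    cyls = list(cylinders)
    for i in range(count):
        idx = len(cyls) - 1 - i
        cyls[idx] = xor_crypt(key, idx, cyls[idx])
    return cyls


if __name__ == "__main__":
    # Constructed disk: 8 cylinders, each filled with a distinct letter.
    disk = [bytes([0x41 + i]) * CYL_SIZE for i in range(8)]
    key = hashlib.sha256(b"constructed-demo-key").digest()[:KEY_LEN]
    body, damaged = simulate_infection(disk, key, rounds=3)
    print("last cylinder altered:", damaged[-1] != disk[-1])
    print("repair restores disk:", repair_disk(body, damaged) == disk)
```

The contrast the post is building towards is visible in `recover_key_and_count`: with a symmetric key stored in the code, the repair tool is a few lines, and nothing the author of the code can do short of keeping the key elsewhere changes that.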
The LZR virus is even closer to an h-s (high-survivability) computer virus. LZR takes control of reads and writes to the hard disk using a relatively unknown system call [DB95]. LZR writes error correction information to the disk, even though error correction is not usually performed by the operating system. As information is written to the disk, the data is followed by error correction data of the virus’s choosing. If the virus is removed, the viral routine will not be called, and the files will be rendered incomprehensible to user programs. The damage caused by LZR can be undone by copying all of the damaged files to floppy disks and then disinfecting the virus with an appropriate antiviral program. This disinfection works because the error correction routine is not invoked when writes are made to floppy disks. Even if this error correction mechanism worked with floppy disks, it would be possible to write an antiviral program that would repair all the data over a period of time.
Though not a virus, the AIDS Information Trojan nonetheless exhibits traits similar to those of an h-s computer virus. It provides information on the user’s risk of contracting AIDS, and at the same time encrypts the user’s hard drive after 90 reboots. The user is then informed that a license fee must be paid in return for the decryption key. This Trojan is one of the first extortion attempts made using rogue programs. Unfortunately, we do not know the exact cipher used by the AIDS Information Trojan. It can be considered a step in the direction of an h-s virus.
The KOH virus is a virus that is used to encrypt the data on a host system. The motivation for the virus is to allow encryption to be performed in the background, so that user intervention is not required. This virus incorporates the IDEA cryptosystem and is sold commercially.
I do hope that you find this post a good read. Your suggestions and inputs are highly appreciated.
Thank you !
N-Joy !!!!
I really enjoy it. The new generation of viruses is really good business, haha.
Thank you