CRYPTOVIROLOGY

Outline
• Introduction to CryptoVirology
• CryptoVirological Attacks and Scenarios
• Latest Events
  → GPcode
  → Conficker
• Countermeasures
• Conclusion

Introduction
• Nature of Cryptography – Purportedly Defensive: Wait n watch!
• CryptoVirology - This highly defensive solution to protect information has a Twist in the way it has been used since its origin – Use Cryptography in building High Sustainability Viruses.
• Defined as the study of the applications of cryptography to computer viruses.

H-SS Virus
• Based on Biological Organisms - Derivation of H-S concept.
• An Approximation: At least create an effect such that the infected host becomes dependent on the Virus itself!
• How it all started
  → Monomorphic Viruses – Antiquated
  → Polymorphic Viruses – In response to anti virus scanners based on search strings. Field called Viral Polymorphism
  → Survivable Virus – Based on the approximation.

We are the champions.. We've been there and yes we use CRYPTO!!
• One-Half Virus – Manages private key within, damage can be undone.
• LZR Virus – Controls reads and writes to disk using unknown system calls.
• AIDS Information Trojan – Encrypts hard drive after 90 reboots, Exact cipher still unknown.
• KOH Virus – Used to encrypt host system in background – Uses IDEA cryptosystem and is sold commercially.
• CryZip – Archive set of files and makes it password protected.
• MayArchive – Same as above

Attacking Methodology of a Crypto-Virological Attack
• Setup a reversible DOS attack -- ask for Ransom in return for private key.
• Disclosure -- A problem for the attacker here!
• There exists a solution, and this one would make the attacker stronger and the attacks deadlier!
• Use Hybrid Cryptosystems.

Attack Scenarios
• Theft: Used for stealing information from a remote machine!
• Information Extortion Attack (espionage and information warfare) while maintaining integrity of the data being extorted!
  → User could try to cheat the attacker too, but with a very low probability.
  → BIG THREAT TO ELECTRONIC MONEY – Search for E-money and encrypt it.

Lethal Attack Scenarios – Exploiting the Distributed Environment
• Secret Sharing Virus – Virus itself manages the Private Key – Key Splitter.
• Dynamically Distributed Virus – Dynasties and Hierarchies of Viral generations sharing Cryptographic information using the Famous All or Nothing Concept!!

Secret Sharing Virus
• Virus manages the private key (instead of author) – Could be subject to user analysis.
• Approach
  → Consider the host to consist of the entire network
  → Use distributed environment to hide the key in virus
• Cannot store entire key in single node, User of that node could retrieve the key.
• Exploits the access controls between network nodes as nodes don't have access to each others data. Split Private Key amongst m nodes in a network, m>1

Secret Sharing Virus
• ElGamal Encryption Scheme!
• Encryption
  • Each virus publishes its yi anonymously over a public channel (bulletin board)
  • Each virus then reads public channel and computes:
    → Encryption Key = Y = y1 * y2 * … * ym (mod p)
• Decryption
  → Each virus reveals their secret xi
  → Decryption key = X = x1 + x2 + … + xm (mod p – 1)
• Need to notify host to avoid deletion of single virus

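Why the combined key pair is consistent, as an added note that is not from the original slides. It assumes the standard ElGamal relation yi = g^xi (mod p) for a generator g, which the slides do not state:

  Y = y1 * y2 * … * ym = g^x1 * g^x2 * … * g^xm = g^(x1 + x2 + … + xm) = g^X (mod p)

Exponents of g can be reduced mod p – 1 (Fermat's little theorem), which is why X is summed mod p – 1 while Y is multiplied mod p. Because X is the sum of all m shares, a single missing xi leaves X undetermined, so removing or wiping one infected node before its share is captured makes the data unrecoverable for every node.
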
• Exploit user's trust over each other. Instead of distributing the key amongst a network of computers in close proximity, spread it globally to a set N. Each virus programmed to infect exactly two other nodes.
• After publishing yi's, each virus could compute y, and produce Children – L and R!
• Children of a node p are sent randomly chosen from the set N-{p}.
• Attack L – not sure, flips a coin, R – not given original xi's by their parents.

• Each victim then needs m-1 xi's in order to get the information back. Yi's were disclosed anonymously so victims have no idea which of the other n-1 nodes contain the xi's needed.
• Some users may be untrustworthy, may give out bogus xi's or maybe competitors – crux is not everyone will get their information back!
• Once resident, the L and R viral generation starts generating new xi's and calculates the corresponding new yi's. – But what about the original M victims?
• A new generation is born again..and again..and the cycle continues!!

LATEST EVENTS
• Gpcode
• Conficker

GPCODE

• Asks for a fee to decrypt the files.
• Virus spreads through e-mail.

We are writing to you regarding the resume you have posted on the job.ru website. I have a vacancy that is suitable for you. ADC Marketing LTD (UK) is opening an office in Moscow and I am searching for appropriate candidates. I will soon be asking you to come in for an interview at a mutually convenient time. If you are interested in my offer, please fill out the attached form related to compensation issues and email the results to me.
Sincerely,
Viktor Pavlov
HR manager

How Gpcode spreads..
• email has an MS word .doc file called anketa.doc attached. (Anketa is the Russian for application form)
• File contains a malicious program called Trojan-Dropper.MSWord.Tored.a.
• On opening the file, a malicious macro installs another Trojan - Trojan-Downloader.Win32.Small.crb - on the victim machine.
• This Trojan then downloads Gpcode from [skip].msk.ru/services.txt and installs it to the victim machine.

GPcode
• scans all accessible directories and encrypts files with certain extensions such as .txt, .xls, .rar, .doc, .html, .pdf etc.
• also encrypts mail client databases.
• Gpcode and the other trojans self destruct.
• Leave behind a file in each directory which has an encrypted file with README.txt
    Some files are coded by RSA method.
    To buy decoder mail: k47674@mail.ru
    with subject: REPLY
• WaterLilles.jpg — original file
• WaterLilles.jpg._CRYPT — encrypted file

Virus payload
• Generate a random RC4 machine key KM
• For every file f :
  • Generate random file nonce Nf
  • Derive an RC4 file key Kf from Nf and KM
  • Encrypt the file using Kf and prepend Nf to the ciphertext – Delete original file
• Encrypt KM under an embedded 1024-bit RSA public key and write it to _READ_ME_!.txt
• Forget KM
• All in 8030 bytes.
• Uses Windows CryptoAPI.

Cryptanalysis
• Initially 56-bit RSA key was used.
• 660-bit key was cracked by Kaspersky Labs.
  → The technique used was never published (trade secret!)
• Now, Gpcode uses 1024-bit.
• GPCODE.AK CRYPTOGRAPHIC CHALLENGE
  → Kaspersky Lab has issued a call for Cryptanalysis.
  → Published the public keys and the RSA exponent.

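An added example, not from the original slides: a triage pass over a file tree that uses the two artefacts named above, the ._CRYPT suffix and the ransom-note file names, to list affected directories and any originals that were not deleted. The function names and the sample tree are constructed for the demonstration.

```python
import os
from collections import Counter

ENC_SUFFIX = "._CRYPT"                          # suffix shown on the slides
NOTE_NAMES = {"README.txt", "_READ_ME_!.txt"}   # ransom-note names on the slides


def triage(root):
    """Map each directory holding encrypted files to what was found in it."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        names = set(files)
        encrypted = sorted(n for n in names if n.endswith(ENC_SUFFIX))
        if not encrypted:
            # README.txt is a common name, so notes only count beside encrypted files.
            continue
        originals = [n[:-len(ENC_SUFFIX)] for n in encrypted]
        report[os.path.relpath(dirpath, root)] = {
            "encrypted": encrypted,
            "notes": sorted(names & NOTE_NAMES),
            # The payload deletes the plaintext; a surviving original needs no decryption.
            "originals_present": [n for n in originals if n in names],
            # Which file types were hit, by original extension.
            "by_extension": dict(Counter(os.path.splitext(n)[1].lower()
                                         for n in originals)),
        }
    return report


def build_sample_tree(root):
    """Create a small constructed tree (not real incident data)."""
    layout = {
        "docs": ["report.doc._CRYPT", "budget.xls._CRYPT", "budget.xls", "README.txt"],
        "pics": ["WaterLilles.jpg._CRYPT", "_READ_ME_!.txt"],
        "clean": ["notes.txt", "README.txt"],
    }
    for sub, files in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for name in files:
            with open(os.path.join(root, sub, name), "wb") as fh:
                fh.write(b"constructed sample")
```

Run `build_sample_tree()` on an empty scratch directory and pass the same path to `triage()`; on a real host, run `triage()` against a read-only mount or forensic copy.
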
GPCODE.AK CRYPTOGRAPHIC CHALLENGE CONTROVERSIES
• There's some debate over whether people should bother cracking it
  → How do we know the attacker won't change the key before we're done?
  → these 1024-bit RSA public keys may actually be copies of someone else's public keys.
• they could be copies of a root signing key of a prominent certificate authority!!!!

CONFICKER

$$$$$$$$$$$$$$$$$$$$
• Microsoft is offering a $250,000 reward for information leading to the arrest and conviction of the individuals behind the creation and/or distribution of Conficker!!!!!

TIMELINE
• Win32/Conficker.A - November 21, 2008.
• Win32/Conficker.B - December 29, 2008.
• Win32/Conficker.C - February 20, 2009.
• Win32/Conficker.D - March 4, 2009.
• Win32/Conficker.E - April 8, 2009.

Initial Infection
• Variants A, B, C and E exploit a vulnerability in the Server Service on Windows computers
• In the source computer, the worm runs an HTTP server on a port between 1024 and 10000
• The target shellcode connects back to this HTTP server to download a copy of the worm in DLL form, which it then attaches to a running service.

Payload Propagation
• Variant A generates a list of 250 domain names every day across five TLDs.
• Variant B increases the number of TLDs to eight
  → has a generator tweaked to produce domain names disjoint from those of A.
• Variant D generates a daily pool of 50000 domains across 110 TLDs, from which it randomly chooses 500 to attempt for that day.
• Variant C creates a named pipe, over which it can push URLs for downloadable payloads to other infected hosts on a local area network.
• Variants D and E create an ad-hoc peer-to-peer network to push and pull payloads over the wider Internet.

• variant A payloads are first SHA1-hashed and RC4-encrypted with the 512-bit hash as a key.
• The hash is then RSA-signed with a 1024-bit private key.
• Variant C uses MD6 for hashing the payload.
  → To increase the RSA key to 4096 bits!!

• Conficker implements its own random number generator.
• Selectively chooses between its own function generate_random() and system rand() function.
• A top-level domain (TLD) suffix chosen randomly between .com, .net, .org, .info, and .biz is then appended to the domain name.
• Conficker B includes additional TLD suffixes (.ws, .cn, .cc).

Random Number Generation
• Subroutine : query_search_engines_set_time()
• The first block uses rand()
  → one of six search engines (w3.org, ask.com, msn.com, yahoo.com, google.com and baidu.com).
  • invokes subroutine get_date_from_url(), which generates an HTTP GET request to obtain the time from the remote web server.
  • used to compute lpsystemtime (number of 100-nanosecond intervals since 1601).
• This is divided by 0x58028e44000 (number of nanoseconds in a week), multiplied by 0x464da5676 and added to 0xb46a7637 (the final two constants are replaced by 0x352c94565 and 0xa3596526 in Conficker B).

Random Number Generation
• generate_random() functions are essentially identical except that A uses a constant value of 0x64236735 in its floating point computation, which is replaced by 0x53125624 in Conficker B.
• As the query returns only the day, month, and year values, repeated queries on the same day would yield the same result.

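A defender-side check built on the rendezvous behaviour above, as an added example that is not from the original slides: a host that fails to resolve many distinct generated names under the TLD suffixes listed for Conficker A and B on one day stands out in resolver logs. The log format, the sample lines and the threshold of 5 are assumptions constructed for the demonstration.

```python
from collections import defaultdict

# TLD suffixes named on the slides for Conficker A, plus the extras listed for B.
TLDS_A = {"com", "net", "org", "info", "biz"}
TLDS_B_EXTRA = {"ws", "cn", "cc"}

# Constructed resolver log, one query per line: "date client qname rcode".
SAMPLE_LOG = """\
2009-01-15 10.0.0.5 kqzvhrw.com NXDOMAIN
2009-01-15 10.0.0.5 pfjxlmd.net NXDOMAIN
2009-01-15 10.0.0.5 wbtgyca.org NXDOMAIN
2009-01-15 10.0.0.5 zrhnqke.info NXDOMAIN
2009-01-15 10.0.0.5 mvdxopl.biz NXDOMAIN
2009-01-15 10.0.0.5 mvdxopl.biz NXDOMAIN
2009-01-15 10.0.0.5 tqcwjsu.ws NXDOMAIN
2009-01-15 10.0.0.9 www.example.com NOERROR
2009-01-15 10.0.0.9 exmaple.com NXDOMAIN
2009-01-16 10.0.0.5 example.org NOERROR
"""


def rendezvous_suspects(log_text, threshold=5, tlds=TLDS_A | TLDS_B_EXTRA):
    """Return {(date, client): distinct failed names} for clients at or above threshold."""
    failed = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        date, client, qname, rcode = parts
        labels = qname.lower().rstrip(".").split(".")
        # Generated names are a single label with a TLD suffix appended;
        # most of a day's list is unregistered, so lookups fail with NXDOMAIN.
        if len(labels) == 2 and labels[1] in tlds and rcode == "NXDOMAIN":
            failed[(date, client)].add(".".join(labels))
    # Count distinct names so that retries of one name do not inflate the score.
    return {key: len(names) for key, names in failed.items()
            if len(names) >= threshold}


if __name__ == "__main__":
    for (date, client), count in rendezvous_suspects(SAMPLE_LOG).items():
        print(f"{date} {client}: {count} distinct failed rendezvous-style lookups")
```
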
• Conficker probes the daily set of Internet rendezvous points for a new Windows executable file to download and execute.
• Binary updating service is similar to that of other traditional botnets.
• Both A and B clients incorporate a validation mechanism
  → To ensure that the downloaded binary has been signed by the Conficker authors.

Binary Validation
• Compute a 512-bit hash M of the windows binary
• Binary is then encrypted using the symmetric stream cipher RC4 algorithm with password M.
• Digital signature is computed using an RSA encryption scheme.
  → M^epriv mod N = Sig
• N is a public modulus that is embedded in all Conficker client binaries.
  → Sig is then appended to the encrypted binary, and together they can be pushed to all infected Conficker clients

Binary Validation
• The client recovers M from the signature using N and the public exponent epub, which is embedded in the Conficker client binary.
• M = Sig^epub mod N.
• Client then decrypts the binary using password M, and confirms its integrity by comparing its hash to M
• Hash integrity check succeeds
  → the binary is then stored and executed via Windows shellexec()
  → Otherwise the binary is discarded

Defenses against Conficker
• Efforts are on to stop the worm
  → Conficker cabal
• Conficker C and D downloads daily from any 500 of 50000 pseudorandom domains over 110 TLDs
• Conficker D uses custom protocol to scan for infected peers via UDP, then transfer via TCP
  → ICANN has sought preemptive barring of domain transfers and registrations from all TLD registries affected by the worm's domain generator.
  → Tools available for removal of the virus.

Countermeasures
• Backups
• Anti-virus software : Implement mechanisms to detect viruses immediately after infiltration.
• Access control to cryptographic tools
  → If strong crypto ciphers and random number generators are available to user processes, then they are available to viruses.
• On-line proactive anti-viral measures – theoretic for now.

Conclusion
• Cryptographic tools can be used to create a new class of viruses: Cryptoviruses
• Author need not be aware of underlying cryptography – use available functions
• Gives the virus writer an extortion method
• Better to make attacks publicly known than to wait for attacks to occur