VX Heavens

Understanding the possible extent of the future attacks is the key to successfully protecting against them. Designers of protection mechanisms need to keep in mind the potential ferocity and sophistication of viruses that are just around the corner. That is why we think that the potential destructive capabilities of fast spreading worms like the Warhol worm, Flash worm and Curious Yellow need to be explored to the maximum extent possible. While re-visiting some techniques of viruses from the past, we can come across some that utilize cryptographic tools in their malicious activity. That alarming property, combined with the speed of the so-called "superworms", is explored in the present work. Suggestions for countermeasures and future work are given.

As technology has evolved, more opportunities have become available for virus writers to express their imagination in malicious code. The introduction of cryptography into virus writing has become a necessity in order for virus writers to protect their code against external factors that might reveal its malicious intentions - such as anti-virus programs.

This report presents a new class of techniques which allow either the attack of a computer or to catch the keys of a cryptosystem by using a pair of (or combined) viruses, one of them being hidden by the attacker in ciphertext. These techniques are valid for any operating system and can be effciently implemented in any programming language and for any operating system. In order to avoid detection, the viral infection is very limited and uses polymorphic techniques. Moreover the main virus erases itself after the payload action. The general structure of the two viruses is presented and the problem of protection against such attacks is onally envisaged.

Imagining what the nature of future viral attacks might look like is the key to successfully protecting against them. This paper discusses how cryptography and key management techniques may definitively checkmate antiviral analysis and mechanisms. We present a generic virus, denoted BRADLEY which protects its code with a very secure, ultra-fast symmetric encryption. Since the main drawback of using encryption in that case lies on the existence of the secret key or information about it within the viral code, we show how to bypass this limitation by using suitable key management techniques. Finally, we show that the complexity of the BRADLEY code analysis is at least as high as that of the cryptanalysis of its underlying encryption algorithm.

This paper presents a mechanism for containing the spread of computer viruses by detecting at run-time whether or not an executable has been modified since its installation. The detection strategy uses encryption and is held to be better for virus containment than conventional computer security mechanisms which are based on the incorrect assumption that preventing modification of executables by unauthorized users is sufficient. Although this detection mechanism is most effective when all executables in a system are encrypted, a scheme is presented that shows the usefulness of the encryption approach when this is not the case. The detection approach is also better suited for use in untrusted computer systems. The protection of this mechanism in untrusted computing environments is addressed.

This paper will focus on the history of the use of cryptographic methods in malicious code, most of which consists of extremely basic encryption, permutation and transposition, and information hiding that is reminiscent of the steganography used to hide data from humans - although it is different in that its goal is to evade computers. The technical detail will be minimal, but some familiarity with assembly programming may be helpful in reading the few code examples provided, as well as the discussions of architecture details. Other topics will include detection of polymorphic and metamorphic viruses and some discussion of how cryptographic methods are used to ensure integrity and security of data.

The relationship between cryptography and virus prevention is anything but simple. Since the beginning of the computer virus problem, people have proposed solutions involving some form of cryptography; but cryptography plays only a minor role in the solutions we actually use today. Encryption can also make virus prevention more difficult, by providing viral hiding places inside the objects that it protects. This paper will provide an overview of the ways that encryption technology impinges on virus protection and related security efforts, and provide some understanding of how encryption can help, or hurt, the efforts of the `good guys'.

An old anti-virus (AV) technique that is over looked by most virus writers is X-Ray Detection. X-Ray detection is a simple method for detecting encrypted viruses and works on more than 50% of existing encrypted viruses today. Have you ever wondered why your new polymorphic, entry point obscuring virus is detected by the AV software? The chances are that they have found a X-Ray for your encryption scheme. These methods are called X-Rays because they enable the AV software to see the insides of your virus encryption protection without having to emulate your virus.

Conventional protection methods against software piracy and computer viruses are limited in their effectiveness and timeliness. A cryptographic method, introduced in this paper, can stop the spread of viruses of all kinds, stop software piracy, and can be ideal for organisational purposes. Computer use within an organisation is completely unaffected.

Traditionally, cryptography and its applications are defensive in nature, and provide privacy, authentication, and security to users. In this paper we present the idea of Cryptovirology which employs a twist on cryptography, showing that it can also be used offensively. By being offensive we mean that it can be used to mount extortion based attacks that cause loss of access to information, loss of confidentiality, and information leakage, tasks which cryptography typically prevents. In this paper we analyze potential threats and attacks that rogue use of cryptography can cause when combined with rogue software (viruses, Trojan horses), and demonstrate them experimentally by presenting an implementation of a cryptovirus that we have tested (we took careful precautions in the process to insure that the virus remained contained). Public-key cryptography is essential to the attacks that we demonstrate (which we call "cryptovirological attacks"). We also suggest countermeasures and mechanisms to cope with and prevent such attacks. These attacks have implications on how the use of cryptographic tools should be managed and audited in general purpose computing environments, and imply that access to cryptographic tools should be well controlled. The experimental virus demonstrates how cryptographic packages can be condensed into a small space, which may have independent applications (e.g., cryptographic module design in small mobile devices).