On practical implementations in cryptovirology and so on

Written by Giulia Biagini
Saturday, 02 June 2007
The following is an interview with Elia Florio, a Symantec Security
Response Engineer, about the interactions between two apparently
disjoint areas: cryptography and virology.
In particular, this work originates from the idea that, in a practical
context, it is valuable to have feedback from the wild instead of being
limited to a theoretical model. It is precisely because of the chaos
present in the security landscape that I thought it useful to show the
points where these two subjects meet, paying particular attention to
their implementations.
I would like to thank Elia Florio for his precious collaboration, and
Andrea Lelli for his help.

Keywords: cryptography, cryptovirology, polymorphic virus, crypto-counters, ransomware
With the evolution of the defence techniques available to modern
computers (antivirus, firewalls and so on), it comes naturally to
think that there has been a parallel development in the intrusion
and anti-detection techniques present in malware. In which way has a
field like cryptography contributed to both these changes? Can you
outline a historical overview?
Cryptography is the art of protecting data and keeping secrets. It is a powerful data defence technique in the digital age; however, it can be used in good ways but also in bad ways. Every person uses crypto applications every day to protect passwords, credit cards and bank transactions. In the same way, computer viruses and hackers employ modern crypto algorithms to hide code, to steal confidential data and to communicate securely without being observed. We usually think of cryptography only in connection with modern Windows viruses, but old MS-DOS viruses first used cryptography a long time ago. Cascade, Flip, Tequila and many old MS-DOS viruses were using encryption methods to obfuscate their code back in the 1980s. Initially, viruses started to use simple static encryption algorithms just to hide text and strings. Next, virus writers moved to variable-key encryption algorithms to obfuscate the whole virus body and to generate different variants by changing the encryption key after each infection. Finally, in the 1990s we observed the rise of polymorphic viruses, a combination of variable-key encryption with code permutation and manipulation techniques. Modern viruses still use similar encryption techniques, but ported to the Windows world.
Lately, beyond the well-known polymorphic viruses, we hear more often
about crypto-viruses. They are a kind of malware which employs
asymmetric-key cryptography for fraudulent purposes; one of their most
famous peculiarities is that of encrypting private data with the public
key contained inside them and demanding a ransom in return for the
matching secret key.
There are a lot of urban legends about the spread of these kinds of prototypes; do you know any reliable information about them? Do they target private or far-reaching (banks etc.) organizations?
Unfortunately, those types of malware are not just a legend. They are in
the wild and they are usually called “ransomware”. Those malicious
programs are special Trojans that, once executed, attempt to encrypt many
important files on the local hard drive and ask for money. It’s a kind
of digital ransom where users’ files are held hostage by the creator
of the Trojan. Here is a brief description of the most common ransomware
observed in the wild recently:
- Trojan.Gpcoder – one of the first ransomware observed. It encrypts several types of files and then asks the user to send an email to a specific address to obtain the decryption tool.
- Trojan.Cryzip – encrypts files by creating a password-protected zip file. The password is hardcoded in the Trojan code.
- Trojan.Skowr – encrypts files and also attempts to change the Administrator password of the machine.
- Trojan.Randsom.A – this Trojan does not encrypt files; instead it displays a message saying that it will delete one file every 30 minutes and will stop only when the user types in a specific unlock code. To obtain the unlock code, users were asked to pay $10,99 to a specific account.
And what about the other theoretical schemes which employ
cryptography? One of the best known is that used in crypto-counters:
counters that the virus can write to but that cannot be read by other
users or processes, only by its author. Are they employed in
practice?
I’m not aware of any practical crypto-counter implementation in recent
viruses. Some viruses may use simple counters to track and eventually
stop the propagation after a specific number of infections, but nothing
as sophisticated as crypto-counters. In the past we’ve seen a
variant of the Sober worm using a crypto-algorithm to generate
pseudo-random URLs from which the next version of the worm would be
downloaded. The algorithm was able to generate URLs based on the
date, and this trick challenged AV researchers to track the exact
site where the next variant of Sober would be released. In this example
only the author was able to pre-calculate the URL for any date, and he
knew exactly where and when the next variant should be
released.
One of the problems characteristic of practical implementations in
cryptology is the trade-off between efficiency and speed. In
viruses that use cryptography this relation seems to me absolutely
decisive; in which way can it be resolved? What are the most frequent
algorithms?
Simple mathematical operators (e.g. XOR, ADD/SUB, ROL/ROR),
substitution and permutation ciphers are probably the most used
functions for encryption by common malware. However, we have recently
also seen samples using common algorithms like ROT13, RC4, TEA, DES and also
RSA.
For example, Trojan.Linkoptimizer gained some popularity because every single text string included in the body was encrypted with RC4, each using a different 8-bit key.
What are the future developments expected in the interactions between the cryptology and virology fields?
It’s difficult to make exact predictions, since the computer world is
always in rapid evolution. I think we will see Backdoor threats
increasing their use of asymmetric cryptography, which effectively
helps hackers avoid being caught and keeps the communication channel
safe and secret. There will probably also be developments in banking
Trojan families, which constantly look for new methods to break or
compromise the security layers introduced by the banks to protect
online transactions. In addition to this, the spread of 64-bit
platforms and the increase of computational power in the next years will
allow viruses to use more complex encryption algorithms.
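The single-byte RC4 scheme Florio attributes to Trojan.Linkoptimizer illustrates why a tiny key space helps the analyst rather than the author. The following is an added example written for this page, not the Trojan's code and not the interview's: a textbook RC4 plus the exhaustive 256-key search an analyst can run to recover such strings. The sample string and key are constructed for the demonstration.

```python
"""Added example (not part of the interview, not Linkoptimizer's code):
RC4 with a single-byte key, and the brute-force recovery an analyst can
run because an 8-bit key leaves only 256 candidates per string."""


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling (KSA) followed by the keystream generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_text(candidate: bytes) -> bool:
    """Plausibility check: printable ASCII (plus tab, CR, LF) and no other bytes."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in candidate)


def recover_single_byte_rc4(ciphertext: bytes) -> list:
    """Try every 8-bit key; return (key, plaintext) pairs that decode to plausible text.

    For strings of realistic length, random keystream bytes almost never all
    land in the printable range, so normally only the true key survives.
    """
    hits = []
    for k in range(256):
        plain = rc4(bytes([k]), ciphertext)
        if looks_like_text(plain):
            hits.append((k, plain))
    return hits


# Constructed sample key and string (hypothetical values chosen for the demo).
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = b"http://example.invalid/update.php?id="
SAMPLE_CIPHERTEXT = rc4(bytes([SAMPLE_KEY]), SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    for key, text in recover_single_byte_rc4(SAMPLE_CIPHERTEXT):
        print(f"key=0x{key:02x}: {text!r}")
```

The same loop generalises to any string in a sample's body: strip each encrypted blob, run the 256 candidates, and keep the ones that pass the plausibility check.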