Could cryptography be the next destructive malware payload?
|Malware: Malicious Moneymakers|
Researchers have talked for years about the threat of polymorphic malware that uses encryption to conceal its malicious intent and stealthily replicates itself in undetectable forms.
But what if encryption wasn't just a malware camouflage or propagation mechanism? What if malware writers could apply encryption in a payload to hold data for ransom, extorting victim enterprises?
It's more than theory. Conditions are ripe for a new class of malware: crypto-viruses. These yet-to-be-seen-in-the-wild contagions have the potential to hold critical data hostage, anonymously leaking it to third parties and making it nearly impossible to prove that valuable data was stolen. Malware writers are already using encryption as a means of concealing their creations, and research and proof-of-concept worms have shown that cryptography can be used as a weapon. If you're not prepared, you could lose your data.
The cryptovirology theory is simple: An attacker generates a public/private key pair for the purpose of holding the victim's data ransom. The public key is placed within the virus, and the private key is kept secret by the attacker. The virus queries the host operating system's random number generator for a symmetric key, such as a 128-bit AES key. The virus encrypts the host's data files, possibly including sensitive financial, research or other crucial information. The symmetric key is then encrypted with the virus's public key. In cryptography circles, this process is known as hybrid encryption and is the basis for virtually all e-mail encryption applications.
Next, the virus overwrites the symmetric key in memory and securely deletes all copies of the plaintext, ensuring that none of the compromised host's original files are accessible. The attacker then demands a ransom in exchange for the the private key to decrypt the data held hostage.
While it's relatively trivial to combine the power of cryptography with malware, conditions for exploiting the dangerous combination haven't been favorable until now. An attacker can encrypt data and create backdoors, but still needs a way of extorting his victims without getting caught. Anonymizing services, which form the basis for several e-mail systems, e-voting protocols and private Web-surfing services, provide an extortion mechanism. Also, as we've seen with DDoS extortion threats, phishing schemes and identity theft, the bad guys have created effective money-laundering mechanisms and have started working with organized criminal groups. Incorporating cryptography into these extortion schemes is highly likely. (See "Malicious Moneymakers.")
Likewise, other obfuscation techniques, such as having a cryptovirus post stolen, or encrypted data posted to a public bulletin board, make it much more difficult to trace an attacker. By posting encrypted data to a popular public Web site or newsgroup, anyone can see what's posted, but only the attacker can decrypt the package. Sorting out the actual attacker from the multitude of innocent visitors would be difficult. Disgruntled insiders, malicious social activists and cyberterrorists could use cryptovirology to destroy a company or operation.
Probable Crypto Attacks
Research conducted by Adam Young, a senior managing consultant at LEGC, and Moti Yung, a senior researcher at Columbia University, has identified myriad probable attack scenarios using malicious cryptography. Though plausible, none have yet been reported outside lab environments. The following are a sampling of possible cryptovirology attack scenarios:
Deniable Password Snatching. This attack combines public-key cryptography with a password-stealing Trojan. After grabbing passwords from a victim machine through keystroke logging, sniffing and/or cracking, the Trojan asymmetrically encrypts the recovered login/ password pairs using the attacker's public key. Only the attacker can decrypt the passwords with his private key. The Trojan writes a file with the encrypted passwords to all removable and writable media (such as USB hard drives, hundreds of users' home directories and networked machines), and possibly even sends the encrypted password file to hundreds or thousands of e-mail addresses, Web sites and newsgroups.
This attack maintains tight control over the stolen passwords, giving only the attacker access to them. It also diffuses culpability by giving the encrypted password file to anyone and anything that comes in contact with the compromised host, making the identification of an attacker extremely difficult.
Private Information Retrieval. This attack stealthily searches a victim's databases and servers for specific pieces of information, and steals them without revealing what the malware was searching for (the tag string) or what was stolen (the sensitive data). It's relatively easy to design code that scans a database for a specific data set, such as a person's name, and then use that string to find a corresponding piece of information, like the person's salary. To conceal the malicious activity, the attacker can use a crypto algorithm to cloak the database search. The malware then encrypts the stolen data, making it impossible to tell what was taken even if the enterprise intercepts the malware. The attacker is then free to use his private key to decrypt the pilfered data.
Questionable Encryption. This technique is designed to cast doubt on whether an attack has occurred. The attacker allows the victims to watch the asymmetrically encrypted data get transmitted to multiple sites and copied to tens of thousands of machines. After a certain period of time, the attacker anonymously reveals a bogus private key that has nothing to do with the encrypted data. The victim enterprise then uses this fake key to decrypt the data into bogus plaintext messages, which are intended to make the enterprise believe that the attacker was merely bluffing and didn't steal anything. Yet, with the proper private key, the attacker would still have access to all of the data.
There are numerous other possible variations of these attacks, some that open enterprises to extortion, others that leak sensitive information and a few that are designed to break down the integrity of victim systems.
While plausible, pulling off these attacks isn't trivial. To leverage public keys and other encryption schemes as malicious tools, the attacker needs in-depth knowledge of the implementation of public/private keys and nearly flawless code to ensure reliable execution. This is perhaps one of the reasons why no such attacks have been witnessed (or at least reported) in the wild. Still, with solid, open-source crypto packages available for download, malware employing these capabilities is very likely in the near future.
Planning for the Inevitable
Should a virus pierce your enterprise's defenses and launch its cryptographic payload, there's little you can do to recover. Factoring 1024-bit RSA keys or cracking 128-bit or larger AES keys is nearly impossible, so breaking the encryption isn't a likely option (see "Time to Decrypt").
Working in enterprises' favor is the carelessness and poor craftsmanship of malware writers, especially when working with cryptography. Such mistakes are common in malware, including the most prolific and destructive samples. Sasser, Blaster and Nimda are among the many malware outbreaks blunted by their own shoddily written code. Merging cryptography and malicious code requires a high degree of knowledge, planning and skill. Malware creators have rarely demonstrated these abilities.
A common example of a malware writer's cryptographic mistake is the 1994 One-half virus, which used a rudimentary crypto scheme to encrypt all data on floppy disks and hard drives in infected machines. The One-half creator made the mistake of leaving the symmetric encryption key in the code, allowing AV software to decrypt the data and remove the virus.
Another thing boding well for enterprises is that cryptovirology is just a payload; it remains dependent upon the same transport mechanisms we face today--viruses, worms and Trojans. Conventional AV signature scanners and heuristics will still be able to detect malware based on its signatures, propagation mechanisms and social-engineering techniques. Heuristics are also fairly effective at identifying suspect encrypted code based on its unusual behavior on the system.
Enterprises should incorporate the cryptovirology threat into their virus contingency and disaster recovery planning. Conducting regular data backups and holding redundant data storage facilities will minimize the impact of a cryptovirology infection. Maintaining a copy of vital data on a separate, protected backup means enterprises won't have to succumb to an extortionist's demands. Of course, this doesn't mitigate the threat of an attacker disclosing data to third parties, but redundant storage systems will help maintain normal business operations.
If you find yourself a victim of a cryptovirological attack, you should have a contact plan in place. This would include knowing whom--such as senior management, law enforcement and your ISP--and when to notify if an attack is discovered. Many of these potential crypto attacks will likely rely on public newsgroups and related channels for communicating and storing pilfered data. You may not be able to recover your data, but you may be able to prevent it from being leaked by working with ISPs to shut down malicious sites.
When will such attacks happen? It's hard to say. But as the success rate of DDoS extortion schemes continues to climb, it's likely that the bad guys will look for stealthier, more efficient means to conduct such attacks. Cryptovirology will be an attractive weapon in their arsenals.