This article can also be found in the Premium Editorial Download "Information Security magazine: What are botnets and how can you prepare for them?."


Planning for the Inevitable
Should a virus pierce your enterprise's defenses and launch its cryptographic payload, there's little you can do to recover the data directly. Factoring a 1024-bit RSA modulus or brute-forcing a 128-bit or larger AES key is infeasible, so breaking the encryption isn't a realistic option (see "Time to Decrypt").

Working in enterprises' favor is the carelessness and poor craftsmanship of malware writers, especially when working with cryptography. Such mistakes are common in malware, including the most prolific and destructive samples. Sasser, Blaster and Nimda are among the many malware outbreaks blunted by their own shoddily written code. Merging cryptography and malicious code requires a high degree of knowledge, planning and skill. Malware creators have rarely demonstrated these abilities.

A classic example of a malware writer's cryptographic mistake is the 1994 One-half virus, which used a simple XOR scheme with a fixed key to encrypt the hard disk a few cylinders at a time, decrypting them on the fly while it stayed resident so the victim noticed nothing until the virus was gone. The One-half creator made the mistake of leaving the symmetric key in the virus body itself, so AV software could read the key out of the sample, decrypt the disk and then remove the virus.
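The following is an added example, not code from the article and not One-half's real code. It uses a toy stand-in for a One-half-style encryptor (repeating-key XOR with the key carried in the payload) to show the two ways such a scheme falls: the key can be read straight out of the sample, and, because the key is short and reused, it can also be recovered from a file whose first bytes are predictable. The key value, the payload layout, the "KEY:" tag and the sample sectors are all constructed assumptions for illustration.

```python
"""Added example (not from the article, not One-half's real code): why a
symmetric key left inside the payload defeats the extortion scheme. The
encryptor is a toy stand-in for a One-half-style disk encryptor that XORs
data with a fixed key carried in the payload itself. The key value, the
payload layout and the sample sectors are all constructed for illustration."""
import itertools

# Constructed: in a real sample the key is simply a constant in the virus body.
EMBEDDED_KEY = bytes.fromhex("5a3c9e17")

# Constructed "virus body" image: some code bytes, a tag, the key, more code bytes.
# (A real sample has no convenient tag; the offset comes from disassembly.)
PAYLOAD_IMAGE = b"\xb8\x00\x13\xcd\x10" + b"KEY:" + EMBEDDED_KEY + b"\xcd\x13\xc3"


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call decrypts."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def extract_key_from_payload(image: bytes, tag: bytes = b"KEY:", key_len: int = 4) -> bytes:
    """Mistake 1: the key is in the code, so anyone holding the sample reads it out."""
    start = image.index(tag) + len(tag)
    return image[start:start + key_len]


def recover_key_known_plaintext(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Mistake 2: a short repeating key also falls to known plaintext, even
    without the sample. Any file whose first key_len bytes are predictable
    (here a batch file starting with '@ECHO OFF') yields the key directly."""
    if len(known_prefix) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of ciphertext and known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix[:key_len]))


def recover_disk(encrypted_sectors, key):
    """What a disinfector must do before removing the virus: decrypt first,
    because deleting the payload alone would leave the data unreadable."""
    return [xor_encrypt(s, key) for s in encrypted_sectors]


def demo():
    # Constructed victim data: a batch file and a text file, as two "sectors".
    sectors = [b"@ECHO OFF\r\nPATH C:\\DOS\r\n", b"Payroll Q1 1994\r\n"]
    encrypted = [xor_encrypt(s, EMBEDDED_KEY) for s in sectors]

    key_from_code = extract_key_from_payload(PAYLOAD_IMAGE)
    key_from_kpa = recover_key_known_plaintext(encrypted[0], b"@ECHO OFF", len(EMBEDDED_KEY))
    assert key_from_code == key_from_kpa == EMBEDDED_KEY

    # Neither trick works if the payload carries only the attacker's public key
    # and a per-victim symmetric key encrypted to it: that is the cryptovirology
    # model the article warns about, and it leaves nothing in the code to extract.
    return recover_disk(encrypted, key_from_code) == sectors


if __name__ == "__main__":
    print("recovered:", demo())
```

The known-plaintext path is the one that matters for a defender who has the encrypted disk but not a clean sample: a boot sector, a DOS executable header or a batch file gives enough predictable bytes to peel off a short repeating key.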

Also working in enterprises' favor is that cryptovirology is just a payload; it remains dependent on the same transport mechanisms we face today: viruses, worms and Trojans. Conventional AV signature scanners and heuristics will still detect the carrier by its code signatures, propagation mechanisms and social-engineering lures. Heuristics are also fairly effective at spotting a cryptographic payload by its unusual behavior on the system, such as a process rewriting large numbers of files as unreadable data.
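As an added example (not code from the article), here is a behavioral heuristic of the kind the paragraph describes: it watches file-write events and flags a process that turns many readable files into high-entropy blobs within a short window, which is what a cryptographic payload does and an ordinary application rarely does. The event format, the paths, the entropy thresholds, the window and the alert count are all constructed assumptions to be tuned per environment.

```python
"""Added example, not from the article: a behavioural heuristic for a
cryptovirological payload. It flags a process that replaces low-entropy file
content with same-sized high-entropy content many times in a short window.
The events, paths, thresholds and window are constructed assumptions."""
import math
import random
from collections import Counter, defaultdict

HIGH_ENTROPY = 7.2      # assumption: bits/byte above which content reads as ciphertext
LOW_ENTROPY = 6.0       # assumption: below this, treat previous content as plain data
WINDOW_SECONDS = 10.0   # assumption: how long a burst of rewrites is counted
FLIPS_TO_ALERT = 5      # assumption: rewrites in the window before alerting


def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_encryption_like(before: bytes, after: bytes) -> bool:
    """Per-file signal: plain data replaced by high-entropy data of about the
    same size. Compressors and installers trigger this too, so it is evidence,
    not proof; the rate check in find_suspect_processes does the real work."""
    return (shannon_entropy(before) < LOW_ENTROPY
            and shannon_entropy(after) >= HIGH_ENTROPY
            and abs(len(after) - len(before)) <= max(64, len(before) // 8))


def find_suspect_processes(events):
    """events: iterable of (timestamp, pid, path, before_bytes, after_bytes).
    Returns {pid: timestamp_of_first_alert} for every pid that produced
    FLIPS_TO_ALERT encryption-like writes inside WINDOW_SECONDS."""
    flips = defaultdict(list)
    alerts = {}
    for ts, pid, path, before, after in sorted(events, key=lambda e: e[0]):
        if pid in alerts or not is_encryption_like(before, after):
            continue
        window = [t for t in flips[pid] if ts - t <= WINDOW_SECONDS] + [ts]
        flips[pid] = window
        if len(window) >= FLIPS_TO_ALERT:
            alerts[pid] = ts
    return alerts


# --- constructed sample data, not a real capture ---------------------------
_rng = random.Random(2005)


def _plain(i):
    return (f"Quarterly report {i}\r\nRevenue, cost, margin\r\n" * 40).encode()


def _cipher_like(n):
    return bytes(_rng.getrandbits(8) for _ in range(n))


def sample_events():
    ev = []
    # pid 4242: an encryptor rewriting eight documents in about three seconds
    for i in range(8):
        p = _plain(i)
        ev.append((100.0 + i * 0.4, 4242, f"C:\\DOCS\\q{i}.txt", p, _cipher_like(len(p))))
    # pid 7: a word processor saving an ordinary edit; the file stays text
    ev.append((101.0, 7, "C:\\DOCS\\memo.txt", _plain(99), _plain(100)))
    # pid 9: an archiver producing same-sized high-entropy output, but one file
    # a minute: each write looks like encryption, the rate does not
    for i in range(6):
        p = _plain(i)
        ev.append((200.0 + i * 60.0, 9, f"C:\\BACKUP\\q{i}.dat", p, _cipher_like(len(p))))
    return ev


if __name__ == "__main__":
    for pid, ts in find_suspect_processes(sample_events()).items():
        print(f"ALERT pid={pid} first seen at t={ts}")
```

The design choice worth noting is that neither signal is used alone: entropy by itself misfires on archives and media, and a write-rate count by itself misfires on builds and backups. Requiring both, on the same process, within a short window, is what keeps the false-positive rate tolerable.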

Enterprises should incorporate the cryptovirology threat into their virus contingency and disaster recovery planning. Regular data backups and redundant storage will minimize the impact of a cryptovirology infection. Keeping a copy of vital data on a separate, protected backup (one the infected hosts cannot write to, and one you have actually tested restoring from) means enterprises won't have to succumb to an extortionist's demands. Of course, this doesn't mitigate the threat of an attacker disclosing data to third parties, but redundant storage will help maintain normal business operations.

If you find yourself a victim of a cryptovirological attack, you should have a contact plan in place. This means knowing whom to notify (senior management, law enforcement and your ISP, for instance) and when, as soon as an attack is discovered. Many of these potential crypto attacks will likely rely on public newsgroups and related channels for communicating and storing pilfered data. You may not be able to recover your data, but you may be able to prevent it from being leaked by working with ISPs to shut down the malicious sites.

When will such attacks happen? It's hard to say. But as the success rate of DDoS extortion schemes continues to climb, it's likely that the bad guys will look for stealthier, more efficient means to conduct such attacks. Cryptovirology will be an attractive weapon in their arsenals.

This was first published in March 2005
