In “A Review Report on Cryptovirology and Cryptography”, the authors Abidin, Kumar, and Tiwari give a brief introduction to cryptovirology, the study of how cryptography, traditionally used to defend computers, can be applied to malware. The authors start out by defining a cryptovirus as a virus that “contains and uses a public key”; by this they mean that the virus uses a public key cipher. In short, a public key cipher gives each person a pair of keys: an encryption key, which is published (hence the name public key), and a decryption key, which is kept private. Anyone wanting to send that person an encrypted message encrypts it with the public key, and only the holder of the private key can decrypt it. The consequence for malware is that a virus only needs to carry the attacker's public key; the matching private key never has to be present on the infected machine.
The authors then go through ways in which adding cryptography makes malware much stronger. The first concerns analysis: a common method of analyzing malware (and thus of creating antivirus software against it) is to capture a “frozen” snapshot of the malware in memory and reverse-engineer it. If the malware's code or payload is encrypted, this method yields far less (at least without a great deal of additional effort to break the encryption). It is worth being precise here: a symmetric key that the malware must carry with it can be recovered from such a snapshot, so the real strength comes from public key cryptography, where the only key on the victim machine is the public one and the private key stays with the attacker. Another way cryptography makes malware stronger is that it lets the program establish secure communication channels to receive new information or instructions from its creator.
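To make the point about public key ciphers and analysis concrete, here is an added illustration (my own code, not from the paper or its authors). The attacker generates a key pair off the victim machine; the virus ships only the public key, encrypts data under a fresh session key, wraps that session key to the public key and discards it. An analyst with a complete snapshot of the victim holds the ciphertexts and the public key, and nothing on the machine undoes the encryption. For contrast, a purely symmetric scheme must embed its key in the sample, where a reverse-engineer simply reads it back. Textbook RSA and a SHA-256-based keystream are used so the example runs on the Python standard library alone (3.8+ for `pow(e, -1, phi)`); neither is a production construction, and the sample data is constructed.

```python
import hashlib
import random
import secrets


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    """Random prime with the top bit set, so p*q has the intended size."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 512):
    """Return ((n, e), (n, d)). Textbook RSA, for illustration only;
    the attacker runs this off the victim machine."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Illustrative CTR-style stream: keystream blocks are SHA-256(key || counter)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + (off // 32).to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def cryptovirus_encrypt(plaintext: bytes, attacker_pub):
    """Victim side: only the public key travels with the virus. A fresh
    session key encrypts the data, is wrapped to the public key, and is
    then discarded. Returns everything that remains on the machine."""
    n, e = attacker_pub
    session_key = secrets.token_bytes(32)           # 256 bits, always < n
    ciphertext = stream_xor(session_key, plaintext)
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    del session_key                                 # nothing else persists
    return ciphertext, wrapped


def attacker_recover(ciphertext: bytes, wrapped: int, attacker_priv) -> bytes:
    """Attacker side: the private exponent unwraps the session key."""
    n, d = attacker_priv
    session_key = pow(wrapped, d, n).to_bytes(32, "big")
    return stream_xor(session_key, ciphertext)


def analyst_attempt(ciphertext: bytes, wrapped: int, attacker_pub) -> bytes:
    """What a full memory snapshot gives an analyst: ciphertexts and the
    public key. Misusing e in place of d yields garbage, and there is no
    private key on the machine to try instead."""
    n, e = attacker_pub
    bogus = pow(wrapped, e, n).to_bytes(64, "big")[-32:]
    return stream_xor(bogus, ciphertext)


def symmetric_only_virus(plaintext: bytes):
    """Contrast: a symmetric-only virus must embed its key in the sample,
    so whoever reverse-engineers it (or dumps memory) reads the key back."""
    embedded_key = b"\x01" * 32                     # constant baked into the sample
    return stream_xor(embedded_key, plaintext), embedded_key


# Constructed sample data for the demonstration (not real victim data).
SAMPLE = b"Q3 payroll.xlsx contents (constructed sample data)"

if __name__ == "__main__":
    pub, priv = rsa_keygen()
    ct, wrapped = cryptovirus_encrypt(SAMPLE, pub)
    print("attacker recovers plaintext:", attacker_recover(ct, wrapped, priv) == SAMPLE)
    print("analyst with public key only:", analyst_attempt(ct, wrapped, pub) == SAMPLE)
    sct, leaked_key = symmetric_only_virus(SAMPLE)
    print("analyst with embedded symmetric key:", stream_xor(leaked_key, sct) == SAMPLE)
```

The asymmetry is the whole point: the victim-side function never receives the private key as an argument, so no amount of snapshotting or reverse-engineering of what runs on the victim produces it, whereas the symmetric-only variant hands the analyst its key the moment the sample is decompiled.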
The authors then briefly note that, while these are concerning advantages for malware to have, there are several existing security measures that can be used to prevent cryptoviruses, since they spread the same way as regular viruses. The authors give two references where one can find these measures.
The next section discusses one of the main points of the article: that access to the cryptographic tools/code on a computer should be limited, perhaps to administrators only. This would make sure that viruses cannot simply call pre-written cryptographic tools already installed on the system and use them for malicious purposes. It is also worth noting why this matters: a virus that can use the system's own cryptographic tools can be much smaller, since it does not need to carry the code for those tools itself. Restricting access forces the virus to bring its own implementation.
As just mentioned, the article states that access to cryptographic tools should be limited to administrators. I would like to repeat something I mentioned in my previous post on Kak’s Lecture Notes on Computer Viruses and Worms: on Windows computers, for example, many users run their machine as an administrator all the time, so the solution the authors present here may not help much, at least on personal computers. Restricting access could help on company/organization networks, where the majority of computers have restricted rights/privileges (with the tech department usually being the only ones with full administrator access).
The final section gives a brief mention of a “tool to combat the cryptovirologic super worm” that the authors envision: an automated, response-enabled Intrusion Detection System (IDS) (note that this is still being developed). The authors describe it as a detection system that will “quickly generate signatures of unknown attacks and communicate them to their peers before the worm” spreads to their computers as well. This would allow information about new malware to spread quickly across a network and possibly prevent that malware from infecting some of the machines on it (depending on how fast the malware travels compared to how fast the IDS can generate and distribute the signature of the attack).
One of the major assumptions this article makes is that the reader is already familiar with cryptography and its applications to computer security and to defending against malware. That assumption is essential, since the reader must know how cryptography works to understand why it can make malware so much stronger than it already is. The second major assumption is that the reader is already familiar with some basics of malware, though the article does explain some of them (such as basic properties of viruses and reverse engineering) in terms of cryptoviruses.