Skip to content

Travails of Cryptovirology


Cryptovirology is known as the younger evil sibling of Cryptography. It is a field devoted to the study of using cryptography for designing powerful malicious software. It was observed that Public-key  Cryptography can be used to break the symmetry between what an antivirus analyst sees: regarding what the virus writer sees. The former only sees a public key whereas the latter sees public key and a corresponding private key. ‘Cryptoviral Extortion’ was the first attack identified in the field of cryptovirology. In this attack, a virus, worm or hybrid encrypts the victim’s files and the user must pay the malware author to receive the needed session key (which is encrypted under the author’s Public key that is contained in the malware) if the user does not have backups and needs the files back.

The field of cryptovirology also encompasses ‘covert attack in which the attacker secretly steals private information such as private keys. An example of the latter type of attack are asymmetric backdoors. An asymmetric backdoor is a backdoor (e.g.. In a cryptosystem) that can be used only by the attacker, even after it is found. This contrasts with the traditional backdoor that is symmetric, that is, anyone that finds it can use it.

Kleptography, a subfield of cryptovirology, is concerned with the study of asymmetric backdoors in key generation algorithms, digital signature algorithms, key exchanges and so on. The term is commonly used to describe the software such as’cryptovirus’. However, the field known as cryptovirology predates the term A ‘questionable encryption scheme’, introduced by Young and Yung, is an attack tool in cryptovirology. In simple terms, a questionable encryption scheme is a public-key cryptosystem. It includes a deliberately bogus yet carefully designed key pair generation algorithm that produces a ‘fake’ public key. The corresponding private key (witness of non-encryption) cannot be used to decipher data ‘encrypted’ using the fake public key.

An application of a questionable encryption scheme is a that gathers plaintext from the host, ‘encrypts’ it using the own public key (which may be real or fake) and then ex-filtrates the resulting ‘ciphertext’. In this attack it is thoroughly intractable to prove that data theft has occurred. This holds even when all core dumps of the and all the information that it broadcasts is entered into evidence. An analyst that jumps to the conclusion that the ‘encrypts’ data risks being proven wrong by the malware author (e.g.. Anonymously).

Using Microsoft’s Cryptographic Application Programming Interface (CryptoAPl), tools can be built to light cryptovirus, If is an APT included with Microsoft Windows operating systems (OSs). It provides services to enable developers to secure Windows-based applications using cryptography, It is a set of dynamically-linked libraries that provides an abstraction layer which isolates programmers from the code used to encrypt the data. CryptoAPl supports both Public-key and symmetric key cryptography. It includes functionality for encrypting and decrypting data and for authentication using digital certificates. It also includes a cryptographically secure pseudorandom number generator function  CryptGenRandom


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: