Int. J. Inf. Secur. (2006) 5(2): 67–76
DOI 10.1007/s10207-006-0082-7

SPECIAL ISSUE PAPER

Adam L. Young

Cryptoviral extortion using Microsoft's Crypto API
Can Crypto APIs help the enemy?

Published online: 8 March 2006
© Springer-Verlag 2006

Abstract This paper presents the experimental results that were obtained by implementing the payload of a cryptovirus on the Microsoft Windows platform. The attack is based entirely on the Microsoft Cryptographic API, and the needed API calls are covered in detail. More specifically, it is shown that by using eight types of API calls and 72 lines of C code, the payload can hybrid encrypt sensitive data and hold it hostage. Benchmarks are also given. A novel countermeasure against cryptoviral extortion attacks is shown that forces the API caller to demonstrate that an authorized party can recover the asymmetrically encrypted data.

Keywords Cryptovirus · Public key cryptography · Hybrid encryption · Cryptographic API · RSA

1 Introduction

Today, computer viruses, Trojan horses, and worms are very much alive in modern computing machinery. This makes it critical for the computing community to have a thorough understanding of malicious software and related countermeasures. A cryptoviral extortion attack is a significant form of threat against modern computer systems. It is a denial of resources attack in which data that the victim has legitimate access to is rendered inaccessible to the victim. In short, the cryptovirus hybrid encrypts the victim's data and holds it for ransom. Analysis of the virus reveals the public key, not the needed private decryption key. To be effective, the attack relies on the nonexistence of backups for mission critical information on the host system. So, likely victims include real-time systems and users that do not carefully archive data. The need for asymmetric cryptography to securely carry out this type of denial of resource attack is well-known [17].

In this paper the feasibility of applying cryptography to carry out extortion is investigated. An experimental implementation of the payload portion of such an attack is described. The present work expands upon previous work [16] by covering the history of malware that maliciously encrypts host data and by providing benchmarks of the running time of the experimental virus payload. It is hoped that this deeper investigation will further illuminate the relative difficulty of implementing cryptoviral extortion on...

A. L. Young (B)
23 Dudley Court, Sterling, VA 20165, USA
E-mail: [email protected]
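The countermeasure named in the abstract (the API caller must demonstrate that an authorized party can recover the asymmetrically encrypted data) is given there only in outline; the following added example is not the paper's code and does not claim to reproduce its mechanism, but shows one assumed way a gated key-wrapping call could enforce that property: the caller gets a session key wrapped under a public key of its choosing only after presenting the same key wrapped under a locally held recovery key, which the gate verifies by decrypting. The names WrapSessionKey, WrapForRecovery and recoveryKey are hypothetical, and the recovery key pair is generated in-process solely to keep the example self-contained.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// newKey generates a 2048-bit RSA key; generation failure is fatal in this demo.
func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// recoveryKey stands in for the authorized party's key pair (assumed: a local recovery authority), generated in-process only to keep the demo self-contained.
var (
	recoveryKey       = newKey()
	ErrNotRecoverable = errors.New("session key not recoverable by the authorized party")
)

// WrapForRecovery builds the escrow wrapping an honest caller presents: RSA-OAEP under the recovery public key.
func WrapForRecovery(sessionKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, &recoveryKey.PublicKey, sessionKey, nil)
}

// WrapSessionKey models the gated asymmetric-encryption call: it wraps sessionKey under the caller-chosen
// public key only if escrowWrap decrypts, under the recovery private key, to that same session key.
func WrapSessionKey(sessionKey []byte, callerPub *rsa.PublicKey, escrowWrap []byte) ([]byte, error) {
	recovered, err := rsa.DecryptOAEP(sha256.New(), nil, recoveryKey, escrowWrap, nil)
	if err != nil || !bytes.Equal(recovered, sessionKey) {
		return nil, ErrNotRecoverable
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, callerPub, sessionKey, nil)
}

func main() {
	outsideKey := newKey() // its public half could belong to anyone; only the private half unwraps the result
	sessionKey := []byte("constructed-32-byte-session-key!") // constructed sample, not a real key
	good, _ := WrapForRecovery(sessionKey)
	bad, _ := WrapForRecovery([]byte("some-other-32-byte-session-key!!")) // escrow of a different key
	_, errGood := WrapSessionKey(sessionKey, &outsideKey.PublicKey, good)
	_, errBad := WrapSessionKey(sessionKey, &outsideKey.PublicKey, bad)
	fmt.Println("valid escrow:", errGood, "| mismatched escrow:", errBad) // <nil> | ErrNotRecoverable
}
```

A caller that cannot produce a matching escrow wrapping, because it holds only an outside public key, is refused the wrapped session key, which is the recoverability guarantee the abstract's countermeasure asks for.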