Building a Cryptovirus Using Microsoft's Cryptographic API

This paper presents the experimental results that were obtained by implementing the payload of a cryptovirus on the Microsoft Windows platform. A novel countermeasure against cryptoviral extortion is presented that forces the API caller to demonstrate that an authorized party can recover the asymmetrically encrypted data. The attack is based entirely on the Microsoft Cryptographic API and the needed API calls are covered in detail. The exact sequence of API calls that is used for both the viral payload and the code for key generation, decryption, and so on is given. More specifically, it is shown that by using 8 types of API calls and 72 lines of ANSI C code, the payload can hybrid encrypt sensitive data and hold it hostage on the host computer system. These findings demonstrate the ease with which one can apply cryptography to devise the payload of a cryptovirus when a cryptographic API is readily available on host machines.

[1]  Mihir Bellare,et al.  Optimal Asymmetric Encryption , 1994, EUROCRYPT.

[2]  Markus Jakobsson,et al.  A Practical Mix , 1998, EUROCRYPT.

[3]  Kaisa Nyberg,et al.  Advances in Cryptology — EUROCRYPT'98 , 1998 .

[4]  Moti Yung,et al.  Cryptovirology: extortion-based security threats and countermeasures , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[5]  Alfredo De Santis,et al.  Advances in Cryptology — EUROCRYPT'94 , 1994, Lecture Notes in Computer Science.

[6]  David Chaum,et al.  Untraceable electronic mail, return addresses, and digital pseudonyms , 1981, CACM.

[7]  Dan Boneh,et al.  Almost entirely correct mixing with applications to voting , 2002, CCS '02.

[8]  Gene Tsudik,et al.  Mixing E-mail with Babel , 1996, Proceedings of Internet Society Symposium on Network and Distributed Systems Security.

[9]  Michael D. Smith,et al.  How Much Security Is Enough to Stop a Thief?: The Economics of Outsider Theft via Computer Systems and Networks , 2003, Financial Cryptography.

[10]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.