Malware, Encryption, and Rerandomization – Everything Is Under Attack
A malware author constructing malware wishes to infect a specific location in the network. The author will then infect n initial nodes with n different variations of his malicious code. The malware continues to infect subsequent nodes in the network by making similar copies of itself. An analyst defending M nodes in the network observes N infected nodes with some malware and wants to know if any sample is targeting any of his nodes. To reduce his work, the analyst need only look at unique malware samples. We show that by encrypting the malware payload and using rerandomization to replicate malware, we can make the N observed malware samples distinct and increase the analyst’s work factor substantially.
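The abstract's argument, as an added example that is not code from the paper: a toy ElGamal scheme in the order-q subgroup of a safe prime, where each new copy of the encrypted payload is rerandomized by multiplying in a fresh encryption of 1, using only the public key, so the N observed samples hash to N distinct fingerprints while every one of them still decrypts to the same payload. It assumes the paper's scheme is ElGamal-like; the function names, the toy modulus size and the sample payload are constructed for illustration.

```python
import hashlib
import secrets

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):  # Miller-Rabin; deterministic for n < 3.3e24 with these bases
    if n < 2 or any(n % b == 0 for b in BASES):
        return n in BASES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        if not any((x := x * x % n) == n - 1 for _ in range(r - 1)):
            return False
    return True

def safe_prime(start):  # smallest p = 2q+1 with q and p prime and q >= start
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime(1 << 62)  # toy ~63-bit modulus (constructed): far too small for real use
G = 4                       # a square mod P, so it generates the order-Q subgroup

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def encrypt(pk, m):
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), m * pow(pk, r, P) % P

def rerandomize(pk, ct):  # multiply by a fresh encryption of 1: public key only
    s = secrets.randbelow(Q - 1) + 1
    return ct[0] * pow(G, s, P) % P, ct[1] * pow(pk, s, P) % P

def decrypt(sk, ct):
    return ct[1] * pow(ct[0], Q - sk, P) % P

def observed_samples(pk, payload, n):  # n infections grown from one encrypted payload
    samples, ct = [], encrypt(pk, payload)
    for _ in range(n):
        samples.append(ct)
        ct = rerandomize(pk, ct)
    return samples

def unique_count(samples):  # the analyst's hash-based "unique samples" filter
    return len({hashlib.sha256(b"%d,%d" % c).hexdigest() for c in samples})
```

Because every copy hashes differently, deduplicating on sample bytes counts each of the N infections as new; the analyst has to deduplicate on what the sample decrypts to or does at runtime, not on its ciphertext.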
Keywords: Malicious cryptography, Environmental keys, Rerandomization, Provable security
We would like to thank Adam Young for helpful discussions and comments. We would also like to thank the anonymous reviewers for helpful comments.