Malware, Encryption, and Rerandomization – Everything Is Under Attack

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10311)


A malware author constructing malware wishes to infect a specific location in the network. The author will then infect n initial nodes with n different variations of his malicious code. The malware continues to infect subsequent nodes in the network by making similar copies of itself. An analyst defending M nodes in the network observes N infected nodes with some malware and wants to know if any sample is targeting any of his nodes. To reduce his work, the analyst need only look at unique malware samples. We show that by encrypting the malware payload and using rerandomization to replicate malware, we can make the N observed malware samples distinct and increase the analyst’s work factor substantially.


Malicious cryptography; Environmental keys; Rerandomization; Provable security



We would like to thank Adam Young for helpful discussions and comments. We would also like to thank the anonymous reviewers for helpful comments.


Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. Department of Mathematical Sciences, NTNU – Norwegian University of Science and Technology, Trondheim, Norway
