Building a Cryptovirus Using Microsoft’s Cryptographic API

  • Adam L. Young
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3650)


This paper presents the experimental results that were obtained by implementing the payload of a cryptovirus on the Microsoft Windows platform. A novel countermeasure against cryptoviral extortion is presented that forces the API caller to demonstrate that an authorized party can recover the asymmetrically encrypted data. The attack is based entirely on the Microsoft Cryptographic API and the needed API calls are covered in detail. The exact sequence of API calls that is used for both the viral payload and the code for key generation, decryption, and so on is given. More specifically, it is shown that by using 8 types of API calls and 72 lines of ANSI C code, the payload can hybrid encrypt sensitive data and hold it hostage on the host computer system. These findings demonstrate the ease with which one can apply cryptography to devise the payload of a cryptovirus when a cryptographic API is readily available on host machines.


Keywords: Cryptovirus; hybrid encryption; public key cryptography; RSA; symmetric cryptography; MS CAPI; hash function; mix networks





Copyright information

© Springer-Verlag Berlin Heidelberg 2005
