-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm working on an open source project using Crypto++; the project will be supported on both LINUX and WINDOWS. The concept behind my project is to improve the quality of future Anti Virus and Intrusion Detection products by testing our current state of detection mechanisms such as heuristics, emulation, signatures and reverse code engineering against malicious software samples using cryptology to evade detection. My product is in its very beginning stages and I have a lot of work to do, but progress has been made and the theoretical is possible.

I believe in our current state we are not prepared for Cryptovirology. I am currently not aware of any AV vendors who support any true methods of detecting cryptographic malware. I envision a future where Anti Virus companies will need to start thinking of new ways to detect malware using cryptography and how to protect customers. There are plenty of AV vendors dominating the market with great heuristics and advanced methods of taking snapshots of memory and spotting malicious behavior through emulation and debugging. Sure, once the file has decrypted itself in memory or on disk, but what if the file has not been defined? How do you define encrypted/self-decrypting files as being malicious in the first place? If the file is obfuscated, encrypted and signed with a stub binary, for instance, handling the decryption, verification and execution, do you flag the stub at the EOF or do you flag the signature of the sample (say, for instance, the malware binary was signed using a public key)? I think the first step is to prove AV software, in its current state, is no challenge against cryptography or even detecting a valid RSA key with a bit length of 1024, 2048, 4096 embedded inside, say, the .rsrc section of an EXE.

However, if vendors start thinking of methods for verification of encrypted files and then design a method to implement a concept to detect stubs containing functions that verify, decrypt, unpack and execute payload, we may have a defense against it. I also believe vendors need to "define" these viruses, trojans, worms, bots, rootkits, malicious BHOs, spyware, adware, shellcode etc. that are using cryptology with something that identifies them as being encrypted in the first place. A file named infected.exe, for instance, could be defined as variant foo.rsa.xyz or foo.aes.rsa.signed.xyz variant. I don't think it's ethical for anti virus to not disclose to its customers that a file may possibly contain cryptographic functions which could be considered harmful to their machine; the fact is, having a file like foo.rsa.xyz containing high grade crypto could actually be a violation of export outside of the United States of America. Sure, one might argue that they didn't have any idea variant foo.rsa.xyz contained crypto that under certain laws requires an export license before exporting it outside of the US, but are there laws protecting the unknowing victim from this?

I have many questions, but the ones that concern me the most are related to the failure in our current detection techniques in regards to cryptographic malware. We have a hard enough time as it is defeating anti-debugging tricks, compression from various packers, code obfuscation, etc. I will summarize my statements with this: will we wait until it's too late? What will they do when PGP for rootkits is released? It's time these vendors who we put our trust in start working on the issue. Thank you to all who have taken the time to read this and to all who respond.
Thanks, Wei, for Crypto++. I hope to do something useful with your library.

Regards,
Dillon Beresford
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkl4jF8ACgkQRnxC5lZRuuFqqACbBtBNWhZSJwisOsJgL+uVaDxy
yrsAn1KagFVEwlgWBW3B+IbNeQ8/GYx6
=XA6w
-----END PGP SIGNATURE-----
Attachment: 0x5651BAE1.asc (application/pgp-keys)
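The post asks whether a scanner can even recognise an RSA public key of 1024, 2048 or 4096 bits embedded in, say, the .rsrc section of an EXE. As an added example (not code from the poster, from Crypto++ or from any AV product), here is a small pure-Python detector that walks an arbitrary byte blob and reports DER-encoded RSA public keys, either as a bare RSAPublicKey structure or wrapped in a SubjectPublicKeyInfo with the rsaEncryption OID. The sample blob is constructed inline with a seeded generator: the filler bytes are random and the two embedded "keys" are made-up odd integers of the right size, not real RSA keys. All function names are my own.

```python
"""Scan a byte blob (e.g. a PE .rsrc section) for embedded DER-encoded RSA public keys."""
import random

RSA_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)
PLAUSIBLE_BITS = (1024, 2048, 3072, 4096)       # modulus sizes worth reporting

# --- DER encoding helpers, used only to build the constructed sample blob ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, value):
    return bytes([tag]) + der_len(len(value)) + value

def der_integer(i):
    body = i.to_bytes((i.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body  # leading zero keeps the INTEGER positive
    return der_tlv(0x02, body)

def rsa_public_key_der(n, e):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    return der_tlv(0x30, der_integer(n) + der_integer(e))

def spki_der(n, e):
    """SubjectPublicKeyInfo wrapping an RSAPublicKey in a BIT STRING."""
    alg = der_tlv(0x30, der_tlv(0x06, RSA_OID) + der_tlv(0x05, b""))
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + rsa_public_key_der(n, e)))

# --- DER decoding and detection ---
def read_tlv(buf, off):
    """Return (tag, value, end_offset) for the TLV at off, or None if malformed."""
    if off + 2 > len(buf):
        return None
    tag, first = buf[off], buf[off + 1]
    pos = off + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            return None
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        return None
    return tag, buf[pos:pos + length], pos + length

def parse_rsa_public_key(buf, off):
    """Parse a bare RSAPublicKey at off; reject anything that does not look like one."""
    outer = read_tlv(buf, off)
    if outer is None or outer[0] != 0x30:
        return None
    seq = outer[1]
    n_tlv = read_tlv(seq, 0)
    if n_tlv is None or n_tlv[0] != 0x02:
        return None
    e_tlv = read_tlv(seq, n_tlv[2])
    if e_tlv is None or e_tlv[0] != 0x02 or e_tlv[2] != len(seq):
        return None  # exactly two INTEGERs, nothing trailing
    n = int.from_bytes(n_tlv[1], "big")
    e = int.from_bytes(e_tlv[1], "big")
    # Plausibility: odd modulus of a common size, small odd public exponent.
    if n % 2 == 0 or n.bit_length() not in PLAUSIBLE_BITS:
        return None
    if e % 2 == 0 or not (3 <= e < 1 << 64):
        return None
    return {"bits": n.bit_length(), "exponent": e}

def parse_spki(buf, off):
    """Parse a SubjectPublicKeyInfo at off and return the RSA key it carries, if any."""
    outer = read_tlv(buf, off)
    if outer is None or outer[0] != 0x30:
        return None
    seq = outer[1]
    alg = read_tlv(seq, 0)
    if alg is None or alg[0] != 0x30:
        return None
    oid = read_tlv(alg[1], 0)
    if oid is None or oid[0] != 0x06 or oid[1] != RSA_OID:
        return None
    bits = read_tlv(seq, alg[2])
    if bits is None or bits[0] != 0x03 or not bits[1] or bits[1][0] != 0:
        return None  # BIT STRING with zero unused bits
    return parse_rsa_public_key(bits[1], 1)

def scan_for_rsa_keys(blob):
    """Return a list of {offset, format, bits, exponent} for each key-like structure found."""
    findings, off = [], 0
    while off < len(blob):
        if blob[off] == 0x30:  # every candidate starts with a SEQUENCE tag
            key, fmt = parse_spki(blob, off), "SubjectPublicKeyInfo"
            if key is None:
                key, fmt = parse_rsa_public_key(blob, off), "RSAPublicKey"
            if key is not None:
                findings.append({"offset": off, "format": fmt, **key})
                off = read_tlv(blob, off)[2]  # skip past the matched structure
                continue
        off += 1
    return findings

def build_sample_blob():
    """Constructed test data: random filler with two fake keys embedded (not real RSA moduli)."""
    rng = random.Random(2009)
    n2048 = rng.getrandbits(2048) | (1 << 2047) | 1
    n1024 = rng.getrandbits(1024) | (1 << 1023) | 1
    filler = lambda k: bytes(rng.getrandbits(8) for _ in range(k))
    return (filler(300) + spki_der(n2048, 65537)
            + filler(200) + rsa_public_key_der(n1024, 3) + filler(150))

if __name__ == "__main__":
    for finding in scan_for_rsa_keys(build_sample_blob()):
        print(finding)
```

Run as a script it reports a 2048-bit SubjectPublicKeyInfo at offset 300 and a bare 1024-bit RSAPublicKey at offset 794 of the constructed blob. Two caveats matter in practice: the scan only recognises the standard DER layout, so a key stored as a raw big-endian integer or lightly obfuscated needs other heuristics (entropy, known constants, behavioural checks on the code that consumes it); and an embedded public key is a triage signal, not a verdict, since legitimate signed installers and TLS-using software carry keys too.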
