This document discusses creating a cryptovirus for Symfony applications as a proof of concept. It explains how a cryptovirus could work by getting a public key from a hacker server to encrypt data in the infected app, then paying to get the private key to decrypt the data. It covers relevant cryptography concepts like public key cryptography and OpenSSL. It also discusses techniques for hiding the virus from antivirus software like polymorphic code, gzip/base64 encoding, and checking file integrity with hash functions.
4. • Cryptovirology studies how to use cryptography to design malicious software.
• Closely related to ransomware and private information retrieval.
• A fundamental twist in cryptography.
CRYPTOVIROLOGY
6. • This is not a real virus, just a proof of concept.
• I chose Symfony just because it is my favourite framework. The same ideas can be applied to any other PHP framework.
• We assume that the virus is already on the target computer.
• NOT AN EXPERT
7. #1 Get public key from the hacker server
(diagram: App server -> GET public_key -> Hacker server)
OUR CRYPTOVIRUS
9. #3 Use the public key to encrypt data
app[_dev].php
bootstrap.php.cache
Kernel events
Database
User uploads
Logs
…
OUR CRYPTOVIRUS
10. #4 Pay to get the private key to decrypt data
(diagram: App server -> GET private_key -> Hacker server)
OUR CRYPTOVIRUS
11. #3 (b) Intercept user/passwords and save them encrypted
app[_dev].php
bootstrap.php.cache
Kernel events
(screenshot: login form with User and Password fields and a Submit button)
OUR CRYPTOVIRUS
12. #4 (b) Get user/password pairs using a backdoor
(diagram: Hacker server -> GET users -> App server)
OUR CRYPTOVIRUS
14. • Public key (asymmetric) cryptography requires two different keys: a public one and a private one.
• Based on one-way (trapdoor) functions, which are easy to compute in one direction but whose inverse is believed to be hard to compute.
• Most used one-way functions: integer factorization, discrete logarithm and elliptic curves.
PUBLIC KEY CRYPTOGRAPHY
16. p = 115307171677547
q = 190761112638809
n = p * q = 21996124364443030184426121523
Having p and q, calculate n: multiplication, fast.
Having n, calculate p and q: factorization, slow (no known polynomial-time algorithm).
n = 21996124364443030184426121523 = p * q = … = 115307171677547 * 190761112638809
PUBLIC KEY CRYPTOGRAPHY
17. • Open source toolkit for SSL/TLS, as well as a full-strength general purpose cryptography library.
• PHP extension: php-openssl.
OPENSSL
18. $config = array(
    "digest_alg" => "sha512",
    "private_key_bits" => 4096,
    "private_key_type" => OPENSSL_KEYTYPE_RSA,
);
// Create the key pair (private and public key)
$resource = openssl_pkey_new($config);
// Extract the private key as a PEM string
openssl_pkey_export($resource, $privKey);
// Extract the public key from the same resource
$details = openssl_pkey_get_details($resource);
$pubKey = $details["key"];
PHP + OPENSSL
20. $data = "Creating a cryptovirus for Symfony2 apps";
// Encrypt the data with the public key. RSA can only encrypt a message
// shorter than the key size minus the padding overhead (11 bytes with the
// default PKCS#1 v1.5 padding), so this works for short data only.
openssl_public_encrypt($data, $encrypted, $pubKey);
// Decrypt the encrypted data with the private key
openssl_private_decrypt($encrypted, $decrypted, $privKey);
PHP + OPENSSL
23. • kernel.request is dispatched as soon as the request arrives. Listeners can return a Response and "end" the execution.
• kernel.controller is dispatched once the controller has been resolved. Listeners can manipulate the controller callable.
KERNEL EVENTS
24. • kernel.view is dispatched only if the controller does not return a Response object.
• kernel.response allows listeners to modify or replace the Response object after its creation.
KERNEL EVENTS
25. • kernel.exception is dispatched if there is an uncaught exception. Last chance to convert an Exception object into a Response object.
• kernel.terminate is dispatched once the response has been sent. Allows running expensive post-response jobs.
KERNEL EVENTS
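The same kernel.request hook can be used defensively: a listener that checks a critical file against a known-good digest and returns a Response (so execution "ends" before any controller runs) when the file has changed. The following is an added example, not code from the slides or from Symfony itself. It assumes Symfony 2.4-style class names (GetResponseEvent, isMasterRequest), PHP 5.6+ for hash_equals, and that the expected digest is supplied out of band in an INTEGRITY_SHA256 environment variable set at deploy time from a clean build.

```php
<?php
// Added example (not from the slides): kernel.request subscriber that stops
// serving requests when bootstrap.php.cache no longer matches its pinned digest.
// Assumptions: Symfony 2.x class names; expected digest in INTEGRITY_SHA256.

namespace AppBundle\EventListener;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

class IntegrityGuard implements EventSubscriberInterface
{
    private $watchedFile;
    private $expectedDigest;

    public function __construct($kernelRootDir)
    {
        // In Symfony 2 layouts bootstrap.php.cache lives next to the kernel (app/).
        $this->watchedFile = $kernelRootDir . '/bootstrap.php.cache';
        $this->expectedDigest = (string) getenv('INTEGRITY_SHA256');
    }

    public static function getSubscribedEvents()
    {
        // High priority so the check runs before routing, the firewall, etc.
        return array(KernelEvents::REQUEST => array('onKernelRequest', 1024));
    }

    public function onKernelRequest(GetResponseEvent $event)
    {
        // Only check once per HTTP request, and only if a digest was configured.
        if (!$event->isMasterRequest() || $this->expectedDigest === '') {
            return;
        }

        $actual = hash_file('sha256', $this->watchedFile);
        if ($actual === false || !hash_equals($this->expectedDigest, $actual)) {
            // Record the mismatch where the web process cannot edit it (syslog,
            // remote log collector), then refuse to serve the request.
            error_log(sprintf('integrity failure: %s has digest %s',
                $this->watchedFile, var_export($actual, true)));
            $event->setResponse(new Response('Service unavailable', 503));
        }
    }
}
```

Register the class as a service with the `kernel.event_subscriber` tag and `%kernel.root_dir%` as its constructor argument. Note the limit of an in-process check: bootstrap.php.cache is loaded before the kernel boots, so a modified runtime could in principle lie about its own files. This listener shortens the time to detection, but an out-of-process integrity check (cron job, monitoring host) is still needed.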
26. • The bootstrap.php.cache file is created to improve performance, reducing I/O operations and autoload lookups.
• Essentially a concatenated copy of the common classes and interfaces that are always going to be loaded.
BOOTSTRAP FILE
29. • Virus definitions: antivirus software scans files looking for matches. Useful against known malware (if the antivirus is up to date).
• Heuristics allow antivirus software to identify new or modified malware, even without virus definition files. Based on system calls, network packets, kernel events…
ANTIVIRUS
33. • Polymorphic code is code that uses a polymorphic engine to mutate while keeping the original algorithm intact.
• Makes it difficult for antivirus software to recognise the code, as it constantly changes.
• Emulation (sandboxing) may be used by the antivirus to detect it anyway.
POLYMORPHIC CODE
37. • The goal would be to create a polymorphic engine that randomly generates different code in each infection.
• Getting truly random numbers in computers is really difficult, as they can be predictable.
POLYMORPHIC CODE
39. • Computational methods are not considered true random number generators. In practice, they are sufficient for most tasks.
• Physical methods use physical phenomena expected to be random. For example, atmospheric noise (random.org), radioactive decay, radio noise or even coin flips.
RANDOM NUMBERS
42. • Before the infection: general security measures, restrictive file permissions, disabling php-openssl if the app does not need it, disabling allow_url_fopen, read-only code…
• Once the app has been infected, we want to know as soon as possible, by checking its integrity.
PROTECTING US
43. Hash functions create a fixed-length digest from data of arbitrary length.
Easy to compute.
Infeasible to generate a message that has a given hash (preimage resistance).
Infeasible to modify a message without changing the hash (second-preimage resistance).
Infeasible to find two different messages with the same hash (collision resistance).
HASH FUNCTIONS
44. Tiny changes in the source generate (with high probability) big changes in the digest.
HASH FUNCTIONS
45. • md5() is not collision resistant. It is possible to create two files that share the same checksum.
• We can include the checksum of the whole project in the build process and check it regularly.
HASH FUNCTIONS
46. use Symfony\Component\Finder\Finder;
$finder = new Finder();
$finder->in(__DIR__ . '/project')
    ->files()
    ->name('*.php')
    ->sortByName(); // deterministic order; otherwise the project hash is not reproducible between runs
$hashes = '';
foreach ($finder as $file) {
    // include the path so that renamed or swapped files also change the digest
    $hashes .= $file->getRelativePathname() . ':' . sha1($file->getContents()) . "\n";
}
// hash of the whole project
$hash = sha1($hashes);
HASH FUNCTIONS
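A single project-wide hash tells you that something changed, but not what. The following added example (not code from the slides) extends the idea into a per-file manifest: build it once from a clean checkout, store it outside the web root, and verify it regularly to get a list of modified, added and removed files. It assumes the Symfony Finder component is installed through Composer; the project root and manifest path are placeholders.

```php
<?php
// Added example (not from the slides): per-file integrity manifest for a
// project tree. Assumes Symfony Finder via Composer; paths are placeholders.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\Finder\Finder;

/**
 * Map relative path => sha256 digest for every PHP file under $root.
 * Sorted by name so the manifest is reproducible across runs and hosts.
 */
function buildManifest($root)
{
    $finder = (new Finder())->in($root)->files()->name('*.php')->sortByName();
    $manifest = array();
    foreach ($finder as $file) {
        $manifest[$file->getRelativePathname()] = hash_file('sha256', $file->getRealPath());
    }
    return $manifest;
}

/**
 * Compare a freshly computed manifest with the trusted one.
 * Returns lists of modified, added and removed paths; all empty means unchanged.
 */
function verifyManifest(array $trusted, array $current)
{
    $report = array('modified' => array(), 'added' => array(), 'removed' => array());
    foreach ($trusted as $path => $digest) {
        if (!isset($current[$path])) {
            $report['removed'][] = $path;
        } elseif (!hash_equals($digest, $current[$path])) {
            $report['modified'][] = $path;
        }
    }
    foreach (array_keys(array_diff_key($current, $trusted)) as $path) {
        $report['added'][] = $path;
    }
    return $report;
}

// Usage: "php integrity.php build" at deploy time from a clean checkout,
// then "php integrity.php verify" from cron or a monitoring job.
$root = __DIR__ . '/project';                             // placeholder: application root
$manifestFile = '/var/lib/app-integrity/manifest.json';   // placeholder: outside the web root, not writable by the PHP user
$mode = isset($argv[1]) ? $argv[1] : 'verify';

if ($mode === 'build') {
    file_put_contents($manifestFile, json_encode(buildManifest($root), JSON_PRETTY_PRINT));
    exit(0);
}

$trusted = json_decode(file_get_contents($manifestFile), true);
$report = verifyManifest($trusted, buildManifest($root));
$clean = ($report['modified'] === array() && $report['added'] === array() && $report['removed'] === array());
echo $clean ? "OK: project unchanged\n" : json_encode($report, JSON_PRETTY_PRINT) . "\n";
exit($clean ? 0 : 1);
```

The manifest file must not be writable by the account the web server runs as, otherwise an attacker who can rewrite the code can rewrite the manifest too; the non-zero exit status is what a cron job or monitoring system should alert on.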
48. • The PHAR extension provides a way to put entire PHP applications into a single file.
• Equivalent to Java JAR files.
• PHAR files can contain a signature (checksum) of the included files.
PHAR SIGNATURES
49. Layout of a PHAR file:
Stub: usually contains loader functionality, ends with __HALT_COMPILER();
Manifest: describes the contents of the files: filename, size, timestamp, CRC32…
File contents: actual contents of the files
Signature: Phar signature in MD5, SHA1, SHA256 or SHA512
PHAR SIGNATURES
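To see the signature in practice, the following added example (not from the slides) builds a tiny archive with a SHA-256 signature, reads the signature back so it can be pinned in deployment records, and later verifies a shipped archive against the pinned value. The archive contents are constructed placeholders; creating archives requires running with `php -d phar.readonly=0`, since writing PHARs is disabled by default.

```php
<?php
// Added example (not from the slides): build a PHAR with a SHA-256 signature,
// pin the signature, and verify an archive against the pinned value.
// Run with: php -d phar.readonly=0 phar-sign.php

function buildSignedPhar($path)
{
    if (file_exists($path)) {
        unlink($path);
    }
    $phar = new Phar($path);
    $phar->startBuffering();
    // Constructed sample contents standing in for a real application.
    $phar->addFromString('index.php', "<?php echo 'hello from the archive';\n");
    $phar->addFromString('src/Greeter.php', "<?php class Greeter {}\n");
    $phar->setStub(Phar::createDefaultStub('index.php'));
    $phar->setSignatureAlgorithm(Phar::SHA256);
    $phar->stopBuffering();
    // array('hash' => <hex digest>, 'hash_type' => 'SHA-256')
    return $phar->getSignature();
}

function verifyPharSignature($path, $pinnedHash)
{
    try {
        // Opening the archive makes ext/phar check the embedded signature
        // against the manifest and file contents; a corrupted archive throws.
        $phar = new Phar($path);
    } catch (Exception $e) {
        return false;
    }
    $sig = $phar->getSignature();
    // A valid signature only proves internal consistency; comparing with the
    // value recorded at build time proves it is the archive we shipped.
    return $sig !== false && hash_equals($pinnedHash, $sig['hash']);
}

$archive = sys_get_temp_dir() . '/example.phar';
$signature = buildSignedPhar($archive);
printf("built %s with %s signature %s\n", $archive, $signature['hash_type'], $signature['hash']);
// Keep $signature['hash'] with the deployment records; later compare the
// archive on the server against it.
var_dump(verifyPharSignature($archive, $signature['hash']));
```

The embedded signature alone only protects against corruption, because anyone who can rewrite the file can re-sign it with a hash algorithm; pinning the expected digest somewhere the web server cannot write (or using the OpenSSL signature type with a public key file) is what turns it into an integrity check.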