Kaspersky Lab has added more detail on the fiendish 'Onion' (aka 'Critroni') ransom Trojan that uses the Tor anonymity service to hide its command and control (C&C) as well as displaying a level of thoughtfulness about its encryption design that bodes ill for future attacks.
CryptoLocker was bad, but with the program that kicked off the peak of the ransom malware age now largely neutered thanks to police intervention, the criminals have already moved on to the next set of innovations.
As Kaspersky researcher Fedor Sinitsyn explains, recent crypto malware uses a cunning mixture of public key (i.e. asymmetric) RSA encryption to protect the AES (i.e. symmetric) key that is used to scramble each file on a victim's system.
That's already quite a grown-up, if logical, way to attack a user's PC, because it means that even with huge amounts of processing horsepower the symmetric key can't be attacked: anyone attempting this would first have to get hold of the criminal's private key.
Onion could have used RSA or Diffie-Hellman for the public key encryption part of its nastiness, but the criminals behind it decided to showboat a bit and use the more advanced Elliptic Curve Diffie-Hellman (ECDH) instead. The significance of this? Kaspersky's blog on the topic dodges that, but the overriding reason must have something to do with the key efficiency of elliptic curves.
Securing a 128-bit AES key using RSA would ideally require a 3,072-bit key; doing the same using ECDH drops that to 256 bits. Put another way, the same level of security can be reached with fewer cycles. The temptation for anyone exploiting this aspect of ECDH would be, one assumes, to ramp up the key sizes to boost security even further.
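To make the hybrid construction described above concrete, here is an added illustration in Go using only the standard library; it is not Kaspersky's analysis or any sample's code, and the P-256 curve, the SHA-256 key derivation and AES-128-GCM are assumptions chosen for the demonstration (the article does not say which curve, hash or AES mode Onion used). The point it shows is the one the article makes: the machine that does the encrypting only ever holds the recipient's public key and a throw-away ephemeral key, so nothing left on that machine can recompute the per-file AES key; only the holder of the static private key can.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is what ends up stored beside an encrypted file in this
// illustrative scheme: the ephemeral public key, the GCM nonce and the
// ciphertext. The ephemeral private key and the shared secret are not kept.
type Envelope struct {
	EphemeralPub []byte
	Nonce        []byte
	Ciphertext   []byte
}

// deriveFileKey hashes the raw ECDH shared secret into a 128-bit AES key.
// SHA-256 truncated to 16 bytes is an assumption made for this example.
func deriveFileKey(shared []byte) []byte {
	sum := sha256.Sum256(shared)
	return sum[:16]
}

// Seal is the encrypting side. It needs only the recipient's public key:
// a fresh ephemeral P-256 key pair is combined with it via ECDH, and the
// derived AES key protects the plaintext with AES-GCM.
func Seal(recipientPub *ecdh.PublicKey, plaintext []byte) (*Envelope, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(recipientPub)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(deriveFileKey(shared))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	// eph's private half and shared go out of scope here; only the public key is stored.
	return &Envelope{EphemeralPub: eph.PublicKey().Bytes(), Nonce: nonce, Ciphertext: ct}, nil
}

// Open is the decrypting side and requires the recipient's private key to
// recompute the same shared secret from the stored ephemeral public key.
func Open(recipientPriv *ecdh.PrivateKey, env *Envelope) ([]byte, error) {
	ephPub, err := ecdh.P256().NewPublicKey(env.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := recipientPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(deriveFileKey(shared))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// RoundTrip encrypts a constructed sample, checks that the static private
// key recovers it, and checks that an unrelated key pair cannot (GCM
// authentication fails rather than yielding garbage).
func RoundTrip() (recovered string, wrongKeyFails bool, err error) {
	recipient, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return "", false, err
	}
	env, err := Seal(recipient.PublicKey(), []byte("constructed sample file contents"))
	if err != nil {
		return "", false, err
	}
	pt, err := Open(recipient, env)
	if err != nil {
		return "", false, err
	}
	other, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return "", false, err
	}
	_, wrongErr := Open(other, env)
	return string(pt), wrongErr != nil, nil
}

func main() {
	pt, wrongFails, err := RoundTrip()
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %q; wrong key rejected: %v\n", pt, wrongFails)
}
```

The defensive reading is that forensic recovery of the symmetric key from an affected host is not a realistic plan against this design, so the controls that matter are offline backups and early detection of mass file rewriting, not key recovery after the fact.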
Or it could be that the criminals are testing their smarts for a new generation of crypto malware that will up the ante to silly levels far beyond law enforcement. That suggests a wider interest beyond conning consumers and small businesses out of a heap of Bitcoins, the currency demanded by Onion.
To make matters worse, the designers of Onion repeated this ECDH design when encrypting the traffic to and from their server, which is itself hosted inside Tor. Using Tor to cover C&C is not new for botnets, although none of the common ransom Trojans had tried this approach until Onion appeared.
There are pros and cons to this. Tor should in theory slow down the to and fro of traffic, but it also buys some time. Researchers will take a lot longer to trace C&C servers if they are hidden within Tor, and for the criminals that is worth a lot for a business built on milking victims in days and weeks rather than months.