30.09.2015 © www.bitdefender.com 1
It’s a file infector… It’s ransomware… It’s VIRLOCK
Vlad Craciun, Mihail Andronic, Andrei Nacu
Overview
• Ransomwares and file infectors
• Introducing Virlock
• Reversing Virlock
• Statistics
• Conclusions
Background
• Most malware on today's market combines all sorts of mechanisms to collect or damage user data, or to deploy other kinds of malware
• Virlock = Ransomware + File infector
• Damaged files and no PC access?
Ransomwares and file infectors
• Ransomwares
• Purpose
• Get money by blocking data or account access
• Behavior
• File-lockers
• Screen-lockers
Ransomwares and file infectors
• Screen locker – ICEPOL
Ransomwares and file infectors
• File locker – A custom one, similar to Cryptowall
Ransomwares and file infectors
• Both file and screen locker - ACCDFISA
Ransomwares and file infectors
• File infectors
• Purpose
• Delivery and persistence of malware
• Behavior
• Alters the legit file by adding the malware payload
Ransomwares and file infectors
• A simple file infector: Pioneer
Ransomwares and file infectors
• A more complex one: Sality
Introducing Virlock
• Virlock – hybrid money hunter
• How?
  – Using ransomware screen-locking features
  – Using a well-designed infection mechanism
Introducing Virlock
• Screen locking feature similar to ACCDFISA, ICEPOL, etc.
Introducing Virlock
File infection techniques
• Make files harder to recover
• Increases chances to persist and spread
Reversing Virlock
o Malware installation
o Account password brute-force
o Infected files
o Anti-analysis tricks
o Polymorphic engine
o Different malware versions
o Tricking users
Malware installation
• Setting up the execution environment
Malware installation
• Executing a fresh infected file
Malware installation
• Getting to the embedded clean file
Account password brute-force
• The malware tries a dictionary-style brute-force attack against account passwords in an attempt to gain administrative privileges
• After that it creates its own account
Account password brute-force
• A couple of tried passwords
1qaz@WSX 12345678 changeme P@ssword Password! Passw0rd 1q2w3e4r Password01
Passw0rd p@ssw0rd Pa$$w0rd Abc123 Qwerty Master Password1 welcome
orig_Administrator operator123 N0th1n9 1q2w3e4r5t6y7u8i abcd12345 Administrator Q1w2e3r4 q1w2e3r4t5
Password P@ssw0rd Password1 12345 123456789 1234 123456 Admin
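A detection sketch for the behaviour on this slide, added here as an example and not code from the talk or from Bitdefender: it scans constructed Windows Security log lines for a burst of failed logons (event 4625) against one account followed shortly by a new user account (event 4720), the brute-force-then-create-account sequence described above. The log line format, hosts, account names and timestamps are constructed; only the two event IDs are real Windows values.

```python
"""Detection sketch added here (not code from the Bitdefender talk): flag a
dictionary brute-force against a local account followed by creation of a new
account. Event IDs 4625 (failed logon) and 4720 (user account created) are the
real Windows Security IDs; line format, hosts, accounts, times are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: "<iso timestamp> <event id> host=<host> target=<account>"
SAMPLE_LOG = """\
2015-09-30T10:00:01 4625 host=WS01 target=Administrator
2015-09-30T10:00:02 4625 host=WS01 target=Administrator
2015-09-30T10:00:02 4625 host=WS01 target=Administrator
2015-09-30T10:00:03 4625 host=WS01 target=Administrator
2015-09-30T10:00:03 4625 host=WS01 target=Administrator
2015-09-30T10:00:05 4624 host=WS01 target=Administrator
2015-09-30T10:00:06 4720 host=WS01 target=svc_upd
2015-09-30T11:30:00 4625 host=WS02 target=alice
2015-09-30T11:45:00 4720 host=WS02 target=bob
"""

FAIL_THRESHOLD = 5                    # failed logons against one account ...
FAIL_WINDOW = timedelta(seconds=60)   # ... inside this window count as a burst
CREATE_WINDOW = timedelta(minutes=5)  # account creation this soon after a burst

def parse(line):
    """Split one constructed log line into (timestamp, event id, host, target)."""
    ts, eid, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return datetime.fromisoformat(ts), int(eid), fields["host"], fields["target"]

def detect_bruteforce_then_account(log_text):
    """Return [(host, bruteforced_account, new_account)] per suspicious sequence.
    Lines are assumed to be in time order, as exported security logs are."""
    fails = defaultdict(list)   # (host, target) -> recent 4625 timestamps
    bursts = {}                 # host -> (account, time the threshold was hit)
    alerts = []
    for ts, eid, host, target in (parse(l) for l in log_text.splitlines() if l.strip()):
        if eid == 4625:
            recent = [t for t in fails[(host, target)] if ts - t <= FAIL_WINDOW]
            recent.append(ts)
            fails[(host, target)] = recent
            if len(recent) >= FAIL_THRESHOLD:
                bursts[host] = (target, ts)
        elif eid == 4720 and host in bursts:
            account, burst_ts = bursts[host]
            if ts - burst_ts <= CREATE_WINDOW:
                alerts.append((host, account, target))
    return alerts
```

On the sample above only WS01 is reported; the single failure on WS02 followed by an account creation stays below the threshold, which is the kind of noise a real log contains.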
Infected files
• Clean files are embedded inside the malware
• The path to the clean file is obfuscated
• Similar to Sality
Anti-analysis tricks
• Detecting the debugger presence
Anti-analysis tricks
• Anti-emulation tricks
Anti-analysis tricks
• Decrypt → Execute → Re-encrypt
Polymorphic engine
• Basic reshape technique
Different malware versions
• Template: [hash encrypted code, compare hash]
Different malware versions
• Similar code within 2 different families
Tricking users
• Why do my pictures have an .exe extension?
Statistics
• Spread of Win32.Virlock.Gen.1/3 until September 2015
Statistics
• Infected systems by Win32.Virlock.Gen.1/3 (chart; countries as listed on the slide)
  Virlock.Gen.1: China, Russia, USA, Germany, Iran, Romania, UK, Canada, Vietnam
  Virlock.Gen.3: Canada, UK, USA, Australia, Iran, Romania, Vietnam, Germany
Statistics
• Areas with an increased number of affected files
Country          Gen.1    Gen.2    Gen.3    Gen.4    Gen.5
Canada           17.9%    0.07%    42.6%    0.07%    -
Vietnam           5.6%    -         0.27%   -        0.03%
Iran              6.2%    0.02%     1.9%    0.45%    -
France            2.11%   -        -        0.36%    -
Netherlands       2.04%   -        -        -        -
United Kingdom    1.96%   -         2.22%   -        -
Conclusions
• We face new generations of file infectors
• Most of them include compiler technologies, multi-stage unpacking and anti-analysis tricks to block both static and dynamic analysis
• Virlock is among the first malware families to combine ransomware and file-infection technologies
• All these changes give us a clear picture of even more hybrid malware technologies, working together to persist longer
Questions?