Monday, May 19, 2014

Kovter Ransomware Grows

Ransomware is not new to the malware game but there is one especially dirty player that is surfacing more frequently. Damballa’s threat research team has seen infections related to the Kovter malware double over the past month – up from 7,000 infections to about 15,000 infections. As with many other varieties of Ransomware, the threat operator takes control of your computer and displays a message saying you broke the law. The ‘ransom’ is to pay a fine (typically around $300) to regain normal use of your computer. The warning states you will face severe fines and prison time if you don’t pay the fine before the deadline.
In the US, Kovter uses the prepaid card MoneyPak as the payment method of choice while Ukash and paysafecard are used for victims in other locations. These payment methods give attackers untraceable, readily accessible funds in electronic cash with no red tape.

Thursday, May 8, 2014

Analysis of CryptoLocker

CryptoLocker

Environment: Sandboxie on a Windows XP machine, without internet access.

MD5: 444C339F422420BC317711DAC06F3545



Behavior:

The file was run in Sandboxie.
It drops executable files into the Application Data folder; the dropped file is started, and the original target file's process then terminates.

Run entry created as:

HKEY_USERS\Sandbox_xxxxxxxxxxx_DefaultBox\user\current\software\Microsoft\Windows\CurrentVersion\Run

(this is the Sandboxie-virtualised view of the user's HKCU ...\CurrentVersion\Run key). The value name is cryptoLocker and the data points to the file dropped in Application Data: "C:\Documents and Settings\xxxxxxxxxxx\Application Data\Ctzwwvskobndnvbt.exe".
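A defender-side check for the persistence entry described above, as an added example (not code from the original post): it scores a Run value on the signals this sample shows, a random-looking executable name under the user's Application Data folder, and on Windows can enumerate the live Run keys with winreg. The benign comparison entries, the vowel/consonant thresholds and the two-signal rule are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Run key seen in the sandbox (HKCU view) and per-user data folder names on XP and Vista+.
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
APPDATA_MARKERS = ("\\application data\\", "\\appdata\\roaming\\", "\\appdata\\local\\")

def looks_random(stem: str) -> bool:
    """Generated-name heuristic: long, letters only, few vowels or a long consonant run."""
    s = stem.lower()
    if len(s) < 10 or not s.isalpha():
        return False
    vowel_ratio = sum(c in "aeiou" for c in s) / len(s)
    longest_run = max(map(len, re.findall(r"[b-df-hj-np-tv-z]+", s)), default=0)
    return vowel_ratio < 0.25 or longest_run >= 6

def flag_run_entry(name: str, data: str) -> list:
    """Reasons a Run value resembles a dropper's persistence entry (empty = nothing)."""
    path = data.strip().lstrip('"').split('"')[0]   # strip quotes and any arguments
    reasons = []
    if any(m in path.lower() for m in APPDATA_MARKERS):
        reasons.append("runs from the user's Application Data folder")
    if looks_random(PureWindowsPath(path).stem):
        reasons.append("random-looking executable name")
    if name.lower() == "cryptolocker":
        reasons.append("value name used by this CryptoLocker sample")
    return reasons

def is_suspicious(name: str, data: str) -> bool:
    """Location alone is weak evidence (updaters live in AppData too): need two signals."""
    return len(flag_run_entry(name, data)) >= 2

def scan_live_run_keys() -> list:
    """Walk the HKCU and HKLM Run keys with winreg; returns [] when not on Windows."""
    try:
        import winreg
    except ImportError:
        return []
    hits = []
    for hive_name, hive in (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            key = winreg.OpenKey(hive, RUN_SUBKEY)
        except OSError:                   # key absent or access denied
            continue
        with key:
            for i in range(winreg.QueryInfoKey(key)[1]):   # [1] = number of values
                value_name, value_data, _ = winreg.EnumValue(key, i)
                if is_suspicious(value_name, str(value_data)):
                    hits.append((hive_name, value_name, value_data))
    return hits
```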

Memory strings of the running file:
GetWindowTextLengthW
DestroyWindow
USER32.dll
CryptExportKey
CryptAcquireContextW
CryptSetKeyParam
CryptGetKeyParam
CryptReleaseContext
CryptImportKey
CryptEncrypt
CryptGenKey
CryptDestroyKey
CryptDecrypt
CryptGetHashParam
CryptCreateHash
CryptDestroyHash
CryptHashData
RegCreateKeyExW
RegCloseKey
RegQueryValueExW
RegQueryInfoKeyW
RegDeleteKeyW
RegDeleteValueW
RegEnumValueW
RegOpenKeyExW
RegFlushKey
RegEnumKeyExW
RegSetValueExW


Plenty of crypt-related (CryptoAPI) strings are found in the dropped file.

And some strings relate to contacting the server:
HttpSendRequestExA
HttpQueryInfoA
InternetConnectA
InternetReadFile
InternetWriteFile
HttpOpenRequestA
HttpEndRequestA
HttpAddRequestHeadersA
InternetOpenA
InternetCloseHandle
WININET.dll
GdiplusShutdown
GdipSaveImageToStream
GdipFree
GdipCreateBitmapFromStream

And some more crypt strings:

CryptStringToBinaryA
CryptDecodeObjectEx
CryptImportPublicKeyInfo
CRYPT32.dll
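Import-based capability triage for the string dumps above, as an added example that is not part of the original post: it groups the API names under the DLL line that follows them (the layout seen in this dump), maps them to coarse capabilities, and reports the key-handling plus bulk-encryption plus server-contact combination that the analyst reads off by hand. The sample strings are constructed from the page's lists; the ADVAPI32.dll line and the capability buckets are assumptions.

```python
# Memory-string dump constructed from the API names listed on this page; in such a
# dump each DLL name follows the functions imported from it. ADVAPI32.dll is an
# assumption here: the page's dump breaks off before the DLL line for Crypt*/Reg*.
SAMPLE_STRINGS = "\n".join([
    "DestroyWindow", "USER32.dll",
    "CryptAcquireContextW", "CryptGenKey", "CryptEncrypt", "RegSetValueExW", "ADVAPI32.dll",
    "HttpSendRequestExA", "InternetConnectA", "InternetReadFile", "WININET.dll",
    "CryptImportPublicKeyInfo", "CryptDecodeObjectEx", "CRYPT32.dll"])

# Imports that back each coarse capability; one hit is enough to mark the bucket.
CAPABILITIES = {
    "key handling": {"CryptGenKey", "CryptImportKey", "CryptExportKey", "CryptImportPublicKeyInfo"},
    "bulk encryption": {"CryptEncrypt"},
    "server contact": {"InternetConnectA", "HttpOpenRequestA", "HttpSendRequestExA", "InternetReadFile"},
    "registry write": {"RegCreateKeyExW", "RegSetValueExW"},
}

def parse_import_strings(text: str) -> dict:
    """Group function names under the DLL line (ending in .dll) that follows them."""
    imports, pending = {}, []
    for line in (l.strip() for l in text.splitlines()):
        if line.lower().endswith(".dll"):
            imports.setdefault(line, []).extend(pending)
            pending = []
        elif line.isidentifier():          # plain API name, not a stray string
            pending.append(line)
    return imports

def capabilities(imports: dict) -> set:
    """Capability buckets supported by the imported names, regardless of DLL."""
    names = {f for funcs in imports.values() for f in funcs}
    return {cap for cap, apis in CAPABILITIES.items() if names & apis}

def verdict(caps: set) -> str:
    """Key handling + bulk encryption + server contact together is the pattern of this
    sample; any one of them alone is routine in benign software (browsers, updaters)."""
    core = {"key handling", "bulk encryption", "server contact"}
    return "ransomware-like" if core <= caps else "inconclusive"
```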


More about the encryption, and about MoneyPak, is found in the memory strings: the ransom dialogs are embedded as RTF text, with placeholders such as %AMOUNT_USD% and %BITCOIN_ADDRESS% for the per-victim values.


[Dialog 1, embedded as RTF; rendered here as plain text, with hyperlink targets in brackets]

Your important files encryption produced on this computer: photos, videos, documents, etc. Here [link: viewfiles] is a complete list of encrypted files, and you can personally verify this.

Encryption was produced using a unique public key RSA-2048 [link: http://en.wikipedia.org/wiki/RSA_%28algorithm%29] generated for this computer. To decrypt files you need to obtain the private key.

The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After that, nobody and never will be able to restore files...

To obtain the private key for this computer, which will automatically decrypt files, you need to pay %AMOUNT_USD% USD / %AMOUNT_EUR% EUR / similar amount in another currency.

Click «Next» to select the method of payment.

Any attempt to remove or damage this software will lead to the immediate destruction of the private key by server.

[Dialog 2, RTF: shown when the payment server cannot be reached]

It was not able to find payment receipt server on the Internet. This could happen due to following reasons:

· You are disconnected from the Internet. Check your connection!
· Make sure your current time/date is set properly (used for server search).
· Your ISP has blocked an access to this server. Try to use another ISP, or configure [link: proxysettings] proxy server to bypass this limitation.
· Server is temporarily blocked due to complaints of malware researchers. Keep waiting, this will get back to work soon!

Anyway, do not worry for your files, if you entered payment details correctly, your key will not be destructed until your computer payment status is confirmed.

This message will disappear within 5-10 minutes, after you eliminate the error cause.

[Dialog 3, RTF: MoneyPak payment instructions]

MoneyPak is an easy and convenient way to send money to where you need it. The MoneyPak works as a 'cash top-up card'.

You have to purchase MoneyPak card, load it with $%AMOUNT_USD% and enter the MoneyPak number on the next page.

Where can we purchase a MoneyPak?
MoneyPak can be purchased at thousands of stores nationwide, including major retailers such as Walmart, Walgreens, CVS/pharmacy, Rite Aid, Kmart and Kroger. Click here [link: https://www.moneypak.com/StoreLocator.aspx] to find a store near you.

How do we buy a MoneyPak at the store?
Pick up a MoneyPak from the Prepaid Product Section or Green Dot display and take it to the register. The cashier will collect your cash and load it onto the MoneyPak.

Home Page [link: https://www.moneypak.com/]
MoneyPak Store Locator [link: https://www.moneypak.com/StoreLocator.aspx]

[Dialog 4, RTF: Bitcoin payment instructions]

Bitcoin is a cryptocurrency where the creation and transfer of bitcoins is based on an open-source cryptographic protocol that is independent of any central authority. Bitcoins can be transferred through a computer or smartphone without an intermediate financial institution.

You have to send %AMOUNT_BTC% BTC to Bitcoin address %BITCOIN_ADDRESS% [link: bitcoin:%BITCOIN_ADDRESS%?amount=%AMOUNT_BTC%] and specify the Transaction ID on the next page, which will be verified and confirmed.

Home Page [link: http://bitcoin.org/en/]
Getting started with Bitcoin [link: http://bitcoin.org/en/getting-started]
Two application manifests are embedded as well: the first declares a dependency on Common Controls 6.0 (visual styles for its dialogs), the second requests execution level asInvoker, so the program runs with the user's existing privileges and asks for no elevation.

<?xml version='1.0' encoding='UTF-8' standalone='yes'?><assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'><dependency><dependentAssembly><assemblyIdentity type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='*' publicKeyToken='6595b64144ccf1df' language='*'/></dependentAssembly></dependency></assembly>
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
</requestedPrivileges>
</security>
</trustInfo>



Processes running from the dropped file in Application Data (image name and PID):
Ctzwwvskobndnvbt.exe 2340
Ctzwwvskobndnvbt.exe 2380

Handles of process Ctzwwvskobndnvbt.exe (PID 2380):

Type       Name
Desktop    \Default
Directory  \Windows
Directory  \BaseNamedObjects
Directory  \KnownDlls
Event      \Sandbox\xxxxxxxxxxx\DefaultBox\Session_0\BaseNamedObjects\crypt32LogoffEvent
File       C:\Sandbox\xxxxxxxxxxx\DefaultBox\user\current\Application Data




