Tag Archives: CryptoWall

Jan 06 2016
Leave a comment
Incident Handling and Hacker Techniques, Intrusion Analysis, Malware Analysis, Security Monitoring

Neutrino Exploit Kit

[First of all Happy New Year to all the readers!
In this summary I would like to briefly describe one component that is part of many parts which form the Internet malware industrial complex. The Exploit Kits (EK’s) which impact users and corporations of all sizes on a daily basis. The article below was possible due to the insights and knowledge received from @Kafeine. ~LR]

The EK’s are powerful and modular weapons that deliver malware in an automated fashion to the endpoint by taking advantage of client side vulnerabilities.

Exploit Kits are not new and have been around at least for the past 10 years or so. Nonetheless, they have evolved and are now more sophisticated than ever. The malware authors behind them enforce sophisticated capabilities that evade detection, thwart analysis and deliver reliable exploits. Basically, by introducing malicious code in a web server an attacker can turn a legitimate web server into a mechanism to deliver malicious code by taking advantaged of client-side vulnerabilities against unpatched browsers and applications. This attack vector is known as watering hole or strategic web compromise when it targets a trustworthy web site. In recent years the Exploit Kits have evolved and became very sophisticated weapons and profitable business for the ones involved. The malware authors continue to develop sophisticated capabilities to prevent detection, analysis and deploy exploits for new vulnerabilities in a very reliable manner.

In the last days I had the chance to look at one recent campaign of drive by download that leverages the Neutrino Exploit Kit to infect systems with CryptoWall. The diagram below illustrates the different components of the Neutrino Exploit Kit and how they work together.

neutrinoframework

 

  • User browses to the compromised web server.
  • Web server contacts the backend infrastructure in order perform various check and to generate malicious java script code. These checks include things like verification of victim IP address and its Geo-location. Furthermore within the malicious JavaScript code there are new domain names and URLs that are generated dynamically by the backend.
  • The browser processes and decodes the malicious JS. In the observed infection the malicious JavaScript checks the browser version and if it matches the desired version, it stores a cookie and processes a HTML iframe tag.
  • The iframe tag triggers the browser to perform a request to another URL which is the Neutrino Exploit Kit landing page.
  • The landing page is hosted in a randomly generated host using DGA which needs to be resolved via DNS. The authoritative domain to answer these domains are owned by the threat actor. The answers received by the DNS server have a time to live (TTL) of a few seconds. The domains are registered on freely available country code top level domains (ccTLD).
  • The victim then lands in the exploit kit landing page which by its turn delivers a small HTML page with an object tag defined in its body. This object tag directs the browser to load Adobe Flash Player and then use it to play the SWF file specified in the URL. In case the victim does not have Adobe Flash player installed, the browser is instructed to download it.
  • The browser as instructed by the object tag, downloads the malicious Flash file.
  • The obfuscated and encrypted SWF file is played by the Flash Player and exploits are triggered based on available vulnerabilities. The Flash file contains exploits for CVE-2013-2551, CVE-2014-6332, CVE-2015-2419 affecting Internet Explorer and CVE-2014-0569, CVE-2015-7645 affecting Adobe Flash.
  • If the exploitation is successful, shellcode is executed and the malware is downloaded and launched. In this case we observed that the malware delivered has been CryptoWall.

The threat actors behind Neutrino are finding vulnerable websites in order to host their malicious JS  content globally in a repeatable and automated fashion. Furthermore, In the last few days Neutrino has been abusing the registration of free domains registered inside the country code top level domains (ccTLD) such as  .top, .pw, .xyz, .ml, .space and others. The different landing pages have been pointing to a server hosted in Germany and in another cases in Netherlands. In another blog post I will go into more details about it.

 

References:
https://www.trustwave.com/Resources/SpiderLabs-Blog/Neutrino-Exploit-Kit-%E2%80%93-One-Flash-File-to-Rule-Them-All/
http://research.zscaler.com/2015/08/neutrino-campaign-leveraging-wordpress.html
http://www.cert.gov.uk/wp-content/uploads/2015/12/Demystifying-the-exploit kit.pdf
http://www.malware-traffic-analysis.net/2015/09/17/index.html
http://malwageddon.blogspot.ch/2015/03/data-obfuscation-now-you-see-me-now-you.html
http://malware.dontneedcoffee.com/2014/11/neutrino-come-back.html

Tagged , , , , , ,
Nov 07 2015
1 Comment
Incident Handling and Hacker Techniques

CryptoWall Strikes Back!

A new variant of Cryptowall ransomware has been observed in recent phishing campaigns by the security community. The image below illustrates one of these emails where the sender falsely states that your domain name is going to be suspended due to abuse policy. This email attempt to lure the recipient into clicking into the link.

cryptowall3

The link points to a compromised web server using a scheme like http://www.site.com/abuse.php?domain.com

When clicking on the link the HTTP answer uses a Content-Disposition field. Using this technique the answer to the PHP request will be a file. Download of content like executables is does not need this field  but in this way the malware authors attempt to camouflage the file in the GET request.

cryptowall

When executed, CryptoWall uses several memory management techniques to inject into benign processes. It starts by making a copy of itself and then invoking a new explorer.exe process which by its turn will invoke a new svchost.exe. These two new processes (see below figure) are valid process initiated using the legitimate system binary but have been injected with malicious code using hollowing technique. Svchost.exe in this case is invoked “-k netsvcs” but the process parent is  not services.exe which should always be the case.

cryptowallprocess

Before the encryption starts,  it will execute three commands that will make recovery of files even more difficult. It starts by deleting all Volume Shadow Copies that exists on the system by running the following command:

  • vssadmin.exe Delete Shadows /All /Quiet

Then runs the following commands in order to disable the Windows Error Recovery during startup:

  • bcdedit /set {default} recoveryenabled No
  • bcdedit /set {default} bootstatuspolicy ignoreallfailures

To achieve persistence, a copy of the malware is placed into a directory named with a random hexadecimal  number under c:\. The Hidden attribute is set to the folder. Inside will store the malicious executable using a an equal filename e.g., c:\826a933e\826a933e.exe. It addition another copy of the malware is placed into the directory %APPDATA%\Roaming. Then it creates a Run key under HKLM or HKCU registry hive (depending on the admin rights) that points to this executable. This will make sure the executable is launched either during boot or during user login.

cryptowallreg

CryptoWall then starts its communications and will determine the victim public IP address and its geo-location using sites like curlmyip.com, myexternalip.com and ip-addr.es. Following that will try to reach out one of the many C&C addresses that are hard-coded into the binary.

The following picture illustrates the messages that are sent over HTTP on TCP port 80.

cryptowallcomms

After the encryption process is finished the user is presented with the ransom messages. For each folder that CryptoWall processes it will leave its ransom note on the following files HELP_YOUR_FILES.HTML, HELP_YOUR_FILES.PNG, HELP_YOUR_FILES.TXT. One example is below.

cryptowall1

If the user follows the ransom note instructions he will be redirected to the decryption service and is prompted to pay in Bitcoins. The decryption service will allow to decrypt one file for free.

cryptowall4

What can you do? The most effective defense against these type of threats is to have proper backups. This type of malware has the capability to encrypt any attached storage such as USB drives or network drives – make sure you do your backups and keep that external drive disconnected. You back up your data once a day, right? at least weekly? maybe monthly? For enterprises the tools and processes used to backup and restore information in a timely manner need to be in place. Please note that Windows has a feature called Volume Shadow Copy that allows you to restore files to their previous state however the newer variants of this malware delete shadow copies and disable the service prior to encrypting the files.

Other things can be done, like educating users to not open attachments or links in emails from unknown senders and be suspicious about unexpected attachments and links from known senders. Also make sure to keep your software updated. Other techniques might include hardening your system using Microsoft AppLocker to introduce software whiltelisting.

MD5 of the malware used in this article:
3548959f1100a0d818f91b6502a7fdd3 ab-cp.com_copy_of_complaints.pdf.scr

At this stage the majority of the web filtering vendors have categorized the C&C addresses as malicious. This will prevent an infected computer  from becoming encrypted if you prevent your users to surf to malicious websites. For example the malicious binary used in this exercise had 58 C&C hard-coded.

Tagged
Dec 15 2014
Leave a comment
Security Essentials

Your data has been taken hostage!

ransomwareOn December 1989, several thousand diskettes labeled “AIDS Information – Introductory Diskette Version 2.0” were delivered to users around Europe luring the users to install a software that contained information about AIDS/HIV claimed to come from PC Cyborg Corporation. After installing the software the trojan horse would start encrypting sections of the hard drive using substitution ciphers.  Following a reboot a message would be shown to the user that the software license had expired and the user would need to send 189$ to a post box in Panama to get his files back.  This was the first extortion based attack relying on cryptography. Not long after a decryption routine was made available to help users get their files back. This was possible because the trojan horse relied on weak symmetric encryption [1].

Malicious cryptography evolved and back in 1996, Adam Young and Moti Yung published a paper on the 17th IEEE Symposium named Cryptovirology: Extorsion based security threats and countermeasures. A influential paper that presented the idea of cryptovirology and demonstrated the offensive side of cryptography using asymmetric encryption. One of the offensive method described in the paper consists of an extortion based attack that will result in loss of access to information.   This is accomplished by the cryptovirus:  A cryptovirus (cryptotrojan) is a computer virus (Trojan horse) that uses a public key generated by the author to encrypt data that resides on the host system, in such a way that can only be recovered by the author of the virus (assuming no fresh backup exists).  Years after, the security industry started to see more of this type of extortion based attacks such as the GpCode trojan initially seen in 2004 by security software company Kaspersky. Some variants claimed to be using strong asymmetric algorithms such as RSA but they used weak algorithms allowing researchers to retrieve the users files.  Michael Ligh had a nice write up on one of these variants here and more recently the security researcher XyliBox also dissected one of these samples.

Last year and this year the security industry saw a uptick in malware connoted as ransomware such as variants of Cryptolocker, CryptoDefense and Cryptowall. Dell SecureWorks Counter Threat Unit have great write up here and here about these threats. These extortion based attacks gained popularity due to its spread using effective phishing campaigns – check Brian Krebs on Operation Torvar – and new techniques relying on strong encryption to make your most important files useless. New variants of ransomware even take advantage of asymmetric cryptographic protocol ECDH – Elliptic curve Diffie–Hellman.  Essentially the files are encrypted with a symmetric key and this key is then encrypted with a public key which can only be decrypted by a private key belonging to the attacker. To get this key the users are persuaded to pay a bounty using virtual currencies such as Bitcoin. The security company Bromium recently published an interesting analysis report about the crypto malware families seen in the past 18 months.

What can you do? The most effective defense against these type of threats is to have proper backups. This type of malware has the capability to encrypt any attached storage such as USB drives or network drives – make sure you do your backups and keep that external drive disconnected. You back up your data once a day, right? at least weekly? maybe monthly? For enterprises the tools and processes used to backup and restore information in a timely manner need to be in place. Please note that Windows has a feature called Volume Shadow Copy that allows you to restore files to their previous state however the newer variants of this malware delete shadow copies and disable the service prior to encrypting the files.

Other things can be done, like educating users to not open attachments or links in emails from unknown senders and be suspicious about unexpected attachments and links from known senders. Also make sure to keep your software updated. Other techniques might include hardening your system using Microsoft AppLocker to introduce software whiltelisting.

[1] Szor, Peter (2004) The Art of Computer Virus Research and Defense. Addison-Wesley

Tagged , , , , , , , ,