It’s a file infector… It’s ransomware… It’s VIRLOCK
Vlad Craciun, Mihail Andronic, Andrei Nacu
30.09.2015 © www.bitdefender.com
Overview
• Ransomwares and file infectors
• Introducing Virlock
• Reversing Virlock
• Statistics
• Conclusions
Background
• Most malware on today’s market combines all sorts of mechanisms to collect or damage user data, or to deploy other kinds of malware
• Virlock = Ransomware + File infector
• Damaged files and no PC access?
Ransomwares and file infectors
• Ransomwares
  • Purpose
    • Get money by blocking data or account access
  • Behavior
    • File-lockers
    • Screen-lockers

Ransomwares and file infectors
• Screen locker – ICEPOL

Ransomwares and file infectors
• File locker – A custom one, similar to Cryptowall

Ransomwares and file infectors
• Both file and screen locker – ACCDFISA

Ransomwares and file infectors
• File infectors
  • Purpose
    • Delivery and persistence of malware
  • Behavior
    • Alters the legit file by adding the malware payload

Ransomwares and file infectors
• A simple file infector: Pioneer

Ransomwares and file infectors
• A more complex one: Sality
Introducing Virlock
• Virlock
  – hybrid money hunter
• How?
  – Using ransomware screen-locking features
  – Using a well designed infection mechanism

Introducing Virlock
• Screen locking feature similar to ACCDFISA, ICEPOL, etc.

Introducing Virlock
File infection techniques
• Make files harder to recover
• Increases chances to persist and spread
Reversing Virlock
o Malware installation
o Account password brute-force
o Infected files
o Anti-analysis tricks
o Polymorphic engine
o Different malware versions
o Tricking users

Malware installation
• Setting up the execution environment

Malware installation
• Executing a fresh infected file

Malware installation
• Getting to the embedded clean file
Account password brute-force
• The malware attempts a dictionary-based brute-force attack in an effort to gain administrative privileges
• It creates its own account after that

Account password brute-force
• A couple of the tried passwords
1qaz@WSX
12345678
changeme
P@ssword
Password!
Passw0rd
1q2w3e4r
Password01
Password
P@ssw0rd
Password1
12345
123456789
1234
123456
Admin
Passw0rd
p@ssw0rd
Pa$$w0rd
Abc123
Qwerty
Master
Password1
welcome
orig_Administrator
operator123
N0th1n9
1q2w3e4r5t6y7u8i
abcd12345
Administrator
Q1w2e3r4
q1w2e3r4t5
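The sequence described on these two slides, a burst of failed logons against a privileged account followed by the creation of a new local account, is something a defender can look for in the Windows Security log. The script below is an added example, not part of the presentation or of Bitdefender’s tooling. It runs over a constructed set of simplified event records (event IDs 4625, 4624 and 4720 are the real Windows IDs for failed logon, successful logon and user account created; the hosts, account names and timestamps are invented) and raises an alert only when a failed-logon burst is followed shortly afterwards by a new account on the same host. The thresholds and time windows are assumptions to be tuned per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (not real logs). Only the fields
# the detection needs are kept: event id, timestamp, host and target account.
# 4625 = failed logon, 4624 = successful logon, 4720 = user account created.
SAMPLE_EVENTS = (
    # WS01: twelve failed logons against the built-in Administrator in twelve
    # seconds, then a success and a brand-new local account a minute later.
    [{"id": 4625, "time": f"2015-09-30T10:00:{s:02d}", "host": "WS01",
      "target": "Administrator"} for s in range(1, 13)]
    + [{"id": 4624, "time": "2015-09-30T10:00:13", "host": "WS01", "target": "Administrator"},
       {"id": 4720, "time": "2015-09-30T10:01:00", "host": "WS01", "target": "svc_backup"}]
    # WS02: three mistyped passwords spread over an hour, then an admin creates
    # a user; this is ordinary activity and must not alert.
    + [{"id": 4625, "time": "2015-09-30T09:10:00", "host": "WS02", "target": "alice"},
       {"id": 4625, "time": "2015-09-30T09:40:00", "host": "WS02", "target": "alice"},
       {"id": 4625, "time": "2015-09-30T10:05:00", "host": "WS02", "target": "alice"},
       {"id": 4720, "time": "2015-09-30T10:06:00", "host": "WS02", "target": "bob"}]
    # WS03: a burst with no account creation afterwards; worth logging, but it
    # is not the pattern this rule is written for.
    + [{"id": 4625, "time": f"2015-09-30T11:00:{s:02d}", "host": "WS03",
        "target": "Administrator"} for s in range(0, 15)]
)


def detect_bruteforce_then_account_creation(events, fail_threshold=10,
                                            fail_window=timedelta(minutes=5),
                                            create_window=timedelta(minutes=15)):
    """Return one alert per host where at least `fail_threshold` failed logons
    (4625) fall inside `fail_window` and a new account (4720) is created within
    `create_window` after the burst crossed the threshold."""
    # ISO 8601 timestamps of equal length sort correctly as strings.
    ordered = sorted(events, key=lambda e: e["time"])
    recent_fails = defaultdict(deque)   # host -> (time, target) of recent 4625s
    burst = {}                          # host -> (time, failed count, targets)
    alerts = []
    for ev in ordered:
        t = datetime.fromisoformat(ev["time"])
        host = ev["host"]
        if ev["id"] == 4625:
            q = recent_fails[host]
            q.append((t, ev["target"]))
            # Drop failures that fell out of the sliding window.
            while q and t - q[0][0] > fail_window:
                q.popleft()
            if len(q) >= fail_threshold:
                burst[host] = (t, len(q), sorted({u for _, u in q}))
        elif ev["id"] == 4720 and host in burst:
            burst_time, count, targets = burst[host]
            if timedelta(0) <= t - burst_time <= create_window:
                alerts.append({"host": host, "new_account": ev["target"],
                               "failed_logons": count,
                               "attacked_accounts": targets,
                               "created_at": ev["time"]})
                del burst[host]   # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce_then_account_creation(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on the host rather than on the source address because the slides describe a local brute force by code already running on the machine; on a domain controller the same logic would be keyed on the workstation name carried in each 4625.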
Infected files
• Clean files are embedded inside the malware
• The path to the clean file is obfuscated
• Similar to Sality
Anti-analysis tricks
• Detecting the debugger presence

Anti-analysis tricks
• Anti emulation tricks!

Anti-analysis tricks
• Decrypt, Execute, Re-Encrypt

Polymorphic engine
• Basic reshape technique

Different malware versions
• [Hash encrypted code, compare hash] – template

Different malware versions
• Similar code within 2 different families
Tricking users
• Why do my pictures have an exe extension?
Statistics
• Spreading of Win32.Virlock.Gen.1/3 until September 2015

Statistics
• Infected systems by Win32.Virlock.Gen.1/3
Virlock.Gen.1: China, Russia, USA, Germany, Iran, Romania, UK, Canada, Vietnam
Virlock.Gen.3: Canada, UK, USA, Australia, Iran, Romania, Vietnam, Germany
Statistics
• Areas with an increased number of affected files
Country          Gen.1    Gen.2    Gen.3    Gen.4    Gen.5
Canada           17.9%    0.07%    42.6%    0.07%    -
Vietnam          5.6%     -        0.27%    -        0.03%
Iran             6.2%     0.02%    1.9%     0.45%    -
France           2.11%    -        -        0.36%    -
Netherlands      2.04%    -        -        -        -
United Kingdom   1.96%    -        2.22%    -        -
Conclusions
• We face new generations of file infectors
• Most of them include compiler technologies, multi-stage unpacking and anti-analysis tricks to block analysis, be it static or dynamic
• Virlock is among the first malware to combine ransomware and file infection technologies
• All these changes provide us with a clear picture of even more hybrid malware technologies working together to persist longer
?