New global encoder attack described by Doctor Web

Written on: June 28, 2017

June 28, 2017

Doctor Web specialists are examining Trojan.Encoder.12544, a new ransomware Trojan also known as Petya, Petya.A, ExPetya or WannaCry-2 in some media sources. Based on a preliminary analysis of the malicious program, Doctor Web presents recommendations on how to avoid infection, advises what to do if infection has already occurred and provides technical details on this attack.

Trojan.Encoder.12544 poses a serious threat to computers running Windows. Various sources call it a modification of the Trojan known as Petya (Trojan.Ransom.369); however, Trojan.Encoder.12544 only slightly resembles that Trojan. This malicious program has infected the information systems of government institutions, banks and commercial organizations, as well as user computers in several countries.

At the moment, it is known that the Trojan infects computers using the same vulnerabilities that cybercriminals previously exploited during the WannaCry attack. The spread of Trojan.Encoder.12544 started on the morning of June 27. Once launched on an attacked computer, the Trojan looks for reachable computers in the local network using several methods, then scans ports 445 and 139 on them. Once machines with open ports are found, Trojan.Encoder.12544 attempts to infect them via a widely known SMB protocol vulnerability (MS17-010).

In its body, the Trojan contains four compressed resources. Two of them are the 32-bit and 64-bit versions of the Mimikatz tool, which is designed to extract the passwords of open Windows sessions. Depending on the bitness of the operating system, the Trojan unpacks the appropriate version of Mimikatz, saves it to the temporary folder and runs it. Using Mimikatz and some other methods, Trojan.Encoder.12544 obtains the list of local and domain users logged on to the infected computer. The Trojan then looks for writable network shares, attempts to open them with the obtained credentials and saves a copy of itself in these shares. To infect the computers it has gained access to, Trojan.Encoder.12544 uses either the PsExec remote-administration tool or the standard console tool Wmic.exe.
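The port 445/139 scanning described above is visible at the network edge. The following is an added example, not Doctor Web's code, of detection logic over constructed connection-log lines that flags a host probing many LAN neighbours on SMB ports within a short window; the log format, IP addresses and thresholds are assumptions.

```python
# Added example (not from Doctor Web's analysis): flag a host that touches
# many distinct LAN neighbours on TCP 445/139 within a short time window,
# the lateral-movement pattern described for Trojan.Encoder.12544.
from collections import defaultdict
from datetime import datetime

# Constructed sample of firewall/NetFlow-style records: "timestamp src dst dport"
SAMPLE_LOG = """\
2017-06-27T09:12:01 10.0.1.15 10.0.1.20 445
2017-06-27T09:12:01 10.0.1.15 10.0.1.21 445
2017-06-27T09:12:02 10.0.1.15 10.0.1.22 139
2017-06-27T09:12:02 10.0.1.15 10.0.1.23 445
2017-06-27T09:12:03 10.0.1.15 10.0.1.24 445
2017-06-27T09:12:03 10.0.1.15 10.0.1.25 445
2017-06-27T09:12:04 10.0.1.15 10.0.1.26 139
2017-06-27T09:12:30 10.0.1.40 10.0.1.5 445
2017-06-27T09:14:00 10.0.1.40 10.0.1.6 445
2017-06-27T09:15:10 10.0.1.15 10.0.1.27 445
"""

SMB_PORTS = {445, 139}  # NetBIOS session and direct-hosted SMB


def parse(log_text):
    """Yield (timestamp, src, dst, dport) for connections to SMB ports only."""
    for line in log_text.splitlines():
        ts, src, dst, dport = line.split()
        if int(dport) in SMB_PORTS:
            yield datetime.fromisoformat(ts), src, dst, int(dport)


def find_smb_scanners(log_text, min_targets=5, window_seconds=60):
    """Return {src: distinct_targets} for sources that contacted at least
    min_targets distinct hosts on 445/139 inside any window_seconds span.
    The thresholds are assumed tuning values, not figures from the article."""
    events = defaultdict(list)
    for ts, src, dst, _ in parse(log_text):
        events[src].append((ts, dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()  # sliding window over time-ordered events per source
        for i, (start, _) in enumerate(evs):
            targets = {d for t, d in evs[i:]
                       if (t - start).total_seconds() <= window_seconds}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


if __name__ == "__main__":
    for host, n in find_smb_scanners(SAMPLE_LOG).items():
        print(f"possible SMB lateral-movement scan from {host}: {n} distinct targets")
```

Two legitimate SMB connections a minute and a half apart (10.0.1.40) fall outside the window, while the burst from 10.0.1.15 is flagged.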

The encoder checks whether it has already been launched using a file it saves to the C:\Windows\ folder. The file name matches the Trojan's own file name without the extension. Since the worm sample currently spreading is named perfc.dat, the file preventing its launch is C:\Windows\perfc. However, if cybercriminals rename the Trojan, creating the file C:\Windows\perfc (as many anti-virus developers advise) will not protect the computer from infection. In addition, the Trojan checks for the file only if it has sufficient privileges to do so.

Once launched, the Trojan adjusts its privileges, loads a copy of itself into memory and transfers control to that copy. The encoder then overwrites its own file with garbage data and deletes it. First, Trojan.Encoder.12544 damages the VBR (Volume Boot Record) of drive C: by filling its first sector with garbage data. Next, the encoder copies the original Windows boot record, encrypted with a XOR algorithm, to another part of the drive and overwrites the original record with its own boot record. It then creates a scheduled task to reboot the computer and starts encrypting all files with the following extensions: .3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, .rtf, .sln, .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc, .vmdk, .vmsd, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xvd, .zip.

The Trojan encrypts files only on fixed drives. The data on each drive is encrypted in a separate thread. Files are encrypted with AES-128-CBC; a separate key is generated for each drive (a characteristic feature of this Trojan that other specialists have not noted). This key is encrypted with RSA-2048 (other researchers say an 800-bit key is used) and saved in the file README.TXT in the root folder of the system drive. No additional extension is appended to the encrypted files.

After the computer reboots according to the created task, control passes to the Trojan's boot record, which displays text resembling that of the standard CHKDSK tool on the screen of the infected computer.

[Screenshot: Trojan.Encoder.12544 fake CHKDSK screen]

Meanwhile, Trojan.Encoder.12544 encrypts the MFT (Master File Table). Once the encryption is complete, it displays a ransom demand on the screen.

[Screenshot: Trojan.Encoder.12544 ransom demand]

Power down the computer immediately if you see the CHKDSK text at system startup. In this case the boot records will be damaged, but they can be repaired with the Windows recovery tools or the Recovery Console if you boot the computer from the distribution disc. Normally, boot record recovery is possible in Windows 7 and later if the hidden partition holding the backup copy of the critical data is present on the drive. You can also use Dr.Web LiveDisk: create a boot disc or boot USB, start the operating system from this removable media, run the Dr.Web scanner, check the infected drive and choose the Neutralize action for the detected threats.

According to some sources, the only email address used by the Trojan.Encoder.12544 cybercriminals has been blocked, so the cybercriminals cannot communicate with their victims (for example, to offer decryption of the files).

To avoid infection by Trojan.Encoder.12544, Doctor Web recommends creating backup copies of all critical data on independent removable media and using the Data Loss Prevention feature of Dr.Web Security Space. In addition, it is recommended to install all security updates for your operating system. Meanwhile, Doctor Web specialists continue examining the Trojan.Encoder.12544 encoder.

Instructions for victims of Trojan.Encoder.12544.


Wikileaks – The Elsa malware allows CIA to locate users via WiFi-enabled devices

Written on: June 28, 2017

WikiLeaks published the manual of the ELSA malware, a tool allegedly used by the U.S. CIA to track people’s locations via their WiFi-enabled devices. WikiLeaks has published a document detailing a tool allegedly used by the U.S. CIA to track people’s locations via their WiFi-enabled devices. The malware code-named Elsa implements geolocation feature, it scans visible WiFi […]

The post Wikileaks – The Elsa malware allows CIA to locate users via WiFi-enabled devices appeared first on Security Affairs.

This is why AI shouldn’t design inspirational posters – CNET

Written on: June 28, 2017

The results are kind of like if Commander Data from Star Trek tried to be your motivational therapist.

Google must yank search results globally, says Canada court – CNET

Written on: June 28, 2017

In a case involving pirated goods, the country’s top court says removing results only on Google’s Canada site isn’t enough. But critics worry about free speech.

Here’s what the Galaxy Note 8’s back could look like – CNET

Written on: June 28, 2017

Note 8 renders are coming in force. Here’s how some predict the back of Samsung’s next big phone will look.

Twitter has issues, and President Trump is on the cover – CNET

Written on: June 28, 2017

Twitter users react to the president’s fake Time magazine cover by making a pile of parody versions.

Ford issues three recalls, two of which cover fewer than five cars – Roadshow

Written on: June 28, 2017

The first recall makes up for the other two, though, since it covers 400,000 vehicles.

Which of Amazon’s new Prime-only phones should you buy? – CNET

Written on: June 28, 2017

OK, that’s kind of a loaded question, but it’s a discussion worth having: The reseller now offers 10 models priced between $50 and $200. Plus: Get Portal 2 for just 2 bucks!

Experts found a critical remote buffer overflow vulnerability in Skype

Written on: June 28, 2017

The security expert Benjamin Kunz-Mejri from security firm Vulnerability Lab discovered a remote zero-day stack buffer overflow vulnerability in Skype. The security expert Benjamin Kunz-Mejri from security firm Vulnerability Lab discovered a Skype zero-day stack buffer overflow vulnerability, tracked as CVE-2017-9948, that could be exploited by a remote attacker to execute malicious code. Vulnerability Lab reported the […]

The post Experts found a critical remote buffer overflow vulnerability in Skype appeared first on Security Affairs.