Not directly related to CryptoLocker, but a US company is currently creating a lot of PR buzz around a different crypto malware, calling it a CryptoLocker copycat. Based on the little technical information they shared, the malware they describe sounds suspiciously like the CryFile crypto malware family which has been around since at least July 2013. I have attached one of the most recent samples.
The crypto component the malware uses can be found here:
http://sourceforge.net/projects/tplockbox/
The group behind the malware seems to call itself "No Problem Bro" and they have been around for a while. Their web presence (noproblembro.com) is pretty much empty. Just hints here and there what they are up to.
The malware is VM aware, checking user names used, running processes, as well as various registry locations. The checks are located at 0x57F47C, 0x57FC9C, and 0x57FB28. Once it was made sure that the malware isn't running inside a VM, it will create an autorun key inside HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce as AdobeUpdate, pointing towards an AdobeSystem.exe file located inside the user profile directory. At least on my systems however, the malware doesn't copy itself there. I didn't look into whether or not that's a bug inside the malware. It is also possible that the sample is part of a larger dropper that actually takes care of placing the file inside that directory under the correct name.
The only other interesting aspect is the fact that crypto malware authors seem to pick up on the existence of shadow volumes. It is quite common for crypto malware authors to add shadow volume snapshot deletion in one of the later revisions of their malware, as that is usually one of the first things admins or malware removal techs try, but this particular sample shipped with some code to delete shadow copies right from the get go back in July.
I haven't looked into the encryption details yet but from the first look it seems to be reversible. Will take a closer look at it after a couple of hours of sleep.
The crypto component the malware uses can be found here:
http://sourceforge.net/projects/tplockbox/
The group behind the malware seems to call itself "No Problem Bro" and they have been around for a while. Their web presence (noproblembro.com) is pretty much empty. Just hints here and there what they are up to.
The malware is VM aware, checking user names used, running processes, as well as various registry locations. The checks are located at 0x57F47C, 0x57FC9C, and 0x57FB28. Once it was made sure that the malware isn't running inside a VM, it will create an autorun key inside HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce as AdobeUpdate, pointing towards an AdobeSystem.exe file located inside the user profile directory. At least on my systems however, the malware doesn't copy itself there. I didn't look into whether or not that's a bug inside the malware. It is also possible that the sample is part of a larger dropper that actually takes care of placing the file inside that directory under the correct name.
The only other interesting aspect is the fact that crypto malware authors seem to pick up on the existence of shadow volumes. It is quite common for crypto malware authors to add shadow volume snapshot deletion in one of the later revisions of their malware, as that is usually one of the first things admins or malware removal techs try, but this particular sample shipped with some code to delete shadow copies right from the get go back in July.
I haven't looked into the encryption details yet but from the first look it seems to be reversible. Will take a closer look at it after a couple of hours of sleep.
Attachments
Password: infected
(547.95 KiB) Downloaded 164 times
(547.95 KiB) Downloaded 164 times