[Fabian Wosar]

Not directly related to CryptoLocker, but a US company is currently creating a lot of PR buzz around a different crypto malware, calling it a CryptoLocker copycat. Based on the little technical information they shared, the malware they describe sounds suspiciously like the CryFile crypto malware family which has been around since at least July 2013. I have attached one of the most recent samples.

The crypto component the malware uses can be found here:
http://sourceforge.net/projects/tplockbox/

The group behind the malware seems to call itself "No Problem Bro" and they have been around for a while. Their web presence (noproblembro.com) is pretty much empty. Just hints here and there what they are up to.

The malware is VM aware, checking user names used, running processes, as well as various registry locations. The checks are located at 0x57F47C, 0x57FC9C, and 0x57FB28. Once it was made sure that the malware isn't running inside a VM, it will create an autorun key inside HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce as AdobeUpdate, pointing towards an AdobeSystem.exe file located inside the user profile directory. At least on my systems however, the malware doesn't copy itself there. I didn't look into whether or not that's a bug inside the malware. It is also possible that the sample is part of a larger dropper that actually takes care of placing the file inside that directory under the correct name.

The only other interesting aspect is the fact that crypto malware authors seem to pick up on the existence of shadow volumes. It is quite common for crypto malware authors to add shadow volume snapshot deletion in one of the later revisions of their malware, as that is usually one of the first things admins or malware removal techs try, but this particular sample shipped with some code to delete shadow copies right from the get go back in July.

I haven't looked into the encryption details yet but from the first look it seems to be reversible. Will take a closer look at it after a couple of hours of sleep.

[Grinler]

Thanks for the sample Fabian. Have had a few people hit by this at BC.

[Fabian Wosar]

As promised yesterday, I took a closer look at the malware today. To be more precise I looked into the AES password generation to figure out whether or not decryption is feasible. Password generation takes place inside the function located at 0x0058072C. The password generation is done using the stock Delphi random number generation functions. Essentially the Delphi RNG is seeded using QueryPerformanceCounter or GetTickCount if the former is unavailable. The Random function itself is a simple linear congruential generator using the factor 0x08088405. The password generation algorithm looks like this:

Code: Select all

for i := 0 to 249 do
begin
  if Random(2) = 1
    then Password := Password + Char(Random(93) + 33)
    else Password := Password + IntToStr(Random(10));
end;

The randomly generated key is then sent via email to "specialist2@noproblembro.com". Emails look like this:

Code: Select all

From: "informator@noproblembro.com" <informator@noproblembro.com>
Subject: Locked:WORKSTATION(2966044196)
To: specialist2@noproblembro.com
Date: Sun, 15 Dec 2013 12:06:18 -0200

PC: WORKSTATION
ID: 2966044196A
Password: 2/-5=EC,94=,yebt;0303L9Y0=W7dD3;8r)1682Rz5A2P>a{1'D8n`(78q59|f4e#171176381i0%Q4c1s&v53')7"z7t+Q4909(57?8166)9\R97UO>y4W,2Gux0834@6029lx5A6;1078`X403895J2wqA278l}H7-9<524"7441C37137120957506620$/4I66F8b*3Z[35A53<220]776kl47-88h315U0`44Y87/{6;D{{5*822&
Expire: 12/17/2013
IP: 127.0.0.1
TS: 12:06:18 AM

The 250 character key may look intimidating at first, but based on how the key is generated, decryption should be possible as a brute force attack against all possible 4294967296 keys seems feasible within a couple of hours or days depending on your processor. Maybe a mathematician or cryptographer with more experience in LCGs may find a more efficient attack.

[CloneRanger]

@ Fabian Wosar

Thanx for the new info.

More details here -

No problem bro – ransom decryption service

August 20th, 2013

http://blog.avast.com/2013/08/20/no-pro ... on-service

[Grinler]

Fabian, any chance you have a copy of this with the anti-vm protection bypassed?

[Cody Johnston]

Fabian, any chance you have a copy of this with the anti-vm protection bypassed?

All you need to do is change the following registry key:

Code: Select all

HKLM\Hardware\ACPI\DSDT\VBOX__

Rename the VBOX__ key to anything other than VBOX and the sample Fabian posted will run.

[Grinler]

Terrific. Thanks!

[Cody Johnston]

CryptoLocker 2.0 Cleaned up and mostly deobfuscated

http://www.welivesecurity.com/2013/12/1 ... r-copycat/



MD5 4f6011ff98c257441ed388c607c5c7fe

Only ESET detects :) (1/47):
https://www.virustotal.com/en/file/3d9a ... 387566697/

This one gets more file extensions:

Code: Select all

this.string_0 = "3fr, accdb, txt, ai, arw, bay, cdr, cer, cr2, eps, erf, indd, mp3, mp4, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, rwl, srf, srw, wb2, wpd, wps, xlk, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, xls, xlsb, xlsm, xlsx, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf";

Also has DDoS functionality as well:

Code: Select all

str1 = "Error: DDoS failed due to invalid URL";

[TwinHeadedEagle]

Anyone got this sample?

http://blog.trendmicro.com/trendlabs-se ... le-drives/

[Grinler]

Anyone got this sample?

http://blog.trendmicro.com/trendlabs-se ... le-drives/

I am pretty sure this CryptoLocker 2.0 posted above.