CryptoWall: How It Works

  1. CryptoWall 3.0: How It Works. Term Project, CS690 Network Security. Tandhy Simanjuntak
  2. Agenda: History; Infection; Tools; Analysis; Conclusion
  3. History
  4. History. CryptoWall: file-encrypting ransomware, Q1 2014 (Nov 2013) [5]; CryptoClone, CryptoDefense [5]; encrypted environments: TOR network, Bitcoin
  5. Infection
  6. Infection. (a) Email attachments and links; (b) browser exploit kits, drive-by download (download request)
  7. Infection: Link
  8. Infection: Email. Subject lines used: USPS – Your package is available for pickup (Parcel 173145820507); Fwd: IMG01041_6706015_m.zip; FW: Invoice <random number>; My resume; ADP payroll: Account Charge Alert; New Voicemail Message; Important – attached form; Important – New Outlook Settings; FW: Last Month Remit; Scan Data; McAfee Always On Protection Reactivation; New contract agreement; Scanned Image from a Xerox WorkCentre; Important Notice – Incoming Money Transfer; Payroll Invoice; Payment Overdue – Please respond
  9. Infection: Upatre downloader. June 5th 2014: largest single-day infection. Legitimate cloud hosting: Dropbox, Cubby, and MediaFire. Banking Trojans: Gameover Zeus, Dyre
  10. Tools
  11. Tools. Dynamic analysis: Process Explorer, Process Monitor, Wireshark, RegShot / CaptureBAT. Static analysis: REMnux (pyew, Strings, pescanner, densityScout, trid), hex editor
  12. Tools. Forensic: Scalpel, EnCase Forensic. Hardware: host Kali Linux; VM Windows XP
  13. Analysis
  14. Analysis: Dynamic analysis. Files created: Cryptowall.exe → C:\Documents and Settings\<user>\%AppData%\<random name>.exe; Kdtsndl.exe → C:\Documents and Settings\<user>\%AppData%\key.dat; Kdtsndl.exe → C:\Documents and Settings\<user>\Desktop\log.html
  15. Analysis: Files created, key.dat. 114GCa7RevREjed65TRCepdLPPpbxh7Pa4
  16. Analysis: key.dat
  17. Analysis: Registry values created. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mscfg: "C:\Documents and Settings\winXP\Application Data\kdtsndl.exe"; HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*mscfg: "C:\Documents and Settings\winXP\Application Data\kdtsndl.exe"
  18. Analysis. Deletes original: deleted from its original location (Desktop). Deletes shadow copies
  19. Analysis: Encryption. [Figure: the original PDF file in memory (header 25 50 44 46 2d 31 2e 35, i.e. "%PDF-1.5"), processed in 16-byte blocks through CryptoAPI (steps 1–4) into the new .PDF file, in which runs of bytes are shown as xxxx and the 16-byte blocks appear in a different order from the original]
  20. Analysis: Encryption. Moves the new .pdf file → .pdf.ecc file: loads the new .pdf file; creates the .pdf.ecc file; deletes the new .pdf file
  21. Analysis: Encryption. Targeted file extensions: .3fr, .7z*, .ai*, .apk, .arw, .avi, .bar, .bay, .bc6, .bc7, .big, .bik, .bkf, .bkp, .bsa, .cas, .cdr, .cer, .cr2, .crt, .crw, .css, .csv, .das, .db, .db*, .dcr, .der, .dmp, .dng, .doc, .docx, .dwg, .dxg, .epk, .eps, .erf, .ff, .ff*, .flv, .fos, .fpk, .fsh, .gdb, .gho, .hkx, .itl, .itm, .iwd, .iwi, .jpe, .jpg, .js, .js*, .kdb, .kdc, .kf, .kf*, .lrf, .ltx, .lvl, .m2, .m2*, .m3u, .m4a, .map, .mdb, .mdf, .mef, .mlx, .mov, .mp4, .ncf, .nrw, .ntl, .odb, .odc, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pak, .pdd, .pdf, .pef, .pem, .pfx, .png, .ppt, .pptx, .psd, .psk, .ptx, .py, .py*, .qdf, .qic, .r3d, .raf, .raw, .rb, .rb*, .re4, .rim, .rtf, .rw2, .rwl, .sav, .sb, .sb*, .sid, .sie, .slm, .snx, .sql, .sr2, .srf, .srw, .sum, .svg, .t12, .t13, .tax, .tor, .txt, .upk, .vcf, .vdf, .vpk, .vtf, .wb2, .wma, .wmo, .wmv, .wpd, .wps, .x3f, .xf, .xf8, .xlk, .xls, .xlsx, .xxx, .zip
  22. Analysis: Encryption. Internet independent. Encrypted file: modules; file signature
  23. Analysis: Encryption, encrypted file, modules. Normal file creation: 21 modules. CryptoWall file creation: 50 modules, including Windows' cryptographic module crypt32.dll
  24. Analysis: Encryption, encrypted file, modules
  25. Analysis: Encryption, encrypted file, file signature. Raw data pattern: beginning / header, end / footer. File type and signature: Microsoft Office file: D0 CF 11 E0 A1 B1 A1 E1; JPG file: FF D8 FF E0 | FF D9; PDF file: 25 50 44 46
  26. Analysis: Encryption, encrypted file, file signature. Un-encrypted .docx file vs. encrypted .docx file
  27. Analysis: Encryption, encrypted file, file signature. Un-encrypted .pdf file vs. encrypted .pdf file
  28. Analysis: Network. Hosts contacted: ipinfo.io; 7tno4hib47vlep5o.42kjb11.net; 7tno4hib47vlep5o.42kjb12.net; 7tno4hib47vlep5o.tor2web.blutmagie.de; 7tno4hib47vlep5o.tor2web.fi
  29. Analysis: Network. 7tno4hib47vlep5o.42kjb11.net
  30. Analysis: Static analysis with REMnux: pyew, Strings, pescanner, densityScout, trid
  31. Analysis: Forensic. Reads the .pdf → saves it as a new .pdf; moves the new .pdf → .pdf.ecc (deletes the new .pdf, creates the .pdf.ecc). Forensic tools: Scalpel, EnCase Forensic
  32. Analysis: Forensic. [Figure: the PDF file (header "%PDF-1.5") read into memory and the new .PDF file, with the steps labelled Load, Write, Delete (1–3)]
  33. Analysis: Forensic. [Figure: hex dump of the new .PDF file (leading bytes shown as xxxx, blocks out of their original order) beside the original PDF file (header 25 50 44 46 2d 31 2e 35, "%PDF-1.5")]
  34. Conclusion
  35. Conclusion. Ransomware: TOR network; Bitcoin; no internet; unable to carve. Email: attachment; link. Further analysis: dynamic (debugger); static (REs)
  36. Be Paranoid!
  37. Reference
      1. Fruz, A. (2014). Cryptolocker. Retrieved from InfoSec Institute site: resources.infosecinstitute.com/cryptolocker/
      2. Virustotal.com (2015). Cryptowall file identification. Retrieved from Virustotal site: https://www.virustotal.com/en/file/685a9578c314b8a191160e89313674772cfa4adcb73112336321eb06ddd750c9/analysis/
      3. JAMESWT (2015). Cryptowall (2015 03 23). Retrieved from Malware Tips site: http://malwaretips.com/threads/cryptowall-2015-03-23.43940/
      4. Kessler, G. (2014). File Signature Table. Retrieved from Gary Kessler site: http://www.garykessler.net/library/file_sigs.html
      5. Dell SecureWorks Counter Threat Unit™ Threat Intelligence (2014). Cryptowall Ransomware. Retrieved from Dell SecureWorks site: http://www.secureworks.com/cyber-threat-intelligence/threats/cryptowall-ransomware/
      6. Malwr.com (2015). Cryptowall file identification. Retrieved from Malwr site: https://malwr.com/analysis/ZDQ5OGI2NDMzNDJjNGQxYzkyNGVjM2U1YTIxZDUzNzU/
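
Slides 25 to 27 make the point that an encrypted file no longer carries the header and footer signature of its type. The following Python scan is an added example (not from the slides or the author) that flags files whose magic bytes do not match their extension, or that carry the .ecc extension the slides describe; the Office entry uses the standard OLE2 header, the ZIP header for .docx/.xlsx/.pptx is an addition not on the slide, and the sample files are constructed.

```python
import os, tempfile
# Signatures after the slide's table [4]; OLE2 is the standard Office header, and the
# "PK" ZIP header for .docx/.xlsx/.pptx is an addition not on the slide.
OLE2, ZIP, JPG = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", b"PK\x03\x04", b"\xFF\xD8\xFF"
SIGNATURES = {".doc": (OLE2, None), ".xls": (OLE2, None), ".ppt": (OLE2, None),
              ".docx": (ZIP, None), ".xlsx": (ZIP, None), ".pptx": (ZIP, None),
              ".jpg": (JPG, b"\xFF\xD9"),    # header FF D8 FF E0, footer FF D9
              ".pdf": (b"%PDF", None)}       # 25 50 44 46
RANSOM_EXT = ".ecc"                          # appended by CryptoWall 3.0 per the slides

def check_file(path):
    """Return None if the file looks intact, otherwise a short reason string."""
    name = os.path.basename(path).lower()
    if name.endswith(RANSOM_EXT):
        return "ransomware extension"
    ext = os.path.splitext(name)[1]
    if ext not in SIGNATURES:
        return None                          # no reference signature for this type
    header, footer = SIGNATURES[ext]
    with open(path, "rb") as f:
        data = f.read()
    if not data.startswith(header):
        return "header mismatch"             # ciphertext carries no magic bytes
    if footer is not None and not data.endswith(footer):
        return "footer mismatch"             # truncated or partially overwritten
    return None

def scan(root):
    """Walk a tree; return sorted (relative path, reason) pairs for suspect files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for full in (os.path.join(dirpath, fn) for fn in files):
            reason = check_file(full)
            if reason:
                findings.append((os.path.relpath(full, root), reason))
    return sorted(findings)

def demo():
    """Constructed sample tree: intact files beside encrypted-looking ones."""
    root, junk = tempfile.mkdtemp(), b"\x8a\x13\xf7\x02\x5d\xc0\x9e\x41" * 4
    samples = {
        "report.pdf": b"%PDF-1.5\n%\xe2\xe3\xcf\xd3\n623 0 obj\n",   # bytes from slide 19
        "photo.jpg": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x00" * 8 + b"\xFF\xD9",
        "cut.jpg": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00",               # footer missing
        "budget.docx": junk, "report.pdf.ecc": junk, "notes.txt": b"no signature to check\n",
    }
    for fn, blob in samples.items():
        with open(os.path.join(root, fn), "wb") as f:
            f.write(blob)
    return scan(root)
```

Run `scan()` over a user profile after an incident to list which files lost their signature; files without a known signature are skipped rather than reported.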

Editor's Notes

  • TOR is an encrypted network made up of volunteers all over the world. It works by relaying the connection from its origin through several nodes before it reaches the destination.

    Bitcoin is a digital currency that offers anonymity to its owner.
  • A drive-by download refers to the unintentional download of a virus or malicious software (malware) onto your computer or mobile device. A drive-by download will usually take advantage of (or "exploit") a browser, app, or operating system that is out of date and has a security flaw.

    The initial code that is downloaded is often very small (so you probably wouldn't notice it), since its job is often simply to contact another computer from which it can pull down the rest of the code onto your smartphone, tablet, or computer. Often, a web page will contain several different types of malicious code, in the hope that one of them will match a weakness on your computer.
    These downloads may be placed on otherwise innocent and normal-looking websites. You might receive a link in an email, text message, or social media post that tells you to look at something interesting on a site. When you open the page, while you are enjoying the article or cartoon, the download is installing on your computer.
    https://blogs.mcafee.com/consumer/drive-by-download

    https://support.evvnt.com/hc/en-us/article_attachments/200859568/browsers.jpg
  • Crypt32.dll is the module that implements many of the Certificate and Cryptographic Messaging functions in the CryptoAPI, such as CryptSignMessage.
    https://msdn.microsoft.com/en-us/library/windows/desktop/aa379884%28v=vs.85%29.aspx
  • Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.

    • Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.

    • Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes.

    • Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. The Respond Function supports the ability to contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements.

    • Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcome Categories within this Function include: Recovery Planning; Improvements; and Communications.
