¡Vd. usa un navegador obsoleto!
Es posible que la página no se visualice correctamente.
El análisis de tecnologías usadas por los malintencionados nos permite sacar conclusiones sobre los posibles vectores de desarrollo de la industria antivirus y afrontar las futuras amenazas con mayor eficacia. Entérese de cómo funcionan varios programas nocivos en sistemas infectados y cómo afrontarlo.
Encryption worm. Contains three components: a dropper, a disk encoder (capable of decoding) and an encryption worm.
After its launch, entirely loads itself to the memory. Then it uses ZLib library to extract its own overlay, which contains the encryption worm. This component is saved to C:\Windows\infpub.dat and launched using rundll32.exe:
C:\WINDOWS\system32\rundll32.exe C:\Windows\infpub.dat,#1 NN
where NN — a parameter obtained from the command line or a value 15 by default.
Then the dropper shuts down.
Using a driver DiskCryptor, the disk encoder (decoder) obtains information on all disks used by the system. It executes a command “schtasks /Delete /F /TN rhaegal” in the a command interpreter cmd.exe. Then the encoder checks a number of process arguments. If the process is launched without arguments, the component operates as the decoder.
To launch the encryption process, the encoder checks whether it has two parameters, whilst one of them has a designation “-id”.
On the Desktop, it creates an icon “DECRYPT.lnk”, which points to this Trojan’s binary file. It executes a command “schtasks /Delete /F /TN drogon” in the the command interpreter cmd.exe.
In the Task Manager, the Trojan creates a task for a computer’s restart “shutdown.exe /r /t 0 /f” with a specified time interval of 3 minutes. Then every 30 seconds the Trojan deletes the previous task and creates a new one, thus shifting the time for the task’s execution. Perhaps, this is done in the event the computer’s user deletes the Trojan before disk encryption is complete.
It generates a 32-symbol password for the disk encryption using the following alphabet:
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
It collects the following information about the infected computer and generates the following structure:
struct __declspec(align(1)) st_pcinfo
{
_DWORD id;
_DWORD lcid;
_DWORD timezone_bias;
char RndBuf[33];
wchar_t langroup[];
wchar_t computername[];
};
where id — a parameter obtained via the command line. The structure has a fixed size of 0xF0. If values langroup or computername are too long, they are skipped. This structure is encrypted with the public key, then a new structure is generated, which looks the following way:
struct __declspec(align(1)) st_encrypted
{
_BYTE byte0;
_DWORD id;
_BYTE enc_data[240];
_DWORD crc32;
};
where value byte0 == 100, id — a parameter obtained via the command line, enc_data — data encrypted with the public key, crc32 — a control sum of all previous fields. This structure is encrypted using the Base64 algorithm and written to MBR.
The disk encryption algorithm and a bootloader were taken from the Diskcryptor project with an open source code with minor changes. The Trojan searches for the first system disk and installs its loader there. Then contents of this disk are encrypted. After the encryption, it shuts down the OS via “shutdown.exe /r /t 0 /f”.
Code fraction of the encryption worm is adopted from Trojan.Encoder.12544. It has two exports — #1 and #2. It can receive parameters of the command line: if a number is not indicated in these parameters, it uses a value 45 by default. It understands a parameter -h, which, presumably, is used to add a host to a list for the following infection. A parameter -f is used for modification of flags detected in the process system.
Launched from the dropper. Tries to obtain the following privileges:
Uses hashes to search for the following launched processes:
0x4A241C3E dwwatcher.exe
0x923CA517 McTray.exe
0x966D0415 dwarkdaemon.exe
0xAA331620 dwservice.exe
0xC8F10976 mfevtps.exe
0xE2517A14 dwengine.exe
0xE5A05A00 mcshield.exe
If such processes are detected, the first stage of encryption is skipped. Loads its file to the memory, makes preparations to launch it from the memory and sends controls there. Frees its library from the memory using a function FreeLibrary. Rewrites its file with trash data, deletes it, and then again passes control to the first export but with an installed flag “launched from the memory”.
The preventive control of the restart is performed only using Mutex, whose name is calculated on the basis of the name of the infected computer and hash of the malicious program image in the memory.
Checks the availability of a file C:\Windows\cscc.dat. If it is detected, the Trojan shuts down.
If SeDebugPrivilege is present, extracts from compressed sources a driver, which complies with the system bitness:
The extracted driver is saved in a file to C:\Windows\cscc.dat.
Then the encoder tries to shut down the running process rundll32.exe. Extracts from the sources a file with SHA1 afeee8b4acff87bc469a6f0364a81ae5d60a2add and saves it to C:\Windows\dispci.exe or %ALLUSERSPROFILE%\dispci.exe depending on the processes launched in the system. In the Task Manager, deletes a task “rhaegal” by executing the command “schtasks /Delete /F /TN rhaegal” and once again creates a task with the same name in order to launch dispci.exe with command-line parameters “-id %randomNumber%”. After that it registers a system service with a name “cscc”, a description “Windows Client Side Caching DDriver” to launch cscc.dat via execution of CreateService. If the Trojan fails to register this service, it attempts to create a service with a name “cdfs” by modifying the system registry. After that, the Trojan creates a task called “drogon” to restart the computer.
The Trojan runs two threads: the first one is used to wait for the session completion via GetSystemMetrics and to clear logs Setup, System, Security and Application via wevtutil, it also clears the USN log of the disk C via fsutil usn deletejournal. It also deletes the task “drogon”. The second thread collects IP addresses of network servers for the following spreading of the worm.
The Trojan extracts the Mimikatz tools to intercept passwords of open Windows sessions. Depending on an operating system’s capacity, the Trojan unpacks the respective version of the tool.
The respective tool is saved with an arbitrary name to the C:\Windows folder, and then it is launched. Then the malicious program searches for network folders available for writing, tries to open them using the obtained account data and saves its copy there.
The Trojan generates 0x21 bites of arbitrary data, transcribes them to 0x20 of printed symbols, and on the basis of the resulting string forms a key for AES. One key is used to encrypt all files. This key along with the system information is encrypted with the public RSA key stored in the Trojan and saved to a file with a ransom demands. At the present moment, decryption of files is impossible.
Trojan.BadRabbit.2
Trojan.BadRabbit.3
Según las estadísticas, cada quinto programa para el SO Android tiene vulnerabilidades, lo cual les permite a los malintencionados implementar los troyanos móviles en el dispositivo y realizar las acciones necesarias.
Auditor de seguridad en Dr.Web para Android diagnosticará y analizará la seguridad de un dispositivo móvil, ofrecerá soluciones para resolver los problemas y las vulnerabilidades encontrados.