Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security Case Study 2016: Petya - taking ransomware to the low level

hasherezade
September 14, 2016

Security Case Study 2016: Petya - taking ransomware to the low level

hasherezade

September 14, 2016
Tweet

More Decks by hasherezade

Other Decks in Research

Transcript

  1. PETYA – taking
    ransomware to the low
    level
    Hasherezade

    View Slide

  2. Agenda
    •Ransomware – introduction and overview
    •Petya – what is different?
    •Brief analysis
    •Walk throught the evolution
    •Defeating the first version
    •Defeating the second version
    •Status for today

    View Slide

  3. Ransomware – introduction and overview
    General idea:
    Forcing a victim to pay the
    ransom by blocking access to
    the files
    The most popular type of malware this year

    View Slide

  4. Ransomware – introduction and overview
    0
    50000
    100000
    150000
    200000
    250000
    300000
    350000
    Ransomware detections per month
    Petya 5887
    Cerber 357462

    View Slide

  5. Ransomware – introduction and overview
    What is a typical ransomware?
    Example: Cerber
    Original file Encrypted file

    View Slide

  6. Ransomware – introduction and overview
    Instructions for the victim are displayed on the screen as a ransom note:

    View Slide

  7. Ransomware – introduction and overview
    So many types! Easy to get lost...
    https://id-ransomware.malwarehunterteam.com

    View Slide

  8. Almost all the ransomware encrypts files
    one by one
    Petya attacks bootloader, and then
    encrypts low-level structures on the
    disk (Master File Table) – making files
    inaccessible
    Petya – how is it different?

    View Slide

  9. Infection process
    •Dropper (Windows EXE),
    overwrites the disk’s beginning
    •Petya kernel – perform the disk
    encryption (but: not the full disk
    as the authors claim)

    View Slide

  10. Low-level infection
    MBR is overwritten by a custom, Petya’s bootloader

    View Slide

  11. Low-level infection
    Ransom note is written straight on the disk (not as a file)

    View Slide

  12. Low-level infection
    NOT full disk is encrypted. Still we can find readable elements

    View Slide

  13. Infection steps
    Attachment with
    the malicious
    dropper
    Run with the Administrator priviledges
    Disk encryption

    View Slide

  14. • Generates 16 byte long random key – it will be used for disk encryption
    • Encrypts that random key by a hardcoded public key
    • Converts encrypted content into Base58
    • Encrypts MBR by XOR z 0x7 (0x37 in version 1) and moves it into another sector
    • Overwrites disk’s beginning with Petya’s code
    • Overwrites MBR with custom bootloader
    • Prepares verification sector
    • Prepares data sector storing: generated random key and it’s encrypted form (will be displayed later as the user ID), etc
    Stage 1: dropper

    View Slide

  15. Stage 1: dropper
    Sector with data written to the disk by the dropper (at Stage 1):

    View Slide

  16. Stage 2: kernel
    • Fetches to the memory the key generated in the Stage 1
    • Erase that key from the data sector
    • Encrypts verification sector and the next part of the disk (MFT) with the help of
    given key and the algorithm Salsa 20

    View Slide

  17. Stage 2: kernel
    Sector with data after the Stage 2:

    View Slide

  18. Stage 2 completed

    View Slide

  19. •Walk throught the evolution
    •24 March – version 1 (Red), first
    publication: GData
    •12 May - version 2 (Green), paired with
    ransomware Mischa
    •15 June - version 3 (looks like 2, but
    improved)

    View Slide

  20. Defeating the first version
    •Mistakes in implementation of Salsa20 (publications: TG Soft,
    Checkpoint)
    •Tool for cracking the key, author: @leo_and_stone
    •A clone of Leo’s tool, working as Live CD (authors: me, AlexWMF,
    m0rb)
    •Cracking takes from few seconds to few minutes
    „ Petya uses only 8 on 16
    Byte entered for the initial
    key, this will permit to
    obtain a way more easy
    the key used to cipher the
    MFT.”
    source:
    http://www.tgsoft.it/engli
    sh/news_archivio_eng.asp
    ?id=718
    @VirITeXplorer (TG Soft)
    https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/

    View Slide

  21. Mistakes in Salsa20 - v 1
    Detailed analysis:
    https://blog.malwarebytes.com/threat-analysis/2016/05/petya-and-mischa-ransomware-duet-p1/
    static uint16_t rotl(uint16_t value, int16_t shift)
    {
    return (value << shift) | (value >> (32 - shift));
    }
    ERROR! Units should be 32 bit long, not 16 bit
    long!
    AH AL
    8 bits 8 bits 8 bits 8 bits
    AX=16bits
    EAX=32bits

    View Slide

  22. Mistakes in Salsa20 - v 1
    Detailed analysis:
    https://blog.malwarebytes.com/threat-analysis/2016/05/petya-and-mischa-ransomware-duet-p1/
    ERROR! Units should be 32 bit long, not 16 bit
    long!
    void s20_hash(uint8_t seq[64])
    {
    int i;
    uint16_t x[16];
    uint16_t z[16];
    for (i = 0; i < 16; ++i)
    x[i] = z[i] = s20_littleendian16(seq + (4 * i));
    for (i = 0; i < 10; ++i)
    {
    s20_doubleround(z);
    }
    for (i = 0; i < 16; ++i) {
    z[i] += x[i];
    s20_rev_littleendian_orig(seq + (4 * i), z[i]);
    }
    }

    View Slide

  23. Mistakes in Salsa20 - v 1
    Detailed analysis:
    https://blog.malwarebytes.com/threat-analysis/2016/05/petya-and-mischa-ransomware-duet-p1/
    ERROR! Units should be 32 bit long, not 16 bit
    long!
    static uint16_t s20_littleendian(uint8_t *b)
    {
    return b[0] +
    (b[1] << 8);
    }

    View Slide

  24. Mistakes in Salsa20 - v 1
    hpLehdbjdcVaMDGj
    hxLxhxbxdxVxMxGx
    Every second character matters
    8 characters to crack
    (out of 54 character set)

    View Slide

  25. Cracking the key - v 1
    •Brutforce possible, but...
    •Leo_and_Stone found a better solution:
    genetic algorithms
    54^8 = 72301961339136
    vs
    54^16 = 5.2275736134859E+27
    Challenge:
    Find the key: 8 characters out of 54
    character set

    View Slide

  26. Cracking the key - v 1
    https://www.youtube.com/watch?v=OllHO6J6zvA
    file:///home/tester/Documents/found_key.png

    View Slide

  27. Defeating the second version
    •Mistake in implementation of Salsa20 (found by
    me)
    •GPU-based bruteforce decoder implemented by
    @procrash
    •Cracking takes about 3 days

    View Slide

  28. Mistake in Salsa20 - v 2
    static int16_t s20_littleendian(uint8_t *b)
    {
    return b[0] +
    (b[1] << 8);
    }
    Detailed analysis:
    https://blog.malwarebytes.com/threat-analysis/2016/05/petya-and-mischa-ransomware-duet-p1/
    Size of the unit didn’t changed – it’s only
    extended by the sign bit (unint16_t -> int16_t)

    View Slide

  29. Mistake in Salsa20 - v 2
    static int16_t s20_littleendian(uint8_t *b)
    {
    return b[0] +
    (b[1] << 8);
    //...
    }
    static uint32_t s20_littleendian(uint8_t *b)
    {
    return b[0] +
    (b[1] << 8)} +
    (b[2] << 16) +
    (b[3] << 24);
    Version form Petya #2:
    From the valid Salsa20:

    View Slide

  30. Mistake in Salsa20 - v 2
    sHbGrSTkpCrhoKRt
    sHxxrSxxpCxxoKxx
    Every second PAIR of characters
    matters
    8 characters to crack
    (out of 54 character set)

    View Slide

  31. Cracking the key v 2
    •No longer the genetic approach works... 
    •Let’s try brutforce then...
    •Implementation: @procrash
    54^8 = 72301961339136
    vs
    54^16 = 5.2275736134859E+27
    Challenge:
    Find the key: 8 characters out of 54
    character set

    View Slide

  32. Status for today
    •The current version (3) uses valid Salsa20
    • https://blog.malwarebytes.com/threat-analysis/2016/07/third-time-unlucky-
    improved-petya-is-out/
    •Autor rents Petya to other criminals by an affiliate
    program
    •Recently deployed in Poland
    • https://www.cert.pl/news/single/kolejna-odslona-kampanii-komornika-
    sadowego-ransomware-petya-mischa/

    View Slide

  33. Status for today: chances to brutforce the v 3?
    Version 1 & 2:
    8 characters matters, i.e.
    Version 3:
    16 characters matters, i.e.
    hxLxhxbxdxVxMxGx
    sHxxrSxxpCxxoKxx
    https://password.kaspersky.com/
    https://www.betterbuys.com/estimating-password-cracking-times/

    View Slide

  34. Copycats: Satana ransomware
    https://blog.malwarebytes.com/threat-analysis/2016/06/satana-ransomware/

    View Slide

  35. Solutions?
    Better to prevent rather than to cure!

    View Slide

  36. Questions? Remarks?
    More:
    https://blog.malwarebytes.com/?s=petya
    https://hshrzd.wordpress.com/?s=petya

    View Slide

  37. Thank you!

    View Slide