Win32/Virlock - the first self-propagating ransomware

    The Win32/Virlock malware is the first ransomware known to date that specializes in infecting executable files; that is, it behaves like a file virus. Virlock can lock the user's desktop with a ransom demand, encrypt the user's files, and also propagate its body as a polymorphic virus.



    The ransomware families we observed earlier fall into two large groups: screen lockers (LockScreen) and file encryptors (Filecoder). In the first case the ransomware blocks the user's access to the desktop until a ransom is paid; in the second it encrypts the user's files, making them unusable. The ransom demand may appear as the desktop wallpaper, as an opened text file, or in a plain window (as is the case with Cryptolocker).

    In some cases the ransomware takes a hybrid approach and combines both features: blocking access to the desktop or device is accompanied by encryption of the files on it. The malicious code then uses special mechanisms to prevent the window it displays from being closed. An example of such a program is the Android/Simplocker ransomware.

    In October we recorded a new kind of ransomware. The Win32/Virlock malware could lock the user's desktop with a ransom demand, encrypt files, and also infect executable files as a polymorphic virus by embedding its own code in them. Recently we discovered several new modifications of this virus, which indicates that the attackers are actively developing it. The Virlock code demonstrates the high level of technical skill of its authors.

    Win32/Virlock uses an unusual trick to encrypt files. Instead of the usual method of encrypting the bytes of the entire file or of its beginning, the file is converted into an executable to which the Virlock code is added. The malicious program targets the following file types: *.exe, *.doc, *.xls, *.zip, *.rar, *.pdf, *.ppt, *.mdb, *.mp3, *.mpg, *.png, *.gif, *.bmp, *.p12, *.cer, *.psd, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.wma, *.jpg, *.jpeg. Virlock is also able to infect files on network drives and removable media.

    When a non-executable file is infected (encrypted), Virlock creates a new Win32 PE executable for it, into which the virus code and the encrypted contents of the document are written. The original file is deleted, and the new one appears in its place with the same name plus an added .exe extension. When such a file is launched, it decrypts the original file, writes it to the current directory, and opens it.

    Running a Virlock-infected file results in the creation of two new files, which are similar to the original dropper but, because of polymorphism, contain different executable code. One file is created in the %userprofile% directory and the second in %allusersprofile%. To ensure it is started on boot, the malware writes the path to its file in the Run registry key of both HKLM and HKCU. We also observed Virlock modifications that extracted a third executable from themselves; it was registered as a service. These extracted files were responsible for the further infection of files on the system.
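    As an added, defender-side illustration of the two artefacts just described (example code written for this page, not ESET's or Virlock's own code), the Python below hunts a directory listing for documents that were replaced by a same-named file with .exe appended, using the extension list given above, and scans `reg query` output of the Run keys for autostart entries whose executable sits directly in a user profile root or in %allusersprofile% (assumed here to resolve to C:\ProgramData). The listing, the registry output and the random-looking file names are constructed samples.

```python
import re

# Extensions the article lists as Virlock infection targets.
TARGET_EXTS = {
    "exe", "doc", "xls", "zip", "rar", "pdf", "ppt", "mdb", "mp3", "mpg",
    "png", "gif", "bmp", "p12", "cer", "psd", "crt", "pem", "pfx", "p7b",
    "wma", "jpg", "jpeg",
}

# "<name>.<original extension>.exe": the shape of an infected non-PE file.
DOUBLE_EXT = re.compile(r"^.+\.(?P<ext>[A-Za-z0-9]+)\.exe$", re.IGNORECASE)


def find_renamed_documents(paths):
    """Return paths that look like a document replaced by a same-named .exe.

    A hit needs the inner extension to be a Virlock target and the original
    (the path without the trailing .exe) to be absent from the listing, which
    is the effect of Virlock deleting the original and writing the new PE in
    its place. Infected PE files keep their name, so they are not found here.
    """
    present = {p.lower() for p in paths}
    hits = []
    for p in paths:
        name = re.split(r"[\\/]", p)[-1]
        m = DOUBLE_EXT.match(name)
        if not m or m.group("ext").lower() not in TARGET_EXTS:
            continue
        if p[:-len(".exe")].lower() not in present:
            hits.append(p)
    return hits


# One "<name>  REG_SZ  <value>" line of `reg query ...\Run` output.
RUN_VALUE = re.compile(r"^\s*(?P<name>\S+)\s+REG_(?:EXPAND_)?SZ\s+(?P<value>.+?)\s*$")
# The executable at the start of a Run value, quoted or not.
EXE_PATH = re.compile(r'^"?(?P<path>[^"]+?\.exe)', re.IGNORECASE)
# Directories the article names: %userprofile% itself and %allusersprofile%
# (assumed here to resolve to C:\ProgramData).
PROFILE_ROOT = re.compile(r"^[A-Za-z]:\\(?:Users\\[^\\]+|ProgramData)$", re.IGNORECASE)


def find_profile_root_run_entries(reg_query_output):
    """Return (value name, exe path) for Run entries launched straight from a profile root."""
    hits = []
    for line in reg_query_output.splitlines():
        m = RUN_VALUE.match(line)
        if not m:
            continue
        pm = EXE_PATH.match(m.group("value"))
        if not pm:
            continue
        path = pm.group("path")
        parent = path.rsplit("\\", 1)[0]
        if PROFILE_ROOT.match(parent):
            hits.append((m.group("name"), path))
    return hits


# Constructed directory listing: two documents were replaced, tool.zip survived.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\report.doc.exe",
    r"C:\Users\alice\Documents\budget.xls",
    r"C:\Users\alice\Pictures\holiday.jpg.exe",
    r"C:\Users\alice\Downloads\setup.tmp.exe",   # .tmp is not a target extension
    r"C:\Users\alice\Desktop\tool.zip.exe",
    r"C:\Users\alice\Desktop\tool.zip",          # original still present: not the Virlock pattern
]

# Constructed `reg query` output; the random-looking value names are made up.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    WbmlHjpT    REG_SZ    C:\Users\alice\WbmlHjpT.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    QkcvAzdR    REG_SZ    C:\ProgramData\QkcvAzdR.exe
"""

if __name__ == "__main__":
    for hit in find_renamed_documents(SAMPLE_LISTING):
        print("renamed document:", hit)
    for name, path in find_profile_root_run_entries(SAMPLE_REG_QUERY):
        print("profile-root autostart:", name, "->", path)
```

    Both checks are heuristics: a surviving original next to its .exe twin is treated as benign, and an infected PE file keeps its own name, so the listing check only catches the document case; the Run-key check catches the two dropped copies but not the service-based variant mentioned above.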

    Part of the ransomware code is responsible for displaying the lock screen to the user, using self-defense methods that have already become typical, including killing the Explorer and Task Manager processes.


    Fig. The lock screen of one of the modifications of the malware.

    The message in the lock window contains a warning text for the user and demands payment of the ransom in bitcoins. Recently we wrote about another ransomware, TorrentLocker, which also extorts money from users in this cryptocurrency. Below is the lock screen of the newer version of Virlock; it allows the user to run a web browser and Notepad.


    Fig. Another kind of lock screen. The payment tab is displayed.


    Fig. Tab with information about working with bitcoins, for the case of Canada.

    The malicious code responsible for displaying the lock screen is able to partially localize the interface of the lock window. To do this it connects to google.com and analyzes the domain to which it is redirected, for example google.com.au, google.ca, google.co.uk or google.co.nz. The GetUserGeoID function is also used. For the countries corresponding to these domains, the country's flag, the value of bitcoin and the current exchange rate of the national currency are displayed.

    From a technical point of view, the most interesting parts of the malware are the file infection mechanism and its polymorphism. Virlock's polymorphism ensures that the malware body is unique in every infected file. Virlock uses several layers of file encryption.

    The Virlock executable includes special code that we call the XOR stub builder. It is stored in the file unencrypted. The rest of the malware data and code, as well as the data of the original file (when we are dealing not with the original dropper but with an infected file), are encrypted.

    The XOR stub builder consists of eight blocks of code and is used to generate the XOR instructions that will decrypt the file data. One of these blocks is shown in the figure below.


    Fig. XOR stub builder code block.

    The XOR stub builder code blocks are polymorphic, that is, they differ from one infected file to another. In every case, executing a block produces a specific double word (DWORD) and writes it at a fixed offset in memory. Together these DWORDs form the XOR stub, i.e. the sequence of XOR instructions that decrypts the rest of the file.

    We mentioned the layered approach that Virlock uses when encrypting a file. In this scheme the XOR stub decrypts a small section of the executable's code (Part 1), which consists of several functions. The screenshot below shows a fragment of the XOR stub code. In this sample the decryption key is 0x6B130E06 and the size of the decrypted part is 0x45C bytes.


    Fig. The XOR stub code. Control is then transferred to the decrypted code block of 0x45C bytes.

    An interesting feature of Virlock is the structure of its decrypted code (Part 2). Almost every function in it is itself encrypted and starts with a stub that decrypts the function's own code. This significantly complicates analysis, since the function code cannot be examined directly in a disassembler. The stub code is fairly simple and uses XOR to decrypt the function body. After the function has executed, its code in memory is encrypted again, this time with a new key. The figure below shows an example of such code: the rdtsc instruction is used to obtain the encryption key, and XOR is then applied to several variables and to the function body.


    Fig. The code that encrypts the function body after its execution.

    This malware feature can be called run-time polymorphism: when several copies of it are run, the memory dumps of the executable will differ.

    Decrypting Part 2 involves a second decryption procedure. As mentioned, Part 1, which is decrypted by the XOR stub, in turn decrypts the rest of the malware file and the contents of the infected file, if present. This decryption procedure applies the cyclic right shift (ROR) operation. The decryption key is hard-coded in the body of the malicious program.

    Thus, Virlock uses a three-level encryption scheme:

    • The first part (Part 1) of the malware code is decrypted by the XOR stub code, which in turn is generated by the XOR stub builder.
    • The second part (Part 2) of the malware code is decrypted by the first part (Part 1).
    • Each function of the second part (Part 2) is encrypted and is decrypted by its own stub, located at the very beginning of the function. After the function has executed, its code in memory is encrypted again.
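    As an added illustration from the analyst's side (example code written for this page, not code from the original post, from ESET or from the malware), the following Python emulates the two file-level layers of the scheme just summarized: the XOR stub over Part 1, using the key 0x6B130E06 and size 0x45C quoted above, and the ROR-based routine that Part 1 applies to the rest of the file. The article does not give the ROR key or exactly how it is applied, so using the key as a per-DWORD rotation count (ROR_KEY) is an assumption, as are the constructed plaintexts standing in for Part 1, Part 2 and the embedded document. The per-function third level is not modelled.

```python
import struct

MASK32 = 0xFFFFFFFF


def ror32(x, n):
    """Rotate a 32-bit value right by n bits (x86 ROR semantics for n in 0..31)."""
    n &= 31
    return ((x >> n) | (x << (32 - n))) & MASK32


def rol32(x, n):
    """Rotate a 32-bit value left by n bits; the inverse of ror32 for the same n."""
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK32


def _map_dwords(data, fn):
    """Apply fn to every little-endian DWORD of data; a tail shorter than 4 bytes is kept as is."""
    out = bytearray(data)
    end = len(out) - len(out) % 4
    for off in range(0, end, 4):
        (dw,) = struct.unpack_from("<I", out, off)
        struct.pack_into("<I", out, off, fn(dw))
    return bytes(out)


def xor_stub_decrypt(data, key, size):
    """Level 1: what the generated XOR stub does to Part 1.

    XORs the first `size` bytes with the 32-bit key, one DWORD at a time. The
    article's sample uses key 0x6B130E06 and size 0x45C. XOR is its own inverse,
    so the same call also encrypts.
    """
    head = _map_dwords(data[:size], lambda dw: dw ^ key)
    return head + data[size:]


def ror_layer_decrypt(data, key):
    """Level 2: the ROR-based routine in Part 1 that decrypts Part 2 and the
    embedded document. The article says only that it is a cyclic right shift
    with a hard-coded key; using the key as the per-DWORD rotation count is an
    assumption made for this example."""
    return _map_dwords(data, lambda dw: ror32(dw, key))


def ror_layer_encrypt(data, key):
    """Inverse of ror_layer_decrypt, used here only to build the constructed sample."""
    return _map_dwords(data, lambda dw: rol32(dw, key))


def unpack_layers(blob, part1_size, xor_key, ror_key):
    """Peel both file-level layers off a blob laid out as
    [Part 1, XOR-encrypted][Part 2 + document, ROR-encrypted]."""
    part1 = xor_stub_decrypt(blob[:part1_size], xor_key, part1_size)
    rest = ror_layer_decrypt(blob[part1_size:], ror_key)
    return part1, rest


# Values quoted in the article for the analysed sample.
XOR_KEY = 0x6B130E06
PART1_SIZE = 0x45C
# Assumed rotation count; the article does not give the ROR key's value.
ROR_KEY = 0x0B

# Constructed plaintexts standing in for Part 1 code and for Part 2 plus an
# embedded document (not real Virlock bytes). The odd length exercises the tail.
PART1_PLAIN = bytes((i * 7 + 3) & 0xFF for i in range(PART1_SIZE))
PART2_PLAIN = b"PART2-CODE:" + b"\x90" * 37 + b"|DOC:%PDF-1.4 constructed sample document\n"


def build_constructed_sample():
    """Apply the inverse of each layer so that unpack_layers() recovers the plaintexts."""
    enc1 = xor_stub_decrypt(PART1_PLAIN, XOR_KEY, PART1_SIZE)
    enc2 = ror_layer_encrypt(PART2_PLAIN, ROR_KEY)
    return enc1 + enc2


if __name__ == "__main__":
    blob = build_constructed_sample()
    part1, rest = unpack_layers(blob, PART1_SIZE, XOR_KEY, ROR_KEY)
    print("Part 1 recovered:", part1 == PART1_PLAIN)
    print("Part 2 + document recovered:", rest == PART2_PLAIN)
    print("embedded document:", rest.split(b"|DOC:")[1].decode().strip())
```

    Against a real sample the key, size and layout would be read from the stub and Part 1 in the disassembler rather than taken from constants, and the recovered Part 2 would still contain the per-function stubs of the third level.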

    Virlock's file polymorphism (file infection) is implemented by code in the second part. When the corresponding function receives control, it copies the body of the malicious program to an allocated memory region. File polymorphism is thus a consequence of run-time polymorphism, since the copied body has already been modified by the encryption algorithms and code modifications of the second-part functions that executed before the infection code. This copied code is then re-encrypted in accordance with the levels described above: the copied second part, together with the contents of the file being infected, is encrypted with new keys. After that, a block of XOR stub builder functions is formed in memory, which will be responsible for decrypting the first part.

    Having completed these steps, Virlock writes the generated file, which contains the encrypted body of the virus and the original file data, to disk, overwriting the original file. If the infected file was not a PE executable, an .exe extension is appended to its name after the existing extension.

    Conclusion

    Our LiveGrid telemetry shows that a small number of users have been infected with Virlock; their number is not comparable with the number infected by TorrentLocker or other similar ransomware. However, an analysis of the transactions on the specified Bitcoin account shows that some victims have already paid the ransom to the attackers.
