2025-04-30 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
Tencent Security Team's in-depth analysis of the WannaCry worm
Background:
On May 12, 2017, the WannaCry worm broke out worldwide through the MS17-010 vulnerability, infecting a large number of computers. After infecting a computer, the worm plants ransomware on it, which encrypts a large number of the computer's files. This article analyzes the worm in detail.
Overview:
* WannaCry uses the "EternalBlue" exploit from the recently leaked Equation Group toolkit to scan for hosts with the vulnerable port and attack them. Once a target machine is successfully compromised, it downloads WannaCry from the attacking machine and becomes infected, then acts as an attacking machine itself, scanning the Internet and other LAN hosts again, which caused the worm to spread on a large scale and extremely fast.
* The worm's parent (dropper) is mssecsvc.exe. After running, it scans Internet machines at random IPs and attempts to infect them, and also scans machines on the local network segment to spread the infection. In addition, it drops the ransomware program tasksche.exe, which encrypts the disk files and demands a ransom.
* Files are encrypted with AES, and the random key is encrypted with RSA-2048, an asymmetric algorithm. Each file uses its own random key, so the encryption cannot be broken in theory without the private key.
Detailed analysis: mssecsvc.exe behavior:
1. Kill switch:
* The worm has a network kill switch: if the local machine can successfully access http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, the process exits and stops spreading. The domain has since been registered and taken over by security companies.
2. Worm behavior:
It creates a service to start itself, so it runs again at every boot.
It reads the MS17-010 exploit code from the trojan itself; the payload comes in x86 and x64 versions.
It creates two threads that scan IP addresses on the internal network and on the external network respectively, starting the worm's propagation.
For the public network, it scans port 445 on random IP addresses for infection.
For the local area network, it directly scans the network segment the current computer is on for infection.
During the infection process it tries to connect to port 445.
If the connection succeeds, it attempts to exploit the vulnerability on that address.
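As an added example that is not part of the Tencent report, the two worm indicators described above, a lookup of the kill-switch domain and fan-out of connections to port 445, checked over constructed log lines; the log format, the sample lines and the scan threshold are assumptions made for this illustration.

```python
import ipaddress
import re
from collections import defaultdict

KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
SCAN_THRESHOLD = 5  # distinct 445/tcp targets from one host before flagging it (assumed tuning)

# Constructed sample log, one event per line: "<time> <src_ip> <event> <detail>".
# This is a simplified made-up format, not the output of any real sensor.
SAMPLE_LOG = """\
2017-05-12T10:01:02 10.0.0.5 dns_query www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T10:01:03 10.0.0.5 tcp_syn 198.51.100.7:445
2017-05-12T10:01:03 10.0.0.5 tcp_syn 203.0.113.40:445
2017-05-12T10:01:04 10.0.0.5 tcp_syn 192.0.2.9:445
2017-05-12T10:01:04 10.0.0.5 tcp_syn 10.0.0.12:445
2017-05-12T10:01:05 10.0.0.5 tcp_syn 10.0.0.13:445
2017-05-12T10:01:05 10.0.0.5 tcp_syn 10.0.0.14:445
2017-05-12T10:02:00 10.0.0.9 dns_query www.example.com
2017-05-12T10:02:01 10.0.0.9 tcp_syn 10.0.0.20:445
2017-05-12T10:02:07 10.0.0.9 tcp_syn 10.0.0.20:445
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (dns_query|tcp_syn) (\S+)$")

def analyze(log_text, threshold=SCAN_THRESHOLD):
    """Return hosts that looked up the kill-switch domain and hosts fanning out on 445/tcp."""
    kill_switch_hosts = set()
    targets_445 = defaultdict(lambda: {"internal": set(), "external": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the constructed format
        _, src, event, detail = m.groups()
        if event == "dns_query" and detail.lower().rstrip(".") == KILL_SWITCH_DOMAIN:
            kill_switch_hosts.add(src)  # the worm ran here; it only stops if the lookup succeeds
        elif event == "tcp_syn":
            dst, _, port = detail.rpartition(":")
            if port != "445":
                continue
            scope = "internal" if ipaddress.ip_address(dst).is_private else "external"
            targets_445[src][scope].add(dst)
    # The worm scans random public IPs and the local segment from two threads, so a host with
    # many distinct 445 targets (especially external ones) is a strong propagation signal.
    scanners = {src for src, t in targets_445.items()
                if len(t["internal"]) + len(t["external"]) >= threshold}
    return {"kill_switch_lookups": kill_switch_hosts, "smb_scanners": scanners}
```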
3. Dropping the ransomware
tasksche.exe behavior (ransomware):
It decompresses and drops a large number of ransomware modules and configuration files; the archive password is WNcry@2ol7.
First, it terminates specified processes so that important files are not held open and can be encrypted.
It traverses the disk files, skipping directories whose path contains any of the following strings:
\ProgramData
\Intel
\WINDOWS
\Program Files
\Program Files (x86)
\AppData\Local\Temp
\Local Settings\Temp
This folder protects against ransomware. Modifying it will reduce protection
It also avoids encrypting the ransom instructions dropped by the trojan itself.
[Figure: encryption flow chart]
It traverses the disk and encrypts files with the following 178 extensions:
.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der
Two RSA-2048 public keys are built into the program for encryption. One of them has its paired private key embedded as well, and is used to demonstrate that files can be decrypted; the other is the real encryption key, and no matching private key exists in the program.
* A 256-byte key is randomly generated for each file, and a copy of it is encrypted with the RSA-2048 public key built into the program.
A file header is constructed containing a marker, the key size, the RSA-encrypted key, the original file size, and other information.
The file content is encrypted with AES in CBC mode and written after the constructed file header, and the result is saved as a file with a .WNCRY extension. The original file is overwritten with random data and then deleted to prevent data recovery.
After all files are encrypted, the ransom instructions are dropped and the ransom interface is displayed, demanding payment of hundreds of dollars' worth of bitcoin to a specified bitcoin wallet address. Three bitcoin wallet addresses are hard-coded in the program:
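The file container described above, as an added example that is not part of the original report: a parser that recognises a .WNCRY file, extracts the RSA-encrypted per-file key and checks the header for consistency, which is useful when triaging an infected disk. The field layout (8-byte marker "WANACRY!", 4-byte key length, the RSA blob, 4-byte encryption type, 8-byte original size, all little-endian) follows public analyses of the format and is an assumption here, as is the synthetic sample file built by build_sample().

```python
import struct

MAGIC = b"WANACRY!"   # 8-byte marker at the start of every encrypted file (assumed from public write-ups)
ENC_TYPE_AES_CBC = 4  # value observed in the type field for AES-CBC content (assumed)

def parse_wncry(data: bytes) -> dict:
    """Parse a .WNCRY header and return its fields plus where the AES-CBC ciphertext starts."""
    if len(data) < 12 or data[:8] != MAGIC:
        raise ValueError("not a WannaCry-encrypted file (marker missing)")
    key_len = struct.unpack_from("<I", data, 8)[0]       # size of the RSA-encrypted AES key
    off = 12
    enc_key = data[off:off + key_len]                    # per-file key, encrypted with the RSA-2048 public key
    off += key_len
    if len(data) < off + 12 or len(enc_key) != key_len:
        raise ValueError("truncated header")
    enc_type, orig_size = struct.unpack_from("<IQ", data, off)
    off += 12
    body = data[off:]
    # AES-CBC output is whole 16-byte blocks and must hold at least the original content.
    if len(body) % 16 != 0 or len(body) < orig_size:
        raise ValueError("ciphertext length inconsistent with AES-CBC and the stored original size")
    return {"key_len": key_len, "enc_key": enc_key, "enc_type": enc_type,
            "orig_size": orig_size, "body_offset": off, "cipher_len": len(body)}

def build_sample(orig_size: int, rsa_blob: bytes = b"\x11" * 256) -> bytes:
    """Constructed sample: a synthetic container with dummy bytes, not real ransomware output."""
    padded = (orig_size // 16 + 1) * 16                  # PKCS#7-style padding always adds at least one byte
    return (MAGIC + struct.pack("<I", len(rsa_blob)) + rsa_blob
            + struct.pack("<IQ", ENC_TYPE_AES_CBC, orig_size) + b"\x00" * padded)
```

Because every file carries its own RSA-encrypted key, the enc_key blobs from two victim files should differ; identical blobs across files would indicate a different sample or format.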
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Decryption program:
* A private key paired with one of the two public keys is built into the decryption program. It can decrypt the few files that were encrypted with that public key, to "prove" to the user that the program can decrypt files and induce the user to pay bitcoin.
The program then checks whether a "00000000.dky" file exists locally; this is the private key file needed for real decryption. If it exists, the key file is validated by decrypting the test file.
If the key is correct, decryption proceeds. If the key is wrong or the file does not exist, the program checks whether taskhsvc.exe exists in the extracted Tor directory; if not, the file is generated and CreateProcessA is called to launch it.
This program is essentially a Tor anonymous proxy tool. When started, it listens on local port 9050, and the ransomware communicates with its server through this local proxy.
After the user clicks the "Check Payment" button, the server decides whether to issue the private key needed for decryption. If it is issued, the dky file required for decryption is generated locally.
The program can then decrypt the files using the dky file. So far, however, there have been no confirmed cases of successful decryption.
List of dropped files and their functions:
B.wnry: desktop wallpaper shown after infection
C.wnry: configuration file, including the onion domain names, bitcoin addresses, Tor download address, etc.
R.wnry: prompt file containing the notice shown to infected users
S.wnry: zip archive containing the Tor client
T.wnry: test file
U.wnry: decryption program
F.wnry: list of files that can be decrypted without payment
Security recommendations:
Because of several earlier incidents exploiting port 445 sharing vulnerabilities, network operators have closed port 445 for individual users. Campus networks are independent and have no such restriction, and patches were not applied in time, which is why so many campus network users were hit in this incident. Tencent PC Manager provides the following security advice:
1. Close ports 445 and 139. For details, see http://mp.weixin.qq.com/s/7kArJcKJGIZtBH1tKjQ-uA.
2. Download and install the patch to fix the vulnerability in time (Microsoft has urgently released patches for XP, Win8, Windows Server 2003 and other systems, and all mainstream systems are now covered; please update immediately).
XP, Windows Server 2003, Win8 and other systems: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
Win7, Win8.1, Windows Server 2008, Windows 10, Windows Server 2016: https://technet.microsoft.com/zh-cn/library/security/ms17-010.aspx
3. Install Tencent PC Manager; it automatically enables active defense to intercept and remove the worm.
4. Paying bitcoin cannot decrypt the files; do not pay, keep the encrypted files, and wait for a decryption solution.
Original address: http://www.freebuf.com/articles/system/134578.html