2025-02-25 Update From: SLTechnology News & Howtos, Network Security
Shulou (Shulou.com) 05/31 Report
How do you analyze and detect the Rapid ransomware? This article walks through the analysis in detail, in the hope that it helps readers facing the same problem find a simple and workable approach.
Ransomware has long been a hot topic in the security industry. Security researchers recently discovered a ransomware family named Rapid that uses RSA and AES to encrypt files. It not only encrypts the files already on the computer, but also encrypts files created after it starts running. This article analyzes the Rapid sample in detail: its encryption mechanism and the structure of the files it produces.
1. Overview
When the Rapid sample runs, it creates multiple threads that continuously scan the file system and encrypt files, so it not only encrypts the files already on the computer but also catches files created afterwards. Each encrypted file gets the extension ".rapid" appended to its name and grows by 0x4D0 bytes.
In every folder it encrypts, the sample drops a ransom note named "How Recovery Files.txt" containing the e-mail address the victim is told to contact for payment instructions. When the computer is restarted, a ransom note named "recovery.txt", with the same content as "How Recovery Files.txt", pops up automatically.
2. Detailed analysis
The Rapid sample was first run through the LanyEye (Blue Eye) next-generation threat awareness system, which flags it as high-risk:
The sample was then reverse-engineered.
First, the program calls ShellExecuteA to run the commands shown in the figure:
These commands do three things. They delete the Windows shadow copies, so the victim cannot use them to restore files. They disable system repair and automatic recovery: the ransomware may encrypt driver files and cause repeated crashes, so disabling repair and ignoring boot errors reduces the chance that a crash interrupts it. And they terminate the oracle.exe, sqlite.exe and sql.exe processes, which both frees memory and releases the locks these database processes hold on their data files, so those files can be encrypted too.
The program then sets up persistence: under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run it creates two values, Encrypter with the data "%AppData%\Roaming\info.exe" and userinfo with the data "%AppData%\Roaming\recovery.txt". "info.exe" is a copy of the ransomware itself, and "recovery.txt" is the ransom note with the same content as the "How Recovery Files.txt" file mentioned above. Because the second Run entry points at a text file, Windows opens the note at every logon, which is the pop-up described in the overview.
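The persistence and key-storage artifacts described above are easy to check for on a suspect host. The following Python is an added example, not code from the article or from the malware: the checks are pure functions over value-name-to-data mappings so they run on any OS against the constructed sample below, and collect_live() reads the real HKCU keys with winreg when run on Windows. The expanded user-profile paths, the benign OneDrive entry and the four-value EncryptKeys list in the sample mapping are constructed for illustration.

```python
"""Added example (not from the article or the sample): flag the two Run values
and the HKCU\\Software\\EncryptKeys storage that the Rapid sample creates."""
import re
import sys

RUN_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"
ENCRYPTKEYS_PATH = r"Software\EncryptKeys"
# Value names written by the sample, and the file each one must point at.
RUN_IOCS = {
    "Encrypter": re.compile(r"\\info\.exe\s*$", re.I),
    "userinfo": re.compile(r"\\recovery\.txt\s*$", re.I),
}
ENCRYPTKEYS_VALUES = {"local_public_key", "local_public_key_len",
                      "local_enc_private_key", "local_enc_private_key_len"}


def check_run_values(run_values: dict) -> list:
    """Return the Run values that match the Rapid persistence entries."""
    hits = []
    for name, data in run_values.items():
        pattern = RUN_IOCS.get(name)
        if pattern and pattern.search(str(data)):
            hits.append(f"HKCU\\{RUN_PATH}\\{name} = {data}")
    return hits


def check_encryptkeys(value_names) -> list:
    """Return which of the four key-storage values exist (any one is suspicious)."""
    return sorted(ENCRYPTKEYS_VALUES & set(value_names))


def assess(run_values: dict, encryptkeys_names) -> dict:
    """Combine both checks into one verdict."""
    run_hits = check_run_values(run_values)
    key_hits = check_encryptkeys(encryptkeys_names)
    return {"run": run_hits, "encryptkeys": key_hits,
            "infected": bool(run_hits) or bool(key_hits)}


def collect_live() -> dict:
    """Windows only: enumerate the two HKCU keys so assess() can run on a live host."""
    import winreg
    out = {}
    for label, path in (("run", RUN_PATH), ("keys", ENCRYPTKEYS_PATH)):
        values = {}
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as k:
                i = 0
                while True:
                    try:
                        name, data, _type = winreg.EnumValue(k, i)
                    except OSError:
                        break  # no more values
                    values[name] = data
                    i += 1
        except OSError:
            pass  # key absent (EncryptKeys only exists once the malware ran)
        out[label] = values
    return out


# Constructed sample: one benign autostart plus the two entries the sample adds
# (paths shown already expanded from %AppData%).
SAMPLE_RUN = {
    "OneDrive": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "Encrypter": r"C:\Users\victim\AppData\Roaming\info.exe",
    "userinfo": r"C:\Users\victim\AppData\Roaming\recovery.txt",
}
SAMPLE_ENCRYPTKEYS = ["local_public_key", "local_public_key_len",
                      "local_enc_private_key", "local_enc_private_key_len"]

if __name__ == "__main__":
    if sys.platform == "win32":
        live = collect_live()
        print(assess(live["run"], live["keys"].keys()))
    else:
        print(assess(SAMPLE_RUN, SAMPLE_ENCRYPTKEYS))
```

The value names alone are matched together with the target file name so that an unrelated program that happens to register a Run value called "userinfo" is not flagged; the EncryptKeys check, by contrast, treats any of the four value names as an indicator, since that subkey does not exist on a clean system.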
To keep the system bootable, the program does not select files under folders named "Windows", "intel", "nvidia", "ProgramData" or "temp":
The ransomware does not filter by file extension. For each candidate file it only checks whether the name is one of "How Recovery Files.txt", "info.exe" or "recovery.txt"; those three are skipped and every other file is encrypted in full.
2.1. Encryption process
The program first acquires a CSP container of type PROV_RSA_FULL, then Base64-decodes the RSA public key hard-coded in the binary (referred to below as RSA1, the attacker's key) and imports it.
It then checks whether the registry value "local_public_key" already exists; if it does not, the key material below is generated and the value is created.
The program acquires another PROV_RSA_FULL container and calls CryptGenKey() to generate a fresh random RSA key pair (RSA2).
It then calls CryptExportKey() to export the newly generated RSA2 private key and encrypts that private-key data with the RSA1 public key. Once encrypted, the data is written to the registry value HKEY_CURRENT_USER\Software\EncryptKeys\local_enc_private_key and its length to HKEY_CURRENT_USER\Software\EncryptKeys\local_enc_private_key_len.
It calls CryptExportKey() again to export the RSA2 public key, this time without encryption, and writes it directly to HKEY_CURRENT_USER\Software\EncryptKeys\local_public_key and its length to HKEY_CURRENT_USER\Software\EncryptKeys\local_public_key_len.
File encryption then begins. For each selected file the program gets its size. If the file is smaller than 0x4D0 bytes it goes straight into the encryption routine; otherwise the program reads the last 0x20 bytes of the file and compares them with the encryption marker "F5 D5 CD CD CD 7D CD CD 95 91 C1 CD AD CD CD 41 CD C1 99 FD 1D 59 95 81 FD 99 79 25 A5" (the listing here gives 29 of the 0x20 bytes). If they do not match, the file is encrypted; if they match, the file is already encrypted and the program moves on to the next one. This check works because every encrypted file is larger than 0x4D0 bytes and ends with the 0x20-byte marker.
Inside the encryption routine the program first calls CryptGenKey() to generate a random AES key.
It then calls CryptExportKey() with BLOBTYPE = PLAINTEXTKEYBLOB to export the raw key:
As shown in the figure, the returned length is 0x2C bytes: 0x3A42A8-0x3A42AF is the BLOBHEADER, 0x3A42B0-0x3A42B3 the key size, 0x3A42B4-0x3A42D3 the 0x20-byte AES key, and 0x3A42D4-0x3A4327 is padding filled with 0xCD:
The program encrypts the AES key with the RSA2 public key; the input is the whole 0x80-byte buffer of "BLOB header + key size + AES key + 0xCD padding" described above:
It reads the file data and encrypts it with the AES key:
Because AES works on 128-bit blocks, the ciphertext is longer than the plaintext whenever the original length is not a multiple of 16 bytes; the program therefore appends 0x10 bytes of 0x00 (one AES block) to the plaintext before encrypting.
The ciphertext is written back over the file: first exactly as many ciphertext bytes as the original file size, then a further 0x10 bytes.
The program keeps writing until 0x4D0 bytes have been appended in total. Those 0x4D0 bytes consist of five parts: 0x10 bytes, the extra ciphertext block by which the ciphertext exceeds the plaintext; 0x20 bytes holding the original file size as a string, padded with 0xCD; 0x80 bytes, the RSA2-encrypted AES key blob; 0x400 bytes, the RSA1-encrypted RSA2 private key; and 0x20 bytes, the encryption marker.
Add the ".rapid" extension after the file name:
Display extortion information
So far, we have analyzed the file encryption process of rapid blackmail software, and then we will analyze the encrypted files.
3. Analysis of encrypted files
Suppose a file of 0x9000 bytes is encrypted by the Rapid sample. The resulting file is 0x94D0 bytes: the first 0x9000 bytes are the AES ciphertext of the original contents, followed by the 0x4D0-byte trailer described above. Its structure is as follows:
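The layout described above (the "already encrypted?" marker test, the five-part 0x4D0 trailer, and the 0x80-byte PLAINTEXTKEYBLOB buffer that is RSA-encrypted into it) can be captured in a small parser. The following Python is an added example, not code from the article or from the sample. Offsets, lengths, the fill byte and the marker are taken from the text; the CryptoAPI constants (PLAINTEXTKEYBLOB = 0x08, CUR_BLOB_VERSION = 2, CALG_AES_256 = 0x6610) come from the Windows SDK headers. Two things are assumptions of the example: the size field is read as a decimal ASCII string, and the skip lists are matched case-insensitively on any path component. The article lists only 29 of the 0x20 marker bytes, so the check compares that prefix. The sample file built by make_sample_file() has the real layout but filler bytes in the ciphertext and key slots, since no real key material is available.

```python
"""Added example (not from the article or the sample): parser for the on-disk
layout of a .rapid file, plus the PLAINTEXTKEYBLOB the sample RSA-encrypts."""
import struct
from dataclasses import dataclass

TRAILER_LEN = 0x4D0   # bytes appended to every encrypted file
PAD = 0xCD            # fill byte used in the size field and the key blob
# 29 of the 0x20 marker bytes as listed in the analysis; the last three are
# not given there, so only this prefix is compared.
MARKER_PREFIX = bytes.fromhex(
    "F5 D5 CD CD CD 7D CD CD 95 91 C1 CD AD CD CD 41 CD C1 99 FD 1D 59 95 81 FD 99 79 25 A5"
)
# CryptoAPI constants from the Windows SDK headers.
PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, CALG_AES_256 = 0x08, 0x02, 0x00006610
SKIP_DIRS = {"windows", "intel", "nvidia", "programdata", "temp"}
SKIP_NAMES = {"how recovery files.txt", "info.exe", "recovery.txt"}


@dataclass
class RapidTrailer:
    extra_cipher_block: bytes    # 0x10: last AES block, produced by the 0x10-byte padding
    original_size: int           # parsed from the 0x20-byte size field
    enc_aes_key_blob: bytes      # 0x80: AES key blob encrypted with the RSA2 public key
    enc_rsa2_private_key: bytes  # 0x400: RSA2 private key encrypted with the RSA1 public key
    marker: bytes                # 0x20: encryption flag


def would_be_targeted(path: str) -> bool:
    """Selection rule from section 2: skip the five folder names and the three file
    names, encrypt everything else. Case-insensitive matching on any path
    component is an assumption of this example."""
    parts = path.replace("\\", "/").split("/")
    if any(p.lower() in SKIP_DIRS for p in parts[:-1]):
        return False
    return parts[-1].lower() not in SKIP_NAMES


def has_rapid_marker(data: bytes) -> bool:
    """The sample's own 'already encrypted?' test: files shorter than 0x4D0 bytes
    are never treated as encrypted; otherwise the last 0x20 bytes are compared."""
    return len(data) >= TRAILER_LEN and data[-0x20:].startswith(MARKER_PREFIX)


def parse_trailer(data: bytes) -> RapidTrailer:
    """Split the 0x4D0-byte trailer into its five parts (0x10+0x20+0x80+0x400+0x20)."""
    if not has_rapid_marker(data):
        raise ValueError("no Rapid marker at end of file")
    t = data[-TRAILER_LEN:]
    size_field = t[0x10:0x30].rstrip(bytes([PAD]))
    return RapidTrailer(
        extra_cipher_block=t[0x00:0x10],
        original_size=int(size_field.decode("ascii")),  # decimal ASCII assumed
        enc_aes_key_blob=t[0x30:0xB0],
        enc_rsa2_private_key=t[0xB0:0x4B0],
        marker=t[0x4B0:0x4D0],
    )


def growth_is_consistent(data: bytes) -> bool:
    """Cross-check against section 1: encrypted size == original size + 0x4D0."""
    return len(data) - parse_trailer(data).original_size == TRAILER_LEN


def build_aes_keyblob(key: bytes) -> bytes:
    """Rebuild the 0x80-byte buffer the sample RSA-encrypts: a 0x2C-byte
    PLAINTEXTKEYBLOB (8-byte BLOBHEADER + DWORD key length + key), 0xCD-padded."""
    if len(key) != 32:
        raise ValueError("AES-256 key expected")
    header = struct.pack("<BBHI", PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, CALG_AES_256)
    blob = header + struct.pack("<I", len(key)) + key   # 8 + 4 + 32 = 0x2C
    return blob + bytes([PAD]) * (0x80 - len(blob))


def parse_aes_keyblob(buf: bytes) -> bytes:
    """Recover the file key from the blob once it has been RSA-decrypted with the
    RSA2 private key (which itself needs the attacker's RSA1 private key)."""
    btype, ver, _reserved, alg, klen = struct.unpack_from("<BBHII", buf, 0)
    if (btype, ver, alg, klen) != (PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, CALG_AES_256, 32):
        raise ValueError("not an AES-256 PLAINTEXTKEYBLOB")
    return buf[12:12 + klen]


def make_sample_file(original_size: int) -> bytes:
    """Constructed .rapid file: real layout, filler bytes for ciphertext and keys."""
    size_field = str(original_size).encode().ljust(0x20, bytes([PAD]))
    trailer = (bytes([0xB1]) * 0x10 + size_field + bytes([0xB2]) * 0x80
               + bytes([0xB3]) * 0x400 + MARKER_PREFIX + b"\x00" * 3)
    return bytes([0xA0]) * original_size + trailer


if __name__ == "__main__":
    sample = make_sample_file(0x9000)
    tr = parse_trailer(sample)
    print(f"file {len(sample):#x} bytes, original {tr.original_size:#x}, "
          f"growth ok: {growth_is_consistent(sample)}")
    print(parse_aes_keyblob(build_aes_keyblob(bytes(range(32)))).hex())
```

parse_trailer() is what an analyst would run over a victim's files to pull out the per-file RSA2-encrypted AES blob and the RSA1-encrypted RSA2 private key; parse_aes_keyblob() documents the layout that decrypted blob must have, which is the only way to confirm a candidate RSA2 private key is correct.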
Rapid uses a hybrid RSA/AES-256 scheme. Decrypting a file requires the per-file AES key, which is encrypted with the RSA2 public key, so the RSA2 private key is needed; but the RSA2 private key is itself encrypted with the attacker's RSA1 public key, and only the attacker holds the matching RSA1 private key. Without it, recovering the files is extremely difficult.
2017 saw a high incidence of ransomware, and the situation is expected to continue into 2018. Everyone should stay vigilant: do not open attachments from suspicious senders, avoid software from untrusted third-party sources, and install anti-virus software to reduce the risk.
This concludes the answer to how to analyze and detect the Rapid ransomware. We hope the above is of some help; if you still have questions, follow the industry information channel to learn more.