Dirty Decrypter is crypto-ransomware: it encrypts the compromised user's pictures, documents, videos and similar files, making them unusable, and then demands a large payment to decrypt them. The ransom note warns that if the sum is not paid the malware will destroy the decryption keys, leaving the files unrecoverable. The sample is also coded to disable several essential security controls, including Windows Firewall, UAC and anti-virus software.

It also obtains administrative privileges by abusing the built-in HomeGroupUser$ account, adding it to the local Administrators group and thereby gaining full access to every part of the computer. If this malware were allowed to propagate through our network it could severely degrade the firm's productivity, leaving employees unable to work.

Analysis of Dirty Decrypter

Initially the compromised machine was isolated and the malicious executable was tracked down. Files of several types (pictures, documents, videos and so on) had been encrypted, and a message was displayed in their place.

Following the on-screen steps for decrypting an affected file launched a window that asks the user to pay a large sum of money in order to decrypt the files on the infected system.

The sample was placed in a password-protected zip archive and transferred securely for analysis. It was first executed in a Cuckoo sandbox to identify the executable's basic behaviour; the results are shown below.

The sample was then analysed with several tools inside an isolated virtual machine. Static triage came first: ExeInfo, which detects the most common packers, cryptors and compilers for PE files, reported that the file was written in Delphi and was neither packed nor obfuscated.

fig1: ExeInfo interface showing the compiler type and architecture

Further analysis inside the guest was difficult, because the malware terminated analysis tools such as Process Explorer, Regshot and Wireshark as soon as they ran. To capture the network behaviour anyway, the sample was executed in a VirtualBox guest whose network adapter was bridged to the host, and Wireshark was run on the host instead, where the malware could not kill it. All traffic generated by the malicious file was captured this way. The capture showed requests to suspicious destinations, most of them HTTP requests.

The PCAP file saved from Wireshark was then loaded into NetWitness Investigator (a network forensics tool) for in-depth inspection. It surfaced several suspicious IP addresses, DNS requests to unknown domains, and for each destination the country, organisation and MAC address.

fig2: NetWitness Investigator showing the IP addresses and DNS requests made by the Dirty Decrypter malware

NetWitness Investigator showing the destination country, city, organisation and IP protocol

The executable was then loaded into a debugger, OllyDbg, for assembly-level analysis, which revealed the sample's most interesting feature: it scans the file system for files with particular extensions and encrypts those whose extension appears in the list below.

  • .jpg
  • .jpeg
  • .png
  • .rtf
  • .doc
  • .zip
  • .7z
  • .pdf
  • .docx
  • .doc
  • .xls
  • .xlsm
  • .xlsx
  • .rar
  • .avi
  • .mpeg
  • .mpg
  • .wmv

From the second panel of the figure below, it can be inferred that the malware skips certain system folders, such as Program Files and system32, and files whose name contains "Dirty" (its own). Leaving these alone keeps the machine bootable and the malware's own files intact, so the ransom process keeps working on the compromised machine.

fig3: (1) Debugger showing the types of files to be encrypted. (2) Folders and files excluded from encryption
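The extension list and the exclusion list give an incident responder a cheap way to find what was hit. As an added example that is not part of the original analysis, the Python script below sweeps a directory tree for files with the targeted extensions, skips the same folders the malware skips (nothing there was touched), and flags any file whose leading bytes no longer match the signature its extension implies, which is what in-place encryption leaves behind. The file signatures are the standard ones for each format; the sample tree is constructed here for the demonstration, not data from the infected machine.

```python
import os
import tempfile
from pathlib import Path

# Leading bytes ("magic") each targeted format normally starts with. The extension
# list mirrors the one the debugger showed; the signatures are the standard ones.
MAGIC = {
    ".jpg":  [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png":  [b"\x89PNG\r\n\x1a\n"],
    ".rtf":  [b"{\\rtf"],
    ".pdf":  [b"%PDF-"],
    ".zip":  [b"PK\x03\x04", b"PK\x05\x06"],
    ".docx": [b"PK\x03\x04"],
    ".xlsx": [b"PK\x03\x04"],
    ".xlsm": [b"PK\x03\x04"],
    ".doc":  [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],   # OLE compound document
    ".xls":  [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],
    ".7z":   [b"7z\xbc\xaf\x27\x1c"],
    ".rar":  [b"Rar!\x1a\x07"],
    ".avi":  [b"RIFF"],                                # plus "AVI " at offset 8, see below
    ".wmv":  [b"\x30\x26\xb2\x75\x8e\x66\xcf\x11"],   # ASF header GUID
    ".mpg":  [b"\x00\x00\x01\xba", b"\x00\x00\x01\xb3"],
    ".mpeg": [b"\x00\x00\x01\xba", b"\x00\x00\x01\xb3"],
}
TARGET_EXTENSIONS = frozenset(MAGIC)

# Folders the sample leaves alone (the exclusion list seen in the debugger).
# Compared case-insensitively against each directory name during the walk.
EXCLUDED_DIR_NAMES = {"program files", "program files (x86)", "system32"}


def looks_intact(path):
    """True if the file still starts with the signature its extension implies.
    An empty or truncated file fails the check too, which is the safe default."""
    ext = path.suffix.lower()
    with open(path, "rb") as f:
        head = f.read(16)
    if ext == ".avi":
        return head[:4] == b"RIFF" and head[8:12] == b"AVI "
    return any(head.startswith(sig) for sig in MAGIC[ext])


def find_encrypted_files(root):
    """Relative paths (sorted) of targeted files whose header no longer matches."""
    root = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune excluded folders in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames if d.lower() not in EXCLUDED_DIR_NAMES]
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() in TARGET_EXTENSIONS and not looks_intact(path):
                hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def build_demo_tree(root):
    """Constructed sample tree (not data from the incident) exercising each rule."""
    scrambled = b"\x3a\x91\x7f\xc4\x0e\x55\xd2\x88\x19\xa7\x63\xfe\x2b\x70\xcc\x04"
    files = {
        "Documents/report.pdf":         b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",      # intact
        "Documents/budget.xlsx":        b"PK\x03\x04\x14\x00\x06\x00",           # intact
        "Pictures/holiday.png":         b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",  # intact
        "Pictures/family.jpg":          scrambled,  # encrypted in place: flagged
        "Documents/contract.doc":       scrambled,  # encrypted in place: flagged
        "Windows/system32/logo.jpg":    scrambled,  # inside an excluded folder: skipped
        "Program Files/App/manual.pdf": scrambled,  # inside an excluded folder: skipped
        "Documents/notes.txt":          scrambled,  # extension not targeted: ignored
    }
    for rel, data in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def demo():
    """Build the constructed tree in a temp dir and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return find_encrypted_files(tmp)


if __name__ == "__main__":
    for rel in demo():
        print("header mismatch, possibly encrypted:", rel)
```

Run against a mounted image of the victim's volume, `find_encrypted_files` gives the list of files to restore from backup. A signature check is only a first pass: formats without a fixed header would need an entropy test instead, and a file that the ransomware renamed as well as encrypted will not be matched by extension at all.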

Closer analysis of the compiled code showed deliberate and fairly tricky behaviour. Once installed, the malware first acquires administrative privileges and then disables anti-virus software and the Windows Firewall and turns off UAC notifications. This leaves the machine open to further attacks.

fig4: Malicious code showing the overriding behaviour

fig5: Malicious code showing Task Manager being disabled

The malware abuses the built-in HomeGroupUser$ account, adding it to the Administrators group with full privileges. Even when the account is removed from the group it reappears immediately. It was also found that an unknown user was responsible for running the malicious executable 'dirtydecrypt.exe'.

The malware maps HomeGroupUser$ into the Administrators group.

Unknown user with read and execute permissions responsible for executing dirtydecrypt.exe

These results can be seen in the figures below.

Windows Firewall found to be disabled by the malicious code

fig6: User Account Control settings overridden by the malware

fig7: Task Manager disabled by the Dirty Decrypter ransomware
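The host-side changes described above (UAC off, Task Manager disabled, firewall off, HomeGroupUser$ in Administrators) are all visible in artefacts that can be collected from a suspect machine with built-in commands and checked offline. As an added example that is not part of the original analysis, the Python script below reads a `.reg` export (as produced by `reg export`) and the output of `net localgroup Administrators`, and reports each indicator it finds. The registry keys and value names are the standard Windows locations for these settings; the export, the group listing and the approved-administrator baseline are constructed here for the demonstration, not captured from the infected host.

```python
import re

# Constructed .reg export (not from the incident) carrying the values such an
# infection leaves behind: UAC off, Task Manager disabled, firewall off.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall"=dword:00000001
"""

# Constructed output of `net localgroup Administrators` on the suspect host.
SAMPLE_NET_LOCALGROUP = """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
HomeGroupUser$
jsmith
The command completed successfully.
"""

POLICY = r"software\microsoft\windows\currentversion\policies\system"
FW = r"hkey_local_machine\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy"

# (registry key, value name, value that indicates tampering, description); all lower-case.
INDICATORS = [
    ("hkey_local_machine\\" + POLICY, "enablelua", 0, "UAC disabled (EnableLUA=0)"),
    ("hkey_local_machine\\" + POLICY, "consentpromptbehavioradmin", 0,
     "UAC elevates administrators without prompting"),
    ("hkey_current_user\\" + POLICY, "disabletaskmgr", 1, "Task Manager disabled for this user"),
    ("hkey_local_machine\\" + POLICY, "disabletaskmgr", 1, "Task Manager disabled machine-wide"),
    (FW + r"\domainprofile", "enablefirewall", 0, "Windows Firewall off (domain profile)"),
    (FW + r"\standardprofile", "enablefirewall", 0, "Windows Firewall off (private profile)"),
    (FW + r"\publicprofile", "enablefirewall", 0, "Windows Firewall off (public profile)"),
]


def parse_reg(text):
    """Map (key, value name) -> int for every DWORD in a .reg export; names lower-cased."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            key = m.group(1).lower()
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if m and key is not None:
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values


def registry_findings(values):
    """Descriptions of every indicator whose value matches the tampered setting."""
    return [desc for key, name, bad, desc in INDICATORS if values.get((key, name)) == bad]


def local_group_members(net_output):
    """Member names from `net localgroup <group>` output (one per line after the rule)."""
    members, in_members = [], False
    for line in net_output.splitlines():
        s = line.strip()
        if s.startswith("----"):
            in_members = True
            continue
        if in_members:
            if not s or s.startswith("The command completed"):
                break
            members.append(s)
    return members


def unexpected_admins(members, approved):
    """Members of Administrators that are not in the approved baseline."""
    approved = {a.lower() for a in approved}
    return [m for m in members if m.lower() not in approved]


def triage(reg_text=SAMPLE_REG, net_output=SAMPLE_NET_LOCALGROUP,
           approved=("Administrator", "jsmith")):
    """Combine both checks into one list of findings for the host."""
    findings = registry_findings(parse_reg(reg_text))
    for extra in unexpected_admins(local_group_members(net_output), approved):
        findings.append("Unexpected member of Administrators: " + extra)
    return findings


if __name__ == "__main__":
    for finding in triage():
        print("-", finding)
```

On a real host, `reg export` writes UTF-16 with a byte-order mark, so open the file with `encoding="utf-16"` before passing it to `parse_reg`. Because the sample re-adds HomeGroupUser$ as soon as it is removed, the group check is worth repeating after cleanup: a finding that returns is the sign that the persistence mechanism is still running.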

Mitigation

  • Train employees not to open attachments unless they are expecting them, and not to execute software downloaded from the Internet unless it has been scanned for viruses or has passed a software assessment.
  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, deny all incoming connections and allow only the services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers, which helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users run with the lowest level of privilege necessary to complete a task. When prompted for a root or UAC password, make sure that the program asking for administrator-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode where the option is available.
  • Turn off file sharing if it is not needed. If file sharing is required, use ACLs and password protection to limit access, disable anonymous access to shared folders, and grant access to folders that must be shared only to user accounts with strong passwords.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical; these are avenues of attack, and removing them leaves threats fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep patch levels up to date, especially on computers that host public services and are reachable through the firewall, such as HTTP, FTP, mail and DNS services.
  • Configure the email server to block or remove email that contains file attachments commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers immediately, as soon as the malware is found to be present, to prevent the threat from spreading further. Perform a forensic analysis and restore the computers using trusted media.

References

  • Symantec Security Response, general mitigation recommendations, on which the Mitigation list above is based: www.symantec.com