EvilZone
Hacking and Security => Hacking and Security => : Rusty March 25, 2015, 11:10:51 AM
-
Hello,
I have a client which is infected with a ransom virus (sos@anointernet.com).
What it does:
1. Append XXXXXXXXX-sos@anointernet.com to filenames
2. Modify exactly the first 30 000 bits of the file (looks as encryption at first look)
3. Append 4 bits at the end of the file.
4. Ask for money for decryption :)
I've attached a screenshot of the precise end of the encryption and start of the real document.
Luckily the document has a predictable output of auto-increment numbers.
There are occurrences of 03 00 00 <3 digit number> 03 00 00.
Is there some technique I could apply to narrow down what type of encryption that is?
It obviously encrypts the same bits differently.
I was thinking of frequency analysis but I'm wondering how to apply it to binary file.
It is some form of CryptoLocker probably, but is there a way to confirm RSA-2048 bit encryption?
Any thoughts are welcome :)
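Applying frequency analysis to a binary file, as asked above, as an added example that is not part of the thread (Python assumed; the modified prefix is treated as 30 000 bytes, which is an assumption, and all sample data is constructed inline). It compares the byte histogram and Shannon entropy of the modified prefix against the untouched tail, and shows that a simple substitution such as single-byte XOR leaves the entropy unchanged, so a near-uniform prefix points to a real cipher while a skewed one points to something weaker.

```python
import hashlib
import math
from collections import Counter

SPLIT = 30000  # size of the modified prefix; assumed to be bytes, not bits

def shannon_entropy(data: bytes) -> float:
    """Bits of information per byte: 8.0 means all 256 values equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def region_report(data: bytes, split: int = SPLIT) -> dict:
    """Compare the (supposedly) encrypted prefix with the untouched tail."""
    head, tail = data[:split], data[split:]
    return {
        "head_entropy": round(shannon_entropy(head), 3),
        "tail_entropy": round(shannon_entropy(tail), 3),
        "head_distinct": len(set(head)),
        "tail_distinct": len(set(tail)),
        "head_top3": Counter(head).most_common(3),
        "tail_top3": Counter(tail).most_common(3),
    }

def looks_like_real_cipher(region: bytes) -> bool:
    """Heuristic: real cipher output is near-uniform; substitution/XOR keeps the skew."""
    return shannon_entropy(region) > 7.9 and len(set(region)) == 256

def single_byte_xor(data: bytes, key: int) -> bytes:
    """The 'lazy coder' case: a fixed-key XOR only permutes the histogram."""
    return bytes(b ^ key for b in data)

def _pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic stand-in for cipher output (SHA-256 in counter mode)."""
    out = bytearray()
    for ctr in range(n // 32 + 1):
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
    return bytes(out[:n])

def build_sample() -> bytes:
    """Constructed file: random-looking prefix, then 03 00 00 <3-digit> 03 00 00 records."""
    records = b"".join(b"\x03\x00\x00" + f"{i:03d}".encode() + b"\x03\x00\x00"
                       for i in range(1, 501))
    return _pseudo_random(SPLIT) + records

if __name__ == "__main__":
    sample = build_sample()
    print(region_report(sample))
    print("prefix looks like a real cipher:", looks_like_real_cipher(sample[:SPLIT]))
```

On the real file, `region_report(open(path, "rb").read())` gives the same comparison; entropy near 8 with all 256 byte values present is consistent with a real cipher but does not identify the algorithm.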
-
Google told me that it's another ransomware that encrypts with no current solution except paying the ransom (!!) or living without the data.
And I don't know for sure, but even if that is RSA-2048 and you do know the plaintext, a sieve-based attack would still cost... well, a lot more than $300, let's put it that way. I'm not sure if it's technologically feasible even on supercomputers.
-
Yes, RSA-2048 will basically kill all my efforts. I'm hoping for some lazy coders implementing some easily reversible encryption :D
-
Try to get hands on the malware executable and reverse-engineer it.
Determining the encryption algorithm by just looking at the encrypted message is very difficult.
-
The malware creators must be a bunch of evil assholes to not give the decryption key after paying the ransom. I have dealt with one not long ago :P we chose to not pay...
-
I would say move the binary over to a bash shell and use the strings and file commands to get more information about the file. You can also use binwalk to try and extract more metadata / other information about the modified file:
http://binwalk.org/
http://malwaremusings.com/2012/09/07/the-usefulness-of-strings-during-static-malware-analysis/
http://linux.die.net/man/1/strings