Author Topic: Reverse engineering a sos@anointernet.com ransom


Offline Rusty

Reverse engineering a sos@anointernet.com ransom
« on: March 25, 2015, 11:10:51 am »
Hello,

I have a client who is infected with a ransom virus (sos@anointernet.com).

What it does:
1. Append XXXXXXXXX-sos@anointernet.com to filenames
2. Modify exactly the first 30 000 bits of the file (looks as encryption at first look)
3. Append 4 bits at the end of the file.
4. Ask for money for decryption :)

I've attached a screenshot of the precise end of the encryption and the start of the real document.

Luckily, the document has a predictable output of auto-increment numbers.
The sequence 03 00 00 <3 digit number> 03 00 00 keeps occurring.

Is there some technique I could apply to narrow down what type of encryption that is?
Obviously it encrypts the same bits differently.

I was thinking of frequency analysis but I'm wondering how to apply it to binary file.

It is probably some form of CryptoLocker, but is there a way to confirm RSA-2048 bit encryption?

Any thoughts are welcome :)
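The question above (how to apply frequency analysis to a binary file, and how to tell a weak locker from a real cipher when part of the plaintext is predictable) is exactly the kind of statistical triage an analyst runs before touching the executable. The following is an added example, not code from this thread or from any tool named in it. It constructs a stand-in for the document prefix from the `03 00 00 <3 digit counter> 03 00 00` pattern described in the post, produces two hypothetical "encrypted" versions (a lazy repeating-key XOR and a random-looking cipher output, both invented here for illustration), and runs byte-frequency, entropy, chi-square, duplicate-block and known-plaintext-period checks over each. Nothing here identifies the real family; it only shows which measurements separate "structure survives, worth analysing" from "looks random, get the sample".

```python
"""Statistical triage of an encrypted file prefix: random-looking or weak transform?"""
import math
import random
from collections import Counter

BLOCK = 16  # block size for the duplicate-block check (AES block size)


def make_plaintext(n_records: int = 400) -> bytes:
    """Constructed stand-in for the document prefix: each record is
    03 00 00 <3-digit counter> 03 00 00, as described in the post."""
    out = bytearray()
    for i in range(n_records):
        out += b"\x03\x00\x00" + f"{i % 1000:03d}".encode("ascii") + b"\x03\x00\x00"
    return bytes(out)


def weak_encrypt(plain: bytes, key: bytes) -> bytes:
    """Hypothetical 'lazy coder' locker: XOR with a short repeating key."""
    return bytes(p ^ key[i % len(key)] for i, p in enumerate(plain))


def strong_encrypt(plain: bytes, seed: int = 1) -> bytes:
    """Stand-in for a proper cipher: output indistinguishable from random.
    A seeded PRNG is used only so the example is reproducible offline."""
    rng = random.Random(seed)
    return bytes(p ^ rng.randrange(256) for p in plain)


def byte_frequencies(data: bytes, top: int = 5):
    """Frequency analysis on raw bytes: the most common byte values and their counts."""
    return Counter(data).most_common(top)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 looks random, well below means structure survives."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square_uniform(data: bytes) -> float:
    """Chi-square statistic against a uniform byte distribution (255 degrees of freedom).
    Values near 255 are consistent with random output; values in the thousands are not."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def duplicate_block_ratio(data: bytes, block: int = BLOCK) -> float:
    """Fraction of repeated fixed-size blocks; ECB mode on repetitive input shows up here."""
    blocks = [data[i:i + block] for i in range(0, len(data) - block + 1, block)]
    return 1.0 - len(set(blocks)) / len(blocks)


def keystream_period(plain: bytes, cipher: bytes, max_period: int = 256):
    """Known-plaintext check: XOR plain and cipher to get the keystream, then look for
    the shortest period. A small period means repeating-key XOR, not RSA/AES."""
    ks = bytes(p ^ c for p, c in zip(plain, cipher))
    for period in range(1, max_period + 1):
        if all(ks[i] == ks[i % period] for i in range(len(ks))):
            return period
    return None


def triage(plain: bytes, cipher: bytes) -> dict:
    """Collect every measurement for one ciphertext into a single report."""
    return {
        "entropy": round(shannon_entropy(cipher), 3),
        "chi_square": round(chi_square_uniform(cipher), 1),
        "dup_blocks": round(duplicate_block_ratio(cipher), 3),
        "xor_period": keystream_period(plain, cipher),
        "top_bytes": byte_frequencies(cipher),
    }


if __name__ == "__main__":
    plain = make_plaintext()
    for name, cipher in (("weak-xor", weak_encrypt(plain, b"s3cret!")),
                         ("strong", strong_encrypt(plain))):
        print(name, triage(plain, cipher))
```

With a real sample you would feed `triage()` the known-good prefix of an unencrypted copy of the same document type and the first 30 000 units of the encrypted file. A low entropy, a chi-square far above 255 or a recovered XOR period all say the locker is weak and worth more time; measurements that look like the "strong" case mean the ciphertext alone will not tell you the algorithm, which is where the executable has to be obtained.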

Offline HTH

Re: Reverse engineering a sos@anointernet.com ransom
« Reply #1 on: March 25, 2015, 11:32:20 am »
Google told me that it's another ransomware that encrypts with no current solution except paying the ransom (!!) or living without the data.

And I don't know for sure, but even if that is RSA-2048 and you do know the plaintext, a sieve-based attack would still cost... well, a lot more than $300, let's put it that way. I'm not sure if it's technologically feasible even on supercomputers.
« Last Edit: March 25, 2015, 11:38:13 am by HTH »

Offline Rusty

Re: Reverse engineering a sos@anointernet.com ransom
« Reply #2 on: March 25, 2015, 11:51:11 am »
Yes, RSA-2048 will basically kill all my efforts. I'm hoping for some lazy coders implementing some easily reversible encryption :D

Offline Deque

Re: Reverse engineering a sos@anointernet.com ransom
« Reply #3 on: March 25, 2015, 03:34:05 pm »
Try to get your hands on the malware executable and reverse-engineer it.
Determining the encryption algorithm by just looking at the encrypted message is very difficult.

Offline Kulverstukas

Re: Reverse engineering a sos@anointernet.com ransom
« Reply #4 on: March 25, 2015, 06:59:07 pm »
The malware creators must be a bunch of evil assholes to not give the decryption key after paying the ransom. I have dealt with one not long ago :P we chose to not pay...
« Last Edit: March 25, 2015, 06:59:29 pm by Kulverstukas »

Offline srirachasauce

Re: Reverse engineering a sos@anointernet.com ransom
« Reply #5 on: March 27, 2015, 04:09:20 am »
I would say move the binary over to a bash shell and use the strings and file commands to get more information about the file. You can also use binwalk to try and extract more metadata / other information about the modified file:

http://binwalk.org/

http://malwaremusings.com/2012/09/07/the-usefulness-of-strings-during-static-malware-analysis/

http://linux.die.net/man/1/strings