Crypto Locker. Short English version

Intro

Crypto Locker: Russian version (full)

As far as I know, Crypto Locker is malware that encrypts all accessible user data and then demands about ₤ 200 for its decryption.
I tried running it inside a VirtualBox virtual machine to find a way to fight it and, if possible, to make the recovery of user data less painful.

Test Lab implementation

  1. I created a Windows 7 (64-bit) VirtualBox TestLab with my suggested security settings applied.
  2. A partial description of my security settings in English can be found here: http://www.mechbgon.com/srp/
  3. No antivirus was installed on TestLab.
  4. A “CryptoLocker” user without administrative privileges was created on TestLab.
  5. Wireshark (version 1.10.3) for Windows 64-bit was installed on TestLab.
  6. The CryptoLocker executable files were downloaded from https://www.grc.com/malware.htm and placed in the TestLab shared folder.
  7. Internet access for TestLab was cut off, and I began the testing process.

Crypto Locker investigation process description, part 1

  1. All accessible versions of CryptoLocker were tested.
  2. As long as the TestLab system had no Internet access, nothing happened.
  3. This description deals with the latest (November 20, 2013) version of the Crypto Locker malware.
  4. Before launching the CryptoLocker executable, a Wireshark packet capture was started.
  5. I found that the initial network activity produced by Crypto Locker consists of DNS queries for A records of various garbage names in the .net, .org, .info, .biz, .com, .ru and .co.uk domains; the capture file for analysis can be downloaded here: infected_v2.pcapng.zip
  6. I tried to resolve some of them, and only the .co.uk domains resolved correctly: for example, riucygtrudyvio.co.uk, wymahjeuncgkid.co.uk, ioisdcnrfocndy.co.uk, ehhtgdyhcijevq.co.uk and others.
  7. All these domains have two things in common:
    1. they resolve to 212.71.250.4 for the A record;
    2. they share the same set of NS records, which gives the following list: ns0.sinkdns.org, ns1.sinkdns.org, ns2.sinkdns.org, ns3.sinkdns.org, ns4.sinkdns.org.
  8. Using the GeoIP v2 service I found the location of the IP address 212.71.250.4: Linode LLC, United Kingdom, Europe.
  9. Moreover, the host ns1.sinkdns.org resolves to the IP address 178.79.159.82, which is also located at Linode LLC, United Kingdom, Europe.
  10. The IP addresses 212.71.250.4, 96.126.112.224, 178.79.159.82, 106.186.21.174, 50.116.57.116 and 23.92.24.20 belong to the linode.com domain.
  11. linode.com is the property of Linode LLC, United Kingdom, Europe, and it offers a cloud Linux hosting service.
  12. I made several attempts to find the registered owners of the domains riucygtrudyvio.co.uk, wymahjeuncgkid.co.uk, ioisdcnrfocndy.co.uk and ehhtgdyhcijevq.co.uk using the whois service, but it reports that none of these domains have ever been registered.
  13. Next I reconfigured the network settings of the Crypto Locker TestLab and gave TestLab (and Crypto Locker on it) access to my DNS server.
  14. By analyzing the new network packets captured with Wireshark, I found that Crypto Locker tried to connect to the server with IP address 212.71.250.4 on port 80 (SYN flag set) after a *.co.uk domain (for example, njedbrnccwrmqe.co.uk) had been successfully resolved by DNS.
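Offline triage of the lookups described in steps 5 to 7, as an added example rather than the author's own script: it counts which zones answer at all and groups the generated-looking names that share one A address and one NS set, which is exactly the pattern observed above. The .co.uk names, the address and the sinkdns.org NS hosts are those listed on this page; the failing names in the other TLDs and the benign control record are constructed.

```python
from collections import defaultdict

# Constructed DNS observations mirroring the capture described in part 1, as
# (queried name, A address or None for NXDOMAIN, NS names returned for the zone).
# The .co.uk names, the address and the sinkdns.org hosts are from the page; the
# failing names in the other TLDs and the control record are made up.
SINKDNS = ["ns%d.sinkdns.org" % i for i in range(5)]
RECORDS = [
    ("qwpdjnbvcxkrtl.net", None, []),
    ("mlxkcjvhfdbnrt.org", None, []),
    ("wsxcderfvbgtyh.ru", None, []),
    ("riucygtrudyvio.co.uk", "212.71.250.4", SINKDNS),
    ("wymahjeuncgkid.co.uk", "212.71.250.4", SINKDNS[::-1]),  # same set, other order
    ("ioisdcnrfocndy.co.uk", "212.71.250.4", SINKDNS),
    ("ehhtgdyhcijevq.co.uk", "212.71.250.4", SINKDNS),
    ("www.example.net", "203.0.113.10", ["ns1.example.net"]),  # constructed benign control
]

def zone_of(name):
    """Registrable zone: 'co.uk' for the UK names on the page, otherwise the TLD."""
    parts = name.lower().split(".")
    return "co.uk" if parts[-2:] == ["co", "uk"] else parts[-1]

def looks_generated(name):
    """Crude DGA heuristic: a long, letters-only first label with few vowels."""
    label = name.lower().split(".")[0]
    if len(label) < 12 or not label.isalpha():
        return False
    return sum(label.count(v) for v in "aeiou") / len(label) <= 0.4

def resolved_by_zone(records):
    """Per zone: (resolved, total) counts, showing which zones answer at all."""
    stats = defaultdict(lambda: [0, 0])
    for name, addr, _ in records:
        counts = stats[zone_of(name)]
        counts[1] += 1
        if addr is not None:
            counts[0] += 1
    return {zone: tuple(c) for zone, c in stats.items()}

def shared_infrastructure(records, min_names=2):
    """Group generated-looking names that resolve to the same A address and the
    same NS set: such a cluster is one server behind many throwaway names."""
    groups = defaultdict(list)
    for name, addr, ns in records:
        if addr is not None and looks_generated(name):
            groups[(addr, tuple(sorted(ns)))].append(name)
    return {key: sorted(names) for key, names in groups.items() if len(names) >= min_names}
```

Run against a real capture, the records would come from the DNS answers in the pcap instead of the inline list; the grouping logic stays the same.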

Abstract

  1. Resolution of unregistered domains is only possible if the cache of the zone's root DNS server has been poisoned, or as the result of some other successful method of attacking DNS servers (unknown to me).
  2. In other words, there is evidence of a successful attack on the co.uk zone DNS servers: domains like wymahjeuncgkid.co.uk, which have never been registered, are successfully resolved by DNS. That is why I reached the following conclusion: the root DNS servers of the co.uk zone are the victims of a successful network attack.
  3. Also, the server in favor of which all these unregistered domains resolve (212.71.250.4) is located in the UK.
  4. One of the resolving servers, ns1.sinkdns.org (IP address 178.79.159.82), is located in the UK.

First summary

  • By analyzing the activity of Crypto Locker, we can see that it tries to connect to the server 212.71.250.4, which is hidden behind a cover made of a bunch of fake domain names.
  • These fake domain names are still successfully resolved by DNS because the co.uk root DNS servers are the victims of a network attack.
  • Once all consequences of the network attack have been corrected, CryptoLocker's functionality will be broken, and all evidence of the relationship between Crypto Locker and the network attacks on the co.uk root DNS servers will be lost.
  • Moreover, it will be impossible to prove that the server with IP address 212.71.250.4 is related to Crypto Locker.
  • If the Crypto Locker operators learn of any criminal investigation, they will erase the results of the network attack on the co.uk root DNS servers, and any further investigation of Crypto Locker activity will become impossible.
  • It looks like the Crypto Locker operators use a botnet with at least two purposes:
    • attacking the root DNS servers of DNS zones;
    • distributing Crypto Locker.

Crypto Locker investigation, part 2

  1. Now I need to give TestLab (and Crypto Locker inside it) access to the server with IP address 212.71.250.4 and capture all network packets for further forensic investigation.

Project cancelled

security_lab/crypto_locker_en.txt · Last modified: 2013/12/26 13:23 by drybkin