Dude, Where Are My Files? Reverse Engineering Ransomware
Fire Eye Labs
Join Michael Sikorski, author of "Practical Malware Analysis", as he introduces you to malware analysis and reverse engineering by dissecting Ransomware. Mike will review some of the most famous ransomware attacks in recent memory such as WannaCry and Petya. In multiple demonstrations, he’ll show exactly how to reverse engineer malware using real-world samples.
Thanks for having me, and thanks for introducing me. So, when I get to my bio slide, I can click much faster through it. So, we’ll get started. You’re wondering, “Oh, is this his background? It looks like a pretty cool image.” And it is a pretty cool image. It’s hi-res, it’s a ship, but actually, it is a very specific company. Maersk is the biggest container shipping company in the world. They’re constantly moving many, many things obviously, and they were hit with ransomware to the tune of costing them $300 million. What I like to think is, “What could that boat be filled with to cost $300 million?” Then just imagine it sinking, because that’s essentially what happened to them.
They were unable to ship things because they were crippled by the ransomware until they got their systems rebuilt, and it was obviously extremely costly, and maybe you didn’t get one of your Amazon packages fast enough. But you think, “Oh, maybe this stuff, ransomware, you just see it on the news, is it actually hitting real people?” It’s impacting my life. So he said I worked for the NSA, bought a house in Baltimore and I have tax bills that I have to pay there for my rental property. I go online to pay it and I can’t pay it. Due to ransomware attack, the city is down. So I can’t even pay my water bill or my tax bill, and they’re like, “Oh, just walk it into onsite.” I’m not going to drive from New York and go all the way down there, luckily they waived the late fees. But you get the point. This is impacting my life now too, not just my work life.
So, the topic we’re going to be talking about is reverse engineering ransomware, but we’re going to get there. First, I’ll start off, tell you a little about what I do, what my team does, and then we’ll talk about what malware analysis is, so you can understand what that process is and what it takes and why it’s important for computer security. Then we’ll dive into ransomware and then we’ll even take time to get hands on, where we’ll actually be looking at assembly code. So, it’s going to get a little deep, really quick. It’s a tech talk series here and I want to make sure that I’m up there in the most technical rankings. So that’s why I’m just going to splash some … Even if you don’t read it, at least there was assembly code on the screen for a brief second.
But it’ll give you a good sense of what it is to be a malware analyst, which is the goal here. Then we’ll have some time for Q&A. So like you said, I’m Michael Sikorski, I do go by Siko just because there were nine Mikes on the track team so I had to get renamed to something and I’m not crazy or anything, but it is Siko, it is what it is. I’m a malware analyst, researcher, author, teacher. I love all those things. I’ve been at Mandiant for 12 years, since it was a very tiny consulting shop. I was doing jack of all trades consulting, where we were a security company and anything people would pay us to do, I was physically trying to break into banks that hired us, to physically break in, and I was getting stopped at retina scanners and trying to talk my way in the door and stuff like that.
But over time we focused on incident response and I’ll talk about that. Been teaching at Columbia for a while, and for fun, I have my kids. I have a three month old, so I don’t have quite as much spunk as I normally have because I don’t sleep at all. I also have a four year old daughter and we like to dress up as Star Wars characters on Halloween. You can find me on Twitter or my email if you want to get in contact with me. So, little bit of history of incident response for you, and this comes from history of my career as well as the incident response field as a whole.
So like I said, I started at Mandiant. We were doing anything people would pay us to do in security, and really over time, our bread and butter became incident response. What incident response is, is somebody gets hacked, we get called in to sort out the mess. That was our niche, we were really good at it. We started to really focus in on China. We became the experts in the world at chasing China, who was hacking U.S. companies and we became experts on that. So we would go into a network and say, “Oh, we know exactly which group in China this is, we know how they operate, we know their tools. Oh, they’re on version two of the tools, of their malware tools? We know about that, we know how to deal with it.” So we were very efficient. Companies like that, and China was hacking everyone.
So, it got out of control to the point that the New York Times called us and said … and we’re like, “Oh, they want to do an interview.” And it wasn’t an interview. They were hacked by China. So we went into the New York Times and did an incident response for them and they said, “Hey, you’re so efficient at this, how did you do it?” We explain the whole thing and they’re like, “That’d be a really cool story.” At the same time we were developing this paper, which is now famous in the security world called APT1, and we really put where the first time somebody pointed the finger at all the hacking China was doing of U.S. companies. This is primarily for gain of getting intellectual property type things, and their first focus they were in on was the defense contractors.
They were getting plans for jets and stuff like that, because it’s a lot easier to steal the jet plan than it is to create a jet yourself, especially with the efficiency they were hacking people. Of course, this got us pretty famous, being on the front page of the New York Times. Our CEO is on the cover of Fortune Magazine and it caught the eye of a Silicon Valley company who just put out a malware product and IPOed, and they use all their IPO money to buy us. So, now I work for a company called FireEye and we both work together hand in hand. Then of course there’s malware analysts. That’s our niche. Our niche is focused on taking the malware that’s found in these investigations, they toss it over to us, we reverse engineer it, take it apart, figure out how it works from the inside out, and bring that back to them. So, we reverse for incident response, intelligence, and then networks that we monitor for people.
Then we do a lot of research into making ourselves more efficient because originally when I started this team 12 years ago to support a small operation, there was just two of us, reverse engineering as much malware as we can. Now we have 50 reverse engineers, and we’re reversing thousands of malware samples a year. We did that by a combination of scaling the number of people, but also our technology and our efficiency. So we spent a lot of time on research and we release a lot to the community. So we share a lot with the security community and we put out the biggest hacker competition for reverse engineering malware each year. To give you a sense of that, we have like five thousand people try to complete the competition and only like one to two hundred finish it worldwide.
So, malware analysis, let’s dive into what that is a little bit more. What is it? It’s dissecting malicious software. I say dissecting computer viruses when people ask me what I do. It is a very specialized skill set. You have to be focused on that one thing, and you can’t really do too many other things because to get the skills that you need, it just takes a really long time and you have to keep it fresh because the malware is changing at such a rapid pace, and you need to be able to keep up with it. It really is, what I say here is, the cat and mouse game, where the attackers are literally changing their malware to mess with the tools that I use to analyze their malware. On purpose, they break my tools and I have to figure out workarounds to deal with that.
The first time I think we were put on the map as a malware team was, we were putting out tools and the malware started to search for the tools saying, “Oh, are the FLARE tools installed?” In that case, as a piece of malware, I’m going to do something differently. That put us on the map because the malware was looking for our security tools. Malware analysis is not forensics, it’s not incident response, but it drives those processes because we do malware analysis, we figure out how to find it on the host, and then the incident response team could then look across the whole enterprise for that malware and the way we found it. For example, if the malware installs itself to be there after system reboot, they can look for that and get it removed. But they need us to be able to figure those things out.
There’s different levels of malware analysis support. I’ll talk about the basic side and then the advanced side. So the basic side is, there’s basic static analysis where it’s sort of like an autopsy where you take the malware, just ones and zeros at the end of the day, and you’re just looking at it. You’re seeing if hashes of it relate to things that you’ve already seen before, you look at the strings. I know some of your software developers, the strings are like, “Hello World!” would be a string. “Janestreet.com” would be a great string. That would be in a piece of malware if it was going to janestreet.com. But we would see those kinds of strings in the software, pull them out, and get a sense for what we’re dealing with.
Then we’ve created technologies to Floss here, which will … a lot of times, malware won’t just have “janestreet.com” just sitting there for you to read, instead they’ll encode it in some way that during runtime they’ll decode it and Floss enables you to get at that data and it decodes it for you. Then of course, we look at PE, ELF formatted files. For example, if you’re dealing with Windows or Linux, and you get the point. Basic dynamic analysis is where you’re actually running the malware. So you have monitoring tools like … and this is dangerous. You’re actually running malware, so you want to be careful, you want to be in a safe environment, and then you want to monitor the host and the network. Because you want to see how the malware … where does it install itself? Does it copy files somewhere? Does it talk on the network?
Then you want to be able to say, “I could write a network signature to block whatever network communication is doing, so you can stop it from spreading or whatever it might be doing.” And of course we create technology that we release to the public in this space. One thing is, as a malware analyst, if you’re running the malware, you don’t want to connect it to the internet because that could cause a lot of damage. So what you do is you’ve got to trick the malware into thinking it’s connected to the internet when it’s actually not. That’s why we released a tool called FakeNet to be able to do that, which tricks the malware, thinks it’s running. So if it goes to a website like google.com, it’s going to get a website returned, and that’s how it keeps it running and doing its bad stuff.
Sandboxes also fall under this category. Sandboxes are a technology that are now very popular, you guys might even run all your emails through a sandbox. What that means is, your emails are probably opened and every link in them is clicked, and every attachment is opened within these sandbox environments. If anything bad happens in that process, that email is then quarantined and it’s not delivered to you. That’s pretty standard practice now. FireEye was the one who invented that, and that’s how they IPOed and did all that, just to give you the background of that. Now that’s just standard practice across the whole industry. But you cannot just apply that to email, you could apply that to network traffic, you could apply that same thing to random files in the network that are getting transferred around and so on. So, I’ll loop back to sandbox technology later in the talk.
Safe environment is critical when you’re dealing with malware, you do not want to do malware analysis on your host machine because you can cause a lot of damage. I’ve only run malware on my host system three times. It’s very bad. It’s not fun, but you do reverse engineer the malware very quickly when you’ve accidentally run it on your system. But anyway, we released an open source Windows distribution called FLARE VM, because we encounter a lot of malware in Windows and that’s primarily the type of malware we deal with, and so we want to have a lot of tools there and it makes it easy to update the tools, but you want to be in a safe environment, and you also want to have a snapshotting capability so that after you run the malware, you basically trash the whole system, you want to make sure you can snapshot and go back to an original state.
So we use a lot of virtualization technology. We make sure it’s patched because you don’t want any vulnerabilities. But yeah, safe environments are critical to the process. So that’s the basics of malware analysis, are those techniques. That’s pretty much expected of our entire incident response team, so that they could do the things I already described. It’s this more advanced analysis, deep reverse engineering, where we come into play. There’s limitations to the basic analysis. The limitations are, you can imagine if you run a piece of malware, it might not do all the bad things. It might, for example, start by going to sleep for five days. We’ve seen a piece of malware do that. It goes to sleep for five days and then it wakes up and starts doing bad stuff.
Your sandbox is not going to wait five days before delivering an email to somebody…see the problem? So you have to actually deep dive reverse engineer the malware to figure out that it would sleep for five days before it does its bad stuff. So what does that take? That means we take the executable and we take it apart and we disassemble it and look at the code and figure out the exact machine code that would actually run on the system to figure out what it might do. Then we could also do debugging, which is just like disassembly, except we’re obviously running it and observing it in that internal state.
Most of the time, the malware analyst is spending their life looking at assembly code. That’s what we do, we love it. It’s like a big puzzle and we just love diving into it. So, what does this process of disassembling look like? First it starts off where the malware author writes some code in a high level language like C. We haven’t seen any OCaml-like malware before. So before I get that question I’ll just nip it right there, but we do see a lot of other languages other than C. Java, Python, and the more out there ones, since we don’t want to have one that out there, would be like Delphi. They’re still an attack group running around right now with Delphi compiler, and it’s really annoying to reverse engineer Delphi for a variety of reasons that I’m not going to get into. I have an entire class module. It takes a half day to teach, focused on just reversing Delphi binaries because of one attack group in China.
But anyway, back to the C code. Gets compiled by the compiler into machine code, that gets run by your CPU to do stuff. That’s how programming works. What we do is we then apply a disassembler and we turn that into assembly code that we can make sense of, and often that’s the best we can do. There are decompilers out there which attempt to turn it right back into the original C code, but that tends to only work with very simple programs. The technology there still isn’t at the point where we can trust it for all of our analysis, maybe a few functions here and there, but the whole binary, there’s just no way to get back to the original source code, especially when you get complicated things like C++ because the decompiling technology is not there yet.
But universities all over the world are spending a lot of time and effort to try and figure that out for us. But for now we’re stuck looking at assembly code, and this is often what we’re looking at. So, you’re like, “Well, that looks painful.” But our tool, IDA Pro, which is pretty much the industry standard for malware analysis, the NSA actually open sourced a tool called Ghidra that does the same kind of thing, and I actually worked on that when I worked there, and it does the same kind of thing. It takes a piece of software, disassembles it and presents it to you. But it doesn’t just give you the raw assembly, it actually puts it in a graph view, and you can make sense of it when it’s in this graph view, and when I look at this, I right away say, “I’m dealing with a switch statement.” A switch statement that says, checks for, if the argument passed in is zero, one, two or the default case.” You see the four boxes, those are the four different paths that code can go.
So a lot of our life is spent looking at that. I just wanted to give you a taste there. We’re actually going to pull up IDA Pro in a little bit and take a look at a few things quickly. So, I could talk about categories and malware all day, because there are just so many different categories of rootkits, back doors and so on, but being Jane Street, figured focus a little bit more on the financial type of malware, and then obviously we’re talking about ransomware today. But in addition to ransomware, some financial malware that’s getting very popular obviously with the Bitcoin explosion, there’s a lot of cryptominers out there where early on a lot of these botnets that control … it’s malware that controls a million machines, they were just starting to mine because it’s free power, so they just started mining.
They mostly mined for more obscure currencies, because it would take like … I don’t know, whatever it is, 10 years or something to mine a Bitcoin with that kind of power. But some of the smaller cryptocurrencies, they were mining efficiently and making money off it. They also put into their malware trying to steal crypto wallets, because at that time, when it was first coming out, those were not really secured in the way they should be either. Banking Trojans is more when somebody is injected into your web browser and they’re able to steal your banking information as you’re logging into it.
Credit card scrapers, a lot of point of sale systems send back the credit card data to a server, let’s say. So, sitting in memory a lot of the time is, you have the credit card information. What happens is, the malware will just scrape memory to try and steal that, and rather than running a piece of malware on every single point of sale system, they could just run one piece of malware on the server that gets all that back in the centralized place. There’s ATM malware, and we’ve seen ATM malware where somewhere along the pipeline of it going out and getting installed, malware was installed.
Then of course, there’s point of sale malware where it’s malware running right on the point of sale terminal, where you’re swiping your credit card and collecting it right there. We’ve seen people horribly hook up their point of sale systems where they’re connecting them straight to the internet and crazy things like that, which you should not be doing. One of the biggest IRs we did for a retailer that had a point of sale malware was, we thought we removed the whole infection from their point of sale terminals. But it turns out that the attacker was so sophisticated that they infected the retailer’s gold image that’s rolled out to new stores. So as the retailer opened a store, they were installing the malware for the bad guy, every single store that they opened.
The way we figured that out was, only the new stores had the malware, the old stores that we already fixed didn’t have it because we removed the malware. It took a very long time to figure out that the actual image that they were using to open a new store and install in the new terminals was infected. It was a pretty cool story. A big thing regarding financial malware, I talked earlier about all the nation-state China hacking. Most of the time they were focused on getting this intellectual property and that kind of stuff, or getting into networks really deep so that they would be there for a very long period of time, so if there was something they wanted to steal, eventually they would have access.
But recently, nation-states are now stealing money. When I first started doing this, the people stealing money were like some dude in Ukraine and then he’d post pictures with Lamborghinis and cash. That’s the kind of attacker we saw stealing money, literally. But now we see, for example, North Korea. Due to the fact that they have embargoes in place, they cannot make money like they used to because they can’t trade with people. So guess what they got into the business of? Hacking people for money. I’ll talk about that more later. So, they’ve changed their focus, and so we see Russia and North Korea stealing money from people to generate revenue for the government. Interesting.
So, the topic at hand is ransomware. So, what is ransomware? It’s any malware that enables cyber extortion for financial gain. So they’re going to do something like encrypt all your files or lock your system and say, “You’re not allowed to have access to this until you pay me money.” That’s what ransomware is. It’s gotten really popular partially due to the anonymous currency, ability and access people have to things like Bitcoin. So these people get paid anonymously much easier than they could in the past. In the past, that was very problematic for them. They would ransom somebody’s system, and what do you do, mail a check to the bad guy? It doesn’t really work out. So, that’s why this really exploded in the last few years, because it was so much easier for them to get anonymous payment.
We do see a varying degree of sophistication here when we’ve obviously reverse engineered a large amount of different ransomwares. For example, we found a piece of ransomware, didn’t even encrypt your files, it just renamed them to different extension. That was enough to trick lots of people into thinking that they had to pay. A lot of times the ransomware asks for an amount of money that’s not too huge enough that you would pay, but it does get tricky for people to get access to these cryptocurrencies. Like when my mom gets infected with ransomware, she doesn’t know how to get some Bitcoin on the dark web or something. So, it is tricky.
We did have a law firm that we investigated who was hit by ransomware, and this was just a very large scale extortion case where all their data was going to be done and was going to be lost. So it was a pretty big payment the hacker wanted. So, the FBI got looped in, it turns out the hacker was domestic and due to our investigation and coordinating with the FBI, we’re actually able to knock on that person’s door and get them to decrypt everything for the law firm. You’re like, “Oh, that’s a good story. They got their data back!” But the interesting part of that is, the law firm bought a ton of Bitcoin, and in the time from when they acquired the Bitcoin until the time they got their data back, Bitcoin had shot up a crazy amount of money. So them getting hacked and having us do the investigation, made them $1 million. It was crazy. I was just like…
Anyway, reverse engineering needs to be done to answer questions with ransomware. One is, often ransomware is spreading. They don’t want to just infect one system, they want to infect many systems. So how do you make it stop? How do you stop it from spreading? How do you stop it from encrypting all the files? Maybe there’s some tricks you can do to protect yourself. Also, what we end up reverse engineering a lot for clients is, “Hey, is it even possible for us to get our files back?” Because you don’t want to pay somebody a million dollars if there’s no chance, like the files are just trash, because we’ve seen malware that does that, where they’re not even encrypting it, they’re just damaging the files. Of course, if you’re going to do a large scale attack, you want to give people their files back, otherwise nobody’s going to pay you. Maybe the first one will pay, but not everyone.
So generally, attackers do have the ability to get your files back, but sometimes they make mistakes in the programming process, and we’ll see some of that today where they make a mistake in the programming process and they can’t get your files back for you, no matter what they do. Those are the types of questions we get from clients. So like, “If I pay, can I get my files back?” And then the other question we get is, “How about I don’t even pay, you just reverse engineer the malware and figure out how to get my files back?” We’ve had success doing that as well. It depends how they implement crypto and stuff like that. So as a malware analyst, we look for things in ransomware. For example, getting deep into the coding a little bit is, if we’re reverse engineering Windows malware, we look for the Windows API functions that might be interesting to us.
Things like ReadFile, WriteFile, make sense that malware would call that on Windows if they were going to read a file and then encrypt it and write it. So what we can do is, focus our efforts on the right file and then work our way backwards in the reverse engineering process to say, “Hey, they’re probably going to encrypt everything right before they write a file.” And so rather than looking at millions of lines of assembly code, we can zero in on just a small section of the assembly code and figure out what’s going on with the encryption. Also, another set of APIs malware often uses is the MapViewOfFile. That’s where you’re taking a file off this, mapping it into memory, make all your changes into live memory, and then you flush the file back to disc. So they don’t use the ReadFile, WriteFile API, instead they’re just doing it all in memory.
Obviously there’s some approaches they use for encryption, and sometimes they’re doing symmetric, sometimes they’re doing asymmetric, and there’s different advantages and disadvantages to each one. So for symmetric, that’s with single private key encryption algorithms like RC4, AES, DES. They are very fast, and you just really need just a single key to encrypt and a single key to decrypt. So it’s pretty easy to use. However, malware needs to protect the key, and that’s difficult, because if you give somebody a key, they can just decrypt the files and they’re good to go.
So in other words, when we reverse engineer the malware, we see them getting this private key in different ways. Sometimes they generate it on the system and then they upload it to the web, to the bad guy, to their C2 server. C2 is short for command and control. That’s just the bad guy’s server that they’re controlling access to. So a lot of times they’ll start off, generate the private key, ship it off to the internet, and then delete it from the system, and then only give them the private key back if they pay the money. Sometimes they request the key from the C2 server, and then other times the key is just embedded inside the malware. That’s the case where you could get lucky where you can reverse engineer the malware, pull out the key, and then decrypt all the files.
Asymmetric is going to be the whole public-private key pairing that you need to have going on. You might use this for email if you use PGP or S/MIME, and the advantage is, it’s best from a security perspective, but it’s slower to encrypt things. So if you’re encrypting an entire file system, for example, and also key management is challenging. Attackers are very lazy. They do not want to manage a whole public-private key pair for each system. Imagine if you’ve infected a 100,000 systems, now you have a 100,000 keys. It’s a lot of effort. So most of the time they’re pretty lazy and they don’t go through that because they’re not pushed to it, they don’t need to.
But with asymmetric, you do need to have that pair. So what often happens is they generate the public-private key and then just upload the private key and then keep the public key locally and encrypt all the files. Sometimes they just come embedded with only a public key, and then they don’t provide you the private key to decrypt your files until you pay the money. We also do a lot of things from crypto identification, we use tools with signatures that integrate into things like IDA Pro that can zero in on, “Hey, this is an S-box for AES, go right there, that’s going to be where the AES encryption is happening for symmetric encryption.” Also, we have our own tools that we’ve picked up to recognize when there’s a complicated function that either has compression or encryption or something like that.
So instead of reversing these functions…you don’t want to reverse these functions. That’s what they look like. That’s what an encryption function looks like. Each one of those little white boxes is a box of assembly code. You never want to reverse engineer something like this, unless you really, really have to. So, generally we stay away from that. And most ransomware will use something they downloaded from the internet, an open source encryption algorithm, or they implemented something that they could do in one line. Or they’re just renaming files. But generally, it’s not their own baked up encryption because it’s hard to do encryption properly, especially if you’re talking public-private key.
Also if we’re talking about symmetric encryption, chances are, we could just rip out the function straight out of the malware and use the function that we’ve ripped out of the malware to do the decryption. We’ve had success doing that as well, where we didn’t even know how the encryption really worked, we just knew that it took a key, we had the key, ripped it out of the malware, the code straight out of the malware and actually reused it. So those are some tricks and techniques that you can use.
So, WannaCry. This was pretty famous malware. How many people have heard of WannaCry? Yeah, we got a lot of security people in here maybe or I guess WannaCry is pretty famous outside of security. So sometimes you pay and you get your files back. WannaCry was a worm and it utilized the EternalBlue exploit for SMB lateral movement. That’s why it spread like wildfire through people’s networks like it did in Baltimore city. SMB is a protocol that gives you access to file shares, printers…all Windows systems come with that and talk that protocol. Where this EternalBlue exploit came from was the Shadow Brokers leak. And of course, as soon as the Shadow Brokers leak went out, Microsoft realized that there was a vulnerability in SMB for them, which is a big problem.
They started scrambling to try and patch it and update all their systems as fast as they possibly could. At the same time, there’s a race going on with the hackers who got ahold of it and they’re trying to package it into malware. And guess what? They packaged it into WannaCry. They were the first ones to hit it. Because a lot of times the way these attacks work is once you get in, you patch up the problem so that other people can’t use that attack to get in. That’s exactly what a lot of these worms do. Now, WannaCry was patched by Microsoft, but by the time the patch went out, it was too late. Also, when you roll out a patch, you need people to actually install updates. And how many times do you say, “Let’s snooze on updates for another day.” Everybody does that and that’s a problem.
So, this spread like wildfire, and they asked for $600 in Bitcoins. People stopped asking for a whole Bitcoin because it got too pricey. They did that at first, and then people were just like, “Ah, forget about it, just buy a new computer.” So they asked for Bitcoins. The command and control communication all happened over Tor channels, which is an encrypted channel, and this is the splash screen for WannaCry. So, that actually popped up when you were a malware analyst running it on your system and it says, “How do you pay?” “How do you send payment?” and so on and so forth. There is a large extension list of all the files that it would encrypt on your system.
This was a serious problem. The estimates are $4 billion in loss from this one piece of malware. This wasn’t just like corporate networks, this was healthcare providers, hospitals were getting hit with this. In England, we’re talking MRI scanners, blood storage refrigerators, they all got hit with this and were ransomed, they got taken down. They couldn’t even accept people at the hospital. This is like life and death stuff. This is not good. I think WannaCry, or the authors of WannaCry, didn’t realize how much it would spread. Who knows if their intention was to get on MRI scanners, but it just spread like wildfire beyond belief.
Within four days, this whole outbreak was down to a trickle. So you can imagine if you’re a malware analyst, you need to solve this really quick because you only have four days, by then who cares? There’s still some caring after that. Things like, “Can I get my files back?” Those types of questions can be answered, but the spread and reverse engineering, you have to do that really quick. The president of Microsoft said that he believed it was North Korea, and we paired up with some of our government agencies and a lot of us all agree that that is the case based on a variety of things.
The WannaCry itself had a lot to it. So luckily, I have a big malware analysis team and I could farm out things, the different components of it. So this came in and you got to deal with the encryptor, the decryptor, the exploit itself, how it’s spreading, how is it communicating on the network? These are all individual components that we could apply different reverse engineers on each component and we could get the answers we need quicker. This also came with a lot of anti forensics, we had to deal with that, where it was trying to cover its tracks. It was removing the fact that it got in, how it got in, all that kind of stuff to hide. So WannaCry had a kill switch. What was this kill switch? Well, this young gentleman, who went by the handle MalwareTech, found the kill switch, and blogged about it. “How to accidentally stop a global cyber attack.” So, he blogged about how he did this.
How he did it was a little bit lucky. So he said, “Upon running the sample in my malware analysis environment, I instantly noticed it queried an unregistered domain, which I promptly registered.” Then he posted this website there, “sinkhole.tech - where the bots party hard and the researchers harder.” By posting this website on that unregistered domain, he immediately stopped the spread of WannaCry and just shut it down. It was like … how did that happen? I don’t know if he knew or not, but it takes a reverse engineer to figure out why what he did was effective in stopping WannaCry. So we’re going to go through that process and we’re going to figure out what the actual kill switch was.
Oh, and MalwareTech, he recently got arrested for selling malware. So, what we would do is we would take the executable because it was a Windows executable, and we would drop it into our tool, IDA Pro here, and this is WannaCry dropped into the tool. And nice thing about IDA Pro is, there’s a lot of compiler generated code and stuff like that. But IDA Pro knows, we want to start where the malware author wrote, which is the main method. For anybody who’s written a C program, the main method, “Hello World!” You just need print “Hello World!” in your main method, you’re good to go. So this is the main method of WannaCry. It’s pretty small. So, that’s the amount of assembly code you see there. It looks like there’s two paths it can take, really early on. I’ve been a little strategic in marking the two paths to make it easy for you to see.
Let’s see if I can get it easy for you to see. Nope, that’s as good as we’re going to do. There’s two paths. The green path and the red path. We want it to go the red path because that exits the process, which means WannaCry is no longer running. If we go the left path, that’s going to ransom your system. We do not want the green path. So we walk our way back through the code. We say, “Oh, well, we want to go the red path, how do we make that happen?” We see two critical calls here. One is for internet open URL and the other is for internet open. What this does is it goes to a website and downloads a web page. It’s all it does. Then if it gets a web page back, it’s going to go the red path and die.
If it doesn’t get a web page there, it’s going to ransom your system. And it’s like, “Whoa, why would they do that?” Now we’re going to go back in our minds and remember sandbox technology. Sandbox technology will run a piece of malware like this. Maybe it came in an email attachment or something like that. The sandbox would run it, it would see it going to this domain, and the sandbox would serve up a website. WannaCry doesn’t want to run inside a sandbox because then it’s going to get caught quicker, and people were going to figure out about that exploit that allows it to spread like wildfire.
So this is an anti sandbox technique. Let’s take a look at the domain that they ended up using. Yeah, it’s kind of crazy…It’s like somebody just jammed on the keyboard. It’s like some crazy domain name. So that’s what MalwareTech registered and put that website up and it stopped the infection WannaCry. Of course, what ended up happening next was, just change one letter in your binary. So it’s not I-F, it’s I-G or something. Then WannaCry starts working again, and then there were all these security professionals who were like, “I found the new kill switch! I found the new kill switch!” It’s like, you just changed a character in the string, like who cares?
Then attackers said, “Why don’t we just strip out this whole kill switch thing because it’s causing us problems?” Then they stripped that out, but by then there was enough time for people to realize how it was spreading, and they were able to patch their systems and stop WannaCry from happening, which just by him registering this, saved the day though, because it gave people enough time to reverse engineer and figure out what was going on. But chances are, he just ran it and was like, “Hey, there’s no domain there, I’m going to put a domain up to be famous on the internet.”
EternalPetya. So, sometimes your computer is over. That’s what this one’s about. What does that mean? So, EternalPetya also known as NotPetya was a piece of ransomware, but we don’t even call it ransomware, we just call it destructive malware, because that’s really what it was at the end of the day. They did have a splash screen where you could pay them a ransom. This is the splash screen right here–send $300 worth of Bitcoin here and we’ll get paid. That’s what it looks like. There’s a lot of components here where it would steal credentials. So that’s like your login and password, and it’s spread also with the EternalBlue, but also a variation of it, because a lot of people wrote signatures for EternalBlue rather than patching their systems, so they wrote … that’s often what happens is, before Microsoft rolls out a patch, you write a signature or something that could detect the attack and prevent it while Microsoft makes the fix, and then you update your system. That’s how it generally works.
So what they did was they modified it and called it EternalRomance, and EternalRomance started to go around and then it encrypts files with AES, and then there was a problem. We realized this through reverse engineering that it installs an MBR bootkit, but it encrypts the Master File Table. Now, if you don’t do Windows forensics, which I don’t expect that all of you do, the Master File Table is how the operating system keeps track of where files are, where the contents of the files are, how the whole file system is really set up, and when you’re doing computer forensics, it’s a place you go to find files that were deleted. Somebody thinks they deleted the file, they’re not really deleted because you can use something like that at the really low level.
But if you encrypt the Master File Table and then throw away the key, you’ve essentially trashed the entire operating system. So it’s over. Because they made a mistake, they didn’t get the key that they encrypted the Master File Table with out to themselves, and therefore it’s over. The whole system is just done. This is exactly what hit Maersk, which is that shipping container company. That’s why they lost $300 million because it spread like wildfire through their network and trashed all their systems, and they had to re-image all of their systems, basically buy all new computers. Because at that point, you’re probably on old computers, might as well just buy new ones at that point.
This is what it looked like. This is a grocery store and people are like, “I just want to buy some lettuce or something, and it’s just like exactly the screen I showed you. Like all the way down and all the registers, little did these people know that they’re not going to be buying groceries unless they’re paying cash or something. All these machines need to be re-imaged or just buy new computers. That’s like, again, hitting everyday people’s lives. Because this thing spread. So, EternalPetya does not have a kill switch, but it does have a vaccine. One thing malware does, pretty consistently across all malware, is they only like to run one version of themselves per computer system that they’re on. And why would you do that?
Well, number one is you don’t want to have 100 versions of the same malware running on one system, could be pretty noisy, could slow down the machine, people can notice it, also could be confusing to yourself because if you have 100 implants talking back, it’s problematic. So generally they do something sort of like a marker to say, “I’m here, remove yourself or go away because I’m already here.” Malware universally does that. One of the ways they do that is by creating a file on the system, and they would … It’s a pretty simple way. And you say, “If that file’s created, I’m already here, I should just kill off the malware.” So again, we could go through the reverse engineering process here for NotPetya and realize that there’s a vaccine for it.
So again, inside of IDA Pro, and we’re digging deep in the assembly code, and one thing we often look for is a function call of exit process because exit process, as you see here, just terminates the process. So in other words, if you get the malware just to run that, it’ll terminate itself and it won’t do all the bad stuff. Again, we have the left and right. And IDA Pro isn’t this helpful for us as malware analysts, I’ve colored it red and green, that’s it. If you just open up every ransomware and colored it red and green, it’d be a lot easier of a job, but anyway, we want it to go this path, and the bad guy wants to go this path, because this is where it’s going to create the file, and it’s going to keep running because the function is going to return, it’s not going to exit process.
If you notice, there’s nothing after exit process, the thing’s done at that point, but it creates the file and then it returns and does its ransoming of the system, in this case, it just trashes the whole computer. So we do not want it to go the green path, we want it to go the red path. Again, we’re going to work our way back through the code, which means reverse engineering going backwards, and we say, “Well, we want to go this path.” Well, it only goes this path if the file does not exist and it checks a path file exists. So it says, “Does this file exist? If not, I want to create it and do the bad stuff. If it does exist, terminate.” So we have to reverse engineer a little bit more here. We’ve got to go a little bit deeper than we did with WannaCry, and we have to figure out what is this sub-routine here. So it calls a function. So we have to dive into that function to figure out what’s happening, what file we’re talking about. Because it’d be good to know.
So, this is the function we’re presented with and we could quickly reverse engineer this function. It starts off by getting the current file path name, which is just the path of the malware itself. This malware was distributed in a very specific way, such that it was distributed with …So it was distributed with a very specific name. So I’ll just make a path. Let’s say the path was on your desktop, and then it was distributed as perfc.dat. So that’s how it was getting dropped on the systems and run. So, in the malware when we’re looking, that’s what the current file path name is that they’re using, and they’re passing that to a function call of “PathFindFileName,”which just gets the file name out of the path.
So what does that do? It essentially just removes whatever the directory is. So, so far we have perfc. Next up, we see PathCombine, and it’s combining the path of that file name with C:\Windows\. So again, we now are putting C:\Windows\ on the front of that. We have a little bit more code to reverse engineer, and it’s going to find the extension, which gets a pointer to the start of the extension, which is the dot, the period. Then they’d call XOR ecx, ecx. Does anybody know what XORing something with itself does?
Zeroes it out. Yeah. So what happens here is they’re zeroing out ecx register. Then they’re moving that zero into the pointer they got from find extension, which is pretty simple. That’s just essentially saying there’s now a zero where that period is, which ends up truncating the file name to C:\Windows\perfc. So, this code would run, C:\Windows\perfcC. Then it would say, “Does that path exist?” If it doesn’t exist, that’s the file it’s going to create, and we’re going to go the green path. So, in other words, we can create a file named C:\Windows\perfc, and protect ourselves against this malware. Yes, just that easy, isn’t that crazy?
So what we could do is, though, we could say, “Hey, you have EndPoint Technology on all your systems, you have an ability to deploy a file really quick, just drop a C:\Windows\perfc file on all your systems, and you’ll be protected against this crazy attack that’s going on while we figure out really what’s happening, while we figure out how to stop the spreading and get the patches in and everything else. So again, this is like the kill switch, where we’re just buying some time as this infection is going on at a large scale. But the goal here was to show you exactly how the reverse engineering, the code process, you would never figure out that you needed to create C:\Windows\perfc, or if it was distributed to you in a different way, to create a different file, or how the kill switch was working, unless you did that deep dive code analysis level.
So, in conclusion, malware analysis is critical to understanding threats. So whether it’s a ransomware attack that’s spreading like wildfire or a very specific targeted attack that we’re studying, you need to be able to reverse engineer the malware to figure out what the attacker goals are, how they’re installing their tools and systems, how to find those tools on other systems and really stop what’s going on. Ransomware is really popular obviously, it impacts all of us, the grocery store, paying your water bill. It’s problematic. Reverse engineering at the code level is required to get those answers. And hopefully you followed me with that assembly, quick assembly code look to get a little taste of what it’s like to be a malware analyst, where you’re actually reversing at the code level to find out what are some of the tricks that you can do for malware.
I tried to pick examples that you could explain in five minutes, because obviously a lot of the reverse engineering process could take hours, days, weeks sometimes to get through one piece of malware, especially malware that’s been armored and protected, where they’re trying to fight against tools like IDA Pro, where you drop it in, and the IDA Pro disassembler breaks because they’re targeting me, because they know that I’m going to be using that tool. So, maybe you can encrypt the ransom files, but at least if you reverse engineer, you could figure out if you could tell your clients, if they could even get their files back in the first place.
If somebody got infected with NotPetya, I could tell them, just get a new computer, forget about it. That’s the answer that we can give people sometimes. Other times, we can give them the vaccine, we can give them the kill switch and so on. So, maybe you find a way to stall the infection spread, maybe it goes a different way.