360 Security Guard · 2016/04/06 11:41

Author: Luke Viruswalker

0x00 Introduction

At the end of last month, Goethe, one of Germany's oldest security companies, released a security report noting the emergence of a new ransomware Trojan called Petya. So what is this new ransomware Trojan all about?

0x01 Trojan overview

Technically the Trojan is not complicated. It is written in C and modifies the data in the first 63 sectors of the disk that holds the system partition, including the master boot record (MBR), so that the code the Trojan wrote is loaded automatically at boot. It then forces the system to restart; on the next boot the computer loads the malicious code, which encrypts the user's disk and displays the ransom screen.

As described above, the principle can be explained in two sentences, but seeing it in practice leaves one impression: simple, crude, but it works!

0x02 Code analysis

Preparations before the restart

Since the Trojan spreads mainly through network drive shares, its only disguise is its icon: it masquerades as a self-extracting archive:

Beyond that there is no other disguise; it gets straight to the point: it opens drive C and uses DeviceIoControl to find the physical disk on which drive C resides.

Having identified the disk, it opens it in read/write mode:

Everything is in place; all that remains is the actual write. Everything the Trojan writes is confined to the first 63 sectors of the disk and falls into four parts:

1. Modify the 512 bytes of the first sector (cylinder 0, head 0, sector 1), i.e. the MBR.
2. Write the character "7" (hex 0x37) to every unused part of the following sectors.
3. Starting at sector 35, write the malicious code, 8192 bytes in total (0x2000 bytes, i.e. the space of 16 sectors).
4. Starting at sector 55, write 512 bytes of configuration data.

  • Modify the MBR

  • Fill in the free space with “7”

  • Write malicious code

  • Write configuration data

With all the rewriting done, it is time to reboot. The Trojan does not simply run the shutdown command; instead it calls ZwRaiseHardError in NTDLL to raise a hard error that blue-screens the machine, thereby forcing a restart:

Pausing the analysis: a look at the disk

If we pause the analysis here and look at the disk, the first 63 sectors, including the MBR, have already been modified by the Trojan and the malicious code has been added, but the disk partitions themselves have not yet been damaged. Opening the disk with a disk editor, we can clearly see the modified MBR and the added malicious code:

A closer look at the modified MBR code shows that at startup it loops reading sector 34 (counting from 0; that is the "sector 35" referred to above) into memory and then executes it:

Let it run: what happens after the reboot

Now we let the Trojan continue. It triggers the blue screen, the system restarts automatically, and a disk repair message appears:

As shown in the screenshot above, the system claims to be repairing the file system on drive C and warns, in capital letters, not to shut down: if you shut down, your data will be destroyed!

But in reality? It is if you do NOT shut down that your data will be destroyed, because this message does not come from the system's own repair program: it is a deceptive prompt written by the Trojan itself. The progress bar shown, however, is meaningful: it is the progress of the malicious code encrypting your disk! Below is the corresponding text, found by opening the disk directly with a disk editor and looking at the data the virus wrote:

Once the so-called "file system repair" completes, the user is greeted by a blinding skeleton (1. the screenshot cannot show the flicker; what you actually see is the screen alternating between red and white; 2. in all fairness, the interface is quite well made!)

Press any key to get to the point. Sound familiar? Download the Tor Browser, go to the link specified, enter your personal decryption code, pay, receive the decryption key and get your system back to normal!

It is the same ransom routine CTB-Locker has used for years, except that instead of encrypting specific files, this time it encrypts your entire disk...

0x03 Prevention and repair

Although this Trojan restarts the system by calling ZwRaiseHardError rather than the shutdown command, the whole design rests on modifying the system MBR. Most security software with active defence has been fighting MBR Trojans for many years and can already intercept it at the single step of modifying the MBR. In addition, according to our monitoring the Trojan has not broken out on a large scale in China, so as long as reliable security software is installed there is no need to panic about Petya.

But what if you are not protected by security software... That brings us to repair, which is a little trickier.

  • If you are a god-tier operator with fast reflexes

Suppose your awareness is good enough and your hands are fast enough: you just slipped and ran the file. Make sure to shut the machine down completely (pulling the plug is recommended) before the fake "file system repair" screen appears. If you manage that, congratulations! The next steps are not complicated: find a PE (preinstallation environment) boot disk, boot the machine into the PE system from the USB stick, and use any boot repair tool to rebuild the MBR.

Once the MBR is rebuilt, the normal system MBR will no longer execute the code the Trojan wrote, so the malicious code becomes nothing but a large corpse lying on your disk, never to be executed. Of course, if you do not even want the corpse, after rebuilding the MBR perform the "clear reserved sectors" step below, and even the corpse is cleaned up for you. (^o^)/~
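The rebuild-then-clean sequence just described, shown on a raw disk image as an added example (not the article's or 360's tooling): the MBR boot code is replaced from a known-good copy while the existing partition table and signature are kept, and sectors 1..62 are zeroed, with a backup of the original boot area taken first. The function names, the placeholder boot code and the sample image are this example's own constructions. It assumes a classic MBR disk whose reserved gap holds nothing the system needs; some boot managers keep stage-2 code there, so check before clearing a real disk.

```python
"""Rebuild the MBR and clear the reserved sectors of a raw disk image.
Added example, not 360's tooling.  Works on bytes in memory so it can be
tried on a copy of an image; the boot code and sample image are constructed
placeholders.  Assumes a classic MBR disk where sectors 1..62 hold nothing
the system needs (some boot managers do keep stage-2 code there, so check)."""
import hashlib
import struct

SECTOR = 512
RESERVED_SECTORS = 63
CODE_LEN = 446   # bytes 0..445 boot code, 446..509 partition table, 510..511 signature


def partition_table_is_sane(mbr):
    """Refuse to reuse a partition table that is missing, empty or overlaps the reserved area."""
    if mbr[510:512] != b"\x55\xaa":
        return False
    used = 0
    for i in range(4):
        off = CODE_LEN + 16 * i
        ptype = mbr[off + 4]
        start, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype == 0:
            continue
        if start < RESERVED_SECTORS or count == 0:
            return False
        used += 1
    return used > 0


def backup_boot_area(image):
    """Copy the first 63 sectors and return (copy, sha256) so the original can be restored."""
    area = bytes(image[:RESERVED_SECTORS * SECTOR])
    return area, hashlib.sha256(area).hexdigest()


def rebuild_mbr(image, known_good_code):
    """Replace the boot code only; keep the image's own partition table and signature."""
    mbr = image[:SECTOR]
    if not partition_table_is_sane(mbr):
        raise ValueError("partition table not trustworthy; recover it before rebuilding the MBR")
    new_mbr = known_good_code[:CODE_LEN].ljust(CODE_LEN, b"\0") + mbr[CODE_LEN:]
    return new_mbr + image[SECTOR:]


def clear_reserved_sectors(image):
    """Zero sectors 1..62, removing whatever was written into the gap behind the MBR."""
    return (image[:SECTOR] + bytes((RESERVED_SECTORS - 1) * SECTOR)
            + image[RESERVED_SECTORS * SECTOR:])


def repair_image(image, known_good_code):
    """Back up, rebuild the MBR, then clear the gap; returns (repaired, backup, backup_sha256)."""
    backup, digest = backup_boot_area(image)
    repaired = clear_reserved_sectors(rebuild_mbr(image, known_good_code))
    return repaired, backup, digest


# ---- constructed sample ----------------------------------------------------
CLEAN_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"   # placeholder stand-in for real boot code


def _sample_table():
    # one bootable NTFS (0x07) partition starting at LBA 2048; CHS fields left zero
    entry = (bytes([0x80]) + b"\0\0\0" + bytes([0x07]) + b"\0\0\0"
             + struct.pack("<II", 2048, 1_000_000))
    return entry + bytes(48)


def make_sample_image():
    """Tampered-looking image: placeholder boot code, '7' fill in the gap, one partition
    at 2048, followed by a few sectors of 'partition data' that must survive the repair."""
    mbr = (b"\x90" * CODE_LEN) + _sample_table() + b"\x55\xaa"
    gap = bytes([0x37]) * ((RESERVED_SECTORS - 1) * SECTOR)
    data = b"DATA" * SECTOR            # 4 sectors of stand-in partition content
    return mbr + gap + data


if __name__ == "__main__":
    repaired, backup, digest = repair_image(make_sample_image(), CLEAN_CODE)
    print("backup sha256:", digest)
    print("gap cleared:", repaired[SECTOR:RESERVED_SECTORS * SECTOR] == bytes(62 * SECTOR))
```

On a real machine this is what the boot repair tool in the PE environment does for the first step (on Windows, `bootrec /fixmbr` from the recovery environment rewrites the boot code and leaves the partition table alone); the sanity check matters because, as the last section of this article notes, a Trojan that destroyed the partition table needs that table recovered before the MBR is rebuilt.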

  • If you are security conscious

If you are in the habit of backing up your system regularly, that is enough... After rebuilding the MBR as described above, you can simply restore the system from backup.

  • If you have made no preparations at all

That is unfortunate, but even then you do not have to pay the ransom. Unlike the typical CTB-Locker, this Trojan does not modify any of your files; it only corrupts the disk's overall file index. So if you have important files that need to be recovered and do not much care whether the system itself still works, you can do it yourself:

But if you want the whole system restored intact, more professional tools and methods are required, so it is easier to turn to a professional data recovery service.

  • By the way

Incidentally, a similar MBR-modifying ransomware Trojan has appeared recently:

If you have this Trojan, follow the steps above to rebuild the MBR and add one more step, recovering the lost partition table, to complete the repair, because this Trojan only destroys the partition table and does not touch the file index:
