By Andrew Brandt
Ransomware is nothing new, but a Ukrainian ransomware Trojan that came over the transom last week demonstrated that the concept of “payment” can extend to services other than banking or finance. In this case, the Trojan (which we and several other AV companies call Trojan-Ransom-Krotten) thoroughly locks down the infected system then demands payment—in the form of credit paid to the Ukrainian mobile phone provider Kyivstar, which the victim then has to transfer to the malware distributor’s account.
Yes, Alice, the hacker wants you to pay his cellphone bill.
Once the ransomware has taken hold on a victim’s computer, it locks down the operating system in dozens of different ways, as well as changing several registry keys that add juvenile, profane text to Internet Explorer’s title bar and elsewhere on the desktop and in folders.
Paying the ransom in these cases simply emboldens the malware creator to continue his crime spree. Of course, even once a victim hypothetically pays this ransom, there’s also no guarantee that there’s any way at all for the malware distributor to reverse the damage — which takes the form of significant levels of annoyance — caused by this insipid Trojan.
Fortunately for the victim, the creator of this Trojan isn’t the sharpest tack in the box. Not only were we easily able to tease out the Trojan’s payloads and add signatures which would prevent the Trojan from delivering its payload files to a victim’s computer, but we’re able to see exactly how the author (ineffectively) tries to frustrate the kinds of behavioral analysis we and other antivirus vendors perform.
The Krotten sample in question came as a file called chatadmin.exe. Antivirus signatures to remove the file and its payloads have been in our generic Ransomware definition since last October, when it first appeared in the wild. A researcher who was taking a closer look at the file brought it to my attention when he saw the exceptional level of stupid the Trojan exhibits in the course of its actions.
On a virtual machine, the program simply quits when you try to run it. On real, physical test hardware, however, the program drops payloads, locks down the machine within about 8 seconds, then reboots the system.
Most of what the program does is set keys in the Windows Registry. Many of the keys it sets are used by system administrators for group policies, to lock down systems in a large corporation. The Trojan sets more than 40 of these keys to disable various features in Windows Explorer most users wouldn’t give a second thought to, such as the ability to open the Start menu, close an open window, use the Run dialog box, print, open a file, or do, well, almost anything at all. In addition, the Trojan sets software restriction policies that prevent most applications from running. Instead, you see a dialog box that looks like this.
Another annoyance comes from the changes to the user interface. One of the keys the Trojan sets changes the way Windows displays the time in the System Tray and in the Details view inside folders. Instead of the time, windows displays a curse word in Russian anywhere the time would normally appear.
And another registry key adds a line of text to the title bar of Internet Explorer which — in censored translation — displays the following at the top of all IE windows:
my (male anatomy) is rotten, (female anatomy) is spoiled, and (female anatomy)-cutter is in my (backside).
When the computer comes back from its reboot, Windows displays a dialog box that looks like this:
For those who don’t speak Russian, here’s a rough translation provided by one of our Russian-speaking engineers:
In order to restore normal functionality of your computer without losing all the information! and saving money, send me an email to email@example.com, with the code for replenishing a Kyivstar account with 30 Grivna. In response within 24 hours you will get an email with a file to remove this program from your computer.
In this case, 30 Grivna (the national currency of Ukraine, also called Hryvnia) is worth a whopping…three dollars and ninety four cents. Hey, that really is a bargain for ransomware. Maybe the author just finished watching the movie Better Off Dead before writing this work of art and thought, hey, that paperboy has a cunning business plan.
The computer also launches Internet Explorer, and opens a Web page from the Web site rotten.com with a postmortem photograph of the bloody and mutilated face of Uday Hussein, Saddam Hussein’s son. And of course, because the Trojan has set the policy key that prevents you closing the open window, the gruesome photograph just stares you in the face.
Stay classy, ransomware authors.
But laughably, upon closer analysis, the Trojan author apparently wrote his code using a free tool called Sign 0f Misery (or just S0M), which is to application programming what the Dell configurator is to building a PC. We found this hilarious because, with zero effort, anyone can plug a program written in S0M back into the program’s interface, and S0M just displays all the procedures the program uses. For example, the Trojan’s author built in a safety mechanism: If a file with the name 290564175.txt is in the root of the C: drive on the system, the Trojan halts execution and quits.
So, using S0M, we could see how the program’s routine works: It drops a small executable file into the Temp folder. That program checks several registry keys to see if Windows is running in a virtual environment.
Now, we’ve seen this behavior in a lot of malware before, but it hasn’t ever been laid out on the table like this for us. So I have to thank the malware author for giving our Threat Research group a list of registry keys they should modify on the virtual machines they use for research. Those keys include:
HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\PTLTD_ HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\IDE\DiskVirtual__HDD_________________________FWR10003 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\IDE\DiskVirtual_HD______________________________1._1____
If none of those keys are present, the Trojan goes on to delete the registry keys that start up 11 antivirus products, then drops and executes a self-extracting archive that has been split into six segments. The archive puts the segments together, then unfurls five more payloads, each of which has a specific task: One, for example, drops a batch file that reboots the computer; One sets the policy registry keys; One monitors the system and, if the victim somehow manages to revert any of the policy keys, resets those keys. Almost all of them was written with Sign 0f Misery, which makes the research so much easier for everyone involved.
The payloads also include an autorun.inf file, dropped in the root of the C: drive, which runs the malicious payload at startup, as well as a Hosts file that redirects 110 different domains to rotten.com, including those used by antivirus vendors for updates, Web mail services, and other sites that are, presumably, popular in Russia and the Ukraine.
But even here, the author blew it: He created two entries to block access to Virustotal, a free service which anyone can use to scan unknown files through multiple AV engines. But a typo in the Hosts file means that, even though a victim can’t browse to virustotal.com, if a victim adds the www. prefix to the domain he can still use this valuable service, even on an infected PC. Derp.
In all, it was an entertaining and enlightening peek behind the scenes. Not only is our engine capable of preventing the files from reaching the filesystem and cleaning an infected box, but a moderately technical user can use free tools like GMER, launched from a computer running in Safe Mode With Command Line, to delete the nuisance files and registry keys manually.