
As I said, I'm a Western pecker, just literally onboarded with a wrap about a week ago, so it's doing pretty good. And yeah, I'm going to do a little bit of an introduction here. So: senior security engineer, senior pen tester, researcher. Like I said, I've been doing pen testing about 11 years, spoken at several conferences, just got accepted to do a similar talk to this at HOPE, so TakeDownCon also, and just got my Black Hat talk accepted, also on ATM hacking, so that'll be pretty awesome. And yeah, there's a couple other speaking engagements. Like you said, 12 years programming and security engineering, so it's something that I definitely got a little bit of background in. And then I was doing actual work for DARPA and the Department of Homeland Security, actually doing 911 attack mitigation, so they're basically paying me and some people from the University of Houston to develop mitigation strategies for 911 and call center environments against telephone denial of service. So that's a pretty awesome project. Like I said, this year I've been hacking point-of-sale systems, hotel keys, pretty much cars, everything, so that's been a very busy year.

And yeah, I'm gonna go over ransomware: how to make your system immune to modern ransomware. It's something where, while I was pulling some malware apart, I actually came across a couple of things that I just thought I'd give out as concepts, and it's something that I've actually worked on in production.

So yeah, here's some of what I'm gonna go over: the actual tools used; a brief history of malware and ransomware (we're at a security conference, so I won't go too deeply into that); how I came across the malware, which is actually a pretty funny story; how I pulled apart the malware to look at the payloads and the actual droppers; and how to defend your systems from the droppers and the main payloads. In the past people just had a little bit of heuristic data, or they've relied on very expensive IDS and IPS systems, so this is something that basically makes your system immune to the current versions of the malware.

So yeah, here's the basic setup: a special Windows 7 environment. It's a tackled VM, so it doesn't know that it's a virtual machine; it thinks it's a physical machine, and anything that's installed on it also believes that. It also included IDA Pro, some unpacking software and injectors. If you guys want any more of the technical details I can go into that a little bit later, and yeah, stop by our booth and I'll definitely talk to you about it.

So, tested on: which ransomware did I test out? There were the new custom variants of SamSam, that was in 2016. I went back and did about seven variants of CryptoLocker, eight variants of CryptoWall, I did two variants of Locky, then I did a couple of the older versions of CryptoWall.

So yeah, basically I'm gonna go over what caused the malware to start evolving, because this is the actual weakness in the malware that we're actually taking advantage of. Some of the next-generation firewall features (there's tons of them out there) actually have advanced feature sets where they will actually spin up a virtual machine, install the software, and see what it's calling upon, things like that. So it's actually in a secure environment, looking to see if it's something malicious. And that's something that the actual malware designers have started putting features in for: detecting virtual machines, things of that nature. Some of them have very distinct signatures, so it's something where the actual malware manufacturers are actually putting that into their actual droppers. And that's one of the ways that, for example, all three of the creators on the left were infected: because they were physical machines, they had some of the things true that weren't true.

And basically I got the malware last year on New Year's, or actually Christmas: I got the email at Christmas and checked it on New Year's. One of my buddies actually runs a disposable mail service; I met him at DEF CON 18, he's a very interesting fellow. I get excited every time he sends me an email because it's usually malware. Like I was saying, he runs a self-destructing mail service on Tor, so he comes across a lot of custom malware, a lot of the packers, things like that. And he sold me this one for a billion ISK. Does anybody play EVE Online, or has played EVE Online? It's the currency of the game, so I got it for a pretty good deal. And there's some so-called industrial control software that he also sent me that I'm going to be doing a white paper and some research on in October. It's actually looking at well site information, and it looks like it's gonna be pretty interesting research.

So yeah, software as a service: that was a buzzword two, three years ago, and it's now something that the malware manufacturers are doing. For around fifty dollars you can launch your own campaigns using their actual toolkits and some of their actual web portals. You actually have technical support, so if anybody has problems procuring bitcoins or things like that, they actually are pretty decent. I never thought there'd be a day where we actually have technical support for malware, so that's pretty interesting. I'm going to go into a little bit of the toolkits, like there's the Angler toolkit, and there's some other ones that are actually up for sale on the dark web in the actual black market. That's a pretty booming industry: the estimations of a buddy of mine are somewhere around, I think it was like 40 million dollars a year, the other up to like three and a half million a month, based off of the actual reversing of the actual bitcoins in the crypto ransoms, or the actual ransoms that have been paid on CryptoLocker and some of the other ones.

So yeah, basically, what is the dropper? Pretty much everybody here should have a little bit of knowledge of it. It's basically the snow plow that comes before the bus: it's something that is quick and actually pulls down the rest of the malware. The signatures on these literally change hourly. I've seen it; I literally wasted the time pulling it apart a second time. I wanted to see if it was the same program, and it just was packed differently, or it had a different obfuscation applied to it, so it didn't have the same signature in the antivirus heuristic engines, which are usually 66 hours behind at the very best. So that's something where the malware droppers are actually staying ahead of the actual curve on this kind of stuff.

And yeah, here's a look at payloads. This was a malware that I came across a couple months ago; it actually ruins a perfectly good Windows 7 installation. So with the malware, what the actual payload is, is what the actual malware does. That's the payload; then the dropper is actually the one that pulls the entire malware onto the system. And here's what the payload for the actual CryptoLocker is. It looks for a lot of these kinds of file extensions, some of them actually prioritized by size, things like that. Like, SamSam does a very good job of actually creating a list of what it's going to encrypt first, because it knows it's going to get caught, you know, forty, fifty percent through; it's assuming it will, by some kind of IDS, or actual certain portions when it starts spinning up some of the program.

Here's some of the advanced heuristics, or the methods that they're doing as far as obfuscating the code. This one's kind of a joke, but yeah, they're using the exact same features that people are using in the wild, so it's something where, like actual software companies, they're using pretty much the exact same professionally tailored anti-piracy and anti-install solutions.

So the first concept I'm gonna go over is actually attacking the dropper. This one was one that was built into a file extension that is usually emailed to people, and as you can see it passed the virus signature check; it did pass on VirusTotal. I think there was one flag on VirusTotal, but that was about, not two years, 22 hours old, so the actual heuristic engine did not actually detect that. So I'm going to go into the first concept on this. Does everybody have a pretty good understanding of what the actual malware does, how it's pulled onto the system? Everybody here has heard of CryptoLocker, ransomware in general?

So the first actual one is called Old Yeller, and basically why this works is: every single one of the droppers I was looking at actually kills watchdog programs. Whoever's seen Old Yeller, it's basically a good story of a boy and his dog. The antivirus watchdogs are actually the process that restarts the antivirus if the antivirus is killed, so when the actual watchdog is killed, most of the time it's something that can't restart itself. So I've actually created a process that is basically a fake antivirus watchdog. I attached it to an intentional kernel panic you can do in the registry, and basically when the actual watchdog process is killed it'll actually intentionally blue-screen the computer, so you've effectively stopped malware from being pulled down on your network. This is actually attacking the actual dropper; it's not actually looking for any signature information. This is if it's already gotten past your antivirus and some of your other defenses. So this will intentionally blue-screen. If you have that user that will go back through with their computer back up, you can actually have the actual crash log copy over the hibernation file and it'll actually soft-brick the computer, so they have to actually bring it into IT, because I've seen where people will literally, after they got infected once, go back into the email because it didn't work correctly.

So software method two is Keats. Keats was my cat when I was growing up, so that's why I named it after him, in honor of him. It's basically a program where, like I was saying, a lot of those systems are looking for sandbox environments and they'll actually stop themselves. So what I did was take the malware apart, and I came across several of the methods that it was looking for. It was looking for, like, machines that had over two gigs of RAM; it would automatically go into hibernation mode if it wasn't over two gigs of RAM. So there's registry parts, there's actually a hex value you can change inside your operating system, to make even a 32-gigabyte system like this look like it has two gigs of RAM. So that was one of the very, very simple first methods that I came up with, and I did get it working; it worked on about seventy percent of the malware out there that I was testing. So there are certain registry entries and flags, and I also added a false debugger presence, so I made it look like there was a debugger installed. That was one of the things where I was able to stop literally seventy percent of the malware that I was looking at earlier.

And here's the next software method; it's called Emo, and it basically gets malware to kill itself. It's pretty decent: not only the full version of the malware, it basically makes it kill itself. It lowers your RAM down to 1.5 gigabytes, and that's how you can actually physically use the entirety of your RAM. It installs fake VMware Tools, it also installs fake debuggers, then there are five sandbox environments that it adds registry keys, stuff like that, for, to make it look like it's a fully virtualized environment that the malware does not want to unpack itself into. So making these changes to the registry, it literally killed one hundred percent. I wish I could say 99.9, I wish there would have been one that would have, you know, given me a little bit of a fight on it, but it literally stopped every single one of them that were being dissected, and it actually protected the computer. And this too had no impact, as far as the testing that I did, in a production environment. And yeah, I will be releasing these tools in August. Some of these are very, very simple: anybody with access to a hex editor can do one of the first methods that I was speaking about, as far as changing your actual RAM.

And here's the hardware method. Who's ever seen those really good deals on eBay, like a 256-gigabyte SD card for like eight dollars? Yeah, they're not really that; it's actually an eight-gigabyte with, yeah, a copyright-infringing logo going and all that jazz. Basically what it does is it has a hacked table of contents on it, so it looks like you can load 256 gigabytes of information on it, but it actually starts copying over itself and it just holds the TOC contents of the actual card. So this is one of the methods: I actually started generating fake MP3s, fake MP4s, JPEGs, things like that. I started out with very, very small files, and once you fill the 256-gigabyte disk with actual fake files, you can just ghost it over, you can just clone it over and make other ones to run in other computers. So basically I procured it on eBay; it was $14, it was too good to be true. Then over on the left here is verifying the data: it does not verify. It basically copies onto the actual SD card, then it checks the integrity of the files, so this is definitely a hacked card. And since it's an actual SD-to-USB card you can load your own files on it, and you can randomly generate them in those file extensions that I was looking at earlier. So if you fill it with random JPEGs, MP4s, things like that, it's actually going to be a pretty cool process here.

So this takes advantage of the parse order of the actual ransomware. Once you put this SD card in your machine, you give it the A drive letter. For the most part, with the exception of SamSam, every single one of them went through your A drive first, B drive, C drive, D drive, then it went on to your online drives or your shared drives and stuff like that. So if you throw this SD card inside your system and you mount it, just give it your A drive. You can actually go above and beyond that with some of the 16-gigabyte ones. If you literally fill this card with random data it's going to tie the malware up. I tied one of the malwares up for 18 hours one time; it was on a pretty powerful machine, but a workstation. When it's searching out some of these, it'll actually find the smallest ones first and start encrypting them, so that gives you a lot of time for your actual antivirus engine to get updated, and also it ties the malware up pretty heftily. And then it also blue-screens your computer when it's about thirty percent done, because it literally takes 1.3 percent of your CPU utilization each cycle that it does. So, like I said, about thirty-three percent through that card, and that's even with SamSam and some of the more advanced custom-tailored ones, it'll actually lock the operating system up. So you just stopped your user from getting infected just by having a hacked USB plugged into their system; there's no software you need to run or anything.

And yeah, hiding your files. So basically there's also backup systems; the new version of Locky actually deletes some of your backup files, or even your shadow folder, system folder, stuff like that. So you can actually use a shift-disk utility, so you can basically shift some of your backups' positions and stuff like that, and it'll actually put them in system folders. Three out of the five malwares we were looking at earlier don't check into system folders; they don't want to lock up your operating system, which is basically what I was doing. So they try to stay away from the actual system files and stick to those file extensions they know; they don't want to start actually interacting with system files. So that's a very, very simple one: you can move some of the shadow copies. Or you can actually delete your shadow copies, and, like I said, none of the ransomware I came across does like a DoD wipe or a low-level format; if it's a solid-state drive it would erase it. And the DoD format is just the three-level, or three passes.

And yeah, here's the CryptoLocker simulator. This is something I came up with after I pulled the first version of it apart. You can run it in your environment, you can see where your open read rights are, you can see what the actual payloads were, you can see if your antivirus would have caught some of the more advanced features. This is the original version of it; I still give this out as a value-add on pen tests, because a lot of, especially smaller, environments didn't realize how susceptible they were with some of their open read rights, or some of their usernames and passwords were so simple. So this basically is a zoo form of the original version, or it was actually the second version of CryptoLocker, and this one was just for simulation purposes, so you can actually test some of the call-home functionality, which I'll go into here. And this is the actual 2.0, or the framework that I have. This will also be released in August, and it's all open source, it's free; feel free to play around with it as much as you want. This testing framework, basically, here's the list of the functions it calls. It sends POSTs, so it tries to call home; it'll test some well-known bad servers to see if your actual firewall is going to catch it. You can search for open read rights, you can test your backups against encryption, you can calculate your ransom amounts, what they would have cost you. You can do a bait file, which is basically some of the information from the malwares that I pulled apart: there are certain things they'll grab off of your system information to generate the key, so at a later time, or even at the current time, you can actually pop some of that information into a backup. I've got it successfully working in up to a three-week-old backup. If you generate that same functionality into those, some of the changes do lock the operating system up, so, like I said, it is a low likelihood and I'm still going to be working on that. But if you actually roll that key, or those features, into the actual backup, you're able to re-encrypt. And like most of the people that have actually had help paying ransoms, it was stuff where they only needed one file or two files, so this is something where you can do your free file, then you can re-encrypt yourself and then actually have it go for the second file.

And as far as Keats and some of the Old Yeller functionality in Emo, you can actually lock down some of that functionality, so you can actually control some of that stuff; you can modify it, and it can pull down the actual file systems, the time of infection, stuff like that. You can downgrade the clock time, like I was saying, and you can test your payload avoidance, so you can actually test to see if your virtual machine will be detected by different variants. That adds functionality that malware researchers can actually put in: this one looks for this, or this, or this. So that's above and beyond what I'm doing, because I'm not a full-time malware engineer; I do this in a lot of my free time. Like I was saying, the original thing took me probably two and a half weeks of my free time, so I think some of the professionals had it torn apart a day and a half later, but they have an entire team. So this is something where you're basically adding kind of a signature, but it's something that is attacking the actual payloads and the droppers instead of the actual signature, and stopping yourself from getting infected.

And I'm excited to see some of the feedback, first off from some of the people in the community, and then also from the actual malware people, because I did a talk at DEF CON last year where it actually injected fake credit card numbers into memory, and then I've seen some of the more recent versions of the memory scrapers actually combating some of that type of feature. So it's pretty awesome to see, you know, the actual industry take effect from it. So I'm excited to see how the actual malware reacts, because this literally, like I was saying, stops a majority of the actual malware that's out there.

And here's the actual look at it; with that resolution I always do a blown-up version. Like I was saying, you can test your POST call-home, you can actually test your backups, so there's a file extension if you want to, you know, see if your actual backup process is working, things like that. Calculate the ransom. You can check your domain on that to see the likelihood; there's no feedback on the domain check to see if it's actually one that pays, or actually gives you the encryption keys when you actually check it. So this is pretty much an entire framework to simulate or emulate, in your environment or your customers' environments, where they can actually see how they would be affected by some of the more recent ransomware, and then they can also test some of their AV manufacturers to see if they catch a lot of that stuff, because these do have a lot of the features of the actual malware.

And yeah, here's one of the other ways. There's a couple things I did: an Outlook plugin that is halfway done that, basically, when a file comes in (if there's a way to do it in Outlook; I was not able to find it), you can basically save it in the older version before macros are enabled, for certain users. So if you have that person that keeps clicking the spear-phishing campaigns, or if that's the second time, maybe take that privilege away from them. It sends a copy to their spam folder, so they have the original one if they needed to look at it. And you can actually roll internal file extensions, because when you install the actual program that I have (this one's with Keats), once you install Keats it'll actually grab all the file extensions that CryptoLocker goes for and it will actually obfuscate them. As you can see, it still re-associates them with the actual programs. And this does actually go into the actual padding on the XML data of the actual files, so that was the next step: if I was a malware manufacturer I would actually start looking deeper into some of the files.

So you can basically roll your own internal extensions. Like, these used to be JPEGs, and, you know, that other one is the PowerPoint presentation. So you can actually have your own custom file extension, so if something comes from the outside it'll immediately get grabbed by one of the swamp files. And if you want to have an internal file structure, you could actually roll this internally. We were actually talking earlier about how hard it would be to actually do this in a larger environment: 75 users, yes, all day long, but what about 20 thousand users, stuff like that? This is where it might be tailored for certain parts or certain divisions of the company, and you can actually have an internal file structure which can change daily. That's what mine actually does, not on this computer, but it actually evolves daily, so it'd be hard to stay on top of what the actual randomly generated file extensions would be. And yeah, are there any questions? Yes.

Q: [partially captured] ...things like that, kind of emulate a virtual environment or a regular one. Are you worried about the self-destructing malware, the ones that, when they detect that, rather than just stop...

A: Yeah, and that's one of the things that I started looking at right at the end there, because some of them are the self-destructing malware, and that's why I attack at the dropper level. That was one of the things: some malware, like you're saying, some of them will, you know, try... I've seen ones that go after your IDA Pro key, so it's something where you're getting attacked on that basis. So yeah, totally, that's why I'm trying to stop it at that level of the actual dropper. As far as the other, that'd be awesome to check into some of the actual experience for some of them, but yeah, some of the actual payload for some of that stuff I haven't looked into too much. Do you know which variant did some of the more destructive stuff? Okay.

Q: [not captured]

A: Yep, awesome. Yeah, it's kind of the same thing, because the original version, the first two versions of CryptoLocker, somebody handed me the fully pulled-apart versions, and the rest of them I did myself. But yeah, I didn't look that deeply into some of the destructive payloads of it. Some of those are really, really easy to flag, but if they've already taken down the watchdog and AV, there's nothing left to stop it. So yeah, I think, as far as being put in series with this, that would definitely stop some of this. And yeah, there's no better way to block this other than to have proper backups too, and that's a huge problem up in the Midwest where I live, up in North Dakota. So, any other questions?

Q: [not captured]

A: Sweet. Well, most of it's compiled in C, but any time you reverse engineer anything you usually have to do it in assembly, so x86 assembly; then some of the phone stuff would be based in ARM assembly. And yeah, if you guys have a little bit of a background in programming, it's definitely something, once you get into it, if you're familiar with C, it's pretty simple, or not simple, nothing's ever simple about assembly, but it's something where you can definitely go back into some of the lower-level languages. But yeah, as far as that goes, it's all mostly in C, or there are some comments and stuff you can pull out of some of the higher-level stuff. Does that answer your question? Okay, awesome.

Q: [not captured]

A: Yes, I have seen a couple of them. Oh, the question was: have I seen mobile ransomware? And I have seen a couple that were, this is like a year or two ago, I didn't actually get copies of them, but they were going after unlocked Android; I forgot the actual distro or the version of Android. There have been a couple of them that do premium toll services; there are some of them that run botnets, stuff like that. But as far as the actual ransom-based ones, I have caught wind of some of those, so for Android systems I haven't actually looked into the validity of those or got samples of them, so they'd definitely be something to check into though. So yes. Oh, for Android, I believe their specific exploit that they took advantage of was with rooted devices or unpatched devices; I don't remember the manufacturers or the actual distro. But yeah, that was one of the biggest things at DEF CON: it used to be so awesome, you know, that everybody rooted their phone, like "don't tell us what to put on our phones", and then all of a sudden it's like "we need to use security updates, like please patch them quick, Verizon", you know. So there's been a total shift in that kind of stuff. But as far as some of that actual malware, I've been looking at a lot of ATM malware recently; that's been going pretty crazy. I know some gentleman down at a security conference did a really good talk on that recently; I'm excited for those videos to come out. But yeah, like I said, I don't pull it apart full time, but this is something where, in a couple of environments, it worked really, really good, and I'm excited to see how the community plays off of it and some of the feedback. So yeah, any other questions? Yes.

Q: [not captured]

A: Yep. Like I said about the tackled one, I don't know, whatever; there's some other, if you actually read some of that, like, there's very, very good, like the SANS courses on pulling apart malware, so there's very, very good research on actually setting up those sandbox environments. And like I was saying, some of these triggers look for specific, you know, parts in the registry and things like that. So from that point on, if you want to actually set it up, like mine that I roll is, like, I take some other people's concepts and other people's parts, but as far as that goes, it's yes, setting it up from scratch and then I just snapshot and revert. And then you have to segregate also some of the network functionality; you don't want it going into the production network. So I would touch it with a very fine grain of salt, because as soon as I start playing with malware it's amazingly fun, and it's fun seeing it react to such simple processes too. So if you want to get into reversing malware, perfect ones to start out on are some of the old big-name ones, like my first one ever was Chernobyl, or CIH, the Chernobyl virus; it's the one that actually rewrote the BIOS on your computer. Some of those really, really old ones are very simple to pull apart with modern debuggers and actual reversing tools, so I would highly recommend that. And it's really, really fun; if you're looking for a cheap hobby, you know, it's very cheap, you just literally got to click a couple ads and you're getting your own free malware. So yeah. So quick, just...

Q: [not captured]

A: Um, as far as malware goes, I did have a kind of a fringe idea, where it's basically installing a hypervisor, then using Class D and Class E IP addresses, which every single operating system and tool known to man will drop that kind of traffic. Like, I even had a hard time getting Wireshark to even listen to IP addresses that were coming from that range. I've done that over GRE tunnels on DMVPNs, dynamic multipoint VPNs, so the actual traffic, if anybody tried to sniff it out, literally as soon as it got out of the sandbox, we'd have an OpenWrt router so it would actually pass, because literally everything is taught, with the exception of some very fringe equipment and some broadcast equipment, everything else will flat drop the Class D and E space. So on a network level, that is something we did look at, and that was a field pipeline implementation that we were looking at; I don't know whatever happened with the actual process of that. But that's on a network level: you can trick it, there are certain things where you can call it into black holes, and there are some actual tools out there, and firewalls and some of the next-generation functionality, that can actually stop some of the actual processes, like I was saying, but some of them will actually let it through. And those are some of the sandboxes: there's five sandbox environments that I looked for, what the actual malware is looking for, and actually simulated those on a physical machine. Literally, some of them aren't supposed to even exist on a Windows system; some of them are calling for Windows or Linux functionality. So this is totally on the actual PC basis of it, or on the actual computer end of it. Does that answer your question? Okay, awesome. Any other questions? Sweet. How are we doing on time? Awesome, perfect. Yeah, thanks, thanks for your time guys.
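An added example, not the speaker's tooling (which he said he would release separately), that models the decoy-volume idea from the talk in Python: it fills a directory standing in for the early-enumerated A: drive with many small decoy files carrying the targeted extensions and plausible file headers, then applies the parse order the talk describes (drives in letter order, smallest matching file first) to count how many decoys the encryptor would work through before reaching a real document. The extension list, the header bytes, the folder names and the ordering model are assumptions made for this example.

```python
"""Decoy-volume model: added example, not the speaker's released tools."""
import random
import tempfile
from pathlib import Path

# Extensions the talk says the encryptors target (a constructed subset).
TARGET_EXTENSIONS = {"jpg", "mp3", "mp4", "doc", "xls", "ppt", "pdf"}

# Plausible leading bytes so a decoy also passes a quick magic-byte sniff.
MAGIC = {
    "jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "mp3": b"ID3\x04\x00\x00\x00\x00\x00\x00",
    "mp4": b"\x00\x00\x00\x18ftypmp42",
    "pdf": b"%PDF-1.4\n",
}


def random_bytes(rng: random.Random, n: int) -> bytes:
    """Seeded filler bytes (avoids rng.randbytes, which needs Python 3.9+)."""
    if n <= 0:
        return b""
    return rng.getrandbits(8 * n).to_bytes(n, "little")


def make_decoy(path: Path, ext: str, size: int, rng: random.Random) -> int:
    """Write one decoy: the header its extension promises, then a random body."""
    header = MAGIC.get(ext, b"")
    path.write_bytes(header + random_bytes(rng, size - len(header)))
    return path.stat().st_size


def build_decoy_volume(root: Path, count: int, min_size: int = 512,
                       max_size: int = 16 * 1024, seed: int = 0) -> list:
    """Populate `root` with `count` decoys; sizes are biased toward the small end
    so a smallest-first encryptor reaches them before real documents."""
    rng = random.Random(seed)
    exts = sorted(TARGET_EXTENSIONS)
    sizes = []
    for i in range(count):
        ext = rng.choice(exts)
        size = min_size + int((max_size - min_size) * rng.random() ** 2)
        folder = root / f"DCIM_{i % 8:02d}"  # spread across a few folders
        folder.mkdir(parents=True, exist_ok=True)
        sizes.append(make_decoy(folder / f"IMG_{i:05d}.{ext}", ext, size, rng))
    return sizes


def encryption_order(volumes) -> list:
    """Assumed parse order from the talk: volumes in drive-letter order
    (A:, B:, C: ...), and within each volume the smallest matching file first."""
    ordered = []
    for _letter, vol in sorted(volumes):
        files = [p for p in vol.rglob("*")
                 if p.is_file() and p.suffix.lstrip(".").lower() in TARGET_EXTENSIONS]
        ordered.extend(sorted(files, key=lambda p: p.stat().st_size))
    return ordered


def decoys_before_first_real(order: list, decoy_root: Path) -> int:
    """How many entries the encryptor works through before touching a non-decoy."""
    for i, p in enumerate(order):
        if decoy_root not in p.parents:
            return i
    return len(order)


def headers_intact(decoy_root: Path) -> bool:
    """Every decoy starts with the header its extension promises."""
    for p in decoy_root.rglob("*"):
        if p.is_file():
            magic = MAGIC.get(p.suffix.lstrip("."), b"")
            if not p.read_bytes().startswith(magic):
                return False
    return True


def run_demo(decoy_count: int = 150) -> dict:
    """Build a throwaway 'A:' decoy volume beside a 'C:' tree holding constructed
    real data, then report how the modelled encryptor would order them."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        decoy = base / "A_drive"
        real = base / "C_drive" / "Users" / "alice" / "Documents"
        real.mkdir(parents=True)
        (real / "budget.xls").write_bytes(b"constructed real spreadsheet\n" * 64)
        (real / "notes.txt").write_bytes(b"txt is not on the target list\n")
        sizes = build_decoy_volume(decoy, decoy_count)
        order = encryption_order([("A", decoy), ("C", base / "C_drive")])
        return {
            "decoys": len(sizes),
            "decoy_bytes": sum(sizes),
            "candidates": len(order),
            "decoys_before_first_real": decoys_before_first_real(order, decoy),
            "headers_ok": headers_intact(decoy),
        }


if __name__ == "__main__":
    print(run_demo())
```

To populate actual removable media, point `build_decoy_volume` at its mount point and raise `count`; the ordering model stays a model, since each family's real enumeration differs (the talk notes SamSam as the exception).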