Considerations about stopping
crypto trojans and crypto worms

Author: Pentesting Online - Soenke Freitag, Date: 05/14/2017

Preface:

Crypto trojans have become a major problem in today's computer infrastructure. As of 2017 there are several such trojans in circulation; the most noticed at present is "Wanna Decryptor 2", also known as "WannaCry", due to its massive synchronous appearance on 13.5.2017.

What a crypto trojan or a crypto worm does:

  • Implementing a transparent read/write handler in the file stream to encrypt and decrypt data (mostly with an asymmetric cipher).
  • Encrypting files during the computer's idle times.
  • Transferring the private (decryption) key of the infected system to the attacker via some TCP/IP protocol, mostly HTTP or IRC.
  • Optional: Trying to infect other reachable computers with known exploits or 0-day exploits.
  • Optional: Trying to send itself out by mail to the contacts list.
  • On the day of blackmailing the key is deleted from the infected host and a message is displayed. (The day is determined
    by the number of encrypted files (Locky, TeslaCrypt etc.) or is a fixed day (WannaDecryptor).)

Possible short-run countermeasures for AV vendors or IDS systems

  • Checksum the file write/read chain drivers from application level down to the physical layer. Use a checksum database and cloud intelligence
    for patches and updates.
  • Detecting the computer's idle state (e.g. no mouse/keyboard operation and no media playback) and monitoring uncommon
    CPU load and HDD write usage during this state.
  • Baiting - the AV product could generate random files of desired document types (like .doc, .pdf, .jpg) and monitor their integrity. It is important that these files differ in length, contents and location from system to system.
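The baiting idea from the last bullet, as an added example (written for this article, not code from any AV product): decoy documents get a random name, a random size and random contents on every system, a SHA-256 baseline is recorded, and a later pass reports decoys that were overwritten in place or have disappeared. The decoy types, the size range and the temporary directory used by `run_demo()` are assumptions; a real product would pick types and locations matching what the user keeps on that machine and would watch the decoys with file-change notifications rather than periodic re-hashing.

```python
import hashlib
import os
import secrets
import tempfile

# Real leading bytes for the decoy types, so the decoys look like ordinary
# documents to anything that inspects headers. (Assumption: a product would
# choose types matching the documents actually present on the system.)
DECOY_HEADERS = {
    ".pdf": b"%PDF-1.4\n",
    ".jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
}


def sha256_file(path):
    """Streamed SHA-256 so large decoys are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def plant_decoys(root, count=3, min_size=4096, max_size=65536):
    """Create `count` decoy documents under `root`, each with a random name,
    size and body, so no two systems carry identical bait.
    Returns the baseline {path: sha256}."""
    baseline = {}
    extensions = list(DECOY_HEADERS)
    for i in range(count):
        ext = extensions[i % len(extensions)]
        path = os.path.join(root, secrets.token_hex(4) + ext)
        size = min_size + secrets.randbelow(max_size - min_size)
        with open(path, "wb") as handle:
            handle.write(DECOY_HEADERS[ext] + secrets.token_bytes(size))
        baseline[path] = sha256_file(path)
    return baseline


def check_decoys(baseline):
    """Re-hash every decoy and return [(path, event)] for any that changed.
    A ransomware pass shows up as 'modified' (encrypted in place) or
    'missing' (encrypted copy written under a new name, original deleted)."""
    events = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            events.append((path, "missing"))
        elif sha256_file(path) != expected:
            events.append((path, "modified"))
    return events


def run_demo():
    """Plant decoys in a temporary directory, then change two of them the way
    a crypto trojan's file pass would look to the monitor: overwrite one with
    random bytes (a constructed stand-in for ciphertext, no cipher involved)
    and delete another. Returns the clean check, the findings and the paths."""
    root = tempfile.mkdtemp(prefix="decoys-")
    baseline = plant_decoys(root)
    clean = check_decoys(baseline)          # expected: [] right after planting
    paths = sorted(baseline)
    with open(paths[0], "r+b") as handle:   # in-place overwrite of the first decoy
        handle.write(secrets.token_bytes(64))
    os.remove(paths[1])                     # second decoy disappears
    return {"clean": clean, "events": dict(check_decoys(baseline)), "paths": paths}


if __name__ == "__main__":
    result = run_demo()
    print("baseline check:", result["clean"])
    for path, event in result["events"].items():
        print(f"ALERT {event}: {path}")
```

Hashing is enough to tell "modified" from "missing", but it cannot tell who wrote the file; the idle-state and CPU/HDD-load heuristics from the bullets above would be combined with it to raise confidence before an alert.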

Countermeasures for network admins

  • In addition to backups, AV (antivirus), IDS/IPS (intrusion detection / intrusion prevention) and hardening Windows with DEP (Data Execution
    Prevention), Microsoft provides EMET (Enhanced Mitigation Experience Toolkit) (2).
  • Because ransomware encrypts any reachable media, the backup media should be write-once / read-only: no files on the backup
    should be changeable or deletable from the user side.

How to prosecute the authors

To get at the people behind those trojans an old phrase comes to mind: "Follow the money" - but how, if the money consists of just some bytes anonymously transferred over the wire? Maybe steganographically poisoned bitcoins or registered bitcoins would be a first step to follow the money flow.

Future:

  • Software on backup servers might detect encryption (for example on timestamped files with the same length and name, or on uncommon amounts of changed files). Also, files of special types have common headers, like the JFIF tag in JPG files (3).
    This would be a new function of server-side software.

  • Authentication chain in the operating system - the application has to authenticate itself to the file handler, the file handler has to authenticate itself to the device driver ... and so on. (This would be hard work for MS and bring problems for tiny software vendors.)
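The backup-server check from the first bullet above, as an added example (code written for this article, not software from any backup product): two backup generations are compared file by file; a file is reported when a known header such as the JPEG/JFIF start marker from (3) has vanished between generations, or, for types without a known header, when its entropy jumped to near 8 bits per byte; the share of altered or removed files is returned so the server can compare it with its normal churn. The two generations are constructed sample data, the entropy thresholds (7.5 bits, jump of 1.5) and the non-JPEG magic numbers are assumptions made for the example, and the "encrypted" versions are just seeded random bytes standing in for ciphertext.

```python
import math
import os
import random
from collections import Counter

# Leading bytes a well-formed file of each type carries. The JPEG start marker
# FF D8 FF is from the JPEG standard cited as (3); the others are the usual
# magic numbers of those formats (assumed here, extend as needed).
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".docx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
}

SAMPLE = 4096  # bytes of each file examined for entropy


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def header_ok(name, data):
    """True when the type has no known header, or the data starts with it."""
    magic = MAGIC.get(os.path.splitext(name)[1].lower())
    return magic is None or data.startswith(magic)


def suspicious_changes(previous, current, high_entropy=7.5, min_jump=1.5):
    """Compare two backup generations given as {name: bytes}.
    Returns (findings, changed_ratio). Header-typed files are reported when
    their header vanished; other files when their entropy jumped to near
    8 bits/byte (compressed formats like JPEG or DOCX sit there anyway, so
    the jump test is only used for types without a known header)."""
    findings = []
    changed = 0
    for name, old in previous.items():
        new = current.get(name)
        if new is None:
            changed += 1            # deleted, or re-created under a new name
            continue
        if new == old:
            continue
        changed += 1
        if os.path.splitext(name)[1].lower() in MAGIC:
            if header_ok(name, old) and not header_ok(name, new):
                findings.append((name, "expected header vanished"))
        else:
            e_old = shannon_entropy(old[:SAMPLE])
            e_new = shannon_entropy(new[:SAMPLE])
            if e_new >= high_entropy and e_new - e_old >= min_jump:
                findings.append((name, f"entropy jump {e_old:.2f} -> {e_new:.2f}"))
    ratio = changed / len(previous) if previous else 0.0
    return findings, ratio


def build_generations():
    """Constructed sample data: a backup taken before and after an infection."""
    rng = random.Random(2017)  # seeded so the demo is reproducible

    def noise(n):              # stand-in for ciphertext, not a real cipher
        return bytes(rng.randrange(256) for _ in range(n))

    text = b"Quarterly report, nothing unusual to see here. " * 120
    previous = {
        "report.pdf": b"%PDF-1.4\n" + text,
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + noise(SAMPLE),
        "notes.txt": text,
        "readme.txt": text,
        "logo.png": b"\x89PNG\r\n\x1a\n" + noise(512),
    }
    current = dict(previous)
    # Three files "encrypted" in place: same name and same length as before.
    current["report.pdf"] = noise(len(previous["report.pdf"]))
    current["photo.jpg"] = noise(len(previous["photo.jpg"]))
    current["notes.txt"] = noise(len(previous["notes.txt"]))
    # One legitimate edit, which must not be reported.
    current["readme.txt"] = text + b"Edited by a user, legitimately.\n"
    return previous, current


def run_demo():
    previous, current = build_generations()
    return suspicious_changes(previous, current)


if __name__ == "__main__":
    findings, ratio = run_demo()
    for name, reason in findings:
        print(f"SUSPICIOUS {name}: {reason}")
    print(f"{ratio:.0%} of files changed between generations")
```

Matching by name keeps to the bullet's "same length and name" heuristic; a trojan that renames files (e.g. with a new extension) shows up only in the changed ratio, so the server has to look at both numbers.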

Problems:

  • Several applications can handle the same document type (e.g. Word, LibreOffice, OpenOffice etc.) - all must be allowed to write documents.
  • Defragmentation tools and user-initiated relocation of files.
  • Macro / OLE / COM / ... manipulation of authenticated applications.

Literature:

(1) BSI paper with link (German): https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2016/Ransomware_11032016.html
(2) EMET: support.microsoft.com/de-de/help/2458544/the-enhanced-mitigation-experience-toolkit
(3) JPG standard: www.iso.org/standard/18902.html