mirror of
https://github.com/mbirth/wiki.git
synced 2024-11-09 13:16:45 +00:00
Finished post about crypto virus.
This commit is contained in:
parent
37a68d2b57
commit
834f2554b4
BIN
assets/codeaphp.png
Normal file
BIN
assets/codeaphp.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 33 KiB |
BIN
assets/codeaphp2.png
Normal file
BIN
assets/codeaphp2.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 112 KiB |
@ -58,7 +58,7 @@ What this does is basically:
|
|||||||
|
|
||||||
The files to download are selected by 3 parameters:
|
The files to download are selected by 3 parameters:
|
||||||
|
|
||||||
* `ad`, the BitCoin address you should sent money to
|
* `ad`, the BitCoin address you should send money to
|
||||||
* `id`, some identifier?, can be omitted
|
* `id`, some identifier?, can be omitted
|
||||||
* `rnd`, file selector
|
* `rnd`, file selector
|
||||||
|
|
||||||
@ -92,9 +92,54 @@ The downloaded PHP script (`a.php`) seems to be freshly obfuscated each time
|
|||||||
you download it. But while the obfuscated version differs every time, the
|
you download it. But while the obfuscated version differs every time, the
|
||||||
deobfuscated code is the same.
|
deobfuscated code is the same.
|
||||||
|
|
||||||
Only with different `ad` values in the download URL, you'll get different
|
This is how it looks after download:
|
||||||
encryption keys. This is the BitCoin address you are asked to send money to.
|
|
||||||
This is also and identifier for your encryption key.
|
|
||||||
|
|
||||||
|
After removing the first layer of obfuscation, it turns into this:
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
And now it becomes clearer, what's happening here. In `$h772` we have an
|
||||||
|
`eval()` command with the code to *evaluate* being encoded in base64.
|
||||||
|
|
||||||
|
In `$e51` there's a regular expression with the `/e` modifier, which enabled
|
||||||
|
callbacks in older PHP versions. This means, whenever the parser finds a
|
||||||
|
match, a given piece of code is called. And as you might have guessed, that
|
||||||
|
code is the one in `$h772`. And to have the parser find something, the subject
|
||||||
|
in the `preg_replace` call is exactly the same as the search string in `$e51`.
|
||||||
|
|
||||||
|
So to get to the actual code, we just have to `base64_decode()` the string
|
||||||
|
without `eval()`ing it. And this brings us to the final code. You can see all
|
||||||
|
iterations in this [GIST](https://gist.github.com/mbirth/11979a35a152478427928dbdf593797b).
|
||||||
|
|
||||||
|
(I've annotated and reformatted the final stage.)
|
||||||
|
|
||||||
|
Fun fact: The base64 encoded code contains proper indentation and Windows line
|
||||||
|
endings (CR+LF instead of LF only). They could've saved a lot of space by
|
||||||
|
removing all unneccessary spaces and line breaks.
|
||||||
|
|
||||||
|
The code does this:
|
||||||
|
|
||||||
|
* Try all drives from `C:` to `Z:`
|
||||||
|
* For each drive, check the contents of the root directory
|
||||||
|
* If it's a folder and it's not `winnt`, `windows`, `appdata`, etc., check that
|
||||||
|
folder (recursively)
|
||||||
|
* If it's a file, check if the extension is `zip`, `rar`, `doc`, etc. and if so,
|
||||||
|
encrypt it and add `.crypted` to the filename
|
||||||
|
|
||||||
|
Now the interesting things are right at the beginning of the `Tree($p)` method.
|
||||||
|
There are 3 variables defined:
|
||||||
|
|
||||||
|
* `$a` which defines the intended action, `e` is for encryption, `d` for
|
||||||
|
decryption
|
||||||
|
* `$k` is the key, which is decoded from base64
|
||||||
|
* `$s` is a backslash character to not have to mess around with proper escaping
|
||||||
|
|
||||||
|
I noticed that with different `ad` values in the download URL (see previous
|
||||||
|
chapter), you'll get different encryption keys in `$k`. `ad` is the BitCoin
|
||||||
|
address you are asked to send money to. This means the encryption key is based
|
||||||
|
on the BitCoin address.
|
||||||
|
|
||||||
E.g., an `ad` value of `17DmGrhMXJcvsmj9tihgTRGAhACynuBmSo` returns a PHP
|
E.g., an `ad` value of `17DmGrhMXJcvsmj9tihgTRGAhACynuBmSo` returns a PHP
|
||||||
script with the key:
|
script with the key:
|
||||||
@ -106,5 +151,20 @@ If you change `ad` to `27DmGrhMXJcvsmj9tihgTRGAhACynuBmSo`, the key changes to:
|
|||||||
MmSWbqXczBBUtCGOY6rxrB6Q2ECoaLUCGHDI5C54QaQHiP5010q99mPQNqAKkMkCtCicYss0uCCIDHPa5DiMDF6wYajvGFmaKJD4mtscEVSXPLUuduRStiug/kCCoA16swZZvi2c
|
MmSWbqXczBBUtCGOY6rxrB6Q2ECoaLUCGHDI5C54QaQHiP5010q99mPQNqAKkMkCtCicYss0uCCIDHPa5DiMDF6wYajvGFmaKJD4mtscEVSXPLUuduRStiug/kCCoA16swZZvi2c
|
||||||
^^^
|
^^^
|
||||||
|
|
||||||
|
In other words: This script is generic and can be used for different BitCoin
|
||||||
|
accounts which will generate different encryption keys. And you need to wire
|
||||||
|
your money to the correct one to get the correct decryption key.
|
||||||
|
|
||||||
to be continued...
|
|
||||||
|
Decrypting encrypted files
|
||||||
|
==========================
|
||||||
|
|
||||||
|
So let's imagine you accidentally run the script and all your important files
|
||||||
|
are now encrypted and renamed to `important.doc.crypted`. What can you do?
|
||||||
|
|
||||||
|
Well, we've learned that the encryption key is based on the `ad` value. And that
|
||||||
|
you still have in that mail with the bogus zip file. Using that, we can download
|
||||||
|
the PHP script again, which contains the actual key.
|
||||||
|
|
||||||
|
After deobfuscating it, you just have to change `$a='e'` to `$a='d'` and run it
|
||||||
|
and it should decrypt all your files again. Problem solved.
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user