A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #21313  by patriq
 Sat Nov 02, 2013 6:09 pm
C&C at hxxp://93.189.44.187/ now showing this message form:
Code: Select all
This service allow you to purchase private key and decrypter for files encrypted by CryptoLocker.

If you already purchased private key using CryptoLocker, then you can download private key and decrypter for FREE.
Select any encrypted file and click "Upload" button.
The first 1024 bytes of the file will be uploaded to the server for search the associated private key. The search can take up to 24 hours. 

IMMEDIATELY AFTER UPLOADING FILE TO THE SERVER, YOU RECEIVE YOUR ORDER NUMBER. YOU CAN USE THIS NUMBER TO CHECK STATUS OF ORDER.
OR if you already know your order number, you may enter it into the form below. 

This service accessible through the Tor network:
http://f2d2v7soksbskekh.onion/
Attachments
cryptolocker.png
screenshot
cryptolocker.png (52.49 KiB) Viewed 885 times
 #21363  by Quads
 Thu Nov 07, 2013 9:50 pm
A User Report for HMP Alert 2.5 beta

"Now when I try and open Norton 360 the GUI flashes onto the screen then disappears. Once it's gone I can't bring it back. Uninstalled hmp beta and restarted, now Norton is working again."
 #21378  by RP-Tech
 Mon Nov 11, 2013 11:26 pm
Has anyone seen this attached to zero-access rootkit ? Maybe have a sample of both, I am testing to see what can be done to prevent Cryptolocker from running.

Fellow tech and myself have had 2 users infected with Cryptolocker but also had zeroaccess attached which from some research seems to be point of entry in our case and Kaseya AV & Kaseya Malwarebytes Pro do not detect it at all KAV gets encrypted and rendered useless. KAM does not detect either, but the free download version picks up the rootkit and virus. Just wondering if anyone else has ran into this at all or not.
 #21380  by ilyuha79
 Mon Nov 11, 2013 11:28 pm
According to the malware authors, only the first 1024 bytes of a file is uploaded to the C&C server in order to search for the matching private key in cases where you lost the public key, which could take up to 24 hours. So it sounds like the C&C uses some brute force method for searching for the key. So what would that do? Try every single private key that it has generated to decrypt the first 1024 bytes until it finds the right one? But how does it know which is the right key after the decryption process? If AES key is truly random, you wouldn't be able to tell just by looking at it what you've decrypted is an actual AES key. In order to tell, you could potentially add some kind of constant bit of data that will show up in the decrypted data once the right private key is used to decrypt it. Or, in a more complex case, you'd have to go a step further and use the supposed AES key you've decrypted to decrypt the actual file header (which I presume might be stored in the first 1024 bytes) and then check if the header looks like a document that might have been originally encrypted on the infected machine.
I'm curious if anyone knows if there is anything else besides the AES key that the CryptoLocker encrypts using the RSA public key that eventually gets stored together with the file?
  • 1
  • 3
  • 4
  • 5
  • 6
  • 7
  • 12