
NTOS.EXE : Analysis of the "Ransom Encryption"

07.20.2007 - 11:12 AM
A few weeks ago, we blogged about NTOS.EXE and its custom packer:

http://www.websense.com/securitylabs/blog/blog.php?BlogID=134

Websense detected a new variant of NTOS.EXE this past weekend. This time we skip the packer (our generic unpacker handles it anyway) and look instead at the trojan's blackmail feature.

Here is the list of file extensions targeted by the trojan:

12m 3ds 3dx 4ge 4gl 7z a a86 abc acd ace act ada adi aex af3 afd ag4 ai aif aifc aiff ain aio ais akf alv amp ans ap apa apo app arc arh arj arx asc asm ask au bak bas bb bcb bcp bdb bh bib bpr bsa btr bup bwb bz bz2 c c86 cac cbl cc cdb cdr cgi cmd cnt cob col cpp cpt crp cru csc css csv ctx cvs cwb cwk cxe cxx cyp db db0 db1 db2 db3 db4 dba dbb dbc dbd dbe dbf dbk dbm dbo dbq dbt dbx dfm djvu dic dif dm dmd doc dok dot dox dsc dwg dxf dxr eps exp f fas fax fdb fla flb frm fm fox frm frt frx fsl gtd gif gz gzip ha hh hjt hog hpp htm html htx ice icf inc ish iso jar jad java jpg jpeg js jsp key kwm lst lwp lzh lzs lzw ma mak man maq mar mbx mdb mdf mid mo myd obj old p12 pak pas pdf pem pfx php php3 php4 pgp pkr pl pm3 pm4 pm5 pm6 png ppt pps prf prx ps psd pst pw pwa pwl pwm pwp pxl py rar res rle rmr rnd rtf safe sar skr sln swf sql tar tbb tex tga tgz tif tiff txt vb vp wps xcr xls xml zip

Ransom: The victim is asked to pay $300!

NTOS injects itself into svchost.exe and runs a routine that scans the hard drive for files to encrypt. It also drops a read_me.txt file in every folder where it encrypted files.

While scanning the hard drive, the trojan writes the full path of every matching file to a .tmp file in the current user's temp directory. Once the scan is finished, it reads the list of files to encrypt back from that .tmp file and displays the blackmail text asking for money.
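Since the trojan leaves two artifacts behind (the "GLAMOUR" header it writes over the first 7 bytes of each file it processes, described further down, and the read_me.txt it drops in affected folders), an incident responder can inventory the damage with the same extension list the trojan uses. The following triage script is an added example written for this page, not code from the post or from the malware: TARGET_EXTS is a small subset of the extension list above, and the sample directory tree it builds is constructed test data.

```python
import os
import tempfile

HEADER = b"GLAMOUR"  # 7-byte marker NTOS writes over the start of each file it encrypts
# Trimmed subset of the trojan's extension list, enough to exercise the scanner.
TARGET_EXTS = {"doc", "xls", "pdf", "jpg", "zip", "txt", "db"}


def is_ntos_encrypted(path: str) -> bool:
    """A file the trojan has already processed starts with the GLAMOUR header."""
    with open(path, "rb") as f:
        return f.read(len(HEADER)) == HEADER


def triage(root: str) -> dict:
    """Walk a tree the way the trojan does, but in reverse: report targeted
    files that carry the header, targeted files still intact, and the
    read_me.txt ransom notes (which also tell you which folders were hit)."""
    report = {"encrypted": [], "intact_targets": [], "ransom_notes": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower() == "read_me.txt":
                report["ransom_notes"].append(path)
                continue
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext not in TARGET_EXTS:
                continue  # the trojan never touches these, so neither do we
            if is_ntos_encrypted(path):
                report["encrypted"].append(path)
            else:
                report["intact_targets"].append(path)
    return report


def build_sample_tree() -> str:
    """Constructed test data: one 'encrypted' .doc (header in front, original
    7 bytes appended), one intact .txt, an untargeted .exe and a dropped
    ransom note. Returns the temp root path."""
    root = tempfile.mkdtemp(prefix="ntos_triage_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "report.doc"), "wb") as f:
        f.write(HEADER + bytes(range(64)) + b"\xd0\xcf\x11\xe0\xa1\xb1\x1a")
    with open(os.path.join(docs, "notes.txt"), "wb") as f:
        f.write(b"still readable\n")
    with open(os.path.join(docs, "program.exe"), "wb") as f:
        f.write(b"MZ" + bytes(64))  # .exe is not on the target list
    with open(os.path.join(docs, "read_me.txt"), "wb") as f:
        f.write(b"Your files are encrypted. Pay $300.\n")
    return root


if __name__ == "__main__":
    report = triage(build_sample_tree())
    for kind, paths in report.items():
        print(f"{kind}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

The header check reads only 7 bytes per file, so running this over a whole volume is cheap; keep the "intact_targets" list too, since those are the files still worth backing up before any cleanup.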

Encryption Algorithm Uncovered

It takes about 30 seconds to see that the files are not encrypted with RSA at all, but with a custom encryption algorithm.

The RSA story is there to scare infected users into buying the authors' decryption tool to get their files back.

The encryption routine starts with an S-box initialization very similar to RC4's key scheduling (a 256-entry permutation built by swapping entries under control of the key), as the disassembly below shows:

Next, a static key is "extended" and the S-boxes are updated, with the static key bytes serving as indices into the S-boxes.

Here is a dump of the static key:

Once the S-boxes have been updated, the trojan uses the victim's personal code (the one stored in the registry and printed in read_me.txt) to encrypt the static key with a simple XOR loop:

This step also goes through the S-boxes, which are updated once more; the result is a new key that depends on the personal code.

The trojan then calls the RC4-like S-box generation routine a second time, overwriting the old S-boxes with ones scheduled from the new, personal-code-dependent key.

At this point, everything is ready for file encryption.

For each target file, the trojan saves the first 7 bytes and appends them to the end of the encrypted file, then overwrites those first 7 bytes with the string "GLAMOUR". This string acts as a header: the trojan checks for it before encrypting a file so that it knows which files it has already processed.

It then encrypts the rest of the file contents with the algorithm described above, skipping the 7-byte header.

Cracking the Encryption

It's pretty easy to decrypt the files once you have the personal code. We won't give too many details (no screenshot, no disassembly), because we don't want to help the malware authors.

In a nutshell, the algorithm uses the encrypted bytes as an index into the S-box, so applying it a second time does not give back the original file, just another scrambled one.

To decrypt, you must use the decrypted bytes as the index into the S-box instead. Changing that one line is all it takes to break the encryption.
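To make the pipeline described above concrete (RC4-style S-box scheduling, the static key mixed with the personal code, a second scheduling from the derived key, the "GLAMOUR" header with the 7 saved bytes as a trailer, and the ciphertext-feedback asymmetry that makes a second encryption pass scramble rather than restore), here is a toy model written for this page. It is not the trojan's code and the post deliberately withholds the real routine: the S-box schedule is plain RC4 KSA, the way the personal code is XORed into the key, the feedback initial value, the trailer being stored in the clear, and the STATIC_KEY placeholder are all assumptions that follow the prose, not the disassembly. What the model does reproduce faithfully is the one-line difference between encryptor and decryptor: the byte fed back as S-box index must always be the ciphertext byte, which the encryptor has just produced but the decryptor is reading.

```python
"""Toy model of the NTOS "ransom encryption" structure (illustration only)."""

HEADER = b"GLAMOUR"  # marker written over the first 7 bytes of each file
# Placeholder standing in for the trojan's dumped static key (not reproduced here).
STATIC_KEY = bytes(range(0xA0, 0xC0))


def rc4_ksa(key: bytes) -> list:
    """RC4 key scheduling: permute 0..255 under control of the key bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def derive_victim_key(static_key: bytes, personal_code: str) -> bytes:
    """Assumed model of the 'extend and XOR' step: each static key byte selects
    an S-box entry, which is then XORed with the victim's personal code."""
    s = rc4_ksa(static_key)
    code = personal_code.encode("ascii")
    return bytes(s[k] ^ code[n % len(code)] for n, k in enumerate(static_key))


def victim_sbox(static_key: bytes, personal_code: str) -> list:
    """Second scheduling pass: the S-box that actually drives file encryption."""
    return rc4_ksa(derive_victim_key(static_key, personal_code))


def _stream(sbox: list, data: bytes, decrypt: bool) -> bytes:
    """RC4-style PRGA with ciphertext feedback: the previous ciphertext byte
    steers the S-box index, so the keystream depends on the data itself."""
    s = list(sbox)           # the PRGA mutates the S-box, so work on a copy
    i = j = prev = 0         # feedback byte assumed to start at zero
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i] + prev) & 0xFF
        s[i], s[j] = s[j], s[i]
        o = b ^ s[(s[i] + s[j]) & 0xFF]
        out.append(o)
        # The one line that differs between the two directions. The feedback
        # byte must always be the ciphertext: the encryptor just produced it,
        # the decryptor is reading it. Running the encryptor unchanged over a
        # ciphertext feeds the plaintext back instead, the S-box walk diverges
        # after the first byte, and the output is merely scrambled again.
        prev = b if decrypt else o
    return bytes(out)


def encrypt_bytes(sbox: list, data: bytes) -> bytes:
    return _stream(sbox, data, decrypt=False)


def decrypt_bytes(sbox: list, data: bytes) -> bytes:
    return _stream(sbox, data, decrypt=True)


def is_encrypted(data: bytes) -> bool:
    """The trojan's own 'already done' check: look for the GLAMOUR header."""
    return data.startswith(HEADER)


def encrypt_file(sbox: list, data: bytes) -> bytes:
    """Save the first 7 bytes as a trailer, overwrite them with GLAMOUR and
    encrypt everything after the header. Assumed: the trailer is stored in the
    clear, and files already carrying the header (or shorter than it) are skipped."""
    if is_encrypted(data) or len(data) < len(HEADER):
        return data
    head, body = data[:len(HEADER)], data[len(HEADER):]
    return HEADER + encrypt_bytes(sbox, body) + head


def decrypt_file(sbox: list, data: bytes) -> bytes:
    """Undo encrypt_file: decrypt the body and put the saved 7 bytes back."""
    if not is_encrypted(data) or len(data) < 2 * len(HEADER):
        raise ValueError("no GLAMOUR header: not an NTOS-encrypted file")
    body, head = data[len(HEADER):-len(HEADER)], data[-len(HEADER):]
    return head + decrypt_bytes(sbox, body)


if __name__ == "__main__":
    # Constructed sample: a fake document and a made-up personal code.
    sample = b"%PDF-1.4\n" + bytes(range(256)) * 2
    sbox = victim_sbox(STATIC_KEY, "1234-5678")
    enc = encrypt_file(sbox, sample)
    print("header:", enc[:7], "trailer:", enc[-7:])
    print("round trip ok:", decrypt_file(sbox, enc) == sample)
    print("encrypting twice gives the plaintext back:",
          encrypt_bytes(sbox, encrypt_bytes(sbox, sample[7:])) == sample[7:])
    print("wrong personal code gives the plaintext back:",
          decrypt_file(victim_sbox(STATIC_KEY, "8765-4321"), enc) == sample)
```

With the feedback byte zeroed at the start, the first keystream byte is exactly standard RC4's, so rc4_ksa plus _stream can be sanity-checked against the published RC4 vector for key "Secret" before trusting the rest; everything from the second byte on is data-dependent, which is the whole point of the asymmetry.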

Wait, this didn't take us a few years, as they predicted, did it? ;-)

We have created a custom decoder tool. Perhaps we could sell it for the discounted price of $200, a full $100 savings off the manufacturer's price! Act now! ;-)

Researcher: Nicolas Brulez
