Wulfric Ransomware: the ransomware that isn't

Sometimes you just want to look a virus writer in the eye and ask: why, and what for? The question "how" we can answer ourselves, but it would be far more interesting to learn what this or that malware author was thinking. Especially when we come across "gems" like this one.

The hero of today's story is a curious specimen of crypto-ransomware. It was clearly conceived as yet another "ransomware", but its technical implementation looks more like someone's cruel joke. That implementation is what we will talk about today.

Unfortunately, it is practically impossible to trace the life cycle of this encoder: there are too few statistics on it, because, luckily, it never became widespread. So we will leave aside its origin, infection vectors and other references, and talk only about our encounter with Wulfric Ransomware and how we helped a user get his files back.

I. How it started

People hit by ransomware regularly contact our antivirus lab. We help regardless of which antivirus product they have installed. This time we were contacted by a man whose files had been hit by an unknown encoder.

Good afternoon. Files on a file share (samba4) with password-less login have been encrypted. I suspect the infection came from my daughter's computer (Windows 10 with the standard Windows Defender protection). The daughter's computer has not been switched on since. The encrypted files are mainly .jpg and .cr2. File extension after encryption: .aef.

From the user we received samples of the encrypted files, the ransom note, and a file that was probably the key the ransomware author needed in order to decrypt the files.

Here is all of our evidence:

  • 01c.af (4481K)
  • hacked.jpg (254K)
  • hacked.txt (0K)
  • 04c.af (6540K)
  • pass.key (0K)

Let's look at the note. How many bitcoins this time?

Translation:

Attention, your files are encrypted!
The password is unique to your PC.

Pay 0.05 BTC to the Bitcoin address: 1ERtRjWAKyG2Edm9nKLLCzd8p1CjjdTiF
After payment, e-mail me at [email protected], attaching the pass.key file together with the payment notification.

After confirmation I will send you a decryptor for the files.

You can buy bitcoins online in various ways:
buy.blockexplorer.com - payment by bank card
www.buybitcoinworldwide.com
localbitcoins.net

About Bitcoins:
en.wikipedia.org/wiki/Bitcoin
If you have questions, please write to me at [email protected]
As a bonus, I will tell you how your computer was hacked and how to protect it in future.

A menacing wolf, meant to show the victim just how bad the situation is. Still, it could have been worse.

Fig. 1. "As a bonus, I will tell you how to protect your computer in future." Looks legit.

II. Let's begin

First we looked at the structure of the sample we had been sent. Surprisingly, it did not look like a file mangled by ransomware at all. Open a hex editor and take a look: the first 4 bytes hold the original file size, the next 60 bytes are filled with zeros. But the most interesting part is at the end:

Fig. 2. Examining the damaged file. What catches the eye immediately?

Everything turned out to be annoyingly simple: 0x40 bytes of the header had been moved to the end of the file. To restore the data, just move them back to the beginning. Access to the file content was restored, but the file name remained encrypted, and that is where things got more complicated.
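A restorer for the layout just described, as an added example that is not from the original article or from any tool Dr.Web published. It assumes the size field is little-endian and models only the layout given above (4-byte size, 60 zero bytes, the body, then the displaced 0x40-byte header at the very end); the additional trailer fields the real samples carried are not modelled, which is why the size field is used as a hard check before anything is written back. The sample input is constructed.

```python
import struct

HEADER_SIZE = 0x40  # the 64 header bytes the encoder parks at the end of the file
SIZE_FIELD = 4      # the first 4 bytes of the damaged file hold the original size


def restore_file(damaged: bytes) -> bytes:
    """Put the displaced 0x40-byte header back in front of the file.

    Assumed on-disk layout (built from the description above; trailer
    metadata present in the real samples is not modelled here):
      [4 bytes: original size, little-endian][60 zero bytes]
      [original bytes 0x40..end][original bytes 0..0x40]
    """
    if len(damaged) < 2 * HEADER_SIZE:
        raise ValueError("file too small to contain a displaced header")
    (original_size,) = struct.unpack("<I", damaged[:SIZE_FIELD])
    if any(damaged[SIZE_FIELD:HEADER_SIZE]):
        raise ValueError("bytes 4..0x40 are not zero: not the layout this restorer expects")
    head = damaged[-HEADER_SIZE:]             # the real header, parked at the end
    body = damaged[HEADER_SIZE:-HEADER_SIZE]  # the untouched middle of the file
    restored = head + body
    if len(restored) != original_size:
        # Refuse rather than write a file of the wrong length: a mismatch means
        # the layout is not what we think (e.g. trailer fields not accounted for).
        raise ValueError(f"size field says {original_size} bytes, restored {len(restored)}")
    return restored


def damage_file(original: bytes) -> bytes:
    """Constructed inverse of restore_file, used only to build a test sample."""
    if len(original) < HEADER_SIZE:
        raise ValueError("sample must be at least 0x40 bytes")
    size_field = struct.pack("<I", len(original)) + bytes(HEADER_SIZE - SIZE_FIELD)
    return size_field + original[HEADER_SIZE:] + original[:HEADER_SIZE]


if __name__ == "__main__":
    # Constructed sample: a JPEG-like SOI/APP0 marker followed by filler bytes.
    sample = b"\xff\xd8\xff\xe0" + bytes(range(256)) * 4
    assert restore_file(damage_file(sample)) == sample
    print("restored header starts with:", restore_file(damage_file(sample))[:4].hex())
```

Run it against a copy of the damaged file, never the only copy: the size check will refuse files whose trailer does not match this simple model, which is exactly the case where a blind "move the last 64 bytes to the front" would produce a corrupt image.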

Fig. 3. The encrypted name in Base64 looks like a random set of characters.

Let's try to make sense of pass.key, which the user sent us. Inside we see a 162-byte sequence of ASCII characters.

Fig. 4. The 162 characters left on the victim's PC.

If you look closely, you will notice that the characters repeat with a certain period. That could point to XOR, whose output shows repetition with a period that depends on the key length. But after splitting the string into 6-character groups and XORing them against various candidate key sequences, we got no meaningful result.

Fig. 5. See the regular repetition in the middle?

We decided to google the constants, because yes, that works too! And all of them eventually led to a single algorithm: Batch Encryption. After studying the script, it became clear that our string was nothing but its output. It should be said that this is not an encryption algorithm at all, just a substitution that replaces each character with a fixed 6-byte sequence. No key, no secrets of any kind :)

Fig. 6. A fragment of the unknown author's original algorithm.

The algorithm would not work as it should if not for one detail:

Fig. 7. Morpheus approves.

Applying the reverse substitution, we turn the string from pass.key into a 27-character text. The (most likely) human-chosen word 'asmodat' deserves special attention.

Fig. 8. USGFDG=7.

Google helps us once more. After a short search we find a curious project on GitHub, Folder Locker, written in .NET and using the 'asmodat' library from another Git account.

Fig. 9. The Folder Locker interface. Be sure to scan it for malware.

The utility is an encryptor for Windows 7 and later, distributed as open source. Encryption uses a password, which is then required for decryption. It can work on individual files as well as on whole directories.

Its library uses the Rijndael cipher in CBC mode. Notably, the block size was set to 256 bits, which differs from the block size adopted in the AES standard: AES fixes the block at 128 bits and only the key may be 128, 192 or 256 bits.

Our key is derived according to the PBKDF2 standard. Here the PBKDF2 password is the SHA-256 of the string entered into the utility. All that remains is to find that string in order to produce the decryption key.

So, back to our already decoded pass.key. Remember that line with the run of digits and the word 'asmodat'? Let's try using the first 20 bytes of the string as the password for Folder Locker.

Look, it works! The password fits, and everything falls into place. Judging by the characters in the password, it is the hex representation of some word in ASCII. Let's display the password as text. We get 'shadow'. Sense any signs of lycanthropy?
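The key-derivation chain described in the three paragraphs above, as an added example that is not code from Folder Locker, from the 'asmodat' library or from the article. The page gives the two stages (SHA-256 of the typed string, then PBKDF2) but not the salt, iteration count, PRF or output length, nor whether the digest is passed raw or hex-encoded, so all of those are labelled assumptions. The 27-character decoded string is also not reproduced on the page; the stand-in used here (20 hex characters followed by 'asmodat') is constructed.

```python
import hashlib

# Assumed PBKDF2 parameters: the page names PBKDF2 but gives none of these values.
ASSUMED_SALT = b"folder-locker-demo-salt"
ASSUMED_ITERATIONS = 1000
ASSUMED_PRF = "sha1"
KEY_BYTES = 32   # 256-bit Rijndael key
IV_BYTES = 32    # a 256-bit block needs a 256-bit IV in CBC mode

# Constructed stand-in for the decoded pass.key text: 20 hex characters + 'asmodat'.
SAMPLE_DECODED = "776f6c6673616d706c65" + "asmodat"


def password_word(decoded: str, length: int = 20) -> bytes:
    """The first 20 characters are the password; they are also the hex of an ASCII word."""
    candidate = decoded[:length]
    if len(candidate) != length or len(candidate) % 2:
        raise ValueError(f"need a {length}-character, even-length slice")
    try:
        return bytes.fromhex(candidate)
    except ValueError:
        raise ValueError("not a hex string: wrong offset or wrong substitution table") from None


def derive_key_iv(password: str, salt: bytes = ASSUMED_SALT,
                  iterations: int = ASSUMED_ITERATIONS, prf: str = ASSUMED_PRF) -> tuple[bytes, bytes]:
    """Stage 1 (from the page): SHA-256 of the typed string.
    Stage 2 (from the page): PBKDF2 with that digest as the password.
    Assumption: the raw 32-byte digest is used, not its hex form."""
    stage1 = hashlib.sha256(password.encode("utf-8")).digest()
    material = hashlib.pbkdf2_hmac(prf, stage1, salt, iterations, KEY_BYTES + IV_BYTES)
    return material[:KEY_BYTES], material[KEY_BYTES:]


if __name__ == "__main__":
    print("password as text:", password_word(SAMPLE_DECODED).decode("ascii"))
    key, iv = derive_key_iv(SAMPLE_DECODED[:20])
    print("key:", key.hex(), "\niv: ", iv.hex())
```

The decryption itself is deliberately not shown: the AES implementations in the usual Python libraries accept only 128-bit blocks, so reproducing the library's 256-bit-block Rijndael needs a dedicated implementation, and without the real PBKDF2 parameters the derived key would be wrong anyway. The point of the block is the order of operations and the check that the password slice really is hex before anything else is attempted.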

Let's look at the structure of the affected file again, now that we know how the locker works:

  • 02 00 00 00 - the name encryption mode;
  • 58 00 00 00 - the length of the Base64-encoded encrypted name;
  • 40 00 00 00 - the size of the moved header.

The encrypted name itself and the moved header are highlighted in red and yellow, respectively.

Fig. 10. The encrypted name is highlighted in red, the moved header in yellow.

Now let's compare the encrypted and the decrypted name in hexadecimal.

Structure of the decrypted data:

  • 78 B9 B8 2E - garbage generated by the utility (4 bytes);
  • 0C 00 00 00 - the length of the decrypted name (12 bytes);
  • then the file name itself, padded with zeros to the required block length.
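A parser for the two structures listed above, as an added example that is not code from the article or from the tools it names. It assumes the three 32-bit words are little-endian and stored contiguously in the order the page lists them, and that the file name is UTF-8; the file name in the sample is constructed (the page shows only the 12-byte length and the prefix IMG_4114), and the Base64 sample is constructed too. The 0x58 = 88 Base64 characters in the real sample decode to 64 bytes, i.e. two 256-bit blocks, which the decoder checks.

```python
import base64
import struct

BLOCK_BYTES = 32  # the library's Rijndael block size, 256 bits


def parse_trailer_words(words: bytes) -> dict:
    """Decode the three 32-bit little-endian words listed above.
    Assumed: stored contiguously, in the order the page lists them."""
    if len(words) < 12:
        raise ValueError("need 12 bytes")
    mode, b64_len, header_size = struct.unpack("<III", words[:12])
    return {"name_mode": mode, "b64_name_len": b64_len, "moved_header_size": header_size}


def decode_encrypted_name(b64_name: str, expected_len: int) -> bytes:
    """Base64 -> ciphertext, cross-checked against the length word and the block size."""
    if len(b64_name) != expected_len:
        raise ValueError(f"name field is {len(b64_name)} chars, trailer says {expected_len}")
    ciphertext = base64.b64decode(b64_name, validate=True)
    if len(ciphertext) % BLOCK_BYTES:
        raise ValueError("ciphertext is not a whole number of 256-bit blocks")
    return ciphertext


def parse_decrypted_name(record: bytes) -> str:
    """[4 bytes garbage][4 bytes LE length][name][zero padding to block size] -> name.
    The name encoding is not stated on the page; UTF-8 is assumed."""
    if len(record) < 8 or len(record) % BLOCK_BYTES:
        raise ValueError("record is not block-aligned: decryption output is suspect")
    (name_len,) = struct.unpack("<I", record[4:8])   # bytes 0..4 are the utility's garbage
    name = record[8:8 + name_len]
    if len(name) != name_len:
        raise ValueError("length word exceeds the record")
    if any(record[8 + name_len:]):
        raise ValueError("padding is not all zeros")
    return name.decode("utf-8")


def build_decrypted_record(name: str) -> bytes:
    """Constructed helper: a record in the layout above, garbage bytes as quoted on the page."""
    body = b"\x78\xb9\xb8\x2e" + struct.pack("<I", len(name)) + name.encode("utf-8")
    return body + bytes(-len(body) % BLOCK_BYTES)


def sample_b64_name() -> str:
    """Constructed 64-byte ciphertext stand-in, Base64-encoded: 88 characters like the sample."""
    return base64.b64encode(bytes(range(64))).decode("ascii")


if __name__ == "__main__":
    print(parse_trailer_words(bytes.fromhex("020000005800000040000000")))
    print(len(decode_encrypted_name(sample_b64_name(), 0x58)), "ciphertext bytes")
    print(parse_decrypted_name(build_decrypted_record("IMG_4114.CR2")))  # name is constructed
```

The zero-padding check matters in practice: if a candidate password is wrong, CBC decryption still returns block-aligned bytes, but the length word will be nonsense and the tail will not be zeros, so this parser rejects a bad key instead of printing garbage as a file name.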

Fig. 11. IMG_4114 looks great.

III. Findings and conclusion

Back to the beginning. We do not know what motivated the author of Wulfric.Ransomware or what goal he was pursuing. Of course, to an ordinary user the result of even an encoder like this looks like a disaster. Files do not open. All the names are gone. Instead of the usual wallpaper there is a wolf on the screen. And you are made to read about bitcoins.

True, this time the "terrible encoder" turned out to be a laughable, clumsy attempt in which the attacker used ready-made programs and left the key right at the scene of the crime.

About that key, by the way. We did not have the malicious script or Trojan that would let us understand how it all happened, and how pass.key ended up on the infected PC remains unknown. But recall that in his note the author mentioned the uniqueness of the password. So the decryption password was about as unique as the wolf's username :)

Still, shadow wolf, why, and what for?

source: www.habr.com
