Wulfric Ransomware - the ransom that doesn't exist

Sometimes you just want to look a virus writer in the eye and ask: why, and what for? We can answer the question "how" ourselves, but it would be very interesting to know what the malware author was thinking. Especially when we come across "pearls" like this one.

The hero of today's story is a curious specimen of its kind. It was apparently conceived as yet another piece of ransomware, but its technical implementation looks more like someone's cruel joke. That implementation is what we will discuss today.

Unfortunately, it is impossible to trace the life cycle of this encoder: there are too few statistics, because, fortunately, it did not spread widely. So we will leave aside its origin, infection vectors and other references. Let us simply talk about our encounter with Wulfric Ransomware and how we helped the user save his files.

I. How it all began

People who have fallen victim to ransomware often contact our antivirus laboratory. We provide help regardless of which antivirus they have installed. This time we were contacted by a person whose files had been affected by an unknown encoder.

Good afternoon. Files on a file server (samba4) with passwordless login were encrypted. I suspect the infection came from my daughter's computer (Windows 10 with the standard Windows Defender protection). The daughter's computer was not switched on afterwards. The encrypted files are mostly .jpg and .cr2. File extension after encryption: .aef.

From the user we received the encrypted files, the ransom note and a file that is probably the key the ransomware author needs in order to decrypt the files.

Here are all our leads:

  • 01c.aef (4481K)
  • hacked.jpg (254K)
  • hacked.txt (0K)
  • 04c.aef (6540K)
  • pass.key (0K)

Let's look at the note. How many bitcoins this time?

Translation:

Attention, your files are encrypted!
The password is unique to your PC.

Pay the amount of 0.05 BTC to the Bitcoin address: 1ERtRjWAKyG2Edm9nKLLCzd8p1CjjdTiF
After paying, send me an e-mail at [email protected], attaching the pass.key file and the payment ID.

After confirmation, I will send you a decryptor for the files.

You can buy bitcoins online in various ways:
buy.blockexplorer.com - pay with a bank card
www.buybitcoinworldwide.com
localbitcoins.net

About bitcoins:
en.wikipedia.org/wiki/Bitcoin
If you have any questions, please write to me at [email protected]
As a bonus, I will tell you how your computer was hacked and how to protect it in the future.

A self-assured wolf, designed to impress the seriousness of the situation on the victim. Still, it could have been worse.

Fig. 1. "As a bonus I'll tell you how to protect your computer in the future." Seems fair.

II. Let's get started

First, we looked at the structure of the submitted sample. Oddly enough, it does not look like a file damaged by ransomware at all. Open it in a hex editor and take a look. The first 4 bytes hold the original file size, and the next 60 bytes are filled with zeros. But the most interesting part is at the end:

Fig. 2. Analysis of the damaged file. What catches your eye right away?

Everything turned out to be annoyingly simple: 0x40 bytes of the header had been moved to the end of the file. To restore the data, you only have to move them back to the beginning. Access to the file is restored, but the name is still encrypted, and things are more complicated there.

Fig. 3. The encrypted name in Base64 looks like a pile of gibberish.

Let's try to make sense of pass.key, supplied by the user. In it we see a 162-byte sequence of ASCII characters.

Fig. 4. 162 characters left behind on the victim's PC.

If you look closely, you will notice that the characters repeat with a certain period. That may indicate XOR, which is characterized by repetitions whose period usually depends on the key length. Having split the string into groups of 6 characters and XORed them with various candidate key sequences, we got nothing meaningful.

Fig. 5. Notice the regularly repeating constants in the middle?

We decided to google the constants, because yes, that is possible too! And they all led to one algorithm: Batch Encryption. After studying the script, it became clear that our string is nothing but the result of its work. It should be said that this is not an encryptor at all, but an encoder that replaces each character with a 6-byte sequence. No keys or other secrets for you :)

Fig. 6. A fragment of the original algorithm by an unknown author.

The algorithm would not work as it should if not for one detail:

Fig. 7. Morpheus approves.

Using reverse substitution, we convert the string from pass.key into 27 characters of text. The human-readable (most likely) fragment 'asmodat' deserves special attention.
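Reverse substitution for a fixed-width encoder of this kind, as an added example (not the Batch Encryption script, the article's tooling, or any code from the page). The 6-character table is constructed here because the page does not reproduce the real one; the 27-character sample plaintext is built from the page's description (the hex of 'shadowwolf' followed by 'asmodat'). The example also shows the repeated-token check that reveals such an encoder in the first place, and rejects blobs with unknown or misaligned tokens instead of decoding garbage:

```python
from collections import Counter
from typing import Dict

ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"
WIDTH = 6  # characters emitted per plaintext character, as the page describes

# CONSTRUCTED table: each character gets a unique 6-character token. The real
# Batch Encryption table is not reproduced on the page; only its shape is.
ENCODE_TABLE: Dict[str, str] = {
    ch: "%03d%03d" % ((i * 7 + 3) % 1000, (i * 13 + 5) % 1000)
    for i, ch in enumerate(ALPHABET)
}
DECODE_TABLE: Dict[str, str] = {tok: ch for ch, tok in ENCODE_TABLE.items()}
if len(DECODE_TABLE) != len(ENCODE_TABLE):
    raise RuntimeError("substitution table is not invertible")

# Sample plaintext built from the page's description of pass.key: the hex of
# 'shadowwolf' (20 characters) followed by 'asmodat', 27 characters in all.
SAMPLE_PLAINTEXT = "shadowwolf".encode("ascii").hex() + "asmodat"


def encode(text: str) -> str:
    """Forward substitution: one fixed-width token per character."""
    return "".join(ENCODE_TABLE[c] for c in text.lower())


def repeated_tokens(blob: str, width: int = WIDTH) -> Dict[str, int]:
    """Tokens that occur more than once when the blob is cut into width-sized
    chunks: the 'repeating constants' that gave the encoder away on the page."""
    chunks = [blob[i:i + width] for i in range(0, len(blob), width)]
    return {tok: n for tok, n in Counter(chunks).items() if n > 1}


def decode(blob: str, width: int = WIDTH) -> str:
    """Reverse substitution. Refuses blobs of the wrong length and reports the
    exact offset of any chunk missing from the table instead of guessing."""
    if len(blob) % width:
        raise ValueError(f"length {len(blob)} is not a multiple of {width}")
    out = []
    for i in range(0, len(blob), width):
        tok = blob[i:i + width]
        if tok not in DECODE_TABLE:
            raise ValueError(f"unknown token {tok!r} at offset {i}")
        out.append(DECODE_TABLE[tok])
    return "".join(out)


def code_word_from_decoded(decoded: str, hex_len: int = 20) -> str:
    """The first 20 decoded characters are the hex of an ASCII word (page)."""
    return bytes.fromhex(decoded[:hex_len]).decode("ascii")


if __name__ == "__main__":
    blob = encode(SAMPLE_PLAINTEXT)          # 162 characters, like the real pass.key
    print("repeated tokens:", repeated_tokens(blob))
    decoded = decode(blob)
    print("decoded:", decoded, "-> code word:", code_word_from_decoded(decoded))
```

The table lookup is the whole "cipher": once the token width and table are known there is no key to recover, which is exactly why the page calls this an encoder rather than an encryptor.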

Fig. 8. USGFDG=7.

Google helps us again. After a little searching, we find an interesting project on GitHub: Folder Locker, written in .Net and using the 'asmodat' library from another Git account.

Fig. 9. The Folder Locker interface. Be sure to check it for malware.

The utility is an encryptor for Windows 7 and higher, distributed as open source. A password is used during encryption and is required for decryption. It lets you work both with individual files and with entire directories.

Its library uses the Rijndael symmetric encryption algorithm in CBC mode. It is worth noting that the block size was chosen to be 256 bits, unlike the one adopted in the AES standard, where the block size is fixed at 128 bits.

The key is generated according to the PBKDF2 standard. Here the password fed to PBKDF2 is the SHA-256 of the string entered in the utility. All that remains is to find this string in order to build the decryption key.

So, back to the already decoded pass.key. Remember that string with a set of digits and the text 'asmodat'? Let's try to use the first 20 bytes of the string as the Folder Locker password.

Look, it works! The code word fit, and everything decrypted perfectly. Judging by the characters in the password, it is the HEX representation of some ASCII word. Let's display the code word as text. We get 'shadowwolf'. Do you already feel the symptoms of lycanthropy?

Let's take another look at the structure of the affected file, now that we know how the locker works:

  • 02 00 00 00 - name encryption method;
  • 58 00 00 00 - length of the encrypted, base64-encoded file name;
  • 40 00 00 00 - size of the moved header.

The encrypted name itself and the moved header are highlighted in red and yellow, respectively.

Fig. 10. The encrypted name is highlighted in red, the moved header in yellow.
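A restorer for the container format described above (the moved 0x40-byte header and the 02 / 58 / 40 trailer fields), as an added example that is not part of the original article and not Dr.Web's or Folder Locker's code. The page fixes the size field, the zero fill, the header size and the three trailer fields, but not the exact order in which the name and header sit at the end of the file; the order used here (fields, base64 name, header) is an assumption, as are the constructed sample file and the constructed 88-character base64 string standing in for the encrypted name. The size field at offset 0 is what lets the restorer locate the trailer, and every length is cross-checked so a truncated or foreign file fails instead of yielding garbage:

```python
import base64
import struct
from typing import Tuple

# Layout constants taken from the page: a 0x40-byte header is moved to the end of
# the file, and the trailer fields read 02 00 00 00 / 58 00 00 00 / 40 00 00 00.
HEADER_SIZE = 0x40
NAME_METHOD = 2

# CONSTRUCTED sample "original" file (fake JPEG-like header + filler body) and a
# constructed 88-character base64 string (88 = 0x58, the length on the page).
SAMPLE_ORIGINAL = b"\xff\xd8\xff\xe0" + bytes(range(60)) + b"constructed image body " * 40
SAMPLE_NAME_B64 = base64.b64encode(bytes(range(66)))


def wrap_like_wulfric(original: bytes, encrypted_name_b64: bytes) -> bytes:
    """Produce a .aef-style container from a plain file.

    ASSUMED layout (only the pieces named on the page are certain):
      [u32 original size][60 zero bytes][body without header]
      [u32 method][u32 name length][u32 header size][base64 name][moved header]
    """
    if len(original) < HEADER_SIZE:
        raise ValueError("file shorter than the moved header")
    header, body = original[:HEADER_SIZE], original[HEADER_SIZE:]
    prefix = struct.pack("<I", len(original)) + bytes(HEADER_SIZE - 4)
    trailer = struct.pack("<III", NAME_METHOD, len(encrypted_name_b64), HEADER_SIZE)
    return prefix + body + trailer + encrypted_name_b64 + header


def unwrap(blob: bytes) -> Tuple[bytes, bytes]:
    """Reverse wrap_like_wulfric(): return (original file, base64 encrypted name).

    The size field tells us where the body ends, so the trailer is found by
    arithmetic rather than by searching, and every length is verified.
    """
    if len(blob) < HEADER_SIZE + 12:
        raise ValueError("too short to be a wrapped file")
    (orig_size,) = struct.unpack_from("<I", blob, 0)
    if orig_size < HEADER_SIZE or len(blob) < orig_size + 12:
        raise ValueError("size field inconsistent with file length")
    if any(blob[4:HEADER_SIZE]):
        raise ValueError("expected zero fill after the size field")
    body = blob[HEADER_SIZE:orig_size]
    method, name_len, hdr_len = struct.unpack_from("<III", blob, orig_size)
    if method != NAME_METHOD or hdr_len != HEADER_SIZE:
        raise ValueError(f"unexpected trailer fields: method={method} header={hdr_len}")
    pos = orig_size + 12
    name_b64 = blob[pos:pos + name_len]
    header = blob[pos + name_len:pos + name_len + hdr_len]
    if len(name_b64) != name_len or len(header) != hdr_len:
        raise ValueError("trailer truncated")
    original = header + body          # move the header back to the front
    if len(original) != orig_size:
        raise ValueError("reassembled size does not match the size field")
    return original, name_b64


if __name__ == "__main__":
    wrapped = wrap_like_wulfric(SAMPLE_ORIGINAL, SAMPLE_NAME_B64)
    restored, name_b64 = unwrap(wrapped)
    print("restored OK:", restored == SAMPLE_ORIGINAL, "| name field:", name_b64[:16], b"...")
```

Only the file content comes back this way; the base64 field it returns is still the encrypted name, which needs the locker's key to recover.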

Now let's compare the encrypted and decrypted file names in hexadecimal.

Structure of the decrypted data:

  • 78 B9 B8 2E - garbage generated during encryption (4 bytes);
  • 0C 00 00 00 - length of the encrypted name (12 bytes);
  • then comes the file name itself, padded with zeros up to the block length (padding).

Fig. 11. IMG_4114 looks much better.
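The key-derivation chain and the decrypted name record from the last few paragraphs, as an added example (not Folder Locker's or the 'asmodat' library's code, and not from the article). What the page states is used as-is: the password is the HEX of the ASCII code word, the SHA-256 of that password is what goes into PBKDF2, the block is 256 bits, and the decrypted record is 4 garbage bytes, a 32-bit length, the name and zero padding. The PBKDF2 salt, iteration count, PRF and key length are assumptions that must be taken from the real library; the Rijndael-256 decryption itself is not in the Python standard library and is therefore not performed here, so the 32-byte record is a constructed stand-in for what that decryption yields, with the file name assumed from the 12-byte length and the user's .cr2 files:

```python
import hashlib
import struct

BLOCK_SIZE = 32  # Rijndael with a 256-bit block, as the locker's library uses (page)
CODE_WORD = "shadowwolf"


def password_from_code_word(word: str) -> str:
    """The locker password is the HEX representation of the ASCII code word (page)."""
    return word.encode("ascii").hex()


def derive_key(password: str, salt: bytes, iterations: int, key_len: int = 32) -> bytes:
    """Chain named on the page: SHA-256 of the entered string is the PBKDF2 password.
    ASSUMPTIONS: the salt, iteration count, PRF (HMAC-SHA1, the .NET
    Rfc2898DeriveBytes default) and a 32-byte key; read the real values from the
    'asmodat' library before relying on this."""
    inner = hashlib.sha256(password.encode("ascii")).digest()
    return hashlib.pbkdf2_hmac("sha1", inner, salt, iterations, key_len)


# CONSTRUCTED stand-in for one decrypted 32-byte block of the name record, laid
# out as the page describes: 78 B9 B8 2E | 0C 00 00 00 | name | zero padding.
SAMPLE_NAME_RECORD = bytes.fromhex("78b9b82e") + struct.pack("<I", 12) + b"IMG_4114.CR2"
SAMPLE_NAME_RECORD += bytes(BLOCK_SIZE - len(SAMPLE_NAME_RECORD))


def parse_name_record(plaintext: bytes) -> str:
    """Decode the name record; anything that deviates from the layout is rejected
    rather than silently producing a wrong file name."""
    if not plaintext or len(plaintext) % BLOCK_SIZE:
        raise ValueError("plaintext is not a whole number of 256-bit blocks")
    (name_len,) = struct.unpack_from("<I", plaintext, 4)   # after the 4 garbage bytes
    if name_len == 0 or 8 + name_len > len(plaintext):
        raise ValueError(f"name length {name_len} exceeds the record")
    name = plaintext[8:8 + name_len]
    if any(plaintext[8 + name_len:]):
        raise ValueError("padding after the name is not all zeros")
    return name.decode("ascii")


if __name__ == "__main__":
    pw = password_from_code_word(CODE_WORD)
    print("password:", pw, "->", bytes.fromhex(pw).decode("ascii"))
    key = derive_key(pw, b"constructed-salt", 1000)   # hypothetical parameters
    print("derived key (assumed parameters):", key.hex())
    print("file name:", parse_name_record(SAMPLE_NAME_RECORD))
```

The 4 leading garbage bytes are the reason the name is still readable even though the first few bytes of the block did not decrypt cleanly: the length field and the name sit after them, so the parser simply skips offset 0 to 3.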

III. Conclusions and outcomes

Back to the beginning. We do not know what motivated the author of Wulfric.Ransomware or what goal he pursued. Of course, to an ordinary user the result of such an encryptor's work looks like a major disaster. The files do not open. The names are all gone. Instead of the usual wallpaper, there is a wolf on the screen. It makes you read about bitcoins.

True, this time the "terrible encoder" turned out to conceal a ridiculously clumsy extortion attempt, in which the attacker used ready-made programs and left the keys right at the crime scene.

Speaking of keys. We had no malicious script or Trojan that would help us understand how this happened. As for pass.key, how that file ended up on the infected PC is still unknown. But remember, in his note the author mentioned the uniqueness of the password. So the decryption code word is as unique as the shadow wolf nickname is unique :)

And still, shadow wolf, why, and what for?

Source: www.habr.com
