Tuesday, May 16, 2017

Trojans and RansomWare explained in light of WannaCry RansomWare

Over the past week, around 200,000 systems are believed to have been infected by the WannaCry ransomware. Let's start with some background first, and then move into the details-


Before you can understand what ransomware is, it's important to know what trojans are. We can broadly classify malicious computer programs into two categories-
  1. Spread wildly and attack destructively
  2. Spread surgically and attack covertly
The first category comprises the typical viruses that infect your computers, get onto your USB drives, and copy themselves to every avenue they can. They slow down your computer, limit its functionality, and in general make a lot of changes that make them easy to detect. These generally serve no particular useful purpose for the writer of the malicious code, other than perhaps giving them the lulz or some sense of accomplishment. Also, once spread, the writer of the malicious code has very little control (or none at all) over its actions.

The second category is the precisely crafted viruses called trojans. These hide behind legitimate files and spread only through the few avenues their programmer sees fit. Let me make this point a bit clearer-
  1. Most viruses would copy themselves to all devices attached to the infected system, try to spread via the network, internet etc. from the infected system.
  2. Trojans will not automatically copy themselves. They will stay hidden and inactive.
As with everything else, the means by which a trojan spreads is also precise. The malicious code writer will hide it behind a legitimate file, and then spread this file using social networks, spam mails, etc. This way, only those computers get infected that the attacker wants to infect.

What are some examples of trojans-
  1. Remote Administration Tools (RATs) - These are trojans which, when installed on the system, silently position themselves in such a way that they allow the attacker to control the system remotely. This means that the attacker can browse all your files, read all your data, see what you're typing (hence get all your accounts and passwords), get a live feed of your screen, and access your webcam. As you can clearly see, as opposed to other viruses, trojans have a specific use for the malicious author. He now controls the infected computer.
  2. Botnet - This is a special use of a freely spreading trojan whose purpose is to infect as many computers as possible with RAT-like functionality but less control over who gets infected. This reduced control and increased rate of spreading is important because of the purpose of a botnet. A botnet is basically a large network of infected computers which the attacker uses to do his bidding. They are often used to carry out DDoS attacks. Suppose the trojan spread to 1000 computers (a very small number; there are HUGE botnets out there). The attacker can then use these 1000 computers to simultaneously attack websites and take them down. Another use for botnets is bitcoin mining.
Recently, a new use for trojans has been seen-


If you have been paying attention so far, you'll notice that once infected by a trojan, a computer's files are under the control of the attacker. That means he can easily say- "Give me money or I'll delete all your files". Unfortunately for the attacker, once the victim sees this message, the trojan is no longer covert. The victim may install an antivirus, back up his important data to the cloud/external storage media/USB, etc.

So, the attacker needs to do something which is equivalent to deleting, but reversible. Also, the reverse procedure should require the consent of the attacker. There is one solution - Encryption. If you know what encryption is, then you should see by now what's up. Otherwise, here's a simpler explanation (though not entirely accurate)-

What the attacker can do is similar to what happens when you find a compressed archive with a password. If you know the password, you can uncompress the archive, otherwise not. So, the attacker will take all files except the system files (without which your computer won't work), put them into a compressed archive with a secure password, and then delete the uncompressed files.

Once he's done with compressing (encrypting, really) everything, he'll inform you about what just happened, and tell you to pay him a certain amount in bitcoins in exchange for the password of the compressed archive (i.e. the decryption key). If you don't pay up, he will delete the compressed archive and your data will be lost forever. Even if you manage to remove the ransomware after it announces its presence, it's a bit too late. You avert the possibility of data deletion, but that doesn't mean that you can now get your data back. You still don't know the decryption key, and unless there's a cryptographic flaw/weakness in the encryption scheme used by the attacker (basically, a weak password or key is used), it's almost impossible to find the key and decrypt the data.
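Since the files cannot be recovered without the key, the practical defence is to notice the encryption while it is happening. A common heuristic for that is byte entropy: a file that has just been encrypted is indistinguishable from random bytes. The Python script below is an added example, not code from the original post; the sample data, function names and the 7.5 threshold are my own assumptions, and the compressed sample deliberately shows the heuristic's main false positive, which mirrors the author's password-protected archive analogy.

```python
import math
import random
import zlib
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant byte, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Heuristic: encrypted content scores near 8.0 bits/byte, while documents,
    source code and logs usually score well below 6.0. Threshold is an assumption."""
    return shannon_entropy(data) >= threshold

# Constructed samples (not real files): a plain document, the same document after
# compression (the archive analogy), and a stand-in for a file after encryption
# (pseudo-random bytes from a fixed seed, so the run is deterministic).
_rng = random.Random(20170516)
_VOCAB = ("the quick brown fox jumps over lazy dog invoice payment report "
          "quarter revenue cost client server patch update backup").split()
DOCUMENT = " ".join(_rng.choice(_VOCAB) for _ in range(6000)).encode()
COMPRESSED = zlib.compress(DOCUMENT, 9)
ENCRYPTED_LIKE = bytes(_rng.getrandbits(8) for _ in range(4096))

SAMPLES = {"document": DOCUMENT, "compressed": COMPRESSED, "encrypted_like": ENCRYPTED_LIKE}

def classify(samples: dict) -> dict:
    """Map each sample name to whether the entropy heuristic flags it."""
    return {name: looks_encrypted(data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:15s} {len(data):6d} bytes  entropy={shannon_entropy(data):.2f}"
              f"  flagged={looks_encrypted(data)}")
```

Because compressed and encrypted content score alike, a real detector pairs entropy with other signals (mass renames, a burst of rewrites across many files) rather than relying on it alone.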

What's special about WannaCry?

So while ransomware has been around for quite some time, this one has spread to epic proportions. Why?

NSA, Shadow Brokers and EternalBlue

The credit for this goes to the NSA for discovering the EternalBlue exploit and to the Shadow Brokers for releasing it to the public. I won't delve into further details of this, but the EternalBlue exploit can compromise any Windows machine which didn't have the patch for it. What does that mean?

The standard Windows security update on 14 March 2017 resolved the issue via security update MS17-010, for all currently supported Windows versions.
"The issue" here refers to the vulnerability. However, many systems have automatic updates disabled and didn't have the patch. All these machines were vulnerable to this attack. Considering how often people end up disabling automatic updates (because they're annoying), you can imagine the scale of the EternalBlue exploit. This is the reason why this particular ransomware was able to spread so quickly.


At this point, you already have enough background to understand on your own what WannaCry is. You know it's ransomware, and you know it uses EternalBlue to infect computers. The details can be seen in the pic below-

  1. Files have been encrypted
  2. You need to pay $300 via bitcoin
  3. If you don't pay within 3 days, you need to pay $600
  4. If you don't pay in a week, all files will be deleted permanently.

This is it for this article.
Suggested reading: https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html - This researcher slowed down the spread of the ransomware by registering a domain which he felt was suspiciously present in the source code. His diligence saved people a lot of money and hassle. (Oversimplified summary; please read the post for a more accurate analysis.)

© Kali Tutorials, 2016. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Shashwat Chaudhary and Kali Tutorials with appropriate and specific direction to the original content.