Analysis of Petya extortion Trojan

Analysis of Petya extortion Trojan

Recently, the security vendor G-Data released a report saying that a new extortion Trojan Petya was found. This trojan is characterized by first modifying the MBR Boot Sector of the system, then executing malicious code in the boot sector after forced restart, encrypting the hard disk data, displaying extortion information, and requesting bitcoin through the Tor anonymous network. This is the first malicious trojan to combine extortion and MBR modification. The harbo analysis system obtained Trojan samples and reproduced the extortion process.

This trojan is transmitted by email. The email is disguised as a resume, and the target is the company's HR department. Trojans are added to the email by means of links, which point to a shared file on the dropbox.

After downloading the file from dropbox, you can find that the file name is also related to the resume, and the icon is disguised as a self-extracting file.

 

 

The malicious code of this trojan is not saved in the executable section, but is decompressed in the memory after running, and then executed. The main purpose of this Code is to rewrite the disk MBR and then force restart. To write MBR, open the path \. \ PhysicalDrive0 as a file and write data to it.

 

 

Most of the written content is 512 bytes (Standard sector size) of invalid data, "7777 ......".

 

Valid data is divided into three segments, namely S1, S2, and S3.

S1 is the standard MBR sector, and the flag at the end of it is 55 AA. This data is written to the 0 sector of the disk as the boot program after the system is restarted. This pilot program will read S2 data stored in the 34th sector into the base address of the memory h, and then jump to continue the execution.

 

The length of S2 data is 0 × 2000 bytes, Which is malicious code for encryption and extortion. After this code is executed, a false prompt is first displayed, asking the victim to think that the system is performing a disk scan and repair. In fact, the disk encryption program is in progress.

 

Once the encryption is complete, the trojan begins to expose its volume, with a volume header flashing on the victim's screen:

 

Press any key to display the extortion text and payment method. Like the recent outbreak of other extortion Trojans, this trojan requires that the user pay a ransom through bitcoin in exchange for decryption of the password in the Tor anonymous network. In this section, Trojans claim to be PETYA, which is also the origin of such Trojans.

 

It should be noted that most of the text on this page is encoded in S2 data, but the payment-related part is dynamically read from S3.

 

The two parts can be found from the data saved in S3.

 

From this, we can understand the relationship between the three pieces of data written by the trojan: S1 is the boot program, S2 is the malicious code, S3 is equivalent to the configuration file, and the execution parameters can be adjusted without modifying S2, it even includes encryption keys.

In summary, since the Trojan horse authors have tasted the sweetness of the extortion Trojan Horse outbreak last year, various types of extortion Trojans have emerged in large numbers. In addition to the two common features of email social engineering propagation and anonymous Network + bitcoin ransom payment, the trojan author began to try to integrate various technologies into the Trojan, to enhance the anti-detection capability. The MBR modification technology is a traditional Virus Malicious technique. It was just a simple attempt for joke programs, and this time it was linked with the extortion process, it has played a new role. This evolutionary trend of extortion Trojans deserves our constant attention and vigilance.