Introduction to Petya

Source: Internet
Author: User


At the end of last month the veteran German security vendor G DATA published a report on a newly emerged ransomware trojan named Petya. So what exactly is this new ransomware trojan?
0x01 Trojan Overview
The trojan itself is not technically complex. It is written in C. By modifying the data in the first 63 sectors of the system disk, including the Master Boot Record (MBR), it arranges for its own malicious code to be loaded automatically at startup. It then forces the system to restart, so that the machine boots into that code, which encrypts the user's disk and displays the ransom screen.
The principle fits in two sentences, yet in practice the trojan comes across as simple, crude, and ---- effective!
0x02 Code Analysis
Preparations before the restart
Because the trojan is spread mainly through cloud-storage links, its only disguise is an icon that makes it look like a self-extracting archive:

There is no other disguise. Straight to business: the trojan opens drive C and uses DeviceIoControl to determine which physical disk the drive resides on.


Having identified the physical disk, it opens it with read and write access (it needs to write):

Everything is in place; now the writing begins. All of the data the trojan writes lies within the first 63 sectors of the disk and falls into four parts:
1. Overwrite the first 512 bytes of the disk (cylinder 0, head 0, sector 1) ---- that is, modify the MBR.
2. Fill all of the free sectors that follow with the character "7" (hex 0x37).
3. Write the malicious code, 8192 bytes (0x2000 bytes, or 16 sectors) in total, starting at sector 35.
4. Write 512 bytes of configuration data starting at sector 55.
Modify MBR

Fill the free space with "7"

Write malicious code

Write configuration data

With everything written, the system is restarted. Rather than taking the trivial route of issuing the system's shutdown command, the trojan calls the ZwRaiseHardError function in ntdll to raise a hard error that produces a blue screen, thereby forcing a reboot:

Pause the analysis and look at the disk
At this point let us pause and examine the disk. The first 63 sectors, MBR included, have been modified by the trojan and malicious code has been added, but the disk partitions themselves have not yet suffered any real damage. Opening the disk with a disk editor shows the modified MBR and the malicious code:


The modified MBR code loads the data beginning at sector 34 (counting from 0; that is sector 35 in the 1-based count used above) and executes it:

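The sector layout described above (0x37 filler after the MBR, 16 sectors of code at 0-based sector 34, configuration at 0-based sector 54) is the kind of thing a responder would look for when triaging a raw disk image. The following is an added example, not code from the original analysis: it inspects the first 63 sectors of an image and reports those indicators. The sector offsets and the 0x37 filler come from the article; the filler-count threshold and the two constructed sample images (which only mimic the layout with placeholder bytes) are assumptions.

```python
import io

SECTOR = 512
FILL_BYTE = 0x37        # the character "7" used as filler
CODE_SECTOR = 34        # 0-based; sector 35 in the article's 1-based count
CODE_SECTORS = 16       # 0x2000 bytes of loader code
CONFIG_SECTOR = 54      # 0-based; sector 55 in the article's 1-based count
TOTAL_SECTORS = 63


def read_sectors(stream, count=TOTAL_SECTORS):
    """Read the first `count` sectors of a raw disk image as a list of 512-byte chunks."""
    data = stream.read(count * SECTOR)
    return [data[i:i + SECTOR] for i in range(0, len(data), SECTOR)]


def petya_layout_indicators(stream):
    """Return the layout indicators described in the article for the image in `stream`."""
    sectors = read_sectors(stream)
    if len(sectors) < TOTAL_SECTORS:
        raise ValueError("image shorter than 63 sectors")
    mbr = sectors[0]
    # Sectors between the MBR and the code blob consisting solely of 0x37 are the filler.
    filler = [i for i in range(1, CODE_SECTOR) if set(sectors[i]) == {FILL_BYTE}]
    code = b"".join(sectors[CODE_SECTOR:CODE_SECTOR + CODE_SECTORS])
    return {
        "mbr_signature_ok": mbr[510:512] == b"\x55\xaa",   # still a bootable MBR
        "filler_sectors": len(filler),                     # 33 on the layout described
        "code_region_nonempty": any(code),
        "config_nonempty": any(sectors[CONFIG_SECTOR]),
    }


def looks_like_petya(indicators, min_filler=30):
    """Heuristic verdict (threshold is an assumption): filler plus code plus config."""
    return (indicators["filler_sectors"] >= min_filler
            and indicators["code_region_nonempty"]
            and indicators["config_nonempty"])


def build_image(infected):
    """Constructed 63-sector sample image; 'infected' only reproduces the layout with placeholders."""
    secs = [bytes(SECTOR) for _ in range(TOTAL_SECTORS)]
    mbr = bytearray(SECTOR)
    mbr[510:512] = b"\x55\xaa"
    secs[0] = bytes(mbr)
    if infected:
        for i in range(1, CODE_SECTOR):
            secs[i] = bytes([FILL_BYTE]) * SECTOR
        for i in range(CODE_SECTOR, CODE_SECTOR + CODE_SECTORS):
            secs[i] = b"\xab" * SECTOR        # placeholder standing in for the loader
        secs[CONFIG_SECTOR] = b"\x01" * SECTOR  # placeholder configuration block
    return io.BytesIO(b"".join(secs))
```

Pass a real image with `open(path, "rb")` in place of `build_image(...)`; a clean MBR disk normally has zeroed sectors between the MBR and the first partition, so the filler count stays at 0.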
Continue running: what happens on restart
OK, now let the trojan continue. Once the blue screen is triggered, the system restarts automatically and a disk repair message appears:

As shown, the screen announces that the file system holding drive C is being repaired and warns the user in capital letters (although a "warning" written in English does not travel well in China) ---- never power off. Shut down, and all of your data will be ruined!
But in reality? Shut down or not, your data is ruined either way, because this is not the system's own repair program but a fake prompt written by the trojan itself. The progress value shown is meaningful, though: it is exactly the progress of the malicious code encrypting your disk! Opening the disk directly with a disk tool, the corresponding text can be found in the data the virus wrote:


Once the so-called "file system repair" completes, the user is greeted by a one-eyed skull (1. the flashing cannot be reproduced in a screenshot; what you actually see alternates between red and white. 2. In all fairness, this screen is rather well made! ⊙﹏⊙b)

Press any key, as instructed, and we get to the point. Sound familiar? Download the Tor browser, visit the link it specifies, enter your personal decryption code, pay up, and receive the decryption key to restore the system to normal!

It is no different from CTB-Locker, which has been rampant for years, except that instead of encrypting specific files it encrypts your entire disk......
0x03 Prevention and Repair
Although this trojan restarts the system through ZwRaiseHardError rather than the shutdown command, its overall design still rests on modifying the system's MBR. Most security software with active protection has been fighting MBR trojans for many years and can intercept the MBR modification. In addition, according to our monitoring this trojan has not broken out on a large scale in China, so as long as reliable security software is installed there is no need to worry much about the Petya trojan.
But if you do not use security software for protection...... then it comes down to repair, and that is where things get troublesome.
If your instincts are good
Suppose your mind is sharp and your hands are fast, and it was only a moment's carelessness: you remembered to shut the machine down before the fake "file system repair" screen appeared (pulling the power plug is recommended). If so ---- congratulations! What follows is not complicated. Find a WinPE system, boot the machine from the USB flash drive into it, and use any of its boot-repair tools to rebuild the MBR.

Although the malicious code has been written, the disk has not yet been encrypted. Once the MBR is rebuilt, the normal system MBR will not execute the trojan's code, which is left as a dead blob lying quietly on your disk, never to run. And if you don't want even the corpse around, run "Clear reserved sectors" in the lower part of the screenshot after rebuilding the MBR, and the remains are cleaned up for you. (^O^)/~
If you are an information security professional
If you habitually back up your system, there is little to say...... rebuild the MBR as above, then restore the system from backup.
If you were not prepared at all
Even so, there is a silver lining: you do not have to pay the ransom. Unlike a typical CTB-Locker, this trojan does not alter any of your files; it only destroys the disk's overall file index. So if what you really need is to recover important files and you do not care whether the system boots, you can do it yourself:

However, restoring the entire system intact requires professional tools and methods, so it is easier to turn to a professional data recovery service.
By the way
Incidentally, a ransomware trojan that modifies the MBR in a similar way has recently appeared in China:

For that trojan, follow the steps above to rebuild the MBR and then add one more step, recovering the lost partition table, to complete the repair, because it only wrecks the partition table and leaves the file index alone: