INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE J. Jones and N. Shashidhar Vol.6, No.4 Ransomware Analysis and Defense WannaCry and the Win32 environment Justin Jones, Narasimha Shashidhar Department of Computer Science, Sam Houston State University, Huntsville, TX, USA. e-mail: fjxj037, [email protected] Abstract—Ransomware is a specific type of malware that threatens the victim’s access to her data unless a ransom is paid. It is also known as a cryptovirus due to its method of operation. Typically, ransomware encrypts the contents of the victim’s hard drive thereby rendering it inaccessible to the victim. Upon payment of the ransom, the decryption key is released to the victim. This means of attack is therefore also sometimes aptly called cryptoviral extortion. The ransomware itself is delivered to the victim using several channels. The most common channel of delivery is by masquerading the malware as a Trojan horse via an email attachment. In this work, we study a high-profile example of a ransomware called the WannaCry worm. This ransomware is particularly malicious since it has the ability to traverse computing equipment on a network without any human intervention. Since this worm has had a large scale impact, we find it imperative and instructive to better understand the inner workings of this high-profile ransomware. To this end, we obtain a sample of WannaCry and dissect it completely using advanced static and dynamic malware analysis techniques. This effort, we hope, will shed light on the inner workings of the malware and will enable cyber security experts to better thwart similar attacks in the future by: a) generating appropriate signatures and b) developing stronger defense solutions. Our analysis is conducted in a Win32 environment and we present our detailed analysis so as to enable reproduction of our work by other malware analysts. This, we hope, will further advancement in generating appropriate signatures to detect the worm. Secondly, we present a prototype software that will enable a user to prevent this malware from unleashing its payload and protect the user on a Win32 environment in an effort to advance the development of efficient software defense mechanisms to protect users from such a worm attack in the future. Keywords—Ransomware, cryptovirus, extortion, static and dynamic analysis, malware analysis, cyber security. 1. Introduction extensions and making empty threats to full-blown attacks affecting hundreds of thousands of sys- A type of malware known as ransomware has tems worldwide that implement sophisticated NSA- recently become very prevalent in the cyber security developed exploits as their propagation vector. In world, taking over user systems and demanding this paper, we explore a specific piece of malware ransom for the safe return of system functionality known as WannaCry that recently made headlines while holding the user’s data hostage. While initially around the world and we perform a full static and not incredibly sophisticated, this type of software dynamic analysis to explore its inner workings. has evolved from simple scripts that change file Seeking a full understanding of this malware is 57 a fruitful exercise since this will enable malware and Yung [8] and by Salvi and Kerkar [6]. Pascariu analysts in developing appropriate signatures to et al. [5] presented a process of reducing the attack thwart the spread of this malware. Furthermore, surface in the case of ransomware attacks. A more we believe that this deeper understanding of the recent study conducted by Chen and Bridges [1] inner workings of the malware will also enable introduced a method to identify and rank the most one to develop fine-tuned software defense solutions discriminating ransomware features from a set of that will protect the user. To this end, we will system logs. In an effort to reveal the presence of endeavor to write a functional piece of software to the WannaCry malware, they ranked features that stop this malware from executing within a Win32 reveal a set of actions produced by malware on environment. Our primary contribution therefore is the system logs thereby automating the process and two-fold: to demonstrate the inner workings of Wan- avoiding tedious manual analysis. Despite this rich naCry so as to facilitate further analysis by malware body of work, a thorough treatment of a specific analysts and to uncover several hidden “features” of instance of this family of malware is non-existent this cryptovirus and to further the software defense in the literature. A search of research articles on mechanisms against similar malware in the future by most databases for WannaCry reveals that there is developing a functional piece of defense software. hardly any work done in the academic realm in understanding this malware. It is certain that indus- 2. Prior and Related Work try (Norton, Symantec, McAfee and others) must invest substantial time and effort in understanding The academic body of work is rich with re- this malware so as to develop efficient defense search articles studying cryptoviral extortion and mechanisms while the academic realm has not kept the associated malware’s effects on a computing pace with the industry. It is this reason that offered environment. For instance, Young [7] presented the us the motivation to delve deeper into understanding experimental results obtained by implementing the WannaCry and conduct advanced static and dynamic payload of a cryptovirus on the Microsoft Win- analysis of this ransomware. As a final note before dows platform. Since most malware, including the concluding the related work survey, the field of WannaCry worm, infect the MS-Windows platform, malware analysis has made tremendous advances this bias is reflected in the work done by re- and the techniques and tools used by some of the searchers in the literature (and our present work) as authors of these above mentioned prior art have well [9]. Kumar and Kumar [3] present an overview been superseded by newer tools. In this sense, our of the modus operandi and the general structure and present work also serves to illustrate these newer working of a cryptovirus. A more detailed treatment trends in malware analysis. This survey is not meant of an instance of such malware is presented by Filiol to be comprehensive and does not explore all av- and Raynal [2] including a discussion of Code Red, enues of research in malware analysis (or WannaCry Slammer and the Blaster worms. An example of a analysis). The interested reader is directed to the large scale cryptoviral extortion is presented in the above mentioned research articles and the references work done by McCormack [4] which outlines both therein. the financial and data losses incurred due to this attack. A historical perspective on the birth, neglect and explosion of ransomware is presented by Young 58 3. Analysis in the GitHub repository5 accompanying the paper, In this section, we begin by describing the vul- including the Wireshark pcap, IDA Pro idb, registry nerability that WannaCry exploits, followed by its snapshots and a compressed file containing the general file structure, cryptographic function calls extracted payload. before diving into static and dynamic analysis. 3.1.2 General File Data 3.1. WannaCry/WCry 6 3.1.1 Background Utilizing PEiD , we notice that the program was packed using Microsoft Visual Studio C++ 6.0 for Win32 and we should hence have no trouble WannaCry (referring to the general family consist- unpacking it. Utilizing Dependency Walker7, we ing of all named variations of WannaCrypt, WCry, see that the program uses ADVAPI32.DLL which is WanaCrypt, WanaCrypt0r, etc) came into prevalence the source of many cryptographic security functions during a massive attack starting on May 12, 2017. implemented in Windows as shown in Fig.1. In This software utilizes an exploit called EternalBlue1, fact, this is where the SMB exploit EternalBlue is a known vulnerability in the Server Message Block found. It is interesting to note however that had (SMB) protocol used by Microsoft Windows which we not known ahead of time that the program was previously patched in a critical update outlined uses ADVAPI32.DLL, we wouldn’t have thought to in KB40133892. As this vulnerability has been gather this piece of information during our examina- explored and detailed very thoroughly already, we tion until we go further through the decompilation instead shift our focus to WanaCry’s implementa- and execution steps. As it stands, most if not all tion and software aspects while avoiding the inner ransomware will want to utilize this dynamic linked workings of the exploit. library if it intends to perform any non-trivial cryp- The working sample of WannaCry has been ob- tographic operations, such as encryption/decryption 3 tained from theZoo , with SHA256 hash: of files. The inclusion of this library is the first ed01ebfbc9eb5bbea545af4d01bf5f107 indication that this software may be ransomware. 1661840480439c6e5babe8e080e41aa Looking into the functionality imported from this and is positively identified by VirusTotal as a mem- library, we see that CRYPT32.DLL, and the imports ber of the WanaCry family4. The software is being immediately indicate this program is performing tested in a Microsoft-supplied 32-bit Windows 7 a large number of cryptographic function calls as appliance as a VMWare Player virtual host. The shown in Table1. Of particular interest are the appliance is given host-only network access and all functions CryptGenKey, and CryptEnrcypt which outgoing traffic is recorded with Wireshark during we believe (based on rudimentary static analysis) our analysis. All relevant analysis files are supplied are responsible for generating a random encryption key, and the actual encryption operation. Here, we 1. http://bit.ly/2spdT15 2. https://support.microsoft.com/en-us/help/4013389/title 5. https://github.com/NachoChef/Malware-Analysis-and-Defense 3.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages13 Page
-
File Size-