Recently, there have been discussions around the claim that if our product is installed, the ExPetr malware won't write to the MBR the special malicious code which encrypts the MFT. Some have even speculated that some kind of conspiracy may be going on. Others have said it's plain and simple nonsense. As usual, Vesselin Bontchev, a legend in IT security who has become known for usually getting things right, said it best:
So, what's going on here? As a wise man once said, "the code doesn't lie," so let's analyze the ExPetr MBR disk infection/wiping code in detail.
In a nutshell, the malware performs these actions:
- Checks for administrator privileges
- Enumerates running processes
- Depending on the processes found, initializes a special runtime config
- Depending on this runtime config, chooses which malware execution branches run
The malware's main function
The "check privileges" function
An interesting detail is that the malware tries to find several specific running processes: it calculates a hash of each running process name and compares it with several hard-coded values.
Enumerating running processes
The most interesting part that happens here is:
After this condition, two malicious functions may be executed:
- InfectMbr. This function writes the malicious GoldenEye encryptor code to the MBR. After reboot, this code encrypts the MFT and 1024 bytes of each file.
- WipePhysicalDrive. This function overwrites the first 10 sectors of the disk with random trash.
Let's describe this condition in detail:
- The WipePhysicalDrive function is started if either:
  - the special bit in the runtime config isn't set (which happens when the malware finds the avp.exe process running), or
  - the InfectMbr function fails.
Here's what happens after an initial infection:
[Image: illustration of the condition]
Very important additions:
- WipePhysicalDrive can be started regardless of whether the avp.exe process is running or not. This function is called whenever the malware couldn't write the malicious code to the MBR; for example, the write may be blocked by another security solution. In other words, the presence of avp.exe (or any other checked process) does not act as a "vaccine": the disk still gets wiped instead of infected.
- Regardless of whether the MBR was infected with malicious code or overwritten with random trash, the malware still tries to encrypt the victim's files using the AES and RSA ciphers and the attacker's public key.
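The branch logic described above, modelled in Python as an added example written for this article. It is not ExPetr's code: the hash function `name_hash`, the constant `AVP_HASH` derived from it, the config bit `CFG_INFECT_MBR` and the helper names are assumptions. Only the decision structure follows the analysis (avp.exe clears the config bit; a cleared bit or a failed InfectMbr leads to WipePhysicalDrive; the AES/RSA file encryption runs either way).

```python
from dataclasses import dataclass
from typing import Sequence


def name_hash(name: str) -> int:
    """Assumed case-insensitive 32-bit rolling hash (h = h*33 + byte).

    ExPetr compares hashes of process names with hard-coded constants; its
    real hash function and constants are NOT reproduced here, so this example
    derives its own constant from this hypothetical hash.
    """
    h = 0
    for b in name.lower().encode("ascii", "replace"):
        h = ((h << 5) + h + b) & 0xFFFFFFFF
    return h


# Hypothetical stand-in for the hard-coded hash of "avp.exe".
AVP_HASH = name_hash("avp.exe")

# Hypothetical runtime config layout: one bit meaning "InfectMbr may run".
# The text only says this bit is cleared when avp.exe is found.
CFG_INFECT_MBR = 0x1


@dataclass(frozen=True)
class Outcome:
    config: int
    infect_mbr_attempted: bool
    infect_mbr_ok: bool
    wipe_physical_drive: bool
    file_encryption: bool


def build_runtime_config(running: Sequence[str]) -> int:
    """Step 3 of the summary: derive the config from the running processes."""
    config = CFG_INFECT_MBR
    for proc in running:
        if name_hash(proc) == AVP_HASH:
            config &= ~CFG_INFECT_MBR
    return config


def infect_mbr(raw_disk_write_succeeds: bool) -> bool:
    """Stand-in for InfectMbr: we only model whether the raw MBR write
    succeeds (it fails, e.g., when another security product blocks it)."""
    return raw_disk_write_succeeds


def choose_branches(running: Sequence[str],
                    raw_disk_write_succeeds: bool = True) -> Outcome:
    """Step 4 of the summary: pick the execution branches the analysis describes."""
    config = build_runtime_config(running)
    attempted = bool(config & CFG_INFECT_MBR)
    infected = infect_mbr(raw_disk_write_succeeds) if attempted else False
    # WipePhysicalDrive runs when the bit is clear OR when InfectMbr failed.
    wiped = (not attempted) or (not infected)
    # Per-file AES/RSA encryption runs whatever happened to the MBR.
    return Outcome(config, attempted, infected, wiped, True)


if __name__ == "__main__":
    for procs, ok in (
        (["explorer.exe", "svchost.exe"], True),   # MBR infected
        (["explorer.exe", "AVP.EXE"], True),       # bit cleared -> wipe
        (["explorer.exe"], False),                 # write blocked -> wipe
    ):
        print(procs, ok, choose_branches(procs, ok))
```

The process-name comparison is case-insensitive in the model because the hash lowercases its input; whether ExPetr normalises case is not stated in the analysis and is part of the assumption.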
Overall, it looks like the group behind ExPetr has built what is usually called a stone soup: a mix of old code, new code, dirty hacks, test checks and pieces of strange code. For example, there is a special condition block in which the AES file encryption doesn't run at all; however, this condition is always false. From many points of view it very much looks like something that was rushed out the door before it was polished and ready.
Why the rush, you may ask yourself? We don't know, but there may be several reasons. One of them may be that they tried really hard to catch the EternalBlue/EternalRomance "train". After WannaCry, a lot of companies started patching their Windows installations to close these vulnerabilities, effectively shrinking the window of opportunity. It's possible the authors of ExPetr wanted to infect as many targets as possible before these exploits were widely patched.
Despite the rush, the attackers were clearly aware of our technologies (and probably other companies' technologies as well), specifically System Watcher, which is very effective at fighting ransomware. System Watcher works by collecting information about the suspicious actions of running programs and building a score. For instance, when a program reads a full file into memory, then writes another file of similar size but a different format, then deletes the original, the score increases. Other similar known-bad behavior is used to raise the score and good behavior to lower it. If multiple malicious actions show up several times, repeatedly, the score can reach a threshold where it's pretty obvious that something is wrong. In that case, System Watcher warns the user and offers to terminate the offending process and restore the files.
To fight this technology, the ExPetr authors included several "counter measures." One of them is to avoid writing the GoldenEye encryptor code to the MBR if our product is running. This is done in order to avoid raising the suspicion score and getting terminated too early. It really looks like they put significant effort into trying to bypass our products and target our users, which means they were quite concerned about being stopped. Nevertheless, these measures didn't work too well, reinforcing the impression of a big pile of hacks put together in a rush. The System Watcher component fires anyway and stops the file encryption, terminating the process and undoing the changes.
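An illustrative behavior-scoring model in the spirit of the System Watcher description above, added here as an example; it is not System Watcher's actual logic. The event format, the weights, the threshold and the size-tolerance rule are assumptions, and the event stream is constructed. The model encodes only the pattern named in the paragraph (read a whole file, write a similar-size file of a different format, delete the original) plus a small decrease for an ordinary same-format save.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Assumed weights and threshold (not System Watcher's real values).
PATTERN_SCORE = 25     # read file -> write similar-size, different-format file -> delete original
GOOD_SCORE = -5        # write that keeps the format of a file the process read (ordinary save)
ALERT_THRESHOLD = 60

Event = Tuple[int, str, str, int]   # (pid, action, path, size in bytes)

# Constructed sample event stream (not real telemetry).
EVENTS: List[Event] = [
    # pid 100 behaves like a file encryptor: three read/write/delete cycles
    (100, "read",   r"C:\Users\u\Docs\q1.docx",         50_000),
    (100, "write",  r"C:\Users\u\Docs\q1.docx.locked",  50_016),
    (100, "delete", r"C:\Users\u\Docs\q1.docx",         50_000),
    (100, "read",   r"C:\Users\u\Docs\q2.xlsx",         81_000),
    (100, "write",  r"C:\Users\u\Docs\q2.xlsx.locked",  81_008),
    (100, "delete", r"C:\Users\u\Docs\q2.xlsx",         81_000),
    (100, "read",   r"C:\Users\u\Docs\plan.pdf",       120_000),
    (100, "write",  r"C:\Users\u\Docs\plan.pdf.locked", 120_032),
    (100, "delete", r"C:\Users\u\Docs\plan.pdf",       120_000),
    # pid 200 behaves like an editor: reads, saves in place, writes a backup
    (200, "read",   r"C:\Users\u\Docs\notes.txt",        1_000),
    (200, "write",  r"C:\Users\u\Docs\notes.txt",        1_020),
    (200, "write",  r"C:\Users\u\Docs\notes.txt.bak",    1_000),
    # pid 300 performs the suspicious cycle once: scored, but below threshold
    (300, "read",   r"C:\Users\u\Docs\a.jpg",            9_000),
    (300, "write",  r"C:\Users\u\Docs\a.jpg.enc",        9_016),
    (300, "delete", r"C:\Users\u\Docs\a.jpg",            9_000),
]


def extension(path: str) -> str:
    """Lower-cased extension of a Windows or POSIX path ('' if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def similar_size(a: int, b: int, tolerance: float = 0.05) -> bool:
    """Assumed rule: sizes within 5% count as 'similar'."""
    return abs(a - b) <= tolerance * max(a, b, 1)


def score_events(events: List[Event]) -> Tuple[Dict[int, int], Set[int]]:
    """Return per-process scores and the set of processes that crossed the threshold."""
    reads: Dict[int, Dict[str, int]] = defaultdict(dict)        # pid -> {path: size}
    writes: Dict[int, List[Tuple[str, int]]] = defaultdict(list)  # pid -> [(path, size)]
    scores: Dict[int, int] = defaultdict(int)
    alerted: Set[int] = set()
    for pid, action, path, size in events:
        if action == "read":
            reads[pid][path] = size
        elif action == "write":
            writes[pid].append((path, size))
            # Same format as something this process read: an ordinary save.
            if any(extension(p) == extension(path) for p in reads[pid]):
                scores[pid] = max(0, scores[pid] + GOOD_SCORE)
        elif action == "delete":
            original = reads[pid].pop(path, None)
            # The full pattern: the deleted original was read earlier and a
            # similar-size file with a different extension was written since.
            if original is not None and any(
                similar_size(original, wsize) and extension(wpath) != extension(path)
                for wpath, wsize in writes[pid]
            ):
                scores[pid] += PATTERN_SCORE
        if scores[pid] >= ALERT_THRESHOLD:
            alerted.add(pid)   # here System Watcher would warn and offer to roll back
    return dict(scores), alerted


if __name__ == "__main__":
    print(score_events(EVENTS))
```

The point of the threshold is visible in pid 300: a single suspicious cycle is scored but not acted upon, so the detection only fires once the pattern repeats, which is also why the ExPetr authors tried to keep early MBR activity from adding to the score.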
To conclude, our users were protected despite the measures built into ExPetr to target them.
So why are we writing this longer explanation? With complex malware code and counter measures built to bypass antivirus products, it is difficult to understand all the functionality of today's malware. It is easy to get tricked and believe that certain code checks give a free pass to Kaspersky users. In reality, they were intended as a way of trying to fly under System Watcher's radar. In the end, it didn't work. Our users don't need a free pass from ExPetr, since they already have a universal "free pass" from our products and System Watcher.