Ridiculous Ransomware Kill Switch

This article has been indexed from News ≈ Packet Storm

Since the malvuln project started, it has catalogued close to 600 vulnerable pieces of malware to date. Witnessing the endless ransomware attacks in the news, and having no ransomware trophy kills of my own, I figured I would take a crack at it. At first, ransomware seemed like a big challenge. I am not aware of any sample that listens on a port that can be abused, and local elevation-of-privilege techniques mean nothing when files get encrypted immediately.

But wait...

In steps DLL hijacking. DLL hijacking is a method of injecting malicious code into an application by exploiting the way some Microsoft Windows applications search and load Dynamic Link Libraries (DLLs). Only Microsoft operating systems are susceptible to DLL hijacking.

This coding flaw in DLL searching has plagued many pieces of legitimate software for years. If a program runs and side-loads an arbitrary DLL, it executes that DLL's code inside the parent process. Initial research has found this flaw to be a common mistake made by ransomware authors, and we can leverage it to mitigate the attack.

Implementing A Kill Switch

Not all methodologies are the same, but implementing a kill switch is possible for all pieces of ransomware that suffer from this issue. The code for implementing a kill switch primarily uses Win32API calls GetCurrentDirectory, OpenProcess and TerminateProcess.

Time was spent analyzing the running ransomware in a virtual machine using the Sysinternals "Process Monitor" utility and filtering for the "NAME NOT FOUND" result. This is a simple indicator identifying the DLL being sought by the ransomware.

For example, “Conti Ransom” wants to load “netapi32.dll” when it spawns. We can craft a DLL to call GetCurrentDirectory to return the current directory. Next, we compare the return value from GetCurrentDirectory with the hardcoded string “C:\Windows\System32” using the standard “strcmp” string function.

If strcmp returns a non-zero value, we know the malware is looking in its own directory and not the legitimate "System32" directory, which is normally where "netapi32.dll" lives. Based on that condition, we make the decision to call the Win32 API OpenProcess() function to get a handle to our own process ID (PID) and terminate it.
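The kill-switch logic described above, as an added example written for this page (not malvuln's own DLL code): the directory decision is a portable C function so it can be tested off Windows, and the Windows-only DllMain that calls GetCurrentDirectory, OpenProcess and TerminateProcess is guarded by _WIN32. The case-insensitive comparison is an assumption (Windows paths are not case-sensitive); the article itself uses a plain strcmp.

```c
/* Added example, not malvuln's code. The System32 string is the one the
 * article compares against; the case-insensitive compare is an assumption. */
#include <stddef.h>

#define SYSTEM32_DIR "C:\\Windows\\System32"

/* Case-insensitive ASCII compare, so "c:\windows\system32" also counts as
 * the legitimate directory (the article's strcmp would treat it as hostile). */
static int path_equal_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++) {
        unsigned char ca = (unsigned char)*a, cb = (unsigned char)*b;
        if (ca >= 'A' && ca <= 'Z') ca += 'a' - 'A';
        if (cb >= 'A' && cb <= 'Z') cb += 'a' - 'A';
        if (ca != cb) return 0;
    }
    return *a == *b;  /* both strings ended together */
}

/* Returns 1 when the current directory is NOT System32, i.e. the DLL was
 * side-loaded from wherever the ransomware dropped itself and the host
 * process should be terminated; returns 0 for the legitimate location. */
int should_terminate(const char *current_dir)
{
    if (current_dir == NULL || current_dir[0] == '\0')
        return 1;  /* no usable directory: treat the load as hostile */
    return !path_equal_nocase(current_dir, SYSTEM32_DIR);
}

#ifdef _WIN32
#include <windows.h>

/* Runs as soon as the ransomware side-loads this DLL (e.g. a planted
 * "netapi32.dll"); on a hostile load it terminates its own host process. */
BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, LPVOID reserved)
{
    (void)hinst; (void)reserved;
    if (reason == DLL_PROCESS_ATTACH) {
        char cwd[MAX_PATH] = {0};
        DWORD n = GetCurrentDirectoryA(MAX_PATH, cwd);  /* 0 = failure */
        if (n == 0 || n >= MAX_PATH || should_terminate(cwd)) {
            HANDLE self = OpenProcess(PROCESS_TERMINATE, FALSE, GetCurrentProcessId());
            if (self != NULL)
                TerminateProcess(self, 0);  /* process never reaches encryption */
        }
    }
    return TRUE;
}
#endif
```

Build it with a Windows C toolchain as a DLL named after the library the sample searches for; the portable part compiles anywhere for testing.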

In cases like “BlackBasta.Ransom”, where it looks for “wow64log.dll” in the “C:\Windows\System32” dire

[…]