Introduction to the new Petya variant
According to reports on Twitter, Ukrainian government agencies have been attacked on a large scale, including the computer of Ukraine's deputy prime minister. Tencent PC Manager has confirmed that the malware is a variant of the Petya ransomware. After infecting a machine, the Petya variant scans the intranet and spreads to other hosts through the EternalBlue vulnerability (MS17-010) to propagate quickly. Overseas security researchers believe the variant can also spread through email attachments, using a malicious DOC document that exploits a vulnerability. After infection, the malware modifies the system MBR; when the computer restarts, the malicious code takes over before the Windows operating system loads and performs malicious operations such as encryption. After the restart, a disguised screen is shown. This screen is drawn by the malware itself: it pretends to be a disk check, but is actually encrypting the disk data.
When encryption is complete, the malware demands that the victim pay $300 worth of Bitcoin before the decryption key is returned.
Propagation channel analysis
Possible propagation channel: email
According to official information from CERT-UA, an email attachment is considered the source of the attack. The attachment is a DOC document that triggers the attack through the vulnerability CVE-2017-0199. Tencent PC Manager also traced similar email attacks in China; the earliest one observed occurred on the morning of June 27, 2017. In actual testing, the whole attack chain could not be completely reproduced.
Possible propagation channel: MEDoc
Many security research organizations believe that the source of the Petya attack was the hijacked update service of the MEDoc software.
Detailed functional analysis
Infection process analysis
1. Writing the MBR
Sectors 0 to 0x21 hold the malicious MBR and the microkernel code and data of the malware, while the original MBR is stored in encrypted form in sector 0x22.
2. Encrypting files
1) Traversing partitions
2) File types to encrypt
3) File encryption process
3. Propagation methods
1) It spreads in the LAN through administrative shares, then achieves remote command execution either with a renamed copy of PsExec (dropped as dllhost.dat) or with WMIC, passing harvested credentials on the command line:
C:\Windows\dllhost.dat \\10.141.2.26 -accepteula -s -d C:\Windows\System32\rundll32.exe "C:\Windows\perfc.dat",#1 60 "RCAD\ryngarus.ext:FimMe21Pass!roy4""RCAD\svcomactions:3GfmGeif"
c:\windows\system32\wbem\wmic.exe /node:"IP_ADDR" /user:"User" /password:"PWD" process call create "c:\windows\system32\rundll32.exe" \"c:\windows\perfc.dat\" #1
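The two command lines above are distinctive enough to detect from process-creation telemetry. The following is an added example (not code from the original analysis or its authors): a small detector run over constructed process-creation events whose field names mirror Sysmon Event ID 1 (Image, CommandLine, ParentImage). The events, hostnames and credentials in it are made up for this example.

```python
"""Detect the PsExec-style / WMIC / rundll32 perfc.dat chain in process-creation events."""
import re

# Constructed sample events: the first three mimic the chain above
# (rundll32 -> dllhost.dat or WMIC -> remote rundll32 perfc.dat,#1);
# the last two are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\dllhost.dat",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'C:\Windows\dllhost.dat \\10.141.2.26 -accepteula -s -d '
                    r'C:\Windows\System32\rundll32.exe "C:\Windows\perfc.dat",#1 60 "CORP\user:Passw0rd"'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'wmic.exe /node:"10.141.2.27" /user:"CORP\user" /password:"Passw0rd" '
                    r'process call create "c:\windows\system32\rundll32.exe \"c:\windows\perfc.dat\" #1"'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'rundll32.exe "C:\Windows\perfc.dat",#1 60'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'rundll32.exe shell32.dll,Control_RunDLL desk.cpl'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'wmic os get caption'},
]

RULES = {
    # rundll32 loading an export by ordinal (#1) from a file named perfc.dat
    "rundll32_perfc_ordinal": re.compile(r'perfc\.dat\\?"?\s*,?\s*#1\b', re.I),
    # PsExec-style remote execution: \\target followed by -accepteula -s -d
    # (the dropped dllhost.dat is a renamed PsExec, so the switches survive)
    "psexec_style_remote_exec": re.compile(
        r'\\\\[\w.\-]+\s.*-accepteula\b.*\s-s\b.*\s-d\b', re.I),
    # WMIC remote process creation with explicit credentials on the command line
    "wmic_remote_process_create": re.compile(
        r'/node:.*/user:.*/password:.*process\s+call\s+create', re.I),
}

# Tools that rundll32.exe has no business spawning on a workstation
REMOTE_EXEC_TOOLS = ("wmic.exe", "dllhost.dat", "psexec.exe", "psexesvc.exe")


def classify(event):
    """Return the names of every rule the event matches (empty list if none)."""
    hits = [name for name, rx in RULES.items() if rx.search(event["CommandLine"])]
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    # The DLL runs inside rundll32, so the lateral-movement tools show up as its children
    if parent.endswith("rundll32.exe") and image.endswith(REMOTE_EXEC_TOOLS):
        hits.append("rundll32_spawns_remote_exec_tool")
    return hits


def scan(events):
    """Map event index -> matched rule names, only for events that matched something."""
    results = {}
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {i}: {', '.join(hits)}")
```

The command-line rules fire on the renamed PsExec even though its file name is dllhost.dat, because the `-accepteula -s -d` switches and the `\\target` argument are still present; the parent-child rule catches the same activity even if the arguments were obfuscated.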
2) Propagation via the EternalBlue and EternalRomance vulnerabilities
Before launching the attack, the program builds a list of IP addresses that can be attacked.
It collects the remote IPs of the machine's current TCP connections, the IPs in the local ARP cache, and the IP addresses of servers in the LAN. After these addresses are gathered, further attacks are carried out against them.
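As an added example (not code from the original analysis), the script below rebuilds the same target list from the three sources the text names, so that a responder can estimate which hosts an infected machine would have reached. The `arp -a` and `netstat -n` text is constructed sample output in Windows format, the server list stands in for the LAN server enumeration and is also made up, and restricting the result to private unicast addresses is this example's choice, not something the page states about the malware.

```python
"""Estimate the hosts an infected machine would target: TCP peers + ARP cache + LAN servers."""
import ipaddress
import re

LOCAL_IP = "10.141.2.10"

# Constructed 'arp -a' output (Windows format)
ARP_SAMPLE = """\
Interface: 10.141.2.10 --- 0xb
  Internet Address      Physical Address      Type
  10.141.2.1            00-11-22-33-44-01     dynamic
  10.141.2.26           00-11-22-33-44-02     dynamic
  10.141.2.255          ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed 'netstat -n' output (Windows format)
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.141.2.10:49672      10.141.2.27:445        ESTABLISHED
  TCP    10.141.2.10:49701      93.184.216.34:443      ESTABLISHED
  TCP    127.0.0.1:5939         127.0.0.1:49700        ESTABLISHED
"""

# Constructed stand-in for the LAN server list (the malware enumerates servers in the domain)
SERVER_LIST_SAMPLE = ["10.141.2.26", "10.141.2.40"]

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ARP_LINE = re.compile(r"^\s*" + IPV4 + r"\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+\w+", re.I)
TCP_LINE = re.compile(r"^\s*TCP\s+" + IPV4 + r":\d+\s+" + IPV4 + r":\d+\s+ESTABLISHED", re.I)


def parse_arp(text):
    """IPs from 'arp -a' output, skipping broadcast entries (MAC ff-ff-ff-ff-ff-ff)."""
    ips = set()
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m and m.group(2).lower() != "ff-ff-ff-ff-ff-ff":
            ips.add(m.group(1))
    return ips


def parse_netstat(text):
    """Foreign IPs of established TCP connections from 'netstat -n' output."""
    ips = set()
    for line in text.splitlines():
        m = TCP_LINE.match(line)
        if m:
            ips.add(m.group(2))
    return ips


def candidate_targets(local_ip, arp_text, netstat_text, server_list):
    """Merge the three sources; keep private unicast hosts other than ourselves, sorted."""
    raw = parse_arp(arp_text) | parse_netstat(netstat_text) | set(server_list)
    targets = []
    for ip in raw:
        addr = ipaddress.ip_address(ip)
        if ip == local_ip or addr.is_loopback or addr.is_multicast or not addr.is_private:
            continue
        targets.append(addr)
    return [str(a) for a in sorted(targets)]


if __name__ == "__main__":
    for ip in candidate_targets(LOCAL_IP, ARP_SAMPLE, NETSTAT_SAMPLE, SERVER_LIST_SAMPLE):
        print(ip)
```

Run against real `arp -a` / `netstat -n` captures from an infected host, the output is the first set of machines to check for the dropped perfc.dat and for MS17-010 exposure on TCP/445.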
Disk encryption and ransom details
Main functions:
1. On system restart, the malicious MBR is loaded;
2. It checks whether the disk has already been encrypted; if not, it displays the forged disk-check interface and encrypts the MFT;
3. It displays the red ransom screen and asks the user to enter the key.
The boot-time code proceeds as follows:
After the malicious MBR gains control, it copies the data of sectors 1-21 to address 0x8000 and JMPs to the code at 0x8000.
It reads the marker bit to determine whether the disk has already been encrypted.
If the disk is not yet encrypted, it displays the forged disk-check interface and encrypts the MFT.
After encryption, it reads the ransom note text from the sectors that follow.
It displays the note on the screen.
It reads the key typed by the user on the screen and verifies it.
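The sector layout from "1. Writing the MBR" and the marker check above can be verified offline on a disk image. The following is an added example (not from the original analysis): it recovers the original MBR from sector 0x22 and reads the "already encrypted" marker. Assumptions beyond what the page states: 512-byte sectors; the original MBR is obfuscated with a single-byte XOR (public analyses of this variant report key 0x07, which is tried first, then every other key, so the result does not depend on that value); the marker byte is byte 0 of sector 0x20 (again from public analyses, not from this page). The image is constructed in memory; no real disk is touched.

```python
"""Triage a raw disk image: recover the original MBR from sector 0x22, read the encryption marker."""
SECTOR = 512
BACKUP_MBR_SECTOR = 0x22   # from the analysis above
CONFIG_SECTOR = 0x20       # assumption: marker byte location, per public analyses
KNOWN_XOR_KEY = 0x07       # assumption: XOR key reported by public analyses


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def read_sector(image, n):
    return image[n * SECTOR:(n + 1) * SECTOR]


def looks_like_mbr(sector):
    """Boot signature 0x55AA plus a partition table that is at least sane."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        return False
    usable = False
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        if entry[0] not in (0x00, 0x80):          # boot indicator must be 0x00 or 0x80
            return False
        if entry[4] != 0 and int.from_bytes(entry[12:16], "little") > 0:
            usable = True                          # a typed, non-empty partition
    return usable


def recover_original_mbr(image):
    """Return (xor_key, original_mbr), or (None, None) if no key yields a plausible MBR."""
    backup = read_sector(image, BACKUP_MBR_SECTOR)
    keys = [KNOWN_XOR_KEY] + [k for k in range(256) if k != KNOWN_XOR_KEY]
    for key in keys:
        candidate = xor_bytes(backup, key)
        if looks_like_mbr(candidate):
            return key, candidate
    return None, None


def mft_encrypted(image):
    """True once the boot-time code has run the fake disk check and encrypted the MFT."""
    return read_sector(image, CONFIG_SECTOR)[0] != 0


def triage(image):
    key, original = recover_original_mbr(image)
    return {
        "boot_sector_is_original": original is not None and read_sector(image, 0) == original,
        "mft_encrypted": mft_encrypted(image),
        "xor_key": key,
        "recovered_mbr": original,
    }


def build_sample_image(encrypted_flag=1):
    """Constructed 64-sector image: stand-in loader at sector 0, marker at 0x20,
    XOR-obfuscated original MBR at 0x22. Returns (image, original_mbr)."""
    original = bytearray(SECTOR)
    original[0:3] = b"\x33\xc0\x8e"                       # arbitrary boot code bytes
    entry = bytearray(16)
    entry[0], entry[4] = 0x80, 0x07                        # active, NTFS type
    entry[8:12] = (2048).to_bytes(4, "little")             # LBA start
    entry[12:16] = (1024000).to_bytes(4, "little")         # sector count
    original[446:462] = entry
    original[510:512] = b"\x55\xaa"
    image = bytearray(SECTOR * 0x40)
    image[0:SECTOR] = b"\xeb\xfe" + b"\x90" * 508 + b"\x55\xaa"   # stand-in for the malicious loader
    image[CONFIG_SECTOR * SECTOR] = encrypted_flag
    image[BACKUP_MBR_SECTOR * SECTOR:(BACKUP_MBR_SECTOR + 1) * SECTOR] = xor_bytes(bytes(original), KNOWN_XOR_KEY)
    return bytes(image), bytes(original)


if __name__ == "__main__":
    img, _ = build_sample_image()
    result = triage(img)
    print("boot sector is original:", result["boot_sector_is_original"])
    print("MFT encrypted:", result["mft_encrypted"])
    print("XOR key:", hex(result["xor_key"]))
```

The marker matters in practice: while it is still zero the MFT has not been touched, so a machine caught before the reboot or during the forged disk check should be powered off and imaged, and the recovered MBR can be written back to sector 0 of a copy of that image to boot it normally.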
Protection recommendations
1. Install Tencent PC Manager promptly and use its ransomware immunization tool to protect machines in advance (download address of the immunization tool
2. Apply patches promptly: MS17-010 for the EternalBlue and EternalRomance vulnerabilities, and the Office patch for CVE-2017-0199.
3. Do not open suspicious files, especially attachments in unfamiliar emails. Upload them first to the Habo analysis system (https://habo.qq.com/).