Dissecting Winlocker – ransomware goes centralized

2012-11-01

Aditya K. Sood

Michigan State University, USA

Richard J. Enbody

Michigan State University, USA

Rohit Bansal

Independent security researcher, USA
Editor: Helen Martin

Abstract

Winlocker, aka Gimemo, has revolutionized the design of ransomware - all the infected machines are controlled centrally using two C&C panels. Aditya Sood and colleagues discuss the design and behaviour of the Winlocker ransomware.


Winlocker, aka Gimemo, has revolutionized the design of ransomware. Before digging deep into the design of Winlocker, let’s talk briefly about ransomware. As the name suggests, this class of malware forces the user to pay a sum of money in order to regain control of the infected system. Ransomware locks down certain functionalities of the operating system (or even the whole operating system, depending on the design) as well as software running on the infected machine. When a user tries to interact with the system, the malware is activated and demands a ransom.

We have already seen many different types of ransomware, but Winlocker is the first we have seen that is centralized in nature – all the infected machines are controlled using two different Command and Control (C&C) panels. One of the C&C panels is used for verification of the transaction generated to pay the ransom. If the transaction is verified and the required amount is transferred to the attacker’s e-currency account, an email is sent to the attacker to unlock the infected system. The other C&C panel is used for managing the administrative operations such as sending unlock commands to the infected system. Use of a centralized platform to manage the ransomware has enabled the attacker to build a crimeware service that can be sold in the underground market. Winlocker’s creator has already started an Insidious Winlocker Affiliate Program (IWAP) in which Winlocker is provided as a crimeware service. Buyers of the service share access to the C&C panel that monitors successful infections for ransom payments – they do not have access to the administrative control panel. Figure 1 shows the C&C panel that is shared with the buyers under the affiliate program.

Winlocker affiliate C&C panel.

Figure 1. Winlocker affiliate C&C panel.

Winlocker working flow

Unlike traditional ransomware, Winlocker does not install as a disguised program that is listed in the Add/Remove programs tool. Winlocker is a sophisticated ring 3 layer rootkit that executes nefarious operations. Winlocker performs API hooking to circumvent the communication flow of the target processes and then injects malicious hooks to control the execution. This makes Winlocker much more powerful, which allows it to lock the operating system completely. Winlocker bypasses the User Account Control (UAC) and Data Execution Prevention (DEP) protection schemes very easily. It works successfully on almost all versions of Windows including XP, Vista and Windows 7 on both x32 and x64 systems.

The working flow is described as follows:

  • Regular malware infection frameworks such as botnets, browser exploit packs, etc. are used to spread the Winlocker ransomware across the Internet.

  • Winlocker is wrapped in a dropper that deletes itself after successful installation of Winlocker in the system, as shown in Figure 2. The dropper looks for the %COMSPEC% environment variable to get the full path and uses ‘/c del’ batch commands to delete itself by redirecting the output to ‘>> NUL’. Winlocker executes instantly and locks the operating system completely.

    Dropper self-deletion code.

    Figure 2. Dropper self-deletion code.

  • Winlocker is installed in the ‘C:\ProgramFiles\system\’ folder as a file named system.exe with an associated file, Key.txt, as shown in Figure 3. The filename might vary with different versions of Winlocker. The Key.txt file contains certain configuration and system-related information that is required to restore the system later on.

    Folder and file generation.

    Figure 3. Folder and file generation.

  • Winlocker displays a ransom page which is built using a custom template that is based on the Windows Active Template Library (ATL) at the backend to communicate with the C&C server. (The dialog creation and design will be discussed later.) The user is forced to provide an access code to unlock the system. To get the access code, the user has to go to a third-party service provider that charges a few dollars and generates the access code. This code must be entered into the Winlocker ransom template to unlock the system. Direct credit card transactions are not allowed on the infected system. Figure 4 shows Moneypak [1] being used as an e-currency for the transaction. As soon as the money is received by the attacker, the unlock command is issued from the C&C panel.

    Winlocker in action.

    Figure 4. Winlocker in action.

    (For a larger version of Figure 4, please click here.)

    A number of different Winlocker templates are used in different countries, as listed in [2].

Winlocker dialog generation

Winlocker generates a custom dialog to be shown to the user when the system is locked. Winlocker uses the standard built-in Windows APIs to design the dialog. Let’s see what kind of functions are used:

  • The dialog is generated using the ShowDialog function which is called when WM_INITDIALOG is dispatched by the system handler. The ShowDialog function reveals the full screen to the user.

  • The GetWindowLongA function is used to retrieve the style of the dialog. The SetWindowLongA function is used to remove all the extra header objects, such as buttons, from the dialog.

  • Using the RegisterHotKey function, shortcuts such as ALT-TAB are disabled. The SetWindowsPos function is deployed to force the dialog box to be displayed on top (setting the position) of all other running windows. The SetForegroundWindow function sets the ransom dialog in the foreground.

  • Using the GetDlgItem and MoveWindow functions, Winlocker restricts the resizing of the window when WM_SIZE is dispatched by the system handler.

  • Winlocker is finally activated and displayed on top of all other windows when the WM_TIMER message is dispatched. To do this, Winlocker enumerates all the running windows using EnumWindows to obtain the handles which are required to put all other windows in the background. It also uses SetWindowsHookEx to handle the different kind of keys to be used in the ransom dialog.

Winlocker also uses a primary function from the Active Template Library (ATL) [3] which registers a window class that is used to host ActiveX controls. Basically, it is used to define different controls. Winlocker registers its inherent window class using the AtlAxWinInit function as shown in Listing 1. Figure 5 (Resource Hacker) shows that the AtlAxWin class is used by Winlocker to register a control object that carries a reference to the remote C&C panel.

hModule= LoadLibraryA(“atl.dll”);
hAddr = GetProcAddress(hModule, “AtlAxWinInit”);
hAddr();
hDiag = GetModuleHandleA(0);
CreateDialogParamA(hDiag, (LPCSTR)0x3E8, 0, DialogFunc, 0);
while ( GetMessageA(&Msg, 0, 0, 0) )
{
   TranslateMessage(&Msg);
   DispatchMessageA(&Msg);
}
hFree = FreeLibrary(hModule);
ExitProcess(v3);

Listing 1: AtlAxWinInit loading.
AtlAxWin class with control object.

Figure 5. AtlAxWin class with control object.

Winlocker characteristics

In this section, we take a look at some of the modifications performed by the Winlocker ransomware in the system.

SafeBoot – safe mode modification

As Winlocker is designed specifically for ransom purposes, its functionality is very targeted in nature. Winlocker actually deletes all the entries present in the registry hives that relate to safe mode booting. The SafeBoot [4] option in the registry usually has two sub entries. The ‘minimal’ SafeBoot option allows the minimum set of device drivers to be loaded in safe mode. The ‘network’ SafeBoot option allows the system to have the minimum set of device drivers and networking capabilities during safe mode. Winlocker actually deletes the entry in the following key: ‘HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal’ and ‘HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network’. Some of the deleted entries are presented in Listing 2.

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmserver 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog 
-------Truncated --------

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetMan 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Network 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PlugPlay 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PNP Filter 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Primary disk 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\RpcSs 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SCSI Class 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SharedAccess 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sr.sys 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SRService
-------Truncated --------

Listing 2: List of SafeBoot entries deleted by Winlocker.

System restore – modification

The system restore functionality plays a significant role in the success and demise of the ransomware. The malware authors have to manage the system restore capability for successful infection and control of the ransomware in the system. As the name suggests, system restore allows the user to revert Windows settings and configurations to an earlier point in time, referred to as a restore point. Winlocker manages the system restore functionality by disabling it directly in the registry hive. As a result, during the locking of the system, the user is unable to access the system restore settings. The attacker uses similar functions to enable system restore after the ransom has been paid by the user. Figure 6 shows the code extracted from Winlocker that adds the registry key ‘DisableConfig’ in ‘HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore’ for disabling the policies configured for system restore.

Disabling system configuration.

Figure 6. Disabling system configuration.

Similarly, Winlocker also adds ‘DisableSR’ in ‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\SystemRestore’ to disable system restore completely. Figure 7 shows the disabling of the system restoration capability.

Disabling system restore.

Figure 7. Disabling system restore.

These configuration changes cannot stop the operating system from making automated checkpoints, but definitely restrict the user’s access to the system restore functionality.

Validating installation using HTTP

Once the system is infected, Winlocker connects back to the C&C server. It sends a GET request to receive the notification that the C&C panel has actually established a connection with it. Listing 3 shows the request sent by Winlocker with user-specific information. The user information plays a critical role because certain functionalities of Winlocker are dependent on this information (for example, if Winlocker is installed on a machine with administrator access, it will infect all the other users on the system as well). The C&C server sends the HTTP response as valid. As a result, Winlocker executes the ransom template after locking the system. The usual pattern of the request is:

http://<IP Address>/c35312fb3a7e05b7a44db2326bd29040/k.php?i=4u2RejXq9bKEBroPJ6u2TgkYzVbMGDs0Re6wp8hKE
zVmOI4u2RejXq9bMEB&u=Administrator&l=de&f=0&a=aff_3556.

Here, we have looked at the primary characteristics of Winlocker. In [5], a researcher has reversed the Winlocker builder – this may prove useful for writing Winlocker patches.

Conclusion

In this paper, we have discussed the design and behaviour of the Winlocker ransomware. At this point in time, Winlocker infects machines with the collection of a ransom payment as its only goal. It has copied a standard design used by botnets and become centralized. In reality, Winlocker is a popular crimeware service in the underground market.

Bibliography

[2] Winlocker Templates. https://www.botnets.fr/index.php/Gimemo.

[4] Safe Mode Boot options in Windows XP. http://support.microsoft.com/kb/315222.

[5] WinLocker Builder v0.4 – Cracking Generated Winlocks. http://www.xylibox.com/2011/04/winlocker-builder-v04-cracking.html.

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest articles:

Nexus Android banking botnet – compromising C&C panels and dissecting mobile AppInjects

Aditya Sood & Rohit Bansal provide details of a security vulnerability in the Nexus Android botnet C&C panel that was exploited to compromise the C&C panel in order to gather threat intelligence, and present a model of mobile AppInjects.

Cryptojacking on the fly: TeamTNT using NVIDIA drivers to mine cryptocurrency

TeamTNT is known for attacking insecure and vulnerable Kubernetes deployments in order to infiltrate organizations’ dedicated environments and transform them into attack launchpads. In this article Aditya Sood presents a new module introduced by…

Collector-stealer: a Russian origin credential and information extractor

Collector-stealer, a piece of malware of Russian origin, is heavily used on the Internet to exfiltrate sensitive data from end-user systems and store it in its C&C panels. In this article, researchers Aditya K Sood and Rohit Chaturvedi present a 360…

Fighting Fire with Fire

In 1989, Joe Wells encountered his first virus: Jerusalem. He disassembled the virus, and from that moment onward, was intrigued by the properties of these small pieces of self-replicating code. Joe Wells was an expert on computer viruses, was partly…

Run your malicious VBA macros anywhere!

Kurt Natvig wanted to understand whether it’s possible to recompile VBA macros to another language, which could then easily be ‘run’ on any gateway, thus revealing a sample’s true nature in a safe manner. In this article he explains how he recompiled…


Bulletin Archive

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.