by RSS Raul Alvarez  |  Feb 01, 2017  |  Filed in: Security Research

Since its discovery in early 2016, we have tracked a number variations of Petya, a ransomware variant famous for multi-stage encryption that not only locks your computer, but also overwrites the Master Boot Record. Petya continues to persist, and in this blog we will take a deeper look at its more complex second stage of attack.

Petya overwrites the Master Boot Record (MBR), along with its neighboring sectors using its boot code and a small kernel code. The MBR contains the master boot code, the partition table, and other relevant information regarding the primary disk of a given computer system.

When you boot up a computer infected with Petya, you see a blinking ASCII picture of a skull displayed. There are a few variations of Petya that are commonly identified based on the different colors of the skull shown. In the original version, the skull is red, while in some variants it is green.

Initialization

In its initial stage, Petya arrives as a regular malware and tries to overwrite the MBR and other sectors with its code.  It then triggers a reboot to execute the 2nd stage, using the NtRaiseHardError API, as shown in Figure 1.

reboot

Figure 1

We are not going to discuss Petya’s initial stage in this blog, however, since there are lots of articles already written about it. Instead, we will take a closer look its actual boot code from inside a debugger.

The Second Stage

Once a reboot is triggered during the initial attack stage, Petya displays a fake CHKDSK, which is actually part of the encryption routine. While it is encrypting the rest of the neighboring sectors, the screen displays a fake meter showing the percentage of the disk being checked. Afterward, it displays a blinking ASCII skull picture (our sample is red, indicating that it is one of the original variants.)

Boot Code in a Debugger

Let’s take a closer look at the second stage by loading it into a debugger. Analyzing the infected MBR in a debugger is not easy, but it’s possible. Once the infected MBR is loaded, Petya copies 0x20 sectors of the malware code to the memory location, starting at 0x8000, just a couple of hundred bytes away from the starting boot code.

During the boot process, the computer doesn’t yet know which operating system is to be loaded. Therefore, no Windows APIs are available at the moment. The malware relies on the primitive INT 13H. The malware uses this to perform its basic function, such as reading the sectors (function 0x42, INT 13H) to a different memory location. Figure 2, below, shows the instructions used to read a sector, and the structure of the Disk Address Packet (DAP.)  The DAP contains the address of the buffer used to transfer the content of the sector, as well as which sector to be read.

int_13_ah_42_b

Figure 2

Fake CHKDSK

After reading the boot code, the fake CHKDSK is displayed, followed by the encryption process.

The initial warning message displayed by the fake CHKDSK is printed character by character using another INT 10H, function 0x0E, as shown in Figure 3.

Figure 3

Red Skull

Once the encryption process is complete, the malware triggers another bootstrap loader, this time displaying the red skull (see Figure 4). From that time on,  every time you reboot an infected machine the red skull is displayed, and pressing any key displays a warning and payment prompt (see Figure 5.)

petya-redskull

Figure 4

ransom-page

Figure 5

Wrap Up

Most ransomware still allows you to use the infected machine to pay the ransom. But Petya doesn’t give you that opportunity. You have to use a different computer to go online, pay the ransom, and get the decryption key. But be aware that if you pay the ransom, there is no guarantee that you will recover your infected system.

The userland version of ransomware is easier to analyze than an MBR version like Petya. It is interesting to note how different strategies and deployments of ransomware pose a different threat to different victims. The modification of MBR or other sectors in the hard drive requires elevated privilege. Which means that one way to effectively avoid infection with similar malware or ransomware is to lower your privilege level in your computer system. Our advice is to always login to your computer with a non-admin account.

Always follow best safety practices to avoid being infected, including regularly installing patches and updates, scheduled drive scanning with updated AV files, filtering your web and email traffic, and scanning links and attachments before clicking on them. And for ransomware, a consistent backup strategy will save you a lot of headaches. Stay safe.

Appendix

MD5sum: af2379cc4d607a45ac44d62135fb7015
Detection: W32/Petr.A!tr

by RSS Raul Alvarez  |  Feb 01, 2017  |  Filed in: Security Research