It's a file infector... it's ransomware... it's Virlock

Presented at VB2015, Sept. 30, 2015, 2 p.m. (30 minutes).

Win32.Virlock, in all its variations, is at once a new kind of file infector and a piece of ransomware (a screen-locker). In this paper we cover the techniques used by this virus and discuss methods that can be used to detect and disinfect systems affected by it.

Virlock uses several techniques, including code obfuscation, staged unpacking, random API calls and large, redundant areas of decrypted code, to make analysis difficult. It also protects its code by decrypting only the sequences that are about to be executed; once a sequence has run, Virlock encrypts it again. By staggering the decryption/encryption process it ensures that a memory dump taken at any given point will not reveal its full functionality, only the piece of code that is executing at that instant.

There is also a moment during its first execution when it shifts its shape, changing certain instructions and encryption keys so that new generations look different. Each new infection differs from every other, mostly because of the time-stamps that play an important role in computing the encryption keys. These protection methods also make any clean-up attempt quite a challenge: the disinfection process for this virus involves searching inside the malware code for specific instruction arrangements.
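The two paragraphs above describe three mechanisms: per-generation keys mixed from a time-stamp, staggered decrypt/execute/re-encrypt of code sequences, and disinfection that keys on instruction arrangements rather than on bytes that change between generations. The following is an added illustrative simulation written for this page; it is not Virlock's code, and the key schedule, the stage contents and the decryption-stub bytes are all constructed here. It shows why a single memory dump never holds more than one stage in plaintext, why two infections made a second apart do not share keys, and how a wildcard signature over the (necessarily plaintext) decryption loop still matches across generations.

```python
"""Simulation (not Virlock's code) of staggered just-in-time decryption with
time-stamp-derived keys, plus a wildcard signature for the decryption stub."""
import hashlib
import struct

# Constructed stand-ins for four code sequences (in a real sample: x86 code).
STAGES = [
    b"stage0: resolve imports by hash",
    b"stage1: copy body into host file",
    b"stage2: draw screen-locker window",
    b"stage3: schedule re-infection",
]


def derive_keys(timestamp: int, count: int) -> list:
    """Hypothetical per-generation key schedule: one 8-byte key per stage,
    mixed from the infection time-stamp and the stage index."""
    return [hashlib.sha256(struct.pack("<II", timestamp & 0xFFFFFFFF, i)).digest()[:8]
            for i in range(count)]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class StagedImage:
    """Memory image whose stages are encrypted at rest. Each stage is decrypted
    just before it runs and re-encrypted right after, so no snapshot ever holds
    more than one stage in plaintext."""

    def __init__(self, stages, keys):
        self.keys = list(keys)
        self.memory = [xor_bytes(s, k) for s, k in zip(stages, self.keys)]

    def snapshot(self):
        return [bytes(m) for m in self.memory]

    def run(self):
        """Execute all stages; return the dump an analyst would get while each was live."""
        dumps = []
        for i in range(len(self.memory)):
            self.memory[i] = xor_bytes(self.memory[i], self.keys[i])  # decrypt next sequence
            # ... the decrypted sequence would execute here ...
            dumps.append(self.snapshot())                              # dump taken mid-execution
            self.memory[i] = xor_bytes(self.memory[i], self.keys[i])  # re-encrypt afterwards
        return dumps


def plaintext_stages(dump, stages=STAGES):
    """Indices of the stages recoverable in cleartext from one dump."""
    return [i for i, region in enumerate(dump) if region == stages[i]]


def decrypt_stub(key32: int) -> bytes:
    """Constructed 4-byte-at-a-time XOR loop body using real x86 encodings:
    mov eax, imm32 ; xor [edi], eax ; add edi, 4. The immediate (the key)
    differs per generation; the instruction arrangement does not."""
    return b"\xb8" + struct.pack("<I", key32) + b"\x31\x07\x83\xc7\x04"


# Signature with None as a wildcard byte: written against the arrangement,
# not against the generation-specific key immediate.
STUB_SIGNATURE = [0xB8, None, None, None, None, 0x31, 0x07, 0x83, 0xC7, 0x04]


def find_signature(blob: bytes, sig=STUB_SIGNATURE) -> int:
    """Offset of the first wildcard-signature match in blob, or -1."""
    for off in range(len(blob) - len(sig) + 1):
        if all(s is None or blob[off + j] == s for j, s in enumerate(sig)):
            return off
    return -1


if __name__ == "__main__":
    dumps = StagedImage(STAGES, derive_keys(1443614400, len(STAGES))).run()
    for i, d in enumerate(dumps):
        print(f"dump during stage {i}: plaintext stages = {plaintext_stages(d)}")
    print("keys differ one second later:",
          derive_keys(1443614400, 4) != derive_keys(1443614401, 4))
    print("stub offset, generation A:", find_signature(b"\x90" * 7 + decrypt_stub(0x11223344)))
    print("stub offset, generation B:", find_signature(decrypt_stub(0xDEADBEEF)))
```

The practical consequence for analysis is the one the abstract draws: dumping at a breakpoint yields one stage, so reconstruction means either dumping once per stage or emulating the decryption loop itself, and detection or disinfection logic should anchor on the stub's instruction arrangement (wildcarding the immediates) rather than on any decrypted body bytes.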

We will present some ideas that could help in detecting and disinfecting a Virlock-infected system.


Presenters:

  • Vlad Craciun - Bitdefender
    Vlad Craciun was born in Piatra Neamt in 1986. He joined Bitdefender Laboratories in early 2009 and since then he has been analysing different types of malware and file infectors. He finished his Master's degree in 2012 at the "Gh. Asachi" Technical University of Iasi with a thesis entitled "Advanced binary analysis using complex emulation and branch stuffing techniques". At the moment he is also a Ph.D. student at the "Alexandru Ioan Cuza" University of Iasi, researching symbolic execution and dynamic analysis of potentially malicious applications. His hobbies include processor design, embedded systems, electronics, psychology, religious cultures and metaphysics.
  • Andrei Nacu - Bitdefender
    Andrei Nacu was born in Botosani in the winter of 1987 and currently resides in Iasi. He studied art as a child and, from high school onwards, chose to follow the path of computer science. His latest academic achievement is a Master's degree in Embedded Control Systems at the 'Gheorghe Asachi' Technical University of Iasi. Since 2010 he has worked at Bitdefender, where he is now a team leader. He has also been known to teach laboratory classes in Object-Oriented Programming in C++ at the Faculty of Computer Science of the 'Alexandru Ioan Cuza' University of Iasi. His personal achievements include getting married and becoming a father. Whenever he finds spare time, he enjoys gaming (especially retro and indie titles), football, reading sci-fi literature and comics, or just drinking beer and hanging out with friends.
  • Mihail Andronic - Bitdefender
    Mihail Andronic was born in 1987 and currently resides in Iasi, Romania. He holds a licence (bachelor's) degree in computer science from the Faculty of Computer Science of the 'Alexandru Ioan Cuza' University of Iasi. Since 2010 he has fought cybercrime at Bitdefender, where he is now a technical leader. His hobbies include travelling, biking and motorcycling.
