GoldenEye Malware

I don't have anything to say -- mostly because I'm otherwise busy -- about the malware known as GoldenEye, NotPetya, or ExPetr. But I wanted a post to park links.

Please add any good relevant links in the comments.

Posted on July 4, 2017 at 3:40 PM • 18 Comments

Comments

Vesselin Bontchev • July 4, 2017 4:35 PM

Sigh... It's not Goldeneye. It either belongs to the Petya family (my opinion), to which Goldeneye is also a member, or it is a completely new family (Kaspersky's opinion) that drops the Petya boot loader (also used in Goldeneye).

Basically, the evolution of the Petya family goes like this: Red Petya (MBR infector, encrypts the MFT, encryption is breakable), Misha (file encryptor, encryption is not breakable), Green Petya (MBR infector, encrypts the MFT, encryption is not breakable), Goldeneye (a combination of Green Petya and Misha, encrypts MFT and files, encryption is not breakable), this thing (MBR infector is almost identical to Green Petya/Goldeneye, file encryptor is a complete rewrite, LAN crawler added).

The worm is a LAN-only spreader (no spreading over the Internet, except by accident in some very rare cases), using EternalBlue and EternalRomance NSA exploits, stealing passwords via a Mimikatz variant and using them to copy and start itself remotely via PsExec (from Sysinternals) or WMIC. This part of it is very well written, better than WannaCry, with the exception of a minor stupidity when using PsExec.

The ransomware parts (file and MFT encryptors) are complete shit. The MFT encryptor is taken from Petya and modified slightly but rather clumsily (probably with the intention to make it use a different private key). It overwrites the encryption key before generating the user ID and, as a result, the MFT is not decryptable (meaning even the author wouldn't be able to decrypt it). The file encryptor part is also shit, full of errors and bugs, but mostly works and the encrypted files can be decrypted if you have the key and proceed carefully (i.e., use the silly encryption method it uses).

I disagree with the notion that it is a cyber attack (presumably by Russia) against Ukraine. IMO, it's just yet another shitty ransomware that barely works; I've seen dozens like it or even worse. The distribution vector (the company M.E.Doc) had been hacked and abused several times in the past, including to distribute other shitty ransomware.

Here are some articles on the subject, in no particular order:

New Ransomware Variant "Nyetya" Compromises Systems Worldwide
Surprise! NotPetya Is a Cyber-Weapon. It's Not Ransomware
ExPetr/Petya/NotPetya is a Wiper, Not Ransomware
Schroedinger's Pet(ya)
Petya.2017 is a wiper not a ransomware
EternalPetya and the lost Salsa20 key
Windows 10 platform resilience against the Petya ransomware attack
New ransomware, old techniques: Petya adds worm capabilities
(Eternal) Petya From A Developer’s Perspective
PetrWrap: the new Petya-based ransomware used in targeted attacks
WannaCry Déjà Vu: Petya Ransomware Outbreak Wreaking Havoc Across the Globe
Petya_ransomware.md
Massive GoldenEye Ransomware Campaign Slams worldwide users
Petya— Enhanced WannaCry ?
Petya-based ransomware using EternalBlue to infect computers around the world
Petya ransomware outbreak: Here’s what you need to know
Petya ransomware variant attacks computers worldwide
New Variant of Petya Ransomware Spreading Like Wildfire
‘Petya’ Ransomware Outbreak Goes Global
Petya Ransomware Attack – What’s Known
Petya Ransomware Outbreak Originated in Ukraine via Tainted Accounting Software
Petya, dead but still dancing
Everything you need to know about the Petya, er, NotPetya nasty trashing PCs worldwide
Petna / Eternalblue Petya
Fujitsu UK & Ireland Blog: Petya, Medoc and the delivery of malicious software
New Petya / NotPetya / ExPetr ransomware outbreak
Carbon Black Threat Research Technical Analysis: Petya / NotPetya Ransomware
Why NotPetya Kept Me Awake (& You Should Worry Too)
NonPetya: no evidence it was a "smokescreen"
What Good Is A Not For Profit (Eternal) Petya?
Things we have learned about Petna, the Petya-based malware
EternalPetya - yet another stolen piece in the package?
From BlackEnergy to ExPetr
Getting your hands on the "micro kernel" of NotPetya
Who is behind Petna?
Analysis of TeleBots’ cunning backdoor
PetrWrap Ransomware Technical Analysis
PetrWrap Technical Analysis Part II: Further Findings and Potential for MBR Recovery
How EternalPetya Encrypts Files In User Mode
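Vesselin's description of the spreader (EternalBlue/EternalRomance for the initial hop, a Mimikatz variant to harvest passwords, then PsExec or WMIC to copy and start the payload on neighbouring hosts) is also a detection recipe: the WMIC and PsExec steps leave process-creation and service-install events on both ends. The script below is an added example written for this page; it is not code from the post, from the commenter, or from any of the linked analyses. The input is a constructed JSON array standing in for an export of Windows Security 4688 (process creation) and System 7045 (service installed) events; the field names, host names, addresses, account, password and payload path are all placeholders, and the fan-out threshold is a tuning assumption.

```python
"""Hunt for the PsExec / WMIC remote-execution pattern in Windows event data.

Added example, not code from the page, the commenter, or any linked analysis.
Input is a constructed JSON array mimicking a Security 4688 (process creation)
and System 7045 (service installed) export; field names are assumptions, and
real telemetry (Sysmon, Winlogbeat, a SIEM) names them differently.
"""
import json
import re
from collections import defaultdict

# wmic.exe told to start a process on another host:
#   wmic /node:TARGET /user:U /password:P process call create "..."
WMIC_REMOTE = re.compile(
    r'\bwmic(?:\.exe)?\b.*?/node:\s*"?([^\s",]+)"?.*?\bprocess\s+call\s+create\b',
    re.IGNORECASE,
)
# PsExec client pointed at a remote host:  psexec.exe \\TARGET -u U -p P ...
PSEXEC_CLIENT = re.compile(r"\bpsexec(?:64)?(?:\.exe)?\s+\\\\([^\s,]+)", re.IGNORECASE)
# Credentials on the command line (the worm reused passwords it had stolen).
CREDS_ON_CMDLINE = re.compile(r"/password:|\s-p\s", re.IGNORECASE)
LOCAL_NODES = {"localhost", "127.0.0.1", "."}

# Constructed events; hosts, IPs, user, password and payload path are placeholders.
SAMPLE_EVENTS_JSON = r'''[
 {"EventID": 4688, "Computer": "WS01", "User": "CORP\\jdoe",
  "CommandLine": "C:\\Windows\\System32\\wmic.exe /node:10.0.0.21 /user:CORP\\svc_backup /password:Hunter2 process call create \"C:\\Windows\\System32\\rundll32.exe C:\\Windows\\payload.dll,Run\""},
 {"EventID": 4688, "Computer": "WS01", "User": "CORP\\jdoe",
  "CommandLine": "C:\\Windows\\System32\\wmic.exe /node:10.0.0.22 /user:CORP\\svc_backup /password:Hunter2 process call create \"C:\\Windows\\System32\\rundll32.exe C:\\Windows\\payload.dll,Run\""},
 {"EventID": 4688, "Computer": "WS01", "User": "CORP\\jdoe",
  "CommandLine": "C:\\Tools\\PsExec.exe \\\\10.0.0.23 -u CORP\\svc_backup -p Hunter2 -d -s C:\\Windows\\System32\\rundll32.exe C:\\Windows\\payload.dll,Run"},
 {"EventID": 7045, "Computer": "WS07", "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
 {"EventID": 4688, "Computer": "FS02", "User": "CORP\\ops",
  "CommandLine": "wmic os get caption"},
 {"EventID": 4688, "Computer": "FS02", "User": "CORP\\ops",
  "CommandLine": "wmic /node:localhost process call create \"notepad.exe\""}
]'''


def detect(events_json: str, fanout_threshold: int = 3) -> dict:
    """Flag remote-execution events and sources that fan out to many targets."""
    findings = []
    targets_by_source = defaultdict(set)

    def record(rule, ev, target, cmd=""):
        findings.append({
            "rule": rule, "source": ev.get("Computer", "?"), "target": target,
            "user": ev.get("User", ""),
            "creds_on_cmdline": bool(CREDS_ON_CMDLINE.search(cmd)),
        })

    for ev in json.loads(events_json):
        eid = int(ev.get("EventID", 0))
        if eid == 4688:
            cmd = ev.get("CommandLine", "")
            for rule, pattern in (("wmic_remote_create", WMIC_REMOTE),
                                  ("psexec_client", PSEXEC_CLIENT)):
                m = pattern.search(cmd)
                if m and m.group(1).lower() not in LOCAL_NODES:
                    record(rule, ev, m.group(1), cmd)
                    targets_by_source[ev.get("Computer", "?")].add(m.group(1))
        elif eid == 7045:
            # PsExec's default service name/binary on the *target*. "psexec -r"
            # renames it, so treat this as corroboration, not the only signal.
            svc, img = ev.get("ServiceName", ""), ev.get("ImagePath", "")
            if svc.upper() == "PSEXESVC" or img.lower().endswith("psexesvc.exe"):
                record("psexec_service_installed", ev, ev.get("Computer", "?"))

    # One source creating processes on several hosts in one log slice is the
    # LAN-crawler shape; the threshold is a tuning assumption.
    fanout = {src: sorted(t) for src, t in targets_by_source.items()
              if len(t) >= fanout_threshold}
    return {"findings": findings, "fanout": fanout}


if __name__ == "__main__":
    result = detect(SAMPLE_EVENTS_JSON)
    for f in result["findings"]:
        print(f)
    print("fan-out:", result["fanout"])
```

On the sample data the two WMIC calls and the PsExec client call from WS01 are flagged, the PSEXESVC install on WS07 corroborates the third, and WS01 is reported as fanning out to three hosts; the local `wmic os get caption` and the `/node:localhost` call are ignored. Real administrators use both tools legitimately, so the fan-out count and the presence of a password on the command line are what separate a worm from a help-desk script; tune the threshold to your estate and pair the rule with the SMB exploit indicators from the linked write-ups.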

Dirk Praet • July 5, 2017 4:35 AM

@ Vesselin Bontchev

It's not Goldeneye. It either belongs to the Petya family (my opinion), to which Goldeneye is also a member, or it is a completely new family (Kaspersky's opinion) that drops the Petya boot loader (also used in Goldeneye).

Thanks for your insights, Vesselin. Always a pleasure to read.

Dan H • July 5, 2017 6:33 AM

@ab praeceptis

After WWII, the Soviets forcibly removed people from their homes and land in the Balkan states and some were sent to Soviet prison camps. That is partly a reason for their hatred of Russians.

Dirk Praet • July 5, 2017 6:52 AM

@ ab praeceptis

While I'm 99.999% certain that it wasn't a Russian state action I *do* see a certain Russian element.

Western politicians and MSM generally like to depict Russians as poor, oppressed folks suffering intolerable hardships from a brutal dictator and a totally corrupt regime. They are in fact a very proud and nationalistic people many of whom actually support Putin and in no way look at the West for any kind of salvation. The anti-Russia hysteria orchestrated by Western-backed Ukrainian oligarchs is a thorn in the side of many and I guess it's not unreasonable to assume that the country has plenty of th3j35t3r-like cyber vigilantes who are only too happy to deal a couple of blows left and right.

@ Landossa

Not specific to Petya/Goldeneye, but a good way to mitigate ransomware threats using dynamically updated firewall block lists of known ransomware sources

Thanks for that pointer!

Bruce Schneier • July 5, 2017 1:22 PM

@ab praeceptis

I deleted a comment of yours. This is not the blog to discuss the political situation between Russia and the Ukraine. Please take your comments to a more appropriate forum.

Thank you.

Clive Robinson • July 6, 2017 6:27 AM

When are people going to wake up to the basic facts?

The current spate of malware is presented as "Ransomware" but... There is no real backend for payment, let alone actually getting the money out. Likewise there is no system set up for sending out a decrypt key to those who have been hit and paid. So you have to ask if this is really ransomware put together by incompetents, or something else.

If the latter you have to ask to what effect. Like it or hate it the most likely reason is politics at some level. One argument is it's anti-USA IC entities, another it is the work of USA IC entities, making use of the malware while it's still usable. The list goes on but eventually you get to one that it's anti USA Software Corp such as MicroSoft.

Which ever way you argue it the USA does not come out smelling of roses, more like the fresh organic material you feed to roses by the pitch fork full from the farmyard/stables.

Thus the pertinent questions are "Why?" followed by "What are we going to do about it?".

I'll leave the political / economic argument of the "Why?" to others, but note it's an endemic problem that appears to be building up to a perfect storm, that has an increasing probability of going kinetic which falls fairly well in line with US Foreign Policy this century.

The question those who want to look after their own patch of cyber-space need to answer is the second "What are we going to do about it?".

The simple answers are "Don't play the high risk game" and "Don't believe that one solution will save you". But in many peoples eyes that is not very helpful as it's general not specific.

But to understand why general advice is actually more useful than specific advice you have to understand the problem from the general to the point where specifics can be seen as what they are, which is out of date reactions to past events being reused, thus frequently "too little too late". A situation that for political and economic reasons is not going to change any time soon[1].

So the first generality you have to understand is, apart from a little lip service, in effect "You are on your own".

The second generality is almost always you pay for the actions of others. That is the profit in pushing shoddy goods is way way higher than not. Especially when there is in effect no comeback for those that do.

Which moves onto the third point: the idea of a fair market does not apply, there is really no choice in the market, it's thus not open, no informed choice by customers is possible. In fact when seen in the general it's a series of near monopolies working overall as a cartel.

But a fourth problem that few consider is where the problem actually is in the majority of cases. Outside of DoS attacks the problem is in your little patch of cyber-space. That is it's your systems, your resources that are attacking you because you don't have control over them. Yes read that again, you do not control your systems, somebody else does to the extent you really should not call them "our systems".

An oft stated but ill understood generalism boils down to "IT solutions are of no use without connectivity". Whilst true there are degrees of connectivity and it is the degree you have more control over than any other aspect of your resources.

Whilst you can find more very general problems those five should make you realise that you have a serious risk on your hands and little you can proactively do about it other than limit connectivity...

The NSA et al sure know this, it's why they put so much energy into developing attacks that usurp control via connectivity. It's also what the smarter cyber-criminals know as well. If you control access to your resources correctly they get forced from low risk cyber attacks into either very high risk physical attacks or going to find easier systems to attack.

Once you understand that being proactive means you have to stand on your own two feet and control connectivity you are ready to get a little less general.

The next thing you need to understand is that there are "instances" of specific attacks, that fall in general "classes" of attacks. Fighting instances is a reactive behaviour, whilst fighting classes is proactive behaviour.

To understand this you need to think about the physical world not just of security but safety. In the main they are about controlling access (the physical version of the information connectivity). Not just to humans but things like fire. The physical solution is to create physical zones and control the access points via the likes of doors. In general security doors are also safety doors and have not just security ratings but fire, smoke and similar safety ratings.

History has taught us that you design such physical control resources not for an "instance" of security or safety but "classes" of security and safety. If you don't it will fail not just for known specific attacks but just about every other unknown attack. It will also be inordinately expensive not just fragile. You can see this if you consider "fire drills" they are designed to get people away not just from the specific instance of a fire, but any class of localised danger. So bomb threat, hostile intruders, chemical spills, building collapse etc etc. And as we know from 9/11 aircraft being flown into buildings which was not on the majority of "considered threat lists" prior to that.

Until people get to grips with these underlying generalities they will fail in their attempts to protect their little patch of cyber space.

But another important aspect to remember is from the Process Control Industry and the ideas that go behind "Intrinsic safety". The most important of which is "systems fail" and most often it's neither "fail safe" nor "fail with warning" unless specifically designed to do so. But as importantly even protection mechanisms fail. Thus you need to design in multiple protection systems so that you do not have "A single Point of Failure".

As I've pointed out once or twice before people can learn a lot from studying the early history of boiler safety. Just one lesson is the safety systems. Not just that there were various types such as spring operated pressure relief valves but that there were secondary and tertiary systems that were there to protect in case other systems failed to work. Thus if the spring pressure relief valve failed to work, a soft metal and moderately easily replaceable plug would blow out at a higher pressure, and if that failed there were deliberate weak spots that would burst out in a safe manner, which were not replaceable, thus the boiler would be considered scrap. Further there was legally required testing of the boiler at regular intervals introduced, which also gave rise to the idea of "Preventative maintenance".

Many people in ICT security talk about the value and importance of "backups". But how many talk about the need for multiple backup systems and regular testing?

The point is it is known that attackers for ransom in the past have also attacked the backup system by the use of encryption, so that after a few months even the backup tapes were encrypted.

There are ways to protect against this but you have to take active steps to do so. In the past many considered this not worthwhile on the assumption it was an "insider only" attack. Thus not realistic to protect against because the only person capable of doing it was also the person who could hide it. Thus the idea of legal remedies as/and insurance.

Unfortunately people are being reactive not proactive with that idea. The data will be lost and no amount of money will bring it back. What people are not asking is,

    What will happen when APT and Ransomware are joined together?

It's not a question of "If" but "When" it happens. A proactive approach, whilst not stopping it, will allow you to recover.

And that is you need to have a weather eye for what is heading over the horizon, and put prevention / recovery processes in place and not be reliant on others, otherwise there is a probability you will be a victim without a future.

You can not have a weather eye without understanding the general lay of the land and how classes of attack can be prevented.

[1] For instance politicians want to be seen as "hard on crime" however that is really "conventional crime that affects the voters". Thus cyber-crime is not just low on political agendas, but actually to be encouraged by some politicians. The reason is simple, the smarter criminals see that there is considerably less risk from cyber-crime than conventional crime. Thus the problem criminals who are smart and thus hard to catch move out of conventional crime leaving those that are opportunist idiots, not smart or trapped economically, thus easy to catch and imprison. Which is manna from heaven for politicos, conventional crime rate drops, convictions go up and they can thus cut spending on police etc so win, win, win. This is very similar to the CCTV issue, it works well at first, but the criminals quickly evolve around it and crime continues, but that's OK it gets the politico back in office as the blowback effect takes longer than the election cycle...
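Clive's point about backups that were quietly encrypted for months before anyone tried a restore, and his boiler analogy of regular legally required testing, reduce to a concrete routine: record what the data looked like when it was known good, keep that record somewhere the attacker cannot rewrite, and restore-test against it on a schedule. The script below is an added example for this page, not Clive's code or anything from the post. It assumes the backup job writes a manifest of per-file hash and byte entropy at backup time; the file names and contents in the demo are constructed, and the 7.0 bits/byte "looks encrypted" threshold is a tuning assumption.

```python
"""Restore-test a backup set against the manifest recorded when it was taken,
and flag files whose contents now look like ciphertext.

Added example, not code from the page or the commenter. Assumes the backup
job stored a manifest (sha256 + byte entropy per file) out of band.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

ENCRYPTED_ENTROPY = 7.0  # bits/byte; ciphertext sits near 8, text near 4-5 (assumed cutoff)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _rel_paths(root: str):
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def build_manifest(root: str) -> dict:
    """Record hash and entropy of every file at backup time.

    Keep the result *out of band* (offline media, WORM storage, a second
    system): a manifest the attacker can rewrite verifies nothing.
    """
    manifest = {}
    for rel, full in _rel_paths(root):
        with open(full, "rb") as fh:
            data = fh.read()
        manifest[rel] = {"sha256": hashlib.sha256(data).hexdigest(),
                         "entropy": shannon_entropy(data)}
    return manifest


def verify_restore(restore_root: str, manifest: dict) -> dict:
    """Compare a restored (or sampled) backup against its manifest."""
    report = {"ok": [], "missing": [], "modified": [], "encrypted": []}
    for rel, expected in manifest.items():
        full = os.path.join(restore_root, *rel.split("/"))
        if not os.path.isfile(full):
            report["missing"].append(rel)
            continue
        with open(full, "rb") as fh:
            data = fh.read()
        if hashlib.sha256(data).hexdigest() == expected["sha256"]:
            report["ok"].append(rel)
        elif shannon_entropy(data) >= ENCRYPTED_ENTROPY > expected["entropy"]:
            # Content changed *and* went from plaintext-like to ciphertext-like.
            report["encrypted"].append(rel)
        else:
            report["modified"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: take a backup, then damage the restore set the way
    a ransomware-touched backup would look, and verify it."""
    files = {"invoices/q1.csv": b"date,amount\n2017-06-27,100.00\n" * 200,
             "notes/readme.txt": b"Quarterly figures, see invoices/.\n" * 50,
             "config/app.ini": b"[db]\nhost=db01\nport=5432\n" * 20}
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for root in (src, dst):
            for rel, content in files.items():
                path = os.path.join(root, *rel.split("/"))
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(content)
        manifest = build_manifest(src)  # taken while the data was known good
        # What shows up months later: one file encrypted in place, one gone,
        # one legitimately edited.
        with open(os.path.join(dst, "invoices", "q1.csv"), "wb") as fh:
            fh.write(os.urandom(len(files["invoices/q1.csv"])))
        os.remove(os.path.join(dst, "notes", "readme.txt"))
        with open(os.path.join(dst, "config", "app.ini"), "ab") as fh:
            fh.write(b"timeout=30\n")
        return verify_restore(dst, manifest)


if __name__ == "__main__":
    for status, paths in demo().items():
        print(f"{status:10s} {paths}")
```

Hash comparison alone would report all three files as "changed"; the entropy step separates the file that was overwritten with ciphertext from the one that was merely edited, which is the signal that tells you a backup rotation has been silently poisoned rather than simply drifting. Run it against a random sample of each backup generation, not just the newest, since the point of the attack Clive describes is that the damage surfaces only after every retained copy has been overwritten.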

Pete • July 6, 2017 4:02 PM

@ Bruce :
I would have liked to read the comment you deleted, not least because there are replies to it that are now nonsensical - AND continue the discussion about USA-USSR relations... (Yep, I believe it's ALL cold-war BS)

I also find it a bit ironic that a guy who calls for politicians (government) to solve the security-issues won't allow "political" discussion .
I strongly suspect you just didn't agree with the opinions expressed .

Puppet Master • July 10, 2017 9:37 AM

If someone wanted to specifically hit Ukrainian businesses and pretty much only them, then this was almost the perfect way to do it. Hitting a company involved in Ukrainian tax collection ensures that mostly companies that do business in Ukraine get hit.

The fact that the scheme for data recovery could never have worked, shows that the code has never been tested. Thus it would quickly be public knowledge that paying would not help the victim.

Why target poor Ukrainian companies, when there are far more juicy targets to the west? This smells too much of a nation state attack and not of a cyber-extortion attack. And given that the target was Ukraine, this must have come from Russia.

ab praeceptis • July 10, 2017 5:13 PM

Puppet Master

This smells too much of a nation state attack and not of a cyber-extortion attack. And given that the target was Ukraine, this must have come from Russia.

Or from a party that wanted many very short-sighted and superficial observers to think exactly that.

Moreover - what a surprise! - it just so happens that at least the US-American spooks (I guess they are not the only ones but they are the ones from whom we *know* it) have tools and demonstrated intention to wantonly attribute hacking to parties they don't like.

Btw, "motive" is but one element in courts, a strongly desirable one but by itself an insufficient one.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.