Vaccine for Emotet Malware

Interesting story of a vaccine for the Emotet malware:

Through trial and error and thanks to subsequent Emotet updates that refined how the new persistence mechanism worked, Quinn was able to put together a tiny PowerShell script that exploited the registry key mechanism to crash Emotet itself.

The script, cleverly named EmoCrash, effectively scanned a user’s computer and generated a correct — but malformed — Emotet registry key.

When Quinn tried to purposely infect a clean computer with Emotet, the malformed registry key triggered a buffer overflow in Emotet’s code and crashed the malware, effectively preventing users from getting infected.

When Quinn ran EmoCrash on computers already infected with Emotet, the script would replace the good registry key with the malformed one, and when Emotet would re-check the registry key, the malware would crash as well, preventing infected hosts from communicating with the Emotet command-and-control server.

[…]

The Binary Defense team quickly realized that news about this discovery needed to be kept under complete secrecy, to prevent the Emotet gang from fixing its code, but they understood EmoCrash also needed to make its way into the hands of companies across the world.

Compared to many of today’s major cybersecurity firms, all of which have decades of history behind them, Binary Defense was founded in 2014, and despite being one of the industry’s up-and-comers, it doesn’t yet have the influence and connections to get this done without news of its discovery leaking, either by accident or because of a jealous rival.

To get this done, Binary Defense worked with Team CYMRU, a company that has a decades-long history of organizing and participating in botnet takedowns.

Working behind the scenes, Team CYMRU made sure that EmoCrash made its way into the hands of national Computer Emergency Response Teams (CERTs), which then spread it to the companies in their respective jurisdictions.

According to James Shank, Chief Architect for Team CYMRU, the company has contacts with more than 125 national and regional CERT teams, and also manages a mailing list through which it distributes sensitive information to more than 6,000 members. Furthermore, Team CYMRU also runs a biweekly group dedicated to dealing with Emotet’s latest shenanigans.

This broad and well-orchestrated effort has helped EmoCrash make its way around the globe over the course of the past six months.

[…]

Either by accident or by figuring out there was something wrong in its persistence mechanism, the Emotet gang did, eventually, change its entire persistence mechanism on Aug. 6 — exactly six months after Quinn made his initial discovery.

EmoCrash may not be useful to anyone anymore, but for six months, this tiny PowerShell script helped organizations stay ahead of malware operations — a truly rare sight in today’s cyber-security field.

Posted on August 18, 2020 at 6:03 AM • 17 Comments

Comments

Vesselin Bontchev August 18, 2020 8:57 AM

While I admire what they have done and it has undoubtedly helped many potential victims, it was, strictly speaking, illegal. I wouldn’t have dared doing it myself. Causing programs on other people’s computers to crash, modifying their Registry without consent and so on, even with the best of intentions, can land you in deep poodoo.

TexasDex August 18, 2020 9:37 AM

I feel like this kind of thing isn’t really scalable, though.

Sure, it protected a subset of computers, for a while, but it’s basically a kind of security through obscurity. And it only worked on this one bit of malware.

Btw, is anybody noticing that the second half of the quoted article is underlined on hover (starting at the Team CYMRU link)? Looks like a glitch in the HTML…

TexasDex August 18, 2020 9:40 AM

@Vesselin Bontchev: No, this ‘vaccine’ is being installed by the organizations that own the computers, and it’s causing malicious software to crash only when running on their own computers. It’s no different than an antivirus signature identifying and blocking malicious software.

Clive Robinson August 18, 2020 11:46 AM

@ ALL,

This is not the first time a major criminal malware attack has been halted by what appears –after it’s found– to be a trivial mistake in the malware logic.

Part of the problem is the malware writers are trying to do fancy things to protect their advantage, however what they do appears not to be tested thoroughly.

The same does not appear to be true for level 3 –state level– attackers’ malware, which appears to get sufficient testing for its designed purpose[1].

Thus vague conclusions about competence and available resources can be drawn when comparing criminal malware developers and state level malware developers.

[1] Level 3 or “state level” malware however does have an advantage over criminal malware. That is it is generally a “covert” “directed” attack that whilst it might infect rather more computers than intended does not cause much noise thus gets missed by uploads to AV sites (as happened with the stuxnet predecessors). Criminal software being anything but covert in the “shake down phase” gets a lot of attention rather rapidly. So criminal malware writers are effectively on a short run clock.

Cyber Hozda August 19, 2020 9:49 PM

@Clive (rrd)
How does one apply for a position of a tester with a malware development company ?????
All
On a more serious note, writing to the registry is usually restricted by any competent policy setup and / or by a number of antivirus software with (at least) users being prompted to allow the change or being notified that the change has been made. As such I fail to understand how this malware (as well as the vaccine) was able to play with the registry space so easily?

Ismar August 19, 2020 9:56 PM

So all one needs to do is to social engineer a ‘valid’ request to CERTs that a particular change to windows config is required and one can start exploiting those machines – no reason to think that the APT actors would not be able to pull this off, but then they already have unfettered access anyway …

weather August 19, 2020 11:00 PM

@cyber hoz
The Windows registry is a file that is normally locked while Windows is running, but if not fully loaded, it’s copy-paste; you don’t have to use the setregkey API to do it.
If memory serves it’s in the System32 directory, repair, SAM, same as the admin password.

echo August 20, 2020 5:39 AM

Why cannot I find an entry at Companies House for a company with a very Welsh sounding name? If it is not a Welsh company based in Wales I find the name misleading. Not an auspicious start for a security company.

Clive Robinson August 20, 2020 7:59 AM

@ echo,

Why cannot I find an entry at Companies House for a company

Companies House has two sites, the main one that appears very uninformative and Beta.

Have you tried searching on beta?

https://beta.companieshouse.gov.uk/search/

Just type the company name in the box marked “start here…”

As with most online searches start with the least common word, otherwise you could be getting a huge list to dig through.

For Example if you typed in “Bruce Schneier” it would give you all the Bruces of which there are thousands and hidden in there will be the small handful of Schneiers.

echo August 21, 2020 4:07 AM

@Clive

Still nothing for “Team Cymru”. I still think it’s a misleading name if it’s not a Welsh company registered in Wales with Welsh contact details and key personnel based in Wales. Maybe there’s a “logical and reasonable” explanation but I don’t like it.

Clive Robinson August 21, 2020 3:04 PM

@ echo,

Still nothing for “Team Cymru”.

Assuming the info I’ve found is for the same organisation, they are not UK based but US based.

As far as I can tell “Team Cymru Inc” are a non profit 501(c) entity based at 901 International Parkway Lake Mary FL 32746. Their SIC area of business is 7371 : which is “Custom Computer Programming Services”.

Originally founded back in 1998 with not very much showing until 2005. The current Chairman and CEO is Rabbi Rob Thomas.

Their aim appears to be to “improve internet security for all”…

However if you look at their YouTube channel they have a video advert advertising a UK Office.

Following this up gives the following,

TC-UK INTERNET SECURITY LIMITED.

Reg office : FLEMING COURT LEIGH ROAD, SO50 9PD, EASTLEIGH, Hampshire England UK.

Company Number : 09065783

Registered in England/Wales

SIC Code 62090 – Other information technology service activities.

Date of Incorporation : 2nd June 2014.

Company Type : Private Limited Company (PLC)

Previous addresses : 25 Moorgate London EC2R 6AY

Searching on “TC-UK INTERNET SECURITY” pulls up all sorts of information 😉

Don’t get hung up on the “previous address” even though it is a shared registered address with just under 500 companies having registered there with a little over 400 active currently. A little digging throws up a snippet of information, apparently “25 Moorgate” dropped “Onslow Bridge Chambers” from its name back in Dec 2004.

All of which suggests it’s either a firm of lawyers, accountants, or both, that in part specialize in setting up “Private Limited Companies” (PLCs) that have a more onerous registration process than ordinary Limited Liability Companies. They also appear to have had some involvement with “Limited Liability Partnerships” which, whilst they do have legal uses for accountants, lawyers, and consultant type partnerships, due to their very limited trading reporting requirements have seen extensive use and abuse by those whose financial activities are at best questionable through to outright dishonest.

Any way I hope that helps a little with your enquiries.

echo August 21, 2020 7:17 PM

@Clive

I wasn’t digging too hard but had found them. I just didn’t make the connection. Thanks.

I’m not going to bother double checking the law but their website is unlawful. First their website is lacking a published UK business address. Secondly even if an entity is offshore it is still actionable in the courts. I have a healthy dislike for byzantine website and corporate structures. It’s not just confusion and hidden ownership but cross-jurisdictional issues. There’s other things which bother me but they didn’t set a good first impression.

I know it sounds a bit old school but I don’t trust anything I can’t kick or anyone I can’t personally throttle with my own hands.

Clive Robinson August 22, 2020 2:03 AM

@ echo,

I know it sounds a bit old school but…

I call that “Looking after me and mine” 😉

The trouble with a more graphic version is the “thought police”, who arose out of some strange desire to not be honest[1], have now been augmented by the “mind games” professionals, who it appears can understand neither jokes nor colloquialisms for what they are (tension relievers).

Thus having that joke prayer of,

    Oh Lord please provide me with the wisdom and serenity to bury the bodies of those that have offended me in some place they can not be found.

Hanging on your wall is instantly taken by them as meaning you are “A severe risk to the public” as you are subconsciously expressing your desire to be a serial killer or other mass murdering type that is “obviously”, both “mad and bad”. And they have a catch 22 approach to life in that if they say you are mad, and you protest that you are not… Then your protests of innocence are then used as further proof that you are[2]…

[1] Apparently we all have to do “double talk” and “insincerity” in case we hurt other people’s feelings and they get physical…

[2] A man apparently spent 14 years in the UK’s Broadmoor trying to prove he was not a “nutter”.

echo August 22, 2020 9:00 AM

Yes there’s plenty of job titles who mark their own homework and have a demonstrably strange inability to grasp chronic issues. This is called inadequacy, negligence, and fraud in ordinary life. Such are the joys of a country which wears human rights and justice as a mask to cover the grim reality of institutionalised Burkian doctrine.

There’s a neat little arrangement in the UK where the police cover up their own mistakes by the psychs writing someone off as mad and bad. In exchange psychs get off negligent manslaughter and NHS trusts get off corporate manslaughter with a deft “endeavours will be made” and at worst a “lessons will be learned” public enquiry. If you dig around deep enough you will find buried in the range of reports such things as staff being too terrified of losing their jobs to complain, snotty psychs who are known but not named by their colleagues as dismissing the most obviously severe cases as “not being worth it”, a direct relationship between collapsed standards and deaths in care and noticeable differences in the murder rate by people who aren’t receiving the care they need, and in some cases wholly avoidable murder where the judges sympathised with these “victims of the system” and said they had no choice in law but to dish out not a slap on the wrist but a life sentence even though they didn’t want to.

There is rather a lot in the UK which requires a deep investigation and some honesty and soul searching.

SpaceLifeForm August 23, 2020 4:33 AM

@ Clive, echo

Houston, we have a problem!

My research says only 284 beds at UK’s Broadmoor.

Will need a major expansion to admit Johnson, Farage, et al.

Is there room for Golf Course? No?

Shame, they could play golf with Trump.

echo August 23, 2020 5:00 AM

@SpaceLifeForm

I do think some people need to go on trial. The word “de-Nazification” springs to mind.

Rich Beamer September 15, 2020 8:27 AM

Reminds me of (WAY back) when the Stoned boot virus was a thing (along with its many variants), and a similar way was devised to inoculate the PC hard drive. Stoned was so successful and widespread because it had both self-preservation and propagation objectives. The first thing Stoned code did when it became memory-resident was look to see if it was already on the system: if not, it would write its code to the boot sector of the system HD, infecting that system and ensuring it loaded into memory (TSR) every time the system booted; however, if it saw its code signature (first four bytes of its code) already there, it would terminate and go away. So some researcher* back then decided to manually insert those first four bytes – only – into a PC hard disk boot sector, in an effort to inoculate the PC by simply fooling the virus that it was already there. He then tried to boot the PC with a Stoned-infected diskette, and voila! It failed to load – the inoculation trick worked.

*I cannot recall his name, but he was one of the big names/early pioneers in cyber, and I bet Bruce knows who I am talking about.
