OphionLocker Analysis: Proof Anyone Really Can Write Malware

OphionLocker is supposedly the new ransomware on the block and is already being compared with sophisticated operations such as CryptoLocker and CryptoWall, so i decided to take a look and what I found is nothing short of hilarious.

That’s right, the ransomware is actually a console application, Instead of writing the Win32 application. The developer has opted to use a console application, which implies he is either writing command line tools (he’s not), or that he has absolutely no damn idea what he’s doing.

If there is even any shadow of doubt that this was written by a competent C++ developer, this should set the record straight:

H:ConsoleApplication1ReleaseConsoleApplication1.pdb

That’s the PDB path of this application: “ConsoleApplicationX” is the name chosen by Visual Studio when automatically creating a new C++ console project, ConsoleApplication1 implies that this is the first Visual Studio project created; either the developer has just moved from another development environment, or more likely he’s never coded C++ before.

This is a hack to make the console window invisible, as a result the console window will open and then disappear a second later when running the application.

If you’re new to programming, writing your own cryptographic library is obviously quite a challenge, as you can see he’s opted to just use the Crypto++.

“But MalwareTech, even using a public cryptographic library, he’d need to know how to implement it.”

Well if we look through the strings in the application, we find the following string: “ecies.private.key”, which is the name of the file that the application uses to store the private key; this is consistent with the example ECIES (Elliptic Curve Integrated Encryption Scheme) code on the Crypto++ wiki.

The C&C communicated mechanism is much of the same story, although it could have been implemented with a few lines of code using the WinInet library, the developer has opted to use the insanely bulky HTTP Client library WinHTTPClient, which uses the WinHTTP api (should only be used for service and not client applications).

Obviously, no application is complete without some error handling, so here’s what happens if the locker fails to connect to the C&C.

Error handling is love, error handling is life.
GUI programming tends to be quite tricky, but it’s nothing you cant achieve with a message box and 300 text files that all say the same thing.
This is why we can’t have nice things.

Conclusion

Q: Can you code functional ransomware with absolutely no programming experience whatsoever?
A: Yes.

OphionLocker
MD5: e17da8702b71dfb0ee94dbc9e22eed8d
SHA1: eb78b7079fabecbec01a23c006227246e78126ab
SHA256: c1a0173d2300cae92c06b1a8cb344cabe99cf4db56fa9dca93629101c59ce68f

Uncategorized
9
Why Open Source Ransomware is Such a Problem

A while back 2sec4u posted a poll asking if people considered open source ransomware helpful to detection and prevention, with 46% voting yes. Although the poll wasn’t limited to people working in the antimalware industry, 46% is scarily high. Trying to prove a point, help me out Twitter. Is open source ransomware helping …

Uncategorized
1
Mapping Mirai: A Botnet Case Study

Mirai is a piece of malware designed to hijack busybox systems (commonly used on IoT devices) in order to perform DDoS attacks, it’s also the bot used in the 620 Gbps DDoS attack on Brian Kreb’s blog and the 1.1 Tbps attack on OVH a few days later. Although Mirai isn’t even close to …

Uncategorized
1
Dridex Returns to the UK With Updated TTPs

With the exception of a few unconfirmed reports of Dridex targeting Baltic countries (which doesn’t make much sense economically), infection campaigns have ceased since mid August when Dridex briefly resumed spreading to propagate multiple new botnets aimed at Switzerland. This morning a friend of mine, Liam, reported receiving a malicious email which unusually didn’t …