Password protected archives help malware evade detection

December 4, 2012 | By Song He

If you need to deliver or store confidential documents over the Internet, then placing them inside a password-protected, self-extracting ‘archive’ is one of the best ways to keep out prying eyes. Many users will be familiar with archives in the form of ‘zip’ files and programs like WinZip (there are others like 7-Zip and WinRar which perform a similar function). An archive allows you to save multiple documents inside a single file and to compress the overall file size. Importantly, if you password-protect this archive, you will also encrypt its contents. This means it will be unreadable by any 3rd party that intercepts it. The archive can only be opened by the intended recipients – people to whom you have supplied the correct password. Choose a good password and it’ll be years, if ever, before anyone unauthorized can decrypt your files.

It might come as a surprise, but malware authors use this precise security technique for the same reasons. Like you, they don’t want their files to be read by any 3rd party apart from the intended recipient. In this case, the 3rd party is a static antivirus scanner on an email gateway, a public hosting service or the user’s machine. The intended recipient is the victim of a malware scam.

Although malware inside a password-protected archive cannot be detected by a static AV scanner, this doesn’t guarantee it will be successful. Encryption only grants the malware safe passage through the Internet and (they hope) onto the victim’s machine. Once the malware starts to run, the real-time virus detection provided by most popular security software will neutralize the threat. Of course, this relies on the end-user actually having an AV installed – and that gap is exactly what the malware author is counting on.

There will always be a percentage of home and business users that do not have real-time anti-virus running. The malware authors don’t expect every instance of their malware to score a hit, but by distributing it in such massive volumes, they also know that it will be successful in a significant number of cases.

We recently spotted malware using this exact approach:

Looks like the author expressed himself in the file properties:


A simple Google search for “MrFreeCrypt” returns Russian language results for a “New generation of cryptors”:

CryptService!!! Новое поколение крипторов. Online 24/7 fud 0/44.
гарантия от 24 часов. ICQ: 6*******7 jabber: mrfreecrypt@j****r.ru
----
CryptService!!! New generation of cryptors. Online 24/7 detection 0/44.
guarantee of 24 hours. ICQ: 6*******7 jabber: mrfreecrypt@j****r.ru


We can’t state for sure it’s the same person, but it seems a pretty large coincidence.

The file itself is a ‘7-zip’ self-extracting archive with two files inside:

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------
2012-10-21 10:54:14 ....A          107           95  stub.vbs
2012-10-24 16:15:24 ....A       113359        61353  sfx.exe
------------------- ----- ------------ ------------  ------------------
                                113466        61448  2 files, 0 folders


“stub.vbs” is a simple Visual Basic Script which runs “sfx.exe” with the following command-line parameter:

Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run "sfx.exe  -pfdhtu578h4j45nh49856856hyg"


“sfx.exe” is another self-extracting archive with only one executable inside – the actual malware component:

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------
2012-10-25 00:15:16 ....A        20480        11712  input.exe
------------------- ----- ------------ ------------  ------------------
                                 20480        11712  1 files, 0 folders


Rather than ‘7-zip’, “sfx.exe” is a different type of self-extracting archive known as a ‘RAR’ file. The RAR file is password protected and encrypted. The interesting part here is that the RAR SFX accepts the decryption password as a command-line parameter, “-p”, and the “stub.vbs” script supplies the password in exactly this way, so no user interaction is needed. So far the chain looks like this:

[7-zip SFX] → stub.vbs → password → [RAR+password SFX] → malware
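To show what a static scanner actually sees in the inner stage of this chain, here is an added triage example (not the author’s or any vendor’s tool): it locates an archive signature appended to an executable (the SFX pattern) and, for RAR 4.x, walks the block headers to report which members carry the encryption flag. The sample bytes are constructed to mirror the “sfx.exe” listing above (one member, input.exe, 11712 bytes packed).

```python
import struct

SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
MHD_PASSWORD = 0x0080  # main header flag: the headers themselves are encrypted
LHD_PASSWORD = 0x0004  # file header flag: this member's data is encrypted
LHD_LARGE = 0x0100     # file header flag: 64-bit sizes add 8 bytes before the name
LONG_BLOCK = 0x8000    # block flag: an ADD_SIZE field follows the 7-byte header

def find_embedded_archive(data: bytes):
    """Return (kind, offset) of the first archive signature, or None.
    A signature behind an 'MZ' executable header is the hallmark of an SFX."""
    for kind, magic in (("7z", SEVEN_ZIP_MAGIC), ("rar", RAR4_MAGIC)):
        off = data.find(magic)
        if off != -1:
            return kind, off
    return None

def rar4_members(data: bytes, start: int):
    """Walk RAR 4.x block headers, yielding (name, encrypted) per member.
    Header CRCs are not verified: this is triage, not extraction."""
    pos = start + len(RAR4_MAGIC)
    while pos + 7 <= len(data):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        if hsize < 7:
            return  # corrupt header: stop rather than loop forever
        add_size = 0
        if htype == 0x73 and flags & MHD_PASSWORD:
            yield "<encrypted headers>", True  # even the file names are hidden
            return
        if htype == 0x74:  # FILE_HEAD: 25 fixed bytes follow the common 7
            pack_size, name_len = struct.unpack_from("<I15xH", data, pos + 7)
            name_off = pos + 32 + (8 if flags & LHD_LARGE else 0)
            name = data[name_off:name_off + name_len].decode("latin-1")
            yield name, bool(flags & LHD_PASSWORD)
            add_size = pack_size  # encrypted payload: opaque to a static scanner
        elif flags & LONG_BLOCK:
            add_size = struct.unpack_from("<I", data, pos + 7)[0]
        pos += hsize + add_size

def build_sample() -> bytes:
    """Constructed stand-in for 'sfx.exe': MZ stub plus a RAR with one encrypted member."""
    name, payload = b"input.exe", b"\x00" * 11712  # sizes taken from the listing above
    main_hdr = struct.pack("<HBHH", 0, 0x73, 0, 13) + b"\x00" * 6
    file_hdr = struct.pack("<HBHH", 0, 0x74, LONG_BLOCK | LHD_PASSWORD, 32 + len(name))
    file_hdr += struct.pack("<IIBIIBBHI", len(payload), 20480, 2, 0, 0, 29, 0x30, len(name), 0x20)
    return b"MZ" + b"\x00" * 62 + RAR4_MAGIC + main_hdr + file_hdr + name + payload
```

The scanner can still see the member name, sizes and the encryption flag; only the content is out of reach, which is why an executable carrying an encrypted archive is itself a useful signal to act on.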


As mentioned earlier, this does not mean the attack will ultimately be successful. As soon as the file is extracted and executed on the local file system, it becomes subject to detection by real-time antivirus scanners. However, it works fine against static scanners on cloud storage services, user-initiated ‘on-demand’ scans or the static scanners on email gateways. This becomes a bit more alarming when you consider it means the file will avoid detection by the attachment scanning of major mail providers like Yahoo, Google, Hotmail and others. Because of this, users must take care to help protect themselves. First and foremost, install an anti-virus program from a reputable vendor. Secondly, don’t just open attachments on a mail you weren’t expecting, on mails from people you don’t know or on mails that look suspicious or spam-like.

The actual malware component is “FBI” ransomware.

It installs itself as an auto-run application via the following registry value:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"GoogleChrome"="C:\\DOCUME~1\\User\\LOCALS~1\\Temp\\RarSFX0\\input.exe"


It protects itself from removal by disabling “Safe Mode” and “Safe Mode with Networking” by deleting the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\*
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\*
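An added example (not from the original post) of checking for the two registry behaviours just described in an offline registry export: a Run value that launches from a Temp folder, and SafeBoot trees left without any subkeys. The .reg text is constructed; on a real system the SafeBoot keys normally hold dozens of driver and service subkeys.

```python
# Constructed .reg export: the Run entry from the post plus two emptied SafeBoot keys.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"
"GoogleChrome"="C:\\DOCUME~1\\User\\LOCALS~1\\Temp\\RarSFX0\\input.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]
"""

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
SAFEBOOT_KEYS = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network",
)

def parse_reg(text: str) -> dict:
    """Map each [key] in a .reg export to its {value name: string data}.
    Only quoted REG_SZ values are handled, which is all this check needs."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name, _, value = line.partition("=")
            # .reg exports escape backslashes; undo that for path matching
            keys[current][name.strip('"')] = value.strip('"').replace("\\\\", "\\")
    return keys

def find_indicators(text: str) -> list:
    """Flag Run entries launched from a Temp folder and SafeBoot trees with no subkeys."""
    keys = parse_reg(text)
    findings = []
    for name, target in keys.get(RUN_KEY, {}).items():
        if "\\temp\\" in target.lower():
            findings.append(f"Run value {name!r} starts {target} from a Temp folder")
    for key in SAFEBOOT_KEYS:
        # No subkeys at all matches the deletion described above (or an export
        # that omitted them); either way it deserves a look before rebooting.
        if not any(k.lower().startswith(key.lower() + "\\") for k in keys):
            tree = key.rsplit("\\", 1)[-1]
            findings.append(f"SafeBoot\\{tree} has no subkeys: Safe Mode will not work")
    return findings
```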


It then blocks user input and displays a fake ‘lock screen’ which tries to extort money from the victim. The screen informs the victim that their computer has been locked by the FBI for suspected misuse and that they must pay a fine within 48 hours to unlock it.
