Security Now
Security is top-of-mind everywhere, especially right here where Juniper experts share their thoughts on the latest security breakthroughs and product advancements

Juniper Sky Advanced Threat Prevention vs. Locky Malware

by Juniper Employee ‎04-14-2016 02:00 PM - edited ‎04-15-2016 01:24 PM

Introduction

“Locky” is a new strain of ransomware that emerged on February 16th of this year. Ransomware is a type of malware that infects a computer and blocks access to the computer or to files on it in some way. The most common ransomware technique is encrypting documents and other important files so their content is inaccessible until a ransom is paid, typically in Bitcoin. With Locky, the ransom demand was 0.5 or 1 BTC for most victims (about $200 to $400 USD).

The “Locky” name was given to this malware because it renames all of the encrypted files with a “.locky” extension.

Two malicious files are distributed as part of Locky:

  1. The Microsoft Word document used to infect systems:
  • SHA-256: 97b13680d6c6e5d8fff655fe99700486cbdd097cfa9250a066d247609f85b9b9
  • Length: 66048 bytes
  2. The dropped ransomware executable:
  • SHA-256: 17c3d74e3c0645edb4b5145335b342d2929c92dff856cca1a5e79fa5d935fec2
  • Length: 184320 bytes

Anti-Virus vs. Locky

How did traditional security systems do on the Locky Word document?

It’s well-known that signature-based security solutions often fail to detect new threats, and virtually all anti-virus solutions missed the Word document when it was first distributed. Even a full day after the initial distribution, only 3 out of the 54 AV vendors available on VirusTotal detected the threat.

Sky ATP vs. Locky

The Locky Word Document

What did Sky ATP see with the Locky Word document?

Sky ATP uses a series of analysis engines to determine whether a file object is malicious or not. Two technologies developed inside of Juniper successfully identify Locky as a threat, and we assign both Locky files a score of 7 out of 10 (high threat level).

Specifically, for the Word document:

  1. Our document analysis system determined that the Word document was malicious (and this was the most significant factor in our system's decision that the document was malicious).
  2. Our dynamic analysis system determined that the Word document was malicious as well.

We have a variety of new techniques to extract information from potentially malicious file objects. Without revealing the attributes of malicious documents that we use to determine that a document or executable is malicious, we wanted to show how suspicious Locky is and give a sense of the richness of data available to determine the malicious nature of this threat.

We took a wide variety of good documents and malicious documents from our malware database and examined the traits of Locky. Here are some of the traits seen in Locky, along with how often each trait is seen in good Word documents and in malicious Word documents:

Trait                                      Good documents   Malicious documents
Document has macros                        0.9%             84.4%
No title                                   6.6%             50.2%
Single paragraph document                  7.5%             45.3%
Obfuscation function calls found           < 0.1%           39.6%
Code Page 1251 Windows Cyrillic (Slavic)   varies           27.6%

It’s impossible to simply block all documents that contain macros because they are often used in legitimate documents (more often in complex documents and spreadsheets), but with Locky, macros are a very bad sign of things to come. Similarly, you wouldn’t want to block all documents using Code Page 1251, but it seems to confirm that Locky originated from an Eastern European country (or at least from someone who had configured their system to use Cyrillic).

Let’s dive into a bit more detail on what the macros did by running a code trace.

The Locky ransomware infection begins with a Microsoft Word document containing Visual Basic macros. By default, such macros are often disabled, so the user is presented with a blank or misformatted page with an instruction to enable macros if the page does not render properly.

[screenshot: Picture1.png]

When the user enables macros for this document, the infection process begins via the embedded Visual Basic scripts. These scripts use a variety of obfuscation techniques to hide the actual intent of the macros, but these obfuscation attempts are detected by Sky ATP’s static and dynamic analysis engines.

[screenshot: Picture2.png]

This calls the first VBA routine:

[screenshot: Picture3.png]

The value of UserForm1.Label1.Caption is a string of values separated by slash characters. (We’ll soon see how this is used to obfuscate the functionality of these scripts.)

[screenshot: Picture4.png]

After the Split function executes, we have an array DrinkSun with the following elements:

[screenshot: Picture5.png]

The execution continues by jumping to the “ErrExit” label:

[screenshot: Picture6.png]

This creates a Microsoft.XMLHTTP object KogdaGe_1 that can make HTTP requests, and then an Adodb.Stream object KogdaGe_2. The GoTo statement jumps over a large section of unnecessary (and invalid!) code which exists only to hinder automated analysis.

[screenshot: Picture7.png]

The script then creates Shell.Application and WScript.Shell objects, and stores the “Process” environment variable for the WScript.Shell object, which contains a value of the form:

PROCESS: TEMP=C:\path\to\temp\dir

The TEMP directory referenced here will later be used to store a malicious binary downloaded from a remote server.

[screenshot: Picture9.png]

Here we find another use of obfuscation: the array KogdaGe_7 contains an encoded URL. (The actual URL and obfuscation algorithm vary between Locky samples.) Running this computation in Python, we get:

[screenshot: Picture10.png]

So the array KogdaGe_7 actually represents the URL of a malicious binary, encoded to hinder static analysis.

[screenshot: Picture11.png]

Now the script uses the Microsoft.XMLHTTP object created previously to prepare an HTTP connection ("GET") to the malicious URL we just decoded.

[screenshot: Picture12.png]

The HTTP connection is used to send a request for the binary at "http://www [DOT] jesusdenazaret [DOT] com [DOT] ve/34gf5y/r34f3345g [DOT] exe".

[screenshot: Picture13.png]

The value of the TEMP directory from the Process environment variable is extracted and stored as KogdaGe_4.

[screenshot: Picture14.png]

Now the full path for storing the downloaded binary is constructed by concatenating the TEMP directory with a filename. Note that the innocuous-looking filename "ladybi.txt" is now transformed into "ladybi.exe".

[screenshot: Picture15.png]

Here we see the first use of the "CallByName" routine for obfuscation. This call is equivalent to: KogdaGe_2.Type = 1.

[screenshot: Picture16.png]

The Adodb.Stream object created above is opened.

[screenshot: Picture17.png]

This CallByName function call is equivalent to rbp = KogdaGe_1.responseBody.

[screenshot: Picture18.png]

This is equivalent to KogdaGe_2.write(KogdaGe_1.responseBody), which saves the downloaded binary to the Adodb.Stream:

[screenshot: Picture19.png]

Equivalent to KogdaGe_2.savetofile("<temppath>\ladybi.exe", 2).

[screenshot: Picture20.png]

Finally, we reach the end of the script’s execution, and the malicious program now stored as ladybi.exe is executed.
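The indicators the trace walks through (Split over a delimited string, GoTo past junk code, XMLHTTP and Adodb.Stream objects, the TEMP path from Environ("Process"), a .txt name rewritten to .exe, CallByName for property and method access) can be checked statically once the macro source has been extracted. The scanner below is an added example, not Sky ATP code; both macro samples are constructed for it, and the weights and threshold are assumptions.

```python
"""Static indicator scan for VBA macro source, modelled on the Locky trace
above. Added example for illustration; it is not Sky ATP's analysis engine."""
import re

# Indicators taken from the trace: Split over a delimited string, CallByName
# hiding property/method access, late-bound download/file/shell objects,
# TEMP read via Environ("Process"), GoTo over junk code, a ".exe" literal.
# Weights are assumed values for this example, not measured prevalence.
INDICATORS = [
    ("split_delimited_string", re.compile(r"\bSplit\s*\(", re.I), 1),
    ("callbyname_access",      re.compile(r"\bCallByName\b", re.I), 3),
    ("xmlhttp_object",         re.compile(r"Microsoft\.XMLHTTP", re.I), 3),
    ("adodb_stream",           re.compile(r"Adodb\.Stream", re.I), 3),
    ("shell_object",           re.compile(r"WScript\.Shell|Shell\.Application", re.I), 2),
    ("environ_process",        re.compile(r'\bEnviron\s*\(\s*"Process"', re.I), 2),
    ("goto_jump",              re.compile(r"\bGoTo\s+\w+", re.I), 1),
    ("exe_string_literal",     re.compile(r'\.exe\s*"', re.I), 2),
]
SUSPICIOUS_THRESHOLD = 6  # assumed cut-off for this example


def scan_vba(source):
    """Return ({indicator: [line numbers]}, score) for one macro module.
    Each indicator counts once towards the score however often it appears."""
    findings = {}
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern, _ in INDICATORS:
            if pattern.search(line):
                findings.setdefault(name, []).append(lineno)
    score = sum(w for name, _, w in INDICATORS if name in findings)
    return findings, score


def is_suspicious(source):
    return scan_vba(source)[1] >= SUSPICIOUS_THRESHOLD


# Constructed macro skeleton following the trace's object names and order.
# It contains no URL and makes no network call; it is scanner test input only.
LOCKY_LIKE = r"""
Private Sub Document_Open()
    DrinkSun = Split(UserForm1.Label1.Caption, "/")
    GoTo ErrExit
    junk = 1 / 0
ErrExit:
    Set KogdaGe_1 = CreateObject("Microsoft.XMLHTTP")
    Set KogdaGe_2 = CreateObject("Adodb.Stream")
    Set KogdaGe_3 = CreateObject("WScript.Shell")
    KogdaGe_5 = KogdaGe_3.Environ("Process")
    KogdaGe_4 = Mid(KogdaGe_5, InStr(KogdaGe_5, "TEMP=") + 5)
    KogdaGe_6 = KogdaGe_4 & Replace("\ladybi.txt", ".txt", ".exe")
    CallByName KogdaGe_2, "Type", VbLet, 1
    KogdaGe_2.Open
    CallByName KogdaGe_2, "savetofile", VbMethod, KogdaGe_6, 2
End Sub
"""

# Constructed benign macro: Split plus an error-handling GoTo, which
# legitimate documents use all the time, and nothing else on the list.
BENIGN = r"""
Sub FormatReport()
    On Error GoTo Cleanup
    parts = Split(ActiveDocument.Name, ".")
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
Cleanup:
End Sub
"""

if __name__ == "__main__":
    for label, src in (("locky-like", LOCKY_LIKE), ("benign", BENIGN)):
        print(label, is_suspicious(src), scan_vba(src))
```

The benign sample scores on two of the same indicators, which is why a single trait such as a GoTo or a Split is weighted low and only the combination crosses the threshold.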

The Locky Executable

Sky ATP detects the executable dropped by the Word macro primarily through the use of behavioral analysis. This determination is a little bit more complex, but Locky behaves similarly to a lot of malware.

Trait                                                             Good applications   Malware
Accesses hosts file                                               21.8%               49.5%
DNS resolution                                                    27.4%               50.4%
Excessive sleep calls                                             43.6%               67.1%
DNS resolution of many domain names with many failures            0.2%                12.2%
Generates new code (typically unpacking or expanding shellcode)   2.4%                9.7%
Posts data to a webserver                                         1.7%                3.9%
Creates PE files with a name already existing in Windows          < 0.1%              1.9%
System process connects to network                                0.2%                1.1%

The difficult part is differentiating Locky from good software. As you can see, a lot of good software has similar behaviors. Even DNS lookups from good software will fail sometimes, so it’s important to have a robust decision-making system that stitches together all of this information.
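As an added illustration of stitching these rates together (not Sky ATP's verdict engine), the following naive Bayes model combines the figures from both tables above. The 1% base rate and the reading of "< 0.1%" as 0.1% are assumptions; the Locky traits are the ones the article reports for the document and, for the executable, the failing DNS lookups and the copy named svchost.exe.

```python
"""Naive Bayes combination of the per-trait prevalence figures from the two
tables above. Added example for illustration; Sky ATP's own verdict engine is
a different, far larger model."""
import math

# (rate in good files, rate in malicious files), copied from the document
# table. "< 0.1%" is taken as 0.1% (assumption); the Code Page 1251 row is
# omitted because its benign rate is listed only as "varies".
DOC_TRAITS = {
    "document_has_macros":        (0.009, 0.844),
    "no_title":                   (0.066, 0.502),
    "single_paragraph":           (0.075, 0.453),
    "obfuscation_function_calls": (0.001, 0.396),
}
# Same for executables, copied from the behavioral table.
EXE_TRAITS = {
    "accesses_hosts_file":     (0.218, 0.495),
    "dns_resolution":          (0.274, 0.504),
    "excessive_sleep_calls":   (0.436, 0.671),
    "many_dns_failures":       (0.002, 0.122),
    "generates_new_code":      (0.024, 0.097),
    "posts_data_to_webserver": (0.017, 0.039),
    "pe_with_windows_name":    (0.001, 0.019),
    "system_process_networks": (0.002, 0.011),
}
# Traits the article reports for the two Locky files: all four document
# traits; for the executable, the DNS lookups (many failing) and the
# copy of itself named svchost.exe.
LOCKY_DOC = set(DOC_TRAITS)
LOCKY_EXE = {"dns_resolution", "many_dns_failures", "pe_with_windows_name"}

PRIOR_MALICIOUS = 0.01  # assumed base rate of malicious files (not from the article)


def log_odds(model, present, prior=PRIOR_MALICIOUS):
    """Posterior log-odds of 'malicious' given the set of traits observed.
    Present traits add log(P(t|mal)/P(t|good)); absent ones add
    log((1-P(t|mal))/(1-P(t|good))). Traits are treated as independent."""
    lo = math.log(prior / (1.0 - prior))
    for name, (p_good, p_mal) in model.items():
        if name in present:
            lo += math.log(p_mal / p_good)
        else:
            lo += math.log((1.0 - p_mal) / (1.0 - p_good))
    return lo


def p_malicious(model, present, prior=PRIOR_MALICIOUS):
    """Posterior probability that the sample is malicious."""
    return 1.0 / (1.0 + math.exp(-log_odds(model, present, prior)))


def contributions(model, present):
    """Per-trait log-odds terms, largest magnitude first: which evidence drove it."""
    rows = []
    for name, (p_good, p_mal) in model.items():
        if name in present:
            rows.append((name, math.log(p_mal / p_good)))
        else:
            rows.append((name + " (absent)", math.log((1 - p_mal) / (1 - p_good))))
    return sorted(rows, key=lambda r: -abs(r[1]))


if __name__ == "__main__":
    for label, model, present in (
        ("Locky Word document", DOC_TRAITS, LOCKY_DOC),
        ("document with macros only", DOC_TRAITS, {"document_has_macros"}),
        ("Locky executable", EXE_TRAITS, LOCKY_EXE),
    ):
        print(f"{label}: P(malicious) = {p_malicious(model, present):.4f}")
        for name, lo in contributions(model, present):
            print(f"  {lo:+.2f}  {name}")
```

With these figures a document that only has macros stays below 0.5 because the absence of the other traits counts against a malicious verdict, while the full Locky trait set pushes the posterior above 0.999.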

After the Visual Basic macros in the document have downloaded the Locky executable file, the encryption and ransom process begins. First, the malware copies itself to a temporary directory under the name “svchost.exe” and relaunches. “svchost.exe” is also the name of an executable distributed as part of Windows that hosts services run from dynamic-link libraries, so the malware is already behaving very suspiciously.

[screenshot: Picture21.png]

Then it contacts a command and control (C&C) server to retrieve the key (specific to each computer) that will be used to encrypt the user’s files (as well as files on network drives) and writes these values (and an autostart key) to the registry.

As part of contacting the C&C server, Locky does DNS lookups on a variety of domain names, some of which didn’t exist at the time it was distributed.

[screenshot: Picture22.png]

[screenshot: Picture23.png]

[screenshot: Picture24.png]

Once this is completed, the user’s files are replaced with encrypted versions.

Inside of Sky ATP, all of this information is fed into the Sky ATP machine learning verdict engine, which compares the behavior of the code being analyzed with the behaviors of known malicious and benign code.

After analyzing the malware executable, our verdict engine assigns a threat score of 7 out of 10 (any score of 7 or higher is considered to be a high threat level).

[screenshot: Picture25.png]

A text file containing ransom information pops up to give the victim the ransom instructions.

[screenshot: Picture26.png]

In case that isn’t enough, Locky helpfully opens an image file containing the same instructions, and also changes the user’s desktop wallpaper to display this image.

[screenshot: Picture27.png]

Machine Learning

It’s hard to show exactly what our machine learning verdict engine is doing. After all, from just these two files, this is how many different traits were examined and how many ultimately contributed to our malware classifications:

File                   Features Examined
Locky Word Document    ~216,000
Locky Executable       ~20,000,000

Obviously, it’s impossible to represent all of these features, but to illustrate roughly how the machine learning in Sky ATP works, we took the Word document feature set and reduced it to two dimensions.

On the X axis we have the distance from the separating hyperplane, scaled from 0 to 1, which shows how far the features of the document are from the hyperplane that separates the good from the bad.

If we project these features onto the hyperplane, decompose them into two components, take the first component, and scale this component to between 0 and 1, we get the Y axis.

The first component has a strong correlation with the separating hyperplane itself; that is, if we split the good from the bad horizontally where Y=0, it would be almost identical to splitting them where X=0.
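The two axes, written out as an added formalization (not from the article). It assumes the verdict model separates good from bad with a linear boundary of normal vector $w$ and offset $b$, and that $u_1$ is the first principal component of the projected training points; the minima and maxima are taken over the training documents.

$$
\begin{aligned}
d(x) &= \frac{w \cdot x + b}{\lVert w \rVert}, &
X(x) &= \frac{d(x) - d_{\min}}{d_{\max} - d_{\min}} \\[4pt]
x_{\parallel} &= x - d(x)\,\frac{w}{\lVert w \rVert}, &
c_1(x) &= u_1 \cdot \bigl(x_{\parallel} - \bar{x}_{\parallel}\bigr), \qquad
Y(x) = \frac{c_1(x) - c_{\min}}{c_{\max} - c_{\min}}
\end{aligned}
$$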


In this chart, red dots are examples of good documents and blue dots are examples of malicious documents.

The shading represents the probability of a document being malware given our model, so anything that falls in the blue-shaded area has a probability close to 0 of being classified as malware, while documents that fall in the red-shaded area have a probability close to 1 of being classified as malware.

Locky, in yellow, is firmly on the right side of the hyperplane after the algorithm learns how to separate good documents from malicious ones based on the traits of those documents.

[animation: output_eltkSw.gif]

It is important to note that the algorithm hadn’t seen Locky ahead of time, but was able to determine that it is malicious based on the characteristics of the document.

 

Thanks

I want to thank Asher Langton for helping with the traces and behavioral data, Peter Gael and Roman Sinayev for additional information used in this article.


More Reading

There have been several good write-ups that give an overview of Locky’s behavior:


Comments
by Bob V
on ‎04-19-2016 08:14 AM
Great article. A question though. My understanding is that Locky (and Dridex by the same authors) are delivered by email. Per my SE, Sky only looks at HTTP/s so it wouldn't be able to detect initial Locky infections through its main delivery vector. Thoughts?
by vsukhanov
on ‎04-27-2016 02:59 PM
Locky ransomware spotted using Javascript downloader: http://www.scmagazine.com/locky-seen-using-javascritp-downloader-instead-of-binary-or-macros/article... FireEye researchers spotted a Locky ransomware campaign using Javascript downloaders to infect users instead of macro- or binary-based downloaders. Threat actors are sending the malicious downloaders using malicious .zip and .rar files disguised as invoices, corporate documents, tax information, and other seemingly benign files in order to spread the new downloader. The new downloader is written in "more compact" script coding that allows attackers to encrypt the malicious code into .zip or .rar files multiple times, InfoArmor's chief intelligence officer, Andrew Komarov, told SCMagazine.com. The malicious code bypasses anti-spam filters and anti-virus software through obfuscation, Komarov said. Komarov said the previous downloaders weren't very efficient because most users have their machines set up to block macros but the new downloaders are based on script language and are easier to obfuscate within Javascript which makes it harder to detect. Those behind the Locky malware didn't design the malicious downloaders but obtained them from a third party, he said, noting that 50 unique malicious downloaders can be purchased for between $1 to $25, making them an inexpensive way to spread the ransomware. FireEye researchers observed the new downloader using a custom network communication protocol which, in their tests, only downloaded the Locky ransomware as its payload, according to an April 22 blog post. The researchers went on to say that the downloader could be a new platform for installing other malware or for “pay-per-install” malware distribution.