The W32/Seftad RansomWare has been spreading for a few days now, locking infected computers and trying to extort money for a recovery password. The infection is easily recognized by the text message below, which is displayed when the computer starts up, or rather fails to start.
Your PC is blocked. All the hard drives were encrypted. Browse www.safe-data.ru to get an access to your system and files. Any attempt to restore the drives using other way will lead to inevitable data loss !!! Please remember Your ID: 773923, with its help your sign-on password will be generated. Enter password:
But they lie, the hard disk is not encrypted, only a few sectors have been changed. This table shows the changes to the disk sectors. Also shown are the memory addresses where they are loaded to memory by the malware.
Infected Drive   Disk Address   Memory Address   Sector Contents
Sector 1         0x000          0x7C00           Malware boot sector
Sector 2         0x200          0x7C00           Malware code
Sector 3         0x400          0x7E00           Text strings & CRC
Sector 4         0x600          -                -
Sector 5         0x800          0x7E00           Original boot sector
Hard drive sector 1 normally contains the Master Boot Record (MBR), with the partition table and the boot code needed to start the operating system. It has been copied to sector 5 with two bytes changed. Sector 1 now contains the malware boot code, with no partition table.
When the computer starts, the malware boot code from sector 1 is loaded and executed. It reads sectors 2 and 3 into memory at address 0000:7c00. The malware then checks whether a particular 4-byte marker value (0x636d6a68, the ASCII string "hjmc" when stored little-endian) is present at the start of sector 2 and the end of sector 3. This marker check can be used to identify the malware boot sector.
1000:002b cmp dword ptr [bx+02h], 636d6a68h   ; code start marker ("hjmc")
1000:0033 jnz loc_0000004b                     ; marker not found
1000:0035 add bx, 3fch                         ; location of code end marker
1000:0039 cmp dword ptr [bx], 636d6a68h        ; code end marker
1000:0040 jnz loc_0000004b                     ; marker not found
(The addresses in the listings are disk based addresses, conversion to memory addresses is shown where necessary.)
At this point the code loaded from sector 2 is executed, and the routine that reads in the password starts. Up to 16 characters can be keyed in, and when the Enter key is pressed processing begins. The first step is to pad the password with spaces so that the length is always 16 characters.
1000:027d mov al, 20h          ; " " text space
1000:027f cmp di, 10h          ; if di < 16 carry set
1000:0282 jnc loc_00000289     ; if we have 16 chars jump
1000:0284 mov [bx+di], al      ; add a space " "
1000:0286 inc di               ; increase char count
1000:0287 jmp 27fh             ; check again if 16 chars
Next each of the 16 password characters is sent to a CRC generator. The resulting CRC will be used to check whether the password is correct.
1000:0289 mov cl, 10h          ; cl = 16, chars in password
1000:028b xor dx, dx           ; dx = 0x00, CRC goes here
1000:028d mov si, 7e7ah        ; password buffer (disk 047a)
1000:0290 cld                  ; clear direction flag
1000:0291 lodsb                ; load pwd char to al, si++
1000:0292 call loc_00000368    ; call the CRC16 generator
1000:0295 dec cl               ; cl-- update character count
1000:0297 jnz 291h             ; loop to load next character
There are many different CRC16 algorithms. The one used is the xmodem version (initial value 0, polynomial 0x1021, no bit reflection), not the most common or the best, but it will work for this task. The core of the CRC generator is shown below.
1000:036a mov ah, al           ; move password char to ah
1000:036c xor al, al           ; zero al
1000:036e xor dx, ax           ; dx=crc, 0x00 on first pass
1000:0370 mov cl, 08h          ; set cl for 8 bits
1000:0372 shl dx, 1h           ; shift left 1 bit
1000:0374 jnc 37ah             ; if top bit was 0 jump
1000:0376 xor dx, 1021h        ; CRC polynomial = 0x1021
1000:037a dec cl               ; cl--
1000:037c jnz 372h             ; loop until cl=0
Once the password CRC has been calculated, it is checked against the reference CRC at memory location 0000:7ffa, where it was loaded from disk sector 3.
1000:0299 cmp dx, [7ffah]      ; password CRC loc (crc=0x24e0)
1000:029d jz loc_000002b2      ; if equal
The CRC value 0x24E0, located at memory address 0000:7ffa, can be found at disk location 0x7ffa - 0x7c00 + 0x200 = 0x05fa, shown in the hex dump below (stored little-endian as "E0 24"). Any password with this CRC will work.
Disk:05F0 Mem:7FFA  00 00 00 00 00 00 00 00 00 00 E0 24 68 6A 6D 63  ..........à$hjmc
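The password check described above, written out in Python as an added example (this is not code from the original analysis or from the malware). It assumes the CRC routine is exactly the one listed (CRC-16/XMODEM: initial value 0, polynomial 0x1021, no reflection, no final XOR), that the entry routine accepts ASCII letters and digits, and takes 0x24E0 from the hex dump as the reference value. Since any password with that CRC is accepted, the example also shows how a recovery password can be constructed rather than guessed: for a fixed 14-byte prefix the last two bytes map one-to-one onto the 65536 possible CRC values, so trying a few prefixes finds one whose matching suffix is typeable.

```python
import itertools
import string

POLY = 0x1021
REFERENCE_CRC = 0x24E0     # little-endian bytes E0 24 at disk offset 0x05FA (from the dump)
PASSWORD_LEN = 16


def crc16_xmodem(data: bytes, crc: int = 0) -> int:
    """Mirror of the routine at 1000:036a: the byte is XORed into the high half of
    the running CRC, then the register is shifted out one bit at a time,
    XORing in 0x1021 whenever a 1 bit falls off the top."""
    for byte in data:
        crc ^= byte << 8                      # mov ah, al / xor al, al / xor dx, ax
        for _ in range(8):                    # mov cl, 08h
            if crc & 0x8000:                  # shl dx, 1 sets carry when the top bit was 1
                crc = ((crc << 1) ^ POLY) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def pad_password(password: str) -> bytes:
    """Pad with spaces to exactly 16 bytes, as the loop at 1000:027d does."""
    raw = password.encode("ascii")
    if len(raw) > PASSWORD_LEN:
        raise ValueError("the entry routine accepts at most 16 characters")
    return raw.ljust(PASSWORD_LEN, b" ")


def password_accepted(password: str, reference: int = REFERENCE_CRC) -> bool:
    """The comparison at 1000:0299 (cmp dx, [7ffah])."""
    return crc16_xmodem(pad_password(password)) == reference


def find_password(reference: int = REFERENCE_CRC,
                  alphabet: str = string.ascii_letters + string.digits) -> str:
    """Return a 16-character password whose CRC equals the reference.

    The CRC is affine over GF(2) and multiplication by x^16 is invertible
    modulo the polynomial, so for a fixed 14-byte prefix each CRC value is
    reached by exactly one 2-byte suffix. We walk through constructed digit
    prefixes until the required suffix lies inside the chosen alphabet."""
    suffix_alphabet = alphabet.encode("ascii")
    for counter in itertools.count():
        prefix = f"{counter:014d}".encode("ascii")   # constructed prefix; any typeable bytes work
        prefix_crc = crc16_xmodem(prefix)
        for a, b in itertools.product(suffix_alphabet, repeat=2):
            if crc16_xmodem(bytes((a, b)), prefix_crc) == reference:
                return (prefix + bytes((a, b))).decode("ascii")


if __name__ == "__main__":
    # Published check value for CRC-16/XMODEM, to confirm the routine matches the standard.
    assert crc16_xmodem(b"123456789") == 0x31C3
    pw = find_password()
    print(f"candidate password: {pw!r}  crc=0x{crc16_xmodem(pad_password(pw)):04X}")
```

The prefix counter is only there to vary the search; the exact password returned is not meaningful in itself, and the reference value should be read from sector 3 of the infected drive rather than assumed, since nothing on the page says it is the same for every infection.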
When an incorrect password is entered, the words "Wrong password" are displayed, with "Enter password:" appearing again below. After three tries the computer reboots and the process starts again. Rebooting here is probably just a simple way to clear the display.
When a correct password has been entered, the process of restoring the computer begins. First the original boot sector is loaded into memory, from disk sector 5.
1000:02b2 mov bx, 7e00h        ; buffer
1000:02b5 mov cx, 05h          ; track=0 sector=5
1000:02b8 mov dx, 80h          ; head=0 drive=hard disk
1000:02bb mov ax, 201h         ; read disk sectors, 1 sector
1000:02be int 13h              ; read disk
1000:02c0 jnc loc_000002ca     ; jump if read was ok
When the original boot sector was saved, the last two bytes were changed to "be af". These are now checked, and if they are wrong the message "Data corrupted" is displayed.
Disk:09F0 Mem:7FF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 BE AF  ..............¾¯

1000:02ca mov di, 7ffeh              ; (disk 09fe)
1000:02cd cmp word ptr [di], 0afbeh  ; check value
1000:02d1 jz loc_000002db            ; if ok jump
If the bytes are as expected, they are changed back to their original value, "55 aa", which is the Boot Record Signature. If the BIOS does not see these bytes it will not boot.
1000:02db mov dx, 0aa55h             ; boot record signature
1000:02de mov word ptr [di], dx      ; write to mem, di=7ffe
The repaired boot sector is now written to sector 1, so that the computer becomes bootable again.
1000:02e0 mov cx, 01h          ; write to sector 1
1000:02e3 mov dx, 80h          ; head=0 drive=hard disk
1000:02e6 mov ax, 301h         ; write disk sectors, 1 sector
1000:02e9 int 13h              ; write to disk
1000:02eb jnc loc_000002f5     ; jump if ok, to "clean up disk"
Finally a buffer is filled with nulls and written to disk sectors 2, 3 and 5, so that all traces of the infection are removed, and the computer is rebooted. Of course if any of these sectors was being used by some system level software, like a disk or boot utility, whatever data they contained is lost and the password will not restore the computer to its original state.
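The restore sequence just described (marker check, reading the backup from sector 5, verifying the "be af" trailer, putting "55 aa" back and writing the result to sector 1) as an added Python example that works on a raw disk image instead of calling int 13h. This is not code from the original analysis; the offsets are the ones in the table and listings, the sample image is constructed inline so the script runs offline, and it is assumed that bx = 0x7c00 when the marker check at 1000:002b runs, which matches the hex dump (hjmc at disk 0x05FC). Unlike the malware's own clean-up it zeroes only sectors 2 and 3 and leaves the backup in sector 5 alone.

```python
import struct

SECTOR = 512
MARKER = struct.pack("<I", 0x636D6A68)        # the dword from 1000:002b, little-endian = b"hjmc"
START_MARKER_OFF = 1 * SECTOR + 0x002         # [bx+02h] with bx = 0x7c00 -> sector 2, offset 2
END_MARKER_OFF = 1 * SECTOR + 0x3FC           # [bx+3fch]                 -> sector 3, offset 0x1fc
REF_CRC_OFF = 0x05FA                          # 0x7ffa - 0x7c00 + 0x200
BACKUP_MBR_OFF = 4 * SECTOR                   # sector 5 holds the saved MBR
TAMPERED_SIG = b"\xBE\xAF"                    # written over 55 AA when the MBR was saved
BOOT_SIG = b"\x55\xAA"


def inspect_image(image: bytes) -> dict:
    """Report the facts the restore code itself checks before rewriting sector 1."""
    if len(image) < 5 * SECTOR:
        raise ValueError("image must contain at least 5 sectors")
    backup = image[BACKUP_MBR_OFF:BACKUP_MBR_OFF + SECTOR]
    return {
        "markers_present": (image[START_MARKER_OFF:START_MARKER_OFF + 4] == MARKER
                            and image[END_MARKER_OFF:END_MARKER_OFF + 4] == MARKER),
        "reference_crc": struct.unpack_from("<H", image, REF_CRC_OFF)[0],
        "backup_trailer_ok": backup[510:512] == TAMPERED_SIG,   # the "Data corrupted" test
    }


def repair_image(image: bytes) -> bytes:
    """Return a copy with the original MBR back in sector 1 and sectors 2-3 zeroed."""
    info = inspect_image(image)
    if not info["markers_present"]:
        raise ValueError("marker values not found; not the layout described")
    if not info["backup_trailer_ok"]:
        raise ValueError("backup boot sector does not end in BE AF ('Data corrupted')")
    restored = bytearray(image[BACKUP_MBR_OFF:BACKUP_MBR_OFF + SECTOR])
    restored[510:512] = BOOT_SIG                 # mov dx, 0aa55h / mov word ptr [di], dx
    out = bytearray(image)
    out[0:SECTOR] = restored                     # int 13h, ax=0301h, cx=0001h
    out[SECTOR:3 * SECTOR] = bytes(2 * SECTOR)   # remove the malware code and strings
    return bytes(out)


def build_sample_image(original_mbr: bytes) -> bytes:
    """Construct a 5-sector infected image around a given MBR (test data, not a real sample)."""
    s1 = b"\xEB\xFE".ljust(510, b"\x90") + BOOT_SIG          # stand-in for the malware boot sector
    s2 = bytearray(SECTOR)
    s2[2:6] = MARKER                                          # code start marker
    s3 = bytearray(SECTOR)
    struct.pack_into("<H", s3, 0x1FA, 0x24E0)                # reference CRC as in the dump
    s3[0x1FC:0x200] = MARKER                                  # code end marker
    s4 = bytes(SECTOR)
    s5 = original_mbr[:510] + TAMPERED_SIG                    # saved MBR with 55 AA -> BE AF
    return s1 + bytes(s2) + bytes(s3) + s4 + s5


# Constructed stand-in MBR: a few bytes of code, one partition entry, boot signature.
ORIGINAL_MBR = (b"\x33\xC0\x8E\xD0".ljust(446, b"\x00")
                + b"\x80\x01\x01\x00\x07\xFE\xFF\xFF\x3F\x00\x00\x00\x00\x00\x10\x00" + bytes(48)
                + BOOT_SIG)

if __name__ == "__main__":
    infected = build_sample_image(ORIGINAL_MBR)
    print("before:", inspect_image(infected))
    clean = repair_image(infected)
    print("after: ", inspect_image(clean))
    print("sector 1 restored:", clean[:SECTOR] == ORIGINAL_MBR)
```

On a real drive the same steps apply to a sector-level copy taken first (for example with dd), never to the live disk, and the comparison of the restored sector against a known-good partition table is the check worth doing before writing anything back.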
The best way to cure this infection is to use a suitable disk repair utility. If this fails then hopefully the information presented here will help with manual repair. In any case it is important to remember that even when the computer boots successfully, it will still be infected with the malware that started this, and needs to be cleaned.
Additional information about this malware can be found in Fortinet researcher Patrick Yu's All your drives are belong to us.