
Analyzing a System Hacked by Extortionware

Or, the Case of the Intrusive Bowel Movement

There is a category of malicious software often called Police Ransomware. It is a category within Extortionware or scareware. It claims that the authorities have detected illegal activity on your computer and locked it down. However, as this is a first offense, you can pay a fine and avoid serious legal trouble. The payment would, of course, go directly to the criminal gangs running these scams, which make many millions of dollars for the criminals. Here's a case I saw.

I was doing some work for someone who told me early one morning that they had just received an urgent call from the tenants of a building they owned.

The small business building was rented to the state Department of Transportation. Four men from the DOT worked there supervising a nearby road construction project. They had arrived that morning and discovered that the building had been broken into.

Well, they should call the police. Why are you telling me about this?

They said it had something to do with their computer. The building was broken into, but something even worse had happened to their computer.

Well, this still sounds like a job for the police, but I'll go have a look at it if you want.

The police officer and I arrived at the same time and we introduced ourselves in the parking lot. In we went to meet the four excited DOT workers. They started telling the police officer about how they had arrived to find the front door ajar, the lights on, and other signs of intrusions.

Like what?

"Just look at this! The pencil sharpener fastened underneath this shelf has been knocked loose and the pencil shavings were dumped on the desk."

Has anything like this happened before?

"Yes, three or maybe four times in the past few months we have found the door ajar and the lights on in the morning."

Had you reported this to the police?

"No, we hadn't, there hadn't been any signs of theft or damage or vandalism. Except... well... The last time, whoever broke in had a really big bowel movement in the rear bathroom and then didn't flush the toilet. They just left it there. We always use the bathroom in the front."

Ah, scattered pencil shavings and unflushed bowel movements. The glamour of police work. Why am I here?

"The computer is the worst part of it all! Whoever broke was involved in child pornography or maybe terrorism, and now we're in trouble with the Department of Homeland Security!"

Oh, it's this... Let's have a look at it. Here is a digital photograph of the screen of one of the four computers in the building. This had appeared when they first used the computer. They got scared and powered it off and back on again a number of times, and it always started Windows and immediately went to this display. You have a very brief glimpse of the Windows desktop, and then the malware starts and it goes to this.

The system was configured to automatically start a login session for a user account. There was no user authentication or password protection in place, and they never turn this computer off.

Automated extortion software warning screen.

Let's look at the components of what was displayed on the screen.

A warning near the top warns that the system is locked down and the police have already recorded evidence. A fuzzy picture suggests that pictures of the user may have been collected. If the laptop had a webcam above the display, the malware would have attempted to turn that on and display its live output here with the "video recording" shown as "on".

This is the standard criminal Police Ransomware, a category within Extortionware or Scareware, malicious software that locks up a system with a message screen meant to look ominous but making ludicrous threats and claims in faulty English. The messages purport to be from law enforcement, possibly at the national level, and accuse the victims of accessing child abuse images or supporting terrorism. They demand the payment of a "fine", really a ransom to recover use of their computer and access to their files, through an on-line money order.

The DOT workers were absolutely convinced that they were in big trouble with the Federal Government, specifically the Department of Homeland Security.

An attempt to unlock the computer by yourself will lead to the full formatting of the operating system.  All the files, photos, documents on your computer will be deleted.
Possible violations and their penalties as described by 'police extortionware'.

I explained that this was standard malware. Criminals, likely Russian or Ukrainian, ran the scam. They put up web sites enticing people to view pages through promises of erotica, games, or other entertainment. Meanwhile malicious software embedded in those pages infects unpatched Windows systems with this malware. From the next reboot on, the malware starts at boot time and takes over. Any payment would just send money to the criminals. Europol estimated in February 2014 that millions of computers had been infected and tens of thousands of victims had paid ransom demands over the past two years, making this a multimillion Euro business for the criminals.

"Oh no, this was for real, just look where it says the computer was registered by the police!" And see the penalties — years in prison, huge fines!

To unlock your computer and to avoid other legal consequences, you are obligated to pay a release fee of 300 USD.

Here's what looks to them like good news, they might be able to get out of this by paying a $300 fine!


And how would you pay this fine?

You can get MoneyPak from hundreds of thousands of global locations, online, from wallets, from kiosks and ATMs.

Exchange your cash for a MoneyPak vouchers and use your voucher code in form below.

Code:

Status: Waiting for Payment 47:58:52

Where can I buy MoneyPak: Walmart, Rite Aid, Walgreens, KMart, CVS/pharmacy, 7/11

A first-time violation may not lead to imprisonment. In the case of a first-time violation you just need to pay the fine according the Law Of Loyalty To The People as of January, 29, 2013.

And as luck would have it, there was both a CVS and a Walmart in town! They just had to decide which one to go to in order to buy this $300 MoneyPak wire transfer.

Guys, think about it.

Do you really think that DHS is going to let involvement in terrorism and child pornography slide because it's your first time and you paid a fine through the local pharmacy?

"It says right here that's all we have to do!"

Yes, through this preposterously named "Law Of Loyalty To The People". Why don't you ask this police officer for the details of this law?

At this point I was openly mocking them, but the officer had to maintain some level of respectful discourse. He told them in strong terms that they should not contribute any money to this criminal scam. He had heard about this trend, he hadn't seen it yet, but clearly I seemed to know what I was talking about.

Now, just why was I here again?

Well, the property owners didn't know anything about what was going on other than there was a physical break-in and something about computers, and I do computer work, so they sent me here.

Could I investigate this? The police officer's assumption was that "probably it was a kid" but there might be some information left on the machine providing some clues as to the interests and possibly the approximate age of the intruder. This was in a smaller community, there's limited expertise and manpower on the police force to handle this sort of thing. But given some personal information about the intruder, they might be able to track them down.

Across the road was something that looked like it could be a multi-trailer meth lab, and some other ratty dwellings were within eyesight. The officer couldn't help but look across the road as he described his theory and what he might be able to accomplish with partial information about the intruder.

Low-cost housing.

The view across the road.

I could certainly take a look. If someone is repeatedly breaking into this building to use their computer, maybe at some point they signed in to their e-mail account or even logged in to Facebook or similar, and we might be able to discover an e-mail or other online identity. Even if not, the browser history and cache might give you some idea about their interests, background, personality, some suggestion of who to look for.

Do I have what I need to do this?

Yes, I have a bootable Linux CD and a 1 TB USB-connected external disk drive. Give me ten minutes to go up the street and get that and I can get started. It might take about an hour to really do the data collection right, first recording the SHA-2 cryptographic hash of the disk itself and only then transferring a forensic style image of the disk onto my external drive. I'll do the analysis on a copy of that image, doing the work on a Linux workstation or my BSD laptop. That way we would have some reasonably trustworthy evidence that the image I collect is identical to the original data on this compromised computer. Right?

[ glazed look ]

I'll go get my stuff and get started, OK?

OK.


Capturing the data

The DOT workers had already messed with the system, physically handling it and rebooting it several times, so there was no need to try to capture any highly volatile data like the contents of CPU caches or RAM or the process table.

I put a Linux CD in the drive and rebooted the system, stopping at the BIOS setup. I first verified that the hardware clock was accurate. It was, so file system timestamps would be directly meaningful without adding or subtracting an offset. I also verified that it would boot from the optical drive.

I used Knoppix as I had that with me, but any Linux distro could work if you are very careful to drop to a shell instead of starting an install or attempting to rescue an existing Linux distribution.

At this point you have a running Linux operating system with a complete file system. The unusual thing is that the file system exists only in RAM, loaded from a compressed image on the rescue media. The df command will show that the root file system is mounted from /dev/mem or tmpfs or similar.

Let's see what disk devices are available and what they contain. It's one disk with one partition. Some rescue media may show all possible disk devices but the final file command will show you which ones really exist in the system.

# ls -l /dev/sd*
brw-rw---- 1 root disk 8,  0 Apr 16 12:58 /dev/sda
brw-rw---- 1 root disk 8,  1 Apr 16 12:58 /dev/sda1
# file /dev/sd*
/dev/sda:   block special
/dev/sda1:  block special
# file -s /dev/sd*
/dev/sda:   x86 boot sector
/dev/sda1:  x86 boot sector

Let's attach my external disk (which will be detected as sdb with its single partition sdb1). Then we will immediately measure the SHA-256 hash of the internal disk. Alternatives to openssl include sha256sum on Linux and both shash and sha256 on BSD. The tee command sends the result both to standard output and into a file on the external disk. Then we'll make a precise bit-for-bit copy of the internal disk, and verify that the image we collected is identical to what's in the system. The openssl and dd commands both take quite a while to run as they read an entire 112 GB device and, for the dd, write a copy to the external drive through the laptop's USB 2.0 port. As for the file system on the external drive, it was Ext4. A VFAT file system would be limited to a 4 GB maximum file size, while Ext4 is usable on both Linux and BSD, and on macOS with FUSE or Paragon's ExtFS for Mac OS X.

# ls -l /dev/sd*
brw-rw---- 1 root disk 8,  0 May 28 08:51 /dev/sda
brw-rw---- 1 root disk 8,  1 May 28 08:51 /dev/sda1
brw-rw---- 1 root disk 8, 16 May 28 08:51 /dev/sdb
brw-rw---- 1 root disk 8, 17 May 28 08:51 /dev/sdb1
# mkdir /mnt/external
# mount /dev/sdb1 /mnt/external
# openssl sha256 /dev/sda | tee /mnt/external/sda.sha256
SHA256(/dev/sda)= 2bf93a0a5250bfefb42a4694620d8a9f5aa2116af0dc5493f97c7bcce57fa771
# dd if=/dev/sda of=/mnt/external/sda.image bs=1M
114473+1 records in
114473+1 records out
120034123776 bytes transferred
# chmod 444 /mnt/external/sda.image
# openssl sha256 /mnt/external/sda.image
SHA256(/mnt/external/sda.image)= 2bf93a0a5250bfefb42a4694620d8a9f5aa2116af0dc5493f97c7bcce57fa771
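The hash-first, image, write-protect, verify sequence just shown, as an added shell example that is not the page's own commands: a function that records the SHA-256 of the source before anything is copied, makes the dd image, sets it read-only, and reports success only when the image hash matches the recorded one. The function names are hypothetical; it assumes sha256sum or openssl is installed, the same tools named above.

```shell
#!/bin/sh
# Added example (not the page's own commands): hash, image, write-protect,
# verify. Function names are hypothetical.

hash_of() {
	# SHA-256 of a file or block device, using sha256sum when present and
	# otherwise openssl, the two tools named on the page.
	if command -v sha256sum >/dev/null 2>&1; then
		sha256sum "$1" | awk '{print $1}'
	else
		openssl sha256 "$1" | sed 's/.*= //'
	fi
}

verify_image() {
	# verify_image HASHFILE IMAGE: compare the hash recorded for the
	# original with the hash of IMAGE. Exit status 0 on match, 1 otherwise.
	recorded=$(awk '{print $1; exit}' "$1")
	actual=$(hash_of "$2")
	if [ -n "$recorded" ] && [ "$recorded" = "$actual" ]; then
		printf 'verified %s\n' "$actual"
		return 0
	fi
	printf 'MISMATCH recorded=%s image=%s\n' "$recorded" "$actual" >&2
	return 1
}

acquire_image() {
	# acquire_image SOURCE DESTDIR
	# Writes DESTDIR/NAME.sha256 (hash of the original, taken first) and
	# DESTDIR/NAME.image (bit-for-bit copy, mode 444), then verifies the
	# copy against the recorded hash. Returns 0 only when they match.
	src=$1
	dest=$2
	name=$(basename "$src")
	mkdir -p "$dest" || return 2
	# 1. Hash the original before it is touched by anything else.
	before=$(hash_of "$src")
	[ -n "$before" ] || return 2
	printf '%s  %s\n' "$before" "$src" > "$dest/$name.sha256"
	# 2. Bit-for-bit copy (bs in bytes so it works with GNU and BSD dd).
	dd if="$src" of="$dest/$name.image" bs=1048576 || return 2
	chmod 444 "$dest/$name.image"
	# 3. Hash the copy and compare with what was recorded in step 1.
	verify_image "$dest/$name.sha256" "$dest/$name.image"
}

# Stand-alone use: acquire.sh /dev/sda /mnt/external
if [ "$#" -eq 2 ]; then
	acquire_image "$1" "$2"
fi
```

The recorded hash file is written before dd starts, so a later verify_image run against the image on the analysis machine checks the copy against the original device's hash, not against a hash computed from the copy itself.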

Now we can shut down Knoppix, power down the victim computer, and detach the external drive. We will copy the collected data from the USB disk onto a Linux machine for analysis.

The image file itself is read-only, but let's be safe. Let's mount a copy of the image in read-only mode and see what we find. We're now on the Linux machine used for analysis:

# mkdir /mnt/disk
# mount -o ro,loop sda-copy.image /mnt/disk
# ls -l /mnt/disk
-rwxrwxrwx 1 root root           0 Nov 20  2003 AUTOEXEC.BAT
-rwxrwxrwx 1 root root           0 Nov 20  2003 CONFIG.SYS
drwxrwxrwx 2 root root        4096 May 19  2013 Documents and Settings
-rwxrwxrwx 1 root root           0 Nov 20  2003 IO.SYS
-rwxrwxrwx 1 root root           0 Nov 20  2003 MSDOS.SYS
drwxrwxrwx 1 root root       12288 May 24  2003 Program Files
drwxrwxrwx 1 root root           0 May 24  2013 RECYCLER
drwxrwxrwx 1 root root           0 Nov 20  2003 System Volume Information
drwxrwxrwx 1 root root        4096 May 14  2013 Temp
drwxrwxrwx 1 root root       40960 Apr 24  2003 WINDOWS

Yep, that's Windows.

We'll make a tar archive of just the files so we have a smaller and more easily managed data set for some of the analysis.

# cd /mnt/disk
# tar cf ~/sda-files.tar .
# cd
# chmod -w sda*
# umount /mnt/disk
# ls -l sda*
-r--r--r--    1 root root 120034123776 May 28 14:36 sda-copy.image
-r--r--r--    1 root root  22154301440 May 28 14:08 sda-files.tar
-r--r--r--    1 root root 120034123776 May 28 14:03 sda.image
-r--r--r--    1 root root           75 May 28 14:03 sda.sha256
# ls -lh sda*
-r--r--r--    1 root root 112G May 28 14:36 sda-copy.image
-r--r--r--    1 root root  21G May 28 14:08 sda-files.tar
-r--r--r--    1 root root 112G May 28 14:03 sda.image
-r--r--r--    1 root root   75 May 28 14:03 sda.sha256

Investigating the activity

The DOT employees had left the building "about noon" on Friday, May 24, the weekend before the Memorial Day holiday weekend. They had returned on Tuesday morning, the 28th, to find the door ajar, lights on, pencil shavings scattered, and the computer in this state. (But at least there was no epic BM in the bathroom this time)

I got a detailed list of files modified between 00:00 on May 24th and 09:00 on May 28th by going into the copy of the victim machine's file system and running the command sequence below. Because tar preserves metadata, including modification timestamps, this could be done in a tree extracted from the tar archive and did not have to be done on the mounted image.

The first two commands create a "before" timestamp file dated 00:00 on May 24, and an "after" one dated 09:00 on May 28. The third command uses command substitution: the part within $(...) executes first and its output is used as parameters to what's outside. So we first get a list of the files newer than the "before" but not newer than the "after", and then a detailed listing of their attributes with timestamps down to the second (actually microseconds or better), sorted by the -r option into reverse time order, oldest first.

# touch -t 05240000 /tmp/TIME-before
# touch -t 05280900 /tmp/TIME-after
# ls -ltr --full-time $( find . -type f -newer /tmp/TIME-before \! -newer /tmp/TIME-after )
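The same timeline query, as an added example that is not the page's own command, wrapped in a function a reader can run against a mounted image or an extracted tree. The function name is hypothetical; like the page it assumes GNU ls for --full-time. It goes slightly beyond the one-liner above by using find's -exec instead of command substitution, so long file lists and names containing spaces are handled.

```shell
#!/bin/sh
# Added example (not the page's own command): list regular files whose
# modification time falls in a window, oldest first. The function name is
# hypothetical; --full-time needs GNU ls, as on the page.

files_modified_between() {
	# files_modified_between DIR START END
	# START and END use the touch -t format [[CC]YY]MMDDhhmm[.SS].
	# A file is listed when START < mtime <= END; find's -newer is a
	# strict comparison, so a file stamped exactly at START is left out.
	dir=$1
	start=$2
	end=$3
	before=$(mktemp) || return 2
	after=$(mktemp) || return 2
	touch -t "$start" "$before"
	touch -t "$end" "$after"
	# -exec ... {} + instead of $( ... ): no argument-list overflow and no
	# word splitting on names such as "Documents and Settings".
	# ls sorts within one exec batch, so for very large trees pipe the
	# output through sort on the timestamp columns instead.
	find "$dir" -type f -newer "$before" ! -newer "$after" \
		-exec ls -ltr --full-time -- {} +
	rm -f "$before" "$after"
}

# Stand-alone use: timeline.sh /mnt/disk 201305240000 201305280900
if [ "$#" -eq 3 ]; then
	files_modified_between "$1" "$2" "$3"
fi
```

Pass a four-digit year in the timestamps when the image was taken in a different year from the analysis; the page's bare 05240000 form silently assumes the current year.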

Very little happened after 12:53 on May 24th, and I soon realized that it was just some automated software updates. Before that time things were far more interesting. It quickly became apparent that the intruder must have come in right after they left.

It seemed plausible that the intruder lived nearby and immediately broke in when he saw them leave for the weekend.

I used the URLs in the browser history, the browser cookies, and the browser cache files to try to figure out what had happened. The browser cache included recent Google searches.

The URLs in the Internet Explorer browser history are easily extracted, although without timestamps. The history is stored in a number of non-text files; use the strings command to extract the text strings recording the previously viewed URLs from:
Documents and Settings/username/Local Settings/History/History.IE5/index.dat
Documents and Settings/username/Local Settings/History/History.IE5/*/index.dat

Some of the recent URLs show where this is going:

Internet Explorer cookie files.

Browser cookies are stored in:
Documents and Settings/username/Cookies/*

Internet Explorer browser cache files are stored in:
Documents and Settings/username/Local Settings/Temp/*
Documents and Settings/username/Local Settings/Temporary Internet Files/Content.IE5/*/*

The cookie files showed that there was a little activity (3 cookies) from 10:14 to 10:34 on Friday morning, starting with two cookies from state government sites. Then there was a lot of activity (85 cookies) from 12:35 to 12:53. Some pages take a number of seconds to load, so it is difficult to determine the precise grouping of cookies to reconstruct composite page loads. But we can see the overall pattern of activity. A script like the following is useful:

#!/bin/sh
# Run from inside the Cookies directory. For each cookie file, print its
# modification date and time, its name, and the domain/path lines it
# contains, one cookie file per output line.

for F in [0-9A-Z]*
do
	[ -f "$F" ] || continue
	echo $( ls --full-time "$F" | awk '{print $6, $7}' ) "$F" $( grep '/' "$F" )
done

The output looks like this:

2013-03-18 07:05:03.000000000 2MK5BE9Z.txt microsoft.com/ microsoft.com/ microsoft.com/ microsoft.com/
2013-03-20 11:04:33.000000000 OCWGH11P.txt google.com/ google.com/
2013-04-16 12:16:11.000000000 S06EE0EK.txt google.com/verify
2013-04-22 12:22:23.000000000 RSGAANHK.txt office.microsoft.com/
[...]

Here is the initial part after simplifying the output by deleting the fractional seconds and file names, and then breaking it into just the days of interest:

Internet Explorer cookie files.

This pattern continues, gradually slowing until one last cookie is loaded at 12:53:35:

Internet Explorer cookie files.

Some of the Google searches can be retrieved. Google search result pages have a distinctive URL. If you were to search for "my example search" the URL would be something like this:
https://www.google.com/search?q=my+example+search&...
with following fields for the referring (previous) page, preferred language, etc.

Internet Explorer places these strings in files named search*.txt with hexadecimal escape codes in place of some non-alphanumeric characters, so "=" appears as \x3d and "&" as \x26. The above example URL would be recorded as:
https://www.google.com/search?sclient\x3dpsy-ab\x26q\x3dmy+example+search\x26...

I could only find cached Google searches for the last two days before the presumed intrusion. A simple script outputs the date and time stamp, the subdirectory and cache file name, and that file's contents with the search string restored to what was typed. Here is the script:

#!/bin/sh
# Usage: search-extractor CACHEFILE
# Output: date and time, the cache subdirectory and file name, and the
# search string restored to what was typed.

# First, the date/time stamp with the sub-second accuracy stripped off.
# printf rather than "echo -n", which not every /bin/sh supports:
printf '%s ' "$(ls --full-time "$1" | awk '{print $6, $7}' | sed 's/\.[0-9]*$//')"
# Then, the final directory in the full path and the file:
printf '%s ' "$(echo "$1" | awk -F/ '{printf("%s/%s", $(NF-1), $NF);}')"

# Pull the search out of the content.
# Throw away everything through "&q=", encoded as "\x26q\x3d",
# and then everything from the following "&", encoded as "\x26".
# Also change every "%20" and "+" to a blank space.
grep 'google.com.*search?.*\\x3d' "$1" |
	sed 's/.*q\\x3d//' |
	sed 's/\\x26.*//' |
	sed 's/%20/ /g' | sed 's/+/ /g'

Use this script this way:

$ find Temp* -name search\* -exec ~/bin/search-extractor "{}" \; | sort

Google sends data as it makes suggestions while you are typing the search string, and these are cached. This leads to a lot of cached partial searches when the person at the keyboard takes 23 seconds to type a 16-character phrase:

2013-05-23 07:06:18 UV2KFO9G/search[1] g
2013-05-23 07:06:20 4X634J0N/search[1] go
2013-05-23 07:06:21 9XMW27RP/search[1] gos
2013-05-23 07:06:21 HWB1QJPQ/search[1] gosp
2013-05-23 07:06:22 2PCTKBEF/search[1] gospe
2013-05-23 07:06:23 4BGRCL4H/search[1] gospel
2013-05-23 07:06:25 UV2KFO9G/search[2] gospel 
2013-05-23 07:06:34 4X634J0N/search[2] gospel b
2013-05-23 07:06:36 9XMW27RP/search[2] gospel bl
2013-05-23 07:06:37 HWB1QJPQ/search[2] gospel blue
2013-05-23 07:06:37 WV1LNPF5/search[1] gospel blu
2013-05-23 07:06:38 2PCTKBEF/search[2] gospel blueg
2013-05-23 07:06:39 4BGRCL4H/search[2] gospel bluegr
2013-05-23 07:06:40 UV2KFO9G/search[3] gospel bluegra
2013-05-23 07:06:41 4X634J0N/search[3] gospel bluegras
2013-05-23 07:06:41 9XMW27RP/search[3] gospel bluegrass

Things were becoming more clear once I reduced the output to the final submitted searches:

Google searches extracted from Internet Explorer cache files.
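Reducing the extractor output to the final submitted searches, as an added example that is not the page's script: a filter, written in awk inside a sh function with hypothetical names, that drops any line whose query is a strict prefix of a query logged within a short window afterwards on the same day, which is exactly what the autocomplete fragments look like. The sample lines are the "gospel bluegrass" burst shown above, embedded as a constructed constant.

```shell
#!/bin/sh
# Added example (not the page's own script). Input lines have the form the
# search extractor prints, "DATE TIME DIR/FILE QUERY...", sorted by time.
# A line is dropped when its query is a strict prefix of a query that
# appears within WINDOW seconds later on the same day. Names here are
# hypothetical.

final_searches() {
	# final_searches [WINDOW]   (reads lines on stdin; default 60 seconds)
	window=${1:-60}
	awk -v window="$window" '
	function secs(t,    p) { split(t, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }
	{
		n++
		line[n] = $0
		day[n] = $1
		t[n] = secs($2)
		q[n] = $0
		sub(/^[^ ]+ +[^ ]+ +[^ ]+ +/, "", q[n])   # keep only the query text
	}
	END {
		for (i = 1; i <= n; i++) {
			keep = 1
			for (j = i + 1; j <= n && keep; j++) {
				# Input is sorted, so once we leave the window we can stop.
				if (day[j] != day[i] || t[j] - t[i] > window) break
				if (length(q[j]) > length(q[i]) && substr(q[j], 1, length(q[i])) == q[i])
					keep = 0
			}
			if (keep) print line[i]
		}
	}'
}

# Constructed sample: the fragment burst shown on the page.
SAMPLE_SEARCHES='2013-05-23 07:06:18 UV2KFO9G/search[1] g
2013-05-23 07:06:20 4X634J0N/search[1] go
2013-05-23 07:06:21 9XMW27RP/search[1] gos
2013-05-23 07:06:21 HWB1QJPQ/search[1] gosp
2013-05-23 07:06:22 2PCTKBEF/search[1] gospe
2013-05-23 07:06:23 4BGRCL4H/search[1] gospel
2013-05-23 07:06:25 UV2KFO9G/search[2] gospel
2013-05-23 07:06:34 4X634J0N/search[2] gospel b
2013-05-23 07:06:36 9XMW27RP/search[2] gospel bl
2013-05-23 07:06:37 HWB1QJPQ/search[2] gospel blue
2013-05-23 07:06:37 WV1LNPF5/search[1] gospel blu
2013-05-23 07:06:38 2PCTKBEF/search[2] gospel blueg
2013-05-23 07:06:39 4BGRCL4H/search[2] gospel bluegr
2013-05-23 07:06:40 UV2KFO9G/search[3] gospel bluegra
2013-05-23 07:06:41 4X634J0N/search[3] gospel bluegras
2013-05-23 07:06:41 9XMW27RP/search[3] gospel bluegrass'

final_searches_demo() {
	# Returns the single final search from the sample burst.
	printf '%s\n' "$SAMPLE_SEARCHES" | final_searches 60
}

# Stand-alone use: search-extractor output | final_searches
# or run with the single argument "demo" to filter the sample above.
if [ "$#" -eq 1 ] && [ "$1" = demo ]; then
	final_searches_demo
fi
```

The prefix test rather than a "keep the last line of each burst" rule is what copes with the out-of-order fragment at 07:06:37 ("gospel blu" logged after "gospel blue"): both are prefixes of the later "gospel blueg", so both are dropped.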

What had really happened?

If you really cared, the other cache file names and the URLs in the history would let you largely figure out which URLs were loaded after these searches. Then the cached HTML pages and image files allowed you to see the page content.

The DOT supervisor had been very worried that an intruder really was using their computer to view illegal content, but there wasn't any. Just ugly tattooed women who looked like angry former employees of a failed carnival. Dogs wouldn't have anything to do with them.

I went back to the office building two days later and happened to arrive just as the DOT's computer contractor was arriving. He had brought a replacement computer. I asked about configuring the new system to require password authentication plus a password-protected screen lock. The compromised computer had a swipe-type fingerprint scanner, although none of the men in the building realized that's what it was or even knew that such things were available.

The contractor's weary response was that they see this sort of thing all the time. They had once tried configuring systems to require passwords. The DOT workers were continually locked out of their own systems and couldn't accomplish anything.

I told the DOT supervisor that I hadn't found any illegal content, just a sampling of unsuccessful attempts at erotica. It was very strange that the four highly portable and easily sold laptop computers hadn't been taken. I hadn't found any cached data revealing a precise identity, and I was looking for some clarification on their precise schedule.

You see, it seemed that many days started with some searches for bluegrass gospel, then it was a mixture of deck repair, central Florida and cattle ranching, undiscovered bestiality, more mundane sexual topics, and a little highway project supervision, all of it peppered with misspellings.

All at once it was a hurried "That's great, tell you what, they just brought in a replacement computer and things are all back to normal so there's no need to look any further! Thanks for what you've done but I think it's all OK now!"

Yeah.

Apparently one of the workers was within a year of retirement, and he frequently mentioned the deck maintenance project he needed to finish so he could sell the house and fulfill the dream of moving to Florida, raising cattle, and playing gospel bluegrass.

Meanwhile the DOT workers frequently left the door not only unlocked but ajar, forgot to turn off the lights, and at least once used the back bathroom and neglected to flush. And Doctor Stronger of Bloomington? He's a specialist in plastic surgery and pain control. I expected him to be a psychiatrist specializing in paraphilias.

The property owners and the police department had asked for an investigation and report, and one was produced. The last two recommendations were:

Recommendations to the building owner.

This is a common pattern...

Police Ransomware: A Multimillion Euro Business, Europol, February 2014
Police Ransomware Threat Assessment, Europol, February 2014 (PDF)

The European Cybercrime Centre at Europol published a threat assessment in February 2014, eight months after the episode described here, reporting that "Police Ransomware" had grown exponentially over the past two years. Any numbers will be approximations, and the problem is going to be grossly under-reported, but they estimate that within the European Union millions of computers had been infected and tens of thousands of ransoms had been paid, making several million Euros for criminal gangs.

Malware Analysts Study, ThreatTrack Security, November 2013 (PDF)

Ransomware software "kits" are sold in on-line forums, so attacks can be launched with no requirement for technical expertise.

ThreatTrack Security Labs did a study in November 2013 looking at malware infections of senior corporate executives' computers. Their blind survey of IT professionals who have to clean up infected executive computers found that senior leaders get malware on their system by:

Pornography Found in bin Laden Hideout, May 13, 2011
We Have Found bin Ladin's Porn, May 13, 2011
Cracking bin Ladin's Hard Drives, May 5, 2011

The New York Times reported that the team of Navy SEALs and CIA paramilitary operators who raided Osama bin Ladin's compound just down the street from Pakistan's military academy "found a trove of information and had the time to remove much of it, about 100 thumb drives, DVDs and computer disks, along with 10 computer hard drives and five computers." An unnamed U.S. official told Politico that the team had recovered "the mother lode of intelligence" and hundreds of analysts were examining it at a base in Afghanistan.

Then about a week later Reuters reported what everyone should have been expecting. "The pornography recovered in bin Laden's compound in Abbottabad, Pakistan, consists of modern, electronically recorded video and is fairly extensive."

Hackers Broke Into Syria's Secret Police Computers And Found... Porn, Nov 20 2013

A Forbes story told how a Syrian hacker intruded into the computer systems of the Mukhabarat, the dreaded secret police. He was working to expose the brutal Assad regime's use of deep packet inspection hardware made by the U.S. company Blue Coat. He found evidence of that (Blue Coat said it does not know how its hardware ended up in Syria), but along the way he also found evidence that the secret police view pornography during work hours.

Top Secret Document Reveals NSA Spied on Porn Habits As Part of Plan to Discredit "Radicalizers"

An NSA document from October 3, 2012, says "A previous SIGINT assessment report on radicalization indicated that the radicalizers appear to be particularly vulnerable in the area of authority when their private and public behavior is compared. Some of the vulnerabilities, if exposed, would likely call into question a radicalizer's dedication to the jihadist cause, leading to the degradation or loss of his authority."

The first such vulnerability cited is "Viewing sexually explicit material online or using sexually explicit language when communicating with unexperienced young girls."

NSA Utah Data Center

So, the NSA is intercepting and analyzing Internet traffic to build archives of evidence of embarrassing online behavior. If it's a general sweep of all such information, that may be why they needed to build a new data center in Utah.

The CryptoLocker malware appeared in September 2013. It encrypts files on local and network drives and then displays a message offering to decrypt the data if a payment is made. It threatens to delete the data if the payment is not made by a stated deadline. An analysis by ZDNet in December 2013 showed that US$ 27 million worth of Bitcoins had been traced to payments to the malware operators.

Some people say that paying the ransom is the only way to recover files that have not been backed up. Law enforcement routinely advises against paying ransoms.

But law enforcement agencies keep getting hit by this, losing access to critical data, and paying the ransoms.

The police department in Swansea, Massachusetts paid a ransom of $750 after CryptoLocker hit one of their computers containing sensitive data that wasn't backed up. Police computers. Sensitive data. No backups. They followed this up with claims that they were never compromised and everything is just fine now. Move along, nothing to see here.

The municipal government of Greenland, New Hampshire lost eight years worth of data. Some of their files were backed up and could be recovered, but various categories were not.

The Dickson County (Tennessee) sheriff's office paid $572 to get tens of thousands of files decrypted. They reported that "a substantial portion of the data encrypted on the report management server was able to be restored from backups" but they still had 72,000 encrypted files.

The Midlothian, Illinois police department paid $500 to a hacker.

The Tewksbury, Massachusetts police department paid a $500 ransom.

The Collinsville, Alabama police department refused to pay. They had no backups, so they never got their data back.

The Lincoln County Sheriff's Office and four towns in midcoast and northern Maine paid ransoms in April, 2015.

Police Locker on Android

The so-called "Police Locker" malware was ported to Android by May, 2014. The criminal gangs behind this, including the Nerta and Reveton groups, advertise their products. See the dontneedcoffee.com page for some interesting analysis and screenshots of the various national jurisdictions spoofed by their malware.

Update

After this episode had happened and I had created this page, ransomware grew into a worse and worse problem. Russian intelligence and organized crime (the boundary between them is vague) began aggressively using it against U.S. infrastructure.
