
Dirtydecrypt decrypt solution


10 replies to this topic

#1 Toyman (Members, 4 posts)

Posted 30 August 2013 - 12:41 PM

Mod Edit: Moved to General Security from Malware logs, as no logs posted nor is it a needs-removal topic. ~~ boopme

Hi all. This is my first post here. I have been a computer nerd since 1962. Darn, did I really admit to that. I started my career at Cape Canaveral in 1962 as a scientific programmer. My last position was at JPM where I was an Assembler programmer on large IBM mainframes.
 
Sorry about the title but I wanted this thread to be an attention getter.
 
 
Fortunately for me, I did not get this Malware. My friend (non nerd) did and I started looking into it and discovered the following:
 
 
The files CANNOT be decrypted as they are not encrypted. The technique they used was to overlay the beginning part of the file with that "File is encrypted" message screen in PNG (Portable Network Graphics) format.

Open the affected file in NOTEPAD (make sure you select all files instead of *.txt files) and you will see the PNG header string which starts with IHDR. Then do a find (ctrl-f) and find IEND.

After the IEND will be what's left of your original file. In essence the PNG data string overlays the first 25,486 bytes of your trashed file.

Whatever program you use to open the affected file recognizes the PNG format and processes it until it encounters the IEND. The remainder of your trashed file behind the IEND is ignored.

This is the reason the properties information for the file still reflects the original data so one might think that the entire file is there.

Wikipedia has an excellent description of the PNG format. Look under "2 PNG Working Group". Wikipedia also has a good explanation on why thumbnails can be seen normally although the corrupted file is not visible.
 
http://en.wikipedia.org/wiki/Portable_Network_Graphics#PNG_Working_Group
http://en.wikipedia.org/wiki/Windows_thumbnail_cache
 
 
I will try and include a screen image of my Notepad sessions. This is the actual data placed over the destroyed files. I created this file by taking a corrupted file and removing everything after the IEND parameter.
 
The second image is a display of how the JPG file looks after the overlay is done. Note the IEND in blue followed by the JPG data.

Toyman

Ron H
 
 
Attached files: Dirtydecrypt Notepad image.jpg; Dirtydecrypt overlaying JPG file.jpg

Edited by boopme, 30 August 2013 - 01:33 PM.



#2 Zakaria888 (Members, 4 posts)

Posted 01 September 2013 - 04:05 PM

I didn't understand what you said...

It doesn't work, I even tried it.

Removed everything after the IEND parameter.... can't even open the file after I save it.

More details please!

thanks



#3 Toyman (Topic Starter, Members, 4 posts)

Posted 01 September 2013 - 06:27 PM

Apparently when Notepad saves a graphics image it makes it unrecognizable to viewer or browser programs. Even if you make no changes to the file.

 

Re-read my post. From PNG to IEND and maybe a few bytes after that is overlaid into your image or other file.

 

What you did was erase what was remaining of your original file.



#4 micnolmad (Members, 5 posts)

Posted 18 September 2013 - 06:28 AM

Toyman, I have two files that I wonder if you could take a look at? I have tried to use a hex editor to copy over the header of a healthy Word document but it didn't work. The file when opened in Word was corrupt and Word tried to fix it, with the resulting file displaying the same "file is encrypted" text. I can't remember if I did this on the same PC that was infected before we formatted it, and so the "fixing" tool might have been infected.

 

MSE has scanned them as safe, so has the F-Secure online scanner with the MSE realtime scanner disabled.

 

The files are Excel sheets from Office 2007 I think. Not sure on that though as they are from my father's PC.

 

If anyone is up to taking a look at them please let me know. They are very important, as they are work time accounts from the house being restored and without it we can't verify the bills.

 

Thanks in advance..



#5 Grinler (Lawrence Abrams, Admin, 43,541 posts, USA)

Posted 18 September 2013 - 08:25 AM

Hi and thanks for sharing the info. If you read through this thread you will see that this has been discussed before. Yes, the way image processors/viewers work is they read from the beginning of the file, detect an image format, and then read the file to the end of the image based on the image specification. Once that end is reached, in this case for PNGs it's IEND, it discards the rest of the file as garbage. DirtyDecrypt uses PNG images for image files and other types of embedded files for other file formats.

 

Unfortunately, this does not help retrieve the original file as there is some data that IS actually using some sort of encryption/modification/whatever you want to call it to the file. I have compared original files vs encrypted files and in JPGs at least there is a definite difference in the contents. It is not only that the PNG is injected into it, but there is an actual modification of the contents of the file in some manner. Call that modification whatever you want.



#6 micnolmad (Members, 5 posts)

Posted 18 September 2013 - 12:16 PM

I did read that a couple of weeks ago when the PC was first infected. I then conducted my own tests today and found evidence that either there are two versions of said virus, or my father had one virus that didn't truly encrypt and then had DD but MSE stopped it. I only saw one screenshot of MSE having DD in the quarantine, so I assumed that was the only virus at work.

My evidence is that I have opened this Excel file in a hex editor and can clearly see the old contents in plain text. How much of that is still there, being a spreadsheet with complex structure, I don't know. I am new to looking at files in hex. I am a low-degree software engineer so I do understand some of what's going on, and I am thinking if files were truly encrypted it would encrypt all the content?

#7 micnolmad (Members, 5 posts)

Posted 18 September 2013 - 12:21 PM

Oh, I think I understand what you're saying. Even if old content exists later in the file, the overwritten part is, well, overwritten and gone for good. Since our files are documents and spreadsheets, can the untouched parts be recovered?

#8 Grinler (Lawrence Abrams, Admin, 43,541 posts, USA)

Posted 18 September 2013 - 01:14 PM

If you want to submit them, I can take a look and verify for you. Can't promise anything but can't hurt.

 

Submit the file here: http://www.bleepingcomputer.com/submit-malware.php?channel=3

 

It's very possible the variant you have may be doing things differently than the variant I tested with a while back.



#9 Netghost56 (Members, 973 posts, Texas)

Posted 24 September 2013 - 09:49 AM

I would think it would be more complicated than that. After all, you can open PNG files with the right photo app (Photoshop, for one) then save as a JPG or whatever the original file was.



#10 micnolmad (Members, 5 posts)

Posted 03 October 2013 - 12:18 AM

I have uploaded a spreadsheet, the most important of all files so any kind of recovery is very very welcome. Thanks



#11 micnolmad (Members, 5 posts)

Posted 25 October 2013 - 03:56 AM

Hi..

 

Have you had time to look at the sheets?

 

Thanks





