I've been working on a school project for the last couple of weeks on setting up alerts via SNORT (IDS - packet inspection software) and monitoring for malicious traffic. I downloaded copies of Torrentlocker from malwaretips.com and ran it on a VM with Wireshark capturing all the packets that came in and out of the system. Over the last 3 weeks, I've noticed a pattern.
When the malware is run, the software first does a DNS lookup for its C&C server; so far all the C&C servers I've seen in the last month were .ru addresses. Shortly after the malware finds its C&C server, it downloads a certificate, which I believe the malware uses to then encrypt the data on the computer. The certificate, however, was peculiar. Normally we'd have some name, address and company listed with certificates, but this one was using the same default placeholders like "Default Name, Default City, Default Company Ltd, etc."
So I wrote SNORT rules to log alerts when it saw a DNS query for a .ru address followed by an incoming certificate with "Default Company Ltd". I would test with a copy of Torrentlocker, but it looks like all the C&C servers have been taken down and the copy that I have doesn't encrypt anything any more. I am not sure if it was in fact the certificate or something else that's missing which Torrentlocker uses to start encrypting the user's data.
Since I'm unable to simply test right now, my question is this: if I were to drop that certificate packet, will it be enough to stop Torrentlocker from encrypting data on the system?
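The two detections the post describes, written out as Snort 2.9 rules (an added example, not the poster's own rules). The sids, messages and `$HOME_NET`/`$EXTERNAL_NET` variables are assumptions; the byte patterns are the standard DNS header/QNAME layout and the literal organization string from the post. Note that Snort flowbits live on a single flow, so "DNS query followed by certificate" cannot be expressed as one rule: the two alerts have to be correlated by source host in the console or SIEM.

```snort
# Constructed example rules (not from the original post). Snort 2.9 syntax.

# Rule 1: outbound DNS standard query (flags 0x0100, QDCOUNT 1) whose QNAME
# ends in the label "ru" followed by the root label, i.e. a *.ru lookup.
alert udp $HOME_NET any -> any 53 (msg:"POLICY DNS query for .ru domain"; \
    content:"|01 00 00 01|"; offset:2; depth:4; \
    content:"|02|ru|00|"; fast_pattern; \
    classtype:policy-violation; sid:1000001; rev:1;)

# Rule 2: server-to-client TLS data carrying an X.509 subject with the
# placeholder organization seen in the post. Only works while the
# Certificate handshake message is sent in cleartext (TLS 1.2 and below).
# "Default City" / "Default Company Ltd" are also the openssl.cnf defaults
# on some Linux distributions, so expect benign hits from other self-signed
# certificates generated with those defaults; treat this as a lead, not proof.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC placeholder X.509 subject Default Company Ltd in TLS certificate"; \
    flow:to_client,established; \
    content:"Default Company Ltd"; fast_pattern; \
    classtype:trojan-activity; sid:1000002; rev:1;)
```

With Snort running inline, replacing `alert` with `drop` on rule 2 discards the matching segment (and its retransmissions, which match again), which is the packet-drop experiment the question asks about; `reject` additionally resets the TCP session.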