
Torrentlocker - Stopping it in its tracks


  • This topic is locked
1 reply to this topic

#1 Routaran

  • Members
  • 2 posts
  • OFFLINE
  • Local time:08:54 AM

Posted 15 April 2015 - 10:49 AM

I've been working on a school project for the last couple of weeks on setting up alerts via SNORT (IDS - packet inspection software) and monitoring for malicious traffic. I downloaded copies of Torrentlocker from malwaretips.com and ran it on a VM with Wireshark capturing all the packets that came in and out of the system. Over the last 3 weeks, I've noticed a pattern.

When the malware is run, the software first does a DNS lookup for its C&C server; so far all the C&C servers I've seen in the last month were .ru addresses. Shortly after the malware finds its C&C server, it downloads a certificate which I believe the malware uses to then encrypt the data on the computer. The certificate, however, was peculiar. Normally we'd have some name, address and company listed with certificates, but this one was using the same default placeholders like "Default Name, Default City, Default Company Ltd, etc."

So I wrote SNORT rules to log alerts when it saw a DNS query for a .ru address followed by an incoming certificate with "Default Company Ltd". I would test with a copy of Torrentlocker, but it looks like all the C&C servers have been taken down and the copy that I have doesn't encrypt anything any more. I am not sure if it was in fact the certificate or something else that's missing which Torrentlocker uses to start encrypting the user's data.

Since I'm unable to simply test right now, my question is this: if I were to drop that certificate packet, will it be enough to stop Torrentlocker from encrypting data on the system?

Thanks
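The two-step pattern described in the post (a DNS query for a .ru name, then shortly afterwards an inbound certificate whose subject still carries the "Default Company Ltd" placeholders) is a cross-flow correlation, which is easier to express outside a single Snort rule. The following is an added example, not the poster's rules or TorrentLocker's code: it assumes a simplified, pre-parsed event stream (DNS queries and observed certificate subjects per internal host) and constructed sample events.

```python
"""Correlate a .ru DNS query with a later placeholder-subject certificate
seen by the same internal host within a short window.  Example code that
assumes pre-parsed events rather than raw Snort output."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

WINDOW_SECONDS = 300          # assumption: C&C fetch follows the lookup quickly
PLACEHOLDER_MARKERS = ("Default Company Ltd", "Default City", "Default Name")


@dataclass
class Event:
    ts: float    # seconds since capture start
    kind: str    # "dns" (outbound query) or "cert" (inbound certificate)
    host: str    # internal host that sent the query / received the cert
    value: str   # queried name for "dns", certificate subject for "cert"


def is_ru_query(name: str) -> bool:
    """True for names under the .ru TLD (trailing dot and case ignored)."""
    return name.rstrip(".").lower().endswith(".ru")


def is_placeholder_cert(subject: str) -> bool:
    """True when the subject still contains unconfigured default fields."""
    lowered = subject.lower()
    return any(m.lower() in lowered for m in PLACEHOLDER_MARKERS)


def correlate(events: List[Event]) -> List[dict]:
    """Emit one alert per host where a placeholder cert follows a .ru query."""
    pending: Dict[str, Tuple[float, str]] = {}   # host -> (query ts, name)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "dns" and is_ru_query(ev.value):
            pending[ev.host] = (ev.ts, ev.value)       # keep the latest query
        elif ev.kind == "cert" and is_placeholder_cert(ev.value):
            hit = pending.pop(ev.host, None)
            if hit and ev.ts - hit[0] <= WINDOW_SECONDS:
                alerts.append({"host": ev.host, "query": hit[1],
                               "subject": ev.value, "delta": ev.ts - hit[0]})
    return alerts


# Constructed sample events (placeholder names, not real indicators).
SAMPLE_EVENTS = [
    Event(0.0, "dns", "10.0.0.5", "c2-placeholder.RU."),
    Event(12.0, "cert", "10.0.0.5", "CN=Default Name, L=Default City, O=Default Company Ltd"),
    Event(20.0, "cert", "10.0.0.7", "O=Default Company Ltd"),      # no prior .ru query
    Event(900.0, "dns", "10.0.0.9", "mirror-placeholder.ru"),
    Event(2000.0, "cert", "10.0.0.9", "O=Default Company Ltd"),    # outside the window
    Event(2100.0, "cert", "10.0.0.9", "CN=mail.example.com, O=Example Corp"),
]
```

Only host 10.0.0.5 trips the correlation; a placeholder certificate alone, or one arriving long after the lookup, does not.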




#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,289 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:54 AM

Posted 15 April 2015 - 01:10 PM


A repository of all current knowledge regarding TorrentLocker is provided by Grinler (aka Lawrence Abrams), in this topic: TorrentLocker (fake CryptoLocker) Ransomware Information Guide and FAQ

More information in these articles:
* Regional distribution methods for TorrentLocker
* Analysis of ‘TorrentLocker’ – A New Strain of Ransomware Using Components of CryptoLocker and CryptoWall
* Cryptolocker variant Torrentlocker making new victims in NL
* TorrentLocker Ransomware Cracked and Decrypter has been made.

There is also an ongoing discussion in this topic: TorrentLocker Support and Discussion (CryptoLocker copycat)

Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion.

Thanks
The BC Staff