Security Alert BadRabbit Ransomware Avoids Russian Antivirus Vendor Dr. Web

Discussion in 'News Archive' started by omidomi, Dec 23, 2017.

  1. omidomi

    omidomi Level 61
    Trusted AV Tester

    Apr 5, 2014
    Fallout New Vegas :D
    Windows 8.1
    BadRabbit will skip the encryption process when detecting the antivirus software from Russian security firm Dr. Web and profiles users before deciding to infect.

    Security researchers are noticing something curious about Tuesday's BadRabbit ransomware outbreak. Apparently, the malicious code is built to avoid encrypting PCs running antivirus from Russian anti-malware vendor Dr. Web.

    Researchers at FireEye noticed the issue when reverse-engineering a BadRabbit malware sample. The ransomware will forgo encryption on a machine when it finds one of four antivirus processes from the Russian security firm, it said.

    Security firm Cylance found the same. BadRabbit will end attempts to spread over the victim's network and harvest the PC's passwords if Dr.Web antivirus is detected, it said.

    Why the ransomware's developer sought to avoid the Moscow-based company's software might raise eyebrows. Russia often gets blamed for some of the world's biggest cyber attacks.

    But on Thursday, the Moscow-based Dr.Web published its own findings (translated from Russian). It too discovered that BadRabbit skips the encryption process when the company's antivirus is detected on the system. The title of their post even suggests the ransomware is "afraid" of the company's products.
    However, this actually has to do with how the company's antivirus software protects a PC's master boot record -- which BadRabbit will try to encrypt.

    Instead, the ransomware will seek to avoid early detection, but will start a full disk encryption after a system reboot, Dr.Web said in its findings.

    Tom Bonner, a senior threat manager at Cylance, said he arrived at a similar conclusion.

    "I think it (BadRabbit) is trying to be as surreptitious as possible, and not raise too many flags," he said.

    To avoid raising those flags, Dr.Web isn't the only antivirus software BadRabbit will try to scan for. It'll also look for the presence of McAfee's antivirus software, Bonner said.

    If found, the ransomware will stop spreading over the victim's network, but it'll still try to encrypt the files onboard, he added.

    Others like FireEye security researcher Nick Carr find BadRabbit's avoidance of Dr.Web software suspicious. Nevertheless, Tuesday's outbreak spread across computers largely in Russia, but also spilled into Ukraine, Turkey and even Japan, according to security firms.

    BadRabbit attacked by spreading itself over a fake Adobe Flash Player update that was distributed by over a dozen hacked websites.

    That Flash update sought to trick visitors into executing the installer, which would then maliciously encrypt all the files inside the PC. To free the system, a victim would have to pay about $282 in Bitcoin.

    Who was behind the attack still isn't known. But security researchers suspect BadRabbit's creator may have been the same culprit behind another ransomware outbreak in June called NotPetya. Both attacks shared some of the same unique computer code and tactics, which is rare to find.

    Security firm FireEye is also uncovering evidence that whoever launched BadRabbit had been trying to profile its potential victims.

    Hacked websites found delivering BadRabbit had malicious Javascript code installed. That code is designed to gather data from website visitors through their browser sessions, and relay it back to a separate server.

    What data is being profiled about visitors isn't clear, but it allows BadRabbit's creator to distinguish between which visitors will be targeted with a malicious payload, FireEye's Carr said.

    That's strange behavior for a ransomware attack when most are designed to infect as many targets as possible. But it might offer an important clue to what BadRabbit was actually trying to achieve. "We have reason to suspect that this was not a truly financially-motivated attack," Carr said.
  2. askalan

    askalan Level 10
    AV Tester

    Jul 27, 2017
    This confirms my tests. I found it kind of strange that there was no warning.
  3. Omidreza.S

    Omidreza.S Level 2

    Dec 20, 2014
    Electrical engineer
    Windows 8.1
    Doctor Web
    Maybe it's from the company itself or the government. Very suspicious.
  4. tim one

    tim one Level 19
    Trusted AV Tester

    Jul 31, 2014
    Windows 10
    #4 tim one, Dec 28, 2017
    Last edited: Dec 29, 2017
    BadRabbit uses at least three components: a dropper, an encoder and a disk cryptor that is also able to perform the functions of a decryptor. Once started, the dropper loads itself into memory, saves itself to disk, runs the encoder using rundll32.exe and finally ends its own process.

    The malware collects information on the infected computer, and indeed it checks if the processes of Dr. Web are running.
    If BR sees them, it skips the first stage of the encryption, apparently to avoid premature detection, but it tries to launch the full encryption of the disk after the system reboots. Dr. Web doesn't allow modification of the MBR, so the attempt at disk encryption fails.

    Then the disk cryptor checks the arguments of its process, and if it turns out to be running without arguments, it works as a decryptor. Before starting the encryption, BR performs a series of preparatory actions, then a PC reboot task is created in the Windows Scheduler. Subsequently, the malware deletes the old task every 30 seconds and creates a new one, constantly shifting the execution time of the task. This process is likely prepared for the case in which the user deletes the malware before the disk encryption is completed.

    Then BadRabbit generates a password for the encryption, writes information about the computer in a specific structure, encrypts it with a public key, saves it in another structure that is encoded with the Base64 algorithm, and saves that in the MBR. Then BR looks for the first sector of the system disk and installs its bootloader. Later the content of this disk will be encrypted.

    A part of the code of BadRabbit comes from NotPetya. From the memory of the infected computer, the encoder, if it has the corresponding privileges, extracts one of the stored drivers.
    To start this driver, BR, in the course of the operation, tries to register a system service "cscc", and if it fails, it will try to start the DiskCryptor driver with the name "cdfs" through a registry edit.

    So as you can see, BadRabbit is very complex, even using recycled code.

    Edit: sorry, it was BR for BadRabbit, not BD (brain fart) :p
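A defender-side check for the two behaviours tim one describes, the reboot task that is deleted and re-created every 30 seconds and the "cscc"/"cdfs" driver registration, written as an added example for this thread rather than taken from it or from Dr.Web's report; the log format, the task name reboot_task and the driver path are constructed placeholders:

```python
"""Detect BadRabbit-style scheduled-task churn and DiskCryptor service
registration in constructed process-creation events (not real telemetry):
(ISO timestamp, image name, command line)."""
import re
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    ("2017-10-24T14:00:00", "schtasks.exe", '/Create /SC once /TN reboot_task /TR "shutdown.exe /r /f /t 0" /ST 14:05'),
    ("2017-10-24T14:00:30", "schtasks.exe", "/Delete /F /TN reboot_task"),
    ("2017-10-24T14:00:31", "schtasks.exe", '/Create /SC once /TN reboot_task /TR "shutdown.exe /r /f /t 0" /ST 14:06'),
    ("2017-10-24T14:01:01", "schtasks.exe", "/Delete /F /TN reboot_task"),
    ("2017-10-24T14:01:02", "schtasks.exe", '/Create /SC once /TN reboot_task /TR "shutdown.exe /r /f /t 0" /ST 14:06'),
    ("2017-10-24T14:01:40", "sc.exe", "create cscc type= kernel start= demand binPath= C:\\PLACEHOLDER\\drv.sys"),
    ("2017-10-24T14:01:45", "reg.exe", r"add HKLM\SYSTEM\CurrentControlSet\Services\cdfs /v ImagePath /d C:\PLACEHOLDER\drv.sys /f"),
    ("2017-10-24T15:00:00", "schtasks.exe", "/Create /SC daily /TN Backup /TR backup.exe /ST 02:00"),
]

def find_task_churn(events, window_s=120, min_ops=4):
    """Task names with at least min_ops schtasks /Create or /Delete calls inside
    any window_s-second span; legitimate software rarely rewrites one task that often."""
    ops = {}
    for ts, image, cmd in events:
        name = re.search(r"/TN\s+(\S+)", cmd, re.I)
        if image.lower() == "schtasks.exe" and name and re.search(r"/(Create|Delete)\b", cmd, re.I):
            ops.setdefault(name.group(1).lower(), []).append(datetime.fromisoformat(ts))
    hits = {}
    for name, times in ops.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while times[start] < t - timedelta(seconds=window_s):  # slide window start forward
                start += 1
            count = end - start + 1
            if count >= min_ops:
                hits[name] = max(hits.get(name, 0), count)
    return hits

DRIVER_NAMES = ("cscc", "cdfs")  # names from the thread; cdfs also shadows Windows' CD-ROM file system driver

def find_driver_registration(events):
    """sc.exe service creation or a Services registry edit using one of the reported names."""
    hits = []
    for ts, image, cmd in events:
        low, img = cmd.lower(), image.lower()
        for name in DRIVER_NAMES:
            if img == "sc.exe" and re.search(r"\bcreate\s+" + name + r"\b", low):
                hits.append((ts, img, name))
            elif img == "reg.exe" and "\\services\\" + name in low:
                hits.append((ts, img, name))
    return hits
```

Real Sysmon or EDR process-creation records carry the same three fields, so the two functions can be fed a parsed export directly; the daily Backup task shows that a single /Create is not flagged.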
  5. Opcode

    Opcode Level 24
    Content Creator

    Aug 17, 2017
    Windows 10
    I agree with @tim one, and the fact that DiskCryptor was used made everything ten times worse because DiskCryptor relies on a kernel-mode component, which could potentially provide the ability to over-power current security solutions installed on the system.

    The thing that interests me is that the developers used DiskCryptor, but didn't try to abuse other device drivers belonging to other software packages like Process Hacker (kprocesshacker.sys) or CPU-Z. Both of those are potentially vulnerable targets; I recall being shown an article a while back where a game cheater exploited the CPU-Z driver to access processes it shouldn't have, despite kernel-mode self-protection mechanisms. I don't think it was ever fixed either, bad bad CPU-Z...
  6. tim one

    tim one Level 19
    Trusted AV Tester

    Jul 31, 2014
    Windows 10
    #6 tim one, Dec 29, 2017
    Last edited: Dec 29, 2017
    Yeah, good point @Opcode, and another strange thing is that BR uses the Mimikatz utility (like NotPetya) to intercept the passwords of the open sessions in Windows. Depending on the bitness of the OS, it decompresses the matching version of the utility, saves it with an arbitrary name in the folder C:\Windows, and starts it. Then it searches for writable network folders and tries to open them using the credentials obtained, saving a copy of itself there.

    After it has performed all the preliminary operations, BR creates a task that will restart the computer. During the completion of the session, BadRabbit clears the system log.

    GitHub - gentilkiwi/mimikatz: A little tool to play with Windows security