Overview
Reveton is ransomware that locks the user's PC and claims that you have done something wrong and must pay a "fine". To make this convincing, the lock screen displays key details such as your IP address, OS, computer name and a timer showing how much time you have left to comply.
Figure 1: The Dreaded Lock Screen
Once the lock screen appears, it blocks any other window from showing (explained under Achieving Lock Screen Effect): you can open Task Manager, but the lock screen will always remain the active window.
Points of Interest
The sample did not copy itself to the Windows directory, nor did it modify the Windows registry to make itself persistent: it created no "autorun" entry in the registry, did not modify the registry keys that handle window switching, and did not disable the Windows key.
Although window switching and the Windows key still work, navigating away from the spawned lock screen is futile, since the sample always returns focus to the lock screen. In this respect, at least, it is persistent.
Achieving Lock Screen Effect
So how can the sample lock the screen if no registry keys were modified and no external program was dropped to do the locking? By subclassing: replacing a window's window procedure lets you intercept every call to it, and therefore every window message, which is the "status" notification Windows delivers for an event on that window. One simple example of a window message is WM_ENABLE, which indicates whether a window is enabled.
To better illustrate this, refer to the figure below. We will focus only on the lock screen effect, so the other processes (checking whether your PaySafeCard PIN code is valid)
Figure 2: The Lock Screen Effect Flow Chart
The chart is helpful, but it does not explain why the lock does not close when you press Alt+F4. The reason is that the picture with all the ramblings about what you have supposedly done wrong is not the main window; it is just a placeholder displaying the image. The main window, or at least the window that holds the keyboard focus, is a separate window placed in front of it, in a layered approach similar to layers in Adobe Photoshop. As if that were not enough, the sample also generates dummy windows in the background to catch stray close operations.
Figure 3: The Lock Screen Layout
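The symptoms described above (one process that keeps reclaiming the foreground, and a stack of placeholder and dummy windows behind the visible image) can be observed from outside the malicious process without touching the registry. The following PowerShell script is an added example for triage on a live machine; it is not code from the original post or from the Reveton sample. It samples which process owns the foreground window while the operator tries to switch away, flags a process that holds focus in almost every sample, and then lists that process's top-level windows so invisible or untitled windows become apparent. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the function names, the sampling duration and interval, and the 90% threshold are arbitrary choices made for this example.

```powershell
# Added example (not from the original post or the Reveton sample): surface a
# process that monopolises the foreground window, then enumerate its windows.
# Assumes Windows PowerShell 5.1 / PowerShell 7 on Windows. Function names,
# sampling parameters and the 0.9 threshold are choices made for this example.

if (-not ('Win32.User32' -as [type])) {
    Add-Type -Namespace Win32 -Name User32 -MemberDefinition @'
public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
[DllImport("user32.dll")] public static extern IntPtr GetForegroundWindow();
[DllImport("user32.dll")] public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
[DllImport("user32.dll")] public static extern bool EnumWindows(EnumWindowsProc lpEnumFunc, IntPtr lParam);
[DllImport("user32.dll")] public static extern bool IsWindowVisible(IntPtr hWnd);
[DllImport("user32.dll", CharSet = CharSet.Unicode)] public static extern int GetWindowText(IntPtr hWnd, System.Text.StringBuilder lpString, int nMaxCount);
[DllImport("user32.dll", CharSet = CharSet.Unicode)] public static extern int GetClassName(IntPtr hWnd, System.Text.StringBuilder lpClassName, int nMaxCount);
'@
}

function Get-ForegroundProcessId {
    # PID of the process that owns the current foreground window.
    $hWnd = [Win32.User32]::GetForegroundWindow()
    $procId = [uint32]0
    [void][Win32.User32]::GetWindowThreadProcessId($hWnd, [ref]$procId)
    return $procId
}

function Find-FocusHog {
    # Sample the foreground owner for $Seconds while the operator presses
    # Alt+Tab / the Windows key. Returns the process that owned the foreground
    # in at least $Threshold of the samples, or $null if focus moved normally.
    param([int]$Seconds = 10, [int]$IntervalMs = 250, [double]$Threshold = 0.9)
    $counts  = @{}
    $samples = [int]($Seconds * 1000 / $IntervalMs)
    for ($i = 0; $i -lt $samples; $i++) {
        $procId = Get-ForegroundProcessId
        if ($counts.ContainsKey($procId)) { $counts[$procId]++ } else { $counts[$procId] = 1 }
        Start-Sleep -Milliseconds $IntervalMs
    }
    $top = $counts.GetEnumerator() | Sort-Object Value -Descending | Select-Object -First 1
    if (($top.Value / $samples) -lt $Threshold) { return $null }
    $proc = Get-Process -Id $top.Key -ErrorAction SilentlyContinue
    $name = if ($proc) { $proc.ProcessName } else { '<exited>' }
    $path = if ($proc) { $proc.Path } else { $null }
    return [pscustomobject]@{
        ProcessId = $top.Key
        Name      = $name
        Path      = $path
        Share     = [math]::Round($top.Value / $samples, 2)
    }
}

function Get-TopLevelWindows {
    # Every top-level window owned by $ProcessId, including invisible ones,
    # with its class name and title. A lock screen built as in Figure 3 shows
    # up as several windows, some hidden or untitled.
    param([uint32]$ProcessId)
    $found = New-Object System.Collections.Generic.List[object]
    $callback = [Win32.User32+EnumWindowsProc]{
        param([IntPtr]$hWnd, [IntPtr]$lParam)
        $owner = [uint32]0
        [void][Win32.User32]::GetWindowThreadProcessId($hWnd, [ref]$owner)
        if ($owner -eq $ProcessId) {
            $title = New-Object System.Text.StringBuilder 256
            $class = New-Object System.Text.StringBuilder 256
            [void][Win32.User32]::GetWindowText($hWnd, $title, $title.Capacity)
            [void][Win32.User32]::GetClassName($hWnd, $class, $class.Capacity)
            $found.Add([pscustomobject]@{
                Handle  = ('0x{0:X}' -f $hWnd.ToInt64())
                Visible = [Win32.User32]::IsWindowVisible($hWnd)
                Class   = $class.ToString()
                Title   = $title.ToString()
            })
        }
        return $true   # keep enumerating
    }
    [void][Win32.User32]::EnumWindows($callback, [IntPtr]::Zero)
    return $found
}

$hog = Find-FocusHog
if ($hog) {
    Write-Host "Process $($hog.Name) (PID $($hog.ProcessId)) held focus in $($hog.Share * 100)% of samples: $($hog.Path)"
    Get-TopLevelWindows -ProcessId $hog.ProcessId | Format-Table Handle, Visible, Class, Title -AutoSize
} else {
    Write-Host 'No single process monopolised the foreground window.'
}
```

Because the locked desktop may not let you type into a local console, run this from a remote PowerShell session and have someone at the keyboard attempt to switch windows during the sampling period; a process scoring near 100% with several top-level windows, some invisible or untitled, matches the layout in Figure 3. The subclassing itself is not visible this way: GetWindowLongPtr cannot retrieve the window procedure of a window owned by another process, so confirming the replaced window procedure requires a debugger attached to the process. This script only exposes the observable symptom.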
Conclusion
This sample proves that, contrary to popular belief, you do not need to modify the Windows registry to keep the user focused on the created lock screen. The author of this file is aware of current AV capabilities for tracking dropped files and registry modifications, and tried to compensate through the technique described above; it does make you wonder what the next lock screen technique will be. Perhaps we will see it soon; the timer did say I still have 1 day to give them my PaySafeCard PIN code.