Joint Strike Force against Dorifel

The computer virus Dorifel became the past three days a very prominent news item as it was on a rampage, infecting as many computers as possible on both government and private networks. IT personnel were stressed out since there were next to no virus signatures to detect the malware.

The inconvenience felt by the general public grew fast as many town’s civil services, like the issuing of passports, had to be taken offline for damage control: Dorifel had encrypted most Excel and Word documents and converted them into executable files.

The result was that many government staff had to blow the dust of the old fashioned typewriters again as they were asked to leave their computers switched off in an attempt to stop the outbreak in its tracks.

Photo by Marcel van Hoorn (ANP)

The creativity of cybercriminals is endless and they do their utmost to stay hidden, bypass antivirus protection, slow down malware research and do something new. Knowing that most antivirus products will first focus on malware blocking only, we figured at the start of the outbreak that there will be no readily available solution soon to recover the millions of affected documents (which prolongs the exposure of sensitive data to the cybercriminals).

Teaming Up with Emsisoft
While we were investigating the outbreak, we also spoke with Fabian Wosar of Emsisoft who was immediately keen to help. He recently created tooling to combat the ACCDFISA and Reveton ransomware families and conveniently had a few boiler plate functions laying around to speed up development of a dedicated remediation tool.

We immediately setup an extra examination environment in our office in Hengelo for Fabian to remotely work on with us, gathered malicious objects and affected documents and started to analyze the malware’s code and behaviors. The task was to find out how the seized documents were encrypted, if there was a way to recover them and, if possible, create a special tool that people can use to recover their documents.

Working Around The Clock
After working from Wednesday evening into Thursday morning on August 9th, Fabian was ready to offer everybody a free to use decryption tool which is available from our special support page:

From this spot we would again like to thank Fabian Wosar for working with us on such short notice and helping everybody, especially the Dutch people, in limiting the effects of this attack.

To continue, we would like to share some interesting details that we encountered using the images below.

Image: Word, Excel and application files are automatically altered and renamed by the Dorifel malware. Notice the ? which is in fact unicode character 202E (aka RTLO right-to-left-override character) which causes the infected file to show up in Windows as ‘Contractrcs.doc’ to fool users the file is still a document.

Image: The encrypted ‘documents’ contains movie phrases and references to TV shows.

Image: The +++scarface+++ marker indicating the start of the encrypted data, which represents the original document.

Image: The pseudo code of the encryption/decryption loop.

Image: The assembly code of the encryption/decryption loop.

Image: Dorifel communicating on the network. Notice it queries for a local machine named KASPERSKY. More important, notice the internet traffic with the pin= parameter, where Dorifel tries get additional payload. Since it first tries to connect to Microsoft’s Update Service (which is hardcoded in the malware) we think that the attackers were also planning to redirect Windows update traffic. The domain is currently sinkholed.

Image: Dorifel connecting to the website for Command & Control information.

Image: Every 1500 seconds Dorifel is retrieving a seemingly harmless ‘Breaking Bad’ season 5 poster (jpeg).

Image: The ‘Breaking Bad’ jpeg image contains hidden encoded Command & Control data. Dorifel stores it in a .dat file in its own folder under &appdata%, e.g. C:\Documents and Settings\User\Application Data\S4428M\G9D8Z3.exe.dat

Image: Small extract from our database where our HitmanPro software was used to rescue AV protected computers that were infected by Dorifel. The table shows that many machines also had Zeus/Zbot/Citadel Trojans, for weeks! Note: user 4624107 had an expired license of our software, which is why the same malware was detected twice.

One Response to Joint Strike Force against Dorifel

  1. […] Voor de analyse is gebruik gemaakt van een van de twee veel voorkomende versies van het virus. Het virus is gedecompileerd en vervolgens geanalyseerd. Daarbij heeft Webwereld hulp gehad van Fox IT, beveiligingsexpert Jordy de Jong, Surfright en Fabian Wosar, CTO van Emsisoft. Wosar heeft een gratis tool beschikbaar gemaakt die de schade van het virus herstelt en sinds kort ook de softwareverwijzingen uit het Windows-register haalt. Surfright distribueert dit programma en maakte een eigen weergave van de gebeurtenissen. […]

%d bloggers like this: