On Friday one of my customers became infected with CryptoLocker. Sadly, he also then sent me an email saying “PS. I am backing up again now, in case that saves some more of my files.”
Which was exactly NOT what to do when you have an infected computer. Even if he didn’t run the backup software, just connecting the drive got it encrypted anyway.
So with no further safeguards on his data he is in the process of paying the ransom. During this time I decided to dig a little deeper. The command and control server that CryptoLocker is connected to is a Kimsufi server at OVH in France on 126.96.36.199.
I port scanned it. It appears to be a Windows server. nmap reported the following results:
Nmap scan report for ks3279883.kimsufi.com (188.8.131.52)
Host is up (0.016s latency).
Scanned at 2014-03-08 08:55:12 EST for 5s
Not shown: 990 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp filtered microsoft-ds
3389/tcp open ms-term-serv
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
58080/tcp open unknown
Device type: general purpose
Running: Microsoft Windows Vista|2008|7
While trying to dig a little deeper and trying to telnet to port 49152 I accidentally typoed and telnetted to port 59152. To my amazement I was greeted with “RFB 003.008” – The VNC banner.
I thought... this will be a laugh, let’s try and guess the password. I ran VNC and connected to the port. Instead of being prompted for a password I was instantly shown someone’s desktop! A computer somewhere in the UAE direction.
Eventually I even came across my own customer’s infected computer. What astonished me was that the desktop I saw via the C&C server was not what I was seeing on my own Remote Access, nor what the customer was seeing on the physical screen. Somehow the infection is spawning a private desktop.
Given what a slick operation CryptoLocker seems to be, I’m amazed that these are just wide open and drifting in the breeze.
- They wanted 0.7 BTC sent to 13RUPViE1ix2CeeGbZEp4bKLfy3GAwtkbE. It seems the CryptoLocker criminals accept 0.6999 BTC [as the customer didn’t know about transaction charges when they bought BTC].
- Each VNC connection produces a brand new ‘desktop’. If you close the session and load it again all windows are back to blank.
- VNC services start at port 58000 and higher, as far as I’ve found.
- Some ports in the same range respond but don’t seem to announce what service they are.
- If you use the run command to launch iexplore (Internet Explorer) it force-launches with the switches -nomerge and -resetdestinationlist. (A slight mistake in their programming means that if you use the run command to do “iexplore http://www.bing.com”, Internet Explorer loads trying to visit http://www.bing.com-nomerge.)
– Point of Sale PC, Toronto Canada
– Home computer Canada
– Home user usa
– Honda dealership – Canada
– UK Based
– UK BT IP / Renault dealer?
– USA Dentist
– French shipping (cargo ships) company
– My customer, UK
– Audio company – USA
– Cargo company Canada
– Healthcare, USA
– Taxi firm, UK
– Car body shop, UK
– Major office furniture company, USA (web browsing goes via messagelabs too!). High value corp. network.
– Home PC, Germany
– Food oil trading company, USA
– Home PC, Unknown Country
Update – 9th March 2014:
Some time overnight (UK Time) the C&C server was taken offline. The infected customer computer is now busy trying to send SYN packets to the server that no longer exists while still reporting that payment is waiting for validation.
Worrying news... and I hope it reconnects to a new C&C server soon so that payment can be validated and the key provided. Such a pain. The re-download link on the background picture on the computer also results in a 404 Not Found message.
I’ve also chucked one of the encrypted files onto the http://f2d2v7soksbskekh.onion Tor hidden service website in the hope that they see payment has been made and will provide the key.
Update – 10th March 2014:
The program was trying to connect to the old dead C&C server, so I killed and reloaded both the CryptoLocker exe files. It initially tried to connect to torrentclub.eu! Then it did a POST to kxdcqtsiocjwykv.org.
After about 2 hours the decryption process started! Phew. I do wonder if it would have reconnected to a new C&C server without a kill / reload or reboot.