The past year has been one of expansion for ransomware. Throughout 2012, an increasing number of blog posts, tutorials and forum threads appeared explaining how to regain access to ransomware-locked computers without paying the ransom.

The authors of the Reveton ransomware know that the persistence of their malware on a system is limited not only by antivirus products but also by users who try to remove the threat themselves. Not every infection results in a paid ransom, so the Reveton authors have an additional way of monetizing a successful infection: password stealing.

Reveton uses exploit kits such as Blacole as its infection vector. The following graph, for example, shows the sharp increase in Reveton infections after the Java exploit for CVE-2013-0422 was adopted by exploit kits in January 2013.


Figure 1: MAPS telemetry on a dropped Reveton component.

Once an exploit kit has installed Reveton on a system, the ransomware starts contacting its command and control (C&C) server. It downloads information about the system's external IP address, such as the Internet provider, city and country.

It additionally downloads a DLL that renders the lock screen (Figure 3). The downloaded information is compressed and stored in a container at %APPDATA%\<random name>.pad so that it is available offline; this file is therefore a useful artifact to look for when triaging a suspected infection.


Figure 2: Reveton communication with a C&C server.

The malware is also equipped with its own portable executable (PE) loader, so it can load the DLL directly from the container rather than relying on the Windows loader to map a DLL file from disk.
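Because the lock-screen DLL is carried inside the .pad container and mapped by the malware's own loader, an analyst has to get it out of the container themselves. The following is an added example written for this post, not code from the MMPC analysis: it carves PE images out of a blob using only the standard PE header layout, slices out the on-disk form of each image, and lists *.pad files directly under %APPDATA%. It assumes the container has already been decompressed (the post does not describe the .pad format or its compression), and the sample container it runs on is constructed inline, not a Reveton sample.

```python
"""Carve PE images (such as a lock-screen DLL) out of a decompressed
container blob and list *.pad files under %APPDATA%.

Added example; not code from the MMPC post and not part of the malware.
The .pad format is undocumented on the page, so this works on bytes the
analyst has already decompressed (or on any raw blob)."""
import os
import struct

DOS_MAGIC = b"MZ"
PE_MAGIC = b"PE\x00\x00"
IMAGE_FILE_DLL = 0x2000            # COFF Characteristics flag
IMAGE_FILE_MACHINE_I386 = 0x14C
MAX_E_LFANEW = 0x1000              # heuristic: DOS stubs are small


def parse_pe_at(blob, off):
    """Describe the PE image at blob[off], or return None when the headers
    there are not self-consistent (stray 'MZ' bytes are common in blobs)."""
    if blob[off:off + 2] != DOS_MAGIC or off + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    pe_off = off + e_lfanew
    if e_lfanew > MAX_E_LFANEW or pe_off + 24 > len(blob):
        return None
    if blob[pe_off:pe_off + 4] != PE_MAGIC:
        return None
    # 20-byte COFF file header follows the PE signature
    (machine, nsections, _ts, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", blob, pe_off + 4)
    sect_off = pe_off + 24 + opt_size
    if nsections == 0 or nsections > 96 or sect_off + 40 * nsections > len(blob):
        return None
    sections = []
    for i in range(nsections):
        s = sect_off + 40 * i
        name = blob[s:s + 8].rstrip(b"\x00").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", blob, s + 8)
        sections.append({"name": name, "va": va, "vsize": vsize,
                         "raw_ptr": raw_ptr, "raw_size": raw_size})
    return {"offset": off, "machine": machine,
            "is_dll": bool(characteristics & IMAGE_FILE_DLL),
            "sections": sections}


def carve_pe_images(blob):
    """Return a description of every plausible PE image embedded in blob."""
    found = []
    pos = blob.find(DOS_MAGIC)
    while pos != -1:
        info = parse_pe_at(blob, pos)
        if info:
            found.append(info)
        pos = blob.find(DOS_MAGIC, pos + 1)
    return found


def extract_image(blob, info):
    """Slice the on-disk form of a carved image: headers through the end of
    the last section's raw data."""
    end = max(s["raw_ptr"] + s["raw_size"] for s in info["sections"])
    return blob[info["offset"]:info["offset"] + end]


def find_pad_containers(appdata=None):
    """List *.pad files directly under %APPDATA%, the location the post
    gives for the Reveton container. Returns [] if the directory is absent."""
    appdata = appdata or os.environ.get("APPDATA", "")
    if not os.path.isdir(appdata):
        return []
    return sorted(os.path.join(appdata, n) for n in os.listdir(appdata)
                  if n.lower().endswith(".pad"))


def build_fake_dll():
    """Constructed minimal PE32 DLL with one .text section, for offline
    testing only. Synthetic data, not a Reveton sample."""
    dos = DOS_MAGIC + b"\x00" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 0xE0,
                       0x0002 | 0x0100 | IMAGE_FILE_DLL)           # EXECUTABLE|32BIT|DLL
    opt = struct.pack("<H", 0x10B) + b"\x00" * (0xE0 - 2)          # PE32 magic, rest zeroed
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x10, 0x1000, 0x10, 0x200,
                       0, 0, 0, 0, 0x60000020)
    hdr = dos + PE_MAGIC + coff + opt + sect
    return hdr + b"\x00" * (0x200 - len(hdr)) + b"\xC3" * 0x10      # raw .text at 0x200


def sample_container():
    """Constructed stand-in for a decompressed container: a stray 'MZ' in a
    fake 16-byte header, then the DLL, then trailing bytes."""
    return b"MZ junk header  " + build_fake_dll() + b"\x00" * 8


if __name__ == "__main__":
    for path in find_pad_containers():
        print("container:", path)
    for img in carve_pe_images(sample_container()):
        kind = "DLL" if img["is_dll"] else "EXE"
        print(f"{kind} at offset {img['offset']:#x}, machine {img['machine']:#x}, "
              f"sections {[s['name'] for s in img['sections']]}")
```

The stray "MZ" in the constructed header is rejected because its e_lfanew does not point at a PE signature, which is the check that keeps a carver from producing junk on real containers; the carved image can then be written out and analysed like any other DLL.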

The user now faces the lock screen and tries to regain access to the system, while the Reveton trojan continues its work in the background.


Figure 3: German localized locked screen.

The trojan downloads the password-stealer component from the C&C server and runs it in memory. The code that reads the passwords appears to be shared between multiple families and might be derived from the Win32/Ldpinch family.


Figure 4: Code similarity from left to right: PWS:Win32/Fareit.A, PWS:Win32/Karagany.A, PWS:Win32/Reveton.B.

The Reveton authors added their own custom protocol, which begins with a 0x29a command. This is the same initial packet that the Trojan:Win32/Reveton component sends to initiate communication with the C&C server, so the password stealer and the ransomware component share the same C&C handshake.


Figure 5: PWS:Win32/Reveton.B authentication command.

PWS:Win32/Reveton.B can steal passwords for a comprehensive selection of file downloaders, remote control applications, FTP, poker, chat and e-mail clients, as well as passwords stored by browsers and in protected storage.

However, because the trojan can load almost any DLL the C&C serves on the fly, this list may change at any time.

Our advice: before you become a victim of a Reveton infection, spend a few minutes eliminating the likely infection vectors by updating the software components targeted by drive-by downloads. Install all relevant Microsoft security updates and update browser plug-ins such as Java and Flash Player.

There are more details on how to do this on our software updates page. If you ever encounter a Reveton infection, make sure you change all your passwords after you have eliminated the infection, preferably from a machine you know is clean, because the password-stealer component may already have sent the stored ones to the attackers.

There are also more technical details about the Reveton threat on our encyclopedia page for the family.

Stefan Sellmer

MMPC