
Abstract

Wednesday 30 September 14:00 - 14:30, Green room

Vlad Craciun (Bitdefender)
Andrei Nacu (Bitdefender)
Mihail Andronic (Bitdefender)

Win32.Virlock, with all its variations, is both a new kind of file infector and ransomware (screen-locker) at the same time. In this paper, we aim to cover the techniques used by this virus and discuss methods that can be used to detect and disinfect systems affected by it.

Virlock uses several techniques, including code obfuscation, staged unpacking, random API calls and large/redundant areas of decrypted code, to make it difficult to analyse. It also protects its code by decrypting only the sequences that are going to be executed. After a sequence of code is executed, Virlock encrypts it again. By staggering the decryption/encryption process, it ensures that a memory dump at a certain point will not reveal its features but only the piece of code that is being executed at that time.

There is also a moment in its first execution when it shifts its shape by changing certain instructions and encryption keys so that new generations will look different. Each new infection is different from any other, mostly because of the time-stamps that play an important role in computing the encryption keys. Having these protection methods will also make any clean-up attempt quite a challenge. The disinfection process for this virus involves searching inside malware code for specific instruction arrangements.

We will present some ideas that could help in detecting and disinfecting a Virlock-infected system.
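The abstract's central analysis point is that staggered decrypt/execute/re-encrypt defeats any single memory dump. The following Python simulation is an added illustration of that point and is not code from the authors or from Virlock itself: it models a toy code image of four placeholder regions, derives a per-region XOR keystream from a timestamp (an assumption standing in for the time-stamp-dependent keys the abstract mentions), and shows that a dump taken while one region runs exposes exactly that region, while merging dumps taken at each execution step recovers the whole image. The `visible_regions` check compares against known plaintext, which an analyst would not have; it is a stand-in for whatever heuristic (entropy, known instruction patterns) a real tool would use.

```python
import hashlib

# Constructed toy "code image": four regions, each a placeholder byte string
# standing in for a sequence of instructions (not real Virlock code).
REGIONS = [b"region-0:init", b"region-1:unpack",
           b"region-2:lock-screen", b"region-3:infect"]


def region_key(timestamp, index, length):
    """Per-region keystream derived from a timestamp and region index.
    Assumption: the abstract only says time-stamps feed key computation;
    this SHA-256 counter-mode derivation is illustrative, not Virlock's."""
    seed = f"{timestamp}:{index}".encode()
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(data, key):
    return bytes(a ^ b for a, b in zip(data, key))


def encrypted_image(timestamp):
    """Image at rest: every region encrypted under its own key."""
    return [xor(r, region_key(timestamp, i, len(r))) for i, r in enumerate(REGIONS)]


def snapshot_while_executing(timestamp, step):
    """Memory as it looks while region `step` runs: only that region is
    decrypted; the others are still (or again) encrypted."""
    image = encrypted_image(timestamp)
    image[step] = xor(image[step], region_key(timestamp, step, len(image[step])))
    return image


def visible_regions(image):
    """Indices of regions that are in plaintext in this snapshot.
    Stand-in check: compares to the known plaintext of the toy image."""
    return {i for i, r in enumerate(image) if r == REGIONS[i]}


def merge_snapshots(snapshots):
    """Union of every plaintext region seen across a series of dumps."""
    recovered = {}
    for image in snapshots:
        for i in visible_regions(image):
            recovered[i] = image[i]
    return recovered


def single_dump_coverage(timestamp, step):
    """How many regions one dump, taken during step `step`, reveals."""
    return len(visible_regions(snapshot_while_executing(timestamp, step)))


def multi_dump_coverage(timestamp):
    """How many regions are recovered by dumping at every execution step."""
    snaps = [snapshot_while_executing(timestamp, s) for s in range(len(REGIONS))]
    return len(merge_snapshots(snaps))


if __name__ == "__main__":
    ts = 1443621600  # constructed timestamp
    for s in range(len(REGIONS)):
        print(f"dump during step {s}: {single_dump_coverage(ts, s)} region(s) visible")
    print(f"merged dumps: {multi_dump_coverage(ts)} of {len(REGIONS)} regions recovered")
    print("two timestamps give different images:",
          encrypted_image(ts) != encrypted_image(ts + 1))
```

The last check mirrors the abstract's remark that each infection looks different because the timestamp feeds the keys: the same plaintext regions yield different ciphertext for two timestamps, so static byte signatures over the encrypted body are unreliable and detection has to target the code that is in plaintext at the moment it runs, or the decryption routine itself.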
