REVERSING A POLYMORPHIC FILE-INFECTING RANSOMWARE presented at AtlSecCon 2016

by Raul Alvarez

Summary: Virlock is a polymorphic file-infecting ransomware. It is capable of infecting executable files while, at the same time, holding your computer hostage.
Running a single infected file is a sure way of infecting your computer all over again, and that is one of Virlock's main goals. As a ransomware, the malware makes sure that you won't be able to use your computer until you pay the ransom demand. To make our lives even harder, Virlock employs an on-demand polymorphic algorithm, so that every copy of an infected executable file differs from every other. And there is more: Virlock is not only a polymorphic file-infecting ransomware; the initial set of malware code is metamorphic in nature.
In this presentation, we will dive deep into Virlock's code to expose how it generates its metamorphic code, how it uses an on-demand polymorphic algorithm, how it infects an executable file, and every complicated algorithm it has up its sleeve. We will also look into its code structure to see how everything comes together.
A few demonstrations will be provided to show how some of its algorithms execute in the context of a debugger.
Given Virlock's code complexity, is there a way to protect against this malware? We will answer that question and more.