


We have recently been facing a huge outbreak of a new Petya-like malware armed with an infector similar to WannaCry. The research is still in progress, and the full report will be published soon. In this post, we will focus on some new important aspects of the current malware.

The low-level attack works in the same style as the first Petya, described here. As before, the beginning of the disk is overwritten by the malicious Petya kernel and bootloader. When the malicious kernel is booted, it encrypts the Master File Table with Salsa20 and in this way makes the disk inaccessible. The code from Petya's kernel didn't change much, but the new logic implemented in the high-level part (the Windows executable) changed the malware's mission. In the past, after paying the ransom, the victim's Salsa key was restored and, with its help, the Petya kernel was able to decrypt the Master File Table. Now, the necessary key seems to be lost for eternity. Thus, the malware appears to have only damaging intentions.

Let's have a look at the implementation and discuss the details. A small bug in the Salsa20 implementation has been found. Unfortunately, it is not significant enough to help restore the key.

The low-level attack affecting the Master File Table hasn't changed since Goldeneye. The Salsa20 algorithm that was implemented incorrectly in the early versions of Petya, and caused it to be cracked, was fixed in version 3 (read more here). Now it looks almost the same as in Goldeneye (that was the 4th step in the evolution) and it does not seem to have any significant bugs. Thus, once the data is encrypted, having the valid key is the only way to restore it.

Here's a comparison of the changes in the code between the current version and the Goldeneye one. Looking inside the code, we can see that the significant changes have been made only to the elements responsible for displaying the screen with information.

Another subtle, yet interesting change is in the Salsa20 key expansion function. Although the Salsa20 algorithm itself was not altered, there is one keyword that got changed in comparison to the original version.
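To show why a changed keyword in the key expansion matters for recovery, here is an added Salsa20/20 implementation (written for this post, not Malwarebytes' or the malware's code) in which the 16-byte constant that the standard key expansion places into the state is a parameter. The post does not quote the variant's altered value, so `ALTERED` below is a constructed placeholder, and the key, nonce and "MFT" bytes are constructed sample inputs.

```python
import struct

SIGMA = b"expand 32-byte k"    # standard Salsa20 constant for 256-bit keys
ALTERED = b"placeholder-cnst"  # placeholder only; NOT the variant's real constant

def _rotl32(v, c):
    return ((v << c) & 0xFFFFFFFF) | (v >> (32 - c))

def _quarterround(x, a, b, c, d):
    # Salsa20 quarterround applied in place to four words of the 16-word state
    x[b] ^= _rotl32((x[a] + x[d]) & 0xFFFFFFFF, 7)
    x[c] ^= _rotl32((x[b] + x[a]) & 0xFFFFFFFF, 9)
    x[d] ^= _rotl32((x[c] + x[b]) & 0xFFFFFFFF, 13)
    x[a] ^= _rotl32((x[d] + x[c]) & 0xFFFFFFFF, 18)

def salsa20_block(key, nonce, counter, constant=SIGMA):
    """One 64-byte Salsa20/20 keystream block. Key expansion spreads the
    constant over state words 0, 5, 10 and 15, so a different constant
    yields a different keystream even with the same key and nonce."""
    assert len(key) == 32 and len(nonce) == 8 and len(constant) == 16
    c = struct.unpack("<4I", constant)
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    state = [c[0], k[0], k[1], k[2], k[3], c[1], n[0], n[1],
             counter & 0xFFFFFFFF, (counter >> 32) & 0xFFFFFFFF,
             c[2], k[4], k[5], k[6], k[7], c[3]]
    x = list(state)
    for _ in range(10):  # 10 double rounds (column round, then row round)
        for a, b, c_, d in ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),
                            (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)):
            _quarterround(x, a, b, c_, d)
    return struct.pack("<16I", *((a + b) & 0xFFFFFFFF for a, b in zip(x, state)))

def salsa20_xor(key, nonce, data, constant=SIGMA):
    """Encrypt or decrypt (the same operation) by XORing with the keystream."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = salsa20_block(key, nonce, i // 64, constant)
        out += bytes(p ^ s for p, s in zip(data[i:i + 64], ks))
    return bytes(out)

def recovery_check(key, nonce, plaintext):
    """Encrypt sample data as a variant with an altered constant would, then
    try to recover it with a tool built for the standard constant and with
    one that knows the variant's constant. Only the latter succeeds."""
    encrypted = salsa20_xor(key, nonce, plaintext, ALTERED)
    return {
        "standard_constant_recovers": salsa20_xor(key, nonce, encrypted, SIGMA) == plaintext,
        "variant_constant_recovers": salsa20_xor(key, nonce, encrypted, ALTERED) == plaintext,
    }
```

The practical consequence for responders is that a decryptor must be initialised with the constant the variant actually uses, and those 16 bytes in the kernel's key expansion routine are a cheap way to tell one Petya build from another.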
