Image: CDC
Most of the time, fighting malware is a losing game. Malware authors create their code, distribute payloads to victims via various methods, and by the time security firms catch up, attackers make small changes in their code to quickly regain their advantage in secrecy.
It has been like this since the late 80s, when malware first appeared on the scene, and despite the claims of most security firms, it will remain like this for the foreseeable future.
Once in a while, we do get good news from security researchers or law enforcement authorities. Malware authors can slip up and get arrested, or large-scale coordinated efforts manage to bring down larger botnets.
However, not all malware operations can be hurt this way. Some cyber-criminals either reside in countries that don’t extradite their citizens or have a solid knowledge of what they’re doing.
Emotet is one of the gangs that check both boxes. Believed to operate from the territories of the former Soviet States, Emotet is also one of today’s most skilled malware groups, having perfected the infect-and-rent-access scheme like no other group.
The malware, which was first seen in 2014, evolved from an unimportant banking trojan into a malware swiss-army knife that, once it infects victims, it spreads laterally across their entire network, pilfers any sensitive data, and turns around and rents access to the infected hosts to other groups.
Today, Emotet scares IT departments at companies all over the world and has given massive headaches to the entire cyber-security industry.
Emotet’s secret bug
But under the hood, Emotet is just a piece of software — just like everything else (malware = malicious software). As such, Emotet also has bugs.
In the cyber-security industry, there’s a very dangerous moral line when it comes to exploiting bugs in malware, a line many security companies won’t cross, fearing they might end up harming the infected computers by accident.
However, a rare bug can sometimes appear that is both safe to exploit and has devastating consequences for the malware itself.
One such bug came to light earlier this year, discovered by James Quinn, a malware analyst working for Binary Defense.
The fact that Quinn discovered the bug was no accident. For the past years, Quinn’s primary job has been to hunt Emotet and keep an eye on its operations, but also, as a personal hobby, to raise awareness about this threat part of the Cryptolaemus group. (Read about Cryptolaemus’ fascinating history of hunting Emotet here.)
While trawling through the daily Emotet updates in February, Quinn spotted a change in the Emotet code — in one of the recent payloads the Emotet botnet was mass-spamming across the internet.
The change was in Emotet’s “persistence mechanism,” the part of the code that allows the malware to survive PC reboots. Quinn noticed Emotet was creating a Windows registry key and saving an XOR cipher key inside it.
Image: Binary Defense
But this registry key wasn’t only used for persistence, Quinn explained in a report that’s set to go live after this article. The key was also part of many other Emotet code checks, including its pre-infection routine.
Meet EmoCrash
Through trial and error and thanks to subsequent Emotet updates that refined how the new persistence mechanism worked, Quinn was able to put together a tiny PowerShell script that exploited the registry key mechanism to crash Emotet itself.
The script, cleverly named EmoCrash, effectively scanned a user’s computer and generated a correct — but malformed — Emotet registry key.
When Quinn tried to purposely infect a clean computer with Emotet, the malformed registry key triggered a buffer overflow in Emotet’s code and crashed the malware, effectively preventing users from getting infected.
When Quinn ran EmoCrash on computers already infected with Emotet, the script would replace the good registry key with the malformed one, and when Emotet would re-check the registry key, the malware would crash as well, preventing infected hosts from communicating with the Emotet command-and-control server.
Effectively, Quinn had created both an Emotet vaccine and killswitch at the same time. But the researcher said the best part happened after the crashes.
“Two crash logs would appear with event ID 1000 and 1001, which could be used to identify endpoints with disabled and dead Emotet binaries,” Quinn said.
In other words, if EmoCrash would be deployed across a network, it could allow system administrators to scan or set up alerts for these two log event IDs and immediately discover when and if Emotet infected their networks.
Getting EmoCrash in the hands of defenders
The Binary Defense team quickly realized that news about this discovery needed to be kept under complete secrecy, to prevent the Emotet gang from fixing its code, but they understood EmoCrash also needed to make its way into the hands of companies across the world.
Compared to many of today’s major cybersecurity firms, all of which have decades of history behind them, Binary Defense was founded in 2014, and despite being one of the industry’s up-and-comers, it doesn’t yet have the influence and connections to get this done without news of its discovery leaking, either by accident or because of a jealous rival.
To get this done, Binary Defense worked with Team CYMRU, a company that has a decades-long history of organizing and participating in botnet takedowns.
Working behind the scenes, Team CYMRU made sure that EmoCrash made its way into the hands of national Computer Emergency Response Teams (CERTs), which then spread it to the companies in their respective jurisdictions.
According to James Shank, Chief Architect for Team CYMRU, the company has contacts with more than 125 national and regional CERT teams, and also manages a mailing list through which it distributes sensitive information to more than 6,000 members. Furthermore, Team CYMRU also runs a biweekly group dedicated to dealing with Emotet’s latest shenanigans.
This broad and well-orchestrated effort has helped EmoCrash make its way around the globe over the course of the past six months.
Emotet fixes its code
In a phone interview on Aug. 14, Binary Defense senior director Randy Pargman said the tool purposely didn’t include a telemetry module as not to dissuade companies from installing it on their networks.
Binary Defense may never know how many companies installed EmoCrash, but Pargman said they received many messages from companies that prevented attacks or discovered ongoing incidents.
However, both Pargman and Quinn believe the tool had at least some impact on Emotet operations, as the tool helped drive down the number of infected bots available to Emotet operators.
Binary Defense doesn’t believe the Emotet gang ever found out about their tool, but the gang most likely knew something was wrong. Since February and through the subsequent months, Emotet iterated through several new versions and changes in its code. None fixed the issue.
Either by accident or by figuring out there was something wrong in its persistence mechanism, the Emotet gang did, eventually, changed its entire persistence mechanism on Aug. 6 — exactly six months after Quinn made his initial discovery.
EmoCrash may not be useful to anyone anymore, but for six months, this tiny PowerShell script helped organizations stay ahead of malware operations — a truly rare sight in today’s cyber-security field.
And since it’s always funny when security researchers troll malware operators, Quinn also tried to obtain a CVE for Emotet’s buffer overflow bug from MITRE, the organization that tracks security flaws across software programs.
Sadly, MITRE declined to assign a CVE to Emotet, which would have made it the first malware strain with its own CVE identifier.
Image: Binary Defense