justinkendra - Fotolia
Petya malware behavior may change based on AV installed
Researchers found changes in malware behavior when Petya detected certain security products, but experts are unsure why these features might exist.
Researchers found differences in malware behavior when Petya-like ransomware detected certain security products, but it's unclear why this might be.
Bogdan Botezatu, senior e-threat analyst for Bitdefender, based in Romania, noted in a white paper that the Petya malware -- also referred to as NotPetya, GoldenEye, ExPetr and PetrWrap, among others, by various sources -- used a different process when attacking a system that has Kaspersky security products on it.
"This process has been inaccurately reported by the research community as potentially destructive to the data stored on the disk drive. This is wrong, as the first 10 sectors of the disk only hold the Master Boot Record [MBR] and nine other empty sectors," Botezatu wrote in the research. "If AVP.exe (a process related to Kaspersky security solutions) is identified on the infected machine, the malware simply overwrites the MBR -- a reversible operation that can be counteracted by booting from an installation medium, then issuing the FIXMBR command. As this command replaces the MBR with a valid one but does not fix the partition table (partition is still missing), victims have to use dedicated software to reference the partition in the partition table, then root FIXBOOT to recover the lost sector of the Windows Boot Manager."
Matt Suiche, founder of Comae Technologies, based in Dubai, United Arab Emirates, had done extensive research on the Petya ransomware when it first appeared and confirmed this finding on Twitter. Costin Raiu, director of the global research and analysis team for Kaspersky Lab, based in Moscow, also confirmed the finding and suggested a potential reason for the malware behavior change.
To avoid getting detected too early by the system watcher and getting the process terminated.— Costin Raiu (@craiu) July 12, 2017
Botezatu said this explanation from Raiu might be accurate, but it didn't quite add up.
"I would have seen the benefit of that if the malware checked for the presence of avp.exe and would overwrite a much larger chunk of the hard drive in response, so it can inflict serious damage," Botezatu told SearchSecurity. "This routine was very carefully written -- there are no hardcoded processes to look for, but rather hashes of processes that require reverse engineering and a lot of time to figure out what processes the malware is looking for. I doubt that whoever authored this routine wrote the detection part artfully just to mess up a couple of lines below in the disk-trashing function."
Botezatu suggested this malware behavior may have been designed to waste the time of researchers or perhaps to protect the threat actors themselves.
"Because of the aggressive pace at which this malware spreads in conjunction with the fact that it does not discern between targets, it is possible attackers wanted to make sure their own computers did not get ransomed if the malware broke loose into their own network," Botezatu said.
Raiu claimed Kaspersky security products were not the only ones that triggered a change in the Petya malware behavior.
yes, it avoided using Eternalblue exploits if Symc products were detected for a similar reason.— Costin Raiu (@craiu) July 13, 2017
However, Botezatu said his research showed mentions of Symantec products, but that was all he could determine.
"The malware is looking for two processes associated with Symantec security solutions (NS.exe and ccSvcHst.exe), but as far as I know, these processes don't alter the way the malware behaves," Botezatu said.
Suiche said he didn't find any evidence of Petya malware changes when encountering Symantec products either in research by Microsoft or his own research.
Learn tips on how to avoid being hit by ransomware.
Find out other ways the Petya malware is moving toward higher sophistication.
Get info on how a backdoor in tax software allowed the Petya spread.