Daily Blog #344: Sunday Funday 6/1/14 Winner!

Sunday Funday by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader,
        The world is always full of FUD and conspiracy, so I wanted to understand the mystery surrounding the TrueCrypt website change and the rumors of a compromised binary in version 7.2. What you'll see in the winning answer is that the 7.2 binary does in fact decrypt TrueCrypt data and, as far as the testing shown goes, does nothing else except try to grab a certificate.

So while it certainly doesn't help those who want to continue using TrueCrypt, it does change the frame of reference for those who believe the site was hacked and is being used to serve malware.

The Challenge:
Download the latest release of TrueCrypt here: http://sourceforge.net/projects/truecrypt/files/TrueCrypt/TrueCrypt-7.2.exe/download and perform an analysis of the binaries to determine what, besides decrypting files, it is doing.

The Winning Answer:
Anonymous
After downloading and installing the latest release of TrueCrypt (version 7.2; SHA256=8af39ed9c2080fa9b3061fa7c0ff792f) on a Windows XP analysis system, noted the following:

1. Drops several files:

        •       TrueCrypt.lnk
        •       TrueCrypt.lnk
        •       TrueCrypt Setup.exe
        •       desktop.ini
        •       License.txt
        •       truecrypt-x64.sys
        •       TrueCrypt.exe
        •       truecrypt.sys
        •       TrueCrypt Format.exe
        •       Uninstall TrueCrypt.lnk

2. Changes to the filesystem (not comprehensive):

        •       C:\DOCUME~1\User\LOCALS~1\Temp\
        •       C:\DOCUME~1\User\LOCALS~1\Temp\Configuration.xml
        •       C:\DOCUME~1\User\LOCALS~1\Temp\Language*.xml
        •       C:\DOCUME~1\User\LOCALS~1\Temp\Setup files
        •       C:\DOCUME~1\User\LOCALS~1\Temp\TrueCrypt-7.2.exe
        •       C:\Documents and Settings
        •       C:\Documents and Settings\All Users
        •       C:\Documents and Settings\All Users\Application Data
        •       C:\Documents and Settings\All Users\Application Data\desktop.ini
        •       C:\Documents and Settings\All Users\Desktop
        •       C:\Documents and Settings\All Users\Desktop\TrueCrypt.lnk
        •       C:\Documents and Settings\All Users\Documents
        •       C:\Documents and Settings\All Users\Documents\My Music
        •       C:\Documents and Settings\All Users\Documents\My Music\desktop.ini
        •       C:\Documents and Settings\All Users\Documents\My Pictures
        •       C:\Documents and Settings\All Users\Documents\My Pictures\desktop.ini
        •       C:\Documents and Settings\All Users\Documents\My Videos
        •       C:\Documents and Settings\All Users\Documents\My Videos\desktop.ini
        •       C:\Documents and Settings\All Users\Documents\desktop.ini
        •       C:\Documents and Settings\All Users\Start Menu
        •       C:\Documents and Settings\All Users\Start Menu\Programs
        •       C:\Documents and Settings\All Users\Start Menu\Programs\TrueCrypt
        •       C:\Documents and Settings\All Users\Start Menu\Programs\TrueCrypt\TrueCrypt User's Guide.lnk
        •       C:\Documents and Settings\All Users\Start Menu\Programs\TrueCrypt\TrueCrypt Website.url
        •       C:\Documents and Settings\All Users\Start Menu\Programs\TrueCrypt\TrueCrypt.lnk
        •       C:\Documents and Settings\All Users\Start Menu\Programs\TrueCrypt\Uninstall TrueCrypt.lnk
        •       C:\Documents and Settings\All Users\Start Menu\Programs\desktop.ini
        •       C:\Documents and Settings\All Users\Start Menu\desktop.ini
        •       C:\Documents and Settings\User
        •       C:\Documents and Settings\User\Application Data
        •       C:\Documents and Settings\User\Application Data\desktop.ini
        •       C:\Documents and Settings\User\Desktop
        •       C:\Documents and Settings\User\My Documents
        •       C:\Documents and Settings\User\My Documents\My Pictures
        •       C:\Documents and Settings\User\My Documents\My Pictures\desktop.ini
        •       C:\Documents and Settings\User\My Documents\desktop.ini
        •       C:\Documents and Settings\User\Start Menu
        •       C:\Documents and Settings\User\Start Menu\desktop.ini
        •       C:\Program Files\TrueCrypt
        •       C:\Program Files\TrueCrypt\
        •       C:\Program Files\TrueCrypt\License.txt
        •       C:\Program Files\TrueCrypt\TrueCrypt Format.exe
        •       C:\Program Files\TrueCrypt\TrueCrypt Setup.exe
        •       C:\Program Files\TrueCrypt\TrueCrypt.exe
        •       C:\Program Files\TrueCrypt\\TrueCrypt User Guide.pdf
        •       C:\Program Files\TrueCrypt\truecrypt-x64.sys
        •       C:\Program Files\TrueCrypt\truecrypt.sys
        •       C:\WINDOWS\TrueCrypt Setup.exe
        •       C:\WINDOWS\system32\Drivers\truecrypt.sys
        •       C:\WINDOWS\system32\msctfime.ime
        •       C:\WINDOWS\win.ini

3. Changes to the registry (not comprehensive):

        •       CLSID\{00021401-0000-0000-C000-000000000046}
        •       CLSID\{00021401-0000-0000-C000-000000000046}\TreatAs
        •       HKEY_CLASSES_ROOT\*
        •       HKEY_CLASSES_ROOT\*\Clsid
        •       HKEY_CLASSES_ROOT\.exe
        •       HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}
        •       HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\TreatAs
        •       HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
        •       HKEY_CLASSES_ROOT\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\InProcServer32
        •       HKEY_CLASSES_ROOT\Directory
        •       HKEY_CLASSES_ROOT\Directory\
        •       HKEY_CLASSES_ROOT\Directory\CurVer
        •       HKEY_CLASSES_ROOT\Directory\\Clsid
        •       HKEY_CLASSES_ROOT\Directory\\ShellEx\IconHandler
        •       HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
        •       HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
        •       HKEY_CLASSES_ROOT\Folder
        •       HKEY_CLASSES_ROOT\Folder\Clsid
        •       HKEY_CLASSES_ROOT\SystemFileAssociations\.exe
        •       HKEY_CLASSES_ROOT\SystemFileAssociations\application
        •       HKEY_CLASSES_ROOT\exefile
        •       HKEY_CLASSES_ROOT\exefile\
        •       HKEY_CLASSES_ROOT\exefile\CurVer
        •       HKEY_CLASSES_ROOT\exefile\\Clsid
        •       HKEY_CLASSES_ROOT\exefile\\ShellEx\IconHandler
        •       HKEY_CURRENT_USER\Keyboard Layout\Toggle
        •       HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF
        •       HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF\LangBarAddIn\
        •       HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
        •       HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
        •       HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
        •       HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
        •       HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe
        •       HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
        •       HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{475c7950-e3d2-11e0-8d7a-806d6172696f}\
        •       HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{475c7952-e3d2-11e0-8d7a-806d6172696f}\
        •       HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{475c7950-e3d2-11e0-8d7a-806d6172696f}\
        •       HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{475c7952-e3d2-11e0-8d7a-806d6172696f}\
        •       HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
        •       HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
        •       HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
        •       HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
        •       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\LangBarAddIn\
        •       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MosTrace\CurrentVersion\DebugAsyncTrace
        •       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
        •       HKEY_LOCAL_MACHINE\Software\Classes
        •       HKEY_LOCAL_MACHINE\Software\Classes\.tc
        •       HKEY_LOCAL_MACHINE\Software\Classes\CLSID
        •       HKEY_LOCAL_MACHINE\Software\Classes\TrueCryptVolume
        •       HKEY_LOCAL_MACHINE\Software\Classes\TrueCryptVolume\DefaultIcon
        •       HKEY_LOCAL_MACHINE\Software\Classes\TrueCryptVolume\Shell\open\command
        •       HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
        •       HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\SystemShared
        •       HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IMM
        •       HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
        •       HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
        •       HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
        •       HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
        •       HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
        •       HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\TrueCrypt
        •       HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName
        •       HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ProductOptions
        •       HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\DefaultSecurity
        •       HKEY_USERS\S-1-5-21…
        •       HKEY_USERS\S-1-5-21…\Control Panel\Desktop
        •       HKEY_USERS\S-1-5-21…\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
        •       HKEY_USERS\S-1-5-21…_Classes
        •       \CLSID\{00021401-0000-0000-C000-000000000046}
        •       \CLSID\{00021401-0000-0000-C000-000000000046}\InprocHandler32
        •       \CLSID\{00021401-0000-0000-C000-000000000046}\InprocHandlerX86
        •       \CLSID\{00021401-0000-0000-C000-000000000046}\InprocServer32
        •       \CLSID\{00021401-0000-0000-C000-000000000046}\InprocServerX86
        •       \CLSID\{00021401-0000-0000-C000-000000000046}\LocalServer
        •       \CLSID\{00021401-0000-0000-C000-000000000046}\LocalServer32

4. During install, setup displayed a window with a warning that "TrueCrypt is not secure as it may contain unfixed security issues", "development of TrueCrypt was ended in 5/2014" as well as a suggestion to/explanation for using BitLocker to encrypt data (which is very similar to the information found on the SourceForge site).  Based on the prompts during install, the author of the code states that this version is for decrypting data (and not for encrypting data).

5. The certificate used in the setup installation did not appear to be valid; the analysis machine did not allow outbound network traffic and there were requests relating to obtaining a certificate (need to rerun again to verify if the network traffic was related).  Aside from the certificate related requests, no other network traffic was observed during and after installation.

6. No indications that the software attempts to maintain continuous persistence (need to test further but nothing observed so far).

7. After reviewing the installation file statically, noted the following imports:

        •       ADVAPI32.dll
        •       COMCTL32.dll
        •       GDI32.dll
        •       KERNEL32.dll
        •       ole32.dll
        •       OLEAUT32.dll
        •       SETUPAPI.dll
        •       SHELL32.dll
        •       SHLWAPI.dll
        •       USER32.dll

So far, have not found any deviations from what was observed during dynamic analysis and/or anything to support that the file is malicious; on the other hand, there are some additional areas to review.
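The static import review in item 7, as an added example that is not part of the winning answer or of the blog: a minimal pure-Python reader for the PE import directory, which lists the DLLs an executable imports the way the answer's import list above does. It is exercised on a constructed PE32 stub (not the TrueCrypt installer) so that it runs offline; the names pe_imported_dlls and build_sample_pe are this example's own.

```python
import struct

def _u16(b, o): return struct.unpack_from("<H", b, o)[0]
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]

def pe_imported_dlls(data: bytes) -> list:
    """Return the DLL names in the PE import directory, in table order."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = _u32(data, 0x3C)                        # e_lfanew -> "PE\0\0"
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = _u16(data, pe + 6)                   # COFF NumberOfSections
    opt_size = _u16(data, pe + 20)               # COFF SizeOfOptionalHeader
    opt = pe + 24
    magic = _u16(data, opt)                      # 0x10B = PE32, 0x20B = PE32+
    dd = opt + (96 if magic == 0x10B else 112)   # start of data directories
    imp_rva = _u32(data, dd + 8)                 # directory entry 1 = imports
    if imp_rva == 0:
        return []
    sections = []
    for i in range(nsect):                       # 40-byte section headers
        s = opt + opt_size + 40 * i
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, s + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def to_off(rva):                             # map RVA to file offset
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rva - va + rawptr
        raise ValueError("RVA 0x%x not in any section" % rva)

    dlls, off = [], to_off(imp_rva)
    while True:                                  # 20-byte IMAGE_IMPORT_DESCRIPTORs
        name_rva = _u32(data, off + 12)          # .Name; all-zero entry ends the table
        if name_rva == 0:
            break
        n = to_off(name_rva)
        dlls.append(data[n:data.index(b"\0", n)].decode("ascii"))
        off += 20
    return dlls

def build_sample_pe() -> bytes:
    """Constructed PE32 stub (sample data, not a real binary) importing two DLLs."""
    names, va, raw = [b"KERNEL32.dll\0", b"ADVAPI32.dll\0"], 0x1000, 0x200
    descs, rva = b"", va + 20 * (len(names) + 1)  # strings follow the descriptors
    for nm in names:
        descs += struct.pack("<IIIII", 0, 0, 0, rva, 0)
        rva += len(nm)
    body = descs + b"\0" * 20 + b"".join(names)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = (struct.pack("<H", 0x10B) + b"\0" * 94 + struct.pack("<IIII", 0, 0, va, len(body))
           + b"\0" * (224 - 112))                # pad remaining directories
    sect = b".rdata\0\0" + struct.pack("<IIII", len(body), va, len(body), raw) + b"\0" * 16
    return (dos + coff + opt + sect).ljust(raw, b"\0") + body
```

Run against a real installer with pe_imported_dlls(open(path, "rb").read()) and compare the output with the import list expected for a benign build.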

