Late last month the long-established German security vendor G DATA published a report describing a new ransomware Trojan named Petya. So what is this new Trojan actually doing?

0x01 Trojan overview

Technically the Trojan itself is not complicated. It is written in C, and it works by overwriting data in the first 63 sectors of the disk the system is installed on, including the Master Boot Record (MBR), so that the malicious code it has written is loaded automatically at boot. It then forces the system to restart, the machine loads the malicious code, the user's disk is encrypted, and a ransom screen is displayed. Those two sentences are enough to understand the principle of the Trojan; in practice it strikes us as simple and crude, but effective.

0x02 Code analysis

Preparations before the restart

Because the Trojan's main route of infection is network shares, the only disguise it bothers with is its icon: it is made to look like a self-extracting archive.

[screenshot: the sample's self-extracting-archive icon]

Apart from that there is no other disguise; it goes straight to the point, opening the C: volume and using DeviceIoControl to find the physical disk that holds it.

[screenshot: obtaining the physical disk behind C: via DeviceIoControl]

It then opens that physical disk with read/write access; the point of opening the disk is, of course, to write to it.

[screenshot: opening the physical disk for writing]

Everything is ready, so the real writing begins. The Trojan writes all of its data into the first 63 sectors of the disk, in four parts:

1. Modify sector 1 of the disk (cylinder 0, head 0, sector 1), i.e. its 512 bytes of content; in other words, overwrite the MBR.
2. Fill the free part of the following sectors entirely with the character "7" (hex 0x37).
3. Starting at sector 35, write the malicious code, 8192 bytes (0x2000) in total, i.e. 16 sectors.
4. Starting at sector 55, write 512 bytes of configuration data.

[screenshot: modifying the MBR]
[screenshot: filling the free space with "7"]
[screenshot: writing the malicious code]
[screenshot: writing the configuration data]

Once the writes are finished, all that remains is to restart. The Trojan does not use the childish approach of running a shutdown command; instead it calls ZwRaiseHardError in ntdll to raise a hard error and produce a blue screen, thereby forcing a restart.

[screenshot: the ZwRaiseHardError call]

Pausing the analysis to look at the disk

If we pause the analysis here and look at the disk, we can see that the first 63 sectors, MBR included, have already been modified by the Trojan and the malicious code has been added. The disk's partitions themselves, however, have not been substantially damaged. Opening the disk with a disk tool, the modified MBR and the added malicious code are clearly visible:

[screenshot: the modified MBR in a disk editor]
[screenshot: the added malicious code in a disk editor]

Looking more closely at the modified MBR code, it starts reading at sector 34, counting from 0, which is the 35th sector mentioned above; it loads that data into memory in a loop and executes it:

[screenshot: the modified MBR's sector-loading loop]

Continuing: the scene after the restart

Now let the Trojan continue. After the system blue-screens and automatically reboots, a disk-repair message appears:

[screenshot: the fake disk-repair screen]

As shown above, the system tells you that it is repairing the file system on the disk holding C:, and warns the user in capital letters (the "warning" is in English, so in this country it is rather lost on most users) not to shut down, because once you shut down all of your data is ruined. The reality? Your data is ruined whether or not you shut down, because this message is not the system's real repair program at all; it is a deceptive message written by the Trojan itself. The progress value shown below it, however, has a real meaning: it is the progress of the malicious code encrypting your disk.

The figure below shows the corresponding text found directly in the disk data modified by the virus, using a disk tool:

[screenshot: the fake repair text located in the raw disk data]
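The four-part layout the article describes (MBR at sector 1, "7" filler, 16 sectors of code from sector 35, a 512-byte configuration sector at sector 55) can be checked offline from a raw disk image, which is the kind of forensic check an incident responder would want. The script below is an added example and not code from the article or from the vendor's report; it assumes 512-byte sectors, converts the article's 1-based sector counts to 0-based LBA (35th sector = LBA 34, 55th sector = LBA 54), and assumes the "free part" filled with 0x37 is LBA 1 through 33, the gap between the MBR and the code. The two sample images are constructed in the script and contain only placeholder bytes where the loader code and configuration would be; the tool only reads, it never writes to a disk.

```python
"""
Offline check for the Petya-style first-track layout described in the article.
Added example (not the article's or vendor's code). It inspects the first 63
sectors of a raw disk image (a .dd/.raw file, or bytes a forensic tool captured
from the physical drive) and reports whether the layout matches:
  - LBA 0 (CHS 0/0/1): MBR, still ending in the 0x55AA boot signature
  - LBA 1..33: filler sectors consisting entirely of 0x37 ('7')  [assumed range]
  - LBA 34..49: 16 sectors (8192 bytes) of loader/encryption code
  - LBA 54: one 512-byte sector of configuration data
Sector numbers are our 0-based conversion of the article's 1-based counts.
"""
from dataclasses import dataclass

SECTOR = 512
FIRST_TRACK = 63                  # the Trojan confines all its writes to these sectors
FILL_BYTE = 0x37                  # ASCII '7'
FILL_RANGE = range(1, 34)         # LBA 1..33: assumed extent of the "free part"
CODE_LBA, CODE_SECTORS = 34, 16   # 8192 bytes == 0x2000 == 16 sectors
CONFIG_LBA = 54


@dataclass
class TrackReport:
    mbr_has_signature: bool
    fill_sectors: int        # how many of LBA 1..33 are pure 0x37
    code_present: bool       # any non-zero byte in LBA 34..49
    config_present: bool     # any non-zero byte in LBA 54

    @property
    def petya_like(self) -> bool:
        # All artefacts together form the layout; an untouched disk normally
        # has zeros in the gap between the MBR and the first partition.
        return (self.mbr_has_signature
                and self.fill_sectors == len(FILL_RANGE)
                and self.code_present
                and self.config_present)


def sector(image: bytes, lba: int) -> bytes:
    return image[lba * SECTOR:(lba + 1) * SECTOR]


def scan_first_track(image: bytes) -> TrackReport:
    """Inspect the first 63 sectors of a raw disk image given as bytes."""
    if len(image) < FIRST_TRACK * SECTOR:
        raise ValueError("need at least 63 sectors (32256 bytes) of image data")
    mbr = sector(image, 0)
    code = image[CODE_LBA * SECTOR:(CODE_LBA + CODE_SECTORS) * SECTOR]
    return TrackReport(
        mbr_has_signature=mbr[510:512] == b"\x55\xaa",
        fill_sectors=sum(sector(image, lba) == bytes([FILL_BYTE]) * SECTOR
                         for lba in FILL_RANGE),
        code_present=any(code),
        config_present=any(sector(image, CONFIG_LBA)),
    )


def build_clean_image() -> bytearray:
    """Constructed stand-in for an untouched disk: a bootable MBR, then zeros."""
    img = bytearray(FIRST_TRACK * SECTOR)
    img[0:4] = b"\xeb\x3c\x90\x00"        # arbitrary boot-code prologue, constructed
    img[510:512] = b"\x55\xaa"
    return img


def build_petya_like_image() -> bytearray:
    """Constructed stand-in for a disk after the Trojan's four writes.

    Only the layout is reproduced: the code and config regions hold dummy
    bytes, and the MBR keeps the clean boot code since the real loader is
    not part of this example."""
    img = build_clean_image()
    for lba in FILL_RANGE:                                  # write 2: '7' filler
        img[lba * SECTOR:(lba + 1) * SECTOR] = bytes([FILL_BYTE]) * SECTOR
    start, end = CODE_LBA * SECTOR, (CODE_LBA + CODE_SECTORS) * SECTOR
    img[start:end] = b"\x90" * (end - start)                # write 3: dummy code
    img[CONFIG_LBA * SECTOR:(CONFIG_LBA + 1) * SECTOR] = b"C" * SECTOR  # write 4
    return img


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                # python petya_track.py image.raw
        with open(sys.argv[1], "rb") as f:
            data = f.read(FIRST_TRACK * SECTOR)
    else:                                # no file: scan the constructed sample
        data = bytes(build_petya_like_image())
    report = scan_first_track(data)
    print(report, "-> petya-like layout" if report.petya_like else "-> no match")
```

Run it against an image captured with a forensic imager to get a quick triage answer; the 0x37 filler on its own is already a strong indicator, since no normal installer writes a run of "7" characters into the sectors between the MBR and the first partition, while the MBR signature check confirms the sector was rewritten as a bootable record rather than merely zeroed.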