Use of Google's Go language in malware

xiaocaiju · 2650 clicks

Reposted from: http://www.symantec.com/connect/blogs/malware-uses-google-go-language

The sample I found:

Company: GalaxyNexusRoot
File version: 3.02.2011
Internal name: GalaxyNxRoot
Original filename: GalaxyNxRoot.exe
Product name: GalaxySNxRoot
Product version: 3.02.2011

Designed in 2007 and introduced in late 2009, the Go programming language developed by Google has been gaining momentum over the past three years. It is now being used to develop malware. Recently seen in the wild, Trojan.Encriyoko is a new threat whose components are written in Go. The Trojan attempts to encrypt various file formats on compromised computers, rendering the encrypted files unusable.

The original sample we acquired, a file named GalaxyNxRoot.exe, is actually a dropper written in .NET which disguises itself as a rooting tool to trick users into installing it.

Figure 1. GalaxyNxRoot.exe properties

Once executed, the GalaxyNxRoot.exe file drops and launches two executable files, both written in Go:

  • %Temp%\PPSAP.exe
  • %Temp%\adbtool.exe
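Confirming that a dropped file really is a Go binary is the first triage step on a sample like this. The program below is an added example, not code from the original post or from Symantec, that scans raw file bytes for markers Go toolchains leave behind: the pclntab header magic (which also dates the toolchain generation), the linker's "Go build ID" stamp, and the runtime.main name that stays in pclntab for stack traces even after `-ldflags=-s -w`. It generalises beyond this sample: the magics listed cover Go 1.2 and later, so a binary from the pre-1.2 era this 2012 write-up describes would, by assumption, show at most the runtime.main marker. The bytes returned by SampleGoLikeBytes are constructed for the demo and are not taken from PPSAP.exe or adbtool.exe.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
)

// pclntabEra pairs a Go toolchain range with the pclntab header that range
// emits: a four-byte little-endian magic followed by two zero pad bytes.
type pclntabEra struct {
	Era   string
	Magic []byte
}

var pclntabEras = []pclntabEra{
	{"go1.2-1.15", []byte{0xfb, 0xff, 0xff, 0xff, 0x00, 0x00}},
	{"go1.16-1.17", []byte{0xfa, 0xff, 0xff, 0xff, 0x00, 0x00}},
	{"go1.18-1.19", []byte{0xf0, 0xff, 0xff, 0xff, 0x00, 0x00}},
	{"go1.20+", []byte{0xf1, 0xff, 0xff, 0xff, 0x00, 0x00}},
}

// String markers that survive symbol stripping: the linker's build ID stamp
// and the runtime entry point name kept in pclntab for stack traces.
var (
	buildIDMarker = []byte(`Go build ID: "`)
	runtimeMarker = []byte("runtime.main")
)

// GoSignature summarises which markers were found in a sample.
type GoSignature struct {
	PclntabEra string // "" when no pclntab magic was found
	HasBuildID bool
	HasRuntime bool
}

// IsGo requires the pclntab magic plus at least one string marker, so a stray
// 0xF?FFFFFF0000 byte run on its own does not classify a file as Go.
func (s GoSignature) IsGo() bool {
	return s.PclntabEra != "" && (s.HasBuildID || s.HasRuntime)
}

// DetectGo scans raw file bytes (PE, ELF or Mach-O; no format parsing needed)
// for the markers above. The first matching era in toolchain order wins.
func DetectGo(data []byte) GoSignature {
	var sig GoSignature
	for _, e := range pclntabEras {
		if bytes.Contains(data, e.Magic) {
			sig.PclntabEra = e.Era
			break
		}
	}
	sig.HasBuildID = bytes.Contains(data, buildIDMarker)
	sig.HasRuntime = bytes.Contains(data, runtimeMarker)
	return sig
}

// SampleGoLikeBytes builds a constructed buffer carrying the markers a
// Go 1.20+ binary would carry; it is not a real sample.
func SampleGoLikeBytes() []byte {
	var b bytes.Buffer
	b.WriteString("MZ\x90\x00 ... constructed PE-ish header ...")
	b.Write([]byte{0xff})
	b.WriteString(`Go build ID: "abc123/def456/ghi789/jkl012"`)
	b.WriteString("\n \xff")
	b.Write(bytes.Repeat([]byte{0x90}, 32))
	b.Write([]byte{0xf1, 0xff, 0xff, 0xff, 0x00, 0x00, 0x01, 0x08}) // magic, pad, quantum, ptrsize
	b.WriteString("runtime.main\x00main.main\x00")
	return b.Bytes()
}

func main() {
	data := SampleGoLikeBytes()
	if len(os.Args) > 1 { // pass a sample path to scan a real file instead
		var err error
		if data, err = os.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
	}
	sig := DetectGo(data)
	fmt.Printf("go=%v pclntab=%q buildid=%v runtime.main=%v\n",
		sig.IsGo(), sig.PclntabEra, sig.HasBuildID, sig.HasRuntime)
}
```

Run it with a file argument to scan a sample; with no argument it scans the constructed buffer. A packed or encrypted dropper will hide these markers until it is unpacked, so a negative result on a packed file says nothing.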

The dropped PPSAP.exe file is an information-stealing Trojan. It collects system information such as current running processes, user name, MAC address, etc., and posts it to the following remote location:
[http://]golang.iwebs.ws/about/step1.php

The dropped adbtool.exe file downloads an encrypted file from the following remote location:
[http://]sourceslang.iwebs.ws/downs/zdx.tgz

The downloaded file is decrypted into a dynamic-link library (DLL) and then loaded. The DLL attempts to encrypt various file formats on the compromised computer. The targeted file formats include:

  • Source code files (.c, .cpp, .cs, .php, .java, .pas, .vb, .frm, .bas, .go, .asp, .aspx, .jsp, .pl, .py, .rb)
  • Image files (.jpg, .png, .psd)
  • Audio files (.wav, .wma, .amr, .awb)
  • Archive files (.rar, .zip, .iso, .gz, .7z)
  • Document files (file extensions containing the following strings:  doc, xls, ppt, mdb, pdf)
  • Other types of files (file extensions containing the following strings: dw, dx, sh, pic, 111, win, wvw, drw, grp, rpl, mce, mcg, pag)

Figure 2. Targeted file formats

The Trojan checks each file's path so as to avoid encrypting files under certain directories, such as %Windir%, %ProgramFiles%, %UserProfile%\Local Settings, and others.
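The extension rules in Figure 2 and the path exclusions above together define what the Trojan touches, and the substring matching matters: "doc" also catches .docx, "xls" catches .xlsm, "dw" catches .dwg. As an added example (not the Trojan's code and not from the original post), the Go program below encodes those rules as a classifier a responder can run over a file listing from a compromised host to estimate the scope of the damage. The expansions of %Windir%, %ProgramFiles% and %UserProfile%\Local Settings are assumed values for an English-locale Windows XP profile named User, and the file listing in SamplePaths is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Extensions listed exactly in the write-up (source, image, audio, archive).
var exactExtensions = map[string]bool{
	".c": true, ".cpp": true, ".cs": true, ".php": true, ".java": true, ".pas": true,
	".vb": true, ".frm": true, ".bas": true, ".go": true, ".asp": true, ".aspx": true,
	".jsp": true, ".pl": true, ".py": true, ".rb": true,
	".jpg": true, ".png": true, ".psd": true,
	".wav": true, ".wma": true, ".amr": true, ".awb": true,
	".rar": true, ".zip": true, ".iso": true, ".gz": true, ".7z": true,
}

// Substring rules for documents and "other" types: the write-up says the
// Trojan matches extensions that *contain* these strings, so ".docx", ".xlsm"
// and ".pptx" are in scope even though only "doc", "xls", "ppt" are listed.
var substringRules = []string{
	"doc", "xls", "ppt", "mdb", "pdf",
	"dw", "dx", "sh", "pic", "111", "win", "wvw", "drw", "grp", "rpl", "mce", "mcg", "pag",
}

// Directories the Trojan skips. The write-up names the environment variables;
// these expansions are assumed values for an English Windows XP profile "User".
var skippedPrefixes = []string{
	`C:\WINDOWS\`,
	`C:\Program Files\`,
	`C:\Documents and Settings\User\Local Settings\`,
}

// fileExt returns the lower-cased extension including the dot, splitting on
// both path separators so the check behaves the same on a Linux analysis box.
func fileExt(path string) string {
	name := path
	if i := strings.LastIndexAny(path, `\/`); i >= 0 {
		name = path[i+1:]
	}
	if j := strings.LastIndex(name, "."); j >= 0 {
		return strings.ToLower(name[j:])
	}
	return ""
}

// ExtensionTargeted applies the exact list first, then the substring rules.
func ExtensionTargeted(ext string) bool {
	ext = strings.ToLower(ext)
	if ext == "" {
		return false
	}
	if exactExtensions[ext] {
		return true
	}
	body := strings.TrimPrefix(ext, ".")
	for _, s := range substringRules {
		if strings.Contains(body, s) {
			return true
		}
	}
	return false
}

// PathSkipped reports whether the path lies under an excluded directory.
func PathSkipped(path string) bool {
	p := strings.ToLower(path)
	for _, prefix := range skippedPrefixes {
		if strings.HasPrefix(p, strings.ToLower(prefix)) {
			return true
		}
	}
	return false
}

// WouldEncrypt is the combined per-file decision: targeted extension and not
// under a skipped directory.
func WouldEncrypt(path string) bool {
	return !PathSkipped(path) && ExtensionTargeted(fileExt(path))
}

// TriageFiles partitions a file listing into files the rules would hit and
// files they would leave alone.
func TriageFiles(paths []string) (hit, miss []string) {
	for _, p := range paths {
		if WouldEncrypt(p) {
			hit = append(hit, p)
		} else {
			miss = append(miss, p)
		}
	}
	return hit, miss
}

// SamplePaths is a constructed file listing, not taken from a real host.
func SamplePaths() []string {
	return []string{
		`C:\Documents and Settings\User\My Documents\report.docx`,
		`C:\Documents and Settings\User\My Documents\budget.xlsm`,
		`C:\Documents and Settings\User\Local Settings\Temp\cache.doc`,
		`C:\WINDOWS\system32\kernel32.dll`,
		`C:\Program Files\App\main.go`,
		`D:\src\server.go`,
		`D:\photos\holiday.JPG`,
		`D:\drawings\plan.dwg`,
		`D:\notes\todo.txt`,
	}
}

func main() {
	hit, miss := TriageFiles(SamplePaths())
	fmt.Println("would be encrypted:", hit)
	fmt.Println("left alone:", miss)
}
```

Because the substring rules are broad ("sh" matches .shtml, "win" matches anything with "win" in its extension), a real scope estimate should be run against the host's actual listing rather than guessed from the headline categories.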

The encryption uses the Blowfish algorithm. It either reads the encryption key from D:\nepia.dud or randomly generates one. The names of all of the encrypted files are then saved to the following location:
%Temp%\vxsur.bin

Restoration of the encrypted files will be difficult, if not impossible. If the key was read from D:\nepia.dud rather than generated at random, that file and the list in %Temp%\vxsur.bin should be preserved before any cleanup, since they are the only inputs a decryption attempt could use.

Symantec detects all of these files: GalaxyNxRoot.exe as Trojan.Dropper, PPSAP.exe as Infostealer, adbtool.exe as Downloader, and zdx.dll as Trojan.Encriyoko.



This article is from: CSDN blog

Thanks to the author: xiaocaiju

