Recent js blackmailer anti-killing skills analysis-vulnerability warning-the black bar safety net

ID MYHACK58:62201673254
Type myhack58
Reporter 佚名
Modified 2016-04-02T00:00:00


Recently many users reflect the computer in a blackmailer virus, also known as the“Locky ransomware”, the computer in documents, pictures and other important information is virus encryption. Such viral vectors for the js script by js script download remote server of the pe file, and that this pe file in the local run, so the completion of the victimized computers data encryption. According to the 3 6 0 Security Center monitoring, js blackmailer virus is mainly through a Web hang horse and phishing emails are two ways to spread, this article will the virus spread method and anti-killing techniques for analysis. 0x01 web page hang horse spread Hackers will use part of the site's vulnerability, the js blackmailer virus implanted into the web page, when a user visits a malicious Web page, the computer will automatically download and execute the virus. ! Figure 1: Sample 1 As shown in Figure 1 of the sample, it uses the hexadecimal code for a simple encryption, it decrypts it is relatively simple, the decrypted code as shown in Figure 2: ! Figure 2: the decrypted sample 1 Through the analysis of the decrypted code can be seen, it uses the IE ActiveX control to get the remote PE file, the implementation process includes downloading the file, save the file and run the file in three steps. It first create an MSXML2. XMLHTTP object to communicate with a remote server, Access server data, and then use the created ADODB. The Stream object will get the data saved to the user's TEMP directory, and finally use to create the WScript. Shell objects directly run this file. Sample 1 due to the encryption methods is relatively simple, so it is easy to be antivirus software killing, in order to be anti-killing, and its variants for more complex encryption, such as shown in Figure 3 The sample is the more popular encryption methods. ! Figure 3: sample 2 First of all it is a string definition of a daughters function, through this function to the completion of the string taken. ! Figure 4: The character of the interception operation Then in your code insert some meaningless variables were confusing, as shown in Figure 5 The variable abeUtGplX, the ojfdmCwgalh, the yHoFUfYVm and GapGRiqoRoK is starting to confuse the Code of the role. ! Figure 5: code obfuscation Finally, in order to further achieve the free killing the object, which the code will be used in keyword definitions to an array nUvahxKnc, it or the keywords and and some meaningless character combinations, or a key is split into several different characters, when in use and then the character to split or splice operation. It will also come in an array insert some meaningless characters for the code confusion, and in the execution of the script to dynamically modify the length of the array so as to remove those meaningless characters, the specific code as shown in Figure 6. ! Figure 6: Using an array for code obfuscation The sample final result of the decryption as shown in Figure 7: ! Figure 7: decrypted sample 2 0x02 message propagation Hacking by social engineering, using People's curiosity, carefully constructed a letter phishing email, the js blackmailer script into a mail attachment, when the user double-click to run the js file will be caught, common e-mail the form as shown below. ! Figure 8: phishing email 1 ! Figure 9: phishing e-mail 2 In order to achieve the anti-killing purposes, fishing message 1 in js file first with to character splitting and splicing method, since these methods already mentioned, no analysis. Secondly, it will be the main malicious code into an if conditional expression, through the call Date. getMilliseconds and WScript. The Sleep function to get a few different number of milliseconds, and then by determining which of several variables value is equal to decide whether to execute the if condition in the content, as shown in Figure 1 to 0. ! Figure 1 0: The if expression Phishing emails 1 in the sample after decryption as shown in Figure 1 1 shown in Fig. ! Figure 1 1: the decrypted sample By analyzing the encrypted code, it can be seen through phishing emails way of spreading js blackmailer and hung it to spread in different ways, it does not use ActiveX controls to be run, but choose to use the WScript object. Since the windows operating system in the wscript. exe for js script file to provide a host environment, so that when the mail is kept to the local, double-click the js file it will directly run. Phishing e-mail 2 in the sample is a phishing e-mail 1 variants, in order to achieve further anti-killing effect, which in the following several aspects have changed. First of all it of if condition expression is changed, it uses the/@cc_on @/conditional compilation, the first Kcm assigned the value of false, then the conditional compilation in the Kcm value is assigned the value true if the antivirus software is not special treatment, it's difficult to detect to the following content, the particular code shown in Figure 1 and 2. !

[1] [2] next