
Android Turned Zombie: Analysis of the New "Viking Horde" Malware

Author: Check Point; translated and compiled by FB editor Sphinx. Published: 2016-05-13 20:50:33

Check Point's research team discovered a new Android malware family on the Google Play Store and named it Viking Horde. The malware performs ad fraud and can also be used for DDoS attacks, sending spam and similar tasks. At least five infected apps made it past Google Play's malware scanning.

On both rooted and unrooted devices, Viking Horde builds a botnet that uses proxied IP addresses to disguise ad clicks, so that the attackers earn money from them. A botnet is a group of devices under a hacker's control whose owners are unaware of it. Depending on the devices' computing power, the "zombies" can perform a wide range of tasks, and the larger the botnet, the more it can do.

On rooted devices, Viking Horde can deliver additional malicious payloads and thereby execute arbitrary code remotely; it also uses its root privileges to make itself hard to remove.

About the Horde

The most-downloaded app in the Viking Horde family is Viking Jump, uploaded to Google Play on April 15; it has since reached 50,000-100,000 installs. In some regional markets, Viking Jump even appeared on Google Play's list of top free apps.

The earliest submitted app was Wi-Fi Plus, submitted on March 29. Other infected apps include Memory Booster, Parrot Copter and Simple 2048. All of the apps carrying Viking Horde have very low ratings; the research team suspects this is because users noticed odd behaviour, such as the app requesting root privileges.

The botnet the attackers built spans countries all over the world. Check Point's research team obtained the distribution of victims from data collected on one of the C&C servers.

[Figure: distribution of infected devices by country. Source: Check Point Mobile Threat Research Team, May 6, 2016]

How Viking Horde works

After studying the Viking Horde code and its C&C server, the researchers drew a flow chart of the malware's operation.

1. The malware is first downloaded from Google Play. When the app launches the game, it installs several components outside the app's own directory. The component names are disguised as system-related names, such as core.bin, clib.so, android.bin and update.bin. If the device is not rooted, the components are installed to the SD card; if it is rooted, they go to root/data. One of these files is used to exchange information between the components. Another holds the names of all the generated components so that the other components can find them.

2. Next, the malware checks whether the device is rooted:

If it is, the malware launches two additional components:

app_exec: implements the communication protocol with the server.

app_exec_watch_dog: implements updating and persistence on the system. The watchdog monitors the app_exec process and restarts it when necessary.

If the device is not rooted, the malware loads the app_exec file as a shared library and calls its functions through JNI (the Java Native Interface, which lets Java code run native binaries).

In either case, once app_exec is in place it opens a TCP connection to the C&C server and starts communicating. The communication includes the following commands.

Ping: every 10 seconds the app sends the server 5 bytes, and the server replies with 5 bytes.

Update device info: sends the remaining battery level, connection type and phone number to the server.

3. The next step is to carry out the malicious function through an anonymous proxy connection. The C&C server sends a "create_proxy" command whose parameters are two IP addresses and ports. These two addresses are used to open two socket connections, one to a remote server and one to a remote target. The malware then reads the data arriving on the first socket and relays it to the target host. In this way the malware's operators can hide their own IP address.
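The "Ping" command above has a shape that is easy to hunt for in network telemetry: a fixed-size exchange (5 bytes out, 5 bytes back) repeating at a fixed interval (10 seconds) between one client and one server. The following script, added here as an example and not Check Point's code, scans flow records for exactly that pattern. The record layout (`ts,src,dst,dport,bytes_out,bytes_in`) and the sample rows are constructed for the example; the parser should be adapted to whatever flow export (NetFlow, Zeek `conn.log`, firewall log) is actually available. The payload size, period, tolerance and minimum count are parameters, so the same function can be tuned for other fixed-interval beacons.

```python
"""Flag client/server pairs whose flows are all the same tiny size and
recur at a near-constant interval, i.e. a fixed-period beacon such as
the 5-byte / 10-second "Ping" the article attributes to Viking Horde.

Added example, not Check Point's code. The flow format and the sample
rows below are constructed; adapt parse_flows() to your own export.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 beacons to 203.0.113.10 every 10 s with
# 5 bytes each way; 10.0.0.7 does ordinary, irregular traffic (its two
# 5-byte flows go to different servers, so they never form a series).
SAMPLE_FLOWS = """\
ts,src,dst,dport,bytes_out,bytes_in
1000,10.0.0.5,203.0.113.10,8080,5,5
1010,10.0.0.5,203.0.113.10,8080,5,5
1020,10.0.0.5,203.0.113.10,8080,5,5
1030,10.0.0.5,203.0.113.10,8080,5,5
1040,10.0.0.5,203.0.113.10,8080,5,5
1050,10.0.0.5,203.0.113.10,8080,5,5
1003,10.0.0.7,198.51.100.20,443,517,2048
1031,10.0.0.7,198.51.100.20,443,1200,80000
1202,10.0.0.7,198.51.100.20,443,5,5
1500,10.0.0.7,198.51.100.21,443,5,5
"""


def parse_flows(text):
    """Parse the constructed CSV flow format into a list of dicts."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        fields = dict(zip(header, line.split(",")))
        rows.append({
            "ts": int(fields["ts"]),
            "src": fields["src"],
            "dst": fields["dst"],
            "dport": int(fields["dport"]),
            "bytes_out": int(fields["bytes_out"]),
            "bytes_in": int(fields["bytes_in"]),
        })
    return rows


def find_beacons(flows, payload=5, period=10.0, tolerance=0.2, min_count=5):
    """Return {(src, dst, dport): flow_count} for pairs whose flows carry
    exactly `payload` bytes each way and recur every `period` seconds
    (mean gap within tolerance*period, jitter within tolerance*period)."""
    groups = defaultdict(list)
    for f in flows:
        if f["bytes_out"] == payload and f["bytes_in"] == payload:
            groups[(f["src"], f["dst"], f["dport"])].append(f["ts"])

    hits = {}
    for key, stamps in groups.items():
        if len(stamps) < min_count:
            continue                      # too few samples to call it periodic
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        slack = tolerance * period
        if abs(mean(gaps) - period) <= slack and pstdev(gaps) <= slack:
            hits[key] = len(stamps)
    return hits


if __name__ == "__main__":
    for (src, dst, dport), n in find_beacons(parse_flows(SAMPLE_FLOWS)).items():
        print(f"beacon candidate: {src} -> {dst}:{dport}, {n} fixed-size flows at ~10 s")
```

A real deployment would group by destination domain as well as IP, since the C&C servers in Appendix 2 are reached by name, and would raise the minimum count so that a handful of coincidental small flows does not trigger an alert.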

Botnet activity

Even when the device is not rooted, Viking Horde still turns it into a proxy that can send and receive data. The following is one infected device as recorded on the attackers' C&C server.

The remote end is the proxy's IP, while the socks IP is the C&C server's IP. The C&C server stores some information about the device, including the operating system version, battery state and GPS coordinates. In this case the device is located in the United States and its carrier is T-Mobile.

Viking C&C servers

The botnet is controlled by many C&C servers, each managing several hundred devices. The malware's primary goal is to hijack the device and use it to simulate clicks on website advertisements for money. The malware needs proxies in order to get around the advertisers' anti-fraud mechanisms.

Some user reviews also report that the app sends premium-rate SMS messages, as shown in the screenshot. The botnet can be used for a variety of purposes, including DDoS attacks, sending spam and distributing malware.

Malware persistence

The malware uses several methods to stay resident on the system. First, the components Viking Horde installs use system-related names, which makes them hard to locate and delete.

If the device is rooted, two further mechanisms are used to prevent removal:

The app_exec component monitors whether the main app still exists. If the user uninstalls the main app, app_exec decrypts a component named com.android.security and silently installs it. This component is hidden and runs after the next reboot.

The watchdog component installs updates to the app_exec component. If app_exec is deleted, the watchdog reinstalls it from the update directory.

Evidently, some users noticed this activity as well.

Additional components on rooted devices

Possibly the most dangerous feature is the update mechanism: app_exec downloads the latest binary from the server and stores it under the name app_exec_update in the /data directory.

The watchdog periodically checks whether the update file exists and replaces app_exec with it. This means Viking Horde can download a new binary whenever the server commands it, and the watchdog component then swaps it in for the running app. As a result, any remote code can be downloaded and executed on the device.

Appendix 1: App package names

com.Jump.vikingJump
com.esoft.wifiplus
com.fa.simple2048
com.android.wifiman
Com.g.o.speed.memboost
Com.f.a.android.flyingcopters

Appendix 2: C&C server list

   www[.]adautoexchange[.]com
   www[.]adexchng[.]com
   www[.]adexchnge[.]com
   www[.]adexchangetech[.]com

Appendix 3: SHA256 hashes of the infected executables

85e6d5b3569e5b22a16245215a2f31df1ea3a1eb4d53b4c286a6ad2a46517b0c
254c1f16c8aa4c4c033e925b629d9a74ccb76ebf76204df7807b84a593f38dc0
ebfef80c85264250b0e413f04d2fbf9e66f0e6fd6b955e281dba70d536139619
10d9fdbe9ae31a290575263db76a56a601301f2c2089ac9d2581c9289a24998a
a13abb024863dc770f7e3e5710435899d221400a1b405a8dd9fd12f62c4971de
1dd08afbf8a9e5f101f7ea4550602c40d1050517abfff11aaeb9a90e1b2caea1
e284a7329066e171c88c98be9118b2dce4e121b98aa418ae6232eaf5fd3ad521
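The three appendices above, together with the component names from the persistence section (core.bin, clib.so, android.bin, update.bin, app_exec, app_exec_watch_dog, app_exec_update and the dropped com.android.security package), are the indicators a defender actually has to work with. The script below, added here as an example and not Check Point's code, loads those indicators and matches them against four kinds of host observation: the output of `pm list packages`, a DNS query log, `sha256sum` output and a file listing. All four inputs are constructed for the example (the one real value is the first SHA256 from Appendix 3, paired with a made-up filename; the all-zero hash, the resolver log and the paths are invented). Two details matter in practice and are handled here: the appendix spells two package names with a capital "Com.", so matching is case-insensitive, and the C&C domains are defanged with `[.]` and must be refanged before comparison.

```python
"""Match host observations against the Viking Horde indicators from the
article's appendices and the component names from its persistence section.

Added example, not Check Point's code. The sample observations at the
bottom are constructed; the indicator lists are copied from the article.
"""
import re

# Appendix 1: package names (two are capitalised in the article).
IOC_PACKAGES = {
    "com.Jump.vikingJump", "com.esoft.wifiplus", "com.fa.simple2048",
    "com.android.wifiman", "Com.g.o.speed.memboost",
    "Com.f.a.android.flyingcopters",
}
# Appendix 2: C&C domains, defanged as printed.
IOC_DOMAINS_DEFANGED = [
    "www[.]adautoexchange[.]com", "www[.]adexchng[.]com",
    "www[.]adexchnge[.]com", "www[.]adexchangetech[.]com",
]
# Appendix 3: SHA256 of the infected executables.
IOC_SHA256 = {
    "85e6d5b3569e5b22a16245215a2f31df1ea3a1eb4d53b4c286a6ad2a46517b0c",
    "254c1f16c8aa4c4c033e925b629d9a74ccb76ebf76204df7807b84a593f38dc0",
    "ebfef80c85264250b0e413f04d2fbf9e66f0e6fd6b955e281dba70d536139619",
    "10d9fdbe9ae31a290575263db76a56a601301f2c2089ac9d2581c9289a24998a",
    "a13abb024863dc770f7e3e5710435899d221400a1b405a8dd9fd12f62c4971de",
    "1dd08afbf8a9e5f101f7ea4550602c40d1050517abfff11aaeb9a90e1b2caea1",
    "e284a7329066e171c88c98be9118b2dce4e121b98aa418ae6232eaf5fd3ad521",
}
# Component names from the persistence section. These are weak on their
# own (core.bin or clib.so could be legitimate), so they are reported as
# "suspicious" rather than as confirmed matches.
COMPONENT_NAMES = {"core.bin", "clib.so", "android.bin", "update.bin",
                   "app_exec", "app_exec_watch_dog", "app_exec_update"}
DROPPED_PACKAGE = "com.android.security"   # installed after uninstall, per the article


def refang(domain):
    """Turn 'www[.]example[.]com' into a lower-case, matchable hostname."""
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}
IOC_PACKAGES_LOWER = {p.lower() for p in IOC_PACKAGES} | {DROPPED_PACKAGE}


def match_packages(pm_output):
    """pm_output: text of `adb shell pm list packages` ('package:<name>' lines)."""
    found = []
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)", line.strip())
        if m and m.group(1).lower() in IOC_PACKAGES_LOWER:
            found.append(m.group(1))
    return found


def match_domains(dns_log):
    """dns_log: lines '<ts> <client> <qname>'; returns (client, qname) hits.
    Query names are lower-cased and a trailing root dot is stripped."""
    hits = []
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) >= 3 and refang(parts[2]).rstrip(".") in IOC_DOMAINS:
            hits.append((parts[1], parts[2]))
    return hits


def match_hashes(sha256sum_output):
    """sha256sum_output: lines '<hash>  <path>'; returns paths with known-bad hashes."""
    hits = []
    for line in sha256sum_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in IOC_SHA256:
            hits.append(parts[1].strip())
    return hits


def suspicious_files(paths):
    """Flag paths whose basename is one of the dropped component names."""
    return [p for p in paths if p.rsplit("/", 1)[-1] in COMPONENT_NAMES]


# Constructed observations (not real data).
SAMPLE_PM = """\
package:com.android.chrome
package:com.esoft.wifiplus
package:com.g.o.speed.memboost
package:com.android.security
"""
SAMPLE_DNS = """\
1462521600 10.0.0.5 www.adexchng.com.
1462521601 10.0.0.7 www.example.org
1462521602 10.0.0.5 WWW.ADEXCHANGETECH.COM
"""
SAMPLE_SHA = """\
85e6d5b3569e5b22a16245215a2f31df1ea3a1eb4d53b4c286a6ad2a46517b0c  /sdcard/Download/vikingjump.apk
0000000000000000000000000000000000000000000000000000000000000000  /sdcard/Download/benign.apk
"""
SAMPLE_FILES = ["/sdcard/core.bin", "/sdcard/Music/track.mp3",
                "/data/app_exec_update", "/system/lib/libc.so"]

if __name__ == "__main__":
    print("package matches:", match_packages(SAMPLE_PM))
    print("C&C lookups:", match_domains(SAMPLE_DNS))
    print("known-bad files:", match_hashes(SAMPLE_SHA))
    print("suspicious component names:", suspicious_files(SAMPLE_FILES))
```

Package-name and hash matches are strong enough to act on; a component-name hit should prompt a closer look at the file (and, on a rooted device, at /data for app_exec_update) rather than an automatic verdict.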
