
Alibaba Cloud exclusive technical analysis: the new Mindlost ransomware

2018-2-6 02:07 | Contributor: xiaotiger | Source: Internet


Disclaimer: This site is a non-profit public IT education site. This article was reposted by a contributor from a publicly available Internet article, with the source noted at the end. Copyright of the content and images belongs to the original site or author, and the views expressed do not represent those of this site. If there is any unintentional infringement or improper reposting, please contact us via the link at the bottom right of the site. Thank you for your cooperation.

Abstract: On January 15, the security research group MalwareHunter found the first samples of the Mindlost ransomware. The Alibaba Cloud security team analyzed the ransomware immediately. With this analysis report we hope to give industry researchers a reference point and to provide enterprises and organizations that may be affected with ...

On January 15, the security research group MalwareHunter found the first samples of the Mindlost ransomware.

The Alibaba Cloud security team analyzed the ransomware as soon as it appeared. With this report we hope to give industry researchers a reference point and to offer security advice to enterprises and organizations that may be affected.

I. Overview

After analysis, the Alibaba Cloud security team found that once run, the malware "hides" itself and then, in the background, encrypts files under the victim's Users directory with AES-128 using a randomly generated key. Any file whose extension is .txt, .jpg, .png, .pdf, .mp4, .mp3, .c or .py is encrypted directly, and the ransom demanded for decryption is 200 US dollars. The ransom note image displayed after encryption completes is shown below:

Affected enterprises and individuals are directed to pay the ransom by credit card through an online website.

According to the information disclosed so far, the ransomware has not been actively distributed at scale, and its severity does not approach that of WannaCry or Petya. The Alibaba Cloud security team believes it is ransomware that is still under development.

Judging from the changes between samples, however, new versions and variants may follow. We will keep tracking it and update our protection and handling advice for this ransomware.

II. Technical analysis

1. The execution flow of the Mindlost ransomware is as follows:

2. Implementation details:

Mindlost is a program written in C#. The author additionally ran the code through the Agile.NET obfuscator (whose runtime library is AgileDotNetRT.dll), obfuscating all of the code to make decompilation harder. The individual features are implemented as follows:

a. Writes itself to the registry so that it runs at startup:

b. Detects whether it is running inside a virtual machine:

c. Checks whether the victim machine has already been encrypted: if the victim's UUID is already present in the author's server database and the ransom has not been paid, the victim is not encrypted again.

d. The code that generates the random AES key is as follows:

e. Enumerates every file under the victim's C:\Users directory. A file whose extension is .txt, .jpg, .png, .pdf, .mp4, .mp3, .c or .py is encrypted, and the encrypted copy is given the .enc suffix. Files located under the "Windows", "Program Files" or "Program Files (x86)" directories are skipped. Finally, the unencrypted originals under C:\Users are deleted.

f. When encryption completes, the AES key is uploaded to the author's server (AES is a symmetric cipher, so the key that encrypted the files is the same key needed to decrypt them). The code is as follows:

g. Downloads the image that prompts the victim to pay and sets it as the victim's desktop wallpaper. The code is as follows:
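The targeting rules in items d and e (a fixed extension list, a .enc suffix on the encrypted copy, and three skipped system directories) are enough to write a scoping script for incident response. The following Python is an added example written for this page, not code from the malware or from Alibaba Cloud's analysis: it walks a directory tree with the same exclusions the malware applies, picks out files named `<name>.<targeted extension>.enc`, and uses Shannon entropy to separate real ciphertext from files that merely carry the suffix. The sample tree it builds under a temporary directory is constructed test data, and the 7.0 bits-per-byte threshold is an assumption.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Targeting rules as described in the analysis above.
TARGET_EXTS = {".txt", ".jpg", ".png", ".pdf", ".mp4", ".mp3", ".c", ".py"}
SKIP_DIRS = {"windows", "program files", "program files (x86)"}
ENC_SUFFIX = ".enc"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext, low for padding or text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def matches_victim_pattern(path) -> bool:
    """True for names like 'report.pdf.enc': .enc appended to a targeted extension."""
    path = Path(path)
    if path.suffix.lower() != ENC_SUFFIX:
        return False
    return Path(path.stem).suffix.lower() in TARGET_EXTS


def find_encrypted(root, entropy_threshold: float = 7.0, sample_bytes: int = 4096):
    """Walk `root` with the malware's own directory exclusions and return
    (relative_path, entropy, looks_encrypted) for every candidate file."""
    root = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune the directories the malware skips (case-insensitive, as on NTFS).
        dirnames[:] = [d for d in dirnames if d.lower() not in SKIP_DIRS]
        for name in filenames:
            path = Path(dirpath) / name
            if not matches_victim_pattern(path):
                continue
            with open(path, "rb") as fh:
                entropy = shannon_entropy(fh.read(sample_bytes))
            hits.append((path.relative_to(root).as_posix(),
                         round(entropy, 2),
                         entropy >= entropy_threshold))
    return sorted(hits)


def build_sample_tree(root) -> None:
    """Constructed test data (not real victim files): a fake user profile."""
    root = Path(root)
    files = {
        "Documents/notes.txt.enc": os.urandom(4096),   # looks encrypted
        "Pictures/photo.jpg.enc": os.urandom(4096),    # looks encrypted
        "Documents/empty.txt.enc": b"\x00" * 4096,     # .enc name but not ciphertext
        "Desktop/readme.md.enc": os.urandom(4096),     # .md is not a targeted extension
        "Windows/system.txt.enc": os.urandom(4096),    # lives in a skipped directory
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def demo():
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_encrypted(tmp)


if __name__ == "__main__":
    for rel, entropy, encrypted in demo():
        print(f"{rel:32} entropy={entropy:5.2f} encrypted={encrypted}")
```

Run as a script it reports three candidates: the two random-content files flag as encrypted, the zero-filled one does not, the .md file is ignored because its original extension is not targeted, and the file under Windows is never visited. Note the limit of the entropy check: compressed media such as .jpg and .mp4 already sit near 8 bits per byte before encryption, so for those the .enc name combined with the missing original is the stronger signal.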

III. C&C address analysis

While analysing the code we found the database server the malware connects to (the database.windows.net suffix is the Azure SQL Database endpoint domain), together with the hard-coded username and password:

Data Source=victimssqlserver.database.windows.net;
user id=daniel;
password=Lifsgledi979

Ransom payment site: http://Mindlost.azurewebsites.net (hosted on Azure App Service; already offline at the time of writing)

IV. Additional information and protection advice

So far the Alibaba Cloud security team has obtained six Mindlost sample files. Timestamp analysis shows the earliest compile time is 2018-01-15, and that sample was not yet obfuscated.

The version compiled on 2018-01-25 had been obfuscated, but all samples still contain debug information, the most sensitive item being the PDB file path "/Users/danielohayon/Documents/Mindlost/Mindlost/Mindlost/Encryptor/obj/Debug/Encryptor.pdb". This is where the name Mindlost comes from, and the path also contains the username danielohayon (the /Users/<name>/ prefix is the macOS home-directory layout, which suggests the project was built on a Mac). This supports the view that the ransomware was discovered by security researchers while still under development.

Of course, it cannot be ruled out that the author left this path deliberately to mislead analysts.
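The credentials in section III, the compile timestamps and the PDB path all come from plain static inspection of the binary. The following Python is an added example, not Alibaba Cloud's tooling: it reads the COFF TimeDateStamp for the compile time, parses CodeView RSDS debug records for the PDB path, and searches for the connection string in both the raw bytes and UTF-16LE, because .NET string literals are stored as UTF-16LE in the assembly's #US heap and a plain ASCII `strings` pass misses them. The input blob is constructed for the example: a minimal MZ/PE header with an invented GUID and a made-up 2018-01-15 timestamp, followed by the PDB path and the connection string quoted on this page.

```python
import re
import struct
import uuid
from datetime import datetime, timezone

# Connection-string shape seen in the sample: Data Source / user id / password.
CONN_RE = re.compile(
    r"Data Source\s*=\s*([^;\x00]+?)\s*;\s*user id\s*=\s*([^;\x00]+?)\s*;\s*password\s*=\s*([^;\s\x00]+)",
    re.IGNORECASE,
)

# Values quoted on this page; used here only to build the constructed test blob.
PDB_PATH = "/Users/danielohayon/Documents/Mindlost/Mindlost/Mindlost/Encryptor/obj/Debug/Encryptor.pdb"
CONN_STR = "Data Source=victimssqlserver.database.windows.net;user id=daniel;password=Lifsgledi979"


def pe_compile_time(data: bytes):
    """Compile time from the COFF header's TimeDateStamp (UTC), or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def find_pdb_paths(data: bytes):
    """Parse CodeView RSDS records: 'RSDS' + GUID(16, little-endian) + age(4) + NUL-terminated path."""
    results = []
    for m in re.finditer(rb"RSDS", data):
        start = m.end()
        if len(data) < start + 21:
            continue
        guid = uuid.UUID(bytes_le=data[start:start + 16])
        age = struct.unpack_from("<I", data, start + 16)[0]
        end = data.find(b"\x00", start + 20)
        raw = data[start + 20:end if end != -1 else len(data)]
        if not raw or any(b < 0x20 or b > 0x7E for b in raw):
            continue  # an 'RSDS' byte run that is not followed by a printable path
        results.append((str(guid), age, raw.decode("ascii")))
    return results


def find_connection_strings(data: bytes):
    """Search the raw bytes and both UTF-16LE alignments (.NET user strings are UTF-16LE)."""
    found = set()
    views = [data.decode("latin-1")]
    for offset in (0, 1):
        views.append(data[offset:].decode("utf-16-le", errors="ignore"))
    for text in views:
        for m in CONN_RE.finditer(text):
            found.add(m.groups())
    return sorted(found)


def triage(data: bytes) -> dict:
    compiled = pe_compile_time(data)
    return {
        "compiled": compiled.isoformat() if compiled else None,
        "pdb": find_pdb_paths(data),
        "connection_strings": find_connection_strings(data),
    }


def build_sample() -> bytes:
    """Constructed stand-in for the sample (not the real binary): a minimal MZ/PE header,
    an RSDS record and the connection string stored as UTF-16LE. GUID and timestamp are made up."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                       # e_lfanew -> PE signature
    coff = b"PE\0\0" + struct.pack("<HHI", 0x14C, 3, 1515974400)  # i386, 3 sections, 2018-01-15T00:00:00Z
    guid = uuid.UUID("0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0")
    rsds = b"RSDS" + guid.bytes_le + struct.pack("<I", 1) + PDB_PATH.encode() + b"\0"
    return bytes(dos) + coff + b"\0" * 20 + rsds + b"\0" * 7 + CONN_STR.encode("utf-16-le") + b"\0\0"


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample()), indent=2))
```

On a real sample, replace `build_sample()` with the file's bytes; the UTF-16LE search is the part that matters for .NET, since `strings` without `-el` would show only the ASCII PDB path and none of the connection string.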

The Alibaba Cloud security team handles many ransomware samples like this every day, and most of them can be kept to minimal impact on the cloud through timely alerts and updates to virus signatures and defence rules. As of February 3, Alibaba Cloud customers were not affected by the Mindlost ransomware.

Original source: Alibaba Cloud Security WeChat public account
