Ignore already infected victim #4
Comments
Adding a key to the registry that holds the information is a good idea, for example: Infected: True. The malware at first run will add the registry value "Infected: True", then it starts to ask the server about the pubkey and a bitcoin address; it then saves them to the registry as Pubkey: , BTCAddr: . Then, after encryption completes, it will finally add the values Encrypted: True, Paid: False. What do you think 💭
Read my mind; Go already has a package for interacting with the Windows registry: https://godoc.org/golang.org/x/sys/windows/registry. I think this is a better approach than a simple hidden file.
Yes, simple and easy 👍
Ok, but what if the user adds the keys to the registry himself so that he can't be infected?
@azastrael yes, I thought of that. Another possible way is to MD5 a combination of some hardware serials and maybe some system, but this also is not good as some of those values change and/or can be changed by the user. Using this MD5 we can contact the C2C and check if it is already infected/exists in the database.
Using a hardware ID, like from the HDD or BIOS serial number. Like: https://groups.google.com/forum/#!topic/golang-nuts/pKuFQxAy4P4
The malware needs a way to recognize if the current user is already infected and skip before triggering the encryption process.
My idea is something like a "lock file", a hidden file or whatever, created by the malware after finishing the encryption process. This file will store the encryption id to make it possible for the malware to retrieve some information from the C&C server (this will be implemented later), and obviously after the victim unlocks the files it needs to be removed.
I will leave this issue open for discussion and ideas