The use of Google's Go language in malicious programs


Transferred from: http://www.symantec.com/connect/blogs/malware-uses-google-go-language

I found the sample:

Company: Galaxynexusroot
File version: 3.02.2011
Internal name: Galaxynxroot
Source file name: GalaxyNxRoot.exe
Product name: Galaxysnxroot
Product Version: 3.02.2011

Designed in 2007 and publicly released in late 2009, the Go programming language developed by Google has been gaining momentum over the past three years. It is now being used to develop malware. Recently seen in the wild, Trojan.Encriyoko is a new threat whose components are written in Go. The Trojan attempts to encrypt various file formats on compromised computers, rendering the encrypted files unusable.

The original sample we acquired, a file named GalaxyNxRoot.exe, is actually a dropper written in .NET which disguises itself as an Android rooting tool to trick users into installing it.

Figure 1. GalaxyNxRoot.exe Properties

Once executed, GalaxyNxRoot.exe drops and launches two executable files, both written in Go:

    • %Temp%\ppsap.exe
    • %Temp%\adbtool.exe

The dropped ppsap.exe file is an information-stealing Trojan. It collects system information such as the currently running processes, the user name and the MAC address, and posts it to the following remote location:
[http://]golang.iwebs.ws/about/step1.php

The dropped adbtool.exe file downloads an encrypted file from the following remote location:
[http://]sourceslang.iwebs.ws/downs/zdx.tgz

This file is decrypted into a dynamic-link library (DLL), zdx.dll, which is then loaded. It attempts to encrypt various file formats on the compromised computer. The targeted file formats include:

  • Source code files (.c, .cpp, .cs, .php, .java, .pas, .vb, .frm, .bas, .go, .asp, .aspx, .jsp, .pl, .py, .rb)
  • Image files (.jpg, .png, .psd)
  • Audio files (.wav, .wma, .amr, .awb)
  • Archive files (.rar, .zip, .iso, .gz, .7z)
  • Document files (file extensions containing any of the strings doc, xls, ppt, mdb, pdf; this substring rule also covers newer formats such as .docx, .xlsx and .pptx)
  • Other types of files (file extensions containing any of the strings dw, dx, sh, pic, 111, win, wvw, drw, grp, rpl, mce, mcg, pag)

Figure 2. Targeted file formats

The Trojan checks each file path before encrypting in order to skip files under certain directories, such as %Windir%, %ProgramFiles%, %UserProfile%\Local Settings and others, which keeps the operating system and installed programs working while user data is destroyed.
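The targeting rule described above combines three checks: a directory deny-list, an exact-match list of extensions, and a substring rule for the document and "other" groups. Responders scoping an incident tend to under-count the substring rule (".docx" is hit because it contains "doc"; ".shtml" is hit because it contains "sh"). The following is an added example, not code from the Symantec write-up or from the malware itself, that reproduces the filter in Go, the language the malware's components are written in, and runs it over a constructed file listing. The expanded values of %Windir%, %ProgramFiles% and %UserProfile%, the sample paths, and the names Profile and Targeted are assumptions for illustration; the deny-list is only the three directories the write-up names, not the full list the Trojan uses.

```go
package main

import (
	"fmt"
	"strings"
)

// Exact extensions listed in the write-up for source code, image, audio and
// archive files. Lower-cased because Windows file names are case-insensitive.
var exactExts = map[string]bool{
	".c": true, ".cpp": true, ".cs": true, ".php": true, ".java": true, ".pas": true,
	".vb": true, ".frm": true, ".bas": true, ".go": true, ".asp": true, ".aspx": true,
	".jsp": true, ".pl": true, ".py": true, ".rb": true,
	".jpg": true, ".png": true, ".psd": true,
	".wav": true, ".wma": true, ".amr": true, ".awb": true,
	".rar": true, ".zip": true, ".iso": true, ".gz": true, ".7z": true,
}

// Substring rules for document and "other" types: an extension is targeted if
// it contains one of these strings anywhere, so .docx, .xlsm and .pptx match
// even though only doc, xls and ppt are listed.
var substringExts = []string{
	"doc", "xls", "ppt", "mdb", "pdf",
	"dw", "dx", "sh", "pic", "111", "win", "wvw", "drw", "grp", "rpl", "mce", "mcg", "pag",
}

// Profile holds the environment values the path filter is built from
// (assumed layout; the real Trojan reads them from the infected host).
type Profile struct {
	WinDir, ProgramFiles, UserProfile string
}

// normalize lower-cases a Windows path and unifies slashes so that prefix
// comparisons behave like the case-insensitive NTFS namespace.
func normalize(p string) string {
	return strings.ToLower(strings.ReplaceAll(p, "/", `\`))
}

// excludedPrefixes expands the three skipped locations the write-up names.
// %UserProfile%\Local Settings is the XP-era layout; the write-up says the
// real list contains "others" that are not reproduced here.
func (p Profile) excludedPrefixes() []string {
	return []string{
		normalize(p.WinDir) + `\`,
		normalize(p.ProgramFiles) + `\`,
		normalize(p.UserProfile) + `\local settings\`,
	}
}

// extOf returns the lower-cased extension (with the dot) of the final path
// element, or "" if there is none. Dots inside directory names are ignored.
// It handles Windows separators itself so it also works on a Linux analysis box.
func extOf(path string) string {
	n := normalize(path)
	if i := strings.LastIndex(n, `\`); i >= 0 {
		n = n[i+1:]
	}
	if i := strings.LastIndex(n, "."); i >= 0 {
		return n[i:]
	}
	return ""
}

// Targeted reports whether the filter would select path for encryption and
// which rule decided it.
func Targeted(path string, p Profile) (bool, string) {
	n := normalize(path)
	for _, pre := range p.excludedPrefixes() {
		if strings.HasPrefix(n, pre) {
			return false, "skipped: under excluded directory " + pre
		}
	}
	ext := extOf(path)
	if ext == "" {
		return false, "skipped: no extension"
	}
	if exactExts[ext] {
		return true, "exact extension " + ext
	}
	for _, s := range substringExts {
		if strings.Contains(ext, s) {
			return true, fmt.Sprintf("extension %s contains %q", ext, s)
		}
	}
	return false, "extension " + ext + " not in target list"
}

func main() {
	// Constructed sample listing; not taken from a real infected host.
	p := Profile{WinDir: `C:\Windows`, ProgramFiles: `C:\Program Files`, UserProfile: `C:\Users\alice`}
	samples := []string{
		`C:\Users\alice\Documents\report.docx`,
		`C:\Users\alice\Pictures\holiday.JPG`,
		`C:\Users\alice\Desktop\backup.tar.gz`,
		`C:\Users\alice\src\main.go`,
		`C:\Program Files\Go\src\fmt\print.go`,
		`C:\Windows\System32\drivers\etc\hosts`,
		`C:\Users\alice\Local Settings\Temp\cache.zip`,
		`C:\Users\alice\notes.txt`,
		`C:\Users\alice\README`,
	}
	for _, s := range samples {
		hit, why := Targeted(s, p)
		fmt.Printf("%-5v %-48s %s\n", hit, s, why)
	}
}
```

Note that the deny-list is applied before the extension check, so a .go file under %ProgramFiles% is spared while the same file under the user's home directory is encrypted; when scoping damage from a file listing, walk the user and data volumes, not the system directories.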

The encryption uses the Blowfish algorithm. The key is either read from D:\nepia.dud or, if that file is absent, randomly generated. The names of all encrypted files are then saved to the following location, which gives responders a ready-made inventory of the affected files:
%Temp%\vxsur.bin

Restoration of the encrypted files is difficult, if not impossible.

Symantec detects these files as follows: GalaxyNxRoot.exe as Trojan.Dropper, ppsap.exe as Infostealer, adbtool.exe as Downloader, and zdx.dll as Trojan.Encriyoko.
