Google’s Go programming language seems to have found an appreciative niche user base – among cyber criminals.
The compiled language created by search giant Google was used to write several sections of the file-destroying Encriyoko Trojan horse, researchers at Symantec have stated.
Go is a compiled programming language. It was developed by Google in an attempt to combine the positive features of dynamic languages such as Python with the stability of other compiled languages like C++. An open source programming environment, Go is intended to permit rapid development speed while delivering high performance. Introduced in 2009, it has not enjoyed an enormous uptake; however, those working in Go are enthusiastic about its potential.
Once downloaded and installed on a Windows PC, the Trojan utilizes the Blowfish algorithm to encrypt every file that matches a particular set of criteria. These include files that do not have a certain character string in their names or which do have other specific strings; files within a certain broad range of sizes; or which have certain file extensions.
The encryption key used to obfuscate the file data may be drawn from a file on the D: drive; alternatively, it may be generated randomly. If this key cannot be retrieved, it may be extremely difficult – even impossible – to decrypt the files and recover the data. This makes Encriyoko potentially a very destructive Trojan.
Researchers state that it’s unclear exactly why the Trojan’s creators have opted to use Go. It’s not one of the more widely used languages and there appears to be no compelling reason to select this particular language over other, more common ones; it does not seem to have any special features that would make it attractive to those involved in developing Encriyoko.
One theory is that those responsible for Encriyoko may be working under the assumption that a less mainstream language may make analyzing and defeating the Trojan more complicated, helping to stymie reversal efforts. In this, experts say, they are unlikely to be correct: components written in Go will not be significantly harder to analyze and will not be any more resistant to reversal.
Another possibility is that the developers simply happen to be Go users who were more comfortable with that particular language than others. While there are no features that make Go a superior choice for creating Trojans, it does offer positive benefits for development in general. The team behind Encriyoko may have selected Go for its speed and flexibility.
Whatever the reason, the unknown virus writers may have unwittingly created extra publicity for what has been a little-explored language. Whether others will be encouraged to experiment with Go for more legitimate purposes remains to be seen, however.
Researchers from Symantec have warned that the Encriyoko Trojan is currently loose in the wild. It typically masquerades as a utility for rooting Samsung smartphones, a process that involves removing the controls that prevent users from installing unauthorized software on their phones. Rooting allows custom operating systems to be used on smartphones in place of manufacturer approved ones, which in turn allows the installation of unauthorized applications.
Clare Edwards is a freelance tech writer based in the UK and contributor to Degreejungle.com a resource for university students. When not reading about the latest gadgets and software developments, she enjoys amateur electronics and hiking.