Sunday, December 18, 2016

How to protect yourself from the new generation of viruses that leave no physical files on the hard drive

Viruses have started to appear that no longer create files on the HDD.
In some cases they do create a few files on the HDD, but these are deleted as soon as they are loaded into RAM, so antivirus detection is fairly poor, especially since the latest Poweliks variants keep all their code random and obfuscated (base64/ASCII/PowerShell script) stored in the registry.

Their protection does not rely on NTFS permissions but rather on NULL values written into the registry, so manually deleting their registry keys will end in an error.

For those interested in these new techniques, see the links below:
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/evolution-of-poweliks.pdf
https://thisissecurity.net/2014/08/20/poweliks-command-line-confusion/
http://blog.airbuscybersecurity.com/post/2016/03/FILELESS-MALWARE-–-A-BEHAVIOURAL-ANALYSIS-OF-KOVTER-PERSISTENCE
http://www.dostips.com/forum/viewtopic.php?t=5311
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3377

PS: this malware relies on NULL values written into the registry, so for a manual cleanup you will need this Sysinternals tool:

https://technet.microsoft.com/en-us/sysinternals/regdelnull.aspx

The variant I ran into lived in the regsvr32.exe and dllhost.exe processes... so, if you are not installing anything at the time, you should investigate those processes with Autoruns and Process Explorer.

Files created:

C:\Users\user\AppData\Local\<random file name>\
C:\Users\user\AppData\Roaming\<random file name>\
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk or *.bat

Registry:

HKLM or HKCU\Software\Classes\<random name>\shell\open\command - here you will find a value like ="\"C:\\Windows\\system32\\mshta.exe\" \"javascript: ....etc

HKLM or HKCU\Software\<random name>\ - no subkeys - this makes it very easy to spot, because the key has no expand arrow for subkeys and the values inside it are very long and obfuscated.
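The two registry indicators above can be swept for from an elevated PowerShell prompt. This is an added example, not code from the original post; the 1000-character threshold for a "very long" value and the function names are assumptions made for the example.

```powershell
# Added detection sweep (not part of the original post). It checks the two
# registry indicators described above: a shell\open\command launcher that
# runs mshta.exe with a javascript: URL, and a key under Software with no
# subkeys that carries very long (obfuscated) values.
$CmdPattern = 'mshta\.exe.*javascript:'
$LongValue  = 1000   # assumed threshold for "very long"; tune to your environment

function Find-SuspiciousShellCommands {
    foreach ($hive in 'HKLM:\Software\Classes', 'HKCU:\Software\Classes') {
        if (-not (Test-Path $hive)) { continue }
        foreach ($class in Get-ChildItem -Path $hive -ErrorAction SilentlyContinue) {
            $cmdKey = Join-Path $class.PSPath 'shell\open\command'
            if (-not (Test-Path $cmdKey)) { continue }
            # (default) holds the command line the class launches
            $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
            if ($cmd -and $cmd -match $CmdPattern) {
                [pscustomobject]@{ Indicator = 'mshta/javascript launcher'; Key = $cmdKey; Data = $cmd }
            }
        }
    }
}

function Find-LeafKeysWithLongValues {
    foreach ($hive in 'HKLM:\Software', 'HKCU:\Software') {
        if (-not (Test-Path $hive)) { continue }
        foreach ($key in Get-ChildItem -Path $hive -ErrorAction SilentlyContinue) {
            if ($key.SubKeyCount -ne 0) { continue }        # only keys with no subkeys
            foreach ($name in $key.GetValueNames()) {
                if ($key.GetValueKind($name) -notin 'String', 'ExpandString') { continue }
                $data = [string]$key.GetValue($name)
                if ($data.Length -ge $LongValue) {
                    [pscustomobject]@{
                        Indicator = 'leaf key with long value'
                        Key       = $key.Name
                        Data      = $data.Substring(0, 80) + '...'   # preview only
                    }
                }
            }
        }
    }
}

@(Find-SuspiciousShellCommands) + @(Find-LeafKeysWithLongValues) | Format-Table -AutoSize -Wrap
```

A key whose name embeds a NULL character cannot be opened through the normal registry API, so access errors on a single key during this sweep are themselves a clue; that is the case RegDelNull is meant for.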
