Re: [News] Ransomware sweeps the globe again
※ Quoting imasa (便當俠):
: https://goo.gl/CB4HE6
: According to several sources
: the author of this new Petya strain appears to have taken inspiration from
: last month's WannaCry outbreak, and added a similar SMB worm based on the
: NSA's ETERNALBLUE exploit. This has been confirmed by
: Payload Security, Avira, Emsisoft, Bitdefender, Symantec,
: and other security researchers.
: Another ransomware that uses the earlier SMB vulnerability EternalBlue
: Looks like it was inspired by WannaCry
https://blog.kryptoslogic.com/malware/2017/06/28/petya.html
Analysis write-up so far
Besides the original EternalBlue infection vector,
Petya also uses PsExec and WMIC for lateral movement,
running mimikatz to dump the current machine's credentials.
The reason patched machines still get hit
is that their credentials are present on those infected machines.
Updated mitigations:
[Short term]
Block the current Petya wave first:
Create the following files and set them read-only:
C:\Windows\perfc
C:\Windows\perfc.dll
C:\Windows\perfc.dat
These paths are Petya's working files; if it fails to read them, Petya stops executing.
May not work against later variants.
[Long term]
1. Firewall: block ports 139 and 445 (for PsExec)
2. Disable the Winmgmt (Windows Management Instrumentation) service (for WMIC)
3. Disable SMBv1 or apply the MS17-010 patch
--
※ Posted from: 批踢踢實業坊(ptt.cc), from: 59.120.24.158
※ Article URL: https://www.ptt.cc/bbs/AntiVirus/M.1498623521.A.92B.html
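The short-term and long-term steps above, as an added PowerShell example (not code from the post or from any vendor): it creates the three read-only perfc files, adds an inbound block for TCP 139/445, turns off the SMBv1 server, and reports the resulting state so the mitigation can be verified. The function names and the firewall rule label are constructed; the cmdlets used exist on Windows 8.1 / Server 2012 R2 and later (Windows 7 lacks Get-SmbServerConfiguration and needs the registry route instead). The Winmgmt step is defined but not called, because stopping WMI also breaks most management and monitoring tooling.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the PTT post. Applies the mitigations the post lists
# and reports their status. Paths come from the post; everything else is an
# assumption made for this example.

# --- Short term: the three working files Petya stops on when it cannot read them ---
$KillSwitchFiles = @(
    'C:\Windows\perfc',
    'C:\Windows\perfc.dll',
    'C:\Windows\perfc.dat'
)

function Install-PerfcKillSwitch {
    foreach ($path in $KillSwitchFiles) {
        if (-not (Test-Path -LiteralPath $path)) {
            # An empty file is sufficient; the content is never read successfully anyway
            New-Item -ItemType File -Path $path -Force | Out-Null
        }
        # Read-only so the malware cannot replace or truncate its working file
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    }
}

function Test-PerfcKillSwitch {
    # One object per file: easy to eyeball, export, or feed to a compliance check
    foreach ($path in $KillSwitchFiles) {
        $exists = Test-Path -LiteralPath $path
        [pscustomobject]@{
            Path     = $path
            Exists   = $exists
            ReadOnly = $(if ($exists) { (Get-Item -LiteralPath $path).IsReadOnly } else { $false })
        }
    }
}

# --- Long term: block the lateral-movement ports and retire SMBv1 ---
function Block-LateralMovementPorts {
    # Post's step 1: inbound TCP 139/445. Rule name is a constructed label.
    $name = 'Block-SMB-NetBIOS-Inbound (Petya mitigation)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 139,445 -Action Block -Profile Any | Out-Null
    }
}

function Disable-Smb1Server {
    # Post's step 3: SMBv1 is the protocol the MS17-010 / EternalBlue path rides on
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

function Disable-WmiService {
    # Post's step 2. Defined but not invoked below: run it only where losing WMI
    # (SCCM, monitoring agents, Get-WmiObject/Get-CimInstance) is acceptable.
    Stop-Service -Name Winmgmt -Force
    Set-Service  -Name Winmgmt -StartupType Disabled
}

Install-PerfcKillSwitch
Block-LateralMovementPorts
Disable-Smb1Server

# Verification output: all three files should show Exists/ReadOnly = True,
# and EnableSMB1Protocol should be False.
Test-PerfcKillSwitch | Format-Table -AutoSize
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Get-NetFirewallRule -DisplayName 'Block-SMB-NetBIOS-Inbound (Petya mitigation)' |
    Select-Object DisplayName, Enabled, Direction, Action
```

Run it from an elevated PowerShell session. The read-only files only address the variant the post describes, which is why the script also applies the firewall and SMBv1 changes rather than relying on the file check alone.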
※ Edited by: imasa (59.120.24.158), 06/28/2017 13:32:03