VRP 1
CATCHING AND KILLING A VIRUS
Introduction:
Viruses are an eternal problem, always new, and the people who write them are always one step ahead. I wrote up and collected a little about what is called a virus so that you get some perspective on viruses and can find and kill one. Thanks to my brother vovi for helping finish the conversion to a .chm file.
TaiLong
DFVr
Deface Virus
1. A word about viruses (VR) and rootkits
   a. Virus
   b. Rootkit
2. How your computer gets infected with a virus
3. Symptoms of a virus or rootkit infection
   a. Symptoms of a virus
   b. Symptoms of a rootkit
4. Finding / recognizing / detecting viruses and rootkits
   a. How to recognize and detect a virus
   b. How to recognize and detect a rootkit
5. How to protect yourself
6. Using CMD commands to detect viruses
   a. Commands to display files
   b. Commands to view running processes
   c. Commands to kill running processes
   d. Commands to stop running services
   e. Delete commands
   f. Commands that work on REGEDIT
b. Rootkit
A rootkit is a tool designed to hide itself and other processes, data and/or activity on a system - G. Hoglund (www.rootkit.com). It is a tool used to protect backdoors and other tools from being discovered by administrators. A rootkit is not a virus or a worm. What a rootkit author wants to achieve is to:
- hide processes
- hide services
- hide drivers
- hide kernel modules
- hide listening TCP/UDP ports
- hide files
- hide registry keys
The current trend is hybrids, for example rootkit+virus, rootkit+worm, rootkit+trojan, ...
- Some process seems to be running and eating system resources, RAM or CPU, but you cannot find it.
- Files and folders are hidden, leaving the user confused because the data they need is nowhere to be seen.
- The IP address is changed so that the machine can no longer get on the network.
- Spreading via USB using an autorun.inf file that triggers when the user double-clicks or right-clicks the USB drive; spreading over the LAN and the Internet, that is via links that carry the virus and via attachments sent by email.
b. Symptoms of a rootkit
- A blue screen (BSoD) appears on a system that was otherwise running stably.
- Errors occur when you try to shut down or reboot the system.
- Errors occur when connecting to the network.
- Antivirus programs raise warnings, but vague ones.
Some REGEDIT keys from which viruses commonly start:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
There are many places where a virus can replace or add its own scripts and shortcuts so that they run when processes are launched at startup.
Note: for the following registry keys the correct value is "%1" %*. Any program that inserts itself into this value gets executed whenever a binary (.exe, .com) is run, for example: virus.exe "%1" %*
HKEY_CLASSES_ROOT\exefile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
HKEY_CLASSES_ROOT\comfile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command
HKEY_CLASSES_ROOT\batfile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command
Also check the following places:
- Startup folder: click Start -> Programs -> Startup, then right-click Startup and select "Open" from the menu. Check every file in this folder and make sure you know what they are. These files start automatically every time you log in to your system.
- Windows Scheduler: check whether any program is set to run at particular times. Viruses sometimes use the scheduler as a way to get their program executed. It lives in C:\Windows\Tasks.
- Check these files:
  Win.ini (load=Trojan.exe or run=Trojan.exe) (Windows 98)
  System.ini (Shell=Explorer.exe trojan.exe) (Windows 98)
  Autoexec.bat: look for files that have been added, typically with the extensions .exe, .scr, .pif, .com, .bat
  Config.sys: look for files that have been added
... to get accurate results. Moreover, a rootkit can avoid detection by hiding every process except the rootkit detector's own process. Another approach is an event-based system that monitors continuously, so that it catches the rootkit at the moment it performs its installation. Such programs are usually called intrusion prevention systems (IPS). Monitoring from the operating system side is essential: an IPS that monitors at user level can still be attacked by the rootkit just like any other user program. These systems can detect and block attempts to load OS modules. Blocking every module, however, is unrealistic: many legitimate programs also install kernel modules. For example, some antivirus programs use kernel modules to perform on-demand scanning. A better solution is to add the ability to judge whether loading a module is malicious by looking at other attributes of the installer and of the related programs. While a rootkit and an antivirus program may share some actions (such as installing a kernel module), most of their other characteristics are completely different. For example, a rootkit tries to stay out of sight by not creating any visible window, whereas an antivirus program wants the user to know it is present. A rootkit may also install a keylogger (capturing keystrokes and sending them to another user), which an antivirus program never does. By combining a variety of behavioural characteristics (carefully chosen to capture the operations typical of malicious software), rootkit programs can be detected with high confidence. In fact this method is called behavioural analysis and can be applied broadly to detect other classes of malicious code such as Trojans and spyware. Because it is based on judgement and accumulated experience, a system of this kind can still make mistakes (treating normal programs as malware). The simple remedy is to keep an exclusion list for the common false positives.
(This part was written by kAmIkAzE (http://www.hedspi.net/diendan/).)
5. How to protect yourself
- Make a backup copy of the files you use regularly, after they have been scanned clean with an antivirus program.
- Update your antivirus program to the latest version as soon as you can.
- Update your web browsers to the latest version whenever you can.
- Update the programs on the client machine to their latest versions as soon as you can.
- Update Acrobat Reader to the latest version (if you use it).
- Update Office.
- Scan every file you download from the Internet.
- If you chat over IRC, you must disable the option that automatically accepts files.
- Do not plug in USB drives from untrusted sources. Or, when you plug one in, disable the autorun feature for USB drives first. See these links:
  http://support.microsoft.com/kb/126025
  http://antivirus.about.com/od/securitytips/ht/autorun.htm
  http://nick.brown.free.fr/blog/2007/10/memory-stick-worms
  http://blogs.computerworld.com/the_best_way_to_disable_autorun_to_be_protected_from_infected_usb_flash_drives
- While your computer is running, or when a virus program is running, watch the running programs and look out for any program that intrudes or starts executing.
- Do not visit web pages sent to you by strangers. They may contain executable code that damages or breaks your computer's system. If you want to look at the page, you can copy the link and check it at this site:
  http://linkscanner.explabs.com/linkscanner/default.aspx
  At the present time you should use a third-party browser other than Internet Explorer, such as Firefox, Opera or Google Chrome, because IE is currently attacked the most, followed by Firefox and the other browsers (I usually use Opera :D).
- Disable Java and ActiveX script execution in your browser. Re-enable it only when you need it.
- Show file extensions so you can tell what type a file really is (go to Folder Options -> View and untick "Hide extensions for known file types"). If somebody sends you a file named like pic.jpg.vbs, you might think it is a .jpg and run it, and then it goes off right away :D
- Always keep a boot disc or recovery disc to repair your computer in case it gets infected. With such a disc you can copy out your data and check for viruses from it. Use a Windows PE disc or Hiren's BootCD (from version 9.7 it includes a mini Windows XP that boots and lets you copy files and remove viruses by hand). Or use the antivirus rescue discs from the security vendors, see http://www.raymond.cc/blog/archives/2008/12/11/13-antivirus-rescue-cds-software-compared-in-search-for-the-best-rescue-disk/
- Use only one antivirus program and update it regularly. Once you are used to one antivirus product you will know how it works, and the removal functions of the different products have a lot in common anyway. Being your own removal tool is even better :>)
Below is a list of some of the top antivirus products (if you pay for them):
  F-Secure (http://www.f-secure.com/en_EMEA/)
  BitDefender (http://www.bitdefender.com/)
  Kaspersky (http://www.kaspersky.com/)
  McAfee (http://www.mcafee.com/)
  Symantec (http://www.symantec.com/)
  Panda (http://www.pandasecurity.com/)
And here is a list of free antivirus software:
  AVG Free Edition (http://free.avg.com/)
  Avast Home Edition (http://www.avast.com/eng/download-avast-home.html)
  Antivir Personal Edition (http://www.free-av.com/)
  Rising Antivirus Free Edition (http://www.freerav.com/)
  ClamWin Free Antivirus (http://www.clamwin.com/)
  A-Squared Free (http://www.emsisoft.com/en/software/free/)
Vietnamese products include BKAV - http://www.bkav.com.vn/ (a free Home edition for home users and a commercial edition for businesses) and CMC Antivirus - http://cmcinfosec.com/index.php (also a free edition and a commercial edition).
- Install the security patches for Windows:
  http://www.microsoft.com/technet/security/current.aspx
  Or you can use the Rising PC Doctor tool to patch some of the holes: http://www.rising-global.com/Download/Rising-Free-Utilities/Rising-PC-Doctor.html
  Install it, choose Leaks -> Vulnerabilities found -> Details, tick Select all, then choose Fix Vulnerabilities.
6. Using CMD commands to detect viruses
- Hidden files with the extensions *.exe, *.dll, *.bat, *.txt, *.vbs, *.js, *.reg, *.cmd, *.com, *.pif, *.lnk, *.wsh that sit in the system directories (usually on C:) C:\windows, c:\windows\system32, c:\windows\system, c:\windows\system\drivers (a default Windows installation has no such hidden files) and were not hidden by the user are all viruses or malicious programs. When you want to check for the hidden attribute, check the windows, system32, system, drivers and tasks folders under C:\.
- The current trend is for viruses to run several processes at once.
a) Commands to display files
- DIR
  + dir /ah shows all hidden files
  + dir /ah /s shows all hidden files in the current folder and its subfolders
  + dir /ah /b shows the hidden files in bare format, one name per line
  + dir /ah *.exe shows only hidden files with the .exe extension. To show several file types, separate the patterns with commas, e.g. dir /ah *.exe, *.dll, *.bat
  + dir /ah /s *.dll shows all hidden .dll files in the folder and its subfolders. For example, when you are in C:\windows\system32: C:\windows\system32>dir /ah /s *.dll shows only the hidden .dll files
(Screenshot not reproduced) As in this picture: using the commands dir /ah, dir /ah /b and dir /ah /b /s *.exe, *.dll
b) Commands to view running processes
- TASKLIST
  + tasklist /fi "username eq <user_in_use>" /fi "status eq running"
  + tasklist /fi "username ne system" /fi "status eq running" shows running processes whose user name is not SYSTEM
  + tasklist /v /fi "STATUS eq running" shows only the processes that are running
  + Show the DLL files loaded by each process: tasklist /m
  + tasklist /m wbem* lists the processes that have loaded .dll files whose name starts with wbem
  + tasklist /fi "modules eq ntdll*" filters only the processes with .dll files whose name starts with ntdll
  + tasklist /fi "modules eq dnsq.dll" shows only the processes that have loaded dnsq.dll (the Dashfer virus)
- WMIC
  + Show processes:
    wmic process list
    wmic process list brief
    wmic process list full
    wmic process list brief /every:10 refreshes every 10 seconds (Ctrl+C to end)
    wmic process list brief | find "cmd.exe" shows only cmd.exe
  + Show processes whose executable is not under the %windows% folder:
    wmic PROCESS WHERE "NOT ExecutablePath LIKE '%Windows%'" GET ExecutablePath
  + Show the programs that run at startup:
    wmic startup list brief
    wmic startup list full
  + Show the names and the list of users:
    wmic USERACCOUNT
    wmic USERACCOUNT list brief
    wmic USERACCOUNT list full
    wmic USERACCOUNT WHERE "Disabled=0 AND LocalAccount=1" GET Name (shows names only)
    The wmic USERACCOUNT command is like net user, but more detailed.
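Added example (not from the original guide): the two filters from this section, processes whose ExecutablePath is not under %Windows% and processes that have loaded a given DLL, applied offline in Python to saved output of wmic process get ... /format:csv and tasklist /m /fo csv. The sample output, the host name PC1 and the hell.exe path are constructed; the first check goes one step beyond the page's filter by also skipping images under C:\Program Files.

```python
import csv
import io

# Constructed sample of `wmic process get ExecutablePath,Name,ProcessId /format:csv`
# (wmic emits a leading blank line and orders the columns alphabetically after Node).
SAMPLE_WMIC_CSV = """
Node,ExecutablePath,Name,ProcessId
PC1,C:\\Windows\\system32\\svchost.exe,svchost.exe,880
PC1,C:\\Windows\\explorer.exe,explorer.exe,1532
PC1,C:\\Program Files\\Opera\\opera.exe,opera.exe,2044
PC1,C:\\Documents and Settings\\user\\Local Settings\\Temp\\hell.exe,hell.exe,3288
PC1,,System,4
"""

# Constructed sample of `tasklist /m /fo csv` (the module list is one comma-joined field).
SAMPLE_TASKLIST_M_CSV = """
"Image Name","PID","Modules"
"svchost.exe","880","ntdll.dll,kernel32.dll,dnsq.dll"
"explorer.exe","1532","ntdll.dll,kernel32.dll,shell32.dll"
"hell.exe","3288","ntdll.dll,kernel32.dll,dnsq.dll,wininet.dll"
"""

WINDOWS_DIR = "C:\\Windows"

def _rows(text):
    """Parse CSV text into dicts, dropping the blank lines wmic prints."""
    lines = [l for l in text.splitlines() if l.strip()]
    return list(csv.DictReader(io.StringIO("\n".join(lines))))

def processes_outside_windows(wmic_csv, allow_prefixes=("C:\\Program Files",)):
    """Offline version of `wmic PROCESS WHERE "NOT ExecutablePath LIKE '%Windows%'"`:
    (name, pid, path) for every process whose image is not under the Windows
    directory. Rows with no path (System, Idle) are skipped, and images under
    allow_prefixes are treated as ordinary application folders."""
    hits = []
    for r in _rows(wmic_csv):
        path = r["ExecutablePath"]
        if not path or path.lower().startswith(WINDOWS_DIR.lower()):
            continue
        if any(path.lower().startswith(p.lower()) for p in allow_prefixes):
            continue
        hits.append((r["Name"], int(r["ProcessId"]), path))
    return hits

def processes_loading_module(tasklist_csv, module):
    """Offline version of `tasklist /fi "modules eq <dll>"`: (name, pid) for every
    process whose module list contains the DLL (case-insensitive)."""
    wanted = module.lower()
    return [(r["Image Name"], int(r["PID"]))
            for r in _rows(tasklist_csv)
            if wanted in [m.strip().lower() for m in r["Modules"].split(",")]]
```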
c) Commands to kill a running process
- TSKILL: this also kills processes, but with fewer filtering options
  + tskill <pid>
  + tskill <name> (for example: tskill explorer); note that there is no .exe extension
- TASKKILL
  + Kill several processes at once by PID or by name: taskkill /f /pid id1 /pid id2 /pid id3. For example, with the IDs 1234, 243 and 879: taskkill /f /pid 1234 /pid 243 /pid 879
    taskkill /f /im explorer.exe /im system.exe /im userinit.exe
  + Force-kill a process running under the user name system (notepad.exe, say): taskkill /f /fi "username eq system" /im notepad.exe
  + Kill the process tree of process ID 1234, but only if it belongs to a given user (administrator, for instance): taskkill /pid 1234 /t /fi "username eq administrator"
  + Kill every process whose PID is greater than 2000 regardless of its name: taskkill /f /fi "pid ge 2000" /im * (note: the * wildcard is only accepted by /im when a filter is applied)
- WMIC
  + Kill a process by PID or by name:
    wmic process <pid> delete
    wmic process where name='cmd.exe' delete (note: either ' or " quotes work)
    wmic process where name='cmd.exe' call terminate
  + Kill several processes at once by name or PID:
    wmic process where (name like '<name>' OR name like 'explorer.exe' OR name='iexplore.exe') call terminate
    For example, to kill the two processes with PIDs 3288 and 4556: wmic process where (processid=3288 OR processid=4556) call terminate
- NTSD: as far as I know this command is for debugging. I do not know much about it, but the following two commands appear to kill a process:
    ntsd -c q -p <PID>
    ntsd -c q -pn <name>
    For example: ntsd -c q -pn explorer.exe
d) Commands to stop a running service
- SC: this command works with services
  + Query and view services and drivers:
    sc query type= service
    sc query type= driver
    or view everything: sc query type= all
  + Stop a running service: sc stop <service_name>. For example: sc stop schedule stops the Task Scheduler; sc stop srservice stops System Restore
  + Disable a service: sc config <service_name> start= disabled. For example: sc config schedule start= disabled; sc config srservice start= disabled
  + Delete a service (note: only delete services created by malicious programs and leave the default Windows services alone): sc delete <service_name>. For example: sc delete malicious deletes the service named malicious. The service names are found under the key HKLM\SYSTEM\CurrentControlSet\Services
- NET STOP: this command only stops a service. For example: net stop srservice; net stop schedule
- WMIC
  + Stop a running service: wmic service where name='<service_name>' call stopservice. For example: wmic service where name='srservice' call stopservice
  + To stop several services at once, use the same form as for killing several processes. For example: wmic service where (name like 'srservice' or name like 'schedule') call stopservice. To start one instead, just replace stopservice with startservice
  + Disable a service: wmic service where name='<service_name>' call changestartmode disabled. For example: wmic service where name='srservice' call changestartmode disabled
  + Disable several services. For example: wmic service where (name like 'srservice' or name like 'sharedaccess') call changestartmode disabled
  The wmic command has many more very useful features. You can read more with wmic /? (help), or enter the wmic shell and type what you want displayed, which is more convenient. For example:
    C:\>wmic
    wmic:root\cli>/?
    wmic:root\cli>startup
    wmic:root\cli>process list
    ..
e) Delete commands
- DEL (or ERASE): use this command with care.
  + Delete files with the hidden attribute: del /a:h. For example, delete all hidden files: del /a:h *.*. To delete only hidden .exe and .dll files: del /a:h *.exe *.dll
  + If the file has the read-only attribute, add the /f option. For example: del /f /a:h *.exe *.dll
  + To delete in the subfolders too, add the /s option. For example: del /f /s /a:h *.exe *.dll
  + Add the /p option if you want to be asked before each deletion.
  + Add the /q option to delete quietly, without asking.
- RD (or RMDIR): this command deletes folders. For example, a folder named nodel.exe was created: rd nodel.exe. Add the /s option to delete the files and subfolders inside it as well: rd /s nodel.exe
f) Commands that work on REGEDIT
  + REG ADD: put back settings the virus has changed (the values below turn the Find, Run and Folder Options restrictions off and reset the Internet Explorer start page):
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 0 /f
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 0 /f
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 0 /f
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFolderOptions /t REG_DWORD /d 0 /f
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFolderOptions /t REG_DWORD /d 0 /f
    reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v HomePage /t REG_DWORD /d 0 /f
    reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_SZ /d "http://www.google.com.vn" /f
  + REG DELETE: remove settings from the registry. The commands below remove settings that block files from executing, or that make a file run through another file:
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe" /v Debugger /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe" /v Debugger /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe" /v Debugger /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe" /v Debugger /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe" /v Debugger /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe" /v Debugger /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v Debugger /f
    reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /f
  + REG QUERY: display the keys that viruses like to crawl into in order to get executed
    Show whether the Run keys launch anything at startup. For example:
    reg query HKLM\software\microsoft\windows\currentversion\run
    reg query HKLM\software\microsoft\windows\currentversion\runonce
    reg query HKCU\software\microsoft\windows\currentversion\run
    reg query HKCU\software\microsoft\windows\currentversion\runonce
    reg query "HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    Show whether any entry under Image File Execution Options has been replaced:
    reg query "HKLM\software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
    Query the policies keys to see whether any program has been blocked:
    reg query HKLM\Software\Microsoft\Windows\CurrentVersion\policies
    reg query HKCU\Software\Microsoft\Windows\CurrentVersion\policies
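Added example (not from the original guide): a Python script that parses saved reg query output for the keys named in section 4 and in this REG QUERY section, flags a shell\open\command default that is not "%1" %*, lists Image File Execution Options subkeys that carry a Debugger value, and lists the Run/RunOnce autostart entries. The sample output and the svchosts.exe path in it are constructed.

```python
import re

# Constructed sample of what `reg query <key>` prints for a few of the keys the
# guide names; the svchosts.exe path is a made-up indicator, not a real one.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    svchosts    REG_SZ    C:\Windows\system\svchosts.exe

HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)    REG_SZ    C:\Windows\system\svchosts.exe "%1" %*

HKEY_CLASSES_ROOT\comfile\shell\open\command
    (Default)    REG_SZ    "%1" %*

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
    Debugger    REG_SZ    C:\Windows\system\svchosts.exe
"""

EXPECTED_OPEN_COMMAND = '"%1" %*'   # stock (Default) of exefile/comfile/batfile

def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from `reg query` output:
    key lines start at column 0 with HKEY_, value lines are indented and use
    runs of four spaces between name, type and data."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys.setdefault(current, {})
        elif current is not None and line.startswith("    "):
            parts = re.split(r"\s{4,}", line.strip(), maxsplit=2)
            if len(parts) == 3:
                keys[current][parts[0]] = (parts[1], parts[2])
    return keys

def hijacked_open_commands(keys):
    """(key, data) for shell\\open\\command keys whose (Default) is not the stock value."""
    return [(path, values.get("(Default)", ("", ""))[1])
            for path, values in keys.items()
            if path.lower().endswith(r"\shell\open\command")
            and values.get("(Default)", ("", ""))[1] != EXPECTED_OPEN_COMMAND]

def ifeo_debuggers(keys):
    """(image name, debugger) for IFEO subkeys that carry a Debugger value."""
    return [(path.rsplit("\\", 1)[1], values["Debugger"][1])
            for path, values in keys.items()
            if "Image File Execution Options" in path and "Debugger" in values]

def autorun_entries(keys):
    """(value name, command) for every value under a Run/RunOnce-style key."""
    return [(name, val[1]) for path, values in keys.items()
            if re.search(r"\\Run(Once|Services|ServicesOnce)?$", path, re.I)
            for name, val in values.items()]
```

On a live machine, redirect each reg query from this section into a file and feed that text to parse_reg_query instead of the sample.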
(Screenshot not reproduced) As in the picture above: running schtasks /query shows two tasks, hell and virus, and schtasks /delete removes them.