
Deface Virus

UNMASKING VIRUSES
Introduction:
Viruses are an age-old problem, always new, and whoever writes a virus is always one step ahead. I have written down and compiled a little about this thing called a virus so that you get some perspective on viruses and can find and unmask one. Thanks to my brother vovi for helping convert this into a .chm file.

TaiLong

DFVr


1. A word about viruses (VR) and rootkits
   a. Virus
   b. Rootkit
2. How your computer gets infected by a virus
3. Symptoms of a VR or rootkit infection
   a. Symptoms of a VR
   b. Symptoms of a rootkit
4. Finding/recognising/detecting VR and rootkits
   a. How to recognise and detect a VR
   b. How to recognise and detect a rootkit
5. How to protect yourself
6. Using CMD commands to detect a VR
   a. Commands to list files
   b. Commands to view running processes
   c. Commands to kill running processes
   d. Commands to stop running services
   e. Delete commands
   f. Commands that operate on REGEDIT
   g. Some other useful commands


1. A word about viruses (VR) and rootkits

a. Virus


A virus, or more generally malware (= MALicious + softWARE), is malicious software or code that can spread, infect, copy itself, steal information, impersonate system processes, hide, try to damage the operating-system kernel, and change the configuration of the system or of other applications running on your system. Malware in general includes the following kinds: Trojan horse, virus, worm, spyware, adware, backdoor, keylogger, botnet, and nowadays also programs that pose as antivirus products (such as antivirus2009, ...) and rootkits (which specialise in hiding).

b. Rootkit

"A rootkit is a tool designed to hide itself and other processes, data and/or activity on a system" - G. Hoglund (www.rootkit.com). It is a tool used to protect backdoors and other tools from being discovered by administrators. A rootkit is not a virus or a worm. What a rootkit author wants to do is:
- hide processes
- hide services
- hide drivers
- hide kernel modules
- hide TCP/UDP ports that are being listened on
- hide files
- hide keys in the registry (regedit)
The current trend is hybrids, for example: rootkit+virus, rootkit+worm, rootkit+trojan, ...

2. How your computer gets infected by a virus


- Infection from a virus-infected hard disk, from a CD or from the A: drive.
- Infection over USB (through automatic activation). This usually happens when you double-click the USB drive, or right-click it and choose Open/Explore.
- Infection through email attachments. Infected attachments are usually executable files (such as .exe, .com, .vbs, .dll, .sh, .bat, .scr, .pif, ...). Such emails are usually sent by people you do not know, and they can carry malicious code inside .html forms that can execute automatically when you open the email.
- Infection when downloading music over BitTorrent.
- Infection through websites (porn, cracks), usually when downloading. These sites are usually pushed at you through advertising, or embedded in other websites and pushed at their visitors. Simply browsing the web can also infect you (usually through .htm and .html files).
- Viruses that exploit unpatched weaknesses in Microsoft products (IE, Office, Media, ...).

3. Symptoms of a VR or rootkit infection

a. Symptoms of a VR


- The computer runs sluggishly.
- It locks out system programs such as cmd, regedit, task manager, gpedit, run, control panel, ... so they will not run, or antivirus programs cannot be executed. Or running any program often gives an error, and running *.exe, *.com or *.bat files is replaced by running other programs (the virus).


- It seems as if some process is running and eating a lot of system resources, RAM or CPU, but it cannot be found.
- Files and folders are hidden, leaving the user confused because the data they need is nowhere to be seen.
- The IP address is changed so that the network cannot be reached.
- It spreads over USB using an autorun.inf file that is triggered when the user double-clicks or right-clicks the USB drive; over the LAN; and over the Internet, that is, through links that carry the virus and through attachments sent by email.

b. Symptoms of a rootkit

- Blue screens (BSoD) occur on systems that were running stably before.
- Errors occur when you try to shut down or reboot the system.
- Errors occur when connecting to the network.
- Antivirus programs raise warnings, but vague ones.

4. Finding/recognising/detecting VR and rootkits

a. How to recognise and detect a VR


- A process takes up a lot of system resources (CPU and memory).
- A process has an odd name, or a name close to that of a system process. A few system processes that are often imitated are explorer.exe, svchost.exe, lsass.exe, winlogon.exe, ...; the imitations have names like expl0rer.exe, schost.exe, 1sass.exe or WIN1OGON.exe.
- A process is killed and then starts again by itself (i.e. it cannot be killed): this happens because the virus spawns several processes at once, so you have to find the root process and its related processes and kill them all. You can kill several processes at once, kill them top-down as a tree, or suspend the process first and only then delete it.
- Judge a running process by its description, verified signature, user name and path (image name).
- Search for information about any unidentified process on Google or on sites that describe viruses, such as threatexpert.com, or check the descriptions in GriSOFT's Virus Encyclopedia, Eset's Virus Descriptions, McAfee's Virus Glossary, Symantec's Virus Encyclopedia or Trend Micro's Virus Encyclopedia.
Below are some files that viruses commonly impersonate:
- explorer.exe is a legitimate program that lives in c:\windows, not in c:\windows\system32 or anywhere else.
- taskmgr.exe is a legitimate Windows program called taskmgr.exe, not taskmngr.exe; note that viruses very often impersonate or rename system files.
- rundll32.exe is a legitimate Windows program that lives in c:\windows\system32 and nowhere else.

Some REGEDIT keys from which a VR commonly starts itself:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

There are many places where a virus inserts scripts and shortcuts so that its process is launched at start-up. Note: for the following registry keys the correct value is "%1" %*. Any program added to this value gets executed whenever a binary (.exe, .com) is run, for example: virus.exe "%1" %*
HKEY_CLASSES_ROOT\exefile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
HKEY_CLASSES_ROOT\comfile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command
Also check the following places:
- Startup folder: click Start->Programs->Startup, right-click Startup and select "Open" from the menu. Check every file in this folder and make sure you know what they are. These files start automatically every time you log in to your system.
- Windows Scheduler: check whether any program is set to run at particular times. Viruses sometimes use the scheduler as a way to get their program executed. It lives in c:\windows\tasks.
- Check these files:
  Win.ini (load=Trojan.exe or run=Trojan.exe) (for Win98)
  System.ini (Shell=Explorer.exe trojan.exe) (for Win98)
  Autoexec.bat: look for files that have been added, possibly with the extensions .exe, .scr, .pif, .com, .bat
  Config.sys: look for files that have been added

b. How to recognise and detect a rootkit


- Look for unidentified processes.
- Check open ports (netstat, tcpview).
- Use signatures to look for known rootkits, viruses and backdoors; look for malicious components, including ones that were killed or "died" yet still live in memory.
There are two main ways to detect a rootkit on an infected machine: scanning and event monitoring. The scanning technique compares the view of the system obtained with user-mode tools against the view from inside the OS kernel. If anything is being hidden, the component will show up inside the kernel but not in the user-mode view. Recently quite a few programs have appeared that can perform this kind of scan. In theory the method is very good: a rootkit hides system resources, so the best way to detect a rootkit is to look for what is hidden. It still has a few weaknesses, however. The first is that if the OS itself is compromised, the scan can be fooled by the rootkit. How likely that is depends on the particular scan and on how the rootkit itself is implemented. Since the Windows kernel is not publicly documented, it is very hard to guarantee that a scan


produces accurate results. Moreover, a rootkit can evade detection by hiding every process except the rootkit detector itself. Another approach is an event-based system that monitors continuously so that it can catch the rootkit at the moment it performs its installation. Such programs are usually called intrusion prevention systems (IPS). Monitoring from the OS side is essential: IPS systems that monitor at user level can be attacked by the rootkit just like any other user program. These systems can detect and block attempts to load OS modules. Blocking all modules is unrealistic, however, since many legitimate programs also install kernel modules. For example, some antivirus programs use kernel modules to perform on-demand scanning. A better solution is to add the ability to weigh whether loading a module is malicious by looking at other attributes of the installer and of related programs. While a rootkit and an antivirus program may share some actions (such as installing a kernel module), most of their other characteristics are entirely different. For example, a rootkit may try to stay out of sight by not creating a visible window, whereas an antivirus program wants the user to know it is present. A rootkit may also install a keylogger (capturing keystrokes and sending them to another user), which an antivirus program would never do. By combining different behavioural characteristics (chosen carefully so as to capture the actions common to malicious software), rootkits can be detected with high confidence. In practice this method is called behavioural assessment and can be applied broadly to detect other classes of malicious code such as Trojans and spyware. Because it relies on judgement and accumulated experience, a system of this kind can still make mistakes (treating normal programs as malware). The simple remedy is to keep an exclusion list for the common false positives.
(This section was written by kAmIkAzE (http://www.hedspi.net/diendan/).)

5. How to protect yourself

- Make a backup copy of the files you use regularly, after scanning them clean with an antivirus program.
- Update your antivirus program to the latest version as soon as you can.
- Update your web browsers to the latest version whenever you can.
- Update the client-side programs on the workstation to the latest versions as soon as you can.
- Update Acrobat Reader to the latest version (if you use it).
- Update Office.
- Scan every file you download from the network.
- If you chat over IRC, you must disable the option that automatically accepts files.
- Do not plug in USB drives from untrusted sources. Or, when you do plug in a USB drive, disable the autorun function for USB drives. See these links:
http://support.microsoft.com/kb/126025
http://antivirus.about.com/od/securitytips/ht/autorun.htm
http://nick.brown.free.fr/blog/2007/10/memory-stick-worms
http://blogs.computerworld.com/the_best_way_to_disable_autorun_to_be_protected_from_infected_usb_flash_drives
- While your computer is running, keep the antivirus program running to monitor the programs that run and any intrusion or execution by some program.
- Do not visit websites sent to you by strangers. They may contain executable code that damages or breaks your computer system. If you want to view such a page, copy the link and check it on this site:

http://linkscanner.explabs.com/linkscanner/default.aspx
- At present you should use a third-party browser other than Internet Explorer, such as Firefox, Opera or Google Chrome, since IE is currently attacked the most, followed by Firefox and the other browsers (I tend to use Opera :D).
- Disable Java and ActiveX script execution in your browser. Re-enable it when you need it.
- Show file extensions so you know what format a file is (go to Folder Options, View, and untick "Hide extensions for known file types"). If someone sends you a file such as pic.jpg.vbs, you might think it is a .jpg and run it, and then you get hit straight away :D
- Always have a boot disk or recovery disk to repair your computer in case of infection. With such a disk you can copy your data and check for viruses from the disk. Use a Windows PE disk or Hiren's Boot (from version 9.7 it includes a mini Windows XP that runs and lets you copy files and remove viruses by hand). Or use the virus rescue disks from the security vendors:
http://www.raymond.cc/blog/archives/2008/12/11/13-antivirus-rescue-cds-software-compared-insearch-for-the-best-rescue-disk/
- Use only one antivirus program and update it regularly; once you are used to one antivirus product you will know its workings, and the virus-removal functions of the different products have a lot in common anyway. Being your own removal tool is even better :>)
Below is a list of some leading antivirus products (if you pay for them):
F-Secure (http://www.f-secure.com/en_EMEA/)
BitDefender (http://www.bitdefender.com/)
Kaspersky (http://www.kaspersky.com/)
McAfee (http://www.mcafee.com/)
Symantec (http://www.symantec.com/)
Panda (http://www.pandasecurity.com/)
And here is a list of free antivirus products:
AVG Free Edition (http://free.avg.com/)
Avast Home Edition (http://www.avast.com/eng/download-avast-home.html)
Antivir Personal Edition (http://www.free-av.com/)
Rising Antivirus Free Edition (http://www.freerav.com/)
ClamWin Free Antivirus (http://www.clamwin.com/)
A-Squared Free (http://www.emsisoft.com/en/software/free/)
Vietnamese products include BKAV - http://www.bkav.com.vn/ (there is a free Home edition for small users and a commercial edition for businesses) and CMC Antivirus - http://cmcinfosec.com/index.php (also available in a free and a commercial edition).
- Install the Windows security patches:
http://www.microsoft.com/technet/security/current.aspx
Or you can use the Rising PC Doctor tool to patch some of the holes:
http://www.rising-global.com/Download/Rising-Free-Utilities/Rising-PC-Doctor.html
After installing it, choose Leaks, then Vulnerabilities found, then Details, tick Select all and choose Fix Vulnerabilities.


6. Using CMD commands to detect a VR

- Hidden files with the extensions *.exe, *.dll, *.bat, *.txt, *.vbs, *.js, *.reg, *.cmd, *.com, *.pif, *.lnk or *.wsh that sit on the system drive (usually C:) in C:\windows, c:\windows\system32, c:\windows\system or c:\windows\system\drivers (a default Windows installation has no such hidden files) and that were not hidden by the user are all viruses or malicious programs. When checking for the hidden attribute, check the windows, system32, system, drivers and tasks folders on C:\.
- The current trend is for a VR to run several processes at once.

a) Commands to list files

- DIR
+ Dir /ah lists all hidden files
+ Dir /ah /s lists all hidden files in that folder and its subfolders
+ Dir /ah /b lists the hidden files in bare format, one per line
+ Dir /ah *.exe lists only hidden files with the extension *.exe. To list several file types, separate them with commas, e.g.: DIR /ah *.exe, *.dll, *.bat
+ Dir /ah /s *.dll lists all hidden *.dll files in the folder and its subfolders. For example, from C:\windows\system32: dir /ah /s *.dll shows only the hidden *.dll files


(Screenshot: the commands dir /ah, dir /ah /b and dir /ah /b /s *.exe, *.dll in use.)

b) Commands to view running processes


- TASKLIST
+ See which services are running inside each process:
Tasklist /svc
Filter a single process to see which services run inside it:
Tasklist /svc /fi "imagename eq explorer.exe"
+ Show the processes whose PID is greater than 2000 (the PID filter is optional) and print them in CSV format; the output includes "Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title":
Tasklist /v /fi "pid gt 2000" /fo csv
Print to a file for easier reading:
Tasklist /v /fi "pid gt 2000" /fo csv >hell.txt
+ Show the processes in the running state for the default user names: system, network service, local service, administrator. If you are running as some other user, show them for that user name:
Tasklist /fi "USERNAME eq NT AUTHORITY\SYSTEM" /fi "STATUS eq running"
Shorter form:
Tasklist /fi "USERNAME eq SYSTEM" /fi "STATUS eq running"

Tasklist /fi "username eq ten_user_dang_dung" /fi "status eq running" (ten_user_dang_dung = the user name you are logged in as)
Tasklist /fi "username ne system" /fi "status eq running" shows the running processes whose user name is not system
Tasklist /v /fi "STATUS eq running" shows only the processes that are running
+ Show the DLL files loaded in each process:
Tasklist /m
Tasklist /m wbem* filters the processes that have loaded *.dll files whose names start with wbem
Tasklist /fi "modules eq ntdll*" filters only the DLLs whose names start with ntdll
Tasklist /fi "modules eq dnsq.dll" shows only the processes that have loaded dnsq.dll (the Dashfer worm)
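As an added example that is not part of the original guide, the following Python script applies the look-alike-name heuristic from section 4a (expl0rer.exe, schost.exe, 1sass.exe, WIN1OGON.exe, taskmngr.exe) to the CSV that tasklist /v /fo csv prints; the sample CSV, the substitution table and the edit-distance threshold are assumptions made here.

```python
"""Flag look-alike system process names in 'tasklist /v /fo csv' output.

Added example, not part of the original guide. The heuristic is the guide's
(forged names imitating explorer.exe, svchost.exe, lsass.exe, winlogon.exe,
taskmgr.exe); the sample CSV below is constructed, not from a real machine.
"""
import csv
import io
from typing import List, Optional, Tuple

# Windows images that malware commonly imitates (named in the guide).
SYSTEM_IMAGES = {"explorer.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
                 "taskmgr.exe", "rundll32.exe"}

# Digit/symbol-for-letter swaps typically used to forge names (assumed set).
LEET = str.maketrans({"0": "o", "1": "l", "|": "l", "$": "s"})


def normalize(name: str) -> str:
    """Lower-case the name and undo the common character substitutions."""
    return name.lower().translate(LEET)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-letter drops such as schost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(image: str) -> Optional[str]:
    """Return the system image a name imitates, or None if exact or unrelated."""
    low = image.lower()
    if low in SYSTEM_IMAGES:
        return None      # genuine name; its path still needs checking (wmic)
    norm = normalize(low)
    for sys_img in SYSTEM_IMAGES:
        if norm == sys_img or edit_distance(norm, sys_img) <= 1:
            return sys_img
    return None


def suspicious_processes(tasklist_csv: str) -> List[Tuple[str, str, str]]:
    """Parse 'tasklist /v /fo csv' text into (image, pid, imitated image)."""
    found = []
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        target = lookalike_of(row["Image Name"])
        if target:
            found.append((row["Image Name"], row["PID"], target))
    return found


# Constructed sample in the layout of: tasklist /v /fi "pid gt 2000" /fo csv
SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"explorer.exe","2044","Console","0","23,120 K","Running","PC\\user","0:00:12","N/A"
"expl0rer.exe","2104","Console","0","4,320 K","Running","PC\\user","0:00:01","N/A"
"svchost.exe","2112","Console","0","5,100 K","Running","NT AUTHORITY\\SYSTEM","0:00:00","N/A"
"schost.exe","2340","Console","0","1,900 K","Running","PC\\user","0:00:00","N/A"
"1sass.exe","2388","Console","0","2,010 K","Running","PC\\user","0:00:00","N/A"
"WIN1OGON.exe","2402","Console","0","1,500 K","Running","PC\\user","0:00:00","N/A"
"notepad.exe","2500","Console","0","3,000 K","Running","PC\\user","0:00:00","Untitled - Notepad"
'''

if __name__ == "__main__":
    for image, pid, target in suspicious_processes(SAMPLE):
        print(f"PID {pid}: {image} looks like {target}")
```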

- WMIC
+ Show processes:
wmic process list
wmic process list brief
wmic process list full
wmic process list brief /every:10 refreshes every 10 seconds (CTRL+C to end)
wmic process list brief | find "cmd.exe" searches only for cmd.exe
+ Show the processes whose executable is not under the %windows% folder:
wmic PROCESS WHERE "NOT ExecutablePath LIKE '%Windows%'" GET ExecutablePath
+ Show the programs that run at start-up:
Wmic startup list brief

Wmic startup list full
+ Show the names and list of users:
Wmic USERACCOUNT
Wmic USERACCOUNT list brief
Wmic USERACCOUNT list full
Wmic USERACCOUNT WHERE "Disabled=0 AND LocalAccount=1" GET Name (shows only the names)
The Wmic USERACCOUNT command is like net user but gives more detail.

c) Commands to kill running processes

- TSKILL
This command also kills processes but has fewer filtering features:
Tskill pid
Tskill name (for example: tskill explorer) - note that there is no .exe extension
- TASKKILL
+ Kill several processes at once by PID or name:
Taskkill /f /pid id1 /pid id2 /pid id3
For example with the ids 1234, 243 and 879: taskkill /f /pid 1234 /pid 243 /pid 879
Taskkill /f /im explorer.exe /im system.exe /im userinit.exe
+ Force-kill a process running under the user name system (e.g. notepad.exe):
Taskkill /f /fi "username eq system" /im notepad.exe
+ Kill the process tree rooted at ID 1234, but only if it runs under a given user name (administrator, say):
Taskkill /pid 1234 /t /fi "username eq administrator"
+ Kill the processes whose PID is greater than 2000 regardless of their name:
Taskkill /f /fi "pid ge 2000" /im *
Note that the * wildcard only applies to the filter in combination with the /im option.
- WMIC

+ Kill a process by PID or name:
Wmic process [pid] delete
Wmic process where name='cmd.exe' delete (note: either ' or " quotes work)
Wmic process where name='cmd.exe' call terminate
+ Kill several processes at once by name or PID:
Wmic process where (name like 'explorer.exe' OR name='iexplore.exe') call terminate
For example, kill the two processes with PIDs 3288 and 4556:
wmic process where (processid=3288 OR Processid=4556) call terminate
- NTSD
As far as I know this command is for debugging. I do not know much about it, but the following two forms kill a process:
NTSD -c q -p PID
NTSD -c q -pn name
For example: ntsd -c q -pn explorer.exe

d) Commands to stop running services

- SC
This command is for services.
+ Query and list services and drivers:
SC query type= service
SC query type= driver
Or list everything: SC query type= all
+ Stop a running service:
SC stop ten_dichvu (ten_dichvu = the service name)
For example: SC stop schedule stops the scheduler; SC stop srservice stops System Restore
+ Disable a service:
SC config ten_dichvu start= disabled
For example: SC config schedule start= disabled; SC config srservice start= disabled
+ To delete a service (note: only use this to delete services created by malicious programs; leave the default Windows services alone):
SC delete ten_dichvu
For example: Sc delete malicious deletes the service named malicious.
The service names are under the key HKLM\SYSTEM\CurrentControlSet\Services.
- NET STOP
This command only stops a service.
For example: Net stop srservice; Net stop schedule
- WMIC


+ Stop a running service:
Wmic service where name='ten_dichvu' call stopservice
For example: Wmic service where name='srservice' call stopservice
+ To stop several services at once, use the same form as for killing several processes:
Wmic service where (name like 'srservice' or name like 'schedule') call stopservice
To start a service instead, just replace stopservice with startservice.
+ Disable a service:
Wmic service where name='ten_dichvu' call changestartmode disabled
For example: Wmic service where name='srservice' call changestartmode disabled
+ Disable several services:
Wmic service where (name like 'srservice' or name like 'sharedaccess') call changestartmode disabled
The wmic command has many more useful features. Read more with Wmic /? (help), or enter the interactive shell and type what you want to display:
C:\>wmic
wmic:root\cli>/?
wmic:root\cli>startup
wmic:root\cli>process list
...

e) Delete commands

- DEL (or ERASE). Note: use this command carefully; it is the more capable one.
Delete by the hidden attribute: DEL /a:h
For example, delete all hidden files: DEL /a:h *.*
To delete only hidden *.exe and *.dll files: DEL /a:h *.exe *.dll
If the file has the read-only attribute, add the /f option, e.g.: Del /f /a:h *.exe *.dll
To delete in subfolders too, add the /s option, e.g.: Del /f /s /a:h *.exe *.dll
Add the /p option if you want to be asked before each deletion.
Add the /q option to delete quietly, without asking.
- RD (or RMDIR)
This command deletes a folder. For example, for a folder that was created as nodel.exe: RD nodel.exe
Add the /s option to delete the files and subfolders inside it too: Rd /s nodel.exe


f) Commands that operate on REGEDIT


- REG
See the help with REG /?. Here are some practical examples :>
+ REG ADD: this command adds or sets values in the registry, e.g.:
@echo Undo the hidden-file tweaks
______________________________
REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSuperHidden" /t reg_dword /d 0 /f
REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Hidden" /t reg_dword /d 2 /f
REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t reg_dword /d 1 /f
REG add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v "CheckedValue" /t reg_dword /d 1 /f
@echo Restore the defaults for the start-up entries
_________________________________
REG add "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v "load" /t reg_sz /d "" /f
REG add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t reg_sz /d "Explorer.exe" /f
REG add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit" /t reg_sz /d "%SystemRoot%\system32\userinit.exe," /f
REG add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "LegalNoticeCaption" /t reg_sz /f
REG add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "LegalNoticeText" /t reg_sz /f
@echo Remove some lock-out settings
_______________________________
REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 0 /f
REG add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 0 /f
REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 1 /f

REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 0 /f
REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 0 /f
REG add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 0 /f
REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFolderOptions /t REG_DWORD /d 0 /f
REG add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFolderOptions /t REG_DWORD /d 0 /f
REG add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v HomePage /t REG_DWORD /d 0 /f
REG add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t reg_sz /d "http://www.google.com.vn" /f
+ REG DELETE: deletes settings from the registry
@echo Remove settings that block a file from running or make it be run by another file
_________________________________
Reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe" /v Debugger /f
Reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe" /v Debugger /f
Reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe" /v Debugger /f
Reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe" /v Debugger /f
Reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe" /v Debugger /f
Reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe" /v Debugger /f
Reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v Debugger /f
Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /f
+ REG QUERY: shows the keys that viruses like to crawl into to get themselves executed


Show whether the Run keys launch anything at start-up, for example:
Reg query HKLM\software\microsoft\windows\currentversion\run
Reg query HKLM\software\microsoft\windows\currentversion\runonce
Reg query HKCU\software\microsoft\windows\currentversion\run
Reg query HKCU\software\microsoft\windows\currentversion\runonce
Reg query "HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon"
Show whether anything under Image File Execution Options has been replaced:
Reg query "HKLM\software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
Query the policies keys to see whether any program is locked out:
Reg query HKLM\Software\Microsoft\Windows\CurrentVersion\policies
Reg query HKCU\Software\Microsoft\Windows\CurrentVersion\policies
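As an added example that is not part of the original guide, the following Python script parses the text that reg query prints and applies the checks from this section and from section 4a together: it lists the Run/RunOnce autostart entries, verifies that the exefile/comfile/batfile shell\open\command value is "%1" %*, verifies the Winlogon Shell and Userinit values, and flags Image File Execution Options Debugger entries. The four-space column layout, the finding strings and the sample output are assumptions made here; the sample is constructed, not captured from a real machine.

```python
"""Audit 'reg query' output for the persistence points the guide lists.

Added example, not part of the original guide. It expects the text format
reg query prints: a key path on its own line, then each value indented by
four spaces as  name    REG_TYPE    data  (assumed layout).
"""
import re
from typing import Dict, List, Tuple

ENTRY_RE = re.compile(r"^\s{4}(\S.*?)\s{4}(REG_\w+)(?:\s{4}(.*))?$")
AUTORUN_TAILS = ("\\run", "\\runonce", "\\runservices", "\\runservicesonce")
GOOD_OPEN_COMMAND = '"%1" %*'          # correct default for exefile/comfile/batfile
GOOD_USERINIT = "c:\\windows\\system32\\userinit.exe,"


def parse_reg_query(text: str) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Return {key_path: {value_name: (type, data)}} from reg query output."""
    keys: Dict[str, Dict[str, Tuple[str, str]]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = (m.group(2), m.group(3) or "")
        elif not line[0].isspace():          # an unindented line is a key path
            current = line.strip()
            keys.setdefault(current, {})
    return keys


def audit(text: str) -> List[str]:
    """Return one finding per autostart entry or anomaly, in key order."""
    findings: List[str] = []
    for key, values in parse_reg_query(text).items():
        low = key.lower()
        if low.endswith(AUTORUN_TAILS):
            for name, (_, data) in values.items():
                findings.append(f"autostart {key}\\{name} -> {data}")
        elif low.endswith("\\shell\\open\\command"):
            data = values.get("(Default)", ("", ""))[1]
            if data != GOOD_OPEN_COMMAND:
                findings.append(f"hijacked file association {key}: {data}")
        elif low.endswith("\\winlogon"):
            shell = values.get("Shell", ("", ""))[1]
            if shell.lower() != "explorer.exe":
                findings.append(f"Winlogon Shell altered: {shell}")
            userinit = values.get("Userinit", ("", ""))[1].lower()
            if userinit.replace("%systemroot%", "c:\\windows") != GOOD_USERINIT:
                findings.append(f"Winlogon Userinit altered: {userinit}")
        elif "\\image file execution options\\" in low and "Debugger" in values:
            exe = key.rsplit("\\", 1)[-1]
            findings.append(f"IFEO Debugger on {exe}: {values['Debugger'][1]}")
    return findings


# Constructed sample of what the reg query commands above print.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon    REG_SZ    C:\Windows\system32\ctfmon.exe
    hell    REG_SZ    C:\Windows\system32\hell.exe

HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)    REG_SZ    virus.exe "%1" %*

HKEY_CLASSES_ROOT\comfile\shell\open\command
    (Default)    REG_SZ    "%1" %*

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
    Debugger    REG_SZ    C:\Windows\system32\hell.exe
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```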

g) Some other useful commands


- Scheduled Tasks:
When your system is infected, the virus may create a scheduled task, that is, set a time at which one of its executables is launched. For example, a keylogger that records your keystrokes and sends them to some remote server does so on a schedule. Scheduled Tasks is just one more place where a virus hides. It is the folder c:\windows\tasks (C:\ is usually the drive that holds the system files).
The schtasks command:
To query whether there is anything there, use schtasks /query
For more detail use schtasks /query /v, or in list form schtasks /query /fo list
To delete a scheduled task, use schtasks /delete /tn ten_file /f (ten_file = the task name)
To delete all tasks, use the * character: schtasks /delete /tn * /f

(Screenshot above: schtasks /query shows two tasks, hell and virus, and schtasks /delete removes them.)


Openfiles: a close look at the files open on the system


- The Openfiles command looks deeper at the running files to see which files are open alongside them. Many system administrators are not very familiar with this fairly powerful command built into Windows. As its name says, it shows all files that are open, and names the process acting on each file. It is built into Windows versions from XP onwards. The command is popular in the way lsof is on Linux and Unix: it shows the administrator all the files open on your computer, giving the process name and the full path of each file. Unlike lsof on Linux, however, it does not give much further detail such as the process ID, user details and other related information.
To use it, first enable it:
Openfiles /local on
The user then has to restart the computer; after the reboot you can run the related commands, such as:
Openfiles /query /v
This lists the open files with their details, including the user account behind each process that has a file open. To gather information about what malware has installed, or what an attacker could do on your computer, look for unusual entries or strange files, especially ones hooked into the computer under the current user's (local) rights.
To turn the feature off again use:
Openfiles /local off
and you must restart again for it to take effect :>)
