
Prevention methods and measures against the latest ransomware virus

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Antian365.com simeon

1. Event review

(1) Phoenix New Media (ifeng.com): the ransomware is spreading widely, and information security experts are issuing warnings one after another.

Http://news.ifeng.com/a/20170513/51086871_0.shtml

(2) QQ.com: this virus has broken out worldwide! The campus networks of many universities in China have fallen, and the victims have received ransom notes.

Http://tech.qq.com/a/20170513/013226.htm

(3) Antian Company: Antian responds urgently to the global outbreak of the new worm-type ransomware "WannaCry".

Https://mp.weixin.qq.com/s?__biz=MjM5MTA3Nzk4MQ==&mid=2650170534&idx=1&sn=dedc3ff25c3594b49bc4e6c53c9fd123&chksm=beb9c79489ce4e8253e77bf176fd1e88bfbdbe6f3b24d84acdbe391da073a87a0cf313c26fb7&mpshare=1&scene=1&srcid=0513oXuWB6ySDTUPZUPpnWod#rd

According to the BBC, a ransomware outbreak hit many parts of the world today; the encrypted files can only be recovered by paying a high ransom (payable in bitcoin). Many hospitals in the UK were hit, and patient data was threatened with leakage. Universities in Russia, Italy, elsewhere in Europe and in China were affected at the same time.

The ransomware belongs to a new family called "WannaCry". It encrypts files with the widely used RSA and AES algorithms. Neither algorithm has a known practical break, and brute-forcing the keys is far beyond any realistic budget, so an ordinary user has no way to decrypt the files. In other words, without the attacker's private key, security experts anywhere in the world cannot decrypt files that this ransomware has encrypted.

The ransomware attacks hosts worldwide through the MS17-010 vulnerability, the SMBv1 flaw exploited by the leaked "EternalBlue" tool. At present port 445 is open on a great many intranet and internet-facing hosts. Borrowing the worm model, the ransomware uses this SMB vulnerability on port 445 to spread by itself, without any user action. In our earlier research we have also seen ransomware get in through other system vulnerabilities and through high-severity MySQL and MSSQL database vulnerabilities. So the old attitude that "network security is far away from me" no longer holds: as long as your system carries a high-severity unpatched vulnerability, you may be infected.

2. Actual impact

(1) Active attack: no user interaction is required; the worm reaches the host over the network on its own.

(2) Worm propagation: it spreads across a network very quickly. So far many intranets have fallen.

(3) It encrypts PPT, Word, PDF and other document files.

(4) It uses the RSA and AES encryption algorithms. After consulting Dr. Zhang Zijian, an information security expert at Beijing Institute of Technology: breaking this encryption is computationally infeasible at present, and the ransomware itself claims it would take decades. The diagram of the encryption scheme from the original article is not reproduced here.
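To make the point about RSA and AES concrete, the following is an added PowerShell illustration of the generic hybrid scheme that ransomware families of this kind use; it is not the article's diagram and not WannaCry's exact implementation (WannaCry adds a per-victim RSA pair between the two layers). It runs on Windows PowerShell 5.1 with .NET Framework, works only on an in-memory sample string, never touches files, and the key names, function names and sample text are all constructed for the example.

```powershell
# Added illustration of hybrid RSA + AES file encryption as used by ransomware.
# Model only: it never touches files on disk, and the sample text is constructed.

# 1. Attacker side, done once before the malware ships: an RSA-2048 key pair.
#    The public half is embedded in the binary; the private half stays with the attacker.
$attacker     = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)
$publicOnlyXml = $attacker.ToXmlString($false)   # $false = export public parameters only

# 2. Victim side: the binary carries nothing but that public key.
$embedded = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$embedded.FromXmlString($publicOnlyXml)

function Protect-Document {
    param([byte[]]$Plaintext, [System.Security.Cryptography.RSACryptoServiceProvider]$PublicKey)
    # A fresh random AES-256 key and IV for every file; bulk data goes through AES, not RSA.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey()
    $aes.GenerateIV()
    $body = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    # The file key is wrapped with RSA-OAEP under the embedded public key, then discarded:
    # nothing left on the victim can unwrap it.
    $wrapped = $PublicKey.Encrypt($aes.Key, $true)
    $iv = $aes.IV
    $aes.Clear()
    return @{ WrappedKey = $wrapped; IV = $iv; Body = $body }
}

function Unprotect-Document {
    param($Package, [System.Security.Cryptography.RSACryptoServiceProvider]$PrivateKey)
    # Recovering the file key requires the RSA private half.
    $key = $PrivateKey.Decrypt($Package.WrappedKey, $true)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $key
    $aes.IV  = $Package.IV
    return ,$aes.CreateDecryptor().TransformFinalBlock($Package.Body, 0, $Package.Body.Length)
}

# Constructed sample "document".
$doc     = [System.Text.Encoding]::UTF8.GetBytes("Constructed sample document text")
$package = Protect-Document -Plaintext $doc -PublicKey $embedded

# On the victim machine only the public key exists, so unwrapping the file key fails.
try   { $null = $embedded.Decrypt($package.WrappedKey, $true); "unexpected: decrypted with public key" }
catch { "Victim side cannot unwrap the file key: $($_.Exception.Message)" }

# Only the attacker, holding the private half, can recover the plaintext.
$restored = Unprotect-Document -Package $package -PrivateKey $attacker
[System.Text.Encoding]::UTF8.GetString($restored)
```

The asymmetry is the whole point of the article's "cannot be cracked" remark: nothing in the victim's memory or on its disk contains the RSA private half, so even perfect forensics of the infected host recovers the wrapped keys but not the files. Recovery without paying depends on an implementation mistake (weak random key generation, the private key left in memory, the wrong key wrapped), never on attacking RSA or AES themselves.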

3. Symptoms of infection

If your machine shows the situation in the screenshot (not reproduced here), it has been infected by the ransomware:

4. Prevention method

(1) Backup! Backup! Backup! Be sure to back up important files offline. The author also suggests naming the backup file something like mybak.ini: ransomware of this kind picks its targets by file extension, and .ini is not on the usual lists. But that is only a stopgap; the real protection is a copy the infected host cannot reach.

(2) Turn on the Windows Firewall.

(3) Block port 445.

Jinbai'an Company provides a batch script that blocks port 445 (download address: http://www.secboot.com/445.zip). Its contents, corrected for the spacing lost in the original, are:

echo "Welcome to the Jinbai'an ransomware defense script"
echo "If the PC is newer than XP or the server is newer than Windows 2003, right-click this file and run it as administrator."
rem Legacy firewall context: works on XP/2003, deprecated (but still accepted) on Vista and later.
netsh firewall set opmode enable
rem Advanced firewall context: Vista/2008 and later only; blocks inbound TCP 445 on all profiles.
netsh advfirewall firewall add rule name="deny445" dir=in protocol=tcp localport=445 action=block

Run it from an elevated command prompt; without administrator rights both netsh commands fail. The rule blocks every inbound SMB connection, so on a file server it must be scoped to the addresses that legitimately need the share.

(4) Run all programs in virtual machines, using a Linux + Windows VM arrangement; back up documents and other material promptly and take VM snapshots or images regularly.
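The batch script above only adds a firewall rule. As an added example (not the Jinbai'an script and not code from the original article), the following PowerShell does the same at the host firewall for all three ports the worm and its relatives use, switches off the SMBv1 server that MS17-010 targets, and checks whether the March 2017 fix is installed. It assumes Windows 8/Server 2012 or later (the NetSecurity and SmbShare modules); the rule names are invented, and the KB identifiers are the ones Microsoft published with MS17-010.

```powershell
#Requires -RunAsAdministrator
# Added example: host-level hardening against an SMB worm.
# Assumes Windows 8 / Server 2012 or later. Blocking 445 inbound on a file server breaks
# its shares; scope the rule with -RemoteAddress there instead of blocking everything.

# Firewall on for every profile, then one explicit inbound block rule per port.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True
foreach ($port in 135, 139, 445) {
    $name = "Block inbound TCP $port (SMB worm hardening)"   # invented rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $port -Action Block -Profile Any -Enabled True | Out-Null
    }
}

# The firewall rule stops remote reach; disabling SMBv1 removes the vulnerable code path
# while SMBv2/3 clients keep working wherever sharing is still needed.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# On Windows 10 / Server 2016 and later the SMBv1 component can be removed outright;
# the call is silently skipped where the feature name does not exist.
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
    -ErrorAction SilentlyContinue | Out-Null

# KB numbers shipped with MS17-010 (Win7/2008R2, 8.1/2012R2, 2012, Win10 1507/1511/1607).
# Later cumulative updates carry the fix under other IDs, so "not found" means
# "verify with Windows Update", not "vulnerable".
$ms17010 = 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216', 'KB4012214', 'KB4012217',
           'KB4012606', 'KB4013198', 'KB4013429'
$found = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($found) { "MS17-010 installed: $($found.HotFixID -join ', ')" }
else        { "No MS17-010 KB found by ID; confirm a 2017-03 or later cumulative update is present." }
```

Order matters for a machine that is already exposed: apply the firewall rule first (it is immediate), then disable SMBv1 (a reboot is needed for the feature removal), then patch. The firewall rule is the only one of the three that also protects an unpatchable legacy host.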

5. Close other dangerous ports

(1) Close port 135. Run "dcomcnfg", then open "Component Services" - "Computers" - "My Computer" - "Properties" - "Default Properties" and clear the "Enable Distributed COM on this computer" check box. Then open the "Default Protocols" tab, select "Connection-oriented TCP/IP" and click "Remove".

Figure 4 shutting down port 135

(2) Close port 139, which carries the "NetBIOS Session Service" and is mainly used for Windows file and printer sharing and for Samba on Unix. Open "Network" - "Local Area Connection" - "Properties", select "Internet Protocol Version 4 (TCP/IPv4)" - "Properties" - "Advanced", switch to the "WINS" tab and under "NetBIOS setting" select "Disable NetBIOS over TCP/IP", as shown in figure 5.

Figure 5 closing port 139

(3) Close port 445 in the registry

Open the Run dialog, type "regedit", and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters. Right-click, choose "New" - "DWORD (32-bit) Value", name it "SMBDeviceEnabled" and set its value to 0, as shown in figure 6. The change takes effect after a reboot; it stops the SMB listener on TCP 445 for the whole machine, so file sharing from this host will no longer work.

Figure 6 shutting down port 445

(4) Check whether the ports are still open

After the changes (and a reboot for the registry edit), the following command should print no LISTENING line for 135, 139 or 445. A single findstr with several patterns matches a line containing any one of them; chaining three separate find filters would never match, because no single netstat line carries all three ports.

netstat -an | findstr ":135 :139 :445"
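A single netstat line only shows whether a socket is bound. As an added check (not from the original article), the following PowerShell function reports all three things the previous two sections change: listeners on 135/139/445, enabled inbound block rules covering them, and the NetBT SMBDeviceEnabled value from step (3). It assumes Windows 8/Server 2012 or later for the NetTCPIP and NetSecurity cmdlets; the function name is invented.

```powershell
# Added check: verify the port hardening from sections 4 and 5 in one place.
# Assumes Windows 8 / Server 2012 or later; on older systems use netstat/findstr instead.
function Get-WormPortStatus {
    $ports = '135', '139', '445'

    # Sockets still bound on any of the three ports (the registry change needs a reboot first).
    $listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $ports -contains "$($_.LocalPort)" } |
        Select-Object -ExpandProperty LocalPort -Unique

    # Enabled inbound block rules whose port filter names one of the ports exactly.
    # A rule written as a list or range (for example 135-139) is not matched here.
    $blockRules = Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Protocol -eq 'TCP' -and $ports -contains "$($_.LocalPort)" } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Block' }

    # SMBDeviceEnabled = 0 is the registry method from step (3); absent means the default (enabled).
    $smb = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' `
        -Name SMBDeviceEnabled -ErrorAction SilentlyContinue
    if ($null -eq $smb) { $smbState = 'not set (SMB on TCP 445 enabled by default)' }
    else                { $smbState = $smb.SMBDeviceEnabled }

    [pscustomobject]@{
        StillListening    = @($listening)
        InboundBlockRules = @($blockRules | Select-Object -ExpandProperty DisplayName -Unique)
        SMBDeviceEnabled  = $smbState
    }
}

Get-WormPortStatus | Format-List
# The host-level view should be confirmed from a second machine on the same network:
#   Test-NetConnection -ComputerName <target> -Port 445    (TcpTestSucceeded should be False)
```

A host that still lists 445 under StillListening but has a block rule is protected from the network yet still runs the vulnerable service; a host with SMBDeviceEnabled set to 0 and no reboot yet is in the opposite state. The remote Test-NetConnection is the only result that reflects what the worm actually sees.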



© 2024 shulou.com SLNews company. All rights reserved.
