2025-02-28 Update From: SLTechnology News&Howtos (shulou), Network Security
Shulou (Shulou.com) 06/01 Report
Recently, a cryptomining malware driven by PowerShell has been breaking out repeatedly on enterprise networks. It uses WMI together with PowerShell to mine without writing a file to disk: the loader is stored in the WMI repository and the miner runs entirely in memory.
Beyond the fileless technique, the PowerShell miner has two lateral-movement mechanisms: automated credential brute forcing over WMIExec, and exploitation of the MS17-010 (EternalBlue) SMB vulnerability. Either one lets it spread quickly across an enterprise LAN.
In the past year at least eight cases of this PowerShell miner have been handled. This article covers how to remove it and how to prevent it.
Open the WMI Tester (wbemtest), connect to the namespace root\default, and you will find that the PowerShell miner has created a new malicious class there.
Earlier samples named the class Win32_Services; some later variants renamed it System_Anti_Virus_Core, but the contents are of the same kind.
Double-click the class and you will see the Base64-encoded malicious code in its properties. Base64 is an encoding, not encryption, so it can be decoded directly; prefer decoding it locally (for example with [Convert]::FromBase64String in PowerShell) rather than pasting a payload from your network into a third-party web page. An online decoder, if you do want one:
Base64 decoder
Http://www.heminjie.com/tool/base64.php
The PowerShell miner also creates an IPSec policy in the Local Security Policy that blocks connections to port 445 on the infected server.
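The following triage script is an added example, not code from the original article or from the malware. It automates the wbemtest inspection described above: it lists the classes in root\default, looks for the two class names the article gives, and decodes any Base64 string properties locally. The check of root\subscription at the end is the editor's assumption about how the miner restarts powershell.exe (the article only says that it does); the article does not name that mechanism. Run it in an elevated Windows PowerShell 5.1 session on the suspect host.

```powershell
# Added example (not from the original article). Triage a host for the
# WMI-resident PowerShell miner. Class names come from the article; the
# root\subscription check is an assumption about the restart mechanism.
$Namespace    = 'root\default'
$SuspectNames = @('Win32_Services', 'System_Anti_Virus_Core')

# 1. Enumerate the non-system classes in root\default. A stock install has
#    only a handful here (StdRegProv, SystemRestore, ...), so anything
#    unexpected deserves a look, not only the two known names.
$classes = Get-WmiObject -Namespace $Namespace -List |
    Where-Object { $_.Name -notlike '__*' }
Write-Host "Classes in ${Namespace}:"
$classes | ForEach-Object { Write-Host "  $($_.Name)" }

# Decode a Base64 string as script text. Returns $null if the input is not
# Base64 or the result is binary rather than text.
function Try-DecodeBase64 {
    param([string]$Text)
    if ([string]::IsNullOrWhiteSpace($Text)) { return $null }
    try { $bytes = [Convert]::FromBase64String($Text.Trim()) } catch { return $null }
    # Loaders produced with powershell -EncodedCommand are UTF-16LE; fall back
    # to UTF-8 if the UTF-16 decoding contains non-printable characters.
    $decoded = [Text.Encoding]::Unicode.GetString($bytes)
    if ($decoded -match '[^\x09\x0A\x0D\x20-\x7E]') {
        $decoded = [Text.Encoding]::UTF8.GetString($bytes)
    }
    if ($decoded -match '[^\x09\x0A\x0D\x20-\x7E]') { return $null }
    return $decoded
}

# 2. For each suspect class, pull every string property from the class
#    definition and from any instances, and try to decode it. The decoded
#    text is the "malicious code" the article refers to and is what you
#    would hand to AV or a sandbox.
foreach ($name in $SuspectNames) {
    if (-not ($classes | Where-Object { $_.Name -eq $name })) { continue }
    Write-Warning "Found suspicious class $Namespace`:$name"
    $objects  = @([wmiclass]"$Namespace`:$name")
    $objects += @(Get-WmiObject -Namespace $Namespace -Class $name -ErrorAction SilentlyContinue)
    foreach ($obj in $objects) {
        foreach ($prop in $obj.Properties) {
            if ($prop.Type -ne 'String' -or -not $prop.Value) { continue }
            $decoded = Try-DecodeBase64 -Text ([string]$prop.Value)
            if ($decoded) {
                Write-Host "--- $name.$($prop.Name) (Base64 decoded) ---"
                Write-Host $decoded
            }
        }
    }
}

# 3. Assumption: the restart within 1-2 hours that the article mentions is
#    typically done by a permanent WMI event subscription. List filters,
#    consumers and bindings so they can be reviewed alongside the class.
foreach ($cls in '__EventFilter', '__EventConsumer', '__FilterToConsumerBinding') {
    Get-WmiObject -Namespace 'root\subscription' -Class $cls -ErrorAction SilentlyContinue |
        Select-Object __CLASS, Name, Query, CommandLineTemplate, ScriptText, Filter, Consumer |
        Format-List
}
```

Keep the decoded text: it shows which pool and wallet the miner uses, which is the indicator you will want to block at the proxy and search for on other hosts.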
Removing the PowerShell miner
Some antivirus vendors now detect and remove this PowerShell miner, and a full antivirus scan is the recommended first step. If your organization has no antivirus, or the antivirus you run does not yet detect this miner, it can also be cleaned up manually. The steps are as follows:
1. End the powershell.exe process
A server running the miner responds extremely slowly, so first end the powershell.exe process to make the machine usable for the remaining steps. Note that this alone is only temporary: the process restarts itself within 1-2 hours, so continue with steps 2 and 3 straight away.
2. Delete the malicious class
Open the WMI Tester (wbemtest).
Connect to the root\default namespace.
A machine hit by the miner will show one extra class, named either Win32_Services or System_Anti_Virus_Core (the original article shows a screenshot of each variant). Remove it with the Delete Class button in wbemtest, entering the class name.
3. Delete the IPSec policy netbc from the Local Security Policy
Open Local Security Policy (secpol.msc) and navigate to Security Settings → IP Security Policies on Local Computer (this node is empty by default). Delete the policy named netbc.
In the cases handled so far, the PowerShell miner has basically not come back after these steps were carried out on the server.
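A scripted version of the three manual steps, as an added example that is not from the original article. The class names and the IPSec policy name netbc are the ones the article gives; the cleanup of root\subscription filters, consumers and bindings is the editor's assumption about how the miner relaunches powershell.exe, which the article does not state, and the name pattern used to select them should be checked against what the triage step actually found. The script kills the process last so that the persistence is already gone when it dies; the article kills it first to make a sluggish server workable, which is equally fine as long as the other steps follow. Run elevated in Windows PowerShell 5.1.

```powershell
# Added example (not from the original article). Remove the WMI-resident
# PowerShell miner: class names and policy name from the article, the
# root\subscription cleanup is an assumed restart mechanism.
$Namespace   = 'root\default'
$ClassNames  = @('Win32_Services', 'System_Anti_Virus_Core')
$IpsecPolicy = 'netbc'

# Step 2: delete the malicious class(es). A WMI class (as opposed to an
# instance) is removed through ManagementClass.Delete().
foreach ($name in $ClassNames) {
    $exists = Get-WmiObject -Namespace $Namespace -List -Class $name -ErrorAction SilentlyContinue
    if ($exists) {
        ([wmiclass]"$Namespace`:$name").Delete()
        Write-Host "Deleted class $Namespace`:$name"
    }
}

# Assumed restart mechanism: a permanent WMI event subscription whose
# consumer runs powershell. Remove bindings first, then consumers, then
# filters, selecting only those that reference the miner's names.
$sub     = 'root\subscription'
$pattern = 'powershell|Win32_Services|System_Anti_Virus_Core'
Get-WmiObject -Namespace $sub -Class __FilterToConsumerBinding |
    Where-Object { $_.Filter -match $pattern -or $_.Consumer -match $pattern } |
    Remove-WmiObject
Get-WmiObject -Namespace $sub -Class CommandLineEventConsumer |
    Where-Object { $_.Name -match $pattern -or $_.CommandLineTemplate -match $pattern } |
    Remove-WmiObject
Get-WmiObject -Namespace $sub -Class ActiveScriptEventConsumer |
    Where-Object { $_.Name -match $pattern -or $_.ScriptText -match $pattern } |
    Remove-WmiObject
Get-WmiObject -Namespace $sub -Class __EventFilter |
    Where-Object { $_.Name -match $pattern -or $_.Query -match $pattern } |
    Remove-WmiObject

# Step 3: unassign, then delete, the IPSec policy that blocks port 445.
# "netsh ipsec static" is the command-line equivalent of the secpol.msc node.
netsh ipsec static set policy name=$IpsecPolicy assign=n | Out-Null
netsh ipsec static delete policy name=$IpsecPolicy

# Step 1: end every powershell.exe except this session.
Get-Process -Name powershell -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -ne $PID } |
    Stop-Process -Force

# Verify: no suspect classes left, policy gone. Re-check after a few hours,
# since the article reports a 1-2 hour restart window.
Get-WmiObject -Namespace $Namespace -List | Where-Object { $_.Name -in $ClassNames }
netsh ipsec static show policy name=$IpsecPolicy
```

If the verification still lists a class or the process returns hours later, the persistence lives somewhere the pattern above did not match; go back to the triage output and widen the selection by hand rather than loosening the pattern blindly.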
Security recommendations
1. System level
Server side:
Establish a standard build and security baseline for servers (security policy settings, patch requirements, antivirus, and operations requirements that must be met before a server goes into production).
Define server operations standards, security requirements, and a security checking mechanism.
Establish a server configuration management mechanism, starting with configuration management of the operating system.
Client side:
Establish a client network access control mechanism: for example, machines without current patches or without an antivirus client may not connect to the server network segment.
Define client security requirements such as the patch update policy and the antivirus update policy.
Deploy a unified endpoint management platform so that client machines are managed centrally.
2. Operations level
Strengthen server monitoring and early warning.
Strengthen user security awareness training.
Establish a unified log management platform that collects, stores and analyzes the logs of server systems and network devices.
Establish a unified server operations platform so that servers can be managed in batches quickly.
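The recommendations above are organizational; the script below is an added example from the editor, not from the article, of what a baseline and monitoring check aimed specifically at this miner can look like on a single server. It assumes Windows Server 2012 or later (for Get-SmbServerConfiguration) and an elevated Windows PowerShell 5.1 session. The failed-logon threshold is an arbitrary assumption to be tuned per environment, and MS17-010 patch status is checked indirectly through SMBv1 rather than by KB number, because the KB differs by OS build.

```powershell
# Added example (not from the original article). Baseline and early-warning
# checks relevant to a fileless WMI/PowerShell miner that spreads over
# WMIExec brute forcing and MS17-010. Assumes Server 2012+ and elevation.
$findings = @()

# MS17-010 spread needs SMBv1 on the target. Disabling SMBv1 closes that
# path regardless of which KB is installed on this build.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 is enabled: run Set-SmbServerConfiguration -EnableSMB1Protocol $false'
}

# A fileless miner gives AV no file to scan; PowerShell script block logging
# (event 4104) records the decoded script text instead. This is the value
# the GPO writes when the setting is enabled.
$sbl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
                        -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
if (-not $sbl -or $sbl.EnableScriptBlockLogging -ne 1) {
    $findings += 'PowerShell script block logging is off: set EnableScriptBlockLogging=1'
}

# WMIExec brute forcing shows up on the target as a burst of failed logons
# (Security event 4625). Count the last hour; 50 is an assumed threshold.
$since  = (Get-Date).AddHours(-1)
$failed = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                         -ErrorAction SilentlyContinue)
if ($failed.Count -gt 50) {
    $findings += "$($failed.Count) failed logons in the last hour (possible WMIExec brute force)"
}

# Where script block logging is already on, look for recent blocks that
# decode Base64, which is how the miner's loader is stored in WMI.
$blocks = @(Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since } `
                         -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match 'FromBase64String|EncodedCommand' })
if ($blocks.Count -gt 0) {
    $findings += "$($blocks.Count) PowerShell script blocks in the last hour decode Base64; review them"
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else                       { Write-Host 'No findings.' }
```

Forwarding the same two event IDs (4625 and 4104) from every server to the central log platform turns this per-host check into the early-warning mechanism the recommendations call for.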
Author: Wang Ji
© 2024 shulou.com SLNews company. All rights reserved.