Shulou (Shulou.com) 05/31 Report, updated 2025-02-27. Source: SLTechnology News&Howtos, Network Security section.
This article explains how to defend against the GlobeImposter ransomware attack. Many readers may not know much about it, so the editor has summarized the following analysis and recommendations; we hope you gain something from them.
Ordinary ransomware incidents usually enter a user's systems by e-mail, watering-hole attacks, USB drives carried across an air gap and similar channels, and the infection then continues inside the internal network through the lateral-movement capability of the malicious code itself (for example, exploitation of the MS17-010 vulnerability). Analysis of this attack shows that the main difference from a common ransomware incident is that, after breaching the enterprise's protective boundary, the attacker actively infiltrates the intranet by hand, bypasses the security protections and only then releases the ransomware. This makes the attack highly destructive and highly targeted.
In this incident, after the attackers opened a breach from the external network, they infiltrated other machines on the intranet through manual, tool-assisted operation. The tools they used came mainly from a single compressed archive and included, but were not limited to:
1. Full-featured remote-control Trojan
2. Script that automatically adds an administrator account
3. Intranet share scanning tool
4. Windows password dumping tool
5. Network sniffing and multi-protocol brute-force tools
6. Browser saved-password viewing tool
After gaining a foothold on the intranet, the attacker brute-forces the passwords of other intranet hosts. Once moved laterally onto a new host, the attacker attempts operations including, but not limited to:
1. Uninstalling the protection software installed on the host, manually or with tools
2. Downloading or uploading the hacker toolkit
3. Manually launching the remote-control Trojan and the ransomware
Risk level
360 Safety Monitoring and response Center risk rating: high risk
Warning level: blue warning (general network security warning)
Scope of impact
Organizations susceptible to this attacker's methods.
The attacker's main means of breaching the boundary was most likely brute-force cracking of Windows Remote Desktop Service passwords. After entering the intranet, the attacker uses a variety of methods to obtain login credentials and spread laterally across the intranet. In summary, organizations with the following characteristics are more vulnerable to this attacker:
1. Organizations that use weak passwords and expose Windows Remote Desktop Services (port 3389) to the Internet.
2. Intranet Windows terminals and servers that share the same password or only a few sets of passwords.
3. Windows servers and terminals without antivirus software deployed, or whose antivirus software is not updated in time.
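The first characteristic above (RDP exposed with weak passwords) leaves a clear trace in the Windows Security log: a burst of failed logons (Event ID 4625) with Logon Type 10 (RemoteInteractive) from one source address, often cycling through account names. The following detection logic is an added example and not part of the 360 report; it uses a constructed, simplified line format (timestamp, event id, logon type, account, source IP) in place of real exported events, and the threshold and window are assumptions you would tune to your environment.

```python
"""Detect RDP password brute forcing from simplified Windows Security log records.

Added example (not from the advisory). Event ID 4625 = failed logon,
Logon Type 10 = RemoteInteractive (RDP). One source address producing more
than `threshold` such failures inside a sliding window is reported together
with the number of distinct accounts it tried, which separates a spray from
a user who simply mistyped a password.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: "<timestamp> <event id> <logon type> <account> <source ip>".
# 203.0.113.7 sprays six account names in six seconds; 198.51.100.9 is a real
# user who fails twice, seven minutes apart, then succeeds (4624); 10.0.0.5 is
# a network logon (type 3), not RDP.
SAMPLE_EVENTS = """\
2019-05-31T01:00:01 4625 10 Administrator 203.0.113.7
2019-05-31T01:00:02 4625 10 admin 203.0.113.7
2019-05-31T01:00:03 4625 10 administrator 203.0.113.7
2019-05-31T01:00:04 4625 10 root 203.0.113.7
2019-05-31T01:00:05 4625 10 test 203.0.113.7
2019-05-31T01:00:06 4625 10 guest 203.0.113.7
2019-05-31T01:02:00 4625 10 alice 198.51.100.9
2019-05-31T01:09:00 4625 10 alice 198.51.100.9
2019-05-31T01:10:00 4624 10 alice 198.51.100.9
2019-05-31T01:15:00 4625 3 svc_backup 10.0.0.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d+) (?P<logon_type>\d+) (?P<account>\S+) (?P<ip>\S+)$"
)


def parse_events(text):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["event"] = int(rec["event"])
        rec["logon_type"] = int(rec["logon_type"])
        yield rec


def detect_rdp_bruteforce(text, threshold=5, window_minutes=5):
    """Return {source_ip: (failures_in_window, distinct_accounts_in_window)}
    for every source that reached `threshold` RDP logon failures within any
    `window_minutes` span. Only the final window state per source is kept."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # ip -> deque of (timestamp, account) inside the window
    alerts = {}
    for rec in parse_events(text):
        if rec["event"] != 4625 or rec["logon_type"] != 10:
            continue  # not a failed RDP logon
        q = recent[rec["ip"]]
        q.append((rec["ts"], rec["account"].lower()))
        # Slide the window: drop failures older than `window` relative to this one.
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[rec["ip"]] = (len(q), len({acct for _, acct in q}))
    return alerts


if __name__ == "__main__":
    for ip, (count, accounts) in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"ALERT {ip}: {count} RDP failures, {accounts} distinct accounts")
```

With the defaults only 203.0.113.7 is reported; the legitimate user's two failures fall outside the five-minute window. The same logic applies to exported 4625 events once the fields are mapped from the real XML or CSV, and the account count is what justifies a block rule rather than an account lockout.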
Disposal recommendations
1. Server and terminal protection
1.1. Enforce a complex password policy on all servers and terminals and eliminate weak passwords.
1.2. Stop using a single shared password to manage all machines.
1.3. Install antivirus and terminal security management software, and update the virus database in a timely manner.
1.4. Install vulnerability patches in a timely manner.
1.5. Enable key log collection on servers to provide a basis for tracing security incidents.
2. Network protection and security monitoring
2.1. Divide the intranet into security domains sensibly and strictly restrict the ACLs between them, limiting the scope of lateral movement.
2.2. Place key business systems and core databases in independent security zones, defend the zone boundaries, strictly restrict access to important areas, and shut down unnecessary and insecure services such as telnet and SNMP.
2.3. Deploy IDS/IPS equipment in the network to discover and block intranet lateral movement in time.
2.4. Deploy full-traffic recording equipment in the network to discover intranet lateral movement and provide a solid basis for tracing the source.
2.5. Block outbound access to IP 54.37.65.160 via ACL.
3. Application system protection and data backup
3.1. At the application level, carry out penetration testing and hardening of the application systems to ensure they are secure and under control.
3.2. Back up business systems and data in a timely manner, and verify that the backup systems and data are actually usable.
3.3. Establish a disaster-recovery plan so that, once a core system is attacked, the backup business system can be brought up immediately; at the same time, isolate the backup system from the primary system so that both cannot be attacked at once, which would affect business continuity.
Security protection is a dynamic contest. On top of the hardening measures above, daily operations must also strengthen control over how systems are used and real-time monitoring of the network security posture:
Computers must not use storage devices of unknown origin such as USB drives and removable hard disks, and must not connect to public networks; likewise, devices of unknown origin must not run on the organization's internal network.
Carry out regular security inspections and assessments, find security weaknesses in time, fix vulnerabilities and gaps in the security management mechanism promptly, and keep the system's security at a relatively high level at all times (much like a regular physical examination).
Follow the technical progress of network security closely; organizations with the means can adopt a new type of big-data-based traffic monitoring equipment together with professional analysis services, so that worm-like malware is discovered, handled and traced to eradication at the earliest moment.
Technical analysis
1. Ransomware sample analysis
1.1 Sample initialization
After it runs, the ransomware sample first checks whether the %LOCALAPPDATA% or %APPDATA% environment variable exists; if so, it copies itself to that directory and writes the copied path to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck so that it starts at boot.
It then generates an RSA private key, encrypts it with a hard-coded public key, converts the encrypted ciphertext into ASCII text, and finally writes that ciphertext under the path given by the %ALLUSERSPROFILE% variable.
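The persistence step above is a useful detection point: an autostart value in Run or RunOnce whose image lives in a user profile directory (%LOCALAPPDATA%, %APPDATA%, %TEMP%) is rarely legitimate software. The following triage script is an added example and not code from the 360 report or the sample; it parses the text that `reg export` produces and flags such entries. The registry export below is constructed for the demo: the value name BrowserUpdateCheck and the profile-directory location come from the analysis above, while the file name svchost32.exe, the user name and the other values are invented.

```python
"""Triage Run/RunOnce autostart entries from a `reg export` text dump.

Added example, not from the advisory. Flags autostart values whose executable
sits in a user-writable profile directory, which is where the GlobeImposter
sample copies itself before registering RunOnce\\BrowserUpdateCheck.
"""
import re

# Constructed export. `reg export` doubles backslashes and escapes embedded quotes.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"BrowserUpdateCheck"="C:\\Users\\alice\\AppData\\Local\\svchost32.exe"
"Cleanup"="C:\\Windows\\System32\\cmd.exe /c del C:\\tmp\\x"
'''

# Lower-cased path fragments that mark a user-writable profile location (assumption:
# extend with your own list, e.g. Downloads or ProgramData subfolders).
SUSPICIOUS_DIRS = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\")

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo reg-export escaping: \\" -> " and \\\\ -> \\ (quotes first, then backslashes)."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return a list of (key_path, value_name, data) for every REG_SZ value."""
    entries = []
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            entries.append((current_key, _unescape(m.group("name")), _unescape(m.group("data"))))
    return entries


def image_path(command):
    """Extract the executable path from an autostart command line."""
    command = command.strip()
    if command.startswith('"'):  # quoted path, possibly followed by arguments
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    idx = command.lower().find(".exe")  # unquoted: cut after the .exe extension
    if idx != -1:
        return command[: idx + 4]
    return command.split(" ", 1)[0]


def find_suspicious_autostarts(text):
    """Return Run/RunOnce entries whose image is in a user-writable profile directory."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if not key.lower().endswith(("\\run", "\\runonce")):
            continue
        path = image_path(data)
        if any(d in path.lower() for d in SUSPICIOUS_DIRS):
            hits.append({"key": key, "name": name, "image": path})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_autostarts(SAMPLE_REG_EXPORT):
        print(f"SUSPICIOUS {hit['key']}\\{hit['name']} -> {hit['image']}")
```

On a live host the input would come from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce out.reg` (and the HKLM and Run equivalents). Because the sample registers itself under RunOnce, the value disappears after the next boot, so collect the export before rebooting a suspected machine.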
1.2 Encryption process
After initialization, the ransomware traverses the entire file system. Skipping the folders on its built-in exclusion list, it encrypts every other file with the randomly generated public key and then appends the previously generated unique machine ID to the end of each file.
The excluded paths are as follows:
Windows · Microsoft · Microsoft Help · Windows App Certification Kit · Windows Defender · ESET · COMODO · Windows NT · Windows Kits · Windows Mail · Windows Media Player · Windows Multimedia Platform · Windows Phone Kits · Windows Phone Silverlight Kits · Windows Photo Viewer · Windows Portable Devices · Windows Sidebar · Windows PowerShell · NVIDIA Corporation · Microsoft.NET · Internet Explorer · Kaspersky Lab · McAfee · Avira · spytech software · sysconfig · Avast · DrWeb · Symantec · Symantec_Client_Security · system volume information · AVG · Microsoft Shared · Common Files · Outlook Express · Movie Maker · Chrome · Mozilla Firefox
2. Remote-control sample analysis
The sample is the server side of a remote-control Trojan written in Delphi. It contains the usual remote-control and remote-operation functions, and a machine on which it runs successfully can be completely controlled.
2.1 Environment detection
First, the program runs a series of environment checks and exits the process if any of them fails. The checks cover debugger detection, debugging-module detection, API hook detection, virtual machine and sandbox detection, and so on, as follows:
1) Debugging module detection
2) Local and remote debugger detection
3) Virtual machine detection: queries the "0" key, looks for the "VIRTUAL" field, and checks whether it is running in a VMware or VirtualBox virtual machine
4) Cuckoo sandbox detection
5) WINE detection
6) CWSandbox detection
7) JoeBox and Anubis detection
8) Check whether ShellExecuteExW has been hooked
If any of the above checks fails, the program exits.
2.2 Trojan initialization
Decrypt the configuration information with the key PuBAanR08QJw3AjM.
Copy itself to one of the following directories under the file name aspbcn.exe
and write a startup item.
When finished, restart from the copy that wrote the startup item and exit the original process.
Download and extract the sqlite module.
Attempt to elevate privileges.
Establish a connection to IP 54.37.65.160 on port 0xCFD8 (53208) and send basic system information, disk information, PC name, account information and so on to the remote side.
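The beacon address and port above, together with recommendation 2.5 (block outbound access to 54.37.65.160 via ACL), are the network indicators this report gives a defender. The script below is an added example, not code from the 360 report; it shows how those indicators are applied to stored firewall logs to find hosts that already beaconed before the ACL was in place. The log lines and their key=value format are constructed for the demo; the IP and the hex port are the ones from the report.

```python
"""Retro-hunt stored firewall logs for the C2 indicators given in the advisory.

Added example, not from the advisory. Any connection to the C2 address is
reported (the ACL blocks the address on all ports); the known beacon port is
noted separately. Sources whose beacon was *allowed* are the hosts to isolate.
"""
import ipaddress
import re

# Indicators from the advisory. The report lists the port in hex.
C2_IP = "54.37.65.160"
C2_PORT = 0xCFD8  # 53208 decimal

# Constructed sample lines in a generic key=value syslog style.
SAMPLE_FW_LOG = """\
2019-05-31T02:10:11 action=allow proto=tcp src=10.0.0.21 spt=49822 dst=54.37.65.160 dpt=53208
2019-05-31T02:10:12 action=allow proto=tcp src=10.0.0.21 spt=49823 dst=93.184.216.34 dpt=443
2019-05-31T02:11:00 action=deny proto=tcp src=10.0.0.33 spt=51000 dst=54.37.65.160 dpt=53208
2019-05-31T02:12:00 action=allow proto=tcp src=10.0.0.33 spt=51001 dst=54.37.65.160 dpt=80
malformed line without fields
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_fw_line(line):
    """Parse one key=value log line into a dict, or return None if it lacks required fields."""
    fields = dict(KV_RE.findall(line))
    try:
        return {
            "ts": line.split(" ", 1)[0],
            "action": fields["action"],
            # ip_address() rejects garbage such as hostnames or truncated addresses.
            "src": str(ipaddress.ip_address(fields["src"])),
            "dst": str(ipaddress.ip_address(fields["dst"])),
            "dpt": int(fields["dpt"]),
        }
    except (KeyError, ValueError):
        return None


def hunt_c2_connections(text, c2_ip=C2_IP, c2_port=C2_PORT):
    """Return every connection to the C2 address, flagging the known beacon port."""
    hits = []
    for line in text.splitlines():
        ev = parse_fw_line(line)
        if ev and ev["dst"] == c2_ip:
            ev["known_port"] = ev["dpt"] == c2_port
            hits.append(ev)
    return hits


def hosts_to_isolate(text, c2_ip=C2_IP, c2_port=C2_PORT):
    """Internal sources whose beacon the firewall allowed: triage these first."""
    return sorted({ev["src"] for ev in hunt_c2_connections(text, c2_ip, c2_port)
                   if ev["action"] == "allow"})


if __name__ == "__main__":
    for ev in hunt_c2_connections(SAMPLE_FW_LOG):
        tag = "beacon port" if ev["known_port"] else "other port"
        print(f"{ev['ts']} {ev['src']} -> {ev['dst']}:{ev['dpt']} {ev['action']} ({tag})")
    print("isolate:", hosts_to_isolate(SAMPLE_FW_LOG))
```

Matching on the address alone rather than the address and port pair matters here: the Trojan's port is a configuration value, and recommendation 2.5 blocks the address outright, so the hunt should not miss a host that reached the same server on a different port.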
2.3 Backdoor command section
The Trojan then enters its backdoor command loop. It is full-featured, with operations covering files, processes, services, the registry, system control, screenshots, the firewall, DDoS attacks and more. Some of them are listed below:
1) Basic commands relating to files, processes, services and the registry
2) Simulating mouse operations through Windows APIs to control the system
3) Retrieving the account information saved by browsers
4) UDP flood attack
5) TCP SYN attack
6) Port-forwarding module, which lets the attacker control other intranet machines that cannot reach the external network by forwarding through the infected host
After reading the above, do you have a better understanding of how to defend against the GlobeImposter ransomware attack? If you want to learn more, please follow the industry information channel. Thank you for your support.