Ichi chinyorwa chikamu cheiyo Fileless Malware series. Zvimwe zvikamu zvese zvenhevedzano:
- (tiri pano)
Mune ino nhevedzano yezvinyorwa, isu tinoongorora nzira dzekurwisa dzinoda kushoma kushanda nesimba kune vanoba. Kare Isu takavhara kuti zvinokwanisika kuisa iyo kodhi pachayo muDDE autofield payload muMicrosoft Word. Nekuvhura gwaro rakadaro rakanamirwa kune phishing email, mushandisi asina kungwarira anobvumira anorwisa kuti awane tsoka pakombuta yake. Nekudaro, pakupera kwe2017, Microsoft iyi loophole yekurwiswa paDDE.
Kugadzirisa kunowedzera registry yekupinda iyo inodzima DDE inoshanda muShoko. Kana uchiri kuda kushanda uku, saka unogona kudzosa iyi sarudzo nekugonesa iyo yekare DDE kugona.
Nekudaro, iyo yekutanga chigamba yakangovhara Microsoft Word. Ko uku kusadzikama kweDDE kuripo mune zvimwe zvigadzirwa zveMicrosoft Office zvinogona zvakare kushandiswa mukurwiswa pasina-kodhi? Hongu chokwadi. Semuenzaniso, iwe unogona zvakare kuvawana muExcel.
Husiku Hwavapenyu DDE
Ini ndinorangarira kuti nguva yekupedzisira pandakamira pane tsananguro yeCOM scriptlets. Ndinovimbisa kuti ndichasvika kwavari gare gare munyaya ino.
Zvichakadaro, ngatitarisei rimwe divi rakaipa reDDE muExcel vhezheni. Sezvakangoita muShoko, zvimwe zvakavanzika zveDDE muExcel kubvumira kuti uite kodhi pasina kushanda nesimba. Semushandisi weShoko akakura, ndaiziva minda, asi kwete zvachose nezvemabasa ari muDDE.
Ndakashamisika kuziva kuti muExcel ndinogona kudaidza goko kubva musero sezvakaratidzwa pazasi:
Waizviziva here kuti izvi zvaibvira? Ini pachangu, handidaro
Uku kugona kuvhura Windows shell kune ruremekedzo rweDDE. Unogona kufunga zvimwe zvinhu zvakawanda
Zvishandiso zvaunogona kubatana nazvo uchishandisa Excel yakavakirwa-mukati DDE mabasa.
Uri kufunga zvakafanana nezvandiri kufunga here?
Rega yedu mu-sero command itange iyo PowerShell chikamu iyo yobva yadhawunirodha nekuita chinongedzo - ichi , yatakamboshandisa kare. Ona pazasi:
Ingoisa diki PowerShell kurodha uye kumhanya kure kodhi muExcel
Asi pane kubata: iwe unofanirwa kuisa pachena iyi data muchitokisi kuti iyi fomula ishande muExcel. Mubiki angaite sei iyi DDE command ari kure? Icho chokwadi ndechekuti kana tafura yeExcel yakavhurika, Excel inoedza kugadzirisa zvese zvinongedzo muDDE. Zvigadziriso zveTrust Center zvagara zvichigona kudzima izvi kana kunyevera kana uchigadziridza zvinongedzo kune ekunze data masosi.
Kunyangwe pasina zvigamba zvichangoburwa, unogona kudzima otomatiki link yekuvandudza muDDE
Microsoft pakutanga pachayo Makambani muna 2017 anofanirwa kudzima otomatiki link zvigadziriso kudzivirira DDE kusagadzikana muIzwi neExcel. Muna Ndira 2018, Microsoft yakaburitsa zvigamba zveExcel 2007, 2010 uye 2013 izvo zvinodzima DDE nekukasira. Izvi Computerworld inotsanangura zvese zvechigamba.
Zvakanaka, zvakadini nematanda ezviitiko?
Microsoft zvakadaro yakasiya DDE yeMS Word uye Excel, nekudaro pakupedzisira yaona kuti DDE yakafanana nebug pane kushanda. Kana nekuda kwechimwe chikonzero iwe usati waisa zvigamba izvi, unogona zvakare kuderedza njodzi yekurwiswa kweDDE nekudzima otomatiki link inogadziridza uye nekugonesa marongero anoita kuti vashandisi vagadzirise zvinongedzo pakuvhura magwaro nemaspredishiti.
Zvino iwo miriyoni yemadhora mubvunzo: Kana iwe uri nyajambwa wekurwiswa uku, PowerShell zvikamu zvakatangwa kubva kuIzwi ndima kana maExcel maseru acharatidza murogi?
Mubvunzo: PowerShell zvikamu zvinotangwa kuburikidza neDDE zvakarogwa here? Mhinduro: hongu
Paunomhanyisa PowerShell zvikamu zvakananga kubva kuExcel cell kwete semacro, Windows inonyora zviitiko izvi (ona pamusoro). Panguva imwecheteyo, ini handikwanise kutaura kuti zvichave nyore kuti timu yekuchengetedza ibve yabatanidza madotsi ese pakati pechikamu chePowerShell, gwaro reExcel uye meseji yeemail uye kunzwisisa kwakatanga kurwiswa. Ini ndichadzoka kune izvi mune yekupedzisira chinyorwa mune yangu isingapere-inopera yakatevedzana pane isingaite malware.
Ko COM yedu yakadii?
Mune yapfuura Ndakabata nyaya yeCOM scriptlets. Dzakanaka mavari. , iyo inokutendera kuti upfuure kodhi, taura JScript, sechinhu cheCOM. Asi zvino zvinyorwa zvakawanikwa nevabiki, uye izvi zvakavabvumira kuwana tsoka pakombuta yemunhu akabatwa pasina kushandisa zvishandiso zvisina basa. Izvi kubva kuDerbycon inoratidza akavakirwa-mukati maWindows maturusi senge regsrv32 uye rundll32 anobvuma scriptlets ari kure senharo, uye matsotsi anoita kurwisa kwavo pasina rubatsiro rwemalware. Sezvandakaratidza kekupedzisira, unogona kumhanya zviri nyore PowerShell mirairo uchishandisa JScript scriptlet.
Zvakazoonekwa kuti munhu akangwara chaizvo akawana nzira yekumhanyisa COM scriptlet Π² Excel gwaro. Akaona kuti paaiedza kuisa link yegwaro kana kuti mufananidzo musero, imwe pasuru yaiiswamo. Uye iyi package inogamuchira chinyararire scriptlet iri kure sekuisa (ona pazasi).
Boom! Imwe nzira yekubira, yakanyarara yekuvhura goko uchishandisa COM zvinyorwa
Mushure mekuongororwa kwekodhi yakaderera, muongorori akawana kuti chii chaizvo bug mune software software. Yakanga isina kuitirwa kumhanyisa COM zvinyorwa, asi kungobatanidza kune mafaera. Handina chokwadi kana patova nechigamba chekusagadzikana uku. Muchidzidzo changu chega ndichishandisa Amazon WorkSpaces ine Hofisi 2010 yakafanomisikidzwa, ndakakwanisa kudzokorora mhedzisiro. Zvisinei, pandakaedzazve gare gare, hazvina kushanda.
Ndinovimba chaizvo kuti ndakakuudza zvinhu zvakawanda zvinonakidza uye panguva imwechete yakaratidza kuti hackers vanogona kupinda mukambani yenyu mune imwe kana imwe nzira yakafanana. Kunyangwe iwe ukaisa ese achangoburwa eMicrosoft zvigamba, matsotsi achiri ane akawanda maturusi ekuwana tsoka muhurongwa hwako, kubva kuVBA macros ini ndakatanga iyi nhevedzano kusvika kune yakaipa payload muIzwi kana Excel.
Muchikamu chekupedzisira (ini ndinovimbisa) mune ino saga, ini ndichataura nezve nzira yekupa yakangwara dziviriro.
Source: www.habr.com