Ngeli nqaku siqala uthotho lweempapasho malunga ne-malware engabonakaliyo. Iinkqubo zokugqekeza okungekho fayile, ezaziwa ngokuba ziinkqubo zokuqhekeza ezingenafayile, zihlala zisebenzisa iPowerShell kwiinkqubo zeWindows ukuqhuba ngokuthe cwaka imiyalelo yokukhangela kunye nokukhupha umxholo obalulekileyo. Ukubona umsebenzi we-hacker ngaphandle kweefayile ezinobungozi ngumsebenzi onzima, kuba ... ii-antivirus kunye nezinye iinkqubo ezininzi zokubona zisebenza ngokusekelwe kuhlalutyo lwesiginitsha. Kodwa iindaba ezimnandi zezokuba isoftware enjalo ikhona. Umzekelo, , ekwaziyo ukubona umsebenzi ongalunganga kwiinkqubo zefayile.
Ukuqala kwam ukuphanda ngesihloko se-badass hackers, , kodwa kuphela izixhobo kunye nesoftware ekhoyo kwikhompyuter yexhoba, andizange ndicinge ukuba le yayiza kuba yindlela edumileyo yokuhlasela. Iingcali zoKhuseleko ukuba oku kuba ngumkhwa, kwaye - ukuqinisekiswa koku. Ngoko ke, ndagqiba ekubeni ndenze uthotho lweempapasho ngalo mbandela.
I-PowerShell eNkulu kwaye enamandla
Ndikhe ndabhala ngezinye zezi ngcinga ngaphambili kwi , kodwa ngakumbi kusekwe kwingqikelelo yethiyori. Ethubeni ndafika , apho unokufumana iisampuli ze-malware "ezibanjwe" endle. Ndigqibe ekubeni ndizame ukusebenzisa le ndawo ukufumana iisampulu ze-malware engenafayile. Kwaye ndaphumelela. Ngendlela, ukuba ufuna ukuya kuhambo lwakho lokuzingela i-malware, kuya kufuneka uqinisekiswe yile ndawo ukuze bazi ukuba wenza umsebenzi njengengcali yomnqwazi omhlophe. Njengeblogi yokhuseleko, ndiyidlulise ngaphandle kombuzo. Ndiqinisekile nawe unako.
Ukongeza kwiisampulu ngokwazo, kwisiza ungabona ukuba ezi nkqubo zenza ntoni. Uhlalutyo lweHybrid luqhuba i-malware kwibhokisi yesanti yayo kwaye ibeke iliso kwiifowuni zenkqubo, iinkqubo eziqhubayo kunye nomsebenzi wenethiwekhi, kwaye ikhuphe imitya yokubhaliweyo ekrokrisayo. Ngamabini kunye nezinye iifayile eziphunyeziweyo, i.e. apho awukwazi nokujonga ikhowudi yomgangatho ophezulu wokwenene, uhlalutyo lwe-hybrid luthatha isigqibo sokuba i-software inonya okanye iyakrokra ngokusekelwe kumsebenzi wayo wexesha lokuqhuba. Kwaye emva koko isampuli sele ivavanyiwe.
Kwimeko yePowerShell kunye nezinye izikripthi zesampula (Visual Basic, JavaScript, njl.), Ndakwazi ukubona ikhowudi ngokwayo. Umzekelo, ndifumene lo mzekelo wePowerShell:
Unokuphinda usebenzise i-PowerShell kwi-base64 encoding ukunqanda ukubhaqwa. Qaphela ukusetyenziswa kwe-Noninteractive kunye ne-Hidden parameters.
Ukuba uzifundile iiposti zam kwi-obfuscation, ngoko uyazi ukuba i- -e ukhetho luchaza ukuba umxholo u-base64 ufakwe ngekhowudi. Ngendlela, uhlalutyo lwe-hybrid lukwanceda ngale nto ngokuguqula yonke into emva. Ukuba ufuna ukuzama i-base64 PowerShell (emva koku ebizwa ngokuba yi-PS) ngokwakho, kufuneka usebenzise lo myalelo:
[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($EncodedText))Ngena nzulu
Ndikhethe iskripthi sethu sePS ndisebenzisa le ndlela, ngezantsi kumbhalo wenkqubo, nangona iguqulwe kancinane ndim:
Qaphela ukuba iskripthi sasibotshelelwe kumhla we-4 Septemba 2017 kwaye ii-cookie zeseshoni zathunyelwa.
Ndabhala ngolu hlobo lohlaselo kwi , apho i-base64 encoded script ngokwayo ilayisha engekho i-malware esuka kwenye indawo, usebenzisa into yeWebClient yethala le-.Net Framework ukwenza umsebenzi wokuphakamisa ubunzima.
Yenzelwe ntoni le nto?
Kukhuseleko lwesoftware yokuskena iilog zeziganeko zeWindows okanye i-firewall, i-base64 encoding ithintela umtya othi "WebClient" ukuba ibonwe yipatheni yombhalo ongenanto ukukhusela ukwenza eso sicelo sewebhu. Kwaye kuba bonke "ububi" be-malware bukhutshelwa kwaye bugqithiselwe kwi-PowerShell yethu, le ndlela ke isivumela ukuba sikuphephe ngokupheleleyo ukubhaqwa. Okanye kunoko, yile nto bendiyicinga ekuqaleni.
Kuyavela ukuba ngeWindows PowerShell Advanced Logging inikwe amandla (bona inqaku lam), uya kuba nakho ukubona umgca olayishiweyo kwilog yomnyhadala. Ndinje ) Ndicinga ukuba uMicrosoft kufuneka enze eli nqanaba lokugawulwa ngokwendalo. Ke ngoko, ngokungena okwandisiweyo kunikwe amandla, siya kubona kwilog yesiganeko seWindows isicelo esigqityiweyo sokukhuphela kwiskripthi sePS ngokomzekelo esiwuxubushe ngasentla. Ke ngoko, kunengqiqo ukuyivula, awuvumi?
Makhe songeze iimeko ezongezelelweyo
Abahlaseli ngobuchule bafihla uhlaselo lwe-PowerShell kwi-Microsoft Office macros ebhalwe ngeVisual Basic kunye nezinye iilwimi zokubhala. Ingcamango kukuba ixhoba lifumana umyalezo, umzekelo kwinkonzo yokuhambisa, kunye nengxelo eqhotyoshelweyo kwi-.doc format. Uvula olu xwebhu luqulethe i-macro, kwaye iphetha ngokuzisa i-PowerShell enobungozi ngokwayo.
Rhoqo iskripthi esisiSiseko esiBonakalayo ngokwaso siyafihlwa ukuze siphephe ngokukhululekileyo i-antivirus kunye nezinye izikena ze-malware. Ngomoya woku kungasentla, ndigqibe kwelokuba ndibhale iPowerShell engentla kwiJavaScript njengomsebenzi. Ngezantsi ziziphumo zomsebenzi wam:
IJavaScript efihliweyo ifihla i-PowerShell yethu. Abaduni bokwenyani benza oku kanye okanye kabini.
Le yenye indlela endiyibone idada kwiwebhu: isebenzisa i-Wscript.Shell ukuqhuba ikhowudi yePowerShell. Ngendlela, iJavaScript ngokwayo ukuhanjiswa kwe-malware. Iinguqulelo ezininzi zeWindows ziye zakhelwa ngaphakathi , yona ngokwayo inokuqhuba i-JS.
Kwimeko yethu, iskripthi esikhohlakeleyo se-JS sifakwe njengefayile kunye ne-.doc.js extension. IiWindows ziya kubonisa kuphela isimamva sokuqala, ngoko ke siya kubonakala kwixhoba njengoxwebhu lweLizwi.
I-ayikhoni ye-JS ibonakala kuphela kwi-ayikhoni yokuskrola. Ayimangalisi into yokuba abantu abaninzi bavule olu ncamathiselo becinga ukuba luxwebhu lweLizwi.
Kumzekelo wam, ndiguqule iPowerShell ngasentla ukukhuphela iskripthi kwiwebhusayithi yam. Iskripthi se-PS esikude siprinta nje "Ububi boMalware". Njengoko ubona, akanabubi konke konke. Ewe kunjalo, abahlaseli bokwenyani banomdla wokufumana ukufikelela kwilaptop okanye kwiseva, yithi, ngeqokobhe lomyalelo. Kwinqaku elilandelayo, ndiza kukubonisa indlela yokwenza oku usebenzisa i-PowerShell Empire.
Ndiyathemba ukuba kwinqaku lokuqala lentshayelelo asizange singene nzulu kakhulu kwisihloko. Ngoku ndiza kukuvumela ukuba uphefumle, kwaye kwixesha elizayo siza kuqala ukujonga imizekelo yokwenyani yohlaselo kusetyenziswa i-malware engenafayile ngaphandle kwamagama entshayelelo angeyomfuneko okanye ukulungiselela.
umthombo: www.habr.com