Enabling the collection of suspicious process launch events in Windows and detecting threats with Quest InTrust

One of the most common types of attack is spawning a malicious process in the process tree underneath perfectly respectable processes. The path to the executable can itself be suspicious: malware usually runs from the AppData or Temp folder, which is uncommon for legitimate programs. To be fair, some automatic update utilities also run from AppData, so checking the launch location alone is not enough to conclude that a program is malicious.

An additional sign of legitimacy is a cryptographic signature: most genuine programs are signed by their vendor. The absence of a signature can therefore be used as one way of flagging suspicious startup items. But there is also malware that signs itself with a stolen certificate.

You can also check the MD5 or SHA256 cryptographic hash, which may match previously detected malware. You can perform static analysis by looking for known signatures in the program (using Yara rules or antivirus products). There is also dynamic analysis (running the program in an isolated environment and monitoring its actions) and reverse engineering.

There can be many signs of a malicious process. In this article we will show how to enable auditing of the relevant events in Windows and walk through the indicators that the built-in InTrust rule relies on to identify a suspicious process. InTrust is a CLM platform for collecting, analyzing and storing unstructured data, and it already ships with hundreds of predefined reactions to various types of attacks.

When a program is launched, it is loaded into the computer's memory. The executable file contains machine instructions and supporting libraries (for example, *.dll). Once a process is running, it can create additional threads. Threads allow a process to execute different sets of instructions at the same time. There are many ways for malicious code to get into memory and run; let's look at some of them.

The simplest way to launch a malicious process is to get the user to start it directly (for example, from an email attachment) and then use the RunOnce key to start it every time the computer boots. This also covers "fileless" malware that stores PowerShell scripts in registry keys which are executed on a trigger. In that case, the PowerShell script is the malicious code.

The problem with running malware explicitly is that it is a well-known approach that is easily detected. Some malware does cleverer things, such as using another process to get itself running in memory. A process can create another process by executing a specific command and specifying the executable file (.exe) to run.

The file can be specified by a full path (for example, C:\Windows\system32\cmd.exe) or by a partial path (for example, cmd.exe). If the original process is not careful, it will allow illegitimate programs to run. The attack can look like this: a process launches cmd.exe without specifying the full path, and the attacker places their own cmd.exe in a location where the process will find it before the legitimate one. Once the malware is running, it can in turn launch the legitimate program (such as C:\Windows\system32\cmd.exe) so that the original program continues to work normally.

A variation of the previous attack is DLL injection into a legitimate process. When a process starts, it finds and loads libraries that extend its functionality. With DLL injection, the attacker creates a library with the same name and the same API as the legitimate one. The program loads the malicious library, which in turn loads the legitimate one and, when needed, calls it to do the actual work. The malicious library thus acts as a proxy for the good library.

Another way to get malicious code into memory is to inject it into an insecure process that is already running. Processes receive input from various sources, such as the network or files. Usually they validate that input before acting on it. But some processes lack proper protection when executing instructions. In this attack there is no library or executable file on disk that contains the malicious code. Everything lives in memory, inside the exploited process.

Now let's look at how to enable collection of such events in Windows and at the InTrust rule that implements protection against these threats. First, let's enable the rule in the InTrust management console.

The rule relies on the process tracking capabilities of the Windows OS. Unfortunately, enabling the collection of these events is far from obvious. There are 3 different Group Policy settings that you need to change:

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit process tracking

Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking > Audit Process Creation

Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation > Include command line in process creation events
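
The same three settings applied directly on a single host and then verified, as an added example that is not part of the original article. It assumes an elevated PowerShell session on a standalone or test machine; on a domain member, the Group Policy paths above should be used instead, or the next policy refresh will overwrite these values.

```powershell
# Added example (not from the article): apply the three Group Policy settings
# above locally, then confirm that 4688 events carry a command line.
# Assumption: elevated session on a standalone/test host.

# (1)+(2) Process tracking. The advanced subcategory 'Process Creation' is what
# produces event ID 4688. Forcing subcategory settings to override the legacy
# category ("Audit: Force audit policy subcategory settings...") avoids the two
# audit policies conflicting with each other.
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# (3) Include the command line in process creation events. This is the value the
# Administrative Template writes; without it the rule has nothing to match on.
$audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $audit -Force | Out-Null
Set-ItemProperty -Path $audit -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# Verify the effective policy and the registry value.
auditpol /get /subcategory:"Process Creation"
Get-ItemProperty -Path $audit -Name 'ProcessCreationIncludeCmdLine_Enabled'

# Generate one harmless process start, then read the newest 4688 events.
# The CommandLine field stays empty for events logged before setting (3).
Start-Process -FilePath 'cmd.exe' -ArgumentList '/c', 'ver' -WindowStyle Hidden -Wait
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            NewProcess  = $data['NewProcessName']
            Parent      = $data['ParentProcessName']   # present on Windows 10 / Server 2016 and later
            CommandLine = $data['CommandLine']
        }
    }
```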

Once enabled, the InTrust rules let you detect previously unknown threats that exhibit suspicious behavior. As an example, consider the Dridex malware described here. Thanks to the HP Bromium project, we know how this threat operates.

In its chain of actions, Dridex uses schtasks.exe to create a scheduled task. Using this utility from the command line is considered highly suspicious behavior; launching svchost.exe with parameters pointing into user folders, or with parameters resembling the "net view" or "whoami" commands, looks just as suspicious. Here is a fragment of the corresponding SIGMA rule:

detection:
    selection1:
        CommandLine: '*svchost.exe C:\Users\*\Desktop\*'
    selection2:
        ParentImage: '*svchost.exe*'
        CommandLine:
            - '*whoami.exe /all'
            - '*net.exe view'
    condition: 1 of them
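
The fragment above evaluated over process creation records, as an added example (not from the article or the Sigma project). It assumes 4688-shaped input where the Sigma field ParentImage corresponds to ParentProcessName and CommandLine to the command line that setting (3) above makes available; the sample events are constructed.

```powershell
# Added example (not from the article or the Sigma project): the Dridex rule
# fragment as a filter over 4688-shaped records. Sigma semantics: within a
# selection, keys are ANDed and a list of values is ORed; 'condition: 1 of them'
# ORs the selections; '*' wildcards match case-insensitively, as -like does.
function Test-DridexRule {
    param([Parameter(Mandatory)] [hashtable] $Event)   # keys: ParentImage, CommandLine

    # selection1: svchost.exe launched with a path under a user's Desktop
    $selection1 = $Event.CommandLine -like '*svchost.exe C:\Users\*\Desktop\*'

    # selection2: recon commands whose parent is svchost.exe (both keys must hold)
    $selection2 = ($Event.ParentImage -like '*svchost.exe*') -and
                  (($Event.CommandLine -like '*whoami.exe /all') -or
                   ($Event.CommandLine -like '*net.exe view'))

    return ($selection1 -or $selection2)
}

# Constructed sample events (not real telemetry).
$events = @(
    @{ Id = 'a'; ParentImage = 'C:\Windows\explorer.exe'
       CommandLine = 'C:\Windows\System32\svchost.exe C:\Users\alice\Desktop\inv.exe' },
    @{ Id = 'b'; ParentImage = 'C:\Windows\System32\svchost.exe'
       CommandLine = 'C:\Windows\System32\whoami.exe /all' },
    @{ Id = 'c'; ParentImage = 'C:\Windows\System32\services.exe'
       CommandLine = 'C:\Windows\System32\svchost.exe -k netsvcs -p' },   # normal service host start
    @{ Id = 'd'; ParentImage = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'C:\Windows\System32\net.exe view' }                 # right command, wrong parent
)

foreach ($e in $events) {
    '{0}: {1}' -f $e.Id, (Test-DridexRule -Event $e)
}
```

Events a and b match (one per selection); c is the ordinary services.exe-spawned svchost and d lacks the svchost parent, so both are ignored, which is the point of the parent check.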

In InTrust, all of this suspicious behavior is combined into a single rule, because most of these actions are not specific to one threat; rather, they are suspicious taken together, and in 99% of cases they are used for entirely benign purposes. The list of actions includes, but is not limited to:

  • Processes running from unusual locations, such as user temp folders.
  • A well-known system process with a suspicious parent - some threats use the names of system processes to stay unnoticed.
  • Suspicious executions of administrative tools such as cmd or PSExec when they use local system credentials or have a suspicious parent.
  • Suspicious shadow copy operations, typical ransomware behavior before encrypting the system; they delete the backups:

    - via vssadmin.exe;
    - via WMI.

  • Dumping entire registry hives.
  • Lateral movement of malicious code, where a process is launched remotely using commands such as at.exe.
  • Suspicious local group and domain operations using net.exe.
  • Suspicious firewall activity using netsh.exe.
  • Suspicious ACL manipulation.
  • Use of BITS to exfiltrate data.
  • Suspicious manipulations via WMI.
  • Suspicious script commands.
  • Attempts to dump protected system files.

The combined rule works very well for detecting threats such as Ryuk, LockerGoga and other ransomware, malware and cybercrime toolkits. The vendor has tested the rule in production environments to minimize false positives. And thanks to the SIGMA project, most of these indicators produce very few noise events.

Because in InTrust this is a real-time monitoring rule, you can run a response script as a reaction to the threat. You can use one of the built-in scripts or create your own, and InTrust will distribute it automatically.

In addition, you can examine all the telemetry related to the event: PowerShell scripts, process execution, scheduled task manipulations, WMI administrative activity, and use it for post-mortem analysis during security incidents.

InTrust has hundreds of other rules, among them:

  • Detection of a PowerShell downgrade attack, where someone deliberately uses an older version of PowerShell because the older version offered no way to audit what was happening.
  • Privileged logon detection, where accounts that are members of a particular privileged group (such as Domain Admins) log on to workstations, whether by accident or as part of a security incident.

InTrust lets you apply security best practices in the form of predefined detection and response rules. And if you think something should work differently, you can make your own copy of a rule and configure it as needed. You can apply for a pilot or obtain distribution kits with temporary licenses via the feedback form on our website.

Subscribe to our Facebook page, where we publish short notes and interesting links.

Read our other articles on information security:

How InTrust can help reduce the rate of failed authorization attempts via RDP

We detect a ransomware attack, gain access to the domain controller and try to resist these attacks

What useful things can be extracted from the logs of a Windows-based workstation? (popular article)

Tracking the user life cycle without pliers or duct tape

Who did it? We automate information security audits

How to reduce the cost of ownership of a SIEM system and why you need Central Log Management (CLM)

Source: www.habr.com