【结束】卡巴区病毒要越狱？呼叫安全部队迎客厅专贴

显示全部楼层 · 发表于 2011-8-2 09:25:41

虽然用ais，但卡巴给我印象一直很好，支持一个

显示全部楼层 · 发表于 2011-8-2 09:57:40

显示全部楼层 · 发表于 2011-8-2 09:59:19

本帖最后由 oinio 于 2011-8-2 10:03 编辑

trainees@163.com

显示全部楼层 · 发表于 2011-8-2 10:19:12

本帖最后由 testnull 于 2011-8-3 14:44 编辑

样本名称：microantivirus.exe

MD5值：5CAA655182E2D5A53DA23E846459E4A6

操作系统：windows xp sp3 专业版

卡巴斯基版本：kis 2012 12.0.0.374

威胁名称：data0000.cab 检测到威胁: not-a-virus:FraudTool.Win32.MacroVirus.b

2011-8-3 13:32:10 根据哈希值智能查杀

病毒行为：打开后需安装。然后创建文件进程路径: D:\test\test one\microantivirus\microantivirus.exe

然后创建到临时文件文件: C:\Documents and Settings\000\Local Settings\Temp\IXP000.TMP\TMP4351$.TMP

创建了N个。然后注入到explorer。

创建开机启动到当前账户。开机名称：MacroVirus.exe。

创建内核驱动，地址：\??\C:\DOCUME~1\000\LOCALS~1\Temp\ftd30439.tmp

感受展望：总体来说，卡巴安装部队套装来说，还是相当强悍的。

加入了智能hips模块后更清晰的认识到软件的行为，

这样让用户用起来更方便。

希望以后能减少点系统的占用内存。再就是希望能加入pe里能用卡巴，这样在PE里修复系统的时候也方便。

谢谢。

语毕、

显示全部楼层 · 发表于 2011-8-2 10:28:50

本帖最后由 yange19880205 于 2011-8-2 10:29 编辑

yangebency@vip.qq.com

显示全部楼层 · 发表于 2011-8-2 13:12:33

615915866@qq.com

显示全部楼层 · 发表于 2011-8-2 13:33:29

louislife@live.cn

显示全部楼层 · 发表于 2011-8-2 13:44:36

本帖最后由 i_look 于 2011-8-2 13:56 编辑

1.基础任务：

样本名称： TubeDownloader.exe

MD5值：（EXE文件）470964797249F89ECCAF6248419C03AE
操作系统： Windows Xp-sp3 32位
卡巴斯基版本：卡巴斯基安全部队2012 均为安装完毕后的默认设置所有防护开启病毒库测试时更新

解压后卡巴斯基无响应，已提交，截图

2.拓展任务

（测试环境与程序均同上）：
运行解压后的exe时，窗口失去响应约30秒（计算机AMD 3GHZ 2GB），之后出现安装界面，并点击INSTALL

卡巴斯基均未报警，
安装完成后桌面出现一快捷方式，为该程序生成，双击后显示

从应用程序控制中查看到该程序权限
无标题.jpg

之后从卡巴斯基的日志中得到以下信息
未标题-1.jpg

可见，样本程序生成的文件均被信任为受信任组，
打开IE，添加了工具栏

3.样本行为分析

用COMODO D+进行分析，开启疯狂模式，如图：

试图联网下载

下载的IE工具栏程序

又一更可疑程序，以下均为其活动（仅选取部分）

具体：

011-08-02 11:35:00       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe       修改注册表项       HKUS\S-1-5-21-1275210071-1563985344-1060284298-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
2011-08-02 11:35:42       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe       修改注册表项       HKUS\S-1-5-21-1275210071-1563985344-1060284298-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
2011-08-02 11:35:59       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe       修改注册表项       HKUS\S-1-5-21-1275210071-1563985344-1060284298-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
2011-08-02 11:36:15       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe       修改注册表项       HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable
2011-08-02 11:36:28       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe       DNS/RPC 客户端访问       \RPC Control\DNSResolver
2011-08-02 11:36:40       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe       DNS/RPC 客户端访问       \RPC Control\DNSResolver
2011-08-02 11:37:00       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe       DNS/RPC 客户端访问       \RPC Control\DNSResolver
2011-08-02 11:37:04       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe       修改文件       \Device\Afd\Endpoint
2011-08-02 11:37:45       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe       修改文件       \Device\Afd\Endpoint
2011-08-02 11:37:51       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe       修改文件       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\new\visicom_antiphishing.dll
2011-08-02 11:38:17       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe       修改文件       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\new\visicom_antiphishing.dll
2011-08-02 11:38:30       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe       修改文件       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\new\visicom_antiphishing.exe
2011-08-02 11:38:44       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe       修改文件       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\new\visicom_antiphishing.exe
2011-08-02 11:38:46       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe       修改文件       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.dll
2011-08-02 11:38:48       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe       修改文件       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.dll
2011-08-02 11:38:49       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe       修改文件       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.dll
2011-08-02 11:38:50       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe       修改文件       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\new\visicom_antiphishing.dll
2011-08-02 11:38:50       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe       修改文件       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\new\visicom_antiphishing.dll
2011-08-02 11:38:52       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe       修改文件       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe
2011-08-02 11:39:11       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe       修改文件       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe
2011-08-02 11:39:15       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe       修改文件       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe_old
2011-08-02 11:39:39       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe       修改文件       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe
2011-08-02 11:39:46       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe       修改文件       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe
2011-08-02 11:40:08       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe       修改文件       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe
2011-08-02 11:40:10       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe       修改文件       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\new\visicom_antiphishing.exe
2011-08-02 11:40:13       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe       修改文件       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\new\visicom_antiphishing.exe
2011-08-02 11:40:14       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe       创建进程       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe
2011-08-02 11:40:27       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe       创建进程       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe
2011-08-02 11:40:30       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe       安装钩子       C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.dll

4.卡巴斯基防护体验

虽然此次卡巴并没有对此程序作出拦截，但是其中感受不少，
  1.卡巴之所以没有拦截很大原因来自对文件的信任
  2.卡巴的防护非常全面，界面友好，人性化，在其他测试中，关闭了文件防护后运行病毒也未成功，得益于应用程序控制
  3.当然还有不足之处，比如应用程序控制保护措施对于运行样本时的窗口失去响应有较大影响，关闭防护后打开速度加快；打开exe文件时的响应速度变慢
总结：未来的杀软应当是更加智能，增加对云的利用，在防御方面做到全面以应对来自网络，未知文件，可移动存储等方面的威胁，
除此之外，加强杀软对用户隐私数据的保护，文件的恢复，计算机性能方面的维护同样必要（例如NORTON360,AVIRA的注册表清理软件，AVG的PC TUNEUP,COMODO的系统清理工具及时光机）
所以安全厂商应当为用户、企业提供一套全面的计算机安全解决方案。当然，卡巴斯基在这些方面一直走在了众多安全厂商之前。

显示全部楼层 · 发表于 2011-8-2 14:06:14

sporttery310@sina.com

显示全部楼层 · 发表于 2011-8-2 14:08:06

luolanxuanzhu@163.com

[其他] 【结束】卡巴区病毒要越狱？呼叫安全部队迎客厅专贴

评分