K+ 成功防御tdss

显示全部楼层 · 发表于 2011-9-17 15:54:36

2011-9-17 15:53:02 底层磁盘写操作阻止
进程: c:\documents and settings\administrator\桌面\1\1.exe
目标: \Device\Harddisk0\DR0
规则: [应用程序]*.exe

2011-9-17 15:53:08 修改注册表值阻止
进程: c:\documents and settings\administrator\桌面\1\1.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
值: \??\C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\IDC.tmp !\??\C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll \??\C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e
规则: [应用程序]?:\*\* -> [注册表]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager; PendingFileRenameOperations

2011-9-17 15:53:11 删除注册表值阻止
进程: c:\documents and settings\administrator\桌面\1\1.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
规则: [注册表组]r080_服务 -> [注册表]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters

显示全部楼层 · 发表于 2011-9-17 15:56:11

hx1997 发表于 2011-9-17 15:49
IDP killed
但是重启后无法进入系统

在沙盘里运行。重启后能不能进入系统？

显示全部楼层 · 发表于 2011-9-17 15:57:02

saga3721 发表于 2011-9-17 15:46
楼主把打印机驱动服务开着运行TDSS了吗？

关闭后运行样本照样中毒啊！

显示全部楼层 · 发表于 2011-9-17 15:57:18

本帖最后由 hx1997 于 2011-9-17 15:57 编辑

jayavira 发表于 2011-9-17 15:56
在沙盘里运行。重启后能不能进入系统？

应该能等会我试下
因为沙盘里运行的确是有影响所以我在虚拟机里运行了。

IDP对TDSS从来不给力。

显示全部楼层 · 发表于 2011-9-17 15:58:52

hx1997 发表于 2011-9-17 15:57
应该能等会我试下
因为沙盘里运行的确是有影响所以我在虚拟机里运行了。

嗯
我没有安装虚拟机，所以麻烦你测试一下吧

显示全部楼层 · 发表于 2011-9-17 15:59:54

DW blocked
试一下SBIE

DefenseWall log file

09.17.2011  15:57:57，模块 C:\Documents and Settings\Administrator\Local Settings\Temp\39.tmp， Attempt to set value PendingFileRenameOperations within the key HKLM\SYSTEM\ControlSet001\Control\Session Manager\ (注册表)

09.17.2011  15:57:35，模块 C:\Documents and Settings\Administrator\桌面\1.exe， Attempt to add new printer provider (后台打印程序)

09.17.2011  15:57:35，模块 C:\Documents and Settings\Administrator\桌面\1.exe， Attempt to send forbidden IOCTL code 4D014 to \Device\Harddisk0\DR0 (文件 )

09.17.2011  15:57:35，模块 C:\Documents and Settings\Administrator\Local Settings\Temp\39.tmp， Attempt to set value PendingFileRenameOperations within the key HKLM\SYSTEM\ControlSet001\Control\Session Manager\ (注册表)

09.17.2011  15:57:35，模块 C:\Documents and Settings\Administrator\Local Settings\Temp\39.tmp， Attempt to set value Cache within the key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ (注册表)

09.17.2011  15:57:35，模块 C:\Documents and Settings\Administrator\Local Settings\Temp\39.tmp， Attempt to set value Directory within the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\ (注册表)

09.17.2011  15:57:35，模块 C:\Documents and Settings\Administrator\Local Settings\Temp\39.tmp， Attempt to set value Cookies within the key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ (注册表)

09.17.2011  15:57:35，模块 C:\Documents and Settings\Administrator\Local Settings\Temp\39.tmp， Attempt to set value History within the key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ (注册表)

09.17.2011  15:57:35，模块 C:\Documents and Settings\Administrator\Local Settings\Temp\39.tmp， 10:Attempt to open protected file C:\Documents and Settings\Administrator\Cookies\ (资源隔离)

09.17.2011  15:57:35，模块 C:\Documents and Settings\Administrator\Local Settings\Temp\39.tmp， 10:Attempt to open protected file C:\Documents and Settings\Administrator\Cookies\ (资源隔离)

09.17.2011  15:57:35，模块 C:\Documents and Settings\Administrator\Local Settings\Temp\39.tmp， 8:Attempt to open protected file C:\Documents and Settings\Administrator\Cookies\index.dat (资源隔离)

09.17.2011  15:57:36，模块 C:\Documents and Settings\Administrator\Local Settings\Temp\39.tmp， Attempt to set value Common AppData within the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ (注册表)

09.17.2011  15:57:36，模块 C:\Documents and Settings\Administrator\Local Settings\Temp\39.tmp， Attempt to set value AppData within the key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ (注册表)

09.17.2011  15:57:36，模块 C:\Documents and Settings\Administrator\Local Settings\Temp\39.tmp， Attempt to set value ProxyEnable within the key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ (注册表)

09.17.2011  15:57:36，模块 C:\Documents and Settings\Administrator\Local Settings\Temp\39.tmp， Attempt to set value SavedLegacySettings within the key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\ (注册表)

09.17.2011  15:57:35，模块 C:\Documents and Settings\Administrator\桌面\1.exe， 1:Process is running untrusted now (进程)

显示全部楼层 · 发表于 2011-9-17 16:02:29

本帖最后由 dl123100 于 2011-9-17 16:05 编辑

都已经成功注入spoolsv了这时如果处理得好点重启毒霸就杯具了
另外没必要测试微点这几年流行的一些相对特殊的攻击方式其中大概70%微点几乎完全对付不了

显示全部楼层 · 发表于 2011-9-17 16:05:09

jayavira 发表于 2011-9-17 15:58
嗯
我没有安装虚拟机，所以麻烦你测试一下吧

试过了默认设置运行，不降权都可以正常重启进系统的。

沙盘不允许加驱所以是不会悲剧的。

显示全部楼层 · 发表于 2011-9-17 16:06:29

hx1997 发表于 2011-9-17 16:05
试过了默认设置运行，不降权都可以正常重启进系统的。

沙盘不允许加驱所以是不会悲剧的。

ok。这样我就可以放心运行样本了

显示全部楼层 · 发表于 2011-9-17 16:10:45

毛豆KILL

[病毒样本] K+ 成功防御tdss

浏览过的版块