Flamer- New Stuxnet-like malware

显示全部楼层 · 发表于 2012-6-3 14:24:42

http://kuai.xunlei.com/d/WGMAEJUUAWAK
这个比较全的病毒样本下载不下来

显示全部楼层 · 发表于 2012-6-3 14:29:08

尘梦幽然发表于 2012-6-3 14:24
也对，因为提的是HASH、
那么不能云端全自动同步响应吗？

这名词啥意思？

显示全部楼层 · 发表于 2012-6-3 14:29:53

ble 发表于 2012-6-3 14:24
http://kuai.xunlei.com/d/WGMAEJUUAWAK
这个比较全的病毒样本下载不下来

这个帖子所有样本爬楼全下载下来，比你发的还全。

显示全部楼层 · 发表于 2012-6-3 14:31:52

本帖最后由 hx1997 于 2012-6-3 15:18 编辑

Flame 的感染过程行为日志
EQ 4.2 + 陷井规则

2012-06-03 14:25:45 Create    Log Action:Accept
Process Path:C:\WINDOWS\system32\rundll32.exe
File Path:C:\WINDOWS\system32\mssecmgr.ocx
Rule:Program Rule->015_ÐÅÈÎ³ÌÐòx->%windir%\system32\rundll32.exe->%windir%\*

2012-06-03 14:25:46 Set Value    Log Action:Sandbox Action
Process Path:C:\WINDOWS\system32\rundll32.exe
Registry Path:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa
Registry Name:Authentication Packages
New Data:msv1_0
Rule:Last Rule->015_×¢Òâx->*\SYSTEM\*ControlSet*\Control\Lsa

2012-06-03 14:26:30 Delete Registry    Log Action:Accept
Process Path:C:\WINDOWS\system32\services.exe
Registry Path:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PerfProc\Performance
Registry Name:Error Count
Rule:Program Rule->030_ÐÅÈÎx->%windir%\system32\services.exe

2012-06-03 14:26:34 Write Memory    Log Action:Accept(Auto Create Rule )
Process Path:C:\WINDOWS\system32\services.exe
Target Process:C:\WINDOWS\explorer.exe

2012-06-03 14:26:35 Create Thread    Log Action:Accept(Auto Create Rule )
Process Path:C:\WINDOWS\system32\services.exe
Target Process:C:\WINDOWS\explorer.exe

2012-06-03 14:26:37 Write Memory    Log Action:Accept(Auto Create Rule )
Process Path:C:\WINDOWS\system32\services.exe
Target Process:C:\Program Files\Internet Explorer\IEXPLORE.EXE

2012-06-03 14:26:37 Create Thread    Log Action:Accept(Auto Create Rule )
Process Path:C:\WINDOWS\system32\services.exe
Target Process:C:\Program Files\Internet Explorer\IEXPLORE.EXE

2012-06-03 14:29:25 Write Memory    Log Action:Accept(Auto Create Rule )
Process Path:C:\WINDOWS\system32\services.exe
Target Process:C:\WINDOWS\system32\winlogon.exe

2012-06-03 14:29:26 Create Thread    Log Action:Accept(Auto Create Rule )
Process Path:C:\WINDOWS\system32\services.exe
Target Process:C:\WINDOWS\system32\winlogon.exe

2012-06-03 14:30:07 Create    Log Action:Accept
Process Path:C:\WINDOWS\system32\winlogon.exe
File Path:C:\WINDOWS\Temp\~HLV927.tmp
Rule:Program Rule->015_ÐÅÈÎ³ÌÐòx->%windir%\system32\winlogon.exe->%windir%\*

2012-06-03 14:30:07 Create    Log Action:Sandbox Action
Process Path:C:\WINDOWS\explorer.exe
File Path:C:\WINDOWS\Temp\~HLV473.tmp
Rule:Program Rule->081_ÓÅÏÈx->%windir%\Explorer.EXE->%windir%\*

2012-06-03 14:30:24 Write    Log Action:Sandbox Action
Process Path:C:\WINDOWS\explorer.exe
File Path:C:\WINDOWS\system32\boot32drv.sys
Rule:Program Rule->081_ÓÅÏÈx->%windir%\Explorer.EXE->%windir%\system32\*

2012-06-03 14:30:24 Create    Log Action:Sandbox Action
Process Path:C:\WINDOWS\explorer.exe
File Path:C:\WINDOWS\Temp\~HLV084.tmp
Rule:Program Rule->081_ÓÅÏÈx->%windir%\Explorer.EXE->%windir%\*

2012-06-03 14:30:35 Create    Log Action:Accept
Process Path:C:\WINDOWS\system32\winlogon.exe
File Path:C:\WINDOWS\Temp\~KWI988.tmp
Rule:Program Rule->015_ÐÅÈÎ³ÌÐòx->%windir%\system32\winlogon.exe->%windir%\*

2012-06-03 14:30:36 Write    Log Action:Accept
Process Path:C:\WINDOWS\system32\winlogon.exe
File Path:C:\WINDOWS\Temp\~KWI988.tmp
Rule:Program Rule->015_ÐÅÈÎ³ÌÐòx->%windir%\system32\winlogon.exe->%windir%\*

2012-06-03 14:30:39 Write    Log Action:Accept
Process Path:C:\WINDOWS\system32\winlogon.exe
File Path:C:\WINDOWS\Temp\~KWI988.tmp
Rule:Program Rule->015_ÐÅÈÎ³ÌÐòx->%windir%\system32\winlogon.exe->%windir%\*

2012-06-03 14:30:39 Write    Log Action:Accept
Process Path:C:\WINDOWS\system32\winlogon.exe
File Path:C:\WINDOWS\Temp\~KWI988.tmp
Rule:Program Rule->015_ÐÅÈÎ³ÌÐòx->%windir%\system32\winlogon.exe->%windir%\*

2012-06-03 14:30:53 Write    Log Action:Accept
Process Path:C:\WINDOWS\system32\winlogon.exe
File Path:C:\WINDOWS\Temp\~KWI988.tmp
Rule:Program Rule->015_ÐÅÈÎ³ÌÐòx->%windir%\system32\winlogon.exe->%windir%\*

2012-06-03 14:30:53 Write    Log Action:Accept
Process Path:C:\WINDOWS\system32\winlogon.exe
File Path:C:\WINDOWS\Temp\~KWI988.tmp
Rule:Program Rule->015_ÐÅÈÎ³ÌÐòx->%windir%\system32\winlogon.exe->%windir%\*

2012-06-03 14:30:54 Write    Log Action:Accept
Process Path:C:\WINDOWS\system32\winlogon.exe
File Path:C:\WINDOWS\Temp\~KWI988.tmp
Rule:Program Rule->015_ÐÅÈÎ³ÌÐòx->%windir%\system32\winlogon.exe->%windir%\*

2012-06-03 14:30:55 Write    Log Action:Accept
Process Path:C:\WINDOWS\system32\winlogon.exe
File Path:C:\WINDOWS\Temp\~KWI988.tmp
Rule:Program Rule->015_ÐÅÈÎ³ÌÐòx->%windir%\system32\winlogon.exe->%windir%\*

2012-06-03 14:30:55 Write    Log Action:Accept
Process Path:C:\WINDOWS\system32\winlogon.exe
File Path:C:\WINDOWS\Temp\~KWI988.tmp
Rule:Program Rule->015_ÐÅÈÎ³ÌÐòx->%windir%\system32\winlogon.exe->%windir%\*

显示全部楼层 · 发表于 2012-6-3 14:32:06

hx1997 发表于 2012-6-3 14:29
这名词啥意思？

不是说360和金山都声称可以把未知文件自动上传然后秒速同步本地查杀吗？

显示全部楼层 · 发表于 2012-6-3 14:34:00

尘梦幽然发表于 2012-6-3 10:03
应该说是触发SONAR和IPS会实时上传文件，而HASH实时上传你怎么看出来的？

sonar和ips触发后会有两条上传记录，一条几乎是实时的，另一条会显示已挂起，如果前面有没有完成提交的内容的话甚至会拖几天，一般都是上传文件的那条

显示全部楼层 · 发表于 2012-6-3 14:35:57

hx1997 发表于 2012-6-3 14:29
这个帖子所有样本爬楼全下载下来，比你发的还全。

怎么下载啊，刚来论坛，不是很懂，谢谢了

显示全部楼层 · 发表于 2012-6-3 14:36:03

wjcharles 发表于 2012-6-3 14:34
sonar和ips触发后会有两条上传记录，一条几乎是实时的，另一条会显示已挂起，如果前面有没有完成提交的内 ...

也就是说，HASH一旦提交失败，文件也就不会提交。
感觉平时扫描发现的文件上传都要挂起很久。

显示全部楼层 · 发表于 2012-6-3 14:36:56

尘梦幽然发表于 2012-6-3 14:32
不是说360和金山都声称可以把未知文件自动上传然后秒速同步本地查杀吗？

那也需要鉴定的，金山的需要 99 秒，360 的说是 1 秒，但有时也要人工鉴定。

而且这种入库顶多是个强特征，真正的人工分析才可以写出通用性较高的特征。

至于 QVM，真心不懂。

显示全部楼层 · 发表于 2012-6-3 14:40:37

ble 发表于 2012-6-3 14:35
怎么下载啊，刚来论坛，不是很懂，谢谢了

一楼一楼看，哪楼有附件都下载下来...

晚点我发个集合...

[病毒样本] Flamer- New Stuxnet-like malware

评分