启动SVCHOST，利用svchost写入启动文件夹……过SSF（卤煮基于某些人的测试亲自开撸）

显示全部楼层 · 发表于 2015-12-22 23:06:16

顶起，明天看看HMPA344能不能拦截到加密

显示全部楼层 · 发表于 2015-12-23 14:39:43

真够吓人的.. 一打开就看他一直在读写文件.....

显示全部楼层 · 发表于 2015-12-28 03:19:10

抱歉挖一下这个老帖

刚才在32位虚拟机上测了一下SSF，发现结果略有不同

在样本利用svchost开始写启动项、加密之间，还存在着下面的动作：

2015/12/28 2:58:07,C:\Users\ABCDEFG\Downloads\virus\6dbb913a9c28a63bb81a86bc483341246536f97aa71cd7620f28261a06ff2d7b\6dbb913a9c28a63bb81a86bc483341246536f97aa71cd7620f28261a06ff2d7b.exe,53,Allowed ;Execution of an application ("C:\Windows\system32\svchost.exe")
2015/12/28 2:58:20,C:\Users\ABCDEFG\Downloads\virus\6dbb913a9c28a63bb81a86bc483341246536f97aa71cd7620f28261a06ff2d7b\6dbb913a9c28a63bb81a86bc483341246536f97aa71cd7620f28261a06ff2d7b.exe,29,Allowed ;Modifying process memory (svchost.exe(pid=3392))
2015/12/28 2:58:26,C:\Users\ABCDEFG\Downloads\virus\6dbb913a9c28a63bb81a86bc483341246536f97aa71cd7620f28261a06ff2d7b\6dbb913a9c28a63bb81a86bc483341246536f97aa71cd7620f28261a06ff2d7b.exe,29,Allowed ;Modifying process memory (svchost.exe(pid=3392))
2015/12/28 2:58:29,C:\Users\ABCDEFG\Downloads\virus\6dbb913a9c28a63bb81a86bc483341246536f97aa71cd7620f28261a06ff2d7b\6dbb913a9c28a63bb81a86bc483341246536f97aa71cd7620f28261a06ff2d7b.exe,29,Allowed ;Modifying process memory (svchost.exe(pid=3392))
2015/12/28 2:58:34,C:\Users\ABCDEFG\Downloads\virus\6dbb913a9c28a63bb81a86bc483341246536f97aa71cd7620f28261a06ff2d7b\6dbb913a9c28a63bb81a86bc483341246536f97aa71cd7620f28261a06ff2d7b.exe,29,Allowed ;Modifying process memory (svchost.exe(pid=3392))
2015/12/28 2:58:39,C:\Users\ABCDEFG\Downloads\virus\6dbb913a9c28a63bb81a86bc483341246536f97aa71cd7620f28261a06ff2d7b\6dbb913a9c28a63bb81a86bc483341246536f97aa71cd7620f28261a06ff2d7b.exe,29,Allowed ;Modifying process memory (svchost.exe(pid=3392))
2015/12/28 2:58:43,C:\Users\ABCDEFG\Downloads\virus\6dbb913a9c28a63bb81a86bc483341246536f97aa71cd7620f28261a06ff2d7b\6dbb913a9c28a63bb81a86bc483341246536f97aa71cd7620f28261a06ff2d7b.exe,29,Allowed ;Modifying process memory (svchost.exe(pid=3392))
2015/12/28 2:58:50,C:\Users\ABCDEFG\Downloads\virus\6dbb913a9c28a63bb81a86bc483341246536f97aa71cd7620f28261a06ff2d7b\6dbb913a9c28a63bb81a86bc483341246536f97aa71cd7620f28261a06ff2d7b.exe,29,Allowed ;Modifying process memory (svchost.exe(pid=3392))
2015/12/28 2:58:52,C:\Users\ABCDEFG\Downloads\virus\6dbb913a9c28a63bb81a86bc483341246536f97aa71cd7620f28261a06ff2d7b\6dbb913a9c28a63bb81a86bc483341246536f97aa71cd7620f28261a06ff2d7b.exe,29,Allowed ;Modifying process memory (svchost.exe(pid=3392))
2015/12/28 2:58:55,C:\Users\ABCDEFG\Downloads\virus\6dbb913a9c28a63bb81a86bc483341246536f97aa71cd7620f28261a06ff2d7b\6dbb913a9c28a63bb81a86bc483341246536f97aa71cd7620f28261a06ff2d7b.exe,29,Allowed ;Modifying process memory (svchost.exe(pid=3392))
2015/12/28 2:59:00,C:\Users\ABCDEFG\Downloads\virus\6dbb913a9c28a63bb81a86bc483341246536f97aa71cd7620f28261a06ff2d7b\6dbb913a9c28a63bb81a86bc483341246536f97aa71cd7620f28261a06ff2d7b.exe,29,Allowed ;Modifying process memory (svchost.exe(pid=3392))
2015/12/28 2:59:03,C:\Users\ABCDEFG\Downloads\virus\6dbb913a9c28a63bb81a86bc483341246536f97aa71cd7620f28261a06ff2d7b\6dbb913a9c28a63bb81a86bc483341246536f97aa71cd7620f28261a06ff2d7b.exe,29,Allowed ;Modifying process memory (svchost.exe(pid=3392))
2015/12/28 2:59:06,C:\Users\ABCDEFG\Downloads\virus\6dbb913a9c28a63bb81a86bc483341246536f97aa71cd7620f28261a06ff2d7b\6dbb913a9c28a63bb81a86bc483341246536f97aa71cd7620f28261a06ff2d7b.exe,29,Allowed ;Modifying process memory (svchost.exe(pid=3392))
2015/12/28 2:59:08,C:\Users\ABCDEFG\Downloads\virus\6dbb913a9c28a63bb81a86bc483341246536f97aa71cd7620f28261a06ff2d7b\6dbb913a9c28a63bb81a86bc483341246536f97aa71cd7620f28261a06ff2d7b.exe,29,Allowed ;Modifying process memory (svchost.exe(pid=3392))
2015/12/28 2:59:10,C:\Users\ABCDEFG\Downloads\virus\6dbb913a9c28a63bb81a86bc483341246536f97aa71cd7620f28261a06ff2d7b\6dbb913a9c28a63bb81a86bc483341246536f97aa71cd7620f28261a06ff2d7b.exe,29,Allowed ;Modifying process memory (svchost.exe(pid=3392))
2015/12/28 2:59:12,C:\Users\ABCDEFG\Downloads\virus\6dbb913a9c28a63bb81a86bc483341246536f97aa71cd7620f28261a06ff2d7b\6dbb913a9c28a63bb81a86bc483341246536f97aa71cd7620f28261a06ff2d7b.exe,29,Allowed ;Modifying process memory (svchost.exe(pid=3392))
2015/12/28 2:59:14,C:\Users\ABCDEFG\Downloads\virus\6dbb913a9c28a63bb81a86bc483341246536f97aa71cd7620f28261a06ff2d7b\6dbb913a9c28a63bb81a86bc483341246536f97aa71cd7620f28261a06ff2d7b.exe,29,Allowed ;Modifying process memory (svchost.exe(pid=3392))
2015/12/28 2:59:29,C:\Users\ABCDEFG\Downloads\virus\6dbb913a9c28a63bb81a86bc483341246536f97aa71cd7620f28261a06ff2d7b\6dbb913a9c28a63bb81a86bc483341246536f97aa71cd7620f28261a06ff2d7b.exe,36,Allowed ;Injecting dll (svchost.exe(pid=3392))

请注意，紫色的条目，SSF会直接提醒你这是典型的远程注入行为

而最后的红色条目，就是明明白白的注入DLL

我发现，只要在红色的这一步Deny（Deny即可，不需要Terminate），就不会有之后的写启动项和加密的动作

显示全部楼层 · 发表于 2015-12-28 09:46:24

综合症初期患者发表于 2015-12-28 03:19
抱歉挖一下这个老帖

刚才在32位虚拟机上测了一下SSF，发现结果略有不同

换到64位看看还是一样的吗？

显示全部楼层 · 发表于 2015-12-28 11:55:39

墨家小子发表于 2015-12-28 09:46
换到64位看看还是一样的吗？

64位下你不是已经测了吗？

显示全部楼层 · 发表于 2015-12-28 12:33:05

综合症初期患者发表于 2015-12-28 11:55
64位下你不是已经测了吗？

对啊 64位下是拦截不到你说的那些，这就是说64位下SSF防御强度不如X32的

显示全部楼层 · 发表于 2015-12-28 13:41:06

墨家小子发表于 2015-12-28 12:33
对啊 64位下是拦截不到你说的那些，这就是说64位下SSF防御强度不如X32的

是啊，我记得去年曾经在wilderssecurity上看到有人用很激烈的发言抱怨SSF在64位下的防护...

显示全部楼层 · 发表于 2015-12-28 13:47:14

综合症初期患者发表于 2015-12-28 13:41
是啊，我记得去年曾经在wilderssecurity上看到有人用很激烈的发言抱怨SSF在64位下的防护...

对了，你会在实机下重复试用NS不？

显示全部楼层 · 发表于 2015-12-28 14:22:42

显示全部楼层 · 发表于 2015-12-28 16:09:16

墨家小子发表于 2015-12-28 13:47
对了，你会在实机下重复试用NS不？

我记得Symantec版区有人发过工具...不过我没收藏...

[可疑文件] 启动SVCHOST，利用svchost写入启动文件夹……过SSF（卤煮基于某些人的测试亲自开撸）

本帖子中包含更多资源