PCYO Night Owl Reviews, Six Degrees Computing World


Cleanup log: a cryptomining virus spreading over SMB using the EternalBlue mechanism from the NSA arsenal

Introduction

Part of the cyber-weapon arsenal of the NSA-affiliated "Equation Group" was made public (the leak was released by the Shadow Brokers), including exploit tools capable of remotely compromising roughly 70% of Windows machines worldwide.
Ten of these tools most readily affect Windows end users: EternalBlue, EternalChampion, EternalRomance, EternalSynergy, EmeraldThread, ErraticGopher, EskimoRoll, EducatedScholar, EclipsedWing and EsteemAudit. Attackers need no action from the victim: any machine that is connected to the network can be compromised, and just like the well-known Blaster and Sasser worms these tools could sweep across the Internet in an instant.


Main text

This article is a brief analysis of an EternalBlue infection encountered recently. The sample was a variant: its author embedded a cryptominer in the malware and used the exploit to spread it. Because many hosts were affected, the type of cryptocurrency being mined was not tracked further.

Symptoms:

The malware uses the idle CPU of personal computers and Windows servers for heavy mining computation, consuming spare CPU resources. Tracing showed that some processes had created 3822+ threads and held 300+ connections to external networks, which made other normal programs slow to open or freeze outright.

Details:

Abnormal start of an svchost.exe process.
Malware process invoked: TrustedHostServices.exe
Disguised process: spooler.exe (the same name as the system's built-in print spooler process)

Infected locations:

Creates SecureBootThemes in the system directory C:\Windows
Creates SecureBootThemes in the system core directory C:\Windows\System32
Drops the following files into the system core directory C:\Windows\System32:
MsraReportDataCache32.tlb, tpmagentservice.dll, TrustedHostServices.exe
Registers a system service: tpmagentservice
Propagation path: targeted scanning of 135, 445 and other ports commonly open on internal networks; automatically connects to the Internet to download the latest malware package and self-updates.
Remedy: kill the processes, delete the service, remove the directories, close the vulnerable ports, and install the Windows patches (via Kingsoft Guard, 360 Guard or another antivirus product).

A combined batch tool is provided below; corrections and additions are welcome.

@echo off
title 正在杀毒中. 批处理需要右键,管理员权限运行,否则出错 By NXQ
color 1f

REM ---- Part 1: stop the abused print spooler, remove the malicious service and files ----
echo 正在停止打印机服务
sc stop spooler
sc config spooler start= disabled
sc stop tpmagentservice
sc delete tpmagentservice

REM Kill the miner only if it is actually running. The original used ntsd,
REM which is not shipped with Windows Vista and later; taskkill is built in.
tasklist /nh | find /i "TrustedHostServices.exe" >nul 2>&1
if errorlevel 1 (echo no) else (taskkill /F /IM TrustedHostServices.exe)

taskkill /F /IM spoolsv.exe
del /F /Q "C:\Windows\System32\MsraReportDataCache32.tlb"
del /F /Q "C:\Windows\System32\tpmagentservice.dll"
del /F /Q "C:\Windows\System32\TrustedHostServices.exe"
REM WQL LIKE needs doubled backslashes; %% is a literal % inside a batch file
wmic process where "ExecutablePath like 'C:\\Windows\\SecureBootThemes\\Microsoft%%'" call Terminate
del /F /Q "C:\Windows\SecureBootThemes\Microsoft\spoolsv.exe"
REM del /S only empties a directory; rd /S /Q removes the directory itself
rd /S /Q "C:\Windows\SecureBootThemes"
rd /S /Q "C:\Windows\System32\SecureBootThemes"

REM ---- Part 2: block the vulnerable ports with Windows Firewall ----
title 您正在使用一键屏蔽危险端口和服务
echo 您正在使用一键屏蔽危险端口和服务
echo 正在帮您关闭这些危险端口,请稍等
echo 正在开启Windows防火墙服务
net start MpsSvc
echo 正在帮您开启Windows防火墙自启动
sc config MpsSvc start= auto
echo 正在启用防火墙
netsh advfirewall set allprofiles state on
echo 正在帮您屏蔽端口....
echo.

REM Delete any existing rule first so re-running the script does not create duplicates
for %%P in (135 137 138 139 445) do (
    echo 正在屏蔽%%P端口 请稍候...
    netsh advfirewall firewall delete rule name="Disable port %%P - TCP"
    netsh advfirewall firewall add rule name="Disable port %%P - TCP" dir=in action=block protocol=TCP localport=%%P
    netsh advfirewall firewall delete rule name="Disable port %%P - UDP"
    netsh advfirewall firewall add rule name="Disable port %%P - UDP" dir=in action=block protocol=UDP localport=%%P
    echo.
)
echo 危险端口已经用Windows防火墙屏蔽成功
echo.

REM ---- Part 3: disable the services that expose SMB, NetBIOS and DCOM ----
REM Caution: disabling LanmanWorkstation and LanmanServer stops file sharing
REM and domain logons on this host until they are re-enabled.
echo ----------------
echo 正在关闭Workstation(LanmanWorkstation)服务
sc stop LanmanWorkstation
sc config LanmanWorkstation start= disabled
echo ----------------
echo 正在关闭Server(LanmanServer)服务
sc stop LanmanServer
sc config LanmanServer start= disabled
echo ----------------
echo 正在关闭TCP/IP NetBIOS Helper(lmhosts)共享服务
sc stop lmhosts
sc config lmhosts start= disabled
echo ----------------
echo 正在关闭Distributed Transaction Coordinator(MSDTC)共享服务
sc stop MSDTC
sc config MSDTC start= disabled
echo ----------------
echo 正在关闭NetBT服务
sc stop NetBT
sc config NetBT start= disabled
echo ----------------
reg add "HKLM\System\CurrentControlSet\Services\NetBT\Parameters" /v "SMBDeviceEnabled" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Ole" /v "EnableDCOM" /t REG_SZ /d "N" /f
reg add "HKLM\SOFTWARE\Microsoft\Rpc" /v "DCOM Protocols" /t REG_MULTI_SZ /d "" /f
echo ----------------
echo 恭喜您,危险端口已经关闭,请重新启动电脑后用netstat -an查看本地端口
echo 按任意键退出
pause>nul
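As an added triage aid (not part of the original post or its batch tool), the following read-only PowerShell script checks a host for the indicators listed under Details and Infected locations, so it can be run before the cleanup and again afterwards to confirm nothing is left. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection; the thresholds of 1000 threads and 100 external connections are assumptions chosen below the 3822+ and 300+ values observed in the post.

```powershell
# Added example: read-only check for the indicators described in the post.
# Run as Administrator; it only reports, it does not delete or kill anything.
$ErrorActionPreference = 'SilentlyContinue'
$sys = $env:SystemRoot
$findings = @()

# File and directory indicators listed under "Infected locations"
$paths = @(
    "$sys\SecureBootThemes",
    "$sys\System32\SecureBootThemes",
    "$sys\System32\MsraReportDataCache32.tlb",
    "$sys\System32\tpmagentservice.dll",
    "$sys\System32\TrustedHostServices.exe"
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "Path present: $p" }
}

# Service registered by the malware
$svc = Get-Service -Name 'tpmagentservice'
if ($svc) { $findings += "Service present: tpmagentservice ($($svc.Status))" }

# The malware image, or a spooler that does not run from System32
# (the genuine Print Spooler is System32\spoolsv.exe)
foreach ($proc in Get-Process -Name 'TrustedHostServices', 'spooler', 'spoolsv') {
    $outside = $proc.Path -and ($proc.Path -notlike "$sys\System32\*")
    if ($proc.Name -ne 'spoolsv' -or $outside) {
        $findings += "Suspicious process: $($proc.Name) PID $($proc.Id) path $($proc.Path)"
    }
}

# Resource symptoms from the post (3822+ threads, 300+ external connections);
# the thresholds below are assumptions chosen to catch the miner earlier.
foreach ($proc in Get-Process) {
    if ($proc.Threads.Count -gt 1000) {
        $findings += "High thread count: $($proc.Name) PID $($proc.Id) threads $($proc.Threads.Count)"
    }
}
$private = '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1$|fe80:)'
$busy = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch $private } |
    Group-Object -Property OwningProcess |
    Where-Object { $_.Count -gt 100 }
foreach ($g in $busy) {
    $name = (Get-Process -Id ([int]$g.Name)).Name
    $findings += "Many external connections: $name PID $($g.Name) count $($g.Count)"
}

if ($findings.Count -eq 0) { 'No indicators from the post found.' } else { $findings }
```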

Patch list

Vulnerability       Fix
EternalBlue         Fixed by MS17-010
EmeraldThread       Fixed by MS10-061
EternalChampion     Fixed by CVE-2017-0146 and CVE-2017-0147
ErraticGopher       Fixed before Windows Vista was released
EskimoRoll          Fixed by MS14-068
EternalRomance      Fixed by MS17-010
EducatedScholar     Fixed by MS09-050
EternalSynergy      Fixed by MS17-010
EclipsedWing        Fixed by MS08-067
