Linux中國

新的「永恆之石」病毒利用了七個 NSA 黑客工具,「想哭」病毒才兩個

633 views78
By
Share

研究人員們發現有一個新的蠕蟲病毒正在通過 SMB 文件共享漏洞傳播,但是不同於 「想哭」 WannaCry 勒索病毒的構成,這個病毒利用了 7 個 NSA 黑客工具,而不是 「想哭」 WannaCry 勒索病毒的兩個。

這個蠕蟲病毒的存在首次發現是在周三,它感染了 Miroslav Stampar 的 SMB 文件共享的蜜罐,Miroslav Stampar 是克羅埃西亞政府計算機應急響應小組成員,也是用來探測和利用 SQL 注入漏洞的 SQLMAP 工具的製造者。

永恆之石利用了七個 NSA 的工具

Stampar 命名這個在樣本中被發現的病毒為 「永恆之石」 EternalRocks ,其基於蠕蟲病毒可執行的特性,它通過 6 個以 SMB 文件共享漏洞為中心的 NSA 工具來感染暴露在外網的一台開啟 SMB 埠的計算機。這些被叫做 永恆之藍永恆戰士永恆浪漫永恆協同的 SMB 漏洞被利用危害易受攻擊的計算機,而 SMBTOUCHARCHITOUCH 這兩個 NSA 工具起到了檢測 SMB 文件共享漏洞的作用。

一旦這個蠕蟲病毒獲得了最初的立足點,那麼它會用另一個叫做 DOUBLEPULSAR 的 NSA 工具擴散到新的易受攻擊的機器上。

永恆之石名字的起源

「永恆之石」名字的起源

「想哭」勒索病毒爆發,用了一個 SMB 蠕蟲病毒感染計算機並擴散給新的受害人,這影響了超過 24 萬受害者。

不同於「永恆之石」,「想哭」的 SMB 蠕蟲病毒只利用了永恆之藍這一個漏洞做初步感染,然後通過 DOUBLEPULSAR 來擴散到其他的計算機上。

「永恆之石」更加複雜,但危險性較低

作為蠕蟲病毒,「永恆之石」沒有「想哭」那麼危險,這是由於它當前不傳遞任何惡意的內容,然而,這並不意味著「永恆之石」不複雜,據 Stampar 說,實際恰恰相反。

首先,「永恆之石」要比「想哭」的 SMB 蠕蟲病毒更加隱蔽,一旦病毒感染了一台計算機,它會發起有兩個階段的安裝過程,其中另一個是延遲執行的。

在病毒的第一個安裝過程階段,永恆之石獲取一個感染計算機主機的立足點,下載 tor 客戶端,然後連接到它的命令控制伺服器,其定位在暗網的一個 .onion 的域名上。

在一個預定的時間內,一般是 24 個小時,命令控制器會響應,這個長延遲執行進程的做法最有可能繞過沙盒安全測試環境和安全研究人員們對病毒的分析,因為沒多少人願意一整天來等命令控制器響應。

沒有停止開關的域名

此外,「永恆之石」病毒也會用和一個與「想哭」 SMB 的蠕蟲病毒文件相同名字的一個文件,以此愚弄安全研究人員來誤判它。

但是不同於「想哭」病毒,永恆之石不包括停止開關的域名,但這是安全研究人員唯一用來停止「想哭」病毒爆發的方法。

在病毒隱匿期滿且命令控制器有了響應,永恆之石開始進入安裝過程的第二階段,它會下載一個名為 shadowbrokers.zip 的歸檔形式的第二階段惡意組件。

這個文件能夠自解壓,它包含著 shadow Brokers 黑客組織在 2017 年 4 月泄漏的七個 NSA 的 SMB 漏洞工具。 這個蠕蟲病毒會開始一個快速的 ip 掃描過程並且嘗試連接隨機的 ip 地址。

shadowbrokers.zip的內容

在 shadowbrokers.zip 壓縮包里發現了 NSA 工具的配置文件。

「永恆之石」可以馬上成為武器

由於該病毒集成的漏洞較多且廣泛,缺少停止開關的域名,而且有它的隱匿期,如果病毒的作者決定用它來作為勒索、銀行木馬、遠程控制或者其他功能的武器,「永恆之石」可能會對 SMB 埠暴露在互聯網的易受攻擊的計算機造成嚴重的威脅。

就目前來看,蠕蟲病毒看起來像是一個試驗,或者是惡意軟體作者在進行測試或者為未來的威脅而做的微調。

然而,這並不意味著「永恆之石」是無害的,感染了這個病毒的計算機是通過命令控制伺服器來控制,並且蠕蟲病毒的製造者能夠利用這個隱藏通訊連接,發送新的惡意軟體到這台感染了病毒的電腦上。

此外,DOUBLEPULSAR,這是一個帶有後門的植入仍然運行在感染了永恆之石的 PC 上,不幸的是,該病毒的作者沒有採取任何措施來保護這個 DOUBLEPULSAR 的植入,這意味這預設其運行在未被保護的狀態下,其他的惡意的用戶能使用它作為把感染了永恆之石的計算機的後門,發送他們自己的惡意軟體到這些感染病毒的 PC 上。

關於這個病毒的感染過程的 IOC 和更多信息能夠在 Stampar 在幾天前設置的 [GitHub] 倉庫上獲得。

SMB 漏洞的混戰

當前,有許多人在掃描舊的和未打補丁的 SMB 服務,系統管理員已經注意到並且開始給易受攻擊的計算機打補丁,關閉舊版的 SMBv1 協議,慢慢的來減少被永恆之石感染的計算機數量。

此外,像 Adylkuzz 這類惡意軟體,也會關閉 SMB 埠,來阻止來自其它威脅軟體的進一步利用,這同時也導致了「永恆之石」和其它利用 SMB 漏洞的惡意軟體潛在目標數量的減少,來自 ForcepointCyphortSecdo 的報告詳細介紹了當前針對 SMB 埠的計算機的威脅情況。

雖然如此,系統管理員補丁打的越快,系統越安全,「蠕蟲病毒感染速度正在和系統管理員給機器打補丁速度比賽」,Stampar 在一次私人談話中告訴 BleepingComputer 記者,「一旦計算機被感染,它能在任何時間將其作為武器,不論你打多時間多近的補丁。」

(題圖:Miroslav Stampar, BleepingComputer & Ana María Lora Macias

作者簡介:

Catalin 涉及了各方面,像數據泄漏、軟體漏洞、漏洞利用、黑客新聞、暗網、編程話題、社交媒體、Web技術、產品研發等領域。

via: https://www.bleepingcomputer.com/news/security/new-smb-worm-uses-seven-nsa-hacking-tools-wannacry-used-just-two/

作者:CATALIN CIMPANU 譯者:hwlog 校對:wxy

本文由 LCTT 原創編譯,Linux中國 榮譽推出

本文轉載來自 Linux 中國: https://github.com/Linux-CN/archive

對這篇文章感覺如何?

太棒了
0
不錯
0
愛死了
0
不太好
0
感覺很糟
0
雨落清風。心向陽
    Previous
    Next

    You may also like

    78 Comments

    1. Good post! We will be linking to this particularly great post on our site. Keep up the great writing

      回復

    2. naturally like your web site however you need to take a look at the spelling on several of your posts. A number of them are rife with spelling problems and I find it very bothersome to tell the truth on the other hand I will surely come again again.

      回復

    3. Awesome! Its genuinely remarkable post, I have got much clear idea regarding from this post

      回復

    4. very informative articles or reviews at this time.

      回復

    5. Very well presented. Every quote was awesome and thanks for sharing the content. Keep sharing and keep motivating others.

      回復

    6. very informative articles or reviews at this time.

      回復

    7. Awesome! Its genuinely remarkable post, I have got much clear idea regarding from this post

      回復

    8. I』m often to blogging and i really appreciate your content. The article has actually peaks my interest. I』m going to bookmark your web site and maintain checking for brand spanking new information.

      回復

    9. I like the efforts you have put in this, regards for all the great content.

      回復

    10. I just like the helpful information you provide in your articles

      回復

    11. Great information shared.. really enjoyed reading this post thank you author for sharing this post .. appreciated

      回復

    12. Great information shared.. really enjoyed reading this post thank you author for sharing this post .. appreciated

      回復

    13. I like the efforts you have put in this, regards for all the great content.

      回復

    14. Pretty! This has been a really wonderful post. Many thanks for providing these details.

      回復

    15. For the reason that the admin of this site is working, no uncertainty very quickly it will be renowned, due to its quality contents.

      回復

    16. naturally like your web site however you need to take a look at the spelling on several of your posts. A number of them are rife with spelling problems and I find it very bothersome to tell the truth on the other hand I will surely come again again.

      回復

    17. There is definately a lot to find out about this subject. I like all the points you made

      回復

    18. naturally like your web site however you need to take a look at the spelling on several of your posts. A number of them are rife with spelling problems and I find it very bothersome to tell the truth on the other hand I will surely come again again.

      回復

    19. I just like the helpful information you provide in your articles

      回復

    20. Nice post. I learn something totally new and challenging on websites

      回復

    21. There is definately a lot to find out about this subject. I like all the points you made

      回復

    22. This is my first time pay a quick visit at here and i am really happy to read everthing at one place

      回復

    23. This is my first time pay a quick visit at here and i am really happy to read everthing at one place

      回復

    24. very informative articles or reviews at this time.

      回復

    25. I appreciate you sharing this blog post. Thanks Again. Cool.

      回復

    26. There is definately a lot to find out about this subject. I like all the points you made

      回復

    27. This is my first time pay a quick visit at here and i am really happy to read everthing at one place

      回復

    28. I very delighted to find this internet site on bing, just what I was searching for as well saved to fav

      回復

    29. I very delighted to find this internet site on bing, just what I was searching for as well saved to fav

      回復

    30. I do not even understand how I ended up here, but I assumed this publish used to be great

      回復

    31. I like the efforts you have put in this, regards for all the great content.

      回復

    32. I like the efforts you have put in this, regards for all the great content.

      回復

    33. There is definately a lot to find out about this subject. I like all the points you made

      回復

    34. I really like reading through a post that can make men and women think. Also, thank you for allowing me to comment!

      回復

    35. I very delighted to find this internet site on bing, just what I was searching for as well saved to fav

      回復

    36. Pretty! This has been a really wonderful post. Many thanks for providing these details.

      回復

    37. naturally like your web site however you need to take a look at the spelling on several of your posts. A number of them are rife with spelling problems and I find it very bothersome to tell the truth on the other hand I will surely come again again.

      回復

    38. I very delighted to find this internet site on bing, just what I was searching for as well saved to fav

      回復

    39. Very well presented. Every quote was awesome and thanks for sharing the content. Keep sharing and keep motivating others.

      回復

    40. This was beautiful Admin. Thank you for your reflections.

      回復

    41. naturally like your web site however you need to take a look at the spelling on several of your posts. A number of them are rife with spelling problems and I find it very bothersome to tell the truth on the other hand I will surely come again again.

      回復

    42. I very delighted to find this internet site on bing, just what I was searching for as well saved to fav

      回復

    43. very informative articles or reviews at this time.

      回復

    44. I appreciate you sharing this blog post. Thanks Again. Cool.

      回復

    45. There is definately a lot to find out about this subject. I like all the points you made

      回復

    46. I really like reading through a post that can make men and women think. Also, thank you for allowing me to comment!

      回復

    47. You』re so awesome! I don』t believe I have read a single thing like that before. So great to find someone with some original thoughts on this topic. Really.. thank you for starting this up. This website is something that is needed on the internet, someone with a little originality!

      回復

    48. I do not even understand how I ended up here, but I assumed this publish used to be great

      回復

    49. I like the efforts you have put in this, regards for all the great content.

      回復

    50. I just like the helpful information you provide in your articles

      回復

    51. Great information shared.. really enjoyed reading this post thank you author for sharing this post .. appreciated

      回復

    52. naturally like your web site however you need to take a look at the spelling on several of your posts. A number of them are rife with spelling problems and I find it very bothersome to tell the truth on the other hand I will surely come again again.

      回復

    53. Very well presented. Every quote was awesome and thanks for sharing the content. Keep sharing and keep motivating others.

      回復

    54. This is really interesting, You』re a very skilled blogger. I』ve joined your feed and look forward to seeking more of your magnificent post. Also, I』ve shared your site in my social networks!

      回復

    55. This is my first time pay a quick visit at here and i am really happy to read everthing at one place

      回復

    56. I like the efforts you have put in this, regards for all the great content.

      回復

    57. This is really interesting, You』re a very skilled blogger. I』ve joined your feed and look forward to seeking more of your magnificent post. Also, I』ve shared your site in my social networks!

      回復

    58. I am truly thankful to the owner of this web site who has shared this fantastic piece of writing at at this place.

      回復

    59. I like the efforts you have put in this, regards for all the great content.

      回復

    60. This is my first time pay a quick visit at here and i am really happy to read everthing at one place

      回復

    61. very informative articles or reviews at this time.

      回復

    62. This is my first time pay a quick visit at here and i am really happy to read everthing at one place

      回復

    63. I appreciate you sharing this blog post. Thanks Again. Cool.

      回復

    64. You』re so awesome! I don』t believe I have read a single thing like that before. So great to find someone with some original thoughts on this topic. Really.. thank you for starting this up. This website is something that is needed on the internet, someone with a little originality!

      回復

    65. Good post! We will be linking to this particularly great post on our site. Keep up the great writing

      回復

    66. very informative articles or reviews at this time.

      回復

    67. I appreciate you sharing this blog post. Thanks Again. Cool.

      回復

    68. very informative articles or reviews at this time.

      回復

    69. Hi there to all, for the reason that I am genuinely keen of reading this website』s post to be updated on a regular basis. It carries pleasant stuff.

      回復

    70. I really like reading through a post that can make men and women think. Also, thank you for allowing me to comment!

      回復

    71. Pretty! This has been a really wonderful post. Many thanks for providing these details.

      回復

    72. very informative articles or reviews at this time.

      回復

    73. Very well presented. Every quote was awesome and thanks for sharing the content. Keep sharing and keep motivating others.

      回復

    74. I do not even understand how I ended up here, but I assumed this publish used to be great

      回復

    75. I very delighted to find this internet site on bing, just what I was searching for as well saved to fav

      回復

    76. The best part? It just works.

      回復

    77. I』m often to blogging and i really appreciate your content. The article has actually peaks my interest. I』m going to bookmark your web site and maintain checking for brand spanking new information.

      回復

    78. Hi there to all, for the reason that I am genuinely keen of reading this website』s post to be updated on a regular basis. It carries pleasant stuff.

      回復

    Leave a reply

    您的郵箱地址不會被公開。 必填項已用 * 標註

    這個站點使用 Akismet 來減少垃圾評論。了解你的評論數據如何被處理

    More in:Linux中國