Wednesday, June 1, 2011

Blog Post: ??????????? ????? Stuxnet ? ??????? ???????????? Sysinternals (????? 2)

? ?????? ????? ? ????? ???????????? ?????????? ????? Stuxnet ? ??????? ???????????? Sysinternals. ? ??????????? Process Explorer, Autoruns ? VMMap ??? ??????? ??????? ????? ?? ?????????. Autoruns ?????? ??????? ?????? Stuxnet, ??? ???????? ????????? ? ??????? Mrxcls.sys ? Mrxnet.sys, ? ?????????, ??? ??? ?????????? Stuxnet (? ?????????????? ?????????? ?????????) ?????????? ?????? ??????? ??? ???????? ? ????????????? ???????. ? ??????? Process Explorer ? VMMap ?? ??????? ?????????? ??? Stuxnet ? ????????? ????????? ????????? ? ????? ????????? ????????, ??????????? ????????? ??????????? ????? ??? ????? ?????. ? ????? ?????? ?????? ? ??????????? ? ???????????? ?????? ????????? ??? ???? ????????, ??????????? ?? ?????? ?????? ? ?????? ???????. ? ???? ?????? ? ????????? ???? ????????????, ??????????????? ?????? Process Monitor, ??????? ??? ??????? ?? ????? ?????????, ????? ???????? ????? ???????? ????????? ??????? Stuxnet ?? ?????????? ??????? ? ????, ??? ?? ???????? (??????, ???? ??? ???????? ??? ?????????? ? ????? ? ????? ???? ?????? (Tom Clancy) ? ?????? ???????? (Michael Crichton), ?? ??? ????? ???????? ???????? ?? ??? ????? ???????????? Zero Day).

?????????? ??? ?????? ?????? ???????

Process Monitor ???????????? ????? 30000 ??????? ?? ????? ??????????? ?????????, ??? ??????? ????? ??? ?????? ???????, ??????????? ?? ?????????. ??????? ????? ???? ??????? ????????? ? ??????? ???????????? Windows ? ????????? ???????? Explorer ? ????? ?????, ??????????????? ?? ??????????? ? ?????????. ??? ??? ?? ????????? Process Monitor ????????? ?????????????? ??????? (????????? ? ????? ????????, ?????????? IRP-???????, ??????? System ? ???????? ? ??????????? NTFS), ?? ??? ????????? ?????? ?????????, ? ???? ?????? Process Explorer ?????????? ????? 10000 ???????:

???? ? ????, ????? ?????????????? Process Monitor ??????????, ????? ?? ?? ??????, ??? ????? ?????????? ????? ?????????? ??????. ??????? ? ?????? ???????? ??? ?????????? ???? ????, ? ? Process Monitor ???? ???????, ??????? ????????????? ??? ????? ????????? ?????????????. ?? ?????????? ??????, ??????? ????????? ??? ???????, ????? ????????? ? ???????????? ?????? ??? ?????? ???????. ????????? ???? ?????? (?Category is Write then Include?) ????? ? ??????? ??????????? ???? Filter:

???????, ??????????????? ????????? System ?????? ?? ????? ??? ???????????, ?? ? ????, ??? ? Stuxnet ???? ??????????, ?????????? ? ?????? ????, ??? ??? ??? ??????? ?????? ? ?????? ???????? ???????, ??????????? ? ????????? ???????? System, ??????? ???????? ?????????, ??? ????????? ???????? ????????? ????????? ????????? ??????. ?? ?????? ??????? ??????? ?? ?????????, ?????? ????? Enable Advanced Output ? ???? Filter, ?? ? ?? ????? ??????? ?????? ???????, ???????????? ?? ?????????, ??????? ????????? ??????? ????????? ? ????? ???????? ? ????????? ? ??????????? NTFS, ??? ??? ? ?????? ?????? ??????, ??????????? System (?????? ? ?????? ????????). ????? ??????? ??????????? ?? 600:

?? ????????? ???? ??????? ????????? ???????, ??????? ????? ?? ??????? ? ??????????. ??????????? ???????? ??????? ??????? ?????, ????????? ??? ??????? ?? ??????? ???????? ?????????? Windows. ????????, ?????? ????????? ????? ??????? ???? ??????? ?????????? Explorer ???????? ? ????? ??????? HKCU\Software\Microsoft\Windows\ShellNoRoam\BagsMRU:

? ???? ????? Explorer ????????? ????????? ????, ??? ??? ? ??? ????????? ??? ???????. ? ?????? ??? ? ??????? ??????? Process Monitor "quick filters": ? ??????? ?????? ??????? ???? ?? ????? ?? ????? ??????? ??? ?????? ???????????? ???? ???????? ??????? ? ????? ?????? Exclude:

????????? ? ???? ????????? ????? ?????? ?? ???????? ??? ???????? ????? ?????, ? ?????? ?????? ??? ????????? ??????, ?????? ??????? ?? ??? ??? ??????? ????????? ???????? ? ??????? ???????? "is" ?? "begins with" (?????????? ?):

??? ????????? ????? ??????? ?? 450, ??? ??????? ???????, ?? ? ??? ??? ????? ????? ???????, ??????? ????? ?????????. ????????? ???? ??????? ????????? ? ?????????? ???????? ?????? ? ?????? ?????? ???? ???????. ????? ???? ?????? ?????? ?????????? ???????, ?????? ??? ????????? ???? ???????? ???????, ? ?? ????? ?????? ? ?????? ?????? ????. ?????????? ???? ??????? ????????? ?? ????? ????? ?? 350. ? ????????? ????????????? ??????, ???????? ?????????????? ??????? ??? ?????????? ?????? ??????????? ???????. ????? ????, ??? ? ???????????? ??? ??????? ????????, ?????????? ???? Filter ????? ????????? ??? (????????? ?? ????????, ??????? ? ???????, ?? ????? ?? ??????):

?????? ???????? ?????? 133 ???????, ? ?????? ?????? ?? ??? ??????????, ??? ??? ??? ????? ???? ??????? ?? Stuxnet. ?????? ????? ????????? ??.

??????????? ??????? ??????? Stuxnet

?????? ??????? ? ?????????? ?????? ?????????? Stuxnet, ????????????? ? ????????? Explorer, ???????????????? ?????? 4 ?????? ?????? ?? ???? ????????? ????????? ??????.

????? ????????, ??? ??? ???????? ?????? ????????????? ???????????????? Stuxnet, ? ?? Explorer.exe, ? ?????? ??????? ?? ???, ????? ??????? ?????????? ???? Event Properties, ? ??????? ?? ???????? Stack. ???? ????? ????? ??? NtWriteFile API ?????????? "<unknown>" ? ???? ????? ??????, ??? ????????? ?? ??, ??? ?????? ????? ????? ?? ????? ?? ? ????? DLL, ??????????? ? ???????:

???? ?? ???????? ?? ????? ?? ????????? ?????, ?? ????? ?????? ??????? ?????? <unknown>, ????? ??? ?? ?????????? ??????????? ??????? ???????, ????????? ??? ???????? ? ???????????? ? ?????????? API ??????????? ?????, ??????? ?????????? Process Monitor. ?????? ????? ? ???????? ?? ???????? ???????????? Explorer ? ??????? VMMap, ? ????? ??????? ??????, ?????????? ??????????? ????? ????? 0x2FA24D5, ??????? ????? ?????????? ?? ?????? ? ?????????? ? ??????????? ??????? ??????????? ????????? ????:

????? ???? ???????? Explorer.exe ??????? ???????? ???????? ????????? Lsass.exe ??????? ?????? ~Dfa.tmp, ~Dfb.tmp, ~Dfc.tmp ? ~Dfd.tmp ?? ????????? ???????? ??????? ??????. ?????? ?????????? ? Windows ??????? ????????? ?????, ??? ??? ? ?????? ??? ?????????, ??? ??? ??????? ?? Stuxnet, ? ?? ?? ??????????? ??????????? Windows. ??????? ??????? ? ?????? ????, ??? ?? ???? ????? Stuxnet, ??????? ??? ????, ??? ID (PID) ????? ???????? Lsass.exe, ?????? 300 ? ?? ????????? ? PID ?????????? ?????????? ???????? Lsass.exe, ??????? ? ????????? ? ?????? ????? ??????. ??????????, ???? PID ?? ?????????????? ?? ?????? ?? ???? ????????? Lsass.exe, ??????? ???? ???????? ????? ?????????, ??? ????????????, ??? Lsass.exe ???????? ??? ????? ?????????, ?????????? Stuxnet.

????? ???????, ??? ???? ??????? Lsass.exe ??????????????? ? ???????, ? ????? Ctrl+T, ????? ??????? ?????????? ???? ?????? ????????? Process Monitor (??? ????? ????? ??????? ?? ???? Tools). ?????? ????????? ????????, ??? ??? ?????????????? ???????? Lsass.exe ??????????? ?? ????? ?????????, ??????? ???, ? ???????? ??? PID 300. ????? ?????? ???? ????????? ? ?????? ????????? ????????? ?? ??, ??? ??? ??????????? ??????, ??? Process Monitor ???????? ??????????? ???????:

?????? ? ????, ??? ??? ??? ?????????? ??????? Lsass.exe, ?? ? ?????? ??? ?????????, ??? ??? ????????? ????? ?? ???? ??????? ??????? ??????????? Lsass.exe. ? ????? ????????? ?? ?? ????? ? ?????? ?????? ?????? <unknown>, ??? ? ? ?????? ?? ?????? ???????? Explorer.exe.

? ????????? ????? ??????? ??? ?????????? ??? ??????????, ????????? ?? ?????, ??? Lsass.exe ?????????? ???? ?? ???? ????????? Stuxnet ? MRxCls.sys ? ? ????? C:\Windows\System32\Drivers ? ??????? ??????????????? ??? ????? ???????:

? ?????? ??????? ?? ???????? WriteFile, ????? ??????? ?? ????, ? ???????, ??? ????? API CopyFileEx ????????, ??? Stuxnet ?????????? ?????????? ???????? ?? ??????? ?????:

????? ??????? ????, ??????? ?????? ?????????? ????? ???????????, ? ???????? ???????? ??????, ??????????? ???????? ??????, ????? ??????????????? ??????? ? ?????????? ???? ?????? ????????:

Process Monitor ????????? ?????? ?? ???? ~DFD.tmp, ??????? ??? ?????? ?????, ??? ??? ? ????, ??? ???? ???? ???????? ????? ????????:

??????????? ?????????? ??????? ??????? System ???????? Mrxcls.sys, ??????????? ???? ???????:

????? Stuxnet ?????????????? ? ????????? ???? ?????? ??????? Mrxnet.sys. ??????????? ??????????, ??? Stuxnet ??????? ??????? ??????? ? ~DFE.tmp, ?????????? ???? ???? ? ???? ?????????? Mrxnet.sys, ? ?????? ???????? ??????? ??? Mrxnet.sys:

????????? ???????? ?????? ??????? System ???????? ???? ??????? ??? ??, ??? ? Mrxcls.sys.

????????? ???????????, ??????????? ???????, ???????? ? ???? ???????? ??????? ?????????????? ?????? ? ????? C:\Windows\Inf: Oem7a.pnf, Mdmeric3.pnf, Mdmcpq3.pnf ? Oem6c.pnf. ???????? ???????? ???? ?????? ????? ????? ??????, ????? ? ???????? ??????, ??????? ???????? ?????? ???????? CreateFile:

????? PNF ? ??? ?????????????? ????????????????? ????? INF, ? ????? INF ? ??? ????? ? ??????????? ?? ????????? ????????? ?????????. ????? C:\Windows\Inf ?????? ??? ???? ?????? ? ?????? ???????? ???? PNF ??? ??????? ????? INF. ? ??????? ?? ?????? ?????? PNF ? ???? ????????, ??? ?? ?????? ????? INF, ??? ???????? ?? ????????? ? ??????? PNF ?? Stuxnet, ?? ?? ????? ????????? ?? ??????????? ? ??????? ??????? ? ???? ?????. ??? ? ? ?????? ? ????????? ?????? ?????? ?????????, ????? ???? ???????? ????? ????? ?????? ?? CopyFileEx ? ?????????? ??????? ?? ?????? ??????????, ??? ?? ????-???????? ????? ???????? ?????????? ????????? ????????? ?????? Stuxnet. ????? ?? ?????? ??????, ??? Stuxnet ???????? ~Dfa.tmp ? Oem7a.pnf:

??? ?????? ? ??? ????? ????????? ????????? Lsass.exe, ?? ??????????? ?????????? ??????? ? Mdmcpq3.pnf, ??????????? ?????????? ????????? Services.exe:

????? ??????????? ?????????, Stuxnet ??????????? ?????????????? ????, ????? ?????? ??? ?????, ????? ???, ????? ?? ????????? ???????? ????? ??????????????? ?????? ?????? PNF ????? ????????, ? ?????? ???? ???????? ??????? ? 4 ?????? 2009 ????. ????? ???????? SetBasicInformationFile ????????????? ????? ??? ????? Oem7a.pnf:

??? ?????? Stuxnet ????????? ????????? ?????, ?? ????????? ????? ???? ?????, ??????? ????????? ?? ????????? ????? ??? ???????? ????? ?? ???????? (??? ???????? ??????? ????????? ????? ? ?????? ????? ???????????.

???????, ??? Stuxnet ?????????? ????????? ????? ? ????? ?????? ?? ?????, ?????? ??? ?????????????? ?????? ????????????, ????????? ?? ???? ????? ?? ???????????? Stuxnet ???? ?? ????????? ????????? ?????.

? ??????????? ???? ???? ????????, ??????? ? ?? ???? ???? ??????????, ? ?????????? ??????? ? ?? ???? ????? ?? ? ????? ?????????????? ??????? Stuxnet. ???? ???? ? ??? ??????? ??????? ???????? ??????? ? ?????? HKLM\System\CurrentControlSet\Services\Network\FailoverConfig:

??? ???????? ??????? ? ???? ???? Network ?? ???????????? Windows ??? ?????? ???????????, ??????? ? ???? ?????. ????? ??????????? ?????? ? ???????? C:\Windows ?? ??? ??????? ?????????. ???????? Stuxnet ??????? ???? ???? ? ???????????? ????????? ??? ?????? ? ??? ????????????? ??????????? ????? ??????? ???.

????????? ???

?? ?????? ?????? ??? ?????? ?????? Stuxnet ? ??????? ?????????? ???????????? Sysinternals ???????? ???????????????? ??????? Stuxnet ?? ??????? ? ?????? ????????? ? ????? ??????????? ??? ??????????? ?????????, ? ????? ??????? ??????????? ??????? ??? ?????????? Stuxnet ? ??????? ???????????? ???????. ? ??????? ????? ? ??????? ?? Stuxnet ? ??????? ???????????? Sysinternals, ???????? ??, ??? Stuxnet ?????????? ?????? ?? ??????? ????????? ?? ?????? PNF, ????? ?????? ?? ?? ??????????. ? ????? ????????????? ?????? ?????????? ?? ????? ????????? Windows 7, ????? ???????? ?????, ??????? Stuxnet ??????????? ?????????? "???????? ???" ? Windows 7 (??????? ???????????? ???? ???????) ??? ????????? ???????????????? ????, ????? ??? ?????????? ?? ??? ??????? ? ??????? ???????????? ????????????. ????? ??????? ????? ?
