? ?????? ????? ? ????? ???????????? ?????????? ????? Stuxnet ? ??????? ???????????? Sysinternals. ? ??????????? Process Explorer, Autoruns ? VMMap ??? ??????? ??????? ????? ?? ?????????. Autoruns ?????? ??????? ?????? Stuxnet, ??? ???????? ????????? ? ??????? Mrxcls.sys ? Mrxnet.sys, ? ?????????, ??? ??? ?????????? Stuxnet (? ?????????????? ?????????? ?????????) ?????????? ?????? ??????? ??? ???????? ? ????????????? ???????. ? ??????? Process Explorer ? VMMap ?? ??????? ?????????? ??? Stuxnet ? ????????? ????????? ????????? ? ????? ????????? ????????, ??????????? ????????? ??????????? ????? ??? ????? ?????. ? ????? ?????? ?????? ? ??????????? ? ???????????? ?????? ????????? ??? ???? ????????, ??????????? ?? ?????? ?????? ? ?????? ???????. ? ???? ?????? ? ????????? ???? ????????????, ??????????????? ?????? Process Monitor, ??????? ??? ??????? ?? ????? ?????????, ????? ???????? ????? ???????? ????????? ??????? Stuxnet ?? ?????????? ??????? ? ????, ??? ?? ???????? (??????, ???? ??? ???????? ??? ?????????? ? ????? ? ????? ???? ?????? (Tom Clancy) ? ?????? ???????? (Michael Crichton), ?? ??? ????? ???????? ???????? ?? ??? ????? ???????????? Zero Day).
?????????? ??? ?????? ?????? ???????
Process Monitor ???????????? ????? 30000 ??????? ?? ????? ??????????? ?????????, ??? ??????? ????? ??? ?????? ???????, ??????????? ?? ?????????. ??????? ????? ???? ??????? ????????? ? ??????? ???????????? Windows ? ????????? ???????? Explorer ? ????? ?????, ??????????????? ?? ??????????? ? ?????????. ??? ??? ?? ????????? Process Monitor ????????? ?????????????? ??????? (????????? ? ????? ????????, ?????????? IRP-???????, ??????? System ? ???????? ? ??????????? NTFS), ?? ??? ????????? ?????? ?????????, ? ???? ?????? Process Explorer ?????????? ????? 10000 ???????:
???? ? ????, ????? ?????????????? Process Monitor ??????????, ????? ?? ?? ??????, ??? ????? ?????????? ????? ?????????? ??????. ??????? ? ?????? ???????? ??? ?????????? ???? ????, ? ? Process Monitor ???? ???????, ??????? ????????????? ??? ????? ????????? ?????????????. ?? ?????????? ??????, ??????? ????????? ??? ???????, ????? ????????? ? ???????????? ?????? ??? ?????? ???????. ????????? ???? ?????? (?Category is Write then Include?) ????? ? ??????? ??????????? ???? Filter:
???????, ??????????????? ????????? System ?????? ?? ????? ??? ???????????, ?? ? ????, ??? ? Stuxnet ???? ??????????, ?????????? ? ?????? ????, ??? ??? ??? ??????? ?????? ? ?????? ???????? ???????, ??????????? ? ????????? ???????? System, ??????? ???????? ?????????, ??? ????????? ???????? ????????? ????????? ????????? ??????. ?? ?????? ??????? ??????? ?? ?????????, ?????? ????? Enable Advanced Output ? ???? Filter, ?? ? ?? ????? ??????? ?????? ???????, ???????????? ?? ?????????, ??????? ????????? ??????? ????????? ? ????? ???????? ? ????????? ? ??????????? NTFS, ??? ??? ? ?????? ?????? ??????, ??????????? System (?????? ? ?????? ????????). ????? ??????? ??????????? ?? 600:
?? ????????? ???? ??????? ????????? ???????, ??????? ????? ?? ??????? ? ??????????. ??????????? ???????? ??????? ??????? ?????, ????????? ??? ??????? ?? ??????? ???????? ?????????? Windows. ????????, ?????? ????????? ????? ??????? ???? ??????? ?????????? Explorer ???????? ? ????? ??????? HKCU\Software\Microsoft\Windows\ShellNoRoam\BagsMRU:
? ???? ????? Explorer ????????? ????????? ????, ??? ??? ? ??? ????????? ??? ???????. ? ?????? ??? ? ??????? ??????? Process Monitor "quick filters": ? ??????? ?????? ??????? ???? ?? ????? ?? ????? ??????? ??? ?????? ???????????? ???? ???????? ??????? ? ????? ?????? Exclude:
????????? ? ???? ????????? ????? ?????? ?? ???????? ??? ???????? ????? ?????, ? ?????? ?????? ??? ????????? ??????, ?????? ??????? ?? ??? ??? ??????? ????????? ???????? ? ??????? ???????? "is" ?? "begins with" (?????????? ?):
??? ????????? ????? ??????? ?? 450, ??? ??????? ???????, ?? ? ??? ??? ????? ????? ???????, ??????? ????? ?????????. ????????? ???? ??????? ????????? ? ?????????? ???????? ?????? ? ?????? ?????? ???? ???????. ????? ???? ?????? ?????? ?????????? ???????, ?????? ??? ????????? ???? ???????? ???????, ? ?? ????? ?????? ? ?????? ?????? ????. ?????????? ???? ??????? ????????? ?? ????? ????? ?? 350. ? ????????? ????????????? ??????, ???????? ?????????????? ??????? ??? ?????????? ?????? ??????????? ???????. ????? ????, ??? ? ???????????? ??? ??????? ????????, ?????????? ???? Filter ????? ????????? ??? (????????? ?? ????????, ??????? ? ???????, ?? ????? ?? ??????):
?????? ???????? ?????? 133 ???????, ? ?????? ?????? ?? ??? ??????????, ??? ??? ??? ????? ???? ??????? ?? Stuxnet. ?????? ????? ????????? ??.
??????????? ??????? ??????? Stuxnet
?????? ??????? ? ?????????? ?????? ?????????? Stuxnet, ????????????? ? ????????? Explorer, ???????????????? ?????? 4 ?????? ?????? ?? ???? ????????? ????????? ??????.
????? ????????, ??? ??? ???????? ?????? ????????????? ???????????????? Stuxnet, ? ?? Explorer.exe, ? ?????? ??????? ?? ???, ????? ??????? ?????????? ???? Event Properties, ? ??????? ?? ???????? Stack. ???? ????? ????? ??? NtWriteFile API ?????????? "<unknown>" ? ???? ????? ??????, ??? ????????? ?? ??, ??? ?????? ????? ????? ?? ????? ?? ? ????? DLL, ??????????? ? ???????:
???? ?? ???????? ?? ????? ?? ????????? ?????, ?? ????? ?????? ??????? ?????? <unknown>, ????? ??? ?? ?????????? ??????????? ??????? ???????, ????????? ??? ???????? ? ???????????? ? ?????????? API ??????????? ?????, ??????? ?????????? Process Monitor. ?????? ????? ? ???????? ?? ???????? ???????????? Explorer ? ??????? VMMap, ? ????? ??????? ??????, ?????????? ??????????? ????? ????? 0x2FA24D5, ??????? ????? ?????????? ?? ?????? ? ?????????? ? ??????????? ??????? ??????????? ????????? ????:
????? ???? ???????? Explorer.exe ??????? ???????? ???????? ????????? Lsass.exe ??????? ?????? ~Dfa.tmp, ~Dfb.tmp, ~Dfc.tmp ? ~Dfd.tmp ?? ????????? ???????? ??????? ??????. ?????? ?????????? ? Windows ??????? ????????? ?????, ??? ??? ? ?????? ??? ?????????, ??? ??? ??????? ?? Stuxnet, ? ?? ?? ??????????? ??????????? Windows. ??????? ??????? ? ?????? ????, ??? ?? ???? ????? Stuxnet, ??????? ??? ????, ??? ID (PID) ????? ???????? Lsass.exe, ?????? 300 ? ?? ????????? ? PID ?????????? ?????????? ???????? Lsass.exe, ??????? ? ????????? ? ?????? ????? ??????. ??????????, ???? PID ?? ?????????????? ?? ?????? ?? ???? ????????? Lsass.exe, ??????? ???? ???????? ????? ?????????, ??? ????????????, ??? Lsass.exe ???????? ??? ????? ?????????, ?????????? Stuxnet.
????? ???????, ??? ???? ??????? Lsass.exe ??????????????? ? ???????, ? ????? Ctrl+T, ????? ??????? ?????????? ???? ?????? ????????? Process Monitor (??? ????? ????? ??????? ?? ???? Tools). ?????? ????????? ????????, ??? ??? ?????????????? ???????? Lsass.exe ??????????? ?? ????? ?????????, ??????? ???, ? ???????? ??? PID 300. ????? ?????? ???? ????????? ? ?????? ????????? ????????? ?? ??, ??? ??? ??????????? ??????, ??? Process Monitor ???????? ??????????? ???????:
?????? ? ????, ??? ??? ??? ?????????? ??????? Lsass.exe, ?? ? ?????? ??? ?????????, ??? ??? ????????? ????? ?? ???? ??????? ??????? ??????????? Lsass.exe. ? ????? ????????? ?? ?? ????? ? ?????? ?????? ?????? <unknown>, ??? ? ? ?????? ?? ?????? ???????? Explorer.exe.
? ????????? ????? ??????? ??? ?????????? ??? ??????????, ????????? ?? ?????, ??? Lsass.exe ?????????? ???? ?? ???? ????????? Stuxnet ? MRxCls.sys ? ? ????? C:\Windows\System32\Drivers ? ??????? ??????????????? ??? ????? ???????:
? ?????? ??????? ?? ???????? WriteFile, ????? ??????? ?? ????, ? ???????, ??? ????? API CopyFileEx ????????, ??? Stuxnet ?????????? ?????????? ???????? ?? ??????? ?????:
????? ??????? ????, ??????? ?????? ?????????? ????? ???????????, ? ???????? ???????? ??????, ??????????? ???????? ??????, ????? ??????????????? ??????? ? ?????????? ???? ?????? ????????:
Process Monitor ????????? ?????? ?? ???? ~DFD.tmp, ??????? ??? ?????? ?????, ??? ??? ? ????, ??? ???? ???? ???????? ????? ????????:
??????????? ?????????? ??????? ??????? System ???????? Mrxcls.sys, ??????????? ???? ???????:
????? Stuxnet ?????????????? ? ????????? ???? ?????? ??????? Mrxnet.sys. ??????????? ??????????, ??? Stuxnet ??????? ??????? ??????? ? ~DFE.tmp, ?????????? ???? ???? ? ???? ?????????? Mrxnet.sys, ? ?????? ???????? ??????? ??? Mrxnet.sys:
????????? ???????? ?????? ??????? System ???????? ???? ??????? ??? ??, ??? ? Mrxcls.sys.
????????? ???????????, ??????????? ???????, ???????? ? ???? ???????? ??????? ?????????????? ?????? ? ????? C:\Windows\Inf: Oem7a.pnf, Mdmeric3.pnf, Mdmcpq3.pnf ? Oem6c.pnf. ???????? ???????? ???? ?????? ????? ????? ??????, ????? ? ???????? ??????, ??????? ???????? ?????? ???????? CreateFile:
????? PNF ? ??? ?????????????? ????????????????? ????? INF, ? ????? INF ? ??? ????? ? ??????????? ?? ????????? ????????? ?????????. ????? C:\Windows\Inf ?????? ??? ???? ?????? ? ?????? ???????? ???? PNF ??? ??????? ????? INF. ? ??????? ?? ?????? ?????? PNF ? ???? ????????, ??? ?? ?????? ????? INF, ??? ???????? ?? ????????? ? ??????? PNF ?? Stuxnet, ?? ?? ????? ????????? ?? ??????????? ? ??????? ??????? ? ???? ?????. ??? ? ? ?????? ? ????????? ?????? ?????? ?????????, ????? ???? ???????? ????? ????? ?????? ?? CopyFileEx ? ?????????? ??????? ?? ?????? ??????????, ??? ?? ????-???????? ????? ???????? ?????????? ????????? ????????? ?????? Stuxnet. ????? ?? ?????? ??????, ??? Stuxnet ???????? ~Dfa.tmp ? Oem7a.pnf:
??? ?????? ? ??? ????? ????????? ????????? Lsass.exe, ?? ??????????? ?????????? ??????? ? Mdmcpq3.pnf, ??????????? ?????????? ????????? Services.exe:
????? ??????????? ?????????, Stuxnet ??????????? ?????????????? ????, ????? ?????? ??? ?????, ????? ???, ????? ?? ????????? ???????? ????? ??????????????? ?????? ?????? PNF ????? ????????, ? ?????? ???? ???????? ??????? ? 4 ?????? 2009 ????. ????? ???????? SetBasicInformationFile ????????????? ????? ??? ????? Oem7a.pnf:
??? ?????? Stuxnet ????????? ????????? ?????, ?? ????????? ????? ???? ?????, ??????? ????????? ?? ????????? ????? ??? ???????? ????? ?? ???????? (??? ???????? ??????? ????????? ????? ? ?????? ????? ???????????.
???????, ??? Stuxnet ?????????? ????????? ????? ? ????? ?????? ?? ?????, ?????? ??? ?????????????? ?????? ????????????, ????????? ?? ???? ????? ?? ???????????? Stuxnet ???? ?? ????????? ????????? ?????.
? ??????????? ???? ???? ????????, ??????? ? ?? ???? ???? ??????????, ? ?????????? ??????? ? ?? ???? ????? ?? ? ????? ?????????????? ??????? Stuxnet. ???? ???? ? ??? ??????? ??????? ???????? ??????? ? ?????? HKLM\System\CurrentControlSet\Services\Network\FailoverConfig:
??? ???????? ??????? ? ???? ???? Network ?? ???????????? Windows ??? ?????? ???????????, ??????? ? ???? ?????. ????? ??????????? ?????? ? ???????? C:\Windows ?? ??? ??????? ?????????. ???????? Stuxnet ??????? ???? ???? ? ???????????? ????????? ??? ?????? ? ??? ????????????? ??????????? ????? ??????? ???.
????????? ???
?? ?????? ?????? ??? ?????? ?????? Stuxnet ? ??????? ?????????? ???????????? Sysinternals ???????? ???????????????? ??????? Stuxnet ?? ??????? ? ?????? ????????? ? ????? ??????????? ??? ??????????? ?????????, ? ????? ??????? ??????????? ??????? ??? ?????????? Stuxnet ? ??????? ???????????? ???????. ? ??????? ????? ? ??????? ?? Stuxnet ? ??????? ???????????? Sysinternals, ???????? ??, ??? Stuxnet ?????????? ?????? ?? ??????? ????????? ?? ?????? PNF, ????? ?????? ?? ?? ??????????. ? ????? ????????????? ?????? ?????????? ?? ????? ????????? Windows 7, ????? ???????? ?????, ??????? Stuxnet ??????????? ?????????? "???????? ???" ? Windows 7 (??????? ???????????? ???? ???????) ??? ????????? ???????????????? ????, ????? ??? ?????????? ?? ??? ??????? ? ??????? ???????????? ????????????. ????? ??????? ????? ?