Global Ransomware Attack | Petya/NotPetya

Another global ransomware attack,
and this time, there is no kill switch.
Now the threat in this case appears to be similar to Petya,
but Kaspersky researchers suggest that it has a lot of novelty to it.
So, they call it NotPetya.
Some people are calling it Petya.
Whatever it is, it is quite interesting,
so we will take a look at it.
But first, um, since this is quite similar
to the circumstances of the WannaCry disaster,
I'm gonna start with a few differences and contrasts.
First things first, this thing only spreads
via LAN, or your local networks.
So it does not use the Internet
to spread to other computers.
It does, however, use the same EternalBlue exploit
which was used by the WannaCry ransomware.
So SMB, if you want, is enforced.
You can turn that off by going into your Windows features
or just update your system.
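The two mitigations the video names (turning SMBv1 off in Windows features, or patching) can be audited from a script. The following is an added example written for this page, not something shown in the video: it reports whether the SMBv1 server protocol and the SMB1Protocol optional feature are enabled, lists the most recent hotfixes so you can compare against the MS17-010 update that closes the EternalBlue vulnerability, and only changes anything when run with -Disable. It assumes Windows 8.1 / Server 2012 R2 or later (the SmbShare cmdlets are not present on Windows 7) and an elevated PowerShell session.

```powershell
# Added example (not from the video): audit and, optionally, disable SMBv1,
# the protocol version that the EternalBlue exploit targets.
# Assumes Windows 8.1 / Server 2012 R2 or later and an elevated session.
param(
    [switch]$Disable   # pass -Disable to change settings; default is audit only
)

# 1. Server side: is the SMB1 server protocol switched on?
$server = Get-SmbServerConfiguration | Select-Object -ExpandProperty EnableSMB1Protocol
Write-Host "SMB1 server protocol enabled : $server"

# 2. Windows optional feature: is the SMB1 component installed at all?
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Write-Host "SMB1Protocol feature state   : $($feature.State)"

# 3. Patch check: the EternalBlue fix ships in the MS17-010 security update.
#    The KB number differs per OS build, so this only lists what is installed
#    and leaves the comparison to you.
Write-Host "Ten most recent hotfixes:"
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10 |
    Format-Table HotFixID, InstalledOn -AutoSize

if ($Disable) {
    # Turn the server protocol off and remove the feature so that the
    # SMBv1 code path is no longer reachable on TCP 445.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    Write-Host "SMBv1 disabled; a reboot completes the feature removal."
}
```

Run it once without arguments to see the current state, then with `-Disable` once you have confirmed nothing on the network still depends on SMBv1 (old printers and NAS boxes are the usual holdouts).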
Another major difference is that
this malware isn't directly executable.
It's actually a DLL file
which has to be executed by some other process.
In this case, we are just gonna use rundll32 and run the command ourselves.
But it's probably going to be attached
as some kind of payload to some kind of downloader/dropper
or some similar application.
Since, as I mentioned earlier,
it is similar to Petya,
it does reboot your system
and then use that CHKDSK disguise to encrypt your files.
In this case, restoring your MBR isn't an option,
because your files and data will still be encrypted,
and that is just not going to work,
unlike some of the, you know, very early versions of Petya.
Now before we jump into how the program looks and works,
let's take a look at the strings via IDA Pro.
So the first thing we notice
is some sort of a decoding mechanism,
because the exploit itself, EternalBlue,
is currently blacklisted by pretty much everybody
who wants to stay in business.
In order to get past those signatures,
they have encoded their part of the exploit code
and, umm, tried to make it invisible.
Of course, a lot of behavioral mechanisms will still pick it up.
Now, apart from that,
another interesting fact to note is that
the email is easily noticeable.
Now if we scroll all the way to the bottom,
I think we're going to see it.
There you go.
"Send your Bitcoin wallet
ID and personal installation key to this mail."
The mail provider Posteo has deactivated this mail address.
So you will not be able to pay the ransom
regardless of whether or not you want to,
which is great or unfortunate depending on your circumstances.
I'd say that was pretty prompt action from the email service provider, though.
Now for any malware analyst out there,
it does use the CryptGenRandom function,
which is kind of one of the initial indicators of basic ransomware,
and it also has the entire infection mechanism built in.
So once it's on your system,
it is going to automatically look for
other computers connected to the same network
and start infecting them via your LAN.
So usually most of the damage
that this thing does happens very quickly,
like within the first hour or so.
And after that,
it's usually not going to be able to infect more computers
once it saturates the network, and also once all the machines are shut down.
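The first-look triage the video does in IDA Pro's strings window (spotting the ransom e-mail, the CryptGenRandom import and the fake CHKDSK text) can be reproduced without a disassembler. The script below is an added example for this page, not the video author's tooling: it extracts ASCII and UTF-16LE strings from a byte buffer and matches them against indicators drawn from what the video describes. The sample buffer, including the `contact@example.invalid` address, is constructed for the demo; pass the bytes of a real file to `Get-SuspiciousStrings` to triage it. Runs on Windows PowerShell 5.1 or PowerShell 7.

```powershell
# Added example (not from the video): a minimal "strings" pass with indicator
# matching, the first look an analyst takes before opening a disassembler.

function Get-PrintableStrings {
    param(
        [Parameter(Mandatory)] [byte[]]$Bytes,
        [int]$MinLength = 6
    )
    # Latin-1 (code page 28591) maps every byte to exactly one char, so the
    # regexes below see the raw bytes instead of '?' substitutions.
    $text = [System.Text.Encoding]::GetEncoding(28591).GetString($Bytes)
    # ASCII strings: runs of printable characters
    $ascii = [regex]::Matches($text, "[\x20-\x7E]{$MinLength,}") |
             ForEach-Object { $_.Value }
    # UTF-16LE strings (common in Windows binaries): printable char, NUL, repeated
    $wide  = [regex]::Matches($text, "(?:[\x20-\x7E]\x00){$MinLength,}") |
             ForEach-Object { $_.Value -replace "\x00", "" }
    return @($ascii) + @($wide)
}

function Get-SuspiciousStrings {
    param([Parameter(Mandatory)] [byte[]]$Bytes)
    # Indicators taken from the behaviour the video describes.
    $indicators = @{
        'email address in ransom text' = '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'
        'CryptGenRandom import'        = '^CryptGenRandom$'
        'fake CHKDSK text'             = 'chkdsk|repairing file system'
        'ransom / key prompt'          = 'bitcoin|installation key|decrypt'
    }
    $hits = foreach ($s in Get-PrintableStrings -Bytes $Bytes) {
        foreach ($name in $indicators.Keys) {
            # -match is case-insensitive by default in PowerShell
            if ($s -match $indicators[$name]) {
                [pscustomobject]@{ Indicator = $name; String = $s }
            }
        }
    }
    return $hits
}

# --- constructed sample: non-printable filler with a few planted strings ---
$filler  = [byte[]](1..64 | ForEach-Object { 0xCC })
$planted = @(
    [System.Text.Encoding]::ASCII.GetBytes("CryptGenRandom`0"),
    $filler,
    [System.Text.Encoding]::ASCII.GetBytes("Repairing file system on C:`0"),
    $filler,
    [System.Text.Encoding]::Unicode.GetBytes(
        "Send your Bitcoin wallet ID and personal installation key to contact@example.invalid`0")
)
$sample = [byte[]]($planted | ForEach-Object { $_ })

Get-SuspiciousStrings -Bytes $sample | Format-Table -AutoSize
```

The UTF-16 pattern matters on Windows samples: ransom notes and UI text are often stored as wide strings and are invisible to an ASCII-only extractor. An import name such as CryptGenRandom, on the other hand, sits in the import table as plain ASCII, which is why it shows up so early in a strings listing.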
So now let's go ahead and actually execute this and see how it runs on our test system.
Please be extremely careful if you plan on replicating this yourself,
because you might be putting yourself and other computers on the network at risk.
We will just open up Command Prompt
and navigate to our Desktop directory.
[Sound of typing commands]
As you can see, the DLL file has now disappeared.
After a while, the system is going to reboot.
And when it does, you will be greeted with this screen,
which kind of reminds you of the old CHKDSK thing.
But this is actually fake,
and the progress bar here
just represents how quickly your files are being encrypted.
Now if this was a real system,
what I'd do right now is just pull the power out
and make sure, umm, I do it as quickly as possible
so that the least amount of my data is encrypted.
And then I'd go into the recovery medium and recover what I can.
Since this does activate on reboot,
if you just shut down your computer real quick,
your data might actually be safe.
So keep that in mind.
Once the encryption process is complete,
your system reboots again, and then you get this screen.
You don't get the flashy skull thing like you get in Petya,
but it still looks very similar.
So at this point, you have no access to your system.
All you can do is type in the key.
And if you don't type the right key,
this is all you get.
That's all there is to it.
So how can you protect yourself?
Step one: run a decent anti-malware solution on your main computer.
And I don't know where a lot of this garbage is coming from,
but, you know, some people who didn't even know what ransomware was before the WannaCry attack
are going around saying that AV programs didn't block their ransomware
or they made no difference.
But don't listen to people who have no idea what they're talking about.
Most decent AV solutions blocked WannaCry from day one,
and it was also picked up by a lot of behavioral components.
So, AV does matter.
And in 90 per cent of the cases,
that's your most important and basic safeguard against such things.
Don't fall for any of the, you know, nonsense.
Keep yourself protected. Have backups just in case.
And as always, stay informed, stay secure.

Translation credits

Video overview

How to respond to the new round of Petya ransomware attacks, and how the malware operates

Transcriber

叶33_

Translator

鱼汤娘子啊有毒

Reviewer

译学馆审核团D

Video source

https://www.youtube.com/watch?v=KdgCwCuBUp4
