Incident report: "GoldenEye/Petya"





27 2017

, GoldenEye, .

, MBR ( Windows) , .







DLL, , , . . , , , , .



, . . , GoldenEye , , .







.











:



• MeDoc —

( )



• ETERNALBLUE: , ,

Microsoft 14 2017 MS17-010.



• PSEXEC: , PSEXEC.



• WMI: , WMI







Sample 1: 7e37ab34ecdcc3e77e24522ddfd4852d (MD5)



. :



• EternalBlue







• PSEXEC



/* decompiler output: builds "<psexec> \\<host> -accepteula -s -d rundll32.exe "C:\Windows\<dll>",#1" */
v8 = wsprintfW(a2, L"%s \\\\%s -accepteula -s ", v3, a3);
v9 = wsprintfW(&a2[v8], L"-d C:\\Windows\\System32\\rundll32.exe \"C:\\Windows\\%s\",#1 ", &v14) + v8;



• WMI



wbem\wmic.exe %s /node:"%ws" /user:"%ws" /password:"%ws" process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\%s\" #1
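The propagation list above (MeDoc, ETERNALBLUE, PSEXEC, WMI) and the two format strings recovered from Sample 1 give a responder concrete strings to hunt for in process-creation telemetry. The script below is an example added to this report, not Panda Security's own tooling: it classifies process command lines by whether they contain the PsExec or WMIC remote-execution shape and the `rundll32.exe "C:\Windows\<dll>",#1` ordinal call, and checks file bytes against the two MD5 hashes listed. The DLL name `perfc.dat`, the hosts, the user and the password in `SAMPLE_LOG` are assumptions for the example, and the log lines themselves are constructed, not real telemetry.

```python
r"""Detection helper added to this report (example code, not Panda Security's
own tooling).  It looks for the lateral-movement command lines built by the
PsExec and WMI format strings recovered from Sample 1, and checks file bytes
against the two MD5 hashes the report lists.

Assumptions made for the example: the dropped DLL is called perfc.dat, the
hosts/users/passwords in SAMPLE_LOG are invented, and SAMPLE_LOG itself is
constructed, not real telemetry.
"""
import hashlib
import re

# The two sample hashes given in the report (MD5).
SAMPLE_MD5 = {
    "7e37ab34ecdcc3e77e24522ddfd4852d",
    "71b6a493388e7d0b40c83ce903bc6b04",
}

# rundll32 loading a DLL straight out of C:\Windows and calling ordinal #1.
# The PsExec variant writes  "C:\Windows\<dll>",#1 ; the WMI variant, nested
# inside another quoted string, writes  \"C:\Windows\<dll>\" #1 .
RUNDLL32_ORD1 = re.compile(
    r'rundll32(?:\.exe)?\s+\\?"C:\\Windows\\([^"\\]+)\\?"\s*,?\s*#1\b',
    re.IGNORECASE,
)

# <psexec> \\<host> -accepteula -s -d ...   (first wsprintfW call above)
PSEXEC_REMOTE = re.compile(r'\\\\[\w.\-]+\s+-accepteula\s+-s\s+-d\s+', re.IGNORECASE)

# wmic.exe [..] /node:"..." /user:"..." /password:"..." process call create
WMIC_REMOTE = re.compile(
    r'wmic(?:\.exe)?\s+(?:\S+\s+)*?/node:"[^"]+"\s+/user:"[^"]+"\s+'
    r'/password:"[^"]+"\s+process\s+call\s+create\b',
    re.IGNORECASE,
)


def classify_command_line(cmdline):
    """Return which of the three indicators a process command line hits."""
    m = RUNDLL32_ORD1.search(cmdline)
    return {
        "rundll32_ord1": m is not None,
        "dll": m.group(1) if m else None,
        "psexec": PSEXEC_REMOTE.search(cmdline) is not None,
        "wmic": WMIC_REMOTE.search(cmdline) is not None,
    }


def severity(cmdline):
    """high: remote execution of a DLL under the Windows directory via ordinal #1
    (the worm hop); medium: the same rundll32 call with no remote component
    (the first infected host); info: PsExec/WMIC remote execution alone, which
    administrators also use legitimately."""
    h = classify_command_line(cmdline)
    remote = h["psexec"] or h["wmic"]
    if h["rundll32_ord1"] and remote:
        return "high"
    if h["rundll32_ord1"]:
        return "medium"
    if remote:
        return "info"
    return "none"


def scan_log(lines):
    """Return a list of (line index, severity, DLL name) for every line worth a look."""
    out = []
    for i, line in enumerate(lines):
        s = severity(line)
        if s != "none":
            out.append((i, s, classify_command_line(line)["dll"]))
    return out


def is_known_sample(data):
    """True if the bytes hash to one of the two sample MD5s from the report."""
    return hashlib.md5(data).hexdigest() in SAMPLE_MD5


# Constructed process command lines (Sysmon event 1 / 4688 style), not real data.
SAMPLE_LOG = [
    r'psexec.exe \\FS01 -accepteula -s -d cmd.exe /c ipconfig',                # benign admin use
    r'psexec.exe \\10.0.0.5 -accepteula -s -d C:\Windows\System32\rundll32.exe "C:\Windows\perfc.dat",#1',
    r'wbem\wmic.exe /node:"10.0.0.6" /user:"CORP\admin" /password:"Hunter2" process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"',
    r'C:\Windows\System32\rundll32.exe "C:\Windows\perfc.dat",#1',            # local run on the first host
    r'rundll32.exe shell32.dll,Control_RunDLL',                                # unrelated rundll32 use
]

if __name__ == "__main__":
    for idx, sev, dll in scan_log(SAMPLE_LOG):
        print(f"line {idx}: {sev:<6} dll={dll}")
    print("known sample:", is_known_sample(b"harmless bytes"))
```

The PsExec and WMIC patterns on their own are deliberately rated only "info", because both tools are common administrative tooling; what makes a line worth paging someone for is the combination with rundll32 loading a DLL from C:\Windows by ordinal, which is the shape both format strings share.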







Sample 2: 71b6a493388e7d0b40c83ce903bc6b04 (MD5)



, — EZVIT, MeDoc,

. GoldenEye :







, -, .







• ,

. ,

, .



• , .



• ETERNALBLUE, , :

technet.microsoft.com/en-us/library/security/ms17-010.aspx



• , Adaptive Defense Adaptive Defense 360.



• Adaptive Defense, Adaptive Defense Lock: , Panda Security .



• ,

.


