前言
美国国家安全局(NSA)旗下的“方程式黑客组织”(shadow brokers)使用的部分网络武器被公开,其中包括可以远程攻破全球约70%Windows机器的漏洞利用工具。
其中,有十款工具最容易影响Windows个人用户,包括永恒之蓝、永恒王者、永恒浪漫、永恒协作、翡翠纤维、古怪地鼠、爱斯基摩卷、文雅学者、日食之翼和尊重审查。不法分子无需任何操作,只要联网就可以入侵电脑,就像冲击波、震荡波等著名蠕虫一样可以瞬间血洗 互联网。
正文
本文就最近遇到的永恒之蓝做简析,本文所遇到的永恒之蓝为变种病毒。制作者将挖矿埋入了病毒中传播。因影响较多没继续跟踪虚拟币所属种类。
现象:
利用个人电脑及windows服务器空闲CPU来做大量的挖矿运算,占用闲置CPU资源.经过跟踪,发现部分进程中线程创建达3822+,外网连接数达到300+.造成其它正常程序打开响应慢,卡死状况。
细节:
异常启动svchost.exe进程.
调用病毒进程:TrustedHostServices.exe
伪装进程:spooler.exe (与系统预置打印机进程名称一致)
感染区:
在系统目录C:\Windows创建SecureBootThemes
在系统核心目录C:\Windows\System32创建SecureBootThemes
在系统核心目录C:\Windows\System32释放了如下文件:
MsraReportDataCache32.tlb,tpmagentservice.dll,TrustedHostServices.exe
注册了系统服务:tpmagentservice
传播路径:定向扫描135,445等内网常备端口.自动连接外网下载最新病毒包,并自更新.
解决办法:杀灭进程,删除服务,清除目录,关闭易感染端口,更新Windows系统补丁(通过金山卫士,360卫士或者其它杀软)
这里提供一个组合批处理工具,若有补充,欢迎斧正
@echo off &&title 正在杀毒中. 批处理需要右键,管理员权限运行,否则出错 By NXQ&& color 1f
echo “正在停止打印机服务”
sc stop spooler
sc config spooler start= disabled
sc stop tpmagentservice
sc delete tpmagentservice
tasklist /nh| find "TrustedHostServices.exe" 2>NULL
if "%ERRORLEVEL%"=="1" (echo no)
if "%ERRORLEVEL%"=="0" (ntsd -c q -pn TrustedHostServices.exe)
taskkill /F /im spoolsv.exe
DEL /F /Q /S C:WindowsSystem32MsraReportDataCache32.tlb
DEL /F /Q /S C:WindowsSystem32tpmagentservice.dll
DEL /F /Q /S C:WindowsSystem32TrustedHostServices.exe
wmic process where "ExecutablePath like 'C:WindowsSecureBootThemesMicrosoft%%'" call Terminate
DEL /F /Q /S C:WindowsSecureBootThemesMicrosoftspoolsv.exe
DEL /F /Q /S C:WindowsSecureBootThemes
DEL /F /Q /S C:WindowsSystem32SecureBootThemes
@echo off
color 1f
title 您正在使用一键屏蔽危险端口和服务
echo 您正在使用一键屏蔽危险端口和服务
echo"正在帮您关闭这些危险端口,请稍等"
echo “正在开启Windows防火墙服务”
net start MpsSvc
echo ”正在帮您开启Windows防火墙自启动“
sc config MpsSvc start= auto
echo ”正在启用防火墙“
netsh advfirewall set allprofiles state on
echo"正在帮您屏蔽端口...."
echo.
echo.
echo.
echo 正在屏蔽135端口 请稍候…
netsh advfirewall firewall delete rule name = "Disable port 135 - TCP"
netsh advfirewall firewall add rule name = "Disable port 135 - TCP" dir = in action = block protocol = TCP localport = 135
echo.
netsh advfirewall firewall delete rule name = "Disable port 135 - UDP"
netsh advfirewall firewall add rule name = "Disable port 135 - UDP" dir = in action = block protocol = UDP localport = 135
echo.
echo 正在屏蔽137端口 请稍候…
netsh advfirewall firewall delete rule name = "Disable port 137 - TCP"
netsh advfirewall firewall add rule name = "Disable port 137 - TCP" dir = in action = block protocol = TCP localport = 137
echo.
netsh advfirewall firewall add rule name = "Disable port 137 - UDP"
netsh advfirewall firewall add rule name = "Disable port 137 - UDP" dir = in action = block protocol = UDP localport = 137
echo.
echo 正在屏蔽138端口 请稍候…
netsh advfirewall firewall delete rule name = "Disable port 138 - TCP"
netsh advfirewall firewall add rule name = "Disable port 138 - TCP" dir = in action = block protocol = TCP localport = 138
echo.
netsh advfirewall firewall delete rule name = "Disable port 138 - UDP"
netsh advfirewall firewall add rule name = "Disable port 138 - UDP" dir = in action = block protocol = UDP localport = 138
echo.
echo 正在屏蔽139端口 请稍候…
netsh advfirewall firewall delete rule name = "Disable port 139 - TCP"
netsh advfirewall firewall add rule name = "Disable port 139 - TCP" dir = in action = block protocol = TCP localport = 139
echo.
netsh advfirewall firewall delete rule name = "Disable port 139 - UDP"
netsh advfirewall firewall add rule name = "Disable port 139 - UDP" dir = in action = block protocol = UDP localport = 139
echo.
echo 正在关闭445端口 请稍候…
netsh advfirewall firewall delete rule name = "Disable port 445 - TCP"
netsh advfirewall firewall add rule name = "Disable port 445 - TCP" dir = in action = block protocol = TCP localport = 445
echo.
netsh advfirewall firewall delete rule name = "Disable port 445 - UDP"
netsh advfirewall firewall add rule name = "Disable port 445 - UDP" dir = in action = block protocol = UDP localport = 445
echo.
echo "危险端口已经用Windows防火墙屏蔽成功"
echo.
echo ----------------
echo “正在关闭Workstation(LanmanWorkstation)服务”
sc stop LanmanWorkstation
sc config LanmanWorkstation start= disabled
echo.
echo ----------------
echo “正在关闭Server(LanmanServer)服务”
sc stop LanmanServer
sc config LanmanServer start= disabled
echo.
echo ----------------
echo “正在关闭TCP/IP NetBIOS Helper(lmhosts)共享服务”
sc stop lmhosts
sc config lmhosts start= disabled
echo.
echo ----------------
echo “正在关闭Distributed Transaction Coordinator(MSDTC)共享服务”
sc stop MSDTC
sc config MSDTC start= disabled
echo.
echo ----------------
echo “正在关闭NetBT服务”
sc stop NetBT
sc config NetBT start= disabled
echo.
echo ----------------
reg add "hklmSystemCurrentControlSetServicesNetBTParameters" /v "SMBDeviceEnabled" /t reg_dword /d "0" /f
reg add "hklmSOFTWAREMicrosoftOle" /v "EnableDCOM" /t reg_sz /d "N" /f
reg add "hklmSOFTWAREMicrosoftRpc" /v "DCOM Protocols" /t reg_multi_sz /d "" /f
echo.
echo ----------------
echo "恭喜您,危险端口已经关闭,请重新启动电脑后用netstat -an查看本地端口"
echo 按任意键退出
pause>nul
pause补丁列表
漏洞名称 解决方案
“EternalBlue 永恒之蓝” 由MS17-010解决
“EmeraldThread 翡翠线” 由MS10-061解决
“EternalChampion 永恒冠军” 由CVE-2017-0146和CVE-2017-0147解决
“ErraticGopher 漂泊地鼠” 在Windows Vista发布之前就已经解决
“EsikmoRoll 爱斯基摩卷” 由MS14-068解决
“EternalRomance 永恒罗曼史” 由MS17-010解决
“EducatedScholar 受过教育的学者” 由MS09-050解决
“ EternalSynergy 永恒协同” 由MS17-010解决
“EclipsedWing 黯淡羽翼” 由MS08-067解决