{"id":17708,"date":"2016-05-06T09:00:15","date_gmt":"2016-05-06T01:00:15","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=17708"},"modified":"2016-05-06T12:09:26","modified_gmt":"2016-05-06T04:09:26","slug":"locky-%e5%8b%92%e7%b4%a2%e8%bb%9f%e9%ab%94%e5%88%a9%e7%94%a8-flash-%e5%92%8c-windows-%e7%b3%bb%e7%b5%b1%e6%a0%b8%e5%bf%83%e6%bc%8f%e6%b4%9e%e6%95%a3%e5%b8%83","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=17708","title":{"rendered":"Locky \u52d2\u7d22\u75c5\u6bd2\u5229\u7528 Flash \u548c Windows \u7cfb\u7d71\u6838\u5fc3\u6f0f\u6d1e\u6563\u5e03"},"content":{"rendered":"<p>\u4eca\u5e74\u56db\u6708\u521d\uff0cAdobe Flash Player \u51fa\u73fe\u4e86\u4e00\u500b\u00a0<a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/cve-2016-1019-zero-day-integrated-in-exploit-kit\/\">\u96f6\u6642\u5dee\u6f0f\u6d1e<\/a> \u00a0(CVE-2016-1019)\u3002\u6b64\u6f0f\u6d1e\u5f88\u5feb\u5c31\u88ab\u6536\u9304\u5230 \u00a0<a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/look-adobe-flash-player-cve-2016-1019-zero-day-vulnerability\/\">Magnitude \u6f0f\u6d1e\u653b\u64ca\u5957\u4ef6<\/a> \u7576\u4e2d\uff0cAdobe \u88ab\u8feb\u7dca\u6025\u91cb\u51fa<a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/vulnerabilities-and-exploits\/adobe-patch-for-critical-flash-vulnerability\">\u4fee\u88dc\u7a0b\u5f0f<\/a>\u3002\u99ed\u5ba2\u5229\u7528\u6b64\u6f0f\u6d1e\u4e26\u642d\u914d<a href=\"https:\/\/blog.trendmicro.com.tw\/?p=17503\">\u300cDrive by download\u300d\u8def\u904e\u5f0f\u4e0b\u8f09\uff08\u96b1\u85cf\u5f0f\u4e0b\u8f09\u3001\u5077\u6e21\u5f0f\u4e0b\u8f09\u3001\u5f37\u8feb\u4e0b\u8f09. \u7db2\u9801\u639b\u99ac\uff09<\/a>\u6280\u5de7\u4f86\u6563\u5e03 <a href=\"https:\/\/blog.trendmicro.com.tw\/?p=16651\">Locky\u52d2\u7d22\u75c5\u6bd2(\u52d2\u7d22\u8edf\u9ad4\/\u7d81\u67b6\u75c5\u6bd2)<\/a>\u3002<\/p>\n<p><a href=\"https:\/\/blog.trendmicro.com.tw\/?attachment_id=17709\" rel=\"attachment wp-att-17709\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-17709\" src=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2016\/05\/Vulnerability.jpg\" alt=\"Vulnerability \u6f0f\u6d1e \u52d2\u7d22\u8edf\u9ad4 \u8b66\u544a \u5b89\u5168\" width=\"400\" height=\"400\" srcset=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2016\/05\/Vulnerability.jpg 400w, https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2016\/05\/Vulnerability-150x150.jpg 150w, https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2016\/05\/Vulnerability-300x300.jpg 300w\" sizes=\"(max-width: 400px) 100vw, 400px\" \/><\/a><\/p>\n<p>\u4e0d\u904e\uff0c\u4f7f\u7528\u8005\u6240\u9762\u81e8\u7684\u5a01\u8105\u9084\u4e0d\u53ea\u9019\u6a23\u3002\u6700\u8fd1\uff0c\u8da8\u52e2\u79d1\u6280\u767c\u73fe\u9019\u9805\u653b\u64ca\u53c8\u589e\u52a0\u4e86\u4e00\u500b\u65b0\u7684\u6280\u5de7\u3002\u9664\u4e86\u5229\u7528 Flash \u6f0f\u6d1e\u4e4b\u5916\uff0c\u99ed\u5ba2\u66f4\u5229\u7528\u4e00\u500b\u00a0<a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/exploring-cve-2015-1701-a-win32k-elevation-of-privilege-vulnerability-used-in-targeted-attacks\/\">\u820a\u7684 Windows \u6b0a\u9650\u5347\u7d1a\u6f0f\u6d1e<\/a> (CVE-2015-1701) \u4f86\u8eb2\u907f\u8cc7\u5b89\u8edf\u9ad4\u7684\u6c99\u76d2\u6a21\u64ec\u5206\u6790\u6280\u8853\u3002<\/p>\n<p><strong><em>\u96b1\u533f\u7684\u60e1\u610f\u884c\u70ba<\/em><\/strong><\/p>\n<p>\u8da8\u52e2\u79d1\u6280\u4e0d\u50c5\u5206\u6790\u4e86\u64f7\u53d6\u5230\u7684\u7db2\u8def\u6d41\u91cf\uff0c\u4e5f\u5206\u6790\u4e86\u4e00\u500b\u76f8\u95dc\u7684\u6a94\u6848\u4e0b\u8f09\u7a0b\u5f0f \u00a0(\u4e5f\u5c31\u662f\u00a0<a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/threat-encyclopedia\/malware\/TROJ_LOCKY.DLDRA\">TROJ_LOCKY.DLDRA<\/a>)\u3002\u5f9e\u7db2\u8def\u6d41\u91cf\u53ef\u767c\u73fe\u6b64\u5a01\u8105\u5229\u7528\u7684\u662f CVE-2016-1019 \u6f0f\u6d1e\u3002\u81f3\u65bc\u6a94\u6848\u4e0b\u8f09\u7a0b\u5f0f\uff0c\u5247\u662f\u5229\u7528\u4e86\u4e00\u500b\u7f55\u898b\u7684 Windows \u6838\u5fc3\u6f0f\u6d1e\u3002\u6a94\u6848\u4e0b\u8f09\u7a0b\u5f0f\u53ef\u85c9\u6b64\u9023\u4e0a\u5176\u5e55\u5f8c\u64cd\u7e31 (C&amp;C) \u4f3a\u670d\u5668 (IP\uff1a202.102.110.204:80)\uff0c\u4e26\u4e14\u4e0b\u8f09<a href=\"https:\/\/blog.trendmicro.com.tw\/?p=16651\">Locky\u52d2\u7d22\u8edf\u9ad4<\/a>\u5230\u7cfb\u7d71\u4e0a\u3002\u9019\u9805\u6280\u5de7\u5229\u7528\u4e86\u591a\u9805\u6838\u5fc3\u5c64\u7d1a\u7684\u7cfb\u7d71\u6a5f\u5236\uff0c\u5305\u62ec\uff1a\u5de5\u4f5c\u9805\u76ee\u3001\u7cfb\u7d71\u57f7\u884c\u7dd2\u4ee5\u53ca\u975e\u540c\u6b65\u7a0b\u5e8f\u547c\u53eb (APC)\u3002\u7531\u65bc\u9019\u4e9b\u6a5f\u5236\u5728\u4f7f\u7528\u6642\u90fd\u4e0d\u9700\u8981\u900f\u904e\u4efb\u4f55\u6a94\u6848\uff0c\u56e0\u6b64\u60e1\u610f\u7a0b\u5f0f\u53ef\u4ee5\u5728\u4e0d\u88ab\u5075\u6e2c\u7684\u72c0\u6cc1\u4e0b\u690d\u5165\u7cfb\u7d71\u4e2d\u3002<\/p>\n<p>\u6a94\u6848\u4e0b\u8f09\u7a0b\u5f0f\u6703\u5c07\u5176\u60e1\u610f\u7a0b\u5f0f\u78bc\u690d\u5165 Windows \u7528\u4f86\u57f7\u884c\u5404\u7a2e\u670d\u52d9\u7684 \u00a0<em>svchost.exe<\/em> \u7cfb\u7d71\u57f7\u884c\u7a0b\u5e8f\u7576\u4e2d\u3002\u6b64\u5916\uff0c\u5b83\u9084\u6703\u6aa2\u67e5 Windows \u7684\u7248\u672c\u53ca <em>win32k.sys<\/em> \u6a94\u6848\u7684\u65e5\u671f\u4f86\u78ba\u8a8d\u7cfb\u7d71\u662f\u5426\u542b\u6709\u6f0f\u6d1e\uff0c\u85c9\u6b64\u964d\u4f4e\u88ab\u5075\u6e2c\u7684\u98a8\u96aa\u3002<\/p>\n<p>\u9019\u9805\u6f0f\u6d1e\u53ef\u7528\u65bc\u8eb2\u907f\u5075\u6e2c\uff0c\u5c24\u5176\u662f\u80fd\u8eb2\u907f\u6c99\u76d2\u6a21\u64ec\u5206\u6790\u6280\u8853\u3002\u6b64\u5916\uff0c\u4ee5\u9019\u9805\u6838\u5fc3\u6f0f\u6d1e\u70ba\u57fa\u790e\u7684\u96b1\u85cf\u6280\u5de7\uff0c\u4e5f\u8b93\u5206\u6790\u548c\u6c99\u76d2\u6a21\u64ec\u6280\u5de7\u66f4\u96e3\u5075\u6e2c\u9019\u9805\u5a01\u8105\u3002\u6211\u5011\u5728\u5206\u6790\u60e1\u610f\u7a0b\u5f0f\u6a94\u6848\u6642\u767c\u73fe\u5b83\u5728\u9047\u5230\u65b0\u7248\u7684 Windows \u4f5c\u696d\u7cfb\u7d71\u6642\u53ef\u80fd\u6703\u6539\u7528\u5176\u4ed6\u6f0f\u6d1e\u3002<!--more--><\/p>\n<p><strong><em>Locky \u6a94\u6848\u4e0b\u8f09\u7a0b\u5f0f\u4ecb\u7d39<\/em><\/strong><\/p>\n<p>\u9664\u4e86\u4f7f\u7528\u7cfb\u7d71\u6838\u5fc3\u6f0f\u6d1e\u4e4b\u5916\uff0cTROJ_LOCKY.DLDRA \u9019\u500b\u60e1\u610f\u7a0b\u5f0f\u5728\u529f\u80fd\u4e0a\u8207\u5176\u4ed6\u6a94\u6848\u4e0b\u8f09\u7a0b\u5f0f\u7121\u7570\u3002\u4e0b\u5716\u6458\u8981\u986f\u793a\u6b64\u7a0b\u5f0f\u7684\u57f7\u884c\u6d41\u7a0b\uff1a<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2016\/04\/payload-anylysis.jpg\" width=\"974\" height=\"833\" \/><\/p>\n<p><em>\u5716 1\uff1a\u6a94\u6848\u4e0b\u8f09\u7a0b\u5f0f\u57f7\u884c\u6d41\u7a0b\u5716\u3002<\/em><\/p>\n<p>\u6839\u64da\u6211\u5011\u7684\u5206\u6790\uff0c\u6b64\u6a23\u672c\u63a1\u7528\u4e86\u591a\u9805\u53cd\u9664\u932f\u6280\u5de7\uff0c\u4ee5\u53ca\u65b0\u7684\u5305\u88dd\u65b9\u6cd5\u3002\u5305\u62ec\u52a0\u5bc6\u7684 API \u5b57\u4e32\u4ee5\u53ca\u5728\u57f7\u884c\u6642\u671f\u52d5\u614b\u7522\u751f API \u4f4d\u5740\u3002<\/p>\n<p>\u5176\u7236\u57f7\u884c\u7a0b\u5e8f (\u521d\u59cb\u57f7\u884c\u7a0b\u5e8f) \u9664\u4e86\u7522\u751f\u5b50\u57f7\u884c\u7a0b\u5e8f (\u5206\u652f\u57f7\u884c\u7a0b\u5f0f) \u4e26\u96a8\u6a5f\u7522\u751f\u6307\u4ee4\u5217\u53c3\u6578\u4e4b\u5916\uff0c\u4e26\u4e0d\u505a\u5176\u4ed6\u4e8b\u60c5\u3002\u5b50\u57f7\u884c\u7a0b\u5e8f\u63a5\u4e0b\u4f86\u6703\u5148\u6aa2\u67e5\u7576\u524d\u7684\u4f5c\u696d\u7cfb\u7d71\u7248\u672c\u4ee5\u78ba\u8a8d\u7cfb\u7d71\u662f\u5426\u5b58\u5728 <a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/exploring-cve-2015-1701-a-win32k-elevation-of-privilege-vulnerability-used-in-targeted-attacks\/\">CVE-2015-1701<\/a> \u6f0f\u6d1e\uff0c\u82e5\u6709\u4fbf\u958b\u59cb\u89f8\u767c\u6b64\u6f0f\u6d1e\u3002\u6b64\u6642\uff0c\u60e1\u610f\u7a0b\u5f0f\u6703\u5229\u7528\u7cfb\u7d71\u7684\u975e\u540c\u6b65\u7a0b\u5e8f\u547c\u53eb (APC) \u529f\u80fd\u8b93 \u00a0<em>svchost.exe <\/em>\u9023\u4e0a\u5176 C&amp;C \u4f3a\u670d\u5668\u4e26\u4e0b\u8f09 Locky \u52d2\u7d22\u8edf\u9ad4\u5230\u7cfb\u7d71\u4e0a\uff0c\u4e5f\u5c31\u662f\u8da8\u52e2\u79d1\u6280\u6240\u5075\u6e2c\u5230\u7684 \u00a0RANSOM_LOCKY.PUY \u60e1\u610f\u7a0b\u5f0f\u3002<\/p>\n<p><strong><em>\u6f0f\u6d1e\u89f8\u767c\u6a5f\u5236<\/em><\/strong><\/p>\n<p>\u5b50\u57f7\u884c\u7a0b\u5e8f\u4e00\u958b\u59cb\u57f7\u884c\uff0c\u9996\u5148\u6703\u6aa2\u67e5\u7576\u524d\u7684\u4f5c\u696d\u7cfb\u7d71\u7248\u672c\uff0c\u4ee5\u78ba\u8a8d\u524d\u8ff0\u6f0f\u6d1e\u662f\u5426\u5df2\u4fee\u88dc\u3002\u82e5\u672a\u4fee\u88dc\uff0c\u5c31\u89f8\u767c\u6b64\u6f0f\u6d1e\u3002\u82e5\u5df2\u4fee\u88dc\uff0c\u5b83\u4f9d\u7136\u9084\u662f\u6703\u9023\u4e0a C&amp;C \u4f3a\u670d\u5668\uff0c\u53ea\u662f\u6703\u6368\u68c4\u96b1\u85cf\u6280\u5de7\u3002<\/p>\n<p>\u70ba\u4e86\u89f8\u767c\u9019\u9805\u7cfb\u7d71\u6f0f\u6d1e\uff0c\u60e1\u610f\u7a0b\u5f0f\u6703\u5148\u8b93 <em>user32.dll!afnDispatch<\/em> \u7684\u51fd\u5f0f\u547c\u53eb\u8868\u4e2d <em>ClientCopyImage<\/em> \u51fd\u5f0f\u7684\u4f4d\u5740\u6307\u5411 <em>DetourClientCopyImage<\/em> \u51fd\u5f0f\u7684\u4f4d\u5740\u3002\u7531\u65bc Microsoft \u63d0\u4f9b\u4e86\u53cd\u5411\u547c\u53eb (callback) \u529f\u80fd\uff0c\u56e0\u6b64\u9019\u500b API \u51fd\u5f0f\u6703\u5728 <em>USER32!CreateWindowEx<\/em> \u51fd\u5f0f\u57f7\u884c\u6642\u88ab\u547c\u53eb\u3002<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2016\/04\/fig2_CVE-2016-1019-1-440x247.jpg\" width=\"440\" height=\"247\" \/><\/p>\n<p><em>\u5716 2\uff1aDetourClientCopyImage \u793a\u610f\u7a0b\u5f0f\u78bc\u3002<\/em><\/p>\n<p>\u7576 <em>SetWindowLongA<\/em> \u51fd\u5f0f\u57f7\u884c\u6642\uff0c<em>Fake_WinProc_exploit_403A90 <\/em>(\u5167\u542b\u60e1\u610f\u7a0b\u5f0f\u78bc) \u5c31\u6703\u5728\u7cfb\u7d71\u6838\u5fc3\u7684\u6b0a\u9650\u4e0b\u57f7\u884c (\u539f\u672c\u4e0d\u8a72\u5982\u6b64)\u3002<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2016\/04\/fig3_code.jpg\" width=\"532\" height=\"586\" \/><\/p>\n<p><em>\u5716 3\uff1aBeginExploit_403C42 \u793a\u610f\u7a0b\u5f0f\u78bc\uff0c\u5167\u542b\u89f8\u767c\u6f0f\u6d1e\u7684\u7a0b\u5f0f\u78bc\u3002<\/em><\/p>\n<p>\u4e0a\u5716\u4e2d\u7684\u793a\u610f\u7a0b\u5f0f\u78bc\u986f\u793a\u60e1\u610f\u7a0b\u5f0f\u5982\u4f55\u85c9\u7531<em>CreateWindowExA<\/em> \u51fd\u5f0f\u4f86\u89f8\u767c CVE-2015-1701 \u6f0f\u6d1e\u3002<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2016\/04\/fig4_CVE-2016-1019.jpg\" width=\"720\" height=\"436\" \/><\/p>\n<p><em>\u5716 4\uff1a\u4f7f\u7528\u8005\u6a21\u5f0f\u4e2d\u7684\u60e1\u610f\u7a0b\u5f0f\u78bc\u5728\u7cfb\u7d71\u6838\u5fc3\u7576\u4e2d\u57f7\u884c\u6642\u7684\u5806\u758a\u5167\u5bb9\u3002<\/em><\/p>\n<p>\u4e0a\u5716\u7684\u5806\u758a\u5167\u5bb9\u986f\u793a\u9810\u5148\u5b89\u6392\u5728 <em>Fake_WinProc_exploit_403A90<\/em> \u51fd\u5f0f\u4e2d\u7684\u4f7f\u7528\u8005\u6a21\u5f0f\u60e1\u610f\u7a0b\u5f0f\u78bc\u5982\u4f55\u900f\u904e <em>win32k!xxxSendMessage<\/em> \u51fd\u5f0f\u547c\u53eb\u5728\u6838\u5fc3\u6a21\u5f0f\u4e2d\u57f7\u884c\u3002<\/p>\n<p><strong><em>\u6f0f\u6d1e\u653b\u64ca\u6280\u5de7<\/em><\/strong><\/p>\n<p>\u5728\u89f8\u767c\u7cfb\u7d71\u6838\u5fc3\u6f0f\u6d1e\u4e4b\u5f8c\uff0c\u6a94\u6848\u4e0b\u8f09\u7a0b\u5f0f\u5c31\u6703\u5229\u7528\u5404\u7a2e\u6280\u5de7\u4f86\u96b1\u85cf\u5176\u60e1\u610f\u884c\u70ba\u3002\u5982\u5716 1 \u6240\u793a\uff0c\u88ab\u89f8\u767c\u7684\u7cfb\u7d71\u6838\u5fc3\u6f0f\u6d1e\u6703\u5148\u5f9e\u5b50\u8655\u7406\u7a0b\u5e8f\u7a7a\u9593\u5229\u7528 <em>nt!ExQueueWorkItem<\/em> \u5c07\u60e1\u610f\u7684\u5de5\u4f5c\u9805\u76ee\u6392\u5165\u4f47\u5217\u3002\u7cfb\u7d71\u6703\u7ba1\u7406\u53ca\u6392\u7a0b\u9019\u4e9b\u5de5\u4f5c\u9805\u76ee\u4f86\u63d0\u5347\u6548\u80fd\u3002<\/p>\n<p>\u7576\u60e1\u610f\u7a0b\u5f0f\u7684\u5de5\u4f5c\u9805\u76ee\u88ab\u6392\u7a0b\u57f7\u884c\u7dd2\u547c\u53eb\u6642\uff0c\u5b83\u6703\u641c\u5c0b\u7cfb\u7d71\u4e2d\u7684\u6240\u6709\u57f7\u884c\u7a0b\u5e8f\u4f86\u5c0b\u627e\u4e00\u500b\u547d\u4ee4\u5217\u7576\u4e2d\u542b\u6709\u300c<em>\u2013k netsvcs<\/em>\u300d\u53c3\u6578\u7684 \u00a0<em>svchost.exe<\/em> \u57f7\u884c\u7a0b\u5e8f\u3002\u63a5\u8457\u5b83\u6703\u9644\u8457\u5230\u9019\u500b\u57f7\u884c\u7a0b\u5e8f\uff0c\u7136\u5f8c\u5206\u914d\u8a18\u61b6\u9ad4\u4e26\u8907\u88fd\u5176\u60e1\u610f\u7a0b\u5f0f\u78bc\uff0c\u6700\u5f8c\u767c\u51fa\u4e00\u500b\u4f7f\u7528\u8005\u6a21\u5f0f\u7684 APC \u7d66\u9019\u500b\u57f7\u884c\u7a0b\u5e8f\u3002<\/p>\n<p>\u5728\u8a2d\u8a08\u4e0a\uff0c\u4f7f\u7528\u8005\u6a21\u5f0f\u7684 APC \u53ea\u80fd\u5728\u6307\u5b9a\u7684\u8655\u7406\u7a0b\u5e8f\/\u57f7\u884c\u7dd2\u4e4b\u4e0b\u6216\u662f <em>svchost<\/em> \u57f7\u884c\u7a0b\u5e8f\u4e4b\u4e0b\u57f7\u884c (\u5982\u6b64\u4f8b)\u3002\u7576 <em>svchost<\/em>\u00a0 \u57f7\u884c\u7a0b\u5e8f\u906d\u5230\u60e1\u610f APC \u99ed\u5165\u6642\uff0c\u5c31\u6703\u5728\u5176\u57f7\u884c\u7a7a\u9593\u7576\u4e2d\u7522\u751f\u4e00\u500b\u65b0\u7684\u57f7\u884c\u7dd2\u3002\u9019\u500b\u65b0\u7684\u57f7\u884c\u7dd2\u63a5\u8457\u5229\u7528\u7279\u6b8a\u7684 API \u547c\u53eb\u4e0b\u8f09\u5176\u4ed6\u60e1\u610f\u7a0b\u5f0f\u3002<\/p>\n<p><em>\u5716 5\uff1a\u7576\u9060\u7aef\u7522\u751f\u7684\u57f7\u884c\u7dd2\u5728 svchost \u57f7\u884c\u7a0b\u5e8f\u7576\u4e2d\u9023\u7dda\u81f3 C&amp;C \u4f3a\u670d\u5668\u6642\u7684\u5806\u758a\u72c0\u6cc1\u3002<\/em><\/p>\n<p><strong><em>\u53cd\u5236\u63aa\u65bd<\/em><\/strong><\/p>\n<p>\u9019\u500b\u6a94\u6848\u4e0b\u8f09\u7a0b\u5f0f\u904b\u7528\u4e86\u8907\u96dc\u7d30\u81a9\u7684\u6280\u5de7\u4f86\u9023\u4e0a\u5176 C&amp;C \u4f3a\u670d\u5668\u3002\u6211\u5011\u76f8\u4fe1\u9019\u662f\u70ba\u4e86\u5c07\u5176\u60e1\u610f\u884c\u70ba\u96b1\u85cf\u5728\u770b\u4f3c\u6b63\u5e38\u7684\u7cfb\u7d71\u6d3b\u52d5\u7576\u4e2d\u4ee5\u8eb2\u907f\u767d\u540d\u55ae\u6216\u5176\u4ed6\u9632\u79a6\u6a5f\u5236\u3002<\/p>\n<p>\u7cfb\u7d71\u6838\u5fc3\u6f0f\u6d1e\u4ee5\u53ca\u76f8\u95dc\u7684\u884c\u70ba\u76f8\u5c0d\u8f03\u5c11\u53d7\u5230\u95dc\u6ce8\u3002\u9019\u500b\u6a94\u6848\u4e0b\u8f09\u7a0b\u5f0f\u5f88\u53ef\u80fd\u5c31\u662f\u56e0\u70ba\u9019\u6a23\u624d\u63a1\u7528\u9019\u985e\u6280\u5de7\u3002\u6b64\u5916\uff0c\u50cf\u9019\u6a23\u5229\u7528\u7cfb\u7d71\u6838\u5fc3\u6a5f\u5236 (\u5de5\u4f5c\u9805\u76ee\u3001APC\u3001\u7cfb\u7d71\u57f7\u884c\u7dd2) \u7684\u6280\u5de7\u901a\u5e38\u4e0d\u5728\u8cc7\u5b89\u9632\u79a6\u7684\u76e3\u63a7\u7bc4\u570d\u5167\u3002\u4e0d\u50c5\u5982\u6b64\uff0c\u9019\u7a2e\u6280\u5de7\u7684\u96e3\u5ea6\u4e5f\u76f8\u7576\u9ad8\uff0c\u56e0\u70ba\u9019\u4e9b\u6a5f\u5236\u7684\u8cc7\u6599\u7d50\u69cb\u7d93\u5e38\u8b8a\u52d5\uff0c\u800c\u4e14\u53ea\u51fa\u73fe\u5728\u57f7\u884c\u6642\u671f\u3002<\/p>\n<p>\u53e6\u4e00\u65b9\u9762\uff0c\u5c0d\u5916\u9023\u7dda\u5c0d\u65bc <em>svchost<\/em> \u57f7\u884c\u7a0b\u5e8f\u4f86\u8aaa\u662f\u5b8c\u5168\u6b63\u5e38\u7684\u52d5\u4f5c\uff0c\u56e0\u70ba\u8a72\u57f7\u884c\u7a0b\u5e8f\u5c31\u662f\u5c08\u9580\u7528\u4f86\u70ba Microsoft \u5176\u4ed6\u57f7\u884c\u7a0b\u5e8f\u63d0\u4f9b\u5404\u985e\u670d\u52d9\u3002\u56e0\u6b64\uff0c\u5c07\u7db2\u8def\u6d41\u91cf\u96b1\u85cf\u5728\u6b64\u8655\u53ef\u8aaa\u662f\u842c\u7121\u4e00\u5931\u3002<\/p>\n<p>\u6211\u5011\u5f37\u70c8\u5efa\u8b70\u4f7f\u7528\u8005\u5c07\u7cfb\u7d71\u4e0a\u7684 Adobe Flash Player \u66f4\u65b0\u5230\u6700\u65b0\u7248\u672c\u3002\u4fdd\u6301\u8edf\u9ad4\u66f4\u65b0\u662f\u9632\u7bc4\u6f0f\u6d1e\u653b\u64ca\u3001\u4fdd\u969c\u7cfb\u7d71\u5b89\u5168\u7684\u65b9\u5f0f\u4e4b\u4e00\u3002\u9664\u6b64\u4e4b\u5916\uff0c\u60a8\u6700\u597d\u662f\u96a8\u6642\u5099\u4efd\u8cc7\u6599\uff0c\u4e26\u4e14\u4e0d\u8981\u652f\u4ed8\u4efb\u4f55\u8d16\u91d1\uff0c\u56e0\u70ba\u5c31\u7b97\u652f\u4ed8\u8d16\u91d1\u4e5f\u7121\u6cd5\u4fdd\u8b49\u80fd\u6551\u56de\u6a94\u6848\u3002<\/p>\n<p>\u8da8\u52e2\u79d1\u6280\u7684 \u00a0<a href=\"https:\/\/t.rend.tw\/?i=Mzc4MQ\">\u8da8\u52e2\u79d1\u6280Deep Security<\/a>\u00a0 \u548c <a href=\"https:\/\/t.rend.tw\/?i=Mzg2Mw\">Vulnerability Protection<\/a> \u00a0 \u53ef\u5229\u7528\u4e0b\u5217\u6df1\u5c64\u5c01\u5305\u6aa2\u67e5 (DPI) \u898f\u5247\u4f86\u9632\u6b62\u5229\u7528\u524d\u8ff0\u6f0f\u6d1e\u653b\u64ca\uff1a<\/p>\n<ul>\n<li>1007572 \u2013 Adobe Flash Player Remote Code Execution Vulnerability (\u9060\u7aef\u6307\u4ee4\u57f7\u884c\u6f0f\u6d1e) (CVE-2016-1019)<\/li>\n<\/ul>\n<p>TippingPoint \u5ba2\u6236\u53ef\u900f\u904e\u4e0b\u5217 MainlineDV \u904e\u6ffe\u898f\u5247\u4f86\u9632\u7bc4\u5229\u7528 CVE-2016-1019 \u6f0f\u6d1e\u7684\u653b\u64ca\uff1a<\/p>\n<ul>\n<li>24253: HTTP: Adobe Flash FileReference Type Confusion Vulnerability (\u6a94\u6848\u53c3\u7167\u985e\u578b\u6df7\u6dc6\u6f0f\u6d1e)<\/li>\n<\/ul>\n<p><a href=\"https:\/\/t.rend.tw\/?i=Mzc4MQ\">\u8da8\u52e2\u79d1\u6280Deep Security<\/a>\u00a0 \u7d93\u5e38\u80fd\u5728\u4e0d\u9700\u66f4\u65b0\u7684\u72c0\u6cc1\u4e0b\u5075\u6e2c\u96f6\u6642\u5dee\u653b\u64ca\u3002\u8da8\u52e2\u79d1\u6280\u7684\u5404\u9805\u7aef\u9ede\u9632\u8b77\u7522\u54c1\uff0c\u5305\u62ec\uff1a<a href=\"https:\/\/t.rend.tw\/?i=MzY1Mg\">\u8da8\u52e2\u79d1\u6280PC-cillin\u96f2\u7aef\u7248<\/a>\u3001<a href=\"https:\/\/www.trendmicro.tw\/tw\/business\/complete-software-protection\/index.html\">\u8da8\u52e2\u79d1\u6280 Smart Protection Suites<\/a> \u4ee5\u53ca<a href=\"https:\/\/t.rend.tw\/?i=NDI1OA==\">Worry-Free Pro<\/a>\u90fd\u80fd\u6709\u6548\u5075\u6e2c <a href=\"https:\/\/blog.trendmicro.com.tw\/?p=16651\">Locky\u52d2\u7d22\u8edf\u9ad4<\/a>\u7684\u60e1\u610f\u6a94\u6848\uff0c\u4fdd\u8b77\u4f7f\u7528\u8005\u7cfb\u7d71\u3002<\/p>\n<p>\u4ee5\u4e0b\u662f\u6b64\u653b\u64ca\u76f8\u95dc\u7684 SHA1 \u96dc\u6e4a\u78bc\uff1a<\/p>\n<ul>\n<li>FED07EC9CDE2A7B1581F192644CFA03D680A6245<\/li>\n<\/ul>\n<p>\u539f\u6587\u51fa\u8655\uff1a <a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/locky-ransomware-spreads-flash-windows-kernel-exploits\/\">Locky Ransomware Spreads via Flash and Windows Kernel Exploits<\/a>\u00a0\u4f5c\u8005\uff1aMoony Li \u53ca \u00a0Hugo Cao<br \/>\n<strong>\u5ef6\u4f38\u95b1\u8b80:<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>\u2605\u91dd\u5c0d\u4f01\u696d\u7528\u6236,<a href=\"https:\/\/t.rend.tw\/?i=NDI4NA==\">\u8da8\u52e2\u79d1\u6280\u7aef\u9ede\u89e3\u6c7a\u65b9\u6848<\/a>\u4ea6\u53ef\u4ee5\u5075\u6e2c\u52d2\u7d22\u8edf\u9ad4<\/p>\n<p><a href=\"https:\/\/t.rend.tw\/?i=NDI4NA==\" rel=\"attachment wp-att-17378\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-17378\" src=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2016\/04\/ransomware-banner.jpg\" alt=\"ransomware banner\" width=\"880\" height=\"300\" srcset=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2016\/04\/ransomware-banner.jpg 880w, https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2016\/04\/ransomware-banner-300x102.jpg 300w, https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2016\/04\/ransomware-banner-768x262.jpg 768w, https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2016\/04\/ransomware-banner-600x205.jpg 600w, https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2016\/04\/ransomware-banner-800x273.jpg 800w\" sizes=\"(max-width: 880px) 100vw, 880px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/t.rend.tw\/?i=NDIwOQ\">\u2605\u4f60\u4ed8\u9322\u4e86\u55ce?\u5225\u8b93\u6a94\u6848\u7576\u8089\u7968!\u52d2\u7d22\u8edf\u9ad4\u5e38\u898b\u554f\u984c\u96c6<br \/>\n<\/a><a href=\"https:\/\/t.rend.tw\/?i=NDIwOQ\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2016\/03\/ransomware-FAQ.png\" alt=\"\" \/><\/a><a href=\"https:\/\/t.rend.tw\/?i=Mzg2MA\"><br \/>\n<\/a><br \/>\n<strong>\u5982\u4f55\u9632\u79a6\u52d2\u7d22\u8edf\u9ad4<\/strong><strong>?<\/strong><br \/>\n<a href=\"https:\/\/t.rend.tw\/?i=NDEwMQ\">\u2605\u7262\u8a18\u56db\u6b65\u9a5f\u548c&#8221;\u4e09\u4e0d\u4e09\u8981&#8221;\u53e3\u8a23<\/a><br \/>\n\u3010\u4e00\u822c\u7528\u6236\u3011<br \/>\n<a href=\"https:\/\/t.rend.tw\/?i=NDIxMA\">\u2605\u4f7f\u7528\u8da8\u52e2\u79d1\u6280PC-cillin 2016\u5c0d\u6297\u52d2\u7d22\u8edf\u9ad4<\/a><br \/>\n\u3010\u4f01\u696d\u7528\u6236\u3011<br \/>\n<a href=\"https:\/\/t.rend.tw\/?i=NDIwOA\">\u2605\u8da8\u52e2\u79d1\u6280\u7aef\u9ede\u89e3\u6c7a\u65b9\u6848<\/a><br \/>\n<a href=\"https:\/\/t.rend.tw\/?i=NDIwNw\">\u2605\u4e2d\u5c0f\u4f01\u696d\u5982\u4f55\u9632\u79a6\u52a0\u5bc6\u52d2\u7d22\u8edf\u9ad4?<\/a><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>PC-cillin 2016\u96f2\u7aef\u7248\u5df2\u6709\u589e\u52a0\u5c0d<a href=\"https:\/\/blog.trendmicro.com.tw\/?p=12412\">\u52d2\u7d22\u8edf\u9ad4 Ransomware<\/a>\u52a0\u5bc6\u884c\u70ba\u7684\u9632\u8b77\u6a5f\u5236\uff0c\u53ef\u9810\u9632\u6a94\u6848\u88ab\u52d2\u7d22\u8edf\u9ad4\u60e1\u610f\u52a0\u5bc6<\/p>\n<p><a href=\"https:\/\/t.rend.tw\/?i=Mzc4Nw\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-13631\" src=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2015\/08\/Windows10Banner-540x90v5.gif\" alt=\"Windows10Banner-540x90v5\" width=\"540\" height=\"90\" \/><\/a><\/p>\n<p><a href=\"https:\/\/t.rend.tw\/?i=MzQ4NA\">\u8da8\u52e2\u79d1\u6280PC-cillin\u96f2\u7aef\u7248<\/a> \uff0c\u69ae\u7372 AV-TEST \u300c\u6700\u4f73\u9632\u8b77\u300d\u734e,\u9818\u514828 \u6b3e\u5bb6\u7528\u8cc7\u5b89\u7522\u54c1\u9632\u6bd2\u8edf\u9ad4 ,\u53ef\u8de8\u5e73\u53f0\u540c\u6642\u652f\u63f4\u5b89\u88dd\u65bcWindows\u3001Mac\u96fb\u8166\u53caAndroid\u3001iOS \u667a\u6167\u578b\u624b\u6a5f\u8207\u5e73\u677f\u96fb\u8166\uff0c\u63a1\u7528\u5168\u7403\u7368\u5bb6\u8da8\u52e2\u79d1\u6280\u300c\u4e3b\u52d5\u5f0f\u96f2\u7aef\u622a\u6bd2\u6280\u8853\u300d\uff0c\u4ee5\u9818\u5148\u696d\u754c\u5e73\u5747 50 \u500d\u7684\u901f\u5ea6\u9632\u79a6\u60e1\u610f\u5a01\u8105\uff01\u5373\u523b<a href=\"https:\/\/t.rend.tw\/?i=Mzc4NQ\">\u514d\u8cbb\u4e0b\u8f09<\/a><\/p>\n<p style=\"font-size: 8pt;\">\u300a \u60f3\u4e86\u89e3\u66f4\u591a\u95dc\u65bc\u7db2\u8def\u5b89\u5168\u7684\u79d8\u8a23\u548c\u5efa\u8b70\uff0c\u53ea\u8981\u5230<a href=\"https:\/\/www.facebook.com\/trendmicrotaiwan\">\u8da8\u52e2\u79d1\u6280\u7c89\u7d72\u7db2\u9801<\/a> \u6216\u4e0b\u9762\u7684\u6309\u9215\u6309\u8b9a \u300b<\/p>\n<p><iframe loading=\"lazy\" style=\"border: none; overflow: hidden; width: 350px; height: 62px;\" src=\"https:\/\/www.facebook.com\/plugins\/likebox.php?id=255176705131&amp;width=350&amp;connections=0&amp;stream=false&amp;header=false&amp;height=62\" width=\"300\" height=\"150\" frameborder=\"0\" scrolling=\"no\"><\/iframe><\/p>\n<p style=\"font-size: 8pt;\"><b><\/b>\u300a\u63d0\u9192\u300b\u5c07\u6ed1\u9f20\u6e38\u6a19\u79fb\u52d5\u5230\u7c89\u7d72\u9801\u53f3\u4e0a\u65b9\u7684<strong>\u300c\u5df2\u8aaa\u8b9a\u300d<\/strong>\u6b04\u4f4d\uff0c\u52fe\u9078<strong>\u300c\u6436\u5148\u770b\u300d<\/strong>\u9078\u9805<strong>,<\/strong>\u6700\u65b0\u8cbc\u6587\u5c31\u6703\u512a\u5148\u986f\u793a\u5728\u52d5\u614b\u6d88\u606f\u9802\u7aef\uff0c\u8b93\u4f60\u4e0d\u6703\u932f\u904e\u4efb\u4f55\u66f4\u65b0\u3002<br \/>\n*\u624b\u6a5f\u7248\u76f4\u63a5\u524d\u5f80\u5c08\u9801\u9996\u9801\uff0c\u4e0b\u62c9\u8ffd\u8e64\u4e2d\uff0c\u5c31\u80fd\u5c07\u7c89\u7d72\u5c08\u9801\u8a2d\u5b9a\u6436\u5148\u770b\u3002<\/p>\n<p>&nbsp;<\/p>\n<p style=\"font-size: 8pt;\">\u25bc \u6b61\u8fce\u52a0\u5165\u8da8\u52e2\u79d1\u6280\u793e\u7fa4\u7db2\u7ad9\u25bc<br \/>\n<strong><br \/>\n<\/strong><strong><a href=\"https:\/\/line.me\/ti\/p\/%40fgt4590r\"><img loading=\"lazy\" decoding=\"async\" class=\"\" src=\"https:\/\/biz.line.naver.jp\/line_business\/img\/btn\/addfriends_zh-Hant.png\" alt=\"\u597d\u53cb\u4eba\u6578\" width=\"89\" height=\"30\" border=\"0\" \/><\/a> <\/strong><a href=\"https:\/\/www.trendmicro.com.tw\/edm\/Tracking.asp?id=2762&amp;name=20111213\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2015\/08\/eNews_images_2015_0161.gif\" alt=\"\" \/><\/a> <a href=\"https:\/\/www.trendmicro.com.tw\/edm\/Tracking.asp?id=2764&amp;name=20111213\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2015\/08\/eNews_images_2015_0171.gif\" alt=\"\" \/><\/a> <a href=\"https:\/\/www.trendmicro.tw\/tw\/\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2015\/08\/eNews_images_2015_0131.gif\" alt=\"\" \/><\/a> <a href=\"https:\/\/esupport.trendmicro.com\/zh-tw\/business\/default.aspx\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2015\/08\/eNews_images_2015_0141.gif\" alt=\"\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u4eca\u5e74\u56db\u6708\u521d\uff0cAdobe Flash Player \u51fa\u73fe\u4e86\u4e00\u500b\u00a0\u96f6\u6642\u5dee\u6f0f\u6d1e \u00a0(CVE-2016-1019)\u3002\u6b64 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_wpscppro_dont_share_socialmedia":false,"_wpscppro_custom_social_share_image":0,"_facebook_share_type":"","_twitter_share_type":"","_linkedin_share_type":"","_pinterest_share_type":"","_linkedin_share_type_page":"","_instagram_share_type":"","_medium_share_type":"","_threads_share_type":"","_google_business_share_type":"","_selected_social_profile":[],"_wpsp_enable_custom_social_template":false,"_wpsp_social_scheduling":{"enabled":false,"datetime":null,"platforms":[],"status":"template_only","dateOption":"today","timeOption":"now","customDays":"","customHours":"","customDate":"","customTime":"","schedulingType":"absolute"},"_wpsp_active_default_template":true},"categories":[2266],"tags":[2647,2734,2559,298,452],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/17708"}],"collection":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=17708"}],"version-history":[{"count":0,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/17708\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=17708"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=17708"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=17708"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}