1.php APT group: attack campaign assessment - By nEINEI Time: 2011-12-12

1) Initial access exploits N-day/1-day vulnerabilities; in the latter stage a phishing email delivers a download of an executable trojan file, which takes control of the target computer and then downloads further control components.
2) The downloaded trojan is the Poison Ivy RAT.
3) The primary objective is information theft.

Symptoms

C:\DOCUME~1\~1\LOCALS~1\Temp\\~$RD5918.tmp (successful)
C:\DOCUME~1\~1\LOCALS~1\Temp\16952bc60a64af478fd7fd74bfb662b2f2c26cebc515cf4d17adeed90da6cf06 (successful)
\\.\PIPE\wkssvc (successful)
\\.\PIPE\lsarpc (successful)
\\.\MountPointManager (successful)
C:\WINDOWS\Registration\R000000000007.clb (successful)
c:\docume~1\~1\37324.tmp (successful)
C:\WINDOWS\system32\reg.exe (successful)
\\.\LPRS (successful)
C:\DOCUME~1\~1\LOCALS~1\Temp\\~$RD5918.tmp (successful)
reg add hklm\SYSTEM\CurrentControlSet\Services\secdrv /v imagepath /t REG_EXPAND_SZ /d \??\c:\docume~1\~1\37324.dat /f (successful)
reg add hklm\SYSTEM\CurrentControlSet\Services\secdrv /v imagepath /t REG_EXPAND_SZ /d system32\DRIVERS\Secdrv.sys /f (successful)
C:\Program Files\Internet Explorer\IEXPLORE.EXE (successful)

Related sample information:

052E62513505A25CCFADF900A052709C
B0EECA383A7477EE689EC807B775EBBB
5B90896127179F0AD2E6628593CDB60D

Minimal closed attack sample:

RAT B0EECA383A7477EE689EC807B775EBBB = 8192 bytes.

Attack capability calculation:

k = 2 (within the normal range of understanding)
a = 3 (no user interaction)
s = 1 (mainly phishing email)
m = 2 (conventional methods, plus more than three years of remaining hidden before discovery)
p = 1 (attacks 1 platform)
x = 2 (N-day/1-day vulnerabilities: CVE-2009-4324, CVE-2010-2883)
c = size of the minimal closed attack sample in KB (8192/1024)

Attack capability = (a+s+m+p)^(k) * (1+x)^2 + c

AT = (3 + 1 + 2 + 1)^2 * (1 + 2)^2 + (8192/1024)
   = 7^2 * 3^2 + 8
   = 449
   ==> 449*1000/1279625 (1T attack-capability unit) = 0.351T

References:

1. http://www.zscaler.com/pdf/technicalbriefs/tb_advanced_persistent_threats.pdf
2. "On the Nature of Advanced Threats and the Quantification of Attack Capability" - www.vxjump.net/files/aptr/aptr.txt
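The most telling lines in the Symptoms list above are the two reg add commands: the secdrv service ImagePath is first pointed at a .dat file under the user profile and then restored to the legitimate system32\DRIVERS\Secdrv.sys, a set-then-restore pattern that a per-event rule misses. The following is an added detection example, not code from the report or its author; it parses the report's own symptom lines (embedded here as the sample input), flags any service ImagePath written to a non-system location, and flags a service whose ImagePath is rewritten and ends on a system path. The SYSTEM_PREFIXES list is an assumption standing in for a real environment's resolution of %SystemRoot%.

```python
import re

# Sample input: the sandbox observations from the report's "Symptoms" section.
SYMPTOMS = [
    r"C:\DOCUME~1\~1\LOCALS~1\Temp\\~$RD5918.tmp (successful)",
    r"C:\DOCUME~1\~1\LOCALS~1\Temp\16952bc60a64af478fd7fd74bfb662b2f2c26cebc515cf4d17adeed90da6cf06 (successful)",
    r"\\.\PIPE\wkssvc (successful)",
    r"\\.\PIPE\lsarpc (successful)",
    r"\\.\MountPointManager (successful)",
    r"C:\WINDOWS\Registration\R000000000007.clb (successful)",
    r"c:\docume~1\~1\37324.tmp (successful)",
    r"C:\WINDOWS\system32\reg.exe (successful)",
    r"\\.\LPRS (successful)",
    r"reg add hklm\SYSTEM\CurrentControlSet\Services\secdrv /v imagepath /t REG_EXPAND_SZ /d \??\c:\docume~1\~1\37324.dat /f (successful)",
    r"reg add hklm\SYSTEM\CurrentControlSet\Services\secdrv /v imagepath /t REG_EXPAND_SZ /d system32\DRIVERS\Secdrv.sys /f (successful)",
    r"C:\Program Files\Internet Explorer\IEXPLORE.EXE (successful)",
]

# Matches "reg add hklm\SYSTEM\CurrentControlSet\Services\<svc> /v imagepath /t <type> /d <path>".
REG_IMAGEPATH = re.compile(
    r"^reg add\s+hklm\\SYSTEM\\CurrentControlSet\\Services\\(?P<svc>[^\\\s]+)"
    r"\s+/v\s+imagepath\s+/t\s+\S+\s+/d\s+(?P<path>\S+)",
    re.IGNORECASE,
)

# Assumption: locations a driver/service binary is expected to live in. A real
# deployment would resolve %SystemRoot% and compare canonical paths instead.
SYSTEM_PREFIXES = ("system32\\", "\\systemroot\\", "c:\\windows\\")


def normalize(path):
    """Lower-case the path and strip the NT object-manager prefix \\??\\ so that
    '\\??\\c:\\...' and 'c:\\...' compare equal."""
    p = path.lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p


def is_system_path(path):
    p = normalize(path)
    return any(p.startswith(prefix) for prefix in SYSTEM_PREFIXES)


def imagepath_events(lines):
    """Extract (service, new ImagePath) pairs from reg add lines, in order."""
    events = []
    for line in lines:
        m = REG_IMAGEPATH.match(line.strip())
        if m:
            events.append((m.group("svc").lower(), normalize(m.group("path"))))
    return events


def find_suspicious(lines):
    """Return a list of human-readable findings for the given sandbox lines."""
    findings = []
    events = imagepath_events(lines)

    # Rule 1: a service binary pointed outside the system directories.
    for svc, path in events:
        if not is_system_path(path):
            findings.append(f"service {svc}: ImagePath set to non-system path {path}")

    # Rule 2: ImagePath rewritten more than once and ending on a system path,
    # i.e. a malicious binary was loaded and the original value then put back.
    by_svc = {}
    for svc, path in events:
        by_svc.setdefault(svc, []).append(path)
    for svc, paths in by_svc.items():
        if len(paths) > 1 and not is_system_path(paths[0]) and is_system_path(paths[-1]):
            findings.append(
                f"service {svc}: ImagePath rewritten {len(paths)} times, ending on "
                f"system path {paths[-1]} (set-then-restore)"
            )
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SYMPTOMS):
        print(finding)
```

Run against the report's lines this yields two findings for secdrv: the write to \??\c:\docume~1\~1\37324.dat and the set-then-restore sequence. The second rule is the one worth keeping in a sandbox post-processor, because after the restore the registry looks clean and only the event sequence shows that a foreign driver was loaded.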
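The attack capability formula above is reproduced here as an added example (not code from the report or from aptr.txt) so the arithmetic and the weight of each term can be checked; the factor values are the ones the report assigns to the 1.php group, and the 1T divisor 1279625 is taken from the report as given. The breakdown function is an addition that shows which of the multiplicative terms dominates the score.

```python
# Divisor the report uses to express a raw score in "T" attack-capability units.
T_UNIT = 1279625


def attack_capability(k, a, s, m, p, x, sample_bytes):
    """Raw score AT = (a+s+m+p)^k * (1+x)^2 + c, with c = sample size in KB."""
    c = sample_bytes / 1024
    return (a + s + m + p) ** k * (1 + x) ** 2 + c


def to_t_units(at, t_unit=T_UNIT):
    """Normalize a raw score to T units as the report does: AT*1000/t_unit."""
    return at * 1000 / t_unit


def breakdown(k, a, s, m, p, x, sample_bytes):
    """Return the three additive/multiplicative contributions separately so a
    reader can see which factor drives the score."""
    base = (a + s + m + p) ** k
    vuln = (1 + x) ** 2
    c = sample_bytes / 1024
    return {"base_term": base, "vuln_term": vuln, "product": base * vuln, "c": c}


# Factor values assigned to the 1.php group in the report.
FACTORS_1PHP = dict(k=2, a=3, s=1, m=2, p=1, x=2, sample_bytes=8192)

if __name__ == "__main__":
    at = attack_capability(**FACTORS_1PHP)
    print(f"AT = {at:.0f}  ->  {to_t_units(at):.3f}T")
    print(breakdown(**FACTORS_1PHP))
```

With the report's values this gives AT = 449 and 0.351T. The breakdown makes the shape of the model visible: the interaction/stealth/platform term (49) and the vulnerability term (9) multiply to 441, while the sample size adds only 8, so payload size barely moves the score and the exponent k is the most sensitive input.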