研究调研 – 第 26 页 – 绿盟科技技术博客

恶意样本分析手册——理论篇

2017-03-28李东宏Windows内核加载器, 中断异常处理, 函数调用约定, 大小端模式, 恶意样本分析, 文件格式, 样本分析手册, 流程控制语句的识别, 调试器的原理, 进制转换, 逻辑运算1 Comment

在计算机系统中，我们是以字节为单位的，每个地址单元都对应着一个字节，一个字节为 8bit。但是在C语言中除了8bit的char之外，还有16bit的short型，32bit的long型（要看具体的编译器），另外，对于位数大于 8位的处理器，例如16位或者32位的处理器，由于寄存器宽度大于一个字节，那么必然存在着一个如何将多个字节安排的问题。

Microsoft Windows Server 2003 R2 IIS 6.0远程代码执行技术分析与防护方案

2017-03-28田泽夏IIS 6.0远程代码执行漏洞, Microsoft Windows Server 2003 R2 IIS 6.0 漏洞, Microsoft Windows Server 2003 R2 IIS 6.0远程代码执行, Microsoft Windows Server 2003 漏洞, R2 IIS 6.0远程代码执行漏洞, Windows Server 2003 漏洞

3月27日，Zhiniang Peng 和Chen Wu发布了关于IIS 6.0 WebDAV远程代码执行的漏洞信息（CVE-2017-7269，CNNVD-201703-1151）。该漏洞源于Microsoft Windows Server 2003 R2的IIS 6.0 中WebDAV 服务下ScStoragePathFromUrl函数存在缓冲区溢出漏洞。如果一个PROPFIND请求中包含以”If: <http://”开头的超长头部，将触发一个缓冲区溢出漏洞，攻击者可以利用此漏洞远程执行任意代码，此利用方法和2016年7-8月份爆出的方法一致。

2017网络安全威胁3月月报

2017-03-24陈颐欢DDoS攻击, ddos攻击事件, 安全会议, 绿盟科技博客, 绿盟科技漏洞库, 网络安全威胁月报, 高危漏洞

绿盟科技网络安全威胁周报及月报系列，旨在简单而快速有效的传递安全威胁态势，呈现重点安全漏洞、安全事件、安全技术。

Apache Struts 2 Remote Code Execution Vulnerability (S2-046) Technical Analysis and Solution

2017-03-23蒋红梅Apache Struts 2 Remote Code Execution Vulnerability, Apache Struts 2 Vulnerability, EnglishVersion, Remote Code Execution Vulnerability, S2-046, Struts 2 Remote Code Execution Vulnerability

In the wee hours of March 21, Apache Struts 2 released a security bulletin, announcing a remote code execution (RCE) vulnerability in the Jakarta Multipart parser, which has been assigned CVE-2017-5638.

Dridex Banking Malware Sample Technical Analysis and Solution

2017-03-23刘鹏Dridex, Dridex Banking Malware, EnglishVersion, IBM's X-Force, Sample Introduction, Sample Technical Analysis and Solution

IBM’s X-Force security team recently discovered an updated version of Dridex, called Dridex v4. Dridex is one of the most popular banking trojans. It was first spotted in 2014 when it was viewed as the successor of GameOver ZeuS (GoZ) because it uses GoZ-related techniques. An important improvement in Dridex v4 is that it evades detection antivirus software by introducing the AtomBoming technique for malicious code injection.

Apache Struts2 Remote Code Execution Vulnerability (S2-045) Technical Analysis and Solution

2017-03-09杨爱玲Apache Struts2, EnglishVersion, NSFOCUS Threat Intelligence, S2-045, Struts Vulnerability, Struts2 Remote Code Execution Vulnerability

Apache Struts2 is prone to a remote code execution vulnerability (CNNVD-201703-152) in the Jakarta Multipart parser plug-in. When uploading a file with this plug-in, an attacker could change the value of the Content-Type header field of an HTTP request to trigger this vulnerability, causing remote code execution.

Struts 2再爆高危漏洞绿盟科技解决方案，看得见防得住

2017-03-08王猛CVE-2017-5638, NF RSAS, NTI威胁中心, Struts 2 高危漏洞, 绿盟NF防火墙, 绿盟远程安全评估系统, 远程代码执行漏洞

Apache Struts2的Jakarta Multipart parser插件存在远程代码执行漏洞，漏洞编号为CVE-2017-5638。攻击者可以在使用该插件上传文件时，修改HTTP请求头中的Content-Type值来触发该漏洞，导致远程执行代码。

2017网络安全威胁2月月报

2017-03-06陈颐欢ddos攻击事件, 互联网安全漏洞, 安全会议, 漏洞库, 绿盟科技博客, 绿盟科技漏洞库, 高危漏洞

绿盟科技网络安全威胁周报及月报系列，旨在简单而快速有效的传递安全威胁态势，呈现重点安全漏洞、安全事件、安全技术。

“Shifu” Banking Trojan Technical Analysis and Solution

2017-02-24刘鹏Attack Location, Conclusion, CVE-2016-0167, EnglishVersion, NSFOCUS, Propagation and Infection, Shifu Banking

The banking trojan “Shifu” was discovered by the IBM counter fraud platform in April, 2015. Built based on the Shiz source code, this trojan employs techniques adopted by multiple notorious trojans such as Zeus, Gozi, and Dridex.

Hadoop Hit by Ransom Attack

2017-02-24蒋红梅EnglishVersion, Hadoop Hit by Ransom Attack, Protection Measures, Ransom Attack Pattern, What Is Hadoop

Recently, some hacker organizations have turned their eyes to ransom attacks targeting certain products. As of last week, hacker organizations had taken control of and wiped data from at least 34,000 MongoDB databases, asking for a ransom to return the stolen files.