
Mining Trojan horse incident in 2017

Publish: 2021-04-16 14:24:19
1. This Trojan takes advantage of the "EternalBlue" vulnerability to attack and spread within the local area network. It builds a robust botnet out of the infected machines, supports self-renewal within the intranet, and lurks on the computer for a long time to mine Monero. Because most ordinary personal computers have been patched by Windows security updates and by security software such as Tencent Computer Manager, they are basically not affected by WannaMiner. It is suggested that if a suspected WannaMiner mining Trojan is found, the infected machine should be located and isolated in time. It can be judged by scanning port 26931: if the port is open, the host has been infected. If the intranet needs patching, patch all the computers that have not yet been patched. It is suggested that professional terminal security management software, such as Tencent Yudian, be installed across the whole network, and that the administrator carry out network-wide antivirus scanning and patch installation to avoid unnecessary losses.
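One way to run the port-26931 check suggested in the answer above across a LAN you administer, as an added example that is not part of the original answer (it assumes a CIDR range as input; the 192.0.2.0/28 range in the usage line is a constructed placeholder):

```python
# Added example, not from the original page: find hosts on a range you manage
# that expose TCP 26931, the port the answer above associates with a WannaMiner
# infection, so they can be isolated and patched.
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

WANNAMINER_PORT = 26931  # port named in the answer above


def is_port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True if a TCP connect to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, etc.
        return False


def expand_targets(cidr: str) -> list[str]:
    """Expand a CIDR block (e.g. 192.0.2.0/28) into the host addresses to probe."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(h) for h in net.hosts()]


def find_suspect_hosts(cidr: str, port: int = WANNAMINER_PORT, workers: int = 64) -> list[str]:
    """Probe every host in the range concurrently; return those with the port open."""
    hosts = expand_targets(cidr)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        flags = list(pool.map(lambda h: is_port_open(h, port), hosts))
    return [h for h, is_open in zip(hosts, flags) if is_open]


def self_check() -> tuple[bool, bool]:
    """Offline sanity check: a local listener is detected, and a closed port is not."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # ephemeral port chosen by the OS
    srv.listen(1)
    port = srv.getsockname()[1]
    seen_open = is_port_open("127.0.0.1", port)
    srv.close()
    seen_closed = is_port_open("127.0.0.1", port)
    return seen_open, seen_closed


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.0/28"  # constructed placeholder
    for host in find_suspect_hosts(target):
        print(f"{host}: TCP {WANNAMINER_PORT} open, isolate and patch")
```

An open port is only the indicator the answer gives; confirm with the endpoint's own antivirus scan before treating the host as infected.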
2. You can try Avast antivirus, which has a small footprint; software such as 360 and Computer Housekeeper can be deleted, as they consume computer performance.
3. Don't worry about this. 360 has an automatic interception function.
Mining Trojans are now in the limelight, and their gold-sucking power is catching up with ransomware. Recently, 360 Security Guard intercepted a Monero mining Trojan spread via "EternalBlue". Because it carries heavy attack ammunition, the Trojan spread widely, reaching 100,000 attempts a day at its peak, and 360 has recently intercepted more than one million attacks.

It is understood that this is a large-scale attack by a mining Trojan carrying "EternalBlue" against ordinary Internet users. To prevent computers from becoming coolies for hackers' mining, 360 reminds Internet users to make sure they are fully patched and immune to all kinds of attacks using "EternalBlue", and at the same time to turn on 360 Security Guard to comprehensively defend against all kinds of mining Trojans.
4. It's a virus that will make your computer mine automatically. Anti-virus software can kill the virus directly. Install a Computer Housekeeper on your computer, and then use its virus scan-and-kill function to clean your computer.
5. Quoting several cases from the "Internet Black and Gray Industry Report 2017"
1. Dongpeng Special Drink wool-collecting event
Marketing activities are familiar to everyone; they attract users through incentive mechanisms. But at the same time they also attract a group of people called the "wool party", who rely on registering large numbers of accounts to obtain coupons, grab red envelopes and prizes, and then resell them. Big promotions, subsidies and marketing activities are all opportunities to "make money" in their eyes, which they call "informers".
Activities that lack business security awareness and are well subsidized are the most likely to be fleeced. Dongpeng Teyin is a beverage company in Guangdong Province. Its traditional promotion was a lucky draw on bottle caps. With the popularity of the Internet, it decided to try a new way: scanning a QR code to get a red envelope. It wanted to use the Internet to save the tedious circulation steps and collect customer information along the way. Unexpectedly, the wool party hit them hard.
As the activity warmed up, a large number of people selling Dongpeng Special Drink CDKs (codes) quickly appeared. The so-called code is the link converted from the activity QR code. After purchasing a code, you can get the red envelope by clicking on it in WeChat. The WeChat accounts in the hands of the channel merchants and the wool party are limited, but they have a lot of codes. They sell at a price slightly lower than the minimum red envelope amount, and the buyers make a steady profit.
Are the CDK buyers ordinary users? It can only be said that the proportion is too small. Ordinary users have no channel to learn of the existence of CDKs. Most buyers are other gray-industry practitioners with many WeChat accounts in hand. Their usual business is to use WeChat to add a large number of friends and then cash out through fraud, WeChat marketing and other forms. Dongpeng Special Drink CDKs are just a side act.
In short, driven by profit, someone quickly cooperated with the core nodes of waste recycling stations to buy large numbers of bottle caps at a low price and extract the QR code information. In the market this is called "waste code"; its counterpart is the "Bizhong code", which is purchased from bottle-cap manufacturers and insiders after establishing a relationship. The QR codes are converted to links in bulk and sold to channel providers, who then distribute them to offline resellers at all levels. After one round of this process, with profit taken at every layer, the enterprise running the activity has become the big loser. The final result was that Dongpeng Teyin found that the actual amount of bonuses redeemed was much higher than expected, and only "zombie users" with zero marketing effect were gained.
It's not just Dongpeng Special Drink. There are many such products in the market, such as Mengniu Youyi C, Mengniu ice cream, Pepsi Cola, Red Bull, Qixi, Xiaoming, Jingdong QR codes, etc. When an activity grows to a certain scale, people downstream spread it wantonly in the form of "collecting tuition and making money". The whole process is like locusts crossing the border and eating up the enterprise's activity funds.
The basic mode of action of the wool party is to win by volume: use a large number of accounts to violently compete for subsidies and prizes, such as discount coupons for new users, and then sell them at a low price. In fact, they are just one of the ends of the Internet's black industrial chain. Some people directly call them "brick movers" because the technical requirements are low and it is purely manual labor.
We should pay attention to their account sources and mode of action. For example, where do the registered mobile phone numbers for new users' gift certificates come from? The answer is mobile phone black cards. Threat Hunter collects and maintains a black card library of massive data, which will be introduced in detail in the following industry chain analysis. In addition to mobile phone numbers, the wool party needs to pass the platform's IP and device detection to commit crimes. The black industry has platform and chain industries for these, and the wool party is just one of their downstream industries. Please refer to the upstream resource provider module for detailed industry chain analysis.
2. Apple 36
Apple also suffered from wool-pulling. After users consume on iOS, Apple splits revenue with app service providers according to the agreed proportion and settles accounts quarterly. At settlement time, a large number of merchants found that Apple's share was far from the actual sales amount. On inspection, they found the real reason: they had been fleeced.
Some accounts disappeared immediately after small purchases of 6 yuan and 30 yuan, with traces of batch operation. Originally, in order to improve the user experience, Apple set a policy that small recharges below 40 yuan are not verified and the goods are delivered first. To the black industry, this meant each alt account yields 36 yuan of profit, and they launched an operation immediately.
They first register a large number of email accounts through scripts. Some foreign email registration does not require a mobile phone number, so this step is almost "zero cost". After that, Apple IDs are generated in batches using software and then activated in batches. Most manufacturers check the number of registrations from one IP within a short period; for the black industry, the cost of this step is the cost of changing IPs. Threat Hunter will elaborate on the methods by which the black industry evades IP detection in the following industrial chain section.
Consumption needs to be bound to a bank card. For the need for a large number of bank cards, the black industry's solution is Family Sharing plus registering virtual bank cards. After setting up Family Sharing, each account can have 8 subsidiary accounts sharing the same bank card. This bank card is a virtual card: when a black industry company holds a bank card, it can apply online to the issuing bank for a virtual bank card. The card number differs from the original card, but both belong to the same account.
When Apple finds that an account is stolen, it is blocked. When multiple subsidiary accounts are blocked, Apple blacklists the main account and its bound bank card. At this point the virtual card is cancelled and re-applied for, which does not affect continued use at all. Apple also checks the device; here the company refreshes the device fingerprint with software before it is locked, solving the problem easily.
After collecting the wool, the black industry uses its low-price advantage to sell the virtual goods through various channels for cash. Games and membership rights are the hardest hit areas.
Regarding the 36 technique, Apple has made policy adjustments, and for newly registered users the deliver-first, collect-later mode is restricted. However, this only raises the cost for the black industry, which is still within the acceptable range. The impact is that the black industry's demand for old accounts has increased significantly, and the problems waiting for Apple will be account theft, credential stuffing, account keeping and so on. For example, in the above cashing-out process, due to the recharge restriction, the user (the person who purchases the virtual goods from the black and gray industry) will be asked for the account and password, and this account can be "recycled" and put into the next round of use. The account-related industry chain is described in detail in the account module below.
3. Didi's false registrations
According to relevant regulations, online ride-hailing platforms need to examine and review registered drivers, such as requiring a certain driving age, and Beijing requires "Beijing people, Beijing cars", etc. Many people who do not meet the requirements want to complete registration, so they use a kind of "proxy registration" black business.
In September 2017, Didi reported to the Internet Police Corps of the Public Security Department of Guangdong Province that hundreds of thousands of accounts had problems of false registration and mismatch between people and vehicles. After investigation, the profiteering activities of the black industry were found: driving age not matching, out-of-town cars not receiving orders, over-age vehicles, all could be "solved" for money.
First of all, the black industry's information sources can obtain real information on people and vehicles that meet the requirements through insiders in the industry. First-level middlemen purchase vehicle and personnel information from the sources, mark up the price and resell it to second-level middlemen, who mark it up again and resell it to the proxy registration operators. The proxy registration operator then "processes the information" through Photoshop and other means, combines it with the buyer's information to assemble a complete set of compliant information, and completes the registration, charging 300-500 yuan. And even if it is discovered, Didi can only ban the driver.
Some operators also collect a handful of Didi's wool along the way. For example, using the referral mechanism: Didi stipulates that each successfully referred driver earns a reward of 218 yuan plus 30% of the new driver's first eight orders. It's not hard to imagine how huge the profits made by proxy registration groups were during the competition period among the ride-hailing platforms, when activities ran regardless of cost just to survive the war.
In fact, during the Didi-Kuaidi battle, fake driver accounts were mainly used to brush orders and profit in combination with plug-ins. After the merger of the ride-hailing companies and the tightening of state supervision, the registration groups turned to selling services to those who do not meet the requirements, and some groups make extra profit by selling "registration courses". This kind of paid teaching often appears when their own profits have been reduced; when the profits are huge, the people who master the methods just make money silently.
This series of profit-making behaviors hurts not only Didi but also ordinary users. For example, a Didi plug-in achieves "picking and grabbing orders" by modifying the positioning. Didi had to change its distance-optimized dispatch algorithm to random order distribution within a few kilometers. Users can only endure waiting in the cold wind for a car three kilometers away when they clearly see a car nearby.
What makes us more alert is that our personal information is so easy to obtain. In fact, the black industry's social engineering database is also constantly improving, with more and more data and higher accuracy. It is widely used in credential stuffing, fraud and elsewhere, which is frightening. Didi's authentication is more complex, and the commonly used graphic verification codes, ID card authentication and facial recognition authentication all have a stable service industry chain, which will be introduced in the following part on account authentication.
4. Uber was blackmailed by hackers
Last year, Uber suffered a large-scale data leak, including the names, e-mails and telephone numbers of 50 million users, the personal information of 7 million drivers, and the license numbers of 600,000 American drivers. Uber said credit cards and other information were not leaked. 57 million records is not worth mentioning compared with the scale of the Yahoo and Equifax (the US credit agency) leaks, and is not surprising data in the black industry. But Uber's approach attracted attention: paying ransom to hackers.
At the time, the CSO and an assistant tried to conceal this by paying US$100,000 to prevent Uber's data from circulating in the black market. Afterwards, the two were fired and the CEO was forced to resign. Uber finally stated that there was no evidence that the data from this incident was used by the hackers, and that it would provide free identity protection and monitoring services for drivers whose information was leaked.
How the hackers got the data is curious. In fact, they obtained login credentials from a private GitHub repository of Uber engineers, then accessed Uber's Amazon cloud services account used for computing, found user data in the account, and then blackmailed Uber. We can't help noticing that an attack sometimes only needs to find one loophole, while the defense needs to be comprehensive and tight. Besides defense, there is another problem we need to face: how to act on leaked data. Uber's concealment is not advisable.
In the face of this problem, a brute-force but effective way to confront it is to establish a leaked-data database larger than the black industry's. If it can be determined, when the black industry uses the user information, that the account is a leaked one, the risk control logic is triggered directly, stricter audits are conducted, the hacker's protection is bypassed, and an unavoidable blow is dealt to the enemy. Establishing such a database requires not only effective and real-time collection and supplementation, but also the sharing and participation of major manufacturers, the collection of multi-party information, and the construction of a more comprehensive data source.