In our previous article we analysed the HIKIT malware. Mandiant reported that this malware stole data from contractor companies working with the United States Department of Defense (DoD). The main evidence behind that conclusion was that these contractors were among Mandiant's clients, that they were infected, and that Mandiant obtained its data by examining those infections.

A detailed public write-up or analysis of HIKIT is hard to find online. As stated earlier, despite the technical analysis that has been done, it is still unknown who is behind this malware. According to Mandiant, an APT group of Chinese origin is the likely operator.

This study, unlike the previous one, is less about technical analysis and more about investigating the case. We decided to dig deeper into the source of the malware we analysed earlier.

The previous analysis did not cover in detail how this malware is delivered. Our research showed that, to infect systems, it relied on JavaScript code executed in Microsoft Internet Explorer. The detection name below is Microsoft's generic name for an injected, usually hidden, iframe that silently redirects the browser to an exploit landing page; it identifies the redirector, not the browser vulnerability that is ultimately exploited.

 

Problem                    Product            Producer
Exploit:HTML/IframeRef.Z   Internet Explorer  Microsoft

 

So where was the infection being served from? Listing every result was not feasible, since investigating each one separately would take a great deal of time; that kind of per-site work becomes practical when a specific target system is under investigation. Our focus stayed on the variant we had analysed, because HIKIT exists in many variants.

As noted above, we began by identifying which websites hosted this exploit code. We obtained the following list of sites serving it:

The Domain List

tkit.tk
tweak.tk
ahraz.tk
html-channel.com
freedomains4all.tk
html-site.nl
goodman-shirt.de
html-rulez.ru
html-studio.ru
tkmailias.tk
webnews.it

 

For most of these domains our investigation produced no solid evidence, because we could not find any registration data for them. Only one of them had registrant information. We continued from that domain and the name it was registered to, and identified the other domains registered to the e-mail address we found. It should be kept in mind, however, that these sites may have been compromised and used as a vehicle to spread various malware, in which case the registrant is a victim rather than the operator.

Other Domains Registered to the Same E-mail Address

cristianos.ws
clfooter.ws
gaypornreviews.ws
duuf2gnia9bt18h7qy1tg621k.ws
888games.ws
fel0ny.ws
ukrainegirls.ws
spydirectory.ws
pandorabox.ws

We found that many of the domains above were registered to the e-mail address shown below. Looking at the domain names together with the WHOIS records from that period, it can be seen that these registrations were made deliberately for this activity. WHOIS data changes over time and can be falsified, so the records from the period in question, rather than current ones, are what matter here.

3-1
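The registrant pivot described above can be scripted. The following is an added example, not part of the original investigation: it parses WHOIS records in the flat "Field: value" form, groups domains by registrant e-mail, keeps privacy-protected records visible as unpivotable rather than dropping them, and flags domains that one registrant created within a short window, which is the "registered on purpose" signal the text refers to. The records, the registrant e-mail, the names and the dates are constructed for the example and are not the real records from the investigation.

```python
"""Registrant pivot over WHOIS records (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed WHOIS output, one record per domain, in the flat
# "Field: value" form most registrars return. Names, e-mails and dates
# are placeholders, not the real records from the investigation.
SAMPLE_WHOIS = {
    "cristianos.ws": """Domain Name: cristianos.ws
Registrant Name: J. Doe
Registrant Email: registrant@example.invalid
Creation Date: 2011-09-12T10:04:00Z
Name Server: ns1.example.invalid
""",
    "fel0ny.ws": """Domain Name: fel0ny.ws
Registrant Name: John Doe
Registrant Email: REGISTRANT@example.invalid
Creation Date: 2011-09-12T10:06:00Z
Name Server: ns1.example.invalid
""",
    "html-site.nl": """Domain Name: html-site.nl
Registrant Name: Some Web Agency
Registrant Email: hostmaster@agency.invalid
Creation Date: 2006-03-01T00:00:00Z
Name Server: ns.agency.invalid
""",
    "tkit.tk": """Domain Name: tkit.tk
Registrant Email: REDACTED FOR PRIVACY
Creation Date: 2011-10-02T00:00:00Z
""",
}

FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?):\s*(?P<value>.+?)\s*$", re.M)
PRIVACY_MARKERS = ("redacted", "privacy", "whoisguard", "not disclosed")


def parse_whois(text):
    """Lower-cased field -> value; repeated fields (several Name Server
    lines, say) are joined with a comma."""
    fields = {}
    for m in FIELD_RE.finditer(text):
        key = m.group("key").strip().lower()
        val = m.group("value")
        fields[key] = f"{fields[key]}, {val}" if key in fields else val
    return fields


def registrant_email(fields):
    """Normalised registrant e-mail, or None when the registry hides it."""
    email = fields.get("registrant email", "").strip().lower()
    if "@" not in email or any(p in email for p in PRIVACY_MARKERS):
        return None
    return email


def pivot_by_registrant(records):
    """Group domains by registrant e-mail. Privacy-protected or empty
    records are kept under the key None so the analyst sees what could
    not be pivoted instead of having it silently dropped."""
    groups = defaultdict(list)
    for domain, text in records.items():
        groups[registrant_email(parse_whois(text))].append(domain)
    return dict(groups)


def creation_cluster(records, max_gap_hours=24):
    """Domains one registrant created within max_gap_hours of each other.
    A burst of registrations is the 'made on purpose' signal the text
    refers to, as opposed to an agency that has held a domain for years."""
    by_email = defaultdict(list)
    for domain, text in records.items():
        fields = parse_whois(text)
        email = registrant_email(fields)
        if email is None or "creation date" not in fields:
            continue
        created = datetime.strptime(fields["creation date"], "%Y-%m-%dT%H:%M:%SZ")
        by_email[email].append((created, domain))
    clusters = {}
    for email, items in by_email.items():
        items.sort()
        if len(items) > 1 and items[-1][0] - items[0][0] <= timedelta(hours=max_gap_hours):
            clusters[email] = [domain for _, domain in items]
    return clusters


if __name__ == "__main__":
    for email, domains in pivot_by_registrant(SAMPLE_WHOIS).items():
        print(email or "<no registrant data>", "->", ", ".join(domains))
    print("burst registrations:", creation_cluster(SAMPLE_WHOIS))
```

The pivot is only as good as the records it is fed: a registrant whose other domains predate the campaign by years is more likely a compromised legitimate owner, which is why the creation-time clustering is kept separate from the plain e-mail grouping.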

 

At the start we said that the dropper used to deliver HIKIT was delivered through JavaScript executed in Microsoft Internet Explorer. In our research, however, the operators did not rely on this alone; vulnerabilities in other applications were exploited as well. Adobe Flash Player is just one of them.

Up to this point we had an idea of how HIKIT was delivered, but no information about the servers behind it. Note that, as the Part 1 analysis shows, the implant itself does not beacon to a command-and-control server; what we are mapping here is the hosting and distribution infrastructure. Resolving the servers that the domains above pointed to gave the following results:

IP              Country
94.76.200.157   United Kingdom
46.4.34.4       Germany
87.106.29.14    Germany
77.222.40.38    Russia
208.82.114.84   United States
206.246.140.14  United States
24.223.234.70   United States
173.9.9.178     United States
91.199.120.6    Spain
94.228.86.11    Slovakia
88.191.150.8    France

 

The IP addresses that communicate directly with the addresses above, that is, the addresses from which the initial HIKIT attacks were launched, reach this central infrastructure from many different points. The heaviest traffic goes through the server in Spain, and most of the malware delivered to that server originates from China. The country attribution here comes from IP geolocation of the hosting provider, which says where a server sits, not who rents it.

3-2

 

The IP address of the server that controlled the malware distribution from China points to the location shown below. When we queried the same address for what is at that location rather than where it is, we got "People's Republic of China – Guiyang People’s Government". This strengthened our suspicion that the distribution hub of this malware was a Chinese government facility. We cannot be certain, however, as we do not have any solid evidence at hand: a registration record names the organisation an address block is assigned to, and a server in that block may equally be a compromised host.

3-3

 

The communications shown below were still active at the time of writing, and it can be said that this malware is connected to many different vectors. When we examined the exploit kits in use, we mostly came across the Blackhole Exploit Kit. Blackhole was a widely rented commodity kit at the time, so its presence tells us about the delivery method rather than about who operated it.

3-4

(Relationship graph we built with Maltego)

 

It is still not possible to make definite statements about the source of the HIKIT malware: the infrastructure is very fragmented, and it is hard to back the obtained data with undeniable evidence. The graph above covers many vectors that have an organic connection to HIKIT. While many of the domain names are of German and Russian origin, the servers that host the domains and serve as the real points of distribution are scattered across many facilities. China is the main source of distribution, but malware is also distributed from many other countries, such as Indonesia, Hungary, Romania and Korea.

In conclusion, although no final decision about the source can be reached, the fact that our research keeps circling back to China, especially when current threats are also taken into account, gives us a strong idea about the origin of the malware.

 

Trend Micro – Deep Discovery Inspector

We used Trend Micro Deep Discovery Inspector in our work on detecting HIKIT on the network. Deep Discovery Inspector scans network traffic for malware and, with its built-in "Virtual Analyzer" module, analyses what it finds in detail.

3-5

 

First we placed Trend Micro Deep Discovery Inspector in the lab environment we had built and mirrored our network traffic to it from the core (backbone) switch. Once it started monitoring the traffic, Deep Discovery caught the HIKIT sample we received, as seen in the screenshot above.

The log entry contained various data such as the source of the malware, the infected IP address and protocol information. For a closer look at the malware, you can connect to Trend Micro's Threat Connect platform and retrieve the results of the analysis carried out in the cloud.

 

3-6

 

We chose to connect to the Threat Connect platform to see these details. To do so, it is enough to open the details of the malware caught by Deep Discovery and click on the name of the threat.

3-7

 

When you request detailed information about the threat, Deep Discovery automatically takes you to the Threat Connect platform, where the results of the analysis carried out by Trend Micro's laboratories can be viewed. The page shows a summary of the malware and a visualised relationship graph.

3-8

 

Clicking on the graph shows its details. From there we can open the sample report and obtain more detailed information about HIKIT. The map on the same screen shows in which countries HIKIT is most active.

3-9

 

The sample report above shows the systems affected by the malware, its file format and the processes it creates or affects. If that much detail is not enough, Trend Micro Threat Connect can go deeper and show the effects of each stage of execution.

3-10

 

Clicking the "execution flow" tab on the same screen shows, second by second, which resources the malware uses on the system and which modifications it makes. Listed above are the APIs it uses and the mutex objects it creates so that it does not reinfect a system that is already infected. Such mutex names are a handy host-based indicator, since an infected system holds the mutex while a clean one does not.

Details can be displayed by clicking on the related objects and records; for instance, the figure below shows the registry values created or modified on the system.

3-11

 

 

Trend Micro Deep Discovery and Threat Connect present reports on the malware they detect that even non-specialist users can understand. They also provide instructions on how the malware can be removed manually.

3-12

 

The figure above explains step by step how to remove HIKIT. Several different methods are offered, depending on the malware.

Attachment (PDF): The HIKIT Rootkit Analysis (Part 2)


 

Yasin SÜRER
Threat Researcher
yasin.surer@boateknoloji.com

Introduction: The HIKIT Rootkit Analysis

Malware (viruses, worms, rootkits and so on) is one of the most important components of complex attacks. In particular, in attacks of the kind called APT (Advanced Persistent Threat), where many different vectors are combined, malware is among the attacker's most indispensable tools.

Typically, organised groups have malware written by people with advanced knowledge of the subject. Malware written for a specific target has to defeat several security mechanisms in order to reach its goal.

This means the techniques and structures used in such malware are complex. Accordingly, malicious code analysis is difficult and laborious work and requires advanced technical knowledge.

APT and Target

HIKIT, discovered by Mandiant, is malware that allows an attacker to take control of a remote system. It is built for intelligence gathering and is an advanced piece of malware that carries out its functionality entirely at kernel level.

The notable point is that the "intelligence" this malware gathers belongs entirely to contractors and subcontractors of the United States Department of Defense. It collects a range of data about those organisations, some of which also appear on the SBIR/STTR (Small Business Innovation Research / Small Business Technology Transfer) programme lists.

Technical Analysis

For the technical analysis of HIKIT we have a single object, a file named "oci.dll". We confirmed that "oci.dll" is not packed or compressed. Working through this object, we see that the executable carries files with different names inside it. The filename itself is a hint: oci.dll is the name of a legitimate Oracle client library that Windows components such as the Distributed Transaction Coordinator search for, which makes it a classic target for DLL search-order hijacking. An interesting "string" inside the malware draws our attention first:

h:\\JmVodServer\\hikit\\bin32\\RServer.pdb

This is the path of the "debug" symbol file for the malware as it existed on the developer's machine. We can see that the developer's name for the malware is "RServer" and where it lived on the developer's computer. With that information, the stages by which the malware is deployed are as follows:

  • First, a "dropper" installs the file named "oci.dll".
  • The DLL installs the signed kernel-mode driver module onto the system.
  • The driver installed in the kernel waits for a command from the attacker.

image003

The figure shows how these stages are carried out. The malware, delivered to users through various routes, waits for communication from the attacker, who connects from behind a "proxy".

With this data in hand we can begin the analysis. First of all we need the most basic information about the executable, so we start with the most basic steps.

image004

As seen in the picture above, the "oci.dll" file contains a file named "w2fw.sys". This makes it clearer that the malware contains a rootkit. Rootkits operate at kernel level, and analysing them is harder than analysing other (user-mode) malware.

image005

Code Signing Mechanism

Before going on to the next activities, the one thing that has to be understood is the logic of code signing. Microsoft uses a technique called code signing to decide whether a module to be executed at kernel level is trusted: the signature states that the module loaded into the kernel comes from an approved publisher. On 64-bit Windows the kernel refuses to load a driver without a valid signature, which is why a rootkit needs a certificate its authors either bought, stole or obtained under false pretences.

image006

The interesting finding during analysis was that the *.inf files are signed with GlobalSign certificates. GlobalSign made the news in 2011 with a claim that it had been "hacked", and it suspended its services for a while on suspicion that certificates had been stolen from its servers. The claims that "GlobalSign was hacked" appeared in early September 2011, and an analysis of the "timestamp" information of the file at hand points to October as the last date it was edited. A compile timestamp is a field in the PE header that the author can set to any value, so on its own it supports this timeline but does not prove it.

image007 image008

We have already said that this malware, which we class as a rootkit, runs at kernel level. As is known, .inf files contain the information on how to install driver software. Now that we know GlobalSign certificates were applied to the malicious files, we can see that the malware added itself to the system as a signed driver in order to operate at kernel level. A quick check for an analyst is to verify the driver's signature chain and compare the certificate's validity period and revocation status against the file's timestamp, for example with signtool verify /v /kp or PowerShell's Get-AuthenticodeSignature on Windows.
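The checks done by hand above, finding the embedded w2fw.sys image inside oci.dll, reading the PDB path, and reading the compile timestamp that was compared against the GlobalSign timeline, can be scripted. The block below is an added example, not the article's own tooling: it constructs a header-only stand-in for oci.dll in memory, with an embedded second PE, an RSDS debug record carrying the PDB path quoted above and a made-up October 2011 timestamp, and then carves the embedded image, its COFF TimeDateStamp and the PDB path back out. Only the names oci.dll and w2fw.sys and the PDB path come from the page; every offset, GUID and date is invented for the example, and the blobs are not loadable executables.

```python
"""Carve an embedded PE, its compile timestamp and the PDB path from a sample.

Added example with a constructed, header-only stand-in for oci.dll; the
blobs are not loadable and every offset, GUID and date is made up.
"""
import re
import struct
from datetime import datetime, timezone


def _minimal_pe(timestamp, payload=b""):
    """'MZ' header, e_lfanew at 0x3c pointing at the PE signature, a 20-byte
    COFF header carrying TimeDateStamp, then the payload."""
    e_lfanew = 0x80
    header = bytearray(e_lfanew)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    # Machine=i386, NumberOfSections=0, TimeDateStamp, then zeroed fields.
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 0, 0)
    return bytes(header) + b"PE\x00\x00" + coff + payload


def _rsds_record(pdb_path, age=1):
    """CodeView 'RSDS' record: signature, 16-byte GUID (zeroed here),
    4-byte age, NUL-terminated PDB path."""
    return b"RSDS" + b"\x00" * 16 + struct.pack("<I", age) + pdb_path + b"\x00"


def _unix(year, month, day):
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


# Constructed sample: an outer DLL whose data carries a driver image. The
# filenames and the PDB path are the ones quoted in the analysis; the
# October 2011 dates are invented.
PDB_PATH = b"h:\\JmVodServer\\hikit\\bin32\\RServer.pdb"
EMBEDDED_DRIVER = _minimal_pe(_unix(2011, 10, 20), b"w2fw.sys\x00" + b"\x00" * 32)
SAMPLE = _minimal_pe(
    _unix(2011, 10, 21),
    b"\x00" * 64 + _rsds_record(PDB_PATH) + b"\x00" * 64 + EMBEDDED_DRIVER + b"\x00" * 16,
)


def find_pe_offsets(data):
    """Offsets of every 'MZ' whose e_lfanew points at a valid PE signature.
    Validating e_lfanew weeds out the many stray 'MZ' byte pairs found in
    ordinary data."""
    offsets = []
    for m in re.finditer(b"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):
            continue
        e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
        if not 0x40 <= e_lfanew <= 0x1000:   # sane range for a real header
            continue
        sig = off + e_lfanew
        if data[sig:sig + 4] == b"PE\x00\x00":
            offsets.append(off)
    return offsets


def coff_timestamp(data, off):
    """TimeDateStamp of the PE at `off`, as an aware UTC datetime. The field
    is writable by the author, so treat it as a claim, not a fact."""
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    ts = struct.unpack_from("<I", data, off + e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, timezone.utc)


def find_pdb_paths(data):
    """PDB paths from RSDS CodeView records (signature, GUID, age, path)."""
    paths = []
    for m in re.finditer(b"RSDS", data):
        start = m.start() + 4 + 16 + 4
        end = data.find(b"\x00", start)
        path = data[start:end] if end != -1 else b""
        if re.fullmatch(rb"[\x20-\x7e]{4,260}", path) and path.lower().endswith(b".pdb"):
            paths.append(path.decode("ascii"))
    return paths


def find_driver_names(data):
    """Printable strings ending in .sys: candidate embedded driver names."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{1,64}\.sys", data)]


def carve(data):
    """What an analyst looks at first for a sample like oci.dll."""
    pes = find_pe_offsets(data)
    return {
        "embedded_pe_offsets": pes[1:],   # offset 0 is the outer image itself
        "embedded_pe_timestamps": [coff_timestamp(data, o).isoformat() for o in pes[1:]],
        "pdb_paths": find_pdb_paths(data),
        "driver_names": find_driver_names(data),
    }


if __name__ == "__main__":
    print(carve(SAMPLE))
```

On a real sample, read the file into `data` and call carve on it; the same functions work unchanged, since they only depend on the MZ/PE and RSDS layouts. Because the timestamp is attacker-controlled, the certificate's notBefore and revocation dates obtained from the signature are the stronger half of the timeline comparison.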

image009

As seen above, the malware contains a function that performs various registrations and modifications in the Windows Registry. As soon as this function completes, the other routines belonging to the infection process start to run.

image010

Malware & Attacker Communication

Beyond this, we obtain more interesting data when we open the sample for analysis. For example, once the infection steps are complete the malware can receive commands from the attacker.

image011

The "disassembly" output above belongs to the routine through which the attacker connects to the target system. Several steps are carried out for the connection to complete: if a keyword is found inside the packets when the connection is established, the attacker's connection is accepted.

More technically, the malware installs itself at NDIS level to monitor incoming packets, adding itself to the system as a virtual network adapter. By inspecting every packet the host receives, it searches for a specific pattern within the traffic.

During this connection process the attacker connects to the target on ports 80 and 443. In firewall rules, ports 80 (HTTP) and 443 (HTTPS) are among those normally permitted, which means the malware gains access to the target by bypassing firewall software and devices. Note that the attacker is connecting inbound, so this only works where the host is reachable on those ports; where it is, the connection looks like ordinary web traffic to a port-based filter.

The interesting point at this stage is that the malware does not contact any command-and-control server or the attacker's computer. Instead HIKIT monitors all traffic reaching the infected machine and responds to the attacker when the keyword arrives. This passive design also means there is no periodic outbound beacon to detect; the only network evidence is the attacker's own inbound connection.
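Because the passive trigger described above leaves no beacon, detection has to come from the inbound side. The block below is an added example, not part of the original analysis: over constructed connection records it flags inbound 80/443 connections to internal hosts that are not inventoried web servers, and inbound first payloads on those ports that are neither an HTTP request nor a TLS ClientHello. The trigger keyword is not given on this page, so the code does not look for it; the internal range, the asset inventory, the addresses and the payloads, including the "MAGIC-WORD" string, are made up for the example.

```python
"""Network-side checks for a passive, trigger-activated backdoor.

Added example, constructed data. The trigger keyword is unknown here, so
nothing below matches on it; the checks rely only on where the
connection goes and whether its first bytes are the protocol the port
implies.
"""
import ipaddress
from dataclasses import dataclass

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ", b"TRACE ")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # assumed internal range
WEB_SERVERS = {"10.0.1.10"}                        # assumed asset inventory


@dataclass
class Conn:
    src: str              # initiator of the connection
    dst: str              # host that accepted it
    dport: int
    first_payload: bytes  # first bytes the initiator sent


# Constructed connection records; addresses are documentation ranges.
SAMPLE_CONNS = [
    Conn("203.0.113.5", "10.0.1.10", 443, b"\x16\x03\x01"),                  # TLS to the web server
    Conn("203.0.113.5", "10.0.1.10", 80, b"GET /index.html HTTP/1.1\r\n"),    # HTTP to the web server
    Conn("198.51.100.7", "10.0.5.23", 443, b"\x16\x03\x01"),                 # TLS to a workstation
    Conn("198.51.100.7", "10.0.5.23", 80, b"\x00\x00MAGIC-WORD\x00"),        # raw bytes, made-up trigger
    Conn("10.0.5.23", "203.0.113.9", 443, b"\x16\x03\x03"),                  # normal outbound browsing
]


def looks_like_http(payload):
    return payload.startswith(HTTP_METHODS)


def looks_like_tls_client_hello(payload):
    # TLS record header: content type 0x16 (handshake), version major 0x03.
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def classify(conn):
    """Reasons this connection deserves a look; empty list if none."""
    reasons = []
    dst_internal = ipaddress.ip_address(conn.dst) in INTERNAL
    src_internal = ipaddress.ip_address(conn.src) in INTERNAL
    if conn.dport in (80, 443) and dst_internal and not src_internal:
        if conn.dst not in WEB_SERVERS:
            reasons.append("inbound web-port connection to a non-web host")
        if conn.dport == 80 and not looks_like_http(conn.first_payload):
            reasons.append("port 80 payload is not an HTTP request")
        if conn.dport == 443 and not looks_like_tls_client_hello(conn.first_payload):
            reasons.append("port 443 payload is not a TLS ClientHello")
    return reasons


def suspicious(conns):
    """'src->dst:port' -> reasons, for every connection that fired a check."""
    out = {}
    for c in conns:
        reasons = classify(c)
        if reasons:
            out[f"{c.src}->{c.dst}:{c.dport}"] = reasons
    return out


if __name__ == "__main__":
    for key, reasons in suspicious(SAMPLE_CONNS).items():
        print(key, "|", "; ".join(reasons))
```

A host that legitimately runs a non-HTTP service on 443 (some VPN products, for instance) will fire the protocol check, so the inventory has to be kept current to keep the noise down. The checks also presuppose a sensor that actually sees inbound traffic, for example from a mirror port as in the Deep Discovery setup described in Part 2; a purely outbound proxy log never shows this connection at all.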

We can obtain a visual representation of which values these routines produce and where control flows. The following figure clearly shows which function leads to which result, and hence which routines are involved in establishing contact.

image012

Once contact is made, the malware allows several commands to be executed for remote access. These are the commands implemented by the malware itself; the commands the attacker then runs on the target are those defined by the operating system. The "shell" command, which we encountered among the post-connection commands while following the machine code, opens a command line on the remote machine.

image013

This means that any command a normal or privileged user could run on the operating system can be issued to the backdoor the attacker has installed. In short, it opens a "command prompt" for the attacker, who can then run whatever commands serve their purpose on the system.

image014

When the "file" command seen below is executed, it communicates with the driver. This lets the attacker read files, change file permissions, create directories and list directories. As a result, once the malware completes the infection process the attacker has fully privileged access to the system.

The "disassembly" above relates to the implementation of the operations described. Another feature of the malware is the attacker's ability to connect through a SOCKS5 proxy.

image015

This feature, which caught our attention while analysing the sample, is a function the attacker embedded in the malware so that contact can be made through a proxy. As a result the attacker becomes harder to track, since the origin of the connection is obscured.

The "strings" belonging to the program are listed below. Some of the data presented at the beginning of the article appears among them. You can find all the string values contained in the program in the analysis report.

Result

It is almost certain that this software, identified and published by Mandiant, is part of an APT attack. Its aim was reported to be gathering intelligence and information about companies contracted with the U.S. Department of Defense. HIKIT was built to stay persistent on the systems it infects and, during that time, to turn them into the attacker's puppets. Similar APT attacks are increasing today. As mentioned before, it is quite difficult to detect a malicious NDIS-level driver and the APT attack it serves.

The technique described above, where the attacker makes contact with the system via a specific pattern, is quite old and hard to detect. In some cases detecting this sort of attack is only possible with "network traffic analysis". As observed during the analysis, software and devices such as firewalls and anti-virus are ineffective against these kinds of attacks.

Organisations that suffer such attacks and companies that develop security products are well aware of the situation. Besides classic security products such as firewalls and anti-virus, organisations need to consider different solutions to detect APT attacks.

(Figures 1-1 to 1-6: analysis screenshots)

Attachment (PDF): The HIKIT Rootkit Analysis (Part 1)


 

Yasin SÜRER
Threat Researcher
yasin.surer@boateknoloji.com
