{"id":10545,"date":"2025-10-13T13:28:42","date_gmt":"2025-10-13T06:28:42","guid":{"rendered":"https:\/\/infosec.new88088.net\/?p=10545"},"modified":"2026-02-05T13:28:48","modified_gmt":"2026-02-05T06:28:48","slug":"khi-phan-mem-diet-virus-bi-tiem-ma-doc-la-chan-hoa-thanh-cua-ngo-tan-cong","status":"publish","type":"post","link":"https:\/\/infosec.new88088.net\/2025\/10\/13\/khi-phan-mem-diet-virus-bi-tiem-ma-doc-la-chan-hoa-thanh-cua-ngo-tan-cong\/",
"title":{"rendered":"When antivirus software is injected with malicious code: the \"shield\" becomes an attack gateway"},
"content":{"rendered":"<p><b>A security researcher known as Two Seven One Three has just published a new technique that lets attackers inject malicious code directly into antivirus processes, turning the very processes that are supposed to be protected into a backdoor.<\/b><\/p>\n<p>Antivirus (AV) software is designed to be \"untouchable\": it runs with SYSTEM privileges and has self-protection mechanisms. Attackers are now looking to exploit exactly this property to attack the system. If code can be inserted into an AV process, the malicious code gains high privileges, is hard to detect and can manipulate the system. The newly described technique shows that this is entirely feasible, and worrying.<\/p>\n<p>The problem is not that AV software is \"weak\" at detecting malware, but that AV prioritises operational reliability. Many auxiliary AV components (the user interface, VPN, firewall) are still allowed to write to the installation directory and run with high privileges. Attackers abuse these \"auxiliary components\" by:<\/p>\n<ul>\n<li data-xf-list-type=\"ul\">Service cloning: exporting\/importing the registry key to create a copy of the AV service. After a reboot, this copy is loaded by Services.exe and becomes a protected process.<\/li>\n<li data-xf-list-type=\"ul\">Hijacking the cryptography provider: changing the Cryptography Provider registry key to point to a malicious DLL; when the service starts, it loads this DLL as a legitimate provider.<\/li>\n<li data-xf-list-type=\"ul\">Spoofing digital signatures: using a tool such as CertClone to copy a certificate and sign the malicious DLL in order to bypass signature checks.<\/li>\n<\/ul>\n<p>Combining the steps above, an attacker can write files into the AV installation directory, execute commands with high privileges and evade the AV's own protection mechanisms.<\/p>\n<p>The attacker creates an identical \"fake\" service, changes the Windows cryptography provider to point to a malicious DLL signed to \"look genuine\", starts the service, the DLL is loaded into the protected AV process, and the DLL carries out its actions (for example: writing files, opening ports, launching a shell). Once this succeeds, the attacker can restore the registry to reduce the chance of detection.<\/p>\n<p>If successful, the attacker gains high privileges on the victim machine, can disable or bypass defences, and can plant a backdoor that is very hard to detect. The impact is broad because the method relies on standard operating-system features (services, registry, providers) and needs no kernel-level exploit or specific zero-day vulnerability. Any system running AV that makes it easy to edit the registry or import certificates is at risk.<\/p>\n<p>An important point here is that this is an abuse technique: administrative tooling and the way the operating system decides to trust modules\/drivers create the attack surface. In addition, the open-source testing code (IAmAntimalware) helps the community understand the risk, but it can also be misused, so its publication should come with clear recommended countermeasures.<\/p>\n<p>Experts recommend:<\/p>\n<ul>\n<li data-xf-list-type=\"ul\">AV vendors should tighten control over module loading: monitor DLL paths, block loads from unexpected directories and strengthen signature verification.<\/li>\n<li data-xf-list-type=\"ul\">Systems should restrict arbitrary certificate import; administrators should tightly control registry write permissions and the addition of providers.<\/li>\n<li data-xf-list-type=\"ul\">Deploy PPL (Protected Process Light) for critical processes and enable integrity checks.<\/li>\n<li data-xf-list-type=\"ul\">Enterprises should monitor changes to services, system certificates and writes to the AV installation directory, and alert promptly on anomalous behaviour.<\/li>\n<li data-xf-list-type=\"ul\">For end users: keep the system and AV software up to date, and be careful when granting admin rights to unfamiliar software.<\/li>\n<\/ul>\n<p>The technique of injecting code into AV processes exposes a paradox: the stronger the protection, the more room there is for abuse if the \"trust\" mechanism is not tight enough. The security industry needs to balance stability and security, update its protection mechanisms quickly, and review certificate and registry management to prevent scenarios where attackers turn the \"shield\" into a weak point.<\/p>\n<div style=\"text-align: right\"><b><i>WhiteHat<\/i><\/b><\/div>\n<div style=\"text-align: right;margin-top: 16px\"><i>Source: <a href=\"https:\/\/whitehat.vn\/threads\/khi-phan-mem-diet-virus-bi-tiem-ma-doc-la-chan-hoa-thanh-cua-ngo-tan-cong.18829\/\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/whitehat.vn\/threads\/khi-phan-mem-diet-virus-bi-tiem-ma-doc-la-chan-hoa-thanh-cua-ngo-tan-cong.18829\/<\/a><\/i><\/div>\n","protected":false},
"excerpt":{"rendered":"<p>A security researcher known as Two Seven One Three has just published a new technique that lets attackers inject malicious code directly into antivirus processes, turning the very processes that are supposed to be protected into a backdoor. Antivirus (AV) software is designed [&hellip;]<\/p>\n","protected":false},
"author":46,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[],"class_list":["post-10545","post","type-post","status-publish","format-standard","hentry","category-tin-tuc-cua-vien"],
"_links":{"self":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts\/10545","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/users\/46"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/comments?post=10545"}],"version-history":[{"count":0,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts\/10545\/revisions"}],"wp:attachment":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/media?parent=10545"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/categories?post=10545"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/tags?post=10545"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}