{"id":703,"date":"2015-08-28T10:56:29","date_gmt":"2015-08-28T07:56:29","guid":{"rendered":"https:\/\/furkansandal.com\/bilinen-tehditlere-karsi-antiviruslerin-durumu\/"},"modified":"2015-08-28T10:56:29","modified_gmt":"2015-08-28T07:56:29","slug":"bilinen-tehditlere-karsi-antiviruslerin-durumu","status":"publish","type":"post","link":"https:\/\/furkansandal.com\/bilinen-tehditlere-karsi-antiviruslerin-durumu\/","title":{"rendered":"The State of Antivirus Software Against Known Threats"},"content":{"rendered":"
\n

\t\t\t\t\t\t\t\t\"Bilinen<\/p>\n

\"image_pdf\"<\/div>\n

Whether you are an end user, a system security administrator or an information security specialist, you have probably asked yourself this question from time to time: which antivirus software should I use? As is well known, antivirus software is fundamentally built on signature-based technology. When a new threat appears, it is therefore of great importance to users, in terms of protecting their systems against known threats, that the antivirus vendor creates a signature within a short time and distributes it to its users worldwide. Consequently, when evaluating an antivirus product, one of the dozens of important criteria is how much of the known threat landscape its database can detect, that is, how up to date it is.\n

A while ago, while running various tests (POC, proof of concept) to evaluate a security product that can detect advanced, unknown malware without signatures by performing behavioural analysis on the system and in memory, I was trying to bring out the added value of that product at the points where antivirus software falls short. For this I needed advanced malware samples that antivirus software could not detect but that this product did detect through behavioural analysis.\n

Following that work, I also decided to find out how successful antivirus software is at detecting the APT malware that has been identified so far. Since the subject was advanced malware, the first thing that came to mind was Mandiant's APT1 report, published in February 2013, which covers the advanced attacks carried out by Chinese actors from 2006 until the report's publication. Thankfully, alongside the report Mandiant also shared, as an appendix, the MD5 hashes of the malware samples they had identified (1007 of them). Although obtaining all 1007 samples for use in the tests was hardly possible, thanks to the VirusShare site it was possible to obtain 293 of them.\n


Of course, uploading 293 malware samples to the VirusTotal site one by one and checking the result of each would not be practically feasible, so I decided to write two tools in Python, both to satisfy my own curiosity and with those who need this kind of study for similar reasons in mind.\n

With the first tool I wrote, VirusTotal Mass Uploader (vt_mass_uploader.py), you can upload multiple malware samples you have on hand to the VirusTotal site. To do this, it is enough to create a folder named malwares in the folder where the tool is located and copy the malware samples you want uploaded into that folder.\n


The second tool I wrote, VirusTotal Reporter (vt_reporter.py), reads the vt_report.txt file produced by VirusTotal Mass Uploader and writes the report for each malware sample uploaded to VirusTotal to disk as a .txt file named after that sample. From these files you can see which antivirus engines did and did not detect the sample in question.\n


When I uploaded the 293 malware samples from Mandiant's APT report published in 2013 to VirusTotal with the tools above and looked at which of them the popular antivirus products did and did not detect, the resulting picture surprised me a little.\n


Despite the report having been published two years earlier, it is clearly visible that, as of 25.05.2015, some antivirus products still could not detect these malware samples. For example, ClamAV fails to detect 20 of the 293 samples, Panda 18, and Bitdefender and F-Secure 14 each. Of course, I should mention that one of these samples is Angry IP Scanner, a tool used for scanning IP addresses and ports, so an antivirus product that detected 293/293 would not have produced an entirely accurate result either. Based on the picture emerging from this sample set, it would not be wrong to say that Symantec, ESET-NOD32 and Sophos are more successful than the other antivirus products at detecting known threats by signature.\n

Hoping that this study will guide those who want to evaluate antivirus software and those looking for an answer to the question of which antivirus to use, I wish everyone safe days until we meet in the next post.\n

","protected":false},"excerpt":{"rendered":"

Whether you are an end user, a system security administrator or an information security specialist, you have probably asked yourself this question from time to time: which antivirus software…\n","protected":false},"author":1,"featured_media":494,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","footnotes":""},"categories":[6,1,9,10,3,7,11,4],"tags":[78,76,88,89,26,83,81,79,82,77,80,84,85,87,86],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/08\/fiziksel_guvenlik.jpg?fit=227%2C226&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p6BM7I-bl","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/posts\/703"}],"collection":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/comments?post=703"}],"version-history":[{"count":0,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/posts\/703\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/media\/494"}],"wp:attachment":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/media?parent=703"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/categories?post=703"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/tags?post=703"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}