The Windows BITS service is being used to re-infect computers with malware
Xakep #263: Credit cards in danger
SecureWorks experts warn that hackers have found a new way to re-deliver malware to a system that was compromised once before. To do this, attackers use the Windows BITS (Background Intelligent Transfer Service) component, which is responsible for transferring files between client and server and is used by Windows Update and Microsoft Security Essentials. It turns out that BITS handles malware delivery no worse than it handles update delivery.
The idea of using Windows BITS for attacks is not new: as early as 2006, Russian-speaking hackers were discussing malware that could use BITS to download and install malicious code, and real cases of the service being abused this way have been seen since 2007. So the attacks discovered by the SecureWorks researchers are more a case of "everything old is new again".
SecureWorks researchers were called in to investigate a strange case: a system that definitely contained no malware kept exhibiting odd behavior and triggering security alerts.
The experts soon established that the original infection had occurred back on 4 March 2016: a computer running Windows 7 was hit by a DNSChanger variant, specifically the Zlob.Q malware. The logs showed that it was Zlob.Q that added new jobs to the BITS service.
[Figure: example of the Microsoft-Windows-Bits-Client/Operational.evtx log]
The first job initiated the download of a file that was saved to C:\ProgramData\<066b06e5-512c-0>\<066b06e5-512c-0>.d. When the download completed, BITS ran the downloaded code as a "notification program" and then "cleaned up after itself" by deleting the files it had used. Although the original malware had long since been removed from the system by the antivirus, the BITS jobs remained, and the malware was re-downloaded "on schedule". Because BITS is a trusted service, the antivirus did not block this activity and did not treat it as malicious; the security software only raised notifications that something suspicious was happening.
[Figure: what happened after the file was downloaded]
The researchers note that the maximum lifetime of a BITS job is 90 days, but it can be extended, in which case the attacker gains a reliable foothold for further attacks.
In conclusion, the SecureWorks specialists described ways to combat infections of this kind and provided a list of the domains used by the attackers in this case. The full research report is available here.
WM_MOUSEHWHEEL message
Sent to the active window when the mouse’s horizontal scroll wheel is tilted or rotated. The DefWindowProc function propagates the message to the window’s parent. There should be no internal forwarding of the message, since DefWindowProc propagates it up the parent chain until it finds a window that processes it.
A window receives this message through its WindowProc function.
Parameters
wParam
The high-order word indicates the distance the wheel is rotated, expressed in multiples or factors of WHEEL_DELTA, which is set to 120. A positive value indicates that the wheel was rotated to the right; a negative value indicates that the wheel was rotated to the left.
The low-order word indicates whether various virtual keys are down. This parameter can be one or more of the following values.
| Value | Meaning |
|---|---|
| MK_CONTROL (0x0008) | The CTRL key is down. |
| MK_LBUTTON (0x0001) | The left mouse button is down. |
| MK_MBUTTON (0x0010) | The middle mouse button is down. |
| MK_RBUTTON (0x0002) | The right mouse button is down. |
| MK_SHIFT (0x0004) | The SHIFT key is down. |
| MK_XBUTTON1 (0x0020) | The first X button is down. |
| MK_XBUTTON2 (0x0040) | The second X button is down. |
lParam
The low-order word specifies the x-coordinate of the pointer, relative to the upper-left corner of the screen.
The high-order word specifies the y-coordinate of the pointer, relative to the upper-left corner of the screen.
Return value
If an application processes this message, it should return zero.
Remarks
Use the following code to obtain the information in the wParam parameter.
Use the following code to obtain the horizontal and vertical position.
As noted above, the x-coordinate is in the low-order short of lParam and the y-coordinate is in the high-order short (both are signed values, because they can be negative on systems with multiple monitors). If lParam is assigned to a variable, you can use the MAKEPOINTS macro to obtain a POINTS structure from it. You can also use the GET_X_LPARAM or GET_Y_LPARAM macro to extract the x- or y-coordinate.
Do not use the LOWORD or HIWORD macros to extract the x- and y-coordinates of the cursor position, because these macros return incorrect results on systems with multiple monitors. Such systems can have negative x- and y-coordinates, and LOWORD and HIWORD treat the coordinates as unsigned quantities.
The wheel rotation is a multiple of WHEEL_DELTA, which is set to 120. This is the threshold for action to be taken, and one such action (for example, scrolling one increment) should occur for each delta.
The delta was set to 120 to allow Microsoft or other vendors to build finer-resolution wheels (for example, a freely-rotating wheel with no notches) to send more messages per rotation, but with a smaller value in each message. To use this feature, you can either add the incoming delta values until WHEEL_DELTA is reached (so for a delta-rotation you get the same response), or scroll partial lines in response to more frequent messages. You can also choose your scroll granularity and accumulate deltas until it is reached.
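The macro-based decoding the Remarks describe, together with delta accumulation for fine-resolution wheels, as an added example that is not code from the Microsoft documentation. The WPARAM/LPARAM types and the SDK macros are re-declared here (an assumption about their layout, matching the public headers) so the file builds without windows.h.

```c
/* Added example, not from the Microsoft page: decode WM_MOUSEHWHEEL
 * parameters and accumulate wheel deltas. The SDK macros are re-declared
 * below so the file builds without <windows.h>/<windowsx.h>; on Windows
 * drop these definitions and include those headers instead. */
#include <stdint.h>

typedef uintptr_t WPARAM;   /* stand-ins for the SDK types (assumption) */
typedef intptr_t  LPARAM;

#define WHEEL_DELTA 120
#define MK_CONTROL  0x0008
#define MK_SHIFT    0x0004
#define LOWORD(l)   ((uint16_t)((uintptr_t)(l) & 0xffff))
#define HIWORD(l)   ((uint16_t)(((uintptr_t)(l) >> 16) & 0xffff))
#define GET_WHEEL_DELTA_WPARAM(w) ((short)HIWORD(w))
#define GET_KEYSTATE_WPARAM(w)    (LOWORD(w))
#define GET_X_LPARAM(lp)          ((int)(short)LOWORD(lp))
#define GET_Y_LPARAM(lp)          ((int)(short)HIWORD(lp))

struct hwheel { int delta; unsigned keys; int x; int y; };

/* Pack parameters the way the system does before posting the message
 * (used here to build constructed test input). */
WPARAM make_wparam(unsigned keys, int delta) {
    return (WPARAM)((uint16_t)keys | ((uint32_t)(uint16_t)delta << 16));
}
LPARAM make_lparam(int x, int y) {
    return (LPARAM)((uint16_t)x | ((uint32_t)(uint16_t)y << 16));
}

/* Correct decoding: signed shorts, so negative coordinates on multi-monitor
 * desktops and leftward (negative) deltas survive. */
struct hwheel decode_hwheel(WPARAM wParam, LPARAM lParam) {
    struct hwheel h;
    h.delta = GET_WHEEL_DELTA_WPARAM(wParam);
    h.keys  = GET_KEYSTATE_WPARAM(wParam);
    h.x     = GET_X_LPARAM(lParam);
    h.y     = GET_Y_LPARAM(lParam);
    return h;
}

/* The mistake the Remarks warn about: LOWORD is unsigned, so x = -300 comes
 * back as 65236 and the pointer appears far to the right of the screen. */
int x_via_loword(LPARAM lParam) { return LOWORD(lParam); }

/* Fine-resolution wheels send many messages with small deltas; sum them and
 * act only per whole WHEEL_DELTA, keeping the remainder in *acc. Returns the
 * signed number of scroll steps to perform now. */
int accumulate_steps(int *acc, int delta) {
    *acc += delta;
    int steps = *acc / WHEEL_DELTA;      /* truncates toward zero */
    *acc -= steps * WHEEL_DELTA;
    return steps;
}
```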
8 buttons usb wheel
Why do I see many drivers?
Below is a list of drivers that may be suitable for your device. Different devices can share the same driver because they use the same chip manufacturer.
How do I select a driver?
If you are looking for an update, pick the latest one. If your driver isn't working, use the driver whose OEM matches your laptop/desktop brand name.
Windows Driver Download Center
Use the links on this page to download the latest version of Genius USB Wheel Mouse drivers. All drivers available for download have been scanned by antivirus program. Please choose the relevant version according to your computer’s operating system and click the download button.
Genius USB Wheel Mouse Drivers Download
- Description: Scan your system for out-of-date and missing drivers
- File Version: 8.5
- File Size: 2.33M
- Supported OS: Windows 10, Windows 8.1, Windows 7, Windows Vista, Windows XP
- Driver Version: 1.8.1.8
- Release Date: 2012-10-31
- File Size: 35.09K
- Supported OS: Windows 10 32 bit, Windows 8.1 32bit, Windows 7 32bit, Windows Vista 32bit, Windows XP 32bit
- Driver Version: 1.3.2.7
- Release Date: 2012-10-31
- File Size: 29.84K
- Supported OS: Windows 10 32 bit, Windows 8.1 32bit, Windows 7 32bit, Windows Vista 32bit, Windows XP 32bit
- Driver Version: 1.8.1.3
- Release Date: 2011-10-26
- File Size: 35.7K
- Supported OS: Windows 10 32 & 64bit, Windows 8.1 32 & 64bit, Windows 7 32 & 64bit, Windows Vista 32 & 64bit, Windows XP
- Driver Version: 8.01.00
- Release Date: 2005-07-14
- File Size: 30.78K
- Supported OS: Windows 10 32 bit, Windows 8.1 32bit, Windows 7 32bit, Windows Vista 32bit, Windows XP
DriverPack is completely free
Tired of searching for drivers for your devices?
DriverPack Online will automatically find and install the drivers you need
Bits on wheels windows
Python curses wheels for Windows
This repository has the source code for the Python curses wheels provided by Christoph Gohlke, set up for easy rebuilding. Only build-wheels.bat is original work.
Wheels built from this repository are made available on PyPI and can be installed with this command:
You can also download wheels from Gohlke’s page.
The curses module is in the Python standard library, but is not available on Windows. Trying to import curses gives an import error for _curses, which is provided by Modules/_cursesmodule.c in the CPython source code.
The wheels provided here are based on patches from https://bugs.python.org/issue2889, which make minor modifications to _cursesmodule.c to make it compatible with Windows and the PDCurses curses implementation. setup.py defines HAVE_* macros for features available in PDCurses and makes some minor additional compatibility tweaks.
The patched _cursesmodule.c is linked against PDCurses to produce a wheel that provides the _curses module on Windows and allows the standard curses module to run.
The wheels are built with wide character support and force the encoding to UTF-8. Remove UTF8=y from the nmake line in build-wheels.bat to use the default system encoding instead.
Clone the repository with the following command:
--recurse-submodules pulls in the required PDCurses Git submodule.
Install compilers compatible with the Python versions that you want to build wheels for by following the instructions at https://wiki.python.org/moin/WindowsCompilers.
Visual Studio 2017 will work for Python 3.5-3.7. For Python 3.5 support, you will need to check VC++ 2015.3 v140 toolset for desktop (x86,x64) during installation.
Note: It is a good idea to install older compilers before newer ones. See the Troubleshooting section.
Install Python 3.3 or later to get the Python launcher for Windows.
Install any other Python versions you want to build wheels for.
Only the Python X.Y versions that have pyXY\ directories are supported.
Install the wheel package for all Python versions. Taking Python 3.4 as an example, the following command will do it:
py is the Python launcher, which makes it easy to run a particular Python version.
Open the Visual Studio Developer Command Prompt of the compiler required by the version of Python that you want to build a wheel for.
Use the 32-bit version (x86 Native Tools Command Prompt for VS 2017) to build wheels for 32-bit Python versions, and the 64-bit version (e.g. x64 Native Tools Command Prompt for VS 2017) to build wheels for 64-bit Python versions.
For Python 2.7, the Developer Prompt is called Visual C++ 2008 32/64-bit command prompt.
Run build-wheels.bat, passing it the Python version you're building a wheel for. For example, the following command will build a wheel for Python 3.5:
If you have both 32-bit and 64-bit versions of the same Python version installed and are building a 32-bit wheel, add "-32" to the version number, like in the following example:
If you are building multiple wheels for Python versions that are all compatible with the same compiler, you can list all of them in the same command:
build-wheels.bat first cleans and rebuilds PDCurses, and then builds and links the source code in pyXY\ for each of the specified Python versions, producing wheels as output in dist\.
Rebuilding the wheels for Python 2.7, 3.5, 3.6, and 3.7
In Visual C++ 2008 32-bit Command Prompt:
In Visual C++ 2008 64-bit Command Prompt:
In x86 Native Tools Command Prompt for VS 2017:
In x64 Native Tools Command Prompt for VS 2017:
This gives a set of wheels in dist\.
The build scheme above should be the safest one to use. In practice, many of the resulting wheels seem to be forwards- and backwards-compatible.
Python 2.7 wants to install both the 32- and 64-bit versions into the same directory by default. They must be installed into different directories. The Python launcher will still find them via py -2.7 and py -2.7-32.
Windows SDK 7.1 (which has Visual C++ 10.0, needed for Python 3.4) might refuse to install when Visual Studio 2017 is installed, giving an error related to a pre-release version of .NET Framework 4.
I don’t know if the problem also affects the full Visual Studio 2010.
There is a registry hack that seems to fix it. If you get a permission error trying to edit the registry key, see this article.
Microsoft recommends installing earlier versions of Visual Studio before later ones. That might be the least-hassle solution.
Also note that the x64 (64-bit) Visual C++ 10.0 compiler isn’t freely available.
Uploading to PyPI
Don’t forget to bump the version number in setup.py before building new wheels. Semantic versioning is intended.
Once the wheels are built, follow the instructions here to upload them to PyPI.
pip /PyPI will look at the wheel metadata and automatically install the right version of the wheel.
Adding support for a new Python version
Create a new directory for the Python version, e.g. py38\
Copy Modules\_cursesmodule.c from the CPython source code to py38\_cursesmodule.c.
Apply the following patch to py38\_cursesmodule.c:
Copy Modules\_curses_panel.c and Modules\clinic\_cursesmodule.c.h from the CPython sources to py38\_curses_panel.c and py38\clinic\_cursesmodule.c.h, respectively.
In practice, Modules\_cursesmodule.c from newer Python 3 versions is likely to be compatible with older Python 3 versions too. The Python 3.4, 3.5, 3.6, and 3.7 wheels are currently built from identical _cursesmodule.c files.
About
Windows curses wheels from Christoph Gohlke, set up for easy rebuilding