????????????????????????????????

      No Comments on ????????????????????????????????

寄稿: Avdhoot Patil

インターネットは、至るところにセキュリティ上の脅威が潜む危険な場所でもありますが、脅威が複合するとその危険性はさらに高くなります。最近のフィッシングはサイバー犯罪において重要な役割を担っており、フィッシング詐欺師も最近、他のセキュリティ上の脅威に対して関心を強めています。今年は、たとえばマルウェアやスパムといった脅威とフィッシングとの融合が確認されています。先日、偽アプリでマルウェアが使われていたのも、その一例です。

今月に入ってからも再び、Facebook に偽装したフィッシングサイトでマルウェアが使われました。このフィッシングサイトは、Android と iPhone のユーザーを誘導して偽アプリをインストールさせようとします。サイトのホストサーバーはフランスのパリに置かれ、ページはフランス語で書かれていました。

フィッシングサイトにはエサが付きものですが、毎度お決まりのエサでユーザーが見慣れてしまわないように、フィッシング詐欺師は次々と新たな手口を考え出してきます。今回のエサは、パスワードを入力せずに iPhone や Android から Facebook にログインできると謳う偽アプリの広告です。

figure1_0.png

図 1. 偽の Facebook アプリを宣伝するフィッシングサイト

広告の売り文句によれば、このアプリは 24 時間だけ無料で試用できます。広告の下にあるボタンは、翻訳すると「続行」という意味で、このボタンをクリックすると手順の書かれたページに移動します。

figure2_0.png

図 2. 偽アプリを利用するための手順説明

手順は以下のとおりです。

  1. ユーザーは、フォームに個人情報を入力する必要があります。
  2. iPhone アプリまたは Android アプリを選択し、アプリをダウンロードします。
  3. アプリを試用できるのは、初回のインストール時だけです。
  4. 試用期間の 24 時間が過ぎると、アプリは自動的にロックされます。
  5. 試用期間が過ぎると、支払いオプションを記載した電子メールが届きます。ユーザーは、アプリを使い続けることも、アンインストールすることもできます。

figure3_0.png

図 3. 個人情報の入力フォーム

この手順を読んで続行ボタンをクリックするとフィッシングページにリダイレクトされ、名前、電子メールアドレス、パスワードの入力を求められます。フィッシングサイトの説明によれば、このアプリをインストールすることで、ユーザーはこのアプリの使用を法的に同意したことになります。

このフィッシングサイトでは、個人情報を求める理由が以下のように説明されています。

  1. 24 時間の試用期間が経過してから、アクティブ化コードを受け取るために電子メールアドレスが必要です。
  2. iPhone または Android アプリにアクセスする際にはパスワードが必要です。

figure4_0.png

図 4. モバイルアプリのインストーラに偽装した悪質なダウンロード

フィッシングサイトで次のページに進むと、アプリのダウンロードリンクとして Android と iPhone のロゴが表示されます。これらのリンクをクリックすると、iphone.zip.exe または android.phone.exe というファイルのダウンロードを確認するメッセージが表示されます。実際には、これは Android アプリでも iPhone アプリでもなく、Windows 用のマルウェアです(シマンテックはこれを Backdoor.Breut として検出します)。Android や iPhone のロゴを使っているのは、インストールを誘うためにすぎません。

今回のマルウェアを解析した結果、以下のような事実を確認しました。

  1. このマルウェアは Darkcomet RAT と同一である。
  2. ネットワーク接続の機能はない。
  3. コマンド & コントロール(C&C)サーバーは 127.0.0.1:1604(ローカルループバックアドレス)と設定されている。
  4. このマルウェアは外部サーバーには接続しない。

この手口に乗ってログイン情報を入力したユーザーは、個人情報を盗まれ、なりすまし犯罪に使われてしまいます。

インターネットを利用する場合は、フィッシング攻撃を防ぐためにできる限りの対策を講じることを推奨します。

  • アカウントにログインするときに、アドレスバーの URL を確かめ、間違いなく目的の Web サイトのアドレスであることを確認する。
  • 電子メールメッセージの中の疑わしいリンクはクリックしない。
  • 電子メールに返信するときに個人情報を記述しない。
  • ポップアップページやポップアップウィンドウに個人情報を入力しない。
  • 個人情報や口座情報を入力する際には、鍵マーク(画像やアイコン)、「https」の文字、緑色のアドレスバーなどが使われていることを確かめ、その Web サイトが SSL で暗号化されていることを確認する。
  • ノートン インターネットセキュリティやノートン 360 など、フィッシング詐欺やソーシャルネットワーク詐欺から保護する統合セキュリティソフトウェアを使う。
  • 電子メールで送られてきたリンクや、ソーシャルネットワークに掲載されているリンクがどんなに魅力的でも不用意にクリックしない。

 

* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。

Typoon Haiyan: Spammers Strike with DHA Attack

      No Comments on Typoon Haiyan: Spammers Strike with DHA Attack

Tacloban, the new ground zero created by Haiyan, is the raison d’être for a large Directory Harvest Attack (DHA) launched by spammers today.

A DHA attack is launched to check the validity of an email directory or emails related to a targeted email server. The aim of this is to collect intelligence and prepare a platform to launch a large spam campaign on that particular site once a database is put in place. Rejected emails return as bounce or Non-Delivery Report/Receipt (NDR) and the rest is concluded as legit, while valid emails will soon be bombarded with a host of spam, phish and malware laden email attacks.

The attack is launched, with the spammer claiming to be from a reputed mass media and communications company on a very large internet site and service provider, for the sole purpose of harvesting and validating email addresses.

The email’s structure is very simple. The headers and body content of the said attack are taken from a news article of a reputed news channel that was published around 14 November 2013. The alias in the form line and the subject line contain randomization at the end to prevent being caught by the spam filter detection.

Subject: Typhoon: After battle to survive, the struggle to live 26488
From: “Typhoon: After battle to survive, the struggle to live 26488″<email address>

Figure1_4.png

Figure 1. A spam email about Typhoon Haiyan from a DHA attack

Symantec advises users to configure directory harvest attack recognition to protect their website environment, and to update their spam filter algorithms to repel such attacks.

Can avast! protect me against CryptoLocker?

      No Comments on Can avast! protect me against CryptoLocker?

Question of the week: I have read frightening stories about CryptoLocker locking computers. I don’t have $200 to pay blackmailers for my own files. How do I protect myself from getting attacked? Does avast! protect from CryptoLocker?   “Avast! Antivirus detects all known variants of CryptoLocker thanks to our automated processing and CommunityIQ,” said Pavel […]

2014 Predictions from Symantec

      No Comments on 2014 Predictions from Symantec

Whispers.

The secret to predicting the future is to listen for the whisper.

By the time you’ve heard things in a loud, clear voice they have already come true. I’ve been listening to the whispers in 2013 and have a pretty good idea for what we’ll be hearing loud and clear in 2014. Below are my predictions of the top things we’ll hear and what they will mean for us in 2014.

  • People will finally begin taking active steps to keep their information private.
  • Scammers, data collectors and cybercriminals will not ignore any social network, no matter how “niche” or obscure.
  • The “Internet of Things” becomes the “Internet of Vulnerabilities.”
  • Mobile apps will prove that you can like yourself too much.

“Wait a minute…The Internet knows more about me than my own mother?”

People will finally begin taking active steps to keep their information private.

Privacy issues have littered the headlines in 2013, delivering a wake-up call to people and businesses about the amount of personal information we share and that is collected every day by everyone from your doctor to your social network. You can expect to see privacy protection as a feature in new and existing products. Then, beyond 2014, we’ll be arguing on whether or not these features actually provide any privacy protection. Expect Tor, which enables online anonymity, to become a popular application across the spectrum of Internet users. You’ll also see a resurgence of users adopting aliases and fake names on social networking sites to protect their privacy. And you know who is going to lead the way on this? Teens. They do care about privacy—and not just where their parents are concerned. Given this, more people will move to new, upstart and niche social networking sites, in an attempt to hang with their friends in obscurity. Which leads to my next prediction…

 “Adult supervision is not wanted but adult behavior may keep you out of trouble.” 

Scammers, data collectors and cybercriminals will not ignore any social network, no matter how “niche” or obscure.

It’s tempting to believe that you can move to a new neighborhood and all your old problems will go away. They don’t in real life and they won’t when it comes to social networking. Any new social network that attracts users will also attract scammers and miscreants. Users who feel it’s just them and their friends on these new sites are in for a big (and unpleasant) surprise. Your mother won’t be there to remind you, so let me: If something sounds too good to be true, it almost certainly is a scam. Protect yourself by using security best practices no matter where you are on the Internet, or how you connect to it. And speaking of connecting…

“Your toaster is not infected, but your security camera just robbed you blind.

The “Internet of Things” becomes the “Internet of Vulnerabilities.”

You can expect dumb things will get smarter in 2014. With millions of devices connected to the Internet—and in many cases running an embedded operating system—in 2014, they will become a magnet for hackers. Security researchers have already demonstrated attacks against smart televisions, medical equipment and security cameras. Already we’ve seen baby monitors attacked and traffic was shut down on a major tunnel in Israel, reportedly due to hackers accessing computer systems via a security camera system. Major software vendors have figured out how to notify customers and get patches for vulnerabilities to them. The companies building gadgets that connect to the Internet don’t even realize they have an oncoming security problem. These systems are not only vulnerable to an attack – they also lack notification methods for consumers and businesses when vulnerabilities are discovered. Even worse, they don’t have a friendly end-user method to patch these new vulnerabilities. Given this, we are going to see new threats in ways in which we’ve never seen before.

“I like you, I like you, I like you… That will be $20 and your login and password, please.”

Mobile apps will prove that you can like yourself too much.

People (generally) trust those they sleep with, so it should not be surprising that with 48 percent of people sleeping with their smart phones, they are lulled into a (false) sense of security about them. In 2013, we reported on a mobile app that would secure additional “likes for your postings on Instagram. All you had to do was hand over your login and password to some guy in Russia. More than 100,000 people saw nothing wrong with that. We trust our mobile devices and the wonderful apps that run on them to make our lives better. We suspend disbelief for that device that sits in our pocket, purse or nightstand. The bad guys are going to take advantage of this big time in 2014. I’m not even talking about malware – mobile apps are going to be behind hoaxes, cons and scams of all sorts in 2014.  

So, there you have them, my predictions for 2014. Of course, the best part of trying to predict the future is being surprised by the unforeseen and the unimaginable. I’ll be right on some of my predictions. I’ll be proved wrong on others. What’s certain is that I’ll be listening for all the new whispers to see what 2015 will bring.

predictions-infographic-FINAL.jpg

Cryptolocker ??????: ???????????????????

      No Comments on Cryptolocker ??????: ???????????????????

英国の国家犯罪対策庁(NCA)は先週、大量スパム攻撃によってきわめて多くのユーザーが Cryptolocker マルウェアの標的になっていると警告しました。

この警告によると、英国内で数百万人ものユーザーが悪質な電子メールを受け取っており、その主な標的は中小規模の企業のようです。

Trojan.Cryptolocker については最近のブログでも取り上げており、ランサムウェアに類する脅威の活発な進化の状況を報告しました。Cryptolocker は、侵入先のコンピュータ上のファイルを暗号化し、復号鍵を取引材料として身代金を要求する手口で増加しています。シマンテックは、『インターネットセキュリティ脅威レポート』の最新号で、このようなランサムウェアの急増を予測していました。
 

image1-b.png

図 1. Cryptolocker に誘導されるスパムメールの例
 

このスパム攻撃では、被害者を狙うさまざまなワナが使われています。たとえば、覚えのない番号から発信された音声メッセージや、未払いの請求書などに偽装した電子メールが確認されています。
 

image2_9.png

図 2. Cryptolocker に誘導されるスパムメッセージの別の例
 

悪質な添付ファイル自体はダウンローダであり、それを使って Trojan.Zbot など他の脅威が取得されます。それが最終的に Cryptolocker の感染を引き起こして身代金を要求します。
 

image3_9.png

図 3. 復号鍵に必要な支払いの要求画面
 

NCA の警告によると、2 枚の Bitcoin(2013 年 11 月 18 日時点で 653 ポンドに相当)を要求する Cryptolocker のサンプルが確認されています。シマンテックが解析したサンプルの中には、Bitcoin を 1 枚だけ要求するものもありました。

シマンテックの Email Security.cloud をお使いのお客様は、組み込みの Skeptic™ テクノロジにより、このスパム攻撃から保護されています。また、シマンテックはこれらのサンプルに対して以下のセキュリティシグネチャを用意しています。

検出名 検出定義のタイプ
Downloader ウイルス対策シグネチャ
Trojan.Zbot ウイルス対策シグネチャ
Trojan.Cryptolocker ウイルス対策シグネチャ
Trojan.Cryptolocker!g2 ヒューリスティック検出
Trojan.Cryptolocker!g3 ヒューリスティック検出
System Infected: Trojan.Cryptolocker 侵入防止シグネチャ

シマンテックでは、今後も Cryptolocker マルウェアの最新版に対して保護対策の提供を続けていきますが、お客様の側でも、万一 Cryptolocker に感染した場合に予想される損害を最小限に抑えるための対策として、ファイルを定期的にバックアップすることを強くお勧めします。組み込みツールを使ってファイルを復元する方法については、「Recovering Ransomlocked Files Using Built-In Windows Tools(ランサムウェアでロックされたファイルを Windows の組み込みツールで復元する)」(英語)と題したサポート記事を参照してください。

 

* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。

Smart Phone Users Face Amalgamation of Phishing and Malware

Contributor: Avdhoot Patil
The internet can be a dangerous place with security threats lurking from every direction, and it gets worse when threats meld together. Phishing today is a major part of cybercrime and phishers have recently gained interest i…

A Personal Farewell to Peter Szor

      No Comments on A Personal Farewell to Peter Szor

It was with quite some skepticism that I accepted Peter Szor’s invitation to go surfing with him five years ago. I had tried surfing several times before but had been disappointed by the lack of adrenalin. I came from a snowboarding background and everyone had told me to try surfing because it was so similar. I had tried it, several times, and I was not impressed. It was mostly about sitting around waiting for something to happen. Where is the adrenalin? Where is the rush?

PeterSzor.jpg

Peter Szor holding his book The Art of Computer Virus Research and Defense, I was looking for a picture of him out surfing but I realized that sadly I don’t have any pictures with him at all.

At first Peter wanted to take me (a true novice) to his secret spot* in Malibu, a point break with a rocky bottom that would cut you to pieces if you fell the wrong way. In fact, I remember Peter arriving to work one morning and asking me to have a look at a three inch gash on his head wanting to know if I thought it needed stiches! Not only did he want to take me to this treacherous razor-wire-for-a-sea-bed secret spot (treacherous in my mind anyway) but he also wanted to pick me up at 4:45 AM so we could get out to this spot, about a 45 minute drive from the office, and be ready for the swell he knew was coming. I didn’t want to rock his enthusiasm so I accepted. I think some other people advised him on the “hidden” danger of his strategy and, luckily, he thought better of the first outing and took me close to Santa Monica pier instead at a much more reasonable 6:30 AM.

I don’t know if Peter had read the stress lines appearing on my face or if he was just explaining his own philosophy to me that day. I was new in town and I suppose the stress was starting to show—the stress of being in a new city, a new country and a new role, the stress of taking over and building a new team, setting up the office, as well as dealing with all the normal craziness and hustle and bustle that an incident response role incurs on a daily basis. Whether he was an astute observer or not, I can still clearly remember that early morning surfing session and the conversation we had. In a year of new experiences, arriving in Los Angeles that morning still stands crystal clear in my memory. 

We had paddled out together, a little past the break, and we were sitting on our boards waiting… and waiting… I was in the ready position my board facing towards the beach and the city, just waiting for the right wave to come. Peter was sitting upright on his board facing out instead to the ocean. He said “this is what I love about surfing” and at first I thought I misheard him. “There are no waves” I thought. “I’m not catching anything, it’s early, my arms are tired, and I’m just stuck here waiting”. I told myself, “this guy is losing it”.

“I love to come out here in the morning,” he continued, “turn my back on the city, look out on the ocean and just let all the stress go, have the sun on your face, the blue sky above you, nature all around you, feel the calm of the ocean and just relax. If I catch a wave that’s great, that’s a bonus, but I can just sit here and pretend the stress of the city doesn’t even exist and revel in nature”. And here I was scratching at this ocean and trying to bend it to my liking, trying my hardest to get something out of waking up early, trying so hard to be productive. So, like Peter, I stopped, turned my board around, and for the first time enjoyed surfing.

One minute later Peter was up and away on a nice wave he had spotted while his back was turned away from the city. He sailed by me smiling, giving a thumbs up as he passed. It took me quite a few more sessions before I could enjoy a wave in that way but I have never looked at surfing the same since.

That wasn’t the only thumbs up he sent my way. On a professional level he also gave me some much needed thumbs up during my first years in the Los Angeles office. I appreciated his kind words since, even though he sat just one cubicle away, he did not work on my team or benefit from my work in any way. Affirmation of your work has added gravitas coming from someone with more than 20 years of experience, 40 patents, a book, and numerous papers to their name. Actually the breadth of his patents is still a constant annoyance to me as I try to patent ideas and find out “oh, that’s covered by Peter’s XX patent from 10 years ago”. But that I can handle.

The last time I saw Peter was about two months ago. We went out paddling in Huntington Beach which is where he had relocated to when he started working with McAfee. Huntington is at least an hour drive away so meeting up was not as easy as before and on the occasions when he did come up my direction, to Santa Monica, he was visiting family so surfing was the last thing on his mind. I needed to have a work related conversation with him that week. I wanted his input on a situation many security companies were dealing with at the time. He was familiar with many companies, having worked at F-Secure and McAfee, as well as Symantec. So we agreed to meet up to discuss work and to catch some waves at the same time.

We headed out to Bolsa Chica state beach and were in the water for about an hour. The waves were bad but the day was good. With not much surfing to be done Peter was just enjoying the water, chatting with other surfers, asking them about their boards, showing off his, and just generally talking to everyone. We had lunch together and talked for a few hours. He showed me his new house, raved about his new wife—who was away that day so I didn’t get to meet her—and we caught up on his new role at McAfee.

I didn’t see him again after that. I was planning (and attending) my wedding in Hong Kong. When I returned two weeks ago and contemplated getting in the water again, I thought of Peter. I wanted to call him to go out paddling again. In the end I was still jetlagged so I put off the surfing and the call to Peter for one more week, one week too long. 

I’m sad that I won’t get a chance to paddle out with Peter again, and to turn our backs to the city, and forget all the stress of life, to be one with nature and enjoy a piece of serenity with my friend for one more short moment.

May you look out on the ocean with your troubles far behind you forever Peter and may you Rest In Peace.

Liam.

*Secret spot: it’s not really a secret spot but someone had told Peter not to mention it to anyone so he felt terribly guilty mentioning it to me at all.

Note: We don’t have comments enabled here but feel free to tweet @liam_omurchu if you have your own stories with Peter.

 

Cryptolocker Alert: Millions in the UK Targeted in Mass Spam Campaign

Last week, the United Kingdom’s National Crime Agency (NCA) warned that tens of millions of customers were being targeted by the Cryptolocker malware through a mass spam campaign.
According to the alert, millions of UK customers received maliciou…

On the road with avast! Mobile Security

      No Comments on On the road with avast! Mobile Security

With six fewer days between Thanksgiving and Christmas this year, the highways are already busy with tractor trailers delivering merchandise to retailers, shoppers making gift runs, and families hitting the road or airports to travel “Over the River and Through the Woods” to Grandmother’s house. With all that moving around, it’s a given that someone […]

Disarm Advanced Persistent Threats with Symantec Messaging Gateway

Most people today rely on email as their method for business communication – sending and receiving hundreds of emails every day. This dependence on email can create a weak link in securing corporate information and expose a company to attacks. Wh…