Malware samples received in the avast! Virus Lab Wednesday show that a spoofed email which looks like it has been sent from AVAST is spreading widely. Fortunately, AVAST detects this malware as Win32:Malware[Gen] and has been blocking the virus since 12:45 pm yesterday. The email’s subject header says, “Your Order details and Additional information,” and […]
If Hollywood is to be believed, we will all one day be living in a future filled with robots, or less likely, zombies. Robots are everywhere in our predicted future. A common theme on the silver screen is the artificial intelligence mastermind attempt…
by Thomas Salomon, head of AVAST Software ‘s German Software Development team In one of our previous posts we wrote about browser extensions and their possibly unwanted effects on our customers’ computers. Browser toolbars have been around for years, however, in the last couple of months they became a huge mess. Unfortunately, lots of free […]
ディーワーリーは、「光の祭典」とも呼ばれるヒンドゥー教の重要な祝祭です。この祭典は 5 日間続き、その間は多くの人々がお祝いの雰囲気を盛り上げ、お祭り気分を分かち合います。今年のディーワーリーは 11 月にあたりますが、予想どおり、ディーワーリーを悪用した詐欺メールが Symantec Probe Network で検出され始めています。
シマンテックが特定した詐欺メールは、インド準備銀行から送信されたように偽装されており、ディーワーリーを祝う特別賞金に当選したと書かれています。賞金額はインドの通貨で 4 クローレ 70 ラークルピー、つまり 1,070 万ルピー(およそ 17 万 5 千ドル)です。この賞金を手に入れるためと称して、指定された電子メールアドレスに個人情報を送信するよう要求されます。
このスパム攻撃では、以下の件名が確認されています。
件名: UP-COMING DIWALI SPLASH…….(もうすぐ感動のディーワーリー……)
図. ディーワーリーを悪用した 419 詐欺の電子メール
今後の数カ月間はいくつも祝祭日が続くので、こうした疑わしい電子メールには注意が必要です。インド準備銀行は、金銭詐取を狙った怪しい偽メールに注意するよう国民に警告しています。
シマンテックは、ディーワーリーを悪用するスパム攻撃が今後何日間か急増するものと予測しています。個人情報の漏えいを防ぐために、迷惑メールを開かないように十分に注意し、スパム対策シグネチャを定期的に更新するようにしてください。シマンテックでは、最新の脅威に関する情報をお届けできるよう、こうしたスパム攻撃に対して厳重な監視を続けています。
楽しく安全なディーワーリーをお過ごしください!
* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。
In the 25 years that AVAST has existed, the goal has always been to protect people’s valuable data, residing on computers and mobile devices, from cybercrooks. Today, after all those years of experience gained from protecting nearly 200 million devices, we are proud to introduce our strongest, most effective product, the new avast! 2014. “The […]
寄稿: Val S
メキシコの犯罪組織は、金銭を盗み出す新しい手口を次々と生み出すことで悪名を馳せています。現金自動預け払い機(ATM)も頻繁に狙われていますが、犯罪者にとって問題になるのは ATM から実際に現金を取り出す方法です。以下の 3 つの方法がよく使われています。
以上の手口はいずれも、成否が完全に外的な要因に左右されますが、犯罪者にとって最も望ましいのは、ボタンをいくつか押すだけで ATM から現金を吐き出させる(2010 年の BlackHat カンファレンスで故バーナビー・ジャック(Barnaby Jack)氏が実演したように)ことです。金融機関にとっては悪夢ですが、犯罪者の夢が実現してしまったかもしれません。他のウイルス対策企業との合同調査で、シマンテックは 2013 年 8 月 31 日にそのサンプルを特定し、2013 年 9 月 4 日にその検出定義を追加しました。このサンプルは Backdoor.Ploutus として検出されます。
シマンテック外部からの情報によると、このマルウェアは CD-ROM ドライブに新しいブートディスクを物理的に挿入することで ATM に転送され、ブートディスクからマルウェアがコピーされます。
今回の犯罪者が作成したインターフェースは、侵入した ATM 上の ATM ソフトウェアと対話するため、現金を格納しているコンテナ(カセットとも呼ばれます)から、利用可能な現金をすべて引き出すことができます。
注意しなければならないのは、カードの所有者が ATM のテンキーで入力した情報をすべて読み取る機能も備えているため、犯罪者は外部デバイスをいっさい使わずに重要な情報を盗み出せるという点です。
このマルウェアの影響を受けている他の国や地域から確定的な情報はまだ届いていませんが、同じ ATM ソフトウェアを使っている他の国や地域の金融機関も狙われる恐れがあります。
失効していないアクティブな ATM ID を使って現金を引き出す必要があるため、上に挙げたコマンドのリストはこの順序で実行される必要があります。
ソースコードではスペイン語の関数名が使われ、英語の文法に間違いがあることから、このマルウェアはスペイン語圏の開発者によって作成されたものと考えられます。
前述したように、このタイプの操作では別途キーボードを接続する必要はありません。
ATM のテンキーを使って入力されるコマンドコードとその目的は、以下のとおりです。
12340000: キーボードがコマンドを受け取っているかどうかをテストします。
12343570: ATM ID を生成します。ID は、config.ini ファイルの DATAA というエントリに保存されます。
12343571XXXXXXXX: これは 2 つの処理を実行します。
12343572XX: ATM に現金を引き出すよう命令します。伏せ字にしてある桁が、引き出す金額(100 ドル紙幣の枚数)を表します。
この方法を使うには、外付けキーボードが必要です。
F8 = Backdoor.Ploutus のウィンドウが非表示の場合に、それを ATM のメイン画面に表示します。これにより、犯罪者がコマンドを送信できるようになります。
Backdoor.Ploutus のウィンドウが表示されたら、キーボードで対応するキーを押すと以下のキーコマンドが発行されます。
F1 = ATM ID の生成
F2 = ATM ID のアクティブ化
F3 = 引き出し
F4 = Backdoor.Ploutus ウィンドウの無効化
F5 = KeyControlUp(上に移動)
F6 = KeyControlDown(下に移動)
F7 = KeyControlNext(次に移動)
F8 = KeyControlBack(前に移動)
図. Backdoor.Ploutus のキーコマンド
今回の犯罪者が ATM ソフトウェアをリバースエンジニアリングし、それと対話するインターフェースを作り上げたことは明らかです。私たちは ATM アーキテクトではありませんが、確認できたコードに基づいて、Backdoor.Ploutus には以下のような機能があると推測できます。
今回の発見で改めて強調されたのは、従来の物理的な犯罪を企てる犯罪者とハッカーやサイバー犯罪者との間で協力関係が増してきていることです。セキュリティのあらゆる面で技術が進化しているため、従来型の犯罪者は、これまで必要とされなかったスキルがなければ盗みが成功しないことに気付きつつあります。今や、最新の銀行強盗団には、盗みを手助けする熟練した IT 専門家が不可欠になりました。これは映画の中だけの話ではありません。実際に、もしかしたら皆さんの身近な ATM で起きているかもしれない現実なのです。
* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。
Contribuidor: Val S
Es del conocimiento público que los delincuentes en todo el mundo y en México siempre están buscando nuevas formas de obtener dinero ilícito. Una de las formas más comunes de ganar dinero &ldquo…
Contributor: Satnam Narang
Previously we blogged about Backdoor.Egobot and outlined how it targets specific industries while maintaining a low profile. The cybercriminals behind Egobot may also have developed Infostealer.Nemim for a more widespread and prevalent campaign. Despite a difference in scope, both threats steal information from compromised computers and there are indications these two threats originate from the same source.
Nemim components
Symantec detected Nemim in the wild as early as the fall of 2006. One of the earliest samples contained a timer mechanism to determine when to remove itself from the compromised computer. Removal was conditional and tied to a fixed date or based on the number of times the sample was executed. The timer mechanism feature was also found in samples of Egobot.
The Nemim samples we analyzed were digitally signed with stolen certificates and, over time, the malware was updated with three components:
Infector component
The infector component is designed to infect executables in specific folders. In particular, the infector targets the %UserProfile% folder and all of its subfolders.
Infection is not sophisticated. Nemim copies itself into a new section named .rdat added at the bottom of the infected file. The original entry point of the infected file is altered in order to point to the Nemim code in the .rdat section. The infection code is responsible for decrypting, dropping, and running an embedded executable file in the following path:
This executed file is the downloader component.
Downloader component
The downloader component acts as a wrapper for an encrypted executable. After decryption, the encrypted executable is loaded dynamically. This encrypted executable file contains the actual downloader functionality. However, before downloading, the malware harvests the following system information from the compromised computer:
Figure 1. System information harvested by Infostealer.Nemim from compromised computers
This harvested information is encrypted, converted to Base64, and sent to the command-and-control (C&C) server, just like Egobot. The harvested information is viewable on the C&C server in an unencrypted format. For instance, the P2Pdetou variable shows computer name and user name: [COMPUTER NAME]@[USER NAME]. The server then responds with basic commands, including a payload that is dropped and executed. The downloader then expects the server to respond with a “minmei” string accompanied by the following commands:
uprenoThe up command, for instance, indicates that the downloaded data contains an executable payload that the downloader will decrypt and run.
Information stealer component
The Information stealer component can steal stored account credentials from the following applications:
The information stealer sends stolen data back to the C&C server and, like the downloader, expects a “minmei” string in response.
Geographical distribution and protection
Japan and the United States are the main targets of Nemim, followed by India and the United Kingdom.
Figure 2. Infostealer.Nemim geographical distribution
Symantec detects all the components of these threats to protect customers from attacks:
Nemim and Egobot connection
Analysis of the Nemim binaries revealed a connection to Backdoor.Egobot due to several similarities found in both threats.
|
|
Nemim |
Egobot |
|
Information gathered in specific formats using specific tags |
Sys@User : %s@%s (%s) |
Sys@User : %s@%s (%s) |
|
Information encryption |
Encrypted and Base64 encoded |
Encrypted and Base64 encoded |
|
C&C communication format |
[URL/IP]/[PATH]/[FILE].php?a1= |
[URL/IP]/[PATH]/[FILE].php?arg1= |
|
Code injection technique |
Microsoft Detours functionality |
Microsoft Detours functionality |
Table 1. Similarities between Nemim and Egobot
Based on these similarities and the overlapping timelines of both the campaigns it is apparent that Nemim and Egobot come from the same source.
Potential for a new campaign
Nemim continues to operate today and has effectively evolved over time. For instance, the string encryption has become non-trivial, stolen digital certificates have been upgraded with newer ones, and there are now checks in place to detect common virtual machines. Indeed, for the last seven years the attackers have shown an unwavering commitment to innovation and have developed malware that is adaptable to fit the needs of two different attack campaigns. We expect this innovate trend will continue with a high potential for new campaigns.
Contributor: Satnam Narang
Backdoor.Egobot is a Trojan used in campaigns targeting Korean interests. The execution of the campaigns is straightforward and effective. Symantec data indicates the campaigns have been in operation since 2009. Egobot has continuously evolved by adding newer functionalities. The attackers use the four golden rules of a targeted campaign:
We have also uncovered a parallel campaign that has been in operation as early as 2006, which we will cover in another blog.
Egobot targets
Egobot is targeted at executives working for Korean companies and also at executives doing business with Korea. Industries targeted with Egobot include:
Targets are located around the globe and include Korea, Australia, Russia, Brazil, and the United States.
Figure 1. Countries targeted with Backdoor.Egobot
The aim of the Egobot campaign is to steal confidential information from compromised computers.
Exploitation
The attackers gather information about their targets using social engineering techniques prior to luring them into the trap. The targets are sent a spear phishing email, often pretending to be sent from a person they already know. The spear phishing email contains a relevant or enticing message to the target, prompting them to open the malicious attachment. The malicious attachment may be a shortcut .lnk file that points to a file hosted on GeoCities Japan.
Figure 2. Egobot spear phishing email with malicious shortcut attachment
Various malicious attachments have been used in this campaign:
When attachments are opened it triggers the following three-stage download process:
Stage 1: Download obfuscated HTML file
Each of the attachments downloads malware from sites hosted on GeoCities Japan. The files vary, but are usually named update[YYYYMM].xml which is an obfuscated HTML file that drops an executable on the system.
Stage 2: Download RAR archive
The dropped executable from Stage 1 then retrieves another file from GeoCities Japan. This file is hotfix[YYYYMM].xml, which is an executable RAR file. Both downloaded files in the first two stages are disguised as XML documents in an attempt to pass as a clean file.
Stage 3: Download back door component
The executable RAR file is responsible for preparing the system. It drops a set of files which are responsible for moving files around, injecting a component into processes, and stealing the following system information:
Figure 3. Stolen system information found in Egobot strings
Stolen information is sent to Egobot’s command-and-control (C&C) server in the following format:
Figure 4. Communication back to C&C server, arg1 value highlighted
Data that is sent back to the C&C is encrypted using a rotating key embedded within the malware. We observed the following two specific keys:
Finally, the executable RAR file downloads one last component from GeoCities Japan. This downloaded file is named using the value of arg1 in the GET command sent to the C&C. In this case, Egobot attempts to download a file called 1irst.tmp, which is the main payload.
Stealing information
The main payload has specific functions that are potentially disastrous for targeted business executives. These functions include:
The stolen information is uploaded to remote servers hosted in Malaysia, Hong Kong, and Canada. The attackers have also updated their code to include 64-bit versions to work seamlessly across 64-bit platforms.
Staying under the radar
Egobot is downloaded onto a system as a bundled RAR archive with various components packed using commercial packers exe32pack and UPX. These following components are used to mask the presence of the malware:
Figure 5. Backdoor.Egobot components
Symantec customers are protected by Symantec Email Security.cloud. Malicious samples from this campaign are detected as Trojan Horse, Trojan.Dropper, Trojan.Mdropper, and Backdoor.Egobot.
And, unfortunately, there is more to this story. Through our research into Egobot, Symantec has identified a parallel operation related to Egobot that has been active since 2006, about three years before Egobot. Further details on the Nemim campaign—including its relation to the Egobot campaign—are explained in a separate blog, Infostealer.Nemim: How a Pervasive Infostealer Continues to Evolve.
Where beer flows like water The Czechs love their beer. Monks living in the region started brewing in monasteries just a few centuries AD. The Czechs gave the gift of Pilsner to the world back in the mid-1800s, and ever since then citizens have supported their own industry by consuming more beer per capita than […]