ログインフォームにはセキュリティコードについての説明もあり、10 桁の数字を入力し、かつ紙にも書きとめておくようにという指示があります。セキュリティコードは非常に重要であり、管理権限を委譲する場合や、新しい管理者または運営者を追加する場合に必要になるというのがその理由とされています。ログイン情報を入力して[Submit]ボタンをクリックすると、「Thank You. Your Fan Page is being verified and we will notify you within 48 hours when the process is completed.(ありがとうございます。ファンページは検証中です。処理が終わったら、48 時間以内にご連絡いたします)」という確認メッセージが表示されます。
Migrating certificates during a major key size migration can be difficult at best. I’m going to give you some background, share a great video we have produced, as well as share seven steps to aid in this migration.
Background – Key Sizes Change w…
In China, there is a saying: “道高一尺,魔高一丈,” meaning “The law is strong, but the outlaws are sometimes stronger.” In the last few weeks, a new Android malware we’re calling Android/Obad.A has appeared. It uses a number of techniques that have rarely been seen before in mobile malware. Android/Obad.A requests the victim to authorize its Device Read more…
A few weeks ago, we told you about Obad, a backdoor Trojan that targets the Android operating system (OS). What differentiates a Trojan from a traditional virus is that this type of software attempts to masquerade as something useful in order to trick users into opening the file and then leaves a backdoor open so Read more…
A few weeks ago, we told you about Obad, a backdoor Trojan that targets the Android operating system. This Trojan affects all Android OS users, and it is strongly recommended that you address this flaw immediately! What does Obad do? Essentially, Obad enables the downloading of malicious apps onto your Android device right under your Read more…
On June 26 2013, browser manufacturer Opera announced that they had been breached as a result of a targeted attack against their infrastructure. However, this was no ordinary targeted attack. The attackers in this case weren’t looking to steal intellectual property. They wanted to use Opera’s auto-update mechanism in order to propagate a piece of malware normally associated with financial Trojans.
When attackers breached the Opera network sometime around June 19 2013, they first stole an expired Opera code signing certificate to sign a piece of malware. Signing the malware allowed them to distribute it via Opera’s auto-update mechanism. Users would receive the malware as part of a browser update. The malware in question is Downloader.Ponik, a downloader Trojan typically used to propagate cybercrime-related malware, such as financial Trojans and infostealers.
Opera, in their statement, estimates that a few thousand users may have automatically received the malware sometime between 01:00 and 01:36. Opera spotted the breach and were able to halt any further propagation of the malware. As the attackers only had a small window in which to operate they had limited success. Had they had more prolonged access to the Opera network they would have been much more successful. Or would they?
Had the attackers had access to the Opera servers for a longer period they would have been able to propagate their malware to a much larger number of users. However, such an attack would be very noisy, drawing the attention of security companies who would quickly provide protection and lead a concerted effort to take down command-and-control (C&C) servers. All of this would render the malware effectively useless. This is reminiscent of Conficker, a threat which spread to millions of computers and was due to trigger a payload on April 1, 2009. However, by that time, security organizations and hosting providers had worked together to take control of the C&C servers. The threat was being so closely monitored that the attackers were unable to leverage it.
When attackers try aggressive propagation methods they become victims of their own success. For now this attack has been neutralized. Opera recommends that users update their browsers as proactive measure against further attacks. Symantec provides protection for this as Downloader.Ponik. We also recommend that users who think they may have been affected reset their passwords.
Yesterday, Symantec published details about a new distributed denial-of-service (DDoS) attack carried out by a gang dubbed “DarkSeoul” against South Korean websites. We identified their previous attacks against South Korea, including the devastating Jokra attacks in March 2013 that wiped numerous computer hard drives at South Korean banks and television broadcasters. As a result of our continued investigations into attacks against South Korea, we have come across a new threat—detected as Trojan.Korhigh—that attempts to perform a similar wiping action.
Similar to previous wipers encountered by Symantec in attacks against South Korea, Trojan.Korhigh has the functionality to systematically delete files and overwrite the Master Boot Record (MBR) on the compromised computer, rendering it unusable. The Trojan accepts several command line switches for added functionality, such as changing user passwords on compromised computers to “highanon2013” or executing specific wipe instructions related to the following file types:
asp
aspx
avi
bmp
dll
do
exe
flv
gif
htm
html
jpeg
jpg
jsp
mp4
mpeg
mpg
nms
ocx
php
php3
png
sys
wmv
The Trojan may also change the computer wallpaper as an indication of compromise. At this time, we cannot confirm the identity of the attackers.
Figure. Trojan.Korhigh wallpaper
The threat may also attempt to gather system information about the compromised machine (operating system version, computer name, current date) which it sends to the following IP addresses:
112.217.190.218:8080
210.127.39.29:80
Symantec is continuing its analysis of this threat and is monitoring on-going attacks against South Korea. To ensure the best protection, Symantec recommends that you use the latest Symantec technologies and up-to-date antivirus definitions.
