Category Archives: Security Response News

Chrome ????????????????????

      No Comments on Chrome ????????????????????

Google 社は、Chrome ウェブストアに新しくアップロードされるアプリケーションと拡張機能に対してスキャンを実施するようになりました。Google Play では、すでに類似の機能が導入されています。

悪質な拡張機能にソーシャルネットワークユーザーが欺かれるケースについては、これまでにいくつも紹介してきました。自分のプロフィールに誰がアクセスしたかを確認できるなど、新しい機能をソーシャルネットワークに追加すると謳うのが典型的な手口です。すべてが公式の Chrome ウェブストアで公開されているわけではないので、Google 社の新しいプロセスでも、侵入を果たそうとする悪質な拡張機能をすべて遮断できるわけではありません。それでもなお、悪質な Chrome 拡張機能をできるだけ排除しようとする Google 社の取り組みをシマンテックは歓迎します。また、マルウェアを含む項目の検出率が上がるように自動システムを改善してきた姿勢も評価できます。

悪質なブラウザ拡張機能は、きわめて強力です。拡張機能をインストールしてアクセスを許可すると、ブラウザ内部から悪質なタスクを実行できます。それが、金融業界を狙うトロイの木馬、たとえば Zeus などによる MITB(Man-in-the-Browser)攻撃を引き起こす場合もあり、Web コンテンツを入れ替える、ログインフォームからパスワードを盗み出す、あるいはバックグラウンドでクリック詐欺を実行することも可能になります。現在、こうした悪質な拡張機能はソーシャルネットワーク詐欺としてごく一般的です。Firefox の拡張機能におけるマルウェアの危険性については 2009 年にホワイトペーパー(英語)を公開しましたが、同じ危険性が Chrome の拡張機能にも当てはまります。

Chrome1.jpg

図 1. 新機能を追加すると称する悪質なブラウザ拡張機能

ソーシャルメディアに出現する悪質な拡張機能に関連して、ソーシャルネットワークで無料を謳う商品を見かけたら、特にそれが人気の高い商品であるほど、十分に注意してください。ソーシャルネットワークで現在利用できない機能があるとしたら、利用できないそれなりの理由があるのです。発行元が不明なブラウザ拡張機能はインストールしないようにしてください。無料商品の提供や、未実装の機能の追加を謳っている場合は言うまでもなく、ソーシャルネットワークで盛んに宣伝されている場合には特に疑ってかかりましょう。

 

* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。

New Disk Wiper Found in Korean Attacks

Yesterday, Symantec published details about a new distributed denial-of-service (DDoS) attack carried out by a gang dubbed “DarkSeoul” against South Korean websites. We identified their previous attacks against South Korea, including the devastating Jokra attacks in March 2013 that wiped numerous computer hard drives at South Korean banks and television broadcasters. As a result of our continued investigations into attacks against South Korea, we have come across a new threat—detected as Trojan.Korhigh—that attempts to perform a similar wiping action.

Similar to previous wipers encountered by Symantec in attacks against South Korea, Trojan.Korhigh has the functionality to systematically delete files and overwrite the Master Boot Record (MBR) on the compromised computer, rendering it unusable. The Trojan accepts several command line switches for added functionality, such as changing user passwords on compromised computers to “highanon2013” or executing specific wipe instructions related to the following file types:

  • asp
  • aspx
  • avi
  • bmp
  • dll
  • do
  • exe
  • flv
  • gif
  • htm
  • html
  • jpeg
  • jpg
  • jsp
  • mp4
  • mpeg
  • mpg
  • nms
  • ocx
  • php
  • php3
  • png
  • sys
  • wmv

The Trojan may also change the computer wallpaper as an indication of compromise. At this time, we cannot confirm the identity of the attackers.
 

111.png

Figure. Trojan.Korhigh wallpaper
 

The threat may also attempt to gather system information about the compromised machine (operating system version, computer name, current date) which it sends to the following IP addresses:

  • 112.217.190.218:8080
  • 210.127.39.29:80

Symantec is continuing its analysis of this threat and is monitoring on-going attacks against South Korea. To ensure the best protection, Symantec recommends that you use the latest Symantec technologies and up-to-date antivirus definitions.

Phishers Ensuring Social Security with Fake Apps

Contributor: Avdhoot Patil
As usual, phishers continue to focus on social networking as a platform for their phishing activities. Fake social networking applications on phishing sites are not uncommon. Phishers continue to come up with new fake applica…

Norton Mobile Insight Discovers Facebook Privacy Leak

Today we released a new version of Norton Mobile Security for Android devices that contains our new Norton Mobile Insight technology. Mobile Insight has analyzed over 4 million Android applications and processes tens of thousands of new applications ev…

Four Years of DarkSeoul Cyberattacks Against South Korea Continue on Anniversary of Korean War

Yesterday, June 25, the Korean peninsula observed a series of cyberattacks coinciding with the 63rd anniversary of the start of the Korean War. While multiple attacks were conducted by multiple perpetrators, one of the distributed denial-of-service (DD…

Chrome Web Store Apps Now Automatically Scanned

Google has started to scan newly uploaded applications and extensions in its Chrome Web Store, similar to what they already do in the Android Play Market.
We have written about quite a few cases where malicious extensions were pushed on social network …

The Risk with Content Management Systems

The federal Office for Information Security in Germany (BSI) together with the “Fraunhofer SIT” and “]init[ AG” released a study on the risk with common content management systems (CMS) for websites. A CMS is typically used to a…

Phishers Claim to Ensure Security for Digital Currency Users

Contributor: Avdhoot Patil
Digital currency, a form of electronic money, is a relatively new concept to the world. Many of these currencies have arisen during the past decade and digital currency in general has always been a subject of controversy. In …

Vine: Spammers Find a New Home on Twitter’s Video Sharing Service

In late January of this year, Twitter released Vine, a social video-sharing service that it acquired in late 2012. Initially launched on iOS, Vine has similar characteristics to Twitter as videos are intentionally short (users are only allowed six seco…

When Unicorns Breach your Security

      No Comments on When Unicorns Breach your Security

Last week a purple unicorn (a stuffed one, not a real one) generated some confusion at a border station in Turkey. According to this article, a family including their nine year old daughter, travelling across the Turkish border accidentally used the stuffed unicorn’s toy passport instead of the daughter’s real passport. The officer checked the passport, officially stamped it, and then let them through. At this point, the story deviates based on the source. Immigration said that the officer just wanted to be kind to the girl and forgot to stamp the real passport too. The family reports that there was no hesitation and that their daughter may have just have slipped through.

This story serves as a good reminder that security measures are only as good as their implementation. From crypto-graphical functions implemented with static initialization vectors, to passwords that are derived from public MAC addresses, to Web applications with poor session management that can be bypassed by calling the API directly. There are many examples throughout history of secure technology that actually had large, gaping security holes once they had been implemented. These examples do not even consider products that are implemented properly, but are not configured correctly or suitably integrated into the process so that the log files are never read.

If you are implementing security functions, ensure that you do it properly. Follow coding standards and play the attack scenario through. If you install security products, make sure that you configure them to your needs. Take note, if you do not pay attention to the details, you might be overrun by purple unicorns.