O mercado negro continua a properar após as grandes violações de dados. O preço de contas de e-mail roubadas caiu significativamente, mas o valor de outros bens e serviços ilegais se manteve estável.
Read More
최근 대형 데이터 유출 사고에도 불구하고 지하 경제 시장은 여전히 호황을 누리고 있습니다. 훔쳐낸 이메일 계정은 값이 대폭 하락했지만, 다른 불법 상품 및 서비스는 여전히 안정적인 가격으로 거래되고 있습니다.
Read More
summary_large_image
Durante la temporada de vacaciones, los compradores buscan en Internet las mejores ofertas para encontrar el regalo perfecto. Sin embargo, los compradores en línea no son los únicos que buscan gangas en esta época del año; los ciberdelincuentes también, aunque ellos, a expensas de los demás. Los delincuentes de Internet utilizan el mercado clandestino para comprar y vender bienes y servicios ilegales, como datos robados, cuentas comprometidas en línea, malware personalizado, servicios e infraestructura de ataque, cupones fraudulentos y mucho más.
Los precios de los bienes y servicios ilegales llegan a variar ampliamente dependiendo de lo que se ofrece pero pueden satisfacer a los ciberdelincuentes que tengan poco presupuesto, ya que, por ejemplo, se pueden obtener datos robados y cuentas comprometidas por menos de un dólar. Servicios más grandes, tales como infraestructuras de ataque, pueden costar desde unos cientos de dólares hasta miles de ellos. Sin embargo, considerando los beneficios potenciales que los atacantes podrían tener mediante el uso de esta infraestructura, el costo inicial puede valer la pena para ellos.
Tomando en cuenta todas las fugas y violaciones de datos, así como los incidentes relacionados con malware en puntos de venta (PoS) que han tenido lugar en el último año, se podría pensar que el mercado clandestino está inundado con información robada, haciendo que los precios bajen, pero, curiosamente, este no parece ser el caso para todos los bienes ilegales que se anuncian en dicho mercado.
Compras clandestinas
Mientras que algunos mercados ilegales son visibles en el Internet público, la cobertura de noticias en la prensa sobre los sitios clandestinos ha aumentado este año, lo que ha obligado a muchos estafadores a moverse a lugares más oscuros de la web. Por ejemplo, algunos foros están alojados en la red anónima Tor como servicios ocultos. Otros mercados solo son accesibles a través de una invitación y requieren un pago inicial, lo que podría implicar dinero o bienes como 100 tarjetas de crédito recién robadas. Algunos más se ejecutan en salas de chat privadas que realizan investigación de antecedentes para que los usuarios puedan unirse. En estos círculos cerrados, los precios son generalmente mucho más bajos y el monto negociado de bienes o servicios es mayor.
Datos robados a la venta
Los precios han caído para cierta información que se vende, tal como las cuentas de correo electrónico; otras se mantienen estables para obtener información más rentable como detalles de cuentas bancarias en línea. En 2007, las cuentas de correo electrónico robadas valían entre $4 y $30 dólares (en Estados Unidos). Para el año siguiente, los precios fluctuaron entre $0.10 y $ 100 dólares. Ya en 2009, las ofertas estaban entre $1 y $20 dólares; hoy en día, se pueden conseguir 1,000 cuentas de correo electrónico robadas por $0.50 a $10 dólares. El rango de precios más reciente es un buen indicador de que hay un suministro abundante de datos robados disponibles, por lo que el mercado se ha ajustado.
La información de tarjetas de crédito, por otro lado, no ha disminuido en valor en los últimos años. En 2007, esta información se anunciaba entre $0.40 y $20 dólares por pieza. El precio depende de diferentes aspectos, como la marca de la tarjeta, el país de origen, la cantidad de metadatos proporcionados, descuentos por volumen y cómo fueron robados los datos de la tarjeta.
En 2008, el precio promedio de venta de datos de tarjetas de crédito era un poco más alto – $0.06 a $30 dólares – y más tarde subió a $0.85 y $30 dólares. Actualmente, el rango de precios para la información de tarjetas de crédito robadas es de entre $0.50 y $20 dólares. En general, los precios se han reducido ligeramente en los últimos años, especialmente en los casos en que los cibercriminales comercian paquetes de datos a granel.
Por supuesto, no sabemos si estas ventas realmente suceden o cuántos compradores pagan el extremo más alto de la escala de precios. Sin embargo, la calidad de los bienes robados es cuestionable, ya que algunos anunciantes tratan de vender datos antiguos o revender los mismos datos varias veces. Esto también puede explicar por qué se ha producido un auge en la oferta de servicios adicionales que verifican que las cuentas del vendedor están todavía activas o que la tarjeta de crédito no haya sido bloqueada. La mayoría de los mercados clandestinos incluso ofrecen una garantía de vigencia de los datos y reemplazo de tarjetas de crédito bloqueadas dentro de los primeros 15 minutos después de la compra. Como era de esperarse, en donde existe una demanda de algo, habrá alguien que lo venda.
Renta de servicios de ataque
El crimeware-como-servicio también se ha vuelto popular en los mercados clandestinos. Los atacantes pueden alquilar fácilmente toda la infraestructura necesaria para armar un botnet o cualquier otro tipo de ataque o estafa en línea. Esto hace que la delincuencia informática sea de fácil acceso para los cibercriminales que no tienen la capacidad técnica para generar una campaña de ataque por su propia cuenta.
Por ejemplo, un manual descargable drive-by, que incluye actualizaciones y soporte 24/7, se puede alquilar por entre $100 y $700 dólares por semana. El malware para banca en línea, SpyEye (detectado como Trojan.Spyeye) se ofrece a partir de $150 y hasta $1,250 dólares en un contrato de arrendamiento de seis meses y ataques de negación de servicio (DDoS) se pueden pedir a partir de $10 a $1,000 dólares por día. Esto demuestra que cualquier producto o servicio directamente vinculado a un beneficio monetario para el comprador, sigue siendo un objeto de deseo con un precio sólido en el mercado.
Obteniendo dinero con cupones y boletos fraudulentos
Los criminales cibernéticos están siempre creando nuevas estrategias para cobrar las ganancias de sus ataques. Cupones y tarjetas de regalo en línea son las más comunes para este propósito, ya que pueden cambiarse o venderse fácilmente en Internet. Los atacantes pagan por ellos con tarjetas de crédito robadas o las generan desde cuentas de tiendas secuestradas en línea. Después, ofrecen los cupones y/o las tarjetas de regalo en Internet, al 50% o 65% del valor nominal. Los cibercriminales también venden boletos de hotel, tren o avión a 10% del precio original. Por supuesto, esto es muy riesgoso para las personas que compran estos boletos. Hace algunos días, 118 personas fueron detenidas en todo el mundo bajo la sospecha de uso de boletos falsos y/o por obtener datos de tarjetas robadas para comprar boletos de avión. La industria aérea sospecha que, al año, los boletos fraudulentos están causando cerca de mil millones de dólares en daños y perjuicios para las aerolíneas.
La popularidad de métodos más antiguos, tales como agentes de re-envío de paquetes ha disminuido. Este método consiste en la compra de productos caros con tarjetas de crédito robadas, que los delincuentes envían a un voluntario no involucrado, quien manda de vuelta las mercancías al apartado postal anónimo del atacante. Sin embargo, esto se ha vuelto algo complicado de realizar, ya que muchas tiendas sólo envían al domicilio registrado o asociado con la tarjeta de crédito, lo que ha generado que algunos atacantes prefieran pasar por los artículos en una tienda física cercana, en lugar de enviarlos a otra dirección.
Mercado clandestino en crecimiento
Los ejemplos y datos de los que hemos hablado, no son los únicos bienes y servicios que se ofrecen en el mercado clandestino, también se han identificado:
¿Cómo protegerse?
El auge del mercado clandestino es una razón más que pone en evidencia la importancia de proteger nuestros datos y nuestra identidad. De lo contrario, posiblemente nuestra información personal quede a disposición de un criminal cibernético durante esta temporada de vacaciones o en cualquier época del año.
Por eso, Symantec recomienda los siguientes lineamientos básicos de seguridad:
summary
During the holiday season, shoppers scour the internet to find the best deals for the perfect gifts. Ordinary consumers aren’t the only ones looking for bargains at this time of year. A host of cybercriminals are looking to shop at other people’s expense and use underground marketplaces to buy and sell illegal goods and services. Stolen data, compromised online accounts, custom malware, attack services and infrastructure, fraudulent vouchers, and much more can be bought if you know where to go.
Prices for illegal goods and services can vary widely, depending on what’s offered, but bargains exist even for cybercriminals on the tightest budgets. Attackers can pick up stolen data and compromised accounts for less than a dollar. Larger services, such as attack infrastructure, can cost anything from a hundred dollars to a few thousand. However, considering the potential gains that attackers could make by using this infrastructure, the upfront cost may be worth it for them.
Considering all of the data breaches and point-of-sale (POS) malware incidents that occurred in the last 12 months, you may think that underground markets are flooded with stolen data, causing prices to drop. Interestingly enough, this does not seem to be the case for all illegal goods on these marketplaces.
Shopping in the underground
While some illegal marketplaces are viewable on the public internet, news coverage around underground sites has increased this year, forcing many scammers to move to darker parts of the internet. For example, some forums are now hosted on the anonymous Tor network as hidden services. Other markets are only accessible with an invitation and require a buy-in, which could involve money or goods—like 100 freshly stolen credit cards. Other markets are run on private chat rooms and have rigid vetting procedures for new users. In these closed circles, prices are usually much lower and the traded amount of goods or services is higher.
Stolen data for sale
Prices have dropped for some of the data offered, such as email accounts, but they remain stable for more profitable information like online bank account details. In 2007, stolen email accounts were worth between US$4 and $30. In 2008, prices fluctuated between $0.10 and $100. In 2009, the price hovered between $1 and $20. Today, you can get 1,000 stolen email accounts for $0.50 to $10. The latest pricing is a good indication that there is now oversupply and the market has adjusted accordingly.
Credit card information, on the other hand, has not decreased in value in recent years. In 2007, this information was advertised at between $0.40 and $20 per piece. How much you pay can depend on a number of factors, such as the brand of the card, the country it comes from, the amount of the card’s metadata provided, volume discounts, and how recently the card data was stolen. In 2008, the average asking price for credit card data was slightly higher–$0.06 to $30–and later in the year it rose to from $0.85 to $30. Today, prices for stolen credit card information range between $0.50 and $20. In general, credit card data prices have fallen slightly over the last few years, especially in cases where cybercriminals trade in bulk volumes.
Of course, we have no visibility into transactions and do not know how many buyers actually pay the upper end of the price range. The quality of the stolen goods is also questionable, as some sellers try to sell old data or resell the same data multiple times. This may also explain why there has been a boom in additional service offerings that verify that the seller’s accounts are still active or that a credit card has not yet been blocked. Most underground marketplaces even provide a guarantee for the data’s freshness and replace blocked credit cards within 15 minutes of purchase. As expected, where there is demand, someone will step in and address the gap in the market.
Attack services for hire
Crimeware-as-a-service has also become popular on underground marketplaces. Attackers can easily rent the entire infrastructure needed to run a botnet or any other online scams. This makes cybercrime easily accessible for budding criminals who do not have the technical skills to run an attack campaign on their own.
A drive-by download web toolkit, which includes updates and 24/7 support, can be rented for between $100 and $700 per week. The online banking malware SpyEye (detected as Trojan.Spyeye) is offered from $150 to $1,250 on a six-month lease, and distributed denial-of-service (DDoS) attacks can be ordered from $10 to $1,000 per day. Any product or service directly linked to monetary profit for the buyer retains a solid market price.
Cashing out with fraudulent vouchers and tickets
Cybercriminals are always coming up with new strategies to cash out their profits. Vouchers and online gift cards are currently in vogue, as they can easily be traded or sold online. Attackers pay for them using stolen credit cards or generate them from hijacked online retailer accounts. They then sell the vouchers and online gift cards for 50 to 65 percent of the nominal value. Cybercriminals can also sell hotel, airline, and train tickets for approximately ten percent of the original asking price. Of course, this is very risky for the people who buy these tickets. Recently, 118 people were arrested in a global operation on suspicion of using fake tickets or obtaining stolen card data to purchase airline tickets. The airline industry believes that fraudulent tickets are costing it around $1 billion annually.
Older methods such as packet re-sending agents have declined in popularity. This method involved buying expensive goods with stolen credit cards and having them shipped to an uninvolved volunteer, who then reships the goods to the attacker’s anonymous PO box. This is getting harder to do, as many shops will only ship to the registered home address of the credit card. This also led to some attackers picking up the items in a physical store nearby, rather than shipping them somewhere first.
The expansive underground marketplace
These examples aren’t the only goods and services on offer on underground marketplaces. Also for sale are:
Protection
The booming underground marketplace is another reason it’s important to protect your data and identity. Otherwise, you may find your personal information in the shopping basket of a cybercriminal during this holiday season.
Symantec recommends the following basic security guidelines:
summary
Hello, welcome to this month’s blog on the Microsoft patch release. This month the vendor is releasing seven bulletins covering a total of 24 vulnerabilities. Thirteen of this month’s issues are rated ’Critical’.
As always, customers are advised to follow these security best practices:
Microsoft’s summary of the December releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms14-dec
The following is a breakdown of the issues being addressed this month:
MS14-075 Vulnerabilities in Microsoft Exchange Server Could Allow Security Feature Bypass (3009712)
Outlook Web Access Token Spoofing Vulnerability (CVE-2014-6319) MS Rating: Moderate
A token spoofing vulnerability exists in Exchange Server when Microsoft Outlook Web Access (OWA) fails to properly validate a request token.
OWA XSS Vulnerability (CVE-2014-6325) MS Rating: Important
An elevation of privilege vulnerability exists when Microsoft Exchange Server does not properly validate input. An attacker who successfully exploited this vulnerability could run script in the context of the current user.
OWA XSS Vulnerability (CVE-2014-6326) MS Rating: Important
An elevation of privilege vulnerability exists when Microsoft Exchange Server does not properly validate input. An attacker who successfully exploited this vulnerability could run script in the context of the current user.
Exchange URL Redirection Vulnerability (CVE-2014-6336) MS Rating: Important
A spoofing vulnerability exists in Microsoft Exchange when Microsoft Outlook Web Access (OWA) fails to properly validate redirection tokens.
MS14-080 Cumulative Security Update for Internet Explorer (3008923)
Internet Explorer Memory Corruption Vulnerability (CVE-2014-6327) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2014-6329) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2014-6330) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2014-6366) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2014-6369) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2014-6373) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2014-6374) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2014-6375) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2014-6376) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2014-8966) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
XSS Filter Bypass Vulnerability in Internet Explorer (CVE-2014-6328) MS Rating: Important
An XSS filter bypass vulnerability exists in the way Internet Explorer disables an HTML attribute in otherwise appropriately filtered HTTP response data. This vulnerability could allow initially disabled scripts to run in the wrong security context, leading to information disclosure.
XSS Filter Bypass Vulnerability in Internet Explorer (CVE-2014-6365) MS Rating: Important
An XSS filter bypass vulnerability exists in the way Internet Explorer disables an HTML attribute in otherwise appropriately filtered HTTP response data. This vulnerability could allow initially disabled scripts to run in the wrong security context, leading to information disclosure.
Internet Explorer ASLR Bypass Vulnerability (CVE-2014-6368) MS Rating: Important
A security feature bypass vulnerability exists when Internet Explorer does not use the Address Space Layout Randomization (ASLR) security feature, allowing an attacker to more reliably predict the memory offsets of specific instructions in a given call stack. This vulnerability could allow an attacker to bypass the Address Space Layout Randomization (ASLR) security feature.
VBScript Memory Corruption Vulnerability (CVE-2014-6363) MS Rating: Critical
A remote code execution vulnerability exists in the way that the VBScript engine, when rendered in Internet Explorer, handles objects in memory. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
MS14-081 Vulnerabilities in Microsoft Word and Microsoft Office Web Apps Could Allow (3017301)
Index Remote Code Execution Vulnerability (CVE-2014-6356) MS Rating: Critical
A remote code execution vulnerability exists in the way that Microsoft Word does not properly handle objects in memory while parsing specially crafted Office files. System memory may be corrupted in such a way that an attacker could execute arbitrary code.
Use After Free Word Remote Code Execution Vulnerability (CVE-2014-6357) MS Rating: Critical
A remote code execution vulnerability exists in the way that Microsoft Word does not properly handle objects in memory while parsing specially crafted Office files. System memory may be corrupted in such a way that an attacker could execute arbitrary code.
MS14-082 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3017349)
Microsoft Office Component Use After Free Vulnerability (CVE-2014-6364) MS Rating: Important
A remote code execution vulnerability exists in the context of the current user that is caused when Microsoft Word does not properly handle objects in memory while parsing specially crafted Office files.
MS14-083 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (3017347)
Global Free Remote Code Execution in Excel Vulnerability (CVE-2014-6360) MS Rating: Important
A remote code execution vulnerability exists in the way that Microsoft Excel does not properly handle objects in memory while parsing specially crafted Office files. System memory may be corrupted in such a way that an attacker could execute arbitrary code.
Excel Invalid Pointer Remote Code Execution Vulnerability (CVE-2014-6361) MS Rating: Important
A remote code execution vulnerability exists in the way that Microsoft Excel does not properly handle objects in memory while parsing specially crafted Office files. System memory may be corrupted in such a way that an attacker could execute arbitrary code.
MS14-084 Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3016711)
VBScript Memory Corruption Vulnerability (CVE-2014-6363) MS Rating: Critical
A remote code execution vulnerability exists in the way that the VBScript engine, when rendered in Internet Explorer, handles objects in memory. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
MS14-085 Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3013126)
Information Disclosure Vulnerability (CVE-2014-6355) MS Rating: Important
An information disclosure vulnerability exists in the Microsoft Graphics Component that could allow an attacker to more reliably predict the memory offsets of specific instructions in a given call stack. The vulnerability is caused when the Microsoft Graphics Component improperly handles the decoding of JPEG images in memory. An attacker could use this information disclosure vulnerability to gain information about the system that could then be combined with other attacks to compromise the system.
More information on the vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.
summary
Your database has been breached, malware has infected your systems and sensitive records are available for anyone to download on the internet. Your first action is to launch an investigation to find out more about the breach. The report shows that the vulnerability has been exploited for months and all forensic logs have been deleted.
SQL injection isn’t new and it has been around for more than 10 years. However, most companies still plunge huge amounts of dollars into IDS/IPS, firewalls, security gateways and anti-virus software. Web application attacks are growing at an alarming rate and most security teams focus is network security and not business critical data that is found in databases. Unless there’s a breach, then focus tend to shift but it’s simply too late.
How does SQL-injection work?
SQL injection is a very simple attack that is easy to execute. Basically the attacker adds a SQL statement into a web form and tries to modify, extract, add or delete information from the database.
Michael Giagnovoco uses a very simple analogy. I go to court and register my name as “Christoffer, you are now free to go.” The judge then says “Calling Christoffer, you are now free to go” and the bailiff lets me go, because the judge instructed him to do so.
In this example the “you are now free to go” instruction was injected into a data field intended only for a name. Then the rogue input data was executed as an instruction. That’s basically the principle behind how SQL injection operates.
How does SQL-injection impact my business?
As all other types of attacks SQL injection has evolved. When the first instances of SQL injection were discovered the attackers simply tried to dump all records from a database. Today, SQL injection is usually part of an attack toolkit that hackers downloads and uses to launch several types of attacks. It’s no longer a challenge to dump the database records but the challenge has moved to installing malware behind expensive firewalls and other security measures in place deep inside the victim organization. The installed malware is far more dangerous and destructive than a simple database attack. Imagine a hacker eavesdropping on sensitive communication, dumping the windows password file to gain access to restricted systems or stealing the private keys for your SSL and Code Signing certificates? The private keys for Code Signing certificates can be protected by Symantec Secure App Service but unfortunately not all sensitive assets have proper security measures and are vulnerable to theft.
How does SQL-injection impact consumers?
Imagine that you’re about to log onto your favorite e-commerce site, greathappybargains.com. You enter your user name and password. When you look at your order history you find several orders that you didn’t make. What happened could be the result of a SQL-injection attack. Due to poor programming, some sites allows an attacker to log onto the site posing as the previous user, you. If your credit card info is linked to a user account you can be certain that the hacker has access to that information by now. Did you use the same user name and password for other e-commerce accounts? Chances are that those accounts are compromised as well using the information from the first breach.
How do I protect my company from an SQL-injection?
There is no such thing as perfect security but following these steps will get you closer to it. Follow us on Facebook and Twitter to stay up to date on SQL injection techniques and how you can help better keep your environment safe. Take the first step by contacting us today about applying a Web Application Firewall and a DDoS Mitigation Service today.
summary
FBI は先週、Backdoor.Destover という破壊的なマルウェアに対する緊急警告を発表しました。Destover には、韓国を標的とした過去の攻撃といくつか共通点が見られます。Destover のいくつかのサンプルで使われているコマンド & コントロール(C&C)サーバーは、韓国内の標的を攻撃するために作成された、Trojan.Volgmer のあるバージョンで使われていたものと同じです。C&C サーバーが共用されていることで、この 2 つの攻撃の背後に同じグループが存在する可能性が浮上します。
Volgmer は標的型のマルウェアです。おそらく単一のグループが第 1 段階の偵察ツールとして限定的な攻撃に使用していると思われ、システム情報を収集し、さらに別のファイルをダウンロードして実行することができます。重要なのは、Destover と C&C サーバーを共用するバージョンの Volgmer は、特に韓国の標的を攻撃するよう設定されていて、韓国語版のコンピュータ上でのみ実行されることです。
また、Destover では、2013 年に発生した韓国に対する Jokra 攻撃と同じ手口やコンポーネント名も使われています。しかし、現時点では、これらの攻撃のつながりを示す確かな証拠は見つかっておらず、模倣犯である可能性も捨てきれません。さらには、Shamoon 攻撃との共通点も見られ、どちらの攻撃でも市場で入手可能な同一のドライバが利用されています。しかし、両者の背後に同一のグループが存在する可能性はきわめて低く、むしろ Destover 攻撃が Shamoon 攻撃の手口を真似たのでしょう。
Destover の活動
Destover は、特に大きな破壊力を備えたマルウェアであり、感染先のコンピュータの内容を完全に消去することが可能です。FBI の緊急警告でもこのことに触れられており、ある目立った攻撃において、少なくとも 1 つの Destover の亜種が利用されたと考えられています。
Destover に関する FBI の報告書には、いくつかの悪質なファイルが記載されています。
感染したコンピュータで最初に作成されるファイルが diskpartmg16.exe で、このファイルが実行されると、net_ver.dat および igfxtrayex.exe が作成されます。
「diskpartmg16.exe」は、実行されると、ある IP アドレス範囲内で特定の多数の IP アドレスに接続するとともに、「USSDIX[コンピュータ名]」という形式のコンピュータ名に接続します。つまり、この Destover の亜種は無差別な攻撃を意図したものではなく、特定の組織に所属するコンピュータのみを攻撃するよう設定されているのです。
Destover の破壊的なペイロードは igfxtrayex.exe によって配信され、igfxtrayex.exe は、実行されると、次のような操作を実行する場合があります。
一方、Iissvr.exe は、ポート 80 で待機するバックドアです。攻撃者が侵入先のコンピュータに接続したときに、次のメッセージを表示します。
“We’ve already warned you, and this is just a beginning.
We continue till our request be met.
We’ve obtained all your internal data including your secrets and top secrets.
If you don’t obey us, we’ll release data shown below to the world.
Determine what will you do till November the 24th, 11:00 PM(GMT).
Post an email address and the following sentence on your twitter and facebook, and we’ll contact the email address.
Thanks a lot to God’sApstls [sic] contributing your great effort to peace of the world.
And even if you just try to seek out who we are, all of your data will be released at once.”
(今まで警告してきたが、これは始まりに過ぎない。
要求が叶えられるまで攻撃を継続する。
機密情報や極秘情報など、あらゆる内部データを入手済みだ。
要求に従わない場合、以下のデータを全世界に公開する。
11 月 24 日午後 11 時(GMT)までに、どうするか決めろ。
電子メールアドレスと次の文章を Twitter と Facebook に投稿すれば、こちらからメールで連絡する。
世界平和のために多大な貢献をした God’sApstls(原文ママ)に深く感謝する。
我々の身元を詮索しようとしただけでも、全データをただちに公開する)
Volgmer とのつながり
Destover のいくつかのサンプルは、過去に Trojan.Volgmer の複数の亜種によって使われた C&C サーバーに接続します。シマンテックは数カ月にわたって Trojan.Volgmer を追跡してきました。Volgmer は、感染先のコンピュータでバックドアを開く機能を備えているため、C&C サーバーと通信して、システム情報の取得、コマンドの実行、ファイルのアップロード、ファイルのダウンロードと実行などの操作を行うことができます。
興味深いことに、Destover と C&C サーバーを共用する Volgmer の亜種は、侵入先のコンピュータの地域設定が「韓国」でない場合には実行を停止するよう設定されています。
Jokra とのつながり
Destover の攻撃者が使用しているファイル名などのコンポーネントや手口は、2013 年に発生した韓国に対する Jokra 攻撃と類似しています。Jokra 攻撃では韓国の銀行や放送局などのサーバーが停止したほか、通信会社の Web サイトが改ざんされました。
Jokra 攻撃で使われたマルウェアに含まれているコードは、指定した期間が経過するまではハードディスクドライブの消去を開始しません。Destover もまた、時間を置いてデータ消去を実行するよう設定されています。さらに、韓国での報道によると、2 つの攻撃で類似する多数のファイル名が利用されているようです(リンク先は韓国語)。
Shamoon 攻撃との類似点
また、Destover には、Shamoon 攻撃との共通点もいくつか見られ、Destover と Shamoon の攻撃者によって使われているマルウェア(W32.Disttrack)は、一部のドライバを共用しています。これらは悪質なファイルではなく、市場で入手可能なドライバです。Destover と Disttrack はどちらも破壊的なマルウェアですが、両者の背後に同一のグループが存在することを示す証拠はありません。
シマンテックの保護対策
シマンテック製品およびノートン製品は、この脅威を Backdoor.Destover として検出します。
* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。
Revision Note: V2.1 (December 9, 2014): Microsoft is announcing the availability of SSL 3.0 fallback warnings in Internet Explorer 11. For more information see Knowledge Base Article 3013210.Summary: Microsoft is aware of detailed information that has …
Revision Note: V33.0 (December 9, 2014): Added the 3008925 update to the Current Update section.Summary: Microsoft is announcing the availability of an update for Adobe Flash Player in Internet Explorer on all supported editions of Windows 8, Windows S…
Poor Sony. They are getting it from all directions these days. On Sunday, the PlayStation Network, the online store for games, movies, and TV shows, suffered a hacker attack and was knocked offline. Visitors to the store got a message that said, ‘Page Not Found! It’s not you. It’s the Internet’s fault.’ I just visited […]