The security community is buzzing with news of a threat called Heartbleed. The bug reportedly affects nearly two-thirds of all websites, including Yahoo Mail, OKCupid, WeTransfer, and others. The bug takes advantage of a vulnerability in OpenSSL, an open-source protocol used to encrypt vast portions of the web. It allows cybercrooks to steal encryption keys, usernames […]
The security community is buzzing with news of a threat called Heartbleed. The bug reportedly affects nearly two-thirds of all websites, including Yahoo Mail, OKCupid, WeTransfer, and others. The bug takes advantage of a vulnerability in OpenSSL, an open-source protocol used to encrypt vast portions of the web. It allows cybercrooks to steal encryption keys, usernames […]
先日、Microsoft のスクリプト言語、Windows PowerShell がマルウェア作成者によって不正な目的に利用されていると報じられました。シマンテックは、さらに多くの PowerShell スクリプトが、悪質な目的で攻撃に使われていることを特定しています。これまでに確認された他の PowerShell スクリプトとは違って、今回のスクリプト(シマンテックは Backdoor.Trojan として検出します)は、さまざまな層の不明瞭化の機能を備えており、悪質なコードを rundll32.exe にインジェクトして、コンピュータの内部に潜伏しながら、バックドアのように動作し続けることができるのです。
図 1. 元の Microsoft Windows PowerShell スクリプト
上の画像を見るとわかるように、このスクリプトは平文でユーザーの目に触れないように不明瞭化されています。ところが、攻撃者はスクリプト全体を base64 でエンコードするために、-EncodedCommand というパラメータを使っていました。デコードしてもスクリプトは不明瞭化されたままで、次の図のように見えます。
図 2. PowerShell スクリプトの最初の復号層
次に、このスクリプトは自身の一部を base64 から平文に再度デコードし、デコードされた部分を圧縮解除の機能によって渡します。圧縮解除されたデータは、不明瞭化を解除した PowerShell スクリプトの最新段階であり、Invoke-Expression コマンドによって実行されます。
図 3. 不明瞭化を解除された PowerShell スクリプト
攻撃者は、コンピュータに潜伏するために埋め込まれたコードを処理中にコンパイルし、実行できるように、CompileAssemblyFromSource というコマンドを使います。コンパイルされたコードは次に、保留状態で rundll32.exe を実行し、新しく作成されたプロセスに悪質なコードをインジェクトして、rundll32 のスレッドを再開します。これが、コンピュータ上で検出をすり抜けるための手口です。
インジェクトされたコードは次にリモートコンピュータへの接続を試み、リモートコンピュータは命令のバッファが受信されるのを待ちます。続いてこのコードが、EXECUTE_READWRITE 許可を持つ命令を格納し、その命令がステルス状態で実行されます。
インジェクトされたコードがメモリを割り当て、命令を受信して後で実行する過程を次の図に示します。
図 4. rundll32.exe にインジェクトされた悪質なコード
シマンテック製品をお使いのお客様は、Backdoor.Trojan という検出定義により、この攻撃から保護されています。感染を防ぐために、シマンテックの最新技術を使い、ウイルス対策を更新することをお勧めします。不明な PowerShell スクリプトは実行しないよう心がけるとともに、悪質なスクリプトの実行を防ぐために、PowerShell のデフォルトの実行設定は低くしないようにしてください。
* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。
Hello, welcome to this month’s blog on the Microsoft patch release. This month the vendor is releasing four bulletins covering a total of 11 vulnerabilities. Seven of this month’s issues are rated ’Critical’.
As always, customers are advised to follow these security best practices:
Microsoft’s summary of the April releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms14-apr
The following is a breakdown of the issues being addressed this month:
MS14-017 Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2949660)
Microsoft Office File Format Converter Vulnerability (CVE-2014-1757) MS Rating: Important
A remote code execution vulnerability exists in the way that affected Microsoft Office software converts specially crafted files. An attacker who successfully exploited this vulnerability could run arbitrary code as the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Microsoft Word Stack Overflow Vulnerability (CVE-2014-1758) MS Rating: Important
A remote code execution vulnerability exists in the way that Microsoft Word parses specially crafted files. An attacker who successfully exploited this vulnerability could run arbitrary code as the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Word RTF Memory Corruption Vulnerability (CVE-2014-1761) MS Rating: Critical
A remote code execution vulnerability exists in the way that Microsoft Word parses specially crafted files. An attacker who successfully exploited this vulnerability could run arbitrary code as the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
MS14-018 Cumulative Security Update for Internet Explorer (2950467)
Internet Explorer Memory Corruption Vulnerability (CVE-2014-0235) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2014-1751) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2014-1752) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2014-1753) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2014-1755) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2014-1760) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
MS14-019 Vulnerability in Windows File Handling Component Could Allow Remote Code Execution (2922229)
Windows File Handling Vulnerability (CVE-2014-0315) MS Rating: Important
A remote code execution vulnerability exists in the way that Microsoft Windows processes .bat and .cmd files that are run from an external network. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
MS14-020 Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (2950145)
Arbitrary Pointer Dereference Vulnerability (CVE-2014-1759) MS Rating: Important
A remote code execution vulnerability exists in the way that Microsoft Publisher parses specially crafted files. An attacker who successfully exploited this vulnerability could run arbitrary code as the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
More information on the vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.
Once again, it’s time to reveal the latest findings from our Internet Security Threat Report (ISTR), which looks at the current state of the threat landscape, based on our research and analysis from the past year. Key trends from this year’s report include the large increase in data breaches and targeted attacks, the evolution of mobile malware and ransomware, and the potential threat posed by the Internet of Things. We’ll explore each of these topics in greater detail below.
The year of the mega data breach
While 2011 was hailed by many as the “Year of the Data Breach,” breaches in 2013 far surpassed previous years in size and scale. For 2013, we found the number of data breaches grew 62 percent from 2012, translating to more than 552 million identities exposed last year – an increase of 368 percent. This was also the first year that the top eight data breaches each resulted in the loss of tens of millions of identities – making it truly the year of the “mega” data breach. By comparison, only one data breach in 2012 reached that distinction.
Attackers set their sights on medium-sized businesses
If you’ve been following our reports, you know that small and medium-sized businesses (SMBs) are a key target for attackers, and this year proved no exception to the trend. In 2013, SMBs collectively made up more than half of all targeted attacks at 61 percent – up from 50 percent in 2012 – with medium-sized (2,500+ employees) businesses seeing the largest increase.
Attacks against businesses of all sizes grew, with an overall increase of 91 percent from 2012. Similar to last year, cybercriminals deployed watering hole attacks and spear-phishing to increase the efficiency of their campaigns. However, spear-phishing campaigns were down 23 percent, with cybercriminals relying less on emails to carry out their attack campaigns. Watering hole attacks allowed the bad guys to run more campaigns through drive-by-downloads, targeting victims at the websites they frequently visit. Efforts were also aided by a 61 percent increase in zero-day vulnerabilities, which allowed attackers to set up on poorly patched sites and infect their victims with little or no additional effort required.
Government remained the most targeted industry (16 percent of all attacks). This year we looked at not only the volume of attacks but also at who are the preferred targets and what are the odds of being singled out. The bad news is that no one faces favorable odds and we all need to be concerned about targeted attacks. However, looking at the odds produced some surprises. If you’re a personal assistant working at a mid-sized mining company, I have bad news for you – you topped the “most wanted” list for attackers.
Mobile malware and madware invades consumers’ privacy
While many people download new apps to their mobile devices without a second thought, many malicious apps contain highly annoying or unwanted capabilities. Of the new malware threats written in 2013, 33 percent tracked users and 20 percent collected data from infected devices. 2013 also saw the first remote access toolkits (or RATs) begin to appear for Android devices. When running on a device, these RATs can monitor and make phone calls, read and send SMS messages, get the device’s GPS coordinates, activate and use the camera and microphone and access files stored on the device – all without the knowledge or consent of the victim.
Ransomware growth explodes and turns even more vicious
As we had previously predicted, ransomware, the malicious software that locks computers and files, grew rapidly in 2013. Ransomware saw an explosive 500 percent growth over last year and remained a highly profitable enterprise for the bad guys, netting $100 to $500 USD for each successful ransom payment. We also saw attackers become more vicious by holding data hostage through high-end encryption and threatening to delete the information forever if the fee was not paid within the given time limit.
The future of identity theft: The Internet of Things
Which of these things have been hacked in the past year: a refrigerator or a baby monitor? When I ask customers this question, they often reply, “Both.” The correct answer is the baby monitor. Despite what you may have heard on the news, Internet connected refrigerators have yet to be attacked. But never say never. Security researchers in 2013 demonstrated that attacks against cars, security cameras, televisions and medical equipment are all possible. The refrigerator’s time will come. The Internet of Things (IoT) is on its way and related threats are sure to follow. In this year’s report, we talk about what we’ve seen so far, and the consensus is that the Internet connected device at most risk of attack today is the home router.
What comes next? With personal details and financial information being stored on IoT devices, it’s only a matter of time before we find a true case of a refrigerator being hacked. Right now, security is an afterthought for most manufacturers and users of these devices, and it will likely take a major security incident before it is seriously considered. However, by starting the conversation now about the potential security risks, we will be that much more prepared when that day comes. This year’s ISTR starts the conversation.
For more details, check out the complete Internet Security Threat Report, Vol. 19.
Revision Note: V2.0 (April 8, 2014): Advisory updated to reflect publication of security bulletin.Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS14-017 to address this issue. For more inf…
Severity Rating: Revision Note: V2.0 (April 8, 2014): Advisory updated to reflect publication of security bulletin.Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS14-017 to address this is…
Severity Rating: Revision Note: V22.0 (April 8, 2014): Added the 2942844 update to the Current Update section.Summary: Microsoft is announcing the availability of an update for Adobe Flash Player in Internet Explorer on all supported editions of Window…
Severity Rating: Revision Note: V2.0 (April 8, 2014): Advisory updated to reflect publication of security bulletin.Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS14-017 to address this is…
寄稿: Parag Sawant
フィッシング詐欺師は、ユーザーの重要な情報を手に入れるチャンスを増やすために、さまざまな計略を繰り出し続けています。シマンテックが最近確認したフィッシング攻撃の場合は、男性と女性のどちらが偉いかと質問する偽の投票サイトを通じてデータが集められていました。
フィッシングページは無料の Web ホスティングサイトを利用しており、Facebook ユーザーを標的にした偽の投票ページには、「WHO IS GREAT BOYS OR GIRLS?(男性と女性、どちらが偉い?)」という質問と[VOTE(投票)]ボタンがあります。ページには、投票結果を示す棒グラフも埋め込まれており、過去 4 年間の総得票数が示されます。このようなグラフがあることで、より本物らしく見えます。
図 1. 投票サイトへの登録を求める Facebook アプリケーション
最初のフィッシングページには、投票プロセスを開始するボタンがあります。このボタンをクリックすると、次の図のようにポップアップウィンドウが開き、ユーザーのログイン ID とパスワードを入力するよう求められます。
図 2. ユーザーのアカウント情報の入力を求めるポップアップウィンドウ
ポップアップウィンドウには、男性か女性のどちらかに投票するためのボタンと、投票を送信するボタンも表示されます。フィールドに必要な情報をすべて入力し終わると、投票した情報を確認するための確認ページに進みます。
図 3. ユーザー情報を入力し終わると、投票の確認メッセージが表示される
ここで最初のページに戻ろうとして、投票数が定期的に増えていることに気付きました。先ほど 4,924,055 だった数値が、今見ると 4,924,096 になっているのです。
図 4. 変化する前と変化した後の投票数の比較
今回のフィッシング詐欺師は以下の URL を使っており、そのサブドメインからこれがアプリケーションであることがわかります。
[http://]smartapps.[削除済み].com
このサイトに騙されたユーザーは、個人情報を盗まれ、なりすまし犯罪に使われてしまいます。
偽アプリケーションを餌に使う手口は珍しいものではありません。インターネットを利用する際には、フィッシング攻撃を防ぐためにできる限りの対策を講じることを推奨します。
* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。