Win32/64:Blackbeard & Pigeon: Stealthiness techniques in 64-bit Windows, Part 2

Last week we promised to explain in detail how the “Blackbeard” Trojan infiltrates and hides itself in a victim’s system, especially on its 64-bit variant. Everything described in this blogpost happens just before Pigeon (clickbot payload) gets downloaded and executed. The most interesting aspects are the way it bypasses the Windows’ User Access Control (UAC) […]

5 security tips from an expert AVAST Evangelist

Earlier this month we introduced you to AVAST Evangelist: Paulius Yla. With nearly 10 years of experience gained from supporting users on the AVAST forum, Paulius can be easily called an AVAST expert. He has been using our software since 2003 and participated in testing dozens of AVAST products. Paulius has shared with us 5 […]

Case Study from the Spammer’s Perspective: Crafting Spam Content to Increase Success

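Spammer success depends on two factors:

  1. Getting the spam message past spam filters and into the recipient's inbox
  2. Crafting a message that the recipient is tempted to open and act on through the call-to-action (clicking a link, opening an attachment, and so on)

Spammers strike a careful balance between the two, because leaning on one and neglecting the other makes the spam campaign fail. For example, randomizing both the subject and the body can get a message past spam filters, but even the most careless user will dismiss it as blatant spam. Conversely, crafting an exceptionally enticing message raises the email open rate, but most of those messages are blocked by spam filters. Spammers, too, face a troublesome challenge of their own.

To deal with this challenge, spammers are hiding the true intent of their content from users more than ever. Spam campaigns that list the usual assortment of pharmaceuticals in the subject line (sometimes even more blatantly) to drive traffic to online pharmacy sites are still endless, but sophisticated campaigns that use convincing content that does not look like spam are also on the rise. A frequently used trick is to exploit current news and events, such as the death of a celebrity or prominent figure, or a natural disaster. The spam message poses as a legitimate email sent by a news organization and carries a current news story, but actually links to a spam website. This strategy is common in spam messages that spread malware.

Spammers have also noticed that registering a dedicated domain for spam is not an effective way to raise the odds that the call-to-action is carried out, because a specific domain is easily blocked by anti-spam software. To counter anti-spam features, spammers have recently taken to using hijacked URLs (otherwise legitimate servers that host spam content without the owner's knowledge) and shortened URLs that obscure the destination of the call-to-action.

Let's look at a real example of how a spammer changed spam content and adapted over a six-week period to increase both message delivery and email open rates.

This progression began with a message that spoofed the brand of a well-known voicemail service.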

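Figure 1. Malicious spam message

Clicking the Play button leads to the following URL:

http://[DOMAIN]/message/i9X8PSVcFk0n0QqhGNTJmh8e3/XSunSgPKMsrzQ7Y7s=/play

Instead of the voicemail playing, malware is downloaded to the computer.

On December 19, the spammer dropped voicemail as the content template and switched to a fake delivery failure notification impersonating a major retailer. We could tell this was the same attacker's campaign because the message contained several clues (such as the same type of URL hijacking), but what stood out most was a mistake the spammer made. Because the same header as the first sample was reused, the subject line reported a voicemail delivery error while the message body was a delivery failure notification from a retailer.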

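Figure 2. Incorrect spam email subject reveals that this is the same spam campaign

The spammer seems to have noticed this mistake right away, and the content was quickly corrected (within four minutes, or possibly sooner).

Figure 3. Corrected spam email subject

Two other retailers were also spoofed in this series of spam attacks. The structure of the messages stayed the same, but a variety of URLs were hijacked and abused as call-to-action destinations, with changing directory paths. This campaign concealed its spam content by changing the first-level directory again and again, but in the end the number of directories used in any given period was limited.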

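Figure 4. Changes over time in the content directory names used by the spammer

Rather than spreading spam across multiple directory paths at the same time, this spammer characteristically uses one particular directory path for a while and then moves on to the next.

The next change came on January 7, when the holiday season had ended and the shopping rush had subsided. The spammer dropped the delivery failure notifications from major retailers and switched to impersonating a major electric utility.

Figure 5. Spam campaign switches from spoofing retailers to spoofing an electric utility

Once again the spammer made the same mistake in the email subject: the subject impersonated a retailer while the message body carried a notice from an electric utility.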

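Figure 6. Incorrect spam email subject again reveals that this is the same spam campaign

It was a sloppy mistake, but again the subject was quickly corrected.

Figure 7. Corrected spam email subject

Why did this spammer choose an electric utility for the spam content? Perhaps to stoke consumers' worry that their electricity bill may have climbed considerably over the Christmas season, and so increase the number of clicks driven by the spam message. The spam message shows a fairly large amount due, so recipients cannot help but take an interest. At that point the spam has as good as succeeded.

Retailer-spoofed spam spiked on January 12, some time after the shift to utility-spoofed spam. These messages kept the same overall structure as the earlier attacks but no longer mentioned the Christmas season.

Figure 8. Post-Christmas delivery failure notification spam

As the examples above make clear, spammers are constantly trying to slip past spam filter detection. They also take care to disguise the spam text as legitimate content to make it believable. In this case, clicking the link downloads a .zip file that contains the malware Trojan.Fakeavlock.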

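The more daily life depends on being online, the more varied spammers' tricks for luring clicks become. Spam strategies like this one will continue. Unfortunately, this means Web users must stay on high alert for spam. To protect against these attacks, we recommend following these basic security best practices:

  • Be cautious when you receive unsolicited, unexpected, or suspicious emails.
  • Do not click links in unsolicited, unexpected, or suspicious emails.
  • Do not open attachments in unsolicited, unexpected, or suspicious emails.
  • Keep security software up to date.
  • Update antispam signatures regularly.

Symantec continuously monitors spam so that it can provide up-to-date information on the latest threats.

* To subscribe to the RSS feed of the Japanese-language Security Response blog, visit http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.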

The Internet of Things: New Threats Emerge in a Connected World

Could your baby monitor be used to spy on you? Is your television keeping tabs on your viewing habits? Is it possible for your car to be hacked by malicious attackers? Or could a perfectly innocent looking device like a set-top box or Internet router be used as the gateway to gain access to your home computer?

A growing number of devices are becoming the focus of security threats as the Internet of Things (IoT) becomes a reality. What is the Internet of Things? Essentially, we are moving into an era when it isn’t just computers that are connected to the Internet. Household appliances, security systems, home heating and lighting, and even cars are all becoming Internet-enabled. The grand vision is of a world where almost anything can be connected—hence the Internet of Things.

Exciting new developments are in the offing. A connected home could allow you to log on to your home network before you leave work in the evening to turn on your central heating and your oven. If your alarm goes off while you are out in the evening, you could log on to your home security system from your smartphone, check your security cameras and reset your alarm if there isn’t a problem.

Unfortunately, every new technological development usually comes with a new set of security threats. Most consumers are now very aware that their computer could be targeted with malware. There is also growing awareness that the new generation of smartphones is vulnerable to attack. However, few people are aware of the threat to other devices.

Linux worm

The Internet of Things may be in its infancy but threats already exist. For example, Symantec investigator Kaoru Hayashi recently discovered a new worm that targeted computers running the Linux operating system. Most people have probably never come across Linux, but it plays a big role in the business world and is widely used to run Web servers and mainframes, for example.

The worm, Linux.Darlloz, initially appeared to be nothing out of the ordinary. It uses an old vulnerability in the PHP scripting language to gain access to a computer, attempts to gain administrative privileges by trying a series of commonly used usernames and passwords, and propagates itself by searching for other computers. The worm leaves a back door on the infected computer, allowing the attacker to issue commands to it.

Since the worm exploits an old vulnerability in PHP, the threat relies on finding computers that haven’t been patched in order to spread. If this was all that the worm did, it would be fairly unremarkable. However, as Kaoru investigated the threat further, he discovered something interesting. The version circulating in the wild was designed to infect only computers running Intel x86 chip architectures, which are usually found on personal computers and servers. Kaoru then discovered versions designed for the ARM, PPC, MIPS and MIPSEL chip architectures hosted on the same server as the original worm. These architectures are mostly found in devices such as home routers, set-top boxes, security cameras and industrial control systems. The attacker was in a position to begin attacking these devices at a time of their choosing.

One of the interesting things this worm does is scan for instances of another Linux worm, known as Linux.Aidra. If it finds any files associated with this threat, it attempts to delete them. The worm also attempts to block the communications port used by Linux.Aidra. There is no altruistic motive behind removal of the other worm. The likelihood is that the attacker behind Linux.Darlloz knows that the kinds of devices infected by Linux.Aidra have limited memory and processing power, and does not want to share them with any other piece of malware. 

Linux.Aidra, the malware that Linux.Darlloz attempts to usurp, also exemplifies this new generation of threats. Like some of the variants of Darlloz discovered by Symantec, Linux.Aidra targets smaller devices, specifically cable and DSL modems. The worm adds them to a botnet, which can be utilized by the attackers to perform distributed denial-of-service (DDoS) attacks. Whoever authored Darlloz obviously believed that Aidra infections were so widespread that they posed a potential threat to their own malware.

What is particularly worrisome about these kinds of threat is that, in many instances, the end-user may have no idea that their device is running an operating system that could be attacked. The software is, by and large, hidden away on the device. Another potential issue is that some vendors don’t supply updates, either because of hardware limitations or outdated technology, such as an inability to run newer versions of the software.

Vulnerable security cameras

This worm is just the latest in a series of incidents highlighting the emerging security threat around the Internet of Things. Earlier this year, the US Federal Trade Commission settled a case against TRENDnet, a firm that makes Internet-enabled security cameras and baby monitors. The FTC said that TRENDnet had marketed the cameras as being secure. “In fact, the cameras had faulty software that left them open to online viewing, and in some instances listening, by anyone with the cameras’ Internet address,” the FTC said. “As a result of this failure, hundreds of consumers’ private camera feeds were made public on the Internet”.

In January 2012, a blogger made the flaw public and this resulted in people publishing links to the live feeds of nearly 700 of the cameras. “The feeds displayed babies asleep in their cribs, young children playing, and adults going about their daily lives,” the FTC said. As part of the company’s settlement with the FTC, the firm had to beef up the security on its devices and promise not to misrepresent their security in future promotional material.

What is notable about the TRENDnet incident is that the devices targeted were not infected with any form of malware. Their security configuration simply allowed anyone to access them if they knew how. This was not an isolated incident. There is now even a search engine called Shodan that allows people to search for a range of Internet-enabled devices.

Shodan searches for things rather than websites. Aside from security cameras and other home devices, Shodan can also find building heating control systems, water treatment plants, cars, traffic lights, fetal heart monitors and power plant controls. If a device is simply found using Shodan, it does not mean a device is vulnerable. However, services such as Shodan do make it easier for devices to be discovered if attackers know of vulnerabilities in them.

The connected world

Not all concerns relate to security vulnerabilities. Internet-enabled televisions are now quite common and offer a number of useful additional features such as access to video streaming services and Web browsing. Recently, electronics manufacturer LG confirmed that several of its television models track what people watch and send aggregate data back to the company. The company said that it did this in order to customize advertising for its customers. However, an error in the system meant that the television continued to collect data even when the feature was turned off. The company has said a firmware update is being prepared that will correct this problem.

Figure 1. Estimate on the growth in the number of connected devices in the world (Source: Cisco)

The Internet of Things is still only in its early stages. The number of Internet-enabled devices is beginning to explode. According to Cisco, there are now more than 10 billion connected devices on the planet. Given that the world’s population is just over 7 billion, that means that there are now more connected devices than there are people. Cisco, which has been keeping tabs on the numbers of devices, now believes that the number of connected devices will hit 50 billion by 2020. Interestingly, the company believes that around 50 percent of the growth will occur in the last three years of this decade.

Within the past number of years, we have seen a huge range of connected devices emerge. For example the humble thermostat is now Web-enabled. So too is the light bulb, which can now be controlled with a smartphone. Even the automotive industry is sitting up and paying attention, promising connected vehicles that can receive a stream of real-time information.

What is driving this explosion? Simply put, there is now more “room” on the Internet and devices are becoming cheaper to manufacture. Every device connected to the Internet needs an address in order to communicate with other devices. This is known as an Internet Protocol (IP) address. The number of available addresses under the current system of addresses, Internet Protocol Version 4 (IPv4), has been almost exhausted. A new system, IPv6, is currently being adopted. It can provide a vastly larger number of IP addresses, billions upon billions for every single person on the planet.

Other standards are also evolving. For example, the industry charged with overseeing the Bluetooth standard for wireless communications recently announced the latest version of the technology. The group said that Bluetooth is evolving to take into account the development of the Internet of Things. The new Bluetooth standard will make it easier for devices to find and talk to each other in an increasingly crowded environment. And it will now be easier for Bluetooth-enabled devices to link up with an IPv6-enabled Internet.

In tandem with this increase in network space, Internet-enabled devices are becoming easier to manufacture. Many people may be aware of Moore’s law, the axiom that predicts that the computing power of processors will double every two years. A corollary is that lower powered chips are becoming cheaper to manufacture all of the time. Other technologies, such as Wi-Fi chipsets, have dropped significantly in price over recent years. All of these factors are combining to mean that it’s becoming easier and cheaper to produce Internet-enabled devices.

Staying protected

  • Perform an audit of what devices you own. Just because a device doesn’t possess a screen or a keyboard, doesn’t mean that it isn’t vulnerable to attacks.
  • If something you own is connected to your home network, there is a possibility that it is accessible over the Internet and thus needs to be secured.
  • Pay attention to the security settings on any device you purchase. If it is remotely accessible, disable this feature if it isn’t needed. Change any default passwords to something only you know. Don’t use common or easily guessable passwords such as “123456” or “password”. A long combination of letters, numbers and symbols will generate a strong password.
  • Regularly check the manufacturer’s website to see if there are updates to the device’s software. If security vulnerabilities are discovered, manufacturers will often patch them in new updates to the software.

Many of your devices are attached to your home network, which is in turn connected to the Internet. Your router/modem is what stands between your devices and the wider world. Securing it is of paramount importance. Most come equipped with a firewall, so ensure that it is turned on and properly configured.

Case Study from the Spammer’s Perspective: Crafting Spam Content to Increase Success

Spammer success is dependent on two factors:

  1. Evading spam filters so the spam message arrives in the recipient inbox
  2. Crafting messages so that the recipient is enticed to open and perform desired call-to-actions (click on the link, open attachment, etc.)

Spammers walk a fine line to balance these two aspects; relying heavily on one factor and ignoring the other will make the spam campaign fail. For example, spammers can evade spam filters by randomizing the subject and body of the message; however, such randomized messages are likely to be ignored by even the most unsophisticated user as obvious spam. Similarly, crafting stand-out enticing messages to increase the email open rate often results in spam filters blocking the message. Spammers have a tough challenge.

Rising up to meet this challenge, spammers are now hiding the true content from the user more than ever before. While there are still spam campaigns with links to online pharmacies with subject lines mentioning a variety of popular Rx names—can it be more obvious?—more sophisticated spam campaigns now use enticing email content unrelated to the spam. One of the most popular methods is to use current events and news, such as the death of a celebrity or major figure or even a natural disaster. A spam message may look like a legitimate email from a news organization containing an article about current events, but actually links to a spam website. This spam strategy is common for spam messages that spread malware.

To increase the success of the call-to-action, spammers have realized that registering a domain for their spam has become less effective as it was too easy for anti-spam software to simply block that particular domain. To counter anti-spam efforts, spammers may now use hijacked URLs (otherwise legitimate servers hosting spam content without the owner’s knowledge) or URL shorteners that obfuscate the destination as call-to-action.

Let’s take a look at how spammers adapted and changed their content through a six-week period to increase their success in both message delivery and email open rates.

We begin this journey with a message that spoofs a well-known voicemail service brand.

Figure 1. Malicious spam message

Clicking the Play button leads to the following URL:

http://[DOMAIN]/message/i9X8PSVcFk0n0QqhGNTJmh8e3/XSunSgPKMsrzQ7Y7s=/play

Instead of playing the voicemail, malware is actually delivered to the computer.

On December 19 spammers changed their content template from voicemail to a fake delivery failure notification from large retailers. How do we know this is the same attack? There are various clues in the message (including the same type of hijacked URLs being used), but the most obvious is the mistake the spammer made by using the same header as the first sample, indicating a missed voicemail, while the body of the message indicates a delivery failure notification from a retailer.

Figure 2. Wrong spam email subject reveals single spam campaign

Oops! This was obviously a mistake on the spammer’s part as the content was quickly fixed (in four minutes, or possibly sooner).

Figure 3. Fixed spam email subject

Two additional retailers were also spoofed as part of this particular spam campaign. The structure of the messages remained the same, but the spammers used a variety of hijacked URLs as a call-to-action, which changed the directory paths. This spam campaign hid the spam content under varying first-level directories, using several directories over time.

Figure 4. Spammer uses various content directory names over time

This spammer preferred to use one particular directory path at a time, and then move on to the next one, rather than distributing the spam across multiple options all at once.
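
As an added illustration (not part of the original post), the sketch below groups call-to-action URLs by path shape instead of host name, since the hosts are hijacked legitimate servers, and lists which first-level directory was in use over time. The sample rows, the `.example` hosts and the directory names `dirB` and `dirC` are constructed; only the `/message/.../play` URL layout comes from the post.

```python
import re
from datetime import datetime
from itertools import groupby
from urllib.parse import urlsplit

# Long opaque path segments such as "i9X8PSVcFk0n0QqhGNTJmh8e3" or "XSunSgPKMsrzQ7Y7s=".
TOKEN = re.compile(r"^[A-Za-z0-9+=_-]{16,}$")

# Shape of the URL quoted in the post: /<word>/<token>/<token>/<word>
CAMPAIGN_SHAPE = ("w", "T", "T", "w")

# Constructed samples: (time received, call-to-action URL). Hosts, dates, tokens and
# the directory names dirB/dirC are invented; the first URL follows the post's layout.
SAMPLES = [
    ("2013-12-18T09:02:00", "http://host1.example/message/i9X8PSVcFk0n0QqhGNTJmh8e3/XSunSgPKMsrzQ7Y7s=/play"),
    ("2013-12-18T11:40:00", "http://host2.example/message/Qm7Lk2Vt9Xa4Rz8Wp1Yc6Nd3B/AbCdEfGhIjKlMnOpQ=/play"),
    ("2013-12-19T08:15:00", "http://host3.example/dirB/Zx1Cv2Bn3Mq4We5Rt6Yu7Io8P/LkJhGfDsAqWeRtYuI=/play"),
    ("2013-12-27T14:30:00", "http://host1.example/dirB/Pl0Ok9Ij8Uh7Yg6Tf5Rd4Es3W/MnBvCxZaSdFgHjKlP=/play"),
    ("2014-01-07T10:05:00", "http://host4.example/dirC/Aq1Sw2De3Fr4Gt5Hy6Ju7Ki8L/ZaQxSwCdEvFrBgTnH=/play"),
    ("2014-01-07T10:06:00", "http://news.example/2014/01/article.html"),  # unrelated link
]


def path_shape(url):
    """Return (first_directory, shape); shape marks each path segment as
    'T' (long opaque token) or 'w' (ordinary word)."""
    segments = [s for s in urlsplit(url).path.split("/") if s]
    if not segments:
        return None, ()
    shape = tuple("T" if TOKEN.match(s) else "w" for s in segments)
    return segments[0], shape


def directory_timeline(samples, shape=CAMPAIGN_SHAPE):
    """Keep URLs that match the campaign shape on any host, order them by time,
    and collapse them into consecutive runs of the same first-level directory."""
    rows = []
    for stamp, url in samples:
        first_dir, found = path_shape(url)
        if found == shape:
            rows.append((datetime.fromisoformat(stamp), first_dir, urlsplit(url).hostname))
    rows.sort(key=lambda row: row[0])

    runs = []
    for first_dir, group in groupby(rows, key=lambda row: row[1]):
        group = list(group)
        runs.append({
            "directory": first_dir,
            "first_seen": group[0][0],
            "last_seen": group[-1][0],
            "messages": len(group),
            "hosts": sorted({row[2] for row in group}),
        })
    return runs


def used_one_at_a_time(runs):
    """True when no directory reappears after another one has taken over."""
    names = [run["directory"] for run in runs]
    return len(names) == len(set(names))


if __name__ == "__main__":
    for run in directory_timeline(SAMPLES):
        print(run["directory"], run["first_seen"].date(), run["last_seen"].date(),
              run["messages"], ", ".join(run["hosts"]))
    print("one directory at a time:", used_one_at_a_time(directory_timeline(SAMPLES)))
```

Because the same directory shows up on several unrelated hosts, a filter keyed on the path layout keeps matching after the spammer moves to another hijacked server.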

Another change occurred on January 7, when holiday shopping activity had presumably declined. Rather than using fake delivery notification from a large retailer, the spammers switched to spoofing a large utility company.

Figure 5. Spam campaign switches from retailer to utility company spoofing

The spammer made the same mistake once again with an email subject header that indicates a delivery notification from a retailer, but a body message showing an energy utility statement.

Figure 6. Another wrong spam email subject reveals single spam campaign

Oops again! This mistake was soon fixed with a corrected email subject.

Figure 7. Fixed spam email subject

Why did these spammers choose to use utility statements for their spam content? They may be leveraging consumer fear of a large electricity bill due to the Christmas holiday period to make their spam message more enticing to click on. The spam message contains a large bill, and that piques the recipient’s interest enough to make the spam campaign a success.

There was a small spike in retailer-spoofed spam on January 12, well after the utility spam increased in volume. Those messages, while retaining the overall structure of the previous campaigns, dropped the reference to the Christmas holiday.

Figure 8. Post-Christmas delivery notification spam

As the above examples have demonstrated, spammers are always attempting to make their spam messages undetectable by spam filters. They also want to appeal to recipients by pretending the spam contains some legitimate content. In this particular case, clicking on the link leads to a .zip file download containing Trojan.Fakeavlock malware.

There will be more avenues for spammers to entice recipients to click on spam messages as we live more of our lives online. These same spam strategies will continue. Unfortunately, this means that Web users must continue to be on high alert for spam and observe the following best practices to stay protected:

  • Exercise caution when receiving unsolicited, unexpected, or suspicious emails
  • Avoid clicking on links in unsolicited, unexpected, or suspicious emails
  • Avoid opening attachments in unsolicited, unexpected, or suspicious emails
  • Keep security software up-to-date
  • Update antispam signatures regularly

Symantec constantly monitors spam attacks to ensure that users are kept up-to-date with information on the latest threats.

Nice apps get bad makeover after spammers buy them

This is one “before and after” picture that we didn’t want to see. Someone contacted the original developers of Chrome extensions Add to Feedly and Tweet This Page with an offer to purchase. Thinking it was a good opportunity for a company with more time and money to further develop what they started, both developers […]

Has the NSA installed spyware on your new computer before you opened the box?

An article in German magazine Der Spiegel stated that the NSA is capable of installing backdoors on devices by Juniper Networks (firewall manufacturer), Cisco and Huawei (giant network device manufacturers), and also, Dell. According to the article, a special hacking team intercepted some new computer deliveries to secretly install spyware in these machines. Der Spiegel […]

Snapchat ???: ????????????????????????????????

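A few weeks after this blog covered porn spam and "secret admirer" spam targeting Snapchat users, a new spam campaign is circulating on Snapchat that uses compromised custom URLs along with sexually suggestive photos.

Figure 1. Snapchat spam

Each spam message contains a specially crafted user name on the Kik instant messaging app for mobile devices, along with an "Add my kik" link.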
 

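Figure 2. Snapchat snap posing with a digital camera is a trap

If you respond to one of these spam bots on Kik Messenger, the campaign uses a spam chat bot script similar to the one Symantec found on Tinder around last summer.

Figure 3. Spam bot using a similar chat script on Kik

An interesting feature observed in this attack is that custom URLs owned by small websites and popular brands have been compromised and put to use. To give users a false sense of security, the spammers create their own links on branded short domains.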
 

Figure 4. Short domain carrying a well-known brand name leads users to spam

The following are examples of compromised branded short domains identified so far:

  • usat.ly (USA Today)
  • cbsloc.al (CBS Local)
  • on.natgeo.com (National Geographic)
  • nyp.st (New York Post)
  • on.mktw.net (Marketwatch)
  • mirr.im (Daily Mirror)
  • red.ht (Red Hat)
  • invstplc.com (Investorplace)
  • mitne.ws (MIT News)

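Figure 5. Statistics page for a compromised short URL

The branded custom URLs are set up with affiliate marketing links, and users are led to the sign-up page of an adult webcam site.

Symantec is working closely with Bitly to investigate spam use of branded short URLs and shut them down as they are found. According to Bitly, there is no doubt that spammers have obtained Bitly API keys belonging to various brands. Some of the affected brands used the AddThis social bookmarking service. AddThis recently stopped asking users to expose their API key in plain text as part of the AddThis website embed code.

Figure 6. Note about API key security on the AddThis support page

Publishing an API key lets anyone compromise the account, which in this case means they can create short URLs on someone else's domain.

If you use the AddThis service, see this support article for how to protect your API key. If you use Bitly, you should follow the Bitly API best practices to ensure the security of your API key.

The recent spam activity targeting Snapchat users is not particularly surprising. Scammers and spammers always target popular new apps. Snapchat is no exception: once the user base grows large enough, it quickly becomes a target. To keep spam snaps out of your Snapchat feed, we recommend changing your Snapchat privacy settings to receive snaps only from "My Friends." And of course, be very careful when you receive unsolicited messages or friend requests.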

 


Staying CyberStreetWise

A UK Government public awareness campaign Cyberstreetwise.com launched this week, aiming to help educate UK consumers and small businesses about online security. The campaign, running for three months via radio, outdoor and online advertising, offers tips to help people improve their performance online, and help keep important and personal information safe.

We know that most of the UK population are not doing enough to protect themselves, leaving themselves open for cybercriminals to access their data and abuse their personal info, tricking them into downloading malware.

Cyberstreetwise is advising people in the UK to adopt a few simple online behaviours to make them and their families safer, such as:

  1. Using strong, memorable passwords
  2. Installing internet security software on new devices
  3. Checking privacy settings on social media
  4. Shopping safely online – always ensuring to check online retail sites are secure
  5. Downloading software and applying patches when prompted

Have a look at the site – and your own personal devices – and please spread the word. Be Cyberstreetwise! 

avast! Free Antivirus is Top Rated product of 2013

Throughout the year, independent testing labs run antivirus products through the rigors of “real-world” testing as well as simulations and testing of specific features and performance. avast! Free Antivirus was honored as the Top Rated Program of 2013 by one of the most respected antivirus testing labs, AV-Comparatives.  Tests during 2013 were carried out on […]