Instascam: ?????????? Instagram for PC

Instagram, acquired by Facebook, is a popular photo- and video-sharing service, but it is also known to be a frequent target of spam and scams, as we have reported on this blog several times before (see reference 1, reference 2, reference 3). This week, an in-stream advertisement for a program calling itself "Instagram for PC" was being shared on a friend's Facebook timeline. The application claims to run Instagram in an emulator, letting PC users access Instagram without a mobile device.

Figure 1. Instagram for PC website

When we tried to download Instagram for PC, we found that two separate downloads take place.

File #1: Missing Dynamic Link Library (.dll) file

The first download is a large RAR archive that bundles what appears to be the application together with a set of Dynamic Link Library (.dll) files. Running the application brings up a screen that looks like the Instagram login screen.

Figure 2. Instagram for PC login screen

The login screen is actually fake: when the user attempts to log in, a bogus "Fatal error 2.4.5" message appears, explaining that a required .dll file is missing.

Figure 3. Fake error message displayed by Instagram for PC


Figure 4. Fake page explaining the missing .dll

The explanatory text looks suspicious at first glance. Not only is it riddled with errors, it also instructs the user, should the download "not work properly," to share the information on social services such as Twitter, Facebook and Google+ and then retry the download.

Attempting to download the missing .dll file leads to a prompt to complete a survey.


Figure 5. Instagram for PC survey scam

File #2: Activating Instagram

The latest version of Instagram for PC states that Instagram must be "activated" before the application will run properly. At the bottom of the application, a warning in red text says that Instagram is "Not activated".

Figure 6. Instagram for PC activation screen

Clicking "Click here to activate" opens a new pop-up window which, once again, demands that the user "complete a quick offer or survey" in order to activate Instagram.

Whichever version you get, you never end up with the Instagram for PC that was advertised. This is another scammer tactic: lure users into completing surveys and profit behind the scenes through affiliate programs.

The Instagram for PC site has been posted by more than 4,000 users on Twitter and Facebook and shared by more than 2,000 on Google+.


Figure 7. Social sharing icons lined up on the Instagram for PC website

Downloading these files does not install software with malicious functionality such as a keylogger or backdoor. Symantec detects these files as Downloader.MisleadApp.

If you use a PC and want to access Instagram from your computer, use nothing other than the legitimate instagram.com. The legitimate site lets you access the service from any browser on any platform.

Social network users need to watch out for scammers who try one trick after another: deceiving users into submitting their login credentials, installing applications, or copying code and pasting it into a web page. If you see a suspicious link, never click it; report it using the reporting feature provided by Facebook and other social networks. These tricks have been repeated countless times, and they keep being repeated because they work.


ZeroAccess Modifies Peer-to-Peer Protocol for Resiliency

ZeroAccess has always distributed its malicious payloads to infected computers using a peer-to-peer protocol. The use of a peer-to-peer protocol removes the need to maintain centralized command-and-control (C&C) servers to distribute malicious payloads. In 2011, ZeroAccess’ peer-to-peer protocol communicated over TCP, but in the second quarter of 2012 the protocol was modified to use UDP. This was the last significant update to the ZeroAccess peer-to-peer protocol until June 29, 2013.

Symantec has been closely monitoring the ZeroAccess peer-to-peer networks since its discovery. On June 29, 2013, we noticed a new module being distributed amongst ZeroAccess peers communicating on the UDP-based peer-to-peer network that operates on ports 16464 and 16465. ZeroAccess maintains a second UDP-based network that operates on ports 16470 and 16471. ZeroAccess peers communicate to other peers connected to the same network; peers do not communicate across networks.

The module discovered on June 29 modifies the peer-to-peer functionality of ZeroAccess to make its peer-to-peer network more robust and resilient against outside manipulation. The following is a summary of the key code changes made on June 29, 2013, affecting ZeroAccess peer-to-peer functionality:

  • The number of supported peer-to-peer protocol messages has been decreased from three to two.
  • A secondary internal peer list is now used that can hold over 16 million peer IP addresses, up from 256 IP addresses.
  • The secondary internal peer list is stored as a Windows NTFS alternate data stream.
  • The logic of how a ZeroAccess peer will contact other peers has been modified.
  • Error checks and timeouts have been added to the malicious file download TCP connections.

In addition to the code update being available on the UDP 16464/16465 peer network for existing peers, since June 29, 2013, we have observed that new ZeroAccess installers for the UDP 16464/16465 network also contain the new peer-to-peer protocol and code changes.

Interestingly, the ZeroAccess UDP 16470/16471 network has not yet received the code update. The new ZeroAccess installer samples for the UDP 16470/16471 network also do not contain the new code. In the past, both the UDP 16464/16465 and UDP 16470/16471 networks generally received new features and code modifications at approximately the same time.

Most of the code changes made by the ZeroAccess authors in this update seem to be in response to published research on ZeroAccess or other perceived weaknesses the authors found in the code. These changes are also further evidence that ZeroAccess continues to be actively developed and remains a threat. Symantec expects development of ZeroAccess to continue and will actively monitor the threat for those changes.

The following sections provide further technical details on the peer-to-peer protocol and related code changes made to ZeroAccess.

Modified peer-to-peer protocol

When discovered in 2012, ZeroAccess’ UDP-based peer-to-peer protocol supported three message types: getL, retL, and newL. A number of security researchers have described the messages and pointed out flaws in the protocol, especially regarding the newL message type. The newL message type is used by ZeroAccess to share directly routable IP addresses (often called super nodes or super peers) amongst its peers. When a peer receives a newL message, it adds the IP address included in the message to its internal peer list. The peer also forwards the newL message to other peers it knows about, magnifying the message’s effect. Prior to June 29, by crafting a newL message and sending it to a ZeroAccess peer, it was possible to introduce a rogue IP address into an infected ZeroAccess peer’s internal peer list and have that rogue newL message distributed to other ZeroAccess peers.

The new peer-to-peer protocol removes the newL message type, allowing the botnet to filter out rogue peer IPs.

Expanded internal peer-list

Another flaw previously identified in ZeroAccess’ peer-to-peer protocol is the fixed internal peer list size. Prior to the June 29 update, a ZeroAccess peer’s internal peer list was capped at 256 peers. After June 29, a secondary peer list was added and memory reserved to hold up to 16 million peer IP addresses. The list of 256 peers continues to be the “working set” of peers that are periodically contacted. The secondary peer list is used for redundancy purposes.

When the peer list was only 256 peers in length it was feasible that a significant ZeroAccess clean-up action could cut off ZeroAccess peers from the peer-to-peer network because none of their 256 known peers were online. It also became theoretically feasible to replace a ZeroAccess peer’s 256 internal peer list with rogue IP addresses. The secondary peer list makes both of these actions more difficult.

The secondary peer list is written to disk, along with the 256-peer working set. Prior to June 29, the 256 peers from the internal peer list were stored in a file named “@”. After June 29, the @ file still exists and continues to contain the 256 peer IP addresses from the working set. The secondary peer list, containing up to 16 million IP addresses, is stored as an NTFS alternate data stream of the @ file. The NTFS alternate data stream also uses the @ filename.

Altered run-time peer contact behavior

Prior to June 29, one of the peers from the 256 peers in ZeroAccess’ internal peer list would be contacted using a getL each second to ask for any data on new malicious modules and new ZeroAccess peer IP addresses. This behavior continues after June 29. However, for any remote peer that responds to a message, that responding peer’s IP address and response time-stamp will be added to the secondary peer list.

The IPs in the secondary peer list are also contacted when ZeroAccess first starts up. At startup, as many as 16 IPs from the secondary peer list will be contacted each second. This secondary peer list communication continues until at least 16 remote peers have responded to the infected host. Once 16 remote peers have responded, peers from the secondary list will not be contacted again until the infected computer is restarted. The secondary peer list continues to be added to and updated as remote peers respond during the normal periodic contact with the 256 peers from the working set. This behavior allows a ZeroAccess client to keep a large list of previously contacted peers for redundancy while still operating with a small working set of 256 peers, so that malicious payloads can be quickly distributed throughout the ZeroAccess network.

Another runtime peer-contact behavior change is the keeping of a contacted-peer state table. ZeroAccess peers continue to send unsolicited getL messages to remote peers and expect to receive retL messages in response. The retL responses contain malicious payload metadata as well as new peer IP addresses. Prior to June 29, an infected peer would accept any UDP message from any IP address, regardless of whether the infected host had contacted that remote IP address before or not. After June 29, a ZeroAccess peer will continue to accept getL messages from any remote IP, but will only accept a retL message from an IP address that the receiving peer had previously sent a getL message to. Basically, when a ZeroAccess peer sends a getL message to a remote IP address, it adds that remote IP address to a table in memory. When a ZeroAccess peer receives a retL message, it scans its table of IP addresses that it previously sent a getL message to; if the IP address that sent the retL message does not appear in the table, the receiving peer disregards the message. This change ensures that unsolicited retL messages are ignored and makes using retL messages as a means of introducing rogue IP addresses (as newL messages could be used in the previous protocol) more difficult.
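The retL state table and the startup use of the secondary peer list described above, written out as an added simulation; this is constructed for illustration, not ZeroAccess code or anything from the original post, and the class name, timestamps and IP ranges are assumptions:

```python
from dataclasses import dataclass, field

WORKING_SET_MAX = 256   # the "@" file working set, unchanged by the update
STARTUP_BATCH = 16      # secondary-list peers contacted per second at startup
STARTUP_TARGET = 16     # remote responders needed before startup contact stops


@dataclass
class PeerModel:
    """Constructed model of one post-June-29 ZeroAccess peer (not the malware's code)."""
    working_set: list                                  # 256-peer working set
    secondary: dict = field(default_factory=dict)      # ip -> last response timestamp
    pending_getL: set = field(default_factory=set)     # in-memory table of IPs we sent getL to
    startup_done: bool = False
    _startup_pos: int = 0
    _responders: int = 0

    def __post_init__(self):
        self.working_set = list(self.working_set)[:WORKING_SET_MAX]
        # Snapshot of the secondary list as loaded from disk; only used at startup.
        self._startup_order = list(self.secondary)

    def send_getL(self, ip):
        """Record the outgoing getL so a later retL from this IP counts as solicited."""
        self.pending_getL.add(ip)

    def startup_batch(self):
        """Next batch of up to 16 secondary-list IPs to contact, or [] once 16 peers replied."""
        if self.startup_done:
            return []
        batch = self._startup_order[self._startup_pos:self._startup_pos + STARTUP_BATCH]
        self._startup_pos += STARTUP_BATCH
        for ip in batch:
            self.send_getL(ip)
        return batch

    def receive(self, src_ip, msg_type, now=0.0):
        """Return True if the message is accepted, False if it is dropped."""
        if msg_type == "getL":
            return True                       # getL is still accepted from any IP
        if msg_type != "retL":
            return False                      # newL was removed; unknown types are dropped
        if src_ip not in self.pending_getL:
            return False                      # unsolicited retL: not in the state table, ignored
        # Solicited retL: remember the responder and its response time in the secondary list.
        self.secondary[src_ip] = now
        if not self.startup_done:
            self._responders += 1
            if self._responders >= STARTUP_TARGET:
                self.startup_done = True
        return True
```

The model deliberately never expires entries from the state table, because the post does not say whether ZeroAccess does.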

Improved payload file transfer resiliency

A ZeroAccess peer already contains checks to ensure it does not download a rogue payload file from a remote host. A payload file’s metadata in retL messages is digitally signed and cannot be easily forged. In addition, the malicious payload files themselves are digitally signed, and the signature is checked after the file is downloaded. The digital signatures prevent a rogue peer from introducing an arbitrary executable module into the peer-to-peer network. The June 29 code change adds checks to ensure that TCP file transfers are not taking too long to complete. These changes seem to be designed to protect against a kind of denial-of-service attack in which a rogue peer attempts to trick a ZeroAccess peer into downloading a large number of files from a rogue peer that delivers the file data too slowly. Using this attack, it would be possible to occupy all TCP ports on an infected computer, preventing it from downloading the intended malicious payloads.

Targeted Attacks Delivering Fruit

Contributor: Lionel Payet
Political news has always been one of the top topics used in targeted attacks. Last week we came across unique malicious emails targeting high-profile companies in Europe and Asia (in sectors such as finance, mining, telecom, …

Android Cryptographic Issue May Affect Hundreds of Thousands of Apps

There’s been a lot of confusion over the last few days, since bitcoin.org announced that an Android component responsible for generating secure random numbers contained a critical weakness that rendered many Android bitcoin wallets vulnerable.

Microsoft Patch Tuesday – August 2013

Hello, welcome to this month’s blog on the Microsoft patch release. This month the vendor is releasing eight bulletins covering a total of 23 vulnerabilities. 14 of this month’s issues are rated ’Critical’.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the July releases can be found here:

The following is a breakdown of the issues being addressed this month:

  1. MS13-066 Vulnerability in Active Directory Federation Services Could Allow Information Disclosure (2873872)

    AD FS Information Disclosure Vulnerability (CVE-2013-3185) MS Rating: Important

    An information disclosure vulnerability exists in Active Directory Federation Services (AD FS) that could allow the unintentional disclosure of account information.

  2. MS13-062 Vulnerability in Remote Procedure Call Could Allow Elevation of Privilege (2849470)

    Remote Procedure Call Vulnerability (CVE-2013-3175) MS Rating: Important

    An elevation of privilege vulnerability exists in the way that Windows handles asynchronous RPC requests. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights.

  3. MS13-064 Vulnerability in Windows NAT Driver Could Allow Denial of Service (2849568)

    Windows NAT Denial of Service Vulnerability (CVE-2013-3182) MS Rating: Important

    A denial of service vulnerability exists in the Windows NAT Driver that could cause the target system to stop responding until restarted.

  4. MS13-060 Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution (2850869)

    Uniscribe Font Parsing Engine Memory Corruption Vulnerability (CVE-2013-3181) MS Rating: Critical

    A remote code execution vulnerability exists in the Unicode Scripts Processor included in affected versions of Microsoft Windows. An attacker who successfully exploited this vulnerability could run arbitrary code as the current user.

  5. MS13-065 Vulnerability in ICMPv6 could allow Denial of Service (2868623)

    ICMPv6 Vulnerability (CVE-2013-3183) MS Rating: Important

    A denial of service vulnerability exists in the Windows TCP/IP stack that could cause the target system to stop responding until restarted. The vulnerability is caused when the TCP/IP stack does not properly allocate memory for incoming ICMPv6 packets.

  6. MS13-059 Cumulative Security Update for Internet Explorer (2862772)

    Internet Explorer Process Integrity Level Assignment Vulnerability (CVE-2013-3186) MS Rating: Moderate

    An elevation of privilege vulnerability exists in the way that Internet Explorer handles process integrity level assignment in specific cases. An attacker who successfully exploited this vulnerability could allow arbitrary code to execute with elevated privileges.

    EUC-JP Character Encoding Vulnerability (CVE-2013-3192) MS Rating: Moderate

    An information disclosure vulnerability exists in Internet Explorer that could allow script to perform cross-site scripting attacks. An attacker could exploit the vulnerability by inserting specially crafted strings into a website, resulting in information disclosure when a user viewed the website.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3184) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3187) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3188) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3189) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3190) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3191) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3193) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3194) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3199) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

  7. MS13-063 Vulnerability in Windows Kernel Could Allow Security Feature Bypass (2859537)

    ASLR Security Feature Bypass Vulnerability (CVE-2013-2556) MS Rating: Important

    A security feature vulnerability exists in Windows due to the improper implementation of the Address Space Layout Randomization (ASLR). The vulnerability could allow an attacker to bypass the ASLR security feature, most likely during, or in the course of exploiting, a remote code execution vulnerability. The attacker could then load a DLL in the process.

    Windows Kernel Memory Corruption Vulnerability (CVE-2013-3196) MS Rating: Important

    An elevation of privilege vulnerability exists in the Windows kernel due to a memory corruption condition in the NT Virtual DOS Machine (NTVDM). An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights.

    Windows Kernel Memory Corruption Vulnerability (CVE-2013-3197) MS Rating: Important

    An elevation of privilege vulnerability exists in the Windows kernel due to a memory corruption condition in the NT Virtual DOS Machine (NTVDM). An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights.

    Windows Kernel Memory Corruption Vulnerability (CVE-2013-3198) MS Rating: Important

    An elevation of privilege vulnerability exists in the Windows kernel due to a memory corruption condition in the NT Virtual DOS Machine (NTVDM). An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights.

  8. MS13-061 Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2876063)

    Oracle Outside In Contains Multiple Exploitable Vulnerabilities (CVE-2013-2393) MS Rating: Critical

    Remote Code Execution vulnerabilities exist in Exchange Server 2007 and Exchange Server 2010 through the WebReady Document Viewing feature. The vulnerabilities could allow a remote code execution as the LocalService account if a user views a specially crafted file through Outlook Web Access in a browser.

    Oracle Outside In Contains Multiple Exploitable Vulnerabilities (CVE-2013-3776) MS Rating: Critical

    Remote Code Execution vulnerabilities exist in Exchange Server 2007 and Exchange Server 2010 through the WebReady Document Viewing feature. The vulnerabilities could allow a remote code execution as the LocalService account if a user views a specially crafted file through Outlook Web Access in a browser.

    Oracle Outside In Contains Multiple Exploitable Vulnerabilities (CVE-2013-3781) MS Rating: Critical

    Remote Code Execution vulnerabilities exist in Exchange Server 2007 and Exchange Server 2010 through the WebReady Document Viewing feature. The vulnerabilities could allow a remote code execution as the LocalService account if a user views a specially crafted file through Outlook Web Access in a browser.

More information on the vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.

“LNK” Attacks are Back Again

Recently, we observed an attack campaign using link files attached to emails in Japan. We have blogged about threats utilizing link files before and this type of attack is still alive and well.
The target of the link is disguised to make it look like i…

?????? 3D ???

3D printers are fascinating devices that have recently become affordable and are becoming widely available. Many users enjoy experimenting with 3D printers, and they are driving innovation in a variety of fields. The possibilities of 3D printing are vast, ranging from realizing controversial ideas such as replicating weapons to duplicating keys. And this is not just about cheap plastic copies: newer 3D printers can sinter materials such as titanium to produce highly durable objects.

At the security conferences OHM2013 and DEFCON, held back to back two weeks ago, two similar presentations on lock picking were given. Both demonstrated that a physical key can be duplicated with a 3D printer; all that is needed is the original key's ID number and a few detailed photographs. It is worrying to think that this alone is enough to produce a working 3D-modeled copy of a key. Some of the 3D model files are publicly available and are easy to modify and adapt.

This is not a new concept. 3D models of handcuff keys have been circulating publicly for over a year. Several years ago, a number of books were published demonstrating how to duplicate a key from a few photographs taken with a high-resolution camera.

Of course, a skilled attacker can open a lock with ordinary picking tools. But as 3D printers become available to the public and the corresponding key files circulate online, it becomes increasingly easy for many more people to make copies.




Using social media accounts, and Twitter accounts in particular, to lure users to malicious sites hosting threats such as Android.Opfake (see last year's blog) is nothing unusual. Symantec recently confirmed cases in which the accounts of unsuspecting ordinary users had been compromised and were tweeting these kinds of malicious links to their followers.

Figure 1. Malicious tweets from compromised accounts

This batch of compromised accounts began appearing in early July, and users around the world are affected. A wide range of accounts were compromised within a few weeks, yet despite hundreds of tweets having already been sent, many users are unaware that their accounts are sending malicious tweets.

Figure 2. Legitimate and malicious tweets sent from a compromised account



Figure 3. The malware-hosting site opens in the browser


Figure 4. Automatically downloaded app

Notably, the malicious tweet appears to offer a free version of Asphalt 7. Whenever you download and install an app, double-check that it is legitimate: this app poses as a free version, yet unlike the genuine Asphalt 7 app it sends premium SMS messages in the background, which ends up costing far more than simply buying the real thing.

Figure 5. Fake Asphalt 7 download site


Figure 6. Scam with an eye-catching image attached

Symantec is working with Twitter to support users whose accounts have been compromised. To check whether your account is compromised, look for tweets you do not recognize and for accounts you do not remember following. To protect your account from compromise, use a strong password and be wary of phishing scams. Also follow basic security best practices so that your computer or device is not infected by malware that steals account credentials: apply the latest patches to your operating system and all installed software, and use up-to-date security software. To avoid landing on malicious sites, ignore any unusual message, even if it comes from someone you know. We also recommend installing a security app such as Norton Mobile Security or Symantec Mobile Security. Symantec detects the malware described in this blog as Android.Opfake.


