Tag Archives: malware

Operation Troy: OpenIOC Release

      No Comments on Operation Troy: OpenIOC Release

  In conjunction with our investigation into Operation Troy, we will be releasing IOC data in the open and highly flexible OpenIOC Framework format. The McAfee Operation Troy IOC can be downloaded here.       In addition to various open/free tools, OpenIOC data can be consumed by:             McAfee Read more…

avast! Mobile Security gets Editors’ Choice Award from PC Magazine

PC Magazine awarded avast! Mobile Security the Editors’ Choice Award for free Android security apps thanks to its “huge array of powerful tools and fine-grained controls.” A major concern for smartphone owners is the increasing threat of malicious software targeting Android OS. Max Eddy, software analyst for PC Magazine, writes that, “avast! is well-positioned to guard […]

Fake Flash Player installer spreads via Twitter and Facebook

Recently we identified a threat which uses Twitter and Facebook to spread. The origin of the infection begins by clicking malicious tweets or Facebook posts. After clicking a tweet similar to the figure below, the user is redirected to a webpage, which asks to download and install Adobe Flash Player. The translation of the marked […]

avast! Free Antivirus is the best deal for the Real World

In the “real world” of monthly bills and rising expenses, a decision about antivirus protection often comes down to the best protection for the money – and that’s where avast! Free Antivirus wins out over the rest. In the May 2013 Real-World Protection Test by AV-Comparatives, avast! Free Antivirus was up against 19 paid-for internet […]

Security Apps, Malware Race to Be First On Your Mobile

In China, there is a saying: “道高一尺,魔高一丈,” meaning “The law is strong, but the outlaws are sometimes stronger.” In the last few weeks, a new Android malware we’re calling Android/Obad.A has appeared. It uses a number of techniques that have rarely been seen before in mobile malware. Android/Obad.A requests the victim to authorize its Device Read more…

Styx Exploit Kit Takes Advantage of Vulnerabilities

Web-based malware has increased over the last few years due to an abrupt spike in new exploit kits. These kits target vulnerabilities in popular applications and provide an effective way for cybercriminals to distribute malware. We have already discussed Red Kit, a common exploit kit. Recently McAfee Labs has observed an increase in the prevalence Read more…

Your Facebook connection is now secured! Thank you for your support!

The title of this blog post may make you think that we will discuss the security of your Facebook account. Not this time. However, I will analyze an attack which starts with a suspicious email sent to the victim’s email account. The incoming email has the following subject, ‘Hey <name> your Facebook account has been […]

Android:Obad – malware gets smarter – so does AVAST

If you had the privilege to meet Android:Obad, which Kaspersky earlier reported to be the “most sophisticated android malware,” you are in a real bad situation and this will probably be the moment to which you’ll be referring to in the future as “The time I learned the hard way what better-safe-than-sorry means.” A few […]

??????????????????????

      No Comments on ??????????????????????

寄稿: 篠塚大志

マルウェアの作成者は、より巧妙な手口を求めて常に新しい方法を模索しています。サイバー犯罪者の前にはシマンテック保護技術がいくつも立ちふさがり、ユーザーのセキュリティ意識も高くなっているため、彼らの攻撃が成功することはますます難しくなってきました。

最近の調査で、シマンテックは Word13.exe という変わった名前のサンプルを発見しました。外見だけからすると、デジタル署名された Adobe 社製のファイルのように見えます。
 

Fake Certificate 4.jpg

図 1. Adobe 社の署名の付いた Word13.exe ファイル
 

Fake Certificate 1.png

図 2. 偽のデジタル署名のプロパティ
 

しかし、よく調べてみると、実に興味深い点に気づきます。
 

Fake Certificate 2.png

図 3. 偽の署名と証明書
 

これが偽物であることは、[発行者]フィールドに「Adobe Systems Incorporated」と書かれていることでわかります。Adobe 社は VeriSign 製品の顧客だからです。また、証明書の情報を見ると、CA ルート証明書を信頼できないこともわかり、これも決定的な証拠になります。
 

Fake Certificate 3.png

図 4. Adobe 社の正規の署名と証明書
 

シマンテックは、このファイルに対する保護対策を提供しており、Backdoor.Trojan として検出します。

Backdoor.Trojan は、自身を実行して iexplore.exe または notepad.exe にインジェクトし、バックドア機能を開始します。

作成される可能性があるファイルは、以下のとおりです。

  • %UserProfile%\Application Data\ aobecaps \cap.dll
  • %UserProfile%\Application Data\ aobecaps \mps.dll
  • %UserProfile%\Application Data\ aobecaps \db.dat

また、ポート 3337 で以下のコマンド & コントロール(C&C)サーバーに接続します。

  • Icet****ach.com 

そのうえで、このトロイの木馬は以下の処理を実行する可能性があります。

  • ユーザーとコンピュータの情報を盗み出す
  • フォルダを作成する
  • ファイルを作成、ダウンロード、削除、移動、検索、実行する
  • スクリーンショットを取得する
  • マウス機能をエミュレートする
  • Skype 情報を盗み出す

このマルウェアの被害を受けないように、ウイルス対策定義を常に最新の状態に保ち、ソフトウェアも定期的に更新するようにしてください。ダウンロードの URL が提示された場合には、必ずその URL を再確認し、必要に応じて念のために証明書と署名を確認してください。

 

* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。

Malware Using Fake Certificate to Evade Detection

Contributor: Hiroshi Shinotsuka

Malware authors are always seeking new ways to hone their craft.  As cybercriminals are facing a multitude of preventative technologies from Symantec and users are becoming more security conscious, it is becoming increasingly difficult for the bad guys to win.

Recently, during research, we came across an oddly named sample, Word13.exe. Upon first glance, it appears to be a digitally signed file from Adobe.
 

Fake Certificate 1.png

Figure 1. Fake digital signature properties
 

But upon closer inspection we found something very interesting.
 

Fake Certificate 2.png

Figure 2. Fake signature and certificate
 

It’s fake, as the “Issued By” field says “Adobe Systems Incorporated” – Adobe is a VeriSign customer. Also, in the certificate information, we see that the CA Root certificate is not trusted – another dead giveaway.
 

Fake Certificate 3.png

Figure 3. Legitimate Adobe signature and certificate
 

Symantec has protection in place and detects this file as Backdoor.Trojan.

Backdoor.Trojan will execute and inject itself into iexplore.exe or notepad.exe and start a back door function.

It may create following files:

  • %UserProfile%\Application Data\ aobecaps \cap.dll
  • %UserProfile%\Application Data\ aobecaps \mps.dll
  • %UserProfile%\Application Data\ aobecaps \db.dat

It connects to the following command-and-control (C&C) server on port 3337:

  • Icet****ach.com 

This back door may then perform the following actions:

  • Steal user and computer information
  • Create folders
  • Create, download, delete, move, search for, and execute files
  • Capture screenshots
  • Emulate mouse function
  • Steal Skype information

To ensure that you do not become a victim of this threat, please ensure that your antivirus definitions are always up-to-date and that your software packages are also regularly updated. Always double check the URL of the download that is being offered and, if applicable, check the certificate and signature just to be safe.