Tag Archives: Security Response

Microsoft Patch Tuesday – November 2014

      No Comments on Microsoft Patch Tuesday – November 2014
This month the vendor is releasing fourteen bulletins covering a total of 33 vulnerabilities. Fourteen of this month’s issues are rated ’Critical’.

ms-tuesday-patch-key-concept-white-light 2_0.png

Hello, welcome to this month’s blog on the Microsoft patch release. This month the vendor is releasing fourteen bulletins covering a total of 33 vulnerabilities. Fourteen of this month’s issues are rated ’Critical’.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the November releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms14-nov

The following is a breakdown of the issues being addressed this month:

  1. MS14-064 Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443)

    Windows OLE Automation Array Remote Code Execution Vulnerability (CVE-2014-6332) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory.

    Windows OLE Remote Code Execution Vulnerability (CVE-2014-6352) MS Rating: Important

    A remote code execution vulnerability exists in the context of the current user that is caused when a user downloads, or receives, and then opens a specially crafted Microsoft Office file that contains OLE objects.

  2. MS14-065 Cumulative Security Update for Internet Explorer (3003057)

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-4143) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-6337) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-6341) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-6342) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-6343) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-6344) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-6347) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-6348) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-6351) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-6353) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Elevation of Privilege Vulnerability (CVE-2014-6349) MS Rating: Important

    An elevation of privilege vulnerability exists when Internet Explorer does not properly validate permissions under specific conditions. An attacker who successfully exploited this vulnerability could run scripts run with elevated privileges.

    Internet Explorer Elevation of Privilege Vulnerability (CVE-2014-6350) MS Rating: Important

    An elevation of privilege vulnerability exists when Internet Explorer does not properly validate permissions under specific conditions. An attacker who successfully exploited this vulnerability could run scripts run with elevated privileges.

    Internet Explorer Cross-domain Information Disclosure Vulnerability (CVE-2014-6340) MS Rating: Important

    An information disclosure vulnerability exists when Internet Explorer does not properly enforce cross-domain policies. An attacker could exploit this issue to gain access to information in another domain or Internet Explorer zone.

    Internet Explorer Cross-domain Information Disclosure Vulnerability (CVE-2014-6345) MS Rating: Important

    An information disclosure vulnerability exists when Internet Explorer does not properly enforce cross-domain policies. An attacker could exploit this issue to gain access to information in another domain or Internet Explorer zone.

    Internet Explorer Cross-domain Information Disclosure Vulnerability (CVE-2014-6346) MS Rating: Important

    An information disclosure vulnerability exists when Internet Explorer does not properly enforce cross-domain policies. An attacker could exploit this issue to gain access to information in another domain or Internet Explorer zone.

    Internet Explorer Clipboard Information Disclosure Vulnerability (CVE-2014-6323) MS Rating: Important

    An information disclosure vulnerability exists when Internet Explorer does not properly restrict access to the clipboard of a user who visits a website. The vulnerability could allow data stored on the Windows clipboard to be accessed by a malicious site. An attacker could collect information from the clipboard of a user if that user visits the malicious site.

    Internet Explorer ASLR Bypass Vulnerability (CVE-2014-6339) MS Rating: Important

    A security feature bypass vulnerability exists when Internet Explorer does not use the Address Space Layout Randomization (ASLR) security feature, which could allow an attacker to more reliably predict the memory offsets of specific instructions in a given call stack.

  3. MS14-066 Vulnerability in Schannel Could Allow Remote Code Execution (2992611)

    Microsoft Schannel Remote Code Execution Vulnerability (CVE-2014-6321) MS Rating: Critical

    A remote code execution vulnerability exists in the Secure Channel (Schannel) security package due to the improper processing of specially crafted packets.

  4. MS14-067 Vulnerability in XML Core Services Could Allow Remote Code Execution (2993958)

    MSXML Remote Code Execution Vulnerability (CVE-2014-4118) MS Rating: Critical

    A remote code execution vulnerability exists when Microsoft XML Core Services (MSXML) improperly parses XML content, which can corrupt the system state in such a way as to allow an attacker to run arbitrary code. The vulnerability could allow a remote code execution if a user opens a specially crafted file or webpage.

  5. MS14-069 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3009710)

    Microsoft Office Double Delete Remote Code Execution Vulnerability (CVE-2014-6333) MS Rating: Important

    A remote code execution vulnerability exists in the context of the current user that is caused when Microsoft Word does not properly handle objects in memory while parsing specially crafted Office files.

    Microsoft Office Bad Index Remote Code Execution Vulnerability (CVE-2014-6334) MS Rating: Important

    A remote code execution vulnerability exists in the context of the current user that is caused when Microsoft Word improperly handles objects in memory while parsing specially crafted Office files. This could corrupt system memory in such a way as to allow an attacker to execute arbitrary code.

    Microsoft Office Invalid Pointer Remote Code Execution Vulnerability (CVE-2014-6335) MS Rating: Important

    A remote code execution vulnerability exists in the context of the local user that is caused when Microsoft Word improperly handles objects in memory while parsing specially crafted Office files. This could corrupt system memory in such a way as to allow an attacker to execute arbitrary code.

  6. MS14-070 Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935)

    TCP/IP Elevation of Privilege Vulnerability (CVE-2014-4076) MS Rating: Important

    An elevation of privilege vulnerability exists in the Windows TCP/IP stack (tcpip.sys, tcpip6.sys) that is caused when the Windows TCP/IP stack fails to properly handle objects in memory during IOCTL processing.

  7. MS14-071 Vulnerability in Windows Audio Service Could Allow Elevation of Privilege (3005607)

    Windows Audio Service Vulnerability (CVE-2014-6322) MS Rating: Important

    An elevation of privilege vulnerability exists in the Windows audio service component that could be exploited through Internet Explorer. The vulnerability is caused when Internet Explorer does not properly validate permissions under specific conditions, potentially allowing script to be run with elevated privileges.

  8. MS14-072 Vulnerability in .NET Framework Could Allow Elevation of Privilege (3005210)

    TypeFilterLevel Vulnerability (CVE-2014-4149) MS Rating: Important

    An elevation of privilege vulnerability exists in the way that .NET Framework handles TypeFilterLevel checks for some malformed objects.

  9. MS14-073 Vulnerability in Microsoft SharePoint Foundation Could Allow Elevation of Privilege (3000431)

    SharePoint Elevation of Privilege Vulnerability (CVE-2014-4116) MS Rating: Important

    An elevation of privilege vulnerability exists when SharePoint Server does not properly sanitize page content in SharePoint lists. An authenticated attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the logged-on user.

  10. MS14-074 Vulnerability in Remote Desktop Protocol could allow Security Feature Bypass (3003743)

    Remote Desktop Protocol (RDP) Failure to Audit Vulnerability (CVE-2014-6318) MS Rating: Important

    A security feature bypass vulnerability exists in Remote Desktop Protocol (RDP) when RDP does not properly log failed logon attempts. The vulnerability could allow an attacker to bypass the audit logon security feature. The security feature bypass by itself does not allow an arbitrary code execution. However, an attacker could use this bypass vulnerability in conjunction with another vulnerability.

  11. MS14-076 Vulnerability in Internet Information Services (IIS) Could Allow Security Feature Bypass (2982998)

    IIS Security Feature Bypass Vulnerability (CVE-2014-4078) MS Rating: Important

    A security feature bypass vulnerability exists in Internet Information Services (IIS) that is caused when incoming web requests are not properly compared against the ‘IP and domain restriction’ filtering list.

  12. MS14-077 Vulnerability in Active Directory Federation Services could allow Information Disclosure (3003381)

    Active Directory Federation Services Information Disclosure Vulnerability (CVE-2014-6331) MS Rating: Important

    An information disclosure vulnerability exists when Active Directory Federation Services (AD FS) fails to properly log off a user. The vulnerability could allow an unintentional information disclosure.

  13. MS14-078 Vulnerability in IME (Japanese) Could Allow Elevation of Privilege (2992719)

    Microsoft IME (Japanese) Elevation of Privilege Vulnerability (CVE-2014-4077) MS Rating: Moderate

    An elevation of privilege vulnerability exists in Microsoft IME for Japanese that is caused when a vulnerable sandboxed application uses Microsoft IME (Japanese).

  14. MS14-079 Vulnerability in Kernel-Mode Driver Could Allow Denial of Service (3002885)

    Denial of Service in Windows Kernel Mode Driver Vulnerability (CVE-2014-6317) MS Rating: Moderate

    A denial of service vulnerability exists in the Windows kernel-mode driver that is caused by the improper handling of TrueType font objects in memory.

More information on the vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.

Countdown to Zero Day—Did Stuxnet escape from Natanz?

      No Comments on Countdown to Zero Day—Did Stuxnet escape from Natanz?
Symantec’s analysis on the Stuxnet worm features in new Kim Zetter book.

Today, Kim Zetter released her book, “Countdown to Zero Day”. The book recounts the story of Stuxnet’s attempt to sabotage Iran’s uranium enrichment program. The work that Eric Chien, Nicolas Falliere, and I carried out is featured in the book. During the process of writing the book, Kim interviewed us on many occasions and we were lucky enough to be able to review an advanced copy.

countdowncover.png
Figure 1. Kim Zetter’s new book, “Countdown to Zero Day”

In the chapter 17 of the book, “The Mystery of the Centrifuges”, Kim talks about how Stuxnet infections began in Iran, identifying several companies where she believes the infections originated.

“To get their weapon into the plant, the attackers launched an offensive against four companies. All of the companies were involved in industrial control processing of some sort, either manufacturing products or assembling components or installing industrial control systems. They were likely chosen because they had some connection to Natanz as contractors and provided a gateway through which to pass Stuxnet to Natanz through infected employees”

This is a different story from the one that David Sanger’s sources painted in his New York Times article and in his book “Confront and Conceal”. Sanger states:

“. . . an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed [Stuxnet] to escape Iran’s Natanz plant and sent it around the world on the Internet.”

So which is right? Did Stuxnet originate outside of Natanz and spread all over the world with the hopes of eventually entering Natanz? Or did Stuxnet start inside of Natanz and accidentally escape due to a programming error?

Tracing the spread of Stuxnet
We actually covered how Stuxnet originated in a blog post in February 2011. Let’s start with whether it is possible to track Stuxnet’s origin back to specific companies in Iran.

Normally, it would not be possible to state with 100 percent accuracy where an infection started. However, in the case of Stuxnet version 1.x, the attackers left a trail behind which allows analysts to trace the specific genealogy of each sample. This is possible because every time Stuxnet executes, it records some information about the computer it is executing on and stores that within the executable file itself, creating a new unique executable in the process. As a result, every unique executable contains an embedded and ordered list showing the computers it has previously infected. As Stuxnet spreads from computer to computer, the list grows and grows. By examining this list, we can trace back from one entry to the next, extracting computer information from each entry. These are the breadcrumbs we can follow to get back to the original compromised computers.

What do the breadcrumbs look like?
Each entry in the list looks like the data shown in the following image. Although this may not make sense at first, by analyzing the code within Stuxnet, we can find out what each number represents.

stuxnetentry.png
Figure 2. List entry of compromised computers

Among other information, the computer name, domain name, date, and IP address are stored in each entry. We can extract information from previous data, which is shown in the following image.

stuxnetentrydetails.png
Figure 3. Details stored in each entry

By looking at each entry in the list embedded in any sample, we can see how the threat moved from one computer to the next. The real computer names and domains have been anonymized.

Figure 4. List of compromised computers from one sample shows how Stuxnet spread

In the previous image, we can see Stuxnet’s path through the first six compromised computers. This information was extracted from one sample. When we look at the first six infections from a different sample, we get the following path.

stuxnetpatha.png
Figure 5. List of compromised computers from another sample shows different movement pattern

The two samples’ first four entries are the same but after that, the samples moved in two different directions. At the fifth step, one sample compromised a computer on the WORKGROUP domain while the other sample compromised a computer on the MSHOME network.

Using this data, we graphed the spread of Stuxnet infections. See pages eight to ten of our Stuxnet whitepaper for more details.

stuxnetpathb.png
Figure 6. Spread of Stuxnet infections

Many computers and domains used generic names that do not provide much insight into the targets. For example, WORKGROUP and MSHOME—two default workgroup names—appear very frequently in the breadcrumb logs. However, we were able to identify all of the places where Stuxnet infections originated, and they were all in Iran.

The verdict
So did Stuxnet spread into Natanz as Zetter says or escape out of Natanz as Sanger reported?

Based on the analysis of the breadcrumb log files, every Stuxnet sample we have ever seen originated outside of Natanz. In fact, as Kim Zetter states, every sample can be traced back to specific companies involved in industrial control systems-type work.

This technical proof shows that Stuxnet did not escape from Natanz to infect outside companies but instead spread into Natanz.

Unfortunately, these breadcrumbs are only available for Stuxnet version 1.x. There was at least one previous version of Stuxnet released, version 0.5 (which we analyzed in our whitepaper), for which this infection path information is not available.

While version 0.5, which did not spread as aggressively as version 1.x, could have been planted inside Natanz and then spread outwards, this version was no longer operational during the conversation timeframe (the summer of 2010) outlined in the Sanger article. As a result, it is unlikely the 0.5 version is the subject of his article.

To make up your own mind, you should read Kim Zetter’s “Countdown to Zero Day”, which is out today.

Operation CloudyOmega: Ichitaro zero-day and ongoing cyberespionage campaign targeting Japan

      No Comments on Operation CloudyOmega: Ichitaro zero-day and ongoing cyberespionage campaign targeting Japan
The campaign was launched by an attack group that has communication channels with other notorious attack groups including Hidden Lynx and the group responsible for LadyBoyle.

JustSystems has issued an update to its Ichitaro product line (Japanese office suite software), plugging a zero-day vulnerability. This vulnerability is being actively exploited in the wild to specifically target Japanese organizations.

The exploit is sent to the targeted organizations through emails with a malicious Ichitaro document file attached, which Symantec products detect as Bloodhound.Exploit.557. Payloads from the exploit may include Backdoor.Emdivi, Backdoor.Korplug, and Backdoor.ZXshell; however, all payloads aim to steal confidential information from the compromised computer.

The content of the emails vary depending on the business interest of the targeted recipient’s organization; however, all are about recent political events associated with Japan. Opening the malicious attachment with Ichitaro will drop the payload and display the document. Often such exploitation attempts crash and then relaunch the document viewer to open a clean document in order to trick users into believing it is legitimate. In this particular attack, opening the document and dropping the payload are done without crashing Ichitaro and, as such, users have no visual indications as to what is really happening in the background.

CloudyOmega
As Security Response previously discussed, unpatched vulnerabilities being exploited is nothing new for Ichitaro. However, during our investigation of this Ichitaro zero-day attack, we discovered that the attack was in fact part of an ongoing cyberespionage campaign specifically targeting various Japanese organizations. Symantec has named this attack campaign CloudyOmega. In this campaign, variants of Backdoor.Emdivi are persistently used as a payload. All attacks arrive on the target computers as an attachment to email messages. Mostly the attachments are in a simple executable format with a fake icon. However, some of the files exploit software vulnerabilities, and the aforementioned vulnerability in Ichitaro software is only one of them. This group’s primary goal is to steal confidential information from targeted organizations. This blog provides insights into the history of the attack campaign, infection methods, malware payload, and the group carrying out the attacks.

Timeline
The first attack of the campaign can be traced back to at least 2011. Figure 1 shows the targeted sectors and the number of attacks carried out each year. The perpetrators were very cautious launching attacks in the early years with attacks beginning in earnest in 2014. By far, the public sector in Japan is the most targeted sector hit by Operation CloudyOmega. This provides some clue as to who the attack group is.

CloudyOmega 1 edit.png
Figure 1. Targeted sectors and number of attacks

Attack vector
Email is the predominant infection vector used in this campaign.

CloudyOmega 2 edit.png
Figure 2. Sample email used in attack campaign

Figure 2 is an example of an email used in recent attacks prior to those exploiting the Ichitaro zero-day vulnerability. The emails include password-protected .zip files containing the malware. Ironically, the attackers follow security best practices by indicating in the first email that the password will be sent to the recipient in a separate email. This is merely to trick the recipient into believing the email is from a legitimate and trustworthy source. The body of the email is very short and claims the attachment includes a medical receipt. The email also requests that the recipient open the attachment on a Windows computer. The file in the attachment has a Microsoft Word icon but, as indicated within Windows Explorer, it is an executable file.

CloudyOmega 3 edit.png
Figure 3. Attached “document” is actually a malicious executable file

Payload
The malicious payload is Backdoor.Emdivi, a threat that opens a back door on the compromised computer. The malware is exclusively used in the CloudyOmega attack campaign and first appeared in 2011 when it was used in an attack against a Japanese chemical company. Emdivi allows the remote attacker executing the commands to send the results back to the command-and-control (C&C) server through HTTP.

Each Emdivi variant has a unique version number and belongs to one of two types: Type S and Type T. The unique version number is not only a clear sign that Emdivi is systematically managed, but it also acts as an encryption key. The malware adds extra words to the version number and then, based on this, generates a hash, which it uses as an encryption key.

Both Emdivi Type S and Type T share the following functionality:

  • Allow a remote attacker to execute code through HTTP
  • Steal credentials stored by Internet Explorer

Type T is primarily used in Operation CloudyOmega, has been in constant development since the campaign was first launched in 2011, and is written in the C++ programing language. Type T employs techniques to protect itself from security vendors or network administrators. Important parts of Type T, such as the C&C server address it contacts and its protection mechanisms, are encrypted. Type T also detects the presence of automatic analysis systems or debuggers, such as the following:

  • VirtualMachine
  • Debugger
  • Sandbox

Type S, on the other hand, was used only twice in the attack campaign. Type S is a .NET application based on the same source code and shared C&C infrastructure as Type T. However, protection mechanisms and encryption, essential features for threat survival, are not present in Type S. One interesting trait of Type S is that it uses Japanese sentences that seem to be randomly taken from the internet to change the file hash. For instance, in the example shown in Figure 4, it uses a sentence talking about the special theory of relativity.

CloudyOmega 4 edit.png
Figure 4. Japanese text used by Emdivi Type S variant

Who is Emdivi talking to?
Once infected, Emdivi connects to hardcoded C&C servers using the HTTP protocol.

So far, a total of 50 unique domains have been identified from 58 Emdivi variants. Almost all websites used as C&C servers are compromised Japanese websites ranging from sites belonging to small businesses to personal blogs. We discovered that 40 out of the 50 compromised websites, spread across 13 IP addresses, are hosted on a single cloud-hosting service based in Japan.

CloudyOmega 5.png
Figure 5. Single IP hosts multiple compromised websites

The compromised sites are hosted on various pieces of web server software, such as Apache and Microsoft Internet Information Services (IIS), and are on different website platforms. This indicates that the sites were not compromised through a vulnerability in a single software product or website platform. Instead, the attacker somehow penetrated the cloud service itself and turned the websites into C&C servers for Backdoor.Emdivi.

The compromised cloud hosting company has been notified but, at the time of writing, has not replied.

Symantec offers two IPS signatures that detect and block network communication between infected computers and the Emdivi C&C server:

Zero-day and links to other cybercriminal groups
During our research, multiple samples related to this attack campaign were identified and allowed us to connect the dots, as it were, when it came to CloudyOmega’s connections to other attack groups.  

In August 2012, the CloudyOmega attackers exploited the zero-day Adobe Flash Player and AIR ‘copyRawDataTo()’ Integer Overflow Vulnerability (CVE-2012-5054) in an attack against a high-profile organization in Japan. The attackers sent a Microsoft Word file containing a maliciously crafted SWF file that exploited the vulnerability. Once successfully exploited, the file installed Backdoor.Emdivi. As CVE-2012-5054 was publicly disclosed in the same month, the attack utilized what was, at the time, a zero-day exploit.

Interestingly, the Flash file that was used in an Emdivi attack in 2012 and the one used in the LadyBoyle attack in 2013 look very similar.

Figure 6 shows the malformed SWF file executing LadyBoyle() code that attempts to exploit the Adobe Flash Player CVE-2013-0634 Remote Memory Corruption Vulnerability (CVE-2013-0634). The Flash file seems to have been created using the same framework used by the CloudyOmega group, but with a different exploit.

CloudyOmega 6 edit.png
Figure 6. Malformed SWF file used in the LadyBoyle campaign in February 2013

Both attacks use a .doc file containing an Adobe Flash zero-day exploit that is used to install a back door. No other evidence connects these two different campaigns; however, as described previously in Symantec Security Response’s Elderwood blog, it is strongly believed that a single parent organization has broken into a number of subgroups that each target a particular industry.

In terms of the latest attack on Ichitaro, we collected a dozen samples of JTD files, all of which are exactly the same except for their payload. The parent organization, it would seem, supplied the zero-day exploit to the different subgroups as part of an attack toolkit and each group launched a separate attack using their chosen malware. This is why three different payloads (Backdoor.Emdivi, Backdoor.Korplug, and Backdoor.ZXshell) were observed in the latest zero-day attack.

fig9_0.png
Figure 7. Parent group sharing zero-day exploit

Conclusion
Operation CloudyOmega was launched by an attack group that has communication channels with other notorious attack groups including Hidden Lynx and the group responsible for LadyBoyle. CloudyOmega has been in operation since 2011 and is persistent in targeting Japanese organizations. With the latest attack employing a zero-day vulnerability, there is no indication that the group will stop their activities anytime soon. Symantec Security Response will be keeping a close eye on the CloudyOmega group.

Protection summary
It is highly recommended that customers using Ichitaro products apply any patches as soon as possible.

Symantec offers the following protection against attacks associated with Operation CloudyOmega:

AV

IPS

When tech support scams meet Ransomlock

      No Comments on When tech support scams meet Ransomlock
A technical-support phone scam uses Trojan.Ransomlock.AM to lock the user’s computer and trick them into calling a technical help phone number to resolve the issue.

Ransomlock 1.jpg

What’s true for businesses is also true for scams and malware, to remain successful they must evolve and adapt. Sometimes ideas or methods are borrowed from one business model and used in another to create an amalgamation. After all, some of the best creations have come about this way; out of ice-cream and yogurt was born delicious frogurt, and any reputable hunter of the undead will tell you the endless benefits of owning a sledge saw. Cybercriminals responsible for malware and various scams also want their “businesses” to remain successful and every now and again they too borrow ideas from each other. We recently came across an example of this when we discovered a technical-support phone scam that uses a new ransomware variant (Trojan.Ransomlock.AM) that locks the user’s computer and tricks them into calling a phone number to get technical help to resolve the issue.

A game of two halves:

Ransomware

Ransomware can be divided into two main categories: Ransomware that simply locks the compromised computer’s screen (Trojan.Ransomlock), and ransomware that encrypts files found on the compromised computer (Trojan.Ransomcrypt, Trojan.Cryptowall, Trojan.Cryptolocker etc.).

This year we’ve observed a major role reversal in the ransomware landscape with the cryptomalware variants overtaking the ransomlock variants in prevalence. Ransomlock variants may have lost the lead to cryptomalware variants, but they are by no means out of the game and from time-to-time we do observed newcomers that add a fresh twist to the screen-locking business model.

Ransomlock 2.png

Figure 1. Top ten ransomware detections as of 11-07-14

Technical support scams

Technical support scams are definitely not new and have been around for quite some time now. In these scams, the crooks cold call random people, often claiming to be a well-known software company, and try to convince them that their computers are full of critical errors or malware. The end goal is to get onto the victim’s computer using a remote-access tool in order to convince users of problems, as well as to entice the victim into buying fake repair tools in order to fix the non-existent problems. The Federal Trade Commission states that this type of scam is one of the fastest growing cyberscams and several high-profile arrests have been made in recent times in a crackdown on the cybercriminals responsible. Technical support scams rely on potential victims being cold called and this can mean a lot of work for the scammers; however, some cybercriminals have now overcome this and have figured out a way to get the victims to call them.

When scams merge

We recently came across Trojan.Ransomlock.AM that, like its predecessors, locks the compromised computer’s screen. The locked screen displays a blue screen of death (BSoD) error message, but this is no ordinary BSoD!

In this BSoD, the message claims that the computer’s health is critical and a problem is detected and it asks the user to call a technical support number.

For the sake of research, we made a call to the number to see just what these crooks are up to.

Ransomlock 3 edit.png

Figure 2. Fake BSoD lock screen

According to the support engineer we spoke to, named “Brian,” the technical support company is called “Falcon Technical Support.” Once the number has been called, the scam follows the same modus operandi as most technical support scams; however, the most interesting thing here is the use of ransomware in order to get the user to call the scammers. Once the call has been made, the scammers have everything they need to convince the user their computer is infected with malware…because it is infected with Trojan.Ransomlock.AM.

ransomlock comic edit.png

Figure 3. The scammers get a bright idea

Trojan.Ransomlock.AM

Trojan.Ransomlock.AM has been observed being distributed and bundled with a grayware installer (detected as Downloader). This installer offers to install grayware applications such as SearchProtect and SpeedUPMyPc.

Upon execution, it installs the grayware as advertised but it also drops another file named preconfig.exe, which is the malware installer (detected as Trojan.Dropper). This second installer adds an entry on the infected computer so that when it restarts it will execute the final payload (diagnostics.exe) which is Trojan.Ransomlock.AM.

Trojan.Ransomlock.AM needs an internet connection to perform its dirty deeds. The malware first needs to send information from the compromised computer to the command-and-control (C&C) server, such as the hostname, IP address, screen resolution, and a random number. In exchange, the C&C server sends back the correct size image file to fit the whole screen. The information collected will also give the crooks a useful jump start when trying to convince the user their computer is in trouble, which other technical support scammers do not have. The malware, stolen information, and BSoD lock screen all help to strengthen the scammers’ social-engineering capabilities.

Fortunately, Trojan.Ransomlock.AM was first seen in September and does not have a high prevalence; however, as with any threat, this can quickly change. According to our telemetry, the threat is currently limited to the United States.

Symantec protection

Trojan.Ransomlock.AM is far from the most complex or resilient ransomware we’ve seen and is in fact very simple. The compromised computer may look locked but users can simply follow these steps to unlock the screen:

  1. Simultaneously press the Ctrl+Alt+Delete keys on the keyboard
  2. Open Task Manager
  3. Search for the malware name (it should be diagnostics.exe) and end the process
  4. When the screen is unlocked, go to the registry editor by clicking on the Start button, then Run, and typing REGEDIT
  5. Delete the registry entry HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun”Diagnostics” = “[PATH TO MALWARE]”
  6. You should also delete the file folder from the directory

Users of Symantec products can simply perform a full scan to safely remove Trojan.Ransomlock.AM.

Symantec has the following detections in place to protect against this threat:

Antivirus detections

Symantec advises users to be extra careful when calling or receiving a call from a technical call center. Users should be cautious and always check the company’s identity. If you need assistance with a computer-related issue, contact a reputable bricks-and-mortar computer repair shop or your IT support team if it’s your work computer that is affected. 

OSX.Wirelurker: ???? Mac OS X ??????????????? Apple ????????????

      No Comments on OSX.Wirelurker: ???? Mac OS X ??????????????? Apple ????????????
WireLurker は、侵入先の iOS デバイスから情報を盗み出す可能性があります。

OSXWirelurker 3 edit.png

現在、シマンテックセキュリティレスポンスは OSX.Wirelurker について調査を進めています。WireLurker は、Mac OS X が実行されているコンピュータや iOS デバイスを狙う脅威であり、侵入先の iOS デバイスから情報を盗み出す可能性があります。

OSXWirelurker 1 edit.png

図. Maiyadi App Store

WireLurker は、中国のサードパーティのアプリストア Maiyadi App Store で発見されました。この脅威は海賊版の Mac OS X アプリケーションに仕込まれており、OS X が実行されているコンピュータに、こうした海賊版アプリケーションをダウンロードすると、USB ケーブルで接続されているすべての iOS デバイスに WireLurker が拡散します。そして、たとえ iOS デバイスがジェイルブレイクされていなくても、悪質なアプリケーションがインストールされてしまいます。

シマンテックの保護対策

シマンテック製品は、次の検出定義で WireLurker を検出します。

Mac ユーザーが OSX.Wirelurker などのマルウェアを防ぐためには、次のような方法があります。

  • サードパーティのアプリストアから海賊版の Mac OS X アプリケーションをダウンロードしない。
  • 素性の分からないコンピュータや信頼できないコンピュータに iOS デバイスを接続しない。
  • Mac OS X コンピュータにセキュリティソフトウェアをインストールする。

 

* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。

OSX.Wirelurker: Avoid pirated Mac OS X applications, untrusted Apple computers

      No Comments on OSX.Wirelurker: Avoid pirated Mac OS X applications, untrusted Apple computers

Wirelurker can be used to steal information from compromised iOS devices.

 
Symantec Security Response is currently investigating OSX.Wirelurker, a threat that targets Apple computers runn…

OSX.Wirelurker: Evita aplicaciones piratas de Mac OS X y computadoras Apple poco confiables

      No Comments on OSX.Wirelurker: Evita aplicaciones piratas de Mac OS X y computadoras Apple poco confiables
Wirelurker puede ser usado para robar información de computadoras comprometidas

wirelurker-connect2-re-edit_0.jpg

Symantec Security Response se encuentra investigando actualmente OSX.Wirelurker, una amenaza dirigida a computadoras Apple que corren bajo el sistema operativo Mac OS X y dispositivos Apple con sistema iOS. Wirelurker puede ser utilizado para robar información de los dispositivos iOS que han sido comprometidos.

OSXWirelurker 1 edit.png

Imagen. Tienda Maiyadi App Store

WireLurker fue descubierto en una tienda online china de un tercero, llamada Maiyadi App Store. La amenaza se “troyaniza” en aplicaciones piratas Mac OS X. Una vez que una aplicación pirata se descarga en una computadora que utiliza OS X, Wirelurker se extiende a cualquier dispositivo iOS conectado a dicha máquina mediante un cable USB. Wirelurker puede entonces instalar aplicaciones maliciosas, incluso si al dispositivo no se le ha realizado un jailbreak.

Protección de Symantec

Symantec detecta a Wirelurker como:

Aquí algunos pasos que los usuarios de Mac pueden llevar a cabo para evitar malware como OSX.Wirelurker y reducir los riesgos de infección:

  • No descargar aplicaciones piratas de Mac OS X especialmente de tiendas en línea de terceros.
  • Evitar conectar dispositivos iOS en computadoras desconocidas o poco confiables.
  • Instalar software de seguridad en computadoras Mac OS X, como el nuevo Norton Security que permite proteger en un solo producto laptops y dispositivos móviles.

Spin.com visitors served malware instead of music

      No Comments on Spin.com visitors served malware instead of music
Compromised site sent visitors to Rig exploit kit to infect them with a range of malware including Infostealer.Dyranges and Trojan.Zbot.

Toolbox_concept.png

On October 27, while tracking exploit kits (EKs) and infected domains, Symantec discovered that the popular music news and reviews website spin.com was redirecting visitors to the Rig exploit kit. This exploit kit was discovered earlier this year and is known to be the successor of another once popular EK, Redkit. The Rig EK takes advantage of vulnerabilities in Internet Explorer, Java, Adobe Flash, and Silverlight and was also one of the EKs associated with the askmen.com compromise back in June.

At the time of writing, the spin.com website was no longer compromised. However, spin.com is a popular site in the US, according to Alexa, so the attackers could have potentially infected a substantial amount of users’ computers with malware during the time the site was compromised. The number of potential victims could grow substantially depending on the length of time the website was redirecting visitors to the EK prior to our discovery. Our data shows that the attack campaign mainly affected spin.com visitors located in the US.

Fig1.png
Figure 1. Symantec telemetry shows visitors based in the US were most affected by spin.com compromise

How the attack worked
The attackers injected an iframe into the spin.com website, which redirected users to the highly obfuscated landing page of the Rig EK.

Fig2_13.png
Figure 2. Injected iframe on compromised spin.com website

When the user arrives on the landing page, the Rig EK checks the user’s computer for driver files associated with particular security software products. To avoid detection, the EK avoids dropping any exploits if the security software driver files are present.

Fig3_0.PNG
Figure 3. Rig EK searches for driver files used by security software products

The EK then looks for particular installed plugins and will attempt to exploit them accordingly. In the recent compromise, the Rig EK took advantage of the following vulnerabilities:

Upon successfully exploiting any of these vulnerabilities, a XOR-encrypted payload is downloaded onto the user’s computer. The Rig EK may then drop a range of malicious payloads such as downloaders and information stealers including banking Trojan Infostealer.Dyranges, and the infamous Trojan.Zbot (Zeus).

Symantec protection
Symantec has detections in place to protect against the Rig EK and the vulnerabilities exploited by it, so customers with updated intrusion prevention and antivirus signatures were protected against this attack. Users should also ensure that they update their software regularly to prevent attackers from exploiting known vulnerabilities. Symantec provides the following comprehensive protection to help users stay protected against the Rig EK and the malware delivered by it in this recent website compromise:

Intrusion prevention

Antivirus

Scammers pose as company execs in wire transfer spam campaign

      No Comments on Scammers pose as company execs in wire transfer spam campaign

Innocent-looking payment requests could result in financial loss for companies as finance department employees targeted with fraudulent emails.
Read more…