Contributor: Lionel Payet
Back in June we discovered a malicious Android application that was holding user’s Android phones for ransom. This discovery confirmed earlier predictions that ransomware would evolve and arise on new platforms, such as …
Hello, welcome to this month’s blog on the Microsoft patch release. This month the vendor is releasing thirteen bulletins covering a total of 47 vulnerabilities. Thirteen of this month’s issues are rated ’Critical’.
As always, customers are advised to follow these security best practices:
Microsoft’s summary of the September releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms13-Sep
The following is a breakdown of the issues being addressed this month:
MS13-068 Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (2756473)
Message Certificate Vulnerability (CVE-2013-3870) MS Rating: Critical
A remote code execution vulnerability exists in the way that Microsoft Outlook parses specially crafted S/MIME email messages. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
MS13-069 Cumulative Security Update for Internet Explorer (2870699)
Internet Explorer Memory Corruption Vulnerability (CVE-2013-3201) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2013-3202) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2013-3203) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2013-3204) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2013-3205) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2013-3206) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2013-3207) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2013-3208) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2013-3209) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2013-3845) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
MS13-067 Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2834052)
SharePoint Denial of Service Vulnerability (CVE-2013-0081) MS Rating: Important
A denial of service vulnerability exists in Microsoft SharePoint Server. An attacker who successfully exploited this vulnerability could cause the W3WP process on an affected version of SharePoint Server to stop responding, causing the SharePoint site, and any other sites running under that process, to become unavailable until the process is restarted.
MAC Disabled Vulnerability (CVE-2013-1330) MS Rating: Critical
A remote code execution vulnerability exists in the way SharePoint Server handles unassigned workflows. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the W3WP service account.
SharePoint XSS Vulnerability (CVE-2013-3179) MS Rating: Important
An elevation of privilege exists in Microsoft SharePoint Server. An attacker who successfully exploited this vulnerability could allow an attacker to perform cross-site scripting attacks and run script in the security context of the logged-on user.
POST XSS Vulnerability (CVE-2013-3180) MS Rating: Important
An elevation of privilege exists in Microsoft SharePoint Server. An attacker who successfully exploited this vulnerability could allow an attacker to perform cross-site scripting attacks and run script in the security context of the logged-on user.
MS13-072 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2845537)
XML External Entities Resolution Vulnerability (CVE-2013-3160) MS Rating: Important
An information disclosure vulnerability exists in the way that Microsoft Word parses specially crafted XML files containing external entities.
Word Memory Corruption Vulnerability (CVE-2013-3847) MS Rating: Important
A remote code execution vulnerability exists in the way that affected Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Word Memory Corruption Vulnerability (CVE-2013-3848) MS Rating: Important
A remote code execution vulnerability exists in the way that affected Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Word Memory Corruption Vulnerability (CVE-2013-3849) MS Rating: Important
A remote code execution vulnerability exists in the way that affected Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Word Memory Corruption Vulnerability (CVE-2013-3850) MS Rating: Important
A remote code execution vulnerability exists in the way that affected Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Word Memory Corruption Vulnerability (CVE-2013-3851) MS Rating: Important
A remote code execution vulnerability exists in the way that affected Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Word Memory Corruption Vulnerability (CVE-2013-3852) MS Rating: Important
A remote code execution vulnerability exists in the way that affected Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Word Memory Corruption Vulnerability (CVE-2013-3853) MS Rating: Important
A remote code execution vulnerability exists in the way that affected Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Word Memory Corruption Vulnerability (CVE-2013-3854) MS Rating: Important
A remote code execution vulnerability exists in the way that affected Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Word Memory Corruption Vulnerability (CVE-2013-3855) MS Rating: Important
A remote code execution vulnerability exists in the way that affected Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Word Memory Corruption Vulnerability (CVE-2013-3856) MS Rating: Important
A remote code execution vulnerability exists in the way that affected Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Word Memory Corruption Vulnerability (CVE-2013-3857) MS Rating: Important
A remote code execution vulnerability exists in the way that affected Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Word Memory Corruption Vulnerability (CVE-2013-3858) MS Rating: Important
A remote code execution vulnerability exists in the way that affected Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
MS13-074 Vulnerabilities in Microsoft Access Could Allow Remote Code Execution (2848637)
Access Memory Corruption Vulnerability (CVE-2013-3155) MS Rating: Important
A remote code execution vulnerability exists in the way that Microsoft Access parses content in Access files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Access Memory Corruption Vulnerability (CVE-2013-3156) MS Rating: Important
A remote code execution vulnerability exists in the way that Microsoft Access parses content in Access files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Access Memory Corruption Vulnerability (CVE-2013-3157) MS Rating: Important
A remote code execution vulnerability exists in the way that Microsoft Access parses content in Access files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
MS13-073 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2858300)
Microsoft Office Memory Corruption Vulnerability (CVE-2013-1315) MS Rating: Important
A remote code execution vulnerability exists in the way that Microsoft Excel parses content in Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Microsoft Office Memory Corruption Vulnerability (CVE-2013-3158) MS Rating: Important
A remote code execution vulnerability exists in the way that Microsoft Excel parses content in Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
XML External Entities Resolution Vulnerability (CVE-2013-3159) MS Rating: Important
An information disclosure vulnerability exists in the way that Microsoft Excel parses specially crafted XML files containing external entities.
MS13-071 Vulnerability in Windows Theme File Could Allow Remote Code Execution (2864063)
Windows Theme File Remote Code Execution Vulnerability (CVE-2013-0810) MS Rating: Important
A remote code execution vulnerability exists in the way Windows handles certain specially crafted Windows theme files. This vulnerability could allow an attacker to execute arbitrary code if the attacker convinces a user to apply a specially crafted Windows theme. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
MS13-077 Vulnerability in Windows Service Control Manager Could Allow Elevation of Privilege (2872339)
Service Control Manager Double Free Vulnerability (CVE-2013-3862) MS Rating: Important
A vulnerability exists in the way that the Windows Service Control Manager (SCM) handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
MS13-070 Vulnerability in OLE Could Allow Remote Code Execution (2876217)
OLE Property Vulnerability (CVE-2013-3863) MS Rating: Important
A vulnerability exists in OLE that could lead to remote code execution if a user opens a file that contains a specially crafted OLE object. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
MS13-078 Vulnerability in FrontPage Could Allow Information Disclosure (2825621)
XML Disclosure Vulnerability (CVE-2013-3137) MS Rating: Important
An information disclosure vulnerability exists in FrontPage that could allow an attacker to disclose the contents of a file on a target system.
MS13-075 Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege (2878687)
Chinese IME Vulnerability (CVE-2013-3859) MS Rating: Important
An elevation of privilege vulnerability exists in Office IME (Chinese) that could allow a low-privilege user to elevate their privileges.
MS13-076 Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege (2876315)
Win32k Multiple Fetch Vulnerability (CVE-2013-1341) MS Rating: Important
An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could gain elevated privileges and read arbitrary amounts of kernel memory.
Win32k Multiple Fetch Vulnerability (CVE-2013-1342) MS Rating: Important
An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could gain elevated privileges and read arbitrary amounts of kernel memory.
Win32k Multiple Fetch Vulnerability (CVE-2013-1343) MS Rating: Important
An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could gain elevated privileges and read arbitrary amounts of kernel memory.
Win32k Multiple Fetch Vulnerability (CVE-2013-1344) MS Rating: Important
An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could gain elevated privileges and read arbitrary amounts of kernel memory.
Win32k Multiple Fetch Vulnerability (CVE-2013-3864) MS Rating: Important
An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could gain elevated privileges and read arbitrary amounts of kernel memory.
Win32k Multiple Fetch Vulnerability (CVE-2013-3865) MS Rating: Important
An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could gain elevated privileges and read arbitrary amounts of kernel memory.
Win32k Elevation of Privilege Vulnerability (CVE-2013-3866) MS Rating: Important
An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could gain elevated privileges and read arbitrary amounts of kernel memory.
MS13-079 Vulnerability in Active Directory Could Allow Denial of Service (2853587)
Remote Anonymous DoS Vulnerability (CVE-2013-3868) MS Rating: Important
A denial of service vulnerability exists in implementations of Active Directory that could cause the service to stop responding until an administrator restarts the service. The vulnerability is caused when the LDAP service fails to handle a specially crafted query.
More information on the vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.
寄稿: Binny Kuriakose
シリア危機を私利私欲のために悪用するスパムが後を絶ちません。赤十字社から送信されたように偽装した詐欺メッセージを利用するほか、シリアのニュースを扱った電子メールも悪用されています。スパマーは、ランダムな URL を含む悪質なメッセージを仕掛けて、危殆化した悪質な Web サイトにユーザーを誘い込もうとします。この Web サイトには不明瞭化された JavaScript コードがホストされており、そのコードによってトロイの木馬 Downloader.Ponik がダウンロードされます。
Downloader.Ponik が実行されると、以下のファイルが作成されます。
これらのファイルが、ペイロードである悪質な実行可能ファイルをインジェクトすると、攻撃者はパスワードや重要な情報を盗み出せるようになります。
電子メールの件名は、メッセージの本文とまったく無関係な内容です。
Completed: Please DocuSign this document : Confidential Company Agreement 2013..pdf(完了: この文書に DocuSign で署名してください: Confidential Company Agreement 2013..pdf)
電子メールの本文には以下のようなデータが含まれ、「http://xxxxx.xxx.xx/xxxxx/index.html」というパターンで URL が埋め込まれています。
図 1. スパムメールの内容
ほとんどの攻撃で悪用されているのは、ユーザーのコンピュータでまだ更新されていない、またはパッチが適用されていない脆弱性です。ソフトウェアとウイルス対策定義は常に最新の状態に保つことをお勧めします。また、疑わしいリンクをクリックしたり、送信元の不明なファイルを開いたりしないようにしてください。
シマンテックでは、スパマーから送信されるこのような攻撃から保護するために、定期的にセキュリティ更新を提供しています。
* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。
8 月といえば、世界中の多くの人々が仕事の手をいったん休め、休暇を過ごす時期でしょう。しかし、日本でワンクリック詐欺アプリを開発している詐欺師たちにとっては、8 月こそが繁忙期だったようです。この月、詐欺師たちは生産性を大きく伸ばし、1,000 個近くの詐欺アプリを Google Play に公開しました。Google Play に表示されている統計データによると、騙されてしまった Android デバイスユーザーが、詐欺アプリを少なくとも累計 8,500 回ダウンロードしています。実際の数字はおそらくそれよりもはるかに多く、10,000 回以上ダウンロードされているものと思われます。
図 1. 8 月中 1 日あたりに公開された詐欺アプリ数
1 月から 8 月末までに公開されたワンクリック詐欺アプリ数は合計で約 2,500 個です。しかも、詐欺師たちがその手を緩める兆しは一向に見えません。これまでと同様に、8 月に公開された詐欺アプリの大半は、翌朝にはストアから削除され、一晩しか持ちませんでした。それでも、詐欺師たちにとっては、ダウンロード数を稼ぐのに十分な時間のようです。詐欺アプリはたいてい、オフィスでの作業時間が終わると思われる毎日午後に公開されます。週末にかけて公開されれば、詐欺アプリが生き残る可能性も高くなるのに加え、運が良ければ数日間もサイト上に残り、多くのダウンロード数を稼ぐものもあります。
図 2. 月間の詐欺アプリ公開数
7 月と同じく、8 月にも新しいタイプのワンクリック詐欺アプリが登場しています。採用されている戦略はさまざまですが、いずれの亜種もそれほどの成功を収められずに短期間で姿を消しています。興味深いことに、アプリを公開している詐欺師たちの 97 % が同じグループに所属しています。
図 3. 8 月に公開された詐欺アプリの亜種
最新型の亜種のうち、ダウンロード数は限られているものの、Google Play でうまく生き残ったものが 1 つあります。この詐欺アプリには、さまざまなアダルト関連サイトへのリンクが仕込まれていますが、そのうち 1 つか 2 つは実際には詐欺サイトにつながっており、有料サービスに適切に登録しないままに料金を支払うようユーザーを騙そうとします。たいてい、こうした詐欺サイトではアダルト動画を見るための料金と称して 10 万円程度要求されますが、これは合法的なサービスの平均よりもはるかに高い金額です。この詐欺アプリは、他の合法的なリンクの中に悪質なリンクを紛れ込ませることで、セキュリティチェックに見つからないように偽装します。この悪質なリンクは、リダイレクタ URL に誘導され、リダイレクタで指定されているサイトを開くようにアプリに指示します。そのため、悪質な活動に関係していると疑われても、詐欺師たちは、詐欺アプリが最終的にどこに誘導されるかをサーバー側で簡単に変更することができます。
詐欺アプリの動作は、次のとおりです。
図 4. 詐欺アプリ
アプリストアではアプリを簡単に検索してダウンロードすることができますが、騙されて不正なアプリをダウンロードしてしまうリスクが常に伴います。確実に信頼できるアプリのみをインストールするようにしてください。デバイスを保護するためにノートン モバイルセキュリティを使用することをお勧めします。シマンテック製品では、このブログで説明した詐欺アプリは Android.Oneclickfraud として検出されます。
* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。
For many of us around the globe, August may be a month to take a bit of a break from work and go on a summer holiday. In contrast, August appears to the busiest month of the year for the scammers developing Japanese one-click fraud apps. They have incr…
Contributor: Binny Kuriakose
Spammers continue to leverage the crisis in Syria for their personal gain. Besides taking advantage of a scam message that claimed to be from The Red Cross, spammers are now taking advantage of emails about the news in Syri…
標的型攻撃は日常的に発生するようになり、攻撃者は最新のニュース記事をすぐさまソーシャルエンジニアリングの材料として利用しています。最近確認された標的型攻撃は、ペイロードとして Backdoor.Korplug を送信するもので、Symantec.cloud サービスで捕捉されました。この攻撃では、シリアでの化学兵器使用疑惑に関連して最近ワシントンポスト紙に掲載された記事が利用されています。攻撃者は、この記事の全文を悪質な文書に利用していますが、これは被害者を騙して、あたかも正規の文書であるかのように思わせることが目的です。
図 1. 記事を盗用した悪質な文書の一部
この攻撃は、Backdoor.Korplug による標準的な手口に従っています。以前のブログでお伝えしたように、「Microsoft Internet Explorer に存在する解放後使用のリモートコード実行の脆弱性」(CVE-2013-2551、Bloodhound.Exploit.497)を含む悪質な .doc ファイルを電子メールで標的に送り付ける手口です。
図 2. シリアでの化学兵器使用疑惑に関する報道を悪用した標的型攻撃の電子メールの例
シマンテックは、今回のブログで解説したような新しい脅威やそれに類似した脅威について監視を続けます。疑わしい電子メールはそもそも開封しないことをお勧めします。また、いつものことですが、このような攻撃から保護するために、シマンテックの最新技術をお使いいただき、シマンテックのコンシューマ向けまたはエンタープライズ向けの最新ソリューションを導入してください。
* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。
Targeted attacks are a daily occurrence and attackers are fast to employ the latest news stories in their social engineering themes. In a recent targeted attack, delivering a payload of Backdoor.Korplug and caught by our Symantec.cloud services, we obs…
寄稿: Roberto Sponchioni
シマンテックセキュリティレスポンスは最近、Alusinus という新しいリモートアクセスツール(RAT)を発見しました(Backdoor.Alusins として検出されます)。これは、スペイン語圏のアンダーグラウンド向けのプログラムで、ビルダー自体はいくつかの標準機能を備えた単純なものですが、その中に興味深く、特筆に値する機能が 1 つあります。このビルダー機能により、Backdoor.Alusins は検出をすり抜けやすくするために、calc.exe、svchost.exe、notepad.exe といった正常なプロセスに自身をインジェクトすることができます。
図 1. Backdoor.Alusins のコントロールパネル – ユーザー名、コンピュータ名、ウイルス対策やファイアウォールの情報が攻撃者に報告される
リアルタイムのデスクトップ監視
攻撃者は、Backdoor.Alusins を使って、被害者のデスクトップを表示し、ユーザーの活動をリアルタイムで監視することができます。
図 2. 侵入先のコンピュータのデスクトップ表示
Web カメラの監視
また、リアルタイムで Web カメラの動作の監視とキャプチャが可能です。
図 3. Web カメラのセッション
キーロガー機能
さらに、Backdoor.Alusins には、ログイン情報などを盗み出すために、侵入先のコンピュータ上のキーストロークをリアルタイムで監視する機能もあります。
図 4. キーロガー
迷惑行為
攻撃者は、この RAT を使って、システムエラーメッセージをカスタマイズして被害者に直接メッセージを送ることができます。このメッセージ送信機能によって、悪質ないたずらやリモートからの迷惑行為が引き起こされる恐れがあります。攻撃者はいつでも、被害者に煩わしいメッセージやポップアップを送信し、同時に Web カメラを通じて被害者の反応を観察できるからです。このツールの作成者は、対話型のオンライン詐欺を想定してこの機能を実装した可能性もあります。
図 5. 侵入先のコンピュータで任意のエラーメッセージを表示できる
加えて、Backdoor.Alusins を使えば攻撃者は侵入先のコンピュータで以下の処理を実行することも可能です。
Backdoor.Alusins はそれほど普及している RAT ではなく、スペイン語圏のハッカー層を対象としていますが、それに限定されるものではありません。シマンテックは、このバックドアビルダーとバックドアを Backdoor.Alusins として検出します。
この RAT やその他の脅威から保護するために、ウイルス対策定義、オペレーティングシステム、およびソフトウェアを常に最新の状態に保つようにしてください。
* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。
Contributor: Roberto Sponchioni
Symantec Security Response has recently come across a new remote administration tool (RAT) called Alusinus, which we detect as Backdoor.Alusins. The program was intended for the Spanish speaking underground and the buil…