Numerous reports are circulating on the Internet about an unknown, actively exploited zero-day vulnerability in "Adobe Reader". These reports deserve attention because the exploit reportedly includes the ability to bypass Adobe's "sandbox" security feature, so users naturally need to be careful. The situation is not without a remedy, however.
Since a new zero-day vulnerability targeting Java came to light, the security industry has been watching it closely. The zero-day appears to have been adapted from a Chinese attack toolkit ("Gondad" or "KaiXin") used in the targeted attacks of the espionage-focused "Nitro" campaign, and it went on to play a part in cybercriminal activity using the "BlackHole Exploit Kit". Although links between the developers of these toolkits are starting to emerge, keep in mind that this does not mean the Nitro activity has resurfaced: targeted attack campaigns such as Nitro never went away. The Nitro attackers have been active continuously since their malicious activity was reported in 2011.
At the end of August 2012, an unpatched vulnerability, CVE-2012-4681 (JVNTA12-240A), in Oracle Java 7 "Java Runtime Environment (JRE) 7 Update 6, build 1.7x" was confirmed to have been exploited by a malicious JAR file embedded in certain sites. When the malicious JAR file exploits this vulnerability, the victim is ultimately led to download a backdoor, which effectively lets a remote malicious user execute commands of their choosing on the affected computer.
The exploit code for this zero-day runs on all versions of Internet Explorer (IE), Firefox and Opera. According to verification by Metasploit, it is also reported to run on Google Chrome and Safari.
It is common knowledge that Apple products enjoy enormous popularity today; every release is covered in the news beforehand and greeted with fanfare on launch day. The next OS the company announced last month, "Mac OS X Mountain Lion", is no exception. The OS itself is scheduled to ship toward the end of summer 2012, but the media have already reported on its features.
One feature attracting attention in the Mountain Lion release information is "Gatekeeper". It takes a whitelisting approach to avoiding downloads of malicious apps: it restricts which applications may run according to where they were downloaded from. The download-source restriction can be set to one of the following three levels.
TrendLabs has observed over the past several years that client-side software has become a favorite target of attackers exploiting vulnerabilities. In 2011, threats involving vulnerability exploitation became even more complex and sophisticated. TrendLabs also observed a growing number of cases in which zero-day vulnerabilities were exploited, some of them particularly severe. Specifically, the following vulnerabilities were confirmed to have been exploited worldwide.
I’m writing this post to let you know about targeted attacks we’re facing in Europe, especially in Italy.
The “Italian Job” (a.k.a. Linkoptimizer, a.k.a. Gromozon) appears to be orchestrated by a well-organized gang that uses several aliases to avoid recognition, but in the end it all comes back to the same malware chain.
An infection by Linkoptimizer can be triggered by:
- A downloaded malware file using attractive filenames such as “www.google.com” or “www.sport.com”
- A Trojanised WMF File (Downloader)
- ActiveX/OCX File (dropper)
- ByteVerify (Java exploit)
The downloaded malware, when executed, installs:
- A rootkit
- Various files hidden through ADS (Alternate Data Streams)
- Random files encrypted using EFS
- Linkoptimizer (hidden by a rootkit)
Once you are infected, Linkoptimizer downloads other Trojans and adware, installs other spyware applications, and pops up several IE pages that redirect users to other malicious websites. With all of these installed, the machine is nearly unusable and really tough to clean up. It is easy to find a machine infected by Linkoptimizer hosting more than 10 or 20 different malware samples.
The websites hosting these malicious files are constantly updated and add new content very quickly. Because of this, we are seeing many different versions of the same malware.
Here are some of the malware families involved:
- TROJ_LINKOPTI
- TROJ_AGENT
- TROJ_SMALL.Y
- TROJ_CLICKER
- TROJ_DROPPER
- TROJ_DLOADER
- TROJ_SPABOT
- TROJ_SPYWAD
- DIAL_DIAMIN
- DIAL_ADDIAL
- ADW_SMALL
- ADW_SYSTEMDOCT
You may ask why this threat is typically localized to Italy. The primary reason is that most of the malicious websites use Italian keywords. A simple Google search using Italian words can easily bring you to a malicious website.
Cleaning up this malware infestation is a difficult, if not impossible, task, thanks to the installed rootkit, which hides all the other malware files. Once the rootkit is disabled, you can start cleaning up the malware files, but because the malware is constantly updated or modified, the cleanup is tougher still. An additional measure is a URL filtering solution that blocks the known malicious websites and prevents further infection through them.
Italian .bizness
While struggling with Linkoptimizer, Italy is being harassed yet again by another menace, dubbed the “Italian .Bizness”, a.k.a. TROJ_AGENT.HDX.
It arrives by email, in Italian, asking you to download a removal tool to clean up your machine. The message body contains an HTTP link that uses a .biz domain, hence the nickname.
Below is the English translation of the email text:
I am not an expert in this matter, anyway our technician states that those “e-mails” from you Are not made on purpose but can be caused by a virus. Moreover he say that it is possible to remove this worm with the AV program that you can download from the following address: http://www.spyware<BLOCKED>smasher.biz
I don’t have the knowledge nor the time to verify if this hypothesis is correct but I must “legally warn” you from keeping on sending undesired e-mails to my working e-mail. If I will receive again JUST A SINGLE MESSAGE of this kind, I will proceed with a legal action without any notice.
Stop sending or if it is a virus worm remove it immediately since probably I am not the only one receiving this trash from you.
I remind you that the police have the instruments to trace the real identity of the owner of an e-mail address even if registered with a fantasy name or international registration. So don’t think you can continue to infect my mail box with this kind of things.
Waiting for your kind reply,
This is a clever use of social engineering, employing the “scare tactic” quite well.
Clicking on the link directs you to a webpage asking the user to download a removal tool. The download link is quite hard to miss; it is advertised by a green button. The so-called “removal tool” (filename removal_tool.exe) uses an icon that makes it all the more attractive.
Once the malware (the ‘removal tool’) is executed, it drops a DLL file, webdesk.dll, in the Windows system32 folder and installs it as a BHO (Browser Helper Object).
The files removal_tool.exe and webdesk.dll are detected as TROJ_AGENT.HDX and can be cleaned up using our latest DCT.
The emails being spammed also advertise other URLs, such as:
- http://www.privacy<BLOCKED>wall.biz
- http://www.notmore<BLOCKED>spyware.biz
- http://www.spyware<BLOCKED>executioner.biz
- http://www.kill<BLOCKED>malaware.biz
- http://www.pc-<BLOCKED>protector.biz
- http://www.spyware<BLOCKED>smasher.biz
- http://www.safe<BLOCKED>master.biz
- http://www.watchware<BLOCKED>murderer.biz
- http://www.adware<BLOCKED>zap.biz
- http://www.nowim<BLOCKED>protected.biz
- http://www.SpyStuff<BLOCKED>Killer.biz
- http://www.adware<BLOCKED>wipe.biz
- http://www.safe<BLOCKED>master.biz
- http://www.myclean<BLOCKED>pc.biz
- http://www.TenKiller<BLOCKED>Direct.biz
- http://www.watchare<BLOCKED>assassin.biz
- http://www.free-spyware-<BLOCKED>killer-software.biz
- http://www.spyware<BLOCKED>murderer.biz
There are probably many other websites hosting these malicious files. Most of these websites point to the same IP address, hosted in Russia.
A peculiar characteristic of these websites is that they can only be accessed from Italy: not from an Italian Windows system, but geographically from Italy. Even using an Italian DNS server or proxy, you won’t be able to connect to these sites from another country.
Both of these local outbreaks are specifically targeted at Italy. I guess several groups working in concert are involved here: one sub-group created the websites as fast as we can send an SMS, another created the malware, another spams the emails and another hosts the bot network for sending spam.
Say you are a new hire at a company. Your boss asks you to develop a well-researched and well-documented company policy on, for example, employee travel. More often than not, you will start off with a Google search. And that is exactly what you do: open Google and type in “travelpolicy”. This is the result:
You don’t choose the first hit simply because you see it’s a .GOV site, and information found on .GOV sites may seem too lengthy for your objectives. You just need a simple do-it-yourself tutorial on how to create and implement a travel policy guide for your business, which is exactly the description of the second hit, circled in the above image. So you click on it.
And then the site opens…
It seems the site is taking a long time to download images and content. So you wait… and wait… And when you notice that it’s taking forever for the site to finish loading, you close the window and move on to other sites that can offer the information you need.
End of story?
Not quite.
As you waited for the site to load completely, something was already happening, unobserved, in the background…
The site, www.travelpolicy.com, has an IFRAME at the very top that leads you to 81.95.146.98/index.html. The index.html file contains a script that exploits the Microsoft Internet Explorer (MDAC) remote code execution vulnerability described in MS06-014. The original exploit code has also been modified in an attempt to bypass AV scanners that detect the original code.
It sure is nasty! An executable file, win.exe, is downloaded to your system and executed. This file is actually a backdoor with rootkit features, a variant of the notorious family of backdoor rootkits known as Haxdoor!
So what happens next? Well… you can actually see the following files suddenly added to your System32 directory in Windows:
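The drive-by described above starts with an IFRAME that points off-site to a bare IP address. The following added example (not code from the original post or from Trend Micro) shows a defender-side check for that pattern: it parses a page's `<iframe>` tags and flags frames whose source is another host, a bare IP literal, or a zero-sized or CSS-hidden frame. The sample HTML and the host name `www.example.com` are constructed for the example, and `192.0.2.10` is a documentation address, not the IP from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value) pairs; value may be None
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def is_ip_literal(host):
    """True if the host part of a URL is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_iframes(html, page_host):
    """Return the iframes that carry drive-by warning signs, with the reasons."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "").strip()
        reasons = []
        # A relative src stays on the page's own origin; only a src with a
        # scheme or a protocol-relative prefix names another host.
        host = ""
        if "://" in src or src.startswith("//"):
            host = (urlparse(src).hostname or "").lower()
        if host and host != page_host.lower():
            reasons.append("off-site source")
        if is_ip_literal(host):
            reasons.append("bare IP host")
        width = attrs.get("width", "").strip()
        height = attrs.get("height", "").strip()
        if width in {"0", "1"} or height in {"0", "1"}:
            reasons.append("zero/one-pixel frame")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample page: the first frame mimics the pattern described in
# the post (bare IP, zero-sized), the second is an ordinary same-site widget,
# the third is a visible third-party embed.
SAMPLE_HTML = """<html><body>
<iframe src="http://192.0.2.10/index.html" width="0" height="0"></iframe>
<h1>Travel policy guide</h1>
<iframe src="/widgets/weather.html" width="300" height="100"></iframe>
<iframe src="https://maps.example.net/embed" width="400" height="300"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

Run against the sample, the first frame is reported with three reasons and the third-party map embed with one ("off-site source"); the latter is a prompt to review, not proof of compromise, which is why the function returns reasons rather than a verdict.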
kgctini.dat
klo5.sys
lps.dat
yvpp01.dll
yvpp02.sys
You’ll also see a newly added Registry key with numerous data entries subverting WinLogon:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yvbb01
The following services will also be added:
NAME: yvbb01
DISPLAY: Miniport FT32
STATUS: SERVICE_RUNNING
FILE: C:\WINDOWS\System32\yvbb01.sys
NAME: yvbb02
DISPLAY: Miniport FT
STATUS: SERVICE_RUNNING
FILE: C:\WINDOWS\System32\yvbb02.sys
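The files, the Winlogon Notify key and the two services above are the tell-tale signs of this Haxdoor variant. The following added example (not code from the original post or from Trend Micro) turns them into a small indicator check: it parses a service listing in the NAME:/DISPLAY:/STATUS:/FILE: layout shown above, then matches file names, Winlogon Notify subkeys and service names against the indicators from the post. The sample export (including the benign `kernel32.dll`, `scecli` and `Dnscache` entries) is constructed for the example.

```python
import re

# Indicators exactly as listed in the post: dropped files, the Winlogon
# Notify subkey and the two services (with their driver files).
IOC_FILES = {"kgctini.dat", "klo5.sys", "lps.dat", "yvpp01.dll", "yvpp02.sys",
             "yvbb01.sys", "yvbb02.sys"}
IOC_SERVICES = {"yvbb01", "yvbb02"}
IOC_NOTIFY_SUBKEYS = {"yvbb01"}
WINLOGON_NOTIFY = "hklm\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\"

RECORD_FIELD = re.compile(r"^\s*(NAME|DISPLAY|STATUS|FILE):\s*(.*?)\s*$")


def parse_services(text):
    """Parse NAME:/DISPLAY:/STATUS:/FILE: records into one dict per service."""
    services, current = [], {}
    for line in text.splitlines():
        match = RECORD_FIELD.match(line)
        if not match:
            continue
        field, value = match.group(1).lower(), match.group(2)
        if field == "name" and current:  # a new NAME: line starts the next record
            services.append(current)
            current = {}
        current[field] = value
    if current:
        services.append(current)
    return services


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_indicators(system32_files, registry_keys, services_text):
    """Return (category, detail) tuples for every indicator match."""
    findings = []
    for path in system32_files:
        if basename(path) in IOC_FILES:
            findings.append(("file", path))
    for key in registry_keys:
        lowered = key.lower()
        if lowered.startswith(WINLOGON_NOTIFY) and \
                lowered[len(WINLOGON_NOTIFY):] in IOC_NOTIFY_SUBKEYS:
            findings.append(("registry", key))
    for svc in parse_services(services_text):
        name = svc.get("name", "")
        if name.lower() in IOC_SERVICES or basename(svc.get("file", "")) in IOC_FILES:
            findings.append(("service", name))
    return findings


# Constructed sample export: the indicators from the post mixed with benign entries.
SAMPLE_FILES = [
    r"C:\WINDOWS\System32\kernel32.dll",
    r"C:\WINDOWS\System32\klo5.sys",
    r"C:\WINDOWS\System32\yvpp01.dll",
]
SAMPLE_KEYS = [
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\scecli",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yvbb01",
]
SAMPLE_SERVICES = """NAME: Dnscache
DISPLAY: DNS Client
STATUS: SERVICE_RUNNING
FILE: C:\\WINDOWS\\System32\\svchost.exe
NAME: yvbb01
DISPLAY: Miniport FT32
STATUS: SERVICE_RUNNING
FILE: C:\\WINDOWS\\System32\\yvbb01.sys
NAME: yvbb02
DISPLAY: Miniport FT
STATUS: SERVICE_RUNNING
FILE: C:\\WINDOWS\\System32\\yvbb02.sys
"""

if __name__ == "__main__":
    for category, detail in find_indicators(SAMPLE_FILES, SAMPLE_KEYS, SAMPLE_SERVICES):
        print(f"{category:8} {detail}")
```

Because the rootkit hides its files from a live system, the listings fed to this check should come from an offline source (a boot from clean media or a forensic image) rather than from the infected machine's own directory listing.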
If you have all of these on your system, cleaning them up will surely be hell, especially with rootkits! But it’s a good thing you don’t have these tell-tale signs of a drive-by-download backdoor rootkit infection. It’s a good thing that your system is not compromised with a stealthy backdoor that can allow remote malicious hackers to do almost anything with your computer and your files…
You simply don’t have to worry, because none of this happened. At the first click on the travelpolicy.com site, Trend Micro already flagged a detection of HTML_DLOADER.BHF, so the download and execution of the backdoor rootkit and its other malicious components, which by the way are detected by Trend as BKDR_HAXDOOR.JG, will not occur. You were actually protected from this threat. It was just a bad dream, a nightmare. You were actually safe.
Everything is secure. It’s a good thing you are using Trend Micro.
NOTE: The above malicious URL was still live at the time of this posting. Google has already been notified, and we hope the site will be taken down immediately. In the meantime, we strongly advise users to stay clear of this site.