In the Microsoft security update release published on April 15, 2015, "Microsoft Security Bulletin Summary for April 2015", four vulnerabilities were rated "Critical". For one of those "Critical" items, "MS15-034 Vulnerability in HTTP.sys Could Allow Remote Code Execution (3042553)" (CVE-2015-1635), proof-of-concept (PoC) code capable of forcibly shutting down a web server together with its operating system (OS) was published almost immediately. Because this PoC makes the attack very easy to carry out and is therefore highly dangerous, administrators who run and manage websites on affected versions of Windows in particular are advised to apply the update promptly.
In September 2021, Squirrelwaffle emerged as a new loader spread through spam campaigns. The campaign was known for sending its malicious emails as replies to existing email threads, a tactic meant to lower recipients' guard against malicious activity. Trend Micro believes that, to make this possible, the attackers chained exploits for both the "ProxyLogon" and "ProxyShell" vulnerabilities in Microsoft Exchange Server.
Trend Micro's incident response team investigated several Squirrelwaffle-related intrusions that occurred in the Middle East. To confirm whether the exploits above played a part in these attacks, Trend Micro dug into the initial-access techniques used.
This assessment stems from the fact that every intrusion Trend Micro observed originated from an on-premises Microsoft Exchange Server that appeared to be vulnerable to "ProxyLogon" and "ProxyShell". This blog post details the observed initial-access techniques and the early stages of the Squirrelwaffle campaign.
In its regular security bulletins for November 2014, Microsoft published 14 bulletins covering Internet Explorer, Microsoft Office, Microsoft Windows, Microsoft Windows Object Linking and Embedding (OLE), and Microsoft .NET Framework. Of these, 4 were rated "Critical" and 8 were rated "Important". Windows users are advised to review the information and update promptly.
Microsoft has already released its November patch: 6 bulletins that cover 1 zero-day vulnerability, Microsoft XML Core Services Could Allow Remote Code Execution. Below are the details of November’s release:
- MS06-066 – Vulnerabilities in Client Service for NetWare Could Allow Remote Code Execution
- MS06-067 – Cumulative Security Update for Internet Explorer
- MS06-068 – Vulnerability in Microsoft Agent Could Allow Remote Code Execution
- MS06-069 – Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution
- MS06-070 – Vulnerability in Workstation Service Could Allow Remote Code Execution
- MS06-071 – Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution
Click the links above for detailed information on these bulletins.
Say you are a new hire at any company. Your boss asks you to develop a well-researched and well-documented company policy on, say, employee travel. More often than not, you will start off with a Google search. And that is exactly what you do. Open Google and type in “travelpolicy”. This will be the result:
You don’t choose the first hit, simply because you see it’s a .GOV site and information found on .GOV sites may seem too lengthy for your objectives. You just need a simple do-it-yourself tutorial on how to create and implement a travel policy guide for your business – which is exactly the description of the second hit, circled in the image above. So you click on it.
And then the site opens…
It seems the site is taking quite some time to download its images and content. So you wait… And wait… And when you notice that the site is taking forever to finish loading, you close the window and move on to other sites that can offer the information you need.
End of story?
Not quite.
As you waited for the site to completely show up, something was already happening in the background that goes unobserved…
The site, www.travelpolicy.com, has an IFRAME at the very top that loads 81.95.146.98/index.html. That index.html file contains a script that exploits the MS Internet Explorer (MDAC) Remote Code Execution vulnerability described in MS06-014. The original exploit code has also been modified in an attempt to bypass AV scanners that detect the original code.
It sure is nasty! An executable file, win.exe, is downloaded to your system and executed. This file is actually a backdoor with rootkit features, and is a variant of the notorious family of backdoor rootkits known as Haxdoor!
So what happens next? Well… you can actually see the following files suddenly added to your System32 directory in Windows:
kgctini.dat
klo5.sys
lps.dat
yvpp01.dll
yvpp02.sys
You’ll also see a newly added Registry key with numerous values that subvert Winlogon:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yvbb01
The following services will also be added:
NAME: yvbb01
DISPLAY: Miniport FT32
STATUS: SERVICE_RUNNING
FILE: C:\WINDOWS\System32\yvbb01.sys
NAME: yvbb02
DISPLAY: Miniport FT
STATUS: SERVICE_RUNNING
FILE: C:\WINDOWS\System32\yvbb02.sys
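As an added defender-side example (my code, not part of the original post), the following Python script checks a host inventory of file paths, registry keys and services against exactly the Haxdoor indicators listed above. The inventory it runs on is constructed sample data, and the function names are my own; the indicator values are the ones from the post.

```python
"""Check a host inventory for the Haxdoor indicators listed in the post.

The indicator values (System32 file names, the Winlogon Notify key and the
two services) come from the post. The SAMPLE_* inventory below is constructed
sample data, not output from a real host. Function names are my own.
"""
import re

# Files the post says appear in System32 after the drive-by infection,
# plus the two driver files referenced by the added services.
HAXDOOR_FILES = {
    "kgctini.dat", "klo5.sys", "lps.dat", "yvpp01.dll", "yvpp02.sys",
    "yvbb01.sys", "yvbb02.sys",
}
# Winlogon Notify subkey the backdoor registers so it is loaded at logon.
HAXDOOR_REG_KEY = (
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yvbb01"
)
# Services added by the backdoor: service name -> display name.
HAXDOOR_SERVICES = {"yvbb01": "Miniport FT32", "yvbb02": "Miniport FT"}


def _basename(path):
    """Last component of a Windows- or POSIX-style path, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


def _in_system32(path):
    """True when the path sits under a System32 directory (any drive/case)."""
    return "\\system32\\" in path.lower().replace("/", "\\")


def match_indicators(file_paths, registry_keys, services):
    """Return indicator hits found in an inventory.

    file_paths:    iterable of full file paths
    registry_keys: iterable of full registry key paths
    services:      iterable of (name, display_name, binary_path) tuples
    """
    hits = {"files": [], "registry": [], "services": []}

    # Generic names such as lps.dat only count inside System32, where the
    # post says they are dropped; elsewhere they would just be noise.
    for path in file_paths:
        if _in_system32(path) and _basename(path) in HAXDOOR_FILES:
            hits["files"].append(path)

    for key in registry_keys:
        if key.lower() == HAXDOOR_REG_KEY.lower():
            hits["registry"].append(key)

    # A service matches on its name, its display name, or its binary file:
    # a variant may rename the service but keep one of the other two.
    for name, display, binary in services:
        if (name.lower() in HAXDOOR_SERVICES
                or display in HAXDOOR_SERVICES.values()
                or _basename(binary) in HAXDOOR_FILES):
            hits["services"].append(name)

    return hits


def is_infected(hits):
    """True when any indicator category produced a hit."""
    return any(hits.values())


# Constructed sample inventory: one clean entry per category plus the
# indicators from the post, with case and slash style varied on purpose.
SAMPLE_FILES = [
    r"C:\WINDOWS\System32\kernel32.dll",
    r"C:\WINDOWS\System32\KLO5.SYS",
    "C:/Windows/System32/yvpp01.dll",
    r"C:\Users\alice\Downloads\lps.dat",   # same name, wrong location: no hit
]
SAMPLE_KEYS = [
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yvbb01",
]
SAMPLE_SERVICES = [
    ("Spooler", "Print Spooler", r"C:\WINDOWS\system32\spoolsv.exe"),
    ("yvbb01", "Miniport FT32", r"C:\WINDOWS\System32\yvbb01.sys"),
    ("svchelper", "Miniport FT", r"C:\WINDOWS\System32\svchelper.sys"),  # hypothetical renamed variant
]

if __name__ == "__main__":
    result = match_indicators(SAMPLE_FILES, SAMPLE_KEYS, SAMPLE_SERVICES)
    for category, found in result.items():
        print(f"{category}: {found}")
    print("infected" if is_infected(result) else "clean")
```

On a real host you would feed `match_indicators` the output of a file listing of System32, an export of the Winlogon Notify key, and a service inventory; the script deliberately restricts file matches to System32 so that a coincidentally named file elsewhere does not raise a false alarm, while services are matched on any of name, display name or binary so that a renamed service still surfaces.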
If you have all of these on your system, then it will surely be hell cleaning them all up – especially with rootkits! But it’s a good thing you don’t have these tell-tale signs of a drive-by-download backdoor-rootkit infection. It’s a good thing that your system is not compromised with a stealthy backdoor installed on your machine that can allow remote malicious hackers to do almost anything with your computer and your files…
You simply don’t have to worry, because none of this happened at all. At the first click on the travelpolicy.com site, Trend Micro already flagged a detection of HTML_DLOADER.BHF, so the download and execution of the backdoor rootkit, as well as of its other malicious components (which, by the way, are detected by Trend as BKDR_HAXDOOR.JG), will not occur. You were actually protected from this threat. It was just a bad dream – a nightmare. You were actually safe.
Everything is secure. It’s a good thing you are using Trend Micro.
NOTE: The above malicious URL is still alive at the time of this posting. Google has already been notified of this and we’re hoping that the site will be taken down immediately. In the meantime, we strongly advise users to steer clear of this site.
Subject: Campus Life
Message Body:
We have been thinking of including you in the new campus magazine in an article headed “Campus Life”. Can you approve the photo and article for us before we go to printing please.
If any details are wrong then we can amend before printing on Tuesday 1st November so please get back to us as soon as possible.
Many Thanks & Best Regards,
J Chuang
Editor
Possible Attachments:
- Photo + Article.exe
- Photo + Article.scr
- Photo + Article.zip
NOTE: The .exe and .scr files usually come with the icon of a PDF file.
So far, we’ve seen only a couple of infections, including a university that posted an online warning to its academic community on its website:
We’ve included some text here from the image above just in case the image is unclear:
If you receive an email with the subject “Campus Life” and an attachment named “Photo + Article.zip” PLEASE do not open the attachment — just delete the message from your mailbox without opening it. DO NOT OPEN THE ATTACHMENT! There may be variations in the subject and attachment, so please exercise extra vigilance with any email messages that you may receive, especially those that have ZIP attachments…
Thank you for your patience while we resolve this problem…
Kinda like a nasty November 1 Halloween Trick (leave the Treat part out of it) because there is NO treat in what an infected user will experience once the malware is executed.
Using port 8080, the executed malware connects to Internet Relay Chat (IRC) servers and joins a channel, allowing a remote malicious user to issue the following commands that are locally executed on the affected system:
- Download and execute remote files
- Retrieve system information
- Update itself
Good news for Trend Micro customers, though: this malware is detected by Trend as either BKDR_IRCBOT.BM, first seen and detected on Oct 26, 2005, or BKDR_BREPLIBOT.B, first seen and detected on Oct 29, 2005.
Other related malware that started propagating in the week just before this November 1 includes:
BKDR_BREPLIBOT.A – first seen on Oct 26, 2005
WORM_IRCBOT.AJ – first seen on Oct 27, 2005
This is definitely one more piece of evidence of the increasing proliferation of targeted attacks. The targets in this case are most likely users in academia, and probably students, who may be tricked into having their five minutes of fame, plus photo, plus article, published “in the new campus magazine in an article headed ‘Campus Life'”!
Targets in these kinds of attacks vary, and may range from operating systems to frequently used applications or computing peripherals, or from geographical locations to user and institutional groups such as the educational community mentioned above. Let us continue to be more vigilant regarding these attacks in the days to come…