Channel: Symantec Connect - Blog entries

New PCI E-Commerce Guide Advocates SSL


In the world of e-Commerce, the strength of encryption that you employ – and the use of Extended Validation SSL (EV: a highly rigorous and demanding standard of verification) – needs to be beyond all compromise. Get this right and you will have loyal, long-term customers who will return time and again. Get it wrong and they will desert you and tell their friends to do the same.

Why? Because on-line fraud has been soaring out of control, and is ranked as one of the biggest problems within the Payment Card Industry (PCI). E-Commerce without proper safeguards, guaranteed and independently validated, leaves your valued customers wide open to attack and at the mercy of the cyber criminals that attempt to dupe them into providing critical information that can lead to substantial financial loss and/or identity theft.

It’s a serious problem. More than 234 million records with sensitive information have been breached since January 2005. As a merchant, you are at the center of payment card transactions, so it is imperative that you use the most sophisticated security procedures and technologies to thwart theft of cardholder data.

So, what can you do to ensure your customers are always safe? Online scams are increasingly making headline news. With many people walking away from on-line transactions fearing they will be the next, you have to show, beyond any shadow of a doubt, that you are exactly who you say you are.

In January this year, the PCI Security Standards Council (PCI SSC) published its E-Commerce Guidelines, detailing the technical and operational requirements set by the council to protect cardholder data. This will almost certainly become the reference point for merchants and customers alike. PCI has aligned with NIST standards in stipulating that adequate encryption of a cardholder's sensitive data is imperative while it is being transmitted, insisting on nothing less than 128-bit encryption. It also calls for cryptographic keys, including their storage and transmission, to be effectively managed.

What does that mean for you, to meet these requirements? The council singles out Secure Sockets Layer/Transport Layer Security (SSL/TLS) encryption as an important way forward, technology that is at the very heart of Symantec's security ethos and best practice. First, you need full visibility into SSL/TLS traffic so that threats hidden inside it can be detected. Second, you need to employ Web gateway solutions that offer SSL scanning and policy enforcement for encrypted traffic.

The PCI DSS (Data Security Standard) requires that payment card data be protected during transmission over open, public networks (including the Internet). SSL/TLS is used to encrypt information sent between the consumer and the merchant, and between the merchant and the e-commerce payment gateway. The proper implementation of SSL/TLS is one key mechanism that can be used to meet this requirement. Not only does 128-bit SSL/TLS encryption protect your customers' credit card numbers, payment information, passwords and other confidential personal data, it is easy to implement, too. EV (Extended Validation) SSL Certificates add something different: they do not change the cipher strength, but the rigorous identity checks behind them make it far harder for a fraudster to impersonate your site to your customers.

One further level of reassurance you need to communicate to your customers is the presence of the green address bar, growing in familiarity, that indicates these are properly authenticated sites, with the identity of the organization displayed. Research has found that 93% of Web users who see a green address bar are more inclined to engage in transactions at those locations than on sites without.

When you talk about winning trust, this is where it happens. What your customer gets from all of this is the confidence to transact on line. What you get, by delivering these highest levels of security, is more business.

*In the document, PCI SSC acknowledges the contribution of the E-commerce Special Interest Group (SIG) – which includes Symantec – in the preparation of its document.


When using FSAUTILITY to bulk recall files how can progress be tracked?


 

A question which appeared on the forums the other day was worthy, I think, of further investigation.  It's one of those questions that you think should be 'obvious' or 'easy', but of course it's not that straightforward.

 

The question is:

 

When using FSAUTILITY to bulk recall files how can progress be tracked?

 

We know that when the FSA Archiving Task is running, the report file that it generates usually reports 0 KB for quite some time, but when you open it, it does contain data… so you can see 'progress' that way.

 

People who have used Enterprise Vault for some time know that there are lots of differences between the way that FSA and Exchange Mailbox archiving operate.  Fundamentally, FSA does not use MSMQ as the Exchange Mailbox Archiving process does.  Items are collected for processing by a number of folder walker threads; this queue of files is then operated on by a number of other threads.  Periodically the 'progress' is written out to the checkpoint XML file in case the scheduled window ends, or the task is stopped.  It means that when the task resumes it can quickly get to where it left off and carry on.  It also means that when the scheduled window ends the processing actually ends, which again is a little different to the Exchange Mailbox Archiving side of Enterprise Vault.

 

Answering the question about FSAUTILITY needs some reproduction work.  The situation is reproducible, I think, by generating 15,000 sample files, archiving them, and then trying the bulk recall from the command line.

 

The command line I'm going to use is as follows:

 

FSAUTILITY -t -s \\fs01\data\hector -f -l 0

 

The interesting parts of the command line are:

 

-f … to overwrite the files which are currently on disk.  This can lead to somewhat unexpected results, but for my test where all the items on the source are placeholders, it'll be fine.  The unexpected results can be observed by overwriting an archived file which was previously recalled and edited, those edits will be lost.

-l 0 … by default FSAUtility only reports failures in the XML file.  Switching this to -l 0 will report successes and failures.

 

To generate the files I used my sample bulk creator script which is available on this link.  Quite surprisingly that didn't take too long to do.  The script ran for 12 minutes.  The next step was archiving them all.  And finally we can now get on with the bulk recall, and figuring out when the data is written to the XML file.

 

In looking at the XML file (which you kind of have to open in Notepad) it can be seen that the file is being written to whilst FSAUTILITY is building the list of files to restore. So whilst FSAUTILITY is showing 'Number of files queued for restore:' and the number next to that starts to rise.. those file entries are being written to the XML file.  They are showing information like this:

 

<?xml version="1.0"?>
<?xml-stylesheet type='text/xsl' href='C:\Program Files (x86)\Enterprise Vault\FSAUtilityLog.xsl'?>
<FSAUtilityLog>
  <Header>
    <Operation>Restore files</Operation>
    <DateTime>10/02/2013 14:19:06</DateTime>
    <SourcePath>\\fs01.ev.local\data\hector</SourcePath>
  </Header>
  <ItemList>
    <Item>
      <Item>.\test_1.out</Item>
      <ErrorCode>Restore operation started</ErrorCode>
    </Item>
    <Item>
      <Item>.\test_10.out</Item>
      <ErrorCode>Restore operation started</ErrorCode>
    </Item>
    <Item>
      <Item>.\test_100.out</Item>
      <ErrorCode>Restore operation started</ErrorCode>
    </Item>

 

The entry in the file indicates that the restore operation has started for each of the items, and the file is gradually growing.

 

After a few minutes I am seeing on the file system that some of the files are now being replaced with the version from the archive.  However, the XML file is not being updated (yet) to reflect that, and the number of items queued is still slowly rising.  Even after a few hours, though, the status of the items in the XML file is still simply 'Restore operation started'.

 

 

Summary

  • The XML does get written to as the items are queued for processing.
  • There is _no_ easy way to determine whether the files have been recalled or not, other than simply doing a DIR command.

 

It is a shame that this hasn't been thought of 'more' and had any development work done around it.  Moving placeholders or restoring items is something that people have to do from time to time, and to be honest right now you're left a little bit in the dark when it comes to tracking progress.
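Since the XML log only ever records that an item was queued, the practical check is to combine the log with the state of the files on disk. The script below is an added example, not code from the original post or from Enterprise Vault. It assumes the log keeps the FSAUtilityLog/ItemList/Item/ErrorCode shape shown above, and it further assumes that an un-recalled placeholder carries the Windows FILE_ATTRIBUTE_OFFLINE bit; the sample log embedded in it is constructed, including the made-up 'Restore failed' status.

```python
"""Track FSAUtility bulk-recall progress from its XML log and from disk.

Added example; this is not code from the original post or from Enterprise
Vault.  It assumes the log keeps the FSAUtilityLog/ItemList/Item/ErrorCode
shape shown above and, as a further assumption, that an un-recalled
Enterprise Vault placeholder carries the Windows FILE_ATTRIBUTE_OFFLINE bit.
"""
import re
import sys
from collections import Counter
from html import unescape
from pathlib import Path

FILE_ATTRIBUTE_OFFLINE = 0x1000  # assumed marker of a placeholder not yet recalled

# FSAUtility appends to the log while it is still queueing, so the closing
# </ItemList></FSAUtilityLog> tags are normally absent and an XML parser
# rejects the file.  A tolerant regex over complete <Item> records is used
# instead; a record cut off mid-write is simply not counted yet.
ITEM_RE = re.compile(
    r"<Item>\s*<Item>(?P<name>.*?)</Item>\s*"
    r"<ErrorCode>(?P<code>.*?)</ErrorCode>\s*</Item>",
    re.S,
)

# Constructed sample in the shape the post shows, truncated mid-record the
# way a live log is.  'Restore failed' is a made-up status for illustration.
SAMPLE_LOG = """<?xml version="1.0"?>
<FSAUtilityLog>
  <Header>
    <Operation>Restore files</Operation>
    <SourcePath>\\\\fs01.ev.local\\data\\hector</SourcePath>
  </Header>
  <ItemList>
    <Item>
      <Item>.\\test_1.out</Item>
      <ErrorCode>Restore operation started</ErrorCode>
    </Item>
    <Item>
      <Item>.\\test_10.out</Item>
      <ErrorCode>Restore operation started</ErrorCode>
    </Item>
    <Item>
      <Item>.\\a &amp; b.out</Item>
      <ErrorCode>Restore failed</ErrorCode>
    </Item>
    <Item>
      <Item>.\\test_100.out</Item>
      <ErrorCode>Restore op"""


def parse_log(xml_text: str) -> dict:
    """Map each completely written item to its status text."""
    return {
        unescape(m.group("name").strip()): unescape(m.group("code").strip())
        for m in ITEM_RE.finditer(xml_text)
    }


def status_counts(xml_text: str) -> Counter:
    """How many items are in each state according to the log."""
    return Counter(parse_log(xml_text).values())


def is_placeholder(attributes: int) -> bool:
    """True if the Windows attribute word marks a still-offline placeholder."""
    return bool(attributes & FILE_ATTRIBUTE_OFFLINE)


def disk_progress(root: Path) -> tuple:
    """Count files under root that are still placeholders versus recalled.

    Off Windows, st_file_attributes does not exist and every file counts as
    recalled, which is why the log view above is kept as a second opinion.
    """
    still_placeholder = recalled = 0
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        attributes = getattr(path.stat(), "st_file_attributes", 0)
        if is_placeholder(attributes):
            still_placeholder += 1
        else:
            recalled += 1
    return still_placeholder, recalled


def main(argv) -> int:
    if len(argv) != 3:
        print("usage: fsa_progress.py <FSAUtility log.xml> <recall root>")
        return 2
    log_text = Path(argv[1]).read_text(encoding="utf-8", errors="replace")
    for status, count in sorted(status_counts(log_text).items()):
        print(f"log:  {count:6d}  {status}")
    pending, done = disk_progress(Path(argv[2]))
    print(f"disk: {done} recalled, {pending} still placeholders")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the live log and the recall root from a second console while FSAUtility is working; the log figure tells you how far the queueing has got, the disk figure how many placeholders have actually been replaced, which is the number the log never gives you.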

Rationalising Script Tasks in DS6.9


Today I'm taking a break from Shylock woes and instead looking at an issue one of the team raised regarding inconsistent jobs on our deployment server. Specifically, we've got two versions of a script task on our deployment servers where only one should exist. This is a nice task: it's one of those jobs which look horrible to correct but are actually easy to fix with just a bit of SQL knowledge.

The embedded script task in question begins with the string 'REM Resolve Shortcuts' so I quickly put together a little SQL to see where the problem lay,

select count(*),script from script_task
where script like 'REM Resolve Shortcuts%'
group by script
 
The result of this is:
 
30   REM Resolve Shortcuts using SQLCMD.EXE (v1.2) .....
6    REM Resolve Shortcuts using SQLCMD.EXE (v1.2) .....

This indeed confirms the problem. At some point I've updated a script but not updated the version number, and not performed this update across ALL the jobs on the Deployment Server. This will only become an increasing problem with time, so it needs to be fixed now.

First, I need to find one of the scripts which has been correctly updated and then update its version number. Re-running the above SQL now gives:

30   REM Resolve Shortcuts using SQLCMD.EXE (v1.2) .....
6    REM Resolve Shortcuts using SQLCMD.EXE (v1.2) .....
1    REM Resolve Shortcuts using SQLCMD.EXE (v1.3) .....

So now we have one known 'good' script task. Our mission now is to update all the script tasks which are sitting at version 1.2 to this new correct one at version 1.3.

So, after backing up the eXpress database, this can be accomplished with the following SQL:

 

--Let us see how bad the problem is again...
select count(*),script from script_task
where script like 'REM Resolve Shortcuts%'
group by script


-- varchar(6000) must be at least as wide as script_task.script,
-- otherwise the copied script is silently truncated.
DECLARE @NewScript varchar(6000)

-- Exactly one task should carry the corrected v1.3 script. Bail out
-- otherwise: more than one row makes the SET below fail, and zero rows
-- would assign NULL and blank every v1.2 script in the UPDATE.
IF (select count(*) from script_task
    where script like 'REM Resolve Shortcuts using SQLCMD.exe (v1.3)%') <> 1
    RAISERROR('Expected exactly one v1.3 script task', 16, 1)
ELSE
BEGIN
    SET @NewScript=(select script from script_task where script like 'REM Resolve Shortcuts using SQLCMD.exe (v1.3)%')

    SELECT @NewScript

    Update script_task
    set script=@NewScript
    where script like 'REM Resolve Shortcuts using SQLCMD.exe (v1.2)%'
END


--Check that all scripts have been updated correctly
select count(*),script from script_task
where script like 'REM Resolve Shortcuts%'
group by script
 
This gives on execution the following SQL output in SQL Server Management Studio,
 

So brilliant. All resolved which means, I guess, it's back to Shylock.... :-(

 

 

 

Just having fun.


It feels like my freshman years in the IT business, where there is no fear, not a single worry. Beer and pizza will be there later, and all things will work themselves out.

Well I am lost for words on this product deployment so far. Lots of bells and whistles to see in the Altiris 7.5 SMP, tons of automated actions that you don't have to script to do. Something you can train even beginner IT forayers to use in the console when it comes to software management, Patch and Inventory.

Until you get to the DS, where we have suddenly lost our ability to image machines. As in issues on both Notification Servers, separate issues, different errors. But the bottom line is simply that we can't reliably deploy any images.

The issues seem to relate to either timing or design. The NSEs are supposed to be processed with priorities, and since inventory is one of the least important it ends up at the back of the line. So we went to Initial Deploy as a method for sending a highly prioritized NSE. That didn't always work. The known machines at times have multiple instances in the console: one for the WinPE random name and one for the AD domain name.

Confused and not impressed so far; imaging is simple? Another call with Altiris today on the continuation of the cases.

Mail and journal archiving tasks are failing with errors 3305, 2256


We are running Symantec Enterprise Vault 9.03 with Exchange 2003. It has been running fine for the last three years.

Recently, we upgraded to Exchange 2010, added new targets and created new tasks. A couple of months later, the Journaling task failed, followed by the mail tasks, which also failed with errors 3305 & 2256.

After numerous days of troubleshooting and checking the online forums, I kept seeing the same discussions about VSA, permissions, Closest GC, DS Server registry entries, etc.

I verified all is set properly yet, the tasks kept failing.

I found the solution to the failing Mailbox & Journaling tasks. It appears that all of the issues we encountered last week were related to Exchange 2010 being in a DAG configuration.

The solution is to create DBs that are not part of any DAG configuration and move or create system mailboxes and place them in these DBs.

This is true for the Journaling mailbox as well.

Upswing in Ransomware


In collaboration with the SECURITY RESPONSE TEAM

As we predicted toward the end of last year, we’re already seeing an upswing in ransomware activity in 2013. The ransomware extortion scam has been in existence now for a number of years, but its popularity among cybercriminals has grown over the last two years and it continues to indiscriminately plague computer users in greater numbers. These attacks have evolved from website graffiti, to malware, to destruction or theft of business critical information, and more recently to extortion. SMBs are particularly vulnerable to these types of attacks because many don’t have the necessary IT resources or backups to recover hijacked assets. To help customers and partners better understand these attacks, Symantec has tracked this growing menace in various blogs, a whitepaper, and a video.

Over the last few weeks Symantec has observed a new spike in ransomware activity worldwide. While several variants of the ransomware threat are responsible for the overall spike, the main ransomware variant being observed is Trojan.Ransomlock.Y. This variant is being distributed through pornographic websites leading to the Impact Exploit kit. To help ensure its customers are adequately protected, Symantec has the following Intrusion Prevention Signatures (IPS) in place for the Impact Exploit kit, and is observing a similar telemetry spike around detections of this exploit kit:

 

Figure 1. Screenshot of Trojan.Ransomlock.Y

 

As a small business owner, it may seem like you have no choice but to pay up if your company is the target of a ransomware extortion scam. However, keep in mind that payment in no way guarantees that your computer or server will be unlocked, and can be a very costly mistake. The golden rule is to not pay the ransom to the cybercriminals, as paying any such ransom only helps to fuel further cybercrimes. If your business has fallen victim to a ransomware scam, Symantec provides a set of instructions that can help you remove these threats.

Saving Space: Advantages to using Veritas Operations Manager


My role as a Systems Administrator and storage provisioner often results in requests for additional space, usually from an Oracle database administrator.  This often provides a challenge, as working under a very limited budget we often have to re-allocate resources.  We decided to try out Veritas Operations Manager before looking at Veritas Operations Manager Advanced.  

Using Veritas Operations Manager helps in the monitoring of disk space and also allows one to view the tablespaces of the databases quickly, so one can tell if there's room for the Database Administrators to adjust the sizes of the tablespaces.  In most of my cases, where there is no more space available on the Oracle filesystem and all tablespaces are full, I've been able to look at the free space of my other VxVM filesystems and re-allocate from there (Attachment 3, vomimg03), including the ones within the same cluster, but I have had some instances where over 10G of free tablespace had been overlooked when there was a request for a small amount (5G) of expansion.  The graphs from VOM's tablespace view easily show where this can be re-allocated (See Featured Image).

There are tons of other great things about VOM that have helped me out in my days as a System Administrator.  It's shown me that there have been LUN paths down that I didn't know about (attachment 2, vomimg02), and that some VCS monitors have faulted.  It helps greatly with upgrades to the VCS environment, by letting me know which versions are running on which systems, so I can coordinate upgrades quickly and easily without having to track down which ones have been done, which often happens when there are many other sysadmins.  Additionally, the product has helped to track down which LUN is presented from the array by giving me the mapping of the LUN name to the enclosure to the VxVM name (Attachment 01, vomimg01), which is helpful if you're receiving errors in your logs about one of your LUNs.  The way that these features integrate nicely within a VCS cluster really made the product a powerful time-saving tool for me.

The product is free, so I recommend trying it and see if it works for you.  There are many many more features (self-patching, hotfixes, ...) that I still haven't had the time to take advantage of, even after using it for more than a year.

‘Good Enough’ Protection in the Cloud


There is a lot of fear out there when it comes to dealing with the cloud, especially with so much hype surrounding the technology. However, what you do, and do not, commit to the public cloud is entirely your call.

To misquote George Orwell’s classic, ‘Animal Farm’: ‘All clouds are equal – but some are more equal than others’. The other key thing to remember is that not everything is for the cloud, so it’s a matter of each to its rightful place.

Information highly sensitive? Then use private clouds, so that you benefit from scalability and flexibility internally, without exposing your data to the Internet. Consider which are your crown jewels of information and what protection you have around these. Is it good enough? Should those defences be more robust?

The starting point is to look carefully at each workload when deciding which kind of cloud your data should be in. The relative merits of issues such as availability, security – and the likely costs involved – are all factors that will help you pinpoint exactly what you are happy to send into public clouds and what you are not. You also need to know/find out what policies the cloud provider puts on your information. For example, do they encrypt your data? What security controls do they have in place? Do they delete your data when you no longer want it in the public domain?

Once you are satisfied on all of these issues, you should apply appropriate protection mechanisms, based upon what the information is that you are making public and what levels of protection you therefore require. When it comes to developing a solid strategy, it’s important you define information management policies, based on data classification, and assess its suitability for migration to the cloud. Here are some pointers:

For Private Clouds:

  • Create a ‘Class of Service’ model, with defined information availability and protection characteristics, underpinned by appropriate technical capabilities.

For Public Clouds:

  • Ensure you know how data is stored, protected, recovered, discovered and destroyed by your provider
  • Know what level of controls and protection the provider puts on data – you won't know the technology
  • Encrypt all data wherever possible – in motion and at rest
  • Use controls to ensure only permitted data is moved to the cloud.

Some final words of advice: ‘Don’t not do it, but don’t do it blindly.’ Remember, you can move a lot of things to the cloud, but responsibility for protecting your organisation’s data isn’t one of them.

Effective information security is the key to enabling the trust and confidence that will make your cloud model successful.

Would you agree? What are your thoughts on this? We’re keen to get your feedback, so do let us know.

 


The Windy City Breezes Through Another Successful Cyber Readiness Challenge


On February 5, 2013, Symantec hosted another Cyber Readiness Challenge event; the series promotes discussions surrounding the evolving cyberthreat landscape with an end goal of helping organizations mitigate risk and maintain their security posture. Symantec previously hosted games in Toronto, Irvine, California and Dallas. Last week, we brought the challenge to the windy city of Chicago where more than 60 participants gathered at the University of Illinois at Chicago (UIC) campus to engage in an evening of friendly competition. In fact, the setting proved to be an ideal meeting spot, enabling both security research students from UIC and enterprise IT professionals to participate in the festivities.

Symantec’s Cyber Readiness Challenge is an interactive competition – set in a ‘capture the flag’ style environment -- designed to have users with varying levels of technical acumen, perform a series of tasks attacking and defending simulated data centers (similar to that of a hacker attempting to infiltrate an organization). Kevin Haley, director of Symantec Security Response, kicked off the event providing insight on the evolving and sophisticated nature of targeted attacks – leveraging the characters from the Game of Thrones to demonstrate one such attack example (much to the delight of the crowd, which was peppered with fans of the book and HBO television show).

The challenge participants competed for both lucrative cash prizes as well as for bragging rights among their technical peers. During the actual game, many groups were seen working together and sharing insight while still maintaining enough information so as not to jeopardize their position on the leader board. The winner of the $2,500 grand prize was Peter Snyder using the player handle “BITSLab.” When asked how he planned to spend his winnings, Snyder stated he planned to take his UIC BITSLab colleagues out to dinner --  with that amount of money, we’re sure that it will be quite a meal for the group!

Other victors at the event include Rob Shupe (player handle: LordPrestor) who took home $1,000 and Walter O’Connor (player handle: hakman5) who left the challenge with a cool $750.

Haley added, “With another Cyber Readiness Challenge completed in Chicago last week, I can say with great pleasure that the goal of the event – to increase and expand upon the knowledge of cyberthreats and cybersecurity in today’s business landscape – is resonating well among the participants. Watching students and seasoned enterprise IT staff share technology tricks and best practices confirmed why this series of challenges is so important and highly beneficial.”

Symantec partner CDW was on site to talk about cybersecurity, the evolving threat landscape and also provided event attendees with trendy new water bottles!

Over the next few months, Symantec will host additional Cyber Readiness Challenges in Minneapolis, Minnesota; Mountain View, California; and New York City.

Cross-Platform Frutas RAT Builder and Back Door


Contributor: Val S.

We recently came across a sample of a back door remote access tool (RAT) written entirely in Java. The RAT is freely distributed on underground forums, free for any registered forum user to download. It is named Frutas, which means “fruit” in Spanish.
 

Figure 1. Frutas logo
 

The Frutas RAT allows attackers to create a connect-back client JAR file to run on a compromised computer. When executed, it parses an embedded configuration file for a server IP and port to connect to. The back door builder provides some minor obfuscation, which allows the attacker to use a custom encryption key for some of the embedded back door functionalities.
 

Figure 2. Back door client creation
 

Upon receiving a back door connection, the RAT server alerts the attacker and allows them to perform various back door functions on the compromised computer, including:

  • Query or kill system processes
  • Browse file systems
  • Download and execute arbitrary files
  • Send popup messages
  • Open a specified website in a browser
  • Perform denial of service attacks against a specified IP address

Figure 3. Back door functionality
 

Figure 4. Example pop-up message sent to users
 

The back door Java file uses a custom class loader that loads encrypted class files (named Opcion[1-14]) as it receives commands from the RAT controller server. The key, specified by the attacker when creating the back door, is used to encrypt the class files using DES as a stream cipher.
 

Figure 5. Back door Java decompilation
 

This is a low prevalence remote access tool that is targeted at, although not limited to, the Spanish hacker base. This can be seen in the low detection rate. Symantec detects the back door controller and builder as Hacktool and the back door as Backdoor.Trojan.
 

Figure 6. Current detection status
 

To protect yourself from becoming a victim of this remote access tool it is essential that you keep your computer up to date by applying the latest updates, along with keeping your antivirus definitions up to date.
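The one structural tell the post describes, class files named Opcion1 to Opcion14 that are stored encrypted and only decrypted by a custom class loader at run time, can be checked for without running the JAR at all. The script below is an added example, not code from the post or from the RAT. The naming scheme and the encrypted-class-file behaviour are taken from the post; the check itself (a class-like entry that does not begin with the 0xCAFEBABE magic, with its byte entropy reported as supporting evidence) is this example's own heuristic, and the sample JAR it builds is constructed.

```python
"""Flag JAR entries that look like encrypted class files.

Added example, not code from the post or from the RAT itself.  The Opcion1
to Opcion14 naming and the fact that the entries are DES-encrypted and
decrypted by a custom class loader come from the post; the check used here
(a class-like entry that does not start with the 0xCAFEBABE magic, with its
byte entropy reported as evidence) is this example's own heuristic, and
the sample JAR is constructed.
"""
import io
import math
import re
import zipfile
from collections import Counter

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # every plaintext .class file starts with this
OPCION_RE = re.compile(r"(?:^|/)Opcion\d{1,2}(?:\.class)?$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; cipher output sits near 8.0, Java bytecode well below it."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def suspicious_entries(jar_bytes: bytes) -> list:
    """Return (name, entropy) for entries that claim to be classes, either by
    .class suffix or by the Opcion naming scheme, yet lack the class magic."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            name = info.filename
            looks_like_class = name.endswith(".class") or bool(OPCION_RE.search(name))
            if not looks_like_class:
                continue
            data = jar.read(name)
            if not data.startswith(CLASS_MAGIC):
                findings.append((name, round(shannon_entropy(data), 2)))
    return findings


def build_sample_jar() -> bytes:
    """Constructed sample: one genuine-looking class, one 'encrypted' Opcion
    entry (uniformly distributed bytes stand in for DES output), and one
    plain resource with a made-up connect-back address."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("Main.class", CLASS_MAGIC + b"\x00\x00\x00\x32" + b"\x00" * 40)
        jar.writestr("Opcion3", bytes(range(256)) * 4)
        jar.writestr("config.txt", b"host=192.0.2.10\nport=4444\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, entropy in suspicious_entries(build_sample_jar()):
        print(f"{name}: no class magic, entropy {entropy} bits/byte")
```

Point suspicious_entries at any JAR you pull from a suspect host; a genuine class entry is never flagged because it always carries the magic, while an Opcion entry that has been encrypted for the custom loader is flagged regardless of which key the attacker chose.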

ServiceDesk Pack 7.5 for Altiris™ IT Analytics Solution 7.1 SP2 from Symantec™ User Guide

Zeus Targeting Japanese Online Banking Users Only


As we have reported on this blog several times before, banking Trojans such as Zeus (Trojan.Zbot) have for some time been a headache for online banking users around the world. Some countries and regions, Japan among them, had until now escaped the damage caused by banking Trojans. The language barrier is the likely reason, though there may have been other reasons. However, as the National Police Agency has already warned on several occasions, Japanese online banking users are now becoming victims of these attacks.

Symantec recently discovered a new Zeus file targeting five major Japanese banks. Figure 1 shows part of the encrypted configuration file. This malware targets Japanese banks only.

Figure 1. Banks listed as targets in the Zeus configuration file

 

Figure 2 also shows that infections by this variant have been confirmed only in Japan. Clearly, Japanese online banking users are being targeted.

Figure 2. Distribution map showing that the Zeus variant targets Japan only

 

The functionality is no different from previous Zeus variants. Once a computer is infected, Zeus monitors the web browser for visits to the targeted banks' sites and injects HTML code that displays a message in Japanese. The message reads as follows:

「もっと良いサービスを提供するため、当行の個人ネット銀行機能のアップデートをさせて頂いていますので、この間ネット銀行機能を使ったら、新規登録する時ご入力した情報をもう一度入力をいただき、アップデートを完了させて頂くようお願い申し上げます」(sic)
("In order to provide better service, we are updating our bank's personal internet banking functions. If you use the internet banking functions during this period, please enter once more the information you entered when you first registered so that the update can be completed." The Japanese original is awkwardly worded.)

The user is asked to enter a password and other information. The login details are recorded by the keylogger built into Zeus, allowing the attacker to use them to access the account.

Figure 3. HTML code displaying a fake alert that asks the user to enter information

 

Figure 4. HTML code displaying a fake alert that asks the user to enter the issue date of their PIN card

 

The attackers use the Blackhole exploit kit to install Zeus. Symantec security products protect against this attack with the following detections:

Antivirus:

Intrusion prevention system (IPS):

Behavior-based blocking:
SONAR.Heuristic

Zeus is usually spread via exploit kits. We recommend keeping all installed software up to date. Since this kind of malware can also arrive by email, do not open emails or attachments from untrusted senders. Also, be suspicious if an online banking site asks for information it does not normally request.

 

* To subscribe to the RSS feed of the Japanese-language Security Response blog, visit http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

Adobe Zero-Day Vulnerabilities Exploited in LadyBoyle Attacks


On February 7, Adobe released an emergency patch fixing two zero-day vulnerabilities (CVE-2013-0633 and CVE-2013-0634). It covers Adobe Flash Player 11.5.502.146 and earlier on both Windows and Mac. The emergency patch was released because these zero-day vulnerabilities are being actively exploited in attacks, and we recommend applying it immediately.

The attack observed exploiting CVE-2013-0633 has been named "LadyBoyle" after FireEye's initial analysis report, because the class file found to contain the exploit code is named LadyBoyle. Symantec has also confirmed that this threat was being actively distributed in targeted attacks. Figure 1 shows an example of a targeted email with an attached Word document containing the CVE-2013-0633 exploit. Symantec Mail Security for Microsoft Exchange blocked this attack on February 4.
 

Figure 1. Targeted email carrying the threat
 

When the victim of the targeted attack opens the attached document, a Flash object embedded in the document triggers the zero-day vulnerability (CVE-2013-0633). Figure 2 shows the process.
 

Figure 2. Targeted attack exploiting CVE-2013-0633
 

As shown in Figure 2, Symantec detects the stages of this attack as Trojan.Mdropper, Trojan.Swifi and Backdoor.Boda respectively. A system infected with Backdoor.Boda contacts a command-and-control (C&C) server hosted at iee.boeing.job.com (currently down). For CVE-2013-0634, which is being actively distributed through malicious Flash (SWF) content hosted on websites, the following intrusion prevention signature (IPS) is available:

Web Attack: Adobe SWF RCE CVE-2013-0634 2

Symantec is continuing to investigate further protection against these zero-day vulnerabilities and will update this blog as more details become available. As always, make sure your operating system and software are up to date, and avoid clicking suspicious links or opening suspicious attachments.

 


Cross-Platform Frutas RAT Builder and Back Door (Japanese edition)

Japanese-language edition of the "Cross-Platform Frutas RAT Builder and Back Door" post above, with the same content and the same Hacktool and Backdoor.Trojan detections.

Malvertising and Dynamic DNS: A Never-Ending Battle


Contributor: John Harrison

Symantec has been tracking a large malvertising (malicious advertising) campaign for more than five months. The campaign is still very active and is using dynamic DNS to evade tracking.

The campaign spread rapidly, compromising well-known domains and adult sites. Some of the infected sites are high-profile domains ranked above 5,000 in the Alexa rankings. Some of the infected websites have been cleaned after notification, prompted by users who were warned by Symantec products when visiting the sites, but many domains remain infected.

Infections spread by malvertising have a distinctive feature: they infect the system without requiring any user interaction (such as a click) and without exploiting any vulnerability in the website or its hosting server at all. They spread silently through the web page advertisements served by online marketing services.

Figure 1. Recent malvertising detection counts

The infection cycle begins with the attacker creating a malicious advertisement and injecting obfuscated JavaScript into it. The advertisement is then hosted on an advertising network spanning multiple legitimate domains, and users who visit those domains are infected.

Part of the obfuscated JavaScript is shown in the screenshot below.

Figure 2. Malvertising using obfuscated JavaScript

This malicious JavaScript can be divided into four parts.

  1. It checks whether Internet Explorer with ActiveX enabled is present, because the script only works against Internet Explorer.

Figure 3. Checking for IE with ActiveX enabled

  2. It sets cookies that track the infected computer, redirect it to the targeted advertisement and track the URL.

Figure 4. Implementing tracking

  3. It selects a random domain name from a list (over the past five months Symantec has observed more than 50 dynamic domains, hosted on multiple servers, being used).

Figure 5. Use of dynamic domains

  4. It creates a hidden iFrame, combining the dynamic domain with a common directory name such as news, finance, songs or forums.

Figure 6. Combining dynamic domains with common directory names

The iFrame then redirects the user to a final URL built from a common directory name and a dynamic domain, such as:

  • [random characters].blogdns.com/forum
  • [random characters].dyndns.biz/news
  • [random characters].is-an-accountant.com/finance

The final URL generated in the step above redirects to yet another page, which fingerprints Java and then executes a malicious .jar file. The .jar file does not use a single extension: as Figure 7 shows, extensions associated with image formats (.gif, .jpg and so on) are used as well as ".jar".

Figure 7. JAR file with a .gif extension

Depending on the Java runtime version on the infected computer, several JAR files are dropped. So far we have seen JAR files exploiting the vulnerabilities identified as the Oracle Java Runtime Environment remote code execution vulnerability (CVE-2012-4681) and the Oracle Java Runtime Environment multiple remote code execution vulnerabilities (CVE-2013-0422). The screenshot below shows an obfuscated Java class file extracted from a JAR exploiting CVE-2013-0422.

図 8. CVE-2013-0422 を悪用する Java クラスファイル

Once the Java vulnerability has been exploited successfully and the Java sandbox restrictions bypassed, the JAR file creates a DLL inside the temporary directory and adds a corresponding registry entry on the compromised computer. The DLL name is generated randomly each time the JAR file is compiled; the names borrow from legitimate Windows and application binaries so that they do not stand out. Examples of file names observed in analysis so far include:

  • %Temp%\spoolsv.dll
  • %Temp%\winlogon.dll
  • %Temp%\java.dll
  • %Temp%\alg.dll
  • %Temp%\firefox.dll

The DLL file then downloads additional malware onto the compromised computer.

Malvertising is on the rise: it grew twentyfold between 2010 and 2012. More than 50 percent of ad publishers have been hit by malvertising at least once.

Customers using Symantec security products are already protected from these attacks by multi-layered protection. Symantec Endpoint Protection 11 and 12 include the Network Threat Protection IPS technology, which proactively protects against malvertising and the drive-by downloads that accompany it. Enterprise customers should confirm that Network Threat Protection is enabled in their security product. In all Norton security products, Network Threat Protection is enabled automatically.

Some of the IPS signatures that block web attack toolkits from dropping malware via malvertising are listed below:

Symantec antivirus products also detect the dropped payload as Backdoor.Trojan and the corresponding JAR files as Trojan.Maljava.

Symantec recently announced Symantec AdVantage (in English), a cloud-based anti-malvertising product. It provides the latest detection and reporting capabilities and prevents ad publishers and distributors from spreading malware to their customers.

Site owners who display advertisements on their websites are encouraged to read the anti-malvertising guidelines (in English) recommended by the OTA (Online Trust Alliance). The OTA is a non-profit organization whose mission is to enhance online trust while promoting the innovation and vitality of the Internet; Symantec is a founding member of the OTA.

If you have applied the latest Java update (Java 7 Update 13), the exploits used in this campaign will not succeed: both CVE-2012-4681 and CVE-2013-0422 are fixed in that release. To avoid exploitation, always apply the latest updates to your operating system, software, antivirus definitions and IPS definitions.



How to 'Move' the Enterprise Vault Reports folder


Sometimes Enterprise Vault can produce quite sizeable report files in the REPORTS subfolder of the main Enterprise Vault installation folder.  There isn't a configuration option within Enterprise Vault, or a registry key, where you can change the physical path that these report files are written to… but you _can_ move the folder, using these simple steps:

  • Create a folder in the new location, e.g. E:\ReportsFolder
  • Copy the contents of the current 'Reports' folder to the new location
  • Delete the 'Reports' folder from inside the EV program folder (MKLINK refuses to create the junction if a folder with that name still exists).
  • Run the following, adjusting the first path to match your own Enterprise Vault installation folder:

          MKLINK /J "c:\program files (x86)\enterprise vault\reports" E:\ReportsFolder

Note: This works in Enterprise Vault when it is installed on Windows 2008 R2 x64.  Similar possibilities may exist in Windows 2003.

Symantec Website Solutions


The goal of the Symantec Website Security Solutions team is to build high-quality, integrated offerings that help our customers reach their goals.  We help e-commerce companies organize and grow their online business across many kinds of devices, platforms and media. We also help large enterprises protect the information that travels across public and private networks, using SSL encryption.

Our Website Security Solutions suite addresses the problems of organizations of every size, focusing on the needs of both the organization and the end user.  That is why our solutions are truly "made to measure for you".

Our Website Security Solutions combine SSL encryption with the Norton Secured Seal, which attests that a website has passed a daily malware scan and has been verified as legitimate by a leader in online trust. Websites displaying the Norton seal benefit from improved search results and are shown as trustworthy to prospective online shoppers who use Norton Safe Web or Safe Web Lite.  Symantec is the leading provider of Extended Validation SSL certificates, which use browsers' built-in ability to display the green bar or tab to users shopping online.

We are now introducing Algorithm Agility, through which all of our SSL certificates will include, free of charge, a DSA-signed certificate alongside the standard RSA certificate. To Premium SSL customers we also offer the option of using ECC certificates, so that large enterprises can choose the best combination of performance and protection for their online ecosystems.

Large enterprises also need Business Intelligence capabilities to better manage tasks such as certificate tracking and administration. Whether you use standard or Premium SSL certificates, our Certificate Intelligence Center 2.0 tool greatly simplifies these tasks, offering a centralized view of all certificates issued by any certificate authority. A unified dashboard provides actionable information, producing audit reports and alerts for every certificate approaching expiration. You will no longer lose thousands of euros a minute to problems with secure connections to your website, whether over the Internet, APIs or SKI.

We are the Symantec Website Security Solutions team. We pride ourselves on holding the most recognized trust mark on the Internet and on being the first public certificate authority. We are proud of our 100% uptime since 2004. And we are proud to be an important part of Symantec 4.0, delivering trust through our security solutions for e-commerce, advertising and applications.

When Resiliency and Contingency is Critical to the Business


A lot of you know that I’ve been hanging around Health IT for over 20 years.  Some of you know that I’ve been involved in IT for nearly 30 years.  A few of you may know that well before I discovered programming and IT, I worked in the professional theatre.

What none of you know is that all I learned about resilient systems and business continuity and contingency planning I learned in the theatre.  Not in IT.  I say none of you knew that (until now) because I didn’t know it until last night. Well, you’ve either quit reading by now or are ready to have me explain. So, here goes . . .

Last night I went to the theatre.  It was 2 legendary Texas singer/songwriters - - you’d know them if I named names but I won’t.  Bare stage, acoustic guitars, minimal lighting, and 2 mics.  It was an historic theatrical venue, probably under 1,000 seats on 3 levels and any decent singer or actor could fill the place with no mic but I’m already looking around for extra lights, backup sound . . . My wife, whom I met when we worked in the theatre, reminds me that they really wouldn’t need that for this kind of show.  She had already done the risk analysis.

I was thinking back to other theatrical events.  I worked my way through undergraduate studies (in theatre) as a card-carrying stagehand in a roadhouse that presented touring shows, touring groups, regional and local rentals.  In show business, just like healthcare, it is all about the audience member.  Let’s call them the patient.  In healthcare, they are looking for care for a pain, injury or ideally just to protect their health.  In show business they want to be entertained - - another way being taken care of.

So, here was my introduction to business continuity:  A national Broadway tour of “Fiddler on the Roof” was coming to our roadhouse.  It was February in North Dakota and on this particular day that meant high winds and snow.  The cast had arrived on time but the trucks carrying the sets and costumes arrived at the theatre about the time the curtain was supposed to be going up.    The local presenter called the producer in NY who said  “Hell, yes, there will be a show.”  It took about 10 minutes to decide to do this:  Bring down the front curtain, have the principal (star) do his nightclub act on the stage in front of the curtain while we did the set up behind the curtain; we cut some of the scenic elements to get the set up down to about 2 hours.  The audience got a nightclub act; the actor got a “free” tryout. The show went on.  I’m sure much union overtime was paid but 3,000 “cultural patients” left the “hospital” healthy that night.  The company was so high on adrenaline that it was a stunning performance!  While no one locally thought of it, the NY producer knew exactly what to do and doing nothing was not an option.  Contingency planning!

Resiliency and high availability were a different story.  It was one of the first shows in that roadhouse and I was working the show as an electrician.  The show was The Four Seasons.  Yes, as in Frankie Valli and The . . .  This was before Jersey Boys . . . mid-70’s.  No sets but lots of costumes and lots and lots of sound equipment.  We unloaded what looked like a complete sound set up and I thought we were ready to go to sound checks when the road manager for The Four Seasons called us all over and said “Let’s finish unloading.”  We all went back to the loading dock and there was a complete, identical, fully redundant sound system (these mixing boards and set up probably cost ~$200,000 - - back then).  We unloaded it and set it up right next to the one we had just set up.  I had to ask: “Why?”  The answer is one I’ve not ever forgotten:  “We make our money making this sound; if we can’t make this sound we don’t make money.  If it’s a different sound, people won’t pay for it.  We can’t afford to miss one note, one word.”  Let me just say the answer made perfect sense to me then . . . and it still made sense 30 years later when I was asked to lead the selection and implementation of an EMR at the IDS where I was CIO.

Doing a nightclub act while the show was being set up?  A completely redundant sound system for The Four Seasons?  These were business decisions . . . the stage hands didn’t decide, the actors didn’t decide although they were all part of the decision and had to participate.  It took more money, it took more time and effort, but all the “patients” were assured of getting the show they paid for.  They got what they wanted, needed and expected.  No one said “the computer is down” or “we can’t do that right now”.

Healthcare has to be able to do availability and continuity at least as well as a theatrical road house.  I can’t even think of what it means if we can’t.  Clinicians depend on the data to treat and care for patients and that does not happen on the planned schedules of IT or the CFO or the doctor.  It needs to happen no matter what - - “. . . we can’t afford to miss one note, one word.”

Remind me to tell you about giving Ray Charles his 40th birthday cake backstage in the Green Room . . .

Webcast | Archive Migrations: Best Practices for Moving Archived Content


Wondering what the best practices for moving archived content are? Join Symantec for a webcast on February 19th at 10 a.m. PST to find out exactly what strategy your organization should take. Our webcast will cover tips and tricks for monitoring a successful migration process and how to successfully navigate the migration process from planning to implementation. We’ll also address the best practices for the preparation and movement of archived content from a legacy archive to market leading Enterprise Vault and Enterprise Vault.cloud archive platforms. Let Symantec help make your migration easier. Register today!

Application Virtualization Smackdown!


Are you looking for an independent overview of Application Streaming and Virtualization solutions, and curious about the different features and functions each Application Virtualization vendor offers? This is the white paper you definitely must read!

The detailed features of Cameyo, Citrix, Numecent, Microsoft (both App-V v4 and v5), Spoon, Symantec and VMware are available in the feature comparison matrix. The goals of this white paper are to:

  • Provide an application and desktop delivery solutions overview
  • Explain the pros and cons of Application Virtualization
  • Highlight why Application virtualization and VDI are a perfect fit
  • Describe the different application virtualization vendors and solutions
  • Compare the features of the various application virtualization solutions 

Download the White Paper
