
Are Risk Matrixes misleading & dysfunctional to Decision Making?


Theoretically, a risk matrix would seem to be a reasonable way of prioritizing risk management actions. Unfortunately, there are three major problems with the matrices as they are currently being use



A Structured Resiliency Workshop Format


Deciding what to do and where to invest to achieve higher levels of availability and more resilient recovery is a lot harder than it might first appear.  When it comes to resiliency there is not a single variant to control, stuff comes in a number of gradations; gradations of risk, gradations of solutions, and gradations of cost.  Making rational choices about all these trade-offs is

Our commitment to a great Vision experience


Symantec Vision

In October, Symantec unveiled a new strategy that would allow us to deliver better value to our customers and partners. This strategy will see Symantec separate into two unique companies, one focused on security and the other on information management. We are working very hard to design the right structure for each company, removing complexity in our processes and focusing on the infrastructure we need to deliver better than anyone else.

Part of our commitment to you means we respect not only the investment that you make in our technology, but the time you invest in building relationships with the Symantec team. Our Vision user conference is one such opportunity, one of the most important face-to-face events we host. Because of the timing of these events and our separation planning, we've made the decision to delay our Vision Barcelona (May 15-18, 2015) and Vision Orlando (Oct 12-15, 2015) events so we can truly deliver on the investment you make to attend.

We are very clear on our strategy and the work that must be done to bring both companies to market by the end of 2015. Watch for additional information to be shared soon about upcoming training and networking events for both companies in the near future.

We appreciate your previous attendance and support as we work to deliver on our vision to protect and manage your information today and in the years to come.

Data Center Consolidation A Foundation to Cloud Computing


IT organizations have undergone rapid, organic growth and organizations continually scramble to meet the ever-increasing demands of the business. New applications, emerging technologies and alternative solutions have mushroomed. Mergers and acquisitions have added to the proliferation of these resources.

Destover: Destructive malware has links to attacks on South Korea

Some samples of Destover share a C&C server with Volgmer and also share similarities with Jokra and Shamoon.


Backdoor.Destover, the destructive malware that was the subject of an FBI Flash Warning this week, shares several links to earlier attacks directed at targets in South Korea. Some samples of Destover report to a command-and-control (C&C) server that was also used by a version of Trojan.Volgmer crafted to attack South Korean targets. The shared C&C indicates that the same group may be behind both attacks.  

Volgmer is a targeted piece of malware, likely used by a single group, which has been used in limited attacks, possibly as a first stage reconnaissance tool. It can be used to gather system information and download further files for execution. Significantly, the version of Volgmer which shares a C&C with Destover was configured specifically to attack South Korean targets and will only run on Korean computers.

Destover also shares some techniques and component names with the Jokra attacks against South Korea in 2013. However, there is no hard evidence as yet to link the attacks, and a copycat operation can’t be ruled out. Links also exist to the Shamoon attacks, with both attackers using the same commercially available drivers. In this instance, however, it appears highly unlikely that the same group was behind both attacks; instead it would appear that the Destover attackers copied techniques from Shamoon.

Destover in action
Destover is a particularly damaging form of malware that is capable of completely wiping an infected computer. It was the subject of an FBI Flash Warning earlier this week after at least one variant of it was understood to have been used in a high profile attack.

There are several malicious files associated with the FBI Destover report:

  • diskpartmg16.exe
  • net_ver.dat
  • igfxtrayex.exe
  • iissvr.exe

Diskpartmg16.exe is the first file that is created on an infected computer and, when executed, it creates the files net_ver.dat and igfxtrayex.exe.

When “diskpartmg16.exe” is run, it connects to a number of specific IP addresses within a set IP range, as well as computer names in the format “USSDIX[Machine Name]”. This indicates that this variant of Destover was not intended to be indiscriminate and the malware had instead been configured to only attack computers belonging to one particular organization.

The destructive payload of Destover is carried by igfxtrayex.exe. In certain instances, when run, it will:

  • Delete all files on fixed and remote drives
  • Modify the partition table
  • Install an additional module (iissvr.exe)
  • Connect to a number of IP addresses on ports 8080 and 8000.

Iissvr.exe, meanwhile, is a backdoor which listens on port 80. Once an attacker communicates with the compromised computer, this file displays a message, which reads:


“We’ve already warned you, and this is just a beginning.

We continue till our request be met.

We’ve obtained all your internal data including your secrets and top secrets.

If you don’t obey us, we’ll release data shown below to the world.

Determine what will you do till November the 24th, 11:00 PM(GMT).

Post an email address and the following sentence on your twitter and facebook, and we’ll contact the email address.


Thanks a lot to God’sApstls [sic] contributing your great effort to peace of the world.

And even if you just try to seek out who we are, all of your data will be released at once.”
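The component names and ports listed above are the kind of indicators a defender would want to correlate across endpoint telemetry. The following is an added example, not code from the Symantec write-up: it scores constructed sample events (the `kind|host|detail[|image]` format, the host names and the IP addresses are all made up) against the file names from the FBI report, the port 80 listener and the outbound 8080/8000 connections. A known component name counts as a strong indicator on its own; the ports are common enough that they only contribute in combination.

```python
import ntpath

# Indicators named in the write-up above: dropped component file names, the backdoor's
# listening port and the outbound ports contacted by the wiper component.
DESTOVER_COMPONENTS = {"diskpartmg16.exe", "net_ver.dat", "igfxtrayex.exe", "iissvr.exe"}
DESTOVER_OUTBOUND_PORTS = {8080, 8000}
DESTOVER_LISTEN_PORT = 80

# Constructed sample telemetry (not real logs) in the form kind|host|detail[|image].
SAMPLE_EVENTS = [
    "file_create|WS-104|C:\\Windows\\Temp\\igfxtrayex.exe",
    "process_start|WS-104|C:\\Windows\\System32\\svchost.exe",
    "net_connect|WS-104|203.0.113.7:8080",
    "net_listen|WS-104|0.0.0.0:80|C:\\Windows\\Temp\\iissvr.exe",
    "net_connect|WS-207|198.51.100.9:443",
    "net_connect|WS-207|198.51.100.9:8080",
    "file_create|WS-301|C:\\Users\\bob\\report.docx",
]


def _port(endpoint):
    """Extract the TCP port from an 'address:port' string."""
    return int(endpoint.rsplit(":", 1)[1])


def score_events(events):
    """Return {host: [(weight, reason), ...]} for events matching Destover indicators."""
    hits = {}
    for line in events:
        fields = line.strip().split("|")
        kind, host, detail = fields[0], fields[1], fields[2]
        image = fields[3] if len(fields) > 3 else ""
        reasons = []
        # Strong indicator: a component name from the FBI report is written to disk,
        # started as a process, or is the image behind a network event.
        candidates = [image] if image else []
        if kind in ("file_create", "process_start"):
            candidates.append(detail)
        for candidate in candidates:
            name = ntpath.basename(candidate).lower()
            if name in DESTOVER_COMPONENTS:
                reasons.append((3, f"known Destover component {name}"))
        # Weak indicators: these ports are common, so they only count in combination.
        if kind == "net_connect" and _port(detail) in DESTOVER_OUTBOUND_PORTS:
            reasons.append((1, f"outbound connection to port {_port(detail)}"))
        if kind == "net_listen" and _port(detail) == DESTOVER_LISTEN_PORT:
            reasons.append((1, f"new listener on port {DESTOVER_LISTEN_PORT}"))
        if reasons:
            hits.setdefault(host, []).extend(reasons)
    return hits


def suspected_hosts(events, threshold=3):
    """Hosts whose summed indicator weight reaches the threshold: one strong hit or several weak ones."""
    scored = score_events(events)
    return sorted(h for h, rs in scored.items() if sum(w for w, _ in rs) >= threshold)


if __name__ == "__main__":
    for host, reasons in score_events(SAMPLE_EVENTS).items():
        print(host, [r for _, r in reasons])
    print("suspected:", suspected_hosts(SAMPLE_EVENTS))
```

With the constructed events, WS-104 is flagged (a dropped component plus the port 80 backdoor image), while WS-207 only has a single outbound connection to port 8080 and stays below the threshold; lowering the threshold to 1 would surface it as well, which is the usual trade-off between recall and false positives for port-based indicators.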

Links to Volgmer
Some samples of Destover seen by Symantec link to a C&C server that has been used by variants of Trojan.Volgmer in the past. Symantec has been tracking Trojan.Volgmer for several months. Volgmer is a threat capable of opening a back door on an infected computer, which allows the malware to communicate with a C&C server to retrieve system information, execute commands, upload files, and download files for execution.

Interestingly, the variants of Volgmer that share a C&C server with Destover are configured to end execution if the compromised computer’s region is not “Korea”.

Links to Jokra
The Destover attackers use techniques and components, such as file names, that are similar to those used in the Jokra attacks against South Korea in 2013. These attacks crippled servers belonging to several South Korean banks and broadcasting organizations and also defaced the website of a Korean telecoms firm.

The malware used in the Jokra attacks contained code that did not begin wiping the hard drive until a set time period expired. Destover is also configured to perform a delayed wipe. Furthermore, media outlets in South Korea have reported that a number of similar file names were used in both attacks (Korean language link).

Similarities to Shamoon attacks
Destover also shares some commonalities with the Shamoon attacks. Both Destover and the malware used by the Shamoon attackers (W32.Disttrack) use some of the same drivers. These are not malicious files; they are commercially available drivers. While both Destover and Disttrack are destructive forms of malware, there is no evidence to suggest that the same group is behind both attacks.

Symantec protection
Symantec and Norton products detect this threat as Backdoor.Destover.

Five Service Classes to Establish an IT Service Catalog


An IT Service Strategy based on a service provision model, or Service Classes, supports an organization’s transformation to cloud computing.


Ransomware Do's and Don'ts: Protecting Critical Data


Ransomware threats such as CryptoLocker or CryptoWall are becoming more prevalent in enterprises. The purpose of these threats is quite simple; they are attempting to extort money from their victims with promises of restoring encrypted data.

We have seen a sharp rise in requests from customers with respect to ransomware, and it’s important to understand these risks, what to do, what not to do, and how best to prevent yourself from becoming a victim.

  • My data’s been encrypted by Ransomware, what now?

    • Do not pay the ransom!

      • Paying the ransom may seem like a realistic response, but it is only encouraging and funding these attackers. Even if the ransom were paid, what guarantees do you have that you will actually regain access to your files? Remember that these are the same aggressors that are holding your files hostage in the first place.

      • Remove the impacted system from the network and remove the threat.

      • With a multitude of variants it is unrealistic to list the exact steps, but most security vendors have detailed write-ups for the threats that include removal instructions. Removal is best done with the system off the networks to prevent any potential spread of the threat.

      • Restore any impacted files from a known good backup. Restoration of your files from a backup is the fastest way to regain access to your data.

    • Can I regain access to my files without paying the ransom or restoring from backup?

      The answer is most likely no. There are earlier variants of these threats that simply hid the ransomed files, left copies of the original files with the Volume Shadow Copy service or left copies of the private encryption keys locally or in memory. It is certainly worth the effort of researching the details of the variant you encountered to see if there are options for you, but for the majority of instances, these options are no longer the case as the threat writers have updated their methods using the funds from earlier rounds of extortion.

    • Can I “Brute-Force” my way into my encrypted files?

      • No, the current threats employ an RSA-2048 bit encryption key. Brute-forcing the key is simply not possible currently.

  • What can I do to protect myself from ransomware?

    • Install, configure and maintain an endpoint security solution

      • With the endpoint being the final line of defense from any threat, a multi-faceted security solution should be employed. This solution should have protections for not just file based threats (traditional AV), but should also include download protection, browser protection, heuristic technologies, firewall and a community sourced file reputation scoring system.

      • Symantec Endpoint Protection 12.1 (SEP 12) users can leverage the supplied “High Security” Virus and Spyware Protection policy that was generated automatically during installation of SEP 12 to provide protection for ransomware threats. As the default policies are often edited directly, the details on the specifics settings contained in the policy can be found here.

      • For additional protection from new ransomware variants, the “High Security” policy can be edited and the Download Protection feature can be modified to act on files that have not been proven to be good by the Symantec user base. The options that need to be altered are located in the “Download Protection” – “Download Insight” - “Also detect files as malicious based on their use in the Symantec Community” section. Enabling the two check boxes next to “Files with:” and “Files known by users for:” and using the default values of 5 and 2 respectively will force the SEP 12 client to treat any file that has not been reported to Symantec by more than 5 users, or that has been known for less than 2 days, as an unproven file.

      • The handling of these files is set on the “Actions” tab under “Unproven files”; the setting “Specify actions for unproven files:” should be set to “Quarantine risk”.

      • People using another endpoint antivirus solution should refer to their vendor for information on how to configure their real-time scanning options to be in line wherever possible with the “High Security” Virus and Spyware policy and the prevalence of files as determined by their user base.

    • User Education

      • One of the primary vectors of these threats is “Spear Phishing” attempts, where an unsolicited e-mail will come from an unknown sender with an attachment that is then executed. Educating your users as to proper handling of unknown or suspicious files is crucial.

    • Employ content scanning and filtering on your mail servers.

      • Inbound e-mails should be scanned for known threats and should block any attachment types that could pose a threat.

    • Maintain a current patch level for any operating systems and applications that have known vulnerabilities.

      • Exploit kits hosted on compromised websites are commonly used to spread malware. Regular patching of vulnerable software is necessary to help prevent infection.

    • Install and configure Host Intrusion Prevention

      • IDS or IPS systems can detect and prevent the communication attempts that the malware uses to create the public and private encryption keys required to encrypt the data.

      • The Symantec Endpoint Protection (SEP) client IPS system blocks this type of communication traffic by default.

    • Block your end users from being able to execute the malware

      • SEP users can leverage the Symantec supplied example Application and Device Control policies to prevent files from being run in the root and/or subfolders of the users %AppData% directory variable to prevent the downloaded threat from being launched. The policy prevents launch attempts of files that have been extracted from compression formats that the threat has been spreading in, blocks Auto-Run, access to script files and the execution of files from removable volumes.

      • Software restriction policies enforced via GPO can be created and configured to accomplish similar tasks.

    • Limit end user access to mapped drives

      • The current ransomware threats are capable of browsing and encrypting data on any mapped drives that the end user has access to. Restricting the user permissions for the share or the underlying file system of a mapped drive will provide limits to what the threat has the ability to encrypt.

    • Deploy and maintain a comprehensive backup solution.

      • The fastest way to regain access to your critical files is to have a backup of your data.

The above information is provided to help you avoid being taken advantage of by cybercriminals, and to prevent and protect against these types of attacks. It is in no way a complete plan to protect you, but it will certainly decrease your risk level.
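Several of the controls above (the Download Insight thresholds of 5 users and 2 days, blocking execution from the %AppData% tree and from removable volumes, and blocking script files) can be thought of as one ordered policy applied to a file about to execute. The following is an added illustration of that decision logic, not Symantec Endpoint Protection code or a GPO export: the `FileEvent` fields, the `APPDATA` value, the script extension list and the sample events are all constructed for the example.

```python
import ntpath
from dataclasses import dataclass

# Download Insight thresholds quoted in the post (defaults of 5 users and 2 days). The decision
# logic below is a constructed illustration of those settings, not SEP's implementation.
MIN_USERS = 5
MIN_DAYS_KNOWN = 2
# Script types the post's "access to script files" rule would cover (assumed list).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".bat", ".cmd", ".ps1"}


@dataclass
class FileEvent:
    path: str              # full path of the file about to execute
    user_count: int = 0    # community users who have reported the file (constructed field)
    days_known: int = 0    # days since the community first saw the file (constructed field)
    on_removable: bool = False


def is_unproven(ev):
    """Download Insight rule from the post: too few reporters or too new means 'unproven'."""
    return ev.user_count <= MIN_USERS or ev.days_known < MIN_DAYS_KNOWN


def under_directory(path, root):
    """True when path is root itself or lies anywhere beneath it (case-insensitive Windows paths)."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root)).rstrip("\\")
    return p == r or p.startswith(r + "\\")


def evaluate(ev, appdata):
    """Apply the post's controls in order: location and device rules first, then prevalence."""
    if under_directory(ev.path, appdata):
        return ("block", "execution from the %AppData% tree")
    if ev.on_removable:
        return ("block", "execution from a removable volume")
    if ntpath.splitext(ev.path)[1].lower() in SCRIPT_EXTENSIONS:
        return ("block", "script file")
    if is_unproven(ev):
        return ("quarantine", "unproven file per Download Insight thresholds")
    return ("allow", "proven file outside restricted locations")


# Constructed sample events; APPDATA stands in for the user's resolved %AppData% value.
APPDATA = r"C:\Users\alice\AppData\Roaming"
SAMPLE_EVENTS = [
    FileEvent(r"C:\Users\alice\AppData\Roaming\ctfmon.exe", user_count=9000, days_known=400),
    FileEvent(r"E:\autorun\setup.exe", user_count=9000, days_known=400, on_removable=True),
    FileEvent(r"C:\Users\alice\Downloads\invoice.js", user_count=9000, days_known=400),
    FileEvent(r"C:\Users\alice\Downloads\tool.exe", user_count=3, days_known=10),
    FileEvent(r"C:\Users\alice\Downloads\viewer.exe", user_count=120, days_known=1),
    FileEvent(r"C:\Program Files\Vendor\app.exe", user_count=5000, days_known=365),
]


def evaluate_all(events, appdata=APPDATA):
    """Return just the action for each event, in input order."""
    return [evaluate(ev, appdata)[0] for ev in events]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.path, "->", evaluate(ev, APPDATA))
```

Note that the first sample is blocked even though it is a widely known file: the location rule runs before the prevalence check, which is exactly why the post recommends the %AppData% restriction as a separate layer rather than relying on reputation alone.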

DS 7.5 SP1 PECTAgent.exe crashing after upgrade (SP1 HF3 - SP1 HF4)

corrupted .dll files

In some cases, after upgrading DS, PECTAgent.exe crashes in automation without any error message.

The final lines of the PECTAgent log read:

"</resourcekeys>
</request>"

and then PECTAgent.exe crashes and stops.

Suspected cause of this is corrupted .dll components.

Compare the size of the .dll files below taken from a DS 7.5 SP1 HF4 environment:

PECTAgent.exe version: 7.5.3290.0

x86

\Program Files\Altiris\Deployment\BDC\bootwiz\oem\DS\winpe\x86\Base\Program Files\Symantec\Deployment

[Screenshot: file sizes in the x86 Deployment folder]

x64

\Program Files\Altiris\Deployment\BDC\bootwiz\oem\DS\winpe\x64\Base\Program Files\Symantec\Deployment

[Screenshot: file sizes in the x64 Deployment folder]

Even .dll files with the sizes shown above may still be corrupted.

For troubleshooting other PECTAgent issues, collect PECTAgent .dmp files as described in the article below:

https://www-secure.symantec.com/connect/blogs/ds-75-info-how-create-pectagentdmp-files-automation

FIX:

1 - Call support and ask for the delivery of files to replace the corrupted ones (excluding PECTAgent.ini: this file contains the server information and is environment-specific, so keep the original)

2 - Replace corrupted files at locations below:

SMP:
\Program Files\Altiris\Deployment\BDC\bootwiz\oem\DS\winpe\x64\Base\Program Files\Symantec\Deployment
\Program Files\Altiris\Deployment\BDC\bootwiz\oem\DS\winpe\x86\Base\Program Files\Symantec\Deployment

3 - Check that the files replicated correctly to the Site Server locations below:

Site Server:

\Program Files\Altiris\Altiris Agent\Agents\Deployment\SBS\Bootwiz\{374E1C49-4F58-4F5C-8D51-07A30F0D44AD}\cache\bootwiz\oem\DS\winpe\x64\Base\Program Files\Symantec\Deployment

\Program Files\Altiris\Altiris Agent\Agents\Deployment\SBS\Bootwiz\{374E1C49-4F58-4F5C-8D51-07A30F0D44AD}\cache\bootwiz\oem\DS\winpe\x86\Base\Program Files\Symantec\Deployment

4 - If they do not replicate, delete the corresponding GUID snapshot at the location below on the SMP:

C:\ProgramData\Symantec\SMP\Snapshots

5 - Re-create the pre-boot environment

6 - Test
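Steps 2 and 3 amount to checking that the Site Server cache is a faithful copy of the SMP's Deployment folder, and the note above that a file can have the right size and still be corrupted means a size comparison alone is not enough. The following is an added helper, not part of the DS product or this post: it fingerprints two directory trees by size and SHA-256, skips PECTAgent.ini because that file is expected to differ per environment, and reports missing, extra and mismatched files. The `demo()` function builds two constructed temporary trees standing in for the SMP and Site Server paths; on a real system you would pass those two paths to `compare_trees` instead.

```python
import hashlib
import os
import tempfile

# PECTAgent.ini holds environment-specific server information (see step 1), so it is expected
# to differ between the SMP and the Site Server and is left out of the comparison.
EXCLUDE = {"pectagent.ini"}


def fingerprint_tree(root):
    """Map each relative file path under root to (size in bytes, SHA-256 hex digest)."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() in EXCLUDE:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            out[rel] = (os.path.getsize(full), digest.hexdigest())
    return out


def compare_trees(reference, replica):
    """Return a list of human-readable problems; an empty list means the replica matches."""
    ref, rep = fingerprint_tree(reference), fingerprint_tree(replica)
    problems = []
    for rel, (size, digest) in sorted(ref.items()):
        if rel not in rep:
            problems.append(f"missing on replica: {rel}")
        elif rep[rel][0] != size:
            problems.append(f"size mismatch: {rel} ({size} vs {rep[rel][0]} bytes)")
        elif rep[rel][1] != digest:
            # Same size, different content: the case a size-only check would miss.
            problems.append(f"content mismatch (same size): {rel}")
    for rel in sorted(set(rep) - set(ref)):
        problems.append(f"extra on replica: {rel}")
    return problems


def _write_tree(root, files):
    os.makedirs(root, exist_ok=True)
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def demo():
    """Constructed SMP and Site Server trees: one DLL corrupted in place, one not replicated."""
    with tempfile.TemporaryDirectory() as tmp:
        smp_files = {
            "PECTAgent.exe": b"A" * 64,
            "Good.dll": b"B" * 32,
            "Broken.dll": b"C" * 32,
            "Only.dll": b"D" * 16,
            "PECTAgent.ini": b"server=smp",
        }
        site_files = dict(smp_files)
        site_files["Broken.dll"] = b"X" * 32   # same size, different bytes
        del site_files["Only.dll"]              # never replicated
        site_files["PECTAgent.ini"] = b"server=site"  # expected to differ, ignored
        smp, site = os.path.join(tmp, "smp"), os.path.join(tmp, "site")
        _write_tree(smp, smp_files)
        _write_tree(site, site_files)
        return compare_trees(smp, site)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

An empty result from `compare_trees` is the "replicated OK" condition of step 3; any output is the cue to proceed with step 4 and delete the GUID snapshot so the files replicate again.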

NOTE:

If you found the above information useful, please give this article a thumbs-up (top right of the post) or add a comment below. Your feedback will help our tech community – Thank you, Mauro


Mind the gap: Are air-gapped systems safe from breaches?

Recent research has suggested several ways air-gapped networks could be compromised, but how realistic are these attack scenarios?

Contributor: Candid Wueest

Industries that deal with sensitive information rely heavily on air-gapped systems to protect their critical data. However, while these systems are more secure than most others, there are ways to compromise them, potentially allowing attackers to steal the affected organizations’ highly sensitive data. From radio signal-emitting graphics cards to computers communicating through their speakers, are air gaps, once considered the Fort Knox of security measures, beginning to show cracks?

An air gap is a security measure that protects critical data by keeping one or more computers isolated from other, unsecured networks such as the internet. System administrators may choose to air gap military systems, computerized medical systems, and control centers of critical infrastructure in order to protect data from attacks. Unfortunately, no system is 100 percent secure and there will always be a way to chip away at defenses. Several research reports have been making the news recently concerning ways in which air-gapped systems can be breached. Although some of the methods sound like they were taken straight out of a science fiction story, security researchers have definitely taken up the challenge of bridging the air gap.

Problems for would-be attackers
If an attacker wishes to breach an air-gapped system, they face three major hurdles:

  1. Compromising a computer within the isolated network
    To breach an air-gapped system, the attacker needs to infect at least one of the air-gapped computers with malware. This could be done by using an insider in the targeted firm or an outsider, such as a consultant, who may be able to get access to the isolated area and use a malware-infected USB drive to compromise the computer. Air-gapped computers could also be compromised in supply chain attacks, where the computer’s components are intercepted and tampered with during the manufacturing or shipping processes.
  2. Sending commands to the compromised computer
    Once a computer has been compromised, the attacker has to figure out how to send commands and updates to the malware. Normally, this would be conducted over the internet; however, anyone interested in taking on an air-gapped system needs to use a little more creativity.
  3. Exfiltrating data from the compromised computer
    Unless the attacker only wants to cause some damage, they’ll need to find a way to exfiltrate the stolen data from the air-gapped network.

Let’s get creative
In light of these challenges, let’s take a look at some of the recent air-gap attack research reports and talk about how much of a realistic threat, if any, each method poses and what can be done to stay protected.


Turn on, tune in, get the data out
Researchers have recently proved that it’s possible to exfiltrate data from an air-gapped network by using FM radio signals sent from a computer’s graphics card. The researchers created proof-of-concept malware called AirHopper that uses the computer’s video display adapter to broadcast FM-compatible radio signals to a device with an FM receiver. The researchers were able to create an image pattern that generates a carrier wave modulated with a data signal. The image sent to the computer monitor looks indistinguishable from regular visual output but contains extra data that is transmitted as FM radio signals.

Attackers using this technique could infect computers with malware using USB devices or by way of supply-chain tampering. As for the receiver, this could be any modern smartphone, as most contain built-in FM receivers. The smartphone could belong to someone involved in the attack or someone who has had their device compromised. As smartphones are connected to the internet, they would be easier to compromise than a computer in an air-gapped network through a range of techniques like compromised websites or malicious emails.

The receiver needs to be within eight yards (seven meters) of the broadcasted radio signals in order to work. The researchers say they can transmit about 13 to 60 bytes a second in their tests, which is more than enough data to include login credentials and other sensitive information. For instance, an attacker with a receiver would only need to be in range of the compromised computer’s monitor for roughly eight seconds to download a 100-byte password file.

The technique is similar to how TEMPEST attacks are carried out; however, a TEMPEST attack only allows the attacker to spy on what is being displayed on the computer’s monitor.

Real world implications and mitigation
This technique is the most plausible for data exfiltration. Compromising smartphones is something that is well within the capabilities of cybercriminals and nation states, so exfiltrating the stolen data would not be a major hurdle. When it comes to mitigation, banning the use of mobile devices within a certain range of the air-gapped system may be one solution. However, if that is impractical, the use of electromagnetic shielding would stop any signals being transmitted from the isolated network.

Whispering malware
A recent research report detailed a system that uses inaudible sound as a means of communication, allowing data to be passed between computers that have no network connection. The researchers developed a proof-of-concept program that uses the built-in microphones and speakers found in many computers to transmit small amounts of data over a distance of roughly 65 feet (20 meters). However, this distance could be extended by a great deal using what the researchers call an acoustical mesh network of compromised computers that effectively relay the data to each other.

As most adults can hear sounds between 100Hz and 20kHz, anything outside of this range should be inaudible. According to the researchers, most commercial soundcards operate at a sample rate of 48kHz, though in their tests most speakers wouldn’t work above 23kHz. This meant that the researchers needed to transmit at a frequency somewhere in the range of 20kHz to 23kHz.

The scientists experimented with several different methods to send data between two laptops using only sound. The most effective method used a system originally developed to acoustically transmit data under water, called the adaptive communication system (ACS) modem. Bridging air-gapped systems using this method, however, only provides a bitrate of about 20 bits per second. As with the other method described in this blog, this relatively tiny transmission rate rules out the exfiltration of large files such as documents and images but does feasibly allow for sensitive data to be sent, such as passwords or encryption keys.

Real world implications and mitigation
Depending on whether or not computers within the air-gapped network are fitted with speakers and microphones, this technique could pose a moderate threat. However, as the researchers themselves note, there are several possible ways in which this type of attack vector can be mitigated. Disabling audio output and input devices is perhaps the most obvious countermeasure. The researchers recommend that system administrators should not fit air-gapped computers with audio output hardware to begin with. If needed, users could use headphones; however, these would need to be disconnected when not in use as they too can be used to transmit.

Operators could employ the use of audio filtering to block sound in a specific frequency range on air-gapped computers to avoid attacks. Finally, the researchers suggest the use of an audio intrusion detection guard that would analyze audio input and output and raise a red flag if it detects anything suspicious.
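The "audio intrusion detection guard" the researchers suggest can be sketched with the numbers given above: audio sampled at 48kHz can represent everything up to 24kHz, so a guard can measure how much of a frame's energy sits in the 20kHz to 23kHz band that a speaker would carry but a person would not hear. The following is an added example, not the researchers' tool or any Symantec code: it synthesises constructed test signals (an audible 1kHz tone with and without a 21kHz tone mixed in), computes a plain DFT over a 10ms frame in pure Python, and flags the frame when the near-ultrasonic band holds more than a chosen fraction of the energy. The frame length, band edges and 10 percent threshold are assumptions for the illustration.

```python
import cmath
import math

SAMPLE_RATE = 48_000   # the soundcard rate quoted in the post; Nyquist limit is 24 kHz
FRAME = 480            # 10 ms frame, so each DFT bin is 100 Hz wide
BAND_LO, BAND_HI = 20_000, 23_000   # inaudible band the researchers transmitted in
ALERT_RATIO = 0.10     # assumed: alert when >10% of frame energy lies in the band


def synth(tones, n=FRAME, fs=SAMPLE_RATE):
    """Constructed test signal: a sum of sine tones given as (frequency_hz, amplitude)."""
    return [sum(a * math.sin(2 * math.pi * f * i / fs) for f, a in tones) for i in range(n)]


def power_spectrum(frame):
    """Magnitude-squared DFT for bins 0..N/2 (plain O(N^2) DFT; fine for a 480-sample frame)."""
    n = len(frame)
    spectrum = []
    for k in range(n // 2 + 1):
        acc = sum(x * cmath.exp(-2j * math.pi * k * i / n) for i, x in enumerate(frame))
        spectrum.append(abs(acc) ** 2)
    return spectrum


def band_energy_ratio(frame, lo_hz=BAND_LO, hi_hz=BAND_HI, fs=SAMPLE_RATE):
    """Fraction of the frame's spectral energy that falls between lo_hz and hi_hz."""
    spectrum = power_spectrum(frame)
    n = len(frame)
    total = sum(spectrum)
    if total == 0.0:
        return 0.0   # silence: nothing to flag
    band = sum(p for k, p in enumerate(spectrum) if lo_hz <= k * fs / n <= hi_hz)
    return band / total


def detect_ultrasonic(frame, threshold=ALERT_RATIO):
    """The guard's decision: True when the inaudible band dominates more than allowed."""
    return band_energy_ratio(frame) > threshold


if __name__ == "__main__":
    speech_like = synth([(1_000, 1.0)])                  # audible only
    covert = synth([(1_000, 1.0), (21_000, 0.5)])         # audible plus a hidden carrier
    for label, frame in (("audible only", speech_like), ("with 21 kHz carrier", covert)):
        print(f"{label}: band ratio {band_energy_ratio(frame):.3f}, alert={detect_ultrasonic(frame)}")
```

Because both test tones sit exactly on 100Hz bin centres there is no spectral leakage, so the ratio for the covert frame is the ratio of the squared amplitudes, 0.25 / 1.25 = 0.2. A deployed guard would need a window function, a longer observation than one frame, and a threshold tuned against the room's normal audio, but the shape of the check is the same.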


A more elaborate air-gap compromise: Dots, dashes, drones, and printers
Recent research presented at the 2014 Black Hat Europe conference showed how a malware-infected computer on an air-gapped network could receive and send attack commands through the scanner of a multi-function printer that the computer is connected to. To transmit data, an attacker would need to shine light, visible or infrared, into the room where the scanner is while a scan is in progress.

The researchers devised a system to send and receive binary data using Morse code and say that several hundred bits can be sent during one scan, plenty to contain commands for the malware. Detecting the light from far away would be a problem but the researchers say this can be made easier with the use of a quadcopter drone.

An attacker could use a laser to send data from up to five kilometers away, although the researchers only tested the method up to 1,200 meters. An infected computer could be made to initiate a scan at a certain time or the attacker could wait until someone uses the scanner.

Real world implications
This method doesn’t pose much of a threat to air-gapped networks as it relies on several conditions being just right for it to work. Firstly, a successful breach would rely on there being a multifunction printer with a scanner connected to the isolated network and secondly, the scanner would need to be open or at least in use. But the most glaring problem with this attack technique is that if there is no window in the room where the isolated system is contained, it’s back to the drawing board for our would-be attackers.

Mind the gap
Air gaps are considered to be a reliable way to secure sensitive data and systems but no system is without its weaknesses. The examples discussed in this blog are all related to work carried out by security researchers in an effort to raise awareness around potential security weaknesses in air-gapped networks. Luckily, these researchers present their work to the public so that relevant measures can be put in place to protect against the weaknesses they highlight. Unfortunately, cybercriminals don’t publish their work in scientific journals or give talks at security conferences, so we have no way of countering their attack techniques until they’re uncovered. If there’s one thing we can be sure of, it’s that the bad guys are always hard at work figuring out new ways to get to the stuff we don’t want them to reach.

Cyber Intelligence In An Online World


Turning data into intelligence is a prerequisite in these highly uncertain times, because not only does that empower organisations of all shapes and sizes to address today's cyber security challenges, but it also accelerates their ability to enable the innovation and agility of their businesses moving forward.

Intelligence is a critical asset for any business. Intelligence that enables better defence from today’s digitized threats we call “cyber intelligence”. This intelligence should not just be limited to the way we manage our data or technology but also the way we can apply better cyber intelligence to our processes and how we enable our people to be more cyber aware.

Let’s consider some of the challenges enterprises face and why better cyber intelligence matters so much.

First, digitisation is driving a new horizon for people and businesses. Software is intertwined in our daily personal and business lives – from checking email, to booking flights, to your organisation's digitally enabled business systems and the way we interact with partners, clients and customers, not to mention how we interact with our friends and families. This is contributing to an unremitting explosion in data growth, with forecasts predicting 40ZB by 2020 – if that happens there will be as many bytes of data on the planet as there are stars in the sky! Meanwhile, emerging technology trends such as the ‘Internet of Things’ will require people to feel even more secure, as the number of Internet-enabled devices is beginning to explode. This rapid digitisation is a testing time for every business, and it also influences the interactions and security of our personal lives.

So, what is the answer for better business cyber defence in these changing times? Putting in place an intelligence-driven cyber security strategy, because this delivers both better intelligence and the means by which enterprises can advance and future-proof the protective barriers around the business. It is, quite frankly, a game changer for any organisation. Most of all, it's a strategy that leverages Symantec's unique assets – our massive global footprint and access to huge amounts of security intelligence – helping us better protect information, manage risk, and prevent, detect and remediate attacks wherever these may happen.


Secondly, and just as importantly, it's a strategy that puts Symantec at the centre of a new security intelligence ecosystem – an ecosystem that will stimulate entirely new third-party products and services, making Symantec central to ensuring the constant security of our customers and partners. In short, better intelligence right across our customers’ business processes, delivering greater awareness for their people. Ultimately, ‘Big Data’ cyber security intelligence enables enterprises to take huge volumes of security information and:

  • Be more prepared – understand the risk profile and have greater visibility across the estate
  • Be better informed, more quickly, of external risks
  • Be able to quickly detect and react to such threats
  • Be able to prioritise the critical ones and direct security capabilities to the right activity
  • Respond more effectively and recover much quicker
  • Ultimately, be more protected!

In delivering against this remit, every single one of Symantec products and services will need to gather rich intelligence, analyse it and leverage the resulting insights, so that what we bring to our customers is a total cyber intelligence offering.


How are we making this happen? By defining a new technology- and service-based strategy that leverages our massively scalable analytics platform and cutting-edge techniques to mine our unified intelligence assets. These are once-in-a-lifetime engineering challenges – ones that need to be embraced, if we are not only to keep pace with the breath-taking rate at which cybercrime is evolving, but to stay one step ahead of the game.

My next blog will look in some detail at how Symantec is leveraging cyber intelligence into its solutions.

For more insights follow me on Twitter: @hanlon_james and connect with me on LinkedIn: James Hanlon

Destover: Destructive malware with links to past attacks against South Korea

Several Destover samples share C&C servers with Volgmer, and similarities with Jokra and Shamoon can also be seen.


Last week the FBI issued an emergency warning about a destructive piece of malware known as Backdoor.Destover. Destover shares several points in common with past attacks targeting South Korea. The command-and-control (C&C) server used by some Destover samples is the same one used by a version of Trojan.Volgmer that was created to attack targets inside South Korea. The shared C&C server raises the possibility that the same group is behind both attacks.

Volgmer is targeted malware. It is probably used in limited attacks by a single group as a first-stage reconnaissance tool: it can collect system information and download and execute additional files. Importantly, the version of Volgmer that shares a C&C server with Destover is configured specifically to attack South Korean targets and runs only on computers with a Korean-language configuration.

Destover also uses the same techniques and component names as the Jokra attacks against South Korea in 2013. However, at present no firm evidence linking these attacks has been found, and the possibility of a copycat cannot be ruled out. There are also commonalities with the Shamoon attacks: both attacks make use of the same commercially available driver. However, it is highly unlikely that the same group is behind both; rather, the Destover attacks probably imitated the techniques of the Shamoon attacks.

Destover's activity
Destover is particularly destructive malware, capable of completely wiping the contents of an infected computer. The FBI's emergency warning also touches on this, and at least one Destover variant is believed to have been used in one high-profile attack.

The FBI report on Destover lists several malicious files.

  • diskpartmg16.exe
  • net_ver.dat
  • igfxtrayex.exe
  • iissvr.exe

The first file created on an infected computer is diskpartmg16.exe; when it is executed, it creates net_ver.dat and igfxtrayex.exe.

When diskpartmg16.exe runs, it connects to a large number of specific IP addresses within a certain IP address range, as well as to computer names of the form "USSDIX[computer name]". In other words, this Destover variant is not intended as an indiscriminate attack; it is configured to attack only computers belonging to a specific organization.

Destover's destructive payload is delivered by igfxtrayex.exe, which, when executed, may perform the following operations:

  • Delete all files on fixed and remote drives
  • Tamper with the partition table
  • Install an additional module (iissvr.exe)
  • Connect to a large number of IP addresses on ports 8080 and 8000

Iissvr.exe, meanwhile, is a back door that listens on port 80. When the attacker connects to the compromised computer, it displays the following message:

 

“We’ve already warned you, and this is just a beginning.

We continue till our request be met.

We’ve obtained all your internal data including your secrets and top secrets.

If you don’t obey us, we’ll release data shown below to the world.

Determine what will you do till November the 24th, 11:00 PM(GMT).

Post an email address and the following sentence on your twitter and facebook, and we’ll contact the email address.

 

Thanks a lot to God’sApstls [sic] contributing your great effort to peace of the world.

And even if you just try to seek out who we are, all of your data will be released at once.”

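As an added example (not part of the original analysis), the following Python code applies the indicators above to constructed endpoint telemetry lines in an assumed key=value format. It ties each file name to the behaviour the report attributes to it, rather than matching names alone, and requires more than one rule to fire before treating a host as suspect; the log format and helper names are assumptions made for this example.

```python
import re

# Indicators quoted in the analysis above: the FBI file list and the ports
# used by the wiper and the back door.
DESTOVER_FILES = {"diskpartmg16.exe", "net_ver.dat", "igfxtrayex.exe", "iissvr.exe"}
DROPPER = "diskpartmg16.exe"      # creates net_ver.dat and igfxtrayex.exe
WIPER = "igfxtrayex.exe"          # connects out on 8080 / 8000
BACKDOOR = "iissvr.exe"           # listens on 80
WIPER_OUTBOUND_PORTS = {8080, 8000}
BACKDOOR_LISTEN_PORT = 80

# Constructed telemetry lines in a key=value format assumed for this example;
# they are not real logs from the attack.
SAMPLE_EVENTS = [
    "event=process_create image=C:\\Windows\\diskpartmg16.exe parent=cmd.exe",
    "event=file_create path=C:\\Windows\\net_ver.dat process=diskpartmg16.exe",
    "event=file_create path=C:\\Windows\\igfxtrayex.exe process=diskpartmg16.exe",
    "event=network_connect process=igfxtrayex.exe dst_port=8080",
    "event=network_connect process=igfxtrayex.exe dst_port=8000",
    "event=network_listen process=iissvr.exe port=80",
    "event=network_connect process=chrome.exe dst_port=443",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value telemetry line into a dict with lower-cased keys."""
    return {k.lower(): v for k, v in KV_RE.findall(line)}


def basename(path):
    """File name component of a Windows or POSIX path, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


def destover_findings(lines):
    """Return (rule, detail) tuples for events matching the described behaviour.

    Each rule pairs a file name with the action the report attributes to it,
    so a benign file that merely shares a name does not trigger a rule.
    """
    findings = []
    for line in lines:
        ev = parse_event(line)
        kind = ev.get("event")
        proc = basename(ev.get("process", ev.get("image", "")))
        if kind == "process_create" and proc == DROPPER:
            findings.append(("dropper_executed", proc))
        elif kind == "file_create":
            created = basename(ev.get("path", ""))
            if proc == DROPPER and created in DESTOVER_FILES:
                findings.append(("dropper_wrote_component", created))
        elif kind == "network_connect":
            port = int(ev.get("dst_port", 0))
            if proc == WIPER and port in WIPER_OUTBOUND_PORTS:
                findings.append(("wiper_beacon", f"{proc}:{port}"))
        elif kind == "network_listen":
            port = int(ev.get("port", 0))
            if proc == BACKDOOR and port == BACKDOOR_LISTEN_PORT:
                findings.append(("backdoor_listening", f"{proc}:{port}"))
    return findings


def is_destover_like(lines):
    """Alert only when at least two distinct rules fire on the same host."""
    return len({rule for rule, _ in destover_findings(lines)}) >= 2


if __name__ == "__main__":
    for finding in destover_findings(SAMPLE_EVENTS):
        print(finding)
    print("suspect host:", is_destover_like(SAMPLE_EVENTS))
```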

Connection to Volgmer
Some Destover samples connect to C&C servers previously used by several variants of Trojan.Volgmer. Symantec has been tracking Trojan.Volgmer for several months. Volgmer opens a back door on the infected computer, which lets it communicate with the C&C server to obtain system information, execute commands, upload files, and download and execute files.

Interestingly, the Volgmer variant that shares C&C servers with Destover is configured to stop running if the compromised computer's locale setting is not "Korea".

Connection to Jokra
The components, such as file names, and the techniques used by the Destover attackers resemble those of the Jokra attacks against South Korea in 2013. The Jokra attacks took down servers at South Korean banks and broadcasters, and telecommunications companies' websites were defaced.

The code in the malware used in the Jokra attacks does not begin wiping the hard disk drive until a specified period has elapsed. Destover is likewise configured to carry out its data wipe after a delay. In addition, according to reports in South Korea, many similar file names were used in the two attacks (the report is in Korean).

Similarities with the Shamoon attacks
Destover also has several points in common with the Shamoon attacks: the malware used by the Destover attackers and that used by the Shamoon attackers (W32.Disttrack) share some drivers. These are not malicious files but commercially available drivers. Destover and Disttrack are both destructive malware, but there is no evidence that the same group is behind both.

Symantec protection
Symantec and Norton products detect this threat as Backdoor.Destover.

 

* To subscribe to the RSS feed of the Japanese-language Security Response blog, visit http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

DS 7.5 Ghost error when capturing image: "Message description : The request could not be performed because of an I/O device error"

Error 183 on the console links to GHOSTERR: The request could not be performed because of an I/O device error

The Create Image Task fails with generic error:

"ErrorMessage: The Exception have occured in Client Imaging Task. Exception has occured in File Tcube_ClientCaptureImage.cpp at Line No 815. Type of exception is ClientCaptureImageException. Error Description is Child Process returned an error. The exit code from process is 1. Value of Windows error code = 183 and message is Cannot create a file when that file already exists."

1 - Investigating the log folder on the client machine in Automation:

X:\program files\symantec\deployment\logs\

we noticed that some Ghost .dmp and .txt log files were present; this means Ghost has failed and generated the logs.

2 - There are two GHOSTERR_.txt files.

In the first, the error is:

"Error Number: 51928
Message: Invalid URL failed to create the image file.
 HTTP Result: 401, SSL error: 0"

This error is quite misleading.

In the second:

"Error Number: 29003
Message: Bad block(s) encountered on read: Win32 error: (0x0000045d)
Message description : The request could not be performed because of an I/O device error."

3 - Please note that the logs also give some more information about the structure of the client machine's "volumes" (drives):

FilesystemManager diagnostic...
===============================

Volume 1
VolumePos: 1.2:
DriveLetter: C:
Description:  465.54GB Disk 0 Offset     230MB  465.54GB ST500DM002-1BD14 HP74
 

Volume 2
VolumePos: 1.1:
DriveLetter:
Description:     101MB Disk 0 Offset     129MB     101MB ST500DM002-1BD14 HP74
 

Volume 3
VolumePos: 80.1:
DriveLetter:
Description:     101MB Disk 79 Offset     129MB     101MB OS Volumes
 

Volume 4
VolumePos: 80.2:
DriveLetter: C:
Description:  465.54GB Disk 79 Offset     230MB  465.54GB OS Volumes
 

From the information above we can see that a drive 80 is present.

4 - Drive 80 is the OS volume.

This is not a physical drive, but rather the total of all drives listed. This is so that you can back up your entire system with multiple hard disks into a single image if you need to.

http://www.symantec.com/docs/TECH110680

FIX:

5 - Open the "Advanced" section of the "Create Image" task.

6 - Enter 80 instead of 1 in the "Source disk (-SRC):" field.

7 - Test the "capture image" job.
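As an added example (not part of the original article), this Python snippet parses a FilesystemManager diagnostic like the one above and reports which Ghost disk number to enter for -SRC: the pseudo-disk whose volumes are all described as "OS Volumes". The sample input is a constructed copy of the diagnostic shown above, and the function names are assumptions for this example.

```python
import re

# Constructed copy of the FilesystemManager diagnostic shown in the article,
# used as sample input for this added example.
SAMPLE_DIAGNOSTIC = """FilesystemManager diagnostic...
===============================

Volume 1
VolumePos: 1.2:
DriveLetter: C:
Description:  465.54GB Disk 0 Offset     230MB  465.54GB ST500DM002-1BD14 HP74

Volume 2
VolumePos: 1.1:
DriveLetter:
Description:     101MB Disk 0 Offset     129MB     101MB ST500DM002-1BD14 HP74

Volume 3
VolumePos: 80.1:
DriveLetter:
Description:     101MB Disk 79 Offset     129MB     101MB OS Volumes

Volume 4
VolumePos: 80.2:
DriveLetter: C:
Description:  465.54GB Disk 79 Offset     230MB  465.54GB OS Volumes
"""


def parse_volumes(text):
    """Return one dict per 'Volume N' block, keyed by the lower-cased field
    names (volumepos, driveletter, description)."""
    volumes = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"Volume (\d+)$", line)
        if header:
            current = {"volume": int(header.group(1))}
            volumes.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key = key.strip().lower()
        value = value.strip()
        if key == "volumepos":
            value = value.rstrip(":")   # "1.2:" -> "1.2"
        current[key] = value
    return volumes


def ghost_disk_numbers(volumes):
    """Map each Ghost disk number (the part of VolumePos before the dot;
    Ghost counts from 1, so 'Disk 0' is disk 1) to its volume descriptions."""
    disks = {}
    for vol in volumes:
        disk = int(vol["volumepos"].split(".")[0])
        disks.setdefault(disk, []).append(vol.get("description", ""))
    return disks


def recommended_src(volumes):
    """Ghost disk number to use as 'Source disk (-SRC)': the pseudo-disk whose
    volumes are all described as 'OS Volumes', or None if there is no such disk."""
    for disk, descriptions in ghost_disk_numbers(volumes).items():
        if descriptions and all("OS Volumes" in d for d in descriptions):
            return disk
    return None


def physical_disks(volumes):
    """Ghost disk numbers that describe real hardware rather than 'OS Volumes'."""
    return sorted(disk for disk, descriptions in ghost_disk_numbers(volumes).items()
                  if not any("OS Volumes" in d for d in descriptions))


if __name__ == "__main__":
    vols = parse_volumes(SAMPLE_DIAGNOSTIC)
    print("physical disks:", physical_disks(vols))
    print("use -SRC =", recommended_src(vols))
```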

NOTE:

If you found the above information useful, please give this article a thumbs-up (top right of the post) or add a comment below. Your feedback will help the Symantec tech community – Thank you, Mauro

SmartAssist: Workload analysis tool

Test1

DS 7.5 "Prepare for image capture" task running indefinitely with "waiting for the agent to get the task" on Windows8/Windows8.1

Sysprep fails with "a fatal error occurred while trying to sysprep the machine"

The "Prepare for image capture" task stays on "waiting for agent to get the task" indefinitely or until it times out.

The SMA on the client machine gets the task

Sysprep runs for a few seconds and then stops without returning any error message to the SMA/Console.


When running Sysprep manually on the client,

C:\Windows\System32\sysprep\sysprep.exe /quiet /generalize /oobe /quit

we are prompted with the error "a fatal error occurred while trying to sysprep the machine".

At this stage the client has probably been kicked out of the domain and put into a workgroup.

FIX:

1 - Implement the workaround on page 15 of the release notes below:

http://www.symantec.com/docs/DOC7940

2 - Run the instructions in the article below (please ignore the "three times" count; it seems that with W8 and W8.1 you have to run this process each time after running sysprep):

https://www-secure.symantec.com/connect/articles/how-sysprep-windows-vista-7-or-8-image-more-three-times

3 - test the job from the console

---------------------------

If you are still having issues, please check the sysprep logs in the following folder on the client machine:

\Windows\System32\Sysprep\Panther

  • setupact.log
  • setuperr.log

NOTE:

If you found the above information useful, please give this article a thumbs-up (top right of the post) or add a comment below. Your feedback will help the Symantec tech community – Thank you, Mauro


How to Include File Path in Heka Logstreamer


I am trying Heka for my current project. I need to include the source file path in the output message. I thought I would need to modify the plugin, but there's actually an option called differentiator that can do the same trick, although it is not that straightforward.

Here is the configuration: 



Read More

Symantec Named No. 3 Most Community-Minded Tech Company in America by The Civic 50



Yesterday, Symantec was named to The Civic 50 list of the most community-minded companies in America. In the technology sector, we were ranked number three.

The Civic 50 – featured in this week’s edition of Bloomberg Businessweek – measures how a corporation's policies, activities, and employees affect the civic and social fabric of a community. Sponsored by Points of Light and Bloomberg LP, the survey ranked S&P 500 companies committed to using their time, talent, and resources to improve the quality of life in the communities where they do business.

Every time we’re recognized with an award or ranking, I feel proud of the progress we’re making against our corporate responsibility goals, and proud that that progress is being recognized externally. But I’m especially gratified by this award, because it’s a direct reflection of the culture we’re building here at Symantec, as well as of the commitment and passion of all our employees around the globe.

Across the world, our passion for community service comes through in our people. Employees execute on our corporate responsibility strategy through local-level community relations committees, Green Teams, and employee resource groups. They build relationships with nonprofit organizations in their communities, allowing us to make an impact on our philanthropic focus areas not only at the corporate level, but also on a local level in the communities where we have a business presence. And collectively, employees have volunteered more than 31,000 hours of their own time in support of the communities they call home.

Over the last year, we made measurable impacts in our communities through the launch of initiatives like the Symantec Cyber Career Connection (SC3), designed to bring underserved young adults into the in-demand field of cybersecurity. We also introduced the Symantec Service Corps, a month-long pro bono initiative that sends a team of employees to a developing nation to help local nonprofits fulfill their charitable missions more efficiently and effectively. We also just launched an initiative that trains employees to deliver online safety training to students in K-12 schools in the US. A similar curriculum is in development for the UK.

Why is community so important to us? In the old, narrow view of capitalism, companies seemingly prospered at the expense of the broader community. But today more than ever, we’ve seen how the success of a company and the health of communities are closely intertwined.

We’re in the business of protecting the world’s information. By harnessing the collective power of our nonprofit partners, employees and leadership – we can use the strength of a successful business model to continually help the communities we’re part of. I believe that the more you invest in others, the more successful you can be yourself. It sounds simple, but it’s key to how we approach business: serving our communities creates a positive cycle of company and community prosperity.

A key component to our philosophy around corporate responsibility is continuous improvement. We don’t see inclusion on this list as an end result – it’s a launching point from which we’ll set ever more aggressive targets, and continually push ourselves to find innovative ways to give back to the communities of which we’re members. As part of the recent launch of our 2014 Corporate Responsibility Report, we set a goal of achieving 84,000 employee volunteer hours – an average of four hours per employee – by 2020. Reaching this goal will take creativity, commitment, and the collective passion of all our employees. We’re committed to helping our employees apply their unique talents toward making the world a better, safer place – and I challenge each of you to think about how you can help. 

Cecily Joseph is Symantec’s Vice President, Corporate Responsibility

5 ways to protect your business against SQL injection


Your database has been breached, malware has infected your systems and sensitive records are available for anyone to download on the internet. Your first action is to launch an investigation to find out more about the breach. The report shows that the vulnerability has been exploited for months and all forensic logs have been deleted.

SQL injection isn’t new; it has been around for more than 10 years. However, most companies still pour huge amounts of money into IDS/IPS, firewalls, security gateways and anti-virus software. Web application attacks are growing at an alarming rate, and most security teams’ focus is network security rather than the business-critical data found in databases. Once there is a breach the focus tends to shift, but by then it’s simply too late.

 

How does SQL-injection work?

SQL injection is a very simple attack that is easy to execute. Basically the attacker adds a SQL statement into a web form and tries to modify, extract, add or delete information from the database.

Michael Giagnovoco uses a very simple analogy.  I go to court and register my name as “Christoffer, you are now free to go.” The judge then says “Calling Christoffer, you are now free to go” and the bailiff lets me go, because the judge instructed him to do so.

In this example the “you are now free to go” instruction was injected into a data field intended only for a name. Then the rogue input data was executed as an instruction. That’s basically the principle behind how SQL injection operates.
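To make the analogy concrete, here is an added Python example (not from the original post) using an in-memory SQLite database with constructed sample rows: the lookup built by string concatenation lets a crafted username act as an instruction and return every customer's orders, while the parameterized version treats the same input as plain data. The table and function names are assumptions for this example.

```python
import sqlite3

# Constructed sample data for this added example; not from the original post.
ORDERS = [
    ("alice", "laptop"),
    ("bob", "headphones"),
    ("carol", "keyboard"),
]


def make_db():
    """In-memory database with one orders table, seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (username TEXT NOT NULL, item TEXT NOT NULL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)", ORDERS)
    conn.commit()
    return conn


def orders_vulnerable(conn, username):
    """Order-history lookup built by string concatenation.

    The username field is spliced straight into the statement, so a quote
    character in the data rewrites the WHERE clause itself: the data field
    becomes an instruction, exactly as in the courtroom analogy above.
    """
    query = "SELECT item FROM orders WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def orders_safe(conn, username):
    """Same lookup with a bound parameter.

    The driver sends the statement and the value separately, so whatever the
    value contains it is compared as a string and never parsed as SQL.
    """
    return [row[0] for row in
            conn.execute("SELECT item FROM orders WHERE username = ?", (username,))]


# A username that is syntactically valid data but carries a SQL tautology.
# With concatenation the WHERE clause becomes:  username = 'x' OR '1'='1'
CRAFTED_USERNAME = "x' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", orders_vulnerable(db, CRAFTED_USERNAME))  # all three items
    print("safe:      ", orders_safe(db, CRAFTED_USERNAME))        # []
```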

 

How does SQL-injection impact my business?

Like all other types of attacks, SQL injection has evolved. When the first instances of SQL injection were discovered, attackers simply tried to dump all records from a database. Today, SQL injection is usually part of an attack toolkit that hackers download and use to launch several types of attacks. It’s no longer a challenge to dump the database records; the challenge has moved to installing malware deep inside the victim organization, behind the expensive firewalls and other security measures in place. The installed malware is far more dangerous and destructive than a simple database attack. Imagine a hacker eavesdropping on sensitive communication, dumping the Windows password file to gain access to restricted systems or stealing the private keys for your SSL and Code Signing certificates. The private keys for Code Signing certificates can be protected by Symantec Secure App Service, but unfortunately not all sensitive assets have proper security measures and are vulnerable to theft.

 

How does SQL-injection impact consumers?

Imagine that you’re about to log onto your favorite e-commerce site, greathappybargains.com. You enter your user name and password. When you look at your order history you find several orders that you didn’t make. What happened could be the result of a SQL-injection attack. Due to poor programming, some sites allow an attacker to log onto the site posing as the previous user: you. If your credit card info is linked to a user account, you can be certain that the hacker has access to that information by now. Did you use the same user name and password for other e-commerce accounts? Chances are that those accounts are compromised as well, using the information from the first breach.

How do I protect my company from an SQL-injection?

  1. Install a Web Application Firewall (WAF).
     • Keep in mind that a WAF can’t interpret an obscured SQL injection attack, as it is based on signatures.
  2. Use Symantec Malware Scan.
     • It comes free with all Symantec SSL certificates, provides a daily scan of your web applications and gives you a detailed report if a SQL injection vulnerability is found.
  3. Hire a penetration tester to test all web applications tied to a relational database.
     • A great option, but time consuming, and testing needs to be conducted continuously.
  4. Re-write all web applications.
     • Doable, but consumes resources and budget. Training your staff in secure coding is critical and a good investment.
  5. Apply a database defense-in-depth strategy.
     • The only way to protect your business from the SQL injection threat is to monitor all SQL statements at the database tier using an arsenal of tools.

There is no such thing as perfect security, but following these steps will get you closer to it. Follow us on Facebook and Twitter to stay up to date on SQL injection techniques and how you can help keep your environment safe. Take the first step by contacting us today about applying a Web Application Firewall and a DDoS Mitigation Service.

The Threat Landscape in 2014 and the Future: Symantec and Norton Predictions for Latin America in 2015


Security analysts called 2013 “the year of the mega breaches”, and the serious vulnerabilities discovered in 2014, such as Heartbleed and Shellshock, showed that the security community can never rest on its laurels.

Against this backdrop, everything indicates that 2015 will bring an intensified struggle between those who want to create new threats and exploit vulnerabilities and those who seek to protect against them. The advance of the Internet of Things also means that consumers will have greater connectivity in their appliances, devices and machines – and that potentially brings a new set of security risks.

Will the Internet of Things open the door to a new wave of attacks on security? As countries move closer to their smart-nation plans, what role will Big Data play? What is coming for the mobile security space?

Symantec's predictions for security in Latin America in 2015 discuss the issues that will affect individual consumers, businesses and governments in the region.

  1. Artificial intelligence will change the game in the fight against cybercrime. A new generation of business platforms is emerging from the convergence of machine learning and big data, and this will change the game for cybersecurity. Machine learning is a form of deep understanding that can be considered the first step toward artificial intelligence. There is a critical need to be “proactive” against threats rather than react to them, and machine learning will help security vendors stay one step ahead of cybercriminals. Machine learning's ability to predict cyberattacks will increase detection rates and may be the key that reverses the trend in cybercrime.
     
  2. Privacy will continue to be sacrificed for mobile apps. We believe some mobile device users will continue to trade their privacy for mobile apps. Many people are reluctant to share banking and personally identifiable information online, yet others are willing to hand over information about their location and their device's battery life, and to grant access to their photos, contact lists and fitness activity data, in exchange for mobile applications.

    In addition, many consumers do not really know what they are agreeing to when they download apps. For example, Norton research showed that millennials may think they know what information they are granting access to, but in reality they understand very little about what they are agreeing to when it comes to trading information for apps.
     

  3. Denial of service (DDoS) will remain a growing threat. Another trend observed in 2014 is the increase in compromised Unix servers and their ample bandwidth being used in DDoS attacks. Attacker motivation can vary widely; the main reasons are hacktivism, profit and disputes. Given how easy it is to conduct large DDoS offensives, Symantec anticipates that the growth trend will continue in the future. The likelihood of becoming the target of small but intense attacks is increasing.
     
  4. User behaviour will take centre stage as security goes beyond passwords. With the password system under constant attack from cybercriminals, security vendors and providers face growing challenges in balancing the need for convenience against complexity while delivering the seamless experience users demand. Adopting multi-factor authentication techniques such as one-time passwords or iris and fingerprint verification can provide alternative protection methods, but they may not always be the most secure option. The real solution for protecting valuable information lies in user behaviour, which is the best way to avoid the compromise of our online assets and personal identities.
  5. The front lines of cybersecurity will be strengthened by greater industry partnerships and collaboration. The fight against cybercrime cannot be won alone, and the security industry, together with telecommunications providers and governments around the world, is joining forces to win this war. This field is one of the few in the world that has an ‘enemy industry’ working constantly to bring it down. That is why the war against cybercrime demands a different approach.

    For example, during 2015, as attackers continue to look for new vulnerabilities so they can “hack the planet”, open-source platforms will continue to address those vulnerabilities through greater industry coordination, collaboration and response. We see this as a positive sign, and Symantec believes open-source platforms will only get better in the future.

Cybersecurity: What happened in 2014 and what to expect in 2015?


2014 is coming to an end, and it is important to review what has happened in cybersecurity over the past months in order to understand what we can expect next year. While 2013 was dubbed the year of the mega data breaches, what happened in 2014 was not far behind. Vulnerabilities such as Heartbleed and Shellshock, incidents in which private information was exposed, and attacks targeting certain industries and/or users in Latin America and around the world reminded us that no one can rest on their laurels.

For 2015, we forecast that several of the trends seen in past years will remain and will make the struggle more complex between those who wish to create new threats and exploit vulnerabilities and those who seek to protect their information, so it will be important to think about security in a unified and comprehensive way.

For example, in the case of mobility, it will keep rising and cybercriminals will increasingly focus on that scenario, while users will continue to sacrifice their privacy for their need to be fashionable and to belong socially.

So, without further ado, these are Symantec's 5 cybersecurity predictions for Latin America, which may have an impact on end consumers, businesses and regional governments:

  • Mobile users will risk their privacy. Fashion and people's need for social belonging are often reason enough to sacrifice privacy in exchange for mobile apps. Although many users are still reluctant to share banking and personally identifiable information online, others are willing to share data about their location and their mobile device's battery, as well as to grant access to their photos, contact list and health information, all in exchange for obtaining and using more and more mobile apps. Moreover, many consumers do not really know what access permissions they grant when downloading apps. For example, millennials may think they know the permissions they are granting, but when asked for details they have very little idea when it comes to the commercial information that apps use.
  • Security will go beyond passwords. With the password system under constant attack, security specialists face greater challenges in balancing the need for convenience against complexity while providing users with a seamless experience. In this scenario, adopting multi-factor authentication techniques such as one-time passwords or iris and fingerprint scanning can provide alternative security methods; however, they may not always be the most effective options. One option for protecting valuable information lies in user behaviour, which is ultimately how we can prevent our online assets and personal identities from being compromised, and that is where the work and focus should go: educating and sharing best practices.
  • Denial of service (DDoS) attacks will increase. In 2014 we saw an increase in Unix servers compromised by attacks, which made clear the possibility of their large bandwidth being used in DDoS attacks. Attacker motivation can vary: hacktivism, money and disputes are the main reasons. Given how easy it is to carry out large DDoS attacks using this means, Symantec expects DDoS attacks to keep growing in the coming months, and the probability of becoming the target of a small but intensive attack is latent. Likewise, during 2015 we will surely continue to see targeted attacks like those identified in 2014, as cybercriminals are becoming more patient and specific.
  • Knowledge and Big Data will help tackle cybercrime. A new generation of business platforms is emerging from the convergence of machine learning and big data, and this will bring a change in cybersecurity. Machine learning refers to a form of deep learning that can be considered the first step in artificial intelligence. In 2015 it will be critical to remain "proactive" against threats rather than reacting to them; machine learning will help security specialists across the region stay one step ahead of cybercriminals. The ability of machine learning and cyber intelligence to predict cyberattacks will improve detection rates and may be the key to reversing the current trend in the growth of cybercrime.
  • More industry alliances and collaboration. The fight against cybercrime cannot be won alone, and the security industry, together with telecommunications providers and governments around the world, including Latin America, is joining forces to win the war against cybercrime. The security industry is one of the few in the world that has a 'nemesis industry' constantly working against it to weaken it. That is why success requires a different approach; for example, this year we have seen various cooperation efforts between the public and private sectors in several countries of the region. This is especially important in countries such as Brazil, Colombia or Mexico, where broadband has grown significantly and every day more users use the Internet to carry out various procedures, transactions and communications.

In this regard, in the coming months attackers will continue to look for new vulnerabilities so they can "hack the planet", so open-source platforms will continue to confront these vulnerabilities through greater industry coordination, collaboration and response. We see this as a positive sign, and at Symantec we believe open-source platforms can only improve in the future.

The need to protect information is increasingly important, so it is always necessary to reflect and become aware of the possible risks we will face next year in order to stay ahead of cybercriminals on all fronts: users, businesses and governments.
