Articles on this Page
- 01/18/16--11:37: _Mentoring in Real L...
- 01/19/16--08:45: _Symantec faz alerta...
- 01/20/16--06:00: _Indian, US, UK fina...
- 01/20/16--20:12: _Targeting corporate finance departments in India, the US and the UK...
- 01/21/16--04:10: _Scammers impersonat...
- 01/21/16--17:04: _Transitioning from ...
- 01/22/16--06:10: _Global mass injecti...
- 01/22/16--12:18: _Symantec Advanced T...
- 01/24/16--18:27: _Impersonating India's Income Tax Department to spread malware...
- 01/24/16--22:44: _Through mass injection, worldwide, ...
- 01/25/16--11:12: _What’s Your Level o...
- 01/25/16--17:51: _The rise of Japanes...
- 01/25/16--20:33: _Symantec Advanced T...
- 01/26/16--10:20: _Tackling the Tech G...
- 01/26/16--11:50: _Roadmap Review Cove...
- 01/26/16--12:46: _Support Perspective...
- 01/26/16--22:57: _Japanese-language zero-click fraud appears
- 01/27/16--06:24: _Android ransomware ...
- 01/27/16--08:55: _Independent Tests C...
- 01/27/16--16:09: _Calling ALL Symante...
- 01/18/16--11:37: Mentoring in Real Life – What are You Doing for Others?
- 01/20/16--20:12: Remote access Trojan targets corporate finance departments in India, the US and the UK
- 01/21/16--17:04: Transitioning from SHA-1 TLS Certificates
- 01/22/16--06:10: Global mass injection affects thousands of websites worldwide
- 01/24/16--18:27: Scammers impersonate India's Income Tax Department to spread malware
- 01/24/16--22:44: Mass injection infects thousands of websites worldwide
- 01/25/16--11:12: What’s Your Level of Risk?
- Organizations with 5,000+ employees using cloud services
- Employees using cloud apps—both company sanctioned and otherwise
- Less than 100% of company data is encrypted
- Reliance on passwords instead of more sophisticated user authentication and identity management
- Uncertainty over data access and where it resides
- 01/25/16--17:51: The rise of Japanese zero-click fraud
- 01/25/16--20:33: Symantec Advanced Threat Protection outperforms competitors in independent third-party tests
- 01/26/16--11:50: Roadmap Review Covering Symantec's Full Portfolio
- 01/26/16--12:46: Support Perspective and Battle Plan: W32.Qakbot 2016
- %UserProfile%\Application Data\Microsoft\[random_directory]\[random_name].dll
Encrypted configuration data (not actually a DLL).
A backup copy of the original file
- %UserProfile%\Local Settings\Temp\~[random_name].tmp
An empty tmp file
- W32.Qakbot uses AutoPlay (autorun.inf) files to launch remotely (older versions).
- W32.Qakbot copies itself to open shares
- W32.Qakbot copies itself to password protected shares with weak passwords
- W32.Qakbot’s current iteration does not appear to be using vulnerabilities, but this can change quickly
- This means getting AV detection on any new (undetected) samples.
- Machines with Auto-Protect alerts should be scanned with up-to-date definitions.
- The entire network needs to be audited for unprotected machines, out of date machines, and infected or likely infected machines.
- Traffic to known W32.Qakbot domains is a good indicator of a potentially infected machine.
- Protecting and managing file servers is often the key to solving any outbreak scenario.
- Unprotected NAS devices are at risk!
- Qakbot updates itself VERY quickly and that "unprotected server in the closet" will pull down an as-yet-undetected variant sooner or later, infecting the whole network once again.
- Unprotected and under-protected machines need to be removed from the network until cleaned and protected.
- Unprotected machines should be returned to the network only after being protected, checked for suspect files, and scanned clean.
- Infected machines need to be scanned clean. Safe Mode is not necessary, just a basic Full System Scan.
- Don’t forget file servers. This bears repeating.
- Watch scan logs closely for indications of “Reboot required” or results that indicate a potential issue, such as “Quarantine failed”.
- AutoPlay is a spreading mechanism for thousands of worms and should be disabled. Microsoft has moved to this position as well.
- An “Open Share” is any share that does not require a password to access. Password-restricting shares can slow or stop a worm like this in its tracks.
- Remove write-access on shares from users not needing this level of access.
- Maintain a strict patching regimen. Qakbot and threats like it often add new capabilities in response to new vulnerabilities.
- Infected customers should block the Command and Control (C&C) servers or they will quickly become re-infected with new variants.
- Once clean, upgrade to the newest version of SEP 12.1 with SONAR and Download Insight.
- Review mailserver policies allowing
- It isn’t a File Infector. W32.Qakbot does not infect files, and detected samples should be quarantined or deleted.
- It isn’t magic. It’s easy to panic in an outbreak, but don’t let your imagination run away with you and lead you to attribute all unexpected behaviors to the malware. There is actually nothing unusual about this worm’s ability to spread. Its biggest feature is the number of variants it can quickly download into an environment.
- It isn’t gone. Historically, Qakbot has wrought havoc for a few months before going dormant, only to flare back up again. Stay vigilant. Once clean, strongly consider a full implementation of SEP 12.1.
- It isn’t a targeted attack. There are no indications that this campaign is a targeted attack, at this time.
- Autorun / AutoPlay Disabled?
- Open File Shares Closed/Password Protected? Strong Passwords?
- All Unprotected machines removed from the network and queued for updates/cleaning/protection?
- Known Qakbot URLs blocked at the Client Firewall to prevent mobile machines from infecting others with a new variant?
- Qakbot URLs blocked at the Perimeter Firewall?
- SEP AutoProtect set to load at System Startup?
- SEP Network AutoProtect enabled?
- Qakbot Application and Device Control policy implemented?
- Windows and Internet Explorer
- Apple QuickTime up to date and patched
- W32.Qakbot - What You Should Know - Hon Lau
- Qakbot, Data Thief Unmasked: Part I
- Qakbot, Data Thief Unmasked: Part II
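The two checklist items that most directly govern how this worm spreads, AutoPlay and open shares, can be audited from a script rather than by hand. The following PowerShell snippet is an added example, not code from the Symantec article or from SEP: it reads the NoDriveTypeAutoRun policy value (0xFF disables AutoRun on every drive type) and lists non-administrative SMB shares whose ACL grants Everyone, Authenticated Users or Anonymous, flagging the writable ones. It assumes Windows 8 / Server 2012 or later (the SmbShare module) and an elevated session; the function names are the example's own.

```powershell
# Added example (not from the article): audit two Qakbot-prevention checklist
# items on the local host:
#   1. Is AutoPlay/AutoRun disabled for all drive types?
#   2. Which SMB shares are effectively "open", and are any of them writable?
# Assumes Windows 8 / Server 2012+ (Get-SmbShare available) and an elevated shell.

function Test-AutoRunDisabled {
    # Machine policy takes precedence over the per-user value, so check HKLM first.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -ne $v) {
            # All eight drive-type bits set (0xFF) means AutoRun is off everywhere.
            return [pscustomobject]@{
                Path     = $p
                Value    = ('0x{0:X2}' -f $v)
                Disabled = (($v -band 0xFF) -eq 0xFF)
            }
        }
    }
    [pscustomobject]@{ Path = '(not set)'; Value = $null; Disabled = $false }
}

function Get-OpenShare {
    # Skip the built-in administrative shares (ADMIN$, C$, IPC$) and report any
    # Allow entry for a broad principal; Full or Change means the worm could write.
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccountName -match 'Everyone|Authenticated Users|ANONYMOUS LOGON'
        } | ForEach-Object {
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Principal = $_.AccountName
                Right     = $_.AccessRight                 # Full, Change or Read
                Writable  = ($_.AccessRight -in 'Full', 'Change')
            }
        }
    }
}

$autorun = Test-AutoRunDisabled
if ($autorun.Disabled) { "AutoRun: disabled ($($autorun.Path) = $($autorun.Value))" }
else                   { "AutoRun: NOT fully disabled ($($autorun.Path) = $($autorun.Value))" }

$open = @(Get-OpenShare)
if ($open.Count -eq 0) { 'Shares: none grant broad access' }
else {
    'Shares granting broad access (writable entries are the spreading risk):'
    $open | Format-Table -AutoSize
}
```

Run it on each file server and NAS-fronting Windows host during Step 5; a share that shows `Writable = True` for Everyone is exactly the "open share" the battle plan tells you to password-protect or restrict to read-only for users who do not need write access.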
- 01/26/16--22:57: Japanese-language zero-click fraud appears
- 01/27/16--08:55: Independent Tests Confirm Symantec Remains Invincible
- 01/27/16--16:09: Calling ALL Symantec DLP Product Practitioners
Dr. Martin Luther King, Jr., celebrated activist and civil rights leader, left an undeniable mark on society through his life’s work fighting for freedom and justice for all. His thought-provoking lessons remain timeless. He once told an audience in Montgomery, Alabama that life’s most persistent and urgent question is, ‘What are you doing for others?’ January 18th is Martin Luther King, Jr. Day – a day on which we are reminded of his greatest ask – that all citizens participate in community action, because no matter how small it may seem, each action contributes to the solutions needed to solve endemic social problems. On this day, Americans celebrate Dr. King through service projects that strengthen communities, empower individuals, and build solutions.
In honor of Martin Luther King, Jr. Day, and in observance of National Mentoring Month, we want to highlight Symantec’s volunteer work in Science, Technology, Engineering and Math (STEM) education. One of our goals is to excite, engage and educate 1 million students in STEM education by 2020. There are expected to be over 1 million open computing jobs by 2020; however, last year only 38,000 computer science students graduated into the workforce. We want to encourage our youth to pursue careers in STEM, particularly underrepresented populations such as women and people of color. STEM education is a core philanthropic focus area for Symantec. We believe it is essential to equip future generations with the skills needed to be successful, just as it is important for us to build a strong and diverse workforce.
Mentoring can be an excellent way to give back. A 2014 report on the mentoring effect found that mentoring is linked to improved academic, social, and economic prospects, and that it strengthens communities and our nation. This year’s National Mentoring Month theme is Mentor in Real Life, emphasizing the real-life benefits of mentorship:
• Having a mentor empowers young people to make smart choices that put them on a path to making better life decisions.
• A mentor who encourages smart daily behaviors—finishing homework, having healthy social interactions, saying no when it counts—has a noticeable influence on a young person’s growth.
• By sharing their own life experiences, mentors provide students with a clear vision of what their future could look like. The impact is that, statistically, students with mentors are more likely to continue school through higher education.
• Mentoring builds relationships that are as meaningful for the mentor as they are for the young person.
• Young adults who had mentors as kids are 55% more likely to be enrolled in college, and more than twice as likely to say they held a leadership position in a club or sports team.
• For the mentors, the relationship can build leadership and management skills, expand a mentor’s professional network, and provide an empowering opportunity to give back to the community.
One of our most popular volunteer stories from last year was employee Brian Varner’s piece on ‘How Mentoring Can Make a Difference’ and his experience tutoring twin girls who were eventually accepted into MIT for computer science. As he stated in his story, “Hard science is a dying skill. We need more evangelists in the hard sciences, especially since there is dire need not only for more cybersecurity professionals, but also for more diversity in STEM professions in general. There is this image of a ‘hacker’ being the young boy in a hoodie; you don't think of a young woman who is going to MIT. Unfortunately there’s a reason for that image, since women only make up less than 11 percent of the cybersecurity workforce… Regardless of one’s career, there are opportunities to help steer our young people along the way, and the reward is exponentially returned.”
Brian Varner and the twins
There are now opportunities to volunteer right from your home or your office with virtual volunteering. This has transformed the volunteering landscape as it now allows people to participate who may have been deterred from volunteering due to time or life constraints. And even though virtual volunteering has made it easier to give one’s time, it has not taken away from the social and individual benefits that volunteering can bring. Symantec volunteers experienced this first hand with TutorMate. Over the course of the school year last year, 15 Symantec employees volunteered 30 minutes each week as reading tutors. Jackie Fahrner, one of the Symantec volunteers, said, “I had such a great experience through this process. Tutormate gave me a chance to impact a child’s life. It was so easy. All I had to do was schedule a session and then show up online. Getting to know my student and connecting with her was rewarding. I found out we had many things in common – our love of chocolate and dogs. Both of us looked forward to our time together, and the best part is that she was learning through the experience. By the end of the year her reading skills jumped and knowing I was part of that is very rewarding. If taking thirty minutes out of my week improved Lyriq’s chances, just think of the impact we can all make together. Sign me up for next year, and I have others I am recruiting as well!”
The tutors: Tracey Bye, Jackie Fahrner, Allyson Gomez, Tricia Gregoire, Shannon Hernandez, Marisa Luke, Debbie Orens, Ramya Sankaran, Ashley Savageau, Sowmya Simha, Lindsay Warden, Alice Wong, Stacie Wong, Kristen Woods, and Bryan Zirkel
As Dr. King asked, what are you doing for others? Volunteering through mentorship is not only a wonderful way to help a young person grow, it’s also uplifting and fulfilling for you as a mentor. We encourage our employees and partners to get involved and share their knowledge so we can inspire the next generation of STEM professionals!
To learn more about our volunteering initiatives, contact Community_Relations@symantec.com
Symantec brings together the most relevant recent events from around the world and points to the audacity and innovation of cyberattacks, whose scenarios resemble a science-fiction film script but are reality, and which are driving a true revolution in how we think about information security.
“We are in the era of cyber warfare. State bodies fund attacks to obtain information from other countries, and espionage and organized crime intermingle among these actors,” says Alan Castro, systems engineer and information security specialist at Symantec.
Attacks on specific targets with very clear objectives have drawn attention since 2010, when the Stuxnet malware disabled a fifth of the centrifuges at Iran's Natanz nuclear facility. The attack, attributed to a joint effort by the United States and Israel to sabotage Iran's military plans, was called the “first digital weapon” by the technology publication Wired.
In 2012, Aramco, Saudi Arabia's oil and gas producer, suffered a cyberattack that hit 30,000 computers in an attempt to halt the production and export of its products.
In Brazil, a gang was discovered targeting the Brazilian Institute of the Environment (Ibama) in order to commit environmental crimes. The case, made public in August 2015, involved shell-company businessmen who hired hackers to break into the computers of the agency's superintendents and release for sale illegal so-called forest credits, which represent the amount of timber each company holds in the system. According to information released at the time, in just ten days the sale of timber backed by the fake credits moved almost R$ 11 million, which in trees represents the load of 1,400 trucks.
Another famous scam that has become very popular: ransomware, which hijacks data and demands a ransom for the stolen information, is already in its fourth version and has earned criminals at least US$ 325 million, according to the Cyber Threat Alliance, a group of security specialists co-founded by Symantec to share information with the industry. It is worth noting that this malware attacks not only companies and governments but also individuals using personal devices.
But the scariest part is yet to come. A clinic in South Korea specializing in the rehabilitation of internet addicts became famous for offering treatment with magnetic stimulation of the brain. The practice induces fatigue when the patient browses the web for a certain period of time. Research is testing the method's effectiveness against other addictions, such as smoking. But its use may not remain confined to healthcare. Experts warn that if fatigue can be induced, so can the urge to buy, for example. And in the future, hackers could configure the equipment to generate whatever emotional state they want. True brain manipulation.
Against this backdrop, the evolution of the profile of digital wrongdoers stands out: they are setting aside generic, random scams motivated by recognition in favor of targeted attacks with defined objectives, such as financial gain. Added to this is the growing number of users with internet access on different devices, which makes new and different online traps possible.
For more details on this topic, see the whitepaper “Hacker Innovation: from industrial espionage by drones to magnetic brain stimulation” produced by Symantec, or schedule an interview with one of the company's specialists.
Financially motivated attackers are sending social-engineering emails to SMBs in India, the UK, and US in order to deliver Backdoor.Breut and Trojan.Nancrat.
Financially motivated attackers are sending social-engineering emails to small and medium-sized businesses in India, the US and the UK to spread Backdoor.Breut and Trojan.Nancrat.
India, USA, UK, and other countries are being targeted with fraudulent "tax deduction" emails containing information-stealing malware.
Since its founding, Symantec has been dedicated to security. That is our raison d’être. As such, we continually collaborate across the industry to update standards, making them more secure and harder to hack or fake. That is why the CA/Browser Forum determined that Certification Authorities must not issue public SHA-1 TLS certificates after December 31, 2015. While this directive is an important step in making the Internet safer and more secure, the transition process also needs to support companies with legacy systems and devices so they are not left behind or saddled with insurmountable IT costs.
We liken this to when the US government determined that the use of lead paint was unsafe and should stop being used. That directive was absolutely the right thing to do moving forward, but to require that every house and building in the US remove all lead paint by a certain deadline would have created financial and logistical impossibilities for consumers and businesses. While it is correct to strive for the perfect ideal, the real-world implications are often a bit messy.
In the same vein, the shift to the SHA-256 standard severely impacts legacy systems and applications. We heard from some of our customers that they could not switch out every certificate in every application and device, not only because of the time and cost involved, but also because many of the systems and some older browsers simply don’t support SHA-256. While we fully support and encourage the transition to SHA-256 from a security purist standpoint, we also believe it is unreasonable to force our customers to absorb significant business and financial hardships that could severely impact their viability and operations, as well as that of their end users.
Therefore, we were left with a choice: either force customers to completely cease support of all those legacy systems, applications, devices and browsers that cannot support SHA-256, or try and identify ways to help ease the transition for customers to SHA-256 while minimizing the risk of continued SHA-1 support for those customers who still need it.
In an effort to help these customers, Symantec, along with other CAs and Microsoft, proposed a CA/Browser Forum ballot to allow continued issuance of SHA-1 TLS certificates into 2016, as long as those certificates expired by the end of 2016 – providing additional transition time for those who needed it. During the ballot debate, researchers unveiled new attacks against SHA-1, revealing the algorithm to be weaker than originally thought. As a result, the ballot was withdrawn.
Throughout 2015, Symantec and other CAs issued fewer and fewer SHA-1 TLS certificates as we transitioned to certificates signed with the newer, stronger SHA-256 hash algorithm. That was as expected, since the industry has been working for several years to manage this algorithm transition.
We’re now beyond December 31, 2015, the SHA-1 issuance deadline set by the CA/Browser Forum Baseline Requirements. And as we look back over the last three months of 2015, it’s clear that customers had planned around this deadline, as we experienced a last-minute surge in customer orders for SHA-1 certificates in December.
Many customers clearly chose to enroll for and to obtain SHA-1 certificates as close as possible to the end-of-2015 issuance deadline, something even recommended by one of the browser members of the CA/Browser Forum.
But we have customers for whom even all of 2016 is not enough time to transition. For these customers, we have identified another way to help – to use our legacy public roots for specific use cases (such as with legacy feature phones) while instructing browsers, and all other clients that can, to stop trusting these roots for general applications. Given the nature of the attacks on SHA-1 and other hashing algorithms, the best defense is really in the hands of the browsers and other clients to remove support for SHA-1 altogether.
With that goal in mind, we reached out to browser vendors in November 2015 to formally advise them to remove or “un-trust” our legacy PCA3-G1 root if they had not already done so (some had removed the root earlier in 2015). With browsers discontinuing support for SHA-1 and our PCA3-G1 root specifically, the general risk of a SHA-1 attack is substantially reduced. This multi-pronged approach strikes the hard-sought balance between our intent for stronger security and our intent for a practical transition for all involved. Even this approach is proving more difficult than expected, as it created issues for some clients, such as those with older Android devices and for some code-signing customers on Windows. Given the additional transition time potentially needed by these clients, we will continue to include our legacy PCA3-G1 root in our annual WebTrust for CAs Audit so anyone still supporting these roots can be confident that certificates issued from them are issued in line with our public Certificate Policy and Certificate Practices Statement.
While moving to a private CA root can help those customers with incompatible systems, Symantec has repeatedly directed all of our customers who can to make the transition to SHA-256 as quickly as possible. The guide we issued on moving from SHA-1 to SHA-256 certificates can be found in our Knowledge Base.
Symantec fully supports the deprecation of SHA-1, but we are also acutely aware of the difficulty this transition poses for many enterprise customers and technology providers across the ecosystem. We have put in place measures that we hope balance the very real business needs of our customers with the goal of creating a more secure web environment. As a founding member of the CA/Browser Forum, we wanted to be open and transparent about how we have tackled this transition and why we made the decisions we did, both to advance adoption of the latest security standards and to find practical ways to support our customers who are struggling with very tangible issues.
Attackers compromise over 3,500 public servers in possible reconnaissance drive for future attacks.
Symantec Advanced Threat Protection received the highest scores across all test categories in recent independent third-party testing from Miercom and Dennis Technology Labs, against vendors including FireEye, Cisco, Palo Alto Networks, and Fortinet.
Miercom reported that Symantec scored 26% better than FireEye and 18% better than Cisco SourceFire in overall malware detection and received perfect marks in detecting Advanced Persistent Threats and Advanced Evasion Techniques (AETs). In fact, while Symantec detected every AET tested, Cisco detected only 5% and FireEye detected none of them.
AETs are a type of network attack that combines several different known evasion methods to create a new technique delivered over several network layers simultaneously. By combining evasion methods, an AET can create millions of ways to evade detection, making them “the most complex threats to date,” according to Miercom.
“We were pleased with the performance of the Symantec ATP solution for detecting malware, particularly its ability to effectively detect and remove not only the most common but even the unknown malware threats as well,” wrote Miercom CEO Robert Smithers.
In another competitive benchmarking conducted by Dennis Technology Labs, Symantec was ranked best in detection, scoring 100% in both detection accuracy and legitimate accuracy (allowing legitimate programs to operate unhindered). Palo Alto Networks scored 90% in detection accuracy while Cisco and Fortinet each scored below 75%. The test used genuine active threats, including malicious URLs and custom threats, and legitimate applications were used to test for false positives.
Source: Dennis Technology Labs December 2015
Symantec Advanced Threat Protection is a single unified solution that uncovers, prioritizes, and remediates advanced attacks. It leverages an organization’s existing Symantec™ Endpoint Protection and Email Security.cloud investments and requires no new agents. It fuses intelligence from endpoints, networks, and email, as well as Symantec’s massive global sensor network, to stop threats that evade individual point products. And with one click of a button, Symantec Advanced Threat Protection will search for, discover, and remediate any attack artifacts in your organization. All from a single console.
Learn more about Symantec Advanced Threat Protection at atp.symantec.com
Read the full report from Miercom: http://miercom.com/pdf/reports/20151026.pdf
Read the full report from Dennis Technology Labs: http://www.dennistechnologylabs.com/reports/s/a-m/symantec/DTL_2015_APT.1.0.pdf
Attackers have compromised more than 3,500 public servers, likely as reconnaissance for future attacks.
Do you know what your current risk level is for corporate data loss? And how do you compare with your peers?
We can help.
Symantec commissioned a Wall Street Journal Custom Studios report, “Keeping Your Data Safe: Protecting Corporate Information in the Cloud,” to help enterprises understand employee behavior, their attitude with the cloud, and how it affects data security.
While protecting information should be a company-wide concern, 51% of employees believe securing corporate information is the IT team’s problem, not theirs, according to the report. Furthermore, 79% of employees admit to engaging in risky behaviors—intentionally or unintentionally—that place corporate data at risk.
Are your employees putting your sensitive company data at risk?
Symantec found organizations with the highest risk of data loss have the following characteristics:
So, what is your current level of risk for corporate data loss?
We created this short, interactive Information Protection (IP) scorecard to help you assess your level of protection. Just answer these five questions and find out your IP score today!
Scammers are using more aggressive tactics with new “zero-click” sites to try to con victims out of US$2,000.
Symantec Advanced Threat Protection (ATP) received the highest scores across all test categories in recent testing by the independent third parties Miercom and Dennis Technology Labs, beating FireEye, Cisco, Palo Alto Networks and Fortinet.
According to Miercom's report, Symantec scored 26% higher than FireEye and 18% higher than Cisco (SourceFire) in overall malware detection and achieved perfect marks in detecting APTs (Advanced Persistent Threats) and AETs (Advanced Evasion Techniques). In fact, Symantec detected every AET tested, while Cisco's detection rate was 5% and FireEye's was zero.
An AET is a technique that combines multiple known evasion methods into a new one and targets several network layers simultaneously. Because they combine multiple evasion methods, AETs can evade detection in millions of ways, and Miercom calls them “the most complex threats to date.”
“We were very satisfied with the malware-detection performance of the Symantec ATP solution, especially its ability to effectively detect and remove not only common threats but unknown malware as well,” wrote Miercom CEO Robert Smithers.
In another competitive benchmark conducted by Dennis Technology Labs, Symantec scored highest in detection, achieving 100% in both detection accuracy and legitimate accuracy (the accuracy with which legitimate programs are allowed to run unhindered). Palo Alto Networks scored 90% in detection accuracy, while Cisco and Fortinet both scored below 75%. The test used genuine active threats, including malicious URLs and custom threats, and legitimate applications were used to test for false positives.
Source: Dennis Technology Labs, December 2015
Symantec Advanced Threat Protection is a single solution that detects, prioritizes and remediates advanced threats. It makes use of existing investments in Symantec™ Endpoint Protection and Email Security.cloud and requires no new agents. It fuses information from endpoints, networks and email with Symantec's massive global sensor network to block threats that slip past individual products. With a single click, Symantec Advanced Threat Protection searches for, detects and remediates any attack artifacts remaining in the organization, all from a single console.
Learn more about Symantec Advanced Threat Protection at atp.symantec.com.
Read the full Miercom report here: http://miercom.com/pdf/reports/20151026.pdf (English)
Read the full Dennis Technology Labs report here: http://www.dennistechnologylabs.com/reports/s/a-m/symantec/DTL_2015_APT.1.0.pdf (English)
As the Community Relations site lead for the San Francisco Symantec office, I help plan and organize the employee volunteering initiatives for the teams at this location. In December of last year, we had the opportunity to plan and host a very special evening at the office – Mission Bit’s Fall Demo Day! Mission Bit is a local nonprofit that strives to eliminate the tech divide for youth living in urban poverty and rural areas across the San Francisco Bay Area. The organization provides computer programming courses to public school students that focus on project-based learning to teach both core concepts and practical skills. These courses are free to the high school students. At the end of each semester, students showcase their ideas to an audience and a panel of judges. This last quarter’s Demo Day was hosted here at the San Francisco office!
Across Mission Bit’s five courses, 15 student groups created websites, mobile apps and games that they had designed during their 13-week coding course. It was an amazing event with over 200 people in attendance! The projects were scored by a panel of seven judges comprising software engineers, tech entrepreneurs, community leaders and educators – two of whom were Symantec employees. Judges scored the projects on a number of factors, and cash prizes went to the top three groups.
Demo Day was an excellent opportunity to get to know the organization and all that they do for the community. In the spirit of this quarter’s theme of science, technology, engineering, and math (STEM), we’ve decided to continue working with Mission Bit and will be organizing and hosting another STEM event this quarter. Mission Bit will receive a $5,000 grant from Symantec, and on top of that, through Symantec’s Dollars for Doers program, for each employee who volunteers their time Symantec donates an additional $15 per hour per volunteer!
It is very beneficial for students to hear professionals’ stories of how they entered the technology sector as a career. Each person has had a different path into the field, and sharing those stories helps young people visualize the many opportunities in tech. We at Symantec have the opportunity to create impact, not only by sharing our stories but also by sharing our knowledge. It is very easy for us, and it is so important for young people to have a mentor. Mentorship is just as important as monetary donations, if not more. And I find that volunteering is just as beneficial to the employee. Every time an employee volunteers, they come out feeling more energized.
It is so important for me that we at the San Francisco office meet each quarter’s volunteer initiative for multiple reasons – the grant money that goes to the organization, the positive contribution to the community, and the beneficial impact for the individuals that participate, both student and employee. I always say to the employees: this is a great way to give back to the local community, it is just a few hours of your time, it will be fun, and you always get something out of it. One thing I hear a lot from employees is the fine-tuning of their own skills. For example, public speaking – when you have a classroom of students shooting rapid fire questions at you, it keeps you on your toes! But it is a wonderful skill to perfect, because we have to do that every day with our customers, express ourselves clearly and eloquently. I always encourage everyone to get involved in whatever capacity they are able. Volunteers always walk away feeling a little lighter, a little braver, and that much happier that they gave a bit of their time to their community!
To learn more, contact email@example.com.
“I've never even thought I code before Mission Bit. My instructor made such a huge impact on me and I look forward to learning more next semester.” - Taya Fonsworth, 12th Grade, Gateway High School
Tina De Carolis is an Administrative Specialist and Symantec’s San Francisco Community Relations Site Lead
We’ll break away from our traditional deep dive on a specific technology in this week’s Technical Connect call. In response to survey feedback, this call will provide a roadmap review of Symantec’s solution portfolio. The plan is to hit on major features across our most popular products while highlighting planned integration points. Most importantly, you’ll be able to ask questions via our live "Q&A Chat" window running throughout the event.
Register on the Event Calendar
On Thanksgiving weekend 2009, the threat landscape exploded with multiple global outbreaks of W32.Qakbot. That run lasted through January 2010 and recurred in 2011 and again in 2013. Over the last few years, Symantec Security Response has written blogs on what you should know, its prevention, and why and what is being stolen. Since then, Qakbot has made many changes to how it spreads through an environment and how it exfiltrates data. As of January 2016, a new run of Qakbot outbreaks has started to pop up.
II. THREAT DETAILS:
W32.Qakbot scans for mapped drives and attempts to spread to open shares and to shares protected by common passwords. It then downloads a configuration file and, based on that, carries out its functions. In the past, Qakbot has used Autorun, scheduled tasks, open shares, and OS and plugin vulnerabilities to propagate.
The current campaign uses the following files:
How it spreads:
Quickly Appearing Variants:
Qakbot downloads new versions frequently to evade antivirus signatures. Each new wave carries a list of domains and FTP accounts that it can reach out to and download from.
Communication for the current Qakbot campaign:
Symantec Endpoint Protection:
Intrusion Prevention Signatures:
Applying the 5 Steps of Virus Troubleshooting to a W32.Qakbot Outbreak
The Qakbot Battle Plan
Step 1. Identify the threat
Step 2. Identify infected machines:
Step 3. Quarantine the infected/unprotected/under protected machines:
Step 4. Clean the infected machines:
Step 5. Prevent future outbreaks:
III. Questions and Answers
Q - How does this spread, once in the network?
A - Open shares. Closing these shares, removing infected machines from the network, or dropping infected machines onto a quarantined subnet will keep this from spreading. Enabling Network Auto-Protect will also help. Some variants use a limited brute-force password attack against network shares, and account lockouts can indicate that an infected machine is trying to muscle its way in.
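The lockout symptom above is easy to turn into a triage check. The script below is an added example, not code from the Symantec article: it takes an export of Windows Security events 4625 (failed logon) and 4740 (account lockout) and ranks the hosts that tried many different accounts over the network in a short window, or that caused lockouts. The CSV column names (`TimeCreated`, `EventID`, `TargetUserName`, `Source`, `LogonType`, `Status`) are an assumption for this example; real exports from Get-WinEvent or a SIEM name them differently, and for 4740 the originating host is the "Caller Computer Name" field, so map your columns onto these. The sample rows are constructed.

```python
"""Rank hosts that are hammering network shares with bad passwords.

Added example, not code from the Symantec article. Assumes Security
events 4625 and 4740 exported to CSV with the columns used below;
adjust the column mapping for real exports.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample export: hostnames, accounts and times are made up.
# WS-FIN-07 tries four accounts over the network (logon type 3) in seconds
# and locks two of them out; WS-HR-02 is a user mistyping at the console.
SAMPLE_CSV = """\
TimeCreated,EventID,TargetUserName,Source,LogonType,Status
2016-01-26 09:00:01,4625,jsmith,WS-FIN-07,3,0xC000006A
2016-01-26 09:00:02,4625,jsmith,WS-FIN-07,3,0xC000006A
2016-01-26 09:00:02,4625,mlee,WS-FIN-07,3,0xC000006A
2016-01-26 09:00:03,4625,mlee,WS-FIN-07,3,0xC000006A
2016-01-26 09:00:03,4625,admin,WS-FIN-07,3,0xC000006A
2016-01-26 09:00:04,4625,backup,WS-FIN-07,3,0xC000006A
2016-01-26 09:00:05,4740,jsmith,WS-FIN-07,,
2016-01-26 09:00:06,4740,mlee,WS-FIN-07,,
2016-01-26 09:14:00,4625,jdoe,WS-HR-02,2,0xC000006A
2016-01-26 09:30:00,4625,jdoe,WS-HR-02,2,0xC000006A
2016-01-26 09:20:00,4740,svc_backup,WS-OPS-01,,
"""


def parse_events(csv_text):
    """Yield one dict per exported row with a parsed 'Time' field added."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["Time"] = datetime.strptime(row["TimeCreated"], "%Y-%m-%d %H:%M:%S")
        yield row


def rank_sources(csv_text, window_minutes=5, min_accounts=3):
    """Return suspect hosts, most suspicious first.

    A host is a suspect if it produced network (logon type 3) failures for
    at least `min_accounts` distinct accounts inside any `window_minutes`
    window, or if it is the caller on any 4740 lockout. Interactive
    failures (type 2) are ignored: a share-spreading worm does not log on
    at the console.
    """
    failures = defaultdict(list)   # source host -> [(time, account)]
    lockouts = Counter()           # source host -> lockouts it caused
    for ev in parse_events(csv_text):
        if ev["EventID"] == "4625" and ev["LogonType"] == "3":
            failures[ev["Source"]].append((ev["Time"], ev["TargetUserName"]))
        elif ev["EventID"] == "4740":
            lockouts[ev["Source"]] += 1

    window = timedelta(minutes=window_minutes)
    suspects = []
    for source in set(failures) | set(lockouts):
        events = sorted(failures.get(source, []))
        peak = 0
        # sliding window ending at each failure: how many distinct accounts?
        for i, (t_end, _) in enumerate(events):
            recent = {acct for t, acct in events[: i + 1] if t_end - t <= window}
            peak = max(peak, len(recent))
        if peak >= min_accounts or lockouts[source]:
            suspects.append({"source": source,
                             "distinct_accounts": peak,
                             "lockouts": lockouts[source]})
    suspects.sort(key=lambda s: (s["lockouts"], s["distinct_accounts"]),
                  reverse=True)
    return suspects


if __name__ == "__main__":
    for s in rank_sources(SAMPLE_CSV):
        print(f"{s['source']}: {s['distinct_accounts']} accounts tried, "
              f"{s['lockouts']} lockouts")
```

Run it against a day of exports from your domain controllers; the hosts at the top of the list are the ones to pull off the network (or drop into the quarantine subnet) and collect a load point report from, whether or not the endpoint protection on them is currently reporting a detection.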
Q - How did this get into my network?
Q - Will patching vulnerabilities help me stop this threat in my network?
A - No. Vulnerabilities can be a door, but the threat has already come in. These vulnerabilities should be patched ASAP (along with any other holes in the environment), but patching will not counter an already-live infection.
Q - Why am I seeing so many variants of this threat?
A - The threat is being constantly repacked to avoid detection.
Q - I keep getting new variants of this threat on my protected, patched machine. Why?
A - Unprotected/Under-protected machines in the environment are actively downloading repackaged variants. If these machines have open shares in common with your otherwise protected machine, they are a direct conduit for repackaged variants. Alternately, there might already be an undetected Qakbot on that machine and a Loadpoint report should be collected.
Q - The write-up says May 7th, 2009. Will definitions on or after this date catch my W32.Qakbots?
A - Possibly, but probably not. Detection has been modified to include dozens if not hundreds of repackaged variants. For the spike in Qakbot activity in January 2016, new definitions needed to detect new variants have been released multiple times daily. For January 2016 we have already updated detection 32 times.
Q – Why aren’t you detecting or creating detection for all the files I submitted?
A – Qakbot uses an encrypted settings file that is named to look like a DLL. The file is not a DLL, has no executable (PE) header, and therefore can take no malicious action in and of itself. Symantec does not create detection for these settings files. Also, once ISPs begin to filter and block the sites that Qakbot uses to host its files, those sites replace the Qakbot content of the files requested by the threat with HTML notifying the user that the site has been closed.
If unsure, you can look at these files safely in a text editor to see what domain the files are coming from. Current AV products cannot safely delete these files, since there is nothing to distinguish them from legitimate files.
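The "no header" point is the one property a responder can check mechanically. The script below is an added example, not code from the Symantec article or a Symantec tool: it walks a directory, and for every file named `*.dll` it verifies the MZ stub and the `PE\0\0` signature that a real DLL must have; anything that fails is reported together with its printable strings, which is how a takedown page's HTML (or a hosting domain) shows up without executing anything. The directory layout and the three sample files it creates under a temp directory are constructed stand-ins for `%UserProfile%\Application Data\Microsoft\<random>\`.

```python
"""Flag files named *.dll that are not PE executables.

Added example, not from the Symantec article. A real DLL starts with an
'MZ' stub whose e_lfanew field (offset 0x3C) points at 'PE\\0\\0'; the
Qakbot settings blob has neither, so the check separates the two. The
sample directory built by build_sample_dir() is constructed for the demo.
"""
import os
import re
import struct
import tempfile

MIN_STRING_LEN = 6


def is_pe(data: bytes) -> bool:
    """True if data carries an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def printable_strings(data: bytes, min_len=MIN_STRING_LEN):
    """Runs of printable ASCII, like the 'strings' tool."""
    return [m.decode("ascii")
            for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def scan_dir(root):
    """Return [(path, strings)] for every *.dll under root that is not PE."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".dll"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if not is_pe(data):
                findings.append((path, printable_strings(data)))
    return findings


def non_pe_summary(root):
    """Map file name -> printable strings for the non-PE '.dll' files."""
    return {os.path.basename(p): s for p, s in scan_dir(root)}


def build_sample_dir():
    """Create a constructed stand-in for the Qakbot drop directory."""
    root = tempfile.mkdtemp(prefix="qakbot-demo-")
    sub = os.path.join(root, "abcdxyz")
    os.makedirs(sub)
    # real.dll: minimal MZ stub with e_lfanew -> 'PE\0\0' at offset 0x40
    pe = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", pe, 0x3C, 0x40)
    pe += b"PE\x00\x00"
    with open(os.path.join(sub, "real.dll"), "wb") as fh:
        fh.write(pe)
    # config.dll: opaque high bytes standing in for the encrypted settings
    with open(os.path.join(sub, "config.dll"), "wb") as fh:
        fh.write(bytes(range(0x80, 0x100)) * 4)
    # replaced.dll: what the file looks like after a hosting site is closed
    with open(os.path.join(sub, "replaced.dll"), "wb") as fh:
        fh.write(b"<html><body>This site has been suspended.</body></html>")
    return root


if __name__ == "__main__":
    for path, strings in scan_dir(build_sample_dir()):
        print(path, "is not a PE file;", strings[:3] or "no printable strings")
```

Point `scan_dir` at the user profile on a suspect machine instead of the sample directory. A hit is evidence that Qakbot was (or is) present and which download site it last reached, not something to delete blindly, which is why the script reports rather than removes.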
Q - Are there URLs and Domains I should be blocking at the firewall?
A - Yes. See Section II
Q - What about the scheduled tasks?
A - Older variants of Qakbot download .job files (scheduled tasks) in order to automatically launch the threat. While we haven't seen any in the present run, it's important to note that these files are not malicious but do indicate that the threat does, or did, have access to one of the hosting sites. These should be deleted manually.
Q - What about Autorun?
A - New variants of Qakbot haven't been using this, but several of the older variants do, and the threat changes quickly. Autorun can allow the threat to load directly into memory and thereby avoid AV detection. AutoPlay should be disabled, either with a GPO or an ADC policy, just in case.
Q – I’m no longer able to update SAV or SEP. Why?
A – New variants of Qakbot may block access to URLs of security companies like Symantec. They can also change permissions to “Program Files\Common Files\Symantec Shared”.
What W32.Qakbot is not:
IV. FIXTOOL SECTION
Q - Is there a fixtool geared towards the Qakbot variants found in 2016?
A - No. The fixtool that is currently posted was designed for variants from 2011. The currently supported versions of SEP are capable of remediation.
V. QAKBOT MITIGATION POSTURE
While the majority of our customers have a strong security posture and are relatively unfazed, some other environments have a more relaxed posture. It is in these networks that Qakbot thrives.
If you're battling a seemingly-endless stream of Qakbot issues in a network, verify the following questions about your "Qakbot Mitigation Posture".
Note: This is not necessarily a checklist of everything you must do, but a way to understand where your environment may need to be scrutinized.
A heavy-handed scam has appeared that opens a site with "zero clicks" and then tries to make the victim pay about 240,000 yen.
Android.Lockdroid.E poses as a porn app and tricks users into giving it admin rights. Almost 67 percent of Android devices are at risk.
AV-Test, the well-regarded independent testing organization that enterprises rely on for unbiased, robust security product testing, published its last bi-monthly report (November-December) of 2015 yesterday. The test evaluated numerous endpoint protection products against real-world scenarios and threats including zero-day threats and widespread malware. Symantec Endpoint Protection blocked 100% of threats, scoring a perfect “6” in the protection test and capping off a year of straight “6” scores in protection. This result speaks to the combined strength of our advanced security technologies such as Insight, SONAR, and IPS. Symantec Endpoint Protection is clearly the industry leader in Endpoint Protection.
Especially interesting is the inclusion of Cylance in the test. As we can see in the latest AV-Test report, when Cylance was placed in a real-world test, where threats are introduced through real attacks via the web, exploits, and e-mail, it failed to protect. In addition, the test results show that it also suffered from significant false positives and performance issues. These results match our internal testing and emphasize the need for you to look into real-world tests during evaluations.
For more information:
The Symantec Certification Team has begun the design and development of the Data Loss Prevention 14.5 SCS Certification exam.
The next step in the process is a Web-based survey for the exam that includes the proposed exam objectives. The Certification team invites you to participate in the Blueprint survey for the upcoming exam. You will be asked to rate the exam objectives based on the importance of each objective. Your opinions will be combined with the input from other Symantec DLP product practitioners and used to determine how many questions should be asked on the test for each objective.
Input from experienced practitioners such as you is vital to validating the usefulness and appropriateness of the exam. We greatly value the input you provide.
To access the survey:
In order to access the survey you will need a link that’s specific for you. Please email Annette Fettig: annette_fettig@symantec with your name and email address.
When is the survey available and how long will it take to complete?
The survey is available 24/7 starting today and will be available through Monday February 8th. Please plan on setting aside approximately 15 to 30 minutes to complete the survey [depending on your expertise]. Your results will only be counted if you complete and submit the entire survey.
Who should complete this survey?
You should complete the survey if you have the relevant technical knowledge and experience with DLP. Ultimately, we seek a minimum of 30 Symantec DLP product practitioners to complete the survey. We encourage you to respond to this invitation with the email addresses of others in your organization so that they can also receive a personal invitation to participate.
Thank you for supporting Symantec Education!