Channel: Symantec Connect - Blog Entries

Bitcoins Still a Hot Security Topic


Interest in Bitcoin—the decentralized digital currency—is definitely growing. But as with anything that becomes established, it also sparks the interest of scammers. We have seen a few Trojans stealing Bitcoin wallets over the last few years, and Trojans installing Bitcoin miners are not that exotic anymore. A case from last week shows how far interest has grown on the criminal side: reports have emerged about phishing websites impersonating Mt.Gox, the largest Bitcoin exchange site. Mt.Gox has already fought battles in the past—for example when it was on the receiving end of a distributed denial-of-service (DDoS) attack, and when US authorities temporarily seized part of its funds.

Of course, as with the nature of phishing websites, the real site has nothing to do with the fake scam site. The scammers just used the same second-level domain (SLD) name, "mtgox", but with a different top-level domain (TLD)—for example, using .org, .net, .de, or .co.uk domains. The scam site tried to trick users into downloading and installing malware with the convincing MTGOX_Wallet.exe file name, which Symantec detects as Downloader.Ponik.
 

Figure 1. Phishing website uses alternate TLD

Figure 2. Phishing website

The phishing websites were even advertised using more than one major online advertising service, for example Microsoft’s advertisement network, in order to reach as many victims as possible. This resulted in the scam ad being displayed on many prominent websites.

The ad enticed users by stating "New Century Gold: BITCOIN Protect your money - Buy Bitcoin"—a clever turn-about since the ad links to a scam site that has everything else in mind except protecting your money.

The fact that the phishing site does not use the common Secure Sockets Layer (SSL) security protocol should have been a clear giveaway for any visitor. As with any financial service, regardless of the currency behind it, people should exercise due diligence to ensure they are on the real website before entering information. In this case, the scammers left an additional clue inside the HTML of the phishing website for the curious type: they hid the original site's guidance to change passwords.
 

Figure 3. Phisher-altered HTML

Symantec recommends all Mt.Gox users change their passwords and verify their accounts. Mt.Gox has started to intensify the verification process for its members, allowing deposits or withdrawals only from verified accounts. They appear to be doing as much as possible to comply with anti-money laundering laws in order to avoid the same fate as Liberty Reserve, which was shut down by federal prosecutors in May. Despite Bitcoin being substantially different from Liberty Reserve due to its decentralized peer-to-peer structure, and hence much harder to shut down, it is still good business practice to do as much as possible to ensure a secure service.

Symantec has recently launched cloud-based Symantec AdVantage to help prevent ads that lead to malware from ever reaching customers. Website owners that include advertising on their websites should also check out the anti-malvertisement guidelines recommended by the Online Trust Alliance (OTA). The OTA is a non-profit organization with the mission to enhance online trust while promoting innovation and the vitality of the Internet. Symantec is a founding member of the OTA.


Waledac Reloaded: Trojan.Rloader.B


Recently, we blogged about systems compromised by W32.Virut that were observed downloading W32.Waledac.D (Kelihos). Symantec has followed the evolution of Waledac for a number of years and has observed the botnet show considerable resilience against past take-down efforts. Waledac is traditionally known as a spamming botnet and has been observed sending up to 2000 malicious emails a day.
 

Figure 1. W32.Waledac.D spam

In the past two months, we have observed Waledac infection numbers go from strength to strength, with the majority of infections originating in the United States.
 

Figure 2. Top 10 countries with computers compromised by W32.Waledac.D

Computers compromised with W32.Waledac.D were also distributing additional malware that had initially been detected as Backdoor.Tidserv. However, following our analysis, we have discovered it to be a new variant of Trojan.Rloader, dubbed Trojan.Rloader.B. Similar to its older brother, Trojan.Rloader.B’s main functionality revolves around click-fraud.
 

Figure 3. Trojan.Rloader.B attack steps

When Trojan.Rloader.B is first executed on the victim’s computer, it ensures that it is running on a physical machine and terminates itself if it finds it is running within a virtual machine. Virtual machines frequently run antivirus software and tools that can be used to analyze the malware. Next, it collects information about the compromised host and sends it to the command-and-control server to register the compromised computer. At this point, it modifies the Windows hosts file to redirect a number of popular search engines to a malicious IP address, which displays pop-up advertisements embedded within search results.

Trojan.Rloader.B also targets Mozilla Firefox and Internet Explorer Web browsers by modifying their preferences to redirect search requests to http://findgala.com. This is also done to display advertisements on the compromised computer.

During our investigation, we noticed Trojan.Rloader.B dropping a second click-fraud component previously detected as Trojan.Spachanel, which we discussed in a previous blog. When executed, Trojan.Spachanel injects JavaScript to load pop-up advertisements within the compromised browser.
 

Figure 4. Pop-up advertisement example

Symantec has detections in place for the new Rloader variant as Trojan.Rloader.B. We have updated the detections for Spachanel click-fraud modules as Trojan.Spachanel. Symantec will continue to monitor the activities of the Waledac botnet while ensuring the best possible protection is in place for our customers. To aid in protection against botnet infection, Symantec recommends that you employ the latest Symantec technologies.

Symantec Protections for TravNet


Today, Kaspersky published a paper titled “The NeTTraveler (aka ‘TravNeT’).” The paper analyzes a targeted attack campaign aimed at various organizations worldwide, such as governments, industries, and non-government organizations. This research is related to the McAfee blog “Travnet Trojan Could Be Part of APT Campaign”, released earlier in March, about a campaign we have been monitoring as well. We have the following antivirus coverage in place for this threat:

We also provide the following IPS coverage:

The identified infection vector of this campaign is spear phishing emails with specially crafted attachments in rich text format (RTF). We have observed malicious files in RTF format that exploit Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158) and Microsoft Office RTF File Stack Buffer Overflow Vulnerability (CVE-2010-3333), both patched vulnerabilities in Microsoft Office and other Microsoft products. We have seen similar behavior from these files: exploitation of Microsoft Word to drop a file we detect as Trojan.Mdropper.

Once exploitation succeeds, malware is dropped which, in turn, drops other files, steals information from targets, and sends it back to the attackers’ command-and-control (C&C) server. Symantec products detect the spear phishing Word documents as Trojan.Mdropper and the dropped files as Trojan.Travnet.

Users should ensure that software applications are up to date, and avoid clicking on suspicious links or opening suspicious email attachments. To best protect against targeted attacks, we advise users to use the latest Symantec technologies and incorporate layered defenses.

Bitcoin Still in the Security Spotlight


Interest in Bitcoin, the decentralized digital currency, is certainly growing. But as is always the case with anything that attracts attention, Bitcoin is also attracting the interest of scammers. Over the past few years, several Trojans that steal Bitcoin wallets have been discovered. Trojans that install Bitcoin miners are also no longer unusual. An example confirmed last week shows just how strong the criminals' interest in Bitcoin has become. Phishing sites impersonating Mt.Gox, the world's largest Bitcoin exchange site, are now being reported. There is already precedent for attacks on Mt.Gox: for example, it has been hit by a distributed denial-of-service (DDoS) attack, and US investigative authorities have temporarily seized part of Mt.Gox's funds.

Of course, as with all phishing sites, this is a fake scam site that has nothing whatsoever to do with the legitimate site. The scammers not only use "mtgox" as the second-level domain (SLD) name, they also change the top-level domain (TLD), using domains such as .org, .net, .de, and .co.uk. The scam site lures users into downloading and installing malware. This malware carries the plausible file name MTGOX_Wallet.exe, and Symantec detects it as Downloader.Ponik.
 

Figure 1. Phishing site using a different TLD

Figure 2. Phishing site

This phishing site was even advertised through major online advertising services such as Microsoft's advertising network. This too was done to attract as many visitors as possible, with the result that the scam ad was displayed on many well-known sites.

The ad lures users with the slogan "New Century Gold: BITCOIN Protect your money - Buy Bitcoin". Considering that the scam site the ad links to offers everything except protecting your money, the ad says the exact opposite of the truth.

This phishing site does not use Secure Sockets Layer (SSL), the common security protocol. That alone is reason enough for suspicion. Regardless of the currency involved, with any financial service you should take care to confirm that you are on the legitimate website before entering information. In this case, another clue was left inside the HTML of the phishing site. A curious user might notice that the notice advising a password change, which appears on the legitimate site, has been hidden.
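The three giveaways described for the Mt.Gox phishing case (the brand's SLD label under a different TLD, no SSL, and an executable offered for download) can be turned into a URL triage check. This is an added example written for this article, not Symantec code; the brand allowlist, the handful of two-label suffixes, and the sample URLs are constructed assumptions.

```python
"""
URL triage for the lookalike pattern in the Mt.Gox phishing case: the brand's
second-level label under a different TLD, a page served without TLS, and a
brand-labelled site handing out an executable. Allowlist and URLs are constructed.
"""
from urllib.parse import urlsplit

# Assumed allowlist: brand label -> registered domains the brand legitimately uses.
BRANDS = {"mtgox": {"mtgox.com"}}

# Two-label public suffixes handled by this toy splitter; a real deployment
# would consult the Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def split_registered_domain(host):
    """Return (sld_label, registered_domain), e.g. ('mtgox', 'mtgox.co.uk')."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], labels[0]
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        reg = labels[-3:]          # e.g. mtgox.co.uk keeps three labels
    else:
        reg = labels[-2:]          # e.g. www.mtgox.org -> mtgox.org
    return reg[0], ".".join(reg)


def classify_url(url):
    """Return a list of finding codes; an empty list means nothing matched."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    sld, reg = split_registered_domain(host)
    if sld not in BRANDS:
        return []                        # not a brand label we watch
    findings = []
    if reg not in BRANDS[sld]:
        findings.append("lookalike-tld")  # same SLD label, unexpected TLD
    if parts.scheme != "https":
        findings.append("no-tls")         # the "no SSL" giveaway from the post
    if parts.path.lower().endswith((".exe", ".scr", ".msi")):
        findings.append("executable-download")
    return findings


if __name__ == "__main__":
    # Constructed sample URLs for illustration only.
    for sample in ("https://mtgox.com/login",
                   "http://mtgox.co.uk/MTGOX_Wallet.exe",
                   "http://www.mtgox.org/"):
        print(sample, "->", classify_url(sample) or "clean")
```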
 

Figure 3. HTML altered by the phisher

If you use Mt.Gox, we recommend that you change your password and verify your account. Mt.Gox has also begun strengthening its member verification process, and deposits and withdrawals can only be made from verified accounts. Mt.Gox appears to be making every effort to comply with anti-money laundering laws, presumably to avoid the fate of Liberty Reserve, which was shut down by federal prosecutors in May. Because Bitcoin has a decentralized peer-to-peer structure, it differs greatly from Liberty Reserve and is accordingly much harder to shut down, but it is still sound business practice to do everything possible to protect the service.

Symantec recently released cloud-based Symantec AdVantage, which blocks ads that lead to malware before they reach users. Site owners who run ads on their websites are advised to read the anti-malvertising guidelines (in English) recommended by the Online Trust Alliance (OTA). The OTA is a non-profit organization whose mission is to enhance online trust while promoting the innovation and vitality of the Internet, and Symantec is a founding member of the OTA.

 

* To subscribe to the RSS feed of the Japanese-language Security Response blog, go to http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

Mistakes are costing companies millions from avoidable data breaches


Lately not a day goes by without a major news story on cybercriminals, hacktivists, and spies. These are generally viewed as the main threat actors behind the data breaches that we spend so much time -- and budget -- fighting. But what about Anne in Accounting, Sam in Sales and Paul in Production? While malicious attacks are certainly a significant problem and make for thrilling headlines, it’s mistakes made by people and systems that actually cause the majority of data breaches.

According to the 2013 Cost of a Data Breach study, negligence and system glitches together accounted for 64 percent of data breaches last year. These can include employees mishandling information, violations of industry and government regulations, inadvertent data dumps, stolen laptops, and wrongful access.

Insiders greatly contribute to data breaches. In fact, in the eight years since Symantec started tracking data breach costs with the Ponemon Institute, the insider threat leading to data breach has increased 22 percent. What’s even more concerning is these trusted insiders likely don’t know they’re doing something wrong. In related research, we found that 62 percent of employees think it is acceptable to transfer corporate data outside the company on personal devices and cloud services. And the majority never delete the data, leaving it vulnerable to data leaks.

These breaches caused by human error are significant. At $159 per compromised record in the United States ($117 globally), the mistakes made by trusted employees are costing enterprises a lot of money. While the cost of a data breach can vary widely because of the types of threats and data protection laws, the financial consequences are serious worldwide.

But this year’s report is not all bad news -- in the United States, the total cost per data breach was down slightly at $5.4 million. This suggests that organizations have made improvements in how they plan for and respond to data breach incidents. Certain factors can help organizations reduce the cost of a data breach such as having a strong security posture and an incident response plan, and appointing a CISO.

So what would a data breach cost your company? You can calculate an estimate of it yourself at www.databreachcalculator.com. This free tool from Symantec lets you connect the dots between all of this research by estimating how a data breach could impact your company.

While we struggle to keep cybercriminals out of our data center, we must not ignore the risk of data breach posed by people within our organizations.

The mistakes of our employees can be just as damaging as a breach caused by cybercriminals, hacktivists and spies. Two-thirds of data breaches are right under our noses and more easily avoidable if we would just pay attention to them. Symantec recommends the following best practices to prevent a data breach and reduce costs in the event of one:

  1. Educate employees and train them on how to handle confidential information.
  2. Use data loss prevention technology to find sensitive data and protect it from leaving your organization.
  3. Deploy encryption and strong authentication solutions.
  4. Prepare an incident response plan including proper steps for customer notification.

You can learn more about the Cost of a Data Breach study and download the global report and nine country reports for the United States, United Kingdom, France, Germany, Italy, India, Japan, Australia, and Brazil at http://bit.ly/10FjDik

Facebook Security Scam Impersonating the Turkish Police


Contributor: Avdhoot Patil

Phishers continue to make heavy use of social networking sites as a platform for their attacks, and Symantec has observed many phishing attacks related to social networks. Common baits include celebrity promotions, fake applications, free call minutes, and sweepstakes. Recently, a phishing attack targeting Facebook users in Turkey abused the name of the Turkish police. The phishing site was hosted on a free web hosting site.

Figure. Phishing site disguised as a legitimate Turkish police web page

The phishing site was written in Turkish and claimed to be owned by the Turkish director of security. It went on to explain that the Turkish police had recently confirmed the theft of Facebook account information and had created the website as a countermeasure against Facebook data leaks. It also stated that, under Turkish criminal law, users were required to enter accurate information, and that once they entered their login credentials a request to protect their account would be sent to the police.

The phishing page listed the name and address of the Turkish police headquarters in Ankara and claimed the message had been sent from the Turkish police security system, but needless to say, the phishing site was created to steal users' login credentials. After the credentials are entered, the phishing page redirects to the legitimate Facebook site.

Users who fall for this phishing scam and enter their login credentials have their information stolen by the phishers.

Symantec recommends that Internet users take every possible precaution to avoid phishing attacks.

  • Do not click suspicious links in email messages.
  • Do not provide personal information when replying to an email.
  • Do not enter personal information in pop-up pages or windows.
  • When entering personal or account information, make sure the website is encrypted with SSL by looking for the padlock icon, "https" in the address, or a green address bar.
  • Use comprehensive security software such as Norton Internet Security or Norton 360, which protects against phishing and social networking scams.
  • Do not carelessly click links in emails or on social networks, no matter how attractive they seem.
  • Report fake websites and emails (for Facebook, send phishing reports to phish@fb.com).

 


Multiple Exchange Mailboxes and Enterprise Vault


In Outlook 2010 and above Microsoft introduced a new feature of having multiple Exchange accounts in the same Outlook profile. Prior to this version of Outlook, you couldn't do that. Whilst this is a good thing, it does cause some problems for our friendly Enterprise Vault Outlook Add-in.

Because of the way in which the Outlook Add-in works, the primary Exchange account has to be EV enabled. In my situation, my 'rob' account IS archiving enabled, and the other account is not. If the primary (default) mailbox isn't enabled, you'll get a pop-up telling you so.

So if the account that is not archiving enabled is the primary mailbox, the pop-up is displayed and you have no EV functionality, even though one of the mailboxes does have EV archiving enabled.

If the EV-enabled account is the primary mailbox, things will work.

Unfortunately there isn't a way around this.

Citrix kills its Application Streaming feature, directs users to App-V


http://searchvirtualdesktop.techtarget.com/news/2240184559/Citrix-kills-its-Application-Streaming-feature-directs-users-to-App-V

Bridget Botelho, News Director, and Alyssa Wood, Site Editor

Published: 22 May 2013

ANAHEIM, Calif. -- Citrix Systems Inc. heralded a number of technology updates this week, but what it didn't announce is that its Application Streaming feature is done for, and won't be supported in Windows Server 2012.

Citrix released XenDesktop 7 this week as part of Project Avalon, an initiative that combines XenApp and other virtual desktop infrastructure (VDI) technologies to deliver Windows apps and desktops to mobile devices from a cloud architecture.

The Application Streaming feature, last updated in July 2012, isn't included. Citrix stopped developing it and doesn't support it in Windows 8 or Server 2012, said Calvin Hsu, a Citrix spokesperson, during an interview at the company's Synergy 2013 conference here.

Customers can continue to use Application Streaming within existing XenApp deployments until they migrate to Server 2012. When they make the move, they'll have to switch to Citrix partner Microsoft Corp.'s application virtualization tool, App-V.

Citrix first added support for App-V in XenApp 6 in 2010, as an alternative to its own built-in app streaming feature, a move that made customers question Citrix's long-term interest in advancing its technology.

At that time, Citrix insisted it had no plans to divest or de-emphasize its own streaming technology.

Citrix has given up on Application Streaming now because the changes in Windows Server 2012 and Windows 8 are so significant that it would have required a complete rewrite of XenApp to support the app streaming component, according to Hsu.

Whatever the reason, it's a move that many expected for years but dreaded due to the migration headaches that are sure to follow.

"Moving current implementations of Citrix Application Streaming to Microsoft App-V sounds easy on paper," said Ruben Spruijt, chief technology officer at an IT infrastructure services firm based in the Netherlands. "In reality, it isn't that easy, and overall, it will be resource-consuming without big benefits for end users."

Customers complain that there isn't a migration path; they'll have to re-sequence applications for App-V and learn the new way to stream apps. However, those who upgrade to XenDesktop 7 will get Citrix's application migration software, AppDNA, to help migrate to App-V, Hsu said.

But Citrix's Application Streaming feature isn't widely used, and many say App-V is a better option.

"From a performance-impact point of view, [Citrix Application Streaming] wasn't great," said Spruijt, who does product comparisons for his Application Virtualization Smackdown series.

There are concerns about paying for App-V licensing. However, the Microsoft App-V license is included in the Microsoft Remote Desktop Services Client Access License that Citrix VDI customers would already have, Hsu said.

There are some small vendors with application streaming software, but only one other app streaming or app virtualization option on the market for enterprise customers, Spruijt said.

"In reality, the two main application-virtualization vendors for most of the enterprise customers are Microsoft (App-V) and VMware (ThinApp) [because] the use of an application virtualization solution is a longer-term commitment," Spruijt said.

Executive editor Colin Steele contributed to this report.

 


Twitter Advertising 101


My colleague Christy has written before about the value of Twitter as a communications tool for Symantec Partners. Twitter is a great way for interacting with customers and prospects in a real-time conversation and can generate valuable sales leads 140 characters at a time. But when you need to widen the reach of your tweets you may find Twitter’s ads—known as Promoted Products—are a useful and cost-effective tool for getting your message in front of a larger audience.

What are Twitter ads?

There are two important kinds of Twitter ads for partners:

  • Promoted tweets: these ads are regular tweets that you can “promote” (show) to an audience of users based on a number of demographics, including geography, gender and interests.
  • Promoted accounts: these ads are used to help increase your followers by recommending you as a suggested account to other users on Twitter.

Where do users see Twitter Ads?

Promoted tweets now show up in a user’s timeline and in search results. Promoted tweets are identified by a yellow arrow icon attached to the tweet—this lets users know which tweets have been placed by an ad buy.

Promoted accounts make similar use of the yellow arrow icon. These ad units appear in a section on the left side of the dashboard on Twitter.com as well as in the People Search result pages or the Discover tab of Twitter mobile applications.

How are Twitter ads sold?

Twitter ads are sold in a cost-per-engagement model, which means you only pay for ad placements when a user “engages” with the ad (that is, if they reply, retweet, favorite or click on the tweet). This means that you don’t pay for impressions (views) of your ad, you only pay when people actually click on the promoted tweet or account.

The price paid per engagement is based on an auction, and can vary depending on the competition for the particular demographic or keywords you selected. Twitter recently opened a self-service advertising product that lets you put together your own campaigns and pay as you go for promoted tweets and accounts.

How can I use Twitter ads?

If you are trying to reach new sales prospects, consider a promoted accounts campaign to put your profile in front of appropriate users. You can target them based on their interest in technology—or better yet, through a keyword targeting of your company or product names. This will help you reach a larger audience with upcoming sales promotions or new product releases.

If you have an important announcement to share with a broad audience, you can extend the reach of your message with a promoted tweet campaign, and reach your target audience through interests or keywords to ensure that the right people see your tweet. One great place to try a promoted tweet campaign can be at an industry conference you are attending; you may be able to attract more potential customers to your booth for product demos or sales consultations.

Have you used Twitter ads? If so, what was your experience? We’d love to hear your comments.

Find our complete Symantec Partner social media series.

Waledac Again: Trojan.Rloader.B


A short while ago we reported on this blog that systems infected with W32.Virut had been observed downloading W32.Waledac.D (Kelihos). Symantec has followed the evolution of Waledac for many years and has seen this botnet show remarkable resilience against past takedown attempts. Waledac has traditionally been known as a spam botnet that sends up to 2000 malicious emails per day.
 

Figure 1. W32.Waledac.D spam

Over the past two months, Waledac infection numbers have continued to grow, and the majority of infections have been confirmed to originate in the United States.
 

Figure 2. Top 10 countries by number of computers infected with W32.Waledac.D

Computers infected with W32.Waledac.D were also spreading other malware. It was initially detected as Backdoor.Tidserv, but based on Symantec's analysis it has been confirmed to be Trojan.Rloader.B, a new variant of Trojan.Rloader. Like the other variants, the main functionality of Trojan.Rloader.B centers on click fraud.
 

Figure 3. Trojan.Rloader.B attack steps

When Trojan.Rloader.B is first executed on the victim's computer, it checks whether it is running on a physical machine and terminates itself if it finds it is running inside a virtual machine. This is because virtual machines often run antivirus software and tools that can be used to analyze malware. Next, Trojan.Rloader.B collects information about the compromised host and sends it to the command-and-control server to register the compromised computer. At this stage it also modifies the Windows hosts file so that many popular search engines are redirected to a malicious IP address that displays pop-up advertisements embedded in the search results.

Trojan.Rloader.B also targets both Mozilla Firefox and Internet Explorer, changing the browsers' settings so that search requests are redirected to http://findgala.com. At the same time, advertisements are displayed on the infected computer.

In the course of Symantec's investigation, we found Trojan.Rloader.B dropping a second click-fraud component. As explained in a previous blog, this is the component formerly detected as Trojan.Spachanel. When executed, Trojan.Spachanel injects JavaScript that makes the browser on the compromised computer load pop-up advertisements.
 

Figure 4. Example of a pop-up advertisement

Symantec has added definitions that detect the new Rloader variant as Trojan.Rloader.B. We have also updated the definitions that detect the Spachanel click-fraud module as Trojan.Spachanel. We will continue to monitor the activity of the Waledac botnet while providing appropriate protection. As the best defense against botnet infection, we recommend using the latest Symantec technologies (in English).

 


Symantec's Protection Against TravNet


On June 5, Kaspersky published a white paper (in English) titled "The NeTTraveler (aka 'TravNeT')". The white paper analyzes a targeted attack aimed at a wide range of organizations around the world, including government agencies, companies, and private organizations. The research is also related to the McAfee blog "Travnet Trojan Could Be Part of APT Campaign" (in English), published in March this year about an attack that Symantec has also been monitoring. Symantec has added the following antivirus definitions for this threat:

We have also added the following IPS definitions:

The infection vector confirmed in this attack is spear-phishing email with a specially crafted attachment in rich text format (RTF). The malicious RTF files have been confirmed to exploit the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158) and the Microsoft Office RTF File Stack Buffer Overflow Vulnerability (CVE-2010-3333), both of which have already been patched in Microsoft Office and other Microsoft products. Similar behavior has also been observed in files dropped by exploiting Microsoft Word, which are detected as Trojan.Mdropper.

Once exploitation succeeds, malware is dropped; that malware drops further files, steals information from the target, and sends it to the attackers' command-and-control (C&C) server. Symantec products detect the spear-phishing Word documents as Trojan.Mdropper and the dropped files as Trojan.Travnet.

Make sure your software is up to date, and do not click suspicious links or open suspicious attachments. To protect against targeted attacks, we recommend using the latest Symantec technologies and deploying layered defenses.

 


Citadel’s Defenses Breached


Contributor: Piotr Krysiuk

On June 5, Microsoft announced that they had worked together with members of the financial services industry and the FBI to disrupt the operations of a banking Trojan horse program called Citadel. The takedown operation resulted in over 1,000 Citadel botnets being taken offline.

Citadel is a banking Trojan that has been in existence since 2011. As with most banking Trojans, Citadel is a full crimeware kit, providing the attackers with payload builders, a command and control (C&C) server infrastructure, and configuration scripts to target various banks. Citadel is a descendant of that other behemoth of the financial Trojan world, Trojan.Zbot (Zeus). It came into existence after the Zeus source code was leaked in 2011, with criminal groups taking that code and enhancing it.

Figure 1. The Citadel Trojan interface

Citadel is aimed at a more "exclusive" attacker market than its more widespread predecessor, Zeus. The Citadel kit is sold through underground Russian forums and typically costs around $3,000, compared to $100 for the SpyEye and leaked Zeus kits. Citadel users will also have to fork out a further $30-$100 to purchase Web inject code for the banks that they wish to target. Additionally, even if attackers have that money to spend, there is a strict vetting process with referrals required for new purchasers.

Citadel infections have spread around the globe, but in the past six months the majority of infections have been in Australia, Italy and the US.

Figure 2. Citadel infections from January to June 2013

Symantec welcomes news of the takedown of these Citadel botnets. While these takedowns may not eliminate the threat of Citadel completely, it certainly disrupts current campaigns and sends out a clear message to attackers that their actions are being monitored. Symantec also welcomes the cooperation between the public and private sector in taking action against this threat.

For more information about the world of financial Trojans, read our whitepaper. Symantec's current antivirus and intrusion prevention signatures provide protection against Citadel infections.

Save the Date July 18 is our next meeting


Hello Everyone:

 

We are planning on a meeting Thursday July 18 2013 at the same place: the Symantec office in Southfield. The time will be 11:00 AM with lunch to be served.

We will be discussing NetBackup AIR (Auto Image Replication).

Also we will do some planning and discussions for having some good hands on Work Shops as we talked about in the past, for the next meetings. So please come join us and be a part of the discussions. This will allow us to get more details on AIR, have some planning and discussions for a fall meeting to have hands on Work Shops that Scott Warmbier is dedicated to setting up for all of us.

 

More details will follow so save the date.

 

Scott Thornberry

Workspace Virtualization and Workspace Streaming 7.5 Release Preview - Now Available!


The Workspace Virtualization and Workspace Streaming 7.5 Release Preview is now available!

Please download and begin testing. 

Log in (or create) your SymBeta account here:
https://symbeta.symantec.com/callout/?callid=DADBB48E770140B1ADE4A3DDE0356A67

What's new in 7.5?

  • Windows 8 Support
  • New installers
  • Improved user-friendly Streaming console
  • Improved streaming and virtualization performance
  • Enhanced Virtual Composer
     
 

 

What's new with Latest Symantec Endpoint Protection SEP 12.1.RU3


Hello,

Symantec Endpoint Protection 12.1.RU3 was released on June 6, 2013.

You may find the latest release, Symantec Endpoint Protection 12.1.RU3, here:

This build's version is: 12.1.3001.165

Upgrade and Migration paths

Symantec Endpoint Protection 12.1.3 (RU3) can upgrade seamlessly over the following:

  • Symantec Endpoint Protection 12.1.2100.2093 (RU2 MP1)
  • Symantec Endpoint Protection 12.1.2015.2015 (RU2)
  • Symantec Endpoint Protection 12.1.1101.401 (RU1 MP1)
  • Symantec Endpoint Protection 12.1.1000.157 (RU1)
  • Symantec Endpoint Protection 12.1.671.4971 (RTM)
  • Symantec Endpoint Protection 11.x (can be upgraded to enterprise version only)
  • Symantec Endpoint Protection Small Business Edition 12.0

Symantec Endpoint Protection 12.1.3 (RU3) can migrate installations of the following legacy Symantec products:

  • Symantec AntiVirus Corporate Edition 10.x
  • Symantec Client Security 3.x
  • Symantec AntiVirus for Mac (client only)

This Symantec Release build contains:

  • Resolution of 120 customer defects
  • Updated third party components to resolve security vulnerabilities
  • Integration of customer fixes from the previous SEP 11.0.7.4 release
  • Integration with Insight for Private Clouds appliance
  • SONAR and IPS intelligent updater (IU) support
  • Support for SONAR User Mode Hooking
  • FIPS 140-2 certification (pending validation by external vendor)
  • Ability to restore clean files from quarantine
  • Inclusion of SAV for Linux clients in reporting
  • Support for Outlook 2013 (Outlook Auto-Protect)
  • Support for Exchange 2013 server (auto-exclusions)

The following components are unchanged in this release: Mac client, Linux client, Enforcer, Security Virtual Appliance (SVA).

Symantec Insight for Private Clouds appliance

Symantec Insight for Private Clouds Endpoint Edition is typically installed in networks without Internet connectivity. The private server stores a copy of Symantec Insight's reputation database in your private cloud. Symantec Endpoint Protection reputation queries are HTTP or HTTPS requests to the private server rather than to Symantec's Insight server.

The private server downloads the Symantec Insight data over an encrypted, secure connection. You can manually update the Insight data or use third-party tools to check for updates and download the data automatically. Your update method depends on your network and the type of server on which you run Symantec Insight for Private Clouds.

When you use a private Insight server, Symantec does not receive any queries or submissions for file reputation.


NetBackup Appliance 5230 vs 5220

  • 5230 has the same capacity options as the NetBackup 5220
  • 5230 has the same form factor and expansion shelves (2U+3U+3U)
  • 5230 has 12 compute cores; 5220 has 8 cores
  • 64 or 128GB RAM on 5230; 48 or 96GB RAM on 5220
  • Broader I/O configurations on 5230
  • Two 10Gb Ethernet ports standard on each 5230 option
  • 5 PCI-e slots available for I/O on 5230 versus 4 on 5220

What to Wear

Many high-tech companies are researching wearable technologies, i.e. things you can wear that help make your life easier. Probably causing the biggest stir in the technology community recently are smart glasses, with Google Glass being the primary example. A visual aid with augmented reality is a fascinating thought for me. But it has also sparked discussion about what should be allowed with respect to privacy. Do you need to inform your friends whenever you are filming them? Maybe a red LED in your glasses should turn on whenever you are recording, taking the term "evil eye" to a whole new level. If you search the Web for people who are planning to extend the built-in functionality of Google Glass, you will come across all kinds of interesting integration ideas, including the controversial face-recognition feature.

But there are quite a few other wearable devices worth discussing, from smart bracelets and intelligent shoes to watches that can interact with other objects, all of which are already available to purchase. Recently, at the D: All Things Digital conference (D11), a few more prototypes were revealed to the public.

For example, Motorola demonstrated an electronic circuit tattoo that could be used to authenticate a person, acting as a key. They went one step further and introduced a pill that, once swallowed, would transmit a signal from within your body. Both ideas would turn your body into something like a password token (something you are) that could be used for authentication purposes.

Of course, we already have similar technologies: my car opens magically at the touch of my finger, and RFID cards can be carried in a pocket. Not forgetting biometric factors, either; after all, your fingerprint is something you always have with you. Unfortunately, fingerprint readers are not contactless, so they might not be as convenient as wireless technology. Conversely, broadcasting signals always raises concerns about privacy and tracking. We have seen this concern in most countries where RFID passports were introduced. Even if you can't extract the secret key from the chip to impersonate someone, you might still be able to fingerprint the chip's responses and start building a tracking profile. This is one of the reasons that many people use Faraday-cage wallets that block any unwanted RFID reading. I don't think we will have to wear Faraday-shield T-shirts anytime soon, but those are some of the challenges we need to solve with regard to wearable authentication tokens if we want broad acceptance.

Still, it is an interesting field and would definitely help people who always forget their passwords, unless, of course, they forget to take their pill. It could also solve the problem of weak passwords, since they would be strong by default and could act as a master password for a password safe. But we will have to wait and see how these concepts get implemented and whether people are willing to wear such devices. Depending on that, it might still be possible to attack these systems, or simply to steal an authenticated session and bypass the password completely.

In any case, we at Symantec are curious about what the future holds and are closely monitoring scam emails to see if they begin asking you to send your pill to them instead of offering cheap pills for you.

Citadel Botnet Takedown

Contributor: Piotr Krysiuk

On June 5, Microsoft announced that, in cooperation with the financial industry and the FBI, it had disrupted the Citadel Trojan, a program that targets online banking. The takedown took more than 1,000 Citadel botnets offline.

Citadel is a banking Trojan that first appeared in 2011. Like other online banking Trojans, Citadel is a complete crimeware kit that provides attackers with a payload builder, command-and-control (C&C) server infrastructure, and configuration scripts for targeting various banks. Citadel is a descendant of Trojan.Zbot (Zeus), a major presence among financial Trojans; it emerged after the Zeus source code was leaked in 2011, when criminal groups took over that code and enhanced it.

Figure 1. The Citadel Trojan interface

Whereas its predecessor Zeus was widely distributed, Citadel targets the market of better-funded attackers. While SpyEye and the leaked Zeus kit trade for as little as $100, the Citadel kit is typically sold on Russian underground forums for around $3,000. Citadel users must also pay an additional $30 to $100 each time they purchase web-injection code tailored to the bank they intend to target. Moreover, even attackers with money to spare need a referral to make a new purchase, and there is a strict vetting process.

Citadel infections are spread across the globe, but over the past six months the largest numbers of infections have been observed in Australia, Italy, and the United States.

Figure 2. Citadel infections from January to June 2013

Symantec welcomes the news of this Citadel botnet takedown. While the action does not completely eliminate the Citadel threat, it does halt current operations and sends a clear message to the attackers that their activities are being monitored constantly. The public-private cooperation in removing this threat also deserves praise.

For more on financial Trojans, read Symantec's white paper (in English). Using Symantec's latest antivirus and intrusion prevention signatures will protect against Citadel infections.

* To subscribe to the RSS feed of the Japanese-language Security Response blog, go to http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

Backdoor.Tranwos Abuses EFS to Prevent Forensic Analysis

Recently, we discovered a threat that abuses the Encrypting File System (EFS), which Symantec detects as Backdoor.Tranwos. Not only is it trivial for program code to use EFS, it is also very effective at preventing forensic tools from accessing the contents of the file.

The threat creates the folder %Temp%\s[RANDOM ASCII CHARACTERS] and then calls the EncryptFileW API to encrypt it; because the folder itself is marked as encrypted, Windows automatically encrypts every file and subfolder subsequently created inside it. The threat also copies itself into the folder as wow.dll and modifies the Characteristics field of the PE file header so that the copy is marked as a DLL.

Figure 1. Creates folder and encrypts it


In some cases, security researchers boot another operating system, such as a version of Linux run from a removable drive, in order to retrieve malicious files from a compromised computer. This method is useful when retrieving files from a computer compromised by a rootkit. However, it is impossible to retrieve wow.dll this way, because the file is encrypted with EFS and an offline operating system has no access to the user's EFS key.

Only the user account under which the threat runs can read the file's contents and change its encryption status. Because this makes it impossible to use forensic tools as we normally would, we have to execute the threat manually on a test computer to gather the contents of the file. The sole purpose of this threat's use of EFS is to prevent forensic analysis from retrieving its own contents.

Figure 2. wow.dll file path


After executing this threat, Explorer shows the folder and the file in green, indicating that they have been encrypted.

This threat can switch command-and-control servers on command from the remote attacker through the back door it opens. It can also download more malware onto the compromised computer. Symantec will continue to monitor this threat and report if anything new is discovered.
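As an added triage example (not Symantec's code and not taken from the threat), the Python script below walks a directory on a live Windows system, picks out files that carry the EFS encrypted attribute, and parses the PE COFF header to report whether the IMAGE_FILE_DLL Characteristics bit is set, which is the combination the post describes for wow.dll. The minimal PE stub used for self-testing and the choice of %TEMP% as the scan root are assumptions; because EFS decrypts transparently only for the owning account, the scan has to run in that account's session on the live system, as the post explains.

```python
import os
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000            # Characteristics bit that marks a PE as a DLL
FILE_ATTRIBUTE_ENCRYPTED = 0x4000  # Windows file attribute set by EFS


def build_pe_stub(characteristics):
    """Constructed minimal PE image (not a real sample): MZ header, e_lfanew
    pointing at a PE signature, and a COFF header with the given Characteristics."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


def pe_characteristics(data):
    """Return the COFF Characteristics field, or None if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need the 4-byte signature plus the 20-byte COFF header to be present.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # Characteristics sits at offset 18 inside the COFF header.
    return struct.unpack_from("<H", data, e_lfanew + 4 + 18)[0]


def is_dll(data):
    chars = pe_characteristics(data)
    return chars is not None and bool(chars & IMAGE_FILE_DLL)


def scan_encrypted_pe_files(root):
    """Return (path, is_dll) for every EFS-encrypted file under root that has a
    PE header. Only meaningful on Windows; elsewhere st_file_attributes is absent."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                attrs = os.stat(path).st_file_attributes
                if not attrs & FILE_ATTRIBUTE_ENCRYPTED:
                    continue
                with open(path, "rb") as fh:
                    head = fh.read(4096)
            except (OSError, AttributeError):
                continue
            if pe_characteristics(head) is not None:
                hits.append((path, is_dll(head)))
    return hits


if __name__ == "__main__":
    for path, dll in scan_encrypted_pe_files(os.environ.get("TEMP", ".")):
        print(path, "DLL" if dll else "EXE")
```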

The best way to stay safe from this threat and others is to keep your antivirus definitions, IPS signatures, and firewall rules up to date.

Connect Dev Notes: 11 June 2013

User Facing: Desktop

  • Added a way for users to enter an alternate email address in their user profile for email notifications.
  • Added the ability for privileged users to translate forum posts.
  • Removed the "0 comments" label from blog posts where comments have been disabled and will never have any comments.
  • Added a share widget to Connect pages that will allow users viewing Connect in the Chinese language to share posts to the Sina Weibo microblogging website.
  • Improved the formatting of events when they are exported from Connect and imported into Microsoft Outlook.
  • Improved the workflow code to fix an issue with edited posts reverting to an unpublished state.
  • Fixed the stuck "Solution" counter on user profile pages.
  • Fixed an issue with the "status" flag on Idea and Known Issue content types. The flag now successfully updates when a privileged user changes the status of the post.
  • Fixed a bug in the "Unsubscribe from further comments in this thread" email feature that was not allowing users who were authenticated to Connect to unsubscribe.

Admin Facing

  • Modified the report that admins use to export "Ideas" to product teams to allow data exports within a date range.
  • Resolved an issue with split solutions: a few posts that were submitted while we performed the upgrade were not being listed correctly when the post author tried to mark them as the solution using the split solution feature.
  • Fixed an issue with the admin-facing userpoints audit tool.
  • Improved the memory management of the script that imports new Accreditations and Certifications so it doesn't run into issues with not enough memory to complete the import.

Performance Wins

  • Modified the RSS Builder (http://www.symantec.com/connect/rss-builder) to generate URLs that point to our faster service.
  • Moved our reporting tools to a dedicated reporting server to give the processors on the production server more cycles to serve Connect users.

Behind the Scenes

  • For better SEO, we modified our code to always display the "friendly URL" to search engine crawlers instead of the post ID.
  • Added new meta information to our translated pages that gives Google information necessary to send searchers to the correct version of a page for their language.