
Save the Date: Google+ Hangout – Why Host-Based SSDs are Critical for SLAs in Mission-Critical Datacenters


Service level agreements (SLAs) must be met whether you’re keeping mission-critical data centers running or serving up frosty beverages. Disasters, configuration errors, poor performance, thirsty customers…it’s an ever-changing race to keep your operation available, fast, and resilient. Let us show you what our customers are doing to meet the challenge of delivering on SLAs.

The performance gap between computing devices and storage devices has been growing for several years. Currently, CPU and DRAM operations are measured in nanoseconds while hard disk drive (HDD) operations are measured in milliseconds – that is several orders of magnitude difference.  Enterprises are increasingly looking at SSD/Flash storage to help narrow this performance gap.

Join the Symantec Storage team on Wednesday, August 21 at 9:30am PT to learn about the growing reliance on SSD/Flash to optimize storage environments, discuss the benefits and risks, and examine best practices in incorporating SSDs to help meet your SLAs.

Tune in and get your questions answered live by our expert panelists during the event by submitting your questions to the hashtag #SYMCHangout.

Mark your calendars:

Title:               Why Host-Based SSDs are Critical for SLAs in Mission-Critical Datacenters

Date:                Wednesday, August 21, 2013

Time:               Starts at 9:30 am PT

Length:            1 Hour

Where:             Google+ Hangout: http://bit.ly/13T1ak9


Creating partition on mount points

I have never really been a big fan of mount points, they, I think, can sometimes lead to confusion as to what you are *really* seeing when you view a file / folder structure.  Some people love them though!  One of the things that it can help solve, of course, is running out of drive letters when you have lots of locally attached (or at least locally presented) drives. If you couple that with the idea of having a different drive letter / location of each Enterprise Vault partition then *sometimes* I guess I can see a use for mount points.
 
Essentially you have a 'collection' of mount points, one per vault store partition. It keeps them nicely in 'one place', even though in reality they are on different drives on your system. It can also help with things like Antivirus exclusions as you've now only one place to exclude rather than lots of individual drives.
 
The best way that I found to create them and use them with Enterprise Vault is to create the mount point, and then put a folder underneath it for the actual data.  Windows has a (nasty) habit of creating a recycle bin folder from time to time in the top level folder, which can prevent you from creating a new vault store partition because the folder structure needs to be empty ...  you and I know it is, but EV insists it isn't (because of the recycle bin folder).
 
The steps are:
 
1/ Create a mount point
2/ Create a folder in the mount point (at the same level as the recycle bin folder)
3/ Create a new partition in the Vault Admin Console and point it to the folder you just created in the previous step
 

Where to find the offline installer for Microsoft .NET Framework

If you need to install .NET Framework on a computer that is not connected to the Internet, or you have to run the installation on several computers, it is preferable to use the .NET Framework offline installer.

This installation method has two main advantages: the installer is downloaded only once, and installation time is reduced when installing on multiple machines.

Below are the references to the Microsoft site for downloading the various releases of .NET Framework:

Version                                   Download
.NET Framework 4.5 Setup                  Download 32-bit & 64-bit versions
.NET Framework 4.0 Setup                  Download 32-bit & 64-bit versions
.NET Framework 3.5 Setup                  Download 32-bit & 64-bit versions
.NET Framework 3.5 Setup Service Pack 1   Download .NET 3.5 Service Pack 1
.NET Framework 2.0 Setup                  Download 32-bit / Download 64-bit

 

Sustainability Spotlight: Claire Scull, EMEA Corporate Communications


From climate change to cyber security to employee diversity, corporate responsibility (CR) and sustainability touches every aspect of Symantec’s business. We’ve defined our strategy and are continually working towards our goals to operate as a responsible global citizen. In addition to our dedicated global corporate responsibility team, every day Symantec employees across the world are helping us deliver on this, creating value for both our business and our stakeholders.

We are happy to introduce an ongoing feature of the CR in Action blog – the Sustainability Spotlight - that will profile employees and their contribution to Symantec’s CR and sustainability efforts. Some are members of our CR team, others contribute through our Green Teams or volunteering, some have seen an opportunity and developed programs in their function or region -- all are making a difference.

Today we hear from Claire Scull, Project Manager EMEA Corporate Communications.


What is your role at Symantec and what areas related to corporate responsibility (CR) does your job touch on?

I’ve been at Symantec for six years this August, and have always been actively engaged with CR and local charity activities inside and outside of my professional world -- which increasingly seem to merge into one.   

My role at Symantec is within the Europe, Middle East, and Africa (EMEA) Public Relations team, based in the UK, responsible for the day to day operations, planning & reporting of the team, and managing our EMEA agency team.  Sitting at an EMEA level I have a good insight as to what happens across our EMEA region, and what local teams are working on specifically around CR.

I am also the UK charity committee PR lead, and sit on the EMEA CR team, as well as contributing to global CR projects.  A lot of my involvement in these activities is driven through my own personal passion, however being in the communications team I do get to see and hear all of the other good stuff we do as a company, and get to have input into what and how we do it.

Can you highlight a specific project you have worked on or are currently involved in? Were these part of your traditional role, an initiative that you developed, or part of a larger program/initiative at Symantec?

I am actively involved in an annual Action for Children event, ‘Byte Night.’ Action for Children supports and speaks out for the UK's most vulnerable and neglected children and young people, for as long as it takes to make a difference in their lives. ‘Byte Night’ is the IT industry’s annual sleep out to raise funds and awareness for the charity and the great work they do. 

I first became involved with Byte Night three years ago, when a colleague asked me to join in as they were a team member short a few days before the big event. Since then I have become more actively engaged and now sit on the Thames Valley Board helping to get the event up and running each year, supporting fundraising efforts across the Thames Valley, and bringing support, encouragement and motivation inside Symantec to help us with our Symantec team fundraising. 

This year we have a FANTASTIC team of sleepers and supporters: Heena Lad, Steve Edwards, Lisa Sellers, Paul Barrick, Sian John, Jennifer Ellis, Lynn Gardner, Lisa Hall, Adam Petherick, Carl Ogden, Elliot Fonte, Jennifer Sawyer, Penny Rose, Hayley Brant, Michelle Brown, Natalie Kini, Nick Shaw, Catherine Lay, Wayne Hunt, Tara Knee, Pamela Kernott, Matt Ellard, and Simon Moor. It is the team that really makes the event happen!

I am also involved with another charity, which I have been fortunate to engage with through a Symantec introduction, TeenTech.  I am now the voluntary editor for their newsletter which goes to all of their supporters, sponsors, teachers and schools involved with the charity.

Are you involved in any volunteer efforts at Symantec, such as Green Teams or community volunteer events?

I have also volunteered my time to contribute to the Green Team as I see it very closely related to the charity activities we often undertake, and I can leverage my role in the communications team both ways to provide input and support for the activities we undertake.

Do you see opportunities for others in your area/function to contribute in a similar way?

Employees may already be engaged in various activities and not fully realize the support Symantec can offer them and those they are helping. I would encourage anyone across Symantec to become involved with their local, regional or global CR activities across the charity, green, diversity and or Symantec Women's Action Network committees.  If you have a passion, why not channel it and maximize it through all that Symantec has to offer in support of you, your passions and ultimately those it will benefit outside of the company! 

CR is an important area for Symantec and its employees to put focus to.  I strongly believe that we as individuals, families, communities and businesses all exist alongside each other, and we should all contribute back as much as we take out.  Therefore as a global company it is Symantec’s duty to act responsibly in the communities within which it sits and operates, and provide support, development and encouragement to those within that community.

 

NetBackup 7.6 First Availability (FA) Program. October, 2013.


Dear NetBackup Customer:

 

I am pleased to inform you that Symantec NetBackup 7.6 will have a First Availability (FA) program.  The FA is expected to be available in early October, 2013.  Just as with NBU 7.5, Symantec is offering the opportunity to obtain and run production-ready general availability (GA) NetBackup 7.6 as soon as it becomes available.  Through the First Availability program, you can take advantage of the latest feature capabilities that have been made available in NetBackup. 

 

What are the key new features in NetBackup 7.6?

  • NetBackup Accelerator support for virtual machines including applications
  • VMware Instant Recovery
  • Oracle Policy Framework
  • 3X faster backup and restore with MSDP
  • SLP windows and targeted AIR
  • Replication Director VMware, Application, and Block Array Support
  • Extensive support for Windows 2012

 

IS THIS AN ALPHA OR BETA PROGRAM?

No.  First Availability software is production ready GA software that has passed stringent Symantec release and quality criteria.   This is not an Alpha or Beta program and we encourage and fully support FA code in production environments.  The First Availability program provides GA quality software to you as soon as it becomes available.

 

WHAT IS THE DIFFERENCE BETWEEN FIRST AVAILABILITY AND GENERAL AVAILABILITY?

The First Availability program gives customers access to the software at the same time that it is ready to begin the GA hosting process. The GA software will be available via FileConnect/DVD media; it is the same version you receive through the First Availability program, so no further upgrade or action is necessary.

 

WHEN DOES THE FIRST AVAILABILITY PROGRAM END?

NetBackup FA code is fully supported by Symantec support. Once the GA posting is complete on the Symantec web site, the software and the e-mail address will be removed from the download site.

 

What’s Next?

Please register here if you are interested in the NetBackup 7.6 Program:

https://symbeta.symantec.com/callout/?callid=E473ECD54F244C5A86197A3A555A107F

 

 

If you have any additional questions then please send email to:

DL-ENG-NBU-First-Avail@symantec.com

 

For those who express an interest in participating, expect to hear from me again once the software is available for download.

 

Regards,

Larry Temple

Government puts faith in mobile platforms


 

mobilesecurity.com [London, UK] Blackberry may have previously been the preferred smartphone manufacturer for members of the US government, but recent reports suggest that future federal use of smartphones will expand to include both iPhone and Android devices.

Blackberry was awarded the FIPS (Federal Information Processing Standard) 140-2 certification for its new line of Blackberry 10 devices. That certification, implying the highest levels of data security, came about in November 2012, even before the devices were launched. But the United States Department of Defense is now apparently looking towards a more “platform agnostic” approach to mobile device use.

One of the goals is to open its networks to devices from Apple and manufacturers of Android devices by February 2014, and the move would suggest greater faith in the security developments of the two biggest mobile platforms, Android and iOS.

- See more at: http://www.mobilesecurity.com/articles/419-governm...

More Enterprise Vault Process Diagrams


A while ago I wrote about some of the Enterprise Vault process diagrams which have been made available, that post is here.

Now there is a nice technote which lists lots, and lots, and lots of different process diagrams – take a look at:

http://www.symantec.com/docs/HOWTO77305

Defying Convention at VMworld 2013: Designing VMware backups that work!


VMworld 2013 is just a week away. This is perhaps one of the biggest technology events where I get to see experts who really get their hands dirty back in their jobs (functional IT staff such as system administrators, VM administrators, storage administrators, solution architects, etc.).

Whether or not you are using NetBackup, we invite you to attend the session below, where we dig deep into VMware vStorage APIs for Data Protection (VADP) and its performance characteristics. We will share the lessons learned from extensive lab benchmarks simulating real production workloads. This will help you design and deploy a backup solution for your VMware vSphere environment that meets your business SLAs.

Time: Wednesday, Aug 28, 3:30 PM - 4:30 PM Pacific Time

Topic: Session # BCO5851 – VMware Backups that Work – Lessons Learned and Backup Performance Tuning Based on Extensive VADP Benchmark Testing

Speakers: George Winter and Abdul Rasheed (both are VMware vExperts 2013)

There will be some questions at the end. Those who are first to answer those questions would be walking away with some cool gifts!

Click here to register directly for this session at VMworld website

Stop by Symantec booth during solution floor hours to learn what is new in NetBackup 7.6 and NetBackup 5230 for your vSphere and vCloud environments. This is one of the biggest releases centered on virtualized workloads and you will be delighted to see what is coming!


Would you disable UAC?


Everything Enterprise Vault client related used to be what I was 'all about' when I was working in Symantec Enterprise Vault Engineering. Okay I also dabbled with tons of other stuff, but I was somewhat of a subject matter expert when it came to things relating to the Outlook Add-in. That's partly why it irks me when I see things like this technote suggesting to perform the Outlook Add-in install by first of all disabling UAC. I mean a security firm should really recommend this, I don't think.  Anyway, it is an interesting one, and it brings up the question that is often asked about why there is a setup.exe and an MSI file - it's all down to what 'regular' users can launch.

Take a look at the technote: http://www.symantec.com/docs/TECH209344

Would you disable UAC? 

Spammers Googly over Ongoing Ashes Series


Contributor: Sujay Kulkarni


The Ashes Test cricket series, one of the most popular Test series in cricket, is played between England and Australia. It is played alternately in England and Australia and is the oldest Test rivalry between these two sides. Cricket fans are glued to the TV and their online devices to watch this riveting series.

In the current Ashes series England is leading 3-0 and is on the cusp of creating history against Australia—if they beat them hands down in the last test match, which now is a real possibility. However, what is making the rounds is not Scholes, Carrick, or Robin Van Persie, but Captain Cook and his elite squad waiting to steamroll Australia.

This interesting scenario has got scammers smacking their lips. They have come up with a trick to lure you into sending them your personal information over email because your email address has won "242,500,000 USD in the 2013 ASHES SERIES".

Here is the catch: you have one obligation to fulfill, replying to the scammer with your "personal details". Well, that would set the ball rolling for the scammer, wouldn't it?

In a typical 419 spam, the scammer mentions in the email that you have won—an award of $50,000 USD for example—and asks you to reply back with your personal details, immediately to claim the money.

Symantec customers should take the following precautionary measures to stay safe:

  • Update operating system patches when prompted
  • Update the antivirus patches regularly
  • Do not open any unsolicited emails when you do not recognize the sender or the subject and avoid clicking on suspicious email attachments
  • When dealing with unsolicited mails avoid sending any personal details, especially to unknown persons

Enjoy the ongoing Ashes Test cricket series without getting bowled over by any spammer’s googly.

Will RSA Survive 2-5 years?


A few weeks ago at Black Hat 2013 in Las Vegas, there was a particularly interesting presentation entitled “The Factoring Dead: Preparing for the Cryptopocalypse.” Here at Symantec, we found the topic particularly interesting. The presentation touched on a key topic that we would like to highlight. RSA is a tried and true algorithm, pervasive throughout the ecosystem, and there is no reason to mistrust it. This year the industry is moving from RSA 1024-bit certificates to 2048-bit certificates based on NIST recommendations, as the compute power available to bad actors makes a brute force attack on 1024-bit keys increasingly practical. However, what the presentation mentioned was that recent advances in technology and mathematics have raised the question of whether this natural balance of bit length versus compute power has a third variable that could make RSA more vulnerable to factoring within 2-5 years. The presenters indicated that elliptic-curve cryptography, or the ECC algorithm, is the best replacement should it become apparent that RSA shouldn’t be used.

Fortunately, the presenters pointed out one thing we’ve known here at Symantec for quite some time: the SSL landscape is changing and will continue to evolve, and algorithm agility (or diversity) is a key element in making the entire ecosystem stronger. Earlier this year, we introduced the DSA and ECC algorithms in addition to the RSA algorithm. We are currently the only Certificate Authority to offer a choice of algorithms with every certificate (and yes, you can choose all three at once). We are also the only CA to offer a pure ECC implementation, meaning all certificates in the chain, including the roots, use ECC keys and not RSA keys. These are production certificates with good root ubiquity that are currently being deployed by our customers.

We have the solution to the Cryptopocalypse ready to install today, even if this scenario remains in the realm of theoretical academia for the foreseeable future.

Spammers Exploiting the Ongoing Ashes Series

Contributor: Sujay Kulkarni

The Ashes is a popular Test cricket series contested between the England and Australia national teams. It is the oldest Test rivalry between the two countries and is held alternately in England and Australia each year. Cricket fans are no doubt glued to their TVs and the Internet to watch this high-profile series.

England currently leads 3-0, and if England wins convincingly in the final Test (which looks likely), it will mark a turning point against Australia. However, the talk of the moment is not about footballers such as Scholes, Carrick or Robin Van Persie, but about captain Alastair Cook and the elite team he leads, who are aiming to defeat Australia.

Scammers are lying in wait to exploit this interesting scenario. Claiming that your email address has won "242,500,000 USD in the 2013 ASHES SERIES", they try to get you to send your personal information by email.

The scam asks the user to do just one thing: reply to the scammer with their personal details. That alone is enough to leave the rest in the scammer's hands.

This is a typical 419 scam. In the email, the scammer explains that you have won a draw (for example, a prize of 50,000 dollars) and demands that you reply immediately with your personal details in order to receive it.

Symantec customers should take the following precautionary measures to stay safe:

  • Apply operating system patches as soon as they are released.
  • Update antivirus definitions regularly.
  • Do not open unsolicited emails whose sender or subject you do not recognize, and do not click on suspicious attachments.
  • When handling unsolicited emails, be especially careful not to send personal details to unknown parties.

Enjoy this year's Ashes series while staying alert so that you are not caught off guard by the scammers' tricks.

 

* To subscribe to the RSS feed of the Japanese-language Security Response blog, go to http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

Connect with us for Symantec Endpoint Protection Technical Support.


Hello,

My name is Mithun Sanghavi and I am part of the Technical Support organization at Symantec. I’m sure you have had a few “How do I...?” or “Where can I find...?” kind of questions about Symantec Endpoint Protection. This blog is to assist Symantec Endpoint Protection users with answers to these questions.

First off, I want to introduce you to SymWISE. This is our new product support knowledge base. It is available for our users and partners. This system is an online resource for support information for all Symantec products. SymWISE is one component of a larger effort to provide online resources and self-service options for our users and partners.

Content includes:

  • Best practices
  • Downloads
  • How to instructions
  • Technical product information
  • Troubleshooting tips

SymWISE features a search engine to help you find the information you need for any Symantec product. This article will help you navigate SymWISE.

The Symantec Endpoint Protection team has deployed a team of Tech Support Engineers who work via social media to find our users who need assistance.

You can find us on Twitter at

I am available on other forums as well.

I also urge you to check out the Symantec Connect Forums. This is where members of our development and product management teams as well as other Symantec users gather to discuss all things related to their solutions. You can find us inside Connect at

SymWISE is just one place to find the information you need. My team is another. Do not hesitate to contact me here or the venues above with any questions you have about Symantec Endpoint Protection.

You could also create a case with the Symantec Technical Support team. Check the article below:

How to create a new case in MySupport

http://www.symantec.com/docs/TECH58873

Phone numbers to contact Symantec Technical Support:

Regional Support Telephone Numbers:

  • United States: 800-342-0652 (407-357-7600 from outside the United States)
  • Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
  • United Kingdom: +44 (0) 870 606 6000

Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp

Hope that helps!!

Test your password : TestYourPassword website


A nice resource to test your password is the website TestYourPassword. In a simple interface you can test your password and see whether it can be classed as weak, good or strong.

The main page also offers a function to generate a new strong password, and if you want to know how passwords are cracked, there is a nice video explaining how hackers scan a network for weak passwords and crack them.


Link : TestYourPassword

 

See also the article : How to test your passwords

Instascam: Instagram for PC Leads to Survey Scam


Instagram, the popular photo and video sharing service acquired by Facebook, is often a target for spam and scams, some of which we have written about over the past year. This week, a friend shared an in-stream advertisement for a program called Instagram for PC on his Facebook timeline. This application claims to run Instagram in an emulator, so that PC users can access the service without a phone.
 


Figure 1. Instagram for PC website
 

When trying to download a copy of Instagram for PC, we observed two separate downloads.

File #1: Missing Dynamic Link Library (.dll) File

The first download was a large RAR archive that bundled a series of dynamic link library (.dll) files along with the supposed application. When a user attempts to run the application, they will be greeted with what looks like a login screen for Instagram.
 


Figure 2. Instagram for PC login screen
 

In reality, this login screen is a fake. If a user tries to log in, they receive a phony “Fatal error 2.4.5” message, claiming there is a missing .dll file.
 


Figure 3. Fake error message for Instagram for PC
 

If the user selects “Yes” on the dialog for the missing file, they are redirected to a page that discusses the error and how it can be fixed.
 


Figure 4. Fake missing .dll page
 

The language used to explain the error is fishy. Not only that, but the page claims that if the download “won’t” work, the user should click a variety of social sharing options before trying the download again.

When a user tries to download the missing .dll file, they’re asked to fill out a survey.
 


Figure 5. Instagram for PC survey scam
 

File #2: Activate Instagram

The most recent version of Instagram for PC now claims that in order for the application to work, the user needs to “activate” Instagram. At the bottom of the application, there’s even a warning in red text that the service is “not activated.”
 


Figure 6. Instagram for PC activation screen
 

Clicking on “Click here to activate” results in a new pop-up window that again asks the user to “complete a quick offer or survey” in order to activate Instagram.

Neither of the supposed versions of Instagram for PC delivers as promised. This is just another vehicle for the scammers to convince users to fill out surveys, so they earn money through shady affiliate programs.

Over 4,000 people have posted about the Instagram for PC site on Twitter and Facebook, while over 2,000 have shared it on Google+.
 


Figure 7. Social sharing icons from the Instagram for PC website
 

For anyone who downloaded these files, there was no malicious functionality bundled with the software, such as a keylogger or backdoor. Symantec products detect these files as Downloader.MisleadApp.

If you’re a PC user and you want to access Instagram on your computer, look no further than instagram.com. Yes, the site itself provides access to the service on any browser on any platform. 

If you are a social network user, be wary of scammers trying to find ways to convince you to provide your login details, install applications, or copy and paste code into Web pages. Do not click on suspicious links and report any suspicious links using the reporting functionality within Facebook and other social networks. These are all tactics that have been used time and time again because they work.


ZeroAccess Modifies Peer-to-Peer Protocol for Resiliency


ZeroAccess has always distributed its malicious payloads to infected computers using a peer-to-peer protocol. The use of a peer-to-peer protocol removes the need to maintain centralized command-and-control (C&C) servers to distribute malicious payloads. In 2011, ZeroAccess’ peer-to-peer protocol communicated over TCP, but in the second quarter of 2012 the protocol was modified to use UDP. This was the last significant update to the ZeroAccess peer-to-peer protocol until June 29, 2013.

Symantec has been closely monitoring the ZeroAccess peer-to-peer networks since its discovery. On June 29, 2013, we noticed a new module being distributed amongst ZeroAccess peers communicating on the UDP-based peer-to-peer network that operates on ports 16464 and 16465. ZeroAccess maintains a second UDP-based network that operates on ports 16470 and 16471. ZeroAccess peers communicate to other peers connected to the same network; peers do not communicate across networks.

The module discovered on June 29 modifies the peer-to-peer functionality of ZeroAccess to make its peer-to-peer network more robust and resilient against outside manipulation. The following is a summary of the key code changes made on June 29, 2013, affecting ZeroAccess peer-to-peer functionality:

  • The number of supported peer-to-peer protocol messages has been decreased from three to two.
  • A secondary internal peer list is now used that can hold over 16 million peer IP addresses, up from 256 IP addresses.
  • The secondary internal peer list is stored as a Windows NTFS alternate data stream.
  • The logic of how a ZeroAccess peer will contact other peers has been modified.
  • Error checks and timeouts have been added to the malicious file download TCP connections.

In addition to the code update being distributed on the UDP 16464/16465 peer network to existing peers, after June 29, 2013, we have observed that new ZeroAccess installers for the UDP 16464/16465 network also contain the new peer-to-peer protocol and code changes.

Interestingly, the ZeroAccess UDP 16470/16471 network has not yet received the code update. The new ZeroAccess installer samples for the UDP 16470/16471 network also do not contain the new code. In the past, both the UDP 16464/16465 and UDP 16470/16471 networks generally received new features and code modifications at approximately the same time.

Most of the code changes made by the ZeroAccess authors in this update seem to be in response to published research on ZeroAccess or other perceived weaknesses the authors found in the code. These changes are also further evidence that ZeroAccess continues to be actively developed and remains a threat. Symantec expects development of ZeroAccess to continue and will actively monitor the threat for those changes.

The following sections provide further technical details on the peer-to-peer protocol and related code changes made to ZeroAccess.
 

Modified peer-to-peer protocol

When discovered in 2012, ZeroAccess’ UDP-based peer-to-peer protocol supported three message types: getL, retL, and newL. A number of security researchers have described the messages and pointed out flaws in the protocol, especially regarding the newL message type. The newL message type is used by ZeroAccess to share directly routable IP addresses (often called super nodes or super peers) amongst its peers. When a peer receives a newL message, it adds the IP address included in the message to its internal peer list. The peer also forwards the newL message to other peers it knows about, magnifying the message’s effect. Prior to June 29, by crafting a newL message and sending it to a ZeroAccess peer it was possible to introduce a rogue IP address into an infected ZeroAccess peer’s internal peer list and have that rogue newL message distributed to other ZeroAccess peers.

The new peer-to-peer protocol removes the newL message type, allowing the botnet to filter out rogue peer IPs.
 

Expanded internal peer-list

Another flaw previously identified in ZeroAccess’ peer-to-peer protocol is the fixed internal peer list size. Prior to the June 29 update, a ZeroAccess peer’s internal peer list was capped at 256 peers. After June 29, a secondary peer list was added and memory reserved to hold up to 16 million peer IP addresses. The list of 256 peers continues to be the “working set” of peers that are periodically contacted. The secondary peer list is used for redundancy purposes.

When the peer list was only 256 peers in length it was feasible that a significant ZeroAccess clean-up action could cut off ZeroAccess peers from the peer-to-peer network because none of their 256 known peers were online. It also became theoretically feasible to replace a ZeroAccess peer’s 256 internal peer list with rogue IP addresses. The secondary peer list makes both of these actions more difficult.

The secondary peer list is written to disk, along with the 256-peer working set. Prior to June 29, the 256 peers from the internal peer list were stored in a file named "@". After June 29, the @ file still exists and continues to contain the 256 peer IP addresses of the working set. The secondary peer list, containing up to 16 million IP addresses, is stored as an NTFS alternate data stream of the @ file. The alternate data stream also uses the @ name.
 

Altered run-time peer contact behavior

Prior to June 29, one of the 256 peers in ZeroAccess’ internal peer list would be contacted with a getL message each second to ask for any data on new malicious modules and new ZeroAccess peer IP addresses. This behavior continues after June 29. However, for any remote peer that responds to a message, that responding peer’s IP address and response time-stamp are now added to the secondary peer list.

The IPs in the secondary peer list are also contacted when ZeroAccess first starts up. At startup, as many as 16 IPs from the secondary peer list are contacted each second. This secondary peer list communication continues until at least 16 remote peers have responded to the infected host. Once 16 remote peers have responded, peers from the secondary list are not contacted again until the infected computer is restarted. The secondary peer list continues to be extended and updated as remote peers respond during the normal periodic contact with the 256 peers of the working set. This behavior allows a ZeroAccess client to keep a large list of previously contacted peers for redundancy while still operating with a small working set of 256 peers, so that malicious payloads can be quickly distributed throughout the ZeroAccess network.

Another runtime peer-contact behavior change is the keeping of a contacted-peer state table. ZeroAccess peers continue to send unsolicited getL messages to remote peers and expect to receive retL messages in response. The retL responses contain malicious payload metadata as well as new peer IP addresses. Prior to June 29, an infected peer would accept any UDP message from any IP address, regardless of whether the infected host had contacted that remote IP address before. After June 29, a ZeroAccess peer continues to accept getL messages from any remote IP, but only accepts a retL message from an IP address to which the receiving peer had previously sent a getL message. In other words, when a ZeroAccess peer sends a getL message to a remote IP address, it adds that IP address to a table in memory. When it receives a retL message, it scans this table; if the IP address that sent the retL message does not appear in the table, the receiving peer disregards the message. This change ensures that unsolicited retL messages are ignored and makes using retL messages as a means of introducing rogue IP addresses (as newL messages could be used in the previous protocol) more difficult.
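The following is an added model of the post-June 29 bookkeeping rules described in the last two paragraphs; it is not ZeroAccess code and not part of the original write-up. It keeps the 256-entry working set, the secondary list of responding peers, the 16-response startup limit, and the table of IPs that were sent a getL; message formats and networking are left out, and the assumption that a getL entry stays in the table rather than expiring is mine.

```python
from collections import OrderedDict

WORKING_SET_MAX = 256        # size of the "@" file working set
STARTUP_RESPONSE_GOAL = 16   # startup contact stops after 16 responses


class PeerModel:
    """Bookkeeping rules of an infected peer after the June 29 update."""

    def __init__(self, working_set):
        self.working_set = list(working_set)[:WORKING_SET_MAX]
        self.secondary = OrderedDict()   # responding IP -> last timestamp
        self.sent_getl = set()           # IPs this peer sent a getL to
        self.startup_responses = 0

    def send_getl(self, ip):
        # Record the IP so that its retL can later be matched (assumed: the
        # entry is kept rather than expired; the write-up does not say)
        self.sent_getl.add(ip)

    def startup_batch(self):
        """IPs from the secondary list to contact this second at startup:
        at most 16, and none once 16 remote peers have already responded."""
        if self.startup_responses >= STARTUP_RESPONSE_GOAL:
            return []
        batch = list(self.secondary)[:STARTUP_RESPONSE_GOAL]
        for ip in batch:
            self.send_getl(ip)
        return batch

    def receive(self, msg_type, src_ip, timestamp):
        """Apply the post-update acceptance rules to one inbound message.
        Returns True if the message would be processed, False if dropped."""
        if msg_type == "getL":
            return True                  # still accepted from any IP
        if msg_type == "retL":
            if src_ip not in self.sent_getl:
                return False             # unsolicited retL: ignored
            # A responding peer is recorded in the secondary list with the
            # time of its response and counts toward the startup goal
            self.secondary[src_ip] = timestamp
            self.startup_responses = min(self.startup_responses + 1,
                                         STARTUP_RESPONSE_GOAL)
            return True
        return False                     # newL was removed from the protocol
```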
 

Improved payload file transfer resiliency

A ZeroAccess peer already contains checks to ensure that it does not download a rogue payload file from a remote host. A payload file’s metadata in retL messages is digitally signed and cannot be easily forged. In addition, the malicious payload files themselves are digitally signed, and the signature is checked after the file is downloaded. The digital signatures prevent a rogue peer from introducing an arbitrary executable module into the peer-to-peer network. The June 29 code change adds checks to ensure that TCP file transfers do not take too long to complete. These changes appear to be designed to protect against a kind of denial-of-service attack in which a rogue peer tricks a ZeroAccess peer into downloading a large number of files from the rogue peer, which then delivers the file data too slowly. Using this attack, it would be possible to occupy all TCP ports on an infected computer, preventing it from downloading the intended malicious payloads.

Instascam: Instagram for PC Lures Users into Survey Scams

Instagram, acquired by Facebook, is a popular photo and video sharing service, but it is also known to be a frequent target of spam and scams, as we have reported on this blog several times before (see references 1, 2, and 3). This week, an in-stream advertisement for a program called "Instagram for PC" was shared on a friend's Facebook timeline. The application claims to run Instagram in an emulator, allowing PC users to access Instagram without a mobile device.

Figure 1. The Instagram for PC website

When we tried to download Instagram for PC, we found that two separate downloads take place.

File #1: Missing Dynamic Link Library (.dll) file

The first download is a large RAR archive that bundles what appears to be the application together with a set of Dynamic Link Library (.dll) files. When the application is run, a screen resembling the Instagram login screen is displayed.

Figure 2. The Instagram for PC login screen

This login screen is in fact a fake: when the user attempts to log in, a bogus "Fatal error 2.4.5" message is displayed, explaining that a required .dll file is missing.

Figure 3. The fake error message displayed by Instagram for PC

Selecting [Yes] in the error dialog redirects the user to a page describing the error and how to fix it.

Figure 4. The fake page explaining the missing .dll

The explanation looks suspicious on its face. Not only is it riddled with errors, it also instructs users that if the download "doesn't work properly" they should share it on social services such as Twitter, Facebook, and Google+ before trying the download again.

When the user tries to download the missing .dll file, they are asked to complete a survey.

Figure 5. The Instagram for PC survey scam

File #2: Activating Instagram

The latest version of Instagram for PC tells users that Instagram must be "activated" before the application will run properly. At the bottom of the application, a warning in red text states that Instagram is "Not activated".

Figure 6. The Instagram for PC activation screen

Clicking [Click here to activate] opens a new pop-up window, which again asks the user to "complete a quick offer or survey" in order to activate Instagram.

Whichever version is used, users never get the Instagram for PC that is advertised. This is yet another trick by scammers to lead users into filling out surveys while profiting behind the scenes through affiliate programs.

The Instagram for PC site has been posted by more than 4,000 users on Twitter and Facebook, and shared by more than 2,000 users on Google+.

Figure 7. Social sharing icons lined up on the Instagram for PC website

Downloading these files does not install software with malicious functionality such as keyloggers or backdoors. Symantec detects these files as Downloader.MisleadApp.

If you are a PC user who wants to access Instagram from your computer, use only the legitimate instagram.com site. The legitimate site lets you access the service from any browser on any platform.

Social network users should be wary of scammers who use one trick after another to deceive users into submitting login information, installing applications, or copying and pasting code into web pages. If you see a suspicious link, never click it; instead, report it using the reporting features provided by social networks such as Facebook. All of these tricks have been repeated many times over, and they keep being repeated because they work.

* To subscribe to the RSS feed of the Japanese Security Response blog, go to http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

Encryption and decryption – the never-ending battle


Ciphers have been in use since around 3,000B.C., but their importance and relevance for information security has really come to the mainstream with the growth of the Internet and the escalating volumes of data exchanged on line every day.

The history of ciphers and encryption is a compelling one – being a constant battle between encryption by cryptographers and decryption by cryptanalysts. That has brought repeated cycles of development of a cryptographic algorithm, attempts to break it, followed by a new cipher algorithm to replace the obsolete ones.

And that battle goes on today, with the big focus now on preventing keys from being factored/hacked. Most of us will no doubt have come into contact with the RSA algorithm in our daily working lives, for its influence has been massive. Since the RSA algorithm was first publicly described in 1977 by Ron Rivest, Adi Shamir, and Len Adleman, 17 key sizes have been factored, with the highest key size so far being RSA 768-bit in 2009. However, as computing power increases, so does the threat that RSA 1024-bit will be factored, too. As always, it’s only a matter of time.

But before I tell you what the future holds in the war against the cybercriminals – and the major new developments waiting in the wings – first let me take you on a brief ‘time travel’ journey through the ages, looking back at the major cryptographical milestones.

The oldest-known ciphers are said to be hieroglyphics (ancient Egyptian script) on monuments, dating back more than 5,000 years and considered undecipherable until the 19th century. But history tells us that nothing remains sacrosanct in the world of security forever!

The first century B.C. saw the emergence of the Caesar cipher, which was frequently used by the Roman Emperor Julius Caesar and is one of the most famous methods of cryptography. The cipher worked by substituting each letter in the original message with the letter located a fixed number of positions down the alphabet, a number known only to the sender and receiver (such ciphers are known as ‘shift ciphers’). As these ciphers can be easily decrypted by trying out at most 26 shift numbers, using a random rearrangement of the alphabet instead of a fixed shift vastly increases the number of permutations (to 26 x 25 x 24 x …. = 400000000000000000000000000!), rendering decryption far more difficult.

An encryption method that rearranges the sequence of characters based on a fixed rule is known as a ‘substitution cipher’. These are the most commonly used cryptography systems throughout history. However, substitution ciphers, including the simpler Caesar cipher, can all be decrypted using frequency analysis. This uses linguistic parameters to guess pre-encrypted letters based on how often they appear.
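As an added illustration (not from the original post) of the two points above: a Caesar shift falls to trying all 26 shifts, while the general substitution key space is 26! so the attack becomes frequency analysis, here scored against approximate English letter frequencies on a constructed sample message.

```python
import math
import string
from collections import Counter

ALPHA = string.ascii_uppercase
# Approximate percentage frequency of each letter in English text
ENGLISH_FREQ = {
    'A': 8.2, 'B': 1.5, 'C': 2.8, 'D': 4.3, 'E': 12.7, 'F': 2.2, 'G': 2.0,
    'H': 6.1, 'I': 7.0, 'J': 0.15, 'K': 0.77, 'L': 4.0, 'M': 2.4, 'N': 6.7,
    'O': 7.5, 'P': 1.9, 'Q': 0.095, 'R': 6.0, 'S': 6.3, 'T': 9.1, 'U': 2.8,
    'V': 0.98, 'W': 2.4, 'X': 0.15, 'Y': 2.0, 'Z': 0.074}
# Constructed sample message (not from the original post)
SAMPLE_PLAINTEXT = ("THE ENEMY HAS SEEN THE MESSAGE WE SENT LAST WEEK AND "
                    "THE KEY MUST BE REPLACED BEFORE THE NEXT EXCHANGE")


def caesar(text, shift):
    """Replace each letter with the one `shift` positions down the alphabet."""
    return "".join(ALPHA[(ALPHA.index(c) + shift) % 26] if c in ALPHA else c
                   for c in text.upper())


def chi_squared(text):
    """Distance between the letter counts of `text` and the counts English
    text of the same length would have; lower is more English-like."""
    letters = [c for c in text if c in ALPHA]
    n = len(letters) or 1
    counts = Counter(letters)
    total = 0.0
    for c in ALPHA:
        expected = ENGLISH_FREQ[c] * n / 100
        total += (counts[c] - expected) ** 2 / expected
    return total


def break_caesar(ciphertext):
    """Try all 26 shifts, the entire key space, and keep the best-scoring."""
    shift = min(range(26), key=lambda s: chi_squared(caesar(ciphertext, -s)))
    return shift, caesar(ciphertext, -shift)


def substitution_keyspace():
    """Keys of a general substitution cipher: 26 x 25 x 24 x ... x 1 = 26!."""
    return math.factorial(26)


def frequency_guess(ciphertext, top=5):
    """First step of frequency analysis: pair the `top` most frequent
    cipher letters with the `top` most frequent English letters."""
    cipher_counts = Counter(c for c in ciphertext.upper() if c in ALPHA)
    cipher_order = [c for c, _ in cipher_counts.most_common(top)]
    english_order = sorted(ALPHA, key=ENGLISH_FREQ.get, reverse=True)[:top]
    return dict(zip(cipher_order, english_order))
```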

The development of modern communications precipitated a surge in cryptography and cryptanalysis during the First World War, with the decryption of even the most complex ciphers facilitated enormously by the advent of mechanical cipher machines. And none resonates more with the public consciousness than the redoubtable Enigma, invented by German engineer Arthur Scherbius in 1918. Enigma’s cryptography featured polyalphabetic substitution encryption. The unit was made up of multiple rotors, embedded with the 26 letters of the alphabet, known as a scrambler, and a plugboard, which carried out single alphabetic character conversions. For each letter input on the keyboard, the scrambler rotated one gradation, which enabled easy encryption or decryption, using a key that changed with each input letter.

Under threat of invasion by Germany, Poland invented an encryption machine known as Bombe, but improvements made to Enigma created an increasing number of encryption patterns, so it was uneconomical for Poland to continue its cryptanalysis work. Instead, in 1939, two weeks before the start of the Second World War, Poland passed on its research findings and decryption work to Britain. With this information, Britain was able to decrypt the German army’s pattern for Enigma, which meant the Enigma code was finally broken.

Any mention of ‘Enigma’ should instantly invoke the name of Alan Turing. Widely regarded as the father of computer science and artificial intelligence, it was he who devised the huge electro-mechanical ‘Bombes’ – forerunners to modern computers – which played a decisive part in Bletchley Park’s war-time triumph in the decrypting of Enigma, known as ‘Ultra’. Information thus gained about German movements and plans remained an important data source for the Allies until the end of the 1938-45 war. However, this breakthrough remained highly confidential, so Germany continued to use Enigma with complete faith until the end of the war. The fact that Enigma had been decrypted did not become public knowledge until 1974.

Since the Second World War, encryption and decryption have, of course, shifted from mechanical machine to computer, with the rapid spread of PCs in the private sector placing vital importance on cryptography for corporate commercial transactions and other civilian uses, as well as military applications. All of which takes us back to the cybercriminals and our never-ending battle to stay one step ahead of them. How can it be done? What new deterrents are waiting in the wings?

Further information:

As we were writing this blog, a colleague made some interesting observations around RSA key sizes and the emergence of alternative algorithms.

We’ve also blogged here about Symantec’s Algorithm Agility program.

How to display all event log sources installed on your system


EventLogSourcesView is a simple portable tool that displays the list of all event log sources installed on your system.

For every event log source, the following information is displayed: Event Source Name, Event Type, DLL/EXE files containing the event message strings, Registry Modified Time, and version information taken from the DLL/EXE file (Product Name, Company, File Description, File Version).

EventLogSourcesView also allows you to export the event log sources list into a tab-delimited, comma-delimited, HTML, or XML file.


License : Freeware

Link : EventLogSourcesView

Download : EventLogSourcesView (32 bit) - EventLogSourcesView (64 bit)

 

Chinese Ransomlock Malware Changes Windows Login Credentials


Although ransomware has become an international problem, we rarely see Chinese versions. Recently, Symantec Security Response noticed a new type of ransomlock malware that not only originates from China but also uses a new ransom technique to force users into paying to have their computers unlocked.

This threat is written in Easy Programming Language and is spread mostly through a popular Chinese instant messaging provider. Once a computer is compromised, the threat changes the login credentials of the current user and restarts the system using the newly created credentials. The login password is changed to “tan123456789” (this was hardcoded in the sample we acquired), but the malware author may update the threat and change the password. The account name is changed to “contact [IM ACCOUNT USER ID] if you want to know the password” (English translation), so that once the computer has restarted and the user is unable to log in, they will see the account name/message and contact the user ID in order to get the new password.

Figure 1. Login screen with changed account name after system restart

If the victim contacts the provided user ID, who is more than likely the malware author, they will see a statement on the profile page asking for approximately 20 Chinese Yuan (US$3.25). The statement says that the login password will be sent as soon as the money is received and that if the malware author is pestered by the user they will be blocked.

Symantec detects this threat as Trojan.Ransomlock.AF. For users already infected with this threat, there are several ways to restore system access:

  1. Use the password “tan123456789” to log into the system and reset the password (as mentioned before, this might not always work, as the password may be changed by the malware author)
  2. Use another administrator account to log into the system and reset the password
  3. If your current account is not a super administrator account, enter safe mode, log in as super administrator, and then reset the password
  4. Use a Windows recovery disk to reset the password