Channel: Symantec Connect - Blog Entries

how to disable UAC


How to set UAC so that it is not displayed when installing MSIs in Windows 7?


Targeted attacks using split malware


Shortcut files have recently become a common way of delivering malware to organizations in targeted attacks. Symantec has observed several techniques in which shortcut files are used to get into a network, and described one of them in an earlier blog post. We have now found another case in which a shortcut file is used both to slip past detection by security products and to trick the email recipient into running the attachment. In this variant, the email carries the malware split into pieces, together with a shortcut file that reassembles them.

The email used in this attack has an archive file attached that contains a shortcut file. The shortcut uses a folder icon, but alongside it there is also a real folder, which holds a Microsoft document file and two hidden files with a .dat extension.

Fig1_3.png

Figure 1. Contents of the attached archive file

Fig2_1.png

Figure 2. Contents of the Summit-Report1 folder

To a typical user running Explorer with default settings, the archive appears to contain nothing but two folders. Clicking one of them opens the folder containing the document file, but trying to open the "folder" that is really a shortcut runs a copy command that joins the two .dat files into a single malicious file, and the computer is infected. Note that Explorer never displays the .lnk extension of a shortcut, regardless of the "Hide extensions for known file types" setting, so the icon is all the user has to go on. The layout of the attached archive varies from sample to sample, but it always contains a file split into several parts and a shortcut file.

Fig3_1.png

Figure 3. The shortcut file's properties show part of the script used to join the .dat files

Fig4.png

Figure 4. Binary data in ~$1.dat

Fig5.png

Figure 5. Binary data in ~$2.dat

Fig6.png

Figure 6. Binary data of the executable after reassembly

There are several plausible reasons for splitting the malware before the attack and reassembling it on the victim's computer. The main one is probably to avoid detection: once the file is cut into several parts, a security product has a hard time judging any of them malicious. Another is to stop gateway security products from stripping the executable. Typical gateway products can filter attachments by file type, and because they can be configured to remove executable attachments from email, IT departments usually enforce exactly that kind of filter.

Shortcut files are very simple and cost nothing. No vulnerability has to be exploited, so the attacker needs few resources and the victim's computer does not need to be unpatched. Making the icon look like a folder or a document is also easy. Once the malicious file is prepared, all that remains is a one-line script and the attack is ready.

How can you prepare for attacks of this kind? In most environments there is no legitimate reason to attach a shortcut file to an email. If you conclude that shortcut files are not needed as email attachments, consider using the filtering function at your network gateway to block them. Since the shortcut in this campaign arrived inside an archive, the filter has to look at archive contents rather than only the outer attachment type.
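The following Python script, added here as an example and not part of the original post, reads the shortcut's command line straight out of the .lnk binary and applies the heuristics the post describes (a cmd.exe target, a copy /b with "+", references to .dat fragments, a folder icon borrowed from shell32.dll). This is the kind of check a gateway or mail filter can run on archive members without executing anything. The sample shortcut is constructed from the post's description; the ~$r.exe output name and the shell32.dll icon index are assumptions, not details from the campaign.

```python
import re
import struct

# LinkFlags bits from the Shell Link format (MS-SHLLINK 2.1.1); only those this parser needs
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_FIELDS = (  # StringData blocks appear in this fixed order, each only if its flag is set
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (target, arguments, icon) plus the icon index of a .lnk file.

    LinkTargetIDList and LinkInfo are length-prefixed, so they are skipped rather than
    interpreted; that is all that is needed to reach the command line the shortcut will run.
    """
    if len(data) < HEADER_SIZE or data[:4] != struct.pack("<I", HEADER_SIZE) or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags, = struct.unpack_from("<I", data, 20)
    icon_index, = struct.unpack_from("<i", data, 56)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        id_list_size, = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        link_info_size, = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    fields = {"icon_index": icon_index}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count, = struct.unpack_from("<H", data, pos)   # CountCharacters; no terminator follows
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def assess_lnk(data: bytes) -> list:
    """Heuristics for the reassembly trick in the post; returns the reasons that fired."""
    f = parse_lnk(data)
    cmdline = (f.get("relative_path", "") + " " + f.get("arguments", "")).lower()
    reasons = []
    if re.search(r'(^|[\\\s"])cmd(\.exe)?(?=$|[\s"])', cmdline):
        reasons.append("target is cmd.exe")
    if re.search(r"\bcopy\s+/b\b[^&|]*\+", cmdline):
        reasons.append("copy /b with '+' joins split parts into one file")
    if re.search(r"\.dat\b", cmdline):
        reasons.append("references .dat fragments")
    icon = f.get("icon_location", "").lower()
    if icon.endswith("shell32.dll") and f["icon_index"] in (3, 4):  # classic closed/open folder icons
        reasons.append("borrows a folder icon from shell32.dll")
    return reasons


def build_lnk(relative_path: str, arguments: str, icon_location: str, icon_index: int) -> bytes:
    """Assemble a minimal Unicode .lnk; used here only to construct the sample below."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20,            # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,         # creation/access/write FILETIMEs
                         0, icon_index,   # FileSize, IconIndex
                         1, 0, 0, 0, 0)   # ShowCommand=SW_SHOWNORMAL, HotKey, Reserved1-3
    id_list = struct.pack("<H", 2) + b"\x00\x00"          # IDList holding only the TerminalID

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + id_list + string_data(relative_path) + string_data(arguments) + string_data(icon_location)


# Constructed sample modelled on the post's description, not the actual attachment:
# folder icon, cmd.exe target, one-line copy /b that reassembles two hidden .dat parts.
SAMPLE_LNK = build_lnk(
    relative_path=r"..\..\..\Windows\System32\cmd.exe",
    arguments=r'/c copy /b "Summit-Report1\~$1.dat"+"Summit-Report1\~$2.dat" ~$r.exe && start ~$r.exe',
    icon_location=r"%SystemRoot%\System32\shell32.dll",
    icon_index=3,
)

if __name__ == "__main__":
    for key, value in parse_lnk(SAMPLE_LNK).items():
        print(f"{key}: {value}")
    for reason in assess_lnk(SAMPLE_LNK):
        print("suspicious:", reason)
```

Any one of these signals on its own is weak (shell32.dll folder icons and cmd.exe targets do appear in legitimate shortcuts); the combination of a cmd.exe target with a concatenating copy inside a mail attachment is what makes it worth quarantining.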

Symantec detects the malware described in this post as Trojan Horse.

 

* To subscribe to the RSS feed of the Japanese-language Security Response blog, visit http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

Storage Foundation High Availability (SFHA) 5.1SP1 Rolling Patch 4 (RP4) now available for Solaris, Linux and AIX


 

 

SFHA 5.1SP1RP4 is now available on SORT:

https://sort.symantec.com/patch/finder

 

 

Product                         Version     Type           Patch ID                          Date
Veritas Storage Foundation HA   5.1SP1PR3   Rolling Patch  sfha-sol10_x64-5.1SP1PR3RP4       2013-08-21
Veritas Storage Foundation HA   5.1SP1      Rolling Patch  sfha-sol10_x64-5.1SP1RP4          2013-08-21
Veritas Storage Foundation HA   5.1SP1PR3   Rolling Patch  sfha-sol_sparc-5.1SP1PR3RP4       2013-08-21
Veritas Storage Foundation HA   5.1SP1      Rolling Patch  sfha-sol_sparc-5.1SP1RP4          2013-08-21
Veritas Storage Foundation HA   5.1SP1      Rolling Patch  sfha-sles11_x86_64-5.1SP1RP4      2013-08-21
Veritas Storage Foundation HA   5.1SP1      Rolling Patch  sfha-sles10_x86_64-5.1SP1RP4      2013-08-21
Veritas Storage Foundation HA   5.1SP1PR3   Rolling Patch  sfha-rhel6_x86_64-5.1SP1PR3RP4    2013-08-21
Veritas Storage Foundation HA   5.1SP1PR2   Rolling Patch  sfha-rhel6_x86_64-5.1SP1PR2RP4    2013-08-21
Veritas Storage Foundation HA   5.1SP1PR3   Rolling Patch  sfha-rhel5_x86_64-5.1SP1PR3RP4    2013-08-21
Veritas Storage Foundation HA   5.1SP1      Rolling Patch  sfha-rhel5_x86_64-5.1SP1RP4       2013-08-21
Veritas Storage Foundation HA   5.1SP1PR1   Rolling Patch  sfha-aix71-5.1SP1PR1RP4           2013-08-21
Veritas Storage Foundation HA   5.1SP1      Rolling Patch  sfha-aix-5.1SP1RP4                2013-08-21

 

Sign up for SORT patch notifications on:

https://sort.symantec.com/welcome/notifications

thanks

tony

Imaginative Programs + Caring Mentors = Sparking STEM Interest in Underserved Youth


In its fiscal year 2013, Symantec contributed more than $24 million in cash and software to nonprofits working within its four philanthropic focus areas: science, technology, engineering, and math (STEM) education; online safety; diversity; and environmental responsibility. Over the next few weeks, we will hear from several of our partners on various projects and programs that Symantec is helping to support. Last week, we heard from Acterra, an environmental nonprofit serving Silicon Valley, and today we hear from Edwin Link, Sr. Director of Academic Success, Arts, and Innovation at the Boys & Girls Clubs of America.

 

Ask a kindergarten class if they like science and all kids will raise their hands. Then, ask a sixth-grade class if they like science. The number of hands raised will decrease greatly—especially the girls’. Interestingly enough, ask the same sixth-grade class if they’d like to save the environment and the majority of girls will now raise their hands.

Why is the diminishing interest in science occurring in young women, yet the underlying interest in science-related activities remains? I hope that my incredibly curious five-year-old daughter never loses interest in science as she gets older. Unfortunately, our society is one in which minorities—particularly women—are underrepresented in STEM fields. How can we help reverse this trend and encourage the growth of a qualified, diverse workforce in STEM-related fields? 

Societal Disconnect: STEM Job Growth and the Underprepared Workforce

Nearly all 30 of the fastest-growing occupations will require some education and experience in STEM, and by 2018, 1.2 million U.S. jobs will be available in STEM-related fields, according to the U.S. Bureau of Labor Statistics. However, when polled, only 14.5 percent of female students expressed an interest in STEM compared to 39.6 percent of male students. And since the graduating class of 2000, the number of African-Americans interested in STEM majors/careers has dropped 30 percent (myCollegeOptions and STEMconnector). The stark reality is that Americans, particularly underrepresented minorities, will be largely unprepared to secure these positions, putting our nation at risk of losing competitive ground in the global economy.

Out-of-School Programs' Role in Igniting STEM Interest

Research proves that out-of-school programs, like those offered at Boys & Girls Clubs, are most effective in stimulating interest in STEM-related careers. Today, more than 4,000 Boys & Girls Clubs serve nearly 4 million young people, particularly underserved youth, and enable them to achieve great futures. By partnering with technology leaders like Symantec, Boys & Girls Clubs of America (BGCA) is engaging underserved youth, including young women and minorities, in hands-on, project-based learning experiences that foster interest and exploration in STEM careers.

As the new school year begins, more youth will have the opportunity to learn about STEM during after-school hours thanks to the partnership between Symantec and BGCA. Through generous grants from Symantec, ten Boys & Girls Clubs will each receive a $7,500 grant to enhance STEM-related programming—from robotics to game design—and increase the number of youth engaged in STEM within their communities.

Success Story: SySTEMic Learning at Boys & Girls Clubs of Venice

One grant recipient, Boys & Girls Clubs of Venice in California, will be able to increase and enhance their high-quality STEM programming to 500 Club members—ages 6 to 17. Some of the inventive programs at Boys & Girls Clubs of Venice include:

  • Cyber Security – CyberPatriot, the premier national high school cyber defense competition, gives hands-on exposure to the foundations of cyber security.
  • Robotics – Club members are introduced to engineering through a partnership with FIRST Robotics for the FIRST Lego League and FIRST Robotics Challenge.
  • Underwater Robotics – Yes, underwater robotics! This pilot project uses underwater robots to teach STEM and prepare students for technical careers.
  • NASA’s B.E.S.T. Program – In partnership with NASA and the Los Angeles Unified School District's Beyond The Bell program, this unique program brings engineering principles to younger audiences.
  • Audio Engineering – Club members learn various elements of audio engineering, such as music production and vocal recording.

Hope for the Future

Thanks to the support of partners like Symantec, Venice and other innovative Clubs are able to lessen the STEM learning divide for deserving, yet underserved youth. It takes imaginative programming and caring mentors to spark interest in STEM in young adults, especially underrepresented minorities. BGCA’s goal is to teach talented kids how to make technology—rather than just consume it—and prepare our members for successful 21st century careers.

Maybe there’s hope for my daughter in STEM in the future.

 

Edwin Link is Senior Director, Academic Success, Arts, and Innovation for the Boys & Girls Clubs of America.

G20 Summit Used as Bait to Deliver Backdoor.Darkmoon


Ahead of this week's G20 summit in Saint Petersburg, Russia, attackers are leveraging the meeting's visibility in targeted attacks.

One particular campaign we have identified is targeting multiple groups. They include financial institutions, financial services companies, government organizations, and organizations involved in economic development.
 

image1_11.png

Figure 1. Email purporting to be from G20 Representative
 

The email purports to be sent on behalf of a G20 representative. The email continues:
 

Many thanks for circulating these updated building blocks. Please find the UK comments on these attached. I look forward to seeing you in St Petersburg soon.
 

The ‘building blocks’ mentioned are the theme of multiple documents, which discuss the UK government’s feedback on a series of building blocks to address development, anti-corruption, and employment.
 

image2_6.png

Figure 2. File listing for malicious attachment
 

Attached to the email is a RAR archive containing five files. Two of them masquerade as a different file type: one of the documents is actually an executable, and the .msg file is actually a .lnk shortcut, a technique we have seen used in attacks before. Because Explorer never displays the .lnk extension, the shortcut appears to the user as UKcomments.msg. If the victim tries to open it, it runs both the malicious executable and one of the non-malicious documents. The five files contained in the archive, and their MD5s, are as follows:
 

File name                                    MD5
UKcomments.msg.lnk                           7960F23DC79D75005C1C98D430FAC39B
UK_Building_block_TRADE.docx                 53C60480254BCEB41660BD40AA12CECB
UK_Building_block_ANTICORRUPTION.doc         099A1C43677FD1286B380BCBF9BE90F4
UK - Building block_EMPLOYMENT - Aug.docx    05BC1C528E6CD49C9B311C25039FC700
UK - Building block_DEVELOPMENT - Aug.docx   C9F0DFAD687F5700325C4F8AEAEFC5F8
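As an added example (not from the original post), the following Python performs the two checks this file listing calls for on an extracted archive: hash each member against the MD5s above, and compare the name's extension with the file signature, flagging a shortcut whose visible name ends in .msg and a "document" that begins with an MZ header. The member contents are constructed and will not match the listed hashes; the post does not say which of the four documents was the executable, so that member gets a made-up name here.

```python
import hashlib
import os

# MD5s listed in the post for the five files in the RAR archive
KNOWN_MD5 = {
    "7960f23dc79d75005c1c98d430fac39b": "UKcomments.msg.lnk",
    "53c60480254bceb41660bd40aa12cecb": "UK_Building_block_TRADE.docx",
    "099a1c43677fd1286b380bcbf9be90f4": "UK_Building_block_ANTICORRUPTION.doc",
    "05bc1c528e6cd49c9b311c25039fc700": "UK - Building block_EMPLOYMENT - Aug.docx",
    "c9f0dfad687f5700325c4f8aeaefc5f8": "UK - Building block_DEVELOPMENT - Aug.docx",
}

# File signatures for the container types involved; the name is a claim, the bytes are the fact
SIGNATURES = (
    (bytes.fromhex("4c000000" "0114020000000000c000000000000046"), "lnk"),  # HeaderSize + LinkCLSID
    (bytes.fromhex("d0cf11e0a1b11ae1"), "ole"),    # compound file: legacy .doc, Outlook .msg
    (b"PK\x03\x04", "zip"),                         # OOXML .docx is a ZIP container
    (b"MZ", "pe"),                                  # Windows executable
    (b"Rar!\x1a\x07\x00", "rar"),
)
EXPECTED_TYPE = {".lnk": "lnk", ".doc": "ole", ".msg": "ole", ".docx": "zip", ".exe": "pe", ".rar": "rar"}


def sniff(data: bytes) -> str:
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(name: str, data: bytes) -> dict:
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    kind = sniff(data)
    findings = []
    if ext in EXPECTED_TYPE and EXPECTED_TYPE[ext] != kind:
        findings.append(f"extension {ext} but content is {kind}")
    if ext == ".lnk" and os.path.splitext(stem)[1]:
        # Explorer never shows .lnk, so the user sees the inner name and its fake extension
        findings.append(f"shortcut will be shown as '{stem}' (Explorer hides .lnk)")
    md5 = hashlib.md5(data).hexdigest()
    return {"name": name, "md5": md5, "type": kind, "known_ioc": KNOWN_MD5.get(md5), "findings": findings}


def scan_archive(files: dict) -> list:
    """files maps member name -> bytes, e.g. as read from an extracted archive directory."""
    return [triage(name, data) for name, data in files.items()]


# Constructed member contents (the real attachment is not reproduced here); which of the four
# documents carried the executable is not stated in the post, so that member gets a made-up name.
SAMPLE_ARCHIVE = {
    "UKcomments.msg.lnk": bytes.fromhex("4c000000" "0114020000000000c000000000000046") + bytes(56),
    "building_block.docx": b"MZ\x90\x00" + bytes(60),
    "notes.doc": bytes.fromhex("d0cf11e0a1b11ae1") + bytes(24),
}

if __name__ == "__main__":
    for result in scan_archive(SAMPLE_ARCHIVE):
        flag = "IOC match" if result["known_ioc"] else "no IOC match"
        print(f'{result["name"]}: {result["type"]}, {result["md5"]}, {flag}')
        for finding in result["findings"]:
            print("   ", finding)
```

Hash matching only catches the exact files from this campaign; the signature check is what catches the next one, because the disguise (a double extension ending in .lnk, an MZ header under a document name) does not change when the payload is rebuilt.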

 

image3_6.png

Figure 3. Non-malicious document presented to the victim
 

The victim is shown a non-malicious document. What is interesting about these documents is that each has track changes enabled and contains the UK comments referred to in the original email. At this time we cannot verify the authenticity of these documents, but their metadata shows they were modified earlier this month, and the last-modified-by field names a user called "UK Government."
 

image4_2.png

Figure 4. Author information from the document
 

The malicious executable that runs in the background is known as Poison Ivy. Symantec detects this executable as Backdoor.Darkmoon.

Backdoor.Darkmoon is a well-known remote access Trojan (RAT) that has been used in various targeted attack campaigns over the years, including The Nitro Attacks which we reported on in 2011.

When executed, this version of Backdoor.Darkmoon copies itself to %Windir% as winupdsvc.exe. It then attempts to connect to the following domains (shown defanged) on ports 80, 8080, or 443:

  • [http://]www.verizon.itemdb.com
  • [http://]www.verizon.dynssl.com
  • [http://]www.verizon.proxydns.com

While this particular campaign leverages Darkmoon, we have found other campaigns from the same group using different threats. Last month, we found them using Java remote access tools (jRAT) that we identify as Backdoor.Jeetrat and Backdoor.Opsiness, also known as Frutas RAT.

Security Response is aware of other groups using the G20 Summit as a theme in targeted attacks, which showcases how this particular meeting is ripe for attackers to use as bait.

Good Security Equals Privacy


If it’s worth doing, it’s worth doing on the Internet. And it’s not just Silicon Valley startups that feel this way – cybercriminals do, too. In fact, most types of cons and crimes have migrated to the Internet. Nigerian prince scams remain alive and well, finding more willing victims. Robbing banks is now done with a mouse. And in 2012, we saw that kidnapping (called “ransomware,” and in this case holding your computer hostage) finally became viable on the Internet.

At this point, which crimes haven’t gone digital? Well, fortunately technology barriers still remain when it comes to crimes of violence (though some might argue that a DDoS attack comes close), but you might be surprised to learn that blackmail is gaining traction on the Internet.

In February, the Singapore Police sent out a notification warning of a rather tawdry blackmail scam. In essence, female scam artists secretly recorded online sessions with male victims in which they talked the victims into doing something normally done quite privately. In essence, victims were recorded in a compromising position. The recordings were then used to blackmail the victims into paying hush money to keep the videos private. There is probably no point in warning members of the male sex to stop being so stupid, but the Singapore Police did its best and advised the public on preventative measures.

However, most of us are not going to fall for this type of blackmail scam. But this does not mean we are without risk. Given human nature and the fact that we keep so much of our personal lives on our electronic devices, there is more at risk today than you may think. We reported in the 2013 Internet Security Threat Report on the increase in targeted attacks – they’re up 42 percent – and that these attacks are being directed at just about everyone. In these instances, once an attacker has penetrated your computer, the next step is to vacuum up every piece of data they can find. Not just files and passwords, but mailboxes and pictures, too.

These attackers are looking for intellectual property, but given the way our work and personal lives are all mixed together these days, it’s inevitable that information about our personal lives will get exfiltrated by attackers targeting businesses. Even personal information “in the cloud” becomes accessible if login and password information to such accounts is stolen or phished.

We can argue that the attackers are not after us, personally – their goal is to steal our intellectual property. That’s true for the most part, but crimes of opportunity may present themselves to an attacker. And why resist at all? If you’re already a cybercriminal, why not snag that piece of personal information gleaned while searching for intellectual property and blackmail the owner?

It happened to William Gerrity. In February, he bravely came forward to talk about hackers who tried to blackmail him. His blackmailers had no compromising photos or sexual liaisons to use for blackmail. Instead, they tried to use private communications as blackmail material. Finding confidential memos and personal emails, an attacker looking for business information took a shot at personal blackmail. In the end, Gerrity decided not to pay. While he’d prefer that the personal information they captured not become public, having it public was preferable to being blackmailed. Unable to extort his victim, the attacker never released the material, instead going back to his day job of stealing intellectual property.

Gerrity’s story had a happy ending, but what if the attackers had found truly compromising material? Human nature being what it is, many people likely do have compromising material on their computers. In fact, over the past year, several public figures have resigned their positions after just such material was found. In these cases, the pictures or emails indicating infidelity were made public. What if they hadn’t been? The materials would still exist. What if, instead of being made public, these pictures or emails were found by an attacker? Blackmail material indeed. 

There is a lesson for all of us here. We must think carefully about what we put on our computers and phones because there are people in this world who will try to get their hands on it. Without good computer security, we cannot keep our personal information safe, no matter how carefully we place it online. So, we must protect our personal information. Keeping our privacy is dependent on good security.

G20 Summit Used as Bait to Deliver Backdoor.Darkmoon (Japanese-language edition)


Ahead of this week's G20 summit in Saint Petersburg, Russia, attackers are exploiting the summit's visibility in targeted attacks.

One attack Symantec has identified targets several groups, including financial institutions, financial services companies, government agencies, and organizations involved in economic development.
 

image1_11.png

Figure 1. Email claiming to be sent from a G20 representative
 

The email claims to be sent on behalf of a G20 representative, and continues as follows.
 

Many thanks for circulating these updated building blocks. Please find the UK comments on these attached. I look forward to seeing you in St Petersburg soon.
 

The "building blocks" referred to here are the theme of several documents discussing the UK government's feedback on a series of building blocks addressing development, anti-corruption, and employment.
 

image2_6.png

Figure 2. Files inside the malicious attachment
 

Attached to the email is a RAR archive containing five files. Two of them disguise their file type: one of the document files is actually an executable, and the .msg file is actually a .lnk file, something that has been used in attacks before. If the victim tries to open the .msg file, both the malicious executable and one of the non-malicious documents are run. The five files in the archive and their MD5 hashes are as follows.
 

File name                                    MD5 hash
UKcomments.msg.lnk                           7960F23DC79D75005C1C98D430FAC39B
UK_Building_block_TRADE.docx                 53C60480254BCEB41660BD40AA12CECB
UK_Building_block_ANTICORRUPTION.doc         099A1C43677FD1286B380BCBF9BE90F4
UK - Building block_EMPLOYMENT - Aug.docx    05BC1C528E6CD49C9B311C25039FC700
UK - Building block_DEVELOPMENT - Aug.docx   C9F0DFAD687F5700325C4F8AEAEFC5F8

 

image3_6.png

Figure 3. Non-malicious document shown to the victim
 

The victim is shown the contents of a non-malicious document. What is notable about these documents is that all of them have track changes enabled and contain the UK comments mentioned in the original email. The authenticity of the documents cannot be verified at this time, but Symantec's analysis shows the changes were made earlier this month, and the last-modified-by field names a user called "UK Government".
 

image4_2.png

Figure 4. Author information in the document
 

The malicious executable that runs in the background is known as Poison Ivy. Symantec detects it as Backdoor.Darkmoon.

Backdoor.Darkmoon is a notorious remote access Trojan (RAT) that has been used in a variety of targeted attacks over the past several years, including the Nitro attacks Symantec reported in 2011.

When executed, this variant of Backdoor.Darkmoon copies itself to the %Windir% directory as winupdsvc.exe and then attempts to connect to the following domains (shown defanged) on ports 80, 8080, and 443.

  • [http://]www.verizon.itemdb.com
  • [http://]www.verizon.dynssl.com
  • [http://]www.verizon.proxydns.com

This attack uses Darkmoon, but Symantec has also observed the same group using other threats. Last month the group was seen using Java remote access tools (jRAT), which Symantec detects as Backdoor.Jeetrat and Backdoor.Opsiness; this threat is also known as Frutas RAT.

Security Response has confirmed that other groups are also using the G20 summit as a theme in targeted attacks, which shows that this summit is prime material for attackers to use as bait.

 

* To subscribe to the RSS feed of the Japanese-language Security Response blog, visit http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

Outlook Add-in versions


Do you know what version of the Outlook Add-in is running in your environment? Do you care what version is running? You should. In many organisations, even those that employ software deployment tools to ensure PCs are 'up to date', there are often a handful of versions/revisions of the Outlook Add-in in use.

Knowing which version is in use definitely helps when it comes to help desk calls. Some versions of the Outlook Add-in have issues which get reported from time to time, and are fixed in later versions. Sometimes it is a necessary step in the help desk process for the support engineer to ASK the user which version of the Outlook Add-in they have installed. For reference, there are a few ways that a user can provide this information (accurately):

- Version information from valkyrie.dll in the EV client program folder.

2013-09-04_11h03_09.png

- Review a client log file from %temp%

- Open the 'back stage view' or the Outlook 'About' dialog

What if you want to verify this from the server side, though? The best source of information is the IIS logs, where you'll see entries like these:

2013-09-02 23:59:59 192.168.145.20 GET /EnterpriseVault/clienttest.gif - 80 - 192.168.145.77 EnterpriseVaultOutlookExt-V10.0.4.1189 401 2 5 1394

2013-09-02 23:59:59 192.168.145.20 GET /EnterpriseVault/clienttest.gif - 80 EV\TEST1 192.168.145.77 EnterpriseVaultOutlookExt-V10.0.4.1189 200 0 0 332

2013-09-02 23:59:59 192.168.145.20 GET /EnterpriseVault/clienttest.gif - 80 EV\TEST1 192.168.145.77 EnterpriseVaultOutlookExt-V10.0.4.1189 200 0 0 245

2013-09-02 23:59:59 192.168.145.20 GET /EnterpriseVault/download.asp VaultID=1C8D0B2021BD7D34087E60FE75FDBFB741110000evserver&SaveSetID=201308307856712~201308300953240000~Z~60E81EB2FC9A8F7C560CF4981A8C2941&FormatType=Unicode&Client=EV10.0.4.1189-Outlook14&Format=MUD&AttachmentID=0 80 EV\TEST1 192.168.145.77 EnterpriseVaultOutlookExt-V10.0.4.1189 200 0 0 2856

2013-09-02 23:59:59 ::1 POST /evindexing/velocity.aspx v.app=api-soap& 80 - ::1 - 401 2 5 4

2013-09-02 23:59:59 ::1 POST /evindexing/velocity.aspx v.app=api-soap& 80 EV\vaultadmin ::1 - 200 0 0 326

2013-09-02 23:59:59 192.168.145.20 GET /EnterpriseVault/clienttest.gif - 80 EV\TEST1 192.168.145.77 EnterpriseVaultOutlookExt-V10.0.4.1189 200 0 0 216
 

You can use something like LogParser, which I've written about before, to scan the log files that you have and produce a list of versions that have been employed.
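For sites without LogParser, the following Python does the same from the IIS log, using the sample lines quoted above as input. It is an added example, not code from the original post. The field order is inferred from those lines because the log's own #Fields: header is not shown, so adjust FIELDS if your site logs a different set. Two cautions: the 401 entries are the Windows authentication challenge logged before the user name is known, so only 200 responses are counted; and the User-Agent is supplied by the client, so this is an inventory signal and not something to base access decisions on.

```python
import re
from collections import Counter, defaultdict

# W3C field order implied by the sample lines (the log's own #Fields: header is not shown in the post)
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "s-port",
          "cs-username", "c-ip", "cs(User-Agent)", "sc-status", "sc-substatus",
          "sc-win32-status", "time-taken"]

ADDIN_UA = re.compile(r"^EnterpriseVaultOutlookExt-V(?P<ver>\d+(?:\.\d+)*)$")
CLIENT_PARAM = re.compile(r"(?:^|&)Client=EV(?P<ver>\d+(?:\.\d+)*)-(?P<outlook>Outlook\d+)(?:&|$)")

# The sample entries quoted in the post (raw string: the usernames contain backslashes)
SAMPLE_LOG = r"""
2013-09-02 23:59:59 192.168.145.20 GET /EnterpriseVault/clienttest.gif - 80 - 192.168.145.77 EnterpriseVaultOutlookExt-V10.0.4.1189 401 2 5 1394
2013-09-02 23:59:59 192.168.145.20 GET /EnterpriseVault/clienttest.gif - 80 EV\TEST1 192.168.145.77 EnterpriseVaultOutlookExt-V10.0.4.1189 200 0 0 332
2013-09-02 23:59:59 192.168.145.20 GET /EnterpriseVault/clienttest.gif - 80 EV\TEST1 192.168.145.77 EnterpriseVaultOutlookExt-V10.0.4.1189 200 0 0 245
2013-09-02 23:59:59 192.168.145.20 GET /EnterpriseVault/download.asp VaultID=1C8D0B2021BD7D34087E60FE75FDBFB741110000evserver&SaveSetID=201308307856712~201308300953240000~Z~60E81EB2FC9A8F7C560CF4981A8C2941&FormatType=Unicode&Client=EV10.0.4.1189-Outlook14&Format=MUD&AttachmentID=0 80 EV\TEST1 192.168.145.77 EnterpriseVaultOutlookExt-V10.0.4.1189 200 0 0 2856
2013-09-02 23:59:59 ::1 POST /evindexing/velocity.aspx v.app=api-soap& 80 - ::1 - 401 2 5 4
2013-09-02 23:59:59 ::1 POST /evindexing/velocity.aspx v.app=api-soap& 80 EV\vaultadmin ::1 - 200 0 0 326
2013-09-02 23:59:59 192.168.145.20 GET /EnterpriseVault/clienttest.gif - 80 EV\TEST1 192.168.145.77 EnterpriseVaultOutlookExt-V10.0.4.1189 200 0 0 216
""".strip().splitlines()


def parse_line(line: str):
    """Split one W3C log line into a dict, or return None for comments and malformed lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def addin_versions(lines) -> dict:
    """Add-in version -> sorted list of (user, client IP) that presented it.

    Only 200 responses are counted: the 401 entries are the Windows auth challenge, logged
    before the user name is known. The User-Agent is set by the client, so this is an
    inventory signal only; never use it to grant or deny access.
    """
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["sc-status"] != "200":
            continue
        m = ADDIN_UA.match(rec["cs(User-Agent)"])
        if m:
            seen[m.group("ver")].add((rec["cs-username"], rec["c-ip"]))
    return {ver: sorted(clients) for ver, clients in seen.items()}


def outlook_versions(lines) -> dict:
    """(add-in version, Outlook build) -> hit count, from the Client= parameter on download.asp."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = CLIENT_PARAM.search(rec["cs-uri-query"])
        if m:
            counts[(m.group("ver"), m.group("outlook"))] += 1
    return dict(counts)


if __name__ == "__main__":
    for ver, clients in addin_versions(SAMPLE_LOG).items():
        print(f"Add-in {ver}: {len(clients)} client(s)")
        for user, ip in clients:
            print(f"    {user} from {ip}")
    for (ver, outlook), n in outlook_versions(SAMPLE_LOG).items():
        print(f"{outlook} with add-in {ver}: {n} download(s)")
```

Point the script at a day's worth of u_ex*.log files and the output is the list of add-in builds actually talking to the server, keyed by user, which is the answer to the question this post asks.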

So, do you know which versions of the Outlook Add-in are in use in your organisation.. I mean really know?


Connect Dev Notes: 04 September 2013


Updates deployed to the Connect production servers as a result of the code sprint that ended 03 September 2013.

User Facing: Desktop

  • Changed the Quick Search in the Help Center to look for titles that "contain" a search term instead of titles that "begin with" a search term. This enhancement should make the Quick Search more useful to users.
  • Fixed a label in the Subscriptions UI that was listing one of the subscription types as, "not available".
  • Fixed a transient problem in forum list pages where the "I need a solution" text was displaying inline with the forum teaser text.
  • Fixed the sort order of blog names on the RSS-Builder.

Admin Facing

  • Created a new report that can be used to monitor voting trends on Connect posts.
  • Created a new report that Symantec's social networking partners can use to verify their list of what is published on Connect against our list of what is published on Connect.
  • Resolved an issue with under-privileged users seeing the "Sticky at top of lists" checkbox under the workflow tab at the top of their submissions.
  • Fixed a UI issue with the "Connect Achievements" block displaying on admin pages where it should not.
  • Updated the code we use to schedule a pre-determined publication date and/or time for posts to Connect.
  • Refactored the UI on the admin-facing tool we use to associate products with communities on Connect.

Behind the Scenes

  • Added code that should improve our SEO by limiting items that are included in our XML Sitemap -- crawled by search engines -- to those that are relevant. We achieved this by allowing our backend system to communicate with our Adobe Analytics system, determine if a content item was relevant and if it was, add it to our XML Sitemap.

Spanish RAT


Contributor: Roberto Sponchioni

Symantec Security Response has recently come across a new remote administration tool (RAT) called Alusinus, which we detect as Backdoor.Alusins. The program was intended for the Spanish speaking underground and the builder itself is rather straightforward with several standard functions, although one function is interesting and is worth noting. The builder allows the RAT to inject itself into a clean process, such as calc.exe, svchost.exe, or notepad.exe in order to improve its chances of evading detection.
 

Spanish RAT 1.png

Figure 1. Backdoor.Alusins control panel – user name/computer name, AV and firewall information are reported back to attacker
 

Real time desktop monitoring
Backdoor.Alusins allows an attacker to view the victim’s desktop and monitor user activity in real time.
 

Spanish RAT 2 edit.png

Figure 2. Desktop view of compromised computer
 

Webcam monitoring
It can also monitor and capture real time webcam activity.
 

Spanish RAT 3.png

Figure 3. Webcam session
 

Keylogging functionality
Backdoor.Alusins also has the ability to monitor keystrokes on a compromised computer in real time in order to steal information, such as login credentials.
 

Spanish RAT 4.png

Figure 4. Keylogger
 

Harassment
The RAT allows an attacker to communicate directly with the victim by using a series of customizable system error messages. This messaging feature has the potential for great mischief or remote harassment. The attacker could, at any time, send annoying messages or popups to the victim while observing the user’s reactions through the webcam. It’s possible that whoever created this tool had online interactive scams in mind when creating this feature.
 

Spanish RAT 5.png

Figure 5. Custom error messages that can be displayed on compromised computer
 

Additionally, Backdoor.Alusins allows an attacker to perform the following actions on a compromised computer:

  • Monitor processes
  • Open Web pages
  • Open and close the optical drive
  • End sessions
  • View installed programs
  • View all services
  • Download and execute files
  • Connect to a remote host to receive commands
  • View the Windows registry
  • Retrieve the type and version of installed firewall
  • Retrieve the type and version of installed antivirus software
  • Exfiltrate system information such as computer name, user name, IP address, operating system version, and language
  • Retrieve a list of processes (PID and associated process name)
  • Send emails using specified user names and passwords
  • Steal user names and passwords for Pidgin and Filezilla
  • View or end system processes

This threat is a low-prevalence remote access tool that is aimed at, but not limited to, the Spanish-speaking hacker community. Symantec detects both the back door builder and the back door itself as Backdoor.Alusins.
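Of the capabilities listed, the Pidgin and FileZilla credential theft needs no exploit at all: both clients keep remembered passwords in XML files under %APPDATA%, FileZilla in sitemanager.xml (clear text in older 3.x builds, base64-encoded in later ones) and Pidgin in accounts.xml (clear text). The following Python, an added example rather than code from the post or from the RAT, is the defender-side check: it reads constructed copies of those two files and reports which saved passwords an intruder with file access would obtain. The host names, account names and passwords are made up.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed samples in the on-disk formats of the two clients the post names (not real data).
# FileZilla keeps saved sites in %APPDATA%\FileZilla\sitemanager.xml; older 3.x builds wrote
# <Pass> in clear text, later ones base64-encode it, which is an encoding, not encryption.
FILEZILLA_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>deploy</User>
      <Pass>Summer2013!</Pass>
      <Logontype>1</Logontype>
      <Name>production web</Name>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Type>0</Type>
      <User>backup</User>
      <Pass encoding="base64">YmFja3VwLXBhc3M=</Pass>
      <Logontype>1</Logontype>
      <Name>offsite</Name>
    </Server>
    <Server>
      <Host>ftp.mirror.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>anonymous</User>
      <Logontype>0</Logontype>
      <Name>mirror</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

# Pidgin keeps accounts in %APPDATA%\.purple\accounts.xml; a remembered password is stored in clear.
PIDGIN_ACCOUNTS = """<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>alice@chat.example.test/pidgin</name>
    <password>hunter2</password>
  </account>
  <account>
    <protocol>prpl-irc</protocol>
    <name>alice@irc.example.test</name>
  </account>
</account>
"""


def filezilla_credentials(xml_text: str) -> list:
    """(host, user, password) for every saved site whose password is recoverable from the file."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    found = []
    for server in root.iter("Server"):
        pass_el = server.find("Pass")
        if pass_el is None or not pass_el.text:
            continue   # anonymous or "ask for password" logon types have no stored secret
        secret = pass_el.text
        if pass_el.get("encoding") == "base64":
            secret = base64.b64decode(secret).decode("utf-8")
        found.append((server.findtext("Host", ""), server.findtext("User", ""), secret))
    return found


def pidgin_credentials(xml_text: str) -> list:
    """(protocol, account name, password) for every Pidgin account with a remembered password."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    found = []
    for acct in root.findall("account"):
        password = acct.findtext("password")
        if password:
            found.append((acct.findtext("protocol", ""), acct.findtext("name", ""), password))
    return found


def audit(filezilla_xml: str, pidgin_xml: str) -> list:
    """Human-readable findings that name the exposed accounts without echoing the secrets."""
    findings = [f"FileZilla: password for {user}@{host} is recoverable from sitemanager.xml"
                for host, user, _ in filezilla_credentials(filezilla_xml)]
    findings += [f"Pidgin: password for {name} ({proto}) is stored in clear in accounts.xml"
                 for proto, name, _ in pidgin_credentials(pidgin_xml)]
    return findings


if __name__ == "__main__":
    for line in audit(FILEZILLA_SITEMANAGER, PIDGIN_ACCOUNTS):
        print(line)
```

The practical consequence is that any account these two files can log into should be treated as compromised once a RAT with this capability has run on the machine, and the remediation is to rotate those passwords and stop saving them in the client (FileZilla's "Ask for password" logon type, Pidgin without "Remember password") rather than to clean the files.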

To stay protected against this remote access tool and other threats it is essential that users keep their antivirus definitions, operating system, and software up-to-date.

Save the Date - VMware Backups That Work Google+ Hangout


We’ve pushed the backup performance envelope so that you don’t have to! VMware Backup Benchmarks have been around since 2007 and continue to be an important part of keeping data centers running smoothly.

Tune in to the next installment of our Google+ Hangout Virtual Vision series for an in-depth discussion and lessons learned from a panel of experts on a best-practice framework and performance benchmarks based on VMware’s vStorage APIs for Data Protection (VADP). We’ll show you how to protect 4 TB of virtual machine data an hour, and how easily this can be done with minimal hardware and a small budget.

Tune in and get your questions answered live by our expert panelists during the event by submitting them via the hashtag #SYMCHangout or the Google+ events page.

 

Panelists:

George Winter - Technical Product Manager, Symantec, vExpert

Abdul Rasheed - Technical Marketing Manager, Symantec, vExpert

Alex Sakaguchi - Product Marketing Manager, Symantec

 

Mark your calendars:

Title:  VMware Backups That Work Google+ Hangout

Date: Wednesday, September 11, 2013

Time: Starts at 9:30 a.m. PT / 12:30 p.m. ET

Length: 1 hour

Where:  Google+ Hangout: http://bit.ly/1efz3zB

 

 

 

Spanish RAT (Japanese-language edition)


Contributor: Roberto Sponchioni

Symantec Security Response recently discovered a new remote access tool (RAT) called Alusinus, detected as Backdoor.Alusins. The program is aimed at the Spanish-speaking underground, and the builder itself is a simple one with several standard functions, but one of them is interesting and worth noting: the builder lets Backdoor.Alusins inject itself into a legitimate process such as calc.exe, svchost.exe, or notepad.exe to make detection harder.
 

Spanish RAT 1.png

Figure 1. Backdoor.Alusins control panel: user name, computer name, and antivirus and firewall information are reported to the attacker
 

Real-time desktop monitoring
Using Backdoor.Alusins, an attacker can view the victim's desktop and monitor the user's activity in real time.
 

Spanish RAT 2 edit.png

Figure 2. Desktop view of the compromised computer
 

Webcam monitoring
It can also monitor and capture webcam activity in real time.
 

Spanish RAT 3.png

Figure 3. Webcam session
 

Keylogger function
Backdoor.Alusins also has a function to monitor keystrokes on the compromised computer in real time in order to steal login credentials and other information.
 

Spanish RAT 4.png

Figure 4. Keylogger
 

Harassment
Using this RAT, an attacker can customize system error messages and send them directly to the victim. This messaging function could be used for malicious pranks or remote harassment: the attacker can send annoying messages or pop-ups to the victim at any time while watching the victim's reaction through the webcam. The author of this tool may have had interactive online scams in mind when implementing this feature.
 

Spanish RAT 5.png

Figure 5. Arbitrary error messages can be displayed on the compromised computer
 

In addition, Backdoor.Alusins lets the attacker perform the following actions on the compromised computer:

  • Monitor processes
  • Open web pages
  • Open and close the optical drive
  • End sessions
  • View installed programs
  • View all services
  • Download and execute files
  • Connect to a remote host to receive commands
  • View the Windows registry
  • Retrieve the type and version of the installed firewall
  • Retrieve the type and version of the installed antivirus software
  • Extract system information such as computer name, user name, IP address, operating system version, and language
  • Retrieve the list of processes (PIDs and corresponding process names)
  • Send email using specified user names and passwords
  • Steal user names and passwords for Pidgin and FileZilla
  • View or terminate system processes

Backdoor.Alusins is not a widespread RAT; it is aimed at, but not limited to, the Spanish-speaking hacker community. Symantec detects both the backdoor builder and the backdoor itself as Backdoor.Alusins.

To protect against this RAT and other threats, keep antivirus definitions, the operating system, and software up to date at all times.

 

* To subscribe to the RSS feed of the Japanese-language Security Response blog, visit http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

Enterprise Vault 11 Beta Program


Are you eager to get a sneak peek at the all-new features of the Enterprise Vault 11 release? Then here is your chance, by participating in the upcoming Enterprise Vault 11 Beta program. Beta is a major milestone in our product release cycle, and we would like you to get early insight into these features to help you prepare for the release. It will also help us gather important feedback on them. Below is a high-level summary of the key features we plan to make available in the beta program.

 

  1. Enterprise Vault Search – is a new and much anticipated end-user search UI which will provide a rich & cross browser search experience. It is intended to enhance and unify the search options available to end-users and provide a slick & easy to use interface. It will allow users to access and search/navigate their archive folder hierarchy on any browser, run and save search terms, export search results, utilize advanced search queries and much more.

  2. Mail Connect – will provide the ability to browse & search the archive via IMAP protocol compatible clients from various platforms such as mobile, tablets, laptops and desktops. This opens up direct access to the user archive from an array of different clients and will be especially useful if you have Mac clients or are moving your email services to the cloud but want to retain your EV data on premise.

  3. PST Migration Enhancements – will provide enhancements to the native PST migration capabilities by allowing administrators to group, filter and sort information in the admin console as well as delivering an all new live dashboard to track migration progress. Other exciting features include the ability to migrate password protected PST files.

  4. Enhanced SCOM Monitoring – will provide improved daily monitoring of key Enterprise Vault resources to help identify any issues or failures in the Enterprise Vault environment.

 

If you are interested please email us by clicking on the appropriate region you are based out of (APJ / EMEA / Americas), and we will get back to you with more details about the beta program & participation.

 

We are looking forward to your participation in the beta program and your valuable feedback on the features.

Small Businesses: The Shift in Website Threats


Last year saw a shift in website threats, with more targeted attacks emerging that were aimed at small and medium businesses. While website security should always be at the forefront of any online business, a new Symantec infographic emphasises the importance of paying attention to the findings and enforcing any necessary changes in the online presence of a SME so that they are less likely to become the victim of malicious threats.

The first part of the Infographic takes a look at some of the concerning figures that were seen last year, including the phenomenal 24 million identities that were stolen as a result of one breach of security[1]. It shows that online security is an essential part of everyday working life, with hackers continuing to play a huge role when it comes to data breaches. While 88% of breaches were reported to be due to outside attacks, the remaining 12% indicates that SMEs need to be aware of their employees just as much as they should worry about an anonymous hacker.

Over the past year, research has shown that the manufacturing industry has emerged as one of the main targets of targeted attacks, accounting for 24% of targeted threats, i.e. those aimed at an individual or a group within an organisation. Recent figures also show that there was a 13% increase in SME attacks during 2012 compared with 2011.

Part two of the Infographic goes into more detail about specific vulnerabilities that were witnessed over the course of 2012. A massive 556 million people were victims of some sort of cybercrime (e.g. spam, phishing and malware attacks) last year, with the occurrence of phishing using social media increasing by 123%. Typical threats included fake gift cards and survey scams, which accounted for more than half of social media attacks. Phishing websites are continuing to use false SSL certificates to lure users into thinking they are legitimate sites, with prevalence rising by 46% in 2012 compared to 2011. The emergence of Extended Validation SSL Certificates is one way that the industry has reacted to this rise in phishing sites. The growing use of Extended Validation SSL Certificates, which trigger browsers to indicate that a user is on a secured site by turning the address bar green, helps users easily differentiate between genuine and fake sites. A small business needs to be aware that employees may stumble upon one of these sites as a result of day-to-day browsing, so the need for up-to-date, effective internet security software, as well as user awareness, is paramount.

Any small or medium business needs to be aware of the importance of online security and ensure that they are doing everything in their power to avoid becoming a victim of malicious activity. This latest research as presented by Symantec serves to further drive this message home, urging business owners to protect their interests as fully as possible.

Download Part One and Part Two of the full Website Security Threat Report now.

 

Coming Soon: Symantec's 2013 Corporate Responsibility Report


Corporate responsibility is inherent to Symantec’s business and built into our priorities and values. This month Symantec will release its FY13 Corporate Responsibility Report, which provides an update on our performance and progress on key goals over the last year.

In the coming weeks, several Symantec employees will share their thoughts around our progress in several of our key CR focus areas: environmental responsibility, online safety, and gender and diversity.

We’ll hear from Kelly Shea, Global Sustainability Program Manager; Cecily Joseph, Senior Director, Corporate Responsibility; Marian Merritt, Norton Internet Safety Advocate; and Charmy Ruparel, Program Manager, Diversity & Inclusion. We look forward to bringing you their perspectives and insights on our FY13 CR strategy and performance.

Stay tuned for this series starting this Tuesday, 9/10!

 

Lora Phillips is Symantec's Senior Manager, Corporate Responsibility.

 


When is a Basic Inventory not a Basic Inventory?


Today is riddle day. So here it is in full:

When is a basic inventory not a basic inventory?

When it's a custom inventory!!!

So, now this explains why we are getting thousands of custom inventories every day at my customer. The custom inventories are generated by VBS and, as documented here on Connect [1] (and I'm sure in much of the product documentation), we generate NSEs with a msgTo element pointing to the Basic Inventory Dataclass:

'----------------------NOTIFICATION SERVER ENTRY STARTS HERE------------------
dim nse
set nse = WScript.CreateObject ("Altiris.AeXNSEvent")
' The msgTo destination: this is the Basic Inventory capture item guid, so every
' custom inventory NSE built from this template is logged as a Basic Inventory.
nse.To = "{1592B913-72F3-4C36-91D2-D4EDA21D2F96}" 'Never change this guid, it is needed by NS.
nse.Priority = 1
dim objDCInstance
set objDCInstance = nse.AddDataClass ("{8284a0ad-b37f-4c9b-b0ad-cb92f97d7401}") ' Change this to match the guid of the custom data class
dim objDataClass
set objDataClass = nse.AddDataBlock (objDCInstance)
' Remainder of the standard custom inventory template (assumed, not quoted in the post):
' add one row, populate its columns, then queue the event for the Altiris Agent to send.
dim objDataRow
set objDataRow = objDataClass.AddRow
objDataRow.SetField 0, "value for column 0"
nse.SendQueued
'----------------------NOTIFICATION SERVER ENTRY ENDS HERE--------------------

Remains to see what can be done about this, so we have event data logged on the Evt_NS_Event_History showing apples for apples, and not custom inventory as basic inventory...

[1] https://www-secure.symantec.com/connect/forums/problem-about-custom-inventory

NetBackup Snapshot Client Terminology Explained


Recently one of the fans of NetBackup on Facebook asked a question. Although his questions were specific to the difference between Snapshot Client backups and regular backups, I thought it might be better to explain this in a blog and post it for the benefit of newer NetBackup Administrators.

NetBackup Client: The client side of NetBackup software on the system being protected. Its role is to read from disk and send data to backup storage and metadata to the backup catalog.

NetBackup Snapshot Client: The feature on the NetBackup client that takes a snapshot of the file system state or application prior to performing backups. On UNIX/Linux platforms, this operation requires a specific policy attribute to be turned on to use this feature. On Windows, this feature is automatically enabled to make use of Windows’ Volume Shadow Copy Service (VSS).

What is the value of Snapshot Client over regular NetBackup client?

On UNIX/Linux platforms, the Snapshot Client feature enables you to take a snapshot of supported file systems prior to taking backups. You also have the ability to offload the backup to an alternate client or media server when making use of this feature.

On Windows platforms, Windows VSS integration already provides the ability to take the snapshot even when the Snapshot Client attribute is not turned on in the policy. Hence the primary advantage of using Snapshot Client on Windows is to offload the backup to an alternate client (which can also be a media server).

FlashBackup: FlashBackup is a backup method (based on Symantec’s patented technology) that provides the performance advantage of backing up the raw device while providing you the flexibility to restore individual files from the raw device backup. Note that traditional raw device/partition backups require you to restore the entire partition. In FlashBackup, the file system structure and metadata is indexed using a patented technology after which the entire device is read in raw mode.

Is FlashBackup a Snapshot Client feature?

Yes, FlashBackup is a feature of Snapshot Client. However, you may not need to specifically turn on the Snapshot Client attribute in the policy because the use of snapshots is implied when you set your policy type to FlashBackup. The default snapshot method for the file system (e.g. VSS for Windows, nbu_snap for Solaris, vxfs_snap for HP-UX etc.) is chosen with FlashBackup, but you do have the option to override it in the policy.

How about VMware/HyperV policy type?

These are also special cases of Snapshot Client where FlashBackup technology is enhanced further (there is a set of technologies under the umbrella named Symantec V-Ray) to provide agentless backups of virtual machines from an off-host system. The inner workings of Symantec V-Ray are covered in this blog series.

Do you have questions or clarifications on terminology? Engage with NetBackup on Facebook/Twitter and we may post a detailed response here on Connect.

Enterprise Vault retrievals using Outlook Web App

A question which came from the Symantec Enterprise Vault Connect forums the other day deserves a little more of an answer than I originally gave. The question is:
 
When you retrieve an item from a shortcut using Enterprise Vault with Outlook Web Access, where is the temporary message stored?
 
Well, the short answer is that it is stored in the user's 'Deleted Items' folder, as hidden messages. You can see them using Outlook Spy or similar:
 
[Screenshot: 2013-09-05_21h58_47.png]
 
Another question, which is sometimes asked:
 
When or how are these messages cleaned up?
 
In OWA 2010, the Enterprise Vault extensions should clear up the message when the mail window in Internet Explorer is closed. If tracing is enabled you would see:
 
05/09/2013 21:53:06 [5040,1] [RequestProcessor::ProcessEVItemAction] Deleting item
 
There is always the situation, though, where a few stray messages might get left behind, so the mailbox archiving task also cleans up each mailbox. If you DTRACE the archiving task you'll see entries like this:
 
150     21:55:11.087     [5896]     (ArchiveTask)     <11632>     EV:L     {CArchivingAgent::ProcessOWARestoredItems} (Entry) Checking wastebasket for OWA-restored items and deleting them if they've timed out

151     21:55:11.087     [5896]     (ArchiveTask)     <11632>     EV:L     {CArchivingAgent::ProcessOWARestoredItems:#23059} 'OWARestoredItemTimeOut' set to [120] minutes.

152     21:55:11.088     [5896]     (ArchiveTask)     <11632>     EV:L     {CArchivingAgent::ProcessOWARestoredItems:#23065} Deleting items restored on or before [18:55:11 05/09/2013].

153     21:55:11.198     [5896]     (ArchiveTask)     <11632>     EV:L     {CArchivingAgent::ProcessOWARestoredItems:#23116} Found [0] expired OWA-restored items to delete in the wastebasket.

154     21:55:11.198     [5896]     (ArchiveTask)     <11632>     EV:L     {CArchivingAgent::ProcessOWARestoredItems} (Exit) Status: [Success]

155     21:55:11.198     [5896]     (ArchiveTask)     <11632>     EV:M     :CArchivingAgent::ProcessUser() |Getting the users mailbox folder and state. |
 
Interesting!
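As an added example (not code from the original post and not part of Enterprise Vault itself), here is a small Python parser for the DTRACE lines quoted above. It splits each record into its fields and then pulls out the OWARestoredItemTimeOut value, the cutoff time, the number of expired OWA-restored items found and the exit status, which is what you would want when checking that the cleanup is actually running across many mailboxes. The sample lines are the ones from the post, embedded so the script runs offline; the record layout is assumed from those lines only.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the DTRACE lines quoted in the post, embedded here so the parser runs offline.
SAMPLE_TRACE = """\
150     21:55:11.087     [5896]     (ArchiveTask)     <11632>     EV:L     {CArchivingAgent::ProcessOWARestoredItems} (Entry) Checking wastebasket for OWA-restored items and deleting them if they've timed out
151     21:55:11.087     [5896]     (ArchiveTask)     <11632>     EV:L     {CArchivingAgent::ProcessOWARestoredItems:#23059} 'OWARestoredItemTimeOut' set to [120] minutes.
152     21:55:11.088     [5896]     (ArchiveTask)     <11632>     EV:L     {CArchivingAgent::ProcessOWARestoredItems:#23065} Deleting items restored on or before [18:55:11 05/09/2013].
153     21:55:11.198     [5896]     (ArchiveTask)     <11632>     EV:L     {CArchivingAgent::ProcessOWARestoredItems:#23116} Found [0] expired OWA-restored items to delete in the wastebasket.
154     21:55:11.198     [5896]     (ArchiveTask)     <11632>     EV:L     {CArchivingAgent::ProcessOWARestoredItems} (Exit) Status: [Success]
155     21:55:11.198     [5896]     (ArchiveTask)     <11632>     EV:M     :CArchivingAgent::ProcessUser() |Getting the users mailbox folder and state. |
"""

# Record layout assumed from the lines above: seq, time, [pid], (process), <thread>, EV:<level>, message.
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+\[(?P<pid>\d+)\]\s+"
    r"\((?P<proc>[^)]+)\)\s+<(?P<tid>\d+)>\s+(?P<level>EV:[A-Z])\s+(?P<msg>.*)$"
)

# Message patterns for the OWA-restored item cleanup, taken from the quoted trace.
TIMEOUT_RE = re.compile(r"'OWARestoredItemTimeOut' set to \[(\d+)\] minutes")
CUTOFF_RE = re.compile(r"Deleting items restored on or before \[([^\]]+)\]")
FOUND_RE = re.compile(r"Found \[(\d+)\] expired OWA-restored items")
STATUS_RE = re.compile(r"\(Exit\) Status: \[(\w+)\]")


@dataclass
class TraceLine:
    seq: int
    time: str
    pid: int
    proc: str
    tid: int
    level: str
    msg: str


@dataclass
class OwaCleanupSummary:
    timeout_minutes: Optional[int]
    cutoff: Optional[str]
    expired_found: Optional[int]
    status: Optional[str]


def parse_trace(text: str) -> List[TraceLine]:
    """Parse DTRACE output into structured records, skipping lines that do not match the layout."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        records.append(TraceLine(int(m["seq"]), m["time"], int(m["pid"]), m["proc"],
                                 int(m["tid"]), m["level"], m["msg"]))
    return records


def summarize_owa_cleanup(records: List[TraceLine]) -> OwaCleanupSummary:
    """Extract the timeout, cutoff, item count and status from the ProcessOWARestoredItems lines."""
    summary = OwaCleanupSummary(None, None, None, None)
    for rec in records:
        if "ProcessOWARestoredItems" not in rec.msg:
            continue  # only the wastebasket cleanup is of interest here
        if m := TIMEOUT_RE.search(rec.msg):
            summary.timeout_minutes = int(m.group(1))
        elif m := CUTOFF_RE.search(rec.msg):
            summary.cutoff = m.group(1)
        elif m := FOUND_RE.search(rec.msg):
            summary.expired_found = int(m.group(1))
        elif m := STATUS_RE.search(rec.msg):
            summary.status = m.group(1)
    return summary


if __name__ == "__main__":
    print(summarize_owa_cleanup(parse_trace(SAMPLE_TRACE)))
```

Feed it a full DTRACE capture instead of the sample and a `status` other than `Success`, or a missing timeout line, is the signal that stray hidden messages are not being cleaned up for that mailbox.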
 
 

Creating Self-Documenting Monitor Solution Reports


 

I've been messing around the last few days with a combination of T-SQL and Word macros to create a way of documenting the policies and rules for Altiris Monitor 7.1 servers.

All pretty much done, so I am writing it up for CONNECT.

Here's a taster graphic, though, of the end result, which was created by:

  1. Running some SQL
  2. Pasting the results into Excel
  3. Copy/Pasting table from Excel into Word
  4. Clicking on a Macro button
  5. Selecting a table layout and adjusting columns

All in all a couple of minutes' work! The symbols you see are shorthands for severity, agent-based/agentless, repeats and alert reset method.

[Screenshot: Mon_RuleReportTbl.PNG]

NetBackup 7.6 First Availability (FA) Program announced for October


Recently, a letter was sent out announcing the NetBackup 7.6 First Availability (FA). If you didn't receive it, here is a crossposting. (Note that I personally have no information beyond what's in this letter; please use the contact address below if you have any questions.)

Dear NetBackup Customer:

We are pleased to inform you that Symantec NetBackup 7.6 will have a First Availability (FA) program.  The FA is expected to be available in early October, 2013.  Just as with NetBackup 7.5, Symantec is offering the opportunity to obtain and run production-ready General Availability (GA) NetBackup 7.6 as soon as it becomes available.  Through the First Availability program, you can take advantage of the latest feature capabilities that have been made available in NetBackup.  

What are the key new features of NetBackup 7.6?

  • NetBackup Accelerator support for virtual machines including applications
  • VMware Instant Recovery
  • Oracle Policy Framework
  • 3X faster backup and restore with MSDP (Media Server Deduplication Pool)
  • SLP (Storage Lifecycle Policy) windows and targeted AIR (Auto-Image Replication)
  • Replication Director VMware, Application, and Block Array Support
  • Extensive support for Windows 2012

Is this an alpha or beta program?

No.  First Availability software is production ready GA software that has passed stringent Symantec release and quality criteria.   This is not an alpha or beta program and we encourage and fully support FA code in production environments.  The First Availability program provides GA quality software to you as soon as it becomes available.

What is the difference between First Availability and General Availability?

The First Availability program allows customers access to software at the same time that it is ready to begin the GA hosting process. The GA software will be available via FileConnect/DVD Media; this will be the same version you receive through the First Availability program and no further upgrade or action is necessary.

When does the First Availability program end?

NetBackup FA code is fully supported through support.  Once the GA posting is complete on the Symantec web-site, the software and the e-mail address will be removed from the download site.

What’s next?

Please register here if you are interested in the NetBackup 7.6 Program: https://symbeta.symantec.com/callout/?callid=E473ECD54F244C5A86197A3A555A107F

If you have any additional questions then please send email to: DL-ENG-NBU-First-Avail@symantec.com.  

For those who express an interest in participating, expect to hear from us again once the software is available for download.
