
Announcing Managed PKI Service v8.7


Follow Managed PKI on Twitter @SymantecMPKI

Symantec Managed PKI (MPKI) 8.7 is now live - with improvements to ease of use and manageability, stronger integrations with Mobile Device Management (MDM) solutions such as Airwatch, Fiberlink, and Symantec SMM; and broader ecosystem support with certificate support for LTE Base Stations, Smart Meters, and Airline e-Enabling.

Summary of New Features:

  • Better integration with MDM solutions (Airwatch, Fiberlink, and Symantec SMM)
  • Support for new ecosystems:
    • Smart Meters – lightweight certificates to establish trust between devices
    • LTE Base Stations – delivering operator certificates to support 3GPP standards
    • Airline e-Enabling – operations security via authentication and digital signatures (wired and wireless)
  • Ability for device manufacturers to order certificates asynchronously in a batch to support future enhancements in the Machine-to-Machine (M2M) interaction space
  • PKI Client enhancements improve ease of use and support for 3rd party hardware vendors
  • Administrative enhancements improve manageability and migration from competitive solutions
  • Updated language support for PKI Manager, PKI Certificate Services, and PKI Client

The Symantec Managed PKI Service is not only a key component in supporting current standards such as 3GPP, but is committed to providing solutions for technology growth areas such as Smart Grids, Airline e-Enabling, and future M2M developments.  Support for new ecosystems and enhanced integrations with MDM vendors increase the flexibility of MPKI and its ability to address a wide range of scenarios and BYOD initiatives, while administrative enhancements improve the user experience.   Symantec is the leader in establishing a trusted relationship between a device and its user or other devices on the network.

Feature Highlights:

Support for New Ecosystems

MPKI continues to enhance support for well-known integrations, such as with MDM solutions, in addition to developing support for new growth areas such as those detailed below.

  • LTE Base Station Security – 3GPP standards require that key network elements of a wireless operator's LTE network, such as a base station (eNodeB) or the Security Gateway (SEG), be secured using digital certificates. Both vendor digital certificates, which are embedded at manufacturing time, and operator digital certificates are required. The MPKI 8.7 enhancements focus on the operator certificates, which need to be delivered over a CMP v2 interface.
  • Smart Grid Support – PKI Manager now includes optional functionality that allows an enterprise to issue certificates compliant with recent Smart Grid technology. Smart Grid-compliant certificates are lightweight certificates that do not include all of the certificate extensions of standard certificates. These certificates can be issued to operational devices (such as smart appliances) and other Smart Grid-compliant devices (such as Push and Server devices). The strong public key authentication provided by the certificates is used to establish trust between these components of the Smart Grid network.
  • Airline e-Enabling – Modern airplanes (e.g. the Boeing 787 Dreamliner) use a significant number of digital certificates in operations to ensure security via authentication and digital signatures. Applications include back-office e-enabling, ground support, airplane identity and maintenance, terminal/hangar wired and WiFi connectivity, and external application integration. MPKI 8.7 provides the necessary certificates and management to secure these critical functions while allowing users the required flexibility and mobility.

Support for M2M interactions

There is a growing need in the Internet of Things (IoT) or the more technical term Machine-to-Machine (M2M) interaction space to embed digital certificates into a variety of devices which connect and autonomously communicate with each other. Early examples of such devices include Cable Modems, Digital TVs, and WiMAX devices, but the market is expected to evolve into a broad range of devices in the future beginning with network elements and smart meters and expanding far beyond that. Symantec MPKI Service provides a flexible way to configure certificate profiles that can be used with a batch interface for requesting these certificates. Device Manufacturers are expected to upload requests for certificates providing a batch of device identifiers and will in turn receive a batch of certificates and private keys, which can be injected into devices within the secure confines of the manufacturing process. This positions us to take advantage of new growth areas as they develop.

PKI Client Enhancements

With each successive release MPKI continues to improve ease of use and interoperability with 3rd party hardware vendors.  With this release we have added several enhancements to our PKI Client.

  • PKI Client supports post-processing for VPN networks on Mac-based devices, enabling you to take advantage of automated functions on the MPKI system to configure certificates for commonly used applications.
  • Additional tokens and smartcards such as the SafeNet iKey 2032 and 4000 that work with the SafeNet CSP, or tokens such as the Gemalto SA .NET Dual that work with the Microsoft based CSP are now supported.  This allows you to leverage your existing investment in hardware. 
  • Chrome browser support added to current support for IE and Firefox for Windows environments.
  • Windows Vista (32-bit) support added to current support for Windows XP, Windows 7, MacOS X – providing more platforms to support your BYOD needs
  • Simplified Chinese added to our supported languages for PKI Client

MPKI Administrator Enhancements

  • Ease of migration – For migrating customers, Administrators can now import PKCS#12 files that were not generated by MPKI into PKI Manager, and set the policy to be used during key recovery of these certificates.
  • Administrative Enhancements – Administrators may now assign seat counts to sub-accounts and more easily delete users, which automatically revokes the certificates associated with that user. Additionally, multiple certificates may be deleted using search filters. For Administrators this means:
    • The dataset stays clean and manageable, as test certificate profiles and dummy data can be deleted after Administrators finish testing new release features.
    • Bulk deletion of certificates using various search filters makes Administrators more efficient. For example, if your organization is planning for a layoff, you now have fewer steps to delete all the users and all their certificates.
    • Being able to allocate seats to sub-accounts from the total number purchased makes it easier to track seat usage across the sub-accounts. For example, if you have sub-accounts based in multiple regions (e.g. APJ and the US), you may want to take advantage of this management feature.

Platform and OS Requirements:

The following are the platform and OS requirements for MPKI 8.7.

PKI Manager

  • Windows 7: IE 8, IE 9; FireFox 17
  • Windows XP SP3: IE 8 (32-bit); FireFox 17

PKI Certificate Service

  • Windows 7: IE 8, IE 9; FireFox 17; Chrome 23*
  • Windows XP SP3: IE 8; FireFox 17; Chrome 23*
  • MacOS X v10.7: Safari 5.1; FireFox 17
  • MacOS X v10.8: Safari 6; FireFox 17

*Chrome browser is supported for certificate lifecycle operations using PKI Client only

PKI Client

  • Windows Vista SP2 (32-bit): IE 8, IE 9; FireFox 17; Chrome 23
  • Windows 7: IE 8, IE 9; FireFox 17; Chrome 23
  • Windows XP SP3: IE 8; FireFox 17; Chrome 23
  • MacOS X v10.7: Safari 5.1; FireFox 17
  • MacOS X v10.8: Safari 6; FireFox 17

PKI Enterprise Gateway

  • Windows 2008 R2, Windows 2008 R2 SP1: IIS 7.5, .NET Framework 4.0

See the MPKI System Requirements webpage for a full list of supported iOS and Android devices.

Language Support

Managed PKI v8.7 includes support for the following languages:

  • PKI Manager supports English, French, and Japanese
  • PKI Certificate Services supports English, French, German, Japanese, Portuguese, Norwegian, Spanish, and simplified Chinese
  • PKI Client supports English, French, German, Japanese, Portuguese, Norwegian, Spanish, and simplified Chinese.

End-of-Life Announcements:

As the PKI market evolves, Symantec regularly assesses market trends and re-balances its solution portfolio to best meet its customer needs. Being a market leader in security services, Symantec continues to re-invent and strengthen its service technologies and solutions to deliver more business value to its customers. As the size and scope of its product portfolio increases and changes, Symantec must proactively end-of-life services and support for certain third-party platforms and applications. At the same time, Symantec will continue to add support for new platforms and applications to replace discontinued services and components.

Please note that, as stated in the announcement distributed in November, all versions prior to Managed PKI 7.3 and all versions prior to Managed PKI for Windows 6.2 will reach end of life on July 31, 2013.

Note that the date above is for planning purposes only. Symantec will not accelerate the date without prior notice. However, if the situation is warranted, we reserve the right to delay the date and continue supporting these products for longer than planned.

If you are unsure as to what version you have please contact your Sales representative or Support.

Technical Support:

We value your business and are committed to customer care. Please contact us if we can assist or answer any questions. Symantec Support can be reached via email at enterprise_pkisupport@symantec.com or by phone at +1-650-426-3535 or 1-800-579-2848.
Disclaimer: Any information regarding pre-release Symantec offerings, future updates or other planned modifications is subject to ongoing evaluation by Symantec and therefore subject to change. This information is provided without warranty of any kind, express or implied.  Customers who purchase Symantec offerings should make their purchase decision based upon features that are currently available.


What Will Be Your Favorite Presentation at Vision 2013? YOURS!


The Vision 2013 Call for Papers is now open.

Do you have a case study featuring successful implementations of Symantec products? Or best-practice tips and tricks using Symantec solutions? The Vision team is now accepting proposals for sessions at Vision 2013 Las Vegas.

To apply, simply provide a brief summary of what you would like to cover in the session and why it would appeal to Vision attendees. The Vision team will respond to all applications by February 8, 2013.

You can submit your proposal HERE.

 


Trojan.Pandex - A New Spam Campaign


Contributed by: Lionel Payet

Last week we reported on the current coexistence of W32.Waledac and W32.Virut, but we must not forget that other spam botnets, such as Trojan.Pandex (also known as Cutwail), are still attempting to spread.

The attackers behind W32.Cridex use a variety of attack vectors to distribute their malware. For example, they use the Blackhole exploit kit and try to deceive users with crafted PDF documents, but since the start of this month they have been mounting more elaborate attacks.

The attackers have succeeded in compromising legitimate websites and hosting a malicious HTML file on them. When this HTML file redirects the user to the Blackhole exploit kit, W32.Cridex is downloaded onto the compromised computer. So how did the attackers try to lure users? This is where the botnet comes in.

The Pandex botnet, also known as Cutwail or Pushdo, is not a new threat. It has been active for more than six years and accounts for roughly 18 percent of the spam that Symantec products detect worldwide each day. Besides sending spam, it also has the ability to harvest email addresses from compromised computers, which are then used in subsequent campaigns. Symantec has several detections in place for this threat.

Based on telemetry, we estimate the distribution of this threat to be as shown in the following map.

Figure 1. Distribution map of Trojan.Pandex spam activity

W32.Cridex attack vector

The following diagram shows how W32.Cridex reaches and infects a computer.

Figure 2. W32.Cridex attack vector

Computers infected with Trojan.Pandex send emails like the following.

Figure 3. Sample email sent by Trojan.Pandex

When the user clicks the link, the browser loads a malicious HTML file hosted on judiciary.go.ke, which then redirects to the following malicious URL:

  • dfudont.ru:8080/[REMOVED]/column.php

This domain resolves to the following locations:

  • 212.112.[REMOVED] (Germany)
  • 89.111.[REMOVED] (Russian Federation)
  • 91.224.[REMOVED] (Lithuania)

Symantec has numerous IPS detections for the Blackhole v2 exploit kit, and telemetry data shows the following signatures triggering on the malicious URL:

  • Web Attack: Blackhole Exploit Kit Website 8
  • Web Attack: Blackhole Exploit Kit
  • Web Attack: Blackhole Functions
  • Web Attack: Blackhole Toolkit Website 20
  • Web Attack: Blackhole Toolkit Website 31

The distribution of these detections is shown in the following map.

Figure 4. Distribution of IPS detections related to the Blackhole exploit kit

When the Blackhole exploit kit attack succeeds, W32.Cridex is downloaded onto the compromised computer. Symantec has the following detections in place.

This worm communicates with a command-and-control (C&C) server, downloads files from and uploads files to that server, and executes files on the compromised computer, so users may be exposed to further malware.

At the time of analysis, the following C&C servers were in use:


Our analysis confirmed the findings published by Dynamoo. We have also confirmed that the compromised server was notified and the malicious file has been removed.

Make sure your operating system and software are up to date, and avoid clicking suspicious links when browsing the web or checking email.

 

* To subscribe to the RSS feed of the Japanese Security Response blog, visit http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

MDK: China's Largest Mobile Botnet


In a blog post in February 2012, we reported on Android.Bmaster (also known as Rootstrap). It had infected hundreds of thousands of devices and was, at that time, the largest mobile botnet recorded to date. Bmaster has recently been surpassed in scale by the newly discovered MDK botnet. Named Android.Troj.mdk, it is believed, according to Kingsoft, to be hiding in more than 7,000 apps and to have infected as many as 1 million devices.

Symantec's analysis identifies the MDK Trojan as a new variant of Android.Backscript. Detection for this threat family was added in September 2012. MDK's code closely resembles that of Android.Backscript, and the certificate used to sign the APK is the same. What distinguishes this variant from earlier versions is that it uses the AES (Advanced Encryption Standard) algorithm to encrypt data in its files, such as the server addresses and commands.

Figure 1. The same certificate is used by MDK and Android.Backscript

Figure 2. File containing the encrypted servers and commands

 

Once the Trojan is installed, the attacker can remotely control the user's device, collect user data, download additional APKs, and display unwanted advertisements. The following server is used to download scripts and additional APKs:

app.looking3g.com

The Trojan is repackaged into legitimate apps, such as the popular games Temple Run and Fishing Joy, to trick users into installing the malware. To evade detection, it also uses dynamic loading, data encryption, and code obfuscation.

Figure 3. A malicious service named "m" that encrypts data is started in a trojanized Temple Run

 

Symantec detects MDK as Android.Backscript. This detection has already identified 11,000 malicious apps. Since most of the trojanized apps have been found on third-party markets in China, infections are expected to be limited to China.

To stay safe, Android users are advised to download apps only from known and trusted app vendors, and to install a security app such as Norton Mobile Security or Symantec Mobile Security on their devices. For general tips on keeping smartphones and tablets safe, see the Mobile Security website (in English).

 

* To subscribe to the RSS feed of the Japanese Security Response blog, visit http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

NetBackup Appliance Technical Workshops - Please Join Us!


Our place is holding some events on 27th and 28th February in the UK so I thought I would invite you all - I have added them to the events calendar but thought it may have better visibility here - hope you can come and enjoy it - here are the details:

Cognitive Network Solutions, a Symantec Data Protection Master & Hardware Appliance Specialist partner, would like to invite you to this must-attend event.

Come and see how we can improve your Backups, Reduce Cost and Increase Efficiency.

  • NetBackup 5220 Appliance – A complete backup & recovery solution for your virtual & physical systems in a single box. Complete with built in storage, intelligent end to end de-duplication and more
  • Superior load balancing for fastest possible backup performance
  • Utilise the NetBackup Appliance to refresh your Backup Infrastructure. No more dealing with multiple vendors “One Stop Shop”.
  • Backup up to 100x faster and meet the most demanding of SLAs using NetBackup 7.5
  • Live Technical Demo of NBU Hardware appliance
  • Road map – NetBackup Appliances – “The Future”

We are holding two events:

27th February 2013
Symantec
88 Wood Street
4th Floor
London EC2V 7AJ
-
2 minutes from Barbican or Bank Tube Stations

28th February 2013
National Motorcycle Museum
Bickenhill
Solihull
West Midlands B92 OEJ
-
2 minutes from Birmingham International Train Station and Birmingham Airport. Close to M42 Junction 6 and M6 Junction 4

Session Times

9.00am – 1.00pm

Register Now!

For more information please visit our website

or contact us on sales@thesolution.co.uk or call us on 01384 340666

Symantec System Recovery 2013 Monitor


Hi All.

In this blog we are going to talk about SSR Monitor, a lightweight application that helps monitor the backup status of up to 100 machines. As a user you may want to get a quick overview of the backup status of all the machines in your environment. SSR Monitor helps you do exactly this. You can add all the machines you wish to monitor, see their backup status at a glance, and, in case of failures, get the list of systems where the backup did not complete successfully.

How to install:

To install Symantec System Recovery 2013 Monitor:

  1. Download Sym_System_Recovery_2013_Monitor_1.0.0.46534_Multilingual_Product.exe using the following link:

http://www.symantec.com/docs/TECH201944

  2. Copy it to the computer on which you want to install Symantec System Recovery 2013 Monitor.
  3. Double-click the exe.
  4. In the Symantec System Recovery Installation Wizard, follow the on-screen prompts.

Users can also choose to install Symantec System Recovery 2013 Monitor by running the SSR installation setup. Once the Symantec System Recovery Media Browser launches, users will see the option to install Symantec System Recovery Monitor on the home page under "More Useful Links". Please refer to the screenshot below:

Before you install Symantec System Recovery 2013 Monitor, ensure that you have administrator's rights.

The following Microsoft Windows 32-bit or 64-bit operating systems are supported:

  • Microsoft Windows XP (All Editions)
  • Microsoft Windows Server 2003 or R2
  • Microsoft Windows Vista (All Editions)
  • Microsoft Windows Server 2008 or R2
  • Microsoft Windows 7 (All Editions)
  • Microsoft Windows 8 (Desktop Edition)
  • Microsoft Windows Server 2012

 

It is an easy application to install and use; please refer to the prerequisites below:

  • The minimum system requirement to run the Symantec System Recovery 2013 Monitor application:
    • Microsoft .NET Framework 4.0
  • On the machine to be monitored, the Symantec System Recovery service must be operational.
  • The Simple File Sharing option must be disabled [for XP and Windows 2003].
  • To allow communication from the host computers, add the DCOM port and the SSR service to the firewall exceptions list. Please refer to the following technote for more details:

http://www.symantec.com/docs/TECH188450

  • For Vista, Win7 and Win8 client OS, turn off UAC if using a standard user in a workgroup environment or a domain user with restrictive permissions in a domain environment.

Please refer to the Readme file after installing the application for more details.

SSR Monitor displays information such as backup protection status, last and next job run time, remote BESR/SSR client version, and protection status justification. It also allows remote computers to be added, removed, and edited.

This is it for now. In the next follow up blog we will talk about different features and capabilities provided by SSR Monitor.

Stay tuned!

 

 


LastPSTSearch


 

Have you ever wondered what the LastPSTSearch registry entry is on a client/Outlook workstation in an Enterprise Vault environment? For quite some time when I was working with PST migrations, I would stumble across issues where test PST files that I had placed on a client machine weren't being picked up for migration. Sometimes they were, and sometimes they weren't.

In the end, much of this came down to the LastPSTSearch registry key.

The registry key is related to client-driven PST migration and indicates the date when the last scan for PSTs was performed. If that date is recent, no new scan will take place. That is why, when I first looked at these migration issues, it would appear to work sometimes but not at other times.

 

The registry key is located here:

HKEY_CURRENT_USER\Software\KVS\Enterprise Vault\Client

It looks like this:

 

By default the scanning takes place every 7 days, but that can be changed by altering the policy and synchronising the mailbox settings.

EV 10.0.3 Release now supports SharePoint 2013


Enterprise Vault 10.0.3 was released on January 18, 2013 and in addition to many new enhancements for Exchange, it also adds support for SharePoint 2013. 

The Enterprise Vault team has focused a lot of attention on SharePoint in recent months as our customers are growing more aware of the need to manage SharePoint storage and to prepare for eDiscovery of this growing repository of content.  Our last release, EV 10.0.2, added the ability to capture social content including blogs, wikis, discussions boards and custom lists.  This was important for both eDiscovery and for storage optimization.

Capturing social content also matters from a storage management perspective, as it allows important content to be captured before a site is deleted. Site proliferation is one of the biggest headaches for SharePoint admins. Everyone wants the power to create a site, but very few people remember to delete the site after it has outlived its usefulness.

One of the compelling features in SharePoint 2013 is the ability to automatically expire sites based on criteria such as the last accessed date.   While this is an important step in curbing site proliferation, SharePoint admins will still be reluctant to automate deletion of a site unless they know that the critical content from the site will be preserved.  

This is where EV for SharePoint comes in.   Granular policies allow the targeting of content based on:

  • Type of content (Documents, pictures, blogs, wikis, etc.)
  • Metadata (created by, modified by, date range, specific custodians, any custom metadata)
  • File characteristics (size, name)

By proactively archiving the important information within the site, expiration becomes viable and you can take full advantage of this great new SharePoint 2013 feature.

For more information on EV for SharePoint see the feature brief.

Follow me @DScottyt

Symantec Announces New Strategy; Partnerships continue critical role in company’s future


On January 23, Symantec announced a new strategy to significantly improve performance for you and your customers. We plan to improve existing products and services, and at the same time develop new, innovative products and services. We will also transform the Partner Program to better support your business. Partner Program changes will occur in phases. We’ll keep you informed as details are available. For now, it is business as usual. 

Read more.

Backup Exec @ Symantec Vision 2013


It's an exciting time for IT professionals. Symantec's annual conference, which is being held at the MGM in Las Vegas this year, is right around the corner. It runs from the 15th April to the 18th April 2013 - 4 days of paradise in Las Vegas! Vision offers IT professionals a jam-packed line up of hands-on labs, in-depth training, and technical breakouts that address the issues they care about most—including private and public cloud, Virtualization, mobile, infrastructure and information protection.

The Backup Exec team is in the midst of preparing for this BIG event and we want to hear from you. As we build out our session plan, we are keen to understand what topics you care about the most. What would you like us to address? What would you like to learn? Are there particular sessions you would like us to run?

Reply to this blog with your needs and wants, and the BE team will take every suggestion into consideration. We will keep you posted on our plans so you know what we have in store for you.

Can't wait to meet you all in Vegas.

Bye for now,

Kate

Trojan Horse Using Sender Policy Framework


It is important for malware authors to keep a solid network connection between their malware on compromised computers and their own servers so that the malware can receive commands and be updated. However, communication between the malware and the malware servers may be filtered by a gateway or local firewall, or blocked by an intrusion prevention system (IPS). Consequently, malware authors try to find more secure methods of providing communication between the malware and the servers. For example, I wrote a blog last November detailing how Backdoor.Makadocs uses the Google docs viewer function as a proxy to maintain a solid connection between the malware and its servers. More recently, I discovered a Trojan horse that uses Sender Policy Framework (SPF), which is an email validation system designed to prevent email spam, to achieve the same goal.

Basically, SPF consists of a domain name server (DNS) request and response. If a sender’s DNS server is set up to use SPF, the DNS response contains the SPF in a text (TXT) record.

Figure 1. How SPF works

The following table contains some SPF examples of major legitimate sites.

Table 1. SPF examples of major legitimate sites

The point for the malware author is that domains or IP addresses in SPF can be obtained from a DNS request and this DNS request doesn’t need to be requested from a computer directly. Usually the local DNS server is used as a DNS cache server. The DNS cache server can send a request instead of the computer.
 

Discovery of a Trojan horse using SPF

Recently, I discovered a Trojan horse (detected by Symantec products as Trojan.Spachanel) that uses SPF. Basically, it hijacks a Web browser to inject malicious content into every HTML page. The process of how the malware carries out an attack is illustrated below.
 

Figure 2. How Trojan.Spachanel carries out an attack

Below is a captured SPF record that was received from the attacker's DNS server.

Figure 3. A malicious SPF record

The following is an example of the JavaScript inserted at the end of an HTML tag. The obfuscated URL in the image below is the same as the obfuscated URL in Figure 3.

Figure 4. Example of JavaScript inserted after an HTML tag

Why did the attacker use SPF to get the malicious domains or IP addresses? My guess would be that it is because the attacker wants to hide communication in legitimate DNS queries. If this malware connects to the attacker’s server by a higher port number using the original protocol, it may be filtered by a gateway or local firewall, or blocked by an intrusion prevention system (IPS). In some cases, specific domains are blocked by a local DNS server, but this malware generates a domain that is rarely filtered. Furthermore, DNS requests are generally speaking not sent directly. Usually there is a DNS cache server in the network or in the ISP network, which makes it difficult for a firewall to filter it. Therefore, this is the attacker’s attempt to maintain a solid connection between the malware and the attacker’s server.
 

What happens after infection?

The inserted JavaScript tag loads the malicious content, which overlays a pop-up window on the bottom left corner of the browser. The legitimate site itself is not actually infected nor connected with the popup content in any way. (In Figure 5, the site used to illustrate this effect is the Symantec home page.) The JavaScript is only inserted into the compromised computer’s browser and not the Web server. Therefore, computers that aren’t compromised by this malware will not see the window.
 

Figure 5. Legitimate site appearing to display malicious content

So far, we have seen the following four types of pop-up windows.

Figure 6. Four malicious pop-up windows

From what we have seen, if a button on the “PC Speed Test” or “PC Performer Test” pop-up window is clicked, the browser redirects the user to a security risk download site. The “how fast can you build your muscle mass?” pop-up window looks like an advertisement, but at the time of writing nothing happens if the button is clicked. We have only seen the “captcha” pop-up window in one attack and we have not yet analyzed it to see what it does.

Evidently the purpose of these attacks is to make money for the attacker by selling security risks and clicking advertisements.

To stay safe, please ensure that your computer has the latest software patches installed and always keep your antivirus definitions up-to-date.

Adobe Reader 11 (XI) is out


Here is the new version of Adobe Reader 11.

Adobe Reader XI is free to distribute as long as a current Distribution License Agreement is in effect. If you need to renew your license or apply for a new license, please click here.

If you are current with your distribution license, click here to get Adobe Reader XI.

But personally, I find Foxit Reader very good. ;)

Altiris 7.1 migration- End of week 3.


The whiteboard sessions seem to get longer, and the endless syntax errors are just a blur dulled by time.

But we are making steady progress. Altiris 7 doesn't suck like everyone said it would, and other than a very crappy (personal opinion) console design, everything is pretty smooth.

Things accomplished:

Hardware-independent image done; took 3 days, completely modular.

Base software installed through Unattended.xml. Again modular, based on what we copy into the partitioned image during WinPE.

Agent installer logic built into WinPE with variables to install the agent to the correct parent/child server.

PCAnywhere tested and working perfectly.

SQL sort issues kind of resolved; gotta specify ASC and DESC on a few servers. So we just specified them for all at the top and let the hierarchy replicate them down.

The grocery list for next week:

Populate Software Manager for SVS, Desktop Deployment.

Win 7 32-bit for older systems.

Drivers for all previous models.

Win 7 pilot for Group Policy assessment.

 

Yep, gonna be a relaxing weekend for once.

Trojan that uses SPF (Sender Policy Framework)


For malware authors, securing a network connection between malware that has made its way onto a computer and the servers they operate is important, because the malware needs it to receive commands and to update itself. However, communication between the malware and the malware server may be filtered by a gateway or local firewall, or blocked by an intrusion prevention system (IPS). Malware authors therefore try to make the communication channel between the malware and the server more robust. For example, in a blog post last November we described in detail how Backdoor.Makadocs uses the Google Docs viewer feature as a proxy to maintain a reliable connection between the malware and its server. Very recently, a Trojan that uses SPF (Sender Policy Framework) has been discovered. SPF is an email validation system designed to prevent spam, but this Trojan uses SPF to secure a reliable connection.

Basically, SPF consists of Domain Name Server (DNS) requests and responses. If the sender's DNS server is configured to use SPF, the DNS response includes the SPF data as a text (TXT) record.

Figure 1. How SPF works

The table below shows examples of SPF records for major legitimate sites.

Table 1. Examples of SPF records for major legitimate sites

What matters to the malware author is whether the domain or IP address in the SPF record can be obtained from a DNS request, and whether that DNS request does not have to be issued directly from the computer. Usually a local DNS server acts as a DNS cache server, and the DNS cache server can send the request on behalf of the computer.
 

Discovery of a Trojan that uses SPF

Recently, a Trojan that uses SPF was discovered (Symantec products detect it as Trojan.Spachanel). In principle, it hijacks the web browser and injects malicious content into each HTML page. The figure below shows the process by which this malware carries out its attack.

Figure 2. How Trojan.Spachanel carries out its attack

The following is the SPF record obtained from the attacker's DNS server.

Figure 3. Malicious SPF record

At the end of the HTML tag, JavaScript like the example below is inserted. The URL hidden in the image below is the same as the URL hidden in Figure 3.

Figure 4. Example of JavaScript inserted after the HTML tag

Why did the attacker use SPF to obtain the malicious domain or IP address? My guess is that the attacker is trying to hide the communication inside legitimate DNS requests. If this malware connected to the attacker's server on a high-numbered port using its own protocol, it could be filtered by a gateway or local firewall, or blocked by an intrusion prevention system (IPS). In some cases specific domains are blocked by the local DNS server, but the domains generated by this malware are rarely filtered. Also, DNS requests are generally not sent directly: networks and ISP networks usually have a DNS cache server, so it is hard for a firewall to filter them. This is therefore thought to be aimed at securing a reliable connection between the malware and the attacker's server.
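As an added example (not code from the original post), the following Python shows the defender's side of the two points made above: how an SPF TXT record breaks down into the mechanisms that name domains and IP addresses, and how SPF answers delivered to hosts that have no reason to evaluate SPF (workstations rather than mail gateways) can be picked out of resolver logs. The log entries, addresses, names and the mail-server list are all constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: DNS TXT answers as a resolver log might record them
# (client address, queried name, TXT data). All values are made up.
SAMPLE_TXT_ANSWERS: List[Tuple[str, str, str]] = [
    ("10.0.0.5",  "example.com",      "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all"),
    ("10.0.0.77", "zq8x3k1p.example", "v=spf1 ip4:203.0.113.45 ~all"),
    ("10.0.0.25", "example.org",      "v=spf1 a mx -all"),
    ("10.0.0.25", "example.net",      "some unrelated txt record"),
]

# Hosts that legitimately evaluate SPF (mail gateways); constructed for the example.
MAIL_SERVERS = {"10.0.0.5"}

# One SPF term: optional qualifier, mechanism/modifier name, optional value.
TERM_RE = re.compile(r"^([+\-~?])?(all|ip4|ip6|a|mx|include|exists|redirect)(?:[:=/](.*))?$")


def parse_spf(record: str) -> Dict[str, List[str]]:
    """Split an SPF TXT record into its terms, keyed by mechanism name.
    Returns {} when the record is not SPF. The 'all' entry keeps its qualifier."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {}
    parsed: Dict[str, List[str]] = {}
    for term in terms[1:]:
        m = TERM_RE.match(term)
        if not m:
            continue  # unknown modifier: SPF evaluators ignore these, so do we
        qualifier, name, value = m.group(1) or "+", m.group(2), m.group(3)
        parsed.setdefault(name, []).append(qualifier if name == "all" else (value or ""))
    return parsed


def spf_targets(parsed: Dict[str, List[str]]) -> List[str]:
    """Addresses and names a client learns from the record (the data an attacker
    could smuggle through it); 'a' and 'mx' refer back to the queried domain."""
    return [v for key in ("ip4", "ip6", "include", "redirect") for v in parsed.get(key, [])]


def flag_spf_lookups(answers, mail_servers) -> List[Tuple[str, str, List[str]]]:
    """Return (client, queried name, targets) for every SPF answer that reached a
    host outside the mail-server set. Such lookups are worth triaging."""
    hits = []
    for client, name, txt in answers:
        spf = parse_spf(txt)
        if spf and client not in mail_servers:
            hits.append((client, name, spf_targets(spf)))
    return hits
```

In a real deployment the same check runs over the resolver's query log, with the TXT answers and mail-server inventory taken from the environment rather than constructed.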
 

What happens after infection

When the malicious content is loaded by the injected JavaScript tag, a pop-up window is overlaid in the lower-left corner of the browser. The legitimate site itself is not infected, and the pop-up content has no connection to it at all (Figure 5 shows an example of this pop-up using the Symantec home page). The JavaScript is only injected into the browser of the infected computer and does not affect the web server, so the pop-up is not shown on computers that are not infected with this malware.

Figure 5. A legitimate site that appears to be displaying malicious content

So far, the following four types of pop-up windows have been confirmed.

Figure 6. Four types of malicious pop-up windows

From what has been confirmed so far, if a button is clicked in the "PC Speed Test" or "PC Performer Test" pop-up window, the browser is redirected to a security risk download site. The "how fast can you build your muscle mass?" pop-up window looks like an advertisement, but at the time of writing nothing happens when the button is clicked. One pop-up window only displays a "CAPTCHA", and its function has not yet been analyzed.

It is clear that the purpose of these attacks is to make money through the sale of security risks and clicks on advertisements.

To stay safe, install the latest software patches on your computer and always keep your antivirus definitions up to date.

* To subscribe to the RSS feed of the Japanese Security Response blog, go to http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

Info-Tech Ranks Backup Exec as the Top Product


"Fools learn from their own experience; I prefer to learn from the experience of others."
- Otto von Bismarck

This year we will surely meet many of those "fools who learn." When new operating systems, hypervisors and applications are released, IT administrators learn something the hard way when bringing them into production. On the other hand, if you take a wait-and-see stance like Bismarck, your company's competitiveness declines and your own skills become obsolete.

One answer to this dilemma is Backup Exec, as confirmed today when Info-Tech Research Group placed Symantec at the top of the quadrant for leading products. For many years we have heard from customers that backup and recovery is far more reassuring on a single platform than with a multitude of niche specialist tools. Even where physical and virtual, tape and disk, multiple hypervisor vendors and multiple applications coexist, Backup Exec 2012 handles them properly, so you do not get stuck by accident.

Info-Tech summarizes this approach in its report as follows.

Today, more than 35% of companies manage multiple backup solutions. However, most companies have not achieved full virtualization, and more than half (52%) still use tape. Over 50% of companies manage two or more hypervisors in their virtual environment, making it essential to understand what each vendor supports.

As Bismarck said, wise IT administrators look at the experience of their peers and avoid problems. Backup Exec protects more Windows environments than any competing product. Is there any reason this year to migrate your infrastructure to scattered point products?

Info-Tech Research Group report, "Vendor Landscape, Virtual Backup Software, 2013"

How to create a VMware Application Protection policy to back up the SharePoint Application in a Virtual Machine


Hello Guys,

This post walks through how to create a VMware Application Protection policy to back up the SharePoint application in a virtual machine.

On the NetBackup Master Server

NetBackup Management > Right Click on Policies > Select New. Provide a name to the policy.

This would open up an “Add New Policy Window” dialog.

Choose Policy Type as VMware.

Select a Storage unit

NOTE – Enable Granular Recovery is greyed out, because this type of policy is granular by default.

Add a new schedule as per your requirement.

IMPORTANT- Clients Tab

For VMware application aware backups, the name of the client cannot be entered manually or chosen from list of clients. It must be chosen using a VMware Intelligent Policy (VIP) query.

We get a query generation dialog. In this dialog you can create a query that searches for VMs; in the screen above we are searching for VMs whose display name equals "vmwinapp1".

To validate the query, click the "Test Query" button. The query results appear in a dialog as shown below. If the result does not match your expectations, modify the query until it returns the desired VMs.

Now click on the VMware Tab.

Check Enable file recovery from VMbackup.

Uncheck Enable block-level incremental backup. This option must be disabled for VMware backups that protect SharePoint Server.

Check Enable SharePoint Recovery.

This option enables recovery of the SharePoint databases or individual objects from the virtual machine backups. If it is disabled, you can recover the entire virtual machine from the backup, but you cannot recover the SharePoint databases or objects individually. If unchecked, this would be a plain VM backup and not a SharePoint-aware VM backup.

Primary VM identifier - This setting specifies the type of name by which NetBackup recognizes virtual machines when it selects them for backup. The default is the network host name of the virtual machine. NetBackup obtains the host name by means of a reverse lookup on the virtual machine's IP address; if no host name can be found, the IP address is used as the host name.

Transport modes - The transport modes determine how the snapshot data travels from the VMware datastore to the VMware backup host. The appropriate mode depends in part on the type of network that connects the VMware datastore to the VMware backup host. By default, all modes are selected. NetBackup tries each transport mode in order, from top to bottom. It uses the first mode that succeeds for all disks in the virtual machine.

An important point to note here is that, unlike the Exchange and SQL options, there is no log truncation option for SharePoint VMware backups; manual log truncation is normally not required in SharePoint installations, because the logs are managed by the SQL Server engine that acts as the SharePoint backend.

Click OK to save the policy. A warning box reminds you that SharePoint administrator credentials must be entered in the host properties for the clients.

We are done with the Application aware VM policy for SharePoint backups.

 

Design Trends For 2013


It's a new year and with it comes new opportunities for design evolution on the web.

Looking forward, there are three trends I think we can expect to see more of this year.

1. Mobile no longer an after-thought.
There has been and will continue to be an increased and hyper-focus on mobile. There is still a lot of upside growth in the mobile web space to be had. Consequently, it can't be ignored and what we can expect to see is more inclusion and integration of mobile in website planning. There will be less of sites being thought of in silos based on desktop or mobile. Instead, there will be more of a holistic approach to web presences where desktop, smartphone, and tablet instances will be thought of collectively. This will manifest itself in more sites being built responsively, more hybrid sites that are built for desktop but with mobile support, and specific smartphone and tablet sites.

2. Simple yet designed.
In light of mobile and the influence of the mobile experience, we can expect to see desktop sites still well-designed but simpler and clearer. Sites will take their cues from mobile and adopt a less cumbersome and busy interface, and take on a more streamlined and visually effective appeal to accommodate for mobile viewing. Style and design won't be out the door; but the all-things-mobile rage and the need to make sites accessible via mobile devices will influence site design.

3. Docked UI elements.
While scrolling for new content is acceptable, not having to scroll for the same content because it can be made portable will become popular. This includes elements such as navigation, contact information, and contextually relevant content. Abuse of this feature will diminish its value, but if used judiciously and appropriately it can be a user experience hit. This will not be applicable to all sites and scenarios but will make sense for consumer and information-driven sites with lengthy pages.
