Channel: Symantec Connect - Blog Entries

Webinar: Managing Healthcare Mobility - Effectively Leveraging Mobility to Drive Better Patient Outcomes


Learn how to mitigate the risk associated with the rise of mobility - smartphones and tablets - and how these devices can securely and effectively be leveraged to drive better patient outcomes and increase patient access to information and resources. If you missed our recent webinar, click here to view the archived edition.


Android Tapsnake Mobile Scareware: Ads Push Antivirus


Recently we have observed a series of mobile ads intended to scare users into believing that their device is infected with a threat called “Trojan: MobileOS/Tapsnake”.
 

Figure 1. Fake Tapsnake infection warnings
 

The malware alert is fake. Tapsnake is an older Android threat (we blogged about it in 2010 and detect it as Android.Tapsnake) that just happens to be mentioned in these ads to make them appear more authentic. We visited a site serving these ads using a brand new Android device with a fresh install and nothing on it and still received this alert. Users of Apple's iPhone have also reported seeing Tapsnake alerts, despite the fact that the threat doesn’t target iOS devices.
 

Figure 2. Scareware tactics target Android users
 

This type of warning is commonly associated with scareware, which originated on PCs. When users visit scareware websites, they are shown a warning that claims their computer or device is infected with malware. These scareware sites may then offer free downloads of fake antivirus software.

This is all a trick designed to convince the user to download an application.
 

Figure 3. Android Antivirus app offer
 

Symantec Security Response advises users not to install applications outside of trusted app stores. Instead, users should only trust well-known and reputable security software, such as Norton Mobile Security available on the Google Play app store. For general safety tips for smartphones and tablets, visit the Symantec Mobile Security website.

Ten Reasons Symantec is Saying Thanks to 2013


Displaying Volume and Disk Sizes in Human Friendly Format (MB, GB & TB) with Volume Manager (VxVM)


Having used Storage Foundation for some time, I take for granted converting disk and volume sizes from sectors into a more human-friendly format such as gigabytes (GB) and terabytes (TB).

 

Fundamentally, disks and LUNs use the sector as the granular unit of transfer; typically this is 512 bytes on Solaris, Linux and AIX and 1024 bytes on HP-UX. While that is fine for disks, it is not easy on the human eye: 1 TB = 2,147,483,648 sectors (assuming 512 bytes per sector), and it takes a little maths to convert from sectors to GB or TB.

 

Like disks, the Volume Manager component (VxVM) of Storage Foundation also uses sectors, and in early versions that is what you had to work with when displaying volume sizes in the CLI. Fortunately, in later releases we introduced human-friendly formats in the commands to aid ease of use. Below are some examples from a Linux system showing how human-friendly formats can be used when displaying volumes and disks with the CLI:

 

Volume Creation

First we need to create a 1 TB volume using the vxassist utility. vxassist allows the size to be specified in a variety of units: m for megabytes, g for gigabytes, t for terabytes. If no unit is specified, the value defaults to sectors.

 

vxassist [options] [-b] make volume {length|maxsize[=size]} [attribute ...]

 

So let’s create the 1TB volume in disk group datadg:

 

[root@server101 ~]# vxassist -g datadg make testvol1 1t

 

 

Volume Sizes

To display the size of the volume, vxprint can be used, but it shows sectors by default. As you can see, the 1 TB volume we created earlier now shows as 2147483648 sectors:

 

[root@server101 ~]# vxprint -g datadg -h testvol1
TY NAME         ASSOC        KSTATE   LENGTH   PLOFFS   STATE    TUTIL0  PUTIL0
v  testvol1     fsgen        ENABLED  2147483648 -      ACTIVE   -       -
pl testvol1-01  testvol1     ENABLED  2147483648 -      ACTIVE   -       -
sd d9-01        testvol1-01  ENABLED  2147483648 0      -        -       -

 

To display the size in other human-friendly formats, use the underused "-u" unit option and supply m for megabytes, g for gigabytes, t for terabytes, etc.:

 

[root@server101 ~]# vxprint -g datadg -h -ug testvol1
TY NAME         ASSOC        KSTATE   LENGTH   PLOFFS   STATE    TUTIL0  PUTIL0
v  testvol1     fsgen        ENABLED  1024.00g -        ACTIVE   -       -
pl testvol1-01  testvol1     ENABLED  1024.00g -        ACTIVE   -       -
sd d9-01        testvol1-01  ENABLED  1024.00g 0.00g    -        -       -

 

Disk/Lun sizes

For finding the size of a disk there are a number of methods. In addition to the various native OS methods, if the disk is part of a VxVM disk group you can determine its size by displaying the private region and public region sizes and adding them together:

 

[root@server101 ~]# vxprint -g datadg -dt -um
DM NAME         DEVICE       TYPE     PRIVLEN  PUBLEN   STATE
dm d9           ibm_shark0_9 auto     32.00m   2999968.85m -
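The sector arithmetic behind the "-u" option and the private-plus-public region sum above, as an added example (not code from the original post or from Storage Foundation): it converts vxassist-style sizes to sectors and back, rewrites the LENGTH/PLOFFS columns of a sector-based vxprint listing the way "vxprint -u<unit>" does, and adds PRIVLEN and PUBLEN to get a disk size. It assumes 512-byte sectors unless told otherwise (HP-UX would pass sector_size=1024); the listing it parses is the one from this post.

```python
"""Sector-to-human-unit conversion for VxVM listings (added example; assumes
512-byte sectors as on Solaris/Linux/AIX, sector_size=1024 for HP-UX)."""
from __future__ import annotations

UNIT_BYTES = {"k": 1024, "m": 1024**2, "g": 1024**3, "t": 1024**4}


def sectors_to_unit(sectors: int, unit: str, sector_size: int = 512) -> float:
    """Size of `sectors` sectors expressed in the requested unit (k/m/g/t)."""
    if unit not in UNIT_BYTES:
        raise ValueError(f"unknown unit {unit!r}; expected one of {sorted(UNIT_BYTES)}")
    return sectors * sector_size / UNIT_BYTES[unit]


def unit_to_sectors(size: str, sector_size: int = 512) -> int:
    """Parse a vxassist-style size: '1t', '500m', or a bare number meaning sectors."""
    size = size.strip().lower()
    if size[-1] in UNIT_BYTES:
        value, unit = float(size[:-1]), size[-1]
        return int(value * UNIT_BYTES[unit] // sector_size)
    return int(size)


def humanize_vxprint(output: str, unit: str = "g", sector_size: int = 512) -> str:
    """Rewrite the LENGTH and PLOFFS columns of a sector-based `vxprint -h` listing
    in `unit`, in the two-decimal style that `vxprint -u<unit>` prints.
    Columns are re-joined with single spaces; alignment is not preserved."""
    lines = output.strip("\n").splitlines()
    header = lines[0].split()
    cols = [header.index("LENGTH"), header.index("PLOFFS")]
    out = [lines[0]]
    for line in lines[1:]:
        fields = line.split()
        for col in cols:
            if len(fields) > col and fields[col].isdigit():
                value = sectors_to_unit(int(fields[col]), unit, sector_size)
                fields[col] = f"{value:.2f}{unit}"
        out.append(" ".join(fields))
    return "\n".join(out)


def disk_size_from_regions(privlen: str, publen: str) -> float:
    """Disk size in MB from the PRIVLEN and PUBLEN columns of `vxprint -dt -um`
    (values such as '32.00m' and '2999968.85m'): private region + public region."""
    def mb(value: str) -> float:
        if not value.endswith("m"):
            raise ValueError(f"expected a value in MB (suffix 'm'), got {value!r}")
        return float(value[:-1])
    return mb(privlen) + mb(publen)


# Constructed sample: the sector-based listing of the 1 TB volume from this post.
SAMPLE_VXPRINT = """\
TY NAME         ASSOC        KSTATE   LENGTH   PLOFFS   STATE    TUTIL0  PUTIL0
v  testvol1     fsgen        ENABLED  2147483648 -      ACTIVE   -       -
pl testvol1-01  testvol1     ENABLED  2147483648 -      ACTIVE   -       -
sd d9-01        testvol1-01  ENABLED  2147483648 0      -        -       -
"""

if __name__ == "__main__":
    print(humanize_vxprint(SAMPLE_VXPRINT, "g"))
    print(f"disk d9: {disk_size_from_regions('32.00m', '2999968.85m'):.2f}m")
```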

 

In Storage Foundation 6.1 we made this easier by enhancing the vxdisk command with a size option (-o size) that displays sizes in "vxdisk list", even if a disk is not in a disk group:

 

[root@server101 ~]# vxdisk -o size list
DEVICE                           SIZE(MB)     GROUP
ibm_shark0_0                     1024         fssdg
ibm_shark0_1                     1024         -
ibm_shark0_2                     1024         -

 

Again, this accepts the human-friendly "-u" unit option:

 

[root@server101 ~]# vxdisk -o size -ug list
DEVICE                           SIZE         GROUP
ibm_shark0_0                     1.00g        fssdg
ibm_shark0_1                     1.00g        -
ibm_shark0_2                     1.00g        -

 

In addition to using vxdisk and vxprint commands, the vxlist utility can also be used to provide a summary of the size configuration:

[root@server101 ~]# vxlist disk
TY   DEVICE         DISK   DISKGROUP        SIZE      FREE STATUS
disk ibm_shark0_0   d0     sharedg1      989.87m   489.87m imported
disk ibm_shark0_1   -      -                   -         - uninitialized
disk ibm_shark0_9   d9     datadg          2.86t     1.86t imported
disk sda            -      -                   -         - uninitialized

[root@server101 ~]# vxlist volume
TY   VOLUME     DISKGROUP        SIZE STATUS    LAYOUT   LINKAGE
vol  cfs1       sharedg1      500.00m healthy   concat   -
vol  testvol1   datadg          1.00t healthy   concat   -
 

 

See vxprint, vxdisk and vxlist for further information.

What are MPs and RUs in Symantec Product Releases?

Release Updates (RUx) typically contain a significant number of fixes and may include feature-work or enhancements.  The current Release Update is considered the latest release of the product and is the appropriate version for most customers performing a new install or upgrading from an earlier release or build of the product.
 
Maintenance Patches (RUx MPx) contain a small number of fixes for specific customer issues and are based on a specific RU.  MPs can only be applied against the specific Release Update upon which they are based, e.g., RU6 MP1 can only be applied against RU6.  Maintenance Patches are appropriate for customers experiencing an issue that is resolved in the Maintenance Patch.

RTM - Release To Manufacturing

MR - Maintenance Release (Now replaced by the term "RU")

RU - Release Update

MP - Maintenance Patch

PP - Point Patch

For detailed Release Notes that document the customer fixes included in a particular release, or for other technical product information, please see the SEP landing page at Symantec Support: http://www.symantec.com/business/support/overview.jsp?pid=54619

For more background, see these articles:

General supported migration paths for Symantec Endpoint Protection Manager (SEPM) / Symantec Endpoint Protection (SEP) - Terminology used in acronyms

What are the officially released versions of Symantec Endpoint Protection (SEP)?

http://www.symantec.com/docs/TECH154475

Android Tapsnake Mobile Scareware: Ads Promoting Fake Antivirus Apps

Recently we have observed a series of mobile ads that try to scare users into believing that their device is infected with a threat called "Trojan: MobileOS/Tapsnake".

Figure 1. Fake warning reporting a Tapsnake infection

This malware infection warning is fake. Tapsnake is a relatively old threat targeting Android (Symantec blogged about it in 2010 and detects it as Android.Tapsnake), and its name is used in these ads simply to make them appear more credible. Symantec visited a site serving these ads using a brand-new Android device. The device was in its initial installed state with nothing else added, yet the warning was still displayed. Although this threat does not target iOS devices, Apple iPhone users have also reported seeing Tapsnake warnings.

Figure 2. Scareware tactics targeting Android users

This type of warning is usually associated with scareware, which originally targeted PCs. When you visit a scareware website, you are shown a warning that your computer or device is infected with malware. Such scareware sites sometimes offer free downloads of fake antivirus software.

This is all a trick to get the user to download an app.

Figure 3. Offer of a fake antivirus app for Android

Do not install apps from anywhere other than trusted app stores. Also, trust only well-known security software, such as Norton Mobile Security, available from the Google Play app store. For general tips on smartphone and tablet safety, see the Mobile Security website (in English).

* To subscribe to the RSS feed of the Japanese-language Security Response blog, go to http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

Connect Dev Notes: 24 Dec 2013


Updates deployed to the Connect production servers as a result of the code sprint that ended 24 December 2013.

User Facing: Desktop

  • Added the ability to browse from one post to the next in the "My Activity" context.
  • Modified workflow for forum posts to allow users to move their own posts from 'draft' state to 'published' state.
  • Fixed an issue related to attaching non-English polls to posts (of any language).
  • Added share counts to each of the social media widgets.
  • Added the ability for Blog admins to add a list of featured blog posts to their blog pages.
  • Changed the blog section to display -- and sort by -- posted date (instead of by updated date).
  • Migrated legacy posts from the SymIQ for Partners forum to two private groups on Connect: Enterprise Vault Technical Champions (EVTC) and NetBackup Technical Champions (NBUTC).
  • Cleaned up the "Full thread notifications" code and UI that was implemented to support the new SymIQ for Partners groups.
  • Modified email headers on notifications sent to members of Full thread notifications enabled groups. Reply address now displays the email address of the user who posted the initial post and not noreply@symantec.com.
  • Addressed an issue of missing group owners on some of Connect's group pages.

Admin Facing

  • Updated the content votes report to work properly with the new "Was this helpful" voting scheme.

Hackers Spend Christmas Break Launching Large Scale NTP-Reflection Attacks


Over the last few weeks Symantec has seen a significant spike in NTP reflection attacks across the Internet.

[Figure: spike in NTP reflection attack traffic]

NTP is the Network Time Protocol, a relatively obscure protocol that runs over UDP port 123 and is used to sync time between machines on a network. If you have ever set up a home computer or server and been asked which time server you want to use, that is an NTP connection.

NTP is one of those set-it-and-forget-it protocols that is configured once and most network administrators don't worry about it after that.  Unfortunately, that means it is also not a service that is upgraded often, leaving it vulnerable to these reflection attacks.

How do NTP reflection attacks work?

Similar to DNS amplification attacks, the attacker sends a small forged packet that requests a large amount of data be sent to the target IP Address. 

In this case, the attackers are taking advantage of the monlist command. Monlist is a remote command in older versions of NTP that sends the requester a list of the last 600 hosts that have connected to that server. For attackers the monlist query is a great reconnaissance tool: for a local NTP server it helps build a network profile. As a DDoS tool it is even better, because a small query can redirect megabytes' worth of traffic:

[root@server ~]# ntpdc -c monlist [hostname]

remote address          port local address      count m ver code avgint  lstint
===============================================================================
localhost.localdomain  53949 127.0.0.1              1 7 2      0      0       0
tock.usshc.com           123 xxx.xxx.xxx.xxx         1 4 4    5d0      0      53
198.52.198.248           123 xxx.xxx.xxx.xxx         1 4 4    5d0      0      54
rook.slash31.com         123 xxx.xxx.xxx.xxx       1 4 4    5d0      0      55
eightyeight.xmission.c   123 xxx.xxx.xxx.xxx         1 4 4    5d0      0      56

Most scanning tools, such as NMAP, have a monlist module for gathering network information and many attack tools, including metasploit, have a monlist DDoS module. 

How can you protect your servers? The easiest way is to update to NTP version 4.2.7, which removes the monlist command entirely. If upgrading is not an option, you can start the NTP daemon with noquery enabled in the NTP conf file. This disables access to mode 6 and mode 7 query packets (which includes monlist).

By disabling monlist, or upgrading so that the command is no longer there, you are not only protecting your network from unwanted reconnaissance but also protecting it from inadvertently being used in a DDoS attack.
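As an added, defensive example (not code from the original post or from the NTP project), the classifier below decodes just enough of the NTP header to separate ordinary time-sync traffic from the mode 6/7 query packets that noquery blocks, labels monlist requests and responses by their mode 7 request code, and computes the reflection gain from observed packet sizes so a sensor can alert on it. It assumes the RFC 5905 header layout, ntpd's mode 7 request codes for monlist (MON_GETLIST = 20, MON_GETLIST_1 = 42, from ntp_request.h), and constructed sample packets rather than captured traffic.

```python
"""Label raw NTP (UDP/123) payloads for detection: time sync vs. mode 6/7 queries,
monlist requests/responses, and the reflection gain they produce. Added example."""
from __future__ import annotations
from dataclasses import dataclass

MODE_CONTROL = 6   # ntpq control messages (RFC 1305 style)
MODE_PRIVATE = 7   # ntpdc private messages; monlist lives here
# Mode 7 request codes for monlist in ntp_request.h: MON_GETLIST, MON_GETLIST_1.
MONLIST_REQUEST_CODES = {20, 42}


@dataclass(frozen=True)
class NtpInfo:
    version: int
    mode: int
    is_response: bool
    request_code: int | None   # only meaningful for mode 7
    length: int


def parse_ntp(payload: bytes) -> NtpInfo:
    """Decode the fields a detection rule needs; raises on truncated input."""
    if len(payload) < 4:
        raise ValueError("payload too short for an NTP header")
    first = payload[0]
    mode = first & 0x07
    version = (first >> 3) & 0x07
    if mode == MODE_PRIVATE:
        # Mode 7 byte 0 is R|M|VN(3)|Mode(3); byte 3 carries the request code.
        return NtpInfo(version, mode, bool(first & 0x80), payload[3], len(payload))
    if mode == MODE_CONTROL:
        # Mode 6 byte 1 is R|E|M|OpCode(5); the R bit marks a response.
        return NtpInfo(version, mode, bool(payload[1] & 0x80), None, len(payload))
    return NtpInfo(version, mode, False, None, len(payload))


def classify(payload: bytes) -> str:
    """Short label suitable for an IDS rule name or a dashboard column."""
    info = parse_ntp(payload)
    if info.mode == MODE_PRIVATE:
        if info.request_code in MONLIST_REQUEST_CODES:
            return "monlist-response" if info.is_response else "monlist-request"
        return "mode7-response" if info.is_response else "mode7-query"
    if info.mode == MODE_CONTROL:
        return "mode6-response" if info.is_response else "mode6-query"
    return "time-sync"   # modes 1-5: ordinary client/server/broadcast traffic


def amplification_factor(request_len: int, response_lens: list[int]) -> float:
    """Bytes sent towards the (possibly spoofed) source per byte received."""
    if request_len <= 0:
        raise ValueError("request length must be positive")
    return sum(response_lens) / request_len


# Constructed samples (not captured traffic): a v4 client poll (mode 3), a mode 7
# monlist request header (version 2, implementation 3 = XNTPD, request code 42)
# padded to 48 bytes, and a 440-byte reply with the R bit set.
CLIENT_POLL = bytes([0x23]) + bytes(47)
MONLIST_REQ = bytes([0x17, 0x00, 0x03, 0x2A]) + bytes(44)
MONLIST_RESP = bytes([0x97, 0x00, 0x03, 0x2A]) + bytes(436)

if __name__ == "__main__":
    for name, pkt in [("client", CLIENT_POLL), ("request", MONLIST_REQ), ("reply", MONLIST_RESP)]:
        print(f"{name}: {classify(pkt)}")
    # A server that answers 100 such replies per request reflects ~917x the input.
    print("gain:", amplification_factor(len(MONLIST_REQ), [len(MONLIST_RESP)] * 100))
```

The ntp.conf line that the post's noquery advice corresponds to is `restrict default noquery` (ntpd's restrict syntax, assumed here as the matching configuration); the classifier lets you confirm from the wire that mode 6/7 traffic actually stopped.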


iOS vs. Android Engagement

  • In 2012, the Android operating system ran on 75% of the smartphones shipped in the third quarter. Apple's iOS was second with 15% marketshare. (source)
  • In December 2012, 64% of Android devices were running version 2.x of the OS and only 34% were on the latest version 4.x. This led many to hypothesize that lower engagement on Android was due to a lesser user experience on older devices with Android 2.x. (source)
  • In December 2013, only 25.7% of Android devices are running Android 2.x and 74.2% are on 4.x. Yet the engagement differences continue. (source)
  • Thanksgiving Day and Black Friday 2013 saw record online sales. iOS-based devices drove more than $543 million dollars in online sales, with iPad taking a 77% share. Android-based devices were responsible for $148 million in online sales, a 4.9% share of mobile driven online sales. (source)
  • On Thanksgiving 2013, iOS ended up accounting for over 21% of all sales, and $121.61 per order. Android accounted for only 4.6% of sales. (source)
  • For every $1.00 in app download revenue earned by iOS developers, their Android counterparts earn just $0.19. That's a five-times-greater return rate for developers. (source)
  • Ads on Apple's iOS posted returns nearly 1,800% higher than the same ad running on Android. (source)
  • iPhone users spend an average of 19 cents per app downloaded against just 6 cents per download for their Android counterparts. (source)

Symantec Vision Site Redesigned

GeoTrust Redesign


We have been working on a new design for www.geotrust.com, let us know what you think of the new design in the comments below.

 

[Image: the new www.geotrust.com homepage design]

 

Workaround to Event 57802 and 57804, catalog mismatch (Following a successful upgrade, the Backup Exec Server Service fails...)


How to find text within database tables


Here is a handy SQL query that will allow you to search your database tables for a particular word or words (tested against SQL 2008 R2):

 

**********************************

-- Results table: one row per (schema, table, column) with the number of matching rows
CREATE TABLE myTable99 (TABLE_SCHEMA sysname, TABLE_NAME sysname, COLUMN_NAME sysname, Occurs int)
GO

SET NOCOUNT ON

DECLARE @SQL varchar(8000), @TABLE_SCHEMA sysname, @TABLE_NAME sysname, @COLUMN_NAME sysname, @Sargable varchar(80)

SELECT @Sargable = 'enter word or words here'
-- Double any single quotes in the search term so it cannot break out of the LIKE literal
SELECT @Sargable = REPLACE(@Sargable, '''', '''''')

-- Walk every character/text column of every base table, in every schema
DECLARE insaneCursor CURSOR FOR
    SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME
      FROM INFORMATION_SCHEMA.Columns c INNER JOIN INFORMATION_SCHEMA.Tables t
        ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
     WHERE c.DATA_TYPE IN ('char','nchar','varchar','nvarchar','text','ntext')
       AND t.TABLE_TYPE = 'BASE TABLE'

OPEN insaneCursor

FETCH NEXT FROM insaneCursor INTO @TABLE_SCHEMA, @TABLE_NAME, @COLUMN_NAME

WHILE @@FETCH_STATUS = 0
    BEGIN
        -- QUOTENAME brackets the schema, table and column names, so tables outside dbo
        -- and identifiers containing spaces or ']' are handled correctly
        SELECT @SQL = 'INSERT INTO myTable99 (TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME, Occurs) SELECT '
                + '''' + @TABLE_SCHEMA + '''' + ','
                + '''' + @TABLE_NAME + '''' + ','
                + '''' + @COLUMN_NAME + '''' + ','
                + 'COUNT(*) FROM ' + QUOTENAME(@TABLE_SCHEMA) + '.' + QUOTENAME(@TABLE_NAME)
                + ' WHERE ' + QUOTENAME(@COLUMN_NAME) + ' LIKE '
                + '''' + '%' + @Sargable + '%' + ''''
        --SELECT @SQL
        EXEC(@SQL)
        IF @@ERROR <> 0
            BEGIN
                -- Show the statement and the column metadata that caused the failure
                SELECT @SQL
                SELECT * FROM INFORMATION_SCHEMA.Columns
                 WHERE TABLE_SCHEMA = @TABLE_SCHEMA AND TABLE_NAME = @TABLE_NAME
                GOTO Error
            END
        FETCH NEXT FROM insaneCursor INTO @TABLE_SCHEMA, @TABLE_NAME, @COLUMN_NAME
    END

SELECT * FROM myTable99 WHERE Occurs <> 0

Error:
CLOSE insaneCursor
DEALLOCATE insaneCursor

GO

DROP TABLE myTable99
GO

SET NOCOUNT OFF
 

W32.Sality - Support Perspective and Battle Plan


I guess we need to face it. Sality is here to stay.

We have been dealing with new Sality variants for more than 8 years and with the Sality.AE family for a little over 5, and the variants keep coming. It has become one of the most common file infectors reported by enterprise customers. With its ability to move through shares and disable AV, it’s one of the most destructive and tricky threats out there. That said, it’s not too hard to stop, provided you have two things: the first is an understanding of how it spreads and infects, the second is a willingness to mount the proper defense while you seek out the hidden pockets of this threat and eradicate them.

So, first things first. How does it spread?

This is a file infector and it can only spread through shares. It uses two methods, which I refer to as a “Push” and a “Pull”, to infect. Managing these two attacks will keep the threat from spreading to more computers.

 

The “Push”

This one is pretty well understood. An infected machine looks at the list of drives connected to it and systematically attempts to infect .EXE and .SCR files. If network shares are mapped as drives, it will spread to these as well. Then, as the malicious code is injected into the target file and saved to the hard drive, AV detects the write and attempts to clean the file. Without AV detection, the threat infects many .EXE files, and when these are launched (either by the user or by the system), the threat becomes memory resident and continues to spread. The first .EXEs the threat infects are notepad.exe and/or winmine.exe. Copies of these infected .EXEs are renamed and moved to the root of all shares and drives, including mapped network drives, along with an autorun.inf file, to facilitate the “Pull”.

The “Push” process can be prevented by AV with the proper definitions, and default settings. Also, preventing write access to the shares can be very helpful.

 

The “Pull”

This process is less well known and is why we have such a hard time eradicating this threat. Infected machines now have infected and renamed versions of known files like notepad or winmine sitting at the root of their shares and drives, with an autorun.inf pointing to them. This is the equivalent of a shotgun with a string tied to a door: as soon as the door/drive is opened, the virus/shotgun fires.

Now here is the tricky part: the virus file is sitting on a remote computer, and when it launches, it launches into the local computer's memory. Frequently, neither of these locations is protected by AV. Now we have a virus running in memory and AV never had a chance to stop it. One of the first things this memory-only piece does is try to break your antivirus, and then it is free to write to the hard drive and infect other files unimpeded.

Note: the same thing can happen if you’re running .EXEs from a remote location.

 

Prevention - Mitigation

New variants of Sality come out all the time and the technology used to avoid detection is getting trickier and trickier. So, how do you keep this threat from ruining your week? There are two incredibly simple steps that need to be taken to manage this outbreak. Skip them and you will waste hours chasing it around and reformatting machines that have been damaged beyond recovery.

Once you have solid AV coverage, the “Pull”, which is the most insidious part of this attack, can be rendered moot by enabling network scanning and disabling Autoplay. This prevents the threat from launching from a remote host directly into local memory, thereby skipping the file-write step that AV programs rely on.

Once you have implemented the above steps, the threat should no longer be spreading. Then you can use a network audit, from within the management console of your AV, to determine what machines do not have valid and updated AV, and what machines are currently infected. These machines should be cleaned using the Symantec Recovery Tool, AV reinstalled, and then reintroduced to the production network.
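As an added example (not code from the original post or from any Symantec tool), the scanner below looks for the “Pull” setup described above: an autorun.inf at the root of a share or drive whose launch key points at an executable sitting in that same root, plus any loose .EXE/.SCR files at the root. It can be pointed at any mounted or mapped share root from a clean host; the share it builds for the demonstration is constructed, and its placeholder executable contains no real code.

```python
"""Find the Sality 'Pull' pattern on a share or drive root: autorun.inf launching an
executable that lives beside it. Added example; no Symantec tooling involved."""
from __future__ import annotations
import tempfile
from pathlib import Path

# The post describes .EXE and .SCR infections; extend this set for other launchable types.
EXEC_SUFFIXES = {".exe", ".scr"}
# autorun.inf keys that cause something to run when the drive/share is opened
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(text: str) -> dict[str, str]:
    """Minimal autorun.inf parser: key=value pairs from the [autorun] section, keys lowercased."""
    values: dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    return values


def launch_target(values: dict[str, str]) -> str | None:
    """Return the program an autorun.inf would launch (first token of the command), if any."""
    for key in LAUNCH_KEYS:
        if values.get(key):
            return values[key].strip('"').split()[0].strip('"')
    return None


def scan_root(root: Path) -> list[str]:
    """Findings for one share/drive root; an empty list means nothing suspicious."""
    findings: list[str] = []
    inf = root / "autorun.inf"
    if inf.is_file():
        target = launch_target(parse_autorun(inf.read_text(errors="replace")))
        if target:
            candidate = root / target.replace("\\", "/").lstrip("/")
            if candidate.suffix.lower() in EXEC_SUFFIXES:
                status = "present" if candidate.is_file() else "missing"
                findings.append(f"autorun.inf launches {target} ({status} in root)")
        else:
            findings.append("autorun.inf present without a launch key")
    for entry in sorted(root.iterdir()):
        if entry.is_file() and entry.suffix.lower() in EXEC_SUFFIXES:
            findings.append(f"executable at share root: {entry.name}")
    return findings


def build_sample_share() -> Path:
    """Constructed share root mimicking the post's description (not a real sample)."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "autorun.inf").write_text(
        "[autorun]\nopen=xyzqw.exe\nshell\\open\\command=xyzqw.exe\n"
    )
    (root / "xyzqw.exe").write_bytes(b"MZ" + bytes(62))   # placeholder header bytes only
    (root / "report.docx").write_bytes(b"")
    return root


if __name__ == "__main__":
    for finding in scan_root(build_sample_share()):
        print("FINDING:", finding)
```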

 

For more on Sality, check out these links:

Best practices for responding to active threats on a network

All-in-One Malware: An Overview of Sality

Things I Can Live Without

 

Threat Write-Up:

Most Common Sality variant:
W32.Sality.AE
 

Legacy variants:
W32.Sality.AB
W32.Sality.AM
W32.Sality.R
W32.Sality.S

W32.Sality.U
W32.Sality.X
W32.Sality.Y
and W32.Sality.Y!inf
W32.Sality.V
and W32.Sality.V!inf

 

IPS Attack Signatures:
HTTP W32.Sality Activity
System Infected: W32.Sality Download
System Infected: HTTP W32.Sality Activity
System Infected: W32.Sality Activity 3
SMB Sality File Activity
SMB Critical File Tamper Activity
 

 

Customer Wins Industry Award for Data Insight Project


The Symantec Data Insight team is proud to announce that BNY Mellon won a prestigious industry award, the Information Security Executive (ISE) North America Project of the Year in the Commercial Category, with the use of Data Insight for their unstructured data governance project.

By implementing Data Insight, BNY Mellon’s Risk and Compliance Group was able to develop a governance process that provides security and user access certifications over high-risk data stored on network shared drives, which are scrutinized by regulatory agencies and by external and internal auditors. The customer was particularly pleased by the level of commitment the Symantec engineering team demonstrated throughout the implementation. Phase 1 of the customer's project has been deemed a success, propelling BNY Mellon to the ISE Award. Moving forward, the customer plans to continue to showcase the value of this project both internally and externally.

Data Insight helps organizations improve unstructured data governance through actionable intelligence into data ownership, usage and access controls. Its reporting, analytics and visualization capabilities help drive efficiency and cost reduction across the data lifecycle, improve protection of sensitive data and achieve compliance.

Learn more about Data Insight here.


Number of 9's


Ever wondered about the "number of 9's" terminology used in SLAs? The table below shows the actual annual downtime each level allows, as offered by various vendors in the market.

Number of 9's   Availability Percentage   Total Annual Downtime
2               99%                       3 days, 15 hours
3               99.90%                    8 hours, 45 minutes
4               99.99%                    52 minutes, 34 seconds
5               99.999%                   5 minutes, 15 seconds

Hope this helps in understanding SLAs.

 

Workaround to 7.1.2 MP1.1 v7RU CMDB rule creation issue


After a clean install of ITMS 7.1.2 MP1.1 v7RU, it was found that it was not possible to create a new CMDB rule as its first dropdown list failed to open.

To work around this issue, clone a sample CMDB rule and then modify it to suit your needs.

Securing the Internet of Things - where's the risk?


Based on discussions we are having across our customer base, we know that the Internet of Things (IoT) is a growing phenomenon. It’s not particularly new - after all, organisations have been monitoring the state of their buildings and equipment, and managing where things are in the supply chain, for many years now. What’s changing is the range and scale of physical objects that we’re starting to see connected, from air conditioning units to office doors. 

From our perspective, of course, we are very interested in what this means in security terms. So, should organisations allow increasing numbers of devices and objects to connect to the Internet, or block all attempts to do so? For us, the answer lies in being aware of the risks of doing so, and acting accordingly.

As a starting point, we believe the challenges lie in the misuse of what is likely to become a major new entry point into the organisation. We already have a major example: Stuxnet, a sophisticated malware program which targeted Supervisory Control And Data Acquisition (SCADA)-based systems ranging from power stations to industrial plants.

Beyond intrusion and direct hacking, what kinds of security challenges might we also expect? The following potential risks are worth considering:

  • Denial of service goes beyond hacking into a piece of industrial equipment. Many IoT scenarios are dependent on networks of physical objects - from supply chain to buildings management applications, from smart parking to intelligent waste disposal.  DDoS attacks could target all the end points of a particular use case, making the things inaccessible and breaking the use case they support.
  • Equally, in the same way that Botnets target insecure desktop and laptop computers, increasingly smart devices could be turned to unplanned use. Imagine if the processor in every plug socket became able to send Spam, to generate costly SMS messages, or indeed participate in a DDoS attack.
  • Weakening perimeters. Physical objects were generally not designed to be internet-connected, and therefore network security was not considered by design. Could it be that a ‘smart’ vending machine in the office canteen could actually be used to breach perimeter security and gain access to corporate systems?
  • Organisations should be aware of the potential for unintended consequences of IoT use cases. These include potential privacy breaches (for example over-intrusive staff monitoring) and the possibility of ‘gaming the system’, for example customers simply walking through a store to gain loyalty points.
  • Inadvertent breaches through use of IoT could also become an issue, for example the CEO’s car broadcasting its location. We would also advise keeping a careful eye on new devices people bring into the office - could that plant watering monitor provide an accidental gateway?

All of the above can be implicated in new attack vectors, which as ever, come from unexpected directions. We will no doubt see new variations on themes such as ‘man in the middle’ or ‘watering hole’ attacks, this time targeted at information flows from physical objects rather than people and their computers. 

As with all new areas of technology, organisations shouldn't panic unnecessarily about the potential for harm. However, as new use cases emerge, it is worth looking at areas such as these in the risk assessment process, and acting accordingly.

Do you agree? It would be great to hear your thoughts.

New variant of Cryptolocker spreads over removable drives


Last week Trend Micro reported a new variant of the Cryptolocker worm. In Trend Micro terminology it is WORM_CRILOCK.A (http://about-threats.trendmicro.com/us/malware/worm_crilock.a); Symantec detects it as Trojan.Cryptolocker.B (http://www.symantec.com/security_response/writeup.jsp?docid=2013-122312-5826-99). Unlike previous Cryptolocker variants, this one spreads over removable devices. Another significant difference is that it no longer relies on a malware downloader routine to infect systems; instead it poses as an activator for software such as Office or Adobe Photoshop on P2P sites.

 

Reference:
New CryptoLocker Spreads via Removable Drives
http://blog.trendmicro.com/trendlabs-security-intelligence/new-cryptolocker-spreads-via-removable-drives

 

On how to defend against the Cryptolocker threats please check following Symantec publications:

[Trojan.Cryptolocker]
http://www.symantec.com/security_response/writeup.jsp?docid=2013-091122-3112-99
Cryptolocker: A Thriving Menace
https://www-secure.symantec.com/connect/blogs/ransomcrypt-thriving-menace
Cryptolocker Alert: Millions in the UK Targeted in Mass Spam Campaign
https://www-secure.symantec.com/connect/blogs/cryptolocker-alert-millions-uk-targeted-mass-spam-campaign
Cryptolocker Q&A: Menace of the Year
https://www-secure.symantec.com/connect/blogs/cryptolocker-qa-menace-year

2013 - An Enterprise Vault Review

I decided to write a 2013 review ready for the new year. 2013 has been a busy year for Enterprise Vault, and I’ll cover that in this post. Part way through researching this post I got an email about my blog stats from WordPress (via Jetpack). The stats pleasantly surprised me, so I decided to write about them in a second post.
 
During the year we’ve seen the following:
 
Enterprise Vault 11 Beta
This began in ..  and if you subscribed and were accepted it meant you could get to grips with the new version of Enterprise Vault ahead of the main release.
 
Enterprise Vault 10.0.4
July 2013 brought us the general availability of 10.0.4 of Enterprise Vault, as shown in this blog post on the Connect Forums.
 
Cumulative Updates for 10.0.4
September 2013 brought us a post 10.0.4 Cumulative Update fixing some of the issues encountered in the 10.0.4 release.
 
Enterprise Vault 9.0.5
There are still some organizations on Enterprise Vault 9 (Why?  Upgrade already!) for those people there was a release in April. That release was EV 9.0.5. Personally I haven’t upgraded my EV 9 lab, I’ve left it on EV 9.0.4.
 
Looking Ahead?
Looking into 2014 I hope that we see some more improvements in the product and new features that will hopefully be well implemented and arrive in Enterprise Vault 11.