Channel: Symantec Connect - Blog entries

Sizing the Enterprise Vault PST Holding Area

The PST Holding Area is used by PST Migrations into Enterprise Vault, but how big should you make it? Of course there are a few schools of thought on this topic, so let's discuss:
 
As Big As You Can
 
The first, somewhat flippant answer you will often hear is that you should make the holding area as big as you can, multi-terabyte even, if possible. But that is not particularly good, I don't think; it shows a lack of thought and allows lax management of the area.
 
A Manageable Size
 
It is far better to do some investigation work and try to figure out how big the holding area needs to be, and to discuss with the backup team how big it can be so that they can comfortably back up the area each evening. If you use Locate, Collect, Migrate for PST migration, then you can run the 'Locate' stage and get a good idea of the sizes of the PSTs involved, and you will already know the locations of end users in terms of office, country and so on. You could even use third-party tools like PST FlightDeck from QUADROtech to do much more detailed and intelligent reporting and management of the 'flow' of data through a PST migration.
 
Always Separate
 
Whatever you decide for the holding area size, the critical thing is that the location should be separate from anything else. This way, if it really does run out of disk space, it is not going to have a negative effect on the running of the Enterprise Vault server. Many people also use network attached storage rather than a share on a locally attached drive on the Enterprise Vault server.
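The sizing reasoning above (take the 'Locate' inventory, agree a nightly backup window with the backup team, and size the holding area to the largest batch that window can absorb, with headroom) can be worked through as an added example. This is not code from the article or from Enterprise Vault; the PST inventory, the office names, the backup throughput and the 1.25 safety factor are all constructed assumptions.

```python
"""Capacity planning for a PST holding area (added example, not Enterprise Vault code).

The inventory below is a constructed stand-in for the output of the 'Locate' stage:
(UNC path, size in bytes, office). A real run would load it from the migration report.
"""
from collections import defaultdict

GIB = 1024 ** 3

LOCATED_PSTS = [  # constructed sample data
    ("\\\\fs01\\users\\alice\\archive.pst", 3 * GIB, "London"),
    ("\\\\fs01\\users\\bob\\old-mail.pst", 2 * GIB, "London"),
    ("\\\\fs02\\users\\carol\\archive.pst", 6 * GIB, "Tokyo"),
    ("\\\\fs02\\users\\dave\\2009.pst", 1 * GIB, "Tokyo"),
    ("\\\\fs03\\users\\erin\\mail.pst", 4 * GIB, "Sydney"),
]


def backup_window_bytes(rate_mib_per_s, window_hours):
    """Bytes the backup team can copy in one nightly window at a sustained rate."""
    return int(rate_mib_per_s * 1024 ** 2 * window_hours * 3600)


def size_by_office(inventory):
    """Total PST volume per office, useful for deciding which sites migrate together."""
    totals = defaultdict(int)
    for _path, size, office in inventory:
        totals[office] += size
    return dict(totals)


def schedule_batches(inventory, batch_limit_bytes):
    """Greedily pack PSTs, in inventory order, into nightly batches no larger than the limit.

    A single PST larger than the limit still gets a night of its own, but is reported as
    oversized so the backup window or the holding area can be renegotiated for it.
    """
    nights, current, current_size, oversized = [], [], 0, []
    for path, size, _office in inventory:
        if size > batch_limit_bytes:
            oversized.append(path)
        if current and current_size + size > batch_limit_bytes:
            nights.append(current)
            current, current_size = [], 0
        current.append(path)
        current_size += size
    if current:
        nights.append(current)
    return nights, oversized


def plan_holding_area(inventory, batch_limit_bytes, safety_factor=1.25):
    """Size the holding area to the largest nightly batch plus headroom (assumed factor)."""
    sizes = {path: size for path, size, _office in inventory}
    nights, oversized = schedule_batches(inventory, batch_limit_bytes)
    largest = max((sum(sizes[p] for p in night) for night in nights), default=0)
    return {
        "nights": len(nights),
        "largest_batch_bytes": largest,
        "holding_area_bytes": int(largest * safety_factor),
        "oversized": oversized,
        "batches": nights,
    }


if __name__ == "__main__":
    # Assumed backup window: 10 MiB/s sustained for 2 hours, capped at 8 GiB of holding space.
    limit = min(backup_window_bytes(10, 2), 8 * GIB)
    plan = plan_holding_area(LOCATED_PSTS, limit)
    for office, total in size_by_office(LOCATED_PSTS).items():
        print(f"{office}: {total / GIB:.1f} GiB of PST data")
    print(f"{plan['nights']} nights, holding area >= {plan['holding_area_bytes'] / GIB:.2f} GiB")
```

The batch limit is whichever is smaller: what the backup window can absorb, or the disk you can dedicate to the separate holding area volume. Running the plan with that limit tells you both how many nights the migration takes and the minimum holding area size before any PST is oversized.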
 
How do you size your PST Holding Area? Let me know in the comments.
 

Manga Scanlation Services, a Viable Target for Malicious Activities


Japanese animation is known as anime and Japanese comics are known as Manga. In the last two decades, these industries have grown in popularity across the world. People know that cashing in on the latest trend is often an easy way to earn money, and many legal and illegal businesses often take advantage of this. The popularity of anime and manga has opened up a new avenue for cybercriminals to push malware threats onto unsuspecting fans through malvertisements and mobile risks.

During the early 90’s Japanese comics experienced a boom in the US market and earned their place on the shelves of major book sellers. Before these books can be read by fans who do not speak Japanese, they must be translated. The number of manga being officially translated is growing, but this doesn’t seem to be enough to keep fans satisfied. In addition, only the more popular titles are candidates for translation.

One problem the manga industry faces is how to choose the comics that will be appreciated by non-Japanese speaking fans. One indicator that proves to be very useful is reader communities. Some of these communities work together to produce translated scans of Japanese manga, known as scanlation (or scanslation).

Official editors monitored these communities and oriented their business accordingly; unfortunately it backfired. The Japanese comics and anime industry began to lose customers due to the growing number of people accessing the Internet in the late 90's and the rise of giant scanlation sites providing free online manga content.

In the last few years lawsuits have been launched against websites and communities offering scanlation services, as it is a violation of copyright if the holder hasn’t given their permission.

Scanlation involves a lot of work and a scanlating team can include the following members:

  • Translator
  • Cleaner
  • Proofer
  • Typesetter
  • Re-drawer

Team members are mostly volunteers, so in order to keep the publication of new material coming out at regular intervals, some form of monetization is needed and advertisements are often a key source of income.

Exploit kits and malvertisement
These sites show up to ten advertisements on a chapter’s page on average, and in some cases they are using eleven ad providers. Recent investigations around malvertisements, exploit kits, and the recently rolled out Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2013-2551) led us to observe a number of scanlation sites linked to malicious redirections by malvertisement and malicious code. The chart shown in Figure 1 provides an overview of the different malware detections observed from July 2013 through early January 2014.

chart1.png

Figure 1. IPS detections from scanlation domains (July 2013 – January 2014)

With the roll out of CVE-2013-2551 in December 2013 and the shutdown of the Blackhole exploit kit, the trend has changed. We are observing more malvertisement-type attacks that are mainly pushing out Trojan.FakeAV. In these recent malvertisement cases, the scanlation websites were not directly compromised with malicious code; it was their ad providers that were. The users of scanlation websites also become victims in these cases because of the heavy use of ads targeted at them on the websites. Figure 2 shows IPS detections from scanlation domains observed from October 2013 to early January 2014.

chart2.png

Figure 2. IPS detections from scanlation domains (October 2013 - January 2014)

An evolving reading format
As smartphones and tablets have become a more integral part of people's lives, fewer people are using their computers or actual books. A vast majority of websites have released mobile versions of their content to make mobile access easier.

We conducted a mobile browsing test and observed how readers were redirected while reading random pages of recently released manga. We saw that users sometimes encountered a forced redirection when trying to go to the next page. The redirection led to a download prompt for an APK file. We categorized this Android application, Airpush Adware, as a security risk. Airpush Adware can collect and send out the user’s phone number, email address, and a list of applications to third parties, which could lead to the user receiving spam through email and SMS.

Fig3_4.png

Figure 3. Airpush privacy policy and advertising terms

A large number of mobile applications that collect manga from different scanlation domains have begun to appear. These apps can offer over 1,000 manga in multiple languages that users can read online and off. With high download and installation rates, these applications are ideal targets for malicious piggybacking and Trojanized readers. As an example, we found one application, distributed on third-party markets, that offered manga reading services while sending premium SMS messages. Symantec detects this threat as Android.Opfake.

A growing global enthusiasm for scanlating
The detection data gathered from July 2013 through January 2014 on these scanlation domains shows regular spikes that can easily be tied to the release of popular manga chapters for Naruto, Bleach, One Piece, Fairy Tail, and Kingdom.

A heatmap of the malvertisements seen on scanlation websites confirms that the highest readership is in the United States, followed by Europe, and Australia. Manga readership is also present in the Middle East and Brazil. Currently, the scanlation teams appear to be translating manga into six different languages (English, German, Italian, Spanish, Russian, and French).

Fig4_2.png

Figure 4. IPS detections for Scanlation domains and malvertising (July 2013 – January 2014)

With a large variety of manga available, the vast amount of new comics can make the medium difficult to access unless the reader understands Japanese or waits for official editors to provide a translated version.

Because new mangaka (manga authors) need to earn their popularity with fans, they often allow, or turn a blind eye to, scanlation services. As such, the functional structure of scanlation services closely flirts with legal issues and copyright abuse. Unfortunately, the growing popularity of scanlation services has caused it to attract cybercriminal attention.

Symantec Security Response advises users to keep their software up-to-date to limit the successful exploit of vulnerabilities and not to install applications outside of trusted app stores.

Cloudy with a chance of breach in 2014 !


This blog article examines how security threats impacted users and businesses in 2013 and possible solutions that can be adopted to fight those threats.

Clearwell: Command line starting and stopping of services

Helpful for automating the stop and start of services

The Clearwell Utility and Clearwell Commander both have the ability to stop and start the services, but both require you to be present to use them; that is, they can't be automated.

Systems administrators from time to time need to automate the start and stop of Clearwell services in the small hours whilst actions are being performed on the server. Neither of the tools allows for this, but it is possible using b commands on the Clearwell appliance.

Archiving More Message Types with Enterprise Vault

 
When some people start using Enterprise Vault they don't always put a lot of thought into the types of messages that the system should archive. Many people figure email is email and Enterprise Vault just archives it all, right? Well, the answer to that is no. By default only a small number of message classes are archived by Enterprise Vault. The message class itself gives different MAPI properties which programs like Outlook can interpret and display differently. For example, an IPM.Task 'message' has additional properties on it which relate to tasks. The same holds for things like IPM.StickyNote, and so on.
 
The basic list of message classes can be seen here:
 
message class list.png
 
Some organisations will go above and beyond this and might integrate third-party applications into the messaging infrastructure, for example voicemail. These too might have different message classes, and an add-in installed alongside Outlook so that the 'right thing' can be done when opening such an 'email'.
 
So with this possibility of different types of 'built-in' message classes, and the possibility that custom ones may be added to the environment, any savvy Enterprise Vault administrator would do well to take time to study the types of message classes in use in the organization. Simply archiving IPM.Note isn't going to help keep mailboxes nice and trim and within the mailbox quota.
 
There are a number of tools out there that can be used to help analyse mailboxes, such as:
 
 
Whatever the outcome of this, additional message classes for archiving need to be added to Enterprise Vault in two places:
 
Directory Properties
The message class itself has to be added to the Directory:
 
adding a message class.png
 
Archiving Policy
Only then is it available on the archiving policy tab:
 
archiving policy.png
 
Flexible approach
When you think about it this is quite a flexible approach. You define the extra message classes once in your organization, and then add them to the policies as appropriate.  Have you added any extra message classes?  Which ones? Let me know in the comments....
 

Attacks Against the Energy Sector

Energy is crucial to our modern lifestyle. Disturbingly, reports of attempted attacks against the companies and industries that supply it are increasing every year. In the first half of 2013, the energy sector was the fifth most targeted sector worldwide, experiencing 7.6 percent of all cyberattacks. So, it’s not surprising that in May 2013, the US Department of Homeland Security warned of a rising tide of attacks aimed at sabotaging processes at energy companies. At Symantec, our researchers are finding that traditional energy utility companies are particularly concerned about scenarios created by the likes of Stuxnet or Disttrack/Shamoon which can sabotage industrial facilities. 
 
We are also learning that aggressors who target the energy sector also try to steal intellectual property on new technology, like wind or solar power generators or gas field exploration charts. While data theft incidents may not pose an immediate and catastrophic threat to a company, they can create a longer term strategic threat. Information stolen could be used in the future to perform more disruptive actions. 
 
The motivations and origins of attacks can vary considerably. A competitor may commission actions against energy companies to gain an unfair advantage. There are “hackers for hire” groups such as the Hidden Lynx group, who are more than willing to engage in this type of activity. State-sponsored hackers could target energy firms in an attempt to disable critical infrastructure. Hacktivist groups may also victimize companies to further their own political goals. Symantec researchers know these threats can originate from all over the world and sometimes from within company walls. Insiders who are familiar with the systems can carry out attacks for extortion, bribery or revenge. And disruptions can simply happen by accident such as a misconfiguration or a system glitch. For example, in May 2013, the Austrian power grid nearly had a blackout due to a configuration issue.
 
Our research has found that modern energy systems are becoming more complex. There are supervisory control and data acquisition (SCADA) or industrial control systems (ICS) that sit outside of traditional security walls. And as smart grid technology continues to gain momentum, more new energy systems will be connected to the Internet of Things, which opens up new security vulnerabilities related to having countless connected devices. In addition to this, many countries have started to open the energy market and add smaller contributors to the electric power grid, such as private water power plants, wind turbines or solar collectors. While these smaller sites make up only a small portion of the grid, the decentralized power input feeds can be a challenge to manage with limited IT resources and need to be carefully monitored to avoid small outages that could create a domino effect throughout the larger grid. 
 
We see the need for a collaborative approach combining IT and industrial component security to protect the industry’s information. To partner in this effort, Symantec has conducted an in-depth study into attacks focused on the energy sector that took place in the past 12 months. This research presents the facts and figures, and covers the methods, motivations, and history of these attacks. 
 
 
The following infographic illustrates some of the key points around attacks against the industries in the energy sector.
 
AttacksAgainstEngerySectorInfoGraphic2014.png

ReIcon, Save and Restore Desktop Icon Layouts


BIGGER, BETTER, BEST – inside the data dilemma


As we are all aware, information is expanding at a staggering rate. World data in 2010 was estimated at 1.2 zettabytes, expected to rise to 7.9ZB in 2015 and, in 2020, to 40ZB, with something like 30 billion connected devices in the next few years. Against that backdrop, there is really no way we have either the time or the bandwidth (cost) to shift these large lumps of data around. Yet, potentially, they have enormous value to people who want to access them.

In this world of ‘Bigger Data’ – and what is rapidly becoming ‘Even Bigger Data’ – this presents a massive challenge for all of us: how do we supply Data as a Service, while still maintaining control?

Because the reality is that, in these data-driven times, everyone is going to have to consider themselves as a consumer and a provider of Data as a Service, and deal with all of the consequences this brings into play.

In the new world of mega-data, information that would once have been considered beyond the reach of many is now almost your everyday fare. Practically nothing is off the menu. All of which means that there are some very large datasets out there that people want to exploit, such as Facebook data, mobile and location data, census data, research data, genome data, medical history… the list is daunting.

Amazon is a great case in point here. It is actually starting to offer public access to very large datasets. Amazon Web Services provides a centralised repository that can be integrated into AWS cloud-based applications. Like all AWS services, users pay only for the compute and storage they use for their own applications (1). However, consumers don’t want to copy the whole lot. So they are going to have to buy/ rent some Amazon EC2 to process the data at the Amazon location and just transport the results.

This highlights what lies at the crux of Data as a Service: simply offering the data is not enough. A level of infrastructure has to be provided, so customers can run apps against the data and then transport the results. This then leads into all the normal threads of how do you bill for access to that data: by processing time; by amount of data processed; by amount of metadata created?

Then there is the need to ensure that the highest levels of confidentiality are observed around the data. For instance, where medical data is concerned, one objective might be to understand the numbers of people who have contracted flu in a particular area, without compromising the integrity of that process. For example, if healthcare statistics are being offered out ‘as a Service’, you have to ensure the appropriate levels of anonymity have been put in place, so that, when combined with another data source – say, Facebook –individuals’ personal information is properly protected. And, of course, the smaller the dataset, the harder it is to retain that anonymity.

In tackling these challenges, organisations need the ability to effectively control factors within the organisation, knowing what and where their most important information is. Equally, Symantec's goal is to help them understand user behaviour, determine risks and improve productivity. For customers, the result will be a stronger 'information fabric', i.e. the layer of metadata that is common across all data types that enables organisations to get better insight into their data, helping them to understand the information they have and its criticality to their business, while eliminating redundancy.

Also, Symantec is simplifying security by addressing the challenge of managing all the different solutions that companies are now investing in. Its Security as a Service solution, for instance, monitors both Symantec and third-party security products in the environment, to deliver the highest levels of protection moving forward, while Data Insight 4.0 is the latest version of Symantec's unstructured data governance solution, providing actionable intelligence into the ownership and usage of unstructured data, such as documents, presentations, spreadsheets and emails. Most importantly, Data Insight 4.0 provides new discovery, analysis and remediation capabilities to help organisations better reduce costs and risk, achieve compliance and gain insights into their unstructured data.

All of this serves to reinforce the fact that Bigger Data, in itself, has little value. What gives it its worth is the information analytics that are applied to it, in a secure environment. Get that formula right and your business will extract maximum payback from its operations. Get it wrong and it's more likely to be your competitors enjoying those fruits.

 

Please also check out the latest blog from our CEO Steve Bennett on how we at Symantec are helping people, businesses, and governments protect and manage their information.

---------------------------------

(1) http://aws.amazon.com/datasets

Manga Scanlation Services Become a Prime Target for Malicious Activities (Japanese edition)


Japanese animation is known as "anime" and Japanese comics as "manga", and over the past 20 years the manga and anime industries have gained popularity around the world. It is well known that riding the latest trend is a quick way to make money, and the tactic is widely used both legally and illegally. The popularity of anime and manga has also created a new avenue for cybercriminals to bring malware threats to unsuspecting fans through malvertising (malicious advertising) and mobile risks.

In the 1990s, Japanese manga became a huge boom in the US market and came to line the shelves of major booksellers. Fans who do not understand Japanese must wait for manga to be translated. The number of officially translated manga is increasing, but it still seems far from enough to satisfy fans. Moreover, only the most popular titles are chosen for translation.

One problem facing the manga industry is how to choose works that non-Japanese-speaking fans will appreciate. Reader communities have proven very useful as a criterion. Some reader communities include groups that scan Japanese manga and produce translated versions, a practice known as scanlation (or scanslation).

Official publishers paid attention to these reader communities and set their business direction according to their activity, but this backfired. At the end of the 1990s the number of users accessing the Internet surged, and huge scanlation sites began providing free manga online, so the Japanese manga and anime industry started losing customers.

In recent years, several websites and communities running scanlation services have been sued for copyright infringement because they did not have the copyright holders' permission.

Scanlation requires a great deal of work, and a team includes members such as the following:

  • Translator
  • Cleaner
  • Proofreader
  • Typesetter
  • Redrawer

Since team members are mostly volunteers, some form of monetization is needed to keep publishing new works regularly, and advertising is a source of income that cannot be ignored.

Exploit kits and malvertising
On these sites, an average of 10 advertisements are displayed on a chapter's pages, and in some cases 11 ad providers are used. In our recent investigation of malvertising, exploit kits, and the recently disclosed Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2013-2551), we confirmed that many scanlation sites were linked to malicious redirect destinations through malvertising and exploit code. The chart in Figure 1 shows the various malware detections observed from July 2013 to early January 2014.

chart1.png

Figure 1. IPS detections on scanlation sites (July 2013 to January 2014)

When CVE-2013-2551 was disclosed in December 2013 and the Blackhole exploit kit was shut down, the trend changed completely. Malvertising-type attacks delivering Trojan.FakeAV have surged. In recent malvertising cases, it was the ad providers, not the scanlation sites, that were directly infected with malicious code. Because ads targeting users of scanlation sites are used heavily in these cases, the users of scanlation sites also suffer harm. Figure 2 shows IPS detections on scanlation sites observed from October 2013 to early January 2014.

chart2.png

Figure 2. IPS detections on scanlation sites (October 2013 to January 2014)

Changing reading formats
As smartphones and tablets have become indispensable in people's lives, use of paper books and PCs has declined. Most websites also publish mobile content to make mobile access easier.

Symantec conducted a mobile browsing test to examine how readers are redirected when loading random pages of recently published manga. We found that a forced redirect sometimes occurs when trying to move to the next page. At the redirect destination, the user is prompted to download an APK file. Symantec classifies this Android app, "Airpush Adware", as a security risk, because Airpush Adware may collect the device's phone number, email address, and list of apps and send them to third parties, which can lead to spam arriving via email and SMS.

Fig3_4.png

Figure 3. Airpush privacy policy and advertising terms

Mobile apps that collect manga from various scanlation sites have begun to appear in large numbers. These apps claim to offer more than 10,000 manga in multiple languages, online or offline. With high download and install rates, such apps are prime targets for malicious piggybacking and Trojan attacks. For example, we have confirmed an app distributed on third-party markets that claims to be a manga reading service but actually makes the user send premium SMS messages. Symantec detects this threat as Android.Opfake.

Scanlation fever spreading worldwide
Detection data collected on these scanlation sites from July 2013 to January 2014 shows regular spikes. These clearly coincide with the release of new chapters of popular manga such as Naruto, Bleach, One Piece, Fairy Tail, and Kingdom.

A map of the distribution of malvertising observed on scanlation sites shows that readership is highest in the United States, followed by Europe and Australia. Manga readership also extends to the Middle East and Brazil, and scanlation groups currently appear to be translating manga into six languages (English, German, Italian, Spanish, Russian, and French).

Fig4_2.png

Figure 4. IPS detections and malvertising on scanlation sites (July 2013 to January 2014)

Although an enormous number of manga are published, the overwhelming majority of new manga cannot be read without understanding Japanese; otherwise, the only option is to wait for an official translation.

New manga artists, eager to win popularity with fans, tend to permit scanlation services or turn a blind eye to them. As a result, scanlation services are inherently prone to disregarding legal issues and copyright infringement. And the more popular scanlation services become, the more attention they attract from cybercriminals.

We recommend keeping software up to date at all times to prevent exploitation of vulnerabilities. Also, install applications only from trusted app stores.

 

* To subscribe to the RSS feed of the Japanese-language Security Response blog, visit http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

Popular Japanese Publisher’s Website led to Gongda Exploit Kit


We recently encountered the website of a major Japanese publisher and distributor of books, magazines, comics, movies, and games that had been injected with a malicious iframe leading to another website hosting an exploit kit.

As far as we know, at least three files on the book publisher’s site were compromised.

figure1_6.png
Figure 1. Malicious iframe found on publisher's site

The malicious iframe was present across multiple pages including the homepage. Our telemetry shows the first potential victim visited the site at approximately 22:00 PST on January 5, 2014 (15:00 JST on January 6, 2014). The security issue was not fixed until late on January 8, PST (in the evening of January 9, 2014 JST).

The malicious iframe loads another website, hosting an exploit kit, as soon as a user visits the book publisher’s site. The exploit kit has been identified as Gongda exploit kit, which in this particular attack served exploits for the following five vulnerabilities:

  • Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability (CVE-2012-0507)
  • Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2012-1889)
  • Oracle Java Runtime Environment Multiple Remote Code Execution Vulnerabilities (CVE-2013-0422)
  • Adobe Flash Player Remote Memory Corruption Vulnerability (CVE-2013-0634)
  • Oracle Java SE Memory Corruption Vulnerability (CVE-2013-2465)

figure2_4.png
Figure 2. Attack scenario

Upon successful exploitation of the vulnerabilities, Infostealer.Torpplar is downloaded. This malware is tailored to target Japanese users for information stealing purposes. The malware monitors open windows for a list of Japanese websites that include the following:

  • 2 online banking sites
  • 3 online shopping sites
  • 3 Web mail sites
  • 3 gaming/video websites
  • 14 credit card sites

It is interesting that the malware targets only two online banking sites, one of which is merely a regional bank. Most banks are aware that they are a target of sophisticated malware such as Trojan.Zbot and have implemented additional layers of protection and verification for their online customers. We believe the attacker knows this and intentionally targeted other financially viable sites that have only basic security measures in place.

The stolen information is sent to a predefined website in plain text, which can be easily read if intercepted.

We have the following IPS signatures in place to block exploit attempts dished out by the Gongda exploit kit used in the attack:
 
•    Web Attack: Gongda Exploit Kit Website
•    Web Attack: Gongda Exploit Kit Website 2

In addition to the Infostealer.Torpplar detection, the following AV detections are available for the files associated with this attack:

•    Trojan.Webkit!html
•    Trojan.Malscript
•    Trojan.Maljava
•    Trojan.Swifi

To stay protected, Symantec recommends that users apply the latest patches and keep AV and IPS definitions up to date.

Attacks Against the Energy Sector

Energy is indispensable to modern life. Worryingly, reports of attempted attacks against the companies and industries that supply energy are rising every year. In the first half of 2013, the energy sector was among the top five targeted industries worldwide, accounting for 7.6% of all cyberattacks. It is therefore no surprise that in May 2013 the US Department of Homeland Security warned of a growing trend of attacks aimed at disrupting processes at energy companies. Symantec's research also found that traditional energy companies are particularly concerned about the scenarios that threats such as Stuxnet and Disttrack/Shamoon, which are capable of sabotaging industrial facilities, could bring about.
 
Symantec has also found that attackers targeting the energy sector are trying to steal intellectual property, such as new technologies for wind and solar power or gas field exploration maps. A data theft incident is not always an immediately devastating emergency for a company, but it can pose a long-term strategic threat: the stolen information can be used for more destructive activity later.
 
The motives and sources of attacks are equally varied. A competitor may mount an attack on an energy company to gain an unfair advantage, and hackers-for-hire groups such as the Hidden Lynx group may devote themselves to this kind of activity. State-sponsored hackers may target energy companies in an attempt to shut down critical infrastructure, while hacktivist groups may target companies to advance their political goals. Symantec's research shows that these threats arise all over the world, and sometimes originate inside the company itself: an insider who knows the systems well can carry out an attack for extortion, bribery or revenge. Even an accident such as a misconfiguration or a system flaw can bring systems down; in May 2013, for example, Austria's power grid came close to a blackout because of a configuration problem.
 
As Symantec's research shows, today's energy systems are growing ever more complex. Outside the traditional security wall sit SCADA (Supervisory Control And Data Acquisition) and industrial control systems (ICS). Meanwhile, smart grid technology continues to gain momentum, and as new energy systems are increasingly connected to the Internet of Things, the countless connected devices will bring new security vulnerabilities with them. Moreover, energy markets have opened up in many countries and regions, and small operators with private hydro, wind and solar generation are joining the power grid in growing numbers. These small installations are only a tiny part of the grid, but distributed power supply is a challenge that has to be managed with limited IT resources. Because even a minor outage can have a domino effect across a wide area of the grid, careful monitoring is needed to make sure none occurs.
 
It is clear that a collaborative approach combining IT and industrial security is needed to protect industrial information. To contribute to that effort, Symantec conducted a detailed study of attacks against the energy sector over the past 12 months. The study presents facts and data on attacks against the energy sector and sheds light on attack methods, motives and background.
 
 
The infographic below summarizes the key points about attacks targeting companies in the energy sector.
 
[Infographic: Attacks Against the Energy Sector 2014]
 
 
* To subscribe to the RSS feed of the Japanese-language Security Response blog, go to http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

Some notes on the current aila2 releases


aila2 downloads and documents are currently coming to Symantec Connect. These downloads are part of a tool kit to help build a website that tracks the IIS log file trends on Altiris servers. Not all of the downloads are published yet, so we are providing a quick update on what capabilities will be available once all the tools and docs are released.

Symantec Accepted as Applicant Members of the Electronic Industry Citizenship Coalition (EICC)


We are proud to announce that Symantec has been accepted as an Applicant Member of the Electronic Industry Citizenship Coalition (EICC).

Symantec is committed to protecting people and information, independent of device, platform or location. We consider the security of information central to corporate responsibility in this digital age of increased exposure, and are excited about EICC membership and fully support the EICC vision and goals:

Vision:  Through the application of high standards we can create better social, economic and environmental outcomes for all those involved in the Electronics and ICT supply chains. This includes increased efficiency and productivity for customers and suppliers, improved conditions for workers, economic development and a cleaner environment for local communities.  

Mission:  To deliver these benefits through a shared approach to implementing the EICC Code of Conduct. This approach will reduce duplication, focus efforts on positive social and environmental change, build supply chain capabilities in social responsibility and employ a process that solicits feedback from stakeholders.

We are committed to progressively aligning our own operations with the provisions of the EICC Code of Conduct and to support and encourage our own Tier 1 Supply Chain Suppliers to do the same. Where possible and applicable, we will seek to adopt the EICC approach and tools in practical ways in the spirit of the industry’s common goals and continuous improvement.

We look forward to working as part of the EICC Program and to joining other members who have made this commitment to good corporate citizenship.

 

Amanda Davis is Symantec's Senior Manager, Global Quality and Environmental Compliance.

Microsoft Patch Tuesday – January 2014


Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing four bulletins covering a total of six vulnerabilities. All six of this month's issues are rated 'Important'.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the January releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms13-Jan

The following is a breakdown of the issues being addressed this month:

  1. MS14-001 Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2916605)

    Memory Corruption Vulnerability in Microsoft Word (CVE-2014-0258) MS Rating: Important

    A remote code execution vulnerability exists in the way that affected Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights.

    Memory Corruption Vulnerability in Microsoft Word (CVE-2014-0259) MS Rating: Important

    A remote code execution vulnerability exists in the way that affected Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights.

    Memory Corruption Vulnerability in Microsoft Word (CVE-2014-0260) MS Rating: Important

    A remote code execution vulnerability exists in the way that affected Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights.

  2. MS14-002 Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368)

    Kernel NDProxy Vulnerability (CVE-2013-5065) MS Rating: Important

    An elevation of privilege vulnerability exists in the NDProxy component of the Windows kernel due to the improper validation of input passed from user mode to the kernel. The vulnerability could allow an attacker to run code in kernel mode. An attacker who successfully exploited this vulnerability could run a specially crafted application and take complete control of an affected system. The attacker could then install programs, view, change, or delete data, or create new accounts with full administrator rights.

  3. MS14-003 Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2913602)

    Win32k Window Handle Vulnerability (CVE-2014-0262) MS Rating: Important

    An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly uses window handle thread-owned objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.

  4. MS14-004 Vulnerability in Microsoft Dynamics AX Could Allow Denial of Service (2880826)

    Query Filter DoS Vulnerability (CVE-2014-0261) MS Rating: Important

    A denial of service vulnerability exists in Microsoft Dynamics AX that could allow an attacker to cause a Dynamics AX server to become unresponsive.

More information on the vulnerabilities being addressed this month is available at Symantec's free SecurityFocus portal and to our customers through the DeepSight Threat Management System.


Rest in Peace Scams


The rise of “rest in peace” scam messages on social media sites continues. Jackie Chan, Morgan Freeman, Will Smith, Keanu Reeves, and Rihanna are only a few of the celebrities that have been proclaimed dead in recent scams. The sensational messages usually include links to a video. Before the user gets to see the video, they are tricked into manually sharing the bait message with all of their family and friends in order to spread the scam further. Even after sharing the post, the user will still not be able to see the fake video. Rather, they will be redirected to a site with advertisements that asks the user to fill out a survey. The ads and surveys generate revenue for the scammer. Other variants of the scam ask the user to download a malicious browser extension or application. This kind of scam is not new, but as long as it makes money, it will continue.

Figure 1. Fake video scam shared across social media sites

Some scammers are currently focusing on Paul Walker and Roger Rodas, who both recently died in a car accident. Even though the basis of the story is true, the scammers are using these tragic deaths to try to promote fake videos which claim to include unseen footage of the crash. One scam group has specialized in the use of malicious Facebook applications to boost the reach of the scam. With a simple geo-IP location JavaScript, the scammers can determine the user’s location and redirect their browser to a site that suits their region. This is straightforward and common behavior nowadays. The redirects can point to malicious Facebook apps, remotely hosted scam sites, or phishing sites. Luckily, in this example, the phishing website does not look very convincing, as some browsers break the layout of the site.

Figure 2. Fake Facebook login Web page with broken layout

Unfortunately, the redirects can sometimes skip one of Facebook’s warnings about malicious URLs. Whenever a user clicks on a link in a Facebook post, the browser will get redirected to a transfer script. If Facebook thinks that the destination URL is suspicious, a warning message is displayed, informing the user and allowing them to report the post as spam. Since the Web page is shown in an iframe below the warning, it is possible, in some rare cases, that the scammer could automatically redirect the user to a new site. As a result, the user will only see the warning message for less than a second before they are sent to the malicious Facebook application page. Often, multiple redirects are involved until the final page is reached.

Figure 3. Link redirection warning

If a user attempts to install a malicious application, the app asks for permission to read the user’s data and to post in their timeline. The scammer’s main goal here is to post the message through the user’s Facebook account without the victim’s knowledge so that more people fall for the scam.  Once the user installs the application, the scam message is posted to their timeline and the user is redirected to the survey scam Web pages.

A few hundred people per hour have clicked on each of these links and some have installed the application. Of course, Facebook is doing its best to block the malicious links and remove the applications as fast as possible. Unfortunately the bad guys have automated scripts on their side. Each of the analyzed domains hosted more than 2,000 copies of the malicious Facebook application, each under a slightly different name. This allows the scammers to rotate the malicious links once the app is blocked.

Figure 4. Scam application asking for permissions

As always, Internet users are advised to follow best practices:

  • Be vigilant and skeptical when reading sensational stories on social media sites
  • Do not install plugins or tools from untrusted sites
  • Think twice before filling out verification surveys in order to access content
  • When installing social applications, verify that the requested permissions are really required

Symantec customers are protected against these types of attacks by various IPS signatures and our URL reputation blocking service.

Symantec would like to encourage Facebook users to report any scams that they encounter to Facebook. The Facebook security team is currently working on this particular scam and they are blocking and removing the threat as new versions appear.

Symantec VIP Update: Enhancements to the Self Service Portal and VIP Manager


 

 

Symantec has enhanced the Self Service Portal and VIP Manager in the Symantec Validation and ID Protection Service (VIP).

The Self Service Portal has been redesigned. Credentials are easier to manage, and your organization's logo can be displayed at the top of the page. VIP Manager, the administrator portal, gains new features, more customization options and stronger password security. Both are web-based portals provided by Symantec, so the new functionality is available immediately.

 

New features

  1. Self Service Portal enhancements
  2. VIP Manager enhancements
  3. Stronger password security in VIP Manager

Details of the new features

Self Service Portal enhancements

  • The Self Service Portal and the credential registration screens have been redesigned for ease of use
  • Your organization's logo can now be displayed in the Self Service Portal *
  • A remote device diagnostics page has been added for administrators. It can be used to troubleshoot Registered Computer (the device registration feature available with VIP Intelligent Authentication), for example by checking whether the plug-in is installed
  • Support for Simplified Chinese
  • Support for Chrome on Macintosh, Windows 8 (Internet Explorer 10 only) and Windows 8.1 (Chrome, Firefox, Safari and Internet Explorer 7 or later)


VIP Manager enhancements

  • Group functionality has been extended to integrate with Admin Groups, so that administrator privileges can be customized for specific user groups **
  • Direct Sign-In can now be configured, so that instead of logging in to VIP Manager directly, users are authenticated with the credentials held by an internal identity provider such as Microsoft Active Directory **
  • Reports now show the local time zone

Stronger password security in VIP Manager

  • The validity period of temporary passwords has been reduced from 7 days to 30 minutes
  • When resetting a password, administrators must now enter two security codes, including the temporary password
  • Special characters can now be used in passwords

* In this release the logo is not displayed on the login page.

** This feature requires Enterprise Gateway to be upgraded to version 9.3 or later.

 

Scammers Exploit Vacation Hangover with Malware Attacks


It’s not surprising to see scammers exploiting the laxity of Internet users.

Symantec has observed another malware wave over the past few days following the holiday season. Many users check their utility and other official emails after their vacation to see if they missed any important messages. This is where spammers take their chance and hope that users will click on the malicious links in their emails.

In this latest wave of attacks, spammers are taking advantage of users’ desire to open and respond to urgent emails right away. When this happens, the malware infects users’ computers and extracts confidential data.

Last week, I, too, received some of these scam emails posing as delivery failure notifications from well-known stores with an online presence, stating that I had missed the delivery of a couple of parcels while I was away on vacation.

At first, I wondered how this was possible since I hadn’t placed any orders, and wondered if they might be surprise gifts. However, just before clicking the link contained in the email, I checked the status bar only to find that it had been spoofed. My level of suspicion was raised even further by the language and grammatical errors found in the email, as shown in Figure 1.

Figure 1. Spam email with grammatical errors and malicious link

Similarly, I also received an email in which the spammer masqueraded as another well-known brand, making the message appear to be a statement, while embedding a malicious link. Fortunately, there was a discrepancy between the template used by the brand and the email headers which belonged to another email. Upon further inspection, I discovered that the embedded link contained malware. The spam also used a hijacked URL as shown in Figure 2.
 
Figure 2. Another delivery failure spam email

Another email I received invited me to attend the funeral of someone I did not know. I began to check if I knew the family, or if it was a college friend or neighbor, but then discovered that the link in the email was malicious.

Figure 3. Funeral invitation spam email

This type of spam requires users to adopt a two-pronged approach – to be on guard while sifting through emails, and to be on the lookout for mistakes made by the scammers.

A lot of these spam emails are full of grammatical errors, faulty sentence structure, and tactical errors such as spoofing one retail operator while the email headers point to a competitor. Another tactic involves the use of hijacked domains and URLs, which are rotated and recycled over time but have no association with the brand or entity that the email claims to be from.

While you are overcoming your post-holiday blues, Symantec recommends that you exercise diligence when dealing with your emails, and not to let scammers exploit your vacation hangover.

Major Japanese Publisher's Website Used by the Gongda Exploit Kit


Symantec recently confirmed that a malicious iframe, which sends visitors to another website hosting an exploit kit, had been injected into the website of a Japanese publisher. The publisher is a major company whose business spans books, magazines, manga, films and games.

As far as we could confirm, at least three files on the publisher's site had been compromised.

Figure 1. Malicious iframe found on the publisher's site

The malicious iframe was present across multiple pages, including the homepage. According to Symantec's telemetry, the first victim visited the site at approximately 22:00 PST on January 5, 2014 (15:00 JST on January 6, 2014), and the security issue was not fixed until late on January 8 PST (the evening of January 9, 2014 JST).

As soon as a user visits the publisher's site, the malicious iframe loads another website that hosts the exploit kit. The exploit kit has been identified as Gongda, and in this attack it exploited the following five vulnerabilities:

•    Oracle Java SE Runtime Environment remote code execution vulnerability (CVE-2012-0507)
•    Microsoft XML Core Services remote code execution vulnerability (CVE-2012-1889)
•    Oracle Java Runtime Environment multiple remote code execution vulnerabilities (CVE-2013-0422)
•    Adobe Flash Player remote memory corruption vulnerability (CVE-2013-0634)
•    Oracle Java SE memory corruption vulnerability (CVE-2013-2465)

Figure 2. Attack scenario

Upon successful exploitation of the vulnerabilities, Infostealer.Torpplar is downloaded. This malware was created to steal information from Japanese users, and it monitors open windows for Japanese websites, including the following:
•    2 online banking sites
•    3 online shopping sites
•    3 Web mail sites
•    3 gaming/video websites
•    14 credit card sites

Notably, only two online banking sites are targeted, one of which is a regional bank. Most banks are aware that they are targeted by sophisticated malware such as Trojan.Zbot and have implemented multiple layers of protection and verification for their online users. The attackers are presumably aware of this and deliberately targeted other sites that handle financially valuable information but have only basic security measures in place.

The stolen information is sent in plain text to a predefined website, so it can easily be read if intercepted.

To block exploitation attempts by the Gongda exploit kit used in this attack, Symantec provides the following IPS signatures:
 
•    Web Attack: Gongda Exploit Kit Website
•    Web Attack: Gongda Exploit Kit Website 2

In addition to the Infostealer.Torpplar detection, the following antivirus detections are available for the files associated with this attack:

•    Trojan.Webkit!html
•    Trojan.Malscript
•    Trojan.Maljava
•    Trojan.Swifi

To stay protected against attacks like this, we recommend applying the latest patches and keeping antivirus and IPS definitions up to date.

 


.Zip Attachment Spam Makes a Grand Return

After a long hiatus, spammers are once again using an old trick, where they attach a .zip file to trick the user into executing the compressed malware. The chart below shows the number of spam messages with .zip attachments over the last 90 days in Symantec’s Global Intelligence Network (GIN).
 
Figure 1. Spam messages with .zip attachments over the last 90 days
 
On January 7, 99.81 percent of the .zip attachment spam that came into Symantec’s GIN had the file name “BankDocs-” followed by 10 hexadecimal characters.
 
Figure 2. Email with “BankDocs-” .zip attachment
 
On January 8, 99.34 percent of the .zip attachment spam seen in Symantec’s GIN had a file name “Invoice-E_” followed by 10 hexadecimal characters.
 
Figure 3. Email with “Invoice-E_” .zip attachment
 
On January 9, 98.94 percent of the .zip attachment spam seen in Symantec’s GIN had a file name “Early2013TaxReturnReport_” followed by 10 hexadecimal characters.
 
Figure 4. Email with “Early2013TaxReturnReport_” .zip attachment
 
On January 10, 98.84 percent of the .zip attachment spam seen in Symantec’s GIN had a file name “[BRAND NAME REDACTED]_December_2013_” followed by 10 hexadecimal characters.
 
Figure 5. Email with “[BRAND NAME REDACTED]_December_2013_” .zip attachment
 
While these examples have different file names and MD5s, they all carry the same malware, identified by Symantec as Trojan.Zbot. This Trojan has primarily been designed to steal confidential information from the compromised computer. 
 
It appears that the large attack has subsided for now, as the spam volume returned to normal levels after January 10, but it is just a matter of time before spammers organize another large campaign. Users should keep their antivirus software up-to-date and should not open attachments from unknown sources.
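A mail-gateway style check for the campaign described above, added here as an example (not Symantec's code): it parses a MIME message, matches each .zip attachment's name against the observed pattern of a fixed prefix followed by 10 hexadecimal characters, and looks inside the archive for executable file types. The sample message, its attachment name and the archive contents are constructed for the example.

```python
"""Flag .zip attachment spam of the "BankDocs-" / "Invoice-E_" /
"Early2013TaxReturnReport_" style. Added example with constructed input;
it does not touch real malware, only a text file given an .exe name."""
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Attachment names seen in the campaign: a fixed prefix plus 10 hex characters.
CAMPAIGN_NAME_RE = re.compile(
    r"^(BankDocs-|Invoice-E_|Early2013TaxReturnReport_)[0-9a-fA-F]{10}\.zip$")
# File types inside the archive that indicate a program rather than a document.
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def zip_members_with_executables(data):
    """Return archive member names with an executable extension ([] if not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXT)]
    except zipfile.BadZipFile:
        return []


def check_message(raw):
    """One finding per .zip attachment: name, campaign-name match, executables."""
    msg = message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name or not name.lower().endswith(".zip"):
            continue
        payload = part.get_payload(decode=True) or b""
        findings.append({
            "filename": name,
            "campaign_name": bool(CAMPAIGN_NAME_RE.match(name)),
            "executables": zip_members_with_executables(payload),
        })
    return findings


def build_sample_message():
    """Constructed sample: a 'BankDocs-' zip wrapping a harmless text file named .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("BankDocs-0a1b2c3d4e.exe", "not a real program")
    msg = EmailMessage()
    msg["Subject"] = "Bank documents"
    msg.set_content("Please see the attached documents.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="BankDocs-0a1b2c3d4e.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in check_message(build_sample_message()):
        print(finding)
```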