Channel: Symantec Connect - Blog entries

New Internet Explorer 10 Zero-Day Discovered in Watering Hole Attack


In a recent blog post we reported that we were investigating reports of the possible exploitation of a zero-day vulnerability affecting Internet Explorer 10. We now have details of the attack that exploits this new zero-day, the Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2014-0322).

Figure. Watering hole attack exploiting the IE 10 zero-day vulnerability

How the attack works

The target of this watering hole attack was the vfw.org (Veterans of Foreign Wars) website. While the attack was active, visitors to the site encountered an iframe inserted by the attackers that loaded a second compromised page (hosted on aliststatus.com) in the background. The iframe's img.html file loads a malicious Flash file, tope.swf, which exploits the Internet Explorer 10 vulnerability. Symantec detects the malicious iframe as Trojan.Malscript and the malicious SWF file as Trojan.Swifi.

Once the SWF file has exploited the vulnerability, a further download from the aliststatus.com domain initiates the final stage of the payload. The first item downloaded is a PNG image file named erido.jpg (detected as Trojan Horse). Shellcode executed by the SWF file extracts several binaries embedded in this image file: sqlrenew.txt and stream.exe. Despite its name, sqlrenew.txt is actually a DLL file and is likewise detected as Trojan Horse. stream.exe is detected as Backdoor.Winnti.C.

Code in the SWF file loads the DLL file sqlrenew.txt, at which point the DLL takes over and launches the final payload, stream.exe. This sample connects to the attacker-controlled server newss.effers.com.

Connection to previous attacks

Data uncovered during our investigation suggests that this attack is connected to the malicious group Symantec calls Hidden Lynx. The data shows that the same infrastructure is being used as in a previous attack by this group that used Backdoor.Moudoor.

Prevention and mitigation

Users who are not running Internet Explorer 10, or who are using a browser native to Mac OS, are not affected by this vulnerability. For users running Internet Explorer 10 on Windows, possible mitigations include using another browser, installing Microsoft's Enhanced Mitigation Experience Toolkit (EMET), or upgrading the browser to a newer version. We also recommend applying the relevant patch as soon as it becomes available.

Symantec customers are protected against this attack by the following detections:

Antivirus

Intrusion prevention signatures

Symantec telemetry also shows that parts of the payload are detected at each stage by the following heuristic detections:

* To subscribe to the RSS feed of the Japanese-language Security Response blog, visit http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.


{CWoC} aila2-version sources files


I released aila2 version 1 [1] a few weeks ago and already have a fair few users.

Feature requests are coming in too, so I have decided to publish the source code here, in case people want to extend the tool to match their own needs, or just want to look at the various projects and programs.

Now, here are some features that should be coming in version 2, but feel free to add to the list; you never know, they may make it in ;-):

  • aila2 to account for HTTP error codes (2xx, 3xx, 4xx, 5xx)
  • aila2 to report on specific Task Server interfaces
  • aila2-filter to add inclusion / exclusion based on return code type (2xx, 3xx...)
  • aila2-filter to add inclusion / exclusion based on the Web console traffic

[1] aila2: Version 1 Full Package with Installation and Execution Scripts

Inspiring our Future Engineering and Science Talent

Science Buddies International Volunteer Event

Some days it’s what I do outside of my “day job” at Symantec that reminds me why I am proud to be a part of this organization. As many of us who work for Symantec know, the company is not just about the financial bottom line. Symantec also strives to have a wider positive impact on our communities through the company’s philanthropic strategy that contributes primarily to four key focus areas - science, technology, engineering, and math (STEM) education, and equal access to education, diversity, online safety, and environmental responsibility.

My manager, Tom Martin, leads a newly formed organization, created as part of the transformation to our new business strategy, which we call Symantec 4.0. As a leadership team, we wanted to signal to our new organization the value (both personal and professional) of supporting the company's key philanthropic focus areas, and to provide another proof point of the benefits of reaching out beyond our organization.

To do this, I organized a volunteer event supporting one of Symantec’s key non-profit partners in STEM education – Science Buddies.

The mission of Science Buddies is to help students from all walks of life to build their literacy in science and technology so they can become productive and engaged citizens in the 21st century. Science Buddies does this by empowering K-12 students, parents, and teachers to quickly and easily find free project ideas and help in all areas of science from physics to food science and music to microbiology. Through its website sciencebuddies.org, the non-profit puts comprehensive, scientist-authored tools, tips, and techniques at your fingertips.

Symantec has been a sponsor of Science Buddies since 2007, and last year the organization was one of the key recipients of Symantec’s donation of $1 million USD to support STEM education. Through the years, Symantec and Science Buddies have partnered to celebrate and encourage K-12 computer science exploration both through the creation of new Project Ideas and through visible recognition of students conducting science experiments presenting their projects at science fairs, both on the community and national level. Additionally, Symantec has provided core program support and enabled ongoing development of the Computer Science interest area at Science Buddies.

The volunteer event was organized across four sites within the US and Singapore. During the event 31 employees spent three hours “guinea pigging” new science projects that Science Buddies will offer on their website. Employees were paired up and given a kit with which to complete the stated project. They were asked to identify any unclear instructions and take photos along the way in order to help future kids complete the project.

This was one of the first times we had employees volunteering together across international borders and it was a fantastic experience!

Employees shared that they enjoyed doing something new and different with their volunteer time, enjoyed meeting new people, accomplishing something worthwhile outside of our organization, and learning new aspects about science.

One of the best parts of this event was actually touching and living the Symantec 4.0 values. Additionally, it helped us in our work of building a team, by creating a common fun experience, and a forum where people could meet one another face to face. As part of our leadership team, I am committed to hosting more volunteer projects within our core philanthropic areas—next up is Earth Day!

Kristen Woods is Symantec's Senior Director, Sales Operations.

What Do Court Email and Funeral Email Have in Common?


In this blog detailing how spammers continue to change their messages in order to increase their success rate, we looked at the evolution of the same spam campaign from missed voicemail messages to spoofing various retailers, and then spoofing utility statements. Clicking on the link led the users to a download for a .zip file containing Trojan.Fakeavlock. Attackers may have realized that those attack vectors no longer entice recipients, so spammers have introduced two new schemes for this campaign that appear to be random and unrelated at first, but they do share a common goal.

The first scheme spoofs various courts around the country:

Figure 1. United States court spam email

The second scheme spoofs a funeral home:

Figure 2. Funeral home spam email

What do these two vectors have in common? They both urge the recipients to open the message and quickly click on the links. There is a sense of urgency in both messages; usually people do not want to ignore a message from a court, and they would probably want to see if they recognize the person mentioned in the funeral invitation link. In the latter case, the funeral is scheduled to be on the same day or next day, which increases the urgency even more.

While the spammers continue to try their best, they keep making the same mistake. They usually send poorly crafted messages where the header does not match the information in the body. Here is one such example where the header indicates that the message is from a court when the body is a utility statement:

Figure 3. Spam email where the header and body do not match

This spam campaign continues to use various hijacked URLs (a compromised web server hosting spam content without the owner’s knowledge) as calls to action. Various directory paths are used to hide this spam content, as seen here:

Figure 4. Directories used to hide spam content

The left half of the graph shows relatively simple colors, compared with the right half where there are more colors being represented per day. This indicates that the spammer is using a greater variety of directory paths compared to December and early January.

This particular spam run is probably not over yet, and the spammer may find another clever vector to utilize. However, Symantec constantly monitors spam attacks to ensure that users are kept up-to-date with information on the latest threats.

Crafting an Inventory "freshness" report


Today I was working with a customer on the quality of their inventory data in the CMDB. They have some questions about the data refresh, related to the (still on-going?) datahash problem [1].

 I'm honestly thinking that we should take some serious resolution to resolve the datahash problem outside of the product.

But that is not what was interesting today. Rather, I was telling the customer that it would be great to have a dashboard where we could review data quality quickly. After voicing this I went straight into SQL and crafted the query you can find below.

The result-set contains the following columns:

  • Data Class Guid
  • Data Class Name
  • Computer Count
  • Modified in the last 4 weeks
  • Not modified in the last 4 weeks
  • % up-to-date

The query tries to provide a clean result set (not returning internal data that doesn't relate to computer inventory). To achieve this result we only return data classes from the NS, Patch, Inventory and Software Management Solutions that have a dataclass table name starting with 'Inv'.

Now I need to work out how to get the '% up-to-date' results to show in a visual manner, so you could see at a glance which inventory classes are broadly out of sync and need urgent attention.

-- Inventory freshness per data class: computers with any row in the class,
-- computers whose row was updated in the last 4 weeks, and the percentage up to date.
select i1.InventoryClassGuid,
       dc.Name,
       i1.Computers as 'Resource #',
       isnull(i2.Computers, 0) as 'Modified in last 4 weeks',
       i1.Computers - isnull(i2.Computers, 0) as 'Not modified in last 4 weeks',
       cast(cast(isnull(i2.Computers, 0) as float) / cast(i1.Computers as float) * 100 as money) as '% up-to-date'
  from (
        -- every computer that has a record in the data class
        select InventoryClassGuid, count(distinct ResourceGuid) as 'Computers'
          from ResourceUpdateSummary rus
         group by rus.InventoryClassGuid
       ) i1
  -- left join so classes with no recent updates (the ones needing attention) still appear
  left join (
        -- computers whose record was modified within the last 28 days
        select InventoryClassGuid, count(distinct ResourceGuid) as 'Computers'
          from ResourceUpdateSummary rus
         where rus.ModifiedDate >= getdate() - 28
         group by InventoryClassGuid
       ) i2
    on i1.InventoryClassGuid = i2.InventoryClassGuid
  join DataClass dc
    on i1.InventoryClassGuid = dc.Guid
  left join Item i
    on dc.Guid = i.Guid
  left join vProduct p
    on i.ProductGuid = p.Guid
 where dc.DataTableName like 'Inv%'
   and p.Name in ('Inventory Solution', 'Altiris Patch Management Solution for Windows', 'Notification Server', 'Software Management')
 order by dc.Name

Enterprise Vault.cloud: Legally Defensible Deletion Policy


For many of our customers, defensible deletion should be of paramount importance. A defensible deletion policy can mitigate the risk that comes from over-retention of ESI while maintaining compliance with various governmental regulations (especially with regard to a “smoking gun”), reduce the effort and cost of discovery (by limiting the effort to ONLY potentially relevant data), and reduce the storage footprint of ESI, which in turn reduces administration overhead and costs.

How to Manage the SHA-1 Deprecation in SSL Encryption


For many website owners and network security admins 2013 was the final push to move older websites and servers off of 1024-bit RSA SSL certificates to 2048-bit RSA certificates. This was an industry wide effort and one that was essential to safeguard the future of SSL/TLS. For us here at Symantec it was a year of education, communication, and mobilization.  Although many people were comfortable with SSL certificate administration and the base functions of the technology, many did not understand the core aspects of SSL encryption.  Our webinars, blogs and other publications on the subjects of algorithms and encryption levels became highly popular; and still are.

Now that 2013 has come to a close and the migration from 1024-bit SSL certificates is becoming a distant memory, it is time to turn your mind to hash algorithms (e.g. SHA-1) as we embark on another migration to higher cryptographic standards before 2017. Once again this is an industry-wide push to ensure that we are at the forefront of technology to meet a multitude of future demands.

What is a Hash Algorithm?

A hash algorithm reduces and maps the entire contents of the SSL certificate to a small, fixed-size value. The Certification Authority (CA) then signs that hash value with its private key, and the result is included in the certificate as the signature. The main purpose is to reduce data of any size to a small fixed-size fingerprint that effectively represents the initial file signed by the CA.

The Issue


On 12 November 2013, Microsoft published a security advisory on “Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program”.  In summary, Microsoft is requesting that Certificate Authorities stop issuing new SHA-1 SSL and code signing certificates by 1 January 2016. With regards to SSL certificates, Windows (Internet Explorer) will no longer recognize or accept SHA-1 certificates from 1 January 2017. All SHA-1 SSL certificates issued before or after this announcement must be replaced with a SHA-256 (SHA-2) equivalent by 1 January 2017 to continue working with Microsoft platforms.  In regards to code-signing certificates, your code must be time stamped before 1 January 2016.

At the time of writing, the Certification Authority/Browser Forum (CA/BF) has not endorsed Microsoft’s schedule to deprecate the SHA-1 hash algorithm. It is also worth noting that certificates chained to a private root, such as Symantec Private Certification Authority (CA) or any self-signed CA, are not affected by these migrations or by other regulations associated with certificates chained to public roots.

What You Need To Do/Know

Much like the recent migration from 1024 to 2048-bit RSA or ECC certificates there will be a little bit of pain but the methodologies will thankfully be the same, which should be some comfort to those of you licensing SSL certificates to multiple servers. To simplify things let me give you a check list of actions to take:

  1. Locate all of your SHA-1 certificates.  Tools such as Symantec Certificate Intelligence Center can discover all of the certificates on your network regardless of who issues them.
  2. Create a migration plan.
    1. SHA-1 SSL certificates expiring before 1 January 2017 will need to be replaced with a SHA-2 equivalent certificate.
    2. SHA-1 SSL certificates expiring after 1 January 2017 should be replaced with a SHA-2 certificate at your earliest convenience. 
    3. Any SHA-2 certificate chained to a SHA-1 intermediate certificate should be replaced with another one chained to a SHA-2 intermediate. 
  3. Execute. Plan to do this sooner rather than later. Although many people tend to wait until the deadline, the last thing you need to handle on a New Year’s Eve is SSL certificate installation and testing.  Since any unused validity will be credited back to you, there are few benefits in waiting.
  4. Test. Upon installation please check your configuration using our set of SSL tools. Although SSL installation may feel like simple muscle memory after a while, there may be hardware or software conflicts you have not caught, and a belt-and-suspenders approach makes sense here.
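As an added example (not from the original post), the Python below carries out checklist items 1 and 2.3 on a certificate chain: it reads each certificate's outer signatureAlgorithm OID straight from the DER, so it needs no third-party library, and flags a chain whose leaf or intermediate is SHA-1 signed. The make_sample_cert helper builds constructed stand-in certificates (real outer layout, placeholder body) only so that the example runs offline.

```python
import base64
# Signature-algorithm OIDs: the SHA-1 family being retired and the SHA-2 family replacing it.
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
SHA2_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm_oid(der):
    """OID of the outer signatureAlgorithm: Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = _read_tlv(der, 0)
    _, _tbs, pos = _read_tlv(cert, 0)      # tbsCertificate is skipped
    tag2, alg, _ = _read_tlv(cert, pos)    # AlgorithmIdentifier
    tag3, oid, _ = _read_tlv(alg, 0)
    if (tag, tag2, tag3) != (0x30, 0x30, 0x06):
        raise ValueError("not a DER certificate with a signatureAlgorithm")
    return _decode_oid(oid)

def pem_bundle_to_ders(text):
    """Split the PEM blocks of e.g. `openssl s_client -showcerts` output into DER certificates."""
    ders, lines, inside = [], [], False
    for line in text.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            inside, lines = True, []
        elif line.startswith("-----END CERTIFICATE-----"):
            inside = False
            ders.append(base64.b64decode("".join(lines)))
        elif inside:
            lines.append(line.strip())
    return ders

def audit_chain(ders, last_is_root=True):
    """Checklist items 1 and 2.3: a SHA-1 signed leaf or intermediate means the chain must be replaced.
    A trusted root's self-signature is not verified by clients, so it is reported but not counted."""
    certs = []
    for i, der in enumerate(ders):
        oid = signature_algorithm_oid(der)
        name = SHA1_SIGNATURE_OIDS.get(oid) or SHA2_SIGNATURE_OIDS.get(oid) or "unknown"
        certs.append({"index": i, "oid": oid, "algorithm": name,
                      "sha1": oid in SHA1_SIGNATURE_OIDS,
                      "is_root": last_is_root and i == len(ders) - 1})
    needs = [c["index"] for c in certs if c["sha1"] and not c["is_root"]]
    return {"certs": certs, "needs_replacement": bool(needs), "replace_indexes": needs}
# --- Constructed sample data (not real certificates) so the example runs offline ---
def _tlv(tag, content):
    return bytes([tag, len(content)]) + content    # short-form length suffices for these samples

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def make_sample_cert(sig_oid):
    """Stand-in certificate: real outer layout, placeholder tbsCertificate and signature."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _oid(sig_oid) + b"\x05\x00")     # AlgorithmIdentifier with NULL parameters
    sig = _tlv(0x03, b"\x00" * 17)                     # BIT STRING placeholder
    return _tlv(0x30, tbs + alg + sig)

def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
```

For a live server, feed pem_bundle_to_ders the output of `openssl s_client -connect host:443 -showcerts` and pass the resulting list, leaf first, to audit_chain.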

SHA-2 Ubiquity and Hardware/Software Conflicts

One thing that some owners of webservers learned in 2013 is that some older servers are not configured to handle advanced SSL encryption.  In our recent webcast on the subject only 18% of attendees who responded to the poll said they were confident that all of their servers can handle the SHA-2 hash algorithm.  If a server can’t handle SHA-2 what will you do?

If retiring them is not an option (and we know that this is often not an option you can consider), the main course of action is to move it to the backend (intranet usage) and encrypt it with a SHA-1 SSL certificate chained to a private root.  Symantec can provide an organization with a custom private SSL hierarchy to overcome hardware/software conflicts in legacy devices.  Talk to us today to help complete your cost/benefit analysis when considering this option.  It is also worth noting that in the event you encounter a hardware/software conflict please access our SSL Support Pages or contact Symantec Technical Support (available 24/7/365 days a year) using the contact information provided to you (based on region) or located in your SSL control center.

At Symantec we are committed to supporting you through this next transition in encryption standards.  In summary please plan, prepare, execute and test your move to SHA-2 before 1 January 2017 for SSL and 1 January 2016 for code-signing certificates.  If you would like to learn more view our aforementioned webinar How to Navigate the Future Changes in SSL Encryption (select “View” at the bottom of the text for the recording).

Smartphones and Backup


Colin Davitian, Sr. Director of Product Management, highlights the shift in NetBackup's mantra over the next few years from “Industry-leading performance and flexibility” to “Simplicity without sacrifice”. The best way to ensure data integrity is to make backup intuitive: the more intuitive the tool, the more likely customers are to protect their data successfully.


What Do Court Email and Funeral Email Have in Common?


In an earlier blog post we described how spammers keep changing their messages to increase their success rate. As explained there, the messages used in the same spam campaign had changed from missed voicemail notifications to retailer delivery-failure notices and then to notices purporting to come from a utility company. Clicking the link downloads a .zip file containing Trojan.Fakeavlock. Spammers seem to have noticed, however, that these attack vectors no longer fool users easily, and have added two new schemes to this campaign. At first they appeared random and unrelated, but they clearly share a common goal.

The first scheme spoofs courts in various parts of the United States.

Figure 1. Spam email spoofing a United States court

The second scheme spoofs a funeral home.

Figure 2. Spam email spoofing a funeral home

What these two schemes have in common is that both press the recipient to open the message and click the link right away. Both messages convey urgency: most people cannot ignore a notice from a court, and they will click the funeral invitation link because they want to know whose funeral it is. In the latter case the funeral is scheduled for the same day or the next day, which adds even more pressure.

While spammers keep refining their tricks, they keep repeating the same mistake: as before, the header information does not match the body. In the example below, the header pretends to be a court notice while the body is a notice from a utility company.

Figure 3. Spam email whose header and body do not match
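The three tells described in this post (and in its English version earlier on this page): a header that claims one lure while the body reads like another, urgency wording, and call-to-action links on hijacked hosts under deep directory paths, can be turned into a mail triage check. The Python below is an added example, not from the original post; the messages it scores are constructed, with hostnames under .example.

```python
import re
from urllib.parse import urlparse

# Lure themes seen in this campaign: court notice, funeral invitation, utility statement, missed voicemail.
THEMES = {
    "court": ("court", "hearing", "subpoena", "docket", "pretrial"),
    "funeral": ("funeral", "memorial", "passing", "condolence", "service will be held"),
    "utility": ("statement", "energy", "electric", "utility", "account balance", "kwh"),
    "voicemail": ("voicemail", "voice message", "missed call"),
}
URGENCY = ("today", "tomorrow", "immediately", "within 24 hours", "urgent", "failure to appear")

def classify(text):
    """Theme whose keywords occur most often in text, or None when no keyword matches."""
    text = text.lower()
    scores = {theme: sum(text.count(k) for k in kws) for theme, kws in THEMES.items()}
    best = max(scores, key=scores.get)
    return best if scores[best] > 0 else None

def sender_domain(from_header):
    m = re.search(r"@([\w.-]+)", from_header)
    return m.group(1).lower() if m else ""

def link_findings(body, from_domain):
    """For each URL: is the host unrelated to the sender, and how deep is the directory path?"""
    out = []
    for url in re.findall(r"https?://\S+", body):
        u = urlparse(url)
        host = (u.hostname or "").lower()
        depth = len([p for p in u.path.split("/") if p])
        foreign = not (host == from_domain or host.endswith("." + from_domain))
        out.append({"url": url, "foreign_host": foreign, "path_depth": depth})
    return out

def assess(msg):
    """Score one message on the three tells described in the post."""
    header_theme = classify(msg["from"] + " " + msg["subject"])
    body_theme = classify(msg["body"])
    urgency = [w for w in URGENCY if w in msg["body"].lower()]
    links = link_findings(msg["body"], sender_domain(msg["from"]))
    reasons = []
    if header_theme and body_theme and header_theme != body_theme:
        reasons.append(f"header claims {header_theme} but body reads like {body_theme}")
    if urgency:
        reasons.append("urgency cues: " + ", ".join(urgency))
    if any(l["foreign_host"] and l["path_depth"] >= 3 for l in links):
        reasons.append("call-to-action link on an unrelated host under a deep directory path")
    return {"header_theme": header_theme, "body_theme": body_theme,
            "reasons": reasons, "suspicious": len(reasons) >= 2}

# Constructed sample messages (hostnames under .example); not real campaign samples.
SAMPLES = [
    {"from": "United States District Court <notice@uscourts-notice.example>",
     "subject": "Notice to Appear in Court",
     "body": "Your pretrial hearing is scheduled for tomorrow. Failure to appear will result in a "
             "warrant. Review the notice: http://smallbiz-host.example/wp-content/uploads/2014/02/notice.php"},
    {"from": "Eternal Rest Funeral Home <info@eternalrest.example>",
     "subject": "Funeral invitation",
     "body": "A memorial service will be held today at 10am for someone you may know. Details of "
             "the passing: http://cheap-hosting.example/images/old/site/invite.php"},
    {"from": "Superior Court Clerk <clerk@court-notice.example>",
     "subject": "Court notice",
     "body": "Your energy statement for January is ready and your account balance is due. "
             "View statement: http://victimsite.example/archive/2013/bak/statement.php"},
    {"from": "Billing <billing@powerco.example>",
     "subject": "Your January statement",
     "body": "Your electric statement is now available at "
             "https://www.powerco.example/account/statements/2014-01 and is due on the 28th."},
]

def run(samples=SAMPLES):
    return [assess(m) for m in samples]
```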

This spam campaign still uses hijacked URLs (web servers that have been compromised and host spam content without the owner's knowledge) as its call to action. As shown below, a variety of directory paths are used to hide the spam content.

Figure 4. Directory paths used to hide spam content

The left half of the graph is relatively simply colored, whereas in the right half many colors appear within a single day. Compared with the period from December to early January, the variety of directory paths used in this spam has increased.

This spam campaign shows no sign of ending, and the spammers will no doubt devise new vectors. Symantec monitors spam constantly so that we can keep you up to date with the latest information on the latest threats.

* To subscribe to the RSS feed of the Japanese-language Security Response blog, visit http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

How to check if a folder is excluded from archiving with Enterprise Vault


Sometimes as an Enterprise Vault administrator or an Enterprise Vault end-user you might need to check if a folder is excluded from archiving with the Exchange Archiving Task.  It's quite simple to check using the Outlook Add-in. Let's see how:

Outlook Add-in to Use

Since Enterprise Vault 10.0.2 there has been a single Outlook Add-in, rather than separate HTTP and DCOM versions.  So the best Outlook Add-in to use is one that is 10.0.2 or later. This will work only with an Enterprise Vault 9 or Enterprise Vault 10 Server.  If you're on an older version, you will need to make sure you have the DCOM version of the Outlook Add-in installed.

Open Outlook

These steps will work in any version of Outlook, so all you've got to do is open Outlook.

Find the folder

The next step is to locate the folder in the hierarchy and select it.

View the properties

If you right click on the folder you'll be able to bring up the properties.  For example:

Go to the Enterprise Vault Properties tab

If you don't see the Enterprise Vault tab, check the Outlook Add-in log file; the Add-in may have been set to 'Light' mode:

19/02/2014 07:27:00.014[1880][H]:     Enterprise Vault Client 10.0.4.1189 (Light functionality enabled)

If it has, then you need to change that in the desktop policy for the user, and synchronise the mailbox, as well as restarting Outlook (remember you can change the policy for one user by changing the policy and synchronising that one user -- and changing the policy back again).   You should then be able to see the Enterprise Vault tab, like so:


You can then verify if the folder does have a particular policy applied to it, in particular you can see if it is configured to not archive.  And here is one that is more 'normal':


Postcards from Peru

Week 1: Kicking it all Off

What a whirlwind for the Symantec Service Corps (SSC). The 10-person team started their journey in October with the initial application process. After being accepted into the program in November, they participated in weekly training sessions and invested countless hours of preparation, and now they are officially on the ground in Arequipa, Peru, hard at work.


To kick things off, the team participated in an orientation session on Saturday, February 15, followed by dinner with Pyxera Global, the non-profit partner helping to facilitate SSC Peru 2014. As a group that arrived from seven different locations—Australia, Mountain View, India, the UK, Canada, Ireland and Springfield—they enjoyed participating in numerous team-building activities learning about each other’s personalities, perspectives and work styles, including human bingo, identifying learning styles, and a scavenger hunt. Allyson Gomez, HR Project Specialist and SSC member, also facilitated a session on the Leadership Success Profile specifically focused on “How to Build Strong Teams.”


“It was great meeting everyone in person, sharing stories and exchanging ideas. We have a very strong, intelligent team. I can’t wait to see where this journey takes us,” said Allyson.

Packing—what made the cut?

Of course, before even arriving in Peru, the team had to pack their suitcases for this month-long journey. What surprises did they bring?

  • “My hiking boots. Joseph Ferrar and I will attempt to hike up El Misti, one of the extinct volcanoes nearby at 19,000 feet, if the weather cooperates and we can find the right tour guides.” – Craig Chan, Senior Principal Pricing and License Specialist
  • “A Spanish/English dictionary I have had since high school that has survived many trips abroad.” – Allyson Gomez, HR Project Specialist, Leadership and Employee Development
  • “A pack of Oreos—some comfort food!” – Ashley Savageau, Community Relations Program Manager

SSC in action: A look at the three clients and projects

While the team is certainly missing their families, friends, and co-workers, the opportunity to make an impact in Peru is abundantly clear. Over the next three weeks, the group is working in teams of three-to-four people supporting the following three organizations:

  • Paz Peru—Claire Dean (USA), Alicia Pereira Pimintel (Belgium), Ashley Savageau (USA), and Joseph Ferrar (UK) are helping Paz Peru conduct a market study of its competitors and clients. The team will then work to develop a marketing plan for one of their programs, including recommendations on how the plan can be executed. Paz Peru, an affiliate of the Swiss Cooperation Peace Foundation, is a non-profit that supports women and girls who suffer from domestic violence and abuse.
  • Descosur—Craig Chan (USA), Chris Brown (Australia), and Kamal LaBreche (Canada) are supporting Descosur by assessing the security of the accounting systems currently in place, recommending an adequate system of information protection, and analyzing existing reporting to uncover ways to improve their financial systems and reporting. Descosur is an NGO dedicated to promoting social and economic development for marginalized and rural populations in Peru. The organization aims to increase family income and strengthen local institutions by targeting the supply chains of the local agricultural industry.
  • Center of Research, Education and Development (CIED)—Allyson Gomez (USA), Marq Bauman (USA), and Prakash Pappachan (India), are analyzing the current institutional structure and resource allocation for CIED, including creating an organizational chart, change management plan, and succession planning for regional offices across Peru. For the past 40 years, CIED has worked to strengthen public and social institutions to support rural economic development. Specifically, the Arequipa office has had success implementing projects that focus on empowering youth and women in surrounding rural areas, helping them to achieve social inclusion and economic independence.

“I’m excited about working in a different culture and language. Seeing how I will adapt my skills—that I don’t even question in my regular job—to fit the needs of this new environment,” said Marq Bauman, Senior Principal IT Business Analyst, Business Solutions Enablement Services.

Follow their journey

In addition to rolling up their sleeves and partnering with these three clients, the team is immersing themselves in the Peruvian culture, from sampling the food and shopping at the local market, to speaking the local language (or at least attempting to).

Week one is almost over but there is much more in store. Join the Symantec Service Corps team on their journey by following along on their blog at http://symantecservicecorps.com/ and Twitter feed, as well as watching this space for regular updates.

Lora Phillips is Symantec's Senior Manager, Global Corporate Responsibility.

Emerging Threat: MS IE 10 Zero-Day (CVE-2014-0322) Use-After-Free Remote Code Execution Vulnerability


EXECUTIVE SUMMARY:

FireEye published a blog on a new unpatched vulnerability in Microsoft Internet Explorer 10 (CVE-2014-0322) being exploited in the wild on 2/14/2014. The compromised website (vfw[.]org) was injected with an iframe that redirects the user to the attacker’s malicious page, which then runs a Flash file. The Flash file contains shellcode and, upon successful exploitation of the IE vulnerability, downloads a PNG file from a remote site. The PNG file has a DLL and an EXE embedded at the bottom. The DLL launches the EXE, which is the payload.

Data uncovered during Symantec investigation suggests a connection between this attack and the malicious actors known to Symantec as Hidden Lynx. The data indicates the same infrastructure is being leveraged as found in a previous attack by this group who used Backdoor.Moudoor.

THREAT DETAILS:

The target of this watering hole attack was the vfw[.]org (Veterans of Foreign Wars) website. While this attack was active, visitors to the site would encounter an Iframe which was inserted by the attackers in order to load a second compromised page (hosted on aliststatus[.]com) in the background. The Iframe img.html file loads a malicious tope.swf Flash file that exploits a vulnerability in Internet Explorer 10. Symantec detects the malicious Iframe as Trojan.Malscript and detects the malicious SWF file as Trojan.Swifi.

Exploitation of the vulnerability by the SWF file, leads to another download from the aliststatus[.]com domain in order to initiate the final stages of the payload. The first part of this download is a PNG image file named erido.jpg (detected as Trojan Horse) that contains multiple embedded binaries that are then extracted by shell code executed by the SWF file. The embedded binaries are named sqlrenew.txt, which despite the name is actually a DLL file (also detected as Trojan Horse), and stream.exe (detected as Backdoor.Winnti.C or Backdoor.ZXShell).

Additional code from the SWF file is responsible for loading the sqlrenew.txt DLL file. At this point the DLL takes over and launches a stream.exe process which is the final payload. This sample is responsible for connecting back to the attacker-controlled newss[.]effers[.]com server.
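As an added example (not part of this advisory), the Python below checks whether a file that claims to be a PNG carries PE images appended after its IEND chunk, the carrier technique described for erido.jpg above and in the Japanese post at the top of this page, and reports each one as a DLL or EXE from its COFF Characteristics. The build_sample helper constructs a tiny PNG with two placeholder PE headers (one DLL-flagged, one EXE-flagged) only so the check runs offline; it is not the real sample.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_payload_end(data):
    """Walk the PNG chunk list and return the offset just past IEND, or None if not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4                 # chunk header + data + CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None

def find_embedded_pe(data):
    """Report PE images stored after the image data, the way erido.jpg carried its DLL and EXE."""
    end = png_payload_end(data)
    if end is None:
        return {"valid_png": False, "trailing_bytes": 0, "embedded": []}
    trailing = data[end:]
    found = []
    pos = trailing.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(trailing):
            e_lfanew = struct.unpack_from("<I", trailing, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # A real PE follows "MZ" with a "PE\0\0" signature at e_lfanew; Characteristics sits 22 bytes in.
            if pe + 24 <= len(trailing) and trailing[pe:pe + 4] == b"PE\x00\x00":
                machine = struct.unpack_from("<H", trailing, pe + 4)[0]
                characteristics = struct.unpack_from("<H", trailing, pe + 22)[0]
                found.append({"offset": end + pos,
                              "kind": "DLL" if characteristics & 0x2000 else "EXE",   # IMAGE_FILE_DLL
                              "machine": hex(machine)})
        pos = trailing.find(b"MZ", pos + 1)
    return {"valid_png": True, "trailing_bytes": len(trailing), "embedded": found}

# --- Constructed sample (not the real erido.jpg) so the check can run offline ---
def _chunk(ctype, data):
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF)

def _fake_pe_header(is_dll, size=0x80):
    """Minimal DOS + COFF header bytes; not a runnable program."""
    hdr = bytearray(size)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                # e_lfanew -> PE signature at 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<H", hdr, 0x44, 0x014C)              # Machine: IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", hdr, 0x40 + 22, 0x2102 if is_dll else 0x0102)  # EXECUTABLE_IMAGE|32BIT[|DLL]
    return bytes(hdr)

def build_sample():
    """Return (clean 1x1 PNG, same PNG with a DLL header and then an EXE header appended)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit greyscale
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    return png, png + _fake_pe_header(True) + _fake_pe_header(False)
```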

Figure:  Watering hole attack using IE 10 Zero-Day

IMPACT:

  • Users not running Internet Explorer 10, or running a browser native to Mac OS, are not vulnerable. Internet Explorer 10 users on Windows are exposed as follows:
  • An attacker who successfully exploited this vulnerability could gain the same rights as the currently logged on user.
  • Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative privileges.

AFFECTED SOFTWARE:

  • Microsoft Internet Explorer 10

SYMANTEC MSS SOC DETECTION CAPABILITIES:

MSS Detection

  • [MSS URL Detection] Backdoor.Winnti.C possible C&C traffic

Vendor Detection

  • Symantec AV

Trojan.Malscript (Malicious Web Page)

Trojan.Swifi (Malicious File)

Trojan Horse (Malicious DLL)

Trojan Horse (Downloaded PNG file)

Backdoor.Winnti.C (Payload)

SONAR.Heuristic.112

Suspicious.Cloud.2

WS.Trojan.H

  • Symantec IPS

Web Attack: Malicious SWF Download 19

Web Attack: MSIE Generic Browser Exploit 3

  • Snort/SourceFire

2018147 ET WEB_CLIENT Possible IE10 Use After Free CVE-2014-0322

MITIGATION STRATEGIES:

Microsoft Internet Explorer users who are concerned about this vulnerability and who are unable to patch their machines can follow these mitigation steps:

  • Symantec recommends customers use a layered approach to securing their environment, utilizing the latest Symantec technologies, including enterprise-wide security monitoring from Edge to Endpoint.
  • Do not use Microsoft Internet Explorer version 10: upgrade to the newest version of Internet Explorer (11) or use another browser.
  • Deploy the Enhanced Mitigation Experience Toolkit (EMET).
  • Do not use out-of-date software; keep your operating system and software up to date with the latest versions and security patches.
  • Run all software as a non-privileged user with minimal access rights.
  • To reduce the impact of latent vulnerabilities, always run non-administrative software as an unprivileged user with minimal access rights.
  • Deploy network intrusion detection systems to monitor network traffic for malicious activity. 
  • Do not follow links or open email attachments provided by unknown or untrusted sources. 
  • Memory-protection schemes (such as non-executable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.
  • Symantec encourages users to apply all relevant patches when they are available.

REFERENCES:

  • New Internet Explorer 10 Zero-Day Discovered in Watering Hole Attack

http://www.symantec.com/connect/blogs/new-internet-explorer-10-zero-day-discovered-watering-hole-attack

  • NIST Vulnerability Summary for CVE-2014-0322

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-0322

  • New IE Zero-Day Found in Watering Hole Attack

http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html

  • Security Focus BID 65551

http://www.securityfocus.com/bid/65551

We thank you again for choosing Symantec as your Managed Security Services Provider. Should you have any questions or feedback, please contact your Services Manager, or the Analysis Team can be reached by requesting help via phone, e-mail, or visiting the MSS portal at https://mss.symantec.com.

Global Client Services Team

Symantec Managed Security Services

https://mss.symantec.com

ITMS 7.5 HF is available via SIM

Symantec Honey Stick Project – Mexico Edition


A few days ago I lost my phone during a business trip. When I realized my phone was gone, three questions immediately came to mind:

1) Will I get my phone back?

2) Who will have it? How can I locate it?

3) What will happen to the information I have on it?

At first I was distressed at the thought that whoever picked it up could see all my data: contacts, personal and work e-mail, photos, social networks and applications such as my bank's, since I had irresponsibly left the username and password in the notes app.

Minutes later I calmed down a bit when I remembered that my smartphone had a password, and I was grateful to be one of those people who habitually take a few precautions. For example, I could track it by GPS and wipe the data whenever I wanted (which I did immediately). I could recover the information on my phone because I had backed it up to my PC the day before. But the truth is that, besides the anger at having lost it, I could not sleep well for several nights.

No one ever contacted me to return it, even though my contact information was clearly displayed.

At Symantec we were curious to know what happens when a smartphone is lost and what the person who finds it does with it. How many smartphones go missing every day in Mexico, and how much information, both personal and business, is at risk?

So we set out to investigate, and engaged a consultant from Security Perspectives Inc. to help us learn what users can expect when we lose our smartphones and they are picked up by a third party.

We therefore carried out the Symantec "Honey Stick" Project, which consisted of deliberately "forgetting" 30 smartphones in high-traffic areas (public transport, schools, shops, parks and other places) in the cities of Guadalajara, Monterrey and Mexico City. Before "losing" them we loaded them with fictitious corporate and personal data, including several applications, to make sure they looked like they had really been lost.

One small detail: each device was configured to report back what the people who found it did with it and, in particular, which information was accessed. Want to know what results we obtained?


We had estimated a 50-50 chance that someone would return a phone, but the study showed that there is actually only a 17% chance of that happening. Attempts were made to return only 5 of the 30 devices, and even when people intended to return them, on every one of those devices they tried to look at the information and applications first!

  • In 97% of cases, people tried to view at least one file.
  • In 87% of cases, there were attempts to access corporate applications or data.
  • Personal applications or information were accessed in 90% of cases.

At the corporate level these results are interesting, because we found that when a device connected to a company is lost, there is a high probability that whoever has the smartphone will try to connect to the company's networks and/or view corporate information.

  • On 40% of the devices there were attempts to access corporate e-mail, which could have exposed sensitive information.
  • In 63% of cases we detected attempts to open an application we had created to simulate remote administration of a corporate network.

We are not saying that everyone is malicious, but rather that we are all curious by nature and that, however good or new our smartphone is, no information is safe once it is in someone else's hands.

This research led us to several conclusions. One is that if you run a business and one of your employees loses a smartphone, the odds are against you.

We therefore suggest that companies consider the following actions to ensure that their employees' mobile devices and corporate information are protected:

  • Implement strict policies on the use of smartphones for work, including a mandatory lock-screen password. Mobile device management and mobile security products can help here.
  • Focus on protecting the information, not only the devices, so that the data stays secure regardless of where, and in whose hands, it ends up.
  • Educate employees about the physical and online risks related to their phones, and about the consequences of a lost or stolen smartphone.

Users, for our part, should also consider several actions to protect our devices and the personal information we keep on them:

  • The most basic measure, and one that takes little effort, is to enable the screen lock and use a strong password (for example, more than 8 characters combining numbers, letters and symbols).
  • Use security software that reduces the chance of an attack or data theft while using public networks. Device-locating tools also help us find where the phone is and lock it or wipe its data remotely.
  • Keep the device locked and do not leave it unattended; pay attention to where you put it down. Making your phone distinctive also keeps it from being mixed up with others nearby: why not buy a coloured case or put a sticker on it?
  • Back up regularly the information (photos, songs, documents) stored on the device.
  • Another recommendation is to put contact information on the lock screen, so that whoever finds the phone can get in touch without having to access the device.

In conclusion, phones and devices can be replaced or bought again, but the data stored on them cannot, and it is at risk if we do not take the proper precautions to protect it.

Backup Exec Beta Program - Important Update


We are excited to share some important news with you today. Based on feedback from customers and partners during our Tech Demos at the end of last year, the next release of Backup Exec (formerly referenced as Backup Exec 2012 R2), will be named Backup Exec 2014*. We will be rolling out the Beta in two stages:

-  Stage one is planned to start next week with a select group of customers.

-  Stage two will likely start the first or second week of March and will be available for all users who have been approved for the Beta program.

This Beta is an important milestone and we wanted to take this opportunity to thank you for your patience. Our top priority is to release a high quality version of Backup Exec. This means we will not compromise on quality to ship a product before it’s ready. While it has taken us a bit longer to reach this milestone, it enables us to provide you with a higher quality product.

Finally, if you haven't signed up for the Beta program, there is still time. This is your chance to try out and test the upcoming Backup Exec release before it is generally available to the market later this year. This Backup Exec Beta program is unusual: most vendors, Symantec included, typically support Beta programs in test environments only. This year we decided to do things a little differently, and will support you running the Beta in test or production environments right up until the GA date.

To sign up, visit: www.backupexec.com/2014beta and as a reminder, here’s a quick recap of why you should sign up to the Beta program today:

  • Get support for Windows 2012 and 2012 R2
  • Get granular recovery capabilities for Exchange 2013 and SharePoint 2013
  • Gain access to a dedicated Beta feedback team who are standing by to assist you throughout the Beta program
  • Upgrade to newer builds throughout the Beta program
  • Upgrade from Beta code to Gold code without having to uninstall/reinstall
  • Leverage the job monitor multi-server jobs functionality that's back!

We look forward to receiving your valuable feedback on the Beta and helping us attain our goal of a high quality release.

---

*We are still working through the exact eligibility requirements for customers no longer current on maintenance and will provide an update ahead of general availability (GA).

 


ITMS 7.5 HF4 is out

What’s New for Our Partners? A Redesigned Symantec Partner Program Coming Soon


By Garrett Jones, Vice President of Global Channel Operations

I had a great time at last week’s Symantec Partner Engage event in Budapest visiting with more than 300 of our top partners from across the EMEA region.  In addition to sharing more about our company’s strategy and vision, it was also exciting to share the details around our redesigned Partner Program framework.  Built on Symantec’s Global Channel Strategy announced in November, the new Partner Program will better support the way our partners do business by fostering stronger partnerships that enable growth and delivering differentiated value to our customers. 

As we consider the breadth of our portfolio, we need partners who are focused on each type of customer across all levels of complexity.  We need partners that understand and can solve the needs of an SMB just as much as we need partners with deep relationships in the enterprise space to help with more complex solutions. The new Partner Program addresses these needs and is designed to reward for growth in areas where partners are most capable.

As a part of the redesign, we are introducing Symantec Competencies, an enablement framework that builds upon partners' existing capabilities to deliver a better customer experience through deeper expertise in areas of focus that are aligned to our solutions. How does this work? Partners build the capabilities required to sell and implement our solutions, and once they have obtained the capabilities for a given competency, many of the benefits defined in the program become available. As partners meet certain performance standards, the benefits increase, and partners earn very compelling rewards for growing their business and delivering exceptional value to customers. The competencies are the foundation of the program, and they underpin the program's design principles of being customer focused, performance based and more rewarding for our most committed partners.

What else is different about the redesigned Partner Program?  With the new Partner Program, we will spend more on financial benefits for the channel than ever before.  The program design concentrates the investments more selectively with our top performing partners. We’ve enhanced our Opportunity Registration program and added a performance rebate for growth.  We will also offer development funds so we can invest in our partners as they have invested in us.  

We’re also enhancing our non-financial benefits to help our partners grow their business and advance customers through the sales cycle.  One of the new benefits will be access to the same market intelligence that we use for internal business planning, so we can align our execution with our partners on the same market data and grow together.  We will also increase our consulting and technical support benefits and offer more online learning opportunities.

Following the EMEA Partner Engage event, Roger Bär, chief executive officer of Comsoft, shared his enthusiasm with us by stating, “We have maintained a close partnership with Symantec for many years. With their forthcoming redesigned Partner Program, we look forward to the many benefits that will help us secure more business opportunities and position us for success.”

Additionally, Savitha Bhaskar, general manager of Condo Protego shared, “Symantec’s new competency framework will help to distinguish us against our competitors as it reflects a clear understanding of our ability to deliver value and satisfaction.”

We will share more details later this year when we get closer to the official launch.  We are being very thoughtful with regards to how partners will transition to the new program and how we recognize our partners’ current investments. As such, we’ve designed a transition period in which current membership status and associated benefits will be maintained throughout the transition.  

We built this program by collaborating with partners and adjusting our approach based on the feedback along the way.  Our approach will continue to be iterative and evolve to ensure the program provides value and meets the needs and expectations of our partners. Look for more information in the coming months.  


The continued rise of hackers for hire


As a wise man once said, "Never put down to malice what can be ascribed to stupidity." This adage could easily be applied to the founders of the 'hackers for hire' web site needapassword.com, who were arrested by the FBI on (strong, it has to be said) suspicion of running a web site that stole passwords to email accounts.

Is 'stupid' too strong? Given that the site used PayPal as its payment mechanism, probably not. The pair didn't go particularly out of their way to cover their tracks, and even had terms and conditions on their web site that warned users against illegal use of their services.

The Arkansas duo weren’t the only people involved in what amounted to an internationally co-ordinated investigation, covering the USA, Romania, India and China. Security experts often point out that a chain is only as strong as its weakest link - in this case, the spread of the hackers-for-hire network was broad enough to offer investigators a route in. Once one part was compromised, so was the rest.

As we know, however, such examples are just the tip of the hacking iceberg, the technological equivalent of stealing tools from an open shed. Of greater concern are smarter groups which work for richer, and more desperate clients.

We shouldn't be surprised that financial companies - involved in asset management, investment banking, mergers and acquisitions - are the ones most targeted by such groups: after all, according to the old adage, "That's where the money is." Geography doesn't appear to be a limitation - while many attacks are currently in South Korea and Japan, a major attack cited by the paper (VOHO, which involved a 'watering hole' campaign) was in the US.

In our September 2013 Intelligence Report, we reported that such attacks are not only increasing, but the organizations involved are becoming more corporate. For example, Hidden Lynx has been set up to offer hacking services to other groups. Hidden Lynx appears to be a highly professional outfit, the goal of which is to "gain access to information within organizations in some of the wealthiest and most technologically advanced countries."

A darkly vibrant market in hacking services is developing for such organizations, essentially, showing others how it is done. We do not believe that the information being accessed is particularly easy to sell in its own right, leading us to believe that the hacking attacks are more likely to have been commissioned for express purposes such as corporate or state espionage or fraud.

For our enterprise clients, the message is clear: leaving confidential information weakly protected is becoming like entering a war zone without armor. You might not get hit, but any idea of 'security by obscurity' should be consigned to the past. Even if you do not fully appreciate the value of your information and the importance of protecting it, the chances are, others will.

Connect Dev Notes: 20 Feb 2014


Updates deployed to the Connect production servers as a result of the code sprint that ended 18 February 2014.

User Facing: Desktop

  • Added "previous" and "next" buttons to posts that users navigate to via their personal workspace. These buttons allow users to review posts in their workspace more efficiently.
  • Added the popular social networking site Reddit to the list of options that are available to users who like to share Connect content with their social circle.
  • Added the ability for Blog Administrators to add a graphical promotion to the right column of their blog pages.
  • Added the ability for Blog Administrators to enable short-form-RSS that syndicates a blog's summary (instead of the full text of the blog) and a link users can follow back to Connect to read the full post.
  • Fixed a caching issue that was hiding links to translated versions of posts from anonymous users.
  • Added the ability for post-by-email group members to submit posts using the BCC line in their email client.
  • Modified code that manages post-by-email submissions to check the "I need a solution" option, by default, on post submission.