Channel: Symantec Connect - Blog Entries

TS3500 robot configuration

Hello,

I am using a TS3500 tape library with 2 robots in a redundancy fashion. I have a Solaris 11 OS and would like to configure the robot. Can anybody help me with the steps? Also I want to know whether I can use the 2 robots as robot1 and robot2 after configuration.


Register Before March 31st for the Vision Early Bird Discount

Vision 2014 is just a few weeks away, but there is still time to take advantage of our Early Bird perks and discounts. Make sure you register by March 31st to receive your $200 discount and exclusive Vision 2014 jacket, pre-register for our most popular sessions and labs, qualify for a free certification exam, and much more.

Find out all about Vision and register here.

And stay tuned for additional information about the keynote addresses, coming soon.

The Tenth Anniversary of the First Mobile Malware

Figure. A brief history of mobile malware.

 

2014 marks the tenth anniversary of the creation of the first malware for mobile devices. It all began in 2004, when the first variant of SymbOS.Cabir was submitted to security researchers. Analysis revealed that the worm targeted Symbian OS, a very popular mobile operating system at the time.

Infected phones used Bluetooth to search for other nearby devices with discovery mode enabled and then tried to spread to them. The user had to accept the file transfer and the installation process before the malware could actually infect the device. This characteristic limited the proliferation of the worm, since the victim had to be within Bluetooth range and also approve the copy and installation process.

But this was just the beginning. Several other Cabir variants appeared with different modifications. Some of these variants aimed to steal information such as the phone's contacts, while others behaved more like a classic virus, infecting other local files.

A few months later, a modified version of a game called Mosquito appeared on the Internet. Along with the game, which was quite popular, this modified version also carried the trojan Trojan.Mos, which sent text messages (SMS) in the background to premium-rate numbers, running up charges for the device owner. This was the first widely seen case of profit-motivated malware on mobile devices.

The same tactic is still used today in hundreds of games for the Android platform which, once installed, send text messages and consume Internet traffic on the phone.

Soon after Mosquito, the first versions of Skull appeared. The threat got its name because one of its characteristics was replacing the icons of most applications with the image of a skull. The malware also replaced system and application files with garbage, preventing them from working correctly and rendering the phone almost unusable. Luckily for us, the ransomware category was not popular at the time; otherwise we would have seen the malware trying to hold the user's information hostage on the device itself.

That changed in 2013, when we saw the first samples of this kind of malicious software for mobile devices too. These threats focus more on holding the phone hostage than the data itself, since device data is synchronised frequently and backups to cloud environments are made regularly.

In 2005, SymbOS.CommWarrior.A entered the scene. It extended the propagation vector to include sending MMS messages to several numbers from the contact list. This malware was quite successful in its task, and CommWarrior variants were seen on mobile networks for years. In 2006, Trojan.RedBrowser.A extended the premium-rate SMS threat to other operating systems, namely those that supported the JME platform. It was the first JME Trojan capable of infecting different mobile platforms.

Within a year, mobile devices had to deal with malware very similar to that found on traditional computers, including worms, data-stealing and profit-driven Trojans, and viruses that infected other files. As if that were not enough, the rise of the adware and spyware categories did not go unnoticed on mobile devices. Spyware.FlyxiSpy, released in 2006, was sold commercially and was very successful at monitoring a mobile device's activity. Once installed, it monitored details of phone calls and SMS text messages and sent the information to a remote server. The malware was advertised as the best solution for people who wanted to monitor their spouses. Similar threats followed and evolved along the same path, allowing every step the user took to be monitored.

With many online banks adopting SMS text messages in their transaction verification methods, criminals followed the same path. As a result, in 2010, malware authors introduced SymbOS.ZeusMitmo, a threat capable of forwarding banking transaction text messages from compromised devices to the criminals. This allowed them to carry on committing online banking fraud. The idea was so successful that, in a short time, several pieces of malware aimed at exploiting online banking transaction services appeared for various mobile platforms, with the exception of iOS.

When Android became the largest mobile platform in 2011, malware authors began to take notice. The preferred distribution vector for attacks became trojanised applications, using social engineering techniques to make them more attractive. For example, Android.Geinimi was one of the first successful mobile bots, disguised as a genuine application. Since then, mobile botnets have become popular and are mostly used for fraud, among other kinds of attacks.

Android.Rootcager arrived the same year and was the first threat for the Android platform to use an exploit to elevate user privileges. This also highlights one of the few differences between mobile malware and traditional desktop threats. On Windows computers we generally see malware that uses an exploit to install itself on the compromised computer. Indeed, websites with malicious code that push data to the compromised device have become the most widely used vector. On mobile devices, however, this kind of technique is very rare. Most of the time, the user is still tricked into installing an application that appears to be good when in fact it is not.

This is not to say that there are no vulnerabilities in mobile operating systems (there are currently a few), but rather that criminals have not yet found it necessary to use this kind of entry point for an attack. In 2010, a website specialising in iPhone jailbreaking demonstrated how this form of attack could be used. The site took advantage of a vulnerability in the handling of fonts in PDF documents to install unauthorised programs. Since then, mobile operating system makers have updated and improved their security, making it harder for malware to make use of vulnerabilities.

In the last two years we have seen greater growth in Trojans and adware targeting mobile devices, mainly the Android platform. Even targeted attacks now make use of mobile threats for the purpose of spying on these devices. Given this, mobile malware has become a real threat that needs more attention because it is still in use. Indeed, we are approaching the moment when we will see the next step in the evolution of mobile threats, especially now that devices have become important components of identification and payment solutions.

Getting the most from your Support Engagements

Thoughts from a former Support Backline Representative

From the inside of Support, I saw what worked, and what did not, both from Customers and from Support Reps. This document is all about empowering YOU - the customer - to enable you to get what you need out of your support experience.

Music Festival Attendees: Beware of Phishing Scams

In late January this year, eager fans purchased tickets for Coachella, an annual two-weekend, three-day music festival, but were later targeted by scammers in a phishing campaign that persisted through the end of February.

Front Gate Tickets, the company responsible for the festival's ticketing, sent an email to ticket buyers at the end of February warning them about the phishing campaign, stating:

“The phishing involved a fraudulent website designed to look like the login page for Coachella ticket buyers to access their Front Gate accounts, built in an attempt to capture username and password information.”

The email went on to explain that the phishing links were circulated on message boards and email campaigns, and that the perpetrators had harvested the email addresses of ticket buyers who posted them publicly on message boards.

The campaign was timed right before the wristbands used for entry into Coachella were shipped out to attendees. Based on this, it's clear that the perpetrators intended to access ticket buyers' accounts and modify the mailing address, phone number and email on file so that the wristbands would be shipped to them instead. One user on the Coachella message board confirmed this to be the case:

“I was able to get my information put back on the account yet they changed the address, phone and email on file. Glad I double checked and didn't lose my tickets!”

This incident is an important lesson for the modern music fan. In just two years, scammers have gone from merely creating fake Facebook pages offering tickets to Coachella to directly targeting attendees with phishing emails to steal their wristbands.

Coachella is not the only music festival happening this year. In the coming months, festivals like Sasquatch, Bonnaroo, Outside Lands, Lollapalooza and others will take place throughout the United States, with even more festivals happening in other parts of the world.

Symantec Security Response encourages festival attendees to not share their email addresses on message board threads. If sharing is necessary, use the board’s built-in private messaging function.

If you’re a ticket buyer and you receive an email with a link asking you to log in to find out more information about your upcoming event, do not click on it blindly. Instead, open up a new browser or tab to visit the official website to log in. If the email seems suspicious, find a contact number or email address on the ticket distributor’s or music festival’s website and seek their assistance instead.

Enterprise Vault versus Exchange Throttling Policies

Since Exchange 2010, and now with Exchange 2013, Microsoft Exchange ships with throttling policies. These are designed to prevent misuse of system resources by end users. However, they can become a bit of a pain for applications which 'require' this misuse, such as Enterprise Vault or Blackberry Enterprise Manager.

These applications misuse the system in the eyes of Exchange because they do 'too many things'. An end user would never need dozens of MAPI sessions open, or tens of items/folders open at any one time. That is what the throttling policies try to protect against, but unfortunately they can interfere with these types of application.

Enterprise Vault's Admin Service will report issues if a throttling policy is in place against the Vault Service Account mailbox. It does this when the service starts, which is a good thing for the product to do.

Enterprise Vault also ships with a PowerShell script which creates a new, unlimited policy and applies it to the Vault Service Account mailbox. But sometimes this is done at too wide a level: an Exchange organisation often spans many geographies and many different administration teams, so setting the policy globally like this sometimes sends shudders down the backs of corporate IT teams.

A couple of useful articles help a savvy administrator achieve the effect of the policy change without using the script. Effectively you perform by hand the steps the script automates, which lets you change and customise what happens. Here are the links:

How to create the Enterprise Vault Service Account's throttling policy manually in Exchange 2010
http://www.symantec.com/docs/TECH157927

How to create the Enterprise Vault Service Account's throttling policy manually in Exchange 2013
http://www.symantec.com/docs/TECH216009
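The scoped alternative described above, as an added example for the Exchange 2010 Management Shell (this is not Enterprise Vault's own script, nor the content of the linked TECH articles). It creates a dedicated policy and attaches it to the Vault Service Account mailbox only, leaving the organisation default untouched; the mailbox name and the particular RCA/EWS parameters relaxed are assumptions for illustration, and $null means "no limit" in Exchange 2010.

```powershell
# Added example, not EV's own script. Assumes Exchange 2010 cmdlets and an
# assumed VSA mailbox name; which parameters EV needs relaxed is taken from
# the linked KB articles, the set below is illustrative.
$VsaMailbox = 'vsa@example.com'                 # assumed mailbox
$PolicyName = 'EnterpriseVaultThrottlingPolicy' # assumed policy name

# 1. Create a dedicated, non-default policy (the default policy is untouched).
if (-not (Get-ThrottlingPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-ThrottlingPolicy -Name $PolicyName | Out-Null
}

# 2. Lift the MAPI (RCA) and EWS limits on that policy only.
Set-ThrottlingPolicy -Identity $PolicyName `
    -RCAMaxConcurrency $null `
    -RCAPercentTimeInAD $null `
    -RCAPercentTimeInCAS $null `
    -RCAPercentTimeInMailboxRPC $null `
    -EWSMaxConcurrency $null `
    -EWSPercentTimeInAD $null `
    -EWSPercentTimeInCAS $null `
    -EWSPercentTimeInMailboxRPC $null `
    -EWSMaxSubscriptions $null `
    -EWSFindCountLimit $null

# 3. Associate the policy with the Vault Service Account mailbox alone.
Set-Mailbox -Identity $VsaMailbox -ThrottlingPolicy $PolicyName

# 4. Verify: the VSA carries the custom policy, everyone else still uses the
#    organisation default (IsDefaultPolicy -eq $true).
Get-Mailbox -Identity $VsaMailbox | Select-Object Name, ThrottlingPolicy
Get-ThrottlingPolicy | Where-Object { $_.IsDefaultPolicy } | Select-Object Name
```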

Data, data, everywhere - but not anywhere?

I’ve been thinking about data a lot recently. Nothing unusual there - it’s my job after all, and given the way data is growing at the moment, the term ‘big data’ is a regular on the daily buzzword bingo card. What’s really been making me think however, is not so much the quantities of data, but where it all is and how we can access it. 

The volumes of data being stored in online media sites such as YouTube or Vimeo, the blogs, content and status updates across social networks, the events and transactional traffic being generated by advertisers and devices are all creating an online pool that is dwarfing the overall volumes being stored inside corporate data centres. 

Such resources present a rich seam, which is increasingly available to be mined, as examples such as Amazon providing access to “Open datasets” via EC2 illustrate. Add to this the vast pools of governmental data - across transport and other public services - being opened up through initiatives led by the likes of Sir Tim Berners Lee and Professor Nigel Shadbolt, and the opportunity becomes overwhelming. 

As the shutters rise on increasing pools of data, an emerging challenge is either of getting to the data where it is, or getting the data to where it can be processed and analysed. While Moore’s Law has done a great job of increasing processing power while reducing its costs (which is why we have so much data in the first place), networking bandwidth has not increased at the same rate.

While in the future we might get some kind of quantum networking, in the short term at least such bottlenecks are here to stay. Data transfer is expensive, meaning that our data mountains tend to stay where they are. 

What can be done? Of course, there is more to data than simply raw sets of zeroes and ones. Data can be aggregated, pre-processed, meta-tagged, connected and referenced. Consider the simple example of mapping Britain’s bus services - while bus data might need to be accessed in real-time, nobody is suggesting the same for the map. 

Many have commented that the role of the data scientist will become increasingly important in years to come. I believe we will see another role emerge - that of "data orchestrator", who works out how to connect these disparate data sources without shifting the base data around. 

The role is architectural - while OpenStack, CloudStack and so on will be the tools of the trade, the physical nature of today’s enterprise and wide area networks, data centres and hosting facilities also play a part. For example, if the task is to link open transport with social network data, where better to start than in a colocation centre which is hosting both?

Much work remains to be done. I (and many others) have been discussing the concept of federated meta-repositories for example, which enable the distributed data sources to be viewed as a whole, rather than having to start from scratch every time. One thing is for sure however - for the time being, in large part, our data sources are likely to stay where they are. It is up to all of us to create the tools and develop the skills to respond accordingly. 

Partner Engage Bogotá and the Redesign of Our Channel Program

At the beginning of March I had the opportunity to be in Bogotá, Colombia to take part in our Partner Engage 2014, an annual event we created for our partners, where we were joined by 140 partners from various cities in Colombia and also from Venezuela and Ecuador.

Relying on password security? The truth about what employees are (not) doing

Many organizations today rely on passwords as the foundational layer of security for access to sensitive business data. With the rapid growth of smartphones and tablets, expanding use of cloud services, and nearly ubiquitous mobile workforce, passwords make for a shaky foundation. Today's companies require too many passwords, and often too complex (or frequently expiring) passwords to remember, leading employees to find workarounds or re-use passwords for multiple accounts. Highly sophisticated attackers target these users to take advantage of vulnerable passwords and holes in security, which could result in a costly breach for your company.

Postcards from Peru: An Executive's Perspective

By Aled Miles, Symantec's Senior Vice President, Latin America and the Caribbean

As the inaugural Symantec Service Corps (SSC) assignment wound down, I had the enormous pleasure of hosting the team for dinner in Arequipa, Peru before they left for home. As you know, this team of ten was selected for Symantec’s first effort at a long-term international service project, spending four weeks applying their professional skills to assist three Peruvian organizations. I know we’ve all been following along on their journey through the Postcards from Peru series on this blog, but I wanted to share my personal observations after the privilege of spending an evening with this interesting and focused team, that had only known each other for 28 days.

I was genuinely impressed by each and every SSC member. This team has done truly amazing things. I had spent the first part of the week in Sao Paulo with our Brazil colleagues. I often route back to California with a stop in Lima and a direct flight to San Francisco. I’ll be honest … my energy was a little low as I faced a fourth night out after even more air travel. I shouldn’t have been concerned … this group gave me a full recharge.

Their experiences were humbling. These exceptional employees committed themselves to 12 hour days for four weeks away from their families – dealing with food poisoning! – and still made a significant difference in a community that needs their expertise and energy.

We sat for hours over dinner (until 12:30am!) discussing their experiences – team dynamics, individual learnings, adapting to a new culture, and how they would “show up” at Symantec upon their return. This is a group that has clearly listened and learned from one another. They also looked after each other, leaving their egos behind.

They reminded me: when you are focused on a clear business outcome with a short and urgent timescale – focused only on the customer – you can make a material difference.

Do the right thing. Set a high bar and seize opportunities to improve. Have courage to take smart risks. Commit and deliver. Value individual differences. Own our collective success and failure. This team demonstrated our new Symantec values in every action they took.

To Alicia, Allyson, Ashley, Chris, Claire, Craig, Joe, Kamal, Marq, Prakash … I clearly saw that you have changed lives in Peru during the last four weeks.

Thank you for being our brand.

 

Aled Miles is Symantec's Senior Vice President, Latin America and the Caribbean.

Internet safety in the Netherlands

‘The attacker still has the upper hand,’ says the Dutch government’s most recent Cyber Security Report. The report continues: attackers are getting smarter, more devices are being connected to the internet, and yet many incidents could have been prevented by implementing basic security measures.

The human and business consequences are high. In 2011, for example, internet banking fraud alone resulted in Dutch losses of €35 million, according to the report. Over 3 million Dutch citizens in 2013 said that they had been victims of cybercrime in the last 12 months, according to the Norton Cybercrime Report.

In 2012, one in eight Dutch adults was the victim of cybercrime, according to government research. Young people, who are more active online, were more likely to be victimised, with one in five being affected. Worryingly, in an increasingly social online world, 30% of social network users say they share passwords with others, whilst 35% are happy to connect with people they do not know online. (Source: Norton Cybercrime Report).

The threat is not going away. Citizens and businesses need to be proactive in their own defence against cybercrime; particularly as we all transact more online and mobile devices multiply. And while nine out of ten victims of phishing and skimming do report the incident to the authorities, prevention is the preferred option.

The Nationaal Cyber Security Centrum’s website offers advice and security alerts in Dutch. For more information about Symantec Website Security Solutions in the Netherlands, visit our website or call us to find out how we can help your organisation stay safe online.

 

Emerging Threat: Operation Windigo

EXECUTIVE SUMMARY:

Security researchers have released a paper documenting a large and complex operation, code named “Operation Windigo”. Since the campaign began in 2011, more than 25,000 Linux and UNIX servers have been compromised to steal Secure Shell (SSH) credentials, redirect Web visitors to malicious content, and send spam. Well-known organizations such as cPanel and the Linux Foundation were confirmed victims.

Targeted operating systems include Apple OS X, OpenBSD, FreeBSD, Microsoft Windows, and various Linux distributions. The paper claims Windigo is responsible for sending an average of 35 million spam messages on a daily basis. This spam activity is in addition to more than 700 Web servers currently redirecting approximately 500,000 visitors per day to malicious content.

The paper lists three main malicious components (ESET detection names):

  • Linux/Ebury – an OpenSSH backdoor used to control servers and steal credentials
  • Linux/Cdorked – an HTTP backdoor used to redirect Web traffic
  • Perl/Calfbot – a Perl script used to send spam

Lengthy campaigns by malicious attackers have become commonplace. With the appropriate resources, motivation, and desire, attackers can obtain significant rewards for their efforts. While some campaigns focus on targeting specific organizations to identify and exfiltrate sensitive information, the goal here was financial gain, by way of Web redirects, spam, and drive-by-downloads.

 

THREAT DETAILS:

The following is according to ESET:

The attack, which has been dubbed “Operation Windigo”, is a complex knot of sophisticated malware components designed to hijack servers, infect the computers that visit them, and steal information. Victims of “Operation Windigo” have included cPanel and kernel.org.

ESET’s security research team, which uncovered Windigo, today published a detailed technical paper, presenting the findings of the team’s investigations and malware analysis. The paper also provides guidance on how to find out if your systems are affected and instructions for removing the malicious code.

 

OPERATION WINDIGO: Gathering Strength For Over Three Years

While some experts have spotted elements of the Windigo cybercriminal campaign, the sheer size and complexity of the operation has remained largely unrealised by the security community.

Interestingly, although Windigo-affected websites attempt to infect visiting Windows computers with malware via an exploit kit, Mac users are typically served adverts for dating sites and iPhone owners are redirected to pornographic online content.

 

An Appeal To Sysadmins To Take Action Against Windigo

Over 60% of the world’s websites are running on Linux servers, and ESET researchers are calling on webmasters and system administrators to check their systems to see if they have been compromised.

 

How To Tell If Your Server Has Fallen Foul Of Windigo

ESET researchers, who named Windigo after a mythical creature from Algonquian Native American folklore because of its cannibalistic nature, are appealing to Unix system administrators and webmasters to run the following command, which will tell them whether their server is compromised:

  • $ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
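The check above relies on an unmodified OpenSSH client rejecting -G as an unknown option, while the Ebury-patched client accepts it silently. As an added example (not part of ESET's guidance or the original post), the function below keeps that logic but also reads the client's version banner, because OpenSSH 6.8 and later added a legitimate -G option and the one-liner alone would report a clean modern host as infected. The version threshold is the one caveat added here; everything else follows the command as given.

```shell
#!/bin/sh
# Added example: classify the output of "ssh -G" the way the ESET one-liner
# does, but treat an OpenSSH >= 6.8 client as inconclusive rather than
# "infected", since those versions legitimately accept -G.

# $1: combined stdout/stderr of "ssh -G"
# $2: banner from "ssh -V" (e.g. "OpenSSH_6.6.1p1 Ubuntu-2ubuntu2")
# Prints clean | infected | inconclusive; exit 0 / 1 / 2 respectively.
classify_ssh_g_output() {
    out=$1
    banner=$2

    # An unmodified pre-6.8 client rejects -G with "illegal option" (BSD
    # getopt) or "unknown option" (GNU getopt): this is the page's "clean".
    case "$out" in
        *illegal*|*unknown*)
            echo clean
            return 0
            ;;
    esac

    # -G was accepted. Only an infected client or a genuine OpenSSH >= 6.8
    # does that, so look at the version banner before deciding.
    ver=$(printf '%s' "$banner" |
          sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    set -- $ver
    major=${1:-0}
    minor=${2:-0}
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 8 ]; }; then
        echo inconclusive   # -G is a real option here; use ESET's other IoCs
        return 2
    fi
    echo infected
    return 1
}

# Live wrapper: run the actual client on this host.
windigo_ssh_check() {
    classify_ssh_g_output "$(ssh -G 2>&1)" "$(ssh -V 2>&1)"
}
```

Call windigo_ssh_check on the host itself; an "inconclusive" result means the -G trick cannot distinguish a modern client from a trojanised one and the paper's other indicators should be used.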

 

Tough Medicine For Windigo Victims

If sysadmins discover their systems are infected, they are advised to wipe affected computers and reinstall the operating system and software.  It is essential that fresh passwords and private keys are used, as the existing credentials must be considered compromised.

For a higher level of protection in future, technology such as two-factor authentication should be considered.  All computer users are reminded that they should never reuse or choose easy-to-crack passwords.

 

ESET’s Key Findings:

  • The Windigo operation has been ongoing since at least 2011
  • More than 25,000 unique servers have been compromised in the last two years
  • A wide range of operating systems have been compromised by the attackers: Apple OS X, OpenBSD, FreeBSD, Microsoft Windows (through Cygwin) and Linux, including Linux on the ARM architecture
  • Malicious modules used in Operation Windigo are designed to be portable. The spam-sending module has been seen running on all kinds of operating systems while the SSH backdoor has been witnessed both on Linux and FreeBSD servers
  • Well-known organizations including cPanel and the Linux Foundation fell victim to this operation
  • Windigo is responsible for sending an average of 35 million spam messages on a daily basis
  • More than 700 web servers are currently redirecting visitors to malicious content
  • Over half a million visitors to legitimate websites hosted on servers compromised by Windigo are being redirected to an exploit kit every day
  • The success rate of exploitation of visiting computers is approximately 1%
  • The malicious group favours stopping malicious activity over being detected
  • The quality of the various malware pieces is high: stealthy, portable, sound cryptography (session keys and nonces) and shows a deep knowledge of the Linux ecosystem
  • The HTTP backdoor is portable to Apache’s httpd, Nginx and lighttpd
  • The gang maximizes available server resources by running different malware and activities depending on the level of access they have
  • No vulnerabilities were exploited on the Linux servers; only stolen credentials were leveraged.
  • We conclude that password authentication on servers should be a thing of the past

 

AFFECTED SOFTWARE:

  • Apple OS X
  • OpenBSD
  • FreeBSD
  • Microsoft Windows (through Cygwin)
  • Linux, including Linux on the ARM architecture

 

SYMANTEC MSS SOC DETECTION CAPABILITIES: 

Emergency response measures have been taken in order to provide MSS customers with early warning and potential escalations for successful exploitations related to this threat. Emergency response signatures may generate false positives and will undergo tuning to ensure enhanced accuracy over time; however, given the nature of the threat, it is prudent to be overly cautious about alerting to potentially related activity. Please contact the SOC’s Analysis team if you have any questions or concerns related to this detection or wish to discuss having such signatures disabled or otherwise adjusted to meet your organization’s needs.

For customers with our IDS/IPS Security Management services, vendor-based signatures will be automatically deployed, as per the vendor’s recommendation.  If you would like further information regarding the signature states on your devices, or would like to request the activation of a specific signature, the Analysis Team can be reached by requesting help via phone, e-mail, or visiting the MSS portal at https://mss.symantec.com.

For customers with monitor-only IDS/IPS devices, Symantec MSS stands ready to provide security monitoring once your IDS/IPS vendor releases signatures and those signatures are enabled on your monitored devices.

 

MSS SOC Analytics Detection

  • URL Analytics (WSM Signatures)
    • [MSS URL Detection] Possible Perl/Calfbot Command and Control Communications
    • [MSS URL Detection] Potential Linux/CDorked Outbound Communications Detected
    • [MSS URL Detection] Potential Perl/Calfbot Outbound Communications Detected
  • HotIP Signatures
    • Hot-IP - Potential Perl/Calfbot Outbound Communications

 

Vendor Detection

  • Snort/SourceFire
  • Emerging Threats (ET)
  • Intrushield
  • ISS Network Sensor
  • Symantec SEP/AV
    • Backdoor.Trojan
    • Linux.Cdorked
    • Linux.SSHKit
    • Linux.SSHKit!gen1
    • Trojan.Dropper
    • Trojan.Tracur!gen5
    • Trojan.Tracur!gen8
  • Symantec SEP/IPS
    • System Infected: Festi Rootkit Activity

This list represents a snapshot of current detection.  Symantec MSS stands ready to provide security monitoring once additional vendors or additional detection is identified and enabled on your monitored devices.  As threats evolve, detection for those threats can and will evolve as well.

 

MITIGATION STRATEGIES:

  • Symantec recommends customers use a layered approach to securing their environment, utilizing the latest Symantec technologies, including enterprise-wide security monitoring from Edge to Endpoint.
  • Symantec recommends that all customers follow IT security best practices.  These will help mitigate the initial infection vectors used by most malware, as well as prevent or slow the spread of secondary infections.
  • Minimum Recommended Best Practices Include:
    • Use/Require strong user passwords (8-16+ alphanumeric characters, with at least 1 capital letter, and at least 1 special character)
    • Disable default user accounts
    • Educate users to avoid following links to untrusted sites
    • Always execute browsing software with least privileges possible 
    • Turn on Data Execution Prevention (DEP) for systems that support it
    • Maintain a regular patch and update cycle for operating systems and installed software
  • Deploy network intrusion detection/prevention systems to monitor network traffic for malicious activity. 
  • For technologies not monitored/managed by MSS, ensure all signatures are up to date, including endpoint technologies.
  • Ensure all operating systems and public facing machines have the latest versions and security patches, and antivirus software and definitions up to date.
  • Ensure systems have a running firewall, unnecessary ports are closed/blocked, and unused services are disabled.
  • To reduce the impact of latent vulnerabilities, always run non-administrative software as an unprivileged user with minimal access rights.
  • Do not follow links or open email attachments provided by unknown or untrusted sources. 
  • Ensure staff is educated on Social Engineering and Phishing techniques.

 

REFERENCES:

  • Operation Windigo: Malware Used To Attack Over 500,000 Computers Daily After 25,000 UNIX Servers Hijacked By Backdoor Trojan
  • Operation Windigo: The vivisection of a large Linux server-side credential stealing malware campaign, http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf

How Secure Is Safe Enough?


Earlier this month at Mobile World Congress, Symantec announced File Sync and Share that is truly private. So, how does privacy play a role in our lives, and what kinds of secure control does Norton by Symantec provide file-sharing consumers and business owners to help keep them feeling protected?

New Zero-Day Vulnerability Discovered in Microsoft Word


On March 25, Microsoft published a security advisory about a newly discovered, unpatched vulnerability affecting Microsoft Word. By exploiting a memory corruption vulnerability in Microsoft Word (CVE-2014-1761), an attacker can gain remote access to the targeted computer. The advisory reports that the vulnerability has been exploited in limited, targeted attacks.

In addition to not opening unknown RTF documents, avoid previewing such files in Outlook, since this too can let an attacker exploit the vulnerability. Note that in some versions of Outlook, Microsoft Word is set as the default viewer for RTF documents attached to email.

No patch is available yet, but several workarounds minimize the risk of exploitation. Microsoft has provided a Fix it solution that prevents Microsoft Word from opening RTF content. You can also reduce the impact of this issue by configuring Outlook to display email as plain text only.

Microsoft states that the Enhanced Mitigation Experience Toolkit (EMET) can properly block this exploit, but consider it a fallback for when the other workarounds cannot be applied.

Once Microsoft releases a patch, we recommend applying it as soon as possible.

Symantec Security Response provides the following detections to protect customers from exploitation of CVE-2014-1761.

Antivirus

Intrusion Prevention System

Symantec is currently investigating further and will update this blog as more details become available.

 

* To subscribe to the RSS feed of the Japanese Security Response blog, go to http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

The Clever Trick Cybercriminals Use to Withdraw Cash by Sending SMS Messages to ATMs



Calls for both enterprises and home users to upgrade from Windows XP, whose support is about to end, to a later version are growing louder by the day. Even if no new features are needed, the upgrade is essential for security and support. An ATM is essentially a computer that controls access to cash, and it is already known that nearly 95% of ATMs run on Windows XP. With the end of Windows XP support scheduled for April 9, 2014 just around the corner, financial institutions face a serious risk of cyberattacks targeting ATMs. And this is no hypothetical risk: it is happening now, and the techniques cybercriminals use against ATMs are becoming ever more sophisticated.

In October 2013, as reported on this blog, new ATM malware was identified in Mexico, with which attackers used an external keyboard to withdraw cash from ATMs at will. This threat was named Backdoor.Ploutus. A few weeks later, a new variant was discovered showing that the malware had evolved into a modular architecture. This new variant has also been localized into English, suggesting that its authors are expanding their operations to other countries and regions. The new variant is detected as Backdoor.Ploutus.B (referred to simply as "Ploutus" throughout this blog).

What is distinctive about this Ploutus variant is that cybercriminals could make the ATM dispense cash simply by sending an SMS to the compromised ATM. Hard as it may be to believe, this technique is in use today in various places around the world.

This post explains how the technique works.

Figure 1. How attackers use a mobile phone to withdraw cash from an ATM

Connecting the mobile phone to the ATM
The attacker remotely controls the ATM using a mobile phone connected inside the ATM. There are several ways to connect a phone to an ATM, but the common method uses a configuration called USB tethering. In effect, this establishes a shared internet connection between the phone and the computer (in this case, the ATM).

To infect the ATM with Ploutus, the attacker must configure the phone correctly and connect it to the ATM. Once all the required steps are completed, a full two-way connection is established and the phone is ready.

Because the phone is connected to the ATM through the USB port, it also draws power from that connection and charges itself, so the phone can stay powered on indefinitely.

Sending SMS messages to the ATM
Once the phone is connected to the ATM and configured, the attacker can send specific SMS command messages to the phone connected inside the ATM. When it detects a new message in the prescribed format, the phone converts the message into a network packet and forwards it to the ATM over the USB cable.

The malware has a network packet monitor (NPM) module that acts as a packet sniffer, watching all network traffic headed to the ATM. When the compromised ATM receives a valid TCP or UDP packet from the phone, the NPM parses the packet and looks for the number "5449610000583686" at a specific offset within the packet, the aim being to process the entire data package. Once this specific number is found, the NPM reads the next 16 digits and uses them to build a command line for running Ploutus. The command takes the following form, for example:

cmd.exe /c PLOUTOS.EXE 5449610000583686=2836957412536985

In previous versions of Ploutus, the ringleader had to share this number with the money mule, so if the mule ever realized what the number meant, they could potentially defraud the ringleader. In this version, the 16-digit number is never visible to the mule, which lets the ringleader tighten security and centrally manage cash withdrawals. The number is valid for 24 hours.

Remotely controlling the ATM via SMS succeeds almost instantly from a distance, which makes it far more convenient for everyone involved in the crime. The ringleader knows exactly how much the mule is withdrawing, and the mule does not need to linger near the ATM for a long time waiting for the cash to appear. If the ringleader and the mule synchronize their actions, the mule can collect the cash by pretending to make a withdrawal or simply by walking past the ATM.

The full attack flow
Having seen the details of how the technique works, let us look at an overview of how the attack operates as a whole.

Figure 2. Overview of the Ploutus ATM attack

Process overview

  1. The attacker installs Ploutus on the ATM and connects a mobile phone to it with a USB cable.
  2. The controller sends two SMS messages to the phone inside the ATM.
    1. The first SMS contains a valid activation ID that launches Ploutus on the ATM.
    2. The second SMS contains a valid dispense command to withdraw cash.
  3. When the phone detects the arrival of a valid SMS message, it forwards it to the ATM as a TCP or UDP packet.
  4. Inside the ATM, the network packet monitor module receives the TCP/UDP packet and, if it contains a valid command, runs Ploutus.
  5. Ploutus makes the ATM dispense cash. The amount dispensed is preconfigured inside the malware.
  6. The money mule collects the cash from the ATM.
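As an added defensive example (not Symantec's code and not part of the original article), the Python below checks constructed packet payloads and a process-creation command line for the activation-ID/dispense-code pattern described above, giving a network and an endpoint vantage point. The packet offset the NPM inspects is not published, so the example searches the whole payload; that, the sample addresses and the payload framing are assumptions.

```python
import re

# From the article: the NPM module looks for this 16-digit activation ID in a
# TCP/UDP payload and reads the following 16 digits as the dispense code. The
# offset it checks is not published, so this search covers the whole payload
# (an assumption that favours recall over precision).
ACTIVATION_ID = b"5449610000583686"
TRIGGER_RE = re.compile(re.escape(ACTIVATION_ID) + rb"(\d{16})")
# The command line the article says the malware then builds, e.g.
#   cmd.exe /c PLOUTOS.EXE 5449610000583686=2836957412536985
CMDLINE_RE = re.compile(r"PLOUTOS\.EXE\s+(\d{16})=(\d{16})", re.IGNORECASE)


def find_trigger(payload):
    """Return the 16-digit dispense code if a Ploutus trigger is in payload, else None."""
    m = TRIGGER_RE.search(payload)
    return m.group(1).decode() if m else None


def scan_packets(packets):
    """Network vantage point: one alert per (src, dst, proto, payload) tuple
    whose payload carries the trigger."""
    alerts = []
    for src, dst, proto, payload in packets:
        code = find_trigger(payload)
        if code is not None:
            alerts.append({"src": src, "dst": dst, "proto": proto,
                           "activation_id": ACTIVATION_ID.decode(),
                           "dispense_code": code})
    return alerts


def check_process_cmdline(cmdline):
    """Endpoint vantage point: flag a process-creation command line that matches
    the activation/dispense pattern, a second chance if the packet was missed."""
    m = CMDLINE_RE.search(cmdline)
    return {"activation_id": m.group(1), "dispense_code": m.group(2)} if m else None


# Constructed sample traffic (not a capture): USB-tethered phone -> ATM.
SAMPLE_PACKETS = [
    ("192.168.42.129", "192.168.42.1", "udp", b"\x00\x01keepalive"),
    ("192.168.42.129", "192.168.42.1", "tcp",
     b"\x00\x00\x00\x01" + ACTIVATION_ID + b"2836957412536985\x00"),
    ("10.0.0.5", "10.0.0.9", "tcp", b"GET /status HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in scan_packets(SAMPLE_PACKETS):
        print("ALERT network:", alert)
    print("ALERT process:", check_process_cmdline(
        "cmd.exe /c PLOUTOS.EXE 5449610000583686=2836957412536985"))
```

On a real ATM the packet check would sit on the tethered interface and the command-line check on process-creation auditing; the 24-hour validity window mentioned above means the same code may legitimately recur, so alert on every hit rather than deduplicating.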

Symantec successfully reproduced this attack experimentally using a real ATM infected with Ploutus. You can watch the attack succeed in a short video.


Although this demo video uses the Ploutus malware, Symantec Security Response has also seen several other families of malware that similarly target ATMs. With Ploutus, attackers try to steal cash from inside the ATM, but some malware Symantec has analyzed instead attempts to steal customers' card details and PINs while a separate piece of malicious software carries out a man-in-the-middle attack. Attackers evidently have different ideas about the most effective way to get cash out of an ATM.

What can be done to protect ATMs
Modern ATMs have enhanced security features such as hard drive encryption, so they can block this kind of intrusion. But for older ATMs still running Windows XP, especially those already installed in all sorts of remote locations, preventing attacks like Ploutus is quite difficult. A separate problem is that the physical security of the computer inside the ATM also needs attention: the cash in an ATM is locked in a safe, but the computer is not. Such inadequate physical security in older ATMs gives attackers a corresponding advantage.

Various countermeasures can make things harder for criminals, including:

  • Upgrade to a supported operating system such as Windows 7 or Windows 8.
  • Implement adequate physical protection and consider installing CCTV cameras at ATMs.
  • Restrict BIOS functions so the machine cannot boot from unauthorized media such as CD-ROMs or USB drives.
  • Use full disk encryption software to prevent the disk from being tampered with.
  • Use a system protection solution such as Symantec Data Center Security: Server Advanced (formerly Critical System Protection).

If all of these measures are implemented, it becomes considerably harder for an attacker to compromise an ATM unless they have an accomplice on the inside.

Symantec's consumer, endpoint and server protection solutions will continue to support Windows XP for the time being, but if you are using Windows XP we recommend upgrading to a newer operating system as soon as possible.

 



Music Festival Attendees, Beware of Phishing Scams


In the latter half of January this year, devoted fans will have bought their tickets for the Coachella festival. Coachella is held every year over two consecutive three-day weekends, and a phishing attack by scammers targeting it continued until the end of February.

At the end of February, Front Gate Tickets, which handles ticket sales for Coachella, emailed ticket buyers to warn them about the phishing attack as follows:

"This phishing attack uses a fake website. It is designed to closely resemble the login page that Coachella ticket buyers use to access their Front Gate account, but it is a forgery intended to capture usernames and passwords."

The email goes on to explain that the phishing links were also circulating on message boards and in spam email, and that the attackers had harvested email addresses that ticket buyers had posted on message boards.

The attack was launched just after the wristbands that serve as admission to Coachella were shipped to attendees. Given the timing, the attackers were almost certainly trying to access ticket buyers' accounts and change the registered mailing address, phone number and email address in order to steal the wristbands. Indeed, one user's post on the Coachella message board corroborates this:

"I was able to restore my account information, but the registered address, phone number and email address had been changed. I was lucky that checking just in case meant I did not lose my tickets."

This incident is a good lesson for music fans in the digital age. In under two years, a scam that consisted of nothing more than creating fake Facebook pages offering free Coachella tickets has evolved into one that targets attendees directly with phishing emails to steal their wristbands.

Coachella is of course not the only festival this year. Over the coming months, Sasquatch, Bonnaroo, Outside Lands, Lollapalooza and many other music festivals are scheduled in the US alone, with many more around the world.

If you are attending a festival, we recommend not sharing your email address in message board threads. If you really must share it, use the private messaging feature the board provides.

If, after buying tickets, you receive an email containing a link and asking you to log in, supposedly to check details about the event you plan to attend, do not click the link; instead open a new browser window or tab and go to the official site. If anything about the email looks suspicious, find a contact phone number or email address on the ticket seller's or the festival's official site and ask them to verify it.

 


Symantec.cloud Support Blog

A little help from your friends...

This blog entry gives a series of support videos for mail services from Symantec.cloud.

Are you missing archives?

SQL to determine archives that may not be showing in the VAC

Archives with a mismatch in their archive type settings may not be showing in your vault admin console. This SQL script will show if any of these problems exist in your environment.

Heads up: ALL Monitor Solution RMS Policies are turned on by default!


I have just checked my 7.5 HF4 system and have found that all six "Site Management > Settings > Monitor Service > Advanced > Windows Remote Monitoring Server <architecture> <action>" policies are enabled!

This obviously does not make sense, as the Uninstall policies should only be used either when the Install & Upgrade policies are disabled, or have had their targets changed so that they do not cover the servers that you want to target the uninstall process against.

How did this get past QA, one asks?
 

Emerging Threat: Microsoft Word Zero Day (CVE-2014-1761) Remote Code Execution Vulnerability


EXECUTIVE SUMMARY:

On March 24th, Microsoft posted a security advisory (2953095) for a newly discovered, unpatched vulnerability affecting Microsoft Word. Microsoft has noticed limited, targeted attacks directed at Microsoft Word 2010. The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer. CVE-2014-1761 has been assigned for this vulnerability.

Please be aware that Word is the default viewer for Microsoft Outlook 2007, Microsoft Outlook 2010, and Microsoft Outlook 2013, and that even looking at the e-mail in the preview pane could lead to an infection through this attack.

 

THREAT DETAILS:

This vulnerability allows the attacker to gain the same privileges on a target machine as the victim, ultimately allowing remote code execution. The threat drops a backdoor to allow the attacker access to the victim machine. 

At this time, it appears the attack is targeted, and the impact is low. We do not have any further information on the countries/regions that are impacted at this time.

According to Microsoft, this exploit fails (resulting in a crash) on machines running Word 2013.

Microsoft also mentions that the malicious document in the wild is designed to trigger a memory corruption vulnerability in the RTF parsing code. The attacker embedded a secondary component in order to bypass ASLR, and leveraged return-oriented-programming techniques using native RTF encoding schemes to craft ROP gadgets.


 

IMPACT:

  • An attacker who successfully exploited this vulnerability could gain the same rights as the currently logged on user.
  • Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative privileges.

 

AFFECTED SOFTWARE:

  • Microsoft Word 2003 Service Pack 3
  • Microsoft Word 2007 Service Pack 3
  • Microsoft Word 2010 Service Pack 1 (32-bit editions)
  • Microsoft Word 2010 Service Pack 2 (32-bit editions)
  • Microsoft Word 2010 Service Pack 1 (64-bit editions)
  • Microsoft Word 2010 Service Pack 2 (64-bit editions)
  • Microsoft Word 2013 (32-bit editions)
  • Microsoft Word 2013 (64-bit editions)
  • Microsoft Word 2013 RT
  • Microsoft Word Viewer
  • Microsoft Office Compatibility Pack Service Pack 3
  • Microsoft Office for Mac 2011
  • Word Automation Services on Microsoft SharePoint Server 2010 Service Pack 1
  • Word Automation Services on Microsoft SharePoint Server 2010 Service Pack 2
  • Word Automation Services on Microsoft SharePoint Server 2013
  • Microsoft Office Web Apps 2010 Service Pack 1
  • Microsoft Office Web Apps 2010 Service Pack 2
  • Microsoft Office Web Apps Server 2013

 

MICROSOFT WORKAROUNDS:

 

MITIGATION STRATEGIES:

  • Apply the workaround until patches are made available by the vendor.
  • Apply the updates from Microsoft as soon as they become available.
  • Symantec recommends customers use a layered approach to securing their environment, utilizing the latest Symantec technologies, including enterprise-wide security monitoring from Edge to Endpoint.
  • Do not use out-of-date software; keep your operating system and software up to date with the latest versions and security patches.
  • Run all software as a non-privileged user with minimal access rights.
  • To reduce the impact of latent vulnerabilities, always run non-administrative software as an unprivileged user with minimal access rights.
  • Deploy network intrusion detection systems to monitor network traffic for malicious activity. 
  • Do not follow links or open email attachments provided by unknown or untrusted sources. 
  • Memory-protection schemes (such as non-executable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.
  • Symantec encourages users to apply all relevant patches when they are available.

 

SYMANTEC MSS SOC DETECTION CAPABILITIES:

MSS SOC Analytics Detection

  • Hot IP Signatures
    • Hot IP - MS word (CVE-2014-1761) zero day C&C traffic

Vendor Detection

  • Symantec SEP/AV
    • Bloodhound.Exploit.550
  • Snort/SourceFire

 

REFERENCES:

 
