Channel: Symantec Connect - Blog Entries

Targeted Attacks on the Energy Sector

Energy is crucial to maintaining our modern way of life, which is why the annual increase in reported attack attempts against the companies and industries that supply it is worrying. In the first half of 2013, the energy sector was the fifth most attacked worldwide, receiving 7.6 percent of all cyberattack attempts in the world, which translates into seven targeted attacks per day. It is therefore not surprising that in May 2013 the United States Department of Homeland Security warned of an increase in the wave of attacks aimed at sabotaging processes at energy companies. At Symantec, our researchers found that traditional energy utilities are particularly concerned about the scenarios created by threats such as Stuxnet or Disttrack/Shamoon, which can sabotage industrial facilities.

In this scenario we are learning that attackers targeting the energy sector also attempt to steal intellectual property on new technologies, such as wind and solar power generators, or gas field exploration diagrams. Although data theft incidents may not represent an immediate, catastrophic threat to an organization, they could be used to create a long-term strategic threat, and the stolen information could be used in the future to carry out more damaging actions.

The motivation and origin of attacks targeting this sector can vary: from a competitor commissioning action against energy companies in order to gain an unfair advantage, to "hackers for hire" groups such as Hidden Lynx, which are more than willing to carry out this kind of action. There are also state-sponsored hackers who attack energy companies in an attempt to disable critical infrastructure, and "hacktivist" groups may also attack companies to further their own political goals. Symantec researchers know that threats can come from anywhere in the world and that, at times, those responsible may be familiar with the company's systems or even be inside the company itself, intending to carry out attacks for extortion, bribery or revenge. Operational disruptions can also simply happen by accident, through a misconfiguration or a system problem; for example, in May 2013 the power grid in Austria came close to a blackout due to a configuration problem.

Our research has found that modern energy systems are becoming more complex. There are supervisory control and data acquisition (SCADA) or industrial control systems (ICS) that sit outside the traditional protective walls. As smart grid technology continues to gain momentum and more new energy systems are connected to the Internet of Things, new security vulnerabilities related to having countless devices connected to the Internet could open up. In addition, many countries have begun to open up their energy markets and have added small contributors to the electricity grid, such as private hydroelectric plants, wind turbines or solar collectors. Although these smaller sites represent only a small part of the grid, decentralized power feed-ins can be a management challenge, especially where IT resources are limited, so they must be monitored carefully in order to avoid small outages or interruptions that could cause a domino effect on the larger grids.

We therefore see the need for a collaborative strategy that combines technology with industrial security components to protect the energy industry's information. To contribute to this effort, Symantec conducted a broad study of the attacks carried out on the energy sector during the last 12 months. The research presents the facts and figures on impact and includes information on the methods, motivations and history of these attacks.

To download a copy of the report, click here.

We also prepared the following infographic to illustrate some of the key facts about targeted attacks on the energy sector.

[Infographic: Targeted attacks on the energy sector]

Introducing DMARC Validation in Email Security.cloud

One of the oldest tricks in the book for spammers is to spoof or forge the "From" address so that the email appears to come from a legitimate source.

This month, Symantec is introducing DMARC Validation as a free upgrade for Email Security.cloud customers, further enhancing our protection against these types of spam, targeted attacks and phishing messages.

Once customers enable this new functionality, Symantec will automatically check whether the sending domain's owner has published a DMARC policy and, if so, use it to check that the email is legitimate.
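To make the check described above concrete, here is an added example (not Symantec's implementation) of what a receiving-side DMARC validator has to do: fetch the policy published at `_dmarc.<domain>`, parse its tags, fall back to the organizational domain's `sp=` policy for subdomains, and then test whether an SPF or DKIM pass is aligned with the header From domain. DNS is replaced by a constructed dictionary of TXT records so it runs offline, and the organizational-domain logic is simplified to the last two labels (a real validator uses the Public Suffix List); the sample domains and record values are constructed for the example.

```python
"""Minimal DMARC policy lookup and evaluation (added example; not Symantec's code)."""
from dataclasses import dataclass

# Constructed sample TXT records, keyed by the _dmarc.<domain> name a validator would query.
SAMPLE_TXT_RECORDS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                          "rua=mailto:dmarc-reports@example.com",
    "_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:reports@example.org",
}


@dataclass
class DmarcPolicy:
    policy: str            # p=  : none, quarantine or reject
    subdomain_policy: str  # sp= : policy for subdomains (defaults to p=)
    adkim: str             # r = relaxed, s = strict DKIM alignment
    aspf: str              # r = relaxed, s = strict SPF alignment
    pct: int               # percentage of failing mail the policy is applied to


def parse_dmarc_record(txt: str) -> DmarcPolicy:
    """Parse a 'v=DMARC1; p=...' TXT record into a DmarcPolicy."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % txt)
    p = tags["p"].lower()
    return DmarcPolicy(
        policy=p,
        subdomain_policy=tags.get("sp", p).lower(),
        adkim=tags.get("adkim", "r").lower(),
        aspf=tags.get("aspf", "r").lower(),
        pct=int(tags.get("pct", "100")),
    )


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (assumption; real code uses the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookup_policy(from_domain: str, records=SAMPLE_TXT_RECORDS):
    """Return (policy, disposition to apply on failure) for the header From domain, or None if none is published."""
    from_domain = from_domain.lower()
    txt = records.get("_dmarc." + from_domain)
    if txt is not None:
        policy = parse_dmarc_record(txt)
        return policy, policy.policy
    org = organizational_domain(from_domain)
    txt = records.get("_dmarc." + org)
    if txt is not None and org != from_domain:
        policy = parse_dmarc_record(txt)   # subdomain without its own record: sp= applies
        return policy, policy.subdomain_policy
    return None


def is_aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict alignment requires an exact match; relaxed only requires the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_message(from_domain, spf_pass_domain=None, dkim_pass_domain=None, records=SAMPLE_TXT_RECORDS):
    """Return 'pass', 'no-policy', or the disposition ('none', 'quarantine', 'reject') to apply.

    spf_pass_domain / dkim_pass_domain are the domains for which SPF / DKIM already
    passed (None when that check failed or was absent); DMARC passes if either is aligned.
    """
    found = lookup_policy(from_domain, records)
    if found is None:
        return "no-policy"
    policy, disposition = found
    spf_ok = spf_pass_domain is not None and is_aligned(from_domain, spf_pass_domain, policy.aspf)
    dkim_ok = dkim_pass_domain is not None and is_aligned(from_domain, dkim_pass_domain, policy.adkim)
    return "pass" if (spf_ok or dkim_ok) else disposition


if __name__ == "__main__":
    # A spoofed message claiming example.com with no authentication at all is rejected.
    print(evaluate_message("example.com"))
    # Relaxed SPF alignment accepts a pass for a sibling host of the same organization.
    print(evaluate_message("example.com", spf_pass_domain="mail.example.com"))
```

The two alignment modes are the part people most often get wrong: with `adkim=s` a DKIM signature from `mail.example.com` does not protect mail from `example.com`, so in the sample data only the SPF pass rescues the message.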

Big, popular brands are often used in phishing and scam email attacks and I'm sure you've seen some of them first hand.
This is why over 80,000 domains have published DMARC policies; since 2011 it has been quickly adopted by some of the largest global brands and email senders, such as PayPal, Twitter, Outlook.com, Yahoo! Mail, Facebook, LinkedIn and Bank of America.

DMARC.org reports that more than 25 million email messages spoofing PayPal were detected and rejected by DMARC during the 2013 holiday buying season and Twitter reports that roughly 110 million messages per day were spoofing its domains prior to deploying DMARC, showing this implementation is effective.

"The attention so far has been on how DMARC helps protect consumers and big brand-owners, but as adoption rises it also offers improved protection to employees at organizations big and small." said Steven Jones, Secretary of DMARC.org. "A lot of companies have been asking me about vendor-supported DMARC filtering to help protect their employees, so this is definitely a growing need in the market."

HOW TO TURN ON DMARC VALIDATION

Symantec Email Security.cloud customers will see the new configuration options in the admin interface on or around March 29, 2014, and we encourage all customers to enable it as soon as they can.
You can enable DMARC Validation in the Spoofed Sender Detection settings, located within the Antispam configuration in ClientNet.

Further technical information on DMARC can be found at DMARC.org.

As attackers and miscreants try new ways to circumvent security, it's vitally important that a security product or service continually evolves to protect against the latest threats.
Symantec's cloud-based Email Security offering is always up to date and doesn't burden customers with software or hardware upgrades to get the latest benefits.
We track our own performance and publish metrics regularly against our SLAs online.

Symantec’s comprehensive security expertise, vast global intelligence and portfolio offer organizations proactive, targeted attack protection across the endpoint, gateway and data center.

Internet of Things - What will we fail to anticipate?

I believe that the IT industry will, in the future, hold far more responsibility for radical changes to culture and society than ever before. The Internet of Things (IoT) will see humanity take a new foundation on which to build things (the Internet) and start to create architectures and services that fundamentally change the way we live our lives. Just in the past few weeks, I have spoken to entrepreneurs and large businesses that are seeding technological concepts that could, eventually, touch all of us in very meaningful and real ways. It is difficult (especially for a technologist like me) not to get excited about self-driving cars that learn from each other, connected homes that allow us to remotely monitor and control our personal spaces, and smart meters that have a profound impact on a nation's energy consumption. But, as I have discussed before, there are likely to be unintended consequences to all of these ideas that technologists (even the really clever ones) are likely to miss, given the current drive for innovation that is (quite understandably) being encouraged by both the private and the public sector.

Rapid technological development is currently not being matched by research into the societal impact of the Internet of Things. Project efforts today are primarily focused on potential business (or personal) benefits and very little is known about future impact of the technological advancements under development.

At Symantec, our primary concerns with regard to societal impact have to do with personal privacy, trust and the security of systems and information. Interestingly (and with a few exceptions), a great number of the technologies needed to facilitate a trustworthy and secure IoT already exist. In our own portfolio, for example, we already have the ability to ensure trusted authentication of huge volumes of devices (we currently authenticate over 50 million internet-connected TVs), to harden and secure critical industrial control systems, and to create highly available, "always on" architectures. The issue here is that the "charter" for privacy and security in IoT is not yet agreed (by technology firms, governments or society at large). A great deal of work needs to be done to push this forward and to create working frameworks within which we can all operate and collaborate to create useful and trustworthy solutions that inspire people to do more.

My view… we need to pick some use-cases that are compelling and commercially viable, create privacy “charters” that are acceptable to their potential user groups and go build them. There is a real danger of “analysis paralysis” here (which is nearly as bad as rushing to build massive solutions that are not trustworthy or secure).

Current discussion around the potential of IoT is often very abstract. Let’s mix the skills of technologists with experts in people and society, build some pilots and ensure that these new solutions are “secure by design”. In the Internet of Things, security and privacy must be inherent and not optional features and a “retrofitting” of security to a system with a million connected objects will not be an option in years to come.

How to temporarily work around the incompatibility of IE 11 with the SMP 7.5 Console on Windows 8/8.1

IE 11 is not officially supported in the ITMS 7.5 release, so incompatibility issues can appear while managing the SMP 7.5 Console.
Many people have Windows 8/8.1, which ships with IE 11 and (as far as I know) cannot be downgraded to a lower version of IE.

Temporary workaround until the next release of ITMS 7.5, in which IE 11 will be supported:
1. Install the Chrome browser on your Windows 8/8.1 OS: http://www.google.com/chrome/
2. Install the "IE Tab" extension for Chrome: http://www.ietab.net/
3. Open Chrome ⇒ click on "IE Tab" ⇒ enter the URL of your SMP server

[Screenshot: the SMP Console opened in IE Tab inside Chrome]

Frequently Asked Questions on NetBackup Accelerator Part II

Network Attached Storage and Network Data Management Protocol

Can I use NetBackup Accelerator to back up Network Attached Storage (NAS) devices? Is an NFS mount host or a CIFS mount host better for making use of NetBackup Accelerator? Is NetBackup for NDMP or NetBackup Accelerator using a mount host better for protecting a NAS device? Let us do a deep dive!

Simple njRAT Fuels Nascent Middle East Cybercrime Scene

Symantec has observed the growth of indigenous groups of attackers in the Middle East, centered around a simple piece of malware known as njRAT. While njRAT is similar in capability to many other remote access tools (RATs), what is interesting about this malware is that it is developed and supported by Arabic speakers, resulting in its popularity among attackers in the region.

The malware can be used to control networks of computers, known as botnets. While most attackers using njRAT appear to be engaged in ordinary cybercriminal activity, there is also evidence that several groups have used the malware to target governments in the region.

Symantec analyzed 721 samples of njRAT and uncovered a fairly large number of infections, with 542 command-and-control (C&C) server domain names found and 24,000 infected computers worldwide. Nearly 80 percent of the C&C servers were located in the Middle East and North Africa, including Saudi Arabia, Iraq, Tunisia, Egypt, Algeria, Morocco, the Palestinian Territories and Libya.

Figure 1. The majority of njRAT C&C servers are found in the Middle East and North Africa

The majority of the C&C server IP addresses were traced to ADSL lines, which indicates that most attackers using the malware could be home users in the Middle Eastern region.

njRAT is not new on the cybercrime scene. It has been publicly available since June 2013 and three versions have already been released, all of which can be propagated through infected USB keys or networked drives.

The malware has the basic features common in most RATs. It can download and execute additional malware; execute shell commands; read and write registry keys; capture screenshots; log keystrokes; and snoop on webcams.

Strong online support for Middle East home users
The main reason for njRAT’s popularity in the Middle East and North Africa is a large online community providing support in the form of instructions and tutorials for the malware’s development. The malware’s author also appears to hail from the region. njRAT appears to have been written by a Kuwait-based individual who uses the Twitter handle @njq8. The account has been used to provide updates on when new versions of the malware are available to download.

Figure 2. The creator of njRAT announcing in a tweet that version 0.7 of njRAT is available to download

Symantec has also located the malware author’s WordPress webpage, which redirects to another Blogspot webpage. The latter displays visitor statistics, indicating that majority of the blog’s visitors come from Saudi Arabia as shown below:

Figure 3. The visitor statistics of @njq8's Blogspot Web page

Technical support and tutorials on using njRAT are widely available on the Web. Symantec has found numerous video tutorials in the Arabic language containing step-by-step processes for downloading and setting up the malware, including steps such as dynamic DNS naming for C&C servers. This level of support enables attackers in the region to easily build tools and server components for njRAT.

Figure 4. Description of a video tutorial on how to build an njRAT on hacking group MaDLeeTs's website

Figure 5. The latest three tutorials on Anonymous Iraq's YouTube channel are on obfuscating njRAT to evade antivirus software

Hacker groups launch targeted attacks with njRATs
Most njRAT users seem to be home users who are interested in online pranks such as spying on webcams or taking screenshots of victims’ computers. However, infections have also been recorded on the networks of a number of governments and political activists.

Symantec has identified 487 groups of attackers mounting attacks using njRAT. These attacks appear to have different motivations, which can be broadly classed as hacktivism, information theft, and botnet building.

One such group is the S.K.Y.P.E/Tagged group, which has C&C servers hosted in Egypt and Algeria. The group’s vector for infection is a screensaver hosted on the file sharing site ge.tt. When victims download the compressed .rar file containing the screensaver, they get an executable containing njRAT.

Figure 6. The infected screensaver created by the S.K.Y.P.E/Tagged group on the ge.tt file sharing site

It is also interesting to note that the infected file hosted on ge.tt was dated November 20, 2012, because njRAT only became publicly available in June 2013. It would appear that njRAT had already been created prior to that date and it is likely that the malware was disseminated among small groups of people, such as on a closed Web forum, prior to its public release.

Symantec has also observed that infection numbers spiked around the time this copy of njRAT was uploaded on ge.tt. The S.K.Y.P.E/Tagged group uses two C&C servers: njratmoony.no-ip.biz and njr.no-ip.biz. The number of newly infected computers reporting to both servers spiked in October and November of 2012.

Figure 7. The daily infection rate of computers reporting to the S.K.Y.P.E/Tagged group's C&C servers, njratmoony.no-ip.biz and njr.no-ip.biz

njRAT signals growing cybercrime community
As large numbers of Middle Eastern attackers continue to use njRAT due to its accessibility, Symantec expects that they will try to find new ways of obfuscating the malware to evade detection by antivirus software. They are likely to continue to use njRAT since an Arabic speaking community and its Arabic author continue to provide support for the malware.

The more advanced threat actors, such as hacker groups, may continue to use njRAT for targeted attacks in the short term. For example, a report by the Electronic Frontier Foundation (EFF) and Citizen Lab found that njRAT is one of a number of tools being used to target Syrian opposition groups during the Syrian conflict. However, Symantec anticipates that such groups will eventually depart from using publicly-available tools like njRAT and begin to develop their own tools and more advanced RATs for cyberattacks.

Symantec detects this threat as Backdoor.Ratenjay.

Symantec Endpoint Protection receives the AV-TEST AWARD FOR BEST PERFORMANCE 2013

Corporate Users (Windows): Symantec Endpoint Protection

The AV-TEST AWARD FOR BEST PERFORMANCE 2013 is presented to the security software that has the least influence upon a system once installed.

The tests that are carried out involve typical activities such as loading websites, downloading software, installing and starting up programs and copying files.

To check the regular test results, see http://www.av-test.org/en/tests/corporate-user/pro...

ITMS 7.5 HF5 Now Available via SIM

Hotfix 5 for Deployment Solution 7.5, Inventory Solution 7.5 and Symantec Management Platform 7.5 is now available via SIM.

Not quite ITMS, I know, but it's a start. ;-)

CryptoDefense, the CryptoLocker Imitator, Makes Over $34,000 in One Month

On the back of Cryptolocker’s (Trojan.Cryptolocker) perceived success, malware authors have been turning their attention to writing new ransomcrypt malware. The sophisticated CryptoDefense (Trojan.Cryptodefense) is one such malware. CryptoDefense appeared in late February 2014 and since that time Symantec telemetry shows that we have blocked over 11,000 unique CryptoDefense infections. Using the Bitcoin addresses provided by the malware authors for payment of the ransom and looking at the publicly available Bitcoin blockchain information, we can estimate that this malware earned cybercriminals over $34,000 in one month alone (according to Bitcoin value at time of writing).

Imitation
"Imitation is not just the sincerest form of flattery - it's the sincerest form of learning" – George Bernard Shaw.

CryptoDefense, in essence, is a sophisticated hybrid design incorporating a number of effective techniques previously used by other ransomcrypt malware authors to extort money from victims. These techniques include the use of Tor and Bitcoins for anonymity, public-key cryptography using strong RSA 2048 encryption in order to ensure files are held to ransom, and the use of pressure tactics such as threats of increased costs if the ransom is not paid within a short period of time. However, the malware author’s poor implementation of the cryptographic functionality has left their hostages with the key to their own escape.

Infection
Symantec has observed CryptoDefense being spammed out using emails such as the one shown in Figure 1.

Figure 1. Malicious spam email example

Network communications
When first executed, CryptoDefense attempts to communicate with one of the following remote locations:

  • machetesraka.com
  • markizasamvel.com
  • armianazerbaijan.com
  • allseasonsnursery.com

The initial communication contains a profile of the infected computer. Once a reply is received from the remote location, the threat then initiates encryption and transmits the private key back to the server. Once the remote server confirms the receipt of the private decryption key, a screenshot of the compromised desktop is uploaded to the remote location.
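The C&C host names in the njRAT write-up above (njratmoony.no-ip.biz and njr.no-ip.biz) and the four call-home domains listed for CryptoDefense are the kind of indicator a defender would want to match against DNS query logs. The following is an added detection-side example, not Symantec's code: it normalizes each queried name (case, trailing dot), flags exact matches and subdomains of the known domains, and summarizes hits per client. The log line format and the client addresses are constructed for the example; the indicator list contains only the domains named on this page.

```python
"""Match DNS query logs against the C&C domains named in this page (added example; not Symantec's code)."""
import re
from collections import defaultdict

# Indicator domains taken from the text above: the S.K.Y.P.E/Tagged njRAT C&C servers
# and the four remote locations CryptoDefense contacts on first execution.
KNOWN_C2_DOMAINS = {
    "njratmoony.no-ip.biz",
    "njr.no-ip.biz",
    "machetesraka.com",
    "markizasamvel.com",
    "armianazerbaijan.com",
    "allseasonsnursery.com",
}

# Constructed sample log in the form "<timestamp> <client-ip> query <qname>".
SAMPLE_DNS_LOG = """\
2014-03-28T09:12:01Z 10.0.0.15 query www.example.com
2014-03-28T09:12:04Z 10.0.0.23 query njratmoony.no-ip.biz
2014-03-28T09:13:10Z 10.0.0.23 query api.machetesraka.com.
2014-03-28T09:14:55Z 10.0.0.42 query MarkizaSamvel.COM
2014-03-28T09:15:00Z 10.0.0.15 query updates.example.org
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")


def normalize(qname: str) -> str:
    """Lower-case the name and drop a trailing root dot so comparisons are exact."""
    return qname.lower().rstrip(".")


def matching_indicator(qname: str, indicators=KNOWN_C2_DOMAINS):
    """Return the indicator that the queried name equals or is a subdomain of, else None."""
    name = normalize(qname)
    for ioc in indicators:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def scan_dns_log(text: str, indicators=KNOWN_C2_DOMAINS):
    """Return a list of (timestamp, client, normalized qname, indicator) for every matching query."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        ioc = matching_indicator(m["qname"], indicators)
        if ioc:
            hits.append((m["ts"], m["client"], normalize(m["qname"]), ioc))
    return hits


def clients_by_hit_count(hits):
    """Count matching queries per client so the most likely infected hosts surface first."""
    counts = defaultdict(int)
    for _, client, _, _ in hits:
        counts[client] += 1
    return dict(counts)


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_DNS_LOG)
    for ts, client, qname, ioc in found:
        print("%s %s queried %s (matches %s)" % (ts, client, qname, ioc))
    print(clients_by_hit_count(found))
```

Matching on subdomains matters because the initial check-in seen in the wild rarely uses the bare registered name; it also means a dynamic DNS provider such as no-ip.biz should never be added to the list as a whole, since that would flag every legitimate host under it.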

Ransom demand
Once the files are encrypted, CryptoDefense creates the following ransom demand files in every folder that contains encrypted files:

  • HOW_DECRYPT.TXT
  • HOW_DECRYPT.HTML
  • HOW_DECRYPT.URL

Figure 2. Example of HOW_DECRYPT.HTML file

As can be seen in Figure 2, the malware authors are using the Tor network for payment of the ransom demand. For victims who are not familiar with the Tor network, they even go as far as providing instructions on how to download a Tor-ready browser and enter the unique Tor payment Web page address. The use of the Tor network conceals the website's location and provides anonymity and resistance to takedown efforts. Other similar threats, such as Cryptorbit (Trojan.Nymaim.B), have used this tactic in the past.

Payment
Once the user opens their unique personal page provided in the ransom demand using the Tor Browser, they will be presented with a CAPTCHA page.

Figure 3. Example of CAPTCHA shown to victim

Once they have filled in the CAPTCHA correctly, the user will be presented with the ransom payment page.

Figure 4. CryptoDefense ransom payment page

Of note here is the ransom demand of 500 USD/EUR to be paid within four days or the ransom doubles in price. The use of time pressure tactics by the cybercriminals makes victims less likely to question the costs involved when evaluating potential losses. The cybercriminals offer proof through a “My screen” button, included on the payment page, that they have compromised the user’s system by showing the uploaded screenshot of the compromised desktop. They also offer further proof that decryption is feasible by allowing the victim to decrypt one file through the “Test decrypt” button. They then proceed to educate their victim on how to get hold of Bitcoins to pay the ransom.

Encryption
CryptoDefense employs public-key cryptography using strong RSA 2048 encryption. This means that once the files have been encrypted, without access to the private key, victims will not be able to decrypt the files. With Cryptolocker, the private key was only ever found on servers controlled by the attacker, meaning the attackers always maintained control over the encryption/decryption keys. On investigating how CryptoDefense implemented its encryption, we observed that the attackers had overlooked one important detail: where the private key was stored.

As advertised by the malware authors in the ransom demand, the files were encrypted with an RSA-2048 key generated on the victim's computer. This was done using Microsoft's own cryptographic infrastructure and Windows APIs to perform the key generation before sending the key back in plain text to the attackers' server. However, using this method means that the decryption key the attackers are holding for ransom actually still remains on the infected computer after transmission to the attackers' server.

When using Microsoft's cryptographic infrastructure, private keys are stored in the following location:

%UserProfile%\Application Data\Microsoft\Crypto\RSA

Due to the attackers' poor implementation of the cryptographic functionality, they have, quite literally, left their hostages a key to escape. Further details of Microsoft's key storage architecture can be found here.

Earnings
Symantec is aware of the following Bitcoin addresses being used in CryptoDefense ransom demands:

The first known Bitcoin transaction for these addresses was on February 28, 2014. This corresponds with the first detection of a CryptoDefense sample by Symantec. At this time, based on the number of received transactions for both Bitcoin addresses, Symantec can estimate that the cybercriminals behind CryptoDefense have earned over $34,000 in just one month.

Prevalence
Symantec telemetry shows that we have blocked over 11,000 unique CryptoDefense infections in over 100 countries. The United States makes up the majority of these detections followed by the United Kingdom, Canada, Australia, Japan, India, Italy, and the Netherlands.

Figure 5. Heatmap for CryptoDefense detections

Protection
Although the two are not related, the similarities between CryptoDefense and Cryptolocker were such that Symantec initially detected this threat as Trojan.Cryptolocker, along with numerous other detections. Symantec detects CryptoDefense under the following detection names:

Antivirus detections

Heuristic detections

Reputation detections

Intrusion prevention signatures

Symantec customers that use the Symantec.Cloud service are also protected from the spam messages used to deliver this malware.

For the best possible protection, Symantec customers should ensure that they are using the latest Symantec technologies incorporated into our consumer and enterprise solutions. To further protect against threats of this nature, it is recommended that you follow security best practices and always back up your files using a product such as Symantec's Backup Exec family. Finally, always keep your systems up to date with the latest virus definitions and patches.

Last Day for Early Bird Discount

Have you registered for Vision?

Today is the last day to register to receive your $200 discount and exclusive Vision 2014 jacket. You can also pre-register for our most popular sessions and labs, qualify for a free certification exam, and much more.

Find out all about Vision and register here.

Simple njRAT Fuels the Growth of a Cybercrime Community in the Middle East

Symantec has confirmed that groups of attackers that originated in the Middle East are gaining momentum while using a simple piece of malware known as njRAT. njRAT has capabilities similar to those of many other remote access tools (RATs), but it is distinctive in that it is developed and supported by Arabic speakers, and as a result it has become popular among attackers in the Arabic-speaking world.

njRAT allows attackers to control networks of computers as so-called botnets. Most attackers using njRAT appear to be involved in ordinary cybercriminal activity, but evidence has also been found of some groups using njRAT to target governments in the Middle East region.

Symantec analyzed 721 njRAT samples and confirmed a very large number of infections. The command-and-control (C&C) server domains numbered 542, and 24,000 computers worldwide were found to be infected. Nearly 80% of the C&C servers were found in the Middle East and North Africa, including Saudi Arabia, Iraq, Tunisia, Egypt, Algeria, Morocco, the Palestinian Territories and Libya.

Figure 1. The majority of the C&C servers used by njRAT are found in the Middle East and North Africa

Tracing the C&C server IP addresses shows that most of them are ADSL lines, which suggests that most of those using this malware are home users in the Middle East region.

njRAT is not a newcomer to the world of cybercrime. It was released publicly in June 2013, and three versions have been released so far. All of them spread via infected USB memory sticks or network-attached drives.

njRAT's basic features are the same as those of many RATs. It can download and execute other malware, execute shell commands, read and write registry keys, capture screenshots, log keystrokes and spy through webcams.

Full online support for home users in the Middle East
The biggest reason njRAT is popular in the Middle East and North Africa is the existence of a large online community, which provides support in the form of instructions and tutorials on developing the malware. njRAT is believed to have been created by an individual living in Kuwait, and the author also appears to participate in this community from the region. On Twitter the author uses the account name @njq8, and when a new version of njRAT becomes available for download, updates are posted from that account.

Figure 2. The Twitter account of njRAT's author, announcing that version 0.7 is available for download

Symantec has also located the author's WordPress-based Web page. This page redirects to another Web page on Blogspot, where visitor statistics are displayed, as shown in the following figure. These show that the majority of visitors access the blog from Saudi Arabia.

Figure 3. Visitor statistics published on @njq8's Blogspot Web page

Technical support and tutorials on using njRAT are widely available on the Web. Symantec has also found numerous tutorial videos produced in Arabic. These videos explain the download and setup process step by step, including steps such as dynamic DNS naming for C&C servers. Thanks to this thorough support, attackers in the region can easily build tools and server components for njRAT.

Figure 4. A description of a tutorial video explaining how to build njRAT, posted on the Web site of the hacking group MaDLeeTs

Figure 5. The three latest tutorials on Anonymous Iraq's YouTube channel, explaining how to obfuscate njRAT to evade antivirus software

Hacker groups launching targeted attacks with njRAT
Most attackers using njRAT are home users who are merely interested in online pranks, such as spying through webcams or capturing screenshots on victims' computers. However, it is also a fact that infections have been recorded on the networks of numerous government agencies and political activists.

Symantec has confirmed that as many as 487 groups are mounting attacks using njRAT. The motivations for the attacks vary, but they can broadly be divided into hacktivism, information theft and botnet building.

One such group is the "S.K.Y.P.E/Tagged" group, which uses C&C servers located in Egypt and Algeria. This group's infection vector is a screensaver hosted on the file sharing site ge.tt. When victims download the .rar archive containing the screensaver, they also download an executable file containing njRAT.

Figure 6. The infected screensaver created by the S.K.Y.P.E/Tagged group, hosted on the file sharing site ge.tt

It is also worth noting that the timestamp of the infected file hosted on ge.tt is November 20, 2012. njRAT only became publicly available in June 2013, so it may have been created before that date. It may have been distributed among a small group of people, such as on a private Web forum, prior to its public release.

Symantec has also confirmed that the number of infections spiked around the time this copy of njRAT was uploaded to ge.tt. The S.K.Y.P.E/Tagged group uses two C&C servers, njratmoony.no-ip.biz and njr.no-ip.biz, and the number of newly infected computers communicating with these two servers increased sharply in October and November 2012.

Figure 7. The daily infection count of computers communicating with the S.K.Y.P.E/Tagged group's C&C servers (njratmoony.no-ip.biz and njr.no-ip.biz)

njRAT is a sign of a growing cybercrime community
Since a considerable number of attackers in the Middle East continue to use njRAT because of its ease of use, new attempts to obfuscate the malware and slip past detection by antivirus software are expected to continue. As long as the Arabic-speaking community and the author residing in the region continue to provide support, njRAT will continue to be used.

In the short term, more advanced attackers such as hacker groups may continue to use njRAT for targeted attacks. For example, as revealed in a report by the Electronic Frontier Foundation (EFF) and Citizen Lab, njRAT was among the many tools used to target opposition groups during the Syrian conflict. However, Symantec expects that such groups will eventually move away from publicly available tools like njRAT and begin developing their own tools and more advanced RATs for cyberattacks.

Symantec detects this threat as Backdoor.Ratenjay.

* To subscribe to the RSS feed of the Japanese-language Security Response blog, go to http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

Symantec Named One of the World's Most Ethical Companies

By Paola Zeni, Symantec Director, Global Privacy, Ethics, and Compliance.

Symantec has been recognized as a 2014 World's Most Ethical Company by the Ethisphere Institute, an independent center of research promoting best practices in corporate ethics and governance. This is the seventh time that Symantec has been honored with this award, which recognizes organizations that continue to raise the bar on ethical leadership and corporate behavior. Symantec is one of only 10 technology companies worldwide honored this year.

[Image: 2014 World's Most Ethical Companies badge]

This award belongs to all employees at Symantec, who act in their daily job in accordance with the highest ethical standards.

"World's Most Ethical Companies believe that customers, employees, investors and regulators place a high premium on trust, and that ethics and good governance are key in earning it," said Ethisphere's Chief Executive Officer, Timothy Erblich. "Symantec joins an exclusive community, committed to driving performance through leading business practices. We congratulate everyone at Symantec for this extraordinary achievement."

The World's Most Ethical Company assessment is based upon the Ethisphere Institute's Ethics Quotient framework, which was developed by ethical thought-leaders to assess an organization's performance in an objective, consistent and standardized way. In order to qualify for the award, Symantec provided information on its ethics and compliance program, reputation, leadership and innovation, corporate citizenship and responsibility, and culture of ethics.

The full list of the 2014 World's Most Ethical Companies can be found at http://ethisphere.com/worlds-most-ethical/wme-honorees/.

 

Paola Zeni is Symantec's Director of Global Privacy, Ethics, and Compliance.

The Top 5 Reasons Businesses Need to Manage Applications on Mobile Devices

Cheryl Tang, Senior Product Manager, Symantec Corp. illustrates why Mobile Application Management is vital to securing the future of "anywhere" business.

BE 2012 BUG: false Linux Media Server Option license violation message

In https://www-secure.symantec.com/connect/forums/lin... I reported being surprised by my Backup Exec 2012 installation accusing me of a license violation (translated from German):

     Message:       Linux Media Server Option-License Violation
                    The trial period for the Linux Media Server Option has expired.
                    You must acquire the Linux Media Server Option or deactivate the devices.
                    You find additional information in the documentation.
     Additional information: Support Database Article V-275-444

I have now analysed the problem a bit further:

  1. I add a Red Hat Enterprise Linux 6 server with the latest RALUS from BE 2012 SP4. (Version 14.0.1798.1364)
  2. I create a job definition backing it up to deduplication storage and duplicating to tape.
  3. In the properties of that job's Backup stage, on the Storage pane, in every section there is a radiobutton option (translated from German):
    (*) Allow the remote computer to access the storage device directly and perform client side deduplication if this is supported.
    ( ) Allow the remote computer to access the storage device through the Backup Exec server and perform server side deduplication if this is supported.
    By default, the first one is selected.
  4. If I change that option to the second alternative (server side deduplication) in all sections before creating the job, everything's well.
  5. If I leave it at the default alternative (client side deduplication), Backup Exec creates an entry for the Linux server on the Storage tab, displays a duplicate of the deduplication storage below it, and reports that the Backup Exec services need to be restarted. Shortly after I do that, the Licensing Violation message appears.
  6. Deactivating the Linux server on the Storage tab as demanded by the message does not help. The accusing message keeps reappearing anyway.
  7. Trying to delete the Linux server from the Storage tab produces a series of error messages "Backup could not be created" and "Backup Items could not be updated" repeating endlessly until I give up and click Cancel, at which point nothing has changed. (Except that all of my other jobs going to deduplication storage report their settings have changed and I should run a full backup as soon as possible.)
  8. Changing the job option mentioned above to "server side deduplication" after the fact doesn't help. The Linux server still can't be deleted from the Storage tab, and the false License Violation message remains.
  9. The only way to get rid of the Licensing Violation message is to delete the Linux server from the Backup and Restore pane. This also removes it from the Storage pane, and after the inevitable service restart the Licensing Violation message is gone, but of course so is the backup job definition.

In sum, if you enable client side deduplication on a Linux server the licensing check of Backup Exec incorrectly concludes you are using it as a Media Server and sticks with that even if you later disable it again.

Hope it helps someone.

CryptoDefense, a CryptoLocker Imitator, Earns $34,000 in One Month

Behind the success of Cryptolocker (Trojan.Cryptolocker), malware authors have been hard at work developing new Ransomcrypt Trojan type malware. One of these, with more advanced functionality, is CryptoDefense (Trojan.Cryptodefense). CryptoDefense appeared in February 2014, and according to Symantec telemetry, Symantec products have since blocked more than 11,000 unique CryptoDefense infections. Taking the Bitcoin addresses that the CryptoDefense authors set up to receive ransom payments and looking them up in the publicly available Bitcoin blockchain, we estimate that this malware earned cybercriminals $34,000 in just one month (at the Bitcoin exchange rate at the time of writing).

Imitation
"Imitation is not just the sincerest form of flattery - it's the sincerest form of learning" - George Bernard Shaw

CryptoDefense is essentially a sophisticated hybrid design that incorporates the many effective techniques earlier Ransomcrypt Trojan authors have used to extort money from victims. These techniques include using Tor and Bitcoin for anonymity, using public-key cryptography with strong RSA 2048 encryption to reliably hold files hostage, and pressure tactics such as the threat that the ransom will increase if payment is not made within a short deadline. However, the CryptoDefense authors' poor implementation of the cryptographic functionality leaves a clue on the hostage computer that points to a way out.

Infection
Symantec has observed CryptoDefense spreading through emails like the one shown in Figure 1.

Figure 1. Example of a malicious spam email

Network communication
When first executed, CryptoDefense attempts to communicate with one of the following remote sites:

  • machetesraka.com
  • markizasamvel.com
  • armianazerbaijan.com
  • allseasonsnursery.com

The initial communication contains a profile of the compromised computer. Once a reply is received from the remote site, the malware begins encryption and sends the private key back to the server. Once the remote server has confirmed receipt of the private decryption key, a screenshot of the compromised computer's desktop is uploaded to the remote site.

Ransom demand
After encrypting files, CryptoDefense creates the following ransom-demand files in every folder that contains encrypted files:

  • HOW_DECRYPT.TXT
  • HOW_DECRYPT.HTML
  • HOW_DECRYPT.URL

Figure 2. Example HOW_DECRYPT.HTML file

As Figure 2 shows, the CryptoDefense authors use the Tor network to collect the ransom. In case the victim is unfamiliar with Tor, they even provide step-by-step instructions for downloading a Tor-enabled browser and entering the address of the payment web page. Using Tor hides the location of the website and preserves the operators' anonymity, which makes the web server much harder to take down. Similar threats, such as Cryptorbit (Trojan.Nymaim.B), have used the same technique in the past.

Ransom payment
Opening the personal page named in the ransom demand in a Tor-enabled browser displays a CAPTCHA page.

Figure 3. Example CAPTCHA shown to the victim

Entering the correct CAPTCHA text opens the ransom payment page.

Figure 4. CryptoDefense ransom payment page

It is worth noting that if the demanded 500 USD/EUR is not paid within four days, the ransom doubles. When rushed by a deadline like this, victims tend not to question the cost as much when weighing their potential loss. The payment page has a [My screen] button, which shows the screenshot taken from the compromised computer's desktop and uploaded earlier, as proof that the attackers have compromised the user's system. There is also a [Test decrypt] button that lets the victim decrypt a single file, as proof that decryption is actually possible. The page even explains how to obtain Bitcoin in order to pay the ransom.

Encryption
CryptoDefense uses public-key cryptography with strong RSA 2048 encryption. This means that once files have been encrypted, the victim cannot decrypt them without the private key. In Cryptolocker's case, the private key existed only on the server controlled by the attackers, so the encryption/decryption key was entirely under the attackers' control. When we examined how CryptoDefense implements its encryption, however, we found that the attackers had overlooked one important detail: where the private key ends up being stored.

As the authors themselves state in the ransom demand, files are encrypted with an RSA-2048 key generated on the victim's computer. To do this, the key is generated using Microsoft's own cryptographic infrastructure and Windows APIs before being sent in plain text to the attackers' server. Using this method, however, means that the decryption key the attackers claim to be holding hostage actually remains on the infected computer even after it has been transferred to the attackers' server.

When Microsoft's cryptographic infrastructure is used, the private key is stored in the following location:

%UserProfile%\Application Data\Microsoft\Crypto\RSA

Because the authors' cryptographic implementation skills are poor, they have left the hostage not just a clue but literally the "key" to escape. For details of how Microsoft's cryptographic infrastructure stores keys, see Microsoft's documentation on its key storage architecture.
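The two artifacts described above, the HOW_DECRYPT.* notes dropped in every encrypted folder and the private key left behind in the user's CryptoAPI key store, are also what an incident responder would look for first. The following script is an added example, not code from the original post or from Symantec: it maps which folders hold ransom notes, takes the earliest note timestamp as the approximate start of encryption, and lists key-container files written around that time. The per-user key directory %APPDATA%\Microsoft\Crypto\RSA\<SID>\ is an assumption for Windows Vista and later (the post quotes the XP-era %UserProfile%\Application Data path), and the time window is an assumption to tune per case. The files it finds are DPAPI-protected blobs, usable only from the affected user's own logon session; the script only locates them and decrypts nothing. Since the post says the key is also sent to the server in plain text, a full packet capture of the first C2 exchange is the other place it could be recovered from.

```python
"""Triage helper for a CryptoDefense-style infection.

Added example, not Symantec's code.  It (1) finds the ransom-note files the
post lists (HOW_DECRYPT.TXT/.HTML/.URL) to map which folders were encrypted and
roughly when encryption started, and (2) lists CryptoAPI RSA key-container
files written around that time, which is where the post says the private key
is left behind.  Nothing here decrypts anything: the key files are
DPAPI-protected and only usable from the victim's own logon session.
"""
import datetime as dt
import json
import os
import sys
from pathlib import Path

# Note names taken from the post (matched case-insensitively).
RANSOM_NOTES = {"HOW_DECRYPT.TXT", "HOW_DECRYPT.HTML", "HOW_DECRYPT.URL"}

# Assumption: per-user CryptoAPI RSA key containers on Vista and later live in
# %APPDATA%\Microsoft\Crypto\RSA\<user SID>\ (the post quotes the XP-era path).
DEFAULT_KEY_DIR = Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Crypto" / "RSA"


def find_ransom_notes(root):
    """Map each folder under root that holds a ransom note to its earliest note mtime."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        stamps = [os.path.getmtime(os.path.join(dirpath, f))
                  for f in files if f.upper() in RANSOM_NOTES]
        if stamps:
            hits[dirpath] = min(stamps)
    return hits


def encryption_start(notes):
    """Earliest ransom-note timestamp across all folders, or None if no notes."""
    return min(notes.values()) if notes else None


def candidate_key_containers(key_dir, start, lead_s=300, window_s=3600):
    """Key-container files written from shortly before the first note to window_s after.

    The lead allows for key generation preceding the first encrypted file;
    both bounds are assumptions.  Walks <key_dir>/<SID>/... recursively.
    """
    if start is None:
        return []
    lo, hi = start - lead_s, start + window_s
    return sorted(str(p) for p in Path(key_dir).rglob("*")
                  if p.is_file() and lo <= p.stat().st_mtime <= hi)


def triage(root, key_dir=DEFAULT_KEY_DIR):
    """Run both checks and return a JSON-friendly summary."""
    notes = find_ransom_notes(root)
    start = encryption_start(notes)
    return {
        "encrypted_folders": sorted(notes),
        "encryption_start": dt.datetime.fromtimestamp(start).isoformat() if start else None,
        "candidate_keys": candidate_key_containers(key_dir, start),
    }


if __name__ == "__main__":
    # Usage: python triage.py [scan_root]   (defaults to the current user's profile)
    scan_root = sys.argv[1] if len(sys.argv) > 1 else str(Path.home())
    print(json.dumps(triage(scan_root), indent=2))
```

Run it from the affected user's account against the profile root (or a mounted image of it); the list of encrypted folders also gives the scope of what needs restoring from backup if no key is recovered.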

Attackers' earnings
Symantec has confirmed that the following Bitcoin addresses are used in the CryptoDefense ransom demands:

The first Bitcoin transactions at these addresses took place on February 28, 2014, which matches the date Symantec first detected a CryptoDefense sample. Based on the number of transactions received at the two Bitcoin addresses up to that point, the CryptoDefense operators earned $34,000 in just one month.

Prevalence
Symantec telemetry shows more than 11,000 unique CryptoDefense infections blocked in over 100 countries. The majority of detections are concentrated in the United States, followed by the United Kingdom, Canada, Australia, Japan, India, Italy, and the Netherlands.

Figure 5. Distribution of CryptoDefense detections

Protection
Although the two are unrelated, the similarities between CryptoDefense and Cryptolocker meant that Symantec initially detected this threat as Trojan.Cryptolocker, alongside other detections. CryptoDefense is now detected under the following definition names:

Antivirus definitions

Heuristic detection definitions

Reputation-based detection definitions

Intrusion prevention signatures

Customers using the Symantec.Cloud service are also protected from the spam messages used to spread this malware.

For the best protection, we recommend using Symantec's latest technologies, available for consumers and enterprises. To further guard against this type of threat, follow basic security best practices and always back up files, using products such as Symantec's Backup Exec family. Also keep systems up to date with the latest antivirus definitions and patches.

 



Symantec DLO 7.6 Beta Mac - Registrations Open!

Proactive Cybersecurity – Taking Control Away from Attackers

Attacks are getting bigger and bolder and this calls for a new approach to cybersecurity. Cybercriminals have broadened their scope beyond conventional computer systems and now almost every connected device can be a target. 2013 was the year of the megabreach, where we witnessed some of the biggest data breaches of all time with an estimated 800 million records exposed. Point of Sale terminals have been infected with malware in order to siphon off millions of credit card records. Attackers are even going one step further and using malicious code to steal cold hard cash. A recent piece of malware, Ploutus, allows criminals to use a mobile phone to get an ATM to spit out cash by sending a simple text message.

An increasingly connected world means that attackers have access to more routes into a corporate environment. Default passwords and known vulnerabilities on peripheral devices and Web servers can provide an easy, direct path. And it isn’t just your own security you need to worry about. Many corporations have partners, suppliers, and service providers who have some level of access to the corporate network. These are often the weak link.

Attackers can also strike straight at the heart of an organization by targeting employees with well-crafted spear phishing emails. Once inside, the attacker can traverse the network to get to the data they’re seeking. They may need elevated privileges, and they may install hacking tools to facilitate this. Once attackers have the data they want, they need to exfiltrate it, maybe using a staging server along the way.

Organizations need to accept that attackers are well resourced, skilled, and will do what it takes to infiltrate their target and acquire their data, be it financial data, customer records, or intellectual property. Corporations need to get ahead of the attacker and embrace Proactive Cybersecurity.

What is Proactive Cybersecurity?
We know that attacks are multi-staged and persistent, but at each stage of a campaign the attackers leave traces of their presence. It might be a dropped file, hacking tools, a failed login, or a connection to an unknown FTP server. Proactive Cybersecurity takes these indicators of compromise and develops actionable intelligence so that you can learn to recognize attempted attacks and block them before attackers gain a foothold in your network. Proactive Cybersecurity puts you firmly in control of your network security.

To learn more about Symantec’s Proactive Cybersecurity solutions, join us at Symantec Vision.

Exposed and vulnerable in a post-XP support world

Microsoft’s decision to switch off all support for Windows XP, some dozen years after it first made its entrance, is a momentous one. Those who have doggedly stuck by this much-loved operating system, failing to be enticed into the arms of Vista, Windows 7 and Windows 8, will receive no further free updates or security patches (as of April 8, 2014).

Lots of software goes down the end-of-life path, of course, and disappears into the mists, to be replaced by the latest updates. But, to paraphrase a major retailer’s advertising slogan, ‘This is no ordinary software. This is XP software’ – an OS that, by latest calculations, is still run by something like a quarter to one-third of desktops globally. And waiting in the dark corners for the plug to be pulled have been the cyber criminals, ready to leap in and exploit the situation. In fact, they are thought to have been planning their post-support XP attacks for some time, targeting vulnerabilities that are already known to them, but not yet exploited.

Symantec has pledged to continue to support Windows XP systems for the foreseeable future, but we strongly recommend that enterprises still using Windows XP upgrade to a more current operating system as soon as possible and protect it with a robust security solution. Because it isn’t just desktop users that should be bracing themselves for a backlash. In the age of industrial IT (bespoke systems) and the ‘Internet of Things’ (eg, kiosks), Windows XP and XP Embedded are to be found everywhere. For example, many of the world's cash machines are thought to be still running Windows XP (Reuters reports it is still running on 95% of ATMs worldwide), while the OS is at the heart of countless industrial control systems (ICS). Moreover, many of these systems are critical – for instance, part of a manufacturing plant (eg, a robot control system) – and cannot be touched with updates anyway. So, even if the underlying operating system were supported and had a patch available, the chances are that the organisation wouldn’t be able to perform the update for extended periods of time.

Against this backdrop, how can organisations keep themselves safe? One favoured means of protecting against potential vulnerabilities is to rely on either a ‘denylist’ or an ‘allow list’ approach. With the former, you put together a list of all the perceived ‘negative’ or ‘bad’ conditions that might arise and then block anything on that list. With an allow list, you compile a list of all the good conditions and then verify that the input received and the behaviour of the system comply with it.

Which to use? It’s very much a matter of horses for courses. Indeed, they have very different use cases and advantages, depending on circumstance. Deny-listing is a really suitable method to protect highly mobile and fluid environments, such as laptops that run browsers and download plug-ins. Here we are looking at traditional malware detection, combined with some highly modern techniques, such as reputation filtering and behavioural analysis, that are extremely effective at blocking known and ‘zero day’ type attacks.

However, this is not ideal for critical systems that cannot be kept up to date with new signature files. In that situation, where a system has a fixed function and updates do not take place on a regular basis, such as a domain name server or a cash machine with a very simple job, why not lock that function down? It is here that allow-listing comes very much into its own.

All well and good, but, in the world of ICS, the challenges are even greater. Take an ATM, for example. It was most likely designed five years ago, with its software and control system shipped three years after that. There are only two years of its OS life left, yet it may be out in the field for another three years. Once there, all bets are off. It may have a vulnerability, but, being a control system, it isn’t acceptable for it to be taken out of service, so such systems are often left untouched and at the mercy of exploitation, especially where a patch is no longer available. Similarly, if you are designing a multimedia system for a car, the lead time might be 10 years, and much of that Internet-connected technology might be vulnerable to attack by the time it is out on the road.

The same applies to a vast range of other equipment, such as medical devices. A CAT scanner, for example, is highly vulnerable to attack, as it will be attached to the network. You may seek to introduce critical system protection retrospectively, but that might invalidate any warranty. And the solution? Well, you can do nothing and keep your fingers crossed, or go to the software manufacturer and buy a special support package for end-of-life systems, but that can be astronomically expensive.

The most effective – and cheapest – way to stay secure from attack is to be as far left of the incident as possible from the outset, by making sure security is embedded into the very core of the design process and locking that down. You can’t account for everything, but you can dramatically reduce the risk. You also need to look at the supply chain, as that is an easy way in for cyber criminals, where perhaps a critical piece of security is eliminated, compromising the final product.

So, as we say our goodbyes to Windows XP support, it’s worth remembering that this is but one of a multitude of vulnerabilities out there in the field and that, for any organisation, staying safe is also very much about change management – and protecting the organisation from itself.

Connect Dev Notes: 04 April 2014

Updates deployed to the Connect production servers as a result of the code sprint that ended 01 April 2014.

User Facing: Desktop

  • Fixed an issue that was causing unauthenticated users to see an incorrect vote count on posts because pages with votes were not being cleared from the Akamai caches when a vote was cast.
  • Fixed an issue in post-by-email groups that was sending email notifications to users who were not group members.
  • Gave group administrators the ability to restrict posting across groups. If a group admin enables the "disable cross posting" feature for Group A, users will not be allowed to submit a post to Group A and Group B. When a user attempts to post to a restricted group and any other group(s), they will be asked to choose which group(s) the post should be removed from.
  • Modified our voting code and some other snippets to handle database save requests from anonymous users; since we've started allowing anonymous users to perform certain tasks like cast votes.

Resetting the admin password on a DC

Hello all,

Recently I forgot the domain admin password for my lab, and was looking at a possible rebuild of the Domain Controller as a worst-case-scenario.

Luckily, I found the following blog today which had me up-and-running again within minutes:

http://blogs.technet.com/b/meacoex/archive/2011/08...

 

You basically do the following:

1.  Boot to installation media.

2.  Go to the repair option and choose the command window function.

3.  Change to the DC's system32 directory and perform the following two actions:

4.  copy Utilman.exe Utilman.exe.bak

5.  move Cmd.exe Utilman.exe

6.  Reboot.

7.  Windowskey+U or press the accessibility icon.

8.  A Utilman command window will open.

9.  net user administrator password

10.  Reboot and confirm login now works.

11.  Go through steps 1, 2 & 3.

12.  ren Utilman.exe Cmd.exe

13.  ren Utilman.exe.bak Utilman.exe

14.  Reboot and BAU baby.  :-)
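The swap above works because the logon screen launches whatever sits at System32\Utilman.exe as SYSTEM before anyone has authenticated. That is also why the same procedure is a standard physical-access attack and not only a recovery trick: anyone who can boot a domain controller from their own media can do steps 1 to 9 without knowing any password, unless the system volume is encrypted (for example with BitLocker) and the firmware boot order is locked. Steps 11 to 13 matter for the same reason, since a forgotten restore leaves a permanent unauthenticated SYSTEM shell on the logon screen. The script below is an added example, not from the original post, that an administrator can run to check for that leftover: it hashes the accessibility helpers in System32 against cmd.exe, reports any Image File Execution Options "Debugger" entry for the same names (a registry variant of the same technique that leaves the file untouched), and lists stray .bak/.old copies. The set of helper names is an assumption (the post only mentions Utilman.exe), and the registry check runs only on Windows.

```python
"""Check for accessibility-helper swaps such as the Utilman.exe trick above.

Added example, not from the original post.  A helper in System32 whose bytes
match cmd.exe has been replaced with a command prompt; an IFEO "Debugger"
value for the same name achieves the same effect without touching the file.
"""
import hashlib
import os
import sys
from pathlib import Path

# Assumption: the usual accessibility helpers reachable from the logon screen.
ACCESSIBILITY_HELPERS = ["Utilman.exe", "sethc.exe", "osk.exe", "Narrator.exe",
                         "Magnify.exe", "DisplaySwitch.exe"]
IFEO_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"


def sha256_of(path):
    """SHA-256 hex digest of a file, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def swapped_helpers(system32, helpers=ACCESSIBILITY_HELPERS):
    """Names of helpers whose contents are byte-identical to cmd.exe in the same directory."""
    system32 = Path(system32)
    cmd_hash = sha256_of(system32 / "cmd.exe")
    return [name for name in helpers
            if (system32 / name).is_file() and sha256_of(system32 / name) == cmd_hash]


def leftover_backups(system32):
    """Files like Utilman.exe.bak left behind when the restore steps are skipped."""
    return sorted(p.name for p in Path(system32).iterdir()
                  if p.is_file() and p.suffix.lower() in (".bak", ".old")
                  and p.stem.lower().endswith(".exe"))


def ifeo_debuggers(helpers=ACCESSIBILITY_HELPERS):
    """{helper: debugger command} for IFEO Debugger entries; empty off Windows."""
    if sys.platform != "win32":
        return {}
    import winreg
    found = {}
    for name in helpers:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFEO_KEY + "\\" + name) as key:
                found[name] = winreg.QueryValueEx(key, "Debugger")[0]
        except OSError:  # key or value absent: nothing hijacked for this name
            pass
    return found


def audit(system32=None):
    """Run all three checks against System32 (default: %SystemRoot%\\System32)."""
    if system32 is None:
        system32 = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32"
    system32 = Path(system32)
    return {
        "swapped": swapped_helpers(system32),
        "backups": leftover_backups(system32),
        "ifeo_debuggers": ifeo_debuggers(),
    }


if __name__ == "__main__":
    # Usage: python check_utilman.py [path-to-System32]; exit status 1 if anything is found.
    result = audit(sys.argv[1] if len(sys.argv) > 1 else None)
    print(result)
    sys.exit(1 if any(result.values()) else 0)
```

A clean host returns an empty list for every key; running it against a mounted offline copy of the system volume works for the two file checks, while the registry check needs the live machine.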
