Channel: Symantec Connect - Blog Entries

If dmp work with powerpath , suggest turn off dmp_monitor_osevent


Per the engineer's suggestion: if DMP works together with PowerPath, we suggest turning off dmp_monitor_osevent. This suggestion also works for 6.0.1 and 6.0.3.


Latest Symantec Endpoint Protection Release - SEP 12 RU4 MP1 (12.1.4100.4126)


Hello Everyone,

Symantec Endpoint Protection 12 RU4 MP1 is released.

This build's version is: 12.1.4100.4126

What's new in this release:

Extended upgrade support

  • Unlike most maintenance patch releases, you can upgrade any version of Symantec Endpoint Protection directly to 12.1.4.1. Unsupported downgrade paths still apply.

Expanded operating system support

  • The Symantec Endpoint Protection (SEP) client is now supported on Windows To Go (Windows 8.1 Enterprise).
  • Symantec Endpoint Protection Manager (SEPM), the SEP client, and the Symantec Network Access Control client are now supported on Windows 8.1 Update 1.
  • SEPM, the SEP client, and the Symantec Network Access Control client are now supported on Windows Server 2012 R2 Update 1

Note: If you do not see the SEP 12 RU4 MP1 release on FlexNet, it should appear on your FileConnect account in the coming few days.

You may find the Latest Release of Symantec Endpoint Protection 12 RU4 MP1 at: https://symantec.flexnetoperations.com/control/symc/registeranonymouslicensetoken

Product Related Articles:

Title: Upgrading or migrating to Symantec Endpoint Protection 12.1.4.1 (RU4 MP1)
Document ID: TECH216176
Article URL: http://www.symantec.com/docs/TECH216176  

Title: New fixes and features in Symantec Endpoint Protection 12.1.4.1 (RU4 MP1)
Document ID: TECH216262
Article URL: http://www.symantec.com/docs/TECH216262

Title: Symantec Endpoint Protection, Symantec Endpoint Protection Small Business Edition, and Symantec Network Access Control 12.1.4.1 Release Notes/What’s New
Document ID: DOC7313
Article URL: http://www.symantec.com/docs/DOC7313

Title: System Requirements for Symantec Endpoint Protection, Enterprise and Small Business Editions, and Network Access Control 12.1.4
Document ID: TECH216260
Article URL: http://www.symantec.com/docs/TECH216260

Financial Trojans’ Persistent Attacks on the Japanese Internet Community


In recent years, the Japanese Internet community has faced difficult times trying to combat financial Trojans such as SpyEye (Trojan.Spyeye) and Zeus (Trojan.Zbot). The number of victims affected and the amount of funds withdrawn from bank accounts due to compromises is increasing at an alarming rate. Just to give you an idea, according to the Japanese National Police Agency, the number of reported illegal Internet banking withdrawals jumped from 64 incidents in 2012 to 1,315 incidents in 2013. The loss in savings amounted to approximately 1.4 billion yen (US$ 14 million) in 2013, up from 48 million yen (US$ 480,000) in 2012.

More recently, the nation has also discovered that multiple malware families dedicated to stealing banking details from Japanese users are being developed. Recently, we have seen the development of  Infostealer.Ayufos, Infostealer.Torpplar, as well as Infostealer.Bankeiya. Today, we are going to take a closer look at Infostealer.Bankeiya.

We became interested in this Trojan when we observed a widespread attack exploiting the Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2014-0322) in February, which we published a blog on. At the time, there was no patch available for the vulnerability, which left users of Internet Explorer 9 and 10 unprotected. The Infostealer.Bankeiya developer decided to take advantage of the situation and compromised various legitimate websites in order to perform drive-by-download attacks. Even after the patch was released on March 11, the aggressive attacks continued. These legitimate sites include commonly visited websites such as a Japanese tour provider, a TV channel site, and a lottery site, as well as a handful of small sites including online shops, community websites, and personal websites, among others.

After further investigating the malware, we noticed that this was not a new family of malware. The very first variant was actually discovered in October 2013 and a large number of variants have been observed since. The sole purpose of Infostealer.Bankeiya is to steal banking details from compromised computers. Besides the Internet Explorer vulnerability, we have also confirmed that the Oracle Java SE Remote Code Execution Vulnerability (CVE-2013-2463) is being exploited to infect systems with Infostealer.Bankeiya. Other vulnerabilities could also be exploited.

A typical Infostealer.Bankeiya attack works like this:

  1. The attacker compromises a legitimate website to host exploit code on the site in order to infect visitors’ computers.
  2. If someone with a computer vulnerable to the exploit visits the site, the system becomes infected with Infostealer.Bankeiya.
  3. The malware uploads details about the compromised computer including the IP address, MAC address, OS version, and the name of the security software installed.
  4. The malware downloads encrypted configuration data which specifies the location of its updated version from either:
    1. A profile on a blog page solely created to host the encrypted data
    2. A specified URL on a compromised website
  5. If an update is found, the malware will download the new version and replace itself with it. This version may contain information about the location of a new command-and-control (C&C) server.
  6. If a victim logs onto the targeted bank’s online site, the malware will display a fake pop-up window in order to trick the victim into entering banking details.
  7. The banking details entered by the victim will be sent to the C&C server and stored for the attacker to retrieve.

Figure 1. Login page for Infostealer.Bankeiya command-and-control server

Symantec sinkholed known C&C servers to prevent the malware on the compromised computers from transmitting any further data to the attacker. We also monitored the servers by logging the accesses made by the victims’ computers in order to estimate how successful the attacks had been. We did this for a week in mid-March and the results indicate that up to 20,000 computers could have been compromised. A majority of accesses were coming from Japanese IP addresses. This is not surprising, but the sheer volume is a bit alarming. Please note that the following figure is based on the number of devices on the Internet accessing the servers and some devices were removed because they were non-infected systems.
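To make the sinkhole monitoring described above concrete, here is an added example (not Symantec's code, and not taken from the original post) that parses constructed sinkhole access-log lines, drops requests that do not look like implant check-ins, de-duplicates by source IP and tallies the remaining devices per country. The log format, the beacon path /checkin, the GeoIP table over documentation address ranges and the exclusion rules are all assumptions made for the example; the real implant path and the criteria Symantec used to remove non-infected systems are not given in the post.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Placeholder beacon path: the post does not give the implant's real request path.
CHECKIN_PATH = "/checkin"

# Constructed GeoIP table over documentation ranges; a real analysis would use a GeoIP database.
GEO_TABLE = {
    ip_network("203.0.113.0/24"): "JP",
    ip_network("198.51.100.0/24"): "HK",
    ip_network("192.0.2.0/24"): "US",
}

# User-agent fragments treated as crawlers, scanners or manual probes rather than victims (assumption).
NON_VICTIM_UA = ("googlebot", "bingbot", "curl/", "wget/", "python-requests", "nmap")

# Constructed sample sinkhole log: "<ip> <timestamp> <method> <path> <user-agent>".
SAMPLE_LOG = """\
203.0.113.10 2014-03-12T01:00:03Z GET /checkin Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
203.0.113.10 2014-03-12T01:05:03Z GET /checkin Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
203.0.113.77 2014-03-12T02:10:44Z GET /checkin Mozilla/4.0 (compatible; MSIE 10.0; Windows NT 6.2)
203.0.113.40 2014-03-12T02:45:09Z GET /checkin Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
198.51.100.5 2014-03-12T03:00:00Z GET /checkin Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
198.51.100.9 2014-03-12T03:00:01Z GET /robots.txt Mozilla/5.0 (compatible; Googlebot/2.1)
192.0.2.200 2014-03-12T04:30:00Z GET /checkin curl/7.35.0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, ts, method, path, ua = m.groups()
    return {"ip": ip, "ts": ts, "method": method, "path": path, "ua": ua}


def country_of(ip):
    """Map an address to a country code using the constructed prefix table."""
    addr = ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"


def looks_infected(rec):
    """Keep only requests that look like implant check-ins: the beacon path and a
    user-agent that is not a known crawler or command-line tool."""
    if rec["path"] != CHECKIN_PATH:
        return False
    ua = rec["ua"].lower()
    return not any(tag in ua for tag in NON_VICTIM_UA)


def summarize(log_text):
    """Count distinct likely-infected devices (one per source IP; NAT can hide more)
    and break them down by country."""
    victims = {}
    excluded = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if not looks_infected(rec):
            excluded += 1
            continue
        victims.setdefault(rec["ip"], rec)
    by_country = Counter(country_of(ip) for ip in victims)
    return {
        "unique_devices": len(victims),
        "by_country": dict(by_country),
        "excluded_requests": excluded,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Counting one device per source address is the same approximation the post makes when it speaks of "devices on the Internet accessing the servers"; corporate NAT will undercount, and repeated check-ins from one host must not be counted twice, which is why the first record per IP is kept.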

Figure 2. Devices accessing the command-and-control servers

According to the sinkhole data, the second largest number of hits came from Hong Kong. This is also in line with the figure we provided in our previous blog about computers targeted with the CVE-2014-0322 exploit code. There is a reason for this. During our investigation we also noticed a connection with another type of attack that uses files to mine for bitcoins. One particular attack targeted users visiting a compromised forum site in Hong Kong. In this case, the CVE-2014-0322 exploit code was used to download and execute bitcoin miner software called jhProtominer on the victim’s computer in order to abuse the computer’s hardware to mine for the virtual coin. The attacker appears to be motivated enough to target different audiences across borders and is looking for any type of opportunity to make a profit.

Many malware infections occur as a result of visiting legitimate sites that have been compromised. It is vital that all software products are frequently updated so that the most recent patches are applied. In some cases, a patch will not be available, as was the case for one of the vulnerabilities used by Infostealer.Bankeiya. Security software can be used to strengthen the computer’s security status in such cases. So we urge you to install security software and keep it up-to-date. By following these recommendations, most infections can be prevented.

Proactive Cyber Security: Staying One Step Ahead of Attackers

Cyber attacks are growing larger and bolder, so security measures need a new approach. Cyber criminals have widened their targets beyond traditional computer systems; today almost any Internet-connected device can become a target. 2013 was the year of the large-scale data breach, including the largest breach in history, in which an estimated 500 million records were exposed. Point-of-sale (POS) terminals were infected with malware and millions of credit card records were stolen. Attacks have gone a step further, using malicious code to steal cash: the recently identified Ploutus can even withdraw cash from an ATM using a mobile phone, by sending a simple SMS message.

More Internet-connected devices means more routes by which attackers can break into a corporate environment. Peripheral devices and web servers left with default passwords or known unpatched vulnerabilities are easily broken into. And the headaches are not limited to internal security. Many companies do business with partners, suppliers and service providers, and those counterparties sometimes have some level of access to the corporate network. That access can itself become an intrusion path.

Other attackers target employees with well-crafted spear-phishing emails, striking directly at the heart of the organisation. Once inside, the attacker can move laterally across the network to reach the data they are after. They may seek to escalate privileges, or install hacking tools to make the attack easier. Once they have the data they want, the next step is to exfiltrate it covertly, possibly via a staging server.

Organisations must recognise that attackers are well resourced and highly skilled. Whether they are after financial data, customer data or intellectual property, attackers will use every means available to break into their target and obtain it. To get ahead of such attackers, organisations need to adopt proactive cyber security.

What is proactive cyber security?
We know that attacks are persistent and unfold in several stages, and at each stage the attacker leaves some trace: dropped files, hacking tools, records of failed logins, or connection records to an unknown FTP server. Proactive cyber security uses these traces of intrusion to build actionable intelligence, learning to detect and block attack attempts before the attacker actually establishes a foothold in the network. Adopting proactive cyber security puts you firmly in control of your network security.

If you are interested in Symantec's proactive cyber security solutions, please join us at Symantec Vision.

* To subscribe to the RSS feed of the Japanese-language Security Response blog, go to http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

SQL Query to show the CMDB Data Classes and associated SQL Tables


select distinct vi.Name as [Data Class]
      ,dc.DataTableName as [SQL table]
      ,dc.MultiRow
      ,p.Name as Solution
      ,p.Description
from ResourceUpdateSummary rs
-- data class name
join vItem vi on vi.Guid = rs.InventoryClassGuid
-- solution table
join vProduct p on p.Guid = vi.ProductGuid
-- SQL tables
join DataClass dc on dc.Guid = rs.InventoryClassGuid
order by p.Name, vi.Name

 


Resolving a problem with Changing Installed Features in Symantec Endpoint Protection 12.x


If you have issues with changing the Installed Feature Set, ensure you disable the Uninstall Password option before deploying the Installation Package to the target group.

How to Convert VMDK to VHD Virtual Disk Image


2Tware Convert VHD is a tool that converts VMware’s VMDK virtual disk images to Microsoft’s VHD format. Its other great feature is that it also lets you convert existing physical computers into virtual machines, which is known as a P2V conversion. Once a physical computer has been converted into a VMDK disk, you can test any new software and system configurations without making any changes to your physical machine.

 


License : Free

Link : 2Tware Convert VHD

Dare2BDigital: Symantec Inspires Girls to Pursue Careers in Technology


For the fourth consecutive year, Symantec sponsored and partnered in the Dare2BDigital conference as a part of its Corporate Responsibility and Diversity initiative. The objective of the event was to provide 7th-10th graders an opportunity to discover the creative and exciting careers that await them in computer science and engineering.


At this year's conference, 200 teenaged girls explored careers in science and technology at this unique collaboration between technology companies, educators, parents and community organizations. The conference met its objective, as the survey results revealed that 99 percent of young women attendees felt that the conference maintained (17 percent) or increased (82 percent) their interest in fields that use technology.

Participating in conferences such as Dare2B Digital reiterates Symantec's commitment to building a long-term pipeline of technical women to meet the needs of tomorrow. I want to thank all of our volunteers from the Symantec Women's Action Network and facilitators who volunteered their personal time on the weekend in making this event happen. You have made a difference!

Catch the Phish and Digital Drama

 
 

For the first time, Symantec hosted a student workshop, called Catch the Phish and Digital Drama, which was developed by Marian Merritt, Symantec Director of Cyber Security Partnerships and led by Shu Zhang, Senior Manager, IT from Symantec. Using games, videos and group discussions, Shu and 12 Symantec volunteers taught girls how to avoid common Internet problems. Girls collaborated to spot treacherous e-mail scams known as phishing attacks. Using clips from teen-discussion groups and television, the girls discussed the concept of "digital drama" and the role gender can play in their online activities.

The Symantec workshop was very well received by the students, as 92 percent thought the Catch the Phish and Digital Drama workshop was "great" or "good." Participants said it was "very interesting and interactive" and "the videos were cool and learning about phishing was interesting." They also said it offered "interesting perspectives and valuable tips."

"I feel I learned from the girls more than I taught," Zhang said. "I learned many social networking apps and stories that I have never heard before. I was very inspired how strong, mature, independent and compassionate they are. It was a very satisfying volunteering event indeed."

Kids weren't the only ones who had the opportunity to attend workshops. Nehal Mehta, Symantec Director, Strategic Alliances, was MC for the parent track, while May Mitchell, Symantec Vice President, North America Marketing, spoke on building trust in the digital age, a topic that focused on how to keep your family safe online. Mitchell covered how to create a positive digital footprint, protect your privacy and money, protect yourself from bullies and predators, and protect yourself from yourself. Other sessions focused on ways to encourage women to move into the technology field and tackling the costs of college.

"The Symantec employees who volunteered not only contributed but learnt a lot in the process," said Priya Rangaiah, Symantec Senior Principal SQA Engineer and a volunteer at the event. "This was indeed a very inspiring conference -- it allowed Symantec and volunteers to make a difference. What a great opportunity to share career journeys and inspire the next generation!"

 

Charmy Ruparel is Symantec's Global Diversity Program Manager.


Twitter Spam: Compromised Accounts and Websites Lead to Diet Spam


Earlier this week, a large number of Twitter accounts were compromised and used by spammers to spread “miracle diet” spam. The compromised accounts included public figures, as well as average users of the social networking service.

Figure 1. Twitter miracle diet spam

Déjà vu
Diet spam is quite common and can be found on various social networking sites, and Twitter is no stranger to this problem. Over the years, we’ve seen many different campaigns try to capitalize on the latest miracle diet craze. In this particular case, spammers are trying to peddle garcinia cambogia extract through a page designed to look identical to the real Women’s Health website.

Figure 2. Fake promotional page used by spammers in this campaign

Notable accounts compromised
In the latest spam campaign, accounts belonging to athletes, politicians, television producers, bloggers, comedians and other public figures were compromised, which extended the spammers’ reach exponentially to hundreds of thousands of followers.

Figure 3. Compromised accounts of two public figures

Many of the tweets contained messages saying “I couldn’t believe it when I lost 6 lbs!” and “I was skeptical, but I really lost weight!” followed by a URL shortened using Bitly.com.
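The tweet pattern just described (a stock "lost weight" line followed by a Bitly link) is a simple detection signal for an abuse or trust-and-safety team. The following is an added example, not code from Symantec or from Twitter, that flags tweets matching both the campaign phrases quoted above and a shortener host, then groups hits by account and sums the follower counts of the flagged accounts to estimate reach. The handles, follower counts and link paths are constructed placeholders.

```python
import re
from collections import Counter

# Phrases quoted in the post; matched case-insensitively after apostrophe normalisation.
CAMPAIGN_PHRASES = ("couldn't believe it when i lost", "i really lost weight")
# Shortener hosts to flag; the campaign used Bitly.
SHORTENER_HOSTS = ("bit.ly", "bitly.com")

URL_HOST_RE = re.compile(r"https?://([^\s/?#]+)", re.IGNORECASE)


def normalise(text):
    # Typographic apostrophes (as in "couldn’t") become plain ones so the phrase list matches.
    return text.replace("\u2019", "'").lower()


def is_campaign_tweet(text):
    """True when a tweet carries one of the campaign phrases AND a link on a shortener host."""
    has_phrase = any(p in normalise(text) for p in CAMPAIGN_PHRASES)
    hosts = [h.lower() for h in URL_HOST_RE.findall(text)]
    has_short = any(h in SHORTENER_HOSTS for h in hosts)
    return has_phrase and has_short


def triage(tweets):
    """tweets: iterable of (account, follower_count, text).
    Returns flagged-tweet counts per account and the combined follower reach of flagged accounts."""
    per_account = Counter()
    reach = {}
    for account, followers, text in tweets:
        if is_campaign_tweet(text):
            per_account[account] += 1
            reach[account] = followers
    return {"flagged_per_account": dict(per_account), "reach": sum(reach.values())}


# Constructed sample tweets; handles and links are placeholders, not real accounts.
SAMPLE_TWEETS = [
    ("athlete_a", 250_000, "I couldn’t believe it when I lost 6 lbs! http://bit.ly/EXAMPLE1"),
    ("athlete_a", 250_000, "Great game tonight, thanks for the support!"),
    ("comedian_b", 80_000, "I was skeptical, but I really lost weight! http://bitly.com/EXAMPLE2"),
    ("runner_c", 120, "I really lost weight after marathon training, no pills needed"),
    ("user_d", 300, "check this out http://bit.ly/EXAMPLE3"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_TWEETS))
```

Requiring both the phrase and the shortener link keeps a genuine "I really lost weight" tweet from a marathon runner out of the results; a production rule would additionally expand the short link and compare the landing page against the known fake promotional pages.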

Celebrities and public figures are often sought after to help endorse products. One of the compromised accounts included Jamie Eason, known simply as the World’s Fittest Model. By compromising accounts like Jamie’s, spammers increase their odds of convincing someone to click on their links and perhaps even purchase the diet product.

While some of these notable figures simply removed the spam tweets, others were transparent enough to admit that their accounts were compromised:

Compromised websites
What makes this particular spam campaign stand out from others we’ve seen in the past is that the spammers have compromised a large number of websites that are being used to redirect people to their miracle diet promotional pages.

Figure 4. Compromised website running an unsupported version of Joomla

The compromised websites we found are running older versions of the content management system Joomla, specifically version 1.5, which stopped receiving support from the developers back in September 2012.
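A site owner can check for exactly this condition from the page source, because Joomla announces its version in a generator meta tag. Here is an added example (not from Symantec or the Joomla project) that extracts the generator tag from constructed HTML and looks the branch up in an end-of-support table; the only entry in that table is the one the post states, Joomla 1.5 with support ended in September 2012, and the sample pages are constructed. The check is a hint rather than proof: a generator tag can be removed or edited, and absence of an entry in the table says nothing about whether a branch is still supported.

```python
import re
from html.parser import HTMLParser

# End-of-support table; the one entry is the fact stated in the post.
UNSUPPORTED_BRANCHES = {"1.5": "September 2012"}

JOOMLA_RE = re.compile(r"Joomla!?\s*(\d+\.\d+)", re.IGNORECASE)


class _GeneratorFinder(HTMLParser):
    """Collect the content of the first <meta name="generator"> tag, whatever the attribute order."""

    def __init__(self):
        super().__init__()
        self.generator = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta" or self.generator is not None:
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() == "generator":
            self.generator = a.get("content", "")


def find_generator(html):
    p = _GeneratorFinder()
    p.feed(html)
    return p.generator


def assess(html):
    """Return the generator string, the Joomla branch if any, and the end-of-support date if known."""
    gen = find_generator(html)
    result = {"generator": gen, "cms": None, "branch": None, "unsupported_since": None}
    if not gen:
        return result
    m = JOOMLA_RE.search(gen)
    if not m:
        return result
    result["cms"] = "Joomla"
    result["branch"] = m.group(1)
    result["unsupported_since"] = UNSUPPORTED_BRANCHES.get(m.group(1))
    return result


# Constructed sample pages.
SAMPLE_JOOMLA15 = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="Joomla! 1.5 - Open Source Content Management" />
<title>Constructed sample page</title>
</head><body><p>Welcome</p></body></html>"""

SAMPLE_NO_META = "<html><head><title>No generator tag</title></head><body></body></html>"

if __name__ == "__main__":
    print(assess(SAMPLE_JOOMLA15))
    print(assess(SAMPLE_NO_META))
```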

Figure 5. Spam link reveals vulnerable Joomla extension

It would also appear that the spammers have targeted a vulnerability within the jNews Joomla extension. We have reached out to a number of the sites to inform them that they have been compromised.

Connection to Pinterest spam
Last week, TechCrunch published an article about spam on Pinterest. One of their co-editor’s accounts was compromised and used to pin weight loss photos. Based on our research, the image descriptions and compromised sites acting as redirects are like the ones used in the Twitter campaign, so we believe that both campaigns are connected to the same spammers.

Figure 6. TechCrunch co-editor’s compromised Pinterest account

Conclusion
Diet spam is here to stay and social networks remain the perfect place for spammers to try to make money off of unsuspecting users. While it is still unclear how the spammers compromised these Twitter accounts, Symantec Security Response advises users to follow these steps to secure their accounts. For website owners, consider using the most recent version of your content management system, apply all security patches, update your extensions, and review the directory permissions on your Web servers.

We are continuing to monitor this campaign and have reached out to both Twitter and Bitly to provide assistance.

Applying for an SSL certificate? Do your homework first!


If you need an SSL certificate to protect your website or some other business-critical application such as email or storage systems, then you need to remember your ABCDs.

A is for the Appropriate certificate

There are a few different types of SSL certificate out there for different applications. For example, there are Unified Communications Certs (UCC) and code signing certificates. But the most common type is designed to secure a website, authenticate it and encrypt the traffic between the site and the user.

Within this group there are SSL Wildcard certificates that are ideal if you want to protect multiple subdomains of the same address, for example if you had multiple sites for different languages such as uk.company.com and us.company.com.
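Whether a wildcard certificate actually covers a given host is worth checking before you buy one, because the wildcard matches exactly one label. The function below is an added example (not Symantec's code) implementing the matching rules browsers apply, in the style of RFC 6125: comparison is case-insensitive, the wildcard must be the whole left-most label, and it covers uk.company.com but neither company.com itself nor a.b.company.com. The host names are the ones used in the text above plus constructed variants.

```python
def hostname_matches(pattern, hostname):
    """Return True if certificate name `pattern` covers `hostname`.

    Rules applied (RFC 6125 style, as browsers do):
      * case-insensitive comparison, trailing dots ignored
      * a wildcard must be the entire left-most label ("*.company.com");
        partial wildcards such as "u*.company.com" are rejected
      * the wildcard matches exactly one label, so it does not cover the
        bare domain or deeper sub-subdomains
      * a wildcard needs at least two labels after it ("*.com" is rejected)
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]) or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:] and h_labels[0] != ""


def covering_names(san_list, hostname):
    """Which names on a certificate (CN/SAN entries) cover the host you want to protect."""
    return [name for name in san_list if hostname_matches(name, hostname)]


if __name__ == "__main__":
    # Constructed certificate name list.
    names = ["company.com", "*.company.com"]
    for host in ["uk.company.com", "us.company.com", "company.com", "a.b.company.com"]:
        print(host, "->", covering_names(names, host))
```

The practical consequence is the one the text hints at: if you also want the bare domain covered, a wildcard certificate alone is not enough, and the bare name has to be listed as a separate SAN entry.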

For other certificates, you have a choice of Extended Validation certificates which give site visitors visible reassurance about the provenance of the site and regular certificates. Within the Symantec SSL portfolio, there are different levels of encryption, different types of the encryption algorithm and security but they all include daily website malware scanning and Symantec Seal-in-Search.

More information about Symantec SSL certificates.

B is for Best support

Before you buy a certificate, it’s important to check that you’ll get the support you need. Sometimes even the most proficient IT managers need help with a particularly complex certificate problem. With Symantec, you’ve got multi-language 24/7/365 support on tap.

C is for Certificate Authority

Not all SSL is the same because not all CAs are the same. Founded as VeriSign in 1995, we support the world’s largest and most critical certificate deployments. Our validation services process on average over four and a half billion hits per day – with zero downtime in more than ten years. This is why 97 of the world's 100 largest financial institutions and 75 percent of the 500 biggest e-commerce sites in North America use SSL Certificates from Symantec.

D is for Documentation

Before you request a certificate, especially an Extended Validation (EV) certificate, it helps to have all your documentation ready. You’ll need to authenticate your organisation, prove you have authority to request a certificate, authenticate your domain and, in some cases, verify the organisation with additional documentation.

The more you know, the better prepared you can be to enrol and install your certificate. Read on to find out how SSL and using the Norton Secured Seal on your site can help you succeed online.

For SSL download our interactive SSL resource, ‘SSL Explained’ now.

SQL Query for the Backup Exec catalog filename checking.


I want to share the following simple tip.
It queries the Backup Exec SQL database (BEDB) to check the file names of the catalog.
This information is not directly supported by Symantec.
In addition, this feature is not available directly from Backup Exec.
Symantec is not responsible for any issue caused by using it either.

 

select cr.MachineName,
       cr.ResourceName,
       ci.HistoryFileName,
       ci.ImageName,
       cm.MediaName,
       ci.EngineName,
       cf.MediaID,
       ci.ImageNumber,
       cm.CartridgeLabel,
       cm.MediaType,
       cm.Location,
       cm.RelativeLocation,
       cm.CreationDateTime,
       ci.NumBytes
      
from CatImage ci join CatResource cr on cr.ResourceID = ci.ResourceID
   join CatFragment cf on cf.ImageID = ci.ImageID
   join CatMedia cm on cm.MediaID = cf.MediaID
   
where cr.MachineName like '%HOSTNAME%'

order by ci.HistoryFileName, cr.ResourceName

 

 

The result is as follows.
(In this example, the query searched for the host name VCENTER.)


This can also be used when you want to keep the catalog data together with backup data that has been duplicated to tape media for DR, or for long-term retention of a specific host.
Some of the columns in the output may not be needed.
The purpose of this query is to extract the file names in the catalog.
To run it, you may need to install Microsoft SQL Server Management Studio additionally.
A SQL Server 2005 or later management console is required, because BE 2010 and BE 2012 use SQL Server 2005 Express Edition.
You can also use the ScanFS utility to work with the files more easily (for example, to copy or move multiple files at once).
(The ScanFS utility can be found via a Google search.)

Some data processing is needed after running the SQL query.

 

  1. Copy the contents of the HistoryFileName field.
  2. Paste them into a text editor such as Notepad or WordPad.
  3. Use the Replace (Ctrl+H) function to change ‘.fh’ to ‘.xml’.
  4. Paste the copied contents once more below the replaced ones.
  5. Copy all of the contents.
  6. Run ScanFS (a shareware utility) and paste all of the copied contents into its ‘Define search criteria’ window.
  7. Set the Directory field to the catalog location to search.
  8. Click Disk Search.
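The query above and the copy-and-replace steps that follow it can be exercised end to end without touching a production BEDB. The following is an added example (not Symantec's code and not a Backup Exec feature) that builds an in-memory SQLite database with the four catalog tables and the column names the query uses, runs the same join with the host-name filter as a parameter, and then produces the de-duplicated .fh plus .xml file list that steps 1 to 5 assemble by hand. The table schemas, column types and every row of sample data are constructed for the example; the real BEDB schema is only known here through the column names in the query.

```python
import sqlite3

# The post's query, with the LIKE pattern supplied as a parameter instead of being edited in place.
QUERY = """
select cr.MachineName, cr.ResourceName, ci.HistoryFileName, ci.ImageName, cm.MediaName,
       ci.EngineName, cf.MediaID, ci.ImageNumber, cm.CartridgeLabel, cm.MediaType,
       cm.Location, cm.RelativeLocation, cm.CreationDateTime, ci.NumBytes
from CatImage ci join CatResource cr on cr.ResourceID = ci.ResourceID
   join CatFragment cf on cf.ImageID = ci.ImageID
   join CatMedia cm on cm.MediaID = cf.MediaID
where cr.MachineName like ?
order by ci.HistoryFileName, cr.ResourceName
"""


def build_sample_db():
    """Constructed stand-in for BEDB: column names follow the query, types and rows are invented."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
    create table CatResource(ResourceID integer, MachineName text, ResourceName text);
    create table CatImage(ImageID integer, ResourceID integer, HistoryFileName text, ImageName text,
                          EngineName text, ImageNumber integer, NumBytes integer);
    create table CatFragment(ImageID integer, MediaID integer);
    create table CatMedia(MediaID integer, MediaName text, CartridgeLabel text, MediaType text,
                         Location text, RelativeLocation text, CreationDateTime text);
    """)
    con.executemany("insert into CatResource values (?,?,?)", [
        (1, "VCENTER01", "C:"), (2, "VCENTER01", "System State"), (3, "FILESRV02", "D:")])
    con.executemany("insert into CatImage values (?,?,?,?,?,?,?)", [
        (10, 1, "VCENTER01_0001.fh", "Full-VCENTER01-C", "NTFS", 1, 4096000),
        (11, 2, "VCENTER01_0002.fh", "Full-VCENTER01-SS", "SystemState", 1, 512000),
        (12, 3, "FILESRV02_0001.fh", "Full-FILESRV02-D", "NTFS", 1, 8192000)])
    con.executemany("insert into CatFragment values (?,?)", [(10, 100), (11, 100), (12, 101)])
    con.executemany("insert into CatMedia values (?,?,?,?,?,?,?)", [
        (100, "Media0001", "000001L4", "LTO4", "Robotic Library", "Slot 3", "2014-03-01 02:00:00"),
        (101, "Media0002", "000002L4", "LTO4", "Offsite", "Vault", "2014-03-02 02:00:00")])
    return con


def catalog_files_for_host(con, hostname_fragment):
    """Run the catalog query for every machine whose name contains the fragment; rows as dicts."""
    cur = con.execute(QUERY, (f"%{hostname_fragment}%",))
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def search_list(rows):
    """Steps 1-5 of the post: take every HistoryFileName, add the .xml twin of each .fh name,
    de-duplicate, and return one sorted list ready to paste into a file-search tool."""
    names = []
    for r in rows:
        fh = r["HistoryFileName"]
        names.append(fh)
        if fh.lower().endswith(".fh"):
            names.append(fh[:-3] + ".xml")
    return sorted(set(names))


if __name__ == "__main__":
    con = build_sample_db()
    rows = catalog_files_for_host(con, "VCENTER")
    for r in rows:
        print(r["MachineName"], r["ResourceName"], r["HistoryFileName"], r["MediaName"])
    print("\n".join(search_list(rows)))
```

Against a real BEDB the same two functions apply once `build_sample_db()` is replaced by a connection to the Backup Exec SQL instance; the query text is unchanged apart from the parameter.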

The End.

Regards,

 

 

Financial Trojans: Persistent Attacks on Japanese Internet Users

For some time now, Japanese Internet users have been plagued by financial Trojans such as SpyEye (Trojan.Spyeye) and Zeus (Trojan.Zbot). Both the number of victims of this malware and the amounts withdrawn from bank accounts are surging at an alarming rate. According to the National Police Agency, the number of illegal online banking withdrawals jumped from 64 in 2012 to 1,315 in 2013, which alone gives an idea of the severity. Losses from savings rose from 48 million yen in 2012 to approximately 1.4 billion yen in 2013.

Recently, several malware families designed to steal bank account details from Japanese users have also been found. Among those identified lately are Infostealer.Ayufos, Infostealer.Torpplar and Infostealer.Bankeiya; this post looks at Infostealer.Bankeiya in detail.

Symantec began paying attention to Infostealer.Bankeiya in February, when a widespread attack exploiting the Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2014-0322) was observed; we covered that vulnerability in an earlier blog. At the time, no patch had been released for the vulnerability, leaving users of Internet Explorer 9 and 10 unprotected. The Infostealer.Bankeiya developer took advantage of the situation, compromising various legitimate websites to launch drive-by download attacks. The aggressive attacks continued even after the patch was released on March 11. The compromised legitimate sites ranged from high-traffic sites such as a travel agency, a TV station and a lottery site to a smaller number of small sites, including online shops, community sites and personal websites.

Further investigation of Infostealer.Bankeiya revealed that it is not a new malware family. The first variant was actually discovered in October 2013, and many variants have been seen since. The sole purpose of Infostealer.Bankeiya is to steal online banking information from compromised computers. Symantec has confirmed that, in addition to the Internet Explorer vulnerability, the Oracle Java SE Remote Code Execution Vulnerability (CVE-2013-2463) is also being exploited to infect systems. It cannot be ruled out that other vulnerabilities are being exploited as well.

A typical Infostealer.Bankeiya attack proceeds as follows:

  1. The attacker compromises a legitimate website and plants exploit code to infect visitors' computers.
  2. When a user visits the site from a computer that is still vulnerable, the system becomes infected with Infostealer.Bankeiya.
  3. Infostealer.Bankeiya uploads information about the compromised computer, such as its IP address, MAC address, OS version and installed security software.
  4. It then downloads encrypted configuration data specifying where an updated version of Infostealer.Bankeiya is located, as one of the following:
    1. A profile on a blog page created solely to host the encrypted data
    2. A specific URL on a compromised website
  5. If an update is found, it downloads the new version and replaces itself with it. The update contains the location of a new command-and-control (C&C) server.
  6. When the victim logs in to the targeted online banking site, a fake pop-up window is displayed, designed, needless to say, to get the victim to enter their online banking details.
  7. The details entered are sent to the C&C server and stored, where the attacker can retrieve them.

Figure 1. Login page of the Infostealer.Bankeiya C&C server

Symantec sinkholed the known C&C servers so that Infostealer.Bankeiya on compromised computers could send no further data to the attacker. We also monitored the servers by logging accesses from victims' computers, to estimate how far the attack had spread. We did this over one week in mid-March, and the results indicate that up to 20,000 computers were infected. The vast majority of accesses came from Japanese IP addresses, which is no surprise, but the number of infections is somewhat serious. Note that the figures below are based on the number of devices on the Internet accessing the servers, and some devices were excluded because they were uninfected systems.

Figure 2. Devices accessing the C&C servers

According to the sinkhole data, Hong Kong had the second highest number of victims after Japan. This matches the data we presented in the earlier blog about computers targeted by the CVE-2014-0322 exploit code, and there is a reason for it. Our investigation also found a connection with another kind of attack that uses files to mine Bitcoin. One such attack targeted users visiting a compromised forum site in Hong Kong. In that case, the CVE-2014-0322 exploit code was used to download and run Bitcoin mining software called jhProtominer on the victim's computer, abusing the computer's hardware to mine Bitcoin. The attacker seems willing to target different users across borders and is looking for any opportunity to make a profit.

Many malware infections happen because users visit compromised legitimate sites. It is important to update all software products frequently with the latest patches. Sometimes, as with the vulnerability exploited by Infostealer.Bankeiya, no patch is available. Even then, security software is effective at strengthening a computer's security, so install security software and keep it up to date. Following these recommendations will prevent most infections.

* To subscribe to the RSS feed of the Japanese-language Security Response blog, go to http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

Twitter Spam: Compromised Accounts and Websites Spread Diet Spam

Last week, a large number of Twitter accounts were compromised and abused by spammers spreading "miracle diet" spam. The compromised accounts were not only those of celebrities; ordinary Twitter users were also affected.

Figure 1. "Miracle diet" spam on Twitter

A familiar attack
Diet spam is nothing unusual; it appears on various social networking sites, and Twitter is no exception. Over the years, Symantec has seen many different campaigns that try to cash in on the latest diet craze. In this case, the spammers are pushing garcinia extract through a page designed to closely resemble the Women's Health website.

Figure 2. Fake promotional page used by the spammers in this campaign

Notable accounts compromised
In this spam campaign, the accounts of celebrities such as athletes, politicians, TV producers, bloggers and comedians were compromised and used to spread the spam explosively to hundreds of thousands of followers.

Figure 3. Compromised accounts of two public figures

Many of the tweets carried messages such as "I couldn't believe it when I lost 6 lbs!" and "I was skeptical, but I really lost weight!", followed by a URL shortened with Bitly.com.

Celebrities and public figures are often used to endorse products. Among the compromised accounts was that of Jamie Eason, known as the World's Fittest Model. By compromising accounts like Jamie's, the spammers aim to lure users into clicking the links, spreading the spam further and, ideally for them, buying the diet product.

Some of the affected celebrities simply deleted the spam tweets, while others openly admitted that their accounts had been compromised.

Compromised websites
What makes this spam campaign stand out from past spam is that the spammers also compromised a large number of websites, which are used to redirect users to the "miracle diet" promotional pages.

Figure 4. Compromised website running an unsupported version of Joomla

The websites Symantec confirmed as compromised are running an old version of the Joomla content management system, specifically version 1.5, for which developer support ended in September 2012.

Figure 5. Spam link reveals a vulnerable Joomla extension

The spammers also appear to be targeting a vulnerability in the jNews extension component for Joomla. Symantec has contacted many of the site administrators to notify them of the compromise.

Connection to Pinterest spam
At the end of March, TechCrunch published an article about spam on Pinterest. One of TechCrunch's co-editors had an account compromised and used to pin diet photos. According to Symantec's research, the image descriptions and the compromised sites acting as redirects are similar to those used in this Twitter attack, so we believe the two attacks are the work of the same spammers.

Figure 6. TechCrunch co-editor's compromised Pinterest account

Conclusion
Diet spam is now a familiar sight, and social networks are the ideal place for spammers to extract money from unwary users. How the spammers compromised these Twitter accounts is still unknown, but we recommend following the steps on this page to protect your account. If you run a website, consider moving to the latest version of your content management system; also apply all security patches, update your extensions, and review the directory permissions on your web server.

Symantec is continuing to monitor this attack and has asked both Twitter and Bitly for support.

* To subscribe to the RSS feed of the Japanese-language Security Response blog, go to http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

Fake Voting Campaign Steals Facebook Users’ Identities


Contributor: Parag Sawant

Phishers continuously come up with various plans to enhance their chances of harvesting users’ sensitive information. Symantec recently observed a phishing campaign where data is collected through a fake voting site which asks users to decide whether boys or girls are greater.

The phishing page, hosted on a free Web hosting site, targets Facebook users and contains a fake voting campaign, “WHO IS GREAT BOYS OR GIRLS?”, along with a “VOTE” button to register votes. The page also embeds a pair of bar charts representing the voting ratio and displays the total votes gained over the last four years. These give the fake application a more legitimate feel.

Figure 1. The Facebook application asks users to register their votes

The first phishing page contains a button to initiate the voting process. After the button is clicked, a pop-up window appears, asking for a user’s login ID and password, as shown below:

Figure 2. A pop-up window requesting user account information

The pop-up also contains two option buttons to vote for either male or female, and a button to submit the vote. After all the details and fields have been entered and filled up, the page then redirects the user to an acknowledgement page to confirm his or her voting information.

Figure 3. A voting confirmation message is displayed after user information is entered

We then tried returning to the first page and found that the vote count increases periodically. The number was previously 4,924,055 but has now increased to 4,924,096.

Figure 4. A comparison of the previous vote count and the current vote count

The phishers used the following phishing URL, and a subdomain to indicate that it is an application:
[http://]smartapps.[REMOVED].com

If any user falls victim to the site, the phishers would then have successfully stolen personal user information for identity theft purposes.

The use of fake applications as bait is not uncommon, and Symantec advises Internet users to follow these best practices to avoid becoming victims of phishing attacks:

  • Check the URL in the address bar when logging into your account to make sure it belongs to the website that you want to visit
  • Do not click on suspicious links in email messages
  • Do not provide any personal information when replying to emails
  • Do not enter personal information in a pop-up page or window
  • Ensure that the website is encrypted with an SSL certificate by looking for the padlock image/icon, “HTTPS”, or the green address bar when entering personal or financial information
  • Use comprehensive security software, such as Norton Internet Security or Norton 360, to be protected from phishing and social networking scams
  • Exercise caution when clicking on enticing links sent through emails or posted on social networks

Two Things to Consider when Setting Up Shortcut Content in Enterprise Vault


Are you struggling to find the best settings to use for the shortcut content in your Enterprise Vault environment? There are a myriad of options available, and they add up to many different combinations of settings, so it is sometimes difficult to determine the overall effect a particular choice will have on your environment and on your end users.

Should you strip attachments? These can obviously take up lots of space in the mailbox.
How many characters of the original email item should be included in the shortcut? 10, 100, 1000?
How will users access these items? From their PC, via Outlook Web App, mobile device, tablet computer?
How often will users access these items? Are you really only talking about data which is over a year old, or recent items too?

All these sorts of questions, and more, need to be asked if you are going to arrive at an optimal shortcut content setting for a particular environment.

There are also lots of other things to consider, all relating to your environment. For example:

Are you trying to use Enterprise Vault to reclaim the maximum amount of space in your environment?
Are you trying to make it easier for end-users to manage their mailbox? 
Are you making it so that people can search for archived content more easily?

Picking the shortcut content policy is tricky, because there are many different things to consider. Let's discuss two important considerations right now, which will help us reach an optimal shortcut content setting for our environment.

Attachments

Stripping attachments from messages will recover lots of space. Attachments are quite large on the whole, so removing them from archived items will definitely mean that the items in the mailbox are much smaller. It is also worth considering the advanced setting relating to non-shortcut items, particularly calendar items, which can also have their attachments stripped. This is especially useful if you live in an environment where people have lots of meetings for which presentations or documents for review are distributed beforehand. Of course, stripping attachments will also reduce the usability of the items, particularly if they need to be retrieved often. But think about meetings that happened long ago, and whether the content of the meeting request/appointment will ever be re-read months down the line. If that is not very likely in your organisation, then removing the attachments will not lessen the usability of the item.

Number of Characters

Fewer characters in the message body will also recover a lot of space. This in particular affects those long email threads where the body of the message just gets bigger and bigger over the course of the conversation. It's the sheer amount of text that we're going to get rid of which will help reduce the size. On the flip side of this though, having only a few characters in the message body will mean that usability of the shortcut might be impaired. End users might not be able to figure out what the actual message is about later on down the line. And that will lead them to not liking your policy decisions.

Other things to consider

Another thing that will help guide users in the right direction is the content and usability of the 'banner' which Enterprise Vault can add when it creates the shortcut. The banner should be helpful to users, and make it very obvious that the item is a shortcut. This is useful to the end user because it triggers their training, which says 'this is an archived item; it will behave a bit differently from normal'.

Picking the right combination of shortcut content (number of characters) and whether or not to strip attachments will have a big impact on your environment and on the usability of archived items within it. It is worth spending some time figuring out the possibilities, and perhaps even taking some old sample messages and producing mock-ups that can be shared with users. Ask users whether a 30-reply conversation thread is still helpful to them when it has been shortened to just 200 characters. Ask users if they retrieve calendar items 6 months after they have taken place. Here are some more questions, which you can tailor to your needs:

- This mail has gone back and forth 30 times. It's now 6 months later. Does only seeing 200 characters matter?

- This calendar item to review the specification document for a new engine part took place 3 months ago. Do you refer back to it? Do you open the calendar item? Do you open the attachment? How often? And why?

- Does your archiving policy potentially archive very recent items? Do you have users that use devices like Blackberry or iPhone? Turning any of these types of items into shortcuts will impact usability in a bad way.

- Do you even need shortcuts for very old items? How often are things retrieved after they have aged beyond 1 year? 2? 5?

The answers to these questions will help govern what shortcut content you should go for. Remember that this choice matters a great deal in the Enterprise Vault world, because rebuilding shortcut content is a very, very intensive process for Enterprise Vault.


Six months after Blackhole: Passing the exploit kit torch


While news of the downfall of the Blackhole Exploit Kit (often referred to as “BHEK”) isn’t new, its rise and subsequent collapse is the stuff of internet crime legend. Originally appearing in late 2010, the Blackhole Exploit Kit rose to popularity due to its ease of use and overall effectiveness. Version 1 of BHEK quickly became the de facto standard among exploit kits, wreaking havoc throughout 2011 and spawning version 2 in late 2012. After the alleged creator of BHEK, a Russian man known by the handle “Paunch”, was arrested by Russian authorities in October 2013, Symantec MSS observed a marked downturn in BHEK activity. A second, lesser-known exploit kit named “Cool EK”, supposedly also authored by Paunch, suffered a similar fate. By the end of 2013 both kits had all but disappeared from widespread use on the internet, with only a small number of holdouts (existing campaigns or old infrastructure) still employing them. This post is meant to highlight the last year of the most successful exploit kit we’ve ever witnessed, and to detail the newcomers filling the void left by the notorious Blackhole.

 

[Graph: last 12 months of Symantec MSS validated incidents of successful BHEK exposure, exploitation and infection]

This graph illustrates the last 12 months of Symantec MSS validated incidents of successful BHEK exposure, exploitation, and resulting infection. This graph does not represent spam, exposure, failed exploitation, or partially successful BHEK events. Theories about the pre-arrest downturn in BHEK (May 2013) include a focus shift to Cool EK, potential Paunch cooperation with law enforcement, or Paunch’s possible knowledge of an ongoing investigation into his actions.

[Graph: unique computer exposures to Blackhole and Cool exploit kit landing pages, as reported by Symantec endpoint products]

This graph demonstrates the downturn in unique computer exposures to Blackhole and Cool exploit kit landing pages as reported by Symantec endpoint products. The distinct drop in activity from September to October 2013 is clear. (Provided by Symantec Security Response)

 

How do exploit kits work?

Exploit kits are designed and used by criminals for a single purpose: to compromise computers and install malware. The resulting infections are motivated by the usual ends: financial gain, botnet creation, or identity theft perpetrated by the attacker.

By redirecting users to a website running an exploit kit, attackers expose endpoint machines to a quick assessment followed by one or more exploitation attempts. These kits exploit a continuously updated series of client-side vulnerabilities, targeting common operating systems and popular applications. The repeatedly beleaguered client-side software includes popular web browsers (e.g. Internet Explorer, Chrome, Firefox), Adobe Flash, Adobe Acrobat/Reader, Oracle Java, and more. Depending on the patch level, configuration, and security systems in place on the victim machine, exploit attempts by BHEK often result in successful infection.

Most exploit kits are offered for “rent” or outright sale on underground crime forums. The more successful kits are constantly updated as new vulnerabilities are discovered and often come with customer support direct from the kit’s creators. Profits from the sale of these kits are regularly used to improve the quality or exclusivity of kit functionality and exploit variety. Authors of these exploit kits often employ new 0-days to gain extra effectiveness and maintain a competitive edge in the underground market. High-dollar payments for new exploits were a well-known facet of Blackhole and eventually Cool exploit kits.

Due to the portable and configurable nature of exploit kits, their widespread use and resulting infections are greatly varied. Such kits are oftentimes employed to spearhead the exploitation and delivery of malware associated with numerous malicious campaigns. Initial exposure to Blackhole and other kits usually stems from redirections found in everything from spam email to malicious ads and watering hole attacks.

The process usually plays out like this…

  1. An attacker sets up a website hosting an exploit kit (landing page + backend exploit engine).
  2. An endpoint user is exposed to the exploit kit landing page via malicious advertisement, redirection, spam link, etc.
  3. The exploit kit begins by “profiling” the victim via PluginDetect or similar, looking for vulnerable versions of popular operating systems, browsers, or plugins.
  4. If a vulnerable application or plugin version is detected, the exploit kit will deliver an appropriate exploit file (ex. JAR, PDF, SWF, crafted webpage).
  5. If the exploit was successful, a malicious payload will be dropped and executed on the victim host. This will vary greatly depending on the attacker’s preference, but usually involves some flavor of trojan, rootkit, or bot.
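The five steps above are also what a defender can look for in web proxy logs. The following Python script is an added example, not code from the original post or from Symantec MSS: it classifies each request into one of the stages (landing page, PluginDetect-style profiling script, JAR/PDF/SWF exploit file, executable payload) and flags a client whose requests walk the stages in order within a short window. The log format, the hostnames and the sample lines are constructed for this illustration.

```python
"""Flag the exploit-kit chain described in the post (landing page -> plugin
profiling -> exploit file -> executable payload) in web proxy logs.

Added example, not code from the original post. The log format, hostnames
and sample lines are constructed for this illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log: timestamp client method url status content-type
SAMPLE_LOG = """\
2014-03-10T10:01:02 10.0.0.5 GET http://news.example/index.html 200 text/html
2014-03-10T10:01:03 10.0.0.5 GET http://ads.example/banner.js 200 application/javascript
2014-03-10T10:01:04 10.0.0.5 GET http://landing.invalid/?q=1 200 text/html
2014-03-10T10:01:05 10.0.0.5 GET http://landing.invalid/PluginDetect.js 200 application/javascript
2014-03-10T10:01:07 10.0.0.5 GET http://landing.invalid/jre.jar 200 application/java-archive
2014-03-10T10:01:09 10.0.0.5 GET http://landing.invalid/f.php?id=3 200 application/x-msdownload
2014-03-10T10:05:00 10.0.0.7 GET http://intranet.example/report.pdf 200 application/pdf
2014-03-10T10:05:10 10.0.0.7 GET http://updates.example/tool.exe 200 application/x-msdownload
2014-03-10T10:06:00 10.0.0.9 GET http://landing.invalid/?q=9 200 text/html
2014-03-10T10:06:02 10.0.0.9 GET http://landing.invalid/PluginDetect.js 200 application/javascript
"""

ORDER = ["landing", "profile", "exploit", "payload"]
EXPLOIT_TYPES = {"application/java-archive", "application/pdf",
                 "application/x-shockwave-flash"}
PAYLOAD_TYPES = {"application/x-msdownload", "application/octet-stream"}
WINDOW = timedelta(seconds=120)   # the chain must complete this soon after the landing page


def parse_line(line):
    ts, client, _method, url, status, ctype = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "url": url, "status": int(status), "ctype": ctype}


def classify(event):
    """Map one request to a chain stage, or None if it is not interesting."""
    url = event["url"].lower()
    if "plugindetect" in url:                      # step 3: victim profiling script
        return "profile"
    if event["ctype"] in EXPLOIT_TYPES:            # step 4: JAR / PDF / SWF exploit file
        return "exploit"
    if event["ctype"] in PAYLOAD_TYPES or url.endswith(".exe"):
        return "payload"                           # step 5: dropped executable
    if event["ctype"] == "text/html":              # step 2: possible landing page
        return "landing"
    return None


def find_exploit_chains(log_text):
    """Return {client: stages} for clients whose requests walk the chain in
    order, with the exploit and payload stages inside WINDOW of the start."""
    per_client = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        if ev["status"] != 200:
            continue
        stage = classify(ev)
        if stage is not None:
            per_client[ev["client"]].append((ev["ts"], stage))

    flagged = {}
    for client, events in per_client.items():
        events.sort()
        for i, (start, stage) in enumerate(events):
            if stage not in ("landing", "profile"):
                continue
            seen = [stage]
            for ts, later in events[i + 1:]:
                if ts - start > WINDOW:
                    break
                if ORDER.index(later) > ORDER.index(seen[-1]):
                    seen.append(later)    # only accept stages in chain order
            if "exploit" in seen and "payload" in seen:
                flagged[client] = seen
                break
    return flagged


if __name__ == "__main__":
    for client, stages in find_exploit_chains(SAMPLE_LOG).items():
        print(client, "->", " > ".join(stages))
```

On the sample log only the client that fetched a landing page, the profiling script, a JAR and then an executable within the window is flagged; the client that downloaded a PDF and then an executable with no preceding landing page is not, and neither is the client that only reached the profiling stage. In a real environment the content-type sets and the window need tuning, and a match is a lead to investigate rather than proof of infection.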

 

Beyond Blackhole

The resulting vacuum created by the evaporation of Blackhole and Cool exploit kits has seen a rise in new players. While none have climbed to the level of BHEK at its height, there is a very active crop of new and existing kits available. In the realm of Symantec MSS and its customers, several of the dozens of active kits stand out in recent months.

As seen below, the DotkaChef, Neutrino, and Sweet Orange exploit kits were the immediate “winners” after BHEK fell off the radar. In recent months, RedKit and relative newcomers Magnitude and Fiesta kits have played significant parts in the threat landscape.

 

[Graph: breakdown of the heaviest hitting non-Blackhole/Cool exploit kits in the 6 months after the arrest of “Paunch”]

This graph shows the breakdown of the heaviest hitting non-Blackhole/Cool exploit kits in the 6 months immediately after the arrest of “Paunch”. These numbers represent ALL activity observed (successful and otherwise) in MSS customer environments, from initial exposure to payload requests and infections. While Blackhole still played a lingering part in the exploit kit field, it was quickly outpaced by almost all of the newcomers listed above.

 

Exploit kits and Symantec MSS

Exploit kits have been a continuous threat to businesses and individuals across the Managed Security Services customer landscape. Such kits, when paired with effective delivery methods, have been responsible for countless malware outbreaks.

Due to the prevalence of these kits as exploitation and delivery mechanisms for malware, MSS and Symantec as a whole take detection and alerting very seriously. We have a myriad of detection methods for not only the kits themselves, but also the resulting malware and the infrastructure used in the accompanying campaigns. A combination of signatures and heuristics is employed by both in-house mechanisms and MSS-supported third-party vendor devices at customer sites (Sourcefire, Emerging Threats, Palo Alto, FireEye, McAfee, ISS, and more).

 


This post was brought to you by Eric Gonzalez (research) and Andrew Larson (research and wordsmithing).

EV to EMC Centera Connections


A number of customers have been reporting an increased number of connections to their EMC Centera devices.

I thought I’d investigate a little further, so I wrote a test app using the EMC Centera SDK and spun up 10 threads using the same poolref:

 

C:\tools>RetrieveContent.exe
Enter the IP address or DNS name of the cluster(s):  10.14.96.21,10.14.96.22,10.14.96.23,10.14.96.24
 [10.14.96.21] Opened Pool, using poolref: 348777130463956
Press ENTER to continue.
Opened Clip:BLGE3TDLPU5FPe2VCP2NS8BOHV3G4185NGU78J0H2I8N0JK09FF2S
Opened Clip:16995546G1S78e0J6C74GH4F9D5G4185NH3TM609CDUCRNH56LDFP
Opened Clip:9CJLJ21FFI1G5eA9HDEQ07JENT5G4185NML7760DB1V1KQ5OMCKL9
Opened Clip:CUVD1C17HQHI7e1LF2HJITQT4DEG418FA7MIAA0R4GRLR7MQEEFK8
Opened Clip:0SDHQGQ2C5U26eAQ9G4R6JURLJRG418FENIELL0R5AFE52NKMJN3Q
Opened Clip:BP4CJJ66S6794e34PHJ2GFURC0AG418FENKNNE0P0ALMKSKHE08J6
Opened Clip:47BSSCJKJ0VLFeFVL4RP4TN49U0G418FEOEQLQ0R1V5RIBSIFO8TA
Opened Clip:4PGHG674NIEK0e9298KBEPIM86HG418FEOH3NH0G4EBQIKSDN8U0C
Opened Clip:8A8LF6D0C32LGeFSNHNLIR2T76LG418FEOL7GP0LF2UK5PAJ4QLPB
Opened Clip:FN5IOVTVGEPJ1eECMM7VU7ND3OKG418FEOT0LS0PDDHGFC9JB0IH6
and pausing....
Press ENTER to continue

 

I have 4 Access Nodes (AN), and the SDK looks like it opens one connection per AN:

 

 

[Screenshot: connection list showing one connection per Access Node]

I noticed I had quite a few StorageFileWatch connections, so I used a Dtrace filter on the poolref:

 

25,659 14:53:56.843 [5,692] (StorageFileWatch) <7912> EV:M CPools::Open (Increment) -- Connection string: 10.14.96.21, PoolRef: 342777130463912, Usage count: 10
25,670 14:53:56.865 [5,692] (StorageFileWatch) <7912> EV:M CPools::Open (Increment) -- Connection string: 10.14.97.61,10.14.97.62,10.14.97.63,10.14.97.60, PoolRef: 350233193691504, Us
26,009 14:53:56.911 [5,692] (StorageFileWatch) <7492> EV:M CVaultStoreEMCCentera::PoolOpen - Using existing PoolRef: 342777130463912
26,027 14:53:56.935 [5,692] (StorageFileWatch) <7336> EV:M CVaultStoreEMCCentera::PoolOpen - Using existing PoolRef: 342777130463912
26,059 14:53:56.951 [5,692] (StorageFileWatch) <5732> EV:M CVaultStoreEMCCentera::PoolOpen - Using existing PoolRef: 342777130463912
26,080 14:53:56.976 [5,692] (StorageFileWatch) <7904> EV:M CVaultStoreEMCCentera::PoolOpen - Using existing PoolRef: 342777130463912
26,098 14:53:57.011 [5,692] (StorageFileWatch) <7744> EV:M CVaultStoreEMCCentera::PoolOpen - Using existing PoolRef: 342777130463912
26,116 14:53:57.035 [5,692] (StorageFileWatch) <5424> EV:M CVaultStoreEMCCentera::PoolOpen - Using existing PoolRef: 342777130463912
26,288 14:53:57.067 [5,692] (StorageFileWatch) <7912> EV:M CPools::Close (Decrement) -- Connection string: 10.14.96.21, PoolRef: 342777130463912, Usage count: 9
26,293 14:53:57.082 [5,692] (StorageFileWatch) <7912> EV:M CPools::Close -- Enable normal timeout -- Connection string: 10.14.97.61,10.14.97.62,10.14.97.63,10.14.97.60, PoolRef: 35023
26,466 14:54:56.868 [5,692] (StorageFileWatch) <5632> EV:M CPools::Open (Increment) -- Connection string: 10.14.96.21, PoolRef: 342777130463912, Usage count: 10
26,477 14:54:56.889 [5,692] (StorageFileWatch) <5632> EV:M CPools::Open (Increment) -- Connection string: 10.14.97.61,10.14.97.62,10.14.97.63,10.14.97.60, PoolRef: 350233193691504, Us
26,809 14:54:56.925 [5,692] (StorageFileWatch) <7492> EV:M CVaultStoreEMCCentera::PoolOpen - Using existing PoolRef: 342777130463912
26,827 14:54:56.949 [5,692] (StorageFileWatch) <7264> EV:M CVaultStoreEMCCentera::PoolOpen - Using existing PoolRef: 342777130463912
26,845 14:54:56.974 [5,692] (StorageFileWatch) <5168> EV:M CVaultStoreEMCCentera::PoolOpen - Using existing PoolRef: 342777130463912
26,884 14:54:57.000 [5,692] (StorageFileWatch) <4680> EV:M CVaultStoreEMCCentera::PoolOpen - Using existing PoolRef: 342777130463912
26,902 14:54:57.023 [5,692] (StorageFileWatch) <7336> EV:M CVaultStoreEMCCentera::PoolOpen - Using existing PoolRef: 342777130463912
26,926 14:54:57.047 [5,692] (StorageFileWatch) <6136> EV:M CVaultStoreEMCCentera::PoolOpen - Using existing PoolRef: 342777130463912
27,095 14:54:57.082 [5,692] (StorageFileWatch) <5632> EV:M CPools::Close (Decrement) -- Connection string: 10.14.96.21, PoolRef: 342777130463912, Usage count: 9
27,100 14:54:57.096 [5,692] (StorageFileWatch) <5632> EV:M CPools::Close -- Enable normal timeout -- Connection string: 10.14.97.61,10.14.97.62,10.14.97.63,10.14.97.60, PoolRef: 35023

 

I see two poolrefs, matching my connection list:

 

select PartitionName,IPAddressList from PartitionEntry

ggg Ptn4    10.14.96.21,10.14.97.61
ggg Ptn9    10.14.96.21

So, in summary, an EV server can have multiple processes (StorageCrawler, StorageFileWatch, StorageArchive, etc.) that connect to a Centera. If all connections within a single process use the same connection string, we open one PoolRef; therefore multiple threads within a single process share the same PoolRef. PoolRef sharing can only occur within a single process.
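To see that sharing in a Dtrace capture, the following Python script is an added example (not part of the original post, and not Enterprise Vault code) that parses lines in the format shown above and tallies, per process and PoolRef, the CPools::Open/Close events, the “Using existing PoolRef” reuses, the threads involved and the last reported usage count. The sample lines are copied from the Dtrace excerpt above (including one that is truncated on the page); the summary structure is my own.

```python
"""Summarise Enterprise Vault Dtrace output for EMC Centera pool usage.

Added example, not part of the original post. The sample lines are copied
from the Dtrace excerpt in the post (one is truncated, as on the page); the
summary structure and the regular expressions are my own.
"""
import re
from collections import defaultdict

SAMPLE_DTRACE = """\
25,659 14:53:56.843 [5,692] (StorageFileWatch) <7912> EV:M CPools::Open (Increment) -- Connection string: 10.14.96.21, PoolRef: 342777130463912, Usage count: 10
25,670 14:53:56.865 [5,692] (StorageFileWatch) <7912> EV:M CPools::Open (Increment) -- Connection string: 10.14.97.61,10.14.97.62,10.14.97.63,10.14.97.60, PoolRef: 350233193691504, Us
26,009 14:53:56.911 [5,692] (StorageFileWatch) <7492> EV:M CVaultStoreEMCCentera::PoolOpen - Using existing PoolRef: 342777130463912
26,027 14:53:56.935 [5,692] (StorageFileWatch) <7336> EV:M CVaultStoreEMCCentera::PoolOpen - Using existing PoolRef: 342777130463912
26,059 14:53:56.951 [5,692] (StorageFileWatch) <5732> EV:M CVaultStoreEMCCentera::PoolOpen - Using existing PoolRef: 342777130463912
26,288 14:53:57.067 [5,692] (StorageFileWatch) <7912> EV:M CPools::Close (Decrement) -- Connection string: 10.14.96.21, PoolRef: 342777130463912, Usage count: 9
"""

# seq time [pid] (process) <thread> EV:M message
LINE_RE = re.compile(
    r"^(?P<seq>[\d,]+)\s+(?P<time>\S+)\s+\[(?P<pid>[\d,]+)\]\s+\((?P<proc>\w+)\)\s+"
    r"<(?P<tid>\d+)>\s+EV:M\s+(?P<msg>.*)$")
POOLREF_RE = re.compile(r"PoolRef:\s*(\d+)")
USAGE_RE = re.compile(r"Usage count:\s*(\d+)")


def parse_dtrace_line(line):
    """Return an event dict for pool open/close/reuse lines, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    ref = POOLREF_RE.search(msg)
    if not ref:
        return None
    if "CPools::Open" in msg:
        kind = "open"
    elif "CPools::Close" in msg:
        kind = "close"
    elif "Using existing PoolRef" in msg:
        kind = "reuse"
    else:
        return None
    usage = USAGE_RE.search(msg)          # absent on truncated lines
    return {"pid": m.group("pid").replace(",", ""), "process": m.group("proc"),
            "thread": m.group("tid"), "poolref": ref.group(1), "kind": kind,
            "usage": int(usage.group(1)) if usage else None}


def summarise_pools(text):
    """Return {(process, pid): {poolref: stats}} with open/close/reuse counts,
    the set of threads that touched the PoolRef and the last usage count seen."""
    summary = defaultdict(dict)
    for line in text.splitlines():
        ev = parse_dtrace_line(line)
        if ev is None:
            continue
        stats = summary[(ev["process"], ev["pid"])].setdefault(
            ev["poolref"],
            {"open": 0, "close": 0, "reuse": 0, "threads": set(), "last_usage": None})
        stats[ev["kind"]] += 1
        stats["threads"].add(ev["thread"])
        if ev["usage"] is not None:
            stats["last_usage"] = ev["usage"]
    return summary


def shared_poolrefs(summary):
    """PoolRefs that more than one thread of the same process used: the
    within-process sharing the post describes."""
    return {(proc, pid, ref): sorted(st["threads"])
            for (proc, pid), pools in summary.items()
            for ref, st in pools.items() if len(st["threads"]) > 1}


if __name__ == "__main__":
    for (proc, pid), pools in summarise_pools(SAMPLE_DTRACE).items():
        for ref, st in pools.items():
            print(proc, pid, ref, st["open"], st["close"], st["reuse"],
                  sorted(st["threads"]), st["last_usage"])
```

For the excerpt above the summary shows a single StorageFileWatch process (PID 5692) with one PoolRef that four different threads opened or reused, its usage count dropping from 10 to 9 on close, and a second PoolRef for the other connection string. Counting threads per PoolRef per PID is a quick way to confirm that connections are being shared inside a process as the post describes, or to spot a PoolRef that is opened by more than one process.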

In EV10, a number (1+) of StorageCrawler processes (default of max 10) will be maintained on each Storage server to handle indexing requests. Processes are only launched on a ‘need to’ basis so it is possible that none will be running if no work is being requested from that particular Storage Server. This model will boost StorageCrawler’s ability to cope with 64-bit demand from multiple Indexing servers and reduces the existing single point of failure.

New! Backup Exec Deduplication Assessment Tool


Updated: April 7, 2014 - We have launched a new and improved tool called Backup Exec Partner Toolkit (BEPT). The BEPT now includes a faster deduplication assessment component. To learn more, please visit the BEPT blog on Symantec Connect.

************

What is it?

The Backup Exec Deduplication Assessment Tool (BEDAT) is a utility designed to help partners demonstrate the value of Backup Exec and its deduplication technology to their customers. BEDAT scans user-selected data sets on one or more Windows-based systems in a customer’s network environment and estimates the deduplication savings that would be experienced if the same systems were protected using Backup Exec or the Backup Exec 3600 Appliance and deduplication. BEDAT returns global deduplication results, per resource deduplication results, and per data type deduplication results. BEDAT does not actually capture or transport any customer data during the assessment process; it only captures deduplication fingerprint information and transmits this data to be included in deduplication results.

New! Front-end Capacity Analysis Feature

The Backup Exec Deduplication Assessment Tool (BEDAT) now also supports the analysis of front-end capacity of Windows-based servers and volumes in a customer’s network environment.  After scanning the selected Windows servers and volumes, BEDAT returns global front-end capacity results as well as per-server capacity results. The front-end capacity analysis process takes only moments to complete, and operates separately from the deduplication scanning process.  BEDAT does not actually capture or transport any customer data during the assessment process; it only captures front-end capacity metadata.  This feature allows partners to quickly and easily understand the total front-end capacity of an environment, streamlining the licensing of the Backup Exec 2012 Capacity Edition product.

How does it work?

The Backup Exec Deduplication Assessment Tool (BEDAT) installs to almost any Windows-based, x86 or x64 computer system. When run, it can calculate deduplication results for the system on which it is installed, as well as other systems available on the network. When capturing deduplication data from remote network systems, a small agent is temporarily installed to the remote servers and removed after deduplication calculations have been completed. BEDAT is designed to be as simple and as easy to use as possible. It is a wizard-driven utility that does not require any specific IT expertise to use successfully.

Who is it for?

The Backup Exec Deduplication Assessment Tool (BEDAT) is designed to be used by Backup Exec partners as they help customers understand the storage optimization benefits of the deduplication technology found in Backup Exec and the Backup Exec 3600 Appliance.

Where can I get it?

The Backup Exec Deduplication Assessment Tool (BEDAT) is available for partners to download at the Symantec PartnerNet site. For end user customers interested in using BEDAT in their environments, please contact a local Symantec partner.

It’s free!

The Backup Exec Deduplication Assessment Tool (BEDAT) is made available to Symantec partners at no charge. However, a PartnerNet account is required in order to access and download the tool.

What platforms and data types are supported?

The Backup Exec Deduplication Assessment Tool (BEDAT) supports Windows 2003 and Windows 2008 x86 and x64 platforms, including both physical and virtual systems. It supports estimating deduplication results for file system data, Exchange data, and SQL data.

Notes

While designed to be highly accurate, the results offered by the Backup Exec Deduplication Assessment Tool (BEDAT) represent estimates of the storage savings that would be gained by using Backup Exec  or the Backup Exec 3600 Appliance and deduplication.

********

Simple and Quick Backup Analysis

A NetBackup Analyzer success story

Do you know about the NetBackup Analyzer tool? Have you used it? Do you use it yearly?

All questions that every NetBackup customer should be asking themselves. The following story came to me recently from one of our Account Executives, Derek Hunter. It reinforces the value of information and the use of a simple tool to improve the operation of an ever-changing backup landscape.

Recently, Derek received a call from a frustrated NetBackup customer that was not able to make their backup windows. Following a short conversation, the customer agreed to run the NetBackup Analyzer to give us potential clues on their issue and to get a basic overview of their environment. 
 
The NBU Analyzer took the customer ten minutes to run (a simple script) on their end and within 24 hours they received a call from Derek with results, a report and a suggestion to fix their concern.  By upgrading a media server that was running NetBackup 7.1 to NBU 7.6 and adding the Accelerator option, their problem was solved!  

The customer is now interested in retiring old media servers with NetBackup Appliances to make upgrading even easier. 

Moral of the story:  

Run the NetBackup Analyzer yearly for a view into your NetBackup environment and remember that as your backup landscape changes we at Symantec stay ahead of the changes by continually improving with every release.  Check out NetBackup 7.6 and upgrade!

The Dark Power of Windows PowerShell


Windows PowerShell, the Microsoft scripting language, has made the headlines recently due to malware authors leveraging it for malicious purposes. Symantec has identified more PowerShell scripts being used for nefarious purposes in attacks. Unlike other PowerShell scripts that we have identified previously, the new script, which Symantec detects as Backdoor.Trojan, has different layers of obfuscation and is able to inject malicious code into “rundll32.exe” so that it can hide itself in the computer while still running and acting like a back door.

Figure 1. The original Microsoft Windows PowerShell script

As seen in the previous image, the script is obfuscated to prevent users from seeing the clear text. To achieve this, the attacker used the “-EncodedCommand” parameter, which takes the entire script encoded in base64. Once decoded, the script is still obfuscated and looks like the following:

Figure 2. PowerShell script’s first layer of decryption

After this, the script again decodes a portion of itself from base64, and the decoded part is passed through a decompression function. The decompressed data is the final stage of the deobfuscated PowerShell script, which is executed through the “Invoke-Expression” command.

Figure 3. A deobfuscated PowerShell script

The attacker uses the command “CompileAssemblyFromSource” so that they can compile and execute on-the-fly embedded code which hides itself on the computer. The compiled code will then try to execute “rundll32.exe” in a suspended state, inject malicious code into the newly created process and restart the “rundll32” thread. This method is used to prevent detection on the computer.

The injected code will then try to connect to a remote computer and it then waits to receive a buffer of instructions. The code will subsequently store these instructions with EXECUTE_READWRITE permissions, so that they can be executed in a stealthy way.

The following picture shows how the injected code allocates the memory and receives the instructions that are later executed.

Figure 4. Malicious code injected into rundll32.exe

Symantec customers are currently protected from this attack with the detection Backdoor.Trojan. To avoid being infected, we recommend that customers use the latest Symantec technologies and update their virus definitions. Users should avoid running unknown PowerShell scripts and should not lower PowerShell’s default execution settings, in order to prevent potential malicious scripts from executing.
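As an added example of how an analyst can peel the layers described above (not code from the original post, and not Symantec’s detection logic), the following Python script decodes a PowerShell -EncodedCommand value (base64 of the UTF-16LE script text), then looks for embedded base64 literals in the result, decompresses them when they turn out to be gzip or deflate data, and lists the suspicious tokens found at each layer. The command line it analyses is constructed inside the script around a harmless inner script, so it runs offline; the indicator list is an assumption for illustration.

```python
"""Peel the obfuscation layers described in the post from a PowerShell
-EncodedCommand argument and list the suspicious tokens found at each layer.

Added example, not part of the original post and not Symantec's detection.
The sample command line is constructed here around a harmless inner script so
the decoder can run offline; the indicator list is an illustrative assumption.
"""
import base64
import gzip
import re
import zlib

# Tokens worth a second look when they appear in clear text at any layer (assumed list).
INDICATORS = ["Invoke-Expression", "IEX", "FromBase64String", "CompileAssemblyFromSource",
              "rundll32", "EXECUTE_READWRITE", "GzipStream", "DeflateStream",
              "-EncodedCommand"]
B64_BLOB = r"[A-Za-z0-9+/=]{40,}"


def build_sample_command():
    """Constructed sample: harmless inner script -> gzip -> base64 literal inside a
    stage-1 script -> UTF-16LE -> base64 -> powershell.exe -EncodedCommand ..."""
    inner = "Write-Output 'stage two'\n# sample tokens: CompileAssemblyFromSource rundll32.exe\n"
    blob = base64.b64encode(gzip.compress(inner.encode(), mtime=0)).decode()
    stage1 = ("$b=[Convert]::FromBase64String('" + blob + "');"
              "$s=New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,$b)),"
              "[IO.Compression.CompressionMode]::Decompress);"
              "Invoke-Expression (New-Object IO.StreamReader($s)).ReadToEnd()")
    encoded = base64.b64encode(stage1.encode("utf-16-le")).decode()
    return "powershell.exe -NoProfile -EncodedCommand " + encoded


SAMPLE_COMMAND = build_sample_command()


def decode_encoded_command(cmdline):
    """Layer 1: the -EncodedCommand value is base64 of the UTF-16LE script text."""
    m = re.search(r"-(?:EncodedCommand|enc\w*|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def decompress_any(data):
    """Try gzip, zlib and raw deflate; return None if the data is not compressed."""
    for fn in (gzip.decompress, zlib.decompress, lambda d: zlib.decompress(d, -15)):
        try:
            return fn(data)
        except (OSError, EOFError, zlib.error):
            continue
    return None


def peel_embedded_blobs(script):
    """Layer 2+: decode quoted base64 literals and decompress them where possible."""
    found = []
    for single, double in re.findall(r"'(%s)'|\"(%s)\"" % (B64_BLOB, B64_BLOB), script):
        try:
            raw = base64.b64decode(single or double, validate=True)
        except ValueError:
            continue
        plain = decompress_any(raw)
        found.append((plain if plain is not None else raw).decode("utf-8", errors="replace"))
    return found


def find_indicators(text):
    """Match indicators against the clear text only, ignoring the base64 blobs themselves."""
    stripped = re.sub(B64_BLOB, "", text).lower()
    return [tok for tok in INDICATORS if tok.lower() in stripped]


def triage(cmdline):
    """Return one record per layer (command line, decoded script, each embedded
    blob found while peeling) with the indicators seen in that layer."""
    layers = [cmdline]
    stage1 = decode_encoded_command(cmdline)
    if stage1 is not None:
        layers.append(stage1)
        pending = [stage1]
        while pending:                      # keep peeling until no new blob appears
            for blob_text in peel_embedded_blobs(pending.pop()):
                layers.append(blob_text)
                pending.append(blob_text)
    return [{"layer": i, "indicators": find_indicators(t), "preview": t[:60]}
            for i, t in enumerate(layers)]


if __name__ == "__main__":
    for rec in triage(SAMPLE_COMMAND):
        print(rec["layer"], rec["indicators"], repr(rec["preview"]))
```

Running it on the constructed command line yields three layers: the command line itself (flagged only for -EncodedCommand), the decoded stage-1 script (FromBase64String, GzipStream and Invoke-Expression in the clear) and the decompressed inner script. Indicators are matched after the long base64 runs are removed, so a token is reported only where it is actually legible, which keeps the per-layer list honest when the blobs happen to contain a matching substring by chance. The script described in the post adds further steps (on-the-fly compilation and injection into rundll32.exe) that no static decoder will surface; the goal here is only to get an analyst to the readable final stage quickly.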
