Security Response

先日、このブログの別の担当者から、6 月のマイクロソフト月例パッチで公開された脆弱性のひとつが現在悪用され、被害が出ているという報告がありました。こうした場合の常として、シマンテックでは何が起きるかを観察するために、ハニーポットコンピュータでこの悪用による危殆化を再現してみることにしました。

この悪用について最初に注目したのは、調査のために転送されてきた、あるユーザー宛の電子メールメッセージです。このメッセージは利用者の多い Web メールサービス上にホストされているアカウントから送信され、送信者は中国の大学生と称していますが、文法は誤りだらけでした。メールは、特定の話題について助言を求める内容か、最近のプレゼンテーションについて受信者に謝意を述べたうえでそのプレゼンテーションについて質問するというものです。ある中華レストランへのリンクが掲載されていますが、リンク先のこの Web ページに、Internet Explorer 8 に伴う脆弱性の悪用が仕掛けられています。

図 1: cnzz へのリンクに加え、統計目的と思われる隠し iframe タグが確認できる

本件のシナリオは、いわゆる「標的型攻撃」と表現することもできますが、どの攻撃も程度の差こそあれ巧妙化してきているので、「標的型」かどうかという定義も、ケースに応じて変わりがちです。今回の場合、受信者が中国人ではなく、大学ともまったく無関係であり、まして助言を請われている話題にも、言及されているプレゼンテーションにもまったく心当たりがないことから考えると、なぜメール本文をもっと受信者に該当しそうな内容に直さなかったのか、という疑問が残ります。このメールが見つかった状況としては明らかに場違いであり、...

Our friends at Microsoft recently blogged about a new variant of a bootkit Trojan from the family they call Popureb. The variant, Win32/Popureb.E, introduced a driver component to prevent a malicious master boot record (MBR) and other malicious components from being cleaned.

At least one tech writer was quick to pick up on the implications of the following sentence from the Microsoft blog:

"If your system is infected with Trojan:Win32/Popureb.E, we advise fixing the MBR  using the Windows Recovery Console to return the MBR to a clean state."

Mark Hachman wrote an article for pcmag.com entitled "Microsoft's Answer to Vicious Malware? Reinstall Windows." In the article, Mark refers to a blog post on the Symantec Connect site that at first glance may appear to...

Recap

I left off promising to reveal the mysterious application that was consuming my friend Derek’s bandwidth and trying to figure out how it got on his computer in the first place. Please note that all images (except one from this point on) were not actually taken from Derek’s computer, but instead were captured from a recreation of events using a honeypot computer inside our virus lab, and therefore may not accurately reflect what exactly took place on Derek’s machine.
 
Recalling events

Roughly a week prior to asking for my help, Derek had been surfing the Web, reading blogs, chatting with friends, and checking out some of his favorite sites as usual. That day he came across a video trailer for a movie that had just been released and decided to watch it. After downloading it onto his computer—which, as...

Email hoaxes are nothing new, dating back at least as far as 1994 with what is widely believed to have been the first email hoax—referred to as the "Goodtimes virus" or the "Goodtimes virus hoax" after the subject of the email. The message in the early version was short and to the point, advising recipients not to open email messages with the subject "Good Times" because doing so would ruin their files. This, of course, was not true, but in cases where the recipient complied with the warning, it obviously had the effect of ruining their chances of actually reading any legitimate email messages with that very subject.

Before email, normal postal mail (known fondly by many as "snail-mail") chain-letter hoaxes regularly did the rounds, and sometimes still do even today. The difference between a simple hoax and a chain-letter hoax is that the latter encourages the recipient to forward the letter or email on to others, usually family...