每日安全简讯(20170210)

1、新型勒索软件Erebus使用新手段绕过微软UAC
2、以Go语言编写的远控木马Athena使用匿名网络
3、后门Hummingbad成为Android智能手机常见威胁
4、安全厂商发现Windows版本僵尸网络Mirai bot
5、F5安全产品被发现远程攻击漏洞Ticketbleed
6、研究人员发现七成匿名浏览历史可以找到真人

【安天】搜集整理（来源：securityweek、securityweek、zdnet、securityaffairs、securityweek、solidot）

1、新型勒索软件Erebus使用新手段绕过微软UAC
标题：Erebus Ransomware Bypasses UAC for Privilege Elevation

作者信息：February 08, 2017 By Ionut Arghire

//BEGIN
A newly observed ransomware variant is using a technique to bypass User Account Control (UAC) in order to elevate its privileges without displaying a UAC prompt, researchers have discovered.

UAC：User Account Control 用户账户权限控制
非系统执行程序运行时，不显示UAC提示，而直接提升用户权限的行为是不正常的。但这就是最新的勒索软件Erebus采用的伎俩。这是安全公司BleepingComputer最近发布的信息。
这个名为Erebus的勒索软件，从功能看起来好像是全新的，但是实际上其部分零散功能已经在2016年9月份就出现过了。不过，从这两个恶意App的不同特性看，这个新发现的变种要么是完全不同的恶意代码，要么是一个完全重写的。


//END
The ransom note contains the user’s unique ID, a list of encrypted files, and a button that takes the victim to the TOR payment site. On that site, users are provided with payment instructions. The requested ransom amount is .085 Bitcoin, or around $90 at the moment, which is one of the lowest when compared to other ransomware families out there.
勒索软件加密完后给用户的提示界面显示了：用户的唯一的ID、加密文件的列表以及一个按钮能引导用户直接进入TOR支付网站。该该TOR网站上，有提示告诉用户如何付钱。赎金是0.085比特币，当前相对于90美金，与目前已经存在的勒索软件相比，价格算是最低的了。

点评：对付勒索软件，建议采用备份备份再备份的3B原则：Backup、Backup、Backup（Beifen、Beifen、Beifen）。

2、以Go语言编写的远控木马Athena使用匿名网络
标题：AthenaGo RAT Uses Tor2Web for C&C Communication

作者信息：February 09, 2017 By Ionut Arghire

//BEGIN
A newly observed Remote Access Trojan (RAT) targeting Windows systems is using Tor2Web proxies for communication with the command and control (C&C) server, Cisco Talos security researchers warn.
The RAT was written in Go, which is rather unusual for Windows malware, and its author refers to it as Athena, which determined the security researchers to call it AthenaGo. The Trojan, Cisco Talos threat researcher Edmund Brumaghin explains, can download and run additional binaries on the infected system, besides relying on Tor2Web proxies for communication purposes.

RAT：Remote Access Trojan 远控木马
Tor2Web：通过Web访问Tor网站

一种新型的远控木马RAT专门针对Windows操作系统，其与C&C服务器通讯的方式是通过Tor2Web代理服务器。这是Cisco的Talos安全研究组发出的警示。
RAT的编程语言是Google的Go语言，这在Windows 操作系统而言，不是太常见。其作者称呼其为Athena，基于此，安全研究人员称呼该木马为AthenaGo。除了依靠Tor2Web代理服务器通讯外，AthenaGo木马在Windows系统下载和安装二进制文件。

//END
“Malware authors will continue to evolve their attacks as they identify ways to effectively reduce their risk of being caught. This includes relying on C&C infrastructure hosted on Tor, making use of varying levels of encryption to protect the nature and content of network communications with their malware, and limiting their attacks to targeted attacks against specific targets or demographics. AthenaGo is an example of changes in the way malware is being written in an attempt to evade network defenses and successfully compromise target environments,” Cisco Talos’ researcher concludes.
恶意代码将继续改进其攻击策略，其目的无非就一个：那就是尽可能减少被发现的几率。其中之一的策略就是采用基于Tor进行C&C通信。为了保障与木马的通信的过程加密，因此得采用不同的加密方式，将其目标定位与某些特定的目标。

点评：Tor匿名网络的流量如何监控？

3、后门Hummingbad成为Android智能手机常见威胁
标题：This modular backdoor malware is now the most common threat to Android smartphones
For the first time in a year, Hummingbad isn't the most prolific form of malware on mobile devices.

作者信息：February 8, 2017  16:34 GMT (00:34 GMT+08:00) By Danny Palmer

//BEGIN
It's taken a whole year for it to be dislodged, but Hummingbad has finally been overtaken as the leading form of mobile malware.
The Hummingbad Android malware is still likely making its creators hundreds of thousands of dollars a month, and continues to infect millions of devices, but the Triada malware has taken the top spot in the first month of the year, Check Point's Threat Impact Index for January has revealed.

TII:Threat Impact Index 威胁影响指数

整整历时一年，Hummingbad终于被超越了。虽然当下Hummingbad每月还能给其作者挣上万美元，并继续感染其他众多移动设备。不过根据安全公司CheckPoint的威胁影响指数TII显示，今年的第一个月恶意代码排行，却是Triada拔得头筹，出现频率最高。其实原来Triada一直跟在Hummingbad后面的，但是最近被超越。第三位的是Hiddad。

//END
The RookieUA information stealer, the Nivdort bot, the Zeus banking Trojan, the Ramnit banking Trojan, and the Necurs botnet round out the list.
"The wide range of threats seen during January, utilizing all the available tactics in the infection chain, demonstrates the size of the task IT teams face in securing their networks against attack," says Nathan Shuchami, head of threat prevention at Check Point.
进入榜单的还有信息窃取木马RookieUA，Nivdort 僵尸网络，Zeus网银木马，Ramnit网银木马以及Necurs僵尸网络等等。
恶意代码数量众多、种类也各种各样，各显神通，利用一系列的感染路径。这种数量多、攻击面宽的网络威胁的现实情况，给组织的IT部门提出了严厉的挑战。

点评：Hello,Hummingbad!

4、安全厂商发现Windows版本僵尸网络Mirai bot
标题：Researchers at Dr Web spotted a Windows version of the Mirai bot

作者信息：February 8, 2017  By Pierluigi Paganini

//BEGIN
Researchers at the antivirus firm Dr.Web discovered a new strain of the Mirai bot, a Windows variant, targeting more ports.

RDP：Remote Desktop Protocol 远程桌面协议
DBMS：Database Management System 数据库管理系统
DVR：Digital Video Record 数字视频录像
CCTV： Closed Circuit Television 闭路电视监控系统
IoT：Internet of Things物联网

来自俄罗斯的安全公司Dr.Web最近发现了一种新的Mirai僵尸网络变种，不过这回不是在Linux平台，而是在Windows平台。

//END
“The only exception is a connection via RDP protocol: in this case, none of the instructions are executed. Besides that, while connecting to the Linux device via Telnet protocol, it downloads a binary file on the compromised device, and this file subsequently downloads and launches Linux.Mirai.”
仅有的例外是其通过RDP协议连接，如果确是该协议，那么就不执行任何命令。除此而外，通过Telnet协议连接到Linux设备，在感染的设备上下载一个二进制文件。这个文件随后会下载并执行恶意代码Linux.Mirai!

点评：又见Mirai!

5、F5安全产品被发现远程攻击漏洞Ticketbleed
标题："Ticketbleed" Flaw Exposes F5 Appliances to Remote Attacks

作者信息：February 09, 2017 By Eduard Kovacs

//BEGIN
F5 Networks BIG-IP appliances are affected by a serious vulnerability that can be exploited by a remote attacker to extract memory. An Internet scan showed that hundreds of hosts had been exposed by the flaw.

CDN:Content Delivery Network 内容传送加速协议
SSL:Security Socket Layer 安全套接字层

涉及有漏洞的产品是BIG-IP，其来源于F5 网络安全公司，漏洞还很严重，成功利用的话，可能被远程攻击者解析内存。通过互联网可以扫描，同时也能发现很多的感染主机。

//END
Valsorda has provided detailed technical information on the vulnerability and made some recommendations for security vendors that might consider trying to detect potential Ticketbleed attacks.
安全专家给该漏洞提供了详细的技术细节，并对检测Ticketbleed攻击推荐了几个安全厂商。

点评：以前是心Heart出血Bleed，这回是Ticket；下回是？

6、研究人员发现七成匿名浏览历史可以找到真人
{CHN}
标题：72%的匿名浏览历史可以联系到真人

作者信息：2017年02月08日 17时57分 星期三 By pigsrollaroundinthem

//BEGIN
斯坦福和普林斯顿的研究人员发现，今天的用户更可能点击朋友或朋友的朋友在社交网络上分享的链接。根据这一点，研究人员发现很容易将一个匿名的浏览历史与社交网络上的公开信息对接起来，识别用户的真实身份。在论文《De-anonymizing Web Browsing Data with Social Networks》中，研究人员报告他们的算法
对374套匿名浏览历史记录的测试取得了70%左右的成功率。

//END
Your Browsing History Alone Can Give Away Your Identity
Researchers have found a way to connect the dots between people’s private online activity and their Twitter accounts—even for people who have never tweeted.
KAVEH WADDELL  FEB 6, 2017
https://www.theatlantic.com/tech ... ry-identity/515763/
Advertisers would give just about anything to be able to lurk over your shoulder as you browse the internet. They want to know what sites you visit, how you get to them, how long you spend on them, and where you go next—along with as much personal information about you as they can get.
Of course, they don’t have to be in the room to figure any of that out. Dozens of trackers embedded in nearly every website collect information about how you interact with the page, and cookies stored in your browser tell advertisers how often you’ve visited the site before. But the holy grail is the ability to string all this information together to create profiles that corresponds to each individual user—that is, creating a complete picture of each person on the internet, beyond just scattered data points.

//下载： browsing-history-deanonymization.pdf (773.75 KB, 下载次数: 187)

2017-2-10 22:21 上传

点击文件名下载附件

文件名：browsing-history-deanonymization.pdf
文件大小：792，315 bytes
MD5     : FCE3D2C73CBD1993F5AFDF8420BD64C7


点评：真人还是假人？