
Daily Security Briefing (20161029)

Posted 2016-10-28 22:00
Posted 2016-10-29 17:39
1. Android ransomware uses a new trick to auto-start on boot
Title: Android Ransomware Gets Around Auto-Start Restrictions by Hiding as Launcher App
Newest trick in Android.Lockscreen's playbook

Author info: Oct 27, 2016 15:20 GMT By Catalin Cimpanu

//BEGIN
Mobile malware authors have come up with a new trick that helps Android.Lockscreen, a ransomware strain that targets Google's mobile OS, to start automatically whenever the user reboots his device.
Unlike Windows, where trojans and malicious code can auto-start easily and in all sorts of ways, achieving auto-start on every boot under Android takes some effort. But the attackers have still found a new method: by disguising itself as a launcher app, a new ransomware variant, Android.Lockscreen, can auto-start on the victim's phone.

//END
"Users can prevent the malware from running by carefully selecting the default Android launcher, or any other legitimate launcher that they may have installed, and choosing 'Always' instead of 'Just Once'," the Symantec team recommends.
If you find yourself infected with something like Android.Lockscreen, but have yet to use the launcher app, go to your phone's Apps section and uninstall the app ASAP.
To guard against this kind of ransomware, when the phone starts the user should carefully choose Android's default launcher, or another legitimate launcher they installed themselves, and not let an unknown program be set to start automatically. At the same time, set the choice to 'Always' for the correct launcher rather than 'Just Once'.
Removal: uninstall the installed malicious app.

Comment: For Android phone security, we recommend installing AVL Pro.....
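
The trick above works because an app that declares an activity with the `android.intent.category.HOME` category is offered by Android as a home-screen launcher, and the launcher the user picks with 'Always' is started on every boot. The following triage script is an added example, not code from the Symantec or Softpedia write-ups: it parses an AndroidManifest.xml and reports every activity that registers as a home launcher, alongside the conventional BOOT_COMPLETED receiver path. The manifest, package name and component names are constructed for illustration and do not come from the real Android.Lockscreen sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"          # android:name attribute, namespace-qualified

HOME = "android.intent.category.HOME"
BOOT = "android.intent.action.BOOT_COMPLETED"

# Constructed sample manifest (hypothetical package; not from a real sample).
# It keeps the usual BOOT_COMPLETED receiver and, in addition, offers a second
# activity as a home launcher, which is the pattern described in the article.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakelauncher">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Video Player">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".LockActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.HOME"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _filters(component):
    """Yield (actions, categories) for each <intent-filter> of a component."""
    for f in component.findall("intent-filter"):
        actions = {a.get(NAME) for a in f.findall("action")}
        cats = {c.get(NAME) for c in f.findall("category")}
        yield actions, cats


def home_activities(manifest_xml):
    """Names of activities that register as a home screen (launcher)."""
    app = ET.fromstring(manifest_xml).find("application")
    found = []
    for act in app.findall("activity"):
        if any(HOME in cats for _, cats in _filters(act)):
            found.append(act.get(NAME))
    return found


def boot_receivers(manifest_xml):
    """Names of receivers listening for BOOT_COMPLETED (the conventional auto-start path)."""
    app = ET.fromstring(manifest_xml).find("application")
    return [r.get(NAME) for r in app.findall("receiver")
            if any(BOOT in actions for actions, _ in _filters(r))]


def triage(manifest_xml):
    """Human-readable findings for an analyst; one line per auto-start mechanism."""
    pkg = ET.fromstring(manifest_xml).get("package")
    findings = []
    homes = home_activities(manifest_xml)
    if homes:
        findings.append(f"{pkg}: HOME launcher activity {', '.join(homes)}; "
                        "appears in the launcher chooser and runs at boot if chosen with 'Always'")
    boots = boot_receivers(manifest_xml)
    if boots:
        findings.append(f"{pkg}: BOOT_COMPLETED receiver {', '.join(boots)}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_MANIFEST):
        print(line)
```

An app whose label suggests a video player or game but whose manifest carries a HOME-category activity deserves a closer look; a legitimate launcher replacement has no reason to hide that it is one.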

Posted 2016-10-29 17:41
2. A Locky knock-off named Hucky appears in Hungary
Title: Hungarian Developer Most Likely Behind Hucky Ransomware
New Locky clone discovered by Avast researchers

Author info: Oct 27, 2016 13:20 GMT By Catalin Cimpanu

//BEGIN
A new ransomware is going around that's trying to disguise itself as the more dangerous Locky, but is, in fact, a cheap knock-off, which based on available evidence, might be the work of a Hungarian malware author.
A Locky look-alike ransomware was recently found in Hungary. From analysis of its code and behaviour, researchers concluded it is very likely ransomware aimed specifically at Hungary: although encrypted files receive the .locky extension, it differs from the original Locky in several respects: a different programming language, Hungarian-language text inside the malware, a ransom note displayed in Hungarian, and so on, all of which point to the likely origin of its author.

//END
"We can conclude that Hucky is a new ransomware strain currently targeting Hungarian users only. Based on the aforementioned leads, there is a fair chance that its author is a native Hungarian speaker," Kroustek says. "The Hungarian orientation is probably also the reason why Hucky’s prevalence is low at the moment."
Weighing these factors, the researchers judged Hucky to be a new ransomware strain targeting Hungary, with an author who is very likely Hungarian; for that very reason its prevalence has so far been low.

Comment: Will Locky spawn a "Chucky" aimed at our country?

Posted 2016-10-29 17:43
3. Researchers discover the AtomBombing code injection technique
Title: Malware Abuses Windows Atom Tables for Novel Code Injection Technique
Microsoft can't patch against AtomBombing technique

Author info: Oct 27, 2016 17:10 GMT By Catalin Cimpanu

//BEGIN
Security researchers from enSilo have discovered a new way to inject malicious code into legitimate processes, which helps malware bypass security solutions. "An atom table is a system-defined table that stores strings and corresponding identifiers. An application places a string in an atom table and receives a 16-bit integer, called an atom, that can be used to access the string. A string that has been placed in an atom table is called an atom name."
Researchers have recently discovered a new development in malicious code: with it, malicious code can easily be injected into the processes of legitimate programs, making it very easy to evade monitoring and removal by security software. The method is called AtomBombing. An atom table is a system-defined table that stores strings and their corresponding identifiers.

//END
AtomBombing can't be patched
The enSilo researcher says that AtomBombing affects all Windows versions. The bad news is that this is a design flaw and not a vulnerability, which means that Microsoft can't patch it without changing how the entire OS works, an unfeasible solution.
AtomBombing joins the list of various code injection techniques discovered in the past, such as SQL injection, XSS, hotpatching, code hooking, and more.
Earlier in the month, Trend Micro researchers uncovered a PoS malware variant named FastPOS that abuses the Windows Mailslots mechanism to store data before exfiltration from infected systems.
AtomBombing affects every version of Windows. The bad news is that this is a design flaw rather than a vulnerability, which means Microsoft cannot fix it with a patch short of completely reworking the Windows operating system, and that looks unlikely.
In fact, apart from AtomBombing, code injection has previously been achieved with various techniques: SQL injection, cross-site scripting (XSS), hotpatching, code hooking, and so on.
Also, earlier this month a security company found a PoS malware variant that abuses the Windows Mailslot mechanism to store sensitive data stolen from infected systems.

Comment: So there is such a thing as a "design flaw", which instantly makes all those 0-day bugs look small...
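
Because the atom table is shared system-wide, the technique enSilo described does not write into the target process directly: the malicious process places its payload string in the global atom table with GlobalAddAtom, then queues an asynchronous procedure call (NtQueueApcThread) on a thread of the victim process with GlobalGetAtomName as the APC routine, so the victim copies the string into its own memory. That two-step sequence is what a sensor can look for. The detector below is an added example, not enSilo's code or the article's: it correlates atom-table writes with remote APCs over an API-call trace. The trace format (pid, tid, api, args, ret), the process IDs and the placeholder payload string are all constructed for illustration; a real sensor (ETW, a sandbox hook layer) would produce a different shape.

```python
# Constructed API-call trace in a hypothetical format (not real sandbox/ETW output).
TRACE = [
    # Benign: a process adds an atom and reads it back itself (normal window-class use).
    {"pid": 1000, "tid": 1001, "api": "GlobalAddAtomW",
     "args": {"str": "MyWindowClass"}, "ret": 0xC001},
    {"pid": 1000, "tid": 1001, "api": "GlobalGetAtomNameW",
     "args": {"atom": 0xC001}, "ret": 13},
    # Suspicious: dropper writes a payload string into the global atom table...
    {"pid": 4120, "tid": 4124, "api": "GlobalAddAtomW",
     "args": {"str": "<payload bytes, placeholder>"}, "ret": 0xC0A7},
    # ...then queues an APC on a thread of another process (pid 2200) whose routine
    # is GlobalGetAtomNameW(atom, buffer, size): the victim copies the string itself.
    {"pid": 4120, "tid": 4124, "api": "NtQueueApcThread",
     "args": {"target_pid": 2200, "target_tid": 2216,
              "routine": "GlobalGetAtomNameW", "arg1": 0xC0A7}, "ret": 0},
    # Remote APC with an unrelated routine: not an atom-table read, not flagged here.
    {"pid": 4120, "tid": 4124, "api": "NtQueueApcThread",
     "args": {"target_pid": 2200, "target_tid": 2216,
              "routine": "SleepEx", "arg1": 0}, "ret": 0},
]

ATOM_WRITE_APIS = {"GlobalAddAtomA", "GlobalAddAtomW"}
ATOM_READ_APIS = {"GlobalGetAtomNameA", "GlobalGetAtomNameW"}


def detect_atombombing(trace):
    """Flag remote APCs whose routine reads the global atom table.

    Returns one dict per hit: source pid, target pid, the atom handed to the
    routine, and whether the source process itself added that atom (the
    high-confidence case; a cross-process read of someone else's atom is odd,
    but a process reading back its own atom in another process is the technique).
    """
    added_by = {}          # atom (16-bit) -> pid that most recently added it
    hits = []
    for ev in trace:
        api = ev["api"]
        if api in ATOM_WRITE_APIS:
            added_by[ev["ret"]] = ev["pid"]
            continue
        if api != "NtQueueApcThread":
            continue
        a = ev["args"]
        if a.get("routine") not in ATOM_READ_APIS:
            continue
        if a["target_pid"] == ev["pid"]:
            continue           # APC into its own process: not an injection
        atom = a.get("arg1")
        hits.append({
            "src": ev["pid"],
            "target": a["target_pid"],
            "atom": atom,
            "atom_added_by_src": added_by.get(atom) == ev["pid"],
        })
    return hits


if __name__ == "__main__":
    for hit in detect_atombombing(TRACE):
        print(f"pid {hit['src']} queued GlobalGetAtomName APC into pid {hit['target']} "
              f"for atom {hit['atom']:#06x} (added by source: {hit['atom_added_by_src']})")
```

The rule is deliberately narrow: a remote APC is already unusual for most software, and one whose routine is GlobalGetAtomName has no ordinary use, so the false-positive surface is small even before the atom-ownership check.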

Posted 2016-10-29 17:47
4. Banking trojan CloudFanta spreads via cloud storage apps
Title: CloudFanta Malware Steals Banking Information Via Cloud Storage Apps

Author info: October 27, 2016 By Pierluigi Paganini

//BEGIN
Watch out, threat research labs Netskope spotted the CloudFanta Malware Stealing Banking Information Via Cloud Storage Apps.
A security company has found a piece of malicious code that steals online-banking information through cloud storage apps; its name is CloudFanta.

//END
There are various steps businesses and individuals can take to prevent cloud-malware from infecting their sensitive information, for example, policy to block executable files with type “image/png,” end-to-end encryption software, enable “view known file extension” in windows explorer, two-factor authentication, Virtual Private Network (VPN) software, updated antivirus, and keep system updated.
IT pros should also make it a practice to keep track of and detect unauthorized cloud services, and ensure policies regarding prevention of data loss, managing data entry, and back-up of sensitive data stored in the cloud.
To guard against this type of cloud-delivered malicious code stealing users' sensitive information, both enterprises and individuals can take technical measures. For example, policies could include blocking execution of executable files carrying the image/png image type; using end-to-end encryption for the software in use, to prevent man-in-the-middle (MitM) hijacking; turning on display of all file extensions in Windows Explorer; using two-factor authentication; enabling a VPN; upgrading security software promptly and keeping the operating system on the latest version.
As for cloud usage, IT staff should closely track the use of cloud services, promptly detect unauthorized access, take genuinely effective measures to prevent data loss, put management controls on data entering and leaving, and, even for data stored in the cloud, make timely and proper off-site backups of sensitive information.

//Download: CloudFanta Malware Report20161025.pdf (1.76 MB, 426 downloads)
File name: CloudFanta Malware Report20161025.pdf
File size: 1,846,515 bytes
MD5     : 5847E19328E03E95FBE6438F71B28892

Comment: Part of Cloud Security, cloud application security: the theme at AVAR2016 is still that AV is about to die? Now that everything has moved to the cloud, isn't death further away than ever?
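
The first recommendation above, blocking executables served with the type "image/png", only works if the check looks at the bytes rather than trusting the declared type or the file name, which is also why the advice to show known file extensions matters. The following check is an added example, not code from the Netskope report or the article: it sniffs the leading magic bytes of a downloaded file, compares them with the declared MIME type, and separately flags the "document.pdf.exe" style of double extension that a hidden-extension setting would mask. The file names and byte strings are constructed for illustration; the MIME labels for PE and ZIP are the ones libmagic commonly reports and are an assumption of this example.

```python
import os

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
MAGIC = [
    (PNG_MAGIC, "image/png"),
    (b"MZ", "application/x-dosexec"),          # PE executable (EXE, DLL, SCR)
    (b"PK\x03\x04", "application/zip"),       # ZIP container: also JAR, APK, OOXML
]
EXECUTABLE_TYPES = {"application/x-dosexec", "application/zip"}
EXECUTABLE_EXTS = {".exe", ".scr", ".jar", ".js", ".vbs", ".bat", ".cmd"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".png", ".jpg"}


def sniff(data):
    """Content type from leading magic bytes; unknown content stays opaque."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    return "application/octet-stream"


def deceptive_name(filename):
    """True for 'Fatura.pdf.exe' style names: a document-looking inner extension
    in front of an executable one, which looks like 'Fatura.pdf' when Explorer
    hides known extensions."""
    root, ext = os.path.splitext(filename.lower())
    _, inner = os.path.splitext(root)
    return ext in EXECUTABLE_EXTS and inner in DOC_EXTS


def decide(filename, declared_mime, data):
    """Policy decision for one download: ('block', reason) or ('allow', actual_type)."""
    actual = sniff(data)
    if declared_mime == "image/png" and actual != "image/png":
        return ("block", f"declared image/png but content is {actual}")
    if actual in EXECUTABLE_TYPES and deceptive_name(filename):
        return ("block", f"executable content behind deceptive name {filename}")
    return ("allow", actual)


# Constructed downloads: (file name, declared MIME type, first bytes).
SAMPLES = [
    ("logo.png", "image/png", PNG_MAGIC + b"\x00" * 16),
    ("photo.png", "image/png", b"MZ\x90\x00" + b"\x00" * 60),
    ("Fatura.pdf.exe", "application/octet-stream", b"MZ\x90\x00" + b"\x00" * 60),
    ("report.docx",
     "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
     b"PK\x03\x04" + b"\x00" * 26),
]


def scan(samples):
    """Apply decide() to every sample; returns {file name: (verdict, detail)}."""
    return {name: decide(name, mime, data) for name, mime, data in samples}


if __name__ == "__main__":
    for name, (verdict, detail) in scan(SAMPLES).items():
        print(f"{verdict:5s} {name}: {detail}")
```

A real gateway would hand anything that reaches the "application/zip" branch on to a container inspector, since a ZIP may be a harmless document as readily as a JAR; the point here is that neither the declared type nor the visible name is evidence of what the bytes are.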

Posted 2016-10-29 17:48
5. Ukrainian hacker group leaks 2,337 emails of Putin aide
Title: Ukrainian Hackers Leak Sensitive Emails from Kremlin Official
Russia faces its own Guccifer 2.0 after controversial leak

Author info: Oct 28, 2016 02:45 GMT By Catalin Cimpanu

//BEGIN
A group of hackers that goes by the name of CyberHunta has leaked 2,337 emails, which they claim came from the email account of Vladislav Surkov, advisor to President Vladimir Putin.
The Ukrainian hacker group CyberHunta leaked 2,337 emails of a Putin aide. Russian officials, however, denied their authenticity, though unofficial figures inside Russia believe they are genuine.

//END
CyberHunta is the Ukraine's Guccifer 2.0, promises more leaks
CyberHunta is a newly formed hacking group that describes itself as a "Ukrainian community of hackers and analysts who oppose foreign aggression and fight internal enemies."
The group also promised to "continue to extract and analyze email and correspondence of 'iconic' figures in Russia."
To prove the authenticity of its material, the CyberHunta hacker group may go on to leak more Russian emails and communication records. Although the group was formed only recently, it says its purpose is to resist foreign aggression while also going after internal enemies.

Comment: The Russia-Ukraine story is a long one; new actors will keep emerging and taking the stage.

Posted 2016-10-29 17:49
6. Dolphin-hunting season triggers a new round of Anonymous DDoS attacks
Title: Dolphin Killing Season Brings New Waves of Anonymous DDoS Attacks
Hacktivist group doesn't let up. Reembarks on #OpKillingBay

Author info: Oct 27, 2016 21:45 GMT By Catalin Cimpanu

//BEGIN
Hacktivists still active in the once mighty Anonymous hacker collective have restarted DDoS attacks on Japanese institutions as part of their ancient OpKillingBay campaign.
Hackers with animal-protection leanings have launched an Anonymous DDoS campaign against various Japanese institutions and groups, and even gave the campaign a name: OpKillingBay.

//END
Despite the lack of media attention for Anonymous campaigns in recent months, and especially OpKillingBay, the group is strong on its position to force Japan to stop whale and dolphin killing, even if it's through illegal means.
Even if it means illegal DDoS attacks, the hackers do not hold back; the group declares that it opposes Japan's seasonal hunting of whales and dolphins.

Comment: The island nation still hasn't dropped this habit? Next year, don't just keep DDoSing; can you raise the technical level a bit and think of something more thorough? ^^^
