
Daily Security Briefing (20161101)

Posted 2016-10-31 21:16

Posted 2016-11-1 06:17
October 2016 [Antiy Daily Security Briefing source statistics]:
Period and scope: 1 to 31 October 2016, 6 news items per day, 186 items in total.
These 186 items came from 51 websites (48 last month). The "long tail" (sites from which only one article was used) continues: 35 sites (30 last month).
The top 3 sources together supplied 103 items (91 last month), more than half.
The top three changed slightly from last month, returning to the "3S" pattern, with securityaffairs replacing freebuf in third place:
softpedia: 57 items (47 last month)
securityweek: 25 items (26 last month)
securityaffairs: 21 items

Posted 2016-11-1 06:18
Mirai, IoT and DDoS related topics [No. / Date / Title / URL]:
01 20161024 Antiy publishes analysis report on the US DDoS attack incident
http://www.antiy.com/response/Mirai/Mirai.html

02 20161027 CNNVD issues notice on network attack incidents triggered by IoT vulnerabilities
http://www.cnnvd.org.cn/notice/show/id/7802

03 20161004 Mirai botnet source code released by its author
https://krebsonsecurity.com/2016 ... net-mirai-released/

04 20161005 Security vendor publishes Mirai botnet investigation report
https://www.malwaretech.com/2016 ... net-case-study.html

05 20161010 Security team publishes analysis report on the IoT malware Mirai
http://mp.weixin.qq.com/s?__biz= ... cf8d357a3db6261f8fb

06 20161010 DDoS botnet spreads via default passwords on Chinese-made cameras
http://toutiao.secjia.com/xiongmai-technologies-dvr-root-password

07 20161014 Mirai malware has infected IoT devices almost worldwide
https://www.easyaq.com/newsdetail/id/1162661789.shtml

08 20161016 Mirai IoT DDoS trojan now targets cellular network equipment
http://news.softpedia.com/news/m ... ipment-509310.shtml

09 20161020 Mirai-based DDoS attacks increase after source code release
http://www.securityweek.com/mira ... s-after-source-leak

10 20161020 New IoT threat: Hajime worm is more sophisticated than Mirai
https://www.easyaq.com/newsdetail/id/364671781.shtml

11 20161023 DNS provider hit by DDoS attack, affecting many US sites
http://www.freebuf.com/news/117403.html

12 20161024 Hacker group claims responsibility for large-scale US DDoS attack
http://bobao.360.cn/news/detail/3679.html

13 20161028 Singapore also hit by IoT device botnet DDoS attack
http://news.softpedia.com/news/s ... evices-509673.shtml

14 20161028 100,000 IoT devices behind the US internet outage
http://news.softpedia.com/news/b ... attack-509687.shtml

15 20161030 Devices infected by the Mirai botnet span 164 countries
http://www.securityweek.com/mira ... vices-164-countries

16 20161030 Experimental botnet Rex starts incorporating Mirai components
http://news.softpedia.com/news/t ... 0-bots-509768.shtml

17 20161031 New IPv6-capable IoT botnet developed in Italy
http://securityaffairs.co/wordpr ... telnet-malware.html

18 20161031 Attack on US DNS provider Dyn may have been collateral damage
http://www.freebuf.com/news/117830.html

19 20161015 New Linux trojan NyaDrop emerges, threatening the IoT sector
http://news.softpedia.com/news/a ... dscape-509278.shtml

20 20161018 Foreign hacker finds XXE vulnerability in Chinese-made cameras
http://www.freebuf.com/vuls/116613.html

21 20161024 Criminal group attacks Brazilian home routers using default passwords
http://www.welivesecurity.com/20 ... efault-credentials/
===================================
Collection period: 20161001-20161031
Source: Antiy Daily Security Briefing
Compiled and published: 20161101
Note: compiling and publishing these items does not imply agreement with or support for the authors' views and claims, except for item 1.

Posted 2016-11-1 06:19
File: 安天201610每日简讯集.pdf
MD5: 5C17384101A70C0A1C4DE5F407F0789C
Size: 549,184 bytes
Download: 安天201610每日简讯集.pdf (536.31 KB, 416 downloads)

Posted 2016-11-1 21:24
1. Buffer overflow in Mirai source code can stop some DDoS attacks
Title: Bug in Mirai Source Code Could Stop Some DDoS Attacks Dead in Their Tracks

Author info: Oct 30, 2016 20:30 GMT By Catalin Cimpanu

//BEGIN
Scott Tenaglia, Research Director at Invincea Labs, says that a bug in the Mirai IoT malware source code can be used to stop certain types of DDoS attacks launched by the botnet.
Botnet attacks launched by Mirai may be stopped, because a buffer overflow in the source code of this IoT malware can terminate some of its HTTP-based DDoS attacks, though not the earlier DNS-based attack (which reportedly caused Dyn to stop serving, affecting many websites' availability to the outside world).

//END
Mirai botnet reaches 775,000 bots
Tenaglia says that this bug can't be used to remove Mirai from infected hosts, but merely stop their attacks.
The only way to remove Mirai from a host is to reboot the device, but researchers say that if the Telnet port remains open to the Internet and the user continues to use factory default passwords, the device is likely to be compromised between two and five minutes.
Mirai, which appeared at the start of September, is one of today's most dangerous malware families, with around 775,000 bots, according to data from Qihoo 360(http://data.netlab.360.com/mirai-scanner), and responsible for the world's largest DDoS attacks, on sites such as Dyn, KrebsOnSecurity, and French ISP OVH.

Researchers say the bug will not make Mirai disappear on its own; it only renders its preset attacks ineffective. The current way to remove this IoT malware is to reboot the device, close the Telnet login port and change the default user login password; otherwise the device will be re-infected 2-5 minutes later, even after a reboot. Mirai, which appeared in September, is currently the most dangerous malware family; according to Qihoo 360's statistics it has now reached a size of about 780,000, and the botnet subjected Dyn, KrebsOnSecurity and the French ISP OVH to the largest DDoS attacks in history.

Comment: IoT device security continues to lead the field....

Posted 2016-11-1 21:27
2. Researchers discover Aidra, IoT device DDoS botnet malware
Title: MMD-0059-2016 - Linux/IRCTelnet (new Aidra) - A DDoS botnet aims IoT w/ IPv6 ready

Author info: Friday, October 28, 2016 By unixfreaxjp

//BEGIN
This post is a report of what seems to be a new IRC botnet ELF malware, which is obviously used for performing DDoS attacks via an IRC botnet. It was partially coded to the Tsunami/Kaiten protocol specification, but re-coded in a different way, adding more features in messaging and in the malicious/attack vectors used. The malware (the bot client) is designed to aim at IoT devices via the telnet protocol, using its originally coded telnet scanner function, which brute-forces the known vulnerable credentials of Linux IoT boxes, via commands sent from a malicious CNC IRC server.
This is a technical report on a Linux ELF malware sample: it can be used to build a botnet, and that botnet launches DDoS attacks controlled through the IRC chat tool. The protocol it uses has similarities to some earlier protocols but has clearly been rewritten, with added messaging and attack methods. Its targets are IoT devices, which it reaches through a Telnet scanning function, using forced usernames and passwords to infect Linux-based IoT devices. The malware is named Linux/IRCTelnet (a new variant of Aidra).


//END
Threat mitigation and prevention
Mitigation for Linux/IRCTelnet (new Aidra) infection is as mentioned in the previous analysis about protecting your IoT.
There is a lot of badness aiming at globally served open telnet services; if you don't really need it, please turn the service off, or use it with access restrictions and avoid the use of known vulnerable usernames or passwords. Linux/IRCTelnet (new Aidra) doesn't have any persistence, autostart or rootkit, or anything that can damage your IoT. This variant can be easily removed by rebooting the infected device. But if you don't secure telnet after the reboot, it will come to infect you again. The CNC server holds the list of infected nodes, so the actor can make a re-infection effort as soon as he realizes the bot client has been wiped off.
Ways to prevent attacks by this malware: first, if the device is not needed, it is recommended not to turn it on at all; if it must be used, set an access restriction policy for the device and avoid using the default username and password. The malware has no persistence on the device and no ability to start automatically at boot, so a reboot is enough to remove it. But if Telnet is not restricted, the device will be infected again after the reboot.

Comment: IoT device security yet again.....

Posted 2016-11-1 21:28
3. Vulnerabilities found in the W3C Web Bluetooth API could affect IoT devices
Title: New W3C Web Bluetooth API Is a Privacy Nightmare
Privacy expert raises some questions about Web Bluetooth API

Author info: Oct 30, 2016 20:40 GMT By Catalin Cimpanu

//BEGIN
The World Wide Web Consortium's (W3C) new Web Bluetooth API is riddled with potential security holes which, if left unaddressed during the specification's drafting, will open the door for user fingerprinting and potentially IoT equipment hacking.
Security experts have found vulnerabilities in the technical draft of the W3C Web Bluetooth API that could be used to attack IoT devices.

//END
He also criticized the W3C's Proximity Sensor API, which he said could be reliably used to fingerprint users across different websites, based on how close they hold the device next to their face.
Not only Bluetooth: the sensor API, among others, could also be used to pinpoint a user's exact location.

Comment: IoT device security once more.....

Posted 2016-11-1 21:29
4. Google researchers discover kernel privilege escalation vulnerability in OS X and iOS
{CHN}
Title: Embarrassing! Google team finds kernel vulnerability in OS X and iOS

Author info: 2016-10-30 By Sina Tech

//BEGIN
Beijing time, 30 October: two years ago Google set up Project Zero, a team dedicated to zero-day vulnerabilities. Recently the team found a vulnerability in Apple's OS X and iOS that could allow an attacker on operating system versions other than the latest to escalate privileges and obtain root.

//END
On 20 September Apple delivered an "emergency fix" through OS X 10.12. Apple said the emergency fix mitigated the impact of the problem but could not resolve it completely. On 3 October Apple tried a more effective fix in Mac OS 10.12.1 beta 3, and that fix was released two days ago.

Comment: starting from zero....

Posted 2016-11-1 21:29
5. Hackers use recently patched critical Joomla vulnerabilities to break into many websites
Title: Many Joomla Sites Hacked via Recently Patched Flaws

Author info: October 31, 2016 By Eduard Kovacs

//BEGIN
Less than 24 hours after Joomla released patches for a couple of critical account creation vulnerabilities, researchers noticed that malicious actors had already started exploiting the flaws in the wild.
Within 24 hours of Joomla disclosing the vulnerabilities, security researchers had already observed attacks exploiting the flaws against unpatched sites.

//END
The security firm believes all websites that haven’t been patched immediately are likely already compromised. Joomla website administrators have been advised to check their logs for activity from the IP addresses identified by Sucuri, and look for any suspicious admin accounts.
Security experts say that every Joomla site not yet patched is very likely to be exploited; system administrators are advised to keep a close eye on system accounts and check the system logs to guard against attacks from hackers.

Comment: disclosing vulnerabilities cuts both ways: publication means attackers can quickly find the weak spot and attack the users and websites that have not yet had time to patch.
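The two checks the article recommends (activity from the published IP addresses, and suspicious admin accounts) as an added example that is not part of the post or of Sucuri's or Joomla's own tooling; the indicator IPs, cutoff date, log lines and user records are constructed, and the `option=com_users&task=registration.register` pattern is assumed from the stock Joomla registration component.

```python
"""Post-patch triage for a Joomla site: flag access-log lines from a known-bad IP
list or hitting the registration endpoint, and admin accounts created after a cutoff.
Added example with constructed data, not code from the article, Sucuri or Joomla."""
import re
from datetime import datetime

BAD_IPS = {"203.0.113.7", "198.51.100.22"}   # constructed placeholder indicators
PATCH_CUTOFF = datetime(2016, 10, 25)        # constructed: admins created after this are suspect
# Combined Log Format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Joomla front-end registration request (assumed from the stock com_users component).
REGISTRATION = ("option=com_users", "task=registration.register")

def flag_log_lines(lines, bad_ips=BAD_IPS):
    """Return (ip, reason, path) tuples that deserve a closer look."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format
        ip, _ts, method, path, _status = m.groups()
        if ip in bad_ips:
            hits.append((ip, "known-bad source", path))
        elif method == "POST" and all(tok in path for tok in REGISTRATION):
            hits.append((ip, "registration POST", path))
    return hits

def suspicious_admins(users, cutoff=PATCH_CUTOFF,
                      admin_groups=("Administrator", "Super Users")):
    """Usernames in an admin group whose account was registered on/after cutoff."""
    return sorted(u["username"] for u in users
                  if u["group"] in admin_groups and u["registered"] >= cutoff)

SAMPLE_LOG = [  # constructed access-log lines
    '203.0.113.7 - - [26/Oct/2016:03:14:01 +0000] "POST /index.php?option=com_users&task=registration.register HTTP/1.1" 303 0',
    '192.0.2.10 - - [26/Oct/2016:03:15:30 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '192.0.2.44 - - [26/Oct/2016:03:16:02 +0000] "POST /index.php?option=com_users&task=registration.register HTTP/1.1" 303 0',
]
SAMPLE_USERS = [  # constructed rows joined from the Joomla users and groups tables
    {"username": "webmaster", "group": "Super Users", "registered": datetime(2015, 3, 1)},
    {"username": "sys_upd8", "group": "Administrator", "registered": datetime(2016, 10, 26)},
    {"username": "jane", "group": "Registered", "registered": datetime(2016, 10, 27)},
]

if __name__ == "__main__":
    for hit in flag_log_lines(SAMPLE_LOG):
        print(*hit)
    print(suspicious_admins(SAMPLE_USERS))
```

Registration POSTs from addresses not on the indicator list are flagged as well, since the article notes the exploited flaws were account-creation bugs and the published IP list is only a starting point.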

Posted 2016-11-1 21:32
6. Researchers find UK Apple users facing a new round of SMS phishing
Title: UK Apple users targeted with phishing campaign as the clocks go back
Hackers leveraged daylight saving to send out spam SMS messages to potential victims.

Author info: October 31, 2016 04:45 GMT By India Ashok

//BEGIN
As the clocks went back an hour in the UK, hackers began targeting Apple users with a phishing scam in the hopes of stealing personal details. Via the new campaign hackers posing as Apple send out a scam SMS, which informs users about the immediate expiry of their Apple IDs.
Within the past hour, Apple phone users in the UK received a phishing SMS intended to steal their personal information; on its face, it tells users that their Apple ID is about to expire and must be renewed immediately.

//END
This is not the first time that Apple users have been targeted via a phishing campaign. In May, Apple users in the UK were targeted with similar attacks, wherein users received text messages that claimed that their iCloud account had been deactivated. In June, cybersecurity firm FireEye noted that Apple users in China as well as the UK were being targeted by "several phishing campaigns".
The consistent phishing scams even prompted Apple to issue a warning to users to be wary of suspicious emails and/or text messages.
This is not the first time this has happened. In May this year, UK Apple phone users were hit by similar attacks, though at that time the lure was that the user's iCloud was about to expire. A security firm said Apple users in both China and the UK had suffered serious SMS phishing attacks, so Apple issued an official statement reminding users to watch out for suspicious emails and text messages.


Comment: a textbook social engineering attack.... don't fall for it.
