
Daily Security Briefing (20161124)

Posted 2016-11-23 21:31

Posted 2016-11-24 16:03
1. Security vendor's ransomware decryption tool adds Crysis support
Title: ESET Crysis decryptor to rescue files encrypted by the Crysis ransomware

Author info: November 22, 2016 By Pierluigi Paganini

//BEGIN
ESET security firm has included master decryption keys into a decryption tool that allows rescuing the encrypted files without paying the ransom.
Good news for the victims of the Crysis ransomware: ESET security firm has included master decryption keys into a tool that allows rescuing the encrypted files.
A security company has released a decryption tool for the Crysis ransomware. It is based on a post by an unknown user on a security forum that published a C header file for decrypting the ransomed files; using this header file, which contains the decryption keys, the security company developed a dedicated tool to decrypt them.

//END
It is not clear why crooks dropped the decryption keys, likely they tried to ease the pressure of law enforcement that were trying to identify the operators behind the malware.
ESET has included the decryption keys in a free tool, ESET Crysis decryptor, and published instructions to use it.
So far it is not clear why these decryption keys were publicly released; one guess is deterrence by law enforcement agencies, another is that disagreements among the ransomware's developers could also have led to the leak. In any case, it may be good news for affected users. The ransomware can encrypt 200 valuable file types, and affected regions include Russia, Japan, South Korea, North Korea and Brazil.

//Download: esetcrysisdecryptor.rar (429.41 KB, downloads: 33)
File name: esetcrysisdecryptor.exe
File size: 477,312 bytes
MD5: 7D7B585BEF4421AD8286CE5B149280DF

Comment: Against ransomware, the advice is still back up, back up, and back up again.

Posted 2016-11-24 16:05
2. Locky ransomware spread via fake ISP complaint phishing emails
Title: Fake ISP Complaint Emails Distribute Locky Ransomware Variant

Author info: November 22, 2016 By Ionut Arghire

//BEGIN
Distributed via spam emails pretending to be complaints from an Internet Service Provider (ISP), a newly observed Locky ransomware variant appends the .AESIR extension to the encrypted files, security researchers reveal.
Locky, once the most high-profile ransomware, is still spreading through spam emails, but it has changed its disguise: this time the messages pretend to come from the user's ISP, complaining that the user has sent too much spam. In fact, the ZIP attachment in the email contains the ransomware. One notable feature is that the string AESIR is appended to the file names of the encrypted valuable files.

//END
The ZIP file includes a JavaScript that, when opened, downloads an encrypted DLL that is decrypted into the %Temp% folder on the infected machine. Loaded using the legitimate Windows program Rundll32.exe, the DLL will install and execute the Locky ransomware.
As soon as the installation process has been completed, the ransomware scans the computer and network shares (including the unmapped ones) for specific file types and starts encrypting them. Encrypted files are renamed and appended the .AESIR extension.
After the encryption process has been completed, the malware displays a ransom note informing the victim on what happened with their files and providing instructions on how to pay the ransom to decrypt the files.
Analysis shows that the attachment of the spam emails spreading the ransomware is a JavaScript file; when opened, it automatically downloads an encrypted DLL into the system's temporary directory TEMP. The DLL is invoked by the legitimate system file Rundll32.exe and, once successfully executed, installs and runs the Locky ransomware.
Once installed, the ransomware automatically searches the machine's local or mapped disk drives and encrypts the target files. Only after everything is done does it tell the user how to pay the ransom, how to decrypt, and so on.

Comment: Against ransomware, the advice is still back up, back up, and back up again.
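As an added defender's example (not part of the original post or the article it quotes), the following Python checks constructed Sysmon-style process and file events for the two observable points of the chain described above: a script host spawning rundll32.exe with a DLL path in the user's Temp folder, and files being written with the .AESIR extension. The key=value event format, paths and sample values are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed, simplified Sysmon-style events (not real telemetry); values with spaces are double-quoted.
EVENTS = [
    'type=ProcessCreate parent=C:\\Windows\\System32\\wscript.exe image=C:\\Windows\\System32\\rundll32.exe '
    'cmdline="rundll32.exe C:\\Users\\bob\\AppData\\Local\\Temp\\a1b2c3.dll,qwerty"',
    'type=ProcessCreate parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\rundll32.exe '
    'cmdline="rundll32.exe shell32.dll,Control_RunDLL"',
    'type=FileCreate image=C:\\Windows\\System32\\rundll32.exe target=C:\\Users\\bob\\Documents\\budget.xlsx.AESIR',
    'type=FileCreate image=C:\\Windows\\System32\\rundll32.exe target=\\\\fileserver\\share\\report.docx.AESIR',
    'type=FileCreate image=C:\\Windows\\explorer.exe target=C:\\Users\\bob\\Documents\\notes.txt',
]

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # hosts that run a JavaScript attachment


def parse_event(line):
    """Turn one key=value line into a dict (quoted or bare values)."""
    return {k: (quoted or bare) for k, quoted, bare in KV.findall(line)}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_temp_dll_loader(ev):
    """Script host -> rundll32.exe loading a DLL from the user's Temp folder (the chain in the article)."""
    if ev.get("type") != "ProcessCreate" or basename(ev.get("image", "")) != "rundll32.exe":
        return False
    cmd = ev.get("cmdline", "").lower()
    return basename(ev.get("parent", "")) in SCRIPT_HOSTS and "\\appdata\\local\\temp\\" in cmd and ".dll" in cmd


def aesir_writers(events):
    """Count, per writing process, files created with the .AESIR extension (local paths and UNC shares alike)."""
    hits = Counter()
    for ev in events:
        if ev.get("type") == "FileCreate" and ev.get("target", "").lower().endswith(".aesir"):
            hits[basename(ev.get("image", ""))] += 1
    return hits


def analyze(lines):
    events = [parse_event(line) for line in lines]
    return {
        "loader_alerts": [ev["cmdline"] for ev in events if is_temp_dll_loader(ev)],
        "aesir_counts": aesir_writers(events),
    }


if __name__ == "__main__":
    print(analyze(EVENTS))
```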

Posted 2016-11-24 16:09
3. Android banking Trojan can block anti-virus programs from launching
Title: Android Trojan Prevents Security Apps From Launching

Author info: November 22, 2016 By Ionut Arghire

//BEGIN
A newly discovered Android banking Trojan has been designed not only to be resilient to anti-malware applications, but also to counter them by preventing them from launching, Fortinet security researchers warn.
Detected as Android/Banker.GT!tr.spy, the new malware family was designed to steal banking information from the users of 15 different mobile banking apps for German banks. What’s more, the Trojan’s authors can control the list of targeted applications from the command and control (C&C) server, meaning that they could easily target more of them.
Banking Trojans running on the Android platform are no longer content with passively evading detection by anti-virus software; they now go on the offensive and block these legitimate anti-malware programs from running. Its theft targets are 15 mobile banking apps from different German banks, and judging from the Trojan's design, its authors can change the list of targeted apps at will, thereby extending their reach.

//END
The malware communicates with the C&C server via HTTPS. In addition to the stolen banking credentials, it sends information such as device IMEI, the ISO country code, Android build version, device model, and phone number. It also collects a list of installed applications and sends it to the server.
To remove the Trojan, users should first disable its administrator rights by heading to Settings -> Security -> Device administrators -> Device Admin -> Deactivate. Next, they can uninstall the malicious program with the help of ADB (Android Debug Bridge) by using the command 'adb uninstall [packagename]'.
This banking Trojan uses HTTPS to communicate with its C2 server. Besides stealing bank authentication information, it also steals the user's mobile device information: the phone's IMEI, country code, Android version, phone model, phone number and so on, and it also collects a list of installed applications and sends it to the C2 server. To remove the Trojan, first suspend or revoke its administrator rights: Settings / Security / Device administrators / Device Admin / Disabled! Only then can the installed malicious banking Trojan be uninstalled with an ADB command.

Comment: For Android anti-virus, AVL Pro is recommended!

Posted 2016-11-24 16:10
4. OneDrive for Business accounts found being used to spread malware
Title: OneDrive for Business accounts used to spread malware

Author info: 2016-11-22 By Ian Barker

//BEGIN
Malware purveyors have been making use of cloud services for some time; sending cloud-storage links that host malware to victims is an efficient way for cyber criminals to operate.
In a new twist to the technique, Forcepoint Security Labs has discovered that cybercriminals have been utilizing compromised Microsoft OneDrive for Business accounts to host malware since at least August of this year.
Microsoft's OneDrive for Business users have been hit, with their accounts used to spread malware. This kind of malicious distribution is more deceptive because it exploits MS and cloud services, which ordinary users neither suspect nor have the ability to vet.

//END
"The abuse of online cloud storage services are a cost effective and highly disposable approach for cybercriminals to spread malware," says Forcepoint researcher Rolan Dela Paz writing on the company's blog. "However, as this tactic is already known to many people nowadays, cybercriminals may be looking for alternative ways to keep their social engineering ploys effective. The abuse of Microsoft OneDrive for Business service may aid them in this case. Since it is a paid service for businesses, malicious download links hosted by the platform adds a layer of 'trust' to prospective victims to inadvertently downloading malware".
You can find out more about the attacks and how they work on the Forcepoint website.
Abusing cloud storage services to spread malicious code is a rather covert distribution channel. Of course, as exposure by the security community increases, more and more techniques are being adopted; the OneDrive for Business accounts mentioned here are actually a paid service, which makes them more deceptive.

Comment: Ordinary novice users can hardly be expected to have advanced discernment skills; it is neither necessary nor realistic. The advice is still to hire an advanced, professional and trustworthy security company to stand guard.

Posted 2016-11-24 16:11
5. Attackers attempt to spread malware via the ask.com toolbar
Title: Ask.com infected toolbar gets stopped in its tracks before it gets started

Author info: November 22, 2016 By Pierluigi Paganini

//BEGIN
Security experts at Red Canary discovered attackers who were trying to use the Ask.com Toolbar as a vector to spread malware.
The hackers spreading malicious code have set their sights on the ask.com toolbar, which is commonly embedded in browsers.

//END
The initial .exe spawned an additional .png file which was in itself executing additional code, another red flag which further alerted the fast acting research team at Red Canary.
The EXE file may in turn invoke a PNG image file, and it is this image file that causes the malicious code to execute. This route likewise deserves attention.

Comment: Exploiting a toolbar like this is rare; they really get in everywhere.

Posted 2016-11-24 16:12
6. US government revises rules to allow hacking of suspect users worldwide
{CHN}
Title: US government revises rules; from next month, hacking of suspect users worldwide will be allowed

Author info: 2016-11-23 11:23 By E安全

//BEGIN
E安全 news, November 23: The US government is preparing to amend the relevant provisions of Rule 41 of the Federal Rules of Criminal Procedure, and the amendment will harm the information security of individuals worldwide. Many communities and individuals in the US have loudly opposed amending Rule 41. The US Department of Justice, however, applauds it, because next month the new rule will take effect, allowing them to more easily hack into the thousands or even tens of thousands of computers potentially involved in a criminal investigation, and to obtain a warrant authorizing intrusion into a computer whose location is unknown.
On the other hand, critics worry that the Department of Justice's new powers will trigger mass hacking and cross-border hacking without oversight, debate or guidance.

//END
The Electronic Frontier Foundation also strongly opposes the amendment, stating that substantive changes to rights and new channels for government hacking must be approved by Congress.
Well-known technical experts oppose amending the rule, pointing out that mass hacking will damage not only criminals' computers but also victims' computers. Tor was developed by the US government and is largely funded by the US government.

Comment: The world police of a new era will inevitably intensify the confrontation in cyber security.
