每日安全简讯(20161208)

1、勒索软件Locky新变种借助Excel文档传播
2、勒索软件感染医疗系统影响2800患者预约
3、安全厂商发现广告横幅用于隐藏恶意代码
4、苏格兰足球协会被黑向球迷发送恶意软件
5、研究者揭示Linux内核提权漏洞技术细节
6、新的脏牛漏洞可将恶意代码直接写入进程

【安天】搜集整理（来源：securityweek、softpedia、arstechnica、softpedia、360、trendmicro）

1、勒索软件Locky新变种借助Excel文档传播
标题：Locky Variant Osiris Distributed via Excel Documents

作者信息：December 07, 2016 By Ionut Arghire

//BEGIN
The infamous Locky ransomware has once again switched to a new extension to append to encrypted files, but reverted to malicious Office documents for distribution, security researchers have discovered.
臭名昭著的勒索软件Locky家族又添加新成员了，不仅体现在其增加的文件扩展名上，而且还在于其传播方式。最新发现的扩展名是osiris，传播方式是采用xls的文档格式。该xls文件中含有宏，这个宏一旦被用户启用，就会以dll的文件下载勒索软件，并在系统的支持下自动运行起来勒索软件。以后的进程就是大部分经典的过程了：勒索软件搜索本地以及映射盘中的有价值文件，并加密他们。

//END
To stay protected, users should avoid downloading attachments coming from sources they don’t recognize. They should also pay attention to macro-enabled documents, as they often hide malware. Installing an anti-malware solution and keeping it updated at all times should also help prevent infections from happening.
为了免受该勒索软件的攻击，对于一般客户而言，应该避免从不熟悉来源的邮件中下载其附件；在启用文档的宏的过程中要特别注意，因为这些都可能导致恶意代码的引入。当然安装一个杀病毒软件并保持持续更新也是非常重要的。

点评：对付勒索软件，个人用户建议备份备份再备份。

2、勒索软件感染医疗系统影响2800患者预约
标题：Hospital Cancels Appointments of 2,800 Patients Due to Ransomware Infection
Systems were shut down to remove the infection

作者信息：Dec 6, 2016 13:24 GMT By Bogdan Popa

//BEGIN
Systems belonging to the Northern Lincolnshire and Goole NHS Foundation Trust suffered a major ransomware infection in October which caused operations to be interrupted for no less than four days.
原来据称是从USB传入恶意代码的事件被更正为确认是由勒索软件造成的。侵害的对象是Northern Lincolnshire和Goole NHS Foundation Trust机构，时间是今年10月份，该次勒索软件侵害事件导致了2800例患者预约受到影响，同时至少4天的手术中断。

//END
Systems were infected with Globe2 ransomware, and the hospital officials claim that all compromised files were cleaned and systems are now running normally.
勒索软件的名称为Globe2，医院的官员称所有的感染文件都已经被清除，目前系统运行正常。也没有向勒索者支付赎金，客户的资料和信息都是安全的。

点评：对付勒索软件，个人用户建议备份备份再备份。

3、安全厂商发现广告横幅用于隐藏恶意代码
标题：Millions exposed to malvertising that hid attack code in banner pixels
Manipulated images are almost impossible to detect by the untrained eye.

作者信息： 12/7/2016, 6:16 AM By DAN GOODIN

//BEGIN
Millions of people visiting mainstream websites over the past two months have been exposed to a novel form of malicious ads that embed attack code in
individual pixels of the banners.
您浏览的网页广告栏可能含有恶意代码！只要是IE浏览器，而且未打补丁，那么就有可能。该恶意代码的行动代号被命名为Stegano或者AdGholas。从2014年就已经开始了。但是直到今年的10月份，这个恶意代码通过搞定大型的新闻网站，并通过修改这些新闻页面的广告横幅的图形文件，使其含有恶意代码，类似水坑攻击。采用的漏洞是CVE-2016-0162、CVE-2015-8641、 CVE-2016-1019以及CVE-2016-4117等四个。

//END
Despite targeting only people using IE and unpatched versions of Flash, Stegano is noteworthy for its concealment of exploit code in the pixels of the banner ads. There's no reason future campaigns—or possibly ongoing ones that have yet to be discovered—couldn't exploit zero-day vulnerabilities that infected a much larger base of people. Until ad networks get much better at detecting malvertising campaigns, the scourge is likely to continue.
虽然目前发现的这个恶意代码只是针对未打补丁的IE和Flash，但是不得不注意的是还可能有未被发现的行动正在进行中，或者是采用0day漏洞的不是不可能。大型网站应该网络安全防护以避免类似的大型水坑攻击，造成用户大面积感染和受控。

点评：点击广告页面的图形也可能感染！

4、苏格兰足球协会被黑向球迷发送恶意软件
标题：Scottish Football Association Hacked to Send Malware to Fans
Users recommended to delete the mails as soon as possible

作者信息：Dec 6, 2016 09:55 GMT By Bogdan Popa

//BEGIN
The Scottish Football Association has just confirmed that “a third-party email database” was compromised by hackers, who managed to access subscriber
emails and send spam that included malware.
苏格兰足球协会的邮件服务器被黑，并以其的官方名义给其订阅用户发送恶意邮件。官方建议收到的用户删除这些恶意邮件。邮件的主要内容显示一个URL链接，催用户在48小时内付款。然而其真实的目的是能给用户的机器下载恶意代码。

//END
Users who received the emails from the SFA and clicked on the included attachments are recommended to install antivirus software and scan for possible
malware on their computers.
来源可能是位于中国的服务器。已经点击链接的用户建议安装杀毒软件检测其机器，确保安全。

点评：得小心钓鱼邮件。

5、研究者揭示Linux内核提权漏洞技术细节
{CHN}
标题：【漏洞预警】CVE-2016-8655inux内核通杀提权漏洞（21:45更新POC）

作者信息：2016-12-08 16:46:09 By adlab_mickey

//BEGIN
漏洞发现人：Philip Pettersson
漏洞编号：CVE-2016-8655
漏洞危害：高危，低权限用户利用该漏洞可以在Linux系统上实现本地提权。
影响范围：Linux内核（2011年4月19日发行）开始就受影响了，直到2016年11月30日修复。

//END
Philip Pettersson在Linux (net/packet/af_packet.c)发现条件竞争漏洞，可以让低权限的进程获得内核代码执行权限。
这个bug最早出现于2011年4月19号的代码中，详细请参考：
https://github.com/torvalds/linu ... e83e5ac6828b638603a
它于2016年11月30号被修复，详细请参考：
https://git.kernel.org/cgit/linu ... 91617700174c2c19b0c

点评：快补 Linux漏洞！

6、新的脏牛漏洞可将恶意代码直接写入进程
标题：New Flavor of Dirty COW Attack Discovered, Patched

作者信息：December 6, 2016 5:44 pm By Veo Zhang

//BEGIN
Dirty COW (designated as CVE-2016-5195) is a Linux vulnerability that was first disclosed to the public in October 2016. It was a serious privilege
escalation flaw that allowed an attacker to gain root access on the targeted system. It was described as an “ancient bug” by Linus Torvalds and was quickly patched once it was disclosed, with most Linux distributions pushing the patch to their users as soon as possible.
十月份被公布的Linux漏洞Dirty COW，是一个严重的提权漏洞，能让攻击者获得ROOT权限。被发现者称为一个古老的bug。该消息一经公布，修复补丁立即被发布。

//END
We have notified Google about this flaw. Dirty COW was initially patched as part of the November 2016 round of Android updates, but the fix did not become mandatory until the December 2016 round of updates. Users can check with their device manufacturer and/or phone carriers when their devices will receive this update.
Google已经知道该漏洞，虽然11月份的补丁已经修复，但是我们还是要等到12月份的补丁才能全部完成修复。因此用户要特别留意其系统是否修补成功。

点评：快补 Linux漏洞+1!