Daily Security Briefing (20161211)

Posted on 2016-12-10 22:00
Posted on 2016-12-11 22:09
1. Security vendor publishes a review of how ransomware changed in 2016
Title: Kaspersky Security Bulletin 2016. The ransomware revolution
Story of the year

Author info: December 8, 2016. 8:54 am By Fedor Sinitsyn, Anton Ivanov, Santiago Pontiroli, David Emm

//BEGIN
Introduction
In 2016, ransomware continued its rampage across the world, tightening its hold on data and devices, and on individuals and businesses.
The numbers speak for themselves:
62 new ransomware families made their appearance.
There was an 11-fold increase in the number of ransomware modifications: from 2,900 new modifications in January/March, to 32,091 in July/September.
Attacks on business increased three-fold between January and the end of September: the difference between an attack every 2 minutes and one every 40 seconds.
For individuals the rate of increase went from every 20 seconds to every 10 seconds.
One in five small and medium-sized business who paid the ransom never got their data back.
2016 has been called the year of ransomware. This report sums up the topic of ransomware for the soon-to-end year 2016.
Overall, ransomware ran rampant worldwide this year, encrypting data and locking some devices. Its targets were not only individuals but businesses as well.
Let us look at a set of numbers: 62; 11; 3; 2; 20%.
62 new ransomware variants appeared over the year;
Ransomware modifications grew 11-fold: from 2,900 in the first quarter to 32,091 in the third quarter;
The rate of ransomware attacks on businesses at year end was 3 times that at the start of the year: from one business infected every 120 seconds to one every 40 seconds;
The infection rate for individual users increased 2-fold: from one infection every 20 seconds to one every 10 seconds;
20% of small and medium-sized businesses paid the ransom but did not recover the data they wanted.

//END
Why you shouldn’t pay – advice from the Dutch National High Tech Crime Unit
You become a bigger target.
You can’t trust criminals – you may never get your data back, even if you pay.
Your next ransom will be higher.
You encourage the criminals.
Can we ever win the fight against ransomware?
We believe we can – but only by working together. Ransomware is a lucrative criminal business. To make it stop the world needs to unite to disrupt the criminals’ kill-chain and make it increasingly difficult for them to implement and profit from their attacks.
Advice from the Dutch National High Tech Crime Unit: never give in to ransomware, and above all never pay the extortionists a ransom.
There are four reasons:
First, paying the ransom makes you a bigger target, because the extortionists now know you have money!
Second: even if you pay, you may still not get your data back. How much of what an extortionist says can be trusted?
Third: if you are hit again next time, the ransom will without doubt be higher;
Finally: paying the ransom undeniably strengthens the extortionists' confidence to keep doing evil! What is worse than aiding a tyrant?
To win the fight against ransomware, the security community must unite to cut off the distribution chain and make it harder for ransomware to get onto users' computers; in addition, users need more publicity and education, spreading the word about the tricks and methods extortionists commonly use.

//Download: The ransomware revolution Kaspersky Security Bulletin 2016.pdf (3.67 MB, downloads: 223)
File name: The ransomware revolution Kaspersky Security Bulletin 2016.pdf
File size: 3,848,129 bytes
MD5     : CCF0C9E92AB7B3533FCBDD9E4F03F76A

Comment: for individual users, the advice for preventing ransomware damage is back up, back up, and back up again.

Posted on 2016-12-11 22:10
2. Security team publishes an analysis of immunization tricks against extortion trojans
{CHN}
Title: Immunization tricks for extortion trojans, seen from the new Locky variants

Author info: 2016-12-09 By 360安全卫士

//BEGIN
0×1 Foreword
Locky is among the extortion trojans with the longest distribution history and the most variants. Recently its variants Thor and Aesir have begun to appear frequently. The core encryption code of these Locky variants is almost identical; only the extension appended to encrypted files has changed. Compared with the older Locky, however, these new variants have changed their self-defense mechanisms considerably, for example using the global atom table instead of registry keys to store their flag strings, in order to counter detection of the relevant registry keys. Still, even after patching the holes of the old Locky, the new Locky variants leave a few points that can be used for immunization. This article analyzes some technical details of the new Locky variants to discuss ways of immunizing against this kind of trojan.

//END
0×4 Summary
The above shared some methods of immunizing against attacks by the new Locky variants by using their inherent defects or poorly thought-out features. For individual users these do have a certain effect and in addition [sic: daily briefing note], but to defend more comprehensively against all kinds of trojans, the protection of security software is still needed.
Only by raising security awareness, forming good security habits, and having the protection of security software, with all three working together, can everyone's security be truly and comprehensively guaranteed. None of the three can be missing, and none should be taken lightly.

Comment: for individual users, the advice for preventing ransomware damage is back up, back up, and back up again.

Posted on 2016-12-11 22:11
3. Researchers publish an analysis of the Floki Bot botnet
Title: Floki Bot Strikes, Talos and Flashpoint Respond

Author info: WEDNESDAY, DECEMBER 7, 2016 by Ben Baker, Edmund Brumaghin, Mariano Graziano and Jonas Zaddach

//BEGIN
Floki Bot is a new malware variant that has recently been offered for sale on various darknet markets. It is based on the same codebase that was used by the infamous Zeus trojan, the source code of which was leaked in 2011. Rather than simply copying the features that were present within the Zeus trojan "as-is", Floki Bot claims to feature several new capabilities making it an attractive tool for criminals. As Talos is constantly monitoring changes across the threat landscape to ensure that our customers remain protected as threats continue to evolve, we took a deep dive into this malware variant to determine the technical capabilities and characteristics of Floki Bot.
News from the Talos team at Intel and the Flashpoint analysis team: a new botnet program called Floki was recently found on the darknet. It was modified from the Zeus trojan, whose source was opened in 2011, but it adds many new features to make this new botnet hard to detect; moreover, many of its new features suit the taste of cybercriminals well. This new botnet is a commercial botnet program sold on the darknet.

//END
Floki Bot is another example of what happens when the source code of successful malware kits gets leaked online. As we have seen several times since the Zeus source code became available, new malware variants based on this codebase continue to emerge. Floki Bot is unique in that the authors of this malware have put effort into expanding upon the functionality that was present in Zeus and have implemented new functionality making Floki Bot very attractive to criminals.
As Floki Bot is currently being actively bought and sold on several darknet markets it will likely continue to be seen in the wild as cybercriminals continue to attempt to leverage it to attack systems in an aim to monetize their efforts. As the leak of the Zeus source code continues to have ripple effects across the threat landscape, Talos will continue to monitor this and other threats that are actively being used in the wild to ensure that customers remain protected as new threats emerge or as existing threats change over time.
The botnet is still being sold on the darknet, so a new wave of infections can be expected in the future.

Comment: the darknet, the darknet, and the darknet yet again.

Posted on 2016-12-11 22:13
4. Spam adverts spread malicious code through Facebook groups
Title: Facebook malware allegedly spreading celebrity sex tapes through Chrome extension [Update]

Author info: Dec 9, 2016 By Justin Luna

//BEGIN
A new spam campaign has recently been seen spreading on Facebook, which allegedly contains sex videos of celebrities. In reality, it leads unsuspecting users into downloading a malicious Chrome extension.
Facebook, too, has been used by malware authors to spread malicious code, though by means of social engineering.
The messages claim to be an mp4 sex video of a certain celebrity, but in fact these are just ordinary pdf files. Once the user opens the pdf, it goes on to trick the user into believing the video can be played "only by installing" a so-called dedicated browser. During this process a malicious Chrome extension gets installed, and the user can neither see it nor uninstall it.

//END
A Facebook spokesperson has provided the following statements to Neowin regarding the issue:
“We use automated systems to help stop harmful links and files from appearing on Facebook. These systems blocked the majority of the malicious activity, and the affected extensions are no longer active on our platform. The relevant parties have also removed these extensions from their browser stores.”
Moreover, the company stated that the malware's impact on Facebook is very limited, and that simply clicking on a link would not infect a computer on its own. Also, in order to keep users protected, Facebook will notify them if they see any suspicious behavior, and provide them with a free anti-virus scan.
Facebook, the affected party, responded quickly through its spokesperson, stating that automated systems have been deployed to identify these harmful URLs and that the malicious link can now be caught. In fact, the deployment of this system has already blocked a great deal of malicious code.
Facebook will closely monitor malicious code appearing on its platform and promptly warn users of possible security risks; it will also provide a free antivirus scan for this, to ensure users' safety.

Comment: the way to resist social engineering is still to resist the temptation, but not many people manage that, so we still have to rely on the big vendors' own defense mechanisms.

Posted on 2016-12-11 22:17
5. Security vendor publishes eight cybersecurity predictions for 2017
Title: THE NEXT TIER Trend Micro Security Predictions for 2017

Author info: [date not given] By Trend Micro

//BEGIN
People waking up to the threat landscape of 2017 will say it is both familiar and unchartered terrain. After all, while our predictions for 2016 have become reality, they only opened doors for more seasoned attackers to explore an even broader attack surface. In 2016, online extortion exploded, a smart device failure indeed caused damage, the need for Data Protection Officers (DPOs) became ever more pressing, and data breaches became as commonplace as ever.
As the year draws to a close, people looking ahead to the cybersecurity landscape of 2017 feel it will be both familiar and somewhat unfamiliar. In any case, last year's predictions have all become reality. In the coming year, hackers with more resources and determination will have an even broader attack surface. Over the past year, ransomware ran wild; misconfiguration of some smart devices led to disasters; the need for Data Protection Officers (DPOs) became ever more urgent; and data breaches were as commonplace as ever.

//END
Machine learning is not a new-fangled security technology, but it is poised to be a crucial element in battling known and unknown ransomware threats and exploit kit attacks, among others. Machine learning is deployed through a layered system with human- and computer-provided inputs running through mathematical algorithms. This model is then pitted against network traffic, allowing a machine to make quick and accurate decisions about whether the network content—files and behaviors—are malicious or not.
Enterprises must also ready themselves with proven protection against the anti-evasion techniques that threat actors will introduce in 2017. This challenge calls for a combination (versus a silver-bullet type approach) of different security technologies that should be available across the network to form a connected threat defense. Technologies like:
Advanced anti-malware (beyond blacklisting)
Antispam and antiphishing at the Web and messaging gateways
Web reputation
Breach detection systems
Application control (whitelisting)
Content filtering
Vulnerability shielding
Mobile app reputation
Host- and network-based intrusion prevention
Host-based firewall protection
Machine learning is nothing new, but it has an innate advantage against newly emerging known and unknown ransomware and exploit kits (EKs). With input material supplied by humans and machines in layers, a practical machine learning model can be deployed using certain mathematical algorithms. Coupled with the traffic flowing through the network, the model lets a computer system quickly and accurately identify whether content or behavior transmitted over the network is malicious or harmless.
The following new anti-malware technology trends may appear in 2017:
Advanced anti-malware technology;
Anti-spam and anti-phishing technology at the gateway;
Web reputation technology;
Data breach detection systems;
Application control technology;
Content filtering systems;
Vulnerability patching technology;
Mobile app reputation technology;
Host- and network-based intrusion prevention technology;
Host firewall technology.


//Download: THE NEXT TIER Trend Micro Security Predictions for 2017.pdf (1.68 MB, downloads: 218)
File name: THE NEXT TIER Trend Micro Security Predictions for 2017.pdf
File size: 1,760,040 bytes
MD5     : 3BBCCFEB7EABF761830E1A80C08245EC

Comment: the year is ending, and the major vendors have begun to take stock of the past and look ahead to the coming year.

Posted on 2016-12-11 22:18
6. Research shows the passwords commonly used by Internet users have changed
{CHN}
Title: Study finds "love", "girl" and "angel" are the most commonly used passwords

Author info: 2016-12-10 02:35 By cnbeta

//BEGIN
A new study shows that Internet users no longer stick to numeric passwords of the "123456" type, but instead choose surprisingly easy-to-guess words. After analyzing data from 50,000 leaked e-mail addresses and passwords, CBT Nuggets found that the most common words in passwords were "love", "star", "girl" and "angel", followed by "rock", "hell", "mike" and "john".
The study also revealed that the common American name passwords most easily cracked by hackers are Mike/Michael, Chris/Christopher, John/Jonathan and Dave/David.

//END
According to the latest research, men are more likely to be hacked. Interestingly, people aged 25 to 34 are more likely to be hacked than other groups; they also happen to be the people most likely to be named Mike, Chris, John or Dave. The study shows that 42% of accounts that were hacked were in fact using the user name. The most common were variants of names such as Amy, Lisa and Scott.
CBT Nuggets' research shows that Yahoo accounts are the most likely to be hacked, followed by Hotmail (now called Outlook) and Gmail. Yahoo accounts, however, had a hacking rate as high as 47.5%. The best way to protect your account is therefore to use a hard-to-guess password together with two-factor authentication.

Comment: there should be a Chinese version of this kind of report.
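As an added example (not part of the post or of CBT Nuggets' study), a password check that turns the findings above into a policy: it flags passwords built from the user name, from the eight common words and the names the study lists, or from digits alone. The leet-substitution map and the sample credentials are my own assumptions, not values from the study.

```python
"""Password policy check built from the CBT Nuggets findings quoted in the post."""
import re

# Words and names the post reports as the most common in leaked passwords.
COMMON_WORDS = {"love", "star", "girl", "angel", "rock", "hell", "mike", "john"}
COMMON_NAMES = {"mike", "michael", "chris", "christopher", "john", "jonathan",
                "dave", "david", "amy", "lisa", "scott"}

# Assumed leet map: how users commonly disguise a word (constructed, not from the study).
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "@": "a", "$": "s", "!": "i"})


def _normalize(s: str) -> str:
    """Lower-case, undo leet substitutions, then keep letters only."""
    return re.sub(r"[^a-z]", "", s.lower().translate(_LEET))


def password_findings(username: str, password: str) -> list:
    """Return the weak patterns from the study that this password matches."""
    if password.isdigit():
        return ["all digits ('123456' style)"]
    findings = []
    norm_pw = _normalize(password)
    norm_user = _normalize(username.split("@")[0])  # local part of an e-mail login
    # 42% of hacked accounts in the study used the user name (or a variant) as password.
    if norm_pw and norm_user and (norm_user in norm_pw
                                  or (len(norm_pw) >= 3 and norm_pw in norm_user)):
        findings.append("password derived from user name")
    for word in sorted(COMMON_WORDS):
        if word in norm_pw:
            findings.append(f"contains common word '{word}'")
    for name in sorted(COMMON_NAMES - COMMON_WORDS):  # avoid double-reporting mike/john
        if name in norm_pw:
            findings.append(f"contains common name '{name}'")
    return findings


def is_acceptable(username: str, password: str) -> bool:
    """True when none of the study's weak patterns apply."""
    return not password_findings(username, password)


if __name__ == "__main__":
    # Constructed sample logins; none of these are real credentials.
    for user, pw in [("amy", "Amy2016"), ("dave", "L0veStar!"),
                     ("bob", "123456"), ("carol", "Tq7#vLp9zR")]:
        print(user, pw, password_findings(user, pw) or "ok")
```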