创意安天

Daily Security Briefing (20161215)

Posted on 2016-12-14 21:34
Posted on 2016-12-15 21:08
1. Android trojan Loki variant gains the ability to root devices
Title: Loki Trojan Infects Android Libraries and System Process to Get Root Privileges

Author info: December 13, 2016 07:16 AM By Catalin Cimpanu

//BEGIN
Malware authors have released a new version of the Android Loki trojan, which can now infect native Android OS libraries after an earlier version had previously gained the capabilities to infect core operating system processes.
This trojan, named Loki, was first seen in February 2016 and was discovered by Russian antivirus vendor Dr.Web.
The Russian security company Doctor Web recently reported a new variant. The original version was discovered in February this year. The malware runs on the Android platform and is named Loki. Unlike the February version, which could infect core system processes, the new Loki variant can infect native Android system library files.

//END
The difference between the two Loki versions, the February and the December variants, is the files they targeted. The February version targeted the native Android "system_server" process.
The December variant modifies a native system library and adds an extra dependency that loads one of Loki's three components (libz.so, libcutils.so or liblog.so). Whenever the Android OS needs the tainted library, it also loads the Loki trojan, which starts its malicious activity as root, the standard user under which all core libraries execute.
Fortunately, just like in February, this malware is currently used to show annoying ads only. If Loki would be used as part of banking trojans, ransomware, or cyber-surveillance toolkits, this malware would be a force to be reckoned with. Because Loki entangles itself deep in the Android OS files, the only way to remove the trojan is to reinstall (reflash) the entire operating system.
The two versions differ in what they infect: one targets the system_server process, the other modifies system library files and adds an extra layer of dependency, so that whenever the system loads an infected library the trojan is loaded along with it. In this way even code run by an ordinary user is escalated to root.
Fortunately, so far the only thing this malware does is display ads and download apps. But if in future it is combined with the familiar banking trojans, ransomware, network surveillance tools and so on, the consequences will be extremely serious.
The reason is that this trojan burrows into the Android OS kernel, and ordinary means cannot remove it at all.

Comment: When malicious code is implanted into native Android, is reflashing the only fix?
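The infection mechanism the article describes (an extra DT_NEEDED entry added to a legitimate system library, so the dynamic loader pulls the trojan in every time that library is mapped) can be checked for. Below is an added example, not code from the article, from Dr.Web or from this post: a small Python ELF parser that lists the DT_NEEDED entries of a shared object and flags any that a per-library baseline does not account for. The BASELINE set and the synthetic ELF images it is run on are constructed for illustration; the real dependency lists of Android system libraries are not on this page.

```python
"""List and baseline-check DT_NEEDED entries of ELF shared objects.

Added example, not from the article or Dr.Web. A Loki-style infection adds
a DT_NEEDED entry to a legitimate library; that entry is what this flags.
The BASELINE set and the synthetic ELF images are constructed here.
"""
import struct

SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_NEEDED = 0, 1

# ELF class -> (ELF header, section header, dynamic entry) little-endian layouts.
_LAYOUT = {
    1: ("<16sHHIIIIIHHHHHH", "<IIIIIIIIII", "<iI"),   # ELFCLASS32 (e.g. armeabi)
    2: ("<16sHHIQQQIHHHHHH", "<IIQQQQIIQQ", "<qQ"),   # ELFCLASS64 (e.g. arm64)
}

# Assumed known-good DT_NEEDED set for one library on one build; a real
# baseline comes from a clean factory image of the same build.
BASELINE = {"libc.so", "libm.so", "libdl.so"}


def _cstr(table: bytes, off: int) -> str:
    """NUL-terminated string at `off` in a string table."""
    return table[off:table.index(b"\x00", off)].decode("ascii", "replace")


def dt_needed(data: bytes) -> list:
    """DT_NEEDED names of an ELF image, in .dynamic order (via section headers)."""
    if data[:4] != b"\x7fELF" or data[5] != 1:
        raise ValueError("not a little-endian ELF file")
    if data[4] not in _LAYOUT:
        raise ValueError("unknown ELF class %d" % data[4])
    ehdr_fmt, shdr_fmt, dyn_fmt = _LAYOUT[data[4]]
    hdr = struct.unpack_from(ehdr_fmt, data, 0)
    e_shoff, e_shentsize, e_shnum = hdr[6], hdr[11], hdr[12]
    shdrs = [struct.unpack_from(shdr_fmt, data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    needed = []
    for sh in shdrs:
        sh_type, sh_off, sh_size, sh_link = sh[1], sh[4], sh[5], sh[6]
        if sh_type != SHT_DYNAMIC:
            continue
        strtab = shdrs[sh_link]                      # .dynstr, found via sh_link
        table = data[strtab[4]:strtab[4] + strtab[5]]
        ent = struct.calcsize(dyn_fmt)
        for pos in range(sh_off, sh_off + sh_size, ent):
            tag, val = struct.unpack_from(dyn_fmt, data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:
                needed.append(_cstr(table, val))
    return needed


def unexpected_needed(data: bytes, baseline: set) -> list:
    """DT_NEEDED names that the baseline for this library does not explain."""
    return [name for name in dt_needed(data) if name not in baseline]


def build_elf(needed: list, ei_class: int = 2) -> bytes:
    """Constructed test input: a minimal ELF carrying only .dynstr/.dynamic/.shstrtab."""
    ehdr_fmt, shdr_fmt, dyn_fmt = _LAYOUT[ei_class]
    ehsize, shentsize = struct.calcsize(ehdr_fmt), struct.calcsize(shdr_fmt)
    dynstr, offs = b"\x00", []
    for name in needed:
        offs.append(len(dynstr))
        dynstr += name.encode() + b"\x00"
    dynamic = b"".join(struct.pack(dyn_fmt, DT_NEEDED, o) for o in offs)
    dynamic += struct.pack(dyn_fmt, DT_NULL, 0)
    shstrtab = b"\x00.dynstr\x00.dynamic\x00.shstrtab\x00"
    dynstr_off = ehsize
    dynamic_off = dynstr_off + len(dynstr)
    shstr_off = dynamic_off + len(dynamic)
    shoff = shstr_off + len(shstrtab)
    shdrs = [
        struct.pack(shdr_fmt, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0),
        struct.pack(shdr_fmt, 1, SHT_STRTAB, 0, 0, dynstr_off, len(dynstr), 0, 0, 1, 0),
        struct.pack(shdr_fmt, 9, SHT_DYNAMIC, 0, 0, dynamic_off, len(dynamic),
                    1, 0, 8, struct.calcsize(dyn_fmt)),
        struct.pack(shdr_fmt, 18, SHT_STRTAB, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0),
    ]
    ident = b"\x7fELF" + bytes([ei_class, 1, 1, 0]) + b"\x00" * 8
    ehdr = struct.pack(ehdr_fmt, ident, 3, 0, 1, 0, 0, shoff, 0,
                       ehsize, 0, 0, shentsize, len(shdrs), 3)
    return ehdr + dynstr + dynamic + shstrtab + b"".join(shdrs)


if __name__ == "__main__":
    clean = build_elf(["libc.so", "libm.so", "libdl.so"])
    tampered = build_elf(["libc.so", "libm.so", "libdl.so", "libz.so"])  # one extra dependency
    print("clean:   ", unexpected_needed(clean, BASELINE))
    print("tampered:", unexpected_needed(tampered, BASELINE))
```

Two caveats for real use. Loki's components carry the names of genuine Android libraries, so a global allowlist of "known library names" would not catch them; the baseline has to be per library (this library on this build never needed libz.so) and is best paired with hashes of the files the names resolve to. And the parser above walks section headers, which the runtime loader does not need and which can be stripped; production tooling should walk PT_DYNAMIC from the program headers instead, so a library with no section table cannot hide its dependencies.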
Posted on 2016-12-15 21:10
2. Malicious code implanted in the firmware of several low-end phones
Title: Doctor Web discovers Trojans in firmware of well-known Android mobile devices

Author info: December 12, 2016 By Dr.Web

//BEGIN
Doctor Web’s security researchers found new Trojans incorporated into the firmware of several dozen Android mobile devices. The malware programs found are stored in system directories and covertly download and install programs.
One of these Trojans, dubbed Android.DownLoader.473.origin, was found in the firmware of a large number of popular Android devices operating on the MTK platform. At the time this news article was posted, the Trojan had been detected on the following 26 models of smartphones:
The Russian security vendor Doctor Web recently published an advisory stating that several smartphone models already carry malicious code in their factory firmware, including some models of domestic Lenovo phones.
The malicious code is stored in the system directory; as soon as the device goes online it covertly downloads applications and, without the user's knowledge, installs malicious or PUP (unwanted) applications.
One of the malicious programs, named Android.DownLoader.473.origin, is widely present on MTK-platform Android devices, in large numbers.

//END
It is known that cybercriminals generate their income by increasing application download statistics and by distributing advertising software. Therefore, Android.DownLoader.473.origin and Android.Sprovider.7 were incorporated into Android firmware because dishonest outsourcers who took part in the creation of Android system images decided to make money on users.
Doctor Web has already informed smartphone manufacturers about this incident. Users of the infected devices are recommended to contact technical support specialists to get the updated system software as soon as it is ready.
Dr.Web for Android detects Android.DownLoader.473.origin and Android.Sprovider.7 so that our users can check whether the firmware is infected.
The malicious code makes money from users' download and install counts. So some unscrupulous vendors collude with firmware makers to do harm together: the malicious code is installed in the firmware of phones as they leave the factory. Unless the phone is reflashed, it is very hard to remove.

Comment: The firmware of some domestic Lenovo models is infected too?
Posted on 2016-12-15 21:11
3. IoT botnet Mirai variant adds a DGA feature
Title: New Mirai Variants Have Built-in Domain Generation Algorithm

Author info: December 13, 2016 By Ionut Arghire

//BEGIN
Newly observed variants of the Mirai botnet pack domain generation algorithm (DGA) features that haven’t been associated with previous Mirai samples, security researchers warn.
A DGA (domain generation algorithm) has now been found in the latest Mirai botnet; this feature has no direct relation to earlier Mirai samples. By the end of October this year, the earlier Mirai botnet had infected devices in 164 countries and regions, exploiting the weak authentication of these IoT devices.
Because Mirai is open source, many malware variants derive from it. According to 360's statistics, at least 53 distinct Mirai samples have been captured by 360's honeypot system, spread across 6 honeypot servers.

//END
After identifying the malware samples that use the DGA feature, the security researchers noticed that they all share the same DGA in terms of seed string and algorithm.
Having analysed the malware that uses the DGA feature, the researchers concluded that the samples are basically identical in seed string and algorithm.

Comment: It looks like Mirai will not be eliminated any time soon.
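The finding that all DGA-enabled samples share one seed string and one algorithm is what makes the feature useful to defenders as well as to the botnet. The block below is an added example, not code from the article or from any Mirai sample: its generator is a hypothetical SHA-256-based DGA with a placeholder seed (the page does not describe Mirai's actual algorithm or seed, and this is not it). It shows the consequence of a shared seed and algorithm: a defender who recovers them from one sample can precompute the family's rendezvous domains for a date range, sinkhole them, and match DNS query logs against the list. The log lines are constructed.

```python
"""Precomputing a DGA's domains once seed and algorithm are shared.

Added example. The DGA below is hypothetical (SHA-256 over seed, date and
index) and is NOT Mirai's algorithm; SEED is a placeholder, not the real
seed string. One recovered seed plus algorithm yields the rendezvous
domains of every sample that shares them, so they can be sinkholed ahead
of time and infected clients spotted in DNS logs.
"""
import hashlib
from datetime import date, timedelta

SEED = "recovered-seed-string"          # placeholder, not the real Mirai seed
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
TLDS = ("online", "tech", "support")     # arbitrary choice for the illustration


def dga_domains(seed: str, day: str, count: int = 3, length: int = 12) -> list:
    """Domains a bot with `seed` would try on `day` (ISO date); hypothetical algorithm."""
    out = []
    for idx in range(count):
        digest = hashlib.sha256(f"{seed}|{day}|{idx}".encode()).digest()
        label = "".join(ALPHABET[b % 26] for b in digest[:length])
        out.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return out


def sinkhole_list(seed: str, start: str, days: int) -> set:
    """Every domain the family will try from `start` for `days` days."""
    first = date.fromisoformat(start)
    return {d for n in range(days)
            for d in dga_domains(seed, (first + timedelta(days=n)).isoformat())}


def flag_clients(log: str, blocklist: set) -> dict:
    """Map client IP -> DGA domains it queried, from '<ts> <client> <qname>' lines."""
    hits = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, client, qname = line.split()
        if qname.lower().rstrip(".") in blocklist:
            hits.setdefault(client, []).append(qname)
    return hits


# Constructed DNS query log: two queries from 10.0.0.23 hit that day's DGA domains.
_day_domains = dga_domains(SEED, "2016-12-13")
SAMPLE_LOG = "\n".join([
    "2016-12-13T10:00:01Z 10.0.0.17 www.example.com",
    f"2016-12-13T10:00:05Z 10.0.0.23 {_day_domains[0]}",
    f"2016-12-13T10:00:09Z 10.0.0.23 {_day_domains[2]}",
    "2016-12-13T10:01:00Z 10.0.0.31 updates.example.net",
])


if __name__ == "__main__":
    week = sinkhole_list(SEED, "2016-12-13", 7)
    print(f"{len(week)} domains to sinkhole for the week starting 2016-12-13")
    print("infected clients:", flag_clients(SAMPLE_LOG, week))
```

The same property cuts the other way: a variant that changes only the seed string produces a disjoint domain set and is missed by a list computed from the old seed, which is why the note that every DGA sample examined so far shares the seed is the operationally important part of the article.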
Posted on 2016-12-15 21:12
4. Some member accounts of KFC's Colonel's Club compromised
{CHN}
Title: Some KFC Colonel's Club members hacked

Author info: 2016-12-13 22:22:42 By cnBeta

//BEGIN
Fast-food chain KFC has become the latest victim of a hacker attack. KFC said the Colonel's Club was hacked earlier this week. KFC has confirmed the attack and said that in fact only a small number of accounts were compromised and no personal information was stolen. Nevertheless, the company advises users to reset their passwords as soon as possible, and if the same password is used on other accounts, KFC also advises changing it as soon as possible.
There are no reports so far of Colonel's Club members' email accounts being hacked; KFC said that only 30 of the Colonel's Club's 1.2 million accounts were actually compromised. To make sure members are protected, KFC sent every user a warning email recommending a password reset purely as a precaution.

//END
In addition, the company added that it would take extra security measures to further protect members' accounts and prevent this from happening again, but KFC gave no details of these new measures.
The Colonel's Club is a KFC loyalty programme that lets members collect so-called Chicken Stamps, which can then be redeemed for rewards including meals at KFC restaurants. According to KFC, the Colonel's Club currently has over a million registered users.

Comment: Passwords should be changed regularly!
Posted on 2016-12-15 21:14
5. Russian consulate website hacked, affecting 30,000 users
Title: Russian Consulate Hacked, Passport Numbers and Personal Information Stolen
Russian consular department in the Netherlands breached

Author info: Dec 13, 2016 07:35 GMT By Bogdan Popa

//BEGIN
Security pentester Kapustkiy has managed to hack the website belonging to a Russian consular department, accessing personal information that includes names, emails, phone numbers, and passport numbers.
The hacker Kapustkiy, known for specialising in government websites around the world, has struck again!
This time the target was the website of the Russian consulate in the Netherlands. The site was breached by this hacker, who stole personal information from it: names, emails, phone numbers, passport numbers and so on. As of publication the site is still reachable. Although the hacker obtained the personal data of nearly 30,000 users, he does not intend to publish it all directly, but wants to give the site administrators some opportunity and time to fix the problem.
Besides reporting to the Dutch side, the hacker also reported the matter to the Russian authorities.
Kapustkiy has been busy lately: besides this, he recently visited Indian government websites, Italian government websites and a site related to the Venezuelan military in South America.

//END
For the moment, we’re still waiting for a response from the Consular Department of the Embassy of the Russian Federation in the Netherlands, but we don’t expect an answer anytime soon. Without a doubt, however, they’ll become aware of the hack very soon, so the breach could be silently fixed without a public acknowledgment.
UPDATE: Site admins contacted Kapustkiy and told him that they are now looking into the breach, with more info to be released at a later time.
After a long wait, Kapustkiy finally received a response from the Dutch side: they are aware of the matter, are fixing it, and more details will be released later.

Comment: Government websites worldwide are a vertical industry in their own right.
Posted on 2016-12-15 21:17
6. Security vendor publishes its network security report for the first three quarters
Title: McAfee Labs Threats Report

Author info: December 2016 By McAfee

//BEGIN
It has been a rather eventful fall at Intel Security!
In late August, Intel security researchers joined with global law enforcement agencies to take down the WildFire ransomware botnet. In addition to assisting with the takedown, Intel Security developed a free tool that decrypts files encrypted by WildFire. Learn more about the WildFire ransomware and how to recover from it.
On September 7, it was announced that Intel Security will be partially spun off from Intel next spring, creating one of the largest independent pure-play cybersecurity companies in the industry. Although Intel will still own 49% of Intel Security, the majority will be owned by TPG, a leading alternative asset company. We will once again be known as McAfee.
Traditional network security company McAfee has made another big move: the return of McAfee!
After being acquired by Intel, public announcements in September this year showed that Intel will step back to second place and the old McAfee is coming back. Intel still holds 49% of the shares, but the majority shareholder will be TPG, and the company returns to being a single, pure network security business. The company name also goes back to McAfee.
And in August the company worked with government agencies around the world to take down a ransomware botnet called WildFire, and also developed a free decryption tool that can decrypt files the ransomware has encrypted.


//END
Every quarter, we discover new things from the telemetry that flows into McAfee Global Threat Intelligence (McAfee GTI). The McAfee GTI cloud dashboard allows us to see and analyze real-world attack patterns that lead to better customer protection. This information provides insight into attack volumes that our customers experience. In Q3, our customers saw the following attack volumes:
McAfee Global Threat Intelligence (McAfee GTI) is McAfee's global threat intelligence system; it lets attack trends be viewed and analysed in real time so that users can be protected as well as possible.
There are three report files, as follows:

Download 1: 2016 will be remembered as the year of ransomware --McAfee.pdf (3.95 MB, 44 downloads)
File name: 2016 will be remembered as the year of ransomware --McAfee.pdf
File size: 4,144,552 bytes
MD5: 2753E3192BEA900D8910994F24EE221D

Download 2: Health Warning Cyberattacks are targeting the health care industry--McAfee.pdf (1.9 MB, 31 downloads)
File name: Health Warning Cyberattacks are targeting the health care industry--McAfee.pdf
File size: 1,993,625 bytes
MD5: FF45F82FAA303A646240FD9EF736B56E

Download 3: 2017 Threats Predictions --McAfee.pdf (4.25 MB, 29 downloads)
File name: 2017 Threats Predictions --McAfee.pdf
File size: 4,457,360 bytes
MD5: 94B6F6E47C0177EDE88E17826420637C


Comment: 2016 had no shortage of big events in the security world, but the one at McAfee is the most dramatic: as the saying goes, what is long united must divide, and what is long divided must unite. (The analogy is a bit of a stretch ^^&&^^)
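The post lists a size and an MD5 for each attachment, which is the check a reader should run after downloading them. Below is an added example, not part of the post or of McAfee's material, that streams each listed file through MD5 and compares both size and digest against the values above. The directory layout (the three PDFs sitting in one folder under their listed file names) is an assumption. MD5 is what the post provides, so that is what is checked, but MD5 is collision-weak: a match rules out a truncated or swapped download, not a deliberately crafted substitute; a SHA-256 from the publisher would be preferable when available.

```python
"""Verify the downloaded McAfee reports against the listed sizes and MD5s.

Added example, not from the post or McAfee. EXPECTED holds the values
exactly as listed above; the layout (all three PDFs in one directory under
their listed names) is an assumption.
"""
import hashlib
import hmac
import os

EXPECTED = {
    "2016 will be remembered as the year of ransomware --McAfee.pdf":
        (4_144_552, "2753E3192BEA900D8910994F24EE221D"),
    "Health Warning Cyberattacks are targeting the health care industry--McAfee.pdf":
        (1_993_625, "FF45F82FAA303A646240FD9EF736B56E"),
    "2017 Threats Predictions --McAfee.pdf":
        (4_457_360, "94B6F6E47C0177EDE88E17826420637C"),
}


def md5_hex(data: bytes) -> str:
    """Uppercase MD5 hex digest of a byte string, in the post's format."""
    return hashlib.md5(data).hexdigest().upper()


def md5_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file through MD5 so a multi-megabyte PDF is not read at once."""
    h = hashlib.md5()
    with open(path, "rb") as fp:
        for block in iter(lambda: fp.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def check(size: int, digest: str, expected_size: int, expected_md5: str) -> str:
    """Return 'OK', 'SIZE MISMATCH' or 'MD5 MISMATCH' for one file."""
    if size != expected_size:
        return "SIZE MISMATCH"          # cheap check first: catches truncated downloads
    # Case-insensitive, constant-time comparison of the hex strings.
    if not hmac.compare_digest(digest.upper(), expected_md5.upper()):
        return "MD5 MISMATCH"
    return "OK"


def verify_downloads(directory: str) -> dict:
    """Check every listed report in `directory`; files not present are reported as MISSING."""
    results = {}
    for name, (exp_size, exp_md5) in EXPECTED.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        results[name] = check(os.path.getsize(path), md5_file(path), exp_size, exp_md5)
    return results


if __name__ == "__main__":
    for name, status in verify_downloads(".").items():
        print(f"{status:14} {name}")
```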