
Daily Security Briefing (20161217)

Posted on 2016-12-16 22:26
Posted on 2016-12-17 17:41
1. BandarChor ransomware variant spreads via malvertising
Title: New BandarChor Ransomware Variant Spreads via Malvertising on Adult Sites

Author info: December 15, 2016 02:49 PM By Catalin Cimpanu

//BEGIN
Malicious ads displayed on several adult websites and a store selling quadrocopters (drones) are infecting visitors with a new version of the BandarChor ransomware.
Spotted by Proofpoint security researcher Kafeine, the new BandarChor version was confirmed by Bleeping Computer's Lawrence Abrams, and security researcher Malwareforme, who contributed to this report.
The name BandarChor may look a little unfamiliar, but it actually has some history: it emerged at the same time as the well-known ransomware families such as CTB-Locker, CryptoWall, TorrentLocker and TeslaCrypt. It was first discovered two years ago, in November 2014, and in March 2015 the Finnish company F-Secure published a dedicated analysis report. The latest infections occurred when users visited adult websites or a site selling drones, and were discovered and reported at the same time by several security experts in different regions.
Although two years have passed, the ransomware's techniques have barely changed; part of the reason variants are still appearing may be that its infection footprint is small and it does not attract much attention.

//END
As it appears, this BandarChor variant is yet another minor update to a continuing threat that has managed to survive all these years. This is most likely due to the small number of infections it made, which allowed it to avoid drawing attention from law enforcement agencies.
If files are hit by the ransomware, the renaming pattern is: [original_file_name].id-[ID]_[EMAIL_ADDRESS], where original_file_name is the full original file name and ID is an identification number. EMAIL_ADDRESS is help@decryptservice.info, so if the original file name is test.jpg, the encrypted file will be named test.jpg.id-1235240425_help@decryptservice.info. The ID part differs from user to user.

Comment: Against ransomware, the advice is back up, back up, and back up again. Certain special websites (you know which) may well be hiding ransomware.
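The renaming pattern quoted in the post ([original_file_name].id-[ID]_[EMAIL_ADDRESS]) can be turned into a simple triage check for a file listing. The script below is an added example, not code from the article or from any of the researchers named in it; the regular expression, the function names, the sample listing and the address other@example.invalid are all constructed for illustration. It parses each name, groups hits by victim ID and contact address, and flags whether the address is the one the post reports for this campaign.

```python
import re
from collections import defaultdict

# Renaming pattern described in the post:
#   [original_file_name].id-[ID]_[EMAIL_ADDRESS]
# The regex and helper names below are this example's own, not the article's.
BANDARCHOR_RE = re.compile(
    r"^(?P<original>.+?)\.id-(?P<id>\d+)_(?P<email>[^@\s_]+@[^@\s]+)$"
)

# Contact address reported in the post for this campaign.
KNOWN_EMAILS = {"help@decryptservice.info"}

# Constructed sample directory listing (not real victim data).
SAMPLE_LISTING = [
    "test.jpg.id-1235240425_help@decryptservice.info",
    "invoice.docx.id-1235240425_help@decryptservice.info",
    "notes.txt",
    "photo.id-123_nobody",
    "backup.zip.id-9988776655_other@example.invalid",
]


def parse_bandarchor_name(name):
    """Return (original_name, victim_id, email) when `name` follows the
    BandarChor renaming pattern, otherwise None."""
    m = BANDARCHOR_RE.match(name)
    if not m:
        return None
    return m.group("original"), m.group("id"), m.group("email")


def scan_listing(names):
    """Group matching names by (victim_id, email); mark each group as a
    known campaign address or not so an analyst can prioritise it."""
    hits = defaultdict(list)
    for name in names:
        parsed = parse_bandarchor_name(name)
        if parsed is None:
            continue
        original, victim_id, email = parsed
        hits[(victim_id, email)].append(original)
    return {
        key: {"files": files, "known_campaign": key[1] in KNOWN_EMAILS}
        for key, files in hits.items()
    }


if __name__ == "__main__":
    for (victim_id, email), info in scan_listing(SAMPLE_LISTING).items():
        tag = "known" if info["known_campaign"] else "unknown"
        print(f"id={victim_id} email={email} [{tag}] files={info['files']}")
```

Grouping by ID is useful because, as the post notes, the ID differs per victim: several IDs on one share or backup target indicate multiple infected hosts rather than one.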

Posted on 2016-12-17 17:42
2. 360 releases its 2016 ransomware threat landscape report
{CHN}
Title: 2016 Ransomware Threat Situation Analysis Report released (2016敲诈者病毒威胁形势分析报告发布)

Author info: 2016-12-16 10:15:13 By 360 Security Center

//BEGIN
360 Internet Security Center has released the "2016 Ransomware Threat Situation Analysis Report". According to the report, ransomware, a new force in cybercrime, has become rampant. Since the start of this year at least 4.97 million computers nationwide have been attacked, peaking in the second half of the year, with 360 security products intercepting more than 20,000 attacks in a single day. Pei Zhiyong, 360's chief anti-fraud expert, said 360 has launched a ransomware pay-first guarantee service: individual users who enable the service and are infected will receive a ransom guarantee of up to 3 bitcoins (about 13,000 yuan). For enterprise users who have installed 360 Tianqing (天擎) and are infected, 360 Enterprise Security Group will pay the ransom, with each enterprise guaranteed up to one million yuan.

//END
Ransomware mainly uses asymmetric encryption for high-strength encryption; brute-forcing it by exhaustive search would take a computer tens of thousands of years, so victims have almost no way to decrypt their files themselves without paying the ransom. Combined with the use of virtual currencies such as bitcoin and the rise of anonymous communication networks, the virus has spread even more brazenly.

//Download: 2016年敲诈者木马威胁形势分析报告-360.pdf (2.84 MB, downloads: 1033)
File name: 2016年敲诈者木马威胁形势分析报告-360.pdf
File size: 2,981,434 bytes
MD5     : 47C48FE567B9B12F07641EDDF621693D

Comment: Tens of thousands of years is too long, seize the day: back up, back up, and back up again.

Posted on 2016-12-17 17:44
3. The No More Ransom project decrypts victims' files for free
标题:Hit by ransomware? No More Ransom portal adds 32 more free decryption tools to help you
Bitdefender, Check Point, Emsisoft and Trend Micro have joined the No More Ransom scheme - allowing more victims of ransomware to get their files back without paying criminals.

Author info: December 15, 2016 16:21 GMT (00:21 GMT+08:00) By Danny Palmer

//BEGIN
A scheme which enables victims of ransomware to decrypt their files and data for free is now offering even more decryption tools thanks to new partners pledging to help take the fight to cybercriminals.
Launched by Europol, the Dutch National Police, Intel Security, and Kaspersky Lab in July this year, the No More Ransom initiative provides keys to unlocking encrypted files, as well as information on how to avoid getting infected in the first place.
The No More Ransom (天下无勒索) project, launched jointly in July this year by Europol, the Dutch National Police, Intel Security, Kaspersky Lab and others, has recently added several decryption tools, provided free of charge to users who may be hit by ransomware attacks.
The project has attracted more security companies in the industry to join.
The No More Ransom (天下无勒索) project is published as a website. It was initially available only in English, but has now added several languages: Dutch, French, Italian, Portuguese, Russian and so on, so that victims around the world can quickly find the decryption tool they need. Other languages are under development and are expected to be released soon.

//END
No More Ransom recommends protection measures such as regularly backing up systems so ransomware can't destroy personal data, using robust security software and warns PC users not to trust any suspicious-looking links in messages.
Ransomware has boomed during 2016, with the cost of ransomware attacks expected to amount to more than $1 billion by the end of the year.
https://www.nomoreransom.org/
The No More Ransom (天下无勒索) project recommends measures such as regular, effective backups of users' critical data to counter ransomware, using flexible and usable security software to prevent ransomware intrusions, and urges users not to trust suspicious links sent in messages. Ransomware has exploded in 2016 and may well continue next year, possibly causing $1 billion in losses over the whole year.

Comment: Insurance payouts are less practical than providing free decryption tools like this! But remember, against ransomware: back up, back up, and back up again.

Posted on 2016-12-17 17:46
4. Another code-execution vulnerability triggered by audio files found on Ubuntu
Title: 0-days hitting Fedora and Ubuntu open desktops to a world of hurt
If your desktop runs a mainstream release of Linux, chances are you're vulnerable.

Author info: 12/16/2016, 5:36 AM By DAN GOODIN

//BEGIN
If you run a mainstream distribution of Linux on a desktop computer, there's a good chance security researcher Chris Evans can hijack it when you do nothing more than open or even browse a specially crafted music file. And in the event you're running Chrome on the just-released Fedora 25, his code-execution attack works as a classic drive-by.
Linux looked more secure than Windows and OS X, until a security expert recently discovered a vulnerability that can be triggered with nothing more than an audio file. The affected media programs include Game Music Emu, GStreamer, the GNOME desktop video player, the video thumbnailer and others.
The discoverer demonstrated exploitation on video in two scenarios: Fedora 25 + Google Chrome, and Ubuntu 16.04 LTS.
This is a 0-day vulnerability found in Linux desktop operating systems; it is not effective on server operating systems. As long as a user remotely opens a specially crafted music file containing exploit code, the machine can be taken over.

//END
For anyone who's versed in software development or security engineering, Tuesday's post offers a spectacularly deep dive into the mechanics of exploiting what at first blush appeared to be a non-exploitable flaw. The larger message coming out of Evans' recent work—which has already inspired the development of at least one other serious code-execution exploit—is that at the very least, desktop Linux is no more immune than Windows and OS X to catastrophic exploits. And given the past decade of top-flight security talent Microsoft and Apple have hired to lock down their OSes, it's arguable that key parts of desktop Linux are less hardened. To think otherwise may not be just wrong, it could be dangerous as well.
Even for so-called professionals well versed in software development or security engineering, a 0-day vulnerability like this one on the Linux platform is rare, and some may even have thought it impossible. Some software developers are already trying to exploit this vulnerability, but its real significance may lie in breaking the conventional view that desktop Linux is more secure than Windows and OS X. For decades the professionals at Microsoft and Apple have worked day and night to build more secure systems; that Linux has not done the same does not mean it is more secure. Planning for the worst may also make a system more secure.

Comment: No system is unbreakable. It brings to mind Mikko's AVAR 2016 talk, Nothing is unbreakable....

Posted on 2016-12-17 17:47
5. Remote code execution vulnerability in Ubuntu's crash reporter
Title: Ubuntu App Crash Reporter Bug Allows Remote Code Execution
Flaw already patched, make sure you update ASAP

Author info: Dec 16, 2016 06:28 GMT By Bogdan Popa

//BEGIN
A security researcher has discovered a vulnerability in Ubuntu’s crash reporter that would allow remote code execution, making it possible for an attacker to compromise a system using just a malicious file.
Donncha O'Cearbhaill writes that the security bug resides in the Apport crash reporting tool on Ubuntu, which can be tricked into opening a malicious crash file that includes Python code executed on launch.
The Apport crash reporter is the crash reporting tool named Apport; on Ubuntu, this kind of file can also lead to a serious vulnerability: remote code execution. A hacker simply needs a malicious file to remotely control the computer system via Python code.

//END
O'Cearbhaill ends his research note with a piece of advice for security researchers to audit free and open-source software because vulnerabilities like this can still exist, allowing attackers to take control of unpatched systems.
He notes that researchers are often approached to sell the vulnerabilities they find, and only in this case, he was offered $10,000 to provide all the details of the crash reporting app bug. O'Cearbhaill emphasizes that companies need to offer bigger incentives to researchers for their work, explaining that Google and Microsoft are going in the right direction with their bug bounty programs.
Free and open-source software should undergo security reviews like this one, to avoid being remotely controlled by hackers.
Someone offered $10,000 for all the details of this vulnerability and its exploitation; the security expert said that the software giants Microsoft and Google have both launched similar vulnerability or bug bounty programs, a big step in the right direction toward making systems more secure.

Comment: Could dump files on Windows be exploited too?

Posted on 2016-12-17 17:48
6. Apple disk encryption passwords can be obtained with cheap hardware
Title: A $300 Device Can Steal Mac FileVault2 Passwords

Author info: Thursday December 15, 2016 @08:30PM By the 30-seconds-or-less dept

//BEGIN
Swedish hardware hacker Ulf Frisk has created a device that can extract Mac FileVault2 (Apple's disk encryption utility) passwords from a device's memory before macOS boots and anti-DMA protections kick in. The extracted passwords are in cleartext, and they also double as the macOS logon passwords. The attack requires physical access, but it takes less than 30 seconds to carry out. A special device is needed, which runs custom software (available on GitHub), and uses hardware parts that cost around $300. Apple fixed the attack in macOS 10.12.2. The device is similar to what Samy Kamkar created with Poison Tap.
A hardware security expert from Sweden has designed a hardware device that can be used to crack Apple's disk encryption application, and quickly too, in under 30 seconds; the only inconvenience is that it must be directly connected to the Apple device. The device must run custom software, whose source code has now been published.
However, Apple has already patched the vulnerability in its latest release, macOS 10.12.2.

//END

Comment: Hardware and software alike, no system is impregnable: Nothing is unbreakable....