Daily Security Briefing (20170108)

Thread posted 2017-1-7 21:52

Posted 2017-1-9 19:00
1. Counterfeit Super Mario Run installs the Marcher banking trojan
标题:Android Marcher now posing as Super Mario Run
Attackers seek to use the game's popularity to spread malware

Author: January 05, 2017 By Viral Gandhi

//BEGIN
Nintendo recently released Super Mario Run for the iOS platform. In no time, the game became a sensational hit on the iTunes store. However, there is not yet an Android version and there has been no official news on such a release. Attackers are taking advantage of the game's popularity, spreading malware posing as an Android version of Super Mario Run.
Popular games are one of the hackers' favourite lures. The Marcher banking trojan described here even uses a popular game that has not yet been released to entice unsuspecting users into clicking, downloading and installing, while its real target is the money in the user's online banking account. The unreleased game is Super Mario Run: officially only an iOS version has been published, with no Android version. The attackers exploit exactly that, disguising the malware as the game and tricking users into searching for it, downloading it and installing it.
Historically this is nothing new; Pokémon GO was abused in the same way.
Marcher is an Android malware family whose targets are online banking, finance and credit-card apps. Its method is to overlay the legitimate screen: as soon as one of these apps prompts for the user's credentials, the trojan running in the background pops up its own window, and a careless user "voluntarily" hands sensitive information to the hackers, who upload it directly to a C&C server under their control.
The targeted apps belong to 18 mainstream banking applications, in countries and regions including Australia, the UK and France.


//END
Android Marcher has been around since 2013 and continues to actively target mobile users' financial information. To avoid becoming a victim of such malware, it is a good practice to download apps only from trusted app stores such as Google Play. This practice can be enforced by unchecking the "Unknown Sources" option under the "Security" settings of your device.
Zscaler ThreatLabZ is actively monitoring this variant of the Android Marcher malware to ensure that Zscaler customers are protected.
Marcher is not new; its history goes back to 2013. To avoid being harmed by this trojan, users are advised: first, do not download popular game apps from unofficial channels, and in particular do not trust so-called cracked versions; second, keep the phone's installation verification enabled and do not allow direct installation of apps of unknown origin; and finally, install trusted third-party security software.


Comment: for Android security, AVL Pro is recommended!
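
The overlay behaviour described in the Marcher post (a window drawn on top of a bank app's login form, combined with the advice to block side-loading and review permissions) can be turned into a quick triage check. The script below is an added example, not code from Zscaler's write-up or from the forum post. It parses text in the shape of `adb shell dumpsys package <pkg>` output and flags packages that request SYSTEM_ALERT_WINDOW, raising the confidence when the same package also asks for SMS or foreground-task access or was not installed by Google Play. The dump embedded in the script is constructed and the package names are hypothetical.

```python
"""Triage Android package dumps for overlay-style banking-trojan traits.

Added example (not from the Zscaler write-up or the forum post). Parses
text shaped like `adb shell dumpsys package <pkg>` output and flags
packages that request SYSTEM_ALERT_WINDOW, the screen-overlay capability
a Marcher-style trojan uses to cover a bank app's login form. The sample
dump is constructed; package names are hypothetical.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
SMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
       "android.permission.SEND_SMS"}
FOREGROUND = {"android.permission.GET_TASKS",
              "android.permission.PACKAGE_USAGE_STATS"}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play

# Constructed sample in dumpsys-package style; not captured from a device.
SAMPLE_DUMP = """\
Package [com.example.bank] (1a2b3c):
  versionName=4.2.0
  installerPackageName=com.android.vending
  requested permissions:
    android.permission.INTERNET
    android.permission.USE_FINGERPRINT
Package [com.example.mariorun] (4d5e6f):
  versionName=1.0
  installerPackageName=null
  requested permissions:
    android.permission.INTERNET
    android.permission.SYSTEM_ALERT_WINDOW
    android.permission.RECEIVE_SMS
    android.permission.GET_TASKS
"""


@dataclass
class PackageInfo:
    name: str
    installer: Optional[str] = None
    permissions: Set[str] = field(default_factory=set)


_PKG_RE = re.compile(r"^Package \[([^\]]+)\]")
_INSTALLER_RE = re.compile(r"^\s*installerPackageName=(\S+)")
_PERM_RE = re.compile(r"^\s+([A-Za-z0-9_.]+\.permission\.[A-Z0-9_]+)\s*$")


def parse_dump(text: str) -> List[PackageInfo]:
    """Parse one or more package blocks into PackageInfo records."""
    pkgs: List[PackageInfo] = []
    in_requested = False  # inside a "requested permissions:" list
    for line in text.splitlines():
        m = _PKG_RE.match(line)
        if m:
            pkgs.append(PackageInfo(m.group(1)))
            in_requested = False
            continue
        if not pkgs:
            continue  # text before the first Package header
        cur = pkgs[-1]
        m = _INSTALLER_RE.match(line)
        if m:
            cur.installer = None if m.group(1) == "null" else m.group(1)
            continue
        if line.strip() == "requested permissions:":
            in_requested = True
            continue
        if in_requested:
            m = _PERM_RE.match(line)
            if m:
                cur.permissions.add(m.group(1))
            else:
                in_requested = False  # first non-permission line ends the list
    return pkgs


def triage(pkg: PackageInfo) -> List[str]:
    """Return reasons a package looks like an overlay banking trojan.

    Empty list means no overlay capability. The overlay permission is the
    trigger; SMS access (OTP theft), foreground-task access (knowing when
    the bank app is on screen) and side-loading are reported on top.
    """
    reasons: List[str] = []
    if OVERLAY not in pkg.permissions:
        return reasons
    reasons.append("overlay: requests SYSTEM_ALERT_WINDOW")
    if pkg.permissions & SMS:
        reasons.append("sms: can read or intercept SMS (OTP theft)")
    if pkg.permissions & FOREGROUND:
        reasons.append("foreground: can see which app is on screen")
    if pkg.installer not in TRUSTED_INSTALLERS:
        reasons.append("sideloaded: installer=%s" % pkg.installer)
    return reasons


def suspicious_packages(dump: str) -> Dict[str, List[str]]:
    """Map package name -> reasons, for every package triage() flags."""
    result: Dict[str, List[str]] = {}
    for p in parse_dump(dump):
        reasons = triage(p)
        if reasons:
            result[p.name] = reasons
    return result


if __name__ == "__main__":
    for name, reasons in suspicious_packages(SAMPLE_DUMP).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Feed real output from `adb shell dumpsys package <pkg>` into `parse_dump` to use it on a device. SYSTEM_ALERT_WINDOW is also requested by legitimate apps (chat bubbles, screen filters), so the output is a triage queue for a closer look, not a verdict.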
Posted 2017-1-9 19:02
2. Researchers publish an analysis of a GM Bot malware variant
标题:Analyzing a variant of the GM Bot Android malware

Author: January 6, 2017 By Pierluigi Paganini

//BEGIN
My friends at CyberBlog decided to analyze the GM Bot Android Malware as an exercise aiming to receive feedback and suggestions from the security community.
GM is short for Ganga Man, a place name in an African country; here it is used as the name of an Android malware family. This article is a technical analysis report, split into five parts:
1 Public Analysis
2 Static Analysis
3 Packer Debugging
4 DEX Extraction and De-compilation
5 Functional & Dynamic Analysis


//END
Summary
The sample appears to be a specifically customised variant that is being used in a campaign to target the Danske Bank MobilePay application. We see evidence that it is probably not the original GM Bot authors' work – the coding style compared with the public source code is different, and the mix of languages in the resource files implies the sample has been adapted in a "quick and dirty" fashion to achieve the objectives.
This is a good example of how once released, complex code can be quickly and easily forked by less skilled authors and a pattern we also see today with the release of the Mirai botnet code. Quickly we see a spread of variants of the codebase that become harder to trace and detect and importantly attribute to any individual or group.
As ever, the best advice to prevent becoming a victim of such malware is to ensure that your phone is not configured to install 3rd party applications, and always review requests for permissions carefully – eg, are they aligned with the expected purpose of the application?
The detailed technical analysis above suggests that this variant is not the work of the original author; after the source code leaked, low-skilled script-kiddie types apparently tweaked parameters, display strings, C&C addresses and the like and rebuilt "new" malicious samples.
This pattern is already common in the industry. For example, after the source code of the IoT botnet Mirai, which recently caused a worldwide stir, was made public, similar variants followed one after another. It is foreseeable that such cases will keep recurring in the near future.
As a defensive recommendation: still do not install apps from unofficial markets, which by itself significantly reduces the chance of infection and attack. When an app really must be installed, pay particular attention to whether the permissions it requests are appropriate and necessary.

//Analysis report download: Analyzing a variant of the GM Bot Android malware.pdf (1.08 MB, downloads: 273)
Filename: Analyzing a variant of the GM Bot Android malware.pdf
File size: 1,133,557 bytes
MD5: A3C0BE981F8C428C9BB6778983808858

Comment: for Android security, AVL Pro is recommended!

Posted 2017-1-9 19:03
3. SSL certificate validation flaw in Kaspersky antivirus products
标题:SSL certificate validation flaw discovered in Kaspersky AV software

Author: 04 Jan 2017 By Peter Loshin

//BEGIN
Google Project Zero discovers more antivirus vulnerabilities. This time, the issues are with how Kaspersky Lab handles SSL certificate validation and CA root certificates.
Tavis Ormandy continues his war on buggy antivirus software, as the Google Project Zero researcher reported two serious vulnerabilities, including an SSL certificate validation flaw, in Kaspersky Lab's popular antivirus offering.
Google's Project Zero analysis team recently examined security software and found that it is precisely these security products that contain serious vulnerabilities, which may enable man-in-the-middle attacks intercepting all of a user's outbound SSL connections! The products concerned include antivirus software from Kaspersky and Symantec.

//END
Last September, Project Zero reported more critical vulnerabilities in Symantec's antivirus software related to the use of unpatched open source code. Kaspersky Antivirus also previously received attention from Project Zero in 2015 for a number of bugs leading to memory corruption that occurred when parsing crafted malicious files using several different formats.
Because these security products use unpatched open-source code, they suffer from serious security problems: memory leaks, being taken over, and so on.

Comment: the security of security software itself really deserves attention. A little ironic and awkward, isn't it?

Posted 2017-1-9 19:05
4. Iranian APT group OilRig impersonates Juniper and Oxford websites
标题:Iranian Group Delivers Malware via Fake Oxford University Sites

Author: January 06, 2017 By Eduard Kovacs

//BEGIN
An Iran-linked advanced persistent threat (APT) group dubbed OilRig has used a fake Juniper Networks VPN portal and fake University of Oxford websites to deliver malware to victims.
The APT group OilRig, said to be linked to Iran, attacks by impersonating well-known websites, including Juniper's network VPN portal and the websites of the University of Oxford in the UK.
The specific method: the attackers set up a counterfeit website with fake mailboxes on it to lure users into entering their private information. Obviously all that remains is to find a way to lure users to that site.
OilRig has drawn industry attention since at least 2015, and several different security vendors have published analysis reports on it. The group's targets are quite varied: Saudi Arabia, Israel, the United States, Turkey, the UAE, Lebanon, Kuwait and Qatar, among others, and the sectors attacked include government departments, financial institutions and technology companies.


//END
While attribution is often difficult, evidence found by researchers suggests that OilRig is based in Iran, including the use of the Persian language in the malware samples, and information associated with the command and control (C&C) domains used by the group.
In fact, attribution to Iran is rather difficult. But the language settings and text in the malware, together with the C&C domain names and similar factors, taken together essentially confirm that the group originates from this Arab country.

Comment: when APT is mentioned, what usually comes to mind is the big players, the US and Russia.

Posted 2017-1-9 19:07
5. Researchers warn that hackers are spying on users through webcams
标题:WARNING: Hackers are SPYING on you through YOUR webcam - here’s how to stop them
CODE red, code red. Hackers are gaining access to your webcam and spying on you without your knowing.

Author: 7th January 2017 By Luke Johnson

//BEGIN
Thanks to Facebook, Twitter and Instagram - not forgetting the odd Snapchat-sent naked selfie - we’re all sharing far more than we should. But how would you feel if you were being spied on through your smartphone’s camera without even knowing?
The major social networks are flooded with selfies of every kind, even fully naked ones. Some of them we shared ourselves; others were obtained by hackers through various means, and taking control of a computer's or phone's camera is one of the important routes.

//END
Facebook founder and CEO raised eyebrows last year when a photo revealed he placed stickers over his laptop’s camera as a way of preventing people snooping on him.
As much as the internet scoffed at his simplistic prevention method, it’s actually the most effective means of being caught on camera unawares.
“The ultimate security control is to cover the lens,’’ IT security expert, Steven Fox said.
“If your webcam doesn’t come with a lens cover, use an adhesive bandage or even a yellow sticky note to cover it up.”
Last year Facebook CEO Zuckerberg was photographed with a sticker over his computer's camera, which prompted much discussion. People of all kinds then recommended the "ultimate" way to prevent covert filming: put a bit of yellow tape over your computer's camera! A little ironic, isn't it?

Comment: whom does the little yellow tape embarrass?

Posted 2017-1-9 19:08
6. WikiLeaks says it will publish private information of some Twitter users
标题:WikiLeaks Threatens To Publish Twitter Users' Personal Info

Author: Friday January 06, 2017 By BeauHD

//BEGIN
WikiLeaks said on Twitter earlier today that it wants to publish the private information of hundreds of thousands of verified Twitter users. The group said an online database would include such sensitive details as family relationships and finances. USA Today reports:
Verified Twitter users have grown to thousands upon thousands since 2009.
Recently WikiLeaks announced that it will publish the information it holds on these people: family relationships, jobs, housing and financial information.

//END
"We are thinking of making an online database with all 'verified' twitter accounts [and] their family/job/financial/housing relationships," the WikiLeaks Task Force account tweeted Friday. The account then tweeted: "We are looking for clear discrete (father/shareholding/party membership) variables that can be put into our AI software. Other suggestions?" Wikileaks told journalist Kevin Collier on Twitter that the organization wants to "develop a metric to understand influence
networks based on proximity graphs." Twitter bans the use of Twitter data for "surveillance purposes." In a statement, Twitter said: "Posting another person's private and confidential information is a violation of the Twitter rules." Twitter declined to say how many of its users have verified accounts but the Verified Twitter account which follows verified accounts currently follows 237,000. Verified accounts confirm the identity of the person tweeting by displaying a blue check mark. Twitter says it verifies an account when "it is determined to be an account of public interest." Twitter launched the feature in 2009 after celebrities complained about people impersonating them on the social media service.
In 2009, following complaints from some celebrities, Twitter introduced a service resembling real-name verification, marking such accounts with an icon different from ordinary ones: a blue badge.
Twitter declined to disclose how many people have been verified.

Comment: better not to put your private information on social media, whether you are a "big V" or an ordinary person!

创意安天 ( 京ICP备09068574, ICP证100468号 )