Daily Security Brief (20170112)

Posted on 2017-1-11 20:19

Posted on 2017-1-12 21:27
1. New ransomware family Spora has a sophisticated ransom payment site
Title: Spora Ransomware Works Offline, Has the Most Sophisticated Payment Site as of Yet

Author: January 10, 2017 05:57 PM By Catalin Cimpanu

//BEGIN
A new ransomware family made its presence felt today, named Spora, the Russian word for "spore." This new ransomware's most notable features are its solid encryption routine, ability to work offline, and a very well put together ransom payment site, which is the most sophisticated we've seen from ransomware authors as of yet.
First infections with Spora ransomware were spotted on the Bleeping Computer and Kaspersky forums. Below is an analysis of the Spora ransomware mode of operation provided by Bleeping Computer's Lawrence Abrams, with some information via MalwareHunterTeam and Fabian Wosar of Emsisoft.
The new ransomware family Spora is currently spreading only in Russia, and its ransom note is in Russian as well. It uses the most sophisticated encryption and extortion mechanism seen so far, and it can also work offline. It has already been captured by several security companies, which have provided detailed analysis reports.


//END
From the different security researchers we have spoken to, the new Spora appears to be a professional ransomware put together by a crew with previous experience in ransomware distribution.
Last year, in the months of January and February, the world was introduced to ransomware families such as Locky and Cerber, which plagued users all over the world during 2016, and which security firms had failed to break their encryption.
Spora seems to be a ransomware family as advanced and well-run as Cerber and Locky, and we may soon see its operators expand from Russia to other countries across the world.
Several security experts who have analyzed the ransomware say that, compared with ransomware seen before, this new Spora is more "professional". At the beginning of last year, Locky and Cerber, the most widespread ransomware at the time, shocked the whole world, but compared with them the newly exposed Spora is more advanced and more carefully run. Although it is currently spreading mainly in Russia, one can imagine it spreading worldwide in the near future.

Comment: Against ransomware, the recommended rule is the "3B" principle of backup, backup and backup again: Backup, Backup, Backup (Beifen, Beifen, Beifen).

Posted on 2017-1-12 21:30
2. Researchers discover new Terror exploit kit that drops a cryptocurrency miner
Title: New Terror Exploit Kit Emerges

Author: January 10, 2017 By Ionut Arghire

//BEGIN
After the fall of the Nuclear and Angler exploit kits (EKs), overall activity generated from exploit kits has dropped to only a fraction of what used to be.
Cybercriminals, however, are attempting to take advantage of this gap with new threats, including the recently observed "Terror" exploit kit.
Unlike other toolkits, Terror stands out in the crowd because its author(s) appears to be doing everything on their own. The developer has been actively updating the threat over the past several weeks, and is using the EK to drop a cryptocurrency miner to the compromised machines, which is effective enough for a one-man operation, Trustwave security researchers say.
The new exploit kit (EK) named Terror is the "new favorite" after the Nuclear and Angler kits; after those two disappeared, the exploit-kit scene that many thought would struggle to recover has come back. A distinctive feature of Terror is that it appears to be a one-man operation with no systematic organization behind it, and it is updated frequently. The author uses the EK to mine cryptocurrency on victim machines. It exploits no fewer than eight vulnerabilities, bundled together, affecting IE, Flash, Firefox and others. The mining may not look very profitable, but for a single operator who keeps at it, it is still worthwhile: the resource is stable, and as long as the victim's machine stays on, the mining keeps running and the profit comes easily.


//END
The EK was observed using 64bit only executables as droppers and miners, and the researchers tracked the activity to PasteBin and GitHub, where the miner’s configuration is hosted. The malware author is looking to mine the Monero cryptocurrency, which has seen a boost in value on the underground markets recently.
Apparently, the attacker's subscription to Sundown has ended and no changes were seen in the GitHub repo for the past couple of weeks, although new domains associated with the EK continue to be registered, the researchers say.
“Given that there is a lot of chatter in the underground from people looking to buy client side exploits and the creation of new exploit kits, there is clearly high demand and scarce supply for these in the market. Given this, we might see this kit continue to evolve or similar DIY kits popping up at any time,” Trustwave’s researchers conclude.
The EK uses 64-bit executables as its droppers and miners. This EK appears to have evolved from another EK named Sundown. Demand for EKs has always existed and seems to be growing more urgent, so a new EK may appear at any time.


Comment: Cryptocurrency is a "resource" for many malware authors; they will keep mining without end.

Posted on 2017-1-12 21:31
3. Security vendor publishes analysis report on the hack of a Ukrainian substation
{CHN}
Title: The full story of the hack of the Ukrainian substation operator Ukrenergo; NSFOCUS (绿盟科技) report says the attacker is the Telebots group

Author: January 10, 2017 10:47 By NSFOCUS (绿盟科技)

//BEGIN
Ukrenergo is Ukraine's main energy supplier. On the evening of December 17, 2016, the company suffered a power outage that affected the automation control system of the northern substation in the village of Novi Petrivtsi near Kyiv; the outage mainly affected northern Kyiv (the Ukrainian capital) and the surrounding area.
Thirty minutes after the outage began, Ukrenergo engineers switched the equipment to manual mode and began restoring supply; power was fully restored after 75 minutes.
On the morning of December 18, 2016, Ukrenergo's head Vsevolod Kovalchuk posted a description of the above on Facebook, saying that the outage might have been caused by an equipment failure or by a cyberattack.

//END
This attack resembles BlackEnergy: the attackers used spearphishing emails carrying Microsoft Excel documents with a malicious macro as the initial infection vector. The difference is that this time the malicious document used no social-engineering tricks to lure the victim into clicking the "enable macros" button, so whether the attack succeeded depended entirely on whether the victim clicked it. Once the macro ran, it dropped malicious files and began carrying out its malicious functions.

//Download: ukraine-ukrenergo-power-attacked-analysis.pdf (2.28 MB, downloads: 303)
Filename: ukraine-ukrenergo-power-attacked-analysis.pdf
File size: 2,390,531 bytes
MD5: A94C5168028C94E051B46778951B643A
Also, those interested can read this analysis article from February of last year:
http://www.antiy.com/response/A_ ... er_Grid_Outage.html

Comment: Yet another cyberattack causing a power outage?!

Posted on 2017-1-12 21:32
4. Security vendor publishes analysis report on the "black sparrow" (黑雀) attack inside the Death botnet
{CHN}
Title: Black Sparrow Attack: revealing the ultimate controller behind the "Death" botnet

Author: 2017-01-10 By Venustech ADLab (启明星辰ADLab)

//BEGIN
This report uses statistical analysis of the data and reverse engineering, combined with sample characteristics, to reveal one by one the "hackers preying on hackers" chaos inside the "Death" botnet, the "black sparrow" attack hidden within it, the criminal supply chain behind the "Death" bot, and the relationship between the "Death" bot and the Nitol and Ghost Shadow (鬼影) bots. The "Death" botnet analyzed in the report is controlled by three tiers of hackers at the same time: each third-tier hacker controls a single botnet, but what the third-tier hackers do not know is that the botnets they build are also controlled by the second- and first-tier hackers; likewise, the second-tier hackers do not know that behind them sits a super-controller (the first-tier hacker) who simultaneously controls every "Death" botnet they control. These three tiers of hackers, and the attack hidden among them, are what we call the "black sparrow" attack.

//END
Characteristics of the "Death" bot attack:
(1) The first-tier hacker (the big black sparrow) uses the second-tier hackers (black sparrows) and third-tier hackers (mantises) to grow his own botnet resources.
(2) The first-tier hacker (the big black sparrow) keeps a backdoor for himself in the bots he sells.
(3) The bot is used by a large number of hackers to infect another set of hackers.
(4) The second-tier hackers (black sparrows) likewise configure a backdoor in the bot program.
(5) The bot is bundled into other hackers' configuration tools, attacking and controlling downstream hackers.
(6) It spreads within the intranet using a built-in username and password dictionary.
(7) It directs the zombie machines to open vulnerable links using IE.
(8) It can add a backdoor system account on infected machines.
In addition, among the related samples we found that the bot program was also bundled into some hacking tools, such as the configuration tool for the "Billgate" DDoS attack, so that even the hacker at the very end of the chain also plays the role of attacking other hackers.

//Download: 启明星辰ADLab《黑雀攻击-揭秘Death僵尸网络背后的终极控制者》.pdf (2.46 MB, downloads: 242)
Filename: 启明星辰ADLab《黑雀攻击-揭秘Death僵尸网络背后的终极控制者》.pdf
File size: 2,583,376 bytes
MD5: 514A355E671C628FAA467DF5672E83C9

Comment: A 40-page tome; read and study it slowly.

Posted on 2017-1-12 21:35
5. Security vendor discovers phishing campaign targeting Netflix users
Title: CREDIT CARD DATA AND OTHER INFORMATION TARGETED IN NETFLIX PHISHING CAMPAIGN

Author: January 09, 2017 By Mohammed Mohsin Dalla

//BEGIN
Introduction
Through FireEye’s Email Threat Prevention (ETP) solution, FireEye Labs discovered a phishing campaign in the wild targeting the credit card data and other personal information of Netflix users primarily based in the United States.
This campaign is interesting because of the evasion techniques that were used by the attackers:
The phishing pages were hosted on legitimate, but compromised web servers.
Client-side HTML code was obfuscated with AES encryption to evade text-based detection.
Phishing pages were not displayed to users from certain IP addresses if its DNS resolved to companies such as Google or PhishTank.
At the time of posting, the phishing websites we observed were no longer active.
Attack Flow
The attack seems to start with an email notification – sent by the attackers – that asks the user to update their Netflix membership details. The phishing link inside the email body directs recipients to a page that attempts to mimic a Netflix login page, as seen in Figure 1.
Upon submitting their credentials, victims are then directed to webpages requesting additional membership details (Figure 2) and payment information (Figure 3). These websites also attempt to mimic authentic Netflix webpages and appear legitimate. Once the user has entered their information, they are taken to the legitimate Netflix homepage.
This time the hackers have set their sights on members of the Netflix video rental and sharing site. Their method is to first hack some legitimate websites and then upload the trojan to them. From the victim's point of view, they first receive an email that looks like an official one, asking the user to update their membership: enter their login account and password, then enter their payment account and password, and so on. Only after all of this is done is the user redirected to the real official website.
The HTML page seen on the client side is encrypted, which makes it hard to discover the hackers' real intent by ordinary means and at the same time evades simple security mechanisms that filter on strings.


//END
Technical Details
The phishing kit uses techniques to evade phishing filters. One technique is the use of AES encryption to encode the content presented at the client’s side, as seen in Figure 4. The purpose of using this technique is code obfuscation, which helps to evade text-based detection. By obfuscating the webpage, attackers try to deceive text-based classifiers and prevent them from inspecting webpage content. This technique employs two files, a PHP and a JavaScript file that have functions to encrypt and decrypt input strings. The PHP file is used to encrypt the webpages at the server side, as seen in Figure 5. At the client side, the encrypted content is decoded using a defined function in the JavaScript file, as seen in Figure 6. Finally, the webpage is rendered using the ‘document.write’ function.
Another technique is the host-based evasion, as seen in Figure 7. The host name of organizations such as ‘phishtank’ and ‘google’ are blacklisted. The host name of the client is compared against a list of blacklisted host names. If there is a match against the blacklist, a “404 Not Found” error page is presented.
As with the majority of phishing attacks, this campaign uses PHP mail utility to send the attacker the stolen credentials. The advantage of using this technique is that the attacker can host their phishing kits on a number of websites and still get the stolen credentials and other information from a single email account. This enables attackers to extend their reach.
Tips to Secure your Netflix Account
To learn more about securing your Netflix account, Netflix provides additional information on how to keep your account safe from phishing scams and other fraudulent activity at https://www.netflix.com/security.
The phishing kit uses two techniques to evade detection. The first is encryption: it encrypts the page content so that ordinary detection methods cannot find it. This is done on both the client side and the server side, using PHP and JavaScript.
The second is a hostname blacklist. When a host on the blacklist is encountered, the phishing page is not shown. The hosts on this so-called blacklist are most likely the ones capable of discovering the malicious activity.

Comment: The phishing campaign is quite targeted!

Posted on 2017-1-12 21:36
6. Microsoft releases this year's first patch bundle, fixing two critical vulnerabilities
Title: MICROSOFT ISSUES RECORD LOW NUMBER OF PATCH TUESDAY BULLETINS

Author: January 10, 2017, 3:52 pm By Tom Spring

//BEGIN
Microsoft’s first Patch Tuesday update of 2017 is one of the smallest in the history of the program with four bulletins released today, including three rated important along with Adobe’s monthly Flash Player update for Internet Explorer and Edge, which was rated critical by the vendor.
The Microsoft bulletins were for vulnerabilities in Office 2016, its Edge browser and its Local Security Authority Subsystem Service (LSASS).
Microsoft's first Patch Tuesday of 2017 is one of the smallest patch sets in history! Only four bulletins were released (numbered MS17-001 through MS17-004). The vulnerabilities are in Office 2016, the Edge browser and the Local Security Authority Subsystem Service.

//END
Today’s Patch Tuesday, the first of 2017, marks the first monthly cycle that Microsoft is doing away with bulletins for newer products. Instead, Microsoft patches will be delivered in one installable package. Under the new patch management regime Microsoft’s Vista operating system will still get bulletins however.
Microsoft’s Patch Tuesday coincides with the release of cumulative updates for nearly all versions of Windows 10 including the Anniversary Update for PCs (Build 14393.693). The update did not introduce new features, rather fixed several security-related features such as fingerprint authentication, App-V Connection Group and an issue that had allowed two similar input devices to work on the same machine.
The patches will be delivered as a single installable package. Vista systems will still receive bulletins. These patches coincide with the cumulative update set for the Windows 10 Anniversary Update. The update added no new features but fixed several security-related features.

Comment: Patch quickly!

创意安天 (京ICP备09068574, ICP证100468号)