Daily Security Brief (20170120)

Posted on 2017-1-19 21:40
Posted on 2017-1-20 21:36
1. Locky ransomware and Dridex banking Trojan activity stalls
标题:Decline in two families of malware has researchers stumped

Author info: 01/17/17 01:51 PM EST BY JOE UCHILL

//BEGIN
A brief lull in the campaigns to distribute two major pieces of malware has security researchers baffled and in some cases on edge.
The ransomware Locky and the banking Trojan Dridex have dramatically scaled back distribution campaigns over the past month, and no one is quite sure why.
“16 days into the year and we continue to see no Locky, Dridex, vastly decreased spam volumes etc. Before new year we were getting 100k+/day,” tweeted researcher Kevin Beaumont.
Similar results have been found by a number of other experts. The antivirus firm Avast could track upwards of 100,000 Locky attacks per day until around Christmas, when attacks almost completely disappeared.
At their peak, Locky and Dridex raked in more than a million dollars a week.
For reasons nobody knows, the activity of the Locky ransomware and the Dridex banking Trojan stalled after the 2017 New Year, and the lull has now lasted 16 days since New Year's Day; the previous stall was in October last year. Concretely, the overall volume of spam distributing the two has dropped sharply, whereas last year it averaged roughly 100,000 messages a day, and at the peak weekly profits may have reached a million US dollars.

//END
Avast is concerned that the lull in Locky attacks will not last much longer.
“The longest lull before this was a few weeks in October,” said Tony Anscombe, senior security evangelist at Avast. “But the malware came roaring back.”
Anscombe notes that there is no technical reason that Locky would slow its campaign. Ransomware of Locky’s ilk encrypts files and forces users to pay a ransom to have their files decrypted. Usually, Ransomware only declines because it is no longer profitable — like when researchers release software to decrypt files without needing to pay the ransom. As of yet, that hasn’t happened with Locky.
Anscombe speculates the decline is a big data-type decision.
“Maybe they’ve found that during holidays they can't make as much profit,” he said.  
Some industry security experts say this is only a temporary lull that will not last long, and the malware will be back. From a technical standpoint, neither of these two malware families has had its encryption broken. In the past, distribution only stalled or dropped sharply when a ransomware family was fully decrypted by a security company that then published a decryption tool, leaving the operators with no profit. Although that has happened before, the Locky ransomware and the Dridex banking Trojan are not in that situation. Some security analysts suggest the stall may instead be because fewer victims get infected over the holidays and income falls sharply, so the extortionists paused deliberately, which is what produced the current situation.

Comment: Against ransomware, we recommend the 3B principle, back up, back up and back up again: Backup, Backup, Backup (Beifen, Beifen, Beifen).

Posted on 2017-1-20 21:38
2. Ransomware campaign targets a US non-profit cancer services organization
标题:US cancer agency targeted by a singular ransomware attack

Author info: January 18, 2017 By Pierluigi Paganini

//BEGIN
A new ransomware campaign has targeted the not-for-profit cancer services organisation “Little Red Door” requesting a US$44,000 ransom.
A US non-profit cancer services organization called Little Red Door was recently hit by a ransomware attack demanding a ransom of US$44,000. The organization does not intend to pay, and hopes that security companies and related organizations can help it recover its data and get the organization running again.
The organization's main role is to ease the financial hardship and psychological burden of cancer patients. The infection occurred at around 10 p.m. on the night of Wednesday, January 11, 2017; its main data were kept with a not-very-secure cloud provider. What is unusual is that the extortionist communicated directly with the victim by phone and email, and even sent text messages, to demand the ransom.

//END
The agency plans to replace the server with a “secure cloud-based” platform and hopes to have operations restored within the week.
The attack was reported by the organization to the FBI.
The organization has reported the attack to the FBI and is also looking for a more secure cloud storage solution, hoping to have the whole organization operating again within a week.


Comment: Against ransomware, we recommend the 3B principle, back up, back up and back up again: Backup, Backup, Backup (Beifen, Beifen, Beifen).

Posted on 2017-1-20 21:40
3. Researchers discover Quimitchin, the first Mac malware of this year
Title: Malwarebytes Discovers 'First Mac Malware of 2017'

Author info: Wednesday January 18, 2017 07:45PM By BeauHD

//BEGIN
Security researchers have uncovered a Mac OS based espionage malware they have named "Quimitchin." The malware is what they consider to be "the first Mac malware of 2017," which appears to be a classic espionage tool. While it has some old code and appears to have existed undetected for some time, it works. It was discovered when an IT admin noticed unusual traffic coming from a particular Mac, and has been seen infecting Macs at biomedical facilities.
The first piece of Mac malware of the year was recently discovered; it came to light when an IT administrator noticed, through monitoring, unusual traffic coming from a Mac. It turned out to be caused by a classic espionage tool, which has been named Quimitchin. Judging from the analysis, it seems to have been resident for some time.

//END
From SecurityWeek.com: "Quimitchin comprises just two files: a .plist file that simply keeps the .client running at all times, and the .client file containing the payload. The latter is a 'minified and obfuscated' perl script that is more novel in design. It combines three components, Thomas Reed, director of Mac offerings at Malwarebytes and author of the blog post told SecurityWeek: 'a Mac binary, another perl script and a Java class tacked on at the end in the __DATA__ section of the main perl script. The script extracts these, writes them to /tmp/ and executes them.' Its primary purpose seems to be screen captures and webcam access, making it a classic espionage tool. Somewhat surprisingly the code uses antique system calls. 'These are some truly ancient functions, as far as the tech world is concerned, dating back to pre-OS X days,' he wrote in the blog post. 'In addition, the binary also includes the open source libjpeg code, which was last updated in 1998.' The script also contains Linux shell commands. Running the malware on a Linux machine, Malwarebytes 'found that -- with the exception of the Mach-O binary -- everything ran just fine.' It is possible that there is a specific Linux variant of the malware in existence -- but the researchers have not been able to find one. It did find two Windows executable files, courtesy of VirusTotal, that communicated with the same CC server. One of them even used the same libjpeg library, which hasn't been updated since 1998, as that used by Quimitchin."
The Quimitchin malware consists of two files: a .plist and a .client. The former keeps the latter running at all times, and the latter is the actual malicious code, written as a Perl script made up of three parts: a binary, another Perl script and a Java class. The script unpacks them and writes them to the temporary directory /tmp. Its main functions appear to be screenshots or screen recording, classic ingredients of spyware.


Comment: Windows, Linux, and now it is Mac's turn?
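The two-file layout quoted above (a launchd .plist that keeps a hidden .client alive, and a Perl script carrying a Mach-O binary, a second Perl script and a Java class in its __DATA__ section) is easy to triage from disk. The following Python script is an added example written for this brief; it is not Malwarebytes' code and not the malware's. Everything in it is constructed: the agent label and paths, the use of KeepAlive (the post only says the plist "keeps the .client running", so KeepAlive is an assumption about how), and the sample bytes. Because the post does not say how the three payloads are delimited inside __DATA__, the script carves them by file magic instead of assuming a layout.

```python
import plistlib
import re
import struct
from pathlib import PurePosixPath

# Constructed LaunchAgent in the shape the post describes: its only job is to
# keep a hidden ~/.client running (KeepAlive/RunAtLoad are assumed here).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.demo.client</string>
  <key>ProgramArguments</key><array><string>/Users/demo/.client</string></array>
  <key>KeepAlive</key><true/>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

# Constructed benign agent for comparison: app-bundle path, periodic start.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>
"""

TMP_DIRS = {"/tmp", "/private/tmp", "/var/tmp"}


def launch_agent_findings(plist_bytes: bytes) -> list[str]:
    """Reasons a launchd plist matches the pattern (empty list = nothing notable)."""
    d = plistlib.loads(plist_bytes)
    findings = []
    args = d.get("ProgramArguments") or []
    program = d.get("Program") or (args[0] if args else "")
    if d.get("KeepAlive"):
        findings.append("keepalive")        # launchd respawns the payload whenever it exits
    if d.get("RunAtLoad"):
        findings.append("runatload")        # starts at login with no user action
    if program:
        p = PurePosixPath(program)
        if p.name.startswith("."):
            findings.append("hidden-program")   # dot-file name such as .client
        in_home_root = p.parts[:2] == ("/", "Users") and len(p.parts) == 4
        if in_home_root or str(p.parent) in TMP_DIRS:
            findings.append("odd-location")     # dropped straight into ~ or /tmp
    return findings


# File magics for the three payload types the post names.
_SIG = re.compile(
    rb"(?P<macho>\xfe\xed\xfa[\xce\xcf]|[\xce\xcf]\xfa\xed\xfe)"   # thin Mach-O, either byte order
    rb"|(?P<cafe>\xca\xfe\xba\xbe)"                                # fat Mach-O or Java class
    rb"|(?P<perl>#!\s*/usr/bin/(?:env\s+)?perl)",                  # embedded perl script
    re.DOTALL,
)


def carve_data_section(script: bytes) -> list[tuple[int, str]]:
    """Return (offset, kind) for every recognised payload after __DATA__/__END__."""
    m = re.search(rb"^__(?:DATA|END)__\r?\n", script, re.MULTILINE)
    if not m:
        return []
    start = m.end()
    blob = script[start:]
    hits = []
    for hit in _SIG.finditer(blob):
        if hit.group("macho"):
            kind = "mach-o"
        elif hit.group("perl"):
            kind = "perl-script"
        else:
            # CAFEBABE is shared by fat Mach-O and Java .class files.  Heuristic:
            # the next big-endian u32 is nfat_arch (a handful) for a fat binary
            # but minor||major version for a Java class (major >= 45).
            nxt = blob[hit.end():hit.end() + 4]
            if len(nxt) < 4:
                kind = "cafebabe-truncated"
            else:
                kind = "java-class" if struct.unpack(">I", nxt)[0] > 30 else "fat-mach-o"
        hits.append((start + hit.start(), kind))
    return hits


# Constructed .client stand-in: a perl stub with three payload stubs after __DATA__.
SAMPLE_CLIENT = (
    b"#!/usr/bin/perl\n"
    b"my$d=join'',<DATA>;# minified dropper: split $d, write parts to /tmp, exec\n"
    b"__DATA__\n"
    + b"\xcf\xfa\xed\xfe\x07\x00\x00\x01" + b"\x00" * 24   # x86_64 Mach-O header start
    + b"#!/usr/bin/perl\nprint qq(second stage);\n"        # second perl script
    + b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + b"\x00" * 8    # Java class, major version 52
)

if __name__ == "__main__":
    print("agent:", launch_agent_findings(SAMPLE_PLIST))
    print("benign:", launch_agent_findings(BENIGN_PLIST))
    for off, kind in carve_data_section(SAMPLE_CLIENT):
        print(f"payload at offset {off}: {kind}")
```

Run it against real files by reading ~/Library/LaunchAgents/*.plist and the program each one points at; the two checks are independent, so a plist with only one finding or a script whose __DATA__ carries nothing recognisable simply reports less. The CAFEBABE disambiguation is a heuristic, so confirm a "java-class" hit by looking at the constant pool before acting on it.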

Posted on 2017-1-20 21:42
4. Researchers discover a malware campaign targeting Google Chrome users
标题:Don’t Fall for This Malware Campaign That Targets Google Chrome Users

Author info: Jan 18, 2017 By Rafia Shaikh

//BEGIN
Researchers have discovered a new malware campaign that is specifically targeting Google Chrome users on Windows computers. First noticed in December, the campaign uses the infamous EITest chain that has been used in multiple exploit kits leading to identity theft, ransomware and other kinds of attacks. This time, however, it is being used in more targeted attacks rather than being used in exploit kits.
Security researchers have found malware specifically targeting the Google Chrome browser on Windows machines. It was first seen in December, but at that time the main goal was to steal user IDs and extort victims, and the method was exploitation. This time it is not exploitation but targeted attacks.

//END
“Because actors are finding it more difficult (and therefore less profitable) to achieve conversions (i.e., malware installations) via exploit kit, they are turning to new strategies,” researchers said. “As with other threats, actors are exploiting the human factor and are tricking users into loading the malware themselves, this time via selective injects into websites that create the appearance of problems along with the offer of fake solutions.”
Profiting through exploits is harder and slower than going straight to malware, so this strategy relies on the human factor and lures users into installing the malicious code themselves. Here the trick is to garble the page rendering in Chrome and then pose as a missing font so that the malicious program gets onto the user's computer.

// Download: chrome-exploit.gif
File name: chrome-exploit.gif
File size: 2,213,310 bytes
MD5    : E0394A3E57895EA0EE15C78D51EC065D

Comment: A new phishing technique.

Posted on 2017-1-20 21:43
5. Researchers find a special emoji sequence that reboots iOS devices
标题:Crashing iPhone Or iPad with a simple Emoji text message

Author info: January 19, 2017 By Pierluigi Paganini

//BEGIN
A simple text message containing a three-character Emoji sequence can freeze and reboot iPhones and iPads running iOS 10.1 or below.
A simple three-character message, a white flag, the digit zero and a rainbow, can reboot an iPhone or iPad running iOS 10.1 or earlier.
Image: ios-messages-bug1.jpg
//END
The iPhone-freezing video was first discovered by EverythingApplePro, it is a short .mp4 clip of someone standing by a bed with the words “Honey” written across the screen.
A video circulating online shows the process.

Comment: The discoverer is quite creative.

Posted on 2017-1-20 21:44
6. Security media reveal the communication equipment used by US President Obama during his term
{CHN}
Title: Revealed: the dedicated communication equipment US President Obama used during his term

Author info: 2017-01-19 09:00 By E安全

//BEGIN
E安全, January 19. On the evening of January 10, 2017, in a cold Chicago, US President Obama delivered his farewell address, announcing that his eight years as president were coming to an end. Over the past few years E安全, like everyone else, has followed the various secure and non-secure communication methods Obama used, whether in the White House, at his summer residence, or aboard Air Force One and Army One.
With Donald Trump taking over as US president on January 20, now is a good time for a retrospective, and E安全 presents a comprehensive review of the communication equipment Obama used during his term. Note that the background for this article comes from a New York Times report published in April 2016, which drew on several sources with real knowledge of the Obama White House's communication systems.

//END
New computers
Besides introducing a new phone system, White House Director of IT David Recordon also installed a new computer network. According to The New York Times, he began by laying several kilometers of Ethernet cable and phone lines inside the White House walls. His technical team eventually found and removed about 5.9 tons of abandoned cabling that was no longer in use.
"The old cabling came from different companies using different technologies and standards, spanning several eras over decades," Recordon said. "They found these conduits still packed with cut, unused cable, so we went in and cleared it out."
Once the cabling was in place, Recordon replaced the old computers with new equipment, solid-state drives and faster processors, and installed a number of color printers. The White House WiFi is now good enough for a Facebook Live broadcast from the Roosevelt Room.
Finally, the White House began requiring users to log into computers with two-factor authentication using a smart card and a PIN.

Comment: One wonders how secure the networks behind these communication systems are.