Daily Security Brief (20170218)

Posted on 2017-2-17 22:20
Posted on 2017-2-18 21:24
1. Researcher Decrypts the Hermes Ransomware in a Live Stream
Title: Hermes Ransomware Decrypted in Live Video by Emsisoft's Fabian Wosar

Author info: February 16, 2017 07:41 PM By Lawrence Abrams

//BEGIN
Emsisoft CTO and Malware Researcher Fabian Wosar has stated in the past that he wanted to perform an educational live stream about reversing malware. Today, after GData security researcher Karsten Hahn discovered a new ransomware called Hermes, Fabian decided to use it as the sample for his first live streaming session.  
The best part of it is that it turns out that this ransomware was able to be decrypted. This allowed those of us who were watching the live stream to get a first hand view of how a malware researcher analyzes and creates a decryptor for a new ransomware.
A live video stream decrypting ransomware!
This really is eye-catching: the malware analyst and CTO of Emsisoft just did it!
He had long wanted to live-stream an educational session on reverse-engineering malicious code, and that wish has finally come true. As his material he used a ransomware sample discovered by a researcher at the German security company GData. After analysis by the Emsisoft engineer, it turned out that this ransomware can indeed be decrypted, without paying the extortionists in virtual currency. At the same time it gives other researchers first-hand material on how to analyze and crack ransomware, and then how to build a decryption tool for users whose files are held hostage by the encryption.
What distinguishes this ransomware from others of its kind is that it does not change the extension of the encrypted files; instead it appends the string HERMES to the end of each encrypted file (the actual content, not the file name), which is in fact where the ransomware's name comes from.

//END
This ransom note includes two methods that a victim can contact the developer in order to get payment instructions. These are a Bitmessage address of BM-2cXfK4B5W9nvci7dYxUhuHYZSmJZ9zibwH@bitmessage.ch and the email address x2486@india.com. At this time it is not known how much the developer is demanding for the ransom payment.
The good news is that now that a decryptor is imminent, victims will not have to pay to get their files back. In the meantime, for those who wish to discuss this ransomware or receive support, you can use the Hermes Ransomware Help & Support Topic.
The ransomware automatically deletes the Windows backup directory. After encryption finishes, it leaves behind two ways to contact the ransomware developer and pay the ransom: one is a Bitcoin payment address, the other is a contact email address. So far it is unclear how much ransom the extortionists are demanding.
The good news, of course, is that we will soon see a decryption tool, so there is no need at all to contact the developer in order to decrypt the encrypted files.

Comment: Against ransomware, we recommend the 3B principle of backup, backup and backup again: Backup, Backup, Backup (Beifen, Beifen, Beifen).
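The post above says Hermes leaves file names alone and instead appends the string HERMES to the end of each encrypted file's content. The following is an added example, not code from the original post or from Emsisoft: a read-only triage scan that walks a directory and flags files whose last bytes are that marker, so an incident responder can inventory affected files without opening each one. It assumes the marker is the plain ASCII bytes `HERMES` at the very end of the file; the sample directory tree it scans is constructed inline.

```python
"""
Added example (not from the original post or from Emsisoft): a read-only
triage scan for files carrying the HERMES trailer described in the post.
Assumption: the marker is the ASCII bytes b"HERMES" at the very end of
the file content. The sample tree below is constructed for the demo.
"""
import os
import tempfile
from pathlib import Path
from typing import List

HERMES_MARKER = b"HERMES"  # trailer the post describes; assumed plain ASCII


def has_hermes_trailer(path: Path) -> bool:
    """Return True if the file's final bytes equal the HERMES marker.

    Only the tail is read, so large files are never loaded into memory,
    and a file shorter than the marker can never match.
    """
    size = path.stat().st_size
    if size < len(HERMES_MARKER):
        return False
    with path.open("rb") as fh:
        fh.seek(size - len(HERMES_MARKER))
        return fh.read(len(HERMES_MARKER)) == HERMES_MARKER


def scan_tree(root: Path) -> List[str]:
    """Walk root and return sorted relative paths of files ending in HERMES."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if has_hermes_trailer(p):
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def build_sample_tree() -> Path:
    """Create a constructed directory with clean and marker-bearing samples."""
    root = Path(tempfile.mkdtemp(prefix="hermes_demo_"))
    (root / "docs").mkdir()
    # clean file: no marker at all
    (root / "docs" / "report.docx").write_bytes(b"\x00clean-bytes" * 100)
    # constructed "encrypted" file: random bytes followed by the trailer
    (root / "docs" / "budget.xlsx").write_bytes(os.urandom(512) + HERMES_MARKER)
    # marker present but not at the end: must not be flagged
    (root / "notes.txt").write_bytes(b"HERMES in the middle, not the end")
    # shorter than the marker: must not be flagged
    (root / "tiny").write_bytes(b"HERM")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in scan_tree(sample_root):
        print("possible Hermes-encrypted file:", hit)
```

The scan reads only the last six bytes of each file, so it is safe to run across a large file share; matches should be treated as candidates for the decryptor mentioned in the post, and the originals kept untouched until they are decrypted.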
Posted on 2017-2-18 21:26
2. Researchers Find Malicious Code Hiding in a Website's SQL Database
标题:New Self-Healing Malware Targets Online Shops Running on Magento
The malware hides in the website's database

Author info: Feb 16, 2017 10:34 GMT By Gabriela Vatu

//BEGIN
Security experts have discovered a new malware strain targeting online shops running on Magento, one of the most popular e-commerce platforms. What sets this malware apart is the fact that it can self-heal by using code hidden in the website's database.
Security researchers studying malicious code have recently made a new discovery: they found malicious code in the database of an e-commerce online platform! Although this is not the first such case, it is the first time an SQL database has been found to be used this way.
So we can say that the traditional approach of scanning files alone is no longer adequate as the sole means of detecting trojans: from now on, scanning databases will likely have to be added.
The attack is highly targeted: the malicious code is only released when a particular user is found logging in, and then it steals the user's credit card and other important private information. The precondition, of course, is to first compromise certain specific websites and carry out a watering-hole attack.
Another notable feature of this malicious code is that it can self-repair: every time a user logs in to the database, the malicious code checks whether it is still present, first in the header, then the footer, the copyright notice, the CMS blocks and so on. If it is not found anywhere, the malware is reloaded.

//END
Dutch researcher Willem de Groot has updated the Magereport and the Malware Scanner with this new class of malware to help out show owners who want to do a sweep.
We have reached out to Magento and will update when we hear back.
The Magento database platform has been notified of the problem, and as soon as there is an update it will be published immediately.

Comment: Malware can hide in SQL too! Truly no crack is left unexploited.
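The post above makes the point that file scanning alone misses code that lives in the database, and that the malware re-seeds itself into header, footer, copyright and CMS-block content. The following is an added example, not from the article, from Magento, or from Willem de Groot's scanner: a database-side sweep that queries content-bearing tables for script tags and common obfuscation idioms and reports each matching row with a reason, for a human to review. The tables are simplified, constructed stand-ins loosely modelled on Magento's `cms_block` and `core_config_data`, the schema and rows are constructed here, and the pattern list is an assumption chosen for illustration.

```python
"""
Added example (not from the article, Magento, or the Magereport scanner):
a database-side sweep for injected script in CMS content.
Assumptions: the two tables are simplified, constructed stand-ins loosely
modelled on Magento's cms_block and core_config_data; the rows and the
pattern list are constructed for this demo.
"""
import re
import sqlite3
from typing import List, Tuple

# Things a reviewer would want surfaced in content that should be plain HTML.
SUSPICIOUS = [
    ("inline-script", re.compile(r"<script\b", re.I)),
    ("external-script", re.compile(r"<script[^>]+src\s*=\s*['\"]https?://", re.I)),
    ("eval", re.compile(r"\beval\s*\(")),
    ("charcode-obfuscation", re.compile(r"String\.fromCharCode|atob\s*\(|unescape\s*\(")),
]

# (table, key column, content column): trusted constants, never user input,
# which is why they may be interpolated into the query below.
DEFAULT_TARGETS = [
    ("cms_block", "identifier", "content"),
    ("core_config_data", "path", "value"),
]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database with benign and injected rows (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cms_block (identifier TEXT, content TEXT);
        CREATE TABLE core_config_data (path TEXT, value TEXT);
    """)
    conn.executemany("INSERT INTO cms_block VALUES (?, ?)", [
        ("footer_links", "<ul><li><a href='/about'>About</a></li></ul>"),
        ("promo_banner", "<div class='promo'>Free shipping over $50</div>"),
        # constructed injected block: obfuscated script appended to the copyright notice
        ("copyright", "<p>&copy; 2017 Example Shop</p>"
                      "<script>eval(String.fromCharCode(118,97,114))</script>"),
    ])
    conn.executemany("INSERT INTO core_config_data VALUES (?, ?)", [
        ("design/head/includes", "<link rel='stylesheet' href='/skin/custom.css'>"),
        # constructed injected footer loading a script from an outside host
        ("design/footer/absolute_footer",
         "<script src='http://cdn.example.invalid/s.js'></script>"),
    ])
    conn.commit()
    return conn


def scan_content(conn: sqlite3.Connection, targets) -> List[Tuple[str, str, str]]:
    """Return (table, row key, reason) for every row matching a pattern.

    A row that trips several patterns is reported once per pattern so the
    reviewer sees why it was flagged; nothing is modified in the database.
    """
    findings = []
    for table, key_col, val_col in targets:
        for key, value in conn.execute(f"SELECT {key_col}, {val_col} FROM {table}"):
            if not value:
                continue
            for reason, pattern in SUSPICIOUS:
                if pattern.search(value):
                    findings.append((table, key, reason))
    return findings


if __name__ == "__main__":
    for table, key, reason in scan_content(build_sample_db(), DEFAULT_TARGETS):
        print(f"{table}.{key}: {reason}")
```

Inline scripts in a footer are sometimes legitimate (analytics tags, for example), so the output is a review list rather than a verdict; the value of running it on a schedule is that a block which was clean yesterday and carries script today is exactly the self-healing re-injection the article describes.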
Posted on 2017-2-18 21:28
3. Android Remote-Control Tool OmniRAT Used to Attack ISIS Supporters
标题:ISIS Supporters Targeted with Android OmniRAT Malware

Author info: February 16, 2017 10:30 AM By Catalin Cimpanu

//BEGIN
Islamic State supporters are being targeted with a modified version of the Telegram Android app that contains a version of the OmniRAT remote access toolkit.
ISIS supporters have recently been attacked with the remote-control tool OmniRAT. The attackers used a modified version of the Telegram application for Android, which in fact contains the OmniRAT remote-access trojan. The APK file is named plus_gram.apk and is spread through ISIS's Telegram channels. Some members have already noticed the anomaly and warned other users to be careful. The technician who discovered the remote trojan did not wish to disclose their real identity.
OmniRAT is an online commercial remote-access trojan toolkit that can infect Android, Windows, Mac and Linux systems, which makes cross-platform infection really very easy. Among the functions of OmniRAT on the Android platform are: reading and writing the phone's call log, reading SMS contents, obtaining the phone's GPS coordinates, silently installing apps, turning on the microphone, turning on the camera, and accessing the phone's storage.

//END
Amateurish attempt
According to both FourOctets and the anonymous researcher, whoever put together the plus_gram.apk app has no expertise in working with malware.
"They didn't even try to hide what it was," FourOctets said. "[OmniRAT] It's still in the XML file."
"I'm thinking it's just old code repacked for Android, using a common vector," the anonymous researcher also added. The researcher described the person put the malware together as "an amateur/hobbyist."
Below is a video presentation of OmniRAT.
Although the OmniRAT tool is so powerful, it is actually still quite crude, and one can guess that its author does not have much experience writing malicious code, because it does no disguising at all, while disguise is one of the tricks most malicious code uses. It was very likely written with minor modifications on top of old malicious code. This also shows that they are not "professional players".

Comment: For Android security, we recommend AVL Pro!
Posted on 2017-2-18 21:30
4. Code Execution Vulnerability Found in Apple's Music Software GarageBand
标题:Apple Patches Code Execution Flaw in GarageBand

Author info: February 16, 2017 By Eduard Kovacs

//BEGIN
An update released this week by Apple for the music creation app GarageBand addresses a high severity vulnerability that can be exploited for arbitrary code execution.
A vulnerability allowing arbitrary code execution in Apple's music-creation software GarageBand was discovered by Cisco's security research team Talos. It was disclosed this week, although it was actually discovered two months ago, in mid-December of last year. It is exploited by having the victim open a specially crafted GarageBand project file, with the extension .band. To fix this vulnerability, Apple released several patches in succession. The vulnerability identifiers are CVE-2017-2374 and CVE-2017-2372.

//END
This is not the first time Talos researchers have found vulnerabilities in Apple software. In July 2016, they reported discovering several remote code execution vulnerabilities in iOS and OS X that could be exploited using specially crafted image files.
In fact, this is not the first time the Talos research team has found vulnerabilities in Apple software. In July 2016 the team also found several remote code execution vulnerabilities affecting the iOS and OS X platforms, which could be exploited simply by opening a specially crafted image file.

Comment: Patch quickly!
Posted on 2017-2-18 21:30
5. Data Isolation Mechanism of Enterprise Mobility Management Sandboxing Tool Can Be Bypassed
标题:DIVIDE BETWEEN WORK, PERSONAL DATA ON ANDROID BREACHED

Author info: February 16, 2017, 1:50 pm By Tom Spring

//BEGIN
SAN FRANCISCO–Researchers here at the RSA Conference demonstrated Thursday a way a hacker can bypass enterprise mobility management sandboxing tools known as Android for Work that are designed to segregate work and personal data on Android devices.
At the RSA 2017 conference on Thursday, a security researcher demonstrated a way to bypass an enterprise mobility management sandboxing tool named Android for Work, whose original design purpose is to isolate work data from personal private data when Android devices are used for work.

//END
“The apps outlined in our research illustrate real-world exposure risks,” Amit told Threatpost. “Apps that utilize the relevant Accessibility and Notification permissions are prevalent in Google Play and other sources – while most are used for good reasons,” he said.
“Because of the flaws we outline in our research, they are by design endangering the most sensitive corporate data stored on Android business profiles.”
Although Google does not quite accept this finding as a serious vulnerability, the apps mentioned here may well be encountered in reality. The main issue is that the two permissions mentioned (Accessibility and Notification) are very common in the Google store, although most are of course used for benign purposes.

Comment: For Android security, we recommend AVL Pro!
Posted on 2017-2-18 21:31
6. Microsoft Postpones and Then Cancels February's Regular Security Update
{CHN}
Title: Microsoft Cancels February's Regular Update

Author info: February 17, 2017, 20:15, Friday By pigsrollaroundinthem

//BEGIN
Microsoft postponed and then cancelled February's regular update; the next update will be on the second Tuesday of March (that is, March 14). Microsoft has remained silent about the reason for the delay. This update was originally planned to fix the SMB file-sharing protocol vulnerability that is being exploited to crash systems, and to change the update model for Windows 7, 8.1, Server 2008 R2, Server 2012 and Server 2012 R2: security updates for software will now/in future be separated from the operating system update packages. The SMB vulnerability poses a relatively low risk of remote exploitation.

//END
Microsoft cancels February Patch Tuesday despite 0-day in wild
Fixes are delayed until March 14.
PETER BRIGHT - 2/17/2017, 1:31 AM
https://arstechnica.com/informat ... pite-0-day-in-wild/
As the second Tuesday of the month, Valentine's Day should have been a day for patches in addition to lovers. There's a known and widely publicized crashing flaw in Microsoft's SMB file-sharing protocol, and a fix for this bug (and, no doubt, several others) is widely anticipated. A few hours before the patches were due to go live, Microsoft announced that they were "delayed" due to an unspecified "last-minute issue."
The company now says that this delay means that the patches won't be coming in February at all. Instead, they'll be rolled into March's update, which should arrive on March 14.
Of course, off-cycle updates are also unpopular, with many IT departments planning ahead of time and scheduling their testing and deployment around Microsoft's Patch Tuesday calendar; skipping a month and waiting until March may well be the easier solution for these organizations.

Comment: The 2.14 update postponed to 3.14; hopefully this does not become the norm.