Security hole identified in Dell computers

Number: IRCNE2015112698
Date: 09/04/94 (Iranian calendar)

On Monday, Dell warned that a security hole affects the company's recently shipped computers and could expose users to hacking attacks.
The issue affects computers that come with a particular customer service program. This program can make the computer vulnerable to intrusion and could allow attackers to access encrypted messages. It is also possible that attackers could reroute Internet traffic.
Dell said that customers should take steps to remove a certificate from their laptops, and has described the manual removal procedure in a document. The company also intends to release a software update for the laptops that removes the certificate from affected systems.
Dell, based in Round Rock, Texas, said that customer security and privacy are among the company's priorities and its highest concern.
The company has not released further details about this security hole.

Android Malware Uses Social Engineering to Enable Automatic App Installation

Number: IRCNE2015112699
Date: 2015/11/25

According to “tripwire”, security researchers have spotted a type of malware that uses social engineering to trick users into enabling it to automatically install apps on their Android devices.
Michael Bentley, the head of research and response at mobile cybersecurity firm Lookout, has published a blog post in which he explains how a so-called “trojanized adware” known as Shedun attempts to assume control of the Android Accessibility Service, a service which is designed to provide users with alternate ways of interacting with their mobile devices.
The malware tries to trick users with the message that by turning on “accessibility features”.
Once Shedun has assumed control of the Accessibility Service, it can install whichever apps it wants with little to no user interaction and engage in “aggressive advertising”.
The malware is one of three app families (Shedun, Shuanet and ShiftyBug) that masquerade as legitimate apps, such as Facebook and Candy Crush, on third-party Android app stores. If a user installs one of these apps, Shedun or one of the other malware families will root the device and install itself as a system application, making it very difficult for victims to uninstall.
As Ars Technica warns, users should be cautious when installing apps from third-party stores and should be suspicious of any apps that attempt to gain control of the Accessibility Service.

Dell to fix flaw of its own making that puts its computers at risk

Number: IRCNE2015112698
Date: 2015/11/25

According to “cnet”, computer maker Dell warned late Monday of a security hole affecting recently shipped computers that could leave users vulnerable to hackers.
The issue affects computers made by Dell that come with a particular preinstalled customer service program. Through a certificate that would identify the computer to Dell support staff, this program makes the computers vulnerable to intrusions and could allow hackers to access encrypted messages to and from the machines, Dell said. There is also a risk that attackers could attempt to reroute Internet traffic to sites that look genuine but are in fact dangerous imitations.
Dell said that customers should take steps to remove the certificate from their laptops, offering instructions on how to do that manually. Starting Tuesday, it also plans to push a software update to computers to check for the certificate and then remove it.
"Customer security and privacy is a top concern and priority," the Round Rock, Texas-based company said in a statement. Dell did not respond to a request for more information.

High-risk vulnerabilities identified in many embedded devices

Number: IRCNE2015112697
Date: 09/03/94 (Iranian calendar)

An analysis of hundreds of publicly available firmware images for routers, DSL modems, VoIP phones, IP cameras and other embedded devices shows that a significant number of them contain high-risk vulnerabilities. The research was carried out by European researchers in France and Germany.
The researchers began by collecting 1,925 Linux-based firmware images for embedded devices from 54 manufacturers, but were only able to examine 246 of them. Their goal was to perform dynamic vulnerability analysis on the firmware packages' web-based management interfaces using open-source penetration testing tools. The results showed 225 high-risk vulnerabilities in 46 firmware images. They were also able to identify flaws in 307 of 515 firmware packages.
The researchers continued with static analysis, using another open-source tool against PHP code extracted from the device firmware images, which turned up 9,046 vulnerabilities in 145 firmware images.
In total, combining the dynamic and static methods, the researchers found that the most important classes of vulnerability, such as command execution, SQL injection and cross-site scripting in the web-based management interface, are present in a quarter of the firmware examined.
Some of the firmware versions examined are not the latest ones, so not all of the identified problems are zero-days, and many of them may already have been fixed in updated versions. The notable point, however, is that users of these devices are not alerted to upgrade the system and install patches, and a large number of the devices remain unpatched.
Details of the research have not been released publicly. The researchers intend to deliver the report to the manufacturers first so they can fix the problems.

Vonteera adware blocks the installation of security products

Number: IRCNE2015112696
Date: 09/03/94 (Iranian calendar)

A well-known adware program uses a Windows feature designed for security to prevent antivirus products from being installed on users' systems.
The program, named Vonteera, abuses the digital signature check that Windows User Account Control (UAC) performs for executable files.
UAC asks the user for confirmation before running exe files. This prevents malware from silently gaining full system access. Depending on whether the executable is signed by a trusted publisher, the feature shows a different confirmation prompt with a different risk level.
Vonteera, whose purpose is browser hijacking and the display of malicious advertisements, can abuse this UAC behavior to prevent the installation of security products.
Researchers at security firm Malwarebytes found that the malicious program has copied 13 digital signatures belonging to antivirus and security products and places them in the Windows untrusted certificates list. The untrusted certificates belong to Avast Software, AVG Technologies, Avira, Baidu, ESET, ESS Distribution, Lavasoft, Malwarebytes, ThreatTrack Security, Bitdefender, McAfee, Panda and Trend Micro.
At set intervals, the malware checks whether these 13 signatures are present in the untrusted certificates list and, if the list is incomplete, adds the missing entries.
However, the malware only affects the installation of new products; system drivers and services previously created by antivirus products are not affected.
Infected users have several ways to bypass the malware so they can install a security product. They can do so by disabling UAC, but this is not recommended because it reduces system security.
They can also manually delete the stored untrusted certificates using the Windows Certificate Manager tool, and must then quickly perform the antivirus installation before the malware restores the list.
Malwarebytes has changed Vonteera's classification from unwanted program to malicious program and now detects it as a Trojan. Other antivirus products such as Bitdefender and ESET have made a similar change.

Two new tools identified in connection with the Sony hack

Number: IRCNE2015112695
Date: 09/03/94 (Iranian calendar)

Researchers have identified two new tools related to the wiper malware that destroyed the Sony Pictures computer network last year.
After stealing customer login credentials through phishing, the attackers were able to delete the company's files using the “Destover” wiper malware.
Last week, Willis McDonald and Loucif Kharouni, researchers at Damballa, published a report describing two tools the attackers used to avoid detection on Sony's network. The two tools are named setMFT and afset.
Timestomping is the technique these two tools used to hide malicious files within a directory. Forensic examination of the files' record dates, and possibly of log files, can determine which files have been timestomped and were planted in this way.
The two researchers also noted that the setMFT tool interacted with the attackers through the command line. The other tool was a timestomping tool that also deleted Microsoft Windows logs.
Together, the two tools allowed the attacker to penetrate Sony's network, disable defenses and hide their tracks. Had the malware not been successfully detected by an antivirus product at the time, the attackers could have used these two tools to remain untraceable for a considerable period.

Many embedded devices ship without adequate security tests, analysis shows

Number: IRCNE2015112697
Date: 2015/11/24

According to “computerworlduk”, an analysis of hundreds of publicly available firmware images for routers, DSL modems, VoIP phones, IP cameras and other embedded devices uncovered high-risk vulnerabilities in a significant number of them, pointing to poor security testing by manufacturers.
The study was performed by researchers from the Eurecom research center in France and Ruhr-University Bochum in Germany, who built an automated platform capable of unpacking firmware images, running them in an emulated environment and starting the embedded Web servers that host their management interfaces.
The researchers started out with a collection of 1,925 Linux-based firmware images for embedded devices from 54 manufacturers, but they only managed to start the Web server on 246 of them.
The goal was to perform dynamic vulnerability analysis on the firmware packages' Web-based management interfaces using open-source penetration testing tools. This resulted in 225 high-impact vulnerabilities being found in 46 of the tested firmware images.
A separate test involved extracting the Web interface code and hosting it on a generic server so it could be tested for flaws without emulating the actual firmware environment. This test had drawbacks, but was successful for 515 firmware packages and resulted in security flaws being found in 307 of them.
The researchers also performed a static analysis with another open-source tool against PHP code extracted from device firmware images, resulting in another 9046 vulnerabilities being found in 145 firmware images.
In total, using both static and dynamic analysis the researchers found important vulnerabilities like command execution, SQL injection and cross-site scripting in the Web-based management interfaces of 185 unique firmware packages, affecting devices from a quarter of the 54 manufacturers.
Some of the firmware versions in their dataset were not the latest ones, so not all of the discovered issues were zero-day vulnerabilities, that is, flaws that were previously unknown and unpatched. However, their impact is still potentially large, because most users rarely update the firmware on their embedded devices.
Details about the vulnerabilities have not yet been shared publicly because the IoT Village organizers, from security firm Bitdefender, intend to report them to the affected vendors first so they can be patched.

Adware program Vonteera blocks security products with simple Windows UAC trick

Number: IRCNE2015112696
Date: 2015/11/24

According to “computerworld”, a well-known adware program is preventing users from installing antivirus products by leveraging a Windows feature that was designed for security.
The program, known as Vonteera, abuses the digital signature check performed by the Windows User Access Control (UAC) for executable files.
UAC prompts users for confirmation whenever a program wants to make a system change that requires administrator-level privileges. It therefore prevents malware from silently gaining full system access if executed from a limited user account.
Depending on whether an executed file is digitally signed by a trusted publisher, the UAC displays confirmation prompts indicating different levels of risk.
It seems that the creators of Vonteera, whose purpose is to hijack browsers and display ads, have figured out that they can abuse this UAC behavior to prevent users from installing security products.
The program copies 13 digital certificates that were used to sign antivirus programs and security tools to the "Untrusted Certificates" store in Windows, researchers from security firm Malwarebytes said in a blog post.
The blacklisted certificates are from Avast Software, AVG Technologies, Avira, Baidu, Bitdefender, ESET, ESS Distribution, Lavasoft, Malwarebytes, McAfee, Panda Security, Trend Micro and ThreatTrack Security.
Vonteera creates a service that periodically checks if these certificates are present in the "Untrusted Certificates" store and adds them back if they're not.
Fortunately, this blacklisting of vendor certificates is only partially effective, said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender. The technique only prevents new product installations or the execution of stand-alone removal tools that need administrator privileges. System drivers and services created by antivirus products that are already running would not be affected, he said.
Affected users have several options to bypass Vonteera's changes to the Windows certificate blacklist so they can install an antivirus product. They could disable UAC entirely, but this is not recommended because it reduces the system's security.
They could also manually remove the certificates from the "Untrusted Certificates" store by using the Windows Certificate Manager tool, but then they have to act fast before Vonteera puts them back.
Because of this intrusive behavior, Malwarebytes has changed Vonteera's classification from a potentially unwanted application to a clearly malicious application, detecting it as a Trojan. Other antivirus products including Bitdefender and ESET also have detection routines for it.
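The tampering described in both Vonteera bulletins above targets the Windows "Untrusted Certificates" (Disallowed) store. The following PowerShell audit is an added example, not code from the bulletins or from Malwarebytes: it lists any certificate in that store whose subject matches one of the thirteen security vendors named in the article, so an administrator can spot the blacklisting and re-check after a few minutes to see whether something restores the entries. The vendor list is taken from the article; the subject-string matching is an assumption about how those publishers' certificates are named.

```powershell
# Added example: audit the Disallowed (Untrusted Certificates) stores for
# security-vendor publisher certificates. Vendor names are from the article.
$Vendors = @(
    'Avast Software', 'AVG Technologies', 'Avira', 'Baidu', 'Bitdefender',
    'ESET', 'ESS Distribution', 'Lavasoft', 'Malwarebytes', 'McAfee',
    'Panda Security', 'Trend Micro', 'ThreatTrack Security'
)

function Get-BlacklistedVendorCerts {
    # Both the machine-wide and the current-user Disallowed stores are checked,
    # since either one blocks installers signed by the listed publisher.
    foreach ($Store in 'Cert:\LocalMachine\Disallowed', 'Cert:\CurrentUser\Disallowed') {
        if (-not (Test-Path $Store)) { continue }
        foreach ($Cert in Get-ChildItem -Path $Store) {
            foreach ($Vendor in $Vendors) {
                # Assumption: the vendor name appears in the certificate Subject.
                if ($Cert.Subject -like "*$Vendor*") {
                    [pscustomobject]@{
                        Store      = $Store
                        Vendor     = $Vendor
                        Subject    = $Cert.Subject
                        Thumbprint = $Cert.Thumbprint
                        NotAfter   = $Cert.NotAfter
                    }
                    break
                }
            }
        }
    }
}

$Hits = @(Get-BlacklistedVendorCerts)
if ($Hits.Count -eq 0) {
    Write-Output 'No security-vendor certificates found in the Disallowed stores.'
} else {
    Write-Warning "$($Hits.Count) security-vendor certificate(s) are blacklisted:"
    $Hits | Format-Table -AutoSize
    # Remediation (only after the adware itself has been removed, because the
    # article describes a service that periodically re-adds the entries):
    #   Remove-Item -Path "$($Hit.Store)\$($Hit.Thumbprint)"
}
```

Running the audit twice a few minutes apart distinguishes a one-off misconfiguration from the persistent re-adding behaviour the article attributes to Vonteera.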

New Toolset Linked to Wiper Malware in Sony Hack, Finds Researchers

Number: IRCNE2015112695
Date: 2015/11/24

According to “tripwire”, researchers have discovered two new utilities that are closely associated with the wiper malware used to disrupt the computer networks of Sony Pictures Entertainment last year.
After phishing for employees’ login information, the attackers responsible for the breach used a strain of wiper malware known as “Destover” to wipe the files off of company workstations, thus rendering them inoperable.
Last week, however, Willis McDonald and Loucif Kharouni, senior threat researchers with advanced threat protection firm Damballa, published a blog post in which they explain two tools that the attackers used to evade detection in Sony’s networks. Both utilities had usage statements, and they were called setMFT and afset.
Timestomping is a technique that when combined with similarly named files allows a file to blend into a directory. A forensic investigation into files’ record dates and possibly log files could reveal that a particular file has been timestomped.
McDonald and Kharouni also note that the setMFT tool interacts with the attacker on the command line and is neither delivered nor executed by a dropper without interaction. The other utility, afset, is another timestomping tool that can clean Microsoft Windows logs.
Together, setMFT and afset enable a malicious attacker to breach a network, disable defenses, and hide their tracks. Given the fact that only one anti-virus solution successfully detected the tools, attackers employing these utilities could remain undetected for a considerable length of time.
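Both Sony bulletins above note that forensic examination of file record dates can reveal timestomped files. The PowerShell triage function below is an added example, not code from the bulletins or from Damballa: it walks a directory and flags two indicators that commonly betray altered timestamps, a zeroed sub-second component (many timestomping utilities only accept whole seconds, while NTFS stores 100-nanosecond ticks) and a creation time in the future. It assumes an NTFS volume and reads only the timestamps the file system API exposes ($STANDARD_INFORMATION); a full MFT parse comparing them with the $FILE_NAME attribute is the stronger check and is outside this example.

```powershell
# Added example: flag files whose timestamps show common timestomping
# indicators so they can be prioritised for deeper forensic review.
function Find-TimestompIndicators {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $ToleranceSeconds = 5
    )
    $Now = (Get-Date).ToUniversalTime()
    foreach ($File in Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue) {
        $Reasons = @()
        # NTFS timestamps have 100 ns resolution (10,000,000 ticks per second).
        # A tool that sets times at second granularity leaves the fraction at
        # exactly zero on every timestamp, which is rare for organically
        # written files (but legitimate for files extracted from archives or
        # copied from FAT media, so treat this as a triage signal, not proof).
        $Zeroed = @(
            $File.CreationTimeUtc, $File.LastWriteTimeUtc, $File.LastAccessTimeUtc
        ) | Where-Object { ($_.Ticks % 10000000) -eq 0 }
        if ($Zeroed.Count -eq 3) {
            $Reasons += 'all timestamps have zero sub-second precision'
        }
        # A creation or modification time ahead of the current clock cannot
        # be produced by normal file operations.
        if ($File.CreationTimeUtc -gt $Now.AddSeconds($ToleranceSeconds) -or
            $File.LastWriteTimeUtc -gt $Now.AddSeconds($ToleranceSeconds)) {
            $Reasons += 'timestamp in the future'
        }
        if ($Reasons.Count -gt 0) {
            [pscustomobject]@{
                Path     = $File.FullName
                Created  = $File.CreationTimeUtc
                Modified = $File.LastWriteTimeUtc
                Reasons  = ($Reasons -join '; ')
            }
        }
    }
}

# Example run over a system directory, where timestomped files are typically
# planted next to similarly named legitimate binaries.
Find-TimestompIndicators -Path 'C:\Windows\System32' | Format-Table -AutoSize
```

Hits are starting points for a timeline built from the MFT and event logs, since the article notes the attackers' second tool also cleaned Windows logs.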

Over 21 Million New Types of Malware Created in Q2 2015, Report Finds

Number: IRCNE2015092632
Date: 2015/09/22

According to “tripwire”, a recent report by Panda Security revealed a record high in the creation of new malware samples, reaching more than 21 million new threats over the course of just three months.
In the second quarter of 2015, the Spanish security firm saw an average of 230,000 new types of malware each day, an increase of 43 percent compared to the same period last year.
“A large number of the new types of [malware] are mainly variants or mutations of previously known malware, and cybercriminals are multiplying the types of malware so as to avoid being detected by the antivirus laboratories,” read the report.
Panda Security noted the most common malware detected continues to be Trojans, accounting for 71 percent of all samples witnessed during Q2. The second most common types of malware created are traditional viruses, although they only accounted for 11 percent of all samples.
Additional findings from the report included the countries with the highest infection rates. China registered the highest percentage of infections (47 percent), followed by Turkey (43 percent) and Peru (42 percent).
Meanwhile, countries with the lowest rates of infection included Sweden (21 percent), Norway (22 percent) and Japan (23 percent).
“Now is the time to adopt advanced defenses that block and detect any type of intrusion, and that gather forensic information on any type of attack on workstations and servers,” the report concludes.