Freelance translator and/or interpreter, Verified site user
Affiliations
This person is not affiliated with any business or Blue Board record at ProZ.com.
Japanese to English: Microsoft Windows XP Support Also Ending in the Malware Community!? General field: Tech/Engineering Detailed field: IT (Information Technology)
Source text - Japanese Is Windows XP Support Also Ending in the Malware World!?
The other day I discovered a Backdoor.Trojan that does not run on Windows XP. As the investigation progressed, it became apparent that a special trick had been deliberately built in so that the malware could be used in a targeted attack, so I will report on how it behaves.
The case introduced here exploits the behavior of the fseek function. This function is used when processing data inside a file: for example, when reading data located 100 bytes from the beginning of a file, it is the fseek function that handles the "move 100 bytes" step.
However, when this program is run on Windows Vista or later, it works normally. Where does this difference come from?
The behavior of the fseek function in Visual Studio 2005 and later is described at
(http://msdn.microsoft.com/en-us/library/75yw9bf3(v=VS.80).aspx)
whereas there was no such description in Visual Studio 2003 (http://msdn.microsoft.com/en-us/library/75yw9bf3(v=vs.71).aspx) and earlier.
It appears that the handling of a NULL pointer passed as an argument to the fseek function was changed. The attacker deliberately exploited this change to create a program that does not run on Windows XP.
As of January 2013, Windows XP held a 40% share of the OS market. Put the other way around, distributing malware that does not run on Windows XP means the author forfeits valuable chances to infect machines. Why would the author go to such lengths to write a special program?
One possibility is the aim of avoiding detection in sandboxes. I submitted this sample to eight websites offering web-based Automated Threat Analysis systems and compared the recorded behavior, and none of the sandboxes was able to detect its activity. This is presumably because the malware's infection code lies after the fseek trick described above.
In this case, a sandbox that behaves like Windows Vista or later, rather than one that behaves like Windows XP, might have been able to detect the activity.
If it is not detected by sandboxes, malware of the type that lies low without carrying out conspicuous destructive activity can keep an infection going for a long time. For an attacker, this benefit is immeasurable.
It is "routine" for ordinary backdoors to check the type of OS installed, the CPU clock frequency, and the installed antivirus products, but what makes this sample unique is that, in addition to the above, it checked:
whether Wireless Network Cards are present
the type of DRAM, at a detailed level such as Synchronous DRAM, Cache DRAM, 3DRAM, and SDRAM
the BIOS Manufacturer, SerialNumber, and Version
the Printer Caption
the Battery Description and DeviceID
covering an extremely wide range of information.
An ordinary attacker does not care about the state of the battery. This attacker appears to have a strong desire to know the internal details of the company.
Conclusion
At present, Symantec has received this sample from only two sources, such as very large international corporations, and has not observed any large-scale infection activity.
Taking all of the above into account, this attack is thought to have been a targeted attack in which an attacker who knew that the target company uses Windows Vista or later deliberately sent in malware that does not run on Windows XP.
Even if an administrator at the target company found the sample suspicious and ran it in a sandbox, its malicious activity might not be detected.
Symantec plans to continue monitoring new threats and techniques employed by malware authors like the one introduced in this blog. On the user side, we recommend not running programs you cannot trust and always keeping systems and antivirus software up to date.
Translation - English Microsoft Windows XP Support Also Ending in the Malware Community!?
Recently, I discovered a back door Trojan horse that does not work on Microsoft Windows XP. I would like to present some of the details of this threat, especially as the malware author encoded a special trick into the functionality of the Trojan. The trick appears to have been designed to allow the threat to be used in targeted attacks.
The fseek function
In this threat, the author uses the fseek function, which is unusual as it is normally used to process data in a file. For example, if the program reads data located 100 bytes from the top of the file, it is the fseek function that moves the file position forward by 100 bytes.
However, in the case of this Trojan, there are three functions that continue in a loop:
1. Append one string to another string (strcat)
2. Move zero bytes from the end of the file (fseek)
3. Split a string into tokens (strtok)
Usually, code reads or writes data after the fseek function, but in this case this process does not happen. It is also strange that such a function is written in a loop.
Looking at the code in greater detail, the fseek function works with a NULL pointer as a file handle. This means that there is no file to control. Because the fseek function controls a non-existent file, the threat crashes when it is executed on Microsoft Windows XP.
If the file is executed on Microsoft Windows Vista or later, it works fine. So what is the difference between Microsoft Windows XP and later versions of Windows?
According to the MSDN Library for Microsoft Visual Studio 2005 or later, the fseek function is documented as follows:
“If stream is a null pointer, or if origin is not one of allowed values described below, fseek and _fseeki64 invoke the invalid parameter handler, as described in Parameter Validation. If execution is allowed to continue, these functions set errno to EINVAL and return -1.”
However, there is no mention of this in the Microsoft Visual Studio .NET 2003 MSDN Library.
I think the fseek code changed in how it handles a NULL pointer passed as the file handle parameter. The malware author used this change intentionally in order to create a program that doesn’t run on Microsoft Windows XP.
Microsoft Windows XP has just under 40% usage share of the operating system market as of March 2013. If a malware author creates a program that doesn’t run on Microsoft Windows XP, valuable opportunities to compromise a large number of computers will be lost. So, why would someone create malware such as this?
Why not run on Microsoft Windows XP?
One possibility is an attempt to avoid detection in sandboxes. I submitted a sample file to eight Automated Threat Analysis Systems found on the Internet and none of these systems logged the sample file behavior. I believe the reason for this is that the malicious code is found after the fseek function trick. If the sandboxes ran on Microsoft Windows Vista, or rather any operating system later than Microsoft Windows XP, they may have logged the malware’s behavior. (Please see this blog for further details regarding how Automated Threat Analysis Systems are used by antivirus companies to analyze malware.)
If malware runs silently without performing any destructive or disruptive activities, it can continue to compromise computers for a long time, and the benefit of this to the malware author cannot be overstated.
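The point above is that the Trojan's fseek(NULL, 0, SEEK_END) call crashes on an XP-era C runtime but returns -1 with errno set to EINVAL on the Vista-and-later runtime, so a sandbox with XP semantics never reaches the payload. The following probe is an added example, not code from the original post: it makes that exact call in a forked child and classifies the outcome, so an analyst can confirm which semantics an analysis host actually presents. It assumes a POSIX host (fork/waitpid); the enum and helper names are my own.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* How the host C runtime handled fseek() on a NULL stream. */
enum fseek_null_result {
    PROBE_UNKNOWN = 0, /* fork/waitpid failed or the child ended oddly */
    PROBE_CRASHED,     /* child killed by a signal: the XP-era behaviour */
    PROBE_EINVAL,      /* returned -1 with errno == EINVAL: Vista+ CRT */
    PROBE_OTHER        /* returned without crashing, but not -1/EINVAL */
};

#define CHILD_EINVAL 10 /* child exit codes for the non-crashing outcomes */
#define CHILD_OTHER  11

/* Hypothetical helper: make the Trojan's gate call in a forked child so a
 * crash cannot take the probe down, then classify how the child ended. */
enum fseek_null_result probe_fseek_null(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_UNKNOWN;
    if (pid == 0) {
        FILE *volatile stream = NULL; /* volatile: force the real call */
        signal(SIGSEGV, SIG_DFL);     /* do not inherit a parent handler */
        errno = 0;
        int rc = fseek(stream, 0, SEEK_END);
        _exit(rc == -1 && errno == EINVAL ? CHILD_EINVAL : CHILD_OTHER);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid)
        return PROBE_UNKNOWN;
    if (WIFSIGNALED(status))
        return PROBE_CRASHED; /* e.g. SIGSEGV from dereferencing NULL */
    if (WIFEXITED(status))
        return WEXITSTATUS(status) == CHILD_EINVAL ? PROBE_EINVAL
             : WEXITSTATUS(status) == CHILD_OTHER  ? PROBE_OTHER : PROBE_UNKNOWN;
    return PROBE_UNKNOWN;
}

int main(void)
{
    static const char *names[] = { "unknown", "crashed (XP-like)",
                                   "-1/EINVAL (Vista+ CRT-like)", "other" };
    printf("fseek(NULL, 0, SEEK_END) on this runtime: %s\n",
           names[probe_fseek_null()]);
    return 0;
}
```

On glibc and other Unix C libraries the call dereferences NULL and the child dies by signal, the same outcome the post describes for Windows XP; on Windows the equivalent check would go through the MSVC invalid parameter handler rather than fork.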
Back door Trojan horse programs usually check the operating system, CPU clock, and the installed antivirus product, if any. This threat is unusual because it also gathers the following information:
• Whether the compromised computer has a wireless network card
• The dynamic random-access memory (DRAM) type, such as Synchronous DRAM, Cache DRAM, 3DRAM, or SDRAM
• The BIOS manufacturer settings, serial number, and version
• The printer caption
• The battery description and device ID
Normally malware authors wouldn’t worry about the battery on the computer. However, the author of this threat evidently has a strong interest in the targeted company.
Conclusion
At the time of writing this blog, Symantec has only received two samples of this threat from large customers and no major infections have been recorded.
From what I can gather from my analysis of this threat, it was used in a targeted attack and the author knew that the targeted company uses Microsoft Windows Vista or later on their computers and hence attempted to infect their network with malware that does not work on Microsoft Windows XP.
If the administrator of the targeted company were to find the file suspicious and run it on an Automated Threat Analysis System, it is possible that its malicious activity would not be logged.
Symantec will continue to monitor malicious code and techniques outlined in this blog. We also recommend that users not run suspicious programs and keep their operating system and antivirus software up to date.
Experience
Years of experience: 23. Registered at ProZ.com: Jul 2013.
My experience: 2006 - Current: Freelance translator
Projects I have undertaken include, but are not limited to, those listed below and have been delivered to direct customers and/or through translation agencies. Some of them have been entirely my own work, as a translator or reviewer, while others have been a team effort including other translators or reviewers:
Global consumer research reports for a large Japanese corporation
Various development studies for an NPO
Press releases
Website translation
Various manuals, including those for a medical manufacturer, printing company, computer manufacturer, and e-learning companies
Numerous business and sales presentations for various Japanese companies
Financial documents
Clinical research report prepared for the US FDA
2005 – 2013: Technical Writer at Symantec Corporation
Over 8 years of experience as a technical writer at Security Response, the team responsible for analyzing malware at Symantec, working closely with the engineers to publish information about malware and other security-related topics.
Lead editor and writer of in-house newsletter regarding security topics and information related to our security products.
False positive testing for customer software detected by Symantec products as security risks.
Editing blogs, security research documents, and white papers.
Blog translation for Japanese engineers.
2002 – 2005: Translator at Sezax Corporation
Translated manuals, pamphlets, and other related documentation for various consumer electronic goods, including printers, scanners, multi-function machines, mobile phones, and cameras.
Project manager for Kodak USA translation projects.
Visited clients with sales people to discuss upcoming translation projects.
2001 – 2002: Liaison to Canon USA
On loan from Sezax Corporation to Canon Japan, I spent one year as the liaison officer to Canon USA for a manual creation project for the department creating multi-function machine, scanner, and printer documentation. Main duties included:
Translating emails from Canon USA into Japanese and from Canon Japan into English
Translating all relevant documents created by both sides for the project
Interpreting at the weekly conference call
Mediating disagreements between the two teams
Working environment:
Windows 8, MS Office 2013, Felix (CAT software) (I also have experience with Trados and WordFast), and extensive experience with InDesign and Photoshop.
My professional qualifications:
B.A. in Political Science and Asian Studies from Murdoch University, Perth, Australia
Japanese Proficiency Test Level 1