
[Newbie] Social engineering tricks open the door to macro-malware attacks - how can we close it? (English)

ELOHIM
Posted on 2015-5-2 15:37:11
Last edited by ELOHIM on 2015-5-2 22:25

Social engineering tricks open the door to macro-malware attacks - how can we close it?
28 Apr 2015 9:00 AM

The macro malware-laden documents that target email users through email spam are intentionally crafted to pique any person's curiosity. With subjects that include sales invoices, federal tax payments, courier notifications, resumes, and donation confirmations, users can be easily tricked into reading the email and opening the attachment without thinking twice. The user opens the document and enables the macro, thinking that the document needs it to function properly, unknowingly enabling the macro malware to run.

Just when you think macro malware is a thing of the past, over the past few months we have seen an increasing macro downloader trend that affects nearly 501,240 unique machines worldwide.

Figure 1: Increasing trend of macro downloaders from April 2014 to 2015

We have seen the majority of the macro-malware attacks in the United States and United Kingdom.

Figure 2: Macro downloaders' prevalence in affected countries

Figure 3: Macro malware distribution heat map

Macro malware infection chain

As stated in the previous macro blog, macro downloaders serve as the gateway for other nasty malware to get in. The following diagram shows how a typical macro downloader gets into the system and delivers its payload.

Figure 4: Macro downloader infection chain

The macro malware gets into your PC as a spam email attachment. The spam email recipient then falls for a social engineering technique, opens the attachment, and thereby enables the macro inside the document.

We have identified some of these macro downloader threats, including but not limited to:

When a malicious macro code runs, it either downloads its final payload, or it downloads another payload courier in the form of a binary downloader.

We have observed the following final payloads, including but not limited to:

We have also observed the following binary downloaders to be related to these macros, but not limited to:

After the macro malware is downloaded, the job is pretty much done. The torch is passed to either the final payload or the binary downloader.

We have observed the following threats being downloaded by the binary downloaders, but not limited to:

Prevention: How do you close that door?

If you know that social engineering tricks through spam emails open the door to macro malware attacks, what can you do to help protect your enterprise software security infrastructure in closing that door?

Be careful on enabling macros

Macro threats, as payload couriers, seem to be gaining popularity as an effective infection vector. But unlike exploit kits, these macro threats require user consent to run. To avoid running into trouble because of these macro threats, see Before you enable those macros for details on prevention.

You can also read more about the macro configuration options to understand the scenarios in which you can enable or disable them. See Microsoft Project - how to control Macro Settings using registry keys for details.

Aside from that, be aware of the dangers in opening suspicious emails. That includes not opening email attachments or links from untrusted sources.

If you are an enterprise software security administrator, what can you do?

Most, if not all, of the macro malware received is in the .doc file format (D0 CF), which is seen in Microsoft Office 2007 and older versions.

If you are in charge of looking after your enterprise software security infrastructure, you can:
  • Update your Microsoft security software. Microsoft detects this threat and encourages everyone to always run the latest software version for protection.
  • Ensure that your Trust Center settings are configured not to load older Office versions:
    • Go to Word Options, and select Trust Center. Click Trust Center Settings.
    • In the Trust Center dialog box, select File Block Settings. Then, select the Word versions that you need to block.
    Doing so blocks older Office versions from opening.

You can check if the MAPS feature is enabled in your Microsoft security product by selecting the Settings tab and then MAPS.
MMPC

##################################################
Summary:
Be careful when clicking on spam emails and their attachments; contact the sender to confirm the content of any email you receive; configure the macro settings of your Office programs properly and block files produced by high-risk versions; at the same time, turn on the MAPS service in Microsoft Security Essentials and enable the browser's SmartScreen feature (two screenshots attached: the top one is IE 11, the bottom one is Microsoft Edge).
Also, take care with the information you publish online: photos, email addresses, phone numbers, IM accounts, home address, birthday, details of friends and family, and so on. Raise the security awareness of the people around you, because even if you keep quiet, you cannot guarantee that someone who does not know better will not talk; one link fails and the whole thing collapses. Social engineering really is frightening, doxxing ("human flesh search") for example. I will leave it at that.

Original article:
http://blogs.technet.com/b/mmpc/archive/2015/04/28/social-engineering-tricks-open-the-door-to-macro-malware-attacks-how-can-we-close-it.aspx
Cleaning up misleading advertisements:
http://blogs.technet.com/b/mmpc/archive/2015/04/28/cleaning-up-misleading-advertisements.aspx




PS: Social engineering cannot be stopped by security software. Apart from restricting cookies, protecting your privacy is up to you personally.
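The reposted MMPC article notes that most of the macro malware it received arrives as legacy .doc files (the D0 CF compound-file format of Office 2007 and older) and recommends blocking old formats in the Trust Center and being careful about enabling macros. As an added example, not code from the MMPC post or from anyone in this thread, here is a small Python triage check that a mail gateway or an analyst could run over attachments: it classifies a file by its leading bytes, routes legacy OLE documents for review, and looks for VBA project markers in both OLE and OOXML containers. All sample inputs are constructed inline; the OLE sample is only a stub (header plus a UTF-16LE storage-name marker), not a real compound file, and the OLE marker scan is a substring heuristic rather than a parser, so a production deployment would use a proper OLE parser such as oletools' olevba instead.

```python
"""Attachment triage for macro carriers (added example, not the MMPC's code).

Classifies an attachment by its leading bytes: legacy OLE compound files
(D0 CF 11 E0, the .doc/.xls format the article points at) versus OOXML
zip packages (.docx/.docm), then looks for VBA project markers in each.
The OLE check is a naive substring scan for UTF-16LE directory-entry
names; it is a routing heuristic, not a parser.
"""
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # Compound File Binary header
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML packages are zip files

# OLE stores stream/storage names as UTF-16LE in its directory entries.
OLE_VBA_MARKERS = tuple(n.encode("utf-16-le") for n in ("Macros", "_VBA_PROJECT"))
# OOXML keeps the VBA project as a dedicated part inside the zip.
OOXML_VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def classify_attachment(data: bytes) -> dict:
    """Return container type, VBA indicator and a routing verdict."""
    if data.startswith(OLE_MAGIC):
        has_vba = any(marker in data for marker in OLE_VBA_MARKERS)
        # Legacy format gets a review even without markers, matching the
        # article's advice to block older Office formats via File Block.
        verdict = "quarantine" if has_vba else "review-legacy-format"
        return {"container": "ole", "has_vba": has_vba, "verdict": verdict}
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            # Zip signature but unreadable archive: do not deliver blindly.
            return {"container": "zip", "has_vba": False, "verdict": "review-corrupt"}
        has_vba = any(part in names for part in OOXML_VBA_PARTS)
        verdict = "quarantine" if has_vba else "deliver"
        return {"container": "ooxml", "has_vba": has_vba, "verdict": verdict}
    return {"container": "other", "has_vba": False, "verdict": "deliver"}


def build_ooxml_sample(with_macro: bool) -> bytes:
    """Constructed OOXML-like package with an optional vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes
    return buf.getvalue()


def build_ole_stub(with_macro: bool) -> bytes:
    """Constructed stub: OLE header plus padding and, optionally, a UTF-16LE
    'Macros' storage name. Not a valid compound file; enough for the scan."""
    body = OLE_MAGIC + b"\x00" * 504
    if with_macro:
        body += "Macros".encode("utf-16-le")
    return body


if __name__ == "__main__":
    samples = {
        "legacy .doc with VBA": build_ole_stub(True),
        "legacy .doc, no VBA": build_ole_stub(False),
        "docm with vbaProject": build_ooxml_sample(True),
        "plain docx": build_ooxml_sample(False),
        "pdf (constructed)": b"%PDF-1.4 constructed sample",
    }
    for label, blob in samples.items():
        print(f"{label:24s} -> {classify_attachment(blob)}")
```

The "review-legacy-format" verdict is the code's counterpart to the article's File Block advice: a legacy .doc that carries no VBA markers is still held for a look rather than delivered, because the heuristic scan can miss a macro project while the Trust Center policy of not opening old formats at all is what the article actually recommends.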


驭龙
Posted on 2015-5-2 16:37:36
Actually the second link is the important one: starting June 1, misleading advertising programs and websites will be killed by Edge and MA.


ELOHIM
Posted on 2015-5-2 16:40:04
> 驭龙, posted on 2015-5-2 16:37
> Actually the second link is the important one: starting June 1, misleading advertising programs and websites will be killed by Edge and MA.

June 1st, June 1st, the earth puts on its flowery dress,
June 1st, come quickly...
HEMM
Posted on 2015-5-2 22:25:43
Hehe~ baa hehehehe~
= =..... my mailbox is nothing but ads, scary as hell..........
ELOHIM
Posted on 2015-5-2 22:26:46
@天岛男孩
Thanks for correcting the typo; please reply to the thread to accept a bride...

With Wubi typing I just use whichever character comes up, and the results are wildly wrong. Thanks again!
ELOHIM
Posted on 2015-5-2 22:37:07
> HEMM, posted on 2015-5-2 22:25
> Hehe~ baa hehehehe~
> = =..... my mailbox is nothing but ads, scary as hell..........

Hello HEMM, export all the attachments from your mailbox and upload them to the samples section...
Kukon
Posted on 2015-5-2 22:39:38 from mobile
Last edited by 天岛男孩 on 2015-5-2 22:41

I don't understand it, but it sounds impressive.
But "误必" should be corrected to "务必".

PS: Is this shaping up to be a time-travel drama?


HEMM
Posted on 2015-5-2 22:46:57
> ELOHIM, posted on 2015-5-2 22:37
> Hello HEMM, export all the attachments from your mailbox and upload them to the samples section...

Pure advertising, no samples! Mostly "innovative loans", "you've won a prize" and all sorts of categories like that; so far I haven't found any bombs embedded in the mail........
ELOHIM
Posted on 2015-5-2 23:32:31
> HEMM, posted on 2015-5-2 22:46
> Pure advertising, no samples! Mostly "innovative loans", "you've won a prize" and all sorts of categories like that; so far I haven't found any bombs embedded in the mail........

Ha, there are plenty of these in QQ groups, all "class reunion directory" and the like; the samples can be downloaded from the web pages.
Post the URLs as well. Let them see some sunlight.
HEMM
Posted on 2015-5-3 00:29:03
> ELOHIM, posted on 2015-5-2 23:32
> Ha, there are plenty of these in QQ groups, all "class reunion directory" and the like; the samples can be downloaded from the web pages.
> Post the URLs as well. Let them see some sunlight.

I block each one as it comes. They are not from QQ groups; it looks like I've been socially engineered. For example, the QQ groups I've joined occasionally get group ads, so I guess the group members have all been targeted by the advertisers, even though I hardly use QQ.
There are too many......... it would take forever to paste them all. I just select all and delete permanently without even looking. All I see are some subject lines: credit this, heavy-industry products that, a pile of appliances.