NetSarang Statement on the nssock2.dll Malicious Code Incident
2017-08-16 15:24

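Summary

360CERT observed that NetSarang has added a statement on this incident to Kaspersky's report "ShadowPad: How Attackers hide Backdoor in Software used by Hundreds of Large Companies around the World".

360CERT has reposted the statement with NetSarang's official permission.

360 Safeguard now fully blocks nssock2.dll files implanted with the malicious code. For details of the incident, see the [References] section.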

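Announcement

NetSarang Statement

"For a long time, to counter the endless stream of cyberattacks, NetSarang has adopted a range of methods and measures to strengthen the security of its product line and to prevent infection by malicious code or infiltration by commercial espionage groups.

Regrettably, the builds released on July 18, 2017, covering our full line of products, were all implanted with backdoor-type malicious code, and that backdoor could potentially be used directly by attackers.

We are keenly aware that the security of our customers and users is our company's highest priority and foundation, and moreover our responsibility. In today's world, the growing number of attack groups and organizations that attack commercial, legitimate software for profit or to deliberately attack its users is a very real problem; here, NetSarang, like other companies in the computer software industry, will respond to this challenge seriously.

NetSarang is committed to protecting its users' privacy and has put in place a robust system to ensure that no similarly security-flawed product is delivered to users again. NetSarang will continue to evaluate and improve our security, not only to combat cyberespionage groups from around the world but also so that the company's loyal users can continue to trust us."

Kaspersky products now detect the ShadowPad sample under the name “Backdoor.Win32.ShadowPad.a”.

Kaspersky Lab recommends that users update to the latest version of NetSarang's software as soon as possible; the malicious code has been removed in the latest version. It also recommends checking systems for records of access to the corresponding malicious domains. The relevant C2 domains and technical information on the backdoor's malicious code are covered in the related technical report.

About NetSarang

NetSarang Computer, Inc. is a company dedicated to the research and development, marketing, and support of secure connectivity solutions worldwide. The company has developed a range of software, including PC X server and SSH client software, compatible with PC-to-Unix and PC-to-Linux, and has extended its TCP/IP network technologies to related Internet businesses. The company's products and services cover more than 90 countries worldwide.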

Original Text

Link: https://www.kaspersky.com/about/press-releases/2017_shadowpad-how-attackers-hide-backdoor-in-software-used-by-hundreds-of-large-companies-around-the-world

NetSarang Statement

“To combat the ever-changing landscape of cyberattacks NetSarang has incorporated various methods and measures to prevent our line of products from being compromised, infected, or utilized by cyberespionage groups. Regretfully, the Build release of our full line of products on July 18th, 2017 was unknowingly shipped with a backdoor which had the potential to be exploited by its creator.

The security of our customers and user base is our highest priority and ultimately, our responsibility. The fact that malicious groups and entities are utilizing commercial and legitimate software for illicit gain is an ever-growing concern and one that NetSarang, as well as others in the computer software industry, is taking very seriously.

NetSarang is committed to its users’ privacy and has incorporated a more robust system to ensure that never again will a compromised product be delivered to its users. NetSarang will continue to evaluate and improve our security not only to combat the efforts of cyber espionage groups around the world but also in order to regain the trust of its loyal user base.”

All Kaspersky Lab products detect and protect against the ShadowPad malware as “Backdoor.Win32.ShadowPad.a”.

Kaspersky Lab advises users to update immediately to the latest version of the NetSarang software, from which the malicious module has been removed, and to check their systems for signs of DNS queries to unusual domains. A list of the command server domains used by the malicious module can be found in the Securelist blogpost, which also includes further technical information on the backdoor.

About NetSarang

NetSarang Computer, Inc. develops, markets and supports secure connectivity solution in the global market. The company develops a family of PC X server and SSH client software for PC-to-Unix and PC-to-Linux, and is expanding its TCP/IP network technologies to other Internet businesses. The company offers its products and services to more than 90 countries around the world.

References

1. nssock2.dll Malicious Code Warning | Affects Xshell, Xmanager and Other Products

https://cert.360.cn/warning/detail?id=07450801f090579304c01e9338cb0ffb

2. XShell Backdoor Incident

http://bobao.360.cn/news/detail/4263.html

3. Analysis of the XShell Backdoor DNS Tunnel Encoding

http://bobao.360.cn/learning/detail/4258.html

4. ShadowPad in corporate networks

https://securelist.com/shadowpad-in-corporate-networks/81432/

5. ShadowPad: How Attackers hide Backdoor in Software used by Hundreds of Large Companies around the World

https://www.kaspersky.com/about/press-releases/2017_shadowpad-how-attackers-hide-backdoor-in-software-used-by-hundreds-of-large-companies-around-the-world