Archive for the ‘Digital Crimes Unit’ Category

Microsoft teams up with law enforcement and other partners to disrupt Gamarue (Andromeda)

December 4th, 2017

Today, with help from Microsoft security researchers, law enforcement agencies around the globe, in cooperation with Microsoft Digital Crimes Unit (DCU), announced the disruption of Gamarue, a widely distributed malware that has been used in networks of infected computers collectively called the Andromeda botnet.

The disruption is the culmination of a journey that started in December 2015, when the Microsoft Windows Defender research team and DCU activated a Coordinated Malware Eradication (CME) campaign for Gamarue. In partnership with internet security firm ESET, we performed in-depth research into the Gamarue malware and its infrastructure.

Our analysis of more than 44,000 malware samples uncovered Gamarue's sprawling infrastructure. We provided detailed information about that infrastructure to law enforcement agencies around the world, including:

  • 1,214 domains and IP addresses of the botnet's command and control servers
  • 464 distinct botnets
  • More than 80 associated malware families

The coordinated global operation resulted in the takedown of the botnet's servers, disrupting one of the largest malware operations in the world. Since 2011, Gamarue has been distributing a plethora of other threats, including:

A global malware operation

For the past six years, Gamarue has been a very active malware operation that, until the takedown, showed no signs of slowing down. Windows Defender telemetry from the last six months shows Gamarue's global prevalence.

Figure 1. Gamarue's global prevalence from May to November 2017

While the threat is global, the list of top 10 countries with Gamarue encounters is dominated by Asian countries.

Figure 2. Top 10 countries with the most Gamarue encounters from May to November 2017

In the last six months, Gamarue was detected or blocked on approximately 1,095,457 machines every month on average.

Figure 3. Machines, IPs, and unique file encounters for Gamarue from May to November 2017; data does not include LNK detections

The Gamarue bot

Gamarue is known in the underground cybercrime market as Andromeda bot. A bot is a program that allows an attacker to take control of an infected machine. Like many other bots, Gamarue is advertised as a crime kit that hackers can purchase.

The Gamarue crime kit includes the following components:

  • Bot-builder, which builds the malware binary that infects computers
  • Command-and-control application, which is a PHP-based dashboard application that allows hackers to manage and control the bots
  • Documentation on how to create a Gamarue botnet

A botnet is a network of infected machines that communicate with command-and-control (C&C) servers, which are computer servers used by the hacker to control infected machines.

The evolution of the Gamarue bot has been the subject of many thorough analyses by security researchers. At the time of takedown, there were five known active Gamarue versions: 2.06, 2.07, 2.08, 2.09, and 2.10. The latest and the most active is version 2.10.

Gamarue is modular, which means that its functionality can be extended by plugins that are either included in the crime kit or available for separate purchase. The Gamarue plugins include:

  • Keylogger ($150) – used for logging keystrokes and mouse activity in order to steal user names and passwords, financial information, etc.
  • Rootkit (included in crime kit) – injects rootkit code into all processes running on a victim computer to give Gamarue persistence
  • Socks4/5 (included in crime kit) – turns the victim computer into a proxy server for serving malware or malicious instructions to other computers on the internet
  • Formgrabber ($250) – captures any data submitted through web browsers (Chrome, Firefox, and Internet Explorer)
  • Teamviewer ($250) – enables the attacker to remotely control the victim machine, spy on the desktop, and perform file transfers, among other functions
  • Spreader – adds the capability to spread the Gamarue malware itself via removable drives (for example, portable hard drives or flash drives connected via a USB port); it also uses a domain generation algorithm (DGA) for the servers from which it downloads updates

Gamarue attack kill-chain

Over the years, various attack vectors have been used to distribute Gamarue. These include:

  • Removable drives
  • Social media (such as Facebook) messages with malicious links to websites that host Gamarue
  • Drive-by downloads/exploit kits
  • Spam emails with malicious links
  • Trojan downloaders

Once Gamarue has infected a machine, it contacts the C&C server, making the machine part of the botnet. Through the C&C server, the hacker can control Gamarue-infected machines, steal information, or issue commands to download additional malware modules.

Figure 4. Gamarue's attack kill-chain

Gamarue's main goal is to distribute other prevalent malware families. During the CME campaign, we saw at least 80 different malware families distributed by Gamarue. Some of these malware families include:

The installation of other malware broadens the scale of what hackers can do with the network of infected machines.

Command-and-control communication

When the Gamarue malware triggers the infected machine to contact the C&C server, it provides information like the hard disk's volume serial number (used as the bot ID for the computer), the Gamarue build ID, the operating system of the infected machine, the local IP address, an indication of whether the signed-in user has administrative rights, and the keyboard language setting of the infected machine. This information is sent to the C&C server via HTTP using the JSON format:

Figure 5. Information sent by Gamarue to C&C server

The information about keyboard language setting is very interesting, because the machine will not be further infected if the keyboard language corresponds to the following countries:

  • Belarus
  • Russia
  • Ukraine
  • Kazakhstan

Before it is sent to the C&C server, this information is encrypted with the RC4 algorithm using a key hardcoded in the Gamarue malware body.

Figure 6. Encrypted C&C communication

Once the C&C server receives the message, it sends a command that is pre-assigned by the hacker in the control dashboard.

Figure 7. Sample control dashboard used by attackers to communicate to Gamarue bots

The command can be any of the following:

  • Download EXE (i.e., additional executable malware files)
  • Download DLL (i.e., additional malware; removed in version 2.09 and later)
  • Install plugin
  • Update bot (i.e., update the bot malware)
  • Delete DLLs (removed in version 2.09 and later)
  • Delete plugins
  • Kill bot

The last three commands can be used to remove evidence of Gamarue's presence on a machine.

The reply from the C&C server is also encrypted with the RC4 algorithm, using the same key that encrypted the message from the infected machine.

Figure 8. Encrypted reply from C&C server

When decrypted, the reply contains the following information:

  • Time interval – in minutes, the time to wait before asking the C2 server for the next command
  • Task ID – used by the hacker to track whether there was an error performing the task
  • Command – one of the commands mentioned above
  • Download URL – from which a plugin, updated binary, or other malware can be downloaded, depending on the command

Figure 9. Decrypted reply from C&C server
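The check-in and reply exchange described above, written out as an added Python example for analysts decoding captured traffic. This is not Microsoft's or ESET's code and does not reproduce Figures 5 to 9: the RC4 key, the JSON field names, the command spellings and the sample messages are all constructed here, and representing the keyboard setting as a Windows language identifier (LCID) is an assumption about how that field is encoded.

```python
import json

# Constructed placeholder; each real Gamarue build carries its own hardcoded RC4 key.
DEMO_KEY = b"demo-key-not-from-a-sample"

# Keyboard languages the post says stop the infection. Encoding them as Windows
# language identifiers (LCIDs) is an assumption about the wire format.
EXCLUDED_KEYBOARD_LCIDS = {
    0x0423: "Belarus",
    0x0419: "Russia",
    0x0422: "Ukraine",
    0x043F: "Kazakhstan",
}

# Command names taken from the post's list; the last three can erase traces of the bot.
KNOWN_COMMANDS = {"download_exe", "download_dll", "install_plugin",
                  "update_bot", "delete_dlls", "delete_plugins", "kill_bot"}
CLEANUP_COMMANDS = {"delete_dlls", "delete_plugins", "kill_bot"}


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key scheduling + keystream XOR). Symmetric, so the same
    function both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_json(blob: bytes, key: bytes) -> dict:
    """Strip the RC4 layer and parse the JSON body underneath."""
    return json.loads(rc4(key, blob).decode("utf-8"))


def decode_checkin(blob: bytes, key: bytes = DEMO_KEY) -> dict:
    """Decode a bot check-in and report whether the keyboard kill switch applies."""
    msg = decrypt_json(blob, key)
    lcid = int(msg["keyboard_lcid"])
    country = EXCLUDED_KEYBOARD_LCIDS.get(lcid)
    return {
        "bot_id": msg["volume_serial"],   # hard disk volume serial number
        "build_id": msg["build_id"],
        "os": msg["os"],
        "local_ip": msg["local_ip"],
        "is_admin": bool(msg["is_admin"]),
        "keyboard_lcid": lcid,
        "infection_skipped": country is not None,
        "skip_reason": country,
    }


def decode_reply(blob: bytes, key: bytes = DEMO_KEY) -> dict:
    """Decode the C&C reply (same key) into the four fields the post lists."""
    msg = decrypt_json(blob, key)
    cmd = msg["command"]
    if cmd not in KNOWN_COMMANDS:
        raise ValueError(f"unexpected command {cmd!r}")
    return {
        "interval_minutes": int(msg["interval"]),
        "task_id": int(msg["task_id"]),
        "command": cmd,
        "download_url": msg.get("url"),
        "removes_evidence": cmd in CLEANUP_COMMANDS,
    }


def build_fixture(obj: dict, key: bytes = DEMO_KEY) -> bytes:
    """Constructed test input: wrap a JSON object the way the decoders expect."""
    return rc4(key, json.dumps(obj).encode("utf-8"))


# Constructed captures, not traffic from a real infection.
CHECKIN_RU = build_fixture({
    "volume_serial": "A1B2C3D4", "build_id": "demo-build", "os": "6.1",
    "local_ip": "192.0.2.25", "is_admin": 1, "keyboard_lcid": 0x0419,
})
CHECKIN_US = build_fixture({
    "volume_serial": "0F0E0D0C", "build_id": "demo-build", "os": "6.1",
    "local_ip": "192.0.2.26", "is_admin": 0, "keyboard_lcid": 0x0409,
})
REPLY_KILL = build_fixture({"interval": 15, "task_id": 7, "command": "kill_bot"})
REPLY_EXE = build_fixture({"interval": 30, "task_id": 8, "command": "download_exe",
                           "url": "http://c2.example/payload.exe"})

if __name__ == "__main__":
    for blob in (CHECKIN_RU, CHECKIN_US):
        print(json.dumps(decode_checkin(blob), indent=2))
    for blob in (REPLY_KILL, REPLY_EXE):
        print(json.dumps(decode_reply(blob), indent=2))
```

Because RC4 with a static key is a stream cipher with no integrity check, a wrong key simply yields garbage that fails JSON parsing; in practice the key is recovered from the sample, and the decoded `removes_evidence` flag is what tells a responder that the operator has already been asked to tear the bot down.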

Anti-sandbox techniques

Gamarue employs anti-AV techniques to make analysis and detection difficult. Prior to infecting a machine, Gamarue checks a list of hashes of the processes running on the potential victim's machine. If it finds a process that may be associated with malware analysis tools, such as virtual machines or sandbox tools, Gamarue does not infect the machine. In older versions, a fake payload is shown when running in a virtual machine.

Figure 10. Gamarue checks if any of the running processes are associated with malware analysis tools

Stealth mechanisms

Gamarue uses cross-process injection techniques to stay under the radar. It injects its code into the following legitimate processes:

  • msiexec.exe (Gamarue versions 2.07 to 2.10)
  • wuauclt.exe, wupgrade.exe, svchost.exe (version 2.06)

It can also use a rootkit plugin to hide the Gamarue file and its autostart registry entry.

Gamarue employs a stealthy technique to store and load its plugins as well. The plugins are stored fileless, either saved in the registry or in an alternate data stream of the Gamarue file.

OS tampering

Gamarue attempts to tamper with the operating system of infected computers by disabling the Firewall, Windows Update, and User Account Control functions. These functions cannot be re-enabled until the Gamarue infection has been removed from the infected machine. This OS tampering behavior does not work on Windows 10.

Figure 11. Disabled Firewall and Windows Update
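Taking the Stealth mechanisms and OS tampering sections together, here is an added host-triage example in Python; it is my code, not Microsoft's. It runs over a constructed snapshot of one host: outbound-connection events for the injection-host images the post names, the alternate data streams found on a couple of files, and a few registry values. The expected-parent list and the registry paths for UAC, the firewall and Windows Update are my assumptions about where those settings normally live on Windows 7-era systems, not details the post gives.

```python
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Images the post names as Gamarue injection targets (versions 2.06 to 2.10).
INJECTION_HOSTS = {"msiexec.exe", "wuauclt.exe", "wupgrade.exe", "svchost.exe"}

# Parents under which those images normally start. An assumed triage
# heuristic, not a rule taken from the post.
EXPECTED_PARENTS = {
    "msiexec.exe": {"services.exe", "explorer.exe", "msiexec.exe"},
    "wuauclt.exe": {"services.exe", "svchost.exe"},
    "wupgrade.exe": {"services.exe", "svchost.exe"},
    "svchost.exe": {"services.exe"},
}

# The stream Windows itself adds to downloaded files; any other stream is worth a look.
BENIGN_STREAMS = {"Zone.Identifier"}

# Registry values recording the three features the post says Gamarue disables
# (assumed locations for Windows 7-era systems): (value path, bad value, meaning).
TAMPER_CHECKS = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     0, "User Account Control disabled"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
     r"\StandardProfile\EnableFirewall", 0, "Windows Firewall disabled"),
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate",
     1, "Windows Update disabled"),
]

Finding = Tuple[str, str]  # (category, detail)


@dataclass
class NetEvent:
    """One outbound connection, as a process-monitoring sensor would log it."""
    pid: int
    image: str         # full path of the process image
    parent_image: str  # full path of the parent's image
    cmdline: str
    dest: str


@dataclass
class HostSnapshot:
    net_events: List[NetEvent]
    streams: Dict[str, List[str]]   # file path -> alternate data stream names
    registry: Dict[str, int]        # value path -> DWORD


def injection_host_findings(events: List[NetEvent]) -> List[Finding]:
    """Network activity from an injection host that started under an unusual
    parent, or from an msiexec.exe with no package on its command line."""
    out = []
    for e in events:
        image = ntpath.basename(e.image).lower()
        if image not in INJECTION_HOSTS:
            continue
        parent = ntpath.basename(e.parent_image).lower()
        odd_parent = parent not in EXPECTED_PARENTS[image]
        no_package = image == "msiexec.exe" and ".msi" not in e.cmdline.lower()
        if odd_parent or no_package:
            out.append(("injection-host",
                        f"pid {e.pid} {image} (parent {parent}) -> {e.dest}"))
    return out


def ads_findings(streams: Dict[str, List[str]]) -> List[Finding]:
    """Non-standard alternate data streams, one place the post says plugins hide."""
    return [("ads", f"{path}:{name}")
            for path, names in streams.items()
            for name in names if name not in BENIGN_STREAMS]


def tamper_findings(registry: Dict[str, int]) -> List[Finding]:
    """Registry values that match the disabled state of UAC, firewall or updates."""
    return [("os-tamper", meaning)
            for path, bad, meaning in TAMPER_CHECKS
            if registry.get(path) == bad]


def triage(snap: HostSnapshot) -> List[Finding]:
    return (injection_host_findings(snap.net_events)
            + ads_findings(snap.streams)
            + tamper_findings(snap.registry))


# Constructed snapshot; paths, PIDs and addresses are made up for the example.
SAMPLE = HostSnapshot(
    net_events=[
        NetEvent(1204, r"C:\Windows\System32\msiexec.exe", r"C:\Windows\explorer.exe",
                 r"msiexec.exe /i C:\Users\alice\Downloads\tool.msi", "203.0.113.5:443"),
        NetEvent(2140, r"C:\Windows\System32\msiexec.exe",
                 r"C:\Users\alice\AppData\Local\Temp\ds.exe", "msiexec.exe", "198.51.100.7:80"),
        NetEvent(688, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
                 "svchost.exe -k netsvcs", "203.0.113.9:80"),
    ],
    streams={
        r"C:\Users\alice\Downloads\tool.msi": ["Zone.Identifier"],
        r"C:\ProgramData\ms\up.exe": ["Zone.Identifier", "plg"],
    },
    registry={TAMPER_CHECKS[0][0]: 0, TAMPER_CHECKS[1][0]: 0, TAMPER_CHECKS[2][0]: 1},
)

if __name__ == "__main__":
    for category, detail in triage(SAMPLE):
        print(f"[{category}] {detail}")
```

None of the three checks is conclusive on its own (an administrator can legitimately turn UAC off, and installers do run msiexec.exe), which is why the script reports findings by category rather than a verdict; three categories firing on the same host is the pattern worth escalating.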

Monetization

There are several ways hackers earn money using Gamarue. Since Gamarue's main purpose is to distribute other malware, hackers earn money through a pay-per-install scheme. Using its plugins, Gamarue can also steal user information; stolen information can be sold to other hackers in cybercriminal underground markets. Access to Gamarue-infected machines can also be sold, rented, leased, or swapped by one criminal group to another.

Remediation

To help prevent a Gamarue infection, as well as other malware and unwanted software, take these precautions:

  • Be cautious when opening emails or social media messages from unknown users.
  • Be wary about downloading software from websites other than the program developer's.

More importantly, ensure you have the right security solutions that can protect your machine from Gamarue and other threats. Windows Defender Antivirus detects and removes the Gamarue malware. With advanced machine learning models, as well as generic and heuristic techniques, Windows Defender AV detects new as well as never-before-seen malware in real-time via the cloud protection service. Alternatively, standalone tools, such as Microsoft Safety Scanner and the Malicious Software Removal Tool (MSRT), can also detect and remove Gamarue.

Microsoft Edge can block Gamarue infections from the web, such as those from malicious links in social media messages and drive-by downloads or exploit kits. Microsoft Edge is a secure browser that opens pages within low privilege app containers and uses reputation-based blocking of malicious downloads.

In enterprise environments, additional layers of protection are available. Windows Defender Advanced Threat Protection can help security operations personnel detect Gamarue activities, including cross-process injection techniques, in the network so they can investigate and respond to attacks. Windows Defender ATP's enhanced behavioral and machine learning detection libraries flag malicious behavior across the malware infection process, from delivery and installation, to persistence mechanisms, and command-and-control communication.

Microsoft Exchange Online Protection (EOP) can block Gamarue infections from email using built-in anti-spam filtering capabilities that help protect Office 365 customers. Office 365 Advanced Threat Protection helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files, leveraging time-of-click protection.

Windows Defender Exploit Guard can block malicious documents (such as those that distribute Gamarue) and scripts. The Attack Surface Reduction (ASR) feature in Windows Defender Exploit Guard uses a set of built-in intelligence that can block malicious behaviors observed in malicious documents. ASR rules can also be turned on to block malicious attachments from being run or launched from Microsoft Outlook or webmail (such as Gmail, Hotmail, or Yahoo).

Microsoft is also continuing the collaborative effort to help clean Gamarue-infected computers by providing a one-time package with samples (through the Virus Information Alliance) to help organizations protect their customers.

Microsoft Digital Crimes Unit and Windows Defender Research team

Get more info on the Gamarue (Andromeda) takedown from the following sources:


HOW TO: Report the Microsoft phone scam

September 18th, 2014

If someone calls you claiming to be from Microsoft technical support and offers to help you fix your computer, mobile phone, or tablet, this is a scam designed to install malicious software on your computer, steal your personal information, or both.

Do not trust unsolicited calls. Do not provide any personal information.

You can report this scam to the following authorities:

Whenever you receive a phone call or see a pop-up window on your PC and feel uncertain whether it is from someone at Microsoft, don’t take the risk. Reach out directly to one of our technical support experts dedicated to helping you at the Microsoft Answer Desk. Or you can simply call us at 1-800-426-9400 or one of our customer service phone numbers for people located around the world.

Microsoft takes on world’s worst cybercriminals

July 15th, 2014

Microsoft recently took legal action against a group of cybercriminals suspected of spreading malicious software to millions of unsuspecting computer users.

These social media–savvy cybercriminals have not only spread the malware themselves, but they’ve also promoted their malicious tools across the Internet, offering step-by-step instructions to completely control millions of unsuspecting victims’ computers in order to commit crimes.

For more information on the legal action, see Microsoft takes on global cybercrime epidemic in tenth malware disruption.

To help protect yourself against cybercrime

  • Keep your operating system and other software updated.
  • Use antivirus software (and keep it updated).
  • Don’t open suspicious email messages, links, or attachments.

Get more guidance at How to boost your malware defense and protect your PC.

ZeroAccess criminals wave white flag: The impact of partnerships on cybercrime

December 19th, 2013

The following is a post from Richard Domingues Boscovich, Assistant General Counsel, Microsoft Digital Crimes Unit.

Two weeks after Microsoft filed its civil case in the U.S. District Court for the Western District of Texas against the notorious Sirefef botnet, also known as ZeroAccess, I am pleased to report that our disruption effort has been successful, and it appears that the criminals have abandoned their botnet. As a result, last week Microsoft requested that the court close the civil case in order to allow law enforcement to continue their investigative efforts in the matter.

As stated at the outset of this disruption effort, Microsoft and its partners did not expect to fully eliminate the ZeroAccess botnet because of the complexity of the threat. Rather, our focus was to protect people by cleaning the computers infected with the malware so they could no longer be used for harm. As we expected, less than 24 hours after our disruptive action, the cybercriminals pushed out new instructions to the ZeroAccess-infected computers in order to continue their fraud schemes. However, because we were monitoring their actions and able to identify new Internet Protocol (IP) addresses the criminals were using to commit their crimes, Europol’s European Cybercrime Centre (EC3) took immediate action to coordinate with member country law enforcement agencies, led by Germany’s Bundeskriminalamt’s (BKA) Cyber Intelligence Unit, to quickly track down those new fraud IP addresses.

After BKA’s quick response, the bot-herders released one additional update to the infected computers that included the message “WHITE FLAG,” which we believe symbolizes that the criminals have decided to surrender control of the botnet. Since that time, we have not seen any additional attempts by the bot-herders to release new code and as a result, the botnet is currently no longer being used to commit fraud.

The cybercriminals’ decision to halt their activities underscores how effective partnerships are in the fight against cybercrime. Microsoft’s partnership with EC3 was crucial to the success of this disruption. In turn, EC3’s coordination with member-state law enforcement agencies like BKA in Germany and the National Hi Tech Crime Units from the Netherlands, Latvia, Switzerland and Luxembourg demonstrates the need for international cross-jurisdictional cooperation at a speed equal to the criminal cyber threats affecting people globally.

We would like to thank all of our partners for their work to combat the ZeroAccess botnet. Microsoft is committed to protecting the public from cyber threats, and trustworthy partnership with the research and law-enforcement community is a critical component of this. We will continue to work closely with the security community globally in disruptive actions that help protect our customers and put cybercriminals out of business.

Now that Microsoft has closed the civil case, and law enforcement continues their criminal investigations to pursue the individuals behind the botnet, we must continue to focus our efforts on working with ecosystem partners around the world to notify people if their computer is infected.

As we originally shared, ZeroAccess is very sophisticated malware, and it actually blocks attempts to remove it, so we recommend that people visit http://support.microsoft.com/botnets for detailed instructions on how to clean their computers.

ZeroAccess was the first botnet operation completed since Microsoft opened the Cybercrime Center in November. The Cybercrime Center, which combines Microsoft’s legal and technical expertise with cutting-edge tools and technology to fight cybercrime, enables DCU to more effectively work with partners to fight cybercrime. I am confident you’ll hear of additional important work coming out of the Center in the months ahead.

To stay up to date on the latest developments on the fight against cybercrime, follow the Microsoft Digital Crimes Unit on Facebook and Twitter.


Microsoft, Europol, FBI and industry partners disrupt notorious ZeroAccess botnet that hijacks search results

December 5th, 2013

The following is a post from Richard Domingues Boscovich, Assistant General Counsel, Microsoft Digital Crimes Unit.

For the third time this year, Microsoft’s Digital Crimes Unit has successfully disrupted a dangerous botnet that has impacted millions of innocent people. Today, we’re pleased to announce that Microsoft, in conjunction with Europol’s European Cybercrime Centre (EC3), the Federal Bureau of Investigation and technology industry leaders such as A10 Networks, has taken action against the rampant Sirefef botnet, also known as ZeroAccess. The ZeroAccess botnet has infected nearly two million computers all over the world and cost online advertisers upwards of $2.7 million each month.

ZeroAccess targets all major search engines and browsers, including Google, Bing and Yahoo!. The majority of computers infected with ZeroAccess are located in the U.S. and Western Europe. Similar to the Bamital botnet, which Microsoft and industry partners took action against in February, ZeroAccess is responsible for hijacking search results and directing people to potentially dangerous websites that could install malware onto their computer, steal their personal information or fraudulently charge businesses for online advertisement clicks. ZeroAccess also commits click fraud.

Due to its botnet architecture, ZeroAccess is one of the most robust and durable botnets in operation today, and was built to be resilient to disruption efforts, relying on a peer-to-peer infrastructure that allows cybercriminals to remotely control the botnet from tens of thousands of different computers. Most often, computers become infected with ZeroAccess as a result of “drive-by-downloads,” where the cybercriminals create a website that downloads malware onto any unprotected computer that happens to visit that site. Computers can also become infected through counterfeit and unlicensed software, where criminals disguise ZeroAccess as legitimate software, tricking a person into downloading the ZeroAccess malware onto their computer.

Because of the sophistication of the threat, Microsoft and its partners do not expect to fully eliminate the ZeroAccess botnet. However, we do expect this legal and technical action will significantly disrupt the botnet’s operation by disrupting the cybercriminals’ business model and forcing them to rebuild their criminal infrastructure, as well as preventing victims’ computers from committing the fraudulent schemes. We would like to thank A10 Networks, who provided Microsoft with advanced technology to support the disruptive action.

Microsoft is working with ecosystem partners around the world to notify people if their computer is infected, and will be making this information available through its Cyber Threat Intelligence Program (C-TIP). ZeroAccess is very sophisticated malware, blocking attempts to remove it, and we therefore recommend that people visit http://support.microsoft.com/botnets for detailed instructions on how to remove this threat. Because Microsoft found that the ZeroAccess malware disables security features on infected computers, leaving the computer susceptible to secondary infections, it is critical that victims rid their computers of ZeroAccess by using malware removal or anti-virus software as quickly as possible.

This is the first botnet action since the Nov. 14 unveiling of the new Microsoft Cybercrime Center – a center of excellence for advancing the global fight against cybercrime – and marks Microsoft’s eighth botnet action in the past three years. Similar to Microsoft’s Citadel botnet case, ZeroAccess is part of an extensive cooperative effort with industry partners and law enforcement to take out cybercriminal networks to ensure that people worldwide can use their computing devices and services with confidence.

More information about Thursday’s news against ZeroAccess is available here. This case and operation are ongoing, and we’ll continue to provide updates as they become available. To stay up to date on the latest developments on the fight against cybercrime, follow the Microsoft Digital Crimes Unit on Facebook and Twitter.


Microsoft Disrupts Botnet Hijacking Search Results and Exploiting Search Engines

December 5th, 2013

Today, Microsoft’s Digital Crimes Unit (DCU), in partnership with law enforcement and industry partners, announced the successful disruption of the Sirefef botnet, also known as ZeroAccess. This dangerous botnet is responsible for hijacking people’s search results and taking them to potentially dangerous websites that could install malware onto their computer, steal their personal information, or fraudulently charge businesses for online advertisement clicks. ZeroAccess also commits click fraud. According to the latest Microsoft Security Intelligence Report, by the end of 2012, malicious or compromised websites had emerged to become the top threats facing enterprises as well as consumers. This botnet specifically targets search results on the major online search and advertising platforms including Google, Bing and Yahoo!, and is estimated to cost online advertisers $2.7 million each month.

“Cyber Crime Department” scam

March 21st, 2013

We’ve received increased reports of a new phishing scam email message that uses the name and official logo of the Microsoft Digital Crimes Unit (DCU). The wording varies, but it looks like a security measure and says you need to validate your account by confirming your user name and password or by opening a file attached to the message.

This is a fake message, but DCU is a real worldwide team of lawyers, investigators, technical analysts, and other specialists working to transform the fight against digital crime through partnerships and legal and technical breakthroughs that destroy the way cybercriminals operate. The DCU is a unique team in the tech industry, focused on disrupting some of the most difficult cybercrime threats facing society today – including malicious software crimes fueled by the use of botnets and technology-facilitated child sexual exploitation.

DCU does not send email to individuals asking them to validate their account information. If you get one of these email messages, it is a scam.

There are legitimate times when, in the course of a botnet cleanup effort, DCU will work to inform known victims of a particular threat to help them remove the botnet malware and regain control of their computer. Sometimes Microsoft will work with Internet service providers (ISPs) and Computer Emergency Response Teams, who in turn will work to inform malware victims by communicating through their already-established relationship with their ISP customers. This enables ISPs to reach victims in a way that is clearly verifiable to botnet victims as legitimate. Other times, Microsoft may indeed notify victims directly – but not in email and not to verify account information, as the phishing scams claim.

When DCU does inform victims directly about a known malware infection on their computer, like in the recent case involving the Bamital botnet takedown, it will not ask people to click on a link or download an attachment. Rather, DCU’s communication will be done over a secured connection and will be readily verifiable as legitimately coming from Microsoft. These notifications will often also be accompanied by a high profile public information campaign that outlines the notification process, which will also help people independently verify that a warning is real and actually coming from Microsoft.

If you receive an email message claiming to be from the DCU, do not click on links or open any attachments. Instead, you can either just delete it or you can report it.

Here’s a copy of the fake message:

This message contains three common signs of a scam:

  • Impersonation of a well-known company or organization
  • Time-sensitive threats to your account
  • Requests to click an attachment or link

Get more information on how to recognize phishing email messages, links, or phone calls.

Clean up malware resulting from the Bamital botnet

February 8th, 2013

On February 6, Microsoft announced that its Digital Crimes Unit had worked with Symantec to successfully deactivate a major botnet called Bamital. Below is an overview of Bamital and how you can remove it from your computer.

Botnets are networks of compromised computers, controlled remotely by criminals who use them to secretly spread malware, steal personal information, and commit fraud. Bamital was designed to hijack internet search results and take people to websites that were potentially dangerous.

To learn more about botnets, see How to better protect your PC with botnet protection and avoid malware.

A majority of computers affected by Bamital were running Windows XP and not using a firewall and antivirus software or having monthly security updates installed.

You might have malware on your computer if you see this page:

To help clean Bamital and other malware from your computer, you can install antivirus and antispyware programs that are available online from a provider that you trust.

Microsoft and Symantec each provide free malware removal tools:

For more information about how to remove malware, visit the Virus and Security Solution Center from Microsoft Support.

Read more at the Official Microsoft Blog.

Fraud alert: Microsoft Digital Crimes Unit scam

August 24th, 2012

We’ve received reports about a new phishing scam email that tells “email users across the world” to validate their email account or it will be deleted from “the world email server.”

This email is fake, but it does use the official logo of the Microsoft Digital Crimes Unit (DCU). The Microsoft DCU is a real worldwide team of lawyers, investigators, technical analysts, and other specialists partnering internationally to disrupt cybercrime and transform the fight against digital crime to make the world safer.

If you receive an email like this you can ignore it and delete it. You can also report it.

This email contains three of the common signs of a scam:

  • Impersonation of a well-known company or organization
  • Time-sensitive threats to delete your account
  • Requests to click a link in an email

Get more information on how to recognize phishing email messages, links, or phone calls.

Combating social engineering tactics, like cookiejacking, to stay safer online

May 28th, 2011

You may have seen articles recently that highlight a social engineering technique called “cookiejacking” and how a particular instance may currently affect Internet Explorer.

It’s important to note that we have not seen widespread attacks related to this specific case. However, we take security very seriously, and to ensure customers are protected, we are working on an update to Internet Explorer.

Cookiejacking is a variant of an industry-wide attack type known as clickjacking. All Internet browsers are potentially susceptible to clickjacking, which is a form of social engineering attack, so as well as talking about this issue we wanted to highlight some more general best practices for staying safe online.

We also wanted to put this specific issue in context. In order to be exposed to risk a number of things would need to happen. You’d need to be tricked into interacting with malicious content on a website. Only after this could a third party steal cookies from a website that you were previously logged into. While this threat has been demonstrated by a security researcher, to date we are not aware of any actual attacks online.

The InPrivate Browsing feature in Internet Explorer will prevent cookies from earlier browsing sessions being stored on your PC, and mean they are not vulnerable to cookiejacking even in the circumstances described.

This is a form of social engineering attack and these kinds of threats will remain a concern for Internet users on all browsers. Software vulnerabilities are not needed for these kinds of threats to be successful so it is always a good idea to follow best practices – regardless of the browser you are using – in order to stay safe..
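Cookiejacking belongs to the clickjacking family, and the generic, browser-independent defence against that family is for the site being framed to say who may frame it. The following is an added example, not code from the original post or from Microsoft: a small auditor for the two response headers that carry that policy, `Content-Security-Policy: frame-ancestors` and the older `X-Frame-Options`, run over a set of constructed sample responses (the function and sample names are this example's own). It also covers two failure modes a site operator would want flagged: duplicated or conflicting `X-Frame-Options` values, which browsers reject and then allow framing, and a permissive `frame-ancestors` that silently overrides a strict `X-Frame-Options`, because browsers that understand the CSP directive ignore the legacy header when it is present. Note that this check guards the site being targeted; the specific Internet Explorer behaviour the post describes was addressed by a browser update, and response headers are not a substitute for that.

```javascript
// Added example: auditing the server-side headers that restrict framing
// (clickjacking defence). Not Microsoft's code; the SAMPLE_RESPONSES below
// are constructed for illustration, not captured from real sites.

/**
 * Parse a Content-Security-Policy header value into a directive map, e.g.
 * "frame-ancestors 'self' https://a.example; default-src 'self'"
 *   -> { "frame-ancestors": ["'self'", "https://a.example"], "default-src": ["'self'"] }
 * The first occurrence of a directive wins, as in the CSP specification.
 */
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

/**
 * Evaluate framing protection for one HTTP response.
 * `headers` is an object keyed by lower-cased header name.
 * Returns { protected: boolean, mechanism: 'csp' | 'xfo' | 'none', reasons: string[] }.
 */
function assessFramingProtection(headers) {
  const reasons = [];

  // 1. CSP frame-ancestors takes precedence: browsers that support it
  //    ignore X-Frame-Options whenever the directive is present.
  const csp = headers['content-security-policy'];
  if (csp) {
    const ancestors = parseCsp(csp)['frame-ancestors'];
    if (ancestors) {
      const srcs = ancestors.map((s) => s.toLowerCase());
      if (srcs.includes('*') || srcs.some((s) => s === 'http:' || s === 'https:')) {
        reasons.push('frame-ancestors allows any origin, overriding X-Frame-Options');
        return { protected: false, mechanism: 'csp', reasons };
      }
      if (srcs.length === 0 || srcs.includes("'none'")) {
        reasons.push('frame-ancestors forbids all framing');
      } else {
        reasons.push(`frame-ancestors restricts framing to: ${srcs.join(' ')}`);
      }
      return { protected: true, mechanism: 'csp', reasons };
    }
    reasons.push('CSP present but has no frame-ancestors directive');
  }

  // 2. X-Frame-Options is the legacy fallback.
  const xfo = headers['x-frame-options'];
  if (xfo === undefined) {
    reasons.push('no X-Frame-Options header');
    return { protected: false, mechanism: 'none', reasons };
  }
  // Conflicting values such as "DENY, SAMEORIGIN" are rejected by browsers,
  // which then permit framing: a duplicated header is a failure, not extra safety.
  const values = [...new Set(xfo.split(',').map((v) => v.trim().toUpperCase()))];
  if (values.length !== 1) {
    reasons.push(`conflicting X-Frame-Options values: ${values.join(', ')}`);
    return { protected: false, mechanism: 'xfo', reasons };
  }
  const [v] = values;
  if (v === 'DENY' || v === 'SAMEORIGIN') {
    reasons.push(`X-Frame-Options ${v}`);
    return { protected: true, mechanism: 'xfo', reasons };
  }
  if (v.startsWith('ALLOW-FROM')) {
    reasons.push('ALLOW-FROM is obsolete and ignored by current browsers; use frame-ancestors');
    return { protected: false, mechanism: 'xfo', reasons };
  }
  reasons.push(`invalid X-Frame-Options value: ${v}`);
  return { protected: false, mechanism: 'xfo', reasons };
}

// Constructed sample responses (headers lower-cased as a client library would).
const SAMPLE_RESPONSES = {
  hardened:    { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'", 'x-frame-options': 'DENY' },
  legacyOnly:  { 'x-frame-options': 'SAMEORIGIN' },
  conflicting: { 'x-frame-options': 'DENY, SAMEORIGIN' },
  openCsp:     { 'content-security-policy': 'frame-ancestors *', 'x-frame-options': 'DENY' },
  unprotected: { 'content-type': 'text/html' },
};

/** Audit every response in `responses`; returns a report keyed by response name. */
function auditAll(responses = SAMPLE_RESPONSES) {
  const report = {};
  for (const [name, headers] of Object.entries(responses)) {
    report[name] = assessFramingProtection(headers);
  }
  return report;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, r] of Object.entries(auditAll())) {
    console.log(`${name.padEnd(12)} ${r.protected ? 'PROTECTED  ' : 'UNPROTECTED'} [${r.mechanism}] ${r.reasons.join('; ')}`);
  }
}
```

Run as `node audit-framing.js` to print one line per sample; in practice you would feed `assessFramingProtection` the response headers of each page that renders while a user is logged in. The `openCsp` sample is the one to remember: it carries `X-Frame-Options: DENY` and is still unprotected, because the permissive `frame-ancestors *` wins in any browser that understands CSP.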

Some social engineering scams can be recognized by one or more of the following signs:

  • Odd messages from friends on social networking sites to participate in games or offers you must act upon immediately.
  • Alarmist messages and threats of account closures.
  • Promises of money for little or no effort.
  • Deals that sound too good to be true.
  • Requests to donate to a charitable organization after a disaster that has been in the news.
  • Bad grammar and misspellings.

To learn more about identifying social engineering scams and how to protect against them, please see Microsoft’s guidance on email and web scams. One of the basic rules on the Internet, as in life, is to use common sense: be suspicious of contacts from strangers, things that don’t look quite right, and offers that appear too good to be true.

Internet Explorer includes some industry leading features to help protect against other forms of socially engineered attacks.

Our SmartScreen Filter technology helps detect phishing websites. It can also help protect you from installing malicious software, or malware: programs that demonstrate illegal, viral, fraudulent, or malicious behavior.

As well as the SmartScreen service, we’ve also invested in Microsoft Security Essentials, free anti-virus software for Windows customers. In addition, we work with other anti-virus vendors around the world to share information about software security issues, which allows them to develop better protections, faster, for their customers. This is what we refer to as community-based defense.

Socially engineered attacks are criminal activities and Microsoft fights these battles on the legal front as well. Our Digital Crimes Unit (DCU) works with law enforcement and government agencies daily to take down major botnets that are responsible for huge amounts of spam and social engineering attacks across the Internet.

Social engineering is a threat across the industry, and at Microsoft we’re diligently working to help keep customers safe online.

Microsoft helps defeat major spam botnet

April 7th, 2011

Watch experts from Microsoft and other organizations explain how botnets work and how Microsoft and Pfizer helped bring down the Rustock botnet, a notorious source of spam, fraud, and cybercrime.

Watch the video from CNBC World Business:

Rustock Takedown Is Part of Larger War on Spam

Operation b107 – Rustock Botnet Takedown

March 18th, 2011

Just over one year ago, Microsoft, with industry and academic partners, utilized a novel combination of legal and technical actions to take control of the Win32/Waledac botnet as the first action in Project MARS (Microsoft Active Response for Security). Today, a similar action has had its legal seal opened, allowing us to talk more openly about recent activities against the Win32/Rustock botnet.

Comparatively, Waledac was a much simpler, and smaller, botnet than Rustock. It is, however, because of the legal and technical lessons learned in that set of actions that we were able to take on the much larger challenge of Rustock: a botnet with an estimated infection count above one million computers and capable of sending billions of spam messages per day. Some statistics suggest that, at its peaks, it represented as much as 80% of spam traffic and in excess of 2,000 spam messages per second.

Our efforts here represent a partnership between Microsoft’s Digital Crimes Unit, the Microsoft Malware Protection Center and Trustworthy Computing. This was a multi-month effort which had its denouement yesterday with a coordinated seizure of command and control servers, under court order from the U.S. District Court for the Western District of Washington, carried out by the U.S. Marshals Service as well as authorities in the Netherlands. Investigators are now inspecting the evidence captured in these seizures from five hosting centers in seven locations in order, potentially, to learn more about those responsible and their activities.

Efforts like this are not possible without collaboration with others. For this effort, we worked with Pfizer, whose brands were infringed by fake-pharma spam coming from Rustock. We also worked with our colleagues at FireEye and the University of Washington. All three provided valuable declarations to the court on the behaviors of Rustock and the specific dangers posed by this threat: dangers to public health in addition to those affecting the Internet.

We are continuing our work with both CERTs and ISPs around the world to reach out to those whose computers are infected and help clean them of viruses. If you believe a computer under your care, or that of a family member, friend or colleague, may be infected, please make a concerted effort to clean it and get protected with a full antivirus product from a trusted provider. More support information is available at http://support.microsoft.com/botnets. The announcement from Microsoft’s Digital Crimes Unit can be found on the Official Microsoft Blog and the Microsoft on the Issues blog.


 –Jeff Williams