Archive

Archive for November, 2011

Forefront Protection 2010 for Exchange Server – Frequently Asked Questions

November 30th, 2011 No comments

With the variety of Forefront configuration options available, often our users have questions about how our products work together to form a comprehensive server protection solution. Microsoft’s Forefront Protection 2010 for Exchange Server engineers recently sat down to answer some of the most frequently asked questions about FPE. If you are interested in finding out more about FPE and Edge transport integration, reporting, policies, or spam quarantine access rights, head over to the updated Forefront Protection 2010 for Exchange Server (FPE 2010) FAQ on the TechNet wiki. You will find answers not only to users’ scenario questions but also a high-level overview of the Forefront Protection 2010 for Exchange Server product.

After looking through the FAQ, let us know what you think by leaving a comment on the wiki page or this blog post. Do you have questions we didn’t cover in the FAQ? Check out the full list of help documents in the TechNet FPE 2010 library at Microsoft Forefront Protection 2010 for Exchange Server.

Timothy Rich – Technical Writer for Office User Assistance

Categories: FPE 2010 Tags:


MS11-028 – Critical : Vulnerability in .NET Framework Could Allow Remote Code Execution (2484015) – Version: 2.4

Severity Rating: Critical
Revision Note: V2.4 (November 30, 2011): Corrected the bulletin replacement information for .NET Framework 4 on Windows 7 for x64-based Systems Service Pack 1, Windows Server 2008 R2 for x64-based Systems Service Pack 1, and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1. This is a bulletin change only. There were no changes to the detection or security update files.
Summary: This security update resolves a publicly disclosed vulnerability in Microsoft .NET Framework. The vulnerability could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs). Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a Web hosting scenario. This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions.

Categories: Uncategorized Tags:

Hang up on phone scams

November 29th, 2011 No comments

If you receive a phone call from someone who claims to be from Microsoft and says that your computer has a virus, hang up.

This call is probably from a cybercriminal who wants to charge you for a bogus service or trick you into installing malicious software on your computer that could capture sensitive data. Then, they might even charge you to remove the software that they tricked you into installing.

Microsoft does not make unsolicited calls to ask for personal information or to charge you for computer updates. You can update your computer automatically and for free with Windows Update.

For more information, see Phone Scammers: Here to help…themselves.

If you think you might have already been a victim of this scam, learn how to report it.

Get more information about how to avoid tech support phone scams.

The Case of the Installer Service Error

November 29th, 2011 No comments

This case unfolds with a network administrator charged with the rollout of the Microsoft Windows Intune client software on their network. Windows Intune is a cloud service that manages systems on a corporate network, keeping their software up to date…(read more)

Categories: Uncategorized Tags:

Stay safer when you shop online (part 3 of 3)

November 25th, 2011 No comments

For the third and last installment in our series on how to stay safer when you shop online this holiday season, we have a few tips on what to do if you think you might already be a victim of a shopping scam.

Check your statements. If you think you might have given away personal or financial information to a cybercriminal, check your bank and credit card statements. You should do this regularly, especially over the holidays.

Get more information about what to do if you think you’ve been a victim of a scam.

Change your passwords. Change your passwords on shopping sites, your email account, bank account, and other online financial institutions. Don’t use the same passwords for each of these accounts.

Get more information about creating strong passwords.

Report scams, fraud, identity theft, or other abuse.

  • If you think you are on a suspicious site, in Internet Explorer click the gear icon and then point to Safety. Then click Report Unsafe Website and use the web page that is displayed to report the website.
  • If you receive a suspicious shopping email message in Hotmail, click the check box next to the message in your Hotmail inbox. Click Mark as and then point to Phishing scam.
  • Report the scam to the website or service, to your local police, and the bank, credit card company, or other financial institution.
  • Report identity theft in the United States to the U.S. Federal Trade Commission (FTC) or call toll free: (877) 438-4338.
  • Report scams or fraud in the United States to the FTC or call toll free: (877) 382-4357.

For more information about how to stay safer when you shop online, see part one and part two in this series.

Think twice before you broadcast holiday plans

November 23rd, 2011 No comments

Your best friend from high school is probably not a cat burglar. But do you know everyone on your friends’ and followers’ lists (or everyone on their lists) on your social networking sites? If not, don’t post information about your holiday travel plans.

More information about social networking safety.

While you’re at it, take a few minutes to adjust the privacy settings on your social networking site and any apps on your smart phone that share your location information.

More information about using location services more safely.

Also, avoid giving vacation details in an automated “out of office” email.

More information about email and web scams.

Categories: Facebook, phishing, scams, social engineering Tags:

MSRT November: Dofoil

November 22nd, 2011 No comments

As previously noted, one of the three families added to the November release of the Microsoft Malicious Software Removal Tool is Win32/Dofoil. TrojanDownloader:Win32/Dofoil is a configurable downloader. Dofoil will attempt to receive control instructions from a remote server. The response contains encrypted configuration data containing download URLs and execution options, as visible in a partially decrypted Dofoil configuration shown below:

Figure 1. Partially decrypted Dofoil configuration

The current generation of Dofoil can be purchased on illicit online marketplaces. Prices are advertised in US dollar equivalent WebMoney values. Depending on the version purchased, the price ranges between 150-250 $US for the main malware component. The cost for plugins ranges from an additional 25-150 $US. One example plugin is a password stealing component which targets many FTP, IM, poker and email clients.

Whilst often seen as an attachment as part of a spam campaign, the MMPC has observed Win32/Dofoil distributed and installed via other mechanisms such as by exploit. In the wild Win32/Dofoil variants are employed to download rogue security software such as Trojan:Win32/FakeSysdef and spam capable malware such as Trojan:Win32/Danmec.L.

Among observed spam campaigns, here is a small selection of spam lures employed during the last two months:

IRS

From: pay.damages@irs.gov
Subject: IRS Notification

Tax notice,

There are arrears reckoned on your account over a period of 2010-2011 year.
You will find all calculations according to your financial debt, enclosed.
You have to sick the debt by the 17 December 2011.

Sincerely,
IRS.

 

————————

iTunes

From: account.sn.5890@itunes.apple.com
Subject: Your iTunes Gift Certificate

Hello,

You have received an Itunes Gift Certificate in the amount of $50
You can find your certificate code in attachment below.

Then you need to open iTunes. Once you verify your account, $50 will be credited to your account.
So you can start buying video, music, games right away.

iTunes Store.

 

————————

Xerox

Subject: Fwd: Scan from a Xerox W. Pro #16389356

Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.

Sent by: Guest
Number of Images: 4
Attachment File Type: ZIP [DOC]

WorkCentre Pro Location: machine location not set
Device Name: RXX135OO6MSX6732224

 

————————
 
German (translated)

From: "Deutsche Post" (service@deutschepost.de)
Subject: Pick up your mail item.

Dear customer,

Unfortunately our courier was unable to deliver a mail item to your address.
Reason: an error in the delivery address.
You can collect your mail item in person from our postal department.
Enclosed you will find a mailing label.
You should have this mailing label printed in order to be able to receive your mail item at the postal department.

Thank you very much!
Deutsche Post AG.

————————

The Malicious Software Removal Tool reported variants of Win32/Dofoil on 13,488 unique machines this month. Forty-seven percent of these machines were running Windows XP, whilst approximately twenty-nine percent were running Windows 7. Looking at the geographic distribution of the machines which reported a Win32/Dofoil detection:

 
Figure 2. Geographic distribution of machines reporting

Whilst most prevalent in the United States, the MMPC observed those attempting to distribute Win32/Dofoil employing localized lures targeting recipients in Germany, France, Italy and Australia.

 
As we begin to wrap up 2011, we give to you another monthly installment of the MSRT to wrap up another malware family.
 
Scott Molenkamp
MMPC Melbourne

 

Categories: MSRT, spam, Win32/Dofoil Tags:

Forefront TMG SP2 at Security Talk Show

November 22nd, 2011 No comments
Categories: Uncategorized Tags:

Easy Money: Program:Win32/Pameseg (part 2)

November 21st, 2011 No comments

In the previous post, we gave an introduction to how file partnership programs work and how they make money off unsuspecting users by charging them for installing software that is actually free. In this post, we’ll walk you through a sample of these “paid archives”. The following “paid archive” simulates the appearance of the Adobe Flash Player 10 installer. Let’s look deeper into this sample and try to figure out what the typical scenario is. We detect this sample as Program:MSIL/Pameseg.G (with SHA1 1929bab927a6e2f6df164dfbf819ce04dd29ad90). It is created by means of the Packer software distributed by the ZipArchive.com file partnership.

Figure 1: The program looks exactly like the legitimate Adobe installer

At this point, the program pretends it’s doing something, although the user may notice that there’s no CPU load while it is unpacking. The program tries to make the user believe that the true Adobe player is being installed. The next installation step is, unexpectedly to the user, the activation dialogue (see Figure 2). This screen looks like a part of the original Adobe installation process, although the legit Adobe installer never asks a user for activation. At no point in the installation of the “paid archive” is the user ever asked to buy the “paid archive”. Instead, the program asks for activation while keeping the look and feel of the real Adobe installer. This is purely a social engineering tactic designed to trick users and keep the monetary aspect of it below the radar.

Figure 2: “Paid archive” activation dialogue

After finishing the unpack simulation, but before unpacking the actual data, the Packer connects to a command server with the query shown in Figure 3:

Figure 3: Query to the command server

The server assigns a session key and returns with the country list available for billing (see Figure 4); that is, where the premium SMS service is supported:

Figure 4: Country list – Russia, Ukraine, Kazakhstan, Belorussia, Slovenia, Uzbekistan, India, Brazil…

The dialog in Figure 2 prompts the user to select the country in which he or she is located. When a country is selected, the server replies with the parameters as in Figure 5: the SMS-aggregator short number (which is country-specific) and a service code.

Figure 5: HTTP dump for the country selection dialogue

It then prompts the user to send an SMS to this number, which is a premium number, and thus causes the user to be charged a premium amount, as we discussed in the previous post. If the user sends the SMS, an “activation code” is sent in reply. As shown in Figure 6, this number has to be entered in the activation password field and then sent to the command server. Figure 7 then shows how the entered activation password is verified by the server.

Figure 6: Activation code input area

Figure 7: HTTP dump for activation code verification dialogue

The server checks if the activation number entered is valid. If an error occurs, the server replies with a “FAIL” status; otherwise it transmits “OK” and optionally sends the unlock password for the embedded archive. The next step is that the Packer performs decompression of the embedded archive and optionally transfers control to its content.

In the end, the user may manage to install a free-to-download program at the cost of an SMS sent at a higher cost than normal. This is more or less the standard scenario for such “paid archives”.

Epilogue:

The websites that distribute “paid archives” are usually profitable businesses. Most of them are located in Russia and former Soviet territories, although they accept payments in many countries. Different affiliate programs offer attractive deals for partners (high “convert rate”), anti-abuse hosting, and rewards for invited Adverts.

Some partnerships directly claim that they perform “cleaning” or “archives auto-update” on a regular basis. This means they offer a service for Adverts who experience a low “convert rate” because their “paid archives” have been detected by antivirus programs. This feature is what these partnerships have in common with pure viral- and exploit-based partnerships, which use a Pay-per-Install affiliate model.

Categories: Uncategorized Tags:

Microsoft Security Essentials beta registration opens

November 18th, 2011 No comments
Today we announce that the Beta for the next version of Microsoft Security Essentials is open for registration.
 
Do you want to try out our latest innovations in protection and performance?
Are you interested in helping to improve Security Essentials?
 
The number of users that can participate in the Beta is limited, so sign up today and we will notify you once the Beta is available for download. We anticipate the Microsoft Security Essentials beta to be available to the general public by the end of the year.
 
New features in the Beta of Microsoft Security Essentials include:
  • Enhanced protection through automatic malware remediation – The Beta will clean high-impact malware infections automatically, with no required user interaction.
  • Enhanced performance – The Beta includes many performance improvements to make sure your PC performance isn’t negatively impacted.
  • Simplified UI – Simplified UI makes Microsoft Security Essentials Beta easier to use.
  • New and improved protection engine – The updated engine offers enhanced detection and cleanup capabilities.

The Security Essentials team

Categories: beta, Microsoft Security Essentials Tags:

Stay safer when you shop online (part 2 of 3)

November 18th, 2011 No comments

Last week we gave you three tips to help protect yourself when you shop online. Here are three more tips to help keep cybercriminals from ruining your holiday.

Never make online financial transactions on a public or shared computer. Public computers in libraries, internet cafés and copy shops are convenient, but not always safe. It’s fine to use them to browse for gifts, but make sure you use a secure computer whenever you enter your credit card information.

More information about using a public computer.

Give only enough information to make the purchase. Be wary if a merchant asks for additional information like bank account information, social security number, or other personal information. You could be on a fraudulent site.

More information about email and web scams.

Protect your credit card online. You don’t have to limit your shopping to the most popular retailers to stay safe online. You can use a third-party payment service like PayPal to shield your credit card number from online merchants.

More information about third-party payment services.

How do you protect yourself when you shop online? Let us know in the comment section below.

Keep your Facebook friends close and your antivirus closer

November 17th, 2011 No comments

Facebook malware attacks are not new. Scams spreading via status updates have been around for a long time, but in recent weeks one threat has been getting creative in terms of social engineering. Backdoor:Win32/Caphaw.A can intercept URL requests in both Firefox and Internet Explorer and it has been observed to post very personable updates on friends’ walls in Facebook, gaining access if the user is logged in.

Facebook friend post

The message links to a video posted on a Youtube-like website, which suggests that the user update the browser with a bogus ActiveX object. The malware’s authors also went one step further in making sure the video landing page looks as legitimate as possible:

Fake youtube site

This download is actually Backdoor:Win32/Caphaw.A, a sophisticated firewall-bypassing backdoor armed with almost everything. It installs an FTP server, a proxy server, and a keylogger on the computer. It also has built-in remote desktop functionality based on the open source VNC project. We received a report that a user found this on his computer and also discovered that money had been transferred from his bank account by an unknown party. The keylogging component, coupled with the remote desktop functionality, makes it entirely possible for this to have happened.

The backdoor “calls home” to domains such as commonworld<removed>.cc or web<removed>es.cc to get the data that it posts on the friends’ Facebook walls. Its main module, in the meantime, is hosted on <removed>youtube.com.

Facebook friend wall post

The good thing to do when spotting such fishy wall posts is to warn your friends whose accounts have been compromised. You can mark the message as spam to help prevent others from downloading the backdoor; Facebook is quite diligent about filtering these posts once they have been reported.

The presence of this threat on your computer threatens your whole online identity, so we recommend that you change the passwords to all of your sensitive accounts – email, online shopping, and online banking, for example. And while you’re at it, remind your affected friends to change their Facebook passwords, too. Finally, scan your machine with an up-to-date antivirus solution to remove this malware from your computer.

Here are some SHA1s of files detected by our products as Backdoor:Win32/Caphaw.A:

  • c10ad13419ea44ba85cd8e83e2cd7ac8313e91de
  • 54d9f40156cc4a2561252f8ad30b4afdcc5e93b4
  • ebbd8790eab8a9822a80c2afaa575a4b2c2f3b55

— Mihai Calota, MMPC

Use ISA/TMG to distribute your custom WPAD configuration file

November 16th, 2011 No comments

In ISA 2006 SP1 and TMG RTM it's possible to configure ISA/TMG to distribute
your own custom WPAD configuration file. This can be quite handy if you have
already written your own WPAD configuration file and have been distributing it
from a separate server, or if you want to use the WPAD configuration file that
ISA/TMG generates as a baseline for some changes, e.g. to configure your clients
to connect to the NLB IP instead of using the client CARP mechanism that
ISA/TMG uses by design.

To configure ISA/TMG to use your custom WPAD configuration file, you need to
follow these steps:

1. Please download the compressed file from http://www.isatools.org/tools/KB953293.zip
(Thanks Jim!)

2. Copy and unzip the file on your ISA/TMG server.

3. Copy the WPAD configuration file you want to distribute with your ISA/TMG
server to the ISA/TMG local hard drive.

4. Before you import the WPAD configuration file into your ISA/TMG
configuration, make sure that there are no non-ASCII characters in the file,
because the import process will not import the complete file if any non-ASCII
characters are present.

Note: if you use a WPAD configuration file that was distributed by ISA 2006,
the file will most likely contain non-ASCII characters at the end of the file.
To remove those characters you have to delete this part:

function HashString(str, h){
  for(var i=0; i<str.length; i++){
    var c = str.charAt(i);
    if(c == ':' || c == '/') break;
    c = CharToAscii(c.toLowerCase());
    h = (h >>> 4) ^ h_tbl[(h ^ c) & 15];
    h = (h >>> 4) ^ h_tbl[(h ^ (c>>>4)) & 15];
    h = MakeInt(h);
  }
  return h;
}

and replace this part with those lines:

function HashString(str, h){
  var hashstr = str.toLowerCase();
  for(var i=0; i< hashstr.length; i++){
    var c = hashstr.charAt(i);
    if(c == ':' || c == '/') break;
    c = hashstr.charCodeAt(i);
    h = (h >>> 4) ^ h_tbl[(h ^ c) & 15];
    h = (h >>> 4) ^ h_tbl[(h ^ (c>>>4)) & 15];
    h = MakeInt(h);
  }
  return h;
}

afterwards you have to delete this line:

var Chars = " !\"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~€???????????Ž????????????ž? ¡¢£¤¥¦§¨©ª«¬¬®¯°±²³´µ¶•¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþ";
function CharToAscii(c){ return Chars.indexOf(c) + 32; }

5. After you have prepared your WPAD configuration file, use the attached script
to import the file into the ISA/TMG configuration, e.g. by executing this
command (to operate on the current array, use '.' as the array name or omit
the /array option):

cscript kb953293.wsf /array:. /net:internal /script:<FullPathToScript>

For a full list of options please refer to the readme.txt provided in the ZIP
file.
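The two checks behind steps 4 and 5, as an added example that is not part of the original post or of the KB953293 tool: a scanner that reports the line and column of every non-ASCII character in a WPAD file before you hand it to kb953293.wsf, and a side-by-side run of the original CharToAscii-based HashString against the charCodeAt-based replacement, confirming that both produce the same CARP hash for printable ASCII host names (which is why the replacement is safe). The h_tbl values and MakeInt are stand-ins constructed for this example (a standard half-byte CRC-32 table and an unsigned 32-bit conversion); the real ones come from the script ISA/TMG generates, and the sample PAC text is constructed. Run it with Node.js, optionally passing the path of a WPAD file:

```javascript
// Added example, not code from the original post or from the KB953293 tool.
// Part 1: locate non-ASCII characters that make the ISA/TMG import truncate the file.
// Part 2: show that the charCodeAt-based HashString gives the same CARP hash as the
// CharToAscii-based original for printable ASCII host names.

// Returns every character outside 0x00-0x7F with its line and column.
function findNonAscii(text) {
  const hits = [];
  let line = 1;
  let column = 0;
  for (const ch of text) {
    column += 1;
    if (ch === "\n") {
      line += 1;
      column = 0;
      continue;
    }
    const codePoint = ch.codePointAt(0);
    if (codePoint > 0x7f) hits.push({ line, column, codePoint });
  }
  return hits;
}

// One report line per hit; an empty list means the file is safe to import.
function describeHits(hits) {
  return hits.map((h) =>
    `non-ASCII U+${h.codePoint.toString(16).toUpperCase().padStart(4, "0")} at line ${h.line}, column ${h.column}`);
}

// Assumption (constructed for this example, not from the ISA/TMG script): a standard
// half-byte CRC-32 table stands in for h_tbl and MakeInt is a plain conversion to an
// unsigned 32-bit integer. Both hash versions share them, so the comparison below
// does not depend on the real values.
const h_tbl = [
  0x00000000, 0x1db71064, 0x3b6e20c8, 0x26d930ac,
  0x76dc4190, 0x6b6b51f4, 0x4db26158, 0x5005713c,
  0xedb88320, 0xf00f9344, 0xd6d6a3e8, 0xcb61b38c,
  0x9b64c2b0, 0x86d3d2d4, 0xa00ae278, 0xbdbdf21c,
];
function MakeInt(h) {
  return h >>> 0;
}

// The original lookup table with only its printable ASCII part: index + 32 is the
// character code, which is exactly what charCodeAt returns for these characters.
const Chars =
  " !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~";
function CharToAscii(c) {
  return Chars.indexOf(c) + 32;
}

// HashString as generated by ISA 2006: goes through CharToAscii.
function HashStringOriginal(str, h) {
  for (let i = 0; i < str.length; i++) {
    let c = str.charAt(i);
    if (c === ":" || c === "/") break;
    c = CharToAscii(c.toLowerCase());
    h = (h >>> 4) ^ h_tbl[(h ^ c) & 15];
    h = (h >>> 4) ^ h_tbl[(h ^ (c >>> 4)) & 15];
    h = MakeInt(h);
  }
  return h;
}

// HashString as the post rewrites it: charCodeAt, no Chars table required.
function HashStringReplacement(str, h) {
  const hashstr = str.toLowerCase();
  for (let i = 0; i < hashstr.length; i++) {
    let c = hashstr.charAt(i);
    if (c === ":" || c === "/") break;
    c = hashstr.charCodeAt(i);
    h = (h >>> 4) ^ h_tbl[(h ^ c) & 15];
    h = (h >>> 4) ^ h_tbl[(h ^ (c >>> 4)) & 15];
    h = MakeInt(h);
  }
  return h;
}

// True when both versions produce the same hash for the given string.
function hashesAgree(str) {
  return HashStringOriginal(str, 0) === HashStringReplacement(str, 0);
}

// Constructed sample PAC text ending with the kind of non-ASCII characters an
// ISA 2006 export leaves behind (two of them, in the last line).
const SAMPLE_PAC =
  'function FindProxyForURL(url, host) {\n' +
  '  if (isPlainHostName(host)) return "DIRECT";\n' +
  '  return "PROXY tmg.contoso.example:8080";\n' +
  "}\n" +
  'var Chars = " !\\"#$%\u20ac\u00ff";\n';

// Scan the file named on the command line (read as latin1 so every byte above 0x7F
// shows up as exactly one non-ASCII character), otherwise scan the sample.
let text = SAMPLE_PAC;
if (typeof require === "function" && typeof process !== "undefined" && process.argv[2]) {
  text = require("fs").readFileSync(process.argv[2], "latin1");
}
const report = describeHits(findNonAscii(text));
console.log(report.length ? report.join("\n") : "OK: file is pure ASCII");
console.log("hash versions agree for www.contoso.example:", hashesAgree("www.contoso.example"));
```

If the scanner reports anything, delete the reported characters (in an ISA 2006 export that is the tail of the Chars string) rather than re-saving the file in another encoding, since a UTF-8 BOM or re-encoded bytes would be reported just the same. Keep in mind that whatever you import is script that every proxy client will execute, so the edited file deserves the same review as any other code you ship to workstations.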

Remark: Please be aware that any changes you make in the ISA/TMG UI will not
be applied to the WPAD configuration file once you have submitted the custom
WPAD configuration file to your configuration. If you want to apply changes to
your WPAD configuration file after you have imported it, you have to edit the
WPAD file manually and reimport it using the script again.

If you want to stop using your custom WPAD configuration file and go back to
using the ISA/TMG-generated script, you have to execute the following command:

cscript kb953293.wsf /array:arrayname /net:internal /del

Hope that helps!

Author

Philipp Sand
Microsoft CSS Forefront Security Edge Team

Technical Reviewer

Frank Heilmann
Microsoft CSS Forefront Security Edge Team

Categories: wpad Tags:

Tips to help you stay safer when you shop online (part 1 of 3)

November 15th, 2011 No comments

Whether you start your holiday shopping on Black Friday, Cyber Monday, or right now, here are three tips to help you avoid scams and fraudulent websites when you buy gifts online.

This is part one in a three part series. Read part two and part three. And if we missed something, let us know in our comments section below.

Use an updated web browser. Check your browser to see if it provides the protection you need. Internet Explorer 9  is the newest version of the Microsoft web browser. It helps protect you when you shop online. Download Internet Explorer 9 now.

More information about Internet Explorer 9.

Use a secure website. When you enter your credit card, look for signs that the webpage is secure—a web address with https and a closed padlock beside it are good indications that the webpage is secure.

More information about secure websites.

Choose strong passwords. If you store your information at an online shopping site, make sure to choose a strong password that uses eight or more characters.

More information about strong passwords.

Get more tips on how to shop online more safely.

SSO to SharePoint 2010 through UAG when using two authentication schemas

November 15th, 2011 No comments

Hi everyone, this is Dror from the Forefront UAG product group.

One of our customers ran into an issue with their SharePoint deployment and we thought it is worth sharing with you all the ways that UAG can be leveraged.

Let’s assume a topology like this one:


In this case, two different categories of users gain access to the SharePoint farm via UAG: internal users (while outside of the company network), and partner users. Windows Integrated authentication is used in SharePoint for internal users, while form-based authentication is used for partner users. However, the SharePoint URL is the same for both types of users. As such, we have a case where SharePoint 2010 is configured with two authentication schemes for the same Intranet Zone.


Normally, in SharePoint 2010 in a scenario where you configure more than one authentication per zone, users are presented with a form where they need to choose which authentication method to use:


Till now everything is cool…

Most customers wish to have a single sign-on (SSO) experience for their users. That means that once users are logged in to UAG, they will not be prompted for credentials again. This is the SSO functionality that UAG offers. The question we faced in this specific case was: how can we achieve the same end-user experience of no additional prompts to the end-user, in this case where the “Multi-authentication selection” page is required by SharePoint?

There are two ways to handle this “Multi-authentication selection” page:

1. Auto-submit the page with a pre-defined selection – The UAG administrator chooses the option by applying a custom setting. When UAG receives the page sent by the SharePoint server, and before it forwards the page to the client browser, UAG injects code into the “Multi-authentication selection” page so that, as soon as the page is displayed in the user’s browser, it is automatically submitted with the predefined option, either Windows Authentication or Forms Authentication, without any end-user interaction.

Here is a sample of this customization, using a custom AppWrap file, which shows the steps. Note that this example cannot be used ‘as is’ since all the values in the SEARCH and REPLACE fields need to be BASE64-encoded.

<APP_WRAP ver="3.0" id="RemoteAccess_HTTPS.xml">
  <MANIPULATION>
    <MANIPULATION_PER_APPLICATION>
      <APPLICATION_TYPE>SharePoint14AAM</APPLICATION_TYPE>
      <DATA_CHANGE>
        <URL case_sensitive="false">.*/_login/default\.aspx.*</URL>
        <SAR>
          <SEARCH encoding="base64"><option selected="selected" value="none"></option></SEARCH>
          <REPLACE encoding="base64"><option selected="selected" value="Forms">Forms Authentication</option></REPLACE>
        </SAR>
        <SAR>
          <SEARCH encoding="base64"></body></SEARCH>
          <REPLACE encoding="base64">
<SCRIPT language="JavaScript">
function FormLoginSubmit()
{
  var o = document.getElementById('ctl00_PlaceHolderMain_ClaimsLogonSelector');
  var evt = document.createEventObject();
  o.fireEvent('onchange', evt);
  o = null;
}
</SCRIPT>
<SCRIPT language="JavaScript">
var gSafeOnload = new Array();
function FormLoginOnload()
{
  for (var i = 0; i < gSafeOnload.length; i++)
  {
    gSafeOnload[i]();
  }
}
if (window.onload) {
  gSafeOnload[0] = window.onload;
  gSafeOnload[gSafeOnload.length] = FormLoginSubmit;
  window.onload = FormLoginOnload;
}
else
{
  window.onload = FormLoginSubmit;
}
</SCRIPT>
</body></REPLACE>
        </SAR>
      </DATA_CHANGE>
    </MANIPULATION_PER_APPLICATION>
  </MANIPULATION>
</APP_WRAP>

2. Auto-submit the page with a selection based on a session (user) parameter – This is an extension of the first method. Here the choice between Windows and Forms authentication is not fixed for all UAG sessions; it is set dynamically per session. The UAG administrator sets a parameter to one of two values, which UAG later uses to decide which authentication method to submit in the “Multi-authentication selection” form. The parameter is stored in the context of the UAG session and is set through the UAG customization mechanism; UAG then acts on it through the conditional AppWrap mechanism.

In the example below, the Contoso administrator uses a custom ValidateSuccess.inc file to insert a parameter named AuthenticationMethodVar into the UAG session. The VBScript checks whether the logged-on user (the LeadUser session value) belongs to the Contoso domain. If so, AuthenticationMethodVar is set to WINDOWS; otherwise it is set to FORM. The custom AppWrap file then uses this value to decide which authentication method is selected.

<%
' Custom ValidateSuccess.inc: store a session parameter that the AppWrap
' file reads to choose the authentication method. LeadUser is checked for
' the domain\user prefix of the Contoso domain (case-insensitively, since
' domain names are not case-sensitive); adjust the test if your users
' log on with a UPN instead.
MyUserDomain = "contoso\"

if LCase(Left(Session("LeadUser"), Len(MyUserDomain))) = MyUserDomain then
    ' Internal user: select Windows Integrated authentication
    SetSessionParam g_cookie, "AuthenticationMethodVar", "WINDOWS"
else
    ' Partner (external) user: select Forms authentication
    SetSessionParam g_cookie, "AuthenticationMethodVar", "FORM"
end if
%>

Here is a sample of this customization using a custom AppWrap file. As before, this example cannot be used as is: the contents of the SEARCH and REPLACE elements must be Base64-encoded and are shown here in clear text for readability.

<APP_WRAP ver="3.0" id="RemoteAccess_HTTPS.xml">
  <MANIPULATION>
    <MANIPULATION_PER_APPLICATION>
      <APPLICATION_TYPE>SharePoint14AAM</APPLICATION_TYPE>
      <DATA_CHANGE>
        <URL case_sensitive="false">.*/_login/default\.aspx.*</URL>
        <!-- Only one of the two conditional SARs applies, depending on the session parameter -->
        <SAR conditional_variable="AuthenticationMethodVar" conditional_var_value="WINDOWS">
          <SEARCH encoding="base64"><option selected="selected" value="none"></option></SEARCH>
          <REPLACE encoding="base64"><option selected="selected" value="Windows">Internal User</option></REPLACE>
        </SAR>
        <SAR conditional_variable="AuthenticationMethodVar" conditional_var_value="FORM">
          <SEARCH encoding="base64"><option selected="selected" value="none"></option></SEARCH>
          <REPLACE encoding="base64"><option selected="selected" value="Forms">Partner User</option></REPLACE>
        </SAR>
        <!-- Append a script that fires the selector's onchange handler on load, which submits the page -->
        <SAR>
          <SEARCH encoding="base64"></body></SEARCH>
          <REPLACE encoding="base64">
<SCRIPT language="JavaScript">
function FormLoginSubmit()
{
    // The SharePoint selector submits the page from its onchange handler,
    // so firing that event with the option already selected submits the form.
    var o = document.getElementById('ctl00_PlaceHolderMain_ClaimsLogonSelector');
    if (document.createEventObject) {
        // Internet Explorer event model (the original sample)
        var evt = document.createEventObject();
        o.fireEvent('onchange', evt);
    } else {
        // W3C DOM event model for other browsers
        var evt = document.createEvent('HTMLEvents');
        evt.initEvent('change', true, false);
        o.dispatchEvent(evt);
    }
    o = null;
}
</SCRIPT>
<SCRIPT language="JavaScript">
// Chain FormLoginSubmit after any onload handler the page has already set.
var gSafeOnload = new Array();
function FormLoginOnload()
{
    for (var i = 0; i < gSafeOnload.length; i++)
    {
        gSafeOnload[i]();
    }
}
if (window.onload) {
    gSafeOnload[0] = window.onload;
    gSafeOnload[gSafeOnload.length] = FormLoginSubmit;
    window.onload = FormLoginOnload;
}
else
{
    window.onload = FormLoginSubmit;
}
</SCRIPT>
</body></REPLACE>
        </SAR>
      </DATA_CHANGE>
    </MANIPULATION_PER_APPLICATION>
  </MANIPULATION>
</APP_WRAP>
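Both AppWrap samples above are written with clear-text SEARCH and REPLACE bodies, which UAG will not accept. The script below is an added example, not UAG's own tooling, that produces the deployable form by Base64-encoding every body marked encoding="base64", and that reverses the conversion so an AppWrap file already on a UAG server can be reviewed in clear text. It works on the raw text rather than through an XML parser, because the clear-text bodies contain unbalanced HTML such as </body> and would not parse. It assumes the bodies are UTF-8 before encoding; confirm the expected text encoding against the AppWrap documentation for your UAG version.

```python
"""Base64-encode (or decode) the SEARCH/REPLACE bodies of a UAG AppWrap file.

Added example, not UAG's own tooling. Assumption: element bodies are encoded
as UTF-8 before Base64; check this against the AppWrap documentation.
"""
import base64
import re
import sys

# Opening tag of a SEARCH or REPLACE element marked encoding="base64" (either
# quote style), its body (non-greedy, may span lines), and the matching close.
_BODY_RE = re.compile(
    r'(<(SEARCH|REPLACE)\s+encoding=["\']base64["\']\s*>)(.*?)(</\2>)',
    re.DOTALL,
)


def encode_appwrap(text: str) -> str:
    """Replace every clear-text SEARCH/REPLACE body with its Base64 form.

    Whitespace immediately inside the element is layout from the sample, not
    part of the HTML UAG should match or inject, so it is stripped first.
    """
    def _enc(m):
        body = m.group(3).strip()
        encoded = base64.b64encode(body.encode('utf-8')).decode('ascii')
        return m.group(1) + encoded + m.group(4)

    return _BODY_RE.sub(_enc, text)


def decode_appwrap(text: str) -> str:
    """Inverse of encode_appwrap: show the clear text of an encoded file."""
    def _dec(m):
        raw = ''.join(m.group(3).split())          # tolerate wrapped Base64
        body = base64.b64decode(raw, validate=True).decode('utf-8')
        return m.group(1) + body + m.group(4)

    return _BODY_RE.sub(_dec, text)


# Constructed fragment in the shape of the samples above (not a real file).
SAMPLE = '''<SAR>
<SEARCH encoding="base64"></body></SEARCH>
<REPLACE encoding="base64">
<SCRIPT language="JavaScript">window.onload = FormLoginSubmit;</SCRIPT>
</body></REPLACE>
</SAR>'''


if __name__ == '__main__':
    # Usage: python appwrap_b64.py [-d] [file]; with no file, converts SAMPLE.
    args = [a for a in sys.argv[1:] if a != '-d']
    src = open(args[0], encoding='utf-8').read() if args else SAMPLE
    sys.stdout.write(decode_appwrap(src) if '-d' in sys.argv else encode_appwrap(src))
```

Run the encoder over the clear-text file, review the output with the -d switch to confirm the bodies round-trip, and only then copy the encoded file into the UAG CustomUpdate folder for the trunk.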

Once this form is submitted, the flow continues according to the selection sent back by the client browser (remember that the end user never sees or interacts with the form; the selection is made on the user’s behalf according to the option the UAG administrator configured with one of the two methods above). For Windows Integrated authentication, the SharePoint server returns an HTTP 401 response, which UAG answers on behalf of the user. For FBA, the SharePoint server returns its logon form, which UAG handles the way it handles SSO to any backend web site that uses FBA: UAG injects content into the form before sending it to the browser, the browser renders the page and, because of the injected code, immediately submits it back without user interaction, and SSO is complete.

Note that for either option to work, the authentication for the SharePoint application must be configured in the UAG Management console to Use SSO for Both, so that UAG is prepared to handle both an HTTP 401 response and the SharePoint server’s HTML logon form.


Author:

Dror Melovany, Software Development Engineer, Microsoft Forefront UAG

Categories: Sharepoint Publishing Tags:

MS11-037 – Important : Vulnerability in MHTML Could Allow Information Disclosure (2544893) – Version: 2.1

Severity Rating: Important
Revision Note: V2.1 (November 15, 2011): Corrected the install verification registry keys, update log file name, and removal information for Windows XP and Windows Server 2003. This is an informational change only.
Summary: This security update resolves a publicly disclosed vulnerability in the MHTML protocol handler in Microsoft Windows. The vulnerability could allow information disclosure if a user opens a specially crafted URL from an attacker’s web site. An attacker would have to convince the user to visit the web site, typically by getting them to follow a link in an e-mail message or Instant Messenger message.

Categories: Uncategorized Tags:

Easy Money: Program:Win32/Pameseg (part one)

November 14th, 2011 No comments

Many people today believe they can become wealthy with little effort, without leaving the house or interrupting their favorite computer games, forums and social networks. This kind of opportunity is widely marketed by companies that provide paid digital content services. You may have seen online advertising banners such as:

Make a million bucks without picking your backside off the chair! Vasya Pupkin earned 2000 a day practically doing nothing and it’s not the end, you can do more! Earnings over the Internet – what could be easier?!

In most cases the offer is to take part in a multi-level marketing or affiliate program scheme as an “Advert” (affiliate partner). Affiliate program schemes are usually run by entities that own paid services such as online dating, adult content or paid archives. Let’s look more closely at paid archives, since they appear to be the most profitable while staying nominally legitimate and practically beyond the reach of the law. This is the first post in a series on the affiliate program scheme.

An affiliate program scheme has two parties: the affiliate partner, called an Advert, and the service owner who recruits the Advert. The Advert does all the dirty work, which relieves the service owner of legal responsibility. Adverts install, at the prompting of the service owner, a purpose-built program called the Packer on their computers. With it, Adverts create “paid archives” of arbitrary content (although the content has to follow the affiliate program rules). In every case the service owner disclaims responsibility for the content the Adverts create. The owner only provides the Packer, hosting, landing pages with descriptions and download links, and the financial side: billing and distribution of the funds received from users.

Figure 1: The relationship between an Advert and the service owner

If the Advert does not want to create their own content, the Packer provides templates: standard dialogs, images, icons and so on, some of which closely resemble the installers of well-known software. The Advert only has to choose a template and point the Packer at the files to include in the installation, and the paid archive is ready. The Packer compresses the source files into a password-protected 7-Zip archive (the password is generated and stored on a server run by the service owner), then embeds that archive in the output executable, so that a user who runs the file is asked for a password or unlock code. All the samples we have seen use 7-Zip as the archiver, because it is open source.

Figure 2: Templates to create “paid archives” – the Flash Player bundled into the archive (1929bab927a6e2f6df164dfbf819ce04dd29ad90) is detected as Program:MSIL/Pameseg.G
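Because the Packer embeds the password-protected 7-Zip archive inside the installer executable, a quick triage step for a suspected paid archive is to locate that container and carve it out. The script below is an added example, not Microsoft’s detection logic: it scans a file for the 7z signature, validates the 32-byte start header (whose CRC covers the 20 bytes after it, so a stray signature followed by garbage is rejected), computes the container’s extent from the next-header fields and carves it for inspection. The sample blob is constructed here and is not a real Pameseg file.

```python
"""Find and carve a 7-Zip container embedded in another file.

Added triage example, not Microsoft's detection logic. The sample blob is
constructed below and stands in for a Pameseg-style wrapped installer.
"""
import struct
import zlib
from typing import Dict, List, Optional

SEVENZ_MAGIC = b'7z\xbc\xaf\x27\x1c'
# magic(6) version(2) StartHeaderCRC(4) NextHeaderOffset(8) NextHeaderSize(8) NextHeaderCRC(4)
START_HEADER_LEN = 32


def parse_start_header(buf: bytes, off: int) -> Optional[Dict]:
    """Parse the 7z start header at buf[off:]; None if magic or CRC fail."""
    hdr = buf[off:off + START_HEADER_LEN]
    if len(hdr) < START_HEADER_LEN or not hdr.startswith(SEVENZ_MAGIC):
        return None
    major, minor, start_crc = struct.unpack_from('<BBI', hdr, 6)
    # StartHeaderCRC is CRC32 over the three fields that follow it.
    if zlib.crc32(hdr[12:32]) != start_crc:
        return None
    next_off, next_size, next_crc = struct.unpack_from('<QQI', hdr, 12)
    return {
        'version': (major, minor),
        'next_header_offset': next_off,  # relative to the end of the start header
        'next_header_size': next_size,
        'next_header_crc': next_crc,
    }


def find_embedded_7z(buf: bytes) -> List[Dict]:
    """Return every validated 7z container in buf with its offset and size.

    A container spans start header + packed streams + next header; the packed
    streams (where the password-protected content lives) sit between the
    start header and the next header.
    """
    found = []
    pos = buf.find(SEVENZ_MAGIC)
    while pos != -1:
        h = parse_start_header(buf, pos)
        if h is not None:
            nh_start = pos + START_HEADER_LEN + h['next_header_offset']
            end = nh_start + h['next_header_size']
            if end <= len(buf):  # a container cut off by truncation is skipped
                h['offset'] = pos
                h['size'] = end - pos
                h['next_header_crc_ok'] = zlib.crc32(buf[nh_start:end]) == h['next_header_crc']
                found.append(h)
        pos = buf.find(SEVENZ_MAGIC, pos + 1)
    return found


def carve(buf: bytes, entry: Dict) -> bytes:
    """Return the bytes of one container found by find_embedded_7z."""
    return buf[entry['offset']:entry['offset'] + entry['size']]


def build_sample_blob() -> bytes:
    """Constructed stand-in for a wrapped installer: an MZ-like stub, a 7z
    container with made-up packed streams and next header, and an overlay."""
    packed = b'\x00' * 40            # stands in for the packed/encrypted streams
    next_header = bytes(range(16))   # opaque stand-in for the 7z property header
    tail = struct.pack('<QQI', len(packed), len(next_header), zlib.crc32(next_header))
    start = SEVENZ_MAGIC + bytes([0, 4]) + struct.pack('<I', zlib.crc32(tail)) + tail
    return b'MZ' + b'\x90' * 200 + b'INSTALLER STUB' + start + packed + next_header + b'OVERLAY'


if __name__ == '__main__':
    import sys
    data = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else build_sample_blob()
    for i, e in enumerate(find_embedded_7z(data)):
        out = f'carved_{i}.7z'
        with open(out, 'wb') as f:
            f.write(carve(data, e))
        print(f"7z at offset {e['offset']}, {e['size']} bytes, "
              f"next header CRC {'ok' if e['next_header_crc_ok'] else 'BAD'} -> {out}")
```

Once carved, `7z l -slt carved_0.7z` lists the entries; password-protected entries show Encrypted = +, and an archive packed with header encryption prompts for the password before listing anything, which is exactly the behaviour the user sees when the installer demands the unlock code.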

So far, this sounds pretty straightforward – an entity recruits people to create content for them.

But this is where it gets tricky: the service owners usually suggest that the Adverts create archives of content that is either distributed free of charge or not protected by copyright. Let’s take Skype as an example. Here is a “paid archive” with an embedded Russian-language Skype installer.

Figure 3: Skype installation when bundled into a “paid archive” – the archive (0d31ff577cb45d765f2fae3df51f8b1a4ba95dcf) is detected as Program:MSIL/Pameseg.G

This “paid archive” copies the appearance of the Skype installer, although it is not digitally signed. At some point in the installation the program asks the user to send an SMS to a number which, unbeknownst to the user, is a premium-rate number, so the user is charged. In other instances the program asks for the user’s mobile phone number in order to “receive an SMS free of charge”. When the user enters the number, an SMS arrives asking for the user’s age or some other piece of information, supposedly as “confirmation”.

Again, the user is charged for replying to a premium-rate number. The charge is usually between 5 and 20 USD (after currency conversion), depending on the “price category” chosen by the author of the archive. The user then receives an SMS containing the archive password and can continue installing what is otherwise a free program.

This is direct fraud: users are tricked into paying for a service they do not need. They could simply go to the official web site and download the installer from there, instead of paying for a so-called “file sharing service” (as the EULA calls it). The money paid via the premium SMS does not go to the legitimate owner or copyright holder of the program; it goes to the service owners and the Adverts, neither of whom has any right to profit from it. We detect these paid archives as potentially unwanted software – Program:Win32/Pameseg and Program:MSIL/Pameseg.

Coming up in part 2 of this series: an example of how the “paid archive” scheme works.

Categories: malware research Tags: