Archive for January, 2012

Don’t be fooled by fake Halo 4 beta sites

January 31st, 2012

Microsoft’s Halo 4 Xbox video game won’t be released until December 2012, but some scammers are already launching fake Halo 4 beta websites designed to trick you into giving away your personal information or installing malicious software.

Don’t be fooled.

Get tips on how to report, recognize, and avoid scams.

Blank User Activity Report if domain or username contains accented characters

January 30th, 2012

Administrators creating a User Activity Report for users whose domain or user name contains characters that are not part of the English alphabet may not see any activity for these users. The report is generated, but it contains only the report headers and no data.

Please find an example from my test environment below:

[screenshot]

Result:

[screenshot]

This problem occurs because of a character conversion problem during the generation of the report.

Fortunately, this conversion behavior can be controlled by setting the following registry value on the TMG Report Server:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAT\Stingray\Debug\COM
Value name: USE_ACP_FOR_FILTER
Type: DWORD
Data: 1
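The same registry change applied from an elevated PowerShell prompt on the TMG Report Server, as an added example (not part of the original post). It creates the key if it is missing and leaves the value alone if the fix is already in place, so it is safe to re-run; the path and value name are the ones given above.

```powershell
# Added example (not from the original post): apply the USE_ACP_FOR_FILTER value
# on the TMG Report Server idempotently. Run from an elevated PowerShell prompt.
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\RAT\Stingray\Debug\COM'
$valueName = 'USE_ACP_FOR_FILTER'

if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null      # -Force also creates missing parent keys
}

# Read the current value (null when the value does not exist yet).
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName

if ($current -eq 1) {
    Write-Host "$valueName is already 1; no change made."
} else {
    # REG_DWORD = 1 switches the character conversion used while the report is generated.
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
    $was = if ($null -eq $current) { 'not present' } else { $current }
    Write-Host "$valueName set to 1 (previous value: $was). Reboot before regenerating the report."
}
```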

After a reboot, let's generate the report for the same user again.

Now the report looks better:

[screenshot]

Author:

Arpad Gulyas

Microsoft CSS Forefront Security Edge Team

Technical Reviewer:

Lars Bentzen

Sr. Escalation Engineer

Microsoft CSS Forefront Security Edge Team


When imitation isn’t a form of flattery

January 30th, 2012

When I was at school (many, many years ago…) a teacher once told me that if someone copies you, it’s a sign of flattery. Well, right now there are numerous “companies” copying us, but we are far from flattered.

 

For some time now, rogue security programs have been trying their hardest to look just like Microsoft security products. I suppose they figure that the more they look like us, the more likely unsuspecting users are to hand over their hard earned cash to have their computers “cleaned” by these imposters.

 

Lately, we have seen a resurgence in rogue activity (one particularly obnoxious threat going by the name Security Defender – aka Win32/Defmid – has been making the rounds of late); rogue security programs attempt to trick users into paying for fake antivirus software, when Microsoft consumer products, namely Microsoft Security Essentials, Safety Scanner and Windows Defender are available to all genuine Windows users at no cost. This in turn causes affected users to voice their concerns and dissatisfaction through a number of Microsoft customer feedback channels, often after being tricked into paying for the bogus antivirus to remove threats that were more than likely never present on their computer. Below are some images of imitation scans and messages displayed by rogues:

 

Figure 1: ‘Scan results’ displayed by a Win32/FakeRean variant, Privacy Protection

 

Figure 2: ‘Windows Security Center’ message displayed by a Win32/FakeRean variant

 

Figure 3: ‘Scanner’ displayed by a Win32/FakeVimes variant

 

Figure 4: ‘Scan results’ displayed by a Win32/FakeVimes variant

 

Figure 5: ‘Security settings options’ displayed by a Win32/FakeVimes variant

 

In addition to an increase in the number of people being affected by rogues, there seems to be an increase in users receiving calls, allegedly from Microsoft support, about their “infected” computers (which Microsoft has blogged about before). To set the record straight, Microsoft would never call a user to tell them that their computer was infected.

 

So, allow me to clarify a few things:

  • Our consumer products, namely Microsoft Security Essentials, Safety Scanner and Windows Defender are available to all genuine Windows users for free. That’s right – we offer these products at no cost! So please, do not enter your credit card details into a program that looks like one of ours, as this is most likely a rogue.
  • We do not pop up on your screen every 30 seconds, minute, 90 seconds, etc. Rogues, however, will pester you and pester you until you either a) click OK and concede to buy their malicious program, or b) remove them once and for all with a reputable antivirus.
  • Microsoft will never cold-call a user. Ever. If you receive one of these phone calls, hang up.

 

We will continue to fight the good fight, and do what we can to prevent the spread of malicious programs; but in the meantime, stay safe online, and think twice before handing over your credit card details to a third party you cannot verify – like one displaying pop-ups, or on the end of an unsolicited phone call.

 

Jasmine Sesso
MMPC Melbourne


Decommissioning an Old Certification Authority without affecting Previously Issued Certificates and then Switching Operations to a New One

January 27th, 2012

Jonathan Stephens posted an excellent blog post about this topic; however, it didn't include the steps. As a result, I decided to write this post detailing the steps required. The following assumptions have to be met before proceeding with these steps:

1- There is a new valid Certification Authority configured

2- There is a new distribution point configured for AIA and CDP locations named http://crl.contoso.com/CertData

Steps:

1- Logon to the old Enterprise Certification Authority as an Enterprise Administrator.

2- Identify the AIA and CDP distribution points

  a. Open the Certification Authority Console
  b. Right click the Certification Authority name and click Properties
  c. Click the “Extensions” tab
  d. Document the distribution points configured for CRL Distribution Point (CDP); for example http://<ServerDNSName>/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl, which refers to the local IIS installed on the server, or http://pki.contoso.com/Certenroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl

Note: Ignore the LDAP and C:\%windir% locations

  e. In the “Extensions” tab, select Authority Information Access (AIA) from the drop down menu
  f. Document the distribution points configured for the AIA extension; for example http://<ServerDNSName>/Certenroll/<ServerDNSName>_<CAName><CertificateName>.crt, which refers to the local IIS installed on the server, or http://pki.contoso.com/Certenroll/<ServerDNSName>_<CAName><CertificateName>.crt

Note: Ignore the LDAP and C:\%windir% locations

3- Disable Delta CRL and Issue a long Certificate Revocation List (CRL)

  a. Open the Certification Authority Console
  b. Right click “Revoked Certificates”, and then click “Properties”
  c. Uncheck “Publish Delta CRL”
  d. Change the “CRL publication interval” to 99 years and then click OK
  e. Open the command line with elevated privileges
  f. Run certutil -crl to issue a new Certificate Revocation List (CRL)

4- Copy the old Certification Authority’s certificate (CRT) and certificate revocation list (CRL) files to the server hosting website http://crl.contoso.com/CertData 

  a. On the old Certification Authority, navigate to %windir%\System32\CertSrv\CertEnroll
  b. Copy the Certification Authority's certificate (CRT) and certificate revocation list (CRL) to the directory hosting http://crl.contoso.com/CertData

5- Redirect the Authority Information Access (AIA) and Certificate Revocation List (CRL) distribution points  of the old Certification Authority to http://crl.contoso.com/certdata

  a. This can be done using an IIS redirect, or a DNS CNAME redirect, to redirect the Authority Information Access (AIA) and Certificate Revocation List (CRL) locations of the old Certification Authority documented in steps 2.d and 2.f to the new web server http://crl.contoso.com/certdata

6- Document and remove all  certificate templates available on the old Certification Authority to prevent it from issuing new certificates

  a. Open the command line with elevated privileges
  b. Run certutil -catemplates > c:\catemplates.txt to document all certificate templates available at the old Certification Authority
  c. Launch the Certification Authority console
  d. Navigate to “Certificate Templates”
  e. Highlight all templates in the right pane, right click and then click “Delete”

At this point, the old Certification Authority can't issue any certificates, and all of its Authority Information Access (AIA) and Certificate Revocation List (CRL) locations are redirected to the new web site http://crl.contoso.com/CertData. The next steps detail how to document the certificates issued by templates from the old Certification Authority and how to make those templates available at the new Certification Authority.

7- Identify and document the certificates issued based on certificate templates by sorting the Certification Authority database

  a. Highlight “Issued Certificates”
  b. Navigate to the right, and sort by “Certificate Template”
  c. Identify the certificates issued by default certificate template types
  d. Identify the certificates issued by custom certificate templates, i.e. any template other than the default certificate templates

8- Dump the certificates based on the default certificate template types:

  a. Open the command line with elevated privileges
  b. Run certutil -view -restrict "Certificate Template=Template" -out "SerialNumber,NotAfter,DistinguishedName,CommonName" > c:\TemplateType.txt
  c. Examine the output in c:\TemplateType.txt and document all the certificates needing immediate action, i.e. those that must be re-issued from the new CA infrastructure, such as web SSL certificates
  d. Consult with the administrator of the application using the certificates to determine the best approach to replace them if needed

Note: Replace Template with the correct template name.

9- Dump the certificates based on the custom certificate template types:

  a. Open the Certification Authority Console
  b. Right click “Certificate Templates” and click “Manage”
  c. Double click the certificate template and click the “Extensions” tab
  d. Click “Certificate Template Information”
  e. Copy the Object Identifier (OID); the number will look similar to 1.3.6.1.4.1.311.21.8.12531710.13924440.6111642.16676639.10714343.69.16212521.10022553
  f. Open the command line with elevated privileges
  g. Run certutil -view -restrict "Certificate Template=OIDNumber" -out "SerialNumber,NotAfter,DistinguishedName,CommonName" > c:\CustomTemplateType.txt

Note: Replace OIDNumber with the number identified in step 9.e

  h. Examine the output in c:\CustomTemplateType.txt and document all the certificates needing immediate action, i.e. those that must be re-issued from the new CA infrastructure, such as custom SSL certificates
  i. Consult with the administrator of the application using the certificates to determine the best approach to replace them if needed

Note: You don’t need to take any action if the certificate was auto-enrolled because the certificate holder will renew the certificate when it expires from the new CA infrastructure.

10- Enable the Certificate Templates needed based on the results of steps 7-9 on the new Certification Authority

  a. Logon to the new Certification Authority as an Enterprise Administrator
  b. Right click “Certificate Templates”, click “New” and then click “Certificate Template to Issue”
  c. Choose all the certificate templates needed in the “Enable Certificate Templates” window and click “OK”

11- <Optional> At this point you can uninstall the Certification Authority Role on the old Certification Authority

  a. Back up the old Certification Authority using the steps outlined in Disaster Recovery Procedures for Active Directory Certificate Services (ADCS)
  b. Uninstall Certificate Services from the old Certification Authority
  c. Decommission the server unless it is running other applications

12- Once all certificates are issued by the new infrastructure, you can safely remove all the Authority Information Access (AIA) and Certificate Revocation List (CRL) files from your infrastructure by following the steps in How to Decommission a Windows Enterprise Certification Authority and How to Remove All Related Objects, and from the web server hosting http://crl.contoso.com
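The command-line portions of steps 3 through 9 collected into one script, as an added example that is not part of the original post. It issues the long CRL, copies the CRT/CRL files to the new CertData location, verifies that each file is actually fetchable at http://crl.contoso.com/CertData (the check a practitioner wants before trusting the redirect in step 5), records the template list, and parses the certutil -view dumps to flag issued certificates that expire soon. Assumptions not taken from the post: the UNC share path behind the CertData site, the template list (the output of step 7; custom templates go in by the OID from step 9.e), the 90-day "needs action" window, and the use of certutil -setreg CA\CRLPeriod, CA\CRLPeriodUnits and CA\CRLDeltaPeriodUnits as the registry equivalent of the GUI settings in steps 3.b through 3.d. The field labels parsed from certutil -view are the English display names; adjust them on a localized system.

```powershell
<#
  Added example, not part of the original post: command-line portions of steps
  3, 4, 6, 8 and 9 plus a reachability check for step 5. Run in an elevated
  PowerShell prompt on the OLD Enterprise CA. $CertDataShare, $Templates and
  $DaysAhead are assumptions (see lead-in); the certutil -setreg values below are
  the registry equivalent of the GUI settings in steps 3.b-3.d.
#>
param(
    [string]  $CertDataShare = '\\webserver\CertData',            # assumed UNC path behind CertData
    [string]  $CertDataUrl   = 'http://crl.contoso.com/CertData',
    [string[]]$Templates     = @('WebServer', 'Machine'),         # assumed; add custom template OIDs
    [int]     $DaysAhead     = 90,                                 # assumed "immediate action" window
    [string]  $OutDir        = 'C:\ca-decom'
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Step 3: no delta CRL, a 99-year base CRL period, then publish a new CRL.
certutil -setreg CA\CRLDeltaPeriodUnits 0 | Out-Null
certutil -setreg CA\CRLPeriod "Years"     | Out-Null
certutil -setreg CA\CRLPeriodUnits 99     | Out-Null
Restart-Service -Name CertSvc               # the CA reads the new period on restart
certutil -crl | Out-Null

# Step 4: copy the CA certificate(s) and the new CRL to the CertData host.
$enroll    = Join-Path $env:windir 'System32\CertSrv\CertEnroll'
$published = Get-ChildItem -Path "$enroll\*" -Include *.crt, *.crl
$published | Copy-Item -Destination $CertDataShare -Force

# Step 5 check: every file must be fetchable at the new URL, otherwise clients
# following the redirected CDP/AIA will fail revocation checking and chain building.
foreach ($f in $published) {
    $url = "$CertDataUrl/$($f.Name)"
    try   { Invoke-WebRequest -Uri $url -UseBasicParsing | Out-Null; Write-Host "reachable:     $url" }
    catch { Write-Warning "NOT reachable: $url ($($_.Exception.Message))" }
}

# Step 6.b: record the templates the old CA could issue before they are deleted.
certutil -catemplates | Out-File -FilePath (Join-Path $OutDir 'catemplates.txt')

# Steps 8-9: dump issued certificates per template and flag those expiring soon.
# certutil -view prints one "Row N:" block per certificate; the labels matched
# below are the English display names for the requested columns.
$cutoff = (Get-Date).AddDays($DaysAhead)
$rows = foreach ($t in $Templates) {
    $dump = Join-Path $OutDir (($t -replace '[^\w.-]', '_') + '.txt')
    $text = certutil -view -restrict "Certificate Template=$t" -out "SerialNumber,NotAfter,DistinguishedName,CommonName"
    $text | Out-File -FilePath $dump

    $cur = $null
    foreach ($line in $text) {
        if ($line -match '^Row \d+:') {
            if ($null -ne $cur) { [pscustomobject]$cur }
            $cur = [ordered]@{ Template = $t; Serial = ''; CommonName = ''; NotAfter = $null }
        } elseif ($null -eq $cur) {
            continue                                   # schema header before the first row
        } elseif ($line -match '^\s*Serial Number:\s*"?([^"]*)"?') {
            $cur.Serial = $Matches[1]
        } elseif ($line -match '^\s*Issued Common Name:\s*"?([^"]*)"?') {
            $cur.CommonName = $Matches[1]
        } elseif ($line -match '^\s*Certificate Expiration Date:\s*(.+?)\s*$') {
            try { $cur.NotAfter = [datetime]::Parse($Matches[1]) } catch { }
        }
    }
    if ($null -ne $cur) { [pscustomobject]$cur }
}

$needsAction = $rows | Where-Object { $_.NotAfter -and $_.NotAfter -le $cutoff } | Sort-Object NotAfter
$needsAction | Export-Csv -Path (Join-Path $OutDir 'needs-action.csv') -NoTypeInformation
$needsAction | Format-Table Template, CommonName, Serial, NotAfter -AutoSize
```

The per-template dump files land in C:\ca-decom alongside needs-action.csv, which is the list to take to the application administrators in steps 8.d and 9.i; certificates that were auto-enrolled can be left in the list but need no action, as the note above says.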

 

Amer F. Kamal

Senior Premier Field Engineer

Don’t let phishing threaten your small business

January 27th, 2012

We recently received this message from a small business owner:

I am stunned by the number of fake emails I get through my store’s email system, and some of them are quite sophisticated. I get them all the time from “UPS,” the “Better Business Bureau,” and today, “Bank of America.” Most of the time, they encourage me to open an attachment and fill out a form to prevent my account from being closed or to address a customer complaint. But sometimes the language and graphics are really quite professional. How can I protect my business against this kind of fraud?

The messages described here are known as phishing. If a phishing message appears in your email inbox, you can delete it or report it by using the newest versions of Internet Explorer, Hotmail, and Microsoft Office Outlook.

Use Microsoft tools to report a suspected scam

  • Internet Explorer. If you are on a site that seems suspicious, click the gear icon and then point to Safety. Then click Report unsafe website and use the web page that appears to report the website.
  • Hotmail. If you receive a suspicious email message that asks you for personal information, click the check box next to the message in your Hotmail inbox. Click Mark as and then point to Phishing scam.
  • Microsoft Office Outlook. Attach the suspicious email message to a new email message and forward it to reportphishing@antiphishing.org. To learn how to attach an email message to an email message, see Attach a file or other item to an email message.

You can also download the Microsoft Junk E-mail Reporting Add-in for Microsoft Office Outlook.

Reduce the number of phishing emails you receive

  • Use email software with built-in spam filtering
  • Keep your spam and phishing filters current
  • Be careful about sharing your email or instant message address

 


MS12-004 – Critical : Vulnerabilities in Windows Media Could Allow Remote Code Execution (2636391) – Version: 1.2

Severity Rating: Critical
Revision Note: V1.2 (January 27, 2012): Corrected the aggregate severity rating for the KB2631813 update package in the Affected Software table for all supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This is a bulletin change only. There were no changes to the security update files or detection logic. Customers should apply all update packages offered for the software installed on their systems. See the update FAQ for details.
Summary: This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if a user opens a specially crafted media file. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.


Summary for January 2012 – Version: 2.1

Revision Note: V2.1 (January 27, 2012): For MS12-004, corrected the aggregate severity rating for the KB2631813 update package for all supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. See the MS12-004 bulletin for details.
Summary: This bulletin summary lists security bulletins released for January 2012.


Independent social welfare site hacked to serve malware?

January 26th, 2012

We received a submission from one of our customers that downloaded some suspicious files from a certain website. We checked the files, confirmed that they are actually malicious and added detection for them as Trojan:BAT/Delosc.A. Everything seemed normal, until we looked at the website that the files were downloaded from, which suggested that there’s more to it than meets the eye.

The website in question is a Romanian website, asistentasociala [dot] info. The term “asistenta sociala” translates to “social welfare”, and is apparently quite popular. Doing a web search for the term “asistenta sociala” on various search engines, we found that the website is ranked within the first two pages of the results.

The website contains various official documents and examples on how they are filled out. It seems to have been hacked, because the original documents have been replaced with malicious executable files (detected as Trojan:BAT/Delosc.A – sample SHA1 759e3dc00415809d0df748e23dcbec1c0265afc1), as seen in Figure 1 below:

Fig. 1 The .doc file is replaced by an .exe file. (The word “cerere” translates to “request” or “application”.)

The malicious files have the same icon as the original documents, so that when they are saved to your computer, you might not notice anything out of the ordinary. In Figure 2 below, the downloaded malicious executables have the icons of an Excel file, a PDF file, and a Word file:

Fig. 2 The malicious executables using misleading icons.

When run, the malicious executable drops the original document, as in Figure 3. This is probably done to make it appear as if nothing unexpected has occurred:

Fig. 3 The malicious executable drops the original document.

It also drops a BAT file (also detected as Trojan:BAT/Delosc.A – SHA1 ECD0C54B085BDBBECF25FA44EEF69F9B5F776621) in the Temporary Files folder as “open_file.bat”. This file does the rest of the malicious actions.

The BAT file tries to delete files and folders from two software solutions mainly used in Romanian institutions: Indaco (software that offers services for legal documentation) and Aplxpert (a document management system based on regulations designed for public administration).

It also proceeds to delete folders (along with the files inside) that contain the following strings: “aplxpert”, “indaco” (as previously mentioned), “mondo”, “agr”, “factur” (invoice), “gami”, “multi”, “glob”, “alocati”, “arenda”, “social”, “assist”, “vmg”, “asf”, “lemne” (wood), “incalz” (heating) on the C, D, E, F, G, H drives, as you can see from the malware code in Figure 4:

Fig. 4 The malware code showing the strings.

Based on these actions, it seems like if you’re working for a Romanian government institution and your computer gets infected by this malware, you may no longer be able to use either of these tools. In addition, folders containing files pertinent to your work may be deleted if you named your folders using any of the mentioned strings.

Aside from government employees, it also looks like this malware could cause trouble for a user who is searching for documents related to social welfare. For example, if you’re looking for help on how to fill out a form for heating assistance, you might end up inadvertently having files deleted from your computer if you saved them within a folder that uses any of these strings.

The website owner has been contacted and the malicious files have been removed.

Replacing the original documents with malicious executables is something we have seen before. But this trojan is deleting files that the user seems to be looking for help for, while at the same time posing as those very files. In the process, actual important official documents may be deleted, thus posing a very real threat to users.

We recommend that you always pay attention to the downloaded files and look out for files that have the icon for one file type but the extension for another. And as always, run an antivirus solution to protect your computer against these kinds of threats. For website owners, make sure you take steps to harden your website so that you can protect its integrity.

Andrei Saygo && Daniel Radu

MMPC Dublin


What’s your online reputation?

January 25th, 2012

Most of us put a boundary between our personal and professional lives. Online that’s not easy to do.

In the Official Microsoft blog, Brendon Lynch, Microsoft Chief Privacy Officer, writes, “Every piece of personal information that exists online about you — whether posted by you or by others — has the potential to impact how you are perceived by family and friends, an employer, a mortgage lender, and more.”

That’s why, on Data Privacy Day 2012, Microsoft is providing information and resources about how you can manage your personal information online.

Top tips to manage your information online

  1. Stay vigilant and conduct your own “reputation report” from time to time.
  2. Consider separating your professional and personal profiles.
  3. Adjust your privacy settings.

Get the rest of these tips and learn more about how to safeguard your online reputation:

A different breed of downloader

January 24th, 2012

In our everyday world, we sometimes make use of thin clients, which don’t have a lot of functionality but are easy to maintain, as their functionality is based on data they receive from remote servers. Malware authors have adopted a similar technique, in which malware is able to download executable code without actually downloading an executable image. We’re talking about malware that isn’t a typical trojan downloader.

The typical routine for trojan downloaders is that the downloaded file is modified on the server side, while the downloader itself offers only a download-and-execute function, which is cheap to produce and therefore expendable in terms of antivirus detection. As a result, we currently detect over eight million trojan downloaders for Windows, most of which write the downloaded executable to disk or inject it into other processes.

Unfortunately there is no need for malware writers to download an executable at all. We recently analyzed a sample, TrojanDownloader:Win32/Poison.A (SHA1: 2cc1b2cca8d07b55144141625aea3e61f2eca182), that downloads a blob of position-independent code and executes it in the context of a previously non-malicious application.

At first, the sample appeared to be a very small Visual Basic-written application that accesses the website of a Tibetan restaurant. I expected a trojan downloader using the normal routine, but during fast static analysis I couldn’t see any file access operation, or any other suspicious system call. Instead, it simply displayed Figure 1 below:

Figure 1: Error message displayed when run on an isolated machine

Once the application was run on a machine with a simulated Internet connection, it got the contents of the HTML page of the restaurant website mentioned previously. The application copied itself to the Windows system folder as “misys.exe” (as shown in Figure 2 below), and started keylogging, although the static analysis did not indicate this kind of functionality.

Figure 2: The file “misys.exe” on a computer connected to the Internet

The question is: where does that file come from? The mystery was solved when I looked at the HTML code of the restaurant webpage, which begins with the following hex instructions:

&H55, &H8B, &HEC

These characters make up the standard x86 function prolog:

Figure 3: The assembly code for the hex instructions

So the VB application extends its functionality dynamically by downloading and executing x86 instructions in the context of its own process. The “downloader” becomes malware by executing this downloaded blob of x86 instructions. The downloaded instructions are neither injected into a different process nor dropped to disk; they are executed in the process context of the “downloader”, which thereby inherits the malware functionality.

After the whole HTML page was converted into binary as in Figure 4, the file name in Figure 2 was clearly visible:

Figure 4: The file name is visible after conversion to binary
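The conversion described above can be reproduced offline with a small script. The following is an added example, not MMPC tooling or the sample’s own code: it pulls every Visual Basic “&Hxx” literal out of a page, packs them into bytes, checks whether the blob begins with the x86 function prologue, and lists the printable strings it contains, which is how the dropped file name shows up in Figure 4. The HTML fragment and the bytes it carries are constructed for this example (a prologue, the file name and a ret), not the real Win32/Poison payload; the function names are the example’s own.

```python
"""Turn a Visual Basic '&Hxx' byte list embedded in a web page into binary and triage it.

Added example (not MMPC code). The sample page below is constructed for
this example and carries only a prologue, a file name and a 'ret'.
"""
from __future__ import annotations

import re
import string

# One VB hex literal such as "&H55" or "&h8b" (one or two hex digits).
VB_HEX = re.compile(r"&H([0-9A-Fa-f]{1,2})", re.IGNORECASE)

# push ebp ; mov ebp, esp  -- the classic 32-bit function prologue.
X86_PROLOGUE = b"\x55\x8b\xec"


def vb_hex_to_bytes(text: str) -> bytes:
    """Extract every '&Hxx' token from `text`, in order, and pack them into bytes.

    Everything else (HTML tags, commas, whitespace, VB line continuations)
    is ignored, which is what you want when the payload is embedded in a
    web page rather than in a clean listing.
    """
    return bytes(int(tok, 16) for tok in VB_HEX.findall(text))


def starts_with_prologue(blob: bytes) -> bool:
    """True if the blob begins with push ebp / mov ebp, esp."""
    return blob.startswith(X86_PROLOGUE)


def printable_strings(blob: bytes, min_len: int = 5) -> list[str]:
    """Return runs of printable ASCII of at least `min_len` characters, like `strings`."""
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    found: list[str] = []
    run = bytearray()
    for b in blob:
        if b in printable:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def triage(text: str) -> dict:
    """Convert the page and summarise what an analyst would look at first."""
    blob = vb_hex_to_bytes(text)
    return {
        "size": len(blob),
        "prologue": starts_with_prologue(blob),
        "strings": printable_strings(blob),
    }


# Constructed sample: a page fragment with a VB-style byte list. The bytes are
# push ebp / mov ebp,esp / sub esp,0x10, then "misys.exe\0", then ret (C3).
SAMPLE_HTML = """<html><body>
&H55, &H8B, &HEC, &H83, &HEC, &H10, _
&H6D, &H69, &H73, &H79, &H73, &H2E, &H65, &H78, &H65, &H00, _
&HC3
</body></html>"""

if __name__ == "__main__":
    result = triage(SAMPLE_HTML)
    print(f"{result['size']} bytes, prologue={result['prologue']}, "
          f"strings={result['strings']}")
```

Run against the constructed page it reports a 17-byte blob that starts with the prologue and contains the string “misys.exe”; on a real capture the same two checks (prologue at offset 0, a file name or host name among the strings) are a quick way to tell an embedded code blob from ordinary page content before handing it to a disassembler.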

The downloaded binary blob is a variant of the Win32/Poison family. The functionality of the downloaded code is widely documented in its entry in the MMPC Encyclopedia.

The Win32/Poison trojan can be created with an easy-to-use builder tool, which allows malware authors to customize a build according to what they want to steal. We discuss the kit and its distribution in the MMPC Threat Report – Poison Ivy paper we released in November of this year. A possible reason why Win32/Poison is so prevalent, although it’s quite an old trojan, is that the builder lets malware authors produce, with one click of the mouse, position-independent code carrying the trojan functionality instead of a standalone executable, as shown in Figure 5:

Figure 5: Win32/Poison builder allowing shellcode or PE creation

So while the malware we discussed here, TrojanDownloader:Win32/Poison.A, is a different kind of trojan that takes a while to build, within minutes it was just another threat detected by Microsoft AV products.

— MMPC

Categories: Uncategorized Tags:

EFS Certificates may be recovered as CNG certificates when CAPI CSP is required

January 23rd, 2012 No comments

If a Key Recovery Agent (KRA) certificate is stored in a Cryptography Next Generation (CNG) Key Service Provider (KSP), the certutil -RecoverKey command will by default recover a key as a CNG certificate. This default behavior could cause an issue if you are recovering a Rivest, Shamir and Adleman (RSA) key for the Encrypting File System (EFS). EFS supports KSPs only for Elliptic Curve Diffie-Hellman (ECDH) keys.

A workaround for this problem is to specify the switch -csp “Microsoft Strong Cryptographic Provider” with certutil -importpfx to ensure that the key is recovered in the appropriate format.

Categories: EFS Key Recover Tags:

Fake Seattle traffic ticket notification leads to malware

January 20th, 2012 No comments

Our partners at the City of Seattle sent us a warning today about a phishing campaign which targets users very close to home — specifically, Seattle, Washington. They’re seeing spam mail circulating that claims to be from the Seattle Department of Motor Vehicles, stating that the recipient is charged with a traffic offense and requesting that they fill out a linked form:

Fake Seattle traffic ticket spam

Variations of this email are turning up; all of them have similar content and a “check sum” tag line. Only the hyperlink and the time and date of the “offense” change between iterations of the spam. It’s interesting to note that the “Date of Offense” is in European format (DD/MM/YYYY), a strange deviation from the date format used in most of the U.S. (MM/DD/YYYY). So far, we’ve seen the hyperlink point to several recently registered domains.

If the link is visited, the browser requests the page and loads an IFrame from yet another site, which was registered on January 16, 2012 and is hosted in the Ukraine at IP 93.190.44.171. This Ukrainian site contains an obfuscated JavaScript that attempts to exploit an issue in MDAC (Microsoft Security Bulletin MS06-014) that was mitigated by a Windows security update in 2006.

If the exploit is successful, it will download and execute a file named “info.exe” from the domain “doofyonmycolg.ru”. At the time of writing, we detect this file as Worm:Win32/Cridex.B (SHA1: 2f9ccfcf645162856ec92d79fa983e22e1024051). Once the malware is running, it tries to connect to “jahramainso.com” (IP 95.57.120.104, registered January 11, 2012) using SSL. The malware is able to update itself through communicating with the server. At present, this host is serving the exact same file as the malware running on the affected computer (SHA1: 2f9ccfcf645162856ec92d79fa983e22e1024051).

We started seeing reports of this file earlier today, but we were not aware of the distribution vehicle until the City of Seattle alerted us about the spam. It’s also interesting to note that the doofyonmycolg.ru domain was registered only a few days ago, so this is a new spam campaign.

While this particular campaign is new, Win32/Cridex variants originated around September 2011. As is usually the case, the malware authors attempted to evade detection by updating the malware and altering the hosts that it communicates with. You can read more about Worm:Win32/Cridex.B in the MMPC malware encyclopedia.

The best way to remain protected against this type of attack is to:

• Keep your security software and Windows security updates current
• Teach yourself to recognize and avoid phishing emails and other messages

Also, note that neither the Seattle Police Department nor Department of Motor Vehicles (DMV) sends tickets by email — only by “snail mail” (post). The Seattle Police Department published an alert on their site at the following link: http://spdblotter.seattle.gov/2012/01/19/beware-phishy-email-titled-seattle-traffic-ticket/

— Tareq Saade, Microsoft Security Response Center 

Categories: phishing, Seattle, Win32/Cridex Tags:

Income tax scams already!?

January 19th, 2012 No comments

You’d have to be a real early bird to be expecting your income tax return in the United States already. And yet, we’ve begun to see phishing scams that appear to come from support@irs.gov and offer links where you can check the status of your return.

The message uses language straight from the IRS website and goes something like this:

You filed your tax return and you’re expecting a refund. You have just one question and you want the answer now – Where’s My Refund?

Access this secure Web site to find out if the IRS received your return and whether your refund was processed and sent to you.

To get to your refund status, you’ll need to provide the following information as shown on your return:

Your first and last name
Your Social Security Number (or IRS Individual Taxpayer Identification Number)
Your Credit Card Information (for the successful complete of the process)

This email is a scam. Don’t respond and don’t send them any personal information.

Here are several common scam techniques that this message and others might use:

  • Looking like a large organization or company. The text and images in this email were stolen from the IRS website and make the email look legitimate.
  • Requests for personal or financial information. The IRS does not ask for personal information like this in email.
  • Bad grammar or spelling. The only part of the email that was not copied from the IRS website was the section requesting credit card information. It’s no coincidence that this is also the section with grammatical and spelling errors.

If you receive a message like this, delete it or report it. Learn more about how to recognize, avoid, and report scams like this one.

Microsoft Security Advisory (2641690): Fraudulent Digital Certificates Could Allow Spoofing – Version: 3.0

Revision Note: V3.0 (January 19, 2012): Revised to announce the release of an update for Windows Mobile 6.x, Windows Phone 7, and Windows Phone 7.5 devices.
Summary: Microsoft is aware that DigiCert Sdn. Bhd, a Malaysian subordinate certification authority (CA) under Entrust and GTE CyberTrust, has issued 22 certificates with weak 512 bit keys. These weak encryption keys, when broken, could allow an attacker to use the certificates fraudulently to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer. While this is not a vulnerability in a Microsoft product, this issue affects all supported releases of Microsoft Windows.

Categories: Uncategorized Tags:

MS12-006 – Important : Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584) – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (January 18, 2012): Added MS10-085 as a bulletin replaced by the KB2585542 update for Windows 7 for 32-bit Systems, Windows 7 for x64-based Systems, Windows Server 2008 R2 for x64-based Systems, and Windows Server 2008 R2 for Itanium-based Systems. This is an informational change only. There were no changes to the detection logic or the update files.
Summary: This security update resolves a publicly disclosed vulnerability in SSL 3.0 and TLS 1.0. This vulnerability affects the protocol itself and is not specific to the Windows operating system. The vulnerability could allow information disclosure if an attacker intercepts encrypted web traffic served from an affected system. TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.

Categories: Uncategorized Tags: