Archive for November, 2012

Another way Microsoft is disrupting the malware ecosystem

November 29th, 2012

Like it or not, in today’s world, online advertising plays a large and important role in supporting the web.
Pay-per-click (PPC) advertising, born in 1998, created a system whereby advertisers only pay when potential customers click on an advertisement’s link. This system allowed companies to target very specific market segments, better gauge sales campaign performance and to only pay for what was clicked. This helped drive demand for publishers. Publishers are those people with websites or apps that attract visitors. These publishers display advertisements and get paid by an advertiser when one of their visitors clicks on an advertisement.

 

Online click-fraud is the intentional misappropriation of advertising revenue by generating a click that doesn’t originate from a potential customer, or by hijacking a click from the rightful publisher.
A very simple example of this could be John Doe creating a web site and displaying advertising links on this website, and then clicking on those links himself. The advertiser would be paying John Doe for those clicks under the assumption they were from real customers who are potentially interested in a product.

 

So what does this mean to you?
Online advertising is a large business. $32 billion was spent on it in 2011 (Olmstead, 2012), supporting key web services that we all use. And click-fraud is rampant, with 22% of all ad-clicks being fraudulent (Vacha Dave, 2012).
Consumers pay more, albeit fractionally, for products whose marketing revenue is stolen by spurious clicks.
Apps and services that are offered free of charge (such as search engines and smart phone games) are supported by online advertising. This kind of crime, known as click-fraud, erodes that support.
The overall health of digital commerce depends upon having a safe and secure market place where businesses can thrive.

 

One particular way criminals make money via click-fraud is to put malicious software (malware) on your computer to perpetrate spurious clicks.
In the simple case of John Doe above, it would be easy to detect all of his clicks because they came from a single IP address and never yielded a “conversion”. A conversion is defined by the advertiser as the desired action taken by the potential customer after clicking on an advertisement; this could include purchasing a product or signing up for a service.
But if these fraudulent clicks were coming from various geographies all over the world, each behaving as unique as an individual while browsing the internet, it becomes much harder to detect them.
And since who benefits directly from a malicious click is not a simple relationship, and the advertising market is not structurally designed for accountability, this fraud is challenging to detect and prevent.
Typically these fraudulent clicks go through many layers of publishers, affiliates and syndication schemes. Affiliates produce traffic to sites, and advertisements are syndicated from site A to site B to site C, where each site takes a cut of the advertisement’s profit on a click.
The complexity and opaqueness of where traffic comes from, and who benefits from a single click, is a new digital “Wild West”, fertile for unscrupulous cyber-slingers.
And though the actual malware author may make a small fraction of money from a click, through this Gordian web of publishers, affiliates and syndications, done enough times it can all add up to be quite lucrative.
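The detection problem sketched above, as an added example written for this page (it is not MMPC or AdCenter code). It parses constructed click-log lines in an assumed format, applies the single-IP, zero-conversion heuristic that catches John Doe, and shows why that heuristic misses clicks spread across many infected machines. The second check, a per-publisher conversion rate compared against the overall baseline, is an addition here rather than something the post describes; the publisher names, IP ranges and thresholds are illustrative.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Click:
    ip: str
    publisher: str
    converted: bool  # True when the advertiser later recorded a conversion for this click


def parse_click_log(lines):
    """Parse constructed log lines of the assumed form '<timestamp> <client-ip> <publisher> CLICK|CONV'."""
    clicks = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ts, ip, publisher, event = line.split()
        clicks.append(Click(ip, publisher, event == "CONV"))
    return clicks


def _tally(clicks, key):
    """Count [clicks, conversions] per key (per IP, per publisher, ...)."""
    counts = defaultdict(lambda: [0, 0])
    for c in clicks:
        counts[key(c)][0] += 1
        counts[key(c)][1] += int(c.converted)
    return counts


def flag_by_ip(clicks, min_clicks=5):
    """The 'John Doe' heuristic: one address, repeated clicks, never a conversion."""
    per_ip = _tally(clicks, lambda c: c.ip)
    return sorted(ip for ip, (n, conv) in per_ip.items()
                  if n >= min_clicks and conv == 0)


def flag_by_publisher(clicks, min_clicks=5, ratio=0.25):
    """Publisher-level check (an addition here, not from the post): a publisher whose
    conversion rate is far below the overall rate is suspicious even when every one of
    its clicks comes from a different IP. Returns [] when nothing converts at all,
    because there is then no baseline to compare against."""
    if not clicks:
        return []
    baseline = sum(c.converted for c in clicks) / len(clicks)
    if baseline == 0:
        return []
    per_pub = _tally(clicks, lambda c: c.publisher)
    return sorted(pub for pub, (n, conv) in per_pub.items()
                  if n >= min_clicks and conv / n < baseline * ratio)


def constructed_log():
    """Constructed sample traffic (not real telemetry); documentation IP ranges only."""
    lines = []
    # A legitimate publisher: 30 clicks from 30 different visitors, 3 of which convert.
    for i in range(30):
        event = "CONV" if i % 10 == 0 else "CLICK"
        lines.append(f"2012-11-01T10:{i:02d}:00 198.51.100.{i + 1} news-site {event}")
    # John Doe: eight clicks on his own ads from a single address, none converting.
    for i in range(8):
        lines.append(f"2012-11-01T11:{i:02d}:00 203.0.113.7 johndoe-site CLICK")
    # Malware-driven clicks: 24 infected machines, one click each, none converting.
    for i in range(24):
        lines.append(f"2012-11-01T12:{i:02d}:00 192.0.2.{i + 1} bot-affiliate CLICK")
    return lines


if __name__ == "__main__":
    clicks = parse_click_log(constructed_log())
    print("per-IP heuristic flags:", flag_by_ip(clicks))            # only John Doe's address
    print("per-publisher check flags:", flag_by_publisher(clicks))  # both fraudulent publishers
```

Run stand-alone, the per-IP heuristic names only 203.0.113.7; the 24 bot clicks each look like a single visitor. Aggregating by the party that gets paid is what recovers them, which is why the post's correlation of ad-click data with malware telemetry has to follow the money rather than the individual click.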

 

The Microsoft Malware Protection Center (MMPC) has teamed up with the Microsoft Online Forensics team in AdCenter to thwart criminals from using malware to profit in this way.
Since 60% to 70% of malware today employs some form of click-fraud to monetize (NSS Labs, 2012), this is an important link to target in any comprehensive disruption plan.
We are intersecting large data sets of malware telemetry and ad-clicks to detect anomalous behavior correlated with malware. We are also bringing together two relatively disparate domains of expertise and tooling, namely malware analysis and online advertising, to create prevention systems and processes that identify the entire chain of beneficiaries of click-fraud malware. In this way, we stop the flow of illicit money at the AdCenter level. To date, we have identified three malicious software families monetizing in this manner and have recouped those ill-gotten gains from the beneficiaries.

 

We are doing this to create the highest quality online market for businesses, to provide the best possible online user experience for our customers, and to reduce the economics of malware monetizing via click-fraud.

 

 

-Nikola Livic
MMPC

 

Works cited

NSS Labs, M. (2012). Internal study.
Olmstead, K. (2012). Digital: By the Numbers. The State of the News Media 2012, An Annual Report of American Journalism.
Vacha Dave, S. G. (2012). Measuring and Fingerprinting Click-Spam in Ad Networks. SIGCOMM.


Microsoft vs. the botnets

November 29th, 2012

A botnet is a network of “zombie” computers infected with malware that enables cybercriminals to commit undetected fraud and other harmful acts.

To help disrupt an emerging botnet, the Microsoft Digital Crimes Unit (DCU) recently took legal action against cybercriminals who were responsible for distributing 500 different strains of malware with the potential for targeting millions of innocent people.

Microsoft discovered that retailers were selling computers loaded with counterfeit versions of Windows software embedded with harmful malware that allowed criminals to steal people’s personal information and send fake scam emails and social media posts to victims’ family, friends, and coworkers.

Watch a video about botnets and counterfeit software

For more information, see How to better protect your PC with botnet protection and avoid malware.


Shop online with care this holiday season

November 27th, 2012

Holiday shopping is in full swing and so are the scams. The following tips can help you stay safe when you shop online.

Use a modern browser. Internet Explorer 9 and Internet Explorer 10 (available with Windows 8) include the SmartScreen filter. SmartScreen helps protect you from fraudulent shopping websites that seek to acquire personal information such as user names and passwords. Learn more about SmartScreen.

Use strong passwords for online retail sites and keep your passwords secret. Make your passwords eight or more characters. Use a combination of numbers, symbols, and uppercase and lowercase letters (the greater the variety of characters, the stronger the password). Also, make sure you don’t use the same password for all the sites you use. Check the strength of your password.

Be careful when you shop online using a public Wi-Fi connection. If possible, save your financial transactions for a secured home connection. Passwords, credit card numbers, or other financial information are less secure on a public network. If you have to make a purchase, choose the most secure connection—even if that means you have to pay for access. Learn more about Wi-Fi safety.

Get more advice for safer online shopping

UAG published website is not fully rendered

November 27th, 2012

 

Consider a scenario where you are publishing one or more internal websites via UAG 2010 and UAG is configured in an array of two or more nodes. Also, you are load balancing the UAG nodes using an F5 Big-IP device.

Symptoms:

External users accessing one or more of these published web sites, via the Virtual IP of the F5, may experience one or both of the following symptoms:

• Improper page rendering, where a number of page items (graphics, for example) do not display correctly.

• Internet Explorer shows “The page cannot be displayed”.

 

 

Possible Cause:

The F5 Big-IP LTM may have the “OneConnect” feature enabled.

 

More Information:

The OneConnect feature is a system that is meant to improve web application performance. OneConnect reuses TCP connections to each load balanced server (UAG) for multiple clients. Please go to www.f5.com for more information on the OneConnect feature of the F5 Big-IP device.

 

 

Resolution:

As a test, try disabling the OneConnect feature. If, after disabling the OneConnect feature, your published web sites start rendering correctly, please contact F5 support for assistance with the OneConnect feature.

 

Author

Richard Barker – Sr Security Support Escalation Engineer, Microsoft CSS Forefront Security Edge Team


UAG 2010 Service Pack 3 is in the works

November 26th, 2012

The Forefront Unified Access Gateway (UAG) Product Team is excited to let you know that we are currently developing Service Pack 3 for UAG 2010, and we expect to make it available during the first quarter of calendar year 2013 (Q1 CY2013).

 

Service Pack 3 will provide support for: 

  • Windows 8 with Internet Explorer 10 clients, including DirectAccess
  • Office 2013 clients (e.g. Outlook, Word, Excel, PowerPoint)
  • Publishing Exchange 2013
  • Publishing SharePoint 2013
  • RDP 8.0 client for Windows 7 SP1 (KB 2592687)

 

Thank you,

The UAG Product Team

 


Online fraud: Get practical advice

November 22nd, 2012

Need help spotting an online scam? Download our new free 12-page booklet called Online Fraud: Your Guide to Prevention, Detection, and Recovery.

This guide includes:

  • Real-world examples of false promises made in fake emails
  • Images of scam emails to help you avoid them
  • Tips for guarding your computer and your sensitive information
 

For more information, see the Trustworthy Computing blog.

An analysis of Dorkbot’s infection vectors (part 2)

November 21st, 2012

In part 1 of this series, we talked about Dorkbot and its spreading mechanisms that required user interaction. In this post, we’ll talk about how Dorkbot spreads automatically, via drive-by downloads and Autorun files.

Spreading vectors not requiring user interaction: Drive-by downloads and Autorun files

Dorkbot can also spread automatically, without user interaction. We recently encountered a malicious Java applet that exploits the vulnerability described in CVE-2012-4681 to distribute the Dorkbot worm. We detect the applet as Exploit:Java/CVE-2012-4681.HD. Let’s take a closer look at how this exploit works.

Java applets that are not digitally signed are considered untrusted. They are executed with limited permissions by the Java Runtime Environment. Before it can download and execute arbitrary files, Exploit:Java/CVE-2012-4681.HD has to disable the security manager, which defines the security policy of the applet. The security manager can be disabled with a call to System.setSecurityManager(null), but applets are restricted from calling this method directly.

The exploit relies on vulnerabilities in the implementation of the following two methods:

  • Method com.sun.beans.finder.ClassFinder.findClass(String,ClassLoader)
  • Method com.sun.beans.finder.MethodFinder.findAccessibleMethod(Class,String,Class[])

We decompiled the method ClassFinder.findClass to determine why it was vulnerable. As shown in Figure 8, ClassFinder.findClass calls the method Class.forName in its internal implementation. The method Class.forName in turn only looks at the immediate caller to perform security checks. As you can see, the vulnerability lies in the way Class.forName is used, and not in the method Class.forName itself.

The fix was to perform an additional package access check at the beginning of method ClassFinder.findClass, a check that fails if an applet attempts to access a restricted Java class (Figure 8).

Figure 8: The vulnerability in com.sun.beans.finder.ClassFinder.findClass(String,ClassLoader)

Another issue, this time in the implementation of the method sun.awt.SunToolkit.getField(Class,String), allows one to access private members of Java classes. The method SunToolkit.getField would not be accessible by default to user code, but the exploit calls it with the help of a java.beans.Expression object. java.beans.Expression.execute() is also vulnerable because it relies on the two vulnerable methods described above.

Exploit:Java/CVE-2012-4681.HD calls SunToolkit.getField to modify a private member of a java.beans.Statement object and set the access control context to “all permissions”. The class Statement can be used to invoke methods from arbitrary classes with modified access control context value. The exploit relies on a Statement object with modified access control context to invoke the privileged method System.setSecurityManager. After this, it has the permission to download additional malware (Figure 9).

Figure 9: Execution flow of Exploit:Java/CVE-2012-4681.HD

As is typical for Java exploits nowadays, the code of Exploit:Java/CVE-2012-4681.HD is heavily obfuscated to try to bypass AV detection. Figure 10 shows how the exploit retrieves the private field “acc” of the java.beans.Statement class, a field that defines the access control context.

Figure 10: Obfuscated code in Exploit:Java/CVE-2012-4681.HD

Exploits for CVE-2012-4681 are guaranteed to work if the Java Runtime Environment is vulnerable (unlike exploits for memory corruptions, for instance). They are also platform independent (so they can also infect *nix and Mac users) and target a huge base of Java installations.

Unsurprisingly, as shown in Figure 11, our telemetry indicates that exploits for CVE-2012-4681 have been widely used to distribute malware since the vulnerability was first made public in late August 2012. A security update to resolve it was released around the same time.

Figure 11: Infection attempts with CVE-2012-4681 Java exploits reported from September 15th to October 17th, 2012

To avoid getting infected through drive-by downloads, make sure your software is up to date – for Java specifically, we talked about that in a previous post.

Worm:Win32/Dorkbot can also infect removable drives, by creating an autorun.inf file that points to a copy of the worm. If you have Autorun enabled in your computer, Dorkbot automatically runs whenever the removable drive is accessed. Fortunately, this distribution method is not very effective anymore as explained in a previous blog post. Please keep your Windows up-to-date to deal with this infection vector.

Conclusion

As we mentioned previously, malware these days uses a variety of ways to infect computers, and Dorkbot is no exception. Its access to a C&C server also allows for a certain level of dynamic behavior. Because of this, we advise users to be more vigilant against all the different channels that Dorkbot uses.

And finally, always make sure your definitions are up-to-date for your antivirus solution. If you don’t have one and you’re running Windows XP, Vista, or 7, you can download and install Microsoft Security Essentials for free. If you’re using Windows 8, make sure your antivirus program is enabled and running properly.

The following are the SHA1s of the samples that we’ve analyzed for this blog post:

  • Exploit:Java/CVE-2012-4681.HD – f624121d44b87369ba9ffa975db64fbb7bc395b3
  • Worm:Win32/Dorkbot spreading component – 11a2ddb73af46060802537dec0f8799e2a0dc13f
  • Worm:Win32/Dorkbot.A – 4176f4193b1ef64569bf0ab220113cce6074df4e
  • Worm:Win32/Dorkbot.I – 37c09e044ebe57eb66aa6c72cb039140b3b985f1

Horea Coroiu, MMPC Munich

Manage your privacy settings in one place

November 20th, 2012

MS12-073 – Moderate : Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Information Disclosure (2733829) – Version: 2.1

Severity Rating: Moderate
Revision Note: V2.1 (November 20, 2012): Added missing Server Core installation entries to the Severity table. This is a bulletin change only. There were no changes to the Affected Software table.
Summary: This security update resolves two privately reported vulnerabilities in Microsoft Internet Information Services (IIS). The more severe vulnerability could allow information disclosure if an attacker sends specially crafted FTP commands to the server.


MS12-058 – Critical : Vulnerabilities in Microsoft Exchange Server WebReady Document Viewing Could Allow Remote Code Execution (2740358) – Version: 2.2

Severity Rating: Critical
Revision Note: V2.2 (November 20, 2012): Corrected the update package names, registry verification keys, and log file names for the KB2756497 and KB2756496 updates where incorrect in this bulletin. These are informational changes only. The download pages and associated Knowledge Base articles already contained the correct information.
Summary: This security update resolves publicly disclosed vulnerabilities in Microsoft Exchange Server WebReady Document Viewing. The vulnerabilities could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using Outlook Web App (OWA). The transcoding service in Exchange that is used for WebReady Document Viewing is running in the LocalService account. The LocalService account has minimum privileges on the local computer and presents anonymous credentials on the network.


KB: Error message when you try to install System Center 2012 Endpoint Protection for Mac: “There were errors with the installation”

November 19th, 2012

This Knowledge Base article talks about an issue where installing System Center 2012 Endpoint Protection for Mac fails with “There were errors with the installation”:

Symptoms

When you try to install Microsoft System Center 2012 Endpoint Protection for Mac (SCEP), you receive an error message that resembles the following:

There were errors with the installation. You may want to try installing again.
The Installation failed.

Resolution

To resolve this issue, use the following methods. If Method 1 does not resolve the issue, go to Method 2:

Method 1

1. Click Close to close the error message window.
2. On the Go menu, click Applications.
3. Double-click System Center 2012 Endpoint Protection for Mac.
4. Verify that System Center 2012 Endpoint Protection for Mac starts as expected. To do this, click the System Center Endpoint Protection for Mac icon in the menu bar, and then click Open System Center 2012 Endpoint Protection.

Method 2

If System Center 2012 Endpoint Protection for Mac does not start as expected, follow these steps:
1. Restart the system into safe mode.
2. Delete every SCEP application bundle that you find in the /Application folder.
3. Restart normally.
4. Run the 4.5.9X Uninstaller from the 4.5.X dmg.
5. In Terminal, run: rm -Rf ~/.scep/
6. cd /Library/Application\ Support/Microsoft/
7. sudo rm -Rf *scep/

NOTE: install.log can be found at /var/log/install.log

=====

For the most current version of this article please see the following:

2695614 – Error message when you try to install System Center 2012 Endpoint Protection for Mac: "There were errors with the installation"

J.C. Hornbeck | Knowledge Engineer | Management and Security Division

App-V Team blog: http://blogs.technet.com/appv/
ConfigMgr Support Team blog: http://blogs.technet.com/configurationmgr/
DPM Team blog: http://blogs.technet.com/dpm/
MED-V Team blog: http://blogs.technet.com/medv/
Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
Operations Manager Team blog: http://blogs.technet.com/momteam/
SCVMM Team blog: http://blogs.technet.com/scvmm
Server App-V Team blog: http://blogs.technet.com/b/serverappv
Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center Essentials Team blog: http://blogs.technet.com/b/systemcenteressentials
WSUS Support Team blog: http://blogs.technet.com/sus/

The Forefront Server Protection blog: http://blogs.technet.com/b/fss/
The Forefront Endpoint Security blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/


Updates: AdExplorer v1.44, Contig v1.7, Coreinfo v3.2, Procdump v5.1

November 16th, 2012

AdExplorer v1.44: This release fixes a bug that caused AdExplorer to crash when it encountered corrupted extended rights schemas.

Contig v1.7: Contig is a command-line file defragmentation and fragmentation analysis utility. v1.7 has more detailed fragmentation analysis reporting, fixes a bug that enables creation of contiguous files larger than 8GB, and adds support for setting the valid data length on files to avoid zero-fill overhead.

Coreinfo v3.2: Coreinfo, a command-line utility that dumps processor topology and feature support, now reports the presence of many additional features, including SMAP, RDSEED, BMI1, ADX, HLE, RTM, and INVPCID.

Procdump v5.1: This major update to Procdump, a command-line utility for creating process crash dump files based on triggers or on-demand, adds support for Silverlight applications and the ability to register Procdump as the just-in-time (JIT) debugger for more advanced scenarios.

Smoke and mirrors and Win32/Phorpiex

November 16th, 2012

This month one of the families introduced to MSRT is Win32/Phorpiex, a worm that spreads via removable drives and has IRC controlled backdoor functionality.

In most respects Phorpiex is another worm, with typical command and control via IRC as well as spreading via removable drives. Like many other malware it usually does this by using Autorun, copying itself to the removable drive and writing an “autorun.inf” file to ensure execution on access, assuming the system is configured to allow autorun.

Win32/Phorpiex differs from most other malware by also using another trick to dupe unsuspecting users. This is another variation on the usual theme of getting users to click to execute the malware.

Phorpiex checks if a particular removable drive contains any folders; the following is a genuine example of a removable drive with folders:

 

So there it is, a group of innocuous folders sitting there, and along comes Phorpiex looking for them. After which this happens:

 

Yes, these appear to be the same folders as before, but notice the little shortcut arrows on the folder icons. That is correct – Phorpiex has replaced the folders with shortcuts containing folder icons! We delve further by displaying hidden items in Explorer:

 

The original folders have been hidden, but there appears to be another hidden folder. Let’s go take a look inside:

 

And there we have it – three versions of Win32/Phorpiex with the same names as the original three folders hiding inside.
OK, but what does this mean? When someone clicks on one of the shortcuts with the folder icon what will be running is Win32/Phorpiex.

Here is where the illusion breaks down, because the user expects to go into the folder in Explorer to view its contents. In this case there is no feedback after clicking on one of the shortcuts.

More malware smoke and mirrors, and a good reason to disable autorun functionality if you haven’t already – and here’s how to do it.
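The two removable-drive tricks described in this post and in the Dorkbot analysis above (an autorun.inf that launches a copy of the worm, and shortcuts with folder icons standing in for folders that have been hidden) can both be checked for from a listing of the drive root. The following is an added example written for this page, not MMPC code. The listing, the autorun.inf contents and the file names are constructed; hidden state is read from the Windows attribute bit where the platform exposes it and falls back to a leading dot elsewhere so the sample runs anywhere; and the shortcut check relies only on the name coincidence the post shows (a .lnk named like a hidden folder), not on parsing the shortcut's target.

```python
import configparser
import ntpath
import os
from dataclasses import dataclass

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows file attribute bit
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


@dataclass(frozen=True)
class Entry:
    name: str
    is_dir: bool
    hidden: bool


def list_root(path):
    """Enumerate the root of a mounted drive (e.g. 'E:\\' or '/media/usb'). Hidden state comes
    from the Windows attribute bit when available, otherwise from a leading dot."""
    entries = []
    with os.scandir(path) as it:
        for de in it:
            attrs = getattr(de.stat(follow_symlinks=False), "st_file_attributes", 0)
            hidden = bool(attrs & FILE_ATTRIBUTE_HIDDEN) or de.name.startswith(".")
            entries.append(Entry(de.name, de.is_dir(follow_symlinks=False), hidden))
    return entries


def _first_token(command):
    """Return the program part of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def autorun_targets(inf_text):
    """Lower-cased basenames of the programs an autorun.inf would launch through
    open=, shellexecute= or shell\\<verb>\\command=. Unparseable input yields []."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    try:
        cp.read_string(inf_text)
    except configparser.Error:
        return []
    targets = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):  # configparser lower-cases option names
            launches = key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command"))
            if launches and value:
                name = ntpath.basename(_first_token(value)).lower()
                if name and name not in targets:
                    targets.append(name)
    return targets


def scan_listing(entries, autorun_inf=None):
    """Apply both checks to a root listing plus the text of the drive's autorun.inf (if any)."""
    findings = []
    by_name = {e.name.lower(): e for e in entries}
    hidden_dirs = {e.name.lower() for e in entries if e.is_dir and e.hidden}
    # Dorkbot-style: autorun.inf points at an executable carried on the drive.
    if autorun_inf is not None:
        for target in autorun_targets(autorun_inf):
            if os.path.splitext(target)[1] in EXEC_EXTENSIONS:
                entry = by_name.get(target)
                if entry is None:
                    where = "not at root"
                elif entry.hidden:
                    where = "hidden at root"
                else:
                    where = "at root"
                findings.append(f"autorun.inf launches {target} ({where})")
    # Phorpiex-style: a .lnk whose name matches a folder that has been hidden.
    for e in entries:
        stem, ext = os.path.splitext(e.name)
        if not e.is_dir and ext.lower() == ".lnk" and stem.lower() in hidden_dirs:
            findings.append(f"shortcut {e.name} shadows hidden folder {stem}")
    return findings


def scan_drive(path):
    """Run both checks against a real mounted drive root."""
    inf_path = os.path.join(path, "autorun.inf")
    inf_text = None
    if os.path.isfile(inf_path):
        with open(inf_path, "r", encoding="utf-8", errors="replace") as fh:
            inf_text = fh.read()
    return scan_listing(list_root(path), inf_text)


# Constructed sample (not a real infection): the worm copy is hidden at the root,
# the "Photos" folder has been hidden and a shortcut of the same name put in its place.
SAMPLE_AUTORUN_INF = """[AutoRun]
open=x.exe
shell\\open\\command=x.exe /s
icon=%SystemRoot%\\system32\\shell32.dll,4
"""
SAMPLE_LISTING = [
    Entry("Photos", True, True),        # original folder, now hidden
    Entry("Photos.lnk", False, False),  # shortcut with a folder icon in its place
    Entry("Work", True, False),
    Entry("x.exe", False, True),
]

if __name__ == "__main__":
    for finding in scan_listing(SAMPLE_LISTING, SAMPLE_AUTORUN_INF):
        print(finding)
```

On a real machine, scan_drive(root) does the same against a mounted removable drive. The autorun.inf check is the one Autorun hardening in Windows makes moot for the execution path, but the file is still a useful indicator that the drive has carried a worm; the shortcut check is worth running because it does not depend on Autorun at all, only on a user clicking what looks like a folder.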

Ray Roberts
MMPC Melbourne
