Archive for June, 2013

Bring Your Own Device (BYOD) – New Windows Server 2012 R2 Device Access and Information Protection

As you will have seen at Microsoft TechEd North America and Europe, we have just delivered the Preview Release of Windows Server 2012 R2 with a stunning amount of new capability that is Cloud First.

My name is Adam Hall and I look after one of the solution areas within People-centric IT that we call “Access & Information Protection”. In this post I will provide more information about what this actually is and the focus areas we have around Bring Your Own Device (BYOD) and the Consumerization of IT.

People-centric IT is about helping organizations empower their users to work on the devices they choose without compromising their information integrity or compliance. The challenge this presents to customers is that as soon as their user works on a device that they do not manage or even have any knowledge of, it becomes very difficult to retain control of sensitive corporate information, and to be able to respond to situations such as the device being sold, lost or stolen.

With our Access & Information Protection solutions, we deliver capabilities that help our customers solve this very challenging problem in the following ways:

Simple registration and enrollment for users adopting Bring Your Own Device programs (BYOD).

Users can register their device using Workplace Join, which creates a new device object in Active Directory and installs a certificate on the device, allowing IT to take the user's device authentication into account as part of conditional access policies. Users can also opt in to the Windows Intune management service for consistent access to applications (including internal LOB apps and links to public app stores), management of their own devices, and access to their data.

Users can work from the device of their choice to access corporate resources regardless of location.

New in Windows Server 2012 R2 are the Web Application Proxy and Work Folders. The Web Application Proxy provides the ability to publish access to internal resources and perform Multi-Factor Authentication at the edge. Work Folders is a new file sync solution that allows users to sync their files from a corporate file server to all their devices both internally and externally.


IT can better protect corporate information and mitigate risk by being able to manage a single identity for each user across both on-premises and cloud-based applications.

As users blend their work and personal lives, and organizations adopt a mixture of traditional on-premises and cloud based solutions, IT needs a way to consistently manage the user’s identity and provide users with a single sign-on to all their resources.  Microsoft helps our customers by providing users with a common identity across on-premises or cloud-based services leveraging existing Windows Server Active Directory investments and then connecting to Windows Azure Active Directory.  In Windows Server 2012 R2, we have significantly enhanced Active Directory Federation Services (ADFS) to be easier to deploy and configure, tightly integrated with the Web Application Proxy for simple publishing and federating between Active Directory and Azure AD. 


IT can access managed mobile devices to remove corporate data and applications in the event that the device is lost, stolen, or retired from use.

Whether a device is lost, stolen or simply being repurposed, there will be times when IT needs to ensure that the corporate information stored on the device is no longer accessible. With Windows Server 2012 R2, System Center Configuration Manager 2012 R2 and Windows Intune, companies have the ability to selectively wipe corporate information while leaving personal data intact.

IT can set policy-based access control for compliance and data protection.

With users working on their own devices, the accessing of corporate resources and storage of information on these devices presents some challenges for ensuring that compliance needs are met and that information remains secure.  Windows Server 2012 R2, through the Web Application Proxy, ADFS and Work Folders, provides compelling and powerful solutions that make it easy for our customers to make resources available while remaining in control of information.  As we showed in the TechEd Europe keynote in Madrid this week, Work Folders is integrated with Dynamic Access Control, providing the ability to automatically classify information based on content and perform tasks such as protecting it with Rights Management Services, even for data that is created and stored on clients!


To see People-centric IT, including System Center 2012 R2 Configuration Manager, Windows Intune, and Windows Server 2012 R2 in action, you can watch a complete presentation and end-to-end demonstration from the TechEd North America Foundational Session. You can also learn more about People-centric IT by downloading the People-centric IT Preview Guide.

Be sure to download System Center 2012 R2 Preview Configuration Manager and Windows Server 2012 R2 Preview today!

Don’t post your email address in a blog comment

June 27th, 2013 No comments

To post a comment or a question on one of our blog posts, use the Comments form at the bottom of the post. We appreciate your comments and questions, and we read all of them. Although we don’t answer them individually, we do use the information to answer the most popular questions in new blog posts.

Your comment is public

Please don’t post your email address or any other personal information in the comment section on our blog or any other blog. These comments and questions are published on the web and can be viewed by anyone. You should always be careful where you post your email address publicly online because spammers and cybercriminals use sophisticated tools to scan the web and harvest email addresses to use for sending spam and scam emails. If you publicly post your email address online, a spammer will find it.

Get more tips on how to help keep spam out of your inbox.


Another year, another rogue. Not what the doctor ordered

June 27th, 2013 No comments

Another new year is almost upon us. Or at least that’s what the distributors of Rogue:Win32/Winwebsec would have us believe – releasing a new branding System Doctor 2014 just prior to the middle of 2013.

Figure 1: System Doctor 2014 user interface

For some time, Winwebsec has had only one branding active at a time. While there have been a number of name changes, the interface and behavior have otherwise remained mostly unchanged.

System Doctor 2014 represents a departure from this, with the previous incarnation System Care Antivirus remaining the most active and prevalent version of Winwebsec. Indeed, System Doctor 2014 even checks for signs of a System Care Antivirus installation and will stop running if it finds any.

Figure 2: System Care Antivirus user interface

The appearance and behavior of System Doctor 2014 is also somewhat different to other Winwebsec variants. In the past, most rogues have asked for payment before “removing” the fake threats they report. System Doctor 2014 successfully “cleans” some of the threats before asking for payment, but not all of them. It recommends activation in order to remove the rest of the threats for which cleaning “failed”.

Figure 3: System Doctor 2014 reporting cleaning failure

Figure 4: System Doctor 2014 reporting cleaning failure

Regular readers of this blog and our encyclopedia may also notice that the names of the threats falsely reported by System Doctor 2014 have a certain resemblance to the names of threats reported by Microsoft’s antimalware products. The brief descriptions of the threats also appear to be lifted directly from our encyclopedia.

For example, in Figure 3 the threat name displayed in the rogue’s detections lists Win32/Sality.XX but is referred to as Win32/Sality.AT in the description below it. Our description for Virus:Win32/Sality.AT also begins with the same sentence: “Virus:Win32/Sality.AT is a detection for a virus that spreads by infecting Windows executable files and by copying itself to removable and remote drives.”

While there are differences between the two Winwebsec variants, they also have a number of behaviors in common: both have used the same custom obfuscation in an attempt to avoid detection by antimalware products, both use a similar request format when sending details of their installation to the distributors’ server, and both attempt to prevent all other programs from running apart from a few that appear on a specified whitelist.

Interestingly, both variants also use exactly the same activation code.

When someone pays to register rogue software, they receive an activation code that they need to convert the rogue to the full version. Once activated, the rogue will report that it has cleaned all of the fake threats it detected earlier. It will also stop trying to block other programs from running. This can help make it easier to remove the rogue from an infected computer. Figure 4 shows the System Doctor 2014 user interface after cleaning the remaining fake threats.

Figure 5: System Doctor 2014 after its activation code has been entered

In the case of Winwebsec, all variants appear to use the same activation code. Of course, we strongly recommend that you do not ever pay to obtain an activation code.

Another approach is to use Windows Explorer to copy the file you want to run to the desktop, rename the new copy to explorer.exe or other filename on the whitelist, and run the new copy. You can find the whitelists for System Care Antivirus and System Doctor 2014 in their respective descriptions. For example, you could use this approach with Task Manager (taskmgr.exe) to end the Winwebsec process. After doing this, you should be able to perform any cleanup activities you need without further hindrance from Winwebsec.

However, the simplest method of removing Winwebsec – or any other malware that prevents you from downloading updates or running other software – is Windows Defender Offline.

The way Windows Defender Offline works is by allowing you to:

  1. Download a copy of the tool from a computer that has access to the internet
  2. Save a copy of the recovery tool to a removable drive, in order to create bootable media
  3. Run the recovery tool on a compromised computer

This allows you to boot from the removable media, and scan the affected computer with the latest antimalware definitions before any malware has a chance to start running.

There are more instructions on how to use this tool on the Windows Defender Offline download page.

David Wood
MMPC Melbourne


Transforming your Datacenter with Software-Defined Networking (SDN): Part II

A couple of weeks ago, we addressed how Microsoft’s Software-Defined Networking solutions can help you transform your datacenter.  For those of us who prefer to learn visually, the video below illustrates our approach. 

Experience the flexibility, automation and control delivered by our SDN solution by deploying Windows Server 2012 and System Center 2012 SP1 today.

You can also evaluate our latest and greatest SDN capabilities by using the Windows Server 2012 R2 Preview and System Center 2012 R2 Preview bits that we announced this week. 

Storage Transformation for your Datacenter

A few weeks ago, we addressed storage transformation in this blog – and how onsite storage, cloud storage, and recovery options are evolving.  Below is a brief video overview of some of our key storage solutions.  In this post, we will explore how storage is changing inside your datacenter, and how we transform industry standard disks into reliable, high-performance onsite storage for your datacenter.

A common model today is for new deployments of important workloads like virtualization and line of business applications to utilize a storage-area network (SAN) to achieve the performance and reliability the workload needs.


In this model, the virtual machines running on the physical hosts access virtualized volumes of storage over the network.  These volumes are provided by the SAN, which contains a set of physical disks, some hardware, and software that work together to provide performance, reliability, and a level of storage virtualization.

If you have a significant investment in a SAN infrastructure, you can rest assured Microsoft is continuing to integrate key technologies into products like Windows Server to keep it the best operating system to use with SANs.  We’ve introduced Offload Data Transfers (ODX) and virtual fibre channel adapter support to help increase the performance of physical and virtual workloads.  We also have TRIM/UNMAP support for thin provisioning and flexible and efficient storage utilization.

But there are other options.  Historically Windows Server file-based storage was a great option for user data – workloads like file servers and SharePoint.  But starting with Windows Server 2012, we dramatically improved the performance and reliability of the file server, enabling it to serve as a direct replacement for more traditional storage options.


In this model, the Windows Server cluster contains the disks, hardware, and software to provide high-performance, reliable virtualized storage volumes over the network.  Storage Spaces, introduced in Windows Server 2012, aggregates the physical disks into these virtual volumes.

The performance needed for this solution is delivered by a host of features – including improvements in the SMB protocol, such as SMB Direct and SMB Multichannel, which make use of multiple network connections and RDMA.  Performance is further enhanced in Windows Server 2012 R2, which adds storage tiering capabilities to Storage Spaces.  SSDs and spinning disks can both be part of the virtualized volumes, and Windows Server automatically stores the more frequently accessed data on the faster physical storage for dramatically higher total performance.  You can read more about the storage performance of Windows Server 2012 in an ESG Lab report.

An additional upcoming report includes additional performance validation, such as the table below, which compares 2, 4, 6, and 8 VM SQL workload transactions per second across various storage architectures.


Windows Server 2012 also improved the reliability of File and Storage Services clusters.  Such clusters no longer suffer the brief downtime previously associated with failover scenarios.  Instead, the failure of one node is detected immediately, and service is provided by another cluster node so quickly that the virtualization hosts are not disrupted – they retain access to storage.

The benefits of such a solution are clear. 

  • While it’s always been possible to achieve high levels of performance and reliability, in the past, this required higher costs and proprietary storage management solutions.
  • As both hardware and software technologies have evolved, these capabilities can be delivered with industry-standard hardware, at lower costs.
  • These solutions are easy to scale out as needs grow – as opposed to making bulk investments in proprietary solutions.
  • Your traditional IT administrators can manage familiar file shares with ease.

You can explore these storage capabilities in your own environment.  The Windows Server 2012 R2 Preview is now available for download.  Try it out for yourself.

People-Centric IT with the System Center 2012 R2 and Windows Server 2012 R2 Preview

Hello from the System Center team and all of you participating in TechEd Europe 2013.  We wanted to take this opportunity to provide more technical details on System Center 2012 R2, Intune and Windows Server 2012 R2 so you’ll see some new blog posts today and later this week.  Let’s start first with Windows Server 2012 R2.

Windows Server is the foundation OS for many of our products and it is important to know what we are delivering with the next release. The file system and storage capabilities have been an important role for any server operating system, and that continues today with virtualization and cloud services.  See the Windows Server teams blog post, “Storage Transformation for Your Datacenter” for information on SMB Direct, SMB Multichannel and other storage improvements.

Storage is an integral part of many applications or services and System Center obviously needs to store information about devices it manages in your environment.  This device landscape is vast and includes operating systems other than Windows. Jason Leznek wrote, “Preview New People-centric IT Products Now!” to expand on these capabilities. In that post you will get information on the device operating systems we support, what you can test today, and what is coming in the next release of Windows Intune (not yet available for testing).

Content and Downloads

If the information in the blog posts seems foreign and you want to learn more, be sure to check out all of the sessions in the TechEd Europe 2013 course catalog.  You can watch the sessions live or on-demand.  The sessions are organized by tracks and you can filter in a variety of ways to find a particular topic.

Ready to try the previews for yourself?  Go get the Windows Server 2012 R2, System Center 2012 R2 or SQL Server 2014 R2 previews at the download center.  Enjoy!


MS12-079 – Critical : Vulnerability in Microsoft Word Could Allow Remote Code Execution (2780642) – Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (June 26, 2013): Added a link to Microsoft Knowledge Base Article 2780642 under Known Issues in the Executive Summary.
Summary: This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted RTF file. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.


Build, save and print your own custom book of TechNet Library articles

June 25th, 2013 No comments

Everyone knows there is a lot of great information in the TechNet Library, but what if there was a way to save and organize a custom set of articles with only the information you really want? Or maybe you do a lot of work offsite where you may not have direct access to TechNet and need to take those articles with you on your phone, tablet or laptop for reading offline? Well now you can do all of that. With the Print Multiple Topics beta for TechNet you can build your own custom book of TechNet Library articles, group them in a collection that persists across web sessions, and then print them or export them to a file for later viewing. You’ll need a current browser and a Microsoft ID, so assuming you have those already, here’s how to get started.

To begin creating your own personal collection, go to http://technet.microsoft.com/en-us/library/export/help/. This is the starting page and includes an explanation of the process and a quick guide to show you how it all works. When you’re ready, click on the Start button at the bottom of that page. That will start a new browser window that looks something like this. Note the new toolbar at the top of the page:


From there simply browse TechNet like you normally would and find the article or topic you’re interested in. Then right-click on the article or topic and choose Add This Topic to add the article to your collection, or choose Add This Set of Topics to add all topics under the link in the table of contents in the navigation bar on the left.


Once you’re done adding all of your articles, you can view your collection by clicking the Collection link in the toolbar at the top of the page.


That will bring up the contents of your collection where you can review and rearrange your topics, then print them or save them to HTML or a PDF. Here’s the collection I created, and I’ve decided to save it as a PDF:


Once it was done processing the collection I was prompted to download the file which looks like this.


Now I can take those articles with me or go back and view this custom collection online any time I like. Go ahead and try it out – it’s a really handy feature that I think you’ll end up using quite a bit. I know I do.

J.C. Hornbeck | Knowledge Engineer | Microsoft GBS Management and Security Division


How to get rid of a computer virus

June 25th, 2013 No comments

Is your computer running more slowly than usual? Does it stop responding or freeze often? It might have a virus.

If you can connect to the Internet

These instructions are different depending on which operating system you’re using.

Check your operating system

Windows 8

If your computer is running Windows 8, you can use the built-in Windows Defender to get rid of the virus or other malware.

Windows 7, Windows Vista, Windows XP

If your computer is running Windows 7, Windows Vista, or Windows XP, do the following:

  • Run the Microsoft Safety Scanner. The scanner can be used with any kind of antivirus software (not just antivirus software from Microsoft).
  • Download Microsoft Security Essentials for free. (Note: Some viruses will prevent you from downloading Microsoft Security Essentials.)

If you can’t connect to the Internet

Windows Defender Offline works with Windows 8, Windows 7, Windows Vista, and Windows XP.

Use another computer to download Windows Defender Offline and create a CD, DVD, or USB flash drive.

Windows Defender (built in to Windows 8), Microsoft Security Essentials, and other antivirus software use the Internet to download the latest updates to fight new malware. Windows Defender Offline helps protect against advanced malware that can’t always be detected by antivirus software.

Learn how to use Windows Defender Offline

Learn more

Security researchers: Get paid to thwart cybercriminals. We want your help fighting potential viruses. Microsoft has announced three new bounty programs that offer cash payments in exchange for reporting certain vulnerabilities in and techniques for exploiting Internet Explorer, Windows, and other Microsoft programs. Visit Microsoft.com/BountyPrograms for details.

Microsoft Windows Server 2012 R2 Preview is Now Available for Download

Today at TechEd Europe 2013 we announced availability of the System Center 2012 R2 and Windows Server 2012 R2 previews.  You can download these products right now from the evaluation center.

Windows Server 2012 R2 and System Center 2012 R2 provide a wealth of new advancements to help IT organizations build and deliver private and hybrid cloud infrastructure for their businesses.  Some of the highlights include:

  • Enabling hybrid cloud – Windows Server Hyper-V and System Center enable virtual machine portability across customer, service provider and Windows Azure clouds, while a new System Center Management Pack for Windows Azure enhances cross-cloud management of virtual machine and storage resources.  Windows Azure Backup and Hyper-V Recovery Manager provide offsite backup and disaster recovery options.
  • Windows Azure Pack – provides Windows Azure technology that enterprises and service providers can run on their Windows Server infrastructure for multi-tenant web and virtual machine cloud services.
  • Built-in software-defined networking – Site-to-Site VPN Gateway helps customers seamlessly bridge physical and virtual networks and extend them from their datacenter to service provider datacenters.
  • High performance, cost effective storage – Features such as Storage Spaces Tiering, VHDX resizing and de-duplication for virtual desktop infrastructure provide high performance for critical on-premises workloads (like SQL and Hyper-V) using lower-cost, industry-standard hardware.
  • Empowering employee productivity – Windows Server Work Folders, Web App Proxy, improvements to Active Directory Federation Services and other technologies will help companies give their employees consistent access to company resources on the device of their choice.

This and a number of other announcements are highlighted on the Server and Cloud Blog post, “TechEd Europe Launches with Cloud OS Product Previews, Partner Announcements and Customer Case Studies”.  Be sure to take a look at it.  There is a wealth of information on the products, Brad Anderson’s keynote and blog post links, press release links and more!

For those of you interested in the TechEd sessions for Windows Server, be sure to review the Modern Datacenter track in the catalog. Additional filtering can be applied with the tagging to get right at the Windows Server sessions you might be interested in.  There are sessions on virtualization, storage, management, security, etc. Enjoy!

Microsoft System Center 2012 R2 Preview is Now Available for Download

Today at TechEd Europe 2013 we announced availability of the System Center 2012 R2 and Windows Server 2012 R2 previews.  You can download these products right now from the evaluation center.

Windows Server 2012 R2 and System Center 2012 R2 provide a wealth of new advancements to help IT organizations build and deliver private and hybrid cloud infrastructure for their businesses.  Some of the highlights include:

  • Enabling hybrid cloud – Windows Server Hyper-V and System Center enable virtual machine portability across customer, service provider and Windows Azure clouds, while a new System Center Management Pack for Windows Azure enhances cross-cloud management of virtual machine and storage resources.  Windows Azure Backup and Hyper-V Recovery Manager provide offsite backup and disaster recovery options.
  • Windows Azure Pack – provides Windows Azure technology that enterprises and service providers can run on their Windows Server infrastructure for multi-tenant web and virtual machine cloud services.
  • Built-in software-defined networking – Site-to-Site VPN Gateway helps customers seamlessly bridge physical and virtual networks and extend them from their datacenter to service provider datacenters.
  • High performance, cost effective storage – Features such as Storage Spaces Tiering, VHDX resizing and de-duplication for virtual desktop infrastructure provide high performance for critical on-premises workloads (like SQL and Hyper-V) using lower-cost, industry-standard hardware.
  • Empowering employee productivity – Windows Server Work Folders, Web App Proxy, improvements to Active Directory Federation Services and other technologies will help companies give their employees consistent access to company resources on the device of their choice.

This and a number of other announcements are highlighted on the Server and Cloud Blog post, “TechEd Europe Launches with CloudOS Product Previews, Partner Announcements and Customer Case Studies”.  Be sure to take a look at it.  There is a wealth of information on the products, Brad Anderson’s keynote and blog post links, press release links and more!

For those of you interested in the TechEd sessions for System Center, be sure to review the Modern Datacenter track in the catalog. Additional filtering can be applied with the tagging to get right at the System Center sessions you are looking for.

MS13-029 – Critical : Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2828223) – Version: 2.0

Severity Rating: Critical
Revision Note: V2.0 (June 25, 2013): Revised bulletin to rerelease the 2813347 update for Remote Desktop Connection 7.0 Client on Windows XP Service Pack 3. Microsoft recommends that customers running the affected software apply the rereleased security update immediately. For more information, see the Update FAQ.
Summary: This security update resolves a privately reported vulnerability in Windows Remote Desktop Client. The vulnerability could allow remote code execution if a user views a specially crafted webpage. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.


Summary for April 2013 – Version: 4.0

Revision Note: V4.0 (June 25, 2013): For MS13-029, revised bulletin to rerelease the 2813347 update for Remote Desktop Connection 7.0 Client on Windows XP Service Pack 3. See bulletin for details.
Summary: This bulletin summary lists security bulletins released for April 2013.


Investigation of a new undocumented instruction trick

June 25th, 2013 No comments

While investigating some new malware samples this week, we came across a few interesting files that use a new trick with an undocumented instruction. We had to do a bit of digging around the Intel instructions list to solve this little mystery. While it turned out that the trick itself isn’t effective in complicating debugging and disassembly, we think it’s worth sharing anyway, as we’re now seeing three different malware variants using it.

One of the samples flagged by our systems (SHA1:3d85cc93115c1ebfdeba17b54d6570e06c1bb2f5) looked nothing out of the ordinary in the beginning. It has the usual custom packer to deter analysis and detection, and is malformed to confuse various tools:

[screenshot not preserved]

The really interesting part though is immediately at the entry point:

[screenshot not preserved]

According to Intel manuals, the instructions highlighted are invalid instructions, which would make the application crash if executed. This actually contradicts our experience – in our systems, the file ran in a virtual machine. Because of this, we decided that we should dig deeper and check to see where the problem resides.

We tried to see if other tools that we commonly use correctly interpreted and disassembled the instructions:

[screenshot not preserved]

All tools gave different results for the same instructions. At this point, we suspected that we were dealing with an undocumented instruction of which the tools weren’t aware.

To continue investigation, we chose to use a disassembler library from Intel, which gave us the following disassembly:

[screenshot not preserved]

Searching for these instructions revealed that they are undocumented FPU instructions, leading to incorrect disassembly in different reversing tools.
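The post does not say which opcodes the samples carry, so the following added example (not code from the MMPC post) uses FFREEP st(0), encoded as the bytes DF C0, as an assumed stand-in: it is absent from the Intel manual's opcode tables, yet x87-capable CPUs execute it. The program installs a SIGILL handler and runs the raw bytes through inline assembly, so an analyst can confirm on real hardware whether an "invalid" encoding actually executes, which is the contradiction the post ran into, without the test process crashing.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not code from the MMPC post. The post does not name the
 * opcodes the samples use, so FFREEP st(0) (bytes DF C0) is assumed here as
 * a stand-in: it is absent from the Intel manual's opcode tables but every
 * x87-capable CPU executes it (free st(0) and pop).
 */
static const unsigned char kProbeBytes[] = { 0xDF, 0xC0 };

static sigjmp_buf probe_env;

/* If the CPU rejects the opcode, the kernel raises SIGILL; unwind to the probe. */
static void on_sigill(int sig)
{
    (void)sig;
    siglongjmp(probe_env, 1);
}

/*
 * Returns 1 if the raw opcode bytes executed, 0 if the CPU raised #UD
 * (SIGILL), and -1 when built for a non-x86 target where nothing is probed.
 * Trapping SIGILL instead of letting the process die is how an analyst can
 * test an "invalid" encoding on real hardware without crashing the harness.
 */
int undocumented_fpu_executes(void)
{
#if defined(__i386__) || defined(__x86_64__)
    struct sigaction sa, old;
    volatile int executed = 0;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigill;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGILL, &sa, &old);

    /* savemask=1 so the signal mask is restored if we longjmp out of the handler. */
    if (sigsetjmp(probe_env, 1) == 0) {
        /* fld1 pushes 1.0 so st(0) is occupied; the raw bytes then run
         * FFREEP st(0), which the manual's opcode tables do not list. */
        __asm__ __volatile__(
            "fld1\n\t"
            ".byte 0xDF, 0xC0\n\t"
            : : : "memory");
        executed = 1;
    }

    sigaction(SIGILL, &old, NULL);
    return executed;
#else
    return -1;
#endif
}

int main(void)
{
    int r = undocumented_fpu_executes();
    printf("probe bytes %02X %02X: %s\n", kProbeBytes[0], kProbeBytes[1],
           r == 1 ? "executed" : r == 0 ? "raised SIGILL" : "not x86");
    return 0;
}
```

On an x86 host the probe reports "executed", which is exactly why the sample ran in the virtual machine even though the static tools disagreed about the bytes: the disassemblers work from the documented tables, the CPU does not. The same SIGILL-trapping pattern can be reused to check any other encoding an analyst is unsure about.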

Because this had piqued our curiosity, we asked ourselves who employs this trick and when it first appeared in the wild.

The first sample we noticed using this trick reached our systems on January 10, 2013, from a VirusTotal submission. The sample (SHA1: 7403f5e5a88b26001295fd201d490fbb4854e061) is detected as Backdoor:Win32/Farfli.AV. This sample was not packed or protected in any way and was only using this instruction trick.

Since January we have also seen the Trojan:Win32/Danglo family and Backdoor:Win32/Zegost.B using this trick.

Searching the underground forums for mentions of this trick didn’t yield any results. The number of families using this technique is relatively small so it raises some interesting questions: are these families related? How are the authors, if they’re different people, sharing information?

One thing is for sure, malware authors continue to struggle in their attempts to evade detection.

Daniel Radu
MMPC Munich


Enhancements to Behavior Monitoring and Network Inspection System in the Microsoft anti-malware platform

June 24th, 2013 No comments

Behavior Monitoring (BM) has been a vital part of finding new malware through our telemetry and sample collection processes since 2010. It’s also a protection feature, which I’ll discuss below. Our recent antimalware platform update has introduced network real-time inspection (NRI) to BM, giving much-needed network behavior coverage. NRI uses the same components as another feature in the platform, Network Inspection System (NIS), but does so in a significantly different way…

Read the complete post at http://blogs.technet.com/b/configmgrteam/archive/2013/06/24/enhancements-to-behavior-monitoring-and-network-inspection-system-in-the-microsoft-anti-malware-platform.aspx
