Archive for November, 2014

2755801 – Update for Vulnerabilities in Adobe Flash Player in Internet Explorer – Version: 32.0

Revision Note: V32.0 (November 25, 2014): Added the 3018943 update to the Current Update section.
Summary: Microsoft is announcing the availability of an update for Adobe Flash Player in Internet Explorer on all supported editions of Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10 and Internet Explorer 11.

Categories: Uncategorized Tags:

Security Bulletin MS14-068 released

November 20th, 2014

Today, we released an out-of-band security update to address a vulnerability in Kerberos which could allow Elevation of Privilege. This update is for all supported versions of Windows Server and includes a defense-in-depth update for all supported versions of Windows.

We strongly encourage customers to apply this update as soon as possible by following the directions in Security Bulletin MS14-068.

Tracey Pretorius, Director
Response Communications

Categories: OOB, Security Bulletin, Windows Tags:

An inside look: gathering and analyzing the SIR data

November 19th, 2014

At the Microsoft Malware Protection Center, threat data is a critical source of information to help protect our customers. We use it to understand what’s going on in the overall malware ecosystem, determine the best way to protect our customers, and find the most effective way to deliver that protection.

We also use the data to produce a number of reports for our customers, including our twice-yearly Security Intelligence Report (SIR). This blog post gives you a behind-the-scenes look at how we collect and analyze the data, and how we evolve the SIR to better serve our customers' needs.

Collecting the data

We start by pulling together all the data needed to generate the report. Through our real-time protection (RTP) products and the monthly-released Malicious Software Removal Tool (MSRT) we receive valuable data when customers opt in to help improve protections by sharing their malware encounters. In Windows Defender, for example, you can view this under Settings > MAPS:

[Screenshot: the "Activate MAPS" option under Windows Defender Settings > MAPS]

We use this information in a number of ways. For example, reports from the MSRT let us compute infection rates (the number of computers per thousand on which we detect and remove malware). Encounter rates (the percentage of reporting computers on which we encounter a threat) are calculated from RTP product data.

Both infection rates and encounter rates are reported in the SIR. For each reporting period we break down the data by a number of different categories: by country, by platform, by malware family, and so on. We use our big data platform (COSMOS), the same platform that powers Bing, to do much of the data processing and aggregation work. COSMOS can take the terabytes of telemetry we receive and turn it into organized, structured, and consumable groupings.
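The two metrics defined above, computed from raw telemetry and broken down by category the way the SIR does it. This is an added example, not MMPC code, and every record in it is constructed sample data: infection rate is machines cleaned per 1,000 MSRT executions, encounter rate is the percentage of RTP-reporting machines with at least one detection, and both are grouped by any key you pass (country, platform, and so on). The family-level ranking reproduces the "top families by country" view discussed later in the post.

```python
"""Computing the two SIR metrics from raw telemetry (added example, not MMPC code).

Infection rate: machines per 1,000 MSRT executions on which malware was removed.
Encounter rate: percentage of machines running a real-time protection (RTP)
product that reported at least one detection. Both are grouped by an arbitrary
key (country, platform, ...). All records below are constructed sample data.
"""
from collections import Counter, defaultdict
from typing import Callable, Dict, Hashable, List, Tuple

# Constructed MSRT reports: one row per machine that ran the monthly tool.
# "cleaned" lists the families MSRT removed (empty when nothing was found).
MSRT_REPORTS: List[dict] = [
    {"machine": "m01", "country": "US", "platform": "Win8.1", "cleaned": ["Conficker"]},
    {"machine": "m02", "country": "US", "platform": "Win7",   "cleaned": []},
    {"machine": "m03", "country": "US", "platform": "Win7",   "cleaned": ["Zbot"]},
    {"machine": "m04", "country": "US", "platform": "Win8.1", "cleaned": []},
    {"machine": "m05", "country": "DK", "platform": "Win8.1", "cleaned": []},
    {"machine": "m06", "country": "DK", "platform": "Win7",   "cleaned": []},
    {"machine": "m07", "country": "DK", "platform": "Win8.1", "cleaned": []},
    {"machine": "m08", "country": "DK", "platform": "Win7",   "cleaned": ["FakePAV"]},
    {"machine": "m09", "country": "NO", "platform": "Win8.1", "cleaned": []},
    {"machine": "m10", "country": "NO", "platform": "Win7",   "cleaned": []},
]

# Constructed RTP reports: one row per machine running a real-time product,
# with the families it blocked during the period (possibly none).
RTP_REPORTS: List[dict] = [
    {"machine": "r01", "country": "US", "encountered": ["Conficker", "Zbot"]},
    {"machine": "r02", "country": "US", "encountered": []},
    {"machine": "r03", "country": "US", "encountered": ["Zbot"]},
    {"machine": "r04", "country": "US", "encountered": []},
    {"machine": "r05", "country": "DK", "encountered": ["FakePAV"]},
    {"machine": "r06", "country": "DK", "encountered": []},
    {"machine": "r07", "country": "DK", "encountered": []},
    {"machine": "r08", "country": "DK", "encountered": []},
    {"machine": "r09", "country": "NO", "encountered": []},
    {"machine": "r10", "country": "NO", "encountered": []},
    {"machine": "r11", "country": "NO", "encountered": ["FakePAV"]},
    {"machine": "r12", "country": "NO", "encountered": []},
]

KeyFn = Callable[[dict], Hashable]


def _rate(reports: List[dict], key: KeyFn, hit: Callable[[dict], bool],
          scale: float) -> Dict[Hashable, float]:
    """Generic grouped rate: (machines where hit() is true / machines in group) * scale."""
    totals: Dict[Hashable, int] = defaultdict(int)
    hits: Dict[Hashable, int] = defaultdict(int)
    for r in reports:
        k = key(r)
        totals[k] += 1
        if hit(r):
            hits[k] += 1
    return {k: round(scale * hits[k] / totals[k], 1) for k in totals}


def infection_rate_per_thousand(reports: List[dict], key: KeyFn) -> Dict[Hashable, float]:
    """Infection rate: machines cleaned per 1,000 MSRT executions, per group."""
    return _rate(reports, key, lambda r: bool(r["cleaned"]), 1000.0)


def encounter_rate_percent(reports: List[dict], key: KeyFn) -> Dict[Hashable, float]:
    """Encounter rate: percentage of RTP machines that reported any detection, per group."""
    return _rate(reports, key, lambda r: bool(r["encountered"]), 100.0)


def family_encounter_rate_percent(reports: List[dict], family: str) -> float:
    """Percentage of all RTP machines that encountered one specific family."""
    hits = sum(1 for r in reports if family in r["encountered"])
    return round(100.0 * hits / len(reports), 1)


def top_families(reports: List[dict], country: str) -> List[Tuple[str, int]]:
    """Families ranked by how many machines in one country encountered them
    (the 'top families by country' view; ties broken alphabetically)."""
    counts = Counter(f for r in reports if r["country"] == country for f in r["encountered"])
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("Infection rate by country:", infection_rate_per_thousand(MSRT_REPORTS, lambda r: r["country"]))
    print("Infection rate by platform:", infection_rate_per_thousand(MSRT_REPORTS, lambda r: r["platform"]))
    print("Encounter rate by country:", encounter_rate_percent(RTP_REPORTS, lambda r: r["country"]))
    print("FakePAV encounter rate:", family_encounter_rate_percent(RTP_REPORTS, "FakePAV"))
    print("Top families, DK:", top_families(RTP_REPORTS, "DK"))
```

With ten and twelve constructed records the per-thousand figures come out far larger than anything the SIR reports; the shape of the computation is the point, and the same functions work unchanged over millions of rows.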

Analysis time

Once we have our data organized, we can begin our analysis. This is where the powerful Excel Power BI tools come into play. We have to say, this is our favorite part of the process. Think of it like you’re trying to solve a mystery, without knowing what mystery you are trying to solve. We start by asking a series of questions about the data – What caused a dip in the trend here, or a spike there? Why were the encounter rates for this platform a particular value for this time period? Why did some infections affect a particular country, but not others?

Sometimes the questions have obvious answers, and sometimes they don’t. Despite the abundance of telemetry that we have, the types of data we collect are limited. Sometimes we come across a question that we don’t know the answer to. For example, why is Conficker still such a prevalent threat on enterprise PCs after all these years (it’s second among the top ten families encountered on domain-joined computers for the first half of 2014)? We discovered Conficker in 2009; it’s been in MSRT since the same year, and yet it’s still prevalent. Why haven’t we totally killed it yet?

We have strong antimalware detection signatures for Conficker, and the family is effectively starved (it no longer communicates back to its authors). But Conficker does use a variety of distribution methods: removable drives, an OS vulnerability, spam, and weak passwords. It was this last condition that we found to be the answer, as we blogged about when we released the SIR in 2012.

Another question might be, why is FakePAV, a Rogue family, among the top ten encountered families for Denmark and Norway? Rogues have undergone a dramatic decline in the last few years (if you’re a regular reader of the SIR, you will have noticed this trend), yet Denmark and Norway, which have two of the lowest encounter rates among all countries, still have FakePAV in their top ten list. Our theory is that rogues exist to steal money from people, and from the bad guys’ perspective it makes sense to target wealthier countries. In the past four quarters, FakePAV appeared in only 16 countries, the majority of which are in the G20.

Continuous improvement

One last thing we consider when we’re doing our data gathering and analysis for the SIR is – as with all our products – updates and improvements. These improvements help us to gather more accurate data, and more accurate data improves our ability to provide actionable guidance to help protect our customers.

For example, in October 2014, we increased our MSRT sampling rate for our entire population from 0.1% to 10%, and then to 100%. This means that the infection reports we get from MSRT are now a 100% accurate representation of the ecosystem, whereas we previously had to extrapolate infection rates based on assumptions we made about the entire population of our customers. With our improved sampling, we can now say exactly what the infection rate is and exactly which types of computers are at a greater risk of infection. Not only does this help us prioritize our protection efforts, it also helps us to more accurately gauge infection rates over time – including how different malware families impact our customers differently, and the best way to stop them.
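What the move from a 0.1% sample to a full census buys, shown numerically. This is an added example and not MMPC code: it builds a constructed population of machines that ran MSRT, extrapolates an infection rate from random subsets at the three sampling rates named above, and compares each estimate with the exact per-thousand rate from counting every machine, alongside the binomial standard error that an extrapolated estimate carries. The population size and the infection probability are assumptions chosen for the illustration.

```python
"""Extrapolating an infection rate from a sample versus counting the census
(added example, not MMPC code; constructed population, not real telemetry).

Rates are expressed as in the SIR: infected machines per 1,000 MSRT executions.
"""
import math
import random

POPULATION_SIZE = 200_000       # constructed number of MSRT executions
TRUE_INFECTION_PROB = 0.015     # constructed: about 15 infected machines per 1,000


def build_population(size: int, infection_prob: float, seed: int = 2014) -> list:
    """One boolean per machine: True if MSRT found and removed malware."""
    rng = random.Random(seed)
    return [rng.random() < infection_prob for _ in range(size)]


def infection_rate_per_thousand(infected_flags: list) -> float:
    return 1000.0 * sum(infected_flags) / len(infected_flags)


def extrapolate_from_sample(population: list, sampling_rate: float, seed: int = 2014) -> tuple:
    """Estimate the rate from a random subset (what a 0.1% or 10% sampling rate
    forces) and return (estimate, sample_size). A rate of 1.0 is the census."""
    n = max(1, round(len(population) * sampling_rate))
    sample = random.Random(seed).sample(population, n)
    return infection_rate_per_thousand(sample), n


def standard_error_per_thousand(p: float, n: int, population_size: int) -> float:
    """Binomial standard error of the per-thousand estimate, with the
    finite-population correction so a full census has zero sampling error."""
    if n >= population_size:
        return 0.0
    fpc = (population_size - n) / (population_size - 1)
    return 1000.0 * math.sqrt(p * (1.0 - p) / n * fpc)


def compare_sampling_rates(population: list, rates=(0.001, 0.10, 1.0)) -> tuple:
    """Return (true_rate, rows); each row records one sampling rate's estimate,
    its error against the census rate, and the theoretical standard error."""
    true_rate = infection_rate_per_thousand(population)
    p = true_rate / 1000.0
    rows = []
    for rate in rates:
        estimate, n = extrapolate_from_sample(population, rate)
        rows.append({
            "sampling_rate": rate,
            "sample_size": n,
            "estimate": estimate,
            "error": estimate - true_rate,
            "standard_error": standard_error_per_thousand(p, n, len(population)),
        })
    return true_rate, rows


if __name__ == "__main__":
    pop = build_population(POPULATION_SIZE, TRUE_INFECTION_PROB)
    census_rate, table = compare_sampling_rates(pop)
    print(f"census infection rate: {census_rate:.2f} per 1,000")
    for row in table:
        print(f"sampling {row['sampling_rate'] * 100:5.1f}%  n={row['sample_size']:6d}  "
              f"estimate={row['estimate']:6.2f}  error={row['error']:+6.2f}  "
              f"std.err={row['standard_error']:.2f}")
```

At a 0.1% sampling rate the sample holds only 200 machines, so the estimate can only move in steps of 5 per thousand and its standard error is more than half the rate being measured; at 10% the error shrinks by a factor of ten, and at 100% it is zero, which is the difference between "we extrapolate" and "we can say exactly what the infection rate is".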

Another recent change was the tightening of our objective criteria for adware. This meant dropping the word “potentially” from the phrase “potentially unwanted software”. Software is either wanted by the user or not. Because of this change, we now track adware encounter rates in the SIR to provide a better picture of adware prevalence, as compared to other types of threats.

The SIR is just like any other product or service: we are continuously striving to improve our features, delivery, and output. There’s a wealth of data in the latest version of the SIR. It is our hope that by sharing our data and insights with our customers, we can help them create better security policies and programs that more effectively protect against threats for their clients, organization or region. If you haven’t seen the latest Security Intelligence Report, we encourage you to visit www.microsoft.com/sir and download your free copy today.

Ina Ragragio and Joe Blackbird
MMPC

Categories: Uncategorized Tags:

Out-of-band release for Security Bulletin MS14-068

November 18th, 2014

On Tuesday, November 18, 2014, at approximately 10 a.m. PST, we will release an out-of-band security update to address a vulnerability in Windows.

We strongly encourage customers to apply this update as soon as possible, following the directions in the security bulletin.

More information about this bulletin can be found at Microsoft’s Bulletin Summary page.

Tracey Pretorius, Director
Response Communications

Categories: OOB, Security Bulletin, Windows Tags:

Out-of-band release for Security Bulletin MS14-068

November 18th, 2014

On Tuesday, November 18, 2014, at approximately 10 a.m. PST, we will release an out-of-band security update to address a vulnerability in Windows.

We strongly encourage customers to apply this update as soon as possible, following the directions in the security bulletin.

More information about this bulletin can be found at Microsoft’s Advance Notification Service page.

Tracey Pretorius, Director
Response Communications

Categories: OOB, Security Bulletin, Windows Tags:

MS14-066 – Critical: Vulnerability in Schannel Could Allow Remote Code Execution (2992611) – Version: 2.0

Severity Rating: Critical
Revision Note: V2.0 (November 18, 2014): Bulletin revised to announce the reoffering of the 2992611 update to systems running Windows Server 2008 R2 and Windows Server 2012. The reoffering addresses known issues that a small number of customers experienced with the new TLS cipher suites that were included in the original release. Customers running Windows Server 2008 R2 or Windows Server 2012 who installed the 2992611 update prior to the November 18 reoffering should reapply the update.
Summary: This security update resolves a privately reported vulnerability in the Microsoft Secure Channel (Schannel) security package in Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows server.

Categories: Uncategorized Tags:

MS14-NOV – Microsoft Security Bulletin Summary for November 2014 – Version: 2.0

Revision Note: V2.0 (November 18, 2014): Bulletin Summary revised to document the out-of-band release of MS14-068 and, for MS14-066, to announce the reoffering of the 2992611 update to systems running Windows Server 2008 R2 and Windows Server 2012.
Summary: This bulletin summary lists security bulletins released for November 2014.

Categories: Uncategorized Tags:

MS14-068 – Critical: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (November 18, 2014): Bulletin published
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows Kerberos KDC that could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account. An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers. An attacker must have valid domain credentials to exploit this vulnerability. The affected component is available remotely to users who have standard user accounts with domain credentials; this is not the case for users with local account credentials only. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability.

Categories: Uncategorized Tags:

MS14-NOV – Microsoft Security Bulletin Advance Notification for November 2014 – Version: 2.0

Revision Note: V2.0 (November 18, 2014): Advance notification published.
Summary: This is an advance notification for one out-of-band security bulletin that Microsoft is intending to release on November 18, 2014.

Categories: Uncategorized Tags:

EF6.1.2 Beta 2 Available

November 14th, 2014

Today we are making Beta 2 of the EF6.1.2 release available. This patch release contains bug fixes and some contributions from our community.

When will EF6.1.2 RTM?

We were originally planning to go straight to RTM from Beta 1. However, we ended up taking a number of important bug fixes after Beta 1 shipped and we decided that the churn in the code base warranted another pre-release before we RTM. The pre-releases are important because they allow our customers and provider/extension writers to report any issues before we ship the RTM release.

Our plan is to ship RTM sometime next month. This may change if we have additional high priority bugs reported on Beta 2.

What’s in Beta 2?

EF6.1.2 is mostly about bug fixes; you can see a list of the fixes included in EF6.1.2 on our CodePlex site.

We also accepted a couple of noteworthy changes from members of the community:

  • Query cache parameters can be configured from the app.config/web.config file:
    <entityFramework>
      <queryCache size='1000' cleaningIntervalInSeconds='-1'/>
    </entityFramework>
  • SqlFile and SqlResource methods on DbMigration allow you to run a SQL script stored as a file or embedded resource.
  • DbContext.Database.CurrentTransaction gives you access to the transaction the underlying store connection is enlisted in.

Where do I get the beta?

The runtime is available on NuGet. Follow the instructions on our Get It page for installing the latest pre-release version of Entity Framework runtime.

The tooling for Visual Studio 2012, Visual Studio 2013, and Visual Studio 2015 Preview is available on the Microsoft Download Center.

Support

This is a preview of changes that will be available in the final release of EF6.1.2 and is designed to allow you to try out the new features and report any issues you encounter. Microsoft does not guarantee any level of support on this release.

If you need assistance using the new features, please post questions on Stack Overflow using the entity-framework tag.

Thank you to our contributors

We’d like to say thank you to folks from the community who have contributed to the 6.1.2 release so far:

  • BrandonDahler
  • ErikEJ
  • Honza Široký
  • martincostello
  • UnaiZorrilla

Expired antimalware software is nearly as unsafe as having no protection at all

November 12th, 2014

Analyzing data to find the root cause of infections has been a long-standing focus of the MMPC. One area we've been investigating is the correlation between endpoint protection and infection rates. Back in version 14 of the Security Intelligence Report (SIRv14), we first published data on infection rates for PCs protected with fully up-to-date antimalware software in comparison to those that either had no antimalware software or had software that was not turned on or not fully current. We discovered that PCs are 5.5 times more likely to be infected if they aren't protected with a fully up-to-date antimalware product.

This data drove the MMPC to a new tenet – get everyone protected – and led to some changes in Windows 8 to help ensure that as many people as possible are running real-time, up-to-date antimalware software. Alas, we know that some customers, even on Windows 8, are in an unprotected state, leaving their computers prone to infection. So, over the past six months we've been digging deeper into the data to learn more about unprotected PCs. We published our findings in version 17 of the Security Intelligence Report, released today (SIRv17).

Here's what we found. On Windows 8, it appears that the number one reason people are unprotected is that their antimalware has gone into an expired state. Stated another way, more than one half of all unprotected Windows 8 PCs are unprotected because they are running expired security software. An expired state happens when a trial version of an antimalware product has reached the end of the trial. The product may continue to inform you that you need to pay for the software to continue receiving updates, but it stops downloading the updates that protect your PC. This often happens when you buy a PC from an online or local store and that PC is preloaded with lots of software.

People may believe that an antimalware product is still protecting them even if it hasn't downloaded updates in a while. The data says otherwise. When we compared the infection rates on PCs with expired antimalware, we found that infection rates were nearly the same as PCs with no protection. The following chart shows the infection rate of PCs with expired antimalware products and other unprotected states, in comparison to a protected PC.

[Chart: infection rates of PCs with expired antimalware and other unprotected states, compared to a fully protected PC]

A PC with expired antimalware protection was nearly four times more likely to be infected with malware in comparison to a fully protected PC.

So we have more work ahead of us. First, we've been working with security software vendors in our MVI program to help them understand their impact on people that are left in an expired state. Since March, we have been providing monthly reports that show their percentage of unprotected customers, their infection rates and other information to help them keep their customers safer. We also made some updates in Windows 8.1 to help close the time gap on how long a person will be left in an expired state.

Lastly, we hope that the data in SIRv17 will demonstrate that people running expired software should not be lulled into thinking that an outdated security product will provide adequate protection. We urge people to upgrade to the paid version of their antimalware product, or download a free antimalware product, such as Microsoft Security Essentials or Windows Defender (which comes pre-installed on Windows 8.1 and Windows 8).

Holly Stewart
MMPC

Categories: Uncategorized Tags:

November 2014 Updates

November 11th, 2014

Today, as part of Update Tuesday, we released 14 security updates – four rated Critical, nine rated Important, and two rated Moderate, to address 33 Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows, Internet Explorer (IE), Office, .NET Framework, Internet Information Services (IIS), Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), Input Method Editor (IME) (Japanese), and Kernel Mode Driver (KMD).

We encourage you to apply all of these updates, but for those who need to prioritize deployment planning, we recommend focusing on the Critical updates first. For additional insight on deployment priority, review the Security Research and Defense blog “Assessing risk for the November 2014 security updates.”

For more information about this month’s security updates, including the detailed view of the Exploit Index (XI) broken down by each CVE, visit the Microsoft Bulletin Summary webpage. If you are not familiar with how we calculate XI, a full description can be found here.

We re-released one security advisory this month:

In related security news, through Microsoft Update, we are expanding best-in-class encryption protections to older, supported versions of Windows and Windows Server. To learn more, visit the Microsoft Cyber Trust blog.

For the latest information, you can follow the MSRC team on Twitter at @MSFTSecResponse.

Tracey Pretorius, Director
Response Communications

3010060 – Vulnerability in Microsoft OLE Could Allow Remote Code Execution – Version: 2.0

Revision Note: V2.0 (November 11, 2014): Advisory updated to reflect publication of security bulletin.
Summary: Microsoft has completed the investigation into a public report of a vulnerability. We have issued Microsoft Security Bulletin MS14-064 to address this issue. For more information about this issue, including download links for an available security update, please review the security bulletin. The vulnerability addressed is the Windows OLE Remote Code Execution Vulnerability – CVE-2014-6352.

Categories: Uncategorized Tags:

MSRT November 2014 – Tofsee

November 11th, 2014 No comments

This month we added the Win32/Tofsee and Win32/Zoxpng malware families to the Malicious Software Removal Tool.

Zoxpng is a backdoor component that executes commands sent by a remote attacker. It is related to Win32/Hikiti and the other threats added to the MSRT last month. Let’s take a closer look at Tofsee, the email-spamming malware family.

Tofsee is a multi-component malware family made up of three components: a loader, its main spambot payload, and plugins. Its primary payload is a spambot that is used to send spam email messages with malicious attachments from an infected PC. 

Tofsee loader and telemetry

The loader component of the Tofsee malware family is usually distributed via spam and phishing, social engineering, and exploit kits (such as Nuclear EK). Its purpose is to drop and execute the spambot binary. Like many other malware families, the payload binary tries to hide its activity by spawning an svchost.exe process and injecting its code into it.

The spambot survives a reboot by adding one of the following values to the current user's autorun registry key:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Sets value: "MSConfig"
With data: <PayloadBinary_Path>

or

Sets value: "SessionInit"
With data: <PayloadBinary_Path>
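As an added example (not code from the MMPC post), the following Python check looks for those two value names in the current user's Run key. It also applies an extra heuristic that is my assumption rather than something the post states: any Run entry whose executable lives in a user-writable directory is flagged for review. Live reading uses the standard-library winreg module and therefore only works on Windows; the constructed sample entries let the logic run anywhere.

```python
import sys

# Autorun key Tofsee's spambot writes to (HKCU hive).
RUN_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Value names the post attributes to Tofsee.
TOFSEE_VALUE_NAMES = {"MSConfig", "SessionInit"}

# Assumption (not from the post): a Run entry whose binary lives in a
# user-writable location deserves a look even if the value name differs.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed sample of HKCU\...\Run values: one legitimate-looking entry
# and one shaped like the Tofsee persistence described in the post.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "SessionInit": r"C:\Users\alice\AppData\Roaming\svchost.exe",
}


def executable_path(data):
    """Strip quotes and arguments from a Run value so the path can be inspected."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def suspicious_run_entries(values):
    """Return [(name, data, [reasons])] for Run entries worth investigating."""
    findings = []
    for name, data in values.items():
        reasons = []
        if name in TOFSEE_VALUE_NAMES:
            reasons.append("value name matches Tofsee persistence")
        path = executable_path(str(data)).lower()
        if any(hint in path for hint in USER_WRITABLE_HINTS):
            reasons.append("executable under a user-writable directory")
        if reasons:
            findings.append((name, data, reasons))
    return findings


def read_hkcu_run():
    """Read HKCU Run values with winreg (Windows only)."""
    import winreg  # standard library, but only importable on Windows
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_SUBKEY) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:  # raised once there are no more values
                break
            values[name] = data
            index += 1
    return values


if __name__ == "__main__":
    values = read_hkcu_run() if sys.platform == "win32" else SAMPLE_RUN_VALUES
    for name, data, reasons in suspicious_run_entries(values):
        print(f"{name}: {data}\n    " + "; ".join(reasons))
```

On a Windows host the script reads the live key; elsewhere it runs over the constructed sample and reports the SessionInit entry with both reasons. The value-name match is the post's indicator; treat the path heuristic as a triage hint, not a verdict.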

The graphs below show the machine and file prevalence trends for Tofsee over the past 12 months. Telemetry shows that more than 50 percent of October detections were of the malicious code injected into the svchost process. The rest of the telemetry comprises the dropper, payload, and plugins, which are usually caught by our generic signatures.

Figure 1: Monthly machine telemetry for Tofsee

Figure 2: Monthly file telemetry for Tofsee

Spambot component

Tofsee builds spam emails that carry an attached HTML file. The HTML is generated dynamically from a template received from the remote command and control (C&C) server.

Below is an example snapshot of the spam email.

Figure 3: Snapshot of Tofsee spam email

The template is large and contains variables that are replaced with data retrieved from the C&C server. For example, the configuration information contains a variable named %LO_BODY_5FARM that holds a predefined HTML template similar to this:

<html><head><meta http-equiv="Content-Type" content="text/html; charset=%CHARSET"><title>%RT_2</title></head><body bgcolor="#F%RND_HEXF%RND_HEXF%RND_HEX" text="#0%RND_DIGIT0%RND_DIGIT0%RND_DIGIT">%SYS_RN<div id="%RND_char[3-8]" style='font-size:22pt'><b>%{Dear}{Hello}{Hey}{Hi}{Good day}{Good Afternoon}{Good Evening}{Good time}{Greetings}%{ }{, } <u>%TO_NAME</u>%RND_DEXL Your health is our main concern%RND_DEXL</b></div>%SYS_RN<div style='color:#F%RND_HEXF%RND_HEXF%RND_HEX; font-size:%RND_NUM[2-5]px'>%{%RT_1}{%RT_1. %RT_1}%{}{.}</div>%SYS_RN<div id='%RND_char[3-8]' style='color:#F%RND_HEX0%RND_HEX0%RND_HEX; font-size:18pt'>%{Look at}{Take a look at}{Note}{Check out} our new <b>AUTUMN</b> offers and save HUGE on the best %{meds}{drugs}{medications}%RND_DEXL</div>%SYS_RN<div style='color:#F%RND_HEXF%RND_HEXF%RND_HEX; font-size:%RND_NUM[2-5]px'>%{%RT_1}{%RT_1. %RT_1}%{}{.}</div>%SYS_RN<div id='%RND_char[3-8]' style='font-size:18pt'><b>%{Today&#39;s Bestsellers}{Bestsellers}{Most Popular Products}{The Best Products}{Bestseller Products}{Best-Selling Products}{Top Bestsellers}{The Best Prices For}{Top-Sellers Today}{Best Prices On}{Unprecedented Prices On}:</b></div>%SYS_RN<div style='color:#F%RND_HEXF%RND_HEXF%RND_HEX; font-size:%RND_NUM[2-5]px'>%{%RT_1}{%RT_1. 
%RT_1}%{}{.}</div>%SYS_RN<table cellspacing='%RND_NUM[4-12]'>%SYS_RN<tr>%SYS_RN<td><font color='#0%RND_HEX0%RND_HEX8%RND_HEX'>MEN&#39;S SEXUAL HEALTH:</font></td>%SYS_RN<td><font color='#0%RND_HEX0%RND_HEX8%RND_HEX'>GENERAL HEALTH:</font></td>%SYS_RN</tr>%SYS_RN<tr>%SYS_RN<td>- <b>Viagra</b> as low as <font color='#F%RND_HEX0%RND_HEX0%RND_HEX'><b>$0.99</b></font><br>%SYS_RN- <b>Cialis</b> as low as <font color='#F%RND_HEX0%RND_HEX0%RND_HEX'><b>$1.59</b></font><br>%SYS_RN- <b>Viagra <font size='-1'>Super Active+</font></b> as low as <font color='#F%RND_HEX0%RND_HEX0%RND_HEX'><b>$2.55</b></font><br>%SYS_RN- <b>Levitra</b> as low as <font color='#F%RND_HEX0%RND_HEX0%RND_HEX'><b>$2.50</b></font><br>%SYS_RN- <b>Viagra <font size='-1'>Professional</font> </b>as low as <font color='#F%RND_HEX0%RND_HEX0%RND_HEX'><b>$3.50</b></font><br>%SYS_RN<font color='#8%RND_HEX8%RND_HEX8%RND_HEX'><i>and more…</i></font></td>%SYS_RN<td>- <b>SleepWell</b> as low as <font color='#F%RND_HEX0%RND_HEX0%RND_HEX'><b>$38.9</b></font><br>%SYS_RN- <b>Synthroid</b> low as <font color='#F%RND_HEX0%RND_HEX0%RND_HEX'><b>$0.35</b></font><br>%SYS_RN- <b>Celebrex</b> as low as <font color='#F%RND_HEX0%RND_HEX0%RND_HEX'><b>$0.59</b></font><br>%SYS_RN- <b>Prednisolone</b> as low as <font color='#F%RND_HEX0%RND_HEX0%RND_HEX'><b>$0.15</b></font><br>%SYS_RN- <b>Acomplia </b>as low as <font color='#F%RND_HEX0%RND_HEX0%RND_HEX'><b>$2.50</b></font><br>%SYS_RN<font color='#8%RND_HEX8%RND_HEX8%RND_HEX'><i>and more…</i></font></td>%SYS_RN</tr>%SYS_RN<tr>%SYS_RN<td><font color='#0%RND_HEX0%RND_HEX8%RND_HEX'>ANTI-ALLERGIC/ASTHMA:</font></td>%SYS_RN<td><font color='#0%RND_HEX0%RND_HEX8%RND_HEX'>ANTIBIOTICS:</font></td>%SYS_RN</tr>%SYS_RN<tr>%SYS_RN<td>- <b>Ventolin</b> as low as <font color='#F%RND_HEX0%RND_HEX0%RND_HEX'><b>$21.50</b></font><br>%SYS_RN- <b>Advair</b> as low as <font color='#F%RND_HEX0%RND_HEX0%RND_HEX'><b>$24.95</b></font><br>%SYS_RN- <b>Spiriva</b> as low as <font 
color='#F%RND_HEX0%RND_HEX0%RND_HEX'><b>$28.90</b></font><br>%SYS_RN<font color='#8%RND_HEX8%RND_HEX8%RND_HEX'><i>and more…</i></font></td>%SYS_RN<td>- <b>Amoxicillin</b> as low as <font color='#F%RND_HEX0%RND_HEX0%RND_HEX'><b>$0.52</b></font><br>%SYS_RN- <b>Zithromax</b> as low as <font color='#F%RND_HEX0%RND_HEX0%RND_HEX'><b>$0.75</b></font><br>%SYS_RN- <b>Cipro</b> as low as <font color='#F%RND_HEX0%RND_HEX0%RND_HEX'><b>$0.30</b></font><br>%SYS_RN<font color='#8%RND_HEX8%RND_HEX8%RND_HEX'><i>and more…</i></font></td>%SYS_RN</tr>%SYS_RN</table>%SYS_RN<div style='color:#F%RND_HEXF%RND_HEXF%RND_HEX; font-size:%RND_NUM[2-5]px'>%{%RT_1}{%RT_1. %RT_1}%{}{.}</div>%SYS_RN<table %{}{border='0'} cellspacing='%RND_NUM[5-12]'>%SYS_RN<tr>%SYS_RN<td>%SYS_RN<h3 id='%RND_char[3-8]'><b>%{Click Bellow}{Follow the URL bellow}{Follow this Link}{Follow the Link} to Visit %{Canadian}{World-Best}{The Best}{The Cheapest}{Popular}{Well-known}{Inexpensive}{Reasonable}{Affordable}{Express} %{Drugstore}{Drugstore Center}{Drugstore Mall}{Pharmacy}{Drug Mall}{Drugs Discounter}{Medications Mall}{Medications Discounter}%RND_DEXL</b></h3>%SYS_RN</td>%SYS_RN</tr>%SYS_RN<tr>%SYS_RN<td>%SYS_RN<h1 id='%RND_char[3-8]' align='center'><a href='%EVA_AUTOURL%{?}{&#63;}%RNDPARS'>%CLICKHERE</a></h1>%SYS_RN</td>%SYS_RN</tr>%SYS_RN<tr>%SYS_RN<td><b>%{Our Advantages}{Our Benefits}{Benefits of Our Store}{Advantages of Our Drugstore}{Our Features}{Features of Our Store}{Features of Our Drugstore}:</b></td>%SYS_RN</tr>%SYS_RN<tr>%SYS_RN<td>- We %{Take}{Accept} <font color='#0%RND_HEX0%RND_HEX8%RND_HEX'><b>Visa</b></font>, <font color='#0%RND_HEX0%RND_HEX8%RND_HEX'><b>MasterCard</b></font>, <font color='#0%RND_HEX0%RND_HEX8%RND_HEX'><b>%{AMEX}{American Express}</b></font>, <font color='#0%RND_HEX0%RND_HEX8%RND_HEX'><b>Discover</b></font> and <font color='#0%RND_HEX0%RND_HEX8%RND_HEX'><b>E-check</b></font>!<br>%SYS_RN- We Deliver to ALL destinations Worldwide!<br>%SYS_RN- Order 3+ goods and get free Airmail 
Shipping!<br>%SYS_RN- Free Tablets Included in Each Order!<br>%SYS_RN- Meds Expiration Date of Over %RND_NUM[2-4] Years!<br>%SYS_RN- No Imitations! 100% Authentic Meds!<br>%SYS_RN- Secure and Confidential Online Shopping!<br>%SYS_RN- Easy Refunds and 24/7 Customer Support!</td>%SYS_RN</tr>%SYS_RN</table>%SYS_RN<p><font size='1' color='#8%RND_HEX8%RND_HEX8%RND_HEX'>%RND_CHERTA<br>%SYS_RNOur %{Mall}{Shop}{Discounter}{Drugstore} is licensed pharmacy, international %{license #}{lic #}{license num:}{lic number:}%RND_DIGIT[6-12] issued %RND_NUM[1-28] %{Jan}{Feb}{Mar}{Apr}{Mar}{Jun}{Jul}{Aug}{Sep}{Oct}{Nov}{Dec} 200%RND_DIGIT[1]</font></p>%SYS_RN<div style='color:#F%RND_HEXF%RND_HEXF%RND_HEX; font-size:%RND_NUM[2-5]px'>%{%RT_1}{%RT_1. %RT_1}%{}{.}</div>%SYS_RN</body></html>

This template uses many variables, such as %RND_DEXL, %RND_DIGIT, %RT_1, %SYS_RN and %EVA_AUTOURL. Each variable has corresponding data defined in the configuration information. For example, the variable %AOL_FURL has the following data defined:

  • profiline.org.ua/fonts/<removed>.html
  • profkitchen.org/js/<removed>.html
  • project-zabota.ru/libraries/<removed>.html
  • prokopovich.com.ua/includes/<removed>.html
  • prosto.megatemka.ru/engine/<removed>.html
  • protect.co.ua/plugins/<removed>.html
  • psychic-pauldean.co.uk/phocaemail/<removed>.html
  • ptf.by/wp-content/<removed>.html
  • pudel.mneniya.ru/nursing/<removed>.html
  • pump-parts.ru/cli/<removed>.html
  • pustotina.ru/libraries/<removed>.html
  • putmashservis.com/includes/<removed>.html
  • pwsh-ptn.bip-ip.by/<removed>.html
  • pypy.ru/wp-content/<removed>.html
  • qpokna.biz/img/<removed>.html
  • qptova.ru/school/<removed>.html
  • qubada.esy.es/55/<removed>.html
  • quitehost.net/demo-images/<removed>.html
  • rabota-na-avtomate.ru/images/<removed>.html
  • radiotvonline.info/components/<removed>.html
  • rams62.ru/libraries/<removed>.html
  • raskrutka-gruppy-vkontakte.ru/<removed>.html
  • rastim.com.ua/includes/<removed>.html
  • ratibor-samara.ru/lightbox2.05/<removed>.html
  • rationalfeed.net/cache/<removed>.html
  • raznyemonety.ru/xmlrpc/<removed>.html
  • rda-06.com/fr/<removed>.html
  • rdt.com.ua/core/<removed>.html
  • rd-wc.com/Config/<removed>.html
  • realvillage.info/<removed>.html
  • reinm.hhos.ru/prunams/<removed>.html
  • reklama.inf.ua/banner_v3/<removed>.html
  • reklama.semey24.kz/wp-content/<removed>.html
  • reklama.webalania.ru/js/<removed>.html
  • reklamabm.ru/images/<removed>.html
  • remont-32.ru/upgrade/<removed>.html
  • remontbenzogeneratora.ru/wp-admin/<removed>.html
  • remontgeneratoraspb.ru/logs/<removed>.html
  • remontikvartir.ru/assets/<removed>.html
  • remontpostroika.ru/dizajn-spalni/<removed>.html
  • remstyle-samara.ru/img/<removed>.html
  • report.htc.ua/templates/<removed>.html
  • re-postspot.ru/images/<removed>.html
  • rerayte.ru/wp-includes/<removed>.html
  • reviewidget.com/Adam/<removed>.html
  • reviewidget.com/css/<removed>.html
  • rezinovaya-kraska-kupit.ru/laki/<removed>.html
  • rfpphoto.com/2011-desktop-billboard/<removed>.html
  • ridgidshop.ru/discounts_image/<removed>.html
  • rimecoproducts.com/download/<removed>.html
  • riraiting.ru/userfiles/<removed>.html
  • rna-cs.com/newsletter/<removed>.html
  • rnd-video.ru/style/<removed>.html
  • rnglounge.com/Scripts/<removed>.html
  • rodent-club.com/Sources/<removed>.html
  • rodente.info/logs/<removed>.html
  • roman.hdsale.us/images/<removed>.html
  • rost.dn.ua/wp-admin/<removed>.html
  • rostovexp.hol.es/includes/<removed>.html

When the HTML is generated, one of these values is chosen to replace the variable in the output.
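The template language shown above can be expanded offline, which is useful for predicting what a given configuration will produce and for generating detection test data. The following Python expander is an added example, not code from the MMPC post or from the malware, and its reading of the syntax is my assumption: `%{a}{b}{c}` picks one alternative, `%RND_HEX`, `%RND_DIGIT` and `%RND_char` emit one random character (or `[lo-hi]` of them when a range suffix follows), `%RND_NUM[lo-hi]` emits a number in that range, `%SYS_RN` emits CRLF, and every other name (`%TO_NAME`, `%RT_1`, `%EVA_AUTOURL`, ...) is looked up in the configuration. The SAMPLE_CONFIG values and the shortened SAMPLE_TEMPLATE are constructed for this example.

```python
import random
import re
import string

# Constructed stand-in for the variable data Tofsee pulls from its C&C.
# The names are the ones seen in the %LO_BODY_5FARM template on the page;
# the values are invented for this example.
SAMPLE_CONFIG = {
    "CHARSET": "utf-8",
    "TO_NAME": "alice",
    "RT_1": "filler text",
    "RT_2": "Autumn offers",
    "RND_DEXL": "!",
    "RND_CHERTA": "________",
    "CLICKHERE": "Click here",
    "EVA_AUTOURL": "http://example.invalid/landing",
    "RNDPARS": "ref=12345",
}

# Built-in generators. Semantics are my reading of the template, not
# documented by the post: a [lo-hi] suffix sets the repeat count for the
# character generators and the value range for RND_NUM.
BUILTINS = ("RND_HEX", "RND_DIGIT", "RND_char", "RND_NUM", "SYS_RN")

_GROUP_RE = re.compile(r"\{([^{}]*)\}")
_RANGE_RE = re.compile(r"\[(\d+)(?:-(\d+))?\]")

# Shortened excerpt of the page's template, assembled for this example.
SAMPLE_TEMPLATE = (
    "<html><head><meta charset=\"%CHARSET\"><title>%RT_2</title></head>"
    "<body bgcolor=\"#F%RND_HEXF%RND_HEXF%RND_HEX\">%SYS_RN"
    "<div id=\"%RND_char[3-8]\"><b>%{Dear}{Hello}{Hi}%{ }{, }<u>%TO_NAME</u>%RND_DEXL</b></div>%SYS_RN"
    "<div style='font-size:%RND_NUM[2-5]px'>%{%RT_1}{%RT_1. %RT_1}%{}{.}</div>%SYS_RN"
    "<a href='%EVA_AUTOURL%{?}{&#63;}%RNDPARS'>%CLICKHERE</a>%SYS_RN"
    "license #%RND_DIGIT[6-12] issued 200%RND_DIGIT[1]</body></html>"
)


def _generate(name, lo, hi, config, rng):
    count = rng.randint(lo, hi)
    if name == "RND_HEX":
        return "".join(rng.choice("0123456789ABCDEF") for _ in range(count))
    if name == "RND_DIGIT":
        return "".join(rng.choice(string.digits) for _ in range(count))
    if name == "RND_char":
        return "".join(rng.choice(string.ascii_lowercase) for _ in range(count))
    if name == "RND_NUM":
        return str(count)
    if name == "SYS_RN":
        return "\r\n"
    return config[name]


def expand(template, config=SAMPLE_CONFIG, rng=None):
    """Render one message body from a Tofsee-style template."""
    rng = rng or random.Random()
    # Longest name first, so %RND_HEXF resolves to RND_HEX followed by a
    # literal F rather than to an unknown variable.
    names = sorted(set(BUILTINS) | set(config), key=len, reverse=True)
    out, i = [], 0
    while i < len(template):
        if template[i] != "%":
            out.append(template[i])
            i += 1
            continue
        if template.startswith("%{", i):
            # %{a}{b}{c}: pick one alternative, then expand it recursively.
            choices, j = [], i + 1
            while (m := _GROUP_RE.match(template, j)):
                choices.append(m.group(1))
                j = m.end()
            if choices:
                out.append(expand(rng.choice(choices), config, rng))
                i = j
                continue
        name = next((n for n in names if template.startswith(n, i + 1)), None)
        if name is None:  # unknown variable: leave the text untouched
            out.append("%")
            i += 1
            continue
        i += 1 + len(name)
        lo = hi = 1
        if (m := _RANGE_RE.match(template, i)):
            lo = int(m.group(1))
            hi = int(m.group(2) or lo)
            i = m.end()
        out.append(_generate(name, lo, hi, config, rng))
    return "".join(out)


if __name__ == "__main__":
    print(expand(SAMPLE_TEMPLATE, SAMPLE_CONFIG, random.Random(1)))
```

The longest-prefix lookup is the one non-obvious design choice: constructs such as `#F%RND_HEXF%RND_HEXF%RND_HEX` only make sense if the variable name ends at `RND_HEX` and the following `F` is literal, which is also why a signature keyed on fixed colour strings would miss these messages.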

DLL Plugins and other malware

In addition to sending spam messages, some Tofsee variants can extend their malicious functionalities by downloading and running additional plugin components.

These DLL plugins are driven by configuration data downloaded from the C&C server. Their functions range from DDoS attacks to Bitcoin mining.

Each DLL exports a single function named plg_init, which the spambot calls after loading the plugin. We have identified the following malicious plugins:

  • plg_antibot – terminates processes
  • plg_ddos – DDoS attacks on websites
  • plg_locs – steals email credentials
  • plg_protect – protects itself from uninstallation
  • plg_proxy – acts as a proxy server
  • plg_miner – a digital coin miner
  • plg_smtp – sends spam using Outlook
  • plg_sniff – sniffs traffic
  • plg_spread1 – sends messages on Facebook, Twitter, and Skype
  • plg_spread2 – replicates via removable drives
  • plg_sys – collects system information
  • plg_text – used for logging malware activity
  • plg_webm – sends spam using web mail
  • plg_webb – steals cookies

These plugins are detected as Backdoor:Win32/Tofsee.A!dll. The malware author can use this framework to distribute new and undetected plugins. We have also seen Tofsee downloading other threats, such as PWS:Win32/Fareit.

The Microsoft Malware Protection Center will continue to track this family and update our detections to help remove this threat from infected PCs. 

We recommend running an up-to-date, real-time security product such as Microsoft Security Essentials to help protect your PC from malware and unwanted software.

There are more details about each of the families added to the MSRT this month in the Win32/Tofsee and Win32/Zoxpng descriptions.

Rodel Finones & Steven Zhou 
MMPC
 

Categories: Uncategorized Tags: