Archive for November, 2015

3119884 – Inadvertently Disclosed Digital Certificates Could Allow Spoofing – Version: 1.0

Revision Note: V1.0 (November 30, 2015): Advisory published.
Summary: Microsoft is aware of unconstrained digital certificates from Dell Inc. for which the private keys were inadvertently disclosed. One of these unconstrained certificates could be used to issue other certificates, impersonate other domains, or sign code. In addition, these certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against Dell customers. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue.

The Threat Landscape in Canada – 2015 Update

November 30th, 2015

I have written about the threat landscape in Canada a couple of times over the years. Using new data from the latest volume of the Microsoft Security Intelligence Report, volume 19, I thought I'd take a fresh look at what has been happening in Canada, as it's been about a year since I last published an article on it.

If you are interested in reading some of the analysis I have done on the threat landscape in Canada in the past, please read these articles: The Threat Landscape in Canada, and The threat landscape in Canada & SecTor 2012. Additionally, last month I had the opportunity to speak at the Security Education Conference Toronto (SecTor 2015), Canada's largest cybersecurity conference. You can watch a video of the presentation I gave at the conference as well as a video interview I did there: Cyberthreats: Microsoft's Tim Rains on Putting Old Wine in New Bottles.

Let's start with the encounter rate (ER) in Canada, which is the percentage of computers running Microsoft real-time security software in Canada that reported detecting malware, or reported detecting a specific threat or family, during a quarter. Most of these encounters come from systems running Microsoft Security Essentials or Windows Defender (on Windows 8.1) reporting that they blocked malware from installing. As Figure 1 illustrates, the ER in Canada has been below the worldwide average for many quarters; the worldwide average encounter rate in the second quarter of 2015 (2Q15) was 14.8%, while the ER in Canada was 12.5% during the same period.

Figure 1: the long-term encounter rate (ER) for Canada and the worldwide average per quarter for the period between the 3rd quarter of 2012 through the 2nd quarter of 2015

Although Canada’s ER has been below the worldwide average and that of France for some time, it has been elevated in some time periods compared to the ERs of the United Kingdom and the United States as illustrated in Figure 2.

Figure 2: the long-term encounter rates (ER) for Canada, France, the United Kingdom, the United States, and the worldwide average per quarter for the period between the 3rd quarter of 2012 through the 2nd quarter of 2015

Figure 3 illustrates the long-term view of malware categories encountered by systems in Canada for the period between the third quarter of 2012 (3Q12) and the second quarter of 2015 (2Q15). This data helps us understand the types of threats that Canadians encounter most frequently in each period. Attackers change their tactics over time to favor malware types that they hope will successfully compromise systems, but any success they have is fleeting, as Microsoft and the rest of the security industry update protections to mitigate threats that start to become prevalent.

Figure 3: the long-term view of malware category encounter rates (ER) for Canada per quarter for the period between the 3rd quarter of 2012 through the 2nd quarter of 2015

Figure 3 shows us that the ER spike seen in Canada in 3Q14 was primarily due to an increase in encounters with malware families in the Trojan Downloaders & Droppers category. This category of threats was popular with attackers back in 2007, but we’ve seen a resurgence of these threats in more recent time periods.  The level of encounters with Exploits is also noteworthy as it suggests that Canadians have encountered exploit kits at relatively high frequency; Figures 4 and 5 support this supposition. Figure 4 shows us that the ER for Exploits was higher in Canada than the worldwide average in 2Q15. Figure 5 provides a list of the top 10 malware threats encountered by Canadians in 2Q15, where 3 of the top 10 malware families encountered in Canada were exploit kits.

Figure 4: malware category encounter rates for Canada versus the worldwide average in the 2nd quarter of 2015

Figure 5: the top malware families encountered in Canada in the 2nd quarter of 2015

Malware encounters are much more common than malware infections: a system has to encounter malware before there is any chance of it becoming infected, and most encounters are blocked. On average, about 17.0 percent of reporting computers worldwide encountered malware over the four quarters ending in 2Q15. Over the same period, the Microsoft Windows Malicious Software Removal Tool (MSRT) removed malware from about 7.1 of every 1,000 computers, or 0.71 percent. Figure 6 illustrates the ER and the malware infection rate (CCM, computers cleaned per mille, i.e. per 1,000 computers that ran the MSRT) for Canada and the worldwide average for recent time periods.

Figure 6: malware encounters and infections in Canada between the 3rd quarter of 2014 and the 2nd quarter of 2015

Figure 7 provides the top 10 list of malware families that infected systems in Canada in 2Q15. Notice that many of the threats on this list are different from the list of threats that were encountered in Canada during the same period (Figure 5). Many of these threats leverage social engineering and require user interaction in order to infect systems. You can get additional details on many of these threats in the Microsoft Malware Protection Center’s malware encyclopedia.

Figure 7: top threat families by infection rate (CCM) in 2Q15

A few noteworthy threats include Win32/Kilim, Win32/Alureon, and Win32/Zbot. Kilim is a threat family that can install malicious Google Chrome browser plug-ins and then use your social media profiles to like, share, and follow pages without your permission. Alureon is a family of data-stealing Trojans that can give a malicious hacker access to confidential information stored on a compromised PC, such as user names, passwords, and credit card data; they can also send malicious data to your PC and corrupt some driver files, making them unusable. Zbot is a family of Trojans created with kits known as "Zeus". These kits are bought and sold on the black market, and the Trojans they produce can monitor online banking activity by hooking API addresses and injecting code into web pages.

Figure 8: web-based threats (phishing sites, malware hosting sites, and drive-by download sites, per 1,000 hosts) in Canada versus the worldwide average in 2Q15

Compromised systems are often used to host malware, phishing sites, drive-by download sites, and so on. The relative levels of these web-based threats differ by country/region. Figure 8 shows that in Canada the levels of phishing sites and malware hosting sites are slightly elevated above the worldwide average. To put this into context, an example of a location with a very high level of phishing sites is Bulgaria, with 98.5 phishing sites per 1,000 hosts, and a location with a high number of malware hosting sites is Brazil, with 40.97 malware hosting sites per 1,000 hosts.

I hope you’ve found this analysis useful.

Tim Rains
Chief Security Advisor
Enterprise Cybersecurity Group

MS15-109 – Critical: Security Update for Windows Shell to Address Remote Code Execution (3096443) – Version: 1.2

Severity Rating: Critical
Revision Note: V1.2 (November 30, 2015): Bulletin revised to clarify that the 3093513 update is only offered to Windows 7 systems if the Tablet PC Components feature is enabled. This is an informational change only. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if a user opens a specially crafted toolbar object in Windows or an attacker convinces a user to view specially crafted content online.

Shields up on potentially unwanted applications in your enterprise

November 26th, 2015

Has your enterprise environment been bogged down by a sneaky browser-modifier which tricked you into installing adware from a seemingly harmless software bundle? Then you might have already experienced what a potentially unwanted application (PUA) can do.

The good news is, the new opt-in feature for enterprise users in Windows can spot and stop PUA in its tracks. If you are an enterprise user, and you are running System Center Endpoint Protection (SCEP), or Forefront Endpoint Protection (FEP), it's good to know that your infrastructure can be protected from PUA installations when you opt-in to the PUA protection feature.  If enabled, PUA will be blocked at download and install time.

 

What is PUA and why bother?

Potentially Unwanted Application (PUA) refers to unwanted application bundlers or the applications they bundle.

These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time cleaning up the applications.

Since the stakes are higher in an enterprise environment, the disruption PUA brings is a real concern, and it is important to deliver trusted protection against it.

Typical examples of behavior that we consider PUA include ad-injection, many types of software bundling, and persistent solicitation for payment for services based on fraudulent claims.

 

PUA protection for enterprise

The Potentially Unwanted Application protection feature is available only for enterprise customers.  If you are already one of Microsoft's existing enterprise customers, you need to opt-in to enable and use PUA protection.

PUA protection updates are included as part of the existing definition updates and cloud protection for Microsoft's enterprise customers. No additional configuration is required besides opting into PUA protection.

 

Deploying PUA protection

Systems administrators can deploy the PUA protection feature as a Group Policy setting, using the following registry-based policy setting for your product version:

System Center Endpoint Protection, Forefront Endpoint Protection

Key Path:            HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Microsoft Antimalware\MpEngine

Value Name:      MpEnablePus

 

Note: The following configuration is available for machines that are managed by System Center Endpoint Protection.

Windows Defender

Key Path:            HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine

Value Name:      MpEnablePus

 

The group policy value for MpEnablePus is a DWORD and can be configured as follows:

Value (DWORD)    Description
0 (default)      Potentially Unwanted Application protection is disabled.
1                Potentially Unwanted Application protection is enabled. Applications with unwanted behavior will be blocked at download and install time.

 

After enabling this feature, PUA blocking takes effect on endpoint clients after the next signature update or computer restart. Signature updates take place daily under typical circumstances.

The user experience can vary according to the policy settings that are configured in your enterprise. However, when enabled, the default behavior is that PUA will be blocked and automatically quarantined.

 

PUA threat file-naming convention

When enabled, we will start identifying unwanted software with threat names that start with “PUA:”, such as, PUA:Win32/Creprote.

Specific researcher-driven signatures identify the following:

  • Software bundling technologies
  • PUA applications
  • PUA frameworks

 

What does PUA protection look like?

By default, PUA protection quarantines the file so it won't run. PUA is blocked only at download or install time. A file is included for blocking if it meets one of the following conditions:

  • The file is being scanned from the browser
  • The file has Mark of the Web set
  • The file is in the %downloads% folder
  • The file is in the %temp% folder
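An added check, written for this page rather than taken from the post: three of the four conditions above are properties of the file on disk, and one of them, Mark of the Web, is stored in the Zone.Identifier alternate data stream that PowerShell can read with Get-Content -Stream. The function below reports which of those three conditions a given file meets, which is useful when a user asks why one download was blocked and another was not. It assumes the Downloads folder is %USERPROFILE%\Downloads and uses %TEMP% for the temp folder; both are this example's assumptions, and the "scanned from the browser" condition is a scan-time property it cannot observe.

```powershell
# Added example: report which of the post's on-disk PUA blocking conditions a
# file meets (Mark of the Web, Downloads folder, Temp folder). The function
# name and the folder locations are this example's own assumptions.

function Test-PathUnder {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Root)
    # Case-insensitive prefix match on whole path components, so that
    # C:\Users\bob\Downloads2 is not treated as being under C:\Users\bob\Downloads.
    $root = $Root.TrimEnd('\') + '\'
    return ($Path.TrimEnd('\') + '\').StartsWith($root, [StringComparison]::OrdinalIgnoreCase)
}

function Get-PuaBlockScope {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # Mark of the Web is an NTFS alternate data stream named Zone.Identifier:
    #   [ZoneTransfer]
    #   ZoneId=3
    # ZoneId 3 = Internet, 4 = Restricted sites. No stream means no MotW
    # (for example after Unblock-File, or on a FAT-formatted USB stick).
    $zoneId = $null
    $motw = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($motw) {
        $line = $motw | Where-Object { $_ -match '^\s*ZoneId\s*=' } | Select-Object -First 1
        if ($line -and $line -match 'ZoneId\s*=\s*(\d+)') { $zoneId = [int]$Matches[1] }
    }

    # Assumed locations; adjust if folder redirection moves them.
    $downloads = Join-Path $env:USERPROFILE 'Downloads'
    $temp      = $env:TEMP

    $inDownloads = Test-PathUnder -Path $file.DirectoryName -Root $downloads
    $inTemp      = Test-PathUnder -Path $file.DirectoryName -Root $temp

    [pscustomobject]@{
        Path         = $file.FullName
        HasMarkOfWeb = [bool]$motw
        ZoneId       = $zoneId
        InDownloads  = $inDownloads
        InTemp       = $inTemp
        InBlockScope = ([bool]$motw) -or $inDownloads -or $inTemp
    }
}

# Usage: check everything currently sitting in the Downloads folder.
#   Get-ChildItem (Join-Path $env:USERPROFILE 'Downloads') -File |
#       ForEach-Object { Get-PuaBlockScope -Path $_.FullName } |
#       Format-Table Path, HasMarkOfWeb, ZoneId, InDownloads, InTemp, InBlockScope
```

The practical caveat this exposes: a file that has been moved out of Downloads or Temp and had its Zone.Identifier stream removed (Unblock-File does exactly that) no longer meets any of the on-disk conditions, so PUA protection will not block it when it is later run. The feature is a download- and install-time control, not a replacement for the corporate policy the roll-out section describes.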

 

The user experience of the blocking depends on the product you have installed.

With System Center Endpoint Protection deployed, the following dialog box will be shown upon detection:

SCEP dialog box indicates detection status

 The user can view the blocked software in the History tab.

You can take a look at the list of blocked applications from the History tab

On Windows 10 endpoints where Windows Defender is managed, the following dialog box will be shown:

Detection message in Windows Defender

PUA protection roll-out scenario

Like all good processes, it is best to plan your PUA protection deployment to get the most out of it. Here are some best practices to plan your PUA protection roll-out.

As blocking PUA in your enterprise is an explicit choice, it is best practice to do the necessary due diligence such as having a corporate policy or guidance that defines that potentially unwanted applications are not to be installed or downloaded in your corporate environment.

With a corporate policy or guidance in place, it's recommended to also sufficiently inform your end-users and your IT Helpdesk about the updated policy or guidance so that they are aware that potentially unwanted applications are not allowed in your corporate environment. This will preemptively inform your end-users as to why SCEP or FEP is blocking their download. By informing your helpdesk about your new policy or guidance, they can resolve end-user questions.

Finally, if you expect many end users in your environment to be downloading or installing PUA, it is recommended that machines be enrolled into PUA protection gradually. In other words, deploy the PUA opt-in policy to a subset of machines, observe the number of detections, determine whether you want to allow any of them in your enterprise, add exclusions for those (all exclusion mechanisms are supported: file name, folder, extension, process), and then gradually roll out the opt-in policy to a larger set of machines.
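As an added example for the pilot phase (not part of the original post), on pilot machines running Windows Defender the Defender PowerShell module can list what PUA protection has caught, grouped by the "PUA:" threat name the post describes, so that the decision about exclusions is made on data rather than on helpdesk tickets. Get-MpThreat, Get-MpThreatDetection and Add-MpPreference are the module's real cmdlets; the function names and the grouping are this example's own. It assumes the Windows 8.1/10 Defender module; SCEP and FEP clients managed through Configuration Manager take their exclusions from the Configuration Manager antimalware policy instead.

```powershell
# Added example: summarize PUA detections on a pilot machine and add path
# exclusions for the ones you decide to allow. Requires the Windows Defender
# PowerShell module; function names are this example's own.

function Get-PuaDetectionSummary {
    # Get-MpThreat gives the threat name, Get-MpThreatDetection the individual
    # hits (path, time); join them on ThreatID and keep only "PUA:" names.
    $detections = @(Get-MpThreatDetection -ErrorAction SilentlyContinue)
    Get-MpThreat -ErrorAction SilentlyContinue |
        Where-Object { $_.ThreatName -like 'PUA:*' } |
        ForEach-Object {
            $threat = $_
            $hits   = @($detections | Where-Object { $_.ThreatID -eq $threat.ThreatID })
            $paths  = @($hits | ForEach-Object { $_.Resources } | Sort-Object -Unique)
            $last   = $hits | Sort-Object InitialDetectionTime -Descending | Select-Object -First 1
            [pscustomobject]@{
                ThreatName = $threat.ThreatName
                Detections = $hits.Count
                LastSeen   = if ($last) { $last.InitialDetectionTime } else { $null }
                Resources  = $paths
            }
        } |
        Sort-Object Detections -Descending
}

function Add-PuaExclusion {
    # Exclusions are a blanket scanning bypass for the path, not a PUA-only
    # allow-list, so keep them as narrow as possible and record why they exist.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [Parameter(Mandatory)][string]$Justification
    )
    foreach ($p in $Path) {
        if ($PSCmdlet.ShouldProcess($p, "Add Defender path exclusion ($Justification)")) {
            Add-MpPreference -ExclusionPath $p
        }
    }
}

# Usage on a pilot machine:
#   Get-PuaDetectionSummary | Format-List
#   Add-PuaExclusion -Path 'C:\Program Files\ApprovedVendor' -Justification 'Ticket 1234, licensed tool' -WhatIf
```

Collect the summary from the pilot group before widening the policy; a family that shows up across many machines with the same installer path is the one worth either excluding (if the business needs it) or calling out in the end-user communication described above.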

 

Handling false positives

If you think that an application has been wrongfully identified as PUA, submit the file to the MMPC for analysis, and add 'PUA' along with the detection name in the comments section.

 

We look forward to providing you with a great protection experience.

Geoff McDonald, Deepak Manohar, and Dulce Montemayor

MMPC

Does prevalence matter? A different approach to traditional antimalware test scoring

November 25th, 2015

Most well-known antimalware tests today focus on broad-spectrum malware.  In other words, tests include malware that is somewhat indiscriminate (isn't necessarily targeted), at least somewhat prevalent and sometimes very prevalent. Typically, tests are not focused on specialized threats that are highly targeted, and most avoid including programs that walk the line between good and evil, such as adware and other programs that we call unwanted software as opposed to malware.  Files that are in most test sets are files that antimalware vendors agree a customer would never want and are generally pervasive in the ecosystem.

The traditional test score counts each file equally. That is, if there are 100 files, each file is worth 1% of the test.  In the real world, however, people don't encounter malware at exactly the same rate. Some malware is incredibly prevalent while other malware families are not as pervasive.  Likewise, some malware might focus on certain regional demographics or languages and not affect other parts of the world.  When it comes to real customer impact, not all malware has the same distribution or prevalence.  Yet, they are treated as such in traditionally scored tests.

Collaborating to create a more applicable scoring model

Microsoft has been partnering with AV-Comparatives to create a scoring model that incorporates prevalence to represent true customer impact.  At Virus Bulletin (VB) this year, Peter Stelzhammer (AV-Comparatives co-founder) and I presented this model.  Today, AV-Comparatives is releasing the prevalence-weighted results from the most recent file detection test in a PDF report and also on the impact section of their website.  This test compares detection rates of vendors against a very comprehensive malware set – 166k Portable Executable (PE) files.

After working with AV-Comparatives for many years, I have personally developed a great respect for the way they curate files for their tests. They work diligently to select files that are relevant, are not in that "unwanted" category (which vendors would lobby to dispute out of their test), and they are able to source hundreds of thousands of recent files for the test.  That said, one thing we found is that it is incredibly difficult, if you're using a traditional scoring model, to attempt to source a perfect number of files that represent ecosystem prevalence. 

For one, many malware families rely on non-PE components to spread. Jenxcus is a good example – its VBS (Visual Basic script) component is one of the most frequently blocked files on our customers' computers. However, its PE component is seen comparatively rarely, so it's quite difficult to source enough Jenxcus PE files for a test to equate to that family's ecosystem prevalence.  Samples from some families might be easier to source than others (more willing to be found or submitted to public sources).  These constraints make it practically impossible to select a test set that perfectly equates to the ecosystem.

Looking at the prevalence model

Enter the prevalence model.  AMTSO through the Realtime Threat List (RTTL) has been making strides lately to encourage vendors to share malware prevalence information with testers to help testers build better test sets.  While we have been moving toward critical mass and getting closer to the needed features to make that project work, Microsoft offered to sponsor AV-Comparatives and provide telemetry details from over 200 million computers in over 100 different countries to them to create a prevalence-weighted model.

The following chart shows how the test set stacks up to the ecosystem (# of files in comparison to ecosystem prevalence). 

Figure 1:  In general, files selected for the most prevalent malware families (those in the high category) were underrepresented using the traditional method of scoring and those in the low category were overrepresented.

When you drill down a layer to the highly prevalent malware families, you can start to see why the numbers don't line up.  Some of the file infector families, like Sality and Virut, had a very large sample set (a great representation of the family in fact). However, other prevalent families, like Gamarue, Dorv, Jenxcus, and Sventore were underrepresented.  Sventore was new – there was only one file to represent that family.  Gamarue, Dorv, and especially Jenxcus didn't have nearly enough recent PE files available for the test to allow them to equate to their ecosystem prevalence.

Figure 2:  A tabulated sample of the test score impact; another example of the test scores not lining up.

The prevalence-weighted model takes into account the prevalence of the tested file, the malware family associated with the file, and the malware family's partition (high, moderate, low, very low) to calculate each file's impact on the test, which balances the score against the actual customer impact in the ecosystem.

For more details about the exact calculation method, you can see the AV-Comparatives report released today.
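To make the difference between the two scoring approaches concrete, here is an added Python illustration (not the calculation AV-Comparatives or Microsoft published): it scores two constructed vendor results both ways and reports how each family's share of the test set compares with its ecosystem share. Family names come from the post; every prevalence figure, test-set size, miss count, partition threshold and the per-file weighting rule are assumptions.

```python
"""Equal-weight versus prevalence-weighted scoring of a file-detection test.

Added illustration for this post, not the calculation AV-Comparatives published.
Assumed weighting rule: a family's share of real-world encounters is spread
evenly over the test files that represent it, so one file is worth
    family_share / number_of_that_family's_files_in_the_test
All prevalence figures, test-set sizes and miss counts below are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class TestFile:
    file_id: str    # constructed label standing in for a file hash
    family: str
    detected: bool  # True if the vendor under test blocked the file


# Constructed: fraction of all ecosystem encounters attributed to each family.
ECOSYSTEM_SHARE: Dict[str, float] = {
    "Jenxcus": 0.30, "Gamarue": 0.25, "Sality": 0.20,
    "Virut": 0.10, "Sventore": 0.10, "Dorv": 0.05,
}
UNKNOWN_FAMILY_SHARE = 1e-4  # assumption: a family absent from telemetry still counts a little

# Constructed test set shaped like the post's Figure 1: file infectors are easy to
# source, script-spread families have few PE samples, Sventore has a single file.
TEST_SET_SIZES: Dict[str, int] = {
    "Sality": 40, "Virut": 30, "Gamarue": 10, "Jenxcus": 4, "Dorv": 2, "Sventore": 1,
}
# Constructed vendor results: how many files of each family the vendor failed to detect.
VENDOR_A_MISSES = {"Sventore": 1, "Jenxcus": 1}  # 2 misses in rare-in-test, common-in-the-wild families
VENDOR_B_MISSES = {"Sality": 4, "Virut": 3}      # 7 misses, all in heavily sampled file infectors


def build_results(sizes: Dict[str, int], missed: Dict[str, int]) -> List[TestFile]:
    """Build one vendor's result list: the first `missed[family]` files of a family go undetected."""
    files: List[TestFile] = []
    for family, n in sizes.items():
        for i in range(n):
            files.append(TestFile(f"{family}-{i:03d}", family, detected=i >= missed.get(family, 0)))
    return files


def traditional_score(files: List[TestFile]) -> float:
    """Each file is worth 1/N of the test, whatever its real-world prevalence."""
    return sum(f.detected for f in files) / len(files)


def file_weights(files: List[TestFile], share: Dict[str, float]) -> Dict[str, float]:
    """Weight files so that a family's files together carry its ecosystem share (weights sum to 1)."""
    per_family = Counter(f.family for f in files)
    raw = {f.file_id: share.get(f.family, UNKNOWN_FAMILY_SHARE) / per_family[f.family] for f in files}
    total = sum(raw.values())  # renormalise: families with no file in the test drop out
    return {file_id: w / total for file_id, w in raw.items()}


def prevalence_weighted_score(files: List[TestFile], share: Dict[str, float]) -> float:
    """Score = total weight of detected files, i.e. the share of real encounters covered."""
    weights = file_weights(files, share)
    return sum(weights[f.file_id] for f in files if f.detected)


def partition(share_value: float) -> str:
    """Assumed thresholds for the post's high / moderate / low / very low partitions."""
    if share_value >= 0.10:
        return "high"
    if share_value >= 0.02:
        return "moderate"
    if share_value >= 0.005:
        return "low"
    return "very low"


def representation(files: List[TestFile], share: Dict[str, float]) -> Dict[str, dict]:
    """Compare each family's share of the test set with its ecosystem share (the Figure 1 view)."""
    per_family = Counter(f.family for f in files)
    report: Dict[str, dict] = {}
    for family, count in per_family.items():
        test_share = count / len(files)
        eco_share = share.get(family, UNKNOWN_FAMILY_SHARE)
        ratio = test_share / eco_share
        status = "underrepresented" if ratio < 0.5 else "overrepresented" if ratio > 2.0 else "balanced"
        report[family] = {"partition": partition(eco_share), "test_share": test_share,
                          "ecosystem_share": eco_share, "status": status}
    return report


if __name__ == "__main__":
    for name, misses in (("Vendor A", VENDOR_A_MISSES), ("Vendor B", VENDOR_B_MISSES)):
        results = build_results(TEST_SET_SIZES, misses)
        print(f"{name}: traditional {traditional_score(results):.3%}, "
              f"prevalence-weighted {prevalence_weighted_score(results, ECOSYSTEM_SHARE):.3%}")
    for family, row in representation(build_results(TEST_SET_SIZES, {}), ECOSYSTEM_SHARE).items():
        print(f"{family:9} {row['partition']:9} test {row['test_share']:.1%} vs ecosystem "
              f"{row['ecosystem_share']:.0%}: {row['status']}")
```

With these constructed inputs Vendor A (two misses) outscores Vendor B (seven misses) under equal weighting, and the ranking flips under prevalence weighting because A's misses fall in families that account for a large share of real encounters.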

The charts above show how the prevalence model balanced test scores to make them more accurately represent a vendor's detection capabilities.  In essence, missed files were scored to represent the malware people were more likely to encounter, which is good information for consumers.  However, prevalence-weighting the score can mean that vendors (at least those who monitor malware prevalence) might have very similar test scores.  Therefore, additional context is probably needed to help consumers make decisions.

Geolocation is one context we analyzed. In the report, we broke down vendor test scores by country using each country's malware prevalence profile. There are some examples of vendors that did great in some countries and not so great in others. Scores didn't always line up with vendors that were co-located in the target region.  If you're interested in a specific country, be sure to check out AV-Comparatives' regional maps in the report.

Organizations, especially those that might have special security concerns, might need other differentiation.  After Peter and I presented at VB this year, we got lots of great feedback from people at the conference.  One of the ideas we discussed was differentiating malware prevalence specifically affecting enterprises and even showing the differences between verticals.  Other discussions centered around showing detection differences by type of threat – ransomware in comparison to information stealers, etc.

Prevalence is but one model that provides additional insight to help people make better-informed decisions when choosing their protection provider. Through partnerships like this one with AV-Comparatives and others in the industry, productive discussions and innovative models result in even better antimalware testing and provide greater benefits to consumers and enterprises alike. 

Holly Stewart

MMPC
A Single, Unified Trust Center for the Microsoft Cloud

November 23rd, 2015 No comments

Today we’re pleased to announce that we have created a single Microsoft Trust Center at www.microsoft.com/trustcenter, which unifies the trust centers of our enterprise cloud services—Microsoft Azure, Microsoft Dynamics CRM Online, Microsoft Intune, and Microsoft Office 365.

Increasingly, our customers deploy multiple Microsoft cloud services, and many expressed a desire for a single point of reference for cloud trust resources. They have come to rely on the trust centers to document the adherence of our cloud services to international and regional standards, describe privacy and data protection policies and processes, and inform them about data transfer and location policies, as well as security features and functionality.

The Microsoft Trust Center gives everyone a single view into the commitments that we put at the heart of our trusted cloud: security of operations, data protection and privacy, compliance with local requirements, and transparency in how we do business. Now, customers can view a single page documenting which of our services comply with such standards as ISO 27018 or HIPAA, or our data location policies across services.

Information in the Trust Center is organized by our four underlying principles of security, privacy and control, compliance and transparency:

Security: Get an overview of how security is built into the Microsoft Cloud from the ground up, with protection at the physical, network, host, application, and data layers so that our online services are resilient to attack. Sections describe the individual security features of Azure, CRM Online, Office 365, and Intune.

Privacy and Control: Here we outline Microsoft Cloud privacy principles:

  • You own your own data describes Microsoft Cloud policies for data ownership; we will use your customer data only to provide the services we have agreed upon.
  • You are in control of your customer data provides datacenter maps for each service, and policies for data portability, retention, and access.
  • Responding to government and law enforcement requests to access customer data outlines our processes for responding, including our commitment to transparency and limits in what we will disclose.
  • We set and adhere to stringent privacy standards describes how privacy in the Microsoft Cloud is grounded in the Microsoft Privacy Standard and the Microsoft Secure Development Lifecycle, and backed with strong contractual commitments to safeguard customer data in the Microsoft Online Services Terms.

Compliance: Our combined compliance site contains comprehensive information on Microsoft Cloud certifications and attestations such as EU Model Clauses, FedRAMP, HIPAA, ISO/IEC 27001 and 27018, PCI-DSS, and SOC 1 and SOC 2. Each compliance page provides background on the certification, a list of compliant services, and detailed information such as implementation guides and best practices.

Transparency: The Microsoft Cloud is built on the premise that for you to control your customer data in the cloud, you need to understand as much as possible about how that data is handled. You’ll find a summary of the policies and procedures here.

We are committed to providing you the most trusted cloud on the planet though our foundational principles of security, privacy & control, compliance, and transparency.

Visit http://www.microsoft.com/TrustCenter

Doug Hauger
General Manager
National Cloud Programs

Categories: Cloud Computing Tags:

Changes from the Windows 8.1 baseline to the Windows 10 (TH1/1507) baseline

November 19th, 2015 No comments

In collaboration with Windows security experts from US and UK government organizations and from the Center for Internet Security, we conducted a thorough review not just of the new settings introduced in Windows 10 but of all the accumulated settings…(read more)

Categories: Uncategorized Tags:

Changes from the Windows 8.1 baseline to the Windows 10 (TH1/1507) baseline

November 18th, 2015 No comments

In collaboration with Windows security experts from US and UK government organizations and from the Center for Internet Security, we conducted a thorough review not just of the new settings introduced in Windows 10 but of all the accumulated settings inherited from past security baselines. Two goals of the review were to remove settings that do not address contemporary threats, and to remove the enforcement of Windows default settings that require administrative control to change and that are unlikely to be changed by an authorized administrator. The result is that we have removed 122 settings that had been enforced in the Windows 8.1 baseline that aren’t needed. We have added only 38 new settings, and have changed 9. The spreadsheet attached to this blog post lists all the changes from the Windows 8.1 and IE11 baseline to the Windows 10 (Threshold 1, a.k.a. version 1507) baseline, including updated IE11 settings.

Why aren’t we enforcing more defaults?

As mentioned, we’re enforcing defaults only for security-sensitive settings that are otherwise likely to be set to an insecure state by an authorized user. So, for example, on Windows client the User Rights Assignment, “Change the time zone” (SeTimeZonePrivilege) is granted to Administrators, Users, and Local Service. In the past we enforced that through the security baseline. Changing that setting requires administrative rights, and it’s unlikely that an authorized administrator would change it to a less-secure value. On the other hand, administrators are known to disable User Account Control, so we enforce that default.

Another reason not to enforce defaults in some cases is that it makes it harder for an organization to use a valuable Windows feature that is not enabled by default. “Offer Remote Assistance” is one such feature. It is not inherently insecure, but like many features – especially those involving network communication – it is disabled and should be disabled if it’s not used. But when security guidance says to disable it and that guidance is enforced through mandatory Group Policy settings, an enterprise choosing to use the feature often has to fight compliance auditors, Group Policy administrators, and other security experts and bureaucracies to enable it. Many will misinterpret the purpose of that element in the guidance to infer that “Offer Remote Assistance” opens a gaping hole and that if you enable it you may as well outsource your entire IT management to the criminals.

Including more settings in the baseline also increases cost of configuration, testing, validation, and maintenance. The security baselines aren’t intended to defend all secure default settings against compromise by a malicious actor that has already gained administrative rights. There are approximately 3.71 bajillion values in the registry that should never be messed with and that would cause havoc if messed with. While it may be worth monitoring them to ensure that they haven’t been altered, it’s not practical to enforce them all with a configuration baseline, and not really what the configuration baseline is for. As an example, someone could modify the registry value HKLM\System\CurrentControlSet\Services\LanmanServer\DefaultSecurity!SrvsvcShareAdminConnect and grant Everyone “full control” through the administrative shares (e.g., C$, ADMIN$). We could add that registry value to the baseline and ensure that Group Policy sets it back to its default, and using a similar mechanism, periodically verify that it hasn’t been altered. But if we go down that path, the baseline will quickly become unmanageable as we enforce defaults throughout much of HKLM\Software, HKLM\System, and the file system.

Removed settings

This section summarizes some of the 122 settings that went from a configured value to “Not Configured.” For many of these settings, such as Windows Update settings, specific configuration is best left to the organization. For others, organizations can continue enforcing settings, but we do not consider their enforcement to be necessary.

  • Windows Firewall, “Allow local connection security rules” and “Allow local firewall rules” for the Domain and Private profiles.

  • The MSS settings, AutoAdminLogon, SafeDllSearchMode, ScreenSaverGracePeriod, and WarningLevel. (We also redefined the ancient MSS settings from Security Options to a custom ADMX for supportability reasons.)

  • “Configure Offer Remote Assistance”

  • BitLocker: removed the requirement for smart cards and the prohibition on passwords, enforcements of defaults on hardware encryption, enforcement of specific recovery options, and disallowing use of BitLocker in the absence of a TPM.

  • Internet Explorer settings requiring ActiveX Filtering, disabling geolocation and AutoComplete for forms, control of browser history and proxy settings, unneeded settings in the “Locked Down” security zones, and a couple of settings that became not-applicable after Windows XP but survived past purges of old controls.

  • Specific Windows Update settings.

  • The security option, “Accounts: Block Microsoft accounts.” If this setting is enforced, Cortana won’t work.

  • Security options to shut down the system if a security audit fails to log, control who can “format and eject removable media,” display of last user name at logon, password-change notifications, and numerous others.

  • Enforcement of Ctrl+Alt+Del at logon to protect credentials from theft. This is not particularly strong protection. First, it depends on a user that’s looking at a spoofed logon screen remembering that he or she hadn’t pressed Ctrl+Alt+Del before typing a password. Second, so many apps prompt the user for the same credentials on the user’s desktop that the credentials can easily be stolen there. Third, if the adversary has gained administrative control of the computer, the “secure desktop” is no longer a protected space. Finally, with devices offering more keyboard-free logon experiences such as facial recognition, Ctrl+Alt+Del becomes an annoying interference.

  • The UAC setting to switch to the secure desktop is redundant with the recommended UAC settings for elevation prompt behavior.

  • Explicitly denying batch and service logon to the Guests group.

New settings

This section summarizes the 38 net-new settings that were added to the Windows 10 baseline that weren’t in the Windows 8.1 baseline.

  • Two new Advanced Auditing settings that were introduced in Windows 10, and auditing removable storage events.

  • Enabling local password management through the Local Administrator Password Solution (LAPS). Note that LAPS requires an Active Directory schema extension.

  • Two MSS settings that were not configured before. (They are probably both very low risk.)

  • Hardened UNC paths for the default shares on domain controllers.

  • Prohibit connecting to non-domain and domain networks at the same time.

  • Disable Wi-Fi Sense.

  • Enable Credential Guard.

  • Block another type of DMA device that can be used to bypass BitLocker protections.

  • Block GDI from handling untrusted fonts. GDI’s font parser executes in kernel mode.

  • Disallowing AutoPlay and AutoRun.

  • Additional EMET protections (EMET 5.5, currently in beta)

  • More consistent and complete enforcement for SmartScreen in IE and Edge.

  • Disallow password manager in Edge (to be consistent with IE settings)

  • Encrypt RPC traffic.

  • Do not store domain passwords in credential manager.

Changed settings

This section summarizes the 9 existing settings that have changed since our Windows 8.1 baseline:

  • Advanced auditing setting for “Security State Change” was “Success and Failure.” The default is just “Success,” and it turns out there is no code path in Windows that can log a Failure event for a security state change, so we are now enforcing “Success”.

  • Disabling display of firewall notifications for the Domain and Private profiles. It’s generally not useful to display complex and confusing error messages to users, particularly when they can’t do anything with them. Leaving the default in place for the Public profile – if a user sees a firewall notification there, they should probably contact an administrator.

  • Disallowing custom, per-computer firewall rules for the Public profile.

  • Continuing to deny write access to removable drives not protected by BitLocker, but no longer disallowing write access to devices configured in another organization.

  • Fixed minor misconfiguration in “Show security warning for potentially unsafe files” in the Internet and Restricted Sites zones.

  • Allowing only Administrators to authenticate to the computer’s network interfaces such as SMB shares and RPC. Note that this does not apply to Remote Desktop.


Win81-to-Win10TH1-Diffs.xlsx

Categories: Uncategorized Tags:

Microsoft Security Intelligence Report Volume 19 is now available

November 18th, 2015 No comments

We’ve just published hundreds of pages of new threat intelligence available for free download at www.microsoft.com/sir.

This includes threat data from the first half of 2015 as well as longer term trend data on the industry vulnerabilities, exploits, malware, and malicious websites that your organization should use to assess your current security posture. We are also providing threat data for over 100 countries/regions.

Additionally, this volume of the report includes a case study and profile on a determined adversary code-named “Strontium.” This case study provides insight into the techniques that these modern threat actors are using. My colleagues in the Microsoft Malware Protection Center have written an article on Strontium that will give you more details and context: http://blogs.technet.com/b/mmpc/archive/2015/11/18/microsoft-security-intelligence-report-strontium.aspx.

Also included in this volume of the report is an in-depth look at the malware behind much of the bank fraud that has characterized the threat landscape in Brazil for the better part of the last decade. This is required reading for financial services customers.

One of my favorite new data sets in this report is exploit detection data from the IExtensionValidation interface in Internet Explorer 11. Essentially, this interface enables real-time security software to block ActiveX controls from loading on malicious web pages. When Internet Explorer loads a webpage that includes ActiveX controls, if the security software has implemented IExtensionValidation, the browser calls the security software to scan the HTML and script content on the page before loading the controls themselves. If the security software determines that the page is malicious (for example, if it identifies the page as an exploit kit landing page), it can direct Internet Explorer to prevent individual controls or the entire page from loading. The interface helps protect our customers, and the data it provides helps us understand how attackers are evolving their web-based attacks, such as drive-by download attacks and watering hole attacks. The data in Figure 1 shows how attackers have shifted from attacking Flash and Java controls at almost the same frequency to targeting Flash almost 100% of the time. This illustrates the importance of ensuring that Flash is being patched efficiently in your environment.

Figure 1: ActiveX controls detected on malicious webpages through IExtensionValidation, 3Q14–2Q15, by control type

And of course, the report also contains the guidance your organization can use to protect its data and assets.

You can download Volume 19 of the Microsoft Security Intelligence Report at www.microsoft.com/sir.

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection

Microsoft Security Intelligence Report: Strontium

November 18th, 2015 No comments

The Microsoft Security Intelligence Report (SIR) provides a regular snapshot of the current threat landscape, using data from more than 600 million computers worldwide.

The latest report (SIRv19) was released this week and includes a detailed analysis of the actor group STRONTIUM, a group that uses zero-day exploits to collect the sensitive information of high-value targets in government and political organizations.

Since 2007, the group has targeted:

  • Government bodies
  • Diplomatic institutions
  • Military forces and installations
  • Journalists
  • Political advisors and organizations

Attack vectors: How they manage to get in

A STRONTIUM actor attack usually has two components:

  1. A spear phishing attempt that targets specific individuals within an organization. This phishing attempt is used to gather information about potential high-value targets and steal their login credentials. 
  2. A second phase that attempts to download malware using software vulnerabilities to further infect the target computers and spread through networks.

Spear phishing

We estimate the STRONTIUM actor targeted several thousand people with spear phishing attacks during the first half of 2015. The goal of the spam email attack is to get a list of high-value individuals with access to sensitive information.

The phishing email usually attempts to trick the target into believing there has been an unauthorized user accessing their account, as shown in Figure 1:

STRONTIUM phishing email

Figure 1: Example of a STRONTIUM phishing email

The email includes a link to a website under the attacker’s control that prompts the victim to change their password. If the attack is successful, the stolen credentials can be used to access the victim’s email account.

Visiting the malicious website can also send sensitive information to the attacker, even when no credentials are entered. The sensitive information can include details of the victim’s PC, including its IP address, browser and operating system versions, and any browser add-ons installed. This information can be used to target the individual with software exploits.

Malware downloads

The second phase of a STRONTIUM actor attack is to install malware on the compromised machine in an attempt to gain access to other machines on the network.

Usually, the malware is installed through a malicious link in an email. However, we have also seen social networks used to spread malicious links. The highly targeted emails use current events, such as an upcoming conference, to entice the victim to click a link for “additional information”. The email is sent from well-known email providers and uses sender names that are designed to look credible, as shown in Figure 2.

STRONTIUM targeted email

Figure 2: Example of a STRONTIUM targeted email with malicious links

When the link is clicked, a drive-by-download attack is launched using software vulnerabilities. The attacks often use zero-day exploits that target vulnerabilities for which the affected software vendor has not yet released a security update.

If the attack is successful, the attacker tries to compromise other machines within the targeted organization to gather more sensitive information.

See the Microsoft Security Intelligence Report (SIRv19) for more technical details on the methods used by STRONTIUM.

Preventing attacks

You can reduce the likelihood of a successful compromise in a number of ways. Use an up-to-date real-time security product, such as Windows Defender for Windows 10.

In an enterprise environment you should also:

  • Keep all your software up-to-date and deploy security updates as soon as possible
  • Enforce segregation of privileges on user accounts and apply all possible safety measures to protect administrator accounts from compromise
  • Conduct enterprise software security awareness training, and build awareness about malware infection prevention
  • Institute multi-factor authentication

The Microsoft Security Intelligence Report (SIRv19) has more advice and detailed analysis of STRONTIUM, as well as other information about malware and unwanted software.

The Microsoft Malware Protection Center’s November Threat Intelligence Report also includes detailed information, resources, and advice to mitigate the risk of advanced persistent threats (APTs).

Categories: Uncategorized Tags:


New Microsoft Enterprise Cybersecurity Group to Provide Greater Security Capabilities

November 18th, 2015 No comments

We’ve worked hard to earn our customers’ trust when it comes to making their data more secure, and we recently announced some significant advances in this area. As part of that news, my team’s newly formed Enterprise Cybersecurity Group provides a significant new cybersecurity asset to Microsoft commercial and public sector customers. Microsoft’s Enterprise Cybersecurity Group will deliver security solutions, expertise and services that will empower our customers to leverage their investment in Microsoft products and services in order to modernize their IT platforms and keep data safe from modern security risks.

Cybersecurity is a topic that continues to garner the attention of C-suites and Boards of Directors across all industries and in markets around the world. Many of the customers I have talked to over the past 18 months have been assigning significant resources and focus to cybersecurity programs designed to help their organizations manage risk in a more holistic way. The high-profile data breaches at companies such as Sony, J.P. Morgan Chase, Experian and Scottrade, to name a few, have accelerated these efforts among many of our customers.

The “protect and recover” security strategy that we have seen so many organizations struggle with assumes that if organizations can implement and manage protective risk mitigations well enough, they will prevent attackers from successfully breaching their environment. This strategy has proved to be both risky and unrealistic in an era characterized by the success of modern attackers.

Today, more and more organizations approach their security strategy with the assumption that they will be breached. This approach allows IT teams to evolve their outdated “protect and recover” security strategies into one that includes capabilities to help protect, detect, and respond to security threats. It also enables security teams to put resources into containment, which will help make it harder for attackers to move around an environment that has been compromised.

The market demand for trusted partners with broad cybersecurity insight and expertise has never been greater. Microsoft has unique, industry-leading cybersecurity capabilities that extend from the world’s most used client operating systems to the most trusted cloud in the world. The Enterprise Cybersecurity Group will use our deep security perspective and experience to help secure our customers’ data, and their customers’ data, by optimizing their investment in Microsoft products and technologies. We have unique, tailored solutions that can help our customers monitor, analyze and prioritize threats within their environments. In addition, we offer industry-leading tactical and strategic response capabilities backed by unique access to deep product expertise. This combination of cybersecurity consulting services and on-premises and cloud-based solutions will help modernize and support our commercial and public sector customers’ security strategies.

The formation of the Enterprise Cybersecurity Group is an important step in our ongoing efforts to help protect and secure our customers. To learn more, please see http://www.microsoft.com/security/default.aspx or ask your account team for more details.

Susan Hauser
Corporate Vice President
Enterprise and Partner Group

Categories: cybersecurity Tags: