Archive for June, 2011

Safety tips for chatting with Facebook friends in Hotmail

June 30th, 2011 No comments

Did you know that you can chat with Facebook friends within Hotmail? Just connect your Facebook account to Windows Live and be sure the “Chat with my Facebook friends in Messenger” box is selected.

No matter where you’re chatting, it’s a good idea to be cautious. There are a few basic chatting and social networking tips to help you avoid identity theft and other scams:

  • Never include passwords, financial information, or other sensitive information in chat.
  • Be careful clicking on links in chat windows, especially if you don’t know the person you’re chatting with.
  • If you allow your kids to chat or use a social networking site, be sure they meet the minimum age requirement.

For more information, see 11 tips for social networking safety.

Categories: Facebook, hotmail, social engineering

Microsoft Security Advisory (2501584): Release of Microsoft Office File Validation for Microsoft Office

Revision Note: V2.0 (June 30, 2011): Announced that the Office File Validation Add-in described in Microsoft Knowledge Base Article 2501584 is available through the Microsoft Update service.
Summary: Microsoft is announcing the availability of the Office File Validation feature for supported editions of Microsoft Office 2003 and Microsoft Office 2007. The feature, previously only available for supported editions of Microsoft Office 2010, is designed to make it easier for customers to protect themselves from Office files that may contain malformed data, such as unsolicited Office files received from unknown or known sources, by scanning and validating files before they are opened.


MS11-046 – Important: Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2503665) – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (June 30, 2011): Corrected the Affected Software table to include MS10-058 as a bulletin replaced by this update. This is an informational change only. There were no changes to the security update files or detection logic.
Summary: This security update resolves a publicly disclosed vulnerability in the Microsoft Windows Ancillary Function Driver (AFD). The vulnerability could allow elevation of privilege if an attacker logs on to a user’s system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerability.


SCM v2 Beta: What happened to the EC + SSLF?

June 29th, 2011 No comments

I can feel this becoming a FAQ, so I wanted to blog on this early in the Beta. 🙂 I forgot to mention in my Beta announcement anything about the new ‘severity’ you see on settings, whoops. The text below is a copy and paste from the IE9 Security Guide…

Forefront Endpoint Protection 2010 Update Rollup 1

By Adwait Joshi

Hello,

An Update Rollup for Forefront Endpoint Protection 2010 is now available here: http://go.microsoft.com/fwlink/?LinkId=223229 .

In addition to hotfixes, this Update also includes some important changes to note:

  1. Support for Windows Embedded 7 platforms: With this update, the FEP client software is supported on certain Windows Embedded 7 platforms (including Windows Thin PC) and Windows Server 2008 Server Core. For more information about the additional support, see Prerequisites for Deploying Forefront Endpoint Protection on a Client Computer.
  2. Signature Update Automation Tool used with Configuration Manager Software Update: This tool automates downloading FEP definition updates using Configuration Manager 2007 Software Updates. This is a command line tool that uses Configuration Manager APIs to get new definitions from Microsoft Update via the Configuration Manager software update feature, distribute the content to distribution points, and deploy the updates to Endpoint Protection clients on a recurring schedule. The automation of the tool is done through the Windows task scheduler. To download the tool, see http://go.microsoft.com/fwlink/?LinkID=221205
  3. Two new preconfigured policy templates for the following server workloads:
    1. Microsoft Forefront Threat Management Gateway
    2. Microsoft Lync 2010

You can find more details in the “What’s New” document on the Technet site. Please check out this KB article for a full list of fixes included in this Update Rollup.

Thanks,

Adwait Joshi

Sr. Technical Product Manager

Forefront Endpoint Protection

Facebook uses Microsoft tool to help prevent child exploitation

June 28th, 2011 No comments

Pornographic images of children circulate on the Internet at an alarming rate. Since 2002, the National Center for Missing & Exploited Children (NCMEC) has reviewed and analyzed nearly 49 million photos and videos of child pornography, more than 13 million in 2010 alone, according to Ernie Allen, NCMEC president and CEO.

PhotoDNA is a technology developed by Microsoft that helps find and remove some of the “worst of the worst” images on the Internet. Microsoft donated the PhotoDNA technology to the NCMEC, which developed a PhotoDNA-based program for Internet companies. Recently, Facebook announced that they would be using the service on their site.

For more information, see 500 million friends against child exploitation. To learn more about other ways Microsoft continues to advocate for a safer Internet, see the Microsoft Digital Crimes Unit Newsroom.

Malware packer integrates with UPX

June 27th, 2011 No comments

Recently, while I was analyzing a bunch of samples packed by custom packers, one of them struck me as a bit different from any other I had seen before. At first glance, the outer layer of packing is a UPX stub, which is commonly used in malware. Especially when combined with a custom packer, UPX can provide an excellent compression ratio.

Since it’s packed by UPX, I first unpacked it with a static unpacker and examined the dump. The heavily obfuscated code at the entry point makes me suspect another layer of packing, so let’s trace a bit to see what happens. The inner packing eventually ends up in a dead loop that calls Kernel32!GetUserDefaultLCID in each iteration.

Figure 1. The obfuscated dead loop

From the figure above, it’s very clear that this is a closed loop without an exit condition, and the code is mostly useless. But black-box analysis shows it’s actually doing something. Going backwards to the entry point, I carefully look through the code and find two interesting spots.

Figure 2. The first check by UPX

Although there is plenty of code before the ‘or eax, eax’ instruction in Figure 2 above, none of it changes the value of register EAX; this UPX packer assigns a pointer from the stack to EAX before jumping to the OEP (see Figure 3 below). So, on versions of Windows where register EAX is zero when the file loads, if the file is statically unpacked and then run, the sample will detect it and jump to the closed loop.

Figure 3. The initialization of EAX in UPX

Another code snippet from the inner packer does an additional check for the presence of UPX. To satisfy this check, EAX must equal ESP + 0x11C, which matches the EAX value initialized by the UPX stub code.

Figure 4. Another check by UPX

If either check fails, execution ends in the dead loop or an unhandled exception. So to debug or emulate this sample, the UPX stub code can’t be skipped by a static unpacker. Once the UPX stub code is allowed to run instead of being skipped, the malware underneath is finally revealed to be a member of the Bamital malware family. I also compared the size of the file, UPX-packed and unpacked, and noticed a big difference, so I decided to dig more. The encrypted file underneath occupies a big portion of the file and looks to be filled with a lot of padding. By looking through the encryption this packer uses, it’s clear that it appends tons of useless padding bytes (0x6A in this case) to the compressed code and re-orders the whole buffer, so that the compressed code blends into the padding, making it look like junk data that can avoid entropy checking and similar techniques.

Figure 5. Mixed compressed code with padding

Figure 6. Compressed code appended by padding
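
As an added illustration of the entropy-evasion trick described above (example code written for this page, not Microsoft’s or the post’s own; the byte buffers are constructed stand-ins for the sample, and the 7.0 bits/byte threshold and 1 KiB window are assumed values), this Python script models a payload diluted with 0x6A padding and shows why an entropy-only check misses it while a dominant-byte check does not:

```python
import math
import random
from collections import Counter

PAD_BYTE = 0x6A          # padding value the post reports in this sample
PACKED_THRESHOLD = 7.0   # bits/byte above which a buffer "looks compressed" (assumed cut-off)
WINDOW = 1024            # sliding-window size for the entropy scan (assumed)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def max_window_entropy(data: bytes, window: int = WINDOW) -> float:
    """Highest entropy over fixed-size windows: still catches compressed code
    merely appended to padding, but not code shuffled into it."""
    return max((shannon_entropy(data[i:i + window])
                for i in range(0, len(data), window)), default=0.0)


def dominant_byte_ratio(data: bytes) -> float:
    """Fraction of the buffer taken by its single most common byte value."""
    return Counter(data).most_common(1)[0][1] / len(data) if data else 0.0


def looks_packed(data: bytes) -> bool:
    """Entropy-only heuristic, the kind this packer's padding is meant to fool."""
    return max_window_entropy(data) >= PACKED_THRESHOLD


def looks_padded_payload(data: bytes, max_ratio: float = 0.5) -> bool:
    """Complementary check: genuinely compressed data never lets one byte
    value dominate the buffer; heavy single-value padding does."""
    return dominant_byte_ratio(data) >= max_ratio


def blend_with_padding(payload: bytes, pad_ratio: float, seed: int = 1) -> bytes:
    """Model the packer's trick: append PAD_BYTE until it makes up pad_ratio
    of the buffer, then shuffle so payload bytes are spread through it."""
    n_pad = round(len(payload) * pad_ratio / (1 - pad_ratio))
    buf = bytearray(payload + bytes([PAD_BYTE]) * n_pad)
    random.Random(seed).shuffle(buf)
    return bytes(buf)


# Constructed stand-in for compressed code: 4 KiB of seeded random bytes.
_rng = random.Random(7)
COMPRESSED = bytes(_rng.getrandbits(8) for _ in range(4096))
APPENDED = COMPRESSED + bytes([PAD_BYTE]) * 16384       # padding appended, not reordered
BLENDED = blend_with_padding(COMPRESSED, pad_ratio=0.8)  # appended and reordered
```

A windowed entropy scan still flags APPENDED, because the compressed bytes sit together in a few high-entropy windows; only the reordering in BLENDED defeats it, which is why a scanner should pair entropy with a byte-distribution check.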

The malware author may have tried out this technique to avoid detection, but we’re on to them. With our antivirus products such as Microsoft Security Essentials, this trick is handled well and we detect the malware underneath as Trojan:Win32/Bamital.I.

Shawn Wang

Categories: debugger, debugging, EAX, EIP, hex, opcode, packers, UPX

SCM v2 (BETA) + New Baselines Available to Download

June 27th, 2011 No comments

[UPDATE: September 6th, 2011] The Beta review period for SCM2 ended August 31st, 2011 (and the download is no longer available). We’ve been working on stabilizing the build and meeting release requirements. Look for the RTW of SCM2 on September 15th…