The independent security research and testing organization, NSS Labs, just released two reports that say Internet Explorer leads the field in protection against socially engineered malware, specifically fake links that you might see in an email or on your social networking site.
According to the report, Internet Explorer caught 96% of this kind of malware.

Source: NSS Labs, August 2011 – Global Socially Engineered Malware Protection
Read the full report. (PDF)
More information about how Internet Explorer 9 protects your computer from malware.

As some of you might be aware, we’ve recently been seeing low levels of reports of Win32/Morto – a worm that causes headaches for users who may have less than ideal password policies – so we thought we’d look at this in more detail.
The number of computers reporting infections or infection attempts continues to remain quite low. In total, the MMPC has seen only a few thousand unique computers report this issue. For an idea of how this kind of volume compares to other families, see the following chart that shows the volume of several families (Sality, IRCbot, and Morto) by unique computers last Sat. (Aug. 27, 2011).

This threat is reaching consumer and corporate users alike in 87 countries/regions so far. At first, the majority of telemetry we received was from computers on older platforms, mostly Windows XP. More recent telemetry shows that newer platforms are also seeing this worm:

We’ve also discovered that Morto attempts to compromise more than just the ‘Administrator’ account when trying to brute force RDP connections with its simple dictionary attack. Initially it tests the affected machine’s Internet connectivity by attempting to connect to IP 74.125.71.104 (this is an IP owned by a legitimate corporation and is otherwise unrelated to the malware). If this attempt is not successful, it then cycles through IP addresses on the affected computer’s subnet and attempts to connect to targeted hosts using the following usernames:
1
actuser
adm
admin
admin2
administrator
aspnet
backup
computer
console
david
guest
john
owner
root
server
sql
support
support_388945a0
sys
test2
test3
user
user1
user5
It’s important to remember that this malware does not exploit a vulnerability in Remote Desktop Protocol, but instead relies on weak passwords (you can see the passwords used by Morto in our encyclopedia). If you haven’t already, check if these usernames are being used in your environment and change the associated passwords to ones that are strong (and definitely not on the password list). Even computers that have been cleaned of this threat can be easily reinfected if the passwords are not changed and the computer remains unprotected.
The role that passwords play in securing an organization’s network is often underestimated and overlooked. Passwords provide a first line of defense against unauthorized access to your organization.
We encourage people to use strong passwords to help protect their systems. (You can even test the strength of your proposed password using our password checker.) We also encourage enterprise users in particular to enforce both strong passwords and regular password changes via policy.
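The dictionary above is also useful on the detection side: a single source address failing RDP logons against several of these account names in a short window is the worm's signature from the defender's point of view. The following is an added example, not MMPC code. It assumes a simplified, constructed log format (modelled loosely on Windows Security event 4625 with logon type 10, i.e. RDP) and a hypothetical threshold of four distinct dictionary usernames within five minutes; both are choices made here, not values from the post.

```python
"""Spot RDP password guessing that uses Morto's username dictionary.

Added example, not MMPC code. It reads a simplified, constructed failed-logon
format modelled loosely on Windows Security event 4625 with logon type 10
(RemoteInteractive, i.e. RDP), and alerts when a single source address fails
against several distinct dictionary usernames within a short window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The username dictionary exactly as listed in the post.
MORTO_USERNAMES = {
    "1", "actuser", "adm", "admin", "admin2", "administrator", "aspnet",
    "backup", "computer", "console", "david", "guest", "john", "owner",
    "root", "server", "sql", "support", "support_388945a0", "sys",
    "test2", "test3", "user", "user1", "user5",
}

# Constructed sample records (not real telemetry): timestamp, event id,
# source address, target account, logon type.
SAMPLE_LOG = """\
2011-08-27T09:58:10 4625 src=192.168.1.40 user=administrator type=10
2011-08-27T09:58:11 4625 src=192.168.1.40 user=admin type=10
2011-08-27T09:58:12 4625 src=192.168.1.40 user=support type=10
2011-08-27T09:58:13 4625 src=192.168.1.40 user=backup type=10
2011-08-27T09:58:14 4625 src=192.168.1.40 user=sql type=10
2011-08-27T09:58:15 4625 src=192.168.1.40 user=guest type=10
2011-08-27T10:15:02 4625 src=192.168.1.77 user=jsmith type=10
2011-08-27T10:15:40 4625 src=192.168.1.77 user=jsmith type=10
2011-08-27T10:16:00 4624 src=192.168.1.77 user=jsmith type=10
"""

LINE_RE = re.compile(r"^(\S+) (\d+) src=(\S+) user=(\S+) type=(\d+)$")


def parse(log_text):
    """Turn the sample format into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, event_id, src, user, logon_type = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "src": src,
            "user": user.lower(),
            "type": int(logon_type),
        })
    return events


def detect_morto_guessing(events, window=timedelta(minutes=5), min_distinct=4):
    """Return one alert per source that failed RDP logons against at least
    `min_distinct` different dictionary usernames inside any `window`."""
    failures = defaultdict(list)  # src -> [(ts, user), ...]
    for e in events:
        if e["event_id"] == 4625 and e["type"] == 10 and e["user"] in MORTO_USERNAMES:
            failures[e["src"]].append((e["ts"], e["user"]))

    alerts = []
    for src, attempts in failures.items():
        attempts.sort()
        best = None
        # Try every attempt as the start of a window and keep the window that
        # covers the most distinct usernames (quadratic, fine for an example).
        for start in range(len(attempts)):
            first_ts = attempts[start][0]
            last_ts = first_ts
            distinct = set()
            for ts, user in attempts[start:]:
                if ts - first_ts > window:
                    break
                distinct.add(user)
                last_ts = ts
            if best is None or len(distinct) > len(best["usernames"]):
                best = {"src": src, "usernames": distinct,
                        "first": first_ts, "last": last_ts}
        if best and len(best["usernames"]) >= min_distinct:
            best["usernames"] = sorted(best["usernames"])
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_morto_guessing(parse(SAMPLE_LOG)):
        print(f"{a['src']}: {len(a['usernames'])} dictionary usernames tried "
              f"between {a['first']} and {a['last']}: {', '.join(a['usernames'])}")
```

Counting distinct usernames rather than raw failures is what separates this pattern from a user mistyping their own password: the second source in the sample fails twice against one legitimate-looking account and is correctly ignored.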
Holly Stewart and Matt McCormack
MMPC Melbourne and Redmond

Today we’re releasing Security Advisory 2607712, to address at least one fraudulent digital certificate issued by DigiNotar, a root certificate authority. DigiNotar has since revoked the digital certificate. This is not a Microsoft security vulnerability; however, the certificate potentially affects Internet users attempting to access websites belonging to Google. A fraudulent certificate may be used to spoof Web content, perform phishing attacks or perform man-in-the-middle attacks against end users.
We continue to work with the certificate authority to understand the scope of this issue, and have taken steps to further help protect customers by removing the DigiNotar root certificate from the list of trusted root certificates on Windows. Web sites with certificates issued by DigiNotar will no longer be trusted by Windows Vista and above. This protection is automatic and no customer action is required.
Click here for more information about the Windows Root Certificate Program and automatic updates. Customers should continue to utilize Internet Explorer’s Security Status bar located on the right side of the address bar to verify that the site being visited is valid and secure.
If you have not done so already, we highly recommend registering for our comprehensive security alerts. Sign up here: Microsoft Technical Security Notifications.
Thanks,
Dave Forstrom
Director, Trustworthy Computing

Revision Note: V2.0 (August 29, 2011): Revised to correct erroneous advisory number.
Summary: Microsoft is aware of at least one fraudulent digital certificate issued by DigiNotar, a certification authority present in the Trusted Root Certification Authorities Store, on all supported releases of Microsoft Windows. Although this is not a vulnerability in a Microsoft product, Microsoft is taking action to protect customers.
Revision Note: V1.0 (August 29, 2011): Advisory published.
Summary: Microsoft is aware of at least one fraudulent digital certificate issued by DigiNotar, a certification authority present in the Trusted Root Certification Authorities Store, on all supported releases of Microsoft Windows. Although this is not a vulnerability in a Microsoft product, Microsoft is taking action to protect customers.
We’ve had reports of a new worm in the wild that generates increased RDP traffic on port 3389 for our users. Although the overall number of computers reporting detections is low in comparison to more established malware families, the traffic it generates is noticeable. The worm is detected as Worm:Win32/Morto.A and you can see a detailed description of it at Worm:Win32/Morto.A.
Morto attempts to compromise Remote Desktop connections in order to penetrate remote systems, by exploiting weak administrator passwords. Once a new system is compromised, it connects to a remote server in order to download additional information and update its components. It also terminates processes for locally running security applications in order to ensure its activity continues uninterrupted. Affected users should note that a reboot may be required in order to complete the cleaning process.
This particular worm highlights the importance of setting strong system passwords. Using strong passwords can go a long way towards protecting your environment — and the ability of attackers to exploit weak passwords shouldn’t be underestimated. For example, Morto tries the following passwords:
*1234
0
111
123
369
1111
12345
111111
123123
123321
123456
168168
520520
654321
666666
888888
1234567
12345678
123456789
1234567890
%u%
%u%12
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
abcd1234
admin
admin123
letmein
pass
password
server
test
user
When creating strong passwords, remember that the key to a strong password is length and complexity. Here are a few tips to keep in mind:
- An ideal password is long and has letters, punctuation, symbols, and numbers.
- Whenever possible, use at least 14 characters.
- The greater the variety of characters in your password, the better.
- Use the entire keyboard, not just the letters and characters you use or see most often.
For more advice on creating (and remembering) strong passwords, visit our Safety and Security Center.
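To make the dictionary above and the tips actionable, here is an added example (not Microsoft's password checker) that rejects any password on Morto's list and applies the length and variety advice. Two thresholds are this example's own choices, not the post's: it requires at least three of the four character classes the post names, and it additionally rejects a password containing the account name. The two "%u%" entries are kept as the literal strings the post lists.

```python
"""Check a proposed password against Morto's dictionary and the post's advice.

Added example, not Microsoft's password checker. Policy thresholds other
than the 14-character minimum are choices made here.
"""
import string

# Passwords tried by Morto, as listed in the post (kept as literal strings,
# including the two "%u%" entries).
MORTO_PASSWORDS = {
    "*1234", "0", "111", "123", "369", "1111", "12345", "111111", "123123",
    "123321", "123456", "168168", "520520", "654321", "666666", "888888",
    "1234567", "12345678", "123456789", "1234567890", "%u%", "%u%12",
    "1234qwer", "1q2w3e", "1qaz2wsx", "aaa", "abc123", "abcd1234", "admin",
    "admin123", "letmein", "pass", "password", "server", "test", "user",
}

MIN_LENGTH = 14   # the post's "at least 14 characters"
MIN_CLASSES = 3   # this example's threshold; the post names four classes


def character_classes(pw):
    """Return which of the post's four classes appear: letters, numbers,
    punctuation, and other symbols (printable characters that are none of
    the first three, e.g. space or non-ASCII symbols)."""
    classes = {
        "letters": any(c.isalpha() for c in pw),
        "numbers": any(c.isdigit() for c in pw),
        "punctuation": any(c in string.punctuation for c in pw),
        "symbols": any(not c.isalnum() and c not in string.punctuation for c in pw),
    }
    return [name for name, present in classes.items() if present]


def check_password(pw, username=None):
    """Return a list of policy failures; an empty list means acceptable."""
    problems = []
    # Dictionary entries are all lower-case, so compare case-insensitively:
    # "Password" is no safer than "password" against a list-driven guesser.
    if pw.lower() in MORTO_PASSWORDS:
        problems.append("appears in the Morto password dictionary")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(pw)) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    # Added rule (not from the post): a password containing the account name
    # is trivially guessable whatever its length.
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    return problems


if __name__ == "__main__":
    for candidate, user in [("1qaz2wsx", "administrator"),
                            ("Administrator2011!!", "administrator"),
                            ("Correct-Horse 42!Battery", "administrator")]:
        verdict = check_password(candidate, user) or ["ok"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```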
For your information here are some examples of files that are being detected as Win32/Morto:
0x48AE936692FFBD14782D5C97DD067402FBB52356
0x6929EAD324EFA7A667BAE88A041F546DBBECBF26
0x188BA0E3A03BFFFF4B9C96721AC70EF68D19A86E
Hil Gradascevic
MMPC Melbourne

Our friend Tim Rains over at Trustworthy Computing (TwC) has just concluded a six-part series in which he took a closer look at the threat landscape in locations that have the lowest infection rates in the world. Using data from our Security Intelligence Report, the series investigates why the same countries and regions consistently pop up as having relatively low malware infection rates, as normalized using a metric called Computers Cleaned per Mille (CCM).
The series is available in the following articles:
The locations with low malware infection rates were commonly found to share the following:
- A strong relationship between public and private entities that led to efficient and proactive responses to malware threats
- The presence of CERTs, ISPs, and other entities that monitor malware that enable rapid response
- An intelligent and well-trained IT culture where system administrators are able to sufficiently respond to threats
- The establishment of policies and processes to quarantine infected computers and prevent malware from spreading across networks
- Education campaigns and media participation that raise awareness of security issues
- Low software piracy rates and timely and widespread use of Windows Update and Microsoft Update
A big thank you to Tim and the TwC, who collated all this information to help us understand what certain countries and regions are doing right regarding keeping malware away. We strongly encourage users to employ the best practices found in the countries that have these low malware infection rates.
– MMPC

Severity Rating: Moderate
Revision Note: V1.1 (August 23, 2011): Added an update FAQ to announce a detection change for KB2539636 that corrects an installation issue. This is a detection change only. There were no changes to the security update files. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves a privately reported vulnerability in Microsoft .NET Framework. The vulnerability could allow information disclosure if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs). In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site. This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions.
Identify, classify, and protect data across targeted file servers in your organization
The Solution Accelerators team is pleased to announce that the Data Classification Toolkit for Windows Server 2008 R2 is now available for download.
Download…(read more)
Here’s an interesting thing for you security types to be aware of. Many of you probably are careful to screen attachment types to make sure that you don’t unintentionally execute code that might be malicious.
Malware authors have discovered that by embedding a Unicode control character (the right-to-left override, RLO) in file names, they can cause the file name to read right-to-left (instead of the normal English left-to-right) and therefore obfuscate file extensions.
For example, “innocuous_cod.exe” could have the RLO character inserted after the underscore, and then it would read as “innocuous_exe.doc” (everything after the “_” is read right-to-left).
Here’s a write-up with links to detected variants: http://blog.commtouch.com/cafe/malware/exe-read-backwards-spells-malware/
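Because the override only changes how the name is rendered, the operating system still uses the real extension, so an attachment filter that inspects the raw code points is not fooled. The following is an added example (not from this post or from Commtouch) that builds a name on the pattern of the "innocuous_cod.exe" case above, approximates what a bidi-aware viewer displays, and flags any name whose displayed extension differs from its real one. The rendering function is a deliberate simplification of the Unicode bidirectional algorithm (one override, reversed to the end of the string) and is labelled as such in the code.

```python
"""Reveal Unicode bidirectional-control characters hidden in file names.

Added example, not code from the post or from Commtouch. It constructs a name
containing U+202E RIGHT-TO-LEFT OVERRIDE, shows roughly how a bidi-aware
viewer would display it, and reports the extension the OS actually uses.
"""
import os
import unicodedata

RLO = "\u202e"
# Unicode bidi control characters. U+202E is the one the post describes;
# the others are included so a filter does not whitelist the variants.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE RLE PDF LRO RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI RLI FSI PDI
    "\u200e", "\u200f",                                # LRM RLM
}


def find_bidi_controls(name):
    """Return (index, Unicode name) for every bidi control in `name`."""
    return [(i, unicodedata.name(c)) for i, c in enumerate(name) if c in BIDI_CONTROLS]


def true_extension(name):
    """The extension the OS acts on: taken from the raw code points, where
    the control character is just another character before the final dot."""
    return os.path.splitext(name)[1].lower()


def displayed_name(name):
    """Approximate what a bidi-aware renderer shows. Simplification: the text
    after the first RLO is reversed to the end of the string (no PDF, no
    per-character bidi classes), which is enough for the attachment case."""
    if RLO not in name:
        return name
    head, tail = name.split(RLO, 1)
    return head + tail[::-1]


def is_suspicious(name):
    """Flag a name whose displayed extension differs from its real one."""
    if not find_bidi_controls(name):
        return False
    return true_extension(displayed_name(name)) != true_extension(name)


# Constructed attachment name on the pattern of the post's example: the RLO
# sits after the underscore, so "cod.exe" is displayed reversed as "exe.doc".
SAMPLE = "innocuous_" + RLO + "cod.exe"

if __name__ == "__main__":
    print("displayed as :", displayed_name(SAMPLE))
    print("real ext     :", true_extension(SAMPLE))
    print("controls     :", find_bidi_controls(SAMPLE))
    print("suspicious   :", is_suspicious(SAMPLE))
```

A mail gateway or download filter would run `find_bidi_controls` on every attachment name and treat any hit as a reason to quarantine or at least to display the name with the controls escaped; comparing `true_extension` against the displayed one is what turns a generic "odd character" warning into the specific extension-spoofing detection.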

Users like you make all the difference in the quality of our products. The Microsoft Assessment and Planning (MAP) Toolkit Team will soon start recruiting Beta participants for our next version’s Beta program.
We’re currently recruiting users of Forefront Endpoint Protection 2010. We of course welcome anybody who is interested in the MAP product. Click here to find out more about what MAP has to offer. MAP helps customers and partners with a host of scenarios such as software usage tracking, software and hardware inventory, and assessments for migration, virtualization and the cloud.
We really look forward to having you involved in our Beta program and hearing your thoughts on the features we’ve added.
As a way of saying thank you there will be prizes. We don’t have all the details yet but in the past we gave away prizes such as Xbox 360s, Kinect for Xbox, and Zune media Players to a randomly selected subset of participants.
Sincerely,
The MAP Toolkit Team
To proactively express your interest in MAP, please:
- Go to http://connect.microsoft.com and click “Sign In” (in the upper right of the page)
- If you are not already registered with Microsoft® Connect, it will guide you through a quick (and free) registration process
- Make sure you say “yes” to being contacted about participating in new Microsoft Connect programs
- Once you have completed the registration, sign in to Microsoft® Connect
- Search for “Microsoft Assessment and Planning Toolkit”
- Click join and you will be notified of beta programs and opportunities!
This announcement is sponsored by the Microsoft Solution Accelerators Team.
You can contact us at mapfdbk@microsoft.com

Beth writes:
“I could not get my Windows Defender to work after installing Microsoft Security Essentials. Why?”
Windows 7 and Windows Vista both come with antispyware software called Windows Defender. If you want to protect your computer from more than spyware, you can install Microsoft Security Essentials for free.
Download Microsoft Security Essentials.
Because you don’t need both programs, when you install Microsoft Security Essentials it will automatically disable (but not uninstall) Windows Defender. For more information, see Do I need both Microsoft Security Essentials and another antivirus software program?
Need security for your business?
Microsoft Security Essentials is available for small businesses with up to 10 PCs. If your business has more than 10 PCs, you can protect your computers with Microsoft Forefront Endpoint Protection.

If you run into an issue where you are unable to download or save certificates using Internet Explorer 9 (IE 9) and the Certificate Authority Web Enrollment service of a certification authority, you should be sure to disable the enhanced security option of Internet Explorer. See TechNet Wiki article: http://social.technet.microsoft.com/wiki/contents/articles/you-cannot-download-ca-certificate-from-web-enrollment-pages.aspx for more details.

Severity Rating: Important
Revision Note: V1.1 (August 17, 2011): Corrected the hyperlink for CVE-2011-1967.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application designed to send a device event message to a higher-integrity process. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.