Archive for October, 2012

All copy and paste makes Jack a bored boy

October 31st, 2012

We recently came across what appeared to be a new sample, but was actually part of malware discovered in 2010. This new-old sample is built from publicly available source code and, like many of its kind, is frequently rebranded. Because of all the changes that malware authors have made, we have detection for each customized iteration. One such iteration (SHA1 8d81462089f9d1b4ec4c7423710cf545be2708e7) is commonly deployed under private obfuscators (such as H1N1 or Umbra). We detect this threat as TrojanSpy:Win32/SSonce.C (the sample also has a message for antivirus researchers, asserting that our job is monotonous and boring).

Other backdoors that originate from the same source code are currently detected as Backdoor:Win32/Bezigate.A, Backdoor:Win32/Talsab.C, and Backdoor:Win32/Nosrawec.C. What we are seeing here is rampant use of copy/paste in the code. Because of this, all these spying families share common features, such as a reverse connection to an attacker’s server, and plugins capable of file transfers, screen capture and anti-virus software disabling. Although the code is publicly available, some features, such as mouse/keyboard control, are only available in private versions, as seen from the Facebook page of one of the authors.

A high number of version builds and obfuscator updates is characteristic of these types of threats, as the malware authors are constantly struggling to bypass our scanner’s detection.

So essentially, because antivirus researchers are doing their job well, malware authors have to copy/paste code over and over again. Well, we think that’s boring.

Mihai Calota
MMPC Munich

Categories: malware research

Happy Halloween from the MMPC

October 31st, 2012

One of my pet peeves working in computer security has always been the use of emotive language. I have always felt that using highly emotive terms to discuss malware greatly adds to the already-considerable FUD (fear, uncertainty and doubt) that surrounds a lot of malware information. The FUD, in turn, leads users to think that this is a problem that is too big for them – too daunting, too scary – when that simply isn’t true.

Malware are computer programs just like other computer programs; what makes them different is that they have been created with the intent to benefit their author to the detriment of an affected user.

However, seeing as it’s that time of the year, I thought we’d take a look back at a few of the “terrifying” terms that have been used to describe malware over the years. Those of a piquish disposition should look away now and unplug your Ethernet cable. You have been warned.

  • Virus. The original big bad. Once a useful metaphor to describe programs that replicate by infecting and utilizing a host file (similar in behavior to their biological namesake). These days, more often used as a catchall for any malicious program.
  • Spyware. This would have to be my least favorite descriptor (and by saying ‘least favorite’, I’m really just being polite). Sure, you could say that the creation of a spyware category to describe the behavior of a set of programs that capture personally identifiable information and send it to a remote location was a necessary evil as the nature of online marketing became more insidious and the value of personal data increased. Or you could say that the term was created and used indiscriminately by some software purveyors that sought to scare users into thinking that they needed to pay for additional protection beyond antivirus. Regardless, the term remains in use today (we detect some programs as spyware) but perhaps doesn’t instill the same dread it did in the early days of grayware research.
  • Scareware. Another term for rogue antivirus software. These programs display false and misleading malware infection alerts to scare users into paying to have these so-called infections removed. Not a bad descriptive term, really, when ultimately they’re a set of programs that perform fraud via extortion via fear. I doubt these programs would have flourished if less fear had been used in marketing security software in the past (see above).
  • Ransomware. Speaking of extortion, here’s another class of programs that stop you from using your computer by either locking your screen or encrypting your files, and then asking for money to unlock your computer or decrypt your files. I don’t like this term as it smacks of sensationalism. However, it does describe what’s happening pretty well, as affected users’ computers are unusable until the ransom is paid. More recent examples of this class of program add additional incentive to hand over the money by masquerading as local law enforcement agencies and telling the user that they have been caught accessing illicit material online – the ransom becoming a fine.
  • Browser Hijacker. Was using the term hijacker really necessary? Surely “redirector” would have sufficed. A browser hijacker (*sigh*) is a program that interferes with your Internet experience by directing your browser to places not of your choosing.
  • Crimeware. A particularly unnecessary term that is used to describe malware that exists for the purpose of committing crime. We have another term for this behavior. It’s “malware”.
  • Badware. Aren’t they all?
  • Cocktail threat. OK, so this isn’t such a scary term, but it is one I always remember when I think of possibly inappropriate security terms. Also known as a ‘blended’ threat, or rather a threat that combines malware with vulnerability exploitation. It doesn’t scare me, but it does make me think of cool bars and tall drinks. Not really the glamorous image I generally associate with the world of AV Research. 😉

Malware is bad, but FUD is worse. I hope I haven’t scared you too much with these gruesome details.

Hope you all have a safe and happy Halloween online.

 

Heather Goudey
MMPC Melbourne


Spooky antivirus software

October 30th, 2012

Judy writes:

My virus protection doesn’t seem to want to stay on. I’ve been able to turn it back on, but when I shut down and then restart my computer later, the virus protection is off again.

Is this some kind of Halloween trick?

Having a virus is no treat

Achieving 100 percent protection from viruses is like chasing a phantom, and Judy’s antivirus software might be turning off because she has a virus.

Learn more about viruses and other malicious software

Having reliable support helps remove the mystery

If your computer is running Windows XP, Windows Vista, or Windows 7, Microsoft Security Essentials is available as a free download. If you’re already using it and it has unexpectedly turned off, you can uninstall it and reinstall it. And if doing that doesn’t fix the problem, you can contact support.

Learn more about Microsoft Security Essentials

Antivirus protection in Windows 8

If you’re running Windows 8, you don’t need to download Microsoft Security Essentials or install any other antivirus software. Windows Defender and Windows SmartScreen are built-in security features that provide real-time scanning to help protect your computer from viruses, spyware, and malware.  

Learn more about security in Windows 8

 

The Case of the Unexplained FTP Connections

October 30th, 2012

A key part of any cybersecurity plan is “continuous monitoring”, or enabling auditing and monitoring throughout a network environment and configuring automated analysis of the resulting logs to identify anomalous behaviors that merit investigation. This…(read more)

What’s new in Windows 8

October 26th, 2012

Windows 8 is now available to buy at the Microsoft Store and other retailers. You can also upgrade at Windows.com.

Windows 8 has several security features that are built in and ready to go. Windows 8 also comes with Internet Explorer 10, designed with innovations that can help you control your personal information and be more aware of online threats.

Learn more about the security and privacy features and about additional security settings that you can use to help protect family members online.

Categories: Microsoft, Windows 8, Windows Defender

Simplifying Big Data Interop – Apache Hadoop on Windows Server & Windows Azure

October 24th, 2012

(This blog was originally posted on our Interoperability blog)

As a proud member of the Apache Software Foundation, it’s always great to see the growth and adoption of Apache community projects. The Apache Hadoop project is a prime example. Last year I blogged about how Microsoft was engaging with this vibrant community, Microsoft, Hadoop and Big Data. Today, I’m pleased to relay the news about increased interoperability capabilities for Apache Hadoop on the Windows Server and Windows Azure platforms and an expanded Microsoft partnership with Hortonworks.

Microsoft Technical Fellow David Campbell announced today new previews of Windows Azure HDInsight Service and Microsoft HDInsight Server, the company’s Hadoop-based solutions for Windows Azure and Windows Server.

Here’s what Dave had to say in the official news about how this partnership is simplifying big data in the enterprise.

“Big Data should provide answers for business, not complexity for IT. Providing Hadoop compatibility on Windows Server and Azure dramatically lowers the barriers to setup and deployment and enables customers to pull insights from any data, any size, on-premises or in the cloud.”

Dave also outlined how the Hortonworks partnership will give customers access to an enterprise-ready distribution of Hadoop with the newly released solutions.

And here’s what Hortonworks CEO Rob Bearden said about this expanded Microsoft collaboration.

“Hortonworks is the only provider of Apache Hadoop that ensures a 100% open source platform. Our expanded partnership with Microsoft empowers customers to build and deploy on platforms that are fully compatible with Apache Hadoop.”

An interesting part of my open source community role at MS Open Tech is meeting with customers and trying to better understand their needs for interoperable solutions. Enhancing our products with new Interop capabilities helps reduce the cost and complexity of running mixed IT environments. Today’s news helps simplify deployment of Hadoop-based solutions and allows customers to use Microsoft business intelligence tools to extract insights from big data.


Get rid of your old devices more safely

October 23rd, 2012

If you have an old computer, phone, gaming system, or other device that you want to sell, recycle, or give away, the first step is to erase all your personal information from the hard drive.

You can do this yourself, but we recommend using a refurbisher that can also help you with donation or disposal, if needed.

Read our step-by-step guidance on backing up your files and choosing which method of data removal is right for you.

How to more safely dispose of computers and other devices

Categories: id theft, phishing, refurbisher, scams, security

MS12-066 – Important : Vulnerability in HTML Sanitization Component Could Allow Elevation of Privilege (2741517) – Version: 1.3

Severity Rating: Important
Revision Note: V1.3 (October 23, 2012): Added Microsoft Windows SharePoint Services 3.0 Service Pack 3 (32-bit version) and Microsoft Windows SharePoint Services 3.0 Service Pack 3 (64-bit version) to the Affected Software section. This is a bulletin change only. There were no changes to the detection logic or security update files.
Summary: This security update resolves a publicly disclosed vulnerability in Microsoft Office, Microsoft Communications Platforms, Microsoft Server software, and Microsoft Office Web Apps. The vulnerability could allow elevation of privilege if an attacker sends specially crafted content to a user, or if a user clicks a specially crafted URL that takes the user to a targeted SharePoint site.


Summary for October 2012 – Version: 1.3

Revision Note: V1.3 (October 23, 2012): For MS12-066, added Microsoft Windows SharePoint Services 3.0 Service Pack 3 (32-bit version) and Microsoft Windows SharePoint Services 3.0 Service Pack 3 (64-bit version) to the Affected Software and Download Locations section. This is an informational change only. There were no changes to detection logic or security update files.
Summary: This bulletin summary lists security bulletins released for October 2012.


MSRT October ’12 – Nitol by the numbers

October 23rd, 2012

As mentioned in our previous post, Microsoft’s study [PDF] behind Operation b70 found that PC consumers might be at risk of malware infection even with brand new computers, if the computers come pre-installed with counterfeit versions of Windows software. This is what happened to some consumers in China who purchased their computers from an untrusted supply chain. A staggering 4 out of 20 machines were found to be infected with malware, and one of those infectors was Nitol.

MMPC’s infection figures for Win32/Nitol reflect the Microsoft study, placing China in the top spot with a whopping 31.60%, well above the United States (18.51%) and Taiwan (16.79%). Thailand and Korea round out the top five. The complete list is shown below in Figure 1:

Figure 1 – Top 10 countries with Win32/Nitol detections (January 2012 to October 2012)

We’ve had detection for Win32/Nitol since as early as December 2010, though the chart in Figure 1 shows its prevalence report from January 2012 to the present. Figure 2 shows the global daily volume report for the same period. As seen in Figure 2, there was a significant increase in infections starting mid-April, followed by a smaller incline. We improved the detection to give even better coverage after the takedown, which explains at least part of the spike in the latter part of September.

Figure 2 – Win32/Nitol daily report volume from the top four countries (January 2012 to October 2012)

DDoS:Win32/Nitol.A and DDoS:Win32/Nitol.B variants were the most active, comprising 99% of the combined Win32/Nitol family detections. Thus, they were the variants most directly affected by the takedown. As shown in Figure 3, Win32/Nitol detections rose sharply from April to early September. Then, after the takedown, detection reports promptly fell.

Figure 3 – Monthly report volume for Win32/Nitol (January 2011 to October 2012)

The MSRT effect

This month’s MSRT included two prevalent families: Win32/Onescan, a Korean rogue security software family, and Win32/Nitol. Within the first two days of the MSRT release, Win32/Onescan was the top family detected and cleaned by MSRT, while Win32/Nitol took the 9th spot.

After one week of report monitoring, while Win32/Onescan was still on top and had been cleaned from almost 1,000,000 machines, Win32/Nitol had slipped to the 11th spot, having been removed from over 36,000 machines.

Win32/Nitol’s numbers are within our expectations. The recent takedown, which disrupted a large percentage of Win32/Nitol’s C&C (command and control) infrastructure, is a big factor in explaining why Win32/Nitol’s prevalence has been dropping considerably.

Figure 4 – MSRT top 10 families

Figure 4 – MSRT top 15 families after one week

 

Rex Plantado
MMPC Vancouver


Know your enemy – protect yourself

October 19th, 2012

Of the many weapons and tricks in an attacker’s arsenal, none is more dangerous or insidious than the ability to hide and continuously compromise a system from within. This is the role of a rootkit. Malware uses rootkits, or rootkit functionality, in order to hide their presence on an affected computer and thus impede their removal. Once compromised by a rootkit, any information returned by an affected system can no longer be trusted and must be regarded as suspect (which is exactly how they hide themselves and their components from you – by modifying requests for information that might give them away).

However, here’s the rub – in all likelihood if you have a rootkit, you will not know that the information being returned by the system is wrong and suspicion bells are unlikely to ring. Thus you are unlikely to take more stringent measures to protect yourself as you haven’t realized the compromise in the first place. Without being alarmist, let’s be straight about this – rootkits are bad news.

The MMPC has released a short paper that discusses rootkit fundamentals and looks at how they are used by attackers. Importantly, the paper also includes guidance on how to guard against the threat and steps you can take if you believe you have been compromised.
Know your enemy and protect yourself by learning about these threats.

You can download the paper here.


Updates: Coreinfo v3.1, Desktops v2.0, Livekd v5.3, PsPasswd v1.23, Testlimit v5.22, Whois v1.11

October 19th, 2012

Coreinfo v3.1: This update to Coreinfo, a command line utility that reports detailed information about a system’s processor topology, CPU features, and cache topology, fixes a bug affecting the calculation of NUMA node costs and adds support for several more processor features, including RDRAND, LAHF/SAHF, Prefetchw and Intel Speedstep.

Desktops v2.0: Desktops, a virtual desktop utility for Windows that lets you create up to three additional workspaces, is now compatible with Windows 8, properly supporting Winkey hotkey sequences (like Winkey+R to bring up the Run dialog) on alternate desktops and switching back to the primary desktop’s start screen when you hit Winkey.

Livekd v5.3: LiveKd, a command-line utility that enables you to use the Windows kernel debuggers to examine live systems as well as virtual machines, now supports Windows 8.

PsPasswd v1.23: PsPasswd, a PsTools utility for remotely changing local machine passwords, now includes support for changing domain account passwords.

Testlimit v5.22: This release of TestLimit, an educational tool for testing the way Windows handles exhaustion of various resource types such as system commit, fixes an output formatting bug that could have it report KB instead of MB.

Whois v1.11: Whois, a tool for looking up domain name registration information, includes fixes for bugs that could cause it to crash if provided with malformed domain name input strings.

Categories: Coreinfo, Desktops, LiveKd, PsPasswd, Testlimit, Whois

Beware of deceptive downloads

October 18th, 2012

The Microsoft Security Intelligence Report (SIR) analyzes online threats using data from Internet services and over 600 million computers worldwide. Volume 13 of the SIR is now available and focuses on vulnerability disclosures from the first and second quarters of 2012.

A featured article, Deceptive Downloads: Software, Music, and Movies, highlights a growing trend of malware infection associated with unsecure supply chains, including legitimate sites that make shareware and music available for public downloads.

Download the latest report

MSRT October ’12 – Nitol: Counterfeit code isn’t such a great deal after all

October 15th, 2012

Just recently, Microsoft shut down the command-and-control (C&C) infrastructure of the Win32/Nitol malware, one of the most active DDoS-performing malware families today. The takedown, dubbed “Operation b70”, was a great success. To amplify its disruption, DDoS:Win32/Nitol was included in this month’s Malicious Software Removal Tool (MSRT) release.

Microsoft’s study [PDF] behind Operation b70 found that PC consumers might be at risk of getting infected by malware even with brand-new computers, if the computers come pre-installed with counterfeit versions of Windows software. This is what happened to some consumers in China who purchased their computers from an untrusted supply chain. A staggering 4 out of 20 machines were found to be infected with malware, and one of those infectors was Nitol.

In this blog post, we’ll tackle the technical aspect of Nitol and why malware found in counterfeit software seems to be counterfeit itself. In the follow-up blog post, to be released next Tuesday, we’ll talk about the numbers we’ve seen around Nitol, both before and after the takedown.

 

Nitol source code

An interesting discovery from a researcher’s perspective is that a sizeable portion of Nitol’s code was found to be copied, or heavily borrowed, from at least two malware sources freely available on Chinese websites. As proof, Figure 1 shows a code snippet from a particular Nitol function that performs a denial of service attack by sending very distinct and recognizable strings. Figure 2 shows the original source code likely copied by the Nitol authors. With the help of certain tools, it’s very easy to see that Nitol is the copycat, not the other way around. Other Nitol samples were also found to be copied from other C++ source code, though this is not discussed further in this blog.

Figure 1 – Decompiled Win32/Nitol variant in IDA

 

Figure 2 – Snapshot of actual source code available from a Chinese website

 

Our analysis also revealed that the Nitol family could be part of a larger DDoS malware class. The most active variants, Nitol.A and Nitol.B, could just be rehashes of old variants, which closely resemble the DDoS threats analyzed some time ago by Damballa and Arbor Networks and called IMMDOS and Avzhan respectively. There is currently no evidence that they were all created by the same authors.

 

Nitol behavior

Win32/Nitol variants may behave slightly differently from each other, but their DDoS functionality is very much alike. Most of the variants are composed of two components: the loader executable and the DLL component. The loader executable drops the DLL component (usually from its resource section) and installs it by setting it up as an NT service or a legacy driver. Some variants may run the DLL immediately by calling the DLL’s main function from the loader (EXE component), while others may wait until the next reboot.

It’s interesting to note that most of the recent Nitol samples use the name “lpk.dll”, which is the same file name as a legitimate Windows file that is always loaded when support for East Asian languages is installed on your computer. The purpose is not clear, but one possibility is to exploit an old, well-documented Windows vulnerability class called “DLL preloading” by dropping the “lpk.dll” file into every folder that contains an EXE, RAR or ZIP file on all local and removable drives. The DLL is modified such that, when loaded, its LpkInitialize() export function is executed which, in turn, runs the appended malicious code.
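A defender-side hunt for the lpk.dll planting pattern just described, as an added example (not code from the original post or from MMPC). It assumes that the only legitimate home of lpk.dll is the Windows system directory you pass in, and it builds a constructed directory layout so it can run offline:

```python
"""Scan a directory tree for stray lpk.dll copies of the kind the post describes.

Added example, not MMPC code. Assumption: the genuine lpk.dll lives only under
the system directories given as system_roots; any other copy, especially one
sitting beside an .exe, .rar or .zip (the folders the post says Nitol seeds),
is reported for analysis.
"""
import os
import tempfile
from pathlib import Path

TARGET_NAME = "lpk.dll"
BAIT_SUFFIXES = {".exe", ".rar", ".zip"}


def _under(path: Path, root: Path) -> bool:
    """True if path is root or lies beneath it (works on older Pythons)."""
    try:
        path.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False


def find_rogue_lpk(scan_root, system_roots=()):
    """Return a sorted list of (path, beside_bait) for every lpk.dll found
    outside system_roots. beside_bait is True when the same folder also holds
    an EXE, RAR or ZIP, i.e. the DLL-preloading layout described in the post."""
    scan_root = Path(scan_root)
    system_roots = [Path(r) for r in system_roots]
    hits = []
    for dirpath, _dirnames, filenames in os.walk(scan_root):
        folder = Path(dirpath)
        if any(_under(folder, r) for r in system_roots):
            continue  # the legitimate copy lives here; not our concern
        lowered = {name.lower(): name for name in filenames}  # case-insensitive match
        if TARGET_NAME not in lowered:
            continue
        beside_bait = any(Path(n).suffix.lower() in BAIT_SUFFIXES for n in filenames)
        hits.append((str(folder / lowered[TARGET_NAME]), beside_bait))
    return sorted(hits)


def hits_by_folder(hits):
    """Map parent-folder name -> beside_bait, handy for a quick report."""
    return {os.path.basename(os.path.dirname(p)): b for p, b in hits}


def build_constructed_tree():
    """Create a throwaway layout (constructed sample data, not a real drive)
    mimicking an infected machine; returns (root, system32)."""
    root = Path(tempfile.mkdtemp(prefix="nitol-demo-"))
    layout = {
        "Windows/System32": ["lpk.dll", "kernel32.dll"],  # legitimate copy
        "Tools": ["app.exe", "lpk.dll"],                  # planted beside an EXE
        "Downloads": ["archive.zip", "LPK.DLL"],          # planted beside a ZIP
        "Docs": ["notes.txt", "lpk.dll"],                 # stray copy, no bait
        "Photos": ["holiday.jpg"],                        # clean folder
    }
    for rel, names in layout.items():
        d = root / rel
        d.mkdir(parents=True)
        for n in names:
            (d / n).write_bytes(b"constructed placeholder, not a real PE")
    return root, root / "Windows" / "System32"


if __name__ == "__main__":
    root, system32 = build_constructed_tree()
    for path, beside_bait in find_rogue_lpk(root, [system32]):
        print(("SUSPECT " if beside_bait else "review  ") + path)
```

On a real machine you would point scan_root at each drive and system_roots at %SystemRoot%\System32 (and SysWOW64 on 64-bit Windows), then submit any flagged file for analysis rather than trusting its name.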

When the DLL component runs, it creates a thread, acts as a server, and starts talking to the remote command and control (C&C) server. It knows which C&C server to connect to because the server address is hard-coded in the binary. More than 50% of the Win32/Nitol families were observed to connect to a subdomain of 3322.org as their primary C&C server. This server was located in China and was taken offline as part of the Microsoft takedown.

Nitol could collect system information such as computer name, version of the operating system, processor speed, installed RAM, and the infected machine’s geographical location. It could then send the information to the C&C server after encrypting the data with a simple algorithm.

The bot master may issue a command to launch a DoS attack against target domains or websites using different DDoS options such as SYN, UDP, TCP, HTTP, and ICMP flooding. The bot master uses a simple token to synchronize the bots. The C&C may command the botnet to sleep for a specified time and become dormant; DDoS commands are not permitted while the bot is in dormant mode.

The bot master may also carry out other malicious actions, such as downloading and executing additional malware (or Nitol updates) on the infected machines. Nitol may also open a URL, which could be malicious, using Internet Explorer. The bots may also receive commands to uninstall themselves from the computer, should the bot master wish to. For more information, please read the Win32/Nitol family description.

 

Rex Plantado
MMPC Vancouver


KB: Information on Forefront Endpoint Protection support on Itanium (IA-64) based computers

October 15th, 2012

Here’s a new Knowledge Base article we published. This one explains Forefront Endpoint Protection support on Itanium (IA-64) based computers.

=====

Summary

Support for installing Microsoft Windows Server IA64/Itanium with System Center Configuration Manager with Forefront Endpoint Protection (FEP) is as follows:

System Center Configuration Manager 2007 supports Microsoft Windows Server 2008 R2 IA64 (Itanium)
System Center Configuration Manager 2007 supports Microsoft Windows Server 2008 R2 x64
System Center Configuration Manager 2012 supports Microsoft Windows Server 2008 R2 x64
System Center Configuration Manager 2012 does not support Microsoft Windows Server 2008 R2 IA64 (Itanium)
Forefront Endpoint Protection 2010 supports Microsoft Windows Server 2008 R2 x64
Forefront Endpoint Protection 2010 does not support Microsoft Windows Server 2008 R2 IA64 (Itanium)
System Center Endpoint Protection 2012 supports Microsoft Windows Server 2008 R2 x64
System Center Endpoint Protection 2012 does not support Microsoft Windows Server 2008 R2 IA64 (Itanium)

=====

For the most current version of this article please see the following:

2764901 – Information on Forefront Endpoint Protection support on Itanium (IA-64) based computers

J.C. Hornbeck | Knowledge Engineer | Management and Security Division


App-V Team blog: http://blogs.technet.com/appv/
ConfigMgr Support Team blog: http://blogs.technet.com/configurationmgr/
DPM Team blog: http://blogs.technet.com/dpm/
MED-V Team blog: http://blogs.technet.com/medv/
Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
Operations Manager Team blog: http://blogs.technet.com/momteam/
SCVMM Team blog: http://blogs.technet.com/scvmm
Server App-V Team blog: http://blogs.technet.com/b/serverappv
Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center Essentials Team blog: http://blogs.technet.com/b/systemcenteressentials
WSUS Support Team blog: http://blogs.technet.com/sus/

The Forefront Server Protection blog: http://blogs.technet.com/b/fss/
The Forefront Endpoint Security blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/



Do you feel safe from online deception?

October 15th, 2012

October is National Cyber Security Awareness Month (NCSAM), and Microsoft supports the national campaign for cyber security education and awareness put forth by the National Cyber Security Alliance (NCSA).

Our support includes releasing the results of the NCSAM 2012 online scam defense survey. The research revealed that U.S. adults have encountered roughly eight different online scams on average. Most respondents feel they’re unlikely to fall victim, but few feel completely protected because newer scams are taking advantage of social networks to impersonate friends, loved ones, or others they know and trust. When it comes to online deception, adults most feared impersonation scams such as fake antivirus alerts (40%).

Read the full results from the survey.

 Watch a video about the online scams survey.

Help protect yourself and your family from online deception with our top cyber security tips:

  • Be defensive with sensitive information
  • Create varied and strong passwords or phrases
  • Boost your computer’s security
  • Connect with others carefully
  • Watch out for scams

For free brochures, fact sheets, and more, see Digital Citizenship in Action or visit STOP.THINK.CONNECT.  Want to get involved? Find out how.

October 2012 Security Bulletin Webcast, Q&A, and Slide Deck

October 11th, 2012

Hello,

Today we published the October Security Bulletin Webcast Questions & Answers page. During the webcast, we fielded five questions, focusing primarily on Security Advisory 2661254, which addresses trust in certificates with RSA keys shorter than 1024 bits. One additional question was answered after the webcast. All questions are included on the Q&A page.

We invite our customers to join us for the next public webcast on Wednesday, November 14th at 11 a.m. PST (-8 UTC), when we will go into detail about the November bulletin release and answer questions live on the air.

Customers can register to attend at the link below:
Date: Wednesday, November 14, 2012
Time: 11:00 a.m. PDT (UTC -7)
Register: Attendee Registration

Thanks,
Yunsun Wee
Director, Trustworthy Computing.

Fraud alert: Microsoft Services Agreement email scam

October 11th, 2012

We’ve received reports of a recent email scam that spoofs the Microsoft Services Agreement.

View the real agreement.

The scam email message replaces legitimate links in the agreement with links that can compromise your computer when clicked. If you receive mail that looks like the real agreement or asks you to click a suspicious link or to provide personal information, delete the message or report the scam.

For more information, see Email and web scams: how to help protect yourself.

ELAM Is Black and White

October 11th, 2012

At the Virus Bulletin conference this year, there was a talk about the limitations and suggested enhancements for the Early Launch Anti-Malware (ELAM) environment. The main observation, complaint if you will, was that there is no way for an anti-malware (AM) engine to perform a deep scan. However, there is a very good reason for why ELAM does not allow that: it is not meant to.

The purpose of ELAM is exactly to perform black- and/or white-listing of drivers until the full AM engine is loaded as part of the boot process. At that point, the full AM engine can take over and perform deep scanning of everything that loads after it, along with everything that loaded before it which the ELAM driver could not classify. The ELAM driver can make a list of the drivers which it did not recognise, and pass this to the full AM engine.

If for some reason any of those drivers can’t be found by the AM engine, then that alone is cause for suspicion, and the driver details can be added to the black-list for blocking on the next reboot.

The ELAM driver has a very restricted environment, in terms of memory and time. However, both of these restrictions exist for performance reasons. The small memory requirement means that only hashes can be used for classifying drivers, but this is fine because there are not that many drivers to classify. There was a question about polymorphic drivers, but this is largely irrelevant – the driver would need to be re-signed after modification, meaning that we could simply block the certificate that was used. A variation of this attack would involve using Return-Oriented Programming (ROP), where a clean driver is loaded for no purpose except to cause a sufficient number of “gadgets” to be present in memory for a second driver to use. This second driver would not be malicious as such, but by constructing a chain of gadgets, it would be possible to create a block of code which can perform malicious actions. However, again, this would appear no different from the polymorphic case, since the second driver would need to re-sign itself after creating the list of gadget offsets in the clean driver.

The small time requirement forces the ELAM driver to perform only a hash-based classification, but this is the only form of scanning that is viable at that point anyway. The time restriction is intended to take away the temptation to construct a virtual file system in order to access the file image manually.

So there you have it. ELAM is not intended for deep scanning, and any suggestion that it should be enhanced in such a way that it can be simply misses the point.
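The hand-off described above, hash-only classification in ELAM followed by the full engine picking up the unknowns and block-listing anything it cannot find, modelled as an added illustration (not Microsoft’s ELAM code; driver names, images and hashes are constructed):

```python
"""Model of the ELAM-to-full-engine hand-off described in the post.

Added illustration, not Microsoft's ELAM implementation. ELAM classifies each
boot-start driver by hash only (good / bad / unknown). The unknown list is
passed to the full engine, which deep-scans the drivers it can still locate;
a driver that loaded but cannot be found afterwards is treated as suspicious
and its hash is added to the block-list for the next boot.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Driver:
    name: str
    image: bytes            # constructed stand-in for the loaded image
    present_on_disk: bool   # can the full engine locate the file later?


@dataclass
class Policy:
    good_hashes: set = field(default_factory=set)
    bad_hashes: set = field(default_factory=set)


def image_hash(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def elam_classify(drivers, policy):
    """Hash-only pass within ELAM's tight memory/time budget.
    Returns (allowed, blocked, unknown) lists of driver names."""
    allowed, blocked, unknown = [], [], []
    for d in drivers:
        h = image_hash(d.image)
        if h in policy.bad_hashes:
            blocked.append(d.name)
        elif h in policy.good_hashes:
            allowed.append(d.name)
        else:
            unknown.append(d.name)   # loaded, but handed on for a deep scan
    return allowed, blocked, unknown


def full_engine_reconcile(drivers, unknown, policy):
    """Full-engine pass: deep-scan each unknown driver it can locate; one that
    ELAM saw load but the engine cannot find is suspicious, so its hash goes on
    the block-list and ELAM stops it on the next reboot."""
    by_name = {d.name: d for d in drivers}
    scanned, newly_blocked = [], []
    for name in unknown:
        d = by_name[name]
        if d.present_on_disk:
            scanned.append(name)
        else:
            policy.bad_hashes.add(image_hash(d.image))
            newly_blocked.append(name)
    return scanned, newly_blocked


def simulate_two_boots():
    """Run a constructed driver set through two boots and report the outcome."""
    drivers = [
        Driver("disk.sys",   b"constructed good disk driver", True),
        Driver("evil.sys",   b"constructed known-bad driver", True),
        Driver("vendor.sys", b"constructed unknown vendor driver", True),
        Driver("ghost.sys",  b"constructed unknown vanishing driver", False),
    ]
    policy = Policy(
        good_hashes={image_hash(drivers[0].image)},
        bad_hashes={image_hash(drivers[1].image)},
    )
    allowed1, blocked1, unknown1 = elam_classify(drivers, policy)
    scanned, newly_blocked = full_engine_reconcile(drivers, unknown1, policy)
    allowed2, blocked2, unknown2 = elam_classify(drivers, policy)
    return {
        "boot1": {"allowed": allowed1, "blocked": blocked1, "unknown": unknown1},
        "deep_scanned": scanned,
        "added_to_blocklist": newly_blocked,
        "boot2": {"allowed": allowed2, "blocked": blocked2, "unknown": unknown2},
    }


if __name__ == "__main__":
    for key, value in simulate_two_boots().items():
        print(key, value)
```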

Read more about ELAM here.

– Peter Ferrie

Categories: conference, malware research