Archive

Archive for November, 2013

Microsoft has Sweden's best-looking office

November 29th, 2013 No comments

Yesterday, 28 November, Microsoft's facilities manager Lotta Bergius had the great pleasure of receiving the award for Sveriges Snyggaste Kontor (Sweden's Best-Looking Office) 2013 at an award ceremony at Oscarsteatern in Stockholm. Besides the honor and the attention, the prize consists of a sculpture by Ernst Billgren, which now stands in Microsoft's reception.

Earlier this year, Microsoft Sweden was named Sweden's best workplace by Great Place To Work. Together, these two awards confirm that we are thinking along the right lines, not only when it comes to technology but also with regard to the other two elements, the place and the people, that successful change projects require.

– It is fantastic that we are being recognized for our long-term work on shaping the workplace for Det nya arbetslivet (The New World of Work). The interest from other organizations is enormous; we have already had thousands of visitors come to be inspired since we opened the new office in April, says Heléne Lidström, project manager for Det nya arbetslivet.

The Sveriges Snyggaste Kontor competition is organized by Lokalnytt, and this is the third year in a row that it has recognized the office judged best on the criteria of style, working environment and fresh thinking.

During the autumn, companies all over Sweden have been able to nominate their offices for the competition. Three finalists were voted through, and a qualified jury led by architect Magnus Månsson selected the winner.

The prize was won in tough competition with the property company Vasakronan in Stockholm, which came second; third was AMF Fastigheter, also in Stockholm.

 

 

Avoid Affordable Care Act scams

November 28th, 2013 No comments

It’s no secret that the website designed to help Americans sign up for health insurance under the new Affordable Care Act has had technical issues. We’ve heard reports that scammers are taking advantage of the technical glitches to send out fake email messages or posts on social networking websites.

These scams, known as “phishing,” are designed to trick you into installing malicious software or to direct you to fraudulent websites, where you are asked to enter credit card and other personal or financial information.

To avoid getting tricked by these and other kinds of scams, or to minimize the damage they cause:

Categories: fraud, scams Tags:

Microsoft Releases Security Advisory 2914486

November 27th, 2013 No comments

Today we released Security Advisory 2914486 regarding a local elevation of privilege (EoP) issue that affects customers using Microsoft Windows XP and Server 2003. Windows Vista and later are not affected by this local EoP issue. A member of the Microsoft Active Protections Program (MAPP) found this issue being used on systems compromised by a third-party remote code execution vulnerability. These limited, targeted attacks require users to open a malicious PDF file. The issues described by the advisory cannot be used to gain access to a remote system alone.

While we are actively working to develop a security update to address this issue, we encourage customers running Windows XP and Server 2003 to deploy the following workarounds as described in the advisory:

Delete NDProxy.sys and reroute to Null.sys
For environments with non-default, limited user privileges, Microsoft has verified that the following workaround effectively blocks the attacks that have been observed in the wild.

We also always encourage people to follow the “Protect Your Computer” guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. We also encourage folks to exercise caution when visiting websites and avoid clicking suspicious links, or opening email messages from unfamiliar senders. Additional information can be found at www.microsoft.com/protect.

We hope this doesn’t disrupt any holiday plans you may have, but we did want to provide you with actionable information to help protect your systems. We continue to monitor the threat landscape closely and will take appropriate action to help protect customers.

Thank you,
Dustin Childs
Group Manager, Response Communications
Trustworthy Computing

Microsoft Security Advisory (2914486): Vulnerability in Microsoft Windows Kernel Could Allow Elevation of Privilege – Version: 1.0

Revision Note: V1.0 (November 27, 2013): Advisory published.
Summary: Microsoft is investigating new reports of a vulnerability in a kernel component of Windows XP and Windows Server 2003. We are aware of limited, targeted attacks that attempt to exploit this vulnerability.

Categories: Uncategorized Tags:

Our protection metrics – October results

November 27th, 2013 No comments

Last month we introduced our monthly protection metrics and talked about our September results. Today, we’d like to talk about our results from October. If you want a refresh on the definition of the metrics we use in our monthly results, see our prior post: Our protection metrics – September results.

During October 2013, while our rate of incorrect detections remained low, and our performance metrics stayed fairly consistent, the infection rate of 0.18 percent was higher in comparison to the average daily infection rate of 0.1 percent in the first half of the year.

In September, we talked about a family called Win32/Sefnit that was the driver behind the increase in our infection rate. We mentioned that the distributors of Sefnit are using some sneaky techniques to infect computers. This includes programs that install legitimate software, and occasionally install legitimate software with bonus material (Sefnit). Many of these installer programs were previously determined to be clean. However, with this change in behavior (installing the Sefnit malware), they now meet our detection criteria.

Sefnit is a bot that can take instructions from remote servers to do practically anything. We’ve observed it using infected computers for click fraud, which makes money by pretending to be a person clicking on ads from your computer or by redirecting your search results. It may also abuse your computer’s resources through Bitcoin mining.

The two installer families related to Sefnit that were behind the high active infection rate in October are Win32/Rotbrow and Win32/Brantall. Rotbrow is a program that claims to protect you from browser add-ons. Brantall pretends to be an installer for other, legitimate programs. Brantall might install those legitimate programs as well as malware. These previously legitimate software programs were prevalent in comparison to most malware families, and so most of our detections in October were on active infections.

The Malicious Software Removal Tool, which scans 600-700 million computers each month, has found and removed more than two million Sefnit infections on computers protected by current, real-time antimalware during the past two months. Until our antimalware partners target not only Sefnit, but also the Sefnit installers, people may struggle with reinfections.

Like us, many antimalware vendors have previously classified these programs as clean or potentially unwanted rather than high or severe malware. We’ve even had a tester ask us recently if our detection for one of these programs was an incorrect detection. Based on the installation of Sefnit, these programs absolutely meet our detection criteria, even if they had previously developed a reputation as a clean program.

We’ve identified related samples for our antimalware partners so that they can protect their customers against these threats if they have not already.

If you want to check your computer for Rotbrow or Brantall, you can install Microsoft Security Essentials, enable Windows Defender (on Windows 8), or use the Microsoft Safety Scanner if you already have current antimalware installed. They’re all provided to you for free to make good on our pledge to help keep you all safe. You can read more about our security software on the Microsoft Malware Protection Center website.

Our goal is to provide great antimalware solutions for our consumer and business customers. I hope this blog demonstrates how committed we are to raising the bar for ourselves and others in the industry. We’re monitoring our results, performance, and progress closely, prioritizing for real threats that might affect our customers and applying lessons learned to make our products even better. Plus, we support our antimalware partners in order to build a strong ecosystem to fight malware – the true adversary. More next month!

Holly Stewart

MMPC

Categories: Uncategorized Tags:

Security and policy surrounding bring your own devices (BYOD)

November 27th, 2013 No comments

As the proliferation of devices continues to capture the imagination of consumers and has ignited what is referred to as the bring your own device (BYOD) revolution, many IT departments across the globe are now facing increased security considerations. While organizations encourage BYOD for cost savings and productivity, it is also important to have robust security policies supporting BYOD.

Last week, several media reports surfaced of an attack on the European Parliament in which some members allegedly had their email unlawfully accessed. Initial media speculations inaccurately implied that the attack used a vulnerability in Microsoft’s Exchange ActiveSync. While details and specifics of this attack unfold, based on our initial assessment, we have determined this is not a vulnerability in the ActiveSync protocol; the issue is how third party devices handle authentication of certificates.  

This type of attack has been previously discussed at the Black Hat 2012 Conference. Enhancements to newer versions of Windows Phone block this type of attack automatically. In fact, Microsoft’s implementation of Exchange ActiveSync on Windows Phone regularly protects customers from this type of attack, as it does not allow a malicious certificate to be trusted by the device. 

Third party software developers license, and can modify, Exchange ActiveSync from Microsoft to ensure that customers can receive their email on any device. Third party developers are responsible for ensuring that their implementation of the Exchange ActiveSync protocol is secure. That said, there are also ways in which customers can help protect themselves from similar types of attacks:

  • Become familiar with “Understanding security for Exchange ActiveSync”
  • Configure Exchange ActiveSync to use a trusted certificate
  • Set restrictions based on device model and device type to only allow well-implemented clients
  • Clearly define policy to ensure devices support the security functionality required and only use devices that do not accept automatic or prompted certificate renewal
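The difference the post draws between a client that authenticates the server certificate and one that accepts whatever it is shown, as an added Go example that is not part of the original post or of any Exchange ActiveSync implementation. It assumes a hypothetical mailbox host name mail.example.test and uses self-signed certificates generated in memory to stand in for the legitimate server's certificate and for an impostor certificate carrying the same name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// selfSigned builds an in-memory self-signed certificate for host.
// Constructed test material only; no real server's key is involved.
func selfSigned(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the name a strict client verifies
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// easClientConnect models an ActiveSync client opening its mailbox connection.
// strict verifies the chain against roots and checks the host name; a
// permissive client, as the post describes, trusts any certificate it is shown.
func easClientConnect(addr, host string, roots *x509.CertPool, strict bool) error {
	cfg := &tls.Config{ServerName: host, RootCAs: roots, InsecureSkipVerify: !strict}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// connect stands up a one-shot loopback server holding cert, has a client of
// the given policy connect to it, and returns the client's handshake error.
func connect(cert tls.Certificate, host string, roots *x509.CertPool, strict bool) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // outcome is judged on the client side
			c.Close()
		}
	}()
	return easClientConnect(ln.Addr().String(), host, roots, strict)
}

type Result struct {
	StrictAcceptsTrusted       bool // legitimate cert present in the trust store
	StrictRejectsImpostor      bool // same host name, unknown key: refused
	RejectedAsUnknownAuthority bool // refusal reason: issuer not trusted
	PermissiveAcceptsImpostor  bool // no verification, so the impostor gets in
}

// RunScenario exercises both client policies against the legitimate server
// certificate and an impostor certificate carrying the same host name.
func RunScenario() (Result, error) {
	const host = "mail.example.test" // assumed host name of the mailbox server
	legit, err := selfSigned(host)
	if err != nil {
		return Result{}, err
	}
	impostor, err := selfSigned(host) // different key, same host name
	if err != nil {
		return Result{}, err
	}
	roots := x509.NewCertPool() // device trust store: only the legitimate cert
	roots.AddCert(legit.Leaf)
	impErr := connect(impostor, host, roots, true)
	var uae x509.UnknownAuthorityError
	return Result{
		StrictAcceptsTrusted:       connect(legit, host, roots, true) == nil,
		StrictRejectsImpostor:      impErr != nil,
		RejectedAsUnknownAuthority: errors.As(impErr, &uae),
		PermissiveAcceptsImpostor:  connect(impostor, host, roots, false) == nil,
	}, nil
}
```

The strict policy still reaches the legitimate server, so pinning the trusted certificate costs nothing in availability; only the impostor is turned away.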

We strongly encourage all customers evaluating a BYOD business strategy to ensure they fully understand the various security features and capabilities of the devices that are brought into their organization. 

Matt Thomlinson
General Manager
Trustworthy Computing Security

Categories: Uncategorized Tags:

Download Windows Server 2012 R2 and Get Free Training on the New Capabilities from MVA

5 tips for sharing photos of family and friends

November 26th, 2013 No comments

Last week we talked about the ever-increasing trend of uploading pictures to photo sharing and social media sites over the holidays. As you celebrate Thanksgiving this year in the United States, don’t forget about online privacy. Be careful what you post about yourself, but also be careful what you post about others. You might be more comfortable sharing photographs and personal details than your friends and family are.

Here are 5 tips for sharing more safely this holiday season:

  1. Ask permission before you post a picture of someone else online. If the picture is of a minor, ask their parent or guardian.
  2. Talk with your friends about what you do and do not want to be shared. Ask them to remove anything that you do not want disclosed.
  3. Before you put anything online, think about what you are posting, who you are sharing it with, and how it will reflect on you and anyone included in the picture or post. Would all of you be comfortable if others saw it? Or saw it ten years from now?
  4. Make it clear to children that they should never say, text, or post anything that would hurt or embarrass someone.
  5. Assume that what you publish on the web is permanent. Anyone on the Internet can easily print out a blog post or save it to a computer.

For more information about online privacy, see Take charge of your online reputation.

Categories: holiday, online privacy Tags:

Gobble gobble! 8 apps you need to make it through Thanksgiving!

November 26th, 2013 No comments


Thanksgiving is a time to celebrate the things we’re thankful for and reconnect with family and friends over a good meal. Here are eight apps for Windows and Windows Phone to help make sure you have a safe, hassle-free and enjoyable holiday.

Bing Food & Drink

The Bing Food & Drink app is a must-have on your tablet or laptop for Thanksgiving. The new app makes it easy to explore recipes from all around the world, choose from more than 100,000 wines and cocktails, and learn tips from celebrity chefs like Wolfgang Puck and Tom Colicchio to make your next meal a taste-tempting success with family and friends. Not that you have to be a celebrity chef to cook a mean bird or get those garlic mashed potatoes just right.

Bing Food & Drink provides immaculate photos (as seen in the screenshot above), easy-to-follow instructions and tools such as a shopping list and meal planner to help you prepare your Thanksgiving dinner. You can also use the app to enter notes or upload your own favorite recipes, and then share them with a single tap of your finger – a great way to make the relatives happy when they ask for your sweet potato pie recipe!

One of the coolest features of the app is its “Hands Free Mode.” Here’s how it works: Let’s say you’re preparing Swedish meatballs and you’re ready to move on to the next step in the recipe, only your hands are all sticky from handling the ingredients. No worries in THIS kitchen. With the “Hands Free Mode,” you can navigate recipes with a simple wave of your hand. No more messy fingers on your device’s glossy, pristine gorilla glass!

On a related note, the Rachael Ray show will feature Colicchio on Dec. 3. During the show, he will show off some of his favorite cooking items, including the Bing Food & Drink app. Don’t miss it!

Thanksgiving Recipes

Thanksgiving Recipes by iFood.TV

Thanksgiving Recipes by ifood.tv has everything you need to prepare an awesome meal. As soon as I open the app on my Surface, I’m greeted by a menu of tiles that includes video recipe categories such as cakes, casseroles, drinks, gravy, pie, sauce, soup and stuffing. And, of course, there are countless turkey recipes – roast turkey, cider brined turkey, turkey with almonds and apricots and more.

You can also search by course, ingredients, method, taste and interest. Maybe you don’t want to do the traditional turkey, mashed potatoes and stuffing meal. My wife is from New Orleans, which means I eat a lot of Southern food. We’re giving serious consideration to replacing one of our regular side dishes with a chicken and sausage gumbo recipe that we found in the Thanksgiving Recipes app.

If you’re like me and you have more success watching someone else prepare a recipe as opposed to following one from a book, then Thanksgiving Recipes and its massive library of thousands of videos might just be right up your alley. You can find it in the Windows Store.

Prefer to cook with your Windows Phone close by? I also recommend Yumvy and AllRecipes.

Cocktail Flow

Cocktail Flow for Windows

Cocktail Flow is one of my favorite apps for when my wife and I entertain guests. I am not a connoisseur of cocktails by any stretch of the imagination, but this app for Windows and Windows Phone sure goes a long way in helping me make passable drinks for my friends and family.

The first thing you’ll notice about the app is its sleek, sparse and easy-to-navigate set-up. You don’t need to know a thing about making cocktails to get started. The app has three guides for entry-level cocktail creation that go into measurement units (what does it mean when a recipe calls for “one part Bourbon whiskey, one part Sambuca”?), glassware, barware and garnishes.

One of my favorite features in Cocktail Flow is the Cabinet. Here’s how it works: you swipe through a menu of spirits, mixers and liqueurs, selecting the ones you have in your actual bar cabinet and Cocktail Flow will generate drink ideas for you. For example: in your bar you’ve got some vodka, gin and bourbon whiskey, as well as some sugar syrup, grenadine, lemon juice and orange juice and some triple sec. Whammo! Cocktail Flow comes up with 11 different drinks you can make for your guests.

The app also breaks down drinks by spirit and by color. So, if someone asks for something with rum in it, all you have to do is tap on the rum category. If someone asks for something red or blue, all you have to do is tap the red or blue category. Easy peasy!

Alcohol Free Drink Recipes

And for those Thanksgiving guests who don’t drink, there’s always the Alcohol Free Drink Recipes app for Windows Phone.

The app has more than 200 alcohol-free drink recipes to choose from. The app breaks down drinks by category – soft drinks, shakes, cocoa, cocktails and coffee and tea.

Wait, cocktails? You bet. Ever heard of an Afterglow? It’s one part grenadine, 4 parts orange juice and 4 parts pineapple juice. Mix and serve over ice. Done. What about a Cranberry Bomber? Four ounces of cranberry juice, ½ ounce of OJ, two tablespoons of grenadine, one teaspoon of honey and a dash of cola. Garnish with a slice of lemon. (Of course.)

You can also add any drinks you have a particular taste for to your Favorites list using the menu bar.

Instagram

Instagram

Thanksgiving is a great time to reconnect with those family and friends you don’t get to see as often as you’d like throughout the year, and one of the best ways to capture those precious moments is on your smartphone’s camera. Pair that with the newly arrived Instagram app for Windows Phone, and you’ve got a great combination. Grab a picture from your Windows Phone Photos Hub, choose a filter to transform its look and feel, then post to Instagram – it’s that easy.

You can even share to Facebook, Twitter, Tumblr and Foursquare right from the app. Turn everyday moments into works of art with Instagram for Windows Phone 8. The new app is now available for free in the Windows Phone Store!

Waze

Waze for Windows Phone 8

Over the river and through the woods to Grandmother’s house we go, right? Lots of us spend at least a little time in the car and on the roads on or around Thanksgiving, shuttling from one relative’s house to another. The last thing we want to deal with is holiday traffic, if it can be at all avoided.

Sometimes, your best sources for the most up-to-date traffic and road reports are other drivers ahead of you – and the free Waze app now available for Windows Phone 8 devices can deliver their advice exactly when you need it.

Using crowd-sourced info, Waze plugs you into a network of drivers who share real time traffic alerts and road info to find you the best route in real-time. With just a tap, you can join the Waze community of drivers and share your own reports about traffic, accidents, road closures and more to improve everyone’s daily commute.

Other perks include automatic re-routing as conditions on the road change, and personalization as the app learns your frequent destinations, commuting hours and preferred routes. Waze can also notify a person that you’re on your way by sending a live ETA and a link showing you as you drive, and also helps find the cheapest gas station along your route.

Bing Weather App

Bing Weather App for Windows Phone

It’s equally important to stay mindful of the weather as you travel about by plane, train and automobile for the Thanksgiving holiday. It’s easy to do that with the Bing Weather App for both Windows and Windows Phone.

The app helps you prepare for the latest conditions with hourly, daily and 10-day forecasts. It allows you to compare weather from multiple providers, check radar maps and view historical weather. You can also get current weather information for your location and for the other places you care about, like a family member’s city or your next vacation destination.

The Maps feature allows you to go deep in detail with radar, temperature, precipitation, cloud and satellite maps. And for those planning to hit the slopes while on vacation over Thanksgiving, there’s even a feature that lets you check the weather at ski resorts around the world with snow forecasts, ski trail maps, ski deals and news, Web cams and 360-degree panoramas.

Bing Sports App

Bing Sports App for Windows Phone

Watching football on Thanksgiving has become as much a staple of our holiday tradition as cranberry sauce and apple pie. As in years past, there will be three NFL games televised: The Green Bay Packers versus the Detroit Lions at 12:30 p.m. ET on Fox, the Oakland Raiders versus the Dallas Cowboys at 4:30 p.m. ET on CBS and the Pittsburgh Steelers versus the Baltimore Ravens at 8:30 p.m. ET on NBC.

It won’t be easy though, keeping up with all that football between eating dinner, catching up with old friends and family and shooting photos with your Windows Phone. So, you’d better have the Bing Sports App for Windows Phone so you can stay up to speed on the top scores, top stories, slideshows and videos. Both the Windows and Windows Phone apps are highly customizable, so I can follow news, scores and stats from my favorite sports and my favorite teams. Plus, I can even pin my favorite team to my start screen, creating a tile for one-touch access to all the latest team updates.

You might also be interested in:

· Wave your hands to control content on Redbox Instant by Verizon for Xbox One
· New Walgreens app for Windows 8 makes prescription refills and photo printing easy
· German hospital uses Microsoft technologies to create an intelligent operating room

Posted by Jeff Meisner
Editor, The Official Microsoft Blog

Microsoft Cybersecurity Report: Top 10 Most Wanted Enterprise Threats

November 26th, 2013 No comments

In my travels abroad over the years, I have had the great opportunity to meet with many enterprise customers to discuss the evolving threat landscape. In addition to helping inform customers, these meetings have provided me with an opportunity to learn more about how customers are managing risk within their environments. Many of these customers are interested in learning about the top threats found in enterprise environments. Visibility into what threats are most common in enterprise environments helps organizations assess their current security posture and better prioritize their security investments. Given the high level of interest in this information, I thought it would be helpful to take a close look at the top 10 threats facing enterprise customers based on new intelligence from the latest Microsoft Security Intelligence Report (SIRv15).

The latest report found that in the enterprise environment, on average about 11% of systems encountered malware worldwide between the third quarter of 2012 (3Q12) and the second quarter of 2013 (2Q13). The “encounter rate” is defined as the percentage of computers running Microsoft real-time security software that report detecting malware – typically resulting in a blocked installation of malware. This is different from the number of systems that actually get infected with malware, a measure called computers cleaned per mille (CCM).

…(read more)

Update Rollup 5 for System Center Advisor is available

November 25th, 2013 No comments

Microsoft has released the on-premises client Update Rollup 5 for Microsoft System Center Advisor. This update is dated November 12, 2013. The article linked below describes the following information about the update:

  • The issues that the update fixes
  • How to obtain the update
  • The prerequisites for installing the update
  • Whether you have to restart the computer after you install the update

For all the details please see the following:

KB2900542: Update Rollup 5 for System Center Advisor is available (http://support.microsoft.com/kb/2900542)

J.C. Hornbeck | Solution Asset PM | Microsoft GBS Management and Security Division

Get the latest System Center news on Facebook and Twitter:


System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

Categories: Uncategorized Tags:

Join our ITPro Customer Panel and help shape future Microsoft Virtualization, Cloud, and Datacenter Management Products

November 21st, 2013 No comments

The Microsoft Windows Server and System Center Customer Research team is looking for IT pros to participate in an IT Pro panel.

As a member of the panel, you will have the opportunity to provide vision and feedback to the Cloud and Data Center Management Product team through surveys, focus groups, usability sessions, early design concept reviews, and customer interviews.

We are looking for very specific expertise profiles. Use of Microsoft products IS NOT required. To help us identify if you qualify we ask that you start by completing a short survey.

Please note, we can only accept customers located in the US but are working toward extending to an international audience soon. You do not have to use Microsoft products to participate. Interested? Want to learn more?

To access the survey click on the link below.

Access the survey

Here is the full survey URL: https://illumeweb.smdisp.net/collector/Survey.ashx?Name=CDM_interview_survey_openposts

J.C. Hornbeck | Solution Asset PM | Microsoft GBS Management and Security Division


Categories: Uncategorized Tags:

Watch out for Typhoon Haiyan online donation scams

November 21st, 2013 No comments

The Internet is a great way to donate to typhoon survivors in the Philippines, but there are a few things you should know before you give.

Watch out for online scams. Criminals have set up fake donation sites to scam generous donors who want to help. This fraud is known as phishing. Pronounced “fishing,” this is a type of online identity theft that uses email, social networking, and fraudulent websites designed to steal your personal data, such as credit card numbers, passwords, account data, or other information.  

Use a reputable website. Donate to a known organization, such as the Red Cross. If you’re unsure whether a site is safe, see How do I know if I can trust a website?

Be careful with your personal information. To help avoid online scams, never provide your social security number, banking information, or credit card number over the phone, in an email or text message, or through your social networking site.

Do not click links in donation email messages or social networking posts. Type the web address directly into your browser instead.

Don’t send cash. If a donation website asks for cash or a wire transfer, this could be an online scam. It’s safer to pay with a credit card or a check.

For more information, read our article about donation scams, or go to the consumer information page about donations on the Federal Trade Commission (FTC) website.

Categories: phishing, scams Tags:

Cloud investment lifts SATS

An aggressive cloud strategy centred on Microsoft products gives the fitness chain SATS a better IT environment. This eases the company’s continued expansion while customers are offered better service.

The fitness trend in Sweden continues with undiminished strength. One sign of this is that the number of participants in demanding races is breaking all records: next year’s Vasaloppet sold out just ten minutes after tickets were released in March.

This also means there is a good market for the country’s fitness chains. The leading position in the Nordics is held by SATS, which has 108 fitness centres with 275,000 members. At Nordic level SATS has around 4,500 employees working full- or part-time. A majority of them spend their working days out at the fitness centres, which requires the IT environment to work even in a decentralised operation.

To better meet that challenge, SATS has chosen a cloud solution with Microsoft Office 365 and Microsoft CRM Online.

– It’s about all parts of the solution: mail, the SharePoint intranet, Lync and CRM. All employees have quick and easy access to mail, and since we are spread across several locations and several countries, Lync is used extensively for internal communication, says Arvid Johansson, CIO at SATS.

Previously SATS used the same products, but locally and operated in-house. The new solution makes it possible for the company to focus more on developing the fitness business itself.

– We are a relatively small organisation and we focus strongly on driving development forward for the business. Base technology is expensive and we are working to turn it into services, among other things by using cloud services. As we grow, we can now handle this much better; it becomes much easier to open new centres.

The move to a cloud-based IT environment has been well received by staff, according to Arvid Johansson.

– The shift to the cloud is not in itself something users really notice, other than that the systems hopefully become faster. In the long run it means that maintenance and upgrades will be able to happen automatically.

SATS has also woven digital technology into its services: in 2012 it launched the introductory programme SATS You™, which is built on CRM Online. Through it, members get a tailored eight-week training programme and access to a personal trainer who helps them get started and adapt the programme. Training is followed up digitally: members can reach their training programme via the web or a mobile app, watch inspiring videos, and get instructions and training tips.

– The personal trainer can handle the entire dialogue with the member via computer or mobile, and the customer can easily follow up on their own development and progress, says Arvid Johansson.

And the digital development will continue at SATS.

– It is definitely a path we will follow and we are currently looking at a lot of different possibilities. The digital services inspire our members to train more and make them enjoy being with us even more, says Maja Thermaenius, project manager for development at SATS.

Contact

Arvid Johansson, CIO, SATS
Tel: 073-373 24 06
arvid.johansson@sats.se

Categories: CRM, Getitdone, Lync, Office 365, sats, SharePoint Tags:

Industrial designers make it possible for more people to work from home

November 21st, 2013 No comments

Microsoft, which has run the Work-from-Home Day (Jobba hemma-dagen) initiative for two years, is now enlisting three inspirers to solve the problems and challenges of working outside the office.

Thanks to modern IT, working from home or from other places outside the office is a given for many. But not all the challenges of modern working life can be solved with IT. That is why Microsoft is now enlisting three industrial designers, whom we call inspirers, to develop new products and solutions that will make the new working life easier.

Mikaela, Bashar and Björn are the promising industrial designers commissioned by Microsoft to spend six months developing solutions that let more people get the job done, wherever they work. They have free rein and will themselves choose which challenge to take on. The work concludes with a vernissage on 10 April in Stockholm, where the inspirers present their finished solutions. We will follow the inspirers during the work, both through their own social media and through Microsoft’s social media.

– As a young entrepreneur this is a fantastic opportunity. I look forward to contributing my creativity to develop innovative concepts that can promote flexible work, says Mikaela Rehnmark, one of the inspirers and an industrial designer at R-ID.

The three inspirers are:

Mikaela Rehnmark, newly graduated industrial designer who runs her own company. Has, among other things, designed a piece of furniture for Arlanda.
Twitter: https://twitter.com/MikaelaRehnmark
Portfolio: http://www.behance.net/MikaelaRehnmark
Design process for the Arlanda furniture project, where you can follow the whole journey from idea to finished furniture:
http://www.behance.net/gallery/Airport-Furniture-Stockholm-Arlanda-Airport/4417121
Company website: http://r-id.se/

Bashar Mansour, industrial designer who runs his own design and product development company.
Twitter: https://twitter.com/bashar_mansour
Blog: http://kodaform.se/?page_id=20
Facebook: www.facebook.com/BashaaarM
Instagram: http://instagram.com/basharm
LinkedIn: http://www.linkedin.com/pub/bashar-mansour/76/baa/894

Björn Fjaestad, studies industrial design at Lunds Tekniska Universitet.
Facebook: https://www.facebook.com/bjorn.fjaestad
Twitter: https://twitter.com/Icebjorn
Website (combined portfolio and blog): fjaestaddesign.com

About Work-from-Home Day
Work-from-Home Day takes place on 5 February 2014 and is a Microsoft initiative that showcases the benefits of flexible work. Participants in Work-from-Home Day share the belief that work is not a place you go to but something you do. Flexible office work has benefits for companies as well as employees: it gives higher productivity and an easier everyday life. To attract the right employees today and in the future, a flexible view of work is required.

For more information
Anna Averud
Business Area Manager for Office at Microsoft
073-408 29 22
annaa@microsoft.com

Carberp-based trojan attacking SAP

November 21st, 2013 No comments

Recently there has been quite a bit of buzz about an information-stealing trojan that was found to be targeting the logon client for SAP. We detect this trojan as TrojanSpy:Win32/Gamker.A.

SAP is a global company with headquarters in Germany and operations in 130 countries worldwide. SAP develops enterprise software for tracking and managing business operations, and its products are used by an estimated 86% of Forbes 500 companies. These operations range from tracking the manufacture of a product in a factory, to managing human resources processes, to tracking and managing customer sales. Needless to say, the data held in SAP systems is often sensitive, and the security surrounding SAP systems is a recurring topic in the information security field.

A few weeks ago another vendor reported a trojan in the wild that specifically includes functionality targeting SAP. It is believed to be the first malware developed by criminals to target SAP.

In this post we present our analysis of how this trojan targets SAP and of the code it has in common with Win32/Carberp.

 

Based on Carberp source

Carberp is an infamous banking trojan whose source code was leaked earlier this year, and Gamker clearly shares part of that code. Gamker has code matches to the remote-control code contained in Carberp:

  • Carberp/source – absource /pro/all source/RemoteCtl/hvnc2/libs/hvnc/hvnc/

The following relative files match through the string constants that are encrypted within Gamker:

This use of the virtual network computing (VNC) code indicates that Gamker has the capability to remotely control an infected machine. It is unclear whether there is a larger connection between Gamker and Carberp, since the remainder of Gamker’s code differs from Carberp’s publicly leaked code.

 

SAP targeting

Gamker is a general banking and information-stealing trojan. Among its targets are online banking browser sessions, Bitcoin wallets, public and private keys, cryptography tools, and finance-related applications. In this section we go into detail on the threat this trojan poses to SAP.

The malware records keystrokes per application, writing keylog records in plaintext to the file “%APPDATA%\<lowercase letters>”. An example of these recorded keylogs is shown in Figure 1:

Figure 1: Example of recorded keylogs

 

In addition to this keylogging, the payload contains a hardcoded list of application names that are used as triggers to record additional information. Among them is the SAP Logon for Windows client, as seen in Figure 2:

Figure 2: Targeting of SAP saplogon.exe component

 

Table 1 – List of triggers used to record screenshots and command-line arguments (the category is the label assigned by the trojan author)

Executable name trigger | Category    | Description
------------------------+-------------+---------------------------------------------------------------------
rclient.exe             | CFT         | Client for Remote Administration
CyberTerm.exe           | CTERM       | Unknown Russian payment-related tool
WinPost.exe             | POST        | Unknown, likely a tool used to perform HTTP POST operations
PostMove.exe            | POST        | Unknown, likely a tool used to perform HTTP POST operations
Translink.exe           | WU          | Tool by Western Union Inc
webmoney.exe            | WM          | Unknown
openvpn-gui             | CRYPT       | Client for VPN remote access to computers
truecrypt.exe           | CRYPT       | Tool used to manage TrueCrypt protected filesystems
bestcrypt.exe           | CRYPT       | Tool used to manage BestCrypt protected filesystems
saplogon.exe            | SAP         | SAP Logon for Windows
ELBA5STANDBY.exx        | ELBALOCAL   | Unknown
ELBA5.exx               | ELBALOCAL   | Unknown
oseTokenServer.exe      | MCSIGN      | Application by Omikron related to electronic banking
OEBMCC32.exe            | MCLOCAL     | Application by Omikron related to electronic banking
OEBMCL32.exe            | MCLOCAL     | Application by Omikron Systemhaus GmbH related to electronic banking
ebmain.exe              | BANKATLOCAL | Application by UniCredit Bank Australia
bcmain.exe              | BANKATCASH  | Unknown
hbp.exe                 | HPB         | Possibly Deutsche Bundesbank Eurosystem
Hob.exe                 | HPB         | Possibly Deutsche Bundesbank Eurosystem
bb24.exe                | PSHEK       | Unknown
KB_PCB.exe              | PSHEK       | Profibanka by Komerční banka
SecureStoreMgr.exe      | PSHEK       | Unknown
Pkkb.exe                | PSHEK       | Banking application, Komerční banka

When the keylogging component is loaded into a process whose executable name matches one of the entries in Table 1, it additionally records the command-line arguments passed to the application and begins capturing screenshots of the entire desktop. It captures 10 screenshots spaced about one second apart before transmitting them to the C&C server.

In addition to the triggers listed above, two further application lists are used as screenshot and command-line recording triggers. They are included as Table 3 and Table 4 in the appendix, under the category names “IT” and “ETC” respectively.

An example of the data recorded after executing “saplogon.exe” with the command-line argument “-test” is shown in Figure 3:

Figure 3: Recording of command-line arguments passed into saplogon.exe

 

The screenshots, captured one second apart, are written to the “%APPDATA%\<lowercase letters>\scrs\” directory, as seen in Figure 4:

Figure 4: Screenshots captured after executing saplogon.exe
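
The on-disk artifacts described above (a plaintext keylog file and a “scrs” screenshot directory under %APPDATA%, each under a name made only of lowercase letters) together with the reference checksums in Table 2 of the appendix are enough for a simple host-side hunt. The following Python script is an added example and not MMPC code: the all-lowercase, extension-less name heuristic and the sample %APPDATA% layout it builds for a dry run are assumptions, since the post does not give the exact directory name or keylog format.

```python
"""Hunt for the TrojanSpy:Win32/Gamker.A artifacts described in the post.

Two independent checks:
  1. files whose SHA-1 or MD5 matches the reference checksums in Table 2;
  2. directly under %APPDATA%, an all-lowercase directory holding a "scrs"
     subdirectory (screenshot drop) and any all-lowercase, extension-less
     file (candidate plaintext keylog).
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Reference checksums from Table 2 of this post (lowercase hex).
KNOWN_SHA1 = {
    "4e2da5a532451500e890d176d71dc878844a9baa",
    "6a9e1f85068fe1e4607b993774fc9cb229cd751b",
}
KNOWN_MD5 = {
    "c9197f34d616b46074509b4827c85675",
    "efe6cd23659a05478e28e08a138df81e",
}

# Heuristic (assumption): the post only says "<lowercase letters>", so any
# all-lowercase name without an extension directly under %APPDATA% is a lead.
LOWERCASE_NAME = re.compile(r"^[a-z]+$")


def file_hashes(path):
    """Return (sha1, md5) hex digests of one file, hashed in 64 KiB chunks."""
    sha1, md5 = hashlib.sha1(), hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            sha1.update(chunk)
            md5.update(chunk)
    return sha1.hexdigest(), md5.hexdigest()


def hash_matches(root, sha1s=KNOWN_SHA1, md5s=KNOWN_MD5):
    """Walk `root` and return every file whose SHA-1 or MD5 is in the sets."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                sha1, md5 = file_hashes(path)
            except OSError:  # locked or vanished file: keep scanning
                continue
            if sha1 in sha1s or md5 in md5s:
                hits.append(path)
    return sorted(hits)


def appdata_artifacts(appdata):
    """Flag Gamker-style drop locations directly under an %APPDATA% directory.

    Returns (confidence, path) tuples:
      "high": all-lowercase directory containing a "scrs" subdirectory;
      "low":  all-lowercase extension-less file (candidate keylog).
    """
    findings = []
    for entry in sorted(Path(appdata).iterdir()):
        if not LOWERCASE_NAME.match(entry.name):
            continue
        if entry.is_dir() and (entry / "scrs").is_dir():
            findings.append(("high", str(entry)))
        elif entry.is_file():
            findings.append(("low", str(entry)))
    return findings


def scan(appdata):
    """Run both checks against one profile's %APPDATA% directory."""
    return {"hash_hits": hash_matches(appdata),
            "artifacts": appdata_artifacts(appdata)}


def build_sample_appdata():
    """Create a constructed (fake) %APPDATA% layout in a temp dir for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="appdata-sample-"))
    (root / "Microsoft").mkdir()                          # normal, ignored
    (root / "Config.Msi").mkdir()                         # normal, ignored
    (root / "notes.txt").write_text("benign")             # has an extension, ignored
    (root / "qwert" / "scrs").mkdir(parents=True)         # screenshot drop -> high
    (root / "qwert" / "scrs" / "1.bmp").write_bytes(b"BM")
    (root / "abcd").write_text("saplogon.exe -test\n")    # candidate keylog -> low
    (root / "empty.bin").write_bytes(b"")                 # used for a hash dry run
    return str(root)


if __name__ == "__main__":
    # On a Windows host this scans the real profile; elsewhere it uses the sample.
    target = os.environ.get("APPDATA") or build_sample_appdata()
    result = scan(target)
    for kind, path in result["artifacts"]:
        print(f"[{kind}] {path}")
    for path in result["hash_hits"]:
        print(f"[hash] {path}")
```

Run it once per user profile; the hash walk is the expensive part and can be narrowed to recently modified files. Treat the “low” findings as leads to inspect rather than verdicts, since a legitimate application can also drop an extension-less file under %APPDATA%.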

 

In summary, this is an attempted attack on SAP and not just a harmless data-gathering operation to determine whether SAP is installed. The attackers use the execution of the SAP component “saplogon.exe” as a trigger to record the command-line arguments passed to it, together with a series of 10 screenshots, and send everything to the C&C server. Combined with the keylogs and the VNC capability, the information available to the attacker will in many cases include critical data such as:

  1. Keylogs:
    • SAP password and sometimes the user name.
  2. Screenshots:
    • SAP user name, server name, some confidential data, and more.
  3. Command-line arguments:
    • Unlikely to contain sensitive information based on initial analysis of the ‘saplogon.exe’ binary.
  4. VNC:
    • A VNC session can be initiated by the attacker to grab any additional information necessary to compromise the SAP server, as well as attack the SAP server directly from the infected machine.

This trojan’s targeting of businesses, as opposed to individuals, is an alarming development, and we will be monitoring it for further developments to protect and inform our customers.

 

Mitigating the risk

To reduce the risk of, and mitigate the damage caused by, an attack like this one on SAP, a number of security policies are recommended. Some general recommendations are:

  • Access control. Grant users the minimum access privilege level required to do their job. This limits the amount of data compromised in a successful attack.
  • Two-factor authentication. A two-factor authentication process may stop this attack from succeeding, because a keylogged password alone is then no longer enough to log on.
  • Security education. Schedule training courses for all employees. A security-aware employee may avoid infection in the first place.
  • Antimalware solution. Run antimalware software on all workstations and monitor compliance. This may detect the trojan before it infects the workstation.
  • Network intrusion detection system. This may alert on the suspicious VNC connection, detect the data exfiltration, or detect the trojan’s C&C communication on the network.
  • Security management. Ensure workstations run up-to-date versions of Windows with the latest security patches applied, and that all security-critical software such as Java, Adobe Flash, Adobe Reader, Microsoft Office and web browsers is up to date. Compliance needs to be monitored and enforced.
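
For the network intrusion detection point above, here is an added Python example (not MMPC code, and not a description of Gamker’s actual C&C protocol) of the check a sensor can apply to spot a VNC session regardless of the port it uses. It assumes that the session starts with the standard RFB ProtocolVersion message (“RFB xxx.yyy” followed by a newline) and that HOME_NET is the RFC 1918 address space, and it runs over constructed sample flows rather than a real capture. Because the remote-control code is a reverse (hidden) VNC from a banking trojan, the interesting case is the infected workstation initiating an outbound connection and then itself speaking as the VNC server; the classifier checks the version string in both directions so that case is caught and rated high.

```python
"""Port-independent detection of VNC (RFB) handshakes in captured TCP flows."""
import ipaddress
import re

# Standard RFB ProtocolVersion message: "RFB xxx.yyy\n", exactly 12 bytes.
RFB_VERSION = re.compile(rb"^RFB (\d{3})\.(\d{3})\n")

# Assumption: the monitored site's internal ranges are the RFC 1918 networks.
HOME_NET = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_home_net(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def classify_flow(flow):
    """Return a finding for one TCP flow, or None if it does not look like RFB.

    `flow` carries src/sport/dst/dport plus the first payload bytes seen in
    each direction: "c2s" (initiator -> responder) and "s2c" (responder ->
    initiator). In normal RFB the server sends the version string first, so
    seeing it from the initiator means the initiator is acting as the VNC
    server, which is what a reverse VNC on an infected workstation looks like.
    """
    for direction in ("s2c", "c2s"):
        match = RFB_VERSION.match(flow.get(direction, b""))
        if match:
            break
    else:
        return None

    initiator_is_server = direction == "c2s"
    outbound = in_home_net(flow["src"]) and not in_home_net(flow["dst"])
    if initiator_is_server or outbound:
        severity = "high"      # reverse VNC, or VNC leaving the network
    elif flow["dport"] in (5900, 5901):
        severity = "low"       # ordinary internal VNC on its well-known port
    else:
        severity = "medium"    # internal VNC on an unusual port
    return {
        "src": f'{flow["src"]}:{flow["sport"]}',
        "dst": f'{flow["dst"]}:{flow["dport"]}',
        "rfb_version": f"{int(match.group(1))}.{int(match.group(2))}",
        "initiator_is_vnc_server": initiator_is_server,
        "outbound_to_internet": outbound,
        "severity": severity,
    }


def scan_flows(flows):
    """Classify a list of flows and return only the RFB findings."""
    return [f for f in map(classify_flow, flows) if f is not None]


# Constructed sample flows (not real captures).
SAMPLE_FLOWS = [
    # helpdesk VNC inside the LAN on the usual port; the server speaks first
    {"src": "10.0.0.5", "sport": 49152, "dst": "10.0.0.20", "dport": 5900,
     "c2s": b"", "s2c": b"RFB 003.008\n"},
    # workstation connects out on 443 and itself sends the RFB version string:
    # it is offering a VNC server to the remote peer (reverse VNC pattern)
    {"src": "10.0.0.7", "sport": 49200, "dst": "203.0.113.9", "dport": 443,
     "c2s": b"RFB 003.008\n", "s2c": b""},
    # TLS ClientHello / ServerHello on the same port: not RFB, no finding
    {"src": "10.0.0.7", "sport": 49201, "dst": "203.0.113.10", "dport": 443,
     "c2s": b"\x16\x03\x01\x00\xf5\x01\x00", "s2c": b"\x16\x03\x03"},
]

if __name__ == "__main__":
    for finding in scan_flows(SAMPLE_FLOWS):
        print(finding)
```

The same three tiers translate directly into sensor rules: a content match on the version string with no port constraint, one rule per direction, and a lower priority when the destination is the well-known port inside HOME_NET. Exfiltration of the keylog and screenshots will not carry this signature, so this check complements rather than replaces the C&C and data-volume detections the bullet also mentions.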

For further recommendations, guidelines, and information on additional SAP security products, consult SAP and read through their security solutions.

 

 

Geoff McDonald

MMPC

 

Appendix

 

Table 2 – Reference checksums for analyzed samples

Checksum                                       | Detection                | Comment
-----------------------------------------------+--------------------------+-----------------------------------------------
SHA1: 4e2da5a532451500e890d176d71dc878844a9baa |                          | Injects the trojan into all processes.
MD5:  c9197f34d616b46074509b4827c85675          |                          |
SHA1: 6a9e1f85068fe1e4607b993774fc9cb229cd751b | TrojanSpy:Win32/Gamker.A | Carberp-based password and information stealer.
MD5:  efe6cd23659a05478e28e08a138df81e          |                          |

Table 3 – Additional screen and command-line capture triggers under the category “IT”

TelemacoBusinessManager.exe, Ceedo.exe, FileProtector.exe, Telemaco.exe, CeedoRT.exe, contoc.exe, StartCeedo.exe, legalSign.exe, IDProtect Monitor.exe, dikeutil.exe, SIManager.exe, bit4pin.exe

Table 4 – Additional screen and command-line capture triggers under the category “ETC”

iscc.exe, rmclient.exe, Dealer.exe, visa.exe, SACLIENT.exe, info.exe, eclnt.exe, QUICKPAY.exe, ClientBK.exe, SXDOC.exe, WClient.exe, Client32.exe, UNISTREAM.exe, OnCBCli.exe, RETAIL32.exe, IMBLink32.exe, client6.exe, iWallet.exe, BUDGET.exe, UARM.exe, Bk_kw32.exe, ClntW32.exe, bitcoin-qt.exe, ARM\\ARM.exe, CLB.exe, BC_Loader.exe, el_cli.exe, Pmodule.exe, WUPostAgent.exe, PRCLIENT.exe, elbank.exe, LFCPaymentAIS.exe, RETAIL.exe, ProductPrototype.exe, EELCLNT.exe, selva_copy.exe, UpOfCards.exe, QIWIGUARD.exe, MWCLIENT32.exe, ASBANK_LITE.exe, EximClient.exe, Payments.exe, OKMain.exe, JSCASHMAIN.exe, MMBANK.exe, bb.exe, PaymMaster.exe, CSHELL.exe, EffectOffice.Client.exe, BBCLIENT.exe, startclient7.exe, ubs_net.exe, CNCCLIENT.exe, WFINIST.exe, BCLIENT.exe, terminal.exe, LPBOS.exe, ContactNG.exe, ETSRV.exe, xplat_client.exe, bankcl.exe, fcClient.exe, BANK32.exe, BBMS.exe, PinPayR.exe, kb_cli.exe, Edealer.exe, URALPROM.exe, bk.exe, DTPayDesk.exe, cb193w.exe, Qiwicashier.exe, TERMW.exe, SAADM.exe, W32MKDE.exe, RTADMIN.exe, RTCERT.exe, litecoin-qt.exe, Transact.exe, Ibwn8.exe, clcard.exe, avn_cc.exe, sapphire.exe, srclbclient.exee, Client2.exe, WebLogin.exe, rpay.exe, KBADMIN.exe, Sunflow.exe, CliBank.exe, KLBS.exe, AdClient.exe, payment_processor.exe, NURITSmartLoader.exe, Omeg\\M7.exe, SGBClient.exe, iquote32.exe, plat.exe, ibcremote31.exe, WinVal.exe, Payroll.exe, CLBank.exe, LBank.exe

Categories: Uncategorized Tags:
