Swedish Windows Security User Group

Recent disruption of the Ramnit malware family was successful due to a multinational collaboration, led by Europol’s European Cybercrime Center (EC3), in partnership with Financial Services and Information Sharing & Analysis Center (FS-ISAC), Symantec, AnubisNetworks, Microsoft’s Digital Crimes Unit (DCU), and the Microsoft Malware Protection Center (MMPC).

The MMPC has been closely monitoring Ramnit since its discovery in April 2010, as you can see by reading: Ramnit – The renewed bot in town and Little Red Ramnit: My, what big eyes you have, Grandma!

The Ramnit threat tampers with antivirus software and disables Windows Update to prevent computers from getting critical security updates through Windows Update and antivirus software. We recommend using Microsoft Safety Scanner to scan and clean the threat. Additional technical details about what Ramnit can do, and how to clean it up, can be found by visiting the Malware Protection Center and help-page respectively.

During the past six months, Microsoft detected approximately 500,000 instances of computers infected with Ramnit.

 Figure 1: Ramnit infection trend from the past six months

 

Ramnit is a module-based malware which concentrates on stealing credential information from banking websites.

Ramnit is configured to hide itself, disable security defences, and establish a connection with the Ramnit command and control server (C&C).

Ramnit generates 300 domains through a Domain Generation Algorithm (DGA), which is a function of rand and a hard-coded seed in the threat. Then, it tries to communicate to each through a custom protocol using port 443. Ramnit expects a reply from the C&C server that is signed using a RSA 1024-bit key, and uses RC4 encryption for the communication.

C&C server that is signed using a RSA 1024-bit key, and uses RC4 encryption for the communication.

See the Python implementation of DGA below:

  Figure 2: Sample Python code

 

Ramnit's design is modular to accommodate dynamic modules from the C&C server that can add additional functionality to the threat. This allows different malware modules that are pushed from the C&C server to plug into the malware framework on the user's computer and allows it to operate diskless (off of RAM).

To accomplish this, when an infected computer first contacts a C&C server, it can download one or more malware modules which give it new capabilities. For example, one module is designed to steal sensitive files from the user's computer, while a different module is designed to steal user credentials when the user logs into the website of a targeted financial institution, etc.

We have observed that Ramnit uses the following modules:

Figure 3: What a web page looks like before and after a Ramnit infection

We observed two different control servers:

• • C&C1 – the server that is contacted through DGA that controls what modules are downloaded, to provide command and VNC interface to the bot controller.
  • C&C2 – exists in the configuration file that is designed to handle web-injection responsible for stealing extra credential information.

By having two disassociated C&C, the threat gains the following advantages from its architecture:

1. 1. Dynamic content injected into webpages can change more rapidly and be tailored to the victim according to the country where the victim is located in and the websites visited.
   2. This can also act as a camouflage to hide the C&C2 from researchers, as this server is not referenced in the malware binary, reverse engineering the binary wouldn't reveal it. Identifying this server requires decryption of the configuration file sent by C&C1. The encryption algorithm used is RC4 with a machine specific key that also protects and increases the difficulty in finding it.
   3. The website content might update frequently. Updates for the website require the retrieval of a new configuration file. With this new server, it gives Ramnit bot controller the ability to put a portion of the injection code in a remote server.
   4. It allows credential information to be stored and managed separately. Figure 4 shows how the Ramnit C&C servers are organized.

Figure 4: A high-level flow of how Ramnit C&C servers operate

• Anti-AV Module

There is a significant Anti-AV function that is part of the Ramnit installer. When Ramnit is installed, it disables the following Windows components:

• Windows Firewall
• Windows Update
• Windows Defender
• Windows User Account Control

When the C&C connection was established, the C&C server sent a blacklist of more than 300 types of antivirus applications. See the detailed list in this blog: Ramnit – The renewed bot in town.

This dynamic module sent from the server was first observed in 2013 with the name "Antivirus Trusted Module v1.0.” See the technical details in this blog: Ramnit – The renewed bot in town

In recent months, this blacklist shrunk to Microsoft Anti-AV application core executables.

• FTP Grabber

The FTP Grabber enables Ramnit to steal credentials from FTP applications. One of Ramnit's propagation techniques is to implant those files with either Ramnit itself or other malware so that a user who downloads one of those files will be infected with Ramnit. See Win32/Ramnit for the detailed list of FTP Applications targeted by Ramnit. .

• Cookie Grabber

The Cookie Grabber enables Ramnit to steal browser cookie information or to forge cookies. A cookie is a piece of information sent by the web server during a web session. In the case of a banking session, the cookie might contain user credential identification information. Ramnit steals that cookie information for later use in defrauding the user.

It also shows the list of websites that the user visited so that the C&C server can send a tailored spy configuration module. See Win32/Ramnit for the detailed list of browsers targeted by Ramnit.

• VNC Module

The VNC module enables the Ramnit botnet controller to directly access and control the user's computer through a virtual network computing (VNC) connection. In other words, this allows the herder to access and completely control the user's computer. Machines with a properly configured firewall, or sit behind network address translation (NAT) won't be affected.

• Drive Scan Module

The Drive Scan module enables Ramnit to gather credential information in addition to the information gathered by the Hook-Spy module. By achieving this, this module scans the computer looking for interesting files that contain specific key words, typically associated with banking credentials. Figure 5 shows a list of keywords that this module looks for as it attempts to identify files to steal. If the Ramnit running on a user's computer can locate file names with these keywords in them, it will upload the file to the C&C server.

The Ramnit botnet controller then collects that file and reviews it for information to more effectively target the computer user.

 Figure 5: The list of keywords that Ramnit looks for

In summary, Ramnit has a hot pluggable modular framework design that gives it plenty of flexibility to extend new functionality on demand.

As always, we urge Windows users to be vigilant against malware:

• Exercise caution when opening emails or social media messages from unknown users.
• Be wary about downloading software from websites other than the program developers.
• Run an antivirus software regularly.

If you're using Windows 8 or later versions, Windows Defender is built-in. If you're running an older operating system, you can install Microsoft Security Essentials.

As a reminder to organizations invested in security, MMPC has a Coordinated Malware Eradication Program. If your organization is interested in joining or initiating an eradication campaign or participate in the CME program, please see the CME program page. You can also reach out to us at cme-invite@microsoft.com for more information. 

 

Tanmay Ganacharya, Karthik Selvaraj, and Tim Liu

MMPC

 

Recent disruption of the Ramnit malware family was successful due to a multinational collaboration, led by Europol’s European Cybercrime Center (EC3), in partnership with Financial Services and Information Sharing & Analysis Center (FS-ISAC), Symantec, AnubisNetworks, Microsoft’s Digital Crimes Unit (DCU), and the Microsoft Malware Protection Center (MMPC).

The MMPC has been closely monitoring Ramnit since its discovery in April 2010, as you can see by reading: Ramnit – The renewed bot in town and Little Red Ramnit: My, what big eyes you have, Grandma!

The Ramnit threat tampers with antivirus software and disables Windows Update to prevent computers from getting critical security updates through Windows Update and antivirus software. We recommend using Microsoft Safety Scanner to scan and clean the threat. Additional technical details about what Ramnit can do, and how to clean it up, can be found by visiting the Malware Protection Center and help-page respectively.

During the past six months, Microsoft detected approximately 500,000 instances of computers infected with Ramnit.

 Figure 1: Ramnit infection trend from the past six months

 

Ramnit is a module-based malware which concentrates on stealing credential information from banking websites.

Ramnit is configured to hide itself, disable security defences, and establish a connection with the Ramnit command and control server (C&C).

Ramnit generates 300 domains through a Domain Generation Algorithm (DGA), which is a function of rand and a hard-coded seed in the threat. Then, it tries to communicate to each through a custom protocol using port 443. Ramnit expects a reply from the C&C server that is signed using a RSA 1024-bit key, and uses RC4 encryption for the communication.

C&C server that is signed using a RSA 1024-bit key, and uses RC4 encryption for the communication.

See the Python implementation of DGA below:

  Figure 2: Sample Python code

 

Ramnit's design is modular to accommodate dynamic modules from the C&C server that can add additional functionality to the threat. This allows different malware modules that are pushed from the C&C server to plug into the malware framework on the user's computer and allows it to operate diskless (off of RAM).

To accomplish this, when an infected computer first contacts a C&C server, it can download one or more malware modules which give it new capabilities. For example, one module is designed to steal sensitive files from the user's computer, while a different module is designed to steal user credentials when the user logs into the website of a targeted financial institution, etc.

We have observed that Ramnit uses the following modules:

Figure 3: What a web page looks like before and after a Ramnit infection

We observed two different control servers:

• • C&C1 – the server that is contacted through DGA that controls what modules are downloaded, to provide command and VNC interface to the bot controller.
  • C&C2 – exists in the configuration file that is designed to handle web-injection responsible for stealing extra credential information.

By having two disassociated C&C, the threat gains the following advantages from its architecture:

1. 1. Dynamic content injected into webpages can change more rapidly and be tailored to the victim according to the country where the victim is located in and the websites visited.
   2. This can also act as a camouflage to hide the C&C2 from researchers, as this server is not referenced in the malware binary, reverse engineering the binary wouldn't reveal it. Identifying this server requires decryption of the configuration file sent by C&C1. The encryption algorithm used is RC4 with a machine specific key that also protects and increases the difficulty in finding it.
   3. The website content might update frequently. Updates for the website require the retrieval of a new configuration file. With this new server, it gives Ramnit bot controller the ability to put a portion of the injection code in a remote server.
   4. It allows credential information to be stored and managed separately. Figure 4 shows how the Ramnit C&C servers are organized.

Figure 4: A high-level flow of how Ramnit C&C servers operate

• Anti-AV Module

There is a significant Anti-AV function that is part of the Ramnit installer. When Ramnit is installed, it disables the following Windows components:

• Windows Firewall
• Windows Update
• Windows Defender
• Windows User Account Control

When the C&C connection was established, the C&C server sent a blacklist of more than 300 types of antivirus applications. See the detailed list in this blog: Ramnit – The renewed bot in town.

This dynamic module sent from the server was first observed in 2013 with the name "Antivirus Trusted Module v1.0.” See the technical details in this blog: Ramnit – The renewed bot in town

In recent months, this blacklist shrunk to Microsoft Anti-AV application core executables.

• FTP Grabber

The FTP Grabber enables Ramnit to steal credentials from FTP applications. One of Ramnit's propagation techniques is to implant those files with either Ramnit itself or other malware so that a user who downloads one of those files will be infected with Ramnit. See Win32/Ramnit for the detailed list of FTP Applications targeted by Ramnit. .

• Cookie Grabber

The Cookie Grabber enables Ramnit to steal browser cookie information or to forge cookies. A cookie is a piece of information sent by the web server during a web session. In the case of a banking session, the cookie might contain user credential identification information. Ramnit steals that cookie information for later use in defrauding the user.

It also shows the list of websites that the user visited so that the C&C server can send a tailored spy configuration module. See Win32/Ramnit for the detailed list of browsers targeted by Ramnit.

• VNC Module

The VNC module enables the Ramnit botnet controller to directly access and control the user's computer through a virtual network computing (VNC) connection. In other words, this allows the herder to access and completely control the user's computer. Machines with a properly configured firewall, or sit behind network address translation (NAT) won't be affected.

• Drive Scan Module

The Drive Scan module enables Ramnit to gather credential information in addition to the information gathered by the Hook-Spy module. By achieving this, this module scans the computer looking for interesting files that contain specific key words, typically associated with banking credentials. Figure 5 shows a list of keywords that this module looks for as it attempts to identify files to steal. If the Ramnit running on a user's computer can locate file names with these keywords in them, it will upload the file to the C&C server.

The Ramnit botnet controller then collects that file and reviews it for information to more effectively target the computer user.

 Figure 5: The list of keywords that Ramnit looks for

In summary, Ramnit has a hot pluggable modular framework design that gives it plenty of flexibility to extend new functionality on demand.

As always, we urge Windows users to be vigilant against malware:

• Exercise caution when opening emails or social media messages from unknown users.
• Be wary about downloading software from websites other than the program developers.
• Run an antivirus software regularly.

If you're using Windows 8 or later versions, Windows Defender is built-in. If you're running an older operating system, you can install Microsoft Security Essentials.

As a reminder to organizations invested in security, MMPC has a Coordinated Malware Eradication Program. If your organization is interested in joining or initiating an eradication campaign or participate in the CME program, please see the CME program page. You can also reach out to us at cme-invite@microsoft.com for more information. 

 

Tanmay Ganacharya, Karthik Selvaraj, and Tim Liu

MMPC

 

Severity Rating: Critical
Revision Note: V1.1 (February 18, 2015): Bulletin revised to add an Update FAQ that explains why there are two packages on the Microsoft Download Center pages for affected editions of Windows Server 2003, Windows Server 2008, and Windows Vista. The additional package (3037639) is not needed to be protected from the vulnerabilities addressed by the 3013455 update; it simply corrects a text quality problem that some customers experienced after installing the 3013455 update on the indicated systems.
Summary: This security update resolves six privately reported vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker convinces a user to open a specially crafted document or to visit an untrusted website that contains embedded TrueType fonts. To exploit the vulnerability an attacker would need to convince a user to open a specially crafted document or visit an untrusted website that contains embedded TrueType Fonts.

Severity Rating: Critical
Revision Note: V1.1 (February 18, 2015): Bulletin revised to add an Update FAQ that explains why there are two packages on the Microsoft Download Center pages for affected editions of Windows Server 2003, Windows Server 2008, and Windows Vista. The additional package (3037639) is not needed to be protected from the vulnerabilities addressed by the 3013455 update; it simply corrects a text quality problem that some customers experienced after installing the 3013455 update on the indicated systems.
Summary: This security update resolves six privately reported vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker convinces a user to open a specially crafted document or to visit an untrusted website that contains embedded TrueType fonts. To exploit the vulnerability an attacker would need to convince a user to open a specially crafted document or visit an untrusted website that contains embedded TrueType Fonts.

Today Microsoft announced its continued commitment to further protect customers’ privacy by obtaining the globally recognized ISO/IEC 27018 privacy standard for Microsoft Azure, Office 365, and Dynamics CRM Online. This achievement is designed to help assure customers of all sizes, that their most sensitive personal data will receive the strong privacy protections detailed in this standard.

We know that our customers rely on us as their cloud service provider, to continually enhance security, ensure data privacy and manage compliance expectations. There are a lot of certifications to pursue; you can be confident we’ll cut through the clutter and focus on what’s important. Microsoft’s achievement of the ISO 27018 standard will ensure additional practices are put in place to help protect your data. For more details on this important milestone, please read Brad Smith’s blog.

 

Revision Note: V2.3 (February 16, 2015): Revised advisory to announce the planned date for disabling SSL 3.0 by default in Internet Explorer 11.
Summary: Microsoft is aware of detailed information that has been published describing a new method to exploit a vulnerability in SSL 3.0. This is an industry-wide vulnerability affecting the SSL 3.0 protocol itself and is not specific to the Windows operating system. All supported versions of Microsoft Windows implement this protocol and are affected by this vulnerability. Microsoft is not aware of attacks that try to use the reported vulnerability at this time. Considering the attack scenario, this vulnerability is not considered high risk to customers.

Revision Note: V2.3 (February 16, 2015): Revised advisory to announce the planned date for disabling SSL 3.0 by default in Internet Explorer 11.
Summary: Microsoft is aware of detailed information that has been published describing a new method to exploit a vulnerability in SSL 3.0. This is an industry-wide vulnerability affecting the SSL 3.0 protocol itself and is not specific to the Windows operating system. All supported versions of Microsoft Windows implement this protocol and are affected by this vulnerability. Microsoft is not aware of attacks that try to use the reported vulnerability at this time. Considering the attack scenario, this vulnerability is not considered high risk to customers.

Microsoft has a new anti-malware platform update package available for the following clients:

– Microsoft System Center 2012 R2 Configuration Manager Endpoint Protection clients
– System Center 2012 Endpoint Protection Service Pack 1 (SP1) clients
– Microsoft Forefront Endpoint Protection 2010 clients

These packages update Endpoint Protection client services, drivers and UI components.

For all the details regarding the improvements and updates, please see the following:

KB3036437 – February 2015 anti-malware platform update for Endpoint Protection Clients (http://support.microsoft.com/kb/3036437)

J.C. Hornbeck | Solution Asset PM | Microsoft GBS Management and Security Division

Get the latest System Center news on Facebook and Twitter:

Main System Center blog: http://blogs.technet.com/b/systemcenter/

Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
Data Protection Manager Team blog: http://blogs.technet.com/dpm/
Orchestrator Team blog: http://blogs.technet.com/b/orchestrator/
Operations Manager Team blog: http://blogs.technet.com/momteam/
Service Manager Team blog: http://blogs.technet.com/b/servicemanager
Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Microsoft Intune: http://blogs.technet.com/b/microsoftintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
RMS blog: http://blogs.technet.com/b/rms/
App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv

Forefront Endpoint Protection blog: http://blogs.technet.com/b/clientsecurity/
Forefront Identity Manager blog: http://blogs.msdn.com/b/ms-identity-support/
Forefront TMG blog: http://blogs.technet.com/b/isablog/
Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/
Application Proxy blog: http://blogs.technet.com/b/applicationproxyblog/
The Surface Team blog: http://blogs.technet.com/b/surface/

SCEP 2012 R2 ConfigMgr 2012 R2

Microsoft has a new anti-malware platform update package available for the following clients:

– Microsoft System Center 2012 R2 Configuration Manager Endpoint Protection clients
– System Center 2012 Endpoint Protection Service Pack 1 (SP1) clients
– Microsoft Forefront Endpoint Protection 2010 clients

These packages update Endpoint Protection client services, drivers and UI components.

For all the details regarding the improvements and updates, please see the following:

KB3036437 – February 2015 anti-malware platform update for Endpoint Protection Clients (http://support.microsoft.com/kb/3036437)

J.C. Hornbeck | Solution Asset PM | Microsoft GBS Management and Security Division

Get the latest System Center news on Facebook and Twitter:

Main System Center blog: http://blogs.technet.com/b/systemcenter/

Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
Data Protection Manager Team blog: http://blogs.technet.com/dpm/
Orchestrator Team blog: http://blogs.technet.com/b/orchestrator/
Operations Manager Team blog: http://blogs.technet.com/momteam/
Service Manager Team blog: http://blogs.technet.com/b/servicemanager
Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Microsoft Intune: http://blogs.technet.com/b/microsoftintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
RMS blog: http://blogs.technet.com/b/rms/
App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv

Forefront Endpoint Protection blog: http://blogs.technet.com/b/clientsecurity/
Forefront Identity Manager blog: http://blogs.msdn.com/b/ms-identity-support/
Forefront TMG blog: http://blogs.technet.com/b/isablog/
Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/
Application Proxy blog: http://blogs.technet.com/b/applicationproxyblog/
The Surface Team blog: http://blogs.technet.com/b/surface/

SCEP 2012 R2 ConfigMgr 2012 R2

Since 2010 at least fifty governments have published strategies or initiatives that focus on cloud computing, with the trend accelerating in the last year. This growing focus on cloud adoption demonstrates that governments, like businesses, have a keen interest in realizing the benefits of cloud computing – often not just for the public sector, but their countries as a whole. By using cloud services, governments can achieve far greater computing power, better availability and resilience of data, and improved security even as they dramatically reduce their costs. Most importantly, scalable, on-demand cloud computing services can help government organizations focus on key public priorities with increased agility. In addition to saving governments direct costs, government use of cloud computing can encourage national use of a technology that is proven to empower new job creation, democratize computing and social inclusion, and increase national competitiveness.

These varied benefits and the divergent emphasis put upon them are reflected in the diversity of approaches governments have undertaken with regards cloud computing, and these paths are not set in stone. For ease of understanding we have categorized the government cloud initiatives into the following groups:

• Explanatory: These governments have taken a narrowly focused approach to cloud computing, which oftentimes results in only basic levels of cloud adoption. Their initiatives may define cloud computing and the different deployment models and apply the existing legal frameworks to the technology. While nascent government cloud project are frequently introduced, there is little debate of the risk and benefits of cloud computing. Countries in this category are as diverse as Mauritius and Denmark.
• Operational: Governments in this category take a much more actionable approach to cloud computing. They are mindful of cloud computing benefits and risks, setting practical goals for and criteria to evaluate government adoption. Moreover, they are most focused on managing public sector environments and answering current operational questions for government agencies. Countries in this category include Malaysia and Qatar.
• Aspirational: Finally, governments in the aspirational category demonstrate intentions to absorb significant benefits of cloud computing through wide adoption. Those focused on the public sector aim to increase or organize government procurement of cloud services, advancing aggressive ideas for resolving issues that might inhibit adoption. Those focused on both the public and private sectors aim to increase not only government procurement but also private-sector use of cloud services. Singapore and the European Union fall into this group.

A cursory examination of a small sample proves this: whether we look at the evolution of the cloud first model adopted by the U.S. and Australian governments and their changes over the years, the procurement-based approach introduced in the United Kingdom with G-cloud, national cloud paths being currently considered in the Philippines, Moldova or Slovenia, or the security-focused virtual data embassy initiative in Estonia, one thing is clear – no single model has emerged as predominant.

In the coming months, I will publish a series of blogs that outline what we learned from working with governments on cloud security concerns in particular. In these, I will introduce issues such as risk management, data classification and governance processes and examine whether there is a cloud strategy that governments could utilize to examine their security and compliance risk and help them on the path to realizing broader cloud benefits. Stay tuned.

 

 

Microsoft has a new anti-malware platform update package available for the following clients:

– Microsoft System Center 2012 R2 Configuration Manager Endpoint Protection clients
– System Center 2012 Endpoint Protection Service Pack 1 (SP1) clients
– Microsoft Forefront Endpoint Protection 2010 clients

These packages update Endpoint Protection client services, drivers and UI components.

For all the details regarding the improvements and updates, please see the following:

KB3036437 – February 2015 anti-malware platform update for Endpoint Protection Clients (http://support.microsoft.com/kb/3036437)

J.C. Hornbeck | Solution Asset PM | Microsoft GBS Management and Security Division

Get the latest System Center news on Facebook and Twitter:

Main System Center blog: http://blogs.technet.com/b/systemcenter/

Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
Data Protection Manager Team blog: http://blogs.technet.com/dpm/
Orchestrator Team blog: http://blogs.technet.com/b/orchestrator/
Operations Manager Team blog: http://blogs.technet.com/momteam/
Service Manager Team blog: http://blogs.technet.com/b/servicemanager
Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Microsoft Intune: http://blogs.technet.com/b/microsoftintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
RMS blog: http://blogs.technet.com/b/rms/
App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv

Forefront Endpoint Protection blog: http://blogs.technet.com/b/clientsecurity/
Forefront Identity Manager blog: http://blogs.msdn.com/b/ms-identity-support/
Forefront TMG blog: http://blogs.technet.com/b/isablog/
Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/
Application Proxy blog: http://blogs.technet.com/b/applicationproxyblog/
The Surface Team blog: http://blogs.technet.com/b/surface/

SCEP 2012 R2 ConfigMgr 2012 R2

Today we are making Beta 1 of the EF6.1.3 release available. This patch release contains only high priority bug fixes.

 

What are the 6.1.3 release timelines?

At this stage we are planning for our next release to be the RTM. This may change if we get additional reports of high priority bugs that we decide should be fixed in 6.1.3.

We expect to ship the next release sometime next month but this may change if we decided to take additional changes.

 

What’s in Beta 1?

EF6.1.3 will just contain fixes to high priority issues that have been reported on the 6.1.2 release. The fixes included in beta 1 are:

• Query: Regression in EF 6.1.2: OUTER APPLY introduced and more compex queries for 1:1 relationships and “let” clause
• TPT problem with hiding base class property in inherited class
• DbMigration.Sql fails when the word ‘go’ is contained in the text

 

Where do I get the beta?

The runtime is available on NuGet. Follow the instructions on our Get It page for installing the latest pre-release version of Entity Framework runtime.

The tooling for Visual Studio 2012 and Visual Studio 2013 is available on the Microsoft Download Center.

 

Support

This is a preview of changes that will be available in the final release of EF6.1.3 and is designed to allow you to try out the new features and report any issues you encounter. Microsoft does not guarantee any level of support on this release.

If you need assistance using the new features, please post questions on Stack Overflow using the entity-framework tag.

Antimalware vendors write signatures so that their corresponding products can detect and take action on malicious files. Every once in a while, a signature also detects a clean file – a file that doesn’t do anything malicious at all. The antimalware industry calls this a “false positive”, also referred to as an “incorrect detection”. It’s not pretty when an application or program is flagged as a false positive – users can’t run the program, customer support for that program gets deluged with calls, and the detecting antimalware/s gets a reputation hit. We, like other antimalware vendors, continuously try and make an effort to minimize the chances of us, partners, and our customers getting a false positive both as a software development company, and as a provider of antimalware solutions.

As part of this effort, we have been working closely with our partner VirusTotal – a well-known, reputable and industry-vetted online security portal where antimalware and security industry researchers, law enforcement organizations and customers can submit files and check for the presence of malicious code.

The result of this collaboration is something really exciting: VirusTotal has announced and released a new feature, called “Trusted source”. This feature communicates to the user with utmost confidence that a file can be trusted if it falls under a “Trusted source” criteria. And the first “Trusted source” feeding into this effort, we’re proud to say, is Microsoft via our Microsoft Clean-File MetaData. Now, if a user uploads a file to VirusTotal, and VirusTotal sees that the file metadata is part of Microsoft Clean-File Metadata, then VirusTotal returns this:

This can also be seen in the Additional Information tab as well:

This feature is now live for everyone to use.

The other use of this feature is that any time an antimalware solution detects a file marked as coming from a trusted source, such as Microsoft, VirusTotal informs the antimalware provider, shortening the time frame for the antimalware provider to address the problem.

With that said, we see that this feature is and will be of huge value to the industry, as well as to Microsoft customers, and there will be further improvements on this effort that can be expected as a result of our continuous collaboration with VirusTotal and the industry. We encourage other software development companies to participate in VirusTotal’s initiative.

Ivan Macalintal

Antimalware vendors write signatures so that their corresponding products can detect and take action on malicious files. Every once in a while, a signature also detects a clean file – a file that doesn’t do anything malicious at all. The antimalware industry calls this a “false positive”, also referred to as an “incorrect detection”. It’s not pretty when an application or program is flagged as a false positive – users can’t run the program, customer support for that program gets deluged with calls, and the detecting antimalware/s gets a reputation hit. We, like other antimalware vendors, continuously try and make an effort to minimize the chances of us, partners, and our customers getting a false positive both as a software development company, and as a provider of antimalware solutions.

As part of this effort, we have been working closely with our partner VirusTotal – a well-known, reputable and industry-vetted online security portal where antimalware and security industry researchers, law enforcement organizations and customers can submit files and check for the presence of malicious code.

The result of this collaboration is something really exciting: VirusTotal has announced and released a new feature, called “Trusted source”. This feature communicates to the user with utmost confidence that a file can be trusted if it falls under a “Trusted source” criteria. And the first “Trusted source” feeding into this effort, we’re proud to say, is Microsoft via our Microsoft Clean-File MetaData. Now, if a user uploads a file to VirusTotal, and VirusTotal sees that the file metadata is part of Microsoft Clean-File Metadata, then VirusTotal returns this:

This can also be seen in the Additional Information tab as well:

This feature is now live for everyone to use.

The other use of this feature is that any time an antimalware solution detects a file marked as coming from a trusted source, such as Microsoft, VirusTotal informs the antimalware provider, shortening the time frame for the antimalware provider to address the problem.

With that said, we see that this feature is and will be of huge value to the industry, as well as to Microsoft customers, and there will be further improvements on this effort that can be expected as a result of our continuous collaboration with VirusTotal and the industry. We encourage other software development companies to participate in VirusTotal’s initiative.

Ivan Macalintal

Credential theft and reuse attacks continue to be top of mind for many of the CISOs I have talked to recently. We have discussed this topic several times in the past:

• New Strategies and Features to Help Organizations Better Protect Against Pass-the-Hash Attacks
• New Guidance to Mitigate Determined Adversaries’ Favorite Attack: Pass-the-Hash
• Targeted Attacks Video Series
• You asked, we answered: #AskPtH Questions and Answers

Although pass-the-hash credential theft and reuse attacks aren’t new, more recently security researchers have been focusing on attack methods for Kerberos authentication. Kerberos authentication is achieved by the use of tickets enciphered with a symmetric key derived from the password of the server or service to which access is requested. To request such a session ticket, a special ticket, called the Ticket Granting Ticket (TGT) must be presented to the Kerberos service. The TGT is enciphered with a key derived from the password of the krbtgt account, which is known only by the Kerberos service[i].

A stolen krbtgt account password can wreak havoc on an organization because it can be used to impersonate authentication throughout the organization thereby giving an attacker access to sensitive data.

One way to help mitigate the risk of a bad actor using a compromised krbtgt key to forge user tickets is by periodically resetting the krbtgt account password. Resetting this password on a regular basis reduces the useful lifetime of krbtgt keys, in case one or more of them is compromised.

Today we are sharing the krbtgt account password reset script and associated guidance that will enable customers to interactively reset and validate replication of the krbtgt account keys on all writable domain controllers in the domain. By providing this script and associated guidance, we hope to help customers perform the reset in a way which reduces the likelihood of authentication errors caused by delayed distribution of the new krbtgt account keys in their environment.

The Reset-KrbtgtKeyInteractive-v1.4 enables customers to:

1. Perform a single reset of the krbtgt account password (it can be run multiple times for subsequent resets).
2. Validate that all writable DC’s in the domain have replicated the keys derived from the new password, so they are able to begin using the new keys.

The krbtgt account password reset script guide includes detailed information on how to use the reset script and its three modes- Informational, Estimation Mode, and Reset and offers:

1. A step-by-step list of tasks associated with performing the krbtgt account password reset.
2. Information for customers wishing to invalidate all existing TGTs by performing a double reset of the krbtgt account secret during a comprehensive Active Directory recovery.

We’ve also provided a detailed guide which helps system administrators understand the required tasks, impact to the organization, schedule and timeline, and other considerations. Together, this combination covers necessary tasks, tests, and validations that should be performed before and after the reset.

It is important to remember that resetting the krbtgt is only one part of a recovery strategy and alone will likely not prevent a previously successful attacker from obtaining unauthorized access to a compromised environment in the future. We strongly advise that customers create a comprehensive recovery plan using guidance found in the Mitigating Pass-the-Hash and Other Credential Theft, version 2.

[i] https://technet.microsoft.com/en-us/library/cc733924(v=ws.10).aspx

Today, as part of Update Tuesday, we released nine security bulletins – three rated Critical and six rated Important in severity, to address 56 unique Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows, Microsoft Office, Internet Explorer, and Microsoft Server software. 

We encourage you to apply all of these updates. For more information about this month’s security updates, including the detailed view of the Exploitability Index (XI) broken down by each CVE, visit the Microsoft Bulletin Summary webpage. If you are not familiar with how we calculate the XI, a full description can be found here.

We re-released one Security Bulletin:

• MS14-083 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution

One new Security Advisory was released:

• Update for Windows Command Line Auditing (3004375).

One Security Advisory was revised:

• Vulnerability in SSL 3.0 Could Allow Information Disclosure (3009008).

We also announced changes related to SSL 3.0 and you can read more about these on the IE blog.

For the latest information, you can follow the Microsoft Security Response Center (MSRC) team on Twitter at @MSFTSecResponse.

MSRC Team

Today, as part of Update Tuesday, we released nine security bulletins – three rated Critical and six rated Important in severity, to address 56 unique Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows, Microsoft Office, Internet Explorer, and Microsoft Server software. 

We encourage you to apply all of these updates. For more information about this month’s security updates, including the detailed view of the Exploitability Index (XI) broken down by each CVE, visit the Microsoft Bulletin Summary webpage. If you are not familiar with how we calculate the XI, a full description can be found here.

We re-released one Security Bulletin:

• MS14-083 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution

One new Security Advisory was released:

• Update for Windows Command Line Auditing (3004375).

One Security Advisory was revised:

• Vulnerability in SSL 3.0 Could Allow Information Disclosure (3009008).

We also announced changes related to SSL 3.0 and you can read more about these on the IE blog.

For the latest information, you can follow the Microsoft Security Response Center (MSRC) team on Twitter at @MSFTSecResponse.

MSRC Team

Revision Note: V1.0 (February 10, 2015): Advisory published.
Summary: Microsoft is announcing the availability of an update for supported editions of Windows 7, Windows 8, Windows Server 2008R2 and Windows Server 2012 that expands the Audit Process Creation policy to include the command information passed to every process. This is a new feature that provides valuable information to help administrators monitor, troubleshoot, and investigate security-related activities on their networks. For more information, see Microsoft Knowledge Base Article 3004375.

One year ago today, Microsoft asked people across the globe to #Do1Thing to stay safer and more secure online by taking what may have been a first step toward safeguarding their digital lifestyles. Today, on Safer Internet Day 2015, we want everyone to add to last year’s pledges and #Do1MoreThing to become cyber savvy. In addition, we’re launching new interactive resources for young people on the Microsoft YouthSpark Hub to further encourage safer online habits and practices.

Our goal is to help educate, engage and inspire people to better protect themselves and others online –all rooted firmly in the spirit of the Safer Internet Day 2015 theme: “Let’s create a better Internet together.” The hope is that each person’s one (more) thing will become a long-lasting best practice that will be shared with others and, in turn, lead to an ever-increasing number of safer online behaviors. Research shows that such effects can help create safer online experiences for every individual and a more secure online ecosystem for all.

Last year, some of the most popular “1 Thing” pledges included positive practices such as always using a four-digit PIN (personal identification number) to lock mobile devices; promises to convert to and use “strong” passwords for all devices and accounts and trying to refrain from constant phone-checking and instead “be present” in personal interactions. This year, visitors to the new online safety section of the Microsoft YouthSpark Hub may be further inspired by other online safety tips and ideas as well. One of my favorite parts of the new website is the opening section, designed to pull young people into the site, calling on them to: “Be awesome in real life and online.” From there, youth can explore comic strips, respond to polls and quizzes, and learn interesting facts and figures.

In addition, Microsoft is proud to again help sponsor the official U.S. Safer Internet Day 2015 event being held today in California. Managed by ConnectSafely.org, “Safer Internet Day 2015: Actions & Activism Toward a Better Net and World” is bringing together youth leaders, educators, policymakers, parents, Internet safety experts and representatives from the technology industry to focus not just on problems, but also on solutions for building a safer and better Internet.

When asked about this year’s theme, Larry Magid, co-director of ConnectSafely.org said Safer Internet Day’s “Let’s create a better Internet together” theme “reminds us that online and mobile safety are much more than just the absence of danger, but the presence of positive actions to improve not just the Internet but the world at large. It’s also a recognition that we’re in this together. Everyone— kids, parents, young adults, seniors, corporations, organizations and governments—has a stake and a role to play in making the Internet an even better tool for empowering the world’s citizens.”

Building on its near 20-year history in online safety, Microsoft remains committed to doing its part to help grow and shape a better and safer Internet for youth and, indeed, everyone.

For more information about staying safer and more secure online, I invite you to visit this site.

This month we added three new families to the Microsoft Malicious Software Removal Tool (MSRT) to help protect our customers: Win32/Escad, Win32/Jinupd and Win32/NukeSped.

While this blog focuses on Escad and NukeSped, we want to note that Jinupd is point-of-sale malware that steals sensitive data, such as credit card information and sends it to a malicious hacker. 

The Escad and NukeSped malware families have backdoor capabilities that have been used as part of targeted attacks.

It is clear from the binaries that we've analyzed that Escad has varying functionalities. It can perform a number of routines on a compromised machine that can be used to gather sensitive files and information, including:

• Acting as a proxy server.
• Copying files and sending them to a remote IP address.
• Downloading files remotely into the infected system.
• Enumerating files in any folder.
• Gathering machine information, such as PC name, TCP connections and network adapter information.
• Modifying firewall settings.
• Modifying IP settings.

All of these routines are components of an information-stealing payload that leaves the infected system open to other remote attacks – including the downloading and running of other malware.

It drops files to install itself as a service in order to run at system startup. We’ve seen it drop and use the following files for this purpose:

• ansi.nls    
• dayipmr.tbl         
• netmonsvc.dll       
• pmsconfig.msi       
• pmslog.msi          
• rdmgr.dll           
• remoteevtmanager.dll
• tmscompg.msi       

Accordingly, the presence of any of these files could indicate an Escad infection.

Figures 1 and 2 show the prevalence and distribution of Escad malware in recent months. 

 

Figure 1: Escad detections since December

 

Figure 2: Location of machine infected with Escad

We have recently seen NukeSped variants installed during targeted attacks against machines compromised by Escad. NukeSped can arrive on the system with one of the following file names:

• comon32.exe
• diskpartmg16.exe
• dpnsvr16.exe
• expandmn32.exe
• hwrcompsvc64.exe
• mobsynclm64.exe
• rdpshellex32.exe
• recdiscm32.exe
• taskchg16.exe
• taskhosts64.exe

The dropper that we detect as Trojan:Win32/NukeSped.A!dha installs itself as a service named WinsSchMgmt. It also drops a text file that contains a list of potentially compromised IP addresses. Part of NukeSped’s functionality is to connect to a malicious hacker from an infected machine with the ability to do any of the following:

• Check for an Internet connection.
• Download and run files (including updates or other malware).
• Enable/disable full access to these folders in compromised machine: 

• Systemroot  (root directory)
• Syswow64
• System32

• Report a new infection to its author.
• Receive configuration data.
• Receive instructions from a malicious hacker.
• Search for your PC location.
• Upload information taken from your PC.

It also drops other files such as igfxtrayex.exe, which we detect as Trojan:Win32/NukeSped.B!dha. This variant is also registered as a service named brmgmtsvc.  It drops copies of this file in the current directory with the file name taskhostxx.exe – where xx can be any letter.  It checks the architecture of the infected system and can drop either a 32-bit or 64-bit third-party driver to %Temp%usbdrv3.sys. This legitimate file is used by the malware for modifying sectors of the master boot record that prevents the machine from booting. 

It also disables the following services in the infected system:

• MSExchangeIS
• MSDEPSVC
• SSIS
• SSRS
• Termservice
• W3SVC
• WMServer

Trojan:Win32/NukeSped.B!dha also drops the file iissvr.exe in the default windows directory. We detect this file as Trojan:Win32/NukeSped.C!dha. This variant has an embedded image/sound file that is launched as an HTML page with a message that scrolls to notify the user that files on the system have been compromised by a group of hackers.

 

 

Figure 3: Page launched by Trojan:Win32/NukeSped.C!dha 

Microsoft security products, such as Microsoft Security Essentials, include detection for Escad, Jinupd and NukeSped. To help stay protected you should keep your security software up-to date and regularly run a full scan of your PC.

Joining the Microsoft Active Protection Service Community (MAPS) can also help your Microsoft security product take full advantage of Microsoft's cloud protection service.

You should also make sure you back up your files regularly to help prevent data loss that could result from a malware infection.

Marianne Mallen
MMPC