[+] Wayc0de's Blog[+]

Posts with the label Microsoft

10/11/11

Adobe, Apple, Microsoft & Mozilla Issue Critical Patches

Adobe, Apple, Microsoft and Mozilla all released updates on Tuesday to fix critical security flaws in their products. Adobe issued a patch that corrects four vulnerabilities in Shockwave Player, while Redmond pushed updates to address four Windows flaws. Apple slipped out an update that mends at least 17 security holes in its version of Java, and Mozilla issued yet another major Firefox release, Firefox 8.

The only “critical” patch from Microsoft this month is a dangerous Windows flaw that could be triggered remotely to install malicious software just by sending the target system specially crafted packets of data. Microsoft says this vulnerability may be difficult to reliably exploit, but it should be patched immediately. Information on the other three flaws fixed this week is here. The fixes are available via Windows Updates for most supported versions of the operating system, including XP, Vista and Windows 7.


Adobe’s Shockwave update also fixes critical flaws, but users should check to see if they have this program installed before trying to update it. To test whether you have Shockwave installed, visit this page; if you see an animation, it’s time to update. If you see a prompt to install Shockwave, there is no need to install it. Mozilla Firefox users without Shockwave Player installed may still see “Shockwave Flash” listed in the “Plugins” directory of the browser; this merely indicates that the user has Adobe’s Flash Player installed.

The vulnerabilities fixed by this update exist in versions of Shockwave 11.6.1.629 and earlier. The latest version, v. 11.6.3.633, is available here. As I noted earlier this year, I haven’t had Shockwave on my system for some time now and don’t seem to have missed it. I’m sure it has its uses, but to me Shockwave is just another Adobe program that requires constant care and feeding. What’s more, like Adobe’s Flash Player, Shockwave demands two separate installation procedures for IE and non-IE browsers.

Hat tip to the SANS Internet Storm Center for the heads up on the Java fix from Apple. This update, available via Software Update or Apple Downloads, essentially brings Snow Leopard and Lion up to date with the Oracle patches released last month in Java 6 Update 29 (Apple maintains its own version of Java).

If you use Mozilla Firefox or Thunderbird, you may have noticed that Mozilla is pushing out another major upgrade that includes critical fixes to these programs; both have now been updated to version 8. If you’re still running Firefox version 3.6.x, Mozilla has updated that to 3.6.24 (if anyone can help decipher Mozilla’s timeline for exactly how long it will continue to support this workhorse version of Firefox, please drop a line in the comments below). Perhaps I’m becoming a curmudgeon, but I’m growing weary of the incessant update prompts from Firefox. It seems that almost every time I start it up it’s asking to restart the browser or to remove plugins that no longer work with the latest version. I’ve been gradually transitioning more of my work over to Google Chrome, which seems faster and updates the browser and any installed plugins silently (and frequently patches oft-targeted plugins like Flash Player even before Adobe officially releases the update).

05/11/11

Zero-Day Exploit Used for DUQU

We have been closely monitoring developments on the DUQU malware since our initial blog post when the threat broke the news. And just recently, the Hungary-based security laboratory that initially reported about DUQU released more information that sheds more light into the nature of the said threat.

Their report indicates that a Microsoft Word document that triggers a zero-day kernel exploit was identified as the dropper for DUQU. Upon successful exploitation, the Microsoft Word file drops the installer files that load the DUQU components that were initially reported a couple of weeks back.

The installer files are composed of a .SYS file detected as RTKT_DUQU.B, and a .DLL file detected as TROJ_DUQU.B. RTKT_DUQU.B loads TROJ_DUQU.B into the system. TROJ_DUQU.B, on the other hand, drops and decrypts the DUQU components, RTKT_DUQU.A, TROJ_DUQU.ENC, and TROJ_DUQU.CFG. Below is a simple behavior diagram of the threat.



Details regarding the zero-day exploit used have not yet been disclosed. However, Microsoft is expected to release information on it soon. As a member of the Microsoft Active Protections Program (MAPP), if Microsoft provides information on ways we can protect customers while a security patch is being developed, we will add these protections to our products as quickly as possible and update you with that information.


This new information allows us to form more educated theories about how the DUQU attack took place. Given the use of a Microsoft Word document, it is likely that the dropper was initially delivered through email messages sent to employees of the targeted organization. This further supports our earlier hypothesis that DUQU is part of a highly targeted attack aimed at exfiltrating information from specific entities. For more information on DUQU and the nature of highly targeted attacks, please check the following reports:

We have created the proactive detections TROJ_DUQUCFG.SME and RTKT_DUQU.SME to address future variants of DUQU component files. The Threat Discovery Appliance (TDA) also protects enterprise networks by detecting the malware's network activity and its connections to the C&C server through rules 473 TCP_MALICIOUS_IP_CONN, 528 HTTP_Request_DUQU and 529 HTTP_Request_DUQU2.

Update as of November 3, 2011, 8:30 PM PST

Microsoft released a security advisory regarding the vulnerability used by DUQU.
The vulnerability exists in the Win32k TrueType font parsing engine and allows elevation of privilege. According to the advisory, a successful exploitation can allow an attacker to run arbitrary code in kernel mode.
We are currently collecting more information about this, and will update this blog entry with our findings as soon as possible.

13/10/11

Patch Internet Explorer Now

Yesterday was Microsoft's Patch Tuesday for the month of October. There were a total of eight new security bulletins--not too many, but enough to keep IT admins busy for a while. While most of the vulnerabilities addressed are not imminent threats, security experts are virtually unanimous that patching Internet Explorer should be priority one.

First, let's take a brief look at the security bulletins Microsoft released for Patch Tuesday:

MS11-075 (Vulnerability in Microsoft Active Accessibility Could Allow Remote Code Execution): Could be exploited to run malicious code from a rogue DLL file.

MS11-076 (Vulnerability in Windows Media Center Could Allow Remote Code Execution): Addresses a publicly disclosed vulnerability in Windows Media Center that could be used to run malicious code from a rogue DLL file.

MS11-077 (Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution): Fixes four different vulnerabilities in Microsoft Windows, including one that could allow an attacker to execute malicious code by luring someone to open a malicious font file.

MS11-078 (Vulnerability in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution): Fixes a critical vulnerability in .NET Framework and Microsoft Silverlight that can be exploited to run malicious code when someone visits a compromised website.

MS11-079 (Vulnerabilities in Microsoft Forefront Unified Access Gateway Could Cause Remote Code Execution): Resolves five vulnerabilities in Microsoft Forefront Unified Access Gateway, one of which could enable an attacker to execute malicious code by luring the user to visit a compromised website.

MS11-080 (Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege): Deals with a possible elevation of privileges vulnerability, but an attacker would have to log on locally to the system using valid credentials, so this presents very little risk.

MS11-081 (Cumulative Security Update for Internet Explorer): This month's Cumulative Security Update for Internet Explorer addresses eight vulnerabilities, including one which can be used to execute malicious code simply by luring a user to visit a compromised website.

MS11-082 (Vulnerabilities in Host Integration Server Could Allow Denial of Service): Deals with two vulnerabilities in Host Integration Server that could be used for a denial of service attack.

To average users and many IT admins, the descriptions all sound somewhat ominous, and--to be fair--they are all updates that should be applied if you use the affected products or services. But, only two of the security bulletins (MS11-078 and MS11-081) are rated as Critical by Microsoft, and only one of them is being pushed as a top priority by security experts.

Joshua Talbot, security intelligence manager, Symantec Security Response, says, "Internet Explorer vulnerabilities are very common targets of attackers and it will probably be no different with these. Users and IT departments should patch these right away."

Paul Henry, security and forensic analyst at Lumension, stresses about MS11-081, "None of the patched issues are related to active exploits; however users are urged to patch this as a high priority."

Andrew Storms, director of security operations at nCircle, implores, "Patching Internet Explorer should be at the top of everyone's list."

Amol Sarwate, Manager of Vulnerability Labs for Qualys, agrees, "The highest priority should be given to MS11-081 which patches a code execution vulnerability in Internet Explorer."

VMware's Jason Miller and Marcus Carey from Rapid7 also cite updating Internet Explorer as the number one priority from this Patch Tuesday. I think it is safe to say that we have a general consensus on which update is the most urgent.

Make sure you apply all updates that affect your systems as soon as possible. But, if you have testing and patch rollout processes to deal with, make sure you address MS11-081 first.

12/10/11

Apple slaps another security band-aid on iTunes

Summary: Apple patches 79 gaping security holes in the iTunes for Windows software.


Apple has shipped iTunes 10.5 to fix mountains of security problems that expose Windows users to dangerous hacker attacks.

The security patch, available for Windows 7, Windows Vista and Windows XP SP2, fixes a total of 79 documented vulnerabilities. The most serious of these flaws could allow remote code execution attacks via booby-trapped image or movie files.

The bulk of the vulnerabilities affect the open-source WebKit rendering engine that powers the iTunes Store and iTunes LP.

Details on the vulnerabilities can be found in this Apple security advisory. iTunes 10.5 is being distributed via Apple's Software Update utility for Windows; alternatively, it can be downloaded directly from the iTunes web page.

Internet Explorer 9 haunted by 'critical' security vulnerabilities

Summary: Microsoft fixes drive-by download flaws in the latest version of its dominant Internet Explorer browser and warns that exploits could emerge within 30 days.

Microsoft’s shiny new Internet Explorer 9 browser contains critical security vulnerabilities that expose users to drive-by download attacks, the company warned today.

The IE warning highlights this month’s batch of security patches from Microsoft, in which the company shipped eight security bulletins (two critical, six important) to cover gaping holes in Internet Explorer, the .NET Framework and Silverlight, Microsoft Windows, Microsoft Forefront UAG and Microsoft Host Integration Server.

According to Microsoft, the IE vulnerabilities could be exploited if a user simply surfs to a maliciously rigged website.

The IE update (MS11-081), available for all users of Microsoft Windows and all supported versions of Internet Explorer, covers at least eight documented security holes in the world’s most widely used browser. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The update fixes the vulnerabilities by modifying the way that Internet Explorer handles objects in memory and the way that Internet Explorer allocates and accesses memory, Microsoft explained.

Microsoft is urging all Windows users to treat this with the utmost priority because of the likelihood of reliable exploit code within 30 days. Malicious hackers typically reverse-engineer the patches to identify the flaws and write exploits immediately to launch malware attacks.

The second “critical” update (MS11-078) addresses a vulnerability in .NET Framework and Microsoft Silverlight that could expose users to remote code execution attacks.

The vulnerability could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a Web hosting scenario. This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions.

Microsoft warns that a victim could be exploited if he or she browses to a malicious web page with a Silverlight-enabled browser.

As with the IE patch, Microsoft expects to see “reliable exploits” for Silverlight 3 over the next 30 days.

The company also raised an alert for a third bulletin (MS11-077) that covers at least four documented vulnerabilities in Windows kernel-mode drivers (Win32k.sys).

The most severe of these vulnerabilities could allow remote code execution if a user opens a specially crafted font file (such as a .fon file) in a network share, a UNC or WebDAV location, or an e-mail attachment, the company explained.

The security update addresses the vulnerabilities by correcting the way that the Windows kernel-mode drivers validate input passed from user mode, handle the TrueType font type, allocate the proper buffer size before writing to memory, and manage kernel-mode driver objects.

This month’s Patch Tuesday batch also covers five privately reported vulnerabilities in Forefront Unified Access Gateway (UAG). The most severe of these vulnerabilities could allow remote code execution if a user visits an affected Web site using a specially crafted URL.

It also provides fixes for a solitary flaw in the Microsoft Windows Ancillary Function Driver (AFD) and two publicly disclosed vulnerabilities in Host Integration Server.

The Host Integration Server vulnerabilities could allow denial of service if a remote attacker sends specially crafted network packets to a Host Integration Server listening on UDP port 1478 or TCP ports 1477 and 1478.

Microsoft Patches 22 Security Holes, 12 Highly Exploitable, in October

Microsoft released eight security updates on Tuesday, repairing 22 security holes in its October patch release, with 12 of the 22 described as "consistently exploitable" by the company.

The October patch release includes two bulletins that Microsoft rated "critical". The two cumulative updates, repairing a clutch of vulnerabilities in the Internet Explorer Web browser and in the .NET and Silverlight frameworks, could be used to enable remote attacks in which malicious code is planted and run on vulnerable systems, Microsoft said.

The release follows advance guidance published on October 7. Microsoft warned that the critical holes could allow remote attackers to run malicious code on vulnerable systems, enabling remote attacks using drive-by download Web pages and other means. MS11-081, one of the two critical patches, fixes eight vulnerabilities in Internet Explorer versions 6 through 9 running on a variety of Windows versions. The vulnerabilities, reported to Microsoft by third-party researchers working at McAfee, TippingPoint, Google and other firms, include several ways of triggering remote code execution through Internet Explorer elements that control how IE accesses an object that has been deleted. According to Microsoft, such a flaw could be used to corrupt memory on the system running IE in a way that lets an attacker execute arbitrary code in the context of the logged-on user.

MS11-078, the second patch rated critical, fixes a remote code execution hole that affects a wide range of versions of the .NET Framework and Microsoft Silverlight on most supported versions of the Windows and Windows Server operating systems. According to Microsoft, the patched vulnerability could have allowed an attacker to create an XAML Browser Application (XBAP) or Silverlight application that runs malicious code on end-user systems. The hole could also allow remote code execution on a server running Internet Information Services (IIS), assuming the attacker could upload a malicious ASP.NET page to the vulnerable server and that the server was configured to run ASP.NET pages.

As has been noted, however, Microsoft's severity rating system is biased towards vulnerabilities that might be used to power self replicating malicious code, not necessarily based on its ability to be used in malicious attacks. The company's exploitability index is a better measure of how likely a particular vulnerability is to be used in that way.

According to the Exploitability Index Microsoft published with its October patches, MS11-076, -077 and -079 also appear to be more serious than their "Important" rating would suggest. The -076 patch, a fix for the Windows Media Center application, addresses a library loading vulnerability with an exploitability rating of "1", indicating that Microsoft's analysis suggests an attacker could consistently exploit it against the latest releases of the affected software. MS11-079, the patch for Microsoft Forefront Unified Access Gateway, contains fixes for four vulnerabilities with an exploitability rating of "1" against current versions of the product.
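The "rogue DLL" pattern behind MS11-075 and MS11-076 comes down to the order in which Windows searches for a library that an application requests by bare file name. The Python model below is an added example, not code from the original article or from Microsoft; the application directory, the file share and the name helper.dll are constructed for the illustration. The ordering follows Microsoft's documented LoadLibrary search, with and without SafeDllSearchMode, and treats KnownDLLs as always coming from the system directory; it leaves out the 16-bit system directory, application manifests and .local redirection.

```python
"""Model of the Windows DLL search order.

Added example; not code from the original article or from Microsoft.  The
application directory, the file share and the name helper.dll are constructed
for the illustration.  The ordering follows Microsoft's documented LoadLibrary
search for a bare file name, with and without SafeDllSearchMode; KnownDLLs are
always taken from the system directory.  Not modelled: the 16-bit system
directory, application manifests and .local redirection.
"""
from typing import AbstractSet, Dict, List, Optional, Tuple

SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows"]


def search_order(app_dir: str, cwd: Optional[str], path_dirs: List[str],
                 safe_dll_search_mode: bool = True) -> List[str]:
    """Directories the loader consults, in order, for a DLL named without a path.

    cwd=None models a process that removed the current directory from the
    search (for example by calling SetDllDirectory("")).
    """
    cwd_part = [cwd] if cwd is not None else []
    if safe_dll_search_mode:
        # Default since Windows XP SP2: system directories before the current directory.
        return [app_dir] + SYSTEM_DIRS + cwd_part + path_dirs
    # Legacy order: current directory immediately after the application directory.
    return [app_dir] + cwd_part + SYSTEM_DIRS + path_dirs


def resolve_dll(name: str, fs: Dict[str, AbstractSet[str]], app_dir: str,
                cwd: Optional[str], path_dirs: List[str],
                known_dlls: AbstractSet[str] = frozenset(),
                safe_dll_search_mode: bool = True) -> Optional[str]:
    """Return the path the loader would map for `name`, or None if not found.

    `fs` maps a directory to the lower-case file names it contains.
    """
    name = name.lower()
    if name in known_dlls:
        # KnownDLLs are mapped from the system copy; the directory search is skipped.
        return SYSTEM_DIRS[0] + "\\" + name
    for directory in search_order(app_dir, cwd, path_dirs, safe_dll_search_mode):
        if name in fs.get(directory, frozenset()):
            return directory + "\\" + name
    return None


# Constructed layout: an application that needs helper.dll but does not ship it,
# and a share where an attacker has placed a document plus two DLLs beside it.
APP_DIR = r"C:\Program Files\ExampleApp"
SHARE = r"\\fileserver\public"
FS: Dict[str, AbstractSet[str]] = {
    APP_DIR: {"exampleapp.exe"},
    r"C:\Windows\System32": {"kernel32.dll", "user32.dll"},
    r"C:\Windows": frozenset(),
    SHARE: {"report.doc", "helper.dll", "kernel32.dll"},
}
PATH_DIRS = [r"C:\Tools"]
KNOWN_DLLS = {"kernel32.dll", "user32.dll"}


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Three loads of interest; see the note below the block for what each shows."""
    # The user opens \\fileserver\public\report.doc, so the process's current
    # directory is the share: the missing helper.dll is found there.
    hijacked = resolve_dll("helper.dll", FS, APP_DIR, SHARE, PATH_DIRS, KNOWN_DLLS)
    # Same load after the application removed the current directory from the search.
    hardened = resolve_dll("helper.dll", FS, APP_DIR, None, PATH_DIRS, KNOWN_DLLS)
    # A KnownDLL is taken from System32 even though a copy sits beside the document.
    known = resolve_dll("kernel32.dll", FS, APP_DIR, SHARE, PATH_DIRS, KNOWN_DLLS)
    return hijacked, hardened, known


if __name__ == "__main__":
    labels = ("current dir searched", "current dir removed", "KnownDLL")
    for label, result in zip(labels, demo()):
        print("%-22s -> %s" % (label, result))
```

The first load in demo() is the case the bulletins describe: a document is opened from a share, the process's current directory becomes that share, and a DLL the application expects but does not ship is picked up from there even with SafeDllSearchMode on, because the current directory is still searched after the system directories. The second load shows the fix available to an application, taking the current directory out of the search; the third shows why a KnownDLL such as kernel32.dll cannot be planted this way.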

06/10/11

NSS Labs offers reward money for fresh exploits

The company has set aside $4,400 for rewards for working exploits for 12 vulnerabilities

NSS Labs is sweetening the pot for its ExploitHub marketplace by offering rewards to security gurus who can write working exploits for a dozen "high-value" vulnerabilities.

The company, which has set aside $4,400 in reward money, plans to give $100 to $500 to the first people to submit a working exploit for the vulnerabilities. Ten of the vulnerabilities concern Microsoft's Internet Explorer browser, and two were found in Adobe's Flash multimedia program.


The exploits must be client-side remote exploits that can result in code execution. Proof-of-concept code and denial-of-service conditions do not qualify. NSS Labs will pay the developer with American Express gift cards. Residents from countries that the U.S. has a standing embargo against are not allowed to participate.

NSS Labs said that those who win can then sell their exploits on ExploitHub, a marketplace the company set up for penetration testers to acquire exploits to test against their infrastructure. ExploitHub was set up to help with the development of penetration testing tools and to assist computer security researchers.

Those who write the winning exploits may then sell their code on ExploitHub, with NSS Labs taking a 30 percent commission. Penetration testers can also make requests via the marketplace for exploits for specific vulnerabilities. Those who want to buy exploits are vetted by NSS Labs to ensure the marketplace is not abused.

ExploitHub also only sells exploits for vulnerabilities that have been patched and does not host ones for zero-day vulnerabilities. The vulnerabilities that NSS Labs is offering the reward for are:
  1. CVE-2011-1256: Microsoft Internet Explorer CElement Memory Corruption
  2. CVE-2011-1266: Microsoft Internet Explorer VML vgx.dll Use After Free
  3. CVE-2011-1261: Microsoft Internet Explorer selection.empty Use After Free
  4. CVE-2011-1262: Microsoft Internet Explorer Redirect Memory Corruption
  5. CVE-2011-1963: Microsoft Internet Explorer XSLT Memory Corruption
  6. CVE-2011-1964: Microsoft Internet Explorer Style Object Memory Corruption
  7. CVE-2011-0094: Microsoft Internet Explorer CSS Use After Free Memory Corruption
  8. CVE-2011-0038: Microsoft Internet Explorer 8 IESHIMS.DLL Insecure Library Loading
  9. CVE-2011-0035: Microsoft Internet Explorer Deleted Data Source Object Memory Corruption
  10. CVE-2010-3346: Microsoft Internet Explorer HTML Time Element Memory Corruption
  11. CVE-2011-2110: Adobe Flash Player ActionScript Function Variable Arguments Information
  12. CVE-2011-0628: Adobe Flash Player Remote Integer Overflow Code Execution

04/10/11

Google Pushes Update For Chrome to Fix Faulty Microsoft Malware Detection

Google has pushed out an update for its Chrome browser that fixes a problem caused by the incident last week in which Microsoft Security Essentials mistakenly detected the browser as the Zeus bot and removed it from some machines. The update should automatically fix any damaged Chrome installations.

The problem was caused by an erroneous update in the Microsoft Security Essentials antimalware tool that on Friday began detecting the Chrome file as a piece of malware called "PWS:Win32/Zbot", which is another name for the Zeus bot, the infamous banking Trojan that has been wreaking havoc for several years. Users immediately began noticing the problem and Microsoft pushed out an emergency update to the antimalware suite to fix the issue on their end.

But some users still had problems and couldn't get Chrome to work again, even after it was reinstalled. So Google has released an update for the browser that will repair it. The company said that if the browser is running fine on your PC, then there's no need to take any further actions. The new update to Chrome should prevent users from having to uninstall and reinstall Chrome themselves.

There's more information on the new updates on the Google Chrome Releases blog. The company also has step-by-step instructions for users who need to know how to manually uninstall and reinstall the browser.

02/10/11

Windows 8 anti-virus has a long way to go

When Microsoft unveiled the Developer Preview of Windows 8 two weeks ago, one of the items to get the most attention was its included, unmanaged anti-virus solution.

I was interested in what capabilities it might have and how it would present itself to users who stumble across something malicious.

Naturally I installed it on a virtual machine and to a spare disk on a full workstation in my lab. What to test first?
If there is one thing guaranteed to be safe and still be an effective test it would be EICAR.

According to the EICAR website the EICAR test file allows someone to safely trigger a "virus incident in order to test their corporate procedures, or of showing others in the organisation what they would see if they were hit by a virus."
That's perfect. I need a detection, but I prefer not to handle live malware. Safely testing live malware samples is scary dangerous.

There are some very thorough testing organizations that can evaluate protection much more effectively than most home grown testing operations.
That is why we always use EICAR, as every (or so I thought!) anti-virus and security product will detect EICAR to allow for safe testing.

I first tried to download the EICAR test file from eicar.org using Internet Explorer 10. IE informed me that this was a malicious download and would not allow me to save it. Pass!
I then opened notepad and pasted in the 68 magical bytes, chose Save As and named it EICAR.COM. It showed up in my explorer window with no complaints.

I then tried to click the file and it vanished!? No warning, no messages logged in Event Viewer (that I could find). Fail! EICAR should always cause an alert...
So I tried another test and inserted a USB memory stick with EICAR.COM preloaded onto it. When I tried to copy the file from the USB stick to the Documents folder it did so without complaint.

If I tried to run EICAR.COM it gives an error, which is expected as EICAR is a DOS program and cannot execute on Windows 8, but I *should* get a virus warning, shouldn't I?
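The EICAR steps above can be scripted rather than pasted into Notepad by hand. The Python below is an added example, not code from the original post or from EICAR. It assembles the published 68-character test string from two halves (so that the script's own source file is not flagged by a scanner), writes it out as EICAR.COM, and checks a file against the rules for a valid test file: the 68 bytes first, then only whitespace, total length at most 128 bytes. The file name and the trailing CRLF are choices made for the example.

```python
"""Build and validate the EICAR anti-virus test file.

Added example; not code from the original post or from EICAR.  The signature
is the published 68-character test string, assembled from two halves so that
this source file is not itself detected by scanners.  Written to disk, the
bytes form a real 16-bit DOS .COM program that prints the text after the '$'.
"""
import os

# Whitespace the EICAR specification allows after the 68-byte string:
# space, tab, CR, LF and Ctrl-Z.
EICAR_TRAILING_WHITESPACE = frozenset(b" \t\r\n\x1a")
EICAR_MAX_FILE_LENGTH = 128


def eicar_bytes() -> bytes:
    """Return the canonical 68-byte EICAR test string."""
    first_half = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
    second_half = "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
    return (first_half + second_half).encode("ascii")


def is_eicar_file(data: bytes) -> bool:
    """True if `data` is a valid EICAR test file under the published rules:
    it starts with the 68-byte string, anything after it is whitespace only,
    and the whole file is at most 128 bytes long."""
    signature = eicar_bytes()
    if len(data) > EICAR_MAX_FILE_LENGTH or not data.startswith(signature):
        return False
    return all(b in EICAR_TRAILING_WHITESPACE for b in data[len(signature):])


def write_eicar_file(path: str, trailing: bytes = b"\r\n") -> int:
    """Write a test file to `path` and return the number of bytes written.

    A scanner with on-write protection may delete or quarantine the file the
    moment it lands, which is exactly the reaction the test is meant to provoke.
    """
    data = eicar_bytes() + trailing
    if not is_eicar_file(data):
        raise ValueError("trailing bytes would make this an invalid EICAR file")
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


if __name__ == "__main__":
    # File name chosen for the example; the post used EICAR.COM as well.
    target = os.path.join(os.getcwd(), "EICAR.COM")
    written = write_eicar_file(target)
    print("wrote %d bytes to %s; still present afterwards: %s"
          % (written, target, os.path.exists(target)))
```

Run it on the system under test and compare the "still present" line with what the product logs: a file that disappears with no alert and no Event Viewer entry, as described above, is the behaviour the post is complaining about, and is_eicar_file() is also handy for confirming that a hand-made or USB-copied test file was not mangled (an extra leading byte or a line ending that pushes it past 128 bytes makes it an invalid test file that a scanner is entitled to ignore).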

Windows 8 accessing EICAR without detection

I was very confused and began to wonder whether Windows 8 really had anti-virus at this point.

I took one of my virtual machines into our lab to test it against a few samples to see what would happen.

All of the samples were between six and twelve months old, so nothing bleeding edge here. I tested Mac, Linux and Windows malware to see if it had cross-platform capabilities as well.

Windows 8 anti-virus detection

The result? It captured about 50% of the malware samples I threw at it. Clearly there is a lot of work to be done with regard to detection.

It did successfully pick up quite a few fake anti-virus samples for Mac and Windows, as well as some copies of Linux/RST-B.

It also recorded some events under the Windows Defender category in Event Viewer for the detections it alerted me to.

Windows Defender event log on Windows 8

This is an early preview and I am sure many improvements are planned. It's good to see Microsoft is detecting malicious software for the three major platforms.
Microsoft does need to fix the detection of EICAR. The way things work currently will only encourage people to take unnecessary risks with real malware samples for testing.

If you are testing Windows 8 on a live network, I would recommend you install a third-party anti-virus program as well. While Windows Defender caught some samples, it isn't ready for prime time yet.


The next frontier in fearing the iPad

Some in IT keep looking for another reason to say no to the world of consumerized IT; mobile DLP is their latest attempt to regain control

In 2010, scaredy-cat IT and security folks wrung their hands over users bringing in their own smartphones and tablets. In early 2011, they wrung their hands over how to control the applications on those devices. Now they're wringing their hands over data leakage from those devices, prompting security vendors to offer mobile DLP (data loss prevention) tools. Zenprise is the first, but you can bet more will follow. (Have you heard of any iPad- or iPhone-related data breaches? I didn't think so.)

I have to give these folks credit: They're persistent in finding ways to say no to modern technology and the realities of today's "consumerized IT," or at least to look for new ways to bind it up in hopes maybe it'll strangle to death. (Good luck with that.) Of course, it's the iPad that seems to stoke these folks' fears the most -- ironically, because it can connect to business systems and actually work with much business data, so people want and use it.


Let's be clear: There is data to protect, and I don't believe "anything goes" is the right policy. And there is some technology worth considering to do so, as I describe later. But I see another agenda behind many of these claims of security concerns. I notice, for example, that companies citing fears over sensitive data emailed to an iPad, or over users having unapproved apps on an Android tablet, don't have the same concern about data emailed to computers, or about the fact that they happily let employees work after hours from home computers full of personal apps. There's a double standard that reeks of a hidden agenda to block the shift to employee-driven technology, or to assert new levels of self-justified control in a perverse land grab for relevance or job security.

A good test of whether a security policy is legitimate is if it is applied equally to all endpoints. These days, many endpoints are in use, and we will not go back to the day of employees all working at a corporate office on corporate PCs unconnected to the Internet and locked out from the rest of the world. It's 2011, not 1981. A second good test is whether its cost (in money, lost flexibility, lost opportunity, and time) is worth whatever is being secured.

The fact is, the iPad and all the other mobile devices that have enjoyed so much uptake by individuals and enlightened businesses bring tremendous benefit. More work can be done in more places, improving customer satisfaction and the company's bottom line. Employees can use the tools and devices that fit their personal style, reflecting and honoring what they bring to the table -- they are not robots, after all. And they can use a mix of personal and business tools, which helps the business because now they work more and across additional hours of the day. Additionally, this compensates the employee by letting them reclaim some of that time for their personal lives.


Proposing one problem, but addressing another

Back to this third wave of fear over data on iPads: This week, Zenprise announced an iPad app and related server software that lets iPad users access SharePoint files on their tablets, with the permissions and restrictions honored on the iPad. That's great -- Microsoft's approach to SharePoint has been to restrict it to Windows PCs and Windows Phone 7 smartphones, which only encourages employees to copy the files to cloud storage, email them, and otherwise work outside of SharePoint when they're using an iPad, Android tablet, Mac, or a home PC. This tool addresses some of the security risk created by Microsoft's lock-in strategy for SharePoint. (Zenprise plans a version for Android next year. It started with iPads because they are so widely used in business.)

But Zenprise's pitch didn't start so constructively. It first took the fearmongering route, using an example of the increasingly common practice of boards of directors using iPads to work with the sensitive documents in board meetings rather than going with paper copies. In this regard, corporate boards aren't alone: I learned during a work trip earlier this year that several counties in Florida now give their boards of supervisors iPads to review legislative and regulatory proposals, as they are easier to set up and use than computers.

The Zenprise pitch was that a DLP tool would keep such sensitive documents secure -- except it wouldn't. If the data were emailed, as I was informed, once the data left the organization to its legitimate, DLP-approved recipients, those files could be abused as desired on an iPad, a computer, or any other device with email access. Plus, in Zenprise's case, its DLP is limited to files accessed directly from SharePoint, so it wouldn't address an emailed document. For any documents accessed directly from SharePoint that the user had permission to edit locally, that local copy is not managed by SharePoint or the Zenprise app (it's now in another app, for editing), so it's now free for abuse. The tool does not address the example problem.

The other scary scenario in the pitch was the notion that IT set the data security policies. That's a mistake. Document access policies are a legal and business decision, not one that IT should make. IT should provide the tools to implement the policies and to monitor their compliance, but if IT has to decide what to protect -- or even if someone has to go to IT to protect a document, rather than do it directly -- something is seriously wrong with your technology management.

I don't mean to pick on Zenprise. The folks there try to balance the demands of their customers (for a security vendor, that means the most paranoid ones) with the realities of the users who ultimately deploy their customers' tools. But when a nuanced vendor like Zenprise goes down the fearmongering path, you can only imagine what the more old-school firms will say when they decide to join in.

A better approach to securing corporate data on the iPad

What's changed in business in the last decade (it started with working at home, not with iPads) is that information has to flow to be useful, because different people who may not even be in your organization need to create, refine, and act on it. That means it goes through multiple endpoints and a variety of tools. The old-fashioned approach was to standardize everything on a common platform and toolset, with the common security layer across it all -- the classic model for IT control. But that doesn't work when the world is heterogeneous and by definition not standardized. That's what it is today in most places, and traditional IT control doesn't fit that new world.

Within a SharePoint context, letting iPad users participate within the same rules as Windows users is a good thing. But at the end of the day, it's a partial solution attacking the wrong problem. And let's be honest, Zenprise is not offering a DLP tool but a mobile SharePoint client. That's a good thing for many companies in the here and now that use SharePoint, but it only works in the SharePoint context. If anything, the "consumerization of IT" phenomenon should teach IT that point solutions are insufficient in a heterogeneous context.

So, if you were to use the Zenprise SharePoint client, you couldn't stop there. You might also want to deploy a remote access tool that has the iPad user work with the data virtually so that sensitive information never leaves the managed server -- not just SharePoint servers -- in the first place. That approach of course requires expensive, management-heavy, and bandwidth-intensive desktop virtualization.

Of course, there's a simpler twist on that approach: Using services like Accellion and Box.net that let you set up access-managed shared folders, where documents are restricted to a managed workspace on the mobile device. The problem with these services is that they restrict the users to basic reading and commenting; an employee who wants to work on a proposal or presentation is either prevented from doing so or moves the files to another app, breaking the management control over that file. But that could change: both companies, as well as GoodReader and six others are looking to implement MobileIron's content management API in their apps; not yet in beta, this technology would let IT set policies for content via an MDM tool that the apps would enforce.

A better approach for many companies than all of these would be to extend traditional DLP to mobile devices. DLP works by funneling data traffic to a server that analyzes the content and applies its rules to it (usually just flagging suspect transmissions, but sometimes acting on them, such as to block the transmission).

That way, you're handling all apps and communications, regardless of the endpoint device, through a universal filter at the data center, where this effort should happen anyhow. In fact, the endpoint device isn't involved, so you don't need to worry about whether an app or OS gives you the visibility you need; all you need to do at the endpoint is ensure that its communication is routed through the DLP server. I suspect we'll see DLP tools get extended just that way to handle the new generation of mobile devices -- I sure hope so.

But over the longer term, DLP itself suffers from being an island. It can handle data sent over communications channels, but there are other means to get data from devices, such as local file copying. Ultimately, what we need is digital rights management that works across apps and platforms -- a universal standard that carries the DLP rules with the data itself. Until it exists (if it ever does, considering how proprietary the tech industry has become again, though MobileIron's effort could be a jumpstart), IT is stuck with old approaches that don't fit the new world in which IT still has to provide security.

No easy answers for legitimate IT security needs

Even IT and security leaders who aren't looking to enrich security vendors by asking for more tools that won't really work have a problem: How to secure all the data (and just the data) that needs to be protected while supporting the shift to employee-provided technology and its accompanying flexibility. However, there's no good answer -- yet.

Flexibility and control are a hard combination to get. But users will accept that goal and work with you on it. Remember, not all problems are solved with technology; people are good tools, too. You can start by not trying to recapture mainframe-era IT control, but instead figuring out what data really needs to be protected. From there, you can manage, monitor, and log access to the data so that it's available to those you trust. If it leaks, you might also know who's broken that trust.

If you try to use security to block the flexibility that consumerized IT is really all about, you'll drive your users underground (which increases your security risk), waste lots of money on tools that don't work as you want, and get in the way of your business's ability to work well, setting a path to failure and, ultimately, oblivion.

Microsoft security update treats Chrome as malware

Redmond releases same-day correction, but not before Windows Security purges Chrome from user systems

Microsoft issued today an update to its security software that wrongly identified Google Chrome as malware and purged it from users' systems accordingly. The Redmond giant has since fixed the mistake, but it has left Google with the task of dealing with the fallout.

Coincidentally (of course), the faux pas comes on the heels of news from StatCounter that Chrome is poised to overtake Firefox this year as the No. 2 most-popular browser in the world.

"Google Chrome has been incorrectly marked as malware by Microsoft security software. Please update your Microsoft security software to version 1.113.672.0, which resolves this issue," according to an alert over at the Google Chrome forums.

Microsoft, meanwhile, posted a somewhat vague alert of its own, stating that it had released a security update today with "an incorrect detection for PWS:Win32/Zbot," a password-stealing Trojan that monitors for visits to certain websites. However, Microsoft neglected to specify in its update just what impact this "incorrect detection" had; the update doesn't even mention Chrome. Evidently, Microsoft would prefer to let Chrome users and Google deal with figuring out why, exactly, Microsoft Security Center suddenly started deeming Chrome a security threat and purging it from users' systems.

To Microsoft's credit, it did issue a second update the same day that addresses the error: Signature versions 1.113.672.0 and higher include this update.

One affected Chrome user, with the screen name chasd.harris, started a thread on the Google Chrome forums to report his experience. "I have been using Chrome on my office PC for over a year. This morning, after I started up the PC, a Windows Security box popped up and said I had a security problem that needed to be removed," he wrote. "I clicked the Details button and saw that it was 'PWS:Win32/Zbot.' I clicked the Remove button and restarted my PC. Now I do not have Chrome. It has been removed or uninstalled. The Chrome.exe file is gone. Was there really a problem, or is this just a way for Microsoft to stick it to Google?"

Google reps also provided instructions as to how to go about re-installing Chrome.
  1. Check that Chrome has been uninstalled.
  2. Go to Microsoft Security Essentials (MSE) and update, then verify that the version has a signature of 1.113.672.0 or higher.
  3. Reinstall Chrome.
  4. Perform a full scan of MSE again.


Microsoft Pushes Emergency Update After Security Products Call Chrome "Banking Trojan"

Microsoft was forced to push out an emergency update to its Security Essentials and Forefront products Friday after users complained that an updated virus signature intended to spot the Zeus Trojan was, instead, flagging and even removing instances of Google's Chrome Web browser.

The fireworks began early Friday, after Microsoft released an otherwise innocuous signature update for the common Zeus - or Zbot - banking Trojan.

Shortly after it was released, users of Microsoft's Windows Security Essentials and Forefront Security began complaining on Twitter that the products were flagging Chrome as evidence of a Zbot infection and encouraging users to uninstall the product. The Redmond, Washington software firm responded quickly to the complaints, releasing an update to the signature within hours that corrected the detection problem, according to a post on Microsoft's Web page.

"On September 30th, 2011, an incorrect detection for PWS:Win32/Zbot was identified. On September 30th, 2011, Microsoft released an update that addresses the issue." the company said, without mentioning that it was the Chrome browser that was affected.

But users took notice, with many, mindful of Microsoft's reputation as a no-holds-barred competitor, wondering whether the bad signature was a slip-up or a stealth effort to grab back some market share.

"Classifying your competition as malware might be taking things too far MS," wrote a Twitter user with the handle @bryanbrannigan. "Love it! Microsoft Security Essentials just zapped my Google Chrome browser. Let the war begin!" wrote a Twitter user with the handle @EnukSears.

Chrome users who took the bait and allowed their browser to be removed by the Microsoft anti-malware software were less pleased. Uninstalling Chrome can cause the loss of bookmarks and other browser plug-ins, as well as require a restart of the "infected" system.

Zeus is a ubiquitous Trojan horse program that is often used to steal credentials from online banking customers using both Windows and common mobile platforms. The Zeus source code was leaked online in May and now Zeus components are showing up in a wide range of malware.

Faulty Microsoft AV update nukes Chrome browser

Summary: Microsoft has confirmed that its security tools erroneously removed the Google Chrome browser from Windows machines, marking it as a variant of the notorious Zeus (Zbot) malware family.


UPDATE: Microsoft has confirmed that this was caused by a faulty anti-virus definition update that affected about 3,000 Windows users.

Here’s Microsoft’s statement:

“On September 30th, 2011, an incorrect detection for PWS:Win32/Zbot was identified and as a result, Google Chrome was inadvertently blocked and in some cases removed from customers' PCs. We have already fixed the issue — we released an updated signature (1.113.672.0) at 9:57 am PDT — but approximately 3,000 customers were impacted.”

A Microsoft spokesperson says affected users should manually update Microsoft Security Essentials (MSE) with the latest signatures. 

“To do this, simply launch MSE, go to the update tab and click the Update button, and then reinstall Google Chrome. We apologize for the inconvenience this may have caused our customers,” the spokesperson said.

ORIGINAL REPORT:

There are numerous reports circulating that the Microsoft Security Essentials anti-malware utility is flagging Google’s Chrome browser as a password-stealing trojan.

In what appears to be a crucial false-positive, Microsoft’s security tools are removing Chrome from Windows machines, marking it as a variant of the notorious Zeus (Zbot) malware family.

Complaints from Chrome users are lighting up support forums this morning:

I have been using Chrome on my office PC for over a year.  This morning, after I started up the PC, a Windows Security box popped up and said I had a Security Problem that needed to be removed.  I clicked the Details button and saw that it was “PWS:Win32/Zbot”.  I clicked the Remove button and restarted my PC.  Now I do not have Chrome.  It has been removed or uninstalled.  The Chrome.exe file is gone.  Was there really a problem, or is this just a way for Microsoft to stick it to Google?  If I reinstall Chrome, will it have my bookmarks and other settings?  Not sure what to do about this, but I much prefer Chrome to Explorer.

And another:

I just tried to reinstall Chrome, and Windows Security stopped it.  Again citing a “severe” threat, “PWS:Win32/Zbot”.  What is going on here?

This Chrome user narrows down the problem:

I have the issue as well. Microsoft Security Essentials is removing it.
MSE Versions:

Security Essentials Version: 2.1.1116.0
Antimalware Client Version: 3.0.8402.0
Engine Version: 1.1.7702.0
Antivirus definition: 1.113.656.0
Antispyware definition: 1.113.656.0

In addition to Microsoft Security Essentials, the Microsoft Forefront Endpoint Protection product is also detecting and removing Google Chrome as a malware threat. Both products share the same anti-malware engine.

29/09/11

The Inside Story of the Kelihos Botnet Takedown

Earlier this week, Microsoft released an announcement about the disruption of a dangerous botnet that was responsible for spam messages, theft of sensitive financial information, pump-and-dump stock scams and distributed denial-of-service attacks.

Kaspersky Lab played a critical role in this botnet takedown initiative, leading the way to reverse-engineer the bot malware, crack the communication protocol and develop tools to attack the peer-to-peer infrastructure. We worked closely with Microsoft’s Digital Crimes Unit (DCU), sharing the relevant information and providing them with access to our live botnet tracking system.

A key part of this effort is the sinkholing of the botnet. It’s important to understand that the botnet still exists – but it’s being controlled by Kaspersky Lab. In tandem with Microsoft’s move to the U.S. court system to disable the domains, we started to sinkhole the botnet. Right now we have 3,000 hosts connecting to our sinkhole every minute. This post describes the inner workings of the botnet and the work we did to prevent it from further operation.

Let's start with some technical background: Kelihos is Microsoft's name for what Kaspersky calls Hlux. Hlux is a peer-to-peer botnet with an architecture similar to the one used for the Waledac botnet. It consists of layers of different kinds of nodes: controllers, routers and workers. Controllers are machines presumably operated by the gang behind the botnet. They distribute commands to the bots and supervise the peer-to-peer network's dynamic structure. Routers are infected machines with public IP addresses. They run the bot in router mode, host proxy services, participate in a fast-flux collective, and so on. Finally, simply put, workers are infected machines that do not run in router mode. They are used for sending out spam, collecting email addresses, sniffing user credentials from the network stream, etc. A sketch of the layered architecture is shown below with a top tier of four controllers and worker nodes displayed in green.

Figure 1: Architecture of the Hlux botnet

Worker Nodes

Many computers that can be infected with malware do not have a direct connection to the Internet. They are hidden behind gateways, proxies or devices that perform network address translation. Consequently, these machines cannot be accessed from the outside unless special technical measures are taken. This is a problem for bots that organize infected machines in peer-to-peer networks as that requires hosting services that other computers can connect to. On the other hand, these machines provide a lot of computing power and network bandwidth.

A machine that runs the Hlux bot would check if it can be reached from the outside and if not, put itself in the worker mode of operation. Workers maintain a list of peers (other infected machines with public IP addresses) and request jobs from them. A job contains things like instructions to send out spam or to participate in denial-of-service attacks. It may also tell the bot to download an update and replace itself with the new version.


Router Nodes

Routers form some kind of backbone layer in the Hlux botnet. Each router maintains a peer list that contains information about other peers, just like worker nodes. At the same time, each router acts as an HTTP proxy that tunnels incoming connections to one of the Controllers. Routers may also execute jobs, but their main purpose is to provide the proxy layer in front of the controllers.

Controllers

The controller nodes are the top visible layer of the botnet. Controllers host a nginx HTTP server and serve job messages. They do not take part in the peer-to-peer network and thus never show up in the peer lists. There are usually six of them, spread pairwise over different IP ranges in different countries. Each two IP addresses of a pair share an SSH RSA key, so it is likely that there is really only one box behind each address pair. From time to time some of the controllers are replaced with new ones. Right before the botnet was taken out, the list contained the following entries:

193.105.134.189
193.105.134.190
195.88.191.55
195.88.191.57
89.46.251.158
89.46.251.160

The Peer-to-Peer Networks

Every bot keeps up to 500 peer records in a local peer list. This list is stored in the Windows registry under HKEY_CURRENT_USER\Software\Google together with other configuration details. When a bot starts on a freshly infected machine for the first time, it initializes its peer list with some hard-coded addresses contained in the executable. The latest bot version came with a total of 176 entries. The local peer list is updated with peer information received from other hosts. Whenever a bot connects to a router node, it sends up to 250 entries from its current peer list, and the remote peer sends 250 of its entries back. By exchanging peer lists, the addresses of currently active router nodes are propagated throughout the botnet. A peer record stores the information shown in the following example:

m_ip: 41.212.81.2
m_live_time: 22639 seconds
m_last_active_time: 2011-09-08 11:24:26 GMT
m_listening_port: 80
m_client_id: cbd47c00-f240-4c2b-9131-ceea5f4b7f67

The peer-to-peer architecture implemented by Hlux has the advantage of being very resilient against takedown attempts. The dynamic structure allows for fast reactions if irregularities are observed. When a bot wants to request jobs, it never connects directly to a controller, no matter if it is running in worker or router mode. A job request is always sent through another router node. So, even if all controller nodes go off-line, the peer-to-peer layer remains alive and provides a means to announce and propagate a new set of controllers.

The Fast-Flux Service Network

The Hlux botnet also serves several fast-flux domains that are announced in the domain name system with a TTL value of 0 in order to prevent caching. A query for one of the domains returns a single IP address that belongs to an infected machine. The fast-flux domains provide a fall-back channel that can be used by bots to regain access to the botnet if all peers in their local list are unreachable. Each bot version contains an individual hard-coded fall-back domain. Microsoft unregistered these domains and effectively decommissioned the fall-back channel. Here is the set of DNS names that were active before the takedown – in case you want to keep an eye on your DNS resolver. If you see machines asking for one of them, they are likely infected with Hlux and should be taken care of.

hellohello123.com
magdali.com
restonal.com
editial.com
gratima.com
partric.com
wargalo.com
wormetal.com
bevvyky.com
earplat.com
metapli.com

The botnet further used hundreds of sub-domains of ce.ms and cz.cc that can be registered without a fee. But these were only used to distribute updates and not as a backup link to the botnet.
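The article suggests watching your DNS resolver for the fall-back domains above. As an added example (not part of the original post, and not a Kaspersky tool), the following script scans BIND-style query log lines for those domains and, at lower confidence, for sub-domains of the free ce.ms and cz.cc parents the text says were used for update distribution. The log format, the regex and the sample lines are assumptions constructed for this example; adjust the regex to your resolver's format.

```python
import re

# Fall-back domains listed in the write-up above (an exact query or any
# sub-domain of one of these is a strong indicator).
HLUX_FALLBACK_DOMAINS = {
    "hellohello123.com", "magdali.com", "restonal.com", "editial.com",
    "gratima.com", "partric.com", "wargalo.com", "wormetal.com",
    "bevvyky.com", "earplat.com", "metapli.com",
}

# Free sub-domain parents the article says carried bot updates only.
# The parent itself is not suspicious; only sub-domains of it are flagged.
UPDATE_PARENT_DOMAINS = {"ce.ms", "cz.cc"}

SEVERITY_RANK = {"low": 1, "high": 2}

# Assumed BIND-style query log line, e.g.
# "08-Sep-2011 11:24:26.001 client 10.0.0.7#51234: query: magdali.com IN A + (10.0.0.1)"
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(qname):
    """Lower-case the name and drop a trailing root dot ("WORMETAL.COM." -> "wormetal.com")."""
    return qname.rstrip(".").lower()


def classify(qname):
    """Return (severity, matched_parent) for a suspicious name, or None.

    Walks the name from the full label set toward the apex so that
    "www.magdali.com" matches "magdali.com" and "update1.cz.cc" matches "cz.cc".
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in HLUX_FALLBACK_DOMAINS:
            return ("high", candidate)
        # i > 0 means a real sub-domain, not the bare parent "cz.cc"
        if candidate in UPDATE_PARENT_DOMAINS and i > 0:
            return ("low", candidate)
    return None


def scan(lines):
    """Yield one finding per suspicious query; lines that do not parse are skipped."""
    findings = []
    for line in lines:
        match = QUERY_RE.match(line)
        if not match:
            continue
        verdict = classify(match.group("qname"))
        if verdict is None:
            continue
        severity, parent = verdict
        findings.append({
            "ts": match.group("ts"),
            "client": match.group("client"),
            "qname": normalize(match.group("qname")),
            "parent": parent,
            "severity": severity,
        })
    return findings


def suspect_hosts(findings):
    """Collapse findings to {client_ip: highest severity seen}."""
    hosts = {}
    for f in findings:
        current = hosts.get(f["client"])
        if current is None or SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[current]:
            hosts[f["client"]] = f["severity"]
    return hosts


# Constructed sample log for this example (not real traffic).
SAMPLE_LOG = """\
08-Sep-2011 11:24:26.001 client 10.0.0.7#51234: query: magdali.com IN A + (10.0.0.1)
08-Sep-2011 11:24:27.002 client 10.0.0.7#51235: query: www.google.com IN A + (10.0.0.1)
08-Sep-2011 11:25:01.003 client 10.0.0.9#40001: query: update1.cz.cc IN A + (10.0.0.1)
08-Sep-2011 11:25:05.004 client 10.0.0.12#40002: query: mail.example.org IN MX + (10.0.0.1)
08-Sep-2011 11:26:00.005 client 10.0.0.7#51236: query: WORMETAL.COM. IN A + (10.0.0.1)
08-Sep-2011 11:26:30.006 client 10.0.0.15#40003: query: cz.cc IN A + (10.0.0.1)
this line is not a query log entry
"""

if __name__ == "__main__":
    results = scan(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f['ts']} {f['client']} {f['severity']:4s} {f['qname']} (matched {f['parent']})")
    for host, sev in sorted(suspect_hosts(results).items()):
        print(f"host {host}: {sev} confidence, likely Hlux if high")
```

A host that resolves one of the fall-back names is, per the article, only doing so because every peer in its local list was unreachable, so a hit is worth a cleanup ticket rather than a watch-list entry.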

Counteractions

A bot that can join the peer-to-peer network won't ever resolve any of the fall-back domains – it does not have to. In fact, our botnet monitor has not logged a single attempt to access the backup channel during the seven months it was operated, because at least one other peer has always been reachable.

The communication for bootstrapping and receiving commands uses a special custom protocol that implements a structured message format, encryption, compression and serialization. The bot code includes a protocol dispatcher to route incoming messages (bootstrap messages, jobs, SOCKS communication) to the appropriate functions while serving everything on a single port. We reverse engineered this protocol and created some tools for decoding botnet traffic. Being able to track bootstrapping and job messages for an intentionally infected machine provided a view of what was happening with the botnet, when updates were distributed, what architectural changes were undertaken and also, to some extent, how many infected machines participate in the botnet.


Figure 2: Hits on the sinkhole per minute

This Monday, we started to propagate a special peer address. Very soon, this address became the most prevalent one in the botnet, resulting in the bots talking to our machine, and to our machine only. Experts call such an action sinkholing – bots communicate with a sinkhole instead of their real controllers. At the same time, we distributed a specially crafted list of job servers to replace the original one with the addresses mentioned before and prevent the bots from requesting commands. From this point on, the botnet could not be commanded anymore. And since we have the bots communicating with our machine now, we can do some data mining and track infections per country, for example. So far, we have counted 49,007 different IP addresses. Kaspersky works with Internet service providers to inform the network owners about the infections.


Figure 3: Sinkholed IP addresses per country

What now?

The main question is now: what is next? We obviously cannot sinkhole Hlux forever. The current measures are a temporary solution, but they do not ultimately solve the problem, because the only real solution would be a cleanup of the infected machines. We expect that the number of machines hitting our sinkhole will slowly lower over time as computers get cleaned and reinstalled.

Microsoft said their Malware Protection Center has added the bot to their Malicious Software Removal Tool. Given the spread of their tool this should have an immediate impact on infection numbers. However, in the last 16 hours we have still observed 22,693 unique IP addresses. We hope that this number is going to be much lower soon.

Interestingly, there is one other theoretical option to ultimately get rid of Hlux: we know how the bot's update process works. We could use this knowledge and issue our own update that removes the infections and terminates itself. However, this would be illegal in most countries and will thus remain theory.

Microsoft's botnet shutdown won't stop Mac malware

There has been much discussion of the shutdown of the Kelihos botnet this week by Microsoft and Kaspersky. It is the third such action by the Microsoft Active Response for Security (MARS) initiative in recent memory.

Taking down botnets is always good news and even better Microsoft named an individual defendant in their US court case this time.
The owner of the cz.cc domain, Dominique Alexander Piatti, was named and Microsoft received permission from the court to disable the entire cz.cc domain and several other abused .com registrations.

cz.cc subdomains are frequently seen being used for all sorts of botnet control, fake anti-virus, spam sites and for other malicious purposes.

SophosLabs have protected our Sophos Web Security Appliance and endpoint web customers from cz.cc domains for quite some time due to the high number of dangerous sites.

Some journalists were also commenting on Microsoft's mention of the Mac Defender malware having been hosted on cz.cc domains. Some suggested that this would stop the criminals from targeting OS X users.

The vanishing of Mac Defender is much more likely the result of Pavel Vrublevsky being arrested and other FBI fake anti-virus arrests.

We have seen two new Trojans for OS X just this week which join botnets and can be used to steal sensitive data. One was built to look like a PDF file and the one Graham wrote about today pretended to be a Flash Player updater.

The sad fact is that Mac users are increasingly being targeted by these digital thugs and need to take security very seriously. Even without the threat from cz.cc domains Mac users should take advantage of our free Sophos Anti-Virus for Mac Home Edition.

Just as there are now botnets, data stealers and remote control malware for OS X, criminals will find domain name registration services other than cz.cc.
While all of us will be a little safer without Kelihos and cz.cc, we still need to take security seriously for our own peace of mind (and data security).

Blowback: Microsoft, OnStar Pump the Brakes on Location Tracking

Redmond, Washington software giant Microsoft and Detroit-based GM subsidiary OnStar backtracked on policies widely seen as egregious privacy violations following lawsuits and public outcry. Here's the news:

Windows Phone Update Requires User Consent For Tracking

Microsoft released their “Mango” update, which, according to a report by Tom Warren on Winrumors, updates the Windows Phone, addressing widespread accusations and a related lawsuit that the company had been tracking device locations without reasonable consent.

In a location and privacy FAQ on the Microsoft website, the company staunchly claims that the location information stored within the Windows Phone 7 devices is intended to gather information about nearby Wi-Fi access points and provide users with location based services more efficiently and effectively; this information does not uniquely identify or track devices, they say.

However, the company also says they discovered that some of that information had been periodically relayed back to Microsoft when users access the camera application and use its US-English voice command feature. (Whoops!) This relay of information, Microsoft claims, is an unintended behavior. The latest update resolves these and other issues. Now users will have to agree if they want the Camera application to tag photo locations. Voice Command will no longer request location information at all.

For more information, read the FAQ here.

OnStar Won't Force Automated Location Tracking

OnStar found itself in a similar situation after it was discovered that the vehicle navigation and emergency notification service was to begin monitoring the speed and location of vehicles equipped with OnStar technology on December 1, even if those owners decided to opt-out or cancel OnStar’s services.

A press release published yesterday on the OnStar website announced that the company is revising their proposed terms and conditions to make it clear that customer data will not be collected after a customer cancels their OnStar service.
“We realize that our proposed amendments did not satisfy our subscribers,” OnStar President Linda Marshall said in the statement. “This is why we are leaving the decision in our customers’ hands. We listened, we responded and we hope to maintain the trust of our more than 6 million customers.”

The appearance of GPS and other location tracking technologies in mobile phones, cars and other devices has raised concerns among privacy and civil liberties advocates in the U.S. and elsewhere. An analysis by the Wall Street Journal found that iPhones running version 4 of the company's iOS operating system appeared to track a user's location and movement regardless of whether the user enabled or disabled location tracking. Like Microsoft, Apple claimed that the phones weren't tracking specific users' movements, just using the company's huge user base to assemble an accurate list of active cell phone towers and WiFi hotspots. Software vendors, too, have been discovered to be collecting location data, often quite apart from the kind of service they are providing. In just one example, the mobile phone application for the Pandora music streaming service was found to be harvesting user location data.

Security experts have wondered, aloud, how else the company might use the location and movement data that is collected, including how it might be used by third party advertisers.

Zenprise offers iPad app for secure SharePoint access

Positioned as a data loss prevention tool, the app and server software focus on enforcing SharePoint content policies on iOS devices

Zenprise on Wednesday announced that the new version of its MobileManager mobile device management (MDM) suite will include a component that lets iPad and iPhone users access Microsoft SharePoint project files and transfer them from their iOS device into a secure container. The module will honor the access policies set in SharePoint, both the on-premise and Office 365 versions; thus, files can be set as read-only or uncopyable via email or transfer to other iOS apps. An Android version is planned for early 2012.

The company calls this module a data loss prevention (DLP) capability. However, unlike traditional DLP tools, it does not scan outgoing information from the corporate network to see if the sender and recipient have permission to access that data. Instead, it extends the existing SharePoint controls to iOS.


Microsoft does not support iOS or other mobile operating systems except its own Windows Phone, causing many SharePoint users working on mobile devices to copy project files outside the SharePoint environment so that they can be used when traveling. Zenprise spokesman Ahmed Datoo says the DLP module is meant to address that gap in SharePoint's reach outside Microsoft environments.

Zenprise expects the updated MobileManager product to be available by December; pricing has not been set.


Microsoft kills botnet that hosted MacDefender scareware

Summary: The botnet contained about 41,000 computers worldwide and was capable of sending 3.8 billion spam e-mails per day.

Microsoft’s Digital Crimes Unit has shut down a botnet that was investigated for hosting the MacDefender scareware that preyed on Mac OS X users.

The botnet, known as Kelihos or “Waledac 2.0,” has been linked to spam messages, ID-theft attacks, pump-and-dump stock scams and websites promoting the sexual exploitation of children, according to Microsoft senior attorney Richard Domingues Boscovich.

The botnet contained about 41,000 computers worldwide and was capable of sending 3.8 billion spam e-mails per day.

For the first time since Microsoft’s anti-cybercrime team started disabling botnets, the company moved to the U.S. court system and identified a defendant that allegedly owned the domain that controlled the botnet.

In the complaint [PDF], Microsoft names Dominique Alexander Piatti alongside dotFREE Group SRO and John Does 1-22 and said they owned domains and subdomains that were used to operate and control the Kelihos botnet.

“Our investigation showed that while some of the defendant’s subdomains may be legitimate, many were being used for questionable purposes with links to a variety of disreputable online activities,” Boscovich said.

In addition to hosting the Kelihos botnet, Microsoft said its investigations revealed that the defendants’ cz.cc domain was previously linked to sub-domains responsible for delivering MacDefender, a type of scareware that infects Apple’s operating system.

In May 2011, Google temporarily blocked subdomains hosted by the cz.cc domain from its search results after it discovered it was hosting malware, although Google reinstated the subdomains after the defendant allegedly corrected the problem.  (See this public gripe from Piatti about the blocked domains).

Boscovich said the botnet was also used to promote potentially dangerous counterfeit or unapproved generic pharmaceuticals from unlicensed and unregulated online drug sellers. Kelihos also abused Microsoft’s Hotmail accounts and Windows operating system to carry out these illegal activities.

[T]his case highlights an industry-wide problem pertaining to the use of subdomains. Under U.S. law, even pawn brokers are more effectively regulated to prevent the resale of stolen property than domain owners are to prevent the use of their digital properties for cybercrime. For example, pawn shop operators must require a name, address and proper identification from customers, while by contrast there are currently no requirements necessitating domain hosts to know anything about the people using their subdomains – making it easy for domain owners to look the other way.

Through this case, we hope to demonstrate that if domain owners don’t hold themselves accountable for knowing their customers, they will be held accountable for what is happening on their infrastructure. Our goal is for this case to spur an industry-wide discussion for more public and accountable subdomain registration practices to enable a safer, more secure Internet for all users.

Piatti, who is based in the Czech Republic, has been served notice of the lawsuit. Microsoft said it is in discussions with Piatti to determine which of his sub-domains were being used for legitimate business, so that those customers could be reconnected.

27/09/11

Alureon Rootkit Morphs Again, Adds Steganography

The Alureon rootkit has become not just a major headache for its victims, with its insidious infection routines and persistence once on a machine, but also a challenge for researchers trying to identify new versions and unwind its new tactics and techniques. The latest hurdle thrown up by Alureon is the use of steganography to hide the configuration files that update infected machines with new instructions.

The steganography usage has shown up in a specific version of Alureon that often is downloaded by a Trojan and then installed on the victim's machine. The malware has a new function that goes out to a remote Web site and downloads a new component called "com32", which, once decrypted, presents a list of URLs hosted on LiveJournal and WordPress. Each of the pages simply hosts a series of image files, which look to be harmless at first glance. But when researchers at Microsoft looked deeper into the code that is responsible for retrieving the image files, they discovered that the code looks specifically for some IMG HTML tags.

The rootkit then tries to pull down the JPEGs, and along with the image data comes a long string of characters that looks to be a password of some kind, according to the analysis by Scott Molenkamp of Microsoft's Malware Protection Center.

"After further investigation, I was able to determine that embedded within each of the JPGs was a complete configuration file using steganography. One of the critical sections of the configuration file contains the list of command and control servers. The purpose of the publically hosted data was revealed -- it's there to provide a layer of redundancy and defense against existing domains that might become unavailable. In the event that no command and control server could be contacted, Alureon would then seek to retrieve an updated configuration file from these 'backup' locations," Molenkamp wrote.
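The backup channel described above only works because image viewers ignore whatever a file carries outside the picture itself. The post does not say how the configuration was embedded, so this added example (not Microsoft's or Threatpost's code) walks a JPEG's marker structure and flags the two cheapest hiding places, bytes appended after the End-Of-Image marker and oversized metadata segments; the sample JPEG skeleton and its appended text are constructed for the demonstration.

```python
"""Triage check for JPEGs carrying data outside the image (added example)."""
import struct

EOI, SOS = 0xD9, 0xDA
RST = set(range(0xD0, 0xD8))                 # restart markers: no length field
STUFFED = RST | {0x00}                       # may follow 0xFF inside scan data
APPN_COM = set(range(0xE0, 0xF0)) | {0xFE}   # metadata segments a viewer ignores

def parse_jpeg(data: bytes) -> dict:
    """Walk the marker structure; return the parts a renderer never displays."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker: not a JPEG")
    pos, segments, in_scan = 2, [], False
    while pos + 1 < len(data):
        if in_scan:
            # Scan data: 0xFF is followed by 0x00 (stuffing) or RSTn; any other marker ends it.
            if data[pos] == 0xFF and data[pos + 1] not in STUFFED:
                in_scan = False
            else:
                pos += 1
                continue
        if data[pos] != 0xFF:
            raise ValueError(f"corrupt segment at offset {pos}")
        marker = data[pos + 1]
        if marker == EOI:  # everything past here is invisible to image viewers
            return {"segments": segments, "trailing": data[pos + 2:]}
        if marker in RST or marker == 0x01:  # RSTn / TEM carry no length field
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # struct.error if truncated
        segments.append((marker, length - 2))
        pos += 2 + length
        in_scan = marker == SOS
    raise ValueError("no EOI marker found")

def triage(data: bytes, max_metadata: int = 32 * 1024) -> list:
    """Findings worth a closer look; an empty list means nothing unusual."""
    info = parse_jpeg(data)
    findings = [f"{len(info['trailing'])} bytes appended after EOI"] if info["trailing"] else []
    for marker, size in info["segments"]:
        if marker in APPN_COM and size > max_metadata:
            findings.append(f"oversized metadata segment 0xFF{marker:02X} ({size} bytes)")
    return findings

# Constructed sample: minimal JPEG skeleton (SOI, JFIF APP0, one-component SOS, scan data, EOI)
HEADER = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
          + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00")
SCAN = b"\x12\x34\xff\x00\x56\xff\xd0\x78\xff\xd9"   # stuffed 0xFF, RST0, then EOI
CLEAN_JPEG = HEADER + SCAN
SMUGGLED_JPEG = CLEAN_JPEG + b"[servers]\nbackup-c2.invalid\n"  # constructed, not a real payload
```

Run `triage()` over the images a suspected sample fetches; a non-empty result is a reason to pull the file apart by hand, not proof of steganography on its own, since legitimate tools also leave data past EOI.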

The images being used to hide the configuration file look to be completely random, unless the attacker behind Alureon is a health nut who loves his grandma and "Tropic Thunder." The JPEGs include a picture of an elderly woman, a bowl of something sort of health-food looking and...Tom Cruise.

Alureon, which also is known as TDSS or TDL4, has been a serious problem for a couple of years now. The addition of a steganography routine is just the latest in a line of new features added to the malware in the last few months. Earlier this year researchers came across a version of Alureon that was using an older brute-force technique in order to decrypt some components of its own code that are encrypted. And in June another variant appeared that had its own self-replicating loader which allowed Alureon to spread via network shares once it's on a victim's machine.

nb : threatpost

23/09/11

Microsoft Defends Secure Boot in Windows 8

Microsoft officials are seeking to assuage concerns that its implementation of UEFI in Windows 8 will prevent users from loading non-Microsoft operating systems or applications on their machines. Despite concerns raised by security researchers and open-source advocates about vendor lock-in and other issues arising from the use of a secure boot sequence in the upcoming OS, Microsoft says "the customer is in control of their PC."

In the days since Microsoft began talking about the details of Windows 8 and the security measures it has added to the new version of the OS, security researchers and others have raised questions about the consequences of its secure boot sequence, which relies on UEFI firmware rather than a traditional BIOS. The boot sequence for Windows 8, which is due in 2012, will be markedly different from that of its predecessors. The most notable difference is that the firmware will only load code that is signed and authenticated by a key that's embedded in the PC hardware. Any module that isn't signed won't be loaded.

The goal of this is to prevent malware such as rootkits and bootkits from staying resident on machines and reloading each time the machine is restarted. Such malware variants have become more popular in recent years as attackers have looked for new methods of keeping their attack tools on infected machines for a long period of time. That kind of malware can be difficult to detect and remove, and so Microsoft is hoping that the secure boot sequence using UEFI will help prevent it and other malicious software from making its way onto the PC in the first place.

"In most PCs today, the pre-operating system environment is vulnerable to attacks by redirecting the boot loader handoff to possible malicious loaders. These loaders would remain undetected to operating system security measures and antimalware software," Microsoft's Tony Mangefeste wrote in a post explaining the architectural change.

However, critics have raised concerns that the system also gives Microsoft the ability to prevent users from running third-party operating systems such as Linux on their PCs. Ross Anderson, a security researcher at the University of Cambridge, said in a blog post yesterday that the move by Microsoft could have serious consequences.

"The extension of Microsoft’s OS monopoly to hardware would be a disaster, with increased lock-in, decreased consumer choice and lack of space to innovate. It is clearly unlawful and must not succeed," Anderson wrote.

Mangefeste said that the secure boot sequence is designed to prevent malware from loading and not to stop users from loading other software they want to run, including alternate operating systems.

"At the end of the day, the customer is in control of their PC. Microsoft’s philosophy is to provide customers with the best experience first, and allow them to make decisions themselves. We work with our OEM ecosystem to provide customers with this flexibility. The security that UEFI has to offer with secure boot means that most customers will have their systems protected against boot loader attacks. For the enthusiast who wants to run older operating systems, the option is there to allow you to make that decision," Mangefeste wrote.

"A demonstration of this control is found in the Samsung tablet with Windows 8 Developer Preview that was offered to //BUILD/ participants. In the screenshot below you will notice that we designed the firmware to allow the customer to disable secure boot. However, doing so comes at your own risk."

nb : threatpost