Trustworthy Computing Security and Privacy Blogs
/blogs/default.aspx

This page consolidates and features blogs from Microsoft’s Trustworthy Computing (TwC) group, the team charged with working to deliver more secure, private and reliable computing experiences to customers and the globe. Drop by to read about Microsoft’s long-term vision and strategy for computing privacy and security.

Windows 10: protection, detection, and response against recent Depriz malware attacks
https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/
Sat, 10 Dec 2016 01:34:40 +0000

A few weeks ago, multiple organizations in the Middle East fell victim to targeted and destructive attacks that wiped data from computers, in many cases rendering them unstable and unbootable. Destructive attacks like these have been observed repeatedly over the years, and the Windows Defender and Windows Defender Advanced Threat Protection Threat Intelligence teams are working on protection, detection, and response to these threats.

Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.

Although the extent of damage caused by this latest attack by TERBIUM is still unknown, Windows 10 customers are protected. Windows 10 has built-in proactive security components, such as Device Guard, that mitigate this threat; Windows Defender customers are protected through multiple signature-based detections; and Windows Defender Advanced Threat Protection (ATP) customers are provided extensive visibility and detection capabilities across the attack kill chain, enabling security operation teams to respond quickly. Microsoft’s analysis has shown that the components and techniques used by TERBIUM in this campaign trigger multiple detections and threat intelligence alerts in Windows Defender Advanced Threat Protection.

Attack composition

Microsoft Threat Intelligence has observed that the malware used by TERBIUM, dubbed “Depriz” by Microsoft, reuses several components and techniques seen in the 2012 attacks, and has been highly customized for each targeted organization.

We do not see any indicators that a zero-day exploit is being used by TERBIUM.

Step 1: Writing to disk

The initial infection vector TERBIUM uses is unknown. Because credentials are hard-coded in the malware TERBIUM uses, it is suspected that TERBIUM harvested credentials from, or infiltrated, the target organization previously. Once TERBIUM has a foothold in the organization, its infection chain starts by writing an executable file to disk that contains all the components required to carry out the data-wiping operation. These components are encoded in the executable’s resources as fake bitmap images.


Figure 1. The components of the Trojan are fake bitmap images

We decoded the components as the following files:

  • PKCS12 – a destructive disk wiper component
  • PKCS7 – a communication module
  • X509 – 64-bit variant of the Trojan/implant

Step 2: Propagation and persistence through the target network

We have seen TERBIUM use hardcoded credentials embedded in the malware to propagate within a local network. The availability of these credentials to the activity group suggests that the attacks are highly targeted at specific enterprises.

The propagation and persistence is carried out as follows:

  1. First, it tries to start the RemoteRegistry service on the computer it is trying to copy itself to, then uses RegConnectRegistryW to connect to it.
  2. Next, it attempts to disable UAC remote restrictions by setting the LocalAccountTokenFilterPolicy registry key value to “1”.
  3. Once this is done, it connects to the target computer and copies itself as %System%\ntssrvr32.exe or %System%\ntssrvr64.exe before setting either a remote service called “ntssv” or a scheduled task.

Step 3: Wiping the machine

Next, the Trojan installs the wiper component. Note: TERBIUM establishes a foothold throughout the organization and does not proceed with the destructive wiping operation until a specific date/time: November 17, 2016 at 8:45 p.m.

The wiper component is installed as %System%\<random name>.exe. During our testing, it used the name “routeman.exe”, but static analysis shows it can use several other names that attempt to imitate file names of legitimate system tools.

The wiper component also contains encoded files in its resources as fake bitmap images.

The first encoded resource is a legitimate driver called RawDisk from the Eldos Corporation that gives a user-mode component raw disk access. The driver is saved as %System%\drivers\drdisk.sys and installed by creating a service pointing to it using “sc create” and “sc start”. This behavior can be observed in the process tree available in the Windows Defender ATP portal. The alert below is an example of the generic detections in Windows Defender ATP:


Figure 2. Windows Defender ATP alert: Depriz starting ephemeral service to load RawDisk driver “drdisk”


Figure 3. Windows Defender ATP event tree: Depriz Trojan dropping the wiper component (named “routeman” in this instance), which in turn drops the RawDisk driver “drdisk”

There are two interesting things worth noting about RawDisk:

  • It requires a valid license key from Eldos Corporation to run. However, the license key included in Depriz is the same as the one used in the 2012 attacks – and this license key was only valid for a short period in 2012. TERBIUM works around this by changing the system time on targeted computers to a valid period in 2012.
  • It is the same as the driver used in the 2012 attacks.

 

Figure 4. Depriz license key (the same as the one used in 2012 attacks) and its limited validity period

The wiper component uses an image file to overwrite files in the following locations:

  • Master Boot Records (MBR)
  • HKLM\System\CurrentControlSet\Control\SystemBootDevice
  • HKLM\System\CurrentControlSet\Control\FirmwareBootDevice
  • C:\Windows\System32\Drivers
  • C:\Windows\System32\Config\systemprofile
  • Typical user folders like “Desktop”, “Downloads”, “Documents”, “Pictures”, “Videos” and “Music”

Microsoft is also aware of a second threat that uses a distinct wiping component. We detect this as Trojan:Win32/Cadlotcorg.A!dha in Defender and generic detections with Defender ATP. Microsoft is continuing to monitor for additional information on this threat.

Step 4: Rendering the machine unusable

Finally, the following command is used to reboot the system into the intended unusable state:

shutdown -r -f -t 2

When the computer attempts to restart after shutting down, it is unable to find the operating system because the MBR was overwritten in step 3. The machine will no longer boot properly.
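Steps 1 to 4 above describe the chain as a sequence of host events, which is what a detection engineer has to turn into rules. The Python below is an added example, not Microsoft code and not Windows Defender ATP logic: it runs a handful of rules over constructed endpoint telemetry (the event schema with "host", "type" and a few type-specific fields is an assumption made here; map your EDR or Sysmon fields onto it) and reuses the SHA1 indicators from the appendix of this post. It scores per host rather than per event, because LocalAccountTokenFilterPolicy=1 on its own is also set by legitimate remote-administration tooling and is only interesting alongside the ntssv service, the ntssrvr32/64.exe drop, the drdisk driver service or the clock roll-back into the RawDisk licence window.

```python
"""Detection rules for the Depriz/TERBIUM chain (steps 1-4), run over constructed
telemetry. Added example, not Microsoft code. Event schema is an assumption."""
import re
from collections import defaultdict

# SHA1 IOCs from the appendix of the post: malicious components and the RawDisk driver.
DEPRIZ_SHA1 = {
    "5c52253b0a2741c4c2e3f1f9a2f82114a254c8d6", "e7c7f41babdb279c099526ece03ede9076edca4e",
    "a2669df6f7615d317f610f731b6a2129fbed4203", "425f02028dcc4e89a07d2892fef9346dac6c140a",
    "ad6744c7ea5fee854261efa403ca06b68761e290",
}
RAWDISK_SHA1 = {"1292c7dd60214d96a71e7705e519006b9de7968f", "ce549714a11bd43b52be709581c6e144957136ec"}
IMPLANT_NAMES = {"ntssrvr32.exe", "ntssrvr64.exe"}
LICENSE_YEAR = 2012  # the bundled RawDisk licence key was only valid during 2012

# "shutdown -r -f -t 2": lookaheads so the switch order does not matter
SHUTDOWN_RE = re.compile(
    r'^\s*"?shutdown(\.exe)?"?(?=.*\s[-/]r\b)(?=.*\s[-/]f\b)(?=.*\s[-/]t\s+\d+)\s', re.I)
# "sc create drdisk ..." / "sc start drdisk": the ephemeral RawDisk driver service
SC_RAWDISK_RE = re.compile(r'^\s*"?sc(\.exe)?"?\s+(create|start)\s+drdisk\b', re.I)


def classify(event):
    """Map one event to a (stage, reason) tuple, or None if no Depriz rule fires."""
    t = event["type"]
    if t == "RegistryValueSet":
        # Value name only; the usual key is HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
        if event["key"].lower().endswith("\\localaccounttokenfilterpolicy") and event["value"] == 1:
            return ("propagation", "UAC remote restrictions disabled (LocalAccountTokenFilterPolicy=1)")
    elif t == "FileCreate":
        path = event["path"].replace("/", "\\").lower()
        base = path.rsplit("\\", 1)[-1]
        sha1 = event.get("sha1", "").lower()
        if sha1 in DEPRIZ_SHA1:
            return ("propagation", f"known Depriz component written: {event['path']}")
        if base in IMPLANT_NAMES and "\\system32\\" in path:
            return ("propagation", f"implant name written to System32: {event['path']}")
        if base == "drdisk.sys" or sha1 in RAWDISK_SHA1:
            return ("wiper", f"RawDisk driver dropped: {event['path']}")
    elif t == "ServiceInstall":
        name = event["name"].lower()
        if name == "ntssv":
            return ("propagation", "remote service 'ntssv' installed")
        if name == "drdisk" or event.get("image", "").lower().endswith("drdisk.sys"):
            return ("wiper", "service pointing at RawDisk driver created")
    elif t == "ProcessCreate":
        cmd = event["cmdline"]
        if SC_RAWDISK_RE.search(cmd):
            return ("wiper", f"sc used to load RawDisk: {cmd}")
        if SHUTDOWN_RE.search(cmd):
            return ("destruction", f"forced reboot after wipe: {cmd}")
    elif t == "SystemTimeChange":
        if event["new_year"] == LICENSE_YEAR and event["old_year"] > LICENSE_YEAR:
            return ("wiper", f"clock rolled back to {LICENSE_YEAR} (RawDisk licence window)")
    return None


def assess(events):
    """Group findings per host. A single propagation-only hit (typically just the
    LocalAccountTokenFilterPolicy change) is reported as a weak signal."""
    per_host = defaultdict(lambda: {"stages": set(), "findings": []})
    for ev in events:
        hit = classify(ev)
        if hit:
            per_host[ev["host"]]["stages"].add(hit[0])
            per_host[ev["host"]]["findings"].append(hit[1])
    out = {}
    for host, rec in per_host.items():
        stages = sorted(rec["stages"])
        strong = len(stages) >= 2 or any("known Depriz" in f for f in rec["findings"])
        out[host] = {"stages": stages, "findings": rec["findings"],
                     "verdict": "depriz-chain" if strong else "weak-signal"}
    return out


# Constructed telemetry (not real logs): FS01 shows the full chain, WS22 only the registry change.
_LATFP = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy"
SAMPLE_EVENTS = [
    {"host": "FS01", "type": "RegistryValueSet", "key": _LATFP, "value": 1},
    {"host": "FS01", "type": "FileCreate", "path": r"C:\Windows\System32\ntssrvr32.exe",
     "sha1": "5c52253b0a2741c4c2e3f1f9a2f82114a254c8d6"},
    {"host": "FS01", "type": "ServiceInstall", "name": "ntssv", "image": r"C:\Windows\System32\ntssrvr32.exe"},
    {"host": "FS01", "type": "FileCreate", "path": r"C:\Windows\System32\drivers\drdisk.sys",
     "sha1": "1292c7dd60214d96a71e7705e519006b9de7968f"},
    {"host": "FS01", "type": "SystemTimeChange", "old_year": 2016, "new_year": 2012},
    {"host": "FS01", "type": "ProcessCreate",
     "cmdline": r"sc create drdisk type= kernel start= demand binPath= C:\Windows\System32\drivers\drdisk.sys"},
    {"host": "FS01", "type": "ProcessCreate", "cmdline": "shutdown -r -f -t 2"},
    {"host": "WS22", "type": "RegistryValueSet", "key": _LATFP, "value": 1},
]

if __name__ == "__main__":
    for host, rec in assess(SAMPLE_EVENTS).items():
        print(host, rec["verdict"], rec["stages"])
        for f in rec["findings"]:
            print("   ", f)
```

Run it directly to print the per-host verdicts for the sample events. Note that the rules deliberately do not key on the wiper’s file name: the post says it is random (“routeman.exe” in one run, other system-tool-like names in others), so the stable signals are the driver service, the clock change and the forced reboot.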

Mitigation: Multiple layers of protection from Microsoft

Windows 10 protects, detects and responds to this threat. Windows 10 has built-in proactive security components, such as Device Guard, that mitigate this threat by restricting execution to trusted applications and kernel drivers.

In addition, Windows Defender detects and remediates all components on endpoints as Trojan:Win32/Depriz.A!dha, Trojan:Win32/Depriz.B!dha, Trojan:Win32/Depriz.C!dha, and Trojan:Win32/Depriz.D!dha.

Windows Defender Advanced Threat Protection (ATP), our post-breach security service, provides an additional layer of security to enterprise users. With threat intelligence indicators, generic detections, and machine learning models, Windows Defender ATP provides extensive visibility and detection capabilities across the attack kill chain of threats like TERBIUM.

Appendix – Indicators of compromise

We discovered the following SHA1s in relation to TERBIUM:

SHA1 hashes for malicious files

  • 5c52253b0a2741c4c2e3f1f9a2f82114a254c8d6
  • e7c7f41babdb279c099526ece03ede9076edca4e
  • a2669df6f7615d317f610f731b6a2129fbed4203
  • 425f02028dcc4e89a07d2892fef9346dac6c140a
  • ad6744c7ea5fee854261efa403ca06b68761e290

SHA1 hashes for legitimate RawDisk drivers

  • 1292c7dd60214d96a71e7705e519006b9de7968f
  • ce549714a11bd43b52be709581c6e144957136ec

Signature names for malicious files

 

Mathieu Letourneau

Windows Defender Advanced Threat Protection Threat Intelligence Team
Making Microsoft products more accessible: What to expect in 2017
https://blogs.msdn.microsoft.com/accessibility/2016/12/02/making-microsoft-products-more-accessible-what-to-expect-in-2017/
Fri, 02 Dec 2016 17:03:43 +0000

The following is a post from Jenny Lay-Flurrie, Microsoft Chief Accessibility Officer


 

Tomorrow is International Day of Persons with Disabilities and this year’s theme is focused on achieving goals of the future that we want. In the spirit of the day, I thought I’d take the opportunity to give an update on the important progress made on Microsoft’s product accessibility goals this year and the road ahead next year to keep the momentum going into the future.

First, a quick moment of reflection… Wow, what a year it’s been! At the beginning of 2016, Microsoft introduced new organizational investments across the company as well as a product roadmap for the year. As you’ve seen in the months since, we’ve been hard at work delivering on those commitments, and the feedback from all of you throughout this year has been incredibly powerful and energizing. If you haven’t yet watched this video from Windows and this video from Office, you should definitely go check them out. They are great examples of the cool stuff that has been underway around here this year. We’re delighted to be so close to meeting each one of the goals we laid out for 2016 and thrilled to see the impact that technology is having for our customers. And if you saw the demos at the Microsoft Shareholders Meeting this week – where we featured things like Narrator and Built-in Learning Tools in Word and the one-touch way for creating slides with PowerPoint Designer – you know that there’s more coming all the time.

But we also know there’s still so much to do. And as we look ahead, our three companywide guiding principles established this year will continue to guide us in the coming year:

  • Transparency, to commit to sharing our plans to ensure that Microsoft’s products are accessible.
  • Accountability, for prioritizing inclusive design and accessibility in the creation of our products and services.
  • Inclusivity, in order to keep all of our customers and their abilities top of mind.

So, with all that in mind, let’s talk about what’s coming up in 2017:

 

Windows 10 and Narrator: The Windows 10 Creators Update will include improvements to Narrator. Some of these new Narrator experiences are already available on Insider Builds and others will be available in early 2017. For example:

  • Braille: Support for braille is coming! The Creators Update will include beta support for braille input and output. The beta will support braille displays from more than 35 manufacturers, using more than 40 languages and multiple braille variants, including grade 2 contracted braille.
  • Unassisted installation: Users will soon be able to install the Windows 10 Creators Update using Narrator throughout the installation process, including from within Windows RE/PE for setup & troubleshooting.
  • New way to launch Narrator: We have changed the quick keys used to launch Narrator to address feedback from many Windows 10 users. Users can now launch Narrator by pressing CTRL + WIN + ENTER. WIN + ENTER no longer launches Narrator. Users can still launch Narrator from Cortana or from the Settings window.
  • New text to speech voices and capabilities: We are adding more than 10 new voices. In addition, there will be Narrator support for multilingual reading, so that Narrator seamlessly switches between languages when you have the corresponding voices installed.
  • Improved audio experiences: We implemented dynamic ducking, so Narrator will only reduce the volume of other applications like Groove or Pandora when it is speaking. The handshake between Narrator and Cortana is also improved, so Cortana won’t transcribe what Narrator (or other screen readers) is speaking.
  • More general reliability and usability improvements: We added features to make it easier to understand the context of a control with which you are interacting and to make it possible to discover information about objects like the background color of a table cell. Narrator will remember and maintain your mode, e.g. scan mode, across applications. Narrator cursor positioning improvements include stopping and starting where you expect when reading in scan mode and when reading by line, paragraph and in continuous reading.
  • Easier web browsing with Edge: Narrator responsiveness is improved with Edge and several new features have been added, including the ability to jump directly to a form element like a check box, text field or button, and the ability to navigate by heading level.
  • Improvements across devices: It will now be possible to use a controller to drive Narrator interactions on Xbox. The ability to adjust the pitch and speed of the Narrator voice on Xbox has also been added.

Customer choice and partnerships with 3rd party assistive technologies continue to be a crucial part of our strategy. We are working closely with partners to ensure that they have what they need to deliver great user experiences with Edge, Office and other Windows apps. And, we continue to offer the Window Eyes screen reader free of charge for customers using Office 365. For more information, check out: http://www.windoweyesforoffice.com/

 

Office 365: Office 365 applications on every platform will continue to evolve monthly, to empower you to consume, create and collaborate on content independently, efficiently and confidently. Noteworthy new capabilities rolling out to Office 365 subscribers in early 2017 include:

  • Built-in controls for authoring accessible content: We will be introducing more accessible templates to help you get started, making it easy to insert alternative text descriptions for images and meaningful display names for hyperlinks as well as making the accessibility checker available in more Office applications. Watch this short accessible authoring demonstration to learn more about these capabilities.
  • Built-in controls for personalizing reading experiences: Inspired by the profound impact the introduction of Learning Tools for OneNote has had in classrooms, we are making these tools to promote concentration and comprehension available in more Office applications. Settings to read text aloud with simultaneous highlighting, increase text spacing and break words into syllables are already rolling out in Word for PCs to Office Insider and First Release program members and are coming next to Word Online and OneNote Online. Watch this short Learning Tools demonstration to learn more about these capabilities.
  • Support for creating professional, polished content with assistive technologies: Making it easy to use new cloud-powered, intelligent services in Office applications with assistive technologies such as screen readers and alternative keyboards. Services such as Designer in PowerPoint, Researcher and Editor in Word can reduce the effort you spend on tasks such as formatting, citing and proofing your work and let you focus on refining the ideas you’d like to communicate.

For details on these and more, check out the Accessibility in Office 365 – enabling greater digital inclusion blog today, and stay tuned to our Office 365 accessibility blog series for more updates in the future.

 

Feedback: I simply cannot overstate how valuable your feedback has been and will continue to be for these efforts. It’s not just important, it’s essential! We need to know what you think, what works, what doesn’t, what you want to see next. Help us to build the list and keep us grounded as we go forward! Your feedback is welcome anytime at UserVoice and the Disability Answer Desk is at the ready if you have questions.

Of course, this is just a glimpse of the exciting things underway – there’s only so much one blog can cover. If you want to learn more, please do check out our Microsoft Accessibility website (which we are continuing to evolve and grow), the Microsoft Inclusive Hiring site and stay in touch with our Twitter handle. And remember, we are always hiring, so if you know of great candidates that you think could help make our products even better, make sure to point them to our Inclusive Hiring website.

2016 has been amazing, and humbling to be a part of. And I can’t wait for 2017! We are all deeply inspired at the opportunity to work with you and others around the world on this journey. Together, I know we will push the boundaries of what technology can do to empower people to achieve more. So thank you and please keep the feedback coming!

Don’t let this Black Friday/Cyber Monday spam deliver Locky ransomware to you
https://blogs.technet.microsoft.com/mmpc/2016/11/23/dont-let-this-black-friday-cyber-monday-spam-deliver-locky-ransomware-to-you/
Thu, 24 Nov 2016 00:55:09 +0000

We see it every year: social engineering attacks that take advantage of the online shopping activities around Black Friday and Cyber Monday, targeting customers of online retailers. This year, we’re seeing a spam campaign that Amazon customers need to be wary of. The fake emails pretend to be notifications from the online retailer that a purchase has been sent out for delivery. To appear legitimate, the emails may also spoof delivery companies.

These email messages start an infection chain that leads to a ransomware infection. You don’t want to find yourself at the end of this chain, because by then, your files will have been encrypted by the malware.


Figure 1: The Black Friday/Cyber Monday themed spam triggers an infection chain that leads to a ransomware infection

But, as it’s a chain of events, you can stop the infection at several points. Let’s trace the infection chain:

  1. The email is a fake Amazon notification. You can detect that it’s fake, because even if it tries to look as legitimate as possible, it still doesn’t look like the usual Amazon email. Amazon lists components of a fake email here: https://www.amazon.com/gp/help/customer/display.html?nodeId=15835501
  2. The attachment is a ZIP file. Don’t open this attachment. It contains a JavaScript (.js) file, not a file type often sent in legitimate email communications.
  3. The JavaScript in the ZIP file is obfuscated. Don’t open this script. It’s a Nemucod malware that downloads the payload. Windows Defender detects this JavaScript downloader.
  4. The downloaded file is a ransomware detected as Ransom:Win32/Locky.A. Windows Defender detects this malware.

Locky is a ransomware family that encrypts files using a public key. It’s been known to be spread by the downloader Nemucod. We have been tracking the Nemucod-Locky tandem, and we have seen it evolve over time, changing attachment file names and social engineering lures. This Black Friday/Cyber Monday version is just the latest of what looks like a continuous campaign.

Here are samples of the fake Amazon email messages:


Figure 2: A sample fake Amazon email that also spoofs Royal Mail as the courier


Figure 3: A sample fake Amazon email that also spoofs FedEx as the courier


Figure 4: A sample fake Amazon email that also spoofs DHL as the courier

In what looks like an attempt to evade anti-spam solutions that depend on the hash of the email body, the character “=” is added in random places in the email. The malware authors could have reused the message from a previous spam campaign, and needed only to change the positions of the added character. This changes the hash of the email body, and it might prove effective against some email filters.

The email attachment is a ZIP file that contains an obfuscated JavaScript (.js) file, detected as TrojanDownloader:JS/Nemucod:


Figure 5: The ZIP attachment contains a malicious JavaScript file


Figure 6: The JavaScript file is obfuscated

When opened, the JavaScript connects to the following URLs to download a file:

  • hxxp:// livingnetwork .co.za/hfvg623?zvMNzYWImo=zvMNzYWImo
  • hxxp:// ayurvedic .by/hfvg623?zvMNzYWImo=zvMNzYWImo
  • hxxp:// marcelrahner .com/hfvg623?zvMNzYWImo=zvMNzYWImo
  • hxxp:// copeigoan .net/hfvg623?zvMNzYWImo=zvMNzYWImo
  • hxxp:// sheerfoldy .com/hfvg623?zvMNzYWImo=zvMNzYWImo

The downloaded file is an encrypted blob, which the JavaScript decrypts to a .DLL file and then executes. This file is a DLL version of Ransom:Win32/Locky.A.

Ransom:Win32/Locky.A encrypts files and renames them to this format: [victim computer ID] – [hexadecimal file identifier].aeris. The extension .aeris is the latest in a list that Locky has used for the files it encrypts: .locky, .zepto, .odin, .shit, and .thor.

The ransomware assigns an ID to the victim computer, which it uses for the file name of encrypted files. It then connects to command-and-control (C&C) servers to report this ID and other information about the infected computer.

It drops the following ransom note, which instructs the victim to pay to regain access to the files: %Desktop%\-INSTRUCTION.bmp:


Figure 7: Ransom:Win32/Locky.A leaves this ransom note

The malware samples analyzed for this blog post have the following SHA1 hashes:

  • TrojanDownloader:JS/Nemucod (JavaScript downloader)
    • 4ef30bdcf4e858f6ed28c88434786c014b027fcc
    • 5e484feb2b9b7639b3a8c61a726f28087fbf3709
    • df774d57a6491d83c0add823f4c04ca83b0d8b6c
    • ec2046c728094f08e701339cde7dd205d4126d43
  • Ransom:Win32/Locky.A (Decrypted payload)
    • 1734ef2d44bdc71bdf81de0726a8da072d352ded
    • 449e33faef1646a667a44ea7d0e1bf0e924afade

Prevention and mitigation

To avoid falling prey to this new ransomware, here are some tips:

For end users

  • Use an up-to-date, real-time antimalware product, such as Windows Defender for Windows 10.
  • Think before you click. Do not open emails from senders you don’t recognize.  Upload any suspicious files here: https://www.microsoft.com/en-us/security/portal/submission/submit.aspx. This campaign spoofs Amazon and the delivery companies Royal Mail, DHL, and FedEx. The attachment is a ZIP file, which may be a common attachment type, but it contains a .JS file. Be mindful of what the attachment is supposed to be (in this case, most likely a document) and the actual file type (a script).

For IT administrators

 

Duc Nguyen and Wei Li

MMPC

Exploring ideas for making visual art more inclusive
https://blogs.msdn.microsoft.com/accessibility/2016/11/18/exploring-ideas-for-making-visual-art-more-inclusive/
Fri, 18 Nov 2016 23:37:22 +0000

All good innovation comes from experimentation. Check out the Microsoft Research blog today to learn more about a fascinating experimental project where research is meeting art to create interactive audio experiences that could make visual art more accessible for everyone.

Office 365 Education: New Resources to Create More Inclusive and Personalized Learning Environments
https://blogs.msdn.microsoft.com/accessibility/2016/11/15/office-365-education-new-resources-to-create-more-inclusive-and-personalized-learning-environments/
Wed, 16 Nov 2016 00:08:44 +0000

The following is a post from Malavika Rewari, product marketing manager, Microsoft Office 365


In October, the Microsoft Office and Microsoft Education teams partnered with a Microsoft Innovative Educator Expert to raise awareness of free tools built into Office 365 and Windows 10 that can help special and general education teachers give students with disabilities a learning environment that is personalized, differentiated and yet as close to their peers’ experience as possible.

We invite you to get introduced to these tools in this Office blog post and get a closer look in this Education blog post at some key capabilities inspired by inclusive design principles recently released/coming soon in Office 365 Education applications. It is worth noting that Learning Tools, introduced earlier this year for OneNote for PCs, are becoming available this month in Office Lens for iOS, Word for PCs and Word Online. Watch this short demonstration to learn more:

 

Demonstration of Learning Tools built into Office Lens, Word Desktop and Word Online

 

To connect with the Microsoft Office team to further discuss this topic, join us in person later this week on Thursday, November 17 (or virtually after that) at our upcoming presentation at the Accessing Higher Ground conference.

Bookmark our Office blog series and Microsoft Mechanics video series to stay up to date as more accessibility capabilities release that can help students work independently, efficiently and confidently in a format that best suits them. Remember the Office 365 Education is free for students and teachers, and you can get started with it by typing a valid school email address at www.office.com/education.

Fake fax ushers in revival of a ransomware family
https://blogs.technet.microsoft.com/mmpc/2016/11/15/fake-fax-ushers-in-revival-of-a-ransomware-family/
Tue, 15 Nov 2016 23:38:41 +0000

“Criminal case against you” is a message that may understandably cause panic. That’s what a recent spam campaign hopes happens, increasing the likelihood of recipients opening the malicious attachment.

We recently discovered a new threat that uses email messages pretending to be fax messages, but in truth delivers a ransomware downloader. The attachment used in this campaign, “Criminal Case against_You-O00_Canon_DR-C240IUP-4VF.rar”, is a password-protected RAR archive that, when extracted, yields a trojan detected as TrojanDownloader:JS/Crimace.A.


Figure 1. Email message masquerading as a fax but carrying TrojanDownloader:JS/Crimace.A as attachment

The malicious email ticks all the boxes to fake a fax:

  • The subject is a simple “PLEASE READ YOUR FAX T6931”
  • The message body lists fax protocol, date and time, fax channel and number of pages
  • The attachment file name spoofs a popular fax machine brand
  • The attached archive file contains a file that has the fake meta-data “—RAW FAX DATA—“

The use of a password-protected RAR file attachment is a clear attempt to evade AV scanners. The password is provided in the email message body. The archive file contains no fax, but Crimace, a malicious Windows Script File (.WSF) developed in JScript.
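Both lures on this page (the Black Friday ZIP-with-.js chain above and this password-protected RAR with a .WSF inside) reduce to the same two gateway questions: what is really inside the archive, and does the body change in a way that defeats naive body hashing. The Python below is an added example, not MMPC or Microsoft code. It parses a constructed .eml, fingerprints the body in a way that ignores the random “=” insertion noted in the Black Friday campaign, flags a ZIP whose member is a script or is encrypted, and flags a RAR whose password is handed over in the message body. The sample messages, the fake RAR header (a signature and padding, not a real archive), the severity labels and the verdict thresholds are this example’s own assumptions.

```python
"""Mail-gateway triage for a ZIP carrying a .js downloader (Nemucod/Locky) and a
password-protected RAR carrying a .WSF (Crimace). Added example, not MMPC code;
messages, archives and severity labels below are constructed assumptions."""
import hashlib
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

SCRIPT_EXTS = {"js", "jse", "wsf", "wsh", "vbs", "vbe", "hta", "ps1", "cmd", "bat", "scr", "exe"}
PASSWORD_RE = re.compile(r"\bpassword\b", re.I)

def naive_fingerprint(text):
    """Plain hash of the body: what the '=' insertion trick is designed to break."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def body_fingerprint(text):
    """Hash after dropping '=' and whitespace, so '=' sprinkled at random positions
    (or quoted-printable soft breaks) no longer changes the campaign fingerprint."""
    canon = re.sub(r"[=\s]+", "", text).lower()
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def inspect_attachment(filename, data, body_text):
    """Return (severity, reason) findings for one decoded attachment."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower()
    if data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.filename.rsplit(".", 1)[-1].lower() in SCRIPT_EXTS:
                    findings.append(("high", f"{filename}: contains script {info.filename}"))
                if info.flag_bits & 0x1:  # ZIP general-purpose bit 0: member is encrypted
                    findings.append(("medium", f"{filename}: encrypted member {info.filename}, not scannable"))
    elif data.startswith(b"Rar!\x1a\x07") or ext == "rar":
        if PASSWORD_RE.search(body_text):
            findings.append(("high", f"{filename}: RAR archive with password supplied in the message body"))
        else:
            findings.append(("medium", f"{filename}: RAR archive not inspected at the gateway"))
    elif ext in SCRIPT_EXTS:
        findings.append(("high", f"{filename}: bare script attachment"))
    return findings

def triage(raw):
    """Parse a raw RFC 5322 message; return body fingerprint, findings and a verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body is not None else ""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        findings.extend(inspect_attachment(name, part.get_payload(decode=True), body_text))
    if any(sev == "high" for sev, _ in findings):
        verdict = "block"
    elif findings:
        verdict = "quarantine"
    else:
        verdict = "deliver"
    return {"fingerprint": body_fingerprint(body_text), "findings": findings, "verdict": verdict}

# Constructed samples (not captured mail).
def build_message(subject, body_text, filename, payload, subtype):
    m = EmailMessage()
    m["From"] = "shipping-update@example.invalid"
    m["To"] = "victim@example.invalid"
    m["Subject"] = subject
    m.set_content(body_text)
    m.add_attachment(payload, maintype="application", subtype=subtype, filename=filename)
    return m.as_bytes()

def with_stray_equals(text, every):
    """Insert '=' after every n-th character, imitating the campaign's hash-busting."""
    return "".join(c + ("=" if i % every == 0 else "") for i, c in enumerate(text, 1))

def zip_with_script():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Order_Details.js", "// stand-in for the obfuscated downloader\n")
    return buf.getvalue()

LURE = "Your Amazon order was dispatched via Royal Mail. Details are attached."
BODY_A = with_stray_equals(LURE, 7)   # same lure, '=' in different places
BODY_B = with_stray_equals(LURE, 11)
LOCKY_MAIL_A = build_message("Your Amazon.co.uk order has dispatched", BODY_A, "Order_Details.zip", zip_with_script(), "zip")
LOCKY_MAIL_B = build_message("Your Amazon.co.uk order has dispatched", BODY_B, "Order_Details.zip", zip_with_script(), "zip")
CRIMACE_MAIL = build_message("PLEASE READ YOUR FAX T6931", "Fax protocol: T.30  Pages: 2\nThe archive password is 1234\n",
                             "Criminal Case against_You-O00_Canon_DR-C240IUP-4VF.rar",
                             b"Rar!\x1a\x07\x00" + b"\x00" * 24, "x-rar-compressed")  # fake header, no real archive

if __name__ == "__main__":
    for label, raw in (("locky-a", LOCKY_MAIL_A), ("locky-b", LOCKY_MAIL_B), ("crimace", CRIMACE_MAIL)):
        r = triage(raw)
        print(label, r["verdict"], r["fingerprint"][:16], r["findings"])
```

Two caveats on the design. Stripping every “=” also removes legitimate ones (URL query strings, for instance), which is acceptable for clustering a campaign but makes the canonical hash unsuitable as a strict equality check against a known-good template. And the RAR branch does not look inside the archive at all: the standard library cannot open RAR, and even a gateway with an unpacker would have to pull the password out of the body first, which is exactly why quarantining password-protected archives from unknown senders is the simpler policy.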

When the recipient falls for the lure and opens the attachment, Crimace displays the following message to complete the fax pretense:


Figure 2. Crimace displays a message to signify the fake fax cannot be displayed

Unsuspecting victims might think that is the end of it. But Crimace goes ahead with its intention to download its payload, a ransomware detected as Ransom:Win32/WinPlock.B.

WinPlock is a family of ransomware that has been around since September 2015 but did not have significant activity until recently. The discovery of this new variant signals that it’s back to wreak havoc.

Ransom:Win32/WinPlock.B can search for and encrypt a total of 2,630 file types.


Figure 3. Ransom:Win32/WinPlock.B’s ransom note contains instructions to pay

It asks for a ransom of 0.55 Bitcoin, which the ransom note indicates as converting to ~US$386. However, using current conversion rates, it converts to a little more:


Figure 4. Bitcoin to US Dollar conversion on November 15, 2016 shows a higher rate than what is indicated in the ransom note (data from Coinbase)

Interestingly, when this ransomware family was first discovered in September 2015, it asked for ransom of 1 Bitcoin, which at the time converted to ~US$300. The market has changed since then, with more and more ransomware families and better technologies to detect ransomware. The increase in ransom amount indicates the actors behind this ransomware family are tracking Bitcoin exchange rates, and aim for potentially bigger gain.

And, just like the fake fax that delivers Crimace, Ransom:Win32/WinPlock.B attempts to cause panic by setting a timer that gives a victim 120 hours to pay the ransom:


Figure 5. Ransom:Win32/WinPlock.B sets a timer

TrojanDownloader:JS/Crimace.A has a lot of functions to download and execute

TrojanDownloader:JS/Crimace.A arrives as a malicious .WSF file contained in a RAR archive attached to emails:


Figure 6. The attachment is a RAR archive containing a malicious .WSF file

Inspecting the .WSF file shows that it is an obfuscated script file:


Figure 7. The .WSF file in its obfuscated form

Decrypting the file reveals a lot of suspicious functions including download and execute capabilities:

  • function CheckWSFInAutorun()
  • function CheckWSFInFolder()
  • function CopyWSFToFolder()
  • function DecRequest()
  • function Download()
  • function EncRequest()
  • function Execute()
  • function GetCurrentFile()
  • function GetInstallPath()
  • function GetRandHASH()
  • function GetRandomName()
  • function GetStrHASH()
  • function GetWSFGuid()
  • function HTTPRequest()
  • function HTTPRequestRaw()
  • function IsUserAdmin()
  • function MakeAutorun()
  • function SelfDelete()
  • function UnitChange()
  • function UnitPing()
  • function UnitRequest()

The header of the file is its configuration code, embedded in the file as an array:

Figure 8. The header of the decrypted script is the configuration code

When decrypted, the configuration includes the campaign number, download links, and installation paths:

Figure 9. Decrypted configuration

Ransom:Win32/WinPlock.B encrypts 2,620 file types

Ransom:Win32/WinPlock.B is downloaded by Crimace as a Nullsoft Scriptable Install System (NSIS) package. Once executed it may create the following desktop shortcut:


Figure 10. NSIS package icon used by malware

When the malicious file is extracted from the NSIS package, it uses the following icon:


Figure 11. Icon used by malware after extraction from package

The malware’s file information also shows the campaign ID as its internal name and version:

Figure 12. The malware file information

When successfully executed, Ransom:Win32/WinPlock.B encrypts files with extensions in its list of 2,630. Notably, the ransom note contains an email address to contact for support. It asks for a ransom of 0.55 Bitcoin.

Figure 13. Ransom:Win32/WinPlock.B’s ransom note contains support information

The ransom note also lists websites where victims can buy Bitcoins:

Figure 14. Ransom:Win32/WinPlock.B’s ransom note lists information for acquiring Bitcoins

Clicking “Show files” lists all the encrypted files. Unlike other ransomware, Ransom:Win32/WinPlock.B does not change the extension of the encrypted files:

Figure 15. List of encrypted files

It also creates additional files to remind users that their computer is infected:


Figure 16. The malware creates additional files to indicate that files have been encrypted

Prevention and mitigation

To avoid falling prey to this new ransomware campaign, here are some tips:

For end users

  • Use an up-to-date, real-time antimalware product, such as Windows Defender for Windows 10.
  • Keep Windows and the rest of your software up-to-date to mitigate possible software exploits.
  • Think before you click. Do not open emails from senders you don’t recognize. Upload any suspicious files here: https://www.microsoft.com/en-us/security/portal/submission/submit.aspx. This campaign uses a RAR archive file, which may be a common attachment type, but it contains a .WSF file. Be mindful of what the attachment is supposed to be (in this case, a fax) and the actual file type (a script).

For IT Administrators

Additional information

To learn more about how Microsoft protects you from ransomware, you can read the following:

 

Francis Tan Seng

MMPC

No payment necessary: Fighting back against ransomware
https://blogs.technet.microsoft.com/mmpc/2016/11/11/no-payment-necessary-fighting-back-against-ransomware/
Fri, 11 Nov 2016 17:10:12 +0000

Any IT professional who’s ever had an experience with malware knows how fast an intrusive attack can happen, and how difficult it can be to educate employees to be vigilant against such threats. And with ransomware attacks only growing, having information, tools and technologies to help protect your network can mean the difference between serious business disruption and business as usual.

Those of us in the Microsoft Malware Protection Center are constantly on the hunt for new malware variants, and working to improve Microsoft’s security-oriented technology to block them from reaching our customers.

In that vein, we just released a new white paper that details a full set of technologies Microsoft has developed or enhanced to provide Windows customers with an array of protection options.

Please check out the Windows Business blog from Rob Lefferts, “Defending against ransomware with Windows 10 Anniversary Update”, which offers an overview of those protections. You can also read the full white paper “Ransomware protection in Windows 10 Anniversary Update” (PDF).

November 2016 security update release
https://blogs.technet.microsoft.com/msrc/2016/11/08/november-2016-security-update-release/
Tue, 08 Nov 2016 18:10:32 +0000

Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released.

More information about this month’s security updates and advisories can be found in the Security TechNet Library.

MSRC team

Furthering our commitment to security updates
https://blogs.technet.microsoft.com/msrc/2016/11/08/furthering-our-commitment-to-security-updates/
Tue, 08 Nov 2016 18:00:40 +0000

Microsoft is committed to delivering comprehensive security updates to our customers.

Information about the security updates we release is currently made available on the Microsoft Security Bulletin website. However, our customers have asked for better access to update information, as well as easier ways to customize their view to serve a diverse set of needs.

This month we released a preview of our new single destination for security vulnerability information, the Security Updates Guide. Instead of publishing bulletins to describe related vulnerabilities, the new portal lets our customers view and search security vulnerability information in a single online database.

Using the new portal you can:

  • Sort and filter security vulnerability and update content, for example, by CVE, KB number, product, or release date.
  • Filter out products that don’t apply to you, and drill down to more detailed security update information for products that do.
  • Leverage a new RESTful API to obtain Microsoft security update information. This eliminates the need for you to employ outdated methods like screen-scraping of security bulletin web pages to assemble working databases of necessary and actionable information.

Security update information will be published as bulletins and on the Security Updates Guide until January 2017. After the January 2017 Update Tuesday release, we will only publish update information to the Security Updates Guide.

You can send feedback on the new portal to portalfback@microsoft.com.

MSRT November 2016: Unwanted software has nowhere to hide in this month’s release
https://blogs.technet.microsoft.com/mmpc/2016/11/08/msrt-november-2016-unwanted-software-has-nowhere-to-hide-in-this-months-release/
Tue, 08 Nov 2016 16:00:56 +0000

We came across a browser modifier that sports rootkit capabilities. Not only does the threat, detected as BrowserModifier:Win32/Soctuseer, cross the line that separates legitimate software from unwanted, it also takes staying under the radar to the next level.

Rootkit capabilities, which make it difficult to detect and remove applications, are usually associated with malware. Yet Soctuseer uses rootkit capabilities to conceal its presence on a computer, ultimately making it difficult for affected users to control their device and browsing experience.

Apart from hiding its presence, Soctuseer installs itself without using your browser’s supported extensibility model for installation. And, once installed and running, it takes away the control you should have over how it operates. You can’t enable or disable it from your browser settings. The result is that you can be served webpage content that is modified without your consent.

No matter how it attempts to hide, though, most Soctuseer installations and system modifications will be uncovered and removed by the Microsoft Malicious Software Removal Tool (MSRT). We’re adding detections for BrowserModifier:Win32/Soctuseer in this month’s MSRT release, helping to lessen interference to your browsing experience.

 

More than a million machines infected

Just like most browser modifiers, Soctuseer is distributed by software bundlers. We have seen Soctuseer brought along by other unwanted software that we detect as SoftwareBundler:Win32/InstallMonster and SoftwareBundler:Win32/Techrelinst.

Since September 2016, we have seen over 1.2 million infected machines, 40% of which are in the US, Indonesia, and India.


Figure 1: Map showing location of observed Soctuseer infections. The United States, Indonesia and India account for 40% of infections.

 

Ads for discounted products tailored to your search activities

Soctuseer’s main objective is to display advertisements while you browse the internet. It pops up ads based on searches you make on specific websites. For example, if you were searching for “laptop” on your favorite online retailer, Soctuseer pops up ads for other sites offering laptops, supposedly at discounted rates. The ads have the attribute name “Social2Search”.


Figure 2: Social2Search ads for “red shoes” on Microsoft Edge


Figure 3: Social2Search ads for a “laptop” on Internet Explorer

 

Soctuseer uses the following methods to display ads:

  • Installing a NetFilter driver
  • Injecting a DLL directly into the browser process

Both methods meet the evaluation criteria that Microsoft Malware Protection Center (MMPC) uses for identifying unwanted software. MMPC categorizes as unwanted software any program that changes the browsing experience without using the browsers’ supported extensibility models. The Microsoft browser extension policy states: “Programs should use the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content displayed by these browsers. These supported extension mechanisms are designed to ensure that users are able to customize and extend their browser with software of their choice, while maintaining safe and uninterrupted use of their browser and PC.”

System changes made by Soctuseer are reversed by MSRT

Folder and files

Soctuseer creates a random 32-digit hexadecimal subfolder under the Program Files folder and places all its files in that subfolder. All the files follow the same 32-digit hexadecimal naming format.

Figure 4: Folder and files created by Soctuseer follow the same 32-digit hexadecimal format

 

Rootkit

Some Soctuseer versions have rootkit capabilities, which is uncommon in browser modifiers. These versions install a driver that limits access to their files. Only the following processes, which are related to certain system files, web browsers, and Soctuseer’s own uninstaller, can access its files, effectively hiding them from any process not on this list:

Figure 5: Only the processes on this list have access to Soctuseer’s files

To demonstrate this, the following screenshot shows two command prompt windows. The window on the left is the normal cmd.exe, while the one on the right shows what happens when you rename cmd.exe to one of the process names above (for example, browser.exe):


Figure 6: Modifying the file name of a command prompt to one of the process names above allows you to access the folder and list the files inside it

Service

Soctuseer creates a service that automatically executes at system startup. The service uses a randomly generated name in 32-digit hexadecimal format, but always uses “Enhances experience when browsing the web” as the description:


Figure 7: Soctuseer’s service name also uses the 32-digit hexadecimal format

 

Scheduled Task

Some versions of Soctuseer also install an updater component that runs in a scheduled task. The updater is a PowerShell script that checks for and downloads updates, if available. It also uses the same 32-digit hexadecimal format for the task name. The task file is located in the Windows folder (usually C:\Windows).

In this example, the scheduled task runs every 20 minutes:


Figure 8: Soctuseer also creates a Scheduled Task to download updates

 

Start Menu shortcuts

Soctuseer adds various shortcuts to the user’s Start Menu.


Figure 9: Example of shortcuts created by Soctuseer in Start Menu

 

Uninstall entry

Interestingly, Soctuseer adds an uninstall entry using the name “Social2Search”.


Figure 10: Soctuseer’s uninstall entry with the name “Search2Search”
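The following is an added hunting script, not part of the MMPC post or of MSRT: it enumerates, on a live host, the Soctuseer artifacts described above (32-hex-digit folder and file names under Program Files, the auto-start service with its fixed description, the 32-hex-digit scheduled task, and the “Social2Search” uninstall entry). The artifact shapes come from the post; the output layout, the nested helper and the uninstall registry paths are my own choices, and the Windows uninstall key paths are standard Windows locations, not something the post states.

```powershell
# Added example (not Microsoft's code): report Soctuseer artifacts on this host.
# Requires an elevated PowerShell session for full service/registry visibility.
function Find-SoctuseerArtifacts {
    [CmdletBinding()]
    param()

    $hex32    = '^[0-9A-Fa-f]{32}$'        # 32-digit hexadecimal name, per the post
    $findings = New-Object System.Collections.Generic.List[object]

    # Small helper (my own) that collects one finding per artifact.
    function Add-Finding($Kind, $Name, $Detail) {
        $findings.Add([pscustomobject]@{ Kind = $Kind; Name = $Name; Detail = $Detail })
    }

    # 1. Random 32-hex subfolder under Program Files holding 32-hex-named files.
    #    Caveat from the post: the rootkit driver hides this folder from any process
    #    not on its allow list (powershell.exe included), so an empty result here does
    #    not clear the host. The service and task checks below do not need file access.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        Get-ChildItem -LiteralPath $root -Directory -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $hex32 } |
            ForEach-Object {
                $dir      = $_
                $hexFiles = @(Get-ChildItem -LiteralPath $dir.FullName -File -ErrorAction SilentlyContinue |
                              Where-Object { $_.BaseName -match $hex32 })
                Add-Finding 'Folder' $dir.FullName "$($hexFiles.Count) file(s) with 32-hex-digit names"
            }
    }

    # 2. Service whose name is 32 hex digits, or whose description is the fixed
    #    string the post reports ("Enhances experience when browsing the web").
    Get-CimInstance -ClassName Win32_Service -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $hex32 -or
                       $_.Description -eq 'Enhances experience when browsing the web' } |
        ForEach-Object {
            Add-Finding 'Service' $_.Name "StartMode=$($_.StartMode); PathName=$($_.PathName)"
        }

    # 3. Scheduled task with a 32-hex-digit name (the PowerShell updater component).
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -match $hex32 } |
        ForEach-Object {
            $task    = $_
            $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $actions
        }

    # 4. Uninstall entry displayed as "Social2Search" (standard Windows uninstall keys,
    #    machine-wide, 32-bit-on-64-bit, and per-user; paths are my assumption).
    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($r in $uninstallRoots) {
        Get-ChildItem -Path $r -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
            Where-Object { $_.DisplayName -like '*Social2Search*' } |
            ForEach-Object {
                Add-Finding 'UninstallEntry' $_.DisplayName "$($_.PSChildName): $($_.UninstallString)"
            }
    }

    return $findings
}

# One row per artifact to investigate; an empty table with check 1 hidden by the
# driver is still possible, which is why the service and task checks matter.
Find-SoctuseerArtifacts | Format-Table -AutoSize
```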

 

Prevention, detection, and recovery

To help stay protected:

  • Keep your Windows Operating System and antivirus up-to-date and, if you haven’t already, upgrade to Windows 10.
  • Use Microsoft Edge. It can:
    • Help warn you about sites that are known to be hosting exploits
    • Help protect you from socially-engineered attacks such as phishing and malware downloads
    • Automatically detect bad changes and protect settings
  • Use the Settings app to reset to Microsoft recommended defaults if your default apps were changed.
    • Launch the Settings app.
    • Navigate to the Default apps page.
      • From Home go to System > Default apps.
      • Click Reset.
  • Avoid browsing web sites that are likely to host malware (such as illegal music, movies and TV, and pirated software download sites)
  • Ensure your antimalware protection (such as Windows Defender and Microsoft Malicious Software Removal Tool) is up-to-date.
    • If you are using Windows Defender, you can check your exclusion settings to see whether the malware added some entries in an attempt to exclude folders from being scanned.
      • To check and remove excluded items in Windows Defender:
        1. Navigate to Settings > Update & security > Windows Defender > Add an exclusion.
        2. Go through the lists under Files and File locations, select the excluded item that you want to remove, and click Remove.
        3. Click OK to confirm.
  • Use cloud protection to help guard against the latest malware threats. It’s turned on by default for Microsoft Security Essentials and Windows Defender for Windows 10. Go to All settings > Update & security > Windows Defender and make sure that your Cloud-based Protection setting is turned On.

 

Related information

See How Microsoft antimalware products identify malware: unwanted software and malicious software for the objective criteria details.

For additional information about what Browser Extensibility Models are, and why we require programs to use them, see the following pages:

 

James Patrick Dee

MMPC

Moving Beyond EMET
https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/
Thu, 03 Nov 2016 17:48:34 +0000

EMET – Then and Now

Microsoft’s Trustworthy Computing initiative was 7 years old in 2009 when we first released the Enhanced Mitigation Experience Toolkit (EMET). Despite substantial improvements in Windows OS security during that same period, it was clear that the way we shipped Windows at the time (3-4 years between major releases) was simply too slow to respond quickly to emerging threats. Our commercial customers were particularly exposed since it often took years to deploy new OS versions in large scale environments. And thus, EMET was born as a stop-gap solution to deliver tactical mitigations against certain zero-day software vulnerabilities.

For Microsoft, EMET proved useful for a couple of reasons. First, it allowed us to interrupt and disrupt many of the common exploit kits employed by attackers at the time without waiting for the next Windows release, thus helping to protect our customers. Second, we were able to use EMET as a place to assess new features, which directly led to many security innovations in Windows 7, 8, 8.1, and 10.

But EMET has serious limits as well – precisely because it is not an integrated part of the operating system. First, many of EMET’s features were not developed as robust security solutions. As such, while they blocked techniques that exploits used in the past, they were not designed to offer real durable protection against exploits over time. Not surprisingly, one can find well-publicized, often trivial bypasses, readily available online to circumvent EMET.

Second, to accomplish its tasks, EMET hooks into low-level areas of the operating system in ways those areas weren’t originally designed for. This has caused serious side-effects in both performance and reliability of the system and the applications running on it. And this presents an ongoing problem for customers since every OS or application update can trigger performance and reliability issues due to incompatibility with EMET.

Finally, while the OS has evolved beneath it, EMET hasn’t kept pace. While EMET 5.5x was verified to run on Windows 10, its effectiveness against modern exploit kits has not been demonstrated, especially in comparison to the many security innovations built-in to Windows 10. 

Windows 10 – A New OS for a Dangerous World

Not surprisingly, the top customer feedback on EMET has consistently been to build such protections directly into the operating system. But to do that, Microsoft first had to change how we shipped Windows so that customers won’t have to wait years for new protections to come online.

Beginning with Windows 10, that’s exactly what we did with the move to Windows as a Service. Since its initial launch in July 2015, there have already been two major updates released and that pace is expected to continue. More importantly, each major update of Windows 10 has brought with it substantial new innovations in security. For example, the Microsoft Edge browser was built from the start with security as a top feature. Revolutionary new Windows 10 features like Device Guard, Credential Guard, and Windows Defender Application Guard (coming soon) use hardware virtualization to protect against vulnerability exploits and malware. Windows Defender Advanced Threat Protection (ATP) provides post-breach detection and response for Windows 10 enterprise users. And, of course, Windows 10 includes all of the mitigation features that EMET administrators have come to rely on such as DEP, ASLR, and Control Flow Guard (CFG) along with many new mitigations to prevent bypasses in UAC and exploits targeting the browser.

With the types of threats enterprises face today, we are constantly reminded of this simple truth: modern defense against software vulnerabilities requires a modern platform. That platform is Windows 10 – an always up-to-date version of Windows that is continually improved to help protect against the latest threats. To help make the transition to Windows 10, we will publish a detailed guide for administrators currently using EMET.

Updated Support End Date for EMET 5.5x

Finally, we have listened to customers’ feedback regarding the January 27, 2017 end of life date for EMET and we are pleased to announce that the end of life date is being extended 18 months. The new end of life date is July 31, 2018. There are no plans to offer support or security patching for EMET after July 31, 2018. For improved security, our recommendation is for customers to migrate to Windows 10.

 

Jeffrey Sutherland

Our commitment to our customers’ security
https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-commitment-to-our-customers-security/
Tue, 01 Nov 2016 18:47:27 +0000

This guest blog post is by Terry Myerson / Executive Vice President, Windows and Devices Group

Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. And we take this responsibility very seriously.

Recently, the activity group that Microsoft Threat Intelligence calls STRONTIUM conducted a low-volume spear-phishing campaign. Customers using Microsoft Edge on Windows 10 Anniversary Update are known to be protected from versions of this attack observed in the wild. This attack campaign, originally identified by Google’s Threat Analysis Group, used two zero-day vulnerabilities in Adobe Flash and the down-level Windows kernel to target a specific set of customers.

We have coordinated with Google and Adobe to investigate this malicious campaign and to create a patch for down-level versions of Windows. Along these lines, patches for all versions of Windows are now being tested by many industry participants, and we plan to release them publicly on the next Update Tuesday, Nov 8.

We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.

To address these types of sophisticated attacks, Microsoft recommends that all customers upgrade to Windows 10, the most secure operating system we’ve ever built, complete with advanced protection for consumers and enterprises at every layer of the security stack. Customers who have enabled Windows Defender Advanced Threat Protection (ATP) will detect STRONTIUM’s attempted attacks thanks to ATP’s generic behavior detection analytics and up-to-date threat intelligence.

-Terry

STRONTIUM: A brief history

Microsoft aggregates the details of threat activity—malware, infrastructure, victim classes, and attacker techniques—into activity groups to improve our readers’ ability to understand the reasons behind cyber attacks. STRONTIUM is an activity group that usually targets government agencies, diplomatic institutions, and military organizations, as well as affiliated private sector organizations such as defense contractors and public policy research institutes. Microsoft has attributed more 0-day exploits to STRONTIUM than to any other tracked group in 2016. STRONTIUM frequently uses compromised e-mail accounts from one victim to send malicious e-mails to a second victim and will persistently pursue specific targets for months until it succeeds in compromising the victims’ computers. Once inside, STRONTIUM moves laterally throughout the victim network, entrenches itself as deeply as possible to guarantee persistent access, and steals sensitive information.

The exploits

STRONTIUM must accomplish three objectives in order for the attack to succeed:

  1. Exploit Flash to gain control of the browser process
  2. Elevate privileges in order to escape the browser sandbox
  3. Install a backdoor to provide access to the victim’s computer

Microsoft has several threat prevention and exploit mitigation features available to counter these steps.

Adobe Flash exploitation: CVE-2016-7855

Based on the analysis performed by the Windows Defender ATP Exploit research team and the Microsoft Security Response Center (MSRC), the vulnerability in Adobe Flash leveraged by STRONTIUM was found to be a use-after-free issue affecting ActionScript runtime code. Adobe has since released an update to fix this vulnerability. Microsoft is actively partnering with Adobe to implement additional mitigations against this class of exploit.

Elevation of privileges

The Windows kernel vulnerability targeted by STRONTIUM’s EoP exploit is present in Windows Vista through Windows 10 Anniversary Update. However, prior to this attack, Microsoft implemented new exploit mitigations in the Windows 10 Anniversary Update version of the win32k kernel component. These Windows 10 Anniversary Update mitigations, which were developed based on proactive internal research, stop all observed in-the-wild instances of this exploit.

Backdoor installation

Following successful elevation of privilege, a backdoor is downloaded, written to the file system, and executed in the browser process. However, the backdoor DLL (along with any other untrusted software) can be blocked by implementing strict Code Integrity policies. Microsoft Edge natively implements Code Integrity to prevent this common post-exploitation step. Users of Internet Explorer and other browsers can also be protected through the use of Device Guard.

Detecting the attack with Windows Defender ATP

Multiple behavioral and machine learning detection rules alert on various elements of the kill chain throughout STRONTIUM’s current attack. Windows Defender ATP can generically detect, without any signature, multiple stages of the attack such as the creation of uncommon DLL libraries on disk from the browser process, unexpected changes of process token and integrity levels (EoP), and the loading of recently created DLL libraries under abnormal process conditions (Figure 3).


Figure 3: Windows Defender ATP Detection of Kernel EOP used by STRONTIUM
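As an added illustration, not Microsoft’s code and not how Windows Defender ATP is implemented, the toy correlation below runs the three generic signals named above (a DLL written to disk by a browser process, a browser process whose integrity level jumps, and a load of a DLL created moments earlier) over a constructed event timeline. The event layout, the browser image names, the 10-minute “recently created” window and the placeholder DLL name are all my assumptions.

```powershell
# Added example (not Microsoft's code): correlate constructed endpoint events into
# the three generic signals the post describes. Browser image names are my assumption.
$browserImages = @('iexplore.exe', 'MicrosoftEdgeCP.exe', 'chrome.exe', 'firefox.exe')

function Find-BrowserDllChain {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $RecentMinutes = 10          # "recently created" window (assumption)
    )
    $alerts       = New-Object System.Collections.Generic.List[string]
    $browserDrops = @{}                    # lower-cased DLL path -> time a browser wrote it

    foreach ($e in ($Events | Sort-Object Time)) {
        $isBrowser = $browserImages -contains $e.Process
        $stamp     = $e.Time.ToString('HH:mm:ss')
        switch ($e.Type) {
            'FileCreate' {
                # Signal 1: an uncommon DLL appearing on disk, written by the browser itself.
                if ($isBrowser -and $e.Path -like '*.dll') {
                    $browserDrops[$e.Path.ToLower()] = $e.Time
                    $alerts.Add("[$stamp] DLL written by browser process $($e.Process) (pid $($e.ProcId)): $($e.Path)")
                }
            }
            'IntegrityChange' {
                # Signal 2: browser content runs at Low integrity; a jump to High/System
                # inside the same process is the EoP signal.
                if ($isBrowser -and $e.OldLevel -eq 'Low' -and (@('High', 'System') -contains $e.NewLevel)) {
                    $alerts.Add("[$stamp] EoP: $($e.Process) (pid $($e.ProcId)) integrity $($e.OldLevel) -> $($e.NewLevel)")
                }
            }
            'ImageLoad' {
                # Signal 3: any process loading a DLL that a browser created only moments ago.
                $key = $e.Path.ToLower()
                if ($browserDrops.ContainsKey($key)) {
                    $age = New-TimeSpan -Start $browserDrops[$key] -End $e.Time
                    if ($age.TotalMinutes -le $RecentMinutes) {
                        $alerts.Add("[$stamp] $($e.Process) (pid $($e.ProcId)) loaded DLL created $([int]$age.TotalSeconds)s earlier by a browser: $($e.Path)")
                    }
                }
            }
        }
    }
    return $alerts.ToArray()
}

# Constructed sample timeline (not real telemetry); the DLL name is a placeholder.
$t0 = Get-Date '2016-10-31 10:00:00'
$sample = @(
    [pscustomobject]@{ Time = $t0;                Type = 'FileCreate';      Process = 'iexplore.exe'; ProcId = 4120; Path = 'C:\Users\alice\AppData\Local\Temp\sample-backdoor.dll' }
    [pscustomobject]@{ Time = $t0.AddSeconds(20); Type = 'IntegrityChange'; Process = 'iexplore.exe'; ProcId = 4120; OldLevel = 'Low'; NewLevel = 'System' }
    [pscustomobject]@{ Time = $t0.AddSeconds(35); Type = 'ImageLoad';       Process = 'iexplore.exe'; ProcId = 4120; Path = 'C:\Users\alice\AppData\Local\Temp\sample-backdoor.dll' }
    # Benign noise: an installer writing and a product loading its own DLL must not alert.
    [pscustomobject]@{ Time = $t0.AddMinutes(2);  Type = 'FileCreate';      Process = 'msiexec.exe';  ProcId = 5300; Path = 'C:\Program Files\Contoso\helper.dll' }
    [pscustomobject]@{ Time = $t0.AddMinutes(3);  Type = 'ImageLoad';       Process = 'contoso.exe';  ProcId = 5412; Path = 'C:\Program Files\Contoso\helper.dll' }
)

# Three alerts for the browser chain, none for the installer.
Find-BrowserDllChain -Events $sample
```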

Additionally, threat intelligence and IOCs specific to this attack unearthed by Microsoft Threat Intelligence have been added to Windows Defender ATP and Office 365 ATP. These alerts work alongside the existing threat summary and in-depth profiles on STRONTIUM available in the Windows Defender ATP customer portal.

For more information, check out the features and capabilities of the Windows Defender ATP service in Windows 10 and read more about why a post-breach detection approach is a key component of any enterprise security stack.

 

Special thanks to Neel Mehta and Billy Leonard of Google’s Threat Analysis Group for their assistance in investigating these issues.

BlueHat v16 Keynote announced
https://blogs.technet.microsoft.com/bluehat/2016/11/01/bluehat-v16-keynote-announced/
Tue, 01 Nov 2016 15:05:35 +0000

Microsoft is excited to announce David Kennedy, CEO of TrustedSec and Binary Defense Systems, as the BlueHat v16 keynote speaker. David is a well-known speaker from the community, a published author, and the founder of the DerbyCon Security Conference. His keynote, entitled “The Security Monty Python and the Holy Grail”, will open the general conference this Thursday. We look forward to welcoming him here for the conference.

The schedule has also been updated with a few last minute changes. I am excited as BlueHat v16 has now arrived!

Phillip Misner

Principal Security Group Manager

Microsoft Security Response Center

Microsoft Event Kicks Off with Video about Building Windows for Each of Us
https://blogs.msdn.microsoft.com/accessibility/2016/10/26/microsoft-event-kicks-off-with-video-about-building-windows-for-each-of-us/
Wed, 26 Oct 2016 22:07:29 +0000

The following is a post from Jenny Lay-Flurrie, Microsoft Chief Accessibility Officer


At Microsoft, our mission is to empower every person and organization on the planet to achieve more. Today at a Microsoft event in New York, we opened the show with a video about how our team has been inspired to build Windows – not for all of us, but for each of us.

Some of the people on our teams who are dedicated to making Windows for everyone are featured here, along with many of the improvements we’ve delivered as part of the Windows 10 Anniversary Update.

(Descriptive audio version can be found at: https://youtu.be/ki58TvG3PtA)

There’s a lot more that’s not covered in the video, so if you want to learn more, do check out the additional Windows 10 resources below. These include information about the features highlighted in the video and advice for those using AT about upgrading to Windows 10.

In the video, we feature some early concept design options for Xbox avatars with wheelchairs. We’re all so excited about the Gaming for Everyone program and continue to work with the advocacy community and our fans on the designs and look forward to sharing additional images in the future. These are early concept designs, so please, help us with the process. Pop your ideas and feedback on either Xbox Feedback site or the Microsoft Accessibility UserVoice Forum.

In addition to what’s featured in the video today, do check out the great improvements from Microsoft Office, who have been partnering closely with the Windows teams to enhance the accessibility and usability of productivity experiences on Windows 10 devices. If you have the Windows 10 Anniversary Update and are part of the Office Insiders program, you can be the first to experience the improvements as they roll out in Office 365 Windows Desktop and Office Windows Mobile applications. Experience improvements while using Office Online applications in the Edge browser with Windows 10 assistive technologies such as Narrator and ease of access settings such as High Contrast Mode. Read the Office Blog to learn more about the key accessibility improvements in Office 365: Productivity and inclusion—Office 365 accessibility update

Exciting day for us in the office! Please let us know what you think, pop ideas, thoughts and feedback on our Microsoft Accessibility UserVoice Forum and enjoy creating.

 

Office 2013 can now block macros to help prevent infection
https://blogs.technet.microsoft.com/mmpc/2016/10/26/office-2013-can-now-block-macros-to-help-prevent-infection/
Wed, 26 Oct 2016 20:56:07 +0000

In response to the growing trend of macro-based threats, a new feature in Office 2016 allows an enterprise administrator to block users from running macros in Office documents that originated from the Internet.

This feature was documented back in March: New feature in Office 2016 can block macros and help prevent infection, and the predominant customer request we received was for this feature to be added to Office 2013.

We are pleased to announce that, as of September 2016, this feature is now part of Office 2013 – and it works in the same way as it does in Office 2016.

Administrators can enable this feature for Word, Excel, and PowerPoint by configuring it under the respective application’s Group Policy Administrative Templates for Office 2013.

For more information on how this feature works, and some background information on how macros can be abused for malware, see our blog from March 2016.
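A quick way to verify that the policy actually landed on a workstation, as an added example that is not part of the original post: the script below reads (and, with -Enforce, writes) the per-user policy value that the Office 2013 (15.0) and Office 2016 (16.0) Administrative Templates set for Word, Excel and PowerPoint. The registry path and value name (blockcontentexecutionfrominternet) are the ones the ADMX template writes; confirm them against the template version you deploy. One caveat a practitioner should keep in mind: the block keys on the Mark of the Web (the Zone.Identifier stream) that browsers and mail clients attach to downloaded files, so a document that reaches the user by a route that strips that stream is not treated as "from the Internet".

```powershell
# Added example (not from the post): audit, and optionally enforce, the
# "Block macros from running in Office files from the Internet" policy for
# Office 2013 (15.0) and Office 2016 (16.0), for Word, Excel and PowerPoint.
# Assumption: the Administrative Template writes the per-user DWORD
#   HKCU\Software\Policies\Microsoft\Office\<ver>\<app>\Security\blockcontentexecutionfrominternet = 1
# Check that path against the ADMX files you deploy. Supports -WhatIf.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Enforce    # write the value where it is missing or not 1, instead of only reporting
)

$versions  = [ordered]@{ '15.0' = 'Office 2013'; '16.0' = 'Office 2016' }
$apps      = 'Word', 'Excel', 'PowerPoint'
$valueName = 'blockcontentexecutionfrominternet'

$report = foreach ($ver in $versions.Keys) {
    foreach ($app in $apps) {
        $key     = "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security"
        $current = $null
        if (Test-Path -Path $key) {
            # Missing value yields $null rather than an error.
            $current = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
        }
        if ($Enforce -and $current -ne 1) {
            if ($PSCmdlet.ShouldProcess("$key\$valueName", 'Set DWORD to 1')) {
                New-Item -Path $key -Force | Out-Null      # creates the key chain if absent
                New-ItemProperty -Path $key -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
                $current = 1
            }
        }
        [pscustomobject]@{
            Product = $versions[$ver]
            App     = $app
            Policy  = $valueName
            Value   = if ($null -eq $current) { '(not set)' } else { $current }
            Blocked = ($current -eq 1)
        }
    }
}

$report | Format-Table -AutoSize
```

Run it as the user whose Office session you are checking, since the policy lives in HKEY_CURRENT_USER; in a domain, a GPO that applies the template produces the same value, and any row showing "(not set)" or a value other than 1 means that user is still able to run Internet-sourced macros.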

Beware of Hicurdismos: It’s a fake Microsoft Security Essentials installer that can lead to a support call scam
https://blogs.technet.microsoft.com/mmpc/2016/10/21/beware-of-hicurdismos-its-a-fake-microsoft-security-essentials-installer-that-can-lead-to-a-support-call-scam/
Sat, 22 Oct 2016 00:22:48 +0000

Wouldn’t it be a shame if, in trying to secure your PC, you inadvertently installed malware and ran the risk of being scammed?

We recently discovered a threat detected as SupportScam:MSIL/Hicurdismos.A that pretends to be a Microsoft Security Essentials installer. Microsoft Security Essentials is our antimalware product for Windows 7 and earlier. In Windows 10 and Windows 8, Windows Defender provides antimalware protection and is installed and enabled by default when Windows is installed. However, some users may believe they also need to download and install Microsoft Security Essentials.

Hicurdismos uses a fake Windows error message (sometimes called a “blue screen of death”, or BSoD) to launch a technical support scam. A real BSoD is a fatal error in which the screen turns blue and the computer crashes. Recovery from a BSoD error typically requires the user to reboot the computer.

The fake BSoD screen includes a note to contact technical support. Calling the indicated support number will not fix the BSoD, but may lead to users being encouraged to download more malware under the guise of support tools or software that is supposed to fix a problem that doesn’t exist.

Interestingly, the fake BSoD screen used by Hicurdismos mimics an error message used in Windows 8 and Windows 10, so users of these new Windows versions could also be at risk of being tricked by Hicurdismos.

The threat of technical support scams has been around for years, but it has recently been observed to be growing. We’ve seen attackers become more sophisticated in their social engineering, misleading users into calling for technical support and then asking them to pay to “fix” a problem on the PC that does not exist. Real error messages from Microsoft do not include support contact details. See the bottom of this blog for links and information on how to contact Microsoft Support.


Figure 1. Hicurdismos displays a fake BSoD message that has contact details for fake support. Note: The real messages do not include support contact details, nor when you call for support are you asked for payment.

Hicurdismos is an installer that arrives via a drive-by download. SmartScreen Filter in Internet Explorer and Microsoft Edge flags this threat with the prompts below, cautioning the user not to run or save the malware:

You will not get warnings like these when downloading and installing legitimate programs from Microsoft.

If the malicious installer is downloaded on the computer, it mimics the real Microsoft Security Essentials installer by using a similar icon. However, closer inspection will reveal differences in the file properties, including the filename. Hicurdismos uses the file name setup.exe.


Figure 2. SmartScreen message notifying you about running an executable file that could harm your PC.


Figure 3. SmartScreen message notifying you that the program you are about to run hasn’t been verified, and doing an extra check of whether you’d still run it.


Figure 4. The Hicurdismos installer (right) attempts to mimic the icon of the real Microsoft Security Essentials installer (left), but file properties reveal that it is not the same.

The file setup.exe is a SmartInstaller package, which contains a malicious file that pretends to be Microsoft Security Essentials. Unlike the installer, the malicious file has the same file property information as the legitimate Microsoft Security Essentials executable:


Figure 5. The file property information of Hicurdismos has the same details as Microsoft Security Essentials.

When run, the malware immediately renders the fake BSoD experience. To do so, it performs the following:

  • Hides the mouse cursor (to make the user think the system is not responding)
  • Disables Task Manager (to prevent the user from terminating the process)
  • Displays the BSoD image, which occupies the entire screen (to prevent the user from using the PC)


Figure 6. Disassembly shows how the malware hides the cursor and disables Task Manager


Figure 7. Disassembly shows how the malware displays the fake BSoD

The malware drops a copy of itself in the following path:

    %SystemRoot%\bluesquarez llc\sysprotector\microsoft security essentials.exe

It also creates an auto-start launch point in the registry:

    In subkey: HKEY_USERS\<SID/user>\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Sysprotector"
    With data: "%SystemRoot%\bluesquarez llc\sysprotector\microsoft security essentials.exe"
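The drop path and Run value above are enough for a quick host triage. The following script, an added example and not the post's own tooling, checks for the dropped file (hashing it against the reference SHA1 given at the end of the post and reading its Authenticode signature, which a genuine Microsoft Security Essentials binary carries and this copy does not), then walks every loaded user hive under HKEY_USERS for the Sysprotector Run value or any Run entry that points into the drop folder. Only hives of profiles that are currently loaded are visible there; for other accounts load NTUSER.DAT first. The indicator strings are taken from the post; the output layout is the editor's.

```powershell
# Added example (not from the post): hunt for the Hicurdismos persistence
# artifacts described above across every loaded user hive, and check the
# dropped file against the post's reference SHA1 and its code signature.
# Run from an elevated Windows PowerShell session.
$refSha1  = 'e1e78701049a5e883a722a98cdab6198f7bd53a1'   # reference SHA1 from the post
$dropPath = Join-Path $env:SystemRoot 'bluesquarez llc\sysprotector\microsoft security essentials.exe'
$runValue = 'Sysprotector'

$findings = @()

# 1. Dropped copy: present? hash matches? and is it actually Microsoft-signed?
if (Test-Path -LiteralPath $dropPath) {
    $sha1 = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA1).Hash.ToLower()
    $sig  = Get-AuthenticodeSignature -LiteralPath $dropPath
    $findings += [pscustomobject]@{
        Type   = 'DroppedFile'
        Where  = $dropPath
        Detail = ('SHA1={0} matchesReference={1}; signature={2}; signer={3}' -f
                  $sha1, ($sha1 -eq $refSha1), $sig.Status, $sig.SignerCertificate.Subject)
    }
}

# 2. Per-user Run key: HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Run
#    Only hives of loaded profiles are visible here (logged-on users, plus any you loaded with reg load).
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$userHives = Get-ChildItem -Path 'HKU:\' |
             Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notlike '*_Classes' }

foreach ($hive in $userHives) {
    $runKey = "HKU:\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path -Path $runKey)) { continue }
    $props = Get-ItemProperty -Path $runKey
    # Skip the PS* note properties the provider adds; the rest are Run value names.
    foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name) {
        $data = [string]$props.$name
        if ($name -eq $runValue -or $data -like '*bluesquarez llc\sysprotector*') {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Where = "$runKey\$name"; Detail = $data }
        }
    }
}

if ($findings) { $findings | Format-List } else { 'No Hicurdismos persistence artifacts found.' }
```

A hit on either check is enough to treat the machine as compromised; follow the post's advice and clean it with Windows Defender Offline rather than deleting the file and value by hand, since the fake BSoD process may still be running and the installer may have dropped more than the copy listed here.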


Mitigation and Prevention

Hicurdismos misleads users and lures them into calling a number that can lead to a fake technical support scam. Like most social engineering techniques, it can be avoided by knowledge and alertness. Some important things to note:

  • Real error message screens do not include a support phone number; instead they provide an error code and instructions to search for more information.
  • On Windows 10, Windows Defender is built in, so there is no need to install Microsoft Security Essentials.
  • Microsoft installers are signed by a Microsoft certificate. Before running a downloaded installer, check the Digital Signatures tab in its file properties (or run Get-AuthenticodeSignature on it); Hicurdismos carries no valid Microsoft signature.

If you are infected with this scam, use Windows Defender Offline to scan your PC.


Figure 8. Comparing the real BSoD screen (left) and the fake BSoD (right) side-by-side shows the additional line that contains the fake support contact details


Report the incident to Microsoft and contact your local scam-reporting organization. Organizations for the United States, Canada, United Kingdom, and Australia include:

When you receive a phone call or see a pop-up window on your PC and you are uncertain whether it is from someone at Microsoft, don’t take the risk. Reach out directly to one of our technical support experts dedicated to helping you at the Microsoft Answer Desk.

In case you have already engaged with and paid for a fake support service:

  • Apply all security updates as soon as they are available, and run a full scan to remove the threat.
  • Change your passwords.
  • Call your credit card provider to reverse the charges, if you have already paid.
  • Monitor for anomalous logon activity, and block traffic to services that you would not normally access.

Reference SHA1: e1e78701049a5e883a722a98cdab6198f7bd53a1


Francis Tan Seng and Alden Pornasdoro

MMPC

The new .LNK between spam and Locky infection
https://blogs.technet.microsoft.com/mmpc/2016/10/19/the-new-lnk-between-spam-and-locky-infection/
Wed, 19 Oct 2016 18:28:01 +0000

Just when it seems the Ransom:Win32/Locky activity has slowed down, our continuous monitoring of the ransomware family reveals a new workaround that the authors might be using to keep it going.

The decline in Locky activity can be attributed to the slowdown in detections of Nemucod, which Locky uses to infect computers. Nemucod is a .wsf file contained in .zip attachments in spam email (see our Nemucod WSF blog for details). Locky has also previously been distributed by exploit kits and by spam email attachments with other extensions such as .js and .hta.

Figure 1. The graph shows that Locky machine encounters have recently been low

Figure 2: Nemucod detection peaked early in October 2016

We observed that the Locky ransomware writers, possibly upon seeing that some emails are being proactively blocked, changed the attachment from .wsf files to shortcut files (.LNK extension) that contain PowerShell commands to download and run Locky.

An example of the spam email below shows that it is designed to feign urgency. It is sent with high importance and with random characters in the subject line. The body of the email is empty.

Figure 3: Example of a spam email that could lead to a Locky infection

The spam email typically arrives with a .zip attachment, which contains the .LNK files. We’ve observed that the attachment is named bill, possibly meant to trick users into thinking it is a bill they need to pay. In opening the .zip attachment, users trigger the infection chain.

Figure 4: .LNK file inside the zip attachment

Inspecting the .LNK file reveals the PowerShell script.

Figure 5: Embedded PowerShell command in the shortcut file

This threat is detected as TrojanDownloader:PowerShell/Ploprolo.A.

When the PowerShell script successfully runs, it downloads and executes Locky in a temporary folder (for example, BJYNZR.exe), completing the infection chain.

Figure 6: Embedded PowerShell command used to download the payload
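A way to triage such an attachment without launching it, as an added example that is not from the post: expand the .zip into a scratch folder and read each .LNK's target and arguments through the WScript.Shell COM object, which parses the shortcut rather than executing it, then score the arguments against strings that commonly appear in PowerShell download-and-run cradles like the one in Figure 6. The indicator list, the $ZipPath parameter and the verdict labels are the editor's choices. Do this on an isolated analysis machine: Expand-Archive writes the shortcut to disk, and anything that later double-clicks it will run it. WScript.Shell is convenient but not a full ShellLink parser; for a hardened pipeline, parse the MS-SHLLINK structure directly so that the icon, working-directory and extra-data fields are captured too.

```powershell
# Added example (not from the post): triage a .zip attachment offline by
# expanding it and reading every .LNK inside through WScript.Shell, which
# parses the shortcut without running it, then flag PowerShell download cradles.
# Assumptions: $ZipPath is the suspicious attachment; the indicator list is the editor's.
param(
    [Parameter(Mandatory = $true)] [string]$ZipPath
)

$work = Join-Path $env:TEMP ('lnk-triage-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
Expand-Archive -LiteralPath $ZipPath -DestinationPath $work -Force

# Strings that commonly appear in PowerShell download-and-run cradles (case-insensitive match).
$cradleIndicators = 'Net.WebClient', 'DownloadFile', 'DownloadString', 'Invoke-WebRequest',
                    'IEX', 'Invoke-Expression', 'Start-Process', '-enc', '-EncodedCommand',
                    '-nop', '-w hidden', '-WindowStyle', 'Bypass', '%TEMP%', '$env:TEMP'

$shell = New-Object -ComObject WScript.Shell
$results = foreach ($lnk in Get-ChildItem -LiteralPath $work -Recurse -Filter *.lnk) {
    $sc      = $shell.CreateShortcut($lnk.FullName)   # reads the existing .lnk; does not execute it
    $cmdArgs = [string]$sc.Arguments                  # do not name this $args: that is an automatic variable
    $cmdLine = "$($sc.TargetPath) $cmdArgs"
    $hits    = @($cradleIndicators | Where-Object { $cmdArgs -match [regex]::Escape($_) })
    [pscustomobject]@{
        File       = $lnk.Name
        Target     = $sc.TargetPath
        Indicators = ($hits -join ', ')
        # powershell launched directly, or via cmd.exe /c, with cradle strings in the arguments
        Verdict    = if ($cmdLine -match 'powershell' -and $hits.Count -gt 0) { 'SUSPICIOUS' } else { 'review' }
        Arguments  = $cmdArgs
    }
}

$results | Format-List
[void][Runtime.InteropServices.Marshal]::ReleaseComObject($shell)
Remove-Item -LiteralPath $work -Recurse -Force
```

For the sample described in the post the Target field resolves to powershell.exe and the Arguments field holds the download-and-run command, so the verdict is SUSPICIOUS; a legitimate shortcut inside a business attachment is rare enough that a plain "review" result should still go to a human.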

The payload malware is the recent version of Locky that has the following characteristics:

  • Encrypted file extension:
    • .odin
  • Decryption instruction files:
    • _440_HOWDO_text.html
    • _HOWDO_text.bmp
    • _HOWDO_text.html


For details, see the Win32/Locky family description.

The static configuration inside the binary contains the following information:


  • AffiliateId: 5
  • DGA seed: 74311
  • Language skipped: Russian
  • URL path: /apache_handler.php
  • Hard-coded C&C addresses used: 93.170.104.126, 185.46.11.73
  • Offline encryption allowed using public key (base64):
    BgIAAACkAABSU0ExAAgAAAEAAQA7cxE2y7KzaqNzjzvUMZHpLzaCnLlnDkPn3W74o09zNmJNhvjwqEcwUOJBZmpRCjIoeCnH+NZVPLvdXjfHJGU3WguCLrOE97HEZaXd/uHW95UE8AZW+r4zPdCClnN1mfHF+CvvLJGjiTv+8OMJXNxYA/TJlyXqDhpWarPN79UMGrWApdYkkUiPiN+EBXlJWJsnXfWi5d9Nxrb/vfPIZIzSXmOkOtEg5D1/MlElPrKYJ2yXwCAkSWDzeYXU06uIG6OYeCOrxKIy26wYmCdv+7yEKJ6tXZYH3enbsiwXw+6VR2EAwyD7/U6GnWq4LTT0M/u58dY5WlyGuWIvBrzQ2xXO
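The public key in the configuration deserves a closer look. Decoded, the base64 is a CryptoAPI PUBLICKEYBLOB: a BLOBHEADER (type 0x06, algorithm CALG_RSA_KEYX) followed by an RSAPUBKEY with the "RSA1" magic, a 2048-bit length and exponent 65537, then the 256-byte little-endian modulus. The script below, an added example and not part of the post, parses those fields and round-trips the blob through .NET's RSACryptoServiceProvider (Windows PowerShell) to confirm it is a well-formed, public-only key. The practical point: when the C&C addresses are unreachable, Locky can still encrypt files under this key, and without the matching private key those files cannot be recovered by analysing the sample.

```powershell
# Added example (not from the post): decode the "offline encryption" public key
# from Locky's static configuration. The base64 is a CryptoAPI PUBLICKEYBLOB
# (BLOBHEADER + RSAPUBKEY + modulus), the format RSACryptoServiceProvider.ImportCspBlob() reads.
# The key bytes are the ones printed in the configuration table above.
$b64 = -join @(
    'BgIAAACkAABSU0ExAAgAAAEAAQA7cxE2y7KzaqNzjzvUMZHpLzaCnLlnDkPn3W74o09zNmJNhvjw',
    'qEcwUOJBZmpRCjIoeCnH+NZVPLvdXjfHJGU3WguCLrOE97HEZaXd/uHW95UE8AZW+r4zPdCClnN1',
    'mfHF+CvvLJGjiTv+8OMJXNxYA/TJlyXqDhpWarPN79UMGrWApdYkkUiPiN+EBXlJWJsnXfWi5d9N',
    'xrb/vfPIZIzSXmOkOtEg5D1/MlElPrKYJ2yXwCAkSWDzeYXU06uIG6OYeCOrxKIy26wYmCdv+7yE',
    'KJ6tXZYH3enbsiwXw+6VR2EAwyD7/U6GnWq4LTT0M/u58dY5WlyGuWIvBrzQ2xXO'
)
$blob = [Convert]::FromBase64String($b64)

# BLOBHEADER: bType(1) bVersion(1) reserved(2) aiKeyAlg(4)
# RSAPUBKEY : magic(4) bitlen(4) pubexp(4), then the modulus (bitlen/8 bytes, little-endian)
$bType  = $blob[0]
$keyAlg = [BitConverter]::ToUInt32($blob, 4)
$magic  = [Text.Encoding]::ASCII.GetString($blob, 8, 4)
$bitLen = [BitConverter]::ToUInt32($blob, 12)
$pubExp = [BitConverter]::ToUInt32($blob, 16)

[pscustomobject][ordered]@{
    BlobType   = ('0x{0:X2} (0x06 = PUBLICKEYBLOB)' -f $bType)
    KeyAlg     = ('0x{0:X8} (0x0000A400 = CALG_RSA_KEYX)' -f $keyAlg)
    Magic      = $magic                     # "RSA1"
    BitLength  = $bitLen                    # 2048
    PublicExp  = $pubExp                    # 65537
    ModulusLen = $blob.Length - 20          # 256 bytes for a 2048-bit key
} | Format-List

# Round-trip through .NET to confirm the blob is well-formed and contains no private half.
$rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$rsa.ImportCspBlob($blob)
'KeySize={0} PublicOnly={1}' -f $rsa.KeySize, $rsa.PublicOnly
```

The same parsing applies to any other sample of this Locky build: a changed modulus means a different campaign key, while a blob whose header does not decode as RSA1/2048 is a sign that the configuration extractor has picked up the wrong blob.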


The following SHA1s were used in this analysis:


Mitigation and prevention

To avoid falling prey to this new Locky ransomware campaign, here are some tips:

For end users

  • Use an up-to-date, real-time antimalware product, such as Windows Defender for Windows 10.
  • Keep Windows and the rest of your software up-to-date to mitigate possible software exploits.
  • Disable the loading of macros in Office programs.
  • Think before you click. Do not open emails from senders you don’t recognize.  Upload any suspicious files here: https://www.microsoft.com/en-us/security/portal/submission/submit.aspx. It is uncommon and quite suspicious for people to send legitimate applications with such extensions through email. Do not click or open such attachments:
    • Files with .LNK extension
    • Files with.wsf extension
    • Files with double dot extension (for example, profile-d39a..wsf)

For IT Administrators

  • Use AppLocker (or Software Restriction Policies) Group Policy to prevent dubious software from running. Note that AppLocker’s rule collections do not key on .LNK or .wsf as file types (its script rules cover .ps1, .bat, .cmd, .vbs and .js), so the practical equivalents are to deny the script hosts that run .wsf files (wscript.exe and cscript.exe) for standard users, to constrain powershell.exe to signed or approved scripts, or to use Software Restriction Policies, whose designated file types do include .LNK and .WSF.

To learn more about what’s new in Windows 10 security, go here: https://technet.microsoft.com/en-us/itpro/windows/whats-new/security


    Francis Tan Seng and Duc Nguyen

    MMPC

Empowering IT professionals to advance accessibility initiatives
https://blogs.msdn.microsoft.com/accessibility/2016/10/13/empowering-it-professionals-to-advance-accessibility-initiatives/
Thu, 13 Oct 2016 14:32:59 +0000

The tools and technologies available to IT pros to advance accessibility in their organizations are growing. Recently, the Office 365 team hosted discussions with IT pros at the Microsoft Ignite conference to explore ways that organizations are working to enhance accessibility in their working environments. The event also included some deep dives into tools available today in Office 365 as well as a look ahead at some additional enhancements launching in the coming months. Read more on the Office blog.

MSRT October 2016 release: Adding more unwanted software detections
https://blogs.technet.microsoft.com/mmpc/2016/10/11/msrt-october-2016-release-adding-more-unwanted-software-detections/
Tue, 11 Oct 2016 20:22:50 +0000

Unwanted software often piggy-backs on program downloads, delivered by software bundlers. These bundles, which you might have downloaded, can include software that you do not want, and some that is harmful.

The bundled or “extra” software can perform actions on your device that run the gamut from unwanted to annoying to malicious. The threat that comes with it can go beyond changing your browser settings without your consent, or affecting your productivity and computing experience. The nuisance can run as deep as putting your PC’s security at risk (for example, installing malware on your PC, or preventing your PC from running your antivirus tools properly).

This month, we are adding detections for the families BrowserModifier:Win32/Sasquor, BrowserModifier:Win32/SupTab, and Trojan:Win32/Ghokswa to the Microsoft Malicious Software Removal Tool (MSRT) release.

In combination with the families Trojan:Win32/Xadupi and Trojan:Win32/Suweezy added last month, these cover a suite of malware that can hijack browser settings, exclude entire drives from being scanned by Windows Defender and some other anti-malware apps, and install potentially unwanted or malicious software without your consent.

    Entry point

    In most cases, these malware families initially arrive as offers installed by software bundlers such as SoftwareBundler:Win32/Mizenota, SoftwareBundler:Win32/ICLoader and SoftwareBundler:Win32/InstallMonster.

    SupTab and Sasquor have been offered by bundlers under many names, including:

    • Istartpageing
    • Omniboxes
    • Yoursearching
    • iStart123
    • Hohosearch
    • Yessearches
    • Youndoo
    • Trotux



    Figure 1: SoftwareBundler:Win32/InstallMonster offers SupTab under the name “Yoursearching”

    Some bundlers show SupTab or Sasquor offers not as an app they will install, but simply as a change to your browser search and homepage settings.



    Figure 2: SoftwareBundler:Win32/SquareNet offering SupTab under the name “iStart123”. Note: While the bundler claims that agreeing to this offer will change your browser settings, if you click “Agree & Install” it will also install SupTab services that perform other actions.


The Xadupi malware family comes in three different forms, which go by the names CornerSunshine, WinZipper, and QKSee.

    Like Sasquor and SupTab, Xadupi can be delivered by software bundlers, but it is also often downloaded silently by Sasquor or SupTab themselves. This silent installation technique is common to most of the families in this group – Sasquor, SupTab and Xadupi all install services and/or scheduled tasks that regularly query remote servers for instructions, and are occasionally instructed to download and install additional apps. This download and installation happens without your consent or even notice. For example, weeks after Sasquor has been installed through a bundler, you may suddenly find WinZipper and QKSee on your machine, with .ZIP, .RAR, and other archive files suddenly associated with WinZipper. A few days after that, you may find your browser settings silently changed by SupTab or Ghokswa.

    These diagrams illustrate some of the most common ways these families interact:

[Diagram: how the unwanted software and malware families in this group install each other]

In addition to these common installation chains, Sasquor, SupTab, and Xadupi can be instructed by their remote servers to install each other at any point. Such behavior can help keep the malware alive on a machine longer: if one component is left behind, it can reinstall the others.

    What does all this malware do in addition to installing other bits of malware?

    Each family can serve multiple purposes and change over time, but here’s a summary:

BrowserModifier:Win32/Sasquor: Changes browser search and homepage settings, circumventing the browser’s supported methods and bypassing your consent. It generally targets Google Chrome and Mozilla Firefox users. It also installs services and scheduled tasks that regularly install other malware such as Trojan:Win32/Xadupi, and sometimes Trojan:Win32/Suweezy.

BrowserModifier:Win32/SupTab: Changes browser search and homepage settings, circumventing the browser’s supported methods and bypassing your consent. It usually targets Internet Explorer, Microsoft Edge, Google Chrome and Mozilla Firefox. It also installs services and scheduled tasks that regularly install additional malware of this or another family.

    Trojan:Win32/Suweezy: Attempts to modify settings for Windows Defender, Microsoft Security Essentials, AVG Antivirus, Avast Antivirus and Avira Antivirus, to exclude certain folders from being scanned. This can prevent detection and removal of the related malware like Sasquor and SupTab, as well as any other malware or unwanted software the machine might encounter. Suweezy usually adds C:\ to the exclusion list, which includes everything under that path, hence creating a significant and imminent danger to your computer’s overall security, by making that path unprotected by your antimalware software.

    Trojan:Win32/Xadupi: Installs a service that regularly installs other apps, including Ghokswa and SupTab. This service is ostensibly an update service for an app that has some user-facing functionality – CornerSunshine displays weather information on the taskbar, WinZipper can open and extract archive files, and QKSee can be used to view image files.

    Trojan:Win32/Ghokswa: Installs a customized version of Chrome or Firefox browsers. The Chrome version represents itself as Google Chrome, but is modified to use a different home page and search engine front-end. If Google Chrome is already installed when Ghokswa is downloaded by Xadupi, the Ghokswa installer will silently stop any running Google Chrome processes, and replace all shortcuts and associations for the real Google Chrome with ones pointing to its own version.

    Together, these malware families can greatly harm your Windows user experience, and in many cases seriously reduce your computer’s security by tampering with anti-virus apps and introducing new harmful software over time.

    Prevention, detection, and recovery

    To help stay protected:

    • Keep your Windows Operating System and antivirus up-to-date and, if you haven’t already, upgrade to Windows 10.
    • Use Microsoft Edge. It can:
      • Help warn you about sites that are known to be hosting exploits
      • Help protect you from socially-engineered attacks such as phishing and malware downloads
      • Automatically detect bad changes and protect settings
    • Use the Settings app to reset to Microsoft recommended defaults if your default apps were changed.
      • Launch the Settings app.
      • Navigate to the Default apps page.
        • From Home go to System > Default apps.
        • Click Reset.
    • Avoid browsing web sites that are likely to host malware (such as illegal music, movies and TV, and pirated software download sites)
    • Ensure your antimalware protection (such as Windows Defender and Microsoft Malicious Software Removal Tool) is up-to-date.
      • If you are using Windows Defender, you can check your exclusion settings to see whether the malware (for example, Trojan:Win32/Suweezy) added some entries in an attempt to exclude folders from being scanned.
        • To check and remove excluded items in Windows Defender:
          1. Navigate to Settings > Update & security > Windows Defender > Add an exclusion.
          2. Go through the lists under Files and File locations, select the excluded item that you want to remove, and click Remove.
          3. Click OK to confirm.
    • Enable Microsoft Active Protection Service (MAPS) to get the latest cloud-based unwanted software detection and blocking.
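An audit that covers what Suweezy does to Windows Defender, and automates the manual exclusion check described above, as an added example that is not from the post: it reads the current exclusion lists through Get-MpPreference, flags path exclusions that cover a whole drive, share or system folder (Suweezy's C:\ case), lists extension and process exclusions for review, and notes exclusions set through policy, which must be removed at the GPO rather than locally. With -Remove (and -WhatIf to preview) it clears the flagged path exclusions with Remove-MpPreference. The pattern for "broad" paths and the system-folder list are the editor's; the cmdlets are from the Defender module that ships with Windows 8.1 and Windows 10.

```powershell
# Added example (not from the post): audit Windows Defender exclusions for the
# kind of tampering Suweezy performs (excluding C:\ or other broad paths),
# and optionally remove the flagged path exclusions. Run elevated. Supports -WhatIf.
# Assumption: the Defender module (Get-MpPreference / Remove-MpPreference) is present.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

$pref = Get-MpPreference

# "Broad" = a drive root (C:, C:\, C:\*) or a UNC share root (\\server\share).
$broadPattern = '^(?:[A-Za-z]:\\?\*?|\\\\[^\\]+\\[^\\]+\\?)$'
$systemRoots  = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData, 'C:\Users') |
                Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

$findings = @(foreach ($p in @($pref.ExclusionPath)) {
    if (-not $p) { continue }
    $reason = if ($p -match $broadPattern)                         { 'drive or share root' }
              elseif ($systemRoots -contains $p.TrimEnd('\'))      { 'system-wide folder' }
              elseif ($p -match '\*')                              { 'wildcard' }
    if ($reason) { [pscustomobject]@{ Kind = 'Path'; Value = $p; Reason = $reason } }
})

# Extension and process exclusions are rarely legitimate on a workstation: list them all for review.
$findings += @(foreach ($e in @($pref.ExclusionExtension)) {
    if ($e) { [pscustomobject]@{ Kind = 'Extension'; Value = $e; Reason = 'review' } }
})
$findings += @(foreach ($x in @($pref.ExclusionProcess)) {
    if ($x) { [pscustomobject]@{ Kind = 'Process'; Value = $x; Reason = 'review' } }
})

# Exclusions pushed by Group Policy live here and cannot be removed with Remove-MpPreference.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths'
if (Test-Path -Path $policyKey) {
    $findings += @((Get-Item -Path $policyKey).Property | ForEach-Object {
        [pscustomobject]@{ Kind = 'Path (policy)'; Value = $_; Reason = 'set by policy; fix at the GPO' }
    })
}

if ($findings.Count -eq 0) { 'No suspicious Windows Defender exclusions.'; return }
$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in ($findings | Where-Object { $_.Kind -eq 'Path' })) {
        if ($PSCmdlet.ShouldProcess($f.Value, 'Remove-MpPreference -ExclusionPath')) {
            Remove-MpPreference -ExclusionPath $f.Value
        }
    }
}
```

After removing an exclusion that covered the whole drive, run a full scan: anything that was installed while the path was excluded has never been looked at, and Suweezy also edits the exclusion lists of the other antivirus products named above, which this script does not touch.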

    Related information

    See How Microsoft antimalware products identify malware: unwanted software and malicious software for the objective criteria details.

    For additional information about what Browser Extensibility Models are, and why we require programs to use them, see our previous blogs:


    MMPC

October 2016 security update release
https://blogs.technet.microsoft.com/msrc/2016/10/11/october-2016-security-update-release/
Tue, 11 Oct 2016 17:01:11 +0000

Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released.

    More information about this month’s security updates and advisories can be found in the Security TechNet Library.

    MSRC team

BlueHat IL 2017 Announced
https://blogs.technet.microsoft.com/bluehat/2016/09/28/bluehat-il-2017-announced/
Wed, 28 Sep 2016 19:41:45 +0000

Microsoft is thrilled to announce BlueHat IL 2017. This will mark the first time BlueHat is held in Tel Aviv, and it will take place on January 24-25, 2017. Given its location, Israel also serves as a hub that draws in researchers from across Europe, Asia and the Middle East.

    The Israeli edition will focus on research and researchers bringing forth the latest in security research and trends (no vendor, sales, product pitches etc. will be allowed).

BlueHat IL will be an exclusive, two-day, single-track, invitation-only event hosting hundreds of top global security professionals from the cyber security community, including industry, startups, academia, intelligence, independent research institutes and more.

    At this time we are also opening the call for papers which will run September 26th through November 11th, 2016. We are looking for true cyber research revolutionaries, game changers or thought leaders to submit an abstract for a chance to take the stage in front of our audience of top security professionals. Some possible themes we are interested in seeing abstracts on are:

    • Virtualization & Cloud-based research, exploits, and defense
    • How customers are getting owned (case studies and research)
    • New Exploit techniques
    • Emerging Threats & Trends
    • Anti-exploitation techniques
    • Identity & Authentication research, exploits, and defense
    • Infrastructure & IoT Security research, exploits, and defense
    • Machine learning & security analytics

There are limited slots available to present, so bring your best proposals forward. Successful submissions typically have strong calls to action, focus on engineering and security audiences, and explain how the work affects the threat environment. Come challenge us and help shape how professionals think about security! Submit your abstracts here: http://aka.ms/bhilcfp

    Like its Redmond counterpart, BlueHat IL will bring the security community and Microsoft together to learn about the current threat landscape and to challenge the thinking and actions that lead us when we take on the ever-evolving field of security.

    Watch this blog over the fall as we will release more information and previews for BlueHat IL 2017. We look forward to hearing from you and seeing you in Tel Aviv.


    Phillip Misner,

    Principal Security Group Manager, MSRC

Update to the Microsoft Edge Web Platform on Windows Insider Preview Bug Bounty Program terms
https://blogs.technet.microsoft.com/msrc/2016/09/28/update-to-the-microsoft-edge-web-platform-on-windows-insider-preview-bug-bounty-program-terms/
Wed, 28 Sep 2016 18:00:56 +0000

On August 4, 2016 we launched a bounty program that targets Remote Code Execution (RCE) vulnerabilities in Microsoft Edge on the Windows Insider Preview Slow (WIP slow) ring. Today, we are making additions to this bounty program. Since security is a continuous effort and not a destination, we prioritize acquiring different types of vulnerabilities at different points in time. Currently, we are focusing on vulnerabilities that lead to violations of W3C standards that compromise the privacy and integrity of important user data, and on RCEs. This program now includes:

    • Same Origin Policy bypass vulnerabilities (example: UXSS)
    • Referer Spoofing vulnerabilities
    • Remote Code Execution vulnerabilities in Microsoft Edge on Windows Insider Preview
    • Vulnerabilities in open source sections of Chakra
    • The bounty will run August 4, 2016 through May 15, 2017 and vulnerabilities on UXSS and referer spoofing submitted to secure@microsoft.com after August 4, 2016 will be retroactively rewarded
    • Bounty payouts will range from $500 USD to $15,000 USD
    • If a researcher reports a qualifying vulnerability already found internally by Microsoft, a payment will be made to the first finder at a maximum of $1,500 USD
    • Vulnerabilities must be reproducible on the latest Windows Insider Preview (Slow track)
    • All security bugs are important to us and we request you report all Microsoft Edge browser security bugs to secure@microsoft.com

    For the latest information on new Windows features included in the Insider Previews, please visit the Windows 10 Insider Program Blog.

    As always, the most up-to-date information about the Microsoft Bounty Programs can be found at https://aka.ms/BugBounty and in the associated terms and FAQs.

    Akila Srinivasan and Crispin Cowan

Security Engineering Evolution in Office 2016 for Mac
https://blogs.technet.microsoft.com/srd/2016/09/28/security-engineering-evolution-in-office-2016-for-mac/
Wed, 28 Sep 2016 13:44:18 +0000

    Security is a critical component in all our products at Microsoft. An emphasis on strong security starts at the beginning of all our work, including threat modelling as part of the design process and the consideration of Apple’s own security recommendations for our products on Apple’s platforms. As an example of this approach, I’d like to share some of the work we’re doing to help secure Mac Office 2016.

    For Mac Office 2016 and the Office 365 subscription system, we keep our tooling system “evergreen”. With Mac Office 2016, we ship an update every month and test and adopt the latest versions of Xcode and its internal tools as they are released. We mitigate the risks of compiler changes with extensive automated testing. We have a farm of hundreds of Mac Minis that run tens of thousands of scenario-based tests every day, and we investigate every failure or unexpected behavior change that the automation system reports.

    We augment our automated scenario testing with static analysis of our code wherever possible, and we include input fuzzing with intentionally corrupted files and data to identify improper expectations in our code. Across all of Office we are investing in ever-more-intelligent fuzzing tools and running them on a continuous basis. This drives better data validation, particularly in older code, and makes applications more stable and secure.

    By using the latest toolchain we get the security benefits from compiler improvements. These updates constantly bring new code warnings; we enable them all by default and treat warnings as errors. This improves our code quality with every new compiler release. Not all compiler warnings imply a security problem, but those that do trigger errors that we work to fix immediately. We also look for new optional compiler security features (such as -fstack-protector and -D_FORTIFY_SOURCE=2) in each release and turn them on. The toolchain updates bring new macOS and iOS SDKs with annotations for new APIs as well as deprecated or insecure APIs in the OS. We take those annotations seriously and update our code to remove the use of the latter.

    Xcode 7 introduced a new tool called the Address Sanitizer (ASan). This tool can help identify bugs with potential security ramifications; however, it requires more memory than a non-ASan build and isn’t practical for large 32-bit applications. Mac Office 2016 is now 64-bit, and we produce an internal ASan-instrumented build daily and run it through the same automation tests as the regular product. Any ASan issue that the automation system discovers becomes a bug report to be investigated and resolved.

    We also make security improvements beyond the code changes forced by the new toolchain or by the 64-bit transition. We re-engineered the Office suite to use executable memory pages only where necessary, and we maintain a blacklist of APIs that are considered inherently insecure or that allow insecure coding practices. We routinely audit the codebase to ensure that none of these APIs are used. We also build our applications with Position-Independent Execution enabled. With that flag, with our minimum supported OS of 10.10, and with all our Office applications for Mac now being 64-bit, macOS can apply Address Space Layout Randomization to our apps as another layer of defense.
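As an added example (not Microsoft's own tooling), the following script shows one way the banned-API audit described above can be automated for C/C++ sources: it strips comments and string literals so that a mere mention of an API in a comment is not a finding, matches whole identifiers followed by "(" against a blacklist, and reports each call site with a suggested replacement. The blacklist entries, the replacements and the sample source tree are constructed assumptions, not Microsoft's list.

```python
"""Banned-API audit for C/C++ sources (added example, not Microsoft's tooling).

Strip comments and string/char literals, then match whole identifiers that are
followed by '(' against an assumed blacklist and report every call site with a
suggested safer replacement. The blacklist, the replacements and the sample
source tree below are assumptions constructed for illustration.
"""
import re
from typing import Dict, List, NamedTuple

# Assumed blacklist: API name -> suggested replacement.
BANNED: Dict[str, str] = {
    "gets": "fgets with an explicit buffer size",
    "strcpy": "strlcpy, or snprintf with an explicit bound",
    "strcat": "strlcat",
    "sprintf": "snprintf",
    "vsprintf": "vsnprintf",
    "system": "posix_spawn with an argv vector (no shell)",
}


class Finding(NamedTuple):
    path: str
    line: int
    api: str
    replacement: str


# Comments and string/char literals. Each match is replaced by as many
# newlines as it contained, so reported line numbers stay correct.
_STRIP_RE = re.compile(
    r"//[^\n]*"                 # line comment
    r"|/\*.*?\*/"               # block comment, possibly multi-line
    r'|"(?:\\.|[^"\\\n])*"'     # string literal
    r"|'(?:\\.|[^'\\\n])*'",    # character literal
    re.DOTALL,
)

# An identifier followed by '(' that is not a member access (x.f, p->f)
# and not the tail of a longer identifier (strncpy must not match strcpy).
_CALL_RE = re.compile(r"(?<![A-Za-z0-9_.>])([A-Za-z_][A-Za-z0-9_]*)\s*\(")


def _strip_comments_and_literals(src: str) -> str:
    return _STRIP_RE.sub(lambda m: "\n" * m.group(0).count("\n"), src)


def audit_source(path: str, src: str) -> List[Finding]:
    """Return every banned call site in one translation unit."""
    findings: List[Finding] = []
    for lineno, line in enumerate(_strip_comments_and_literals(src).splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # preprocessor lines (includes, defines) are not call sites
        for m in _CALL_RE.finditer(line):
            name = m.group(1)
            if name in BANNED:
                findings.append(Finding(path, lineno, name, BANNED[name]))
    return findings


def audit_tree(files: Dict[str, str]) -> List[Finding]:
    """Audit a whole source tree given as {path: contents}, in path order."""
    out: List[Finding] = []
    for path in sorted(files):
        out.extend(audit_source(path, files[path]))
    return out


def format_report(findings: List[Finding]) -> List[str]:
    return [f"{f.path}:{f.line}: banned API '{f.api}' -> use {f.replacement}"
            for f in findings]


# Constructed sample tree: two translation units with a mix of clean and
# banned calls, plus decoys in a comment and a string literal.
SAMPLE_TREE: Dict[str, str] = {
    "src/parse.c": """#include <stdio.h>
#include <string.h>
/* strcpy is only mentioned here, in a comment */
static const char banner[] = "strcpy(should, not, match)";
void copy_name(char *dst, size_t n, const char *src) {
    strncpy(dst, src, n - 1);   /* bounded: not on the blacklist */
    dst[n - 1] = 0;
    strcpy(dst, src);           /* banned */
}
int fmt(char *out, int v) { return sprintf(out, "%d", v); }
""",
    "src/util.c": """#include <stdlib.h>
int run(const char *cmd) { return system(cmd); }
""",
}

if __name__ == "__main__":
    for report_line in format_report(audit_tree(SAMPLE_TREE)):
        print(report_line)
```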

    Although it is optional for macOS applications, we also turn on the macOS sandbox for our applications. Opting into the sandbox adds yet another roadblock for nearly every threat we evaluate, making exploits more difficult. We consider this a best practice for Mac applications. The sandbox changes how the applications interact with the OS, requiring us to revisit several existing Office features to make them sandbox-compliant and still leverage the capabilities of the full Office suite.

    These security improvements apply to the latest versions of our applications. Our automatic update tool itself benefits from almost every improvement listed above. Every update package is signed by Microsoft and that signature is verified every time a package is downloaded. We are routinely improving the user experience to reduce the effort to install updates and make it an invisible action that completes automatically. This encourages our users to always have the most secure application version installed.

    Putting all these changes together makes Office 2016 for the Mac our most secure version yet. We turn on stricter compiler security features at compile time, we build and link expecting ASLR to locate us randomly in memory at boot, we audit for insecure APIs and ban them from the codebase, we fuzz input to verify data parsing, we disallow heap-execution, we opt into the macOS sandbox, we look for possible security flaws at runtime with the Address Sanitizer, and we make it more likely for users to have the latest security updates. All of this places a very tall set of hurdles in front of possibly-nefarious code, helping to protect your applications, your data, and your Mac.

    Erik Schwiebert, Principal Software Engineer, Office for Mac
    Accessibility standards helping organizations be inclusive and compliant
    https://blogs.msdn.microsoft.com/accessibility/2016/09/19/accessibility-standards-helping-organizations-be-inclusive-and-compliant/
    Mon, 19 Sep 2016 18:21:34 +0000

    Today, Microsoft Europe shared an update on the exciting momentum happening on emerging global accessibility standards, such as ETSI EN 301 549 (EN), across Europe and beyond. You can read more about it on our EU Policy Blog.

    If you are an organization looking for information about how Microsoft’s products conform to accessibility standards, be aware that Microsoft has recently published conformance statements describing how our products meet the EN 301 549 and WCAG standards, in addition to the conformance statements we have previously self-reported against US Section 508 standards.

    MSRT September 2016 release feature: Prifou
    https://blogs.technet.microsoft.com/mmpc/2016/09/13/msrt-september-2016-release-feature-prifou/
    Wed, 14 Sep 2016 00:38:03 +0000

    As part of our ongoing effort to provide better malware protection, the Microsoft Malicious Software Removal Tool (MSRT) release this September includes detections for:

    This blog discusses BrowserModifier:Win32/Prifou (Prifou). Windows Defender detects this threat because it limits your choice and control over your browser and operating system. The unwanted behaviors are detailed in Microsoft’s objective criteria on detecting unwanted software and malicious behavior:

    • Lack of choice:
      • The threat bypasses your consent options from the browser or operating system.
      • The threat fails to clearly indicate when it is active, and may attempt to hide or disguise its presence.
    • Lack of control:
      • The threat does not use the browser’s supported extensibility model for installation, execution, disabling, and removal.
      • The threat prevents or limits you from viewing or modifying browser features or settings.
      • The threat modifies or manipulates webpage content without your consent.

    Distribution

    Prifou is mainly distributed by software bundlers. A software bundler, in the context of unwanted-software analysis, installs unwanted software on your PC at the same time as the legitimate software that you are trying to install, without adequate consent.

    In the last two months, we have seen around 6.8 million machines infected by this threat.

    Figure 1: This heatmap shows the geographical spread of Prifou-infected machines.

    Symptoms

    Displays advertisements

    Like most browser modifiers and adware, this threat makes money from advertisement-driven site visits. It displays ads for products, usually at discounted or lower prices, related to the product the user is searching for on other online shopping websites.

    Earlier versions of this threat added an extension to the browser. Browser extensions can be viewed, enabled, disabled and removed from the browser. This gives you full control over the browser extensions. But this threat automatically enables the extension that it adds and bypasses your choice and control.

    Example of extensions added:

    Figure 2: Screenshot of the threat as it displays as PriceFountain in the Toolbars and Extensions section of the Manage Add-ons page.

    However, we have seen a new version of this threat that injects ads directly into your browser’s process and no longer installs a browser extension. This version does not use the supported browser extensibility model, and it hides its presence from the user, restricting the user’s control over it.

    We have seen it display ads in the following browsers:

    • Internet Explorer
    • Mozilla Firefox

    Note: During our tests, it did not display ads when using Microsoft Edge or Google Chrome.

    The advertisements carry the attribute name “Price Fountain”. Injecting the ads slows down the user’s browsing experience, so the webpages the user visits may take additional time to load.

    See some of the advertisement samples below:

    From Internet Explorer:

    Figure 3: Screenshot of Prifou ads as displayed in Internet Explorer.

    From Mozilla Firefox:

    Figure 4: Screenshot of Prifou ads as displayed in Mozilla Firefox.

    Adds scheduled tasks

    This threat also adds two scheduled tasks to your PC without your consent:

    • One automatically executes the threat every time you log into the infected machine.
    • One checks for and downloads updates (if available) every hour.

    Example of scheduled tasks added:

    Earlier version:

    Figure 5: Screenshot of the scheduled tasks that Prifou adds in its earlier variants.

    New version:

    Figure 6: Screenshot of the scheduled tasks that Prifou adds in its recent variants.

    Adds uninstallation entry

    This threat also adds two uninstallation entries: one for the main program, and the other for the updater component.

    While other browser modifiers add uninstallation entries that do not work, if they add them at all, we have tested the following Prifou uninstallation entries and observed that they do remove the threat from the infected machine.

    See the screenshot of the uninstallation entries:

    Figure 7: The PriceFountain uninstallation entries; you can use them to remove the software from your PC as soon as you see them.

    Prevention and detection

    To help stay protected:

    Related information

    See How Microsoft antimalware products identify malware: unwanted software and malicious software for the objective criteria details.

    For additional information about what browser extensibility models are, and why we require programs to use them, see our previous blogs:

    James Patrick Dee

    MMPC

    September 2016 security update release
    https://blogs.technet.microsoft.com/msrc/2016/09/13/september-2016-security-update-release/
    Tue, 13 Sep 2016 17:01:57 +0000

    Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released.

    More information about this month’s security updates and advisories can be found in the Security TechNet Library.

    MSRC Team

    Announcing a Microsoft .NET Core and ASP.NET Core Bug Bounty
    https://blogs.technet.microsoft.com/msrc/2016/09/01/announcing-an-ongoing-microsoft-net-core-and-asp-net-core-bug-bounty/
    Fri, 02 Sep 2016 01:00:17 +0000

    It’s our pleasure to announce another exciting expansion of the Microsoft Bounty Programs. Today, we will be adding .NET Core and ASP.NET Core to our suite of ongoing bounty programs. We are offering a bounty on the Windows and Linux versions of .NET Core and ASP.NET Core starting on September 1, 2016. The program highlights are:

    • Microsoft will pay a bounty for critical and important vulnerabilities on the latest RTM version, or supported Beta or RC releases of the latest versions, of Microsoft .NET Core and ASP.NET Core
    • It includes vulnerabilities in the default ASP.NET Core templates provided with the ASP.NET Web Tools Extension for Visual Studio 2015 or later
    • Also included is Kestrel, Microsoft’s new web server
    • The supported platforms are Windows and Linux versions of .NET Core and ASP.NET Core
    • The vulnerability must both be submitted on and reproduce on the latest RTM version, or on supported Beta or RC releases above the current RTM version to qualify for a bounty
    • The better the quality of your report, the greater will be the payment
    • The bounty will begin on September 1, 2016 and run indefinitely (ending at Microsoft’s discretion)
    • Bounty payouts will range from $500 USD to $15,000 USD

    You can install the current RTM version and subsequent betas from https://dot.net/

    This new bounty is in addition to our currently ongoing Microsoft Edge RCE, Online Services, and Mitigation Bypass and Bounty for Defense bounty programs. These additions are part of the rigorous security programs at Microsoft. Bounties are worked alongside the Security Development Lifecycle (SDL), the Operational Security Assurance (OSA) framework, regular penetration testing of our products and services, and security and compliance accreditations by third-party audits.

    As always, the most up-to-date information about the Microsoft Bounty Programs can be found at https://aka.ms/BugBounty and in the associated terms and FAQs.

    Happy hacking!

    Jason Shirk and Akila Srinivasan

    BlueHat v16 Schedule Announced
    https://blogs.technet.microsoft.com/bluehat/2016/09/01/bluehat-v16-schedule-announced/
    Thu, 01 Sep 2016 20:47:46 +0000

    Over the summer we had an overwhelming response to our BlueHat v16 call for papers. We would like to give a special thanks to all who submitted papers for consideration. The range and quality of content was exceptional. So with that, today we are happy to announce our schedule for the general audience portion of the conference.

    Thursday, November 3rd, 2016

    General Audience

    TRACK | Time | Speaker | Company | Talk Subject
    Keynote | 9:00 – 9:50 AM | David Kennedy | TrustedSec/Binary Defense Systems | The Security Monty Python and the Holy Grail
    Track 1 – Opening | 10:00 – 10:50 AM | Alex Weinert, Dana Kaufman | Microsoft | Identity Protection at scale – A Year in the Trenches with Microsoft Identity Protection team
    Track 1 – Opening | 11:00 – 11:50 AM | Daniel Edwards, Stirling McBride | Microsoft | What is Threat Intelligence?
    Track 1 – Threat Landscape | 1:00 – 1:50 PM | Peter Hlavaty | Tencent | You didn’t see it’s coming? “Dawn of hardened Windows Kernel”
    Track 1 – Threat Landscape | 2:00 – 2:50 PM | Genghis Karimov | Microsoft | Win32k Security Improvements: Past & Present
    Track 1 – Threat Landscape | 3:00 – 3:50 PM | Jessy Campos | ESET | Visiting the Bear Den
    Track 1 – Threat Landscape | 4:00 – 4:50 PM | Cooper Quintin | Electronic Frontier Foundation | I Got a Letter From the Government the Other Day… Unveiling a Campaign of Intimidation, Kidnapping, and Malware in Kazakhstan

    Friday, November 4th, 2016

    General Audience

    TRACK | Time | Speaker | Company | Talk Subject
    Track 1 – The Cloud | 9:00 – 9:50 AM | Satoshi Tanda | Crowdstrike | Hypervisors in Your Toolbox: Monitoring and Controlling System Events with HyperPlatform
    Track 1 – The Cloud | 10:00 – 10:50 AM | Saruhan Karademir | Microsoft | Breaking Things Early: Designing Secure Containers
    Track 1 – The Cloud | 11:00 – 11:50 AM | Pete Loveless, Fred Aaron | Microsoft | In-memory compromise detection as an Azure service
    Track 1 – The Cloud | 11:30 – 11:55 AM | Michael Scovetta, Jan Vandenbos | Microsoft | Security of Open Source at Microsoft
    Track 1 – Exploit, Parry, Strike | 1:00 – 1:50 PM | Haifei Li | Intel Security | Analysis of the Attack Surface of Microsoft Office from User’s Perspective
    Track 1 – Exploit, Parry, Strike | 2:00 – 2:50 PM | Yunhai Zhang | NSFOCUS | How to Avoid Implement An Exploit Friendly JIT
    Track 1 – Exploit, Parry, Strike | 3:00 – 3:50 PM | Daniel Bohannon | Mandiant | Invoke-Obfuscation: Powershell obFUsk8tion Techniques & How To (Try To) D””e’Tec’T ‘Th’+’em’
    Track 1 – Exploit, Parry, Strike | 4:00 – 4:50 PM | David Weston, Matt Miller, Peleus Uhley | Microsoft/Adobe | A Year of Hardening Adobe Flash Player
    Track 2 – Discovery | 9:00 – 9:50 AM | Alex Ionescu | Crowdstrike | Gaining Visibility into Linux Binaries on Windows – How to defend and understand WSL
    Track 2 – Discovery | 10:00 – 10:50 AM | Andrea Allievi, Richard Johnson | Microsoft/Cisco Systems | Harnessing Intel Processor Trace on Windows for Vulnerability Discovery
    Track 2 – Discovery | 11:00 – 11:25 AM | Casey Smith | Veris Group ATD | Trusted Things That Execute
    Track 2 – Discovery | 11:30 – 11:55 AM | John Booth | Microsoft | Detecting Malicious Masquerading Processes
    Track 2 – Landscape Reaction | 1:00 – 1:50 PM | Michiko Short | Microsoft | Windows Credential Protections: Where are we now?
    Track 2 – Landscape Reaction | 2:00 – 2:50 PM | Stephen Hufnagel, Sven Groot | Microsoft | Windows Subsystem for Linux (WSL)
    Track 2 – Landscape Reaction | 3:00 – 3:25 PM | Jon DeHart | Microsoft | Redesigning the Edge with Just-In-Time Network Access
    Track 2 – Landscape Reaction | 3:30 – 3:55 PM | Marianne Malle, Patrick Estavillo | Microsoft | Ransomware Threat Landscape and Retrospect
    Track 2 – Landscape Reaction | 4:00 – 4:50 PM | David Molnar | Microsoft | Fuzzing Cloud “Project Springfield”

    Planning for the conference is well underway. This time around we have secured a little more space so that we can accommodate even more participants. For external community members this is an invite-only conference. The initial round of external invites will go out later today with details on how to register and the timeframe for response. The registration site is live for external participants.

    Keep watching here for more updates as we get closer to the event.

    Thursday, November 3rd, 2016 | General Audience

    KEYNOTE

    9:00 – 9:50 AM | David Kennedy | TrustedSec and Binary Defense Systems

    The Security Monty Python and the Holy Grail

    In Monty Python, the search is clear – find the Holy Grail that can solve all of the world’s problems and bring world peace. While a comedy, we face the same issues with security. Today, the search continues for the Holy Grail of security. The way to defeat or make it significantly more difficult for attackers. Attackers hoard attack methods, researchers are releasing new bypass methods, users continue to click, and we still see an elevated rate of compromise. This talk focuses on the offensive and defensive strategies that work for both sides (the red and the blue). We dive into methods of how attacks today still continue to work, look at social-engineering methods, and look at what actually prevents us from getting into organizations.

    The time is right for the red and blue to come together to pave a way for purple and the way to the Holy Grail.

    Track 1 – Opening

    10:00 – 10:50 AM | Alex Weinert and Dana Kaufman | Microsoft

    Identity Protection at scale – A Year in the Trenches with Microsoft Identity Protection team

    Microsoft is one of the largest identity providers in the world. Between Microsoft account, Microsoft’s consumer system which supports Outlook, Xbox, OneDrive, and more; and Azure Active Directory, which supports virtually all enterprise identity deployments, Microsoft’s Identity team supports more than 2B identities in every market and services over 14B logins every day. The Identity Protection team is responsible for ensuring that access is granted only to account owners, and that those account owners are not fraudsters. In this session, we’ll provide an overview of the protection systems in play, including our new Azure Active Directory Identity Protection product, how we see fraudsters adapting to different protection systems, and industry trends in a world where high-stakes attacks meet high-tech adaptive countermeasures. We’ll punctuate the talk with a few scary stories from the front lines, and our forecast for the future of identity protection.

    11:00 – 11:50 AM | Daniel Edwards and Stirling McBride | Microsoft

    What is Threat Intelligence?

    The new buzzword on the street is Threat Intelligence. What exactly is threat intelligence? How does a piece of data go from ordinary data to threat intelligence? This talk will first walk you through the process of taking data and producing Threat Intelligence and then how one might integrate such a data source into their service.

    Track 1 – Threat Landscape

    1:00 – 1:50 PM | Peter Hlavaty | Tencent

    You didn’t see it’s coming? “Dawn of hardened Windows Kernel”

    For the past few years our team has been focusing on different operating systems, including the Microsoft Windows kernel. Honestly, our first pwn of the Windows kernel was not that challenging: a number of available targets with a friendly environment for a straightforward pwn, from user up to reliable kernel code execution.

    However, step by step, security policies continue to evolve, and it becomes more troublesome to choose an ideal attack surface from various sandboxes. In addition, what steps to follow for digging security holes is highly dependent upon the chosen target. In general, a few common strategies are available for researchers to choose from: e.g. choose an “unknown” one which hasn’t been researched before; select a well-fuzzed or well-audited one; or research kernel module internals to find “hidden” attack surfaces which are not explicitly interconnected. In the first part of the talk we introduce our methodology of selecting, alongside the cost of tricks to choose seemingly banned targets, illustrated by notable examples.

    After getting hands on a potential bug available from the targeted sandbox, it is time for Microsoft Windows hardening efforts to put the attacker into a corner. Strong mitigations are being introduced more frequently than ever, with a promising direction that cuts lots of attack surface off, and several exploitation techniques being killed. We will show the difficulties of developing universal exploitation techniques, and demonstrate the needed technical level depending on the code quality of the target. We will examine how different it becomes with the era of Redstone and following versions, even with those techniques and a good vulnerability in hand. How it changed the attacker landscape and how it will (and will not) kill those techniques and applications. However, will it really change the game or not?

    2:00 – 2:50 PM | Genghis Karimov | Microsoft

    Win32k Security Improvements: Past & Present

    Win32k is a large subsystem of the Windows OS responsible for UI, graphics and input tasks. Having been part of most Windows releases, from Windows 3.x to Windows 10, the Win32k subsystem teaches a unique lesson in managing a large codebase through its natural growth, from the perspective of reliability and security. This talk chronicles the codebase throughout the major releases; how macro and micro design decisions within the component translate to security risk; and what famous attacks Win32k vulnerabilities were leveraged for. Most of the discussion will be dedicated to a technical overview of Win32k-specific vulnerabilities and the mitigations for them.

    3:00 – 3:50 PM | Jessy Campos | ESET

    Visiting the Bear Den

    Sednit, a.k.a. Fancy Bear/APT28/Sofacy, is a group of attackers operating since at least 2006 whose main objective is to steal confidential information from specific targets. Over the past two years, this group’s activity has increased significantly, in particular with numerous attacks against foreign affairs ministries and embassies all over the world. Technically speaking, Sednit is probably one of the best espionage groups out there. Not only have they created a complex software ecosystem (composed of tens of different components), but they also regularly come out with 0-day exploits. Also remarkable is their ability to very quickly integrate newly published techniques into their toolkit. This talk presents the results of a two-year hunt after Sednit, during which we dug up and analyzed much of their software. In particular, we will delve into the technical details of their most impressive components:

    • DOWNDELPH, a mysterious downloader deployed in rare cases and with advanced persistence methods. In particular, we found a Windows bootkit dropping this component, and also a Windows rootkit, both never documented.
    • XTUNNEL, a network proxy tool able to transform an infected machine into a pivot to contact computers normally unreachable from the Internet. Heavily obfuscated, and based on a custom encrypted protocol, XTUNNEL is a major asset in Sednit post-infection toolkit.
    • XAGENT, the flagship Sednit backdoor, for which Windows, Linux and iOS versions have been developed. Built as a modular framework around a so-called “kernel”, it allows building flexible backdoors with, for example, the ability to switch between various network protocols.
    • SEDKIT, a full-fledged exploit-kit, which depending on the target’s configuration may drop 0-day exploits or revamped exploits.

    During our tracking, we also gained great visibility into the Sednit post-infection modus operandi, a world full of Mimikatz and various custom hacking tools.

    4:00 – 4:50 PM | Cooper Quintin | Electronic Frontier Foundation

    I Got a Letter From the Government the Other Day… Unveiling a Campaign of Intimidation, Kidnapping, and Malware in Kazakhstan

    This report covers a campaign of phishing and malware which we have named “Operation Manul” and which, based on the available evidence, we believe is likely to have been carried out on behalf of the government of Kazakhstan against journalists, dissidents living in Europe, their family members, known associates, and their lawyers. Many of the targets are involved in litigation with the government of Kazakhstan in European and American courts whose substance ranges from attempts by the government of Kazakhstan to unmask the administrators behind an anonymous website that publishes leaks alleging government corruption (Kazaword) to allegations of kidnapping.

    Our research suggests links between this campaign and other campaigns that have been attributed to an Indian security company called Appin Security Group. A hired actor is consistent with our findings on the Command and Control servers related to this campaign, which included web-based control panels for multiple RATs, suggesting that several campaigns were being run at once. A hired actor may also explain the generic and uninspired nature of the phishing, which often took the form of an email purporting to contain an invoice or a legal document with an attachment containing a blurry image. This talk will cover the report in detail. We will also go into detail about the often low-tech, unsophisticated attack methods which are commonly used against journalists and dissidents, and what security researchers and defenders at Microsoft and elsewhere can do to stop these sorts of attacks and keep people safe from authoritarian governments.

    Friday, November 4th, 2016 | General Audience

    Track 1 – The Cloud

    9:00 – 9:50 AM | Satoshi Tanda | Crowdstrike

    Hypervisors in Your Toolbox: Monitoring and Controlling System Events with HyperPlatform

    Virtualization software has been extensively used for security research, and countless analysis systems based on virtualization technology (VT) have been invented over more than a decade. Regardless, there is no suitable hypervisor as a platform to develop such VT-based analysis systems on Windows. Lightweight hypervisors for Windows lack support for modern platforms, and comprehensive, consumer-oriented hypervisors and emulators are either overly intricate to quickly take advantage of VT or excessively slow for day-to-day usage.

    This talk presents HyperPlatform, a thin hypervisor designed as a VM-exit filtering platform for Windows. Using Intel VT-x and extended page tables, this platform provides researchers the ability to flexibly handle a new class of system events and rapidly implement hypervisor-based tools with high compatibility and efficiency. This talk will also introduce some HyperPlatform-based tools, with live demos against real exploits demonstrating various example application scenarios of HyperPlatform.

    10:00 – 10:50 AM | Saruhan Karademir | Microsoft

    Breaking Things Early: Designing Secure Containers

    In Windows Server 2016, we introduced Windows Server Containers – a modern way to deploy software. This allows our internal and external customers to leverage the Windows platform in the new ‘cloud’ architecture model of microservices and continuous integration. Along with Windows Server Containers, we also introduced Hyper-V Containers, which have a strictly enforced isolation boundary that’s purpose-built for hostile multi-tenant scenarios. Hosting and utilizing containers is a large part of Azure’s future strategy, including components such as the Azure Container Service and AzureML. The Windows Container platform also lays the foundation of many future features in client and server Windows. Because of the critical nature of this feature, WDG Security Assurance embedded its members into the development process of Windows Containers. This new approach integrated security knowledge into the design and implementation of the features themselves, moving the bar for how security teams should collaborate with feature teams.

    In this talk, we will discuss the architecture of Windows Containers and highlight the differences between Hyper-V Containers and Windows Server Containers. This will include a comparison of the threat model between the two flavors as well as a deeper look at the changes made to Hyper-V. In addition, we will present the details about our embedded security partnership with the feature teams that helped build Containers. We will show the resulting impact of this collaboration by diving into specific design changes. This will include changes in the user model of Windows Containers as well as the Xenon storage subsystem.

    11:00 – 11:50 AM | Pete Loveless and Fred Aaron | Microsoft

    In-memory compromise detection as an Azure service

    Security analysis of Azure crash dumps is a new Azure threat detection service, and in this talk we’ll explore some of the most sophisticated malware it’s found. We’ll present an overview of how our service runs in Azure, and explain where the dumps we’re analyzing come from. We’ll explain in detail some of the key behavioral attributes our service looks for in order to detect malicious activity, for example: PEB locator functionality used in shellcode to access core Windows APIs, reflective injection using reflective loaders, custom PE or stripped MZ headers, and process hollowing. We’ll describe a few examples of malware we’ve found that demonstrate the very behaviors and attributes our service is designed to detect. Finally, we’ll discuss ways in which the security community can collaborate with us to help us build even better detections that help Azure and Azure customers defend against security threats.

    11:30 – 11:55 AM | Michael Scovetta and Jan Vandenbos | Microsoft

    Security of Open Source at Microsoft

    Microsoft uses a vast and increasing number of open source components to deliver products and services to customers. These components provide enormous value, but introduce some significant security risk. During this session, we’ll cover the following challenges and how we’re addressing them:

    • How exposed are Microsoft products and services to vulnerabilities present in open source components?
    • What security work should engineers be doing when using open source?
    • Which metrics can be used to indicate the risk inherited when using an open source component?
    • How well do available security tools find actionable vulnerabilities?
    • How can machine learning and related approaches be used to identify security risk across many projects, including detection of intentional backdoors in open source components?
    • How do we handle responsible disclosure when critical vulnerabilities are found in open source components?

    We’ll conclude with a demo of some tooling available today and present a few of the notable vulnerabilities found through the processes created.

    Track 1 – Exploit, Parry, Strike

    1:00 – 1:50 PM | Haifei Li | Intel Security

    Analysis of the Attack Surface of Microsoft Office from User’s Perspective

    In this presentation, I will talk about the unexplored attack surface on Microsoft Office from real-world user’s perspective. Specifically, I will examine the real-world scenarios about how an Office-based threat is delivered into a personal computer or an organization, and what could happen when an Office file is opened. I will also share the details of the weird issues I’ve found, as case studies. I hope this talk will shed some light on a better, practical security detection & defense against Office-based threats, which is quite important for the overall enterprise security.

    2:00 – 2:50 PM | Yunhai Zhang | NSFOCUS

    How to Avoid Implement An Exploit Friendly JIT

    JIT compilation is widely used in modern software to improve performance. For example, all popular web browsers implement JIT compilation in their JavaScript engines. So, are those implementations of JIT compilation secure enough? The answer seems to be NO. This talk will discuss several mitigation bypass techniques that abuse JIT compilation for exploitation. After demystifying the details of each technique, some guidelines will be proposed based on the root cause of those issues.

    3:00 – 3:50 PM | Daniel Bohannon | Mandiant

    Invoke-Obfuscation: Powershell obFUsk8tion Techniques & How To (Try To) D””e’Tec’T ‘Th’+’em’

    The very best attackers hide their PowerShell commands from A/V and application whitelisting technologies using encoded commands and memory-only payloads. These techniques thwart Blue Teams from determining what was executed on a target system. However, network defenders are catching on, and state-of-the-art detection tools now monitor the command line arguments for powershell.exe either in real-time or from event logs.

    This talk will highlight a dozen never-before-seen techniques for obfuscating PowerShell command line arguments. As an incident responder at Mandiant, I have seen attackers use a handful of these methods to evade basic command line detection mechanisms. As I share these techniques I will emphasize the value each technique provides the attacker. Next, I will introduce three new layers of obfuscation that can be applied independently or collectively to any PowerShell command. These layers include: 1) directly manipulating PowerShell and .Net cmdlets, functions and arguments, 2) string manipulation applied to single commands or entire scripts, and 3) PowerShell command input parameters that enable one to hide command line arguments from appearing for powershell.exe.

    Updated PowerShell event logging mitigates many of the detection challenges that obfuscation introduces. However, many organizations do not or cannot enable these features. Therefore, I will provide techniques the Blue Team can use to detect the presence of these obfuscation methods in command line arguments. I will also highlight methods using C# within powershell.exe that enable the attacker to execute .Net functions without being recorded in PowerShell event logs. Additionally, I will discuss ways to perform remote downloads via SendKeys and ComObjects. I will conclude this talk by highlighting the public release of Invoke-Obfuscation.ps1. This tool applies the aforementioned obfuscation techniques to user-provided commands and scripts to evade command line detection mechanisms.

    4:00 – 4:50 PM | David Weston, Matt Miller and Peleus Uhley | Microsoft/Adobe

    A Year of Hardening Adobe Flash Player

    Adobe Flash Player has become a preferred target for browser-based attacks over the past year and a half. In response to this shift, Adobe, Microsoft, and Google have collaborated on hardening Adobe Flash Player to make it more difficult for attackers to find and exploit Flash Player vulnerabilities. In this presentation, we’ll analyze the timeline and trends related to attacks against Flash Player and describe the hardening improvements that have been made along the way. We’ll show how attackers have responded to these improvements and conclude with a summary of what the landscape looks like today.

    Track 2 – Discovery

    9:00 – 9:50 AM | Alex Ionescu | Crowdstrike

    Gaining Visibility into Linux Binaries on Windows – How to defend and understand WSL

    The release of the Windows Subsystem for Linux (WSL) brings exciting new changes to the Windows ecosystem: the ability to run unmodified Linux ELF binaries in an environment that provides a 75%+ system call compatibility layer with the Linux kernel API/ABI, access to sockets, the file system, pipes, and a private driver/IPC bus mechanism, all while leveraging the Drawbridge “Pico Process” research. At the same time, today’s defense products and engines are not adapted to this reality. Forensically difficult to understand, poorly internally documented outside of some technical blog posts, and unusual-by-design (ELF binaries utilizing a kernel driver for I/O, leveraging poorly understood NTFS features), WSL is a great place for future attackers to invade, if the blue team doesn’t get there first.

    This presentation will expose some of the difficulties in dealing with WSL processes for forensics, IR, and endpoint detection and response. It will also call out certain undisclosed risks and actual vulnerabilities, regarding file system EoP attacks, mitigation bypasses, system call vulnerabilities, and bugs regarding Windows handle usage. As future Windows releases increase the capabilities of WSL, it’s important to address these issues systematically with fuzzing, SDL processes, and a better understanding of the risks and interactions between NT and Linux. Finally, we’ll provide ideas & suggestions for how security-minded vendors and administrators can get some visibility into WSL.

    10:00 – 10:50 AM | Andrea Allievi and Richard Johnson | Microsoft/Cisco Systems

    Harnessing Intel Processor Trace on Windows for Vulnerability Discovery

    This talk will explore Intel Processor Trace, the new hardware branch tracing feature included in Intel Skylake processors. We will explain the design of Intel Processor trace and detail how the current generation implementation works including the various filtering modes and output configurations.

    This year we designed and developed the first open source Intel PT driver for the Microsoft Windows operating system. We will discuss the architecture of the driver and the large number of low level programming hurdles we had to overcome throughout the development of the driver to program the PMU, including registering Performance Monitoring Interrupts (PMI), locating the Local Vector Table (LVT) Performance Monitor timer register, bypassing the TLB and cache through managing physical memory, and more. We will demonstrate the usage of Intel PT in Windows environments for diagnostic and debugging purposes and then discuss how we’ve harnessed this branch tracing engine for guided fuzzing.

    This year we have added the Intel PT tracing mode as an engine for targeting Windows binaries in the widely used evolutionary fuzzer, American Fuzzy Lop. This fuzzer is capable of using random mutation fuzzing with a code coverage feedback loop to explore new areas. Using our new Intel PT driver for Windows, we provide the fastest hardware supported engine for targeting binaries with evolutionary fuzzing. In addition we have added new functionality to AFL for guided fuzzing, which allows users to specify targeted areas on a program control flow graph that are of interest. This can be combined with static analysis results or known-vulnerable locations to help automate the creation of trigger inputs to reproduce a vulnerability without the limits of symbolic execution. To keep performance as the highest priority, we have also created new methods for efficiently encoding weighted graphs into an efficiently comparable bytemap.

    11:00 – 11:25 AM | Casey Smith | Veris Group ATD

    Trusted Things That Execute

    As organizations are embracing the new whitelisting model, it becomes imperative to understand what applications you trust. Solutions such as AppLocker and Device Guard go a long way toward providing increased defense. However, attackers can leverage existing, default, signed tools to execute arbitrary code. This talk will describe multiple utilities that have been discovered to execute code in unexpected ways. The methods we use do not rely on exploitation at all. In fact, they follow recommended patterns for developers. The purpose of this talk is to inform defenders, as well as provide insight into uncovering these patterns at scale.

    11:30 – 11:55 AM | John Booth | Microsoft

    Detecting Malicious Masquerading Processes

    Every year thousands of organizations are victims of cyber-attacks leading to potential misuse of their resources, loss of billions of records and damage to their reputation. The attacker will typically run malicious code on victim machines to collect data, control the machine or for other common purposes. One way to achieve this is to drop a malicious binary with a name similar to that of a common process; the attacker’s intent is to go unnoticed by the analyst’s eye. Another option is to inject malicious code into an existing process, making the malicious code appear to be running as part of a legitimate process. In this talk, we will discuss a method to scan a large amount of Windows process creation event data to detect some of the attacker tactics above. We suggest a scoring model to decide which processes to present to the analyst as suspicious, and show how we’ve applied this work to internal and customer data.

    Track 2 – Landscape Reaction

    1:00 – 1:50 PM | Michiko Short | Microsoft

    Windows Credential Protections: Where are we now?

    To understand how to protect against credential theft & lateral traversal attacks (Pass-the-Hash), we need to understand the conditions required for credential theft. Then it is easy to see how the various Windows and Domain Controller features address various parts of the problem.

    2:00 – 2:50 PM | Stephen Hufnagel and Sven Groot | Microsoft

    Windows Subsystem for Linux (WSL)

    The Windows Subsystem for Linux (WSL) allows for execution of unmodified Linux binaries by emulating a Linux kernel interface on top of the Windows NT kernel. This talk will discuss the security models around WSL and techniques used for security testing. For the security model, we will cover the interaction between traditional Windows processes and processes running in the WSL, how WSL emulates the Linux security model, and how WSL processes interact with devices managed by NT. We will also describe the fuzzers used for testing, pen testing, and vulnerabilities found.

    3:00 – 3:25 PM | Jon DeHart | Microsoft

    Redesigning the Edge with Just-In-Time Network Access

    With the development of built-in application layer security on the rise, so must come advances in network security. The antiquated model of edge based access control via firewall is proving to be more taxing on network administrators and less maintainable as asset footprint increases. In order to combat this, network security must be brought back down to the host layer, and firewalls must be re-engineered to act as central command for users and groups while taking advantage of standard OS security functionality. This talk will conceptually discuss the opportunity to replace edge firewalls with request based ACL changes managed by a centralized logic engine.

    3:30 – 3:55 PM | Marianne Malle and Patrick Estavillo | Microsoft

    Ransomware Threat Landscape and Retrospect

    In 2016 alone, ransomware campaigns have become even more prominent, showing more activity than was seen in the past few years. For this BlueHat session, we will share some key summaries about what has happened in the ransomware threat landscape over the last 10 months, and how it continues to be a growing problem for customers. As part of this, we will focus a portion of the presentation on a deep-dive on top ransomware families which have been steadily on the rise for the past months. We will also explore methods of delivery, variant updates, and behaviors that these threats exhibit. At the end of this talk, we will also share insight about current research and response efforts, as well as future plans on our fight against ransomware versus ransomware infection, how we can mitigate against these threats and recommendations when faced with these types of threats.

    4:00 – 4:50 PM | David Molnar | Microsoft

    Fuzzing Cloud “Project Springfield”

    Fuzzing is an effective method for finding security bugs, but getting results is tricky because it needs expertise, machine power, and process changes to deploy. “Project Springfield” packages Microsoft’s best practices, combined with a decade of research into machine reasoning and “Whitebox fuzzing,” into a cloud service that makes it easy to rapidly deploy fuzzing across an organization. Come hear how Microsoft customers and internal teams have embraced the cloud to gain scale, speed, and unique technology for finding serious security bugs, and how you can do the same. Learn lessons from building and operating a fuzzing platform that aims to help everyone, everywhere, test their security critical code. The talk will start with an overview of the Project Springfield cloud platform, including a demonstration of the web front end and an SDK for integration. The talk will then focus on a guided discussion of future directions for fuzzing – we want to hear from attendees what they need and what would work for them! Attendees will come away with a Project Springfield account to let them experiment with cloud fuzzing at home.

    About BlueHat

    Our sixteenth BlueHat Security Conference is set for November 3-4, 2016 at the Microsoft Conference Center here in Redmond. BlueHat is a unique opportunity for Microsoft engineers and the security community to come together to learn about the current threat landscape and to challenge the thinking and the actions we take in security. This past January saw 1,000 participants from around the world engage in this forum.

    Phillip Misner,

    Principal Security Group Manager, MSRC

    Double-click me not: Malicious proxy settings in OLE Embedded Script
    https://blogs.technet.microsoft.com/mmpc/2016/08/29/double-click-me-not-malicious-proxy-settings-in-ole-embedded-script/
    Tue, 30 Aug 2016 00:31:08 +0000

    Attackers have been using social engineering to avoid the increasing costs of exploitation due to the significant hardening and exploit mitigations investments in Windows. Tricking a user into running a malicious file or malware can be cheaper for an attacker than building an exploit which works on Windows 10. In our previous blog, Where’s the macro, we reviewed how attackers leverage social engineering to misuse the legitimate Office object linking and embedding (OLE) functionality to trick users into enabling and downloading malicious content.

    We recently came across a threat that uses the same social engineering trick but delivers a different payload. Its primary purpose is to change a user’s browser Proxy Server setting which could result in the theft of authentication credentials or other sensitive information. We detect this JScript malware as Trojan:JS/Certor.A.

    What’s not unique is that the malware gets into the victim’s computer when the victim clicks the email attachment from a spam campaign.

    Figure 1: The sample email shows how the threat pretends to be a document (.docx file) from a legitimate company.

    Inside the .docx file is an OLE Embedded Object which runs a script when double-clicked. It tries to mask itself by changing its icon to something that resembles an invoice or receipt.

    Figure 2: The file contains text written in German: Um Quittung zu sehen, klicken Sie zwei Mal auf dem Bild, which translates: “To see a receipt, click twice on the screen.”

    Double-clicking the image runs the JScript that is disguised to appear as a harmless file.

    Figure 3: The JS file typically has file names such as paypal_bestellung.js and post.ch_65481315.js.

    But if the script was executed, it would proceed with its malicious objective which is described in the remainder of this blog post.

    What is in the script?

    The JScript is obfuscated to hide its code and the other script it contains.

    Figure 4: We detect this JScript malware as Trojan:JS/Certor.A

    Upon deobfuscation, the main script code is revealed.

    Figure 5: This is the script that is responsible for dropping and executing its components, and for modifying registry keys related to the browser’s proxy settings.

    The main JScript code contains encrypted PowerShell scripts and its own certificate. The certificate is later used to enable monitoring of HTTPS content and traffic.

    Figure 6: The other script components are decrypted using the above function.

    The following component files would be dropped in the temp folder and executed.

    Figure 7: Sample component files dropped

    The malware carries a certificate of its own (cert.der).

    Figure 8: Sample certificate information from this malware

    Figure 9: Sample certificate details

    Figure 10: Further certificate details

    The threat adds the cert.der file to the certificate store so that it can monitor HTTPS content and traffic.

    Figure 11: A screenshot of the sample certificate added by this threat

    The ps.ps1 file is responsible for making sure the certificate is installed.

    Figure 12: We detect this PowerShell code as Trojan:PowerShell/Certor.A

    The psf.ps1 file is responsible for adding the certificate to the Mozilla Firefox browser. This is necessary because Firefox uses its own certificate store instead of the one provided by the operating system.

    Figure 13: Sample script that the threat used to add the certificate in Firefox

    The pstp.ps1 file is responsible for installing the Tor client, task scheduler and proxifier. This is another malware technique to tamper with the browser’s Proxy Settings.

    Figure 14: Sample script that the threat used to install the Tor client, task scheduler and proxifier

    The main JScript changes the following registry key to modify Internet Explorer’s proxy settings.

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Sets value: AutoConfigURL
    With data: http://pysvonjm6a7idbkz.onion/rejtyahf.js?ip=<host ip address>

    Figure 15: Screenshot of the registry entry that this threat changes

    When the URL is invoked, the following script code is returned. This code suggests that it is redirecting URLs to a specific proxy which may lead to websites hosting phishing and ad campaigns.

    Figure 16: Upon the script deobfuscation, the following readable function is revealed: function FindProxyForURL(url,host){return "DIRECT"}

    At this point the system is fully infected and the web traffic, including HTTPS, can be seen by the proxy server the malware assigned. This enables attackers to remotely redirect, modify and monitor traffic. Sensitive information or web credentials could be stolen remotely, without user awareness.
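The two host-level changes described above, the AutoConfigURL value under HKCU and a certificate added for the current user, are what a responder would check for during triage. The following PowerShell is an added example written for readers of this post; it is not code from the MMPC post or from the malware. The PAC allow-list host is a placeholder, and the user-only root check is a heuristic that assumes the current-user Root view normally mirrors the machine-wide store.

```powershell
# Added example (not from the MMPC post): audit the proxy auto-config URL under HKCU and
# look for trusted roots that exist only for the current user. Intended for triage on a
# single Windows host; run in an ordinary PowerShell session as the affected user.

function Test-ProxyAutoConfig {
    param(
        # Placeholder allow-list: replace with the PAC hosts your organisation actually uses.
        [string[]]$AllowedPacHosts = @('pac.corp.example')
    )
    $inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $pacUrl  = (Get-ItemProperty -Path $inetKey -Name AutoConfigURL -ErrorAction SilentlyContinue).AutoConfigURL
    if (-not $pacUrl) { return }    # no PAC script configured for this user

    $uri = $null
    if (-not [System.Uri]::TryCreate($pacUrl, [System.UriKind]::Absolute, [ref]$uri)) {
        return [pscustomobject]@{ Check = 'AutoConfigURL'; Value = $pacUrl; Reason = 'unparseable URL' }
    }
    # Each indicator below matches something visible in the registry value shown above.
    $reasons = @()
    if ($uri.Host -like '*.onion')                  { $reasons += 'Tor hidden-service host' }
    if ($uri.Host -match '^\d{1,3}(\.\d{1,3}){3}$') { $reasons += 'raw IP address as PAC host' }
    if ($uri.Query -match '(^\?|&)ip=')             { $reasons += 'PAC URL carries the client IP (per-victim script)' }
    if ($AllowedPacHosts -notcontains $uri.Host)    { $reasons += 'host not on the PAC allow-list' }
    if ($reasons) {
        [pscustomobject]@{ Check = 'AutoConfigURL'; Value = $pacUrl; Reason = ($reasons -join '; ') }
    }
}

function Get-UserOnlyRootCertificate {
    # Heuristic: the current-user Root view normally includes the machine Root store, so a
    # thumbprint present only on the user side was imported for this user, which is how a
    # script running in the user's context (like ps.ps1 above) would add one.
    $machine = (Get-ChildItem -Path Cert:\LocalMachine\Root).Thumbprint
    Get-ChildItem -Path Cert:\CurrentUser\Root |
        Where-Object { $machine -notcontains $_.Thumbprint } |
        ForEach-Object {
            [pscustomobject]@{
                Check  = 'CurrentUser\Root'
                Value  = $_.Thumbprint
                Reason = "user-only root '$($_.Subject)', valid from $($_.NotBefore.ToShortDateString())"
            }
        }
}

# Collect both sets of findings; an empty result means neither indicator is present.
$findings = @(Test-ProxyAutoConfig) + @(Get-UserOnlyRootCertificate)
if ($findings.Count -eq 0) {
    'No proxy auto-config or user-only root certificate indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A legitimately user-imported root (a development CA, for instance) is reported by the same heuristic, so treat hits as leads to review rather than verdicts. As the post notes, Firefox keeps its own certificate store, so a Firefox profile has to be inspected separately; this script only covers the Windows store and the WinINET settings that Internet Explorer reads.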

    Recommendations

    To avoid attacks like the one we have just detailed, we recommend that you only open and interact with messages from senders and websites that you recognize and trust. For added defense-in-depth, you can reduce the risk from this threat by following the guidance in our previous blog post on how to adjust the registry settings to help prevent OLE Embedded Objects from executing altogether, or from running without your explicit permission.

    Alden Pornasdoro and Vincent Tiu

    MMPC

    Productivity and inclusion—Office 365 accessibility update
    https://blogs.msdn.microsoft.com/accessibility/2016/08/25/productivity-and-inclusion-office-365-accessibility-update/
    Thu, 25 Aug 2016 17:38:24 +0000

    This morning, the Office team outlined the latest accessibility enhancements in Office 365 to help ensure both that people with disabilities can communicate, consume and create content on any device, and that everyone can easily create accessible content. To learn more, read the blog post from John Jendrezak, accessibility lead and partner director of program management for the Office Engineering team, on the Office blog.

    MSRT August 2016 release adds Neobar detection
    https://blogs.technet.microsoft.com/mmpc/2016/08/09/msrt-august-2016-release-adds-neobar-detection/
    Wed, 10 Aug 2016 04:34:23 +0000

    As part of our ongoing effort to provide better malware protection, the August 2016 release of the Microsoft Malicious Software Removal Tool (MSRT) includes detections for BrowserModifier:Win32/Neobar, an unwanted software family, and Win32/Rovnix, a trojan malware family.

    This blog discusses BrowserModifier:Win32/Neobar. Its inclusion in MSRT supports our unwanted software family detections in Windows Defender, along with the other protection features in our Windows 10 protection stack.

    BrowserModifier:Win32/Neobar has been classified as unwanted software because it violates the following Objective Criteria:

    • Lack of choice – the threat bypasses user consent options from the browser or operating system.
    • Lack of control – the threat could prevent or limit the user from viewing or modifying browser features or settings.

    Distribution

    We have seen BrowserModifier:Win32/Neobar being distributed by various software bundlers that we detect as SoftwareBundler:Win32/InstallMonster, SoftwareBundler:Win32/ICLoader, and SoftwareBundler:Win32/Dlboost.

    We have seen this threat use different application names:

    • advPlugin
    • Best YouTube Downloader
    • Best Youtube Saver
    • BonusBerry
    • Currency Converter
    • Goodshop app
    • I Like It Extension
    • Media Saver
    • OdPodarki
    • Torrent Search
    • Video Saver
    • Video Saver 2
    • VK Downloader
    • VK OK AdBlock
    • VPN TOOLBAR
    • WebBars
    • Youtube AdBlock

    The following heatmap shows the geographical spread of Neobar-infected machines:

    Figure 1: Geographic distribution of BrowserModifier:Win32/Neobar infection from March to August 2016.

    Installation

    When BrowserModifier:Win32/Neobar is installed on your PC, it can change your default search provider. It also adds a toolbar to your browser, schedules tasks to run itself automatically, and adds an uninstallation option.

    We have seen this threat add a toolbar to the following browsers:

    • Internet Explorer
    • Google Chrome
    • Mozilla Firefox

    Figure 2: Neobar toolbar in Internet Explorer

    Figure 3: Neobar toolbar in Google Chrome

    Figure 4: Neobar toolbar in Mozilla Firefox

    Symptoms

    Adds a toolbar to browser

    This threat adds a toolbar to the user’s browser and enables it automatically, so the browser never displays the consent dialog in which the user would choose whether to enable it.

    Figure 5: Manage Add-on page shows the toolbar that BrowserModifier:Win32/Neobar added in Internet Explorer.

    Figure 6: Extensions page shows what BrowserModifier:Win32/Neobar added in Chrome.

    Figure 7: Extensions page shows what BrowserModifier:Win32/Neobar added in Firefox.

    Changes to default search provider

    We have seen this threat change the user’s default search provider.

    Figure 8: A sample setting change in Chrome.

    After this threat has set the default search provider, it restricts the user from changing it.

    Figure 9: A Neobar-infected machine prompts users with a message indicating that they cannot change the search provider setting that the threat configured as default.

    Adds scheduled tasks

    This threat adds scheduled tasks to automatically execute itself, and to check and download updates.

    Figure 10: Sample scheduler entry in a Neobar-infected machine
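One practical way to find scheduled tasks of the kind described above is to list every enabled task whose action runs a program from a directory an unprivileged installer can write to, which is where bundler-delivered software usually lands. The following PowerShell is an added example, not code from the MMPC post; the set of user-writable roots is an assumption to adjust per environment, and Get-ScheduledTask requires Windows 8 / Windows Server 2012 or later.

```powershell
# Added example (not from the MMPC post): report enabled scheduled tasks whose action
# executes from a user-writable location. Heuristic triage aid, not a signature; expect
# legitimate updaters to appear as well, the point is to review each hit.

function Get-SuspiciousScheduledTask {
    param(
        # Assumed set of directories an unprivileged installer can write to; extend as needed.
        [string[]]$UserWritableRoots = @(
            $env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:ProgramData,
            "$env:SystemDrive\Users\Public"
        )
    )
    $roots = $UserWritableRoots | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        foreach ($action in @($task.Actions)) {
            $exe = $action.Execute
            if (-not $exe) { continue }   # not an Exec action (e.g. a COM handler action)

            # Task definitions store the program path with environment variables and
            # optional quotes; normalise both before comparing against the root list.
            $path = [Environment]::ExpandEnvironmentVariables($exe.Trim('"'))
            $hit  = $roots | Where-Object { $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }
            if ($hit) {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    RunsAs    = $task.Principal.UserId
                    Execute   = $path
                    Arguments = $action.Arguments
                    Triggers  = (@($task.Triggers) | ForEach-Object { $_.CimClass.CimClassName }) -join ','
                }
            }
        }
    }
}

# Usage: print the hits for review; a task that runs from %LOCALAPPDATA% or %TEMP% on a
# logon or daily trigger is the pattern to look at first.
Get-SuspiciousScheduledTask | Format-Table -AutoSize
```

The trigger class names (for example MSFT_TaskLogonTrigger or MSFT_TaskDailyTrigger) tell you whether the task re-launches the software at logon or on a schedule, which matches the two purposes the post describes: running itself and checking for updates. Pair a hit with the uninstallation entry and browser extension list from the other sections before deciding it is the same software.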

    Adds an uninstallation option

    This threat adds an uninstallation option in the Programs and Features section.

    Figure 11: Users can use the uninstallation option to remove this software from the system.

    Prevention

    To prevent this threat from disrupting your computing experience:

    • Keep your Windows Operating System and antivirus up-to-date and, if you haven’t already, upgrade to Windows 10.
    • Use Microsoft Edge to get SmartScreen protection. It can help warn you about sites that are known to be hosting exploits, and help protect you from socially-engineered attacks such as phishing and malware downloads.
    • Avoid browsing web sites that are known for hosting malware (such as illegal music, movies and TV, and software download sites).

    Detection

    James Patrick Dee

    MMPC

    August 2016 security update release
    https://blogs.technet.microsoft.com/msrc/2016/08/09/august-2016-security-update-release/
    Tue, 09 Aug 2016 17:00:01 +0000

    Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released.

    More information about this month’s security updates and advisories can be found in the Security TechNet Library.

    MSRC team

    New Accessibility Documentation for the Windows 10 Anniversary Update
    https://blogs.msdn.microsoft.com/accessibility/2016/08/09/new-accessibility-documentation-for-the-windows-10-anniversary-update/
    Tue, 09 Aug 2016 16:23:52 +0000

    The following blog post was written by Seth Oglesby, a Content Developer on the Windows Content Publishing team.

    ————————–

    We’ve been hard at work updating our documentation for the Windows 10 Anniversary Update, and we’re excited to share new resources to help you learn about new and updated accessibility features.

    Narrator content improvements

    For the first time we’ve published in-depth content to help you Get started with Narrator! It explains the basics of how to use Narrator with a desktop PC to get going quickly. Highlights include navigation basics, using Scan Mode (a new navigation and reading mode), getting info about text through new verbosity and punctuation features, reading text, and a full list of commands and touch gestures. We plan to add more chapters soon, so check back often.

    Updated keyboard shortcuts

    Keyboard shortcuts can help you be more productive. See the following pages to learn about the different keyboard shortcuts in Windows and apps:

    If you forget a keyboard shortcut, ask Cortana. For example, say “keyboard shortcut for Narrator” to find the keyboard shortcut for turning on Narrator.

    Make your PC more accessible

    If you’re new to Windows 10 and want to make your PC more accessible, check out the Get Started app (search for Get Started to find it). It’s your one stop shop for learning about what’s new in the Anniversary Update.

    There’s info, including new videos, about how to help make your PC easier to hear and see, improve focus on tasks, and use the mouse and keyboard more effectively. In the app, select the Browse category, then Ease of Access to get started.

    Developer? We’ve got you covered

    For developers, we’ve published new content to help you make your apps more accessible. There’s a new accessibility developer hub, articles about how to design inclusive software, develop inclusive Windows apps, and videos about developing for accessibility and building accessible Universal Windows Platform (UWP) apps:

    Additionally:

    Send us feedback

    Your input helps us improve Windows. If you have feedback about our documentation, or know something we should write about, let us know! Visit the Microsoft Accessibility User Voice website and leave your comments.

    For technical support with Microsoft assistive technologies, contact the Microsoft Disability Answer Desk.

    ICYMI: Accessibility – in oneweek
    https://blogs.msdn.microsoft.com/accessibility/2016/08/05/icymi-accessibility-in-oneweek/
    Fri, 05 Aug 2016 22:35:41 +0000

    The following is a post from Jenny Lay-Flurrie, Microsoft Chief Accessibility Officer

    There has been so much fantasticness (if that’s a word) in the last couple of weeks on the accessibility front, I wanted to just take a moment to look back on some of the highlights. Between the availability of Windows 10 Anniversary Edition and Learning Tools for OneNote, the //oneweek hackathon, the Imagine Cup and the Gleason documentary release (which you really have *got* to see) – there’s just a lot to keep up on.

    Last week was an exciting time at Microsoft as the company rallied around our third annual //oneweek event, which brought together employees from across the company to learn, share and create. It was an incredibly packed week, including a massive global hackathon, a product fair and university students showcasing technologies that will change the world during the Imagine Cup. Put simply, //oneweek is our opportunity to go beyond our daily jobs, to invest time in projects we are passionate about, to make new connections and really bring about innovation that can empower people with disabilities. Let’s have a look at some of the exciting things that came out of //oneweek!

    ‘Gleason’ Premiere

    One of the most successful projects to come out of a //oneweek Ability Hackathon has been our partnership with former NFL player Steve Gleason, who was diagnosed in 2011 with amyotrophic lateral sclerosis (ALS), or Lou Gehrig’s disease. At our very first //oneweek back in 2014, this hack ended up winning the whole hackathon that year and went on to become a full-time project in Microsoft Research. The Microsoft Enable team continues to work on the technology that enables Steve to communicate and move his wheelchair independently with his eyes, with the goal of making it ready to share with others with ALS and other disabilities. Watch the video to learn more about the project, and go see the incredible new documentary on Steve’s life, ‘GLEASON’, that has opened in select theaters across the U.S. It will make you laugh, cry, and remember what is most important in life – it’s a must see!

    ‘Ability’ Hacks at //oneweek

    Our third annual //oneweek hackathon was bigger than ever and brought together over 14,000 employees from across Microsoft to use their talent and imaginations to build innovative technologies. What’s really exciting is the rapidly-growing momentum around projects focused on enabling people with disabilities. In 2014, we had 10 ‘Ability’ Hacks focused on people with disabilities. Last year, it was over 40. This year, we had over 100. Now that is progress!

    Hackers bring a ton of energy and passion to the table during the hackathon and focus their skills on creating assistive technologies, adapting existing technologies or taking something as mind blowing as the HoloLens and seeing what applications it could have for disabilities from blindness to deafness to quadriplegia. With over 100 ‘Ability’ hacks, there were so many great examples of empowering people with disabilities – here are a couple of examples of what hack teams have developed:

    A team hacking in Israel created the “LittleHero” shirt, an E-Textile wearable for children with autism that enables them to communicate effectively in a fun and engaging manner. The team designed and embroidered clear interactive communication symbols made of special touchable threads; touching a symbol triggers fun visual and audible feedback. The shirt is also equipped with multiple sensors, such as an accelerometer and a GPS, and is connected to a cloud service that continuously analyzes the various signals and provides insights and alerts.

    Another team out of Silicon Valley created a project called ‘Mind the Gap,’ which breaks down communication barriers for paralyzed and speech-impaired individuals by rapidly developing a more practical form of communication using a combination of facial muscle movements, minute head movements and even intentional states of mind.

    Remember, these are ‘hack’ projects, not products. You won’t find them on the shelves anytime soon. But I (and many around the company) walked away motivated by the passion, technical depth and understanding of the customer experience and disability experience. Employees with disabilities were sought after all week to be part of the hack teams to help ensure that their project was based in reality. Some from the disability community were part of 3 or 4 or even 5 project teams. The results speak for themselves; high quality hacks and smart ideas that can really make a difference.

    Microsoft Imagine Cup ‘Ability’ Award Winner

    On our campus last week, we also hosted hundreds of the top tech students from around the world, competing in the annual Imagine Cup. The event is often viewed as the World Cup of student technology, where students work in teams to show off their ability to solve problems and empower people through technology. This year, a group of students from China ‘Team BoneyCare’ won the Ability Award for their project, an app they designed to help people with speech impairments such as stammering. The project is powered by Microsoft Azure and a cloud-based language recognition, wave analysis and emotion recognition technology. This team will be coming back to Redmond and spending a week with my team and teams across the business to help advance their project.

    Wow! That’s a lot of awesome packed into a short amount of time! And in addition to all the advancements in research, we’ve had some big news on product accessibility from Microsoft recently as well:

    Windows 10 Anniversary Update Adds New Features for Assistive Technologies

    Starting on August 2, Microsoft’s Windows 10 Anniversary Update began rolling out for our customers around the world. You can learn more about the progress on accessibility we’ve made with the Windows 10 Anniversary Update, including an overview of new features, here. If you use assistive technologies and are still using Windows 7 or Windows 8.1 and want to upgrade to Windows 10, don’t forget that you will still have the opportunity to upgrade at no cost even though the Windows 10 free upgrade offer ended for the general public on July 29. As promised, we rolled out a new webpage to help customers who use assistive technologies to navigate the process and access the free upgrade offer extension for Windows 10 at: www.microsoft.com/accessibility/windows10upgrade. Feedback so far is good, but please keep it coming. If you have questions, give Disability Answer Desk a call, and any specific feedback please get it into UserVoice.

    Learning Tools for OneNote Go Mainstream

    Learning Tools for OneNote, the winning project from last year’s hackathon to help people with learning differences, is now out of preview and generally available. The Learning Tools feature has helped users dramatically increase reading speeds and inspired students with dyslexia to want to read. For more information about Learning Tools, including a link to download it and details on how students and teachers can get it for free, visit Office Blogs.

    And that… was //oneweek. I am deeply inspired by the passion and progress taking hold on accessibility right now. We have a lot to do, and it’s not just efforts at Microsoft that are inspiring, but I do get excited at the possibilities. So please, check out Imagine Cup, //oneweek hackathon articles, Windows 10 and OneNote and let us know what you think! And, seriously, go see the GLEASON documentary – you will be very glad you did.

    To stay up to speed on the latest on accessibility from Microsoft, visit https://www.microsoft.com/accessibility and follow us on Twitter at Microsoft Accessibility (@MSFTEnable).

    Microsoft Bounty Programs Expansion – Microsoft Edge Remote Code Execution (RCE) Bounty
    https://blogs.technet.microsoft.com/msrc/2016/08/04/microsoft-bounty-programs-expansion-microsoft-edge-remote-code-execution-rce-bounty/
    Thu, 04 Aug 2016 18:30:23 +0000

    I’m very happy to announce another addition to the Microsoft Bounty Programs. Microsoft will be hosting a bounty for Remote Code Execution vulnerabilities in Microsoft Edge on Windows Insider Preview builds.

    This bounty continues our partnership with the security research community in working to secure our platforms, in pre-release stages of the development process. The Windows Insider program is built to help shape the future of Windows, and represents the latest in features, including new security features and mitigations. For the latest information on new Windows features included in the Insider Previews, please visit the Windows 10 Insider Program Blog.

    As the bounty programs are pushing forward into earlier releases of software, there may be more instances of a vulnerability being reported which Microsoft is already working to resolve. In the event this occurs, as recognition for the real effort put into finding these vulnerabilities, a payment of up to $1,500 USD will be made to the first external researcher who reports the issue.

    To find out more about the Microsoft Edge Remote Code Execution Bounty, please visit https://aka.ms/BugBounty. The program highlights are:

    • Remote Code Execution vulnerabilities in Microsoft Edge on Windows Insider Preview
    • Also includes the open-source sections of Chakra
    • The bounty will run August 4, 2016 through May 15, 2017
    • Bounty payouts will range from $500 USD to $15,000 USD
    • If a researcher reports a qualifying vulnerability already found internally by Microsoft, a payment will be made to the first finder at a maximum of $1,500 USD
    • Vulnerabilities must be reproducible on the latest Windows Insider Preview (Slow track)

    This new bounty will be in addition to our ongoing Online Services, and Mitigation bypass and Bounty for Defense bounty programs. These additions are a part of the rigorous security programs at Microsoft. Bounties are worked alongside the Security Development Lifecycle (SDL), Operational Security Assurance (OSA) framework, regular penetration testing of our products and services, and Security and Compliance Accreditations by third party audits.

    As always, the most up-to-date information about the Microsoft Bounty Programs can be found at https://aka.ms/BugBounty and in the associated terms and FAQs.

    Start your fuzzers!

    Jason Shirk

    Windows 10 free upgrade page for people who use assistive technologies
    https://blogs.msdn.microsoft.com/accessibility/2016/07/29/windows-10-free-upgrade-page-for-people-who-use-assistive-technologies/
    Fri, 29 Jul 2016 17:09:36 +0000

    With the end of the free Windows 10 upgrade offer today for the general public, we want to remind customers who use assistive technologies that the deadline will not apply to you. As promised, we are rolling out a new webpage, starting today, to help customers who use assistive technologies to navigate the process and access the free upgrade offer extension for Windows 10 at: www.microsoft.com/accessibility/windows10upgrade.

    With more than a billion people with disabilities in the world, we are excited for customers to experience the new accessibility features in the Windows 10 Anniversary Update. These include improving the screen reading experience with Narrator, the accessibility of experiences and apps like Microsoft Edge, Mail and the Start menu, as well as better tools and resources for developers to build more accessible apps and experiences.

    For more information about Windows accessibility, check out https://www.microsoft.com/en-us/Accessibility/windows. And, as always, keep the feedback coming. It’s critically important to us as we keep working to give you a great experience.

    Nemucod dot dot..WSF
    https://blogs.technet.microsoft.com/mmpc/2016/07/23/nemucod/
    Sat, 23 Jul 2016 21:03:23 +0000

    The latest Nemucod campaign shows the malware distributing a spam email attachment with a .wsf extension, specifically a ..wsf (double dot) extension.

    It is a variation of what has been observed since last year (2015): the TrojanDownloader:JS/Nemucod malware downloader using JScript. It still spreads through spam email attachments, typically inside a .zip file, using a file name of interest with .js or .jse as the extension.

    The following screenshots show what the malicious file attachment looks like in the recent campaign:

    Figure 1: Example of what a spam email carrying the latest version of Nemucod might look like

    Figure 2: Example of what the Nemucod malware looks like when extracted and opened with an archive viewer

    What the double dots mean: Social engineering for unsuspecting eyes

    As seen in the following file name samples, the double dot paired with the uncommon .wsf extension creates the illusion that the file name was abbreviated, intentionally omitted, or shortened by the system because it was too long:

    • profile-d39a..wsf
    • profile-e3de..wsf
    • profile-e7dc..wsf
    • profile-f8d..wsf
    • profile-fb50..wsf
    • spreadsheet_07a..wsf
    • spreadsheet_1529..wsf
    • spreadsheet_2c3b..wsf
    • spreadsheet_36ff..wsf
    • spreadsheet_3a8..wsf

    Some might look at the sample file names and assume that they were originally a long unique string identifier of random letters and numbers, such as a transaction ID, receipt number or even a user ID:

    • profile-d39as1u3e8k9i3m4wsf
    • profile-e3dee1uwl8s10f3m4wsf
    • profile-e7dc4d1u3e83m4wsf
    • profile-f8dsdwsfe8k4i38wsf
    • profile-fb50s1u3l8k9i3m4wsf
    • spreadsheet_07as133e3k9i3e4wsf
    • spreadsheet_1529s15se8f9i3o6wsf
    • spreadsheet_2c3bs1u5dfk9i3m6wsf
    • spreadsheet_36ffs1ure8koei3d5ws
    • spreadsheet_3a8s1udwsf8s9i323wsf

    However, this is not the case. These are script files that might contain malicious code which could harm your system.

    Underneath the WSF

    A Windows Script File (.wsf) is a text document containing Extensible Markup Language (XML) code. It incorporates several features that offer increased scripting flexibility. Because Windows script files are not specific to a script language, the underlying code can be either JavaScript or VBScript, depending on the language declared in the file. The WSF acts as a container.

    Underneath the WSF is the same typical Nemucod JScript code.

    Figure 3: Nemucod code inside the WSF: the code is encrypted and the decryption routine is written under @cc_on (conditional compilation)

    This Nemucod version leverages the @cc_on (conditional compilation) statement, which can help it evade AV scanner detection. Conditional compilation code lives inside a /*@cc_on ... @*/ comment block: a scanner or parser that does not implement JScript conditional compilation sees only a comment, while the JScript engine activates it and executes the code that follows. The scanner is therefore tricked into treating the code as a comment rather than as executable code.
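As an added triage example (not code from the MMPC post), the following Python flags the double-dot and double-extension attachment names discussed above and parses a WSF container to find JScript conditional-compilation blocks that hide code in comments. The embedded attachment is constructed for illustration, not a real Nemucod sample.

```python
"""Attachment triage for the Nemucod ..wsf campaign (added example).

The WSF below is constructed to mirror the structure the post describes;
it is not a real sample and runs nothing.
"""
import re
import xml.etree.ElementTree as ET

# Extensions Windows Script Host executes on double-click.
WSH_EXTENSIONS = {"wsf", "js", "jse", "vbs", "vbe"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}

# /*@cc_on ... @*/ is a comment to any parser without JScript conditional
# compilation, but the JScript engine activates it and runs what follows.
CC_ON_RE = re.compile(r"/\*\s*@cc_on", re.IGNORECASE)
CC_BLOCK_RE = re.compile(r"/\*@.*?@\*/", re.DOTALL)
EXEC_RE = re.compile(r"\b(eval|ActiveXObject|WScript\.Shell)\b")


def suspicious_name(filename: str) -> list[str]:
    """Reasons an attachment name matches the campaign's lures."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1]
    if ext in WSH_EXTENSIONS:
        reasons.append(f"WSH-executable extension .{ext}")
        if ext == "wsf":
            reasons.append("uncommon .wsf attachment")
        # 'profile-d39a..wsf': the empty segment before the extension is the
        # double-dot trick that makes the name look truncated.
        if len(parts) >= 3 and parts[-2] == "":
            reasons.append("double-dot before extension")
        # '<filename>.pdf.js' style double extension
        elif len(parts) >= 3 and parts[-2] in DOCUMENT_EXTENSIONS:
            reasons.append(f"double extension .{parts[-2]}.{ext}")
    return reasons


def wsf_scripts(wsf_text: str) -> list[tuple[str, str]]:
    """Parse the WSF XML container; return (language, code) per <script>."""
    root = ET.fromstring(wsf_text)
    return [(node.get("language", "").lower(), node.text or "")
            for node in root.iter("script")]


def cc_on_findings(code: str) -> list[str]:
    """Flag conditional-compilation blocks that carry executable code."""
    findings = []
    if CC_ON_RE.search(code):
        findings.append("@cc_on conditional compilation enabled")
    for block in CC_BLOCK_RE.findall(code):
        if EXEC_RE.search(block):
            findings.append("executable code inside /*@ ... @*/ comment block")
            break
    return findings


def triage(filename: str, wsf_text: str) -> list[str]:
    """Combine the file-name and container checks for one attachment."""
    findings = suspicious_name(filename)
    try:
        scripts = wsf_scripts(wsf_text)
    except ET.ParseError:
        # WSH is lenient, so a malformed container is itself worth a look.
        return findings + ["WSF container is not well-formed XML"]
    for lang, code in scripts:
        if lang in ("jscript", "javascript"):
            findings.extend(cc_on_findings(code))
    return findings


# Constructed attachment mimicking the campaign's layout (not a real sample).
SAMPLE_WSF = """<job id="x">
<script language="JScript">
/*@cc_on @*/
/*@ var s = new ActiveXObject("WScript.Shell"); eval(decoded); @*/
var a = "harmless looking text";
</script>
</job>"""

if __name__ == "__main__":
    for reason in triage("profile-d39a..wsf", SAMPLE_WSF):
        print(reason)
```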

    Upon code decryption, the following URLs – where the malware payload is being hosted – are revealed:

    • hxxp://right-livelihoods.org/rpvch
    • hxxp://nmfabb.com/rgrna1gc
    • hxxp://www.fabricemontoyo.com/v8li8

    Recent spam campaign and trends

    The latest Nemucod telemetry for the past 15 days shows that it has constantly been active, although there haven’t been any huge spikes.

    Figure 4: Daily detection trend for Nemucod. These are the unique machine encounters per day

    Figure 5: Geographic distribution of Nemucod. Data taken from July 3 to July 18, 2016

    Besides the ..wsf and @cc_on techniques, we have also seen other, older tricks used as part of its social engineering tactics. These include, but are not limited to:

    • Double extension (for example: <filename>.pdf.js)
    • Invoice, receipt, and delivery related file names such as DHL, FedEx delivery, and so forth

    Nemucod infection chain

    Nemucod infection chain showing spam email distributing WSF which downloads and runs malware

    Just like the Nemucod campaigns before this, the malware downloader payload includes ransomware, such as:

    Mitigation and prevention

    To avoid falling prey to this new Nemucod malware campaign:

    Francis Tan Seng and Alden Pornasdoro
    MMPC

    Kovter becomes almost file-less, creates a new file type, and gets some new certificates
    https://blogs.technet.microsoft.com/mmpc/2016/07/22/kovter-becomes-almost-file-less-creates-a-new-file-type-and-gets-some-new-certificates/
    Fri, 22 Jul 2016 21:15:29 +0000

    Trojan:Win32/Kovter is a well-known click-fraud malware that is challenging to detect and remove because of its file-less persistence on infected PCs. In this blog, we will share some technical details about the latest changes we have seen in Kovter’s persistence method and some updates on their latest malvertising campaigns.

    New persistence method

    Since June 2016, Kovter has changed its persistence method to make remediation harder for antivirus software.

    Upon installation, Kovter will generate and register a new random file extension (for example, .bbf5590fd) and define a new shell open verb to handle this specific extension by setting the following registry keys:

    Figure 1: Registry setup for Kovter

    With this setup, every time a file with the custom file extension (.bbf5590fb) is opened, the malicious Kovter command contained in the registry key is executed via the shell extension open verb.

    Therefore, all Kovter needs to do to run on infected machines is open a file with their custom file extension .bbf5590fb – causing the malicious shell open command to run. This in turn runs a command using mshta.

    Mshta.exe is a legitimate Windows tool that Kovter uses to execute malicious JavaScript. This JavaScript then loads the main payload from another registry location, HKCU\software\67f1a6b24c\d0db239. To trigger this shell open command on a regular basis, Kovter drops several garbage files with its custom file extension in different locations, for example:

    The contents of these files are not important, since the malicious code is contained within the shell open verb registry key. The last step in the installation process is setting up the auto-start mechanism to automatically open the above files. Kovter uses both a shortcut file and a batch (.bat) file for this:

    Using a shortcut file

    Kovter drops a shortcut file (.lnk) in the Windows startup folder which points to the garbage files. We have seen it drop the following shortcut file:

    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\28dd1e3d.lnk

    The target command of the shortcut file is the following:

    C:\Windows\System32\cmd.exe /C start "" "C:\Users\Admin\AppData\Roaming\33e58839\3ad319e6.bbf5590fd"

    Once executed at startup, this command will open the file, causing the malicious shell open verb to run the malicious mshta command previously set up in the registry system (see Figure 1).

    Using a batch script file

    Kovter will drop a batch script file (.bat) and set a registry run key to execute the .bat file. The .bat file will be dropped in a randomly generated folder, such as:

    The .bat file has the following content:

    Figure 2: Content of the .bat file set up in the run key

    Once executed, this .bat file will also open the dropped file, which then executes the malicious shell open verb.

    Instead of adding the mshta script directly as a Run key in the registry, as the old variant did, Kovter now uses this shell open trick to start itself. Although Kovter is technically not fully file-less after this latest update, the majority of the malicious code is still held only within the registry. To remove Kovter completely from an infected computer, antivirus software needs to remove all of these dropped files as well as the registry changes.
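As an added hunting example (not code from the MMPC post), the following Python scans a registry export for the persistence pattern described above: a custom extension whose shell open verb runs a script host such as mshta, plus Run values that launch a batch file. The .reg text is constructed; its key layout is the standard Windows file-association layout (an extension key under Software\Classes whose default value names a ProgID, and that ProgID's shell\open\command), not a copy of the post's Figure 1, and the extension name is reused from the post while the paths are placeholders.

```python
"""Hunt a .reg export for custom-extension shell-open persistence (added example)."""
import re

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
EXT_KEY_RE = re.compile(r"^(?P<hive>.+\\Classes|HKEY_CLASSES_ROOT)\\(?P<ext>\.[^\\]+)$", re.I)
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
SCRIPT_HOSTS = ("mshta", "wscript", "cscript", "powershell", "rundll32")


def _unquote(s: str) -> str:
    """Strip .reg string quoting and its backslash escapes."""
    s = s.strip()
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Minimal .reg parser: {key_path: {value_name: data}}; '' is the default value."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unquote(m.group(1))
            keys[current][name] = _unquote(m.group(2))
    return keys


def _default_value(keys, wanted: str):
    """Case-insensitive lookup of a key's default value."""
    wanted = wanted.lower()
    for key, values in keys.items():
        if key.lower() == wanted:
            return values.get("")
    return None


def looks_random(ext: str) -> bool:
    """Kovter-style extensions are a dot followed by a run of hex digits."""
    return re.fullmatch(r"\.[0-9a-f]{6,}", ext, re.I) is not None


def find_custom_handlers(keys):
    """(extension, ProgID, command) for extensions whose open verb runs a script host."""
    found = []
    for key, values in keys.items():
        m = EXT_KEY_RE.match(key)
        progid = values.get("") if m else None
        if not progid:
            continue
        command = _default_value(keys, f"{m.group('hive')}\\{progid}\\shell\\open\\command")
        if command and any(host in command.lower() for host in SCRIPT_HOSTS):
            found.append((m.group("ext"), progid, command))
    return found


def find_run_entries(keys):
    """Run-key values that launch a batch file or a script host."""
    found = []
    for key, values in keys.items():
        if not key.lower().endswith(RUN_KEY_SUFFIX):
            continue
        for name, data in values.items():
            low = data.lower()
            if ".bat" in low or any(host in low for host in SCRIPT_HOSTS):
                found.append((name, data))
    return found


def hunt(reg_text: str) -> list[str]:
    """Human-readable findings for one export."""
    keys = parse_reg(reg_text)
    findings = []
    for ext, progid, cmd in find_custom_handlers(keys):
        kind = "random-looking" if looks_random(ext) else "custom"
        findings.append(f"{kind} extension {ext} -> {progid} opens via script host: {cmd}")
    for name, data in find_run_entries(keys):
        findings.append(f"Run value {name!r} launches {data}")
    return findings


# Constructed export: one Kovter-style handler, one benign .txt handler, one Run value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.bbf5590fd]
@="bbf5590fd"

[HKEY_CURRENT_USER\Software\Classes\bbf5590fd\shell\open\command]
@="\"C:\\Windows\\System32\\mshta.exe\" \"javascript:PLACEHOLDER_LOADER_SCRIPT\""

[HKEY_CURRENT_USER\Software\Classes\.txt]
@="txtfile"

[HKEY_CURRENT_USER\Software\Classes\txtfile\shell\open\command]
@="\"C:\\Windows\\System32\\notepad.exe\" \"%1\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"placeholder_run"="\"C:\\Users\\Admin\\AppData\\Roaming\\PLACEHOLDER\\PLACEHOLDER.bat\""
'''

if __name__ == "__main__":
    for finding in hunt(SAMPLE_REG):
        print(finding)
```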

    Windows Defender is able to successfully clean up and remove these new versions of this threat.

    Kovter malvertising updates

    Since our last blog on Kovter spreading through malicious advertisements as a fake Adobe Flash update, we have observed some changes.

    On top of the fake Adobe Flash updates, Kovter is now also pretending to be a Firefox update. Kovter has also rotated through a series of new digital certificates, including the following:

    Certificate signer hash                   Valid from    Valid until
    7e93cc85ed87ddfb31ac84154f28ae9d6bee0116  Apr 21 2016   Apr 21 2017
    78d98ccccc41e0dea1791d24595c2e90f796fd48  May 13 2016   May 13 2017
    c6305ea8aba8b095d31a7798f957d9c91fc17cf6  Jun 22 2016   Jun 22 2017
    b780af39e1bf684b7d2579edfff4ed26519b05f6  May 12 2016   May 12 2017
    a286affc5f6e92bdc93374646676ebc49e21bcae  May 13 2016   May 13 2017
    ac4325c9837cd8fa72d6bcaf4b00186957713414  Nov 18 2015   Nov 17 2016
    ce75af3b8be1ecef9d0eb51f2f3281b846add3fc  Dec 28 2015   Dec 27 2016

    Table 1: List of certificates used by Kovter

    We’ve noticed that every time the Kovter actors release a new wave of samples signed with a new certificate, they hit a lot of machines. This can be seen in our telemetry for the past three months, with spikes on May 21, June 14, and the first week of July.

    Figure 3: Kovter’s prevalence for the past two months

    Besides fake Adobe Flash and Firefox updates, Kovter also pretends to be a Chrome update (chrome-update.exe).

    We have seen Kovter downloaded from a large list of URLs, including:


    For reference, here are some SHA1s corresponding to each certificate used by Kovter:

    To protect yourself from this type of attack, we encourage users to only download and install applications or their updates from their original and trusted websites.

    Using an up-to-date version of an antimalware scanner like Windows Defender will also help you to stay protected from Kovter.

    Duc Nguyen
    MMPC

    Reverse engineering DUBNIUM – Stage 2 payload analysis
    https://blogs.technet.microsoft.com/mmpc/2016/07/14/reverse-engineering-dubnium-stage-2-payload-analysis/
    Thu, 14 Jul 2016 20:35:18 +0000

    Recently, we blogged about the basic functionality and features of the DUBNIUM advanced persistent threat (APT) activity group Stage 1 binary and Adobe Flash exploit used during the December 2015 incident (Part 1, Part 2).

    In this blog, we will go through the overall infection chain structure and the Stage 2 executable details. Stage 2 executables are the core of this activity group’s operation: they are the final payload, delivered only to possible targets that match its profile.

    Infection chain overview

    The picture below shows the overall infection chain we analyzed.

    Figure 1: Infection chain overview

    In most cases, the daily operation of the DUBNIUM APT depends on social engineering through spear-phishing. The group has been observed to rely mainly on an .LNK file whose icon looks like a Microsoft Word file. If the victim opens the file thinking it is a Microsoft Office Word document, it downloads a simple dropper that will download and execute the next-stage binary, which in this case has the file name kernelol21.exe.

    The Stage 1 binary extensively checks the system for security products and for the analysis tools that reverse engineers and security analysts usually run. It passes the client’s IP address, hostname, MAC address, software profile information, and locale information to the download server. When the server decides that the client matches the profile of a possible target, the next-stage dropper is downloaded.

    Stage 0: Social Engineering vs. Exploits

    In our previous blogs we described the Adobe Flash Exploit the malware recently used. In this blog we want to provide a brief overview of the social engineering method DUBNIUM uses for its daily infection operations. The activity group uses the .LNK file with an icon image of a Word document as one of its social engineering methods.

    Figure 2: Shortcut icon disguised as Word document

    The shortcut contains commands to download and execute the next level executable or script. Unsuspecting victims will double click this icon and will be unknowingly launching a PowerShell command.

    Figure 3: The commands in the shortcut

    For example, the following shows the script that downloads a binary and executes it on the target system using PowerShell.

    Figure 4: PowerShell script for downloading and execution of next stage binary

    To make the attack look benign, the dropper drops an Office Word document and displays it on the screen. One of the samples we saw had content similar to the following screenshot:

    Figure 5: Fake document contents – North Korean style language and mentions of North Korean leaders with New Year’s celebration

    Stage 2 infection process

    Acquiring a Stage 2 binary is very difficult for analysts because the download server is very selective about its infection targets. The main direction of the infection strategy is not to infect as many machines as it can; instead it focuses on infecting targets that match the desired profile while avoiding detection by security products. One very interesting fact is that the command and control (C2) server we have been observing didn’t go down for months. Overall security product coverage of Stage 2 executables is very poor, so the activity group’s strategy of a very selective Stage 2 infection appears to have been effective.

    The following diagram shows the transition from Stage 1 to Stage 2 through the downloaded binary.

    Figure 6: Stage 1 to 2 transition

    The dropped binary (Dropper PE module) is never written to disk; it is injected directly into a newly created process. In this case plasrv.exe is used, but the process name can vary each time. The dropper PE module drops kbkernelolUpd.dll and kernelol21.exe (which happens to have the same name as the Stage 1 binary, but different contents). The dropper PE module then looks for usual system processes, for example dwm.exe in this case, and injects kbkernelolUpd.dll into one of them.

    kbkernelolUpd.dll is the main C2 client, which communicates with the C2 server and processes downloaded commands. It also creates a process from a usual Windows binary under the system folder and injects the kernelol21.exe binary into it. kernelol21.exe is a process persistency module, which re-injects kbkernelolUpd.dll if that process is killed for some reason. The kbkernelolUpd.dll module in turn constantly monitors the existence of the kernelol21.exe injected process and re-launches and re-injects the module if the infected host process is killed. Together they form a process persistency loop.

    The following screenshot shows the typical process tree when the Stage 2 infection happens. The dwm.exe and cipher.exe processes are infected with kbkernelolUpd.dll and kernelol21.exe.

    Figure 7: Typical process list with Stage 2 infection

    Persistence of the whole infection is provided by the Windows logon key shown in the following picture.

    Figure 8: kernelol21.exe load key

    The following table shows the infection targets used for each stage. All infection target process files are default Windows executables under the system32 folder.

    Component (description): injection targets

    Stage 1 dropper PE module (creates new process):
    • plasrv.exe
    • wksprt.exe
    • raserver.exe
    • mshta.exe
    • taskhost.exe
    • dwm.exe
    • sdiagnhost.exe
    • winrshost.exe
    • wsmprovhost.exe

    Stage 2 kbkernelolUpd.dll (injects into existing process; if the process is killed, svchost.exe will be created by kernelol21.exe):
    • dwm.exe
    • wuauclt.exe
    • ctfmon.exe
    • wscntfy.exe

    Stage 2 kernelol21.exe (creates new process):
    • cipher.exe
    • gpupdate.exe
    • services.exe
    • sppsvc.exe
    • winrshost.exe

    Table 1: DUBNIUM infection targets

    Process image replacement technique

    When the main C2 client module, kbkernelolUpd.dll, is injected, it uses a LoadLibrary call started through the CreateRemoteThread API. This is a very typical technique used by many malware families.

    Figure 9: Injected LoadLibrary code

    For the dropper PE module in Stage 1 and the kernelol21.exe injection in Stage 2, however, it uses a process image replacement technique: it creates a usual Windows process, injects the PE module into it, fabricates PEB information and modifies the startup code to achieve process injection.
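A heuristic check for this technique, as an added example that is not code from the MMPC post: it reads PEB.ImageBaseAddress (the DWORD at offset +8 of the 32-bit PEB, as the post shows later) and asks whether it still points at the file-backed mapping of the executable the process was created from. The process snapshots below are constructed, and the memory-map fields are assumed to come from a memory forensics tool.

```python
"""Flag processes whose PEB image base no longer points at their on-disk image (added example)."""
import struct
from dataclasses import dataclass
from typing import Optional

# System binaries the post lists (Table 1) as hosts for the dropper and kernelol21.exe.
DUBNIUM_HOST_BINARIES = {
    "plasrv.exe", "wksprt.exe", "raserver.exe", "mshta.exe", "taskhost.exe",
    "dwm.exe", "sdiagnhost.exe", "winrshost.exe", "wsmprovhost.exe",
    "cipher.exe", "gpupdate.exe", "services.exe", "sppsvc.exe",
}


@dataclass
class Region:
    base: int
    size: int
    mapped_file: Optional[str]  # backing file for image mappings, None if private


@dataclass
class ProcessSnapshot:
    name: str
    image_path: str     # executable the process was created from
    peb: bytes          # raw copy of the 32-bit PEB
    regions: list[Region]


def peb_image_base(peb: bytes) -> int:
    """ImageBaseAddress is the DWORD at PEB+8 in the 32-bit PEB."""
    return struct.unpack_from("<I", peb, 8)[0]


def region_containing(regions: list[Region], addr: int) -> Optional[Region]:
    for r in regions:
        if r.base <= addr < r.base + r.size:
            return r
    return None


def hollowing_indicators(snap: ProcessSnapshot) -> list[str]:
    """Reasons to suspect the main image was replaced after CreateProcess."""
    reasons = []
    image_base = peb_image_base(snap.peb)
    r = region_containing(snap.regions, image_base)
    if r is None:
        reasons.append("PEB.ImageBaseAddress points outside any mapped region")
    elif r.mapped_file is None:
        reasons.append(f"PEB.ImageBaseAddress {image_base:#010x} is private memory, not a file mapping")
    elif r.mapped_file.lower() != snap.image_path.lower():
        reasons.append(f"PEB.ImageBaseAddress is backed by {r.mapped_file}, not {snap.image_path}")
    # The original image stays mapped; only the PEB pointer is redirected.
    on_disk = [x for x in snap.regions if (x.mapped_file or "").lower() == snap.image_path.lower()]
    if on_disk and on_disk[0].base != image_base:
        reasons.append("original image still mapped but PEB no longer points to it")
    if reasons and snap.name.lower() in DUBNIUM_HOST_BINARIES:
        reasons.append(f"{snap.name} is one of the host binaries DUBNIUM injects into")
    return reasons


def _peb_with_base(base: int) -> bytes:
    """Constructed 32-bit PEB: zeros except ImageBaseAddress at +8."""
    peb = bytearray(0x40)
    struct.pack_into("<I", peb, 8, base)
    return bytes(peb)


# Constructed snapshots: a clean plasrv.exe, and one whose PEB was repointed
# to a privately allocated region holding an injected PE image (addresses made up).
CLEAN = ProcessSnapshot(
    name="plasrv.exe",
    image_path=r"C:\Windows\System32\plasrv.exe",
    peb=_peb_with_base(0x00400000),
    regions=[Region(0x00400000, 0x20000, r"C:\Windows\System32\plasrv.exe"),
             Region(0x77000000, 0x100000, r"C:\Windows\System32\ntdll.dll")],
)
HOLLOWED = ProcessSnapshot(
    name="plasrv.exe",
    image_path=r"C:\Windows\System32\plasrv.exe",
    peb=_peb_with_base(0x00e00000),  # repointed to the injected module
    regions=[Region(0x00400000, 0x20000, r"C:\Windows\System32\plasrv.exe"),
             Region(0x00e00000, 0x30000, None),  # allocated and written by the injector
             Region(0x77000000, 0x100000, r"C:\Windows\System32\ntdll.dll")],
)

if __name__ == "__main__":
    for snap in (CLEAN, HOLLOWED):
        print(snap.name, hollowing_indicators(snap) or "no indicators")
```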

    Writing PE Image

    The technique starts with creating a process from an executable under the Windows system folder. Table 1 shows the target processes the injection is made into, depending on the stage and the binary. The process is created suspended and the modifications are then performed on its image. The first step is writing the infection PE image into the process, using the WriteProcessMemory API.

    Figure 10 shows the code that injects the PE header, and Figure 11 shows the memory of the target process where the PE header is injected.

    Figure 10: Injecting PE header

     

    Figure 11 PE header written on target process

     

    After the injection of PE header, it will go through each section of the source PE image and inject them one by one to the target process memory space.

    Figure 12: PE section injection

     

    The injected PE module depends on hard-coded base and section addresses; it carries no relocation handling. If the VirtualAlloc call for the desired base or section addresses fails (for example, because that range is already in use in the target process), the whole injection process fails.

     

    Acquiring context and PEB information

    The next step of infection is calling the GetThreadContext API to retrieve the current context of the suspended main thread of the target process.

    Figure 13: GetThreadContext

     

    One of the thread contexts retrieved is shown in the following image.

    Figure 14: Retrieved Context

     

    When a 32-bit process is started suspended, the ebx register of its initial thread holds a pointer to the PEB structure. The following shows the original PEB data from the target process. The ImageBaseAddress member is at offset +8 and its value is 0x00e0000 in this case; this is the image base of the main module of the target process.

    Figure 15: Original PEB structure

     

    After retrieving the PEB.ImageBaseAddress from the target process (Figure 16), it will replace it with the base address of the injected module (Figure 17).

    Figure 16: Reading PEB.ImageBaseAddress

    Figure 17: Overwriting PEB.ImageBaseAddress

     

    The PEB.ImageBaseAddress of the target process is replaced, as in the following figure, to point to the base address of the injected PE module.

    Figure 18: Overwritten PEB.ImageBaseAddress

     

    Overwriting wmainCRTStartup

     

    After overwriting PEB.ImageBaseAddress with the injected module’s base address, the next step is patching the wmainCRTStartup code of the original main module.

    Figure 19: wmainCRTStartup patch code

     

    The following code shows original disassembly from wmainCRTStartup code.

    Figure 20: Original code

     

    After the patch, the original startup code simply jumps to address 0x4053d0, the entry point of the injected module. When ResumeThread is called on the thread, execution starts from the injected module’s entry code instead of the original main module.

    Figure 21: Patched code
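
The mapping and patching steps above can be reproduced on a small scale. The following is an added example written for this page, not code from the DUBNIUM binaries or from the original analysis: it lays a PE32 file image out in a buffer the way the dropper writes it into the suspended process (headers first, then each section at its VirtualAddress), reports the hard-coded ImageBase and entry RVA the injector needs for the PEB overwrite, and builds the E9 jmp patch for the original entry point. The image it maps is a constructed minimal one-section sample, and the helper names are the example's own. Because the mapper bounds-checks every header field against both buffers, the same code can serve on the defensive side to re-derive what a hollowed process should look like.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Little-endian field accessors: PE fields are little-endian regardless of host. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* What the injector needs after mapping: the value for PEB.ImageBaseAddress and the
 * entry RVA for the startup-code patch. */
typedef struct { uint32_t image_base, entry_rva, size_of_image, sections_mapped; } pe_map_t;

/* Lay a PE32 file image out in `mem` the way the dropper writes it with WriteProcessMemory:
 * SizeOfHeaders bytes first (Figures 10/11), then each section copied from PointerToRawData
 * to its VirtualAddress (Figure 12). Every offset is checked against both buffers.
 * Returns 0 on success or a negative code for a malformed image. */
int map_pe_image(const uint8_t *file, size_t file_len, uint8_t *mem, size_t mem_len, pe_map_t *out) {
    if (file_len < 0x40 || rd16(file) != 0x5A4D) return -1;                           /* "MZ" */
    uint32_t nt = rd32(file + 0x3C);
    if ((uint64_t)nt + 24 + 96 > file_len || rd32(file + nt) != 0x00004550) return -2; /* "PE\0\0" */
    const uint8_t *fh = file + nt + 4, *oh = file + nt + 24;
    uint16_t nsec = rd16(fh + 2), opt_size = rd16(fh + 16);
    if (rd16(oh) != 0x10B) return -3;                                                   /* PE32 only */
    out->entry_rva = rd32(oh + 16);
    out->image_base = rd32(oh + 28);
    out->size_of_image = rd32(oh + 56);
    uint32_t hdr_size = rd32(oh + 60);
    if (out->size_of_image > mem_len || hdr_size > file_len || hdr_size > mem_len) return -4;
    memcpy(mem, file, hdr_size);
    uint64_t sec_off = (uint64_t)nt + 24 + opt_size;
    if (sec_off + 40u * nsec > file_len) return -5;
    out->sections_mapped = 0;
    for (uint16_t i = 0; i < nsec; i++) {
        const uint8_t *sec = file + sec_off + 40u * i;
        uint32_t va = rd32(sec + 12), raw_size = rd32(sec + 16), raw_ptr = rd32(sec + 20);
        if ((uint64_t)raw_ptr + raw_size > file_len || (uint64_t)va + raw_size > mem_len) return -6;
        memcpy(mem + va, file + raw_ptr, raw_size);
        out->sections_mapped++;
    }
    return 0;
}

/* The 5-byte patch written over the original entry point (Figure 21): E9 <rel32>,
 * with rel32 measured from the end of the jmp instruction. */
uint32_t jmp_rel32(uint32_t from, uint32_t to) { return to - (from + 5u); }
void build_jmp_patch(uint32_t from, uint32_t to, uint8_t out[5]) { out[0] = 0xE9; wr32(out + 1, jmp_rel32(from, to)); }

/* Constructed sample image (not a DUBNIUM binary): one .text section at RVA 0x1000,
 * ImageBase 0x00400000, entry RVA 0x1050. Returns the file size written. */
size_t build_sample_pe(uint8_t *buf, size_t cap) {
    if (cap < 0x400) return 0;
    memset(buf, 0, 0x400);
    wr16(buf, 0x5A4D);
    wr32(buf + 0x3C, 0x40);                   /* e_lfanew */
    wr32(buf + 0x40, 0x00004550);
    wr16(buf + 0x44, 0x014C);                 /* Machine: i386 */
    wr16(buf + 0x46, 1);                      /* NumberOfSections */
    wr16(buf + 0x54, 0xE0);                   /* SizeOfOptionalHeader (PE32) */
    uint8_t *oh = buf + 0x58;
    wr16(oh, 0x10B);                          /* PE32 magic */
    wr32(oh + 16, 0x1050);                    /* AddressOfEntryPoint */
    wr32(oh + 28, 0x00400000);                /* ImageBase: hard-coded, no relocations */
    wr32(oh + 32, 0x1000);                    /* SectionAlignment */
    wr32(oh + 36, 0x200);                     /* FileAlignment */
    wr32(oh + 56, 0x2000);                    /* SizeOfImage */
    wr32(oh + 60, 0x200);                     /* SizeOfHeaders */
    uint8_t *sec = buf + 0x58 + 0xE0;         /* first IMAGE_SECTION_HEADER */
    memcpy(sec, ".text\0\0\0", 8);
    wr32(sec + 8, 0x200);                     /* VirtualSize */
    wr32(sec + 12, 0x1000);                   /* VirtualAddress */
    wr32(sec + 16, 0x200);                    /* SizeOfRawData */
    wr32(sec + 20, 0x200);                    /* PointerToRawData */
    buf[0x200 + 0x50] = 0xC3;                 /* "ret" at the entry point, standing in for code */
    return 0x400;
}

/* Map the sample and return the absolute entry point the patched startup code would
 * jump to (ImageBase + AddressOfEntryPoint), or 0 if mapping failed or the section
 * did not land at its VirtualAddress. */
uint32_t demo_hollow_entry(void) {
    uint8_t file[0x400], mem[0x2000] = {0};
    pe_map_t m;
    size_t n = build_sample_pe(file, sizeof file);
    if (n == 0 || map_pe_image(file, n, mem, sizeof mem, &m) != 0) return 0;
    if (m.sections_mapped != 1 || mem[0x1050] != 0xC3) return 0;
    return m.image_base + m.entry_rva;
}
```

For the patch itself, jmp_rel32(0x00E01000, 0x004053D0) evaluates to 0xFF6043CB, so build_jmp_patch emits E9 CB 43 60 FF; the first address is an assumed location of the original wmainCRTStartup inside the target's 0x00e0000-based image, the second is the injected entry point from the text. The injector's remaining steps, the PEB.ImageBaseAddress write and ResumeThread, are process-level operations that have no stand-alone equivalent here.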

     

    Main C2 Client (kbkernelolUpd.dll)

    As kbkernelolUpd.dll is the main module of the infection chain, we focus our analysis on this binary. As stated before, detection coverage and public information on this specific component are limited across the security industry.

     

    The string for the C2 server hostname and URI is encoded in a configuration block inside the binary.

    Figure 22: C2 server string decoding

     

    In the following disassembly, get_command uses wininet.dll APIs to send basic client information and to retrieve commands from the server. process_command is the routine that parses the message and executes the designated commands.

    Figure 23: C2 command fetch & execution loop

     

    Between contacts to the C2 server there is a timeout. The timeout value is stored inside the encoded configuration block in the binary; the sample we worked on, for example, waited 30 minutes between contact requests to the server.

    Figure 24: Sleep interval between C2 accesses

     

    Cryptographic C2 channel and message format

    The following diagram shows the basic message format of the C2 server payload that is downloaded when the client contacts the server.

    Figure 25: Decrypting C2 message

     

    The message from the C2 server can be encoded in several ways. The first byte of the payload is an XOR key used to decode the following bytes. An encryption-type byte then indicates which encryption algorithm is used; three encryption schemes (0x50, 0x58, 0x70) are supported in the code.

    From our static analysis, 0x58 selects the AES-256 algorithm, and 0x70 and 0x50 select 3DES with a 168-bit key. If the type is 0x40, no encryption is used. The 0x50 and 0x58 paths do not appear to be fully implemented, so 0x70 (3DES-168) is the only encryption type that is fully working here.

    The key material is protected with an embedded RSA private key, which is itself stored encrypted in the binary. The client hashes an embedded password string with CryptHashData and derives a symmetric key from it with CryptDeriveKey; that key decrypts the encrypted RSA private key (Figure 26).

    Figure 26: Setting encryption key

     

    This derived key is used to import the 0x258-byte private key embedded in the binary, and the private key in turn decrypts the encrypted session key (Key data 02 in Figure 25) carried in the response packet from the C2 server. Next, the IV (initialization vector) carried in the response packet is set as a parameter on the key object.

    Figure 27: Importing keys and IV

     

    Finally, the actual decryption of the payload happens through CryptDecrypt API call. The question still remains why the C2 server and the client are using such an overcomplicated encryption scheme.

    Figure 28: Decrypting message

     

    Command processor

    The C2 command processor looks very typical. It has a simple packet parser for a TLV (type, length, value) data structure. The following picture shows the main routine that processes packet lengths and types and calls the relevant handler function for each packet type.

    Figure 29: Main command processor function

     

    Each command provides the functionality typically seen in backdoors: registry and file system manipulation, searching for files that match specific patterns and retrieving and transferring them back to the server, and gathering network status information.
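
As an added illustration, not code from the analyzed sample, the following C program models the outer layers of the C2 message described above and the TLV command walk of the command processor. The XOR key byte and the encryption-type byte are as described; the exact layout after them, the 1-byte type / 2-byte length TLV encoding, and the command ids are assumptions made for the example, and the 3DES/RSA session-key unwrapping for the 0x70 type is deliberately not modelled. The sample message is constructed, not captured traffic. The part worth keeping is the length check in tlv_walk: a parser for attacker-controlled TLV data has to verify each length against the bytes remaining before trusting it, whether it runs inside a backdoor or inside an analyst's decoder.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Encryption-type byte values named in the analysis. */
enum { ENC_NONE = 0x40, ENC_3DES_A = 0x50, ENC_AES256 = 0x58, ENC_3DES_B = 0x70 };

/* Hypothetical command ids for the backdoor functions the text lists; the real ids are
 * not given on the page. */
enum { CMD_REGISTRY = 0x01, CMD_FILESYSTEM = 0x02, CMD_FILE_SEARCH = 0x03, CMD_NET_STATUS = 0x04 };

typedef struct { uint8_t type; uint16_t len; const uint8_t *value; } tlv_t;
typedef struct { int registry, filesystem, searches, net_status, unknown; } cmd_stats_t;

/* Strip the XOR layer in place: byte 0 is the key, everything after it is XORed with it.
 * Returns the encryption-type byte that follows the key, or -1 on a runt message. */
int c2_unwrap(uint8_t *msg, size_t len) {
    if (len < 2) return -1;
    uint8_t key = msg[0];
    for (size_t i = 1; i < len; i++) msg[i] ^= key;
    return msg[1];
}

/* Walk type(1) / length(2, little-endian) / value records. Every length is checked
 * against the remaining bytes before it is trusted, so a truncated or lying length
 * cannot move the cursor past the buffer. Returns the record count or -1. */
int tlv_walk(const uint8_t *buf, size_t len, tlv_t *out, size_t cap) {
    size_t pos = 0;
    int n = 0;
    while (pos < len) {
        if (len - pos < 3) return -1;
        uint16_t l = (uint16_t)(buf[pos + 1] | (buf[pos + 2] << 8));
        if (l > len - pos - 3) return -1;
        if ((size_t)n < cap) { out[n].type = buf[pos]; out[n].len = l; out[n].value = buf + pos + 3; }
        n++;
        pos += 3u + l;
    }
    return n;
}

/* process_command analogue: unwrap, refuse anything but the plaintext type (the
 * 0x50/0x58/0x70 paths need the RSA-unwrapped session key and IV and are not modelled),
 * then dispatch each record. Returns the record count or a negative error. */
int c2_process(uint8_t *msg, size_t len, cmd_stats_t *st) {
    tlv_t recs[16];
    memset(st, 0, sizeof *st);
    int enc = c2_unwrap(msg, len);
    if (enc < 0) return -1;
    if (enc != ENC_NONE) return -2;
    int n = tlv_walk(msg + 2, len - 2, recs, 16);
    if (n < 0) return -3;
    for (int i = 0; i < n && i < 16; i++) {
        switch (recs[i].type) {
        case CMD_REGISTRY:    st->registry++;    break;
        case CMD_FILESYSTEM:  st->filesystem++;  break;
        case CMD_FILE_SEARCH: st->searches++;    break;
        case CMD_NET_STATUS:  st->net_status++;  break;
        default:              st->unknown++;     break;
        }
    }
    return n;
}

/* Constructed sample response (not captured traffic): type 0x40, then a registry command,
 * a file search for "*.doc", and a network-status request. */
static const uint8_t SAMPLE_PLAIN[] = {
    0x40,
    0x01, 0x04, 0x00, 'H', 'K', 'L', 'M',
    0x03, 0x05, 0x00, '*', '.', 'd', 'o', 'c',
    0x04, 0x00, 0x00
};

/* Apply the XOR layer with `key` as the server would. Returns the message length. */
size_t build_sample_c2(uint8_t *out, size_t cap, uint8_t key) {
    if (cap < sizeof SAMPLE_PLAIN + 1) return 0;
    out[0] = key;
    for (size_t i = 0; i < sizeof SAMPLE_PLAIN; i++) out[i + 1] = SAMPLE_PLAIN[i] ^ key;
    return sizeof SAMPLE_PLAIN + 1;
}

cmd_stats_t demo_stats;

/* Decode the sample and return the number of commands it carried (stats in demo_stats). */
int demo_c2(void) {
    uint8_t msg[64];
    size_t n = build_sample_c2(msg, sizeof msg, 0x5A);
    return c2_process(msg, n, &demo_stats);
}

/* The same message cut four bytes short: the "*.doc" length no longer fits, so the
 * walker must reject the message instead of reading past the end. */
int demo_c2_truncated(void) {
    uint8_t msg[64];
    cmd_stats_t st;
    size_t n = build_sample_c2(msg, sizeof msg, 0x5A);
    return c2_process(msg, n - 4, &st);
}
```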

    Infections statistics

    The following chart shows the relative prevalence of the threat overall. We included Stage 1 and Stage 2 payload detections in this map.

    Bar chart showing countries with most infections in China and Japan

    Figure 30: Infection distribution by countries

     

    Most of the infections we saw were concentrated in East Asia, mostly China and Japan. As described earlier, the Stage 1 dropper collects the IP address and language locale of the machine it infected and sends them to the Stage 2 dropper distribution site. We think this distribution site has logic to decide whether or not to drop the next payload.

    The Stage 1 dropper is also known to collect information on culture-specific software, such as instant messengers and security software used mainly in mainland China. If the distribution site does not push back the Stage 2 payload, the Stage 1 payload has no means of persistence at all. This means that, after all the cost of infiltrating the machine, the malware simply gives it up if the machine does not fit its profile. Taken together, the infection map and the behavior of the Stage 1 dropper are a good indication that the activity group selects its targets by geolocation.

     

    Conclusion

    DUBNIUM is a very cautious actor. Looking at vendor detections for the Stage 2 binaries, there is no serious detection coverage for them across the industry. This is partly due to the strategy DUBNIUM employs: it does not try to infect as many machines as possible, because doing so would expose important components, such as the C2 client modules, to unintended targets. The very long lifespan of the domain it controls and uses for C2 operations supports this reading.

    Another feature of DUBNIUM is its use of encoding and encryption schemes for both the executables and the network protocols. Each stage uses a different style of encoding and decoding; some are complicated and some are relatively simple. Stage 1 binaries have stronger obfuscation and payload encoding than Stage 2 binaries, and the C2 server payload has its own format with support for encrypted messages.

    The other notable feature is that, at every stage, DUBNIUM checks its running environment. Stage 1 focuses on security products and analyst tools, while the Stage 2 binaries are very cautious about debugging tools. Stage 1 also collects extensive information about the client system, including locale, IP address and MAC address, and sends it to the Stage 2 distribution site. The distribution site serves each client only once based on this information. Getting served the next-stage binary is therefore sometimes very challenging, because we do not know the backend logic that decides whether or not to serve it.

     

    Appendix – Indicators of Compromise

     

    Stage 0

    Adobe Flash Player Exploit

    3eda34ed9b5781682bcf7d4ce644a5ee59818e15 SWF File

     

    LNK

    25897d6f5c15738203f96ae367d5bf0cefa16f53

    624ac24611ef4f6436fcc4db37a4ceadd421d911

     

    Droppers

    09b022ef88b825041b67da9c9a2588e962817f6d

    35847c56e3068a98cff85088005ba1a611b6261f

    7f9ecfc95462b5e01e233b64dcedbcf944e97fca

    aee8d6f39e4286506cee0c849ede01d6f42110cc

    b42ca359fe942456de14283fd2e199113c8789e6

    cad21e4ae48f2f1ba91faa9f875816f83737bcaf

    ebccb1e12c88d838db15957366cee93c079b5a8e

    4627cff4cd90dc47df5c4d53480101bdc1d46720

     

    Fake documents displayed from droppers

    24eedf7db025173ef8edc62d50ef940914d5eb8a

    7dd3e0733125a124b61f492e950b28d0e34723d2

    afca20afba5b3cb2798be02324edacb126d15442

     

    Stage 1

    Droppers

    0ac65c60ad6f23b2b2f208e5ab8be0372371e4b3

    1949a9753df57eec586aeb6b4763f92c0ca6a895

    4627cff4cd90dc47df5c4d53480101bdc1d46720

    561db51eba971ab4afe0a811361e7a678b8f8129

    6e74da35695e7838456f3f719d6eb283d4198735

    8ff7f64356f7577623bf424f601c7fa0f720e5fb

    b8064052f7fed9120dda67ad71dbaf2ac7778f08

    dc3ab3f6af87405d889b6af2557c835d7b7ed588

     

    Stage 2

    Dropper

    2d14f5057a251272a7586afafe2e1e761ed8e6c0

    3d3b60549191c4205c35d3a9656377b82378a047

     

    kernelol21.exe

    6ce89ae2f1272e62868440cde00280f055a3a638

     

    kbkernelolUpd.dll

    b8ea4b531e120730c26f4720f12ea7e062781012

    0ea2ba966953e94034a9d4609da29fcf11adf2d5

    926ca36a62d0b520c54b6c3ea7b97eb1c2d203a9

    db56f474673233f9b62bef5dbce1be1c74f78625

     

    UserData

    147cb0d32f406687b0a9d6b1829fb45414ce0cba

     

    Acknowledgement: Special thanks to Mathieu Letourneau at MMPC for providing statistical coverage data on the DUBNIUM multi-stage samples and providing insight on the interpretation of the data. Special thanks to HeungSoo David Kang for providing screenshots from the fake Office Word document file.

     

    Jeong Wook Oh
    MMPC

     

    ]]>
    https://blogs.technet.microsoft.com/mmpc/2016/07/14/reverse-engineering-dubnium-stage-2-payload-analysis/feed/0
    Troldesh ransomware influenced by (the) Da Vinci codehttps://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/#respondWed, 13 Jul 2016 22:21:48 +0000https://blogs.technet.microsoft.com/mmpc/?p=8056We at the MMPC are constantly tracking new and emerging ransomware threats so we can be one step ahead of active campaigns and help protect our users. As part of these efforts, we recently came across a new variant of the Win32/Troldesh ransomware family.

    Ransomware, like most malware, is constantly trying to change itself in an attempt to evade detection. In this case, we’ve seen the following updates to Troldesh:

    • Tor functionality
    • Glyph/symbol errors on the wallpaper ransom note
    • Modified extension names for encrypted files
    • New malware being delivered (Trojan:Win32/Mexar.A)
    • Updates the ransom note to cover the Tor functionality

    The biggest change in this update is the addition of Tor links. Using Tor addresses as the ransom payment method (as opposed to standard www addresses) is the current fashion among ransomware.

    The ransom note now includes links to the Tor address (previously, the only method provided for obtaining decryption was an email address):

    The ransom note now includes onion.to addresses for payment

    However, upon investigation it appears that access to the address has been blocked:

    Screenshot showing that the Troldesh payment site has been blocked by Tor

    Errors have been introduced into the image that replaces the user’s desktop wallpaper (this occurred to several samples, but not all):

    Errors and unknown symbols have been seen in some versions of the wallpaper - the symbols look like blank boxes and random characters

    After encryption, Troldesh changes the file’s extension. In the latest update, we’ve seen it use the following strings:

    • .da_vinci_code
    • .magic_software_syndicate

    For example, an encrypted file might appear as follows:

    A file name that is a series of random characters and ends in .da_vinci_code

    The list of file types that Troldesh encrypts has also increased – see the Win32/Troldesh description for a full list.

    Prevention

    To help stay protected:

    • Keep your Windows Operating System and antivirus up-to-date and, if you haven’t already, upgrade to Windows 10.
    • Regularly back up your files to an external hard drive
    • Enable file history or system protection. On Windows 10 and Windows 8.1, set up a drive for file history
    • Use OneDrive for Business
    • Beware of phishing emails and spam, and do not open suspicious attachments
    • Use Microsoft Edge to get SmartScreen protection. It can help warn you about sites that are known to be hosting exploits, and help protect you from socially-engineered attacks such as phishing and malware downloads.
    • Disable the loading of macros in your Office programs
    • Disable your Remote Desktop feature whenever possible
    • Use two factor authentication
    • Use a safe Internet connection
    • Avoid browsing web sites that are known for being malware breeding grounds (such as illegal music, movies and TV, and software download sites)

    Detection

    Recovery

    In the Office 365 “How to deal with ransomware” blog, there are several options on how you might be able to remediate or recover from a ransomware attack, including backup and recovery using File History in Windows 10 and System Restore in Windows 7.

    You can also use OneDrive and SharePoint to backup and restore your files:

      

    Patrick Estavillo
    MMPC

    ]]>
    https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/feed/0
    MSRT July 2016 – Cerber ransomwarehttps://blogs.technet.microsoft.com/mmpc/2016/07/12/msrt-july-2016-cerber-ransomware/https://blogs.technet.microsoft.com/mmpc/2016/07/12/msrt-july-2016-cerber-ransomware/#commentsTue, 12 Jul 2016 18:55:01 +0000https://blogs.technet.microsoft.com/mmpc/?p=7996As part of our ongoing effort to provide better malware protection, the July 2016 release of the Microsoft Malicious Software Removal Tool (MSRT) includes detection for Win32/Cerber, a prevalent ransomware family. The inclusion in MSRT complements our Cerber-specific family detections in Windows Defender, and our ransomware-dedicated cloud protection features.

    We started seeing Cerber in February 2016, and since then it has continuously evolved and is now one of the most encountered ransomware families – beating both Exxroute and Locky. The evolution is mostly based around the way in which Cerber is being distributed – with a focus on exploit kits, compromised websites, and email distribution.

    When looking at data for the past 30 days, Cerber is the most detected ransomware, taking over a quarter of all ransomware infections.

    Ransomware family Share
    Cerber 25.97%
    Exxroute 15.39%
    Locky 12.80%
    Brolo 11.66%
    Crowti 9.97%
    FakeBsod 9.19%
    Teerac 3.94%
    Critroni 3.72%
    Reveton 2.86%
    Troldesh 1.21%
    Ranscrape 1.18%
    Sarento 0.76%
    Urausy 0.70%
    Genasom 0.65%

     

    Cerber is especially prevalent in the US, Asia, and Western Europe.

    However, infections occur across the globe, and the following heat map demonstrates the geographical spread of infected machines:
    Map showing highlighted areas in Eastern US, Western Europe, Asia, South America

     

    Cerber infection chain

    Cerber can enter your system or PC either through downloaders from spam email or exploits on malicious or compromised sites.

    Diagram showing spam email using macro and scripts to install cerber onto a PC

    When delivered via spam, we’ve seen the use of both macros and OLE objects to deliver Cerber. We described how malware authors can maliciously use OLE in our blog “Where’s the macro?“, and we’ve previously talked about how macros have been used to deliver malware (although new features in Office 2016 have seen a decrease in macro-based malware).

    In this case, we’ve seen malicious files using VisualBasic Script (VBS) and JavaScript to download Cerber from a command and control (C2) server. We’ve also seen malicious macros both downloading Cerber, and dropping VBS scripts that then download Cerber.

    The other infection vector – exploit kits – occurs when a user visits a malicious or compromised website that hosts an exploit kit. The exploit kit checks for vulnerabilities on the PC, and tailors an infection to target those vulnerabilities. This allows the exploit kit to download Cerber onto the PC.

    Neutrino, Angler, and Magnitude exploit kits have been identified as distributing Cerber.

     

    Cerber updates

    As with most other encryption ransomware, Cerber encrypts files and places “recovery” instructions in each folder. Cerber provides the instructions both as .html and .txt formats, and replaces the desktop wallpaper.

    Cerber, however, also includes a synthesized audio message.

    We described the Cerber infection process in detail in our blog “The three heads of the Cerberus-like Cerber ransomware“.

     

    Screencap showing a long note explaining how a user was infected

    There have been some updates to this family, however, including a much more detailed description of how ransomware encryption works, and how users can recover their files.

    Note that the ransom message now makes claims about Cerber attempting to help make the Internet a safer place, and they don’t mention the payment of fees or ransom to decrypt your files.

    Upon investigation, however, we have determined (as of July 8, 2016) that they are asking for a ransom in the form of bitcoins, as shown in the following screenshot of the Tor webpage:

    Note showing that Cerber requests bitcoin payment to decrypt files

     

    The Cerber desktop wallpaper has also been updated:

    Grey wallpaper with a few lines of black text showing links to decrypt files

     

    Prevention

    To help stay protected:

    • Keep your Windows Operating System and antivirus up-to-date and, if you haven’t already, upgrade to Windows 10.
    • Regularly back up your files to an external hard drive
    • Download and apply security patches associated with the exploit kits that are known to distribute this ransomware (for example: Neutrino).
    • Enable file history or system protection. On Windows 10 and Windows 8.1, set up a drive for file history
    • Use OneDrive for Business
    • Beware of phishing emails and spam, and do not open suspicious attachments
    • Use Microsoft Edge to get SmartScreen protection. It can help warn you about sites that are known to be hosting exploits, and help protect you from socially-engineered attacks such as phishing and malware downloads.
    • Disable the loading of macros in your Office programs
    • Disable your Remote Desktop feature whenever possible
    • Use two factor authentication
    • Use a safe Internet connection
    • Avoid browsing web sites that are known for being malware breeding grounds (such as illegal music, movies and TV, and software download sites)

    Detection

    Recovery

    In the Office 365 blog “How to deal with ransomware“, there are several options on how you might be able to remediate or recover from a ransomware attack, including backup and recovery using File History in Windows 10 and System Restore in Windows 7.

    You can also use OneDrive and SharePoint to backup and restore your files:

     

    Carmen Liang and Patrick Estavillo MMPC

     

    ]]>
    https://blogs.technet.microsoft.com/mmpc/2016/07/12/msrt-july-2016-cerber-ransomware/feed/3
    July 2016 security update releasehttps://blogs.technet.microsoft.com/msrc/2016/07/12/july-2016-security-update-release/https://blogs.technet.microsoft.com/msrc/2016/07/12/july-2016-security-update-release/#respondTue, 12 Jul 2016 17:03:00 +0000https://blogs.technet.microsoft.com/msrc/?p=2455Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released.

    More information about this month’s security updates and advisories can be found in the Security TechNet Library.

    MSRC team

    ]]>
    https://blogs.technet.microsoft.com/msrc/2016/07/12/july-2016-security-update-release/feed/0
    Reverse-engineering DUBNIUM’s Flash-targeting exploithttps://blogs.technet.microsoft.com/mmpc/2016/06/20/reverse-engineering-dubniums-flash-targeting-exploit/https://blogs.technet.microsoft.com/mmpc/2016/06/20/reverse-engineering-dubniums-flash-targeting-exploit/#commentsMon, 20 Jun 2016 20:30:20 +0000https://blogs.technet.microsoft.com/mmpc/?p=7805The DUBNIUM campaign in December involved one exploit in-the-wild that affected Adobe Flash Player. In this blog, we’re going to examine the technical details of the exploit that targeted vulnerability CVE-2015-8651. For more details on this vulnerability, see Adobe Security Bulletin APSB16-01.

    Note that Microsoft Edge on Windows 10 was protected from this attack due to the mitigations introduced into the browser.

     

    Vulnerability exploitation

    Adobe Flash Player version checks

    The nature of the vulnerability is an integer overflow, and the exploit code has quite extensive subroutines in it. It tries to cover versions of the player from 11.x to the most recent version at the time of the campaign, 20.0.0.235.

    The earliest version of Adobe Flash Player 11.x was released in October 2011 (11.0.1.152) and the last version of Adobe Flash Player 10.x was released in June 2013 (10.3.183.90). This doesn’t necessarily mean the exploit existed from 2011 or 2013, but it again demonstrates the broad target the exploit tries to cover.

    Figure 1 Version check for oldest Flash Player the exploit targets

     

    Mainly we focused our analysis upon the function named qeiofdsa, as the routine covers any Adobe Flash player version since 19.0.0.185 (released on September 21, 2015).

    Figure 2 Version check for latest Flash Player the exploit supports

     

    Why is this version of Flash Player so important? Because that is the release which had the latest Vector length corruption hardening applied at the time of the incident. The original Vector length hardening came with 18.0.0.209 and it is well explained in the Security @ Adobe blog https://blogs.adobe.com/security/2015/12/community-collaboration-enhances-flash.html.

    The Vector object from Adobe Flash Player can be used as a corruption target to acquire read or write (RW) primitives.

    This object has a very simple structure and predictable allocation patterns, with no sanity checks on the object itself, which made it a very popular exploitation target in recent years. A few more bypasses were found after that hardening, and 19.0.0.185 included hardening against another bypass. For this and later versions the exploit switches to a new exploitation method, ByteArray length corruption.

    Note, however, that with new mitigation from Adobe released after this incident, the ByteArray length corruption method no longer works.

    To better understand the impact of the mitigations on attacker patterns, we compared the line counts of the pdfsajoe routine, which exploits Adobe Flash Player versions earlier than 19.0.0.185, and the qeiofdsa routine, which exploits 19.0.0.185 and later. pdfsajoe has 139 lines of code versus 5,021 for qeiofdsa.

    While there is no absolute way to measure the impact, and line count alone is not a standard measurement, it does show that to target the newer versions of Adobe Flash Player the attacker had to write roughly 36 times as many lines of code.

    Subroutine name                    pdfsajoe                        qeiofdsa
    Vulnerable Flash Player version    Below 19.0.0.185                19.0.0.185 and up
    Mitigations                        No latest Vector mitigations    Latest Vector mitigations applied
    Lines of attack code               139 lines                       5,021 lines
    Ratio                              1                               36

    Table 1 Before and after Vector mitigation

     

    This tells us a lot about the importance of mitigation and the increasing cost of exploit code development. Mitigation in itself doesn’t fix existing vulnerabilities, but it is definitely raising the bar for exploits.

     

    Heap spraying and vulnerability triggering

    The exploit relies heavily on heap spraying. Among the various objects it sprays, the code in Figure 3 shows where the ByteArray objects are sprayed. Each of these ByteArrays has a length of 0x10, and the sprayed objects are the corruption targets.

    Figure 3 Heap-spraying code

     

    The vulnerability lies in the implementation of fast memory opcodes. More detailed information on the usage of fast memory opcodes are available in the Faster byte array operations with ASC2 article at the Adobe Developer Center.

    After setting up application domain memory, the code can use the avm2.intrinsics.memory package, which provides methods including li32 and si32. li32 loads a 32-bit integer from fast memory and si32 stores a 32-bit integer to fast memory. They are used like methods in source code, but at the AVM2 bytecode level they are opcodes in their own right.

    Figure 4 Setting up application domain memory

     

    Because of the way these instructions are implemented, an out-of-bounds access is possible (Figure 5). The key to this vulnerability is the second li32 statement that immediately follows the first li32 in each IF statement. For example, in the li32((_local_4+0x7FEDFFD8)) statement, the value _local_4+0x7FEDFFD8 ends up as 4 after integer overflow. At the just-in-time (JIT) compiled level, a range check is generated only for this second li32 statement; the range check for the first li32 statement is skipped.

    Figure 5 Out-of-bounds access code using li32 instructions

     

    We compared the bytecode-level AVM2 instructions with the low-level x86 JIT instructions. Figure 6 shows the comparison and our findings. Two li32 accesses are made, and the JIT compiler merges the length checks for both into a single check. Because the address computation overflows, that single length check is faulty and lets the code bypass the ByteArray length restriction. This directly gives out-of-bounds RW access to process memory. Historically, the fast memory implementation has suffered from range check vulnerabilities (CVE-2013-5330, CVE-2014-0497). The Virus Bulletin 2014 paper by Chun Feng and Elia Florio, Ubiquitous Flash, ubiquitous exploits, ubiquitous mitigation (PDF download), provides more details on those older but similar vulnerabilities.

    Figure 6 Length check confusion
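
The length-check confusion is easier to see in native code. This added example (not part of the original analysis, and not the Flash JIT's code) models fast memory as a byte buffer and writes the two checks side by side: the hoisted check that validates only idx + 0x7FEDFFD8 computed in 32-bit arithmetic, and the correct check that validates every address that is dereferenced. The offset constant is the one quoted from the exploit; the 0x1000-byte region, the helper names and the way the check is expressed in C are assumptions for the example. The demo never performs the out-of-bounds read itself; it reports which checks would have allowed it.

```c
#include <stdint.h>
#include <stddef.h>

/* Offset constant quoted from the exploit's li32((_local_4 + 0x7FEDFFD8)) statement. */
#define LI32_OFFSET 0x7FEDFFD8u

/* Correct range check for a 32-bit load at `addr`: addr + 4 <= len, evaluated in 64-bit
 * arithmetic so the addition itself cannot wrap. */
int range_ok(uint32_t len, uint32_t addr) { return (uint64_t)addr + 4 <= len; }

/* The faulty pattern as described for the JIT: the block performs li32(idx) and
 * li32(idx + K) but emits a single range check, and only for the second address.
 * That address is computed in 32-bit arithmetic, so it wraps to a small value while
 * idx itself stays huge and unchecked. Returns 1 if both loads would be allowed. */
int jit_check_hoisted(uint32_t len, uint32_t idx) {
    uint32_t second = idx + LI32_OFFSET;        /* wraps modulo 2^32 */
    return range_ok(len, second);
}

/* What a fixed JIT has to do: check every address that is actually dereferenced. */
int jit_check_fixed(uint32_t len, uint32_t idx) {
    uint32_t second = idx + LI32_OFFSET;
    return range_ok(len, idx) && range_ok(len, second);
}

/* The attacker's side of the calculation: pick idx so that idx + K wraps to `target`
 * (the analysis observes the sum ending up as 4). */
uint32_t index_that_wraps_to(uint32_t target) { return target - LI32_OFFSET; }

/* A fast-memory load emulated against a real buffer with the correct check in front of
 * it, so this demo never reads out of bounds itself. Returns 0 on success, -1 if refused. */
int li32_safe(const uint8_t *mem, uint32_t len, uint32_t addr, uint32_t *out) {
    if (!range_ok(len, addr)) return -1;
    *out = (uint32_t)mem[addr] | ((uint32_t)mem[addr + 1] << 8)
         | ((uint32_t)mem[addr + 2] << 16) | ((uint32_t)mem[addr + 3] << 24);
    return 0;
}

/* Put the pieces together on a constructed 0x1000-byte fast-memory region. Returns a
 * bitmask: bit 0 = the hoisted check passes (bug reproduced), bit 1 = the fixed check
 * refuses, bit 2 = the unchecked first address really is outside the buffer while the
 * checked second one is inside. 7 means the confusion is fully demonstrated. */
int demo_length_check_confusion(void) {
    uint8_t fastmem[0x1000] = {0};
    uint32_t len = sizeof fastmem, v, idx = index_that_wraps_to(4);   /* idx = 0x8012002C */
    int r = 0;
    if (jit_check_hoisted(len, idx)) r |= 1;
    if (!jit_check_fixed(len, idx)) r |= 2;
    if (li32_safe(fastmem, len, idx, &v) < 0 && li32_safe(fastmem, len, idx + LI32_OFFSET, &v) == 0) r |= 4;
    return r;
}
```

With idx = 0x8012002C the sum 0x8012002C + 0x7FEDFFD8 is 0x100000004, which truncates to 4; the single check sees 4 + 4 <= 0x1000 and passes, yet the first load reads 2 GB past the buffer. The fix is not to forbid the wrap but to check each dereferenced address on its own, as jit_check_fixed does.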

     

    Using this out-of-bounds vulnerability, the exploit tries to locate heap-sprayed objects.

    Figure 7 shows the last part of the memory sweeping code. We counted 95 IF/ELSE statements that sweep through the memory range from ba+0x121028 to ba+0x17F028 (where ba is the base address of fast memory), a span of 0x5E000 (385,024) bytes. These memory ranges are therefore critical for a successful run of the exploit.

    Figure 7 End of memory sweeping code

     

    Figure 8 shows a crash point where the heap spraying fails. The exploit heavily relies on a specific heap layout for successful exploitation, and the need for heap spraying is one element that makes this exploit unreliable.

    Figure 8 Out-of-bounds memory access

     

    The exploit corrupts a ByteArray.length field and uses the enlarged ByteArray as its RW primitive (Figure 9).

    Figure 9 Instruction si32 is used to corrupt ByteArray.length field

     

    After ByteArray.length corruption, it needs to determine which ByteArray is corrupt out of the sprayed ByteArrays (Figure 10).

     

    Figure 10 Determining corrupt ByteArray

    RW primitives

    The following shows various RW primitives that this exploit code provides. Basically these extensive lists of methods provide functions to support different application and operating system flavors.

    Figure 11 RW primitives

     

    For example, the read32x86 method reads an arbitrary address in the process’s memory on the x86 platform. The cbIndex variable is the index into the bc array, an array of ByteArray objects, and bc[cbIndex] is the specific ByteArray whose length was corrupted through the fast memory vulnerability. After setting the target virtual address as the position member, it uses the readUnsignedInt method to read the memory value.

    Figure 12 Read primitive

     

    The same principle applies to the write32x86 method. It uses the writeUnsignedInt method to write to arbitrary memory location.

    Figure 13 Write primitive

     

    Beyond these, the exploit can perform slightly more complex operations, such as reading multiple bytes with the readBytes method.

    Figure 14 Byte reading primitive

     

    Function object virtual function table corruption

    Just after acquiring the process’s memory RW ability, the exploit tries to get access to code execution. This exploit uses a very specific method of corrupting a Function object and using the apply and call methods of the object to achieve shellcode execution. This method is similar to the exploit method that was disclosed during the Hacking Team leak. Figure 15 shows how the Function object’s virtual function table pointer (vptr) is acquired through a leaked object address, and low-level object offset calculations are performed. The offsets used here are relevant to the Adobe Flash Player’s internal data structure and how they are linked together in the memory.

    Figure 15 Resolving Function object vptr address

    This leaked virtual function table pointer is later overwritten with a fake virtual function table’s address. The fake virtual function table is cloned from the original one, and only the pointer to the apply method is replaced with the address of the VirtualProtect API. Later, when the apply method is called on the dummy Function object, it actually calls the VirtualProtect API with the supplied arguments – not the original empty call body. The supplied arguments point to the memory area used for temporary shellcode storage, which is made readable, writable and executable (RWX) through this method.

    Figure 16 Call VirtualProtect through apply method

    Once the RWX memory area is reserved, the exploit uses the call method of the Function object to perform further code execution. It doesn’t use the apply method because it no longer needs to pass any arguments. Calling the call method is also simpler (Figure 17).

    Figure 17 Shellcode execution through call method

    This shellcode-running routine is highly modularized: API names and the arguments to be passed are handed to a shellcode-running utility function, which makes building and running shellcode very extensible. Again, this method closely resembles the code found in the Adobe Flash exploit leaked during the Hacking Team information leak in July 2015.

    Figure 18 Part of shellcode call routines

    Note that the exploit’s method of using the corrupted Function object virtual table doesn’t work on Microsoft Edge anymore as it has additional mitigation against these kinds of attacks.

    ROP-less shellcode

    With this exploit, the shellcode is not a single contiguous memory area; instead, several shellcode fragments are invoked through separate uses of the call method. As this exploit shows, we are observing more exploits operating without return-oriented programming (ROP) chains. We can track these calls by putting a breakpoint on the native code that performs the ActionScript call method. For example, the disassembly in Figure 19 shows the code that calls the InternetOpenUrlA API.

    Figure 19 InternetOpenUrlA 1st download

    This call only retrieves a portion of the portable executable (PE) file’s header, not the whole file. It then makes another InternetOpenUrlA API call to retrieve the remaining body of the payload. This is most likely a trick to confuse analysts who look for a single download session for payloads.

    Figure 20 InternetOpenUrlA 2nd download

    Conclusion

    Through the analysis of the Adobe Flash Player-targeting exploit used by DUBNIUM last December, we learned that they are using highly organized exploit code with extensive support for operating system flavors. However, some functionality for some operating systems is not yet implemented; for example, some 64-bit support routines had an empty function body.

    The way the shellcode is authored makes the exploit code very extensible and flexible as changing shellcode behavior is extremely simple – as much as just changing AS3 code lines.

    The actual first-stage payload download is not performed in a single download but is split into two.

    They also use the ByteArray.length corruption technique to achieve process memory RW access. This object was hardened just after this incident, and ByteArray now has better sanity checks. Therefore, the same technique would not work as straightforwardly as in this exploit for versions after the hardening.

    The exploit relies heavily on heap-spraying techniques, and this is one major element that makes this exploit unreliable.

    This is a good example of how mitigation undermines an exploit’s stability, and how it increases exploit development cost.

    Because of the Function object corruption method the exploit relies on, Microsoft Edge provides additional protection against this new exploit method.

    Jeong Wook Oh
    MMPC

    Where’s the Macro? Malware authors are now using OLE embedding to deliver malicious files
    https://blogs.technet.microsoft.com/mmpc/2016/06/14/wheres-the-macro-malware-author-are-now-using-ole-embedding-to-deliver-malicious-files/
    Tue, 14 Jun 2016 22:24:00 +0000

    Recently, we’ve seen reports of malicious files that misuse the legitimate Office object linking and embedding (OLE) capability to trick users into enabling and downloading malicious content. Previously, we’ve seen macros used in a similar manner, and this use of OLE might indicate a shift in behavior as administrators and enterprises mitigate this infection vector with better security and new options in Office.

    In these new cases, we’re seeing OLE-embedded objects and content surrounded by well-formatted text and images to encourage users to enable the object or content, and thus run the malicious code. So far, we’ve seen these files use malicious Visual Basic (VB) and JavaScript (JS) scripts embedded in a document.

    The script or object is surrounded by text that encourages the user to click or interact with the script (which is usually represented with a script-like icon). When the user interacts with the object, a warning prompts the user whether to proceed or not. If the user chooses to proceed (by clicking Open), the malicious script runs and any form of infection can occur.

    Packager warning

    Figure 1: Warning message prompts the users to check whether they should open the script or not.

    It’s important to note that user interaction and consent is still required to execute the malicious payload. If the user doesn’t enable the object or click on the object – then the code will not run and an infection will not occur.

    Education is therefore an important part of mitigation – as with spam emails, suspicious websites, and unverified apps. Don’t click the link, enable the content, or run the program unless you absolutely trust it and can verify its source.

    In late May 2016, we came across the following Word document (Figure 2) that used VB script and language similar to that used in CAPTCHA and other human-verification tools.

    Screenshot of an invitation to unlock contents

    Figure 2: Invitation to unlock contents

    It’s relatively easy for the malware author to replace the contents of the file (the OLE or embedded object that the user is invited to double-click or activate). We can see this in Figure 3, which indicates the control or script is a JS script.

    A screenshot of a possible JavaScript variant

    Figure 3: Possible JavaScript variant

    The icon used to indicate the object or content can be just about anything. It can be a completely different icon that has nothing to do with the scripting language being used – as the authors can use any pictures and any type

    Screenshot of an embedded object variant

    Figure 4: Embedded object variant

    It’s helpful to be aware of what this kind of threat looks like, what it can look like, and to educate users to not enable, double-click, or activate embedded content in any file without first verifying its source.

    Technical details – downloading and decrypting a binary

    In the sample we investigated, the content of the social engineering document is a malicious VB script, which we detect as TrojanDownloader:VBS/Vibrio and TrojanDownloader:VBS/Donvibs. This sample also distinguishes itself from the typical download-and-execute routine common to this type of infection vector – it has a “decryption function”.

    This malicious VB script will download an encrypted binary, bypassing any network-based protection designed to recognize malicious formats and block them, decrypt the binary, and then run it. Figure 5 illustrates the encrypted binary we saw in this sample.

    Screenshot of the encrypted binary

    Figure 5: The encrypted binary

    The embedded object or script downloads the encrypted file to %appdata% with a random file name, and proceeds to decrypt it using the script’s decryption function (Figure 6).

    Screenshot of the decryption process, part 1

    Screenshot of the decryption process, part 2

    Screenshot of the decryption process, part 3

    Figure 6: Decryption process

    Lastly, it executes the now-decrypted binary, which in this example was Ransom:Win32/Cerber.

    Screenshot of the decrypted Win32 executable

    Figure 7: Decrypted Win32 executable

    Prevalence

    Our data shows these threats (TrojanDownloader:VBS/Vibrio and TrojanDownloader:VBS/Donvibs) are not particularly prevalent, with the greatest concentration in the United States.

    We’ve also seen a steady decline since we first discovered it in late May 2016.

    Worldwide prevalence of TrojanDownloader:VBS/Vibrio and TrojanDownloader:VBS/Donvibs

    Figure 8: Worldwide prevalence

    Daily prevalence of TrojanDownloader:VBS/Vibrio and TrojanDownloader:VBS/Donvibs

    Figure 9: Daily prevalence

    Prevention and recovery recommendations

    Administrators can prevent activation of OLE packages by modifying the registry key HKCU\Software\Microsoft\Office\<Office Version>\<Office application>\Security\PackagerPrompt.

    The Office version values should be:

    • 16.0 (Office 2016)
    • 15.0 (Office 2013)
    • 14.0 (Office 2010)
    • 12.0 (Office 2007)

    Setting the value to 2 causes Office to disable packages, so they won’t be activated if a user tries to interact with or double-click them.

    The value options for the key are:

    • 0 – No prompt from Office when user clicks, object executes
    • 1 – Prompt from Office when user clicks, object executes
    • 2 – No prompt, Object does not execute

    You can find details about this registry key in the Microsoft Support article https://support.microsoft.com/en-us/kb/926530.
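
The following Python script is added here as an example; it is not part of the original post. It audits and, on Windows, sets the PackagerPrompt value for every Office version listed above. It assumes the application subkeys Word, Excel and PowerPoint (the post only gives the <Office application> pattern), touches the registry through winreg only when run on Windows, and keeps the path-building and classification logic platform-independent so it can be checked anywhere.

```python
import sys
from typing import Callable, Dict, List, Optional

# Office version subkeys listed in the post, mapped to the product name.
OFFICE_VERSIONS: Dict[str, str] = {
    "16.0": "Office 2016",
    "15.0": "Office 2013",
    "14.0": "Office 2010",
    "12.0": "Office 2007",
}

# Assumption: the post only gives the pattern <Office application>; these are the
# application subkeys this example audits.
OFFICE_APPS = ("Word", "Excel", "PowerPoint")

# Meaning of each PackagerPrompt value, as listed in the post.
PACKAGER_PROMPT_MEANING: Dict[int, str] = {
    0: "no prompt, object executes",
    1: "prompt, object executes",
    2: "no prompt, object does not execute",
}
DISABLE_PACKAGES = 2  # the value that keeps OLE packages from activating


def security_subkeys(versions=OFFICE_VERSIONS, apps=OFFICE_APPS) -> List[str]:
    """HKCU-relative ...\\Security subkeys holding PackagerPrompt, one per version and app."""
    return [rf"Software\Microsoft\Office\{ver}\{app}\Security"
            for ver in versions for app in apps]


def classify(value: Optional[int]) -> str:
    """Describe a PackagerPrompt value; None means the value is absent."""
    if value is None:
        return "not set (Office default applies)"
    return PACKAGER_PROMPT_MEANING.get(value, f"unknown value {value}")


def audit(read_value: Callable[[str], Optional[int]]) -> Dict[str, str]:
    """Map every subkey to a readable state.

    read_value(subkey) -> int or None is injected so the logic can be exercised
    without a Windows registry; on Windows pass winreg_read below.
    """
    return {subkey: classify(read_value(subkey)) for subkey in security_subkeys()}


def noncompliant(read_value: Callable[[str], Optional[int]]) -> List[str]:
    """Subkeys whose PackagerPrompt is not the disabling value 2."""
    return [subkey for subkey in security_subkeys()
            if read_value(subkey) != DISABLE_PACKAGES]


if sys.platform == "win32":
    import winreg

    def winreg_read(subkey: str) -> Optional[int]:
        """Read HKCU\\<subkey>\\PackagerPrompt; None if the key or value is missing."""
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
                value, _ = winreg.QueryValueEx(key, "PackagerPrompt")
                return int(value)
        except OSError:
            return None

    def winreg_disable_packages(subkey: str) -> None:
        """Create the key path if needed and set PackagerPrompt = 2 (REG_DWORD)."""
        with winreg.CreateKey(winreg.HKEY_CURRENT_USER, subkey) as key:
            winreg.SetValueEx(key, "PackagerPrompt", 0, winreg.REG_DWORD, DISABLE_PACKAGES)


if __name__ == "__main__" and sys.platform == "win32":
    for subkey in noncompliant(winreg_read):
        print("setting PackagerPrompt=2 under", subkey)
        winreg_disable_packages(subkey)
    for subkey, state in audit(winreg_read).items():
        print(subkey, "->", state)
```

The key lives under HKCU, so the script must run as the user whose profile is being hardened. It creates the path for every listed version even where that Office version is not installed; that is harmless, but an administrator can trim OFFICE_VERSIONS and OFFICE_APPS to what is actually deployed.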

    See our other blogs and our ransomware help page for further guidance on preventing and recovering from these types of attacks:

    Alden Pornasdoro

    MMPC

    June 2016 security update release
    https://blogs.technet.microsoft.com/msrc/2016/06/14/june-2016-security-update-release/
    Tue, 14 Jun 2016 17:00:30 +0000

    Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released.

    More information about this month’s security updates and advisories can be found in the Security TechNet Library.

    MSRC team

    Reverse-engineering DUBNIUM
    https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2/
    Fri, 10 Jun 2016 01:43:56 +0000

    DUBNIUM (which shares indicators with what Kaspersky researchers have called DarkHotel) is one of the activity groups that has been very active in recent years, and has many distinctive features.

    We located multiple variants of multiple-stage droppers and payloads in the last few months, and although they are not really packed or obfuscated in a conventional way, they use their own methods and tactics of obfuscation and distraction.

    In this blog, we will focus on analysis of the first-stage payload of the malware.

    As the code is very complicated and twisted in many ways, it is a complex task to reverse-engineer the malware. The complexity of the malware includes linking with unrelated code statically (so that their logic can hide in a big, benign code dump) and excessive use of an in-house encoding scheme. Their bootstrap logic is also hidden in plain sight, such that it might be easy to miss.

    Every sub-routine from the malicious code has a “memory cleaner routine” when the logic ends. The memory snapshot of the process will not disclose many more details than the static binary itself.

    The malware is also very sneaky and sensitive to dynamic analysis. When it detects the presence of analysis toolsets, the executable bails out from further execution. Even binary instrumentation tools like PIN or DynamoRIO prevent the malware from running. This effectively defeats many automation systems that rely on at least one of the toolsets the malware checks for. Avoiding these toolsets during analysis makes the overall investigation even more complex.

    With this blog series, we want to discuss some of the simple techniques and tactics we’ve used to break down the features of DUBNIUM.

    We acquired multiple versions of DUBNIUM droppers through our daily operations. They are evolving slowly, but basically their features have not changed over the last few months.

    In this blog, we’ll be using sample SHA1: dc3ab3f6af87405d889b6af2557c835d7b7ed588 in our examples and analysis.

    Hiding in plain sight

    The malware used in a DUBNIUM attack is committed to disguising itself as a Secure Shell (SSH) tool. In this instance, it attempts to look like a certificate generation tool. The file description and other properties of the malware look convincingly legitimate at first glance.

    Figure 1: SSH tool disguise

    When it is run, the program actually dumps out dummy certificate files into the file system and, again, this can be very convincing to an analyst who is initially researching the file.

    Figure 2 Create dummy certificate files

    The binary is indeed statically linked with the OpenSSL library, so it really does look like an SSH tool. The difficulty in reverse engineering this sample starts with the fact that it has more than 2,000 functions, most of them statically linked OpenSSL code without symbols.

    Figure 3: DUBNIUM functions list

    The following is an example of one of these functions – note it even has string references to the source code file name.

    Figure 4: Code snippet that is linked from OpenSSL library

    It can be extremely time-consuming just going through the dump of functions that have no meaning at all in the code – and this is only one of the more simplistic tactics this malware is using.

    We can solve this problem using binary similarity calculation. This technique has been around for years for various purposes; for instance, it can be used to detect software that copies copyrighted code from other software.

    The technique can be used to find patched code snippets in the software and to find code that was vulnerable for attack. In this instance, we can use the same technique to clean up unnecessary code snippets from our advanced persistent threat (APT) analysis and make a reverse engineer’s life easier.

    Many different algorithms exist for binary similarity calculation, but we are going to use one of the simplest approaches here. The algorithm first collects the op-code string of each instruction in the function (Figure 5). It then concatenates the whole string and uses a hash algorithm to get a hash out of it. We used the SHA1 hash in this case.

    Figure 5: Op code in the instructions

    Figure 6 shows the Python-style pseudo-code that calculates the hash for a function. Sometimes the immediate constant operand is a valuable piece of information that can be used to distinguish similar but different functions, so the code also includes that value in the hash string. It uses our own utility function RetrieveFunctionInstructions, which returns a list of op-code and operand values for a designated function.

    import hashlib
    import idaapi

    def CalculateFunctionHash(self, func_ea):
        hash_string = ''
        # RetrieveFunctionInstructions yields (mnemonic, operands) for every
        # instruction of the function that starts at func_ea
        for (op, operands) in self.RetrieveFunctionInstructions(func_ea):
            hash_string += op
            # Immediate constants distinguish functions whose instruction
            # sequences are otherwise identical, so they go into the hash too
            for operand in operands:
                if operand.Type == idaapi.o_imm:
                    hash_string += ('%x' % operand.Value)

        m = hashlib.sha1()
        m.update(hash_string.encode('ascii'))
        return m.hexdigest()

    Figure 6: Pseudo-code for CalculateFunctionHash

    With these hash values calculated for the DUBNIUM binary, we can compare them with the hash values from the original OpenSSL library. We identified from the compiler-generated metadata that the version the sample is linked against is openssl-1.0.1l-i386-win. After calculating the same hashes for the OpenSSL library, we could import symbols for the matched functions. In this way, we removed most of the functions from our analysis scope.
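
The following Python program is added here as an example of the whole procedure (hash the functions, index a library with known symbols, match the sample against it); it is not the post’s own tooling and does not use IDA. The instruction lists, symbol names and addresses are constructed. It goes slightly beyond the pseudo-code above by flagging library routines whose hashes collide as ambiguous, which also shows why immediates are included: two routines that differ only in a constant collapse into one hash without them.

```python
import hashlib
from typing import Dict, Iterable, List, Optional, Sequence, Tuple

# Constructed instruction model: an operand is (kind, value) with kind "imm"
# (immediate constant), "reg" (register) or "mem" (memory reference); an
# instruction is (mnemonic, operands). In IDA this data comes from the
# disassembler; here it is written out by hand.
Operand = Tuple[str, object]
Instruction = Tuple[str, Sequence[Operand]]


def function_hash(instructions: Iterable[Instruction], include_immediates: bool = True) -> str:
    """SHA-1 over the concatenated mnemonics, plus each immediate in hex when requested."""
    hash_string = ""
    for mnemonic, operands in instructions:
        hash_string += mnemonic
        if include_immediates:
            for kind, value in operands:
                if kind == "imm":
                    hash_string += "%x" % value
    return hashlib.sha1(hash_string.encode("ascii")).hexdigest()


def build_index(library: Dict[str, Sequence[Instruction]],
                include_immediates: bool = True) -> Dict[str, str]:
    """Hash -> symbol name for a library whose symbols are known.

    Two different symbols with the same hash are recorded as "<ambiguous>", so a
    match against them is never trusted for symbol import.
    """
    index: Dict[str, str] = {}
    for name, body in library.items():
        h = function_hash(body, include_immediates)
        index[h] = "<ambiguous>" if h in index else name
    return index


def match_functions(sample: Dict[int, Sequence[Instruction]], index: Dict[str, str],
                    include_immediates: bool = True) -> Dict[int, Optional[str]]:
    """Function start address -> library symbol, or None when nothing in the library matches."""
    return {ea: index.get(function_hash(body, include_immediates))
            for ea, body in sample.items()}


def unmatched(sample: Dict[int, Sequence[Instruction]], index: Dict[str, str],
              include_immediates: bool = True) -> List[int]:
    """Addresses left for manual analysis: no library match, or only an ambiguous one."""
    return sorted(ea for ea, name in match_functions(sample, index, include_immediates).items()
                  if name is None or name == "<ambiguous>")


# Constructed "library" with symbols (a stand-in for the statically linked OpenSSL build).
LIBRARY: Dict[str, Sequence[Instruction]] = {
    "lib_shift_by_4": [("mov", (("reg", "eax"), ("mem", "[esp+4]"))),
                       ("shr", (("reg", "eax"), ("imm", 4))),
                       ("ret", ())],
    "lib_shift_by_8": [("mov", (("reg", "eax"), ("mem", "[esp+4]"))),
                       ("shr", (("reg", "eax"), ("imm", 8))),
                       ("ret", ())],
    "lib_add_args":   [("mov", (("reg", "eax"), ("mem", "[esp+4]"))),
                       ("add", (("reg", "eax"), ("mem", "[esp+8]"))),
                       ("ret", ())],
}

# Constructed "sample": two functions copied from the library and one that is the
# malware's own code. Addresses are made up.
SAMPLE: Dict[int, Sequence[Instruction]] = {
    0x401000: LIBRARY["lib_shift_by_8"],
    0x401010: LIBRARY["lib_add_args"],
    0x401020: [("push", (("reg", "ebp"),)),
               ("mov", (("reg", "ebp"), ("reg", "esp"))),
               ("call", (("mem", "sub_402000"),)),
               ("pop", (("reg", "ebp"),)),
               ("ret", ())],
}


if __name__ == "__main__":
    index = build_index(LIBRARY)
    for ea, name in match_functions(SAMPLE, index).items():
        print(hex(ea), "->", name or "no match (analyse manually)")
```

In a real run the library side is produced by disassembling the matching OpenSSL build with its symbols, and only unambiguous matches are imported as names; everything returned by unmatched() is what an analyst still has to look at.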

    Figure 7: OpenSSL functions

    (This blog is continued on the next page)

    BlueHat v16 Announced
    https://blogs.technet.microsoft.com/bluehat/2016/06/01/bluehatv16/
    Wed, 01 Jun 2016 19:59:41 +0000

    Microsoft is pleased to announce our sixteenth BlueHat Security Conference, set for November 3-4, 2016 at the Microsoft Conference Center here in Redmond. BlueHat is a unique opportunity for Microsoft engineers and the security community to come together to learn about the current threat landscape and to challenge the thinking and the actions we take in security. This past January saw 1,000 participants from around the world engage in this forum. We are excited to formally begin the push for our next conference!

    At this time we are also opening the call for papers. The blend of external and internal speakers that help challenge us around the security issues pressing our customers makes this conference great. The call for papers will run June 1st through August 19th, 2016. We are looking for abstract submissions with clear calls to action for our engineering focused audience. Some possible themes we are interested in seeing abstracts on are:

    • Virtualization & Cloud-based research, exploits, and defense
    • How customers are getting owned (case studies and research)
    • New Exploit techniques
    • Emerging Threats & Trends
    • Anti-exploitation techniques
    • Human Hacking & Defense
    • Identity & Authentication research, exploits, and defense
    • Infrastructure & IoT Security research, exploits, and defense
    • Machine learning & security analytics

    The field for abstracts is wide open. Come challenge us and help to shape how Microsoft thinks about security! This year we have a new tool which should make submitting abstracts easier. There are also examples of what has worked well in the past for some of the specific requirements. Submit your abstracts here: https://aka.ms/bhcfp/.   

    Watch this blog over the summer as we will release more information and previews for BlueHat v16. We look forward to hearing from you and meeting again in November.

    Phillip Misner,

    Principal Security Group Manager, MSRC

    BlueHat v16 Survey Completion Give-Away Rules

    As part of the Microsoft BlueHat v16 Conference, Microsoft will conduct a give-away of the prizes described in the prizes section below. A reconciliation of attendees and end-of-event survey completions will occur to determine eligible participants. Any duplications will be removed, as only one entry per person is allowed. A random drawing by a disinterested party will occur based on the list of eligible personnel who have submitted their end-of-event surveys by midnight on 11/9/2016. All decisions regarding winners by the event organizers are final.

    Prizes: As part of the BlueHat Conference, Microsoft will select one individual to receive a Microsoft Xbox One valued at $399 and 20 individuals to receive a Starbucks gift card valued at $10 each.

    Eligibility: The give-away is open to all the BlueHat v16 attendees (to External attendees, Microsoft FTEs and Interns, and Contingent Staff) who attend the conference either in person or via Live Streaming, and COMPLETE the End of Day Surveys. Personnel who are unable to attend due to technical issues, geography, or other events that prohibit attendance are not eligible. Additionally, personnel who view only the On Demand videos after the event and event organizers are not eligible.

    Any questions regarding this give-away should be sent to bluehat@microsoft.com.

    BlueHat v16 Give-Away Winners

    Microsoft Xbox One Winner
    • Leith Malick (CELA)
    $10 Starbucks Gift Card Winners
    1. Al Billings
    2. Alex Berry
    3. Alex Schneider (AZURE)
    4. Bryan Dent
    5. Dmitry Samosseiko
    6. Duncan Chan
    7. Elliot Kirk
    8. Gladys Rodriguez
    9. Henri-Bastien Lamontagne
    10. Jerry Cochran
    11. Luiz Mello
    12. Mechele Gruhn
    13. Roberto Bamberger
    14. Scott Harvey
    15. Scott Robinson (NT)
    16. Stephanie Calabrese
    17. Stephen Byer
    18. Tomas Matousek
    19. Val Saengphaibul
    20. Vinay Prabhushankar

    Learn More About BlueHat v16 Call for Papers: BlueHat v16 CFP Instructions

    Link (.lnk) to Ransom
    https://blogs.technet.microsoft.com/mmpc/2016/05/26/link-lnk-to-ransom/
    Fri, 27 May 2016 05:17:43 +0000

    We are alerting Windows users of a new type of ransomware that exhibits worm-like behavior. This ransomware leverages removable and network drives to propagate itself and affect more users. We detect this ransomware as Ransom:Win32/ZCryptor.A.

    Infection vector

    Ransom:Win32/ZCryptor.A is distributed through the spam email infection vector. It also gets installed on your machine through other macro malware*, or fake installers (Flash Player setup).

    Once ZCryptor is executed, it will make sure it runs at start-up:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    zcrypt = {path of the executed malware}

    It also drops autorun.inf on removable drives and a zcrypt.lnk in the start-up folder:

    %User Startup%\zcrypt.lnk

    ...along with a copy of itself as {Drive}:\system.exe and %APPDATA%\zcrypt.exe, and changes the file attributes to hide itself from the user in File Explorer.

    For example: c:\users\administrator\appdata\roaming\zcrypt.exe

    Payload

    This ransomware will display the following ransom note to users in a dropped HTML file How to decrypt files.html:

    Screenshot of Win32/ZCryptor.A ransom note

    It also targets and encrypts files with the following extensions, and changes the file extension to .zcrypt once it is done (for example, <originalfilename.zcrypt>):

    .accdb .dwg .odb .raf
    .apk .dxg .odp .raw
    .arw .emlx .ods .rtf
    .aspx .eps .odt .rw2
    .avi .erf .orf .rwl
    .bak .gz .p12 .sav
    .bay .html .p7b .sql
    .bmp .indd .p7c .srf
    .cdr .jar .pdb .srw
    .cer .java .pdd .swf
    .cgi .jpeg .pdf .tar
    .class .jpg .pef .tar
    .cpp .jsp .pem .txt
    .cr2 .kdc .pfx .vcf
    .crt .log .php .wb2
    .crw .mdb .png .wmv
    .dbf .mdf .ppt .wpd
    .dcr .mef .pptx .xls
    .der .mp4 .psd .xlsx
    .dng .mpeg .pst .xml
    .doc .msg .ptx .zip
    .docx .nrw .r3d .3fr

    Infected machines are observed to have a zcrypt1.0 mutex. The mutex denotes that an instance of this ransomware is already running on the infected machine.

    We have also seen a connection to the following URL. However, the domain was already down when we were testing:

    http://<obfuscated>/rsa/rsa.php?computerid={Computer_ID}, where {Computer_ID} is an entry found inside the dropped file %APPDATA%\cid.ztxt

    For example, c:\users\administrator\appdata\roaming\cid.ztxt
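
The host artifacts listed above (Run key value, dropped files, drive-root copies, ransom note, .zcrypt extension and mutex) can be turned into a triage check. The following Python script is added here as an example and is not part of the original post or of any Microsoft tool; the host data it runs on is constructed, and the folder checks (%APPDATA% resolved to ...\AppData\Roaming, the per-user Startup folder) are this example’s assumptions.

```python
import ntpath  # Windows path semantics on any platform
from typing import Dict, List

# Host artifacts described in the post, compared case-insensitively.
RUN_VALUE_NAME = "zcrypt"                          # HKCU\...\CurrentVersion\Run value name
MUTEX_NAME = "zcrypt1.0"
APPDATA_DROPS = ("zcrypt.exe", "cid.ztxt")         # dropped under %APPDATA%
STARTUP_LNK = "zcrypt.lnk"                         # dropped in the user's Startup folder
DRIVE_ROOT_DROPS = ("system.exe", "autorun.inf")   # root of (removable) drives
RANSOM_NOTE = "how to decrypt files.html"
ENCRYPTED_EXT = ".zcrypt"


def triage(run_values: Dict[str, str], files: List[str], mutexes: List[str]) -> Dict[str, List[str]]:
    """Group observed artifacts by the ZCryptor indicator they match.

    run_values: value name -> data for the current user's Run key
    files:      full Windows paths observed on the host
    mutexes:    mutex object names observed on the host
    """
    hits: Dict[str, List[str]] = {}

    def add(category: str, item: str) -> None:
        hits.setdefault(category, []).append(item)

    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME:
            add("run_key", data)

    for path in files:
        drive, rest = ntpath.splitdrive(path)
        folder, base = ntpath.split(rest)
        base_l, folder_l = base.lower(), folder.lower()
        if base_l in APPDATA_DROPS and folder_l.endswith(r"\appdata\roaming"):
            add("appdata_drop", path)
        elif base_l == STARTUP_LNK and folder_l.endswith(r"\startup"):
            add("startup_lnk", path)
        elif base_l in DRIVE_ROOT_DROPS and folder == "\\" and drive:
            add("drive_root_drop", path)
        elif base_l == RANSOM_NOTE:
            add("ransom_note", path)
        elif base_l.endswith(ENCRYPTED_EXT):
            add("encrypted_file", path)

    for mutex in mutexes:
        # Object manager names carry a directory prefix; compare the last component only.
        if mutex.rsplit("\\", 1)[-1].lower() == MUTEX_NAME:
            add("mutex", mutex)

    return hits


def verdict(hits: Dict[str, List[str]]) -> str:
    """The mutex or the Run value alone is specific enough; otherwise require two indicator types."""
    if "mutex" in hits or "run_key" in hits or len(hits) >= 2:
        return "likely Ransom:Win32/ZCryptor.A"
    if hits:
        return "weak indicators, investigate"
    return "no indicators"


# Constructed sample host data (not from a real infection) for exercising triage().
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\administrator\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    "zcrypt": r"C:\Users\administrator\AppData\Roaming\zcrypt.exe",
}
SAMPLE_FILES = [
    r"C:\Users\administrator\AppData\Roaming\zcrypt.exe",
    r"C:\Users\administrator\AppData\Roaming\cid.ztxt",
    r"C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zcrypt.lnk",
    r"E:\system.exe",
    r"E:\autorun.inf",
    r"C:\Users\administrator\Documents\How to decrypt files.html",
    r"C:\Users\administrator\Documents\budget.xlsx.zcrypt",
    r"C:\Users\administrator\Documents\photo.jpg.zcrypt",
    r"C:\Users\administrator\Documents\notes.txt",
]
SAMPLE_MUTEXES = [r"\Sessions\1\BaseNamedObjects\zcrypt1.0", r"\BaseNamedObjects\SomeOtherMutex"]


if __name__ == "__main__":
    found = triage(SAMPLE_RUN_VALUES, SAMPLE_FILES, SAMPLE_MUTEXES)
    for category, items in found.items():
        print(category, items)
    print(verdict(found))
```

The inputs are deliberately plain lists and dictionaries so the same logic can be fed from whatever inventory a responder has (a registry export, a file listing, a process or handle dump) without binding the check to one collection tool.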

    Prevention

    To help stay protected:

    • Keep your Windows operating system and antivirus up to date. Upgrade to Windows 10.
    • Regularly back up your files to an external hard drive
    • Enable File History or System Protection. On your Windows 10 or Windows 8.1 devices, you must have File History enabled and you have to set up a drive for File History
    • Use OneDrive for Business
    • Beware of phishing emails, spam, and clicking on malicious attachments
    • Use Microsoft Edge to get SmartScreen protection. It will prevent you from browsing sites that are known to be hosting exploits, and protect you from socially-engineered attacks such as phishing and malware downloads.
    • Disable the loading of macros in your Office programs
    • Disable the Remote Desktop feature whenever possible
    • Use two-factor authentication
    • Use a safe internet connection
    • Avoid browsing websites that are known for being malware breeding grounds (illegal download sites, porn sites, etc.)

    Detection

    Recovery

    In Office 365’s How to deal with ransomware blog, there are several options on how one can remediate or recover from a ransomware attack. Here are some of the few that are applicable for a home user or those in the information industry like you:

    1. Make sure you have backed-up your files.
    2. Recover the files in your device. If you have previously turned File History on in Windows 10 and Windows 8.1 devices or System Protection in Windows 7 and Windows Vista devices, you can (in some cases) recover your local files and folders.

    To restore your files or folders in Windows 10 and Windows 8.1:

    • Swipe in from the right edge of the screen, tap Search (or if you’re using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Search). Enter “restore your files” in the search box, and then tap or click Restore your files with File History.
    • Enter the name of file you’re looking for in the search box, or use the left and right arrows to browse through different versions of your folders and files.
    • Select what you want to restore to its original location, and then tap or click the Restore button. If you want to restore your files onto a different location than the original, press and hold, or right-click the Restore button, tap or click Restore To, and then choose a new location.

    Source: Restore files or folders using File History

    To restore your files in Windows 7 and Windows Vista

    • Right-click the file or folder, and then click Restore previous versions. You’ll see a list of available previous versions of the file or folder. The list will include files saved on a backup (if you’re using Windows Backup to back up your files) as well as restore points. Note: To restore a previous version of a file or folder that’s included in a library, right-click the file or folder in the location where it’s saved, rather than in the library. For example, to restore a previous version of a picture that’s included in the Pictures library but is stored in the My Pictures folder, right-click the My Pictures folder, and then click Restore previous versions. For more information about libraries, see Include folders in a library.
    • Before restoring a previous version of a file or folder, select the previous version, and then click Open to view it to make sure it’s the version you want. Note: You can’t open or copy previous versions of files that were created by Windows Backup, but you can restore them.
    • To restore a previous version, select the previous version, and then click Restore.

    Warning: The file or folder will replace the current version on your computer, and the replacement cannot be undone. Note: If the Restore button isn’t available, you can’t restore a previous version of the file or folder to its original location. However, you might be able to open it or save it to a different location.

    Source: Previous versions of files: frequently asked questions

    Important: Some ransomware will also encrypt or delete the backup versions and will not allow you to do the actions described before. If this is the case, you need to rely on backups in external drives (not affected by the ransomware) or OneDrive (Next step).

    Warning: If the folder is synced to OneDrive and you are not using the latest version of Windows, there might be some limitations using File History.

    1. Recover your files in your OneDrive for Consumer
    2. Recover your files in your OneDrive for Business

    If you use OneDrive for Business, it will allow you to recover any files you have stored in it. You can use either of the following options:

    Restore your files using the Portal

    Users can restore previous versions of a file through the user interface. To do this:

    1. Go to OneDrive for Business in the office.com portal

    2. Right click the file you want to recover, and select Version History.

    3. Click the dropdown list of the version you want to recover and select Restore

    If you want to learn more about this feature, take a look at the Restore a previous version of a document in OneDrive for Business support article.

    Create a Site Collection Restore service request

    If a large number of files were impacted, using the user interface in the portal will not be a viable option. In this case, create a support request for a ‘Site Collection Restore’. This request can restore up to 14 days in the past. To learn how to do this please take a look at the Restore Option in SharePoint Online blog post.

    *Related macro malware information:

    Edgardo Diaz and Marianne Mallen

    Microsoft Malware Protection Center (MMPC)

    Limited Periodic Scanning in Windows 10 to Provide Additional Malware Protection
    https://blogs.technet.microsoft.com/mmpc/2016/05/26/limited-periodic-scanning-in-windows-10-to-provide-additional-malware-protection/
    Thu, 26 May 2016 22:30:03 +0000

    Every month, Microsoft’s Malicious Software Removal Tool (MSRT) scans more than 500 million Windows devices for malware and malicious software. This tool aids in the detection and removal of malware from 1 to 2 million machines each time, even on those devices running antivirus software. Meanwhile, many Windows customers continue to use the Microsoft Safety Scanner (MSS) to manually scan their PC for malware.

    Windows 10 is the most secure operating system Microsoft has ever shipped, and we continue to make it better with regular security updates and new features. For example, we’re making malware detection and protection even easier and more seamless for our customers, whether they choose to use the built-in Windows Defender antivirus or a third-party antivirus solution. Starting with the Windows 10 Anniversary Update this summer—and available in this week’s Windows Insider build—Windows 10 will include a new security setting called Limited Periodic Scanning. Windows Insiders can enable this feature on unmanaged devices today.

    When enabled, Windows 10 will use the Windows Defender scanning engine to periodically scan your PC for threats and remediate them.  These periodic scans will utilize Automatic Maintenance—to ensure the system chooses optimal times based on minimal impact to the user, PC performance, and energy efficiency—or customers can schedule these scans. Limited Periodic Scanning is intended to offer an additional line of defense to your existing antivirus program’s real-time protection.

     

    Enabling Windows 10 Limited Periodic Scanning

    If you are not using Windows Defender as your antivirus program on Windows 10, you can enable Limited Periodic Scanning under Settings.

    1. Navigate to Settings -> Update & Security -> Windows Defender.
    2. Turn Limited Periodic Scanning on.

    Screenshot of the Limited Periodic Scanning option

    If you are already using Windows Defender as your antivirus program on Windows 10, then you already have this feature enabled. Windows Defender periodically scans your PC, also known as Scheduled scans.

     

    Notifying you of threats found on your PC

    When Windows 10 Limited Periodic Scanning is turned ON, and even if you are NOT using Windows Defender for your real-time protection, the Windows Defender user interface and History tab will allow you to view any additional threats that have been detected.

    Screenshot of Windows Defender periodic scanning settings

    Screenshot of the Windows Defender History settings

    When a threat is found, Windows Defender will notify you with a Windows 10 notification. In most cases, Windows Defender will also automatically take action on the threat. Clicking on the notification will open Windows Defender where you can further review the threat that was found and the action that was automatically taken.

    Screenshot of the Windows Defender scan notification

    Clicking the notification will take you to the Windows Defender main user interface, where additional actions (if required) can be taken and applied.

    At this time, Windows 10 Limited Periodic Scanning is intended for consumers. We are evaluating this feature for commercial customers, but Limited Periodic Scanning only applies to unmanaged devices for the Windows 10 Anniversary Update.

    Windows 10 is our most secure operating system yet, and we will continue to improve Windows 10 with features like Limited Periodic Scanning. With Windows 10, you can rest assured you’ll always have the latest security protections. To learn more about the security features offered in Windows 10 visit: http://www.microsoft.com/security.

     

     

    Deepak Manohar

    Microsoft Malware Protection Center

    The 5Ws and 1H of Ransomware

    https://blogs.technet.microsoft.com/mmpc/2016/05/18/the-5ws-and-1h-of-ransomware/

    Thu, 19 May 2016 06:00:40 +0000

    For the past three months, we have seen ransomware hop its way across the globe. The majority of the ransomware incidents are found in the United States, followed by Italy and Canada.

    Ransomware geographical distribution from February to April 2016

    The prevalence of large-scale ransomware incidents led the United States and Canadian governments to issue a joint statement about ransomware. Due to the global ransomware incidents, the Swiss government along with some industry players will also hold the Ransomware InfoDay today, May 19, 2016, as part of the ransomware awareness campaigns.

    The following table shows the top 20 countries where ransomware is most prevalent.

    Top 20 countries with the most prevalent ransomware incidents

    This blog answers the frequently asked questions (who, what, where, when, why, and how) about a malware with an effect so tangible that it manages to lock your files, extort money from you, and disrupt important public and private operations.

    Case in point: RANSOMWARE

     

    Whom does it affect?

    You! Do you use any mobile devices, PC, laptop, or the internet for surfing, emailing, working, or shopping online?

    Who could be a ransomware victim?

    If yes, then you are a potential ransomware victim. Ensure that precautionary measures are taken, see the Prevention section for details.

     

     

    What is ransomware?

    Ransomware is malware that stealthily gets installed on your PC or mobile device and holds your files or operating system functions for ransom. It prevents you from using your PC or mobile device, and from accessing your files (files are sometimes locked or encrypted), unless you pay the ransom (in exchange for file decryption).

    Paying the ransom (either through credit card or Bitcoins) however, does not guarantee that you’ll get your files back. Prevention is still way better than allowing yourself to be infected and then trying to find a cure. See our Ransomware page for details.

     

     

    What does a ransomware attack look like?

    Ransomware targets your pictures, documents, files, and data that are personally invaluable.

    You can tell that you are under attack when you see any of the following:

    • Ransomware note
    • Encrypted files
    • Renamed files
    • Locked browser
    • Locked screen

    However, the ransomware attack symptom varies from one ransomware type to another:

    Sample ransomware lockscreens and ransom notes

     

    What!?! There are several ransomware types?

    Yes. Since it first surfaced in 1989, ransomware has morphed into different forms, adapting to people’s computing habits and leveraging new technologies and whatever monetization strategies are available.

    There are two types of ransomware – lockscreen ransomware and encryption ransomware.

    • Lockscreen ransomware shows a full-screen message that prevents you from accessing your PC or files. It says you have to pay money (a “ransom”) to get access to your PC again.
    • Encryption ransomware changes your files so you can’t use them. It does this by encrypting the files – see the Details for enterprises section if you’re interested in the technologies and techniques we’ve seen.

    Older versions of ransomware usually claim you have done something illegal with your PC, and that you are being fined by a police force or government agency.

    These claims are false. It is a scare tactic designed to make you pay the money without telling anyone who might be able to restore your PC.

    Ransomware history from 1989 to 2016

     

    Where can a ransomware attack happen?

    Computers and mobile devices.

    Ransomware employs its encryption and monetization strategies across PC and mobile devices.

     

     

     

     

    When can a ransomware attack start?

    Ransomware attack workflow

    Potential victims can fall into the ransomware trap if they are:

    • Browsing untrusted websites
    • Carelessly downloading or opening file attachments from spam emails, which are known to carry malicious code. That also includes compressed files or files inside archives. Some possible attachments can be:
      • Executables (.ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .hlp, .ht, .hta, .inf, .ins, .isp, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .pcd, .reg, .scr, .sct, .shs, .url, .vb, .vbe, .vbs, .wsc, .wsf, .wsh, .exe, .pif, etc.)
      • Office files that support macros (.doc, .xls, .docm, .xlsm, .pptm, etc.)
    • Installing pirated software, outdated software programs or operating systems
    • Using a PC that is connected to an already infected network
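The attachment types listed above are what a mail filter, or a careful user, should treat as risky, and the post notes that the same files are also hidden inside compressed files. As an added example, not from the original post, here is a small Python checker that applies the post's two extension lists to an attachment name and descends into ZIP archives. The function names, the ZIP-only archive handling, the member size limit and the sample attachments are constructed for this example.

```python
"""Flag risky email attachments by the extension lists given in the post,
descending into ZIP archives. Added example; names, limits and sample data
are constructed here and are not from the original post."""
import io
import zipfile
from pathlib import PurePosixPath

# Extension lists as given in the post.
EXECUTABLE_EXTS = {
    ".ade", ".adp", ".ani", ".bas", ".bat", ".chm", ".cmd", ".com", ".cpl",
    ".crt", ".hlp", ".ht", ".hta", ".inf", ".ins", ".isp", ".job", ".js",
    ".jse", ".lnk", ".mda", ".mdb", ".mde", ".mdz", ".msc", ".msi", ".msp",
    ".mst", ".pcd", ".reg", ".scr", ".sct", ".shs", ".url", ".vb", ".vbe",
    ".vbs", ".wsc", ".wsf", ".wsh", ".exe", ".pif",
}
MACRO_OFFICE_EXTS = {".doc", ".xls", ".docm", ".xlsm", ".pptm"}
ARCHIVE_EXTS = {".zip"}             # assumption: only ZIP archives are opened here
MAX_MEMBER_BYTES = 5 * 1024 * 1024  # assumption: skip oversized members (zip-bomb guard)


def classify_name(name):
    """Return a reason string if the file name is risky, else None.
    Windows launches a file by its last extension, so 'Invoice.pdf.js'
    is a .js script; the extra extension is reported as a disguise."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes:
        return None
    last = suffixes[-1]
    if last in EXECUTABLE_EXTS:
        reason = f"executable type {last}"
    elif last in MACRO_OFFICE_EXTS:
        reason = f"macro-capable Office type {last}"
    else:
        return None
    inner = suffixes[:-1]
    if inner and all(s[1:].isalnum() for s in inner):
        reason += f" disguised behind {''.join(inner)}"
    return reason


def scan_attachment(name, data, depth=0, max_depth=3):
    """Return [(path, reason), ...] for one attachment, recursing into ZIPs."""
    findings = []
    reason = classify_name(name)
    if reason:
        findings.append((name, reason))
    if PurePosixPath(name).suffix.lower() in ARCHIVE_EXTS and depth < max_depth:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    member = f"{name}/{info.filename}"
                    if info.file_size > MAX_MEMBER_BYTES:
                        findings.append((member, "member too large to inspect"))
                        continue
                    for path, why in scan_attachment(
                            info.filename, zf.read(info), depth + 1, max_depth):
                        findings.append((f"{name}/{path}", why))
        except zipfile.BadZipFile:
            findings.append((name, "archive could not be parsed"))
    return findings


def build_sample_attachment():
    """Constructed sample: a ZIP holding a disguised script, a harmless text
    file and a nested ZIP with a macro-enabled document. Contents are dummies."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("order.docm", b"constructed placeholder, not a document")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Invoice_2016.pdf.js", b"// constructed placeholder")
        z.writestr("readme.txt", b"hello")
        z.writestr("more.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, why in scan_attachment("attachments.zip", build_sample_attachment()):
        print(f"{path}: {why}")
```

The checker judges only by name, which is exactly the signal the post's list gives; a mail gateway would combine it with content inspection, and the depth and size limits exist so that a crafted archive cannot stall the scanner.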

     

    Why do malware perpetrators victimize people with ransomware?

    Because they have malicious or criminal intentions, and see it as an easy way to make money. They take advantage of people’s ignorance, unpatched software vulnerabilities, or zero-day vulnerabilities.

    Ransomware in the news affecting crucial public and private services

     

    For enterprises, it also mars a company’s security and reputation, as some ransomware incidents halt crucial services such as hospitals, forcing infected users to pay up if they haven’t backed up their data.

    Why must you educate yourself about ransomware?

    Because it can take your hard-earned money in exchange for the stuff you already own: your data or files! Exxroute ransomware, for example, demands $500 and doubles the ransom as you delay the payment. It also starts deleting your files if you delay the payment.

    It can also violate your privacy, disrupt your work or personal life, and possibly harm your reputation.

    If the ransomware perpetrators are cashing in on people’s ignorance, then educating yourself about it can help disrupt their business.

    Download the ransomware infographics here.

    How can you avoid and bounce back from a ransomware attack?

    Prevention

    • Keep your Windows operating system and antivirus up to date. Upgrade to Windows 10.
    • Regularly back up your files to an external hard drive.
    • Enable File History or System Protection. On your Windows 10 or Windows 8.1 devices, you must have File History enabled and set up a drive for it.
    • Use OneDrive for Consumer or for Business.
    • Beware of phishing emails and spam, and avoid clicking malicious attachments.
    • Use Microsoft Edge to get SmartScreen protection. It will prevent you from browsing sites that are known to host exploits, and protect you from socially engineered attacks such as phishing and malware downloads.
    • Disable the loading of macros in your Office programs.
    • Disable your Remote Desktop feature whenever possible.
    • Use two-factor authentication.
    • Use a safe, password-protected internet connection.
    • Avoid browsing websites that are known for being malware breeding grounds (illegal download sites, porn sites, etc.).

    Detection

    Recovery

    In Office 365’s How to deal with ransomware blog, there are several options on how one can remediate or recover from a ransomware attack. Here are some of the few that are applicable for a home user or those in the information industry like you:

    1. Make sure you have backed up your files.
    2. Recover the files in your device. If you have previously turned File History on in Windows 10 and Windows 8.1 devices or System Protection in Windows 7 and Windows Vista devices, you can (in some cases) recover your local files and folders.

    To restore your files or folders in Windows 10 and Windows 8.1:

    • Swipe in from the right edge of the screen, tap Search (or if you’re using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Search). Enter “restore your files” in the search box, and then tap or click Restore your files with File History.
    • Enter the name of file you’re looking for in the search box, or use the left and right arrows to browse through different versions of your folders and files.
    • Select what you want to restore to its original location, and then tap or click the Restore button. If you want to restore your files onto a different location than the original, press and hold, or right-click the Restore button, tap or click Restore To, and then choose a new location.

    Source: Restore files or folders using File History

    To restore your files in Windows 7 and Windows Vista

    • Right-click the file or folder, and then click Restore previous versions. You’ll see a list of available previous versions of the file or folder. The list will include files saved on a backup (if you’re using Windows Backup to back up your files) as well as restore points. Note: To restore a previous version of a file or folder that’s included in a library, right-click the file or folder in the location where it’s saved, rather than in the library. For example, to restore a previous version of a picture that’s included in the Pictures library but is stored in the My Pictures folder, right-click the My Pictures folder, and then click Restore previous versions. For more information about libraries, see Include folders in a library.
    • Before restoring a previous version of a file or folder, select the previous version, and then click Open to view it to make sure it’s the version you want. Note: You can’t open or copy previous versions of files that were created by Windows Backup, but you can restore them.
    • To restore a previous version, select the previous version, and then click Restore.

    Warning: The file or folder will replace the current version on your computer, and the replacement cannot be undone. Note: If the Restore button isn’t available, you can’t restore a previous version of the file or folder to its original location. However, you might be able to open it or save it to a different location.

    Source: Previous versions of files: frequently asked questions

    Important: Some ransomware will also encrypt or delete the backup versions and will not allow you to do the actions described before. If this is the case, you need to rely on backups in external drives (not affected by the ransomware) or OneDrive (Next step).

    Warning: If the folder is synced to OneDrive and you are not using the latest version of Windows, there might be some limitations using File History.

    3. Recover your files in your OneDrive for Consumer.

    4. Recover your files in your OneDrive for Business.

    If you use OneDrive for Business, it will allow you to recover any files you have stored in it. You can use either of the following options:

    Restoring the files using the Portal

    Users can restore a previous version of the file through the user interface. To do this you can:

    1. Go to OneDrive for Business in the office.com portal.

    2. Right click the file you want to recover, and select Version History.

    3. Click the dropdown list of the version you want to recover and select Restore.

     

    If you want to learn more about this feature, take a look at the Restore a previous version of a document in OneDrive for Business support article.

    Site Collection Restore service request

    If a large number of files were impacted, using the user interface in the portal will not be a viable option. In this case, create a support request for a ‘Site Collection Restore’. This request can restore up to 14 days in the past. To learn how to do this please take a look at the Restore Option in SharePoint Online blog post.

     

    Microsoft Malware Protection Center

     

    Malicious macro using a sneaky new trick

    https://blogs.technet.microsoft.com/mmpc/2016/05/17/malicious-macro-using-a-sneaky-new-trick/

    Wed, 18 May 2016 03:13:34 +0000

    We recently came across a file (ORDER-549-6303896-2172940.docm, SHA1: 952d788f0759835553708dbe323fd08b5a33ec66) containing a VBA project that scripts a malicious macro (SHA1: 73c4c3869304a10ec598a50791b7de1e7da58f36). We added it under the detection TrojanDownloader:O97M/Donoff – a large family of Office-targeting macro-based malware that has been active for several years (see our blog category on macro-based malware for more blogs).

    However, there wasn’t an immediate, obvious identification that this file was actually malicious. It’s a Word file that contains seven VBA modules and a VBA user form with a few buttons (using the CommandButton elements).

    Screenshot of VBA script editor showing the user form and list of modules

    The VBA user form contains three buttons

     

    The VBA modules look like legitimate SQL programs driven by a macro; no malicious code was found there. However, after further investigation we noticed a strange string in the Caption field for CommandButton3 in the user form.

    It appeared to be some sort of encrypted string.

    We went back and reviewed the other modules in the file, and sure enough, there’s something unusual going on in Module2. A macro there (UsariosConectados) decrypts the string in the Caption field for CommandButton3, which turns out to be a URL. It uses the default autoopen() macro to run the entire VBA project when the document is opened.

    Screenshot of the VBA macro script in Module2 that decrypts the Caption string

    The macro script in Module2 decrypts the string in the Caption field

     

    The macro will connect to the URL (hxxp://clickcomunicacion.es/<uniqueid>) to download a payload which we detect as Ransom:Win32/Locky (SHA1: b91daa9b78720acb2f008048f5844d8f1649a5c4).

    The VBA project (and, therefore, the macro) will automatically run if the user enables macros when opening the file – our strongest suggestion for the prevention of Office-targeting macro-based malware is to only enable macros if you wrote the macro yourself, or completely trust and know the person who wrote it.
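The trick described above is that the VBA modules themselves look clean while the payload string sits in a UserForm control's Caption property and an auto-run macro decodes it. As an added example (not MMPC tooling and not the real sample), the Python below scores extracted VBA source for that combination of indicators and flags control captions that read like encoded blobs rather than button labels. It assumes the VBA source and form properties have already been extracted by a tool such as olevba; the indicator regexes, the verdict thresholds, the entropy cut-off and the sample module are all constructed here.

```python
"""Score extracted VBA source and UserForm control captions for the pattern
described in the post: an auto-run macro that reads a control property,
decodes it with string functions and hands the result to a network or
execution object. Added example, not the MMPC's tooling; the indicator
lists, thresholds and the sample module are constructed here."""
import math
import re
from collections import Counter

# Indicator families (regexes constructed for this example).
INDICATORS = {
    "auto_exec": re.compile(
        r"\b(?:AutoOpen|Auto_Open|Document_Open|Workbook_Open|AutoExec|AutoClose)\b", re.I),
    "control_property_read": re.compile(
        r"\b(?:CommandButton|Label|TextBox|UserForm)\w*\.(?:Caption|Tag|Text|ControlTipText)\b", re.I),
    "string_decoding": re.compile(r"\b(?:Chr|ChrW|Asc|AscW|Mid|StrReverse|Xor)\b", re.I),
    "network": re.compile(r"MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest|URLDownloadToFile|InternetOpen", re.I),
    "execution": re.compile(r"\b(?:Shell|WScript\.Shell|CreateObject)\b", re.I),
}


def count_indicators(vba_source):
    """Count matches of each indicator family in VBA source text."""
    return {name: len(rx.findall(vba_source)) for name, rx in INDICATORS.items()}


def verdict(counts):
    """Combine counts into a coarse verdict (thresholds are an assumption)."""
    reads_control = counts["control_property_read"] > 0
    decodes = counts["string_decoding"] >= 2
    acts = counts["network"] > 0 or counts["execution"] > 0
    if counts["auto_exec"] and reads_control and decodes and acts:
        return "suspicious"
    if counts["auto_exec"] and acts:
        return "review"
    return "low"


def shannon_entropy(text):
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0


def looks_encoded(caption, min_len=16, min_entropy=3.5):
    """Flag a control caption that reads like an encoded blob rather than a
    button label: long, no spaces, high character entropy (assumed thresholds)."""
    caption = caption.strip()
    if len(caption) < min_len or " " in caption:
        return False
    return shannon_entropy(caption) >= min_entropy


# Constructed sample mirroring the post's description; it is not the real
# module and performs no download or execution.
SAMPLE_MODULE2 = r'''
Sub autoopen()
    UsariosConectados
End Sub

Sub UsariosConectados()
    Dim s As String, out As String, i As Integer
    s = UserForm1.CommandButton3.Caption
    For i = 1 To Len(s)
        out = out & Chr(Asc(Mid(s, i, 1)) Xor 7)
    Next i
    Set h = CreateObject("MSXML2.XMLHTTP")
End Sub
'''

SAMPLE_CAPTIONS = {
    "CommandButton1": "Conectar",
    "CommandButton2": "Salir",
    "CommandButton3": "k3Zq9xP2mLv8Rt4Wn1Yb7Hc0Jd6Fg5Sa",  # constructed blob
}


def analyze(vba_source, captions):
    """Return indicator counts, the verdict and the captions that look encoded."""
    counts = count_indicators(vba_source)
    odd_captions = [name for name, cap in captions.items() if looks_encoded(cap)]
    return {"counts": counts, "verdict": verdict(counts), "encoded_captions": odd_captions}


if __name__ == "__main__":
    print(analyze(SAMPLE_MODULE2, SAMPLE_CAPTIONS))
```

The caption check is the part that a module-only review misses: a string of 32 mixed characters with no spaces is not a button label, and pairing it with a Caption read inside an auto-run macro is what separates this file from ordinary macro-driven SQL tooling.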

    See our threat intelligence report on macros and our macro-based malware page for further guidance on preventing and recovering from these types of attacks.

    -Marianne Mallen and Wei Li
    MMPC

    Large Kovter digitally-signed malvertising campaign and MSRT cleanup release

    https://blogs.technet.microsoft.com/mmpc/2016/05/10/large-kovter-digitally-signed-malvertising-campaign-and-msrt-cleanup-release/

    Tue, 10 May 2016 22:12:20 +0000

    Kovter is a malware family that is well known for being tricky to detect and remove because of its file-less design after infection. Users in the United States are almost exclusively targeted, and infected PCs are used to perform click fraud and install additional malware on your machine.

    Starting April 21, 2016, we observed a large Kovter malware attack where in just a week and a half we protected over 350,000 PCs from this threat. Interestingly, for this campaign the attackers managed to acquire trusted SSL digital certificates to secure an HTTPS SSL connection and their own code signing certificate to sign the downloaded malware with.

    Kovter carried out this attack campaign using a technique called malvertising, masquerading as a fake Adobe Flash update. In this blog we will share some research into the structure of their malvertising attack, how our MSRT release will be cleaning it up, and the technical details of how Kovter installs and attempts to remain persistent as a file-less malware after it infects a PC.

    Kovter’s digitally signed malvertising campaign

    Malvertising is a technique used by bad actors to attack your PC: they buy advertisement space from ad networks, ad exchanges, and ad publishers. Their ads then appear on the many websites that use the same advertisement network, and attack some of the users as they visit those websites.

    Unlike typical advertisements that require a user click, malvertising attacks often attack as soon as you visit a website that displays them.

    Using this technique, we’ve seen malicious attackers use varied techniques such as:

    • Displaying repeated message boxes claiming your PC is infected and encouraging you to call a support phone number for help. These are malicious and they have not detected a problem on your PC.
    • Attempting to lock your browser and demanding payment as ransomware. You can close your browser or restart your computer to escape. This type of ransomware hasn’t really locked your PC.
    • Loading an exploit kit to attack your browser or browser plugin.
    • Claiming your browser, Adobe Flash Player, or Java is out of date and in need of an update. Often they will claim the update is required to view the website content or is needed for security reasons. Keeping these applications up to date is really important to keep your PC safe and secure from the latest vulnerabilities. However, you should never trust a website claiming to detect security problems on your PC. Instead, let these apps update themselves when they prompt you outside of your browser, or search for the official websites to install the missing components.

    The recent Kovter malvertising attack falls into this last category, using a social engineering attack that states that your Adobe Flash is out of date and needs to be updated for security reasons.

    Figure 1 below illustrates the Kovter infection chain used in this attack. Users visiting affected websites are redirected to fake pages impersonating Adobe’s Flash download page, which claim your Flash Player is out of date, and Trojan:Win32/Kovter is automatically downloaded under the name “FlashPlayer.exe”.

    Kovter infection chain

    Figure 1 – Kovter’s fake Adobe update malvertising infection chain

     

    For this most recent campaign, we saw Kovter perpetrators redirecting to the following domains:

    • aefoopennypinchingpolly.com
    • ahcakmbafocus.org
    • ahxuluthscsa.org
    • caivelitemind.com
    • ierietelio.org
    • paiyafototips.com
    • rielikumpara.org
    • siipuneedledoctor.com
    • ziejaweleda.org

    The domains from this campaign and previous campaigns commonly use the same domain registration information, and can be identified by:

    Admin Email: monty.ratliff@yandex.com

    As soon as the malicious advertisement is displayed, users are redirected to the Kovter social engineering page hosted using HTTPS according to the following pattern:

    https://<domain>/<random numbers>/<random hex>.html

    For example:

    hxxps://ahxuluthscsa.org/4792924404046/89597dd177df3daa78f184fe87c4386c.html

    By using HTTPS, your browser displays a ‘secure’ lock symbol – incorrectly adding to the user trust that the website is safe while at the same time preventing most network intrusion protection systems from protecting the user. Endpoint antimalware solutions, such as Windows Defender, still protect the user however. We were unable to confirm due to the servers being taken down, but reports online suggest trial COMODO SSL certificates were being used to secure these connections for the Kovter campaigns in the past.

    When you visit the website, it automatically downloads Kovter as “FlashPlayer.exe”. It downloads from the same domains using a pattern such as:

    hxxps://ahxuluthscsa.org/1092920552392/1092920552392/1461879398769944/FlashPlayer.exe

    Some example FlashPlayer.exe downloaded files for reference are as follows:

    SHA1                                      MD5
    eafe025671e6264f603868699126d4636f6636c7  c26b064b826f4c1aa6711b7698c58fc0
    0686c48fd59a899dfa9cbe181f8c52cbe8de90f0  e0a31d6b58017428dd8c907b14ea334e
    62690c0a5a9946f91855a476b7d92447e299c89a  18ccf307730767c4620ae960555b9237
    7a678fa58e310749362a432db9ff82aebfb6de62  f6406681e0652e33562d013a8c5329b9
    872d157c9c844636dda2f33be83540354e04f709  42b1b775945a4f21f6105df8e9c698c2
    37a8ad4a51b6f7b418c17abd8de9fc089a23125d  3767f655a462c4bf13ae83c5f7656af4
    cfebfe6d4065dd14493abeb0ae6508a6d874d809  a14a38ebe3856766d55c1af35fb1681f
    c48b21c854d6743c9ebe919bf1271cade9613890  321f9b3717655e1886305f4ca01129ad
    4df10be4b12f3c7501184097abee681a1045f2ed  0966f977c6d319e838be9b2ceb689fbe
    457f0f7fe85fb97841d748af04166f2a3e752efe  7214015e37750f3ee65d5054a5d1ff8a

     

    These downloaded Kovter files were digitally signed by a trusted COMODO certificate under the company name “Itgms Ltd” as follows:

    Comodo certificate

     

    We notified COMODO of the code signing abuse by Kovter and they have since revoked this certificate. We suspect that the actors behind Kovter code-signed their fake Adobe Flash installer to increase the number of users who trust the downloaded file and decide to run it.

    This is one of the largest cases of malware signed with a trusted code-signing certificate that we have seen: more than 350,000 unique machines running our security products were protected.

    Given that we haven’t seen this certificate used for non-Kovter files, we believe the private key for the certificate was not stolen but rather issued to the malware authors directly. The domain used by the contact email address to acquire the certificate (itgms.org) was registered November 10, 2015, just eight days before the certificate was acquired, but we did not observe this certificate signing files in the wild until this campaign ramped up a few weeks ago on April 21, 2016. To date, we have seen this certificate only being used to sign Kovter files.

    The sheer volume of PCs encountering Kovter during this attack, along with the attackers appearing to have been directly issued their own digital certificates is a cause for concern. Lucky for us, the digital signing actually worked to help us better identify files that are Kovter to better protect you – since we are able to uniquely identify and remove all files signed by this certificate. We will be continuing to monitor Kovter to keep you protected.

     

    MSRT coverage

    As part of our ongoing effort to provide better malware protection, the May release of the Microsoft Malicious Software Removal Tool (MSRT) includes detections for Kovter and Locky. Locky is a family of ransomware which uses infected Microsoft Office files to download the ransomware onto your PC.

    By adding Kovter and Locky detections to MSRT we hope to have a bigger impact by reaching more affected machines and helping remove these threats. However, as with all threats, prevention is the best protection.

     

    Kovter Installation

    On top of the recent Kovter Adobe Flash malvertising attack, we have also seen this trojan arrive as an attachment to spam emails. We have seen this malware being downloaded by TrojanDownloader:JS/Nemucod, for example:

    • Sha1: 36e81f09d2e1f9440433b080b056d3437a99a8e1
    • Md5: 74dccbc97e6bffbf05ee269adeaac7f8

    When Kovter is installed, the malware drops its main payload as data in a registry key (HKCU\software\<random_chars> or HKLM\software\<random_chars>). For example, we have seen it drop the payload into the following registry keys:

    • hklm\software\oziyns8
    • hklm\software\2pxhqtn
    • hkcu\software\mpcjbe00f
    • hkcu\software\fxzozieg

    Kovter then installs JavaScript as a run key registry value using paths that automatically run on startup such as:

    • hklm\software\microsoft\windows\currentversion\run
    • hklm\software\microsoft\windows\currentversion\policies\explorer\run
    • hklm\software\wow6432node\microsoft\windows\currentversion\run
    • hklm\software\wow6432node\microsoft\windows\currentversion\policies\explorer\run
    • hkcu\software\microsoft\windows\currentversion\run
    • hkcu\software\classes\<random_chars>\shell\open\command

    The dropped registry value usually has the format “mshta javascript: <malicious Kovter JavaScript>”. When executed at startup, this JavaScript loads the Kovter payload from the data registry key into memory and executes it.

    Once executing in memory, the malware also injects itself into legitimate processes including:

    • regsvr32.exe
    • svchost.exe
    • iexplorer.exe
    • explorer.exe

    After installation, the malware will remove the original installer from the disk leaving only registry keys that contain the malware.

     

    Payload

    Lowers Internet security settings

    It modifies the following registry entries to lower your Internet security settings:

    • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Sets value: “1400” With data: “0”
    • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Sets value: “1400” With data: “0”
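The two registry artefacts described in the Installation and Payload sections above, the "mshta javascript:" autorun values and the zone setting 1400 (Active Scripting) forced to 0 (Enable) in zones 1 and 3, are easy to hunt for in a registry export. The Python below is an added example, not MMPC tooling: it parses .reg text as produced by reg export and reports both artefacts. The autorun key paths are the ones listed in the post; the parser, the value names, the placeholder javascript: data and the sample export are constructed here.

```python
"""Hunt a registry export (.reg text) for the two Kovter artefacts described
above: mshta javascript: autorun values and the Internet zone changes.
Added example, not the MMPC's tooling; the parser, the value names and the
sample export are constructed here (the key paths come from the post)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    key: str
    name: str
    data: str
    reason: str


# Autorun locations listed in the post (searched case-insensitively, so the
# Wow6432Node variants match too).
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?:Policies\\Explorer\\)?Run$"
    r"|\\Classes\\[^\\]+\\shell\\open\\command$", re.I)
ZONE_KEY_RE = re.compile(r"\\Internet Settings\\Zones\\([13])$", re.I)
MSHTA_RE = re.compile(r"^\s*mshta\s+javascript:", re.I)
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text):
    """Yield (key, value_name, data) from .reg text. String data is unescaped;
    other types (dword:, hex:) are returned as written."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue
        name = "(Default)" if m.group(1) is None else m.group(1).replace('\\"', '"')
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        yield key, name, data


def hunt_kovter(reg_text):
    """Return Findings for autorun values launching mshta javascript: and for
    zone 1/3 value 1400 (Active Scripting) set to 0 (Enable)."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if RUN_KEY_RE.search(key) and MSHTA_RE.match(data):
            findings.append(Finding(key, name, data, "mshta javascript: autorun value"))
        zm = ZONE_KEY_RE.search(key)
        if zm and name == "1400" and data.lower() in ("dword:00000000", "0"):
            findings.append(Finding(key, name, data,
                                    f"Active Scripting (1400) forced to Enable in zone {zm.group(1)}"))
    return findings


# Constructed export: one benign Run value, two Kovter-style entries and a
# zone change. The javascript: data is a placeholder, not the real payload.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\oziyns8]
"a1b2"=hex:de,ad,be,ef

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"xk3q"="mshta javascript:PLACEHOLDER_CONSTRUCTED_NOT_A_REAL_PAYLOAD"

[HKEY_CURRENT_USER\Software\Classes\dk9f\shell\open\command]
@="mshta javascript:PLACEHOLDER_CONSTRUCTED_NOT_A_REAL_PAYLOAD"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400"=dword:00000000
"1001"=dword:00000001
'''


if __name__ == "__main__":
    for f in hunt_kovter(SAMPLE_REG_EXPORT):
        print(f"{f.reason}: [{f.key}] {f.name} = {f.data}")
```

Because Kovter removes its installer and keeps only registry data, an export of the HKLM and HKCU hives is the artefact to collect from a suspect machine; the random-named payload key (such as HKLM\SOFTWARE\oziyns8 from the post) has no stable name to match on, so the hunt keys on the launcher value and the zone change instead.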

    Sends your personal information to a remote server

    We have seen this malware send information about your PC to the attacker, including:

    • Antivirus software you are using
    • Date and time zone
    • GUID
    • Language
    • Operating system

    It can also detect some specific tools you use in your PC and sends that information back to the attacker:

    • JoeBox
    • QEmuVirtualPC
    • Sandboxie
    • SunbeltSandboxie
    • VirtualBox
    • VirtualPC
    • VMWare
    • Wireshark

    Click-fraud

    This threat can silently visit websites without your consent to perform click-fraud by clicking on advertisements. It does so by running several instances of Internet Explorer in the background.

    Download updates or other malware

    This threat can download and run files. Kovter uses this capability to update itself to a new version. This update capability has been used recently to install other malware such as:

     

    Demographics

    Kovter prevalence or encounters chart

    Figure 2 – Kovter’s prevalence for the past two months shows a spike in the month of April

     

    Kovter's geographic distribution

    Figure 3 – Kovter’s geographic distribution shows that the majority of the affected machines are in the United States

     

    Mitigation and prevention

    To help stay protected from Kovter, Locky and other threats, use an up-to-date Windows Defender for Windows 10 as your antimalware scanner, and ensure that MAPS has been enabled.

    Though trojans have been a permanent fixture in the malware ecosystem, there’s still something that you or your administrators can proactively do:

     

    Geoff McDonald and Duc Nguyen

    MMPC

    Gamarue, Nemucod, and JavaScript

    https://blogs.technet.microsoft.com/mmpc/2016/05/09/gamarue-nemucod-and-javascript/

    Mon, 09 May 2016 16:00:20 +0000

    JavaScript is now widely used to download malware because the code is easy to obfuscate and small in size. Most recently, one of the most prevalent JavaScript malware families spreading other malware is Nemucod.

    This JavaScript trojan downloads additional malware (such as Win32/Tescrypt and Win32/Crowti – two pervasive ransomware trojans that have been doing the rounds for a few years[1] – and Win32/Fareit) and installs it on a victim’s system through spam email.

    Recently, however, we’ve seen another version of Nemucod distributing Gamarue malware to users.

    Gamarue, also known as “Andromeda bot”, has been known to arrive through exploit kits, other executable malware downloaders (including Win32/Dofoil and Win32/Beebone), removable drives, and through that old stand-by: spam campaigns.

    The shift to a JavaScript-obfuscated downloader might be an attempt by the malware authors to evade the increasing detection capabilities and sophistication in antimalware products.

    A quick look into the obfuscated JavaScript code shows us that, aside from the encrypted strings, it uses variables with random names to hide its real code.

    Sample of an obfuscated JavaScript code

    Figure 1: Obfuscated code

     

    The decrypted code is shown in the following image:

    Sample of a decrypted JavaScript previously-obfuscated code

    Figure 2: De-obfuscated code

     

    Nemucod is known to have different hashes for each variant. For this one particular hash, since the detection was written in early April 2016, it reached a total of 982 distinct machines with 4,192 reports – which indicates the number of Gamarue installations that could have occurred if it had not been detected.

    Figure 3: Nemucod detection rate

     

    Gamarue has been observed stealing vital information from your PC. It can also accept commands from a command and control (C&C) server. Depending on the commands received, a malicious hacker can perform various actions on the machine. See our family description of Win32/Gamarue for more information.

     

     

    Nemucod impact

    Since the start of 2016, Nemucod has risen in prevalence.

    Figure 4: The rising Nemucod prevalence trend shows that it peaked in April

     

    Among the top 10 countries for Nemucod detections, the US accounts for a third, followed by Italy and Japan. Beyond that, infections are spread widely across the globe.

    Figure 5: The majority of Nemucod infections are seen in the United States (geographic distribution, January to April 2016)

    Overall, however, Nemucod prevalence still remains relatively low, especially when compared to Gamarue.

     

    Gamarue impact

    Unlike Nemucod, Gamarue detections started high and have remained high since late last year. Overall, numbers have dropped a small amount since the start of 2016. Interestingly, there are large troughs every weekend, with a return to higher numbers on Monday. This can indicate that Gamarue is especially pervasive either in enterprises or in spam email campaigns.

    Figure 6: The Gamarue infection trend shows a steady pattern from January to April 2016

     

    For Gamarue, detections among the top 10 countries are concentrated in India, Asia, Mexico, and Pakistan.

    Figure 7: The majority of Gamarue infections hit third world countries (geographic distribution, January to April 2016)

     

    Mitigation and prevention

    To help stay protected from Nemucod, Gamarue, and other threats, use Windows Defender for Windows 10, or another up-to-date real-time product, as your antimalware scanner.

    Use advanced threat and cloud protection

    You can boost your protection by using Office 365 Advanced Threat Protection and enabling Microsoft Active Protection Service (MAPS).

    Office 365 helps by blocking dangerous email threats; see Overview of Advanced Threat Protection in Exchange: new tools to stop unknown attacks, for details.

    MAPS uses cloud protection to help guard against the latest malware threats. You should check if MAPS is enabled on your PC.

    Some additional preventive measures that you or your administrators can take proactively:

     

    ———————————————————————–

    [1] We’ve published a number of blogs about Crowti, including:

    It was also featured in the July 2015 version of the Malicious Software Removal Tool (MSRT):

     

    Donna Sibangan

    MMPC

     

     

    Digging deep for PLATINUM
    https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/
    Tue, 26 Apr 2016 19:00:41 +0000

    This blog introduces our latest report from the Windows Defender Advanced Threat Hunting team. You can read the full report at:


    There is no shortage of headlines about cybercriminals launching large-scale attacks against organizations. For us, the activity groups that pose the most danger are the ones who selectively target organizations and desire to stay undetected, protect their investment, and maximize their ROI. That’s what motivated us – the Windows Defender Advanced Threat Hunting team, known as hunters – when we recently discovered a novel technique being used by one such activity group.

    We have code named this group PLATINUM, following our internal practice of assigning rogue actors chemical element names. Based on our investigations, we know PLATINUM has been active since 2009 and primarily targets governmental organizations, defense institutes, intelligence agencies, and telecommunication providers in South and Southeast Asia. The group has gone to great lengths to develop covert techniques that allow them to conduct cyber-espionage campaigns for years without being detected.

    Uncovering these kinds of techniques is true detective work, and finding them in the wild is a challenge. But with the wealth of anonymized information we can draw on from over 1 billion Windows devices and a broad spectrum of services, Microsoft’s intelligent security graph, and advanced analytics and machine algorithms that surface suspicious behaviors, Microsoft is in the best position to do so.

    Digging up the nugget

    Through our advanced and persistent hunting, we discovered PLATINUM is using hotpatching as a technique to attempt to cloak a backdoor they use. Using hotpatching in the malicious context has been theorized [1], [2], but has not been observed in the wild before. Finding such techniques is a focus of the Microsoft APT hunter team, and we want to provide some brief insights on how the team dug up this PLATINUM “nugget”.

    In the first part of this methodology, a hunter carves out some rough data sets from existing information and data that can be further analyzed. This could be based on rough heuristics, such as looking for files with high entropy, that were first observed recently, and that are confined to a geographic region that fits the profile of the activity group being investigated.

    Carving the data still yields large data sets that can’t be manually analyzed, and advanced threat analytics can help in sorting through the data for meaningful information in the second step. Graph inferences through the Microsoft intelligent security graph can bubble pieces of information to the top of the queue for a hunter to choose from. In the PLATINUM investigation, we identified 31 files.

    Lastly, the hunter works directly with the resulting set. During this stage of the PLATINUM investigation, a hunter found a file with an unusual string (“.hotp1”). The hunter’s experience and intuition drove him to dig deeper. In this case, that further investigation led us to the malicious use of hotpatching by this activity group, and the “nugget” was uncovered.

    Deconstructing the attack

    So what is hotpatching? Hotpatching is a previously supported OS feature for installing updates without having to reboot or restart a process. It requires administrator-level permissions, and at a high level, a hotpatcher can transparently apply patches to executables and DLLs in actively running processes.

    Using hotpatching in a malicious context is a technique that can be used to avoid being detected, as many antimalware solutions monitor non-system processes for regular injection methods, such as CreateRemoteThread. Hotpatching originally shipped with Windows Server 2003 and was used to ship 10 patches to Windows Server 2003. Windows 10, our most secure operating system ever, is not susceptible to this and many other techniques and attack vectors.

    What this means in practical terms is that PLATINUM was able to abuse this feature to hide their backdoor from the behavioral sensors of many host security products. We first observed a sample employing the hotpatching technique on a machine in Malaysia. This allowed PLATINUM to gain persistent access to the networks of companies it targeted and victimized over a long period without being detected.

    Thwarting the bad guys

    The Microsoft APT hunter team actively tracks activity groups like PLATINUM. We proactively identify these groups and the techniques they use and work to address vulnerabilities and implement security mitigations. The team builds detections and threat intelligence that are utilized by many of our products and services. Beta users of Windows Defender ATP can take advantage of this additional layer of protection and intelligence for a broad set of activity groups.

    We’ve included a more technical exploration of  our research and detection of the hotpatching technique in the remainder of this blog.

    You can also see a closer look at the PLATINUM activity group in our report PLATINUM: Targeted attacks in South and Southeast Asia. Windows Defender Advanced Threat Protection beta and preview users can also find the report, along with other APT activity group reports, in the Windows Defender ATP portal.

    We continue to dig for PLATINUM.

    The Windows Defender Advanced Threat Hunting Team

    Hotpatching – a case study

    We first observed the sample (Sample1) that is capable of utilizing hotpatching on a machine in Malaysia (which matches the general target profile of PLATINUM) on January 28, 2016. The portable executable (PE) timestamp, which can be arbitrarily set by the adversary, dates back to August 9, 2015, while the unpacked version contains a PE timestamp of November 26, 2015.

    It is a DLL that runs as a service and serves as an injector component of a backdoor. Interestingly, this sample not only supported the hotpatching technique described in this post, but was able to apply more common code-injection techniques, including the following, into common Windows processes (primarily targeting winlogon.exe, lsass.exe and svchost.exe):

    • CreateRemoteThread
    • NtQueueApcThread to run an APC in a thread in the target process
    • RtlCreateUserThread
    • NtCreateThreadEx

    Hotpatching technique

    For hotpatching, the sample goes through the following steps:

    1. It patches the loader with a proper hotpatch to treat injected DLLs with execute page permissions. This step is required for DLLs loaded from memory (in an attempt to further conceal the malicious code).
    2. The backdoor is injected into svchost using the hotpatch API.

    Patching the loader is done by creating a section named “\knowndlls\mstbl.dll”. This DLL does not reside on-disk, but is rather treated as a cached DLL by the session manager.

    It then proceeds to write a PE file within that section. The PE file will have one section (“.hotp1 ”) with the hotpatch header structure. This structure contains all the information necessary to perform the patching of the function “ntdll!LdrpMapViewOfSection” used by the loader, such that the loader will treat created sections as PAGE_EXECUTE_READWRITE instead of PAGE_READWRITE. The patch is successfully applied by invoking NtSetSystemInformation.
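The carving heuristics described earlier (high entropy, first-seen date, region) and the “.hotp1” section name that surfaced in the manual stage are all computable from the file itself. The Python below is an added example, not the hunting team's tooling: a minimal PE section-table reader that reports a section named .hotp1, any section whose byte entropy suggests packed or encrypted content, and a PE timestamp later than the date telemetry first saw the file (the post notes the timestamp is attacker-controlled). The entropy threshold, the first-seen value and build_test_pe, which assembles a constructed PE32 image so the checks run offline, are this example's assumptions; no bytes from the investigation's sample are used.

```python
import math
import struct

HOTPATCH_SECTION = ".hotp1"   # section name carrying the hotpatch header, as in the post


def shannon_entropy(data):
    """Bits per byte: plain code sits around 5 to 6, packed or encrypted data near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data):
    """Minimal PE reader: returns (TimeDateStamp, [(section name, raw bytes), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, timestamp, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + size_opt            # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, _, _, raw_size, raw_ptr, _, _, _, _, _ = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         data[raw_ptr:raw_ptr + raw_size]))
    return timestamp, sections


def hotpatch_indicators(data, first_seen_epoch, entropy_threshold=7.0):
    """Findings worth surfacing for one file. first_seen_epoch is the Unix time
    telemetry first saw the file; a PE timestamp after it is a forged stamp."""
    timestamp, sections = parse_pe(data)
    findings = []
    for name, raw in sections:
        if name.strip() == HOTPATCH_SECTION:      # the post shows ".hotp1 " with a trailing space
            findings.append("section " + HOTPATCH_SECTION)
        if len(raw) >= 64 and shannon_entropy(raw) >= entropy_threshold:
            findings.append("high-entropy section " + name.strip())
    if timestamp > first_seen_epoch:
        findings.append("PE timestamp later than first observation")
    return findings


def build_test_pe(section_specs, timestamp=0):
    """Constructed minimal PE32 image (not a real sample) so the checks can run offline."""
    nsec = len(section_specs)
    size_opt = 224                              # PE32 optional header size
    headers_end = 64 + 4 + 20 + size_opt + 40 * nsec
    first_raw = (headers_end + 0x1FF) & ~0x1FF  # section data on a 512-byte boundary
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, timestamp, 0, 0, size_opt, 0x2102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    table, body, raw_ptr, va = b"", b"", first_raw, 0x1000
    for name, raw in section_specs:
        raw = raw.ljust((len(raw) + 0x1FF) & ~0x1FF, b"\0")
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                             len(raw), va, len(raw), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += raw
        raw_ptr += len(raw)
        va += 0x1000
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(first_raw, b"\0")
    return headers + body


if __name__ == "__main__":
    # Mirrors the case study's shape: a code section plus a ".hotp1 " section of packed data.
    sample = build_test_pe([(".text", b"\x90" * 512), (".hotp1 ", bytes(range(256)) * 2)])
    print(hotpatch_indicators(sample, first_seen_epoch=1453939200))   # 2016-01-28 UTC
```

The timestamp check only flags a future-dated stamp: a back-dated one, as on Sample1, cannot be told from a genuine build date without other evidence, which is why the post treats the field as untrusted rather than as a signal on its own.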

    Figure 1: The malware builds the information describing the first patch

     

    Figure 2: The highlighted “push 4” is patched to “push 0x40”, meaning that the parameter for the following API call NtMapViewOfSection is changed from PAGE_READWRITE to PAGE_EXECUTE_READWRITE.

    Now that the memory permission issue has been solved, the injector can proceed with injecting the malicious DLL into svchost. Again, it creates a (now executable) section named “knowndlls\fgrps.dll” and invokes NtSetSystemInformation, causing the final payload to be loaded and executed within the target process (svchost).

    Trying to hide the payload using hotpatching also falls in line with the last functional insights we have on the sample. It seems to have an expiry date of January 15, 2017 – at that point in time, the DLL will no longer perform the injection, but rather execute another PLATINUM implant:

    C:\program files\Windows Journal\Templates\Cpl\jnwmon.exe –ua

    This implant may be related to an uninstall routine. Note that we observed the sample last on the machine on September 3, 2015, which may indicate PLATINUM pulled the trigger earlier.

     


     

    [1] http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Sotirov.pdf

    [2] https://www.yumpu.com/en/document/view/14255220/alexsyscan13

    A brief discourse on ‘Changing browsing experience’
    https://blogs.technet.microsoft.com/mmpc/2016/04/21/a-brief-discourse-on-changing-browsing-experience/
    Fri, 22 Apr 2016 06:24:39 +0000

    In response to questions we’ve received from the software distribution and monetization industry, and following our blog announcing our browser modifier policy update, we’d like to provide some details on what we refer to in our policy as “changing browsing experience”.

    For us, “changing browsing experience” means behaviors that modify the content of webpages.

    We consider programs installed and running on a PC that make webpages look different than they would on the same browser had those programs not been installed to be programs that change browsing experience. These programs are required to use the browsers’ extensibility models.

    Browsers’ extensibility models ensure user choice and control. Extensible browsers present consent prompts that ask users to grant permission before an extension is enabled. This is done using consistent language and placement that is straightforward and clear.

    By requiring programs that change browsing experience to use the extensibility models, we ensure that users are kept at the helm of their choice and control.  Programs can only make such alterations to webpages when users grant them the permission to do so, using the browsers’ consistent and reliable consent prompting.

    Some programs modify browsing access in ways that don’t insert or change web content.  We don’t consider these as changing the browsing experience.

    Examples of programs that modify browsing access include:

    • VPNs – software type that provides access
    • Parental control programs – software type that restricts access

    If these programs don’t insert or change web content, then they are not changing browsing experiences. Therefore, they are not required to use the browsers’ extensibility models.

    Our intent with this policy is clear: we are determined to protect our customers’ choice and browsing experience control.  The requirement to use the browsers’ supported extensibility models is an important pillar in achieving this goal.

     

    Barak Shein and Michael Johnson

    MMPC

    JavaScript-toting spam emails: What should you know and how to avoid them?
    https://blogs.technet.microsoft.com/mmpc/2016/04/18/javascript-toting-spam-emails-what-should-you-know-and-how-to-avoid-them/
    Mon, 18 Apr 2016 16:00:23 +0000

    We have recently observed that spam campaigns are now using JavaScript attachments in addition to Office files. The purpose of the code is straightforward: it downloads and runs other malware.

    Some of the JavaScript downloaders that we’ve seen are:

    The same JavaScript downloaders are also responsible for spreading the following ransomware:

    The spam email contains a .zip or .rar file attachment which carries a malicious JavaScript file. The JavaScript attachment mostly has the following icon, depending on the system’s script software. The file names are either related to the spam campaign or completely random:

    Figure 1: Examples of JavaScript attachments from spam email campaigns

    Not your favorite Java

    Just like a typical email campaign, the JavaScript-toting spam finds its way onto your PC after a successful social engineering trick. The bag of tricks includes attachment file names intentionally crafted to pique anyone’s curiosity (finance-related, etc.).

    The JavaScript attachments are heavily obfuscated to avoid antivirus detection. They consist of a download-and-execute function paired with one or two URLs hosting the malware.

    Figure 2: Sample code and URL

    Figure 3: Another code sample

    Figure 4: Another code sample

    Figure 5: Another code sample


    In some cases, the malicious JavaScript attachment is bundled with a dummy file to evade email rules.

    Figure 6: An example of a JavaScript attachment and a dummy file

    Figure 7: Another example of a JavaScript attachment and a dummy file


    These URLs are mostly short-lived. But when the download succeeds, the malware, in this case Ransom:Win32/Locky, enters the system and proceeds with its destructive mission.

    It is interesting to note that an Office attachment with malicious macros typically requires two or more clicks on the document to run it: one click to open the document, and another to enable the macros.

    On the other hand, a JavaScript attachment takes only one or two clicks to start executing.

    It is uncommon and quite suspicious for people to send legitimate applications in pure JavaScript file format (files with a .js or .jse extension) via email. You should be wary of such attachments and should not click or open them.
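The two points above, that a .js or .jse file is rarely sent legitimately and that the script often arrives inside an archive next to a dummy file, translate into a mail-gateway check that looks inside attachments rather than only at the outer file name. The Python below is an added example, not from the MMPC post: it walks a message's attachments, opens .zip archives in memory, and reports every script-host file found, so the decoy does not mask the script. The extension lists beyond .js and .jse, the domain names, and the invoice-themed sample message it builds are constructed for the example; the .js inside it contains only a comment.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# The post names .js and .jse; the other script-host extensions are this example's assumption.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}
INSPECTABLE_ARCHIVES = {".zip"}          # the standard library can open these
OPAQUE_ARCHIVES = {".rar", ".7z"}        # reported for inspection with another tool


def _ext(name):
    return os.path.splitext(name or "")[1].lower()


def script_attachments(raw_email):
    """List (attachment name, inner file or None) for every script found, looking
    inside archives so a decoy file bundled next to the script does not hide it."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _ext(name)
        if ext in SCRIPT_EXTENSIONS:
            findings.append((name, None))
        elif ext in INSPECTABLE_ARCHIVES:
            payload = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for info in zf.infolist():
                        if _ext(info.filename) in SCRIPT_EXTENSIONS:
                            findings.append((name, info.filename))
            except zipfile.BadZipFile:
                findings.append((name, "<unreadable archive>"))
        elif ext in OPAQUE_ARCHIVES:
            findings.append((name, "<archive not inspected>"))
    return findings


def build_sample_email(include_script=True):
    """Constructed invoice-themed message: a .zip holding a harmless decoy .txt and,
    when include_script is set, a .js whose body is only a placeholder comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "see attached invoice")   # the dummy file
        if include_script:
            zf.writestr("invoice_4471.js", "// placeholder, not a real script\n")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please find your invoice attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice_4471.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(script_attachments(build_sample_email()))
    print(script_attachments(build_sample_email(include_script=False)))
```

.rar attachments, which the post also mentions, are reported as uninspected because the standard library cannot open them; a deployment would hand those to an archive tool or quarantine them outright.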

    Figure 8: A screenshot of how the JavaScript attachment gets executed.


    Same stuff, new package

    Email attachments have long been a common vector for spreading malware. In the past months, we have seen Office file attachments that contain malicious macros. The code is simple and straightforward; its main objective is to download and execute other malware, such as password stealers, backdoors and ransomware.

    The JavaScript-toting email spam is no different.

    These malicious email attachments are distributed through spam campaigns. Spam campaigns draw on different social engineering themes that appeal to people’s curiosity, enough for them to take action and click what shouldn’t be clicked: from finance-related subjects like receipts, invoices and bank accounts, to resumes and shipment notifications.

     

    Figure 9: A screenshot of a sample bank-related email spam.

    Figure 10: A screenshot of a sample remittance-themed email spam.

    Figure 11: A screenshot of a sample invoice-themed email spam.

    Figure 12: A screenshot of a sample resume-themed email spam.

    Figure 13: A screenshot of a shipment notification-themed email spam.

    Figure 14: A screenshot of a sample debt case-themed email spam.

    Mitigation and prevention

    To avoid falling prey to the social engineering tricks of these JavaScript-toting emails:

    See some of the related blogs and threat reports:

     

    Alden Pornasdoro

    MMPC

    MSRT April release features Bedep detection
    https://blogs.technet.microsoft.com/mmpc/2016/04/12/msrt-april-release-features-bedep-detection/
    Tue, 12 Apr 2016 20:24:06 +0000

    As part of our ongoing effort to provide better malware protection, the Microsoft Malicious Software Removal Tool (MSRT) release this April will include detections for:

    In this blog, we’ll focus on the Bedep family of trojans.

     

    The bothersome Bedep

    Win32/Bedep was first detected on November 25, 2014 as a malware family made up of DLLs that has been distributed by the Angler Exploit Kit. Microsoft detects Angler as:

    JS/Axpergle and HTML/Axpergle have been known to carry and drop Bedep around by redirecting unsuspecting users to compromised websites.

    Bedep is bothersome not only because it is carried around by an exploit kit, but because it also connects to a remote server to do the nasty:

    All of the above malware families have these behaviors in common: they steal your personal information and send it to the hacker, watch what you do online, drop other malware onto your PC, and update that malware too.

    • Collect information about your PC to send it off to the malware perpetrator
    • Update the downloaded malware

    The good thing is, Windows Defender detects and removes Bedep and its variants.

    This threat has been prevalent in North America, and various parts of Latin America, Europe, and Southeast Asia.

    Figure 1: The map shows Win32/Bedep’s prevalence in North America, Latin America, Europe, and South East Asia in the last six months.

    Figure 2: The pie chart shows the Bedep distribution among the top 10 countries for the past six months

     

    The exploit shellcode sometimes loads Bedep directly in the memory from the Angler Exploit Kit, without being written to disk. However, it gets written to disk at other times.

    It can be installed either as a 32-bit DLL (Backdoor:Win32/Bedep.A) or a 64-bit DLL (Backdoor:Win64/Bedep.A), depending on the affected Windows OS version.

    This threat is initially loaded by shellcode running in an exploited browser process (for example, iexplore.exe). Then, the threat downloads a copy of itself and injects that into explorer.exe.

    We have observed that the first exploit is not enough: the attacker needs more exploits to bypass the OS’s or browser’s layered defenses. As a precaution, you should always be careful when clicking through User Account Control (UAC) prompts.

    We’ve also seen that Bedep can drop itself as %ProgramData%\<{CLSID}>\<filename>.dll

    Example path and file names: C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\acledit.dll.

    It then creates the following registry entries:

    In subkey: HKEY_CURRENT_USER\CLSID\%Random CLSID%\InprocServer32
    Example: HKEY_CURRENT_USER\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32
    Sets value: “ThreadingModel”
    With data: “Apartment”
    Sets value: “” (the default value)
    With data: %Bedep Filename%
    Example: “C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\acledit.dll”

    In subkey: HKEY_CURRENT_USER\Drive\ShellEx\FolderExtensions\%Random CLSID%
    Example: HKEY_CURRENT_USER\Drive\ShellEx\FolderExtensions\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}
    Sets value: “DriveMask”
    With data: dword:ffffffff
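The two registry locations listed above work as a pair: the InprocServer32 default value that points at a DLL under %ProgramData%\{CLSID}\, and the Drive\ShellEx\FolderExtensions entry whose DriveMask of 0xffffffff applies that CLSID to every drive. The Python below is an added example, not part of the post or of the MSRT: given registry entries exported as (key, value name, data) tuples, it matches each location against the patterns the post describes and correlates them by CLSID, so a hit on both is reported with higher confidence than either alone. The sample entries reuse the post's example CLSIDs and path plus one constructed benign entry; accepting an optional Software\Classes\ prefix on the key path is this example's assumption.

```python
import re

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# The post writes the keys as HKEY_CURRENT_USER\CLSID\... and HKEY_CURRENT_USER\Drive\...;
# tolerating a Software\Classes\ prefix (where per-user class keys live) is this example's assumption.
INPROC_KEY = re.compile(
    r"^HKEY_CURRENT_USER\\(?:Software\\Classes\\)?CLSID\\(" + GUID + r")\\InprocServer32$", re.I)
FOLDEREXT_KEY = re.compile(
    r"^HKEY_CURRENT_USER\\(?:Software\\Classes\\)?Drive\\ShellEx\\FolderExtensions\\(" + GUID + r")$", re.I)
PROGRAMDATA_DLL = re.compile(r"^[A-Za-z]:\\ProgramData\\" + GUID + r"\\[^\\]+\.dll$", re.I)


def bedep_registry_indicators(entries):
    """entries: iterable of (key path, value name, data) as exported from the hive.
    Returns {CLSID: [(kind, detail), ...]} for CLSIDs matching the post's persistence pattern."""
    by_clsid = {}
    for key, value_name, data in entries:
        m = INPROC_KEY.match(key)
        if m and value_name == "" and isinstance(data, str) and PROGRAMDATA_DLL.match(data.strip('"')):
            by_clsid.setdefault(m.group(1).upper(), []).append(("inproc", data))
            continue
        m = FOLDEREXT_KEY.match(key)
        if m and value_name.lower() == "drivemask" and data == 0xFFFFFFFF:
            by_clsid.setdefault(m.group(1).upper(), []).append(("folderext", "DriveMask=0xffffffff"))
    return by_clsid


def high_confidence(findings):
    """CLSIDs showing both the in-proc server under %ProgramData% and the drive shell-extension hook."""
    return sorted(clsid for clsid, reasons in findings.items()
                  if {kind for kind, _ in reasons} >= {"inproc", "folderext"})


# Constructed export using the post's example CLSIDs and path; the last entry is a
# constructed benign in-proc server pointing at a system DLL.
SAMPLE_ENTRIES = [
    (r"HKEY_CURRENT_USER\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32",
     "ThreadingModel", "Apartment"),
    (r"HKEY_CURRENT_USER\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32",
     "", r"C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\acledit.dll"),
    (r"HKEY_CURRENT_USER\Drive\ShellEx\FolderExtensions\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}",
     "DriveMask", 0xFFFFFFFF),
    (r"HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32",
     "", r"C:\Windows\System32\shell32.dll"),
]

if __name__ == "__main__":
    found = bedep_registry_indicators(SAMPLE_ENTRIES)
    for clsid, reasons in found.items():
        print(clsid, reasons)
    print("high confidence:", high_confidence(found))
```

The ThreadingModel value is not used as a signal because every in-proc COM server sets it; the discriminating facts are the DLL living under a CLSID-named %ProgramData% folder and the all-drives FolderExtensions registration for the same CLSID.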

     

    For details about various Bedep variants, see the following malware encyclopedia entries:

     

    Mitigation and prevention

    To help stay protected from Bedep and other threats, use an up-to-date Windows Defender for Windows 10 as your antimalware scanner, and ensure that MAPS has been enabled.

    Though trojans have been a permanent fixture in the malware ecosystem, there’s still something that you or your administrators can proactively do:

     

    Jonathan San Jose

    MMPC

    Keeping Browsing Experience in Users’ Hands, an Update…
    https://blogs.technet.microsoft.com/mmpc/2016/03/23/keeping-browsing-experience-update/
    Thu, 24 Mar 2016 05:27:45 +0000

    Since we published the Keeping Browsing Experience in Users’ Hands blog in December 2015, we’ve received feedback from the ecosystem and engaged in discussions with the industry. Based on those discussions and feedback, we are making a couple of updates.

    We are broadening the scope of the evaluation criteria we blogged about to state:

    Programs that change the user browsing experience must only use the browsers’ supported extensibility model for installation, execution, disabling and removal. Browsers without supported extensibility models will be considered non-extensible.

    This addition addresses software that modifies the browsing experience, not just those that insert ads into the browsing experience.

    Accordingly, we are moving the criterion from the Advertising criteria to become an expansion of our BrowserModifier criteria.

    By doing so we are closing additional gaps that impact the browsing experience from outside the browser, not just ad injection software, and are pointing developers to comply with the browser’s respective extensibility models.

    Internet Explorer and Microsoft Edge’s policy, for example, can be found at aka.ms/browserpolicy.

    In addition, and due to the broadening of the policy, we are further extending the notification up until May 2, 2016.

    We continue to encourage developers who may be affected by this policy to work with us during the notification time, and fix their software to become compliant with the new criteria and follow the respective browser policies.

    Enforcement starts on May 2, 2016.

    Barak Shein and Michael Johnson

    MMPC

     

    New feature in Office 2016 can block macros and help prevent infection
    https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/
    Tue, 22 Mar 2016 21:45:30 +0000

    Macro-based malware is on the rise and we understand it is a frustrating experience for everyone. To help counter this threat, we are releasing a new feature in Office 2016 that blocks macros from loading in certain high-risk scenarios.

     

    Macro-based malware infection is still increasing

    Macro-based malware continues its rise. We featured macro-based malware in our Threat Intelligence report last year, but infections are still increasing.

    Despite periodic lulls, infections for the top 20 most detected macro-based malware were high over the past three months.

     

    In the enterprise, recent data from our Office 365 Advanced Threat Protection service indicates 98% of Office-targeted threats use macros.

    Note these are detections and not necessarily successful infections. To learn more about Advanced Threat Protection and other security features in Office 365, check out this blog and video.

    The enduring appeal for macro-based malware appears to rely on a victim’s likelihood to enable macros. Previous versions of Office include a warning when opening documents that contain macros, but malware authors have become more resilient in their social engineering tactics, luring users to enable macros in good faith and ending up infected.

     

    Block the macro, block the threat

    In response to the growing trend of macro-based threats, we’ve introduced a new, tactical feature in Office 2016 that can help enterprise administrators prevent the risk from macros in certain high risk scenarios. This feature:

    1. Allows an enterprise to selectively scope macro use to a set of trusted workflows.
    2. Blocks easy access to enabling macros in scenarios considered high risk.
    3. Provides end users with a different and stricter notification, making it easier for them to distinguish a high-risk situation from a normal workflow.

    This feature can be controlled via Group Policy and configured per application. It enables enterprise administrators to block macros from running in Word, Excel and PowerPoint documents that come from the Internet. This includes scenarios such as the following:

    1. Documents downloaded from Internet websites or consumer storage providers (like OneDrive, Google Drive, and Dropbox).
    2. Documents attached to emails that have been sent from outside the organization (where the organization uses the Outlook client and Exchange servers for email)
    3. Documents opened from public shares hosted on the Internet (such as files downloaded from file-sharing sites).

    Let’s walk through a common attack scenario and see this feature in action.

    Claudia is an enterprise administrator at Contoso. After a rash of macro-based malware attacks targeting her organization, she learns of this new feature in Office 2016 and has rolled out a Group Policy update to all Office clients on the network.

    Stewart is a cybercriminal looking to attack and penetrate the Contoso network. Stewart uses macro-based malware because he’s had recent successes using it. He launches his attack campaign against Contoso by targeting James, an employee there.

    James receives an email from Stewart in his inbox that has an attached Word document. The email has content designed to pique James’s interest and influence him to open the attachment.

    Email with a macro-enabled attachment

    When James opens the Word document, it opens in Protected View. Protected View is a feature that has been available in Word, Excel, and PowerPoint since Office 2010. It is a sandboxed environment that lets a user read the contents of a document. Macros and all other active content are disabled within Protected View, and so James is protected from such attacks so long as he chooses to stay in Protected View.

    Word document instructing a user to enable macros to get out of protected view mode

     

    However, Stewart anticipates this step and has a clear and obvious message right at the top of the document designed to lure James into making decisions detrimental to his organization’s security. James follows the instructions in the document, and exits Protected View as he believes that will provide him with access to contents of the document. James is then confronted with a strong notification from Word that macros have been blocked in this document by his enterprise administrator. There is no way for him to enable the macro from within the document.

    Warning message appears in a document if macros can't be enabled

     

    James’s security awareness is heightened by the strong warning and he starts to suspect that there is something fishy about this document and the message. He quickly closes the document and notifies his IT team about his suspicions.

    This feature relies on the security zone information that Windows uses to specify trust associated with a specific location. For example, if the location where the file originates from is considered the Internet zone by Windows, then macros are disabled in the document. Users with legitimate scenarios that are impacted by this policy should work with their enterprise administrator to identify alternative workflows that ensure the file’s original location is considered trusted within the organization.
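The security-zone information the feature relies on is recorded per file: on NTFS, browsers and mail clients attach a Zone.Identifier alternate data stream to a file as it arrives, and its ZoneId says which zone the file came from. The Python below is an added example, not Office's own logic: a parser for that stream and a function that applies the rule as the post states it, blocking macros only when the policy is on and the ZoneId is the Internet zone (3). The stream contents are constructed; read_zone_identifier shows how the stream is opened on Windows and returns None elsewhere or when a file carries no mark.

```python
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
INTERNET_ZONE = 3


def parse_zone_identifier(stream_text):
    """Parse the INI-style Zone.Identifier stream; return the ZoneId, or None if absent."""
    zone, section = None, None
    for line in stream_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "zonetransfer" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "zoneid":
                try:
                    zone = int(value.strip())
                except ValueError:
                    zone = None
    return zone


def read_zone_identifier(path):
    """Read the alternate data stream Windows keeps on downloaded files.
    Returns None when the stream is absent (a local file) or the platform has no ADS."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def macros_blocked(stream_text, policy_enabled=True):
    """The post's rule: with the policy on, a document whose recorded origin is the
    Internet zone has its macros blocked. No stream means no recorded origin, so not blocked."""
    if not policy_enabled or stream_text is None:
        return False
    return parse_zone_identifier(stream_text) == INTERNET_ZONE


# Constructed stream contents, as a browser download and an intranet copy would carry them.
INTERNET_DOWNLOAD = "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/\r\n"
INTRANET_COPY = "[ZoneTransfer]\r\nZoneId=1\r\n"

if __name__ == "__main__":
    for label, stream in (("download", INTERNET_DOWNLOAD), ("intranet", INTRANET_COPY), ("local", None)):
        zone = parse_zone_identifier(stream) if stream else None
        print(label, ZONE_NAMES.get(zone, "no mark"), "blocked" if macros_blocked(stream) else "allowed")
```

A file with no stream (copied from a local disk or an internal share) therefore falls outside this policy, which is why the post points users with legitimate workflows toward trusted locations rather than toward turning the setting off.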

     

    Use Group Policy to enforce the setting, or configure it individually

    Administrators can enable this feature for Word, Excel, and PowerPoint by configuring it under the respective application’s Group Policy Administrative Templates for Office 2016. For example, to enable this setting for Word:

    1. Open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.
    2. In the Group Policy Management Editor, go to User configuration.
    3. Click Administrative templates > Microsoft Word 2016 > Word options > Security > Trust Center.
    4. Open the Block macros from running in Office files from the Internet setting to configure and enable it.

    Group policy settings location

    You can read more about this Group Policy setting at Plan security settings for VBA macros in Office 2016.


    Final tips

    For end-users, we always recommend that you don’t enable macros on documents you receive from a source you do not trust or know, and be careful even with macros in attachments from people you do trust – in case they’ve been hacked.

    For enterprise administrators, turn on mitigations in Office that can help shield you from macro-based threats, including this new macro-blocking feature. If your enterprise does not have any workflows that involve the use of macros, disable them completely. This is the most comprehensive mitigation that you can implement today.

    No mas, Samas: What’s in this ransomware’s modus operandi?
    https://blogs.technet.microsoft.com/mmpc/2016/03/17/no-mas-samas-whats-in-this-ransomwares-modus-operandi/
    Fri, 18 Mar 2016 00:15:08 +0000

    We’ve seen how ransomware has become a threat category that sends consumers and enterprises reeling when it hits them. It has become a high-commodity malware that is used as the payload of spam email, macro malware, and exploit kit campaigns. It also digs into victims’ pockets, demanding payment in exchange for recovering files from their encrypted form. Crowti, Tescrypt, Teerac, and Locky have been very active in this space.

    We’ve also observed some malware authors offering a different method of distribution on the black market, called ransom-as-a-service (RaaS). Malicious actors use RaaS to download the ransomware app builder and customize it accordingly. We’ve seen two threats, Sarento and Enrume, built through this type of service and deployed to infect machines during the second half of 2015.

    How is Samas different from other ransomware?

    Ransom:MSIL/Samas, which surfaced in the past quarter, has a different way of getting into the system: it takes a more targeted approach to getting installed. We have observed that this threat requires other tools or components to aid its deployment:

    Figure 1:  Ransom:MSIL/Samas infection chain 

    Samas ransomware’s tools of trade


    The Samas infection chain diagram illustrates how Ransom:MSIL/Samas gets into the system. It starts with a pen-testing/attack server searching for potentially vulnerable networks to exploit, with the help of a publicly available tunnelling tool named reGeorg.

    Java-based vulnerabilities were also observed to have been utilized, such as CVE-2010-0738 related to outdated JBOSS server applications.

    It can also use other information-stealing malware (Derusbi/Bladabindi) to gather login credentials. Once it has done so, it writes the stolen credentials to a text file, for example list.txt, and uses this to deploy the malware and its components through the third-party tool psexec.exe, driven by batch files that we detect as Trojan:BAT/Samas.B and Trojan:BAT/Samas.C.

    One of the batch files that we detect as Trojan:BAT/Samas.B also deletes the volume shadow copies using the vssadmin.exe tool.

    Trojan:MSIL/Samas.A usually takes the name delfiletype.exe or sqlsrvtmg1.exe and does the following:

    1. Look for certain file extensions that are related to backup files in the system.
    2. Make sure they are not locked by other processes; if they are, the trojan terminates those processes.
    3. Delete the backup files.

    Ransom:MSIL/Samas demonstrates typical ransomware behavior by encrypting files in the system using the AES algorithm and renaming each encrypted file with the extension encrypted.RSA. It displays the ransom note once it has encrypted the files, and deletes itself with the help of a binary in its resources named del.exe.

    Figure 2: The Samas ransom message

    So far, we’ve seen a new Ransom:MSIL/Samas variant that shows signs of changing its code from simple ASCII strings to hex-encoded characters, possibly to better evade detection by security vendors. The example below shows that the file extension names to encrypt have been converted to hex strings:


    Figure 3:  Version 1 – Ransom:MSIL/Samas.A


    Figure 4: Version 2 – Ransom:MSIL/Samas.B


    It has also moved from using a WordPress site as its decryption service site, hxxps://lordsecure4u.wordpress.com, to a more obscure Tor site to help anonymize itself, hxxp://wzrw3hmj3pveaaqh.onion/diana.

    Figure 5: Majority of the Ransom:MSIL/Samas infections are detected in North America, and a few instances in Europe


    Mitigation and prevention

    But yes, you can say no mas (translation from Spanish: no more) to Samas ransomware.

    To help prevent yourself from falling prey to Samas or other ransomware attacks, use Windows Defender for Windows 10 as your antimalware scanner, and ensure that MAPS has been enabled.

    Though ransomware and macro-based malware are on the rise, there’s still something that you or your administrators can proactively do:

    Marianne Mallen

    MMPC

    The three heads of the Cerberus-like Cerber ransomware
    https://blogs.technet.microsoft.com/mmpc/2016/03/09/the-three-heads-of-the-cerberus-like-cerber-ransomware/
    Thu, 10 Mar 2016 04:20:00 +0000

    Early this month, we saw a new ransomware family that launches a three-prong attempt to get you to hand over your hard-earned cash.

    Called “Cerber” (it replaces file extensions with .cerber), we like to think of this three-prong approach as a nod to the mythical multiple-headed hound, Cerberus.

    The attack starts with a text-to-speech (TTS) synthesized recording of a text message:

    • Attention! Attention! Attention! Your documents, photos, databases and other important files have been encrypted!

    While it’s not terribly original, originality doesn’t count for much in malware circles – if something works (that “something” usually being forcing victims to pay money or lose data), then everyone jumps on the bandwagon, and before you know it, bam, macros are being used to deliver malware.

    So perhaps expect to see a lot more synthesized, robotic-sounding messages making the rounds, attempting to steal your data and money.

    The use of audio files as part of a ransomware attack isn’t particularly new; Tobfy was doing it back in 2014. But the rise of TTS through the popularity of Cortana, Siri, and Android Now might offer ransomware authors a new (easier) way to annoy their victims into paying, if only to quiet the constant TTS announcement at every logon.

    In Cerber’s case, it uses a Visual Basic Script (.vbs file) to call the Microsoft Speech API (SAPI) SpVoice.Speak method at every startup.

    VB script used to call the SAPI Speak method

    If the API can’t call the speech synthesizer, you’ll see an error message similar to this:

    Error returned when TTS is disabled or not available

    The other “prongs” in the attack are the usual flavor of current ransomware notices – a simple .html page or .txt file is opened using the native handler. The files include instructions to download the Tor browser, connect to a specific Tor site and start transferring some Bitcoins. It might display the ransom notes in different languages, based on the victim’s IP geolocation.

    HTML page with ransom payment instructions

    Plain text file with ransom payment instructions

    Ransomware has come a long way from the non-encrypting lockscreen FBI and national police authority scare warnings, and this newer “low-cost approach” is both frustrating and effective.

    Unlike other current ransomware (like Crowti), it completely renames both the extension and the file name of the files it targets. It’s also very selective about which folders it leaves alone. The list of folders it avoids mostly includes system folders, such as Program Files, the Users folder, the Recycle Bin and various others. It does, however, encrypt files in folders on network shares and on all drives on the machine, and uses RSA encryption.

    The list of file types it targets is extensive, and includes common types such as Office documents, some database files (including .sql, and .sqlite), and archive files (for example, .rar and .zip).

    It stores configuration data in JSON format, which it decrypts and loads directly to memory at run time. The data includes:

    • The list of file extensions it targets
    • The folders it avoids
    • The public RSA key used for encryption (the private key is stored on the attacker’s server)
    • The mutex name format
    • The .html and .txt content used in the ransom note
    • The IP of a server it sends statistical data to

    See our malware encyclopedia entry for details on the file types and folders it targets.

    Encrypted files are given a randomized jumble of 10 characters for the file name, and the extension is changed to .cerber. Therefore, a file called kawaii.png could be renamed to something like 5kdAaBbL3d.cerber.
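The following PowerShell is an added example, not code from the Samas or Cerber posts. It hunts for the host-side artifacts both write-ups describe: Samas deleting shadow copies through vssadmin.exe and leaving files renamed to .encrypted.RSA, and Cerber's ten-character .cerber renames plus its logon-time .vbs. It assumes a Windows host with PowerShell 3 or later; the 4688 query needs "Audit Process Creation" with command-line logging enabled, and the paths are placeholders.

```powershell
# Added example (not from the MMPC posts): hunt for artifacts the Samas and
# Cerber write-ups describe. Requires Windows PowerShell 3+; the Security 4688
# query only sees command lines if process-creation auditing records them.

# Samas deletes shadow copies through vssadmin.exe before encrypting. Return
# process-creation events (Security 4688) whose command line does that.
function Get-ShadowCopyDeletionEvents {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $proc = ($data | Where-Object Name -eq 'NewProcessName').'#text'
        $cmd  = ($data | Where-Object Name -eq 'CommandLine').'#text'
        if ($proc -match '\\vssadmin\.exe$' -and $cmd -match 'delete\s+shadows') {
            [pscustomobject]@{ Time = $_.TimeCreated; Process = $proc; CommandLine = $cmd }
        }
    }
}

# Both families leave a recognisable naming pattern: Samas appends
# ".encrypted.RSA"; Cerber replaces the name with ten alphanumerics plus ".cerber".
function Get-RansomwareRenamedFiles {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        $family = switch -Regex ($file.Name) {
            '\.encrypted\.RSA$'         { 'Samas';  break }
            '^[A-Za-z0-9]{10}\.cerber$' { 'Cerber'; break }
            default                     { $null }
        }
        if ($family) { [pscustomobject]@{ Family = $family; File = $file.FullName } }
    }
}

# Cerber replays its TTS message from a .vbs at every logon. List Run-key
# entries whose command references a .vbs file.
function Get-VbsRunEntries {
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's own metadata
            if ("$($p.Value)" -match '\.vbs\b') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

# Placeholder paths; point these at the shares and profiles you need to check.
Get-ShadowCopyDeletionEvents -Hours 72 | Format-Table -AutoSize
Get-RansomwareRenamedFiles -Path 'C:\Users' | Format-Table -AutoSize
Get-VbsRunEntries | Format-Table -AutoSize
```

A hit from the first function on a workstation that never runs backup tooling is worth an immediate look, since the shadow-copy deletion precedes the encryption in the chain above.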

    The instructions presented to a victim will lead them to a website where they can choose their language (considerate!) and must enter a CAPTCHA or anti-spambot challenge (ironic!). The language-choice page begins with an instruction to “choose your language”. This phrase rotates between the 12 languages the user can choose from.

    Choice of 12 languages

    CAPTCHA to access the payment site

    After they’ve passed these gates, the site provides details on how the victim can obtain and transfer Bitcoins to the attackers. There will be a “special price” that increases based on how quickly the victim pays the ransom, which is reminiscent of Crowti and others.

    Cerber payment site, requesting Bitcoin

    Our strongest suggestion to prevent attacks from Cerber and other ransomware remains the same: use Windows Defender as your antimalware client, and ensure that MAPS has been enabled.

    Both ransomware and macro-based malware are on the rise; users can disable the loading of macros in Office programs, and administrators can disable macro loading using Group Policy settings.

    MSRT March 2016 – Vonteera
    https://blogs.technet.microsoft.com/mmpc/2016/03/09/msrt-march-2016-vonteera/
    Wed, 09 Mar 2016 21:32:39 +0000

    As part of our ongoing effort to provide better malware protection, the March release of the Microsoft Malicious Software Removal Tool (MSRT) will include detections for Vonteera – a family of browser modifiers, and Fynloski – a family of backdoor trojans. In this blog, we’ll focus on the Vonteera family of browser modifiers.

    BrowserModifier:Win32/Vonteera

    We first detected BrowserModifier:Win32/Vonteera in August 2013, and the numbers have been pretty big; during the past six months, we’ve had over eight million detections. Encounters have been distributed among the following countries and regions:

    Vonteera distribution numbers

    We classify Vonteera as unwanted software because it violates the following objective criteria:

    • Lack of choice – the threat circumvents user consent dialogs from the browser or operating system. It installs, reinstalls, or removes software without your permission, interaction, or consent.
    • Lack of control – the threat prevents or limits you from viewing or modifying browser features or settings.
    • Installation and removal – the threat fails to use standard install/uninstall features, such as Add/Remove Programs.

    Vonteera is usually distributed by software bundlers that offer free applications or games.

    Once installed on your PC, it modifies your homepage and changes your search provider.

    It uses Group Policy to install a plug-in into the following browsers in an effort to make it difficult to remove:

    • Google Chrome
    • Internet Explorer
    • Mozilla Firefox

    This makes it more difficult to change the browser settings and remove the added Vonteera plug-in through the Manage Add-ons settings.

    Search policy message

    More recent versions of Vonteera began adding legitimate certificates belonging to a number of security and antimalware products to the untrusted certificates list that the Windows operating system maintains, which forces Windows not to trust those products. This means that if Vonteera is present on your PC, you might not be able to run your security software.

    It also runs a service, so even if you try to delete these certificates from the untrusted list, Vonteera just adds them back, and you still might not be able to run your security software.
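An added PowerShell audit (not code from the MMPC post) for the tampering just described: it lists entries in the Windows Untrusted Certificates (Disallowed) stores whose subject or issuer names a security vendor, and offers a reviewed, one-at-a-time removal. The vendor list is a constructed placeholder; Windows itself ships genuine entries in this store (revoked and fraudulent certificates), so matches are items to review, not to delete blindly.

```powershell
# Added example (not from the MMPC post): audit the "Untrusted Certificates"
# (Disallowed) stores for entries naming security products. Microsoft ships
# legitimate entries here too, so review every match before acting on it.
function Get-DisallowedSecurityVendorCertificates {
    # Placeholder vendor names; replace with the products your organization runs.
    param([string[]]$VendorPattern = @('Microsoft', 'Windows Defender', 'Symantec', 'McAfee', 'Kaspersky', 'ESET'))
    $regex = ($VendorPattern | ForEach-Object { [regex]::Escape($_) }) -join '|'
    foreach ($store in 'Cert:\LocalMachine\Disallowed', 'Cert:\CurrentUser\Disallowed') {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -match $regex -or $_.Issuer -match $regex } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    NotAfter   = $_.NotAfter
                    Thumbprint = $_.Thumbprint
                }
            }
    }
}

# Remove one reviewed entry by thumbprint. Because Vonteera's service re-adds the
# certificates, run this only after the malware and its service are gone, then
# re-run the audit to confirm the entry stays removed.
function Remove-DisallowedCertificate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [ValidateSet('LocalMachine', 'CurrentUser')][string]$Location = 'LocalMachine'
    )
    $item = "Cert:\$Location\Disallowed\$Thumbprint"
    if (-not (Test-Path $item)) {
        Write-Warning "No certificate $Thumbprint in $Location\Disallowed"
        return
    }
    if ($PSCmdlet.ShouldProcess($item, 'Remove from untrusted store')) {
        Remove-Item -Path $item
    }
}

Get-DisallowedSecurityVendorCertificates | Format-Table -AutoSize
# After review:  Remove-DisallowedCertificate -Thumbprint '<reviewed thumbprint>' -WhatIf
```

Comparing the list against the same stores on a known-clean machine is the quickest way to separate Microsoft's own Disallowed entries from ones Vonteera added.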

    Our malware encyclopedia entry for Win32/Vonteera has more details about this malware family.

    By adding Vonteera to the MSRT we hope to have a bigger impact and reach more affected machines and help remove this unwanted software. However, as with all threats, prevention is the best protection.

    Stay protected

    To help stay protected from this and other threats we recommend running up-to-date real-time security software such as Windows Defender for Windows 8.1 and Windows 10.

    We also recommend you:

    For more tips on preventing malware infections, including ransomware infections, see:

    Locky malware, lucky to avoid it
    https://blogs.technet.microsoft.com/mmpc/2016/02/24/locky-malware-lucky-to-avoid-it/
    Wed, 24 Feb 2016 20:01:01 +0000

    You may have seen reports of the Locky malware circulating the web; we think this is a good time to discuss its distribution methods, and reiterate some best-practice methods that will help prevent infection.

    We’ve seen Locky being distributed by spam email, not in itself a unique distribution method, but this means that spreading is broad and not isolated to any particular region. This ransomware knows no borders, and we’ve seen high infection rates across the world.
    The Locky email attachment usually arrives as a Word document, but could also be an Excel document, that appears to be an invoice. We’ve also seen the following downloaders distribute Ransom:Win32/Locky.A:

    If you open this file and allow the macro to run, the malware is downloaded and runs on your PC, encrypting your files. A ransom message is then displayed demanding payment in order to unlock your encrypted files. Note that once your files are encrypted, the only guaranteed way to restore them is from backup. Microsoft does not recommend you pay the ransom; there is no guarantee that this will give you access to your files.

    While Microsoft detects and removes Locky, we recommend you disable macros to help prevent this and other macro-downloaded threats from infecting your PC, and then only enable macros that you trust, on a case-by-case basis. To help keep your enterprise secure, consider using a trusted location for files in your enterprise; you can then store documents that require macros there. You can also use our cloud protection services to help boost your protection; this, and other advice on how to help keep your PC protected, is outlined below.


    Disable all except digitally signed macros in Microsoft Word

    To help prevent malicious files from running macros that might download malware automatically, we recommend you change your settings to disable all except digitally signed macros.

    To do this:

    1. Open a Microsoft Word document.
    2. Click the File tab.
    3. Click Options.
    4. In the Trust Center, click Trust Center Settings.

    Trust Center settings

    5. Select Disable all macros except digitally signed macros.

    Macro settings in Trust Center

    6. Click OK.


    Block macros from running in Office files from the Internet in your enterprise

    Office 16 provides a Group Policy setting that enables you to block macros from running in Word, Excel and PowerPoint files from the Internet. Read about how to block macros from running in Office 16 files from the Internet.
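The PowerShell below is an added example, not code from this post or the earlier Office 2016 post. It audits the controls both describe: the Zone.Identifier stream Windows keeps on files from the Internet zone (the "security zone information" the blocking feature relies on), the Trust Center VBAWarnings value that the six steps above set (3 = disable all except digitally signed macros), and the Group Policy value behind "Block macros from running in Office files from the Internet". It assumes Office 2016 (16.0) registry paths and a Windows host with PowerShell 3 or later; the document path is a placeholder.

```powershell
# Added example (not from either MMPC post): audit Office 2016 macro controls.
# Zone IDs as written in Zone.Identifier: 0 local, 1 intranet, 2 trusted sites,
# 3 Internet, 4 restricted sites. A file with no stream is treated as local.
function Get-FileSecurityZone {
    param([Parameter(Mandatory)][string]$Path)
    $zone = 0
    $stream = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($line in @($stream)) {
        if ($line -match '^ZoneId=(\d+)') { $zone = [int]$Matches[1] }
    }
    [pscustomobject]@{ Path = $Path; ZoneId = $zone; FromInternet = ($zone -ge 3) }
}

# VBAWarnings: 1 enable all, 2 disable with notification (the Office default),
# 3 disable except digitally signed, 4 disable all without notification.
$VbaWarningMeaning = @{
    1 = 'enable all macros (unsafe)'
    2 = 'disable all macros with notification'
    3 = 'disable all except digitally signed macros'
    4 = 'disable all macros without notification'
}

function Get-OfficeMacroPolicy {
    param([string[]]$Apps = @('Word', 'Excel', 'PowerPoint'), [string]$Version = '16.0')
    foreach ($app in $Apps) {
        $userKey   = "HKCU:\Software\Microsoft\Office\$Version\$app\Security"
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        $user   = (Get-ItemProperty -Path $userKey   -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $policy = (Get-ItemProperty -Path $policyKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $block  = (Get-ItemProperty -Path $policyKey -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        # A policy value wins over the user's Trust Center choice; no value means the default.
        $effective = if ($null -ne $policy) { $policy } elseif ($null -ne $user) { $user } else { 2 }
        [pscustomobject]@{
            Application          = $app
            VBAWarnings          = $effective
            Meaning              = $VbaWarningMeaning[[int]$effective]
            EnforcedByPolicy     = ($null -ne $policy)
            BlocksInternetMacros = ($block -eq 1)
        }
    }
}

# Combine both: would this document's macros be blocked outright by the policy?
function Test-MacroBlockedByPolicy {
    param([Parameter(Mandatory)][string]$Path, [string]$App = 'Word')
    $zone   = Get-FileSecurityZone -Path $Path
    $policy = Get-OfficeMacroPolicy -Apps $App
    [pscustomobject]@{
        Path            = $Path
        ZoneId          = $zone.ZoneId
        BlockedByPolicy = ($zone.FromInternet -and $policy.BlocksInternetMacros)
        VBAWarnings     = $policy.Meaning
    }
}

Get-OfficeMacroPolicy | Format-Table -AutoSize
Test-MacroBlockedByPolicy -Path 'C:\Users\Public\Downloads\invoice.docm'   # placeholder path
```

A document copied into a trusted location, or unblocked through its Properties dialog, loses the Zone.Identifier stream, which is why the earlier post asks administrators to keep trusted locations under control rather than letting users work around the block.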


    Only enable trusted content

    If you have disabled macros, when you open a file that has macros you’ll see a message bar similar to the following:

    Enable macro message

    Only click Enable Content if you trust the file, that is, you know where it’s from and are certain that running the macro is harmless.


    Use advanced threat and cloud protection

    You can boost your protection by using Office 365 Advanced Threat Protection and also enabling Microsoft Active Protection Service (MAPS).

    Office 365 helps by blocking dangerous email threats; see the Overview of Advanced Threat Protection in Exchange: new tools to stop unknown attacks, for details.

    MAPS uses cloud protection to help guard against the latest malware threats. You should check if MAPS is enabled on your PC.


    Help prevent malware infections on your PC

    There are a number of other things you can do to help prevent malware infections, for example:


    So to wrap this up: this ransomware is bad, but infection is preventable! Microsoft detects and removes this threat, but by ensuring that you only run known, trusted macros, you’ll help prevent a Locky infection – and any other malware that relies on malicious macros. Generally, a good approach is to only allow digitally signed macros that you trust to run on any of your documents.

    Stay safe, from all of us at the MMPC.

    -Jasmine Sesso, MMPC

    Cleaners ought to be clean (and clear)
    https://blogs.technet.microsoft.com/mmpc/2016/02/24/cleaners-ought-to-be-clean-and-clear/
    Wed, 24 Feb 2016 16:00:53 +0000

    There are many programs that purport to clean up and optimize system performance. While Microsoft does not endorse the use of these tools with Windows, we do not view them as unwanted or malicious.

    Many programs in this category have a practice of providing a free version of their software that scans your system, presents the number of errors it found, and offers you to purchase the full version to remove these errors.

    However, some programs run on your system and display only an aggregated number of errors, without disclosing to you what the errors are, which items they stem from, and what benefit you will get as a result of correcting them. This lack of disclosure deprives you of the clarity and transparency you need to determine the validity of what is being called out as errors, and of the value you can expect from the action the program is proposing to take.

    This becomes even more accentuated when a free version of a program calls out errors and warnings, doesn’t provide you with any clarity as to what is wrong, and offers you to buy a premium version in order to fix the errors the free version found on your machine – albeit not letting you know with clear specificity what value you can expect from the purchase of the premium version of the program. This makes your purchasing decision arbitrary, and fear-based, rather than rational.

    Another example of an unwanted behavior is when system cleaner/optimizer programs present Windows-created prefetch files (.pf) as errors, or encourage you to remove them. Prefetch files are created by the Windows operating system to improve its performance by reducing the load times of programs. They are not errors (or ‘junk’ as some cleaner/optimizer programs refer to them).  Such programs should neither mislead you to think these are errors or junk files, nor should they encourage you to remove these operating system created files from your system.

    Our criteria state that you must be able to expect that the actions a system maintenance or optimization program takes towards system performance are actually beneficial. Unwanted behaviors include displaying exaggerated claims about the system’s health.

    Accordingly, to be compliant with our objective criteria, programs must provide details that back up their claims, so that you have the ability to assess what the program found and deems to be errors, and determine if you’d like to take the program’s recommended actions.

    Microsoft security products, such as Windows Defender for Windows 10, will continue to classify optimization programs that do not provide details as unwanted software, detect and remove them.

    Barak Shein
    MMPC

    MSRT February 2016
    https://blogs.technet.microsoft.com/mmpc/2016/02/09/msrt-february-2016/
    Tue, 09 Feb 2016 17:00:07 +0000

    The February release of the Microsoft Malicious Software Removal Tool (MSRT) includes updated detections for the following malware families:

    The updates include detections for the latest variants from these malware families. There were no new malware families added to the MSRT this month.

    The MSRT works in tandem with real-time antimalware products such as Windows Defender for Windows 10. An up-to-date real-time security product is the best protection against malware and unwanted software. It’s also important to keep all your software up-to date and regularly back up your files.

    Enhanced Mitigation Experience Toolkit (EMET) version 5.5 is now available
    https://blogs.technet.microsoft.com/srd/2016/02/02/enhanced-mitigation-experience-toolkit-emet-version-5-5-is-now-available/
    Tue, 02 Feb 2016 17:17:28 +0000

    The Enhanced Mitigation Experience Toolkit (EMET) benefits enterprises and all computer users by helping to protect against security threats and breaches that can disrupt businesses and daily lives. It does this by anticipating, diverting, terminating, blocking, or otherwise invalidating the most common actions and techniques adversaries might use to compromise a computer. In this way, EMET can help protect your computer systems even from new and undiscovered threats before they are formally addressed by security updates and antimalware software.

    Today we are pleased to announce the release of EMET 5.5, which includes the following new functionality and updates:

    • Windows 10 compatibility
    • Improved configuration of various mitigations via GPO
    • Improved writing of the mitigations to the registry, making it easier to leverage existing tools to manage EMET mitigations via GPO
    • EAF/EAF+ pseudo-mitigation performance improvements
    • Support for untrusted fonts mitigation in Windows 10

    Mitigations in Windows 10

    EMET was released in 2009 as a standalone tool to help enterprises better protect their Windows clients by providing an interface to manage built-in Windows security mitigations while also providing additional features meant to disrupt known attack vectors used by prevalent malware. Since that time, we have made substantial improvements to the security of the browser and the core OS. With Windows 10 we have implemented many features and mitigations that can make EMET unnecessary on devices running Windows 10. EMET is most useful to help protect down-level systems, legacy applications, and to provide Control Flow Guard (CFG) protection for 3rd party software that may not yet be recompiled using CFG.

    Some of the Windows 10 features that provide equivalent (or better) mitigations than EMET are:

    Device Guard: Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. Device Guard provides hardware-based zero day protection for all software running in kernel mode, thus protecting the device and Device Guard itself from tampering, and app control policies that prevent untrusted software from running on the device.

    Control Flow Guard (CFG): As developers compile new apps, CFG analyzes and discovers every location that any indirect-call instruction can reach. It builds that knowledge into the binaries (in extra data structures – the ones mentioned in a dumpbin/loadconfig display). It also injects a check, before every indirect-call in your code, that ensures the target is one of those expected, safe locations. If that check fails at runtime, the operating system closes the program.
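Since EMET's remaining value on Windows 10 is CFG for third-party binaries that were not recompiled with it, an administrator needs to know which binaries those are. The PowerShell below is an added example (not from the EMET post) that reads the DllCharacteristics field of a PE file's optional header and reports the documented IMAGE_DLLCHARACTERISTICS flags, including the CFG bit that a "dumpbin /loadconfig"-style inspection reflects. It assumes a PE file on disk; the example path is a placeholder.

```powershell
# Added example (not from the EMET post): report the link-time mitigation flags
# of a PE image. Flag values are the documented IMAGE_DLLCHARACTERISTICS_*
# constants; DllCharacteristics sits at offset 70 of the optional header for
# both PE32 and PE32+.
function Get-PeMitigationFlags {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path is not an MZ executable"
    }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)          # e_lfanew
    if ($peOffset + 96 -gt $bytes.Length -or
        [BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {   # "PE\0\0"
        throw "$Path has no PE signature"
    }
    $optHeader = $peOffset + 4 + 20                             # after signature + COFF header
    $magic     = [BitConverter]::ToUInt16($bytes, $optHeader)
    $dllChars  = [BitConverter]::ToUInt16($bytes, $optHeader + 70)
    $format = if ($magic -eq 0x20B) { 'PE32+' } elseif ($magic -eq 0x10B) { 'PE32' } else { 'unknown' }
    [pscustomobject]@{
        Path             = $Path
        Format           = $format
        ControlFlowGuard = [bool]($dllChars -band 0x4000)   # IMAGE_DLLCHARACTERISTICS_GUARD_CF
        DynamicBase      = [bool]($dllChars -band 0x0040)   # ASLR opt-in
        HighEntropyVA    = [bool]($dllChars -band 0x0020)   # 64-bit ASLR
        NxCompat         = [bool]($dllChars -band 0x0100)   # DEP opt-in
    }
}

# Placeholder path: point this at a third-party application's install folder.
Get-ChildItem -Path 'C:\Program Files\ExampleApp' -Include *.exe, *.dll -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-PeMitigationFlags -Path $_.FullName } |
    Where-Object { -not $_.ControlFlowGuard } |
    Format-Table Path, Format, ControlFlowGuard, DynamicBase, NxCompat -AutoSize
```

Binaries listed without the CFG bit are the ones for which EMET's CFG mitigation still adds something on Windows 10; everything else already carries the check the paragraph above describes.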

    AppLocker: AppLocker is an application control feature introduced in Windows 7 that helps prevent the execution of unwanted and unknown applications within an organization's network while providing security, operational, and compliance benefits. AppLocker can be used in isolation or in combination with Device Guard to control which apps from trusted publishers are allowed to run.

    For more information on Windows 10 security features please review the Windows 10 Security overview whitepaper on TechNet.

    EMET 5.5 and Edge

    Given the advanced technologies used to protect Microsoft Edge, including industry leading sandboxing, compiler, and memory management techniques, EMET 5.5 mitigations do not apply to Edge.


    For support using EMET 5.5, please visit https://support.microsoft.com/en-us/kb/2458544.


    The EMET team

    Triaging the exploitability of IE/EDGE crashes
    https://blogs.technet.microsoft.com/srd/2016/01/12/triaging-the-exploitability-of-ieedge-crashes/
    Tue, 12 Jan 2016 14:27:00 +0000

    Introduction

    Both Internet Explorer (IE) and Edge have seen significant changes in order to help protect customers from security threats. This work has featured a number of mitigations that together have not only rendered classes of vulnerabilities non-exploitable, but also dramatically raised the cost for attackers to develop a working exploit.

    Because of these changes, determining the exploitability of crashes has become increasingly complicated, as the effect of these mitigations must be taken into account during analysis. We have received a number of requests from the security community for clarification on how these mitigations affect exploitability. To ensure that only valid issues are submitted, we thought it may be useful to offer some guidance.


    Use after free mitigations

    Use-after-free (UAF) is a common type of vulnerability in modern object-oriented software. It occurs when an instance of an object is freed while a pointer to the object is still held by the program. Since the object instance has been freed, this pointer is dangling, pointing to unmapped memory. Such a vulnerability is exploitable when the unmapped memory is controllable by an attacker and is used when the dangling pointer is later dereferenced by the program. We can split UAF vulnerabilities into three classes based on where the dangling pointer is stored: the stack, the heap, and the registers.

    We have developed two primary mitigations to protect against UAFs:

    • Memory Protector (MP) [IE10 and below]

    MP is designed to protect objects against UAFs where the reference is stored on the stack, or in a register.

    • MemGC [Edge & IE11]

    MemGC is a new replacement for MP, currently enabled on Edge and IE11. Protected objects are only freed when no references exist on the stack, heap or registers, offering complete coverage.


    Exploitability & Servicing

    MemGC [Edge & IE11]

    • We consider UAFs that are addressed by MemGC strongly mitigated, and will not issue a security update for them.
    • The only exception for this are rare cases where zero writing the object leads to an exploitable state, although we have yet to see an occurrence of this.

    Memory Protector [IE10 and below]

    • We consider stack and register based UAFs strongly mitigated and will not issue a security update for them, except in the circumstances explained below.
    • Heap reference based UAFs are not mitigated by MP, and so will still be addressed via a security update.


    Triaging crashes

    Memory protector

    Memory protector (MP) is a mitigation first introduced in July 2014 initially for all supported versions of Internet Explorer, but now only applies to IE 10 and below. It is designed to mitigate a subset of use-after-free vulnerabilities, due to dangling pointers stored on the stack or the registers. At a high level, it works as follows:

    1. When delete is called on an object instance, its contents are zeroed and it is placed in a queue. Once the queue has reached a threshold size, we begin checking whether it is safe to free each object instance in the queue.
    2. To test whether it is safe to free an object instance, we scan both the registers and all pointer-aligned stack entries for a pointer to the object. If no pointer is found, the object is freed; otherwise it is kept in the queue.

    Part (1) of the algorithm only delays the potential freeing of the object to a later point in time; that delay is controllable by an attacker, and as such it is not considered a security mitigation.

    To make it easier to determine the exploitability of these issues, MP has a mode called “Stress Mode”. Under this mode the delayed free component (1) of MP is disabled: stack/register scanning happens on every free, rather than when the queue has reached a threshold length. It can be enabled with the registry key:

    HKLM:/Software/Microsoft/Internet Explorer/Main/Feature Control/FEATURE_MEMPROTECT_MODE/iexplore.exe DWORD 2

    (note that this key, and “Stress Mode” are only applicable to MP, not MemGC).

    Example crash

    With the delayed free component of MP disabled, forcing the object instance to be freed at the earliest possible instant, we can concentrate on determining exploitability based on Part (2), as shown in the illustrative example below:


    In this case, we have a use-after-free vulnerability causing a near-null dereference. Tracing backwards, we can see that the value of eax was set a few instructions earlier:

    If we look at this object in memory, we see that it has been zeroed, and by checking the PageHeap End Magic we can see that this heap chunk is still allocated under Stress Mode:

    Now we need to see if there are any stack references to this object instance, starting at the call frame when delete was called. This can be completed using windbg scripting: for example, scanning for references to an object with base address stored in ebx with size 0x30:


    Checking stack reference locations with MP

    In this case, we find a single reference to the object instance on the stack. With this information we must now check to see which call frame contains this reference.

    Here, we show an example call stack at the point when the object is deleted:

    If there is a reference to an object instance on the stack or in the registers, MP will never free that object instance. Thus, if there is always a stack reference from the point where delete is first called in frame_2 until the point where we crash with a near-null dereference in frame_5, the object instance cannot be freed and reallocated or controlled by an attacker.

    In this example, the reference we found by scanning the stack (at 0x1024ae9c) is stored in frame_8. Since this reference is present the whole time between the freeing point in frame_2 and the crashing point in frame_8, we consider this case not exploitable, because it is strongly mitigated by MP.

    Two other main situations can also occur:

    1. If (for example) the stack reference were in frame_3 rather than frame_8, there would be a period between the freeing of the object and the crashing point during which there are no stack references. This case may be exploitable, since if the code path between these points can be slightly altered to force another call to delete, we will be left with an exploitable situation.
    2. When running under Stress Mode, the crash may now occur on a freed block, since the delayed-free component is disabled (usually because the only remaining reference is stored on the heap). In this circumstance the case would generally be exploitable.

    MemGC

    MemGC is the new replacement for MP, currently available in Edge and all supported versions of IE11, and it mitigates use-after-free vulnerabilities in a similar fashion to MP. However, it also offers additional protection by scanning the heap, as well as the stack and registers, for references to protected object types. MemGC zero-writes the object upon free and delays the actual free until garbage collection is triggered and no references to the freed object are found.

    Just as with MP, mitigated use-after-free vulnerabilities will most likely result in a near-null pointer dereference, or occasionally in no crash at all. If you suspect that a near-null pointer dereference is actually a mitigated use-after-free vulnerability, you can verify this with the following steps:

    • Find the position where the near-null value is read, determining the base pointer of the object:

    If we dump the object, we can see that it has been zero-written, as before:


    • Trace back and find the allocation call stack for this chunk, using the base pointer found in the first step. If the object was allocated with edgehtml!MemoryProtection::HeapAlloc() or edgehtml!MemoryProtection::HeapAllocClear(), the object is tracked by MemGC, e.g.


    Similarly, when the object is freed, it will be via edgehtml!MemoryProtection::HeapFree() e.g.


    To double check that the issue is successfully mitigated, we can scan for references to the object on both the heap and stack.

    For scanning the stack, we can use the same technique as described in the Memory Protector section. We can then use the same criteria as described above to determine exploitability; if there exists a stack reference between the freeing point and crashing point, we consider it strongly mitigated by MemGC.

    When scanning the heap, we use a similar method, by first scanning the heap for references with values between the base pointer and basepointer+object_size of the object we are interested in. If any references are found, we then just need to check to see what objects they are associated with. If the object containing the reference is also tracked by MemGC (i.e. allocated via HeapAlloc() or HeapAllocClear()), then MemGC will not free the object we are interested in, so we consider it strongly mitigated by MemGC.

    In this example, if we use the stack scanning command from above, we see that there is a reference on the stack preventing the object from being freed between the deletion and crashing points, making it successfully mitigated by MemGC.
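The following Python model is an added example, not code from the post or from Microsoft. It reproduces the two scans described in the Memory Protector and MemGC sections above: MP's delayed-free queue with its stack/register scan (including Stress Mode, where the scan runs on every delete), and MemGC's additional heap scan, which only honours references held by objects that are themselves tracked. It also encodes the triage rule used above: a reference must be live at every point between the delete and the crashing dereference for the case to count as strongly mitigated. Every address, register value, stack slot and object below is constructed for illustration.

```python
"""Model of Memory Protector (MP) and MemGC reference scanning.

Added example, not Microsoft's code. Addresses, stack contents, registers
and heap objects are constructed here for illustration only.
"""
from dataclasses import dataclass, field

PTR = 4  # 32-bit pointer-aligned slots, as in the IE/Edge examples above


@dataclass
class Obj:
    base: int
    size: int
    tracked: bool = True        # allocated via MemoryProtection::HeapAlloc* (MemGC only)
    freed: bool = False
    data: bytearray = field(default_factory=bytearray)

    def __post_init__(self):
        if not self.data:
            self.data = bytearray(b"\xaa" * self.size)   # placeholder live contents

    def words(self):
        """Pointer-aligned words stored in the object body (little-endian)."""
        return [int.from_bytes(self.data[o:o + PTR], "little")
                for o in range(0, self.size - PTR + 1, PTR)]


def refs_in(values, base, size):
    """Values that point anywhere inside [base, base+size)."""
    return [v for v in values if base <= v < base + size]


def stack_and_register_refs(stack, registers, base, size):
    """Part (2) of MP: scan registers and every pointer-aligned stack slot."""
    return refs_in(list(registers.values()) + list(stack), base, size)


def heap_refs(heap, base, size):
    """MemGC addition: scan the body of every heap object for references."""
    return [(h, v) for h in heap for v in refs_in(h.words(), base, size)]


class MemoryProtector:
    """Part (1) delayed-free queue feeding the Part (2) scan."""

    def __init__(self, threshold=4, stress_mode=False):
        self.threshold = threshold
        self.stress_mode = stress_mode   # FEATURE_MEMPROTECT_MODE = 2: scan on every delete
        self.queue, self.freed = [], []

    def delete(self, obj, stack, registers):
        obj.data[:] = bytes(obj.size)    # contents are zero-written immediately
        self.queue.append(obj)
        if self.stress_mode or len(self.queue) >= self.threshold:
            self.sweep(stack, registers)

    def sweep(self, stack, registers):
        keep = []
        for obj in self.queue:
            if stack_and_register_refs(stack, registers, obj.base, obj.size):
                keep.append(obj)         # dangling pointer still live: stays allocated
            else:
                obj.freed = True
                self.freed.append(obj)
        self.queue = keep


def memgc_would_free(obj, stack, registers, heap):
    """MemGC frees only when neither stack/registers nor a tracked heap object refers to it."""
    if stack_and_register_refs(stack, registers, obj.base, obj.size):
        return False
    return not any(h.tracked for h, _ in heap_refs(heap, obj.base, obj.size))


def strongly_mitigated(snapshots, base, size):
    """Triage rule from the post: mitigated if a stack/register reference exists at
    every point between the delete and the crashing dereference."""
    return all(refs_in(s, base, size) for s in snapshots)


def demo():
    base, size = 0x1024AE00, 0x30                         # constructed object address/size
    victim = Obj(base, size)
    registers = {"eax": 0, "ebx": base, "ecx": 0x41}      # ebx holds the base, as in the post
    stack = [0x7FFD0000, base + 0x10, 0, 0x1]             # one interior reference on the stack

    # Stress Mode: the delete scans at once; the stack reference keeps the chunk
    # allocated, and a zero-written field read through it yields the near-null value.
    mp = MemoryProtector(stress_mode=True)
    mp.delete(victim, stack, registers)
    kept = not victim.freed and victim.words()[0] == 0

    # A second object with no live reference is freed by the same sweep.
    orphan = Obj(base + 0x100, size)
    mp.delete(orphan, stack, registers)

    # MemGC: a reference inside a tracked heap object pins the victim; an
    # untracked holder does not count.
    holder = Obj(0x2000000, 0x10)
    holder.data[4:8] = (base + 4).to_bytes(4, "little")
    pinned = not memgc_would_free(victim, [0], {"eax": 0}, [holder])
    untracked = Obj(0x3000000, 0x10, tracked=False)
    untracked.data[0:4] = base.to_bytes(4, "little")
    freeable = memgc_would_free(victim, [0], {"eax": 0}, [untracked])

    always = [[base], [base, 7], [base + 8]]   # reference live at every step
    gap = [[base], [0x41], [base]]              # a window with no reference
    return {"kept": kept, "orphan_freed": orphan.freed, "pinned": pinned,
            "untracked_freeable": freeable,
            "always_mitigated": strongly_mitigated(always, base, size),
            "gap_mitigated": strongly_mitigated(gap, base, size)}
```

The `gap` case corresponds to situation (1) above: the reference disappears for a while, so another sweep in that window could free the object, and the case needs further analysis rather than being closed as mitigated.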

    Conclusions

    In conclusion, these new mitigations dramatically enhance security by making whole classes of use-after-free vulnerabilities non-exploitable. When triaging issues in both IE and Edge, the behavior of these mitigations needs to be taken into account in order to determine the exploitability of these issues.

    Acknowledgments

    We would like to thank the following people for their contribution to this post:

    Chris Betz, Crispin Cowan, John Hazen, Gavin Thomas, Marek Zmyslowski, Matt Miller, Mechele Gruhn, Michael Plucinski, Nicolas Joly, Phil Cupp, Sermet Iskin, Shawn Richardson and Suha Can

    Stephen Fleming & Richard van Eeden. MSRC Engineering, Vulnerabilities & Mitigations Team.

    Keeping browsing experience in users’ hands
    https://blogs.technet.microsoft.com/mmpc/2015/12/21/keeping-browsing-experience-in-users-hands/
    Mon, 21 Dec 2015 22:45:01 +0000

    In April last year we announced some changes to our criteria around adware, designed to ensure that users maintain control of their experience. These changes are described in our blog post, Adware: a New Approach. Since then, we’ve taken policy and enforcement measures to address unwanted behaviors exhibited by advertising programs that take choice and control away from users.

    Ad injection software has evolved, and is now using a variety of ‘man-in-the-middle’ (MiTM) techniques. Some of these techniques include injection by proxy, changing DNS settings, network layer manipulation and other methods. All of these techniques intercept communications between the Internet and the PC to inject advertisements and promotions into webpages from outside, without the control of the browser. Our intent is to keep the user in control of their browsing experience and these methods reduce that control.

    There are many additional concerns with these techniques, some of these include:

    • MiTM techniques add security risk to customers by introducing another vector of attack to the system.
    • Most modern browsers have controls in them to notify the user when their browsing experience is going to change and confirm that this is what the user intends. However, many of these methods do not produce these warnings and reduce the choice and control of the user.
    • Many of these methods also alter advanced settings and controls that the majority of users will not be able to discover, change, or control.

    To address these and to keep the intent of our policy, we’re updating our Adware objective criteria to require that programs that create advertisements in browsers must only use the browsers’ supported extensibility model for installation, execution, disabling, and removal.

    The choice and control belong to the users, and we are determined to protect that.

    We encourage developers in the ecosystem to comply with the new criteria. We are providing an ample notification period for them to work with us as they fix their programs to become compliant. Programs that fail to comply will be detected and removed.

    Enforcement starts on March 31, 2016.

    Barak Shein and Michael Johnson

    MMPC

    Microsoft updates Trusted Root Certificate Program to reinforce trust in the Internet
    https://blogs.technet.microsoft.com/mmpc/2015/12/17/microsoft-updates-trusted-root-certificate-program-to-reinforce-trust-in-the-internet/
    Thu, 17 Dec 2015 17:00:10 +0000

    At Microsoft, we are continuously working to deliver on our commitment to the security of our customers and their ecosystems. A core component of our strategy to inform Windows users about the safety of the websites, apps and software they’re accessing online is built into the Microsoft Trusted Root Certificate Program. This program takes root certificates supplied by authorized Certificate Authorities (CAs) around the world and ships them to your device to tell it which programs, apps and websites are trusted by Microsoft.

    Our efforts to provide a seamless and secure experience usually take place in the background, but today, we want to tell you about some changes we have made to this program. These crucial modifications will help us better guard against evolving threats affecting websites and the apps ecosystem, but they may impact a small set of customers who have certificates from affected partners.

    This past spring, we began engaging with Certificate Authorities (CA) to solicit feedback and talk about upcoming changes to our Trusted Root Certificate Program. Among other things, the changes included more stringent technical and auditing requirements. The final program changes were published in June 2015. Since then, we have been working, directly and through community forums, to help our partners understand and comply with the new program requirements.

    Through this effort, we identified a few partners who will no longer participate in the program, either because they have chosen to leave voluntarily or because they will not be in compliance with the new requirements. We’ve published a complete list of Certificate Authorities below that are out of compliance or voluntarily chose to leave the program and will have their roots removed from the Trusted Root CA Store in January 2016. We encourage all owners of digital certificates currently trusted by Microsoft to review the list and take action as necessary.

    The certificate-dependent services you manage will be impacted if the certificates you use chain up to a root certificate Microsoft removes from the store. Though the actual screens and text vary depending on which browser a customer is using, here’s what will usually happen:

    • If you use one of these certificates to secure connections to your server over https, when a customer attempts to navigate to your site, that customer will see a message that there is a problem with the security certificate.
    • If you use one of these certificates to sign software, when a customer attempts to install that software on a Windows operating system, Windows will display a warning that the publisher may not be trusted. In either case, the customer may choose to continue.

    We strongly encourage all owners of digital certificates currently trusted by Microsoft to review the list here and investigate whether their certificates are associated with any of the roots we will be removing as part of the update. If you use a certificate that was issued by one of these companies, we strongly recommend that you obtain a replacement certificate from another program provider. The list of all providers is located at https://aka.ms/trustcertpartners.

    With Windows 10 we will continue to work hard to provide you with safer experiences you expect from Windows, keeping you in control and helping you do great things.

    How to determine your digital certificates

    If you are unsure of how to determine the root of your digital certificates, I have included some guidance, by browser, below. For more information on the program itself, visit https://aka.ms/rootcert.

    Microsoft Edge

    1. Navigate to a web page that uses your certificate.
    2. Click the Lock icon (in the web address field); the company under “Website Identification” is the company that owns the root.

    Internet Explorer

    1. Navigate to a web page that uses your certificate.
    2. Click the Lock icon (in the web address field).
    3. Click View Certificates, then Certification Path.
    4. View the certificate name at the top of the Certificate Path.

    Chrome

    1. Navigate to a web page that uses your certificate.
    2. Click the Lock icon (in the web address field).
    3. Click Connection, then Certificate Information.
    4. Click Certification Path.
    5. View the certificate name at the top of the Certificate Path.

    Firefox

    1. Navigate to a web page that uses your certificate.
    2. Click the Lock icon (in the web address field), then click the arrow on the right.
    3. Click More Information, then View Certificate.
    4. Click Details.
    5. View the certificate name at the top of the Certificate Path.
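The browser steps above find the root by reading the top of the Certification Path by hand. As an added example (not Microsoft's tooling or the program's published list), the Python below does the same walk programmatically: it follows issuer links from a leaf certificate up to a self-signed root, guards against missing issuers and loops, and then reports whether that root is trusted, absent, or on a list of roots scheduled for removal. Certificates are modelled by subject, issuer and thumbprint; every certificate, thumbprint and the removal list are constructed placeholders.

```python
"""Find which root a certificate chains to and check it against a root store.

Added example, not Microsoft's tooling. Certificates are modelled by their
subject, issuer and thumbprint; every certificate, thumbprint and the
'roots being removed' list below is a constructed placeholder, not the
program's published list.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    thumbprint: str          # hex SHA-1 of the DER encoding on a real certificate

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def build_chain(leaf, pool, max_depth=10):
    """Walk issuer links from leaf to a self-signed root (the top of the
    'Certification Path' shown by the browsers above)."""
    by_subject = {c.subject: c for c in pool}
    chain, seen = [leaf], {leaf.thumbprint}
    while not chain[-1].self_signed:
        if len(chain) >= max_depth:
            raise ValueError("chain exceeds max_depth")
        issuer = by_subject.get(chain[-1].issuer)
        if issuer is None:
            raise LookupError(f"no certificate found for issuer {chain[-1].issuer!r}")
        if issuer.thumbprint in seen:
            raise ValueError("issuer loop in chain")
        seen.add(issuer.thumbprint)
        chain.append(issuer)
    return chain


def root_status(leaf, pool, trusted_roots, removal_list):
    """Return (root subject, status). Status is 'scheduled-for-removal' when the
    root is on the removal list (it still works until the store update ships),
    'trusted' when present in the store, otherwise 'not-trusted'."""
    root = build_chain(leaf, pool)[-1]
    if root.thumbprint in removal_list:
        return root.subject, "scheduled-for-removal"
    if root.thumbprint in trusted_roots:
        return root.subject, "trusted"
    return root.subject, "not-trusted"


# Constructed sample data: two roots, one of which is leaving the program.
STAYING_ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", "A1" * 20)
LEAVING_ROOT = Cert("CN=Departing Root CA", "CN=Departing Root CA", "B2" * 20)
POOL = [
    STAYING_ROOT, LEAVING_ROOT,
    Cert("CN=Example Issuing CA", "CN=Example Root CA", "C3" * 20),
    Cert("CN=Departing Issuing CA", "CN=Departing Root CA", "D4" * 20),
]
TRUSTED_ROOTS = {STAYING_ROOT.thumbprint, LEAVING_ROOT.thumbprint}   # the store today
REMOVAL_LIST = {LEAVING_ROOT.thumbprint}                             # roots removed in the update

SITE_OK = Cert("CN=www.example.com", "CN=Example Issuing CA", "E5" * 20)
SITE_AT_RISK = Cert("CN=shop.example.net", "CN=Departing Issuing CA", "F6" * 20)


def check_all(leaves):
    """Report each leaf's root and whether it will keep chaining to a trusted root."""
    return {leaf.subject: root_status(leaf, POOL, TRUSTED_ROOTS, REMOVAL_LIST)
            for leaf in leaves}
```

On a Windows machine the real thumbprints to feed `TRUSTED_ROOTS` are the ones listed by `Get-ChildItem Cert:\LocalMachine\Root` in PowerShell; matching on thumbprint rather than on subject name matters because distinct roots can share a subject string.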

    Aaron Kornblum
    Enterprise & Security Group Program Manager, Governance, Risk Management & Compliance

    Microsoft assists law enforcement to help disrupt Dorkbot botnets
    https://blogs.technet.microsoft.com/mmpc/2015/12/02/microsoft-assists-law-enforcement-to-help-disrupt-dorkbot-botnets/
    Thu, 03 Dec 2015 14:01:08 +0000

    Law enforcement agencies from around the globe, aided by Microsoft security researchers, have today announced the disruption of one of the most widely distributed malware families – Win32/Dorkbot. This malware family has infected more than one million PCs in over 190 countries.

    Dorkbot spreads through USB flash drives, instant messaging programs, and social networks. It steals user credentials and personal information, disables security protection, and distributes several other prevalent malware families.

    The Microsoft Malware Protection Center (MMPC) and the Microsoft Digital Crimes Unit (DCU) led the analysis of the Dorkbot malware in partnership with ESET and Computer Emergency Response Team Polska (CERT Polska, NASK).

    We activated a Coordinated Malware Eradication (CME) campaign, performed deep research, and provided telemetry to partners and law enforcement such as CERT Polska, ESET, the Canadian Radio-television and Telecommunications Commission (CRTC), the Department of Homeland Security’s United States Computer Emergency Readiness Team (DHS/USCERT), Europol, the Federal Bureau of Investigation (FBI), Interpol, and the Royal Canadian Mounted Police (RCMP), to help take action against Dorkbot infrastructure.

    The MMPC has closely monitored Dorkbot since its discovery in April 2011 and released our research in the following blogs:

    Our real-time security software, such as Windows Defender for Windows 10, and standalone tools such as Microsoft Safety Scanner, and the Malicious Software Removal Tool (MSRT), can detect and remove Dorkbot. It’s important to keep your security software up-to-date to ensure you have the latest protection.

    Dorkbot telemetry

    During the past six months, Microsoft detected Dorkbot on an average of 100,000 infected machines each month. The top 10 countries shown in Figure 2 represent 61 percent of the total infections.

    Figure 1: Dorkbot infection trend for the past six months

    Figure 2: Dorkbot detections by country for the past six months

    Figure 3: Dorkbot machine detections heat map for the past three months

    Dorkbot is an Internet Relay Chat (IRC) based botnet. It is commercialized by its creator as a “crime kit” called NgrBot, which hackers can buy through underground online forums. The kit includes the bot-builder as well as documentation on how to create a Dorkbot botnet. Figures 4 and 5 show one of the builder interfaces for Dorkbot, illustrating all of the functionality that the operator can set through the kit, including the IRC server settings and the command settings.

    Figure 4: Dorkbot builder IRC server settings

    Figure 5: Dorkbot builder command settings

    Distribution

    Dorkbot malware has been distributed in various ways, including:

    • Removable drives (USB “thumb-drives”)
    • Instant messaging clients
    • Social networks
    • Drive-by downloads / Exploit kits
    • Spam emails

    Figure 6: Dorkbot distribution methods

    During a drive-by download infection, a cybercriminal places specialized software known as an exploit kit on a website. An exploit kit is software designed to infect the computers of users who connect to the website by exploiting software vulnerabilities. These websites are known as exploit websites. Sometimes exploit websites are created by the botnet operator specifically for the purpose of spreading the infection, but in other cases they may be legitimate websites that have been hacked by the botnet operator.

    When a computer connects to an exploit website, the exploit kit tries to exploit unpatched software to install the Dorkbot worm.

    Once a machine is infected with the bot, Dorkbot will distribute itself through removable drives, instant messaging clients and social networks.

    Behaviors

    Dorkbot’s primary goal is to steal online account user names and passwords, as well as other personally identifying information.

    Dorkbot loader

    Being sold online, there are several operators utilizing Dorkbot. In the most active campaign, Dorkbot was distributed within a loader module. This loader has its own code for updating itself and distributing other malware. It is also responsible for guiding Dorkbot’s connection to another command-and-control (C&C) server. The operator appears to be abusing the older IRC-based Dorkbot variant by disabling the self-check routine, changing IRC commands, and using the loader to force it to connect to the operator’s own C&C server.

    Figure 7: The original Dorkbot has a self-check routine that was cracked by a recent operator

    Dorkbot loader – update and download other malware

    The loader module contains an encoded download URL in its binary. Currently the binaries hosted in these URLs are Dorkbot’s downloader component, self-update, and other malware families.

    Figure 8: Decoded download URLs in the loader module

    The Dorkbot worm can receive commands to download and install additional malware on the infected computer, so users whose computers are infected with Dorkbot end up infected with other types of malware as well. Some of the malware families that we have seen downloaded by Dorkbot worms are listed below:

    The Microsoft Malicious Software Removal Tool (MSRT) has detection for Dorkbot and most of these malware families.

    Dorkbot loader – guide IRC module to real C&C

    Since mid-2011, the IRC module version has remained the same and only had some byte patches performed by its operators. Patching the original C&C domain inside the IRC module has length limitations, so the operators put code inside the loader module to redirect the IRC module’s connection to a preferred C&C domain.

    The loader creates a trap process (for example, mspaint.exe) and installs a code hook on DNS-related APIs (DnsQuery_A, DnsFree). The hook checks whether the query is for the old C&C server domain and, if so, returns the DNS result for the operator’s preferred domain instead.

    Figure 9: Overview of the trap process guiding the IRC module to the real C&C

    Figure 10: C&C server overriding

    Figure 11: List of C&C domains

    After connecting to the C&C server, the IRC module starts receiving commands.

    Dorkbot – IRC module (aka NgrBot)

    After a Dorkbot worm infects a computer, it connects to one of its pre-programmed C&C servers. Some variants communicate over IRC using encryption technology such as Secure Sockets Layer (SSL). In its first communication, the worm sends the C&C server its geolocation, the version of Windows running on the computer, and a unique computer identifier. At this point, it is ready to begin executing commands sent to it by the botnet operator. The commands available are shown in Figure 5.

    Typically, after connecting to the C&C server, the infected computer will be instructed to download other malware or spread to other computers.

    Figure 12: Dorkbot C&C communication via IRC

    Operators keep patching string fragments such as the IRC-related commands (USER, PASS, NICK, PRIVMSG, etc.) or the machine’s unique nickname format.

    Figure 13: Comparison of the old (top) and new (bottom) versions of Dorkbot

    Stealing online user credentials

    Dorkbot monitors Internet browser communications and intercepts communications with various websites. It does this by hooking network-related APIs such as the following:

    • HttpSendRequestA/W
    • InternetWriteFile
    • PR_Write

    It then steals the user name and password used to log onto the website. Some of the websites that we have seen being targeted include:

    • AOL
    • eBay
    • Facebook
    • Gmail
    • Godaddy
    • OfficeBanking
    • Mediafire
    • Netflix
    • PayPal
    • Steam
    • Twitter
    • Yahoo
    • YouTube

    Anti-security techniques

    Blocking websites

    Once connected to the C&C server, Dorkbot may be instructed to block access to certain security websites. It does this through the hooked DnsQuery API in the IRC module. The main purpose is to prevent an infected machine from updating its antimalware definitions, thus preventing proper remediation of Dorkbot infections. The antimalware and security companies targeted by Dorkbot are listed in our Win32/Dorkbot description.

    Anti-sandbox techniques

    Whenever the loader runs on a system, it records the time of its first execution in %TEMP%\c731200 as UTC converted to seconds. Before downloading the newest Dorkbot variant and other malware, the loader checks whether the current time is at least 48 hours past the time recorded at installation. This way the loader can hide the download URLs from antimalware backend analysis systems (sandboxes).

    Remediation

    To help prevent a Dorkbot infection, as well as other malware and unwanted software:

    • Be cautious when opening emails or social media messages from unknown users.
    • Be wary about downloading software from websites other than the program developers.
    • Run antimalware software regularly.

    Our real-time security software, such as Windows Defender for Windows 10, with up-to-date AV definitions will ensure you have the latest protection against Dorkbot threats.

    Alternatively, standalone tools such as Microsoft Safety Scanner, and the Malicious Software Removal Tool (MSRT), can also detect and remove Dorkbot.

    Microsoft is also continuing the collaborative effort to help clean Dorkbot-infected computers by providing a one-time package with samples (through the Microsoft Virus Initiative) to help organizations in protecting their customers.

    If your security organization is interested in joining or initiating a malware eradication campaign, or you are just interested in participating in the CME program, see the CME program page. You can also reach out to us directly through our contact page for more information.

    Katrin Totcheva, Rodel Finones, HeungSoo Kang and Tanmay Ganacharya
    MMPC

    Shields up on potentially unwanted applications in your enterprise
    https://blogs.technet.microsoft.com/mmpc/2015/11/25/shields-up-on-potentially-unwanted-applications-in-your-enterprise/
    Thu, 26 Nov 2015 01:15:24 +0000

    Has your enterprise environment been bogged down by a sneaky browser-modifier which tricked you into installing adware from a seemingly harmless software bundle? Then you might have already experienced what a potentially unwanted application (PUA) can do.

    The good news is, the new opt-in feature for enterprise users in Windows can spot and stop PUA in its tracks. If you are an enterprise user, and you are running System Center Endpoint Protection (SCEP), or Forefront Endpoint Protection (FEP), it’s good to know that your infrastructure can be protected from PUA installations when you opt-in to the PUA protection feature.  If enabled, PUA will be blocked at download and install time.


    What is PUA and why bother?

    Potentially Unwanted Application (PUA) refers to unwanted application bundlers or their bundled applications.

    These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time cleaning up the applications.

    Since the stakes are higher in an enterprise environment, the potential disaster that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field.

    Typical examples of behavior that we consider PUA include ad-injection, many types of software bundling, and persistent solicitation for payment for services based on fraudulent claims.


    PUA protection for enterprise

    The Potentially Unwanted Application protection feature is available only for enterprise customers.  If you are already one of Microsoft’s existing enterprise customers, you need to opt-in to enable and use PUA protection.

    PUA protection updates are included as part of the existing definition updates and cloud protection for Microsoft’s enterprise customers. No additional configuration is required besides opting into PUA protection.


    Deploying PUA protection

    Systems administrators can deploy the PUA protection feature as a Group Policy setting by configuring the following registry-based policy value for your product version:

    System Center Endpoint Protection, Forefront Endpoint Protection

    Key Path:            HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Microsoft Antimalware\MpEngine

    Value Name:      MpEnablePus


    Note: The following configuration is available for machines that are managed by System Center Endpoint Protection.

    Windows Defender

    Key Path:            HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine

    Value Name:      MpEnablePus


    The group policy value for MpEnablePus can be configured as a DWORD type as follows:

    Value (DWORD)    Description
    0 (default)      Potentially Unwanted Application protection is disabled.
    1                Potentially Unwanted Application protection is enabled. Applications with unwanted behavior will be blocked at download and install time.
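As an added example (not Microsoft's tooling), the Python below turns the two key paths and the MpEnablePus value above into a .reg file that can be imported with reg.exe or pushed as a Group Policy preference, and it also audits an exported .reg file so you can confirm which product has the policy set. The key paths and value semantics are the ones from this post; the standard "Windows Registry Editor Version 5.00" file layout is assumed, and a value that is absent is reported as the default (disabled), per the table above.

```python
"""Generate and audit the PUA protection policy described above as .reg text.

Added example, not Microsoft's tooling. The two key paths and the MpEnablePus
value name and meanings are the ones from the post; the .reg file layout is the
standard 'Windows Registry Editor Version 5.00' format.
"""
import re

POLICY_KEYS = {
    "scep": r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Microsoft Antimalware\MpEngine",
    "defender": r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine",
}
VALUE_NAME = "MpEnablePus"
MEANING = {0: "PUA protection disabled (default)",
           1: "PUA protection enabled: blocked at download and install time"}


def pua_policy_reg(product, enabled=True):
    """Return .reg text that sets MpEnablePus for 'scep' (SCEP/FEP) or 'defender'."""
    key = POLICY_KEYS[product]               # KeyError for an unknown product name
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            f"[{key}]\r\n"
            f"\"{VALUE_NAME}\"=dword:{1 if enabled else 0:08x}\r\n")


_SECTION = re.compile(r"^\[(.+)\]\s*$")
_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})\s*$')


def audit_pua(reg_text):
    """Parse .reg text (for example the output of 'reg export') and report the
    PUA state per product as {product: int or None}. None means the policy
    value is absent, which the table above says behaves as 0 (disabled)."""
    state = {product: None for product in POLICY_KEYS}
    by_key = {key.lower(): product for product, key in POLICY_KEYS.items()}
    current = None
    for line in reg_text.splitlines():
        m = _SECTION.match(line)
        if m:
            current = by_key.get(m.group(1).lower())   # None for unrelated keys
            continue
        m = _DWORD.match(line)
        if m and current and m.group(1) == VALUE_NAME:
            state[current] = int(m.group(2), 16)
    return state


def describe(state):
    """Human-readable meaning of each product's audited value."""
    return {p: MEANING.get(0 if v is None else v, f"unexpected value {v}")
            for p, v in state.items()}
```

Feeding `audit_pua` the output of `reg export "HKLM\Software\Policies\Microsoft" policies.reg` (run on a target machine) gives a quick read of whether the opt-in actually landed before you check detection counts.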


    After enabling this feature, PUA blocking takes effect on endpoint clients after the next signature update or computer restart. Signature updates take place daily under typical circumstances.

    The user experience can vary according to the policy settings that are configured in your enterprise. However, when enabled, the default behavior is that PUA will be blocked and automatically quarantined.


    PUA threat file-naming convention

    When enabled, we will start identifying unwanted software with threat names that start with “PUA:”, such as PUA:Win32/Creprote.

    Specific researcher-driven signatures identify the following:

    • Software bundling technologies
    • PUA applications
    • PUA frameworks


    What does PUA protection look like?

    By default, PUA protection quarantines detected files so they won’t run. PUA will be blocked only at download or install time. A file will be considered for blocking if it meets one of the following conditions:

    • The file is being scanned from the browser
    • The file has Mark of the Web set
    • The file is in the %downloads% folder
    • The file is in the %temp% folder


    The user experience of the blocking depends on the product you have installed.

    With System Center Endpoint Protection deployed, the following dialog box will be shown upon detection:

    SCEP dialog box indicates detection status

    The user can view the blocked software in the History tab.

    You can take a look at the list of blocked applications from the History tab

    On managed Windows 10 endpoints running Windows Defender, the following dialog box will be shown:

    Detection message in Windows Defender

    PUA protection roll-out scenario

    Like all good processes, it is best to plan your PUA protection deployment to get the most out of it. Here are some best practices to plan your PUA protection roll-out.

    As blocking PUA in your enterprise is an explicit choice, it is best practice to do the necessary due diligence such as having a corporate policy or guidance that defines that potentially unwanted applications are not to be installed or downloaded in your corporate environment.

    With a corporate policy or guidance in place, it’s recommended to also sufficiently inform your end-users and your IT Helpdesk about the updated policy or guidance so that they are aware that potentially unwanted applications are not allowed in your corporate environment. This will preemptively inform your end-users as to why SCEP or FEP is blocking their download. By informing your helpdesk about your new policy or guidance, they can resolve end-user questions.

    Finally, if you expect a lot of end-users in your environment to be downloading or installing PUA, then it is recommended that machines be gradually enrolled into PUA protection. In other words, deploy the PUA opt-in policy to a subset of machines, observe the number of detections, determine whether you want to allow any of them in your enterprise, add exclusions for them (all exclusion mechanisms are supported: file name, folder, extension, process) and then gradually roll out the opt-in policy to a larger set of machines.


    Handling false positives

    If you think that an application has been wrongfully identified as PUA, submit the file here, and add ‘PUA’ along with the detection name in the comments section.


    We look forward to providing you with a great protection experience.

    Geoff McDonald, Deepak Manohar, and Dulce Montemayor

    MMPC

    Does prevalence matter? A different approach to traditional antimalware test scoring
    https://blogs.technet.microsoft.com/mmpc/2015/11/23/does-prevalence-matter-a-different-approach-to-traditional-antimalware-test-scoring/
    Tue, 24 Nov 2015 08:00:00 +0000

    Most well-known antimalware tests today focus on broad-spectrum malware. In other words, tests include malware that is somewhat indiscriminate (isn’t necessarily targeted), at least somewhat prevalent and sometimes very prevalent. Typically, tests are not focused on specialized threats that are highly targeted, and most avoid including programs that walk the line between good and evil, such as adware and other programs that we call unwanted software as opposed to malware. Files that are in most test sets are files that antimalware vendors agree a customer would never want and are generally pervasive in the ecosystem.

    The traditional test score counts each file equally. That is, if there are 100 files, each file is worth 1% of the test. In the real world, however, people don’t encounter malware at exactly the same rate. Some malware is incredibly prevalent while other malware families are not as pervasive. Likewise, some malware might focus on certain regional demographics or languages and not affect other parts of the world. When it comes to real customer impact, not all malware has the same distribution or prevalence, yet traditionally scored tests treat every file as if it did.

    Collaborating to create a more applicable scoring model

    Microsoft has been partnering with AV-Comparatives to create a scoring model that incorporates prevalence to represent true customer impact.  At Virus Bulletin (VB) this year, Peter Stelzhammer (AV-Comparatives co-founder) and I presented this model.  Today, AV-Comparatives is releasing the prevalence-weighted results from the most recent file detection test in a PDF report and also on the impact section of their website.  This test compares detection rates of vendors against a very comprehensive malware set – 166k Portable Executable (PE) files.

    After working with AV-Comparatives for many years, I have personally developed a great respect for the way they curate files for their tests. They work diligently to select files that are relevant, are not in that “unwanted” category (which vendors would lobby to dispute out of their test), and they are able to source hundreds of thousands of recent files for the test.  That said, one thing we found is that it is incredibly difficult, if you’re using a traditional scoring model, to attempt to source a perfect number of files that represent ecosystem prevalence.

    For one, many malware families rely on non-PE components to spread. Jenxcus is a good example – its VBS (Visual Basic script) component is one of the most frequently blocked files on our customers’ computers. However, its PE component is seen comparatively rarely, so it’s quite difficult to source enough Jenxcus PE files for a test to equate to that family’s ecosystem prevalence.  Samples from some families might be easier to source than others (more willing to be found or submitted to public sources).  These constraints make it practically impossible to select a test set that perfectly equates to the ecosystem.

    Looking at the prevalence model

    Enter the prevalence model. AMTSO, through the Realtime Threat List (RTTL), has lately been making strides to encourage vendors to share malware prevalence information with testers, helping testers build better test sets. While that project has been moving toward critical mass and getting closer to the features needed to make it work, Microsoft offered to sponsor AV-Comparatives and provide them telemetry details from over 200 million computers in over 100 countries to create a prevalence-weighted model.

    The following chart shows how the test set stacks up to the ecosystem (number of files in comparison to ecosystem prevalence).

    Figure 1: In general, files selected for the most prevalent malware families (those in the high category) were underrepresented using the traditional method of scoring, and those in the low category were overrepresented.

    When you drill down a layer to the highly prevalent malware families, you can start to see why the numbers don’t line up.  Some of the file infector families, like Sality and Virut, had a very large sample set (a great representation of the family in fact). However, other prevalent families, like Gamarue, Dorv, Jenxcus, and Sventore were underrepresented.  Sventore was new – there was only one file to represent that family.  Gamarue, Dorv, and especially Jenxcus didn’t have nearly enough recent PE files available for the test to allow them to equate to their ecosystem prevalence.

    Figure 2: A tabulated sample of the test score impact, another example of the test scores not lining up.

    The prevalence-weighted model takes into account the prevalence of the tested file, the malware family associated with the file, and that family’s partition (high, moderate, low, very low) to calculate each file’s impact on the test. The resulting score is balanced against the actual customer impact in the ecosystem.

    For more details about the exact calculation method, you can see the AV-Comparatives report released today.
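As an added illustration of the two scoring models (this is example code, not code from the post or from AV-Comparatives’ report), the script below scores a constructed test set both ways. The partition weights, the per-family normalisation and all prevalence counts are assumptions chosen for this example, not the report’s published calculation; the family names are those the post mentions.

```python
"""Equal-weight versus prevalence-weighted antimalware test scoring.

Added example. The partition weights and the way file prevalence is folded
into a per-file impact are ASSUMPTIONS for illustration only; they are not
AV-Comparatives' published calculation method.
"""
from dataclasses import dataclass

# Assumed weight of each family partition (hypothetical values).
PARTITION_WEIGHT = {"high": 8.0, "moderate": 4.0, "low": 2.0, "very low": 1.0}


@dataclass(frozen=True)
class TestFile:
    label: str        # constructed label standing in for a file hash
    family: str       # malware family the file belongs to
    partition: str    # family's prevalence partition: high/moderate/low/very low
    prevalence: int   # constructed count of machines that encountered this file


def constructed_test_set():
    """Constructed sample set: family names from the post, counts invented.

    High-prevalence file infectors (Sality, Virut) are over-represented by
    file count, while Sventore and Jenxcus have a single sample each.
    """
    spec = [  # (family, partition, number of files, prevalence per file)
        ("Sality", "high", 4, 100),
        ("Virut", "high", 3, 50),
        ("Sventore", "high", 1, 300),
        ("Jenxcus", "high", 1, 20),
        ("LowFamily", "low", 5, 1),
        ("RareFamily", "very low", 6, 1),
    ]
    return [
        TestFile(f"{family}-{i}", family, partition, prev)
        for family, partition, count, prev in spec
        for i in range(count)
    ]


def traditional_score(files, missed):
    """Every file is worth 1/len(files): the model the post calls traditional."""
    if not files:
        raise ValueError("empty test set")
    return sum(1 for f in files if f.label not in missed) / len(files)


def file_impact(f, family_total):
    """Assumed impact: the family's partition weight is shared among the
    family's files in proportion to each file's own prevalence, so a family
    with many samples in the set is not over-counted."""
    return PARTITION_WEIGHT[f.partition] * f.prevalence / family_total[f.family]


def prevalence_weighted_score(files, missed):
    """Score = impact of detected files / total impact of the set."""
    if not files:
        raise ValueError("empty test set")
    family_total = {}
    for f in files:
        family_total[f.family] = family_total.get(f.family, 0) + f.prevalence
    impacts = {f.label: file_impact(f, family_total) for f in files}
    earned = sum(v for label, v in impacts.items() if label not in missed)
    return earned / sum(impacts.values())


def rank_vendors(files, vendor_misses, weighted):
    """Vendors ordered best-first under the chosen scoring model."""
    scorer = prevalence_weighted_score if weighted else traditional_score
    return sorted(vendor_misses, key=lambda v: scorer(files, vendor_misses[v]), reverse=True)


# Constructed detection results: the set of file labels each vendor missed.
# VendorA misses the single Sventore sample; VendorB misses more files but
# they are low-impact ones, so the two models rank the vendors differently.
VENDOR_MISSES = {
    "VendorA": {"Sventore-0", "LowFamily-0"},
    "VendorB": {"Sality-0", "Sality-1", "RareFamily-0", "RareFamily-1", "RareFamily-2"},
}

if __name__ == "__main__":
    files = constructed_test_set()
    for vendor, missed in VENDOR_MISSES.items():
        print(f"{vendor}: traditional {traditional_score(files, missed):.3f}, "
              f"prevalence-weighted {prevalence_weighted_score(files, missed):.3f}")
    print("ranking (traditional):", rank_vendors(files, VENDOR_MISSES, weighted=False))
    print("ranking (weighted):   ", rank_vendors(files, VENDOR_MISSES, weighted=True))
```

Under equal weighting VendorA scores 0.90 and VendorB 0.75; under the assumed prevalence weighting VendorA drops to 0.76 while VendorB rises to about 0.87, because the one missed Sventore sample carries the whole weight of a high-prevalence family.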

    The charts above show how the prevalence model balanced test scores to make them more accurately represent a vendor’s detection capabilities.  In essence, missed files were scored to represent the malware people were more likely to encounter, which is good information for consumers.  However, prevalence-weighting the score can mean that vendors (at least those who monitor malware prevalence) might have very similar test scores.  Therefore, additional context is probably needed to help consumers make decisions.

    Geolocation is one context we analyzed. In the report, we broke down vendor test scores by country using each country’s malware prevalence profile. There are some examples of vendors that did great in some countries and not so great in others. Scores didn’t always line up with vendors that were co-located in the target region. If you’re interested in a specific country, be sure to check out AV-Comparatives’ regional maps in the report.

    Organizations, especially those that might have special security concerns, might need other differentiation.  After Peter and I presented at VB this year, we got lots of great feedback from people at the conference.  One of the ideas we discussed was differentiating malware prevalence specifically affecting enterprises and even showing the differences between verticals.  Other discussions centered around showing detection differences by type of threat – ransomware in comparison to information stealers, etc.

    Prevalence is but one model that provides additional insight to help people make better-informed decisions when choosing their protection provider. Through partnerships like this one with AV-Comparatives and others in the industry, productive discussions and innovative models result in even better antimalware testing and provide greater benefits to consumers and enterprises alike.

    Holly Stewart

    MMPC

    BlueHat v15 Announces Schedule and Registration
    https://blogs.technet.microsoft.com/bluehat/2015/11/18/bluehat-v15-announces-schedule-and-registration/
    Wed, 18 Nov 2015 13:14:00 +0000

    As we inch closer to the 15th BlueHat Security Conference, we are happy to announce the lineup of speakers and topics for this event. This year continues a solid selection of speakers and topics that engages engineers, executives, and invited guests to discuss and tackle some of the hardest problems facing the industry today. Through this conference, our engineering teams get deep technical information and education on the latest threats from proven industry experts.

    BlueHat is set for Tuesday, January 12th through Wednesday, January 13th at Microsoft’s Redmond campus. The first day will set the stage of the threat environment and what is impacting customers today. The second day splits into four simultaneous tracks (two in the morning and two in the afternoon) focusing on protecting customers and defense strategy, pivoting to help customers, software/service development, and attacks/exploits in the wild.

    External invites have been sent and registration is now open for BlueHat v15. We look forward to another great conference.

    Tuesday, January 12th, 2016 | General Audience

    KEYNOTE

    9:00-9:50 AM | Ofir Arkin | Intel
    Keynote:  Security in a World Out of Our Control

    The traditional security models are failing as they become obsolete in a world where the environment and technology are constantly changing and advancing. The need to allow anywhere, anytime access (mobility) to enterprise resources from any user (collaboration) and any device (BYOD) has challenged the mere existence of the fixed perimeter and the traditional defense mechanisms. In a world where IT is losing control over devices, users and even its own infrastructure, a new security model that takes these new realities into account must be put in place.

    TRACK 1 – SETTING THE STAGE

    10:00-10:50 AM | Nick Carr and Matthew Dunwoody | Mandiant
    No Easy Breach: Challenges and Lessons from One of Mandiant's Most Demanding Investigations

    Every IR presents unique challenges. But – when an attacker uses PowerShell, WMI, Kerberos attacks, novel persistence mechanisms, seemingly unlimited C2 infrastructure and half-a-dozen rapidly evolving malware families across a 100k node network to compromise the environment at a rate of 10 systems per day – the cumulative challenges can become overwhelming. This talk will showcase the obstacles overcome during one of the largest and most advanced breaches Mandiant has ever responded to, the novel investigative techniques employed, and the lessons learned that allowed us to help remediate it.

    11:00-11:50 AM | Shawn Loveland | Microsoft
    The Business of Cybercrime

    Just as the PC/computer/mobile device ecosystem has grown over the decades, so has the cybercrime industry, which today is more organized and motivated than at any time in history.  Blackhat cybercrime is a form of malicious online behavior motivated by profit and a predictable ROI.  Treating Blackhat cybercrime as a purely technological problem, makes mitigation difficult, costly, and ineffective.  By understanding the attacker’s Tools, Techniques, Motivations, and Business Models, we can understand how our products, services, and users are, and will be, victimized by Blackhat Cybercriminals.

    TRACK 2 – CUSTOMER IMPACT

    1:00-1:50 PM | Daniel Edwards | Microsoft
    HoneyPots & Deception – What is happening to our Azure customers?

    The theme of the talk this year will be about my experiments in running a honeypot in Azure, what I learned, how the information can be used to improve protection, and a call to action. The PowerPoint is a very basic outline meant to convey the theme of the talk. I just haven’t had a chance to create all the diagrams, but I already have all the data (and continue to collect additional data every day) that I am talking to. The Word document is a sample of the analysis that I will be incorporating.

    2:00-2:50 PM | Alex Weinert and Dana Kaufman | Microsoft
    A Year in the Trenches with Microsoft Identity Protection team

    Between Microsoft account, Microsoft’s consumer system which supports Outlook, Xbox, OneDrive, and more, and Azure Active Directory, which supports virtually all enterprise identity deployments, Microsoft’s Identity team supports more than 2B identities in every market and services over 14B logins every day. The Identity Protection team is responsible for ensuring that access is granted only to account owners, and that those account owners are not fraudsters. In this session, we’ll provide an overview of the protection systems in play, how we see fraudsters adapting to those systems, and industry trends in a world where high-stakes attacks meet high-tech adaptive countermeasures. We’ll punctuate the talk with a few scary stories from the front lines, and our forecast for the future of identity protection.

    3:00-3:50 PM | Jonathan Birch | Microsoft
    Unintended Authentication

    Unintended authentication to untrusted services is a common but largely ignored problem in Windows applications. In this talk, I explain how this type of vulnerability occurs and why its potential and current exploitation create a risk that application developers should work immediately to mitigate. To give reference examples, I discuss two cases where this type of vulnerability occurred and was fixed in Microsoft Office. Finally, I demonstrate how to test for and fix unintended authentication problems and best practices that can be used to prevent them from being introduced into a product.

    4:00-4:50 PM | Matt Graeber | Veris Group
    Windows Management Instrumentation – The Omnipresent Attack and Defense Platform

    A resourceful attacker seeking to maximize his or her compromise/effort ratio will naturally target any omnipresent technology present in a homogeneous environment. Windows Management Instrumentation (WMI) is one such technology that is present and listening on every Windows operating system dating back to Windows 95. WMI is a powerful remote administration technology used to get/set system information, execute commands, and perform actions in response to events. While it is a well-known and heavily used technology by diehard Microsoft sysadmins, attackers (i.e. diehard unintended sysadmins) find such built-in technology enticing, especially those who wish to maintain a minimal footprint in their target environment. In reality, targeted and criminal actors are making heavy use of WMI in the wild and defenders need to be informed of its capabilities both from an offensive and defensive perspective. This talk aims to inform the audience of the basics of WMI, in the wild attacks, theoretical attack scenarios, and how defenders can leverage the WMI eventing system against an attacker.

    Wednesday, January 13th, 2016 | General Audience

    TRACK 1 – DEVELOPMENT

    9:00-9:50 AM | Lee Holmes | Microsoft
    Attackers Hunt Sysadmins. It's time to fight back

    What do the NSA, APT groups, and run-of-the-mill attackers have in common? They. Hunt. Sysadmins. After all, what’s a better way to compromise an entire infrastructure than to target the folks with complete and unconstrained access to it? It’s time to fight back. In this talk, we introduce PowerShell Just Enough Administration, a powerful platform capability that lets you add role-based access controls to your existing PowerShell-based remote management infrastructure.

    10:00-10:50 AM | Laura Bell | SafeStack
    Protecting our people (The Awkward Border)

    People are problematic when it comes to security. We all know and laugh about the ease with which we can lie, cheat and steal from those around us whilst stubbornly refusing to admit that the same scams would probably work on us too. A culture of fear and negative consequences spanning decades has given us a workforce that is not only scared of being attacked, but scared of saying something if they see a threat or do something wrong.

    So how do we change this? Can we enable, empower and engage _all_ of our people to protect themselves and those around them? More importantly can we do this without destroying privacy or putting those people at risk? This isn't a sales pitch. This isn't a miracle cure. This is the story of trying to protect our people and the difficult road to achieving this.

    11:00-11:25 AM | Shawn Hernan | Microsoft
    Factor-and-a-half Authentication

    Many traditional techniques for protecting the stored representation of passwords derive their security by making the password verification operation expensive. For example, a server may hash a password many times as a way to slow down brute-force attacks against an offline copy of the password database. In such a scheme, acceptable password security may result in unacceptably poor login-time performance. Memory-intensive functions like scrypt may not scale well on a server that has to support a large number of simultaneous login attempts. Multi-factor authentication schemes provide protection against many of the common problems that plague reusable passwords. Unfortunately, adoption rates for MFA are low in general, and many of the systems are expensive or suffer from usability issues. This talk proposes an authentication system, “factor-and-a-half authentication,” to address some of these problems. Factor-and-a-half authentication consists of “something you know” and “something you create,” along with initial setup and verification protocols and policy management between clients and server.

    11:30-11:55 AM | Scott Longheyer | Microsoft
    Network Defense – Isolation Enforcement

    Some things are meant to be shared, some are not. From dedicated to software-defined networks, we discuss modern solutions to enforce network isolation in extremely dynamic, often exposed, single or multi-tenant hosting environments. The tools are getting better, let’s wield them. Network certifications are not required to attend.

    TRACK 2 – PIVOTING TO HELP CUSTOMERS

    1:00-1:50 PM | Amit Hilbuch | Microsoft
    Early Detection of Fraud Storms in the Cloud

    Cloud computing resources are sometimes hijacked for fraudulent use. While some fraudulent use manifests as a small-scale resource consumption, a more serious type of fraud is that of fraud storms, which are events of large-scale fraudulent use. These events begin when fraudulent users discover new vulnerabilities in the sign up process, which they then exploit in mass. The ability to perform early detection of these storms is a critical component of any cloud-based public computing system.

    In this work we analyze telemetry data from Microsoft Azure to detect fraud storms and raise early alerts on sudden increases in fraudulent use. The use of machine learning approaches to identify such anomalous events involves two inherent challenges: the scarcity of these events, and at the same time, the high frequency of anomalous events in cloud systems. We compare the performance of a supervised approach to the one achieved by an unsupervised, multivariate anomaly detection framework. We further evaluate the system performance taking into account practical considerations of robustness in the presence of missing values, and minimization of the model’s data collection period. This work describes the system, as well as the underlying machine learning algorithms applied. A beta version of the system is deployed and used to continuously control fraud levels in Azure.

    2:00-2:50 PM | Christiaan Beek | Intel Security
    There’s A Pot of Gold at The End of the Ransomware Rainbow

    Ransomware is one of the threats we have seen rising over the past few years, with a huge resurfacing in 2014. Mostly the Windows platform, but also Linux, mobile and OS X operating systems, are being targeted by these campaigns. In this presentation, we will start with an overview of the different crypto-ransomware families we have seen in the past couple of years, combined with some of the technical developments in the industry that helped make this business model very lucrative. We continue with some examples of in-depth analysis of behavior patterns we discovered in certain families that helped us identify and classify them. Besides the malware itself, we will highlight some insights into how the actors generally operate, the infrastructure they build up, the financial infrastructure, the profits, and connections with other cybercrime operations.

    3:00-3:50 PM | Jasika Bawa, Costas Boulis, and Roman Porter | Microsoft
    Advancing SmartScreen To Disrupt The Exploit Kit Economy

    Microsoft SmartScreen integrated with Internet Explorer, Microsoft Edge, and Windows, has helped protect users from socially engineered attacks such as phishing and malware downloads since the release of Internet Explorer 7. Over time, SmartScreen reputation checks on URLs and SmartScreen Application Reputation protection in the browser and in Windows have significantly changed the socially engineered attack landscape, leaving such attacks at historic lows. However, attackers have continued to adapt—enter Exploit Kits (EKs), one of the fastest growing threats online.

    EKs often originate on trusted websites and target vulnerabilities in software used by our customers every day. Moreover, EK-based attacks do not require any user interaction—there's nothing to click, nothing to download—and infection is invisible. Approximately two-thirds of new malware is now being delivered by EKs, hardly surprising given that a single EK on a popular site can infect thousands of people in less than an hour. The recently analyzed Angler EK, for instance, was found to target almost 90,000 innocent victims each day, earning cyber criminals potentially more than $30 million annually and further proving the EK space to be an extremely financially lucrative one. But all isn't lost! Starting with the November release of Windows 10, Microsoft SmartScreen will begin protecting users from EK attacks in Internet Explorer and Microsoft Edge. In this talk, we will discuss the growing EK landscape, how it is impacting our customers, and how, with new synchronous blocks for EKs, SmartScreen once again aims to continue increasing the cost of exploitation for attackers.

    4:00-4:50 PM | Mark Novak and Dave Probert | Microsoft
    Virtual Secure Mode and Shielded Virtual Machines

    Virtual Secure Mode is a new virtualization-assisted security technology that made its debut in Windows 10.  This talk will describe the fascinating security properties of VSM as well as cover the two new technologies that were built with its help: shielded virtual machines and Credential Guard. Microsoft developers interested in utilizing VSM in their projects should talk to folks in the WDG.

    Wednesday, January 13th, 2016 | General Audience

    TRACK 3 – PROTECT & DEFEND

    9:00-9:50 AM | Nils Sommer | Bytegeist
    Windows Kernel Fuzzing

    Attackers often rely on Windows kernel vulnerabilities to break out of application sandboxes and escalate privileges. To rapidly identify such vulnerabilities, we adapted techniques from browser fuzzing to assess the kernel and have reported a number of critical issues to Microsoft. All aspects of the fuzzer, from test case generation to testcase minimisation are highly distributed and it produces high quality testcases for reproduction. This talk will discuss our approach for fuzz testing the Windows kernel, from assessing the kernel's attack surface and effective test case generation, to the design and architecture of a highly distributed fuzzer that scales to many hundreds of CPU cores.

    10:00-10:50 AM | Leigh Honeywell and Ari Rubinstein | Slack
    Secure Development for Snake People: New Ideas for the Next Generation

    Startups hear the word “process” and freak out – shipping code every day isn’t optional. What if you could build a secure development process that accelerated development, instead of slowing it down? At Slack, we have – allowing our small team to distribute security work to developers, and building up their security skills from intern to senior engineer. We’ll talk through the tools and processes we built – a flexible, open source framework including a lightweight self-service assessment tool, a checklist generator, and most importantly a chat-based process. Together, these encourage security thinking in the tools developers already spend their time in – allowing us to effortlessly document people’s thought processes around risk. By empowering developers to think about security themselves and incorporate secure practices into their own teams and workflows, we’ve defeated the fear of the checkbox and replaced it with new tooling and process that teams actually want to work with.

    11:00-11:25 AM | Jason Shirk | Microsoft
    Microsoft Bounty Program: Making it to the MSRC Top 100

    Microsoft has been working with security researchers for a long time as part of a robust security regimen, which we continue to value and drive passionately. Bug bounties are an increasingly important part of the vulnerability research and defense ecosystem. We believe that bounties will continue to evolve over time, and will be regularly managing the Microsoft Bounty Programs. In this talk Jason will be talking about what we've seen to date, what we've learned, and diving more deeply into the data behind running the Bug Bounty Programs at Microsoft.

    11:30-11:55 AM | Eugene Bobukh | Microsoft
    Transcending Threat Modeling Limitations

    Threat Modeling as we know it today has inherent scalability limitations. It can be shown that its computational complexity is O(N^2) with respect to the number of elements modeled. In everyday practice that places an upper limit for human driven threat modeling at approximately 20 elements. However, contemporary software is significantly more complex, consisting of thousands of logical components. What options are available to transcend that limitation? In this talk we shall explore some experimental approaches for scalable threat modeling.

    TRACK 4 – EXPLOITS/ATTACKS

    1:00-1:50 PM | Anna Chung | Uber
    The Glocalization of the Underground Market

    Starting with a general introduction to the Chinese-speaking cybercrime underground market, this presentation discusses how international hacking tools and compromised data are being used by financially motivated criminals, and what adjustments were made in order to localize the business model. The talk will use cybercrime activities targeting the Japanese online banking system, and possibly the spread of web-based DDoS tools, to explain the glocalization status of the Chinese underground economy.

    2:00-2:50 PM | Nicolas Joly | Microsoft
    PWNING A WINDOWS PHONE

    Although Windows has a long history of vulnerabilities and exploit techniques, Windows Phone OS has proven to be much harder to exploit than its cousin. Low market share, little public research, a high focus on iOS and Android, but also strong security policies made that target highly resistant to massive pwnage. But as often happens with exploits, a good vulnerability such as a write-what-where condition is usually enough to defeat all mitigations in place. Based on research conducted for Mobile Pwn2Own 2014, this talk will depict the road taken to get a working exploit for Internet Explorer Mobile running on WP 8.1.

    3:00-3:50 PM | Kostya Kortchinsky | Google
    VMware Workstation Escape: the Virtual Printer Case

    VM Escapes, or how to execute code on the Host OS from a Guest. While they are not a new concept, they are increasingly attractive as virtualization expands, in the datacenters and elsewhere.
    This presentation, focusing on VMware Workstation, will demonstrate how arbitrary code execution in the Host was achieved from the Guest through memory corruption vulnerabilities in VMware Workstation Printer Virtualization.
    I will cover the virtual printer protocol, how to fuzz it, the vulnerabilities uncovered (through fuzzing and reading the assembly code), and finally walk through a fully working exploit for Workstation 11.1.0 on a Windows 8.1 Host.

    4:00-4:50 PM | Matt Miller and David Weston | Microsoft
    The Cutting Edge of Web Browser Exploitation

    Web browsers are the primary portal to the Internet for most people and it is no surprise that they continue to be one of the most preferred infection vectors for targeted and large scale attacks in-the-wild. Over the past few years, Microsoft has observed some significant changes in the trends related to how browser-based vulnerabilities are discovered and exploited in practice. In this presentation, we will explore these trends and dig into the technical details of how browser-based vulnerability exploitation has changed over the past 15 years. We will show how Microsoft has responded to these changes in the threat landscape by showcasing some of the major security investments that have been made in Windows, Internet Explorer, and the Microsoft Edge browser. We will provide an objective assessment of the impact that these investments have had thus far and explain how these hardening measures, particularly in the Microsoft Edge browser, have significantly affected the playbook that attackers have developed for exploiting browser-based vulnerabilities.

    PLEASE NOTE: This schedule may be subject to change, but we will endeavor to keep the final schedule as close as possible to what appears here.


    BlueHat v15 End-of Event Survey Give-Away Rules

    At the end of each conference day, please ensure you complete the End-of-Event survey located at:  

    As part of the Microsoft BlueHat v15 Conference, Microsoft will conduct a give-away of the prizes described in the prizes section below. A reconciliation of attendees and end-of-event survey completions will occur to determine eligible participants. Any duplicates will be removed, as only one entry per person is allowed. A random drawing by a disinterested party will occur based on the list of eligible personnel who have submitted their end-of-event surveys by midnight on 1/18/2016. All decisions regarding winners by the event organizers are final.

    Prizes: As part of the BlueHat Conference, Microsoft will select one individual to receive a Microsoft Xbox One valued at $399 and 10 individuals to receive a Starbucks gift card valued at $10 each.

    Eligibility: The give-away is open to all the BlueHat v15 attendees (to External attendees, Microsoft FTEs and Interns, and Contingent Staff) who attend the conference either in person or via Live Streaming, and COMPLETE the End of Event Surveys. Personnel who are unable to attend due to technical issues, geography, or other events that prohibit attendance are not eligible. Additionally, personnel who view only the On Demand videos after the event and event organizers are not eligible.

    Any questions regarding this give-away should be sent to bluehat@microsoft.com.

    BlueHat v15 Give-Away Winners

    Microsoft Xbox One Winner

    Christian Kuhtz

    $10 Starbucks Gift Card Winners

    Rich Eicher
    Nate Warfield
    Marius Bunescu
    Max Poliashenko
    John Bambenek
    Roman Golovin
    Samuel Jenkins
    Neil Coles
    Chris Kaler
    Angie Wilson

    BlueHat v15 Full Agenda_Jan12-13.pdf

    Microsoft Security Intelligence Report: Strontium
    https://blogs.technet.microsoft.com/mmpc/2015/11/16/microsoft-security-intelligence-report-strontium/
    Mon, 16 Nov 2015 22:02:15 +0000

    The Microsoft Security Intelligence Report (SIR) provides a regular snapshot of the current threat landscape, using data from more than 600 million computers worldwide.

    The latest report (SIRv19) was released this week and includes a detailed analysis of the actor group STRONTIUM – a group that uses zero-day exploits to collect the sensitive information of high-value targets in government and political organizations.

    Since 2007, the group has targeted:

    • Government bodies
    • Diplomatic institutions
    • Military forces and installations
    • Journalists
    • Political advisors and organizations

    Attack vectors: How they manage to get in

    A STRONTIUM actor attack usually has two components:

    1. A spear phishing attempt that targets specific individuals within an organization. This phishing attempt is used to gather information about potential high-value targets and steal their login credentials.
    2. A second phase that attempts to download malware using software vulnerabilities to further infect the target computers and spread through networks.

    Spear phishing

    We estimate the STRONTIUM actor targeted several thousand people with spear phishing attacks during the first half of 2015. The goal of the spam email attack is to get a list of high-value individuals with access to sensitive information.

    The phishing email usually attempts to trick the target into believing there has been an unauthorized user accessing their account, as shown in Figure 1:

    STRONTIUM phishing email

    Figure 1: Example of a STRONTIUM phishing email

    The email includes a link to a website under the attacker’s control that prompts the victim to change their password. If the attack is successful, the stolen credentials can be used to access the victim’s email account.

    Visiting the malicious website can also send sensitive information to the attacker, even when no credentials are entered. The sensitive information can include details of the victim’s PC, including its IP address, browser and operating system versions, and any browser add-ons installed. This information can be used to target the individual with software exploits.
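The lure described above (a claim that an unauthorized user accessed the account, plus a link to a password-reset page the attacker controls) can be triaged mechanically on the mail gateway or in the SOC. The following is an added example, not code from the Microsoft post: it scores a message on two indicators, lure wording and links whose registrable domain differs from the sender's. The two messages and every domain in them are constructed placeholders.

```python
"""Heuristic triage for "unauthorized access, change your password" lures.

Added example, not code from the Microsoft post. The two messages are
constructed; every domain in them is a placeholder.
"""
import email
import email.utils
import re
from urllib.parse import urlparse

# Wording typical of the "someone accessed your account, change your password" lure.
LURE_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"unauthori[sz]ed (?:access|user|sign[- ]?in)",
        r"(?:change|reset|verify) your password",
        r"suspicious (?:activity|login)",
    )
]
HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def registrable_domain(host):
    """Crude registrable-domain cut (last two labels); good enough for the demo."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def triage(raw_message):
    """Score one RFC 822 message and return the indicators that fired."""
    msg = email.message_from_string(raw_message)
    _, sender = email.utils.parseaddr(msg.get("From", ""))
    sender_dom = registrable_domain(sender.rsplit("@", 1)[-1])
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    text = msg.get("Subject", "") + "\n" + body

    lures = [p.pattern for p in LURE_PATTERNS if p.search(text)]
    # Links whose registrable domain differs from the sender's: the reset page
    # sits on attacker infrastructure while the mail claims to be the provider.
    foreign_hosts = sorted(
        {h for h in (urlparse(u).hostname or "" for u in HREF_RE.findall(body))
         if h and registrable_domain(h) != sender_dom}
    )
    score = len(lures) + (2 if foreign_hosts else 0)
    if lures and foreign_hosts:
        verdict = "suspicious"
    elif score:
        verdict = "review"
    else:
        verdict = "clean"
    return {
        "sender_domain": sender_dom,
        "lures": lures,
        "foreign_link_hosts": foreign_hosts,
        "score": score,
        "verdict": verdict,
    }


# Constructed samples (placeholder domains), not real messages.
PHISH = """\
From: "Mail Security" <security@webmail-alerts.example>
To: target@victim.example
Subject: Unauthorized access to your account
Content-Type: text/html

<p>We detected an unauthorized user accessing your account.
Please <a href="http://login.webmail-secure.example/reset">change your password</a> now.</p>
"""

LEGIT = """\
From: IT Helpdesk <helpdesk@victim.example>
To: target@victim.example
Subject: Reminder: quarterly training
Content-Type: text/html

<p>The portal is at <a href="https://training.victim.example/">training.victim.example</a>.</p>
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, triage(raw))
```

The domain comparison is deliberately crude (last two labels); a production version would use the public suffix list and also check the display text of each link against its href, since lures often show the provider's real hostname as link text.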

    Malware downloads

    The second phase of a STRONTIUM actor attack is to install malware on the compromised machine in an attempt to gain access to other machines on the network.

    Usually, the malware is installed through a malicious link in an email. However, we have also seen social networks used to spread malicious links. The highly targeted emails use current events, such as an upcoming conference, to entice the victim to click a link for “additional information”. The email is sent from well-known email providers, using sender names that are designed to look credible, as shown in Figure 2.

    STRONTIUM targeted email

    Figure 2: Example of a STRONTIUM targeted email with malicious links

    When the link is clicked, a drive-by-download attack is launched using software vulnerabilities. The attacks often use zero-day exploits that target vulnerabilities for which the affected software vendor has not yet released a security update.

    If the attack is successful the attacker tries to compromise other machines within the targeted organization to gather more sensitive information.

    See the Microsoft Security Intelligence Report (SIRv19) for more technical details on the methods used by STRONTIUM.

    Preventing attacks

    You can reduce the likelihood of a successful compromise in a number of ways. Use an up-to-date real-time security product, such as Windows Defender for Windows 10.

    In an enterprise environment you should also:

    • Keep all your software up-to-date and deploy security updates as soon as possible
    • Enforce segregation of privileges on user accounts and apply all possible safety measures to protect administrator accounts from compromise
    • Conduct enterprise software security awareness training, and build awareness about malware infection prevention
    • Institute multi-factor authentication

    The Microsoft Security Intelligence Report (SIRv19) has more advice and detailed analysis of STRONTIUM, as well as other information about malware and unwanted software.

    The Microsoft Malware Protection Center’s November Threat Intelligence Report also includes detailed information, resources, and advice to mitigate the risk of advanced persistent threats (APTs).

    Windows Defender: Rise of the machine (learning)
    https://blogs.technet.microsoft.com/mmpc/2015/11/16/windows-defender-rise-of-the-machine-learning/
    Mon, 16 Nov 2015 18:00:00 +0000

    Windows Defender harnesses the power of machine learning, contributing to making Windows 10 Microsoft’s most secure client operating system and providing increased protection against security threats facing consumers and commercial enterprises today.

    To reduce the number of both false negative and false positive detections our automation pipeline uses a variety of tools and technologies to process malware and unwanted software. These include:

    • Machine learning
    • Clustering
    • Cosmos
    • Azure and Cloud

    The automation process

    As seen in the diagram below, our automation typically takes a first pass at detecting malware as it is first encountered.

    This adds another layer of protection to the manual work our security researchers do to write better generic detection signatures and clean-up routines, produce malware eradication strategies, and identify control points to take malware down.

    Automated malware analysis

    Figure 1: Automation is the first part of malware analysis. Note: Stacked objects may run in parallel with each other

    Once a suspicious file is extracted and run within a virtual environment, or the features/attributes of a file are received, we use automation to sort the sample into one of the following classes:

    • Clean
    • Malware
    • Virus
    • Unwanted Software

    Each of the classes above routes to a specific output. For example, once we identify a file as malware, we ship protection for it to our cloud engine. This also means customers who have the Microsoft Active Protection Service (MAPS) turned on, enjoy the benefits of being better protected against the latest threats.

    Malware, viruses, and unwanted software can be mutated, packed, and obfuscated in a bid to evade detection. This requires targeted, and at times complex, detection signatures. Our automation can suggest or release the best type of generic signature for a certain file or cluster of files. The metrics attached to an automated signature are then automatically analyzed and various decisions can be made as to whether the signature is released or flagged for a researcher to manually analyze.

    Classifying malware families

    Our automation system can also classify a sample within the malware family to which it is most similar. If the system can’t confidently identify the real malware family, it assigns it a generic, synthetic family name. The prevalent family names for automation-classified malware are:

    Individual threats within these families usually follow the format:

    • Trojan:Win32/<family name>

    The graph below shows an example of our synthetic families and their respective encounters in the past six months.

    Encounters graph May – November 2015

    Figure 2: Synthetic family encounters May – November 2015
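The family step described above has two parts: assign a sample to the most similar known family when the match is confident, otherwise fall back to a generic, synthetic name, and let clustering group the unknowns so one generic signature can cover each cluster. The block below is an added example, not Microsoft's automation: reference profiles and samples are constructed (imported API names stand in for whatever features a real pipeline extracts), "FamilyA", "FamilyB" and the "Synthetic" stem are placeholders, and only the Trojan:Win32/<family name> format comes from the post.

```python
"""Nearest-family assignment with a synthetic fallback, plus greedy clustering
of the unknowns.

Added example, not Microsoft's automation. Profiles and samples are
constructed; "FamilyA"/"FamilyB" and the "Synthetic" prefix are placeholders.
"""

# Constructed reference profiles: family -> features seen in its known samples.
KNOWN_FAMILIES = {
    "FamilyA": {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx", "InternetOpenUrlA"},
    "FamilyB": {"CryptEncrypt", "FindFirstFileW", "DeleteFileW", "MoveFileW", "InternetOpenUrlA"},
}
CONFIDENCE = 0.6                # minimum similarity to accept a known family
SYNTHETIC_PREFIX = "Synthetic"  # placeholder stem for automation-assigned names


def jaccard(a, b):
    """Similarity of two feature sets: |A & B| / |A | B|."""
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if (a or b) else 0.0


def classify_family(features, families=KNOWN_FAMILIES, threshold=CONFIDENCE):
    """Return (detection name, best similarity). Below the threshold the sample
    gets the generic synthetic name instead of a guessed real family."""
    best_name, best_score = None, 0.0
    for name, profile in families.items():
        score = jaccard(features, profile)
        if score > best_score:
            best_name, best_score = name, score
    if best_score >= threshold:
        return f"Trojan:Win32/{best_name}", best_score
    return f"Trojan:Win32/{SYNTHETIC_PREFIX}", best_score


def cluster_unknowns(samples, threshold=CONFIDENCE):
    """Greedy single-pass clustering of samples that got the synthetic name:
    a sample joins the first cluster whose seed is at least `threshold`
    similar, otherwise it seeds a new cluster. Each cluster becomes its own
    numbered synthetic family so one generic signature can cover it."""
    clusters = []  # [(seed feature set, [sample ids])]
    for sample_id, feats in samples:
        for seed, members in clusters:
            if jaccard(feats, seed) >= threshold:
                members.append(sample_id)
                break
        else:
            clusters.append((set(feats), [sample_id]))
    return {
        f"Trojan:Win32/{SYNTHETIC_PREFIX}{i}": members
        for i, (_, members) in enumerate(clusters, start=1)
    }


# Constructed samples.
SAMPLE_KNOWN = {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx"}
SAMPLE_UNKNOWN = {"CryptEncrypt", "FindFirstFileW", "RegSetValueExW", "WSAStartup"}
UNKNOWN_BATCH = [
    ("s1", {"a", "b", "c"}),
    ("s2", {"a", "b", "c", "d"}),
    ("s3", {"x", "y"}),
    ("s4", {"x", "y", "z"}),
]

if __name__ == "__main__":
    print(classify_family(SAMPLE_KNOWN))    # ('Trojan:Win32/FamilyA', 0.75)
    print(classify_family(SAMPLE_UNKNOWN))  # synthetic name, similarity 2/7
    print(cluster_unknowns(UNKNOWN_BATCH))
```

The threshold is the lever that trades false family attributions against the number of synthetic names; a real pipeline would tune it from labelled data and would use a far richer feature space than a set of API names.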

    Using automation helps us detect and remove malware and unwanted software faster and better protect our customers.

    To ensure you are getting the latest protection, keep your real-time security software, such as Windows Defender for Windows 10 up-to-date.

    Enable the Microsoft Active Protection Service (MAPS). MAPS uses cloud protection to help guard against the latest malware threats. It’s turned on by default for Microsoft Security Essentials and Windows Defender.

    MSRT November 2015: Detection updates
    https://blogs.technet.microsoft.com/mmpc/2015/11/09/msrt-november-2015-detection-updates/
    Tue, 10 Nov 2015 09:02:00 +0000

    The Microsoft Malicious Software Removal Tool (MSRT) is updated monthly with new malware detections – so far this year we have added 29 malware families. This month we are updating our detections for some of the malware families already included in the tool.

    We choose the malware families we add to the MSRT each month using several criteria. One of the most common reasons is the prevalence of a family in the malware ecosystem. For example, in recent months we focused on file-encrypting ransomware threats. This is due to prevalence and the impact that ransomware can have in enterprise and home user environments. Since January, we added the following ransomware families to the MSRT:

    The MSRT has remediated these threats on almost 24,000 machines.

    Reviewing our data throughout the year helps us determine the impact of our detection and remediation efforts. Analyzing our telemetry helps us to provide coverage for the most prevalent threats encountered by our customers.

    The MSRT works in tandem with real-time antimalware products such as Windows Defender for Windows 10. An up-to-date real-time security product is the best protection against malware and unwanted software. It’s also important to keep all your software up-to date and regularly back up your files.

    EMET: To be, or not to be, A Server-Based Protection Mechanism
    https://blogs.technet.microsoft.com/srd/2015/10/20/emet-to-be-or-not-to-be-a-server-based-protection-mechanism/
    Tue, 20 Oct 2015 15:27:00 +0000

    Hi Folks – Platforms PFE Dan Cuomo here to discuss a common question seen in the field:

    “My customer is deploying EMET and would like to know if it is supported on Server Operating Systems.”

    On the surface there is a simple answer to this question, however with a little poking, a little prodding, the question quickly becomes:

    “Does EMET protect Server workloads?”

    This is a more complicated question that usually incurs some email-based eye-rolling when we tell them, like most questions, “It depends.”  They really didn’t mean to ask that question either and so after some more poking, and some more prodding, a number of different questions are uncovered, all of which require a little more analysis than the typical “YES” or “NO” question.  So in the next few paragraphs we’ll discuss the reasons for this question, and how to have this conversation with decision makers in the organization.

    Is EMET Supported on Server Operating Systems?

    The simple answer to the server support question is an emphatic “YES!”  As you can see in the EMET support article (summary below), EMET 5.2 can be installed on most currently supported operating systems (as of the writing of this article) and their derivatives.  For example, the Client OS’ 7, 8, and 8.1 are all supported as are the Server OS’ 2008, 2008 R2, 2012, and 2012 R2. (Note that EMET 5.5 Beta provides support for Windows 10)

    Operating System (min supported) – EMET 5.2

    • Windows 10
    • Windows 8.1
    • Windows 8
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows 7 Service Pack 1
    • Windows Server 2008 R2 Service Pack 1
    • Windows Server 2008 Service Pack 2
    • Windows Vista Service Pack 2

    [Short and Sweet]:

    Q: Is EMET Supported on server Operating Systems?

    A: Yes, EMET is supported on currently supported server Operating Systems

    Can EMET Protect My Legacy Server Operating Systems?

    One reason customers consider deploying EMET is to protect their legacy systems such as Windows XP (EoL: April 8th, 2014) and Server 2003 (EoL: July 14th 2015).  Many customers may still be wondering if they really need to migrate or even how to get started.  This link and the TechEd video It’s the End of the World As You Know It…Windows Server 2003 End of Life will give you a bunch of great information.  If you want the CliffsNotes: yes, you REALLY need to migrate; one thing you won’t find on this page is a link to download EMET.

    You may be wondering if you can avoid migrating a legacy system to a newer, supported operating system if you install EMET.  The absence of EMET from the prior links as well as this video should make it abundantly clear that the answer is “NO.”  You still need to migrate off of the legacy operating systems.  In addition, once a server operating system goes out of support, EMET is no longer supported on that platform.  For example, now that we’ve passed July 14th, any remaining 2003 systems in your enterprise are no longer supported.  Likewise, the EMET application on those systems is also unsupported.

    EMET primarily mitigates user-mode application exploits that target applications like Microsoft Office, Internet Explorer, and Adobe Acrobat.  As such, it may provide some additional protection while you’re migrating, however it will not protect you against all exploits targeted at this legacy platform and it is certainly not a long-term “silver-bullet” to enterprise security.  Your safest course of action is to upgrade those legacy systems to a newer, supported operating system.

    Note: Having just read the last sentence, many of you are currently misinterpreting what I said as proof that you don’t really need to upgrade if you have a mission critical application that only runs on a legacy OS.  STOP IT!!!

    All joking aside, I will tell you that nearly every customer I have encountered thinks they’re the exception to the rule.  In reality, there are few actual exceptions.  If you don’t know what to do or how to get started, I implore you to contact us to see how we can help you.

    [Short and Sweet]:

    Q: Will EMET protect your legacy operating system?

    A: Nope.  While EMET could mitigate some potential vulnerabilities on a legacy system, it should not be considered a long-term alternative to migrating to a support OS.

    What should I protect with EMET?

    OK, let’s recap.  We now know EMET can be installed on supported server operating systems.  In addition, it can provide some level of protection while you’re migrating off a legacy OS.  But what applications should you configure EMET to protect in these environments?

    When considering an application protection strategy, keep in mind that “agents” are most likely already sprawling throughout your enterprise, consuming valuable system resources.  I’ve regularly heard customers say, “Not another agent!?”  With this in mind, focus on a risk-management based approach.  This would include applications that are:

    1) Most likely to be exploited

    2) Consuming content from external or untrusted sources

    Most likely to be exploited:

    In addition to being the least desirable high school yearbook award, this category describes applications that are highly targeted by attackers.  This often boils down to the widespread use of an application.  Protecting applications that attackers believe yield a high reward (for example, those that affect many people) should be considered essential.

    An example of this would be Microsoft Word or Adobe Acrobat.  Both of these applications have a large user base.  An attacker would know that if successful, the exploit would affect many customers.  In contrast, an exploit that targets a “home-grown” LOB application would yield a low reward.

    Applications consuming content from external or untrusted sources

    This category describes applications that consume or access content from an external or untrusted source such as the internet.  For example, both Microsoft Word and Adobe Acrobat handle “untrusted” content when a user downloads and opens *.docx or *.pdf from the internet.  However, opening *.docx or *.pdf from an intranet SharePoint site is of low risk.  Another example would be any web browser that has access to the internet.

    When you first configure EMET you’re greeted with the wizard shown below:

    If you select the option to “Use Recommended Settings” (shown above), you are, among other things, configuring EMET to use the “Recommended Software.xml” protection profile included with the installer.  The included applications (shown below) are recommended by the EMET Product Group and have gone through testing to verify that, by-and-large, the mitigations selected will reduce the number of false-positives and incompatibilities incurred with EMET.

    Note: False-positives and incompatibilities are likely to occur as many applications make use of the exact behavior that the mitigations intend to block.  Please review EMET mitigation guidelines for a list of known application mitigation compatibility issues. 

    Please also review Kurt Falde’s article on Troubleshooting an EMET Mitigation Application Crash for information on what to do when you find an incompatible application mitigation.

    It is imperative to thoroughly test your configuration making sure that the pilot contains a good representation of target systems.  For example, make sure to include all necessary plug-ins or add-ins to applications that will be encountered in the enterprise for both client and server operating systems.

    The included protection profiles are a great, low-risk way to get started.  These profiles contain the “low-hanging fruit” and provide the biggest gains.  The applications included in the recommended software protection profile (shown below) cover a range of popular applications and those that consume external or untrusted content.

    The popular protection profile is a superset of the recommended protection profile.  It adds a number of additional applications that fit the same bill.  Once you’ve tested the applications in the recommended list, test the applications in the popular list against a group of machines that are representative of your target environment.

    [Short and Sweet]:

    Q: What should you protect with EMET?

    A: Stick to the applications in the recommended and popular protection profiles.  These include applications that have been tested, are widespread, and may handle external or untrusted content.

    What about generic Microsoft processes?

    Nope.  Technically speaking, you can ask EMET to protect any application that runs on a system.  However, keep in mind that these additional applications have not been tested and may not behave as expected.  We specifically call this out in the EMET mitigations guidelines, “System and network services are also out-of-scope for EMET. Although it is technically possible to protect these services by using EMET, we do not advise you to do this.”

    This includes servers that you really care about, like domain controllers.  Between you and me, if you’re thinking about protecting LSASS.EXE or MSExchangeIS.exe, this is what we in “the biz” call an “RGE” (resume generating event).  Put down the mouse and step away slowly…

    [Short and Sweet]:

    Q: What about generic Microsoft processes?

    A: Nope, stick to the applications in the recommended and popular profile lists.
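The guidance in the last two sections (stick to the tested protection profiles; never point EMET at system or network services such as LSASS.EXE or MSExchangeIS.exe) is easy to check before a profile goes out through GPO or Configuration Manager. The block below is an added example, not EMET's own tooling: it audits a protection profile for out-of-scope service binaries and emits a cleaned copy. The XML is a constructed, simplified stand-in (App elements with Path and Name attributes and Mitigation children), not the real EMET schema, and the service list is an assumption built from the two binaries named in this post plus a few core Windows service processes.

```python
"""Audit an EMET-style application protection profile for out-of-scope entries.

Added example, not EMET's own tooling. The XML is a constructed, simplified
stand-in, not the real EMET schema. OUT_OF_SCOPE is an assumed list.
"""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Service binaries that should never appear in a profile (assumed list).
OUT_OF_SCOPE = {
    "lsass.exe", "msexchangeis.exe",                             # named in the post
    "services.exe", "svchost.exe", "wininit.exe", "csrss.exe",  # assumed additions
}

# Constructed profile: two recommended-style apps plus one bad entry.
PROFILE = """<Profile>
  <Apps>
    <App Path="*\\Microsoft Office\\Office1*\\WINWORD.EXE" Name="Word">
      <Mitigation Name="DEP" Enabled="true"/>
      <Mitigation Name="EAF" Enabled="true"/>
    </App>
    <App Path="*\\Adobe\\Acrobat*\\Acrobat.exe" Name="Acrobat">
      <Mitigation Name="DEP" Enabled="true"/>
      <Mitigation Name="SEHOP" Enabled="false"/>
    </App>
    <App Path="C:\\Windows\\System32\\lsass.exe" Name="LSASS">
      <Mitigation Name="DEP" Enabled="true"/>
    </App>
  </Apps>
</Profile>
"""


def binary_name(path):
    """Last path component, lower-cased, so wildcard directories don't matter."""
    return PureWindowsPath(path).name.lower()


def audit_profile(xml_text, out_of_scope=OUT_OF_SCOPE):
    """Split App entries into in-scope and out-of-scope, with enabled mitigations."""
    root = ET.fromstring(xml_text)
    result = {"in_scope": [], "out_of_scope": []}
    for app in root.iter("App"):
        name = binary_name(app.get("Path", ""))
        enabled = [m.get("Name") for m in app.findall("Mitigation")
                   if m.get("Enabled", "").lower() == "true"]
        entry = {"name": app.get("Name"), "binary": name, "mitigations": enabled}
        bucket = "out_of_scope" if name in out_of_scope else "in_scope"
        result[bucket].append(entry)
    return result


def strip_out_of_scope(xml_text, out_of_scope=OUT_OF_SCOPE):
    """Return the profile with out-of-scope App entries removed."""
    root = ET.fromstring(xml_text)
    apps = root.find("Apps")
    for app in list(apps):
        if binary_name(app.get("Path", "")) in out_of_scope:
            apps.remove(app)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    report = audit_profile(PROFILE)
    for entry in report["out_of_scope"]:
        print("REMOVE:", entry)
    print(strip_out_of_scope(PROFILE))
```

Run it as a gate in whatever pipeline publishes the profile; the same check is worth repeating on the exported configuration of pilot machines, since an admin can add processes through the GUI after the baseline ships.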

    What else should I consider?

    Some of you savvy readers out there are probably saying to yourself,

    “Now hold the phone, Dan.  We follow pretty stringent guidelines about what does or does not get installed on servers.  We have enforced rules that prevent the installation of the applications listed in the protection profiles.”

    “In fact, we even make sure that administrative users are unable to reach the internet from servers.  We’re confident that none of the applications you spoke of previously will reach our servers.”

    Before completely discarding EMET, it’s important to note that EMET does provide other capabilities that you may be able to leverage, such as certificate trust pinning.  However, if you can honestly tell me that there is no way that those applications will get installed on your systems and that they can never come in contact with untrusted content, you may not need EMET on your servers.  On a side-note, if you’re looking for a PFE, I know someone who would love to work in an environment like that :)

    It’s to these customers I usually recommend a Microsoft Security Risk Assessment (#ShamelessPlug) or other security assessment that helps make sure that your perception is reality.  Some of the best advice I’ve been given is, “trust, but verify.”

    In contrast, perhaps your team is just too big, or too widespread.  Maybe you don’t have the necessary process, procedure, or technology to eliminate this risk in your server environment.  In cases like these I would advise rolling out EMET to your server infrastructure as well.

    [Short and Sweet]:

    Q: What else should I consider?

    A: Look at your IT team structure.  Review your processes and procedures.  Have a third party look at them.  Verify EMET can’t help you before you decide you don’t need it!

    Summary

    As you have now seen, this seemingly simple question spirals into a complicated one very quickly.  EMET is supported on servers, and can be used to enhance security across a wide range of platforms.  Use the built-in protection profiles as a baseline and thoroughly test your target systems prior to deployment.

    Lastly, if your technology, process, and procedures for server security are foolproof, then feel free to focus your efforts elsewhere.  Otherwise consider EMET part of your IT security “flu-shot.”  Take the time now and roll it out before you have a problem.

    Thanks for reading,

    Dan Cuomo
    Enhanced Mitigation Experience Toolkit (EMET) version 5.5 Beta is now available
    https://blogs.technet.microsoft.com/srd/2015/10/15/enhanced-mitigation-experience-toolkit-emet-version-5-5-beta-is-now-available/
    Thu, 15 Oct 2015 16:13:23 +0000

    The Enhanced Mitigation Experience Toolkit (EMET) benefits enterprises and all computer users by helping to protect against security threats and breaches that can disrupt businesses and daily lives. It does this by anticipating, diverting, terminating, blocking, or otherwise invalidating the most common actions and techniques adversaries might use to compromise a computer. In this way, EMET can help protect your computer systems even from new and undiscovered threats before they are formally addressed by security updates and antimalware software.

    EMET 5.5 Beta release includes new functionality and updates from EMET 5.2, including:

    • Windows 10 compatibility
    • Better configuration of various mitigations via GPO
    • EAF/EAF+ pseudo-mitigation performance improvements
    • Support for Windows 10’s new Untrusted font mitigation
    • Various bug fixes

     

    Benefits of EMET

    Helps raise the bar against attackers. EMET helps protect against new and undiscovered threats even before they are formally addressed through security updates or antimalware software. EMET includes many security mitigations that complement other defense-in-depth security measures, such as Windows Defender and antivirus software. EMET installs with default protection profiles, which are XML files that contain preconfigured settings for common Microsoft and third-party applications.

    Works well for the enterprise. Enterprise IT professionals can easily deploy EMET through Microsoft System Center Configuration Manager and apply Group Policies in Windows Active Directory to comply with enterprise account, user, and role policies. EMET is highly customizable and administrators can choose which applications to protect with each mitigation technique.

    EMET can even provide mitigation protections for legacy enterprise software that cannot easily be rewritten, or where the source code is not available.

    The reporting capabilities in EMET are provided through a component called the EMET Agent, which allows enterprises to create logs and notifications for audit purposes. EMET customer support is available through Microsoft Premier Support Services. For more information on deploying EMET, visit the EMET Knowledge Base Article: KB2458544

    Helps protect in a wide range of scenarios. EMET works for a range of Windows client and server operating systems and is compatible with most commonly used third-party applications, from productivity software to music players. When users browse secure HTTPS sites on the Internet or log on to popular social media sites, EMET can help further protect by validating Secure Sockets Layer (SSL) certificates against a set of administrator-defined rules.

    Security mitigation technologies are designed to make it more difficult for an attacker to exploit vulnerabilities in a given piece of software. EMET enables customers to leverage these security mitigation technologies on their systems and provides several unique benefits:

    No source code needed: EMET enables administrators to apply several of the mitigations built into Windows (such as Data Execution Prevention) to individual applications without recompilation. This is especially useful for deploying mitigations on legacy software that was written before the mitigations were available, or when source code is not available.

    Highly configurable: EMET provides a high degree of granularity by allowing mitigations to be individually applied on a per process basis. There is no need to enable the mitigations on an entire product or suite of applications. This is helpful in situations where a process is not compatible with a particular mitigation technology. When that happens, the administrator can simply turn that mitigation off for that process.

    Helps harden legacy applications: It’s not uncommon to have a hard dependency on old legacy software that cannot easily be rewritten and needs to be phased out slowly. Unfortunately, this can easily pose a security risk as legacy software is notorious for having security vulnerabilities. While the real solution to this is migrating away from the legacy software, EMET can help manage the risk while this is occurring by making it harder for hackers to exploit vulnerabilities in the legacy software.

    Helps verify SSL certificate trust while surfing websites: Given the increase in incidents of Certificate Authorities allowing the creation of fraudulent SSL certificates used to perform man-in-the-middle attacks, EMET offers the possibility to enforce a set of pinning rules that can verify SSL certificates of specified domains against their issuing Root CA (configurable certificate pinning).

    Allows granular plugin ‘deny list’ within applications: Modules and plugins, when loaded into an application, can increase its exposure to vulnerabilities and, consequently, to potential attacks. EMET addresses this by allowing the administrator to create ‘deny lists’ to prevent unwanted modules and plugins from loading within an application.

    Ease of use: The policy for system wide mitigations can be seen and configured with EMET's graphical user interface, the command line tool or via Group Policy. There is no need to locate and decipher registry keys, or run platform dependent utilities. With EMET it is possible to adjust settings with a consistent interface regardless of the underlying platform.

    The toolkit includes several pseudo mitigation technologies aimed at disrupting current exploit techniques. These pseudo mitigations are not robust enough to stop future exploit techniques, but can help prevent systems from being compromised by many of the exploits currently in use. The mitigations are also designed so that they can be easily updated as attackers start using new exploit techniques.

    Mitigations in Windows 10

    One of EMET’s original goals was to be a testbed for mitigations to add to the operating system. With Windows 10 we have implemented many features and mitigations that can make EMET unnecessary on devices running Windows 10. EMET is most useful to help protect down-level systems, legacy applications, and to provide Anti-ROP protection for 3rd party software that may not yet be recompiled using CFG.

    Some of the Windows 10 features that provide equivalent (or better) mitigations than EMET are:

    Device Guard: Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. Device Guard provides hardware-based zero day protection for all software running in kernel mode, thus protecting the device and Device Guard itself from tampering, and app control policies that prevent untrusted software from running on the device.

    Control Flow Guard (CFG): As developers compile new apps, CFG analyzes and discovers every location that any indirect-call instruction can reach.  It builds that knowledge into the binaries (in extra data structures – the ones mentioned in a dumpbin/loadconfig display).  It also injects a check, before every indirect-call in your code, that ensures the target is one of those expected, safe locations.  If that check fails at runtime, the operating system closes the program.

    AppLocker: AppLocker is an application control feature introduced in Windows 7 that helps prevent the execution of unwanted and unknown applications within an organization's network while providing security, operational, and compliance benefits. AppLocker can be used in isolation or in combination with Device Guard to control which apps from trusted publishers are allowed to run.

    For more information on Windows 10 security features please review the Windows 10 Security overview whitepaper on TechNet.

    EMET 5.5 Beta and Edge

    Given the advanced technologies used to protect Microsoft Edge, including industry leading sandboxing, compiler, and memory management techniques, EMET 5.5 mitigations do not apply to Edge.

     

    We welcome feedback via Microsoft Connect.

    Install EMET 5.5 Beta today!

    We want to particularly thank FireEye for partnering with us.

    EMET Team

    Announcing BlueHat v15 Conference
    https://blogs.technet.microsoft.com/bluehat/2015/10/14/announcing-bluehat-v15-conference/
    Wed, 14 Oct 2015 15:33:22 +0000

    We are happy to announce the 15th version of the Microsoft BlueHat Security Conference set for January 12-13, 2016.  The annual security conference brings internal and external speakers to educate and engage Microsoft’s engineering community and their executives.  Work is under way currently to set the schedule for this event.  Attendance at BlueHat is open to Microsoft full time employees, contingent staff, and invited researchers, luminaries, partners, and customers.

    Call for Papers

    The Content Advisory Board invites thought leaders, security experts, and partners to submit original and challenging content for the security conference.  From your research to perspectives and ideas we are looking for content that will engage the engineering focused audience and executives.  We particularly invite submissions that have specific calls to action.  This year we would like to focus content around the following topics:

    • Public, Dedicated, or Hybrid Cloud service security

    • Mobile Application Security

    • Advanced Persistent Threats & Threat Intelligence

    • Mitigation and Sandbox Escapes or Defenses

    • Authentication Technologies

    • Consumer Privacy

    • New Attack Surface Areas

    A limited number of presentation spaces are available and all submissions will be reviewed by the Content Advisory Board on a rolling basis until all talk slots are filled.  We ask that all submissions be presented in abstract form no later than October 31st.  Deadlines for full content will be later in December.  Presentations should target 30 or 60 minute format with no more than three speakers specified.  Some presentations will be selected to present to Microsoft executives in a smaller format in addition to the large format at the event.  Speakers will be informed of their acceptance via email.

    Submit your presentation abstracts to bluehat@microsoft.com to be considered as a potential BlueHat speaker!

    Conference Registration

    Attendance at BlueHat v15 Conference is by invitation only. All invited attendees will receive an email with registration link and conference agenda in November.

    MSRT October 2015: Tescrypt
    https://blogs.technet.microsoft.com/mmpc/2015/10/12/msrt-october-2015-tescrypt/
    Tue, 13 Oct 2015 09:00:00 +0000

    October’s Microsoft Malicious Software Removal Tool (MSRT) includes detection and remediation for the following families:

    This blog focuses on the ransomware family Tescrypt.

    Tescrypt started showing up early in 2015 and, like most of its file-encrypting predecessors, it does what most typical ransomware does:

    1. Searches for specific file types on the infected machine (see our encyclopedia description for a list of known file extensions it targets)
    2. Encrypts the files with AES-256 encryption
    3. Demands payment from the PC’s user in exchange for a key or code that will decrypt the files

    It uses the same encryption method to communicate with its command and control server to generate a personalized TOR payment webpage for the infected machine. Earlier variants stored the private key as a file on the machine itself; Cisco/Talos created the Talos TeslaCrypt Decryption Tool, which enables affected users to decrypt their files with the locally stored private key.

    Recent variants, however, store the key in the registry as binary data.

    The main distinction that separates this from other ransomware threats is the types or context of the files it targets for encryption: files related to PC games and financial or tax software, in addition to other files more commonly encrypted by ransomware. The following is a list of extensions we’ve seen this threat use in relation to specific programs:

    • .arch00
    • .d3dbsp
    • .dayzprofile
    • .ibank
    • .mcgame
    • .qdf
    • .rofl
    • .sav
    • .t12/ .t13
    • .tax
    • .vfs0
    • .vpp_pc
    • .w3x

    Telemetry

    We saw a large spike in the number of detections for Tescrypt in late August 2015 (see Figure 1). Prior to August, infections were steady but low; after the spike, detections spiked and fell but overall have remained higher than before that first peak in late August.

    Graph showing number of Tescrypt infections during August and September 2015

    Figure 1: Tescrypt encounters since August 2015

    Globally, the United States remains the most infected, taking over a full third of the distribution. The chart in Figure 2 shows the distribution share of Tescrypt in September 2015; countries with less than a 1.0% share are grouped together.

    Pie chart of countries affected by Tescrypt, with US at 39.3%

    Figure 2: Countries most affected by Tescrypt infections

    This malware usually arrives as a payload of exploit kits. It can also be downloaded by other malware. The exploit kits we’ve seen distributing Tescrypt include:

    Tescrypt has used the alias “Tesla Crypt” (and “Alpha Crypt” in earlier variants, see Figure 3), and in some cases mimics other ransomware families such as Crilock and Crowti by displaying similar screen prompts (see Figures 4 and 5).

    Example screen showing Alpha Crypt ransom message

    Figure 3: Alpha Crypt

    Screen showing ransom message with a red background

    Figure 4: Example of Tescrypt that mimics Crilock

    Screen showing ransom message with a white background and green borders

    Figure 5: Example of Tescrypt that mimics Crowti

    More information about this malware’s behavior can be found in our encyclopedia entry Win32/Tescrypt, and information about ransomware in general on our ransomware page.

    Prevention and remediation

    Our general ransomware recommendations apply for Tescrypt.

    The best defense against ransomware is pre-defense: make sure you have important documents, files, and databases securely backed up in disconnected or remote storage. This can be as simple as a flash drive or a removable hard disk that you save files to once a week and then disconnect from your PC.
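    A way to act on the extension list above and on the backup advice in this paragraph, as an added example that is not code from the MMPC post: the script walks a source tree for the file types Tescrypt is reported to target and checks each one against its copy on a disconnected backup volume. The source and backup paths are assumptions for illustration.

```powershell
# Added example, not code from the MMPC post. Inventories the file types the
# post lists as Tescrypt targets under a source tree and checks each one against
# the copy on a disconnected backup volume. Paths are assumptions for illustration.

# Extensions the post reports Tescrypt targeting (game saves, banking/tax data)
$TescryptTargetExtensions = @(
    '.arch00', '.d3dbsp', '.dayzprofile', '.ibank', '.mcgame', '.qdf',
    '.rofl', '.sav', '.t12', '.t13', '.tax', '.vfs0', '.vpp_pc', '.w3x'
)

function Test-BackupCoverage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SourceRoot,   # e.g. C:\Users\alice (assumed)
        [Parameter(Mandatory)] [string] $BackupRoot,   # e.g. E:\backup on a removable disk (assumed)
        [string[]] $Extensions = $TescryptTargetExtensions
    )

    $sourceRootFull = (Resolve-Path -LiteralPath $SourceRoot).ProviderPath.TrimEnd('\')

    Get-ChildItem -LiteralPath $sourceRootFull -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            # Mirror the path relative to the source root under the backup root
            $relative   = $_.FullName.Substring($sourceRootFull.Length).TrimStart('\')
            $backupPath = Join-Path -Path $BackupRoot -ChildPath $relative

            if (-not (Test-Path -LiteralPath $backupPath)) {
                $status = 'Missing'
            }
            else {
                # Compare content rather than timestamps so a changed or damaged
                # source file is reported even if its modification time looks sane
                $srcHash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                $bakHash = (Get-FileHash -LiteralPath $backupPath  -Algorithm SHA256).Hash
                $status  = if ($srcHash -eq $bakHash) { 'Current' } else { 'Differs' }
            }

            [pscustomobject]@{
                File   = $_.FullName
                Backup = $backupPath
                Status = $status
            }
        }
}

# Usage: list every targeted file that is not safely backed up
# Test-BackupCoverage -SourceRoot 'C:\Users\alice' -BackupRoot 'E:\backup' |
#     Where-Object Status -ne 'Current' |
#     Format-Table -AutoSize
```

    Run it while the backup disk is attached, before disconnecting it again, to see which targeted files still lack a current copy. After a suspected infection a file reported as Differs is the case where the backup holds the good copy and the live file does not, so do not re-sync the backup from the PC until the machine has been cleaned.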

    If you are infected, Microsoft recommends you don’t pay the fine. There is no guarantee that paying the ransom will give you access to your files. Paying extortion money such as a ransom might only encourage cybercrime to be financially successful​.

    However, if you’ve already paid, see our ransomware page for help on what to do now.

    You might be able to use the Talos TeslaCrypt Decryption Tool to recover your encrypted files. However, Microsoft makes no representations or warranties that the tool will recover your files.

    Microsoft’s general antimalware remediation instructions also apply.

    Run antivirus or antimalware software

    Use the following free Microsoft software to detect and remove this threat:

    You should also run a full scan. A full scan might find hidden malware.

    Advanced troubleshooting

    To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

    Get more help

    You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

    If you’re using Windows XP, see our Windows XP end of support page.

    Adding a prevalent ransomware family like Tescrypt, along with other malware, helps widen our coverage in protecting and remediating PCs that regularly run and apply the monthly MSRT update.

    The MSRT update is delivered automatically by default to PCs running Windows Vista and later. You can also manually download and run the tool at any time by visiting the Malicious Software Removal Tool page at the Microsoft Safety & Security Center.

    What makes a good Microsoft Defense Bounty submission?
    https://blogs.technet.microsoft.com/srd/2015/09/08/what-makes-a-good-microsoft-defense-bounty-submission/
    Tue, 08 Sep 2015 09:57:37 +0000

    One of Microsoft’s longstanding strategies toward improving software security continues to involve investing in defensive technologies that make it difficult and costly for attackers to exploit vulnerabilities. These solutions generally have a broad and long lasting impact on software security because they focus on eliminating classes of vulnerabilities or breaking the exploitation primitives that attackers rely on. This also helps improve software security over the long run because it shifts the focus away from the hand-to-hand combat of finding, fixing, and servicing individual vulnerabilities and instead accepts the fact that complex software will undoubtedly have vulnerabilities.

    To further emphasize our commitment to this strategy and to cast a wider net for defensive ideas, Microsoft awarded the BlueHat Prize in 2012 and subsequently started the ongoing Microsoft Defense Bounty in June, 2013 which has offered up to $50,000 USD for novel defensive solutions. Last month, we announced that we will now award up to $100,000 USD for qualifying Microsoft Defense Bounty submissions. This increase further affirms the value that we place on these types of defensive solutions and we’re hopeful this will help encourage more research into practical defenses.

    In this blog post, we wanted to take this opportunity to explain how we evaluate defensive solutions and describe the characteristics that we look for in a good defense. There are a few key dimensions that we evaluate solutions based on, specifically: robustness, performance, compatibility, agility, and adoptability. Keeping these dimensions in mind when developing a defense should increase the likelihood of the defense being deemed a good candidate for the Microsoft Defense Bounty and will also go a long way toward increasing the likelihood of the defense being integrated and adopted in practice.

    Criteria for evaluating defensive solutions

    Robustness

    The first and most important criterion deals with the security impact of the defense. After all, the defense must have an appreciable impact on making it difficult and costly to exploit vulnerabilities in order for it to be worth pursuing.

    We evaluate robustness in terms of:

    • The impact the defense will have on modern classes of vulnerabilities and/or exploits.  A good defense should eliminate a common vulnerability class or break a key exploitation technique or primitive used by modern exploits. 

    • The level of difficulty that attackers will face when adapting to the defense.  A good defense should include a rigorous analysis of the limitations of the defense and how attackers are likely to adapt to it. Defenses that offer only a small impediment to attackers are unlikely to qualify.

    Performance

    The second most important criterion deals with the impact the defense is expected to have on performance. Our customers expect Windows and the applications that run on Windows to be highly responsive and performant. In most cases, the scenarios where we are most interested in applying defenses (e.g. web browsers) are the same places where high performance is expected. As such, it is critical that defenses have minimal impact on performance and that the robustness of a defense justifies any potential performance costs.

    Since performance impact is measured across multiple dimensions, it is not possible to simply distill the requirements down into a single allowed regression percentage. Instead, we evaluate performance in context using the following guide posts:

    • Impact on industry standard benchmarks. There are various industry standard benchmarks that evaluate performance in common application workloads (e.g. browser DOM/JS benchmarks). Although SPEC CPU benchmarks can provide a good baseline for comparing defense solutions, we find that it is critical to evaluate performance impact under real-world application workloads. 

    • Impact on runtime performance. This is measured in terms of CPU time and elapsed time either in the context of benchmarks or in common application scenarios (e.g. navigating to top websites in a browser). Defenses with low impact on runtime performance will rate higher in our assessment. 

    • Impact on memory performance. This is measured in terms of how the defense affects various aspects of memory footprint including commit, working set, and code size. Defenses with low impact on memory performance will rate higher in our assessment.

    Compatibility

    One of the reasons that Windows has been an extremely successful platform is because of the amount of care that has been taken to retain binary compatibility with applications. As such, it is critical that defenses retain compatibility with existing applications or that there is a path for enabling the defense in an opt-in fashion. Rebuilding the world (e.g. all binaries that run on Windows) is not an option for us in general. As such, defenses are expected to be 100% compatible in order to rate highly in our assessment.

    In particular, we evaluate compatibility in terms of the following:

    • Binary interoperability. Any defense must be compatible with legacy applications/binaries or it must support enabling the defense on an opt-in basis.  If an opt-in model is pursued, then the defense must generally support legacy binaries (such as legacy DLLs) being loaded by an application that enables the defense. In the case where the defense requires binaries to be rebuilt in order to be protected, the protected binaries must be able to be loaded on legacy versions of Windows that may not support the defense at runtime. 

    • ABI compliant. Related to the above, any defense that alters code generation or runtime interfaces must be compliant with the ABI (e.g. cannot break calling conventions or other established contracts). For example, details on the x64 ABI for Windows can be found here.

    • No false positives. Defenses must not make use of heuristics or other logic that may be prone to false positives (and thus result in application compatibility issues).

    Agility

    Given the importance of binary compatibility and the long term implications of design decisions, we also need to take care to ensure that we are afforded as much flexibility as possible when it comes to making changes to defenses in the future. In this way, we pay close attention to the agility of the design and implementation associated with a defense.  Defenses that have good properties in terms of agility are likely to rate higher in our assessment.

    Adoptability

    All defenses carry some cost with them that dictates how easy it will be to build them and integrate them into the platform or applications. This means we must take into account the engineering cost associated with building the defense and we must assess the taxes that may be inflicted upon developers and systems operators when it comes to making use of the defense in practice. For example, defenses that require developers to make code changes or system operators to manage complex configurations are less desirable. Defenses that have low engineering costs and minimize the amount of friction to enable them are likely to rate higher in our assessment.

    Conclusion

    The criteria above are intended to help provide some transparency and insight into the guidelines that we use when evaluating the properties of a defense both internally at Microsoft and for Microsoft’s Defense Bounty program. It’s certainly the case that we set a high bar in terms of what we expect from a defensive solution, but we believe we have good reasons for doing so that are grounded both in terms of the modern threat landscape and our customers’ expectations.

    We strongly encourage anyone with a passion for software security to move “beyond the bugs” and explore opportunities to invest time and energy into developing novel defenses. Aside from being a challenging and stimulating problem space, there is now also the potential to receive up to $100,000 USD for your efforts in this direction through the Microsoft Defense Bounty program. The impact that these defenses can have on reducing the risk associated with software vulnerabilities and helping keep people safe is huge.

    Matt Miller

    Microsoft Security Response Center


    MSRT September 2015: Teerac
    https://blogs.technet.microsoft.com/mmpc/2015/09/06/msrt-september-2015-teerac/
    Tue, 08 Sep 2015 09:00:00 +0000

    As part of our ongoing effort to provide better malware protection, the September release of the Microsoft Malicious Software Removal Tool (MSRT) will include detection for the prevalent ransomware family Win32/Teerac.

    We first detected Teerac in early 2014. Since then, the family has joined Win32/Crowti and Win32/Tescrypt as one of the most prevalent ransomware families impacting our home and enterprise customers.

    Encounters

    Figure 1: Teerac encounters since April 2015

    Affected countries

    Figure 2: Countries most affected by Teerac infections

    Teerac is usually downloaded and installed from malicious spam email attachments. The malware tries to encrypt files on the infected PC using the Advanced Encryption Standard (AES). It asks for a ransom payment using Bitcoins (equivalent to about USD 500) for the supposed “decryption software”.

    Encrypting ransomware families such as Teerac have proven their ability to form part of a business model for malware authors, and as a result we see some samples updated on an almost daily basis in an attempt to evade antimalware detections.

    Our malware encyclopedia entry for Win32/Teerac has more details about this malware family.

    By adding Teerac to the MSRT we hope to have a bigger impact and reach more affected machines and help remove this threat. However, as with all malware, prevention is the best protection.

    Backup your important files

    It’s a good idea to back up your important files with a cloud storage service such as OneDrive. OneDrive is integrated into Windows 10 and Windows 8.1.

    After you’ve removed a ransomware infection from your PC, you can restore previous, unencrypted versions of your Office files.

    Stay protected

    To help stay protected from this and other threats we recommend running up-to-date real-time security software such as Windows Defender for Windows 8.1 and Windows 10.

    We also recommend you:

    For more tips on preventing malware infections, including ransomware infections, see:

    Defending against CVE-2015-1769: a logical issue exploited via a malicious USB stick
    https://blogs.technet.microsoft.com/srd/2015/08/11/defending-against-cve-2015-1769-a-logical-issue-exploited-via-a-malicious-usb-stick/
    Tue, 11 Aug 2015 15:37:20 +0000

    Introduction

    Today Microsoft released update MS15-085 to address CVE-2015-1769, an important severity security issue in Mount Manager. It affects both client and server versions, from Windows Vista to Windows 10.

    The goal of this blog post is to provide information on the detection guidance to help defenders detect attempts to exploit this issue.


    Detection Guidance

    As part of the update, we are also shipping an event log entry to help defenders detect attempts to use this vulnerability on their systems. The event is raised every time a malicious USB device that relies on this vulnerability is mounted on the system. If such an event is recorded, it means that an attempt to exploit the vulnerability was blocked. So once the update is installed, companies auditing event logs will be able to use this as a detection mechanism.

    These events are logged under the “System” channel and are reported as errors.

    Note: Multiple events may be raised for a single exploit attempt.

    After installing the update, exploitation attempts will result in Event ID 100 being generated with MountMgr or Microsoft-Windows-MountMgr as its source. The CVE associated with this vulnerability will also be logged for further reference. Note that this error code can also be logged in other, extremely rare circumstances. So, while there is a very small chance that this event could be generated in non-malicious scenarios, there is a high probability that an exploitation attempt is the cause of the event.
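    One way to turn the guidance above into a scheduled check, as an added example rather than code from the MSRC post: the function queries the System log for Event ID 100 from the two MountMgr provider names at the Error level and extracts the CVE identifier the post says is written into the event. The seven-day window and the remote computer name are assumptions.

```powershell
# Added example, not code from the MSRC post. Pulls the MountMgr event the
# MS15-085 update logs for blocked exploitation attempts (Event ID 100, Error
# level, System log) and extracts the CVE id the post says is recorded with it.
# The 7-day window and the remote computer name are assumptions.

function Get-MountMgrExploitAttempt {
    [CmdletBinding()]
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,
        [datetime] $StartTime    = (Get-Date).AddDays(-7)
    )

    $filter = @{
        LogName      = 'System'
        ProviderName = @('MountMgr', 'Microsoft-Windows-MountMgr')  # both source names the post gives
        Id           = 100
        Level        = 2                                             # 2 = Error
        StartTime    = $StartTime
    }

    # Get-WinEvent raises an error when nothing matches; treat that as "no attempts"
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $cve = if ($e.Message -match 'CVE-\d{4}-\d+') { $Matches[0] } else { $null }
        [pscustomobject]@{
            Computer    = $e.MachineName
            TimeCreated = $e.TimeCreated
            Provider    = $e.ProviderName
            EventId     = $e.Id
            CVE         = $cve
            Message     = $e.Message
        }
    }
}

# Usage: one row per minute, since a single attempt can raise several events
# Get-MountMgrExploitAttempt |
#     Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:mm') } |
#     Select-Object Name, Count
```

    Grouping by minute collapses the multiple events the post says one attempt can raise into a single count, which is the figure worth alerting on.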

    – Axel Souchet, Vishal Chauhan from MSRC Vulnerabilities and Mitigations Team


    MSRT August 2015: Vawtrak
    https://blogs.technet.microsoft.com/mmpc/2015/08/09/msrt-august-2015-vawtrak/
    Tue, 11 Aug 2015 09:00:00 +0000

    As part of our ongoing effort to provide better malware protection, we are adding the following detections to the Microsoft Malicious Software Removal Tool (MSRT) this month:

    Critroni is a ransomware malware family that can lock your files and ask you to pay money to regain access to them. Variants in the Kasidet family can steal your sensitive information and send it to a remote attacker. This blog has more information about the Vawtrak malware family.

    Vawtrak infection chain

    Vawtrak is a family of information-stealing malware that can be used to steal banking credentials. It is also known as NeverQuest and Snifula.

    Vawtrak variants are typically distributed through one of three infection vectors:

    • Exploit kits (for example, Angler)
    • Spam email attachments (for example as a malicious zip attachment containing the Vawtrak binary)
    • Macro malware (for example, Bartallex)

    Exploit kits such as Angler exploit vulnerabilities in common software. Keeping your software up-to-date can help reduce the chance of infection through these vulnerabilities.

    Macro malware can install other malware, such as Vawtrak, on your PC when you open a malicious spam email attachment and enable macros on your PC. You can read more about this type of threat on our macro help page.

    Figure 1 shows the spam email/Bartallex infection chain:

    Infection chain

    Figure 1: Vawtrak infection chain

    Vawtrak malware details

    The Vawtrak dropper installs a DLL component to %ALLUSERSPROFILE%\<random folder name>\<random file name>. The random folder and file names are generated using a linear congruential generator (LCG) algorithm seeded with the volume serial number of the system drive, so the names are fixed for a specific PC and are the same each time the malware runs.

    The malware uses the same trick to store configuration information in the registry, making it easier for the threat to retrieve the configuration after a reboot or update.

    It then injects the DLL into all running processes and browsers. Once Vawtrak is running in a web browser process, it steals your user names and passwords for some websites. The websites targeted can vary. The malware also contacts its command and control server to get configuration files and other bot commands.

    There are more details about the malware payload in our Win32/Vawtrak family description.

    Vawtrak telemetry

    Figure 2 shows the number of Vawtrak encounters we have seen during the past two months. Most infections occurred in the United States and the UK, as shown in Figure 3.

    Encounters

    Figure 2: Vawtrak encounters

    Affected countries

    Figure 3: Top 10 countries affected by Vawtrak

    Stay protected

    MSRT cleanup for Vawtrak will remove executable files and registry entries related to the malware. It will also restore the default system settings. Microsoft security products, such as Windows Defender for Windows 10, also include detection for Vawtrak and other malware families.

    It’s also always important to:

    For enterprise users:

    MMPC
    Wei Li & Zhitao Zhou

    Advances in Scripting Security and Protection in Windows 10 and PowerShell V5
    https://blogs.technet.microsoft.com/srd/2015/06/10/advances-in-scripting-security-and-protection-in-windows-10-and-powershell-v5/
    Wed, 10 Jun 2015 11:25:59 +0000

    In the last several releases of Windows, we’ve been working hard to make the platform much more powerful for administrators, developers, and power users alike. PowerShell is an incredibly useful and powerful language for managing Windows domains. Unfortunately, attackers can take advantage of these same properties when performing “post-exploitation” activities (actions that are performed after a system has been compromised).

    The PowerShell team, recognizing this behavior, has significantly advanced security-focused logging and detection in Windows 10 and PowerShell v5. Some capabilities take advantage of new functionality in Windows 10, others are available on Windows 8.1 and Windows Server 2012R2 with KB3000850, and the functionality that is specific to PowerShell v5 will be available on Windows 7 and Windows Server 2008R2 when the next version of the Windows Management Framework is released.

    Scripting transparency for Antimalware engines

    Antimalware engines traditionally focus the majority of their attention on files that applications (or the system) open. Scripts have historically been difficult for antimalware engines to evaluate because scripts can be so easily obfuscated. Unless the antimalware engine can emulate the particular scripting language, it will not be able to deobfuscate the script to view the actual payload.

    A new Windows 10 feature, the Antimalware Scan Interface (AMSI), lets applications become active participants in malware defense. Applications can now request antimalware evaluation of any content, not just files on disk. This gives script engines (and other applications) the ability to request evaluation of deobfuscated scripts and to request evaluation of content entered directly into the console.

    For more information about the Antimalware Scan Interface, see http://blogs.technet.com/b/mmpc/archive/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses.aspx


    PowerShell Logging Improvements

    Given the incredible power of PowerShell’s shell and scripting language, we’ve made major advancements in PowerShell’s transparency for PowerShell v5:

    Improved over-the-shoulder transcription

    Previous versions of PowerShell provided the ability to transcript sessions. Unfortunately, transcripting was not globally configurable, could be easily disabled, and only worked in the interactive PowerShell console. The result was that transcripting was not very practical for detecting malicious activity.

    For PowerShell v5 and Windows 8.1/2012R2 with KB3000850, the following changes have been made for transcripting:

    • Can now be configured as a system-wide group policy
    • Provides better information about the session than the previous transcription functionality
    • Transcription works in both non-interactive and interactive PowerShell sessions

    Deep script block logging

    Previous versions of PowerShell provided “pipeline logging”, a mechanism to log all commands invoked (with the parameters). The way this information was logged made it difficult to use for security auditing and detection. In PowerShell v5 and Windows 8.1/2012R2 with KB3000850, PowerShell gains a new security focused logging mechanism called “Script Block Logging”.

    A “script block” is the base level of executable code in PowerShell. Even when a script is obfuscated, it must eventually be transformed from an obfuscated script block back into a deobfuscated script block containing its malicious payload.

    PowerShell now provides the option to log all script blocks to the event log prior to executing them. In the case of obfuscated scripts, both the obfuscated and deobfuscated script blocks will end up being logged. This gives defenders the ability to see exactly what PowerShell code is being run on their systems.
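    To show what the transcription and script block logging policies above look like when applied and then consumed, here is an added example that is not code from the post or from the PowerShell team: the first function sets the two system-wide policies through their policy registry keys, and the second reads the logged script blocks back out of the PowerShell operational log and flags those matching a watch list. The transcript directory and the watch-list strings are assumptions; the registry paths and event ID 4104 are the ones the PowerShell v5 policies use.

```powershell
# Added example, not code from the post or the PowerShell team. Applies the two
# logging policies described above through their policy registry keys, then reads
# logged script blocks back out of the PowerShell operational log. The transcript
# directory and the watch-list strings are assumptions; run the first function
# from an elevated session.

function Enable-PowerShellTransparency {
    [CmdletBinding()]
    param(
        # Assumed location; in production point this at a write-only network share
        [string] $TranscriptDirectory = 'C:\PSTranscripts'
    )
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    # System-wide transcription: applies to non-interactive sessions too, unlike Start-Transcript
    $t = Join-Path $policyRoot 'Transcription'
    New-Item -Path $t -Force | Out-Null
    Set-ItemProperty -Path $t -Name EnableTranscripting    -Value 1 -Type DWord
    Set-ItemProperty -Path $t -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path $t -Name OutputDirectory        -Value $TranscriptDirectory -Type String

    # Script block logging: each block is written to the event log before it executes
    $s = Join-Path $policyRoot 'ScriptBlockLogging'
    New-Item -Path $s -Force | Out-Null
    Set-ItemProperty -Path $s -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

function Get-SuspiciousScriptBlock {
    [CmdletBinding()]
    param(
        [datetime] $StartTime = (Get-Date).AddHours(-24),
        # Constructed watch list of strings defenders commonly review; tune for your environment
        [string[]] $WatchList = @('Invoke-Expression', 'FromBase64String', 'DownloadString', 'Add-Type')
    )

    # Event 4104 carries the script block text; obfuscated and decoded forms are both logged
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $StartTime
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Properties for 4104: [0] message number, [1] message total, [2] script block text,
        # [3] script block id, [4] path of the script file (empty for console input)
        $text = [string]$e.Properties[2].Value
        $hits = @($WatchList | Where-Object { $text -match [regex]::Escape($_) })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                TimeCreated   = $e.TimeCreated
                ScriptBlockId = $e.Properties[3].Value
                Path          = $e.Properties[4].Value
                Matched       = ($hits -join ', ')
                Snippet       = $text.Substring(0, [math]::Min(120, $text.Length))
            }
        }
    }
}

# Usage:
# Enable-PowerShellTransparency            # once, elevated; new sessions pick the policy up
# Get-SuspiciousScriptBlock | Format-Table -AutoSize
```

    Large script blocks are split across several 4104 events, which is what the message number and total in the first two properties describe; when reassembling a block for review, group by ScriptBlockId and order by message number.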

    Protected Event Logging

    One concern when you increase logging on a machine is that the information you’ve logged may contain sensitive data. If an attacker compromises that machine, this sensitive information in the event log may be a gold mine of credentials, confidential systems, and more. To help address this concern, we’ve added Protected Event Logging to Windows 10, which lets participating applications encrypt sensitive data as they write it to the event log. You can then decrypt and process these logs once you’ve moved them to a more secure and centralized log collector.

    Miscellaneous Security Improvements

    Additional security features added to PowerShell v5 include:

    • Encryption and decryption cmdlets using the Cryptographic Message Syntax (CMS) standard
    • Secure code generation APIs for developers
    • “Constrained PowerShell” for systems that implement AppLocker policies


    For more information about PowerShell’s transparency improvements, Protected Event Logging, and other PowerShell security improvements, see http://blogs.msdn.com/b/powershell/archive/2015/06/09/powershell-the-blue-team.aspx



    Joe Bialek (MSRC Engineering), Lee Holmes (PowerShell)

    EMET 5.2 is available (update)
    https://blogs.technet.microsoft.com/srd/2015/03/16/emet-5-2-is-available-update/
    Mon, 16 Mar 2015 12:57:00 +0000

    Today, we’re releasing the Enhanced Mitigation Experience Toolkit (EMET) 5.2, which includes increased security protections to improve your security posture. You can download EMET 5.2 from microsoft.com/emet or directly from here.

    Following is the list of the main changes and improvements:

    • Control Flow Guard: EMET’s native DLLs have been compiled with Control Flow Guard (CFG). CFG is a new feature introduced in Visual Studio 2015 (and supported by Windows 8.1 and Windows 10) that helps detect and stop attempts at code hijacking. EMET native DLLs (i.e. EMET.DLL) are injected into the application process EMET protects. Since we strongly encourage 3rd party developers to recompile their applications to take advantage of this very latest security technology, we have compiled EMET with CFG. More information on CFG is available at this Visual C++ Team blog entry.
    • VBScript in Attack Surface Reduction: the configuration for the Attack Surface Reduction (ASR) mitigation has been improved to stop attempts to run the VBScript extension when loaded in Internet Explorer's Internet Zone. This mitigates the exploitation technique known as “VBScript God Mode” observed in recent attacks.
    • Enhanced Protected Mode/Modern IE: EMET now fully supports alerting and reporting from Modern Internet Explorer, or Desktop IE with Enhanced Protected Mode enabled.

    Your feedback is always welcome, as it helps us improve EMET. Feel free to reach out to us by sending an email to emet_feedback@microsoft.com.

    3/16/2015 UPDATE: We have received reports of certain customers experiencing issues with EMET 5.2 in conjunction with Internet Explorer 11 on Windows 8.1. We recommend customers that downloaded EMET 5.2 before March 16th, 2015 to download it again via the link below, and to uninstall the previous EMET 5.2 before installing the new one.

    – The EMET Team

    BlueHat v14 is almost here
    https://blogs.technet.microsoft.com/bluehat/2014/10/06/bluehat-v14-is-almost-here/
    Mon, 06 Oct 2014 18:01:00 +0000

    It’s that time of year and BlueHat v14 is almost upon us. As always, BlueHat is an opportunity for us to bring the brightest minds in security together, both internal and external, to discuss and tackle some of the hardest problems facing the industry today. Through this conference, our engineering teams get deep technical information and education on the latest threats from proven industry experts.

    BlueHat kicks off on October 9th, when we will spend the day focusing on researcher methodologies such as fuzzing, red team assessments, malware analysis and BIOS attacks. On the second day, we will have three tracks, starting with Security & Identity, followed by State of the Hack (focusing on the next generation of advanced persistent threats and web exploit detection), and finally ending with Security in Deployed Environments.

    We are very excited about the interaction between Microsoft engineers and the other top security experts who are coming to speak at the event. Here is a list of their talks:

    *Please note that this schedule is subject to change.

    October 9th, 2014

    START – END | SPEAKER | TALK TITLE

    9:00 AM – 9:40 AM | Chris Betz | Keynote

    9:40 AM – 10:20 AM | Stefano Zanero | Botintime – Phoenix: DGA-based Botnet Tracking and Intelligence
    It’s common knowledge that a malicious domain automatically generated will not become popular and also an attacker will register a domain with a Top Level Domain that does not require clearance. Hence, we use Phoenix, which filters out domains likely to be generated by humans. The core of Phoenix is its ability to separate DGA from non-DGA domains, using linguistic features.

    10:20 AM – 10:35 AM | Break

    10:35 AM – 11:15 AM | Scott Longheyer | Government Snooping Potentially Now Constitutes an Advanced Persistent Threat
    Security is the application of Privacy’s intentions, so open the pocketbook and check your ciphers. Gain a deeper understanding of Microsoft’s position on privacy and how online services intend to protect customer data.

    11:15 AM – 11:55 AM | Stefano Zanero | Jackdaw talk – Automatic Malware Behavior Extraction and Tagging
    This talk will focus on our approach for extracting (interesting) behavior specifications in an automatic way from a large collection of (untagged) malware. If you wonder why, it’s because we believe in giving support to the analyst by providing a list of important behaviors, with a rough explanation, to prioritize the analysis.

    11:55 AM – 12:55 PM | Lunch

    12:55 PM – 1:15 PM | Xeno Kovah | UEFI – What would it take to enable global firmware vulnerability & integrity checking?
    This talk will describe what actions are being taken to improve security for PC firmware, and what different groups in Microsoft can do to help.

    1:15 PM – 1:35 PM | Yuriy Bulygin | UEFI – Summary of Attacks against BIOS and Secure Boot
    A variety of attacks targeting platform firmware have been discussed publicly, drawing attention to the pre-boot and firmware components of the platform such as BIOS and SMM, UEFI secure boot and Full Disk Encryption solutions. This talk will detail and organize some of the attacks and how they work. We will cover attacks against BIOS write protection, attacks leveraging hardware configuration against SMM memory protections, attacks using vulnerabilities in SMI handlers, attacks against BIOS update implementations, attacks bypassing secure boot, and various other issues. We will describe underlying vulnerabilities and how to assess systems for these issues. After watching, you should understand how these attacks work, how they are mitigated, and how to verify if your system has any of these problems.

    1:35 PM – 2:15 PM | Josh Thomas | Behind the NDA: How to attack a product under deadline
    This talk will focus on a brief security assessment of the Windows Phone / Nokia Lumia platforms with the intent of exploring attack methodologies. This talk will focus on how we as consultants approach a new problem / technology and how we can quickly become productive on new and previously unknown / unexplored hardware and software components.

    2:15 PM – 2:35 PM | Sergey Bratus, Julian Bangert | Defining and Enforcing Intent Semantics at ABI level
    Dominant OS security policy designs treat a process as an opaque entity that has a "bag" of permissions to access some OS resources at any time, in any order. Now that the sensitive data that we most want to protect may never touch the filesystem or even cross a process boundary, these designs fail at their purpose. We introduce a design that has a much higher granularity of protection, yet is compatible with existing ABI, standard build chains, and binary utilities.

    2:35 PM – 2:50 PM | Break

    2:50 PM – 3:30 PM | Andrew Ruef | Build It Break It Competition
    We created a competition where students design and implement secure programs, and identify bugs in each other’s programs. We’ll talk about the design of the competition, the data we’ve gathered from executing the competition, our plans for future competitions, and what the data is telling us about software security, programming languages, education, and software development.

    3:30 PM – 4:10 PM | Ram Shankar Siva Kumar, John Walton | Subverting machine learning detections for fun and profit
    If you are using machine learning in your feature, it can be attacked! This talk is a primer on adversarial machine learning wherein we show how attackers can manipulate machine learning systems to get the result they want you to see. You will learn how to protect yourself and detect such attacks. You don’t need to know about machine learning to attend this talk – we’ve got you covered.

    4:10 PM – 4:40 PM | Lightning Talks
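The Phoenix abstract above rests on one observation: a label produced by a domain generation algorithm does not look like one a person chose, and linguistic features can tell the two apart. The block below is an added example, not Phoenix's code and not part of the original post. It scores the second-level label of a domain on five assumed features (character entropy, vowel ratio, digit ratio, longest consonant run, and the fraction of the label covered by dictionary words) and flags a domain only when several of them agree. The word list, the thresholds and the sample domains are constructed for the example; a real deployment would load a full dictionary and fit the thresholds on labelled traffic.

```python
import math
import re
from collections import Counter

# Constructed stand-in for the English dictionary a Phoenix-style classifier
# would load; the scoring below is an assumed heuristic, not Phoenix's model.
WORDS = {"micro", "soft", "google", "face", "book", "mail", "bank", "secure",
         "login", "update", "news", "cloud", "store", "shop", "blog", "tech"}
VOWELS = set("aeiou")


def second_level_label(domain):
    """'mail.example.com' -> 'example': the label a DGA actually generates."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s):
    """Bits per character; uniformly random labels approach log2(alphabet size)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(s):
    """Pronounceable words rarely string more than three consonants together."""
    return max((len(r) for r in re.findall(r"[b-df-hj-np-tv-z]+", s)), default=0)


def dictionary_coverage(s):
    """Fraction of characters covered by dictionary words (greedy, longest first)."""
    covered, i, n = 0, 0, len(s)
    while i < n:
        match = next((j - i for j in range(n, i + 2, -1) if s[i:j] in WORDS), 0)
        covered += match
        i += match or 1
    return covered / n if n else 0.0


def features(domain):
    label = second_level_label(domain)
    alpha = re.sub(r"[^a-z]", "", label)
    return {
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(ch in VOWELS for ch in alpha) / len(alpha) if alpha else 0.0,
        "digit_ratio": sum(ch.isdigit() for ch in label) / len(label) if label else 0.0,
        "consonant_run": longest_consonant_run(alpha),
        "dict_coverage": dictionary_coverage(alpha),
    }


def dga_score(domain):
    """Number of linguistic features (0..5) that look machine-generated."""
    f = features(domain)
    return sum([
        f["entropy"] > 3.0,          # assumed threshold
        f["vowel_ratio"] < 0.25,
        f["digit_ratio"] > 0.2,
        f["consonant_run"] >= 4,
        f["dict_coverage"] < 0.5,
    ])


def is_dga(domain, threshold=3):
    return dga_score(domain) >= threshold


def triage(domains, threshold=3):
    """Split observed domains into (likely_dga, likely_human)."""
    flagged = [d for d in domains if is_dga(d, threshold)]
    return flagged, [d for d in domains if d not in flagged]


if __name__ == "__main__":
    # Constructed sample of domains as they might appear in DNS logs.
    sample = ["microsoft.com", "google.com", "bankofamerica.com",
              "xjfqkzpwlm.com", "a8f3k2j9d7.net", "qwzxvbnmlp.org"]
    for d in sample:
        print(f"{d:20} score={dga_score(d)} {features(d)}")
    print(triage(sample))
```

Note that bankofamerica.com trips the entropy test on its own (a long, letter-rich label scores above 3 bits per character) while failing every other test; that is why the score only flags a label when several independent features agree, rather than trusting entropy alone.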

     

    October 10th, 2014

    9:00 AM – 10:00 AM | Lightning Talks & Breakfast

    10:00 AM – 10:40 AM | Benjamin Delpy, Chris Campbell, Skip Duckwall | The Attacker's View of Windows Authentication and Post Exploitation part 1
    This talk will focus on how Windows authentication works in the real world and what the popular attacks against it are. You will learn the thought process of attackers in the real world and how it differs from a defender’s perspective. We’ll also cover post-exploitation tools and techniques such as Mimikatz. Finally, we’ll discuss next steps – how do you design services that are breach-resistant and make authentication harder to crack?

    10:40 AM – 11:20 AM | Benjamin Delpy, Chris Campbell, Skip Duckwall | The Attacker's View of Windows Authentication and Post Exploitation part 2

    11:20 AM – 11:35 AM | Break

    11:35 AM – 12:15 PM | Ho John Lee | Privacy and Security in a Personalized Services World
    An introduction and discussion of current policy issues around personalized mobile and cloud-based knowledge services. In this talk you will learn about some of the privacy and policy issues associated with large scale, cloud based personalization that are different from those in web search, email, or social networks. I will also present some concepts and patterns for building mobile and personalized services that honor individual user data obligations while also enabling offline data analysis and global, low latency serving infrastructure.

    12:15 PM – 12:55 PM | Bo Qu | The failure and success in IE fuzzing
    The road to success is often paved with failure. In this presentation we will discuss the mistakes and challenges we overcame while developing our fuzzer that has successfully discovered over 100 vulnerabilities in Internet Explorer. Welcome to the school of hard knocks!

    12:55 PM – 1:55 PM | Lunch

    1:55 PM – 2:35 PM | John Walton | Next Generation Advanced Persistent Threat™
    What will tomorrow’s threat landscape look like? How can attacks become even more advanced than we are observing today? What will the adversary’s arsenal contain? The Next Generation Advanced Persistent Threat™ talk will peer into the future and these exact questions. Come discover how we will continue to be outmaneuvered during every phase of the cyber kill chain.

    2:35 PM – 2:55 PM | David Finn | Fighting Cybercrime with Big Data
    The Microsoft Digital Crimes Unit (“DCU”) is a team of about 100 people, including former prosecutors, law enforcement officials, security analysts, investigators, attorneys, and intelligence analysts, dedicated to the fight against global cybercrime. In this presentation about DCU’s CSI-like blend of crime fighting and technology, find out how Big Data and analytics is revolutionizing everything DCU does – helping protect internet users, and disrupting and dismantling criminal organizations all over the world.

    2:55 PM – 3:10 PM | Break

    3:10 PM – 3:30 PM | Alexandra Savelieva, Daniel Eshner, Nuwan Ginige, Mohammad Usman | Data Isolation In Multitenant Cloud Environment
    In our talk, you’ll learn about a new solution that we built to address the problem of managing access to data across various fabrics and processing environments to mitigate top security threats of a cloud-based distributed application platform shared by multiple partners, including isolation of mutually distrustful tenant applications running side-by-side on a commodity server.

    3:30 PM – 4:30 PM | Daniel Edwards | Engineer's guide to DDOS
    Are you ready to discuss DDoS? Can your online service be weaponized to attack? It’s already happened to others. Is yours next?
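The Siva Kumar/Walton abstract on Day 1 makes the point that any feature built on machine learning can be attacked. The block below is an added example, not code from that talk or from the original post, showing the simplest such attack against a linear detector: the attacker pads the features it controls (import count, benign-looking strings) in the direction of the model's weights until the score crosses the decision boundary. The weights, the attacker model (which features can be padded, how far, at what cost) and the sample are all constructed. The same routine doubles as the defender's check the talk promises: asking how cheaply a sample can be evaded tells you whether the model is leaning on features an attacker can change for free, and the second, hardened weight set shows what moving that weight onto costly features does to the attack.

```python
import math

# Assumed weights for two linear "malicious file" detectors (constructed for this
# example; real weights would come from training). Positive logit => flagged.
ORIGINAL = {"bias": -0.4, "w": {"entropy_high": 2.0, "n_imports": -0.05,
                                "n_benign_strings": -0.3, "signed": -2.5}}
# Same detector after moving weight off the features an attacker can pad cheaply.
HARDENED = {"bias": -0.4, "w": {"entropy_high": 2.5, "n_imports": -0.02,
                                "n_benign_strings": -0.05, "signed": -2.5}}

# Attacker model (constructed): which features can be *increased* by padding,
# how far, and at what unit cost. Packing entropy and a trusted code signature
# cannot be fixed by padding, so they are not controllable here.
CONTROLS = {"n_imports": {"max_add": 20, "cost": 1},
            "n_benign_strings": {"max_add": 20, "cost": 1}}

# Constructed feature vector of a malicious sample before any manipulation.
MALICIOUS = {"entropy_high": 1, "n_imports": 4, "n_benign_strings": 1, "signed": 0}


def logit(model, x):
    return model["bias"] + sum(model["w"][k] * x[k] for k in model["w"])


def predict_proba(model, x):
    return 1.0 / (1.0 + math.exp(-logit(model, x)))


def is_flagged(model, x):
    return logit(model, x) > 0


def cheapest_evasion(model, x, controls=CONTROLS, budget=40):
    """Greedy feature-space evasion against a linear model: each step spends one
    unit on the controllable feature whose negative weight buys the largest score
    drop per unit cost. Returns (perturbed_sample, cost), or (None, None) when
    the sample cannot be pushed below the boundary within the caps and budget."""
    x = dict(x)
    added = {k: 0 for k in controls}
    cost = 0
    while is_flagged(model, x):
        best, best_gain = None, 0.0
        for k, c in controls.items():
            if added[k] >= c["max_add"]:
                continue
            gain = -model["w"][k] / c["cost"]   # only negative weights help
            if gain > best_gain:
                best, best_gain = k, gain
        if best is None or cost + controls[best]["cost"] > budget:
            return None, None
        x[best] += 1
        added[best] += 1
        cost += controls[best]["cost"]
    return x, cost


def evasion_report(model, x):
    """Defender's robustness check: how cheaply can this sample be made to pass?"""
    perturbed, cost = cheapest_evasion(model, x)
    return {"flagged_before": is_flagged(model, x),
            "p_before": round(predict_proba(model, x), 3),
            "evadable": perturbed is not None,
            "cost": cost,
            "p_after": round(predict_proba(model, perturbed), 3) if perturbed else None}


if __name__ == "__main__":
    for name, model in (("original", ORIGINAL), ("hardened", HARDENED)):
        print(name, evasion_report(model, MALICIOUS))
```

Against the original weights the sample is cleared by appending four benign-looking strings; against the hardened weights the attacker exhausts both padding caps and is still flagged, because the score now rides on the packing entropy and the missing signature, which padding cannot change.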

    Bug Bounty Evolution: Online Services
    https://blogs.technet.microsoft.com/bluehat/2014/09/23/bug-bounty-evolution-online-services/
    Tue, 23 Sep 2014 10:31:57 +0000

    Today marks the next evolution in bounty programs at Microsoft as we launch the Microsoft Online Services Bug Bounty program starting with Office 365. In our mobile first, cloud first world, this is an exciting and logical evolution to our existing bug bounty programs.

    Office 365 is the first of our online services groups to launch a bounty for vulnerabilities found in their services and we will bring others into the program as we go forward. For a list of eligible services and program terms, please visit http://www.microsoft.com/bountyprograms. Of course, any vulnerabilities discovered in any Microsoft products or services can and should be reported according to our Coordinated Vulnerability Disclosure guidelines to us by emailing secure@microsoft.com.

    We invite you to also read the Office 365 blog post here where our colleagues there discuss some of what they are hoping to see as a result of this program. Our goal with bounty programs is ultimately unchanged and that is to uncover issues and protect customers as quickly as possible and as always, partnering with the security research community offers us the broadest way to do that.

    Happy Hunting!

    Akila Srinivasan

    BlueHat v13 is Coming
    https://blogs.technet.microsoft.com/bluehat/2013/12/06/bluehat-v13-is-coming/
    Fri, 06 Dec 2013 15:34:00 +0000

    This week, starting Thursday, we’ll be hosting our 13th edition of BlueHat. I’m always so impressed with the level of knowledge we attract to each BlueHat, and while the event is invite-only, we’ll be sharing glimpses into the event via this blog and the hashtag #BlueHat.

    For each of the past six years I have had the honor to work among some of the most talented engineers I have ever met, here at Microsoft. I am inspired by the mission we embrace in securing our products, devices, and services. There are few other vantage points with as broad a footprint on the internet, since one of Microsoft’s early mottos helped put “a computer in every home.” Our job in the Microsoft Security Response Center (MSRC) is to help protect the customers who use the technology that the rest of the company works so hard to create. In everything we do in the MSRC, we strive to fulfill our mission to help ensure the security and privacy of over a billion computer systems and our customers worldwide.

    In 2005, we started the BlueHat conference to educate the developers and executives of Microsoft about current and emerging threats. The idea was to bring the hackers and security researchers to us, and in doing so foster an environment where the bidirectional exchange of ideas around the balance between security and functionality could meet fertile ground in the famed “hallway track.” We hand-pick just a small number of speakers and external attendees, in most cases to concentrate on learning from them, and where we can to teach some of them what we have learned, to help enhance the security and privacy of the Internet as a whole.

    This year is no different in that we have invited speakers chosen to educate, amaze, and work with Microsoft to help us understand the emerging security threats to us and our customers. Together, we will rise to face the most important challenges in helping to secure the global Internet ecosystem.

    On Dec 12, 2013, we’ll open this year’s BlueHat by focusing on the threat landscape, learning about determined adversaries to help us defend our own network and assets, and tools to detect and mitigate attacks. Next we’ll welcome some of the world’s top experts to discuss devices and services, from low-level hardware to web services, to help us build products, devices, and services that are more secure from the ground up.

    Finally, we’ll close out the conference with a thought-provoking track that I like to call the “Persistence of Trust,” where we will discuss the core elements that comprise the trust we rely on to support what the Internet has become – a global information sharing network that humanity uses to exchange goods, services, money, and most importantly, ideas. To support these functions, we must strengthen the technology that underlies and supports that trust, and we must design products, devices, and services that are resistant to security and privacy breaches. 

    Here’s a quick overview of the planned speaker lineup for the two days of BlueHat v13.

    Day 1: Thursday, December 12

    Microsoft Technical Fellow, Anders Vinberg, will open BlueHat’s first track, Threat Landscape. Anders will talk about a broad assurance initiative for the next wave, covering Windows Server and System Center, in close alignment with the Core OS team, identity, Office and Azure. Next, we’ll set the stage with a talk from FireEye’s Zheng Bu and YiChong Lin designed to walk us through the techniques of the average and not so average targeted attacker, and show us ways to detect and combat the adversary. Microsoft Partner Development Manager, Mario Goertzel, will then speak to some of the hard problems that we face in antimalware – specifically, how we equip customers and partners with the right tools and analysis to help us all defend our networks and assets. Closing out the Threat Landscape track, Microsoft Principal Security Program Manager Lead, Graham Calladine, and Microsoft Senior Security Software Development Engineer, Thomas Garnier, will walk us through what attackers are doing now, how our current products and practices work against us, and how we can change this.

    After lunch, the Devices & Services track kicks off with Josh Thomas, whose DARPA-funded research will reveal some hardware-level universal attacks that are possible on mobile devices. Next up, Microsoft’s first Mitigation Bypass Bounty recipient, James Forshaw, will talk about executing unsigned code on the Surface RT without jailbreaking it. Then Microsoft Principal Software Development Engineer Lee Holmes will talk with us about PowerShell. Chris Tarnovsky will discuss semiconductor devices and the backward steps in physical security they have taken through higher Common Criteria ratings. Next up, we’ll hear from Microsoft Partner Development Manager Chris Kaler and Microsoft Senior Program Manager Serge Mera about the latest in Message Analyzer. Mario Heiderich will then take us into the wilds of JavaScript MVC and templating frameworks. The afternoon will wrap up with a call to action from our own Russ McRee, followed by several lightning talks.

    Day 2: Friday, December 13

    Taking into consideration the inevitable socializing from the night before, we’re giving our attendees a slow morning. Between 9:00 AM and 12:00 noon we’ll have a recovery brunch with mimosas, lightning talks, and the famed hallway track. I’ll give the Day 2 keynote, opening the Persistence of Trust track at 12:30 PM. My talk will focus on security strategy at Microsoft, what we’re doing in terms of our defensive industry partner programs like MAPP, and of course, I’ll provide an update on our strategic Bounty programs. I’ll then hand off to Justin Troutman, who will talk about Mackerel, a cryptographic design and development framework based on the premise that real-world cryptography is not about cryptography at all; it’s about products. Peter Gutmann, famed researcher with the University of Auckland, New Zealand, will take the stage and illuminate the psychology of computer insecurity. After a short break, Alex Stamos, CTO of Artemis Internet, and Tom Ritter, Principal Security Engineer with iSEC Partners, will awaken us with tales of life after elliptic curve crypto’s coming extinction. From Bromium Labs we’ll hear from Rahul Kashyap and Rafal Wojtczuk, who will discuss and demonstrate how to reliably break out of various popular sandboxes. Finally, closing BlueHat v13, renowned security and privacy expert and advocate of human rights Morgan Marquis-Boire will explore what I call the elephant in the room, as he discusses the surveillance landscape and coercion-resistant design.

    As chair of the BlueHat content board, I would be remiss in my duty to the mission of BlueHat if I ignored the revelations of the summer of 2013, and the concerns about government surveillance of the internet. Hence, we will be continuing our internal dialog with a conversation with Morgan and others in attendance on how to design products, devices, and services that are more resistant to abuse and surveillance.  For us, and for over a billion of our customers worldwide, this issue transcends borders and politics. We are a global company and part of a global community, and as such we will continue to work with our customers, partners, and even our competitors to ensure a safer, more trustworthy Internet for all.

    From the age of the great worms, to the evolution of more sophisticated and targeted attacks, to the era where modern warfare takes place on not only the information superhighway, but also on the civilian streets of the Internet, we will serve faithfully in our mission to help protect our customers from security and privacy breaches, no matter the adversary.

     

    BlueHat is coming. Brace yourselves.

     

    Katie Moussouris

    Senior Security Strategist

    Microsoft Security Response Center

    https://twitter.com/k8em0

    (that’s a zero)

     

    Bounty Evolution: $100,000 for New Mitigation Bypass Techniques Wanted Dead or Alive
    https://blogs.technet.microsoft.com/bluehat/2013/11/01/bounty-evolution-100000-for-new-mitigation-bypass-techniques-wanted-dead-or-alive/
    Fri, 01 Nov 2013 10:20:00 +0000

    Those who know me personally or follow me on Twitter are familiar with my obsession with karaoke. I do it as often as I can rope people into going with me, never forcing anyone to sing, though invariably everyone does – or at least sings from the sidelines to the songs they know. One of my all-time favorite songs is Bon Jovi’s Wanted Dead or Alive, and it’s the song in my head as I write this post. By the end, I hope to have a few more people singing along. Go ahead and load it into the playlist as you read on.

    Today, Microsoft is announcing the first evolution of the bounty programs we announced in June of 2013. We are expanding the pool of talent who can participate and submit novel mitigation bypass techniques and defensive ideas to include responders and forensic experts who find active attacks in the wild. That means more people can “sing along” to earn big bounty payouts than ever before.

    Today’s news means we are going from accepting entries from only a handful of individuals capable of inventing new mitigation bypass techniques on their own, to potentially thousands of individuals or organizations who find attacks in the wild. Now, both finders and discoverers can turn in new techniques for $100,000.

    Our platform-wide defenses, or mitigations, are a kind of shield that protects the entire operating system and all the applications running on it. Individual bugs are like arrows.  The stronger the shield, the less likely any individual bug or arrow can get through. Learning about “ways around the shield,” or new mitigation bypass techniques, is much more valuable than learning about individual bugs because insight into exploit techniques can help us defend against entire classes of attack as opposed to a single bug – hence, we are willing to pay $100,000 for these rare new techniques.

    Building upon the success of our strategic bounty programs, Microsoft is evolving the bounty landscape to the benefit of our customers. The bounty programs we have created are designed to change the dynamics and the economics of the current vulnerability market. We currently do this in a few ways:

    1. Offering bounties for bugs when other buyers typically are not buying them (e.g. during the preview/beta period) allows Microsoft to get a number of critical bugs out of the market before they are widely traded in grey or black markets and subsequently used to attack customers.

    2. Offering researchers a $100,000 bounty to teach us new mitigation bypass techniques enables us to build better defenses into our products faster and to provide workarounds and mitigations through tools such as EMET.

    3. Evolving our bounty programs to include responders and forensic experts, who can turn in techniques that are being used in active attacks, enables us to work on building better defenses into our products. We will work whenever possible with our MAPP program and engage our community network of defenders to help mitigate these attacks more rapidly.

    In this new expansion of Microsoft’s bounty programs, organizations and individuals are eligible to submit proof-of-concept code and technical analysis of exploits they find in active use in the wild for our standard bounty amount of up to $100,000. Participants are also eligible for up to an additional $50,000 if they submit a qualifying defense idea. The submission criteria for both programs are similar, but the source may be different.

    To participate in the expanded bounty program, organizations must pre-register with us before turning in a submission by emailing us at doa [at] Microsoft [dot] com. After you preregister and sign an agreement, then we’ll accept an entry of technical write-up and proof of concept code for bounty consideration.

    We want to learn about these rare new exploitation techniques as early as possible, ideally before they are used, but we’ll pay for them even if they are currently being used in targeted attacks if the attack technique is new – because we want them dead or alive.

    This evolution of our bounty programs is designed to further disrupt the vulnerability and exploit markets. Currently, black markets pay high prices for vulnerabilities and exploits based on factors that include exclusivity and longevity of usefulness before a vendor discovers and mitigates it.  By expanding our bounty program, Microsoft is cutting down the time that exploits and vulnerabilities purchased on the black market remain useful, especially for targeted attacks that rely on stealthy exploitation without discovery.

    We shall see how the song plays out, but I for one am excited for more singers to step up to the microphone, or to sing out from the sidelines.

     

    Katie Moussouris

    Senior Security Strategist and karaoke MC

    Microsoft Security Response Center

    https://twitter.com/k8em0
    (that’s a zero)

    Nine to tide you over: Video highlights from BlueHat v12
    https://blogs.technet.microsoft.com/ecostrat/2013/04/09/nine-to-tide-you-over-video-highlights-from-bluehat-v12/
    Tue, 09 Apr 2013 12:52:00 +0000

    It has been nearly four months since we gathered in Redmond for BlueHat v12, and we’ve almost caught up on our sleep. As we prepare for what promises to be a momentous year for the BlueHat program – culminating in December with BlueHat v13 – we’ve selected nine of the most compelling, talked-about, or just plain chewy talks from last year’s festivities to share with you.

    • Fraud and Abuse: A Survey of Life on the Internet Today
      Ellen Cram Kowalczyk, Principal Security Program Manager Lead, Microsoft

      Kowalczyk kicked off BlueHat v12 in the morning with a look at two of the most difficult security issues facing our customers today. When you’re in the process of becoming the leading devices and services company, this is the sort of thing that’s on your mind every morning.

    • Social Authentication
      Alex Rice, Product Security, Facebook

      Over the past year, Facebook engineers have been working on various attempts to expand authentication from “something you know” to “someone you know.” Rice’s talk demonstrates some of the results and details the lessons his company has learned along the way.

    • Scriptless Attacks: Stealing the Pie Without Touching the Sill
      Mario Heiderich, Dr.-Ing, Ruhr-University in Bochum, Germany

      Removing JavaScript from the cross-site scripting equation doesn’t necessarily take away the XSS pain, as Dr. Heiderich demonstrates. Learn how attackers can use seemingly benign features to build side-channel attacks that can measure and exfiltrate data from even well-protected sites – and find out what can be done to stop it.

    • Sh*t My Cloud Evangelist Says… Just Not My CSO
      Chris Hoff, Senior Director and Security Architect, Juniper Networks

      In front of an audience evenly divided between developers and security folk, Chris Hoff laid out the differences in worldview between the two – yes, there are a few – and how those translate into the world of cloud computing. More secure? Less secure? Let the debate begin…

    • Don’t Stand So Close to Me: An Analysis of the NFC Attack Surface
      Charlie Miller, Systems Software Engineer, Twitter

      Near-field communication (NFC) technology is growing in popularity, with mobile devices leading the communications charge. But when you tap your phone to an NFC-enabled terminal to make a credit-card payment, how do you know you haven’t been owned – or worse? Miller looks at how NFC technology expands the potential attack surface for mobile devices.

    • Building Trustworthy Windows Store Apps
      David Ross, Principal Software Security Engineer, Microsoft and Crispin Cowan, Senior Program Manager, Windows Security, Microsoft

      The Windows Store environment is designed to protect consumers’ machines and data from individual apps, but that puts serious responsibility on developers to use secure coding practices. Ross and Cowan look at what that means and how developers can approach the challenge without tears.

    • Why UEFI?
      Matthew Garrett, Senior Software Engineer, Nebula

      The Unified Extensible Firmware Interface (UEFI) brings far greater security to the firmware environment, letting developers build security policies that extend all the way into the most basic layers of shipped code. But do we lose platform differentiation in the process? Garrett details why that’s not necessarily the case.

    • Pass the Hash and Other Credential Theft and Reuse: Preventing Lateral Movement and Privilege Escalation
      Patrick Jungles, Security Program Manager, Microsoft

      Credential theft and re-use attacks have gained in popularity in recent years, and there’s nothing tastier for some attackers than your delicious, delicious hashes. Jungles, the Microsoft PM who led the company-wide workgroup that researched and released our recent pass-the-hash whitepaper, presents an overview of the group’s findings.

    • Why Johnny Can’t Patch: And What We Can Do About It
      David Seidman, Senior Security Program Manager, Microsoft

      Microsoft works hard to develop and release security bulletins as soon as we’re aware of a vulnerability that needs addressing. So how is it some users remain vulnerable to issues for which the cure has existed for months, if not years? Seidman dives deep into who doesn’t patch, why, and what might change their ways.

    Enjoy! We’re looking forward to BlueHat v13 – Return to your “C:\>”(s). We suspect there will be a lot to talk about.

    Emily Anderson
    Security Program Manager, MSRC, Microsoft

    On the Shoulders of Blue Giants
    https://blogs.technet.microsoft.com/ecostrat/2012/12/13/on-the-shoulders-of-blue-giants/
    Thu, 13 Dec 2012 09:40:00 +0000

    Handle: k8e
    IRL: Katie Moussouris
    Rank: Senior Security Strategist Lead, Head of Microsoft’s Security Community and Strategy Team
    Likes: Cool vulns, BlueHat, soldering irons, quantum teleportation
    Dislikes: Rudeness, socks-n-sandals, licorice

    BlueHat v12 here in Redmond is in full swing – it started yesterday for full-time Microsoft employees only, and continues today as we welcome our invited guests from beyond Microsoft. I’m excited to see and contribute to this year’s content as it unfolds on stage, and even more excited for all the side meetings that take place here in the hallways of the event.  It makes sense for us to take a moment to recognize the people who have contributed to BlueHat over the years, as well as to look forward to where we are going in terms of security community outreach at Microsoft in the years to come.

    The BlueHat conference itself was groundbreaking in 2005, when the first group of hackers were invited by Window Snyder and Andrew Cushman to speak directly to Microsoft developers and executives about the products in which they were able to find security vulnerabilities. Back then, no major vendors had formally hosted an internal security conference before, but doing events like BlueHat is now an accepted industry practice for many major vendors.

    We as an industry owe Window and Andrew our thanks for blazing this path, and also many thanks to the people over the years who have developed the BlueHat conference to be what it is today. That list includes but is not limited to Kymberlee Price, Celene Temkin, Dana Hehl, Sarah Blankinship, Mike Reavey and, most recently, Emily Anderson. Part of what makes BlueHat special to the speakers and attendees are the personal touches and vision that each person on the list above contributed.

    One of the elements that makes BlueHat such a vital part of our overall security community outreach at Microsoft is the “hallway track.” This is where the invited guests and the Microsoft folks can dive deeper into the topics that are being presented, or diverge into other topics entirely – sometimes with far-reaching effects on improving security by leaps and bounds. As the conference has evolved over the years, some of the people we invite are here to meet with Microsoft engineers and to learn from the content that is presented, such as the MAPP partners we invite. It is the exchange of ideas that can help improve our products, as well as the products of others who are in attendance, that continues to make BlueHat special.

    Many other conversations that will take place in the hallways at BlueHat over this week and beyond will help shape security defense for another generation of the Microsoft computing ecosystem. The relationships being forged and reinforced among Microsoft product teams, security engineers, and the external security research community in these halls will likely bear fruit in terms of helping to improve security for existing and future products and services.

    There is an old saying that can be paraphrased as “If we can see a little further out into the horizon, it is because we are standing on the shoulders of giants.” Even as we face some familiar and not-so-familiar security frontiers such as online service security, mobile computing device security, app store security, and the ever-present human factor being exploited via social engineering attacks, we as members of a holistic global computing ecosystem will continue to benefit from the multi-directional exchange of ideas that happen at BlueHat.

    Our team continues to expand the ways and means by which we facilitate these pivotal conversations, standing on the shoulders of “blue giants” who have built the security community outreach programs like the BlueHat conference itself, and our worldwide security conference sponsorship program.  As we evolve and grow, we add new programs to the overall outreach strategy to help us get better at security today and in the future. An example of a new program we added recently is the BlueHat Prize contest for security defense, for which this year we gave away over $260,000 in cash prizes for ideas in platform-level defense.  As I said on stage at BlueHat Wednesday morning, Microsoft will continue to invest in security defense challenges — and the next iteration of the BlueHat Prize contest will be announced around the time of the BlackHat USA conference next summer.

    So to those who came before, thank you, and to those who will come after, enjoy the view.  I, for one, can’t wait to see what’s just over the horizon, and it’s looking very blue.

    Katie Moussouris
    Senior Security Strategist, MSRC
    https://twitter.com/k8em0

    Announcing BlueHat v12
    https://blogs.technet.microsoft.com/ecostrat/2012/11/21/announcing-bluehat-v12/
    Wed, 21 Nov 2012 14:50:00 +0000

    The days are getting shorter, the holidays are getting nearer, and looming on the horizon is a trio of 12’s – it’s almost time for the 12th BlueHat Conference, on tap for the twelfth month of 2012. We have a terrific lineup of speakers from both inside and outside the company; there’s nothing much we can do about the weather in Seattle in mid-December, but indoors we have compelling work to do on making the cloud, mobile devices, the Internet, and the rest of the computing ecosystem, safer for customers.

    Here’s a quick overview of the planned speaker lineup for the two days of BlueHat v12. For more detail, please check back here in the weeks between now and the conference.

    Day 1: Thursday, December 13

    We’ll open the conference’s first track, Anti-Fraud & Abuse, with author and Microsoft Technical Fellow Mark Russinovich. Mark will also be joining attendees for a lunchtime book-signing (have you read Trojan Horse yet?). He’ll be followed in the morning by Microsoft’s Ellen Cram Kowalczyk, speaking on fraud and abuse, and specifically looking at life on the Internet today.  Facebook’s Alex Rice will give attendees a look into how the world’s biggest social-networking site handles attempts to abuse its users. After a short break, Christopher Hadnagy, author of “Social Engineering: The Art of Human Hacking,” joins us to discuss the role social engineering plays in successful (and unsuccessful) fraud attempts. Finally, Microsoft’s Alex Weinert will give us a look at his work at Microsoft on anti-fraud.

    After lunch, the Cloud & Online Services track kicks off with Mario Heiderich, who’ll cover how, after sustained efforts to mitigate XSS and similar cross-site scripting attacks, an attack surface remains (and what can be done about that). He’s followed by Chris Hoff of Juniper Networks, speaking frankly about what cloud evangelists know…but won’t tell CSOs. We’ll have a break and rejoin the action with MSRC Engineering’s own Gavin Thomas, who looks at better security through Microsoft HPC Server and Windows Azure, followed by Tim Maletic and Chris Pogue of Trustwave discussing OPFOR. The afternoon wraps up with a call to action from Mark, followed by several lightning talks on subjects sure to surprise and delight.

    Day 2: Friday, December 14

    We’re giving you all a later start (9:45 AM), taking into consideration your socializing the night before. MSEC program manager and emcee, Leigh Honeywell, will open the second day of the conference at 9:45 AM, with the Vices & Devices track. She’ll turn the floor over to Charlie Miller, who’s currently playing a major part in Twitter’s security push; he’ll talk about attack surfaces in the NFC (near-field communications) protocol stack. After a short break, Microsoft’s David Ross and Crispin Cowan dive into the world of Windows 8 applications. Matt Garrett of Red Hat joins us to answer “Why UEFI?” Lunch will feature an Online Services Security and Compliance (OSSC) Lunch n’ Learn, focusing on managing security risk to Microsoft’s global online services.

    Friday afternoon brings the conference’s final track, Hot Topics, with a combination of guests, current Microsoft employees, and alumni on tap. First, James Forshaw of Context Information Security discusses the allure for security researchers of managed languages. Next, Fermín Serna – once a Microsoft colleague, now at Google – speaks of current thinking on information-leak vulnerabilities. After a break, MSRC senior security program manager David Seidman explains why some users simply won’t, don’t, or can’t apply security updates – whatever the consequences. The afternoon will close with Mat Honan, Senior Writer for Wired, whom we think will put the conference’s conversations and revelations in perspective as he describes how all the issues we’ve discussed can touch the lives of the customers we aim to protect.

    Thanks –

    Emily Anderson
    Security Program Manager, MSRC

    BlueHat: Something Old, Something New, All Blue
    https://blogs.technet.microsoft.com/ecostrat/2012/10/24/bluehat-something-old-something-new-all-blue/
    Wed, 24 Oct 2012 17:04:00 +0000
    Handle:
    k8e

    IRL:
    Katie Moussouris

    Rank:
    Senior Security Strategist Lead, Head of Microsoft’s Security Community and Strategy Team

    Likes:
    Cool vulns, BlueHat, soldering irons, quantum teleportation

    Dislikes:
    Rudeness, socks-n-sandals, licorice

    Reflecting on my past five years at Microsoft (I know! How time flies!), I can see with fresh perspective just how far we’ve come, while staying true to our goals of helping to protect customers and the computing ecosystem. I just recently returned from maternity leave and launched right into conference season with a bang, speaking at several conferences where I had the opportunity to hang out with old and new friends in the security researcher community. As Microsoft completes its tenth year of working with the broader security community as part of our Trustworthy Computing tenet, it’s a good time to look at how the relationship has developed so far.

    Our on-campus BlueHat Briefings started back in 2005. At the time we had two key goals: to expose our own developers and technical contacts to smart researchers both inside and outside our very large company, and to give researchers a conduit to the developers and tech folk who might not yet appreciate the value of thinking like an attacker. As you might guess, at the beginning there was suspicion and maybe even a little fear on both sides, as researchers came to Redmond, and executives and product teams came out of their comfort zones, to talk honestly about security.  But it worked, and others follow the model with similar conferences of their own now. And even as we prepare for the twelfth edition of the Briefings, it’s still great watching a researcher explain an issue directly to the developers responsible for writing the code to fix it.

    Since then, the BlueHat Briefings have evolved into part of a larger strategy to play well within the community and improve the broader computing ecosystem. In addition to the Briefings, we provide direct financial sponsorship and support for other industry events around the world – this year, 20 or so conferences across 12 countries.  Some improvements in relations with individual researchers have been simple, like establishing our bulletin acknowledgement policy and Online Services Acknowledgements policy to recognize researchers who report issues directly to us. We recognize individual talent in other ways, offering contracts for penetration testing of products in development – in fact, many of the current pen-testing contracts in effect at Microsoft right now were born from researchers that have shown their talents by reporting issues to MSRC.  Sometimes, we’re able to hire this talent to Microsoft as well; we have great talent from the researcher community working here, and we’re always looking for more. And we don’t stop finding ways to work meaningfully with the community. This past summer, we awarded $260,000 to researchers as a part of the first-ever BlueHat Prize. This prize offers financial rewards to researchers to develop security defenses that can take out entire classes of attacks.

    In seven weeks we will gather together at our 12th BlueHat Briefings here in Redmond and have this opportunity for the bidirectional exchange of ideas among people who are passionate about security, both inside and outside of Microsoft.  We have gone from listening and learning from the community to being a true part of it. As the landscape has changed, we’ve evolved our response and engagements and will continue to do so.

    Where does this working relationship with this community — and the future of security research — go over the next 10 years? We’ll focus on building cool products that the researcher community will inevitably help us secure, in their own way – by reporting issues to us via Coordinated Vulnerability Disclosure, by coming to educate and “exploitain” our developers and executives at the BlueHat Briefings, and by working for Microsoft and becoming part of our internal security community to help us defend over a billion computer systems worldwide. We’re excited to imagine what the next decade will look like and how we’ll work together, and I’m just as curious today about what is next in the cobra-mongoose battle between attackers and defenders as I was when I joined this company over five years ago.

    Stay tuned for the speaker line-up as we move closer to the event. I look forward to welcoming the next members of our elite group – our BlueHat community – as we evolve and grow together.

    Katie Moussouris
    Senior Security Strategist Lead
    MSRC

    The BlueHat Prize V1.0 – And the Winners Are…
    https://blogs.technet.microsoft.com/ecostrat/2012/07/26/the-bluehat-prize-v1-0-and-the-winners-are/
    Thu, 26 Jul 2012 14:40:00 +0000
    Handle:
    k8e

    IRL:
    Katie Moussouris

    Rank:
    Senior Security Strategist Lead, Head of Microsoft’s Security Community and Strategy Team

    Likes:
    Cool vulns, BlueHat, soldering irons, quantum teleportation

    Dislikes:
    Rudeness, socks-n-sandals, licorice

    As we wrap up the first BlueHat Prize contest, we wanted to share what we learned while running the first competition, from a major vendor, offering a large cash prize for defensive security research. Not only did we get to motivate the development of technical mitigation technology, but we also achieved some valuable non-technical goals as well.

    We’ll announce the winners in this post, so scroll down if you can’t wait.

    Bonus #1: We identified security defense talent that we may never have encountered otherwise, and helped the world get to know them too.

    Some of the contestants were certainly well-known names in the security research community; some were people we had never heard of before. Running the BlueHat Prize contest allowed us insight into a greater number of people who are doing some deep thinking in the areas of security mitigation technology. This not only helps Microsoft find and work with talented people, but the spotlight that we can help shine on all of these contestants will hopefully help them market their ideas and talent so that the entire security industry can benefit and improve.

    Bonus #2: We aligned some of the top “offensive security” minds to work with us on defense – with excellent results.

    I often say that some of the best defenders come from the “offense” side of the security equation. I believe that you truly have to understand how to break into systems in order to devise effective plans for how to defend those systems. One of the goals we set out to accomplish with this contest was to create both an incentive and an opportunity for fame and fortune in the area of security defensive research that never existed at this scale before. We are very happy that the security community responded positively to our challenge, and some great minds chose to participate.

    With those positive bonus outcomes we will not wait any longer to announce the winners. For an in-depth technical analysis of the winning entries, with the contest judging criteria applied, please see Matt Miller’s blog post on the SRD blog.


    Vasilis Pappas wins $200,000 for his idea, kBouncer – an efficient and fully transparent ROP mitigation technique.

    Ivan Fratric wins $50,000 for his idea, ROPGuard – a system that can detect and prevent the currently used forms of return-oriented programming (ROP) attacks at runtime. 

    Jared DeMott wins an MSDN subscription, valued at $10,000, and was also surprised on stage live with a check for $10,000 cash for his idea, /ROP – a system that lowers the effect of address space disclosures and mitigates known ROP exploits. 


    So what is next for the BlueHat Prize?

    Check the BlueHat Prize website in the next several weeks for an updated page that will include information on the other contest entries. These beautiful minds all deserve the thanks and attention of the security community, and we are excited to provide them with a venue to showcase their defensive security ideas.

    One thing is certain – we will continue to invest in security defense at Microsoft, and we will continue to offer cash incentives to the security community for helping Microsoft, and the rest of the industry, to help improve the state of security for the entire ecosystem. In sports, as in life, a great team understands both offense and defense. To address the security threats of today and tomorrow, we as an industry need to appreciate both.

     – Katie Moussouris

    Senior Security Strategist, MSRC

    The BlueHat Prize Survey at BlackHat – Submit Security Defense Questions for a Chance to Win $5000
    https://blogs.technet.microsoft.com/ecostrat/2012/07/16/the-bluehat-prize-survey-at-blackhat-submit-security-defense-questions-for-a-chance-to-win-5000/
    Mon, 16 Jul 2012 00:00:00 +0000

    Handle:
    k8e

    IRL:
    Katie Moussouris

    Rank:
    Senior Security Strategist Lead, Head of Microsoft’s Security Community and Strategy Team

    Likes:
    Cool vulns, BlueHat, soldering irons, quantum teleportation

    Dislikes:
    Rudeness, socks-n-sandals, licorice


    As we inch closer to Black Hat in Vegas this year, we wanted to kick off the ten-day countdown to our first BlueHat Prize contest winners’ announcement with an invitation to those attending Black Hat. Microsoft is conducting a survey at our Black Hat booth to find out what the security community thinks are the most important industry-wide security issues that need answers. When you participate in the survey at our booth, we’ll enter you into our BlueHat Prize Question Sweepstakes for a chance to win $5,000 USD*!

    We will give away $5,000 twice per day in random drawings at our booth on July 25 and July 26 – once around lunch and once at the end of each day – for a total of $20,000 USD in cash.

    The official rules are found here, but here are some highlights:

    • The only way to enter this contest is to visit the Microsoft booth in person at Black Hat and submit a question.
    • Only one entry per person is allowed (we’ll scan your conference badge, so no funny business!).
    • Valid entries in the sweepstakes must be a defense-oriented security question that could potentially be used in a future BlueHat Prize contest.
    • The issue you submit should be industry-wide, e.g., “Design a defense technology or strategy to defend against social engineering.” or “What would be the best approach to defend against DDoS?”

    While we may not use the specific defense-oriented questions gathered in this sweepstakes, the survey will help us shape a future BlueHat Prize contest with the input from the broader security community. We know not everyone makes it to Black Hat, but we do think there is a decent sampling of various security industry representatives there, so as a survey it works as a decent sample set. If you’d like to let your thoughts be heard, even if you are not at Black Hat, feel free to join the conversation on Twitter with the hashtag #BlueHatPrize.

    As for when we will announce what the next BlueHat Prize contest will be, stay tuned for that news on this blog after Black Hat. For those of you attending Black Hat in person this year, start thinking about what you believe is the biggest industry-wide security issue that needs a great defense. Microsoft may use your idea in our next BlueHat Prize contest, and you might win $5000!

    Katie Moussouris

    Senior Security Strategist, MSRC

    *No Purchase Necessary. Open only to registered event attendees 14+. Game ends 7/26/12. For additional details, see Official Rules posted on-site at the Microsoft booth.

    BlueHat Prize v1.0 Finalists – One of These People Will Win $200,000 (AKA Mad Loot)!
    https://blogs.technet.microsoft.com/ecostrat/2012/06/21/bluehat-prize-v1-0-finalists-one-of-these-people-will-win-200000-aka-mad-loot/
    Thu, 21 Jun 2012 00:00:00 +0000
    Handle:
    k8e

    IRL:
    Katie Moussouris

    Rank:
    Senior Security Strategist Lead, Head of Microsoft’s Security Community and Strategy Team

    Likes:
    Cool vulns, BlueHat, soldering irons, quantum teleportation

    Dislikes:
    Rudeness, socks-n-sandals, licorice

    When we announced the BlueHat Prize on August 3, 2011, we did something that no major vendor had ever done before – offer a large cash prize for defensive security research. While a few vendors and others were offering relatively small cash incentives for security researchers to find and report individual vulnerabilities, we decided that, as a platform provider, Microsoft would be most effective if it sought out new, platform-level, defensive technologies that could possibly help defend against entire classes of vulnerabilities. These defenses could help protect our own applications, and have the potential to protect third-party applications that run on our platform.

    We received 20 entries to our inaugural BlueHat Prize contest, a response and participation from the security research community that exceeded our expectations. We now know contestants emerged from different areas of the security community – some from academia, some recognized names in the hacker community, and some from other venues entirely. Interestingly, about half of the entries poured in during the last few days – and even the last few hours and minutes – of the contest entry period. Also of note, most of the top-rated entries were among those last-minute submissions, perhaps substantiating the old adage that brilliance emerges under the glaring pressure of a looming deadline. One thing we learned from this experience was not to set future contest deadlines for midnight on a Sunday!

    Getting down to business, here are the names of the three finalists, in alphabetical order:

    Jared DeMott

    Ivan Fratric

    Vasilis Pappas

    We will award the prizes to the winners at a 10 p.m. ceremony at our researcher appreciation party on July 26, 2012. We have notified the finalists that they have made it to the finals. The finalists won’t know who won which prize – the grand prize of $200,000 USD, the second prize of $50,000 USD, and the third prize of an MSDN subscription, valued at $10,000 USD – until we reveal it to them and the world live on July 26.

    You can read a little about each of them and their proposed solutions on our BlueHat Prize contest site. After the contest is over, we’ll also be putting up the names and abstracts of the other contestants, so stay tuned for that update sometime after Black Hat.

    For now, please join us as we congratulate all the contestants, and especially the three finalists. We appreciate their hard work, and are excited that we can help showcase their ideas that can help make advancements in platform-level security defense.

    – Katie Moussouris

    Senior Security Strategist, MSRC

    Inside the MAPP program
    https://blogs.technet.microsoft.com/ecostrat/2012/05/02/inside-the-mapp-program/
    Wed, 02 May 2012 22:39:00 +0000

    Handle:
    Cluster

    IRL:
    Maarten Van Horenbeeck

    Rank:
    Senior Program Manager

    Likes:
    Slicing covert channels, foraging in remote memory pools, and setting off page faults

    Dislikes:
    The crackling sound of crypto breaking, warm vodka martini

    Hi everyone,

    Maarten here – my team manages the Microsoft Active Protections Program (MAPP) at Microsoft. MAPP gives defenders a head start by sharing vulnerability information with them so that protection signatures are ready at the same time as security updates.

    Recently we have seen a fair amount of discussion around the MAPP program. We know that many customers and partners have questions about how MAPP works and how it helps protect customers, therefore I wanted to take this opportunity to explain how we work to facilitate the creation of active protections.

    Our goal with MAPP is to have a transparent, effective program in place. As such, we routinely evaluate MAPP partners to ensure they are adhering to program guidelines, taking action to correct any partner deviations from our program charter. We are also continually looking to strengthen our technical and legal controls to help protect our customers.

    Why the MAPP program?

    Microsoft developed the MAPP program in 2008 in response to an increase in reverse-engineering occurring around our monthly security update releases. We recognized that there were many tools available that enabled security researchers and attackers alike to very quickly identify the root cause of a vulnerability, given the update binaries. We noted that defenders, such as antivirus or intrusion prevention vendors, were in a race against attackers to reverse-engineer our updates in order to create protection signatures.

    Before the MAPP program, defenders were at a disadvantage because detecting exploits is difficult, especially if a security vendor does not have full information on the types of conditions that may trigger successful exploitation. A vendor could write a signature for every attack file they receive, but they would need to respond to every file individually, or spend significant amounts of time reverse-engineering our security updates themselves. By providing technical details about a vulnerability directly to defenders, we strengthen their ability to create more effective and accurate signatures in a shorter timeframe.

    MAPP also helps to provide a first line of defense for customers who need, or want, to do their own testing prior to deploying our updates. Microsoft thoroughly tests security updates prior to release; however, we do not have the ability to test with all Line of Business applications that corporations develop in-house.

    Given the fact that some customers prefer to perform in-house testing, which may delay installation of the security update, we sought partners that our customers had already deployed, and that could help protect against exploitation of software vulnerabilities. We found those partners in the anti-malware and intrusion prevention industries.


    How does the MAPP program work?

    Microsoft operates the MAPP program, free of charge, for security vendors that meet our minimum requirements on both the capability they have to protect customers and the number of customers they represent. One can find detailed information on our admission criteria here. We carefully vet and validate these criteria prior to admitting a new partner.

    Each month, our team of security engineers works diligently to create information for our partners that helps them detect the exploitation of security vulnerabilities in our products. This data includes, but is not always limited to:

    • A detailed technical write-up on the vulnerability;
    • A step-by-step process that they can follow to parse an affected file format, or network protocol, that identifies which elements need to have particular values, or exceed specific boundaries, in order to trigger the security vulnerability;
    • Information on how to detect the vulnerability, or exploitation thereof (e.g. event log entries, or stack traces);
    • A Proof-of-Concept file that is in itself not malicious, but contains the specific condition that will trigger the vulnerability. Partners can leverage this file to test detection signatures they develop using the step-by-step process we provide.

    We provide this information to participating vendors shortly in advance of the release of a security update. We base the timeframe on partners’ ability to release effective protections, while limiting the risk, should the information be inadvertently disclosed.

    Once we provide the information, our engineers remain available to discuss, in detail, steps security vendors can take to detect exploitation of a vulnerability.

    Our team also follows up with the partner vendors to better understand which vulnerabilities attackers are exploiting in the wild, and where we need to improve guidance to account for specific exploitation methods. We regularly update guidance after the initial release to help increase the ability of partners to protect customers.


    How the MAPP program helps protect customers

    The MAPP program helps vendors build comprehensive detection for vulnerabilities that Microsoft acknowledges or addresses in a security bulletin. MAPP partners are not permitted to release their protection in advance of the security update release.

    For example, in the case of an Office exploit, our detection guidance will describe how to parse the Office file and validate which part of the file, and which elements, need to be malformed in order to trigger the vulnerability. Without MAPP data, vendors would – in many cases – need to “guess” which values could trigger a crash, and which could not, which reduces the effectiveness of their signatures.

    Detection technology developed using MAPP data tends to be more accurate and more comprehensive than detection built without access to the information. Each month after the bulletin release, Microsoft follows up with each vendor individually to track the use of MAPP guidance across the signature base of our partners. When we identify that certain guidance is difficult to implement for our partner base, we work with partners to understand how we can improve the program and enable them to detect these threats more effectively.

    The vulnerability addressed in MS10-087, CVE-2010-3333, is a good example. This particular issue affected our Rich Text Format (RTF) parser in Microsoft Office. Because we had released only a small number of bulletins for this particular component, many vendors did not have an effective way of parsing the file type. We worked with our MAPP vendors to develop a tool that would quickly identify malicious files, and distributed it to our partners, even though we had already addressed the issue in a security update.
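    The two detection styles contrasted above (a parser that walks the file format and checks each element against the boundaries the guidance spells out, versus “guessing” a byte sequence from one crash sample) shown side by side on RTF input, as an added Python example that is not Microsoft’s MAPP tooling or the tool mentioned for MS10-087. The control-word bounds, sample files and literal signature are constructed for illustration and are not the trigger conditions of CVE-2010-3333 or any other real vulnerability.

```python
"""Parser-based detection versus literal byte matching for RTF input.

Illustrative example only: the control-word bounds and sample files below are
constructed for this demonstration and are NOT MAPP guidance or the trigger
conditions of CVE-2010-3333 or any other real vulnerability.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# An RTF control word is a backslash, ASCII letters, an optional signed integer
# parameter, and an optional single space that terminates the word.
CONTROL_WORD = re.compile(rb"\\([A-Za-z]+)(-?\d+)? ?")


@dataclass
class Finding:
    word: str      # control word (or "{" for a nesting finding)
    value: int     # parameter value (or nesting depth)
    offset: int    # byte offset of the element in the file
    reason: str


def scan_rtf(data: bytes, bounds: Dict[str, Tuple[int, int]],
             max_depth: int = 64) -> List[Finding]:
    """Walk the RTF byte stream the way structured detection guidance describes:
    track group nesting and check every control-word parameter against the
    (low, high) bounds supplied for that word. Returns one Finding per element
    that is outside its bounds, so a variant with different bytes but the same
    out-of-range value is still caught."""
    findings: List[Finding] = []
    depth = 0
    i, n = 0, len(data)
    while i < n:
        c = data[i:i + 1]
        if c == b"{":
            depth += 1
            if depth > max_depth:
                findings.append(Finding("{", depth, i, "group nesting exceeds limit"))
            i += 1
        elif c == b"}":
            depth = max(depth - 1, 0)
            i += 1
        elif c == b"\\":
            m = CONTROL_WORD.match(data, i)
            if m is None:
                # Control symbol such as \' \{ \} or \\: skip the backslash and
                # the single character it escapes so escaped braces are not
                # counted as groups.
                i += 2
                continue
            word = m.group(1).decode("ascii")
            if m.group(2) is not None and word in bounds:
                value = int(m.group(2))
                low, high = bounds[word]
                if not low <= value <= high:
                    findings.append(Finding(word, value, i,
                                            f"parameter outside [{low}, {high}]"))
            i = m.end()
        else:
            i += 1
    return findings


def literal_signature_hit(data: bytes, pattern: bytes) -> bool:
    """The 'guess which bytes crash it' approach: match one byte sequence copied
    from a single sample. Any variant that changes those bytes slips through."""
    return pattern in data


# Constructed inputs (not real samples). Bounds are hypothetical.
BOUNDS: Dict[str, Tuple[int, int]] = {"fs": (1, 1638), "level": (0, 8)}
BENIGN = b"{\\rtf1\\ansi{\\fonttbl{\\f0 Arial;}}\\f0\\fs24 Hello, \\{world\\}.\\par}"
SAMPLE_A = b"{\\rtf1\\ansi\\fs99999 out-of-range font size}"
SAMPLE_B = b"{\\rtf1\\ansi\\fs100000 same condition, different bytes}"
LITERAL = b"\\fs99999"   # a signature written from SAMPLE_A alone


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("sample A", SAMPLE_A), ("sample B", SAMPLE_B)):
        hits = scan_rtf(blob, BOUNDS)
        print(f"{name}: parser findings={len(hits)} literal={literal_signature_hit(blob, LITERAL)}")
        for f in hits:
            print(f"  \\{f.word}{f.value} at offset {f.offset}: {f.reason}")
```

    The literal signature matches sample A but misses sample B, while the bounds check flags both and stays silent on the benign document.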


    Risks and limitations

    We recognize that there is the potential for vulnerability information to be misused. In order to limit this as much as possible, we have strong non-disclosure agreements (NDAs) with our partners. Microsoft takes breaches of its NDAs very seriously. When partners do not successfully protect our intellectual property, we take action, which may include removing the partner from the program.

    In addition, we release data only shortly in advance of the security update. Before MAPP, vendors released detection hours to days after a security update shipped. Today we send MAPP data to partners only as far in advance as they need to do that work, so the protection is usually available at the time we release the update.

    But MAPP also has its limitations. For instance, MAPP does not protect against the exploitation of unknown, zero-day vulnerabilities. In order for MAPP to be effective, Microsoft must be aware of the vulnerability before it can distribute guidance to its MAPP partners.

    Additionally, MAPP is only useful to the degree that a product can actually protect against exploitation of the vulnerability. Network intrusion prevention vendors are not always best positioned to detect exploits for Office vulnerabilities, because the same document can be encoded in many different ways as it crosses the network. In the same vein, host-based anti-malware products are often not best positioned to protect against network-based exploits, such as the recent RDP vulnerability.

    We recommend our customers work closely with their protection vendors to understand the abilities and limitations of each individual product.


    The Value of MAPP

    We believe that helping to strengthen community-based defense is key to protecting customers. The MAPP program provides a critical head-start to defenders, while working to minimize risk.

    Microsoft is committed to helping customers by providing protection vendors across a wide variety of security industries with valuable protection information. The MAPP program is an important part of this strategy. While risk can never be completely eliminated, we believe the benefits of the program to our customers far outweigh the risks.


    Cheers!

    Maarten Van Horenbeeck
    Senior Program Manager, Microsoft Security Response Center

    BlueHat Prize entries: The final tally is… (https://blogs.technet.microsoft.com/ecostrat/2012/04/03/bluehat-prize-entries-the-final-tally-is/, Tue, 03 Apr 2012 17:54:00 +0000)
    Handle: k8e
    IRL: Katie Moussouris
    Rank: Senior Security Strategist Lead, Head of Microsoft’s Security Community and Strategy Team
    Likes: Cool vulns, BlueHat, soldering irons, quantum teleportation
    Dislikes: Rudeness, socks-n-sandals, licorice

    The entries are in! After a last-minute wave of fresh entries to the first-ever BlueHat Prize, the final count for this year’s contest stands at twenty qualified proposals. The final entry reached our inboxes at 11:51pm on April 1. (Unfortunately, a contest entry that arrived 17 minutes later, at eight minutes past midnight on April 2, had to be disqualified out of fairness to the others and to keep our competition in compliance with Washington State’s rules for such events.)


    And now? Now begins the hard and exciting part – evaluating the received entries. The BlueHat Prize Board now starts the judging process, examining, testing and discussing each entry. We expect some lively arguments and look forward to introducing the competition winners to the world at Black Hat in July. In the meantime, we truly thank everyone who delivered a contest entry, as well as everyone who spent time thoughtfully considering the issue.


    Talk to you in July –

    Katie Moussouris

    Senior Security Strategist, Microsoft Security Response Center.

    Peace Games – BlueHat Prize Update and Countdown (https://blogs.technet.microsoft.com/ecostrat/2012/03/26/peace-games-bluehat-prize-update-and-countdown/, Mon, 26 Mar 2012 11:55:00 +0000)
    In the film WarGames, an artificial intelligence program named Joshua asked the main character, a teenage hacker, the now famous question, “Shall we play a game?” When Microsoft announced the BlueHat Prize at the Black Hat Briefings in Las Vegas last summer, we asked a different question of the security researchers of the world, focused on defense.

    Microsoft is offering over $250,000 in cash and prizes to security researchers who submit the best new security defense technology that meets the contest criteria. The top prize is $200,000 in cash, and the “mad loot” still could be yours!

    With just under a week left in the entry period for the contest, which closes April 1, security researchers still have time to enter the competition to win the first and largest prize a vendor has offered for security defense research.

    The ability to defeat the latest exploit mitigation technologies on various platforms is an extremely rare skill, as several existing competitions focused on vulnerability exploitation have shown. Taking that knowledge a step further, to help design new or enhanced mitigation technologies that defend against exploit techniques such as heap spraying or Return Oriented Programming (ROP), was a challenge we hoped would garner at least as much interest.

    The BlueHat Prize contest has exceeded our expectations for participation. So far we’ve had ten entries to the competition, the last four of which arrived over the past couple of weeks – an impressive showing, considering the difficulty of the problem we posed and the very small estimated number of individuals worldwide who possess the knowledge and expertise to seriously compete.

    The entries cover a wide variety of ideas designed to help defend against different exploitation techniques, and it’s been great to see fresh insight into these technical areas. We’ve also been excited to see who the contestants are who have chosen to compete for the prize – some of them are security researchers with great track records in the security community, some are from academia, and some are from other venues altogether.

    For those beautiful minds who have yet to enter their ideas for the contest, here are some highlights from the official rules:

    – Complete entries must be received by midnight Pacific Time April 1, 2012.

    – Complete entries must include a verbal description of the idea in English, as well as prototype code to show the exploit mitigation idea in action.

    – For an entry to be valid, one of the criteria is that it should not be public at the time of entry (i.e., it must be new). However, a valid entry can be a new improvement on existing exploit mitigation techniques.

    – If you have more questions, see the FAQ on the BlueHat Prize website or, if you don’t see your question answered there, contact the BlueHat Prize team.

    With over $250,000 in cash and prizes on the line, we are excited that the first BlueHat Prize contest has already garnered great participation. One of my favorite quotes is from the great hockey player Wayne Gretzky, and it applies here for sure: “You miss 100% of the shots you don’t take.”

    So, shall we play a game?

    -Katie Moussouris

    Senior Security Strategist, Microsoft Security Response Center

    Follow Katie on Twitter.
