TechNet UK

Useful tools, tips & resources for IT professionals including daily news, downloads, how-to info and practical advice from the Microsoft UK TechNet team, partners and MVPs

September, 2013

UK TechNet Flash Newsletter
Featured
  • Common Uses & Examples of Automation

      By David Allen, Microsoft System Center MVP.

    IT process automation is the ability to orchestrate and integrate tools, people and processes through a workflow. Automation benefits include reduced human error, faster response to problems and more efficient allocation of resources.

    By increasing the levels of automation and eliminating common, repetitive tasks, companies can reduce operational costs, as well as reduce the amount of specialized staff needed to manage their systems. This also means highly skilled IT professionals can be freed up to manage more strategic company projects and initiatives, and ultimately provide a higher quality of service to the business. Although automation meets these business objectives of reducing costs, increasing productivity, and maximizing efficiency, the biggest concern is integration between applications and infrastructures. Automation should be a best practice in most organizations, as it will assist in managing and integrating across increasingly complex infrastructures.

    Below are three common uses & examples of IT automation that save time and money in the data centre:

    1. Self Service

    Although self-service isn’t a specific example of automation, it is a very important offering that is driven by automation. As processes become automated, the next logical step is to provide a portal for end-user self-service, which will further reduce the amount of time required by IT staff and further the reduction in cost.

    The Windows Azure Pack for Windows Server provides a portal, consistent with Azure, that gives users a single view of the self-service services available within the data centre, from a service provider, or from Windows Azure.


    Figure 1 - Windows Azure Pack

    The Windows Azure Pack, once implemented, provides the portal as shown in the image above. This portal allows administrators to define self-service services that are available to users, whether they be virtual machine, website or database provisioning. The real power of Windows Azure Pack for Windows Server though is in its extensibility, as the portal can be easily updated to include any company specific automated processes, such as application or user provisioning.

    2. Virtual machine provisioning

    In today’s virtual world, the provisioning, and de-provisioning, of virtual machines is commonplace, and many hours are spent following the business processes for this to occur and technically performing the work required. However, in most scenarios, the provisioning and de-provisioning of a virtual computer can be automated, and with System Center 2012 it’s not only possible to achieve this for single computers, but for multiple computers as part of an application; the deployment of multiple virtual computers, with different configurations, based on a template, can be fully automated.


    Figure 2 - System Center Virtual Machine Manager Service Template

    A service template, as shown above, defines the configuration of a service. The service template includes information about the virtual machines that are deployed as part of the service, which applications to install on the virtual machines, and the networking configuration needed for the service. A great example is shown in the image above, where there is a SQL Server provisioned with a number of DAC packages applied, a middle tier computer configured with an application delivered by Server App-V, and a web tier computer with the required roles and features enabled, and all communicating on the same network.

    3. New User Provisioning

    The provisioning of new user accounts in Active Directory is usually a very repeatable task, which over a length of time can consume a large number of work hours. By automating this basic task, accounts can be created in a reliable and standardized way, and resources can be freed up for other, more important IT tasks.


    Figure 3 - System Center Orchestrator Runbook

    This example is one that can be extended to provide far more functionality than simply creating a user account and mail-enabling the user. Some great examples of automated user provisioning have included setting group memberships based on department, generating a random password and emailing it to the manager, setting network access permissions, setting an expiry date, and assigning the account to the relevant group or organisational unit.

    The above are three common examples of automation, and for each there will be more than one way to achieve the desired outcome. With the use of Microsoft Windows Server and System Center, automation can be provided not only across the Microsoft stack of products, but also across the majority of third-party products, with out-of-the-box integration into VMware ESX and XenServer, support for cross-platform operating systems, and integration into HP, IBM, CA, BMC and other vendor applications. This diversity provides everything required to implement automation in almost any data centre, as you do not have to have all the System Center products deployed; automation can still be achieved if a CA product is used for service management, for example.

    In summary, automation helps to automate, integrate, and orchestrate operational processes across multiple data, departmental, and application silos. Using System Center for automation can enable and enforce best practices in an IT organization and help align IT services with business objectives through repeatable, reliable, and standardized best practices. However, it must be remembered that having great tools available will not make bad process better. It is important to make sure the business processes are fit for purpose before automation of the process is attempted.

    So, where to start? Well, initiatives such as ITIL outline best practices for all IT activities, and the service support areas of ITIL (incident, problem, configuration, change, and release management) make up the daily operational tasks within IT. As ITIL best practices continue to be implemented, this is a good place to start with automation, since these are usually the most critical areas of IT operations.

    Find out more information on Windows Azure Pack for Windows Server, Windows Server and System Center.

  • Tech.Days Windows Server 2012 IT Camps

    The Microsoft UK IT Pro Team are back on the road this October delivering IT Camps to venues up and down the UK. These days proved to be incredibly popular last year, introducing IT pros across the UK to Windows Server 2012 and giving them the chance to get hands-on in just a day.

    If you haven’t been to a camp before, they are day-long, hands-on interactive events where you can talk to industry colleagues and discuss the technology with Microsoft experts Andrew Fryer and Simon May, as well as some special guests.

    This season’s camps will focus on virtualisation, since we know that many virtualisation admins are being asked to investigate Hyper-V with little (or no) training. If you’re really new to virtualisation on a Microsoft platform then Andrew and Simon can assist you to transfer your skills, but since this is a fast paced day you’ll need to know the basics. Check out ‘Why Microsoft’ for virtualisation beforehand.
    These hands-on sessions will give you an introduction to Windows Server 2012 and System Center 2012 Virtual Machine Manager as well as other parts of the System Center suite.
    The agenda will be set by you – so you should come with questions, but some of the topics that are likely to be covered include:

    • Understanding the Windows Server 2012 Fabric
    • Getting to HA, DR with multiple processors
    • Software Defined Networking
    • Software Defined Storage
    • Managing heterogeneous servers and services

    We’ve worked really hard to keep this a zero-fee event and places usually go fast. With limited spaces, it’s important to sign up well in advance! If for any reason you can’t attend then please let us know, as your non-attendance will stop someone else from attending.

    Just a quick note: we will not be covering anything around device management through System Center Configuration Manager 2012, Identity Access and Protection in Windows Server 2012, going deep on AD, or spending time talking about client devices.

    See the list below to find out whether we have a camp near you!

    The UK IT Pro Team

    Events

    • London, 28 October – Cardinal Place (Use code: C0ADCC)
    • London, 29 October – Cardinal Place (Use code: A177D1)
    • Birmingham, 13 November – Maple House (Use code: FBD204)
    • Birmingham, 14 November – Maple House (Use code: 73B973)
    • Glasgow, 27 November – St Vincent Street (Use code: 75BE2F)
    • Glasgow, 28 November – St Vincent Street (Use code: D1AB6C)

    Register now using the code for the camp you want to attend.

  • Become an IT transformer: Create a battle plan

      By Asavin Wattanajantra, writer at Metia.

    In a busy IT department it can be difficult to think about long-term planning. But there are (rare!) times when you've successfully fought all the fires you need to that day and you’ve freed some time to strategically plan; to really think about how to make your organisation’s technology run more smoothly. Here are some activities for all the time you free up, all of which could make your job much easier in the long run.

    Assess your IT

    If it's been a while since you reviewed your technology, your business may have already outgrown its software and hardware. Have a look at where you can make changes. Questions you could ask include:

    • How long are your employees spending on basic tasks?
    • How many people are using your network?
    • Are your newer applications running properly?
    • Is your hardware and software keeping pace?
    • Do your systems comply with security and compliance regulations?

    Find ways of saving money

    Although the economy is improving, budgets are tight. That's why you may have to think about cloud computing, which moves resources outside of the business. This means you can reduce the burden on your IT, spread your costs, and instantly upgrade. Think about software such as Office 365, which provides business-class work tools for a monthly subscription.

    Virtualisation could be an option, which allows you to use less system hardware and extend its lifetime. You can also reduce management and maintenance costs, while more efficient servers make it easier to deploy software so your business becomes more agile. Windows Server 2012 may be a good choice if you're heading down this road – it has built-in virtualisation technology. 

    Get the right expertise in

    Sometimes it pays to get in the experts. If you suspect your business will find it difficult to perform a full-scale upgrade by itself, then it could make sense to bring in a reseller which does. Reputable resellers will help you pick the hardware and software suitable for your business, with little downtime. They can:

    • Reduce additional costs
    • Realise business benefits
    • Ensure business continuity
    • Provide technical knowledge and experience

    Look into the future

    Is it time to upgrade your systems? Sometimes it’s a necessity. IT departments running Windows XP are going to have major problems from next April as support is ending, leaving them without required security patches from that date forwards. IT managers need to seriously consider its replacement, such as Windows 8, and be ready for a touchscreen and Bring Your Own Device (BYOD) future.

    Any purchases or upgrades you make need to fit into your long-term IT strategy. You should understand the big picture. IT is such an important part of any business that any decisions you make will cause ripples from top to bottom. Of course, doing nothing is always an option, but do you want to take that risk?

  • Empowering End Users via Automation

      By Jeremy Thake, VP of Global Product Innovation at AvePoint Inc.

    You’ve got your Microsoft SharePoint deployment up and running, and your SharePoint admins have spent countless hours tidying things up to ensure your infrastructure architecture is under control. But there has to be an easier way to keep your SharePoint running at an optimal level without devoting the IT man-hours, right? Well there is – through automation.

    An enterprise platform like SharePoint allows individuals to get together and share information in a container (a room, site, bucket, etc.). This container will have a lifecycle from the time it’s provisioned to the time it’s deprovisioned, and guess what - provisioning a new container is a task that can be automated too. But there are a host of other events that occur during the lifecycle that can be automated and taken off the plate of your IT department.

    Here’s my top 10 SharePoint automation list:

    1) Self-service granting/removing access – The most common task a container will go through is the granting of permissions and removing of permissions to that container so users can be part of the collaboration.

    2) Self-service transferring/cloning access – The ability to transfer permissions from one individual to another or give someone the same permissions as another user is a very common scenario.

    3) Self-service onboarding content – When containers get created, often there is content that already exists in file shares, on local drives, and in people’s My Sites that needs to be moved into the new container.

    4) Self-service change business contact – Typically a business contact might change during its life, either due to people changing roles and responsibilities or leaving the organisation. Keeping track of who is accountable for the container is one of the most important points as they go through the lifecycle.

    5) Self-service deployment of customisations – Customisations such as branding, content types/document types, extra functionality, or apps being added.

    6) Self-service archiving of container – Often business contacts will want to clean up existing containers where information created more than three years ago, and not accessed or modified since, can be archived off to the Enterprise Archival System, deleted completely, or simply marked as an archived area.

    7) Scheduled lease renewal of container – All containers will need to be deprovisioned at some point. The business contact is contacted on a scheduled basis and asked whether they still require the container.

    8) Scheduled inactivity alerts of container – With all containers, sometimes they will go dormant and unused for a while. This is a good opportunity to reach out to the business contact through a scheduled alert to find out if they really still need the site.

    9) Scheduled security audit recertification – This is especially important in financial services or public sector industries. This is a scheduled alert to the business contact who is accountable for a container to recertify that the people who have access to the content should have access.

    10) Scheduled archiving of old content – As well as self-service cleanup, scheduled archiving profiles can clean up proactively rather than waiting for business contacts to keep them accurate and up to date with quality content.

    By automating these tasks, you’re taking the burden off of your IT department to manually perform each one, while empowering the end user to take some control of their own content. This will allow your IT department to spend their time on more important issues, while still ensuring that your SharePoint deployment stays neat and tidy.


    About the Author:

    As AvePoint’s Vice President of Global Product Innovation, Jeremy utilises his software consulting, development, and architect experience as well as his deep expertise in Microsoft technologies – recognised as a Microsoft SharePoint MVP since 2009 – to educate the global SharePoint community. Jeremy also works directly with enterprise customers and AvePoint’s research & development team to develop solutions that will set the standard for the next generation of collaboration platforms, including Microsoft SharePoint 2013.

  • #TechNetTidy – The good, the bad and the dangerous.

    Last month, we at Microsoft were acting on our monthly theme of sprucing up over the summer.

    I personally was cleaning in and around my desk, which seemed to be a larger job than first thought, mostly down to the jungle of warped wires which had accrued between my monitor, laptop and other desk appliances.

    This being just around the same time we were thinking of competition ideas we could run to provide you guys and girls a few freebies, the #TechNetTidy idea was born.

    A small fun competition kicked off through our social channels this month, giving you the chance to share with us and the world wide web an insight into your technical room heaven or hell, and of course to win a few Microsoft goodies along the way.

    Two awards were up for grabs:

    1. The not so tidy - ‘Chaotic Cabled Colin’.

    2. The perfectly organised - ‘Super Server Sammy’.

    Type 1 - Chaotic Cabled Colin
    Type 2 - Super Server Sammy

    The results for this month are in *Drum Roll Optional*…

    Firstly, a big shout out to all who entered; we had some great entries this month - fewer super servers than we expected, more server room nightmares. An honourable mention goes out to this month’s mascot 'Dangerous Brian'.

    However, after much thought and consideration we agreed upon this month’s winners.

    Chaotic Cabled Colin – Andy Roberts
    Super Server Sammy – TechCare UK

    Congratulations, an exclusive #TechNetTidy T-shirt and award-related goodies are on their way out to both of you in the post.

    Anyone who has entered the competition thus far, don’t fear as #TechNetTidy will continue next month, there is still plenty of time to win exclusive goodies, whilst also sharing your server room heaven or hell with us and the TechNet audience.

    To find out how you can get involved, or to check out our rules and T&C’s, click here.


  • IT security firestarters and how to manage them

      By Asavin Wattanajantra, writer at Metia.

     When we’re talking about fire risk in IT, security is the tinder dry forest waiting for a wayward spark. While it’s great to have the tools and processes in place to put out fires and minimise their impact when they inevitably start, prevention is always better than cure.

    If you can stop the fires starting in the first place, you’ll have more time to focus on the business, comfortable in the knowledge that systems are secure.

    Windows 8.1 has numerous features to help ensure that the risk of a security-related fire starting in your business is minimised. Here are five of the top risks and how Windows 8.1 can help:

    1. Risky personal devices

    Windows 8.1 is part of our quest to make sure that as many devices as possible, both enterprise and consumer, have the tools that make life a whole lot easier for IT administrators.

    Windows 8.1 continues the trend of building security devices or chips with cryptography functions into laptops – a Trusted Platform Module (TPM) can make hardware ready out-of-the-box for Bring Your Own Device (BYOD) requirements. TPM 2.0 is required for all connected standby (InstantGo) devices, which Windows 8.1 is designed for.

    2. Devices without encryption

    Whether it's due to a mistake by an employee or the work of an opportunist thief, there's always a chance of IT equipment going missing. A criminal might get more use out of financial details held in an Excel spreadsheet than from the stolen laptop itself.

    BitLocker Drive Encryption prevents criminals from accessing confidential information by scrambling the data on entire volumes. With Windows 8.1 there is BitLocker support for device encryption on x86 and x64-based computers, with a TPM that supports InstantGo.

    3. Corporate data leakage

    Encryption is good, but control is better. Windows 8.1 wipes corporate content from a device if needed, while keeping personal data untouched.

    Workplace Join gives employees access to enterprise files from their device, but restricts access to the whole system. By giving them permissions, they can only work with the files they've been briefed to work with.

    4. Forgotten passwords

    We know passwords can be hard to remember. For simplicity people often use the same password for every login. But in making life easier they also create a significant security risk. Biometrics solves the issue: a unique identifier that can’t be forgotten or stolen.

    We now support biometric security devices with fingerprint readers running Windows 8.1. Every time a user sees a Windows credential prompt, they can use biometrics, thereby eliminating the need for a password for secure sites and in-app user account validations.

    5. Malware

    IT departments wage a daily war against ever-evolving viruses, worms, Trojans and other malware. Windows 8.1 has been battle-hardened with enhancements. Improved Windows Defender offers real-time protection against threats, with high-performance monitoring that can detect bad behaviours in the memory, registry or file system, before signatures are even created.

    Be ready

    As every firefighter knows, we’re never going to reduce the risk of fires starting to zero. We need to expect them to happen and be ready to respond quickly when they do. But steps can be taken to minimise the likelihood of security being breached in the first place, and Windows 8.1 gives you the tools that mean you’ll be able to get on the front foot.

  • After Hours - Canon EOS talking to a Surface Pro over wifi

    Please note: this is an after-hours post, specifically about connecting a Canon EOS 6D to Windows 8/8.1. I have written it for two reasons: so I can remember how to do it, and because you might need to do something like this for a camera enthusiast you know who isn’t a networking guy.

    Canon have made it relatively easy to connect the new EOS 6D, 70D etc. to your Android or iOS device and to a wifi hotspot to which your PC/laptop is connected. However, what I wanted to do was to configure Windows 8 as an ad hoc wireless connection point so I could remote shoot via wireless from my Surface Pro anywhere I happened to be; jungles, mountains, and the various events I go to. However, Windows 8 doesn’t have a UI for this anymore, so you need to run a couple of netsh commands from an elevated prompt to get this working:

    netsh wlan set hostednetwork mode=allow ssid=MyWIFI key=MyPassword

    netsh wlan start hostednetwork

    ..where MyWIFI is the wireless network name you want and MyPassword is the password to connect to it. What this does is add a new adapter to Network Connections..


    In my case I renamed my connection to Canon, and also note that Deep6 has a three after it as I tried this a few times! Another thing you may see on forums is that you need to set up sharing when creating connections like this, and that’s only true if you want to do the old Internet Connection Sharing. I don’t need to do this for this scenario, which is just as well, as our IT department have prevented me from doing this in Group Policy.

    On my Canon EOS 6D I need to enable wifi..

    then set it up by selecting the wifi function, which is now highlighted. From here I want to set up a C connection, which is the Remote Control (EOS Utility) option..


    I have already done this a few times..


    so to set up a new connection I choose unspecified. Now I need to find the network I created on my Surface Pro by finding a network..


    My ad hoc network is called Deep6 as opposed to FAF which is my home wireless network..


    my key is in ASCII so I select that on the next screen and then I get this dialog to enter my password ..


    Note you have to use the Q button on the back of the camera to enter the text window. I am asked about IP addresses; I select automatic, as my wireless network will do that for me. Then I can confirm I want to start pairing devices..


    and then I will see this..


    I can now check that my 6D is talking to my new wireless access point (which I have called Deep6)..


    as you can see I have one device connected.

    So now I can use the supplied Canon software, the EOS Utility, to control my camera. Or so I thought, only all the control options are greyed out. This is because you need to change the preferences to install and configure the WFT utility, which detects your Canon and allows you to control it. To do this, select the option ‘add WFT pairing software to the startup folder’..


    You’ll then get a little camera icon in your system tray, and when your Canon is connected it’ll pop up this window..


    click connect and  you’ll see an acknowledgement and confirmation on the camera..


    in my case my Surface is called Vendetta. I click OK, and I am good to go and the camera saves the settings for me, which is great and in fact I can save 3 of them. In my case I have saved my surface connection and FAF to connect to my home wireless router.

    The Canon EOS Utility will now work..


    Now I can start to have fun with this setup and my shots get saved to my Surface Pro..


  • Mevade and Sefnit: Stealthy click fraud

    Recently Trojan:Win32/Mevade made news for being the first large botnet to use Tor to anonymize and hide its network traffic. Within a few weeks, starting mid-August, the number of directly connecting Tor users increased by almost 600 percent - from about 500,000 users per day to more than 3,000,000.

    Last week we concluded, after further review, that Mevade and Sefnit are the same family and our detections for Mevade have now been moved to join the Sefnit family.

    Win32/Sefnit is a well-known family which includes a component capable of performing click fraud. From our observations in the wild, this particular component disappeared near the end of 2011. In June 2013 we discovered a new click fraud component which we originally classified as Mevade.  

    Despite its recent notoriety due to the Tor activity, there is still a bit of mystery around how the latest version of Sefnit is spreading and the monetization techniques it uses.

    In this blog I’ll be going into a bit more detail on the new stealthy click fraud technique used and how it has contributed to Sefnit being largely undetected by AV vendors for the last couple of years. Additionally, we will discuss a few of the attack vectors used by the Sefnit authors to deliver the latest version of the malware.

    Interestingly, TrendLabs now believe they have identified the online identities of the actors behind the threat.

    An interconnected threat

    The Sefnit threat is composed of multiple components dedicated to different tasks. Among the observed samples, we have identified three distinct components. Figure 1 illustrates what is known currently about how these components interconnect as well as their intended purpose. Figure 2 provides sample references.


    Figure 1: The Sefnit malware structure

    Figure 2: Known Trojan:Win32/Sefnit components (the SHA1 sample subsets from the original table are not reproduced here)

    Component: Updater and Installer Service
      Detection: Trojan:Win32/Sefnit.AU
      Service name: "Adobe Flash Player Update Service"

    Component: Click Fraud Service
      Detection: Trojan:Win32/Sefnit.AS
      Service names: "Trusted Installer", "Bluetooth LE Services Control Protocol"

    Component: Peer-to-peer File Seeding Service and More
      Detection: Trojan:Win32/Sefnit.AT, Trojan:Win32/Sefnit.gen!D
      Service name: "Windows Internet Name Service"

    Component: Software Bundlers
      Detection: Trojan:Win32/Sefnit.AU
      Service name: n/a

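    As an added triage example (not code from the Microsoft post or from MMPC tooling), the script below takes a Windows service inventory and flags services that register under one of the display names in Figure 2 while running from outside the Windows install tree, so a genuine Flash updater or WINS service with the same display name is not reported. The inventory rows and the list of trusted directories are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass

# Service display names the Sefnit components registered under (Figure 2).
SEFNIT_SERVICE_NAMES = {
    "adobe flash player update service",
    "trusted installer",
    "bluetooth le services control protocol",
    "windows internet name service",
}

# Assumption for this example: a service carrying one of those names is only
# expected to run from the Windows install tree; anything else is worth a look.
TRUSTED_ROOTS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\servicing",
)


@dataclass
class ServiceRecord:
    """One row of a service inventory (as exported from sc query or WMI)."""
    name: str          # short service name
    display_name: str  # display name shown in services.msc
    image_path: str    # raw ImagePath, may be quoted and carry arguments
    start_mode: str    # Auto / Manual / Disabled


def normalize_name(display_name):
    """Lower-case a display name and drop stray straight or curly quotes."""
    cleaned = display_name.strip().strip('"\u201c\u201d')
    return re.sub(r"\s+", " ", cleaned).lower()


def binary_dir(image_path):
    """Return the lower-cased directory of the executable in a raw ImagePath."""
    m = re.match(r'\s*"?([^"]+?\.exe)', image_path, re.IGNORECASE)
    exe = (m.group(1) if m else image_path).strip().lower()
    return exe.rsplit("\\", 1)[0] if "\\" in exe else ""


def is_trusted_location(image_path):
    """True when the binary lives under one of TRUSTED_ROOTS."""
    d = binary_dir(image_path)
    return any(d == root or d.startswith(root + "\\") for root in TRUSTED_ROOTS)


def triage_services(records):
    """Return [(service name, reason)] for services that use a Sefnit display
    name but run from outside the Windows install tree."""
    findings = []
    for rec in records:
        if normalize_name(rec.display_name) not in SEFNIT_SERVICE_NAMES:
            continue
        if is_trusted_location(rec.image_path):
            continue  # genuine service that happens to share the display name
        reason = "display name '%s' with binary in %s (start=%s)" % (
            rec.display_name, binary_dir(rec.image_path), rec.start_mode)
        findings.append((rec.name, reason))
    return findings


# Constructed inventory for the example (not real samples): two legitimate
# services and two that reuse Figure 2 names from user-writable directories.
SAMPLE_INVENTORY = [
    ServiceRecord("AdobeFlashPlayerUpdateSvc", "Adobe Flash Player Update Service",
                  r"C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe", "Manual"),
    ServiceRecord("WINS", "Windows Internet Name Service",
                  r"C:\Windows\System32\wins.exe", "Auto"),
    ServiceRecord("FlashUpdate", "Adobe Flash Player Update Service\u201d",
                  r'"C:\ProgramData\Updater\update.exe" -service', "Auto"),
    ServiceRecord("btlesvc", "Bluetooth LE Services Control Protocol",
                  r"C:\Users\Public\svc\btle.exe", "Auto"),
]

if __name__ == "__main__":
    for name, reason in triage_services(SAMPLE_INVENTORY):
        print(name + ": " + reason)
```

    A signer check on the flagged binaries is the natural next step, since a lookalike name from a system directory would still pass this path test.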

    Sefnit’s stealthy new click fraud methodology

    The new Sefnit click fraud method is a departure from the method previously used back in 2011. This new, stealthier methodology is believed to be largely responsible for Sefnit being able to evade AV vendor detection during the last couple of years.

    The old version of Sefnit relied on click hijacking for performing click fraud. When an infected user was browsing the internet and clicked on a search engine result (such as from Google), sometimes the clicks would be hijacked to travel through advertising agencies to a similar webpage as the intended destination. These clicks are generally considered quite high-value and are hard to detect from an anti-fraud perspective.

    Although this is very stealthy from an advertising agency anti-fraud data analytics perspective, it is not stealthy for the user whose click was hijacked. If detection was missing, some observant users would realize they did not land at the intended website, investigate the cause, and submit samples to antimalware researchers for detection. As a result this always brought attention to the malware.

    In 2011, the Sefnit authors were observed to have stopped releasing new versions of the component responsible for this click hijacking and consequently were later believed to no longer be active in the wild. At the end of June 2013, we rediscovered Sefnit using a new click fraud strategy.

    The Sefnit click fraud component is now structured as a proxy service based on the open-source 3proxy project. The botnet of Sefnit-hosted proxies is used to relay HTTP traffic that simulates clicks on advertisements.

    In this way, the new version of Sefnit exhibits no clearly visible user symptoms that would bring attention to the botnet. This allowed its authors to evade attention from antimalware researchers for a couple of years. The figure below illustrates how the hosted 3proxy servers are used to relay Internet traffic through the botnet clients to perform a fake advertisement click.


    Figure 3: The Sefnit botnet uses the hosted 3proxy servers to redirect internet traffic and perform fake advertisement clicks

    A recorded example of this click fraud path is shown below by using the legitimate affiliate search engine mywebsearch.com to simulate a search for "cat" and fake a click on an advertisement provided by Google to defraud the advertiser Groupon.


    Figure 4: The landing page for a click fraud instance

    The end result is Groupon paying a small amount of money for this fake advertisement "click" to Google. Google takes a portion of the money and pays the rest out to the website hosting the advertisement – mywebsearch. The Sefnit authors likely signed up as an affiliate for mywebsearch, resulting in the Sefnit criminals then receiving a commission on the click.

    The Sefnit authors avoid raising red flags on their advertisement affiliate accounts by preceding each click fraud incident with a large time gap and simulated normal user Internet browsing behaviour.

    From our observations, the interval between click fraud incidents is several days or longer. If the trojan simulated fake advertisement clicks too quickly, the anti-fraud team within the advertising agency would be able to detect the fraud, cancel the payout to the affiliate, and return the money to the defrauded advertisers.
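    The two signals the post says an advertising agency's anti-fraud team relies on, click rate per source and whether a click was preceded by ordinary browsing, can be checked with a few lines over an affiliate click log. The following is an added example, not MMPC code or anything from the Sefnit samples; the log format (`timestamp,affiliate,client_ip,event`), the sample log lines and the thresholds are all constructed assumptions.

```python
"""Rate- and session-based anti-fraud check over an affiliate click log.

Added example, not MMPC or Sefnit code. Log format and thresholds are assumptions:
each line is `timestamp,affiliate,client_ip,event`, where event is 'view'
(a page view in the browsing session) or 'click' (an advertisement click).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample log (not real traffic). 'aff-burst' clicks every few seconds
# from one client with no browsing; 'aff-slow' clicks once every few days, each
# click preceded by ordinary-looking page views, as described for Sefnit.
SAMPLE_LOG = """\
2013-06-28T09:00:00,aff-burst,10.0.0.5,click
2013-06-28T09:00:04,aff-burst,10.0.0.5,click
2013-06-28T09:00:09,aff-burst,10.0.0.5,click
2013-06-28T09:00:15,aff-burst,10.0.0.5,click
2013-06-28T09:00:20,aff-burst,10.0.0.5,click
2013-06-25T11:00:00,aff-slow,10.0.0.7,view
2013-06-25T11:01:30,aff-slow,10.0.0.7,view
2013-06-25T11:02:45,aff-slow,10.0.0.7,click
2013-06-29T16:10:00,aff-slow,10.0.0.7,view
2013-06-29T16:12:00,aff-slow,10.0.0.7,click
"""

MIN_CLICK_GAP = timedelta(minutes=10)   # assumed: tighter per-client spacing looks automated
SESSION_WARMUP = timedelta(minutes=30)  # assumed: a click with no page view this recently is "cold"
COLD_CLICK_RATIO = 0.5                  # assumed: flag an affiliate if most of its clicks are cold


def parse_log(text):
    """Parse the CSV-style log into (timestamp, affiliate, client_ip, event), time-ordered."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, affiliate, ip, event = line.split(",")
        events.append((datetime.fromisoformat(ts), affiliate, ip, event))
    events.sort()
    return events


def analyse(events, min_gap=MIN_CLICK_GAP, warmup=SESSION_WARMUP, cold_ratio=COLD_CLICK_RATIO):
    """Return {affiliate: [reasons]} for affiliates whose click pattern looks automated."""
    clicks_by_source = defaultdict(list)  # (affiliate, ip) -> click timestamps
    last_view = {}                        # (affiliate, ip) -> most recent page view
    clicks = defaultdict(int)
    cold_clicks = defaultdict(int)
    for ts, affiliate, ip, event in events:
        key = (affiliate, ip)
        if event == "view":
            last_view[key] = ts
            continue
        clicks[affiliate] += 1
        clicks_by_source[key].append(ts)
        prev = last_view.get(key)
        if prev is None or ts - prev > warmup:
            cold_clicks[affiliate] += 1

    findings = defaultdict(list)
    # Signal 1: clicks from one client arriving faster than a person would click.
    for (affiliate, ip), stamps in clicks_by_source.items():
        if len(stamps) < 2:
            continue
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        gap = median(gaps)
        if gap < min_gap:
            findings[affiliate].append(f"{ip}: {len(stamps)} clicks, median gap {gap}")
    # Signal 2: clicks not preceded by any browsing in the same session.
    for affiliate, n in clicks.items():
        if cold_clicks[affiliate] / n > cold_ratio:
            findings[affiliate].append(f"{cold_clicks[affiliate]}/{n} clicks with no preceding page view")
    return dict(findings)


if __name__ == "__main__":
    for affiliate, reasons in analyse(parse_log(SAMPLE_LOG)).items():
        print(affiliate, reasons)
```

    Only `aff-burst` is reported; `aff-slow` passes both checks, which is exactly the post's point: a multi-day gap plus simulated browsing, spread across many infected clients, leaves per-source rate and session checks nothing to see. What remains for the anti-fraud side is correlation across clients (the same search terms, referrers and landing pages recurring from unrelated IP addresses), which the post describes only at the level of the affiliate payout trail.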

    Delivery by File Scout

    We have been able to identify some of the infection vectors for the new version of Sefnit. One of the prominent methods is an installer for an application called "File Scout." When this application is installed, it will also install Trojan:Win32/Sefnit silently in the background:


    Figure 5:  File Scout installer that silently installs Trojan:Win32/Sefnit at the same time

    The installed File Scout application is a tool that replaces the standard "Open with" dialog for unrecognized files with a new dialog:


    Figure 6:  File Scout replacement for the "Open with" dialog

    There is evidence suggesting that this File Scout application is developed by the Trojan:Win32/Sefnit developers. Specifically, it expects a similarly formatted XML structure for the C&C download-and-execute commands, both applications are distributed together, and the two applications were compiled 15 minutes apart with the same compiler.
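    The "compiled 15 minutes apart with the same compiler" observation comes from the PE header: the COFF `TimeDateStamp` and the linker version bytes at the start of the optional header. The following is an added example of reading and comparing those fields, not MMPC tooling; the two inputs are constructed stub headers, not the Sefnit or File Scout binaries, and the fictional linker version 10.0 and the 15-minute offset are assumptions chosen to mirror the post.

```python
"""Compare PE build metadata of two samples: COFF TimeDateStamp and linker version.

Added example, not MMPC code. The two inputs are constructed stub headers, not the
real Sefnit or File Scout binaries; the 15-minute offset mirrors the post's observation.
"""
import struct
from datetime import datetime, timezone

PE_SIGNATURE_OFFSET = 0x3C    # e_lfanew lives here in the DOS header
COFF_HEADER_FMT = "<HHIIIHH"  # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
                              # NumberOfSymbols, SizeOfOptionalHeader, Characteristics


def build_pe_stub(timestamp, linker_major, linker_minor):
    """Constructed minimal PE image: DOS header, 'PE\\0\\0', COFF header, start of optional header."""
    e_lfanew = 0x80
    dos_header = (b"MZ" + b"\0" * (PE_SIGNATURE_OFFSET - 2)
                  + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack(COFF_HEADER_FMT, 0x014C, 1, timestamp, 0, 0, 0xE0, 0x0102)
    optional = struct.pack("<HBB", 0x010B, linker_major, linker_minor).ljust(0xE0, b"\0")
    return dos_header + b"PE\0\0" + coff + optional


def pe_build_info(data):
    """Extract the build timestamp and linker version from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, PE_SIGNATURE_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = struct.unpack_from(COFF_HEADER_FMT, data, e_lfanew + 4)
    timestamp = coff[2]
    # Optional header follows the 20-byte COFF header: Magic, MajorLinkerVersion, MinorLinkerVersion
    magic, major, minor = struct.unpack_from("<HBB", data, e_lfanew + 24)
    if magic not in (0x010B, 0x020B):  # PE32 / PE32+
        raise ValueError("unexpected optional header magic")
    return {
        "compiled_at": datetime.fromtimestamp(timestamp, timezone.utc),
        "linker": (major, minor),
    }


def compare_builds(data_a, data_b):
    """Seconds between the two samples' build stamps and whether the linker versions match."""
    info_a, info_b = pe_build_info(data_a), pe_build_info(data_b)
    delta = abs(info_a["compiled_at"] - info_b["compiled_at"])
    return {
        "seconds_apart": int(delta.total_seconds()),
        "same_linker": info_a["linker"] == info_b["linker"],
    }


# Constructed inputs: two stubs stamped 15 minutes apart by the same (fictional) linker 10.0.
SAMPLE_A = build_pe_stub(1371200000, 10, 0)
SAMPLE_B = build_pe_stub(1371200000 + 15 * 60, 10, 0)

if __name__ == "__main__":
    print(compare_builds(SAMPLE_A, SAMPLE_B))
```

    `TimeDateStamp` can be zeroed or set to anything by the build, and a shared linker version is common to every binary produced by the same toolchain, so on their own these fields are weak; they corroborate the stronger evidence the post lists (the shared C&C XML format and co-distribution) rather than establish authorship by themselves.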

    Similarly, Trojan:Win32/Sefnit bears code similarity to some InstallBrain software bundler installers, such as the same string encryption algorithm and the same packer.

    We have also seen Trojan:Win32/Sefnit spread through the eMule peer-to-peer file network.

    Downloading and running files from any peer-to-peer network as well as downloading applications from untrusted sources puts you at a high risk of being infected by malware.

    This latest version of Sefnit shows that its authors are using multiple attack vectors, even going as far as writing their own bundler installers, to achieve the number of infections that makes this type of click fraud a financially viable exercise.

    The authors have adapted their click fraud mechanisms in a way that takes user interaction out of the picture while maintaining effectiveness. Removing the reliance on user interaction from the click fraud methodology was a large factor in the Sefnit authors being able to stay off security researchers' radar over the last couple of years.

    Microsoft is working towards thwarting this type of crime as we describe in another blog, "Another way Microsoft is disrupting the malware ecosystem." The more computers we can protect, the less financially viable this type of malware becomes.

    We will continue to monitor the family and keep detection in place to limit further fraud by the criminals.

    Geoff McDonald

    MMPC

     
  • End of support for Java SE 6

    If you’re running Java SE 6, we have some news for you: Oracle stopped providing public updates to it after February 2013.

    Enterprise customers will still have access to long term help through their support channels.

    For everyone else, you should upgrade to Java SE 7 and remove Java SE 6; remember that Java doesn’t remove older versions by default.

    Malware exploiting vulnerabilities in Java isn’t new. We’ve written about Java vulnerabilities on this blog before. In fact, since July this year Exploit:Java/CVE-2013-2465 has been making the rounds and targeting Java SE 6.

    Oracle has done a great job of releasing Java updates to patch these vulnerabilities.

    However, Java SE 6 is about seven years old, and Java SE 7 was released more than two years ago. This means it’s time to think about alternatives for the aging version.

    While we’re talking about end-of-support software: technical assistance for Windows XP will no longer be available from April 8, 2014.

    This includes the updates that help protect your PC against security risks and malware. It’s a good time to think about installing Windows 8 on your PC.

     
  • System Center Community/MVP Update

    As many of you have probably seen today, I have announced my resignation from Microsoft to go to a System Center partner company.  Friday will be my last official day at Microsoft, but I don’t plan on changing my personal level of commitment to the System Center community.  I’ll still be blogging, answering questions on forums, presenting at conferences, and working very closely with Microsoft on channeling the feedback I see on the community into building great solutions.

    For me, this move is simply one of those situations where it was an opportunity for me to feed my inner entrepreneur and software developer.  System Center is alive and well.  Amazing things are happening and will continue to happen.  I’m excited to continue to be a part of the evolution of System Center, albeit in a different role.

    I recently hired System Center MVP Christian Booth (@chbooth) to my team at Microsoft.  I am especially thankful today that he is filling my shoes.  He is an outstanding community contributor, extremely knowledgeable about System Center, and influential inside and out of Microsoft.  He has been and will continue to manage Microsoft’s relationship with the System Center Cloud and Datacenter Management MVPs and community at large.

    Microsoft also has a phenomenal team of people sitting literally right next to Christian that are producing really great content around Windows Server and System Center on the Building Clouds blog.  Definitely check that out!

    Microsoft is committed to community.  I’m committed to the community.  Not much really changes except for my email address.  I’ll see you out there!