TechNet UK

Useful tools, tips & resources for IT professionals including daily news, downloads, how-to info and practical advice from the Microsoft UK TechNet team, partners and MVPs

November, 2013

UK  TechNet Flash Newsletter
  • Surviving the winter weather: how to remote work successfully!

    You may have been blown off course by the wind, been late because of leaves on the line, and are rightly worried about any kind of snow (not just the wrong kind), but why not just stay at home instead?

    I have highlighted different technologies that'll ensure you can get work done from the comfort of your own home and in this post I want to contrast and compare these.

    If your IT is under the control of Active Directory, it is a relatively simple matter to allow you or your users to tunnel into work from Windows 7 and later by connecting to a Windows Server 2012 server running the Direct Access role.  You can lock this down with two-factor authentication using things like smart cards, to make it as secure as you need to. Just as importantly, all that needs to be done on the clients is to join them to a designated group and manage them centrally within Group Policy, so it’s low maintenance using familiar tools.  To give you an idea of how well it works, I can continue a Skype or Lync call while I am connecting, and it only requires the SSL port (443) to be open on firewalls, so as well as working at home you can get stuff done on planes, trains and automobiles (but not while driving please).  Direct Access moved on in Windows Server 2012 and no longer depends on Forefront UAG, making it easier to deploy. How much easier will vary according to your security needs, but there are great lab guides to work through for most of the common scenarios, including the ability to load balance Direct Access servers for resiliency.

    Not everyone has domain joined devices to connect in from, so you could augment your Direct Access in two ways.

    Firstly, you may employ a lot of contractors and vendors who have their own Windows devices that you don’t manage. In this scenario you could build a standard desktop deployment and set up special, memory-stick-like certified devices with Windows To Go (WTG).  You can configure the desktop you deploy to this device to be Direct Access aware, and the latest devices can be BitLocker enabled to make them as secure as your other desktops.  There’s a step-by-step guide to doing this here, and while this may work on a non-supported device, it’ll burn out a conventional memory stick in a few hours.

    That’s only going to work on x86 devices, so Direct Access can additionally be configured to provide a VPN, which would allow authenticated users to connect in from other kinds of devices.  In Windows Server 2012 R2 it is possible to auto-trigger a connection when a user requests a network resource, and there’s even a lab for you to try this.  However, what can they do when they get there?  Chances are they won’t have Office on these devices, so while they might be able to open files, editing is going to be difficult and not a great experience, though of course some access is better than none if you’re at home.

    Another completely separate option is to create a Virtual Desktop Infrastructure (VDI). This is a pretty straightforward process; the only tricky bit is opening this up via the dedicated Remote Desktop Gateway role, which is designed to be installed on a perimeter network with restricted communication between it and the rest of the VDI.

    A final variation on this theme is to use the same infrastructure but just use it to provide access to specific applications your users need rather than giving them whole desktops. If your remote workforce is on Windows 7 or later they can save the links to these applications (known as RD-RemoteApp) as standard desktop shortcuts; if not, each one can be accessed from the Remote Desktop Services web portal.

    The big advantage of using remote desktops in the last two scenarios is that you as an administrator retain total control. The application or desktop is run from servers you administer, and you can restrict such things as cut, copy and paste as well as access to local resources to ensure that your data doesn’t leak out onto an unmanaged device.  There are other ways of dealing with this, and Simon has a complete post on those aspects in this recent post.

    One final thought: Whilst writing this article I’ve been suffering from man-flu and these tools have enabled me to work from home. When I am not really up to fighting my way in to work, staying at home keeps me from spreading whatever it is I have.  Of course some ill effects (not mine!) are alcohol related at this time of year, and your body can process about a unit of alcohol an hour. This means if you are out late on the sauce then you may well be over the legal alcohol limit for driving the following day, so be safe and work from home!



  • iOS in the Enterprise

    Active Directory is the source of identity in the enterprise, and iOS devices should be identified in and by AD in order to provide access to resources. In this article published on WServer News I explain the process of supporting iOS devices in your AD DS with Windows Server 2012 R2 and the Device Registration Service. The post iOS in the Enterprise appeared first on Devices, Services, Life: Simon May's Blog.

  • Our protection metrics – October results

    Last month we introduced our monthly protection metrics and talked about our September results. Today, we’d like to talk about our results from October. If you want a refresh on the definition of the metrics we use in our monthly results, see our prior post: Our protection metrics – September results.

    During October 2013, while our rate of incorrect detections remained low, and our performance metrics stayed fairly consistent, the infection rate of 0.18 percent was higher in comparison to the average daily infection rate of 0.1 percent in the first half of the year.

    In September, we talked about a family called Win32/Sefnit that was the driver behind the increase in our infection rate. We mentioned that the distributors of Sefnit are using some sneaky techniques to infect computers. This includes programs that install legitimate software, and occasionally install legitimate software with bonus material (Sefnit). Many of these installer programs were previously determined to be clean. However, with this change in behavior (installing the Sefnit malware), they now meet our detection criteria.

    Sefnit is a bot that can take instructions from remote servers to do practically anything. We’ve observed it using infected computers for click fraud, which makes money by pretending to be a person clicking on ads from your computer or by redirecting your search results. It may also abuse your computer’s resources through Bitcoin mining.

    The two installer families related to Sefnit that were behind the high active infection rate in October are Win32/Rotbrow and Win32/Brantall. Rotbrow is a program that claims to protect you from browser addons.  Brantall pretends to be an installer for other, legitimate programs. Brantall might install those legitimate programs as well as malware. These previously legitimate software programs were prevalent in comparison to most malware families, and so most of our detections in October were on active infections.

    The Malicious Software Removal Tool, which scans 600-700 million computers each month, has found and removed more than two million Sefnit infections on computers protected by current, real-time antimalware during the past two months. Until our antimalware partners target not only Sefnit, but also the Sefnit installers, people may struggle with reinfections.

    Like us, many antimalware vendors have previously classified these programs as clean or potentially unwanted rather than high or severe malware. We’ve even had a tester ask us recently if our detection for one of these programs was an incorrect detection. Based on the installation of Sefnit, these programs absolutely meet our detection criteria, even if they had previously developed a reputation as a clean program.

    We’ve identified related samples for our antimalware partners so that they can protect their customers against these threats if they have not already.

    If you want to check your computer for Rotbrow or Brantall, you can install Microsoft Security Essentials, enable Windows Defender (on Windows 8), or use the Microsoft Safety Scanner if you already have current antimalware installed. They’re all provided to you for free to make good on our pledge to help keep you all safe. You can read more about our security software on the Microsoft Malware Protection Center website.

    Our goal is to provide great antimalware solutions for our consumer and business customers. I hope this blog demonstrates how committed we are in raising the bar for ourselves and others in the industry for doing so. We're monitoring our results, performance, and progress closely, prioritizing for real threats that might affect our customers and applying lessons learned to make our products even better. Plus, we support our antimalware partners in order to build a strong ecosystem to fight malware – the true adversary. More next month!

    Holly Stewart


  • Avoid the tech-nightmare before Christmas: the yearly upgrade cycle.



      By Mike Resseler, Product Strategy Specialist for Veeam and MVP for System Center Cloud and Datacenter Management


    Here comes December, which for most means happy family moments, gifts, and a nice bearded guy traveling around the world in his deer driven sled.
    For some of us, this announces the quietest time of the year, and that means happy upgrade moments, patches, and a nice IT guy traveling around the datacenter to apply upgrades.
    If you get well organised you should be able to have both… but sometimes a glitch comes and you spend your holiday season with scary crashing servers, bugs, and an exhausted IT pro running around the datacenter…
    What side do you want to be on?

    The tech-nightmare before Christmas... and how to avoid it.

    The short period between Christmas and New Year is often the ideal time for a yearly maintenance cycle. During this week, many companies are shut or are running with limited staff due to the holiday season. This allows IT professionals hassle-free spare time to do maintenance work. I’ve been in this situation many years working in an internal IT team. All the patches, upgrades and whatever else we couldn’t do during the rest of the year is planned during that week.

    There are always enough reasons to explain why we do it during that week: there isn’t enough time during the year; we can’t do it because we're not allowed to bring those services offline; or maybe we don’t have enough resources in our small IT team… the list goes on!

    While most of us have looked forward to (finally) tackling a lot of the issues with these updates and patches, we're always very nervous: what if things go wrong? What if an update goes crazy and the service doesn’t start anymore? What if…

    Unfortunately, I've been in the situation where this has happened and it hit us pretty hard. Upgrading and patching servers suddenly became fixing and restoring a lot of our services, and consequently missing New Year’s Eve and New Year itself, something that isn’t easy to explain to the family, but as true IT Pros, we had to get everything up and running again, and family came second at that time. That time, I was the exhausted IT pro running around the datacenter instead of having family time.

    The first thing you do afterwards is to review the lessons learned. We don’t want to have the same issues twice. So our first round of analysis was looking at the technical things that went wrong to avoid future failures. We had to look at it from a process point of view.

    The quick and easy answer to avoid such problems is (of course) to test before implementing. But that’s easier said than done. You might have a test environment where you can try out your upgrades, but even if you have that, it will never be an exact copy of your production environment, which still means that there could be issues. Or you just don’t have a test environment at all, so you don’t have the answer.

    In those days, testing out upgrades was an extremely difficult process, required many days of work and a lot of investment. Something, as I already stated, we didn’t have.

    Fortunately, a few years ago Santa put some nice gifts under the IT tree, and today there are solutions to these problems.

    Christmas, the upgrade, and Greean Santa.

    The first component of this solution is called Virtualisation. It is now well deployed in most datacenters and keeps getting bigger. The recent Hyper-V 2012 R2 release just gave you one more reason (a couple of months in advance of Christmas) to go for it! Now, combine this with one of Veeam Backup & Replication’s nicest features, called Virtual Lab, and you will have a way to save your family time.

    Veeam Virtual Lab allows you to restore your virtual environment (including the one on that shiny new Windows Server 2012 R2) into an isolated network for testing purposes.
    This isn't a similar environment to your production… This isn't the same software but on another hardware… This is an actual identical copy of your production environment!

    Based on any of your backups, the virtual lab will be running your virtual machines on the same hardware and hypervisor, just in an isolated network to avoid any conflicts.

    Why does it matter?
    Because this means before you start that scary update on your production environment, you can test all you want in the Veeam Virtual Lab. You can apply the patch/upgrade there, see if it works and document it precisely before running it in production. What if the upgrade doesn't work? Just shut down the lab, restart a new one from a clean copy and try again. No impact on your production, no impact on your backup.

    So, for next Christmas, will you try to run your upgrades on production or in a look-alike environment?
    Or would you rather ask the Veeam Greean Santa to pack you a nice Virtual Lab so you can test it calmly, and then go to your New Year dinner relaxed and confident it will all be fine?



    Author BIO: Mike Resseler is a Product Strategy Specialist for Veeam.  Mike is focused on technologies around Hyper-V and System Center.  With years of experience in the field, he presents on many occasions at large events such as MMS, TechEd and TechDays.  Mike has been awarded the MVP for System Center Cloud and Datacenter Management since 2010.  His major hobby is discussing and developing solid Disaster Recovery scenarios.  Additionally, he has enterprise-class experience in Private Cloud architecture and deployment, with marked focus on protection from the bottom to the top.  He holds certifications in many Microsoft Technologies such as MCITP. Follow Mike on Twitter @MikeResseler or @Veeam

  • 5 Tips to cope with the BYOD post-holiday rush

    It’s that time of year again. Tech gifts are set to be the most popular this year again (after socks) and tablets are top of that tech gifts list. When you get back to work lots of your users will have shiny new Android, iOS and Windows devices that they’ll probably bring to the office. Some will use them as a distraction from work but many will want to use them to enable working in new ways. Not only that, but this year it’s not just the tech trendsetters that will be getting tablets, it’s everyone at all levels in your organisation. Some people will just leave those devices at home for a start, but some won’t, and that will encourage more and more people to start bringing them into the office. It’s probably not tenable to just ban them outright any more – this season will put paid to that ability for most, I think. So what can you do? We have two months and a few small upgrades might get you right to where you need to be.

    1. Email

    There can be no doubt that for almost every organisation on the planet email is the number one productivity, communications, CRM, sales, marketing and lol cat tool in our arsenal. If you’re going to spot a crunch point this will be it. If you’re still running your email on-premises it might be time to start considering a move to the cloud, and my personal favourite approach here is to go hybrid.


    Enabling a BYOD solution for your business at enterprise scale is going to mean you’ll have more and more people wanting to connect more and more devices to your email servers. Within Microsoft we have a limit of 10 which I recently found myself exceeding. Following this year’s holiday buying fest it’s quite likely that any individual might have: a mobile phone, a small tablet (7-8 inch, a present this year from the other half), a larger tablet (10 inch, bought last year as a present to themselves), a company provided laptop, a hot desk computer (only for when the user forgets their laptop). All those devices are going to “require” email access to make them useful. Of course this is also the tip of the iceberg, next year it’ll be wearables.

    Moving the email boxes of users who are entering a BYOD program over to Office 365 and leaving those with more traditional requirements on-premises could be a really smart move. Office 365 gives you this option like no other cloud email service can, integrating into your existing Exchange infrastructure providing that seamless familiar experience that users are used to. It’s too much to go into deep detail in this article about next steps but there are plenty of guides around the web.

    2. Work Place Join, Enterprise Registration

    The chances are that you know who everyone in your company is, what they do and what they should have access to do. The same is probably also true of your company owned laptops and desktops. The reason is of course that these people and devices have accounts within Active Directory (AD) and those accounts then let you specify what those users and computers are allowed to do and what resources they are allowed to access.


    Of course not all devices are created equal: they don’t all run Windows today, and even if they do, with BYOD they might not be members of your domain and known to AD. Essentially they are ghosts, visible but at the same time hidden. Within the Windows Server 2012 R2 wave we have a feature that helps us manage those ghosts and pull away their white sheet of invisibility, making them known to AD. The feature is the Device Registration Service, otherwise commonly known as Workplace Join. This feature is complemented in Windows 8.1 with the ability to workplace join the device, and iOS also has a similar ability, although the UI isn’t as slick. When a device is registered by the Device Registration Service a few things happen. First, an identity is created for the device within AD with a unique GUID (device names aren’t used per se, although the name is an attribute of the record) because a device can be enrolled multiple times, potentially by different people. Second, a certificate is issued to the device to identify it. Now that our device is known to AD there are all sorts of things we can do with the device.

    To deploy Device Registration you’ll need to deploy Windows Server 2012 R2, deploy the Active Directory Federation Services (AD FS) role, update the schema, issue some certificates and make some DNS changes. There’s a good guide to building this out in a lab here.

    3. Publish your internal sites, externally, safely

    Not all your internal websites are the most secret things your company has to offer. The intranet might have some proprietary information on it but you could still publish it securely and safely to people, especially since we now know not only who they are but from what device they’re connecting. Going hand in hand with deploying AD FS in Windows Server 2012 R2 is the new Web Application Proxy role, which takes internal resources and publishes them externally safely using either claims-based auth (AD FS) or pass-through auth.

    Using rules for those published services, called relying parties in AD FS parlance, it’s possible to restrict the level of access over those published services using authorization rules that take a look at the claims an incoming request is making. Those claims can include device claims, so we can easily publish our intranet and create a rule that says if this device isn’t registered with AD don’t let the connection through, if the device is registered with AD and the user is allowed access to the intranet then allow the request.

    It’s actually the Web Application Proxy that publishes the enterprise registration service mentioned previously out to the internet. The Web Application Proxy also acts as an AD FS proxy, allowing you to keep your AD FS server inside your network, and by taking these two services and linking them with Office 365 we can easily develop a single sign-on environment.

    4. Device Governance

    It’s tough to require the ability to control all aspects of an individual’s personal device; in fact, in some places it may soon contravene the law to remote wipe someone’s device without their permission, something you may want to do, for example, when they leave the company. The idea of “governance”, however, is to allow access to specific resources – such as applications or remote help – once the individual has allowed you specific access to their devices.

    With this power comes the responsibility to not do such things as wholesale wipe their device. Once a device has been workplace joined we have the ability to start to selectively wipe the corporate aspects of their device. For example we could revoke the certificate that we placed on their device when they workplace joined. If they pulled any data down to their device and we’ve encrypted it with EFS, we would then be able to break the chain of trust that allows the device to access said data. Likewise we can do the same for sideloaded corporate apps.

    5. Data Governance

    It would be nice if we all knew all of the data inside our organisations. Sadly we don’t, especially when we consider the data explosion and how much data we will be storing in the future (I think storage space is like your salary: the more you earn the more you spend; the more storage you have the more you use!) Our users aren’t much good at managing their data either – they generally don’t understand ACLs and how to correctly permission their data. It would be far better if there were a better, more automatic way. Thankfully there is…

    Windows Server 2012 introduced Dynamic Access Control (DAC) and dynamic file classification through File Server Resource Manager (FSRM). Essentially this means that, given some rules, we can have our file servers look at the data they are hosting and apply access controls based upon the content of that data. For example we could look at all the Word documents on our file share and if they contain something that looks like a credit card number (using RegEx) we can classify the files as only for the eyes of people in our customer finance department (this is just file classification not DAC). The DAC part of the equation comes into play when we start to use those applied classifications in addition to the claims being made by the party accessing the files.

    The party accessing the files is going to be a user, but the device that the user is using to access the files could vary. In Windows Server 2012 we could take a device's identity in AD (the computer account) and decide that only users with a specific OS can access the files. Now that we have device registration in play too, we can do this not only for Windows devices that are domain joined but also for Windows devices and iOS devices that are workplace joined. The upshot is that we could allow Jane from Finance access to a file with a credit card number in it only from her Windows 8.1 domain-joined device, but not from her iOS device unless she registers the device and we therefore have the ability to track the data. All of this has been done without IT needing to understand the specific document or the specific device she used.
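
    The classification and access rule described in this section, modelled in Python as an added example (it is not code from the original article and not how FSRM or DAC are implemented). The "Finance"/"General" labels, the Luhn checksum layered on top of the regular expression to cut false positives, and the sample documents and requests are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Candidate card numbers: 13-19 digits, optionally split by single spaces or hyphens.
CARD_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; rejects order numbers and other digit runs the regex also matches."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        value = int(char)
        if index % 2 == 1:  # double every second digit, counting from the right
            value = value * 2 - 9 if value > 4 else value * 2
        total += value
    return total % 10 == 0


def classify(text: str) -> str:
    """Content-based classification: 'Finance' if a plausible card number is present."""
    for match in CARD_CANDIDATE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", match.group())):
            return "Finance"   # hypothetical classification label
    return "General"           # hypothetical classification label


@dataclass(frozen=True)
class AccessRequest:
    user: str
    department: str                 # user claim
    device_os: str                  # device claim
    domain_joined: bool = False     # device has a computer account in AD
    workplace_joined: bool = False  # device registered via Device Registration


def decide(classification: str, request: AccessRequest):
    """Combine the file's classification with user and device claims.

    Returns (allowed, reason) so that every decision can be logged.
    """
    if classification != "Finance":
        return True, "no classification-based restriction"
    if request.department != "Finance":
        return False, "user claim: not in Finance"
    if not (request.domain_joined or request.workplace_joined):
        return False, "device claim: device not known to AD"
    return True, "user and device claims satisfied"


# Constructed sample data (4111 1111 1111 1111 is a widely used test card number).
DOCUMENTS = {
    "invoice.docx": "Customer paid with card 4111 1111 1111 1111 on 2 Dec.",
    "orders.docx": "Order reference 1234 5678 9012 3456 shipped.",
}
REQUESTS = [
    AccessRequest("jane", "Finance", "Windows 8.1", domain_joined=True),
    AccessRequest("jane", "Finance", "iOS"),
    AccessRequest("jane", "Finance", "iOS", workplace_joined=True),
    AccessRequest("bob", "Sales", "Windows 8.1", domain_joined=True),
]


def run_demo():
    """Evaluate every request against every document; returns rows for review."""
    rows = []
    for name, text in DOCUMENTS.items():
        label = classify(text)
        for request in REQUESTS:
            allowed, reason = decide(label, request)
            rows.append((name, label, request.user, request.device_os, allowed, reason))
    return rows


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```
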


    Hopefully this article has been a little thought provoking. It’s probably a very big ask for you to get this stuff into production in time for the holidays but at least you can start to think about building a lab to try this out with those devices that Santa leaves for you. You’ll need some lab guides, and the Windows Server 2012 R2 and Windows 8.1 Enterprise Evals to be able to do just that – luckily it’s all free to try, our present to you.

  • Cloud investment gives SATS a lift

    An aggressive cloud strategy centred on Microsoft products gives the fitness chain SATS a better IT environment. This supports the company's continued expansion while customers are offered better service.

    The fitness trend in Sweden continues with undiminished strength. One sign of this is that the number of participants in challenging races is breaking all records – next year's Vasaloppet was fully booked just ten minutes after the tickets were released in March.

    It also means there is a good market for the country's fitness chains. The leading position in the Nordic region is held by SATS, which has 108 fitness centres with 275,000 members. At the Nordic level, SATS has around 4,500 employees working full-time or part-time. A majority of them spend their working days out at the fitness centres, which requires the IT environment to work in a decentralised business as well.

    To better meet that challenge, SATS has chosen a cloud solution with Microsoft Office 365 and Microsoft CRM Online.

    - It is about all parts of the solution: mail, SharePoint intranet, Lync and CRM. All employees have fast and easy access to mail, and because we are spread across several locations and several countries, Lync is used extensively for internal communication, says Arvid Johansson, CIO at SATS.

    Previously SATS used the same products, but on-premises and operated in-house. The new solution makes it possible for the company to focus more on developing the fitness business itself.

    - We are a relatively small organisation and we have a strong focus on driving development forward for the business. Basic technology is expensive and we are working to turn it into services, among other things by using cloud services. As we grow, we can now handle that in a much better way; it becomes much easier to open new centres.

    The move to a cloud-based IT environment has been well received by staff, according to Arvid Johansson.

    - The shift to the cloud is in itself nothing the users really see, other than that the systems hopefully become faster. In the long run it means that maintenance and upgrades will be able to happen automatically.

    SATS has also woven digital technology into its services; in 2012 it launched the introductory programme SATS You™, which is built on CRM Online. Through it, members get a tailored eight-week training programme and access to a personal trainer for help getting started and adapting the programme.  Training is followed up digitally: via the web or a mobile app, members can reach their training programme, watch inspiring videos and get access to instructions and training tips.

    - The personal trainer can handle the whole dialogue with the member via computer or mobile, and the customer can easily follow their own development and progress, says Arvid Johansson.

    And the digital development will continue at SATS.

    - It is definitely a path we will follow, and right now we are looking at a lot of different possibilities. The digital services inspire our members to train more and make them enjoy being with us even more, says Maja Thermaenius, project manager for development at SATS.


    Arvid Johansson, CIO, SATS
    Tel: 073-373 24 06

  • Industrial designers make it possible for more people to work from home

    Microsoft, which has run the Jobba hemma-dagen (Work From Home Day) initiative for two years, is now enlisting three inspirers to solve the problems and challenges of working outside the office.

    Thanks to modern IT, working from home or from other places outside the office is a matter of course for many people. But not all the challenges of modern working life can be solved with IT. That is why Microsoft is now enlisting three industrial designers – we call them inspirers – to come up with new products and solutions that will make the new working life easier.

    Mikaela, Bashar and Björn are the promising industrial designers who have been commissioned by Microsoft to spend six months developing solutions that make it possible for more people to get the job done, wherever they work. They have a free hand and will choose for themselves which challenge they want to take on. The work concludes with an exhibition opening on 10 April in Stockholm, where the inspirers will present their finished solutions. We will follow the inspirers as the work progresses, both through their own social media and in Microsoft's social media.

    As a young entrepreneur, this is a fantastic opportunity. I look forward to contributing my creativity to produce innovative concepts that can promote flexible working, says Mikaela Rehnmark, one of the inspirers and industrial designer at R-ID.

    The three inspirers are:

    Mikaela Rehnmark, a newly graduated industrial designer who runs her own company. Among other things, she has designed a piece of furniture for Arlanda.
    Design process for the Arlanda furniture project, where you can follow the whole journey from idea to finished piece:

    Bashar Mansour, an industrial designer who runs his own company in design and product development.

    Björn Fjaestad, studying industrial design at Lunds Tekniska Universitet.
    Website (combined portfolio and blog):


    About Jobba hemma-dagen
    Jobba hemma-dagen takes place on 5 February 2014 and is a Microsoft initiative that showcases the benefits of flexible working. Participants in Jobba hemma-dagen share a belief that work is not a place you go to but something you do. Flexible office work has benefits for companies and employees alike – it brings higher productivity and a simpler everyday life. Attracting the right employees today and in the future requires a flexible view of work.

    For more information
    Anna Averud
    Business area manager for Office at Microsoft
    073-408 29 22

  • Carberp-based trojan attacking SAP

    Recently there has been quite a bit of buzz about an information-stealing trojan that was found to be targeting the logon client for SAP. We detect this trojan as TrojanSpy:Win32/Gamker.A.

    SAP is a global company with headquarters in Germany and operations in 130 countries worldwide. SAP develops enterprise software applications for tracking and managing business operations, and is used by an estimated 86% of Forbes 500 companies. These business operations can range from applications such as tracking the manufacture of a product in a factory, managing human resources processes, or tracking and managing customer sales. Needless to say, the data contained in SAP systems is often sensitive and the security surrounding SAP systems is a recurring topic in the information security field.

    A few weeks ago, another vendor reported a trojan in the wild specifically including functionality targeting SAP. This is believed to be the first malware developed by criminals targeting SAP.

    In this blog we will present our analysis on how this trojan targets SAP and how it has code in common with Win32/Carberp.


    Based on Carberp source

    Carberp is an infamous banking trojan whose source-code was leaked earlier this year, and Gamker clearly shares part of its code with Carberp's code. Gamker has code-matches to the remote control code contained in Carberp:

    • Carberp/source - absource /pro/all source/RemoteCtl/hvnc2/libs/hvnc/hvnc/

    The following relative files match through the string constants that are encrypted within Gamker:

    This usage of the virtual network computing (VNC) code indicates that Gamker has the capability to remotely control an infected machine. It is unclear if there is a larger connection between Gamker and Carberp since the remainder of Gamker’s code differs from Carberp's publicly leaked code.


    SAP targeting

    Gamker is a general banking and information-stealing trojan. Among its targets are online banking web-browser sessions, BitCoin wallets, public and private keys, cryptography tools, and finance-related software applications. In this section we go into detail on the threat this trojan poses to SAP.

    The malware records keystrokes per application, generating keylog records in plaintext format to the file "%APPDATA%\<lowercase letters>". An example of these recorded keylogs is as follows:

    Figure 1: Example of recorded keylogs


    In addition to this keylogging, hardcoded inside the payload is a list of application names which are used as triggers to record additional information. Among this list is the SAP Logon for Windows client, as seen in Figure 2: 

    Figure 2: Targeting of SAP saplogon.exe component


    Table 1 - List of triggers used to record screenshots and command-line arguments

    Executable name trigger
    Category assigned by trojan author

    • Client for Remote Administration
    • Unknown Russian payment-related tool
    • Unknown, likely a tool used to perform HTTP POST operations
    • Unknown, likely a tool used to perform HTTP POST operations
    • Tool by Western Union Inc
    • Client for VPN remote access to computers
    • Tool used to manage TrueCrypt protected filesystems
    • Tool used to manage BestCrypt protected filesystems
    • SAP Logon for Windows
    • Application by Omikron related to electronic banking
    • Application by Omikron related to electronic banking
    • Application by Omikron Systemhaus GmbH related to electronic banking
    • Application by UniCredit Bank Australia
    • Maybe Deutsche Bundesbank Eurosystem
    • Maybe Deutsche Bundesbank Eurosystem
    • Profibanka by Komerční banka
    • Banking application, Komerční banka


    When the keylogging component is loaded into a process that matches one of the executable names in Table 1, it then additionally records the command-line arguments passed to the application, and begins to capture screenshots of the entire desktop periodically. It captures 10 screenshots spaced about one second apart from each other before transmitting them to the C&C server.

    In addition to these listed triggers, there are also two other application lists used as screen and command-line argument-recording triggers included in Table 3 and Table 4 below, under the category names "IT" and "ETC" respectively.

    An example of the recorded data after executing "saplogon.exe" with command-line arguments "-test" can be seen in Figure 3 below:

    Figure 3: Recording of command-line arguments passed into saplogon.exe


    The screenshots, captured one second apart, are stored in the "%APPDATA%\<lowercase letters>\scrs\" directory, as seen in Figure 4 below:

    Figure 4: Screenshots captured after executing saplogon.exe


    In summary, this is an attempted attack on SAP and not just a harmless data-gathering operation to determine if SAP is installed. The attackers use the execution of the SAP component "saplogon.exe" as the trigger to record the command-line arguments passed into it and to capture a series of 10 screenshots, which are sent to the C&C server. These three types of information sent to the server will, in many cases, include critical information such as:

    1. Keylogs:
       • SAP password and sometimes the user name.
    2. Screenshots:
       • SAP user name, server name, some confidential data, and more.
    3. Command-line arguments:
       • Unlikely to contain sensitive information based on initial analysis of the ‘saplogon.exe’ binary.
    4. VNC:
       • A VNC session can be initiated by the attacker to grab any additional information necessary to compromise the SAP server, as well as attack the SAP server directly from the infected machine.

    This trojan’s targeting of businesses, as opposed to individuals, is an alarming move and we will be monitoring this for further developments to protect and inform our customers.


    Mitigating the risk

    To reduce the risk of and mitigate the damages caused by an attack like the one on SAP, there are a number of recommended security policies. Some general recommended policies are as follows:

    • Access control. Grant users the minimum access privilege level required to complete their job. This reduces the amount of data compromised in a successful attack.
    • Two-factor authentication. A two-factor authentication process may stop this attack from being successful.
    • Security education. Schedule training courses for all employees. A security-smart employee may be able to avoid infection in the first place.
    • Antimalware solution. Run antimalware software on all workstations and monitor compliance. This may detect the trojan prior to infecting the workstation.
    • Network intrusion detection system. This may create alerts on the suspicious VNC connection, detect the data exfiltration, or may also detect the trojan C&C communication on the network.
    • Security management. Ensure workstations are running up-to-date versions of Windows with the latest security patches applied, and that all security-critical software such as Java, Adobe Flash, Adobe Reader, Microsoft Office, and web-browser clients is up to date. Compliance needs to be monitored and enforced.

    For further recommendations, guidelines, and information on additional SAP security products it is recommended to consult SAP and read through their security solutions.
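
    The on-disk artifacts described in this analysis (entries named with lowercase letters under %APPDATA%, a "scrs" subdirectory, screenshots about one second apart) lend themselves to a filesystem triage check. The following is an added example, not part of the original analysis or of any Microsoft tool; the function names, the a-z-only reading of "<lowercase letters>", the two-second gap tolerance and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumption: "<lowercase letters>" means a name made up only of ASCII a-z.
LOWERCASE_NAME = re.compile(r"[a-z]+")
MAX_GAP_SECONDS = 2.0  # assumed tolerance around the "about one second" spacing

def longest_burst(mtimes, max_gap=MAX_GAP_SECONDS):
    """Longest run of timestamps whose neighbours are at most max_gap apart."""
    best = run = 0
    ordered = sorted(mtimes)
    for i, t in enumerate(ordered):
        run = run + 1 if i and t - ordered[i - 1] <= max_gap else 1
        best = max(best, run)
    return best

def scan_appdata(appdata_root):
    """Triage one user's %APPDATA% (hypothetical helper); a bare file hit is a weak signal."""
    findings = []
    for entry in sorted(Path(appdata_root).iterdir()):
        if not LOWERCASE_NAME.fullmatch(entry.name):
            continue
        scrs = entry / "scrs"
        if entry.is_dir() and scrs.is_dir():
            mtimes = [f.stat().st_mtime for f in scrs.iterdir() if f.is_file()]
            findings.append({"name": entry.name, "kind": "scrs-directory",
                             "files": len(mtimes), "burst": longest_burst(mtimes)})
        elif entry.is_file():
            findings.append({"name": entry.name, "kind": "lowercase-file"})
    return findings

def build_constructed_tree(root):
    """Constructed sample profile: one suspicious directory, one benign one."""
    shots = Path(root) / "qwkdhz" / "scrs"
    shots.mkdir(parents=True)
    for i in range(10):
        shot = shots / f"{i}.bin"
        shot.write_bytes(b"constructed")
        os.utime(shot, (1_000_000 + i, 1_000_000 + i))  # one second apart
    (Path(root) / "Microsoft" / "Windows").mkdir(parents=True)
    (Path(root) / "zxcvb").write_text("constructed keylog placeholder")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in scan_appdata(build_constructed_tree(tmp)):
            print(finding)
```

    A "scrs-directory" finding with a burst of several files is the stronger signal; a lone lowercase-named file matches only the keylog naming pattern and needs corroboration.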



    Geoff McDonald


    Table 2 – Reference checksums for analyzed samples

    • MD5: c9197f34d616b46074509b4827c85675
      Injects the trojan into all processes.
    • MD5: efe6cd23659a05478e28e08a138df81e
      Carberp-based password and information stealer.


    Table 3 – Additional screen and command-line capture triggers under the category "IT"

    • IDProtect Monitor.exe

    Table 4 – Additional screen and command-line capture triggers under the category "ETC"

  • Windows Phone 8 grows with Instagram

    Instagram and Waze are now available for Windows Phone 8. The apps are just two of the more than 190,000 apps now in the Windows Phone Store.

    Instagram is the most searched-for app for Windows Phone 8, so of course it feels fantastic that our users can download it today. It is a real sign of strength that more and more developers are investing in Windows Phone 8; the selection grows by almost 500 apps every day, says Anna Ström, Business Group Lead for Windows Phone at Microsoft in Sweden.

    With more than 150 million users around the world, Instagram is one of the most popular smartphone apps of all, and now it is available for Windows Phone 8. The app has full support for Live Tiles and comes packed with all the photo filters you recognise from other platforms.


    Today the popular traffic and navigation app Waze is also released for Windows Phone 8. Together with your fellow road users you collect and share current traffic conditions along our roads, which can save both time and money when you are driving somewhere. With Waze running while you drive, information is sent continuously that other users can use when planning their own journeys. You can also manually report accidents or other road problems and so warn your fellow road users.

    According to IDC, Windows Phone 8 is the fastest-growing platform on the market. That is of course gratifying, although I am not surprised. We have a personal and unique offering with a wide range of phones in several price classes, says Anna Ström.

    Instagram and Waze are just two examples of strong additions to Windows Phone 8 in recent weeks. In-demand apps such as Vine and Swish, and the Windows Phone 8-exclusive app PicHit.Me, are good examples of new additions to the app selection. Today Swedavia also launched its airport app. The Windows Phone 8 platform also continues to evolve; last month we told you about Windows Phone 8 Update 3, which is rolling out right now.

    Download Instagram here
    Download Waze here
    Download Vine here
    Download Swish here
    Download PicHit.Me here
    Download Swedavia's airport app here

  • Swedavia's airport app for Windows Phone 8 and Windows 8

    Swedavia's airport app is now launching for Windows Phone 8 and Windows 8 as well. In the app, travellers get access to a range of "on the go" features connected with their journey. Travellers can easily get real-time information on arrival and departure times as well as gate and boarding time. It is now also possible to quickly find out the arrival time of baggage.

    Today Swedavia's app is launched specifically for Windows, while the existing app for Android and iPhone is updated. Windows users too can now follow arrival and departure times in real time, get gate and boarding time, see the range of restaurants and shops, and conveniently pre-book parking at Stockholm Arlanda Airport and Göteborg Landvetter Airport.

    - The traveller-oriented features in the app make the stay at the airport easier and are appreciated by our travellers. Besides giving quick access to information, we also want to inspire by highlighting the rest of what we offer at the airport, such as parking, food and shopping, says Michael Persson Gripkow, Marketing Director at Swedavia.

    - We think it is great that Swedavia is choosing to invest in Windows Phone 8 and Windows 8. It strengthens our local app offering while giving our users very good information before and during their journey, says Anna Ström, Business Group Lead for Windows Phone.

    The following information will be available for all airports in Swedavia's app for Windows Phone 8 and Windows 8

    - Ability to choose airport
    - Departures: information on departures including gate and boarding time
    - Arrivals: information on arrivals including baggage arrival
    - Information on the airport's range of restaurants and cafés
    - Information on the airport's range of shops and services
    - News from the airport
    - Contact information

    Additional airport-specific features

    - Map of the airport's terminals: Arlanda and Landvetter
    - Parking booking: Arlanda and Landvetter
    - Parking map: Arlanda, Landvetter, Bromma Stockholm Airport and Malmö Airport

    Get the Swedavia Swedish Airports app here:

    For Windows Phone 8

    For Windows 8

    The following airports are included in the app: Stockholm Arlanda Airport, Göteborg Landvetter Airport, Bromma Stockholm Airport, Malmö Airport, Ronneby Airport, Visby Airport, Åre Östersund Airport, Umeå Airport, Luleå Airport and Kiruna Airport