
Hello! Greetings from Dublin!

As mentioned by Jakub in a previous post, we are presenting at the Virus Bulletin International Conference 2009 in Geneva next week.

It’s an understatement to say that we're excited about attending the conference – and not just about presenting our papers, but about getting the chance to meet the other delegates.

From the technical stream we have Elda and Francis:

We’re presenting our paper entitled "Blast from the Past: Application of the MS08-067 Exploit in Real World Malware". Together with our colleague, Scott Wu from the team in Redmond, we'll talk about the MS08-067 vulnerability and how it was exploited by different malware, including Conficker. 

The presentation explains the Server service vulnerability addressed in the MS08-067 security bulletin and shows how different malware families utilized this exploit. We also present some interesting data from the field on the malware families involved.

We’re the first presenters for the technical stream, so we’ll see you on Wednesday morning!

From the corporate stream we have Ina and Marian:

We are presenting our paper, "The Cloud or the Mist?". Those of you who are Stephen King fans might be familiar with his novella “The Mist”, in which an evil mist invades a town and wreaks havoc. In the same way, cloud technology is a buzzword right now, and some people are hyping it as the next evolution of the Internet. Yet there are a lot of valid concerns, especially about privacy and security.

Our paper talks about the potential security risks of the cloud: what dangers exist when we store personal and sometimes highly profitable information in the cloud? What social engineering techniques exist that have only emerged with cloud technology? And what malware families exploit the cloud to perform their malicious routines?

We are presenting on Friday right before lunch, but we promise our slides will be just as filling!

We'd all love to meet those of you who will be attending and especially those of you who are interested in our research.

See you there! Kita kits! (Filipino) Ne vedem acolo! (Romanian) Slán go fóill! (Gaelic)

- Elda, Francis, Ina and Marian

As Jakub mentioned, I'll soon be presenting at the Virus Bulletin conference in Geneva. I've spent a lot of time looking at rogue security software in the last year, so I'm looking forward to sharing some of my findings.

The subject of rogues (or "scareware") is a timely one. You may have heard reports in the past few days of a couple of malware attacks which involved rogues. One of these was an attack where visitors to the New York Times web site were seeing pop-ups telling them that their computer was infected, then being redirected to a fake online malware scanner. There have also been several reports of "hackers" exploiting the news of Patrick Swayze's death in order to direct people to (you guessed it) a fake online scanner.

Not only were both of these attacks distributing rogues, they were both pushing the same rogue. We call it Win32/FakeXPA.

Win32/FakeXPA has been using these distribution methods for a while now. The New York Times attack was accomplished through a malicious advertisement; these have been used to distribute rogues via legitimate web sites at least since early 2007. The second attack was not an attempt to exploit the death of Patrick Swayze specifically, but rather part of an ongoing campaign that Win32/FakeXPA's distributors have been running to poison results from search engines to lure people to their malicious sites. Most popular search terms are exploited in this way, by rogues like Win32/FakeXPA and other types of malware too.

These are the same techniques that have made Win32/FakeXPA the most prevalent rogue for some time. Despite the press, we are not seeing increased activity from Win32/FakeXPA through our telemetry or from our customers.

I'll be talking about both of these distribution techniques (and a lot more about rogues) in Geneva. I hope to see you there!

- Hamish O'Dea

At last year’s VB conference, my talk “Playing with shadows - exposing the black market for online game password theft”  discussed malware being sold on the black market for password stealing purposes.  During the “Q & A” time, someone asked a question regarding the technical details of Dogrobot, a family of malware that can penetrate the protection offered by a ‘hard disk recovery card’ (used to restore a machine to a known, clean state). Unfortunately, I don’t think I gave a satisfactory answer due to my limited research on it at that time. I’ve been feeling guilty since then and the experience encouraged me to spend more time studying it.

After crawling around in file system drivers and Dogrobot drivers for a few months, I finally managed to get a comprehensive understanding of the technical details of this malware. Unfortunately, “I can’t go back to yesterday” to answer the question again; fortunately, the VB committee gave me a second chance - they accepted my paper entitled “I can't go back to yesterday, because I was a different person then”, which will be presented at VB2009, on 23rd September in Geneva. In the presentation, delegates will hear about:

  • Malware designed to specifically target the recovery hardware used in Internet Cafés in China - how it works, and why?
  • Malware that has caused 8 billion RMB (1.2 billion USD) in losses but doesn’t infect files
  • Further details of the black market for malware

Are you interested in this? See you in Geneva.

Chun Feng

Another year has passed, and the time of the most important annual anti-malware event is upon us. The Virus Bulletin International Conference 2009 takes place on 23-25 September at The Crowne Plaza Hotel in Geneva, Switzerland.

As usual, the program is packed to the rafters with malware-related material, with presentations spread across two parallel streams, and three busy days that, no doubt, will be filled with research papers, discussions and heated but friendly arguments.

A strong contingent from Microsoft is attending, including authors and presenters discussing the results of their latest research. The delegates can see the following Microsoft presentations:

On Wednesday, September 23, a paper titled “Blast from the past: application of the MS08-067 exploit in real world malware” by Elda Dimakiling, Francis Allan Tan Seng and Scott Wu.

On the same day, and also in the Technical stream, the paper “I can't go back to yesterday, because I was a different person then” by Chun Feng.

On Thursday, in the Corporate stream, the paper “How to reclaim your sender reputation” by Terry Zink from the FOSE team.

During Friday's proceedings, in the Corporate stream, the paper: “The cloud or the mist?” by Marian Radu and Hilda Larina Ragragio.

On the same day, as the last presentation of the conference, and just before the closing panel discussion, the paper: “The modern rogue - malware with a face” by Hamish O’Dea.

Traditionally, every VB Conference attracts big interest and large crowds, making each event a perfect venue for various industry meetings – and it's no different this year - the AVPD and the WildList meetings are already scheduled for the same time, at the same location.

Jakub Kaminski

This month we added both Win32/Bredolab and Win32/Daurso families to the latest MSRT release.

Win32/Bredolab is a trojan downloader that garnered industry attention over the middle stages of 2009. This is due to a number of spam campaigns employing e-mail lures with parcel delivery themes. The e-mail messages appear to originate from legitimate sources such as UPS (United Parcel Service of America) or DHL (Dalsey, Hillblom and Lynn). However, Win32/Bredolab is not a new family of malware. Its origins date back at least three years, and it has gone through a number of evolutions during this time.

Win32/Bredolab has been observed to download malware from a vast array of families. This includes families of trojan downloaders, rogues, worms, spam bots, password stealers and just about everything in between. From the beginning of 2009, the MMPC has observed variants of Win32/Bredolab downloading malware from over 100 unique families. To give you an idea, below is a short list of the more prevalent and well-known families downloaded, many of which are families addressed by MSRT.

Win32/Alureon
Win32/Ambler
Win32/Boaxxe
Win32/Busky
Win32/Cbeplay
Win32/Cutwail
Win32/Danmec
Win32/Daurso
Win32/Emold
Win32/FakeRean
Win32/FakeSpypro
Win32/FakeXPA
Win32/Harnig
Win32/Haxdoor
Win32/Hiloti
Win32/Koobface
Win32/Momibot
Win32/Oderoor
Win32/Oficla
Win32/Otlard
Win32/Phdet
Win32/Rlsloup
Win32/Rugzip
Win32/Rustock
Win32/Sinowal
Win32/Srizbi
Win32/Tedroo
Win32/Ursnif
Win32/Vundo
Win32/Waledac
Win32/Wantvi
Win32/Winwebsec
Win32/Wopla
Win32/Zbot

The second family added to the September release of MSRT is a password stealing trojan known as Win32/Daurso. It attempts to steal stored FTP credentials and could be referred to as a sibling of Win32/Bredolab due to some of the code shared by the installation wrapper. Additionally, the control server that Win32/Bredolab variants contact is exactly the same as that used by Win32/Daurso. Finally, Win32/Daurso is often downloaded by Win32/Bredolab itself.

Win32/Daurso has the capability to retrieve passwords stored locally by popular 3rd party FTP clients such as ‘CuteFTP’, ‘FlashFXP’ and ‘Core FTP’. Credentials residing in protected storage are also targeted by Win32/Daurso.

It may come as no surprise to our readers, however, that we see that user credentials continue to be a valuable commodity for malware authors. The value of FTP credentials lies in the likelihood that the compromised account is associated with web hosting capability. This could easily be employed for nefarious purposes, either by inserting malicious content or for simple (malware) hosting purposes, for example.

Scott Molenkamp

This month the MMPC added a new threat family, Win32/FakeRean, to the MSRT.  You can refer to Hamish’s blog post, “Win32/FakeRean and MSRT” for more details on this fake, or rogue, security software.  As of August 24, the MSRT had cleaned FakeRean from 162,328 infected machines.  The following table shows data gathered from the MSRT since its August release.

Family     Threat Count   Machine Count
Taterf          544,662         463,000
Renos           308,789         228,973
Alureon         249,101         211,441
FakeRean        219,359         162,328
Bancos          173,134         158,152
Koobface        274,769         134,139
Frethog         140,218         132,827
Cutwail         166,284         110,840
Rustock          98,673          90,788
Tibs             93,175          84,081

Note the “Threat Count” total is higher than "Machine Count" because an infected machine may contain multiple components of a threat.

Win32/Taterf noticeably still holds first place in the MSRT’s top detections.  This is a family of worms that spread via mapped drives in order to steal login and account details for popular online games.  Taterf is closely related to Win32/Frethog, another MSRT family added at the same time as Taterf, and also found in the above list. We believe that the two are based on the same source code due to the similarities between them. Since they were first added, these two families have been ranked near the top and this month is no exception.  You can revisit a previous blog post about this threat for more in-depth details.

Another usual suspect is Win32/Renos.  It was added to the MSRT in May 2007, before rogue software was viewed as being as disruptive as it is today. Renos holds a high ranking due to its strong ties with rogues. We think this addition was a good investment, as many of us have at least once encountered the dreaded “Your computer is infected!” message.

A few notes about the remaining threats from the list:

  • Win32/Koobface is a prevalent worm that spreads by utilizing social networking sites. It’s a complex family with multiple components that act as proxies, report affected users' online behavior, generate “pay per click” advertising revenue, steal data, and even break captchas.
  • Win32/Alureon is a family of data-stealing trojans. These trojans allow an attacker to intercept incoming and outgoing Internet traffic to gather confidential information such as user names, passwords, and credit card data. Win32/Alureon may also allow an attacker to transmit malicious data to the infected computer. This family also has rootkit components that provide stealth functionality.
  • Win32/Bancos is a family of data-stealing trojans that captures users' online banking credentials such as account login names and passwords. These trojans send the captured information to the attacker by e-mail, or by uploading to an attacker's FTP site or posting to an attacker's Web site.

The following table shows the breakdown by country/region.  US, China, and Brazil report the highest numbers of infected machines during the same time frame as the previous table.

Country/Region   Threat Count   Machine Count
US                  8,750,628       2,183,166
China               1,085,140         383,378
Brazil                737,322         282,152
UK                  1,078,540         278,207
Korea                 601,646         262,539
France                412,115         156,566
Taiwan                236,047         140,283
Spain                 328,829         133,264
Canada                433,770         119,885
Mexico                447,841         117,845

The US is at the top of this list as it is by default the top target for most of the malicious code out there.  China and Brazil are actually a totally different story. While China is a top target for online games password stealers and the black market associated with it, Brazil is a prime goal for another breed of password stealers: those targeting bank accounts. Given these locations, it should come as no surprise that the top prevalent threats are what they are.

As you look at this table you will see that the number of unique machines infected is lower than the total number of disinfections by MSRT.  There are several reasons for this including infections of multiple malware families on the same machine (some malware downloads other malware), multiple variants of the same family of malware found on the same machine and re-infections of the same machine over time.  MSRT is not a replacement for antivirus software with real-time protection from a known, trusted vendor.  When choosing an AV vendor be wary of rogue security software.  You can find a list of anti-virus products for Windows here.

We hope this data has been helpful for our readers.
Marian Radu & Scott Wu – MMPC

Additional resources: Latest Microsoft Security Intelligence Report (SIR)

In a previous blog, you may have read about rogues using a fake YouTube page to entice users into downloading and installing a rogue security trojan. We are now showing you the ‘real deal’. We discovered a page (there are probably more) within the real YouTube.com (fig. 1) website trying to benefit from its user database by redirecting them, by means of social engineering (i.e. viewing an episode of a popular cartoon series) to another page (fig. 2). The malicious page pushes a fake video codec to install a copy of the trojan “Win32/Winwebsec”.

Figure 1 - Malicious YouTube post

Figure 2 - Fake video codec install request

Below, you can see a dialogue window that suggests that your computer is vulnerable, unstable and infected, and instructs you to buy the fake (rogue) security trojan to correct the ‘found’ (yet non-existent) malware. The UI displays a ‘credible’ interface with ‘controls’ commonly found in security applications such as “System Scan”, “Update” and “Settings”. After a ‘scan’, the rogue will commonly display a list of ‘discovered’ malware as in the example shown below.

Figure 3 - Winwebsec Fake Detections

To complement the simulated scan, the rogue creates fake error messages as well to provide more convincing ‘evidence’ that your computer is compromised, as in the examples shown below. Note the typo in the error message window title bar.

Figures 4 & 5 - WinWebsec generated error messages


Of course, after you realize you’ve been fooled by the rogue, you will want to uninstall it. When you attempt to remove Winwebsec, you’ll discover that it doesn’t allow you to easily accomplish this and a <sarcasm> helpful FAQ </sarcasm> provides some insight that you can download another piece of software (fig. 6), which could represent another way for attackers to compromise your machine:

Figure 6 - ‘FAQ’

This file is also detected by our products as “Win32/Winwebsec”.

Be safe!
Marian Radu, MMPC Dublin

PS: There is no security issue or vulnerability in YouTube.com. This is just a case of a user abusing a free service.

This month we added another rogue to the MSRT family list - Win32/FakeRean. Win32/FakeRean is generally very similar to Win32/InternetAntivirus and Win32/FakeXPA, which we continue to see in large numbers each month.
 
Following the fashion, Win32/FakeRean is distributed as several variants, each with a different name and a different "skin". Its interface is actually rendered from HTML stored inside the fake scanner's executable file. Because of this they can often look quite similar. Compare the interfaces for "Home Antivirus 2010" and "PC Antispyware 2010", for example.

Win32/FakeRean scanner interface - "PC Antispyware 2010"

Of course, this allows the creators of the malware to produce new variants with different names quite easily. Despite this, some elements of the interface are surprisingly static. The "Protection level", for example, is always displayed as "LOW". On the other hand, this isn't really surprising once you know that the program reports the same list of infections whether there is any malware on the system or not.

While fabricated infection reports are not remarkable - indeed they are what defines this class of malware - the way in which Win32/FakeRean generates these reports is particularly unusual. It installs a copy of the ClamAV open source anti-virus scan engine along with a signature file specifically produced for the rogue. It then creates files with random names in various locations on local drives and uses the ClamAV engine and signatures to detect them. The files it creates and reports are harmless junk, not even executable. They appear to be filled with essentially random data, but are created in such a way that the rogue's signatures will detect them. So the rogue performs a real scan and detects real files that you would not expect to find on your computer, possibly making its claims more plausible.
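As an added illustration (not code from this post, from FakeRean or from ClamAV), the Python below matches a ClamAV-style `.ndb` hex body signature against files and then asks the question the rogue's victims cannot: is each "detection" an executable, or high-entropy filler planted to be found? The `.ndb` subset handled (TargetType 0/1, offset `*` or absolute, `??` single-byte wildcard), the signature and all sample files are constructed assumptions.

```python
import math
import random
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class NdbSignature:
    """One body signature in the assumed .ndb subset: Name:TargetType:Offset:HexBody."""
    name: str
    target_type: int        # 0 = any file, 1 = PE executable only (assumed subset)
    offset: str             # '*' = anywhere, otherwise a decimal absolute offset
    pattern: re.Pattern     # hex body compiled to a bytes regex, '??' -> any one byte


def parse_ndb_line(line: str) -> NdbSignature:
    name, target, offset, hexbody = line.strip().split(":")[:4]
    parts = []
    for i in range(0, len(hexbody), 2):
        tok = hexbody[i:i + 2]
        parts.append(b"." if tok == "??" else re.escape(bytes.fromhex(tok)))
    return NdbSignature(name, int(target), offset, re.compile(b"".join(parts), re.DOTALL))


def is_pe(data: bytes) -> bool:
    """True only for a file with an MZ stub whose e_lfanew points at a 'PE\\0\\0' header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def matches(data: bytes, sig: NdbSignature) -> bool:
    """Apply the signature the way a body-signature engine would."""
    if sig.target_type == 1 and not is_pe(data):
        return False
    if sig.offset == "*":
        return sig.pattern.search(data) is not None
    return sig.pattern.match(data, int(sig.offset)) is not None


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; random filler scores close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, sig: NdbSignature) -> str:
    """'clean', 'pe-hit' (a real executable matched) or 'junk-hit' (a planted non-executable)."""
    if not matches(data, sig):
        return "clean"
    return "pe-hit" if is_pe(data) else "junk-hit"


# --- constructed fixtures: the signature and files below are made up for this example ---
ROGUE_SIG = parse_ndb_line("Rogue.Planted.1:0:*:deadbeef??cafe")      # any file type
PE_ONLY_SIG = parse_ndb_line("Rogue.Planted.2:1:*:deadbeef??cafe")    # PE files only


def make_planted_junk(seed: int = 20090901, size: int = 4096) -> bytes:
    """Random filler with the signature's marker embedded, the way the rogue plants files."""
    rng = random.Random(seed)
    raw = bytearray(rng.getrandbits(8) for _ in range(size))
    raw[100:107] = b"\xde\xad\xbe\xef\x37\xca\xfe"
    return bytes(raw)


def make_pe_stub(payload: bytes) -> bytes:
    """Minimal MZ/PE header skeleton followed by payload (not a runnable binary)."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr) + payload


PLANTED_JUNK = make_planted_junk()
ORDINARY_DOC = b"Quarterly report: nothing unusual to see here. " * 40
PE_WITH_MARKER = make_pe_stub(b"\xde\xad\xbe\xef\x00\xca\xfe")


def triage(files: dict, sig: NdbSignature) -> dict:
    """Map filename -> (verdict, entropy); junk hits with entropy near 8 are the tell."""
    return {name: (classify(data, sig), round(entropy(data), 2)) for name, data in files.items()}


if __name__ == "__main__":
    sample_set = {"abc123.tmp": PLANTED_JUNK, "report.txt": ORDINARY_DOC, "tool.exe": PE_WITH_MARKER}
    for fname, (verdict, ent) in triage(sample_set, ROGUE_SIG).items():
        print(f"{fname:12} {verdict:9} entropy={ent}")
```

The planted file really does trip the signature, so the scan is "real"; what gives it away is that the hit is a non-executable file of near-random bytes.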

Win32/FakeRean is often downloaded by other malware, such as Win32/Renos, but it is also distributed through web sites that look fairly credible at first glance. Again, the different variants are often very similar, right down to the "testimanials" (sic).

More information on rogues can be found in the latest Security Intelligence Report (SIR).

-- Hamish O'Dea

On July 14, the MMPC added another fake security software program (rogue), Win32/FakeSpyPro, to the MSRT release. As of July 29, MSRT removal of FakeSpyPro had been reported from 187,258 machines worldwide. Rogues continue to be disruptive worldwide. Three families (FakeSpyPro, InternetAntivirus and FakeXPA) that feature in the following list of top threats worldwide reported by MSRT are rogues.

Worldwide
Family              Threats    Machines Cleaned
Taterf              460,015             392,821
Renos               320,355             223,417
Koobface            370,744             200,364
FakeSpypro          187,258             185,229
Alureon             166,563             148,945
Rbot                150,103             143,565
InternetAntivirus   137,171             134,050
Frethog             137,819             127,570
FakeXPA             100,170              95,965
Zlob                 90,981              84,752

China
Family              Threats    Machines Cleaned
Ceekat               33,893              32,165
Frethog              12,429              11,211
Lolyda               16,464              10,955
Hupigon              11,002              10,398
Parite               15,991               8,296
RJump                 7,811               4,850
Rbot                  4,646               4,522
Corripio              3,039               2,489
Zuten                 2,795               2,439
Brontok               1,929               1,901

Brazil
Family              Threats    Machines Cleaned
Bancos               73,930              61,646
Taterf               25,569              23,522
Banker               22,510              19,426
Banload              20,609              16,923
Frethog              14,721              13,591
Rbot                 11,527              11,067
Cutwail               7,650               4,795
Zlob                  3,895               3,728
Virut                 5,322               3,689
Renos                 5,559               3,485

* Password stealers in italics

Data from countries such as China and Brazil shows a different threat landscape, however. None of these rogues were seen in the top threats detected in either China or Brazil.  Additionally:

  • Five of the top threat families in China are online game PWS: Ceekat, Frethog, Lolyda, Corripio and Zuten. Only one of them, Frethog, is in the top detected threats list worldwide.  This may be explained by the fact that massively multiplayer online role-playing games (MMORPGs) are extremely popular in China.
  • Three of the top detected families, Bancos, Banker and Banload in Brazil are online banking PWS, none of which are in the most detected threat list worldwide. This indicates that criminals continue to see value and therefore continue to invest in targeting online banking sites in Brazil (even though these PWS appeared in the wild more than four years ago).
  • Hupigon is very prevalent in China while not seen as much worldwide. It is a complicated backdoor that employs stealth and contains keylogging and PWS payloads.
  • Taterf and Frethog are the two MMORPG PWS that are prevalent in Brazil and also prevalent worldwide. Games such as Rainbow Island, Cabal Online, Lineage, MapleStory, Legend of Mir, World Of Warcraft, etc. targeted by these threats have a large fan base worldwide, apparently including Brazil.

Refer to this list to obtain and install a full AV product for your computer to get protected from these PWS threats.

--Scott Wu

 

We’ve been working hard, have heard your feedback, and are excited to announce V2 of the MMPC Portal!  This new portal contains several new features including streamlined sample submission and tracking, which is made possible by creating an MMPC profile. When you log in, the information saved in your MMPC profile auto-populates the sample submission form, thereby expediting the submission process. You can then monitor the status of your submission online – if you are logged in (using your MMPC profile) while submitting a sample, we will allow you to view details for all samples you have submitted in the past. In effect we now have ‘one stop shopping’ for sample submission and tracking.

MMPC Portal V2 includes a change log which allows you to see new and updated detections in the most recent definition versions.  We have also implemented RSS feeds for encyclopedia entries, active malware lists, and the change log to allow you to stay up to date.  We have streamlined our UI to improve accessibility to content, extended existing content, and created new content. The new content includes a ‘guidance and advice’ section, improved encyclopedia content/organization, expanded glossary, a list of recent research papers, updates on news and events, highlights around awards and certifications, as well as an introduction to our team.

We’re also looking forward to the new security blog aggregator page on the Microsoft web site that will be live tomorrow. This new page consolidates the latest blog posts from several teams including the MMPC and our colleagues in the MSRC, and is a great way to keep up to date on the latest security news from Microsoft.

We hope you enjoy the new portal as much as we do!

-- Monilee Atkinson

Users today are offered choices among many security products, any number of which are sufficient, and none perfect.  Along with these products are myriads of product test results and certifications, all there to help you make a better, more informed decision on which product to use.  And as product developers, we’ll point to the tests and reviews that best represent our product. (Like this recent report on the just released Microsoft Security Essentials Beta and the most current AV-Comparatives test showing Windows Live OneCare (OneCare) reaching the vaunted status of Advanced+.)

But are the tests doing what they ought to do?

I would like to take this opportunity to present a case for advancing the methodology of testing security products.

In all the time that this industry has been in place, product testing has been conducted by throwing huge numbers of malware samples at the product and seeing how well the product detects them.  "Improvement" in testing was measured by increasing the number of samples.  "Comprehensiveness" meant having millions instead of thousands, and covering the many types of malware instead of just lots of it.  Only recently has consideration of false positives (FPs) finally begun to influence the interpretation of test results.

(An example: it is this concept of false positives that allowed OneCare to win the latest AV-Comparatives test.  There were two other comparable products, one scoring a detection rate higher and one the same as OneCare.  But, because they also were among the highest in FPs (over 15 FPs), both fell to Advanced. OneCare only had 0-2 false positives, the lowest of all tested products, and the only one in this lowest category.)

Because false positives cause unnecessary upheaval that may result in nonfunctioning machines, and because a high detection rate is often directly correlated with the propensity to FP, we would like to recognize AV-Comparatives, and all the other testers and certifications that do not blindly judge detection capability without consideration for false positives.  And our hat's off to Virus Bulletin for having had a no-FP requirement for its VB100 Award for the longest time.

So, the recognition that false positives are an important consideration in the interpretation of test results is now becoming standard.  What next to make tests more meaningful for the real user? 

As I mentioned before, the standard way of testing is to throw lots and lots of malware at the products and present a detection percentage.  This is then presented as a measure of the quality of the product.

But does that really represent quality for the average user?  The tests do not simulate the likely scenario on our machines at home or at the office.  So, how is the result then meaningful?  If a product misses 1% more than another, are those 10,000 samples in a million meaningful to you?  Maybe it's 10,000 distinct samples of a single server-side polymorphic trojan from one site that your browser happens to warn you not to visit?  Or, they might be mostly comprised of a set of targeted attacks.  Important to the targeted entity and the products they use, but for you or me?

How do we fix this?

One of the best advances in the security industry in recent years is the ability we have to capture telemetry about the malware cases we encounter.  The data associated with malware infections enables us to produce the semiannual Security Intelligence Report.  And selective use of prevalence reports enables us to make decisions each month regarding the best way for the MSRT to protect the eco-system.  Others in the industry make use of their telemetry to also produce reports, and free tools to clean up the most prevalent malware affecting the eco-system.

What we need to do is to incorporate this data in the tests.  To accomplish this, the Microsoft Malware Protection Center (that’s us), in its arrangements that give other security vendors access to the malware we collect, has started to also provide normalized prevalence data to other security vendors, security industry testers, and the WildList Organization.

Tony Lee manages our collection of malware and its distribution to our partner security vendors who care to participate in the Microsoft Virus Information Alliance (VIA).  He will contribute the next section of this blog…

Malware manages to evolve in its ability to distribute, mutate and update itself at an increasingly fast pace – we’re often talking about hours and days here. Malware also targets various sizes and groups of the population. These infection characteristics pose challenges to AV product testing, both in the demographic and chronological sense. In order to meaningfully reflect a product's ability to protect its users, the testing methodology employed needs to have an up-to-date and accurate view of the threat landscape.

Through telemetry collected by our various antimalware products, we are able to observe, in near real time, what is statistically significant in reflecting the state of threat activity in the wild. For example, by observing a threat's first-seen and last-seen dates and its occurrences during various periods of time, we can assess its age, severity and activity trend at both the file and the threat level.

Recently, I established an experimental program to share this prevalence data with our security partners. We have received very positive feedback and suggestions. At the core of this program is an automation process that monitors notable new threat activity as it takes place in the field. The process then aggregates, analyzes and publishes this data to security partners over an encrypted channel, on a daily basis. Recipients of this information can assimilate this data over time and construct a view similar to the example below:

SHA1: 18375FD78CDE1E1B7291FBC37831CB36013895FD
MD5: 9FFCA5614A1032B0709ECAB67DF10F49
Total Reports: 17,052
File Size: 96,047
 
We also share weekly information in a Top 100 list; the top 20 in the report generated July 10th are shown here:

Rank  SHA1                                      Threat Name                                                            ITW Index
1     57fba4d10135c316676b9ad6c0c01c36dc63203a  Worm:Win32/Koobface.gen!D [generic]                                    56
2     52c9b8405ba34081e64482cdc843bc4c86201e03  VirTool:WinNT/Koobface.gen!B [generic]                                 50
3     0a7499954d78214189824f8c5cda0b8267882921  Worm:Win32/Koobface.gen!D [generic] [non_writable_container]           43
4     8fc4a8c85c97b1094014fab96fc1135e79e6a41a  TrojanProxy:Win32/Koobface.gen!C [generic] [non_writable_container]    38
5     7017d9cc703d195240679158e4f4bb229c25db5d  Trojan:Win32/Liften.A [non_writable_container]                         37
6     93afca82dc4e0e78a61740dd21cfa1e13ef638ab  TrojanDownloader:Win32/Small.gen!B [generic] [non_writable_container]  36
7     51dd6f7bea5c1f8bcac756e34da0964af1193a36  Trojan:Win32/Matcash.gen!M [generic]                                   34
8     04cb20e91195126351fdd8ec472e663bfed5b452  Backdoor:Win32/Delf.B [non_writable_container]                         33
9     db9d18d257df0bb2ef894e3c25dbe42fb787ed34  Trojan:Win32/Tibs.gen!lds [generic]                                    25
10    85589f11ab008a9954acb9a80d97836d40c8d464  Trojan:Win32/Vundo.gen!AN [generic]                                    25
11    e28580d1d635e7e4702b5975a00ceb61762d6a11  TrojanDownloader:Win32/VB.XR                                           23
12    3ed104ed15396c6a45d12621b577211700193179  PWS:Win32/Daurso.gen!A [generic] [non_writable_container]              23
13    245bfc230c2f93304dcd741000e4c53197b081cc  PWS:Win32/Daurso.gen!A [generic] [non_writable_container]              22
14    b2268207ea777d07620f983f96f51da34c7bb3bf  PWS:Win32/Daurso.gen!A [generic] [non_writable_container]              22
15    2160b1794492f332ded96514785265ce4d21e8ef  Trojan:Win32/C2Lop.gen!B [generic]                                     22
16    0890ff9aa1b4330561f53bb11a3fb00446515477  Trojan:Win32/Killav.gen!A [generic]                                    19
17    8579da5efc66348179bd9ea9985478887e2a5946  Trojan:Win32/Ertfor.A                                                  17
18    948f6e13e36170a94f32edabb71c1e5b45324724  VirTool:Win32/Injector.gen!G [generic]                                 17
19    a07938f44a443026ace653e8181518910fb3d103  Trojan:Win32/Vundo.gen!AN [generic]                                    17
20    3ce19165aeb97e92d4e55ba0fbe73c0aeea51d51  VirTool:WinNT/Koobface.gen!B [generic]                                 16

* ITW Index is an abstract representation of one element against another; it does not represent actual count.

We hope that sharing this type of information can help security vendors prioritize resources to combat malicious threats in the wild. It is also our goal to encourage, by example, other security vendors to share data with AV product testers; the testers can then analyze and aggregate this data to better assess the relevance of threats and weigh them meaningfully in their tests.

[- Tony]

The examples above make a very good contrast to a password stealer that I encountered when someone passed me a spam message from within an MMORPG I was playing (SHA1: 3BC300E799D57601004692D3E1282637535257FA, MD5: A662DF230142E1E10DB4E8A2865E3AB7). I downloaded it and submitted it so our products would be able to protect against it. And to this day, there has been no outside telemetry of this piece of malware. But from a tester's perspective, my password stealer and each of the above examples shown by Tony are all the same, despite the fact that all of Tony's samples have been noticed on users' machines significantly more times.

So, I would propose this method for a test strategy to get people to start thinking along these lines:

  1. Test samples are gathered with accompanying telemetry.
  2. Statistics are normalized per contributor, so that a larger company with more seats does not overwhelm another contributor's telemetry.
  3. A function that rates the significance of each test sample is applied to the normalized statistics, and each sample is granted a value.
  4. Detection of a sample earns points equal to that sample's granted value.

Here is an example:

                     Prevalence
Sample A:                50
Sample B:                25
Sample C:                15
Sample D:                 5
Sample E:                 2
Next 100 samples:         3 (combined)

If a product misses only E, it would have a score of 98.
If a product detects only A, B, C, D and E, it would score 97.
If a product misses only A and gets everything else, it would score 50.

I've simplified the example greatly, but you should be able to see that the product is being rated on its ability to detect what users are likely to encounter (and have encountered). The significance is that it is far more important to be protected against sample A, because it is so much more prevalent: it alone accounted for half of all infections!
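The four steps above, carried through in code. This is an added worked example, not code from the post: the contributor names, sample labels and report counts are constructed, and the rating function (value proportional to normalized prevalence, scaled to 100 points) is one simple choice where the post leaves the function open.

```python
"""Prevalence-weighted detection scoring, following the four-step test
strategy in the post. Added worked example, not code from the original post;
the contributor names, sample labels and counts below are constructed."""
from collections import defaultdict


def normalize_per_contributor(telemetry):
    """Step 2: convert each contributor's raw counts into fractions of that
    contributor's own total, then average the fractions across contributors.
    A contributor with a thousand times the seats therefore gets the same say
    as a small one. `telemetry` maps contributor -> {sample: report count}."""
    weights = defaultdict(float)
    contributors = [c for c in telemetry.values() if sum(c.values()) > 0]
    for counts in contributors:
        total = sum(counts.values())
        for sample, count in counts.items():
            weights[sample] += count / total / len(contributors)
    return dict(weights)


def assign_values(weights, scale=100.0):
    """Step 3: the rating function. This example uses the simplest choice,
    value proportional to normalized prevalence, scaled so that all values
    sum to `scale`. The post leaves the choice of function open."""
    total = sum(weights.values())
    return {s: w / total * scale for s, w in weights.items()}


def score(values, detected):
    """Step 4: a product earns each detected sample's value, so a miss costs
    exactly that sample's value and missing the most prevalent sample hurts
    far more than missing a rare one."""
    detected = set(detected)
    return sum(v for s, v in values.items() if s in detected)


# Constructed telemetry from one contributor whose counts reproduce the
# figures in the post: A 50%, B 25%, C 15%, D 5%, E 2%, and a tail of 100
# rarely seen samples sharing the remaining 3%.
POST_EXAMPLE = {"A": 5000, "B": 2500, "C": 1500, "D": 500, "E": 200}
POST_EXAMPLE.update({f"tail{i:03d}": 3 for i in range(100)})
POST_VALUES = assign_values(normalize_per_contributor({"lab": POST_EXAMPLE}))

# Constructed two-contributor case showing why step 2 matters: summing raw
# counts would say sample X is 90% of the field; normalization says 50%.
TWO_CONTRIBUTORS = {
    "big":   {"X": 90_000, "Y": 10_000},
    "small": {"X": 10, "Y": 90},
}


def post_scores():
    """The three products from the post's example."""
    everything = set(POST_VALUES)
    return {
        "miss_only_E": score(POST_VALUES, everything - {"E"}),
        "only_A_to_E": score(POST_VALUES, {"A", "B", "C", "D", "E"}),
        "miss_only_A": score(POST_VALUES, everything - {"A"}),
    }


if __name__ == "__main__":
    for name, s in post_scores().items():
        print(f"{name}: {s:.1f}")
    print("normalized two-contributor weights:",
          normalize_per_contributor(TWO_CONTRIBUTORS))
```

With the constructed counts the three products score 98, 97 and 50, as in the post. The two-contributor case is the reason for step 2: without normalization the large contributor's seat count, not the threat landscape, would decide which samples matter.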

It will take some time, just as it took time for most testers to fully recognize that detection scores cannot disregard the accompanying false positives. And even if testers don't fully embrace this type of testing, we hope that we have opened their minds to making their test sets a better representation of what is meaningful to their constituents, the computer-using public.

-- Jimmy Kuo and Tony Lee

The family added to the July MSRT release is Win32/FakeSpypro. As is often the case with rogue security software, it uses multiple "names" over time. The current branding used by Win32/FakeSpypro is "Antivirus System PRO"; the previous incarnation was "Spyware Protect 2009".

The "user interface":

 

Typically, Win32/FakeSpypro assaults the user with a barrage of system tray warnings, fake firewall messages and other pop-ups displaying fake warning messages.



The ultimate goal, of course, is to part the end user from their money. On websites that look like the following, you may purchase a copy of Win32/FakeSpypro for the princely sum of $49.95 US!

Win32/FakeSpypro also drops and installs a browser helper object (BHO). This component can redirect queries sent to internet search engines such as "live.com". The redirection is performed selectively, for example when a search term like "antivirus" is used, and the user is then presented with a fraudulent warning page in the browser such as the one displayed below:

Win32/FakeSpypro may arrive on a system via different paths. For example, it may be dropped by Win32/Preald, downloaded by Win32/Branvine or Win32/Bredolab, or downloaded by prevalent spam bots such as Win32/Waledac and Win32/Cutwail. The MMPC has also observed Win32/FakeSpypro being installed via common exploit "kits" in the wild.

--Scott Molenkamp

Since Independence Day has just passed, it probably looked appealing to the Waledac guys as the hook for another campaign. The Waledac malware family is known for using special and recent events to increase its chances of infecting computers; we have blogged about past Waledac spam runs such as those around Valentine's Day and last year's US presidential election. Now we have seen Waledac take advantage of this holiday to send out another campaign.
 
The “Independence” spammed e-mail looks like this:

4th of July e-mail

Please be advised that the actual subject and body of the e-mail may vary, as may the links you are redirected to. But the idea is the same: to get you to watch the “Independence fireworks”.

Other websites may include, but are not limited to, the following:

movie4thjuly.com
video4thjuly.com
moviefireworks.com
4thfirework.com
fireholiday.com
etc.

Waledac usually registers quite a large list of new domains for each campaign, so the real list is considerably longer.
Once you visit the “Independence” website, you are directed to a fake YouTube look-alike page. Presumably you are supposed to watch a video of amazing fireworks and some other “goodies” here.
 
Fake video site

Actually, what happens is that you are asked to run an executable instead, as you can see in the next picture; in this case it is “setup.exe”. This is the old fake-codec trick with a slight twist.

Please bear in mind that the actual filename might change to something enticing like "movie.exe", "fireworks.exe", etc.

code dump

If you run this on a machine protected by Microsoft products (Microsoft Forefront, Windows Live Onecare, Microsoft Security Essentials), you’ll get a pop-up saying that Trojan:Win32/Waledac.gen!A was detected and stopped.

In the words of Capt. Steven Hiller (Will Smith) from Independence Day (the movie)  “Didn't I promise you fireworks? ”.
 
We also advise you to stay away from any "fireworks" e-mails you may receive.

-- Andrei Saygo && Patrik Vicol

Hi, Ziv Mador again. This week I’m attending the FIRST conference in Kyoto, Japan along with four of my Microsoft colleagues: Steve Adegbite, Andrew Cushman, Jonathan Ness and Dan Wolff.

Today Jonathan, Steve and I gave a presentation about Microsoft's response to the attacks that exploited a 0-day vulnerability back in the fall of 2008. Microsoft released security update MS08-067, which fixed that vulnerability. Given the wormable nature of the vulnerability, we strongly encouraged customers to install the security update, for example in the following blog post. In the days, weeks and months following the bulletin release, malware exploiting MS08-067 was launched, including the widely known Conficker worm. In our presentation we described the evolution of those exploits and the steps Microsoft has taken to mitigate the threats.

FIRST is a worldwide organization of response teams and the annual FIRST conference is an international event. Nearly 400 researchers from 52 countries are attending the event this year. It is a great example of collaboration and information sharing in the security industry. Microsoft is a member and returning sponsor of FIRST. We participate in FIRST in order to share our experience and best practices and to encourage collaboration and community based defense to meet current and future challenges. Microsoft also participates in other forums. For example, it participates in the Conficker Working Group which helps mitigate the Conficker worm.

Kyoto includes many different historical sites as it used to be the Imperial capital of Japan for about a thousand years. One of these sites is the Nijō Castle.

 

The architects of this castle designed several defense systems. There are two rings of fortifications, each consisting of a wall and a wide moat, which obviously made an attack on the castle more difficult. But another interesting security feature was used there: the floors in the corridors were built so that they chirp like birds when people step on them. That is why they are called uguisubari, or nightingale floors. This feature let the defenders of the castle know immediately when someone had entered, possibly with malicious intent. It is probably one of the earliest security warning systems ever developed.

This castle, like the Red Fort in Agra which David described in an earlier blog post, illustrates some of the basic ideas of defense systems that also apply to modern computer networks: to secure them you need an effective warning system, multiple defensive layers, and plans for response and recovery. Conficker is a good example here. The later variants of this worm spread using multiple vectors: they exploit MS08-067 to infect other computers on the network, but they also spread through shares with weak passwords and through removable media and AutoRun. That means that even if an organization deploys every security update as soon as it is released, it still has not mitigated the risk of infection. To minimize that risk, the organization must also ensure that shares use strong passwords, disable AutoRun (or educate users to select only the legitimate options), and use up-to-date antivirus, an enterprise firewall, IPS systems and so on. In short, modern computer networks should be protected the same way as Nijō Castle: with a multi-layered defense.

Keep safe,
Ziv Mador

On May 28, our colleagues at the Microsoft Security Response Center released advisory 971778, which elaborated on a new vulnerability in Microsoft DirectShow affecting Windows 2000, Windows XP and Windows Server 2003. You can obtain more details on how to protect your environment from this vulnerability from the Microsoft SRD blog.

We have been closely monitoring the malware landscape for threats that leverage exploits against this new vulnerability. Based on MAPP information provided to us, we developed and released a generic detection for malformed media files, Exploit:Win32/CVE-2009-1537. We have also developed detections for the known malicious web pages, as Exploit:JS/Mult.BM or Trojan:HTML/Redirector.I. Our security products, such as Windows Live OneCare, Microsoft Security Essentials and Forefront Client Security, can block access to these malformed media files with signature definition update version 1.59.798 or higher.

While we are aware of several distinct files containing these exploits, based on our telemetry the number of affected customers is very low. For our fellow researchers at other security companies, here are the hashes of some malformed media files:

SHA1                                      MD5
2203a2e9a22f8eedb14afbf12af7ce9e70b1abd9  7334880a6ca750db02530fb66ba426ad
9b9e829eeb5215a6d6970a37d42672f5e1504846  40f56aacb823a28c2b70287692c4a338
bcd76e2c4c174b8bf5866cc0dbd2233db809b05d  599c92d7ee4f404ebe1ccf2034bee60f

The known exploits follow a typical drive-by attack scenario, as shown in the following diagram:

Users who visit a specially constructed web page that invokes the vulnerable media plug-in encounter exploit shellcode, which then executes and downloads additional malware to the compromised machine. To bypass antimalware protection, the malware binaries are encrypted in the download data stream.

New dog, same old tricks. To wrap up the attack scene, under the cover of the new exploits are the old long-lived online-game password stealers:

PWS:Win32/Wowsteal.AP (drops PWS:Win32/Wowsteal.AP.dll)
TrojanDropper:Win32/Dozmot.C (drops PWS:Win32/Dozmot.C and VirTool:WinNT/Dozmot.A)
TrojanSpy:Win32/Lydra.AE

We recommend you revisit these security tips during your online and gaming adventures. As usual, be cautious when visiting web sites and opening movie files from untrusted sources, and make sure your antivirus software is up to date. Microsoft will release a security update for this issue and once that happens, install it immediately.

-- Lena Lin, Cristian Craioveanu, Josh Phillips & Patrick Nolan

 