• Additional Information on Conficker – MSRT removing Conficker

    Over the last few days I blogged several times about Conficker, and some of the posts caught quite some press attention, especially when I talked about Russian Roulette.

    Today I have very, very good news: the Malicious Software Removal Tool (MSRT) which we release today includes signatures to remove Conficker, as far as we understand this beast today. Let me be clear upfront: MSRT cleans up after the fact and is no replacement for an up-to-date anti-malware solution!

    The information in this post is as far as I have it as of today. The links below give you the authoritative guidance:

    How do you realize that you are infected?

    Trust me, you will know! If you have Account Lockout Policies set, your accounts will be locked, as Conficker.B brute-forces passwords against the accounts it finds while trying to spread. In parallel, you will see a significant increase of authentication requests on your DCs for the same reason. Most probably you will find a significant increase in network traffic as well, and last but not least your clients may behave strangely.
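    A practical way to turn those lockouts into a list of suspect machines, added here as an example that is not part of the original post: on a DC, each lockout is written to the Security log, and the event text names the computer that presented the bad passwords, so grouping lockouts by that computer points you at the infected hosts. The function assumes event 4740 (Windows Server 2008 DCs) or 644 (Windows Server 2003 DCs) with a "Caller Computer Name:" or "Caller Machine Name:" line; check the event text on your own DCs before relying on the regex. The sample events are constructed, not real log data.

```powershell
# Added example, not part of the original post. Assumptions to verify on your
# own DCs: lockouts are logged as event 4740 (Windows Server 2008) or 644
# (Windows Server 2003) and the event text carries a "Caller Computer Name:"
# (4740) or "Caller Machine Name:" (644) line naming the host that sent the
# bad passwords.

function Get-LockoutSources {
    param(
        [object[]] $Events,        # Security-log events (Get-EventLog output, or lookalikes)
        [int]      $Threshold = 3  # lockouts from one host before we report it
    )
    $bySource = @{}
    foreach ($e in $Events) {
        if (@(4740, 644) -notcontains $e.InstanceId) { continue }

        # Host that presented the bad passwords; 644 writes it as \\NAME, 4740 as NAME.
        if ($e.Message -notmatch 'Caller (?:Computer|Machine) Name:\s*\\?\\?(\S+)') { continue }
        $source = $Matches[1].ToUpper()

        # Locked-out account: 644 says "Target Account Name", 4740 lists it as the
        # last "Account Name" (the first one is the DC's own computer account).
        $names   = [regex]::Matches($e.Message, '(?:Target )?Account Name:\s*(\S+)')
        $account = if ($names.Count -gt 0) { $names[$names.Count - 1].Groups[1].Value } else { '?' }

        if (-not $bySource.ContainsKey($source)) {
            $bySource[$source] = New-Object PSObject -Property @{
                Source    = $source
                Lockouts  = 0
                Accounts  = @()
                FirstSeen = $e.TimeGenerated
                LastSeen  = $e.TimeGenerated
            }
        }
        $row = $bySource[$source]
        $row.Lockouts++
        if ($row.Accounts -notcontains $account) { $row.Accounts += $account }
        if ($e.TimeGenerated -lt $row.FirstSeen) { $row.FirstSeen = $e.TimeGenerated }
        if ($e.TimeGenerated -gt $row.LastSeen)  { $row.LastSeen  = $e.TimeGenerated }
    }

    # One lockout from a host is a user with a bad password; many lockouts across
    # many accounts in a short window is a worm guessing passwords.
    $bySource.Values |
        Where-Object { $_.Lockouts -ge $Threshold } |
        Sort-Object Lockouts -Descending |
        Select-Object Source, Lockouts,
            @{ n = 'DistinctAccounts'; e = { @($_.Accounts).Count } },
            FirstSeen, LastSeen
}

# Constructed sample events (not real log data) so the function can be tried offline:
# six lockouts of six different accounts from WS-042 and a single one from LAPTOP-7.
$base   = Get-Date '2009-01-20 08:00'
$sample = @()
foreach ($i in 1..6) {
    $sample += New-Object PSObject -Property @{
        InstanceId    = 4740
        TimeGenerated = $base.AddMinutes($i)
        Message       = "A user account was locked out.`r`n`r`nSubject:`r`n`tAccount Name:`t`tDC01`$`r`n`r`n" +
                        "Account That Was Locked Out:`r`n`tAccount Name:`t`tuser$i`r`n`r`n" +
                        "Additional Information:`r`n`tCaller Computer Name:`tWS-042"
    }
}
$sample += New-Object PSObject -Property @{
    InstanceId    = 644
    TimeGenerated = $base.AddMinutes(30)
    Message       = "User Account Locked Out:`r`n`tTarget Account Name:`tjsmith`r`n" +
                    "`tCaller Machine Name:`t\\LAPTOP-7`r`n`tCaller User Name:`tDC02`$"
}

Get-LockoutSources -Events $sample | Format-Table -AutoSize

# Against a real DC (elevated prompt), feed it the Security log instead, and do this
# on every DC, because a lockout is logged on the DC that processed the bad passwords:
#   Get-LockoutSources -Events (Get-EventLog -LogName Security -InstanceId 4740,644 -After (Get-Date).AddHours(-24))
```

    With the constructed sample, only WS-042 clears the threshold; LAPTOP-7 locked a single account once, which is what a typo looks like, and is filtered out. The threshold is deliberately a parameter: on a large domain a handful of lockouts per host per day is normal noise, so tune it against a quiet day before trusting the list.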

    If you have it, what can you do against it?

    Patch first! So, before you do anything else, deploy MS08-067. I already said once that you are playing Russian Roulette if you do not. From there on, you have to clean the mess. But first, make sure you use strong passwords (Conficker is trying to break them). Here you find some good information and guidance on passwords:

    What you should know about strong passwords:

    http://www.microsoft.com/technet/security/prodtech/win2003/w2003hg/sgch00.asp

    http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/default.mspx

    http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/windows_password_tips.asp

    Password Best Practices:
    http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/windows_password_protect.asp

    Accounts Passwords and Lockout Policies:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

    Account Lockout and Management Tools:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&displaylang=en

    If you want to change all your local Admin passwords and manage them, Steve Riley provided a tool called Passgen.

    Then clean up…

    You have different options to do the clean up:

    • Forefront and OneCare were among the first solutions to clean Conficker and have done so for quite a while. Our free online scanner does it too (and has for quite a while). You can find it on http://safety.live.com
    • The updated Malicious Software Removal Tool removes it as well. However, remember that Conficker breaks Automatic Updates too, so if you are infected you have to download and deploy it manually. Here are the relevant KBs:
      • KB890830 The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Vista, Windows Server 2003, Windows XP, or Windows 2000 http://support.microsoft.com/kb/890830
      • KB891716 Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment http://support.microsoft.com/kb/891716
    • There are definitely other AV products that remove it as well. Check with your vendor whether their product removes Conficker or only detects it.

    One final thing: if you are infected, do NOT log onto the system with a domain account, if at all possible, and especially NOT with a Domain Admin account. Log on with a local user account. The malware appears to impersonate the logged-on user and access network resources under that user's credentials so it can spread.
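    Before you start cleaning, it helps to know which boxes are actually patched and which ones have already lost Automatic Updates. The following is an added example (not from the original post) that checks both for one or more hosts and also warns if you are running it under a domain account, which is exactly what the paragraph above advises against. It assumes that MS08-067 is installed as hotfix KB958644 (the KB number is not in the post; check the bulletin for your OS), that the hotfix is visible through WMI's Win32_QuickFixEngineering, and that the Automatic Updates service is named wuauserv. A stopped or disabled wuauserv is only a hint, since an administrator may have switched it off on purpose.

```powershell
# Added example, not part of the original post. Assumptions: MS08-067 is
# installed as hotfix KB958644 (the KB number is not in the post; check the
# bulletin for your OS), the hotfix is reported by Win32_QuickFixEngineering
# under that HotFixID, and the Automatic Updates service is named wuauserv.

function Test-ConfickerReadiness {
    param(
        [string[]] $ComputerName = @($env:COMPUTERNAME),
        [string]   $PatchKB      = 'KB958644'
    )
    foreach ($c in $ComputerName) {
        $r = New-Object PSObject -Property @{
            Computer        = $c
            MS08067Present  = $false
            WuauservRunning = $false
            WuauservStart   = 'unknown'
            Verdict         = ''
        }
        try {
            $fix = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $c -ErrorAction Stop |
                   Where-Object { $_.HotFixID -eq $PatchKB }
            $r.MS08067Present = [bool]$fix

            $svc = Get-WmiObject -Class Win32_Service -ComputerName $c -Filter "Name='wuauserv'" -ErrorAction Stop
            if ($svc) {
                $r.WuauservRunning = ($svc.State -eq 'Running')
                $r.WuauservStart   = $svc.StartMode
            }
        } catch {
            $r.Verdict = "unreachable: $($_.Exception.Message)"
            $r
            continue
        }

        # Order matters: an unpatched box gets reinfected over the network no matter
        # how well you clean it, so the patch verdict comes first. A stopped or disabled
        # Automatic Updates service is only a hint, since an admin may have done that on
        # purpose; treat it as "scan this box", not as proof of infection.
        $r.Verdict = if (-not $r.MS08067Present) {
                         'PATCH NOW: MS08-067 missing'
                     } elseif (-not $r.WuauservRunning -or $r.WuauservStart -eq 'Disabled') {
                         'Automatic Updates off: suspect, scan with MSRT / AV'
                     } else {
                         'ok'
                     }
        $r
    }
}

# Heed the logon advice above: cleaning from a domain account hands the worm
# credentials it can spread with.
if ($env:USERDOMAIN -ne $env:COMPUTERNAME) {
    Write-Warning "Running as $env:USERDOMAIN\$env:USERNAME (a domain account); on a suspect host use a local account."
}

Test-ConfickerReadiness |
    Format-Table Computer, MS08067Present, WuauservRunning, WuauservStart, Verdict -AutoSize
# Several hosts at once:  Test-ConfickerReadiness -ComputerName ws01, ws02, srv-file01
```

    Run it from an elevated prompt; remote WMI needs the usual RPC access and admin rights on the target, and a host that does not answer is reported as "unreachable" rather than silently skipped, because an unreachable box in the middle of an outbreak deserves a visit, not a blank line.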

    So, that’s it for the moment.

    I hope it helps

    Roger

  • Microsoft Diagnostics and Recovery Toolset

    Well, we call it simply DaRT. You know the feeling: a machine does not boot anymore, crashed, has a virus you cannot clean with the OS in a running state, or any of the other nightmare scenarios in daily operations of computers. Recovery toolsets have been around for quite some time, but with our acquisition of the Sysinternals tools the value of ours grew significantly. I just tested the latest version for Vista and believe me, it rocks (as far as a tool can rock that tries to recover me from a crash…). If you need information on this, there you go: Microsoft Diagnostics and Recovery Toolset

    Let me give you a very brief insight:

    Basically DaRT is based on the Vista Recovery Toolset. So, when you boot, you get a pretty familiar screen:

    The only difference is that you see the link at the bottom to the Microsoft Diagnostic and Recovery Toolset, where all the magic happens :-). If you choose it, you get a broad selection of tools:

    ERD Registry Editor: A registry editor for the OS you selected during the boot time

    Explorer: Speaks for itself: Browse through the disks

    Locksmith: With Locksmith you can reset the passwords of all the local accounts. (You need physical access to the box to do this, and have a look at this post before we start a big discussion on it: Windows Vista Recovery Console and the Password.)

    Solution Wizard: This is a cool thing. If you are unsure which tool you need to use, try this wizard and you are guided to the solution:

    Crash Analyzer: If you have a minidump on the disk and a debugger is included on the boot media, you can analyze crash dumps from here

    TCP/IP Config: Obvious thing, but often I failed to access any resource on the network with other recovery toolsets because I could not change the network configuration (e.g. I have a fixed IP, am on a different network and should simply be able to switch DHCP on).

    File Restore: Restore accidentally deleted files

    Hotfix Uninstall: If your system does not boot anymore because of a hotfix, this is the way to remove it (even though this never happens, does it?)

    Disk Commander: Tools to fix your disk if you have problems with it.

    SFC Scan: As the title says: Repair your system files

    Disk Wipe: Securely erase your disk

    Search: Hmm, cannot remember what this tool does :-)

    Computer Management: It is not the "normal" Computer Management console, as the OS is not running, but a console for some repair activities.

    Standalone System Sweeper: I do not like this too much as it is a tool to look for malware, rootkits etc.

    So, this tool is definitely something you should look into. Download the trial!

    Roger

  • The Value of Operating System Comparisons

    Since Blaster/Slammer, namely since the start of Trustworthy Computing, I have been working at Microsoft in a publicly facing security role. I went through all the blaming and had to take all the heat of what we did wrong and how bad we are – and I admitted there and still do today that security was not a priority for Microsoft back then (and if you quote me, please quote the whole sentence :-)). However, we changed dramatically and I am convinced that Microsoft is one of the few companies of such a size having the capability to change within the timeframe we did, and the change will go on.

    When I did my first presentation on Trustworthy Computing, I stated publicly that this is an industry initiative and not a "Microsoft only thing" – and the people laughed at me. They told me that Microsoft is THE problem and that we will never change. When I looked at the figures of e.g. vulnerabilities back then, we saw from the beginning that we were much better than everybody else but were the bigger target and the one that actually made much, much more noise. Finally, we were best in class with incident and vulnerability response. This is my true belief when I look back to that time, and it still is if I am looking at today's industry!

    Since that time until today, I never participated in the discussion about "who is more secure? – Windows, Linux, Mac,…". Why? Well, that is pretty straightforward to tell: there is no value to this discussion from my point of view. We have to know where we stand – this helps to judge where to set the priorities – but basically our customers expect us to deliver the best in class for the market, and so they should! This has to be our target.

    Now you might ask, why I am writing this. Each time a vendor has a major security problem, the discussion starts again. This time Apple got the blame. People were talking of "Mega-Patch" and so on. There started a blog "war" on which OS is more secure. There were titles like:

    And there are people trying to do a comparison: "I don't use Windows! I'm invincible!"

    Does this really add any steps towards a solution of the problem? Most people that are actually "comparing" security of the different Operating Systems are geeks and they are all assuming that everybody is a geek as well.

    Instead of blaming around, I think it is time to come together and look for solutions within the industry. We are competitors in certain areas but to address the "security challenge" the companies have to come together! We support and sometimes even initiated different forums/alliances already to do exactly what I said:

    • VIA (Virus Information Alliance): An alliance where all the major AV-vendors are part of to share information on malware.
    • SAFECode (see my earlier blog): An alliance that helps to share best practices around building secure products

    So, instead of wasting time complaining and telling everybody that A is better than B, that people are stupid, or that you are the one who knows how to configure a system but you do not trust the vendors anyway (typically us), I ask you for a constructive dialogue. We can start it here or you can mail me:

    • Knowing what we are doing already (e.g. Security Development Lifecycle), what do we have to do to improve security for mom and dad?
    • What can we do – from your point of view – to improve our communication?
    • What has the industry to do to even get better?
    • If you are working for a major ISV – join SAFECode to move the industry as a whole.

    I am open for any constructive and open dialogue but not for blaming and bashing.

    Looking forward to your feedback

    Roger

  • Why Windows 7 XP Mode makes sense from a security perspective

    I have to admit: When I first learned about Windows 7 XP Mode I was quite surprised. How can we actually ship an XP Virtual Machine with Windows 7? Well, then I started to think (no, it did not hurt too much)… But before I share my findings with you, let me tell you a story:

    A few months back, a friend of mine called me. He was desperate. He is the owner of a car dealership close to where I live (a pretty big one for Swiss terms) and had decided to renew the business’s IT system. So, they moved to Windows Server 2008 Terminal Server and Windows Vista as a client. They hired an IT shop to do it for them and the migration went pretty smoothly – up until they wanted to start the web application of the car manufacturer. It is one of the German car makes you definitely know and which is well known for the quality of its cars. Unfortunately the web application did not run with Internet Explorer 7. So, they went back to the car manufacturer to learn that they knew about this but had no plans to make it compatible with either IE 7 or IE 8. An alternative browser was not an option either, as the latest versions broke this application as well. He needed a solution, which I could not provide – unfortunately. Finally they decided to let one PC run on XP with IE 6, just to get around the problem for this one task. So, basically they did “Windows 7 XP Mode” – just physical.

    Now, let’s consider such scenarios. I know of companies that have decided to stay with XP and not move to Windows Vista because of concerns over compatibility issues with other applications they run. Their systems no doubt run, but they are depriving themselves of security and privacy enhancements designed to cope with modern threats – bear in mind that XP was designed in 2001 to cope with the threats back then – threats which changed significantly over the last eight years! The impact of Windows Vista as a secure platform is significant, and Windows 7 will build on that foundation.

    Additionally, we know that the browser is one of the most targeted attack vectors in the ecosystem. We shouldn’t be surprised by this, as the browser is the window to the outside world and has to defend the computer against everything coming from the Internet. The security of the browser increased tremendously from Windows XP to Windows Vista, and will again with Windows 7. I deliberately did not say from IE 6 to 7 to 8, even though this is true at least as much as for the OS: the OS provides additional protection, like IE 7 Protected Mode on Windows Vista (which we simply cannot deliver on Windows XP), Address Space Layout Randomization, and so on. That these design changes pay off can be seen in our Microsoft Security Intelligence Report (SIR):

    [Chart from the SIR: attacks on Windows XP]

    In Windows XP, 42% of the successful attacks came through our software; in Windows Vista, this changed tremendously:

    [Chart from the SIR: attacks on Windows Vista]

    This data is in the Security Intelligence Report v5. If we look at the malware infections per operating system in the most recent SIR version 6, there is another reason to migrate to Windows Vista/Windows 7:

    [Chart from SIR v6: malware infections per operating system]

    Looking at all of this, our task basically boils down to “How can we help our customers benefit from the much better protection on today’s Operating Systems and in parallel ensure compatibility.” It is the classical security vs. compatibility problem. Of course we make a huge investment to ensure the operating system is as compatible with old applications as possible but we all know that there will be a point where we simply have to draw a line and put security needs above compatibility.

    From this viewpoint, Windows 7 XP Mode all of a sudden makes sense. It allows our customers to migrate to Windows 7, which significantly lowers the risk of everyday tasks such as web browsing, and still run the roughly 98% of their applications that work natively; the last 2%, which would otherwise have been the issues preventing migration, have so far been covered by XP Mode. Now, to be completely clear here: XP Mode has to be a temporary solution! The only effective long-term answer is to migrate applications to a version that is compatible with today’s operating systems. The XP Mode machine also has to be managed and protected like any other machine: it is a full-blown Windows XP with Internet Explorer 6 connected to the network, so it needs patching, anti-malware and the same policies as a physical XP box. Use it wisely and in a very limited way, but it allows you to migrate to the more secure environment for the everyday tasks.

    And finally, from a user perspective XP Mode can be set up so that the user only sees the legacy application running seamlessly in the Windows 7 environment. So there is not necessarily a full Windows XP desktop where the user can do everything they want: you just give them the legacy applications you want. Here is a picture of how this looks:

    [Screenshot: a legacy application running seamlessly on the Windows 7 desktop via XP Mode]

    If you look at it like that, it is simply a risk management decision: which risk is higher? Leaving our customers on an 8- to 10-year-old operating system for another few years, or helping them migrate to a modern one, accepting the drawback of XP Mode? With XP Mode, we could have helped my friend above without forcing him to run a PC just for the sake of this single application!

    For more information on VirtualPC on Windows 7, please look at http://blogs.technet.com/windows_vpc/ (I “borrowed” the last picture from there)

    Roger

  • Some Windows XP Users Can't Afford To Upgrade

    I just read a post on slashdot:

    During a recent trip to an eye doctor, I noticed that she was still using Windows XP. After I suggested that she might need to upgrade soon, she said she couldn't because she couldn't afford the $10,000 fee involved with the specialty medical software that has been upgraded for Windows 7. Software written for medical professionals is not like mass market software. They have a limited market and can't make back their money in volume because there isn't the volume for an eye doctor's database product like there is for Office or Quicken. With many expecting Microsoft's upcoming end-of-support for XP to cause a security nightmare of unsupported Windows devices in the wild, it seems a good time to ask how many users may fall into the category of wanting an upgrade, but being priced out by expensive but necessary third-party software. More importantly, can anything be done about it?

    Let me briefly give you some insight into a discussion I had a few years ago: I was in touch with a regulator for medical devices, as I wanted to understand their approach to patch management for embedded software. The reason behind my question was that I had talked to hospitals in this country, and the CIOs all told me that they are not allowed to patch/upgrade because they would violate the accreditation of the device. So, when I talked to the regulator, they told me that they require only a proper risk management process by the vendor of the device (not an effective one, just a process) and from there on they do not want to act. They told me that the hospitals need to increase pressure on the vendors to keep software updated, and that the vendor does not have the incentive.

    This is one of the key scenarios that scare me about Windows XP end of life: machines which cannot be upgraded, for legal reasons or because of the economic pressure described above.

    Roger