• Russian Roulette with your Network

    First of all, before I really start, I hope that you all had a great start to 2009. Mine was actually pretty mixed. The good side was how my year really started and what I saw when I looked out of the window on January 1st (yes, I was on vacation skiing, and this was the view almost each and every morning):

    But honestly, this is not the only reason why I wrote this post. There is another one which is much, much more serious:

    Unfortunately there are still plenty of customers playing Russian Roulette with their network. This term was actually used by one of our security engineers (who was kind of upset, to say the least) who had to work on December 31st and January 1st because customers still had not rolled out MS08-067 – and not just one customer! We ran up against our limits in terms of support capacity in EMEA.

    Just to remind you: this is the out-of-band security update we released back on October 23rd, which was then attacked pretty soon afterwards by Conficker.A. But it seems that a lot of customers did not care back then – they were not attacked, so why bother? In the last days of 2008 Conficker.B broke out, and even though it did not spread too widely, the customers who were hit (or still are hit) are hit very, very badly. Account lockouts all over the place, admin passwords that were grabbed (often the Domain Admins) etc. – and we had some really upset engineers, as they had to work instead of having time off because some customers did not do their duty (and that is what patching is, in my view: a duty!).

    And this is not the end of the story:

    • For quite a while, our Anti-Malware solution was the only one that was able to remove the thing. And without an Anti-Malware solution it is close to impossible to actually get rid of it. As always, all the information about the malware was shared with all the partners in VIA (the Virus Information Alliance).
    • Windows NT got infected as well, and the calls came in: what shall we do now? Well, there is not too much you can do. As you might know, Windows NT has been out of support for a long time (since December 31st, 2004 – see our Lifecycle Page if you need more information). Isolate your Windows NT boxes (as you should have done a long time ago) and migrate away from them. I know that there are still a lot of machines with NT embedded – isolate them and work with the vendors to get to an up-to-date version of the OS.

    Let me add a final comment: the story above is not a Microsoft-only story. The same processes and technologies around patch management have to be applied to each and every component of your environment. Back in the Blaster days, we started to tell consumers to do three things to protect their PC:

    1. Switch on your Firewall
    2. Keep your Software Updated
    3. Run an Anti-Malware software and keep it updated

    Guess what: if you had applied 2 and 3 to your network, you would not have been hit by this problem.

    Roger

  • Additional Information on Conficker – MSRT removing Conficker

    Over the last few days I blogged several times about Conficker, and some of the posts caught quite a lot of press attention, especially when I talked about Russian Roulette.

    Today I have very, very good news: the Malicious Software Removal Tool (MSRT) which we will release today includes signatures to remove Conficker, as far as we know this beast today. Let me be clear upfront: MSRT is cleaning up after the fact and is no replacement for an updated Anti-Malware solution!

    The information in this post is the information as far as I have it as of today. The links below give you the ultimate guidance:

    How do you realize that you are infected?

    Trust me, you will know! If you have Account Lockout Policies set, your accounts will be locked out, as Conficker.B brute-forces the accounts. In parallel, you will see a significant increase in authentication requests on your DCs for the same reason. Most probably you will find a significant increase in network traffic as well, and last but not least your clients may behave strangely.
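    As an added illustration of the symptoms described above (example code, not from the original post): a small detector that flags the pattern a password brute force like Conficker.B's leaves on a DC, namely one source host failing logons against many accounts within a short window. The log format is constructed for this example and the thresholds are assumptions to tune for your environment.

```python
# Added example, not from the original post: flag the authentication-failure
# burst that a password brute force like Conficker.B's produces on a domain
# controller. Log format is constructed; thresholds are assumptions to tune.
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample: failed logons as "date time FAIL user=<acct> src=<host>"
SAMPLE_LOG = """\
2009-01-02 08:00:01 FAIL user=jsmith src=WKS-017
2009-01-02 08:00:01 FAIL user=jsmith src=WKS-017
2009-01-02 08:00:02 FAIL user=jsmith src=WKS-017
2009-01-02 08:00:02 FAIL user=Administrator src=WKS-017
2009-01-02 08:00:03 FAIL user=Administrator src=WKS-017
2009-01-02 08:00:03 FAIL user=Administrator src=WKS-017
2009-01-02 08:00:04 FAIL user=backup src=WKS-017
2009-01-02 08:00:04 FAIL user=backup src=WKS-017
2009-01-02 08:15:00 FAIL user=mmueller src=WKS-042
2009-01-02 08:15:09 FAIL user=mmueller src=WKS-042
"""

def parse_events(log_text):
    """Return (timestamp, account, source_host) for each failed-logon line."""
    events = []
    for line in log_text.splitlines():
        date, time, status, user, src = line.split()
        if status != "FAIL":
            continue
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, user.split("=", 1)[1], src.split("=", 1)[1]))
    return events

def brute_force_sources(events, window=timedelta(seconds=60), min_failures=8, min_accounts=3):
    """Map source host -> accounts it hammered, for hosts with >= min_failures failed
    logons against >= min_accounts distinct accounts inside one sliding window.
    A user mistyping hits one account; a worm walking its list hits many from one host."""
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))
    suspects = {}
    for src, evs in by_src.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # shrink window from the left
                start += 1
            recent = evs[start:end + 1]
            accounts = {u for _, u in recent}
            if len(recent) >= min_failures and len(accounts) >= min_accounts:
                suspects[src] = sorted(accounts)
                break
    return suspects
```

    On the sample, WKS-017 is reported (8 failures against 3 accounts in 4 seconds) while WKS-042, a single user retrying once, is not.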

    If you have it what can you do against it?

    Patch first! So, before you do anything else, deploy MS08-067. I have already said that you were playing Russian Roulette if you did not. From there on, you have to clean up the mess. But first, make sure you use strong passwords (Conficker is trying to break them). Here is some good information and guidance on passwords:

    What you should know about strong passwords:

    http://www.microsoft.com/technet/security/prodtech/win2003/w2003hg/sgch00.asp

    http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/default.mspx

    http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/windows_password_tips.asp

    Password Best Practices:
    http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/windows_password_protect.asp

    Accounts Passwords and Lockout Policies:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

    Account Lockout and Management Tools:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&displaylang=en

    If you want to change all your local Admin passwords and manage them, Steve Riley provided a tool called Passgen.

    Then clean up…

    You have different options to do the clean up:

    • Forefront and OneCare were among the first solutions to clean Conficker and have done so for quite a while. Our free online scanner does it too (and has for quite a while). You can find it at http://safety.live.com
    • The updated Malicious Software Removal Tool removes it as well. However, remember that Conficker breaks Automatic Updates too. So, if you are infected, you have to download and deploy it manually. Here are the relevant KBs:
      • KB890830 The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Vista, Windows Server 2003, Windows XP, or Windows 2000 http://support.microsoft.com/kb/890830
      • KB891716 Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment http://support.microsoft.com/kb/891716
    • There are definitely other AV products that remove it as well. Make sure to check with your vendor whether it removes the malware or just detects it.

    One final thing: if you are infected, do NOT log onto the system with a Domain account, if at all possible. Especially NOT a Domain Admin account. Log on with a local user account. The malware appears to impersonate the logged-on user and access network resources under that user's credentials so it can spread.

    So, that’s it for the moment.

    I hope it helps

    Roger

  • Comments on US-CERTs Advisory on Auto-Run

    You might have seen the US-CERT advisory titled Microsoft Windows Does Not Disable AutoRun Properly – if not, you will definitely have seen one of the articles covering this issue and telling you that our advice on how to prevent Conficker is flawed.

    This statement was not quite accurate the way it came out initially, and US-CERT has in the meantime adjusted their advisory:

    Our advice in http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/91525.mspx?mfr=true works if you apply http://support.microsoft.com/kb/953252

    Here is the update US-CERT added to their advisory:

    Update:

    Microsoft has provided support document KB953252, which describes how to correct the problem of NoDriveTypeAutoRun registry value enforcement. After the update is installed, Windows will obey the NoDriveTypeAutorun registry value. Note that this fix has been released via Microsoft Update to Windows Vista and Server 2008 systems as part of the MS08-038 Security Bulletin. Windows 2000, XP, and Server 2003 users must install the update manually. Our testing has shown that installing this update and setting the NoDriveTypeAutoRun registry value to 0xFF will disable AutoRun as well as the workaround described above.

    Roger

  • Is there a Correlation between Stolen Software (Piracy) and Security/Patching?

    Remark: A few weeks ago I made a post where I asked you about the correlation between Piracy and Security. I was talking about Piracy (stolen software) and got a lot of answers about Privacy (Data Protection). So the following post is about stolen and illegal software…

    I was recently asked in a panel whether there is a correlation between piracy rates and malware infections in a given country. I am convinced that this is the case in the consumer space because I suspect many pirated copies are not protected. But can I prove it?

    You might have seen it: We recently filed some cases regarding piracy in different countries. These cases go after software resellers who allegedly violated Microsoft’s copyrights and/or trademarks by illegally selling counterfeit software and software components via online auction sites – which is a serious kind of fraud.

    But where I would really like to understand more is the relationship between Piracy and Security/Patching. To me, there are different “types of piracy”, which might have a different impact on security:

    • Criminals that steal software and then sell it. From my personal experience the end user is often unaware of the fact that he/she is running non-genuine software. So, there is a good chance that Automatic Update is switched on.
    • People downloading pirated copies of software from peer-to-peer networks or other sources. Here the problem is different as these people most probably do not have any patch management solution switched on.

    To be clear: some time ago, we decided to deliver critical security updates via Automatic Update to non-genuine versions of our products. This is not to protect the thieves but to protect the ecosystem. I often get push-back that this is not true, so let me clarify: if you go to the Download Center or Microsoft Update you will not be able to access these sites with pirated copies, but switching on Automatic Update will allow you to get the critical Security Updates.

    The reason why I am telling you this is that I would like to do some statistical exercises with you. There is data on malware infection rates in our Security Intelligence Report. This data is compiled from results of the Malicious Software Removal Tool, which is mainly delivered through Microsoft Update and Automatic Update. So, we will mainly see machines that are getting regular updates.

    If we look at the countries in EMEA, this is the extract from the report which shows the 15 countries in which we found the most infections and the 15 in which we found the least in H1 2008 (the rate is the number of infections we find per 1000 executions of MSRT):

    Most infections (rate = infections per 1000 MSRT executions):
    Country          Rate
    Algeria          19.5
    Libya            19.5
    Portugal         19.6
    Yemen            20.1
    Lebanon          20.2
    Macedonia        21.1
    Jordan           21.6
    Tunisia          21.9
    Turkey           21.9
    Saudi Arabia     22.3
    Egypt            22.5
    Iraq             23.6
    Albania          25.4
    Morocco          27.8
    Bahrain          29.2
    Afghanistan      76.4

    Fewest infections (rate = infections per 1000 MSRT executions):
    Country          Rate
    Rwanda            4.2
    Austria           5.2
    Germany           5.3
    Finland           5.7
    Latvia            6.3
    Denmark           6.8
    Switzerland       6.9
    Czech Republic    7.1
    Italy             7.1
    Ireland           7.3
    Belarus           7.6
    Sweden            7.6
    Netherlands       7.8
    Nigeria           8.2
    Poland            8.3
    Norway            8.3

    So, this is about malware.

    Let’s look at piracy figures now, using figures from a report by the Business Software Alliance. So, let’s do the same and look at the 15 worst and 15 best countries in terms of piracy (these are 2007 figures; the percentage is the share of installed software that is not genuine):

    Highest piracy rates:
    Country          Piracy
    Albania          78%
    Kazakhstan       79%
    Côte d'Ivoire    81%
    Kenya            81%
    Nigeria          82%
    Montenegro       83%
    Ukraine          83%
    Algeria          84%
    Pakistan         84%
    Iraq             85%
    Libya            88%
    Yemen            89%
    Azerbaijan       92%
    Moldova          92%
    Armenia          93%

    Lowest piracy rates:
    Country          Piracy
    Luxembourg       21%
    Austria          25%
    Belgium          25%
    Denmark          25%
    Finland          25%
    Sweden           25%
    Switzerland      25%
    Netherlands      28%
    Norway           29%
    Israel           32%
    South Africa     34%
    Ireland          34%
    UAE              35%
    Czech Republic   39%
    Hungary          42%

    So, what does this tell us? Well, nothing really yet. So, from here, what we could do is look at the rankings. (Being an engineer, I love to play with figures :-))

    I started to compare the rankings of the different countries and tried to understand the difference in the relative ranking between Piracy and Malware Infection Rate. Let me give you an example: Switzerland ranks 5th lowest on Malware and 2nd lowest on Piracy. So, the difference there is 3. Ukraine, on the other hand, ranks 22nd on Malware but 51st on Piracy – so, there is a difference of 29, which is significant. So, they are doing about average when it comes to malware infections but really badly on Piracy (actually in Ukraine 83% of all software is not genuine).

    If we draw a graph with these differences it shows a clearer picture than the tables above:

    So this tells us that most of the countries just rank about 5 places apart between Malware and Piracy!

    Even though the malware infection rate only covers PCs that run the Malicious Software Removal Tool, most countries that are bad/good on infection rate are bad/good on piracy.
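    The ranking comparison described above, carried out as an added example (not code from the original post) on the countries that appear in both of the tables, using the post's own figures. Ranks are computed within this subset only, so they differ from the full-report ranks quoted in the text (Switzerland 5th lowest on malware there); ties such as the five countries at 25% piracy share their average rank.

```python
# Added example, not from the original post: the rank comparison the post
# describes, carried out on the countries that appear in both of its tables.
# Ranks are computed within this subset only, so they differ from the
# full-report ranks quoted in the text (e.g. Switzerland 5th lowest on malware).
MALWARE = {  # infections per 1000 MSRT executions, H1 2008 (from the post)
    "Austria": 5.2, "Finland": 5.7, "Denmark": 6.8, "Switzerland": 6.9,
    "Czech Republic": 7.1, "Ireland": 7.3, "Sweden": 7.6, "Netherlands": 7.8,
    "Nigeria": 8.2, "Norway": 8.3, "Algeria": 19.5, "Libya": 19.5,
    "Yemen": 20.1, "Iraq": 23.6, "Albania": 25.4,
}
PIRACY = {  # BSA 2007 piracy rate, percent of software not genuine (from the post)
    "Austria": 25, "Denmark": 25, "Finland": 25, "Sweden": 25,
    "Switzerland": 25, "Netherlands": 28, "Norway": 29, "Ireland": 34,
    "Czech Republic": 39, "Albania": 78, "Nigeria": 82, "Algeria": 84,
    "Iraq": 85, "Libya": 88, "Yemen": 89,
}

def ranks(values):
    """Rank 1 = lowest value. Tied values share their average rank, so the
    five countries at 25% piracy are not ordered arbitrarily."""
    ordered = sorted(values.items(), key=lambda kv: kv[1])
    result, i = {}, 0
    while i < len(ordered):
        j = i
        while j + 1 < len(ordered) and ordered[j + 1][1] == ordered[i][1]:
            j += 1
        for k in range(i, j + 1):          # positions i..j share one rank
            result[ordered[k][0]] = (i + j + 2) / 2
        i = j + 1
    return result

def rank_differences(a, b):
    """Per-country |rank in a - rank in b|, the figure the post plots."""
    ra, rb = ranks(a), ranks(b)
    return {c: abs(ra[c] - rb[c]) for c in ra if c in rb}

def spearman(a, b):
    """Spearman correlation = Pearson correlation of the tie-averaged ranks;
    +1 would mean identical orderings, 0 no relation at all."""
    ra, rb = ranks(a), ranks(b)
    common = [c for c in ra if c in rb]
    xs, ys = [ra[c] for c in common], [rb[c] for c in common]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5
```

    On this subset no country is more than 5 places apart and the rank correlation comes out around 0.83, which matches the post's observation, although 15 hand-picked countries from the extremes of both lists are of course a small and biased sample.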

    But this leads us to the next question: why is this the case? There might be different reasons for that:

    • We know that Peer-to-Peer networks are a source of malware. So there is a good chance that people who deliberately steal software get it from Peer-to-Peer networks, or other untrustworthy sources, and get the malware from there.
    • People who pirate software are careless anyway and do not run Anti-Malware software, or have it but do not update it.
    • People who pirate software do not patch their PCs because, in their mind, running Microsoft Update or any other update mechanism will lead to them being caught. This would be interesting to investigate further, but unfortunately I have no data I can make public on Microsoft Update hit rates in the countries above.

    To make one point clear: the statements above are mere speculation. Today I do not have enough intelligence available to support any of the points above. On the other hand, I think I have shown that there might be a correlation between Piracy and Security, and I would guess it would be easier to convince consumers to patch their machines (and therefore get basic protection) if they run genuine copies rather than stolen copies!

    Roger

  • Russian Roulette with your Network (part 2)

    My latest blog post on this matter generated quite some attention. Based on what happened since then, let me be clear on what I wanted to say (and still want to say):

    If you decide not to roll out a security update which is so critical that we decide to go out of band, you play Russian Roulette with your network, as you can guess that there will be attacks exploiting this vulnerability pretty soon. The same is actually true if you do not run and maintain an appropriate Anti-Malware solution. There were just a few that are able to detect and remove Conficker (ours was one of the first!).

    Now, if we look at Conficker.B: this is really an ugly beast. You need just one infected machine in your network in order to have it spread across your network fast and aggressively. You can even get it through a USB stick.

    So, drawing the conclusion that I said every customer having Conficker.B did not patch and was therefore playing Russian Roulette is completely inaccurate and not what I said!

    It just needs one unpatched/infected machine…

    Roger