Computer Security Articles

The rumors have been circulating for months, but it appears that service pack 1 is now available for Windows 7 and Windows 2008 R2.

Microsoft has been working on this landmark update to Windows 7 for more than a year and the official launch date has been established as February 22nd, 2011. While few enhancements have been made to Microsoft’s flagship product, stability and performance improvements abound.

Microsoft has shipped 796 bug fixes and security improvements to Windows 7 and Windows 2008 R2. This is a huge improvement and simplifies the distribution of these platforms for organizations looking to streamline their upgrades. Many of these fixes have been available via Windows Update.

Microsoft introduced two new functions in this update. They now support a feature called Dynamic Memory for Hyper-V users. This feature allows dynamic allocation of memory to virtual guests based upon their needs at any given time. Windows 2008 R2 hosts can benefit from increased efficiency for heavily loaded systems with this feature.

The second add-on is called RemoteFX. This addition allows a “richer media experience” for virtualized desktops according to Microsoft. The idea is to streamline video playback and 3D capabilities using Microsoft’s remote desktop functionality.

The download of SP1 varies between 44MB and 1G depending upon the installation method you choose. See the chart below for the details.

Hopefully this will accelerate the adoption of Windows 7. For the our recommendations on Windows 7 deployments check out our paper.

Windows Express Help is a rogue security product in the Privacy Center family that pretends to find system and registry errors on a victim’s machine in order to frighten him or her into purchasing this useless application.

Windows Express Help graphic interface

(Click on graphic to enlarge)

Windows Express Help install screen

(Click on graphic to enlarge)

How to remove Windows Express Help:

If Windows Express Help has infected your PC, you should remove it immediately. Click here to use VIPRE to remove Windows Express Help from your computer now.

Multiple security vulnerabilities have been found within the current Java runtime environments, both for client computers and for servers. These allow attackers to infect computers for example with a Trojan just by luring victims into visiting manipulated websites. Oracle now released updated software which users and administrators should install as soon as possible! Security holes in outdated Java versions get exploited very often on the Internet, thus updating minimizes the attack surface for cyber criminals.

In Windows operating systems – currently verified are Windows XP SP3 and Windows Server 2003 SP2 – a new security vulnerability has been found. It allows to take over a Windows PC which has network shares enabled. A patch has not been released yet. Especially in public places the firewall should be configured to block the TCP and UDP ports 138, 139 and 445, respectively, or Windows file sharing should be disabled until a patch is available.

Dirk Knop
Technical Editor

A new vulnerability has been discovered exploiting SMBcomponent of Windows. The attack involves sending of malformed Browser Election requests leading the heap overflow within the mrxsmb.dll driver.The vulnerability is known to be able to cause DoSand fully control of vulnerable machines. Proof of concept code for DoShad been released. There are reports that this exploit only work on local network segment (this hasn’t been verified).
The general practice of block port 138, 139 and 445 should be observed especially with this 0-day.
More information on this exploit
http://www.vupen.com/english/advisories/2011/0394

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

Windows User Satellite is a rogue security product in the Privacy Center family that pretends to find system and registry errors and malicious code on a victim’s machine in order to frighten him or her into purchasing this useless application.

VIPRE detection name: Trojan.Win32.Generic.pak!cobra

Windows User Satellite graphic interface

(Click on graphic to enlarge)

Windows User Satellite warning screen

 
(Click on graphic to enlarge)

How to remove Windows User Satellite:

If  Windows User Satellite has infected your pc, you should remove it immediately. Click here to use VIPRE to remove Windows User Satellite from your computer now.

Windows Problems Solution is a rogue security product in the Privacy Center family that pretends to find system and registry errors and malicious code on a victim’s machine in order to frighten him or her into purchasing this useless application.

Windows Problems Solution graphic interface

 
(Click on graphic to enlarge)

Windows Problems Solution warning screen

(Click on graphic to enlarge)

Windows Problems Solution install screen

(Click on graphic to enlarge)

How to remove Windows Problems Solution:

If Windows Problems Solution has infected your pc, you should remove it immediately. Click here to use VIPRE to remove Windows Problems Solution from your computer now.

July 2, 2010

Windows blockers remain a major virus threat in Russia. In June, malicious programs demanding that users refill cell phone account balances belonging to criminals constituted 30 percent of Windows blockers incidences. Regular visitors to social networking web sites were also targeted. Visitors who attempted to log on to favourite sites received messages informing them that their accounts had been suspended, and that to unfreeze them, they needed to send paid text messages. Meanwhile, banking Trojans attacked European bank customers, forcing them to surrender their TAN codes to cyber criminals. Such codes are used by some banks for one-time transaction authorizations. However, sometimes even such extreme precautions on the part of banks can’t prevent cyber criminals from inflicting damage.

Windows blockers countermeasures

While Windows blockers continued to terrorize users, Doctor Web did its best to help those whose systems were compromised by malicious programs of this type.

In January 2010, Doctor Web launched its Dr.Web Unlocker web site. The site includes web forms offering unblocking codes for certain phone numbers and text messages displayed by Trojans. Later an unlock code generator was also introduced. The site is updated on a regular basis to address the latest trends in the development of system blocking malware.

In addition, since June 23, 2010, Doctor Web has made its support service available free of charge to every user (regardless of the anti-virus involved) whose system has been blocked by a Windows blocker program and who can’t get help at the unlocker site. To further fight the outbreak, Doctor Web cooperates with law enforcement agencies and provides up-to-date information to the widest audience possible about the current status of the epidemic, including prevention and curing techniques.

During June, Doctor Web’s statistics server registered over 420,000 instances of detection of Windows blockers, down from the previous month’s figure of 940,000+. Most of these programs were detected by Dr.Web anti-viruses as Trojan.Winlock, Trojan.Adultban, and Trojan.Packed.20343.

By the end of June, Trojans demanding cell phone balance refills as ransom amounted to 30 percent of all blockers. Doctor Web’s analysts studied numerous cases of systems being infected by such programs and concluded that, in most cases, users wouldn’t receive unlock codes even if they paid the ransom. Once again the facts confirm this rule: no matter how desperate you are, never give money to criminals!.

Below is a gallery of screenshots showing June’s most common Windows blockers.

Social networking web sites – an attraction for criminals

Many users contacting Doctor Web’s technical support service in June were unable to visit social networking and free e-mail service web sites. When trying to load web pages, users got messages informing them that their accounts had been suspended for spamming, and that to continue they would have to send paid text messages. Dr.Web software detected the malicious programs responsible for such messages as Trojan.Hosts.

Reports received at the end of June indicated new modifications to Trojan.Hosts’ demand to refill cell phone balances, demands similar to those made by Windows blockers.

Because Trojan.Hosts and Trojan.Winlock are parts of schemes with similar mechanisms for converting acquired funds into actual money, Doctor Web also helps those whose support requests concern such viruses.

Internet banking users in danger

European bank customers who make wide use of Internet banking, particularly those of Volksbank Austria and German Postbank, became the primary targets of malware in Europe. Banks use TAN codes to achieve better security for online transactions. Each transaction has its own unique TAN code which allows customers to carry out transactions without disclosing their individual PIN codes. But cyber criminals have found a loophole: Users whose computers were infected by malicious programs like Trojan.PWS.Banker or Trojan.PWS.Bancos are prompted to enter TAN codes whenever they try to use an Internet banking system. Codes submitted by users get into the hands of criminals.

The Trojans were able to detect a browser used to access an Internet-banking web site and sprang into action only if the browser was Internet Explorer, demonstrating once again that users of other browsers are better protected from threats lurking on the Internet.

ПGeneral trends of June include the still active Oficla botnet, with four modifications of Trojan.Oficla found among the top 20 malware threats most frequently detected in e-mail. Intruders also often resorted to malicious scripts detected by Dr.Web anti-viruses as JS.Redirector.based.3. Embedded in HTML documents attached to spam messages, they redirect users to web sites that spread malware or to advertisements that typically promote pharmaceutical products.

Malicious files detected in mail traffic in June

Malicious files detected on user machines in June

Windows Optimal Settings is a rogue security product the Privacy Center family that pretends to find system and registry errors on a victim’s machine in order to frighten him or her into purchasing this useless application.

Windows Optimal Settings graphic interface

(Click on graphic to enlarge)

How to remove Windows Optimal Settings:

If Windows Optimal Settings has infected your pc, you should remove it immediately. Click here to use VIPRE to remove Windows Optimal Settings from your computer now.

Nokia announced today that they will adopt Windows Phone as the primary operating system for its future smart phones.

Coming from the world’s largest mobile phone manufacturer, this is an historic announcement.

While the vast majority of PC malware is written for Windows, Windows Phone 7 is a entirely different ballgame.

The security model of Windows Phone 7 is quite different from Windows XP/Vista/7/et cetera, and includes features such as Application Certification, Isolated Storage, and Application Isolation. For example, third party applications can not run in the background because of security concerns.

Windows Phone 7 and XBOX are the only Microsoft platforms where applications must be pre-approved by Microsoft before users can run them.

As a result, we don’t expect any major mobile malware outbreaks just because of Nokia’s partnership.

On 11/02/11 At 11:44 AM

Windows Optimal Solution is a rogue security product in the Privacy Center family. It pretends to find malware as well as system and registry errors on a victim’s machine in order to frighten him or her into purchasing this useless application.

Windows Optimal Solution graphic interface

(Click on graphic to enlarge)

Fake Microsoft Security Essentials alert screen

(Click on graphic to enlarge)

Windows Optimal Solution install screens

(Click on graphic to enlarge)

(Click on graphic to enlarge)

How to remove Windows Optimal Solution:

If Windows Optimal Solution has infected your PC, you should remove it immediately. Click here to use VIPRE to remove Windows Optimal Solution from your computer now.

When a call starts off with I think we’ve had an incident or something isn’t right actual proof of an event or incident has really occurred is a must*.If it’s some odd happening on Windows, then it’s time to look at the Windows event logs. Windows has three standard event logs: application, system and security. The one most security folks need to keep an eye on is the security event log.

Some questions to ask or ponder about your Windows security logs

Do you review or monitor them?
How big are the log files?
What happens when the log file are full?
Do you know if security audit policies in place?
Do you have different audit policies for certain systems?
Are allyour machines using the same time reference?
Can you recognize the event ID that could mean trouble?

Each company has its own policies and procedures on how their systems are designed built, configured and managed, but as incident responders we should know these basic details about the security event log.

A common stumbling block for security teams is actually viewing the security logs on other computers. Access to the security logs, by default, is only to a user with local admin right on the machine. There is a nifty way to allow security staff to view them, while not give them full admin access to the remote machines and is recommended by Microsoft [1]. This avoids upsetting the Windows admin team – who are by now still deploying the latest Ms patches and thus pretty busy.

Microsoft has produced a number of helpful guides on how to configure and apply polices [2 3] and there are a large number of other references out there. Working with the Windows admin team help them identify some of the warning signs that appear in the security logs, such as multiple account lock outs, brute force account guessing attacks and what certain event ID are [4]

Let’s say you have all the right audit policies in place and can view the security logs, but you’re attempting to piece together an attack over 50 machines. Just viewing that many separate Windows event logs will make you go crazy. Jason Fossen, author of SANS Windows track, has a wonderful script [5] to convert event logs in to CSV files. Use tools, such as trusty old Ms Excel, to parser the data from CSV files and correlate them in to events timelines. This makes spotting trends, events or incidents much easier as you can look at the combined dataand even turn it in tographs.

By having the correct information logged and access to the security logs it should take the guessing out of whether a dozen accounts have been locked out is a co-incidence or an actual security incident.

If you have any other suggestions or advice on using the Windows security logs, please feel free to add a comment.

[1] How to set event log security locally or by using Group Policy in Windows Server 2003 for non-admins to access them:
http://support.microsoft.com/kb/323076

[2] Configuring Audit Policies Windows 2000/2003:
http://technet.microsoft.com/en-us/library/dd277403.aspx

[3] Advanced Security Auditing in Windows 7 and Windows Server 2008 R2:
http://social.technet.microsoft.com/wiki/contents/articles/advanced-security-auditing-in-windows-7-and-windows-server-2008-r2.aspx

[4] My favourite place to find what Security Event ID mean:
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx

[5] Dump Windows Event Logs to CSV Text Files
http://blogs.sans.org/windows-security/2009/06/30/dump-windows-event-logs-to-csv-text-vbscript/

Recommended Event Logs sizes in windows:
http://support.microsoft.com/kb/957662

* Gut feelings, aching bones, birds flying in weird formation or milk suddenly turning sour is all very nice, but isn’t going to help prove an event or incident has taken place to others.
Chris Mohan — ISC Handler on Duty

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

Windows Risk Eliminator is a rogue security product that pretends to find system and registry errors on a victim’s machine in order to frighten him or her into purchasing this useless application. It’s a clone of the PrivacyCenter rogue.

(Click on graphic to enlarge)

(Click on graphic to enlarge)

How to remove WindowsRiskEliminator:

If Windows Risk Eliminator has infected your pc, you should remove it immediately. Click here to use VIPRE to remove WindowsRiskEliminator from your computer now.

Windows Universal Tool is a rogue security product that pretends to find system and registry errors on a victim’s machine in order to frighten him or her into purchasing this useless application.

Windows Universal Tool graphic interface

(Click on graphic to enlarge)

How to remove Windows Universal Tool:

If Windows Universal Tool has infected your PC, you should remove it immediately. Click here to use VIPRE to remove Windows Universal Tool from your computer now.

Among yesterday’s optional software updates from Microsoft was Update for Windows XP/Vista/non-Windows 7 (KB971029).

It’s an “important, non-security update” that restricts “AutoRun entries in the AutoPlay dialog to only CD and DVD drives”.

Excellent. This could really help curb AutoRun worms. If you’re using an older Windows computer, we highly recommend you go and apply this optional update.

You’ll need to visit update.microsoft.com and select “Custom” updates.

And you’ll find KB971029 in the “Software, Optional” category.

This update restricts USB AutoRun functionality in the AutoPlay dialog. You may also wish to take further steps and disable AutoPlay completely. See here and here for posts on that topic.

On 09/02/11 At 01:13 PM

Windows Care Tool is a rogue security product in the Privacy Center family that pretends to find system and registry errors on a victim’s machine in order to frighten him or her into purchasing this useless application.

Windows Care Tool graphic interface

(Click on graphic to enlarge)

Windows Care Tool install screen

(Click on graphic to enlarge)

How to remove Windows Care Tool:

If Windows Care Tool has infected your pc, you should remove it immediately. Click here to use VIPRE to remove Windows Care Tool from your computer now.

Windows Antispyware Solution is a rogue security product that pretends to find system or registry errors or malware on a victim’s machine in order to frighten him or her into purchasing this useless application. It is the latest member of the PrivacyCenter family of rogues.

VIPRE detection name:  Trojan.Win32.Generic.pak!cobra

Windows Antispyware Solution graphic interface

 
(Click on graphic to enlarge)
WindowsAntispywareSolution install screen

(Click on graphic to enlarge)

How to remove Windows Antispyware Solution:

If Windows Antispyware Solution has infected your PC, you should remove it immediately. Click here to use VIPRE to remove WindowsAntispywareSolution from your computer now.

“The Enhanced Mitigation Experience Toolkit v2.0 (EMET) is a utility designed to help IT Professionals protect systems from common threats. EMET works by applying security mitigation technologies to arbitrary applications to block against exploitation through common attack vectors.”

Microsoft has made EMET very easy to use and free of charge. It significantly hardens Windows machines against Zero Day malware and hack attacks. You can download EMET v2.0 here:
http://go.microsoft.com/fwlink/?LinkID=200220&clcid=0×409


NOTE: This site appears to be under attack, and Microsoft has repeatedly changed the link, so you made need to search Google.

After you install EMET, you will need to tell it how much protection to provide. First, click on the Configure System button:

Updated 12-1-2010

Windows Wise Protection is a rogue security product in the Privacy Center family that pretends to find system and registry errors on a victim’s machine in order to frighten him or her into purchasing this useless application.

Windows Wise Protection graphic interface

(Click on graphic to enlarge)

Windows Wise Protection install screen

 (Click on graphic to enlarge)

How to remove Windows Wise Protection:

If Windows Wise Protection has infected your PC, you should remove it immediately. Click here to use VIPRE to remove Windows Wise Protection from your computer now.

Following reports about pirated Trojan-Infested Windows 7 Builds, it is quite interesting to see what wrappers are used at the “crack stores” to lure as many people as possible. Some of these wrappers look pretty hilarious:

———– Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

Windows Safety Protection is a rogue security product that pretends to find system and registry errors on a victim’s machine in order to frighten him or her into purchasing this useless application. It’s a member of the Privacy Center family.

VIPRE detection name: Trojan.Win32.Generic.pak!cobra

Windows Safety Protection graphic interface

 
(Click on graphic to enlarge)

WindowsSafetyProtection install screen

 
(Click on graphic to enlarge)

How to remove Windows Safety Protection:

If  Windows Safety Protection has infected your pc, you should remove it immediately. Click here to use VIPRE to remove Windows Safety Protection from your computer now.

Windows Software Guard is a rogue security product in the Privacy Center family that pretends to find system and registry errors on a victim’s machine in order to frighten him or her into purchasing this useless application.

Windows Software Guard graphic interface

(Click on graphic to enlarge)

Windows Software Guard install screen

(Click on graphic to enlarge)

How to remove Windows Software Guard:

If  Windows Software Guard has infected your pc, you should remove it immediately. Click here to use VIPRE to remove Windows Software Guard from your computer now.

The Emsisoft malware research team has discovered a new outbreak of the  Windows Problems Protector adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.WindowsProblemsProtector.

Windows Problems Protector is a rogue application. This is another variant of Windows Shield Center, Windows Problems Remover, Windows Health Center, Windows Antispyware Solution, Windows Universal Tools, Windows Risk Eliminator, Windows Security & Control, Windows Utility Tool, Windows Optimization & Security, Windows Optimization Center and Privacy Guard 2010. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new file:

• %UserProfile%\Application Data\%random%.exe

Create/modify registry entries:

• HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon
  (String) Shell = %UserProfile%\Application Data\%random%.exe
• HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\SystemRestore
  (DWORD) DisableSR = 0×00000001 (1)
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe
  (String) Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\ekrn.exe
  (String) Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msascui.exe
  (String) Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msmpeng.exe
  (String) Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe
  (String) Debugger = svchost.exe

Screenshots:

How to remove the infection of Windows Problems Protector (Adware.Win32.WindowsProblemsProtector)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Full story: Emsisoft New Malware Blog