Tag Archives: Microsoft

Windows 10 Controlled folder access

Microsoft describes the new Windows 10 feature ‘Controlled folder access in Windows Defender Antivirus’ in the article Announcing Windows 10 Insider Preview Build 16232 for PC + Build 15228 for Mobile. The article specifically mentions ransomware as one of the threats against which it is likely to be effective.

The article states that ‘Controlled folder access monitors the changes that apps make to files in certain protected folders. If an app attempts to make a change to these files, and the app is blacklisted by the feature, you’ll get a notification about the attempt. You can complement the protected folders with additional locations, and add the apps that you want to allow access to those folders.’

It’s not clear what criteria are used to blacklist an application: as I read it, it may simply use Windows Defender’s scanning engine to determine the status of an app. I guess I’ll wait for more information before deciding how much additional protection this really provides.

Zeljka Zorz comments for Help Net Security :

Whether this security feature will be enough to stop ransomware remains to be seen, especially if ransomware can get a whitelisted application to bypass the protection and offer a way in.

I wasn’t really thinking of this in terms of whitelisting until I read that, but the feature does, in fact, allow the user to add protected locations apart from the default folders, and also to ‘ Allow an app through Controlled folder access’.  Which opens the door to social engineering as well as subversion of apps, but then that’s a persistent issue with whitelisting applications.

David Harley

WannaCryptor news updates

Because of the apparent seriousness of the issue, I borrowed my earlier blogs on this topic for ITsecurity UK. So it’s only fair that I borrow back a couple of updates from that article.

You may have seen that someone was able to ‘switch off’ the attack by registering a domain. (‘Accidental hero’ finds kill switch to stop spread of ransomware cyber-attack.) While it sounds as if this bought the world some time, it doesn’t mean there won’t be further attacks. I still recommend that you patch if you can.

There are reports of further variants, including one which is alleged not to include a kill switch. That might not be an accurate report, but certainly no-one should be relying on the neutralization of kill-switch domains rather than patching.

And if you have been caught out by the malware and were thinking of paying up, be warned that payment may not get your files back, according to Checkpoint: WannaCry – Paid Time Off?

Analysis by Microsoft here. MS recommends that you update to Windows 10 (no comment…) and/or apply the MS17-010 update. If that’s not possible, they recommend that you:

Hat tip to Artem Baranov for links to further information.

David Harley

 

WannaCryptor – XP patch available

Unusually, Microsoft has provided a patch for systems that are no longer supported, but are vulnerable to the Microsoft Security Bulletin MS17-010 flaw exploited by WannaCryptor (a.k.a. WannaCrypt among other names). These include Windows XP, Windows 8, and Windows Server 2003. A patch for later operating systems (i.e. those versions of Windows still supported) was made available in March 2017.

If you didn’t take advantage of the patch for Windows 8.1 and later at the time, now would be a good time to do so. (A couple of days earlier would have been even better.)

If you’re running one of the unsupported Windows versions mentioned above (and yes, I appreciate that some people have to), I strongly recommend that you either upgrade or take advantage of the new patch.

Microsoft’s announcement is here: Customer Guidance for WannaCrypt attacks, with links to the update and further information. Detection of the threat has also been added to Windows Defender.

Kudos to Microsoft for going the extra mile…

Additional analysis and/or commentary by ESET – Huge ransomware outbreak disrupts IT systems worldwide, WannaCryptor to blame, Malwarebytes – The worm that spreads WanaCrypt0r, and Sophos: Wanna Decrypter 2.0 ransomware attack: what you need to know. Among other vendors, of course. [Added subsequently: Symantec – What you need to know about the WannaCry Ransomware]

David Harley

Security Essentials or Support Scam?

Microsoft describes a malicious program that masquerades as an installer for Microsoft’s own Security Essentials program. What Hicurdismos actually does is generate a fake Blue Screen of Death (BSoD) including a ‘helpline number’: so yes, it’s essentially a malware-aided tech support scam. It is spread by drive-by-download, and takes a number of steps to make itself look like a serious system issue, such as hiding the mouse cursor and disabling Task Manager.

Security Essentials is still available from Microsoft’s own support site for Windows version 7 and below. Windows 8.x and 10 users should note that it can’t be used on their systems,. However, they don’t need it since the version of Windows Defender that comes with 8.x and 10 has equivalent functionality (unlike the version on earlier Windows versions). However, apart from the pointer to the ‘helpline’, the fake BSoD closely resembles an error message that may be seen in those versions. Would that convince 8.x and 10 users that they also need the fake Essentials? Microsoft seems to think so.

Fortunately, it’s widely detected.

SHA1: e1e78701049a5e883a722a98cdab6198f7bd53a1

SHA256: 7dcbd6a63cb9f56063d2e8c5b17b3870bb2cbaeaafff98ce205d742cce38ba96

VirusTotal report: at 24th October 2016, 42 out of 56 vendors were shown as detecting it.

Commentary from The Register: Microsoft: Watch out millennials for evil Security Essentials

David Harley

Ransomlock.AT: ransomware meets support scams

It’s been a while since I’ve had occasion to talk about the issues that sometimes link tech support scams and ransomware, but now a couple of relevant items have come along more or less simultaneously. First, let’s look at the malware Symantec calls Trojan.Ransomlock.AT.

Symantec describes ‘a new ransomware variant that pretends to originate from Microsoft and uses social engineering techniques to trick the victim into calling a toll-free number to “reactivate” Windows.’ (That is, to unlock the computer.) The article is here: New ransomware mimics Microsoft activation window. The Symantec researchers tried to contact the ‘helpline’ number 1-888-303-5121 but gave up after 90 minutes of on-hold music and messages. Interestingly, a web search for that number turns up dozens of links to sites claiming to help ‘remove’ the number, which Symantec believes to have been promoted by the ransomware operators or their affiliates.

Fortunately, they spent less time on concealing the unlock code, for the moment at any rate. Symantec tells us that ‘Victims of this threat can unlock their computer using the code: 8716098676542789’.

iYogi tech support – sued by State of Washington

The name iYogi will not be unfamiliar to you, if you’ve been following how the tech support scam has been evolving over the past few years.

In Fake Support, And Now Fake Product Support I described how a legitimate and ethical AV company outsourced its support to the iYogi company  in India. This must have seemed at the time an entirely reasonable way of addressing a difficulty that faces security companies with a product version that is free to consumers: what happens when users of that product need support? Running a tech support operation is a significant cost even for companies that charge for all their products (time-limited trials excepted, of course). The idea was that Avast! customers would get free support for Avast!-related queries, but would then be offered an upgrade to a for-fee iYogi support package. However, the AV company’s understanding was that:

here at AVAST, we never phone our customers (unless they specifically ask us to of course) and none of the partners we work with do either.

Unfortunately, it seemed that iYogi’s understanding of the situation was rather different. According to Brian Krebs, reported incidents of tech support scam coldcalls from “Avast customer service” did indeed turn out to have originated with iYogi.

While someone describing himself as the co-founder and president of marketing at iYogi strongly denied any connection with the usual gang of out-and-out scammers, Avast! found it necessary to suspend its arrangement with the company. Avast!’s later arrangements for customer support are discussed on the company’s blog here.

iYogi’s recent activities seem to have continued to attract controversy.  A recent article from Help Net Security tells us that Washington State has announced a lawsuit against iYogi, alleging that ‘iYogi’s tactics are unfair and deceptive business practices that violate Washington’s Consumer Protection Act.’ The activities in which the company is alleged to have engaged have a familiar ring, involving deceptive online advertisements, misleading ‘diagnostics’, aggressive selling of support plans and the company’s own anti-virus software. In a twist I haven’t encountered before, the Washington suit filed in King County Superior Court claims that:

iYogi tells the consumer that upgrading to Windows 10 from Windows 7 or 8 costs $199.00 if the upgrade is done independently, but that the upgrade is “included” for free as part of iYogi’s five-year service package or for $80 as part of iYogi’s one-year package. In fact, an upgrade to Windows 10 is free for Windows 7 or 8 users who choose to do so independently. In addition, iYogi incorrectly tells consumers that their computers will stop working if they do not upgrade to Windows 10 soon.

Help Net quotes Microsoft as estimating that 71,000 residents of Washington lose $33m each year, a sizeable proportion of the 3.3m Americans who are estimated to lose $1.5b in a year.

 David Harley

Tech Support Scam Updates

The following links have been added to the tech support scam resources page:

“Since May 2014, Microsoft has received over 175,000 customer complaints regarding fraudulent tech support scams. This year alone, an estimated 3.3 million people in the United States will pay more than $1.5 billion to scammers.”

Scary…

David Harley

NOD32 beta test versions

As we all know, there is, never has been, and never could be any Mac or Linux malware. If it did, no Mac or Linux user would fall for it, and if they did it would be their own fault. Microsoft-loving antivirus companies are simply looking for excuses to line their pockets.

(Guys, this is called irony! )

There you go. Now I’ve said it for you, there’s no need to clutter this page and my mailbox with fanboi comments and hatemail.

However, in case you’re gullible enough to believe that ESET, like other security companies, really believes that Mac and Linux users sometimes need anti-malware protection, we have now public beta test versions of our scanner available for OS X and for Linux desktop.

http://beta.eset.com/linux
http://beta.eset.com/macosx 

Declaration of interest: yes, I do currently work for ESET. And I am that gullible.

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://dharley.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/

 

Security Smörgåsbord

Wow! December already – well, it’s been a fast and furious year, kicking off with the media fest that was the Conficker worm, through various other disasters and debacles all of which have only confirmed to many of us in the industry that our utopian malware free world is not likely to arrive any time soon (sorry David, you’ll have to delay that retirement for a while).

Things haven’t slowed down much, and over the last days a few things have caught my ever roving eye,

Firstly, there was a rather amusing spat caused by software company Prevx firstly accusing Microsoft security patches for causing a ‘black screen of death’, (which of course was fixed by their own patch), and later retracting the statement when it became clear that it wasn’t the security patches, but more likely the actions of malware on the systems that causes the problem. (Link: http://news.bbc.co.uk/2/hi/technology/8388253.stm). One has to wonder how the Prevx patch was supposed to really fix the problem if they had no real idea of the cause – at least, they hadn’t checked whether it really was the fault of MS.

Secondly, there was the rather splendid news that the URL shortening service bit.ly – among the most popular shorteners for users of sites like Twitter – has signed up with three major security vendors (Sohpos, Verisign and Websense) to try to block spam and malicious links on their site. This can only be a “Good Thing” (TM). (Link: http://www.wired.com/epicenter/2009/11/bitly-partners-with-security-firms-to-block-spams-scams-from-twitter/). Some of the other services offer previewing of the links, but this is extra annoyance for users and also pushes the decision on whether to visit the site to the user (not a Good Thing).

Thirdly, there is some heartening news from Facebook in that they’re going to offer more granular control over content privacy. There have been quite a few articles and papers on this subject, (including one by yours truly) so it’s good to see that the issues have been considered. I don’t know that it will solve all of the problems, but it may well highlight the privacy issue to more FB users who perhaps weren’t aware that, say, joining a Network exposes their content to all the members of that network unless they specifically block that (Link: http://blog.facebook.com/blog.php?post=190423927130). Social networks are great things for keeping up with people, particularly if you’re a continent hopping researcher with friends all over the world, but the rapid explosion in their use has led to frequent lapses in security and the discovery that – as is often the case – security and privacy issues have been secondary to service development and uptake.

Lastly, and I hope you’ll forgive me for the quick tune on my own trumpet, I’m happy to announce that K7 Security Solutions are now available in German, and can be found at http://k7.de (Disclosure of interest: I am also the CTO of K7 Computing Ltd).

Andrew Lee CISSP
AVIEN CEO