Microsoft's Jeff Williams gives an update on Microsoft's part in continued action to eradicate the Win32/Rustock botnet.

Over a year ago Microsoft marshalled a unique botnet-fighting team. Made up of others in industry and some folks in academia, they used a combination of legal and technical means to  take control of the Win32/Waledac botnet as the first milestone action in project MARS (Microsoft Active Response for Security.)

A similar action in the past couple of days has had its legal seal opened that allowed Microsoft to talk more openly about the Win32/Rustock botnet.

Sure, Waledac was a simpler and smaller botnet than Rustock, but because of lessons learned with it, Microsoft was able to take on the much larger Rustock botnet.

Rustock is estimated to've infected over a million computers and was spewing out millions of spams daily

In fact, some statistics have suggested that at its peak, Rustock accounted for a staggering 80% of all spam traffic in volume and were sending at a rate of over 2,000 messages per second.

What was so impressive in the botnet takedown was the scope of things: the seizure of command and control servers was under court order from the U.S. District Court for the Western District of Washington; the order was carried out by the U.S. Marshals Service and by authorities in the Netherlands.

That alone would be a fairly big deal, but here's the kicker: investigators are now going through evidence seized from five hosting centers in seven locations to learn more about those responsible and their activities.

This was a collaboration with others such as Pfizer (whose brands were infringed on from fake-pharma spam coming from Rustock), FireEye, and the University of Washington.

All three gave valuable statements to the court on the behaviors of Rustock and also the specific dangers to public health which is in addition to those effecting the Internet.

On Microsoft's side, the efforts are represented by a partnership between Microsoft's Digital Crimes Unit, the Microsoft Malware Protection Center, and Microsoft Trustworthy Computing.

We applaud Microsoft and its partners for pulling this off. Their continued work with CERT and ISPs around the world is the only way to reach those whose computers are infected and help defeat and remove these viruses.

Among the most important parts of keeping any computer secure is to update the OS when fixes become available. Microsoft Windows 7 SP1 Beta has been available for test release since July of 2010 while the formal release began late last month (Feb 2011).

To update, users can select the Windows 7 SP1 update in Windows Update (which is the easiest way for one PC), or do it manually by downloading and installing as a separate file (which is the easiest way if you have several machines to update).

The x86 version is about 527 MB while the x64 tips the scales around 903 MB.

Besides fixes and improvements for stability, there are about 80 other fixes generally classified into hotfixes and security updates by our friends in Redmond.

The majority of these can be grouped as follows:

• 25 fixes to help prevent Remote Code Execution  
• 8 Internet Explorer Updates
• 7 Kernel fixes to prevent Elevation of Service 
• 6 .NET framework 3.5, 3.51, and 4.0 fixes
• 5 Elevation of Service fixes related to various vulnerabilities
• 5 Vulnerability fixes that could allow Denial of Service
• 3 Application Compatibility Updates
• 3 Updates  including Rollup/Security updates for Active X, and
• 2 Updates for XML Core Services

While we here are all very much proponents and strong advocates of antivirus firewall software to help keep a PC secure, it's an understatement to say it's important to take advantage of security fixes like these, too.

Put another way: if you haven't applied SP1 to your PCs yet, now's a good time to hop to it.

As if we all hadn't learned the hard-learned lessons from 2001, including (among other things), not to open attachments we're not expecting and to not click links in emails when we're not expecting them, there's a new worm making its rounds today.

With this newest, latest, greatest iteration of the computer worm, this one dubbed "Here you have" or W32/VBMania@MM, we're taught apparently we need to re-learn some of those old lessons once more.

Here are what two of the worm's emails look like:

Subject: Here you have

Hello: This is The Document I told you about,you can find it Here. http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf Please check it and reply as soon as possible. Cheers,

Subject: Just For you

Hello: This is The Free Dowload Sex Movies,you can find it Here. http://www.sharemovies.com/library/SEX21.025542010.wmv Enjoy Your Time. Cheers,

A fairly sophisticated worm, according to the write-up on it on McAfee's Antivirus blog, it spreads itself the following ways:

1. via Outlook, spamming itself to everyone in your contact list
2. over network shares
3. AutoRun on removable media (i.e. flash/thumb drives)

All-in-all, it's a combination of the techniques of the old-school Outlook viruses and those of the more recent multi-vector worms, including disabling antivirus software.

Sneaky for sure.

On top of that, it's disguising itself as a .pdf file, when in fact it's an executable program.

As users, we've all been trained for so long that .pdf files are harmless, when in fact they're not, themselves having become an attack vector more than once recently.

At least as far as good news goes, the malware:

1. isn't auto-executing (as the Outlook viruses were a few years ago)
2. requires that a user click a link and run the file
3. is being caught by most antivirus software

As the folks at Kaspersky point out in their post about the "Here You Have Virus",

The difference with those earlier attacks is that the emails typically carried the malicious file itself and didn't rely on a link to a downloading site.

"But the technique used to entice users to click on the attachment or malicious link is the same: Offer the user something he wants to see.

Which brings up a point that can't be repeated enough:

• No matter how tempting: Avoid opening emails from strangers. Subject lines like the ones in this worm are a dead giveaway to their content.
• If you absolutely must open a stranger's email, don't click on links in them
• If you absolutely must click the link (or do so accidentally), if you're prompted to 'Run' a file, don't. Just don't.

No matter how tempting, I assure you, you're not missing out on anything except for anger, frustration, tears, heartache, and a trip to your local computer store.

Antivirus firms BitDefender and Sunbelt Software, among others, have identified new malware they're calling, "Trojan.Generic.3783603"

According to Sunbelt, The malware immediately creates a backdoor to the user's system, which then allows remote access for cyber-criminals to obtain confidential information or install more malicious software.

While the delivery vehicle isn't unique, it targets its victims randomly through spam emails, this appears to be the first one disguised as a so-called, "Windows 7 Compatibility Checker." Even though Windows 7 has been widely available since October 2009, here we are over six months later with unsuspecting users now being duped into installing this scumware.

BitDefender says in their notice,

The infection rates reflected by the BitDefender Real-Time Virus Reporting System indicate the beginning of a massive spreading of Tojan.Generic.3783603.

"Although this phenomenon has just started, it seems that it’s just a matter of time before the cybercriminals control a huge number of systems.

"Infection rates are also expected to boom because of the effective social engineering ingredient of this mechanism, namely the reference to the highly popular Microsoft® Windows® OS.

While security professionals shouldn't have to keep saying it, evidently it needs to be said:

1. Never, ever open an attachment from unknown contacts
2. Be wary of opening an attachment sent from someone you know when you're not expecting it first. (Many computers have been infected when one person's computer gets infected then the virus emails itself to everyone in the infected person's address book.)
3. Install, run, and keep updated the best antivirus firewall software or Internet security suite you can afford.

With the November 2009 Microsoft "Patch Tuesday," as it's called, there were a number of important security exploits that were dealt with.

If you haven't recently updated your Windows OS, we urge you to do so now. Here's one way to to so:

1. Open Internet Explorer
2. Click Tools
3. Windows Update
4. Select "Express" or "Custom"
5. Select All applicable updates
6. Download & install updates

Now for our take on the latest vulnerabilities and patches...

November 2009 Microsoft Updates

	Microsoft Security Bulletin ID	Microsoft Knowledge Base Article ID
	MS09-063	973565
Vulnerability Summary	Vulnerability in License Logging Server Could Allow Remote Code Execution
Executive Summary Highlights	This security update resolves a privately reported vulnerability in the Web Services on Devices Application Programming Interface (WSDAPI) on the Windows operating system. "The vulnerability could allow remote code execution if an affected Windows system receives a specially crafted packet. "Only attackers on the local subnet would be able to exploit this vulnerability.
Our Take	This vulnerability affects a ton of different systems, and while Microsoft says an attacker would have to be on the same local subnet, they leave out an important detail as to what this means. What they don't explain is that this means anyone using a free wireless connection (i.e. like those at the airport or a coffee shop) could easily be affected, and the way wireless works, the attacker wouldn't necessarily have to be in the same room as you. They could be around the corner or even down the street Microsoft rates this as "Critical."

	Microsoft Security Bulletin ID	Microsoft Knowledge Base Article ID
	MS09-064	974983
Vulnerability Summary	Vulnerability in License Logging Server Could Allow Remote Code Execution
Executive Summary Highlights	This security update resolves a privately reported vulnerability in Microsoft Windows 2000. "The vulnerability could allow remote code execution if an attacker sent a specially crafted network message to a computer running the License Logging Server. "An attacker who successfully exploited this vulnerability could take complete control of the system. "Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter.
Our Take	This vulnerability only affects Windows 2000 systems, but if you're still running W2K, Microsoft gives this vulnerability a "critical" rating. So, even if you are running antivirus firewall software (which should help mitigate the risk from this vulnerability), you should still patch your machine(s). Microsoft rates this as "Critical."

	Microsoft Security Bulletin ID	Microsoft Knowledge Base Article ID
	MS09-065	969947
Vulnerability Summary	Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution
Executive Summary Highlights	This security update resolves several privately reported vulnerabilities in the Windows kernel. "The most severe of the vulnerabilities could allow remote code execution if a user viewed content rendered in a specially crafted Embedded OpenType (EOT) font. "In a Web-based attack scenario, an attacker would have to host a Web site that contains specially crafted embedded fonts that are used to attempt to exploit this vulnerability. "In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. "...an attacker would have to convince the user to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes the user to the attacker's site.
Our Take	Pretty much every Windows system appears to be affected except for Windows 7. There are some caveats to this for Vista and Windows Server 2008, so if you're running either of those OSes you should consult the Security Bulletin and Knowledge Base Article for complete details. This is a classic case where, as Microsoft points out, you can get a virus or other malware installed on your machine just from visiting a web site. And, as they also point out, it's also possible for your machine to be infected if someone has taken over a site you trust or if you're visiting a site that has user-provided content. While this is unlikely to affect Facebook, this is the type of thing Microsoft is talking about: sites where the users provide content--even things like chat or forums. This is also a classic case where Internet security software is often able to minimize the risks from these types of attacks. Microsoft rates this as "Critical."

	Microsoft Security Bulletin ID	Microsoft Knowledge Base Article ID
	MS09-066	973309
Vulnerability Summary	Vulnerability in Active Directory Could Allow Denial of Service
Executive Summary Highlights	This security update resolves a privately reported vulnerability in Active Directory directory service, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service (AD LDS). "The vulnerability could allow denial of service if stack space was exhausted during execution of certain types of LDAP or LDAPS requests. "This vulnerability only affects domain controllers and systems configured to run ADAM or AD LDS.
Our Take	Lots of affected systems with this one, although apparently only systems running Active Directory Active Directory Application Mode (ADAM) Active Directory Lightweight Directory Service Microsoft rates this as "Important."

	Microsoft Security Bulletin ID	Microsoft Knowledge Base Article ID
	MS09-067	972652
Vulnerability Summary	Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution
Executive Summary Highlights	This security update resolves several privately reported vulnerabilities in Microsoft Office Excel. "The vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file. "An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Our Take	Anyone running Microsoft Excel is likely to be affected, and while MS rates this as only "Important," we have to beg to differ. We believe this merits a "critical" rating since so many people run Excel and since all versions of the exploit allow for remote code execution. Anytime there's remote code execution, it means an attackers may be able to completely take over your system. Better safe than sorry. If you're running an older version of Windows like Windows 2000 or Windows XP, you'll need to manually update your Microsoft Office to get this patch. Here's one way to do it: Open Internet Explorer Go to: Microsoft Office Update Look for "Update Office" Follow the on-screen instructions Note: You may have to visit this site several times and reboot to get all patches needed if your MS Office hasn't been updated in a while. Also worth pointing is the value of using accounts with limited user rights (i.e. do NOT use Administrator for your daily activities). Microsoft rates this as "Important."

	Microsoft Security Bulletin ID	Microsoft Knowledge Base Article ID
	MS09-068	976307
Vulnerability Summary	Vulnerability in Microsoft Office Word Could Allow Remote Code Execution
Executive Summary Highlights	This security update resolves a privately reported vulnerability that could allow remote code execution if a user opens a specially crafted Word file. "An attacker who successfully exploited this vulnerability could take complete control of an affected system. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Our Take	As with the above Excel vulnerability, there are many affected people because practically everyone runs Microsoft Word. You're at less risk if you're running the best antivirus software and if you're not using the Administrator account (or an account with Administrator privileges), but this is another update to be sure you get. Microsoft rates this as "Important."

There's a lot of hoopla about how much better Windows 7 is than prior versions at keeping viruses and other malware at bay and keeping people safe online.

What's the reality though?

Are the default settings in the Windows 7 User Account Control (UAC) all that's needed to protect your PC?

A lot of people want to know, and here's what we found out from antivirus vendor Sophos.

"We grabbed the next 10 unique samples that arrived in the SophosLabs feed to see how well the newer, more secure version of Windows and UAC held up.

"Unfortunately, despite Microsoft's claims, Windows 7 disappointed just like earlier versions of Windows.

"The good news is that, of the freshest 10 samples that arrived, 2 would not operate correctly under Windows 7."

Hrm... well, that doesn't sound good. Does the UAC work at all?

As it turns out, yes. In the Sophos' tests they saw that the UAC blocked 1 of the malware samples. At least that's a start.

Chester Wisniewski, the writer of the piece, goes on to say,

"User Account Control did block one sample; however, its failure to block anything else just reinforces my warning [Editor's note: registration required] prior to the Windows 7 launch that UAC's default configuration is not effective at protecting a PC from modern malware.

"Lesson learned? You still need to run anti-virus on Windows 7.

"Microsoft, in the Microsoft Security Intelligence Report released yesterday, stated that 'The infection rate of Windows Vista SP1 was 61.9 percent less than that of Windows XP SP3.'"

We'll go a step further. It isn't just antivirus software these days that's needed. It's firewall software, too.

Putting the two together (along with solid antispyware), as the Internet security suites do, along with using the Windows 7 UACs offers the best, most complete combination of software to protect your PC.

That said, is the upgrade to Windows 7 worth it from a security standpoint?

We think so.

Regardless of the failure of it to block 9 in 10 sample malware, that's what it's doing today. Give the engineers at Microsoft some time with their next service packs for Windows 7, and they'll no doube improve it even more.

Another thing to consider is that the sample size of 10 viruses isn't terribly big. With a greater number of threats, more representative of those you might actually encounter online, the UACs may help thwart some of the viruses.

But, as we see here, there's still no substitute for antivirus software.

"'The only thing I can guess at is the person who created this is scared,' said Eric Sites, chief technology officer with Sunbelt Software and a member of the working group.

"'This thing has cost so many companies and people money to get fixed, if they ever find the guys who did this, they're going away for a long time.'"

This from a Network World write-up on Conficker, 1 year later.

What a lot of folks find perhaps most interesting about Conficker is,

"Despite its size, Conficker has rarely been used by the criminals who control it.

"Why it hasn't been used more is a bit of a mystery.

"Some members of the Conficker Working Group believe that Conficker's author may be reluctant to attract more attention, given the worm's overwhelming success at infecting computers."

Regardless of whether or not it has been used a lot 'til now, the fact of the matter is, that the Conficker Working Group estimates 7 million PCs have been infected thus far with variants A and B of the worm.

Another thing that caught our eye about the worm was that it's apparently very (perhaps most?) common in China and Brazil, which according to the Network World piece (although we could not confirm this) cites the Conficker Working Group, as,

"suspect[ing] that many of the infected PCs are running bootlegged copies of Microsoft Windows, and are therefore unable to download the patches or Microsoft's Malicious Software Removal Tool, which could remove the infection."

This policy of Microsoft's is definitely a subject of some debate.

Clearly, regrettably, a lot of people pirate Microsoft's software; that Microsoft in effect actually punishes others by helping to perpetuate the worm by refusing to allow the pirates to update their copies of Windows (or download the Malicious Software Removal Tool), really doesn't make sense.

Microsoft's belief, no doubt, is that if pirates can't use their computers because of the worms, they'll wise-up and buy legitimate copies of Windows.

I doubt it.

If a computer is infected, the solution to the pirate is most often just to re-install their OS from scratch if needed and to take other steps (i.e. like installing antivirus software) to prevent re-infection. Others just think their computers are slow and don't know why or ignore the worm altogether and go on about their day.

Whatever the case in the mean time though, by preventing updates, Microsoft's policy allows Conficker to spread, grow, and perpetuate.

There was a lot of noise starting back in February 2009 when Microsoft began pushing out a secret .NET plugin/add-on to Mozilla Firefox.

Among other problems was that Microsoft was installing the plugin to Firefox anytime you did a Windows update.

The complaints about this plugin were:

1. There was no notification of the update.
2. There was no practical way to prevent the update.
3. Disabling the plugin was a supreme headache.
4. Firefox isn't even a Microsoft product!

The good news about this is that Mozilla Firefox developers are now blocking the .NET plugin.

Given the list of problems cited above with this plugin, it's no wonder Mozilla devs moved to block the add-on.

We're not alone in wishing it had happened sooner, regardless though we're glad they have.

Sure, Microsoft has ever right to make a .NET plugin for Firefox. The problem is/was that they weren't giving users any notice the plugin was being installed.

They just did it.

Oh, and good luck getting it disabled once it's in there.

If Microsoft wants to make the download available as an optional installation AND make it possible to easily disable the plugin, that's fine.

What they did though is unacceptable as it was nigh impossible to disable for most users. If a security issue had arisen with it for which Microsoft, as they do from time-to-time, declines to issue a patch (or are slow to issue a patch), users would be hard pressed to disable the plugin to mitigate the risk.

Whoever at Microsoft was responsible for making this plugin work the way it did could have made it work the way they did for a few reasons:

	Microsoft's Possible Reasoning	Why Their Reasoning Was Unsound
1.	Give everyone a similar experience in Firefox they would have with Internet Explorer.	Fine. Just give users the choice to opt out easily. Give users the chance to disable easily the add-on at any time after installation if they don't like/want it.
2.	Making it optional confuses too many people.	If you're confused about what it is or how it works, how do you expect anyone to know what they're missing by not having the .NET add-on?
3.	Making it difficult to remove makes it hard for people to miss out on the experience.	What if there's a security issue? What if there's a stability issue? What if I just don't want it? How can anyone minimize the security risk or test for stability issues if it's so difficult to remove?
4.	Making it difficult to remove lets Microsoft extend its reach into Firefox.	Why create more browser-related problems for Microsoft, which already has plenty of issues to contend with in the antitrust arena?

How would users feel if suddenly, without notifying users they were doing it, without giving users a chance to opt-out, and without users having a way easily undo what Microsoft had done, Microsoft started changing setting or adding "features" to something like Internet security software?

While not exactly Internet security software, per se, Firefox is installed by users because in many ways it does provide greater security than Internet Explorer.

No matter how you look at it, the way Microsoft chose to install the plugin, essentially injecting its own code into another company's product, without users' knowledge or consent, was unwise at best and while not exactly malicious, almost certainly not on the up-and-up.

I'm just glad Mozilla finally disabled the .NET add-on.

If you haven't updated your Firefox (or haven't yet tried it), you can download Firefox--the latest version, of course--and get the .NET plug-in disabled.

We got wind today of a research project out of the University of California Santa Barbara (UCSB) that took over one of the most notorious botnets, Mebroot.

In an article on the takeover of the Mebroot botnet, the scope of the Mebroot problem is revealed: They found more than 6,500 websites hosting malicious code that redirected nearly 340,000 visitors to malicious sites.

Mebroot gained notoriety for taking over legitimate web sites and infecting those sites with malicious javascript code.

The idea behind such an attack was for the cybercriminal botnet operators to have a massively distributed network for attacking PCs visiting a range of legitimate websites, and thus for it to be much, much harder to stop and much, much more likely to be a stable place for them to get more end users' PCs to do their real bidding: cybercrime.

"'Once upon a time, you thought that if you did not browse porn, you would be safe,' says Giovanni Vigna, a UCSB professor of computer science and one of the paper's authors.

"'But staying away from the seedy places on the Internet is no longer an assurance of staying safe.'"

So the botnet worked like this:

1. Take over legimate websites
2. Infect these legimate websites with hidden malicious javascript that redirects visitors going to the legitimate sites to illegitimate websites where
3. End users' PCs are then infected via a drive-by-download that silently takes over the visitors computer
4. Use these end users' infected PCs to perform their cybercrimes (i.e. credit card theft, password theft, bank fraud, identity theft, etc.)

The article closes with this not-so-surprising detail:

"The researchers also discovered that nearly 70 percent of those redirected by Mebroot--as classified by Internet address--were vulnerable to one of almost 40 vulnerabilities regularly used by the most popular infection toolkits designed to compromise computer systems.

"About half that number were vulnerable to the six specific vulnerabilities used by the Mebroot toolkit.

"The research suggests that users need to update more often, says UCSB's Vigna.

"'Patches are very good at reducing the exposure of the end users, but users are not very good at updating their system,' he says."

The notion of patching more frequently is one we've covered in our site numerous times, and it's a message that warrants repeating regularly.

Why computer users, regardless of whether or not they're running the latest antivirus firewall software or not, don't do so is puzzling.

Updating your OS is an extremely simple process and is well worth the few minutes of time it takes in most cases. (Even when it takes longer, it's still worth it vs. the consequences of not doing so, and having your computer be more susceptible to takeover.

Here's how:

1. Open Internet Explorer
2. Click 'Tools' in the upper menu
3. Click 'Windows Update'
4. Click Express Update (or Custom Update to get full details on what you're updating
5. Install any updates that Microsoft recommends

 Typically, you'll have to reboot after this. Then do it again, as some updates cannot be installed concurrently with others, so sometimes a couple of update cycles are needed.

Ever read .PDFs or watch something in Flash?

Most people do. In fact, something like 99% of all computers have Flash installed likewise a huge portion of computers have Acrobat Reader, too.

As such, if you're in that 99% pool, you're probably vulnerable, as roughly 80% of all computers still are according to internet security firm Trusteer.

A couple of weeks ago, we covered the Flash / Acrobat Reader Security Advisory, and now there's more warning on WebProNews about the same Flash / Acrobat vulnerabilities.

In the posting there by Chris Crum he quotes Trusteer's CEO, Mickey Boodaei, as saying,

"Adobe is facing some major security challenges and one of its biggest hurdles is its software update mechanism.

"For some reason, it is not effective enough in distributing security patches to the field.

"Given the lack of attention this situation has received to date, it appears that few people understand the magnitude of the problem. We recommend that all enterprises and individuals install the latest Flash and Acrobat updates immediately.

[Editor's note: emphasis is mine.]

We originally covered this vulnerability two weeks ago saying,

"...there's an urgent update that Adobe has just made to Acrobat, Flash Player, and Adobe Reader."

So, now that there are others adding their voices to the chorus, and we're all saying this is a big deal, please visit this page on Adobe's site which covers the Acrobat/Flash security update.

If you're reading this article, please, stop what you're doing, go to that URL, *read* it, and follow Adobe's instructions.

Regardless of if the rest of your Windows OS is patched, regardless of whether or not you have a software firewall running, and regardless of whether or not you've installed the best antivirus software or an Internet security suite, you still need to do this. 

Acrobat and Flash live outside of the normal Windows Update mechanism, and thus, they can not be upgraded via Windows Update and are best upgraded manually, (i.e. don't rely on the Adobe autoupdater.)

In our humble opinion, this vulnerability has every bit the potential to be even bigger than the Conficker worm from early April this year because of the enormous install base Acrobat and Flash have.