Aug 31 2015

Microsoft accused of adding spy features to Windows 7, 8

Windows' network activity continues to be scrutinized amid privacy concerns. Windows 10 was first put under the microscope with both new and old features causing concern. With its Cortana digital personal assistant, Windows 10 represents a new breed of operating system that incorporates extensive online services as an integral part of the platform. But its older predecessors haven't escaped attention, and questions are now being asked of Windows 7 and 8's online connectivity.

Windows 8 included many of the same online features as are now raising hackles around the Internet. While it had no Cortana, it nonetheless integrated Web and local search, supported logging in and syncing settings with Microsoft Account, included online storage of encryption keys, and so on and so forth. While a few privacy advocates expressed concern at these features when the operating system was first released, the response was far more muted than the one we see today about Windows 10. But a new addition has led to accusations that Windows 8 now mimics one of Windows 10's more problematic features: it reports information to Microsoft even when told not to.

Back in April, Microsoft released a non-security update for both Windows 7 and 8. This update, 3022345, created a new Windows service called the Diagnostics Tracking service. Microsoft describes this service as doing two things. First, it increases the amount of diagnostic data that the Customer Experience Improvement Program (CEIP) can collect in order to better diagnose problems. Second, it collects data for third-party applications that use the Application Insights service. Application Insights is a preview service that lets app developers track performance issues, crashes, and other problems in their applications. The Diagnostics Tracking service collects this data and sends it to Microsoft.
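As an added check (not part of the Ars article), the following PowerShell, run elevated on a Windows 7 or 8 host, reports whether update 3022345 is installed, whether the Diagnostics Tracking service it introduced is present and how it is configured, and whether CEIP is switched on; it then stops and disables the service. It assumes the service's short name is DiagTrack and that the CEIP opt-in flag is the CEIPEnable value under HKLM:\SOFTWARE\Microsoft\SQMClient\Windows, and it sticks to PowerShell 2.0 cmdlets so it runs on an un-upgraded Windows 7.

```powershell
# Added example, not from the article. Run from an elevated PowerShell.
# Assumptions: the service short name is DiagTrack (display name
# "Diagnostics Tracking Service") and the CEIP opt-in flag is the
# CEIPEnable DWORD under HKLM:\SOFTWARE\Microsoft\SQMClient\Windows.
$kbId    = 'KB3022345'
$svcName = 'DiagTrack'
$ceipKey = 'HKLM:\SOFTWARE\Microsoft\SQMClient\Windows'

# 1. Is the update that introduced the service installed?
$hotfix = Get-HotFix -Id $kbId -ErrorAction SilentlyContinue
if ($hotfix) {
    Write-Output ("{0} installed on {1}" -f $kbId, $hotfix.InstalledOn)
} else {
    Write-Output "$kbId is not installed"
}

# 2. Is the service present? WMI exposes start mode and binary path on
#    PowerShell 2.0, where Get-Service does not.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$svcName'"
if ($svc) {
    Write-Output ("{0}: State={1} StartMode={2} Path={3}" -f `
        $svc.DisplayName, $svc.State, $svc.StartMode, $svc.PathName)
} else {
    Write-Output "$svcName service not found"
}

# 3. Is CEIP switched on? (0 = opted out; a missing value means the default applies)
$ceip = Get-ItemProperty -Path $ceipKey -Name CEIPEnable -ErrorAction SilentlyContinue
if ($ceip) {
    Write-Output ("CEIPEnable = {0}" -f $ceip.CEIPEnable)
} else {
    Write-Output "CEIPEnable value not set"
}

# 4. Stop and disable the service. Comment this block out to audit only.
if ($svc) {
    Stop-Service -Name $svcName -Force -ErrorAction SilentlyContinue
    Set-Service -Name $svcName -StartupType Disabled
    $after = Get-WmiObject -Class Win32_Service -Filter "Name='$svcName'"
    Write-Output ("{0} now State={1} StartMode={2}" -f $svcName, $after.State, $after.StartMode)
}
```

Disabling the service only stops the local collector; it does not by itself change the CEIP setting, which is why step 3 reports it separately. Re-run the audit after the next Patch Tuesday, since a later update can re-enable a disabled service.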


Aug 31 2015

Best practices for preventing Dridex infections

Mitigating the Dridex threat at multiple levels (file, registry, URL and IP address) can be achieved across several layers of McAfee security products. Browse the product guidelines available here (click Knowledge Center, and select Product Documentation from the Support Content list) to mitigate the threat based on the behavior described in the Characteristics and Symptoms section below.

We have built several documents regarding Dridex and its variants:

  1. https://kc.mcafee.com/corporate/index?page=content&id=PD25689 – W97M/Downloader
  2. https://kc.mcafee.com/corporate/index?page=content&id=PD25982 – Dridex

Basic rules on handling emails:

Email from unknown senders should be treated with caution. If an email looks strange, do the following: ignore it, delete it, and never open attachments or click on URLs.

Opening file attachments, especially from unknown senders, harbors risks. Attachments should first be scanned with an antivirus program and, if necessary, deleted without being opened.

Never click links in emails without checking the URL. Many email programs permit the actual target of the link to be seen by hovering the mouse over the visible link without actually clicking on it (called the mouse-over function).

Configuring Access Protection in VirusScan Enterprise

 Refer to the following KB articles to configure Access Protection rules in VirusScan Enterprise:

How to create a user-defined Access Protection Rule from a VSE 8.x or ePO 5.x console

How to use wildcards when creating exclusions in VirusScan Enterprise 8.x

Dridex usually copies itself into the Administrator's local application data folder under a name beginning with edge or edg followed by random hexadecimal digits, as in the following examples:

On Windows XP:

 C:\Documents and Settings\Administrator\Local Settings\Application Data\edge[random.hex].exe (or edg[random.hex].exe)

On Windows 7:

 C:\Users\Administrator\AppData\Local\edge[random.hex].exe (or edg[random.hex].exe)

Users can configure and test Access Protection rules to restrict the creation of new files and folders in these locations when there is no other legitimate use for them.

Select New files being created and add the following file location under File or folder name to block:

  • [OS installed drive]\Documents and Settings\[administrator]\Local Settings\Application Data\edge[random.hex].exe (or edg[random.hex].exe)

[random.hex] can be replaced with a '*'; for example, you can enter either edge*.tmp (matching any such name) or a specific name such as edge123.tmp.

Example Access Protection Rules (screenshots in the original post):

Windows 7: rule for the dropped executable

Windows XP: rule for the dropped executable

For the dropped DLL:

Windows XP: rule for the dropped DLL

Windows 7: rule for the dropped DLL
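A practical complement to the blocking rule above, added here as an example and not part of the McAfee post: a read-only PowerShell hunt that walks every user profile's local application data folder (AppData\Local on Windows 7, Local Settings\Application Data on XP) for files whose names match the edge/edg-plus-hex-digits pattern, hashes them with SHA-256 so they can be submitted or compared against GTI, and checks whether any running process was launched from such a file. The name pattern and folder locations are those the post describes; the exact hex-digit regex and the .exe/.tmp extensions are assumptions. It avoids PowerShell 3.0+ features (-Directory, -File, Get-FileHash) so it runs on Windows 7's default PowerShell 2.0.

```powershell
# Added example, not from the McAfee post. Read-only: nothing is deleted.
# Assumption: a Dridex drop is named edge or edg followed by hex digits,
# with an .exe or .tmp extension, in a user's local application data folder.
$dropPattern = '^edge?[0-9a-f]+\.(exe|tmp)$'   # e.g. edge1a2b.exe, edg3c.tmp

function Get-Sha256Hex([string]$Path) {
    # Get-FileHash needs PowerShell 4.0, so use .NET directly.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

function Get-LocalAppDataDirs {
    # Profile roots for Windows Vista/7 and later, and for Windows XP.
    $roots = @("$env:SystemDrive\Users", "$env:SystemDrive\Documents and Settings")
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer } |
            ForEach-Object {
                # Windows 7 layout first, then the XP layout; emit whichever exists.
                foreach ($sub in @('AppData\Local', 'Local Settings\Application Data')) {
                    $dir = Join-Path $_.FullName $sub
                    if (Test-Path $dir) { $dir }
                }
            }
    }
}

function Find-DridexDrops {
    foreach ($dir in Get-LocalAppDataDirs) {
        Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.Name -match $dropPattern } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Path          = $_.FullName
                    SizeBytes     = $_.Length
                    LastWriteTime = $_.LastWriteTime
                    Sha256        = Get-Sha256Hex $_.FullName
                }
            }
    }
}

function Find-DridexProcesses {
    # Anything already executing from a file whose name matches the pattern.
    Get-WmiObject -Class Win32_Process |
        Where-Object { $_.ExecutablePath -and ((Split-Path -Path $_.ExecutablePath -Leaf) -match $dropPattern) } |
        Select-Object ProcessId, Name, ExecutablePath, CommandLine
}

$drops = @(Find-DridexDrops)
$procs = @(Find-DridexProcesses)
Write-Output ("Candidate drop files: {0}" -f $drops.Count)
$drops | Format-List Path, SizeBytes, LastWriteTime, Sha256
Write-Output ("Processes running from a matching file name: {0}" -f $procs.Count)
$procs | Format-Table -AutoSize
```

A matching name is a lead, not a verdict: a hit only means the host deserves the full triage the post describes (sample submission, GTI lookup, IOC sweep with TIE/ATD). Run it under an account that can read every profile, otherwise profiles you cannot open are silently skipped.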

Configuring Host Intrusion Prevention

  • To blacklist applications using a Host Intrusion Prevention (Host IPS) custom signature, refer to KB71329.
  • To create application-blocking rule policies that prevent the binary from running, refer to KB71794.
  • To create application-blocking rule policies that prevent a specific executable from hooking any other executable, refer to KB71794.
  • To block attacks from a specific IP address through McAfee NitroSecurity IPS, refer to KB74650.

*** Disclaimer: Using *.* in an Access Protection rule will prevent all file types from running and being accessed in that specific location. If a process path is specified under "Processes to Include", wildcards in folder names may lead to unexpected behavior. Make the rule as specific as possible.

New technologies:

McAfee Threat Intelligence Exchange (TIE), working together with Advanced Threat Defense (ATD), gives you a very effective level of protection against Dridex variants. In addition, through these technologies you can use IOCs or IOAs to find other infection sources, or patient zero, on your network:

https://www.youtube.com/watch?v=Wxvizasvj8k&feature=player_embedded

With TIE, the rule "Malware Dropped by Infected Microsoft Office Documents" gives you a way to proactively scan for and detect Dridex behaviors: https://community.mcafee.com/docs/DOC-6908

In addition, McAfee Application Control, which only allows whitelisted executables to run, protects against Dridex by preventing the dropped binary from executing at all.

Conclusion:

Even though Dridex's infection techniques are not new, it is always tricky to block all variants using a signature-based approach alone.

Enabling GTI and submitting samples remain very effective ways to increase the global detection level. However, the best approach is to build a Security Connected platform and link technologies such as TIE and ATD so that protection is based on behavior and code analysis: https://community.mcafee.com/docs/DOC-6462

This approach also lets you share intelligence between the different components on your network and thereby improve your overall security posture.

Thanks to my colleagues, Emmanuel Flores, Vinoo Thomas and John Health.

The post Best practices for preventing Dridex infections appeared first on McAfee.

Aug 31 2015

Six UK teens arrested for being “customers” of Lizard Squad’s DDoS service

On August 28, the United Kingdom’s National Crime Agency announced the arrest of six teenagers, ranging in age from 15 to 18, for launching distributed denial of service attacks against multiple websites. The attacks were carried out using an attack tool created by Lizard Squad, the group behind denial of service attacks on gaming networks and the 8Chan imageboard site last winter. Called Lizard Stresser, the tool exploited compromised home routers, using them as a robot army against targeted sites and services.

The six arrested “are suspected of maliciously deploying Lizard Stresser, having bought the tool using alternative payment services such as Bitcoin in a bid to remain anonymous,” an NCA spokesperson wrote in an official statement on the case. “Organizations believed to have been targeted by the suspects include a leading national newspaper, a school, gaming companies, and a number of online retailers.” Those sites, according to a source that spoke with Bloomberg Business, included Microsoft’s Xbox Live, Sony’s PlayStation Network, and Amazon.com.

The timing of the attacks wasn’t mentioned by NCA. However, the user database of Lizard Stresser was leaked in January of this year. The NCA has been investigating individuals listed in the database and has identified a substantial number of them living in the UK. “Officers are also visiting approximately 50 addresses linked to individuals registered on the Lizard Stresser website, but who are not currently believed to have carried out attacks,” the NCA spokesperson noted. “A third of the individuals identified are under the age of 20, and the activity forms part of the NCA’s wider work to address younger people at risk of entering into serious forms of cyber crime.”


Aug 31 2015

Malware infecting jailbroken iPhones stole 225,000 Apple account logins

A newly discovered malware family that preys on jailbroken iPhones has collected login credentials for more than 225,000 Apple accounts, making it one of the largest Apple account compromises to be caused by malware.

KeyRaider, as the malware family has been dubbed, is distributed through a third-party repository of Cydia, which markets itself as an alternative to Apple's official App Store. Malicious code surreptitiously included with Cydia apps is creating problems for people in China and at least 17 other countries, including France, Russia, Japan, and the UK. Not only has it pilfered account data for 225,941 Apple accounts, it has also disabled some infected phones until users pay a ransom, and it has made unauthorized charges against some victims' accounts.

Researchers with Palo Alto Networks worked with members of the Chinese iPhone community Weiphone after members found the unauthorized charges. In a blog post published Sunday, the Palo Alto Networks researchers wrote:
