Archive for November, 2011

Security researcher gets root on Windows 8 with bootkit

Friday, November 18th, 2011

At the upcoming MalCon security conference in Mumbai, Austrian independent developer and security analyst Peter Kleissner is scheduled to release the first known “bootkit” for Windows 8—an exploit that is able to load from a hard drive’s master boot record and reside in memory all the way through the startup of the operating system, providing root access to the system. The exploit allegedly defeats the security features of Windows 8’s new Boot Loader. However, Kleissner said in a message exchange with Ars Technica that the exploit did not currently target the Unified Extensible Firmware Interface (UEFI), but instead went after legacy BIOS. Kleissner said he has shared his research and the paper he plans to present, “The Art of Bootkit Development,” with Microsoft.

Kleissner previously developed the Stoned bootkit, a proof-of-concept exploit that could attack Windows XP, Vista, and 7, as well as Windows Server 2003. Stoned, which is available as source code from Kleissner’s site, was able to install itself into the Windows kernel and gain unrestricted access to the entire system, even on systems with encrypted drives—because the master boot record on those drives remains unencrypted.

The details of the Windows 8 bootkit have not yet been shared, but Kleissner said in his Twitter feed this morning that the new bootkit, called Stoned Lite, has an infector file that is only 14 kilobytes in size, and the bootkit can be started from a USB drive or CD. He added that he was considering adding “in-memory patching of msv1_0!MsvpPasswordValidate.” That exploit, previously demonstrated against Windows XP as part of a bootkit, changes the password validation routine in Windows to accept any password as valid for an account.

Windows 8’s boot loader has added a number of security features to prevent malware and security breaches, including a measure that requires any software loaded at boot time to be authenticated with a valid digital signature. Microsoft advertised this feature as a malware killer, because it would in theory block any unsigned software from loading into memory before startup. But the new boot loader has caused concern in the open-source world, because Linux distributions such as Red Hat and Ubuntu don’t come with a digital signature.
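Because a bootkit of this kind lives in the master boot record, and that sector stays unencrypted even on encrypted drives, defenders can baseline it. The following is an added example, not code from Kleissner or from the article: it fingerprints a 512-byte MBR image and reports which parts differ from a known-good copy. The sample sectors and their boot-code bytes are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0-439: bootstrap code executed by the BIOS
DISK_SIG = slice(440, 444)   # bytes 440-443: Windows disk signature
TABLE_OFFSET = 446           # bytes 446-509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa" # bytes 510-511


def fingerprint_mbr(sector: bytes) -> dict:
    """Split an MBR into boot code, disk signature and partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if entry[4]:  # partition type 0x00 marks an unused slot
            partitions.append((i, entry[0] == 0x80, entry[4], lba_start, sectors))
    return {
        # Hash only the code area, so a legitimate repartition does not
        # look like a change to the boot code.
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": sector[DISK_SIG].hex(),
        "partitions": partitions,
    }


def changed_fields(baseline: dict, current: dict) -> list:
    """Names of the fingerprint fields that differ from the baseline."""
    return sorted(k for k in baseline if baseline[k] != current.get(k))


def build_sample_mbr(boot_code: bytes, lba_start: int, sectors: int) -> bytes:
    """Constructed sample sector with one active partition of type 0x07."""
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", lba_start, sectors)
    return (boot_code.ljust(BOOT_CODE_LEN, b"\x00") + b"\x12\x34\x56\x78"
            + b"\x00\x00" + entry + bytes(48) + BOOT_SIGNATURE)


# Constructed inputs: a baseline, a resized partition, and replaced boot code.
KNOWN_GOOD = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0", 2048, 204800)
REPARTITIONED = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0", 2048, 409600)
CODE_REPLACED = build_sample_mbr(b"\xeb\x3c\x90", 2048, 204800)

if __name__ == "__main__":
    base = fingerprint_mbr(KNOWN_GOOD)
    for name, sector in (("repartitioned", REPARTITIONED), ("code replaced", CODE_REPLACED)):
        print(name, "->", changed_fields(base, fingerprint_mbr(sector)))
```

Take the image to be checked from trusted boot media rather than from the running system, since code that is already resident can intercept disk reads.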


U.S. water utility reportedly hacked last week, expert says

Friday, November 18th, 2011

Intruders compromised a water utility network last week and destroyed a pump, according to a state government report cited by a critical infrastructure security expert today.

It appears that hackers breached the network of a company that makes SCADA (supervisory control and data acquisition) software and stole customer usernames and passwords, said Joe Weiss, managing partner of Applied Control Solutions. “There was damage–the SCADA system was powered on and off, burning out a water pump,” he wrote in a brief blog post.

The report did not identify the water utility attacked or the SCADA software vendor compromised, Weiss said in an interview with CNET. He declined to say where the utility is based because the report, released by a state terrorism information center, is marked “For Official Use Only.” However, a Department of Homeland Security representative indicated the facility was located in Springfield, Ill.

“It is unknown, at this time, the number of SCADA usernames and passwords acquired from the software company’s database and if any additional SCADA systems have been attacked as a result of this theft,” he said, reading from a report entitled “Public Water District Cyber Intrusion.” It was released November 10, two days after the water utility attack was discovered, he said.

“This is a really big deal,” said Weiss, an industry provocateur who pushes for stronger security practices and better disclosure in the industry. The incident has not been disclosed by the Department of Homeland Security’s ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) or any other officials, he said, adding “What are we doing with disclosure?”

The DHS said in a statement to CNET that it was investigating the incident but declined to comment on whether a security breach had occurred.

“DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield Ill.,” DHS spokesman Peter Boogaard said in a statement. “At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.”

Weiss disputed this statement.

“The statement is inconsistent with the report from the Illinois Statewide Terrorism and Intelligence Center Daily Intelligence Notes dated November 10, 2011, titled ‘Public Water District Cyber Intrusion,'” he said.

The water utility had noticed minor glitches in the remote access to the SCADA system for two to three months before it was identified as a cyber attack, Weiss said. This is similar to the 2000 hacking (PDF) in Queensland, Australia, in which a wastewater treatment plant failed to notice dozens of attempts to access the system. Using wireless radio and stolen control software, a consultant on the project who was angry over not getting a job was eventually able to get in and release up to one million liters of sewage into the river and coastal areas, killing marine life and turning a creek black.

“We don’t have cyber forensics, so when they see (issues) they don’t think it’s a cyber problem. They just think it’s a glitch in the system,” Weiss said. “Why won’t we have a cyber Pearl Harbor? Because we won’t know it.”

Weiss could not say how the SCADA vendor was breached, but speculated that programmable logic controllers (PLCs) were involved in the attacks. “I would be surprised if it didn’t,” he said. “This is a water utility and they are very dependent on PLCs.”

The Stuxnet attack of last year, which is believed to have been the first computer attack targeting critical infrastructure systems, targeted PLCs from Siemens. PLCs are used to automate mechanical devices in utilities, power plants, and other industrial control environments. They are known to use hard-coded passwords that cannot be easily changed in the event of a compromise.

Weiss also said the report indicated that the IP address used in the water utility attack was traced back to Russia. However, that doesn’t mean the attack was launched from there because tracks of hackers can so easily be hidden and made to look like they originated elsewhere.

Utilities and energy companies would be attractive targets for hackers wanting to cause damage to a community, but it’s unclear who is behind the attack.

While reports of utilities being hacked are rare, experts say the incidents that make the news are likely only the tip of the iceberg of what is really happening. For instance, Weiss said he came across news of a previously undisclosed SCADA system breach of a Southern California water department in a posting on LinkedIn in February.

Source:  CNET

Microsoft to move to license-by-core for SQL Server 2012

Wednesday, November 16th, 2011

Hmmm…think back to 2005: Microsoft is marketing its plans to release a new version of Microsoft SQL Server (2005). Remember how Microsoft executives were swearing that, “unlike Oracle,” they would never count the number of cores, only the number of physical processors? Well, Oracle changed its licensing model in 2008, and in 2012 so will Microsoft. But in reverse – Oracle got a bit looser and Microsoft will be getting tighter.

With the release of Microsoft SQL Server 2012 (projected for first half of 2012), Microsoft is changing some recent and some long standing licensing rules.  The following is based upon the licensing details released by Microsoft as of November 3, 2011. Things can change, so make sure you’re looking at the most current documentation (and I’ll try to keep you current here as well).

Microsoft SQL Server Editions:

  1. Enterprise Edition – license only as per core model (last day to buy Enterprise Edition in Server/CAL model is 6/30/2012 with some potential exceptions for existing agreements – see “Software Assurance Implications” below).
  2. Business Intelligence – included in the Enterprise Edition or license separately but only as server/CAL (Client Access License)
  3. Standard Edition – license in either server/CAL or per core model.
  4. Additional editions without licensing changes:
    1. Web Edition (only available for hosting companies through the SPLA agreement)
    2. Developer
    3. Express
    4. Compact
  5. Discontinued editions:
    1. Datacenter (migrate to Enterprise)
    2. Workgroup (migrate to Standard)
    3. Standard for Small Business (migrate to Standard)

For more information on what these editions can (and can’t) do, take a look at the edition comparison.

Core versus Processor Licensing:

Prior to SQL Server 2012 (going back as far as SQL Server 2000), Microsoft SQL Server could be purchased as either a Server/CAL licensing model or a (physical) Processor licensing model. Under the Server/CAL model the server was licensed and each user (person or device) needed a CAL. For situations where the number of users was large or could not be counted, Processor licensing was more appropriate as it licensed the server by physical processors regardless of the number of users.

For example, one of my clients has their SQL Server environment running on a quad processor box with each processor having 10 cores. They are running all of their SQL on this environment (approximately 15 virtual servers). To license this under Microsoft SQL Enterprise 2008R2 they licensed it with 4 processor licenses (each allowing up to 4 virtuals of either Standard or Enterprise). To license under Microsoft SQL Server Enterprise 2012 they would license it as 40 (4×10) core licenses. (See the note about “Software Assurance Implications” below). However, under the 2012 licensing this would now allow them to have unlimited virtuals (and since they licensed it with Microsoft Windows Datacenter edition for the operating system they are covered there as well).

Core based licenses will be sold in two core packs. According to Microsoft, the cost for a core license will be priced at ¼ the price of a SQL Server 2008R2 processor license. So, if you’re running a ratio of 4 cores per physical processor the end cost for you shouldn’t change – but anything more than that and your costs will be going up.


  1. All cores in the server must be licensed
  2. A minimum of 4 core licenses required for each physical processor


  1. Individual virtual machines may be licensed (as opposed to all cores in the physical server)
  2. A minimum of 4 core licenses per virtual machine


Microsoft SQL Server 2012 will handle virtualization under two options:

  1. License individual virtual machines (either by server/CAL or by core)
    1. Remember, there is a minimum of 4 core licenses per virtual machine.
  2. License the physical machine for all virtual machines by licensing by physical core and purchasing/maintaining Microsoft Software Assurance.
    1. Licensing this way allows for unlimited virtual machines (this is referring to SQL Server only, don’t forget you still have to license the Microsoft Windows Operating System).
    2. Note the requirement to have SA in order to license all virtuals!

Software Assurance Implications

For customers who have active Microsoft Software Assurance (SA) on their SQL Server licenses as of the release of Microsoft SQL Server 2012, there are some special rules and benefits (read: evaluate your environment to see if you need to acquire some licenses with SA before the release).

Existing SQL Server Processor licenses (Standard or Enterprise) with SA:

May upgrade to SQL Server 2012 at no additional cost.
At the end of the SA benefit term, these licenses will transition to Core licenses at a minimum of 4 core licenses per processor or for the actual number of cores in use. Customers who are using more than should perform a self-inventory (with a tool that will provide an accurate time/date stamped inventory of hardware tied to the SQL Server installations) to ensure that they have documentation to receive all of the core licenses that they are entitled to receive.

Existing SQL Datacenter Processor licenses with SA:

Same as above for Standard or Enterprise but the conversion is a minimum of 8 core Enterprise Edition licenses.

Existing SQL Server Enterprise Edition Server/CAL with SA:

May upgrade to SQL Server 2012 at no additional cost and Enterprise Edition server SA can be maintained through end of term. However, these servers are limited to a 20 core per server license maximum.

At the end of the SA benefit term, these licenses will transition to Core licenses at a minimum of 4 core licenses per processor or for the actual number of cores in use up to the maximum of 20 outlined above. Customers who are using more than should perform a self-inventory (with a tool that will provide an accurate time/date stamped inventory of hardware tied to the SQL Server installations) to ensure that they have documentation to receive all of the core licenses that they are entitled to receive.

Special Rules for Volume Licensing:

Enterprise and Enrollment for Enterprise Application (EAP) agreements that have SQL Server Enterprise enrolled as a product: Can continue to purchase Enterprise edition as Server/CAL or Processor license through the end of their agreement term. At the end of the agreement the licenses will transition to Core licenses as outlined above for SA benefits.

Please note, this right to continue purchasing the Enterprise edition as Server/CAL or Processor license does not apply to Microsoft Select or Select Plus customers unless SQL is on a current EA or EAP.

In my opinion, this is a major change in Microsoft licensing so there is every possibility that things might change a bit between now and when the product is actually released. I recommend making sure you are receiving up-to-date information and are pre-planning for how this change will impact your organization as there are some opportunities to leverage SA benefits at time of license conversion.

FYI, for those wondering…no – as of this time there is no indication that this type of licensing change will be applied to other Microsoft software…but remember, licensing terms are constantly changing!


Unemployed Romanian Hacker Accused of Breaking Into NASA

Wednesday, November 16th, 2011

Romanian authorities have arrested a 26-year-old hacker who is accused of breaking into multiple NASA servers and causing US$500,000 in damages to the U.S. space agency’s systems.

Robert Butyka, 26, was arrested on Tuesday in Cluj, a city in Western Romania, following an investigation by the Romanian Directorate for Investigating Organized Crime and Terrorism (DIICOT).

According to local reports, the hacker used the online moniker of “Iceman.” He does not have a higher education or an occupation, a DIICOT spokeswoman said.

Butyka is accused of hacking into several NASA servers over a period of time that started on Dec. 12, 2010. The authorities claim that the hacker destroyed protected data and restricted access to it.

The charges brought against Butyka include obtaining unauthorized access and causing severe disruptions to a computer system, modifying, damaging and restricting access to data without authorization and possession of hacking programs.

The man will spend 24 hours in police custody while prosecutors seek a court order to extend the detention period. Authorities seized several computers at his home during a raid.

“Through criminal activity, the accused severely affected the operation of computer servers by introducing, modifying and damaging electronic data and restricting access to it,” DIICOT said in a statement. The hacker will be tried in Romania as there is no extradition request in his case.

Butyka is not the first Romanian hacker to break into computer systems belonging to NASA. In fact, the U.S. space agency is a common target for hackers looking to prove their skills.

Victor Faur, a Romanian man who hacked into multiple servers belonging to NASA, the U.S. Department of Energy and the U.S. Navy in 2005, is currently appealing a court verdict ordering him to pay damages of $240,000 to the U.S. government.

Faur received a 16-month suspended prison sentence in November 2008, but he claimed that he didn’t damage the systems he accessed without authorization. According to his legal defense team, the U.S. government failed to provide sufficient proof that would justify the damage calculation.

Another Romanian hacker who calls himself TinKode has built an online reputation by breaking into high-profile servers. TinKode’s list of compromised systems includes multiple NASA Web servers.


The 25 Worst Passwords of 2011

Wednesday, November 16th, 2011

The annual list of the 25 worst passwords is out, based on actual compromises. After all these years, why are “monkey” and “qwerty” still on this list?

Whenever idiotic passwords are discussed, the following story always comes up: five years ago, a group of Slovak hackers breached Slovakia’s National Security Bureau (abbreviated NBU), which stores tons of classified information. It was an easy hack. The NBU’s master login/password was simply nbusr/nbusr123. After cracking it, the hackers publicized the information, much to the NBU’s embarrassment.

What’s even worse? Days later, the password was still “nbu123.”

That was five years ago, but bad passwords still abound. SplashData, a password management app maker, compiled a list of the 25 worst passwords of 2011, based on millions of stolen passwords that were dumped online. Typically after hackers compromise a server, like Sony’s or’s, they post all these personal details online.

Many of the passwords are sequential numbers like “12345” or “654321,” while others contained messages like “letmein” and “trustno1”. Even if you thought you were being clever with “qazwsx,” (look at your keyboard, you’ll get it) it’s number 23 on the list. “Monkey,” “password,” and “qwerty” are ALWAYS on these lists. I know I’m preaching to the choir here but, seriously?

1. password

2. 123456

3. 12345678

4. qwerty

5. abc123

6. monkey

7. 1234567

8. letmein

9. trustno1

10. dragon

11. baseball

12. 111111

13. iloveyou

14. master

15. sunshine

16. ashley

17. bailey

18. passw0rd

19. shadow

20. 123123

21. 654321

22. superman

23. qazwsx

24. michael

25. football
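As an added example (not part of the original article or SplashData's work), the check below uses the 25 entries above as a blocklist for a password-change form. It goes beyond exact matches to catch the patterns the article points out: look-alike spellings, sequential runs, and keyboard walks such as "qazwsx". The substitution table and the keyboard rows and columns are assumptions of this sketch.

```python
import string

# The 25 entries from the list above.
WORST_2011 = frozenset("""
password 123456 12345678 qwerty abc123 monkey 1234567 letmein trustno1 dragon
baseball 111111 iloveyou master sunshine ashley bailey passw0rd shadow 123123
654321 superman qazwsx michael football
""".split())

# Assumption (not from the article): look-alike characters to undo.
LOOKALIKES = str.maketrans("0134578@$", "oleastbas")
NORMALIZED = frozenset(w.translate(LOOKALIKES) for w in WORST_2011)

# Assumption: US QWERTY rows and the diagonal "columns" under each digit.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
COLS = ["1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik", "9ol"]
KEY_LINES = [seq for line in ROWS + COLS for seq in (line, line[::-1])]


def is_sequence(s: str) -> bool:
    """True for runs like '87654321', 'abcdef' or 'aaaa'."""
    if len(s) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1}, {0})


def is_keyboard_walk(s: str) -> bool:
    """Greedy heuristic: s splits into chunks of 3+ keys along one row/column."""
    i = 0
    while i < len(s):
        run = max((n for n in range(3, len(s) - i + 1)
                   if any(s[i:i + n] in line for line in KEY_LINES)), default=0)
        if run == 0:
            return False
        i += run
    return len(s) >= 3


def weakness(candidate: str):
    """Return a reason code if the candidate should be rejected, else None."""
    low = candidate.lower()
    if low in WORST_2011:
        return "listed"
    if low.translate(LOOKALIKES) in NORMALIZED:
        return "lookalike"
    # A listed word with digits or punctuation appended, e.g. 'football2011'.
    core = low.rstrip(string.digits + string.punctuation)
    if core and core != low and (core in WORST_2011
                                 or core.translate(LOOKALIKES) in NORMALIZED):
        return "suffixed"
    if is_sequence(low):
        return "sequence"
    if is_keyboard_walk(low):
        return "keyboard-walk"
    return None


if __name__ == "__main__":
    # Constructed candidates for illustration.
    for pw in ("Monkey", "P@ssw0rd", "football2011", "87654321", "1qaz2wsx",
               "correct horse battery staple"):
        print(f"{pw!r:32} {weakness(pw)}")
```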

Excerpt from

Laser display could mean 3D sans screens

Wednesday, November 16th, 2011

When “Star Wars” projected a hologram of Princess Leia in 1977, lots of viewers surely dreamed that the technology could one day become real.

Some 34 years later, Japanese display company Burton is working on something akin to George Lucas’ vision with a projector that focuses laser light into moving 3D shapes capable of being displayed in air or under water.

If this technology continues to advance, we could one day have 3D experiences without the need for glasses or even a screen. To create the effect, focused laser light excites the naturally occurring oxygen and nitrogen atoms in the air, otherwise known as plasma excitation.

The current prototype can manifest up to 50,000 points of light at 10-15 frames per second, while efforts are already underway to improve that to a film-like 24-30fps. Those cringing at the Unix-esque green scheme can be rest assured this 3D display is not limited to just green: the traditional red, green, and blue color mix can be combined to create full-color 3D moving images.

Burton worked in collaboration with the original developers of the technology, AIST and Keio University.

A device like this put in the hands of marketers would ensure that ads like the 3D Jaws 19 advertisement that scared Marty McFly in “Back to the Future 2” could one day be real. Alternatively, Star Wars geeks could project an image of Endor (and the second Death Star floating nearby) in their basements while giving a solid Admiral Ackbar impersonation.

Source:  CNET

High-resolution microscopy advance could shrink CPUs beyond current limits

Tuesday, November 15th, 2011

Modern life would be very, very different if it weren’t for photolithography, a very simple step in the processes for making an integrated circuit. Essentially, you use a slide projector to project an image of the circuit pattern on a wafer. Exposing the wafer to a light pattern modifies a chemical layer on top of the wafer, creating a mask. The mask allows selected parts of the wafer to be processed to create the circuit.

Despite its relative simplicity, photolithography is the limiting step that governs the rate at which power consumption drops, speed goes up, and the number of transistors increases. As you might imagine, a lot of people have spent a lot of time trying to improve or replace photolithography with a history of success.

There are worries those heady days may be nearing an end, however. Current photolithographic systems are linear optical systems, so the minimum feature that they can project is limited by the size and precision of the optics. Because all optics have a finite size, there is a minimum feature size that can be created, called the diffraction limit.

Current systems go beyond that with a number of tricks, such as changing the refractive index of the material the light travels through after it leaves the projection system, or by limiting the exposure time and double patterning, so each wafer is exposed twice with a slight offset between exposures. These tricks have given us factors of two to three in resolution improvement.

Unfortunately, there seems to be little room left for tricks now, and radical new technology must be introduced. A dark horse option is something near and dear to my heart: a modification to stimulated emission depletion imaging (STED).

STED imaging

STED imaging, as it is currently implemented, is totally useless for photolithography, but it does allow the diffraction limit to be beaten. In a STED microscope, one stains a sample with a fluorescent dye. To image the sample, you illuminate it with two lasers. One laser puts all the dye molecules in the focal point of the laser in an excited state. If left to themselves, the dye molecules will relax by emitting a photon, leaving you with an image with diffraction-limited features.

But, the second laser doesn’t leave the dye to itself. This laser has a special spatial profile that contains a dark area. When it illuminates the sample, it stimulates the dye molecules to emit, leaving only the dye molecules in the dark area in the excited state. They will emit after a bit of a delay. By scanning the dark spot over the sample, an image with a resolution that is the same as the size of the dark spot is created.

The best thing is that the size of the dark area is not governed by the diffraction limit—instead, it is governed by the intensity of the light beam: the brighter the laser, the smaller the dark area. In other words, if you want to see smaller features, crank up the laser power.

It didn’t take people long to realize that this process might be applied to photolithography.

No one took the idea too seriously for two reasons. One problem is that, although you might be able to make features that are 6nm in size, those features will be separated by the diffraction limit. In other words, the feature density is too low. To overcome that, the wafer must be stepped a few nanometers at a time and the different parts of the circuit imaged at each step. If that doesn’t sound like a nightmare, you have never tried to do precision mechatronics before.

The second problem is that you need two masks: the first mask is the standard circuit mask, while the second provides the nodes that thin out all the features to provide the resolution. Alignment of the masks and laser systems would be very, very difficult.

That is what makes this latest bit of research so interesting. It works with just a single mask, making the alignment procedure no more difficult than with current machines. The basic idea is the same, but instead of fluorescent dyes, they use a resist coating that will oxidize in the presence of ultraviolet light. The resist, however, has an unusual electronic state, which I will call a dark state, from which the UV cannot induce the resist to oxidize.

STED meets the dark state

This means that if you illuminate the wafer with UV and with a laser that puts the resist into the dark state, then only those resist molecules that are not in the dark state will oxidize. Indeed, if the laser is powerful enough, oxidation is prevented entirely. The mask, then, is simply designed to introduce dark spots into the laser illumination. The combination of the two light sources results only in exposed features where the laser light is dark.

There are still, unfortunately, a couple of catches. For instance, the mask cannot be an ordinary mask. It has to be produced in such a way that the dark areas get smaller as the laser intensity increases. In principle, it is possible to make arbitrary patterns that do this, but all practical implementations have been either lines—line patterns were used as the example in the work described here—or dots. So, I think there will have to be some thought given to the mask design.

The second problem is that the line spacing is still limited to something like half a wavelength. In the researchers’ example, the closest line spacing was about 300nm, while their linewidth was less than 80nm. To get closer line spacing, you have to move the wafer, which is what the researchers did. When you think about 6nm features—6nm is the best resolution reported by STED so far—then, we are talking about 25 wafer steps just to expose one part of the wafer. If you consider the accumulation of positioning uncertainty, this represents a major technical challenge. For instance, a positioning accuracy of 0.06nm corresponds to an overall line position accuracy of 0.3nm in a 25 step process. That is likely well beyond the error budget allowed in current processes, let alone one that has a feature size of just 6nm.

In this proof-of-principle demonstration, the researchers showed a 78nm feature size—or more than twice that of the current processes. However, in this case, the resolution scales as the square root of the laser intensity, so increasing the laser intensity by a factor 6 (and that is not much to ask), will get the researchers to the same resolution as the current node. The final thing to note is that the oxidation process was a combination of a light controlled, voltage controlled electrochemical process. At present, it simply isn’t very fast, with exposure times in the range of hours. The take home message: there is a lot of optimization to be done, but this looks hopeful.


Seven accused in $14 million click-hijacking scam

Thursday, November 10th, 2011

The U.S. Department of Justice said today that it has uncovered a large, sophisticated Internet scam ring that netted $14 million by infecting millions of computers with malware designed to redirect their Web searches to sites that generated ad revenue.

Six people have been arrested in Estonia and a Russian is being sought on charges of wire fraud and computer intrusion, the FBI said. They are accused of infecting about 4 million computers in more than 100 countries–500,000 in the U.S. alone, including NASA–with malware called DNSChanger. The malware altered the Domain Name Server settings on the computers so they could be automatically redirected to rogue DNS servers and then on to specific Web sites.

In essence, the malware hijacked the computers when certain Web searches were done, redirecting them to sites that would pay them money when people visited or clicked on ads.

“When users of infected computers clicked on the link for the official Web site of iTunes, for example, they were instead taken to a Web site for a business unaffiliated with Apple Inc. that purported to sell Apple software,” an FBI statement said.

In addition, the malware would redirect infected computers searching for Netflix to a business called “BudgetMatch” and searches for the IRS to H&R Block, according to the FBI.

Defendants also allegedly replaced legitimate ads on sites with ads that triggered payments to them. For instance, they are accused of replacing an American Express ad on the Wall Street Journal home page with an ad for “Fashion Girl LA,” and an Internet Explorer 8 ad on with one for an e-mail marketing firm.

Computers became infected with DNSChanger when they visited certain Web sites or downloaded particular software to view videos online. In addition to altering the DNS server settings, the malware also prevented antivirus and operating systems from updating, according to officials.

The defendants allegedly created companies that masqueraded as legitimate advertising publisher networks. The operation began in 2007 and ended in October with the completion of the two-year FBI investigation called “Operation Ghost Click,” the FBI alleges.

The rogue DNS servers used in the operation have been replaced with legitimate servers in the hopes that infected computers will still be able to access the Internet. Owners of infected computers will need to clean the malware off their machines. People can see if their computer is infected by typing in their DNS information on this FBI Web page.

The indictment filed in the U.S. District Court of New York was unsealed today.
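The check described above, comparing a machine's configured DNS servers against the rogue ranges, can be scripted across many hosts. This is an added example, not from CNET or the FBI: the article does not list the rogue ranges, so ROGUE_RANGES holds placeholder documentation networks that must be replaced with the published ranges, and the resolver configurations are constructed samples.

```python
import ipaddress

# PLACEHOLDERS (RFC 5737 documentation networks), not real indicators.
# Replace with the rogue DNS ranges published for Operation Ghost Click.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]


def _ip(token: str):
    """Parse one address, dropping any IPv6 zone suffix; None if invalid."""
    try:
        return ipaddress.ip_address(token.split("%")[0])
    except ValueError:
        return None


def from_resolv_conf(text: str) -> list:
    """Resolver addresses from the contents of a Unix /etc/resolv.conf."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#")[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            ip = _ip(fields[1])
            if ip:
                servers.append(ip)
    return servers


def from_ipconfig(text: str) -> list:
    """Resolver addresses from Windows `ipconfig /all` output.

    Additional servers appear on indented continuation lines with no label.
    """
    servers, in_dns = [], False
    for line in text.splitlines():
        label, sep, value = line.partition(" : ")
        if sep and label.strip().startswith("DNS Servers"):
            in_dns, candidate = True, value.strip()
        elif in_dns and not sep:
            candidate = line.strip()
        else:
            in_dns = False
            continue
        ip = _ip(candidate)
        if ip:
            servers.append(ip)
        else:
            in_dns = False
    return servers


def flag_rogue(servers, ranges=ROGUE_RANGES) -> list:
    """(server, matching range) pairs for resolvers inside a listed range."""
    return [(str(ip), str(net)) for ip in servers for net in ranges if ip in net]


# Constructed sample configurations.
SAMPLE_RESOLV = """\
# constructed sample
nameserver 192.0.2.53   # inside a placeholder range
nameserver 10.0.0.1
search example.test
"""

SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 10.0.0.23
   Default Gateway . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 198.51.100.7
                                       203.0.113.9
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    print(flag_rogue(from_resolv_conf(SAMPLE_RESOLV)))
    print(flag_rogue(from_ipconfig(SAMPLE_IPCONFIG)))
```

A clean result on the host does not clear the network: also check the DNS servers that the local router or DHCP server hands out.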

Source:  CNET

Disaster preparedness and recovery planning – is your company ready?

Friday, November 4th, 2011

Disaster recovery and business continuity planning is something nobody wants to think about, but preparing ahead of time can be the difference between a significant lapse in operations causing irreversible damage to your business and that same interruption being relegated to a minor inconvenience.

Microsoft has provided a valuable resource to help IT and operations managers assess their company’s contingency plans for disaster scenarios.  The disaster preparedness guide and emergency checklist, if nothing more, can provide talking points for your next departmental meeting.  Although the middle of the document devolves into the typical self-promotional Microsoft product bonanza, focus particularly on the beginning and end, as that is where the truly useful assessment tools are found.

As always, Gyver Networks is available to assist you at each stage of the process, from planning to recovery.  Contact us today for a free consultation.

Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege

Friday, November 4th, 2011

Microsoft Security Advisory (2639658)

Executive Summary

Microsoft is investigating a vulnerability in a Microsoft Windows component, the Win32k TrueType font parsing engine. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We are aware of targeted attacks that try to use the reported vulnerability; overall, we see low customer impact at this time. This vulnerability is related to the Duqu malware.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.

Mitigating Factors

  • The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must open an attachment that is sent in an e-mail message.

Advisory Details

Issue References

For more information about this issue, see the following references:

| References | Identification |
|---|---|
| Malicious Software | Duqu |
| CVE Reference | CVE-2011-3402 |
| Microsoft Knowledge Base Article | 2639658 |

Affected Software

 This advisory discusses the following software.

Affected Software
Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2**
Windows Server 2008 for x64-based Systems Service Pack 2**
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1**
Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

**Server Core installation not affected. This advisory does not apply to supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, when installed using the Server Core installation option. For more information on this installation option, see the TechNet articles, Managing a Server Core Installation and Servicing a Server Core Installation. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.

Excerpt from

VMware’s phone software runs one OS for business, another for pleasure

Thursday, November 3rd, 2011

VMWare this week showed off a solution to separate the personal and professional lives of smartphone users – on the same phone.

VMWare’s Mobile Virtualization Platform software essentially places two copies of the operating system on the phone. One, unlocked and modifiable, is for personal use. The other, provisioned by a company’s IT administrator, uses the apps and policies used by the company’s internal network.

In the future, callers will be able to dial one number for business and another for personal use, and reach the same phone, executives said.

The software was originally announced earlier this year at the Mobile World Conference in Barcelona. Phones based on the technology from LG and Samsung are expected “in the coming months,” VMware said. VMware executives showed off the technology running on a Galaxy S II smartphone.

VMWare’s solution addresses the so-called “consumerization of IT,” where consumer devices owned by company employees are being asked to do dual duty as corporate devices. In some cases, that can mean data that should otherwise remain confidential can be exposed to an employee’s child, who picks up the phone.

“You need to separate those two, and give the employee the best of both worlds,” said Hoofar Razavi, director of product management for mobile solutions at VMware. “And, given the choice, every employee would choose to have a single device.”

The solution? Two copies of the phone’s operating system running on the phone, with the more secure corporate environment running in a virtualized state. Doing so will require the phone to “check in” on a regular basis to report its secure status. But that can also be done according to an IT admin’s policies, so a phone could be left out of range while on an overseas vacation, Razavi said.

A demonstration of the Horizon Mobile software was exceedingly simple: on the surface, the Galaxy S II appeared as a standard consumer phone, with the sort of apps and widgets you might use in your own personal life. Tapping a “work phone” icon brought up a screen where Razavi entered a PIN. From there, he was launched inside the work environment. At least in the demonstration, the shift was fast and seamless. When he was finished, another click on a “personal phone” icon brought Razavi back to the original personal phone screen.

In the demo, the virtualized phone even ran a different version of the operating system: Android 2.2, versus the Android 2.3 version used on the “personal” version of the phone.

Provisioning the device requires a manufacturer to add a portion of the software, and then the IT administrator to provision the phone over the air. That process should take between 10 and 15 minutes, Razavi said.

The data and operating systems are isolated from one another, so that recording a long birthday party video, for example, won’t erase sensitive data. But the software also includes a shared notification bar, so that alerts for emails for the work environment can notify the phone in personal mode, Razavi said.


Researchers discover zero-day Windows exploit in Duqu virus

Thursday, November 3rd, 2011

Hungarian researchers have discovered a previously unknown Windows kernel vulnerability that is used by the installer for Duqu, the Stuxnet-like Trojan first detected in October. The researchers at the Laboratory of Cryptography and System Security at Budapest University of Technology and Economics (CrySyS), who were the first to discover the Duqu virus, have reported the vulnerability to Microsoft and other organizations, and a patch is in development.

According to a Symantec analysis of the exploit, Duqu’s installer was delivered to target systems embedded in a seemingly legitimate Microsoft Word document. When the document is opened, the installer embedded in the document is activated, and executes Windows shell code to install the malware’s .DLL and driver file to the system by hijacking Windows’ services control manager.

The shell code discovered in the Duqu worm by CrySyS was written to only allow installation of the virus during an eight-day period in August. Once the virus is installed, it can spread to other computers over networked file shares, and connect back to a command-and-control network over the Internet. Researchers found that when the virus infects systems not directly connected to the Internet, it uses a file-sharing protocol to connect with computers that have Internet access to form a relay back to the command and control network.

So far, confirmed Duqu infections have been reported in France, the Netherlands, Switzerland, the UK, Ukraine, Austria, Hungary, Iran, Sudan, Vietnam and Indonesia. The virus communicated with servers in Belgium, which have been shut down. But it’s unknown if the virus has since been modified and used for other attacks.


Parallels update offers new ways to install Lion and Windows

Thursday, November 3rd, 2011

If you plan on running multiple operating systems on your Mac, one route you can take besides a direct installation like Windows in Boot Camp is to use a virtual machine, which installs the OS within OS X so it and its applications will run alongside your OS X applications.

There are several virtualization options for OS X, including VMware Fusion and Parallels Desktop, both of which offer robust solutions for running multiple operating systems that integrate the guest operating system well with the Mac OS. Recently, Parallels released an update to its latest version of Parallels Desktop that, in addition to a round of bug fixes, includes new options for installing and managing operating systems.

In Parallels Desktop 7, the new Wizard interface for setting up virtual machines has a Convenience Store feature for purchasing copies of Windows, in addition to direct links for downloading and installing other popular operating systems such as Ubuntu, Chrome, and Fedora, and even installing OS X Lion using its Recovery HD partition.

With the latest update, the Parallels Wizard now includes a quick way to access and install the latest Windows 8 developer preview in a virtual machine so you can test out Microsoft’s latest OS. In addition, the update also provides a way to install OS X Lion directly from the Lion installation application that you download from the Mac App Store. While you could previously install Lion from the Mac App Store download, you first needed to open the installer package and access the InstallESD image file directly. Now you just need to select the installer application to install Lion.

While it may seem a bit odd to install Lion within Lion, in some instances it may be a useful thing to do, for example if you wish to test a software package before installing it in your main OS. Sequestering the software on a virtual machine will help you see how it installs and how it may run, and if a problem occurs you can easily remove the virtual machine and set it up again.

The update to Parallels Desktop 7 is available through the Parallels Desktop updater (access this from the Parallels menu within the program), but also can be downloaded from the Parallels Desktop Web site.

Source:  CNET

Symantec uncovers cyber espionage of chemical, defense firms

Tuesday, November 1st, 2011

Hackers targeted about 50 organizations–including chemical and defense companies–in a global wave of cyber espionage attacks this summer, Symantec said in a report released today.

The goal apparently was to steal intellectual property such as design documents, formulas, and manufacturing processes. “The purpose of the attacks appears to be industrial espionage, collecting intellectual property for competitive advantage,” according to the report. (PDF)

Meanwhile, French nuclear power group Areva was reportedly targeted in a cyber attack in September.

The wave of espionage attacks on the chemical and other firms started in late July and continued through mid-September, but command and control servers were in use back in April, the Symantec report said. The parties responsible are believed to have launched other targeted attacks against firms in other industries.

“The attackers have changed their targets over time. From late April to early May, the attackers focused on human rights related NGOs. They then moved on to the motor industry in late May,” the report said. “From June until mid-July no activity was detected. At this point, the current attack campaign against the chemical industry began.”

Targets include multiple Fortune 100 companies that do research and development of chemical compounds and develop manufacturing infrastructure for the chemical and advanced materials industry, and firms that develop advanced materials for military vehicles, Symantec said.

In one two-week period, researchers saw more than 100 unique IP addresses contact a command-and-control server with traffic that appeared to come from an infected machine. The IP addresses were from 52 different ISPs or organizations located in 20 countries, according to the report.

The attackers sent e-mails to employees within the companies, usually pretending to be meeting invitations from existing business partners or to be an important software security update. They were accompanied by an attachment that had a self-extracting executable containing PoisonIvy, a common Trojan that opens a backdoor onto the computer, researchers said.

It’s unclear who is behind the attacks, although the report said the attacks were traced back to a virtual private server in the U.S. that was owned by a resident of China’s Hebei region who is in his 20s. Researchers have given the man the code name of “Covert Grove” based on a translation of his name.

“We are unable to determine if Covert Grove is the sole attacker or if he has a direct or only indirect role,” the report concluded. “Nor are we able to definitively determine if he is hacking these targets on behalf of another party or multiple parties.”

Around the same time as the attacks, other hackers were targeting some of the same chemical companies, sending malicious PDF and DOC files which drop a variant of Backdoor.Sogu, according to the report.

Historically, computer attacks on companies aren’t reported publicly. But reports of attacks on corporations and critical infrastructure providers are becoming more common. In August, McAfee released a report on a cyber-espionage campaign that stole government secrets, sensitive corporate documents, and other intellectual property for five years from more than 70 public and private organizations in 14 countries.

Google was the first big company in recent years to announce an attack on its network. It announced in early 2010 that hackers, probably from China, had attacked it and a number of other companies in targeted attacks designed to steal information.

Source:  CNET