Windows

Sticking to Windows 7 may seem logical for you and your company, but are you aware of all the features you’re missing out on, features which can make daily system administration much easier?

Are you still on the fence about upgrading to Windows 10? Stubbornly sticking to Windows 7 and having no intentions of changing any time soon? Maybe you have some legacy applications that are preventing the move to newer Windows operating systems? Well, part of me cannot really blame you, since Windows 7 was a great operating system, and it may still fully meet the needs of your users.

But what about security, patching, administration? Is Windows 7 offering the same feature set as Windows 10? It may seem like a similar OS, but the newly introduced features brought many cool things, especially for IT professionals. In this post, we’ll give you an overview of some of the compelling features that Windows 10 brought, which make the upgrade a good thing for you as a sysadmin, and for your users as well.

But first, a word on supportability. Windows 7’s current Service Pack is SP1, and there’s no indication that there will ever be an SP2. SP1 came out in February 2011 and Windows 7 entered extended support in January 2015, which means that no new features or capabilities will be introduced to Windows 7. With this in mind, the list below gains more importance.

Security patches will continue to be made available until January 2020, so you won’t be at increased risk from attacks as long as you patch regularly. But the longer you remain on Windows 7, the more likely you are to run into applications you want to run, but cannot.

There are some great features that end users might not care about, but sysadmins will, and these can make a compelling case for the upgrade. Here are the top ones to consider:

1. Security features

Protecting user data and credentials has been taken to a totally new level in Windows 10, even in comparison with Windows 8, let alone the seven-year-old Windows 7 (yes, it’s been that long). Device Guard can help you protect against zero-day attacks in downloads, while Credential Guard helps defeat credential theft, including the dreaded Pass-the-Hash and Golden Ticket attacks, by isolating the Local Security Authority (LSA) with virtualization-based security.

Finally, Windows Defender ATP includes endpoint sensors, analytics, and intelligence to help manage your enterprise security. Combine these with specialized tools like GFI LanGuard to ensure your operating systems and third-party apps are fully patched, and your environment just got a whole lot more secure.

2. Deployment scenarios

Windows 10 can be joined to a local domain and AD environment, or managed through a cloud-based Azure AD environment. This should be very appealing to companies with a more decentralized infrastructure or those that support BYOD and/or remote users. If you’re expecting a PC renewal streak in the next year, it’s obvious that these new deployment scenarios will make your job much simpler and faster, even with remote users.

3. New and improved functions

There have been several core functionality improvements in Windows 10 which raise the bar when it comes to data protection. Sure, BitLocker was introduced back in Windows Vista, but it has now been upgraded to support hardware-encrypted drives, bringing more resilience in remote restart scenarios, and protection against both brute-force and cold-boot attacks. There is also now support for individual file encryption.

4. Administrative enhancements

If you manage your users’ workstations with Group Policy, you will be amazed at the number of additional settings that you can now control using GPO in Windows 10. There are almost 200 of them in total, several of which address security in the operating system or modern versions of the Office suite. Admins can also use the Windows Management Framework 5 on Windows 10, which includes PowerShell 5, with some big gains in performance and functionality over earlier versions.

5. Shell improvements

Two words regarding the command line: copy and paste. Sure, you could do some basic copy and paste in the Command Prompt before, but the mechanism was unique to the shell. Now with Windows 10, Ctrl+C and Ctrl+V work just like they do in any other Windows app. There are also more fonts available, and you now have transparency, which may have little to no practical value, but you know you want it.

Even better, for those of you who still have a Linux box because some things are just easier there, you can run the Ubuntu version of the Bash shell right on Windows. It’s not an emulator or a virtualized shell, or even PuTTY to another box – it’s the Bash shell, running right on your Windows machine.

If you are a power user on Windows 7 with no plan to upgrade your PC to a newer OS, here are a few of the end-user features you’re missing out on. Take a look and see how many of these you would like to have.

1. Better performance on same hardware

On the exact same hardware, Windows 10 runs better than Windows 7, with faster boot up times, smoother transitions from one application to the next, and overall better system performance. If you are trying to get another year or two of life from older hardware, but your users are complaining that their machines are too slow, a straightforward upgrade to Windows 10 will have both perceived and actual benefits for performance.

2. Virtual Desktops

While Linux users have had multiple virtual desktops for years, it’s something that has eluded Windows users unless they wanted to buy an alternative shell. That is, until now. Windows 10 includes multiple virtual desktops, so you can really spread out if you are multitasking. Even without the virtual desktops, the task switcher (Alt+Tab) has been greatly improved, so you can see at a glance what you have open.

3. Edge Browser

Internet Explorer is not dead yet, but Edge is going to give Firefox and Chrome some serious competition for best alternative to IE. Beating many of its competitors in speed, Edge has quickly become the “weapon of choice” of many IT pros sick of Chrome’s memory-eating nature.

4. DirectX 12

The next two features are for the serious gamers, but they are also serious features. Windows 10 has DirectX 12, which in addition to unlocking some new future capabilities, is 10 to 20% faster than DirectX 11 for the same games on the same hardware. That’s another serious performance boost to eke a little more life out of older hardware.

5. Xbox One Streaming

And if you have an Xbox One, you can run your Xbox One games on your console, but play them from your laptop or desktop running Windows 10. This will solve many an argument with roommates or parents, and might even be a welcome boost for those who work from home, but need something to do while their “code compiles.”

Looking at just these 10 features that we’ve highlighted, and there are more of them, it seems that Windows 10 has a lot to offer both you and your users over Windows 7. If the reasons above aren’t enough to convince you, that’s okay, but sooner or later you will come across that third-party application or piece of hardware that won’t run on W7, and you know the clock is ticking on support. So, keep your eye on the calendar, and consider at least using Windows 10 on your new and redeployed systems, or you may find yourself in a situation where you have to upgrade everyone quickly, and that would be painful for all of you.


GFI Blog

Facebook announced on Tuesday the availability of an osquery version that can be used by security teams to quickly identify and analyze threats on their Windows networks.

Osquery is an instrumentation framework designed to allow users to easily and efficiently explore their operating system via SQL-based queries. Basically, osquery exposes the operating system as a relational database where processes, network connections, loaded kernel modules, hardware events and browser plugins are represented in SQL tables that can be easily queried.

The framework was released as open source in October 2014, but until now it had only been available for OS X and Linux. Facebook says its security team has been using osquery to, among other things, collect data on browser extensions running on its corporate network. The information is compared to threat intelligence data, and potentially malicious extensions can be quickly identified and removed.
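The browser-extension hunt described above, as an added example that is not code from osquery, Facebook or the article: osquery is built on SQLite and exposes host state as tables, so the query below is written the way an osquery query would be, and SQLite stands in for the agent here. The extension rows, the threat-intel feed, the extension identifiers and the `host` column are constructed for the example (the real chrome_extensions table has more columns than the four used here); the differential step mirrors osquery's default "report only what changed" logging for scheduled queries.

```python
"""Hunting for known-bad browser extensions the osquery way, simulated with SQLite.

Added example; not osquery's or Facebook's own code. osquery is built on SQLite
and exposes host state as SQL tables, so HUNT_QUERY reads as an osquery query
would. All data below is constructed: the extension rows, the threat-intel feed
and the 32-character extension identifiers are hypothetical. The columns used
(identifier, name, version, path) are a subset of osquery's chrome_extensions
table; 'host' is not an osquery column but the hostname a fleet manager tags
each result row with.
"""
import sqlite3

# Constructed fleet-wide result of `SELECT ... FROM chrome_extensions` at time T0.
SNAPSHOT_T0 = [
    ("ws01", "a" * 32, "Corp SSO Helper", "1.4.0", r"C:\ext\aaaa"),
    ("ws01", "b" * 32, "PDF Viewer", "3.2.1", r"C:\ext\bbbb"),
    ("ws02", "a" * 32, "Corp SSO Helper", "1.4.0", r"C:\ext\aaaa"),
    ("ws03", "c" * 32, "Coupon Finder", "0.9.9", r"C:\ext\cccc"),
]

# Same query a day later: ws02 picked up the coupon extension, ws03 no longer has it.
SNAPSHOT_T1 = [
    ("ws01", "a" * 32, "Corp SSO Helper", "1.4.0", r"C:\ext\aaaa"),
    ("ws01", "b" * 32, "PDF Viewer", "3.2.1", r"C:\ext\bbbb"),
    ("ws02", "a" * 32, "Corp SSO Helper", "1.4.0", r"C:\ext\aaaa"),
    ("ws02", "c" * 32, "Coupon Finder", "0.9.9", r"C:\ext\cccc"),
]

# Constructed threat-intel feed keyed on extension identifier (hypothetical IDs).
THREAT_INTEL = [
    ("c" * 32, "ad injector / search hijacker"),
    ("d" * 32, "credential stealer"),
]

# The hunt itself: osquery-style SQL joining host state against the intel table.
HUNT_QUERY = """
SELECT e.host, e.identifier, e.name, e.version, i.reason
FROM chrome_extensions AS e
JOIN threat_intel AS i ON i.identifier = e.identifier
ORDER BY e.host, e.identifier
"""


def load_snapshot(rows, intel):
    """Build an in-memory database holding one fleet-wide query result plus intel."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE chrome_extensions "
                "(host TEXT, identifier TEXT, name TEXT, version TEXT, path TEXT)")
    con.execute("CREATE TABLE threat_intel (identifier TEXT PRIMARY KEY, reason TEXT)")
    con.executemany("INSERT INTO chrome_extensions VALUES (?, ?, ?, ?, ?)", rows)
    con.executemany("INSERT INTO threat_intel VALUES (?, ?)", intel)
    return con


def hunt(rows, intel=THREAT_INTEL):
    """Return (host, identifier, name, version, reason) for every intel match."""
    con = load_snapshot(rows, intel)
    try:
        return con.execute(HUNT_QUERY).fetchall()
    finally:
        con.close()


def differential(prev_rows, curr_rows):
    """Mimic osquery's default differential logging for a scheduled query:
    report only rows that appeared ('added') or vanished ('removed') between
    two runs, so analysts see change rather than the whole table every time."""
    prev, curr = set(prev_rows), set(curr_rows)
    return {"added": sorted(curr - prev), "removed": sorted(prev - curr)}


def new_hits(prev_rows, curr_rows, intel=THREAT_INTEL):
    """Intel matches among only the rows added since the previous run: the
    alert-worthy subset, with already-cleaned hosts naturally dropped."""
    added = differential(prev_rows, curr_rows)["added"]
    return hunt(added, intel)


if __name__ == "__main__":
    for row in hunt(SNAPSHOT_T1):
        print("match:", row)
    print("delta:", differential(SNAPSHOT_T0, SNAPSHOT_T1))
    print("new hits:", new_hits(SNAPSHOT_T0, SNAPSHOT_T1))
```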

“This proactive technique, known as ‘threat hunting,’ is an important enhancement to traditional detection-based security, but not yet offered by many commercial agents,” Nick Anderson, security engineer at Facebook, said in a blog post.

Facebook ported osquery to Windows with the help of engineers from enterprise security company Trail of Bits, which published a blog post detailing the challenges and benefits.

“Since osquery is cross platform, network administrators will be able to monitor complex operating system states across their entire infrastructure. For those already running an osquery deployment, they’ll be able to seamlessly integrate their Windows machines, allowing for far greater efficiency in their work,” Trail of Bits explained.

Users who want to leverage osquery for their Windows networks will have to build the application themselves from the available source code. For the time being, the tool can only be built on Windows 10. The osquery developer kit includes all the information and scripts needed for the process.

Osquery is one of the open source projects covered by Facebook’s bug bounty program, which means researchers can earn rewards if they find vulnerabilities. It’s also worth noting that osquery is the most popular repository on GitHub in the “security” category – it is even more popular than Rapid7’s Metasploit framework.

Previous Columns by Eduard Kovacs:

SecurityWeek RSS Feed

Microsoft’s new server operating system is finally here, and we’ve prepared a list of the most important new features, including the ones you won’t find on other blogs.

The newest release of Microsoft’s server operating system, Windows Server 2016, hit general availability on September 26th, along with System Center 2016. We’ve been hearing about new and improved things coming in Windows Server 2016 for months, so you most probably know about the container support and the improved security and networking tools. Maybe you’ve even used some of them in the technology preview versions.

But in case you’ve been holding out for GA, or your working day consisting of endless tickets simply doesn’t allow you to find time to try out betas and technology previews, we’ve prepared a closer look at the top 10 features in Windows Server 2016 that every sysadmin needs to know about.

Nano Server, the next evolution of Server Core, is an even more stripped-down version of Windows Server 2016. A Nano Server must be managed remotely and can only run 64-bit applications, but it can be optimized for minimum resources, requires far less patching, restarts very quickly, and can perform a number of specific tasks very well with minimal hardware.

Good uses for Nano Server include IIS, DNS, F&P, application servers, and compute nodes. So if you liked Server Core, you will love Nano; and if you never really understood Server Core, you should give Nano a chance, especially if patching and downtime are challenges in your 24×7 shop.

Windows Server 2016 comes with PowerShell 5.0, part of the Windows Management Framework 5.0. There are many improvements in PS5 (you’ll find a complete list in this blog post), including support for developing your own classes, and a new module called PackageManagement, which lets you discover and install software packages from the Internet.

The Workflow debugger now supports command and tab completion, and you can debug nested workflow functions. To enter the debugger in a running script you can now press Ctrl+Break, in both local and remote sessions, and also in a workflow script. And PS5 now runs on Nano Server directly, so administration of this lightweight server platform is made even simpler.

Windows Server 2016 offers two kinds of containers to improve process isolation, performance, security, and scalability. Windows Server Containers can be used to isolate applications with a dedicated process and a namespace, while Hyper-V Containers appear to be entire machines optimized for the application.

Windows Server Containers share a kernel with the host, while Hyper-V Containers have their own kernel, and both enable you to get more out of your physical hardware investments. On top of this, Microsoft announced that all Windows Server 2016 customers will get the Commercially Supported Docker Engine at no additional cost, enabling applications delivered through Docker containers to run on Windows Server on-premises installations or in the cloud, on Azure.

WS2016 brings some huge improvements to Active Directory, security, and identity management, such as Privileged Access Management (PAM), which restricts privileged access within an existing Active Directory environment. In this model you have a bastion forest, sometimes called a red forest, which is where administrative accounts live and which can be heavily isolated to ensure it remains secure. Just-in-Time administration, privileged access request workflows, and improved auditing are all included, and best of all – you don’t have to replace all of your DCs to take advantage of this.

“Just Enough Administration” is a new capability in Windows Server 2016 that enables administrators to delegate anything that can be managed through PowerShell. Do you have a developer who needs to be able to bounce services or restart app pools on a server, but not log on or make any other changes? With JEA you can give him or her exactly those abilities, and nothing more. Of course, you may have to write some PS1s to let them actually do that, but the point is that now you can.

Customers who want to set up highly-available RDS environments, but not go to the trouble and expense of setting up HA SQL, can now use an Azure SQL DB for their Remote Desktop Connection Broker, making it both easier and less expensive to set up a resilient virtual desktop environment.

The RD Connection Broker can now handle massively concurrent connection situations, commonly known as the “log on storm”, and it has been tested to handle more than 10k concurrent connection requests without failures.

Software-defined storage enables you to create HA data storage infrastructures that can easily scale out, without breaking the bank. With software-defined storage, even SMBs can start to take advantage of high-availability storage within existing budgets.

Three new features take center stage: Storage Spaces Direct enables you to combine commodity storage hardware with software-based high availability, providing performance for virtual machines; Storage Replica replicates data at the volume level in either synchronous or asynchronous mode; and Storage QoS guards against poor performance in a multitenant environment.

If you have set up an NTP server on your network, or subscribed to NTP services from an NTP pool, you know how important accurate time can be. Typically, Windows environments were less worried about accurate time, and more concerned with a consensus of time, with a five-minute drift being acceptable.

Now in Windows Server 2016, the new time service can support up to a 1ms accuracy, which should be enough to meet almost all needs – if you need more accuracy than that, you probably own your own atomic clock.

Immensely valuable in a virtualization environment, software-defined networking enables administrators to set up networking in their Hyper-V environment similar to what they can in Azure, including virtual LANs, routing, software firewalls, and more.

You can also do virtual routing and mirroring, so you can enable security devices to view traffic without expensive taps.

There are so many security improvements in Windows Server 2016 that we could do an entire post just on that, which, as a matter of fact, we will in the coming weeks. For now, be aware that WS2016 includes improvements to protect user credentials with Credential Guard and Remote Credential Guard, and to protect the operating system with Code Integrity, with a whole host of improvements with virtual machines, new antimalware capabilities in Windows Defender, and much more.

As stated on the Windows Server team’s blog post announcing the new version, Windows Server 2016 is immediately available for evaluation, and will be available for purchase with the first October price list, while volume licensing customers will be able to download fully licensed software at General Availability in mid-October.

Watch out for new posts on this blog for more information on Windows Server 2016, as we will take a deeper dive into some of the most significant features for SMB organizations, as well as a much closer look at the security improvements in the next few weeks. You can subscribe here and get the new blog post announcements directly in your inbox.

Until then, please leave a comment below and let us know what feature you find most interesting or have been particularly looking forward to.


GFI Blog

Threatpost | The first stop for security news
October will mark a major shift in the way Microsoft structures its Patch Tuesday release for many users and experts worry the new monthly Windows rollup will force companies to accept more risk in order to avoid compatibility issues.

Microsoft previously announced it would be changing the Patch Tuesday structure in October for Windows 7 and Windows 8.1 users to the so-called "Monthly Rollup." With this change, fewer patch bulletins will be bundled into separate update packages for Internet Explorer, the Windows platform and the .NET platform, removing the ability to pick and choose individual patches to apply. Microsoft claims this will create a simpler process and reduce update fragmentation.

The change is similar to the structure of patch updates for Windows 10, but according to Chris Goettl, product manager with Shavlik, the Windows rollup for older platforms will allow more flexibility for IT staff.

"Windows 10 has all updates in a cumulative bundle each month which is more strict than the servicing change being implemented on pre-Windows 10 systems next month. At least on the earlier platforms, enterprises will be able to choose a security only bundle instead of the cumulative rollup for Internet Explorer and OS each month," Goettl told SearchSecurity. ".NET is also a separate rollup, unlike on Windows 10, so this change levels the field a bit but even with the change Windows 10 is still more restrictive."

Microsoft has had a mixed history with patch releases, requiring IT administrators to test patches to ensure there are no issues with compatibility and to ensure patches don't introduce new problems in software.

Tyler Reguly, manager of security research at Tripwire, pointed out that "administrators and security professionals have commented negatively on the Windows 10 model since it was released" and said the new Windows rollup for older platforms won't reduce the need for testing.

"Enterprises need to ensure they have large test labs setup with a full cross-section of their production environment available for testing as it is very unlikely that we'll see the remainder of the year pass without any negative interactions from these patches," Reguly told SearchSecurity.

However, Bobby Kuzma, system engineer at Core Security, said he isn't "terribly fond of forced updates without enterprise approval" such as those on Windows 10, where enterprises need to pay in order to have the option to delay patch installs, but Kuzma admitted there's "a huge hygiene and herd immunity benefit to enforcing updates automatically."

"Instead of having hundreds of possible combinations to test, they only need to test the one rollup. Being able to rely on consistent states of software deployment will help simplify troubleshooting, as well as reducing the vulnerability management burden," Kuzma told SearchSecurity. "Yes, there may be compatibility issues with certain applications, but I look at that largely as a vendor problem. One of the reasons that Microsoft has vulnerabilities that tend to crop up across multiple operating system versions is that they go to huge lengths to maintain compatibility, which often means porting buggy code from version to version because that's expected behavior."

But experts worry it will leave users with a choice of updating and risking compatibility issues or not updating at all. The Windows patch options for Windows 7 and 8.1 will allow users to delay a monthly rollup, but that rollup will stack on to the next month's package.

Goettl said the new structure could present more risk because while there will be fewer bulletins, there will be more CVEs per bulletin once the change is made.

"The bottom line here is exceptions due to application compatibility issues will become more compounded from a risk perspective. Companies will have to do more rigorous application compatibility testing to ensure things don't break when these larger bundled security updates are pushed to systems," Goettl said. "If there is a conflict, vendors that conflict with the updates are going to be under more pressure to resolve issues. Where companies may have accepted an exception for one or two vulnerabilities, an exception that causes 20 vulnerabilities to go unpatched will have a very different reaction."

Amol Sarwate, director of Vulnerability Labs at Qualys, Inc., said it may not be bad for everyone.

"Monthly rollup is a good idea for most users, as it removes the burden of keeping track of which patches are needed and which ones are installed. As every month's rollup supersedes the previous month's rollup, it should be easy to keep track of whether you are up-to-date," Sarwate said. "But the disadvantage of the all-or-nothing approach is that if one patch has a stability or usability issue then it cannot be selectively forbidden. Another point to note is that previously shipped patches will not be included in the October roll-up and will instead be eventually rolled up in the upcoming year or so. This may create more work in the short run for administrators to keep track of which past [knowledge base] is rolled up in each month's update."


SearchSecurity: Security Wire Daily News

A relatively new Windows Trojan is capable of loading malicious applications onto Android and iOS devices connected to the infected machine via USB.

The threat, dubbed “DualToy” by Palo Alto Networks, has been around since January 2015. While the malware has mainly targeted users in China, the security firm reported that individuals and organizations in the United States, United Kingdom, Thailand, Spain and Ireland were also impacted.

Researchers discovered more than 8,000 unique DualToy samples. Earlier variants were only capable of infecting Android devices, but the Trojan’s developers added iOS capabilities within six months after the threat was first spotted.

On infected Windows PCs, DualToy injects processes, modifies browser settings and displays ads. When an Android or iOS device is connected to the infected PC via USB, the malware starts conducting various activities.

The malware’s developers are counting on the fact that when a user connects a mobile device to the infected computer, that device is likely already authorized, making it easier to use existing pairing records to interact with it in the background.

“Although this attack vector’s capability can be further limited by additional mechanisms (e.g., ADB enabling, iOS sandbox) which make this threat not so severe, DualToy reminds us again how attackers can use USB sideloading against mobile devices and how malware can be spread between platforms,” Palo Alto Networks researcher Claud Xiao explained in a blog post.

In order to infect Android and iOS devices, the Trojan checks for the presence of the Android Debug Bridge (ADB) and iTunes on the compromised Windows machine. If these applications are not found, the malware downloads and installs them.

ADB and iTunes are used by DualToy to install various applications on Android and iOS devices connected via USB to the infected computer. In the case of Android, several Chinese-language games were downloaded from a third-party app store.

On iOS phones and tablets, the malware collects system information and sends it back to its command and control (C&C) server. The data includes the device’s name, type, version, model number, serial number, IMEI, IMSI, firmware, and phone number.

DualToy also downloads several .ipa files (iOS application archives), including one that asks users to provide their Apple ID and password. The harvested credentials are encrypted and sent to a remote server.

This app, named Kuaiyong, is a third-party iOS app store, similar to ZergHelper, which in February managed to slip through Apple’s review process and made it onto the official App Store.

Palo Alto Networks has compared DualToy to AceDeceiver and WireLurker, both of which target iOS devices when they are connected to an infected computer.

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed



Sophos rushed to release an update over the weekend after system administrators started complaining that the security firm’s products had flagged a legitimate Windows file as malicious.

Users of Sophos Home, UTM, Central and Enterprise Console products were notified that the Troj/FarFli-CT malware was detected in C:\Windows\System32\winlogon.exe, a component of the Windows login system.

Winlogon.exe is known to be abused by malware, but an error in one of Sophos’ endpoint protection verification systems caused products to detect the file as a threat even without the presence of an infection, leading to blue or black screens in some cases.

According to Sophos, the false positive affected a specific 32-bit version of Windows 7 SP1. The vendor said it had released a fix within hours after learning about the problem.

“Based on current case volume and customer feedback, we believe the number of impacted systems to be minimal and confined to a small number of cases,” Sophos said. “The most common impact to our customer base is that some administrators may need to clear several erroneous alerts from their administrator consoles.”

After the fix is applied, affected users might have to clear the false positive alerts in their product’s console.

Some affected customers took their frustration to Twitter where they complained about the impact of this incident and the long waiting times for reaching the security firm’s tech support.

Problematic false positives and updates are not uncommon. In past years, such issues have hit companies such as Microsoft, Panda Security and Norton. In one of the more recent incidents, an update released by ESET for home and business products prevented users from accessing many popular websites, including eBay, Amazon and Google.

A study conducted last year by Damballa showed that erroneous malware alerts cost organizations roughly $1.3 million per year.

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed