
Nano Server notes, Part SDK

I don’t have the dedication to it that PJ Naughter does, but when these variations on the Windows OS theme are released I’m interested in version numbers and product type flags, too. The last time I looked at Nano Server was with Windows 2016 Technical Preview 3 last year; now with TP5 out, I took a look at what the numbers say now:

WinNT Version 10.0.14300, Type 0x03, Suite 0x0110, ProductType 0x00000090, “14300.rs1_release_svc.160324-1723”

From left to right, that starts with OSVERSIONINFO(EX) data: major/minor version (10.0), build number (14300), product type (VER_NT_SERVER), and suite mask (the VER_SUITE_TERMINAL and VER_SUITE_SINGLEUSERTS …

Nano Server notes, Part 2

Fixing the time zone in a “new” Windows VM guest always bugs me. This is one of those pet peeves that fortunately only has to be fixed once. Changing the time zone in Windows was designed for the real world, where a mobile device physically changes time zones; Windows just changes the UTC offset. In the virtual world, guests often start with the host time, but not the host’s UTC offset; for new Windows VM guests that assume the BIOS clock is local time, we have to change both. Actually, the local time is correct and changing the UTC offset messes up the …

Nano Server notes, Part 1

Microsoft released Windows Server 2016, Technical Preview 5 (TP5) somewhere around the middle of last week and all I found time to do at the time was go download the ISO image from TechNet Evaluation Center.

My main curiosity is Nano Server; I missed TP4 (more or less) and last spent time with the TP3 release last year shortly after the Windows 10 RTM build. Nano Server has a smaller footprint than even a Windows Preinstallation Environment (WinPE) build, and given that it’s “headless” and 64-bit only, I was interested to see what types of my utilities would run. …

Locky, Cerber ransomware still expecting, targeting UAC

Today was a heavy spam day, with the bad guys installing Locky and Cerber crypto-ransomware (among other things) where they could. Ransomware like Locky and Cerber is a novelty again after dropping off the mainstream news radar for long enough, but it never left the stage. Today’s Locky and Cerber samples show they are still defeating the “Admin Culture” of Windows, even while they are targeting the minority of users that don’t run as full admins.

Locky and Cerber are still targeting User Account Control (UAC), but their success lies with users that are still running Windows XP or have turned off …

“Oh no, not again.”

I got what I paid for: those Windows laptops were cheap, but then that’s because they were…cheap.

It isn’t just the crapware that has to be removed; some OEMs leave behind a nasty “birth defect” in the security of the Windows machine. TL;DR: if you’re going to lock down that laptop you bought, do that first — it’s likely going to require a clean reinstall.

Duo Labs recently published a paper on current OEM practices in other areas of system security that nicely sums up the problem: “Bring Your Own Dilemma”

I bought two Acer laptops 3-4 years ago with Windows …

Microsoft patches AppCompat UAC bypass vulnerability

As an addendum to two previous posts, Microsoft recently issued an optional patch for Windows 7 Service Pack 1, Windows 8, and related Windows Server versions to address the User Account Control (UAC) bypass vulnerability that downloader and installer malware have been using for the past several months. Microsoft KB article 3045645, “Update to force a UAC prompt when a customized .sdb file is created in Windows,” was released last week as a part of a set of optional Windows updates and can be installed via Windows Update in the Control Panel or by manual download and …

More Upatre privilege escalation

It looks like the Upatre downloader malware has added a new tool that takes advantage of PCs that are missing Windows Update patches from last fall (well, last Northern Hemisphere fall). In the past few weeks, newer versions of the Upatre malware can silently elevate their payload (the closely-coupled Dyre/Dyreza banking malware) to run as full admin. These newer versions are using a vulnerability that Microsoft patched in October; however, if a PC is not patched, even non-admin users tricked into running Upatre can have the malware elevated to SYSTEM.

Upatre continues to incorporate the AppCompat UAC bypass technique …

Malware using AppCompat for automatic UAC elevation, continued

As noted last time, a blog from last month already documented how the dropper for the Dridex banking trojan uses the UAC auto-elevation feature introduced with Windows 7 along with an Application Compatibility (AppCompat) “shim” to invisibly elevate to full admin on the local machine:
http://www.confer.net/kill-chain-the-confer-blog/80-firewall-rule-changes-and-compatibility-trickery

Dridex is currently being delivered via a separate “wave” of workday/weekday spam emails that attach Office files with VB macros. (Those macros then go off and download the Dridex dropper/installer.) The Dynamoo blog analyzes a lot of these; for example, here’s one from today:
http://blog.dynamoo.com/2015/02/malware-spam-minuteman-press-west-loop.html

The Dridex dropper uses the same auto-elevate bypass …

Upatre downloader malware using AppCompat for automatic UAC elevation

Upatre is a trojan downloader that accompanies workday/weekday spam email (often via the Cutwail spam botnet). Sometimes it is delivered by persuading us to click on a link to a malicious website; sometimes it is attached to the email, with the message persuading us to open the attached document. Once started, Upatre’s primary downloads (if not its primary download) are banking trojans — originally Gameover Zeus, now Dyreza. Over its life Upatre has evolved in several areas, including how it installs the downloaded payload; its usage of a recent technique to automatically gain full admin rights for itself and its delivered …