Five year old “new” malware discovered “by Kaspersky”

Yesterday Russian security company Kaspersky has released an analysis of what it claims is previously undiscovered malware, which has come to be known as Salron. Kaspersky’s analysis is incomplete, but contains more detail than was generally available in public beforehand. They admit it’s “probably” been around for five years, and this is true; but it’s not exactly unknown. The unknown group  behind the attacks has become known as Strider, and they’re using a backdoor program called Remsec. Details of this were published by Symantec a week ago.

Kaspersky’s conclusion is that this is a “Nation State” level piece of malware. It’s possible, but other than being very competently produced, I have seen no conclusive evidence to back the claim at this stage, but there’s quite a bit that’s circumstantial. According to Symantic, it’s been used to target relatively few organisations – mostly in Russia, with a Chinese airline and an unspecified embassy located in Europe. In other words, that naughty Mr Putin is at it again. Or is it the Chinese attacking their neighbour?

Based on the public analysis, it was written by some very smart people and avoids the mistakes made in previous systems such as Stuxnet. Kaspersky points to it being a rung up the technology ladder as an indication it was another government-sponsored effort, although in practice, anyone could learn the same lessons and produce a new generation.

AV companies have been detecting this for over a week, and it hasn’t thrown up a large number of infections. This is intriguing. Also, the way it works  to circumvent very specific and uncommon high-end security software indicates its in the APT category.

Microsoft, who’s operating systems it attacks, has yet to comment.

Microsoft Windows Backup Dramas

brokengreenglassAlways take a backup. Everyone knows that. There are plenty of articles on the web singing the virtues of the the new (Windows 7, 8 and 10) backup utility, and how easy it is to use. But none on how to actually restore your data when things go wrong. ‘sfunny that.

A week ago, when my Windows PC decided to scramble its hard disk I felt smug for having followed my long-standing advice. I’d taken an Image Backup of the entire system disk with the applications installed, data files were shadowed on a server (FreeBSD of course) and I had last month’s “User files” Windows backup to bring the system up-to-date (the odd Windows update notwithstanding). And even better, the system was still in a condition to boot albeit with a few warnings about corrupted DLLs, none of which were important.

Ha!

The first stage in any situation like this is to make an exact copy of the trashed drive in case things go horribly wrong. This involves mounting the disk on a working system and copying the drive as data. If you;re reading this because you are having problems, but don’t have the ability to image a drive, please find someone who can do this for you. The remainder of this diatribe assumes that you either know what you’re about, or at least have a safe copy of the disk you’re about to try and resurrect.

Only when the drive is imaged and safe is it okay to to try to boot the machine and run CHKDSK.  No hardware faults were found in this case, but it fixed numerous errors in the directories and it was pretty obvious that nothing on the disk could be trusted. Windows had obviously gone ape and trashed the disk itself. so it was necessary to restore from a Backup Image to ensure the system was clean. And this is where my fun really started.

You have to reboot the PC into recovery mode (Windows RE). This is achieved by holding down a function key on boot  and selecting the “Recovery” option from possible boot disks (details vary by manufacturer), or if you’re running Windows already you can find it under Advanced Options on System Restore – it will reboot to Windows RE mode for you. Then all you need to is select the image you want to restore, which in my case was on the network, so I entered the server details and login as requested. No dice.

Re image Your Computer

An internal error occurred. The following information
might help to resolve the error:

The network location cannot be reached. For information
about network troubleshooting, see Windows Help (0x0800704CF)

The restore utility must be wrong, and a quick Google search threw up some possible explanations. In my case it was nothing to do with the file permissions; it was on a FreeBSD cluster and I’m very confident I have control over the file permissions on that.

So what next? A Windows Image backup (since Windows 7) creates a .vhd file (Virtual Hard Disk). This is Microsoft’s half-arsed equivalent to being able to mount a file as an device and then using an FS on it. You can mount (Attach) a .vhd file from the “Mange Computer” console, using menu that pops up when you right-click on the “Disk Management” part of the tree on the left, which is not obvious. (Even less obvious: to detach it you need to right-click on the left-hand area representing the drive in the partition map on the right).

Please generate and paste your ad code here. If left empty, the ad location will be highlighted on your blog pages with a reminder to enter your code. Mid-Post

So, if Windows RE couldn’t read the image across the network I decided to use Windows itself to copy the files back manually by mounting the .vhd from the backup location. This isn’t that simple; you can’t copy the OS back while it’s running so you need to boot from somewhere else before you finish the job, but its better than a poke in the eye with a sharp stick.

Again, no dice.

“This image was created by a different version of Windows”

What? No way! It was created by this version of Windows; on this PC, no less.

This may have been because, for some bonkers reason, you can’t mount a backup .vhd as read-only, at least the first time its mounted on anything. It doesn’t tell you this, it just says that its an incompatible version. You must un-check the Read-Only box; and if you’re like me, you’ll make a backup of the backup before doing this. But it still didn’t work.

I tried again with the backup .vhd I’d made, largely because it had a much shorter name, and bingo! It mounted and all my files were visible. What’s going on? It wasn’t a permissions issue – of that I’m certain. The only explanation I’ve have is that the path name was too long before, with the Microsoft names being a UUID (GUID). Try shortening the name/path if you can’t mount a .vhd.

Armed with this knowledge that the .vhd really was good, I fiddled the file names and associated links and tried Windows RE image restore again, but with the same 0x800704CF error code as a result. A bit more digging, and it turns out this means that basically the system isn’t talking to the network card, probably because there is no driver. Microsoft’s solution is to install the driver with the disk that came with the card. But this Lenovo PC came with pre-installed Windows and NIC – Microsoft doesn’t supply Windows OEM on a disk any more, never mind a driver CD. One might assume, given that Windows RE happily asked me for network credentials as I supplied it with the network address of the image, that it had the network driver pre-installed. But that would be to sensible.

Rather than messing about looking for a suitable NIC driver and burning it to a CD, I just copied the “WindowsImageBackup” folder to the root of a USB-connected and disk and it restored just fine. Actually, it only worked after I moved the USB drive from its normally USB 3 slot to a USB 2 slot, because presumably Windows RE doesn’t have a driver for USB 3 hardware either. A pattern was emerging.

The image was restored; all my software was back. The only snag is that there were more than 200 Microsoft updates; taking another four hours to install. But at least I knot it’s now a clean install, and as a reward for my hard work I was able to put put of installing the Windows 10 “upgrade” nagware (KB2952664 and KB2976978 if you’re interested – it doesn’t identify itself as such).

So what have I learned from all of this? “Don’t Trust Microsoft”? Well I haven’t trusted a Microsoft backup solution since MS-DOS 2.1, and with good reason. But from now on I’ll always take the trouble to use dd image for imaging drives in future, even if that means taking them out of the PC to do it.

How to stop Microsoft Windows 10 upgrade

Famously, Microsoft announced that the “upgrade” to Windows 10 would be free of charge. How nice of them. Given that historically Microsoft has made a lot of money selling consumer upgrades, this is a little puzzling until you realise what happened to Windows 8 in the commercial IT world. Basically, it’s as popular as a rattlesnake in a bran tub. Commercial users are still demanding, and getting, Windows 7 whilst home lusers have had no choice – having only Windows 8 pre-installed.

Since then, Windows some users have been “encouraged” to “upgrade” to Windows 10 by having a pop-up nag screen turn up on top of their work at regular intervals. This is produced by an update called GWX (“Get Windows Ten” in Roman numerals). An update you don’t seem able to un-install. Nice!

However, Microsoft has bottled out of doing this on Enterprise versions of Windows. They’re not that crazy. Imagine what would happen if every corporate customer got “upgraded” to a version of Windows that didn’t support their bespoke CMS, all at once. Every IT support person in the world would be heading for Seattle with a pitch-fork and flaming touch. ARM and embedded Windows won’t auto-upgrade either; nor (I believe) will machines connected to a domain controller – indicative of being used in a business.

As usual, it’s the voiceless SMEs using Windows 7 Pro that left paying the price for choosing Microsoft, and I’ve heard of plenty of people falling for the nag screen and getting in to trouble.

In repose to customers’ requests, demands and threats of physical violence, Microsoft has told the world how to disable the activities of GWX, in a KB article found here. Basically you have to add the following registry keys and it should stop. To disable OS upgrading add:

Subkey: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DWORD value: DisableOSUpgrade = 1

And to stop the nag screen add:

Subkey: HKLM\Software\Policies\Microsoft\Windows\Gwx
DWORD value: DisableGwx = 1

The free “upgrade” offer only extends until July this year, so it will be interesting to see what happens then. In spite of Microsoft’s threats to drop it, Windows 7 is still being used in new installations, and from where I’m sitting, it’s the default option.

Microsoft Security Essentials hangs during a full scan

First off, can I be clear about one thing – endpoint virus scanners don’t make your computer “secure”. A lot of the most dangerous stuff gets past them, but trusting lusers believe they’re safe and will therefore take risks they outerwise wouldn’t. See my posts and academic papers passim ad nauseam. Now that’s out of the way, I favour Microsoft Security Essentials (or Microsoft Endpoint Security) on Windows as I find it less likely to make the system unusable. I don’t recommend it, except as the least-worst option.

On with the problem…

Sometimes, especially in the last year or so, I’ve found Security Essentials will stall when its doing a background scan. You may not notice its done this, but some symptoms are that web browser file downloads won’t work (it’ll download 100% but never finish) and the PC won’t hibernate automatically using the power-saving settings.

I’ve looked for solutions to this, as well as searching the web for an answer. You’ll often see people posting (without references) that this is bug and Microsoft are working on, or have now fixed it. I’ve tried theories myself to see if it’s caused by compression or archive formats causing a decompresser to break (I’ve noticed this often fits the facts), but this is little help when finding a solution, and even then it sometimes still hangs when the option to check compressed files is turned off.

What I’ve yet to find is anyone giving a real solution, so here it is:

  1. Deinstall Security Essentials.
  2. Download and install Security Essentials.

I’ve never known this not to work. On the other hand, I’ve known all the other theories you see posted on forums fail to work pretty consistently.

 

Microsoft plans to dump OneDrive unlimited and Windows 7

Microsoft continues to lose the plot. This week saw the announcement that OneDrive customers have a year to shift their data way, and business have a year to switch from Windows 7 to Linux Windows 10.

The problem they’re having with OneDrive is that when they sold it on the basis of “unlimited” storage, they didn’t realise the punters would actually believe them. After all, who believes what Microsoft says about any of their products? But, apparently, some credulous customers have been using it for backing up all their stuff and this has caught the folks in Redmond by surprise. So they’re withrawing the product, and users have a (at least) year to shift their stuff off, after which the Office365 subscription would have lapsed anyway. The maximum storage available after that date will be 1Tb, but they have yet explain what will happen to the excess.

And in the same week, Microsoft announced that Windows 7 will no longer be available in a year. It may surprise some to hear that it’s still available, as anyone buying a domestic PC from the high street has only had Windows 8 since 2013. However, if you buy a business machine from a business supplier, chances are it will still have Windows 7 pre-installed, with a set of Windows 8 downgrade disks in the box to satisfy an “everything now ships with Windows 8” clause in some OEM deal. Businesses don’t want Windows 8, and voted with their cheque books to keep Windows 7.

Microsoft now plans to take that choice away, and force everyone on to Windows 10. This is hardly unexpected, but now it’s official. The reasons aren’t clear to me. Okay, Windows 10 has the creepy doll sending user data back at Redmond, in order to deliver a richer user experience (and targeted adverts) and make the world a better place (for Microsoft shareholders). Possibly a case of corporate Google-envy? Is Microsoft so keen on the Google business model that they’d risk hacking off the loyal customers who’ve been buying Windows XP and Windows 7 for years? Ironically, Google is pushing it’s paid-for cloud apps, and I suspect, would like to get a larger revenue stream from selling SaaS.

Listen up, Microsoft. People buy Windows because it runs the applications they want. It has nothing to do with whether the like the colour scheme. Windows XP runs DOS stuff; Windows 7 does, just about, because it has XP emulation. This is a concept known as Backward compatibility, and Intel knows all about exploiting this and making mega $$$ if you need a reminder. Lightweight home users and kids might be impressed by the new and shiny, but business wants something that works, and if it ain’t broke, don’t fix it.

The beneficiaries of this will probably be Linux (including Android), Google GDrive and other cloud storage providers, and alternatives to Office: (Google Docs, OpenOffice.org and smaller companies like SoftMaker. The latter has just released SoftMaker Office 2016, with an offer to make it free for use in schools.

Windows 10 – just say no

I’ve had a lot of people ask me about Windows 10. Here’s the simple answer: No thanks.

Apparently it’s a bit faster than Windows 7 on the same hardware, although I’m not convinced people who say this have tested it scientifically. In other words, it may have been faster as a clean install compared with a crufty old Windows 7 installation, and in theory it could have been written to be fundamentally faster, but actually writing code that’s more efficient that previous versions isn’t really Microsoft’s style. Although the new web browser (Edge) is promising. But will it still be faster when it fully functional (i.e. supports HTML5 and suchlike properly).

That’s the good bit. Everything else is bad compared to Windows 7. Compared to Windows 8, yes, it’s better. That’s from a user’s perspective. From my perspective, it’s a big “no thanks” to the added spyware, telling Redmond exactly what you’re up to all the time and the enforced software updates, that I have an nasty suspicion are going to end up mandatory even on the business (Pro) version. Basically I don’t see what Microsoft has done to restore any trust I once had in them.

If you’ve got Windows 7, stick with it. If you’re on Windows 8 it’s swings and roundabouts but you might want to take a serious look at a Linux instead.

Unfortunately, because this is Microsoft, there’s a good chance that we’ll all be forced to use Windows 10 whether we like it or not. They had the sense to keep Windows 7 for serious users when they rebelled against Windows 8; I somehow see them fighting hard to force the issue when it comes to Windows 10.

Microsoft’s Windows 10 Security Update Plan

The headlines on luser news media are all about Windows 10 being the last ever release of Windows. Apparently Microsoft’s plan is to issue incremental updates thereafter. As those in the know, know, this has always been the way. Microsoft only releases a new version when it wants to flog it to the punters as the next great thing, and it does this by giving the latest snapshot of the code a new name (e.g. Windows 7, Windows Vista). Okay, there have been major step-ups; for example Window 2000 was the marketing name for Windows NT 5.0 (ditching some of the disastrous code in Windows NT 4.x), then came 5.1 – sold to the public as XP. Windows Vista was the next re-write; technically it was Windows 6.0. Confusingly to the punters, 6.1 was flogged as 7 and Windows 8.0 and 8.1 were 6.2 and 6.3 respectively. The reality is that OEM versions of Windows appear frequently, to track the new hardware as it turns up in production machines. It’s only the retail customers that believe in these retail versions. So what is Microsoft really doing?

Well, one effect of having a retail version of Windows is that every three years the punters stop buying new PCs, waiting for the next “version”. As Microsoft actually makes a lot more of its revenue from selling OEM licenses (bundled with PCs) than the retail versions, keeping the hardware manufacturers happy by killing off the boom/bust cycle is probably A Good Thing.

Is Microsoft getting a bit humble, acknowledging that hardware makers have a choice and Windows isn’t the only game in town? I don’t believe they do; the punters want Windows on their desktop PCs, and that’s that. So what is in it for Microsoft?

The clue is in what Terry Myerson was saying at Ignite 2015 in Chicago last week. The new version of Windows will feature greatly enhanced on-line update capabilities, with peer-to-peer patch distribution and a lot more. Patch Tuesday is to be abolished, with updates rolled out on a continuous basis. And all in the name of security.

Let’s play devil’s advocate here, and pretend that Microsoft has other reasons. First off, Patch Tuesday, the monthly release of non-critical Windows updates in an ordered manner, will become obsolete. The policy was originally formulated to avoid patches coming out willy-nilly at odd times in the month and catching IT departments off-guard; and now they’re going back to the old chaotic system. A broken update can knock your IT systems out at any time of the day or night. If this sounds like a recipe for disaster, don’t despair – according to Terry Myerson, patches will be rolled out to the lucky home users first, which means that it can be pulled and business won’t be affected if an update screws up. Enterprise customers will still be given the choice as to which updates they install; it would have been a hard sell to knowledgable IT people otherwise.

Is this actually going to improve Windows security? Peer-to-peer patch distribution? 24/7 patches coming from Redmond as soon as they’re presumed ready? What could possibly go wrong?

Rather than looking at this as a security fix, I think the policy should be taken in to consideration alongside Microsoft’s move towards licensing, rather than selling, software. They want a continual revenue stream and they don’t like their software pirated. Who does? By moving to an OS model that requires the host to be Internet connected and constantly patching itself, it becomes much harder for cracked versions of the OS or applications to exist. (Microsoft’s own applications, that is). Peer-to-peer updates will make updates harder to block. If a crack turns up in the wild, the next day a patch to kill it can appear from Redmond. And if your stop paying the license fee, your copy of Windows stops working. This last aspect isn’t being talked about openly. I’m just guessing here. But considering Microsoft’s penchant for licensed/rented software of recent years, Windows 10 being released with a mechanism that appears ideal for licence enforcement should they ever decide to move to the rental business model, I think it’s a good guess.

Or it could simply be that Microsoft is panicking over the less-than-warm reception the world gave Windows 8/8.1 and had decided that releasing new retail versions frightens the horses.

Error 0x8002007 installing Security Essentials

Good one this! If you’re trying to install Microsoft Security Essentials and it crashes out with Error 0x8002007, clicking on the Help link doesn’t really help.

If you read the technet blurb it relates to the Windows Update service not working, and if you believe this you’re going to waste a lot of time trying to repair it. I did. But the solution was really simple.

If you’re using Windows XP the Microsoft site will give you the Vista/Windows 7 version by default! Hunt around for the Windows XP 32-bit version, download that and it’ll probably work. Just don’t click the “Download Now” button because it doesn’t check which one you need – or give you the choice.

Some genuis programmers at Microsoft didn’t bother to check the version number as soon as start to run the installer. I wonder why not.

The one you get by default is:

mssefullinstall-x86fre-en-us-vista-win7

The one you probably want is:

mssefullinstall-x86fre-en-us-xp