A pirated version of Windows 7 Release Candidate infected with a Trojan horse has created a botnet with tens of thousands of bots under its control, according to researchers at security firm Damballa.
The software, which first appeared on April 24, spread as quickly as several hundred new bots per hour, and controlled roughly 27,000 bots by the time Damballa took over the network's command and control server on May 10, the firm said Tuesday.
The pirated software was spread via popular piracy sites and online forums, Damballa said.
The software is primarily designed to download and install other malicious packages under a "pay-per-install" scheme, under which the botmasters are paid based on the number of other pieces of malware they cause to be installed, Damballa said.
Infected installations are continuing to appear at a rapid rate, according to the company.
"We continue to see new installs happening at a rate of about 1,600 per day with broad geographic distribution," Tripp Cox, Damballa's vice president of engineering, said in a statement. "Since our takedown (of the command and control server), any new installs of this pirated distribution of Windows 7 RC are inaccessible by the botmaster."
However, the botmaster still controls the existing installations, Damballa said. The infected systems are mainly concentrated in the U.S., with 10 percent, and the Netherlands and Italy, with 7 percent each.
Windows 7 RC has been used as a lure by other malware distributors since its launch on May 5, according to security experts. On Monday, Trend Micro said it found the Trojan horse TROJ_DROPPER.SPX masquerading as a copy of the release candidate.
Botnets are one of the most serious threats on the Internet, according to security experts, and are typically used to carry out denial-of-service attacks or phishing schemes or to send junk mail. Last month, SecureWorks researcher Joe Stewart suggested that technology was not enough to stop botnets, arguing that the IT industry should look to new law-enforcement measures.
The legitimate version of Windows 7 RC is available from Microsoft's Web site.
Matthew Broersma of ZDNet UK reported from London.
Microsoft has failed to remove a long-recognized Windows Explorer security risk from Windows 7, according to security company F-Secure.
The "hide extensions" feature, which was present in Windows NT, 2000, XP, and Vista, is also included in the Windows 7 release candidate, Mikko Hypponen, F-Secure's chief research officer, said Tuesday in a blog. The feature could allow virus writers to trick users into opening and running malicious files, he added.
"In Windows NT, 2000, XP and Vista, Explorer used to hide extensions for known file types," Hypponen said. "And virus writers used this 'feature' to make people mistake executables for stuff such as document files."
For example, malicious code writers could name a "virus.exe" file as "virus.txt.exe" or "virus.jpg.exe," he said. Windows Explorer would then hide the .exe part of the filename, meaning that the user would only see "virus.txt" or "virus.jpg." Additionally, virus writers could change the icon displayed with the file in Windows Explorer so it looks like the icon of a text file or an image. Users might then click on the disguised file.
The blog post appeared on the same day that Microsoft had been scheduled to make the Windows 7 RC1 available for download to the public, although the OS release did in fact arrive early. Microsoft made its Windows 7 release candidate available to MSDN and TechNet subscribers Thursday. Microsoft hasn't yet given a release date for the final product.
Microsoft had not responded to a request for comment at the time of writing.
Tom Espiner of ZDNet UKreported from London.
In the wake of the Conficker worm spreading via removable storage devices among other methods, Microsoft said on Tuesday it is making a change to the way Windows 7 handles USB drives.
As a result of the change, most USB drives will not be able to automatically launch a program using a Windows feature known as AutoRun, Microsoft said in a post on its Security Research & Defense Blog.
So, if an infected USB drive is inserted on a machine then the AutoRun task will not be displayed, Microsoft said.
Fixed removable media, such as CDs and DVDs will still be able to use AutoRun. Also, some specialized "smart" USB flash drives such as those containing U3 software will still be able to appear as DVD drives, effectively allowing them to also use AutoRun, Microsoft cautioned.
The change will show up in the release candidate version of Windows 7 that is being released to developers this week and publicly on May 5.
Microsoft said it is planning on making the change available on Windows Vista and Windows XP, as well.
In February, Microsoft released an update for Windows AutoRun that allows people to selectively disable the AutoRun functionality for drives on a system or network to provide more security. The update addressed an issue that prevented the NoDriveTypeAutoRun registry key from functioning as expected. Disabling AutoRun functionality can help prevent the execution of arbitrary code when a removable storage device is used.
The AutoRun functionality has been blamed for malware that has infected USB thumb drives, leading to a temporary ban on their use at the U.S. Defense Department, and digital photo frames, among other storage types.
Microsoft detailed additional security features in Windows 7 during the RSA security conference last week.
Before the change, the malware is leveraging AutoRun (box in red) to confuse the user.
(Credit: Microsoft)
After the change, AutoRun will no longer automatically launch when most USB drives are attached, so the AutoPlay options are safe.
(Credit: Microsoft)
With Windows Vista, alerts pop up any time a change is being made to the system. In Windows 7, a user can choose how often to get such warnings and, by default, alerts are shown only when it is a piece of software trying to make the changes to a system.
(Credit: CNET News)Microsoft is facing increasing heat over the security implications of a change designed to make Windows 7 less annoying than its predecessor.
One of the chief complaints with Windows Vista is frustration with all the warnings that pop up to notify users that changes are being made to the operating system. With Windows 7, Microsoft has changed the feature so that users see fewer messages by default and also so they have more control in deciding how often they are notified.
The problem, say some, is that by making the prompts less frequent by default, Microsoft is potentially paving the way for malicious software to makes changes without the user's consent.
Jon DeVaan
(Credit: Microsoft)Unlike with Windows Vista, where users were alerted of all major changes to their system, the default setting in Windows 7 provides users with warnings only when it is a piece of software on its own making the changes.
Blogger Long Zheng has detailed several issues he says are created by that change. Last week, he noted that the changes could allow for malicious code that would turn the prompts off entirely without warning the user.
In recent days, Zheng said he notified Microsoft of a second issue in the Windows 7 beta, which he went public with on Wednesday. The latest issue, he says, could allow a program to elevate its rights to administrator level without properly notifying the user.
Microsoft said that latter issue, which still would require malware to make it onto a system, has been fixed in a more recent build of Windows 7 issued internally. That fix is likely to make its way to the public when Microsoft reaches its next public milestone, a so-called "release candidate" build.
As for the broader issue with regards to the User Account Control (UAC) feature, Microsoft says that the criticisms don't take into account real-world behavior. With Vista, the prompts were seen as so annoying by average users that many were ignoring the warnings or turning them off entirely, said Jon DeVaan, the head of Microsoft's core operating system development unit.
"It is pretty clear that we drove...that behavior," DeVaan said in an interview on Wednesday.
He likens it to a recent move by his bank to increase its security measures. By making the system harder to use, DeVaan said the main change in behavior it prompted was for him to consider changing banks.
Although in the abstract it may seem like Microsoft is making the system less secure by default, DeVaan said that the company's real world testing shows that users will actually pay more attention to the prompts when they see fewer of them.
DeVaan also said that the recent wave of criticism also ignores the advances that Windows 7 has made in reducing the likelihood of malware making it onto the system in the first place. Internet Explorer 8, which is built into Windows 7, offers protection against new types of attacks, such as clickjacking.
"Those are designed to help people know before someone is trying to compromise the system," DeVaan said. "In the current feedback we are seeing from people, there has not been any addressing of those parts we have improved."
Mounting concerns
Still, some critics say the changes to UAC are ill-advised.
"You are trading some security for the benefit of fewer prompts," said John Moyer, CEO of BeyondTrust. Moyer, whose firm creates software to allow businesses deeper control over which applications get elevated privileges, has been a longstanding critic of the degree to which the UAC feature can mitigate security risks.
Chris Wysopal, chief technology officer at security provider Veracode, said while the changes Microsoft made in ratcheting down the security feature don't constitute a vulnerability in the true sense of the word, they do create a risk for end users.
"Microsoft has chosen by design to include a setting in the UAC, which really renders UAC off, since at medium setting malware could turn it off. It's not clear that they thought through all the implications of the medium setting," he said. "The confusion stems from the fact that this is the medium setting, not off, but its behavior can lead to it being turned off by malware. If the user thinks they are getting some protection with this setting but they are not, it is a problem."
But, others acknowledge that the issue of how and when to prompt users is a thorny one.
"Security and usability are often a trade off, unfortunately," said McAfee spokesman Joris Evers. "If you get heavier locks and security on your house, it often takes you a bit more time to get in and out. If it is too much work every day, you may end up removing some of the locks, or leaving them unlocked, for convenience."
Nitesh Dhanjani, a security expert and senior manager at Ernst & Young, said even if its goals were laudable, there is probably more work that Microsoft can and should do.
"Even though the Windows 7 team has made good choices in reducing the number of UAC prompts, I feel there are further improvements they can make, such as mapping hardware events to software events to further reduce user interaction," Dhanjani said. "I can see how this may be a more complex solution than what it immediately appears to be."
Some have suggested that Microsoft should change the default setting so that, at a minimum, changes to the UAC settings, would always require user approval.
DeVaan said Microsoft is still evaluating whether it will make changes to either the UAC settings or to the default option before the operating system is shipped in final form.
"We're taking every piece of feedback seriously and carefully considering it," he said.
CNET News' Elinor Mills contributed to this report.
Microsoft's efforts to make Windows 7 less annoying than Vista may also be making it less secure than its predecessor.
With Windows Vista, the operating system popped up a warning any time a major change was being made to the system, whether by the OS or by a third-party application. With Windows 7, users can choose how often to be notified, with the current default set to notify only when a third-party application is making a change.
Blogger Long Zheng, however, is drawing attention to an apparent shortcoming in that approach. Because changes to the user account control setting itself are being made within the OS--and not by a third party--malicious code could turn off such alerts entirely with the user getting little notice that such a change had been made. Zheng said he and fellow blogger Rafael Rivera have come up with a simple proof-of-concept code to show the vulnerability.
Microsoft is trying to thread a difficult needle here. The prompts issued by the User Account Control program, though annoying, help alert users to changes to their system. But if the prompts are so annoying that people turn off the setting--or stick with older operating systems--than things aren't secure either.
Zheng proposes, at a minimum, that Microsoft's default setting also warn users if a change is being made to UAC itself. That seems reasonable to me.
A Microsoft representative was not immediately available for comment.
Windows 7's "Action Center" alerts users if they don't have antivirus software installed, pointing them to a Microsoft Web site with links to download various antivirus software products.
(Credit: CNET News)Despite the fact that security programs are often some of the toughest code to make work with a new operating system, Windows 7 already has several companies ready with products aimed at keeping it safe from attackers.
By comparison, only one antivirus firm--McAfee--had its security software commercially ready by the time Microsoft launched Vista for businesses in November 2006.
That said, it stands to reason, given that Microsoft was making far more dramatic changes to the operating system's underlying architecture in Vista than it is in Windows 7.
This time around, it is AVG, Kaspersky, and Symantec that have products that are being touted from Microsoft's site. McAfee said it will have support by the time Windows 7 launches, while Trend Micro is working to have a compatible product in the next month or so.
"It is great to see that these partners were able to have their solutions working so early in our development process," Microsoft's Brandon LeBlanc said in a blog posting.
Dave Cole, a senior director of product management at Symantec, said his company decided to offer up a test version of its Norton 360 product for use with Windows 7, even though the company knows there are still a few things left to work out.
"We determined that we could run reasonably well under Windows 7," Cole said. "There are bugs that we know about, but we're comfortable enough with the effectiveness of the product that when they called us to participate we took them up on the offer."
Having the support lined up is important to Microsoft, which built an "action center" into the operating system that warns users if it detects there is no antivirus software installed. The action center then points to a page on Microsoft's Web site with links to Windows 7-compatible security software.
The page lists Kaspersky, AVG, and Norton, but adds that "Microsoft is actively working with additional security software independent software vendors (ISVs) so that security software solutions will be available for Windows 7 Beta and (the final release of) Windows 7."
As far as Windows 7's approach to security, it appears to draw heavily from the investments the company made with Windows Vista.
The most notable change is probably the fact that users now have the option to choose how often they are required to authorize changes to their system. One of the most frequent criticisms of Vista was the annoyance of the User Account Control dialog boxes that forced users to authenticate many types of changes to their systems.
Microsoft spent a fortune securing Vista, both in engineering new features as well as in testing. The software maker corralled a significant chunk of the world's penetration testers to help poke at Vista ahead of its release.
The software maker plans some penetration testing for Windows 7, but declined to say how much or whether it would be comparable to its Vista effort.
CNET News' Elinor Mills contributed to this report.
In Windows 7, the Windows Security Center will be replaced with the Windows Action Center
(Credit: Robert Vamosi/CNET Networks; Microsoft)Since Monday, I have been running a prebeta copy of Windows 7, the next operating system from Microsoft.
At first glance, build 6801 of Windows 7 appears very much like Windows Vista; that's because enhancements to the look and feel part of the operating system typically come late in the development process. Right now, the core programming is being set, and there are already some changes in how Windows 7 will handle computer security.
Gone is the Security Center, introduced in Windows XP SP2. Instead, there will be an "Action Center" that incorporates alerts from 10 existing Windows features: Security Center; Problem, Reports, and Solutions; Windows Defender; Windows Update; Diagnostics; Network Access Protection; Backup and Restore; Recovery; and User Account Control.
Changes to the User Account Control (UAC) may raise an eyebrow or two. While vastly unpopular in Windows Vista, the dialog boxes that pop up whenever a user tries to install new software, among other reasons, served a purpose.
In Windows 7, users can adjust consent prompt behavior using a slider control, if they have administrative privileges. Microsoft says they'll still be protected against malicious software, even if they never see another alert. I'm wondering if that's actually a bad idea: if people never see an alert, they might think nothing bad ever happens to their computer. We lose an element of user education.
Windows 7, which Microsoft unveiled at its PDC 2008 event this week, also introduces something called the Windows Filtering Platform (WFP). The idea is that third parties can take advantage of aspects of the Microsoft Windows Firewall in their own products. Microsoft says "third-party products also can selectively turn parts of the Windows Firewall on or off, enabling you to choose which software firewall you want to use and have it coexist with Windows Firewall."
I mentioned this feature to one major security vendor, which responded by saying it couldn't imagine running its product side by side with Windows Firewall. Also, if Microsoft had a compelling component in its firewall, this vendor said it would just build its own version, not use Microsoft's.
Other security features have been tweaked in the current build of the next Windows operating system. Scrollbars were removed in the configuration settings screen, as has the Software Explorer feature, and real-time protection in Windows 7 has been improved to reduce the impact on overall system performance.
Windows 7 extends BitLocker drive encryption support to removable storage devices, such as flash memory drives and portable hard drives. This means that users can keep sensitive data on all of their USB storage devices.
Biometrics enhancements include easier reader configurations, allowing users to manage the fingerprint data stored on the computer and control how they log on to Windows 7.
And System Restore includes a list of programs that will be removed or added, providing users with more information before they choose which restore point to use. Restore points are also available in backups, providing a larger list to choose from, over a longer period of time.
Returning from Windows Vista are Kernel Patch Protection, Service Hardening, Data Execution Prevention, Address Space Layout Randomization, and Mandatory Integrity Levels.
This information could change, as Microsoft nears the final build. Microsoft still expects to ship Windows 7 "within three years of Windows Vista," which means that it could be available sometime before January 2010.
- prev
- 1
- next
