Tag Archives: Digital Crimes Unit

Realmadrid App for passionate fans, tools to fight human trafficking and new research to keep data safe in the cloud – Weekend Reading: May 22nd edition

Welcome to another edition of Weekend Reading. Microsoft technology and employees played big roles in many ways this week, from powering the passion of soccer fans to building a “lockbox in the cloud” to connecting students thousands of miles apart. Before you start your holiday weekend, take a quick spin through the news.

Microsoft and Real Madrid C.F. continued their technological revolution of futbol and the club with the release of the Realmadrid App, a new way for the club’s 450 million passionate, global fans to connect with their favorite team.

Built on the Microsoft Cloud platform, the app features multi-angle match viewing, fan competitions, game replays, comprehensive player and team stats, and lots more.

“The new app truly empowers the fans’ passion no matter where they are in the world,” writes Orlando Ayala, Microsoft chairman and corporate vice president of Emerging Businesses. Part of a vision to digitally transform the sports industry, the app is available for Windows Phone, iOS and Android.

Microsoft technology also has a key role in a completely different arena: combatting human trafficking. Arthur Thomas (A.T.) Ball, Microsoft’s managing director of Public Safety and National Security in Asia, highlighted the company’s efforts to “help disrupt the global scourge of human trafficking.”

The efforts include the work of the Microsoft Digital Crimes Unit and PhotoDNA, an image-matching technology that helps find known child exploitation images online so that the victims in them can be identified and rescued.

It was a big week for Microsoft researchers, who debuted their “lockbox in the cloud,” a new system that keeps data protected in the cloud even while computations are being run on it.

The new technology, called Verifiable Confidential Cloud Computing or VC3, gives an extra layer of security to companies that safeguard very sensitive information, such as financial data or personal records. The project was presented Monday at the IEEE Symposium on Security and Privacy.

Have a giant to-do list? Good thing Office is continuing its transformation into a cross-platform, cross-device solution to help you get more done. The Preview of Office apps for Android phones debuted this week, combining the familiar look and quality of Office with a touch-friendly design for Android phones.

Word, Excel and PowerPoint documents open and render beautifully, and navigation is easy for on-the-go reading, reviewing and editing.

Microsoft’s new Tech Talent for Good program again lived up to its name, when a group of Microsoft employees used their tech skills to support troops and their families at a recently remodeled USO center at Seattle-Tacoma International Airport.

The employees prepped 20 Surface tablets with updated software and apps for the center, so soldiers, sailors and their families can use them at the airport while traveling. Being able to email, Skype with a loved one, or play “Call of Duty” and “Minecraft” helps ease the journey.

Skype in the Classroom also helped connect people thousands of miles apart. Independent journalist Anna Therese Day helped students on the Pacific island of Kiribati Skype with students in Seattle, while reporting on the impact of climate change on the island’s future.

Timid at first, the Kiribati students sang songs in English and talked about their chores, which included feeding the pigs. That prompted one Seattle boy to exclaim, “You guys get to have pigs?!”

In app and game news (besides the Realmadrid App), visual stunner “The Witcher 3: Wild Hunt” became available for Xbox One. The new Salesforce App for Outlook became available for free. And this week’s Red Stripe Deals went old-school, with discounts for “Dragon’s Lair,” a flashback to the ‘80s arcade game, and “Final Fantasy III,” whose first title dates back to the early ‘90s.

Finally, on our global adventure to find people who #DoMore on the Microsoft Instagram page, we met Jeremy Lacy, the artist behind Downshift Studio, a collection of motorcycle and car concept designs he creates with the help of a Surface Pro 3.

Thanks for reading and we’ll see you next week!

Posted by Vanessa Ho
Microsoft News Center Staff

Microsoft takes on global cybercrime epidemic in tenth malware disruption

The following post is from Richard Domingues Boscovich, Assistant General Counsel, Microsoft Digital Crimes Unit.


Playing offense against cybercriminals is what drives me and everyone here at the Microsoft Digital Crimes Unit. Today, Microsoft has upped the ante against global cybercrime, taking legal action to clean up malware and help ensure customers stay safer online. In a civil case filed on June 19, Microsoft named two foreign nationals, Mohamed Benabdellah and Naser Al Mutairi, and a U.S. company, Vitalwerks Internet Solutions, LLC (doing business as No-IP.com), for their roles in creating, controlling, and assisting in infecting millions of computers with malicious software—harming Microsoft, its customers and the public at large.

We’re taking No-IP to task as the owner of infrastructure frequently exploited by cybercriminals to infect innocent victims with the Bladabindi (NJrat) and Jenxcus (NJw0rm) family of malware. In the past, we’ve predominantly seen botnets originating in Eastern Europe; however, the authors, owners and distributors of this malware are Kuwaiti and Algerian nationals. These social-media-savvy cybercriminals have promoted their wares across the Internet, offering step-by-step instructions for taking complete control of millions of unsuspecting victims’ computers in order to commit crimes, demonstrating that cybercrime is indeed a global epidemic.

Free Dynamic DNS is an easy target for cybercriminals

Dynamic DNS (Domain Name System) is essentially a method of automatically updating a host’s entry in the Internet’s address book whenever its IP address changes, and it is a vital part of the Internet. However, if not properly managed, a free Dynamic DNS service like No-IP can become one of the most abused sources of domains on the Internet. Of the 10 global malware disruptions in which we’ve been involved, this action has the potential to be the largest in terms of infection cleanup. Our research revealed that, out of all Dynamic DNS providers, No-IP domains are used 93 percent of the time for Bladabindi-Jenxcus infections, which are the most prevalent among the 245 different types of malware currently exploiting No-IP domains. Microsoft has seen more than 7.4 million Bladabindi-Jenxcus detections over the past 12 months, a figure that does not include detections by other anti-virus providers. Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or to help keep its domains safe from malicious activity.

For a look at how cybercriminals leverage services like No-IP, and advice for customers to help ensure a safer online experience, please see the graphic below.

Microsoft legal and technical actions

On June 19, Microsoft filed for an ex parte temporary restraining order (TRO) from the U.S. District Court for Nevada against No-IP. On June 26, the court granted our request and made Microsoft the DNS authority for the company’s 23 free No-IP domains, allowing us to identify and route all known bad traffic to the Microsoft sinkhole and classify the identified threats. The new threat information will be added to Microsoft’s Cyber Threat Intelligence Program (CTIP) and provided to Internet Service Providers (ISPs) and global Computer Emergency Response Teams (CERTs) to help repair the damage caused by Bladabindi-Jenxcus and other types of malware. The Microsoft Digital Crimes Unit worked closely with Microsoft’s Malware Protection Center to identify, reverse engineer and develop a remedy for the threat to clean infected computers. We also worked with A10 Networks, leveraging Microsoft Azure, to configure a sophisticated system to manage the high volume of computer connections generated by botnets such as Bladabindi-Jenxcus.

As malware authors continue to pollute the Internet, domain owners must act responsibly by monitoring for and defending against cybercrime on their infrastructure. If free Dynamic DNS providers like No-IP exercise care and follow industry best practices, it will be more difficult for cybercriminals to operate anonymously and harder to victimize people online. Meanwhile, we will continue to take proactive measures to help protect our customers and hold malicious actors accountable for their actions.

This is the third malware disruption by Microsoft since the November unveiling of the Microsoft Cybercrime Center—a center of excellence for advancing the global fight against cybercrime. This case and operation are ongoing, and we will continue to provide updates as they become available. To stay up to date on the latest developments on the fight against cybercrime, follow the Microsoft Digital Crimes Unit on Facebook and Twitter. Microsoft provides free tools and information to help customers clean and regain control of their computers at www.microsoft.com/security.
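The following Python is an added example, not code from Microsoft, No-IP or the operation described above. It sketches the selective sinkhole the post describes: a responder that has become authoritative for a set of free dynamic-DNS parent zones answers known-bad hostnames with a sinkhole address, passes every other name under those zones back to the provider, and records victim source addresses for the kind of ISP and CERT notification feeds mentioned above. The five zones, the two known-bad hostnames and the query-log lines are all constructed for the example (the zones are not the 23 named in the court order), and a last function counts what a naive whole-zone sinkhole would wrongly capture, which is the collateral risk of taking over a zone that legitimate customers share.

```python
"""Selective sinkholing of free dynamic-DNS zones.

Added example, not Microsoft's or No-IP's code. A responder that has become
authoritative for a set of free dynamic-DNS parent zones answers known-bad
hostnames with a sinkhole address, passes every other name under those
zones back to the provider, and records victim source IPs for notification.
Zone list, bad hostnames and log lines are constructed for this example.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Assumption: a few free No-IP parent zones. Not the 23 zones in the court order.
SEIZED_ZONES = ("no-ip.org", "no-ip.biz", "zapto.org", "hopto.org", "ddns.net")
SINKHOLE_IP = "192.0.2.53"           # RFC 5737 documentation address, stands in for the sinkhole
PROVIDER_NS = "provider-upstream"    # label for answers handed back to the provider

# Constructed: hostnames as if extracted from reverse-engineered C2 configs.
KNOWN_BAD = {"rat-c2-1.no-ip.org", "update-srv.zapto.org"}

# Constructed query log: "<timestamp> <source ip> query <qtype> <qname>"
SAMPLE_LOG = """\
2014-06-26T10:00:01Z 203.0.113.7 query A rat-c2-1.no-ip.org
2014-06-26T10:00:02Z 203.0.113.8 query A rat-c2-1.no-ip.org
2014-06-26T10:00:03Z 198.51.100.4 query A home-cam.hopto.org
2014-06-26T10:00:04Z 203.0.113.7 query A update-srv.zapto.org
2014-06-26T10:00:05Z 198.51.100.9 query A www.example.com
2014-06-26T10:00:06Z 203.0.113.7 query AAAA RAT-C2-1.no-ip.org
""".splitlines()

LOG_RE = re.compile(r"^(\S+) (\S+) query (AAAA|A) (\S+)$")


@dataclass
class SinkholeStats:
    sinkholed: Counter = field(default_factory=Counter)  # bad hostname -> query count
    passed_through: int = 0   # legitimate names under a seized zone
    other_zone: int = 0       # names we are not authoritative for


def parent_zone(hostname):
    """Return the seized parent zone a hostname falls under, or None.

    Matching is on label boundaries, so 'notddns.net' does not match 'ddns.net'.
    """
    h = hostname.lower().rstrip(".")
    for zone in SEIZED_ZONES:
        if h == zone or h.endswith("." + zone):
            return zone
    return None


def resolve(hostname, stats):
    """Answer one query the way a selective sinkhole should.

    DNS names are case-insensitive, so the lookup is done on the lowercased name.
    """
    zone = parent_zone(hostname)
    if zone is None:
        stats.other_zone += 1
        return ("not-authoritative", None)
    name = hostname.lower().rstrip(".")
    if name in KNOWN_BAD:
        stats.sinkholed[name] += 1
        return ("sinkhole", SINKHOLE_IP)
    stats.passed_through += 1
    return ("pass-through", PROVIDER_NS)


def process_log(lines):
    """Run the query log through the sinkhole; return stats and victim IPs per C2 name."""
    stats = SinkholeStats()
    victims = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue              # malformed line: skip rather than guess
        _ts, src, _qtype, qname = m.groups()
        verdict, _answer = resolve(qname, stats)
        if verdict == "sinkhole":
            victims.setdefault(qname.lower().rstrip("."), set()).add(src)
    return stats, victims


def collateral_if_naive(lines):
    """Queries a whole-zone sinkhole would wrongly capture.

    A naive responder that answers every name under a seized zone with the
    sinkhole address breaks the provider's legitimate customers; this counts them.
    """
    count = 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and parent_zone(m.group(4)) and m.group(4).lower() not in KNOWN_BAD:
            count += 1
    return count


if __name__ == "__main__":
    stats, victims = process_log(SAMPLE_LOG)
    print("sinkholed:", dict(stats.sinkholed))
    print("passed through:", stats.passed_through, "not ours:", stats.other_zone)
    print("victim IPs:", {k: sorted(v) for k, v in victims.items()})
    print("collateral under a whole-zone sinkhole:", collateral_if_naive(SAMPLE_LOG))
```

The pass-through branch is the whole point of taking over a shared zone rather than simply pointing it at the sinkhole: the seized zones carry legitimate customers, so anything not on the known-bad list has to keep resolving as the provider would have resolved it, and the responder has to be provisioned for the provider's full query volume, not just the botnet's.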

Editor’s Note: This blog post was updated with the following new information at 8 a.m. on July 9:

On Monday, June 30, Microsoft filed a civil suit in a Nevada federal court to disrupt Bladabindi-Jenxcus, a pervasive family of malware that put millions of customers at risk.

Today both Microsoft Corporation and Vitalwerks Internet Solutions, LLC announce they have reached a settlement in the matter of Microsoft Corporation v. Mutairi, et al.

Microsoft has reviewed the evidence provided by Vitalwerks and enters into the settlement confident that Vitalwerks was not knowingly involved with the subdomains used to support malware. Those spreading the malware abused Vitalwerks’ services.

Microsoft identified malware that had escaped Vitalwerks’ detection. Upon notification and review of the evidence, Vitalwerks took immediate corrective action allowing Microsoft to identify victims of this malware. The parties have agreed to permanently disable Vitalwerks subdomains used to control the malware.

In the process of redirecting traffic to its servers for malware detection, Microsoft acknowledges that a number of Vitalwerks customers were impacted by service outages as a result of a technical error. Microsoft regrets any inconvenience these customers may have experienced.

Microsoft helps FBI in GameOver Zeus botnet cleanup

The following post is from Richard Domingues Boscovich, Assistant General Counsel, Microsoft Digital Crimes Unit.


Following Monday’s multi-national action against the GameOver Zeus botnet, we’re pleased to announce that Microsoft, working closely with the FBI and industry partners, has taken action to remove malware, so that infected computers can no longer be used for harm.

GameOver Zeus, a variant of the Zeus (or Zbot) family of malware, is a highly prevalent password-stealing trojan, according to the Microsoft Security Intelligence Report. Dell SecureWorks Counter Threat Unit reports that it was the most active banking trojan of 2013. However, the impact of GameOver Zeus is not limited to the financial industry; nearly all major business and public sector organizations are affected. Security researchers estimate that between 500,000 and 1 million computers worldwide are infected, and the FBI estimates that GameOver Zeus is responsible for more than $100 million in losses.

The FBI-led legal action and the private-sector-led technical action against GameOver Zeus have taken down a portion of the command-and-control (C&C) infrastructure, including domains generated by the malware and registered by the cybercriminals. In this operation, codenamed b157, the FBI seized the registered domains. Unlike some of its previous actions, Microsoft did not file a civil action in this matter. And unlike most botnets, which rely on centralized C&C servers, GameOver Zeus uses a peer-to-peer (P2P) network for command and control, making it decentralized, more elusive and more resilient than its predecessors.

Microsoft’s role in this technical action was to analyze the P2P network and develop a cleaning solution. Through an additional feed from the Shadowserver Foundation, we are also able to augment our visibility into the number of impacted IP addresses that feed into Microsoft’s Cyber Threat Intelligence Program (CTIP), and to work closely with global Computer Emergency Response Teams (CERTs) and Internet service providers (ISPs) to help owners of compromised computers regain control of their systems. Based upon these actions, it is anticipated that the cybercriminals’ business model will be disrupted and they will be forced to rebuild their criminal infrastructure. More importantly, victims of GameOver Zeus have been, and will continue to be, notified and their infected computers cleaned to prevent future harm.

This is the second botnet operation by Microsoft since the Nov. 14 unveiling of the new Microsoft Cybercrime Center – a center of excellence for advancing the global fight against cybercrime – and marks Microsoft’s ninth involvement in a botnet operation. Similar to Microsoft’s December 2013 ZeroAccess botnet case, GameOver Zeus is part of a cooperative effort with industry partners and law enforcement to take out cybercriminal networks to ensure that people worldwide can use their computing devices and services with confidence.

[Image: sample GameOver Zeus phishing email]

About GameOver Zeus

GameOver Zeus is spread through drive-by downloads, where the cybercriminals set up a website that exploits the browser or its plug-ins to install the malware on any unprotected computer that visits the site. It is also distributed through the Cutwail spam botnet via phishing: cybercriminals send counterfeit emails that appear to be legitimate communications from well-known businesses and organizations. These deceptive emails use realistic language to entice the recipient to click a link or open an attachment, which ultimately deploys GameOver Zeus on the victim’s computer. Once installed, the malware begins keylogging when the user types into the Web browser, unwittingly giving cybercriminals access to passwords and private account information. The infected computer sends the stolen data to the botnet’s C&C infrastructure, where it is stored for later use by the criminals.

GameOver Zeus shares many properties with Zeus, such as logging keystrokes to steal banking credentials, but it also comes packaged with functions that let it launch distributed denial-of-service (DDoS) attacks against financial institutions. Variants have allowed GameOver Zeus to circumvent perimeter security, including firewalls, web filters and network intrusion detection systems, by delivering its executable in encrypted form so that it is not recognizable as an .EXE until it is decrypted on the victim’s machine. GameOver Zeus also uses a technique known as “web injects,” which modifies the HTML of a target website inside the victim’s browser, inserting additional form fields to dupe the victim into entering sensitive information beyond standard banking credentials. In addition to financial institutions, GameOver Zeus has deployed web injects targeting department stores, social networking sites and webmail services. Most recently, a variant has been targeting job seekers and recruiters by attempting to steal log-in credentials for popular job search sites. Unlike earlier Zeus-derived kits such as ICE IX, SpyEye and Citadel, GameOver Zeus has not been marketed and offered for sale publicly.
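The following Python is an added example, not GameOver Zeus’s own code. It implements the web-inject mechanism just described and the check a site owner can run against it. The rule syntax follows the Zeus-family “webinjects” configuration format (set_url / data_before / data_after / data_inject / data_end) as publicly documented; that format, the semantics of an empty data_after, the bank login page, the inject rule and the expected-field table are all assumptions constructed for this example.

```python
"""Zeus-style web injects and a defender-side check for injected fields.

Added example, not GameOver Zeus code. The rule syntax below follows the
publicly documented Zeus 'webinjects' format (set_url / data_before /
data_after / data_inject / data_end) as an assumption about that format;
the login page, the rule and the expected field list are constructed.
"""
import fnmatch
import re
from html.parser import HTMLParser

# Constructed rule: on any bank.example login page, add PIN and SSN fields
# right after the password field. An empty data_after means "insert after
# data_before"; a non-empty one means "replace everything in between".
INJECT_RULES = """\
set_url https://bank.example/login* GP
data_before
<input type="password" name="passwd">
data_end
data_after
data_end
data_inject
<input type="text" name="pin" placeholder="ATM PIN">
<input type="text" name="ssn" placeholder="SSN">
data_end
"""

# Constructed login page as the bank actually serves it.
SERVED_HTML = """<html><body>
<form action="/login" method="post">
<input type="text" name="user">
<input type="password" name="passwd">
<button>Sign in</button>
</form>
</body></html>"""

# Constructed: the form fields the site is known to serve, per URL.
EXPECTED_FIELDS = {"https://bank.example/login": {"user", "passwd"}}

SECTIONS = ("data_before", "data_after", "data_inject")


def parse_rules(text):
    """Parse set_url blocks into dicts; flags (G/P/L in Zeus) are kept, not interpreted."""
    rules, cur, section, buf = [], None, None, []
    for line in text.splitlines():
        if line.startswith("set_url "):
            if cur:
                rules.append(cur)
            _kw, url, *flags = line.split()
            cur = {"url": url, "flags": "".join(flags), **{s: "" for s in SECTIONS}}
        elif line in SECTIONS:
            section, buf = line, []
        elif line == "data_end" and section:
            cur[section] = "\n".join(buf)
            section = None
        elif section is not None:
            buf.append(line)
    if cur:
        rules.append(cur)
    return rules


def _pattern(text):
    """Turn a data_* string with '*' wildcards into a regex."""
    return re.compile(".*?".join(re.escape(p) for p in text.split("*")), re.S)


def apply_injects(url, html, rules):
    """Rewrite html as the malware would for a page loaded from url."""
    for rule in rules:
        if not fnmatch.fnmatch(url, rule["url"]):
            continue
        start = 0
        if rule["data_before"]:
            m = _pattern(rule["data_before"]).search(html)
            if not m:
                continue
            start = m.end()
        end = start
        if rule["data_after"]:
            m = _pattern(rule["data_after"]).search(html, start)
            if not m:
                continue
            end = m.start()
        html = html[:start] + rule["data_inject"] + html[end:]
    return html


class _InputCollector(HTMLParser):
    """Collect the name attributes of <input> tags in document order."""
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            name = dict(attrs).get("name")
            if name:
                self.names.append(name)


def input_names(html):
    parser = _InputCollector()
    parser.feed(html)
    return parser.names


def unexpected_fields(url, html):
    """Defender check: input names present in the DOM but absent from the known schema."""
    expected = EXPECTED_FIELDS.get(url, set())
    return sorted(n for n in input_names(html) if n not in expected)


if __name__ == "__main__":
    url = "https://bank.example/login"
    injected = apply_injects(url, SERVED_HTML, parse_rules(INJECT_RULES))
    print(injected)
    print("served page, unexpected:", unexpected_fields(url, SERVED_HTML))
    print("injected page, unexpected:", unexpected_fields(url, injected))
```

Two things to take from the check: the injected fields are invisible to the server (it never sent them, and TLS does not help because the rewrite happens after decryption, inside the browser), and a comparison like unexpected_fields is only trustworthy when the DOM snapshot is taken from a vantage point the malware does not control, since a man-in-the-browser can patch in-page JavaScript just as easily as it patches the form.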

This case and operation are ongoing, and we will continue to provide updates as they become available. To stay up to date on the latest developments on the fight against cybercrime, follow the Microsoft Digital Crimes Unit on Facebook and Twitter.

Visit http://support.microsoft.com/gp/cu_sc_virsec_master for detailed instructions on how to remove the GameOver Zeus trojan using malware removal or anti-virus software as quickly as possible.