Latest Flame/W32 Malware protection released in market

Speculations about the ‘most sophisticated cyber weapon yet unleashed’ especially in the middle-east has remediation, exactly interpreting Newton’s Third Law of motion “For every action there is an equal and opposite reaction”. That’s why the antivirus giants are made for..!

Flame/W32 Malware

Cyber attacks are becoming increasingly sophisticated through programs that can operate many actions remotely without being detected easily. This Notice will illustrate the function of “Worm.W32/FLAME” a malware targeting Windows based systems (XP, Vista and Windows 7), presenting an incredible set of features that would capture sensitive information and send it to remote servers for criminal, espionage or other malicious activities.

I just reviewed our antivirus protection labs online which says that we are protected with this outbreak. I confirmed to my colleagues for not to be panic as that our infrastructure running McAfee ePO - McAfee DAT protection has taken care of this virus/malware coz. we were currently running 6727 Dat ver. released yesterday. The AV & ASpyware coverage for W32/Skywiper was included in 6726 version itself.

http://www.mcafee.com/us/about/skywiper.aspx << Mcafee Labs briefings

[AV / MWG Coverage is provided in the 6726 DATs released on May 29) as "Skywiper"]

http://blogs.mcafee.com/mcafee-labs/jumping-in-to-the-flames-of-skywiper

In a nutshell: (..also read my article about - Information Security Awareness)

Spreading method

The malware spreads via networks or removable media; it may also hold different names as described in a table in the Appendix B of this document.

Risks

The most direct and immediate risk highlighted by this event is the theft of sensitive information or records. In general, the risks are multiple when considering the number of existing or upgradeable functions that this malware allows to plug-in.

Detection

Watch carefully for the presence of the following files on your system:

1. Perform a search for the file ~DEB93D.tmp. Its presence on a system means that it either is or has been infected by Flame.

2. Check the registry key HKLM_SYSTEM\CurrentControlSet\Control\Lsa\ Authentication Packages.
    If you find mssecmgr.ocx or authpack.ocx in there - you are infected with Flame.

3. Check for the presence of the following catalogs. If present - you’re infected.
    C:\Program Files\Common Files\Microsoft Shared\MSSecurityMgr
    C:\Program Files\Common Files\Microsoft Shared\MSAudio
    C:\Program Files\Common Files\Microsoft Shared\MSAuthCtrl
    C:\Program Files\Common Files\Microsoft Shared\MSAPackages
    C:\Program Files\Common Files\Microsoft Shared\MSSndMix

4. Perform a search for the following files:

svchost1ex.mof

Svchostevt.mof

frog.bat

netcfgi.ocx

authpack.ocx

~a29.tmp

rdcvlt32.exe

to961.tmp

authcfg.dat

Wpab32.bat

ctrllist.dat

winrt32.ocx

winrt32.dll

scsec32.exe

grb9m2.bat

winconf32.ocx

watchxb.sys

sdclt32.exe

scaud32.exe

pcldrvx.ocx

mssvc32.ocx

mssui.drv

modevga.com

indsvc32.ocx
comspol32.ocx
comspol32.dll

browse32.ocx

Recommendations/Risk Mitigation

The following actions will help to contain and remove the infection of the malware:

·         Patch your Windows system, office applications and instant messenger applications

·         Update your antivirus/antimalware solution

·         Specific removal tools exist as vendors have started to deploy them. From McAfee Labs stinger tools are available here.

Virus detected by AV software

The malware can have various names and here is a list below with has been identified with different naming:

Antivirus          Result

AhnLab-V3       -

AntiVir             TR/Flamer.A

Antiy-AVL        -

Avast   -

AVG     -

BitDefender    Trojan.Flame.A

ByteHero         -

CAT-QuickHeal            -

ClamAV           -

Commtouch    -

Comodo           -

DrWeb             Win32.HLLW.Flame.1

Emsisoft          Worm.Win32.Flame!IK

eSafe   -

F-Prot -

F-Secure          Trojan.Flame.A

Fortinet           -

GData Trojan.Flame.A

Ikarus Worm.Win32.Flame

Jiangmin          -

K7AntiVirus     EmailWorm

Kaspersky        Worm.Win32.Flame.a

McAfee           SkyWiper

McAfee-GW-Edition    Artemis!BDC9E04388BD

Microsoft        Worm:Win32/Flame.gen!A

NOD32            Win32/Flamer.A

Norman           -

nProtect          Worm/W32.Flame.6166528

Panda -

PCTools           Malware.Flamer

Rising -

Sophos             W32/Flame-Gen

SUPERAntiSpyware     -

Symantec        W32.Flamer

TheHacker       -

TotalDefense   -

TrendMicro     WORM_FLAMER.A

TrendMicro-HouseCall           -

VBA32             BScope.Trojan.MTA.01233

VIPRE   Worm.Win32.Flame.a

ViRobot           Worm.Win32.S.Flame.6166528

VirusBuster     -

.. more Antivirus & Antispyware
.. more Antivirus Free recommended Downloads

Windows 7 starts with a temporary profile

i'm posting the below nature of concern which we commonly noticed in our environment and was quite frustrating.
This can happen if an admin deletes the domain user profile (say xyz) from c:\users\xyz and thereafter  the same deleted user (xyz) logins to the system.

Note that if a user is logged in with a temporary  profile means that any changes he/she makes  while the user is logged in will be saved temporarily under c:\users\temp folder which also means that when the user logs off from the system the saved changes will be deleted automatically. So, unless the actual issue is resolved this vanishing pattern would remain same.

simple remediation:

ask the user to logoff again.
go to registry .. take a backup of registry values as a best practice before any modification.

select the user profile HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList  and delete the duplicate profile list as highlighted in the picture. (In one of the duplicated profilelist you can see the ProfilImagePath value set to c:\users\Temp. So, delete the profilelists related to the temp and user (in our case xyz user) profile  with extention .bak under ProfileList). 

problem should be resolved.

home made wines

VENTEJ^® GRAPE WINE RECIPE 

(RED, Greenish YELLOW, Dark Pink: varies with what colour grapes are used)

..note: this wine was purely made at my home.. one of my kitchen hobbies.. there is no cut and paste either in this recipe or in any part of this blog site.

Making homemade wine isn't as complicated as it may seem.

Yes, you can do it.!

I have been making grape wine in different flavours and distributing among friends and families for fun..!

and of course more you store, the more tastier it is..!

 The basic ground rule in wine making is keeping things clean and sterile. This is to ensure that the brew does not get contaminated with bacteria which may spoil the brew instead of allowing it to ferment.

Ingredients:
*	Fresh Red Grapes (2 Kg)	`
*	Sugar (clear white) (1 Kg for 2Kg grapes) .. if you need more sweeter wine, add more sugar.
*	Beetroot (medium sized cut to small cubes)
*	Yeast (2 Teaspoon)
*	Whole Wheat grain (2 Tablespoon). Wash and clean the grains.
*	Clean and pure Water (1 Lt)	Boiled and cooled.
*	Salt 2 table spoon	To soak and wash the grapes
Materials/ Tools Required:
*	Porcelain jar or Earthen Pot	Big enough to store 5 litters (2 kgs grapes + 1 ltr water + 1 kg sugar + 20% free space). Preferably must have a lid.
*	Wooden pestle / potato masher	Will be used to mash grapes.
*	Long wooden spoon	This should be long enough to reach the bottom of wine jar while stirring.
*	meshed filter

Steps:

1.   Firstly, make sure the jar or the container used for wine making is cleaned well and sanitized. Porcelain jars or earthen pots are ideal and the best. However, for those who cannot find a pot or jar, can go for an air tight bucket too.

2.    Boil the water for at least 5 mins. to kill any bacteria or germs in it. Let it cool down. Leave it until room temperature before you can use it.

3.     Take a large bowl filled with lukewarm water. Mix with 2 table spoon Salt. Put the bunch of grapes in the bowl. Let it remain soaked for 15 mins. This will kill the worms, germs and dirt if any. Now rinse thoroughly and drain the salty water. Rinse again with clean water and drain water completely. Allow it to dry off the excess water. Now remove the grapes from the bunch one-by-one and put it in the wine jar.

4.     Mash the grapes with a potato masher or wooden pestle/ spatula (if you don't have masher just chop it in a mixer-blender). Rupture the grapes. There's no need to remove the skins first. 

5.   Add sugar to the jar and stir with wooden spoon (preferably) for a couple of mins. No need to dissolve completely. Then add yeast. (better if yeast is prepared by dissolving the yeast powder in lukewarm water). Stir again. [Sugar proportion may be slightly varied depending on individuals taste]

Why wooden spoon? Bacteria grow faster on plastic and metal spoons. Wooden spoons are biodegradable and they tend to be a good shape for stirring!

6.    Add wheat grains and beetroot cubes (The fermentation patterns of beetroot are remarkable and will add natural red colour to your wine. The wheat contains starch which undergo fermentation to give maltose)

7.     Fill the remaining space in the wine jar with water (1 lt; as per the measurement mentioned under ingredients). Stir again. A couple of stir will do. Cover the jar with cotton cloth and tight with lid. Now store in dark and dry place.

8.     Place the jar in a dark place. 2^nd day and there after everyday either morning or evening open the lid carefully and slowly. Stir evenly the contents using wooden spoon. Ensure the spoon is 100% clean and dry every time you stir. Continue this process for 21 days. [If it's winter season 21 days is required. However, for summer season 15days is sufficient for fermentation. There will be no air bubbles on the top. This indicates that the wine is ready to be strained].

9.      On the 22^nd day filter the brew: Strain the wine into another container using fine meshed filter. Finally, pour into dark coloured glass bottles (close tightly with a cork; if available) and store it.

The older the stored wines, the better it tastes and stronger it becomes!!

Tips:

i)              Sour grapes make sweet wine.   Wine colour may vary with different grapes. Beetroot; apart from its fermentation power will release more reddish colour. If you are using green grape avoid adding beetroot, this way you get greenish yellow wine. Add the below spices on day 1 of fermentation if you need  added flavour.

ii)             Optionally you may add 1 small cinnamon stick  OR 1-2 cardamoms  OR 1-2 cloves for varying flavours..!. For natural grape wine flavour no need to add the above spices. However, if you want to bottle wines in different flavours try adding those spices during the fermentation stage.

iii)          To the sieved solution, and before storing into bottles, add sugar caramel (more sugar means more sweetness) and let it set for another 2 weeks. Do not open the jar during this period. The sugar caramel solution is added for extra color and sweetness.

Enjoy drinking something made at home, easier and cheaper.

posting soon.. VENTEJ® GINGER WINE WITH CARAMELIZED SUGAR RECIPE

Three-Tier SharePoint 2010 Architecture

-  Uninterrupted SharePoint 2010 Farm

-  Scalable SharePoint Farm 

-  wfe cluster scalable upto 32 nodes

-  High availability SharePoint 2010 Farm

-  SharePoint 2010 Fail-over Farm

I had a great time during the migration process from MOSS 2007 (2-Tier) to SharePoint 2010 (3-Tier) architectural transition.
..migration was completed in April 2012.

Three-Tier SharePoint 2010 Architecture

network diagram showing 3-Tier SharePoint 2010 Farm: web front-end layer, application layer and database layer. The above architecture was successfully designed, tested and implemented by me.

The above scenario is scalable and highly available systems reliably provides an acceptable level of service with minimal downtime and finally easy to manage & maintain during patch management schedules.

Our aim was to:

* verify that each web request (http port 80) were distributed automatically to the available cluster WFE servers. .yes that’s how it works..!
* Shutdown WFE02 and make sure there is minimal downtime and automatic load distribution.. yes in case of abrupt failure of 1 web front end node, clients notices fraction of seconds delay in web response time however redundancy works magnificently as expected..! we will have sufficient time to plan and rebuild the failed server in such scenarios.

* Shutdown application layer and see if the intranet works uninterrupted... yes intranet works still uninterrupted..! coz.. 'Microsoft SharePoint Foundation Web Application' service runs only on WFE servers. Two other services which we enabled on wfe servers are: i) 'Search Query and Site Settings Service ' and ii) 'SharePoint Server Search' services.

* Shutdown Active SQL server and see if the Passive SQL server takes over or not.. yes it works..!

* Performance was superb..!

Three-Tier SharePoint 2010 Architecture 

showing uninterrupted farm in the event of multiple failures

network diagram showing 3-Tier SharePoint 2010 Farm with fail-over scenarios

microsoft reference

I have explained in my blog quick clustering steps for SQL 2008 R2 cluster and fail-over farm including best practices.

next steps:

our next step is to setup disaster recovery site and setup a test and development intranet environment.

so we have to scrap the existing disaster recovery intranet site and upgrade the architecture from 32bit to 64 bit OS.. from Server 2003 to Server 2008 R2 Enterprise and SQL 2005 32bit to SQL 2008 R2 64bit Enterprise edition environment and then upgrade Microsoft Office SharePoint Server (MOSS 2007) to SharePoint 2010. And finally start real-time replication from production farm to the disaster recovery farm.

currently we are using DocAve from AvePoint for real-time replication of SharePoint portal.

we can also achieve this directly from SQL DB replication technology, either via log-shipping or mirroring. however we will test this as the current databases are huge. ..I will shortly scribble the procedure while accomplishing this task

where can you find saved documents which was directly edited from email attachments?

retrieve missing saved documents:

If you open email attachment and then edit that file directly and save it, the file by default stores under temporary cached location.

for windows 7: locate the file at C:\Users\{authenticated username}\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\

for XP: C:\Documents and Settings\{authenticated username}\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\

Check the file by sorting the date. It should be there.

Best Practice: SharePoint 2010 - Take advantage of using Network Load Balancing (NLB)

Enhance performance of the application tier (WFE) servers by fine tuning NLB

You can specify that a filtering mode apply to a numerical range of ports. You do this by defining a port rule with a set of configuration parameters that define the filtering mode. Each rule consists of the following configuration parameters:

The virtual IP address that the rule should be applied.

The TCP or UDP port range for which this rule should be applied.

The protocols for which this rule should apply, including TCP, UDP, or both.

The filtering mode that specifies how the cluster handles traffic described by the port range and protocols. In addition, you can select one of three options for client affinity: None, Single, and Class C. Single and Class C are used to ensure that all network traffic from a particular client be directed to the same cluster host. In order to allow Network Load Balancing to properly handle IP fragments, you should avoid using None when selecting UDP or Both for your protocol setting. Also the rules entered on each host in the cluster must have matching cluster IP addresses, port ranges, protocol types, and filtering modes.

Reference: http://technet.microsoft.com/en-us/library/cc778263(v=ws.10).aspx

Network Load Balancing references the dedicated IP address only when a single network adapter is used to handle both client-to-cluster traffic and other network traffic that must go specifically to the dedicated IP address. Network Load Balancing ensures that all traffic to the dedicated IP address is unaffected by the Network Load Balancing current configuration, including:

When this host is running as part of the cluster

When Network Load Balancing is disabled due to parameter errors in the registry

Typically, both the dedicated IP address and the cluster IP address, entered during setup in the Network Load Balancing Properties dialog box, must also be entered in the Internet Protocol (TCP/IP) Properties dialog box. Make sure that the addresses are the same in both places (in fact cluster ip address is automatically added to all cluster servers at the time of NLB convergence)

Reference:  http://technet.microsoft.com/en-us/library/cc778263(v=ws.10).aspx

Multicast support is not enabled by default. To enable it, see Enable multicast support. However, if you do not enable multicast support, you are advised to consider using at least two network adapters (with one network adapter dedicated to handling client-to-cluster traffic) in order to achieve optimum performance and the full range of networking functionality. For more information, see Multiple network adapters and Optimizing network performance

Reference: http://technet.microsoft.com/en-us/library/cc778263(v=ws.10).aspx

following article specifies the IIS response to Load-Balanced Application Pool Behaviours

http://technet.microsoft.com/en-us/library/cc757659(v=WS.10).aspx

following article specifies the Best Practices used for configuring NLB.

http://technet.microsoft.com/en-us/library/cc740265(v=ws.10).aspx

Network Load Balancing at its best for SharePoint 2010

Configuring NLB for SharePoint 2010 

The concept behind Network Load Balancing is pretty simple: Each server in a Load Balancing Cluster is configured with a 'virtual' IP address. This IP address is configured on all the servers that are participating in the load balancing 'cluster' (a loose term that's unrelated to the Microsoft Cluster Service). Whenever a request is made on this virtual IP a network driver on each of these machines intercepts the request for the IP address and re-routes the request to one of the machines in the Load Balancing Cluster based on rules that you can configure for each of the servers in the cluster. Microsoft this process Network Load Balancing (NLB). Figure 1 shows how the process works graphically.

A network load balancing cluster routes requests to a single virtual IP to available servers in the load balancing cluster. Note that each machine is self-sufficient and runs independent of the others duplicating all of the resources on each server. The database sits on a separate box(es) accessible by all servers.

actually no need to configure a heart-beat adapter address for NLB. Single adapter is enough with an IP address on each server which can be part of your server LAN address. Importantly make sure that if your network switch is multicast enabled then the NLB Cluster mode needs to be in multicast mode or else the communication will be interrupted. If multicast is not enabled on switch, opt for unicast cluster mode in NLB.

out of umpteen blogs I referred, let me share few of the helpful blogs which I felt had acted upon and suited our infrastructure without much hassles.. 

reference 1

video ref 2
reference 3
reference 4
reference 5

- make sure you configure port rules on NLB for better performance.

- configure perfmon to verify the load on each cluster web front end servers.

Best Practice: SharePoint 2010
Three-Tier-SharePoint-2010-Architecture