Bifrose.FPB a new variant of Info-stealer Bifrose actively spreading in the wild

The Dell SonicWALL Threats Research team observed reports of a Bifrose bot family, detected as GAV: Bifrose.FPB_5, actively spreading in the wild. This is a new variant of the well-known Bifrose backdoor, which connects to a remote IP address using TCP port 81 or a random port.

Bifrose has been around for many years now, highly available in the cybercriminal underground, and has been used for various cybercriminal activities.

Bifrose allows an attacker to access the computer and perform various actions, including:

  • Enumerate current processes

  • Install a keylogger

  • Install a backdoor command shell

  • Manipulate files or registry key data

  • Retrieve installed program details

  • Bypass the Windows Firewall

Infection Cycle:

MD5: a9e403e3e341e1763a6e2114a4dfb3ac

The malware uses the following icon:

The malware adds the following files to the system:

  • %Userprofile%\Local Settings\Temp\dosya1.txt

  • %Userprofile%\Local Settings\Temp\dosya2.txt

  • %Userprofile%\Local Settings\Temp\Dosya1.exe

  • %Userprofile%\Local Settings\Temp\Dosya2.exe

  • "%Userprofile%\Local Settings\Temp\Trojan.exe"

  • C:\Program Files\Bifrost\chrome.exe

The malware adds the following keys to the Windows registry to ensure persistence upon reboot:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData

    • %Userprofile%\Local Settings\Temp\Dosya1.exe

  • HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{C7668D2A-5DED-1927-2D46-C169B557CC3B}\stubpath

    • C:\Program Files\Bifrost\chrome.exe s

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2

    • "%Userprofile%\Local Settings\Temp\Trojan.exe"

The malware modifies the registry to bypass the Windows Firewall via the following keys:

  • HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Userprofile%\Local Settings\Temp\Trojan.exe

    • %Userprofile%\Local Settings\Temp\Trojan.exe:*:Enabled:Trojan.exe
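The persistence and firewall-exception keys above are the kind of indicators a host triage script can check for. The following Python is an added example, not SonicWALL's code and not part of the original write-up: it parses a registry export in the text format that `reg export` writes, then flags Run values launched from a Temp directory, Run values with hash-like names, Active Setup StubPath entries outside the Windows directory, and Windows Firewall AuthorizedApplications entries that whitelist a Temp executable. The export text is constructed from the indicators listed above; the OneDrive and Firefox entries are assumed benign controls.

```python
import re
from collections import defaultdict

# Constructed sample in the format written by "reg export", populated with the
# Bifrose indicators described on this page plus two benign control entries
# (an OneDrive Run value and a Firefox firewall exception). Not from a real host.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"5cd8f17f4086744065eb0992a09e05a2"="\"%Userprofile%\\Local Settings\\Temp\\Trojan.exe\""
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C7668D2A-5DED-1927-2D46-C169B557CC3B}]
"StubPath"="C:\\Program Files\\Bifrost\\chrome.exe s"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%Userprofile%\\Local Settings\\Temp\\Trojan.exe"="%Userprofile%\\Local Settings\\Temp\\Trojan.exe:*:Enabled:Trojan.exe"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"=<data>; names may contain escaped quotes and backslashes
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

RUN_KEY_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run"
ACTIVE_SETUP = "\\microsoft\\active setup\\installed components\\"
FIREWALL_LIST = "\\firewallpolicy\\standardprofile\\authorizedapplications\\list"
TEMP_MARKERS = ("\\local settings\\temp\\", "\\appdata\\local\\temp\\", "%temp%")
TRUSTED_STUB_PREFIXES = ("c:\\windows\\", "%systemroot%", "%windir%", "regsvr32", "rundll32")


def _unescape(text):
    """Undo .reg escaping: a backslash escapes the character that follows it."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(text):
    """Return {key_path: {value_name: string_data}} for the REG_SZ values of an export."""
    keys = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys[current]  # register the key even if it carries no string values
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            data = value.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                keys[current][_unescape(value.group(1))] = _unescape(data[1:-1])
    return dict(keys)


def _from_temp(path):
    p = path.lower()
    return any(marker in p for marker in TEMP_MARKERS)


def find_persistence_indicators(keys):
    """Flag Run entries, Active Setup stubs and firewall exceptions matching the
    behaviour described above. Each finding is (rule, key, value_name, data)."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith(RUN_KEY_SUFFIX):
            for name, data in values.items():
                if _from_temp(data):
                    findings.append(("run-value-launches-from-temp", key, name, data))
                if re.fullmatch(r"[0-9a-f]{32}", name):
                    findings.append(("run-value-hash-like-name", key, name, data))
        elif ACTIVE_SETUP in k:
            stub = values.get("StubPath")
            # Legitimate stubs live under the Windows directory or call regsvr32/rundll32;
            # anything else deserves a manual look rather than an automatic verdict.
            if stub and not stub.lower().lstrip('"').startswith(TRUSTED_STUB_PREFIXES):
                findings.append(("active-setup-stub-outside-windows", key, "StubPath", stub))
        elif k.endswith(FIREWALL_LIST):
            for name, data in values.items():
                if ":*:enabled:" in data.lower() and _from_temp(name):
                    findings.append(("firewall-exception-for-temp-exe", key, name, data))
    return findings


if __name__ == "__main__":
    for finding in find_persistence_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(" | ".join(finding))
```

On a live host the same checks would be run against `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and the other two keys; the Active Setup rule in particular is a review prompt, since some legitimate installers also register stubs under Program Files.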

The malware uses an injected Explorer.exe and IExplore.exe to send packets to its own C&C server, and after some time it terminates its own process.

After that, the malware enumerates all processes on the target machine; here is an example:

Command and Control (C&C) Traffic

Bifrose carries out its C&C communication over ports 81 and 1979. It sends requests to statically defined IPs/domains on a regular basis. The malware sends a TCP request to the C&C servers containing information such as the infected machine's computer name, operating system version and install date; here is an example:
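Two things in the description above are detectable on the endpoint: the bot injects into Explorer.exe/IExplore.exe to talk to its server, and it contacts statically defined addresses on a regular basis. The following Python is an added example (not SonicWALL's code) that runs over constructed Sysmon Event ID 3 (network connection) records: it flags the injection hosts connecting to ports 81 or 1979, and separately flags any (process, destination, port) group that connects at near-constant intervals, which also covers the random-port case where the port rule alone would miss the beacon. The record contents, hosts and addresses are invented; the jitter threshold is an assumption.

```python
import json
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed Sysmon Event ID 3 records as JSON lines, using Sysmon's field
# names; timestamps, images and addresses are invented for this example.
SAMPLE_EVENTS = r'''
{"UtcTime": "2015-02-13 10:00:00.000", "Image": "C:\\Windows\\explorer.exe", "DestinationIp": "198.51.100.23", "DestinationPort": 81, "Initiated": true}
{"UtcTime": "2015-02-13 10:01:00.000", "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "DestinationIp": "203.0.113.7", "DestinationPort": 1979, "Initiated": true}
{"UtcTime": "2015-02-13 10:02:00.000", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationIp": "93.184.216.34", "DestinationPort": 443, "Initiated": true}
{"UtcTime": "2015-02-13 10:02:30.000", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationIp": "93.184.216.34", "DestinationPort": 443, "Initiated": true}
{"UtcTime": "2015-02-13 10:05:00.000", "Image": "C:\\Windows\\explorer.exe", "DestinationIp": "198.51.100.23", "DestinationPort": 81, "Initiated": true}
{"UtcTime": "2015-02-13 10:07:45.000", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationIp": "93.184.216.34", "DestinationPort": 443, "Initiated": true}
{"UtcTime": "2015-02-13 10:10:00.000", "Image": "C:\\Windows\\explorer.exe", "DestinationIp": "198.51.100.23", "DestinationPort": 81, "Initiated": true}
{"UtcTime": "2015-02-13 10:12:00.000", "Image": "C:\\Windows\\explorer.exe", "DestinationIp": "10.0.0.5", "DestinationPort": 445, "Initiated": true}
{"UtcTime": "2015-02-13 10:15:00.000", "Image": "C:\\Windows\\explorer.exe", "DestinationIp": "198.51.100.23", "DestinationPort": 81, "Initiated": true}
{"UtcTime": "2015-02-13 10:20:10.000", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationIp": "93.184.216.34", "DestinationPort": 443, "Initiated": true}
'''

SUSPECT_PORTS = {81, 1979}                          # ports named in the write-up
INJECTION_HOSTS = {"explorer.exe", "iexplore.exe"}  # processes the bot injects into
MIN_BEACONS = 3                                     # connections needed to judge periodicity
MAX_JITTER = 0.2                                    # pstdev/mean of the gaps (assumed threshold)


def parse_events(text):
    """Load JSON-lines Sysmon records and derive a timestamp and process basename."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["time"] = datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        e["process"] = e["Image"].rsplit("\\", 1)[-1].lower()
        events.append(e)
    return events


def analyze_connections(events):
    """Return {"suspect_port": [events], "periodic_beacon": [group summaries]}."""
    suspect = []
    groups = defaultdict(list)
    for e in events:
        if not e.get("Initiated"):
            continue  # only outbound connections matter here
        if e["process"] in INJECTION_HOSTS and e["DestinationPort"] in SUSPECT_PORTS:
            suspect.append(e)
        groups[(e["process"], e["DestinationIp"], e["DestinationPort"])].append(e["time"])

    beacons = []
    for (proc, ip, port), times in groups.items():
        if len(times) < MIN_BEACONS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Near-constant spacing between connections is the "regular basis" signal
        if avg > 0 and pstdev(gaps) / avg <= MAX_JITTER:
            beacons.append({"process": proc, "destination": f"{ip}:{port}",
                            "connections": len(times), "interval_s": avg})
    return {"suspect_port": suspect, "periodic_beacon": beacons}


if __name__ == "__main__":
    result = analyze_connections(parse_events(SAMPLE_EVENTS))
    for e in result["suspect_port"]:
        print("port rule:", e["process"], e["DestinationIp"], e["DestinationPort"])
    for b in result["periodic_beacon"]:
        print("beacon:", b)
```

The Chrome group in the sample connects four times to one destination but with irregular spacing, so only the explorer.exe group at a fixed 300-second interval is reported as a beacon; in practice the jitter threshold needs tuning against a baseline of the environment's own periodic traffic (update checkers, mail polling).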

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Bifrose.FPB_5 (Trojan)

Spam campaign roundup: The Valentines Day Edition (Feb 13, 2015)

With Valentine's Day just around the corner and people searching for the perfect gift for their loved ones, cybercriminals have been busy distributing an increasing amount of Valentine's Day related spam to users, with links to fake advertisements, online offers, and even photos or videos.

Over the last week, the Dell SonicWALL threats research team has been tracking down all Valentine’s Day related spam emails.

Figure 1: Number of spam emails received per day

As Valentine's Day approaches, we are seeing an increasing amount of spam emails with links to phony florists or online retailers who promise a deal without any guarantee of ever receiving the products or services. Below are some of the most common email subjects:

  • Valentine’s Day is unforgettable with stunning roses. 25% off!
  • Your new love life is waiting for you
  • Fall in love with these prices
  • Achieve tips to unleash your love life
  • Valentine’s Flowers: Save 50% Today! Order Now
  • Coolest iPhone Accessory / Valentine’s Gift / GPS Tracking. Only 1000 Left.
  • Bouquets of Love 25% off
  • Valentine’s Day SALE STARTS NOW! Extra 90% Off + Ray Ban

Some emails provide links to photos, videos or online greetings that a "loved one" or a "secret admirer" has supposedly left for you. Clicking these links often leads to survey scams, phishing sites or even malware.

Figure 2: Sample Spam Emails

For those who turn to the internet for something they can do instantly, such as an inexpensive last-minute idea like sending an e-card, cybercriminals have that covered too. Searching online for a free personalized Valentine's card will turn up links to compromised websites that host malicious applications.

Figure 3: Example of a link to a compromised website

Clicking on the link will redirect to a website that will ask the user to download an application that will supposedly install an e-card maker. The installers may use the following variation of filenames:

  • Valentine photo card maker_10924_i31536652_il345.exe [Detected as GAV: VMProtBad.A_6 (Trojan)]
  • Valentine_Photo_Card_Maker_downloader.exe [Detected as GAV: VMProtBad.A_6 (Trojan)]
  • Templates_For_Photo_Card_Maker_downloader.exe [Detected as GAV: VMProtBad.A_6 (Trojan)]

Infection Cycle:

Upon execution, the Trojan will then silently download additional malware components.

Figure 4: Trojan sends an HTTP GET request to download additional components

The user will also be prompted to agree to install applications different from what was intended to be installed.

Figure 5: User prompt to install Internet Optimizer

We observed several other adwares being downloaded and silently installed on the system.

Figure 6: Example of several HTTP GET requests to download additional malware

The downloaded malware components are copied to the following directory:

  • %TEMP%\7BlLXcbJeA.exe [Detected as GAV: Badur.FDSP (Trojan)]
  • %TEMP%\aCp6I5CqLt.exe [Detected as GAV: Tuto4PC.A_7 (Adware)]
  • %TEMP%\bFtBuOwbCT.exe [Detected as GAV: Swiftbrowse.A_3 (Adware)]
  • %TEMP%\UnfBln5TIv.exe [Detected as GAV: Swiftbrowse.A_3 (Adware)]
  • %TEMP%\HRdM16yyj6.exe [Detected as SPY: OptimizerPro.A (Adware)]
  • %TEMP%\bes29A3.exe [Detected as SPY: OfferInstaller.A (Adware)]
  • %TEMP%\BackupSetup.exe [Detected as GAV: MyPcBackup.A_2 (Adware)]
  • %TEMP%\PAqKNEvlB5.exe [Detected as GAV: DownloadMR.A_20 (Trojan)]

The following files were silently installed into the following directories:

  • %PROGRAMFILES%\MyPC Backup\BackupStack.exe [Detected as GAV: MyPcBackup.A_3 (Adware)]
  • %PROGRAMFILES%\MyPC Backup\Configuration Updater.exe [Detected as GAV: MyPcBackup.A_3 (Adware)]
  • %PROGRAMFILES%\MyPC Backup\Signup Wizard.exe [Detected as GAV: MyPcBackup.A_3 (Adware)]
  • %PROGRAMFILES%\MyPC Backup\Updater.exe [Detected as GAV: MyPcBackup.A_3 (Adware)]
  • %PROGRAMFILES%\MyPC Backup\MyPC Backup.exe [Detected as GAV: MyPcBackup.A_3 (Adware)]
  • %PROGRAMFILES%\MyPC Backup\Service Start.exe [Detected as GAV: MyPcBackup.A_3 (Adware)]
  • %PROGRAMFILES%\MyPC Backup\SignupWizard.dll [Detected as GAV: MyPcBackup.A_3 (Adware)]
  • %PROGRAMFILES%\MyPC Backup\BackupStackUI.dll [Detected as GAV: MyPcBackup.A_3 (Adware)]
  • %PROGRAMFILES%\Optimizer Pro 3.38\OptimizerPro.exe [Detected as SPY: OptimizerPro.A (Adware)]
  • %PROGRAMFILES%\Optimizer Pro 3.38\OptProGuard.exe [Detected as SPY: OptimizerPro.A (Adware)]
  • %PROGRAMFILES%\Optimizer Pro 3.38\OptProHelper.dll [Detected as SPY: OptimizerPro.A (Adware)]
  • %PROGRAMFILES%\Optimizer Pro 3.38\OptProLauncher.exe [Detected as SPY: OptimizerPro.A (Adware)]
  • %PROGRAMFILES%\Optimizer Pro 3.38\OptProReminder.exe [Detected as SPY: OptimizerPro.A (Adware)]
  • %PROGRAMFILES%\Optimizer Pro 3.38\OptProSchedule.exe [Detected as SPY: OptimizerPro.A (Adware)]
  • %PROGRAMFILES%\Optimizer Pro 3.38\OptProSmartScan.exe [Detected as SPY: OptimizerPro.A (Adware)]
  • %PROGRAMFILES%\Optimizer Pro 3.38\OptProStart.exe [Detected as SPY: OptimizerPro.A (Adware)]
  • %PROGRAMFILES%\Optimizer Pro 3.38\OptProUninstaller.exe [Detected as SPY: OptimizerPro.A (Adware)]
  • %PROGRAMFILES%\ospd_us_835\ospd_us_835.exe [Detected as GAV: Tuto4PC.A_7 (Adware)]
  • %PROGRAMFILES%\Pinner for Pinterest\Pinner for Pinterest.exe [Detected as GAV: DigiPlug.A_2 (Adware)]
  • %PROGRAMFILES%\PricceeLess\rUiCnUMEjQbrDn.exe [Detected as GAV: DigiPlug.A_2 (Adware)]
  • %PROGRAMFILES%\PricceeLess\rUiCnUMEjQbrDn.dll [Detected as GAV: MultiPlug.H_20 (Adware)]
  • %PROGRAMFILES%\Youtubeadblocker\NIiczbdjsU56cu.exe [Detected as GAV: DigiPlug.A_2 (Adware)]
  • %PROGRAMFILES%\Youtubeadblocker\NIiczbdjsU56cu.dll [Detected as GAV: MultiPlug.H_20 (Adware)]
  • %PROGRAMFILES%\SmileFiles\downloader.exe [Detected as GAV: VMProtBad.A_6 (Trojan)]
  • %PROGRAMFILES%\SmileFiles\SmileFiles.exe [Detected as GAV: SmileFiles.A (Adware)]
  • %PROGRAMFILES%\SmileFilesUpdater\SmileFilesUpdater.exe [Detected as GAV: SmileFiles.A (Adware)]

Within minutes of infection this Trojan was able to download and install multiple other malicious applications. Therefore, we urge our users to always be vigilant and cautious with any unsolicited email, and to avoid clicking on unknown URLs, providing any personal information or installing unfamiliar applications, especially if you are not certain of the source.
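The burst of executable downloads described above (one installer, then several more components within minutes) is visible at the web proxy before any of the dropped files is recognised by signature. The following Python is an added example, not SonicWALL's code, that reads constructed proxy log lines in Squid's native access.log layout and reports any client that fetched several executables inside a short window. The hosts, addresses and timestamps are invented; the file names mirror the ones listed above, and the window and threshold are assumptions to tune per environment.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines in Squid's native access.log layout:
# timestamp elapsed client action/status size method URL user hierarchy/peer content-type
# Client 192.168.1.20 mirrors the e-card installer chain above; .31 is a benign control.
SAMPLE_PROXY_LOG = """\
1423824000.105   312 192.168.1.20 TCP_MISS/200 1048576 GET http://cards.example.invalid/Valentine_Photo_Card_Maker_downloader.exe - HIER_DIRECT/203.0.113.9 application/x-msdownload
1423824030.220   145 192.168.1.20 TCP_MISS/200 2048 GET http://cards.example.invalid/offer.html - HIER_DIRECT/203.0.113.9 text/html
1423824061.430   980 192.168.1.20 TCP_MISS/200 2097152 GET http://dl1.example.invalid/7BlLXcbJeA.exe - HIER_DIRECT/203.0.113.10 application/octet-stream
1423824102.011   650 192.168.1.20 TCP_MISS/200 1572864 GET http://dl2.example.invalid/aCp6I5CqLt.exe - HIER_DIRECT/203.0.113.11 application/x-msdownload
1423824150.500   700 192.168.1.20 TCP_MISS/200 1310720 GET http://dl2.example.invalid/HRdM16yyj6.exe - HIER_DIRECT/203.0.113.11 application/x-msdownload
1423824210.900   710 192.168.1.20 TCP_MISS/200 1835008 GET http://dl3.example.invalid/BackupSetup.exe - HIER_DIRECT/203.0.113.12 application/x-msdownload
1423824000.300    88 192.168.1.31 TCP_MISS/200 5120 GET http://intranet.example.invalid/index.html - HIER_DIRECT/10.0.0.8 text/html
1423824500.700   400 192.168.1.31 TCP_MISS/200 3145728 GET http://vendor.example.invalid/update/setup.exe - HIER_DIRECT/203.0.113.40 application/x-msdownload
"""

# MIME types commonly returned for Windows executables
EXE_CONTENT_TYPES = {"application/x-msdownload", "application/x-msdos-program",
                     "application/vnd.microsoft.portable-executable"}


def parse_squid_line(line):
    """Split one native-format line into the fields the detection needs."""
    parts = line.split()
    if len(parts) < 10:
        return None
    return {"ts": float(parts[0]), "client": parts[2], "status": parts[3],
            "method": parts[5], "url": parts[6], "ctype": parts[9]}


def is_executable_download(rec):
    """A completed GET whose type or URL path says it is an executable."""
    path = urlsplit(rec["url"]).path.lower()
    return (rec["method"] == "GET" and rec["status"].endswith("/200")
            and (rec["ctype"].lower() in EXE_CONTENT_TYPES or path.endswith(".exe")))


def find_download_bursts(records, window_s=600, threshold=3):
    """Per client, find the largest set of executable downloads inside window_s seconds;
    report it when it reaches threshold. The first URL is the likely initial dropper."""
    by_client = defaultdict(list)
    for rec in records:
        if is_executable_download(rec):
            by_client[rec["client"]].append(rec)

    bursts = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        start, best = 0, None
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window_s:
                start += 1  # slide the window forward
            count = end - start + 1
            if count >= threshold and (best is None or count > best[1]):
                best = (start, count)
        if best:
            s, n = best
            bursts.append({"client": client, "count": n, "first_url": recs[s]["url"],
                           "urls": [r["url"] for r in recs[s:s + n]]})
    return bursts


if __name__ == "__main__":
    records = [r for r in map(parse_squid_line, SAMPLE_PROXY_LOG.splitlines()) if r]
    for burst in find_download_bursts(records):
        print(f"{burst['client']}: {burst['count']} executables, first {burst['first_url']}")
```

The `application/octet-stream` component is caught by its `.exe` path rather than its MIME type, which is why both checks are combined; a real deployment would also want to look at downloads served with misleading names, which is a job for content inspection rather than the log.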

Dell SonicWALL Gateway AntiVirus provides protection against these threats with the following signatures:

  • GAV: VMProtBad.A_6 (Trojan)
  • GAV: DownloadMR.A_20 (Trojan)
  • GAV: Badur.FDSP (Trojan)
  • GAV: Tuto4PC.A_7 (Adware)
  • GAV: Swiftbrowse.A_3 (Adware)
  • GAV: MyPcBackup.A_2 (Adware)
  • GAV: MyPcBackup.A_3 (Adware)
  • GAV: DigiPlug.A_2 (Adware)
  • GAV: MultiPlug.H_20 (Adware)
  • GAV: SmileFiles.A (Adware)
  • SPY: OptimizerPro.A (Adware)
  • SPY: OfferInstaller.A (Adware)

Adware campaign spreads on Android app stores ( Feb 12, 2015 )

A phone is no longer limited to just making and receiving calls; a standard smartphone today contains enough features and applications (apps) to replace a computer for light day-to-day tasks. The app ecosystem can make or break the smartphones of the current generation, and every major smartphone operating system comes with its own app store. Google Play is probably the largest and safest place to get apps for an Android smartphone. Even though all apps on the Play store are scanned for malicious content, there are instances when some malicious apps sneak by and infect a user's device.

The Dell SonicWALL Threats Research team received reports of some apps from Google Play which were infecting the users who downloaded them. These apps pose as utility applications like a flashlight, but they are advertisement campaigns that constantly bombard the user with ads.

Google uses a service, codenamed Bouncer, which scans the apps on the Play store for malicious behavior. But this analysis leans towards static analysis, so some apps that download their malicious content only after waiting for a particular period pass through this scrutiny. Recently Google introduced a component that scans the apps installed on the user's device and verifies whether they are behaving in the expected manner. But this only comes into effect after the apps are installed on the device, so in some cases it might be too late; regardless, we can expect this service to improve with time and further strengthen the core Android security related to applications running on the device.

Android Ice Cream Sandwich (4.0 to 4.0.4) had verify apps in Settings > Security and Google Settings > Security. The latest version Android Lollipop (5.0 to 5.1) has this setting only in Google Settings > Security. It is possible that this feature will be integrated into the OS as a default option in future releases.

As of 2014 there were around 1.3 million apps in the Android ecosystem. Apart from the Play store there are a number of non-Google app stores from which you can download apps, but doing so may not always be safe. Google recommends that apps be downloaded only from the trusted Play Store.

The package names for the apps we checked are:

  • com.keloidscaretissue.Quxicompass
  • com.keloidscaretissue.QuxiFlashlisht
  • com.flashlightcompass.wedoourbest
  • com.keloidscaretissue.puzzle2048
  • com.onlygoodcompass.wedoourbest

These apps are no longer available on the Google Play store and other popular alternate stores:

But there are still some alternate stores that are providing these apps:

When applications as simple as a flashlight, a compass and a puzzle game request permissions such as the following, it raises suspicion about the real motives of these applications:

  • Read and write to external storage
  • Access camera
  • Read contacts
  • Process outgoing calls

Upon installing the Flashlight app it appeared to work, but after a while the icon for the app disappeared from the app drawer. To the user the app appears to be not working and no longer present on the phone, but its background services continue to run. This behavior is common to all five apps listed above, hence they have been dubbed HideIcon by researchers.
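The permission mismatch described above (a flashlight asking to read contacts and process outgoing calls) can be checked mechanically before an app is approved for a device fleet. The following Python is an added example, not SonicWALL's or Google's code: it parses the `uses-permission` entries of an AndroidManifest.xml, compares them with an expected set for the app's declared category, and separates out permissions that touch personal data or call handling. The manifests, package names and the per-category baselines are constructed assumptions for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed baseline permission sets per category (not a published Google list).
# Pre-Marshmallow torch control goes through the camera API, so CAMERA is
# expected for a flashlight but not for a compass or a puzzle game.
EXPECTED_PERMISSIONS = {
    "flashlight": {"android.permission.CAMERA", "android.permission.FLASHLIGHT",
                   "android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE"},
    "compass": {"android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE"},
    "puzzle": {"android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE"},
}

# Permissions that expose personal data or call handling; any of these on a
# simple utility app is the kind of mismatch described above.
HIGH_RISK = {"android.permission.READ_CONTACTS", "android.permission.PROCESS_OUTGOING_CALLS",
             "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.CALL_PHONE", "android.permission.READ_PHONE_STATE",
             "android.permission.ACCESS_FINE_LOCATION"}

# Constructed manifests with invented package names. The flashlight requests the
# permission set listed above; the compass is a benign control.
FLASHLIGHT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <application android:label="Flashlight"/>
</manifest>
"""

PUZZLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.puzzle2048">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Puzzle"/>
</manifest>
"""

COMPASS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.compass">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Compass"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return (package name, set of permissions requested via <uses-permission>)."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return root.get("package"), {n for n in names if n}


def audit_permissions(manifest_xml, category):
    """Compare requested permissions with the category baseline and flag high-risk ones."""
    package, perms = declared_permissions(manifest_xml)
    excess = perms - EXPECTED_PERMISSIONS[category]
    high_risk = perms & HIGH_RISK
    return {
        "package": package,
        "category": category,
        "excess": sorted(excess),
        "high_risk": sorted(high_risk),
        # Assumed rule: any high-risk permission, or three or more unexplained ones
        "suspicious": bool(high_risk) or len(excess) >= 3,
    }


if __name__ == "__main__":
    for manifest, category in ((FLASHLIGHT_MANIFEST, "flashlight"),
                               (PUZZLE_MANIFEST, "puzzle"),
                               (COMPASS_MANIFEST, "compass")):
        print(audit_permissions(manifest, category))
```

This catches the declared-permission mismatch only; the icon hiding described above happens at runtime, after install, and leaves no trace in the manifest, so a manifest audit complements rather than replaces running the app and watching what it fetches and starts.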


The Flashlight app fetches a text file called CDN.txt from cdn2.appicano.com that contains a list of Android app package names. A number of VirusTotal reports indicate malicious files that contain the link cdn2.appicano.com. The phone is then bombarded with advertisements at an alarming rate. The ads are typically for different applications, with no set pattern to the type of application. During our analysis we observed ads for games, popular services like Uber and social networking applications like PalTalk. We observed the following ways in which ads are displayed to the user:

  • Play store is opened with install page for an application:
  • The screen is covered with an image for the advertisement with download links. The image has a ‘close’ button which can be used to close the ad, but sometimes it does not have one and the user is forced to click a prompted button. There is a chance that the ad may cover the screen without a way to close it:
  • There are small button overlays on not only Play Store but also general applications like the Chrome browser. If clicked, the user is taken to the download page:

Overall, these apps pose as utility applications but are in fact advertisement campaigns, and they mar the user's Android experience by constantly bombarding the screen with advertisements. While it is recommended to download apps only from the Play store, it would be beneficial if users were notified when an app they downloaded is removed from the store. This would protect existing users of the apps instead of only protecting potential new users, as it currently stands.

However, this case highlights the need to download apps only from the Play Store, as Google constantly checks and analyzes apps for malicious behavior and takes down any app it finds to be malicious. A similar take-down on other non-Google stores usually takes time to be reflected, as in the current case, and this time gap may be all that is needed for a phone to get infected.

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: AndroidOS.HideIcon.QC (Trojan)
  • GAV: AndroidOS.HideIcon.FL_2 (Trojan)
  • GAV: AndroidOS.HideIcon.PZ (Trojan)
  • GAV: AndroidOS.Hideicon.FL (Trojan)

Microsoft Security Bulletin Coverage (Feb 10, 2015)

Dell SonicWALL has analyzed and addressed Microsoft's security advisories for the month of February 2015. A list of the issues reported, along with Dell SonicWALL coverage information, follows:

MS15-009 Security Update for Internet Explorer (3034682)

  • CVE-2014-8967 Internet Explorer Memory Corruption Vulnerability
    IPS: 6108 “Internet Explorer HTML Use-After-Free 6”
  • CVE-2015-0017 Internet Explorer Memory Corruption Vulnerability
    IPS: 3480 “DOM Object Use-After-Free Attack 3a”
  • CVE-2015-0018 Internet Explorer Memory Corruption Vulnerability
    IPS: 6329 “Microsoft Internet Explorer HTML Use After Free 6”
  • CVE-2015-0019 Internet Explorer Memory Corruption Vulnerability
    IPS: 6331 “Microsoft Internet Explorer Use After Free 2”
  • CVE-2015-0020 Internet Explorer Memory Corruption Vulnerability
    IPS: 6333 “Microsoft Internet Explorer Use After Free 3”
  • CVE-2015-0021 Internet Explorer Memory Corruption Vulnerability
    IPS: 6340 “Microsoft Internet Explorer Use After Free 4”
  • CVE-2015-0022 Internet Explorer Memory Corruption Vulnerability
    IPS: 9961 “Microsoft Internet Explorer Use After Free 10”
  • CVE-2015-0023 Internet Explorer Memory Corruption Vulnerability
    IPS: 9961 “HTTP Client Shellcode Exploit 15”
  • CVE-2015-0025 Internet Explorer Memory Corruption Vulnerability
    IPS: 6344 “Microsoft Internet Explorer Use After Free 6”
  • CVE-2015-0026 Internet Explorer Memory Corruption Vulnerability
    IPS: 6346 “Microsoft Internet Explorer HTML Use After Free 7”
  • CVE-2015-0027 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-0028 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-0029 Internet Explorer Memory Corruption Vulnerability
    IPS: 7645 “HTTP Client Shellcode Exploit 11c”
  • CVE-2015-0030 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-0031 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-0035 Internet Explorer Memory Corruption Vulnerability
    IPS: 9836 “Microsoft Internet Explorer Use After Free 9”
  • CVE-2015-0036 Internet Explorer Memory Corruption Vulnerability
    IPS: 6347 “Microsoft Internet Explorer Out of Bound index array (MS15-009)”
  • CVE-2015-0037 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-0038 Internet Explorer Memory Corruption Vulnerability
    IPS: 9944 “Microsoft Internet Explorer HTML Use After Free 10”
  • CVE-2015-0039 Internet Explorer Memory Corruption Vulnerability
    IPS: 6350 “Microsoft Internet Explorer HTML Use After Free 8”
  • CVE-2015-0040 Internet Explorer Memory Corruption Vulnerability
    IPS: 6351 “Microsoft Internet Explorer Use After Free 7”
  • CVE-2015-0041 Internet Explorer Memory Corruption Vulnerability
    IPS: 5097 “Microsoft Internet Explorer Use After Free 8”
  • CVE-2015-0042 Internet Explorer Memory Corruption Vulnerability
    IPS: 6320 “Microsoft Internet Explorer HTML Use After Free 9”
  • CVE-2015-0043 Internet Explorer Memory Corruption Vulnerability
    IPS: 10726 “Microsoft Internet Explorer Use After Free 11”
    IPS: 10727 “Microsoft Internet Explorer Use After Free 12”
  • CVE-2015-0044 Internet Explorer Memory Corruption Vulnerability
    IPS: 10728 “Microsoft Internet Explorer Remote Code Execution 4”
  • CVE-2015-0045 Internet Explorer Memory Corruption Vulnerability
    IPS: 10729 “Microsoft Internet Explorer Use After Free 14”
  • CVE-2015-0046 Internet Explorer Memory Corruption Vulnerability
    IPS: 10730 “Microsoft Internet Explorer Remote Code Execution 3”
  • CVE-2015-0048 Internet Explorer Memory Corruption Vulnerability
    IPS: 10731 “Microsoft Internet Explorer Use After Free 16”
  • CVE-2015-0049 Internet Explorer Memory Corruption Vulnerability
    IPS: 10732 “Microsoft Internet Explorer Use After Free 17”
  • CVE-2015-0050 Internet Explorer Memory Corruption Vulnerability
    IPS: 3310 “HTTP Client Shellcode Exploit 82”
  • CVE-2015-0051 Internet Explorer ASLR Bypass Vulnerability
    IPS: 10733 “Microsoft Internet Explorer Memory Access”
  • CVE-2015-0052 Internet Explorer Memory Corruption Vulnerability
    IPS: 10734 “Microsoft Internet Explorer Remote Code Execution 2”
  • CVE-2015-0053 Internet Explorer Memory Corruption Vulnerability
    IPS: 2067 “Microsoft Internet Explorer 7 Uninitialized Pointer (MS15-009)”
  • CVE-2015-0054 Internet Explorer Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-0055 Internet Explorer Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-0066 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-0067 Internet Explorer Memory Corruption Vulnerability
    IPS: 9948 “Microsoft Internet Explorer Uninitialized Pointer (MS15-009)”
  • CVE-2015-0068 Internet Explorer Memory Corruption Vulnerability
    IPS: 9926 “Microsoft Internet Explorer Remote Code Execution (MS15-009)”
  • CVE-2015-0069 Internet Explorer ASLR Bypass Vulnerability
    IPS: 9988 “HP Data Protector Remote Code Execution”
  • CVE-2015-0070 Internet Explorer Cross-domain Information Disclosure Vulnerability
    IPS: 9925 “Microsoft Internet Explorer Information Disclosure (MS15-009)”
  • CVE-2015-0071 Internet Explorer ASLR Bypass Vulnerability
    IPS: 9949 “Internet Explorer Memory Corruption Vulnerability (MS13-047) 12”

MS15-010 Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220)

  • CVE-2015-0003 Win32k Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2015-0010 CNG Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-0057 Win32k Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2015-0058 Windows Cursor Object Double Free Vulnerability
    This is a local vulnerability.
  • CVE-2015-0059 TrueType Font Parsing Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-0060 Windows Font Driver Denial of Service Vulnerability
    There are no known exploits in the wild.

MS15-011 Vulnerability in Group Policy Could Allow Remote Code Execution (3000483)

  • CVE-2015-0008 Group Policy Remote Code Execution Vulnerability
    IPS: 10735 “Group Policy Remote Code Execution Vulnerability”

MS15-012 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3032328)

  • CVE-2015-0063 Excel Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-0064 Office Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-0065 OneTableDocumentStream Remote Code Execution Vulnerability
    There are no known exploits in the wild.

MS15-013 Vulnerability in Microsoft Office Could Allow Security Feature Bypass (3033857)

  • CVE-2014-6362 Microsoft Office Component Use After Free Vulnerability
    There are no known exploits in the wild.

MS15-014 Vulnerability in Group Policy Could Allow Security Feature Bypass (3004361)

  • CVE-2015-0009 Group Policy Security Feature Bypass Vulnerability
    There are no known exploits in the wild.

MS15-015 Vulnerability in Microsoft Windows Could Allow Elevation of Privilege (3031432)

  • CVE-2015-0062 Windows Create Process Elevation of Privilege Vulnerability
    This is a local vulnerability.

MS15-016 Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3029944)

  • CVE-2015-0061 TIFF Processing Information Disclosure Vulnerability
    There are no known exploits in the wild.

MS15-017 Vulnerability in Virtual Machine Manager Could Allow Elevation of Privilege (3035898)

  • CVE-2015-0012 Virtual Machine Manager Elevation of Privilege Vulnerability
    This is a local vulnerability.

One more avatar of Nuclear Exploit Kit (Feb 6th, 2015)

The Dell SonicWALL Threats Research team has recently observed an update to the Nuclear Exploit Kit. The exploit kit has added the latest Adobe Flash exploit, CVE-2015-0311, to its arsenal. In addition to the new exploit, the landing page has been updated.

Until now the landing page carried an obfuscated plugin-detection library to determine the versions of the Java, Adobe Flash, Adobe Reader and Silverlight plugins installed in the browser. It would then serve the corresponding exploit to compromise the user's system.

In this update we have not seen any plugin-detection library, and the kit targets the Adobe Flash and Silverlight plugins only.

Fig-1 : old DeObfuscated Nuclear Exploit Kit landing page
Fig-2 : latest DeObfuscated Nuclear Exploit Kit landing page

On successful exploitation, additional malware is downloaded onto the system. During our analysis we observed the payload to be a downloader.

Keeping software up to date will help in mitigating this exploit kit. The Dell SonicWALL Threats Research team will keep monitoring this exploit kit and add or update mitigation signatures as required.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: MalSWF (Trojan)

  • GAV: MalAgent.G (Trojan)

Dyre.E: New Variant of Dyre Trojan Spreads Upatre Malware

The Dell SonicWALL Threats Research team observed reports of a Dyre bot family, detected as GAV: Dyre.E and Dyre.F, actively spreading in the wild. This is a new variant of the well-known Dyre Trojan that uses I2P (Invisible Internet Project) for C&C communications. I2P is an anonymity network similar to the Tor network; the C&C communication uses its own self-signed SSL certificate.

Dyre typically arrives via a spam attachment that claims to be a fax or a package tracking notification but actually contains an Upatre downloader that installs Dyre. Spam emails are then sent with Upatre attached, and the cycle repeats.

Infection Cycle:

MD5: 9651d4ffb09a507bb17502228a8dc674, 18cf4a3a89c07aa1fb7a8848e92259ad

The malware uses the following icon:

The malware adds the following files to the system:

  • %Userprofile%\Local Settings\Temp\foreveview.exe [Executable file]

  • %systemroot%\wKehylcgruOagGy.exe [Executable file]

  • %Userprofile%\Local Settings\Temp\QjGjK48.exe [Executable file]

The malware adds the following keys to the Windows registry to ensure persistence upon reboot:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\googleupdate

    • HKLM\System\CurrentControlSet\Services\googleupdate\ImagePath

    • %systemroot%\wKehylcgruOagGy.exe

The malware adds the following keys to modify security services on the target machine:

The file wKehylcgruOagGy.exe is registered as a service in the Win32 subsystem. After the next restart, the malware uses an injected Svchost.exe to send packets to its own C&C server, and after some time it terminates its own process.

Command and Control (C&C) Traffic

Dyre carries out its C&C communication over HTTP and SSL. It sends requests to statically defined IPs/domains on a regular basis. Some requests, which appear to fetch a normal PDF file, retrieve an encrypted Dyre binary that is then decrypted by the malware's own algorithm.

The malware sends an HTTP request to the C&C server which contains information such as the campaign it belongs to, the infected machine's computer name and operating system version; here is an example:
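The "looks like a PDF, is actually an encrypted binary" download described above is a mismatch between what a response claims and what its bytes are, which a proxy or sandbox can test without knowing Dyre's encryption. The following Python is an added example, not SonicWALL's code: it checks whether a response that claims to be a PDF (by Content-Type or URL suffix) actually starts with the PDF magic, whether it is instead a PE image, and otherwise whether its byte entropy is in the range of encrypted or compressed data. The request URL, headers and bodies are constructed; the pseudo-random blob stands in for an encrypted payload and contains no real malware bytes, and the entropy threshold is an assumption.

```python
import hashlib
import math
from urllib.parse import urlsplit

PDF_MAGIC = b"%PDF-"
PE_MAGIC = b"MZ"
HIGH_ENTROPY = 7.5  # bits per byte; encrypted or well-compressed data sits near 8.0 (assumed cut-off)


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def claims_pdf(url, headers):
    """True when the Content-Type header or the URL path says this is a PDF."""
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    if ctype.split(";")[0].strip().lower() == "application/pdf":
        return True
    return urlsplit(url).path.lower().endswith(".pdf")


def classify_response(url, headers, body):
    """Compare what a response claims to be with what its leading bytes and entropy show."""
    entropy = shannon_entropy(body)
    if not claims_pdf(url, headers):
        verdict = "not-claiming-pdf"
    elif body.startswith(PDF_MAGIC):
        verdict = "pdf-ok"
    elif body.startswith(PE_MAGIC):
        verdict = "claims-pdf-but-pe"          # an unencrypted executable behind a PDF label
    elif entropy >= HIGH_ENTROPY:
        verdict = "claims-pdf-high-entropy-blob"  # the encrypted-binary case described above
    else:
        verdict = "claims-pdf-unknown-content"
    return {"verdict": verdict, "entropy": round(entropy, 2), "size": len(body)}


# Constructed bodies: a minimal PDF skeleton, a PE stub, and a deterministic
# pseudo-random blob (chained SHA-256 digests) standing in for an encrypted payload.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
SAMPLE_PE_STUB = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 200
SAMPLE_ENCRYPTED_BLOB = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
PDF_HEADERS = {"Content-Type": "application/pdf", "Server": "nginx"}
SAMPLE_URL = "http://c2.example.invalid/docs/report.pdf"  # constructed, not a real C&C address


if __name__ == "__main__":
    for label, body in (("real pdf", SAMPLE_PDF), ("pe stub", SAMPLE_PE_STUB),
                        ("encrypted blob", SAMPLE_ENCRYPTED_BLOB)):
        print(label, classify_response(SAMPLE_URL, PDF_HEADERS, body))
```

The magic check is the decisive one: a genuine PDF with compressed streams can also score high on entropy, but it still begins with `%PDF-`, so entropy is only consulted after the header test has already failed.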

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Dyre.E (Trojan)

  • GAV: Dyre.F (Trojan)

SonicWall WXA 1.3 with Clustering for WAN Acceleration (WXA) Series Optimizes Bandwidth Utilization

There’s been talk in the U.S. recently about increasing broadband speeds which is good news for many.

“As consumers adopt and demand more from their platforms and devices, the need for broadband will increase,” FCC Commissioner Mignon Clyburn recently said when the agency voted to change the definition of broadband. “What is crystal clear to me is that the broadband speeds of yesteryear are woefully inadequate today and beyond.”

Businesses in particular stand to benefit as the use of bandwidth-intensive applications such as file sharing, collaboration apps and social media by employees continues to grow. The end goal for any business, of course, is to be more profitable and one of the ways to do that is to improve the productivity of its workforce.

Purchasing more bandwidth is one way to help your employees be more productive if they're feeling bogged down by slow network performance. Efficiently using what you already have, though, may be a better and less costly solution. That's where wide area network (WAN) acceleration can help.

WAN acceleration optimizes the utilization of available bandwidth by transmitting only new or changed data between sites over the internet. Eliminating redundancy cuts down the traffic volume which helps reduce the latency we’ve all experienced. It’s not just about the data however. Accessing an application that sits at the corporate headquarters from a remote site over the WAN can be a torturous experience at the best of times. When bandwidth is throttled due to an overabundance of traffic on the network, everything slows down and you end up with an unhappy and unproductive employee.

The SonicWall WAN Acceleration Appliance (WXA) Series is a proven solution that enhances the user experience and improves productivity for employees at remote and branch sites.

Today we are releasing version 1.3 which includes a new clustering feature for the SonicWall WXA 4000, WXA 5000 and WXA 6000.

Clustering provides scalability for growing organizations by enabling you to link together multiple WXA products at each location to add more users and connections. Another nice feature of the WXA Series is that it's an integrated add-on to SonicWall next-generation firewalls. This means you get not only better WAN application performance, but also the added benefit of comprehensive scanning for intrusions and malware before the traffic is accelerated across the WAN or a VPN. The WXA Series is available in a variety of platform options including both hardware and virtual appliances as well as software. To learn more about WAN acceleration and the SonicWall WXA Series, visit our website. Our customers have gained significant speed with our solutions.

Microsoft Internet Explorer Same Origin Policy Bypass (CVE-2015-0072) (Feb 4, 2015)

A same-origin policy bypass vulnerability has been reported in Microsoft Internet Explorer. A remote attacker can exploit this vulnerability to bypass the SOP and cause a cross-site scripting attack to take place.

Dell SonicWALL Threat Research Team has researched this vulnerability and released the following signature to protect their customers.

  • IPS:6288 Internet Explorer SOP Bypass

This vulnerability is tracked as CVE-2015-0072.

Adobe Flash Zero day (CVE-2015-0313) (Feb 3, 2015)

A critical vulnerability (CVE-2015-0313) exists in Adobe Flash Player 16.0.0.296 and earlier versions for Windows and Macintosh. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. This vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.

Dell SonicWALL Threat Research Team has researched this vulnerability (CVE-2015-0313) and released the following signature to protect their customers.

  • SPY 4397 : Malformed-File swf.OT.28