OpenSSL X509_cmp_time DoS

After receiving a certificate (from the client or from the server, depending on the direction of the handshake), OpenSSL calls X509_cmp_time to perform various checks on the certificate, including comparing its notBefore and notAfter validity times against the current time. The function allocates a buffer to hold the bytes of the VisibleString. A malformed VisibleString can cause an out-of-bounds read (a read-access violation), which terminates the application.

A remote attacker can exploit this vulnerability with a crafted certificate that contains a malformed UTCTime or GeneralizedTime field, causing a denial of service.
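As an added illustration (not OpenSSL's code), the following Python validator shows the check the description implies: a UTCTime or GeneralizedTime string is accepted only when its length and layout exactly match RFC 5280 before any field is read by position, so a truncated or otherwise malformed value fails closed instead of reaching the comparison. The function names and the `kind` parameter are this example's own.

```python
import re
from datetime import datetime, timezone

# Exact shapes required by RFC 5280 section 4.1.2.5: UTCTime is YYMMDDHHMMSSZ,
# GeneralizedTime is YYYYMMDDHHMMSSZ. The anchored patterns pin the length, so
# a truncated string or one with extra bytes (fractional seconds, UTC offsets,
# missing seconds) is rejected before any field is read by position.
_UTC_RE = re.compile(rb"\A(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z\Z")
_GEN_RE = re.compile(rb"\A(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z\Z")


def parse_asn1_time(raw: bytes, kind: str):
    """Return an aware UTC datetime, or None when the encoding is malformed.

    'kind' is the ASN.1 tag the caller decoded: 'UTCTime' or 'GeneralizedTime'.
    """
    if kind == "UTCTime":
        m = _UTC_RE.match(raw)
        if not m:
            return None
        yy = int(m.group(1))
        year = 2000 + yy if yy < 50 else 1900 + yy  # RFC 5280 two-digit year pivot
    elif kind == "GeneralizedTime":
        m = _GEN_RE.match(raw)
        if not m:
            return None
        year = int(m.group(1))
    else:
        return None
    month, day, hour, minute, second = (int(g) for g in m.groups()[1:])
    try:
        return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    except ValueError:  # digits fit the layout but not the calendar (month 13, ...)
        return None


def check_validity(not_before: bytes, nb_kind: str,
                   not_after: bytes, na_kind: str, now=None) -> str:
    """Classify a certificate's validity window as 'malformed', 'not_yet_valid',
    'expired' or 'valid'. A malformed time never reaches the comparison."""
    nb = parse_asn1_time(not_before, nb_kind)
    na = parse_asn1_time(not_after, na_kind)
    if nb is None or na is None:
        return "malformed"
    now = now or datetime.now(timezone.utc)
    if now < nb:
        return "not_yet_valid"
    if now > na:
        return "expired"
    return "valid"
```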

Dell SonicWALL has released an IPS signature to detect and block exploitation attempts targeting this vulnerability. The signature is listed below:

  • 11109 OpenSSL X509 DoS
  • 11110 OpenSSL X509 DoS 1

This vulnerability is tracked as CVE-2015-1789.

Unravelled VBE script drops Banking Trojan (Aug 28th, 2015)

The Dell SonicWALL Threats Research team has discovered a malicious obfuscated VBE script that is used to drop additional malware onto the infected system. The script is obfuscated and uses encryption in an attempt to hide its functionality.

Infection Cycle:

The Trojan makes the following DNS queries:

      guanambier.com.br
      imprensasofas.com.br

The Trojan adds the following files to the filesystem:

  • %APPDATA%\Microsoft\Windows\Templates\Lb305a.exe [Detected as GAV: Dropper.A_1492 (Trojan)]
  • %APPDATA%\Microsoft\Windows\Templates\Tp305iG3N.exe [Detected as GAV: Banker.MMUO (Trojan)]
  • %APPDATA%\Microsoft\Windows\Templates\Xp806Np7F.7z [Detected as GAV: Dropper.VBE_2 (Trojan)]
  • %TEMP%\tmp.exe [Detected as GAV: Kryptik.CQXR (Trojan)]
  • %TEMP%\Zp806b9h.exe (7z utility)

The Trojan adds the following registry key to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, value Tp305iG3N.exe = "%APPDATA%\Microsoft\Windows\Templates\Tp305iG3N.exe"

The VB script is obfuscated:

Using freely available tools, it was easy to deobfuscate the script and reveal its functionality. It contains code to download a 7z archive from a remote webserver:

It also downloads the 7z utility program that is used to extract files from 7z archives.

The 7z archive is password protected. The script contains the password for the 7z archive:

      pass = "vaio1010"

Using this password, it extracts the malicious files contained in the archive:

The script contains the following decryption routine:

      ' RC4: the password is expanded into a 256-byte key schedule (aKey), the
      ' state aBox is permuted with it (key scheduling), then every character of
      ' the input is XORed with one keystream byte. Encrypting and decrypting
      ' are the same operation, so one function serves both.
      Function fCrypt(sPlainText, sPassword)
        Dim aBox(255), aKey(255), sTemp, a, b, c, i, j, k, iCipherBy, sTempswap, iLength, sO
        i = 0: j = 0: b = 0
        iLength = Len(sPassword)
        ' Key scheduling: repeat the password across 256 bytes, initialise the state
        For a = 0 To 255
          aKey(a) = Asc(Mid(sPassword, (a Mod iLength) + 1, 1))
          aBox(a) = a
        Next
        For a = 0 To 255
          b = (b + aBox(a) + aKey(a)) Mod 256
          sTempswap = aBox(a)
          aBox(a) = aBox(b)
          aBox(b) = sTempswap
        Next
        ' Keystream generation, XORed with each input character
        For c = 1 To Len(sPlainText)
          i = (i + 1) Mod 256
          j = (j + aBox(i)) Mod 256
          sTemp = aBox(i)
          aBox(i) = aBox(j)
          aBox(j) = sTemp
          k = aBox((aBox(i) + aBox(j)) Mod 256)
          iCipherBy = Asc(Mid(sPlainText, c, 1)) Xor k
          sO = sO & Chr(iCipherBy)
        Next
        fCrypt = sO
      End Function

The URLs and filenames to be used are encrypted in the script, which uses the function above to decrypt them at runtime with 5F4156472559703C6B6E2B as the decryption key:

      linkA = fCrypt(HexToString("440A21CC6E364E7210D0757DA70C34B7397B47F8035587856AAFCA5196D980FB83DEF77D6BBC725532"), "5F4156472559703C6B6E2B")
      NmFile = fCrypt(HexToString("740E6D8C62571122239F2C66"), "5F4156472559703C6B6E2B")
      linkZip = fCrypt(HexToString("440A21CC6E364E7210D0757DA70C34B7397B47F8035587856AAFCA5196D980FBC7D4F33638B5"), "5F4156472559703C6B6E2B")
      ZipFile = fCrypt(HexToString("760E6D8C627B587D4BD46379"), "5F4156472559703C6B6E2B")
      fileA = fCrypt(HexToString("601C668C61784F701DD4"), "5F4156472559703C6B6E2B")
      fileB = fCrypt(HexToString("780E668C617026262B9F7E64AF"), "5F4156472559703C6B6E2B")
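The fCrypt routine is standard RC4 with the password used as the key. The following Python port (added here; it is not part of the script or of the original post) reproduces fCrypt and the HexToString step so the encrypted strings above can be recovered offline; the key is used as the literal 22-character ASCII string, exactly as the script passes it, and the function and dictionary names are this example's own.

```python
import binascii

# Key exactly as the script passes it: a 22-character ASCII string, not hex-decoded.
SCRIPT_KEY = b"5F4156472559703C6B6E2B"

# Hex strings copied from the script's fCrypt(HexToString(...)) calls above.
ENCRYPTED_STRINGS = {
    "linkA":   "440A21CC6E364E7210D0757DA70C34B7397B47F8035587856AAFCA5196D980FB83DEF77D6BBC725532",
    "NmFile":  "740E6D8C62571122239F2C66",
    "linkZip": "440A21CC6E364E7210D0757DA70C34B7397B47F8035587856AAFCA5196D980FBC7D4F33638B5",
    "ZipFile": "760E6D8C627B587D4BD46379",
    "fileA":   "601C668C61784F701DD4",
    "fileB":   "780E668C617026262B9F7E64AF",
}


def f_crypt(data: bytes, key: bytes) -> bytes:
    """Python port of the script's fCrypt: plain RC4 (key scheduling + keystream).

    The two loops over 0..255 mirror the aKey/aBox setup, the loop over the
    input mirrors the per-character XOR. RC4 is its own inverse, so the same
    call encrypts and decrypts.
    """
    if not key:
        raise ValueError("empty key")
    # Key scheduling: the key repeats across 256 positions (aKey), the state
    # starts as the identity permutation (aBox) and is swapped in place.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Keystream: i and j advance before every output byte, exactly as in fCrypt.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        k = s[(s[i] + s[j]) & 0xFF]
        out.append(byte ^ k)
    return bytes(out)


def hex_to_string(hex_text: str) -> bytes:
    """Equivalent of the script's HexToString helper."""
    return binascii.unhexlify(hex_text)


def decrypt_config(key: bytes = SCRIPT_KEY) -> dict:
    """Recover the script's runtime strings as text. latin-1 is used so every
    byte value decodes, which keeps a wrong key visible rather than crashing."""
    return {name: f_crypt(hex_to_string(h), key).decode("latin-1")
            for name, h in ENCRYPTED_STRINGS.items()}


if __name__ == "__main__":
    for name, value in decrypt_config().items():
        print(f"{name:8s} = {value!r}")
```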

The script runs Tp305iG3N.exe [Detected as GAV: Banker.MMUO (Trojan)]. This banker Trojan announces its presence to its operators by issuing the following HTTP request to a remote webserver:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Psyme.KYA (Trojan)
  • GAV: Banker.MMUO (Trojan)
  • GAV: Kryptik.CQXR (Trojan)
  • GAV: Dropper.A_1492 (Trojan)
  • GAV: Dropper.VBE_2 (Trojan)

Are You Compromising Your Business Security?

As advances in networking continue to provide tremendous benefits, businesses are increasingly challenged by sophisticated attacks designed to disrupt communication, degrade performance and compromise data. Striking the perfect balance between network security and performance is no easy task. Meeting these demands can be especially daunting for small businesses, which usually cannot afford the same degree of protections as their larger counterparts.

The good news is that, with technology, higher performance and superior security are possible. By minimizing the attack surface that a business presents to the world, security can emerge as a differentiator rather than an inhibitor.

The first line of defense for any business, large or small, is an updated and properly configured firewall. In fact, if your business is still using a traditional firewall to protect against malicious threats, you may not even realize that you are woefully unprotected. Though firewalls are an essential part of network security, many (especially traditional firewalls) offer limited protection. They can monitor and block traffic based on source and destination information, but they can’t look inside packets to detect malware, identify hacker activity or help you manage what end users are doing on the internet. Even if you purchased a firewall just a few years ago, it might not be able to inspect encrypted traffic, leaving you exposed to encrypted malware.

Securing the small business

Just because your business is small doesn’t mean you are at any less risk for a security breach than a larger business. The reality is that cyber-criminals use automated scanning programs that don’t care whether your company is big or small; they are only looking for holes in your network security to exploit.

With tight budgets and fewer resources, small businesses need to make sure their firewalls are delivering maximum protection without sacrificing productivity. To achieve this goal, IT administrators should insist on solutions that provide:

  • Blazing-fast performance: Your firewall must not become a network bottleneck. If it holds up network traffic, then users complain about poor performance and slow response times. Administrators respond by easing security restrictions. The result? The business compromises its security to maintain acceptable performance. It’s a dangerous trade-off that should never happen.
  • Exceptional security: Insist on a firewall that includes deep packet inspection (DPI) technology to decrypt and inspect Secure Sockets Layer (SSL) traffic into and out of the network. Unfortunately, traditional firewalls lack this capability, which means hackers and cybercriminals can smuggle malware right through the firewall just by concealing it in SSL traffic. Many say their firewalls do inspect SSL traffic but fail to tell you how this impacts performance.
  • Low total cost of ownership (TCO): Security solutions that operate in silos can result in gaps and complexity that can kill efficiency and squander resources. Look for an integrated firewall that can be quickly set up and fine-tuned. Easy-to-use features, such as graphical interfaces and setup wizards, can save administration time and help reduce operation and maintenance costs.

As small businesses’ use of cloud applications grows, the security perimeter between your network and the internet becomes blurred, so nothing is as essential as a solution that draws the line to keep out unwanted intrusions. Your network provides access to critical applications and houses sensitive company and customer data. A single network breach can shut down your operations for days, or allow a hacker to steal vital business data. If you are not currently using or evaluating a next-generation firewall, you should be; there’s too much at stake.

Thanks to advances in firewall protection technology, achieving robust network security without sacrificing performance is possible and affordable. To read more tips on how to keep your small business network more efficient and secure, read the e-book, “Securing your small business.”

5 Security Tips Small Businesses Can’t Afford to Ignore

I returned to Las Vegas earlier this month to attend the Black Hat USA 2015 hacker conference, where I learned about the latest and most shocking vulnerabilities discovered by security researchers from around the world. It’s fascinating to see some of the incredible security exploits demonstrated there, which I thought were possible only in sci-fi films. But that’s not the case at the Black Hat convention, where top researchers revealed that what was once impossible to hack is now possible. In past years researchers published their findings on how computers, mobile devices, routers, wireless access points, webcams, security systems, and smart appliances such as televisions, refrigerators, and thermostats can be made to do things they were never designed to do once skilled hackers take control of them. This year, the scariest headlines focused on hacked cars and Internet of Things (IoT) devices. Just imagine hackers taking complete control of cars in the middle of a busy highway and doing the unthinkable, or turning printers, VoIP phones or other office devices into transmitters broadcasting decodable radio waves to send data. Attacks this sophisticated threaten the world’s economy, our daily lives and, in some cases, our national security. You quickly realize that even your most concealed data and individual safety are at heightened risk in today’s digitally connected world.

If you are a small business owner, how is this relevant to you? Many of these pieces of office equipment are at the core of your daily business operations. The ugly truth is that these devices are deployed and often neglected. This leaves them unsecured and makes them targets for exploitation, because they are rarely patched once they are installed. Thus, many network intrusion entry points and data breaches have been known to occur through these devices unbeknownst to the company. Just because you are a small business, you may think you’re not worth breaking into. The reality is that cyber-criminals know most small businesses have poor security practices, weak network defenses and vulnerable devices, which makes them easy and lucrative targets for automated attacks because they hold the same valuable information (e.g. personal, customer and financial) as larger organizations. CNBC recently reported that companies with fewer than 250 employees accounted for almost one third of cyber-attacks in 2014. With the hacking economy valued at several billion dollars annually, it’s almost certain there are plenty of malware developers out there, driven by greed, developing new hacking techniques to make their millions at the expense of small businesses.

If you are unsure whether you have implemented enough security measures to protect your small business, we recommend that you immediately boost your cyber security defense posture. SonicWall Security offers the following security tips to help improve your chances of preventing a data breach.

  1. Enforce a privacy policy: if your business collects, handles or stores sensitive data, including personal and financial information about your employees or your customers, you need to establish a privacy policy to ensure their information is protected and secured in compliance with legal obligations.
  2. Conduct annual security awareness training for employees: social engineering, online fraud, phishing emails, fake websites and free software downloads are successful tactics commonly used by cyber-criminals to get users to inadvertently share personal or business details on social networks and voluntarily install malicious software, such as fake anti-virus or computer clean-up tools, that is ultimately used for nefarious purposes. Employee awareness and recognition of common security risks when accessing the Internet are the first important steps to prevent a network breach.
  3. Control access to data: implement rigorous access policies where access to specific data is granted only to those individuals who have a specific clearance and use for that data.
  4. Establish multiple layers of security:
    1. Protect endpoint devices with strong password enforcement, two-factor authentication, disk encryption, anti-virus, anti-spam and web content filtering.
    2. Control network access with secure mobile access technology to identify and stop unauthorized access attempts.
    3. Combine multiple network defense capabilities, including intrusion detection, firewall, web filtering, application control, and anti-malware protection, to prevent unauthorized network access and stop malicious code from infecting the network.
    4. Subscribe to around-the-clock threat counter-intelligence services to receive continuous protection against new threats as they emerge.
  5. Secure your Wi-Fi network: make sure your wireless access point Service Set Identifier (SSID) name is not publicly broadcast, the default password is changed, and access is restricted to authorized devices and users only, with preset expiration dates.

For additional information about the latest network security technology and how it can help protect your business from today’s advanced cyber-attacks, download the exclusive “Securing Your Small Business” eBook.

SYNNEX Partners with SonicWall at Upcoming SonicWall Security Peak Performance 2015

The following is a guest post from Reyna Thompson, vice president of Product Marketing at SYNNEX Corporation.

SYNNEX is proud to be the newest distributor to carry the SonicWall solutions portfolio, and we’re excited to be a Platinum Sponsor at this year’s Security Peak Performance Conference in Las Vegas, NV, Aug. 30-Sept. 2. Our SonicWall Team is ready to help you find, manage and close your next network security deal.

As part of our launch, we’re providing resellers with five free vulnerability assessments. These assessments, performed on the end customers’ network, can be used to show where existing security vulnerabilities lie or to demonstrate proof of performance post-installation. We not only cover the cost of these assessments but provide you with experienced network security personnel who read the data, interpret the findings and make any necessary recommendations.

We’re also here to help you scale and, ultimately, grow your business. Key to that is ensuring you have both bandwidth and geographical reach when it comes to professional services. Just a few of the SYNNEX value-adds for your company are:

  • Deal registration services
  • Skilled engineering resources
  • Ability to manage rollouts
  • Flexible financing options: SYNNEX provides a multitude of options to ensure you have a financial vehicle to support even the largest opportunities.
  • SYNNEX-exclusive promotions: email sonicwall@synnex.com to ask us how you can win a December trip for two to Key West.
  • Nationwide professional services: SYNNEX offers nationwide site assessment and deployment services, helping you expand your geographical reach.

Whether you need two SonicWall TZ firewall appliances installed and configured or a network security overhaul for a Fortune 500 company, SYNNEX has the skills and service personnel to get the job done on time and under budget.

As a distributor of the full SonicWall line, we’re excited to round out our portfolio with SonicWall’s award-winning security products. Visit our booth at the SonicWall Security Peak Performance conference, and find out more about our service offerings and how our team can support you. Follow the conference hashtag #SonicWallPeak and enter the conference #SonicWallPeakSelfie Social Media Sweepstakes on Twitter @SonicWall and Facebook.

Reyna Thompson, Vice President, Product Marketing

Reyna Thompson is vice president of Product Marketing at SYNNEX Corporation. She is responsible for the ConvergeSOLV Secure Networking Business at SYNNEX. Mrs. Thompson joined the SYNNEX team in 2002, as Associate Vice President of Solutions Marketing for the Technology Solutions Division.

Prior to working for SYNNEX, Thompson worked for Gates/Arrow Distributing, where she held various roles dating back to 1993.

Antidetect.AB, a malware that uses Microsoft Register Server to avoid detection by anti-virus programs

The Dell SonicWALL Threats Research team has observed reports of a new malware family, named GAV: Antidetect.AB, actively spreading in the wild. This time the attacker uses Microsoft Register Server (regsvr32.exe) and manipulates the Windows registry to avoid detection by anti-virus programs.

Infection Cycle:

The malware uses the following icon:

MD5:

  • 9d994203fc51b31aa3f661a1dfe5374b

The malware adds the following file to the system:

  • Malware.exe

    • %Userprofile%\Local Settings\Application Data\[Random Name]\[Random Name].exe

The malware adds the following keys to the Windows registry to ensure persistence upon reboot:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

The malware manipulates the Windows registry so that, even if you run Msconfig.exe or Regedit.exe, you will not see any evidence of the malware’s run entry.

Here is an example:

Once the computer is compromised, the malware copies its own executable to the %Userprofile%\Local Settings\Application Data folder under a random name and then injects into Regsvr32.exe to collect information from the target system.

Here is an example of the Malware injection:

The malware tries to transfer your personal information to its own C&C server, using domains such as the following:

Command and Control (C&C) Traffic

Antidetect.AB performs C&C communication over ports 80 and 443. The malware sends your system information to its own C&C server in the following format; here are some examples:

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Antidetect.AB (Trojan)

Microsoft Internet Explorer Memory Corruption Vulnerability (Aug 18, 2015)

Microsoft released an out-of-band security advisory on Aug 18, 2015 to address a critical memory corruption vulnerability. It is tracked as MS15-093.

This vulnerability exists in Internet Explorer when a vulnerable version improperly parses a specially crafted webpage. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. It affects all supported versions of Internet Explorer.

Affected users are advised to install the update immediately, or to apply the workarounds from the advisory. Dell SonicWALL released the following IPS signature on the same day to protect its customers:

  • IPS: 11089 Internet Explorer Memory Corruption Vulnerability (MS15-093)

This vulnerability is tracked as CVE-2015-2502.

Now Available: New SonicWall Email Security eLearning Course

SonicWall SES eLearning course has had a makeover! And how! With recent upgrades to the SonicWall SES product suite, it was only natural that the free, Web-based online training that SonicWall offers to various partner channels would also be revised.

Change needs to beget Changed Content!

The newly launched course contains up-to-date information on SonicWall’s SES product suite, challenging quizzes, engaging instructional strategies modeled with a constructivist approach, a new course template, colorful and animated screens, and smaller course segments to accommodate busy schedules! The course harmonizes various knowledge levels and seeks to provide an enhanced learning experience around the SonicWall SES solution, to supplement the information provided by the product Admin Guide.

Knowledge rests not upon truth alone, but upon error also!

This free, self-paced training instructs you on how to deploy, configure, and maintain the SonicWall Email Security (SES) solution to meet email security and compliance requirements. The Web-based course prepares the students for their CSSA Level Certification exam. All 11 modules of this course are interspersed with challenging quizzes and knowledge checks modeled along Kirkpatrick’s evaluation principles and procedures to integrate learning, behavior, and results.

These knowledge checks have been deliberately left ungraded because their primary purpose is to help you revisit, analyze, or explore a concept based on any prior knowledge or experience in the email security domain. Detailed and analytical feedback is provided to you for most of the quizzes.

The new SonicWall SES course includes behaviorist-oriented, pre-instructional strategies, such as stimulating recall of prerequisites. It also follows a constructivist approach to non-graded quizzes and knowledge checks that provide opportunities for the learners to reflect upon and articulate what they learned using analytical or holistic rubrics.

There are things known, and there are things unknown. And in between are the doors!

The mainstay of the course is that the revised content came straight from the horse’s mouth, figuratively speaking! The subject matter expertise for the content originated not from the product engineers, but from the folks in the middle of all action, at the vanguards of the battle lines, at…, well, you get the idea! We are referring to none other than the omniscient Tech Support folks that provide solutions to any issues you might ever face with your SonicWall SES application. Their repertoire of case studies drawn from real-life customer stories and experiences was the source of much of the course content and helped make it as contextual and real-life as possible.

Knowledge is of two kinds; We know a subject ourselves, or we know where we can find information about it.

Let’s just summarize by stating that the new SonicWall Email Security course is dynamic, right-sized, collaborative, personalized, comprehensive and, best of all, free! So check it out and send us your feedback.

Data stealing trojan found in the wild (August 14, 2015)

The Dell SonicWALL Threats Research team has received reports of a Trojan, spreading in the wild, which steals information from the infected system and tries to leave no trace behind.

Infection Cycle:

The Trojan uses the following mutex:

  • SHIMLIB_LOG_MUTEX

Upon looking at the properties, the trojan is described as an application in Chinese, named Aspirate.

Upon execution, the Trojan creates a copy of itself in the following location:

  • %Application Data%\sample.exe [Detected as GAV: Crowti.A_86 (Trojan)]

It creates an autostart object at:

  • C:\Documents and Settings\Admin\Start Menu\Programs\Startup\sample.exe

In order to start after reboot the malware creates the following registry key:

  • %USER%\software\microsoft\windows\currentversion\run [sample.exe] [Detected as GAV: Crowti.A_86 (Trojan)]

To make removal even more difficult, it disables the System Restore:

  • HKLM\software\microsoft\windows nt\currentversion\systemrestore [disablesr]

The Trojan executes these commands:

  • C:\Windows\system32\svchost.exe -k netsvcs
  • C:\Windows\system32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
  • bcdedit /set {default} recoveryenabled No
  • bcdedit /set {default} bootstatuspolicy ignoreallfailures
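The vssadmin and bcdedit commands above are the recovery-tampering sequence a detection rule should key on. The following Python snippet (an added example, not from the original post) matches them in constructed process-creation records of the form timestamp|process|cmdline; the record layout, labels and function names are this example's own assumptions.

```python
import re

# One case-insensitive pattern per recovery-tampering command seen in this
# sample, each tagged with a label that can be carried into an alert.
TAMPER_PATTERNS = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b.*?/all\b", re.I)),
    ("recovery_disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("bootstatus_ignored",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
]


def classify_command(cmdline: str):
    """Return the labels of every tamper pattern that matches the command line."""
    return [label for label, rx in TAMPER_PATTERNS if rx.search(cmdline)]


def scan_log(lines):
    """Scan 'timestamp|process|cmdline' records and return (timestamp, labels)
    for each record that matched at least one pattern. Malformed records are
    skipped rather than allowed to abort the scan."""
    hits = []
    for line in lines:
        parts = line.rstrip("\n").split("|", 2)
        if len(parts) != 3:
            continue
        ts, _proc, cmd = parts
        labels = classify_command(cmd)
        if labels:
            hits.append((ts, labels))
    return hits


def distinct_tamper_labels(hits):
    """Sorted set of distinct labels across the hits. Several distinct labels
    from one host in one run is the combination worth alerting on: a single
    vssadmin call can be administrative, the full sequence rarely is."""
    return sorted({label for _, labels in hits for label in labels})


# Constructed sample log (not real telemetry), modelled on the commands above.
SAMPLE_LOG = [
    "2015-08-14T10:00:01|svchost.exe|C:\\Windows\\system32\\svchost.exe -k netsvcs",
    "2015-08-14T10:00:02|vssadmin.exe|C:\\Windows\\system32\\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet",
    "2015-08-14T10:00:03|bcdedit.exe|bcdedit /set {default} recoveryenabled No",
    "2015-08-14T10:00:04|bcdedit.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "garbage line without separators",
]

if __name__ == "__main__":
    for ts, labels in scan_log(SAMPLE_LOG):
        print(ts, ", ".join(labels))
    print("distinct:", distinct_tamper_labels(scan_log(SAMPLE_LOG)))
```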

It creates a file and tries to steal information at:

  • %Admin%\Cookies\UIJNQI9V.txt

It tries to connect to a series of remote domains that serve as its C&C servers.

It sends the following request to the C&C servers multiple times. Once it receives a reply, it sends encrypted information to the servers.

Dell SonicWALL Gateway AntiVirus and Intrusion Prevention provide protection against this threat with the following signature:

  • GAV: Crowti.A_86 (Trojan)

Tech Data and SonicWall Partner to Build Roads to Success

The following is a guest post from Chuck Bartlett, Senior Vice President, Advanced Infrastructure Solutions, Tech Data Corp.

The SonicWall Security Peak Performance 2015 conference is fast approaching. Taking place from Aug. 30 through Sept. 2 in Las Vegas, this conference offers an opportunity to gain important insights about security trends, learn about changing customer needs, and grow your business with SonicWall. As a platinum sponsor, Tech Data is proud to partner with SonicWall to provide education and consulting for resellers focused on industry-leading network security solutions and data protection.

As new security threats happen every second, Tech Data is committed to arming you with the tools and services your business’s security network needs to meet evolving market demands, reduce distractions, and ultimately increase profitability.

According to Gartner, total enterprise network security equipment spending in North America is expected to increase at a compound annual growth rate (CAGR) of 5.4% until 2019. Tech Data offers comprehensive security solutions that meet the evolving needs of this dynamic market, helping you protect your business and your customers’ data. Additionally, Tech Data provides best-in-class customer service and customized partner enablement programs, including sales and technical training, lead generation, and marketing services, to help grow your SonicWall business.

SonicWall offers industry-leading security solutions. Together with Tech Data’s dedicated team of industry experts, including software licensing specialists, system engineers, and product sales champions, we will work with you and your sales team to establish a customized, value-added channel enablement strategy that works for your business.

Please plan to visit us at booth #9 during the event for a one-on-one consultation. See you in Las Vegas!

Engage in event activities and follow the conversation on Twitter at @SonicWall and @Tech_Data using the conference hashtag #SonicWallPeak.
