Adobe Type Confusion Vulnerability CVE-2015-7645 Exploits in the Wild

A critical zero-day vulnerability, CVE-2015-7645, was found on Oct 13, 2015; it was first observed being used by the cyber-espionage campaign Pawn Storm. Adobe acknowledged the issue and released an emergency patch later that week. By exploiting this vulnerability, a remote attacker can execute arbitrary code on target systems running vulnerable versions of Adobe Flash Player via a crafted SWF file. The affected versions include Adobe Flash Player 18.x through 18.0.0.252 and 19.x through 19.0.0.207 on Windows and OS X, and 11.x through 11.2.202.535 on Linux. Adobe recommends patching immediately.

Specifically, the vulnerability exists in the IExternalizable interface supported by ActionScript in Adobe Flash Player. A type-confusion condition arises when the writeExternal function pointer is overwritten by a variable of a different type that carries the same name. The overwritten pointer can then point to arbitrary code controlled by an attacker.

Multiple exploits have been found for this vulnerability, and some of them have been identified in use by the Angler Exploit Kit; for example, the following are the hashes of two of the files:

  • d3e3194e612e7f9df804aea2f2ab818dd25a392b7a4b44f144a8d85ec8bc766d
  • 1b332c513d20e01208ee7dc3c80fc231b49cfd03a9be6c49990372d742381985

The following code from one of the exploits shows how the writeExternal function was overwritten by a variable declaration and assignment:

It was then called later:

An example of the obfuscated ActionScript code from the exploits is below:

Dell SonicWALL researched this vulnerability in the same week it was discovered and released multiple signatures to cover the exploits in the wild:

  • GAV: CVE-2015-7645 (Exploit)
  • GAV: CVE-2015-7645_2 (Exploit)
  • GAV: CVE-2015-7645_3 (Exploit)
  • GAV: CVE-2015-7645_4 (Exploit)

Heur.CFG A Malware Uses Encryption to Hide Its Intentions

The Dell SonicWALL Threats Research team has observed reports of a new malware family, GAV: Heur.CFG, actively spreading in the wild. This time the attacker uses self-signed encryption for C&C data communication to avoid detection by anti-virus programs.

Infection Cycle:

The Malware uses the following icon:

Md5:

  • 9F5DF82346249748F6C4A2E681BC33D3

The Malware adds the following keys to the Windows registry to ensure persistence upon reboot:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    • Armour = %Userprofile%\Malware.exe
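The Run-key entry above is the whole persistence mechanism, and it is the kind of thing an analyst wants to enumerate across a fleet rather than eyeball. The following script is an added example, not Dell SonicWALL's tooling: it reads the HKLM and HKCU Run keys with Python's standard winreg module when run on Windows, and flags autostart commands whose executable resolves into a user-writable location (%Userprofile%, %AppData%, %Temp% and similar, or a directory under C:\Users), or that are not absolute paths at all. The sample entries are constructed; the "Armour" one is modelled on the entry reported above. The checks are a triage heuristic, since per-user installers also autostart from AppData, so each hit still needs its binary's hash and publisher signature looked at.

```python
import re
import sys

# Autostart commands resolving into these locations run code from a user-writable
# path, which is how the Heur.CFG entry (%Userprofile%\Malware.exe) persists.
USER_WRITABLE_VARS = ("%userprofile%", "%appdata%", "%localappdata%", "%temp%", "%tmp%", "%public%")
USER_WRITABLE_DIRS = re.compile(r"(^|[\\/])(users[\\/][^\\/]+|programdata|temp|tmp)[\\/]", re.I)


def command_executable(command):
    """Return the executable part of an autostart command line, without quotes or arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    match = re.search(r"\.exe\b", command, re.I)   # unquoted path: cut after the first .exe
    return command[:match.end()] if match else command.split(" ", 1)[0]


def why_suspicious(command):
    """Return a reason string if the autostart command looks suspicious, else None (heuristic)."""
    exe = command_executable(command).lower()
    if exe.startswith(USER_WRITABLE_VARS):
        return "executable path is relative to a user-writable environment variable"
    if USER_WRITABLE_DIRS.search(exe):
        return "executable lives under a user-writable directory"
    if not re.match(r"^([a-z]:[\\/]|%[a-z]+%|\\\\)", exe):
        return "executable path is not absolute (resolved through the search path)"
    return None


def suspicious_run_entries(entries):
    """Given {value name: command} from a Run key, return [(name, command, reason)] for suspect entries."""
    hits = []
    for name, command in entries.items():
        reason = why_suspicious(command)
        if reason:
            hits.append((name, command, reason))
    return hits


def read_run_keys():
    """Collect {value name: command} from the machine and user Run keys. Windows only; empty elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    entries = {}
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            key = winreg.OpenKey(hive, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, index)   # raises OSError past the last value
                except OSError:
                    break
                entries[name] = str(value)
                index += 1
    return entries


# Constructed sample: the entry reported above plus three neighbours of varying legitimacy.
SAMPLE_RUN_ENTRIES = {
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "Armour": r"%Userprofile%\Malware.exe",
    "Updater": r'"C:\Users\alice\AppData\Roaming\updater\upd.exe" --quiet',
    "Helper": "helper.exe -s",
}

if __name__ == "__main__":
    # Fall back to the constructed sample when not running on Windows.
    for name, command, reason in suspicious_run_entries(read_run_keys() or SAMPLE_RUN_ENTRIES):
        print(f"{name}: {command}\n    -> {reason}")
```

On a live host, diffing the output of `read_run_keys()` against a known-good baseline is more useful than the heuristic alone, because the heuristic cannot tell a dropped binary from a per-user application update.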

Once the computer is compromised, the malware starts to communicate with its own domains using the following format:

The malware tries to communicate with its own C&C servers, such as the following IPs:

The malware uses self-signed encryption for C&C data communication to avoid detection by anti-virus programs; here is an example:

The malware tries to download SWF (Adobe Flash) and executable files from the following domains:

Command and Control (C&C) Traffic

Heur.CFG performs C&C communication over ports 80, 3009 and 23466. The malware sends the victim's system information to its C&C server in the following format; here are some examples:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Heur.CFG (Trojan)

SonicWall Previews New APT at SonicWall World 2015

Suffice it to say, SonicWall's been in the news recently. Certainly the news around EMC has garnered many headlines. But it’s great to know that while all of this goes on, our number one priority remains interacting with our customers from around the world. This week, many of us are at the annual SonicWall World and the SonicWall Software User Forum 2015 in Austin. SonicWall World is one of our greatest opportunities to interact with our customers one-on-one. It provides us with an opportunity to give and receive information. My role here is certainly to do both. At the start of SonicWall World my focus was to communicate the SonicWall Security Solutions strategy and our roadmap. Yesterday at the SonicWall World Software User Forum main stage, I had the chance to disclose some of our key innovations, including Simplified Infrastructure Management of Security + Networking, SaaS Global Management, and Security Sandboxing just to name a few. But in addition to these innovations, I want to be sure to highlight the exciting technology preview for Network Security.

To protect customers against the increasing dangers of advanced persistent threats (APTs), SonicWall is offering a technology preview of the SonicWall APT Protection Service at SonicWall World. This new service – available on both firewalls and email security solutions – scans files of any size and holds potentially malicious unknown files until a verdict can be reached. This solution is built on multi-layered sandbox technologies that use both system emulation and virtualization techniques to detect more threats than competitors’ single engine solutions and leverages the SonicWall GRID, our cloud forensics platform which leverages real-time analytics from over 500K connected next-gen firewalls (NGFWs). Customers immediately benefit from fast response times, high security effectiveness and reduced total cost of ownership.

Additional offerings from Network Security include:

  • New integrated management of SonicWall Networking X-Series switches through the SonicWall firewall interface allows customers to manage and enforce security policies across their network security, switching, wireless and WAN acceleration from a single pane of glass. This reduces complexity, increases operational efficiency and ultimately leads to better network security for multi-unit deployments.
  • SonicWall Email Security increases effectiveness with the addition of Cyren anti-virus signatures. SonicWall Hosted Email Security and Email Security appliances running software release 8.2 now feature best-in-class multi-layer AV protection including SonicWall GRID AV, McAfee AV, Kaspersky AV and Cyren AV.

What I love most about SonicWall World is my time spent talking to our customers and hearing how we can do better. I’m also extremely pleased that we’ve brought in our highly technical experts and resources to conduct in-depth detailed training. If you’re joining us here at SonicWall World 2015 and Software User Forum, THANK you, be sure to attend the track sessions highlighted in an earlier SonicWall World blog. The more training a company gets in security, the more secure they will be. I am thoroughly enjoying our time together. Please let me know if there are additional ways we can support you and be sure to visit our security evangelists in the Solutions Expo over the next few days!


Chimera Ransomware uses Bitmessage over TOR (Oct 23, 2015)

Ransomware infections have shown no signs of slowing down. The most prevalent of all, which belongs to a malware family called Cryptolocker, has proven to be persistent and adaptive, creating new variants and targeting different groups over time.

The Dell SonicWALL threats research team has received reports of a ransomware Trojan calling itself Chimera that appears to be targeting users in German-speaking countries. Cryptolocker, which heavily targeted the US and UK in its previous iterations, arrives as an email attachment purporting to be an important document, and this ransomware is no different.

Figure 1: Trojan purporting to be a fake document file

Infection Cycle:

Upon execution the malware injects itself into the legitimate explorer.exe and makes the following connection to determine the IP address of the victim machine:

Figure 2: Connecting to whatsmyipaddress.com shows the IP of the infected machine

Figure 3: Explorer.exe making malicious outbound connections

The malware then connects to several hostnames in the Tor Network. The following are just some of the hosts which this Trojan connected to during our analysis:

  • cpe-158-222-211-81.nyc.res.rr.com
  • lh28409.voxility.net
  • tor-exit6-readme.dfri.se
  • lumumba.torservers.net
  • 94x180x111x83.static-business.nsk.ertelecom.ru
  • host-084-246-200-122-adsl.wimanx.com
  • 96-8-160-155.block0.gvtc.com
  • 84-73-127-55.dclient.hispeed.ch
  • cpe-74-128-68-239.kya.res.rr.com
  • ppp95-165-168-168.pppoe.spdop.ru
  • 253.74.151.27.broad.fz.fj.dynamic.163data.com.cn
  • mm-173-84-125-178.mfilial.dynamic.pppoe.byfly.by
  • tor-exit-node.dnslab.nl
  • pD9F8C9BA.dip0.t-ipconnect.de

This variant of ransomware not only connects to different hosts in the Tor network but also uses PyBitmessage to send encrypted messages, keeping the identities of the sender and receiver hidden from wiretapping systems.

Figure 4: Trojan sending encrypted message using Bitmessage over TOR

The Trojan encrypts files with extensions such as .js, .da, .ini, .html, .xml, .jpg, .txt, .doc, .xls, .wma and .mpg, among others. It appends “.crypt” to the file's extension to mark it as encrypted, and also drops an HTML file, “YOUR_FILES_ARE_ENCRYPTED.HTML”, into every directory where encrypted files are found.

Figure 5: Sample of encrypted picture files with the “.crypt” extension

The Trojan also copies the file “YOUR_FILES_ARE_ENCRYPTED.HTML” to the Startup directory to ensure this message appears on reboot:

Figure 6: Chimera Malware warning and instructions on how to pay

The victim is given no deadline for sending bitcoin payments to decrypt the files, but is threatened with a warning that private data, photos and videos will be posted online if no payment is made.
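The on-disk footprint described above (the “.crypt” suffix on every encrypted file, a ransom note in each affected directory, and a copy of that note in the Startup folder) is what an incident responder can sweep for on a suspect host. The script below is an added example, not Dell SonicWALL's code: it walks a directory tree, counts “.crypt” files, tallies which original extensions were hit, and separates directories that hold the note alongside encrypted files from those that hold the note alone, which is where the Startup-folder copy surfaces. The directory layout it sweeps is constructed in a temporary directory for the demonstration.

```python
import os
import tempfile
from collections import Counter

RANSOM_NOTE = "YOUR_FILES_ARE_ENCRYPTED.HTML"   # note file name reported above
ENCRYPTED_SUFFIX = ".crypt"                     # suffix Chimera appends to each file it encrypts


def sweep_for_chimera_artifacts(root):
    """Walk `root` and summarise Chimera-style artefacts.

    Returns a dict with the count of .crypt files, a Counter of the extensions
    that preceded .crypt (what data was hit), every directory holding the ransom
    note, and the subset of those holding the note without any .crypt file,
    which is where the Startup-folder copy shows up.
    """
    summary = {"encrypted_files": 0, "original_exts": Counter(),
               "dirs_with_note": [], "dirs_note_only": []}
    for dirpath, _, filenames in os.walk(root):
        crypt_here = [f for f in filenames if f.lower().endswith(ENCRYPTED_SUFFIX)]
        note_here = any(f.upper() == RANSOM_NOTE for f in filenames)
        summary["encrypted_files"] += len(crypt_here)
        for name in crypt_here:
            original = name[:-len(ENCRYPTED_SUFFIX)]          # strip .crypt to recover the old name
            ext = os.path.splitext(original)[1].lower() or "(none)"
            summary["original_exts"][ext] += 1
        if note_here:
            rel = os.path.relpath(dirpath, root)
            summary["dirs_with_note"].append(rel)
            if not crypt_here:
                summary["dirs_note_only"].append(rel)
    return summary


def build_sample_tree(root):
    """Populate `root` with a constructed layout imitating a host after a Chimera run."""
    layout = {
        "Pictures": ["holiday.jpg.crypt", "family.jpg.crypt", RANSOM_NOTE],
        "Documents": ["report.doc.crypt", "budget.xls.crypt", "readme.txt", RANSOM_NOTE],
        os.path.join("AppData", "Startup"): [RANSOM_NOTE],   # the note's copy that shows on reboot
        "Program Files": ["vendor.exe"],                     # untouched directory
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for name in names:
            with open(os.path.join(root, sub, name), "wb") as fh:
                fh.write(b"constructed placeholder content")


def run_demo():
    """Build the constructed tree in a temporary directory and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sweep_for_chimera_artifacts(tmp)


if __name__ == "__main__":
    result = run_demo()
    print(f"{result['encrypted_files']} encrypted files; extensions hit: {dict(result['original_exts'])}")
    print("ransom note in:", result["dirs_with_note"])
    print("note without encrypted files (check Startup):", result["dirs_note_only"])
```

Pointing `sweep_for_chimera_artifacts` at a mounted image of an affected host gives a quick scope of what was encrypted before any restore-from-backup decision; the extension tally also tells you whether the list of targeted extensions reported above matches what you see.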

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Chimera.RW (Trojan)

More Adobe Flash (SWF) Exploits Discovered in the Wild for CVE-2015-5119

CVE-2015-5119 is a use-after-free vulnerability in the ByteArray class of ActionScript 3. Adobe first released the advisory for CVE-2015-5119 in July, and the first exploit surfaced soon after. We continue to observe new exploits in the wild.

A typical exploit for this vulnerability adds an extra layer of obfuscation by placing the exploit ActionScript code in a second Flash file, which is embedded as a binary within the outer Flash file. The following image shows the decompiled outer SWF file. Here you can see that a binary byte array is included in the outer SWF file:

This image shows the encrypted bytes of the binary file (which will be retrieved through a ByteArrayAsset class in ActionScript and decoded):

The following function decodes the binary with an embedded key and obfuscated system function calls:

This image shows the binary of the embedded Flash file after decryption:

Finally, we can see the exploit code for CVE-2015-5119 that resides inside the inner SWF file. This exploit uses the valueOf property on a ByteArray:

Dell SonicWALL has observed hundreds of exploits using this Flash-wrapping method in the wild since July. Multiple GAV signatures have been created to protect customers. The following are some of them:

  • 28005 CVE-2015-5119.AJ
  • 27997 CVE-2015-5119.C_3
  • 27992 CVE-2015-5119.A_17
  • 19262 CVE-2015-5119_3
  • 18484 CVE-2015-5119_2
  • 18363 CVE-2015-5119.AN_2
  • 16398 CVE-2015-5119.C_4
  • 16399 CVE-2015-5119.C_5
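Both Flash write-ups on this page come down to structure visible in the SWF container: the CVE-2015-7645 samples reference the IExternalizable interface and writeExternal in their ActionScript bytecode, and the CVE-2015-5119 wrappers carry the real exploit as a binary blob (a DefineBinaryData tag) that is either a second SWF or an encrypted form of one. The following triage script is an added example, not Dell SonicWALL's code and not taken from any of the exploit samples: it decompresses the container (FWS and zlib CWS; the LZMA ZWS form is reported as unhandled), walks the tag list, reports DoABC tags whose bytecode contains the strings named above, and reports DefineBinaryData tags that begin with an SWF signature (recursing into them) or that are high-entropy and therefore possibly encrypted. Tag codes 82 (DoABC) and 87 (DefineBinaryData) and the header layout follow the SWF file format specification; the flagged strings and the 7.0 bits/byte entropy threshold are assumptions chosen for triage, not detection signatures. The sample SWFs are constructed by the script itself, with a few header bytes standing in for ABC bytecode.

```python
import hashlib
import math
import struct
import zlib
from collections import Counter

TAG_END, TAG_DOABC, TAG_DEFINE_BINARY_DATA = 0, 82, 87   # tag codes from the SWF specification
# Strings whose presence in ABC bytecode earns a closer look (triage heuristic, not a signature)
SUSPECT_STRINGS = (b"IExternalizable", b"writeExternal", b"ByteArrayAsset")


def decompress_swf(blob):
    """Return (version, body) where body is the uncompressed data after the 8-byte header."""
    sig, version, length = blob[:3], blob[3], struct.unpack_from("<I", blob, 4)[0]
    if sig == b"FWS":
        body = blob[8:]
    elif sig == b"CWS":
        body = zlib.decompress(blob[8:])
    elif sig == b"ZWS":
        raise ValueError("LZMA-compressed (ZWS) file not handled by this example")
    else:
        raise ValueError("not an SWF file")
    if len(body) + 8 != length:
        raise ValueError("header length field does not match uncompressed size")
    return version, body


def iter_tags(body):
    """Yield (code, payload) for each tag record after the RECT, frame rate and frame count."""
    nbits = body[0] >> 3                       # RECT: 5-bit field width, then 4 fields of nbits each
    off = (5 + 4 * nbits + 7) // 8 + 4         # RECT bytes + 2 (frame rate) + 2 (frame count)
    while off + 2 <= len(body):
        hdr = struct.unpack_from("<H", body, off)[0]
        off += 2
        code, length = hdr >> 6, hdr & 0x3F
        if length == 0x3F:                     # long form: 32-bit length follows the header
            length = struct.unpack_from("<I", body, off)[0]
            off += 4
        yield code, body[off:off + length]
        off += length
        if code == TAG_END:
            break


def entropy(data):
    """Shannon entropy in bits per byte; values near 8 indicate compressed or encrypted data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def triage_swf(blob, depth=0):
    """List findings for one SWF, recursing into any embedded SWF found in DefineBinaryData."""
    findings = []
    for code, payload in iter_tags(decompress_swf(blob)[1]):
        if code == TAG_DOABC:
            abc = payload[payload.find(b"\x00", 4) + 1:]   # skip uint32 flags and NUL-terminated name
            findings += [f"depth{depth}: DoABC references {s.decode()}" for s in SUSPECT_STRINGS if s in abc]
        elif code == TAG_DEFINE_BINARY_DATA:
            data = payload[6:]                             # skip uint16 character ID and uint32 reserved
            if data[:3] in (b"FWS", b"CWS", b"ZWS"):
                findings.append(f"depth{depth}: DefineBinaryData holds an embedded SWF")
                try:
                    findings += triage_swf(data, depth + 1)
                except ValueError as exc:
                    findings.append(f"depth{depth + 1}: embedded SWF not parsed ({exc})")
            elif len(data) >= 256 and entropy(data) > 7.0:
                findings.append(f"depth{depth}: DefineBinaryData is high-entropy "
                                f"({entropy(data):.2f} bits/byte), possibly an encrypted payload")
    return findings


# --- constructed sample files (not real exploit samples) -----------------------------

def _tag(code, payload):
    return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload   # long header form


def build_swf(tags, compress=False):
    """Assemble a minimal SWF: empty RECT, 12 fps, one frame, the given tags, then an End tag."""
    body = b"\x00" + struct.pack("<HH", 12 << 8, 1) + b"".join(tags) + _tag(TAG_END, b"")
    header = bytes([10]) + struct.pack("<I", 8 + len(body))
    return (b"CWS" + header + zlib.compress(body)) if compress else (b"FWS" + header + body)


def _pseudo_random(n, seed=b"constructed"):
    """Deterministic high-entropy bytes standing in for an encrypted payload."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


def sample_inner_swf():
    """Inner SWF whose DoABC tag names the interface and method involved in CVE-2015-7645."""
    abc = b"\x10\x00\x2e\x00" + b"IExternalizable\x00writeExternal\x00"   # stand-in for ABC bytecode
    return build_swf([_tag(TAG_DOABC, struct.pack("<I", 1) + b"frame1\x00" + abc)])


def sample_wrapped_swf():
    """Outer zlib-compressed SWF carrying the inner SWF as a DefineBinaryData blob."""
    return build_swf([_tag(TAG_DEFINE_BINARY_DATA, struct.pack("<HI", 1, 0) + sample_inner_swf())], compress=True)


def sample_encrypted_wrapper_swf():
    """Outer SWF whose DefineBinaryData blob is opaque, as when the inner file is encrypted with a key."""
    return build_swf([_tag(TAG_DEFINE_BINARY_DATA, struct.pack("<HI", 1, 0) + _pseudo_random(4096))])


if __name__ == "__main__":
    for name, swf in (("wrapped", sample_wrapped_swf()), ("encrypted", sample_encrypted_wrapper_swf())):
        print(name, triage_swf(swf))
```

The high-entropy branch is the one that matters for the wrapping technique described above: because the inner file is decoded at runtime with an embedded key, a static scanner never sees an SWF signature inside the blob, so a large opaque DefineBinaryData payload is itself the indicator, and the sample then goes to dynamic analysis or to a decoder written against that specific wrapper.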

Firewall Hero Sandwich to the Rescue

When a giant global plastics manufacturer faced an expanding cyber threat landscape, SonicWall’s firewall “Hero Sandwich” came to the rescue. The SonicWall Firewall Sandwich was recently deployed by this customer, a global enterprise network. The challenges faced by this customer were the same that all companies face today as the cyber threat landscape grows exponentially year over year. While vastly differing in scalability, architecture, and policy, cyber security is paramount to any business or corporation, whether it be the local fast food merchant, a multinational financial institution, or a government service or agency. As the customer’s network expanded, the network administrators desperately needed to augment their security protection and inspection for their Internet presence. While securing the gateway is fundamental, this did not take into account the ever increasing challenge that every network administrator faces today: protecting the network from the end users.

Every network with a mobile workforce is faced with the same inherent risk of the industry’s most elaborate and compromising cyber security breaches. Network admins must account for devices, often taken off-premises that have secure and trusted access to the corporate network generally beyond the gateway firewall. These devices are vulnerable when they connect to possibly unsecure public networks, or go to sites normally blocked by the corporate firewall or security policy. This trusted device then could compromise the corporate network once the device is reconnected to the internal network. A gateway solution does not account for this type of vulnerability.

The network administrator of the giant plastics manufacturer had to find a way to deliver security inspection and control for some 500 mobile devices while simultaneously securing a large datacenter serving a global workforce of over 5,000 users. While the manufacturer’s Internet connectivity is a 1 Gbps connection, this paled in comparison to the average per-second throughput of their internal core network, which moves 30 – 40 Gbps on average. The real challenge was identifying a security solution that could meet this high throughput demand and provide a path to easily meet performance demands in the future without introducing latency into the network. Enter the SonicWall Firewall Sandwich to the rescue!

In this fluid design for this manufacturer, the network admin implemented four of the SonicWall SuperMassive 9800s in a single Firewall Sandwich deployment, our “Hero Sandwich”. With high performance SonicWall next-generation firewalls in place the customer could easily scale to their current 40 Gbps. Furthermore, the architecture of the SonicWall Firewall Sandwich enables the customer to easily scale this network by simply adding additional appliances over time as demand on throughput expands. Even speeds of 60, 100, even 300 Gbps and higher are easily deliverable with this solution. With the “Hero Sandwich” the network admin now has the ability to apply the industry’s best Application Control, Anti-Virus Inspection, Anti-Spyware Inspection, SSL Decryption, Botnet Inspection, and Intrusion Detection & Prevention on all traffic traversing his internal network. All these services are performed real-time on every packet, and without introducing any performance limitations or network latency. This particular network admin now has the ability to ensure the integrity of the internal network, even from internally introduced threats.

Here are some important questions you might want to ask yourself. Do you have similar network demands? Do you have a mobile workforce with devices coming and going on your internal network? Do you inspect inside-to-inside network activity? Are you able to monitor network applications, access, and user activity? Can you easily produce user activity and threat alert reports on inside LAN communications? Do you know what threats exist on your LAN today? The SonicWall Firewall Sandwich may be your solution, too. Download the tech brief and watch the Webinar and contact your SonicWall team today.

Info stealer module leaks process information (Oct 16th, 2015)

The Dell SonicWALL Threats Research team has discovered an info-stealer Trojan that is possibly a module of a larger botnet crimeware system. The sample analysed here leaks information about the currently running processes on the system and contains functionality to capture desktop screenshots.

Infection cycle:

The Trojan uses the following icon to masquerade as a harmless PDF file:

The Trojan adds the following files to the filesystem:

  • %WINDIR%\ueubupb.hiv (encrypted file)
  • %WINDIR%\wyv.lta (encrypted file)

The Trojan periodically sends encrypted data to a remote webserver:

During analysis we were able to locate the routine used to encrypt the outgoing data:

It was discovered that the data being sent is a list of running processes on the system:

This Trojan is believed to be part of the Nymaim malware family.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Nymaim.AY (Trojan)

Microsoft Security Bulletin Coverage (October 13, 2015)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for October 2015, released on October 13, 2015. The list of issues reported, along with Dell SonicWALL coverage information, is as follows:

MS15-106 Cumulative Security Update for Internet Explorer

  • CVE-2015-2482 Scripting Engine Memory Corruption Vulnerability
    IPS: 11189 “Windows Scripting Engine Memory Corruption Vulnerability (MS15-108)”
  • CVE-2015-6042 Memory Corruption Vulnerability
    IPS: 11191 “Internet Explorer Memory Corruption Vulnerability (MS15-106) 3”
  • CVE-2015-6044 Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6046 Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6047 Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2015-6048 Memory Corruption Vulnerability
    IPS: 11192 “Internet Explorer Memory Corruption Vulnerability (MS15-106) 4”
  • CVE-2015-6049 Memory Corruption Vulnerability
    IPS: 11193 “Internet Explorer Memory Corruption Vulnerability (MS15-106) 5”
  • CVE-2015-6050 Memory Corruption Vulnerability
    IPS: 11194 “Internet Explorer Memory Corruption Vulnerability (MS15-106) 6”
  • CVE-2015-6051 Elevation of Privilege
    This is a local vulnerability.
  • CVE-2015-6052 VBScript and JScript ASLR Bypass
    IPS: 11185 “Internet Explorer ASLR Bypass Vulnerability (MS15-106) 1”
  • CVE-2015-6053 Information Disclosure Vulnerability
    IPS: 11186 “Internet Explorer Information Disclosure Vulnerability (MS15-106) 1”
  • CVE-2015-6055 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6056 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6059 Information Disclosure Vulnerability
    IPS: 11187 “Windows Scripting Engine Information Disclosure Vulnerability (MS15-106)”

MS15-107 Cumulative Security Update for Microsoft Edge

  • CVE-2015-6057 Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6058 XSS Filter Bypass in Microsoft Edge
    IPS: 9592 “Cross-Site Scripting (XSS) Attack 42”

MS15-108 Security Update for Jscript and VBScript to Address Remote Code Execution

  • CVE-2015-2482 Scripting Engine Memory Corruption Vulnerability
    IPS: 11189 “Windows Scripting Engine Memory Corruption Vulnerability (MS15-108)”
  • CVE-2015-6052 VBScript and JScript ASLR Bypass
    IPS: 11185 “Internet Explorer ASLR Bypass Vulnerability (MS15-106) 1”
  • CVE-2015-6055 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6059 Information Disclosure Vulnerability
    IPS: 11187 “Windows Scripting Engine Information Disclosure Vulnerability (MS15-106)”

MS15-109 Security Update for Windows Shell to Address Remote Code Execution

  • CVE-2015-2515 Toolbar Use After Free Vulnerability
    IPS: 11188 “Internet Explorer Toolbar Use-After-Free (MS15-109)”
  • CVE-2015-2548 Microsoft Tablet Input Band Use After Free Vulnerability
    IPS: 11190 “Microsoft Tablet Input Band Use-After-Free (MS15-109)”

MS15-110 Security Updates for Microsoft Office to Address Remote Code Execution

  • CVE-2015-2555 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2556 Microsoft SharePoint Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2557 Microsoft Office Memory Corruption Vulnerability
    IPS: 3209 “MS WSDAPI Memory Corruption Attempt (MS09-063)”
  • CVE-2015-2558 Microsoft Office Memory Corruption Vulnerability
    IPS: 3210 “Titan FTP Server Information Disclosure”
  • CVE-2015-6037 Microsoft Office Web Apps XSS Spoofing Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-6039 Microsoft SharePoint Security Feature Bypass Vulnerability
    There are no known exploits in the wild.

MS15-111 Security Update for Windows Kernel to Address Elevation of Privilege

  • CVE-2015-2549 Windows Kernel Memory Corruption Vulnerability
    This is a local vulnerability.
  • CVE-2015-2550 Windows Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2015-2552 Trusted Boot Security Feature Bypass Vulnerability
    This is a local vulnerability.
  • CVE-2015-2553 Windows Mount Point Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2015-2554 Windows Object Reference Elevation of Privilege Vulnerability
    This is a local vulnerability.

New SonicWall Email Security 8.2 w. Cyren AV

The foundation of email threat protection has long been anti-virus technology and IP reputation databases. Threat research teams across the globe are hard at work analyzing email, identifying spam and malware, and building anti-virus and IP reputation database libraries to help combat threats. Experts agree that for best threat protection, email security solutions should not rely on a single anti-virus engine or reputation database, but should integrate multiple sources to maximize security effectiveness.

To deliver best-in-class email threat protection, SonicWall Email Security 8.2 includes multiple anti-virus technologies, including SonicWall Global Response Intelligent Defense (GRID) Anti-Virus, SonicWall Time Zero, and premium anti-virus technologies, including McAfee, Kaspersky, and now, Cyren Anti-Virus.

Cyren AV is now included with SonicWall Hosted Email Security and, for customers that prefer an on-prem solution, available with Email Security appliance and software release 8.2, when purchased with the Total Secure subscription service. The SonicWall Email Security offers seamless set-up for IT administrators and provides immediate results.

“Since replacing our Barracuda appliance with SonicWall, we achieved a 95 percent reduction in spam reaching user mailboxes,” said Gary Walker, network administrator, City of Alexandria.

With SonicWall Email Security solutions, our GRID Network performs rigorous testing and evaluation of millions of emails every day, and then reapplies this constantly updated analysis to provide exceptional spam-blocking results and anti-virus and anti-spyware protection. SonicWall Time Zero Virus Protection uses predictive and responsive technologies to protect organizations from virus infections before anti-virus signature updates are available. Suspect emails are identified and immediately quarantined, safeguarding the network from the time a virus outbreak occurs until the time an anti-virus signature update is available. Moreover, premium anti-virus technology from industry-leading, anti-virus partners including McAfee, Kaspersky, and Cyren provides an additional layer of anti-virus protection, resulting in protection superior to that provided by solutions that rely on a single anti-virus technology. In addition to the multi-layer threat protection and ease of use, the SonicWall solution is affordable and provides low TCO.

“With SonicWall, we have easily saved $30,000, and will save an additional $15,000 each year,” said Walker.

Learn More about SonicWall Email Security

For more information about SonicWall Email Security, please visit our website, refer to the SonicWall Email Security 8.2 release notes, or contact a SonicWall representative at 1.888.557.6642 or email sales@sonicwall.com.

Visualization is Key to Deeper Network Security

If you follow sports at all you’ve probably heard about athletes using visualization to improve performance. It’s a simple tool where an athlete visualizes or “sees” himself or herself performing successfully in the athlete’s mind. Through visualization athletes paint a mental picture of how they will succeed and accomplish their goals.

The concept of visualization also applies to network security. If you’re an administrator it’s important that you have constant insight into what’s happening on the network. Gathering intelligence on users, applications, bandwidth consumed, etc. is a smart idea. Not only does it give you a better understanding of who’s on the network and what they’re doing, it also helps you develop a plan to optimize your network’s performance. Network visualization takes intelligence gathering a step further by providing a graphical representation of network activity. The ability to see various activities across the network in real time is a big advantage.

Want another reason why visualization is important? Most humans learn from watching. Here’s an interesting fact. According to the Social Science Research Network, 65 percent of the population are visual learners. We also process visual information much faster than information that’s text-based. It stands to reason then that having the tools to visualize network activity is critical to gaining a deeper level of security.

These days the new norm in network security is the next-generation firewall. One of the requirements of a next-generation firewall is application identification and visibility. Administrators should be able to view applications in use on the network, the amount of bandwidth and processing power they consume and who the top users are. Using this information you can make informed decisions such as which apps to allow and which to block, the amount of bandwidth to allocate to each app and whether you need to have a talk with an employee about his/her choice of websites which may potentially contain malware.

If you’re still using a legacy stateful packet inspection firewall or even a next-generation firewall to protect your network, here are 10 questions you should ask to make sure you’re getting the right level of protection from your security appliance.

Does my firewall:

  1. Gather information on critical topics such as apps, users, bandwidth consumption and threats across the network?
  2. Present the information visually in a way that makes it easy to understand?
  3. Update the information in real time so that I have the latest data?
  4. Provide daily reports on network threats (viruses, intrusions, malware) and non-essential multimedia apps (gaming, video) that have been blocked?
  5. Allow me to manage bandwidth per application and allocate more to business-critical apps while throttling those that are unproductive?
  6. Provide continual information on other vital functions such as connection count, memory and CPU usage, incoming and outgoing packets and more?
  7. Chart log activity?
  8. Offer filters that allow me to view information in multiple formats over different time periods?
  9. Enable me to export or email data directly from the firewall?
  10. Provide an intuitive dashboard that summarizes all the information I need?

Earlier I brought up the use of visualization in sports and how athletes use it to help improve their performance. Well, here’s another example of visualization, albeit in a slightly different way. The pylon cam. The pylon cam is the NFL’s latest tool for gathering information through visualization. Inside each goal line pylon is a high-definition camera that provides a field-level view across both the goal lines and sidelines. Officials can then use this information to make the correct call on critical plays. It’s an interesting use of the visualization concept to gather information and make decisions, just like in network security.

If you are interested in learning more about firewall solutions that provide application control and network visualization, take a virtual test drive of the SonicWall NSA 3600.