Adobe Type Confusion Vulnerability CVE-2016-1019 Exploited in the Wild

A critical type confusion vulnerability has been reported in Adobe Flash Player, tracked as CVE-2016-1019. It affects Flash Player on Windows, Mac, Linux and Chrome OS. An attacker who successfully exploits it can execute arbitrary code and potentially take control of the affected system. Versions 21.0.0.197 and earlier are vulnerable.

Exploits of this vulnerability have been seen in the wild. Some sample SHA1 hashes are listed below:

  • 9d7561f5613114431bf906ede4bc1c40208a9e35
  • 7021457e03445f8f10e38cf5aed4a60a757ea326
  • 8670993b2e63e32260685a80b78d15adf5742a6a
  • 2173970148947e7954ac028fc2fd855445897be1

Although the vulnerability is being exploited in the wild, a mitigation introduced in Flash Player 21.0.0.182 prevents these exploits from succeeding.

The exploits are obfuscated, as usual. Even so, the attempt to exploit this vulnerability is easy to spot:

As can be seen above, the code loads bytes from ‘var_51’, which points to one of the byte arrays in the ‘binaryData’ section of the SWF file. That byte array is another SWF file embedded inside the first:

Let’s load this embedded SWF:

This is a heavily obfuscated file. The nature of the vulnerability requires two SWFs to work together: the outer SWF loads the embedded one, and the embedded SWF is merely the second stage that actually triggers the vulnerability.
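Because the trigger lives in a second SWF stored as a byte array inside the first, the first analysis step is to carve that embedded file out. The script below is an added example for that step, not code from the original post or from the exploit: it inflates an FWS/CWS container, scans the body for nested SWF headers, and carves each one using the declared length (FWS) or the end of the zlib stream (CWS). The sample SWF bytes in the test are constructed, and LZMA (ZWS) containers are only reported, not inflated.

```python
"""Carve SWF files embedded in another SWF's body (e.g. a second-stage SWF
stored in a binaryData tag).

Added example, not code from the original post. It handles FWS (uncompressed)
and CWS (zlib) containers; ZWS (LZMA) containers use a non-standard framing
and are only reported, not inflated. All sample bytes used with it are constructed.
"""
import struct
import zlib

SIGNATURES = (b"FWS", b"CWS", b"ZWS")


def unpack_swf(data: bytes):
    """Return (signature, version, declared_length, uncompressed_body)."""
    if len(data) < 8 or data[:3] not in SIGNATURES:
        raise ValueError("not a SWF header")
    sig, version = data[:3], data[3]
    declared_len = struct.unpack_from("<I", data, 4)[0]  # length of the *uncompressed* file
    if sig == b"FWS":
        body = data[8:declared_len]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])
    else:
        raise ValueError("ZWS (LZMA) containers are not inflated by this example")
    return sig, version, declared_len, body


def _carve_at(body: bytes, off: int):
    """Return the bytes of an embedded SWF starting at body[off], or None."""
    sig = body[off:off + 3]
    if sig not in SIGNATURES:
        return None
    version = body[off + 3]
    declared_len = struct.unpack_from("<I", body, off + 4)[0]
    # Plausibility checks so a stray "FWS" in random data is not carved.
    if not 1 <= version <= 60 or declared_len < 8:
        return None
    if sig == b"FWS":
        if off + declared_len > len(body):
            return None
        return body[off:off + declared_len]
    if sig == b"CWS":
        d = zlib.decompressobj()
        try:
            inflated = d.decompress(body[off + 8:])
        except zlib.error:
            return None
        if not d.eof or len(inflated) + 8 != declared_len:
            return None
        consumed = len(body) - (off + 8) - len(d.unused_data)  # size of the zlib stream
        return body[off:off + 8 + consumed]
    return None  # ZWS: compressed size cannot be recovered without the LZMA framing


def find_embedded_swfs(container: bytes):
    """Return [(offset_in_body, carved_bytes)] for every SWF found in the body."""
    _, _, _, body = unpack_swf(container)
    found, off = [], 0
    while off + 8 <= len(body):
        carved = _carve_at(body, off)
        if carved:
            found.append((off, carved))
            off += len(carved)  # step over the carved file instead of re-scanning it
        else:
            off += 1
    return found


def build_swf(signature: bytes, version: int, body: bytes) -> bytes:
    """Assemble a minimal SWF container (used here only to construct sample input)."""
    header = signature + bytes([version]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if signature == b"CWS" else body)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            data = fh.read()
        for off, blob in find_embedded_swfs(data):
            out = f"{path}.embedded_{off:#x}.swf"
            with open(out, "wb") as fh:
                fh.write(blob)
            print(f"{path}: embedded {blob[:3].decode()} v{blob[3]} at body offset {off:#x} -> {out}")
```

Run it as `python carve_swf.py sample.swf`; each carved file can then be fed back into the same script, since a second stage may itself embed further stages. The version and length plausibility checks matter on obfuscated samples, where the byte arrays are large enough that a random three-byte "FWS" is likely.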

The Dell SonicWALL Threat Research team has created the following signatures to protect customers from these exploits:

  • CVE-2016-1019.A_4(Exploit)
  • CVE-2016-1019.A_3
  • CVE-2016-1019.A_2
  • CVE-2016-1019.A

Guatambu: new multi-component InfoStealer drops Kartoxa POS Malware (Apr 08, 2016)

The Dell SonicWALL Threats Research team has observed reports of a new multi-component InfoStealer family, detected as GAV: Guatambu.AAB and GAV: Guatambu.POS, actively spreading in the wild.

Guatambu gathers confidential information from the infected computer, such as login details, passwords and financial information, and sends it to its own C&C server.

One major component of Guatambu includes memory scraping functionality.

The malware drops the Kartoxa POS malware on the target system.

Infection Cycle:

MD5:

  • 823c663a4aecdc74e36fb224c2ff1ddc Detected as GAV: Guatambu.AAB (Trojan)
  • fa88a7c8e6779993eb70370c9263b3c3 Detected as GAV: Guatambu.POS (Trojan)

The malware adds the following files to the system:

  • %Userprofile%\Start Menu\Programs\Startup\WordPad.exe Detected as GAV: Guatambu.AAB (Trojan)
  • %Userprofile%\Application Data\Taskhost.exe Detected as GAV: Guatambu.AAB (Trojan)
  • %Userprofile%\Application Data\Dwn.exe Detected as GAV: Guatambu.AAB (Trojan)
  • %Userprofile%\Application Data\POS.exe Detected as GAV: Guatambu.POS (Trojan)
  • %Userprofile%\Application Data\Output.txt [POS credit card data]

The malware adds the following keys to the Windows registry:

  • HKEY_CURRENT_USER\Software\VB and VBA Program Settings\GUID\GUID = 520EAFA9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UACDisableNotify = dword:00000000

The malware runs the following commands on the system:

Once the computer is compromised, the malware copies its own executable files to the user profile folder.

The malware then contacts its own domain to check for a new version, updates its own sample if one is available, and downloads the POS component, detected as GAV: Guatambu.POS (Trojan).

For Guatambu, the goal is to collect as much data as possible; the more details about the user that end up in the hands of the remote attacker, the bigger the potential profit.

The malware gathers system data such as the following:

  • COMPUTERNAME
  • &admin=
  • &hid=
  • &arc=
  • &user=USERNAME
  • Full
  • &ram=
  • &cpu=
  • &gpu=

Once Guatambu has downloaded the POS component, that component retrieves the list of running processes and periodically scrapes their memory for credit card data, as in the following example:
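What a POS memory scraper is actually looking for is magnetic-stripe track data, and the usual way it separates card numbers from other digit runs is a Luhn check. The script below is an added example for analysts, not Guatambu or Kartoxa code: it runs that same search over a buffer so you can confirm, on a process memory dump or on the dropped Output.txt, exactly what such a scraper would have harvested. The SAMPLE_MEMORY buffer is constructed, and the card numbers in it are published industry test numbers rather than real accounts.

```python
"""Scan a memory-like buffer for magnetic-stripe track data the way a POS
memory scraper does, keeping only card numbers that pass the Luhn check.

Added example for analysts, not Guatambu/Kartoxa code. SAMPLE_MEMORY is a
constructed buffer; the PANs in it are published test numbers.
"""
import re
from typing import Dict, List

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1 = re.compile(rb"%?B(\d{13,19})\^([A-Z /.'-]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]{0,30})\??")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2 = re.compile(rb";?(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d{0,30})\??")

# Constructed stand-in for a process memory region: two valid records plus a
# Luhn-invalid decoy that a scraper would discard.
SAMPLE_MEMORY = (
    b"\x00" * 16
    + b"%B4111111111111111^DOE/JOHN^25121011234567890?"
    + b"\x00garbage\x7f"
    + b";5555555555554444=2606201123456789?"
    + b"\x00" * 4
    + b";4111111111111112=25121010000000000?"   # fails Luhn, must be skipped
    + b"\x00" * 8
)


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; scrapers use it to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, as an analyst's report should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrape(buf: bytes) -> List[Dict[str, str]]:
    """Return every Luhn-valid track record found in buf, de-duplicated per track type."""
    hits, seen = [], set()
    for m in TRACK1.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan) and ("1", pan) not in seen:
            seen.add(("1", pan))
            hits.append({"track": "1", "pan": mask_pan(pan),
                         "name": m.group(2).decode().strip(),
                         "expiry": f"{m.group(4).decode()}/{m.group(3).decode()}",  # MM/YY
                         "service": m.group(5).decode()})
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan) and ("2", pan) not in seen:
            seen.add(("2", pan))
            hits.append({"track": "2", "pan": mask_pan(pan),
                         "expiry": f"{m.group(3).decode()}/{m.group(2).decode()}",  # MM/YY
                         "service": m.group(4).decode()})
    return hits


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_MEMORY
    for hit in scrape(data):
        print(hit)
```

Point it at a memory dump (`python track_scan.py dump.bin`) or at the dropped Output.txt; without an argument it runs over the constructed buffer. The masking is deliberate: an incident report should never carry full PANs, even when the scraper's own output file does.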

Command and Control (C&C) Traffic

Guatambu performs C&C communication over both TCP and UDP.

The malware sends the computer information to its C&C server in the following format; here are some examples:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Guatambu.AAB
  • GAV: Guatambu.POS

Chocolate and Network Security: A Match Made in Heaven

I’ve just finished lunch and something is missing. It was a good lunch too: grilled cheese sandwich and lentil soup (a nod to the chilly, blustery Spring morning outside). I liked my lunch, but now I want a little… I don’t know… a little something. What I’d like, truth be told, is a little bit of chocolate. Maybe a small chunk of Ghirardelli’s milk, or whoa, how about a lovely Lindt Lindor truffle? Yes, that would be just the ticket, but alas… there’s no chocolate in the house.

And what, you may ask, has this to do with Security?

Everything. I assure you. Everything.

Let’s say you’re a distributor of fine chocolates, candies, gourmet sauces and other foods for the discerning palate. Let’s say your business is expanding by leaps and bounds, and your IT infrastructure is increasingly at risk as you get hit with various malware events. No one really thinks of the critical role that IT plays in undergirding the success of gourmet food, but as the wholesale and retail provider First Source knew, without a sound and safe infrastructure they were going to be in trouble. But not only did First Source need an updated security infrastructure to better protect against threats 24×7, they also needed this to happen while improving the speed and quality of its order processing.

As a chocolate craver, let me tell you, I’m so glad First Source put SonicWall Security’s mobile and network security solutions and gourmet food together.

Over a period of 18 months, First Source designed and deployed a company-wide SonicWall next-generation firewall solution, including firewall appliances at each remote location, to act as the gatekeepers for the First Source IT infrastructure.

And wouldn’t you know it: the SonicWall solution has not only boosted the company’s security, but having site-to-site SSL VPN access with load balancing and high-speed internet connections has allowed the company to increase efficiency and collaboration too (read what other benefits First Source experienced here).

In almost every industry, in almost every location, a solid, secure infrastructure undergirds almost all aspects of our lives. Even my chocolate cravings.

ISC BIND DNS DoS

Berkeley Internet Name Domain (BIND) is the Domain Name System implementation suite maintained by the Internet Systems Consortium (ISC). BIND can serve authoritative information about domains and can also act as a recursive name server.

A DNS message consists of resource records (RRs) of several types, such as A and AAAA, that carry details about DNS names. The Extension Mechanisms for DNS (EDNS0) use an OPT pseudo-RR to carry additional capability information, such as the supported UDP payload size. The OPT pseudo-RR can contain various options; one of them is the DNS COOKIE option, which protects clients and servers against denial of service and forgery attacks.

BIND is prone to a denial of service. When BIND receives an OPT pseudo-RR, process_opt() handles its options. On encountering a COOKIE option it asserts with INSIST that the variables sitbad and sitgood are both zero, and then sets one of them to one depending on the cookie received. If a second COOKIE option follows in the same OPT RR, one of sitbad or sitgood is already set, so the INSIST assertion fails and BIND terminates.

A remote attacker can exploit this vulnerability by sending a crafted DNS message carrying two COOKIE options, which leads to a denial of service condition.
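To make the failure mode concrete, the following added example (constructed for this note, not BIND code) builds a query whose OPT RR carries two COOKIE options, parses the options back out, and contrasts two handlers: a simplified model of the assertion logic described above, where a stand-in INSIST() aborts on the second cookie, and a hardened handler that returns FORMERR for a duplicate or malformed COOKIE option, which is what RFC 7873 section 5.2.2 requires. The function names, the sitgood/sitbad model and the sample cookie values are this example's own.

```python
"""Build a DNS query carrying an EDNS0 OPT pseudo-RR, parse the OPT options
back out, and contrast two ways of handling a second COOKIE option: an
INSIST-style assertion (the behaviour the text describes) versus returning
FORMERR as RFC 7873 section 5.2.2 requires.

Added example, constructed for this note; it is not BIND code. The function
names and the INSIST stand-in are this example's own, and the sitgood/sitbad
model is a simplification of the logic the text describes.
"""
import struct

TYPE_OPT = 41
OPT_COOKIE = 10  # EDNS option code for DNS Cookies (RFC 7873)

CLIENT_COOKIE_A = bytes.fromhex("0102030405060708")  # constructed sample values
CLIENT_COOKIE_B = bytes.fromhex("1112131415161718")


def INSIST(cond: bool, what: str) -> None:
    """Stand-in for BIND's INSIST(): a failed assertion aborts the process."""
    if not cond:
        raise AssertionError(f"INSIST({what}) failed")


def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name (labels or a compression pointer)."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n


def build_query(qname: str, qtype: int, options, udp_size: int = 4096, msg_id: int = 0x1234) -> bytes:
    """Standard query plus one OPT RR whose RDATA holds the given (code, data) options."""
    header = struct.pack(">HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)  # RD set, QD=1, AR=1
    question = _encode_name(qname) + struct.pack(">HH", qtype, 1)
    rdata = b"".join(struct.pack(">HH", code, len(data)) + data for code, data in options)
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack(">HHIH", TYPE_OPT, udp_size, 0, len(rdata)) + rdata
    return header + question + opt


def parse_opt_options(msg: bytes):
    """Return the [(code, data), ...] list from the first OPT RR, or None if there is none."""
    _, _, qd, an, ns, ar = struct.unpack_from(">HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from(">HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_OPT:
            opts, p = [], 0
            while p + 4 <= len(rdata):
                code, ln = struct.unpack_from(">HH", rdata, p)
                opts.append((code, rdata[p + 4:p + 4 + ln]))
                p += 4 + ln
            return opts
    return None


def cookie_well_formed(data: bytes) -> bool:
    """RFC 7873: 8-byte client cookie, optionally followed by an 8..32-byte server cookie."""
    return len(data) == 8 or 16 <= len(data) <= 40


def process_opt_assert(options) -> str:
    """Model of the pre-fix logic: both flags must be zero when a COOKIE arrives,
    so a second COOKIE option in the same OPT RR trips the assertion."""
    sitgood = sitbad = 0
    for code, data in options:
        if code == OPT_COOKIE:
            INSIST(sitgood == 0 and sitbad == 0, "sitbad == 0 && sitgood == 0")
            if cookie_well_formed(data):
                sitgood = 1
            else:
                sitbad = 1
    return "NOERROR"


def process_opt_formerr(options) -> str:
    """Hardened handling: a duplicate or malformed COOKIE option is a FORMERR, not a crash."""
    seen_cookie = False
    for code, data in options:
        if code == OPT_COOKIE:
            if seen_cookie or not cookie_well_formed(data):
                return "FORMERR"
            seen_cookie = True
    return "NOERROR"


def would_crash(msg: bytes) -> bool:
    """True if the assert-style handler aborts on this message."""
    try:
        process_opt_assert(parse_opt_options(msg) or [])
        return False
    except AssertionError:
        return True
```

The general lesson is the one the advisory implies: input from the network must never reach an assertion. An INSIST documents an invariant the code believes it has already enforced; when the invariant depends on the peer sending at most one COOKIE option, the enforcement has to be a FORMERR response on the parsing path, not an abort.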

This vulnerability affects the following products:

  • ISC BIND 9.10.0 through 9.10.3-P3

The Dell SonicWALL Threat Research Team has researched this vulnerability and released the following signature to protect customers:

  • IPS:11525 ISC BIND Cookie Option DoS