April Conficker (March 30, 2009)

/in /by

Conficker.C variant has been discovered on March 4, 2009.

This variant of the Conficker worm infects the local computer, terminates services, blocks access to numerous security related Web sites and downloads arbitrary code. It can also relay command instructions to other infected computers via built-in peer-to-peer communication. Conficker.C is installed by previous variants of Win32/Conficker.

Other variants of Win32/Conficker infect computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). It may also spread via removable drives and weak administrator passwords.

This new version, however, does not attack new systems. It’s waiting until April 1, 2009. On that date, systems infected with Conficker.C will start trying to contact domains on the Internet for new instructions. Previous versions of Conficker did the same thing, but the domain generation algorithm has been changed in Conficker.C. The new algorithm generates a larger pool of possible domains than the original one. It will generate 50,000 domains names per day and pick random 500 from that set to connect to.

So, the only thing that will happen on April 1st is that already infected computers will start using the new algorithm to locate potential update servers.

SonicWALL UTM research team is monitoring the situation and releasing GAV signatures for Conficker variants as soon as they are discovered. SonicWALL Gateway AntiVirus provides protection against Conficker.C with the following GAV signatures:
* Conficker.C
* Conficker.C_2
* Conficker.C_3
* Conficker.C_4
* Conficker.C_5
* Conficker.C_6
* Conficker.C_7
* Conficker.C_8
* Conficker.gen (Worm)

In addition, the following IPS signatures are related to Conficker:

* 1160 SRVSVC NetPathCanonicalize BO Attempt 1 (MS08-067)
* 1161 SRVSVC NetPathCanonicalize BO Attempt 2 (MS08-067)
* 1174 SRVSVC NetPathCanonicalize BO Attempt 3 (MS08-067)
* 1178 SRVSVC NetPathCanonicalize BO Attempt 4 (MS08-067)
* 1186 SRVSVC NetPathCanonicalize BO Exploit 1 (MS08-067)
* 1190 SRVSVC NetPathCanonicalize BO Exploit 2 (MS08-067)
* 1226 SRVSVC NetPathCanonicalize BO Exploit 3 (MS08-067)
* 1250 SRVSVC NetPathCanonicalize BO Attempt 5 (MS08-067)
* 1257 SRVSVC NetPathCanonicalize BO Attempt 6 (MS08-067)
* 1261 SRVSVC NetPathCanonicalize BO Attempt 7 (MS08-067)
* 5450 Conficker Infected Machine Activity

There were 2 previous SonicAlerts related to this vulnerability:

SonicWALL UTM research team recommends to ensure that systems are patched with MS08-067, security software signatures are updated, and systems that are infected with any variant of Conficker are cleaned and network passwords are strong to prevent Conficker variants from spreading.

Adobe Reader geticon Buffer Overflow (Mar 27, 2009)

/in /by

Adobe Reader (formerly Acrobat Reader) is a ubiquitous application for viewing PDF (Portable Document Format) documents.

Since version 4.0, Acrobat includes JavaScript functionality allowing for customization and extensibility. Acrobat JavaScript is an extension of the core JavaScript which adds Acrobat-specific classes that enable the author to manage document related tasks. These classes include app, dbg, console, SOAP, ADBC, util, etc.

The app.Collab object provides the getIcon method, which accepts an string argument that serves as the name of an icon. The supplied path string must contains one of “N”, “D”, “H” characters followed by a “.” character. For example:

app.Collab.getIcon(“A_EmailDistribute_110x64_N.png”)

There exists a buffer overflow vulnerability in Adobe Reader. Specifically, the vulnerability is due to incorrect validation of values supplied to the “app.Collab.getIcon()” JavaScript function. By providing a overly long string to the function, the stack-based buffer will be overrun. The buffer overflow condition could allow for overwriting return address and SEH structure on the stack.

An attacker can exploit this vulnerability by enticing a user to open a crafted PDF document. Successful exploitation would allow for arbitrary code injection and execution with the privileges of the currently logged in user. Code injection that does not result in execution would terminate the application due to memory corruption.

The vulnerability has been assigned as CVE-2009-0927.

SonicWALL has released a IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed bellow:

  • 5446 – Adobe Acrobat JavaScript getIcon Method BO Attempt

New Buzus Trojan (Mar 27 2009)

/in /by

–Updated March 27, 2009—

SonicWALL UTM Research team saw a third wave of DHL Tracking number invoice spam with different attachment payloads starting late afternoon on March 26, 2009.

SonicWALL Gateway Antivirus provides protection against this new wave via GAV: Zbot.JJP (Trojan) signature. Total Signature hits recorded since yesterday – 872,128 hits (Signature statistics image below)

————————————————

–Updated March 26, 2009—

SonicWALL UTM Research team saw a new wave of DHL Tracking number invoice spam with different attachment payloads starting March 25, 2009.

SonicWALL Gateway Antivirus provided proactive protection against this new wave via GAV: Suspicious#waledac.8 (Worm) signature that was released on March 9, 2009. Total Signature hits recorded since yesterday – 576,942 hits (Signature statistics image below)

————————————————

–Original publish date: March 23, 2009—

SonicWALL UTM Research team observed a new wave of the on-going Tracking number invoice spam campaign starting Sunday, March 22, 2008. The email has a zip archived attachment which contains the new Buzus Trojan variant.

SonicWALL has received more than 1,700 e-mail copies of this malware till date. The e-mail looks like following:

Attachment: DHL_DOC.zip (contains DHL_DOC.exe)
Update [March 26, 2009]:
Attachment: DHL_HELP.zip (contains DHL_HELP.exe)
Update [March 27, 2009]:
Attachment: dhl_n756512.zip (contains dhl_n756512.exe)

Subject: DHL Tracking number #[15 digit alphanumeric ID]

Email Body:
————————
Hello!

We were not able to deliver postal package you sent on the 14th of March in time because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office.

Your personal manager: Nathan Lund,
Customer Service: 1-800-CALL-DHL
Fax: 888-221-6211
DHL International, Ltd. All Rights Reserved.
————————

Update [March 26, 2009]: The executable file inside the zip attachment in the new wave has an icon disguised as a Microsoft Help file and it looks like following:

screenshot

The executable file inside the zip attachment has an icon disguised as a Microsoft Word document file and it looks like following:

screenshot

Update [March 27, 2009]: A screenshot of a sample e-mail for the third wave is shown below:

screenshot

Update [March 26, 2009]: A screenshot of a sample e-mail for the second wave is shown below:

screenshot

A screenshot of a sample e-mail is shown below:

screenshot

The Trojan when executed performs following host level activity:

  • Creates a directory lowsec in Windows System folder
  • Creates files local.ds, user.ds, and user.ds.lll in the lowsec directory
  • Drops a copy of itself as sdra64.exe in Windows system directory

It modifies the following Registry key for running sdra64.exe on system reboot:

  • HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonUserinit: “(System_Dir)userinit.exe,(System_Dir)sdra64.exe,”

It also tries connect and download an encrypted configuration file from the following URL:

  • mn-room.ru/phpbb/dir.cfg

The Trojan is also known as DR/Delphi.Gen [AntiVir], trojan W32/Trojan3.AIY [F-Prot], and VirTool:Win32/DelfInject.gen!J [Microsoft]

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Buzus.ARQX (Trojan),GAV: Suspicious#waledac.8 (Worm) and GAV: Zbot.JJP (Trojan) signatures.

screenshot

screenshot

screenshot

Oracle Secure Backup Memory Corruption (Mar 20, 2009)

/in /by

Oracle Secure Backup is a centralized tape backup management solution that provides data protection for heterogeneous file systems and the Oracle database. It uses the Network Data Management Protocol (NDMP) protocol to administer and perform backup tasks for all clients.

The NDMP protocol is designed to make every network attached storage device “backup ready”, enabling true plug-and-play backup operation. With the NDMP approach, each network-attached file server ships with a “universal agent”, which can be used by any NDMP-compliant backup administration application.

There is a memory corruption vulnerability in Oracle Secure Backup. The vulnerability is triggered during processing the malformed NDMP requests NDMP_CONNECT_OPEN or NDMP_CONNECT_CLOSE. The issue is due to the vulnerable code improper handle the Error field of the requests, and refers to a non-allocated memory. This operation will cause the NDMP process instance terminated immediately.

SonicWALL UTM team has developed the following signatures to detect/prevent attack attempts addressing this issue.

  • 5034 Symantec Veritas Backup Exec Agent Error Status DoS
  • 5431 Oracle Secure Backup NDMP Handling DoS

Waledac Terror Attack Trojan (March 18, 2009)

/in /by

This week, SonicWALL UTM Research team observed new variants of Waledac. They switched to using a terror attack theme: by spoofing news agency Reuters website and sending emails that link to the spoofed site.

These Waledac variants incorporate IP address geolocation, just like the previous Couponizer attack, which is a way of determining a user’s location based on the IP address. The user’s IP address is queried to determine its location, then the results of that query are put into the webpage.

The website claims that a “dirty bomb” exploded in the user’s city and that at least 12 people have been killed. A video from Reuters is shown but “You need the latest Flash player to view video content. Click here to download.” The alleged missing codec file is the malware executable.

The websites used in this attack include:

  • adorelyricxx.com
  • bestcouponfreexx.com
  • bestlovelongxx.com
  • codecouponsitexx.com
  • funloveonlinexx.com
  • funnyvalentinessitexx.com
  • goodnewsdigitalxx.com
  • greatcouponclubxx.com
  • greatsalesavailablexx.com
  • supersalesonlinexx.com
  • youradorexx.com
  • worldtracknewsxx.com

These domains resolve to different IP addresses every time they are visited. The filenames are also rotated. Some of the filenames used in this wave are:

  • contact.exe
  • run.exe
  • print.exe
  • save.exe
  • main.exe
  • news.exe

When executed this Waledac variant is almost identical in its behavior to the previous variant.

SonicWALL Gateway Antivirus will detect this new Waledac variant with GAV: Suspicious#waledac.8 (Worm) signature.

SonicWALL UTM Research team recommends to mouse-over the links on any page and verifying they do not go to an EXE file to avoid being infected with malware.

Here is a screenshot of the malicious website:

screenshot

New Infostealer Trojan (Mar 13, 2009)

/in /by

SonicWALL UTM Research team observed a new spam campaign starting March 13, 2009 which involves a fake e-mail pretending to be arriving from Bank of America Support system.

The email informs user that the automatic installation for Bank of America certificate component failed and they need to follow the instructions to get it installed. The email contains a malicious link that leads to the download of the new Infostealer Trojan.

SonicWALL has seen more than 8000 e-mail copies for this malware since March 13, 2009 9 AM PST. The e-mail messages looks like below:

Email #1:

screenshot

Email #2:

screenshot

Email #3:

screenshot

When the user clicks on the link in the e-mail, it opens up a fake Bank of America page that displays a demo video frame on how to install Digital Certificate. When the user tries to play the video, it prompts the user to download a Adobe flash player update which is the Trojan executable as seen below:

screenshot

screenshot

Upon execution, it performs following activities:

  • Drops following files on the target system:
    • (Windows_Dir)9129837.exe [Detected as GAV: Papras.JD (Trojan) ]
    • (Windows_Dir)new_drv.sys [Detected as GAV: Agent.EX (Trojan) ]
    • (Desktop)abcdefg.bat
  • Makes following modifications to Windows Registry:
    • Creates: HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRuntool = “(Windows_Dir)9129837.exe”
    • Creates: HKLMSYSTEMControlSet001Servicesnew_drvImagePath: “(Windows_Dir)new_drv.sys”
  • Attempts to send GET requests containing victim machine information to following IP address:
    • 58.65.232.17

The Trojan has very low detection at the time of writing this alert. It is also known as Infostealer.Snifula.B [Symantec] and Trojan-PSW:W32/Papras.DK [F-Secure].

SonicWALL Gateway Antivirus provides protection against this malware via GAV: Papras.JD (Trojan) signature.

Microsoft Security Bulletin Coverage (Mar 13, 2009)

/in /by

Microsoft has released three security bulletins MS09-006, MS09-007 and MS09-008 for March 2009 this week, which include 8 vulnerabilities. One of the bulletins, MS09-006, was assessed as Critical severity by Microsoft, and it is a client-side related advisory. The other two bulletins MS09-007 and MS09-008 are assessed as Important, and they are server-side related advisories. SonicWALL UTM team has analyzed each security bulletin and released IPS signatures that detect/prevent potential attacks leveraging these vulnerabilities.

MS09-006 Vulnerabilities in Windows Kernel Could Allow Remote Code Execution (958690)

Windows Kernel Input Validation Vulnerability – CVE-2009-0081
  • IPS: 5427 MS GDI32 Polyline BO PoC (MS09-006)
Windows Kernel Handle Validation Vulnerability – CVE-2009-0082
  • The vulnerability is limited to local system and is not remotely exploitable.
Windows Kernel Invalid Pointer Vulnerability – CVE-2009-0083
  • The vulnerability is limited to local system and is not remotely exploitable.

MS09-007 Vulnerability in SChannel Could Allow Spoofing (960225)

SChannel Spoofing Vulnerability – CVE-2009-0085
  • The vulnerability is a design error, and it occurs only when the client doesn’t send a certificate verify message to the server. It can not be detected by signatures as they are legitimate traffic.

MS09-008 Vulnerabilities in DNS and WINS Server Could Allow Spoofing (962238) )

DNS Server Query Validation Vulnerability – CVE-2009-0233
  • The vulnerability is triggered by poisoning the DNS server with case-sensitive words alias different IP addresses, such as, www.abc.com and www.ABC.com resolved to different IP addresses. It can not be detected by signatures as they are legitimate traffic.
DNS Server Response Validation Vulnerability – CVE-2009-0234
  • The vulnerability is due to improper handling of flooding DNS messages with query type ANY. It can not be detected by signatures as they are legitimate traffic.
DNS Server Vulnerability in WPAD Registration Vulnerability- CVE-2009-0093
  • 5422 MS DNS Server WPAD Registration Spoofing PoC (MS09-008)
  • 5426 MS DNS Server WPAD Registration Spoofing PoC 2 (MS09-008)
WPAD WINS Server Registration Vulnerability – CVE-2009-0094
  • 5425 MS WINS Server WPAD Registration Spoofing PoC (MS09-008)

Besides enabling prevention for these signatures, customers are advised to run Windows Update and get latest patches from Microsoft in order to maximize the protection against potential exploits.

Nullsoft Winamp CAF Buffer Overflow (Mar 6, 2009)

/in /by

Nullsoft Winamp is a widely used multimedia player application that is capable of playing numerous media file formats. In addition to playing CD tracks, MPEG, and the popular MP3 format, Winamp also plays Apple’s Core Audio Format (CAF) files.

The CAF file is meant to store and manipulate digital audio data. The format of this specification consists of a simple header followed by data chunks. The first chunk of a CAF file is called the Audio Description chunk, and is required to immediately follow the header. This chunk describes the format of the data.
A breakdown of the Audio Description chunk is shown:

 offset  size     description ------- -------- ------------------------------------------------ 0x0000  4        chunk type ('desc') 0x0004  8        chunk size (sizeof(data)) 0x000c  var      data

The structure of the data field can be broken down as follows: 

 offset  size     description ------- -------- ------------------------------------------------ 0x0000  8        sample rate 0x0008  4        format ID 0x000c  4        format flags 0x0010  4        bytes per packet 0x0014  4        frames per packet 0x0018  4        channels per frame 0x001c  4        bits per channel

An integer overflow vulnerability exists in Winamp’s processing of CAF files. Specifically, the flaw is due to lack of validation of a field value in the Audio Description chunk. Under specific circumstances, the code will use a value, directly derived from the said chunk, in a calculation of a heap buffer size. The affected value can be manipulated to cause an integer overflow which will result in the allocation of a buffer of insufficient size.
Remote attackers may exploit this vulnerability by enticing the target user to open a malicious CAF file using a vulnerable version of Winamp. Successful exploitation may cause a heap buffer overflow that results in process flow diversion.

SonicWALL has released an IPS signature to detect and block specific exploits targeting this vulnerability. The following signature addresses this issue:

  • 5417 – Nullsoft Winamp CAF File Processing Integer Overflow PoC

Delta Airline spammed trojan (Mar 5, 2009)

/in /by

–Updated March 5, 2009—

SonicWALL UTM Research team saw two separate waves of Delta Arline spammed Trojan campaign with different attachment payloads between March 2, 2009 and March 5, 2009.

SonicWALL Gateway Antivirus provided proactive protection against these new waves via GAV: Delf.KD (Trojan) signature that was released on Feb 26, 2009. Total Signature hits recorded till now – 137,480 hits (Signature statistics image below)

————————————————

–Original publish date: February 26, 2009—

SonicWALL UTM Research team observed a new spam campaign starting today, February 26, 2009 which involves a fake e-mail pretending to be arriving from Delta Airlines and containing passenger itinerary receipt. The email has a zip archived attachment which contains the new Trojan executable.

SonicWALL has received more than 1,000 e-mail copies of this malware so far. The e-mail message contains:

Attachment: delta_RQ763.zip (contains delta_RQ763.exe)

Subject:

  • Confirmation of airline ticket purchase at www.delta.com

Email Body:
————————
Thanks for the purchase!

Booking number: (random alpha-numeric string)

You will find attached to this letter PASSENGER ITINERARY RECEIPT of your electronic ticket. It verifies that you paid the ticket in full and confirms your right for air travel and luggage transportation by the indicated flight Delta Air Lines.

On board you will be offered: – beverages; – food; – daily press.

You are guaranteed top-quality services and attention on the part of our benevolent personnel.

We recommend you to print PASSENGER ITINERARY RECEIPT and take it alone to the airport. It will help you to pass control and registration procedures faster.

See you on board! Best regards,

Delta Air Lines
————————

A sample of spammed e-mail message looks like this:

screenshot

The executable file inside the zip attachment has an icon disguised as a Microsoft Excel file and it looks like following:

screenshot

The Trojan when executed creates following files:

  • (SYSTEM-DIR)twain32local.ds
  • (SYSTEM-DIR)twain32user.ds
  • (SYSTEM-DIR)twain32user.ds.lll
  • (SYSTEM-DIR)twex.exe

It modifies the following Registry key to ensure that Trojan runs every time the system restarts:

  • HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonUserinit: “C:WINDOWSsystem32userinit.exe,C:WINDOWSsystem32twex.exe,”

It also tries to connect and download a file from the following URL:

  • hxxp://91.211.65.33/ejik/admin.bin (<- Encrypted configuration data file)

The Trojan has very low detection at the time of writing this alert. It is also known as trojan W32/Trojan2.FXRO [F-Prot] and Trojan-Dropper.Delf [Ikarus].

SonicWALL Gateway Antivirus provides protection against this malware via GAV: Delf.KD (Trojan) signature.

screenshot

Waledac Couponizer Trojan (March 3, 2009)

/in /by

This week, SonicWALL UTM Research team observed new variants of Waledac. They switched to using coupons theme: by making copies of couponizer.com and sending emails that link to the spoofed look-alike sites.

Users can differentiate between the infected sites and the legitimate couponizer.com website by pointing the mouse cursor over any of the images on the page and checking which link is displayed in the browser’s status bar. If the link is to a executable file (.exe) this page is malware.

In addition these variants incorporate IP address geolocation, which is a way of determining a user’s location based on the IP address. The user’s IP address is queried to determine its location, then the results of that query are put into the webpage. The websites used in this attack include:

  • adorelyricxx.com
  • bestcouponfreexx.com
  • bestlovelongxx.com
  • codecouponsitexx.com
  • funloveonlinexx.com
  • funnyvalentinessitexx.com
  • greatcouponclubxx.com
  • greatsalesavailablexx.com
  • greatsalestaxxx.com
  • supersalesonlinexx.com
  • youradorexx.com
  • yourmazdatributexx.com

These domains resolve to different IP addresses every time they are visited. The filenames are also rotated. Some of the filenames used in this wave are:

  • couponslist.exe
  • nocrisis.exe
  • saleslist.exe
  • sales.exe

When executed this Waledac variant is almost identical in its behavior to the previous variant.

The malware has very low AV detection at the time of writing this Security Alert. SonicWALL Gateway Antivirus will detect this new Waledac variant with GAV signatures: Suspicious#waledac.6 (Worm), Agent.AINT (Trojan), Suspicious#waledac.5 (Worm) .

Here are some screenshots of the attack websites.

screenshot

screenshot