Adobe Embedded JBIG2 Stream BO (Feb 27, 2009)

/in /by

Adobe products are used for creating, distributing, authoring and viewing Portable Document Format (PDF) documents. The Adobe Reader and Adobe Acrobat are examples of such products. The PDF file format was created and is controlled by Adobe. The format allows for representation of text, images and graphics in a single document.

Binary data, such as images are represented in a PDF document by stream objects. A stream is represented by a series of bytes enclosed in the stream and endstream keywords. An example of a stream in a PDF file is shown: 

 stream 0099009900990099 endstream

A stream will generally be preceded by a definition describing its properties amongst which will be the filter which is to be used to interpret the respective stream. For example, an image compressed by the JBIG2 compression standard may look as follows: 

 << /Type /XObject /Subtype /Image /Length 100 /Filter [ /ASCIIHexDecode /JBIG2Decode ] >>  stream 1847509384750293847593847594837495874939203948405 8459484379857032975402398650432986502398538754934 endstream

The JBIG2 bit stream consists of segments, with each segment containing a header followed by data. The format of a JBIG2 segment header is of variable length based on the values contained therein. In certain specific situations, the Adobe application will use a supplied value in the header as an index into an array of pages without checking the value for validity first. The application will then attempt to write into the array using this index. The affected field which is controlled by the PDF author, can be manipulated to overwrite any location within a 32-bit address space. This gives a malicious user the capability to corrupt memory of the affected process, thereby potentially diverting the process flow.

In order to exploit this vulnerability, the target user must be enticed to open a malicious PDF document. Successful exploitation may allow arbitrary code injection and execution with the privileges of the currently logged in user. As of the writing of this report, the vulnerability is being exploited in the wild.

SonicWALL has released three IPS signatures to detect and block specific exploit attempts. The following signatures have been released to address this vulnerability:

  • 5401 – Adobe Multiple Products Embedded JBIG2 Stream BO PoC 1
  • 5402 – Adobe Multiple Products Embedded JBIG2 Stream BO PoC 2
  • 5403 – Adobe Multiple Products Embedded JBIG2 Stream BO PoC 3

ProFTPD SQL Injection Vulnerability (Feb 20, 2009)

/in /by

The ProFTPD server is a highly configurable GPL-licensed FTP server software mainly used in Linux distributions. In addition to using the host system for authentication, ProFTPD can authenticate users using a SQL database or LDAP.

When ProFTPD is configured to use a SQL database for authentication, it escapes and expands SQL statements before passing the query onto the database. After a SQL statement is escaped, ProFTPD performs various string substitutions on the SQL statement. These substitutions are performed using the function resolve_short_tag. resolves_short_tag transforms text, which it interprets as an internal ProFTPD tag, into a value. Tags are specified as strings with % as the first character. Since the function resolve_short_tag transforms SQL statements after they are escaped, ProFTPD is vulnerable to a SQL injection attack.

A remote attacker can exploit this vulnerability by specifying a “%'” (percent + single quote) string in the username following arbitrary SQL to be executed. For example, an attacker may specify the following string as the username:

root %’) and 1=2 union SELECT 1,1,uid,gid,homedir,shell from ftpuser —

ProFTPD would perform its escaping and transformation processes, causing the following SQL statement to be sent to the database:

SELECT userid, passwd, uid, gid, homedir, shell FROM ftpuser WHERE (userid=’root {UNKNOWN TAG}’) and 1=2 union SELECT 1,1,uid,gid,homedir,shell from ftpuser — ‘) LIMIT 1

A successful attack can allow the attacker to masquerade as an authenticated user and gain unauthorized access to the FTP server and the underlying database.

The vulnerability has been assigned as CVE-2009-0542.

SonicWALL has released the following IPS signature that will detect and prevent potential attacks leveraging this vulnerability:

  • 1376 FTP ProFTPD Server Username Handling SQL Injection Attempt

Waledac Valentine cards (February 19, 2009)

/in /by

This week, SonicWALL UTM Research team observed new variants of Waledac worm spreading in the wild and using Valentine’s theme. They send fake e-greeting card emails with a link to view an e-card to potential victims.

The websites used in this attack include:

  • adorelyricxx.com
  • adorepoemxx.com
  • adoresongxx.com
  • cherishletterxx.com
  • funloveonlinexx.com
  • goodnewsreviewxx.com
  • greatvalentinepoemsxx.com
  • orldlovelifexx.com
  • reportradioxx.com
  • spacemynewsxx.com
  • yourgreatlovexx.com

These domains resolve to different IP addresses every time they are visited. The filenames are also rotated. Some of the filenames used in this wave are:

  • Card.exe
  • cardviewer.exe
  • devkit.exe
  • download.exe
  • ecard.exe
  • install.exe
  • kit.exe
  • lovecard.exe
  • lovekit.exe
  • loveprogramm.exe
  • Loveu.exe
  • Luv.exe
  • Programm.exe
  • vcard.exe
  • viewer.exe
  • valkit.exe

When executed this Waledac variant is almost identical in its behavior to the previous variant.

The malware has very low AV detection at the time of writing this Security Alert. SonicWALL Gateway Antivirus will detect this new Waledac variant with GAV signatures: Suspicious#waledac.5 (Worm), Waledac.AG (Worm), Waledac.I_2 (Trojan) .

Here are some screenshots of the attack websites.

screenshot

MS09-002 Exploit (Feb 18, 2009)

/in /by

SonicWALL UTM Research Team has observed a new MS09-002 exploit being used in the wild in drive-by attacks.

This exploit involves a malicious Microsoft Word (.doc) document that uses XML format being delivered to the end user. The .doc has a file size of 3,871 bytes and attempts to exploit the Uninitialized Memory Corruption vulnerability (CVE-2009-0075) in Internet Explorer 7 patched by Microsoft in the MS09-002 patch release.

The malicious word document file contains the following specially crafted data bytes:

w:ocx w_data=”DATA:application/x-oleobject;BASE64,rv0krsYD0RGLdgCAx0TziQAAOAAAAGgAdAB0AHA (REMOVED) gAZQBuAGcAagBp AHQAagAuAGMAbwBtAC8AYgBiAHMALwBpAG0AYQBnAGUAcwA vAGEAbABpAHAAYQB5AC8AbQBtAC8A agBjAC8AagBjAC4AaAB0AG0AbAA= ” w_id=”DefaultOcxName” w_name=”DefaultOcxName” w_classid=”CLSID:AE24FDAE-03C6-11D1-8B76-0080C744F389″ w_w=”200″ w_h=”123″ wx_iPersistPropertyBag=”true”

When the end user opens the document file, it uses the Microsoft Scriptlet Component ActiveX control (CLSID:AE24FDAE-03C6-11D1-8B76-0080C744F389) to connect to following Malicious URL:

  • hxxp://(REMOVED)/bbs/images/alipay/mm/jc/jc.html [detected as GAV: XMLhttpd.D (Exploit)]

jc.html file contains an obfuscated javascript code that further downloads a Trojan from following URL:

  • hxxp://(REMOVED)/bbs/images/alipay/mm/jc/jc.exe [detected as GAV: Rincux_4 (Trojan)]

The exploit has very low detection and is also known as Exploit-MSWord.k trojan (McAfee). SonicWALL GAV detects this exploit as GAV: MSWord.K (Exploit)

Microsoft Security Bulletin Coverage (Feb 13, 2009)

/in /by

During the first 2 months of 2009 Microsoft has published 5 security bulletins. Among them, MS09-001, MS09-003 and MS09-004 address vulnerabilities on the server side, while MS09-002 and MS09-005 address vulnerabilities on the client side. SonicWALL UTM team has analyzed each security bulletin and released IPS signatures that detect/prevent potential attacks leveraging these vulnerabilities. Below is the summary of security bulletins and the corresponding SonicWALL signatures.

MS09-001 Vulnerabilities in SMB Could Allow Remote Code Execution

  • IPS Sid 5357 — NETBIOS MS SMB TRANS Request Error Handling Memory Corruption PoC (MS09-001)
    CVE-2008-4834
  • IPS Sid 5358 — NETBIOS MS SMB OPEN2 Request Error Handling Memory Corruption PoC (MS09-001)
    CVE-2008-4835

MS09-002 Cumulative Security Update for Internet Explorer

  • IPS Sid 5379 — WEB-CLIENT MS IE Cloned Object Memory Corruption Attempt (MS09-002)
    CVE-2009-0075
  • IPS Sid 5387 — WEB-CLIENT MS IE CSS Processing Memory Corruption PoC (MS09-002)
    CVE-2009-0076

MS09-003 Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution

  • IPS Sid 5383 — DOS MS Exchange System Attendant DoS
    CVE-2009-0099
  • IPS Sid 5385 — SMTP MS Exchange TNEF Integer Underflow PoC (MS09-003)
    CVE-2009-0098

MS09-004 Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution

  • IPS Sid 1286 — MS-SQL SQL Server sp_replwritetovarbin Procedure Attempt (Unicode)
    CVE-2008-5416
  • IPS Sid 1292 — MS-SQL SQL Server sp_replwritetovarbin Procedure Attempt (ASCII)
    CVE-2008-5416
  • IPS Sid 1358 — MS-SQL SQL Server sp_replwritetovarbin Procedure Attempt (Unicode-SMB)
    CVE-2008-5416
  • IPS Sid 1360 — MS-SQL SQL Server sp_replwritetovarbin Procedure Attempt (ASCII-SMB)
    CVE-2008-5416

MS09-005 Vulnerabilities in Microsoft Office Visio Could Allow Remote Code Execution

  • IPS Sid 5384 — MISC MS Visio Object ID Table Memory Corruption PoC (MS09-005)
    CVE-2009-0097
  • IPS Sid 5386 — MISC MS Visio Invalid Tag Handling Memory Corruption PoC (MS09-005)
    CVE-2009-0096
  • IPS Sid 5389 — MS Visio VSD File Icon Bits Memory Corruption PoC (MS09-005)
    CVE-2009-0096

Besides enabling prevention for these signatures, customers are advised to run Windows Update and get latest patches from Microsoft in order to maximize the protection against potential exploits.

New ZBot Variant (Feb 12, 2009)

/in /by

SonicWALL UTM Research Team observed a new ZBot variant being distributed in the wild via drive-by download sites.

This ZBot variant was first seen in the wild on December 31, 2008 via following malicious site:

  • domainworksite.com/main/REMOVED (This domain is down now)

The malware when executed performs following tasks:

  • It runs in background and allows remote access to the compromised system.
  • It creates following files and directory:
    • C:WINDOWSsystem32twain32
    • C:WINDOWSsystem32twain32local.ds
    • C:WINDOWSsystem32twain32user.ds
    • C:WINDOWSsystem32twain32user.ds.lll
    • C:WINDOWSsystem32twex.exe
  • It creates and modifies following registry keys:
    • HKU.DEFAULTSoftwareMicrosoftWindowsCurrentVersionExplorer{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
    • HKU.DEFAULTSoftwareMicrosoftProtected Storage System Provider
    • HKU.DEFAULTSoftwareMicrosoftProtected Storage System ProviderS-1-5-18
    • HKUS-1-5-19SoftwareMicrosoftProtected Storage System Provider
    • HKUS-1-5-19SoftwareMicrosoftProtected Storage System ProviderS-1-5-19
    • HKUS-1-5-18SoftwareMicrosoftWindowsCurrentVersionExplorer{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
    • HKUS-1-5-18SoftwareMicrosoftProtected Storage System Provider
    • HKUS-1-5-18SoftwareMicrosoftProtected Storage System ProviderS-1-5-18
    • HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonUserinit: “C:WINDOWSsystem32userinit.exe,C:WINDOWSsystem32twex.exe,” (Ensures that it runs every time windows restart)
  • It attempts to disable any Internet proxy settings and Windows Firewall. It also attempts to acquire privileges to monitors the list of running processes.

  • It tries to resolve uplevela.net domain and sends following HTTP request: GET /awstats/admin/conf.sts

This ZBot variant is also known as Trojan-Spy.Win32.Zbot.ipx (Kaspersky), Win32/Spy.Zbot.DH (ESET), and Generic PWS.y (McAfee). SonicWALL Gateway Antivirus detects this ZBot variant as GAV: ZBot.IPX (Trojan)

Virtumonde windshield malware (Feb 9, 2009)

/in /by

SonicWALL UTM Research team observed a new interesting social engineering trick to install malware: hackers are using fake parking violation warnings to trick motorists into visiting malware-infested websites.

A windshield flier was left in cars with a website address linked to a malicious file. The fliers said: 

  PARKING VIOLATION  This vehicle is in violation of  standard parking regulations.  To view pictures with information about  your parking preferences, go to  http://horribleparkxxxx.com/

The website serves the malicious file to the user: http://horribleparkxxxx.com/PictureSearchToolbar.exe

This malware: PictureSearchToolbar.exe is detected by SonicWALL as GAV: AgentBypass_6 (Trojan).

 

   screenshot

It is a variant of Virtumonde / Vundo family of trojan horse that cause popups and advertises rogue antispyware programs. (aka Win32/Vundo.JI [Microsoft]). PictureSearchToolbar.exe is 56,832 bytes in size and when it runs it drops these files on the system:

  • %Temp%awtrQGay.bat – 63 bytes
  • %System%yayyXRKe.dll – 38,912 bytes

It injects yayyXRKe.dll in explorer.exe process.

It also creates the following registry entries:

  • HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
  • HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}InprocServer32
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionControl PanelSettings
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifyyayyXRKe
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoft0cd0861
  • HKEY_CURRENT_USERSoftwareMicrosoftcs41275

It then attempts to download http://childxxxx.com/pas/apstpldr.dll.html?affid=177194&uid=&guid=16560F811C084DA3B8270F85F0661238 and save it as %System%awtrQGay.dll.

Downloaded malware: awtrQGay.dll is detected by SonicWALL as GAV: Monder_3 (Trojan), it is another variant of Virtumonde/Vundo trojan and attempts to install Fake Antivirus software from bestantispywaresecurityxxx.com

SonicWALL Gateway AntiVirus provides protection against this attack via GAV: Monder_3 (Trojan) and GAV: AgentBypass_6 (Trojan) signatures.

The following figures shows the recorded hits for GAV: Monder_3 (Trojan) signature.

screenshot

Oracle ODCITABLESTART Buffer Overflow (Feb 6, 2009)

/in /by

Oracle Database Server is an enterprise-level relational database application suite. Online Analytical Processing (OLAP) is one of the feature extensions available for Oracle Database Server to enhance its functionality. OLAP is fully integrated into the relational database, all data and metadata is stored and managed from within Oracle Database providing scalability and security.

There is a buffer overflow in the OLAP implementation of one of the functions in module SYS.OLAPIMPL_T, which is called ODCITABLESTART. This function is invoked to begin retrieving rows from a table. The vulnerability is due to an insufficient boundary check when processing the parameter DATA_MAP passed to the function. The definition of the function is shown: 

 int ODCITableStart(SCTX, CUBE, OBJECT_TYPE, DATA_MAP, LIMIT_MAP, RWS)

By exploiting this vulnerability, an attacker can inject and execute malicious code within the security context of the service process. On Windows platforms, in default configuration, the affected service is running with System privileges.

SonicWALL has released a signature to detect and block specific exploitation attempts targeting this vulnerability. The IPS signature is listed bellow:

  • 5372 – SYS.OLAPIMPL_T Package ODCITABLESTART BO Attempt

Please refer to CVE-2008-3974 for more details about the vulnerability

Nullsoft Winamp Heap Overrun Flaw (Jan 29, 2009)

/in /by

Nullsoft Winamp is a multimedia player application that is capable of playing many formats of audio and video files. Winamp can play AIFF media file which has file extension .aiff. A heap-buffer overrun vulnerability exists in the way that Winamp handles the AIFF files.

The AIFF file consists of a header and followed by chunks. One of the chunks in AIFF file is COMM chunk. The structure of the COMM chunk is as below: 

 Type Size Description --------- ----- ------------------------------------ 0x0000 4 "COMM"  0x0004 4 < COMM chunk size > 0x0008 2 < Number of channels(c) > 0x000A 4 < Number of frames(f) > 0x000E 2 < bits/samples(b) > 0x0010 10 < Sample rate >

The vulnerability is due to the codes allocate a fixed heap buffer, but use the data from “COMM chunk size” field in the file showed above as the counter, which can cause the overrun of the allocated heap butter. A successful exploitation with this vulnerability would allow the attacker to execute arbitrary code on the vulnerable system in the context of the logged in user.

SonicWALL UTM team has developed and released the following IPS signatures.

  • 5262 Nullsoft Winamp AIFF Parsing Heap BO Attempt 1
  • 5363 Nullsoft Winamp AIFF Parsing Heap BO Attempt 2

The signatures have generated the following hits in a few days:

screenshot

New Autorun.inf worm variant (Jan 30, 2009)

/in /by

SonicWALL UTM Research team observed a new Autorun.inf worm variant starting on Monday, January 26, 2009 which has IRC Bot functionality and spreads via network shares or by exploiting windows vulnerabilities.

SonicWALL has received 7 copies of this network aware worm. It performs following activities when executed:

Host level activities

  • Disables Task Manager
  • Disables Registry Tools
  • Disables Notifications for Firewalls and various AntiVirus Tools
  • Copies itself to %windir%system32driversSCtri.exe and adds a registry entry for it to run every time system reboots
  • Infects USB drive by dropping an autorun.inf file and a copy of itself SCtri.exe so that whenever user connects the infected USB drive on a machine with auto run enabled, the machine will get infected.
  • Modifies the tcpip.sys file to conceal the network traffic from being captured locally by well-known sniffers (E.g. wireshark)
  • It includes Anti-VM and Anti-Debugging code

Network level activities

  • Scans the network for SMB shares with weak passwords and infects them. List of passwords it tries looks like following:
    • server
    • asdfgh
    • asdf
    • password
    • access
    • pass1234
    • administrador
    • 654321
    • 123456
    • 12345
    • 1234
    • root
    • admin
    • administrator
  • Also spreads on the network of computers by exploiting Windows vulnerabilities: MS04-011 and MS08-067
  • Tries to resolve multiple domains (baldmanpower.[com/net/org] and kutlufamily.com ) and connects to an IRC server on port 80 where it listens for the commands.
  • It has the RxBot family IRC bot functionality.

The worm is also known as Exploit:Win32/MS06040.gen [Microsoft], IRC/SdBot trojan [ESET], and Worm/SdBot.735232.1 [AntiVir]

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: SdBot.NW (Worm) signature [798 hits recorded].

screenshot