NTP crypto-NAK DoS

ntpd is an implementation of the Network Time Protocol which sets and maintains the system time of day in synchronization with Internet standard time servers or any local reference. Many major servers and devices come with ntpd built in.

NTP operates in several modes: client/server, symmetric, and broadcast. Symmetric mode is used for time synchronization between servers with authentication, and it has two variants, active and passive. Active-mode packets are used when an association is already established. If no association exists, passive-mode packets are used to set up a short-lived passive association for authentication. If a packet that fails to authenticate is received, the daemon responds with a crypto-NAK packet.

While processing incoming packets, the findpeer() function is called to check whether the packet comes from an existing peer. It returns a pointer to the peer structure, or NULL if no peer is found. To check whether the packet is a crypto-NAK, the valid_NAK() function is called, and one of its parameters is the pointer returned by findpeer(). Without checking that pointer for NULL, valid_NAK() accesses the keyid and flags fields of the peer structure, which causes a NULL pointer dereference.

A remote attacker can send an unsolicited crypto-NAK packet to exploit this vulnerability, which can lead to a denial of service.
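The receive path described above, modelled in Python as an added example (this is not ntpd's source): the unchecked valid_NAK() reads peer fields after findpeer() has found nothing, while the checked version rejects the packet first. The peer table, the flag bit FLAG_AUTHENABLE and the packets are constructed; the crypto-NAK layout (48-byte header followed by a 4-byte MAC carrying key id 0) follows RFC 5905.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the receive path; field names keyid/flags follow the text above.
NTP_HEADER_LEN = 48            # fixed NTP header size
CRYPTO_NAK_MAC = b"\x00" * 4   # RFC 5905: a crypto-NAK is a 4-byte MAC with key id 0, no digest
FLAG_AUTHENABLE = 0x01         # assumed flag bit: this association expects authenticated packets


@dataclass
class Peer:
    addr: str
    keyid: int
    flags: int


# Constructed association table standing in for ntpd's peer list.
PEERS = {
    "10.0.0.1": Peer("10.0.0.1", keyid=42, flags=FLAG_AUTHENABLE),
    "10.0.0.2": Peer("10.0.0.2", keyid=7, flags=0),
}


def findpeer(src: str) -> Optional[Peer]:
    """Lookup described in the text: the peer structure, or None when the sender is unknown."""
    return PEERS.get(src)


def make_packet(mode: int, mac: bytes = b"") -> bytes:
    """Build a constructed NTP packet: LI=0, VN=4, the given mode, zeroed fields, then the MAC."""
    first = (0 << 6) | (4 << 3) | (mode & 0x07)
    return bytes([first]) + bytes(NTP_HEADER_LEN - 1) + mac


def is_crypto_nak(pkt: bytes) -> bool:
    """A crypto-NAK is the header followed by exactly the 4-byte zero key id."""
    return len(pkt) == NTP_HEADER_LEN + 4 and pkt[NTP_HEADER_LEN:] == CRYPTO_NAK_MAC


def valid_nak_unchecked(peer: Optional[Peer], pkt: bytes) -> bool:
    """Shape of the defect: peer fields are read before confirming a peer exists."""
    if not is_crypto_nak(pkt):
        return False
    # When findpeer() returned nothing this raises AttributeError, the Python
    # analogue of the NULL pointer dereference described above.
    return peer.keyid != 0 and bool(peer.flags & FLAG_AUTHENABLE)


def valid_nak_checked(peer: Optional[Peer], pkt: bytes) -> bool:
    """Hardened version: a packet from an unknown sender is rejected before any field access."""
    if peer is None or not is_crypto_nak(pkt):
        return False
    return peer.keyid != 0 and bool(peer.flags & FLAG_AUTHENABLE)


def receive(src: str, pkt: bytes) -> bool:
    """Hardened receive path: True only for a crypto-NAK from a known, authenticating peer."""
    return valid_nak_checked(findpeer(src), pkt)


def receive_unchecked_outcome(src: str, pkt: bytes) -> str:
    """Run the defective path and report what happens, so the failure mode is observable."""
    try:
        return "accepted" if valid_nak_unchecked(findpeer(src), pkt) else "rejected"
    except AttributeError:
        return "crash"  # the daemon would have dereferenced NULL here


if __name__ == "__main__":
    nak = make_packet(mode=1, mac=CRYPTO_NAK_MAC)  # mode 1: symmetric active
    print("known peer:", receive("10.0.0.1", nak))
    print("unknown sender, checked:", receive("10.0.0.99", nak))
    print("unknown sender, unchecked:", receive_unchecked_outcome("10.0.0.99", nak))
```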

Dell SonicWALL has researched this vulnerability. The following signature has been created to protect their customers.

  • IPS: 11240 NTP Daemon Crypto-NAK Authentication Bypass 1

Become the “Department of Yes” for BYOD Using SonicWall Secure Mobile Access 8.5

One of the most frightening IT nightmares is hearing employees say their mobile devices or laptops were lost or stolen. Cyber-attacks and mobile threats are at the highest they have ever been and will continue to soar. Customers large and small face cyber espionage. Today, at SonicWall Security PEAK16 – “Come for Knowledge. Leave with Power” – at the Hotel Excelsior in Malta, we are announcing the SonicWall Secure Mobile Access (SMA) 100 Series OS 8.5. This product’s new features and enhancements offer comprehensive security; it allows IT administrators to quickly and easily deliver secure mobile access and role-based privileges. Remote workers using managed or unmanaged devices will have secure, fast and easy access. I am honored to share this news at our highly anticipated annual conference for European security value-added resellers (VARs). For the next two days, we are meeting for insightful one-on-one dialogue with top VAR business and technical executives.

The VARs are at the core of our ecosystem. They deliver the expertise to chief security officers (CISOs) with speed and agility, without compromising company security. This is at the heart of our worldwide campaign, the “Department of Yes.” When you partner with SonicWall Security, you have the power and support of the world’s leading security provider for your customers — while opening up limitless opportunities for your business.

“We at CETSAT have been working with the SonicWall family of products for over 15 years. SonicWall has always been able to maintain a commanding relevance to business and today is no different. With IT security increasingly on the mind of every business owner, director and staff responsible for technology, the SonicWall Security portfolio of products leads the way in helping companies of all sizes to reduce risk from cyber threats and prevent disruption to business. CETSAT look forward to a continuing and beneficial relationship with this great world brand.”

— Durgan Cooper, president of CETSAT

Peak16 attendees and press will be introduced to SonicWall Secure Mobile Access OS 8.5’s capacity to allow small to medium sized businesses to ensure workers can be securely productive anywhere and on any device. Becoming part of the “Department of Yes” gives IT administrators the flexibility to enable BYOD while protecting business assets and the organization from today’s shape-shifting threats. The SMA 100 Series is compatible with devices across Windows, iOS, Mac OS X, Android, Linux, Kindle Fire and Chrome. We provide mobile users secure access to network resources including shared folders, client-server applications, intranet sites, email and remote and virtual desktop services. Our proven and award-winning solutions enable IT to configure policies for context-aware authentication, granting access only to trusted devices and authorized users. Some of the innovative enhancements of this release include:

  • Policy wizards – Easy wizards to deploy policies for OWA, ActiveSync, Outlook Anywhere and Auto-discover.
  • HTML5 Enhancements – Delivers end users with a rich access experience within their choice of web browser, eliminating their need to download, install and maintain additional software on their systems.
  • Virtual Host Multicore Support – Increases resource capacity of host resources that can be accessed by SMA giving greater reliability and performance at higher concurrencies for connected users.

Also, noteworthy recent enhancements to SonicWall SMA 100 series include:

  • Web Application Firewall (WAF) Enhancements – Securing internal web applications from remote users, SonicWall’s award-winning WAF engine has been enhanced to detect additional exploits and threats. This ensures that the confidentiality of data and internal web services remains uncompromised if a malicious or rogue authenticated user should gain access.
  • Geo IP Detection and Botnet Protection – Grants customers a mechanism to allow or restrict user access from various geographical locations.
  • End Point Control (EPC) Enhancements – Enhancements to the SMA EPC engine provide greater assurance that the endpoint accessing the network is trusted and not malicious.

SonicWall Security EMEA PEAK16 also offers a wealth of state-of-the-art keynotes by our executives (including yours truly), as well as technical and business breakouts that open up the world of the Department of Yes. These jam-packed sessions address our end-to-end security, including our identity-aware firewalls and more.

We are delighted that our security channel partners are joining us for SonicWall Security PEAK16 in Malta. I encourage you to engage live with us by following the ongoing discussion on Twitter, LinkedIn and Facebook at @SonicWall with the conference hashtags #EMEAPEAK16, and post your comments below.

SonicWALL Channel Partners Come for Knowledge and Leave with Power at EMEA PEAK16 in Malta

Today, we are so excited to be here at the Grand Hotel Excelsior in Valletta, Malta with more than 230 of our security-focused partners, for the annual SonicWall Security EMEA PEAK16 conference. This is SonicWall Security’s opportunity to affirm our commitment to our channel partners and to work together to protect our customers.

The conference comes at a time when the cyber threat landscape is hotter than ever. We can’t deny the headlines reporting how enterprises of all sizes are under attack. And it’s clear that most of these enterprises are ill-prepared to keep pace with the threats or deal with the inevitable breach. This is where SonicWall Security’s Channel comes in. These talented organizations are where enterprises must turn to seek advice and action on how to protect their brands, their assets and IP, and their customers. Together with our Partners, SonicWall Security is on a mission to protect our customers!


If you are a CISO, how do you know if you can defend against the countless known and unknown threats? Is your customer data safe? What should you do about ransomware? We recently launched a worldwide campaign focused on helping these CISOs understand how they can address the security threats that prevent them from supporting the business of their enterprise, and swiftly move from being an obstacle to an enabler. We help them become the Department of Yes. SonicWall Security EMEA Peak16 details for our partners how to architect and deliver the security solutions that turn “no” into “yes,” and how to break down the silos that exist between all the traditional elements in a security blueprint. I am excited to spend the next few days showing our partners how, by leveraging our SonicWall network security and SonicWall One Identity portfolios, we can inspect every packet and govern every identity in a seamless, integrated way that delivers superior security.

We recently saw a great guest blog by Eamon Moore, managing director of EMIT, our premier partner in Ireland, highlighting what he is looking for this year to expand his knowledge and networking with peers across Europe. With the packed agenda and expert speakers, we hope to inspire our Partners to drive conversations with their customers that go well beyond bits and bytes, to approach a security strategy in a different, connected way. In doing so, our Partners will be able to add more value as the trusted advisor and enable their customers to become the Department of Yes.

We are looking forward to meeting up with Jason Hill, Sales Director for Exertis VAD Solutions, our premier partner.

“Our relationship with SonicWall spans nearly two decades; in 2017 we will celebrate our 20th anniversary, and I know the commitment from both parties makes our relationship rock solid. SonicWall Security has opened up new opportunities for us and more importantly our channel, and we are looking forward to working with our partners to provide comprehensive security to their end user base.

Peak 2016 in Malta will be packed with the latest solution and product updates. We never miss attending these events as they are the perfect opportunity to catch up with the staff from SonicWall, meet our channel partners and learn together.” – Jason Hill, Sales Director, Exertis VAD Solutions, United Kingdom.

EMEA Peak16 also provides a great forum for SonicWall Security to outline all of the new programs, tools, resources, enablement and incentives we are investing in to help our Partners build an even more significant and profitable practice with SonicWall Security.

Key among these is our new Reward for Value structure, where partners earn the maximum reward for the value they add to selling and implementing SonicWall Security solutions. We’ll detail how identifying new opportunities, building technical expertise and executing a successful proof of concept all translate into building a more profitable practice. We are also announcing new partner enablement: a specific accreditation focused on how to help their customers become a “Department of YES.”

A significant portion of the agenda is also dedicated to deep dives into our product portfolio, both the evolution and latest features of long-standing products like our SonicWall next-gen firewalls, SonicWall Secure Mobile Access and SonicWall Email Security that many of our Partners have made mainstays of their security solutions for many years, as well as new and exciting security services such as SonicWall Capture ATP. Partners tell us that our rock solid portfolio and recent innovations in these areas inspire them, and we are confident we can wow them with this at EMEA Peak16.

Finally, SonicWall Security EMEA Peak16 is a tremendous opportunity for feedback from our partners on what we can do to enhance and support their business. I’m excited to continue this two-way communication where our partners advise us on our products and programs, our sales investment and sales motions, helping improve our support and the overall customer life cycle experience we jointly deliver. As the head of sales, I’m hoping to learn how we can team most effectively with our Partners to compete and win incremental business. We have built a deliberate and fully dependent go-to-market model on our partners, and it’s important to me that we are the best business partner we can be to them and that we strive to be easy to do business with.

And one last thing, as my 25 years of working with partners has taught me, an event like SonicWall Security EMEA Peak16 is also an opportunity for us all to get to know each other better, to connect on a personal level and have some FUN! We are united in our mission to protect our customer and the more personal our bond, the more effective we will be in our pursuit of this very important mission.

For those who cannot be with us, I encourage you to follow the ongoing discussion on Twitter with #EMEAPEAK16, #PartnerDirect, @SonicWall @SonicWallChannelEMEA and post your comments below.

New Android Lockscreen campaign spotted in the wild (May 12, 2016)

The Dell SonicWALL Threats Research Team received reports of a new wave of lockscreen malware spreading for Android. This lockscreen is spreading mainly via porn-related apps. We observed multiple groups of apps with subtle differences but the same overall functionality, indicating that this campaign is using multiple mediums to spread. Based on some of the components, it appears that this campaign is still in its early stages and will evolve with time.

Infection Cycle

Upon installation the app requests Device Administrator privileges. On opening the application or the System Settings app we see the screen shown in the figure. This screen appears to be the ransom/lockscreen, but the user can easily leave this view by pressing the Home or Menu buttons.

Traditionally, lockscreens cover the entire screen of the device and “lock” the users into a position where the device becomes unusable, as the users cannot get out of the lockscreen view. In this campaign, at the moment, the victim cannot view the contents of the System Settings while the lockscreen is shown. It is interesting to note that there is no demand for ransom of any kind; together with the fact that the victim can leave this view, this indicates that the mechanism might not be completely implemented.

Once the application starts running, encoded data is transmitted to multiple domains in the background. The same encoding routine is present in each application that is part of this campaign:

We observed data being sent to the following domains:

  • routstreetcars.com
  • highlevelzend.com
  • girlszendarno.com
  • artflowerstreet.net
  • raspberryfog.net

If an Android device is infected with malware that holds Device Administrator privileges, it becomes difficult to remove because the uninstall button is greyed out. A good way around this is to boot the device into Safe Mode and then remove it. Safe Mode disables third-party apps, which makes it easier to remove malware or any unwanted app. But some Android malware persists in Safe Mode as well, and this malicious app is no different.

Once in Safe Mode the malicious app starts blocking the System Settings after a few moments as shown below:

The traditional way to remove an application does not work here, as the System Settings app is unusable because of the lockscreen. An alternative is to disable the running app via Android Debug Bridge (adb):

  • Enter the device shell: adb shell
  • Disable the app from inside the shell: pm disable [ application package name ]
  • Exit the shell and run: adb uninstall [ application package name ]

We observed a number of apps belonging to this campaign, and most of them share a lot of similarities:

  • Display Icons
    Most of the apps belonging to this campaign use one of the following icons:
  • Services
    Most of the applications have a set of services, 15-17 in number, with the following naming structure:
    [ package_name ].[ random_word ]Service[ random_number ]

    We observed two sets of random words in most of the applications. The table below shows the services from three applications:

  • Permissions requested during installation
    The applications request the following permissions during installation:
    • Bluetooth
    • Bluetooth Admin
    • Internet
    • Write Contacts
    • Write Settings
    • Write History Bookmarks
    • Read Contacts
    • Restart Packages
    • Read Profile
    • Get Tasks
    • Read Call Log
    • Read History Bookmarks
    • Write External Storage
    • Access Fine Location
    • Receive Boot Completed
    • Read Phone State
    • Vibrate
    • System Alert Window
    • Kill Background Processes
    • Camera
    • Wake Lock
    • Access Coarse Updates
    • Process Outgoing Calls
    • Access Coarse Location
  • Code Structure
    Upon inspecting the code structure we found that many applications contain a set of three class files, with the encoding routine present in one of these classes as shown below:

    Interestingly, many applications contained an additional component in addition to the classes mentioned above. This additional component is the Chartboost SDK; Chartboost is a mobile game monetization platform that can be used to show video ads in games. However, none of the apps actually do anything other than show the lockscreen image.

  • Lockscreen
    The lockscreen image is present in the assets folder of each malicious application from this campaign:
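An added triage helper (not SonicWALL's tooling) that checks an AndroidManifest.xml for the traits listed above: the [package].[random_word]Service[random_number] service naming with 15-17 such services, the lockscreen-relevant permissions, and a receiver guarded by the Device Administrator permission. The manifest it inspects is constructed sample data, and the permission subset and the verdict rule are this example's own choices.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Service naming reported for the campaign: [package].[random_word]Service[random_number]
SERVICE_RE = re.compile(r"^(?P<pkg>[A-Za-z0-9_.]+)\.(?P<word>[a-z]+)Service(?P<num>\d+)$")
SERVICE_COUNT_RANGE = range(15, 18)  # "15-17 in number"

# Subset of the requested permissions that matters for a lockscreen (this example's choice).
LOCKSCREEN_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.KILL_BACKGROUND_PROCESSES",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.GET_TASKS",
    "android.permission.RESTART_PACKAGES",
}
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"


def patterned_service_names(pkg: str, names: list) -> list:
    """Return the service names that follow the campaign's pattern under this package."""
    hits = []
    for name in names:
        m = SERVICE_RE.match(name)
        if m and m.group("pkg") == pkg:
            hits.append(name)
    return hits


def triage_manifest(xml_text: str) -> dict:
    """Score one AndroidManifest.xml against the traits the campaign's apps share."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    services = [s.get(ATTR_NAME, "") for s in root.iter("service")]
    patterned = patterned_service_names(pkg, services)
    perms = {p.get(ATTR_NAME, "") for p in root.iter("uses-permission")}
    device_admin = any(r.get(ATTR_PERMISSION) == DEVICE_ADMIN for r in root.iter("receiver"))
    return {
        "package": pkg,
        "service_count": len(services),
        "patterned_services": len(patterned),
        "suspicious_permissions": sorted(perms & LOCKSCREEN_PERMISSIONS),
        "requests_device_admin": device_admin,
        # Heuristic verdict: all three traits together, as observed in the samples above.
        "matches_campaign_profile": (
            len(patterned) in SERVICE_COUNT_RANGE
            and device_admin
            and "android.permission.SYSTEM_ALERT_WINDOW" in perms
        ),
    }


SAMPLE_WORDS = ["harbor", "meadow", "quartz", "violet"]  # constructed stand-ins for the random words


def build_sample_manifest(pkg: str, n_services: int) -> str:
    """Construct a manifest mimicking the campaign's layout (sample data, not a real app)."""
    services = "\n".join(
        f'    <service android:name="{pkg}.{SAMPLE_WORDS[i % len(SAMPLE_WORDS)]}Service{i}" />'
        for i in range(n_services)
    )
    return f"""<manifest xmlns:android="{ANDROID_NS}" package="{pkg}">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW" />
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES" />
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
  <uses-permission android:name="android.permission.INTERNET" />
  <application>
    <receiver android:name="{pkg}.AdminReceiver" android:permission="{DEVICE_ADMIN}" />
{services}
  </application>
</manifest>"""


if __name__ == "__main__":
    print(triage_manifest(build_sample_manifest("com.example.lock", 16)))
```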

Overall, it looks like this campaign is in its early days, as the lockscreen does not work as expected and it is easy to get out of the “lock” state. At present only the System Settings app is unusable; apart from that, other functionality is intact. Considering the volume of malicious apps that are part of this campaign, it may grow bigger in the near future with updated components. We can expect a different lockscreen image in the future that demands a ransom in some form.

Dell SonicWALL provides protection against multiple versions of this threat via the following signatures:

  • GAV: AndroidOS.Ransomware.LK
  • GAV: AndroidOS.Ransomware.LK_2
  • GAV: AndroidOS.Ransomware.LK_3
  • GAV: AndroidOS.Ransomware.LK_4

Below are details about a small subset of the samples from each group that we observed; the groups have been differentiated based on their icons:


Inspect Everything, Protect Everything: Next Generation Firewalls for Network Segmentation Inspection

Most of us would reach into a cookie jar full of delicious, just-out-of-the-oven, chocolate chip cookies without a care in the world, or any doubt that we should simply enjoy the euphoric chocolaty goodness.

But what about germs? Did everyone wash their hands before reaching into the jar? What soap did they use? How do you know if your delicious cookie hasn’t been infected? It’s not like you can force someone to stand guard with a bottle of hand sanitizer to ensure that everyone is disinfected before they reach their hand into the jar. Or can you?

Your network data is a lot like that jar of cookies. You want to ensure it is available for those trusted to be able to enjoy and use, and you want to keep it safe from infection. You also want to be able to see who else is reaching into your cookie jar, and make sure they aren’t eating all the cookies. You want to make sure you are protected from cookie thieves and other crumb snatchers.

The practice of architecting a network with different zones and segments based on usage, function, or location (for instance, configuring different network zones or VLANs for different uses, such as isolating DMZ from LAN traffic) is nothing new. It has been a long-standing cornerstone of any enterprise network. Over the years this segmentation theme has grown drastically in some enterprises, such that different hallways or floors of buildings are isolated on specific VLANs, or printers and servers are on different VLANs than end-user workstations. In some cases, there could be further segmenting of various Wi-Fi networks, VoIP networks, or publicly accessible kiosks. In the Internet of Things model, everything needs to be connected, but, for controlling the connectivity, network segmentation is still a vastly favored and effective method.

However, there is a flaw in this mindset that many network admins and architects have overlooked, and that is the evolving security threat landscape. Most networks using forms of VLAN segmentation have deployed these VLANs on high-performance core network switches to support the vast demand for connectivity and throughput. As such, the most common example of this configuration is several VLANs combined with Layer 3 IP interfaces built on the core switch. Once this is configured, users can route directly over the switch from the user networks to the server networks. While this is traditionally a very effective and standard approach to network communications, it has become an effective way for malware to communicate as well. In this approach, as there is typically no access control between the end-user and server segments, exploits, trojans, and malware can pass freely from zone to zone.

Consider the data as the cookies, and the server zone in which they sit as the cookie jar. You need to make sure every user that reaches their hand into that jar has used hand sanitizer to make sure they are not passing off any infections. You need to make sure the users reaching into that jar are who they say they are, and that they aren’t stealing your favorite cookie. You cannot rely on simple network access control or stateful packet inspection via access list on a core switch to protect your cookies. The threat landscape has evolved, and stateful rules that would permit file share access would also permit communications for the latest ransomware exploits. Don’t let the bad guys hold your cookies hostage.

By deploying the SonicWall Next-Gen Firewall with advanced Gateway Antivirus, Access Control, Application Inspection, Intrusion Prevention, and Advanced Persistent Threat Protection, in combination with a network architecture crafted for segmenting different network zones, you can successfully ensure that everyone’s hands have been disinfected. Keep your cookie jar clean from the latest botnets, exploits, intrusions, and malware. Read more on this topic with our “Executive Brief: Why you need network security segmentation to stop advance threats.”

Unpatched, critical Flash vulnerability being exploited in the wild (CVE-2016-4171)

Adobe Flash Player is affected by a critical vulnerability that is reported to be exploited in the wild. The following CVE identifier has been assigned to this vulnerability:

  • CVE-2016-4171

This vulnerability affects Flash Player on Windows, Macintosh, Linux and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. Adobe reports that the vulnerability is being exploited in the wild on a limited, targeted basis.

Adobe is aware of this vulnerability and expects to release a patch as early as June 16.

The Dell SonicWALL team has written the following signature to help protect our customers from this attack:

  • Malformed-File swf.MP.550

Microsoft Security Bulletin Coverage (June 14, 2016)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for June 10, 2016. A list of the issues reported, along with Dell SonicWALL coverage information, follows:

MS16-063 Cumulative Security Update for Internet Explorer

  • CVE-2016-0199 Internet Explorer Memory Corruption Vulnerability
    IPS:11661 “Internet Explorer Memory Corruption Vulnerability (MS16-063) 1”
  • CVE-2016-0200 Internet Explorer Memory Corruption Vulnerability
    IPS:11662 “Internet Explorer Memory Corruption Vulnerability (MS16-063) 2”
  • CVE-2016-3202 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-3205 Scripting Engine Memory Corruption Vulnerability
    IPS:11663 “Scripting Engine Memory Corruption Vulnerability (MS16-063) 1”
  • CVE-2016-3206 Scripting Engine Memory Corruption Vulnerability
    IPS:11663 “Scripting Engine Memory Corruption Vulnerability (MS16-063) 1”
  • CVE-2016-3207 Scripting Engine Memory Corruption Vulnerability
    IPS:11665 “Scripting Engine Memory Corruption Vulnerability (MS16-063) 3”
  • CVE-2016-3210 Scripting Engine Memory Corruption Vulnerability
    IPS:3310 “HTTP Client Shellcode Exploit 82”
  • CVE-2016-3211 Internet Explorer Memory Corruption Vulnerability
    SPY:4954 “Malformed-File exe.MP.17_5”
  • CVE-2016-3212 Internet Explorer XSS Filter Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-3213 WPAD Elevation of Privilege Vulnerability
    SPY:4959 “Malformed-File exe.MP.18”

MS16-068 Cumulative Security Update for Microsoft Edge

  • CVE-2016-3198 Microsoft Edge Security Feature Bypass
    IPS:11667 “Microsoft Edge Security Feature Bypass (MS16-068)”
  • CVE-2016-3199 Scripting Engine Memory Corruption Vulnerability
    IPS:11668 “Scripting Engine Memory Corruption Vulnerability (MS16-068) 5”
  • CVE-2016-3201 Windows PDF Information Disclosure Vulnerability
    SPY:4956 “Malformed-File pdf.MP.157”
  • CVE-2016-3202 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-3203 Windows PDF Remote Code Execution Vulnerability
    SPY:4957 “Malformed-File pdf.MP.158”
  • CVE-2016-3214 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-3215 Windows PDF Information Disclosure Vulnerability
    SPY:4958 “Malformed-File pdf.MP.159”
  • CVE-2016-3222 Microsoft Edge Memory Corruption Vulnerability
    IPS:11669 “Microsoft Edge Memory Corruption Vulnerability (MS16-068) 1”

MS16-069 Cumulative Security Update for JScript and VBScript

  • CVE-2016-3205 Scripting Engine Memory Corruption Vulnerability
    IPS:11663 “Scripting Engine Memory Corruption Vulnerability (MS16-063) 1”
  • CVE-2016-3206 Scripting Engine Memory Corruption Vulnerability
    IPS:11663 “Scripting Engine Memory Corruption Vulnerability (MS16-063) 1”
  • CVE-2016-3207 Scripting Engine Memory Corruption Vulnerability
    IPS:11665 “Scripting Engine Memory Corruption Vulnerability (MS16-063) 3”

MS16-070 Security Update for Microsoft Office

  • CVE-2016-0025 Microsoft Office Memory Corruption Vulnerability
    SPY:4955 “Malformed-File doc.MP.37”
  • CVE-2016-3233 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-3234 Microsoft Office Memory Corruption Vulnerability
    IPS:11670 “Microsoft Office Information Disclosure Vulnerability (MS16-070) 1”
  • CVE-2016-3235 Microsoft Office OLE DLL Side Loading Vulnerability
    There are no known exploits in the wild.

MS16-071 Security Update for Microsoft Windows DNS Server

  • C
    Windows DNS Server Use After Free Vulnerability
    There are no known exploits in the wild.

MS16-072 Security Update for Group Policy

  • CVE-2016-3223 Group Policy Elevation of Privilege Vulnerability
    There are no known exploits in the wild.

MS16-073 Security Update for Windows Kernel-Mode Drivers

  • CVE-2016-3218 Win32k Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2016-3221 Win32k Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2016-3232 Windows Virtual PCI Information Disclosure Vulnerability
    There are no known exploits in the wild.

MS16-074 Security Update for Microsoft Graphics Component

  • CVE-2016-3216 Information Disclosure Vulnerability
    SPY:4791 “Malformed-File emf.MP.7”
  • CVE-2016-3219 Win32k Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2016-3220 ATMFD.DLL Elevation of Privilege Vulnerability
    This is a local vulnerability.

MS16-075 Security Update for Windows SMB Server

  • CVE-2016-3225 Windows SMB Server Elevation of Privilege Vulnerability
    There are no known exploits in the wild.

MS16-076 Security Update for Netlogon

  • CVE-2016-3228 Windows NetLogon Memory Corruption Remote Code Execution Vulnerability
    There are no known exploits in the wild.

MS16-077 Security Update for WPAD

  • CVE-2016-3213 WPAD Elevation of Privilege Vulnerability
    SPY:4959 “Malformed-File exe.MP.18”
  • CVE-2016-3236 Windows WPAD Proxy Discovery Elevation of Privilege Vulnerability
    IPS:11660 “NBNS Spoofing”

MS16-078 Security Update for Windows Diagnostic Hub

  • CVE-2016-3231 Windows Diagnostics Hub Elevation of Privilege Vulnerability
    This is a local vulnerability.

MS16-079 Security Update for Microsoft Exchange Server

  • CVE-2016-0028 Microsoft Exchange Information Disclosure Vulnerability
    There are no known exploits in the wild.

MS16-080 Security Update for Microsoft Windows PDF

  • CVE-2016-3201 Windows PDF Information Disclosure Vulnerability
    SPY:4956 “Malformed-File pdf.MP.157”
  • CVE-2016-3203 Windows PDF Remote Code Execution Vulnerability
    SPY:4957 “Malformed-File pdf.MP.158”
  • CVE-2016-3215 Windows PDF Information Disclosure Vulnerability
    SPY:4958 “Malformed-File pdf.MP.159”

MS16-081 Security Update for Active Directory

  • CVE-2016-3226 Active Directory Denial of Service Vulnerability
    There are no known exploits in the wild.

MS16-082 Security Update for Microsoft Windows Search Component

  • CVE-2016-3230 Windows StructuredQuery Denial of Service Vulnerability
    There are no known exploits in the wild.

Antidetect.B malware found with valid digital certificate (Jun 8, 2016)

The Dell SonicWALL Threats Research team observed reports of a second generation of the malware family detected as GAV: Antidetect.B actively spreading in the wild. A recently discovered variant of Antidetect was found to carry a legitimate digital signature to evade detection by anti-virus systems. Antidetect.B uses process injection via Microsoft Register Server (Regsvr32.exe) and manipulates the Windows registry to avoid detection. Because the malware carries a valid digital signature, it appears trustworthy at first glance, which makes this an extremely dangerous situation.

Infection Cycle:

The Malware uses the following icon:


  • 33f494d3a27ded5c85f29c91f87400e0

The Malware adds the following file to the system:

  • Malware.exe

    • %Userprofile%\Local Settings\Application Data\[Random Name]\[Random Name].exe

The Malware adds the following keys to the Windows registry to ensure persistence upon reboot:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

The malware manipulates the Windows registry so that even if you run Regedit.exe you will not see any evidence of the malware.

Here is an example:

The malware creates a UID from your system and saves it under the following registry keys:

Here is an example:

Once the computer is compromised, the malware copies its own executable to the %Userprofile%\Local Settings\Application Data folder under a random name and then injects into Regsvr32.exe to collect information from the target system.

Here is an example of the Malware injection:

The malware tries to transfer your personal information to its own C&C server, using domains such as the following:

Command and Control (C&C) Traffic

Antidetect.B performs C&C communication over ports 80 and 8080. The malware sends your system information to its own C&C server in the following format; here are some examples:

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Antidetect.B (Trojan)

Looking Ahead to Black Friday: Fortify Your Network Security

One of my first customers in IT was a large retailer, with more than a thousand stores. This was at a time when e-commerce was just beginning, at least for large, traditional retailers. Giving their customers the ability to purchase on the web was still a year or two away.

This retailer made about 90 percent of its annual revenue between Thanksgiving and New Year’s Day. That was “Season”, and the entire year’s IT schedule was built around getting ready for Season. Any and all hardware upgrades, OS changes, and software updates were to be completed and locked in by mid October. Change control during Season was very simple: No changes unless something broken absolutely had to be fixed, you were able to make a 100% solid case for the change, and not doing the change would impact revenue. Otherwise, hold off until January.

Retail’s a lot more complex these days, and brick-and-mortar is only one of the revenue-generating retail channels. Still, Season remains Season. And it all begins with Black Friday. Estimates of 2015’s revenue for the first two days of Season, including Black Friday, top $4 billion in the U.S., with about a third of that coming from online sales. More than 150 million shoppers purchased online during the 2015 Thanksgiving holiday weekend.

Clearly, this is not a time to have security issues with your infrastructure, and especially so with your payment systems, whether online or POS systems in your stores.

The relevant compliance standard is PCI DSS (Payment Card Industry Data Security Standard). Version 3.1 takes effect on June 30, and includes a number of changes from the previous version (3.0). These include, with some exceptions, removal of SSL and early versions (1.0 and 1.1) of TLS, along with some additional clarifications of existing requirements, a number of which are common sense clarifications (For example, don’t send unencrypted account numbers in a text message. You think?).

Complying with PCI DSS is a good way to reduce your business's risk of cyber attack, but it's really only a waypoint toward better security, not an end in and of itself. That's a point SonicWall Security's Tim Brown, our CTO and a SonicWall Fellow, makes in an on-demand webcast highlighting the changes to PCI DSS in version 3.1, so that you can be best prepared for Black Friday. We offer SonicWall network security solutions to help you stay PCI compliant and improve security well beyond the PCI basics. Staying in line with 3.1 will put you in better shape for a more secure, successful Black Friday, Cyber Monday, and holiday Season. It will also prepare you for PCI DSS 3.2, which includes additional clarifications and new requirements, particularly around multifactor authentication for anyone with access to cardholder data. While 3.2 succeeds 3.1 as the standard for assessments as of this October, its new requirements will not be mandated until February 2018; until then, they'll just be considered best practices.

Learn more about the changes in PCI DSS 3.1, and how they can help your business prepare for Black Friday. View Focusing on security to meet compliance: responding to changes in PCI DSS 3.1.

Apache Struts Dynamic Method Invocation Remote Code Execution (CVE-2016-3081)

A remotely exploitable vulnerability that requires no authentication exists in Apache Struts. It allows an attacker to execute arbitrary code on the server with the privileges of the user running the Java web container process (e.g. JBoss or Tomcat). CVE-2016-3081 has been assigned to this vulnerability.

Apache Struts is an MVC (model-view-controller) framework for building Java web applications. It uses the Java Servlet API to expose an ActionServlet controller. Requests coming from a client are sent to the controller in the form of 'actions'. These actions are outlined as a map in a configuration file, and the corresponding method is invoked accordingly. An interface called ActionMapper provides the mapping between a request and the corresponding action; the default implementation is the DefaultActionMapper class.

A remote code execution vulnerability exists in the Apache Struts 2 framework due to a lack of proper sanitization inside the constructor of DefaultActionMapper, which fails to properly validate attacker-supplied values. This allows a remote attacker to craft a malicious request that causes the vulnerable server to execute arbitrary code.
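Since the flaw is reached through Dynamic Method Invocation (the feature that lets the incoming request select which action method runs), the configuration-level mitigation is to switch that feature off and declare each needed action method explicitly. The struts.xml fragment below is an added example, not taken from the Struts project or this advisory; the package, action and class names (com.example.LoginAction and so on) are placeholders, while the struts.enable.DynamicMethodInvocation constant is the real Struts 2 setting that controls DMI.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
    <!-- Weak setting, shown for contrast only: with DMI enabled the request, not the
         configuration, decides which method of an action class is invoked.
         <constant name="struts.enable.DynamicMethodInvocation" value="true" />
    -->

    <!-- Hardened setting: DMI disabled. Set it explicitly rather than relying on the
         framework default, so the intent survives upgrades and audits. -->
    <constant name="struts.enable.DynamicMethodInvocation" value="false" />

    <!-- With DMI off, every reachable method is named here; anything not declared
         cannot be selected by a client. Names below are placeholders. -->
    <package name="example" namespace="/" extends="struts-default">
        <action name="login" class="com.example.LoginAction" method="execute">
            <result name="success">/home.jsp</result>
            <result name="input">/login.jsp</result>
        </action>
        <action name="logout" class="com.example.LoginAction" method="logout">
            <result name="success">/login.jsp</result>
        </action>
    </package>
</struts>
```

Disabling DMI is a mitigation, not a substitute for applying the vendor fix: it removes the request-controlled method selection this class of bug depends on, but the patched DefaultActionMapper is what actually closes CVE-2016-3081.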

The following versions of Apache Struts are vulnerable:

  • Apache Struts 2

The Dell SonicWALL team has written the following signatures to help protect our customers from this attack:

  • 11631:Apache Struts Dynamic Method Invocation Remote Code Execution 1
  • 11632:Apache Struts Dynamic Method Invocation Remote Code Execution 2