Chocolate and Network Security: A Match Made in Heaven

I’ve just finished lunch and something is missing. It was a good lunch too: grilled cheese sandwich and lentil soup (a nod to the chilly, blustery Spring morning outside). I liked my lunch, but now I want a little... I don’t know... a little something. What I’d like, truth be told, is a little bit of chocolate. Maybe a small chunk of Ghirardelli’s milk chocolate, or whoa, how about a lovely Lindt Lindor truffle? Yes, that would be just the ticket, but alas... there’s no chocolate in the house.

And what, you may ask, has this to do with Security?

Everything. I assure you. Everything.

Let’s say you’re a distributor of fine chocolates, candies, gourmet sauces and other foods for the discerning palate. Let’s say your business is expanding by leaps and bounds, and your IT infrastructure is increasingly at risk as you get hit with various malware events. No one really thinks of the critical role that IT plays in undergirding the success of gourmet food, but as wholesale and retail provider First Source knew, without a sound and safe infrastructure they were going to be in trouble. First Source not only needed an updated security infrastructure to better protect against threats 24×7; they also needed this to happen while improving the speed and quality of its order processing.

As a chocolate craver, let me tell you, I’m so glad First Source put SonicWall Security’s mobile and network security solutions and gourmet food together.

Over a period of 18 months, First Source designed and deployed a company-wide SonicWall next-generation firewall solution, including firewall appliances at each remote location, to act as the gatekeepers for the First Source IT infrastructure.

And wouldn’t you know it: the SonicWall solution has not only boosted the company’s security, but having site-to-site SSL VPN access with load balancing and high-speed internet connections has allowed the company to increase efficiency and collaboration too (read what other benefits First Source experienced here).

In almost every industry, in almost every location, a solid, secure infrastructure undergirds almost all aspects of our lives. Even my chocolate cravings...

ISC BIND DNS DoS

Berkeley Internet Name Domain (BIND) is the Domain Name System implementation suite maintained by the Internet Systems Consortium (ISC). BIND can store and answer requests for authoritative information about domains, and it can also act as a recursive name server.

A DNS message consists of several types of resource records (RRs), such as type A and AAAA, which carry details about DNS resources and entities. The Extension Mechanism for DNS (EDNS0) is used to send additional capability information, such as the UDP payload size, through the OPT pseudo-RR. This pseudo-RR carries a list of options; one of them is the DNS Cookie option, which gives clients and servers some protection against DoS and forgery attacks.

BIND is prone to a DoS. The function process_opt() is called when BIND receives an OPT pseudo-RR. On encountering a COOKIE option it checks, with an INSIST assertion, that the variables sitbad and sitgood are both zero, and then sets one of them to one according to the cookie received. If it encounters a second COOKIE option, the assertion fails because one of sitbad or sitgood has already been set. This causes BIND to terminate.

A remote attacker can exploit this vulnerability by sending crafted DNS messages, leading to a denial of service condition.
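The condition the advisory describes, more than one COOKIE option inside the OPT pseudo-RR of a single message, is something a gateway signature can test for before the message ever reaches the resolver. The following Python is an added example written for this article, not BIND code and not the SonicWall signature itself. It walks a DNS message on the wire (header, question, then every RR), pulls the option list out of any OPT RR, and reports whether COOKIE (option code 10) appears twice. The sample messages it checks are constructed in `build_query`; they are not captured traffic.

```python
import struct

OPT_TYPE = 41          # OPT pseudo-RR type (RFC 6891)
EDNS_COOKIE = 10       # COOKIE option code (RFC 7873)


def _skip_name(msg, off):
    """Advance past a DNS name (labels or a compression pointer); return the new offset."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:                      # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:            # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def edns_option_codes(msg):
    """Return every option code carried by OPT pseudo-RRs in the message, in wire order."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # question: QNAME + QTYPE + QCLASS
        off = _skip_name(msg, off) + 4
    codes = []
    for _ in range(an + ns + ar):            # answer, authority and additional sections
        off = _skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated RR header")
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated RDATA")
        off += rdlen
        if rtype != OPT_TYPE:
            continue
        pos = 0                              # OPT RDATA is a list of {code, length, data}
        while pos + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            pos += 4
            if pos + olen > len(rdata):
                raise ValueError("option overruns OPT RDATA")
            codes.append(code)
            pos += olen
    return codes


def has_duplicate_cookie(msg):
    """True when the message carries more than one COOKIE option, the condition
    the advisory describes; a gateway rule would drop or log such a message."""
    return edns_option_codes(msg).count(EDNS_COOKIE) > 1


def build_query(cookie_options):
    """Constructed sample: an A query for example.com whose OPT RR carries the
    given number of COOKIE options (8-byte client cookie each). Not captured traffic."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    options = b""
    for _ in range(cookie_options):
        client_cookie = b"\x01" * 8
        options += struct.pack("!HH", EDNS_COOKIE, len(client_cookie)) + client_cookie
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(options)) + options
    return header + question + opt_rr


if __name__ == "__main__":
    for n in (0, 1, 2):
        verdict = "flag" if has_duplicate_cookie(build_query(n)) else "pass"
        print(n, "COOKIE option(s):", verdict)
```

The parser refuses truncated names, RR headers and option lengths with a `ValueError` rather than indexing past the buffer, which is the same discipline the advisory is about: a length or count taken from the wire is checked against what is actually present before it is used.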

This vulnerability affects the following products:

  • ISC BIND 9.10.0 through 9.10.3-P3

Dell SonicWALL Threat Research Team has researched this vulnerability and released the following signature to protect their customers:

  • IPS:11525 ISC BIND Cookie Option DoS

Three Reasons to Simplify Your Network Infrastructure

You have a growing business, so you need to add more connections: PCs, cameras, or even another location. As you grow, your IT infrastructure is getting complicated, and with every new branch office complexity becomes an issue. As this network grows, there are additional challenges when adding more connections that need to be managed by the firewall. For organizations with multiple remote sites, such as retailers and distributed enterprises, there could be hundreds of consoles to manage, leading to uncontrollable complexity and spiraling costs. Whether it’s scaling to expand a small business or already overseeing a large enterprise, managing the security of an entire distributed network necessitates a simpler and more consolidated approach that can work within tight budgets.

This seems to be a common theme for many companies, ranging from a single store to a large multi-store chain. As I see it, the challenge is the need for a simpler, more centralized approach that allows you to:

  • Securely grow the business
  • Manage security, wireless, cameras, VoIP, networking and WAN acceleration infrastructure through a centralized management console.
  • Create and deploy consistent security policies, across multiple branches or locations

Traditionally, you rely on your network expert to build out a network consisting of several dumb switches that only increase complexity and cost. This is especially true when configuring distributed networks, as each piece requires multiple consoles, increased overhead costs and the potential for misconfiguration and non-compliance. Managing success should not include dealing with increased complexity and less security.

SonicWall’s solution solves this challenge with a converged infrastructure approach. For a single installation, SonicWall lets you add more connections that are managed by the firewall, thus, delivering greater flexibility to apply granular security controls. SonicWall provides a single solution to connect all your devices, whether they be PCs and printers, or Power over Ethernet (PoE) devices (such as wireless access points and cameras). For remote installations, SonicWall’s solution lets you deliver consistent security policies that can be viewed under a single centralized management console.

To learn more about how you can grow your business while reducing complexity, click here to read our executive brief.

Petya Ransomware encrypts the MBR (Mar 30, 2016)

The Dell Sonicwall Threat Research team has received reports of yet another ransomware called Petya. Over the past year, ransomware has proven to be an increasingly lucrative business for cybercriminals and has become so widespread that victims have resorted to paying to get their data back. Petya is no different, but instead of just encrypting files it overwrites the system’s master boot record (MBR), effectively locking the victim out and rendering the machine unusable unless payment is made.

Infection Cycle:

Upon execution, Petya replaces the boot drive’s MBR with a malicious loader which will cause Windows to crash. On reboot, it will display a fake CHKDSK screen.

The victim is then greeted with a flashing skull.

After pressing any key, the instructions on how to pay to get their data back are displayed.

At this point the victim is locked out of the machine, which is rendered useless. Rebooting into safe mode is also not possible. Victims can reformat their computers but will obviously lose all of their data.

Below are the screenshots from the cybercriminals’ well-crafted website on the onion network, where further instructions are given on how to submit payment in bitcoins. It appears that the group behind Petya Ransomware is calling itself “Janus Cybercrime Solutions” and is demanding that victims send them 0.95865300 Bitcoins, the equivalent of $395 at the current exchange rate.

[Screenshots: Petya Ransomware Step 1, Step 2, Step 3, Step 4]

Because of the prevalence of these types of malware attacks, we urge our users to back up their files regularly.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Petya.AB (Trojan)
  • GAV: Petya.AC (Trojan)
  • GAV: Petya.AD (Trojan)

SonicWall Security Announces SonicOS 6.2.5 for SonicWALL Next-Generation Firewalls

Today, I am very excited to share with you the SonicOS 6.2.5 release for our 6th generation SonicWall TZ, NSA and SuperMassive Next-Generation firewalls. SonicOS 6.2.5 brings many new features that span SMB, distributed enterprise and high-end deployments. Further, SonicOS 6.2.5 simplifies support for SonicWall Security partners by offering a single software platform for the majority of the 6th generation SonicWall firewalls.

Highlights of SonicOS 6.2.5

  • SMB and distributed enterprises are challenged by the diverse management solutions involved in managing the security, switching and wireless access points for their network infrastructure. With the new SonicWall X-Series switch integration feature, SonicOS 6.2.5 delivers a consolidated management of all network infrastructure including TZ firewalls, X-Series switches, SonicPoints and WAN Acceleration devices from within the TZ Series firewalls.
  • The recently published 2016 SonicWall Security Annual Threat Report highlighted the surge in encrypted traffic as one of the major trends observed in 2016. To address the need for effective TLS/SSL inspection, multiple DPI SSL enhancements have been added to the new SonicOS 6.2.5 release. Key enhancements include, but are not limited to:
    • CFS category-based exclusion/inclusion of encrypted connections for efficient standards compliance (PCI, HIPAA)
    • Strengthened Encryption Methods (TLS 1.2, SHA256)
    • Increased default Certificate Authority (CA) database
    • Improved troubleshooting for encrypted connection failures with one-click exclude
    • Finer granularity for encrypted connection exclusions based on alternate domain names (excluding youtube.com vs. *.google.com)
    • Refreshed GUI for easy-to-use configuration of encrypted connection processing
    • Increased SSL Connection counts for NSA and SM Series firewalls
    • Unified Capabilities (UC) Approved Product List (APL) enhancements: SonicWall firewalls are now qualified for use by Department of Defense (DoD) agencies in the United States. Multiple enhancements, including the addition of new administrator roles, out-of-band management, enhanced audit logging and IPv6 features, were added to support UC APL certification and are now available to all customers running SonicOS 6.2.5.
    • Firewall Sandwich support and Wire mode VLAN translation features provide flexible and scalable solutions for datacenter deployments
    • Gateway Anti-Virus Detection Only Mode to support deployments where traffic containing viruses is logged but not blocked.
    • Flexible DPI actions for administrators to exclude/include traffic by protocols/DPI service/Application rule action.
    • Botnet Source identification in AppFlow Monitor to quickly view the individual user or IP address associated with the detected applications.
    • Wireless DFS Certification for FCC U-NII (Unlicensed-National Information Infrastructure) to ensure compliance for all customer SonicWall wireless appliances (SonicPoint ACe/ACi/N2)

This is exactly what our partners and customers are asking for. Our partners are active in the SonicOS 6.2.5 beta and are looking forward to all of these rich features to provide even greater security to their customers.

“We are excited about the SonicOS 6.2.5 release because it delivers the ability to control the most crucial elements of your network from a single pane of glass. Customers can now manage the Internet Security Appliance, Secure Wireless Network, and Network Switching from a single console. This is great news for customers and IT administrators, as it simplifies administration and support. This is a big gain for distributed enterprise as well, as this release also allows each of these components to be controlled from the SonicWall Global Management System. Western NRG is excited to have this functionality available in our own GMS instance, where we support hundreds of our customers’ SonicWalls,” said Tim Martinez, CEO of Western NRG, a premier SonicWall Partner.

With the SonicOS 6.2.5 release we have made huge strides to make a security officer’s life easier, to do more with less and to reduce the complexity of network management. All of the important enhancements of this release are available at no additional cost to customers with valid support contracts for SonicWall Next-Generation Firewalls or Unified Threat Management appliances. SonicOS 6.2.5 firmware is available as an Early Availability release on www.mysonicwall.com for customers with a valid support contract.

SonicOS 6.2.5 is available on the following platforms:

– SOHO W, TZ300, TZ300 W, TZ400, TZ400 W, TZ500, TZ500 W, TZ600
– NSA 2600, NSA 3600, NSA 4600, NSA 5600, NSA 6600
– SuperMassive SM 9200, SM 9400, SM 9600

To dive deeper into how to have a centrally managed network security infrastructure, download our release notes and the brief The Distributed Enterprise and the SonicWall TZ: Building a Coordinated Security Perimeter.

Managing the Madness of Multiple Management Consoles with SonicWall TZ Firewall and X-Series Switches

With fast-emerging technologies, the challenges of network design in distributed retail store locations are becoming huge. As retail store and distributed enterprise environments evolve, the underlying network infrastructure must evolve with the transformational changes to embrace new technologies such as mobile and digital media, which aim to improve customer experience. Embracing new technological changes in a retail network needs to be carefully thought through by raising the following questions:

  1. Is the network infrastructure scalable?
  2. With the increased scale, is the network still secure?
  3. Are the operating costs increasing with the network expansion?
  4. Above all, is there still sanity prevailing in the management of such an evolved network?

The ultimate goal of a network design for any distributed retail location is to create a smart, flexible and easy-to-manage platform that can scale to the specific needs of each site, while helping the organization reduce costs and risks. The typical solution to any network design expansion is to throw more capacity at the problem. As support for new technology and devices arises, there is overinvestment with added complexity. A new paradigm is necessary, one that provides a converged infrastructure, simple and easy-to-use management, lower operating costs, and that can scale to a retail store site’s specific business need.

Let us start by understanding a typical retail store network. A retail store has many components: Point of Sale (POS) devices that require network access to process orders, multiple PoE powered devices such as IP cameras, Network devices such as storage servers & printers, multiple internal backend networks that employees need access to and above all a Guest WiFi requirement that retail customers can benefit from. Taking these attributes into account, a typical retail store design gets broken up into:

  • Multiple internal networks for employee access (for example Sales, Engineering, Finance)
  • Point-of-Sale (POS) network
  • Network devices: PoE cameras, PoE/PoE+ driven access points, storage servers and printers
  • Wireless networks: corporate internal wireless, guest wireless

The retail network design needs to be secure, fault tolerant and interconnected. Security is typically offered by next-generation firewalls, switches provide the interconnectivity and wireless is offered through multiple access points depending on the store location size. With a scattered management design, an IT administrator is faced with the challenge of managing the network through multiple management consoles. There is the added operating cost of licensing for the various management consoles. A certain madness starts to prevail with the varied management solution as we consider troubleshooting issues in such a network.

With the newly launched SonicOS 6.2.5, SonicWall Security introduced a special feature, X-Series integration, that allows simplified management of a secure converged infrastructure across a distributed retail network by integrating SonicWall X-Series switches into the single consolidated management view that already controls SonicWall firewalls, SonicWall SonicPoints (wireless access points), and SonicWall WAN acceleration devices. Using SonicWall Global Management System (GMS), SonicWall now offers a compelling single-vendor, consolidated secure management solution for distributed retail networks. If you are an existing customer or partner looking for the latest release notes, they are posted here: https://support.software.dell.com/sonicwall-tz-series/release-notes-guides

To learn more about the design of a scalable secure retail network, download our Tech brief: Scalable, consolidated security for retail networks.

Microsoft Windows Media arbitrary code execution-CVE-2016-0101

The Microsoft Windows operating system provides Windows Media for playing audio and video and viewing images. A remote attacker can entice a user to open a malicious media file, which can lead to remote code execution in the security context of that user.

Windows Media uses the MPEG2 Transport Stream file format to store media and protocol data. The vulnerable dynamic library is MFDS, which contains a boundary error. The function MPEG2_PMT_SECTION::Parse() parses the descriptor array in the Program Map Table (PMT) carried in packets of an MPEG2-TS file. The function calculates the number of descriptor elements from the Elementary Info Length field, but it does not validate that field properly. An attacker can supply a large value in this field, which may lead to execution of arbitrary code in the user’s context.

Unsuccessful attempts may lead to denial of service.
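The defect described above is a length field taken from the file and trusted to walk a descriptor loop. The Python below is an added example for this advisory, not Microsoft's MFDS code; it parses a PMT section the way a hardened implementation would, comparing `program_info_length` and every `ES_info_length` against the bytes actually present (up to the CRC_32) before using them, and rejecting the section otherwise. The `build_pmt` helper constructs sample sections, including one whose ES_info_length is inflated to 0xFFF; the CRC field in those samples is left as zeros because nothing here verifies it.

```python
import struct

PMT_TABLE_ID = 0x02


def parse_descriptors(buf):
    """Parse a descriptor loop (tag, length, data ...) with each length checked before use."""
    out, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated descriptor header")
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if pos + length > len(buf):
            raise ValueError("descriptor length overruns ES_info")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out


def parse_pmt(section):
    """Parse one PMT section (bytes starting at table_id) into
    [(stream_type, elementary_PID, descriptors), ...].

    Every 12-bit length field is compared with the bytes actually present before
    it is used to walk a loop, so a malformed section raises ValueError rather
    than reading past the end of the buffer."""
    if len(section) < 3 or section[0] != PMT_TABLE_ID:
        raise ValueError("not a PMT section")
    section_length = struct.unpack("!H", section[1:3])[0] & 0x0FFF
    end = 3 + section_length                       # section_length counts the bytes after itself
    if end > len(section) or section_length < 13:  # 9 fixed bytes plus CRC_32 at minimum
        raise ValueError("section_length overruns buffer or is too small")
    crc_start = end - 4                            # CRC_32 occupies the final 4 bytes
    pos = 8                                        # bytes 3..7 are program_number .. last_section_number
    program_info_length = struct.unpack("!H", section[pos + 2:pos + 4])[0] & 0x0FFF
    pos += 4                                       # past PCR_PID and program_info_length
    if pos + program_info_length > crc_start:
        raise ValueError("program_info_length overruns section")
    pos += program_info_length
    streams = []
    while pos < crc_start:
        if pos + 5 > crc_start:
            raise ValueError("truncated elementary stream entry")
        stream_type = section[pos]
        elementary_pid = struct.unpack("!H", section[pos + 1:pos + 3])[0] & 0x1FFF
        es_info_length = struct.unpack("!H", section[pos + 3:pos + 5])[0] & 0x0FFF
        pos += 5
        if pos + es_info_length > crc_start:       # the check the advisory says is missing
            raise ValueError("ES_info_length overruns section")
        descriptors = parse_descriptors(section[pos:pos + es_info_length])
        pos += es_info_length
        streams.append((stream_type, elementary_pid, descriptors))
    return streams


def is_malformed(section):
    """True when parse_pmt rejects the section."""
    try:
        parse_pmt(section)
    except ValueError:
        return True
    return False


def build_pmt(streams, es_info_length_override=None):
    """Constructed sample PMT. streams is [(stream_type, pid, descriptor_bytes)];
    es_info_length_override writes a bogus ES_info_length into every entry."""
    body = b""
    for stream_type, pid, desc in streams:
        es_len = len(desc) if es_info_length_override is None else es_info_length_override
        body += struct.pack("!BHH", stream_type, 0xE000 | pid, 0xF000 | es_len) + desc
    fixed = struct.pack("!HBBBHH", 1, 0xC1, 0, 0, 0xE000 | 0x100, 0xF000 | 0)
    payload = fixed + body
    header = bytes([PMT_TABLE_ID]) + struct.pack("!H", 0xB000 | (len(payload) + 4))
    return header + payload + b"\0\0\0\0"          # CRC_32 not computed for this sample


# constructed input: one H.264 video stream with a language descriptor, one AAC audio stream
STREAMS = [(0x1B, 0x100, b"\x0a\x04eng\x00"), (0x0F, 0x101, b"")]
GOOD = build_pmt(STREAMS)
BAD = build_pmt(STREAMS, es_info_length_override=0xFFF)

if __name__ == "__main__":
    print("good:", parse_pmt(GOOD))
    print("bad rejected:", is_malformed(BAD))
```

The bounds are all expressed relative to `crc_start`, the last byte a loop may touch, so a length that is individually valid but would push the loop into the CRC or past the buffer is rejected the same way as an obviously huge one.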

This vulnerability affects the following products:

  • Microsoft Windows 7
  • Microsoft Windows 8.1
  • Microsoft Windows RT 8.1
  • Microsoft Windows 10
  • Microsoft Windows Server 2008 R2
  • Microsoft Windows Server 2012
  • Microsoft Windows Server 2012 R2

Dell SonicWALL Threat Research Team has researched this vulnerability and released the following signatures to protect their customers:

  • 3281 Malformed.ts.MP.1
  • 3849 Malformed.ts.TL.1

Runouce Trojan with IRC bot spreads via .eml files (March 24, 2016)

The Dell Sonicwall Threats Research team has observed a Trojan that spreads via .eml files. The Trojan contains IRC functionality and also has the ability to infect pre-installed system executable files with malicious code:

Infection Cycle:

The Trojan makes the following DNS queries:

On our test system the following files were created:

  • %USERPROFILE%\kuelio.exe [Detected as GAV: Runouce.B2 (Trojan)]
  • %SYSTEM32%\runouce.exe (“runonce” with “n” changed to “u”) (patched) [Detected as GAV: Virut.U_6 (Trojan)]
  • %SYSTEM32%\runonce.exe (patched) [Detected as GAV: Virut.U_6 (Trojan)]

The following files were also created [all detected as GAV: Runouce.B2#email (Trojan)]:

  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\.9_0\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\.9_0\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\enacoimjcgeinfnnnpajinjgmkahmfgb\.65.0_0\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\enacoimjcgeinfnnnpajinjgmkahmfgb\.65.0_0\tabs\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\focgpgmpinbadijfcdimbdkgnpndjnkl\.54_0\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\focgpgmpinbadijfcdimbdkgnpndjnkl\.54_0\changelogs\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\focgpgmpinbadijfcdimbdkgnpndjnkl\.54_0\tabs\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\.1.1.0_0\html\readme.eml
  • %USERPROFILE%\Local Settings\Temp\readme.eml
  • %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\B4ZWX2C9\readme.eml
  • %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\FATM9A7M\readme.eml
  • %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\HE7GL0WO\readme.eml
  • %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\MDJBB39W\readme.eml
  • %PROGRAMFILES%\Common Files\Microsoft Shared\OFFICE12\1033\readme.eml
  • %PROGRAMFILES%\Common Files\Microsoft Shared\OFFICE12\HTML\readme.eml
  • %PROGRAMFILES%\Common Files\Microsoft Shared\OFFICE12\VS Runtime\1033\readme.eml
  • %PROGRAMFILES%\Common Files\Microsoft Shared\Smart Tag\1033\readme.eml
  • %PROGRAMFILES%\Common Files\Microsoft Shared\Stationery\readme.eml
  • %PROGRAMFILES%\Common Files\System\ado\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\1033\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\AccessWeb\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\GrooveToolData\groove.net\GrooveForms\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\GrooveToolData\groove.net\GrooveForms3\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\GrooveToolData\groove.net\GrooveForms4\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\GrooveToolData\groove.net\GrooveForms5\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Stationery\1033\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Templates\12\MseNewFileItems\readme.eml
  • %PROGRAMFILES%\NetMeeting\readme.eml
  • %PROGRAMFILES%\WinRAR\readme.eml
  • %PROGRAMFILES%\Wireshark\readme.eml

The Trojan writes the following keys to the registry to enable continued infection activity after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kuelio “%USERPROFILE%\kuelio.exe /y”
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Runouce “%SYSTEM32%\runouce.exe”

If there are shared folders or external drives attached the following file will be written to it:

The Trojan disables the ability to kill kuelio.exe.

NOTHING-6A527FE.eml and readme.eml are email files that contain an attachment called pp.exe [Detected as GAV: Runouce.B_3 (Worm)]:

The Trojan infects %SYSTEM32%\runonce.exe with additional malicious code. It modifies the PE section headers to extend the .rsrc section and injects code there. It then changes the OEP (entry point) so that the infected executable runs the malicious code first:
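The infection pattern just described, a resource section grown and made executable with the entry point redirected into it, leaves a footprint in the PE headers that can be checked without running the file. The Python below is an added example written for this write-up, not the SonicWALL signature and not taken from the sample; it reads the COFF header, `AddressOfEntryPoint` and the section table of a PE32 image, finds the section that owns the entry point and reports the tell-tale conditions (entry in `.rsrc`, in the last section, or in a section without the execute flag). The two inputs are minimal header-only images constructed by `build_pe` for illustration, not the real runonce.exe.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
SECTION_HDR = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe_headers(pe):
    """Return (entry_rva, sections); sections is a list of
    (name, virtual_address, size, characteristics) from the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]    # AddressOfEntryPoint
    table = opt + size_opt
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_HDR, pe, table + 40 * i)
        name, vsize, va, rawsize, chars = f[0], f[1], f[2], f[3], f[9]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, max(vsize, rawsize), chars))
    return entry_rva, sections


def entry_point_findings(pe):
    """Locate the section owning AddressOfEntryPoint and list why it looks off.
    Returns (owning_section_name_or_None, findings); an empty list is clean."""
    entry_rva, sections = parse_pe_headers(pe)
    for idx, (name, va, size, chars) in enumerate(sections):
        if not va <= entry_rva < va + size:
            continue
        findings = []
        if not chars & IMAGE_SCN_MEM_EXECUTE:
            findings.append("entry point in a section that is not executable")
        if name == ".rsrc":
            findings.append("entry point inside .rsrc, which should hold only resources")
        if idx == len(sections) - 1 and len(sections) > 1:
            findings.append("entry point in the last section, where appended code usually lands")
        return name, findings
    return None, ["entry point outside every section"]


def build_pe(entry_rva, sections):
    """Constructed minimal PE32 header set (no section data), sample input only."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    size_opt = 96                                                # PE32 optional header, no data directories
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva)  # Magic .. AddressOfEntryPoint
    opt += b"\0" * (size_opt - len(opt))
    table = b""
    for name, va, vsize, chars in sections:
        table += struct.pack(SECTION_HDR, name.encode(), vsize, va, vsize, 0, 0, 0, 0, 0, chars)
    return dos + b"PE\0\0" + coff + opt + table


TEXT = (".text", 0x1000, 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
RSRC = (".rsrc", 0x2000, 0x400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
CLEAN = build_pe(0x1010, [TEXT, RSRC])
# constructed "infected" layout: .rsrc grown by 0x200, marked executable, entry moved into the added bytes
GROWN_RSRC = (".rsrc", 0x2000, 0x600, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
INFECTED = build_pe(0x2500, [TEXT, GROWN_RSRC])

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, entry_point_findings(sample))
```

Packers and some legitimate linkers also place the entry point in unusual sections, so findings like these are triage signals to pair with the registry and file indicators above rather than a verdict on their own.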

The Trojan joins an IRC server hosted at ircd.zief.pl and awaits further instructions:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Sirefef.A_33 (Trojan)
  • GAV: Runouce.B2 (Trojan)
  • GAV: Runouce.B2#email (Trojan)
  • GAV: Runouce.B_3 (Worm)
  • GAV: Chir.B (Worm)
  • GAV: Nimda_2 (Worm)
  • GAV: Virut.U_6 (Trojan)

Microsoft Silverlight Remote Code Execution Vulnerability – CVE-2016-0034 (Mar 18,2016)

Microsoft Silverlight is a powerful development tool for creating interactive user experiences for Web and mobile applications. Silverlight is a free plug-in, powered by the .NET framework and compatible with multiple browsers. Microsoft Silverlight 5 before 5.1.41212.0 mishandles negative offsets during decoding, which allows remote attackers to execute arbitrary code or cause a denial of service (object-header corruption) via a crafted web site, aka “Silverlight Runtime Remote Code Execution Vulnerability.”

The vulnerability is triggered when the System.Text.Decoder class tries to allocate a buffer using the value returned by the GetChars() function. The attacker can override the GetChars function in a derived class to return a negative value. This leads to memory corruption.

To exploit this vulnerability an attacker could host a specially crafted Silverlight application on a website and entice the user to click it. Successful exploitation could lead to remote code execution in context of the logged in user.

The overridden GetChars function in the derived class looks like this

IE crashes when System.Text.Decoder class tries to allocate a negative buffer size.

The exploit code is an obfuscated .net assembly. The decompiled and deobfuscated dll code looks like this

Decompiled

Deobfuscated

The exploit code tries to decode a long byte array.

Attaching a debugger, we see that the malicious dll sprays the memory with malicious code. We can also see some code that could tamper with the registry.

The graphical view of exploit code looks like this.

Dell SonicWALL Threat Research Team has researched this vulnerability and released the following signature to protect their customers:

  • IPS 11388: Microsoft Silverlight Remote Code Execution (MS16-006)

Data stealing trojan posing as a configuration file (March 18, 2016)

The Dell SonicWall Threats Research team has received reports of a data stealing Trojan posing as a configuration file. Upon execution, the Trojan steals information from the system and is also capable of downloading more files onto the system.

Infection Cycle:

The Trojan has the following icon:

The Trojan originates in China and has the following properties:

It modifies the registry to run after reboot:

  • HKU\%%\software\microsoft\windows\currentversion\run guazhuan “C:\windows\temp\sample.exe” -autorun

It creates multiple threads replicating the sample using different commands:

The malware contacts the following domains:

Once the CnC server is connected, it steals the following information and sends it to the server.

It also makes the following requests to the server:

The Trojan makes multiple requests to the server and downloads various .dat files and configuration files.

The Trojan creates C:\Users\Admin\AppData\Roaming\LSinglePro with configuration settings for a search engine.

The Trojan makes multiple search requests and downloads JavaScript files onto the machine.

Overall, this Trojan is capable of sending sensitive information out to a remote server. We urge our users to always be vigilant and cautious with any unsolicited attachments, especially if you are not certain of the source.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Graftor.B_74 (Trojan)