Runouce Trojan with IRC bot spreads via .eml files (March 24, 2016)

The Dell Sonicwall Threats Research team has observed a Trojan that spreads via .eml files. The Trojan contains IRC functionality and also has the ability to infect pre-installed system executable files with malicious code:

Infection Cycle:

The Trojan makes the following DNS queries:

On our test system the following files were created:

  • %USERPROFILE%\kuelio.exe [Detected as GAV: Runouce.B2 (Trojan)]
  • %SYSTEM32%\runouce.exe (“runonce” with the “n” changed to “u”; patched with malicious code) [Detected as GAV: Virut.U_6 (Trojan)]
  • %SYSTEM32%\runonce.exe (patched) [Detected as GAV: Virut.U_6 (Trojan)]

The following files were also created [all detected as GAV: Runouce.B2#email (Trojan)]:

  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\.9_0\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\.9_0\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\enacoimjcgeinfnnnpajinjgmkahmfgb\.65.0_0\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\enacoimjcgeinfnnnpajinjgmkahmfgb\.65.0_0\tabs\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\focgpgmpinbadijfcdimbdkgnpndjnkl\.54_0\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\focgpgmpinbadijfcdimbdkgnpndjnkl\.54_0\changelogs\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\focgpgmpinbadijfcdimbdkgnpndjnkl\.54_0\tabs\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\.1.1.0_0\html\readme.eml
  • %USERPROFILE%\Local Settings\Temp\readme.eml
  • %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\B4ZWX2C9\readme.eml
  • %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\FATM9A7M\readme.eml
  • %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\HE7GL0WO\readme.eml
  • %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\MDJBB39W\readme.eml
  • %PROGRAMFILES%\Common Files\Microsoft Shared\OFFICE12\1033\readme.eml
  • %PROGRAMFILES%\Common Files\Microsoft Shared\OFFICE12\HTML\readme.eml
  • %PROGRAMFILES%\Common Files\Microsoft Shared\OFFICE12\VS Runtime\1033\readme.eml
  • %PROGRAMFILES%\Common Files\Microsoft Shared\Smart Tag\1033\readme.eml
  • %PROGRAMFILES%\Common Files\Microsoft Shared\Stationery\readme.eml
  • %PROGRAMFILES%\Common Files\System\ado\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\1033\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\AccessWeb\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\GrooveToolData\groove.net\GrooveForms\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\GrooveToolData\groove.net\GrooveForms3\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\GrooveToolData\groove.net\GrooveForms4\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\GrooveToolData\groove.net\GrooveForms5\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Stationery\1033\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Templates\12\MseNewFileItems\readme.eml
  • %PROGRAMFILES%\NetMeeting\readme.eml
  • %PROGRAMFILES%\WinRAR\readme.eml
  • %PROGRAMFILES%\Wireshark\readme.eml

The Trojan writes the following registry values so that it is started again after a reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kuelio “%USERPROFILE%\kuelio.exe /y”
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Runouce “%SYSTEM32%\runouce.exe”

If shared folders or external drives are attached, the following file is written to them:

The Trojan disables the ability to kill kuelio.exe.

NOTHING-6A527FE.eml and readme.eml are email files that contain an attachment called pp.exe [Detected as GAV: Runouce.B_3 (Worm)]:

The Trojan infects %SYSTEM32%\runonce.exe with additional malicious code. It modifies the PE section headers to extend the .rsrc section and injects its code into that space. It then changes the entry point (AddressOfEntryPoint, the OEP) in the PE optional header so that the infected executable runs the malicious code first:
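The entry-point hijack just described leaves two header-level traces: AddressOfEntryPoint points outside the code section (typically into the last, extended section), and a data section such as .rsrc has to be marked executable for the injected code to run. The following Python script, added here as an example and not code from the original post, parses the DOS, COFF, optional and section headers with struct alone and reports both traces. build_minimal_pe constructs a synthetic two-section PE32 image so the check runs offline; it is not a real runonce.exe.

```python
import struct

# Section flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000

COFF_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, pe_off + 4)
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (0x10B, 0x20B):                      # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rsize, _, _, _, _, _, chars = struct.unpack_from(
            SECTION_FMT, data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "size": max(vsize, rsize), "chars": chars})
    return entry_rva, sections


def check_entry_point(data):
    """Flag the tampering pattern described for Runouce: the entry point moved
    out of the code section into an (extended) resource section that has been
    made executable. Returns the owning section and a list of findings."""
    entry_rva, sections = parse_pe(data)
    owner = next((s for s in sections if s["vaddr"] <= entry_rva < s["vaddr"] + s["size"]), None)
    findings = []
    if owner is None:
        findings.append("entry point lies outside every section")
    else:
        if not owner["chars"] & IMAGE_SCN_CNT_CODE:
            findings.append("entry point in non-code section %s" % owner["name"])
        if owner is sections[-1] and len(sections) > 1:
            findings.append("entry point in last section (append-infector sign)")
    for s in sections:
        if s["name"] == ".rsrc" and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(".rsrc section is marked executable")
    return {"entry_rva": entry_rva,
            "entry_section": owner["name"] if owner else None,
            "findings": findings}


def build_minimal_pe(entry_rva, rsrc_chars):
    """Constructed test image: DOS stub, PE32 headers, a .text and a .rsrc section."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew -> right after the stub
    sections = [
        (b".text", 0x1000, 0x1000, 0x200, 0x400, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".rsrc", 0x1000, 0x2000, 0x200, 0x600, rsrc_chars),
    ]
    opt_size = 224                                        # PE32 optional header
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)            # AddressOfEntryPoint
    struct.pack_into("<I", opt, 20, 0x1000)               # BaseOfCode
    hdrs = b"".join(struct.pack(SECTION_FMT, n.ljust(8, b"\0"), vs, va, rs, rp, 0, 0, 0, 0, ch)
                    for n, vs, va, rs, rp, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


if __name__ == "__main__":
    infected = build_minimal_pe(0x2100, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE)
    print(check_entry_point(infected))
```

On a real file, run check_entry_point(open(path, "rb").read()). The check keys on the IMAGE_SCN_CNT_CODE flag rather than on the section name, since compilers are free to name the code section something other than .text. An entry point in the last section is also produced by some packers, so treat a finding as a lead to confirm against a known-good copy of the binary, not as a verdict.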

The Trojan joins an IRC server hosted at ircd.zief.pl and awaits further instructions:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Sirefef.A_33 (Trojan)
  • GAV: Runouce.B2 (Trojan)
  • GAV: Runouce.B2#email (Trojan)
  • GAV: Runouce.B_3 (Worm)
  • GAV: Chir.B (Worm)
  • GAV: Nimda_2 (Worm)
  • GAV: Virut.U_6 (Trojan)

Microsoft Silverlight Remote Code Execution Vulnerability – CVE-2016-0034 (Mar 18,2016)

Microsoft Silverlight is a powerful development tool for creating interactive user experiences for Web and mobile applications. Silverlight is a free plug-in, powered by the .NET framework and compatible with multiple browsers. Microsoft Silverlight 5 before 5.1.41212.0 mishandles negative offsets during decoding, which allows remote attackers to execute arbitrary code or cause a denial of service (object-header corruption) via a crafted web site, aka “Silverlight Runtime Remote Code Execution Vulnerability.”

The vulnerability is triggered when the System.Text.Decoder class allocates a buffer using the character count returned by GetChars(). An attacker can override GetChars() in a derived class to return a negative value, which leads to memory corruption.

To exploit this vulnerability, an attacker could host a specially crafted Silverlight application on a website and entice the user to visit it. Successful exploitation leads to remote code execution in the context of the logged-in user.

The overridden GetChars function in the derived class looks like this:

IE crashes when the System.Text.Decoder class tries to allocate a buffer of negative size.

The exploit code is an obfuscated .NET assembly. The decompiled and deobfuscated DLL code looks like this:

Decompiled

Deobfuscated

The exploit code tries to decode a long byte array.

Attaching a debugger, we see that the malicious DLL sprays memory with malicious code. We can also see code that could tamper with the registry.

The graphical view of the exploit code looks like this:

The Dell SonicWALL Threat Research Team has researched this vulnerability and released the following signature to protect customers:

  • IPS 11388: Microsoft Silverlight Remote Code Execution (MS16-006)

Data stealing trojan posing as a configuration file (March 18, 2016)

The Dell SonicWALL Threats Research team has received reports of a data-stealing Trojan posing as a configuration file. Upon execution, the Trojan steals information from the system and is also capable of downloading more files onto it.

Infection Cycle:

The Trojan has the following icon:

The Trojan appears to originate from China and has the following properties:

It adds the following registry value so that it runs after a reboot:

  • HKU\%%\software\microsoft\windows\currentversion\run guazhuan “C:\windows\temp\sample.exe” -autorun

    It creates multiple threads, replicating the sample using different commands:

    The malware contacts the following domains:

    Once connected to the CnC server, it steals the following information and sends it to the server.

    It also makes the following requests to the server:

    The trojan makes multiple requests to the server and downloads various dat files and configuration files.

    The Trojan creates C:\Users\Admin\AppData\Roaming\LSinglePro with configuration settings for a search engine.

    The trojan makes multiple search requests and downloads javascript files on to the machine.

    Overall, this Trojan is capable of sending sensitive information to a remote server. We urge users to always be vigilant and cautious with unsolicited attachments, especially when the source is uncertain.

    Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

    • GAV: Graftor.B_74 (Trojan)

    SonicWall Next-Gen Firewall Consistently Ranks as Recommended Year After Year

    The hacking economy continues to thrive. As you can see from the timeline chart below, there have been data breach headlines in every industry vertical, regardless of organization size. Cyber-criminals made the most of their opportunities last year, and it is unlikely to be any different for years to come.

    Timeline of high profile breaches in 2015

    If the fear of a network breach keeps you up at night wondering whether you have done a thorough job measuring the effectiveness of your cyber-defense system, you are in good company. Even a slight doubt about your firewall’s capability forces you to worry whether you are as successful as you could be at thwarting preventable attacks on your networks. Burdened with the possibility of having to deal with security incidents, you may ask if there is a reliable way to lessen this anxiety. The good news is that the answer is yes.

    Once a year, leading next-generation firewalls (NGFWs) vendors gear up to participate in the industry’s rigorous security and performance tests, conducted by NSS Labs, a trusted authority in independent product testing. NSS designs various permutations of real-world test conditions and parameters specifically to address the challenges security professionals face when measuring and determining if their firewall is truly performing as their vendor has promised. Upon completion of these tests, NSS publishes a comprehensive result-based report on all participating vendors. Each vendor’s product is ranked either “Recommended,”“Neutral” or “Caution” based on its weighted score across key evaluation criteria including security effectiveness, resistance to evasion, performance, and stability and reliability.

    Definition:

    1. A “Recommended” rating from NSS indicates that a product has performed well and deserves strong consideration. Only the top technical products earn this rating from NSS, regardless of market share, company size, or brand recognition.
    2. A “Neutral” rating from NSS indicates that a product has performed reasonably well and should continue to be used if it is the incumbent within an organization.
    3. A “Caution” rating from NSS indicates that a product has performed poorly. Organizations using one of these products should review their security posture and other threat mitigation factors, including possible alternative configurations and replacement. Products that earn a Caution rating from NSS should not be short-listed or renewed.

    NSS started this vendor group test four years ago, so it has a significant amount of knowledge and experience in security product testing. Over this period, I have observed many vendors that have moved in and out of the NSS Labs “Recommended” quadrant as NSS’s test methodologies have evolved. This should give you total clarity and confidence toward those vendors with products that have repeatedly and consistently performed well year over year, while providing specific guidance on how to proceed with products that performed poorly or inconsistently. You can find out how your current firewall vendor performed in the latest 2016 Next Generation Firewall Comparative Report: Security Value Map™ (SVM). The SVM gives you a complete scorecard and ranking for each product tested. I urge you to read the entire set of NSS Labs NGFW reports, including the SVM, Comparative Analysis Report (CAR) and product Test Report (TR), to help you evaluate your current security posture and take immediate action where necessary.

    For four years running, SonicWall has prevailed in the NSS Labs vendor group test. The SonicWall SuperMassive™ E10800 is one of only three vendor products to have earned the coveted “Recommended” rating in the NSS Labs Next-Generation Firewall Security Value Map for four consecutive years. This year, the SuperMassive E10800 once again demonstrated one of the highest security effectiveness ratings in the industry, blocking 98.83 percent of exploits during continuous live testing. The device also consistently scored 100 percent effective against all tested evasion techniques and passed all manageability, stability and reliability tests. These are highly credible and verifiable proof points that SonicWall next-generation firewalls deliver on our product promise, and empower you to achieve breakthrough performance at unprecedented levels of protection. The same technology is used in SonicWall SuperMassive, NSA and TZ firewalls, so they are also highly secure.

    Figure of NSS Labs 2016 Security Value Map (SVM) for Next Generation Firewall (NGFW)

    Learn more. Read the 2016 NSS Labs Next-Generation Firewall Security Value Map SVM Report.

    Have a Secret, Secure and Scalable Network from Today’s Cyber Attacks?

    “Is it secret? Is it safe?”

    For those who’ve never seen the 1976 film Marathon Man, that’s what the fugitive Nazi war criminal played by Sir Laurence Olivier asks Dustin Hoffman while he’s sticking a pointy dental probe into Hoffman’s exposed cavity. Ouch. Excellent movie, though.

    Cinema trivia notwithstanding, these are pertinent questions federal agencies need to ask when it comes to information under their control. Is it secret? There are many levels of classified information. Is it safe? We hope that, classified or not, information about the workings of our government and about us is safe from cyber attack.

    Secrecy and safety should go together, and it would seem that “secret” and “safe” together should add up to “secure.” But there’s one situation in which, unfortunately, that’s not the case.

    When the website you’re at shows up with a URL starting with “https://”, that site is using encryption to add security, specifically Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols.

    OMB Memorandum M-15-13, “A Policy to Require Secure Connections across Federal Websites and Web Services” (June 2015) requires that “all publicly accessible Federal websites and web services only provide service through a secure connection. The strongest privacy and integrity protection currently available for public web connections is Hypertext Transfer Protocol Secure (HTTPS).”

    Encrypting HTTP does add latency, and agencies need to take this into account in planning their network infrastructure. But you’d think that the performance hit is well worth the increase in security (safety, secrecy) SSL and TLS provide. However, here’s where that assumption starts to fall apart:

    More and more cyber attacks are taking place using SSL itself as a means of injecting malicious code and acting as a gateway into places they have no business being. SonicWall Security’s 2016 Annual Threat Report, just released, goes into great detail on the global increase in SSL traffic. The encrypted sessions themselves are being used as attack vectors.

    Preventing this requires that agencies inspect all packets, even encrypted ones, that enter their networks. As you’d expect, SSL inspection can add yet another performance/latency hit, unless you implement a solution specifically architected to minimize that impact.

    Fortunately, SonicWall has that solution. Our SuperMassive 9000 Series Next-Generation Firewalls (NGFWs) provide SSL decryption, inspection and protection with no added latency, through Reassembly-Free Deep Packet Inspection (RFDPI), patented by SonicWall. The SonicWall SuperMassive next-gen firewall series deployed in a SonicWall firewall sandwich architecture allows up to 16 SonicWall SuperMassive devices to perform DPI inspection in parallel, supporting up to 160Gbps of DPI and 80Gbps of SSL-DPI. Our Firewall Sandwich can be deployed in several different configurations depending on your agency’s existing network design helping you scale firewall services with more resiliency and availability. The SuperMassive and NSA Series NGFWs are now certified under the Department of Defense’s Unified Capabilities Approved Products List (UC APL), an essential for DoD and a significant plus for civilian agencies looking for the best, most cost-effective network security solutions they can find.

     Picture of SonicWall's SuperMassive 9000 Series Next-Generation Firewall at a show

    In the Federal Computer Week Digital Dialogue, “Speed and Security Aren’t Mutually Exclusive,” Angelo Rodriguez, director of security engineering at SonicWall Security Solutions Group, goes into greater detail on the firewall sandwich and the technology behind our NGFWs.

    Read the Digital Dialogue

    The Dialogue is a summary of December’s Government Computer News webcast, “Enabling Network Security at the Speed of Mission”, in which Angelo discusses the concept of a scale-out firewall architecture, a network-based model for scaling a next-generation firewall (NGFW) beyond 100Gbps, and deep packet inspection.

    RIG Exploit Kit (March 9th, 2016)

    The Dell SonicWALL Threat Research team has observed the RIG exploit kit using exploits for Adobe Flash and Internet Explorer vulnerabilities in its arsenal.

    Redirection Chain:

    Malicious JavaScript code is injected into a compromised website to redirect the victim to the kit’s landing page.

    Fig-1 : Compromised webpage with injected Javascript

    This exploit kit uses an iframe redirection technique, as shown below:

    Fig-2 : The injected script has an iframe pointing to the kit’s landing page.
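Static detection of the injected-iframe stage of the redirection chain, as an added example that is not code from the original post: the scanner below collects every iframe in a page with the standard-library HTMLParser and flags the ones that are sized 1x1 or hidden by CSS, reporting whether the frame points at a third-party host. SAMPLE_HTML, shop.example.com and rotate.example.net are constructed for the example and are not taken from the RIG campaign.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a normal video embed plus one injected 1x1 iframe
# hidden off-screen. Not a capture from a compromised site.
SAMPLE_HTML = """<html><head><title>Shop</title></head>
<body><h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="http://rotate.example.net/index.php?q=91" width="1" height="1"
        style="visibility:hidden;position:absolute;left:-9999px"></iframe>
</body></html>"""

# Styling tricks commonly used to keep an injected frame out of sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":                       # HTMLParser lowercases tag names
            self.iframes.append({k: (v or "") for k, v in attrs})


def px(value):
    """Leading integer of a width/height attribute, or None when absent."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def suspicious_iframes(html, page_host):
    """Return iframes that are tiny or hidden. A third-party src alone is not
    flagged (visible embeds are normal) but is reported as context."""
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for f in collector.iframes:
        src = f.get("src", "")
        host = (urlparse(src).hostname or page_host).lower()
        reasons = []
        w, h = px(f.get("width")), px(f.get("height"))
        if (w is not None and w <= 2) or (h is not None and h <= 2):
            reasons.append("tiny dimensions")
        if HIDDEN_STYLE.search(f.get("style", "")):
            reasons.append("hidden by style")
        if reasons:
            third_party = host != page_host and not host.endswith("." + page_host)
            hits.append({"src": src, "host": host, "third_party": third_party, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in suspicious_iframes(SAMPLE_HTML, "shop.example.com"):
        print(hit)
```

RIG’s injected script typically writes the iframe at run time, so this check has to run over the rendered DOM (or over the decoded output of the injected script) rather than over the raw HTML of the compromised page. A 1x1 frame is not exclusive to exploit kits either, so pair a hit with the landing-page URI pattern from the packet capture before acting on it.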

    The exploit kit’s landing page contains three HTML script elements, as shown below:

    Fig-3 : Kit’s Landing Page

    The first script element defines two custom variables. The next two scripts decrypt data and add new HTML script elements.

    The data decrypted by the second script element loads a malicious Flash file that exploits the Adobe Flash vulnerability CVE-2015-8416, as shown below:

    Fig-4 : Decrypted data of second script

    Similarly, the data decrypted by the third script tag exploits the Internet Explorer vulnerability CVE-2015-2419, as shown below:

    Fig-5 : Decrypted data of third script

    Fig-6 : Packet capture with the URI pattern

    Sonicwall Gateway AntiVirus provides protection against this threat via the following signatures:

    • GAV: RigHtm.EKA (Exploit)
    • GAV: RigSWF.EKA (Exploit)

    FrameworkPOS.acc: New variant of FrameworkPOS Uses DNS requests to deliver stolen card data to the attackers (Mar 1,2016)

    The Dell SonicWALL Threats Research team has observed reports of a new variant of the FrameworkPOS family, detected as GAV: FrameworkPOS.AAC, actively spreading in the wild. This point-of-sale malware relies on DNS requests to deliver stolen card data to the attackers.

    Infection Cycle:

    MD5:

    feac3bef63d95f2e3c0fd6769635c30b Detected as GAV: FrameworkPOS.AAC (Trojan)

    The Trojan adds the following keys to the Windows registry to ensure persistence upon reboot:

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LogMeInServer

      • ImagePath = “%Userprofile%\Malware.exe -service”

    FrameworkPOS retrieves a list of running processes and periodically scrapes the memory of those processes on the infected machine for credit card information.

    The malware carries an exclusion list of system processes to ignore; it gathers track data by scanning the memory of all running processes except the following:

    To enumerate processes and read their memory in search of card data from POS software, the malware uses Windows API functions such as:

    • CreateToolhelp32Snapshot

    • Process32First

    • Process32Next

    • OpenProcess

    The malware generates two files, dspsvc.bid and [Random Name].dat.

    The dspsvc.bid file contains the bot’s campaign ID and the .dat file contains encrypted credit card information, for example:

    The malware sends an HTTP request to an external server, which responds with the victim’s public IP address.

    Once the public IP is acquired, the malware validates the card numbers and then sends the track 1 and track 2 data, in encrypted form, to one of the configured C&C servers, embedded in DNS queries formatted as in the following example:

    Command and Control (C&C) Traffic

    FrameworkPOS performs C&C communication over the DNS protocol.

    The malware sends the stolen credit card information to its C&C server in the following format; here are some examples:
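A detector for the DNS channel described above, added here as an example and not code from the original post or from the FrameworkPOS sample: it splits each queried name into a registrable parent and a subdomain payload, scores the payload on length, character entropy and hex-likeness, and alerts only when one source host sends several distinct scored names to the same parent domain. SAMPLE_QUERIES is a constructed log; its hex labels stand in for the encrypted track data the text describes, and evil-c2.example is a made-up domain.

```python
import math
from collections import defaultdict

# Constructed DNS query log as (source IP, queried name) pairs. These are not
# queries from the FrameworkPOS sample; the hex labels imitate encrypted
# track data carried in subdomain labels.
SAMPLE_QUERIES = [
    ("10.0.5.21", "www.example.com"),
    ("10.0.5.21", "time.windows.com"),
    ("10.0.5.21", "cdn.example.net"),
    ("10.0.5.21", "mail.example.com"),
    ("10.0.5.44", "4a7f3c9e2b1d6f8a0c5e3b7d9f1a2c4e.5d8b2f.evil-c2.example"),
    ("10.0.5.44", "9c1e4b7a2d6f8c3e5a0b1d7f4e2c6a9b.5d8b2f.evil-c2.example"),
    ("10.0.5.44", "0f3a6c9e1b4d7f2a5c8e0b3d6f9a1c4e.5d8b2f.evil-c2.example"),
    ("10.0.5.44", "7e2b5d8f1a4c6e9b3d0f2a5c7e8b1d4f.5d8b2f.evil-c2.example"),
    ("10.0.5.44", "www.example.com"),
]

HEX = set("0123456789abcdef")


def shannon_entropy(s):
    """Bits per character of s; uniformly random hex tops out at 4.0."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname, suffix_labels=2):
    """Split a query name into (registrable parent, subdomain part).
    Taking the last two labels is a simplification (wrong for co.uk etc.);
    production code should consult the Public Suffix List."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-suffix_labels:]), ".".join(labels[:-suffix_labels])


def score_query(qname):
    """Return (parent, reasons); reasons lists the exfil-like traits found."""
    parent, sub = split_name(qname)
    payload = sub.replace(".", "")
    reasons = []
    if len(sub) >= 32:
        reasons.append("long subdomain")
    if shannon_entropy(payload) >= 3.5:
        reasons.append("high entropy")
    if len(payload) >= 16 and sum(ch in HEX for ch in payload) / len(payload) >= 0.9:
        reasons.append("hex-like payload")
    return parent, reasons


def detect_exfil(queries, min_unique=3):
    """Alert on (source, parent domain) pairs that emit at least min_unique
    distinct exfil-like names; a single odd lookup is treated as noise."""
    per_pair = defaultdict(lambda: {"unique": set(), "reasons": set()})
    for src, qname in queries:
        parent, reasons = score_query(qname)
        if reasons:
            entry = per_pair[(src, parent)]
            entry["unique"].add(qname.lower())
            entry["reasons"].update(reasons)
    return [
        {"src": src, "parent": parent, "queries": len(e["unique"]), "reasons": sorted(e["reasons"])}
        for (src, parent), e in per_pair.items()
        if len(e["unique"]) >= min_unique
    ]


if __name__ == "__main__":
    for alert in detect_exfil(SAMPLE_QUERIES):
        print(alert)
```

Feed it (source IP, qname) pairs from a resolver log or a passive DNS capture. Content delivery networks and anti-spam lookups also generate long, random-looking labels, and the thresholds here are tuned to the constructed sample, so baseline each parent domain’s query volume before alerting on it.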

    SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

    • GAV: FrameworkPOS.AAC

    Microsoft Security Bulletin Coverage (Mar 8, 2016)

    Dell SonicWALL has analyzed and addressed Microsoft’s security advisories released on Mar. 8, 2016. A list of the issues reported, along with Dell SonicWALL coverage information, follows:

    MS16-023 Cumulative Security Update for Internet Explorer

    • CVE-2016-0102 Microsoft Browser Memory Corruption Vulnerability
      IPS: 11490 “Internet Explorer Memory Corruption Vulnerability (MS16-023) 1”
    • CVE-2016-0103 Internet Explorer Memory Corruption Vulnerability
      There are no known exploits in the wild.
    • CVE-2016-0104 Internet Explorer Memory Corruption Vulnerability
      IPS: 11491 “Internet Explorer Memory Corruption Vulnerability (MS16-023) 2”
    • CVE-2016-0105 Microsoft Browser Memory Corruption Vulnerability
      IPS: 5173 “Obfuscated ActiveX Instantiation 3”
    • CVE-2016-0106 Internet Explorer Memory Corruption Vulnerability
      IPS: 11492 “Internet Explorer Memory Corruption Vulnerability (MS16-023) 3”
    • CVE-2016-0107 Internet Explorer Memory Corruption Vulnerability
      IPS: 11493 “Internet Explorer Memory Corruption Vulnerability (MS16-023) 4”
    • CVE-2016-0108 Internet Explorer Memory Corruption Vulnerability
      IPS: 11494 “Internet Explorer Memory Corruption Vulnerability (MS16-023) 5”
    • CVE-2016-0109 Microsoft Browser Memory Corruption Vulnerability
      IPS: 11495 “Internet Explorer Memory Corruption Vulnerability (MS16-023) 6”
    • CVE-2016-0110 Microsoft Browser Memory Corruption Vulnerability
      IPS: 11497 “Internet Explorer Memory Corruption Vulnerability (MS16-023) 8”
    • CVE-2016-0111 Microsoft Browser Memory Corruption Vulnerability
      IPS: 11498 “Internet Explorer Memory Corruption Vulnerability (MS16-023) 7”
    • CVE-2016-0112 Internet Explorer Memory Corruption Vulnerability
      IPS: 11501 “Internet Explorer Memory Corruption Vulnerability (MS16-023) 10”
    • CVE-2016-0113 Internet Explorer Memory Corruption Vulnerability
      IPS: 11503 “Internet Explorer Memory Corruption Vulnerability (MS16-023) 11”
    • CVE-2016-0114 Internet Explorer Memory Corruption Vulnerability
      IPS: 11504 “Internet Explorer Memory Corruption Vulnerability (MS16-023) 12”

    MS16-024 Cumulative Security Update for Microsoft Edge

    • CVE-2016-0102 Microsoft Browser Memory Corruption Vulnerability
      IPS: 11490 “Internet Explorer Memory Corruption Vulnerability (MS16-023) 1”
    • CVE-2016-0105 Microsoft Browser Memory Corruption Vulnerability
      IPS: 5173 “Obfuscated ActiveX Instantiation 3”
    • CVE-2016-0109 Microsoft Browser Memory Corruption Vulnerability
      IPS: 11495 “Internet Explorer Memory Corruption Vulnerability (MS16-023) 6”
    • CVE-2016-0110 Microsoft Browser Memory Corruption Vulnerability
      IPS: 11497 “Internet Explorer Memory Corruption Vulnerability (MS16-023) 8”
    • CVE-2016-0111 Microsoft Browser Memory Corruption Vulnerability
      IPS: 11498 “Internet Explorer Memory Corruption Vulnerability (MS16-023) 7”
    • CVE-2016-0116 Microsoft Edge Memory Corruption Vulnerability
      There are no known exploits in the wild.
    • CVE-2016-0123 Microsoft Edge Information Disclosure Vulnerability
      IPS: 11496 “Microsoft Edge Memory Corruption Vulnerability (MS16-024) 1”
    • CVE-2016-0124 Microsoft Edge Information Disclosure Vulnerability
      IPS: 11499 “Microsoft Edge Memory Corruption Vulnerability (MS16-024) 2”
    • CVE-2016-0125 Microsoft Edge Information Disclosure Vulnerability
      There are no known exploits in the wild.
    • CVE-2016-0129 Microsoft Edge Memory Corruption Vulnerability
      There are no known exploits in the wild.
    • CVE-2016-0130 Microsoft Edge Memory Corruption Vulnerability
      There are no known exploits in the wild.

    MS16-025 Security Update for Windows Library Loading to Address Remote Code Execution

    • CVE-2016-0100 Library Loading Input Validation Remote Code Execution Vulnerability
      There are no known exploits in the wild.

    MS16-026 Security Updates for Graphic Fonts to Address Remote Code Execution

    • CVE-2016-0120 OpenType Font Parsing Vulnerability
      There are no known exploits in the wild.
    • CVE-2016-0121 OpenType Font Parsing Vulnerability
      There are no known exploits in the wild.

    MS16-027 Security Update for Windows Media to Address Remote Code Execution

    • CVE-2016-0098 Windows Media Player Parsing Remote Code Execution Vulnerability
      IPS: 11500 “Windows Media Player Parsing Remote Code Execution 1”
    • CVE-2016-0101 Windows Media Player Parsing Remote Code Execution Vulnerability
      IPS: 11502 “Windows Media Player Parsing Remote Code Execution 2”

    MS16-028 Security Update for Microsoft Windows PDF Library to Address Remote Code Execution

    • CVE-2016-0117 Remote Code Execution Vulnerability
      SPY: 3280 “FathFTP ActiveX RasIsConnected Method Invocation”
    • CVE-2016-0118 Remote Code Execution Vulnerability
      There are no known exploits in the wild.

    MS16-029 Security Update for Microsoft Office to Address Remote Code Execution

    • CVE-2016-0021 Microsoft Office Memory Corruption Vulnerability
      SPY: 3252 “Malformed-File rtf.MP.11”
    • CVE-2016-0057 Microsoft Office Security Feature Bypass Vulnerability
      There are no known exploits in the wild.
    • CVE-2016-0134 Microsoft Office Memory Corruption Vulnerability
      There are no known exploits in the wild.

    MS16-030 Security Update for Windows OLE to Address Remote Code Execution

    • CVE-2016-0091 Windows OLE Memory Remote Code Execution Vulnerability
      SPY: 2439 “Malformed-File rtf.MP.10”
    • CVE-2016-0092 Windows OLE Memory Remote Code Execution Vulnerability
      SPY: 3251 “Malformed-File rtf.MP.12”

    MS16-031 Security Update for Microsoft Windows to Address Elevation of Privilege

    • CVE-2016-0087 Windows Elevation of Privilege Vulnerability
      This is a local vulnerability.

    MS16-032 Security Update for Secondary Logon to Address Elevation of Privilege

    • CVE-2016-0099 Secondary Logon Elevation of Privilege Vulnerability
      This is a local vulnerability.

    MS16-033 Security Update for Windows USB Mass Storage Class Driver to Address Elevation of Privilege

    • CVE-2016-0133 USB Mass Storage Elevation of Privilege Vulnerability
      There are no known exploits in the wild.

    MS16-034 Security Update for Windows Kernel-Mode Drivers to Address Elevation of Privilege

    • CVE-2016-0093 Win32k Elevation of Privilege Vulnerability
      This is a local vulnerability.
    • CVE-2016-0094 Win32k Elevation of Privilege Vulnerability
      This is a local vulnerability.
    • CVE-2016-0095 Win32k Elevation of Privilege Vulnerability
      This is a local vulnerability.
    • CVE-2016-0096 Win32k Elevation of Privilege Vulnerability
      This is a local vulnerability.

    MS16-035 Security Update for .NET Framework to Address Security Feature Bypass

    • CVE-2016-0035 .NET XML Validation Security Feature Bypass
      There are no known exploits in the wild.

    Beating Cybercrime and Driving Better Security at RSA

    As I’ve spent the past few days talking with customers and fellow information security professionals at this year’s RSA Conference, it’s become crystal clear that the threat of cybercrime has changed up the way we work. As these threats morph and shapeshift into new, more sophisticated forms, we must stay one step ahead of the bad actors to protect our customers.

    Customers at RSA feel this expanding threat environment is compounded by increased pressure to deploy new capabilities at warp speed. The massive explosion in both applications and access points makes it difficult for IT to keep the business productive and secure from these constantly evolving threats.

    The release last month of the SonicWall Security 2015 Threat Report provides a dose of reality with its analysis of the cybercrime trends of 2015, and a jolting look at the emerging security threats we can expect in 2016. The evolution of exploit kits that conceal exploits from security systems, the surging growth in SSL/TLS encryption that enables hackers to launch under-the-radar attacks that conceal malware from firewalls, plus a continued rise in Android malware that puts most of the smartphone market at risk and a marked increase in malware attacks in general all are on the horizon this year. As information security professionals, our work is cut out for us.

    SonicWall Security is committed to delivering comprehensive protection against dramatic growth of the zero-day attacks identified in the Threat Report. On Monday, we unveiled at RSA the SonicWall Capture Advanced Threat Protection Service, a first-to-market, adaptive, multi-engine sandboxing approach that enhances the ability of organizations to protect against shape-shifting cyber threats, not just by detecting the threats with a single engine solution as other sandboxing tools do, but by going a necessary step further to actually block those threats before they enter the network. This cloud offering, which was showcased throughout the week at RSA, incorporates the VMRay third-generation Analyzer threat detection analysis engine with the Lastline Breach Detection platform and the SonicWall Sonic Sandbox threat analysis engine, to deliver a much needed three-layer level of defense against today’s unknown threats.

    We’re also reinforcing our commitment to our channel partners by beefing up the already best-in-class security offerings they have available to customers. Our new SonicWall Capture solution is available through the channel, and, in February, we announced that our newest Identity and Access Management solution, SonicWall One Identity Safeguard for Privileged Passwords, also is available through our channel partners. SonicWall Security’s first identity and access management solution offered through channel partners at the initial launch, Safeguard adds critical security controls to our partners’ portfolio.

    In addition, I’m pleased to report that we’ve received significant industry validation for our SonicWall Security portfolio recently. For the fourth consecutive year, the SonicWall SuperMassive E10800 next-generation firewall (NGFW) running SonicOS 6.0 and integrated Intrusion Prevention Service has earned the coveted Recommended rating in the NSS Labs Next-Generation Firewall Security Value Map. This represents the highest rating given by NSS Labs, and SonicWall is one of only three vendors to earn this distinction for four consecutive years. NSS Labs is one of the industry’s most influential third-party evaluators of security products, and that means our customers are protecting their networks with a security product that is among the best-performing in the industry.

    SonicWall Security solutions also received nine awards in the recently announced 2016 Info Security Products Guide Global Excellence Awards.

    At SonicWall Security, we are committed to helping our customers fight constantly shapeshifting threats by extending end-to-end connected security that both protects the modern day enterprise, and enables support for mobility, cloud and easy user access that drives business productivity. We strive to deliver security solutions that support our open ecosystem where every aspect of security is covered with little overlap. Our goal is for all of our best-in-class solutions and technologies to reinforce each other and work both independently and together, to ensure we’re setting the highest bar for value to our partners and customers.

    Preventing DROWN Attack (March 2, 2016)

    On March 1st 2016, OpenSSL released patches that disable the SSLv2 protocol by default and remove the SSLv2 EXPORT ciphers.

    A cross-protocol attack was discovered that can decrypt TLS sessions by using a server that supports SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle. Note that traffic between clients and a non-vulnerable server can still be decrypted if another server that supports SSLv2 and EXPORT ciphers (even for a different protocol such as SMTP, IMAP or POP) shares the RSA key of the non-vulnerable server. This vulnerability is known as DROWN.

    The vulnerability is tracked as CVE-2016-0800.

    Dell SonicWALL customers are encouraged to enable the following IPS signature to detect and block SSLv2 traffic:

    • 5160 SSLv2.0 Client Hello
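What a detection for an SSLv2 CLIENT-HELLO keys on, as an added Python example that is not SonicWall’s signature logic: the parser below reads the SSLv2 record header (2 bytes, high bit set), checks the MSG-CLIENT-HELLO type byte, decodes the offered 3-byte cipher kinds and reports whether any are EXPORT kinds, while separating a genuine SSLv2 hello (version 0x0002) from a TLS hello sent in SSLv2-compatible framing. build_sslv2_client_hello constructs the test packets, so nothing here is captured from a network; the cipher-kind constants are the SSL 2.0 values.

```python
import struct

# SSLv2 CIPHER-KIND values from the SSL 2.0 draft specification.
SSL2_CIPHER_KINDS = {
    0x010080: "SSL_CK_RC4_128_WITH_MD5",
    0x020080: "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    0x030080: "SSL_CK_RC2_128_CBC_WITH_MD5",
    0x040080: "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    0x050080: "SSL_CK_IDEA_128_CBC_WITH_MD5",
    0x060040: "SSL_CK_DES_64_CBC_WITH_MD5",
    0x0700C0: "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
EXPORT_KINDS = {0x020080, 0x040080}   # the 40-bit export kinds DROWN relies on
MSG_CLIENT_HELLO = 0x01


def parse_sslv2_client_hello(data):
    """Return a dict describing an SSLv2 CLIENT-HELLO, or None if the bytes are
    not one. Only the 2-byte record header (high bit set) is handled; a
    CLIENT-HELLO is never sent with the 3-byte padded header."""
    if len(data) < 11 or not data[0] & 0x80:
        return None
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + rec_len]
    if len(body) != rec_len or body[0] != MSG_CLIENT_HELLO:
        return None
    version, cs_len, sid_len, ch_len = struct.unpack_from(">HHHH", body, 1)
    if cs_len % 3 or 9 + cs_len + sid_len + ch_len != rec_len:
        return None                                      # malformed or truncated
    specs = body[9:9 + cs_len]
    kinds = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cs_len, 3)]
    return {
        "version": version,
        "sslv2_only": version == 0x0002,   # TLS hellos in SSLv2 framing carry 0x0300 or higher
        "cipher_kinds": kinds,
        "cipher_names": [SSL2_CIPHER_KINDS.get(k, "unknown-0x%06x" % k) for k in kinds],
        "export": [k for k in kinds if k in EXPORT_KINDS],
        "challenge_len": ch_len,
    }


def classify(data):
    """Coarse verdict for a record: the three cases a rule would distinguish."""
    hello = parse_sslv2_client_hello(data)
    if hello is None:
        return "not-sslv2-hello"
    if hello["export"]:
        return "sslv2-hello-with-export-ciphers"
    return "sslv2-hello"


def build_sslv2_client_hello(version, kinds, challenge=b"\x11" * 16):
    """Constructed test input: a CLIENT-HELLO with the given version and cipher
    kinds and no session id."""
    specs = b"".join(k.to_bytes(3, "big") for k in kinds)
    body = (bytes([MSG_CLIENT_HELLO])
            + struct.pack(">HHHH", version, len(specs), 0, len(challenge))
            + specs + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body


if __name__ == "__main__":
    pkt = build_sslv2_client_hello(0x0002, [0x010080, 0x020080, 0x040080])
    print(classify(pkt), parse_sslv2_client_hello(pkt)["cipher_names"])
```

The version distinction matters when tuning: older clients sent TLS hellos in SSLv2 framing, so a rule that blocks every SSLv2-format record is broader than one that blocks SSLv2 itself. Since DROWN’s oracle can be any service that shares the RSA key, watch this pattern on the SMTP, IMAP and POP ports as well as on HTTPS.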