Data stealing trojan described as a JPG file (December 31, 2015)

The Dell SonicWall Threats Research team has received reports of a data stealing Trojan whose version-information resource describes it as a JPG file. Upon execution, the Trojan steals information from the system and is also capable of downloading more malware.

Infection Cycle:

The Trojan has the following description:

There are a few tools available, such as Resource Tuner, that can be used to change the properties of an executable, including:

  • Company Name
  • Copyright Notice
  • Product Name
  • Product Description
  • File Version
  • Product Version

It copies itself to the following location as explorer.exe, so that it passes as a Windows process:

  • C:\Documents and Settings\Admin\Application Data\explorer.exe [detected as GAV: Kryptik.EGO_2 (Trojan)]

It also adds an autorun entry by dropping a copy into the user's Startup folder:

  • C:\Documents and Settings\Admin\Start Menu\Programs\Startup\6b297773d8200eb005c582cd40418052.exe

It also modifies the firewall policy so that the dropped copy is listed as an authorized application:

  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List [C:\Documents and Settings\Admin\Application Data\explorer.exe]

On analysis, the malware was found to contain the following strings, which are used to encrypt and decrypt the stolen user information:

    The malware contacts the following domain:

Once the CnC server is reached, it collects the following information and sends it to the server on port 5584.

The system information is base64 encoded before it is sent to the server. The decoded samples below show the format: the second value ends in a NUL byte, and the third is a CRLF-separated list of fields that matches the host and port the sample contacts and the AppData\explorer.exe location it installs to:

• V0lORE9XU18xMDA0MERDNw== decodes to WINDOWS_10040DC7
• UHJvZ3JhbSBNYW5hZ2VyAA== decodes to Program Manager followed by a trailing NUL byte
• V0lORE9XUw0KbG92ZTIwMTQuZGRucy5uZXQ6NTU4NA0KQXBwRGF0YQ0KZXhwbG9yZXIuZXhlDQpUcnVlDQpUcnVlDQpGYWxzZQ0KRmFsc2U= decodes to WINDOWS, love2014.ddns.net:5584, AppData, explorer.exe, True, True, False, False (one field per line)

Overall, this Trojan is capable of sending sensitive information out to a remote server. We urge our users to always be vigilant and cautious with any unsolicited attachments, especially if you are not certain of the source.

    Dell SonicWALL Gateway AntiVirus and Intrusion Prevention provides protection against this threat with the following signatures:

    • GAV:Kryptik.EGO_2 (Trojan)

    Knock!! Knock!! … CK Exploit kit is back (Dec 31st, 2015)

The Dell SonicWall Threat Research team has been observing the CK Exploit Kit being used in the wild. The kit was first seen in 2012, remained active through 2013, and then went quiet.

    CK kit uses multiple levels of redirection before serving the landing page. Its redirection chain is shown below:

    Fig-1 : Flow chart of Infection Chain

The CK Exploit landing page uses the Oracle Deployment Toolkit's JavaScript to evaluate the installed Java version, the SWFObject project's JavaScript to evaluate the Flash plugin version, and Dean Edwards' JavaScript Packer to hide its malicious JavaScript code.

    Fig 2: Landing Page

The landing page has two levels of obfuscation. After de-obfuscation it looks as shown below:

Fig-3: First level of de-obfuscation

Fig-4: Second level of de-obfuscation
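Because the packer layer is Dean Edwards' eval(function(p,a,c,k,e,d){...}) wrapper, an analyst can recover the plain script statically instead of letting a browser run it. The following Python is an added example, not code from the original post or from the kit: it pulls the packed string, the base and the word dictionary out of the wrapper's trailing call, reverses the word substitution, and repeats until no wrapper remains, which is what the two-level landing page calls for. The packed sample is constructed for this example (a generic Deployment Toolkit JRE check, hand-packed with base 62), not the kit's actual landing page.

```python
import re
from typing import Optional

# Digit alphabet of the packer's encoder: 0-9 and a-z for values up to 35,
# then A-Z (chr(value + 29)) for values 36..61 when the base is 62.
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

# The wrapper ends with: }('<packed>', <base>, <count>, '<words>'.split('|'), ...
PACKED_CALL_RE = re.compile(
    r"}\s*\(\s*'(?P<p>(?:[^'\\]|\\.)*)'\s*,\s*(?P<a>\d+)\s*,\s*(?P<c>\d+)\s*,"
    r"\s*'(?P<k>(?:[^'\\]|\\.)*)'\s*\.split\(\s*'\|'\s*\)",
    re.DOTALL,
)

_JS_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "'": "'", '"': '"', "\\": "\\", "/": "/"}


def _js_unescape(text: str) -> str:
    """Undo the backslash escapes a JS single-quoted string literal may carry."""
    return re.sub(r"\\(.)", lambda m: _JS_ESCAPES.get(m.group(1), m.group(0)), text, flags=re.DOTALL)


def decode_token(token: str, base: int) -> int:
    """Interpret one packed word as a number written in the packer's alphabet."""
    value = 0
    for ch in token:
        digit = ALPHABET.find(ch)
        if digit < 0 or digit >= base:
            raise ValueError(f"{token!r} is not a base-{base} word")
        value = value * base + digit
    return value


def unpack(packed_js: str) -> Optional[str]:
    """Reverse one packer layer; returns None when no wrapper is present."""
    m = PACKED_CALL_RE.search(packed_js)
    if m is None:
        return None
    payload = _js_unescape(m["p"])
    base = int(m["a"])
    words = _js_unescape(m["k"]).split("|")

    def restore(match: re.Match) -> str:
        token = match.group(0)
        try:
            index = decode_token(token, base)
        except ValueError:
            return token
        # An empty dictionary slot means the word already equals its encoding.
        return words[index] if index < len(words) and words[index] else token

    return re.sub(r"\b\w+\b", restore, payload)


def unpack_all(script: str, max_layers: int = 10) -> str:
    """Peel packer layers until a script without the wrapper remains."""
    for _ in range(max_layers):
        inner = unpack(script)
        if inner is None:
            return script
        script = inner
    return script


# Constructed sample (not the kit's code): word indices 0..8 encode as the
# single base-62 digits 0..8, so the packed body reads "0 1=2.3();4(1.5>6){7.8(1)}".
SAMPLE_PACKED = (
    "eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};"
    "if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}"
    "k=[function(e){return d[e]}];e=function(){return'\\\\w+'};c=1};"
    "while(c--){if(k[c]){p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c])}}"
    "return p}('0 1=2.3();4(1.5>6){7.8(1)}',62,9,"
    "'var|jre|deployJava|getJREs|if|length|0|document|write'.split('|'),0,{}))"
)

if __name__ == "__main__":
    print(unpack_all(SAMPLE_PACKED))
```

The decoder never evaluates anything from the page: the wrapper's own function body is ignored and only the data arguments are used, so a landing page that hides a second eval or an exploit-selection routine inside the packed text is exposed rather than executed.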


In this update, the kit checks for the browsers, browser versions and installed plugins listed below. Based on the victim's browser and plugin versions, a matching exploit is served.

    Fig 5: script serving the exploit

On successful exploitation, malware belonging to the PWS-Banker family is currently being served.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

• GAV: CKhtm.EKA (Exploit)
• GAV: CKflash.EKA (Exploit)
• GAV: PWS-Banker (Trojan)

    Out-of-band Adobe security update (Dec 29, 2015)

On December 28, 2015, Adobe published security bulletin APSB16-01 and the related security patches, which were originally scheduled for release in January 2016.

    The patches fix multiple issues, including an integer overflow vulnerability in Adobe Flash Player (CVE-2015-8651), which has been exploited in the wild.

    Dell SonicWALL has released a signature to detect and block exploitation attempts targeting this vulnerability. The signature is listed below:

    • ANTISPY sid:4221 “Malformed-File swf.MP.360”

Adobe’s decision to release the patches early is commendable, since shortening the response time is critical to reducing the damage caused by attackers. Good job, Adobe!

    Trojan distributed as 8 Ball Pool game hack (Dec 18, 2015)

The Dell SonicWALL Threats Research team has received a sample of a backdoor Trojan posing as a game hack. Cheats for games often contain malware, which might not come as a surprise to many. But as a game becomes more popular, cybercriminals take advantage of eager gamers with promises to unlock abilities or to accumulate enough credits to buy something that helps them progress, and these shortcuts make the lure more appealing. The sample we received poses as a cheat for a top-ranking free sports game. In fact, searching for the 8 Ball Pool game online yields keyword suggestions such as “hack” and “cheats.”

    Infection Cycle

The Trojan arrives as a file named “hack 8 ball pool.exe”. Upon execution, it copies itself to the following location:

• %TEMP%\chrome.exe

In order to start after a reboot, the Trojan adds the following value to the registry:

• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [8ce73491bf190a3fd7028c92bd3331b1] “%TEMP%\chrome.exe”

To bypass the Windows firewall, it adds its copy to the list of authorized applications in the registry:

• HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List [%TEMP%\chrome.exe]
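Both this sample and the JPG-disguised Trojan described earlier on this page persist the same way: a copy under a system-looking name (explorer.exe, chrome.exe) in a user-writable directory, an autorun entry or Startup-folder drop with a hash-like name, and a self-granted exception in the Windows firewall's AuthorizedApplications list. The following Python is an added example, not SonicWall's code, of the checks an analyst can run over registry and Startup-folder artifacts (exported from a host, or from Sysmon registry events) to flag that pattern. The artifact records are constructed from the observations in the two posts plus two benign entries; the registry key strings are the real locations the posts name, while the rules themselves are this example's assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Autorun locations: Run/RunOnce keys and the per-user Startup folder.
AUTORUN_LOCATIONS = ("\\currentversion\\run", "\\start menu\\programs\\startup")
# The Windows XP-era firewall exception list both samples write to.
FIREWALL_LIST = "\\sharedaccess\\parameters\\firewallpolicy\\"
# Substrings that place a path in a directory an unprivileged user can write to.
WRITABLE_MARKERS = (
    "%temp%", "%appdata%", "%localappdata%", "\\temp\\",
    "\\application data\\", "\\appdata\\", "\\start menu\\programs\\startup\\",
)
# Names the two samples borrow from legitimate software, and the prefixes under
# which the genuine binaries are expected to live (assumption of this example).
IMPERSONATED_NAMES = {"explorer.exe", "chrome.exe"}
EXPECTED_PREFIXES = ("c:\\windows\\", "c:\\program files", "%programfiles%", "%windir%")
# 32 hex characters, optionally bracketed or with an .exe suffix, as in
# 6b297773d8200eb005c582cd40418052.exe and [8ce73491bf190a3fd7028c92bd3331b1].
HASH_LIKE = re.compile(r"^\[?[0-9a-f]{32}\]?(\.exe)?$", re.I)


@dataclass(frozen=True)
class Artifact:
    location: str  # registry key, or the directory of a dropped file
    name: str      # registry value name, or the file name
    target: str    # executable path the entry points at


def assess(artifact: Artifact) -> list[str]:
    """Return the reasons an autorun or firewall artifact looks malicious (empty if none)."""
    location = artifact.location.lower()
    target = artifact.target.lower()
    findings = []
    in_writable_dir = any(marker in target for marker in WRITABLE_MARKERS)
    if any(key in location for key in AUTORUN_LOCATIONS) and in_writable_dir:
        findings.append("autorun entry points into a user-writable directory")
    if FIREWALL_LIST in location and in_writable_dir:
        findings.append("firewall exception granted to a binary in a user-writable directory")
    basename = target.rsplit("\\", 1)[-1]
    if basename in IMPERSONATED_NAMES and not target.startswith(EXPECTED_PREFIXES):
        findings.append(f"{basename} running from an unexpected location")
    if HASH_LIKE.match(artifact.name) or HASH_LIKE.match(basename):
        findings.append("hash-like value or file name")
    return findings


def scan(artifacts: list[Artifact]) -> list[tuple[Artifact, list[str]]]:
    """Keep only the artifacts that trigger at least one rule."""
    return [(a, f) for a in artifacts if (f := assess(a))]


# Constructed sample artifacts: the first four mirror the two samples on this page,
# the last two are benign entries a clean machine could carry.
FIREWALL_KEY = ("HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters"
                "\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List")
RUN_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
STARTUP_DIR = "C:\\Documents and Settings\\Admin\\Start Menu\\Programs\\Startup"
SAMPLE_ARTIFACTS = [
    Artifact(FIREWALL_KEY, "C:\\Documents and Settings\\Admin\\Application Data\\explorer.exe",
             "C:\\Documents and Settings\\Admin\\Application Data\\explorer.exe"),
    Artifact(STARTUP_DIR, "6b297773d8200eb005c582cd40418052.exe",
             STARTUP_DIR + "\\6b297773d8200eb005c582cd40418052.exe"),
    Artifact(RUN_KEY, "8ce73491bf190a3fd7028c92bd3331b1", "%TEMP%\\chrome.exe"),
    Artifact(FIREWALL_KEY, "%TEMP%\\chrome.exe", "%TEMP%\\chrome.exe"),
    Artifact(RUN_KEY, "SecurityHealth", "C:\\Windows\\system32\\SecurityHealthSystray.exe"),
    Artifact(FIREWALL_KEY, "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
             "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"),
]

if __name__ == "__main__":
    for artifact, reasons in scan(SAMPLE_ARTIFACTS):
        print(artifact.target, "->", "; ".join(reasons))
```

Each rule on its own is noisy (installers do drop autoruns into AppData), which is why the scan reports every matching reason rather than a single verdict: an entry that trips the writable-directory, impersonated-name and hash-like-name rules at once, as the chrome.exe Run value does, is the combination worth escalating.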

    It then makes the following DNS query:

    Figure 1: DNS query to hackernople.no-ip.biz

It then starts sending information such as the current date, the victim’s computer name, user name, operating system and IP address to a remote server:

    Figure 2: Trojan sending personal information to a remote C&C server

    We have also noticed the Trojan sending desktop screenshots to a remote server:

    Figure 3: Trojan sending screenshots in a JPG format to a remote C&C server

This Trojan is capable of deleting files from the victim’s machine. During our analysis, it deleted the Sysinternals tools Process Explorer (procexp.exe) and TCPView (tcpview.exe).

Figure 4: Trojan sending confirmation of the removal of procexp.exe and tcpview.exe

It is also capable of downloading additional malicious components. During our analysis, it downloaded and installed a password recovery tool called “WebBrowserPassView” on the victim’s machine. This tool can be used to reveal passwords stored in the victim’s web browsers.

    Figure 5: Packets showing the infected machine receiving an executable

    Figure 6: Receiving command to execute and install WebBrowserPassView

This Trojan is capable of deleting data, possibly disrupting services, and stealing information, and therefore poses a significant threat depending on the sensitivity of the data stolen from the victim. It is made more dangerous by trading on the popularity of the game it pretends to be, and with its ability to download and install more components, victims will likely end up with multiple malware infections on their systems.

    Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

    • GAV: Barys.RAT (Trojan)

    iPower Technologies Arrests Hidden Malware from Body Cameras with SonicWall Firewalls

Note: This is a guest blog by Jarrett Pavao, CEO of iPower Technologies Inc., a Premier Partner for SonicWall Security in South Florida.

    Every day viruses, malware and trojans infect IT infrastructure through a growing number of mobile devices. With the growth of Internet of Things (IoT), this threat is rapidly increasing. We are faced with viruses potentially infiltrating almost every connected device – even brand-new law enforcement body cameras.

That’s right, even the people sworn to protect are exposed to these threats. Here at iPower Technologies, we never cease to be amazed at the lengths that the bad guys will go to to break into networks. That’s why it’s important that organizations have comprehensive network security that protects their associates whether they are working in the field, at home or in the office. As more of our everyday devices become “smart” and “connected”, they bring great convenience to our private and professional lives, but they also provide an access point to infect entire networks and wreak havoc. This potential threat may even come from new equipment straight out of the box.

My team at iPower Technologies, based in Boca Raton, recently discovered malware on the body cameras used by one of our law enforcement clients. As a SonicWall Security Premium Partner, we follow strict protocols and regularly audit and scan our clients’ IT infrastructure and endpoint devices, including body cameras used by our law enforcement customers. With SonicWall next-generation firewalls, we were able to detect the virus before it infected the entire network and potentially put critical data at risk. These cameras have geolocation/GPS capabilities, meaning that the malware could be used to track law enforcement locations.

    Discovery: Conficker Worm

We discovered the malware during testing of body camera equipment for one of our law-enforcement clients. An iPower engineer connected the USB camera to one of our computers. When he did that, multiple security systems in our test environment alerted on a new threat. It turned out to be a variant of the pervasive Conficker worm and we immediately quarantined it. A second camera was connected to a virtual lab PC with no antivirus. The SonicWall next-generation firewall immediately notified iPower of the virus’ attempt to spread on the LAN and blocked the virus from communicating with command-and-control servers on the public internet.

    Prevention

Like the body armor that peace officers wear, taking precautions and preventive measures is the best defense for stopping attacks and limiting their damage. Fortunately for our clients, my iPower team has the expertise to recognize active threats, along with the support of the SonicWall Threat Research team, to prevent successful attacks. In this specific case, the threat was stopped before it could do any damage and an alert for the Conficker worm was issued.

Any network with a properly deployed SonicWall next-gen firewall would have contained the attack to the local device the camera was plugged into, rather than letting it reach the entire network.

    Sonicwall Next Generation firewalls have multiple security features including the ability to inspect encrypted traffic, and leverage deep packet inspection (DPI) technology. See the diagram below for an example of how to prevent a virus or worm like Conficker from spreading from a PC to your servers:

    Examine Smart Devices before Deploying

It’s a matter of policy at iPower to test all equipment before we install it on a client’s network. If you don’t have a test environment, or access to one, I strongly suggest that you make the investment. It can pay for itself by preventing embarrassing events at the client site, as well as by increasing internal staff knowledge that can then be applied in the real world. So do test every device you plan to install or connect to your client’s network.

Make sure that testing is a matter of policy by having a strict written policy regarding the implementation of any new hardware or software. Test any new systems being added to your corporate network in a sandbox environment prior to deployment. We don’t know for sure how the malware got onto the body cameras. It could have happened at any of the manufacturing, assembly and, ironically, QA testing stages. I think the most likely reason is a lack of manufacturing controls and outsourced equipment production. It seems innocuous enough. It’s just a camera, but the worm could have had devastating, even tragic, ramifications if it had been able to gain remote code execution inside a network. Attackers could then harvest police databases for personally identifiable information (PII), which can be used to forge fake identities and more.

This threat is real and growing. When you extrapolate this threat out to common smart devices, such as connected refrigerators and thermostats, and add the general lack of security knowledge in the home and SMB markets, you have a potentially massive challenge. So again, any device that will be placed on the same network as servers or databases, or that could potentially access a corporate network, needs to be checked out and properly aligned with security best practices. The best way to do this is careful network design; intra-VLAN inspection on SonicWall next-generation firewalls is a great way to protect critical infrastructure from high-risk PCs and IoT devices.

    Jenkins CI Server Commons-Collections Library Insecure Deserialization

Jenkins is an open source continuous integration (CI) tool written in Java. It builds and tests software continuously and tracks the status of existing jobs. It supports various version control systems such as Subversion, Git and Perforce.

To administer Jenkins remotely, it ships with a command line interface (CLI) tool called jenkins-cli.jar. Using this tool, commands can be sent to the Jenkins server, which processes them using its Remoting layer: objects are serialized by the client and deserialized by the server. An insecure deserialization vulnerability (CVE-2015-8103) exists in the server because it deserializes untrusted data while a vulnerable version of the Apache Commons Collections library is on its classpath. The vulnerability can be exploited by an unauthenticated remote attacker by sending a specially crafted serialized object. Successful exploitation leads to the execution of arbitrary commands on the server. The problem is located in the readObject() method in the ‘Connection.class’ class file.

Deserializing untrusted data while the vulnerable Apache Commons Collections classes are available leads to the vulnerability. Such classes include, for example:

• InvokerTransformer
• ForClosure
• ClosureTransformer

to name a few. The untrusted data eventually passes down to the Runtime.exec() method, where the attacker's command gets executed. Below is the applied fix. The fix filters deserialization against a list of classes that are considered unsafe:

Vulnerable versions:

• Jenkins 1.637 and prior
• Jenkins LTS releases 1.625.1 and prior
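The fix and the IPS signature rest on the same observation: a legitimate CLI exchange never needs the Commons Collections functor classes, so their names appearing in a serialized stream headed for the CLI port are a reliable signal. The following Python is an added example, not Jenkins' or SonicWall's code, of that check as a detection engineer might script it over captured bytes: it verifies the Java serialization stream magic, walks the TC_CLASSDESC records to collect class names, and reports any that belong to the gadget set. The walk is a heuristic, not a full parser of the serialization grammar; the gadget list is the page's three classes extended with ChainedTransformer and ConstantTransformer, which the public Commons Collections exploit chains combine with InvokerTransformer; and the two sample streams are constructed, with placeholder serialVersionUID values, not captured traffic.

```python
from __future__ import annotations

import re

STREAM_MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC and STREAM_VERSION of Java serialization
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72

# The classes named in the advisory, plus the two helpers the public
# Commons Collections exploit chains combine with InvokerTransformer.
GADGET_CLASSES = {
    "org.apache.commons.collections.functors.InvokerTransformer",
    "org.apache.commons.collections.functors.ForClosure",
    "org.apache.commons.collections.functors.ClosureTransformer",
    "org.apache.commons.collections.functors.ChainedTransformer",
    "org.apache.commons.collections.functors.ConstantTransformer",
}

# Fully qualified Java class name with at least one package component.
CLASS_NAME_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+$")


def extract_class_names(stream: bytes) -> list[str]:
    """Heuristically collect class names from TC_CLASSDESC records.

    A class descriptor starts with 0x72, a big-endian 2-byte length and the
    class name. The scanner accepts a 0x72 byte as a descriptor only when a
    plausible class name follows it, then skips past that name.
    """
    names = []
    pos = stream.find(bytes([TC_CLASSDESC]))
    while pos != -1 and pos + 3 <= len(stream):
        length = int.from_bytes(stream[pos + 1:pos + 3], "big")
        candidate = stream[pos + 3:pos + 3 + length]
        if 0 < length <= 255 and len(candidate) == length:
            try:
                text = candidate.decode("ascii")
            except UnicodeDecodeError:
                text = ""
            if CLASS_NAME_RE.match(text):
                names.append(text)
                pos = stream.find(bytes([TC_CLASSDESC]), pos + 3 + length)
                continue
        pos = stream.find(bytes([TC_CLASSDESC]), pos + 1)
    return names


def inspect_payload(stream: bytes) -> dict:
    """Classify bytes sent to the CLI port: serialized? which classes? any gadgets?"""
    if not stream.startswith(STREAM_MAGIC):
        return {"java_serialized": False, "classes": [], "gadgets": []}
    classes = extract_class_names(stream)
    return {
        "java_serialized": True,
        "classes": classes,
        "gadgets": [c for c in classes if c in GADGET_CLASSES],
    }


def _class_desc(name: str) -> bytes:
    """Build a minimal TC_CLASSDESC record for the constructed samples below."""
    encoded = name.encode("ascii")
    return (bytes([TC_CLASSDESC]) + len(encoded).to_bytes(2, "big") + encoded
            + b"\x00" * 8     # serialVersionUID (placeholder, not the real value)
            + b"\x02"         # classDescFlags: SC_SERIALIZABLE
            + b"\x00\x00"     # field count
            + b"\x78"         # TC_ENDBLOCKDATA
            + b"\x70")        # TC_NULL: no superclass descriptor


# Constructed samples, not captured traffic.
BENIGN_STREAM = STREAM_MAGIC + bytes([TC_OBJECT]) + _class_desc("java.util.HashMap")
GADGET_STREAM = (BENIGN_STREAM + bytes([TC_OBJECT])
                 + _class_desc("org.apache.commons.collections.functors.InvokerTransformer"))

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_STREAM), ("gadget", GADGET_STREAM)):
        print(label, inspect_payload(sample))
```

In production you would match the whole org.apache.commons.collections.functors package rather than individual names, since new gadgets appear in the same package, and remember that a scanner like this sees only what is on the wire: a client that deserializes the stream is still the place to enforce the class filter, which is what the Jenkins fix does.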

Dell SonicWall has written the following signature that protects our customers from attacks against this vulnerability:

• 11314 Jenkins CLI Remote Code Execution

    Dridex module leaks system info and potentially more. (Dec 11th, 2015)

The Dell SonicWall UTM Research team has discovered a Dridex info-stealer module that leaks system information and potentially modifies certificates stored on the system.

    Infection Cycle:

Upon infection the Trojan sends the following system information to a remote C&C server:

    The following encrypted conversation was then observed:

The Trojan drops the following file on the infected system: 2FE.tmp.mod [Detected as GAV: Dridex.OOVO (Trojan)]

    2FE.tmp.mod contains the following strings:

    • Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; Windows NT 5.1; FDM; SV1; .NET CLR 3.0.0
    • CryptSIPDllGetSignedDataMsg
    • CryptDllExportPublicKeyInfoEx
    • CryptDllImportPublicKeyInfoEx
    • CryptDllEncodePublicKeyAndParameters
    • CryptDllConvertPublicKeyInfo
    • CertDllVerifyRevocation
    • CertDllVerifyCTLUsage
    • CertDllOpenSystemStoreProv
    • CertDllRegisterSystemStore
    • CertDllUnregisterSystemStore
    • CertDllEnumSystemStore
    • CertDllRegisterPhysicalStore
    • CertDllUnregisterPhysicalStore
    • CertDllEnumPhysicalStore
    • CryptDllExportPrivateKeyInfoEx
    • CryptDllImportPrivateKeyInfoEx
    • CertDllVerifyCertificateChainPolicy
    • CryptMsgDllExportEncryptKey
    • CryptMsgDllImportEncryptKey
    • CryptMsgDllGenContentEncryptKey
    • CryptMsgDllImportKeyTrans
    • CryptMsgDllImportKeyAgree
    • CryptMsgDllImportMailList

These strings are the names of CryptoAPI provider entry points (the functions a DLL exports in order to be registered as a certificate store, SIP or message-encryption provider), which suggests an intent to inspect or manipulate certificates on the infected system.

On our infected test system the following data was encrypted and leaked to a C&C server:

    SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

    • GAV: Dridex.AA_3 (Trojan)
    • GAV: Dridex.OOVO (Trojan)

    Higher Education Makes Cybersecurity a High Priority – Are You Prepared?

    Digital natives predominantly compose the student body at today’s education institutions, and technological advancements have created unprecedented opportunities for personalized learning. BYOD and other emerging technologies have allowed school districts, colleges, and universities to become more effective, inclusive, and collaborative.

    With the proliferation of devices now on the network, however, IT administrators are now faced with the enormous task of empowering end-users to capitalize on the benefits of increased mobility and connectivity, while also ensuring the integrity of the organization’s network and data. In our current threat environment, it is more critical than ever that schools, colleges and universities develop an overarching, end-to-end security approach that aligns with the institution’s mission.

    A recent SonicWall survey, conducted in partnership with the Center for Digital Education, targeted higher education IT professionals, including executives (CIO, CISO, VP of IT, etc.), IT Directors and network managers to assess the state of network security on college campuses. A key takeaway from the study, however unsurprising, is that 73 percent of respondents rank cybersecurity high or very high among their institution’s technology priorities.

    Just as cybersecurity has become a priority across industry and government, higher education institutions are shining a brighter spotlight on security – and for good reason. While educational institutions rank their ability to detect and block cyber attacks relatively high, with 65 percent citing their abilities as good or excellent, only 17 percent indicate that they have not experienced a network breach/incident in the past year. This statistic is indicative of the fact that cyber threats are continuing to increase in both frequency and sophistication in every industry.

    In response to the growing threat of data breaches, 77 percent of survey respondents indicate they expect to spend more on network security in the next 12 months and 63 percent expect to spend more on secure access to data and applications. This is an encouraging statistic, as it reflects increased awareness around the need to strengthen security and mitigate risk.

    In our hyper-connected world, a strong security posture is a strategic investment for education at all levels. IT administrators and decision makers across the education industry need to address the continually growing role of technology on campus by implementing end-to-end security solutions that protect all data and endpoints, old and new. Holistic, end-to-end security that utilizes identity access management, next-gen firewalls, endpoint security and efficient patch management allows school districts, colleges and universities to confidently and securely offer the benefits of increased mobility and other IT advances to their faculty and students.

    For more details from the survey, view the on-demand webcast “Network Security in Education: The changing landscape of campus data security.” In this November 2015 webinar, Larry Padgett of the School District of Palm Beach County reviews how his district – the 10th largest in the United States — is leveraging people, processes, and SonicWall next-generation firewalls to protect a network serving 189,000 students and staff in nearly 200 sites. SonicWall Security’s Ken Dang joins Larry in this Education Dive webinar.

    Network Security Designs for Your Retail Business

The 2015 Verizon Data Breach Investigations Report (DBIR) estimate of $400 million in financial losses from security breaches shows the importance of managing breaches and putting appropriate security infrastructure in place. The retail industry saw high-profile breaches this year through RAM-scraping malware aimed at point-of-sale (POS) systems. Security breaches affect both large and small organizations. According to the 2015 DBIR, attackers gained access to the POS devices of small organizations through brute force, while the larger breaches were multi-step attacks in which a secondary system was compromised before the POS system was attacked. This article highlights the key design considerations for building and deploying a secure, scalable and robust retail network.

    Secure Network Design Considerations

Organizations need to ensure that their networks are resilient, secure and robust. The security solution put in place must not be a knee-jerk reaction to an attack but a comprehensive protection solution. A typical retail location requires support for POS systems, guest Wi-Fi access, employee access to restricted resources, third-party vendor access to limited resources and a reliable Internet connection with no downtime. Given these requirements, the following strategies are recommended for the retail network design:

1. Network Segmentation – It is important to segment the retail network into multiple networks. This ensures that an attack on a particular device in one network does not spread to the entire network. A simple, flat network design makes it easy for an infected POS terminal to bring the entire network down. Create separate networks for POS terminals, guest Wi-Fi devices, employee access to restricted information and third-party vendor access (limited and appropriate access).

    2. Access Control – Install strict access controls on all network segments to ensure how devices communicate within and across network segment(s).

3. VPN Tunnels – Create site-to-site VPN tunnels between the retail location and the centralized data center to ensure that all traffic originating from a POS system is always encrypted. Typically, customers' sensitive credit card information is encrypted when it is validated over the Internet. However, simple management data such as login credentials may not be encrypted and could be an entry point for a security breach.

4. Security – The SonicWall 2015 Annual Threat Report findings show a 109% increase in encrypted connection traffic over the previous year. This potentially means that attackers could be using encryption to hide their malware from firewalls. It is imperative to use a Next-Generation Firewall (NGFW) that performs deep packet inspection on all traffic, including encrypted traffic. Deep packet inspection services such as Intrusion Prevention, malware detection and Content Filtering are strongly recommended to reduce the risk of intrusions and malware attacks. Additionally, enable endpoint anti-virus on all POS terminals for increased security.

5. Reliability – Retail networks need to be secure and fault tolerant, with zero downtime. For fault tolerance at smaller retail locations, it is recommended to use 3G/4G backup failover with a multi-ISP strategy. For higher-traffic retail locations, NGFWs deployed in High-Availability mode provide uninterrupted connectivity.

    6. Guest Wi-Fi – Retail locations are increasingly using guest Wi-Fi access as a means to increase their business and stickiness with customers. For guest Wi-Fi, create a locked-down Internet-only network access for visitors or untrusted network nodes. Choose a solution that provides guest services with the latest wireless technology such as 802.11ac for increased bandwidth.

    The SonicWall Next Generation Firewall based security solution provides an integrated approach to addressing all the requirements of a typical retail network. For more information on best practices for securing your retail network, download this white paper.

    The Holiday Online Shopping Season is Coming Is Your Network Prepared?

Now that Halloween is over, it’s time for the holiday online shopping season to kick in, beginning on Black Friday, continuing through Cyber Monday, and finishing up on New Year’s Day. For a lot of people it’s time to start spending money.

    When we shop for the holidays many of us like to do it online. The National Retail Federation indicates that more than half of U.S. consumers plan to make at least some of their holiday purchases online this year. Why? Well, we can do it from anywhere at any time. It’s convenient. That includes shopping from work.

    What does it mean to your organization? Well, there’s a good chance your employees will spend some of their work time shopping online over the next six weeks. Is that a potential problem? If you consider the security of your network, the productivity of your employees and the use of network bandwidth important to your organization, then the answer is yes, and here’s why.

    Online shopping at work introduces security risks. For example, employees may inadvertently create opportunities for malicious attacks directed at your organization. An “attack or threat vector” is the means a hacker uses to gain access to one or more systems or servers on your network. Through the attack vector, the hacker can compromise systems on your network and deliver a malicious payload, the most common being a virus, worm, trojan or spyware. A common threat vector around the holidays is phishing. Phishing is an email fraud method in which the perpetrator sends out a legitimate-looking email instructing recipients to go to the fake website of a reputable business such as FedEx or UPS. The site will attempt to collect personal information such as the user’s name, passwords, social security number and credit card details. Another attack vector you may come across is “malvertising,” or “malicious advertising,” which is a threat that uses online advertising to spread malware. The malware can then capture information from an infected machine, or send probes around the network to find servers and other systems that can be compromised.

    The security of your network isn’t the only issue your organization faces during the holiday buying season. Employees are exercising more freedom for personal activities such as online shopping during work hours. This is concerning. Why? Well, they’re shopping on company time so they’re not as productive and it’s likely they’re connecting to sites through the corporate network which could lead to a security risk as well as a misappropriation of valuable bandwidth.

    Speaking of your bandwidth, there’s the question of how it’s being used. With likely over half of your employees shopping online at some point during the holidays, the bandwidth available to critical applications on your network is going to disappear. Therefore, it’s critical to prevent vital bandwidth from being consumed by non-productive web use such as online shopping, streaming music and watching HD videos which can all have a negative impact on network performance if left unchecked.

    What can you do to secure your network, improve employee productivity and get the most out of your bandwidth during the holiday online shopping season? Here are a few tips:

    • Get a next-generation firewall. If you don’t have one already, next-generation firewalls secure inbound and outbound traffic from threats, provide you the tools to determine which websites your employees can and can’t access (hint – online shopping sites) and allow you to identify and control the apps used on your network and how much bandwidth you want to allocate to them. Not only that, with more websites moving to SSL encryption, it’s important that the next-generation firewall be able to decrypt and inspect encrypted traffic for threats.
    • Help your employees learn how to avoid malvertising and recognize phishing emails. Be alert for suspicious emails and links to unknown websites.
    • Educate employees to use different passwords for every account and establish policies for strong passwords.
    • Many attacks are based on known vulnerabilities in recognized browsers, as well as in plug-ins and common apps. Therefore it’s critical to apply updates and patches promptly and reliably.
    • It’s a good idea to use tools that allow IT managers to monitor the use of network applications. It’s called “Application Intelligence” and it can help you determine if anyone is violating company policies or simply visiting sites that have no business purpose such as online shopping.

SonicWall offers a complete range of industry-leading next-generation firewalls, including the NSA Series, that integrate numerous advanced features for deep packet inspection such as Anti-Malware, Intrusion Prevention, Application Intelligence and Control, Content and URL Filtering, and SSL Decryption and Inspection.