FREAK: Attacking Export RSA Keys (March 4, 2015)

SSL/TLS are cryptographic protocols designed to secure network communication. The cryptography provides confidentiality, integrity, and authentication, and the strength of that security relies on the strength of the keys used to encrypt messages. Recently, security researchers discovered a flaw in SSL implementations (CVE-2015-0204) where an SSL client accepts export-grade RSA keys (export cipher suites) even though it originally intended to use regular, strong RSA. Export-grade RSA uses keys that can be broken easily, endangering the secure communication between the client and the server. Support for these weak keys is still part of many SSL implementations because of past US Government export policy. FREAK (Factoring RSA Export Keys) is a man-in-the-middle (MITM) attack that exploits the CVE-2015-0204 vulnerability.

In the attack scenario, the attacker intercepts a ‘client hello’ message and replaces the requested cipher with ‘export RSA’. A vulnerable server responds by signing the message with an ‘export RSA’ key. Because the key is so weak, the attacker can factor it. Although cracking the key still takes a fair amount of time, many servers do not change the key very often, so once the attacker has the key, the attacker is ready to act as MITM for future connections.

Test your server:

You can use OpenSSL (SSL/TLS client) to test whether your server is vulnerable to the attack by running:

openssl s_client -connect [server]:443 -cipher EXPORT

If you get a positive response from the server showing the server certificate and the server’s temp key to be 512 bits, the server is vulnerable.

If you get an error response, such as:

error setting cipher list
13492:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:.sslssl_lib.c:1312:

Then the server is not vulnerable.

Test your client:

Configure a test server to allow ‘export RSA’, and send a connection request to that server offering the ‘export RSA’ cipher suite. If your client accepts it, it is susceptible to the attack.

Here’s a network packet capture snapshot showing the server has responded with an ‘export RSA’ key:

The following snapshot shows the scenario where the server did not accept client’s request for ‘export RSA’ :


The SonicWall team has written the following signatures that help identify this potential vulnerability:

  • IPS sid:6366 “Client Hello with EXPORT Cipher Suites 1”
  • IPS sid:6412 “Client Hello with EXPORT Cipher Suites 2”
  • IPS sid:6428 “Server Hello with EXPORT Cipher Suite”
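As an added example (not code from the original post or from SonicWall), the following Python parser applies the same check those signatures express: it extracts the cipher suites from a raw TLS ClientHello or ServerHello record and flags any RFC 2246 export-grade suite. The two build functions exist only to construct sample records offline; the suite list is the standard TLS 1.0 export set, with FREAK concerning the RSA_EXPORT entries.

```python
import struct

# Cipher suite values from RFC 2246 (TLS 1.0) whose key exchange is export-grade
# (40-bit symmetric keys, 512-bit RSA or DH). FREAK abuses the RSA_EXPORT suites;
# the DH export suites are listed so the check covers the whole export family.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

HANDSHAKE = 0x16      # TLS record content type
CLIENT_HELLO = 0x01   # handshake message types
SERVER_HELLO = 0x02


def _first_handshake(record: bytes):
    """Return (handshake_type, body) of the first handshake message in a TLS record."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    payload = record[5:5 + rec_len]
    if len(payload) != rec_len or len(payload) < 4:
        raise ValueError("truncated record")
    hs_type = payload[0]
    hs_len = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake message")
    return hs_type, body


def inspect_hello(record: bytes) -> dict:
    """Parse a ClientHello/ServerHello and report any export-grade cipher suites.

    Both messages start with version(2) random(32) session_id_len(1) session_id(n);
    a ClientHello then carries a length-prefixed suite list, a ServerHello one suite.
    """
    hs_type, body = _first_handshake(record)
    if hs_type not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("not a ClientHello or ServerHello")
    if len(body) < 35:
        raise ValueError("hello too short")
    pos = 35 + body[34]                       # skip fixed fields and session id
    if hs_type == CLIENT_HELLO:
        if len(body) < pos + 2:
            raise ValueError("malformed cipher_suites")
        suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
        raw = body[pos + 2:pos + 2 + suites_len]
        if len(raw) != suites_len or suites_len % 2:
            raise ValueError("malformed cipher_suites")
        suites = [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, suites_len, 2)]
    else:
        if len(body) < pos + 2:
            raise ValueError("malformed ServerHello")
        suites = [struct.unpack("!H", body[pos:pos + 2])[0]]
    export = [EXPORT_SUITES[s] for s in suites if s in EXPORT_SUITES]
    return {
        "message": "ClientHello" if hs_type == CLIENT_HELLO else "ServerHello",
        "suites": suites,
        "export_suites": export,
        "alert": bool(export),   # a client offering or a server choosing export = FREAK exposure
    }


def _wrap(hs_type: int, body: bytes) -> bytes:
    """Wrap a handshake body in handshake and TLS 1.0 record headers (constructed input)."""
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


def build_client_hello(suites) -> bytes:
    """Constructed ClientHello with a zeroed random, empty session id and the given suites."""
    body = b"\x03\x01" + b"\x00" * 32 + b"\x00"
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                       # one compression method: null
    return _wrap(CLIENT_HELLO, body)


def build_server_hello(suite: int) -> bytes:
    """Constructed ServerHello selecting a single suite."""
    body = b"\x03\x01" + b"\x00" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _wrap(SERVER_HELLO, body)


if __name__ == "__main__":
    # A client offering AES-128 plus one export suite, and a server picking the export suite.
    print(inspect_hello(build_client_hello([0x002F, 0x0003])))
    print(inspect_hello(build_server_hello(0x0003)))
```

Run the same function over the first record of each direction of a captured handshake to reproduce the client-side and server-side checks described above.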

Komodia Certificate Compromise affects Superfish and other software (Feb 23,2015)

The private key used by the Komodia SDK that ships pre-installed with some Lenovo laptops has been compromised, which breaks the trust between web browsers and secure websites. Komodia SDK-based software establishes what is essentially a Man-in-the-Middle (MitM) between your browser and the HTTPS/SSL sites you visit, for example your bank. It creates a public-private key pair and inserts the public key as a Root Certificate Authority (CA) certificate on your machine. This means that an attacker can use the cracked private key to create a spoofed SSL certificate for a spoofed site. The Komodia SDK-based software will trust the certificate that has been installed into your Root CA store and you will not notice a thing. The only thing you will notice, if you click on the lock icon in your browser address bar, is that the certificate from your bank reads “Issued by: Superfish, Inc.”. Other software that uses the Komodia SDK includes PrivDog and others. PrivDog, for example, is advertised as a privacy and secure browsing program. Like Superfish, it creates a MitM between your browser and secure websites.

The following image shows a browser with PrivDog installed:

This image shows the view from your browser:

This image shows the PrivDog Root Certificate Authority installed on your machine:

Dell SonicWALL UTM protects our customers with the following:

  • IPS:10756 Komodia SSL Certificate Superfish
  • IPS:10758 Komodia SSL Certificate PrivDog
  • IPS:10770 Komodia SSL Certificate ArcadeGiant
  • IPS:10769 Komodia SSL Certificate Cart Crunch
  • IPS:10790 Komodia SSL Certificate UtilTool Ltd
  • IPS:10789 Komodia SSL Certificate Kurupira Webfilter
  • IPS:10788 Komodia SSL Certificate Keep My Family Secure
  • IPS:10787 Komodia SSL Certificate Atom Security Staff-cop
  • IPS:10786 Komodia SSL Certificate Qustodio Technologies
  • IPS:10777 Komodia SSL Certificate Lavasoft WebCompanion
  • SPY:10758 Superfish
  • GAV:991 Superfish.LN
  • GAV:15018 SuperFish.AG
  • GAV:15017 SuperFish.OB
  • GAV:15016 SuperFish.CC
  • GAV:15013 SuperFish.WT
  • GAV:15012 SuperFish.CT
  • GAV:15011 SuperFish.CM
  • GAV:15010 SuperFish.OPT
  • GAV:15009 SuperFish.SM
  • GAV:18465 Superfish.JS
  • GAV:37070 Superfish.LN_3
  • GAV:37069 SuperFish.LN_2
  • GAV:739182 Superfish.JS_2

This vulnerability was not assigned a CVE.

ManageEngine Desktop Central Directory Traversal Vulnerability (Feb 20,2015)

ManageEngine Desktop Central MSP is desktop and mobile systems management software designed to ease the process of managing systems from a central point. A web-based interface using a mix of Java and custom binaries is used to interact with Desktop Central. It provides administrators with an all-encompassing front-end for administrative tasks such as installing software, adding users, and managing inventory. The web-based interface is provided by the Apache Tomcat application server framework, where a number of Java servlets and JSP files are used to process requests sent to the server.

An arbitrary file upload vulnerability has been reported in ManageEngine Desktop Central MSP. The vulnerability is due to a failure to effectively sanitize user-supplied input prior to its use in a file creation process. More specifically, the vulnerability exists within StatusUpdateServlet when it is provided a particular parameter, a file path, and malicious file contents in the request body. The servlet then writes the HTTP request body data to the file name defined in the file path parameter at the location specified in the URI. Because the parameters sent in the URI are not sanitized, directory traversal characters supplied as their values place the file outside the intended directory.

A remote, unauthenticated attacker could exploit this vulnerability, which could lead to arbitrary code execution under the security context of the SYSTEM user.
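As an added illustration (not ManageEngine's code, which is Java), the snippet below contrasts the flawed pattern described above with a hardened version: the file name taken from the request is joined onto an upload directory without checks, versus being restricted to a single path component and confirmed to resolve inside that directory before anything is written. The upload directory and function names are assumptions for the example.

```python
import os

# Assumed upload directory for the example; the product's real location is not on the page.
UPLOAD_DIR = "/var/lib/statusupdates"


def vulnerable_target(base_dir: str, file_name: str) -> str:
    """Flawed pattern: the user-controlled name is joined as-is.

    "../../x" walks out of base_dir, and an absolute name replaces it entirely.
    """
    return os.path.join(base_dir, file_name)


def hardened_target(base_dir: str, file_name: str) -> str:
    """Return the path to write to, or raise ValueError if the name is not a plain file name."""
    # Reject empty names, NUL bytes and both separators up front; on Windows a backslash is
    # a separator too, and basename() alone would not strip it on a POSIX host.
    if not file_name or "\x00" in file_name or "/" in file_name or "\\" in file_name:
        raise ValueError("file name must be a single path component")
    if file_name in (".", ".."):
        raise ValueError("invalid file name")
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, file_name))
    # Belt and braces: whatever realpath did, the result must still sit under root.
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes the upload directory")
    return target


def is_safe_upload_name(base_dir: str, file_name: str) -> bool:
    """Convenience predicate for callers (and tests) that only need a yes/no answer."""
    try:
        hardened_target(base_dir, file_name)
        return True
    except ValueError:
        return False


def store_status_update(base_dir: str, file_name: str, body: bytes) -> str:
    """Write the request body to the validated target; 'xb' refuses to overwrite an existing file."""
    target = hardened_target(base_dir, file_name)
    with open(target, "xb") as fh:
        fh.write(body)
    return target


if __name__ == "__main__":
    for name in ("agent-4711.txt", "../../escape.txt", "/tmp/absolute.txt", "..\\up.txt"):
        print(f"{name!r}: vulnerable -> {vulnerable_target(UPLOAD_DIR, name)}"
              f" | safe? {is_safe_upload_name(UPLOAD_DIR, name)}")
```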

Dell SonicWALL UTM protects our customers using the following IPS signature to detect and prevent the attacks addressing this issue:

  • 6219 ManageEngine Desktop Central Directory Traversal 2

This vulnerability was assigned CVE-2014-9404.

How Do We Live in Tomorrow’s World of Mobile Security?

BYOD is solvable. COPE is solvable. The rest of the acronym soup that describes the problems of keeping company data safe on mobile devices is solvable. But today, it takes several different solutions strung together to keep data that leaves the perimeter safe. In the future, those solutions will come together and the problem of protecting data as it moves around the world will be easier and cheaper.

First some background: you know what BYOD is. But what is COPE? COPE refers to Company Owned, Personally Enabled. It is really a description of the way many, if not most, companies operate. The company buys you a computer and perhaps a smartphone. You might have a choice between vendor A and vendor B. And while that device comes configured, you still generally have administrative rights, because if you don’t, you create far too many headaches and complaints for IT. “I have to have x installed! I have to have y installed. The system blocked me from installing z and I can’t do my job without z.” While there are some super security-centric companies out there, the vast majority of employees have administrative rights to their computers. And while the trend for phones was to go down the Mobile Device Management path, where the company decided what can and can’t be on your phone, the current tide is going the other way. Why? Frankly, none of us want some company IT person telling us what we can and can’t have on our phones. “Phones are personal, even if I didn’t buy it! My computer is personal, even if I didn’t buy it. My LIFE is on my computer and my LIFE is on my phone. Don’t tell me what I can and can’t have. I’ll go rogue or find a company that lets me be me.” That’s the general trend.

But company data is VALUABLE and companies have to protect that company data. So how can a company REALLY protect its data while letting you be you?

For the company to win by protecting its data, and for the user to be productive and happy, the following three solutions need to work in concert. Access to all data needs to be controlled by a powerful Secure Remote Access gateway that is focused on understanding who the user is, what kind of risk their system poses, and exactly what data the company is willing to let out given the calculated risk. So, powerful SSL VPN gateways are a fundamental need. If you think the market for them has been eliminated, think again. They are fundamental. But these systems need to work in concert with solutions that provide mobile containers. Containers allow the SSL VPN solution (after doing its job of verifying the user, the risk of the device and what data should be accessed) to place that data into a virtual piece of real estate on the mobile device that is OWNED and controlled by the owner of the data, not by the person in possession of the device. The key here is that companies should not try to take control of the device entirely; they only need to take control of a small piece of real estate that the user grants. All company data needs to land there. If the user and the owner of the data choose to part ways, the company does not need to “destroy” the entire device. It only needs to revoke access to the data sitting in the virtual container. But, you ask, how does a company “control” access to that container and the data within? How does it revoke a user’s ability to access it without doing something to the device? The answer is encryption key management. If the data leaving the premises is encrypted by a strong key management solution that can allow or deny access to the data inside the container, then everyone is a winner. The company doesn’t need to wipe an entire device to protect access to data. It just needs to withhold the key that would open that data.

So, let’s summarize what these three solutions working together do for an owner of data that is going to let that data land on highly mobile devices.

  1. The Remote Access Gateway is going to understand who the user is, what device is going to be used, and what data should be given based on the risk of the device, the user, and other variables. Only data that should leave will leave, and it will land
  2. Inside a mobile container. This container will not let data be copied and pasted outside of the container. Data can’t be emailed to different solutions. The data is inside and protected, but it is not free data and can’t move elsewhere. And lastly,
  3. The Key Encryption Solution allows the data to be opened (only inside the container) and read/used only while that user and that device are in good standing. If the user or device becomes untrusted, access to the key is revoked and the data cannot be utilized. The owner of the data doesn’t even need to wipe the data, since it is useless without access to the keys.

This is the present. Three solutions working together. In the future, these three solutions will merge into a single solution. Companies like SonicWall have all three components required to solve BYOD, COPE or any other variation of problems affecting mobile data. In future blogs, we’ll share the progress being made in bringing this future vision to life!

Bifrose.FPB, a new variant of the info-stealer Bifrose, actively spreading in the wild

The Dell SonicWall Threats Research team observed reports of a Bifrose bot family, detected as GAV: Bifrose.FPB_5, actively spreading in the wild. This is a new variant of the well-known Bifrose backdoor, which connects to a remote IP address using TCP port 81 or a random port.

Bifrose has been around for many years now, highly available in the cybercriminal underground, and has been used for various cybercriminal activities.

Bifrose allows an attacker to access the computer and perform various actions, including:

  • Enumerate current processes

  • Install a key logger

  • Install a backdoor command shell

  • Manipulate files or registry key data

  • Retrieve installed program details

  • Bypass the Windows firewall

Infection Cycle:

Md5: a9e403e3e341e1763a6e2114a4dfb3ac

The Malware uses the following icon:

The Malware adds the following files to the system:

  • %Userprofile%\Local Settings\Temp\dosya1.txt

  • %Userprofile%\Local Settings\Temp\dosya2.txt

  • %Userprofile%\Local Settings\Temp\Dosya1.exe

  • %Userprofile%\Local Settings\Temp\Dosya2.exe

  • “%Userprofile%\Local Settings\Temp\Trojan.exe”

  • C:\Program Files\Bifrost\chrome.exe

The Malware adds the following keys to the Windows registry to ensure persistence upon reboot:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData

    • %Userprofile%\Local Settings\Temp\Dosya1.exe

  • HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{C7668D2A-5DED-1927-2D46-C169B557CC3B}\stubpath

    • C:\Program Files\Bifrost\chrome.exe s

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2

    • “%Userprofile%\Local Settings\Temp\Trojan.exe”

The malware modifies the registry to bypass the Windows firewall via the following keys:

  • HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Userprofile%\Local Settings\Temp\Trojan.exe

    • %Userprofile%\Local Settings\Temp\Trojan.exe:*:Enabled:Trojan.exe

The malware uses injected Explorer.exe and IExplore.exe processes to send packets to its own C&C server, and after some time it terminates its own process.

After that, the malware tries to enumerate all processes on the target machine; here is an example:

Command and Control (C&C) Traffic

Bifrose carries out its C&C communication over TCP ports 81 and 1979. It sends requests to statically defined IPs/domains on a regular basis. The malware sends a TCP request to the C&C servers containing information such as the infected machine’s computer name, operating system version and install date; here is an example:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Bifrose.FPB_5 ( Trojan )

Spam campaign roundup: The Valentines Day Edition (Feb 13, 2015)

With Valentine’s Day just around the corner and people searching for the perfect gift for their loved ones, cybercriminals have been busy distributing an increasing amount of Valentine’s Day related spam to users, with links to fake advertisements, online offers, and even photos or videos.

Over the last week, the Dell SonicWALL threats research team has been tracking down all Valentine’s Day related spam emails.

Figure 1: Number of spam emails received per day

As Valentine’s Day approaches, we are seeing an increasing amount of spam emails with links to phony florists or online retailers who promise a deal without any guarantee of ever receiving the products or services. Below are some of the most common email subjects:

  • Valentine’s Day is unforgettable with stunning roses. 25% off!
  • Your new love life is waiting for you
  • Fall in love with these prices
  • Achieve tips to unleash your love life
  • Valentine’s Flowers: Save 50% Today! Order Now
  • Coolest iPhone Accessory / Valentine’s Gift / GPS Tracking. Only 1000 Left.
  • Bouquets of Love 25% off
  • Valentine’s Day SALE STARTS NOW! Extra 90% Off + Ray Ban

Some emails provide links to photos, videos or online greetings that a “loved one” or a “secret admirer” has supposedly left for you. Clicking these links often leads to survey scams, phishing sites or even malware.

Figure 2: Sample Spam Emails

For others who turn to the internet for something they can do instantly, such as an inexpensive last-minute idea like sending an e-card, cybercriminals have that covered too. Searching online for a free personalized Valentine’s card turns up links to compromised websites that host malicious applications.

Figure 3: Example of a link to a compromised website

Clicking on the link redirects to a website that asks the user to download an application that will supposedly install an e-card maker. The installers may use the following variations of filenames:

  • Valentine photo card maker_10924_i31536652_il345.exe [Detected as GAV: VMProtBad.A_6 (Trojan)]
  • Valentine_Photo_Card_Maker_downloader.exe [Detected as GAV: VMProtBad.A_6 (Trojan)]
  • Templates_For_Photo_Card_Maker_downloader.exe [Detected as GAV: VMProtBad.A_6 (Trojan)]

Infection Cycle:

Upon execution, the Trojan silently downloads additional malware components.

Figure 4: Trojan sends an HTTP GET request to download additional components

The user is also prompted to agree to install applications different from the one that was intended to be installed.

Figure 5: User prompt to install Internet Optimizer

We observed several other adware packages being downloaded and silently installed on the system.

Figure 6: Example of several HTTP GET requests to download additional malware

The downloaded malware components are copied to the following directory:

  • %TEMP%\7BlLXcbJeA.exe [Detected as GAV: Badur.FDSP (Trojan)]
  • %TEMP%\aCp6I5CqLt.exe [Detected as GAV: Tuto4PC.A_7 (Adware)]
  • %TEMP%\bFtBuOwbCT.exe [Detected as GAV: Swiftbrowse.A_3 (Adware)]
  • %TEMP%\UnfBln5TIv.exe [Detected as GAV: Swiftbrowse.A_3 (Adware)]
  • %TEMP%\HRdM16yyj6.exe [Detected as SPY: OptimizerPro.A (Adware)]
  • %TEMP%\bes29A3.exe [Detected as SPY: OfferInstaller.A (Adware)]
  • %TEMP%\BackupSetup.exe [Detected as GAV: MyPcBackup.A_2 (Adware)]
  • %TEMP%\PAqKNEvlB5.exe [Detected as GAV: DownloadMR.A_20 (Trojan)]

The following files were silently installed into these directories:

  • %PROGRAMFILES%\MyPC Backup\BackupStack.exe [Detected as GAV: MyPcBackup.A_3 (Adware)]
  • %PROGRAMFILES%\MyPC Backup\Configuration Updater.exe [Detected as GAV: MyPcBackup.A_3 (Adware)]
  • %PROGRAMFILES%\MyPC Backup\Signup Wizard.exe [Detected as GAV: MyPcBackup.A_3 (Adware)]
  • %PROGRAMFILES%\MyPC Backup\Updater.exe [Detected as GAV: MyPcBackup.A_3 (Adware)]
  • %PROGRAMFILES%\MyPC Backup\MyPC Backup.exe [Detected as GAV: MyPcBackup.A_3 (Adware)]
  • %PROGRAMFILES%\MyPC Backup\Service Start.exe [Detected as GAV: MyPcBackup.A_3 (Adware)]
  • %PROGRAMFILES%\MyPC Backup\SignupWizard.dll [Detected as GAV: MyPcBackup.A_3 (Adware)]
  • %PROGRAMFILES%\MyPC Backup\BackupStackUI.dll [Detected as GAV: MyPcBackup.A_3 (Adware)]
  • %PROGRAMFILES%\Optimizer Pro 3.38\OptimizerPro.exe [Detected as SPY: OptimizerPro.A (Adware)]
  • %PROGRAMFILES%\Optimizer Pro 3.38\OptProGuard.exe [Detected as SPY: OptimizerPro.A (Adware)]
  • %PROGRAMFILES%\Optimizer Pro 3.38\OptProHelper.dll [Detected as SPY: OptimizerPro.A (Adware)]
  • %PROGRAMFILES%\Optimizer Pro 3.38\OptProLauncher.exe [Detected as SPY: OptimizerPro.A (Adware)]
  • %PROGRAMFILES%\Optimizer Pro 3.38\OptProReminder.exe [Detected as SPY: OptimizerPro.A (Adware)]
  • %PROGRAMFILES%\Optimizer Pro 3.38\OptProSchedule.exe [Detected as SPY: OptimizerPro.A (Adware)]
  • %PROGRAMFILES%\Optimizer Pro 3.38\OptProSmartScan.exe [Detected as SPY: OptimizerPro.A (Adware)]
  • %PROGRAMFILES%\Optimizer Pro 3.38\OptProStart.exe [Detected as SPY: OptimizerPro.A (Adware)]
  • %PROGRAMFILES%\Optimizer Pro 3.38\OptProUninstaller.exe [Detected as SPY: OptimizerPro.A (Adware)]
  • %PROGRAMFILES%\ospd_us_835\ospd_us_835.exe [Detected as GAV: Tuto4PC.A_7 (Adware)]
  • %PROGRAMFILES%\Pinner for Pinterest\Pinner for Pinterest.exe [Detected as GAV: DigiPlug.A_2 (Adware)]
  • %PROGRAMFILES%\PricceeLess\rUiCnUMEjQbrDn.exe [Detected as GAV: DigiPlug.A_2 (Adware)]
  • %PROGRAMFILES%\PricceeLess\rUiCnUMEjQbrDn.dll [Detected as GAV: MultiPlug.H_20 (Adware)]
  • %PROGRAMFILES%\Youtubeadblocker\NIiczbdjsU56cu.exe [Detected as GAV: DigiPlug.A_2 (Adware)]
  • %PROGRAMFILES%\Youtubeadblocker\NIiczbdjsU56cu.dll [Detected as GAV: MultiPlug.H_20 (Adware)]
  • %PROGRAMFILES%\SmileFiles\downloader.exe [Detected as GAV: VMProtBad.A_6 (Trojan)]
  • %PROGRAMFILES%\SmileFiles\SmileFiles.exe [Detected as GAV: SmileFiles.A (Adware)]
  • %PROGRAMFILES%\SmileFilesUpdater\SmileFilesUpdater.exe [Detected as GAV: SmileFiles.A (Adware)]

Within minutes of infection this Trojan was able to download and install multiple other malicious applications. Therefore, we urge our users to always be vigilant and cautious with any unsolicited email, and to avoid clicking on unknown URLs, providing any personal information and installing unfamiliar applications, especially if you are not certain of the source.

Dell SonicWALL Gateway AntiVirus provides protection against these threats with the following signatures:

  • GAV: VMProtBad.A_6 (Trojan)
  • GAV: DownloadMR.A_20 (Trojan)
  • GAV: Badur.FDSP (Trojan)
  • GAV: Tuto4PC.A_7 (Adware)
  • GAV: Swiftbrowse.A_3 (Adware)
  • GAV: MyPcBackup.A_2 (Adware)
  • GAV: MyPcBackup.A_3 (Adware)
  • GAV: DigiPlug.A_2 (Adware)
  • GAV: MultiPlug.H_20 (Adware)
  • GAV: SmileFiles.A (Adware)
  • SPY: OptimizerPro.A (Adware)
  • SPY: OfferInstaller.A (Adware)

Adware campaign spreads on Android app stores (Feb 12, 2015)

A phone is no longer limited to just making and receiving calls; a standard smartphone today contains enough features and applications (apps) to replace a computer for light day-to-day tasks. The app ecosystem can make or break the smartphones of the current generation, and every major smartphone operating system comes with its own app store. Google Play is probably the largest and safest place to get apps for an Android smartphone. Even though all apps on the Play store are scanned for malicious content, there are instances when some malicious apps sneak by and infect a user’s device.

The Dell SonicWALL Threats Research team received reports of some apps on Google Play that were infecting users who downloaded them. These apps pose as utility applications, such as a flashlight, but they are in fact advertisement campaigns that constantly bombard the user with ads.

Google uses a service, codenamed Bouncer, which scans the apps on the Play store for malicious behavior. But the analysis leans towards static analysis; as a result, some apps that download their malicious content only after waiting for a particular period pass through this scrutiny. Recently Google introduced a component that scans the apps installed on the user’s device and verifies whether they are behaving in the expected manner. But this comes into effect only after the apps are installed on the device, so in some cases it might be too late; regardless, we can expect this service to improve with time and further strengthen the core Android security around applications running on the device.

Android Ice Cream Sandwich (4.0 to 4.0.4) had Verify apps in Settings > Security and Google Settings > Security. The latest version, Android Lollipop (5.0 to 5.1), has this setting only in Google Settings > Security. It is possible that this feature will be integrated into the OS as a default option in future releases.

As of 2014 there were around 1.3 million apps in the Android ecosystem. Apart from the Play store there are a number of non-Google app stores from which you can download apps, but it may not always be safe. Google recommends that apps be downloaded only from the trusted Play Store.

The package names for the apps we checked are:

  • com.keloidscaretissue.Quxicompass
  • com.keloidscaretissue.QuxiFlashlisht
  • com.flashlightcompass.wedoourbest
  • com.keloidscaretissue.puzzle2048
  • com.onlygoodcompass.wedoourbest

These apps are no longer available on the Google Play store and other popular alternate stores:

But there are still some alternate stores that are providing these apps:

When applications as simple as a flashlight, a compass and a puzzle game request permissions such as the following, it raises suspicion about the real motives of these applications:

  • Read and write to external storage
  • Access camera
  • Read contacts
  • Process outgoing calls

Upon installing the Flashlight app it appeared to work, but after a while the icon for the app disappeared from the app drawer. To the user this app appears to be not working and no longer present on the phone, but there are background services that continue running. This behavior is common to all 5 apps listed above, hence they have been dubbed HideIcon by researchers.

The Flashlight app gets a text file called CDN.txt from cdn2.appicano.com that contains a list of Android app package names. There are a number of VirusTotal reports indicating that malicious files contain the link cdn2.appicano.com. The phone is then bombarded by advertisements at an alarming rate. The ads are typically for different applications and there is no set pattern to the type of these applications. During our analysis we observed ads for games, popular services like Uber and social networking applications like PalTalk. We observed the following ways in which ads are displayed to the user:

  • The Play Store is opened at the install page for an application:
  • The screen is covered with an advertisement image containing download links. The image usually has a ‘close’ button, but sometimes it does not and the user is forced to click a prompted button. The ad may even cover the screen with no way to close it:
  • Small button overlays appear not only on the Play Store but also on general applications such as the Chrome browser. If clicked, the user is taken to the download page:

Overall, these apps pose as utility applications but are in fact advertisement campaigns, and they mar the user's Android experience by constantly bombarding the screen with advertisements. While it is recommended to download apps only from the Play Store, it would be beneficial if users were notified when an app they have downloaded is removed from the store. This would protect existing users of the apps instead of only potential new users, as it currently stands.

However, this case highlights the need to download apps only from the Play Store, as Google constantly checks and analyzes apps for malicious behavior and takes down any app it finds to be malicious. A similar take-down on non-Google stores usually takes time to propagate, as in the current case, and this time gap may be all that is needed for a phone to become infected.

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: AndroidOS.HideIcon.QC (Trojan)
  • GAV: AndroidOS.HideIcon.FL_2 (Trojan)
  • GAV: AndroidOS.HideIcon.PZ (Trojan)
  • GAV: AndroidOS.Hideicon.FL (Trojan)

Microsoft Security Bulletin Coverage (Feb 10, 2015)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of February 2015. A list of the issues reported, along with Dell SonicWALL coverage information, follows:

MS15-009 Security Update for Internet Explorer (3034682)

  • CVE-2014-8967 Internet Explorer Memory Corruption Vulnerability
    IPS: 6108 “Internet Explorer HTML Use-After-Free 6”
  • CVE-2015-0017 Internet Explorer Memory Corruption Vulnerability
    IPS: 3480 “DOM Object Use-After-Free Attack 3a”
  • CVE-2015-0018 Internet Explorer Memory Corruption Vulnerability
    IPS: 6329 “Microsoft Internet Explorer HTML Use After Free 6”
  • CVE-2015-0019 Internet Explorer Memory Corruption Vulnerability
    IPS: 6331 “Microsoft Internet Explorer Use After Free 2”
  • CVE-2015-0020 Internet Explorer Memory Corruption Vulnerability
    IPS: 6333 “Microsoft Internet Explorer Use After Free 3”
  • CVE-2015-0021 Internet Explorer Memory Corruption Vulnerability
    IPS: 6340 “Microsoft Internet Explorer Use After Free 4”
  • CVE-2015-0022 Internet Explorer Memory Corruption Vulnerability
    IPS: 9961 “Microsoft Internet Explorer Use After Free 10”
  • CVE-2015-0023 Internet Explorer Memory Corruption Vulnerability
    IPS: 9961 “HTTP Client Shellcode Exploit 15”
  • CVE-2015-0025 Internet Explorer Memory Corruption Vulnerability
    IPS: 6344 “Microsoft Internet Explorer Use After Free 6”
  • CVE-2015-0026 Internet Explorer Memory Corruption Vulnerability
    IPS: 6346 “Microsoft Internet Explorer HTML Use After Free 7”
  • CVE-2015-0027 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-0028 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-0029 Internet Explorer Memory Corruption Vulnerability
    IPS: 7645 “HTTP Client Shellcode Exploit 11c”
  • CVE-2015-0030 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-0031 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-0035 Internet Explorer Memory Corruption Vulnerability
    IPS: 9836 “Microsoft Internet Explorer Use After Free 9”
  • CVE-2015-0036 Internet Explorer Memory Corruption Vulnerability
    IPS: 6347 “Microsoft Internet Explorer Out of Bound index array (MS15-009)”
  • CVE-2015-0037 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-0038 Internet Explorer Memory Corruption Vulnerability
    IPS: 9944 “Microsoft Internet Explorer HTML Use After Free 10”
  • CVE-2015-0039 Internet Explorer Memory Corruption Vulnerability
    IPS: 6350 “Microsoft Internet Explorer HTML Use After Free 8”
  • CVE-2015-0040 Internet Explorer Memory Corruption Vulnerability
    IPS: 6351 “Microsoft Internet Explorer Use After Free 7”
  • CVE-2015-0041 Internet Explorer Memory Corruption Vulnerability
    IPS: 5097 “Microsoft Internet Explorer Use After Free 8”
  • CVE-2015-0042 Internet Explorer Memory Corruption Vulnerability
    IPS: 6320 “Microsoft Internet Explorer HTML Use After Free 9”
  • CVE-2015-0043 Internet Explorer Memory Corruption Vulnerability
    IPS: 10726 “Microsoft Internet Explorer Use After Free 11”
    IPS: 10727 “Microsoft Internet Explorer Use After Free 12”
  • CVE-2015-0044 Internet Explorer Memory Corruption Vulnerability
    IPS: 10728 “Microsoft Internet Explorer Remote Code Execution 4”
  • CVE-2015-0045 Internet Explorer Memory Corruption Vulnerability
    IPS: 10729 “Microsoft Internet Explorer Use After Free 14”
  • CVE-2015-0046 Internet Explorer Memory Corruption Vulnerability
    IPS: 10730 “Microsoft Internet Explorer Remote Code Execution 3”
  • CVE-2015-0048 Internet Explorer Memory Corruption Vulnerability
    IPS: 10731 “Microsoft Internet Explorer Use After Free 16”
  • CVE-2015-0049 Internet Explorer Memory Corruption Vulnerability
    IPS: 10732 “Microsoft Internet Explorer Use After Free 17”
  • CVE-2015-0050 Internet Explorer Memory Corruption Vulnerability
    IPS: 3310 “HTTP Client Shellcode Exploit 82”
  • CVE-2015-0051 Internet Explorer ASLR Bypass Vulnerability
    IPS: 10733 “Microsoft Internet Explorer Memory Access”
  • CVE-2015-0052 Internet Explorer Memory Corruption Vulnerability
    IPS: 10734 “Microsoft Internet Explorer Remote Code Execution 2”
  • CVE-2015-0053 Internet Explorer Memory Corruption Vulnerability
    IPS: 2067 “Microsoft Internet Explorer 7 Uninitialized Pointer (MS15-009)”
  • CVE-2015-0054 Internet Explorer Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-0055 Internet Explorer Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-0066 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-0067 Internet Explorer Memory Corruption Vulnerability
    IPS: 9948 “Microsoft Internet Explorer Uninitialized Pointer (MS15-009)”
  • CVE-2015-0068 Internet Explorer Memory Corruption Vulnerability
    IPS: 9926 “Microsoft Internet Explorer Remote Code Execution (MS15-009)”
  • CVE-2015-0069 Internet Explorer ASLR Bypass Vulnerability
    IPS: 9988 “HP Data Protector Remote Code Execution”
  • CVE-2015-0070 Internet Explorer Cross-domain Information Disclosure Vulnerability
    IPS: 9925 “Microsoft Internet Explorer Information Disclosure (MS15-009)”
  • CVE-2015-0071 Internet Explorer ASLR Bypass Vulnerability
    IPS: 9949 “Internet Explorer Memory Corruption Vulnerability (MS13-047) 12”

MS15-010 Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220)

  • CVE-2015-0003 Win32k Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2015-0010 CNG Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-0057 Win32k Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2015-0058 Windows Cursor Object Double Free Vulnerability
    This is a local vulnerability.
  • CVE-2015-0059 TrueType Font Parsing Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-0060 Windows Font Driver Denial of Service Vulnerability
    There are no known exploits in the wild.

MS15-011 Vulnerability in Group Policy Could Allow Remote Code Execution (3000483)

  • CVE-2015-0008 Group Policy Remote Code Execution Vulnerability
    IPS: 10735 “Group Policy Remote Code Execution Vulnerability”

MS15-012 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3032328)

  • CVE-2015-0063 Excel Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-0064 Office Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-0065 OneTableDocumentStream Remote Code Execution Vulnerability
    There are no known exploits in the wild.

MS15-013 Vulnerability in Microsoft Office Could Allow Security Feature Bypass (3033857)

  • CVE-2014-6362 Microsoft Office Component Use After Free Vulnerability
    There are no known exploits in the wild.

MS15-014 Vulnerability in Group Policy Could Allow Security Feature Bypass (3004361)

  • CVE-2015-0009 Group Policy Security Feature Bypass Vulnerability
    There are no known exploits in the wild.

MS15-015 Vulnerability in Microsoft Windows Could Allow Elevation of Privilege (3031432)

  • CVE-2015-0062 Windows Create Process Elevation of Privilege Vulnerability
    This is a local vulnerability.

MS15-016 Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3029944)

  • CVE-2015-0061 TIFF Processing Information Disclosure Vulnerability
    There are no known exploits in the wild.

MS15-017 Vulnerability in Virtual Machine Manager Could Allow Elevation of Privilege (3035898)

  • CVE-2015-0012 Virtual Machine Manager Elevation of Privilege Vulnerability
    This is a local vulnerability.

One more avatar of Nuclear Exploit Kit (Feb 6th, 2015)

The Dell SonicWALL Threats Research team has recently observed an update to the Nuclear Exploit Kit. The kit has added the latest Adobe Flash exploit, CVE-2015-0311, to its arsenal. In addition to the new exploit, the landing page has been updated.

Until now the landing page carried an obfuscated plugin-detection library to determine the versions of the Java, Adobe Flash, Adobe Reader and Silverlight plugins installed in the browser. It would then serve the corresponding exploit to compromise the user's system.

In this update we have not seen any plugin-detection library, and the kit targets the Adobe Flash and Silverlight plugins only.

Fig-1: old deobfuscated Nuclear Exploit Kit landing page
Fig-2: latest deobfuscated Nuclear Exploit Kit landing page

On successful exploitation, additional malware is downloaded onto the system. During our analysis we observed the payload to be a downloader.

Keeping software up to date helps mitigate this exploit kit. The Dell SonicWALL Threats Research team will continue monitoring this exploit kit and will update mitigation signatures as required.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: MalSWF (Trojan)
  • GAV: MalAgent.G (Trojan)

Dyre.E: New Variant of Dyre Trojan Spreads Upatre Malware

The Dell SonicWALL Threats Research team has observed reports of a Dyre bot family, detected as GAV: Dyre.E and Dyre.F, actively spreading in the wild. This is a new variant of the popular Dyre Trojan that uses I2P (Invisible Internet Project) for C&C communications. I2P is an anonymity network similar to the Tor network, and the C&C communications use a self-signed SSL certificate.

Dyre typically arrives via a spam attachment that claims to be a fax or a package-tracking notification but actually contains an Upatre downloader, which installs Dyre. Spam emails are then sent out with Upatre attached, and the cycle repeats.

Infection Cycle:

MD5: 9651d4ffb09a507bb17502228a8dc674, 18cf4a3a89c07aa1fb7a8848e92259ad

The malware uses the following icon:

The malware adds the following files to the system:

  • %Userprofile%\Local Settings\Temp\foreveview.exe [Executable file]
  • %systemroot%\wKehylcgruOagGy.exe [Executable file]
  • %Userprofile%\Local Settings\Temp\QjGjK48.exe [Executable file]

The malware adds the following keys to the Windows registry to ensure persistence upon reboot:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\googleupdate
    • HKLM\System\CurrentControlSet\Services\googleupdate\ImagePath
    • %systemroot%\wKehylcgruOagGy.exe

The malware adds the following keys to modify security services on the target machine:

The file wKehylcgruOagGy.exe is registered as a service in the Win32 subsystem. After the next restart, the malware uses an injected svchost.exe to send packets to its C&C server, and after some time it terminates its own process.
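The persistence described above (a service called googleupdate whose ImagePath points at a randomly named executable sitting directly in %systemroot%) is the kind of thing a service-registry review catches. The following is an added example, not SonicWALL tooling: it parses the layout that `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` prints (the sample below is constructed, with the page's googleupdate entry beside two benign entries), resolves the executable from each ImagePath value, and applies two heuristics of this example's own choosing: a service binary located directly in the Windows directory rather than System32 or Program Files, and a service named after a vendor updater whose binary is not under a Program Files directory. The assumption that legitimate vendor updaters install under Program Files is this example's, not the page's.

```python
"""Flag service persistence like the googleupdate entry described above.

Added example; not part of the original write-up. The registry dump is
constructed in the layout produced by `reg query <key> /s`.
"""
import re

# Constructed sample: one entry from the analysis above, two benign ones.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\googleupdate
    Type    REG_DWORD    0x10
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    %systemroot%\wKehylcgruOagGy.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gupdate
    Type    REG_DWORD    0x10
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp
    Type    REG_DWORD    0x20
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted
"""

# Environment variables expanded when resolving ImagePath (assumed defaults).
ENV = {"%systemroot%": r"C:\Windows", "%windir%": r"C:\Windows"}
WINDOWS_DIR = r"c:\windows"
# Name fragments of vendor updaters that should live under Program Files.
UPDATER_NAMES = ("googleupdate",)

_VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")


def parse_services(text):
    """Return {service name: {value name: data}} from `reg query /s` output."""
    services = {}
    current = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip().rsplit("\\", 1)[-1]
            services[current] = {}
            continue
        match = _VALUE_RE.match(line) if current else None
        if match:
            services[current][match.group(1)] = match.group(3).strip()
    return services


def image_executable(image_path):
    """Extract the executable from an ImagePath value and expand %VAR% tokens.

    Quoted paths may contain spaces; unquoted ones end at the first space,
    which separates the binary from its arguments (e.g. `-k ...`).
    """
    value = image_path.strip()
    if value.startswith('"'):
        exe = value[1:value.index('"', 1)]
    else:
        exe = value.split(" ", 1)[0]
    return re.sub(r"%[^%]+%", lambda m: ENV.get(m.group(0).lower(), m.group(0)), exe)


def find_suspicious_services(text):
    """Return {service name: (resolved executable, [reasons])} for flagged services."""
    findings = {}
    for name, values in parse_services(text).items():
        image = values.get("ImagePath")
        if not image:
            continue
        exe = image_executable(image)
        folder, _, filename = exe.rpartition("\\")
        reasons = []
        if folder.lower() == WINDOWS_DIR:
            reasons.append("service binary directly in the Windows directory")
        looks_like_updater = any(u in name.lower() or u in filename.lower() for u in UPDATER_NAMES)
        if looks_like_updater and "program files" not in folder.lower():
            reasons.append("vendor-updater name but binary outside Program Files")
        if reasons:
            findings[name] = (exe, reasons)
    return findings


if __name__ == "__main__":
    for name, (exe, reasons) in find_suspicious_services(SAMPLE_REG_QUERY).items():
        print(f"{name}: {exe}")
        for reason in reasons:
            print("   -", reason)
```

Either heuristic alone would flag the page's entry; together they separate it cleanly from the genuine Google Update service and from svchost-hosted Windows services. A review of this kind complements the file hashes listed above, which only catch the exact samples analyzed.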

Command and Control (C&C) Traffic

Dyre conducts its C&C communication over HTTP and SSL. It sends requests to statically defined IPs/domains on a regular basis. Some requests (which appear to be for a normal PDF file) retrieve an encrypted Dyre binary, which is then decrypted with the malware's own algorithm.

The malware sends an HTTP request to the C&C server containing information such as the campaign it belongs to, the infected machine's computer name and the operating system version. Here is an example:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Dyre.E (Trojan)
  • GAV: Dyre.F (Trojan)