ManageEngine Desktop Central Policy Bypass Vulnerability (Jan 9, 2015)

Desktop Central is integrated desktop and mobile device management software that manages servers, laptops, desktops, smartphones and tablets from a central point. It automates routine desktop management tasks such as installing patches, distributing software, managing IT assets, managing software licenses, monitoring software usage statistics, managing USB device usage and taking control of remote desktops.

A policy bypass vulnerability exists in ManageEngine Desktop Central. The parameters sent to the DCPluginServlet page are not validated properly. A remote unauthenticated attacker can create an administrator account by sending a specially crafted request as shown below. This creates a new administrator user “dcpwn” with the password “admin”.

Dell SonicWALL Threat Research Team has researched this vulnerability (CVE-2014-7862) and released the following IPS signature to protect their customers.

  • IPS 6180 : ManageEngine Desktop Central Policy Bypass

Asterisk res_pjsip_pubsub Denial of Service (Jan 2, 2015)

Asterisk is a software implementation of a telephone private branch exchange (PBX). It allows attached telephones to make calls to one another, and to connect to other telephone services, such as the public switched telephone network (PSTN) and Voice over Internet Protocol (VoIP) services. Asterisk supports a wide range of Voice over IP protocols, including the Session Initiation Protocol (SIP), the Media Gateway Control Protocol (MGCP), and H.323.

The Session Initiation Protocol (SIP) is a signaling communications protocol, widely used for controlling multimedia communication sessions such as voice and video calls over Internet Protocol (IP) networks. The protocol defines the messages that are sent between endpoints, which govern establishment, termination and other essential elements of a call. SIP can be used for creating, modifying and terminating sessions consisting of one or several media streams. It is a text-based protocol with syntax similar to that of HTTP. A typical SIP request has the following format:


A denial of service vulnerability exists in Asterisk’s res_pjsip_pubsub module. The vulnerability is due to improper handling of a crafted header in a SIP SUBSCRIBE request. A remote authenticated user can cause a denial of service (crash) of the target Asterisk server by exploiting this vulnerability.
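A strict parser for the SIP request shape described above, added here as an example that is not Asterisk code and not from the original post: it validates the request line, the headers a request must carry exactly once and, for SUBSCRIBE, that exactly one Event header is present, rejecting anything malformed before any per-header logic runs. The header rules follow RFC 3261 and RFC 6665; the sample messages are constructed.

```python
import re

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
HEADER_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9.\-]*):[ \t]*(.*)$")
# Compact header names (RFC 3261 / RFC 6665) folded into their long forms, so that
# "o: dialog" and "Event: presence" are counted as the same header.
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "l": "content-length",
           "c": "content-type", "m": "contact", "o": "event", "e": "content-encoding"}
# Headers every request must carry exactly once (RFC 3261 section 8.1.1).
SINGLETON = ("from", "to", "call-id", "cseq", "max-forwards")


def parse_sip_request(raw):
    """Parse one SIP request and validate its structure; raise ValueError on anything odd."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("missing CRLFCRLF header terminator")
    lines = head.decode("ascii").split("\r\n")  # non-ASCII raises UnicodeDecodeError
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError(f"bad request line {lines[0]!r}")
    method, uri = m.groups()
    headers = {}
    for line in lines[1:]:  # header folding is deliberately not accepted here
        hm = HEADER_LINE.match(line)
        if not hm:
            raise ValueError(f"malformed header line {line!r}")
        name = hm.group(1).lower()
        headers.setdefault(COMPACT.get(name, name), []).append(hm.group(2).strip())
    if "via" not in headers:
        raise ValueError("missing Via header")
    for name in SINGLETON:
        if len(headers.get(name, [])) != 1:
            raise ValueError(f"header {name} must appear exactly once")
    # RFC 6665: a SUBSCRIBE names exactly one event package in a single Event header.
    if method == "SUBSCRIBE":
        events = headers.get("event", [])
        if len(events) != 1 or not events[0]:
            raise ValueError("SUBSCRIBE needs exactly one non-empty Event header")
    cl = headers.get("content-length")
    if cl is not None and (len(cl) != 1 or not cl[0].isdigit() or int(cl[0]) != len(body)):
        raise ValueError("Content-Length does not match the body")
    return {"method": method, "uri": uri, "headers": headers, "body": body}


def check_sip_request(raw):
    """'ok' when the request passes every check, otherwise the rejection reason."""
    try:
        parse_sip_request(raw)
    except ValueError as exc:  # UnicodeDecodeError is a ValueError too
        return f"rejected: {exc}"
    return "ok"


# Constructed samples: a well-formed SUBSCRIBE, and the same request with the Event
# header repeated in its compact form.
GOOD = (b"SUBSCRIBE sip:alice@example.test SIP/2.0\r\n"
        b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKabc\r\n"
        b"Max-Forwards: 70\r\n"
        b"From: <sip:bob@example.test>;tag=1\r\n"
        b"To: <sip:alice@example.test>\r\n"
        b"Call-ID: c1@192.0.2.10\r\n"
        b"CSeq: 1 SUBSCRIBE\r\n"
        b"Event: presence\r\n"
        b"Expires: 600\r\n"
        b"Content-Length: 0\r\n\r\n")
BAD = GOOD.replace(b"Event: presence\r\n", b"Event: presence\r\no: dialog\r\n")
```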

Dell SonicWALL Threats Research Team has researched this vulnerability and released the following IPS signature to protect their customers:

  • 6152 Asterisk Open Source res_pjsip_pubsub DoS

This vulnerability is referenced as CVE-2014-6609.

CloudAtlas campaign makes its way to mobile platforms (December 25, 2014)

Over the past few days there have been multiple reports regarding a very sophisticated, multi-layered, state-sponsored malware campaign aimed mainly at diplomats and workers in the oil and financial industries. The campaign is referred to as CloudAtlas and as the Inception Framework by researchers from Kaspersky and Blue Coat respectively. Reports indicate that this threat may be the work of the people behind Red October, a massive cyber-espionage campaign that was discovered in October 2012. It is common for such a large operation to lie low for a while once its modus operandi is exposed, then return with a redesign, improvements and additional components added to its attack infrastructure. This seems to be the case with this campaign too, if it indeed has ties with Red October, as there is now a mobile component that was previously missing.

The Dell SonicWALL Threats Research Team covered the CloudAtlas campaign in a recent blog post. Reports indicate this campaign has made its way to mobile platforms including Android, Apple iOS and BlackBerry. We were able to obtain the Android counterpart that is part of the Inception/CloudAtlas campaign. This Android malware masquerades as an update for the popular messenger app WhatsApp and spies on the victim’s device, collecting sensitive information.

Infection Cycle

The malware requests the following permissions during installation:

  • Get_accounts
  • Authenticate_accounts
  • Access_coarse_location
  • Internet
  • Read_contacts
  • Read_sms
  • Read_external_storage
  • Write_external_storage
  • Write_internal_storage
  • Read_internal_storage
  • Record_audio
  • Process_outgoing_calls
  • Read_phone_state
  • Access_fine_location
  • Access_network_state
  • Access_wifi_state
  • com.android.browser.permission.write_history_bookmarks
  • com.android.browser.permission.read_history_bookmarks
  • Read_calendar
  • Receive_boot_completed
  • Read_call_log
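The permission list above, run through a triage heuristic added here as an example (not from the original post): it maps the requested permissions to the spying capabilities the post describes and judges whether their breadth is spyware-like. The capability rules, the thresholds and the generated manifest are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The permission list from the post, written as the names appear in a manifest.
POST_PERMISSIONS = [
    "GET_ACCOUNTS", "AUTHENTICATE_ACCOUNTS", "ACCESS_COARSE_LOCATION", "INTERNET",
    "READ_CONTACTS", "READ_SMS", "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
    "WRITE_INTERNAL_STORAGE", "READ_INTERNAL_STORAGE", "RECORD_AUDIO",
    "PROCESS_OUTGOING_CALLS", "READ_PHONE_STATE", "ACCESS_FINE_LOCATION",
    "ACCESS_NETWORK_STATE", "ACCESS_WIFI_STATE",
    "com.android.browser.permission.WRITE_HISTORY_BOOKMARKS",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS",
    "READ_CALENDAR", "RECEIVE_BOOT_COMPLETED", "READ_CALL_LOG",
]

# A capability is matched only when ALL of its permissions are requested.  The rule
# set is this example's own heuristic, built from the behaviours the post describes.
CAPABILITIES = {
    "call recording": {"RECORD_AUDIO", "READ_PHONE_STATE", "PROCESS_OUTGOING_CALLS"},
    "sms harvesting": {"READ_SMS"},
    "contact harvesting": {"READ_CONTACTS"},
    "call-log harvesting": {"READ_CALL_LOG"},
    "calendar harvesting": {"READ_CALENDAR"},
    "account enumeration": {"GET_ACCOUNTS"},
    "location tracking": {"ACCESS_FINE_LOCATION"},
    "browser history spying": {"com.android.browser.permission.READ_HISTORY_BOOKMARKS"},
    "boot persistence": {"RECEIVE_BOOT_COMPLETED"},
    "network exfiltration": {"INTERNET"},
}
COLLECTORS = set(CAPABILITIES) - {"boot persistence", "network exfiltration"}


def manifest_from(names):
    """Build a minimal AndroidManifest.xml for the example (constructed input)."""
    rows = ['  <uses-permission android:name="%s"/>'
            % (n if "." in n else "android.permission." + n) for n in names]
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
            ' package="example.constructed">\n' + "\n".join(rows) + "\n</manifest>")


def permissions_from_manifest(xml_text):
    """Requested permission names, with the android.permission. prefix dropped."""
    names = set()
    for el in ET.fromstring(xml_text).iter("uses-permission"):
        name = el.get(ANDROID_NS + "name", "")
        names.add(name[19:] if name.startswith("android.permission.") else name)
    return names


def triage(perms):
    """Map permissions to capabilities and judge whether their breadth is spyware-like."""
    matched = [cap for cap, need in CAPABILITIES.items() if need <= perms]
    collectors = [cap for cap in matched if cap in COLLECTORS]
    exfil = "network exfiltration" in matched
    # A messenger legitimately needs contacts, microphone and network; what marks the
    # CloudAtlas component is the breadth: SMS, call log, calendar and browser history too.
    if exfil and len(collectors) >= 4:
        verdict = "spyware-like"
    elif exfil and collectors:
        verdict = "review manually"
    else:
        verdict = "low concern"
    return {"capabilities": matched, "verdict": verdict}
```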

The following screenshot shows the different phases once a user clicks on the app from the app drawer:


The malware creates a number of directories on the device in which it saves all the collected information:

One of the main objectives of this malware is to record calls made on the device. It tracks the different states of the device related to receiving and making calls:

It records the calls in MP4 format; the recordings are eventually transmitted to the attacker:

The malware contains a few hardcoded links with which it exchanges data after infecting the device. These links appear to be blogs hosted on LiveJournal, a social networking service that allows users to keep a blog:

Points of interest:

  • Multiple reports have stated that the CloudAtlas campaign may try to throw security researchers off track by intentionally leaving breadcrumbs that point to the involvement of different countries. We see hints of that in the Android counterpart: there are multiple places in the code with comments and text in Hindi, possibly suggesting that India is involved:
  • All three links hardcoded in the malware point to blog pages that have readable text followed by unreadable gibberish:
  • One of the permissions requested by the malware during installation is the ability to read and modify browser history and bookmarks. This allows it to spy on the victim’s browser activity.

Overall, the aim of this malware is to gather sensitive information about the victim, which is in line with the overall motive of the CloudAtlas campaign. Considering how much sensitive information mobile devices can hold about a person, the addition of this component drives the campaign further towards its goal of extracting sensitive information about its targeted victims.

Dell SonicWALL Gateway Antivirus provides protection against this threat via the following signatures:

  • GAV: Cloudatlas.AAC (Trojan) – Windows component
  • GAV: AndroidOS.CloudAtlas.DX (Trojan) – Android component

Cloudatlas: an advanced persistent threat spreading in the wild

The Dell SonicWALL Threats Research team observed reports of an advanced persistent threat Trojan, detected as GAV: Cloudatlas.AAC, actively spreading in the wild. Cloud Atlas is a highly complex malware family that has targeted high-level executives in the oil and financial industries as well as government organizations.

The malware persists as a DLL registered through the computer’s registry. This mechanism is used by a malicious Visual Basic script that victims may receive as an email attachment, either as part of received documents or via exploit documents such as crafted RTF files targeting the Microsoft Office XP stack-based buffer overflow CVE-2010-3333 and CVE-2012-0158.

Once the target system is compromised, the attacker controls the malware through free accounts at the Swiss cloud storage provider CloudMe.

Infection Cycle:

MD5: 19ad782b0c58037b60351780b0f43e43 [crafted RTF file]

MD5: D007616DD3B2D52C30C0EBB0937E21B4 [DLL file]

The Trojan adds the following files to the system:

  • %windir%\ctfmonrn.dll [DLL file]
  • %Userprofile%\Local Settings\Temp\HRTODiK.vbs [Visual Basic script]
  • %Userprofile%\Local Settings\Temp\document.doc [Document file]
  • C:\WINDOWS\miditiming [Encrypted file]

The Trojan adds the following key to the Windows registry to ensure persistence upon reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • regsvr32 "C:\WINDOWS\ctfmonrn.dll" /s /n /i:"i"

The malware uses an RTF Microsoft Office exploit (CVE-2012-0158) that carries a Visual Basic script. The exploit does not write a PE backdoor to disk directly. Instead, it drops and executes a Visual Basic script, which in turn drops the loader and the payload onto the infected system. Each payload is encrypted with a unique key, so it cannot be decrypted without its corresponding dynamic link library file.

Here is a sample of the crafted RTF file:

When the VBScript runs it drops two files to disk; the following shows how the malware operates on the target machine:

The malware executes the encoded VBScript to create an auto-start registry key on the target machine:

  • regsvr32 "C:\WINDOWS\ctfmonrn.dll" /s /n /i:"i"

regsvr32 is responsible for loading all malware components on the infected system. Here is the VBScript sample:

Also here is the DLL dropper sample:

Malware Traffic

Cloud Atlas communicates over HTTPS and WebDAV with the cloudme.com server.

CloudMe is a cloud services provider offering free and paid cloud file storage. The attackers created accounts on the service and use them only for storing their files.

The free CloudMe accounts registered by the attackers contain files with system information and other data. Here are some examples of the URL traffic generated by the malware:

As you can see, the traffic looks like ordinary traffic from system services.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Cloudatlas.AAC

Windows OLE CVE-2014-6332 exploit spotted in the wild (Dec 17, 2014)

A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory, specifically OLE objects. This allows remote attackers to execute arbitrary code via a crafted web site.

CVE-2014-6332, aka Windows OLE Automation Array Remote Code Execution Vulnerability, is being exploited in the wild. The vulnerability is due to insufficient error handling when using ReDim Preserve in VBScript.

The exploit code performs type confusion. If an error occurs during array re-dimensioning, the old array size is not preserved. This allows the attacker to read and write memory outside the limits of the original array.
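The error-handling defect described above, modelled as an added example (not Windows, OLEAUT32 or exploit code): a toy SafeArray whose bound is updated before its storage is resized, so that a failed resize under On Error Resume Next leaves a bound that no longer matches the storage, shown beside the hardened form that restores the old bound on failure. The model and all of its names are this example's own.

```python
class SafeArray:
    """Toy model of an OLE SafeArray: the element count a bounds check consults, plus storage."""

    def __init__(self, count):
        self.count = count
        self.data = [0] * count


def _resize_storage(data, new_count, limit):
    """Grow (or shrink) the backing storage; fail the way a real reallocation can."""
    if new_count > limit:
        raise MemoryError("reallocation failed")
    return data[:new_count] + [0] * max(0, new_count - len(data))


def redim_preserve_vulnerable(arr, new_count, limit):
    """The pattern the post describes: the bound is updated first and never rolled back."""
    arr.count = new_count
    arr.data = _resize_storage(arr.data, new_count, limit)


def redim_preserve_fixed(arr, new_count, limit):
    """Hardened form: on failure the bound is restored so it matches the storage again."""
    old_count = arr.count
    arr.count = new_count
    try:
        arr.data = _resize_storage(arr.data, new_count, limit)
    except MemoryError:
        arr.count = old_count
        raise


def redim_under_resume_next(redim, new_count, limit=16):
    """Model VBScript's On Error Resume Next: the error is swallowed and the script goes on."""
    arr = SafeArray(4)
    try:
        redim(arr, new_count, limit)
    except MemoryError:
        pass
    return arr


def access_outcome(arr, index):
    """What a later arr(index) does: checked against count, but served from the storage."""
    if not 0 <= index < arr.count:
        return "rejected by bounds check"
    if index >= len(arr.data):
        return "bounds check passed but storage is too small: out-of-bounds access"
    return "in bounds"
```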

As can be seen from the call stack, the vulnerable DLL is OLEAUT32.DLL.

Microsoft has already released a patch for the vulnerability. Dell SonicWALL Threat Research Team has researched this vulnerability and released the following IPS signature to protect their customers.

  • IPS 5978 : Windows OLE Automation Array Remote Code Execution

Ransomware purports to be from National Security Bureau (Dec 12, 2014)

The Dell SonicWALL Threats Research team has received reports of a relatively new Ransomware Trojan that tries to extort money from its victims. It does not encrypt files as Ransomware such as CryptoLocker or CryptoWall does, but it does infect various file types found on the system, such as image files.

Infection Cycle:

The Trojan uses the following icon:

The executable is obfuscated in an attempt to deter reverse engineering:

The Trojan contacts google.com to verify internet connectivity:

The Trojan makes the following DNS query:

      google.com

The Trojan adds the following files to the filesystem:

  • %ALLUSERSPROFILE%\zaQUUoEg\nEckMYsg.exe [Detected as GAV: Obfus.3_2 (Trojan)]
  • %ALLUSERSPROFILE%\zaQUUoEg\nEckMYsg.inf
  • %USERPROFILE%\HuEwIQME\hmgAEcws.exe [Detected as GAV: Virut.CM (Trojan)]
  • %USERPROFILE%\HuEwIQME\hmgAEcws.inf
  • %USERPROFILE%\Local Settings\Temp\file.vbs

file.vbs contains the following data:

      WScript.Sleep(50)

The Trojan adds the following keys to the Windows registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run hmgAEcws.exe “%USERPROFILE%\HuEwIQME\hmgAEcws.exe”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run nEckMYsg.exe “%ALLUSERSPROFILE%\zaQUUoEg\nEckMYsg.exe”
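A triage of Run-key entries like the two listed above and the regsvr32 /n /i: entry from the Cloud Atlas post earlier on this page, added as an example that is not from either post: it flags regsvr32 loads that skip registration and hand a string to DllInstall, launch targets under user-writable profile directories, and binaries dropped directly in the Windows root. The sample entries are transcribed from the posts with path separators restored (the Cloud Atlas value name is not given there and is a placeholder); the benign entry and the rule set are this example's own.

```python
import re

# Environment prefixes an ordinary user can write to; a Run entry launching from
# here deserves a look (this example's own list).
USER_WRITABLE = ("%userprofile%", "%allusersprofile%", "%appdata%",
                 "%localappdata%", "%temp%")
WINDOWS_ROOT_BINARY = re.compile(r"^(c:\\windows|%windir%)\\[^\\]+\.(exe|dll)$")

# Run-key entries as (value name, data).  The first three come from the two posts
# (the Cloud Atlas value name is not given there, hence the placeholder); the last
# is a constructed benign entry for contrast.
RUN_ENTRIES = [
    ("PLACEHOLDER_NAME", r'regsvr32 "C:\WINDOWS\ctfmonrn.dll" /s /n /i:"i"'),
    ("hmgAEcws.exe", r'"%USERPROFILE%\HuEwIQME\hmgAEcws.exe"'),
    ("nEckMYsg.exe", r'"%ALLUSERSPROFILE%\zaQUUoEg\nEckMYsg.exe"'),
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
]


def tokens_of(data):
    """Split a Run-key command line on whitespace, honouring quotes, then drop them."""
    return [t.replace('"', "") for t in re.findall(r'"[^"]*"|\S+', data)]


def triage_run_entry(data):
    """Return the reasons (possibly none) this Run entry looks like malware persistence."""
    reasons = []
    toks = tokens_of(data)
    if not toks:
        return reasons
    exe = toks[0].rsplit("\\", 1)[-1].lower()
    if exe in ("regsvr32", "regsvr32.exe"):
        flags = {t.lower()[:2] for t in toks[1:]}  # '/i:"i"' -> '/i'
        if "/n" in flags and "/i" in flags:
            # /n skips DllRegisterServer; /i: hands a string to DllInstall instead, so
            # the DLL runs as a loader rather than being registered as a COM server.
            reasons.append("regsvr32 /n /i: DLL run via DllInstall, not registered")
    for t in toks:
        low = t.lower()
        if low.startswith(USER_WRITABLE) or "\\local settings\\temp\\" in low:
            reasons.append("launch target in a user-writable location: " + t)
        if WINDOWS_ROOT_BINARY.match(low):
            reasons.append("binary placed directly in the Windows root: " + t)
    return reasons


def triage_run_entries(entries):
    """Map each value name to its reasons, keeping only entries that raised any."""
    result = {}
    for name, data in entries:
        reasons = triage_run_entry(data)
        if reasons:
            result[name] = reasons
    return result
```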

The Trojan communicates with a remote C&C server using encrypted traffic:

The Trojan then locks the system by displaying the following fake warning:

The warning states that pirated software has been found on the system. It purports to be from the National Security Bureau and states that 0.652 Bitcoin should be transferred to a specified address (198tX7NmLg6o8qcTT2Uv9cSBVzN3oEozpv), after which the computer will be unlocked “within 4.5 working days”. It also threatens that an arrest warrant will be issued, with a penalty of up to 5 years in prison, if the sum is not paid. The message is of course false and is a campaign designed to extort money from unfortunate victims.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Crypted.A_21 (Trojan)
  • GAV: Obfus.3_2 (Trojan)
  • GAV: Virut.CM (Trojan)

Microsoft Internet Explorer display:run-in Use-After-Free Vulnerability (December 11, 2014)

A use-after-free remote code execution vulnerability, CVE-2014-8967, has been found in Microsoft Internet Explorer. The vulnerability is related to the CHeaderElement HTML element. Due to improper handling of CElement objects, an attacker can cause an object’s reference count to fall to zero prematurely, causing the object to be freed. A remote unauthenticated attacker could exploit this vulnerability by enticing the target user to open a specially crafted web page that uses the display:run-in CSS style. The attacker can leverage this vulnerability to execute code in the context of the current process.

Microsoft had not released a patch for this vulnerability as of today, December 11, 2014. Dell SonicWALL Threat Research Team has researched this vulnerability and released the following IPS signature to protect their customers.

  • IPS 6108: Microsoft Internet Explorer HTML Use After Free 6

Microsoft Security Bulletin Coverage (December 09, 2014)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of December 2014. A list of the issues reported, along with Dell SonicWALL coverage information, follows:

MS14-075 Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3009712)

  • CVE-2014-6319 Outlook Web Access Token Spoofing Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-6325 OWA XSS Vulnerability
    IPS: 6098 “Cross-Site Scripting (XSS) Attack 48”
  • CVE-2014-6326 OWA XSS Vulnerability
    IPS: 6107 “Cross-Site Scripting (XSS) Attack 49”
  • CVE-2014-6336 Exchange URL Redirection Vulnerability
    IPS: 6099 “Microsoft Exchange URL Redirection Vulnerability”

MS14-080 Cumulative Security Update for Internet Explorer (3008923)

  • CVE-2014-6327 Internet Explorer Memory Corruption Vulnerability
    IPS: 6097 “Internet Explorer Memory Corruption Vulnerability (MS14-080) 3”
  • CVE-2014-6328 Internet Explorer XSS Filter Bypass Vulnerability
    IPS: 6105 “Internet Explorer XSS Filter Bypass Vulnerability”
  • CVE-2014-6329 Internet Explorer Memory Corruption Vulnerability
    IPS: 3552 “Internet Explorer Memory Corruption Vulnerability (MS14-080) 2”
  • CVE-2014-6330 Internet Explorer Memory Corruption Vulnerability
    IPS: 6518 “Internet Explorer Memory Corruption Vulnerability (MS14-080) 1”
  • CVE-2014-6363 VBScript Memory Corruption Vulnerability
    IPS: 5665 “Internet Explorer VBScript Memory Corruption Vulnerability (MS14-080)”
  • CVE-2014-6365 Internet Explorer XSS Filter Bypass Vulnerability
    SPY: 3253 “Malformed-File html.MP.52”
  • CVE-2014-6366 Internet Explorer Memory Corruption Vulnerability
    SPY: 3254 “Malformed-File html.MP.54”
  • CVE-2014-6368 Internet Explorer ASLR Bypass Vulnerability
    IPS: 6093 “Internet Explorer Memory Corruption Vulnerability (MS14-080) 4”
  • CVE-2014-6369 Internet Explorer Memory Corruption Vulnerability
    IPS: 6094 “Internet Explorer Memory Corruption Vulnerability (MS14-080) 5”
  • CVE-2014-6373 Internet Explorer Memory Corruption Vulnerability
    SPY: 3258 “Malformed-File html.MP.56”
  • CVE-2014-6374 Internet Explorer Memory Corruption Vulnerability
    SPY: 3259 “Malformed-File html.MP.57”
  • CVE-2014-6375 Internet Explorer Memory Corruption Vulnerability
    IPS: 6106 “Internet Explorer Memory Corruption Vulnerability (MS14-080) 7”
  • CVE-2014-6376 Internet Explorer Memory Corruption Vulnerability
    SPY: 3260 “Malformed-File html.MP.58”
  • CVE-2014-8966 Internet Explorer Memory Corruption Vulnerability
    IPS: 6095 “Internet Explorer Memory Corruption Vulnerability (MS14-080) 6”

MS14-081 Vulnerabilities in Microsoft Word and Microsoft Office Web Apps Could Allow Remote Code Execution (3017301)

  • CVE-2014-6356 Index Remote Code Execution Vulnerability
    SPY: 3262 “Malformed-File doc.MP.19”
  • CVE-2014-6357 Use After Free Word Remote Code Execution Vulnerability
    SPY: 3263 “Malformed-File rtf.MP.5_2”

MS14-082 Vulnerability in Microsoft Office Could Allow Remote Code Execution (3017349)

  • CVE-2014-6364 Microsoft Office Component Use After Free Vulnerability
    SPY: 3264 “Malformed-File doc.MP.20”

MS14-083 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (3017347)

  • CVE-2014-6360 Global Free Remote Code Execution in Excel Vulnerability
    SPY: 3265 “Malformed-File xls.MP.43”
  • CVE-2014-6361 Excel Invalid Pointer Remote Code Execution Vulnerability
    SPY: 3266 “Malformed-File xls.MP.44”

MS14-084 Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3016711)

  • CVE-2014-6363 VBScript Memory Corruption Vulnerability
    IPS: 5665 “Internet Explorer VBScript Memory Corruption Vulnerability (MS14-080)”

MS14-085 Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3013126)

  • CVE-2014-6355 Information Disclosure Vulnerability
    SPY: 3261 “Malformed-File html.MP.59”


BMC Track-It! .NET Remoting Vulnerability (Dec 5, 2014)

BMC Track-It! is IT help desk software. It provides tools including work order ticket tracking, incident and problem management, knowledge management, service level management, asset management, change management, software license management, mobile device access, end-user self-service and more. Upon installation, BMC Track-It! enables .NET Remoting on TCP port 9010.

A remote code execution vulnerability exists in BMC Track-It!. The vulnerability is due to a design error: no authentication is required for .NET Remoting requests. Successful exploitation allows a remote attacker to upload arbitrary files, execute arbitrary code, or obtain sensitive credential and configuration information.

The vulnerability is referenced by CVE as CVE-2014-4872.

Dell SonicWALL has released an IPS signature to detect and block exploitation attempts targeting this vulnerability. The signature is listed below:

  • 10653 BMC Track-It! Remote Code Execution

Sony Pictures appears to have been targeted by a destructive Trojan (Dec 3, 2014)

Sony Corp has been in the news again as the victim of a major attack that led to a number of Sony films being leaked onto file-sharing sites. A group calling themselves Guardians of Peace (GOP) has claimed responsibility for these attacks. If some media sources are to be believed, the motive for this attack seems rather outlandish: some believe that it is retaliation for Sony Pictures’ upcoming movie The Interview, which revolves around a CIA plot to kill the North Korean leader Kim Jong-Un. Shortly after this attack the Federal Bureau of Investigation issued a flash warning to U.S. businesses indicating the presence of a destructive threat.

The Dell SonicWALL Threats Research team has obtained variants of the samples described. The analysis is below.

Infection Cycle:

  • It drops the following files that have been associated with the attack:
    • igfxtrayex.exe [Detected as GAV: Wiper.A (Trojan)]
    • net_ver.dat

  • net_ver.dat appears to be a list of IP addresses of its target victims.
  • It establishes connections to the multiple IPs listed in the net_ver.dat file and thereby attempts to perform a SYN flood attack.
  • The resource section of the main file shows that the language pack used was Korean.
  • It then creates copies of itself named “taskhost**.exe”.
  • The Trojan registers itself as a Windows service by adding the following registry key:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinsSchMgmt DisplayName “Windows Schedule Management Service”

  • The following interesting strings were observed in the dropped file:
    • cmd.exe /q /c net share shared$ /delete
    • cmd.exe /q /c net share shared$=%SystemRoot% /GRANT:everyone,FULL
    • cmd.exe /c wmic.exe /node:"%s" /user:"%s" /password:"%s" PROCESS CALL CREATE "%s" > %s
    • cmd.exe /c net stop MSExchangeIS /y
    • cmd.exe /c net stop termservice /y

  • The malware gets its name, Wiper, from its ability to wipe the hard drive of the infected system. The screenshot below shows one of our analysis systems after we infected it with Wiper:
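Detection logic for the command-line strings listed above, added here as an example that is not from the original post: it runs patterns derived from the post's strings over constructed Sysmon-style process-creation events and reports the hosts on which several of them fire together, since any one of these commands can also be legitimate administration. The rule set, the threshold, the sample events and the placeholder IP address and credentials are this example's own.

```python
import re

# Command-line patterns built from the strings listed in the post (the wiper's
# share creation, remote execution and pre-wipe service stops), case-insensitive.
COMMAND_RULES = {
    "windows directory shared to everyone":
        re.compile(r"net\s+share\s+\S+\$=\S+\s+/grant:everyone,full", re.I),
    "remote process creation via wmic with explicit credentials":
        re.compile(r"wmic(\.exe)?\s+/node:.*?/user:.*?/password:.*?process\s+call\s+create", re.I),
    "exchange or terminal service stopped":
        re.compile(r"net\s+stop\s+(msexchangeis|termservice)\b", re.I),
}
SYSTEM32 = "c:\\windows\\system32"


def matches_for(event):
    """Rule names that fire on one process-creation event (dict with Image/CommandLine)."""
    hits = [name for name, rx in COMMAND_RULES.items() if rx.search(event.get("CommandLine", ""))]
    folder, _, binary = event.get("Image", "").lower().rpartition("\\")
    # The post notes copies named taskhost**.exe; the genuine taskhost lives in System32.
    if binary.startswith("taskhost") and binary.endswith(".exe") and folder != SYSTEM32:
        hits.append("taskhost look-alike outside System32")
    return hits


def scan_events(events):
    """Flatten every (host, rule, evidence) hit across a batch of events."""
    return [{"host": ev["host"], "rule": rule, "evidence": ev.get("CommandLine", "")}
            for ev in events for rule in matches_for(ev)]


def suspicious_hosts(events, min_rules=2):
    """Hosts on which at least min_rules distinct rules fired; a single hit is noise."""
    per_host = {}
    for hit in scan_events(events):
        per_host.setdefault(hit["host"], set()).add(hit["rule"])
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_rules)


# Constructed Sysmon-style events; 192.0.2.5 and the account are placeholders, the
# command lines follow the strings in the post.
SAMPLE_EVENTS = [
    {"host": "ws1", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /q /c net share shared$=%SystemRoot% /GRANT:everyone,FULL"},
    {"host": "ws1", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c wmic.exe /node:"192.0.2.5" /user:"DOMAIN\user" '
                    r'/password:"PLACEHOLDER" PROCESS CALL CREATE "C:\Windows\taskhostab.exe" > C:\out.txt'},
    {"host": "ws1", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c net stop MSExchangeIS /y"},
    {"host": "ws1", "Image": r"C:\Windows\taskhostab.exe", "CommandLine": r"C:\Windows\taskhostab.exe"},
    {"host": "ws2", "Image": r"C:\Windows\System32\net.exe", "CommandLine": r"net use Z: \\fs1\share"},
]
```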

Dell SonicWALL provides protection against these threats via the following signatures:

  • GAV: Wiper.SNP (Trojan)
  • GAV: Wiper.SN (Trojan)
  • GAV: Wiper.A (Trojan)