Android Browser Information Disclosure (Oct 10, 2014)

Android Open Source Project (AOSP) browser – called “Browser” – is a web browser application that is capable of rendering both static and dynamic web content (DOM). The app appears in Android 4.3 and earlier; in Android 4.4, Google dropped the app to encourage use of its Chrome browser.

The same origin policy is an important concept in the web application security model. The policy permits scripts running on pages originating from the same site – a combination of scheme, hostname, and port number – to access each other’s DOM with no specific restrictions, but prevents access to DOM on different sites.

An information disclosure vulnerability exists in Android Browser. The vulnerability is due to a validation failure when processing JavaScript functions within web pages. A remote attacker can exploit this vulnerability by enticing a user to view a specially crafted web page with a vulnerable version of Android Browser. Successful exploitation results in a violation of the same origin policy, which would disclose information about other web pages opened by the user or stored in the browser cache.

The vulnerability has been assigned as CVE-2014-6041.

Dell SonicWALL has released IPS signatures to detect and block specific exploitation attempts targeting this vulnerability. The signatures are listed below:

  • 5570 Android Browser Same Origin Policy Bypass 1
  • 5682 Android Browser Same Origin Policy Bypass 2

Android Windseeker with injection and hooking mechanisms (Oct 3, 2014)

Instant messengers are commonplace these days and it is quite normal to have at least 3 instant messengers on a smartphone. Tencent has been emerging as a big player in the instant messaging market, with QQ and WeChat dominating the Chinese market and a staggering number of active users that runs into the millions. Due to the huge popularity of these messengers we have observed a number of services that claim to “monitor” the QQ and WeChat activity of employees, spouses or anyone in general for a certain fee. The Dell SonicWALL Threats Research team received reports of an Android malware that does something similar: it spies on the activity of the QQ and WeChat messengers on the victim's device and sends this information to a server without the victim's knowledge.

All the collected logs are transmitted to tin[removed].com where they can be viewed:

Infection Cycle

The Trojan asks for the following permissions during installation:

  • Internet
  • Write External Storage
  • Get Tasks
  • Write Settings
  • Receive Boot Complete
  • Read Phone State
  • Access Network State

The app appears in the app drawer as “wind seeker”; upon being opened, the app requests root permission on the device. The app disappears from the app drawer a few moments after it is opened but keeps running in the background via the service ProcessMonitor.

With root privileges, wind seeker is able to drop the following helper files from its assets folder to different folders on the device; these files aid it in monitoring the QQ and WeChat messengers:

  • competing_su dropped at /system/xbin/
  • conn.jar dropped at /data/data/qy/
  • libcall.so dropped at /system/lib/
  • inject_appso dropped at /system/bin/

The code for competing_su contains a list of Chinese mobile security apps; there have been instances in the past where Trojans tried to disable or uninstall security apps present on the device. That did not happen in this case; however, these security apps did deem wind seeker malicious and advised us to remove it:

The ptrace system call can be used by one process to control and manipulate the execution of another process. DexClassLoader can be used by an Android application to dynamically load a jar package. This Trojan uses a combination of these two techniques: it first injects libcall.so into the messenger processes and then, through libcall.so, loads conn.jar, which it previously dropped at /data/data/qy.

Conn.jar contains the majority of the code for hooking into the chat messengers and monitoring chat messages in real time:

During our analysis, even though root permissions were granted to the app, it did not successfully transmit the stolen information; however, we observed code to access contact information, send chat history to the remote server, and read the QQ app database for additional information stored by the app, among other things:

Overall, this threat is tailored towards monitoring user activity in the QQ and WeChat messengers. Considering how these messengers are used, there is a good probability that a large amount of sensitive/personal information is shared through them. Coupled with the fact that these messengers are installed on millions of devices, this is a very potent threat for the Android ecosystem.

The mechanism used by this threat can be compared to a keylogger. The legality of a keylogger is often determined by the way in which it is used. Similarly, it can be debated that tools which monitor messenger or other activity on a mobile device fall under the same category. At the end of the day it is the user's responsibility to understand what an app will be doing before permissions are granted to it. This post further highlights the dangers of installing apps from non-market sources as well as rooting the mobile device. A rooted device can be tailored to our liking, but it also opens the door for such malicious entities and other risks.

Dell SonicWALL Gateway Antivirus provides protection against this threat via the following signature:

  • GAV: AndroidOS.Windseeker (Trojan)
  • GAV: AndroidOS.Windseeker.Main (Trojan)
  • GAV: AndroidOS.Windseeker.Conn (Trojan)

Signed Cryptowall distributed via drive-by download advertising campaign

The Dell SonicWALL Threats Research team observed reports of a CryptoWall bot family, detected as GAV: Cryptowall.I, actively spreading in the wild. This is a new variant of the popular CryptoLocker ransomware; it is digitally signed and distributed via an advertising campaign on several top-ranked Alexa web sites.

The malware is typically spread through a couple of vectors, such as exploit kits and spam campaigns with malicious attachments. This most recent campaign involves a series of popular sites serving malicious ads that infect machines with CryptoWall.

Infection Cycle:

Md5: ba92a58928b82ba662e7abb4ff4014a9

The Trojan adds the following files to the system:

C:\5832454\5832454.exe [Executable file]

%Appdata%\5832454.exe [Executable file]

The Trojan adds the following keys to the Windows registry to ensure persistence upon reboot:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\5832454

C:\Documents and Settings\Administrator\Application Data\5832454.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\583245

C:\5832454\5832454.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData

C:\Documents and Settings\Administrator\Application Data

The Trojan has SeDebugPrivilege enabled for thread injection and uses an injected svchost.exe to set the %Appdata% value in the Windows registry.

The CryptoWall sample is signed by DigiCert Timestamp Responder; the signature shows it was signed on Sunday, as you can see below:

Hopefully the issuer revoked the certificate after the malware was identified on Sunday.

After the malware has encrypted all of the user's personal documents and files, it shows the following web page:

Command and Control (C&C) Traffic

CryptoWall performs its C&C communication over port 80. Requests to statically defined IPs/domains are made on a regular basis, such as the following:

Drive-by Download advertising campaign

Drive-by downloads of the malware were detected as coming from the following websites:

  • hindustantimes[.]com
  • bollywoodhungama[.]com
  • one[.]co[.]il
  • codingforums[.]com
  • mawdoo[.]com

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • Cryptowall.I

OpenSSL Heartbleed: 3 Months Later (July 3, 2014)

More GNU Bash vulnerabilities have been disclosed since Sep 25, 2014, and Dell SonicWALL keeps monitoring the Internet and analyzing the vulnerabilities.
Here is the latest coverage of the GNU Bash Code Injection Vulnerabilities:

CVE-2014-6271

  • IPS sid:10529 “GNU Bash Code Injection Vulnerability (CVE-2014-6271) 1”
  • IPS sid:5603 “GNU Bash Code Injection Vulnerability (CVE-2014-6271) 2”
  • IPS sid:5605 “GNU Bash Code Injection Vulnerability (CVE-2014-6271) 3”

CVE-2014-6277

  • IPS sid:5667 “GNU Bash Code Injection Vulnerability (CVE-2014-6277, CVE-2014-7186) 1”

CVE-2014-6278

  • IPS sid:5661 “GNU Bash Code Injection Vulnerability (CVE-2014-6278, CVE-2014-7169) 1”

CVE-2014-7169

  • IPS sid:5661 “GNU Bash Code Injection Vulnerability (CVE-2014-6278, CVE-2014-7169) 1”

CVE-2014-7186

  • IPS sid:5667 “GNU Bash Code Injection Vulnerability (CVE-2014-6277, CVE-2014-7186) 1”

CVE-2014-7187

  • IPS sid:5669 “GNU Bash Code Injection Vulnerability (CVE-2014-7187) 1”

Dell SonicWALL also observed millions of attack attempts during the last 9 days, shown below:

The number reached its peak on Sep 29, 2014 and then started decreasing. We expect the number to keep dropping to a certain level and then remain steady.

Miras Backdoor Trojan (September 12, 2014)

The Dell SonicWALL Threats Research team has received reports of a recent backdoor that targets the Windows platform, called Miras. This malware sends system information to a remote server and accepts various commands. The commands allow the operator to search, rename, delete or execute files, enumerate processes, terminate a process, collect system information, or execute shell commands.

Infection cycle:

Once executed, the trojan copies itself into a DLL at: %WinDir%\System32\wbem\raswmi.dll

It then creates a batch file on the user’s desktop called “dd.bat” and writes the following code into it:

Upon execution of the batch file, the DLL is run. The batch file also sends a ping request to the IP 137.0.0.1. This IP belongs to a US Air Force group known as the 754th Electronic Systems Group.

Another batch file, “d.bat”, is created on the user’s desktop; it deletes the executable.

The DLL’s function GetMain is then called; it creates a service to delete its previous instance.

We found that the malware tries to communicate with its command and control server:

It then constructs a request and sends it to the command and control server.

This request is XOR encrypted with the key “6”. Once decrypted, it resolves to: U n Admintest D F A FE C SYSTEMU q

At the time of research, the remote server was not available to analyze the behavior of the malware.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Miras.A (Trojan)

Metasploit modules used by malicious exploit kit in the wild (Sep 12, 2014)

The Dell SonicWALL Threats Research team has discovered an exploit kit which uses Metasploit modules to attack the user’s system. This kit is identified as NailedPack. It is a multi-payload exploit kit that targets users based on their browser and operating system.

Infection Cycle:

A legitimate website is infected by injecting an iframe, which redirects users to a malicious server. The injected iframe is obfuscated using a JavaScript packer.

Fig-1 : Obfuscated injected Iframe

Fig-2 : DeObfuscated Iframe

After deobfuscation, the generated iframe redirects users to a landing page served on the malicious server. The landing page uses the Metasploit AutoPwn module rather than the traditional PluginDetect JavaScript library used by other exploit kits.

Fig 3 : Obfuscated AutoPwn module
Fig 4 : DeObfuscated AutoPwn module

The above script identifies the operating system, browser and browser version and sends this information to the server in base64-encoded form.

Fig 5 : Base64 encoded Target system information

In response to the above information, the server sends an obfuscated JavaScript containing a list of checks, based on which it requests the corresponding exploits.

Fig 6 : DeObfuscated Script to check vulnerability

This pack requests multiple exploits, and on successful exploitation additional malware might be downloaded to the system. During our analysis we did not observe any active payload being served.

Keeping software up to date helps in mitigating this exploit kit. The Dell SonicWALL Threats Research team will keep monitoring this exploit kit and add or update mitigation signatures as required.

SQL Injection Attacks Up-to-date Summary (Sept 19, 2014)

SQL injection is one of the most common security flaws in application software. It is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. The first public discussions of SQL injection started appearing around 1998.

A typical SQL injection occurs when user input is not filtered for escape characters and is then passed into a SQL statement. The following line of code illustrates this vulnerability:

 statement = "SELECT * FROM users WHERE name ='" + userName + "';" 

This SQL code is designed to pull up the records of the specified username from its table of users. However, if the “userName” variable is crafted in a specific way by a malicious user, the SQL statement may do more than the code author intended. For example, setting the “userName” variable as:

 ' or '1'='1 

is rendered by the parent language into the following SQL statement:

 SELECT * FROM users WHERE name = '' OR '1'='1'; 

If this code were used in an authentication procedure, this example could force the selection of a valid username, because the evaluation of '1'='1' is always true.
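As an added example (not code from the original post), the following Python script uses the standard library sqlite3 module and a constructed sample table to run the post’s own payload against both the concatenated query above and a parameterized version of it, so the difference can be checked rather than just read:

```python
import sqlite3

# Constructed sample data for this example (not from the original post).
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def make_db():
    """Build an in-memory users table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_name):
    """The pattern from the post: user input spliced into the SQL text.
    Quotes inside user_name become part of the statement's structure."""
    statement = "SELECT * FROM users WHERE name ='" + user_name + "';"
    return conn.execute(statement).fetchall()


def lookup_parameterized(conn, user_name):
    """Hardened form: the value is bound to a placeholder, so the driver
    hands it to the engine as data and it can never rewrite the WHERE clause."""
    statement = "SELECT * FROM users WHERE name = ?;"
    return conn.execute(statement, (user_name,)).fetchall()


def compare(user_name):
    """Return (rows from the concatenated query, rows from the parameterized query)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, user_name), lookup_parameterized(conn, user_name)
    finally:
        conn.close()


if __name__ == "__main__":
    # "alice" behaves the same both ways; the post's payload only differs
    # when the input is allowed to become part of the SQL text.
    for value in ("alice", "' or '1'='1"):
        vuln, safe = compare(value)
        print(f"{value!r}: concatenated -> {len(vuln)} rows, parameterized -> {len(safe)} rows")
```

With the payload, the concatenated query returns every row in the table while the parameterized query returns none, because no user is literally named `' or '1'='1`.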

The Dell SonicWALL Threat Research Team has developed multiple IPS signatures to protect its customers. These signatures include, but are not limited to:

  • 10504 ManageEngine Password Manager SQL Injection
  • 10417 Nagios Core Config Manager SQL Injection
  • 10416 SolusLabs SolusVM SQL Injection
  • 10365 Advantech WebAccess DBVisitor.dll SQL Injection
  • 10346 lighttpd Host Header SQL Injection
  • 10246 SQL Injection Attack 23
  • 9584 MyBB birthdayprivacy SQL Injection
  • 9547 F5 BIG-IP SQL Injection

According to the NVD (National Vulnerability Database), multiple SQL injection vulnerabilities are discovered in various applications every year. The following figure shows the SQL injection related vulnerabilities found in different years. The SQL injection vulnerability count peaked in 2008 and declined in the following years:

The statistics we observed show that SQL injection attack attempts peaked in 2010:

Although SQL injection attacks are now far fewer than at the peak in 2010, they are still active; the following shows the geographic distribution of the attack attempts seen in 2014.

BlackPOS: Targets Point Of Sale Malware Version 2

The Dell SonicWALL Threats Research team observed reports of a POS bot family, detected as GAV: BlackPOS.B, actively spreading in the wild. This is a new variant of GAV: BlackPOS.A, the family behind the Target data breach last December as well as the breach at Home Depot earlier this month.

These variants have been seen as far back as February 2013 and continue to operate as of September 2014. BlackPOS malware typically has capabilities such as scraping memory to retrieve credit card data, and does so more efficiently by ignoring specific processes during its scan.

Infection Cycle:

Md5: b57c5b49dab6bbd9f4c464d396414685

The Trojan adds the following files to the system:

%SystemRoot%\t.bat [Executable Bat file]

%SystemRoot%\McTrayErrorLogging.dll [Contains data scraped from memory]

The Trojan adds the following keys to the Windows registry to ensure persistence upon reboot:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfmisvc

The Trojan accepts the following command-line arguments:

Usage: -[start|stop|install|uninstall]

The Trojan has an exclusion list used to ignore certain system processes; it gathers track data by scanning the memory of all running processes except for the following list:

The dropper t.bat copies the contents of McTrayErrorLogging.dll to t:\temp\dotnet\NDP45-KB2737084-x86.exe. It uses net commands via cmd.exe to open a shared machine with a specific user and transfer the file. It contains the following commands:

POS Memory Scraping:

BlackPOS retrieves the list of all processes; one of the injected malicious code threads is responsible for periodically scraping the memory of active non-system processes on the infected machine for credit card information.

The malware tries to enumerate credit card data from the POS software; to enumerate the POS processes, the attackers use API calls such as the following:

  • CreateToolhelp32Snapshot
  • Process32First
  • Process32Next
  • OpenProcess
  • ReadProcessMemory

Here is an example of a credit card number captured by the malware:

Here is the encrypted data format saved into McTrayErrorLogging.dll:

The malware contains URL links referring to the United States’ involvement in political conflicts around the world:

Command and Control (C&C) Traffic

BlackPOS performs its C&C communication over port 445. Requests to statically defined IPs/domains are made on a regular basis, such as the following:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • BlackPOS.B

Trojan uses an old compression format to thwart detection (Sep 19, 2014)

The Dell SonicWALL Threats Research team has received reports of a Trojan posing as a fake Word document. This Trojan may arrive in the form of an email with a seemingly harmless compressed file as an attachment. The attachment comes in the ARJ file format, which was a popular compression format back in the 90’s, and uses .arj as the file extension. By using a really old compression format, this malicious program can thwart security programs attempting to scan, block or unpack it.

Figure 1: Sample email with the malicious attachment

Infection Cycle:

The Trojan uses the following naming conventions with a .scr or .exe file extension:

  • statmnt_yyyy-mm-dd_*random digits*.scr
  • infraction_yyyy-mm-dd_*random digits*.exe
  • order_yyyy-mm-dd_*random digits*.scr
  • runout_yyyy-mm-dd_*random digits*.scr
  • termnate_yyyy-mm-dd_*random digits*.exe
  • sale_yyyy-mm-dd_*random digits*.exe

Once executed it drops the following files:

  • %TEMP%\sale__*random digits*.rtf (a harmless document file)

It then displays the contents of this document by executing the following commands:

  • PROGRAM FILES\MICROSOFT OFFICE\OFFICE11\WORDVIEW.EXE [“PROGRA~1\MICROS~2\OFFICE11\WORDVIEW.EXE” /n /dde]

Figure 2: Example contents of the harmless word document

To verify internet connectivity, the Trojan performs the following DNS queries:

Figure 3: DNS query to microsoft.com

The Trojan then establishes a connection to different remote servers and sends out encrypted data:

Figure 4: Trojan connects to remote server sazlar.de
Trojan connects to remote servers: sazlar.de, telasramacrisna.br and powerc214.galaxy-gmbh-service.de

Figure 5: Example of encrypted data sent

Based on the following strings found in the main binary file, this Trojan is capable of downloading additional malware to the victim’s machine:

Figure 6: Hardcoded strings found in the main executable
Trojan tries to download mine.tar.gz from: sazlar.de, telasramacrisna.br, pinballpassion.fr and necaps.org

These additional malware components were found to be variants of Zbot and are detected as:

  • Mine.exe [Detected as GAV: Zbot.AAD (Trojan)]

In true Zbot fashion, this new malware component was found to post encrypted data and send DNS queries to randomized domain names:

Figure 7: ZBot generated DNS queries to random domains

Overall, this Trojan is capable of downloading additional malware into the victim’s machine. It can also send sensitive information out to a remote server.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Sinowal.CF (Trojan)
  • GAV: Sinowal.CF_2 (Trojan)
  • GAV: Sinowal.CF_3 (Trojan)
  • GAV: Vikaslop.A (Trojan)
  • GAV: Vikaslop.A_2 (Trojan)
  • GAV: Zbot.AAD (Trojan)

Linux Trojan dropped via CVE-2014-6271 vulnerability (Sep 26, 2014)

The Dell SonicWALL Threats Research team has received reports of a Linux DDoS Trojan that is dropped onto systems vulnerable to CVE-2014-6271 (GNU Bash Code Injection Vulnerability). The Trojan can leak sensitive system information and is designed primarily for DDoS attacks using various methods. A SonicALERT describing CVE-2014-6271 was released earlier this week.

Infection Cycle:

Upon successful infection and execution via the vulnerability, the Trojan connects to a predetermined C&C server IP address on port 5. The IP address is hardcoded in the binary:

The Trojan contains the following DDoS capabilities as seen in the binary:

The C&C server can issue the following commands:

      GETLOCALIP
      SCANNER
      HOLD
      JUNK (flood)
      UDP (flood)
      TCP (flood)
      KILLATTK
      LOLNOGTFO
      DUP (disconnect from C&C)

The Trojan also contains a brute-force password attack module. The following weak passwords were discovered in the binary:

The following strings were found in the binary. These strings indicate that the Trojan gathers network, CPU, kernel and memory information from the infected system:

As seen in the screenshot above the Trojan employs the following BusyBox command:

      /bin/busybox;echo -e '\147\141\171\146\147\164'

The output of the command differs depending on the system it is run on. This can be used as a way to differentiate between systems.

The functionality of the Trojan can be summarized as follows:

  • System fingerprinting attempts using BusyBox
  • Ability to leak sensitive system information
  • Perform DDoS attacks using various methods
  • Brute force authentication attacks

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Linux.Flooder.SS (Trojan)