Trojan Masquerading as a resume seen in the wild (Aug 15, 2014)

The Dell SonicWall Threats Research team has received reports of a Trojan masquerading as a resume. The Trojan may arrive as an email attachment that looks like a harmless PDF. It is even signed with a fake certificate claiming to be issued by Adobe Systems.

Figure 1: Trojan uses the PDF icon

Figure 2: Digital Signature

Infection Cycle:

Upon execution, the Trojan creates the following files:

  • %USERPROFILE%\Rar.exe (legitimate compression utility)
  • %USERPROFILE%\temporary.rar

It then unpacks the contents of the temporary.rar archive by executing the following command:

  • "%USERPROFILE%\Rar.exe" e "%USERPROFILE%\temporary.rar" -pUjht6yTgrt63 "%USERPROFILE%"

The archive contents are copied into the following locations:

  • %USERPROFILE%\CertMgr.exe (legitimate Microsoft Certificate Manager tool)
  • %USERPROFILE%\Sert.cer (a fake certificate)
  • %USERPROFILE%\Resume.pdf (a non-malicious PDF file)

The Trojan then installs the fake certificate into the local machine's trusted root store by executing the following command:

  • "%USERPROFILE%\CertMgr.exe" -add -c "%USERPROFILE%\sert.cer" -s -r localMachine root

The Trojan then invokes Acrobat Reader to open the PDF file, which displays a poorly crafted resume written in Russian.

Figure 3: A decoy resume written in Russian

It then makes the following DNS queries to verify internet connectivity:

Figure 4: Trojan connects to legitimate websites

The Trojan also checks for the presence of the following registry keys to determine whether the host is a virtual environment:

Figure 5: Trojan checking for virtual box related registry keys

It also employs the most common anti-debugging technique, a call to IsDebuggerPresent:

Figure 6: Trojan uses the IsDebuggerPresent function as an anti-debugging technique

During our analysis the Trojan attempted to download additional components.

Figure 7: The Trojan downloading poper.rar from ripola.net

It was also seen sending the simple text message "INSTALL" over TCP port 25.

Figure 8: The Trojan sending an email message to confirm installation

Overall, this Trojan is capable of downloading additional malware onto the victim's machine and sending sensitive information to a remote server.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Eratoma.A (Trojan)

Microsoft Security Bulletin Coverage (August 12, 2014)

Dell SonicWALL has analyzed and addressed Microsoft's security advisories for the month of August 2014. The issues reported, along with Dell SonicWALL coverage information, are listed below:

MS14-043 Vulnerability in Windows Media Center Could Allow Remote Code Execution (2978742)

  • CVE-2014-4060 CSyncBasePlayer Use After Free Vulnerability
    There are no known exploits in the wild.

MS14-044 Vulnerabilities in SQL Server Could Allow Elevation of Privilege (2984340)

  • CVE-2014-1820 SQL Master Data Services XSS Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-4061 Microsoft SQL Server Stack Overrun Vulnerability
    There are no known exploits in the wild.

MS14-045 Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege (2984615)

  • CVE-2014-0318 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-1819 Font Double-Fetch Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-4064 Windows Kernel Pool Allocation Vulnerability
    There are no known exploits in the wild.

MS14-046 Vulnerability in .NET Framework Could Allow Security Feature Bypass (2984625)

  • CVE-2014-4062 .NET ASLR Vulnerability
    There are no known exploits in the wild.

MS14-047 Vulnerability in LRPC Could Allow Security Feature Bypass (2978668)

  • CVE-2014-0316 LRPC ASLR Bypass Vulnerability
    There are no known exploits in the wild.

MS14-048 Vulnerability in OneNote Could Allow Remote Code Execution (2977201)

  • CVE-2014-2815 OneNote Remote Code Execution Vulnerability
    There are no known exploits in the wild.

MS14-049 Vulnerability in Windows Installer Service Could Allow Elevation of Privilege (2962490)

  • CVE-2014-1814 Windows Installer Repair Vulnerability
    There are no known exploits in the wild.

MS14-050 Vulnerability in Microsoft SharePoint Server Could Allow Elevation of Privilege (2977202)

  • CVE-2014-2816 SharePoint Page Content Vulnerability
    There are no known exploits in the wild.

MS14-051 Cumulative Security Update for Internet Explorer – Critical

  • CVE-2014-2774 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2784 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2796 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2808 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2810 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2811 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2817 Internet Explorer Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2818 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2819 Internet Explorer Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2820 Internet Explorer Memory Corruption Vulnerability
    IPS: 4841 “Internet Explorer Memory Corruption Vulnerability (MS14-051) 1”
  • CVE-2014-2821 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2822 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2823 Internet Explorer Memory Corruption Vulnerability
    IPS: 4846 “Internet Explorer Memory Corruption Vulnerability (MS14-051) 2”
  • CVE-2014-2824 Internet Explorer Memory Corruption Vulnerability
    IPS: 4860 “Internet Explorer Memory Corruption Vulnerability (MS14-051) 3”
  • CVE-2014-2825 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2826 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2827 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-4050 Internet Explorer Memory Corruption Vulnerability
    IPS: 4862 “Internet Explorer Memory Corruption Vulnerability (MS14-051) 4”
  • CVE-2014-4051 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-4052 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-4055 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-4056 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-4057 Internet Explorer Memory Corruption Vulnerability
    IPS: 4864 “Internet Explorer Memory Corruption Vulnerability (MS14-051) 5”
  • CVE-2014-4058 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-4063 Internet Explorer Memory Corruption Vulnerability
    IPS: 4927 “Internet Explorer Memory Corruption Vulnerability (MS14-051) 6”
  • CVE-2014-4067 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.

Google Chrome Use-After-Free Vulnerability (Aug 8, 2014)

Google Chrome is a freeware web browser developed by Google.

A use-after-free vulnerability exists in Google Chrome. The vulnerable function DocumentV8Internal::locationAttributeSetter holds a pointer to the contentDocument.location property; if an attempt is made to access a location object that has already been closed and freed, a use-after-free condition results. A remote attacker can exploit this vulnerability by enticing a user to open a crafted web page with a vulnerable version of Google Chrome. Successful exploitation could lead to denial of service, memory corruption or code execution.

This vulnerability has been assigned CVE-2014-1713.

Dell SonicWALL protects against this threat with the following signature:

  • 4837: Google Chrome locationAttributeSetter Use After Free

Backoff: New Point of Sale Malware (August 6, 2014)

The Dell SonicWALL Threats Research team observed reports of a new POS bot family named Backoff, versions 1.55 and 1.56, actively spreading in the wild. This is the second infostealer bot family to feature memory-scraping functionality like that of the well-known Point-of-Sale Trojan Dexter. These variants have been seen as far back as October 2013 and continue to operate as of July 2014. Backoff typically has capabilities such as scraping memory, injecting into explorer.exe and logging keystrokes.

Infection Cycle:

The Trojan adds the following files to the file system:

    %APPDATA%\OracleJava\javaw.exe [Detected as GAV: Backoff.A (Trojan)]
    %APPDATA%\OracleJava\Log.txt [Logged keystrokes]

The Trojan adds the following key to the Windows registry to ensure persistence upon reboot:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows NT Service "%APPDATA%\OracleJava\javaw.exe"

It also modifies the Import Address Table (IAT modification) to inject its own functions (seen in 1.55 “goo”).

KeyLogger:

Backoff has a keylogger function: it uses GetKeyState and GetKeyboardState to capture the keys pressed on the target system and logs all keystrokes to the following file:

    %APPDATA%\OracleJava\Log.txt

The malware uses GetForegroundWindow and GetWindowTextA to retrieve non-ASCII keys such as the following:

POS Memory Scraping:

The malware retrieves the list of all running processes and saves it in its own memory; one of the injected malicious code threads is responsible for periodically scraping the memory of active non-system processes on the infected machine for credit card information. Backoff tries to extract credit card data from POS software. For this, the attackers use API calls such as:

  • CreateToolhelp32Snapshot
  • Process32First
  • Process32Next
  • OpenProcess
  • ReadProcessMemory

The stolen information is then relayed back to the Command & Control server. Backoff (1.55 “goo”) filters its memory scraping against the processes in the following list:

  • explorer.exe
  • lsass.exe
  • spoolsv.exe
  • mysqld.exe
  • services.exe
  • wmiprvse.exe
  • LogonUI.exe
  • taskhost.exe
  • wuauclt.exe
  • smss.exe
  • csrss.exe
  • winlogon.exe
  • alg.exe
  • iexplore.exe
  • firefox.exe
  • chrome.exe
  • devenv.exe

Command and Control communication

During our analysis we observed the following communication between the infected machine and the C2 server (1.55 “backoff” and 1.55 “goo”):

The ‘id’ parameter is stored in the following registry key:

  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

    Backoff's “data” field carries the scraped card data, RC4 encrypted and Base64 encoded; here is an example of the encrypted card data scraped by the malware.

    Backoff Variants in the Wild

    Backoff has six variants:

    • Backoff 1.4
    • 1.55 “backoff”
    • 1.55 “goo”
    • 1.55 “MAY”
    • 1.55 “net”
    • 1.56 “LAST”

    Backoff 1.4
    MD5: 927AE15DBF549BD60EDCDEAFB49B829E
    Install Path: %APPDATA%\AdobeFlashPlayer\mswinsvc.exe
    Dropped Files:

    • %APPDATA%\mskrnl
    • %APPDATA%\winserv.exe
    • %APPDATA%\AdobeFlashPlayer\mswinsvc.exe

    Registry Keys:

    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier
    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

    HTTP POST Request:

    • User-Agent: Mozilla/4.0
    • URI(s): /aircanada/dark.php
    • Static String on POST Request: zXqW9JdWLM4urgjRkX

    1.55 “backoff”
    MD5: F5B4786C28CCF43E569CB21A6122A97E
    Install Path: %APPDATA%\AdobeFlashPlayer\mswinhost.exe
    Dropped Files:

    • %APPDATA%\mskrnl
    • %APPDATA%\winserv.exe
    • %APPDATA%\AdobeFlashPlayer\mswinhost.exe
    • %APPDATA%\AdobeFlashPlayer\Log.txt

    Registry Keys:

    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier
    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

    HTTP POST Request:

    • User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
    • URI(s): /aero2/fly.php
    • Static String on POST Request: ihasd3jasdhkas

    1.55 “goo”
    MD5: 17E1173F6FC7E920405F8DBDE8C9ECAC
    Install Path: %APPDATA%\OracleJava\javaw.exe
    Dropped Files:

    • %APPDATA%\nsskrnl
    • %APPDATA%\winserv.exe
    • %APPDATA%\OracleJava\javaw.exe
    • %APPDATA%\OracleJava\Log.txt

    Registry Keys:

    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier
    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

    HTTP POST Request:

    • URI(s): /windows/updcheck.php
    • Static String on POST Request: jhgtsd7fjmytkr

    1.55 “MAY”
    MD5: 21E61EB9F5C1E1226F9D69CBFD1BF61B
    Install Path: %APPDATA%\OracleJava\javaw.exe
    Dropped Files:

    • %APPDATA%\nsskrnl
    • %APPDATA%\winserv.exe
    • %APPDATA%\OracleJava\javaw.exe
    • %APPDATA%\OracleJava\Log.txt

    Registry Keys:

    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier
    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

    HTTP POST Request:

    • URI(s): /windowsxp/updcheck.php
    • Static String on POST Request: jhgtsd7fjmytkr

    1.55 “net”
    MD5: 0607CE9793EEA0A42819957528D92B02
    Install Path: %APPDATA%\AdobeFlashPlayer\mswinhost.exe
    Dropped Files:

    • %APPDATA%\AdobeFlashPlayer\mswinhost.exe
    • %APPDATA%\AdobeFlashPlayer\Log.txt

    Registry Keys:

    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier
    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

    HTTP POST Request:

    • URI(s): /windowsxp/updcheck.php
    • Static String on POST Request: ihasd3jasdhkas9

    1.56 “LAST”
    MD5: 12C9C0BC18FDF98189457A9D112EEBFC
    Install Path: %APPDATA%\OracleJava\javaw.exe
    Dropped Files:

    • %APPDATA%\nsskrnl
    • %APPDATA%\winserv.exe
    • %APPDATA%\OracleJava\javaw.exe
    • %APPDATA%\OracleJava\Log.txt

    Registry Keys:

    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier
    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service
    • HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components\{B3DB0D62-B481-4929-888B-49F426C1A136}\StubPath
    • HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{B3DB0D62-B481-4929-888B-49F426C1A136}\StubPath

    HTTP POST Request:

    • User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
    • URI(s): /windebug/updcheck.php
    • Static String on POST Request: jhgtsd7fjmytkr
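The per-variant URIs, static POST strings and User-Agents listed above are exactly the kind of indicators a web proxy or IDS can key on. The following Python is an added example, not SonicWALL's code or its signature logic: it transcribes that table into a matcher and classifies a raw HTTP request against it. The `parse_http_request` helper, the confidence levels and the two sample requests (the host and `id` values are placeholders) are constructed for this example; only the indicator values come from the list above.

```python
"""Match outbound HTTP POSTs against the Backoff C2 indicators listed above.

Added example, not SonicWALL's code or signatures. Indicator values are
transcribed from the variant list above; the request parser, confidence
levels and sample requests are constructed.
"""
from dataclasses import dataclass
from typing import Optional

FIREFOX_UA = "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"


@dataclass(frozen=True)
class Variant:
    name: str
    uris: frozenset            # "URI(s)" from the table
    static: str                # "Static String on POST Request"
    user_agent: Optional[str]  # None where the table lists no User-Agent


BACKOFF_VARIANTS = (
    Variant("Backoff 1.4", frozenset({"/aircanada/dark.php"}), "zXqW9JdWLM4urgjRkX", "Mozilla/4.0"),
    Variant('1.55 "backoff"', frozenset({"/aero2/fly.php"}), "ihasd3jasdhkas", FIREFOX_UA),
    Variant('1.55 "goo"', frozenset({"/windows/updcheck.php"}), "jhgtsd7fjmytkr", None),
    Variant('1.55 "MAY"', frozenset({"/windowsxp/updcheck.php"}), "jhgtsd7fjmytkr", None),
    Variant('1.55 "net"', frozenset({"/windowsxp/updcheck.php"}), "ihasd3jasdhkas9", None),
    Variant('1.56 "LAST"', frozenset({"/windebug/updcheck.php"}), "jhgtsd7fjmytkr", FIREFOX_UA),
)


def parse_http_request(raw: str):
    """Split a raw HTTP/1.x request into (method, path, headers, body).
    Header names are lower-cased; any query string is dropped from the path."""
    head, _sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _colon, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target.split("?", 1)[0], headers, body


def match_backoff(raw: str):
    """Return ((variant names...), confidence) or None.

    high   : URI and static string match one variant and the User-Agent agrees
             (or the table lists none for that variant)
    medium : URI and static string match but the User-Agent differs
    low    : only a static string is present; every variant sharing the longest
             matching string is reported, since "ihasd3jasdhkas9" (1.55 "net")
             contains "ihasd3jasdhkas" (1.55 "backoff")
    """
    method, path, headers, body = parse_http_request(raw)
    if method.upper() != "POST":
        return None
    # Longest static string first so the 1.55 "net" token is not read as 1.55 "backoff".
    candidates = sorted((v for v in BACKOFF_VARIANTS if v.static in body),
                        key=lambda v: len(v.static), reverse=True)
    ua = headers.get("user-agent")
    for v in candidates:
        if path in v.uris:
            confidence = "high" if v.user_agent in (None, ua) else "medium"
            return (v.name,), confidence
    if candidates:
        longest = len(candidates[0].static)
        return tuple(v.name for v in candidates if len(v.static) == longest), "low"
    return None


# Constructed requests: host, id and data values are placeholders; only the
# path and the static token are taken from the table above.
SAMPLE_MAY = (
    "POST /windowsxp/updcheck.php HTTP/1.1\r\n"
    "Host: c2.example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "id=PLACEHOLDER-ID&jhgtsd7fjmytkr&data=UExBQ0VIT0xERVI=\r\n"
)
SAMPLE_UNKNOWN_PATH = (
    "POST /some/other.php HTTP/1.1\r\n"
    "Host: c2.example.invalid\r\n"
    "\r\n"
    "id=PLACEHOLDER-ID&ihasd3jasdhkas9&data=UExBQ0VIT0xERVI=\r\n"
)

if __name__ == "__main__":
    print(match_backoff(SAMPLE_MAY))           # (('1.55 "MAY"',), 'high')
    print(match_backoff(SAMPLE_UNKNOWN_PATH))  # (('1.55 "net"',), 'low')
```

Matching on the static string alone is deliberately reported as low confidence: three variants share `jhgtsd7fjmytkr`, and the URI is what separates them, so a detection that fires only on the token should be treated as a hunt lead rather than an attribution.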

    SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

    • GAV: Backoff.A (Trojan)
    • GAV: Backoff.A_2 (Trojan)

    ServStart Backdoor Spotted in the Wild

    The Dell SonicWALL Threats Research Team has recently encountered a sample of the ServStart backdoor family. The malware was captured in the wild as a drive-by download, and although it seems to be an outdated family, it has some interesting features.

    Infection Cycle

    WinMain() code showing different execution paths

    This sample of ServStart consists of a single file with two modes of execution. When launched directly as a standalone binary, it installs a copy of itself as a system service. After the malicious service is launched, it melts the original file in the common fashion, using cmd.exe to do the deletion: [C:\Windows\system32\cmd.exe /c del c:\windows\temp\13FD80~1.EXE > nul]

    Service properties

    When the threat is launched as a system service, it registers a mutex for itself, then spawns threads to communicate with two hardcoded hosts.

    The malware is started from services and connects to two hosts

    One host is specified with a hardcoded IP address while the other uses a static hostname. It is interesting to note that a date check is performed before the threat attempts to connect to the hostname. It is even more interesting that the date is in 2013, even though this sample appears to have been compiled in June 2014.

    Malware sleeps until 20130222

    Once the malicious service is active, the host operating system version and CPU speed are collected to send with the callback to the attacker’s server.

    While both hosts appear to be online, they no longer seem to accept the callback communications and respond only with TCP RST packets.

    It is unclear whether this is an attempt to hinder analysis via disassembly or decompilation or simply a side effect of the implementation, but the way the hardcoded hostname is constructed is somewhat unusual. A quick read of the disassembled or decompiled code suggests the hostname is “vip.3252300.com”; however, because of the way the variables are actually arranged in memory, the host turns out to be “vip.1325213100.com”.

    The definition in code compared to the memory layout

    Indicators of Compromise

    In order to persist across reboots, the malware installs itself as a system service that starts at boot time.

    The following mutex was seen during analysis; it is used to prevent unnecessary reinfection and to manage execution threads:

    • \BaseNamedObjects\Windows Dfsr My Teast 3.0

    The following registry key was seen during analysis:

    • HKLM\SYSTEM\ControlSet001\Services\Windows Dfsr My Teast 3.0

    The following file was dropped to disk:

    • C:\Windows\system32\vmware-vmx.exe

    Summary

    Overall, the purpose of this malware is to gain control of a target machine. Although the command and control servers are not currently responding to the malware's communications, the attackers could reactivate the servers or update the hostname's DNS record and regain control of any active infections at any time. Dell SonicWall Gateway Anti-Virus provides protection against this threat with the following signature:

    • GAV: ServStart.A_4

    Symantec Web Gateway SQL Injection (Aug 1, 2014)

    Symantec Web Gateway is a web security gateway appliance that protects organizations against web threats, including malicious URLs, spyware, botnets, viruses and other types of malware. A management interface is used to monitor and manage Web Gateway deployments; the web interface uses the HTTP and HTTPS protocols.

    A SQL injection vulnerability exists in clientreport.php in the management console of Symantec Web Gateway (SWG), which allows remote attackers to execute arbitrary SQL commands. The vulnerability is due to improper sanitization of HTTP parameters passed to PHP pages. A successful SQL injection exploit can execute SQL commands that read sensitive data from the database or even modify existing contents.

    This vulnerability has been assigned CVE-2014-1651.

    The Dell SonicWALL Threat Research team has observed consistent SQL injection attacks in the wild. The following graph shows recent data:

    Dell SonicWALL protects against this threat with the following signature:

    • 5679 SQL Injection Attack 3

    Browserlock (July 25,2014)

    Many types of ransomware are making news these days; one of them is Browserlock. Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid. Some forms of ransomware encrypt files on the system's hard drive, while others simply lock the system and display messages intended to coax the user into paying.

    Unlike typical ransomware, Browserlock is HTML ransomware that executes JavaScript to create the effect of locking the browser. It also claims to lock up files until a ransom is paid. The attacker entices the user to visit the malicious website where the ransomware is hosted; for it to work, the user must have JavaScript enabled. When the user visits the website, the JavaScript code executes and does not allow the user to close the browser or switch to a different document.

    Below is JavaScript code found in the ransomware that disables certain keyboard functions:

    The browser then displays a pop-up saying ‘YOUR BROWSER IS BEING LOCKED UP FOR SAFETY PURPOSES.ALL THE DATA ON YOUR COMPUTER IS UNDER ARREST.’ If the user selects ‘Leave this page’, the same message is shown again. If the user selects ‘Stay on this page’, they are unable to do anything on the page except fill in the ransom voucher.

    It also has a countdown timer that threatens the user into paying the ransom within a certain time period. When the countdown expires, the following pop-up is displayed:

    After clicking OK, the user still cannot leave the page.

    If the user enters a wrong MoneyPak voucher number, the following pop-up is displayed:

    When a correct voucher is entered, the following pop-up is displayed and a POST request is sent to the attacker's website. The POST sends the voucher number entered by the user, the amount and the IP address of the user's machine, along with other information. After clicking OK, the user is still unable to close the browser.

    The Browserlock ransomware request looks like this:

    The Dell SonicWALL threat research team has implemented the following signature to prevent this attack:

  • SPY: 2216 Malformed-File html.Q.7

    Zeus Gameover v3 (July 24, 2014)

    The Dell SonicWALL Threats Research Team has analyzed binaries that are part of a potential revival of the recently taken-down Zeus Gameover botnet. SonicWALL's Anti-Spam service detected and blocked the campaign initially reported by Malcovery Security and Brian Krebs. SonicWALL researchers were able to remove the protection scheme used to hide the malware, which at first glance masquerades as an inconspicuous MFC application with a PDF icon but, once run, infects the end user's workstation and begins calling out to command-and-control servers. The Domain Generation Algorithm (DGA) used in this latest iteration appears to differ from previous versions, and the Peer-to-Peer (P2P) component used previously does not appear to be included.

    Infection Cycle and Indicators of Compromise

    A host infected with this latest variant or spin-off of Zeus displays, at a functional level, no major new functionality. During this campaign, targets were presented with a spam email carrying a binary attachment that had a PDF icon. If the attachment is downloaded and run by an end user, it exhibits the typical Zeus behavior: a randomly named directory is created in %TEMP%, then a randomly named copy of the binary is dropped in the new directory, e.g.

    "C:Documents and SettingsaLocal SettingsTempZaofgadeg.exe"

    Then a batch file is created, also in %TEMP% to delete the initially downloaded artifact:

     @echo off
     :raejpugyl
     del /F /Q /A RSHAIL "C:Documents And Settingsafile.exe" >nul
     if exist "C:Documents And Settingsafile.exe" goto raejpugyl

    To maintain persistence, a registry run-key is created, pointing at the binary in %TEMP%

     SetValueKey "HKCUSoftwareMicrosoftWindowsCurrentVersionRunGadeg" "C:Documents and SettingsaLocal SettingsTempZaofgadeg.exe" 

    From here, we observe the file doing what we expect of Zeus: injecting pieces of itself into running processes and attempting to steal the end user's banking information. One thing we observed in this version that was not present in other recent versions of Gameover is anti-virtual-machine and sandbox detection, as detailed below in the unpacking walkthrough.

    Manually Unpacking

    To manually unpack the sample, we first need to bypass the checks for vboxservice.exe and vmtoolsd.exe, assuming you are analyzing in a VM; if not, this step can be skipped. Note that the code below was initially data that was modified and then copied to a newly allocated region of memory, which is where we are debugging, so if you look for these strings or code locations statically in the original binary, they will not exist. In the snippet below we observe two strings being built, then a sequence of Windows API calls to enumerate processes, iterate through that list and compare each running process name to the names VirtualBox and VMware use for their tools.

     debug039:01492610 mov     byte ptr [ebp-44h], 'V'
     debug039:01492614 mov     byte ptr [ebp-43h], 'B'
     debug039:01492618 mov     byte ptr [ebp-42h], 'o'
     debug039:0149261C mov     byte ptr [ebp-41h], 'x'
     debug039:01492620 mov     byte ptr [ebp-40h], 'S'
     debug039:01492624 mov     byte ptr [ebp-3Fh], 'e'
     debug039:01492628 mov     byte ptr [ebp-3Eh], 'r'
     debug039:0149262C mov     byte ptr [ebp-3Dh], 'v'
     debug039:01492630 mov     byte ptr [ebp-3Ch], 'i'
     debug039:01492634 mov     byte ptr [ebp-3Bh], 'c'
     debug039:01492638 mov     byte ptr [ebp-3Ah], 'e'
     debug039:0149263C mov     byte ptr [ebp-39h], '.'
     debug039:01492640 mov     byte ptr [ebp-38h], 'e'
     debug039:01492644 mov     byte ptr [ebp-37h], 'x'
     debug039:01492648 mov     byte ptr [ebp-36h], 'e'
     debug039:0149264C mov     [ebp-35h], bl
     debug039:0149264F mov     byte ptr [ebp-2Ch], 'v'
     debug039:01492653 mov     byte ptr [ebp-2Bh], 'm'
     debug039:01492657 mov     byte ptr [ebp-2Ah], 't'
     debug039:0149265B mov     byte ptr [ebp-29h], 'o'
     debug039:0149265F mov     byte ptr [ebp-28h], 'o'
     debug039:01492663 mov     byte ptr [ebp-27h], 'l'
     debug039:01492667 mov     byte ptr [ebp-26h], 's'
     debug039:0149266B mov     byte ptr [ebp-25h], 'd'
     debug039:0149266F mov     byte ptr [ebp-24h], '.'
     debug039:01492673 mov     byte ptr [ebp-23h], 'e'
     debug039:01492677 mov     byte ptr [ebp-22h], 'x'
     debug039:0149267B mov     byte ptr [ebp-21h], 'e'
     debug039:0149267F mov     [ebp-20h], bl
     debug039:01492682 call    dword ptr [ebp-4A4h]            ; kernel32_CreateToolhelp32Snapshot
     ...
     debug039:014926D3 call    esi                             ; kernel32_GetModuleHandleA
     debug039:014926D5 push    eax
     debug039:014926D6 call    dword ptr [ebp-4D4h]            ; kernel32_GetModuleFileNameA
     ...
     debug039:014926E6 call    dword ptr [ebp-4D0h]            ; kernel32_Process32First
     debug039:014926EC test    eax, eax
     debug039:014926EE jz      short loc_1492732
     debug039:014926F0
     debug039:014926F0 loc_14926F0:                            ; CODE XREF: debug039:0149272Ej
     ...
     debug039:014926FA call    dword ptr [ebp-0B0h]            ; kernel32_Process32Next
     debug039:01492700 test    eax, eax
     debug039:01492702 jz      short loc_1492732
     debug039:01492704 lea     eax, [ebp-79Ch]                 ; current proc
     debug039:0149270A push    eax
     debug039:0149270B lea     eax, [ebp-44h]                  ; looking for
     debug039:0149270E push    eax
     debug039:0149270F call    doChrCmp
     debug039:01492714 pop     ecx
     debug039:01492715 test    eax, eax
     debug039:01492717 pop     ecx
     debug039:01492718 jnz     short loc_1492730
     debug039:0149271A lea     eax, [ebp-79Ch]                 ; current proc
     debug039:01492720 push    eax
     debug039:01492721 lea     eax, [ebp-2Ch]                  ; looking for
     debug039:01492724 push    eax
     debug039:01492725 call    doChrCmp
     debug039:0149272A pop     ecx
     debug039:0149272B test    eax, eax
     debug039:0149272D pop     ecx
     debug039:0149272E jz      short loc_14926F0

    To bypass this, we can simply go to the strings location in memory:

     0011E6A8  56 42 6F 78 53 65 72 76  69 63 65 2E 65 78 65 00  VBoxService.exe.
     0011E6B8  F3 00 00 00 FA 00 00 00  76 6D 74 6F 6F 6C 73 64  =...·...vmtoolsd
     0011E6C8  2E 65 78 65 00 DD 54 01  BB 7A DD 77 6B 65 72 6E  .exe.¦T.+z¦wkern

    And in IDA, F2 to modify the memory and change a letter of each string, as seen below:

     0011E6A8  55 42 6F 78 53 65 72 76  69 63 65 2E 65 78 65 00  UBoxService.exe.
     0011E6B8  F3 00 00 00 FA 00 00 00  75 6D 74 6F 6F 6C 73 64  =...·...umtoolsd
     0011E6C8  2E 65 78 65 00 DD 54 01  BB 7A DD 77 6B 65 72 6E  .exe.¦T.+z¦wkern

    The next anti-analysis code we see looks for a module related to Sandboxie: CreateToolhelp32Snapshot > Module32First > Module32Next is called to look for sbiedll.dll. The technique to bypass this is the same as for VMware/VirtualBox. If any of the above are found, the malware calls the following to terminate:

     debug039:0149367E push    0
     debug039:01493680 xor     eax, eax
     debug039:01493682 call    eax
     debug039:01493684 retn

    Tracing further into the crypter's stub, we see it call CreateProcessW using itself as the argument; then several sections of memory are unmapped using NtUnmapViewOfSection, and VirtualAllocEx is called. At this point we have a new child process, and data begins to be written into sections of that child process.

     debug039:01492255 call    [ebp+kernel32_CreateProcessW]
     ...
     debug039:01492277 call    dword ptr [ebp-kernel32_GetThreadContext]
     ...
     debug039:0149228D call    [ebp+ntdll_NtReadVirtualMemory]
     debug039:01492293 push    [ebp+var_1C]
     debug039:01492296 push    [ebp+var_30]
     debug039:01492299 call    [ebp+NtUnmapViewOfSection]
     debug039:0149229C push    [ebp+var_1C]
     debug039:0149229F push    [ebp+var_30]
     debug039:014922A2 call    [ebp+NtUnmapViewOfSection]
     debug039:014922A5 push    [ebp+var_1C]
     debug039:014922A8 push    [ebp+var_30]
     debug039:014922AB call    [ebp+NtUnmapViewOfSection]
     debug039:014922AE push    dword ptr [edi+34h]
     debug039:014922B1 push    [ebp+var_30]
     debug039:014922B4 call    [ebp+NtUnmapViewOfSection]
     debug039:014922B7 push    dword ptr [edi+34h]
     debug039:014922BA push    [ebp+var_30]
     debug039:014922BD call    [ebp+NtUnmapViewOfSection]
     debug039:014922C0 push    40h
     debug039:014922C2 push    3000h
     debug039:014922C7 push    dword ptr [edi+50h]
     debug039:014922CA push    dword ptr [edi+34h]
     debug039:014922CD push    [ebp+var_30]
     debug039:014922D0 call    [ebp+kernel32_VirtualAllocEx]
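The CreateProcessW > NtUnmapViewOfSection > VirtualAllocEx sequence above, which the walkthrough continues with WriteProcessMemory, SetThreadContext and ResumeThread, is the classic process-hollowing pattern, and the CreateToolhelp32Snapshot / Process32First / Process32Next walk before it is the anti-VM probe. The following Python is an added example (not SonicWALL's code and not the sample's) that flags both patterns in a sandbox-style API trace. The trace format, one `(api, args)` tuple per call, and the sample traces are constructed; the assumption that the tracer records string-compare operands under a `strings` key is mine (the sample compares with an internal routine, doChrCmp, which a plain API tracer would not see), as is the use of the Win32 CREATE_SUSPENDED flag value to confirm the child was created suspended.

```python
"""Flag the hollowing and anti-VM call patterns described above in an API trace.

Added example, not SonicWALL's or the sample's code. A trace here is a list of
(api_name, args_dict) tuples; that format and the sample traces are constructed.
"""

# Order the write-up walks through in the crypter's stub. Calls such as
# GetThreadContext or NtReadVirtualMemory may sit in between; only relative
# order matters to the matcher, not adjacency.
HOLLOWING_SEQUENCE = (
    "CreateProcessW",
    "NtUnmapViewOfSection",
    "VirtualAllocEx",
    "WriteProcessMemory",
    "SetThreadContext",
    "ResumeThread",
)

# Process walk performed by the anti-VM check, and the tool names it compares against.
VM_PROBE_SEQUENCE = ("CreateToolhelp32Snapshot", "Process32First", "Process32Next")
VM_TOOL_PROCESSES = {"vboxservice.exe", "vmtoolsd.exe"}

CREATE_SUSPENDED = 0x4  # Win32 dwCreationFlags bit (assumed recorded by the tracer as 'flags')


def find_ordered(trace, pattern):
    """Indices at which `pattern` appears in `trace` as an ordered (not
    necessarily contiguous) subsequence, or None when it does not."""
    hits, want = [], 0
    for index, (api, _args) in enumerate(trace):
        if api == pattern[want]:
            hits.append(index)
            want += 1
            if want == len(pattern):
                return hits
    return None


def detect_hollowing(trace):
    """Return {'indices': [...], 'child_suspended': bool} or None."""
    hits = find_ordered(trace, HOLLOWING_SEQUENCE)
    if hits is None:
        return None
    _api, args = trace[hits[0]]  # the CreateProcessW call that started the sequence
    return {
        "indices": hits,
        "child_suspended": bool(args.get("flags", 0) & CREATE_SUSPENDED),
    }


def detect_vm_probe(trace):
    """True when the snapshot walk occurs and a VM tool name is among the
    compared strings. Assumes the tracer logs compare operands under 'strings'."""
    if find_ordered(trace, VM_PROBE_SEQUENCE) is None:
        return False
    compared = {s.lower() for _api, args in trace for s in args.get("strings", ())}
    return bool(compared & VM_TOOL_PROCESSES)


# Constructed trace shaped after the listings above. 0x3000 (MEM_COMMIT|MEM_RESERVE)
# and 0x40 (PAGE_EXECUTE_READWRITE) are the values pushed before VirtualAllocEx
# in the disassembly; the CREATE_SUSPENDED flag on CreateProcessW is assumed.
SAMPLE_TRACE = [
    ("GetModuleHandleA", {}),
    ("CreateToolhelp32Snapshot", {"flags": 0x2}),
    ("Process32First", {}),
    ("Process32Next", {}),
    ("lstrcmpiA", {"strings": ("explorer.exe", "VBoxService.exe")}),
    ("CreateProcessW", {"image": "<self>", "flags": CREATE_SUSPENDED}),
    ("GetThreadContext", {}),
    ("NtReadVirtualMemory", {}),
    ("NtUnmapViewOfSection", {}),
    ("NtUnmapViewOfSection", {}),
    ("VirtualAllocEx", {"type": 0x3000, "protect": 0x40}),
    ("WriteProcessMemory", {}),
    ("WriteProcessMemory", {}),
    ("SetThreadContext", {}),
    ("ResumeThread", {}),
]

# A parent that merely launches a child and resumes it: no unmap/alloc/write, so no verdict.
BENIGN_TRACE = [
    ("CreateProcessW", {"image": "notepad.exe", "flags": CREATE_SUSPENDED}),
    ("WaitForSingleObject", {}),
    ("ResumeThread", {}),
]

if __name__ == "__main__":
    print(detect_hollowing(SAMPLE_TRACE), detect_vm_probe(SAMPLE_TRACE))
    print(detect_hollowing(BENIGN_TRACE), detect_vm_probe(BENIGN_TRACE))
```

Because the matcher only requires relative order, the repeated NtUnmapViewOfSection calls and the GetThreadContext / NtReadVirtualMemory calls the listing shows in between do not break the match; a child created suspended and then unmapped, written to and resumed is the signal, whichever APIs the crypter interleaves.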

    To get further along, to where the unpacked binary is ready for us to dump, we are looking for CreateProcess > VirtualAlloc > multiple calls to WriteProcessMemory, then SetThreadContext and finally a call to ResumeThread, like below.

     debug039:01492354 call    [ebp+kernel32_WriteProcessMemory]
     debug039:0149235A mov     eax, [edi+28h]
     debug039:0149235D add     eax, [ebp+var_5C]             ; make note of eax here, its OEP
     debug039:01492360 mov     [ebp+var_1204], eax           ; eax == 00432EA1
     debug039:01492366 mov     [ebp+var_120C], eax
     debug039:0149236C lea     eax, [ebp+var_12BC]
     debug039:01492372 push    eax
     debug039:01492373 push    [ebp+var_2C]
     debug039:01492376 call    [ebp+SetThreadContext]
     debug039:0149237C push    [ebp+var_2C]
     debug039:0149237F call    [ebp+kernel32_ResumeThread]

    If we break at 0x01492360 and note the value in EAX, we next need to set a breakpoint on the call to ResumeThread. Break here, but don't execute yet. If we open the process in 010 Editor, the bottom pane has a “Process” tab that shows heap, flags etc. At 0x400000 we observe some memory that starts with “MZ”. Getting warmer. We noted the EP above, so if we drop the probable base address of 0x400000 and add 0x32EA1 to the start of the section that has the “MZ”, we arrive at a local address of 0x35EA1. Still in 010, we overwrite 0x558B with 0xEBFE here and save:


    We can then step over ResumeThread and run the parent process. It will exit, and the child process will be left suspended in an infinite loop at the OEP, where we can attach to continue debugging and also dump the unpacked executable. In its unpacked state at the OEP we see a much more familiar entry point and much more code analyzed than before:

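The offset arithmetic and the EB FE patch from the steps above, as an added Python example (not SonicWALL's code): `local_offset` turns the image base, the OEP noted in EAX and the position of the “MZ” in the dump into the offset to patch, and `plant_loop` only overwrites the bytes if they are the expected 55 8B prologue, returning the originals so the entry point can be restored after attaching. The image base 0x400000 and OEP 0x432EA1 are the values from the walkthrough; the MZ position 0x3000 is derived from the 0x32EA1/0x35EA1 offsets above; the dump buffer itself is constructed.

```python
"""Locate the OEP inside a dumped image and plant the EB FE spin loop.

Added example, not code from the write-up. Image base and OEP are the
write-up's values; the MZ position is derived from its offsets; the dump
buffer is constructed.
"""

IMAGE_BASE = 0x400000       # probable base seen in the 010 Editor "Process" tab
OEP = 0x00432EA1            # EAX at 0x01492360: [edi+28h] plus the section delta
MZ_OFFSET_IN_DUMP = 0x3000  # 0x35EA1 - 0x32EA1: where the "MZ" sits in the dumped view

PROLOGUE = b"\x55\x8B"      # push ebp / mov ebp, esp: the 0x558B overwritten in the text
SPIN_LOOP = b"\xEB\xFE"     # jmp to itself: the child parks at the OEP until a debugger attaches


def find_mz(dump: bytes) -> int:
    """Offset of the first 'MZ' header in the dump, or -1 if there is none."""
    return dump.find(b"MZ")


def local_offset(image_base: int, oep: int, mz_offset: int) -> int:
    """Offset of the OEP in the dump: its RVA (OEP minus image base) added to the MZ position."""
    if oep < image_base:
        raise ValueError("OEP lies below the image base")
    return mz_offset + (oep - image_base)


def plant_loop(dump: bytearray, offset: int, expected: bytes = PROLOGUE) -> bytes:
    """Replace the two bytes at `offset` with EB FE.

    Refuses to patch unless the bytes are the expected prologue, so a wrong
    base or OEP guess is caught instead of silently corrupting another
    instruction. Returns the original bytes for later restoration.
    """
    original = bytes(dump[offset:offset + 2])
    if original != expected:
        raise ValueError(
            f"unexpected bytes at {offset:#x}: {original.hex()} (expected {expected.hex()})")
    dump[offset:offset + 2] = SPIN_LOOP
    return original


def restore(dump: bytearray, offset: int, original: bytes) -> None:
    """Put the saved prologue bytes back once the debugger is attached."""
    dump[offset:offset + len(original)] = original


def build_sample_dump() -> bytearray:
    """Constructed stand-in for the process memory view: zero-filled, with an MZ
    header at MZ_OFFSET_IN_DUMP and a standard prologue (55 8B EC) at the OEP."""
    dump = bytearray(MZ_OFFSET_IN_DUMP + 0x40000)
    dump[MZ_OFFSET_IN_DUMP:MZ_OFFSET_IN_DUMP + 2] = b"MZ"
    off = local_offset(IMAGE_BASE, OEP, MZ_OFFSET_IN_DUMP)
    dump[off:off + 3] = b"\x55\x8B\xEC"
    return dump


if __name__ == "__main__":
    dump = build_sample_dump()
    off = local_offset(IMAGE_BASE, OEP, find_mz(dump))
    saved = plant_loop(dump, off)
    print(f"patched {saved.hex()} -> {SPIN_LOOP.hex()} at {off:#x}")  # 558b -> ebfe at 0x35ea1
```

The guard in `plant_loop` is the practical point: the base address is a guess read off the hex view, and if the two bytes at the computed offset are not a prologue the guess (or the noted EAX) is wrong, and writing EB FE there would leave the child spinning somewhere other than the OEP.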

    Some strings will still be encoded; however, we see references to the banking software processes Zeus is known to look for in order to steal information, such as:

     .text:00408944 00000006 unicode us
     .text:0040894C 00000012 unicode bancline
     .text:00408960 00000012 unicode fidelity
     .text:00408974 00000012 unicode micrsolv
     .text:00408988 00000010 unicode bankman
     .text:00408998 0000000E unicode vantiv
     .text:004089A8 0000000E unicode episys
     .text:004089B8 00000016 unicode jack henry
     .text:004089D0 00000014 unicode cruisenet
     .text:004089E4 00000014 unicode gplusmain
     .text:004089F8 00000026 unicode launchpadshell.exe
     .text:00408A20 0000001A unicode dirclt32.exe
     .text:00408A3C 00000012 unicode wtng.exe
     .text:00408A50 0000001A unicode prologue.exe
     .text:00408A6C 00000016 unicode silverlake
     .text:00408A84 00000014 unicode pcsws.exe
     .text:00408A98 00000016 unicode v48d0250s1
     .text:00408AB0 0000001A unicode fdmaster.exe
     .text:00408ACC 00000010 unicode fastdoc
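    The listing above is IDA's Strings window over the unpacked dump. The same UTF-16LE ("unicode") strings can be pulled from a raw dump without IDA and checked against the names Zeus looks for; the example below is added here and is not code from the original article. Its sample buffer is constructed from a few of the names quoted in the listing plus filler bytes and is not the Zeus binary.

```python
"""Added example, not code from the original article: list UTF-16LE strings
in a raw dump the way IDA's Strings window does, and flag the ones that match
the banking-software names from the unpacked Zeus listing."""
import re

# Process/product names from the unpacked Zeus strings quoted in the article
ZEUS_TARGETS = frozenset([
    "bancline", "fidelity", "micrsolv", "bankman", "vantiv", "episys",
    "jack henry", "cruisenet", "gplusmain", "launchpadshell.exe",
    "dirclt32.exe", "wtng.exe", "prologue.exe", "silverlake", "pcsws.exe",
    "v48d0250s1", "fdmaster.exe", "fastdoc",
])


def extract_utf16le_strings(blob: bytes, min_len: int = 4):
    """Return [(offset, text)] for runs of at least min_len printable ASCII
    code units stored as UTF-16LE (each character followed by a 0x00 byte)."""
    pat = re.compile(rb"(?:[\x20-\x7E]\x00){%d,}" % min_len)
    return [(m.start(), m.group().decode("utf-16-le")) for m in pat.finditer(blob)]


def find_zeus_targets(blob: bytes):
    """Case-insensitive match of the extracted strings against ZEUS_TARGETS."""
    return sorted({s for _, s in extract_utf16le_strings(blob) if s.lower() in ZEUS_TARGETS})


# Constructed sample: two target names and one non-target in UTF-16LE,
# separated by code bytes and an ASCII-only string that must not match.
SAMPLE_DUMP = (
    b"\x55\x8B\xEC\x00\x00"
    + "bancline".encode("utf-16-le") + b"\x00\x00"
    + b"hello world" + b"\x90\xCC\x90"
    + "dirclt32.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\x00\x41\x00\x00"                      # lone 'A': below min_len
    + "notepad.exe".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    for off, s in extract_utf16le_strings(SAMPLE_DUMP):
        print(f"{off:#06x} {s}")
    print("Zeus targets present:", find_zeus_targets(SAMPLE_DUMP))
```

    The regex only accepts the printable ASCII range, so Cyrillic or other non-Latin UTF-16 text is skipped; widen the first character class if the dump is expected to carry such strings.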

    Summary

    GAV Signature “Zbot.A_51” was created to block the binaries associated with spam attachments or other distribution methods. Thus far Dell SonicWALL NGFW Threat Prevention services (GAV/IPS) and email security solutions have been blocking this attack. SonicWALL researchers will also continue tracking, analyzing and reporting on this new campaign as it develops.

    Related Articles and References:

    Another Android Trojan targeting Korean Banks (July 18, 2014)

    Dell SonicWALL Threats Research team published a blog recently about an Android Malware targeting specific Korean Banks. We received reports of yet another Android Malware targeting the same banks and showing similar behaviour to the Malware analyzed earlier. Similar to the previous Malware, this malicious app targets specific Korean banking apps and steals sensitive information from the victim device and sends it to the attacker.

    Infection Cycle

    During installation the app requests the following permissions:

    • Read SMS
    • Write SMS
    • Receive SMS
    • Send SMS
    • Read Contacts
    • Write Contacts
    • Internet
    • Write External Storage
    • Access Network State
    • Read Phone State
    • Receive Boot Completed
    • Update App OPS Stats
    • Get Tasks
    • Vibrate
    • Kill Background Processes

    In addition, the app requests Administrator access.

    Upon installation the app appears in the app drawer as Google Framework Services. The app shows a few characteristics post-installation that are similar to the previous Android malware we analyzed:

    • The app disappears from the app drawer after the user clicks on it the first time
    • Service(s) originating from the app are visible in the Running tab even though the app appears to have crashed
    • The uninstallation tab is blocked out and it's not possible to remove the app directly

    The Malware constructs and sends a GET request to the server 103.228.65.101 and in response receives the command/task it needs to execute on the victim device. At the time of writing this blog the server was unresponsive, but the image below shows resolveTasks() to be the function that stores the list of tasks the Malware can execute:

    Let's understand what actually happens when these tasks are executed by the Malware:

    • UploadDetail
      This task gathers sensitive information stored on the device and sends it to the attacker. Some of the information sent includes:
      • Phone Number
      • IMEI number
      • Entire Contacts List

      One interesting piece of information sent is the bank list. As mentioned before, this Malware targets specific Korean banking software. If any of these apps are present on the device, an abbreviation is sent for the corresponding app indicating its presence. The target bank list includes the same banks as the previous Malware. The image below shows the information sent with the banking apps mentioned:

      Android Malware Bankrypt

    • PopWindow
      This task replaces the targeted banking apps present on the device, but these banking apps require installation of the AhnLab V3 Mobile Plus security solution. Before the banking apps can be replaced, the malicious app needs to kill V3 Mobile Plus, which is running in the background:

      It then displays the message “The new version has been released. Please use after reinstallation”. It uninstalls the targeted Banking app and replaces it with an app downloaded from the server:

    • UploadSMS
      This task POSTs the SMS messages stored on the device to the attacker.
    • UpdateMe
      The malicious app checks and downloads a new version of itself if available.

    Additional observations about the Malware:

    • We observed some functions like BankHijack, FilterSms and RunIntents to be incomplete, indicating that this piece of Malware might be a work in progress

    • The Malware targets specific Korean Banks and one of the modules where Contacts on the device are retrieved pays special attention to numbers from China:


      This gives strong indications about the possible origin and region-specific targets of this Malware campaign.

    As discussed earlier, we saw a number of similarities between this Malware and the one we analyzed a few days back. At the same time there are a few differences that indicate this is an evolved version of the previous Malware strain:

    • SMS theft is a new addition in this version of the Malware
    • Data was stored on the sdcard in zipped form in the previous Malware, but this version maintains a database. Sensitive user information is retrieved from the database and then sent as a POST request to the attacker

    • A few functionalities are incomplete at the moment

    Based on these observations we can expect a more evolved version of similar Malware, targeting the same or more banks, to appear in the Android Malware landscape in the near future.

    Dell SonicWALL Gateway Antivirus provides protection against this threat via the following signature:

    • GAV: AndroidOS.Bankrypt.BH_2 (Trojan)

    Symantec Web Gateway XSS (Jul 18, 2014)

    Symantec Web Gateway protects organizations against multiple types of Web-borne malware, prevents data loss over the Web and gives organizations the flexibility of deploying it as either a virtual appliance or on physical hardware. Symantec Web Gateway provides a web interface which provides administration, reports and other functionalities.

    A cross-site scripting (XSS) vulnerability exists in Symantec Web Gateway. Specifically, the vulnerability is due to a lack of sanitization of HTTP(S) requests sent to the Symantec Web Gateway management console interface. A remote attacker could exploit this vulnerability by enticing a user to click a specially crafted URL link or to submit a web form with crafted values in its fields. Successful exploitation could result in execution of arbitrary script in the victim’s browser.

    The vulnerability has been assigned CVE-2014-1652.
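    The bug class described above is a request parameter reflected into a management page without output encoding. The example below is added here and is not Symantec's code: a minimal console page that echoes a parameter verbatim, beside the same page with HTML encoding applied. The page, the parameter name filter and the HTML template are invented for the illustration.

```python
"""Added example, not Symantec's code: reflected-parameter XSS pattern and
its fix. The parameter name and template are invented for the illustration."""
import html
from urllib.parse import parse_qs

TEMPLATE = '<h2>Report for: {v}</h2>\n<input name="filter" value="{v}">'


def _filter_param(query: str) -> str:
    """Pull the 'filter' value out of a raw query string such as 'filter=abc'."""
    return parse_qs(query, keep_blank_values=True).get("filter", [""])[0]


def render_report_vulnerable(query: str) -> str:
    """Echoes the request parameter straight into the page: anything the
    URL carries, including markup, is interpreted by the admin's browser."""
    return TEMPLATE.format(v=_filter_param(query))


def render_report_fixed(query: str) -> str:
    """Same page with the value HTML-encoded for both the text node and the
    quoted attribute (quote=True also encodes the double and single quote)."""
    return TEMPLATE.format(v=html.escape(_filter_param(query), quote=True))


def reflects_raw_markup(rendered: str, untrusted: str) -> bool:
    """True if an untrusted value carrying <, >, " or ' reached the page intact."""
    return any(c in untrusted for c in '<>"\'') and untrusted in rendered


if __name__ == "__main__":
    # Constructed probe: URL-encoded form of <b>injected</b>">
    crafted = "filter=%3Cb%3Einjected%3C%2Fb%3E%22%3E"
    print(render_report_vulnerable(crafted))
    print(render_report_fixed(crafted))
```

    The encoding is applied at output time, in the context the value lands in; an input filter on the request (which is what a network IPS signature approximates from the outside) cannot know that context and is a second layer, not a substitute.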

    Dell SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

    • 4527 Symantec Web Gateway Multiple PHP Pages XSS