SweetOrange ExploitKit and Qakbot (July 11, 2014)

The Dell SonicWALL Threats Research Team has recently encountered an example of the Qakbot malware family. This long-lived malware family was seen being dropped by the SweetOrange Exploit Kit. This bot has many features and capabilities and is a danger to sensitive networks and data.

Infection Cycle

This sample of Qakbot is self-contained and, besides log and config files, only drops identical copies of itself to disk. Multiple stages of unpacking are required to reveal the full capabilities of the sample. After the initial execution, the original file is deleted with a typical invocation of cmd.exe: [cmd /c ping -n 10 localhost && del "C:\windows\temp\file.exe"]

Once the original file is melted via cmd.exe and the malware is unpacked in memory, it injects into numerous processes, particularly applications that stay resident in the system tray.

Qakbot Process Injection

In this case, the main injection target was the Skype process, which was then used to beacon out to a command and control server.

The injected Skype process is connected to a C&C server

This C&C traffic is very simple and serves as a beacon to let the attackers know that a new machine has been infected. The IP address of the infected machine and the malware-generated host identifier are the primary contents.

The beacon traffic contains only basic information

In addition to the beacon traffic, this malware also sends a record of the user’s browsing behavior in real time.

Browsing behavior is sent out to a C&C server in encoded HTTP requests

The data is only URL-escaped and can be easily decoded to show the true nature of the HTTP traffic:

The decoded C&C traffic clearly shows the user's browsing behavior

Indicators of Compromise

In order to persist upon reboot, the malware creates multiple run keys. Our analysis included one that uses the malware’s “/c” flag to execute and inject a target application.

The malware auto-runs itself and piggy-backs on a normal start-up application

The following randomized mutexes were seen during analysis and are used to prevent unnecessary reinfection and to manage the different infection threads.

  • \Sessions\1\BaseNamedObjects\filea
  • \Sessions\1\BaseNamedObjects\izbtitjv
  • \Sessions\1\BaseNamedObjects\kyeuyya
  • \BaseNamedObjects\kyeuyy
  • \BaseNamedObjects\tlkpito
  • \BaseNamedObjects\diges
  • \BaseNamedObjects\frxikyn

Summary

Overall, the purpose of this malware is to gain control of and gather information from the target machine. Qakbot has a variety of functionality and will steal banking information and other personal data and credentials. Dell SonicWall Gateway Anti-Virus provides protection against this threat with the following signature:

  • GAV: Qbot.BH

Microsoft Security Bulletin Coverage (July 8, 2014)

Dell SonicWALL has analyzed and addressed Microsoft's security advisories for the month of July, 2014. A list of the issues reported, along with Dell SonicWALL coverage information, follows:

MS14-037 Cumulative Security Update for Internet Explorer (2975687)

  • CVE-2014-1763 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-1765 Internet Explorer Memory Corruption Vulnerability
    IPS: 4393 “Internet Explorer Memory Corruption Vulnerability (MS14-037) 4”
  • CVE-2014-2783 Extended Validation (EV) Certificate Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2785 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2786 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2787 Internet Explorer Memory Corruption Vulnerability
    IPS: 4400 “Internet Explorer Memory Corruption Vulnerability (MS14-037) 5”
  • CVE-2014-2788 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2789 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2790 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2791 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2792 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2794 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2795 Internet Explorer Memory Corruption Vulnerability
    IPS: 4402 “Internet Explorer Memory Corruption Vulnerability (MS14-037) 6”
  • CVE-2014-2797 Internet Explorer Memory Corruption Vulnerability
    IPS: 4392 “Internet Explorer Memory Corruption Vulnerability (MS14-037) 3”
  • CVE-2014-2798 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2800 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2801 Internet Explorer Memory Corruption Vulnerability
    IPS: 4390 “Internet Explorer Memory Corruption Vulnerability (MS14-037) 2”
  • CVE-2014-2802 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2803 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2804 Internet Explorer Memory Corruption Vulnerability
    IPS: 4388 “Internet Explorer Memory Corruption Vulnerability (MS14-037) 1”
  • CVE-2014-2806 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2807 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2809 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-2813 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.

MS14-038 Vulnerability in Windows Journal Could Allow Remote Code Execution (2975689)

  • CVE-2014-1824 Windows Journal Remote Code Execution Vulnerability
    There are no known exploits in the wild.

MS14-039 Vulnerability in On-Screen Keyboard Could Allow Elevation of Privilege (2975685)

  • CVE-2014-2781 On-Screen Keyboard Elevation of Privilege Vulnerability
    There are no known exploits in the wild.

MS14-040 Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684)

  • CVE-2014-1767 Ancillary Function Driver Elevation of Privilege Vulnerability
    There are no known exploits in the wild.

MS14-041 Vulnerability in DirectShow Could Allow Elevation of Privilege (2975681)

  • CVE-2014-2780 DirectShow Elevation of Privilege Vulnerability
    There are no known exploits in the wild.

MS14-042 Vulnerability in Microsoft Service Bus Could Allow Denial of Service (2972621)

  • CVE-2014-2814 Service Bus Denial of Service Vulnerability
    There are no known exploits in the wild.

Spam campaign roundup: The Independence Day Edition (July 3, 2014)

As we all know, United States Independence Day falls on the fourth of July. Independence Day is commonly associated with fairs, fireworks, barbecues, getting together, and so on. Since sales levels are lower during holidays, stores offer deals and specials for July 4th, and spammers, as always, take advantage of the major festivities to spread their spam.

Over the last week, the Dell SonicWALL threats research team has been following all Independence Day related spam emails and has observed a steady increase as July 4th approaches.

These emails have a common theme of trying to lure consumers to click on the links and provide their personal information in exchange for access to deep discounts and offers. Most of these emails are poorly crafted with evident errors in grammar and spelling. The following are some of the most common email subjects:

  • July 4th – ONE DAY ONLY (Up To 50% Reducation)
  • 4th of July Clearance on New Cars
  • 4th of July Special – Gensets
  • Instant July 4th Price Markdowns (you have to see this)
  • July 4th sign and drive even 2014 – Access now
  • Don’t miss these July 4th Auto Markdowns Godbcvj

These emails look convincing, trying to attract consumers with offers such as free gift cards. Once the user clicks on the link, they are led to an affiliate website that asks them to complete a survey requesting their personal information.

As of now, we have not seen any malware associated with this spam campaign.

We urge our users to always be vigilant and cautious with any unsolicited email and to avoid providing any personal information, particularly if you are not certain of the source.

Dell SonicWALL Gateway Antivirus monitors and provides constant protection against such malicious threats.

Android Banking Trojan targets Korean users (June 30, 2014)

The Dell SonicWALL Threats Research team received reports of an Android malware that steals sensitive information from the victim's mobile device after infection. We observed specific Korean financial apps being monitored by this malware on the victim's device, making this a very targeted attack.

Infection Cycle

During installation the app requests the following permissions:

  • Send SMS
  • Receive Boot Completed
  • Internet
  • System Alert Window
  • Wifi State
  • Get Tasks
  • Call Phone
  • Receive SMS
  • Mount Unmount
  • Mount Format Filesystems
  • Write External Storage
  • Read Contacts
  • Read SMS

In addition, the app requests Administrator Access to perform some key actions like:

  • Forcefully lock the device
  • Factory Reset the phone
  • Disable the Camera

Upon installation the app appears in the app drawer as "googl app stoy". When opened, the app displays "Program error deleted it!" and then abruptly closes.

One may think that the app crashed and was uninstalled, but a close examination of the running processes shows that there are 3 services actively running under "google app stoy":

Android services are components of an Android app that run in the background, performing long-running operations with little to no user intervention. Let's examine some of these services in a bid to uncover the devious motives of this malware.

UploadPhone Service

This service is used for uploading data collected by the malware:

  • Checks if the device has specific banking apps installed and sends this information to the server
  • Posts the all.zip file located in the temp folder of the mounted SD card to the server. This file contains all the stolen data
  • The same file is named [phone_number]_npki.zip and sent via Gmail; the credentials for this Gmail account are hard-coded


Uninstall Service

  • Checks if AhnLab V3 Mobile Plus 2.0 is installed on the phone and, if found, attempts to uninstall this app
  • AhnLab V3 Mobile Plus claims to provide protection against fraud/accidents caused by malicious programs when using e-banking apps
  • Based on a user review of this app, it appears that some Korean banking apps force the installation of this app; the malware writers have thus taken the precaution of removing it

SoftService

  • Stores a file locally with the server information
  • Checks if the app is running on an Android emulator and, if so, exits
  • This is a precaution taken by the malware writers to thwart security researchers analysing this malicious app

A Broadcast Receiver is an Android component that listens for system-wide events and performs a specified action once that event occurs. The following receivers were seen in the malware:

SystemReceiver

  • This listens for two events, Boot_Completed and User_Present; when either of these events occurs, this receiver launches the services shown in the image below. We have already discussed a few of these services in detail
  • The Boot_Completed event indicates that the device has booted and the User_Present event indicates that the user has unlocked the screen

OpenActivityReceiver

  • This listens for the Sms_Received event and performs a set of actions
  • Personal SMS arriving at the device are relayed to a server at im[Removed]/phon/sms.php
  • Commands can be issued to this malware via SMS; the following commands were identified:
    • ak49 : Content following this command is written to the file ak49.txt and the UploadContent service is invoked
    • ak40-1 : Writes "1" to ak40.txt
    • ak40-2 : Deletes the file ak40.txt
    • ak40-anything_else : Checks ak40.txt and, if that file contains "1", mails the contents of the SMS via Gmail to the attacker
    • ak60 : Content following this command is written to sms_name.txt; this file saves the Gmail account to which data is sent
    • ak61 : Content following this command is written to sms_pws.txt; this file saves the password for the Gmail account

Additionally we observed the following:

  • The malware has a function bankHijack() which tries to access data of the targeted banking apps via Shared Preferences. Android provides an app with many ways to store data on a device, and Shared Preferences is one of them; if adequate security measures are not taken, it is possible for a rogue app to access data stored via the Shared Preferences of another app
  • The malware stores bank-related information as part of the data it collects and uploads this information along with the other data

Based on our analysis and observation, both the banking applications and the anti-virus solution that the malware targets are catered towards Korean users. These points give a good indication that this is a targeted attack centred on a specific user base. The app has a host of features to steal sensitive user information in a stealthy manner, with services running in the background. An easy way to verify whether your device is infected is to check if any running services similar to the ones described in this post are present.

A potent way to prevent such apps from infecting your device is to install apps only from the Google App Store and think twice before giving an app Device Administrator privileges.

Dell SonicWALL Gateway Antivirus provides protection against this threat via the following signature:

  • GAV: AndroidOS.Bankrypt.BT (Trojan)

Cryptowall Ransomware uses Bitcoin and TOR exclusively (June 27, 2014)

The Dell SonicWall Threats Research team has received reports of a new variant of the Cryptolocker Ransomware Trojan named Cryptowall. As authorities home in on the operator of the original Cryptolocker (covered in a previous SonicAlert), the operators of this variant have chosen to use Bitcoin as the only method of payment and TOR to hide its C&C servers.

Infection Cycle:

The Trojan uses the following email to masquerade as a legitimate FAX message:

The Trojan adds the following files to the filesystem:

  • %APPDATA%\3554cca.exe (copy of original)
  • %USERPROFILE%\Start Menu\Programs\Startup\3554cca.exe (copy of original)
  • %USERPROFILE%\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.HTML
  • %USERPROFILE%\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.TXT
  • %USERPROFILE%\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.URL

The Trojan adds the following files for each directory in which it has encrypted files.

  • DECRYPT_INSTRUCTION.HTML (instruction page)
  • DECRYPT_INSTRUCTION.TXT (explanation of what happened to the system)
  • DECRYPT_INSTRUCTION.URL (for displaying the instruction page at startup)

Below is a sample of the registry keys added to the system. The files have a reference code just like in the original Cryptolocker:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 3554cc "%SYSTEMROOT%\3554cca\3554cca.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 3554cca "%APPDATA%\3554cca.exe"
  • HKEY_CURRENT_USER\Software\3554CCA8DEC8E202D2A58AB4E13A3898\CRYPTLIST %DEFAULTUSERPROFILE%\Templates\excel.xls dword:ac9ef1d9
  • HKEY_CURRENT_USER\Software\3554CCA8DEC8E202D2A58AB4E13A3898\CRYPTLIST %DEFAULTUSERPROFILE%\Templates\excel4.xls dword:ac9ef1d9
  • HKEY_CURRENT_USER\Software\3554CCA8DEC8E202D2A58AB4E13A3898\CRYPTLIST %DEFAULTUSERPROFILE%\Templates\powerpnt.ppt dword:ac9ef1d9
  • HKEY_CURRENT_USER\Software\3554CCA8DEC8E202D2A58AB4E13A3898\CRYPTLIST %DEFAULTUSERPROFILE%\Templates\quattro.wb2 dword:ac9ef1d9
  • HKEY_CURRENT_USER\Software\3554CCA8DEC8E202D2A58AB4E13A3898\CRYPTLIST %DEFAULTUSERPROFILE%\Templates\sndrec.wav dword:ac9ef1d9
  • HKEY_CURRENT_USER\Software\3554CCA8DEC8E202D2A58AB4E13A3898\CRYPTLIST %DEFAULTUSERPROFILE%\Templates\winword.doc dword:ac9ef1d9
  • HKEY_CURRENT_USER\Software\3554CCA8DEC8E202D2A58AB4E13A3898\CRYPTLIST %DEFAULTUSERPROFILE%\Templates\winword2.doc dword:ac9ef1d9
  • HKEY_CURRENT_USER\Software\3554CCA8DEC8E202D2A58AB4E13A3898\CRYPTLIST %DEFAULTUSERPROFILE%\Templates\wordpfct.wpd dword:ac9ef1d9
The Trojan runs the following command to delete any shadow copies present on the system:

  vssadmin.exe Delete Shadows /All /Quiet

DECRYPT_INSTRUCTION.URL contains the following data:

The Trojan runs explorer.exe and causes it to inject code into a new instance of svchost.exe. The new svchost process is responsible for encrypting files on the system and for receiving PGP decryption information from the C&C server:

Further encrypted communication was observed over the TOR network:

Once the Trojan has finished the file encryption process, it causes the default browser to display the following pages:

The pages contain details of what happened to the system and indicate that Bitcoin is the only method of payment for restoring the files. The ransom is increased if the funds are not paid before an initial deadline. The combination of Bitcoin and TOR makes it significantly harder for authorities not only to track the operators but also to take down the C&C servers.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Crypwall.H (Trojan)
  • GAV: Cryptodef.GF (Trojan)
  • GAV: Cryptodef.MD (Trojan)
  • GAV: Cryptodef.GK (Trojan)
  • GAV: Filecoder.V (Trojan)
  • GAV: Filecoder.CQ_3 (Trojan)
  • GAV: Filecoder.W_20 (Trojan)

SAP Sybase ESP Vulnerabilities (Jun 27, 2014)

XML-RPC is a remote procedure call (RPC) protocol; it works by sending an HTTP request to a server implementing the protocol. The client in that case is typically software wanting to call a single method of a remote system. Multiple input parameters can be passed to the remote method, and one return value is returned. The parameter types allow nesting of parameters into maps and lists, so larger structures can be transported.

SAP Sybase Event Stream Processor (ESP) is a real-time data analysis solution. Traditional data analysis involves running queries against static data in a database. Sybase ESP, on the other hand, runs continuous queries against a continuous stream. XML-RPC is used in ESP applications to modify elements.

Several vulnerabilities exist in SAP Sybase ESP. The vulnerabilities are due to insufficient boundary checks when processing XML-RPC requests. A remote attacker could exploit these vulnerabilities by sending a crafted XML-RPC request to the vulnerable ESP server. Successful exploitation could result in arbitrary code execution or a denial of service condition.
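As an added illustration of the protocol described above (example code, not SAP's or Dell SonicWALL's), the following Python builds an XML-RPC methodCall with nested struct and array parameters using the standard library, parses it back, and applies a request-size and string-length bound before anything is dispatched. The method name example.modifyElement, the element description and the limits are assumptions chosen for the example, not values taken from ESP.

```python
import xmlrpc.client as xc

# Assumed limits for this example; real deployments tune these per method.
MAX_REQUEST_BYTES = 64 * 1024
MAX_STRING_PARAM = 256


def build_request(method: str, *params) -> bytes:
    """Serialise a methodCall. Python dicts become <struct>, lists <array>,
    so arbitrarily nested parameter structures travel in one request."""
    return xc.dumps(params, methodname=method).encode("utf-8")


def _strings_in(value):
    """Yield every string anywhere inside a (possibly nested) parameter."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings_in(v)
    elif isinstance(value, (list, tuple)):
        for v in value:
            yield from _strings_in(v)


def parse_request(body: bytes):
    """Decode a methodCall and enforce size bounds before any dispatch.
    Rejecting oversized input up front is the generic defence against the
    class of bug described above (this check is illustrative, not ESP's fix)."""
    if len(body) > MAX_REQUEST_BYTES:
        raise ValueError("request exceeds MAX_REQUEST_BYTES")
    params, method = xc.loads(body.decode("utf-8"))
    for s in _strings_in(params):
        if len(s.encode("utf-8")) > MAX_STRING_PARAM:
            raise ValueError("string parameter exceeds MAX_STRING_PARAM")
    return method, params


def request_is_acceptable(body: bytes) -> bool:
    """Gatekeeper form of parse_request: malformed XML, bad encoding and
    bound violations all map to False rather than an exception."""
    try:
        parse_request(body)
        return True
    except Exception:
        return False


# Hypothetical method name and element description, constructed for the demo.
SAMPLE_REQUEST = build_request(
    "example.modifyElement",
    {"name": "stream1", "ports": [8000, 8001], "opts": {"retry": True}},
)

if __name__ == "__main__":
    print(SAMPLE_REQUEST.decode())
    print(parse_request(SAMPLE_REQUEST))
    oversized = build_request("example.modifyElement", {"name": "A" * 4096})
    print("oversized accepted:", request_is_acceptable(oversized))
```

The walk over nested parameters matters because the protocol lets a caller bury a long string several levels deep inside arrays and structs; a check that only looks at top-level parameters would miss it.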

The following CVEs are related to this issue: CVE-2014-3457 and CVE-2014-3458.

Dell SonicWALL has released IPS signatures to detect and block specific exploitation attempts targeting these vulnerabilities. The signatures are listed below:

  • 3924 Sybase ESP esp_parse ConnectionType Remote Code Execution
  • 4092 Sybase ESP esp_parse Connection Remote Code Execution

Angler Exploit Kit drive-by attack (June 25, 2014)

The Dell SonicWALL Threats Research team analyzed a drive-by attack involving the Angler cyber-crime exploit kit, which leads to the download of additional malware on the target system upon successful exploitation. The malware in this case is from the Backdoor Trojan family Caphaw.

The Angler Exploit Kit is yet another web-based cyber-crime exploit kit that emerged late last year with exploit payloads targeting Adobe Flash and Java vulnerabilities. The author added exploit payloads for the Microsoft Silverlight 5 remote code execution vulnerability within a month, which significantly increased the infection rates for this Exploit Kit. It appears to be the Exploit Kit of choice for the Reveton Ransomware gang, which was previously using the Cool Exploit Kit, a premium Blackhole Exploit Kit version that became extinct after the arrest of the author. Like many other web-based exploit kits, the Angler Exploit Kit utilizes browser plugin detectors to identify the target system environment, which includes the versions of the browser, Java, Adobe Flash, Silverlight etc. The targeted exploit payload is then served based on the identified vulnerable application, leading to malware infection.

The Angler exploit kit follows the standard exploit flow cycle, where users are redirected from a compromised website to the exploit kit hosting site, also known as the landing page. This kit uses 3 levels of redirection before redirecting the user to the landing page. The JavaScript code that generates the first and second redirection URLs uses the compromised host's name to generate the redirection URL. It also creates a cookie with the key "google_api" and the value "1". The landing page consists of highly obfuscated JavaScript code to evade AV detection.

Figure 1: Obfuscated code stored in variables

Angler Exploit Kit Landing Page infection cycle

The landing page contains highly obfuscated JavaScript code segregated across multiple HTML span tags, followed by the JavaScript code used for deobfuscation. Below is the function that is responsible for deobfuscation:

Figure 2: Deobfuscation function

  • The first chunk of deobfuscated code checks for the presence of the following driver files, which belong to the antivirus vendors Kaspersky and TrendMicro:
    • c:\Windows\System32\drivers\kl1.sys
    • c:\windows\system32\drivers\tmactmon.sys
    • c:\windows\system32\drivers\tmcomm.sys
    • c:\windows\system32\drivers\tmevtmgr.sys
    • c:\windows\system32\drivers\TMEBC32.sys
    • c:\windows\system32\drivers\tmeext.sys
    • c:\windows\system32\drivers\tmnciesc.sys
    • c:\windows\system32\drivers\tmtdi.sys

    It utilizes the following function, leveraging ActiveXObject, to check for the above files:

    Figure 3: Checking for AV driver files

    If any of these files are present on the target system, it stops the exploit cycle and redirects the user to a predetermined URL.

  • It then deobfuscates the next code chunk, which checks the Silverlight version on the system. If it is vulnerable, it generates a URL for the exploit payload that gets executed on the target system. The exploit payload being served by this instance was for CVE-2013-0074, the Silverlight Double Dereference Vulnerability.
  • If the Silverlight version is not vulnerable, it performs similar version checks for the Adobe Flash Player and Java plugins respectively, serving exploit payloads if the installed version is vulnerable.

    Figure 4: Check for vulnerable plugin versions on the system

    Figure 5: Variables used for marking vulnerable plugins

    Figure 6: Generating the exploit request based on the identified environment (Java in the case above)

  • Upon successful exploitation, it downloads and installs a Backdoor Trojan from the Caphaw malware family on the target system.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Angler.EKI (Exploit)
  • GAV: Angler.EKR (Exploit)
  • GAV: Angler.EKR_2 (Exploit)
  • GAV: Angler.EKLP (Exploit)
  • GAV: Malformed.Flash.OT (Exploit)
  • GAV: Malformed.Java.OT (Exploit)
  • GAV: Caphaw.AK (Trojan)
  • GAV: Caphaw.AMX (Trojan)

Ranbyus Banking Trojan, Cousin of Zbot

The Dell SonicWALL Threats Research Team has recently encountered an example of the Ranbyus banking Trojan family. This family, a descendant of the Zbot family, has previously been reported by others to primarily target Ukrainian and Eastern European users. One of the notable features of this strain is that it was one of the first to target Java remote banking apps for information stealing.

Ranbyus Java injection strings

Infection Cycle

This sample of Ranbyus appears to be single-staged, as it only drops a copy of itself onto disk and otherwise decodes and executes its malicious payload entirely in memory. The payload is stored as Base64-encoded data within the .rsrc section of the binary, and is launched after being decoded in memory with the CryptStringToBinary API call.

The malware is seen using CryptStringToBinary to decode the Base64-encoded payload

After the initial execution, the original file is deleted with a typical use of cmd.exe: "C:\WINDOWS\system32\cmd.exe /c del C:\DOCUME~1\admin\APPLIC~1\file.exe >> NUL"
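The cmd.exe self-deletion quoted here and in the Qakbot analysis above, and the vssadmin shadow-copy deletion quoted in the Cryptowall analysis, are all good candidates for process-creation monitoring. The following Python is an added example, not SonicWALL's code: it runs two rules over a constructed set of process-creation events (modelled on the command lines quoted on this page, with two benign entries added) and reports the matches. The event field names (pid, image, cmdline) are assumptions about the log format.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events (not taken from the SonicWALL analyses);
# the command lines mirror the patterns quoted on this page. Field names are
# assumed for the example.
SAMPLE_EVENTS = [
    {"pid": 1204, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c ping -n 10 localhost && del "C:\windows\temp\file.exe"'},
    {"pid": 1310, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\WINDOWS\system32\cmd.exe /c del C:\DOCUME~1\admin\APPLIC~1\file.exe >> NUL"},
    {"pid": 1422, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 1500, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c ping -n 4 8.8.8.8"},          # benign: no deletion
    {"pid": 1601, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"vssadmin.exe List Shadows"},         # benign: read-only
]


@dataclass
class Finding:
    pid: int
    rule: str
    severity: str
    target: str   # the file being deleted, or the vssadmin verb


# Rule 1: "cmd /c [ping -n N host &&] del <file>". The optional ping is the
# delay Qakbot uses so its own image is no longer locked when del runs.
SELF_DELETE = re.compile(
    r"cmd(?:\.exe)?\s+/c\s+(ping\s+-n\s+\d+\s+\S+\s*&&\s*)?del\s+(\S+)",
    re.IGNORECASE,
)

# Rule 2: shadow-copy removal, as run by Cryptowall before encryption.
SHADOW_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+(delete\s+shadows)\b.*?/all", re.IGNORECASE
)


def scan_events(events):
    """Apply both rules to every event and return the findings in order."""
    findings = []
    for ev in events:
        cmd = ev["cmdline"]
        m = SELF_DELETE.search(cmd)
        if m:
            # A ping-delayed delete is the classic self-removal idiom; a bare
            # "cmd /c del" also appears in benign scripts, so rank it lower.
            sev = "high" if m.group(1) else "medium"
            findings.append(Finding(ev["pid"], "cmd_self_delete", sev, m.group(2)))
        m = SHADOW_DELETE.search(cmd)
        if m:
            findings.append(Finding(ev["pid"], "vssadmin_shadow_delete", "high", m.group(1)))
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"pid={f.pid} rule={f.rule} severity={f.severity} target={f.target}")
```

In practice the medium-severity hit is worth correlating with the parent process: a cmd.exe deleting the very image its parent was launched from is far more telling than the command line alone.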

After self-destructing the original sample, svchost.exe is injected. The injected svchost process then proceeds to drop the malware into the Windows system directory to achieve persistence on the machine. In our analysis, it used a hard-coded name for the dropped copy, located at C:\Windows\system32\MifofomlJLohdj.exe [Detected as GAV: Zbot.SBEP].

Shortcut created in Start Up directory for persistence

In order to persist upon reboot, the malware creates a run key as well as a shortcut in the Startup directory under the Start Menu.

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dpkS_uppkrBUa_JGnwzvayGcjU

The following mutexes were seen during analysis and are used to prevent unnecessary reinfection and to manage the different infection threads.

  • \BaseNamedObjects\D83A47EC0000037001CEEA35cF_hVxJBmrxrZ
  • \BaseNamedObjects\v&xEiR43#$

In addition to performing the persistence routines, the injected svchost process is also seen performing the callback communication.

The svchost process can be seen connecting to the C&C server

The use of Base64 encoding continues in the C&C communication, although a custom alphabet is used to hinder analysis of the traffic.

HTTP POST to the C&C server contains Base64 data

Further analysis of the binary in memory led us to the custom alphabet used for this sample: G4ozATO/sx521knPHdvVKZWXq9yfm6LNUQtcr3ea+MFubgCB8pES7RwlYhjiDIJ0=. We can then use this alphabet and this script to decode the traffic as seen below.

A bit of formatting of the decoded callback communications reveals the content of the traffic.
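The script referred to above is not reproduced on this page. As an added example (not SonicWALL's script), the following Python decoder maps the custom alphabet given above onto the standard Base64 alphabet and then hands off to the standard decoder; an encoder is included so that a constructed sample can be round-tripped, and passing the standard alphabet makes both functions degrade to plain Base64. The sample beacon body is constructed, not captured Ranbyus traffic.

```python
import base64

STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Custom alphabet recovered from the Ranbyus sample in the analysis above:
# 64 symbols in the order the malware uses for values 0..63, then its pad char.
RANBYUS_ALPHABET = "G4ozATO/sx521knPHdvVKZWXq9yfm6LNUQtcr3ea+MFubgCB8pES7RwlYhjiDIJ0="


def _split_alphabet(alphabet: str):
    """Return (64 symbols, pad char); default the pad to '=' if omitted."""
    symbols, pad = alphabet[:64], alphabet[64:] or "="
    if len(symbols) != 64 or len(set(symbols)) != 64 or len(pad) != 1:
        raise ValueError("alphabet must be 64 distinct symbols plus one pad char")
    return symbols, pad


def decode_custom_b64(data: str, alphabet: str = RANBYUS_ALPHABET) -> bytes:
    """Translate custom symbols to the standard alphabet, then decode."""
    symbols, pad = _split_alphabet(alphabet)
    table = str.maketrans(symbols + pad, STD_ALPHABET + "=")
    std = "".join(data.split()).translate(table)   # drop line breaks from captures
    std += "=" * (-len(std) % 4)                   # restore stripped padding
    return base64.b64decode(std, validate=True)


def encode_custom_b64(raw: bytes, alphabet: str = RANBYUS_ALPHABET) -> str:
    """Standard Base64, then rewrite each symbol into the custom alphabet."""
    symbols, pad = _split_alphabet(alphabet)
    table = str.maketrans(STD_ALPHABET + "=", symbols + pad)
    return base64.b64encode(raw).decode("ascii").translate(table)


# Constructed beacon body for the demo; not captured Ranbyus traffic.
SAMPLE_PLAINTEXT = b"id=CONSTRUCTED-BOT-01&os=5.1&ver=2"
SAMPLE_ENCODED = encode_custom_b64(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("encoded :", SAMPLE_ENCODED)
    print("decoded :", decode_custom_b64(SAMPLE_ENCODED))
```

Because only the symbol table changes, a custom-alphabet Base64 is a substitution over the standard encoding, which is why a single str.translate is enough and why validate=True still applies after the translation: anything that is not a legal symbol in the custom table will fail to decode rather than silently produce garbage.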

Summary

Overall, the purpose of this malware is to steal banking information, as well as other personal information and credentials. Dell SonicWall Gateway Anti-Virus provides protection against this threat with the following signature:

  • GAV: Zbot.SBEP

Cross-site scripting vulnerability in CUPS web interface (June 20, 2014)

Common Unix Printing System (CUPS) is a printing system which allows a computer to act as a print server. CUPS is designed for Unix-like operating systems. The system running CUPS can act as a host which accepts print jobs from client computers, processes them, and sends them to the appropriate printer.

CUPS provides a system to send print jobs to the printers. The print data goes to the scheduler, which sends it on to be printed. The CUPS scheduler implements the Internet Printing Protocol (IPP) over HTTP/1.1. The CUPS scheduler also provides a web-based interface for managing print jobs and the configuration of the server, and for documentation about CUPS itself.

A cross-site scripting (XSS) vulnerability exists in the web interface of the scheduler. This allows remote attackers to inject arbitrary web script or HTML via the URL path. The vulnerable function is is_path_absolute. CUPS versions before 1.7.2 are vulnerable. This vulnerability is fixed and a patch is available.

Exploit example (public exploit):

  http://XXX.XXX.XXX.XXX:631/ GET /%3CSCRIPT%3Ealert('document.domain='+document.domain)%3C/SCRIPT%3E.shtml HTTP/1.1

When processing the GET/POST request the input is not sanitized and the script code is reflected back to the user. Successful exploitation results in code being executed in the context of the current user.
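To make the reflection concrete, here is an added Python example (not CUPS code) contrasting a page renderer that echoes the request path unescaped with one that HTML-escapes it, plus a simple check that percent-decodes the path and looks for markup, in the spirit of a network signature. The request line is constructed from the public exploit example above; the two renderer functions are hypothetical stand-ins for the scheduler's error page, not its actual source.

```python
import html
import re
from urllib.parse import unquote, urlsplit


def request_path(request_line: str) -> str:
    """'GET /x.shtml HTTP/1.1' -> '/x.shtml' (query string dropped)."""
    parts = request_line.split()
    target = parts[1] if len(parts) >= 2 else request_line
    return urlsplit(target).path


def decoded_path(request_line: str) -> str:
    """Percent-decode twice so a double-encoded payload is also exposed."""
    return unquote(unquote(request_path(request_line)))


# Hypothetical stand-in for an error page that echoes the requested path.
def render_not_found_unsafe(path: str) -> str:
    # Vulnerable: the path is written into the HTML verbatim, so any markup
    # in the URL is reflected back to the browser and executed there.
    return f"<html><body><h1>Not Found</h1><p>{path}</p></body></html>"


def render_not_found_safe(path: str) -> str:
    # Hardened: entity-encode the untrusted value before it lands in HTML.
    return ("<html><body><h1>Not Found</h1><p>"
            f"{html.escape(path, quote=True)}</p></body></html>")


# Markup indicators in a decoded path: a tag, an inline event handler, or a
# javascript: URL. Deliberately broad; tune against the deployment's real paths.
MARKUP = re.compile(r"<\s*/?\s*[a-z][a-z0-9]*|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def looks_like_reflected_xss(request_line: str) -> bool:
    return MARKUP.search(decoded_path(request_line)) is not None


# Constructed request line following the public exploit example above.
PROBE = ("GET /%3CSCRIPT%3Ealert('document.domain='+document.domain)"
         "%3C/SCRIPT%3E.shtml HTTP/1.1")

if __name__ == "__main__":
    p = decoded_path(PROBE)
    print("suspicious:", looks_like_reflected_xss(PROBE))
    print("unsafe page reflects tag:", "<SCRIPT>" in render_not_found_unsafe(p))
    print("safe page reflects tag  :", "<SCRIPT>" in render_not_found_safe(p))
```

The fix on the server side is the html.escape call, not the detector: the detector only tells you that somebody tried, while escaping makes the attempt harmless whether or not anything noticed it.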

The Dell SonicWALL threat team has researched this vulnerability and released the following IPS signature for it:

  • IPS: 3903 CUPS Web Interface URL Handling XSS

This vulnerability is referred to by CVE as CVE-2014-2856.

FIFA World Cup Scams Abound (June 12, 2014)

The 2014 FIFA World Cup has begun. This month-long tournament brings together the best soccer players in the world to battle for their countries. Unfortunately, cybercriminals are also taking advantage of the many fans. As the excitement builds, unsolicited advertisements for free live online streaming of the event and fake World Cup related promotions are also increasing. These often lead to fraud, phishing and even malware.

Over the last week, the Dell SonicWALL threats research team has been tracking all World Cup related spam emails. The emails have a common theme of trying to lure users into providing their personal information in exchange for access to live streaming videos or to claim prizes from a FIFA lottery.

Figure: sample FIFA spam email

The following are some of the common email subjects we have seen:

  • OPEN ATTACH FILE FOR YOUR FIFA IN BRIZAIL AWARD WINNING DETAILS
  • CONGRATULATION……_Your_winning_Reference_No:_FIFA/BRA/14/FFBR04563?
  • Copa do Mundo Fifa 2014
  • CONGRATULATIONS;YOU HAVE WON $2 MILLION FROM COCA-COLA/ FIFA CUP 2104 (OPEN FILE)
  • Save Big On World Cup Jerseys Cheap,Up To 80% Off World Cup Jerseys Wholesale.Fast Free Express.
  • World Cup 2014 – Time to get in on the action
  • World Cup Screenings 2014

Some fans who cannot be in front of a TV to watch the games will instead stream the matches on their computers, laptops or mobile devices. Unfortunately, there are a lot of bogus online streaming sites on the web. Some of these sites redirect to another URL requiring the user to provide their credit card information for full access to live streaming.

Figure: fake FIFA streaming site

Others require users to download special video playback software or install "missing plugins" that often install malware.

Figure: fake FIFA streaming sites (two screenshots)

We urge our users to always be vigilant and cautious with installing unknown applications, browser extensions, addons or plugins, particularly if you are not certain of the source. If you want to stream the games, you can do so via legitimate websites such as ESPN or BBC.

Dell SonicWALL Gateway AntiVirus provides protection against these threats via the following signatures:

  • GAV: InstallIQ.A_5 (Adware)
  • GAV: RocketFuel.A_2 (Adware)
  • GAV: RocketFuel.A (Adware)
  • GAV: OutBrowse.D_8 (Adware)
  • GAV: OutBrowse.D_7 (Adware)