OpenSSL Heartbleed Vulnerability (CVE-2014-0160) Actively Targeted (Apr 9, 2014)

Dell SonicWALL Threats Research Team has observed the OpenSSL HeartBleed Vulnerability being actively targeted in the wild.

This critical vulnerability has been assigned CVE-2014-0160. It is an information disclosure vulnerability that can be used to reveal up to 64K of server memory per request, due to a missing bounds check on the heartbeat payload length. OpenSSL has also released a Security Advisory that addresses this issue. Since the vulnerable OpenSSL 1.0.1 branch has been in the field since March 2012, in addition to applying the OpenSSL 1.0.1g patch issued on April 7th, 2014, please issue new keys and revoke any previous keys that were used with vulnerable versions.

Dell SonicWALL firewalls with Intrusion Prevention activated protect customers’ servers against this attack with the following signatures, which test the length fields in the heartbeat packet against limits that fall outside the normal bounds:

  • IPS:3616 OpenSSL Heartbleed Information Disclosure 1
  • IPS:3638 OpenSSL Heartbleed Information Disclosure 2
  • IPS:3652 OpenSSL Heartbleed Information Disclosure 3
  • IPS:3653 OpenSSL Heartbleed Information Disclosure 4
  • IPS:3661 OpenSSL Heartbleed Information Disclosure 5
  • IPS:3663 OpenSSL Heartbleed Information Disclosure 6

The following is the format of a Heartbeat Request. Attackers can craft this specific request to extract sensitive information from vulnerable servers that are not behind a next-generation firewall.
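As an added illustration (not code from the original post), here is a Python check that applies the bounds test the signatures above rely on: it parses the TLS record header and the heartbeat header as laid out in RFC 6520 and flags any payload_length that does not fit inside the record actually received. The records it examines are constructed samples, not captured traffic.

```python
import struct

# TLS record content type for heartbeat messages (RFC 6520) and its two message types.
TLS_HEARTBEAT = 24
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of random padding


def check_heartbeat_record(record):
    """Validate one TLS record as a heartbeat message; returns (ok, reason).

    The decisive test is the one missing from OpenSSL 1.0.1 through 1.0.1f:
    the declared payload_length, plus the 3-byte heartbeat header and the
    minimum padding, must fit inside the record that was actually received.
    A larger value makes a vulnerable peer echo up to 64K of adjacent memory.
    """
    if len(record) < 5:
        return False, "truncated TLS record header"
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return True, "not a heartbeat record"
    body = record[5:]
    if len(body) != rec_len:
        return False, "record length field does not match bytes on the wire"
    if rec_len < 1 + 2 + MIN_PADDING:
        return False, "heartbeat body too short for header and padding"
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return False, "unknown heartbeat message type %d" % hb_type
    if 1 + 2 + payload_len + MIN_PADDING > rec_len:
        return False, "payload_length %d exceeds record length %d (Heartbleed pattern)" % (
            payload_len, rec_len)
    return True, "well-formed heartbeat"


# Constructed sample records (not captured traffic). Both carry the 4-byte
# payload "ping" and 16 bytes of zero padding inside a 23-byte (0x17) record.
_BODY_TAIL = b"ping" + b"\x00" * MIN_PADDING
BENIGN_RECORD = b"\x18\x03\x02\x00\x17" + b"\x01\x00\x04" + _BODY_TAIL
# Same bytes on the wire, but payload_length claims 0x4000 (16384) bytes.
OVERSIZED_RECORD = b"\x18\x03\x02\x00\x17" + b"\x01\x40\x00" + _BODY_TAIL
# An ordinary application-data record (type 23) is passed through untouched.
APPDATA_RECORD = b"\x17\x03\x02\x00\x03abc"


if __name__ == "__main__":
    for name, rec in (("benign", BENIGN_RECORD), ("oversized", OVERSIZED_RECORD),
                      ("appdata", APPDATA_RECORD)):
        ok, reason = check_heartbeat_record(rec)
        print("%-9s %s: %s" % (name, "OK" if ok else "FLAG", reason))
```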

The following statistics show how actively this attack is being exploited.

Here, it is quite evident that the hourly hits are increasing.

The distribution below shows the USA being targeted the most.

Malware claiming to be Heartbleed test tool (April 11, 2014)

The Dell SonicWALL Threats Research team came across a malicious executable that claims to be a test tool for the recently discovered Heartbleed vulnerability. The executable is a new variant of the Backdoor Trojan malware family Zacom. This is yet another example of how quickly cybercriminals try to take advantage of a popular new topic to spread malware.

The Heartbleed vulnerability is a critical information disclosure bug in the TLS and DTLS implementations of OpenSSL that was discovered earlier this week. More information about the vulnerability and our analysis is available here.

Infection Cycle

The malware executable file looks like the following:

Upon execution, the malware generates a unique ID using the infected machine’s ComputerName and UniqueID values, as shown below:

It then registers the infection with a remote Command and Control server whose IP address was found hardcoded in the malware. The command and control server responds with a unique string starting with either su or sp followed by a 9-digit number.

It further creates the following files on the system:

  • %User Local Settings%\Temp\hello032.txt [Temporary text file to check for write permission and bitness]
  • %User Local Settings%\Temp\msbridge.exe [Copy of itself detected as GAV: Zacom.A_2 (Trojan)]

It also creates a registry entry to ensure that the dropped malware executable runs on system reboot:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run  Msbridge = %User Local Settings%\Temp\msbridge.exe

The original malware process terminates after creating a new process to start the dropped executable with the following arguments:

%User Local Settings%\Temp\msbridge.exe %PATH TO THE ORIGINAL EXECUTABLE FILE% 4194304

The new process will utilize the path argument to delete the original malware executable file.

It then attempts to communicate with the hardcoded command and control server IP, waiting for further commands. The following network activity indicators were observed during our analysis:

As seen above, the malware has support for downloading updates and additional malware as well as uploading stolen information from the infected machine. The malware also uses a custom, generic-looking User-Agent string for its communication. The command and control server is hosted in Hong Kong and appeared to be active at the time of analysis.

Dell SonicWALL UTM appliances provide protection against this threat with the following signatures:

  • GAV: Zacom.A (Trojan)
  • GAV: Zacom.A_2 (Trojan)
  • IPS:3686 Zacom heartbleed malware activity 1
  • IPS:3688 Zacom heartbleed malware activity 2

Microsoft Security Bulletin Coverage (Apr 8, 2014)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of April 2014. A list of the issues reported, along with Dell SonicWALL coverage information, follows:

MS14-017 Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2949660)

  • CVE-2014-1757 Microsoft Office File Format Converter Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-1758 Microsoft Word Stack Overflow Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-1761 Word RTF Memory Corruption Vulnerability
    GAV: 20922 “CVE-2014-1761”

MS14-018 Cumulative Security Update for Internet Explorer (2950467)

  • CVE-2014-1755 Internet Explorer Memory Corruption Vulnerability
    IPS: 3611 “Windows IE Memory Corruption Vulnerability (MS14-018) 4”
  • CVE-2014-1753 Internet Explorer Memory Corruption Vulnerability
    IPS: 3610 “Windows IE Memory Corruption Vulnerability (MS14-018) 3”
  • CVE-2014-1752 Internet Explorer Memory Corruption Vulnerability
    IPS: 3609 “Windows IE Memory Corruption Vulnerability (MS14-018) 2”
  • CVE-2014-1751 Internet Explorer Memory Corruption Vulnerability
    IPS: 3571 “Windows IE Memory Corruption Vulnerability (MS14-018) 1”
  • CVE-2014-0235 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-1760 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.

MS14-019 Vulnerability in Windows File Handling Component Could Allow Remote Code Execution (2922229)

  • CVE-2014-0315 Windows Insecure Binary Loading Vulnerability
    There are no known exploits in the wild.

MS14-020 Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (2950145)

  • CVE-2014-1759 Arbitrary Pointer Dereference Vulnerability
    There are no known exploits in the wild.

Cutwail spam campaigns lure users to download various threats (April 04, 2014)

The Dell SonicWALL Threats Research team has observed a sharp increase in the number of spammed malware e-mails originating from the Cutwail botnet. We have captured a variety of spam campaigns over the past two weeks involving fake delivery notifications, voice messages, tax returns, pictures, fax messages, invoices, etc.

You can refer to our analysis of the latest Cutwail variant here.

The following graph highlights our findings:

These e-mails share a common theme: luring recipients into opening a legitimate-looking attachment, using subjects such as the following:

  • ACH payment failure report
  • CCL Computers – Order Despatched
  • CIS Online submission received by HM Revenue and Customs
  • Documents – WellsFargo
  • FW: Loan docs
  • Failure to deliver
  • Notification of direct debit of fees
  • PCI DSS Compliance Programme
  • RE:Please open the attachment to view your payment slip for confirmation of order
  • Some men commented on your status
  • Statement of account
  • You send new photo!
  • message from your attorney

Below are some sample e-mails captured from these spam campaigns:

Some of the common files seen in these attachments are:

  • ABSA certificate update.exe
  • Annual _report.PDF.scr
  • Avis_de_Paiement.scr
  • B8582964793.scr
  • Case_26032014.scr
  • CBE_Form.scr
  • Copy-04012014.scr
  • Court_Notice_document_date_25-03-2014Y.exe
  • DATA-204658-SCR89.scr
  • PPs INvoice PROTECTED.exe
  • PrivateImage_03312014.scr
  • Returns Repot for march 2014.exe
  • test result AF1T-2.exe
  • WellsFargo_Docs_042014.scr

These files look like PDF and Word documents but carry .scr and .exe extensions, as shown:

Once the user tries to open one of these attachments, the malicious file executes and the machine is compromised.

We urge our users to always be vigilant and cautious before opening attachments from any unsolicited email.

Dell SonicWALL Gateway AntiVirus provides protection against these threats with the following signatures:

  • GAV: Bublik.CGAE (Trojan)
  • GAV: Inject.KXDK (Trojan)
  • GAV: Kryptik.BYQN (Trojan)
  • GAV: Kryptik.BYRX (Trojan)
  • GAV: Kryptik.BYRX_2 (Trojan)
  • GAV: MalAgent.H_349 (Trojan)
  • GAV: MalAgent.H_350 (Trojan)
  • GAV: Onkods.G (Trojan)
  • GAV: Tepfer.ALEH_5 (Trojan)
  • GAV: Upatre.AK (Trojan)
  • GAV: Waski.A_37 (Trojan)
  • GAV: Waski.A_38 (Trojan)
  • GAV: Waski.A_39 (Trojan)
  • GAV: Waski.A_40 (Trojan)
  • GAV: Zbot.AAU_161 (Trojan)
  • GAV: Zbot.PA (Trojan)
  • GAV: Zbot.RYOT (Trojan)
  • GAV: Zbot_133 (Trojan)
  • GAV: Zortob.B_89 (Trojan)

Microsoft Word Zero Day (CVE-2014-1761) Exploit Analysis (Apr 4, 2014)

The Dell SonicWALL Threats Research team has spotted Microsoft Word zero-day attacks in the wild.
Last week, Microsoft released a Security Advisory that addresses this vulnerability.

The following is our technical analysis of this attack.

The attack arrives as a malicious RTF file.

A minimized crash file produced the following crash:

We can see how the ROP chain is constructed from gadgets in MSCOMCTL:

VirtualAlloc is used to create an executable page:

Control then returns to the ROP chain:

More ROP gadgets then transfer control to the shellcode:

The shellcode takes control from here on.

On successful execution, we can see how svchost is spawned by Word:

The following is our detection coverage:

  • GAV: CVE-2014-1761 (Exploit)

Onkods social engineering spam campaign continues (Mar 28, 2014)

The Dell SonicWALL Threats Research team recently encountered a malicious spam e-mail. The sample attached to the e-mail is another in the line of droppers known as Onkods. This malware family’s primary role is to gain execution on a victim’s machine in order to download and launch the next stage of the attack.

Infection Cycle

The file attached to the e-mail pretends to be a JPG, with a filename that mimics one a digital camera would produce. However, the file’s real extension is .scr, so if a user attempts to view it, it executes and infects the system.

While the URL for the second stage binary is clearly visible in the contents of the binary, the malware does obfuscate the API functions it uses to download and launch the second stage.

The encrypted procedure names within the binary can be seen above.

This listing shows the encrypted procedure names in the context of the malware’s execution flow.

After running the obfuscated procedure names through the malware’s decryption routine, the intent of the sample becomes even clearer.

The second-stage binary is then downloaded and saved as 78f6d86g4g.exe [Detected by GAV:Phorpiex.B_9 (Worm)], which in turn downloads further binaries. The following additional binaries were seen being executed in our analysis:

  • C:\Users\Admin\AppData\Local\Temp\1241547105.exe [Detected by GAV:Injector.BAKZ (Trojan)]
  • C:\Users\Admin\AppData\Local\Temp\2561927484.exe [Detected by GAV:Sdbot.JN (Trojan)]
  • C:\Users\Admin\M-2480286949245824\winsvc.exe [Detected by GAV:Sdbot.JN (Trojan)]
  • C:\Users\Admin\M-89675864735623587\winmgr.exe [Detected by GAV:Phorpiex.B_9 (Worm)]

The malware creates the following mutexes on the system:

  • spm10
  • trk24

The malware communicates with the following hosts:


Overall, the motive of this Trojan is to create additional bots to send spam and propagate further. The SonicWALL research team will continue to monitor this threat.

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV:Onkods.Y (Trojan)
  • GAV:Kryptik.BLMB (Trojan)
  • GAV:Injector.BAKZ (Trojan)
  • GAV:SDbot.JN (Trojan)
  • GAV:Phorpiex.B_9 (Worm)

Microsoft Security Advisory Coverage (March 24, 2014)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisory released on March 24th, 2014. A list of the issues reported, along with Dell SonicWALL coverage information, follows:

Microsoft Security Advisory (2953095) Vulnerability in Microsoft Word Could Allow Remote Code Execution

  • CVE-2014-1761 Word RTF Memory Corruption Vulnerability
    SPY: 3376 Malformed-File rtf.MP.4

Web Application XML External Entity Vulnerabilities (Mar 21, 2014)

XML is used extensively in many web applications. Some common XML uses include:

  • Web publishing: XML allows you to create interactive pages, allows the customer to customize those pages, and makes creating e-commerce applications more intuitive. With XML, you store the data once and then render that content for different viewers or devices based on style sheet processing using an Extensible Style Language (XSL)/XSL Transformation (XSLT) processor.
  • Web searching and automating Web tasks: XML defines the type of information contained in a document, making it easier to return useful results when searching the Web.
  • Metadata applications: XML makes it easier to express metadata in a portable, reusable format.

XML has the concept of an entity: a symbolic representation of a block of information. Entities can be defined in two ways: internal and external.

Internal entities are both defined and used inside the same XML file, with the replacement text given directly in the declaration. The declaration has the following format:

External entities have their content in a location outside the XML document in which they are declared, such as a file. External entities require the SYSTEM identifier in order to be imported and used. The declaration has the following format:

References to entities consist of the entity name prefixed with an ampersand and suffixed with a semicolon (in this case, “&anyname;”). Every time an entity reference appears in the XML, it is replaced with the entity value when the XML is parsed.

Multiple web applications are prone to XML eXternal Entity (XXE) vulnerabilities. These vulnerabilities arise when the application’s XML parser processes an external entity that contains tainted data. Successful exploitation may lead to disclosure of confidential information and other system impacts.
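The entity declarations and the XXE risk described above, as an added example that is not from the original post: a Python pre-parse gate, in the spirit of the IPS signature, that rejects any document declaring an external (SYSTEM or PUBLIC) entity or DTD while letting internal entities through to the standard-library parser. The XML documents are constructed samples, and the URIs in them are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# External declarations: <!ENTITY name SYSTEM "uri">, <!ENTITY name PUBLIC "id" "uri">,
# the parameter-entity form <!ENTITY % name SYSTEM "uri">, and an external DTD
# subset <!DOCTYPE root SYSTEM "uri">. Internal entities (<!ENTITY name "value">)
# are deliberately not matched.
_EXTERNAL_ENTITY = re.compile(r"<!ENTITY\s+(?:%\s+)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b", re.I)
_EXTERNAL_DTD = re.compile(r"<!DOCTYPE\s+[^\s>\[]+\s+(?:SYSTEM|PUBLIC)\b", re.I)


def references_external_entity(xml_text):
    """True if the document declares any external entity or external DTD.

    This is the coarse textual test a network signature can apply before the
    XML reaches the application; it is a gate, not a replacement for a parser
    configured not to resolve entities at all.
    """
    return bool(_EXTERNAL_ENTITY.search(xml_text) or _EXTERNAL_DTD.search(xml_text))


def parse_untrusted(xml_text):
    """Reject external entities, then parse with the standard-library parser.

    ElementTree's expat backend does not fetch external entities itself, so a
    document that slipped past the gate would fail to parse rather than read a
    local file; parsers that resolve entities by default would fetch it.
    """
    if references_external_entity(xml_text):
        raise ValueError("external entity or DTD declaration rejected")
    return ET.fromstring(xml_text)


def would_parse(xml_text):
    """Convenience wrapper: True if parse_untrusted accepts the document."""
    try:
        parse_untrusted(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


# Constructed sample documents (not from the original post); URIs are placeholders.
INTERNAL_ONLY = ('<?xml version="1.0"?>'
                 '<!DOCTYPE order [ <!ENTITY company "Example Corp"> ]>'
                 '<order><vendor>&company;</vendor></order>')
EXTERNAL_GENERAL = ('<?xml version="1.0"?>'
                    '<!DOCTYPE order [ <!ENTITY leak SYSTEM "file:///placeholder/local/file"> ]>'
                    '<order><vendor>&leak;</vendor></order>')
EXTERNAL_PARAMETER = ('<!DOCTYPE order [ <!ENTITY % ext SYSTEM "http://example.invalid/remote.dtd"> %ext; ]>'
                      '<order/>')

if __name__ == "__main__":
    for label, doc in (("internal", INTERNAL_ONLY), ("external", EXTERNAL_GENERAL),
                       ("parameter", EXTERNAL_PARAMETER)):
        print("%-9s accepted=%s" % (label, would_parse(doc)))
```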

Dell SonicWALL has released an IPS signature to detect and block XML External Entity injection. The signature is listed below:

  • 3496 Multiple Web Applications XXE Injection

Vondola Trojan steals sensitive system information (March 21, 2014)

The Dell SonicWALL Threats Research team received reports of a Trojan that gathers sensitive system information from the victim’s machine and transmits it to a remote server.

Infection Cycle

Upon execution, the Trojan scans the %App Data% and %Program Files% folders for executable files. It also carries a list of executable names to look for, some of which are as follows:

Once it finds a matching executable, it appends an s to the end of the executable name and drops a copy of itself under that name alongside the original executable.

It drops the following file on the system:

  • %Temp%\updatems.exe [Detected as GAV:Symmi.VU (Trojan)]

It adds the following Registry Keys to disable User Account Control prompts:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Consentpromptbehavioradmin – 0
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Enablelua – 0

It adds an extensive list of scheduled tasks for the executables it drops at various locations, for example:

  • “C:\Windows\System32\at.exe” 18:29 /every:1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 “C:\Users\Admin\AppData\Local\Temp\updatems.exe”
  • “C:\Windows\System32\at.exe” 18:35 /every:1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 “c:\program files\7-Zip\7zs.exe”

The Trojan communicates with [removed]med.tripod.com and downloads configpublic96.dat. This file contains multiple instructions from the server.

The Trojan collects sensitive system-related data and sends it to the attacker at [removed]load.org in a POST request. The information is sent Base64-encoded; the fields include the following:

  • 1 and 2 – hardcoded Email addresses
  • 3 – Victim’s machine name
  • 4 – Running Processes, Open Commands Prompts, Open Programs
  • 5 – Desktop screenshot in PNG format

Overall, the motive of this Trojan is to steal sensitive user information and pass it on to the attacker. It remains to be seen whether this threat will be updated with more functionality in the time to come.

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV:Vondola.ML (Trojan)
  • GAV:Vondola.A (Trojan)
  • GAV:Symmi.VU (Trojan)

Trojan poses as a Fake Microsoft Office update (Mar 13, 2014)

The Dell SonicWALL Threats Research team has received reports of a Trojan posing as a Microsoft Office update, opportunely timed with the Patch Tuesday release two days ago. The Trojan periodically contacts a remote server and has the ability to download and install further components on the victim machine.

Infection Cycle:

Upon execution the Trojan compares its file name against the following two names that are commonly used by security researchers when naming their malware samples and terminates itself when it finds a match:

Figure 1: Common file names for malware samples

The Trojan creates a copy of itself in the following location:

  • %APPDATA%\MsOffice\OfficeUpdt.exe [Detected as GAV: FakeOff.MS (Trojan)]

It also creates the following files in the same location:

  • %APPDATA%\MsOffice\db
  • %APPDATA%\MsOffice\debug.txt (log file)

Figure 2: Sample of information written to this log file

In order to start after a reboot, the bot adds the following key to the registry:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run [MSOfficeUpdate] “%AppData%\MsOffice\OfficeUpdt.exe”

The Trojan periodically contacts a remote server and sends encrypted data from the log file:

Figure 3: Trojan connecting to a remote server

Figure 4: Sample of information sent to a remote server

The Trojan appears to be capable of extending itself with more functionality by downloading and installing additional modules, judging by these strings found in its main executable:

Figure 5: Strings from the binary

During our analysis, however, the only communication we received from the remote server had the following content:

Figure 6: Sample content of communication received from the remote server

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: FakeOff.MS (Trojan)