Microsoft Security Bulletin Coverage (March 11, 2014)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of March, 2014. A list of issues reported, along with Dell SonicWALL coverage information follows:

MS14-012 Cumulative Security Update for Internet Explorer (2925418)

  • CVE-2014-0297 Internet Explorer Memory Corruption Vulnerability
    IPS: 3462 Windows IE Memory Corruption Vulnerability (MS14-012) 6
  • CVE-2014-0298 Internet Explorer Memory Corruption Vulnerability
    IPS: 5764 Windows IE Memory Corruption Vulnerability (MS14-010) 6
  • CVE-2014-0299 Internet Explorer Memory Corruption Vulnerability
    IPS: 3469 Windows IE Memory Corruption Vulnerability (MS14-012) 8
  • CVE-2014-0302 Internet Explorer Memory Corruption Vulnerability
    IPS: 3479 Windows IE Memory Corruption Vulnerability (MS14-012) 11
  • CVE-2014-0303 Internet Explorer Memory Corruption Vulnerability
    IPS: 3480 Windows IE Memory Corruption Vulnerability (MS14-012) 12
  • CVE-2014-0304 Internet Explorer Memory Corruption Vulnerability
    IPS: 3472 Windows IE Memory Corruption Vulnerability (MS14-012) 10
  • CVE-2014-0305 Internet Explorer Memory Corruption Vulnerability
    IPS: 3461 Windows IE Memory Corruption Vulnerability (MS14-012) 4
  • CVE-2014-0306 Internet Explorer Memory Corruption Vulnerability
    IPS: 3464 Windows IE Memory Corruption Vulnerability (MS14-012) 5
  • CVE-2014-0307 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-0308 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-0309 Internet Explorer Memory Corruption Vulnerability
    IPS: 3466 Windows IE Memory Corruption Vulnerability (MS14-012) 7
  • CVE-2014-0311 Internet Explorer Memory Corruption Vulnerability
    IPS: 3471 Windows IE Memory Corruption Vulnerability (MS14-012) 9
  • CVE-2014-0312 Internet Explorer Memory Corruption Vulnerability
    IPS: 3468 Windows IE Memory Corruption Vulnerability (MS14-012) 14
  • CVE-2014-0313 Internet Explorer Memory Corruption Vulnerability
    IPS: 3467 Windows IE Memory Corruption Vulnerability (MS14-012) 13
  • CVE-2014-0314 Internet Explorer Memory Corruption Vulnerability
    IPS: 3448 Windows IE Memory Corruption Vulnerability (MS14-012) 3
  • CVE-2014-0321 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-0322 Internet Explorer Memory Corruption Vulnerability
    SPY: 4825 Malformed-File html.MP.2
  • CVE-2014-0324 Internet Explorer Memory Corruption Vulnerability
    IPS: 3444 Windows IE Memory Corruption Vulnerability (MS14-012) 1

MS14-013 Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (2929961)

  • CVE-2014-0301 DirectShow Memory Corruption Vulnerability
    There are no known exploits in the wild.

MS14-014 Vulnerability in Silverlight Could Allow Security Feature Bypass (2932677)

  • CVE-2014-0319 Silverlight DEP/ASLR Bypass Vulnerability
    There are no known exploits in the wild.

MS14-015 Vulnerabilities in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2930275)

  • CVE-2014-0300 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-0323 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.

MS14-016 Vulnerability in Security Account Manager Remote (SAMR) Protocol Could Allow Security Feature Bypass (2934418)

  • CVE-2014-0317 SAMR Security Feature Bypass Vulnerability
    There are no known exploits in the wild.

IFrame Injection Attacks in the wild (Mar 7, 2014)

An HTML element is an individual component of an HTML document or web page. “iFrame” is one of these elements; it defines an inline frame in the web page. An iFrame has the following format:

  

The Document Object Model (DOM) is a cross-platform and language-independent convention for representing and interacting with objects in HTML, XHTML and XML documents. With the DOM, a script can easily manipulate HTML elements. A sample of JavaScript DOM code is listed below:

      // Move the last child of the list "myList2" to the end of the list "myList1"
      var node = document.getElementById("myList2").lastChild;
      document.getElementById("myList1").appendChild(node);

An iFrame injection attack is a method for an attacker to embed code from another site by leveraging the iFrame tag with the DOM. It is a popular delivery method for drive-by downloads. iFrame injection attacks are not quite as common as they once were on the web; however, from time to time they do still happen. The Dell SonicWALL Threat Research team has observed multiple iFrame injection attacks in the wild.
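As an added example (not code from the original post), the following Python scanner flags iframes that a viewer cannot see, sized to zero or hidden by CSS, which is the usual shape of an injected drive-by frame, and notes when the frame's host is not on an allow-list. The sample HTML, the placeholder hosts and the allow-list are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page (not taken from the original post): one normal
# embedded video frame, plus two injected frames hidden from the viewer.
SAMPLE_HTML = """
<html><body>
<iframe src="https://video.example/embed/123" width="640" height="360"></iframe>
<p>Page content</p>
<iframe src="http://injected.invalid/x.php" width="0" height="0" frameborder="0"></iframe>
<div><iframe src="http://injected2.invalid/y" style="visibility:hidden;position:absolute;left:-9999px"></iframe></div>
</body></html>
"""

# CSS fragments that hide a frame while it still loads its content.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|(left|top)\s*:\s*-\d{3,}", re.I)


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lowercases tag and attribute names
            self.iframes.append({k: (v or "") for k, v in attrs})


def _invisible_size(value):
    """True when a width/height attribute is 0 or 1 pixel (a common hiding trick)."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1


def suspicious_iframes(html, trusted_hosts=()):
    """Return [(src, [reasons])] for iframes that are hidden from the viewer.

    A frame counts as hidden when it is sized to 0/1 px or hidden by CSS; the
    host is reported as an extra reason when it is not in trusted_hosts.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = []
        if _invisible_size(attrs.get("width")) or _invisible_size(attrs.get("height")):
            reasons.append("zero-size frame")
        if HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden by CSS")
        if not reasons:
            continue  # visible frames are ordinary page content
        host = urlsplit(attrs.get("src", "")).hostname or ""
        if host not in trusted_hosts:
            reasons.append("untrusted host %s" % host)
        findings.append((attrs.get("src", ""), reasons))
    return findings


if __name__ == "__main__":
    for src, why in suspicious_iframes(SAMPLE_HTML, trusted_hosts={"video.example"}):
        print(src, "->", ", ".join(why))
```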

iframe-injection image

Another example of iFrame injection appears in one of our recent SonicAlerts, Adobe Flash Zero Day (CVE-2014-0502) Exploit Analysis (Feb 27, 2014).

The Dell SonicWALL Threat Research team has created multiple IPS signatures to detect malicious iFrame tags in web pages:

  • 7292 Suspicious HTML Iframe Tag 1
  • 7378 Suspicious HTML Iframe Tag 2
  • 9767 Suspicious HTML Iframe Tag 3
  • 10202 Suspicious HTML Iframe Tag 4

Parcim Trojan steals sensitive system information (March 6, 2014)

The Dell SonicWALL Threats Research team has discovered an info-stealer Trojan that is dropped onto unpatched machines as part of a drive-by attack. The attack uses the CVE-2014-0502 vulnerability, which was covered recently in a previous SonicAlert.

Infection Cycle:

The Trojan adds the following files to the filesystem:

  • %TEMP%\chrome_frame_helper.dll [Detected as GAV: Parcim.A (Trojan)]
  • %TEMP%\chrome_frame_helper.exe
  • %TEMP%\chrome_frame_info.dll
  • %TEMP%\MSMAPI.OCX [Detected as GAV: Parcim.A_2 (Trojan)]
  • %TEMP%\YahooCache.ini
  • %USERPROFILE%\Local Settings\Temp\$NtUninstallKB942388$ (contains stolen system information)

The Trojan adds the following key to the Windows registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run chrome_update “%TEMP%\chrome_frame_helper.exe”

The Trojan makes the following DNS query:

YahooCache.ini contains the following data:

The Trojan downloads an additional malicious file and saves it as MSMAPI.OCX [Detected as GAV: Parcim.A_2 (Trojan)]:

It runs MSMAPI.OCX using the following commandline:

      rundll32 %TEMP%\MSMAPI.OCX,RunProcGoa

The Trojan runs the following commands to gather system information:

      cmd.exe /C ipconfig /all
      cmd.exe /A /C rundll32 %TEMP%\MSMAPI.OCX,RunProcGoA
      cmd.exe /C net start
      cmd.exe /C tasklist
      cmd.exe /C systeminfo
      cmd.exe /C netstat -an
      cmd.exe /C net view
      cmd.exe /C dir "%userprofile%\recent"

$NtUninstallKB942388$ contains the following data derived from the commands above:

  • Windows IP Configuration
  • Data on configured network adaptors
  • A list of running services
  • Tasklist
  • Output from netstat
  • Number of processors
  • Recently run .lnk files
  • System info (OS version, processors, service pack, physical RAM etc.)
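Added example, not from the original post: a small Python detector that, run over constructed process-creation events, flags the two behaviours described above, rundll32 loading a non-DLL module such as MSMAPI.OCX from a temp directory, and a burst of host-recon commands spawned by one parent process. The pipe-separated event format, the user paths and the 60-second window are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (not from the original post), one per
# line as "timestamp|parent image|command line". The burst from the dropper
# mirrors the recon sequence described above; the first two lines are benign.
SAMPLE_EVENTS = """\
2014-03-06T10:00:01|C:\\Windows\\explorer.exe|"C:\\Program Files\\Internet Explorer\\iexplore.exe"
2014-03-06T10:00:05|C:\\Windows\\explorer.exe|cmd.exe /C ipconfig /all
2014-03-06T10:02:10|C:\\Users\\u\\AppData\\Local\\Temp\\chrome_frame_helper.exe|rundll32 C:\\Users\\u\\AppData\\Local\\Temp\\MSMAPI.OCX,RunProcGoa
2014-03-06T10:02:11|C:\\Users\\u\\AppData\\Local\\Temp\\chrome_frame_helper.exe|cmd.exe /C ipconfig /all
2014-03-06T10:02:12|C:\\Users\\u\\AppData\\Local\\Temp\\chrome_frame_helper.exe|cmd.exe /C net start
2014-03-06T10:02:13|C:\\Users\\u\\AppData\\Local\\Temp\\chrome_frame_helper.exe|cmd.exe /C tasklist
2014-03-06T10:02:14|C:\\Users\\u\\AppData\\Local\\Temp\\chrome_frame_helper.exe|cmd.exe /C systeminfo
2014-03-06T10:02:15|C:\\Users\\u\\AppData\\Local\\Temp\\chrome_frame_helper.exe|cmd.exe /C netstat -an
"""

# Built-in tools the Trojan chains to profile the host.
RECON_TOOLS = ("ipconfig", "net start", "net view", "tasklist", "systeminfo", "netstat")
# rundll32 <module>[,<entry>]: capture the module path (up to the comma).
RUNDLL_RE = re.compile(r'^\s*rundll32(?:\.exe)?\s+"?([^\s",]+)', re.I)
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.I)


def parse_events(text):
    """Parse the pipe-separated sample format into (datetime, parent, cmdline)."""
    events = []
    for line in text.splitlines():
        ts, parent, cmd = line.split("|", 2)
        events.append((datetime.fromisoformat(ts), parent, cmd))
    return events


def recon_tool(cmd):
    """Name of the recon tool a command line runs, or None."""
    low = cmd.lower()
    for tool in RECON_TOOLS:
        if tool in low:
            return tool
    return "dir recent" if re.search(r"\bdir\b.*\\recent", low) else None


def find_alerts(events, window=timedelta(seconds=60), threshold=4):
    """Return (time, parent, reason) alerts: rundll32 loading a non-.dll module
    from a temp directory, and one parent spawning `threshold` distinct recon
    tools inside `window` (reported once per parent)."""
    alerts, history, fired = [], defaultdict(list), set()
    for ts, parent, cmd in events:
        m = RUNDLL_RE.match(cmd)
        if m and TEMP_DIR_RE.search(m.group(1)) and not m.group(1).lower().endswith(".dll"):
            alerts.append((ts, parent, "rundll32 loads non-DLL module from temp: " + m.group(1)))
        tool = recon_tool(cmd)
        if tool is None:
            continue
        history[parent].append((ts, tool))
        recent = {t for t0, t in history[parent] if ts - t0 <= window}
        if len(recent) >= threshold and parent not in fired:
            fired.add(parent)
            alerts.append((ts, parent, "host recon burst: " + ", ".join(sorted(recent))))
    return alerts


if __name__ == "__main__":
    for ts, parent, reason in find_alerts(parse_events(SAMPLE_EVENTS)):
        print(ts.isoformat(), parent, reason)
```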

The stolen system information was observed being sent to a remote C&C server:

The Trojan periodically contacts the C&C server to announce its presence. It sends its internal IP address as the value for “&ClientId” and obtains its external IP address from the server:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Parcim.A (Trojan)
  • GAV: Parcim.A_2 (Trojan)

Adobe Flash Zero Day(CVE-2014-0502) Exploit Analysis (Feb 27, 2014)

Last week, the Dell SonicWALL Threats Research Team observed multiple instances of an Adobe Flash zero-day exploit targeting CVE-2014-0502.
A double-free vulnerability exists in Adobe Flash which may allow arbitrary code execution.
Adobe quickly addressed this attack by providing a security update.
We also have a detailed writeup on the malware analysis of the file downloaded after successful exploitation.

Let’s look at an in-depth analysis of the Exploit.

Attack Flow:

We can see how the iframe is injected.

When the user is redirected to the malicious iframe, the HTML contains a reference to a malicious SWF.

SWF de-compilation shows how the GIF file is loaded.

Here we can see how the exploit is fine-tuned for Windows XP and Windows 7.

The SWF also does the work of allocating the ROP chain corresponding to the checks above.

A cookie is set and checked so that the exploit executes only once.

Debugging shows how execution pivots into the ROP chain.

We can see how the urlmon module is used to download the EXE.

This EXE is copied to C: and executed.

Then there is post-infection activity.

We have implemented the following signatures to detect the attack.

  • SPY:4185 Malformed-File swf.OT.7
  • SPY:4186 Malformed-File gif.OT.1
  • SPY:2342 Malformed-File swf.MP.103
  • SPY:2344 Malformed-File swf.MP.104

Adobe Flash player installer packaged with Siromost Trojan (Feb 28, 2014)

The Dell SonicWall Threats Research Team has spotted a sample packed with a legitimate installer for Adobe Flash player (Version 10.0.12.36). Once this is executed, both the legitimate file and the malware are executed.

Since the downloaded malware arrives from the Flash player package, it is saved here:

    %AppData%\Adobe\plugin.exe [Detected as GAV: Siromost.A (Trojan)]

This malicious file is signed using an expired certificate:

Once it is executed, the malware creates the following mutex:

    \Sessions\1\BaseNamedObjects\Internet Explorer Verifier

It injects code into the system processes:

    C:\Windows\System32\dwm.exe
    C:\Windows\system32\svchost.exe

The malware sends out an initial HTTP GET request over TCP port 80:

This looks to be an authentication request which doesn’t have any system information.

The second request is sent out with the system information included:

Once the relevant system information is sent out, a similar request is sent out with an additional parameter “list”. In response to this, the C&C server responded with a jpeg file.

Here is the downloaded jpeg image:

After a series of requests are exchanged, the malware sends out the encrypted stolen system information to the C&C server.

Overall the main motive of this malware is to steal system information. The malware also downloads more files to be executed on the system. We will continue to monitor this threat and provide updates on its capabilities.

Dell SonicWALL protects against this threat with the following signatures:

  • GAV: Siromost.A (Trojan)
  • GAV: Siromost.A_2 (Trojan)

CVE 2014-0322 Malware – Sakurel (Feb 21, 2014)

The Dell SonicWall Threats Research Team has spotted the latest malware being served in the recent CVE 2014-0322 attack. We have already shared our analysis on the exploit behavior so we will now discuss the behavior of the malware payload, Sakurel.

This malware has many features and contains multiple levels of embedded files. The malware ultimately seeks to steal information and provide a backdoor to the infected system, and uses different modules to accomplish its tasks.

The file that gets dropped after exploitation, ‘stream.exe’, has fairly basic dropper behavior. The file contains an XOR-encoded binary which gets decoded and executed in memory.

Appended data de-XORed

The decoded malware contains additional embedded modules, including one that provides for privilege escalation if the current user is not an administrator.

IsAnAdmin() Check

After checking if the current process is running as an administrator, the escalation module is extracted and dropped with a .dat extension, then executed via ‘rundll32’.

Execution of the Escalation module

This DLL contains a well-known technique for escalating user privileges via the ‘sysprep’ tool. This is a UAC bypass which affects 32-bit versions of Windows 7 and Windows 8.

Once the malware has administrator privileges, it extracts an OCX file from its resources, moves a copy of its original dropped incarnation into “MicroMedia” underneath “%APPDATA%\Local\Temp”, and creates the following registry key to execute when the system boots up:

  • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroMedia: %APPDATA%\Local\Temp\MicroMedia\MediaCenter.exe

Once the malware has acquired sufficient access and achieved persistence on the machine, the Windows ‘hosts’ file is modified to redirect a number of domains to IP addresses controlled by the attackers. These strings from the binary show the domains the attackers are redirecting:

The following strings, which include command and control domains and paths, are encoded in the binary with the XOR key 0x56:

Overall the main motive of this malware is to steal user credentials from the targeted domains. The malware also provides full backdoor access to the system via the command and control structure. We will continue to monitor this threat and provide updates on its capabilities.
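Added example, not the post's own tooling: single-byte XOR decoding of a NUL-separated string table like the one described above, plus recovery of the key when it is not known. The table below is constructed with placeholder domains and paths rather than the real indicators; applying the same routine to the XOR-encoded payload inside stream.exe assumes that key is also a single byte, which the post does not state.

```python
# Byte values a decoded C&C string (domain, URL path, file name) is expected
# to consist of; NUL is the separator between strings in the table.
EXPECTED = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./-_:?=&\x00")


def xor_bytes(data, key):
    """XOR every byte with a single-byte key; encoding and decoding are the same step."""
    return bytes(b ^ key for b in data)


def decode_strings(blob, key):
    """Decode a NUL-separated string table with the given single-byte key."""
    return [s.decode("ascii", "replace") for s in xor_bytes(blob, key).split(b"\x00") if s]


def guess_key(blob):
    """Recover an unknown single-byte key: try all 256 candidates and keep the
    one whose output has the most bytes in EXPECTED (a printable-text heuristic;
    only the true key leaves every byte inside that set)."""
    return max(range(256), key=lambda k: sum(b in EXPECTED for b in xor_bytes(blob, k)))


# Constructed sample (placeholder names, not the real indicators): a string
# table in the shape described above, encoded with the key 0x56 from the post.
PLAIN_STRINGS = [b"c2-a.placeholder.invalid", b"/update/index.php",
                 b"c2-b.placeholder.invalid", b"/tmp/cache/info.dat"]
SAMPLE_BLOB = xor_bytes(b"\x00".join(PLAIN_STRINGS), 0x56)


if __name__ == "__main__":
    key = guess_key(SAMPLE_BLOB)
    print("recovered key: 0x%02x" % key)
    for s in decode_strings(SAMPLE_BLOB, key):
        print(" ", s)
```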

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Sakurel.EX (Trojan)

Internet Explorer Zero Day(CVE-2014-0322) Exploit Analysis (Feb 21, 2014)

Last week, we reported our Preliminary analysis of Internet Explorer Zero Day Exploit targeting CVE-2014-0322.
This article is a continuation of our analysis.
We also have a detailed writeup on Malware analysis of dropped Binaries.

Attack Flow

In the SWF de-compilation below, we can see another file, Erido.jpg, being downloaded; it contains the bytes used to drop malware after the vulnerability is successfully exploited.

Here is the crash point which shows mshtml.dll,

The following sequence of functions is called in the context of IE which shows Exploit is successful.

Sqlrenew.txt dropped in Temp Folder

Stream.exe dropped in Temp Folder

Control is observed executing from the 0x1a1bXXXX address range, and multiple WriteFile calls perform the respective file write operations.

We can see below that the module sqlrenew.txt is loaded. When the user exits IE, stream.exe is spawned as a process.

The following is our detection coverage.

  • IPS:6315 HTTP Client Shellcode Exploit 11a
  • IPS:7454 HTTP Client Shellcode Exploit 35a
  • GAV: CVE-2014-0322#swf (Exploit)
  • GAV: CVE-2014-0322#html (Exploit)

Another AutoIt compiled Worm enters the Malware scene (February 14, 2014)

The Dell Sonicwall Threats Research Team received reports of an AutoIt Script compiled Worm that gathers sensitive information from the victim machine and transmits it to a remote server via FTP. The stolen information may include browsing history, device hardware profile, ARP table, network configuration and periodically taken screen captures.

AutoIt is a popular scripting language for Windows that has been around for more than two decades. Ease of use is one of the main reasons for its popularity among developers, and the same reason has attracted malware writers to use this language more and more over the past few years. We have seen a rising trend of AutoIt-compiled malware over the past few years, and this trend is not likely to drop in the foreseeable future.

Infection Cycle

The Worm drops a copy of itself at the following location:

  • %Administrator%\Start Menu\Programs\StartUp\LoveU.exe [Copy of itself]

It creates the following process to disable the system firewall:

  • C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable

It shows the following message box, which disappears after a few moments:

The Worm then starts gathering information about the system and stores this information locally. The following table shows the commands and the corresponding files that save the relevant information:

Additional information about the victim’s machine is saved as follows:

The Worm then opens an FTP connection to koko[xxxxxx].com and sends this information to the server. Once sent, it deletes these files from the system.

The Worm has the following additional capabilities:

  • Scan for available removable drives and drops the malicious files onto them to spread further

  • Capture screenshot of the system

  • Send Mail from the system

Overall the main motive of this Worm is to gather information about the victim system and send it over to the attacker. We will continue to monitor this threat to see if further additions are made to increase its arsenal of capabilities.

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Fucom.A (Worm)

Latest Internet Explorer Zero Day (CVE-2014-0322) Exploited In The Wild (Feb 14, 2014)

The Dell SonicWALL Threats Research Team has spotted the latest zero-day exploiting the vulnerability CVE-2014-0322.
This exploit targets Internet Explorer 10 and contains specially crafted JavaScript that causes a use-after-free condition.
The exploit was being served from an infected website which has since taken down the malicious HTML.

The following shows the structure of the exploit.

Here an ActiveXObject is instantiated.

We can see the code for the memory corruption.

Here the function puIHa3 checks for the presence of a DLL, followed by a reference to the SWF file.
We can also see that the exploit specifically checks for the presence of IE 10.

The SWF file uses ExternalInterface to invoke puIHa3 in the JavaScript above.

The SWF is also responsible for allocating further bytes to carry out successful exploitation.

We have implemented the following signatures to detect the attack.

  • IPS: 6315 HTTP Client Shellcode Exploit 11a
  • IPS: 7454 HTTP Client Shellcode Exploit 35a
  • GAV: CVE-2014-0322#swf (Exploit)
  • GAV: CVE-2014-0322#html (Exploit)

Microsoft Security Bulletin Coverage (Feb 11, 2014)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of February, 2014. A list of issues reported, along with Dell SonicWALL coverage information follows:

MS14-005 Vulnerability in Microsoft XML Core Services Could Allow Information Disclosure (2916036)

  • CVE-2014-0266 MSXML Information Disclosure Vulnerability
    IPS: 5933 Microsoft XML Core Services Information Disclosure (MS14-005)

MS14-006 Vulnerability in IPv6 Could Allow Denial of Service (2904659)

  • CVE-2014-0254 TCP/IP Version 6 (IPv6) Denial of Service Vulnerability
    There are no known exploits in the wild.

MS14-007 Vulnerability in Direct2D Could Allow Remote Code Execution (2912390)

  • CVE-2014-0263 Microsoft Graphics Component Memory Corruption Vulnerability
    IPS: 5927 Microsoft Graphics Component Memory Corruption (MS14-007)

MS14-008 Vulnerability in Microsoft Forefront Protection for Exchange Could Allow Remote Code Execution (2927022)

  • CVE-2014-0294 RCE Vulnerabilities
    There are no known exploits in the wild.

MS14-009 Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2916607)

  • CVE-2014-0253 POST Request DoS Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-0257 Type Traversal Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-0295 VSAVB7RT ASLR Vulnerability
    There are no known exploits in the wild.

MS14-010 Cumulative Security Update for Internet Explorer (2909921)

  • CVE-2014-0268 Internet Explorer Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-0271 VBScript Memory Corruption Vulnerability
    IPS: 9997 Windows IE VBScript Memory Corruption Vulnerability (MS14-010)
  • CVE-2014-0293 Internet Explorer Cross-domain Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-0267 Internet Explorer Memory Corruption Vulnerability
    IPS: 5707 Windows IE Memory Corruption Vulnerability (MS14-010) 1
  • CVE-2014-0269 Internet Explorer Memory Corruption Vulnerability
    IPS: 5708 Windows IE Memory Corruption Vulnerability (MS14-010) 18
  • CVE-2014-0270 Internet Explorer Memory Corruption Vulnerability
    IPS: 5709 Windows IE Memory Corruption Vulnerability (MS14-010) 19
  • CVE-2014-0272 Internet Explorer Memory Corruption Vulnerability
    IPS: 7633 HTTP Client Shellcode Exploit 80
  • CVE-2014-0273 Internet Explorer Memory Corruption Vulnerability
    IPS: 9998 Windows IE Memory Corruption Vulnerability (MS14-010) 2
  • CVE-2014-0274 Internet Explorer Memory Corruption Vulnerability
    IPS: 5734 Windows IE Memory Corruption Vulnerability (MS14-010) 3
  • CVE-2014-0275 Internet Explorer Memory Corruption Vulnerability
    IPS: 5774 Windows IE Memory Corruption Vulnerability (MS14-010) 7
  • CVE-2014-0276 Internet Explorer Memory Corruption Vulnerability
    IPS: 5747 Windows IE Memory Corruption Vulnerability (MS14-010) 4
  • CVE-2014-0277 Internet Explorer Memory Corruption Vulnerability
    IPS: 5781 Windows IE Memory Corruption Vulnerability (MS14-010) 8
  • CVE-2014-0278 Internet Explorer Memory Corruption Vulnerability
    IPS: 5782 Windows IE Memory Corruption Vulnerability (MS14-010) 9
  • CVE-2014-0279 Internet Explorer Memory Corruption Vulnerability
    IPS: 5795 Windows IE Memory Corruption Vulnerability (MS14-010) 11
  • CVE-2014-0280 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-0281 Internet Explorer Memory Corruption Vulnerability
    IPS: 5914 Windows IE Memory Corruption Vulnerability (MS14-010) 14
  • CVE-2014-0283 Internet Explorer Memory Corruption Vulnerability
    IPS: 5920 Windows IE Memory Corruption Vulnerability (MS14-010) 15
  • CVE-2014-0284 Internet Explorer Memory Corruption Vulnerability
    IPS: 5805 Windows IE Memory Corruption Vulnerability (MS14-010) 12
  • CVE-2014-0285 Internet Explorer Memory Corruption Vulnerability
    IPS: 5925 Windows IE Memory Corruption Vulnerability (MS14-010) 16
  • CVE-2014-0286 Internet Explorer Memory Corruption Vulnerability
    IPS: 5894 Windows IE Memory Corruption Vulnerability (MS14-010) 13
  • CVE-2014-0287 Internet Explorer Memory Corruption Vulnerability
    IPS: 5926 Windows IE Memory Corruption Vulnerability (MS14-010) 17
  • CVE-2014-0288 Internet Explorer Memory Corruption Vulnerability
    IPS: 5793 Windows IE Memory Corruption Vulnerability (MS14-010) 10
  • CVE-2014-0289 Internet Explorer Memory Corruption Vulnerability
    IPS: 5764 Windows IE Memory Corruption Vulnerability (MS14-010) 6
  • CVE-2014-0290 Internet Explorer Memory Corruption Vulnerability
    IPS: 5748 Windows IE Memory Corruption Vulnerability (MS14-010) 5

MS14-011 Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (2928390)

  • CVE-2014-0271 VBScript Memory Corruption Vulnerability
    IPS: 9997 Windows IE VBScript Memory Corruption Vulnerability (MS14-010)