Analysis of Latest Adobe Flash Vulnerability CVE-2014-0497 (Feb 7, 2014)

Dell Sonicwall Threats Research Team has analyzed an Integer Underflow Vulnerability (CVE-2014-0497) in Adobe Flash.
This is the latest vulnerability that affects Flash Player versions before 12.0.0.44 and 11.2.202.336.

The Flash specification supports three file formats: ZWS (LZMA compression), CWS (Zlib compression), and FWS (uncompressed).

Flash also supports ActionScript bytecode embedded in a Flash file, which is run by the ActionScript Virtual Machine.
This vulnerability can be triggered by malformed ActionScript bytecode, as shown in the following disassembly.
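To make the three container formats concrete, here is an added Python example (not code from the original alert or from Adobe) that unwraps FWS, CWS and ZWS files and checks the declared uncompressed length against what actually decompresses, a mismatch being one of the cheap sanity checks worth applying to a suspect SWF before handing it to a deeper parser. The header layout used (3-byte signature, version byte, little-endian uncompressed length; for ZWS a further 4-byte compressed length and 5-byte LZMA properties block) follows the published SWF file format. The sample body bytes and the build_swf helper are constructed for this demonstration, and the value the builder writes into the ZWS compressed-length field is an assumption; the decoder does not rely on it.

```python
import lzma
import struct
import zlib

# 8-byte SWF header: 3-byte signature, 1-byte version, little-endian uncompressed length
SWF_HEADER = struct.Struct("<3sBI")
# ZWS only: little-endian compressed length, LZMA properties byte, little-endian dictionary size
ZWS_EXTRA = struct.Struct("<IBI")


def lzma_filters_from_props(props: int, dict_size: int) -> list:
    """Turn the LZMA properties byte (lc/lp/pb packed as (pb*5+lp)*9+lc) and the
    dictionary size from a ZWS header into a python-lzma raw LZMA1 filter chain."""
    lc = props % 9
    lp = (props // 9) % 5
    pb = props // 45
    return [{"id": lzma.FILTER_LZMA1, "dict_size": dict_size, "lc": lc, "lp": lp, "pb": pb}]


def unwrap_swf(data: bytes) -> dict:
    """Return the decompressed SWF body plus header facts and a length sanity flag."""
    if len(data) < SWF_HEADER.size:
        raise ValueError("too short to be a SWF")
    signature, version, declared_len = SWF_HEADER.unpack_from(data, 0)
    if signature == b"FWS":
        body = data[SWF_HEADER.size:]
    elif signature == b"CWS":
        body = zlib.decompress(data[SWF_HEADER.size:])
    elif signature == b"ZWS":
        if len(data) < SWF_HEADER.size + ZWS_EXTRA.size:
            raise ValueError("truncated ZWS header")
        _compressed_len, props, dict_size = ZWS_EXTRA.unpack_from(data, SWF_HEADER.size)
        # The compressed-length field is deliberately not trusted: everything after the
        # 17-byte header is fed to the raw LZMA1 decoder, which stops at the end marker.
        decoder = lzma.LZMADecompressor(format=lzma.FORMAT_RAW,
                                        filters=lzma_filters_from_props(props, dict_size))
        body = decoder.decompress(data[SWF_HEADER.size + ZWS_EXTRA.size:])
    else:
        raise ValueError("unknown SWF signature %r" % signature)
    return {
        "signature": signature.decode("ascii"),
        "version": version,
        "declared_len": declared_len,
        "actual_len": SWF_HEADER.size + len(body),
        # the declared length covers the 8-byte header plus the uncompressed body
        "length_ok": declared_len == SWF_HEADER.size + len(body),
        "body": body,
    }


def build_swf(body: bytes, signature: str, version: int = 10, declared_len=None) -> bytes:
    """Constructed fixture builder (not part of any real tool): wrap a body in the
    requested container; declared_len can be overridden to simulate a malformed header."""
    total = SWF_HEADER.size + len(body) if declared_len is None else declared_len
    if signature == "FWS":
        return SWF_HEADER.pack(b"FWS", version, total) + body
    if signature == "CWS":
        return SWF_HEADER.pack(b"CWS", version, total) + zlib.compress(body)
    if signature == "ZWS":
        dict_size = 1 << 16
        lc, lp, pb = 3, 0, 2
        filters = [{"id": lzma.FILTER_LZMA1, "dict_size": dict_size, "lc": lc, "lp": lp, "pb": pb}]
        packed = lzma.compress(body, format=lzma.FORMAT_RAW, filters=filters)
        props = (pb * 5 + lp) * 9 + lc
        # assumption: the compressed-length field holds the LZMA payload length
        return (SWF_HEADER.pack(b"ZWS", version, total)
                + ZWS_EXTRA.pack(len(packed), props, dict_size) + packed)
    raise ValueError(signature)


# Constructed sample body: a plausible-looking but meaningless tag stream, repeated so
# that the compressed containers have something to compress.
SAMPLE_BODY = (b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00"
               + b"\x43\x02\xff\xff\xff" * 8 + b"\x00\x00")

if __name__ == "__main__":
    for kind in ("FWS", "CWS", "ZWS"):
        info = unwrap_swf(build_swf(SAMPLE_BODY, kind))
        print(kind, info["version"], info["declared_len"], info["actual_len"], info["length_ok"])
```

Because the ZWS path decompresses every byte after offset 17 and stops at the LZMA end marker, it is insensitive to how a given writer interpreted the compressed-length field; the length_ok flag is the signal to act on when triaging a file that claims one size and decompresses to another.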

We observed the following crashes while debugging both IE and Flash Player.

A remote attacker can exploit this vulnerability by crafting a malformed SWF file, causing arbitrary code execution.

We have implemented the following signatures to detect the attack.

  • IPS: 9996 Thirdbase C&C Traffic
  • GAV: 16454 Malformed.swf.MP.91
  • GAV: 36030 Malformed.swf.MP.92
  • GAV: 36037 Malformed.swf.MP.93

Neutrino Exploit Kit drive by attack (Feb 7, 2014)

The Dell SonicWALL Threats Research team analyzed a drive by attack involving the Neutrino Cyber-crime exploit kit which leads to the download of additional malware on the target system upon successful exploit run. The malware in this case is a Backdoor Trojan – Pakes.ADDS.

The Neutrino Exploit Kit is yet another web-based Cyber-crime exploit kit that emerged early last year with exploit payloads targeting multiple Java vulnerabilities. Like many other web-based exploit kits, it utilizes browser plugin detectors to identify target system environment which includes versions of browser, Java, Adobe Flash, Adobe Reader etc. The targeted exploit payload is then served based on the identified vulnerable application leading to malware infection. The Neutrino exploit kit follows the standard exploit flow cycle but it has a unique feature of segregating the highly obfuscated JavaScript code and the Plugin detect code in an attempt to evade AV detection.

Below is a sample of the web requests made from the target machine during the Neutrino Exploit Kit infection cycle:

The Neutrino Exploit Kit follows the same business model as the now obsolete Blackhole Exploit Kit. Based on information from an underground forum, the author offers to rent hosted Exploit Kit servers at $40 USD per day, $150 USD per week, and $450 USD per month.

Upon successful exploitation in our test case, the Exploit Kit served a malicious .NET executable that was downloaded and executed on the target machine.

The downloaded file uses the following icon:

The following image shows how the malicious payload is decrypted and executed by the .NET executable.

It attempts to connect to a remote server khalidandrozay.ru and sends stolen information from the victim machine.

It also creates a scheduled task named Windows Update Check that runs the dropped malware executable at Windows logon, as seen below:

    C:\Windows\System32\schtasks.exe /CREATE /SC ONLOGON /TN "Windows Update Check – " /TR "C:\Program Files\Common Files\dkfnvkunv99450495i49oisxcdlvd.exe" /RL HIGHEST

Dell SonicWALL UTM appliance provides protection against this threat with the following signature:

  • GAV: Pakes.ADDS (Trojan)

Yet another attack targeting Java vulnerability CVE-2013-2465 (Feb 5, 2014)

Dell SonicWALL threat research team has observed another live malware exploiting CVE-2013-2465 in the wild. The vulnerability allows remote attackers to bypass the Java sandbox via vectors related to “Incorrect image channel verification” in 2D.

When a victim is lured to visit the malicious website http://sxxxxxxxxxxxxxxxx.br, the browser downloads obfuscated JavaScript files, for example:

The de-obfuscated JavaScript looks like the following; it determines the JRE version:

Other JavaScript files use different functions, and eventually different malicious files are downloaded according to the configuration of the victim’s machine.

We’ve analyzed the downloaded jnlp file and Java applet. The jnlp file itself leverages another exploit, the Unsigned Applet Restriction Bypass Weakness, which bypasses the Java security warning. This flaw was fixed in the Java 1.7.21 update.

The Java applet is highly obfuscated too:

It first tries to exploit the vulnerability in SinglePixelPackedSampleModel. The decompiled code looks like:

A successful exploit sets the Java SecurityManager to null, which disables the sandbox.

Then it tries to download copy.exe.

In the end, copy.exe is executed by calling:

rundll32 url.dll,FileProtocolHandler "C:\DOCUME~1\USERNAME\LOCALS~1\Temp\Copy.exe"

Dell SonicWALL has released several signatures to detect and block specific exploitation attempts targeting this vulnerability. The signatures are listed below:

  • Anti-SPY: Malformed-File class.TL.39
  • GAV: Malformed.class.MT.3
  • GAV: Malformed.jar.TL.4
  • GAV: Malformed.jar.TL.5
  • GAV: Pakes.ADDS

IceFog cyber-espionage group targets US companies (Jan 31, 2014)

The Dell Sonicwall Threats Research team received a Java exploit sample that is now part of the long running IceFog APT (Advanced Persistent Threat) campaign. This sample communicates with one of the IceFog command & control servers and sends information about the victim system while waiting for commands from the server.

The IceFog APT campaign started in 2011 and was seen actively targeting supply chain organizations to government institutions, defense industry contractors, telecom operators, etc., mainly in South Korea and Japan. This cyber-espionage group went inactive after the campaign was exposed in September last year, only to resurface with recent attacks against three major U.S. based oil companies using a new Java based IceFog variant.

Infection Cycle
The Trojan adds the following key to the Windows registry to enable start-up after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run JavaUpdate "%TEMP%\update.jar" [ copy of itself ]

The majority of the malicious code resides in the function ToolFun within the JavaTool class of the jar file.

The Malware contacts the server lingdona.com and sends the victim machine’s information to the server; this information includes the list of tasks running on the victim machine at that point, as shown below:

The Malware creates a hash to uniquely identify each victim, based on the hostname, and appends this hash to the POST URL parameter title when sending the information back to the server.

The Malware has the capabilities to listen and execute the following commands from the server:

The IceFog campaign has been active since 2011, and over the years there have been a number of changes in how the Malware communicates with the server. The current IceFog Java variant is being dubbed JavaFog in security circles. This JavaFog variant is essentially a backdoor with the capability to supply victim machine information to the attacker. It remains to be seen whether there will be further enhancements to this variant.

As of this writing, the domain lingdona.com has been sink-holed and is being monitored by Kaspersky to further track activity pertaining to this campaign.

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Java.IceFog (Exploit)
  • IPS: Java IceFog Infection Activity

EMC CMCNE Directory Traversal Vulnerability (Jan 30, 2014)

EMC Connectrix Manager Converged Network Edition (CMCNE) is a centralized management tool of the SAN environments and other product configuration applications. It can be used to control and protect user passwords and port access; monitor port-level statistics; and automatically record system events and networked storage fabric configuration changes.

CMCNE incorporates WildFly, formerly known as JBoss, for its custom web applications. JBoss provides a full Java Enterprise Edition (JEE) stack. The web application module access provided by CMCNE has the following format:

   [filename] [directory]   

An arbitrary file upload vulnerability exists in the EMC Connectrix Manager Converged Network Edition (CMCNE). An unauthenticated user can make use of this vulnerability to copy any file of any type to an arbitrary location on the server, which can lead to information disclosure, denial of service, and eventually arbitrary code execution when combined with other features or vulnerabilities of the product.

Dell SonicWALL Threat team has researched this vulnerability and released the following IPS signatures to address this issue.

  • 5550 EMC CMCNE Directory Traversal 1
  • 5630 EMC CMCNE Directory Traversal 2

This vulnerability has been assigned CVE-2013-6810.

A closer look at XtremeRATs Keylogger component (Jan 24, 2014)

The Dell Sonicwall Threats Research team has looked at the keylogger component of the XtremeRAT Trojan. The Trojan was previously in the news for being used in attacks against government networks in late 2012. The sample we analysed uses a component called Xtremekeylogger and has the ability to monitor keystrokes and steal clipboard data. It also steals gaming related data if installed on the system.

Infection cycle:

The Trojan adds the following files to the filesystem:

  • %WINDIR%\InstallDir\Server.exe [Detected as GAV: Remtasu.G (Trojan)]
  • %APPDATA%\oAWLX69iDGJRzoPkEX.dat [keylog file]

The Trojan adds the following keys to the Windows registry:

  • HKEY_USERS\S-1-5-21-448539723-1682526488-839522115-1003\Software\XtremeRAT Mutex hex(2):6f,41,57,4c,58,36,39,69,44,47,4a,52,7a,6f,50,6b,45,58,00, ("oAWLX69iDGJRzoPkEX")
  • HKEY_USERS\S-1-5-21-448539723-1682526488-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dat
  • HKEY_CURRENT_USER\Software\oAWLX69iDGJRzoPkEX ServerStarted hex(2):31,37,2f,30,31,2f,32,30,31,34,20,31,35,3a,31,35,3a,31,33,00, ("17/01/2014 15:15:13")
  • HKEY_CURRENT_USER\Software\XtremeRAT Mutex hex(2):6f,41,57,4c,58,36,39,69,44,47,4a,52,7a,6f,50,6b,45,58,00, ("oAWLX69iDGJRzoPkEX")
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dat
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run HKCU hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,49,6e,73,74,61,6c,6c,44,69,72,5c,53,65,72,76,65,72,2e,65,78,65,00, ("C:\WINDOWS\InstallDir\Server.exe")

The Trojan injects code [Detected as GAV: Remtasu.G (Trojan)] into a new instance of svchost and firefox (if installed). It then initiates the code using the CreateRemoteThread API call:

The Trojan then uses built-in Windows APIs to set up keystroke logging hooks and start Xtremekeylogger:

The Xtremekeylogger component monitors keystroke and clipboard activity and stores the data in oAWLX69iDGJRzoPkEX.dat. The file is encrypted:

The encryption algorithm is nothing but a single-byte XOR with an 8-bit key (0x13). We were easily able to decrypt the file and expose the data, which is stored in HTML format:
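As an added illustration (not code from the original alert) of how little work that scheme leaves an analyst, the following Python recovers the keylog contents: with the key known it is a one-line XOR, and when it is not, all 256 candidate keys are tried and the one whose output looks most like HTML is chosen, which generalises the observation above to any single-byte XOR keylog. The sample log bytes are constructed here by encrypting a made-up HTML fragment with 0x13; the HTML_MARKERS list and the plaintext_score ranking are assumptions of this example, not anything recovered from XtremeRAT.

```python
from typing import Optional

KNOWN_KEY = 0x13  # the key reported in the analysis above

# Byte strings a decrypted Xtremekeylogger log should contain, given that it is HTML.
# (assumed marker set for this example)
HTML_MARKERS = (b"<html", b"<body", b"<br", b"</")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one 8-bit key; the same call encrypts and decrypts."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key for b in data)


def plaintext_score(candidate: bytes) -> int:
    """Rank a candidate decryption: +1 per printable byte, +10 per HTML marker hit."""
    printable = sum(1 for b in candidate if 32 <= b < 127 or b in (9, 10, 13))
    markers = sum(candidate.count(m) for m in HTML_MARKERS)
    return printable + 10 * markers


def recover_key(ciphertext: bytes) -> int:
    """Brute-force all 256 single-byte keys and return the best-scoring one."""
    return max(range(256), key=lambda k: plaintext_score(xor_bytes(ciphertext, k)))


def decrypt_keylog(ciphertext: bytes, key: Optional[int] = None) -> bytes:
    """Decrypt a keylog file; when no key is supplied, recover it first."""
    if key is None:
        key = recover_key(ciphertext)
    return xor_bytes(ciphertext, key)


# Constructed sample: a made-up HTML keylog encrypted with the reported key. A real
# oAWLX69iDGJRzoPkEX.dat would be read from disk with open(path, "rb").read().
SAMPLE_PLAINTEXT = (b"<html><body>[Untitled - Notepad]<br>hello world<br>"
                    b"[clipboard] pasted text<br></body></html>")
SAMPLE_KEYLOG = xor_bytes(SAMPLE_PLAINTEXT, KNOWN_KEY)

if __name__ == "__main__":
    found = recover_key(SAMPLE_KEYLOG)
    print("recovered key: 0x%02x" % found)
    print(decrypt_keylog(SAMPLE_KEYLOG, found).decode("ascii"))
```

The marker bonus is what makes the brute force decisive: a wrong key can occasionally produce mostly printable bytes, but it cannot reproduce exact tag strings, so the true key wins by a wide margin on any log that is genuinely HTML.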

The infected svchost instance was observed checking for the presence of popular games on the system:

Although the sample we analysed did not produce any network activity, it can be assumed that the file is sent to a remote server later on.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Remtasu.G (Trojan)
  • GAV: Remtasu.A (Trojan)

Microsoft Windows IE Vulnerability (CVE-2013-2551) attacks spotted in the wild (January 23, 2014)

Dell Sonicwall Threats Research team has found the Internet Explorer vulnerability CVE-2013-2551 still being exploited in the wild. This use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object.

This vulnerability has already been patched.

Following is an in-depth analysis of the attack.

Below is the crash code:

Due to this vulnerability, the attacker is able to control data in memory; in this case it is read from address 0x0c0c0c0c.

The crash point:

The malicious JavaScript used to create the ROP chain is as follows:

We can see how the ROP chain translates into memory.

The stack trace:

We can see how the memory 0x0c0c0c0c is being written into.

Dell SonicWALL protects against this threat with the following signatures:

  • IPS: 9897 Windows IE VML shape object Memory Corruption 1 (MS13-037)
  • IPS: 9915 Windows IE VML shape object Memory Corruption 2 (MS13-037)

Noisy Spam Malware – New Cutwail Variant (Jan 16, 2014)

    Updated 01/21/2014

    The Dell SonicWall Threats Research team came across an aggressive spam bot that appears to be a newer variant of Cutwail, being actively served in the wild by compromised WordPress websites. The malware arrives via drive-by download and upon infection facilitates spamming of other malware families from the victim machine as instructed by the Command & Control server. The malware generates a lot of traffic on the network in what looks like an attempt to hide the integrated Tepfer infostealer’s data exfiltration and other command and control communications.

    Infection Cycle:

    Upon execution, the malware creates an environment variable named %SPK% with the integer value ‘3’, which is checked before proceeding with unpacking the embedded resource.


    %SPK% is set to ‘3’


    %SPK% is checked before the embedded PNG is read and decoded.

    After memory space is allocated within the current process, the PNG is decoded into the region and execution is transferred. The malware then creates a mutex named ‘huxdeacotlag’ to prevent reinfection attempts and creates a registry key to automatically execute a copy of itself, which is dropped into the user’s home directory:

    • HKCU\software\microsoft\windows\currentversion\run\huxdeacotlag
    • %USERPROFILE%\huxdeacotlag.exe [Detected as GAV: Wigon.PH_44 (Trojan)]

    The malware was seen creating additional random mutexes:

    • Run 1
      • Creates mutex: bqqtoqd92636
      • Creates mutex: faxdkmk85433
      • Creates mutex: jhxejwv40484
      • Creates mutex: nafky68023
      • Creates mutex: sopnl31793
    • Run 2
      • Creates mutex: bddjgc5987
      • Creates mutex: cxiozk77429
      • Creates mutex: jhxejwv40484
      • Creates mutex: nafky68023

    The malware is capable of infecting both 32-bit and 64-bit versions of various Microsoft Windows operating systems. We saw the malware checking for the following upon execution:

    • IsWow64Process
    • UndefinedOS
    • Win8
    • WinServer2012
    • Win7
    • WinServer2008R2
    • WinServer2008
    • Vista
    • WinHomeServer
    • WinServer2003R2
    • WinServer2003
    • WinXP64
    • WinXP
    • Win2K

    The primary process checks for Internet connectivity as well as unfiltered access on the SMTP port by attempting to connect to the following mail servers:

    • smtp.compuserve.com
    • mail.airmail.net
    • smtp.directcon.net
    • smtp.sbcglobal.yahoo.com
    • smtp.mail.yahoo.com
    • smtp.live.com

    Following a successful check of network access, the malware downloads a second stage file, spawns several instances of svchost.exe, and injects malicious code into them. If no SMTP access is found, it will not launch the spam module. If all checks are successful, we have seen between three and five svchost processes spawned.


    Three svchost.exe processes spawned directly from the main malware process.


    The svchost.exe processes performing network communications.

    The first instance appears responsible for generating a majority of the decoy traffic. It contains a large list of realistic User Agent strings that are used for the decoy requests.


    Some of the decoy requests seen.

    The second injected component appears to be a well known infostealer family – Tepfer. This module is responsible for stealing user credentials with a focus on FTP and e-mail accounts. It exits upon checking all possible applications for credentials. More detailed analysis for this family can be found in our previous SonicAlerts on Tepfer. The following is a list of applications the malware checks for credentials to steal:

      FTP/Remote File Access

      • Far Manager
      • Ghisler Windows Commander
      • Ghisler Total Commander
      • Ipswitch WS_FTP
      • GlobalSCAPE CuteFTP
      • FlashFXP
      • FileZilla Client
      • FTP Navigator
      • FTP Commander
      • BulletProof FTP Client
      • TurboFTP
      • Sota FFFTP
      • CoffeeCup Software
      • FTPWare COREFTP
      • FTP Explorer
      • Frigate3
      • VanDyke SecureFX
      • UltraFXP
      • FTPRush
      • Cryer WebSitePublisher
      • BitKinex
      • ExpanDrive
      • NCH Software ClassicFTP
      • SoftX.org FTPClient
      • GPSoftware Directory Opus
      • CoffeeCup Software
      • LeapFTP
      • NetDrive
      • South River Technologies WebDrive
      • AceBit
      • Wise FTP
      • FTPVoyage
      • Leech FTP
      • WinFTP
      • FTPGetter
      • Estsoft ALFTP
      • Internet Explorer
      • Deluxe FTP
      • Staff-FTP
      • Blaze FTP
      • Fresh FTP
      • Global Downloader
      • FTP++
      • GoFTP
      • 3D-FTP
      • EasyFTP
      • NetSarang
      • FTP Now
      • Robo-FTP
      • LinasFTP
      • Cyberduck
      • NppFTP
      • FTPShell
      • MAS-Soft FTPInfo
      • WinZip
      • NovaFTP

      Browsers

      • FireFox
      • Flock Browser
      • Opera
      • Chrome
      • Chromium
      • Bromium
      • Nichrome
      • Comodo
      • RockMelt
      • K-Meleon
      • FastStone Browser
      • ChromePlus

      Mail Clients

      • Windows Mail
      • Windows Live Mail
      • IncrediMail
      • Pocomail
      • The Bat!
      • Microsoft Outlook
      • ThunderBird

      Other

      • PuTTY

      We are still investigating the full functionality of the last module injected into svchost.exe, but it appears to be the module that performs the spamming. This module has also been seen running in multiple svchost processes simultaneously. We will provide an update with more information on this module’s functionality.

      Among the many HTTP requests observed, it seemed that the amount of traffic may be an attempt to obscure a smaller number of interesting communications. This response from ‘budbad.com’ featured a very large HTML comment of data in base64 encoding, and the comment itself is at the end of a very long and boring looking HTML page. Further analysis has confirmed this is the encrypted second stage that is downloaded before svchost.exe processes are spawned:
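The hiding place described above (a large base64 blob inside an HTML comment at the bottom of an otherwise ordinary page) is cheap to hunt for in proxy captures. The following Python is an added example, not code from the original alert and not the malware's own decoder: it pulls every HTML comment out of a page, keeps those that are long and base64-valid, decodes them and reports the Shannon entropy of the result, since an encrypted second stage sits near 8 bits per byte while real text does not. The page, the comment and the stand-in payload bytes are all constructed for this example, and the 256-character threshold is an assumption to tune.

```python
import base64
import binascii
import math
import re

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# a base64 body: alphabet characters followed by at most two padding characters
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_base64_comments(html: str, min_encoded_len: int = 256) -> list:
    """Return decoded payloads hidden in HTML comments that are long and base64-valid."""
    hits = []
    for m in COMMENT_RE.finditer(html):
        compact = re.sub(r"\s+", "", m.group(1))  # tolerate line-wrapped base64
        if len(compact) < min_encoded_len or not B64_RE.match(compact):
            continue
        try:
            raw = base64.b64decode(compact, validate=True)
        except (binascii.Error, ValueError):
            continue  # looked like base64 but did not decode cleanly
        hits.append({
            "offset": m.start(),           # where in the page the comment starts
            "encoded_len": len(compact),
            "decoded": raw,
            "entropy": shannon_entropy(raw),
        })
    return hits


# Constructed stand-in for the encrypted second stage: 512 bytes with a flat byte
# histogram, so its entropy is exactly 8.0 bits per byte.
SECOND_STAGE = bytes(range(256)) * 2

# Constructed page: a short benign comment, pages of filler, and the blob at the end.
FILLER = "<p>" + "Lorem ipsum dolor sit amet. " * 40 + "</p>\n"
SAMPLE_PAGE = ("<html><head><title>Welcome</title></head><body>\n"
               "<!-- generated by example cms -->\n"
               + FILLER * 20
               + "<!--\n" + base64.b64encode(SECOND_STAGE).decode("ascii") + "\n-->\n"
               "</body></html>\n")

if __name__ == "__main__":
    for hit in find_base64_comments(SAMPLE_PAGE):
        print("comment at byte %d: %d base64 chars -> %d bytes, entropy %.2f"
              % (hit["offset"], hit["encoded_len"], len(hit["decoded"]), hit["entropy"]))
```

Run against a saved HTTP response body the same function yields the blob for offline analysis; the benign CMS comment in the sample is skipped by the length gate, which is what keeps this from firing on ordinary templating noise.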

      Below is a small sample of SMTP and HTTP connections observed making up the decoy traffic.

      • 144.76.136.216:25
      • 321equipment.com:80 (74.86.251.210)
      • 78rpm.net:80 (210.172.144.178)
      • absolument-feminin.com:25 (46.105.105.199)
      • absolument-feminin.com:80 (46.105.105.199)
      • coe.pku.edu.cn:80 (162.105.5.245)
      • dkhw.de:25 (213.239.241.139)
      • dkhw.de:80 (213.239.241.139)
      • esra.edu:80 (87.98.251.33)
      • fotowork.ca:25 (74.208.96.241)
      • fotowork.ca:80 (74.208.96.241)
      • fraser-high.school.nz:80 (210.48.67.144)
      • jeinsurance.com:25 (69.160.74.51)
      • jeinsurance.com:80 (69.160.74.51)
      • justconnect.co.za:80 (5.9.122.172)
      • kagazy.kz:25 (95.57.120.55)
      • lazos.org.mx:80 (209.172.57.153)
      • macons.co.in:25 (174.132.183.227)
      • macons.co.in:80 (174.132.183.227)
      • ompgp.co.jp:80 (204.227.165.46)
      • panoramamcc.org.au:25 (180.150.134.33)
      • panoramamcc.org.au:80 (180.150.134.33)
      • pbp.sieradz.pl:80 (94.152.8.28)
      • quanta.org.uk:25 (198.91.82.109)
      • quanta.org.uk:80 (198.91.82.109)
      • rea-soft.ru:80 (78.47.135.34)
      • schiedel.it:80 (217.145.99.26)
      • sdlp.ie:80 (141.101.117.223)
      • vitrea.pl:25 (212.85.125.160)
      • vitrea.pl:80 (212.85.125.160)
      • zuisousha.co.jp:25 (210.136.185.51)
      • zuisousha.co.jp:80 (210.136.185.51)

      Recent activity of this threat in the wild:

      The following HeatMap shows the geographic distribution of this attack:

      Dell SonicWALL UTM appliance provides protection against this threat with the following signature:

      • GAV: Wigon.PH_44 (Trojan)
      • IPS: 9828 Cutwail Infection Activity 1

    Cryptolocker Ransomware holds files hostage for cash (Sep 19, 2013)

    The Dell SonicWall Threats Research team has received reports of a new Ransomware Trojan. Rather than locking the screen and denying access to the system as with traditional Ransomware, the Trojan leaves system access intact but encrypts various documents and executables found on the system. It claims that the encryption keys for decrypting the files and restoring them to their original state are stored on a remote server and are only recoverable after making a payment of 300 USD. If payment is not made within 72 hours the remotely stored decryption keys are eradicated and the files are permanently lost.

    Infection cycle:

    The Trojan adds the following files to the filesystem:

    • %APPDATA%\{DFF788D4-F884-FDC4-89CC-CAE3FCFBC5DA}.exe (copy of original) [Detected as GAV: Filecoder.BQ (Trojan)]

    The Trojan adds the following key to the Windows registry to enable startup after reboot:

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run CryptoLocker "%APPDATA%\{DFF788D4-F884-FDC4-89CC-CAE3FCFBC5DA}.exe"

    It creates a registry entry for each file that it encrypts with a reference ID. Below is a sample of such entries:

    • HKEY_CURRENT_USER\Software\CryptoLocker\Files C:\Documents and Settings\sshdsvc\Templates\excel.xls dword:00116886
    • HKEY_CURRENT_USER\Software\CryptoLocker\Files C:\Documents and Settings\sshdsvc\Templates\excel4.xls dword:001168a4
    • HKEY_CURRENT_USER\Software\CryptoLocker\Files C:\Documents and Settings\sshdsvc\Templates\powerpnt.ppt dword:001168c2
    • HKEY_CURRENT_USER\Software\CryptoLocker\Files C:\Documents and Settings\sshdsvc\Templates\quattro.wb2 dword:001168cc
    • HKEY_CURRENT_USER\Software\CryptoLocker\Files C:\Documents and Settings\sshdsvc\Templates\winword.doc dword:00116912

    The following is a sample of DNS queries that the Trojan makes using its Domain Generation Algorithm. Such a system increases the life expectancy of an infection by allowing the Trojan to connect to new C&C servers in the future after previous servers have been taken offline by authorities:
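The alert does not reproduce the queried names, so here is an added example (not from the original alert) of the kind of heuristic a defender can run over resolver logs to surface hosts querying DGA-style names: it scores the second-level label on vowel ratio and longest consonant run, then flags any client that hits several such names. The log line format, the sample lines, the thresholds and the scoring rule are all constructed assumptions of this example, and the heuristic is deliberately crude: it is a triage aid that belongs behind an allow-list of known-good domains, not a classifier.

```python
import re
from collections import defaultdict

VOWELS = set("aeiou")
# Constructed log format for this example: "<timestamp> <client-ip> query: <qname> <qtype>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query:\s+(\S+)\s+(\S+)$")


def second_level_label(qname: str) -> str:
    """The label just left of the TLD. Assumption: no public-suffix handling, so a
    name under co.uk or com.au would need extra care in a real deployment."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_generated(label: str, min_len: int = 8) -> bool:
    """Crude DGA test: long label with very few vowels or a long consonant run."""
    letters = [c for c in label if c.isalpha()]
    if len(label) < min_len or not letters:
        return False
    vowel_ratio = sum(1 for c in letters if c in VOWELS) / len(letters)
    longest_run = run = 0
    for c in label:
        if c.isalpha() and c not in VOWELS:
            run += 1
            longest_run = max(longest_run, run)
        else:
            run = 0  # vowels, digits and hyphens break a consonant run
    return vowel_ratio < 0.2 or longest_run >= 5


def parse_line(line: str):
    """Return (client, qname) for a well-formed log line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, client, qname, _qtype = m.groups()
    return client, qname


def suspicious_clients(lines, min_hits: int = 3) -> dict:
    """Map each client that queried at least min_hits DGA-looking names to those names."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, qname = parsed
        if looks_generated(second_level_label(qname)):
            hits[client].append(qname)
    return {client: names for client, names in hits.items() if len(names) >= min_hits}


# Constructed sample log: one noisy client and one quiet one.
SAMPLE_LOG = [
    "2013-09-19T10:00:01 10.0.0.5 query: xqwfkrtmbzpl.com A",
    "2013-09-19T10:00:01 10.0.0.5 query: hjkdlpqwvtrb.net A",
    "2013-09-19T10:00:02 10.0.0.5 query: google.com A",
    "2013-09-19T10:00:02 10.0.0.5 query: mnbvcxzqwlt.org A",
    "2013-09-19T10:00:03 10.0.0.5 query: ptrgvklsmnz.info A",
    "2013-09-19T10:00:03 10.0.0.5 query: sonicwall.com A",
    "2013-09-19T10:00:04 10.0.0.7 query: wikipedia.org A",
    "2013-09-19T10:00:05 10.0.0.7 query: microsoft.com A",
    "2013-09-19T10:00:06 10.0.0.7 query: example.com A",
    "this line is not a query record",
]

if __name__ == "__main__":
    for client, names in suspicious_clients(SAMPLE_LOG).items():
        print(client, "->", ", ".join(names))
```

The per-client count is the part that matters operationally: a single odd-looking name is routine (CDNs and tracking hosts produce them constantly), whereas one machine burning through a run of them in a few seconds is the pattern the alert describes.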

    Upon successful connection to a C&C server the Trojan sends and receives the following data:

    Below is the decrypted form of the outgoing data:

    It receives the public IP of the victim machine and a public key used for encryption in response:

    After a short period of time the Trojan brings up the following dialog informing the user that certain files on the system have been encrypted. The files are not recoverable unless the equivalent of 300 USD is paid using various payment methods such as Bitcoin and UKash:

    It provides a page that shows the user a list of files that have been encrypted:

    The sample Excel files we had on our test system were encrypted by the Trojan, rendering them scrambled and unusable:

    SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

    • GAV: Filecoder.BQ (Trojan)
    • GAV: Filecoder.BQ_6 – 8 (Trojan)
    • GAV: Filecoder.BQ_12 (Trojan)
    • GAV: Filecoder.BQ_17 (Trojan)
    • GAV: Filecoder.BH_7 – 8 (Trojan)
    • GAV: Filecoder.BH_11 (Trojan)
    • GAV: Filecoder.W (Trojan)
    • GAV: Filecoder.NAC (Trojan)
    • GAV: Filecoder.NAC_4 (Trojan)
    • GAV: FileCoder.A_2 – 5 (Trojan)
    • GAV: FileCoder.A_11 – 12 (Trojan)
    • GAV: FileCoder.A_16 (Trojan)
    • GAV: FileCoder.A_24 (Trojan)
    • IPS: Cryptolocker Infection key fetch attempt 1
    • IPS: Cryptolocker Infection key fetch attempt 2

    Microsoft Security Bulletin Coverage (Jan 14, 2014)

    Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of January, 2014. Following is the list of issues reported, along with Dell SonicWALL coverage information:

    MS14-001 Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2916605)

    • CVE-2014-0258 Microsoft Word Memory Corruption Vulnerability
      There are no known exploits in the wild.
    • CVE-2014-0259 Microsoft Word Memory Corruption Vulnerability
      There are no known exploits in the wild.
    • CVE-2014-0260 Microsoft Word Memory Corruption Vulnerability
      There are no known exploits in the wild.

    MS14-002 Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368)

    • CVE-2013-5065 Kernel NDProxy Vulnerability
      GAV: Inject.DKI
      GAV: Pidief.SKD

    MS14-003 Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2913602)

    • CVE-2014-0262 Win32k Window Handle Vulnerability
      There are no known exploits in the wild.

    MS14-004 Vulnerability in Microsoft Dynamics AX Could Allow Denial of Service (2880826)

    • CVE-2014-0261 Query Filter DoS Vulnerability
      There are no known exploits in the wild.