Adobe Reader, CVE-2013-3346 and Windows, CVE-2013-5065 Exploit Analysis (January 10, 2014)

In December, we reported an attack that leverages a combination of an Adobe Reader vulnerability (CVE-2013-3346) and a Windows local privilege escalation vulnerability (CVE-2013-5065). Both vulnerabilities have already been patched by their respective vendors.
The following write-up explains in detail how these vulnerabilities are exploited.

Attack Flow

Analysis of CVE-2013-3346

This is a use-after-free vulnerability in Adobe Reader that can be exploited using a specially crafted PDF file.
The exploit PDF contains an obfuscated JavaScript stream.

After de-obfuscation, we can see the code that holds the shellcode, the heap spray, the payload and the ROP chain.

Here, the exploit is fine-tuned for Adobe Reader 10 and 11.

The following is the minimum crash code.

Here are some debugging images.
The following shows the crash, normal execution and the call through the corrupted structure.

This is what the corrupted structure looks like. We can see how the call pivots into the ROP chain.

This is a subset of the ROP chain.

A sequence of functions is then called which ultimately drops and executes the malicious binary.
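As an added illustration of the traits described above (an obfuscated JavaScript stream, `unescape`-built strings and a heap spray), the following Python script is example code written for this page; it is not part of the original write-up and not the exploit. It builds a constructed, harmless sample PDF whose OpenAction points at a FlateDecode'd JavaScript stream, inflates every stream it finds and flags the heap-spray and dynamic-code indicators an analyst would look for first. The sample document, the regular expressions and the indicator names are assumptions made for the example; the stream extractor only handles direct `/Length` values and un-nested dictionaries.

```python
import re
import zlib

# Constructed sample JavaScript: a harmless stand-in that has the shape the
# write-up describes (unescape()-built strings, a block-doubling heap spray,
# dynamically built code). It is not the exploit's script.
SAMPLE_JS = b"""
var addr = unescape("%u0c0c%u0c0c");
var block = unescape("%u9090%u9090");
while (block.length < 0x80000) block += block;
var spray = [];
for (var i = 0; i < 200; i++) spray[i] = block + addr;
eval(String.fromCharCode(97, 112, 112));
"""


def build_sample_pdf(js):
    """Wrap a JavaScript body in a minimal PDF whose OpenAction runs it
    from a FlateDecode'd stream (constructed for this example)."""
    body = zlib.compress(js)
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
        b"4 0 obj << /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + body + b"\nendstream\nendobj\n"
        b"%%EOF\n"
    )


# A stream dictionary followed by the 'stream' keyword. Nested dictionaries and
# indirect /Length references are deliberately not handled here.
STREAM_RE = re.compile(rb"<<(?P<dict>(?:(?!>>).)*)>>\s*stream\r?\n", re.S)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)")


def extract_streams(pdf):
    """Yield (dictionary, decoded_data) for every stream object in the file."""
    for m in STREAM_RE.finditer(pdf):
        d, start = m.group("dict"), m.end()
        lm = LENGTH_RE.search(d)
        if lm:
            data = pdf[start:start + int(lm.group(1))]
        else:
            end = pdf.find(b"endstream", start)
            data = pdf[start:end if end != -1 else len(pdf)]
        if b"/FlateDecode" in d:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue  # corrupt or multiply-filtered stream; skip it
        yield d, data


def js_indicators(js):
    """Heuristic heap-spray / obfuscation indicators for one script body."""
    text = js.decode("latin-1")
    hits = {}
    unesc = re.findall(r"unescape\s*\(\s*['\"]((?:%u[0-9a-fA-F]{4})+)", text)
    if unesc:
        hits["unescape_unicode"] = len(unesc)
    sleds = [u for u in unesc if re.fullmatch(r"(?:%u(?:0c0c|0d0d|9090))+", u, re.I)]
    if sleds:
        hits["nop_sled_or_spray_address"] = len(sleds)
    if re.search(r"while\s*\(\s*\w+\.length\s*<\s*0x[0-9a-fA-F]+\s*\)\s*\w+\s*\+=\s*\w+", text):
        hits["block_doubling_loop"] = 1
    if re.search(r"\bfor\s*\([^)]*\)\s*\w+\[\w+\]\s*=\s*\w+\s*\+", text):
        hits["spray_array_fill"] = 1
    if re.search(r"\beval\s*\(|String\.fromCharCode", text):
        hits["dynamic_code"] = 1
    return hits


def scan_pdf(pdf):
    """Return one report per stream that shows at least one indicator."""
    reports = []
    for d, data in extract_streams(pdf):
        hits = js_indicators(data)
        if hits:
            reports.append({"dictionary": d.decode("latin-1").strip(),
                            "indicators": hits, "score": len(hits)})
    return reports


if __name__ == "__main__":
    for report in scan_pdf(build_sample_pdf(SAMPLE_JS)):
        print(report["score"], report["indicators"])
```

The score is only a triage aid: a real exploit stream usually hides these constructs behind another layer of obfuscation, so a low score on a suspicious file means "decode further", not "clean".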

Analysis of CVE-2013-5065

This is a local privilege escalation vulnerability that can lead to code execution in ring 0. The vulnerability exists in Microsoft’s NDProxy driver and is triggered by an out-of-bounds condition in the IOCTL handler.
The proof of concept code is as follows:

The ‘CreateFile’ function opens a handle to the NDProxy device. As MSDN puts it: “NDPROXY is a system-provided driver that interfaces NDISWAN and CoNDIS WAN drivers (WAN miniport drivers, call managers, and miniport call managers) to the TAPI services.” DeviceIoControl is then used to send the control code directly to the NDProxy driver. The code here is 0x8fff23cc.
There is no detailed documentation for this code, so let’s look at NDProxy.sys (v5.1.2600.5512).
The PxIoDispatch(…) function handles the control codes:

As you can see, the code 0x8fff23cc corresponds to the execution of the code in the box. Also note that in the highlighted red box ‘eax’ equals 0x7030125, which is the value that was passed to the DeviceIoControl function above as part of ‘InBuf’ [*(InBuf+5)]. Subtracting 7030101h from this gives 0x24. Let’s figure that out by debugging the sample. Executing the sample produces a crash:

Let’s look at the crash using WinDbg’s “!analyze -v”:

And the state of the registers:

As seen, EIP points to 0x38 (the crash).

Let’s look at NDProxy!PxIODispatch+0x2b3:

The call indexes into an array starting at off_18008. The index for the highlighted call is ‘eax’, which is 0x1b0 as you can see in the register state above. So 0x18008 + 0x1b0 = 0x181B8. Looking at this address:

It points to 0x38, exactly where EIP was at the time of the crash. Thus, the value 0x7030125 is chosen carefully to lead to this crash.

The following is the flow:
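To make the index arithmetic above easier to follow, here is an added Python example (not from the write-up) that decodes the control code 0x8fff23cc into its CTL_CODE fields (device type, access, function, method, the documented Windows layout) and models the table lookup on a constructed memory image: a table of 12-byte entries (the write-up's index 0x24 landing at offset 0x1b0 gives 0x1b0 / 0x24 = 0xC bytes per entry) followed by unrelated bytes. The table length, the handler addresses and the memory contents are assumptions for the model, not values from NDProxy.sys; the checked variant shows the range check the dispatcher needed.

```python
import struct

# Documented CTL_CODE layout: device type in bits 16-31, access in bits 14-15,
# function in bits 2-13, transfer method in bits 0-1.
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS"}


def decode_ioctl(code):
    """Split an I/O control code into its four CTL_CODE fields."""
    return {
        "device_type": code >> 16,
        "access": ACCESS[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
    }


# Values taken from the write-up: the base the dispatcher subtracts and the
# opcode the sample sends.
OPCODE_BASE = 0x7030101
SAMPLE_OPCODE = 0x7030125
# Derived from the write-up: index 0x24 landed at table offset 0x1b0, so each
# table entry is 0x1b0 // 0x24 = 12 bytes.
ENTRY_SIZE = 0x1B0 // 0x24


def build_image(handlers, trailing):
    """Constructed memory image: a handler table (first dword of each 12-byte
    entry is a handler address) followed by unrelated bytes. This is an
    assumption for the model only; nothing here comes from NDProxy.sys."""
    table = b"".join(struct.pack("<III", h, 0, 0) for h in handlers)
    return table + trailing


def dispatch_unchecked(opcode, image):
    """The defective pattern: subtract the base and index the table with no
    range check, so an opcode past the table reads a 'handler' from whatever
    bytes follow it."""
    index = opcode - OPCODE_BASE
    (target,) = struct.unpack_from("<I", image, index * ENTRY_SIZE)
    return target


def dispatch_checked(opcode, image, entries):
    """Hardened pattern: reject any index outside [0, entries)."""
    index = opcode - OPCODE_BASE
    if index < 0 or index >= entries:
        return None  # a driver would complete the IRP with STATUS_INVALID_PARAMETER
    (target,) = struct.unpack_from("<I", image, index * ENTRY_SIZE)
    return target


# Constructed example: four handlers, then 400 bytes of other data in which the
# dword at table offset 0x1b0 happens to be 0x38, mirroring the EIP the crash showed.
HANDLERS = [0x00011000, 0x00011040, 0x00011080, 0x000110C0]
_trailing = bytearray(400)
struct.pack_into("<I", _trailing, 0x1B0 - len(HANDLERS) * ENTRY_SIZE, 0x38)
IMAGE = build_image(HANDLERS, bytes(_trailing))

if __name__ == "__main__":
    print(decode_ioctl(0x8FFF23CC))
    print(hex(dispatch_unchecked(SAMPLE_OPCODE, IMAGE)))           # 0x38
    print(dispatch_checked(SAMPLE_OPCODE, IMAGE, len(HANDLERS)))   # None
```

The decoded fields (device type 0x8fff, function 0x8f3, METHOD_BUFFERED, FILE_ANY_ACCESS) are what an analyst has to go on when, as here, the control code is undocumented; the METHOD_BUFFERED transfer type is also why the attacker-controlled value arrives conveniently in the system buffer the dispatcher reads.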

Dell SonicWALL protects against this threat with the following signatures:

  • GAV: Inject.DKI (Trojan)
  • GAV: Pidief.SKD (Exploit)

Post holiday season spammers sending out fake court notices to panic recipients

The Dell SonicWALL Threats Research team has received a massive amount of virus-infected spam over the past week, which appears to come from court clerks claiming that recipients must appear in court on a specified date. Spammers are spreading this spam under the guise of prestigious law firms such as Latham Watkins, Perkins Coie, Baker Botts and Hogan Lovells.

Infection Cycle:

The Trojan creates the following text file at %TEMP%\Plaint Note_06_01_2014_document_us.txt:

It creates a copy of itself in the following location:

  • %APPDATA%\Local\hogvbjma.exe [Detected as GAV: Kuluoz.D_13 (Trojan)]

The Trojan contains the following anti-debugging and anti-analysis checks:

  • It inspects the registry for the presence of virtual environments by looking for strings such as “Virtual”, “Vbox” and “VMware”.
  • It checks for the presence of analysis tools such as Wireshark, IPTools, Iris – Version 5.59, Process Monitor, Process Explorer and Process Hacker.

We observed the following project (.pdb) strings during our analysis:

  • %USER_PROFILE%DocumentsSysIQUAloader_1.4 sloader_v4loader_v3Releaseloader_v3.pdb
  • %USER_PROFILE%DocumentsSysIQUAloader_1.4 sloader_v4loader_v3Releasedll.pdb

Below are some of the common email subjects observed in this spam wave:

  • #Hearing of your case in Court N#0418-175
  • #Hearing of your case in Court NO8142-534
  • #Notice of appearance in court Order 0289
  • #Urgent court notice Order (number)
  • Court attendance notification #No(number)
  • Court notification No3700
  • Hearing of your case in Court ID4061
  • Hearing of your case in Court NR#9256
  • Hearing of your case in Court No#8925
  • Notice of appearance in court NR#(number)
  • Notice to appear in court No#1966
  • Urgent court notice ID(number)
  • Urgent court notice NR#61018

The e-mails have very similar body content, claiming that the recipient needs to bring all documents and witnesses. Later versions mention a pretrial notice and being a defendant for something like illegal software use:

These emails are not real and do not come from law firms or court clerks. The fake court notices are designed to panic recipients into opening the attached file without caution. The attachments are also named in a specific way to trick recipients. Here are a few of the attachment names:

  • Plaint Note_06_01_2014_No5752.zip
  • Court_Notice_Document_ID25172.zip
  • Court_Notice_Jones_Day_Wa#0188.zip
  • Document_Court_Notice_ID67146.zip

Upon opening the attachments we observed a malicious executable with a Microsoft Word icon. Those who fall for the trick believe that this is a real notice coming from the law firm and open the .exe file inside.

We have observed a high number of these spam emails over the last few days; some numbers are shown below:

The following HeatMap shows the distribution of this attack:

We have observed a large number of hits over the last few days for this spam campaign, and it is still active as seen below:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Kuluoz.D_6 (Trojan)
  • GAV: Kuluoz.D_7 (Trojan)
  • GAV: Kuluoz.D_8 (Trojan)
  • GAV: Kuluoz.D_10 (Trojan)
  • GAV: Kuluoz.D_11 (Trojan)
  • GAV: Kuluoz.D_12 (Trojan)
  • GAV: Kuluoz.D_13 (Trojan)

Cisco Prime DCNM Information Disclosure (Jan 3, 2014)

Cisco Unified Fabric is a data center architecture that provides connectivity and unifies storage, data networking and network services. Cisco Prime Data Center Network Manager (DCNM) is a set of tools to implement, visualize and manage Cisco Unified Fabric. DCNM incorporates JBoss for its custom web applications, including a Java servlet named “/downloadServlet”.

An information disclosure vulnerability exists in Cisco Prime DCNM. The vulnerability is due to two issues: there is no authentication for accessing “/downloadServlet”, and the servlet lacks input validation of HTTP requests. In an attack scenario, a remote attacker can leverage this vulnerability to download any file from the server.

The vulnerability has been assigned CVE-2013-5487.
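The two defects described above (missing authentication and missing validation of the requested file name) can be shown side by side. The following Python is an added example written for this page, not Cisco's servlet code: `serve_unchecked` models the vulnerable behaviour, and `handle_download` the hardened one, rejecting unauthenticated requests and any decoded path that does not stay under the export directory. The `/opt/dcnm/export` root, the request shape and the status codes are assumptions.

```python
import posixpath
from urllib.parse import unquote

# Assumed directory the download servlet is meant to serve files from.
DOWNLOAD_ROOT = "/opt/dcnm/export"


def serve_unchecked(request):
    """Models the vulnerable behaviour: no session check, and the requested
    name is joined to the root as-is, so '..' segments walk out of it."""
    return 200, posixpath.normpath(posixpath.join(DOWNLOAD_ROOT, request["file"]))


def resolve_under_root(requested):
    """Return the normalized absolute path, or None if it leaves DOWNLOAD_ROOT.
    The check runs on the decoded name so percent-encoded separators cannot
    slip past it (assumes the container has not already decoded the value)."""
    decoded = unquote(requested)
    if not decoded or "\x00" in decoded:
        return None
    # posixpath.join discards the root when 'decoded' is absolute; normpath
    # collapses '..' segments. Both cases end up outside the root and are rejected.
    candidate = posixpath.normpath(posixpath.join(DOWNLOAD_ROOT, decoded))
    if candidate != DOWNLOAD_ROOT and not candidate.startswith(DOWNLOAD_ROOT + "/"):
        return None
    return candidate


def handle_download(request):
    """Hardened handler: authenticate first, then validate the path.
    request is a dict with 'session' (None when unauthenticated) and 'file'."""
    if not request.get("session"):
        return 401, None
    target = resolve_under_root(request.get("file", ""))
    if target is None:
        return 403, None
    return 200, target


if __name__ == "__main__":
    traversal = {"session": "abc123", "file": "../../../etc/passwd"}
    print(serve_unchecked(traversal))   # (200, '/etc/passwd')
    print(handle_download(traversal))   # (403, None)
```

Order matters in the hardened handler: the authentication check comes first so that an unauthenticated client never even reaches the path logic, and the path check compares normalized strings rather than looking for the substring "..", which is the kind of filter that encoded or mixed separators defeat.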

Dell SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 5345 Cisco Prime Data Center Network Manager Information Disclosure

Fake Chrome Flash Player extension targets Facebook users (Jan 03, 2014)

The Dell SonicWALL Threats Research team has received reports of a Trojan posing as a Flash Player update that targets the Google Chrome browser. The malicious plug-in is distributed through compromised legitimate websites whose URLs are posted as status updates on popular social networking sites, enticing unsuspecting users to install the “update” in order to view a video. The Trojan installer uses the following icon:

Figure 1: Installer icon

Infection Cycle:

Upon execution the Trojan creates a copy of itself in the following location:

  • %APPDATA%\net.exe [Detected as GAV: FBook.O (Trojan)]

It then downloads a zipped file containing additional components:

Figure 2: Downloading extcookbackup.zip from a remote server

The contents are then extracted to the following locations:

  • %OSDRIVE%\IntelNews[*random digits*]\background.js – script that downloads an updated list from the server, which gets appended to script1.js
  • %OSDRIVE%\IntelNews[*random digits*]\favicon.ico
  • %OSDRIVE%\IntelNews[*random digits*]\icon.png
  • %OSDRIVE%\IntelNews[*random digits*]\manager.html
  • %OSDRIVE%\IntelNews[*random digits*]\manager.js – script that manages Chrome cookies
  • %OSDRIVE%\IntelNews[*random digits*]\manifest.json – the Chrome extension’s manifest file, which provides information such as the name, version, icon and permissions used, as seen in Figure 3 below
  • %OSDRIVE%\IntelNews[*random digits*]\popup.html
  • %OSDRIVE%\IntelNews[*random digits*]\script1.js – script that will auto-“like” a list of Facebook pages

It installs itself as a browser extension named “Flash Player” with the following permissions:

Figure 3: Fake Flash Player browser extension
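A defender can look for an extension like this on disk by reading its manifest.json, which (as Figure 3 shows) declares the name and the permissions. The following Python is an added example, not code from the write-up or from the malware: it builds a constructed extension directory in a temporary folder, then scans for manifests that claim to be Flash Player, request broad permissions or inject scripts into facebook.com. The permission list, the folder names, the benign decoy extension and the scoring rules are assumptions.

```python
import json
import os
import tempfile

# Permissions that give an extension reach over every site and its cookies.
RISKY_PERMISSIONS = {"cookies", "tabs", "webRequest", "webRequestBlocking",
                     "<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
IMPERSONATED_NAMES = ("flash player", "adobe flash")


def assess_manifest(manifest):
    """Return the reasons a manifest looks suspicious (empty list = nothing found)."""
    reasons = []
    name = str(manifest.get("name", "")).lower()
    if any(n in name for n in IMPERSONATED_NAMES):
        reasons.append("name impersonates Flash Player, which was never shipped as a Chrome extension")
    risky = sorted(set(map(str, manifest.get("permissions", []))) & RISKY_PERMISSIONS)
    if risky:
        reasons.append("broad permissions: " + ", ".join(risky))
    for script in manifest.get("content_scripts", []):
        if any("facebook.com" in m for m in script.get("matches", [])):
            reasons.append("content script injected into facebook.com pages")
    return reasons


def scan_extension_root(root):
    """Walk a directory tree and assess every manifest.json found in it."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        if "manifest.json" not in files:
            continue
        label = os.path.basename(dirpath)
        try:
            with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except ValueError:
            findings[label] = ["manifest.json is not valid JSON"]
            continue
        reasons = assess_manifest(manifest)
        if reasons:
            findings[label] = reasons
    return findings


def write_manifest(directory, manifest):
    os.makedirs(directory, exist_ok=True)
    with open(os.path.join(directory, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh)


def demo():
    """Constructed layout: one folder mimicking the write-up's component names
    and one benign extension, both written to a fresh temp directory."""
    root = tempfile.mkdtemp(prefix="ext-scan-")
    write_manifest(os.path.join(root, "IntelNews48213"), {
        "manifest_version": 2, "name": "Flash Player", "version": "11.9.900",
        "permissions": ["cookies", "tabs", "*://*/*"],
        "background": {"scripts": ["background.js", "script1.js"]},
        "content_scripts": [{"matches": ["*://*.facebook.com/*"], "js": ["manager.js"]}],
    })
    write_manifest(os.path.join(root, "BenignNotes"), {
        "manifest_version": 2, "name": "Sticky Notes", "version": "1.0",
        "permissions": ["storage"],
    })
    return scan_extension_root(root)


if __name__ == "__main__":
    for folder, reasons in demo().items():
        print(folder, "->", "; ".join(reasons))
```

In a real sweep the root would be the per-user Chrome extensions directory (or, for side-loaded extensions like this one, the whole system drive), and the name check would be joined by a lookup of the extension's ID against the Web Store, since a genuine store extension is never unpacked into a random folder outside the browser profile.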

It then terminates any open Chrome browser sessions. On restart, it downloads a script with an updated list of Facebook fan pages:

Figure 4: Downloading an updated script from a remote server

Figure 5: Contents of the script showing a list of Facebook fan pages

Once the Trojan detects an active Facebook login session, it “likes” a list of pages supplied by the malware author using the victim’s account. Although these “likes” are not visible in the user’s Facebook timeline, they do appear in the user’s activity log. The Trojan does this periodically to ensure that the supplied list of Facebook pages stays in the “liked” state for the active Facebook login session.

Figure 6: Sample Facebook activity log of a victim account

In order to start after reboot and to ensure that all components are continuously downloaded and updated, the Trojan adds the following key to the registry:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [.NET] “%APPDATA%\net.exe”

Visiting the remote server, we found the contact information of the malware author.

Figure 7: Remote server homepage

Based on this information, we found several posts from this author on underground forums and social networking sites promoting different advertising packages for page clicks, page likes and page views.

Figure 8: Malware Author Sample Ads

Figure 8: Malware author Ad 1
Figure 9: Malware author Ad 2
Figure 10: Malware author Ad 3

We urge our users to always be vigilant and cautious when installing unknown applications, browser extensions, add-ons or plug-ins, particularly if you are not certain of the source.

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: FBook.O (Trojan)
  • GAV: JS.FBLike (Trojan)

New Tor-based Information stealing Trojan (Dec 27, 2013)

The Dell SonicWALL Threats Research team has observed reports of a new family of information-stealing Trojan that uses Tor for its command-and-control communication. The Infostealer Trojan arrives via drive-by download and is capable of stealing sensitive user information from the infected machine, which is relayed back to a remote server over the Tor network.

Tor is popular free software and an open network that helps users maintain online anonymity. Tor conceals a user’s location by directing Internet traffic through a distributed network of more than four thousand relays run by volunteers all around the world. We are seeing a steady increase in the number of malware families incorporating Tor support to conceal command-and-control communication.

Infection Cycle:

Upon execution the malware drops a copy of itself into the common user startup folder as:

  • %All Users%\Start Menu\Programs\Startup\spoolsv.exe [Detected as GAV: Fsysna.A (Trojan)]

It then executes the dropped copy with the original malware executable’s path as a command line argument and terminates itself. The new process sleeps for five seconds and then deletes the original malware executable using that command line argument.

The malware starts gathering sensitive system information on the victim machine, which includes:

  • The external IP address, obtained by connecting to the legitimate site http://ekiga.net/ip
  • The system MAC address
  • The computer name
  • User account permissions
  • User keystrokes

The malware installs a low-level keyboard hook and logs the user’s keystrokes to a system.log file created in the user’s temp directory.

It logs the time, the title of the currently active window and the user’s keystrokes, as seen below:

The information logged for the currently active application is matched against two predetermined regular expressions before being written to the system.log file when the user switches to a new application window.

The Trojan also enumerates running processes and extracts information by applying the regular expressions to each allocated virtual memory page.

The malware executable comes with an embedded Tor network connector binary (not malicious in itself) that is dropped as %Temp%\tor.exe on the infected system. The Tor program is then used by the malware to send all of the captured information, Base64-encoded, to the following URLs:

  • http://5ji235jysrvwfgmb.onion/recvdata.php [to transfer information extracted by matching the regular expressions]
  • http://5ji235jysrvwfgmb.onion/sendlog.php [to transfer the keylogger’s system.log file]

The tor.exe process is terminated after every upload of stolen information from the victim machine. The malware uploads the existing keylog file system.log and then deletes it every 24 hours.
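Several of the behaviours above give a defender concrete hunting hooks: a file named spoolsv.exe that runs from the Startup folder rather than System32, a "system" process started with another executable's path as its argument, and tor.exe launched from the user's temp directory. The following Python is an added example, not code from the write-up: it parses constructed process-creation log lines (a simplified, made-up format, not any product's native one) and flags those conditions.

```python
import ntpath
import re

# Where well-known Windows binaries are expected to live (a deliberately small
# allow-list for the example; a real one would be far longer).
EXPECTED_HOME = {"spoolsv.exe": r"c:\windows\system32"}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\local settings\\temp\\", "\\windows\\temp\\")
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

# Constructed, simplified process-creation log format used only by this example.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) pid=(?P<pid>\d+) image="(?P<image>[^"]+)" cmdline="(?P<cmd>[^"]*)"$')


def assess_process(image, cmdline):
    """Return the reasons one process start looks suspicious."""
    path = image.lower()
    name = ntpath.basename(path)
    reasons = []
    expected = EXPECTED_HOME.get(name)
    if expected and ntpath.dirname(path) != expected:
        reasons.append(f"{name} running outside {expected}")
    if name == "tor.exe" and any(marker in path for marker in TEMP_MARKERS):
        reasons.append("tor.exe launched from a temp directory")
    if STARTUP_MARKER in path:
        reasons.append("executable launched from a Startup folder")
    # The dropped copy is started with the original sample's path as its argument.
    if name in EXPECTED_HOME and cmdline.lower().count(".exe") > 1:
        reasons.append("system-named process given another executable path as an argument")
    return reasons


def scan_log(lines):
    """Parse log lines and return (pid, image, reasons) for each flagged start."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reasons = assess_process(m["image"], m["cmd"])
        if reasons:
            alerts.append((m["pid"], m["image"], reasons))
    return alerts


# Constructed sample log: one genuine spooler, the dropped copy started from the
# Startup folder, the Tor helper in the temp directory, and a benign editor.
SAMPLE_LOG = [
    r'2013-12-27T10:00:01Z pid=412 image="C:\Windows\System32\spoolsv.exe" cmdline="C:\Windows\System32\spoolsv.exe"',
    r'2013-12-27T10:02:17Z pid=2044 image="C:\Documents and Settings\All Users\Start Menu\Programs\Startup\spoolsv.exe" cmdline="spoolsv.exe C:\Documents and Settings\victim\Desktop\invoice.exe"',
    r'2013-12-27T10:02:23Z pid=2100 image="C:\Documents and Settings\victim\Local Settings\Temp\tor.exe" cmdline="tor.exe"',
    r'2013-12-27T10:05:40Z pid=2188 image="C:\Windows\System32\notepad.exe" cmdline="notepad.exe notes.txt"',
]

if __name__ == "__main__":
    for pid, image, reasons in scan_log(SAMPLE_LOG):
        print(pid, image)
        for reason in reasons:
            print("   -", reason)
```

The same path-versus-name rule generalizes to any binary whose legitimate home is fixed (lsass.exe, csrss.exe, svchost.exe and so on); the write-up's sample relies on the name alone looking familiar in a process list, which is exactly what this check ignores.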

Dell SonicWALL UTM appliances provide protection against this threat with the following signature:

  • Fsysna.A (Trojan)

ABB MicroSCADA Vulnerability (Dec 20, 2013)

ABB MicroSCADA provides monitoring, gateway, integrated control, redundancy, reporting and other functionality for substation automation. Upon installation of ABB MicroSCADA, a program named wserver.exe is also deployed.

A stack buffer overflow vulnerability exists in wserver.exe of ABB MicroSCADA. The vulnerability is due to insufficient input validation of remote execution calls. A remote attacker can exploit this vulnerability by sending crafted calls to wserver.exe. Successful exploitation could lead to arbitrary code execution in the security context of the vulnerable program.

Dell SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 5178 ABB MicroSCADA Remote Code Execution

Spammers take advantage of vacation mood this Holiday Season (December 19, 2013)

We have reached the time of year that is filled with festivity, celebrations, shopping and holidays. Because of this, and the fact that it is the year end, December is commonly associated with people making travel plans to visit home or simply to take a break from work. Spammers are capitalizing on this and spreading spam under the guise of airline tickets, using emails that pose as coming from airlines confirming an individual’s itinerary.

Some of the common subjects we observed for this spam campaign include:

  • Order #(alphanumeric number) is processed
  • Download your ticket #(alphanumeric number)
  • Please download your ticket #(alphanumeric number)
  • Ticket is ready
  • Your order #(alphanumeric number) has been completed

The e-mails have very similar body content, as seen below:

Upon opening the attachments we observed, in the majority of cases, a malicious executable with a Microsoft Word icon. This is done to fool the victim into believing it is coming from the airline confirming the ticket.

We have observed a high number of these spam emails over the last few days; some numbers are shown below:

We observed a number of different malware families, such as Tepfer, Zortob, Kuluoz and Dofoil, as attachments in this spam campaign.

The following HeatMap shows the distribution of this attack:

We have observed a large number of hits over the last few days for this spam campaign, and it is still active as seen below:

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Kuluoz.D (Trojan)
  • GAV: Kuluoz.D#email (Trojan)
  • GAV: Kuluoz.D#email_2 (Trojan)
  • GAV: Tepfer.ETD (Trojan)
  • GAV: Dofoil.R_10 (Trojan)
  • GAV: Dapato.D_2 (Trojan)
  • GAV: Kryptik.BQUP_2 (Trojan)
  • GAV: Zortob.B_66 (Trojan)
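Both this airline-ticket wave and the fake court notices described earlier on this page share one structure: a templated subject line plus a .zip attachment carrying an executable. The following Python is an added example, not a SonicWALL signature and not part of either post, that turns the subject and attachment-name patterns listed in the two posts into regular expressions and triages constructed sample messages; the sample messages (including their made-up order numbers) and the verdict thresholds are assumptions.

```python
import re

# Regular expressions distilled from the subject lines listed in the two posts
# (constructed for this example; they are not SonicWALL signatures).
COURT_SUBJECT = re.compile(
    r"^#?\s*(?:hearing of your case in court|notice (?:of appearance|to appear) in court|"
    r"urgent court notice|court (?:attendance )?notification)\b", re.I)
AIRLINE_SUBJECT = re.compile(
    r"^(?:order #?[a-z0-9]+ is processed|(?:please )?download your ticket #?[a-z0-9]+|"
    r"ticket is ready|your order #?[a-z0-9]+ has been completed)\s*$", re.I)
# Attachment names from the court wave plus ticket-style names for the airline wave.
LURE_ATTACHMENT = re.compile(
    r"^(?:plaint note|court_notice|document_court_notice|e?-?ticket|itinerary|order)[\w#.\- ]*\.zip$", re.I)


def classify_subject(subject):
    """Name the lure family a subject line belongs to, or None."""
    if COURT_SUBJECT.search(subject):
        return "court-notice"
    if AIRLINE_SUBJECT.search(subject):
        return "airline-ticket"
    return None


def triage(message):
    """message: {'subject': str, 'attachments': [filenames]} -> (verdict, reasons)."""
    reasons = []
    attachments = message.get("attachments", [])
    campaign = classify_subject(message.get("subject", ""))
    if campaign:
        reasons.append(f"subject matches the {campaign} lure")
    for name in attachments:
        if LURE_ATTACHMENT.match(name):
            reasons.append(f"attachment name matches a lure pattern: {name}")
        elif name.lower().endswith(".zip"):
            reasons.append(f"zip attachment: {name}")
    has_zip = any(n.lower().endswith(".zip") for n in attachments)
    if campaign and has_zip:
        verdict = "quarantine"   # lure subject plus the archive that carries the executable
    elif reasons:
        verdict = "review"
    else:
        verdict = "deliver"
    return verdict, reasons


# Constructed sample messages (identifiers are made up).
SAMPLE_MESSAGES = [
    {"subject": "#Hearing of your case in Court N#0418-175",
     "attachments": ["Plaint Note_06_01_2014_No5752.zip"]},
    {"subject": "Your order #KX7A21 has been completed",
     "attachments": ["Ticket_KX7A21.zip"]},
    {"subject": "Re: lunch tomorrow", "attachments": []},
    {"subject": "Quarterly report", "attachments": ["q4.zip"]},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict, reasons = triage(msg)
        print(f"{verdict:10} {msg['subject']!r} {reasons}")
```

Subject patterns age quickly, which is why the verdict leans on the combination with the archive attachment rather than on the subject alone; inspecting the archive for an executable with a document icon, as both posts describe, is the natural next stage of the same pipeline.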

New Bitcoin infostealer Trojan spotted in the wild (Dec 13, 2013)

The Dell SonicWALL Threats Research team has received reports of a new info-stealer Trojan aimed at Bitcoin users. As the value of Bitcoin continues to rise and reach relative stability, attackers are continually coming up with ways to either steal or generate bitcoins using compromised machines. The following Trojan is able to steal various types of information from the victim machine, including Bitcoin wallet.dat files.

Infection cycle:

The Trojan uses the following icon:

The Trojan makes the following DNS query:

The Trojan adds the following files to the filesystem:

  • %USERPROFILE%\asvep\winupdate.exe (AutoIt executable)
  • %USERPROFILE%\asvep\5943564.IFW (encoded AutoIt script)
  • %USERPROFILE%\asvep\20070.RQT [Detected as GAV: NetWiredRC.I#enc (Trojan)]
  • %USERPROFILE%\asvep\65901.PPZ (command configuration file)
  • %USERPROFILE%\asvep\7246235.vbe
  • %USERPROFILE%\asvep\start.cmd
  • %USERPROFILE%\asvep\start.vbs

The Trojan adds the following keys to the Windows registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce asvep “%USERPROFILE%\asvep\start.vbs”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run winlogon “%WINDOWS%\System32\mshta.exe”
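The two autorun entries above carry signals a defender can check for in any Run/RunOnce key: a script file launched from the user profile, and a value name (winlogon) that borrows the name of a core Windows process while pointing at mshta.exe. The following Python is an added example, not code from the write-up: it parses a constructed .reg export containing the two entries plus a benign one and reports which entries match those rules. The benign entry and the rule set are assumptions.

```python
import ntpath
import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"="value" with .reg escaping (\\ for backslash, \" for quote).
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<value>(?:[^"\\]|\\.)*)"$')
AUTORUN_KEYS = (r"\currentversion\run", r"\currentversion\runonce")

SCRIPT_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Core Windows processes never register themselves through Run/RunOnce.
SYSTEM_PROCESS_NAMES = {"winlogon", "svchost", "csrss", "lsass", "smss", "services"}
USER_WRITABLE = ("%userprofile%", "%appdata%", "%localappdata%", "%temp%", "\\appd" "ata\\", "\\users\\")
# First token of the command: optional quote, then everything up to the executable/script extension.
CMD_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|vbs|vbe|js|jse|wsf|hta|cmd|bat))\b', re.I)


def unescape_reg(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")


def assess_autorun(name, value):
    """Return the reasons one autorun value looks suspicious."""
    m = CMD_RE.match(value)
    path = (m.group("path") if m else value).lower()
    base = ntpath.basename(path)
    ext = ntpath.splitext(base)[1]
    reasons = []
    if ext in SCRIPT_EXT or base in SCRIPT_HOSTS:
        reasons.append(f"script host or script file: {base}")
    if any(marker in path for marker in USER_WRITABLE):
        reasons.append("target lives in a user-writable location")
    if name.lower() in SYSTEM_PROCESS_NAMES:
        reasons.append(f"value name '{name}' impersonates a core Windows process")
    return reasons


def audit_reg_text(text):
    """Walk a .reg export and return (key, name, value, reasons) for flagged autoruns."""
    findings = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            continue
        if current is None or not current.lower().endswith(AUTORUN_KEYS):
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            continue
        name, value = unescape_reg(vm.group("name")), unescape_reg(vm.group("value"))
        reasons = assess_autorun(name, value)
        if reasons:
            findings.append((current, name, value, reasons))
    return findings


# Constructed .reg export: the two entries from the write-up plus a benign one.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"asvep"="%USERPROFILE%\\asvep\\start.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"winlogon"="%WINDOWS%\\System32\\mshta.exe"
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
'''

if __name__ == "__main__":
    for key, name, value, reasons in audit_reg_text(SAMPLE_REG):
        print(f"{key}\n  {name} = {value}\n  " + "\n  ".join(reasons))
```

Exporting the keys with `reg export` on a live system gives exactly this text format, so the same parser runs unchanged over real data; the mshta.exe entry is the one a name-only review would pass, because the target is a genuine Windows binary and only the combination with the value name gives it away.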

The Trojan binary contains an embedded RAR archive that holds the malicious files listed above:

5943564.IFW contains an encoded AutoIt script. The decoded version of the script contains some anti-debugging, anti-VM and anti-antivirus instructions:

The AutoIt script is started by start.cmd:

The configuration file instructs the script to hide the process, disable UAC, protect the process by adding anti-hooking features and prevent Task Manager from loading.

The script decrypts and runs 20070.RQT [Detected as GAV: NetWiredRC.I (Trojan)] by injecting code into %WINDOWS%\System32\mshta.exe.

The following encrypted communication was observed between the decrypted NetWiredRC.I Trojan and bitcoins.dd-dns.de:

The NetWiredRC.I executable is an infostealer Trojan capable of stealing data from the victim machine, including Bitcoin wallet.dat files.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Netwired.A (Trojan)
  • GAV: NetWiredRC.I (Trojan)
  • GAV: NetWiredRC.I#enc (Trojan)

Microsoft Security Bulletin Coverage (Dec 10, 2013)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of December, 2013. A list of issues reported, along with Dell SonicWALL coverage information, follows:

MS13-096 Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution (2908005)

  • CVE-2013-3906 Microsoft Graphics Component Memory Corruption Vulnerability
    GAV: 26249 Malformed.docx.MP.1
    GAV: 26255 Malformed.tif.MP.3
    GAV: 26278 Malformed.docx.MP.2
    GAV: 26311 CVE-2013-3906

MS13-097 Cumulative Security Update for Internet Explorer (2898785)

  • CVE-2013-5045 Internet Explorer Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-5046 Internet Explorer Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-5047 Internet Explorer Memory Corruption Vulnerability
    IPS: 9372 Windows IE Memory Corruption Vulnerability (MS13-097) 1
  • CVE-2013-5048 Internet Explorer Memory Corruption Vulnerability
    IPS: 9385 Windows IE Memory Corruption Vulnerability (MS13-097) 2
  • CVE-2013-5049 Internet Explorer Memory Corruption Vulnerability
    IPS: 9393 Windows IE Memory Corruption Vulnerability (MS13-097) 3
  • CVE-2013-5051 Internet Explorer Memory Corruption Vulnerability
    IPS: 9420 Windows IE Memory Corruption Vulnerability (MS13-097) 4
  • CVE-2013-5052 Internet Explorer Memory Corruption Vulnerability
    IPS: 9431 Windows IE Memory Corruption Vulnerability (MS13-097) 5

MS13-098 Vulnerability in Windows Could Allow Remote Code Execution (2893294)

  • CVE-2013-3900 WinVerifyTrust Signature Validation Vulnerability
    IPS: 4773 Suspicious HTTP Authorization Header 6
    SPY: 4706 IsFreemium

MS13-099 Vulnerability in Microsoft Scripting Runtime Object Library Could Allow Remote Code Execution (2909158)

  • CVE-2013-5056 Use-After-Free Vulnerability in Microsoft Scripting Runtime Object Library
    IPS: 9436 Microsoft Scripting Object Use After Free

MS13-105 Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2915705)

  • CVE-2013-1330 MAC Disabled Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-5072 OWA XSS Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-5763 Oracle Outside In Contains Multiple Exploitable Vulnerabilities
    There are no known exploits in the wild.
  • CVE-2013-5791 Oracle Outside In Contains Multiple Exploitable Vulnerabilities
    There are no known exploits in the wild.

MS13-100 Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2904244)

  • CVE-2013-5059 SharePoint Page Content Vulnerabilities
    There are no known exploits in the wild.

MS13-101 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430)

  • CVE-2013-3899 Win32k Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3902 Win32k Use After Free Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3903 TrueType Font Parsing Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3907 Port-Class Driver Double Fetch Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-5058 Win32k Integer Overflow Vulnerability
    There are no known exploits in the wild.

MS13-102 Vulnerability in LRPC Client Could Allow Elevation of Privilege (2898715)

  • CVE-2013-3878 LRPC Client Buffer Overrun Vulnerability
    There are no known exploits in the wild.

MS13-103 Vulnerability in ASP.NET SignalR Could Allow Elevation of Privilege (2905244)

  • CVE-2013-5042 SignalR XSS Vulnerability
    There are no known exploits in the wild.

MS13-104 Vulnerability in Microsoft Office Could Allow Information Disclosure (2909976)

  • CVE-2013-5054 Token Hijacking Vulnerability
    There are no known exploits in the wild.

MS13-106 Vulnerability in a Microsoft Office Shared Component Could Allow Security Feature Bypass (2905238)

  • CVE-2013-5057 HXDS ASLR Vulnerability
    There are no known exploits in the wild.

Android Security Bypass Vulnerability (Dec 6, 2013)

A new security bypass vulnerability has been identified in Android 4.3 and prior versions. An attacker may entice the target to install a malicious application, which can then remove all existing device locks set up by the user at a defined time. The new Android version 4.4 (KitKat) has fixed this issue.

More specifically, this vulnerability is caused by a design error in the com.android.settings.ChooseLockGeneric class. This class allows the user to change the type of lock mechanism. The vulnerable code in the updateUnlockMethodAndFinish function of this class clears all existing locks when the password type supplied to the function is identified as PASSWORD_QUALITY_UNSPECIFIED. A sample malicious application could use the following code sequence:

The Dell SonicWALL Threat team has researched this vulnerability and released the following signature to protect customers:

  • SPY:4771 Malformed-File apk.OT.1

This vulnerability is identified by CVE as CVE-2013-6271.