Microsoft Windows Privilege escalation vulnerability (CVE-2013-5065) attacks (Dec 4, 2013)

The Dell SonicWALL Threats Research team observed reports of a new Windows privilege escalation vulnerability being exploited in the wild. Microsoft has released a security advisory for this vulnerability identified by CVE-2013-5065, and this vulnerability only affects users on Windows XP and Windows Server 2003 operating systems.

The exploit code is being distributed in a specially crafted PDF file. The PDF file contains malicious JavaScript with shellcode, obfuscated using JJEncode, that checks for specific versions of Adobe Reader and performs a heap spray. If the Adobe Reader exploit attempt is successful, it crashes the application and passes control to the shellcode. The shellcode then attempts to exploit a local Windows privilege escalation vulnerability on the target machine. It decrypts a malicious executable embedded inside the original PDF file and installs it on the victim machine with kernel-mode privileges.

The following chart illustrates the complete infection cycle:

Below is the deobfuscated JavaScript code that checks the Adobe Reader version before the exploitation attempt:

Upon successful Adobe Reader exploitation, the shellcode opens \\.\NDProxy and issues a DeviceIoControl API call with a specially crafted control code that triggers the local privilege escalation vulnerability mentioned here.

The shellcode then decrypts and executes the embedded malware executable with elevated privileges on the target machine. The malware executable was found to inject code into the system explorer.exe process. It also creates the following registry key to persist the infection across system reboots:

  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = explorer.exe,(path to malware)

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Inject.DKI (Trojan)
  • GAV: Pidief.SKD (Exploit)

Spam campaign roundup: The Thanksgiving Day Edition (Nov 27, 2013)

It is that time of the year again when savvy shoppers search for the best deals of the season. Black Friday is the day following Thanksgiving Day in the United States and is often regarded as the kickoff of the holiday shopping season, which extends until Cyber Monday, when consumers are expected to shop more online. In recent years, this holiday shopping extravaganza has been stretched even longer, with retailers offering deep discounts on items weeks ahead of Black Friday. Unfortunately, cyber criminals are taking advantage of this longer shopping frenzy, sending unsolicited advertisements for products and services that often lead to fraud, phishing and even malware.

Over the past week, the Dell SonicWALL Threats Research team has been tracking steady growth in Black Friday and Cyber Monday related spam emails, as seen below:

As the Thanksgiving weekend approaches, we have been receiving an increasing number of holiday-related spam emails. These emails share a common theme: they try to lure consumers into clicking on links and providing their personal information in exchange for access to special offers and deep discounts. The following are some of the most common email subjects:

  • SAVINGS ALERT: See the Hottest Black Friday Ads Now
  • Gift ahead of Black Friday for You
  • This could aid your Black Friday-shopping
  • Everything is 90% off now – Cyber Monday starts now
  • 40% off + Ship Free! Black Friday begins…

The links in the emails take users to a spam site that is part of the same affiliate marketing scheme we have seen in the past. Some of the emails claim to come from popular department stores and promise gift cards or coupons; when clicked, they take the user to a URL that differs from the real merchant's website but carries the merchant's branding. The sites try to convince users to sign up for various offers while the scammers earn commissions for each successful subscription.

The domain names used in the URLs embedded in the spam emails were registered very recently, suggesting that they were created specifically for this spam campaign. They were all registered using a domain privacy service to keep the domain owner's personal information from showing up in global Whois lookups.

We urge our users to always be vigilant and cautious with any unsolicited email and to avoid providing any personal information, particularly if you are not certain of the source.

Dell SonicWALL Gateway Antivirus monitors and provides constant protection against such malicious threats.

Microsoft out-of-band Security Advisory for Windows Kernel (Nov 27, 2013)

Microsoft has released an out-of-band bulletin, Microsoft Security Advisory (2914486), on Nov 27, 2013 that addresses an Elevation of Privilege vulnerability in the Microsoft Windows kernel component. This vulnerability affects Windows XP and Windows Server 2003. A successful exploit allows arbitrary code to run in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.

This vulnerability has been assigned CVE-2013-5065.

The Dell SonicWALL threat team researched this vulnerability the same day and created the following GAV signatures to cover the attack:

  • GAV: 27311 Inject.DKI (Trojan)
  • GAV: 27312 Pidief.SKD (Exploit)

For the Microsoft vulnerabilities covered by SonicWALL, please refer to SonicWALL MAPP for details.

JBOSS Marshalled Object Remote Code Execution Vulnerability (November 27, 2013)

The Dell SonicWALL Threats Research team has addressed a remote code execution vulnerability that affects products bundling a vulnerable JBoss Application Server. WildFly, initially known as JBoss, is a Java-based application server currently managed by Red Hat; JBoss also features an embedded Apache Tomcat servlet container. This vulnerability has been assigned CVE-2013-4810.

An exploit that uses this vulnerability has also been published. We have observed attacks actively utilizing this vulnerability and are blocking these attempts.

Here are a few details.

The EJBInvokerServlet and JMXInvokerServlet servlets allow remote method invocation over HTTP; they are the components responsible for this vulnerability.

Here we can see how the marshalled object is constructed, followed by the POST request.

The request contains the URL of a JSP file, which then gets deployed.

The JSP file contains a web shell that can be accessed remotely after successful deployment.

We can see a GET request connecting to the deployed JSP.
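As an added example (not code from the original post), the following Python script turns that sequence into a detection rule over web-server access-log lines: it flags POSTs to the two invoker servlets named above, then any .jsp subsequently fetched by the same client. The log lines, client addresses and JSP path are constructed for illustration.

```python
import re

# Constructed sample lines in Common Log Format; these are not from the original post.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Nov/2013:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1024
10.0.0.9 - - [27/Nov/2013:10:02:15 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 512
10.0.0.9 - - [27/Nov/2013:10:02:40 +0000] "GET /shell/cmd.jsp HTTP/1.1" 200 64
10.0.0.7 - - [27/Nov/2013:10:03:00 +0000] "POST /invoker/EJBInvokerServlet HTTP/1.1" 500 0
10.0.0.3 - - [27/Nov/2013:10:04:00 +0000] "GET /app/login.jsp HTTP/1.1" 200 2048
"""

# Captures: client, timestamp, method, path, status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# The two invoker servlets named in the advisory; both accept marshalled objects over HTTP.
INVOKER_PATHS = ("/invoker/JMXInvokerServlet", "/invoker/EJBInvokerServlet")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, method, path, status = m.groups()
    # Drop any query string so path matching is exact.
    return {"client": client, "time": ts, "method": method,
            "path": path.split("?", 1)[0], "status": int(status)}


def find_invoker_abuse(log_text):
    """Flag POSTs to the invoker servlets, then any .jsp fetched afterwards by the same client.

    The second rule mirrors the sequence described in the post: the marshalled object
    deploys a JSP, and the attacker's follow-up GET retrieves it.
    """
    findings = []
    suspicious_clients = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] in INVOKER_PATHS:
            suspicious_clients.add(rec["client"])
            findings.append({"kind": "invoker_post", **rec})
        elif (rec["method"] == "GET" and rec["path"].lower().endswith(".jsp")
              and rec["client"] in suspicious_clients):
            findings.append({"kind": "jsp_after_invoker", **rec})
    return findings


if __name__ == "__main__":
    for f in find_invoker_abuse(SAMPLE_LOG):
        print(f"{f['kind']:18} {f['client']:10} {f['method']} {f['path']} -> {f['status']}")
```

Ordinary JSP traffic from clients that never touched the invoker servlets (10.0.0.3 above) is not flagged, which keeps the rule usable on a busy server.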

The following signature detects the vulnerability exploit.

  • IPS 5026 JBoss Marshalled Object Remote Code Execution

Infostealer Trojan that tracks user activity (November 22, 2013)

The Dell SonicWALL Threats Research Team received reports of an infostealer Trojan that gathers information about the victim system and passes it to the attacker. The information passed to the attacker includes the programs and shell commands executed by the user while the Trojan is running.

Infection Cycle

We found the Trojan hosted on a legitimate website, tala[removed].com/sem/xp.exe, which was still active at the time of writing. The Trojan is downloaded from this link as xp.exe and carries a WinRAR icon:

It drops the following files on the system:

  • %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\system.pif – copy of itself
  • %APPDATA%\Roaming\office\winword.exe – copy of itself

It creates the following Mutexes on the system to mark its presence:

  • ***MUTEX***
  • UACMutexxxxx
  • _x_X_BLOCKMOUSE_X_x_
  • _x_X_PASSWORDLIST_X_x_
  • _x_X_UPDATE_X_x_

The Trojan adds the following key to the Windows registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "%APPDATA%\Roaming\office\winword.exe"

It makes the following changes to the registry in order to bypass firewalls:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"

It drops the following additional files on the system:

  • %APPDATA%\Local\Temp\UuU.uUu – contains the time at which the Trojan was executed
  • %APPDATA%\Local\Temp\XxX.xXx – contains the time at which the Trojan was executed
  • %APPDATA%\Local\Temp\XX–XX–XX.txt – a 230 kB temporary text file
  • %APPDATA%\Local\Temp\teste.vbs – a VBScript that lists the firewall and antivirus products present on the victim system and writes them to the file teste.txt

We observed the Trojan communicating with data3.sytes.net on TCP port 9090, where it sends information about the activity performed by the user while the Trojan is running. Some of the activities captured during our analysis were:

  • Programs being opened
  • Folders being opened
  • Commands executed in Shell

Below is a screenshot of sample network traffic from this infostealer:

In addition, it performs the following:

  • Stops the Windows firewall by executing net stop mpssvc

The main goal of this Trojan is to harvest information on the infected system and relay it to the attacker. During our analysis the information passed was limited to programs, commands and files opened by the user. The Trojan can be considered noisy: it performs a number of activities and does not try very hard to conceal its presence, and the names of its Mutexes also point to its non-stealthy nature.

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Spatet.AA_2 (Trojan)

Microsoft InformationCardSigninHelper Class ActiveX control (CVE-2013-3918) exploit spotted in the Wild (November 20, 2013)

The Dell SonicWALL Threats Research team has found an in-the-wild exploit utilizing the InformationCardSigninHelper Class ActiveX control vulnerability (CVE-2013-3918). The attacks deliver a specially crafted HTML page and specifically target Internet Explorer. We were able to reproduce the exploit on a Windows XP system running IE 8.

Following are the details of the attack.

We can see the vulnerable CLSID instantiated using an object tag. The attack uses both JavaScript and VBScript interchangeably and calls the vulnerable function while setting up ROP gadgets.

The code above is translated into the following ROP chain in memory.

The ROP chain leads to VirtualProtect.

We can see that the bytes are further XORed with 0x9f.

The following shows how the rundll32 process is created.

On successful execution, the process attempts TCP connections to IP address 111.X.X.93 on port 443.

We have a couple of signatures that cover the attack:

  • IPS 7600 InformationCardSigninHelper ActiveX Instantiation (MS13-090)
  • SPY 4736 CVE-2013-3918

P2P Zeus downloader targeting corporate e-mails (November 13, 2013)

The Dell SonicWALL Threats Research team received reports of a targeted corporate e-mail spam campaign that spreads an SSL-based Zeus downloader. We have observed similar campaigns in the past, as seen here. After successfully infecting the victim machine, the downloader retrieves a P2P Zeus Trojan variant over SSL.

Infection cycle:

The malicious sample spreads through a targeted campaign where it tries to lure employees into downloading a Confidential Document as seen from the e-mail below:

The executable comes with a PDF icon:

The Trojan drops the following files to the file-system:

  • %APPDATA%\Local\Temp\budha.exe [Detected as GAV: Tepfer.ZC (Trojan)] (id 60505822)
  • %APPDATA%\Local\Temp\kilf.exe [Detected as GAV: Zbot.ES_5 (Trojan)] (id 60505862)
  • %APPDATA%\Roaming\Wucuronoe.exe [Detected as GAV: Zbot.ES_5 (Trojan)] (id 60505854)
  • %APPDATA%\Local\Temp\RRO1145.bat – deletes kilf.exe and itself

The Trojan adds the following key to the Windows registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "%APPDATA%\Roaming\Wucuronoe.exe"

The Trojan adds the following additional keys to the Windows registry:

  • HKLM\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list [4064:tcp]
  • HKLM\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list [5275:udp]
  • HKLM\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile disablenotifications

It downloads a malicious executable named heap.exe from ao[removed]/[removed]/heap.exe [Detected as GAV: Zbot.ES_5 (Trojan)]. This site appears to belong to a legitimate marketing company and is being used as a conduit to spread malicious content.

We observed the Trojan accessing .WAB (Windows Address Book) files on the infected system. These are files used by Outlook and Outlook Express that store contact information such as names, mailing addresses and phone numbers.

Dell SonicWALL Gateway AntiVirus has blocked more than 200,000 Zeus attachments from this targeted campaign in the past 12 hours. It has also blocked more than 34,000 downloads of Zeus Trojan from this infection in the wild during the same time-frame. Below is the geographic distribution of this spam campaign:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Tepfer.ZC (Trojan)
  • GAV: Zbot.ES_5 (Trojan)

Microsoft Security Bulletin Coverage (Nov 12, 2013)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of November, 2013. A list of issues reported, along with Dell SonicWALL coverage information follows:

MS13-088 Cumulative Security Update for Internet Explorer (2888505)

  • CVE-2013-3871 Internet Explorer Memory Corruption Vulnerability
    IPS: 7547 “Windows IE Use-After-Free Vulnerability (MS13-080) 1”
  • CVE-2013-3908 Internet Explorer Information Disclosure Vulnerability
    IPS: 7599 “Windows IE Information Disclosure Vulnerability (MS13-088)”
  • CVE-2013-3909 Internet Explorer Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3910 Internet Explorer Memory Corruption Vulnerability
    IPS: 7601 “Windows IE Use-After-Free Vulnerability (MS13-088) 1”
  • CVE-2013-3911 Internet Explorer Memory Corruption Vulnerability
    IPS: 7602 “Windows IE Use-After-Free Vulnerability (MS13-088) 2”
  • CVE-2013-3912 Internet Explorer Memory Corruption Vulnerability
    IPS: 7603 “Windows IE Use-After-Free Vulnerability (MS13-088) 3”
  • CVE-2013-3914 Internet Explorer Memory Corruption Vulnerability
    IPS: 7604 “Windows IE Use-After-Free Vulnerability (MS13-088) 4”
  • CVE-2013-3915 Internet Explorer Memory Corruption Vulnerability
    IPS: 7605 “DOM Object Use-After-Free Attack 8”
  • CVE-2013-3916 Internet Explorer Memory Corruption Vulnerability
    IPS: 7605 “DOM Object Use-After-Free Attack 8”
  • CVE-2013-3917 Internet Explorer Memory Corruption Vulnerability
    IPS: 7606 “Windows IE Use-After-Free Vulnerability (MS13-088) 5”

MS13-089 Vulnerability in Windows Graphics Device Interface Could Allow Remote Code Execution (2876331)

  • CVE-2013-3940 Internet Explorer Memory Corruption Vulnerability
    SPY: 3606 “Malformed-File doc.MP.15”

MS13-090 Cumulative Security Update of ActiveX Kill Bits (2900986)

  • CVE-2013-3918 InformationCardSigninHelper Vulnerability
    IPS: 7600 “InformationCardSigninHelper ActiveX Control Memory Corruption (MS13-090)”

MS13-091 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2885093)

  • CVE-2013-0082 WPD File Format Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-1324 Word Stack Buffer Overwrite Vulnerability
    SPY: 3920 “Malformed-File doc.MP.16”
  • CVE-2013-1325 Word Heap Overwrite Vulnerability
    SPY: 4734 “Malformed-File doc.MP.17”

MS13-092 Vulnerability in Hyper-V Could Allow Elevation of Privilege (2893986)

  • CVE-2013-3898 Address Corruption Vulnerability
    There are no known exploits in the wild.

MS13-093 Vulnerability in Windows Ancillary Function Driver Could Allow Information Disclosure (2875783)

  • CVE-2013-3887 Ancillary Function Driver Information Disclosure Vulnerability
    There are no known exploits in the wild.

MS13-094 Vulnerability in Microsoft Outlook Could Allow Information Disclosure (2894514)

  • CVE-2013-3905 S/MIME AIA Vulnerability
    There are no known exploits in the wild.

MS13-095 Vulnerability in Digital Signatures Could Allow Denial of Service (2868626)

  • CVE-2013-3869 Digital Signatures Vulnerability
    There are no known exploits in the wild.

Microsoft out-of-band Security Advisory for Graphics Component (Nov 5, 2013)

Microsoft has released an out-of-band bulletin, Microsoft Security Advisory (2896666), on Nov 5, 2013 that addresses a vulnerability in the Microsoft Graphics Component. This vulnerability affects Microsoft Windows, Microsoft Office and Microsoft Lync. The Graphics component improperly handles specially crafted TIFF images. These images can be embedded in malicious documents and thus served via either email or the web, allowing attackers to achieve remote code execution. Microsoft reports known targeted attacks that exploit Microsoft Office.

This vulnerability has been assigned CVE-2013-3906.

The Dell SonicWALL threat team researched this vulnerability the same day and created the following GAV signatures to cover the attack:

  • GAV: 26249 Malformed.docx.MP.1
  • GAV: 26255 Malformed.tif.MP.3
  • GAV: 26278 Malformed.docx.MP.2
  • GAV: 26311 CVE-2013-3906
  • GAV: 26320 Sisproc.A_6
  • GAV: 26388 Agent.OGZ_2
  • GAV: 26391 Delf.PNS
  • GAV: 26394 Webclient.A
  • GAV: 26396 Spy.MT
  • GAV: 26399 KeyLogger.AHKO
  • GAV: 26401 Zbot.VFO
  • GAV: 26404 VB.NYJ
  • SPY: 4732 Malformed-File doc.MP.6

For the Microsoft vulnerabilities covered by SonicWALL, please refer to SonicWALL MAPP for details.

Increase in Bitcoin mining malware as price soars (Nov 11, 2013)

With the price of a Bitcoin surging past $300 USD over the last week, the Dell SonicWALL Threats Research team has observed a significant increase in Bitcoin mining malware. Given the ever-increasing mining difficulty (the computation required to generate a bitcoin), mining botnets are a way of gathering enough computing power to generate bitcoins with zero hardware and energy expense for the operators. The Trojan we analysed will even utilize GPUs for mining computational power if they are present.

Infection cycle:

The Trojan adds the following files to the filesystem:

  • %APPDATA%\MozillaUpdater\jupdate.exe [Detected as GAV: BitCoinMiner.A_5 (Trojan)]
  • %APPDATA%\MozillaUpdater\mozillaupdater.exe [Detected as GAV: Ircbrute_39 (Trojan)]
  • %APPDATA%\BHEcsE.exe [Detected as GAV: Ircbrute_39 (Trojan)]
  • %APPDATA%\hnoeylZB.exe [Detected as GAV: Ircbrute_39 (Trojan)]
  • %APPDATA%\KLVlgeHa.exe [Detected as GAV: Ircbrute_39 (Trojan)]
  • %APPDATA%\MQBtxMHH.exe [Detected as GAV: Ircbrute_39 (Trojan)]
  • %APPDATA%\vGpUGvWU.exe [Detected as GAV: Ircbrute_39 (Trojan)]
  • %APPDATA%\YlGjKrFF.exe [Detected as GAV: Ircbrute_39 (Trojan)]
  • %APPDATA%\IRzNdm.exe [Detected as GAV: Ircbrute_39 (Trojan)]

The Trojan adds the following key to the Windows registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run MozillaUpdater "%APPDATA%\MozillaUpdater\mozillaupdater.exe"

The Trojan makes the following DNS queries:

The Trojan joins the channel #ship on a remote IRC server and awaits further instructions. Other bots that are connected are hidden:

In the background the Trojan updates itself by downloading and running mozillaupdater.exe [Detected as GAV: Ircbrute_39 (Trojan)]:

The Trojan runs a Bitcoin miner in the background and instructs it to join the EMC Bitcoin mining pool (eclipsemc.com). As a result of mining, it uses up all of the CPU resources on the system. It also attempts to locate GPU libraries in order to mine using graphics cards:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Ircbrute_39 (Trojan)
  • GAV: BitCoinMiner.A_5 (Trojan)