Antivirus Security Pro FakeAV Downloader – Onkods (Nov 8, 2013)

The Dell SonicWALL Threats Research team has observed multiple variants of a new FakeAV downloader Trojan being actively spammed in the wild. The FakeAV downloader, also known as Onkods, arrives as an e-mail attachment pretending to be a JPEG image. When an unsuspecting user opens the attachment, it downloads and installs a new FakeAV Trojan, Antivirus Security Pro. Both the downloader and the FakeAV Trojan use multiple anti-debugging and anti-detection techniques to evade heuristic detection and automated analysis.

Here is a list of e-mail subjects and attachment names from various spam e-mails that were captured over the last week involving Onkods Trojan:

Sample e-mail messages look like below:

Infection Cycle:

A closer look at the Onkods downloader binary revealed that certain API call names and Windows library names are encrypted to deter heuristic detection. These are the network- and filesystem-related API calls, and they are decrypted at runtime.

Encrypted API calls:

  Encrypted               Decrypted
  JHo@pNEE]dGoY           InternetOpenA
  JHo@pNEE]dGoMe{^        InternetOpenUrlA
  JHo@pNEEQxMr}_vqwqf     InternetCloseHandle
  JHo@pNEE@qCe^~{z        InternetReadFile
  @T~DvEpC}wGrkV          CreateProcess
  @T~DvEfX~qc             CreateFileA
  TTrQgfI]w               WriteFile
  @JtVghA_vxG             CloseHandle

Encrypted Windows library names:

  Encrypted      Decrypted
  tOuLlET.vxn    wininet.dll
  HCiKgL.pNm     Kernel32.dll

If the user opens the attachment, it connects to a predetermined remote server to download the FakeAV Trojan. The downloader uses a custom User-Agent string as seen below:

The servers hosting these FakeAV Trojan binaries are located in Lithuania. The downloader then runs the downloaded executable, which begins the FakeAV infection cycle.

Antivirus Security Pro

The FakeAV Trojan checks for the presence of either of two files, c:\sd.dbg and c:\sd2.dbg, and terminates itself if one is found. It also checks for the presence of virtual environments (VirtualBox, Virtual PC, VMware and QEMU) before starting the infection cycle. While we have seen many other VM-aware malware families, this one is unusual in that it uses more discreet API calls, SetupDiGetClassDevs, SetupDiEnumDeviceInfo and SetupDiGetDeviceRegistryProperty, to enumerate hardware and detect the virtual environment, as seen below:
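The two evasion traits described for this pair of samples, API names that exist only in encrypted form until runtime and hardware enumeration through setupapi to spot a virtual machine, both leave a static footprint that a triage script can score. The example below is added here and is not SonicWall's code: the import lists, the extracted strings and the function names (triage, demo) are constructed for the demonstration, and in practice the inputs would come from a PE parser.

```python
"""Static triage for two evasion traits: runtime-decrypted API names and a
VM check driven by setupapi device enumeration.

Added example, not SonicWall's code. Import tables and strings are constructed
to resemble the two samples discussed; a real run would take them from a PE parser.
"""
import re

# Network/file APIs that Onkods keeps encrypted (decrypted names from the table above).
RUNTIME_DECRYPTED_APIS = {
    "InternetOpenA", "InternetOpenUrlA", "InternetCloseHandle", "InternetReadFile",
    "CreateProcessA", "CreateProcessW", "CreateFileA", "WriteFile", "CloseHandle",
}
# If these are imported but none of the above are, the names are resolved at runtime.
RESOLVERS = {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"}
# setupapi.dll enumeration calls used by Antivirus Security Pro for its VM check.
DEVICE_ENUM_APIS = {
    "SetupDiGetClassDevsA", "SetupDiGetClassDevsW", "SetupDiEnumDeviceInfo",
    "SetupDiGetDeviceRegistryPropertyA", "SetupDiGetDeviceRegistryPropertyW",
}
VM_MARKERS = ("virtualbox", "vbox", "vmware", "virtual pc", "qemu")
# Shape of an encrypted library name such as tOuLlET.vxn: letters, a dot,
# three letters, but not a real file extension.
OBF_LIB_RE = re.compile(r"[A-Za-z]{5,}\.[A-Za-z]{3}")
REAL_EXT = (".dll", ".exe", ".sys", ".txt", ".log", ".ini")


def triage(imports, strings):
    """Return the sorted list of trait names found in a sample.

    imports: 'dll!Function' entries from the import table.
    strings: printable strings extracted from the binary.
    """
    funcs = {i.split("!", 1)[1] for i in imports if "!" in i}
    dlls = {i.split("!", 1)[0].lower() for i in imports if "!" in i}
    lowered = [s.lower() for s in strings]
    traits = set()

    # Trait 1: the resolver pair is present but no network/file API is imported.
    if RESOLVERS & funcs and not RUNTIME_DECRYPTED_APIS & funcs:
        traits.add("runtime-api-resolution")
    if any(OBF_LIB_RE.fullmatch(s) and not s.lower().endswith(REAL_EXT) for s in strings):
        traits.add("obfuscated-library-name")
    # Trait 2: setupapi enumeration plus hypervisor vendor strings.
    if ("setupapi.dll" in dlls and DEVICE_ENUM_APIS & funcs
            and any(m in s for s in lowered for m in VM_MARKERS)):
        traits.add("vm-check-via-setupapi")
    return sorted(traits)


# Constructed inputs modelled on the downloader and the FakeAV payload.
ONKODS_LIKE_IMPORTS = ["kernel32.dll!LoadLibraryA", "kernel32.dll!GetProcAddress",
                       "user32.dll!MessageBoxA"]
ONKODS_LIKE_STRINGS = ["tOuLlET.vxn", "HCiKgL.pNm", "JHo@pNEE]dGoY"]
FAKEAV_LIKE_IMPORTS = ["setupapi.dll!SetupDiGetClassDevsA", "setupapi.dll!SetupDiEnumDeviceInfo",
                       "setupapi.dll!SetupDiGetDeviceRegistryPropertyA", "wininet.dll!InternetOpenA"]
FAKEAV_LIKE_STRINGS = ["VBOX HARDDISK", "VMware Virtual", "QEMU", "c:\\sd.dbg"]


def demo():
    """Run both constructed samples through the triage."""
    return {"onkods": triage(ONKODS_LIKE_IMPORTS, ONKODS_LIKE_STRINGS),
            "fakeav": triage(FAKEAV_LIKE_IMPORTS, FAKEAV_LIKE_STRINGS)}


if __name__ == "__main__":
    for sample, traits in demo().items():
        print(sample, traits)
```

The first heuristic is deliberately conservative: a sample that imports LoadLibrary but also imports CreateFileA statically is not flagged, because plenty of benign software resolves one or two optional APIs at runtime. The absence of every network and file API from the import table while the resolver pair is present is what makes the signal worth reporting.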

It disables the Microsoft Windows security and update processes by running these commands:

It then displays a fake Windows Security Center alert that claims to be searching for a solution to fix virus activity, followed by an Antivirus Security Pro scan:

The following screens show the usual Fake Antivirus scareware tactics:

  • Fake scanning and infection alerts.
  • Blocks legitimate programs from running.
  • Prompts the user to buy an upgrade to clean up the infection.

We were able to extract the following affiliate ID, payment gateway, and support URLs during our analysis:

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Onkods.S (Trojan)
  • GAV: Kryptik.BLMB (Trojan)
  • GAV: FakeAV.BLMB (Trojan)

IBM iNotes ActiveX Control Vulnerability (Nov 8, 2013)

IBM iNotes (formerly IBM Lotus iNotes) is a web-based version of the IBM Notes client; it provides browser access to IBM Notes email, calendar and contacts. IBM iNotes includes an ActiveX component (DWA9W) which enables enhanced attachment functions.

An integer overflow vulnerability exists in IBM iNotes; the vulnerability is due to exposure of an unsafe property in the DWA9W ActiveX control. A remote attacker can exploit this vulnerability by enticing a user to open a specially crafted webpage using Internet Explorer. Successful exploitation could lead to arbitrary code execution in the security context of the logged-in user. Failed attacks could lead to termination of the browser.

The vulnerability has been assigned as CVE-2013-3027.

Dell SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 7598 IBM iNotes DWA9W ActiveX Instantiation

Fake Excel spreadsheet installs a Backdoor Trojan (November 1, 2013)

The Dell SonicWALL Threats Research team has received reports of a backdoor Trojan posing as an Excel spreadsheet. This Trojan targets the Windows platform and is being distributed through compromised legitimate websites. It overwrites a legitimate Windows system file and connects to a remote server to wait for further instructions.

Infection Cycle:

Upon execution it creates the following files:

  • %TEMP%\*chinese characters*.xls
  • %TEMP%\InstallServer.exe [Detected as GAV: Laproy_2 (Trojan)]

It opens the .xls file to display its content:

InstallServer.exe then creates the following files:

  • %SYSTEM%\netman.dll [Detected as GAV: Laproy_3 (Trojan)]
  • %SYSTEM%\dllcache\netman.dll [Detected as GAV: Laproy_3 (Trojan)]

These copies of netman.dll overwrite the legitimate Network Connections Manager library (netman.dll) on the user's system. The malicious copy even exports the same functions as the real Windows DLL, with two extra functions added to install and uninstall the malware.

The malware then communicates to a remote server, sending identifiable information that marks its presence in the victim machine. Upon confirmation, it receives the address of another remote server:

During our analysis, we only observed this Trojan repeatedly sending SYN packets to the server while awaiting further instructions:

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Laproy (Trojan)
  • GAV: Laproy_2 (Trojan)
  • GAV: Laproy_3 (Trojan)

Oracle Java CVE-2013-2465 attacks spotted in the wild (Nov 1, 2013)

The Dell SonicWALL Threats Research team has observed live malware exploiting CVE-2013-2465 in the wild. CVE-2013-2465 concerns incorrect image channel verification in the 2D component of the Java Runtime Environment (JRE) in Oracle Java SE; the vulnerable versions are Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, 5.0 Update 45 and earlier, and OpenJDK 7. By exploiting the issue, an attacker can inject and execute arbitrary code remotely.

By exploiting this vulnerability, the observed malware executes the following steps:

a. Creates a file named “mspaints.exe” containing the following code:

b. Executes mspaints.exe.

c. mspaints.exe copies itself into the system directory and deletes the first copy.

d. Connects to a malicious webpage:

Dell SonicWALL has created the following IPS signatures to detect attacks targeting this vulnerability:

  • 4539 Malformed Java Class File 8
  • 4547 Malformed Java Class File 9
  • 4662 Malformed Java Class File 11

Malware switches user's Bank Account Number with that of the attacker (October 25, 2013)

The Dell SonicWALL Threats Research team received reports of Visual Basic-based malware that uses a simple but relatively new trick to steal the victim's money by misusing the traditional copy-paste mechanism. Whenever the victim copies a bank account number to the clipboard (Ctrl+C), the malware replaces it with a hard-coded account number belonging to the attacker, so when the victim pastes (Ctrl+V), the content is the attacker's account number. Some people might easily overlook the switch and end up transferring money to the attacker.

Infection Cycle

The malware spreads as part of a spam campaign; the following files are dropped onto the victim's machine when the malicious mail attachment is opened:

  • taskmgr.exe [Detected as GAV: VBTroj.TAS (Trojan)]
  • explore.exe [Detected as GAV: VBTroj.EXP (Trojan)]
  • svchost.exe [Detected as GAV: VBTroj.SV (Trojan)]
  • acs.exe [Detected as GAV: VBTroj.ACS (Trojan)]

We observed different tasks performed by each of the dropped files, some of them are highlighted below:

  • taskmgr.exe gets a text file from adfc4s2ky.biz.ly/score970.txt which appears to be dead at the time of writing.

    It increments a counter maintained by the attacker to provide statistics about the number of infections. At the time of writing this blog the count is at 3811. It uses the following URL to achieve this:
    simplehitcounter.com/hit.php?uid=1555750&f=16777215&b=0

    It then registers itself with the attacker by sending an e-mail over SMTP; this mode of notification is uncommon.

  • explore.exe performs the trick of replacing the 26-digit account number copied by the victim with a hard-coded account number stored in the malware. The following figure shows, in the first image, the dummy account number that was copied before the malware was executed. Upon execution, the malware changes the contents of the clipboard to the account number stored in the code. Note that only the 26 digits that make up the account number are changed.

    We observed the names of a number of banks in the executable whose customers may be targeted by this malware:

    • Multibank
    • Getin Bank
    • Eurobank
    • Ing Bank
    • Mbank
    • Pekao24

  • acs.exe tries to download a resource named file1.pdf from adfc4s2ky.biz.ly but it has been moved/removed from that location.

Overall, this threat misuses one of the most used features in modern computing to carry out malicious activity. As with most banking malware, it targets the victim's sensitive banking information, the bank account number in this case, for monetary gain.
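The swap described above is detectable from the user's side because the clipboard changes without any copy action by the user. The following check is an added example, not SonicWall's code or part of the original write-up: it assumes clipboard contents arrive as strings (a polling loop over the platform clipboard API would supply them), and the class and function names (ClipboardGuard, account_numbers) and the sample account numbers are constructed for the demonstration. It watches for 26-digit numbers, the length the write-up says the malware rewrites, which is also the Polish domestic account format used by the banks listed above.

```python
"""Clipboard-integrity check for the account-number swap described above.

Added example, not SonicWall's code. Clipboard contents are passed in as
strings (constructed here); a deployment would feed them from a clipboard
polling loop on the platform's clipboard API.
"""
import re

# 26-digit account numbers, optionally grouped with spaces or dashes.
ACCOUNT_RE = re.compile(r"(?<!\d)(?:\d[ -]?){26}(?!\d)")


def account_numbers(text):
    """Return every 26-digit account number in text, digits only."""
    return [re.sub(r"[ -]", "", m.group(0)) for m in ACCOUNT_RE.finditer(text)]


class ClipboardGuard:
    """Remember what the user copied and flag a later silent change."""

    def __init__(self):
        self.last_copied = None

    def on_copy(self, text):
        """Call when the user's own copy action (Ctrl+C) produced text."""
        self.last_copied = text

    def check(self, clipboard_now):
        """Compare the clipboard against the last user copy.

        Returns None when the clipboard is intact, otherwise a description of
        the tamper, naming the account numbers when one was swapped.
        """
        if self.last_copied is None or clipboard_now == self.last_copied:
            return None
        before = account_numbers(self.last_copied)
        after = account_numbers(clipboard_now)
        if before and after and before != after:
            return f"account number swapped: {before[0]} -> {after[0]}"
        return "clipboard changed since the last copy"


if __name__ == "__main__":
    guard = ClipboardGuard()
    guard.on_copy("Transfer to PL12 1234 5678 9012 3456 7890 1234")
    # Constructed: what a clipboard rewriter would leave behind before the paste.
    print(guard.check("Transfer to PL98 7654 3210 9876 5432 1098 7654"))
```

The comparison is done on the normalised digit string, so a rewrite that also changes the grouping (spaces versus dashes) is still reported as a swap rather than as a harmless formatting difference.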

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: VBTroj.TAS (Trojan)
  • GAV: VBTroj.EXP (Trojan)
  • GAV: VBTroj.SV (Trojan)
  • GAV: VBTroj.ACS (Trojan)

HP Intelligent BIMS UploadServlet Arbitrary File Upload (Oct 25, 2013)

HP Intelligent Management Center (IMC) Enterprise Software Platform is designed on a service-oriented architecture (SOA), using a business application flow model as its core and featuring an on-demand, modularized structure. It is capable of managing, monitoring and controlling enterprise-class networks.

IMC Branch Intelligent Management Software (BIMS) is an IMC module that supports the remote management of customer premise equipment (CPE) in WANs. The web interface to the management console is accessible via the following URL:

 http://server-address:8080/ 

An arbitrary file-upload vulnerability exists in the HP Intelligent Management Center Branch Intelligent Management Software (BIMS) module. The vulnerable function fails to properly sanitize the user supplied directory traversal pattern, which allows arbitrary creation/writing of files of any type anywhere on the server.
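The root cause named above, a client-supplied name that is joined to an upload directory without the traversal pattern being rejected, has a standard fix: accept only a plain file name and verify that the resolved target still lies under the upload root. The example below is added here and is not HP's code; the upload root, the file names and the function names (naive_upload_path, resolve_upload_path, escapes_root) are constructed for the demonstration, and the same two checks apply whatever language the servlet is written in.

```python
"""Upload-path validation: the check the vulnerable upload servlet lacks.

Added example, not HP's code. The upload root and client-supplied names are
constructed for the demonstration.
"""
import os
import re


class UnsafePathError(ValueError):
    """Raised when a client-supplied name would escape the upload root."""


# Plain file names only: no separators, so no traversal is even expressible.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def naive_upload_path(upload_root, client_name):
    """The vulnerable pattern: trust the client name and join it to the root."""
    return os.path.normpath(os.path.join(upload_root, client_name))


def escapes_root(upload_root, candidate):
    """True if candidate resolves to a location outside upload_root."""
    root = os.path.realpath(upload_root)
    target = os.path.realpath(candidate)
    return os.path.commonpath([root, target]) != root


def resolve_upload_path(upload_root, client_name):
    """Hardened form: whitelist the name, then verify the resolved target."""
    if not SAFE_NAME.fullmatch(client_name):
        raise UnsafePathError(f"rejected file name {client_name!r}")
    target = os.path.join(os.path.realpath(upload_root), client_name)
    # Defence in depth: realpath follows symlinks, so a whitelisted name that
    # leads elsewhere through a planted link is still caught.
    if escapes_root(upload_root, target):
        raise UnsafePathError(f"{client_name!r} resolves outside the upload root")
    return target


if __name__ == "__main__":
    root = "/srv/bims/uploads"  # constructed upload root
    for name in ("report.xml", "../../../etc/passwd", "/etc/passwd"):
        naive = naive_upload_path(root, name)
        print(f"{name!r}: naive -> {naive} (escapes: {escapes_root(root, naive)})")
        try:
            print(f"{name!r}: hardened -> {resolve_upload_path(root, name)}")
        except UnsafePathError as err:
            print(f"{name!r}: hardened -> rejected ({err})")
```

The whitelist does the real work; the realpath comparison is there so that the check does not silently weaken if someone later relaxes the whitelist to admit subdirectories.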

The Dell SonicWALL Threats Research team has researched this vulnerability and released the following IPS signatures to detect exploitation attempts:

  • 7578 HP Intelligent BIMS UploadServlet Arbitrary File Upload
  • 7581 HP Intelligent BIMS UploadServlet Arbitrary File Upload 2

This vulnerability has been assigned CVE-2013-4822.

Wave of Zortob Backdoor Trojan discovered in the wild (Oct 18, 2013)

The Dell SonicWALL Threats Research team has received reports of a recent wave of the Zortob Trojan in the wild. Trojans of this nature may have no particular objective upon infection, but they give an attacker a back door into the infected system through which any other malware can be installed. This Trojan is reported to arrive as an e-mail attachment masquerading as a voicemail message.

Infection cycle:

The Trojan uses the following icon to pose as a voicemail message:

The Trojan adds the following files to the filesystem:

  • %APPDATA%\kqljentg.exe [Detected as GAV: Zortob.B_47 (Trojan)]
  • {run location}\VoiceMail_Round_Rock_(512)4584934.txt

Once it is run it will delete itself and create VoiceMail_Round_Rock_(512)4584934.txt in the same location:

It will then open notepad.exe to display the text file:

The following IP addresses for C&C servers were discovered in the binary:

  • 62.75.242.232
  • 5.39.84.59
  • 89.144.14.28
  • 106.186.23.14

The following encrypted communication was observed between the Trojan and a remote C&C server:

During analysis we discovered the unencrypted form of the data sent above:

The response from the C&C server tells the Trojan to remain idle. We also found the following other commands in the Trojan binary:

  • idl
  • run
  • crc
  • rem
  • rdl
  • red
  • upd

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Zortob.B_47 (Trojan)

Microsoft Windows IE Vulnerability (CVE-2013-1347) attacks spotted in the Wild (Oct 17, 2013)

The Dell SonicWALL Threats Research team has found the old Internet Explorer vulnerability (CVE-2013-1347) still being actively exploited. This is the same vulnerability exploited in the Department of Labor attacks earlier this year. It is a use-after-free condition: an object is deleted but a reference to it is reused, causing memory corruption and allowing arbitrary code execution.

Following is an in-depth analysis of the attack.

The malicious JavaScript, which employs ROP techniques, is shown below.

Debugging shows successful exploitation of the vulnerability.

The page includes a payload that downloads a binary, which is saved as C:\rund11.exe.

Another binary is downloaded as shown.

This binary, upon execution, sends requests to the following domains.

The following signatures already proactively detect the attack.

  • IPS:9470 DOM Object Use-After-Free Attack 2
  • IPS:9872 Windows IE DOM Object Use-After-Free (MS13-038) 1
  • IPS:9873 Windows IE DOM Object Use-After-Free (MS13-038) 2

IRC Bot masquerading as popular applications (October 11, 2013)

The Dell SonicWALL Threats Research team has observed a recent wave of IRC bots posing as legitimate applications. The bot installer may arrive on the victim machine with file names such as chrome.exe or facebook-images.exe. It attempts to masquerade as Google Chrome by using the following icon and file properties:

Infection Cycle:

Upon execution the bot creates a copy of itself into the following directories:

  • %WINDIR%\temp\facebook-images.exe [Detected as GAV: Zusy.G (Trojan)]
  • %TEMP%\adbreader.exe [Detected as GAV: Zusy.G (Trojan)]

In order to start after reboot the bot adds the following keys to the registry:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run [adobe driver update] "%TEMP%\adbreader.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run [adobe driver update] "%TEMP%\adbreader.exe"

It also executes the following command to allow itself through the Windows Firewall:

  • %SYSTEM%\netsh.exe [netsh firewall add allowedprogram "%TEMP%\adbreader.exe" "Adobe Driver Update" ENABLE]

It connects to a remote IRC based Command and Control server and waits for further instructions:

It then joins an IRC channel named #biz:

During our analysis, we noticed the Command and Control server sending instructions to download an additional malware component:

The downloaded malware is copied into the following directory:

  • %WINDIR%\mdm.exe [Detected as GAV: Injector.AOED (Trojan)]

The following registry keys were added by the bot to persist infection upon system reboot:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run [microsoft firevall engine] "%WINDIR%\mdm.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run [microsoft firevall engine] "%WINDIR%\mdm.exe"
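Both persistence entries above share a pattern that an autorun audit can pick out: a vendor-sounding value name ("adobe driver update", "microsoft firevall engine") whose executable lives in a temp directory or sits directly in the Windows directory rather than in a vendor location. The script below is an added example, not SonicWall's code or part of the original write-up. SAMPLE_REG_OUTPUT is constructed to mimic the output of `reg query` against a Run key, and the function names (audit_run_keys, image_path) and directory lists are assumptions for the demonstration; on a real host the command's output would be captured and passed in.

```python
r"""Autorun audit for the persistence pattern described above: Run-key values
that launch from a temp directory or drop an executable straight into the
Windows directory under a vendor-sounding name.

Added example, not SonicWall's code. SAMPLE_REG_OUTPUT is constructed to mimic
`reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`; on a real host,
capture that command's output and pass it to audit_run_keys().
"""
import re

SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive                     REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    adobe driver update          REG_SZ    "C:\Users\alice\AppData\Local\Temp\adbreader.exe"
    microsoft firevall engine    REG_SZ    "C:\Windows\mdm.exe"
"""

# One "name  type  data" line of reg query output; columns are separated by
# runs of two or more spaces, so value names containing single spaces survive.
ENTRY_RE = re.compile(r"^\s{2,}(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.+)$")

TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
VENDOR_WORDS = ("microsoft", "adobe", "google")
# Where a genuine vendor component would normally live.
VENDOR_DIRS = ("\\program files", "\\windows\\system32\\", "\\appdata\\local\\microsoft\\")
# An .exe placed directly in the Windows directory, not in a subdirectory.
WINDIR_ROOT_EXE = re.compile(r"[a-z]:\\windows\\[^\\]+\.exe")


def image_path(data):
    """Pull the executable out of a Run value's data (quoted or bare)."""
    m = re.match(r'"([^"]+)"', data) or re.match(r"(\S+\.exe)", data, re.I)
    return m.group(1) if m else data


def audit_run_keys(reg_output):
    """Return (value_name, image_path, reasons) for each suspicious entry."""
    findings = []
    for line in reg_output.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        name, path = m["name"], image_path(m["data"])
        low = path.lower()
        reasons = []
        if any(d in low for d in TEMP_DIRS):
            reasons.append("launches from a temp directory")
        if WINDIR_ROOT_EXE.fullmatch(low):
            reasons.append("executable placed directly in the Windows directory")
        if any(v in name.lower() for v in VENDOR_WORDS) and not any(d in low for d in VENDOR_DIRS):
            reasons.append("vendor-like value name but non-vendor path")
        if reasons:
            findings.append((name, path, reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in audit_run_keys(SAMPLE_REG_OUTPUT):
        print(f"{name!r} -> {path}: {', '.join(reasons)}")
```

The OneDrive entry in the constructed output is there as a control: it runs from a per-user profile directory, but one under a Microsoft-owned path, so it produces no finding. Running the same audit against the HKLM Run key is a matter of feeding in that key's query output.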

The server also sent an instruction to create another component, which uses the Pidgin icon and is copied into the following directory:

  • %TEMP%\eraseme_*random digits*.exe [Detected as GAV: MalAgent.G_3527 (Trojan)]

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Injector.AOED (Trojan)
  • GAV: Zusy.G (Trojan)
  • GAV: MalAgent.G_3527 (Trojan)

Microsoft Security Bulletin Coverage (Oct 8, 2013)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of October, 2013. A list of issues reported, along with Dell SonicWALL coverage information follows:

MS13-080 Cumulative Security Update for Internet Explorer (2879017)

  • CVE-2013-3872 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3873 Internet Explorer Memory Corruption Vulnerability
    IPS: 7548 “Windows IE Use-After-Free Vulnerability (MS13-080) 2”
  • CVE-2013-3874 Internet Explorer Memory Corruption Vulnerability
    IPS: 7549 “Windows IE Use-After-Free Vulnerability (MS13-080) 3”
  • CVE-2013-3875 Internet Explorer Memory Corruption Vulnerability
    IPS: 7550 “Windows IE Use-After-Free Vulnerability (MS13-080) 4”
  • CVE-2013-3882 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3885 Internet Explorer Memory Corruption Vulnerability
    IPS: 7551 “Windows IE Use-After-Free Vulnerability (MS13-080) 5”
  • CVE-2013-3886 Internet Explorer Memory Corruption Vulnerability
    IPS: 7552 “Windows IE Use-After-Free Vulnerability (MS13-080) 6”
  • CVE-2013-3893 Internet Explorer Memory Corruption Vulnerability
    IPS: 7377 “Windows IE Memory Corruption Vulnerability”
    IPS: 7417 “Windows IE Memory Corruption Vulnerability 2”
    SPY: 4119 “Malformed-File html.TL.274”
  • CVE-2013-3897 Internet Explorer Memory Corruption Vulnerability
    Please check Analysis for more details on the exploit seen in the wild.
    IPS: 7553 “Windows IE Use-After-Free Vulnerability (MS13-080) 7”
    SPY: 4684 “CVE-2013-3897”

MS13-081 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2870008)

  • CVE-2013-3894 TrueType Font CMAP Table Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3888 DirectX Graphics Kernel Subsystem Double Fetch Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3881 Win32k NULL Page Vulnerability
    This is a local vulnerability.
  • CVE-2013-3880 App Container Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3879 Win32k Use After Free Vulnerability
    This is a local vulnerability.
  • CVE-2013-3200 Windows USB Descriptor Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3128 Open Type Font Parsing Vulnerability
    SPY: 4683 “Malformed-File otf.MP.9”

MS13-082 Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2878890)

  • CVE-2013-3861 JSON Parsing Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3860 Entity Expansion Vulnerability
    IPS: 6316 “Microsoft .NET Framework Entity Expansion DoS”
  • CVE-2013-3128 OpenType Font Parsing Vulnerability
    SPY: 4683 “Malformed-File otf.MP.9”

MS13-083 Vulnerability in Windows Common Control Library Could Allow Remote Code Execution (2864058)

  • CVE-2013-3195 Comctl32 Integer Overflow Vulnerability
    SPY: 4685 “Malformed-File exe.MP.7”

MS13-084 Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2885089)

  • CVE-2013-3895 Parameter Injection Vulnerability
    IPS: 7555 “Microsoft SharePoint Server Remote Code Execution 4 (MS13-084)”
  • CVE-2013-3889 Microsoft Excel Memory Corruption Vulnerability
    There are no known exploits in the wild.

MS13-085 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2885080)

  • CVE-2013-3890 Microsoft Excel Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3889 Microsoft Excel Memory Corruption Vulnerability
    There are no known exploits in the wild.

MS13-086 Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (2885084)

  • CVE-2013-3892 Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3891 Memory Corruption Vulnerability
    SPY: 4686 “Malformed-File doc.MP.14”

MS13-087 Vulnerability in Silverlight Could Allow Information Disclosure (2890788)

  • CVE-2013-3896 Silverlight Vulnerability
    There are no known exploits in the wild.