Microsoft Security Bulletins Coverage (Feb 08, 2011)

SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of February, 2011. A list of issues reported, along with SonicWALL coverage information follows:

MS11-003 Cumulative Security Update for Internet Explorer (2482017)

  • CVE-2010-3971 – CSS Memory Corruption Vulnerability
    IPS 6094 MS IE CSS Import Use-After-Free Code Execution Exploit 1
    IPS 6095 MS IE CSS Import Use-After-Free Code Execution Exploit 2
    IPS 6096 MS IE CSS Import Use-After-Free Code Execution Exploit 3
    IPS 6098 MS IE CSS Import Use-After-Free Attempt
  • CVE-2011-0035 – Uninitialized Memory Corruption Vulnerability
    This is a logical vulnerability. No IPS detection solution is available.
  • CVE-2011-0036 – Uninitialized Memory Corruption Vulnerability
    IPS 6223 MS IE DHTML Object Memory Corruption (MS11-003)
  • CVE-2011-0038 – Internet Explorer Insecure Library Loading Vulnerability
    IPS 5726 Possible Binary Planting Attempt

MS11-004 Vulnerability in Internet Information Services (IIS) FTP Service Could Allow Remote Code Execution (2489256)

  • CVE-2010-3972 – IIS FTP Service Heap Buffer Overrun Vulnerability
    IPS 6101 MS IIS FTP Server DoS Vulnerability

MS11-005 Vulnerability in Active Directory Could Allow Denial of Service (2478953)

  • CVE-2011-0040 – Active Directory SPN Validation Vulnerability
    This is a local vulnerability. No IPS detection solution is available.

MS11-006 Vulnerability in Windows Shell Graphics Processing Could Allow Remote Code Execution (2483185)

  • CVE-2010-3970 – Windows Shell Graphics Processing Overrun Vulnerability
    IPS 6119 MS Graphics Rendering Thumbnail Stack BO Exploit

MS11-007 Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (2485376)

  • CVE-2011-0033 – OpenType Font Encoded Character Vulnerability
    GAV 39973 OpenType.MS11-007

MS11-008 Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (2451879)

  • CVE-2011-0092 – Visio Object Memory Corruption Vulnerability
    This is a logical vulnerability. No IPS detection solution is available.
  • CVE-2011-0093 – Visio Data Type Memory Corruption Vulnerability
    This is a logical vulnerability. No IPS detection solution is available.

MS11-009 Vulnerability in JScript and VBScript Scripting Engines Could Allow Information Disclosure (2475792)

  • CVE-2011-0031 – Scripting Engines Information Disclosure Vulnerability
    IPS 6224 Possible Scripting Engine Memory Corruption Attack

MS11-010 Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2476687)

  • CVE-2011-0030 – CSRSS Elevation of Privilege Vulnerability
    This is a local vulnerability. No IPS detection solution is available.

MS11-011 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802)

  • CVE-2010-4398 – Driver Improper Interaction with Windows Kernel Vulnerability
    This is a local vulnerability. No IPS detection solution is available.
  • CVE-2011-0045 – Windows Kernel Integer Truncation Vulnerability
    This is a local vulnerability. No IPS detection solution is available.

MS11-012 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2479628)

  • CVE-2011-0086 – Win32k Improper User Input Validation Vulnerability
    This is a local vulnerability. No IPS detection solution is available.
  • CVE-2011-0087 – Win32k Insufficient User Input Validation Vulnerability
    This is a local vulnerability. No IPS detection solution is available.
  • CVE-2011-0088 – Win32k Window Class Pointer Confusion Vulnerability
    This is a local vulnerability. No IPS detection solution is available.
  • CVE-2011-0089 – Win32k Window Class Improper Pointer Validation Vulnerability
    This is a local vulnerability. No IPS detection solution is available.
  • CVE-2011-0090 – Win32k Memory Corruption Vulnerability
    This is a local vulnerability. No IPS detection solution is available.

MS11-013 Vulnerabilities in Kerberos Could Allow Elevation of Privilege (2496930)

  • CVE-2011-0043 – Kerberos Unkeyed Checksum Vulnerability
    This is a local vulnerability. No IPS detection solution is available.
  • CVE-2011-0091 – Kerberos Spoofing Vulnerability
    This is a local vulnerability. No IPS detection solution is available.

MS11-014 Vulnerability in Local Security Authority Subsystem Service Could Allow Local Elevation of Privilege (2478960)

  • CVE-2011-0039 – LSASS Length Validation Vulnerability
    This is a local vulnerability. No IPS detection solution is available.

Microsoft Windows IE Vulnerability (CVE-2013-3897) attacks spotted in the wild (October 8, 2013)

The Dell SonicWALL Threats Research team observed reports of the CVE-2013-3897 vulnerability being actively exploited in the wild. The vulnerability enables an attacker to trigger memory corruption in Microsoft Internet Explorer via a crafted web site, allowing remote attackers to execute arbitrary code upon successful exploitation. Microsoft has released a security update for this vulnerability and we highly recommend applying it.

Dell SonicWALL customers were proactively secured from the attacks involving this 0-day exploit that started sometime in September, 2013.

Infection Cycle:

The exploit cycle begins with highly obfuscated JavaScript embedded on a compromised site. This JavaScript redirects the user to a remote server hosting the CVE-2013-3897 exploit, as seen below:

Here is a screenshot of an active exploit page that we captured from the wild:

It uses heap spray and ROP techniques to bypass ASLR and DEP. As seen below, it uses the unescape function to set up the spray and a ROP chain for specific targets:

If the exploit is successful, the shellcode will trigger the download of a malicious executable from a remote server. We saw similar attacks targeting CVE-2013-3893 two weeks ago.

The exploit fails on Windows XP even with the language packs installed; we observed only crashes.
We specifically reproduced the exploit on IE 8 running on Japanese XP, which explains how the ROP gadgets were designed to target specific systems.
The JavaScript code below shows checks for Japanese or Korean systems.

Debugging shows how the ROP chain is set up and how it executes.

Which translates to

Another pattern shared with the CVE-2013-3893 exploit is a set of bytes being XORed with 0x94:

The following bytes were used after a successful run to download and execute a malicious binary.

The downloaded malicious executable further connects to the same server to download another malicious executable pretending to be an image file firw.gif. This file is still actively being served by the remote server at the time of writing this alert.

Dell SonicWALL Gateway AntiVirus proactively blocked these attacks in the wild with the following signatures:

  • GAV: Shellcode.GEN_12 (Trojan)
  • GAV: Magania.FFAD (Trojan)
  • GAV: Patched.OX (Trojan)

We have additionally added the following signatures to detect the exploit:

  • IPS: 7553 Windows IE Use-After-Free Vulnerability (MS13-080) 7
  • SPY: 4684 CVE-2013-3897

Solid Edge ST4 ActiveX Control Vulnerability (Oct 4, 2013)

Solid Edge ST4, developed by SIEMENS PLM Software, is a mechanical design system with tools for creating and managing 3D digital prototypes. Through third party applications, Solid Edge has links to many other Product Lifecycle Management (PLM) technologies. Upon installation of SIEMENS Solid Edge ST4, an ActiveX control named SEListCtrlX is also deployed.

A memory corruption vulnerability exists in SIEMENS Solid Edge ST4; the vulnerability is due to exposure of an unsafe method in the SEListCtrlX ActiveX control. A remote attacker can exploit this vulnerability by enticing a user to open a specially crafted webpage using Internet Explorer. Successful exploitation could lead to arbitrary code execution in the security context of the logged-in user. Failed attacks could lead to termination of the browser.

SonicWall has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 4778 Siemens Solid Edge ActiveX DeleteItem Method Invocation

Gone with the wings ngrBot dropper (Oct 4, 2013)

The Dell SonicWall Threats Research team has observed incidents of a new ngrBot Dropper Trojan active in the wild. The Dropper may arrive as an attachment in spam e-mail or via drive-by downloads from cybercrime exploit kit hosting sites. The Dropper appears to remove other malware family binaries from the victim machine before infecting it with the embedded copy of the new ngrBot variant.

ngrBot, also known as Dorkbot, is a family of IRC-based worms that is known to spread through instant messengers, social networking websites, and removable drives. The bot steals user credentials for various applications and websites, and is also capable of launching Denial of Service attacks. More details can be found in our previous writeup – New Dorkbot variant targeting skype users (Oct 19, 2012).

Infection Cycle:

Upon execution, the Dropper Trojan checks for the command line argument “-shell” and attempts to create a specific mutex. If the Dropper was executed with the argument “-shell” and the mutex already exists on the system, it will terminate as seen below:

If the above conditions are not true, then it drops multiple copies of itself as:

  • %APPDATA%\temp.bin [Copy of itself detected as GAV: Dropper.NGR (Trojan) ]
  • %APPDATA%\ScreenSaverPro.scr [Copy of itself detected as GAV: Dropper.NGR (Trojan) ]
  • %APPDATA%\Microsoft\rcanu\rcanu.exe [Copy of itself detected as GAV: Dropper.NGR (Trojan) ]

It creates the following registry keys to ensure that the infection persists upon system reboot:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run Screen Saver Pro 3.1 “%APPDATA%\ScreenSaverPro.scr”
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Update “%APPDATA%\Microsoft\rcanu\rcanu.exe”

It keeps track of the number of times the malware has been executed on the victim machine by creating a Registry key shown in the image below and by setting the value for iterXXXz. It essentially forces the target system to reboot twice after initial infection. This looks like a ploy to hinder malware analysis by automated systems and malware researchers.

It further creates a system process svchost.exe and injects malicious code into it which is responsible for the following:

    Infect Removable Drives

  • It checks and monitors any removable drives connected to the infected system. If one is found, it drops a copy of itself as %VolumeSerialNumber%.exe on it.
  • It then looks for HIDDEN or READONLY executable files on the removable drive and deletes them.
  • It infects the removable drive by copying %APPDATA%\temp.bin to it using the same filename and attributes as the files that it deleted.
  • It finally launches the Microsoft Windows Paint program (mspaint.exe) in the background, which will eventually be accessed by the ngrBot process.

The Dropper then looks for files with the .exe extension in the %APPDATA%, %TEMP%, and %User Profile% directories and appends the string .gonewiththewings to the filename before deleting them, as seen below:

It launches the ngrBot binary which is embedded in the resource section. More details on the ngrBot infection cycle can be found in our previous alert.

The ngrBot variant in our case connected to a remote IRC server and was immediately instructed to download an updated version of the bot as seen below:

We have been actively tracking ngrBot Botnets over the past year, and here is the geographical distribution of the active Botnet Command and Control (C&C) servers from the past two weeks:

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Dorkbot.B_222 (Worm)
  • GAV: Dropper.NGR (Trojan)
  • IPS: ngrBot Infection Activity

Microsoft Security Bulletin Coverage (Sept 10, 2013)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of September, 2013. A list of issues reported, along with Dell SonicWALL coverage information follows:

MS13-067 Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2834052)

  • CVE-2013-3858 Word Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3857 Word Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3849 Word Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3848 Word Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3847 Word Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3180 POST XSS Vulnerability
    IPS: 6128 “Cross-Site Scripting (XSS) Attack 44”
  • CVE-2013-3179 SharePoint XSS Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-1330 MAC Disabled Vulnerability
    IPS: 6103 “Microsoft SharePoint Server Remote Code Execution 3”
  • CVE-2013-1315 Microsoft Office Memory Corruption Vulnerability
    SPY: 4678 “Malformed-File xlw.MP.1”
  • CVE-2013-0081 SharePoint Denial of Service Vulnerability
    IPS: 6100 “Microsoft SharePoint Server Remote Code Execution 5 (MS13-067)”
    IPS: 6096 “Microsoft SharePoint Server Remote Code Execution 4 (MS13-067)”

MS13-068 Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (2756473)

  • CVE-2013-3870 Message Certificate Vulnerability
    There are no known exploits in the wild.

MS13-069 Cumulative Security Update for Internet Explorer (2870699)

  • CVE-2013-3845 Internet Explorer Memory Corruption Vulnerability
    IPS: 7258 “Windows IE Use-After-Free Vulnerability (MS13-069) 1”
  • CVE-2013-3209 Internet Explorer Memory Corruption Vulnerability
    IPS: 7278 “Windows IE Use-After-Free Vulnerability (MS13-069) 3”
  • CVE-2013-3208 Internet Explorer Memory Corruption Vulnerability
    IPS: 7282 “Windows IE Use-After-Free Vulnerability (MS13-069) 4”
  • CVE-2013-3207 Internet Explorer Memory Corruption Vulnerability
    IPS: 7287 “Windows IE Use-After-Free Vulnerability (MS13-069) 5”
  • CVE-2013-3206 Internet Explorer Memory Corruption Vulnerability
    IPS: 7295 “Windows IE Use-After-Free Vulnerability (MS13-069) 6”
  • CVE-2013-3205 Internet Explorer Memory Corruption Vulnerability
    IPS: 7323 “Windows IE Use-After-Free Vulnerability (MS13-069) 8”
  • CVE-2013-3204 Internet Explorer Memory Corruption Vulnerability
    IPS: 7313 “Windows IE Use-After-Free Vulnerability (MS13-069) 7”
  • CVE-2013-3203 Internet Explorer Memory Corruption Vulnerability
    IPS: 7339 “Windows IE Type Confusion Vulnerability (MS13-069)”
  • CVE-2013-3202 Internet Explorer Memory Corruption Vulnerability
    IPS: 7273 “Windows IE Use-After-Free Vulnerability (MS13-069) 2”
  • CVE-2013-3201 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.

MS13-070 Vulnerability in OLE Could Allow Remote Code Execution (2876217)

  • CVE-2013-3863 OLE Property Vulnerability
    There are no known exploits in the wild.

MS13-071 Vulnerability in Windows Theme File Could Allow Remote Code Execution (2864063)

  • CVE-2013-0810 Windows Theme File Remote Code Execution Vulnerability
    IPS: 6130 “Malformed Theme File”

MS13-072 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2845537)

  • CVE-2013-3858 Word Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3857 Word Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3856 Word Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3855 Word Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3854 Word Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3853 Word Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3852 Word Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3851 Word Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3850 Word Memory Corruption Vulnerability
    IPS: 6105 “Microsoft Word Memory Corruption Vulnerability (MS13-072) 1”
  • CVE-2013-3849 Word Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3848 Word Memory Corruption Vulnerability
    IPS: 6109 “Microsoft Word Memory Corruption Vulnerability (MS13-072) 2”
  • CVE-2013-3847 Word Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3160 XML External Entities Resolution Vulnerability
    There are no known exploits in the wild.

MS13-073 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2858300)

  • CVE-2013-3159 XML External Entities Resolution Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3158 Microsoft Office Memory Corruption Vulnerability
    SPY: 4679 “Malformed-File xlw.MP.2”
  • CVE-2013-1315 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.

MS13-074 Vulnerabilities in Microsoft Access Could Allow Remote Code Execution (2848637)

  • CVE-2013-3157 Access Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3156 Access File Format Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3155 Access Memory Corruption Vulnerability
    There are no known exploits in the wild.

MS13-075 Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege (2878687)

  • CVE-2013-3859 Chinese IME Vulnerability
    There are no known exploits in the wild.

MS13-076 Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege (2876315)

  • CVE-2013-3866 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3865 Win32k Multiple Fetch Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3864 Win32k Multiple Fetch Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-1344 Win32k Multiple Fetch Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-1343 Win32k Multiple Fetch Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-1342 Win32k Multiple Fetch Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-1341 Win32k Multiple Fetch Vulnerability
    There are no known exploits in the wild.

MS13-077 Vulnerability in Windows Service Control Manager Could Allow Elevation of Privilege (2872339)

  • CVE-2013-3862 Service Control Manager Double Free Vulnerability
    There are no known exploits in the wild.

MS13-078 Vulnerability in FrontPage Could Allow Information Disclosure (2825621)

  • CVE-2013-3137 XML Disclosure Vulnerability
    IPS: 6162 “Microsoft FrontPage Information Disclosure”

MS13-079 Vulnerability in Active Directory Could Allow Denial of Service (2853587)

  • CVE-2013-3868 Remote Anonymous DoS Vulnerability
    There are no known exploits in the wild.

Microsoft Windows IE Memory Corruption (Sept 18, 2013)

Microsoft released an advisory addressing CVE-2013-3893 on Sept 17, 2013. This vulnerability in Microsoft Internet Explorer affects Internet Explorer versions 8 and 9 and is being used in the wild by cyber-criminals. The issue could potentially affect all supported IE versions.

It has been observed that the vulnerable event handler has been used in a JavaScript file in an Adobe Flash Tool, and the JavaScript file was manipulated by hackers. However, we didn’t confirm which vulnerability the manipulated JavaScript is exploiting as the target server has stopped serving the final malicious code. The following image shows the manipulated JavaScript file:

A hacker can load the mentioned JavaScript file:

Dell SonicWALL Threat team has researched this vulnerability and released the following IPS signature:

  • 7377 Windows IE Memory Corruption Vulnerability

Dell SonicWALL has updated information on Sept 26, 2013 for this vulnerability as below.

HP LoadRunner ActiveX Control Vulnerability (Sep 27, 2013)

HP LoadRunner is an application performance testing software. It helps to detect bottlenecks and obtain an accurate picture of end-to-end system performance before going live. Upon installation of the HP LoadRunner, an ActiveX control named micWebAjax.dll is also deployed.

A stack buffer overflow vulnerability exists in HP LoadRunner; the vulnerability is due to exposure of an unsafe method in the micWebAjax.dll ActiveX control. A remote attacker can exploit this vulnerability by enticing a user to open a specially crafted webpage using Internet Explorer. Successful exploitation could lead to arbitrary code execution in the security context of the logged-in user. Failed attacks could lead to termination of the browser.

The vulnerability has been assigned as CVE-2013-2368.

Dell SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 4649 HP LoadRunner ActiveX NotifyEvent Method Invocation

Microsoft Windows IE Vulnerability (CVE-2013-3893) attacks spotted in the Wild (September 26, 2013)

The Dell SonicWALL Threats Research team has found live attacks exploiting the Internet Explorer vulnerability CVE-2013-3893. Last week we reported this vulnerability and proactively started detecting and blocking the attack attempts.

We found the same HTML as reported by FireEye but being served from a different URL. This means that the same exploit is being served from multiple locations. Once the exploit is successful, it similarly downloads a jpg file which is actually an exe XORed with 0x95 as the key.
Please refer to the Sonicalert for detailed binary analysis.

The malicious html above contains a code-sequence exploiting the IE vulnerability. This code uses heap spray and ROP techniques to bypass ASLR and DEP.

Here it uses a cookie to track the visit.

Now it checks if it is exploitable and chooses the target accordingly.

It uses the unescape function to set up the spray and ROP chain for specific targets, which corresponds to the in-memory bytes below.

The following code-sequence is responsible for the vulnerability.

We saw the following crash when we separated out the ASLR and DEP evasion code.

Some excerpts below show how the ROP chain is constructed and how shellcode is used.

Here the payload is encoded with “xor 0x9f”.

The jpg is downloaded as shown.

XOR with 0x95 decodes the file:

We have implemented the following signatures to detect the attack.

  • IPS:7377 Windows IE Memory Corruption Vulnerability
  • IPS:7417 Windows IE Memory Corruption Vulnerability 2
  • SPY:4119 Malformed-File html.TL.274
  • GAV: 24181 Unruy.JPG (Trojan)
  • GAV: 24180 Unruy.JPX (Trojan)

CVE-2013-3893 exploit actively serving malware (September 26, 2013)

The Dell SonicWALL Threats Research team found a malicious site that exploits the Microsoft Windows IE vulnerability CVE-2013-3893 to deliver the attack payload onto the victim's machine. More information about the vulnerability itself can be found in the Sonicalert covering the same attack case.

Infection Cycle:

The following steps illustrate the infection cycle:

Upon successful exploitation, an encrypted file pretending to be an image, logo.jpg, is downloaded to the system. The extension of this file is misleading as it is actually a malicious Windows executable XORed with the key 0x95, as shown below:
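The single-byte XOR disguise used here (key 0x95 for logo.jpg, and 0x94 in the CVE-2013-3897 case earlier on this page) is easy to triage without knowing the key in advance: decode with each of the 256 candidates and keep the one that yields a structurally valid PE header. The following is an added defender-side example, not code from the SonicWALL alerts; the "payload" it decodes is a constructed header stub, not the real sample.

```python
import struct
from typing import Dict, Optional

PE_SIG = b"PE\x00\x00"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Structural check: 'MZ' at offset 0 and e_lfanew (at 0x3c) pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + len(PE_SIG) > len(data):
        return False
    return data[e_lfanew:e_lfanew + len(PE_SIG)] == PE_SIG


def find_xor_key(blob: bytes) -> Optional[int]:
    """Try all 256 single-byte keys; return the first that yields a valid PE, else None."""
    for key in range(256):
        if looks_like_pe(xor_bytes(blob, key)):
            return key
    return None


def triage(blob: bytes) -> Dict:
    """Classify a downloaded 'image': real JPEG magic, plain PE, or XOR-hidden PE."""
    key = find_xor_key(blob)
    return {
        "jpeg_magic": blob[:3] == b"\xff\xd8\xff",
        "xor_key": key,
        "plain_pe": key == 0,
        "hidden_pe": key not in (None, 0),
    }


def build_fake_pe() -> bytes:
    """Constructed stand-in for the payload: just enough DOS/PE header to satisfy
    looks_like_pe(). It is not an executable and does nothing if run."""
    e_lfanew = 0x80
    img = bytearray(b"MZ") + bytearray(0x3C - 2)   # DOS header up to e_lfanew
    img += struct.pack("<I", e_lfanew)              # e_lfanew field at 0x3c
    img += bytearray(e_lfanew - len(img))           # padding up to the PE header
    img += PE_SIG + b"\x4c\x01"                     # 'PE\0\0' + Machine = i386
    return bytes(img)


if __name__ == "__main__":
    disguised = xor_bytes(build_fake_pe(), 0x95)    # what logo.jpg looked like on disk
    print(triage(disguised))                        # xor_key 149 (0x95), hidden_pe True
```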

The malware executable also checks that it is named “runrun.exe” before it infects the system; otherwise it terminates. The following screenshot shows the name check function:

The Trojan adds the following key to the Windows registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run IEXPLORE “%Temp%\runrun.exe”

The Trojan adds the following mutex on the system to mark its presence:

  • ;A>6gi3lW

We observed the Trojan attempting to connect to login.momoshop.org via SSL but did not see any further network activity from the server side. We also observed the following hardcoded IP in the code; the server appeared to be down at the time of writing this blog.

Dell SonicWALL Gateway AntiVirus provides protection against these threats with the following signature:

  • GAV: Unruy.JPG (Trojan)
  • GAV: Unruy.JPX (Trojan)

Fake love note delivers a keylogger (September 13, 2013)

Cybercriminals use different schemes to attract unsuspecting users and passively gather personal data. Fake delivery notifications, bank statements and purchase orders have all been far too common and easily discernible. Recently, however, the Dell SonicWALL Threats Research team received reports of a Trojan posing as a romantic message but delivering a keylogger in the background. The main installer uses the following icon:

Figure 1: Installer icon and filename

Infection Cycle:

Upon execution the Trojan drops the following components:

  • %APPDATA%/SSA/envtask.exe [Detected as GAV: SniperSpy.A (Trojan)]
  • %TEMP%/tumbler_****.png

In order to start after reboot the Trojan adds the following keys to the registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sysclean %APPDATA%/SSA/envtask.exe
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sysclean %APPDATA%/SSA/envtask.exe
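All three families on this page (the ngrBot dropper, the CVE-2013-3893 Unruy payload and this SniperSpy installer) persist the same way: a Run value with an innocuous or OS-sounding name pointing at a binary under %APPDATA% or %TEMP%. The following added example (not SonicWALL's code) turns that observation into a hunt over a Run-key export; the sample entries are constructed from the writeups' listed names and drop paths, and the heuristics are this example's own.

```python
from typing import Dict, List, Tuple

# Value names the writeups list: ngrBot ("Screen Saver Pro 3.1", "Windows Update"),
# Unruy ("IEXPLORE") and SniperSpy ("sysclean"); exact matches are high confidence.
PAGE_LISTED_NAMES = {"screen saver pro 3.1", "windows update", "iexplore", "sysclean"}
# Words that make a value name look like an OS component (heuristic of this example).
OS_LOOKALIKE_WORDS = ("windows", "microsoft", "iexplore", "update", "sys")
# Where all three families dropped their autostart binary (%APPDATA%, %TEMP%).
PROFILE_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")
SYSTEM_DIRS = ("\\windows\\", "\\program files")


def image_path(command: str) -> str:
    """Pull the executable path out of a Run value's command string."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def assess(name: str, command: str) -> Dict:
    """Return the reasons one Run value resembles the persistence these writeups describe."""
    path = image_path(command).lower().replace("/", "\\")
    lname = name.lower()
    reasons: List[str] = []
    if lname in PAGE_LISTED_NAMES:
        reasons.append("value name listed in the writeups")
    if any(d in path for d in PROFILE_DIRS):
        reasons.append("autostart image under %APPDATA% or %TEMP%")
    if any(w in lname for w in OS_LOOKALIKE_WORDS) and not any(d in path for d in SYSTEM_DIRS):
        reasons.append("OS-component-like name outside Windows/Program Files")
    if path.endswith(".scr"):
        reasons.append("screensaver binary registered as an autostart")
    return {"name": name, "path": path, "suspicious": bool(reasons), "reasons": reasons}


def hunt(entries: List[Tuple[str, str]]) -> List[Dict]:
    """Filter a (value name, command) export of the Run keys down to the suspects."""
    return [r for r in (assess(n, c) for n, c in entries) if r["suspicious"]]


# Constructed export of HKCU/HKLM ...\CurrentVersion\Run: one entry per writeup
# plus a benign control; %APPDATA% and %TEMP% are expanded for a user "victim".
SAMPLE_RUN_VALUES = [
    ("Screen Saver Pro 3.1", r'"C:\Users\victim\AppData\Roaming\ScreenSaverPro.scr"'),
    ("Windows Update", r'"C:\Users\victim\AppData\Roaming\Microsoft\rcanu\rcanu.exe"'),
    ("IEXPLORE", r'"C:\Users\victim\AppData\Local\Temp\runrun.exe"'),
    ("sysclean", r"C:\Users\victim\AppData\Roaming\SSA\envtask.exe"),
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_RUN_VALUES):
        print(hit["name"], "->", hit["path"], "|", "; ".join(hit["reasons"]))
```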

It then launches Microsoft photo editor, photoed.exe, to open the file tumbler_***.png and display this image:

Figure 2: Fake message displayed

Meanwhile, envtask.exe downloads additional components of a commercial keylogger called SniperSpy and drops them onto the following directories:

  • %APPDATA%/SSA/ui.exe – SniperSpy’s GUI component [Detected as GAV: SniperSpy.B_2 (Trojan)]
  • %APPDATA%/*computer name*/system.zip – an ini configuration file

Figure 3: Downloading SniperSpyUI.exe

It will then silently monitor all websites visited, keystrokes typed, instant messages sent and various other activities.

Figure 4: Example of activities monitored by SniperSpy based on the strings found in the binary

Collected data are saved into the following directories with a .bin or .sys file extension:

  • %APPDATA%/*computer name*/A_sys – keywords logged
  • %APPDATA%/*computer name*/C_sys – chat logs
  • %APPDATA%/*computer name*/Sys_S/****_scr_*date*_t.sys – screenshots taken every 5 minutes
  • %APPDATA%/*computer name*/SetX.bin – system information
  • %APPDATA%/*computer name*/AFsys.bin – programs installed
  • %APPDATA%/*computer name*/sys_*.bin – the rest of the data are kept in numbered sys.bin files, which include programs run, user logon events, file creations and deletions, keystrokes and clipboard data.

It then sends the initial user information it has gathered (SetX.bin), which includes the computer name, MAC address, running processes and currently installed instant messaging clients.

Figure 5: SetX.bin uploaded as SetX.xml

All the data gathered in the numbered sys.bin files are combined into one xml file named rec_*randomdigits*.xml and sent to the remote server. Screen captures are uploaded individually as seen in the figure below:

Figure 6: JPG screenshot file uploaded to a remote server

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Keylogger.ILY (Trojan)
  • GAV: SniperSpy.A (Trojan)
  • GAV: SniperSpy.B_2 (Trojan)