Latest Java Vulnerability (CVE-2013-2473) exploited in the Wild (September 6, 2013)

The Dell SonicWALL Threats Research team has identified the latest Java vulnerability (CVE-2013-2473) already being actively exploited in the wild. Oracle patched this vulnerability in its June 2013 Critical Patch Update, so fully patched systems are not affected.

Following is an in-depth analysis of the attack.
The victim visits a malicious HTML page, which loads a JavaScript file responsible for detecting the installed Java plugin version.

Depending on the Java version detected, the malicious JAR is delivered either through JNLP or as an ordinary applet.

We can also see the URL of the EXE payload being passed with a .txt extension. The EXE is downloaded only after the JAR has successfully exploited the vulnerability.

Following is a decompilation of the malicious JAR, which is heavily obfuscated to evade detection. Version-specific functions are called at the Java level as well. The parameter “duFJfXw” is read to obtain the location of the malicious EXE, which is downloaded after the exploit function returns.

Navigating the function calls brings us to the following code, which triggers the vulnerability by invoking the relevant methods through reflection.

A couple of Raster objects are created using the “createWritableRaster” method with a “ColorModel” and a “DataBufferInt” as arguments. One of these objects is malformed. When both raster objects are passed to the “compose” method, the mismatch causes memory corruption, which ultimately allows the applet to escape the Java sandbox.

We have implemented the following signatures to detect exploitation of this vulnerability:

  • IPS:4704 Malformed Java Class File 12
  • GAV:22586 Malformed.class.TL.37

New Zeus dropper being spammed actively (September 6, 2013)

The Dell SonicWALL Threats Research team has observed incidents of a new Dropper Trojan being delivered via an e-mail spam campaign in the wild. The e-mail attachment is a password-protected zip file containing the malicious executable. The zip attachment is named using the recipient’s first initial and last name as a suffix, which makes it more convincing for the intended recipient to open. The malware executable had zero AV detection at the time of this write-up. It connects to a remote server to download and install a new variant of the Zeus banking Trojan on the target machine.

Sample e-mail from this campaign that was captured today can be seen below:

The zip attachment name is of the format FSEMC.(First Initial + Last Name of recipient).zip. The enclosed malicious executable masquerades as a PDF file, as seen below:
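The two tells described above (an attachment name personalised to the recipient, and an executable dressed up as a PDF inside the archive) can be checked at the mail gateway before the user ever sees the message. The following is an added example, not code from the original write-up or from Dell SonicWALL: it builds a constructed sample zip in memory (the member names and bytes are made up, not the real attachment) and runs both checks over it. It relies on the fact that a zip's central directory stores member names in the clear even when the entries themselves are password protected, so the name-based checks work without the password; only the content check needs it.

```python
import io
import re
import zipfile

PE_MAGIC = b"MZ"
PDF_MAGIC = b"%PDF"
EXEC_EXT = (".exe", ".scr", ".pif", ".com")


def personalised_name(attachment_name, first_name, last_name):
    """True when the zip is named FSEMC.<first initial><last name>.zip for this recipient."""
    pattern = re.compile(
        r"^FSEMC\." + re.escape(first_name[0] + last_name) + r"\.zip$", re.IGNORECASE
    )
    return bool(pattern.match(attachment_name))


def suspicious_entries(zip_bytes, password=None):
    """Return (member name, reason) pairs for executables posing as documents."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            # Name checks read only the central directory, so they work on an
            # encrypted archive without the password.
            if lower.endswith(EXEC_EXT):
                if ".pdf" in lower[:-4]:
                    findings.append((name, "executable with a .pdf decoy in its name"))
                else:
                    findings.append((name, "executable attachment"))
                continue
            # Content check: bit 0 of the general-purpose flag marks an encrypted entry.
            if info.flag_bits & 0x1 and password is None:
                findings.append((name, "encrypted entry, content not inspected"))
                continue
            with zf.open(info, pwd=password) as fh:
                head = fh.read(4)
            if lower.endswith(".pdf") and not head.startswith(PDF_MAGIC):
                if head.startswith(PE_MAGIC):
                    findings.append((name, "claims .pdf but is a PE file"))
                else:
                    findings.append((name, "claims .pdf but has no PDF header"))
    return findings


def build_sample_zip():
    """Constructed sample archive (not the real attachment): two MZ-headed files
    dressed up as a PDF, plus a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_Report.pdf.exe", PE_MAGIC + b"\x90\x00" * 32)
        zf.writestr("Invoice_Report.pdf", PE_MAGIC + b"\x90\x00" * 32)
        zf.writestr("readme.txt", b"please see attached\n")
    return buf.getvalue()


def triage(attachment_name, zip_bytes, first_name, last_name, password=None):
    """Combine both checks into a list of reasons to hold the message."""
    reasons = []
    if personalised_name(attachment_name, first_name, last_name):
        reasons.append("attachment name personalised to the recipient (FSEMC pattern)")
    reasons.extend(f"{n}: {r}" for n, r in suspicious_entries(zip_bytes, password))
    return reasons


if __name__ == "__main__":
    # Recipient "Jane Doe" receiving the constructed FSEMC.JDoe.zip.
    for reason in triage("FSEMC.JDoe.zip", build_sample_zip(), "Jane", "Doe"):
        print(reason)
```

A gateway that cannot open the encrypted archive still gets the two name-based verdicts; pass the user-supplied password as bytes to extend the check to member contents.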

Infection Cycle:

Upon execution, the Dropper Trojan creates a copy of itself as %TEMP%\hfdfjdk.exe and runs it in the background:

It then deletes the original file that the user opened.

The Dropper then attempts to connect to a predetermined remote server, ce-cloud.com, and downloads the latest Zeus variant over HTTPS. We captured the download command during our analysis, as seen below:

The latest Zeus variant is downloaded from the encoded URI /images/note.exe and saved as %TEMP%\ckjienn.exe [Detected as GAV: Zbot.AAU_67 (Trojan)]. The dropper then executes it, which kicks off the Zeus infection cycle and makes the following filesystem changes:

  • Creates a copy of itself as %APPDATA%\Teugw.exe
  • Creates a registry entry to ensure the infection persists across reboots:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run Teugw “%APPDATA%\Okzocu\teugw.exe”

  • Injects malicious code into multiple system and user processes:
    • %WINDOWS%\system32\Dwm.exe
    • %WINDOWS%\Explorer.EXE
    • %WINDOWS%\system32\taskhost.exe
    • %PROGRAMFILES%\Adobe\Reader 9.0\Reader\reader_sl.exe
    • %WINDOWS%\system32\SearchProtocolHost.exe

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Tepfer.gen_4 (Trojan)
  • GAV: Zbot.AAU_67 (Trojan)

Android malware with SMTP capabilities (September 6, 2013)

The Dell SonicWALL Threats Research team received reports of an Android malware capable of sending e-mails using the SMTP protocol. We have watched Android malware evolve with new tricks to infect its victims, but this is the first one we have seen use SMTP to send sensitive device and user information to the attackers.

Infection Cycle

Before installation, the app requests the following permissions:

  • bind_device_admin
  • change_network_state
  • receive_sms
  • process_outgoing_calls
  • read_sms
  • read_user_dictionary
  • write_sms
  • send_sms
  • internet
  • write_external_storage
  • wake_lock
  • record_audio
  • modify_audio_settings
  • vibrate
  • receive_boot_completed
  • write_settings
  • disable_keyguard
  • read_contacts
  • write_contacts
  • get_tasks
  • write_secure_settings
  • read_phone_state
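
Read together, the permissions above describe the app's capabilities before it ever runs: SMS and contact access plus internet for exfiltration, audio recording plus call-state hooks for call recording, boot and wake-lock permissions for persistence, and device-administrator binding for resisting removal. The following is an added example, not code from the original write-up or from Dell SonicWALL, that turns that reading into a static triage of a decoded AndroidManifest.xml (as produced by apktool). The manifest and rule groupings here are constructed for the example; note that BIND_DEVICE_ADMIN is not a uses-permission but the permission an app puts on its admin receiver, so the check looks there.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability rules (author's grouping for this example): a rule fires only when
# every listed permission is declared in the manifest.
RULES = {
    "sms_theft": {"READ_SMS", "RECEIVE_SMS", "INTERNET"},
    "contact_theft": {"READ_CONTACTS", "INTERNET"},
    "call_recording": {"RECORD_AUDIO", "PROCESS_OUTGOING_CALLS"},
    "boot_persistence": {"RECEIVE_BOOT_COMPLETED", "WAKE_LOCK"},
}


def declared_permissions(manifest_xml):
    """Short names (READ_SMS, ...) of every <uses-permission> in the manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name", "")
        perms.add(name.rsplit(".", 1)[-1].upper())
    return perms


def device_admin_receivers(manifest_xml):
    """Receivers guarded by BIND_DEVICE_ADMIN: the app can ask to become a device administrator."""
    root = ET.fromstring(manifest_xml)
    return [
        rcv.get(ANDROID_NS + "name")
        for rcv in root.iter("receiver")
        if rcv.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
    ]


def app_label(manifest_xml):
    """The display name the app will show in the launcher."""
    app = ET.fromstring(manifest_xml).find("application")
    return app.get(ANDROID_NS + "label") if app is not None else None


def triage(manifest_xml):
    """Sorted list of capability names the manifest supports."""
    perms = declared_permissions(manifest_xml)
    hits = [rule for rule, needed in RULES.items() if needed <= perms]
    if device_admin_receivers(manifest_xml):
        hits.append("device_admin")
    return sorted(hits)


# Constructed manifest mirroring the permission profile discussed above (not the real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.service">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="Google Service">
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed control: an ordinary app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for m in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(app_label(m), triage(m))
```

A launcher label such as “Google Service” combined with a device-admin receiver and the sms_theft or call_recording rules is the profile to alert on; the benign control yields no hits.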

Once installed, the app appears as ‘Google Service’ on the phone. Opening it prompts the user to allow the app to be set as a device administrator, which means the app can alter the security policy of the device and cannot be uninstalled until that status is revoked. Whenever any app asks to be made a device administrator, it is highly advisable to verify the app’s intentions before granting the request.

When the app is opened, nothing appears on the screen and its icon disappears from the app drawer, but it keeps running in the background. The app collects information from the device and attempts to send it using SMTP.
The app has capabilities to steal and send the following information:

  • Contacts on the phone
  • SMSes on the device
  • Audio recordings of the calls on the device

We found interesting strings in a function named sendAll() that gathers the collected data and formats it for sending via SMTP:

The app sends this information to the attackers via SMTP. We found the following SMTP servers in the code:

  • smtp.gmail.com
  • smtp.126.com

During our analysis the sample tried to communicate with smtp.126.com but we did not see any further activity.

The motive of this malware is to send sensitive user information to the attackers. We have seen such spy apps in the past, but most relied on SMS or HTTP as the channel for the stolen information; this is the first we have seen use SMTP. It highlights that malware writers are constantly evolving Android malware with new tricks.

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: AndroidOS.Spy.SMTP (Trojan)

Internet Explorer Vulnerability (MS12-043) Exploited in the Wild (August 30, 2013)

The Dell SonicWALL Threats Research team has found multiple instances of malicious websites exploiting this old Microsoft XML Core Services (MSXML) vulnerability, which is reachable from Internet Explorer. It has long been patched and has been assigned CVE-2012-1889. Metasploit also has a module, msxml_get_definition_code_exec, and we can see some similarities in the exploit code, as outlined below.

The exploit page contains the usual obfuscation, heap allocation and shellcode setup.

The vulnerable “MSXML3” control is instantiated, followed by a call to its “definition” function, which triggers the condition.

Debugging shows the heap spray and the download of the URL pointing to the malicious executable.

A separate variant uses a bare IP address for the executable download.

We detect multiple variants of this attack with the following IPS signatures:

  • 7967 Microsoft XML Core Services Uninitialized Object Access 1
  • 8007 Microsoft XML Core Services Uninitialized Object Access 6
  • 7610 HTTP Client Shellcode Exploit 68b
  • 7370 HTTP Client Shellcode Exploit 68a
  • 5416 HTTP Client Shellcode Exploit 15a
  • 4604 HTTP Client Shellcode Exploit 1a
  • 4605 HTTP Client Shellcode Exploit 2

A new Trustezeb variant spammed in the wild (Aug 30, 2013)

The Dell SonicWALL Threats Research team has observed incidents of a new Trustezeb variant being delivered via e-mail spam and drive-by downloads in the wild. The malware executable is compiled with Microsoft Visual C++ and contains two embedded malicious executables that are run on the target machine. The dropped executable sends sensitive information to a remote server and waits for further commands.

Sample e-mail containing the new Trustezeb variant as an attachment:

Infection Cycle:

Upon execution, the Trojan takes a snapshot of the running processes and checks for the presence of the Sandboxie environment as well as the Avast antivirus program:

The Trojan creates a mutex UACMutexxxxx to mark its presence on the system.

It attempts to stop the Microsoft Windows firewall by running the following command:

The Trojan then creates a new svchost.exe process, injects into it one of the two embedded executables (decrypted at runtime), and runs it. The injected code checks whether its parent process is running from the %TEMP% folder and whether the parent’s file extension is .pre. If not, it drops a copy of the original malware executable into %TEMP% as (RandomName).pre and runs it. The infection cycle can be seen below:

The Trojan creates a registry entry to ensure that it runs on system reboot.

The dropped executable that is injected into svchost.exe gathers sensitive information about the target machine and reports it back to the Command & Control server in encrypted form via an HTTP GET request. The format of the GET request used by the malware:

    GET /img_cache.php?text=(RANDOMLY GENERATED KEY BLOCK)&img_url=http://(SENSITIVE SYSTEM DATA).(bmp/jpg/png/pcx)&rpt=simage&pos=(INT)

A sample request looks like the following:

The decrypted version of the data being transmitted in above request contains the following information:

    DISKVOLUME_INFO USERNAME:USERID:OPERATING_SYSTEM:SYSTEM_DEFAULT_LANGUAGE_ID:OS_VERSION
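
The check-in format above is distinctive enough to match on its shape alone: a GET to /img_cache.php carrying text=, an img_url= whose host component is the encrypted system data with a fake image extension, rpt=simage and a numeric pos=. The following is an added example, not code from the original write-up or from Dell SonicWALL, that parses request lines in the form a proxy log would record them and extracts those fields. The request lines below are constructed (the hostnames and hex payloads are made up); it is assumed here that the data in the host part is limited to alphanumerics, since anything else would not survive as a host label.

```python
import re
from urllib.parse import parse_qs, urlsplit

BEACON_PATH = "/img_cache.php"
REQUIRED_KEYS = ("text", "img_url", "rpt", "pos")
# Host part of img_url: <encoded system data>.<bmp|jpg|png|pcx>
DATA_HOST = re.compile(r"([A-Za-z0-9]+)\.(bmp|jpg|png|pcx)")


def parse_request_line(line):
    """'GET /path?query HTTP/1.1' -> (method, path, query dict), or None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    url = urlsplit(parts[1])
    return parts[0], url.path, parse_qs(url.query, keep_blank_values=True)


def beacon_fields(line):
    """Fields of a check-in in the documented shape, or None when the line does not match."""
    parsed = parse_request_line(line)
    if parsed is None:
        return None
    method, path, query = parsed
    if method != "GET" or path != BEACON_PATH:
        return None
    if any(key not in query for key in REQUIRED_KEYS):
        return None
    if query["rpt"][0] != "simage" or not query["pos"][0].isdigit():
        return None
    # The system data rides in the host part of img_url with a fake image extension.
    img = urlsplit(query["img_url"][0])
    host = img.netloc or img.path  # tolerate a missing http:// scheme
    m = DATA_HOST.fullmatch(host)
    if m is None:
        return None
    return {
        "key": query["text"][0],
        "data": m.group(1),
        "ext": m.group(2),
        "pos": int(query["pos"][0]),
    }


def scan(lines):
    """(line index, fields) for every request line that matches the beacon shape."""
    hits = []
    for i, line in enumerate(lines):
        fields = beacon_fields(line)
        if fields is not None:
            hits.append((i, fields))
    return hits


# Constructed request lines, not real captures.
SAMPLE_LOG = [
    "GET /img_cache.php?text=7c1e9a04b3d2&img_url=http://4a6f686e3a313030303a57696e.bmp&rpt=simage&pos=0 HTTP/1.1",
    "GET /images/note.exe HTTP/1.1",
    "GET /img_cache.php?id=42 HTTP/1.1",
    "POST /img_cache.php?text=7c1e&img_url=http://4a6f.png&rpt=simage&pos=1 HTTP/1.1",
    "GET /img_cache.php?text=7c1e&img_url=http://4a6f686e.gif&rpt=simage&pos=1 HTTP/1.1",
    "GET /img_cache.php?text=7c1e9a04b3d2&img_url=4a6f686e3a313030303a57696e.pcx&rpt=simage&pos=1 HTTP/1.1",
]

if __name__ == "__main__":
    for i, f in scan(SAMPLE_LOG):
        print(f"line {i}: pos={f['pos']} ext={f['ext']} key={f['key']} data={f['data']}")
```

The extracted key and data fields are what an analyst would feed to the decryption routine recovered from the injected code; the matcher itself deliberately does not depend on the encoding of either.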

A list of hardcoded Command & Control servers extracted during our analysis can be seen below:

The malicious process then waits for commands from the remote server. We saw support for the following commands in the injected code:

  • URLS
  • UPGRADE
  • UPGRADEURL
  • EXECUTE
  • LOAD
  • EXECDLL
  • LOADDLL
  • WAIT
  • KILL
  • MAINER
  • MAINERFILE

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Trustezeb.E (Trojan)

Citadel Trojan masquerades as UPS Invoice download (August 23, 2013)

The Dell SonicWALL Threats Research team has received reports of a new variant of the Citadel Trojan (based on Zbot). This Trojan contains many features used to steal information from infected machines, including theft of banking credentials, audio capture and playback, keystroke logging and screenshot/video capture.

Infection Cycle:

The Trojan arrives in the form of an email purporting to be from UPS:

It provides fake links to a tracking number and an invoice. Both links lead to the download of the Trojan executable.

The Trojan makes the following DNS query:

  • davs.microdnsz.com

The Trojan adds the following files to the filesystem:

  • %APPDATA%\Afgok\oqxi.exe [Detected as GAV: Zbot.BIM (Trojan)]
  • %APPDATA%\Haisaamaf.elw [empty file]
  • %APPDATA%\Iqevopohoqq.rib [configuration file]

The Trojan adds the following keys to the Windows registry to ensure it starts after a reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Ibosod “%APPDATA%\Afgok\oqxi.exe”
  • HKEY_USERS\S-1-5-21-448539723-1682526488-839522115-1003\Software\Microsoft\Azcae Okqy hex:3d,e4,f2,fa,b2,d4,e2,1c,aa,a2,78,f6,4c,2f,ee, …

The configuration file contains the C&C server URL, the name of the process to inject (in this case explorer.exe), browser User Agent strings and other information on what to do once the system has been infected:

Before deleting itself, the original malicious executable writes oqxi.exe to disk and runs it. oqxi.exe injects code [Detected as GAV: Xin1_4 (Trojan)] into explorer.exe:

This causes explorer.exe to report to a remote C&C server and download an additional malicious module:

It was observed sending the following sensitive system information, in encrypted form, to the C&C server:

Analysis of the binaries installed by the Trojan suggests an array of capabilities such as video/audio recording and playback, webinject capability and the ability to extract information from certain files. We caught the Trojan inspecting a Microsoft Outlook Express Sent Items.dbx mail store.

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Zbot.BIM (Trojan)
  • GAV: Xin1_4 (Trojan)

Samba read_nttrans_ea_list Function DoS (Aug 22, 2013)

Samba, which runs on most Unix and Unix-like systems, is a free software re-implementation of the SMB/CIFS networking protocol. As of version 3, Samba provides file and print services for various Microsoft Windows clients and can integrate with a Windows Server domain. By default, a Samba server listens on TCP port 445 for SMB over TCP (and on TCP port 139 for SMB over NetBIOS).

A denial-of-service vulnerability exists in Samba. Specifically, it is due to an integer overflow in the function read_nttrans_ea_list, which parses the extended attribute (EA) list carried in an NT Trans request. A remote attacker with an authenticated or guest session can exploit this vulnerability by sending a crafted request to the target Samba server. Successful exploitation makes the smbd process loop performing memory allocations until it exhausts available memory or is killed, resulting in a denial-of-service condition.

The vulnerability has been assigned CVE-2013-4124. It affects Samba 3.x before 3.5.22, 3.6.x before 3.6.17 and 4.x before 4.0.8; upgrading to those releases or later removes the issue.

Dell SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 7214 Samba read_nttrans_ea_list DoS

Compromised WordPress-based websites redirect users to explicit sites (Aug 16, 2013)

The Dell SonicWALL Threats Research team discovered mass defacements of various WordPress-based websites, including government websites in the Asia Pacific region. Such reputable domains are typical targets for cybercriminals as platforms for carrying out malicious activity, because these sites are less likely to be blocked by security software.

The majority of the websites involved in this attack were running an outdated version of the popular blogging software WordPress. Visiting a compromised website for the first time redirects the user to a malicious site. This was accomplished by inserting a few lines of obfuscated malicious JavaScript into the homepage, as seen in the screenshot below.

Figure 1: Obfuscated malicious JavaScript

Decoding and analyzing the script reveals that the attacker ensures one redirect per browser session by using an ordinary cookie. On the first visit to the compromised website the script sets a cookie named ‘doRedirect’ and redirects the browser to a malicious explicit URL shortened using Google’s URL shortening service. Subsequent visits from a browser that already carries the cookie are no longer redirected, which also makes the injection harder to reproduce when revisiting the site for analysis.

Figure 2: Deobfuscated JavaScript

Further research uncovered many other legitimate websites injected with the same malicious JavaScript. Most of them run an outdated version of WordPress or use popular blogging platforms such as Tumblr or Blogger. The embedded malicious URLs lead to the same explicit website but use different URL shorteners, such as bit.ly or adfoc.us.
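
Because the injection is one short inline script with the same three ingredients on every compromised site (a gate on the ‘doRedirect’ cookie, an assignment to location, and a shortener link), it can be found by scanning a page's inline scripts rather than by visiting the site in a browser. The following is an added example, not code from the original write-up or from Dell SonicWALL. It extracts inline scripts from an HTML page, undoes a percent-encoded eval(unescape(...)) wrapper (a stand-in for the obfuscation, whose actual encoding is not reproduced here), and flags scripts that both gate on the cookie and redirect. The page it scans is constructed, and the bit.ly link in it is a placeholder, not one of the real URLs.

```python
import re
from html.parser import HTMLParser
from urllib.parse import quote, unquote

SHORTENERS = ("goo.gl", "bit.ly", "adfoc.us")
COOKIE_REASON = "sets or tests the doRedirect cookie"
LOCATION_REASON = "assigns location"


class InlineScripts(HTMLParser):
    """Collect the source of every inline <script> (those without a src attribute)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script" and not dict(attrs).get("src"):
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def deobfuscate(src):
    """Undo an eval(unescape("%xx...")) wrapper; anything else is returned unchanged."""
    m = re.search(r"""unescape\(\s*["']([^"']+)["']\s*\)""", src)
    return unquote(m.group(1)) if m else src


def classify(script_src):
    """Reasons a script looks like the cookie-gated redirect; empty if none apply."""
    js = deobfuscate(script_src)
    reasons = []
    if "doRedirect=" in js:
        reasons.append(COOKIE_REASON)
    # Assignment (not comparison) to location, window.location or location.href.
    if re.search(r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*=(?!=)", js):
        reasons.append(LOCATION_REASON)
    hosts = [h for h in SHORTENERS if h in js]
    if hosts:
        reasons.append("targets shortener " + ", ".join(hosts))
    return reasons


def scan_page(html):
    """(script index, reasons) for scripts that both gate on the cookie and redirect."""
    parser = InlineScripts()
    parser.feed(html)
    hits = []
    for i, src in enumerate(parser.scripts):
        reasons = classify(src)
        if COOKIE_REASON in reasons and LOCATION_REASON in reasons:
            hits.append((i, reasons))
    return hits


def build_sample_page():
    """Constructed page: a harmless theme script, then a percent-encoded copy of the
    redirect logic described above (the shortener link is a placeholder)."""
    payload = (
        'if(document.cookie.indexOf("doRedirect=")==-1){'
        'document.cookie="doRedirect=1; path=/";'
        'window.location="http://bit.ly/example";}'
    )
    encoded = quote(payload, safe="")
    return (
        "<html><head><title>Blog</title>\n"
        "<script>var page='home'; document.cookie='theme=light';</script>\n"
        "</head><body><h1>Welcome</h1>\n"
        '<script>eval(unescape("' + encoded + '"));</script>\n'
        "</body></html>"
    )


if __name__ == "__main__":
    for index, reasons in scan_page(build_sample_page()):
        print(f"script #{index}: " + "; ".join(reasons))
```

Fetching the page for such a scan should be done with cookies disabled and a fresh client each time, since the redirect logic suppresses itself once the cookie is present.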

Figure 3: URL redirect using bit.ly & adfoc.us

Statistics on two different “goo.gl” URLs we found that redirect to the same explicit website show how widespread this attack is: the links garnered over 15,000 clicks in a single day and more than 300,000 clicks in total since they were first created, from many regions of North America, Asia and Europe.

Figure 4: Statistics on goo.gl URL #1
Figure 5: Statistics on goo.gl URL #2

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: FakePostePay.A (Trojan)

Microsoft Security Bulletin Coverage (Aug 13, 2013)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of August 2013. A list of the issues reported, along with Dell SonicWALL coverage information, follows:

MS13-059 Cumulative Security Update for Internet Explorer (2862772)

  • CVE-2013-3184 Internet Explorer Memory Corruption Vulnerability
    IPS: 6020 “Windows IE Use-After-Free Vulnerability (MS13-059) 3”
  • CVE-2013-3186 Internet Explorer Process Integrity Level Assignment Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3187 Internet Explorer Memory Corruption Vulnerability
    IPS: 6023 “Windows IE Use-After-Free Vulnerability (MS13-059) 7”
  • CVE-2013-3188 Internet Explorer Memory Corruption Vulnerability
    IPS: 7026 “Windows IE Use-After-Free Vulnerability (MS13-059) 1”
  • CVE-2013-3189 Internet Explorer Memory Corruption Vulnerability
    IPS: 7027 “Windows IE Type Confusion Vulnerability (MS13-059)”
  • CVE-2013-3190 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3191 Internet Explorer Memory Corruption Vulnerability
    IPS: 7029 “Windows IE Use-After-Free Vulnerability (MS13-059) 2”
  • CVE-2013-3192 EUC-JP Character Encoding Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3193 Internet Explorer Memory Corruption Vulnerability
    IPS: 7060 “Windows IE Use-After-Free Vulnerability (MS13-059) 4”
  • CVE-2013-3194 Internet Explorer Memory Corruption Vulnerability
    IPS: 7061 “Windows IE Use-After-Free Vulnerability (MS13-059) 5”
  • CVE-2013-3199 Internet Explorer Memory Corruption Vulnerability
    IPS: 7062 “Windows IE Use-After-Free Vulnerability (MS13-059) 6”

MS13-060 Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution (2850869)

  • CVE-2013-3181 Uniscribe Font Parsing Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.

MS13-061 Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2876063)

  • CVE-2013-2393 Oracle Outside In Contains Multiple Exploitable Vulnerabilities
    There are no known exploits in the wild.
  • CVE-2013-3776 Oracle Outside In Contains Multiple Exploitable Vulnerabilities
    There are no known exploits in the wild.
  • CVE-2013-3781 Oracle Outside In Contains Multiple Exploitable Vulnerabilities
    There are no known exploits in the wild.

MS13-062 Vulnerability in Remote Procedure Call Could Allow Elevation of Privilege (2849470)

  • CVE-2013-3175 Remote Procedure Call Vulnerability
    Unable to reproduce the attack.

MS13-063 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2859537)

  • CVE-2013-2556 ASLR Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3196 Windows Kernel Memory Corruption Vulnerability
    This is a local vulnerability. Detection of attack over the wire is not feasible.
  • CVE-2013-3197 Windows Kernel Memory Corruption Vulnerability
    This is a local vulnerability. Detection of attack over the wire is not feasible.
  • CVE-2013-3198 Windows Kernel Memory Corruption Vulnerability
    This is a local vulnerability. Detection of attack over the wire is not feasible.

MS13-064 Vulnerability in Windows NAT Driver Could Allow Denial of Service (2849568)

  • CVE-2013-3182 Windows NAT Denial of Service Vulnerability
    There are no known exploits in the wild.

MS13-065 Vulnerability in ICMPv6 Could Allow Denial of Service (2868623)

  • CVE-2013-3183 ICMPv6 Vulnerability
    There are no known exploits in the wild.

MS13-066 Vulnerability in Active Directory Federation Services Could Allow Information Disclosure (2873872)

  • CVE-2013-3185 AD FS Information Disclosure Vulnerability
    There are no known exploits in the wild.

Firefox onreadystatechange Use-after-free Vulnerability (Aug 9, 2013)

Mozilla Firefox is a web browser developed by the Mozilla Foundation. Firefox is capable of rendering multiple types of content such as HTML, XML, XUL, JavaScript and popular media formats, among others. Firefox is distributed for all major platforms, including Windows, Mac OS X and Linux.

The Document Object Model (DOM) is a cross-platform and language-independent convention for representing and interacting with objects in HTML, XHTML and XML documents. Objects in the DOM tree may be addressed and manipulated by using methods on the objects. The public interface of a DOM is specified in its application programming interface (API). Firefox uses DOM as the main structure to interpret and render related documents. JavaScript can be used within Firefox to access and modify a web page’s underlying DOM.

Firefox supports various DOM events, which may occur when changes to the structure or contents of the document are made or when user actions are detected. Some of the events supported by the browser are character input and clipboard events; load, unload and state events; form events; mouse events and scrolling; move and drag events; resize events; activation and focus events and selection events.

A use-after-free vulnerability exists in Mozilla Firefox. Firefox before 22.0 (and Firefox ESR before 17.0.7) does not properly handle onreadystatechange events in conjunction with page reloading, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted web site that triggers an attempt to execute data at an unmapped memory location.

The Dell SonicWALL Threats Research team has researched this vulnerability and released the following IPS signatures to address the issue:

  • 4169 Mozilla Firefox onreadystatechange use after free Attack
  • 6207 HTTP Client Shellcode Exploit 42a

This vulnerability has been assigned CVE-2013-1690.