Microsoft Security Bulletin Coverage (June 12, 2013)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of June, 2013. A list of issues reported, along with Dell SonicWALL coverage information follows:

MS13-047 Cumulative Security Update for Internet Explorer (2838727)

  • CVE-2013-3110 Internet Explorer Memory Corruption Vulnerability
    IPS: 9929 “Windows IE Use-After-Free Vulnerability (MS13-047) 1”
  • CVE-2013-3111 Internet Explorer Memory Corruption Vulnerability
    IPS: 9930 “Windows IE Use-After-Free Vulnerability (MS13-047) 2”
  • CVE-2013-3112 Internet Explorer Memory Corruption Vulnerability
    IPS: 9935 “Windows IE Use-After-Free Vulnerability (MS13-047) 3”
  • CVE-2013-3113 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3114 Internet Explorer Memory Corruption Vulnerability
    IPS: 9938 “Windows IE Use-After-Free Vulnerability (MS13-047) 4”
  • CVE-2013-3116 Internet Explorer Memory Corruption Vulnerability
    IPS: “Windows IE Use-After-Free Vulnerability (MS13-047) 5”
  • CVE-2013-3117 Internet Explorer Memory Corruption Vulnerability
    IPS: 9940 “Windows IE Use-After-Free Vulnerability (MS13-047) 6”
  • CVE-2013-3118 Internet Explorer Memory Corruption Vulnerability
    IPS: 9941 “Windows IE Use-After-Free Vulnerability (MS13-047) 7”
  • CVE-2013-3119 Internet Explorer Memory Corruption Vulnerability
    IPS: 9942 “Windows IE Use-After-Free Vulnerability (MS13-047) 8”
  • CVE-2013-3120 JSON Array Information Disclosure Vulnerability
    IPS: 9936 “Internet Explorer Memory Corruption Vulnerability”
  • CVE-2013-3121 Internet Explorer Memory Corruption Vulnerability
    IPS: 9937 “Windows IE 9 DOM SetExpression Memory Corruption”
  • CVE-2013-3122 Internet Explorer Memory Corruption Vulnerability
    IPS: 9943 “Windows IE Memory Corruption Vulnerability (MS13-047)”
  • CVE-2013-3123 Internet Explorer Memory Corruption Vulnerability
    IPS: 9609 “DOM Object Use-After-Free Attack 3”
  • CVE-2013-3124 Internet Explorer Memory Corruption Vulnerability
    IPS: 9931 “Windows IE DOM Object Memory Corruption 1”
  • CVE-2013-3125 Internet Explorer Memory Corruption Vulnerability
    IPS: 9932 “Windows IE DOM Object Memory Corruption 2”
  • CVE-2013-3139 Internet Explorer Memory Corruption Vulnerability
    IPS: 9933 “Windows IE DOM Object Memory Corruption 3”
  • CVE-2013-3141 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3142 Internet Explorer Memory Corruption Vulnerability
    IPS: 9934 “Windows IE DOM Object Use-After-Free 8”
  • CVE-2013-3126 Internet Explorer Script Debug Vulnerability
    There are no known exploits in the wild.

MS13-048 Vulnerability in Windows Kernel Could Allow Information Disclosure (2839229)

  • CVE-2013-3136 Windows Kernel Information Disclosure
    Not feasible to detect.

MS13-049 Vulnerability in Kernel-Mode Driver Could Allow Denial of Service (2845690)

  • CVE-2013-3138 TCP/IP kernel-mode driver Denial of Service Vulnerability
    Not feasible to detect.

MS13-050 Vulnerability in Windows Print Spooler Components Could Allow Elevation of Privilege (2839894)

  • CVE-2013-1339 Microsoft Windows Print Spooler Elevation of Privilege Vulnerability
    It’s elevation of privilege, not feasible to detect.

MS13-051 Vulnerability in Microsoft Office Could Allow Remote Code Execution (2839571)

  • CVE-2013-1331 Microsoft Office Buffer Overflow Vulnerability
    GAV: 18622 “Malformed.png.MP.1”

Android Pincer Trojan equipped with data stealing and anti-analysis modules (June 7, 2013)

Dell SonicWALL Threats Research Team received reports of the Pincer Android malware, which can execute a host of commands from its Command and Control (C&C) server once it infects a device. Apart from the commands it can execute, one interesting feature of this malware is its ability to detect whether it is running in an emulator. Anti-analysis tricks are commonplace in Windows malware but much less so in its Android/mobile counterpart.

Infection Cycle

We analyzed a number of Pincer samples and observed two variants: one installs on the system as Certificate and the other as Mobile Security.

Core functionality in both variants is the same, with only minor differences between the two. The following permissions are requested during installation:

  • Internet
  • Send_SMS
  • Read_Logs
  • Call_Phone
  • Receive_SMS
  • Call_Privileged
  • Read_Phone_State
  • Modify_Phone_State
  • Receive_Boot_Completed

Upon execution of the Certificate app, the following was displayed, indicating that the certificate is now active on the device. The Mobile Security app crashed during our analysis session.

Once executed, the apps send device related information to their respective C&C sources:

  • C&C for Certificate app: 198.211.118.115:9081/Xq0jzoPa/g_L8jNgO.php and the number +447937xxxxxx
  • C&C for Mobile Security app: img-cache.com/android_panel/gate.php and the number +447937xxxxxx

The following information about the device is sent to the C&C:

  • Device Model
  • Device Serial number
  • Carrier for the device
  • OS Version
  • Phone Number
  • Whether the device is rooted or not

The attacker can send the following commands via SMS, in the format command : [command_code], to be executed:

  • start_sms_forwarding
  • start_call_blocking
  • stop_sms_forwarding
  • stop_call_blocking
  • send_sms
  • execute_ussd
  • simple_execute_ussd
  • stop_program
  • show_message
  • delay_change
  • ping

The above commands indicate that the malware gathers sensitive information about the user via SMS and calls and transfers this data to the C&C.
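One way a defender can spot this operator traffic is to inspect incoming SMS bodies for the command format and names listed above. The following detector is an added example, not code from the write-up or from Pincer; it assumes the "command : [command_code]" format means the literal word command, a colon, and the command name (optionally in square brackets), and uses the masked sender number from the write-up as a placeholder.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Command names Pincer accepts from its operator, as listed in the write-up above.
PINCER_COMMANDS = {
    "start_sms_forwarding", "start_call_blocking", "stop_sms_forwarding",
    "stop_call_blocking", "send_sms", "execute_ussd", "simple_execute_ussd",
    "stop_program", "show_message", "delay_change", "ping",
}

# Assumed reading of the "command : [command_code]" format: the literal word
# "command", a colon, then the command name (optionally in square brackets),
# with any whitespace around the separators; anything after it is the argument.
_CMD_RE = re.compile(r"^\s*command\s*:\s*\[?\s*([a-z_]+)\s*\]?\s*(.*)$", re.I | re.S)


@dataclass
class SmsAlert:
    sender: str
    command: str
    argument: str
    known: bool  # True when the command is one Pincer is documented to accept


def inspect_sms(sender: str, body: str) -> Optional[SmsAlert]:
    """Return an alert when an SMS body looks like a Pincer C&C command, else None."""
    m = _CMD_RE.match(body)
    if not m:
        return None
    name = m.group(1).lower()
    return SmsAlert(sender=sender, command=name, argument=m.group(2).strip(),
                    known=name in PINCER_COMMANDS)


def scan_messages(messages: List[Tuple[str, str]]) -> List[SmsAlert]:
    """Run inspect_sms over (sender, body) pairs and keep only the alerts."""
    return [a for a in (inspect_sms(s, b) for s, b in messages) if a is not None]


# Constructed sample messages: benign texts plus operator commands from the
# masked number given in the write-up (a placeholder, not a real sender).
SAMPLE_SMS = [
    ("+15550100", "Running late, see you at 7"),
    ("+447937xxxxxx", "command : [start_sms_forwarding]"),
    ("+447937xxxxxx", "command:[show_message] update required"),
    ("+447937xxxxxx", "command : [self_destruct]"),  # not a documented Pincer command
    ("+15550100", "My command: be on time :)"),
]

if __name__ == "__main__":
    for a in scan_messages(SAMPLE_SMS):
        flag = "known" if a.known else "unknown"
        print(f"{a.sender}: {a.command} ({flag}) {a.argument!r}")
```

An unknown command name still matching the format is worth alerting on, since it may indicate a variant with a larger command set.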

Malware checking whether it is being analyzed in a debugging environment is an old trick in Windows malware, but seeing the same done in Android malware is very rare. The Pincer samples we analyzed try to identify whether they are running in the Android Emulator, one of the most basic tools used for Android malware analysis. The malware tries to match the following:

  • Network Operator = Android
  • Device Id = 000000000000000
  • Line Number = 15555215554
  • Android OS Build Model = sdk and generic

These are the default values for the Android Emulator, so matching them is a reliable way for the malware to identify that it is running inside one. Even though it is possible to change these values, the change is not straightforward to make, which gives the malware enough reason to keep this check in place. We can expect more malware to follow suit and employ this trick in the future.

Dell SonicWALL Gateway AntiVirus provides protection against these threats with the following signatures:

  • GAV: AndroidOS.Pincer.CR (Trojan)
  • GAV: AndroidOS.Pincer.MS (Trojan)

Oracle Java Font Processing Vulnerability (May 31, 2013)

Java is a general-purpose, concurrent, class-based, object-oriented computer programming language that is specifically designed to have as few implementation dependencies as possible. A Java virtual machine (JVM) is a program which executes certain other programs, namely those containing Java bytecode instructions. The JVM bundled together with a set of standard class libraries (that implement the Java API) form the Java Runtime Environment (JRE). The Java Development Kit (JDK) contains a full copy of the JRE, a Java compiler, and many other important development tools.

The most common form of Java used on the web is the Java Applet. Java applets can be used to parse various graphics files located on a remote host. One of the font formats processed by the JRE and JDK is the OpenType Font (OTF) format.

A memory corruption vulnerability exists in Oracle JRE and JDK. Specifically, the vulnerability is due to insufficient validation while handling OpenType Font data. A remote attacker can exploit this vulnerability by enticing a user to visit a webpage which contains a crafted Java applet. Successful exploitation could lead to arbitrary code execution in the security context of the logged-in user.

The vulnerability has been assigned as CVE-2013-1491.

Dell SonicWALL has released IPS signatures to detect and block specific exploitation attempts targeting this vulnerability. The signatures are listed below:

  • 9917 Oracle Java Font Processing Memory Corruption Vulnerability 1
  • 9918 Oracle Java Font Processing Memory Corruption Vulnerability 2
  • 9919 Oracle Java Font Processing Memory Corruption Vulnerability 3

Spam campaign roundup: The Memorial Day Edition (May 24, 2013)

Memorial Day is the day of honoring American soldiers who died serving the country in wars. It is celebrated on the last Monday in May, and this year it falls on the 27th. Consumers also watch out for deep discounts on goods that can yield them big savings during this holiday weekend. Unfortunately, cyber criminals take advantage of such individuals by sending unsolicited advertisements for products and services that often lead to fraud, phishing and even malware.

Over the last week, the Dell SonicWALL threats research team has been tracking Memorial Day related spam emails.

As the Memorial Day weekend approaches, we are receiving an increasing amount of holiday related spam emails. These emails have a common theme of trying to lure consumers to click on the links and provide their personal information in exchange for access to heavily discounted products. The following are some of the most common email subjects:

  • Secret Half Off Memorial -Day Event
  • Access Memorial-Day Prices 6 Days Early
  • Gain Private Access To Memorial Day (half-off) prices
  • Price Rebate On All Cars (Memorial Day Deal)
  • Wow – 90%_off iPads, MacBooks, & more – ends Memorial Day
  • Look fantastic for Memorial Day weekend and shred unwanted fat
  • Memorial Day shopping cash is now available

Some emails purport to come from popular department stores or restaurant chains promising gift cards or coupons that, when clicked, lead to a URL that is not the real merchant’s website but carries the merchant’s branding. The consumer is then asked to enter their personal information and to participate in a number of offers, often costing money in fees or subscriptions, without any guarantee of ever receiving the products and services or the free gift card at the end of the process.


The domain names used in the URLs embedded in the spam emails were just created in the past month and were all registered using a domain privacy service to keep the domain name owner’s personal information from showing up on global Whois lookups.

We urge our users to always be vigilant and cautious with any unsolicited email and to avoid providing any personal information, particularly if you are not certain of the source.

Dell SonicWALL Gateway Antivirus monitors and provides constant protection against such malicious threats.

nginx Server Denial of Service (May 24, 2013)

nginx is an open source web server and a reverse proxy server for HTTP, SMTP, POP3, and IMAP protocols, with a strong focus on high concurrency, performance and low memory usage. nginx implements the HTTP protocol version 1.1 as defined in RFC 2616.

A denial of service vulnerability exists in nginx. Specifically, the vulnerability is due to an input validation error when handling chunked requests or responses from a peer. A remote attacker could exploit this vulnerability by sending a crafted HTTP request or response to the target server. Successful exploitation terminates the process and causes a denial of service condition.
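The kind of validation a chunked-body decoder needs is easier to see in code. The decoder below is an added example, not nginx's code and not derived from the advisory: it checks every chunk-size line (hex digits only, bounded length, bounded value, correct CRLF framing) and raises on malformed input instead of trusting the declared size. MAX_CHUNK_SIZE and MAX_SIZE_LINE are assumed policy limits.

```python
MAX_CHUNK_SIZE = 16 * 1024 * 1024  # assumed upper bound on a single chunk
MAX_SIZE_LINE = 32                 # assumed longest chunk-size line accepted (extension included)
HEX_DIGITS = b"0123456789abcdefABCDEF"


class ChunkedError(ValueError):
    """Raised for any chunked-encoding framing problem instead of acting on bad sizes."""


def decode_chunked(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body strictly. Trailer headers after the
    terminating zero-size chunk are accepted and ignored."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0 or eol - pos > MAX_SIZE_LINE:
            raise ChunkedError("chunk-size line missing or too long")
        # Drop any ";name=value" chunk extension, then insist on plain hex digits.
        size_field = body[pos:eol].split(b";", 1)[0].strip()
        if not size_field or any(c not in HEX_DIGITS for c in size_field):
            raise ChunkedError(f"bad chunk size {size_field!r}")
        size = int(size_field, 16)
        if size > MAX_CHUNK_SIZE:
            raise ChunkedError(f"chunk size {size} exceeds limit")
        pos = eol + 2
        if size == 0:
            return bytes(out)  # last-chunk reached
        # The declared size must actually be present and followed by CRLF.
        if len(body) - pos < size + 2 or body[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkedError("chunk data truncated or missing CRLF")
        out += body[pos:pos + size]
        pos += size + 2


def is_well_formed(body: bytes) -> bool:
    """Convenience wrapper for filtering: True only when decode_chunked accepts the body."""
    try:
        decode_chunked(body)
        return True
    except ChunkedError:
        return False


if __name__ == "__main__":
    # Constructed inputs: one valid body, then malformed size lines of several kinds.
    print(decode_chunked(b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"))
    for bad in (b"ffffffffffffffffffff\r\n", b"-1\r\nx\r\n0\r\n\r\n", b"4\r\nWik\r\n"):
        print(bad[:12], is_well_formed(bad))
```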

Dell SonicWALL has released IPS signatures to detect and block specific exploitation attempts targeting this vulnerability. The signatures are listed below:

  • 3113 Suspicious HTTP Transfer-Encoding Header 1c
  • 4590 Suspicious HTTP Transfer-Encoding Header 1s

Oracle Java Zero-days Found in 2013 (Apr 26, 2013)

Java is a set of several computer software products and specifications from Sun Microsystems (which has since merged with Oracle Corporation), that together provide a system for developing application software and deploying it in a cross-platform computing environment. Java is used in a wide variety of computing platforms from embedded devices and mobile phones on the low end, to enterprise servers and supercomputers on the high end.

In 2013, multiple vulnerabilities have been found in Oracle Java products, and some of them have been used in zero-day attacks. The zero-days found to date in 2013 are listed below:

  • CVE-2013-0422 on Jan 10th, 2013
    This vulnerability covers both the JMX/MBean and Reflection API issues. It has already been integrated into the existing Blackhole Exploit Kit and Nuclear Pack.
  • CVE-2013-1493 on Feb 28th, 2013
    Exploiting this vulnerability triggers an out-of-bounds read or memory corruption.
  • CVE-2013-2423 on April 23rd, 2013
    Exploiting this vulnerability bypasses the Java security sandbox.

Oracle has been working on fixes for these security issues and has released multiple updates, from Java 1.7 Update 9 and 10 through Java 1.7 Update 21, to resolve these vulnerabilities.

The Dell SonicWALL threat team has researched all of these vulnerabilities and released signatures and an advisory addressing the issues:

  • CVE-2013-0422
    GAV: 34662 Exploit.CVE-2013-0422 (Exploit)
    GAV: 34661 Blacole.gen_26 (Exploit)
    GAV: CoolEK.Java.1 (Exploit)

We have also released an advisory for CVE-2013-0422 zero-day attack: New Java 0-day drive-by exploit (Jan 10, 2013).

  • CVE-2013-1493
    GAV: 35877 McRat.B (Trojan)
    GAV: CVE-2013-1493 (Exploit)
    GAV: CVE-2013-1493_2 (Exploit)
    GAV: CVE-2013-1493_3 (Exploit)

  • CVE-2013-2423
    IPS: 9835 “Oracle JRE HotSpot Remote Code Execution 3”
    GAV: 16134 CVE-2013-2423 (Exploit)

Updated on May 23rd by adding coverage of CVE-2013-1493.

DarkKomet Trojan resurfaces in the wild (May 17, 2013)

The Dell SonicWALL Threats Research team has received reports of a Delphi based backdoor Trojan. This Trojan appears to be a version of the DarkKomet Remote Administration Tool (RAT).

Infection Cycle:

Upon execution the Trojan makes the following DNS query, although at the time of analysis the domain was offline:

It then drops the following file on the system:

  • %USERPROFILE%\My Documents\MSDCSC\msdcsc.exe (a copy of itself) [Detected as GAV: DarkKomet.A_2 (Trojan)]

In order to start after reboot the Trojan adds the following keys to the registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run MicroUpdate “%USERPROFILE%\My Documents\MSDCSC\msdcsc.exe”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit “C:\WINDOWS\system32\userinit.exe, %USERPROFILE%\My Documents\MSDCSC\msdcsc.exe”

It then changes the file’s attributes to hide it:

The Trojan monitors the keyboard and records all the actions to a file:

  • %APPDATA%\dclogs\[yyyy-mm-dd-#].dc

Apart from keylogging, further analysis reveals additional features such as launching DDoS attacks, capturing sound, executing and uploading files, and controlling the victim’s webcam.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: DarkKomet.A_2 (Trojan)

Microsoft Security Bulletin Coverage (May 14, 2013)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of May, 2013. A list of issues reported, along with Dell SonicWALL coverage information follows:

MS13-037 Cumulative Security Update for Internet Explorer (2829530)

  • CVE-2013-2551 Internet Explorer Use After Free Vulnerability
    IPS: 9897 “Windows IE VML shape object Memory Corruption”
  • CVE-2013-1313 Internet Explorer Use After Free Vulnerability
    IPS: 9601 “Windows OLE Automation Remote Code Execution 2 (MS13-020)”
    IPS: 9635 “Windows OLE Automation Remote Code Execution 3 (MS13-020)”
    IPS: 9636 “Windows OLE Automation Remote Code Execution 4 (MS13-020)”
  • CVE-2013-1312 Internet Explorer Use After Free Vulnerability
    IPS: 9899 “Windows IE DOM Object Use-After-Free 5”
  • CVE-2013-1311 Internet Explorer Use After Free Vulnerability
    IPS: 9896 “Windows IE DOM Object Use-After-Free 4”
  • CVE-2013-1310 Internet Explorer Use After Free Vulnerability
    IPS: 9895 “Windows IE DOM Object Use-After-Free 3”
  • CVE-2013-1309 Internet Explorer Use After Free Vulnerability
    IPS: 9894 “Windows IE CDispNode Use-After-Free”
  • CVE-2013-1308 Internet Explorer Use After Free Vulnerability
    IPS: 9609 “DOM Object Use-After-Free Attack 3”
  • CVE-2013-1307 Internet Explorer Use After Free Vulnerability
    IPS: 7454 “HTTP Client Shellcode Exploit 35a”
  • CVE-2013-1306 Internet Explorer Use After Free Vulnerability
    IPS: 9900 “Windows IE DOM Object Use-After-Free 6”
  • CVE-2013-1297 JSON Array Information Disclosure Vulnerability
    IPS: 9891 “Windows IE JSON Information Disclosure”
  • CVE-2013-0811 Internet Explorer Use After Free Vulnerability
    Not feasible to detect the vulnerability.

MS13-038 Security Update for Internet Explorer (2847204)

  • CVE-2013-1347 Security Update for Internet Explorer
    IPS: 9470 “DOM Object Use-After-Free Attack 2”
    IPS: 9871 “Obfuscated HTML Code 3a”
    IPS: 9872 “Windows IE DOM Object Use-After-Free 1”
    IPS: 9873 “Windows IE DOM Object Use-After-Free 2”

MS13-039 Vulnerability in HTTP.sys Could Allow Denial of Service (2829254)

  • CVE-2013-1305 HTTP.sys Denial of Service Vulnerability
    IPS: 9893 “Suspicious HTTP Accept-Encoding Header 1”

MS13-040 Vulnerabilities in .NET Framework Could Allow Spoofing (2836440)

  • CVE-2013-1337 Authentication Bypass Vulnerability
    Cannot distinguish between normal and attack traffic.
  • CVE-2013-1336 XML Digital Signature Spoofing Vulnerability
    Cannot distinguish between normal and attack traffic.

MS13-041 Vulnerability in Lync Could Allow Remote Code Execution (2834695)

  • CVE-2013-1302 Lync RCE Vulnerability
    There are no known exploits in the wild.

MS13-042 Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2830397)

  • CVE-2013-1329 Publisher Buffer Underflow Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-1328 Publisher Pointer Handling Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-1327 Publisher Signed Integer Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-1323 Publisher Incorrect NULL Value Handling Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-1322 Publisher Invalid Range Check Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-1321 Publisher Return Value Validation Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-1320 Publisher Buffer Overflow Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-1319 Publisher Return Value Handling Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-1318 Publisher Corrupt Interface Pointer Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-1317 Publisher Integer Overflow Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-1316 Publisher Negative Value Allocation Vulnerability
    There are no known exploits in the wild.

MS13-043 Vulnerability in Microsoft Word Could Allow Remote Code Execution (2830399)

  • CVE-2013-1335 Word Shape Corruption Vulnerability
    There are no known exploits in the wild.

MS13-044 Vulnerability in Microsoft Visio Could Allow Information Disclosure (2834692)

  • CVE-2013-1301 XML External Entities Resolution Vulnerability
    IPS: 9892 “Microsoft Visio Information Disclosure”

MS13-045 Vulnerability in Windows Essentials Could Allow Information Disclosure (2813707)

  • CVE-2013-0096 Windows Essentials Improper URI Handling Vulnerability
    There are no known exploits in the wild.

MS13-046 Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege (2840221)

  • CVE-2013-1334 Win32k Window Handle Vulnerability
    It’s elevation of privilege, not feasible to detect.
  • CVE-2013-1333 Win32k Buffer Overflow Vulnerability
    It’s elevation of privilege, not feasible to detect.
  • CVE-2013-1332 DirectX Graphics Kernel Subsystem Double Fetch Vulnerability
    It’s elevation of privilege, not feasible to detect.

C++ based bot with DDOS and spying capabilities (May 10, 2013)

Dell SonicWALL Threats Research team came across a C++ based bot with DDoS capabilities along with multiple commands to spy on a victim and report its findings back to the Command & Control (C&C) server.

Infection Cycle:

Upon execution the Malware drops the following file on the system:

  • %USERPROFILE%\Application Data\dropped.exe (Copy of itself)

The Malware adds the following keys to the registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\vnet “%USERPROFILE%\Application Data\dropped.exe”

It makes the following changes to the registry in order to bypass firewalls:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zonemap\ProxyBypass = “1”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zonemap\IntranetName = “1”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zonemap\UNCAsIntranet = “1”
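The registry changes described for DarkKomet (Run key and Winlogon Userinit above) and for VertexNet (Run key and the three Zonemap values just listed) can all be checked from a registry export. The script below is an added example, not code from either write-up or from SonicWALL: it parses regedit-style export text and reports autoruns under the user profile, extra Userinit entries, and Zonemap flags set to 1. The .reg sample is constructed from the paths on this page plus one benign entry; in a real export the Zonemap values are typically DWORDs, so both dword and string forms are handled.

```python
import re
from typing import Dict, List, Tuple

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
ZONEMAP_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"   # the only entry Userinit should carry
PROFILE_PREFIXES = ("%userprofile%", "%appdata%")          # user-writable autorun locations
ZONEMAP_FLAGS = ("ProxyBypass", "IntranetName", "UNCAsIntranet")

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a regedit-style export into {key: {value_name: value}}. String values lose
    their quotes and doubled backslashes; dword values become decimal strings."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        km = _KEY_RE.match(line)
        if km:
            current = km.group(1)
            keys.setdefault(current, {})
            continue
        vm = _VALUE_RE.match(line)
        if vm is None or current is None:
            continue
        name, raw = vm.groups()
        if raw.startswith("dword:"):
            keys[current][name] = str(int(raw[len("dword:"):], 16))
        else:
            keys[current][name] = raw.strip('"').replace("\\\\", "\\")
    return keys

def find_persistence(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs for the three patterns the write-ups describe."""
    findings: List[Tuple[str, str]] = []
    # 1. Run-key autoruns pointing into the user profile (legitimate software does this
    #    too, so treat a hit as a triage lead rather than a verdict).
    for name, path in keys.get(RUN_KEY, {}).items():
        if path.lower().startswith(PROFILE_PREFIXES):
            findings.append(("run-key autorun under user profile", f"{name} -> {path}"))
    # 2. Anything appended to Winlogon\Userinit runs at every logon.
    userinit = keys.get(WINLOGON_KEY, {}).get("Userinit", "")
    for entry in (e.strip() for e in userinit.split(",") if e.strip()):
        if entry.lower() != DEFAULT_USERINIT:
            findings.append(("extra Userinit entry", entry))
    # 3. Zonemap flags set to 1, as listed for VertexNet.
    for flag in ZONEMAP_FLAGS:
        if keys.get(ZONEMAP_KEY, {}).get(flag) == "1":
            findings.append(("ZoneMap flag set", f"{flag}=1"))
    return findings

# Constructed export mixing the paths from both write-ups with one benign entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroUpdate"="%USERPROFILE%\\My Documents\\MSDCSC\\msdcsc.exe"
"vnet"="%USERPROFILE%\\Application Data\\dropped.exe"
"Updater"="C:\\Program Files\\Vendor\\updater.exe /quiet"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe, %USERPROFILE%\\My Documents\\MSDCSC\\msdcsc.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"=dword:00000001
"IntranetName"=dword:00000001
"UNCAsIntranet"=dword:00000000
'''

if __name__ == "__main__":
    for finding, detail in find_persistence(parse_reg(SAMPLE_REG)):
        print(f"{finding}: {detail}")
```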

It creates the following mutexes on the system to mark its presence:

  • IESQMMUTEX_0_208
  • VN_MUTEX16

The Malware communicates with the server at www.holoscripter.co-m.mx. One of the parameters used during the communication is ‘adduser’, followed by information about the victim machine; this appears to register the computer on the server as a victim.

The Malware communicates with the C&C server through HTTP where the commands to be executed are present in the response messages. During our analysis we observed the following commands present in the code:

Based on the commands and the following observations, we can infer that this is in fact VertexNet Bot v1.2:

  • The string ‘vertexnet’ is present in the code
  • The version number is present in the code
  • HKNAME in the resource section is vnet
  • One of the mutexes created is named VN_MUTEX16

The functionality of VertexNet indicates that this bot was designed to gather sensitive information about the victim and report it back to the server. It also has DDoS capability, owing to the httpflood command.

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: VertexNet.BT (Trojan)

Mothers Day Spam campaign on the rise (May 9, 2013)

May 12 marks the celebration of Mother’s Day for 2013. As observed with most festivals, spammers are taking advantage of Mother’s Day as a guise to spread Spam. The chart below shows our observations for Mother’s Day related Spam over the last 10 days:

The chart shows a steady rise in Mother’s Day related spam as May 12 approaches. We expect the numbers to go down after May 12.

The following are subjects for a few emails that were observed in high numbers over this time period:

  • Subject: $19.99 Flowers – Don’t Forget Mother’s Day!
  • Subject: Make Mother’s Day unforgettable with fragrant flowers for $19.99!
  • Subject: Special Mother’s Day Offer
  • Subject: Wow, $19.99! That’s right, beautiful Mother’s Day bouquets for $19.99.
  • Subject: Don’t Forget Mother’s Day – $19.99 Flowers

Flowers are one of the most commonly recommended gifts for Mother’s Day, so it is not surprising to see them as a very common subject in most of the spam emails. The following are screenshots of some of the spam emails we saw:


Some of the websites to which users are redirected as part of these campaigns may be legitimate, but most are designed to extract personal information from the user without providing the services the user pays for. Some emails redirect users to completely unrelated websites; for instance, all the links in the email below redirect the user to a website that shows popular search results. There is a high possibility that links in some emails redirect users to malicious websites.

Additionally, we observed that many of the links in these spam emails use the .pw domain extension. Recent findings have pointed to a sudden surge in spam campaigns involving .pw domains, and the same can be seen here. A few of the links we observed during our analysis appear to have been created very recently, which indicates that they may have been registered with the Mother’s Day spam campaign in mind.

We urge our readers to be very careful with such emails and to refrain from providing sensitive personal information to websites you do not trust.

Dell SonicWALL Gateway AntiVirus monitors and provides constant protection against malicious threats. We wish our readers a Happy Mother’s Day.