Microsoft out-of-band Security Advisory for IE 8 (May 4, 2013)

On May 3, 2013, Microsoft released an out-of-band Microsoft Security Advisory (2847140) addressing a vulnerability in IE 8. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. It may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. The vulnerability does not affect other IE versions.

This vulnerability has been assigned CVE-2013-1347.

The Dell SonicWALL Threats Research team researched this vulnerability the same day and created three IPS signatures to detect the attack traffic. The IPS signatures are listed below:

  • 9871 EXPLOIT HTTP Client Shellcode Exploit 77
  • 9872 WEB-CLIENT HTTP Client Suspicious Function Call
  • 9873 WEB-CLIENT HTTP Client Suspicious Function Call 2

For the Microsoft vulnerabilities covered by SonicWALL, please refer to SonicWALL MAPP for details.

Update (May 8, 2013): Microsoft released Fix It information for this issue on May 8, 2013.

Oracle Java TTF File Stack Buffer Overflow (May 3, 2013)

The Java software platform, owned by Oracle, allows developing cross-platform applications. The Java Runtime Environment (JRE) contains the Java Virtual Machine (JVM), libraries and other components, whereas the Java Development Kit (JDK) is a toolkit for developers. Java also allows developers to implement graphics functionality using the Swing or Abstract Window Toolkit (AWT) packages.

A Java applet is Java code that can be embedded in a web page. When a user views the web page in a web browser, the browser downloads the applet, which is then executed in the JVM.

TrueType Font (TTF) is an outline font standard developed by Apple. It is one of the most popular font formats on the Mac OS and Windows platforms. A TTF file is structured as a number of tables that store the data needed to process the font. An application responsible for handling a TTF file must be able to parse these tables.

While handling TTF files, Java parses the tables in the TTF file structure. However, it fails to validate one of the table structures that might be present in a malformed TTF file. This missing check can lead to a stack-based buffer overflow condition.

Remote attackers could exploit this vulnerability by persuading target users to visit a web site that links to a malicious Java applet that parses a malformed TTF file. Successful exploitation can cause a stack-based buffer overflow, which could potentially allow arbitrary code execution in the security context of the logged-in user.

The Dell SonicWALL Threats Research team has released a SPY signature to address this vulnerability. The following signature was released:

  • 3973 Malformed-File class.TL.32

This vulnerability has not been assigned a CVE identifier.

Oracle has released an advisory regarding this issue.

New Russian DDoS botnet discovered (May 1, 2013)

The Dell SonicWALL Threats Research team has discovered a new DDoS Trojan originating from Russia. The sole purpose of this Trojan is to provide its operators with an army of bots that can be used to take websites and services off-line at will.

Infection Cycle:

The Trojan makes the following DNS queries:

  • truth-about-bakhmatuk.com
  • drnona.rv.ua

The Trojan adds the following files to the filesystem:

  • %USERPROFILE%\Local Settings\Application Data\sLT.exf
  • %TEMP%\ifd.exe [Detected as GAV: Delf.QMH_10 (Trojan)]
  • %TEMP%\kdg.exe [Detected as GAV: Delf.QMH_10 (Trojan)]
  • %TEMP%\48df.exe [Detected as GAV: Delf.QMH_10 (Trojan)]
  • %TEMP%\9f7g.exe [Detected as GAV: Polip.gen (Virus)]
  • %TEMP%\mdf8.exe [Detected as GAV: Delf.QMH_10 (Trojan)]
  • %TEMP%\mfg9.exe [Detected as GAV: Delf.QMH_10 (Trojan)]
  • %WINDOWS%\abtse.exe [Detected as GAV: Delf.QMH_10 (Trojan)]
  • %WINDOWS%\botze.exe [Detected as GAV: Delf.QMH_10 (Trojan)]
  • %SYSTEM32%\antivar.exe [Detected as GAV: Delf.QMH_10 (Trojan)]
  • %SYSTEM32%\antogoi.exe [Detected as GAV: Delf.QMH_10 (Trojan)]
  • %SYSTEM32%\dasdt.exe [Detected as GAV: Polip.gen (Virus)]
  • %SYSTEM32%\drivers\svchost.exe [Detected as GAV: Delf.QMH_10 (Trojan)]

In order to start after reboot, it registers itself as a service by adding the following key to the Windows registry:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sytaytytd “%SYSTEM32%\dasdt.exe”

The file sLT.exf contains the following data:

      7r3e6u9v68q9f8ajh49k2dxyem6083ie

The Trojan spawns 6 processes upon execution, 5 of which remain idle.

dasdt.exe reports the infection to a remote C&C server and receives a hostname and port.

The string (7r3e6u9v68q9f8ajh49k2dxyem6083ie) sent in the POST request appears to be random each time it is sent; it is read from sLT.exf. The Trojan then commences its DoS attack by sending UDP packets of varying lengths to the specified hostname and port. The packets contain mostly null bytes. It sends them in a loop with a 1ms sleep between packets.

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Delf.QMH_10 (Trojan)
  • GAV: Polip.gen (Virus)
  • GAV: Neshta.A_16 (Trojan)

Increase in Andromeda botnet spam (April 26, 2013)

The Dell SonicWALL Threats Research team has observed an increase in active spam campaigns involving the Andromeda botnet in the wild. The Trojan arrives in e-mails that masquerade as messages from financial institutions or service providers, with attachments posing as receipts, form notifications or a service invoice, as pictured below:

Andromeda is a highly modular kit that makes it easy for a botnet operator to combine functionalities that will serve their purpose. With a few purchasable plugins, an operator can add proxy capabilities, a rootkit and a form grabber. The following screenshot is an example of an ad we found for the Andromeda loader in a hacker forum; a kit starts at $300:

Infection Cycle:

Upon execution, the Trojan makes the following DNS queries to verify internet connectivity:

  • msftncsi.com
  • update.microsoft.com
  • akamai.net

Once internet connectivity has been verified, it connects and sends data to a remote server:

It then downloads additional files. In this case it downloaded plugins such as r.pack, the rootkit component, and s.pack, the socks4 proxy component.

The Trojan loader copies itself to the following location:

  • %APPDATA%\svchost.exe [Detected as GAV: Androm.EB_2 (Trojan)]

To enable startup after a reboot, it adds the following key to the Windows registry:

  • HKLM\software\microsoft\windows\currentversion\run [sunjavaupdatesched] “%APPDATA%\svchost.exe”

The sample we analyzed uses the IsDebuggerPresent API to detect a debugger and hinder malware analysts from stepping through and understanding its behavior.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Androm.EB_2 (Trojan)
  • GAV: Androm.PSG (Trojan)
  • GAV: Injector.AFKU (Trojan)

Honeywell EBI ActiveX Control Vulnerability (Apr 19, 2013)

The Honeywell HMIWeb Browser provides secure web access to Honeywell building control systems. It is also deployed upon installation of the following software:

  • Honeywell Enterprise Buildings Integrator (EBI)
  • Honeywell SymmetrE
  • Honeywell ComfortPoint Open Manager

A remote code execution vulnerability exists in multiple Honeywell products. The vulnerability is due to exposure of an unsafe method in the HscRemoteDeploy.dll ActiveX control used in Honeywell HMIWeb Browser. A remote attacker can exploit this vulnerability by enticing a user to open a specially crafted webpage using Internet Explorer. Successful exploitation could lead to arbitrary code execution in the security context of the logged-in user. Failed attacks could lead to termination of the browser.

The vulnerability has been assigned CVE-2013-0108.

Dell SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 9789 Honeywell EBI HscRemoteDeploy ActiveX LaunchInstaller Method Invocation

Boston bomb blast video spam – RedKit (April 17, 2013)

The Dell SonicWALL Threats Research team has discovered a new malware spam campaign taking advantage of the recent Boston marathon bomb blast news. The e-mail messages contain a malicious URL that leads to a RedKit Exploit Kit hosting site which serves various exploits eventually infecting the victim machine with multiple malware families.

The spam campaign started late yesterday, April 16, 2013, and is still active at the time of writing this alert. We have captured more than 41,000 copies of e-mails from this spam attack so far, as seen below:

Infection Cycle:

An e-mail arrives using one of the above subjects, pretending to contain a URL to a video of the Boston marathon blast. The message body contains a URL that leads to an HTML page containing six iframes: five of them point to legitimate YouTube videos and the last one points to a malicious RedKit exploit site, as seen below:

If the user clicks the URL inside the e-mail, it opens the following page and triggers the RedKit exploit kit infection cycle.

During our analysis, we saw a malicious JAR applet being served by the RedKit site, which led to the download of a new Tepfer variant. The Tepfer variant further downloads a new P2P Zbot variant and a Ransomware onto the victim machine.

Network requests observed on the victim machine:

It drops the following malicious executables on the victim machine:

  • %Temp%\alifna.exe [Detected as GAV: Zbot.USBV (Trojan)]
  • %Temp%\coppe.exe [Detected as GAV: Zbot.KLRY (Trojan)]
  • %Temp%\temp91.exe [Detected as GAV: Zbot.USBV (Trojan)]

It creates the following key in the Windows registry to persist infection on system reboot:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SonyAgent: “%Temp%\temp91.exe”

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Redkit.BS (Exploit)
  • GAV: Zbot.USBV (Trojan)
  • GAV: Zbot.KLRY (Trojan)

Yet another Delphi Infostealer Trojan (April 12, 2013)

The Dell SonicWALL Threats Research team has discovered a new Delphi based information stealing Trojan. All the dropper samples of this family and the dropped components are Delphi files. The main goal for this multi-component malware is to steal confidential information from the victim computer.

Infection Cycle:

Below is a sample of the DNS queries that the Trojan performed during analysis:

  • searchbestbiz.com
  • l11ll.com
  • handjobheats.com

Upon execution, the dropper downloads the secondary component in an encrypted form and saves it as:

  • %SYSTEM32%\adodbupd.dat [Detected as GAV: EncAgent.HPE (Trojan)]

The dropper and all the subsequently downloaded files contain obfuscated API names to make analysis difficult for researchers. We were able to locate the decryption routine, which revealed the calls made at runtime. This is very similar to the Chinese bot we covered in an earlier SonicALERT, which indicates possible connections between the authors of the two malware families.

The dropper decrypts a portion of the downloaded file in memory. It then creates an explorer.exe process in suspended mode, injects the decrypted file into the suspended explorer.exe process and runs it.

The hijacked explorer process further creates two DLL files:

  • %SYSTEM32%\IUNSYw32.dll
  • %SYSTEM32%\IUNSKw32.dll

It creates a different persistence mechanism for each of these. IUNSYw32.dll is registered as a Winlogon notification package, which receives logon and startup events:

IUNSKw32.dll is registered as the ServiceDll of an svchost-based service named “Intel(R) Management Services”.

Once this service is started it downloads another encrypted file vdocert130327.dat and saves it as:

  • %SYSTEM32%\itusbcore.dat [Detected as GAV: EncAgent.HPE_2 (Trojan)]

The downloaded file is then decrypted in memory and injected into a new svchost.exe process. This final process now acts as an information stealer.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Agent.HPE (Trojan)
  • GAV: Agent.HPE_2 (Trojan)
  • GAV: EncAgent.HPE (Trojan)
  • GAV: EncAgent.HPE_2 (Trojan)

Microsoft Security Bulletin Coverage (Apr 9, 2013)

Dell SonicWALL has analysed and addressed Microsoft’s security advisories for the month of April, 2013. A list of issues reported, along with Dell SonicWALL coverage information follows:

MS13-028 Cumulative Security Update for Internet Explorer (2817183)

  • CVE-2013-1303 Internet Explorer Use After Free Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-1304 Internet Explorer Use After Free Vulnerability
    There are no known exploits in the wild.

MS13-029 Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2828223)

  • CVE-2013-1296 RDP ActiveX Control Remote Code Execution Vulnerability
    IPS: 9810 “Microsoft RDP ActiveX AdvancedSettings Attribute Setting”
    IPS: 9811 “Microsoft RDP ActiveX TransportSettings Attribute Setting”

MS13-030 Vulnerability in SharePoint Could Allow Information Disclosure (2827663)

  • CVE-2013-1290 Incorrect Access Rights Information Disclosure Vulnerability
    This is a configuration issue; attack is not distinguishable.

MS13-031 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2813170)

  • CVE-2013-1284 Kernel Race Condition Vulnerability
    This is a local vulnerability. Detection of attack over the wire is not feasible.
  • CVE-2013-1294 Kernel Race Condition Vulnerability
    This is a local vulnerability. Detection of attack over the wire is not feasible.

MS13-032 Vulnerability in Active Directory Could Lead to Denial of Service (2830914)

  • CVE-2013-1282 Memory Consumption Vulnerability
    There are no known exploits in the wild.

MS13-033 Vulnerability in Windows Client/Server Run-time Subsystem (CSRSS) Could Allow Elevation of Privilege (2820917)

  • CVE-2013-1295 CSRSS Memory Corruption Vulnerability
    This is a local vulnerability. Detection of attack over the wire is not feasible.

MS13-034 Vulnerability in Microsoft Antimalware Client Could Allow Elevation of Privilege (2823482)

  • CVE-2013-0078 Microsoft Antimalware Improper Pathname Vulnerability
    This is a local vulnerability. Detection of attack over the wire is not feasible.

MS13-035 Vulnerability in HTML Sanitization Component Could Allow Elevation of Privilege (2821818)

  • CVE-2013-1289 HTML Sanitization Vulnerability
    IPS: 9817 “HTML Sanitization Vulnerability”

MS13-036 Vulnerabilities in Kernel-Mode Driver Could Allow Elevation Of Privilege (2829996)

  • CVE-2013-1283 Win32k Race Condition Vulnerability
    This is a local vulnerability. Detection of attack over the wire is not feasible.
  • CVE-2013-1291 OpenType Font Parsing Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-1292 Win32k Race Condition Vulnerability
    This is a local vulnerability. Detection of attack over the wire is not feasible.
  • CVE-2013-1293 NTFS NULL Pointer Dereference Vulnerability
    This is a local vulnerability. Detection of attack over the wire is not feasible.

Ransomware uses new trick to make believable threats (April 5th, 2013)

The Dell SonicWALL Threats Research team received reports of a Ransomware that demands the user pay a large sum because the Department of Homeland Security and the FBI have supposedly found illegal content on the system. This may sound like a common trait of Ransomware, but this sample showed a unique characteristic that separates it from others. It receives a list of websites from the server and checks whether the victim has browsed a website from this list. The lockscreen shown to the user highlights the visited website in an effort to make the threat more believable.

Infection Cycle:

Upon execution, the Malware creates a copy of itself and drops it at this location:

  • %USERPROFILE%\Local Settings\Application Data\KBxxxxxxx\KBxxxxxxx.exe (7 random digits)

The following changes are made to the registry to show the lockscreen to the user as soon as the system starts:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\KBxxxxxxx “%USERPROFILE%\Local Settings\Application Data\KBxxxxxxx\KBxxxxxxx.exe”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KBxxxxxxx “%USERPROFILE%\Local Settings\Application Data\KBxxxxxxx\KBxxxxxxx.exe”

Run keys are not executed in Safe Mode by default, so the Malware also modifies the Winlogon Shell value in an attempt to be loaded even in Safe Mode:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell “Explorer.exe, "%USERPROFILE%\Local Settings\Application Data\KBxxxxxxx\KBxxxxxxx.exe"”

It allows websites to execute content such as ActiveX, Java or other binaries, and it disables the built-in popup blocker, by modifying the following registry keys:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2300 “00000000”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1206 “00000000”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1809 “00000003”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2300 “00000000”

To make removal even more difficult, it disables the Task manager and the Registry editor:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr “00000001”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools “00000001”
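An added example, not part of the original alert, that turns the registry changes listed above into a host audit over a registry snapshot. The snapshot is constructed (a dict of key\value to data, not a real export), KB1234567 stands in for the seven random digits, and the zone and policy values are the ones the alert lists; the script flags them without interpreting what each zone number means.

```python
import re
from typing import Dict, List

# Constructed registry snapshot ({key\value: data}) modelled on the changes the
# alert lists; KB1234567 stands in for the seven random digits.
HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
DROPPER = r"%USERPROFILE%\Local Settings\Application Data\KB1234567\KB1234567.exe"
INFECTED_SNAPSHOT: Dict[str, str] = {
    HKCU + r"\Run\KB1234567": DROPPER,
    HKCU + r"\Policies\Explorer\Run\KB1234567": DROPPER,
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell":
        'Explorer.exe, "' + DROPPER + '"',
    HKCU + r"\Internet Settings\Zones\3\1809": "00000003",
    HKCU + r"\Policies\System\DisableTaskMgr": "00000001",
    HKCU + r"\Policies\System\DisableRegistryTools": "00000001",
}
# A clean machine: the default shell and the popup blocker setting left alone.
CLEAN_SNAPSHOT: Dict[str, str] = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell": "explorer.exe",
    HKCU + r"\Internet Settings\Zones\3\1809": "00000000",
}

RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\policies\\explorer\\run\\")
KB_DROPPER = re.compile(r"\\KB\d{7}\\KB\d{7}\.exe$", re.IGNORECASE)
# Zone settings and data values exactly as the alert lists them (lowercased).
ZONE_TAMPERING = {
    r"\zones\1\2300": "00000000", r"\zones\3\1206": "00000000",
    r"\zones\3\1809": "00000003", r"\zones\3\2300": "00000000",
}
DISABLED_TOOLS = (r"\disabletaskmgr", r"\disableregistrytools")


def audit_registry(snapshot: Dict[str, str]) -> List[str]:
    """Return one finding per registry value that matches the alert's persistence,
    Safe Mode, IE zone or tool-disabling changes. Paths compare case-insensitively."""
    findings: List[str] = []
    for path, data in snapshot.items():
        low = path.lower()
        if low.endswith(r"\winlogon\shell"):
            # Anything beyond the bare "explorer.exe" is a chained second shell.
            if data.strip().lower() != "explorer.exe":
                findings.append(f"Winlogon Shell chains an extra program: {data}")
        elif any(k in low for k in RUN_KEYS) and KB_DROPPER.search(data):
            findings.append(f"Run entry points to KB-named dropper: {path}")
        elif low.endswith(DISABLED_TOOLS) and data.lstrip("0") == "1":
            findings.append(f"Admin tool disabled by policy: {path}")
        else:
            for suffix, bad in ZONE_TAMPERING.items():
                if low.endswith(suffix) and data == bad:
                    findings.append(f"IE zone setting weakened: {path} = {data}")
    return findings
```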

The Ransomware searches for and disables AV solutions on the victim system. During our analysis we observed that it tried to disable the following:

  • Bullguard
  • Comodo
  • Dr.Web
  • TrustPoint

The communication between Ransomware and the server can be summarized as follows:

  • Informs the server about the infection on a machine using a Unique Identification for every machine
  • Gets a list of explicit websites
  • Sends the user’s Computer Name that would be used as part of the lockscreen
  • Checks if the user’s browser history has any website that matches the URLs from the list
  • Renders the lockscreen on the user’s system, highlighting the website that matched the list
  • During our analysis no website was mentioned on the lockscreen message if no URL from our computer’s browser history was found matching any of the websites from its list.

This can be seen as a new trick employed by Ransomware to make the threat more believable to the victim. Most Ransomware displays a lockscreen with a generic message, but pointing to a specific website visited by the user may convince them that the threat is real.

We expect similar customizations to be adopted by other Ransomware families in the near future.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Kovter.A (Trojan)

Squid Accept-Language Value DoS (April 5th, 2013)

The Squid Proxy server is an open source internet proxy and web caching application. It is used to speed up web servers by caching web pages and other network resources. Squid supports numerous network protocols and primarily runs on Unix-based systems as an HTTP proxy. The HTTP protocol structure consists of an HTTP request line, HTTP headers, and optional HTTP data. Headers are lines of human-readable text immediately following the HTTP request line. Headers are colon-separated name-value pairs terminated by the end-of-line character sequence ‘\r\n’. The last header line is denoted by two such sequences. An example is shown:

 Content-Type: text/html\r\n
 Content-Length: 123\r\n
 \r\n
 [optional request data]

One possible request header is the Accept-Language header, which indicates the set of natural languages accepted by the client. An example is shown:

 Accept-Language: en-US,en;q=0.8 

Each language can be given an associated quality value q, which represents an estimate of the client’s preference for the languages specified by the range. The expected default value for this field is “q=1”.

A denial-of-service vulnerability exists in the Squid Proxy server during processing of malformed Accept-Language header values. The vulnerability is due to a design weakness during error page generation. When the affected header is present in the request, the vulnerable code does not account for all possible erroneous conditions when processing the value. If the value starts with the comma character, an internal memory pointer is thrown off track, which causes the code to enter an infinite loop. Remote attackers can exploit this vulnerability by sending specially crafted, malicious HTTP requests to the target server. Successful exploitation of this vulnerability will result in a denial-of-service condition of the proxy server.
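The header and Accept-Language handling described above, as an added example that is not Squid's code and not part of the original alert: a parser that tolerates the leading-comma value (and any other empty list item) without looping, plus a check that flags that value shape on incoming requests. The sample requests are constructed and proxy.example is a placeholder host.

```python
from typing import Dict, List, Tuple

CRLF = "\r\n"

def parse_headers(raw_request: str) -> Dict[str, str]:
    """Split the head of an HTTP request into {lowercased name: value}.
    The request line is skipped and anything after the blank line is ignored."""
    head, _, _body = raw_request.partition(CRLF + CRLF)
    headers: Dict[str, str] = {}
    for line in head.split(CRLF)[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip():
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_accept_language(value: str) -> List[Tuple[str, float]]:
    """Return (language-range, q) pairs, q defaulting to 1.0.
    The loop walks the finite list of comma-separated items, so an empty item
    (leading comma, ',,' or trailing comma) is skipped rather than leaving a
    cursor stuck in place: the parser terminates on any input."""
    pairs: List[Tuple[str, float]] = []
    for item in value.split(","):
        lang, _, params = item.strip().partition(";")
        lang = lang.strip()
        if not lang:
            continue
        q = 1.0
        for param in params.split(";"):
            key, _, val = param.strip().partition("=")
            if key.strip().lower() == "q":
                try:
                    q = float(val.strip())
                except ValueError:
                    q = 0.0  # unparsable q-value: treat as "not acceptable"
        pairs.append((lang, max(0.0, min(1.0, q))))
    return pairs

def accept_language_starts_with_comma(value: str) -> bool:
    """The malformed shape the advisory describes: first non-blank char is a comma.
    A gateway rule can drop such requests before they reach an unpatched proxy."""
    return value.lstrip().startswith(",")

def audit_request(raw_request: str) -> Tuple[List[Tuple[str, float]], bool]:
    """Parse one request; return its language preferences and whether the
    Accept-Language value has the malformed leading-comma shape."""
    headers = parse_headers(raw_request)
    value = headers.get("accept-language", "")
    return parse_accept_language(value), accept_language_starts_with_comma(value)

# Constructed sample requests (not captured traffic); proxy.example is a placeholder.
NORMAL_REQUEST = CRLF.join([
    "GET /index.html HTTP/1.1",
    "Host: proxy.example",
    "Accept-Language: en-US,en;q=0.8",
    "", "",
])
MALFORMED_REQUEST = CRLF.join([
    "GET /index.html HTTP/1.1",
    "Host: proxy.example",
    "Accept-Language: ,en",
    "", "",
])
```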

Dell SonicWALL has released the following IPS signature to address this issue:

  • 9798 – Squid strHdrAcptLangGetItem DoS

The vulnerability has been assigned CVE-2013-1839 by MITRE.
The vendor has released an advisory to address this issue.