Bank of America CashPro customers targeted by Tepfer variant (Feb 25, 2013)

The Dell SonicWALL UTM Research team received reports of a new variant of the Tepfer Trojan. The Trojan arrives through an email purporting to be from Bank of America CashPro Online, which asks the user to replace their digital certificate with one provided in the malicious attachment. The Trojan also downloads and executes various other malware, such as Zeus, during the infection process. Another variant of this malware was covered recently in a previous SonicAlert.

Infection Cycle:

The email has an attachment with a zip file containing the Trojan executable:

The executable file in the attachment uses the following icon:

The Trojan performs the following DNS queries:

  • blog.ritual.ca
  • ftp.tecnoazar.com.ar
  • preservationsolutionsplus.com
  • omarpage.com
  • www.google.com
  • ceregypt.com
  • cuatrofm.es
  • two.really-good-books.com
  • three.shell4pets.com
  • dontgetcaught.ca

The Trojan adds the following files to the filesystem:

  • %USERPROFILE%\qyzozcewagje.exe [Detected as GAV: Pushdo.PKQ (Trojan)]
  • %APPDATA%\Aqripa\zyykej.exe [Detected as GAV: Sality.AM.gen (Virus)]
  • %APPDATA%\Aqripa\9trZaHw9.exe [Detected as GAV: Sality.AM.gen (Virus)]
  • %APPDATA%\Aqripa\aL5DZn.exe [Detected as GAV: ZBot.EB_4 (Trojan)]
  • %APPDATA%\Aqripa\4PsxF.exe (empty file)
  • %TEMP%\tmp0c9b3e81\5365.exe (empty file)
  • %TEMP%\tmpa6dcb566\load50.exe [Detected as GAV: Kryptik.AUWV_2 (Trojan)]
  • %TEMP%\tmpd5e04e47\a3.exe [Detected as GAV: Pushdo.PKQ (Trojan)]

The Trojan adds the following keys to the Windows registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Fuith 2a33b827 "bAkSC4m6SY/fyYlkHb0="
  • HKEY_CURRENT_USER\Software\Microsoft\Fuith 25bd6f75 "Xwl9Cw=="
  • HKEY_CURRENT_USER\Software\Microsoft\Fuith 6e9ddg5 "1l99C9j3KI+5ybtk"
  • HKEY_CURRENT_USER\Software\Microsoft\Fuith 1h1ci1jg hex:0e,09,7d,0b,3f,df,0d,de,7f,7d,93,dc,19,eb,4f, …
  • HKEY_CURRENT_USER\Software\Microsoft\Fuith 2c6dd9ac "Dgl9C++6KI+
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run {C05E9BBE-21ED-AD41-CB90-673CEB12442E} "%APPDATA%\Aqripa\zyykej.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run qyzozcewagje "%USERPROFILE%\qyzozcewagje.exe"
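As an added example (not part of this alert or of SonicWALL's analysis), the small Python audit below checks autostart entries for the traits the two Run values above share: a program under a user-writable root such as %APPDATA% or %USERPROFILE%, a file name that is one of this alert's indicators, and a value name that is a bare GUID. The RUN_KEYS and USER_WRITABLE_ROOTS constants are standard Windows locations; the sample entries are constructed, with the two malicious ones copied from the list above and the benign ones made up for contrast.

```python
import re

# Autostart keys consulted at logon (standard Windows locations, not page-specific).
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)

# Expandable roots a user can write to; legitimate autostart entries rarely live there.
USER_WRITABLE_ROOTS = ("%APPDATA%", "%USERPROFILE%", "%TEMP%", "%LOCALAPPDATA%")

# File names taken from the indicators listed in this alert (lower-cased for comparison).
KNOWN_BAD_FILES = {"qyzozcewagje.exe", "zyykej.exe", "9trzahw9.exe", "al5dzn.exe"}

# A value name that is nothing but a braced GUID, as in the first Run entry above.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def executable_path(data: str) -> str:
    """Pull the program path out of a Run value: the quoted part, else the first token."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', data)
    return (m.group(1) or m.group(2)) if m else data.strip()


def audit_run_entry(key: str, value_name: str, data: str) -> list:
    """Return the reasons an autostart entry deserves a look (empty list = nothing found)."""
    reasons = []
    if key.lower() not in {k.lower() for k in RUN_KEYS}:
        return reasons                      # only Run keys are audited here
    path = executable_path(data)
    filename = path.replace("/", "\\").rsplit("\\", 1)[-1]
    if path.upper().startswith(USER_WRITABLE_ROOTS):
        reasons.append("executable lives under a user-writable root")
    if filename.lower() in KNOWN_BAD_FILES:
        reasons.append("file name %s is an indicator from this alert" % filename)
    if GUID_RE.match(value_name):
        reasons.append("value name is a bare GUID")
    return reasons


def audit_entries(entries) -> dict:
    """Map each flagged (key, value name) to its reasons; clean entries are omitted."""
    findings = {}
    for key, value_name, data in entries:
        reasons = audit_run_entry(key, value_name, data)
        if reasons:
            findings[(key, value_name)] = reasons
    return findings


# Constructed sample: the two Run entries from this alert plus three entries made up
# for contrast (two benign-looking autostarts and one non-Run key that is ignored).
SAMPLE_ENTRIES = [
    (RUN_KEYS[0], "{C05E9BBE-21ED-AD41-CB90-673CEB12442E}", r'"%APPDATA%\Aqripa\zyykej.exe"'),
    (RUN_KEYS[0], "qyzozcewagje", r'"%USERPROFILE%\qyzozcewagje.exe"'),
    (RUN_KEYS[1], "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    (RUN_KEYS[0], "OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Fuith", "2a33b827", "bAkSC4m6SY/fyYlkHb0="),
]

if __name__ == "__main__":
    for (key, name), reasons in audit_entries(SAMPLE_ENTRIES).items():
        print(key, name, "->", "; ".join(reasons))
```

The user-writable-root test is the one that generalises beyond this sample: both of this alert's persistence entries point into a profile directory, which a normal installer-placed autostart almost never does.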

The Trojan injects code into the currently running instance of explorer.exe and exits:

The injected code causes explorer to download and run the following malicious executable files:

The Trojan was observed sending the following encrypted information to a remote webserver:

The code that is injected into explorer.exe contains the following data referencing various banking URLs:

      !https://*.lphbs.com/*
      @https://*.onlineaccess*AccountOverview.aspx
      @https://www.mercantilcbonline.com/secure/banking/protected/gridcard/*
      @https://bancopostaimpresaonline.poste.it/bpiol/lastFortyMovementsBalance.do?method=loadLastFortyMovementList
      @https://www3.csebo.it/*
      @https://qweb.quercia.com/*
      @https://www.sparkasse.it/*
      @https://dbonline.deutsche-bank.it/*
      @https://*.cedacri.it/*
      @https://www.bancagenerali.it/*
      @https://www.csebo.it/*
      @https://*.deutsche-bank.it/*
      @https://hbclassic.bpergroup.net/*/login
      @https://nowbankingpiccoleimprese*
      @https://www.inbiz.intesasanpaolo.com/*
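The list above is a wildcard URL list: a prefix character ('!' or '@', whose meaning the alert does not explain) followed by a URL in which '*' matches any run of characters. As an added example that is not part of this alert, the Python below parses such a block, turns each wildcard into an anchored regular expression, reports which patterns match a given URL, and answers the defender's question of whether any of a given set of hostnames falls under a pattern. The prefix is kept as an opaque flag; the test URLs and hostnames are constructed.

```python
import re

# Pattern block as it appears in the injected code: a one-character prefix ('!' or '@',
# kept here as an opaque flag because the alert does not state its meaning) followed by
# a URL in which '*' stands for any run of characters.
PATTERN_BLOCK = """\
!https://*.lphbs.com/*
@https://*.onlineaccess*AccountOverview.aspx
@https://www.mercantilcbonline.com/secure/banking/protected/gridcard/*
@https://bancopostaimpresaonline.poste.it/bpiol/lastFortyMovementsBalance.do?method=loadLastFortyMovementList
@https://www3.csebo.it/*
@https://qweb.quercia.com/*
@https://www.sparkasse.it/*
@https://dbonline.deutsche-bank.it/*
@https://*.cedacri.it/*
@https://www.bancagenerali.it/*
@https://www.csebo.it/*
@https://*.deutsche-bank.it/*
@https://hbclassic.bpergroup.net/*/login
@https://nowbankingpiccoleimprese*
@https://www.inbiz.intesasanpaolo.com/*
"""


def parse_patterns(text: str) -> list:
    """Split the block into (flag, wildcard) pairs; blank lines are ignored."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line[0] in "!@":
            pairs.append((line[0], line[1:]))
        else:
            pairs.append(("", line))
    return pairs


def wildcard_to_regex(wildcard: str):
    """Compile a '*'-wildcard into an anchored, case-insensitive regex; all else is literal."""
    body = ".*".join(re.escape(part) for part in wildcard.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE)


def matching_patterns(url: str, patterns: list) -> list:
    """Return every (flag, wildcard) pair whose wildcard matches the full URL."""
    return [(flag, wc) for flag, wc in patterns if wildcard_to_regex(wc).match(url)]


def targeted_hosts(hostnames, patterns: list) -> set:
    """Defender's check: which of our hostnames does any pattern's host part cover?
    The host part is taken as the text between '://' and the first '/'."""
    hits = set()
    for _flag, wc in patterns:
        host_wc = wc.split("://", 1)[-1].split("/", 1)[0]
        host_rx = wildcard_to_regex(host_wc)
        hits.update(h for h in hostnames if host_rx.match(h))
    return hits


PATTERNS = parse_patterns(PATTERN_BLOCK)

if __name__ == "__main__":
    # Constructed test URLs and hostnames, not observed traffic.
    for url in ("https://www3.csebo.it/login", "https://hbclassic.bpergroup.net/portal/login"):
        print(url, "->", matching_patterns(url, PATTERNS))
    print(targeted_hosts({"www.csebo.it", "sub.cedacri.it", "www.example.com"}, PATTERNS))
```

Note that the pattern hbclassic.bpergroup.net/*/login requires at least one path component before /login, so the bare /login page is not covered; such details are easy to misjudge by eye, which is why a matcher is worth running over a list like this.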

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Tepfer.EB_2 (Trojan)
  • GAV: Pushdo.PKQ (Trojan)
  • GAV: Sality.AM.gen (Virus)
  • GAV: Kryptik.AUWV_2 (Trojan)
  • GAV: ZBot.EB_4 (Trojan)

Nagios Remote Command Execution (Feb 22, 2013)

Nagios is an open source monitoring system that enables organizations to identify and resolve IT infrastructure problems. Nagios can monitor computer systems, applications, services and business processes, and send alerts when they are not functioning properly. Nagios XI is a paid version of Nagios which offers greater functionality and performance.

A command injection vulnerability exists in one of the tools provided in Nagios XI — the Autodiscovery tool. Specifically, the vulnerability is due to a lack of sanitization of the newjob and editjob commands received by Autodiscovery. A remote attacker could exploit this vulnerability by sending crafted HTTP requests to the Nagios XI server. Successful exploitation allows the attacker to execute arbitrary shell commands in the context of the Nagios service.

Dell SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 9664 Nagios Autodiscovery Remote Command Execution

SuperClean Android Malware that can infect your PC (Feb 21, 2013)

Dell SonicWALL Threats Research Team received reports of the SuperClean Android malware, which can execute a host of commands once it infects the device, but this malware has a more sinister purpose that makes it unique. It is one of the first of its kind with the capability to infect a Windows machine when the infected mobile device is connected to it via USB. The malware on the phone downloads and drops a different malware on the Windows machine and infects it, effectively turning the phone into a malware dropper. Additionally, both pieces of malware have a large arsenal of commands which they can receive from the Command & Control (C&C) server and execute.

Infection Cycle

The malware disguises itself as a ‘useful’ app and has been reported to be present on Google Play in the past under the name ‘Superclean’, made by Smart.Apps. Strangely enough, it received good reviews for the time it was available for download. The app claims to clean up the system and make the device run faster; there is an abundance of such cleaner apps on Google Play, which indicates a cleverly chosen disguise.

In the intended scenario, the first stage of infection is the malicious app being installed on the user's mobile device through Google Play. The second stage is the user connecting the infected mobile device to his home or business computer, at which point new malware is dropped on the connected machine, infecting it. During installation the following permissions are requested:

  • Receive_Boot_Completed
  • Internet
  • Read_SMS
  • Receive_SMS
  • Send_SMS
  • Write_SMS
  • Call_Phone
  • Get_Accounts
  • Access_Wifi_State
  • Change_Wifi_State
  • Access_Network_State
  • Reboot
  • Read_Contacts
  • Kill_Background_Processes
  • Write_External_Storage
  • Read_Phone_State
  • Access_Fine_Location

The fact that a simple memory cleaner requires permissions to read contacts, access location and SMS should raise suspicion in the minds of users before granting these permissions. Upon installation the app appears in the App drawer as:

screenshot

When the app is clicked the user sees the following screen:

screenshot

This indicates that memory has been optimized to improve the phone's performance, but in reality the app just lists the processes currently active on the device and simply restarts them. The app then tries to connect to claco.kicks-ass.net and announces the successful installation on a device. The announcement has the following format:

|NEW_HELLOW| app version + Google account registered to the device + port|/NEW_HELLOW/|

The attacker can now execute a host of commands on the device through this malware. We found the malware to be equipped with nearly 25 different commands; a few of the more intrusive ones are listed below:

  • get_packages – Get a list of installed packages on the device
  • wifi – Toggle WiFi on or off
  • get_sms – Retrieve all SMS messages on the device and forward them to the attacker
  • ringer – Set the ringer to ‘normal’ or ‘silent’
  • get_pics – Retrieve all pictures on the device and forward to the attacker
  • get_contacts – Retrieve all contacts on the device and forward to the attacker
  • forward – Enable call forwarding to a number specified by the attacker
  • start_track and stop_track – Track the location of the device via GPS
  • device – Reboot the device

The command and functionality that distinguishes this malware from other Android malware is usb_autorun_attack. Upon receiving this command the malware tries to download three files from claco.hopto.org:

screenshot

These three files are stored on /mnt/sdcard/ of the device. Android users connect their phones to computers for many reasons, the primary one being transferring media files such as photos, music and movies between phone and computer. When the mobile device is connected to the computer in USB drive emulation mode, svchosts.exe is automatically executed on the computer via autorun.inf, provided the AutoRun feature is enabled on the machine.

The dropped executable svchosts.exe [detected as GAV: MSIL.RCD (Trojan)] is capable of receiving and executing commands from the C&C. Upon execution it drops the following file on the system:

  • %WINDOWS%\system32\svchost.exe (copy of itself)

It makes the following change to the registry to ensure that it runs each time the machine starts:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "%WINDOWS%\system32\svchost.exe"

It makes the following changes to the registry in order to bypass firewalls:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass="1"
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName="1"
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet="1"

Once executed, this malware announces its presence to the same server using almost the same format:

|NEW_HELLOW| username + machine name + port + build |/NEW_HELLOW/|
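Both beacons, the phone's (app version, account, port) and the PC's (username, machine name, port, build), share the |NEW_HELLOW| ... |/NEW_HELLOW/| framing and differ only in field count. As an added example that is not part of this alert, the Python below pulls framed beacons out of a captured byte stream, labels each by field count, and also notes which of the Windows command tokens listed further down appear in the stream. The single '|' field separator and the sample stream are assumptions made for illustration; the alert only names the fields.

```python
import re

# Beacon framing shared by both components of this campaign, per the alert.
BEACON_RE = re.compile(rb"\|NEW_HELLOW\|(.*?)\|/NEW_HELLOW/\|", re.DOTALL)

# Command tokens of the Windows component named in the alert, used as plain content matches.
COMMAND_TOKENS = (b"|GET_DRIVES|", b"|GET_FILES|", b"|_EXE_CUTE_|", b"|CR_ACCOUNT|",
                  b"|SCREEN_CAP|", b"|FIREFOXDAT|", b"|CHROMEDATA|",
                  b"|RECORD_STR|", b"|RECORD_STP|")

# Assumed field separator inside the beacon body; the alert only lists the fields.
FIELD_SEP = "|"


def extract_beacons(data: bytes) -> list:
    """Return the body of every framed beacon found in a byte stream."""
    return [m.group(1).decode("utf-8", "replace") for m in BEACON_RE.finditer(data)]


def classify_beacon(body: str) -> tuple:
    """Label a beacon by its field count: 3 fields = Android, 4 fields = Windows."""
    fields = body.split(FIELD_SEP)
    if len(fields) == 3:
        return "android", dict(zip(("app_version", "account", "port"), fields))
    if len(fields) == 4:
        return "windows", dict(zip(("username", "machine", "port", "build"), fields))
    return "unknown", {"raw": body}


def scan_stream(data: bytes) -> dict:
    """Summarise one captured stream: classified beacons plus any command tokens seen."""
    return {
        "beacons": [classify_beacon(b) for b in extract_beacons(data)],
        "commands": [t.decode() for t in COMMAND_TOKENS if t in data],
    }


# Constructed sample stream (not a real capture): one Android beacon, one Windows beacon,
# two command tokens, and unrelated filler in between.
SAMPLE_STREAM = (
    b"GET /x HTTP/1.1\r\n\r\n"
    b"|NEW_HELLOW|1.3|victim@example.com|1337|/NEW_HELLOW/|"
    b"...filler..."
    b"|NEW_HELLOW|alice|DESKTOP-01|1337|win7|/NEW_HELLOW/|"
    b"|SCREEN_CAP||RECORD_STR|"
)

if __name__ == "__main__":
    print(scan_stream(SAMPLE_STREAM))
```

The framing markers are the stable part of the format and make the better signature; the field contents vary per victim, and the separator is a guess, so classification by field count is deliberately kept separate from extraction.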

This malware, like the Android malware that downloaded it, is capable of executing a number of commands on infected machines. Again we list a few commands from the entire roster of around 36 commands coded into the executable:

  • |GET_DRIVES| – Get information about all the drives on the system
  • |GET_FILES| – Get specified files from the system
  • |_EXE_CUTE_| – Execute a specific command on the system
  • |CR_ACCOUNT| – Create a user account on the system
  • |SCREEN_CAP| – Take a screenshot of the Desktop
  • |FIREFOXDAT| & |CHROMEDATA| – Get user data saved by these browsers on the system
  • |RECORD_STR| & |RECORD_STP| – Record from the microphone of the users system

The information collected by both pieces of malware is sent to the attacker over FTP to claco.hopto.org. We observed that a good chunk of the Windows malware consists of modules from NAudio, an open source audio library. These modules serve the malware's recording functionality.

screenshot

As we saw, both pieces of malware involved here have significant capabilities to gather sensitive information about the user through his phone as well as his computer, exposing a wealth of information to the attacker.

Dell SonicWALL Gateway AntiVirus provides protection against these threats with the following signatures:

  • GAV: AndroidOS.Sucl.A (Trojan)
  • GAV: AndroidOS.Sucl.A_2 (Trojan)
  • GAV: AndroidOS.Sucl.A_3 (Trojan)
  • GAV: MSIL.RCD (Trojan)

    WE ARE INTERESTED IN YOUR PRODUCTS (Feb 14, 2013)

    Dell SonicWALL Threats Research team discovered an instance of an e-mail based attack that was flagged by our e-mail security service. The e-mail pretends to be from a potential international customer inquiring about product prices and delivery times. We have seen this e-mail theme used before in 419 scams, but in this case the e-mail contained a malicious attachment, with minor modifications to the message body.

    The E-mail involved in this campaign looks like below:

    screenshot

    The attached archive contains a malicious executable, donkumasi.exe, with an icon disguised to look like a legitimate document file, as seen below:

    screenshot

    This is an Infostealer bot which is written in C#.net and has the capability to propagate via Instant Messengers and Removable media.

    Infection cycle

    Upon execution the malware performs the following activity on the victim machine:

    • It decrypts and loads a Dynamic Link Library file which is embedded in its resource section. This DLL contains the functions utilized by this malware to steal information and propagate.
    • It creates a mutex DYRB to ensure that only a single instance of the bot is running on the victim machine.
    • It installs a hook to log user keystrokes and also takes screenshots of the user desktop.
    • The malware mines the victim machine for sensitive information and stores the data it collects at the following location:
      • %Appdata%\Microsoft\Backups
      • %Appdata%\Microsoft\Credentials
      • %AppData%\Microsoft
    • It is capable of stealing user account credentials and account setting information for multiple applications as defined by the author.
    • It is also capable of disabling notable Windows features like:
      • Task Manager
      • Registry Editor
      • System Restore
      • Control Panel & Folder Options
      • Command Prompt
      • UAC
    • It also sends an e-mail confirmation message containing sensitive system information to report successful infection. The hardcoded e-mail address belonged to Gmail and we have reported it to the Google Security team.
    • It is capable of spreading across systems via:
      • Skype
      • MSN Messenger
      • Yahoo Messenger
      • Removable drives

    During our analysis, we discovered that the malware executable that was part of the e-mail attachment was being sold as Limitless Logger on the underground hacking forums. The latest version of this logger is v8.0.2 and it was released last week on Feb 8, 2013. Below are some of the screenshots taken from the underground forums showing the complete feature list, pricing, and author’s post.

    screenshot

    screenshot

    screenshot

    Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

    • GAV: Agent.SKP (Worm)

    Microsoft Security Bulletin Coverage (Feb 12, 2013)

    Dell SonicWALL has analysed and addressed Microsoft’s security advisories for the month of February, 2013. A list of issues reported, along with Dell SonicWALL coverage information follows:

    MS13-009 Cumulative Security Update for Internet Explorer

    • CVE-2013-0015 Shift JIS Character Encoding Vulnerability
      IPS:9603 – Windows IE SJIS XSS
    • CVE-2013-0018 Internet Explorer SetCapture Use After Free Vulnerability
      IPS:9606 – Windows IE setCapture Use-After-Free
    • CVE-2013-0019 Internet Explorer COmWindowProxy Use After Free Vulnerability
      IPS:9607 – Windows IE comWindowProxy Use-After-Free
    • CVE-2013-0020 Internet Explorer CMarkup Use After Free Vulnerability
      IPS:9608 – Windows IE CDATA Use-After-Free
    • CVE-2013-0021 Internet Explorer vtable Use After Free Vulnerability
      IPS:9611 – Windows IE vtable Use-After-Free
    • CVE-2013-0022 Internet Explorer LsGetTrailInfo Use After Free Vulnerability
      IPS:9613 – Windows IE lsGetTrailInfo Use-After-Free
    • CVE-2013-0023 Internet Explorer CDispNode Use After Free Vulnerability
      Detection of attack over the wire is not feasible.
    • CVE-2013-0024 Internet Explorer pasteHTML Use After Free Vulnerability
      IPS:9614 – Internet Explorer pasteHTML Use After Free Vulnerability
    • CVE-2013-0025 Internet Explorer SLayoutRun Use After Free Vulnerability
      IPS:9612 – Microsoft IE SLayoutRun Use After Free Exploit
    • CVE-2013-0026 Internet Explorer InsertElement Use After Free Vulnerability
      IPS:9610 – Internet Explorer InsertElement Use After Free Vulnerability
    • CVE-2013-0027 Internet Explorer CPasteCommand Use After Free Vulnerability
      IPS:9609 – HTTP Client Shellcode Exploit 76
    • CVE-2013-0028 Internet Explorer CObjectElement Use After Free Vulnerability
      IPS:9605 – Microsoft IE CObjectElement Use After Free Exploit
    • CVE-2013-0029 Internet Explorer CHTML Use After Free Vulnerability
      IPS:9604 – Microsoft IE VML Memory Corruption Exploit

    MS13-010 Vulnerability in Vector Markup Language Could Allow Remote Code Execution

    • CVE-2013-0030 VML Memory Corruption Vulnerability
      IPS:9602 – Windows IE VML Memory Corruption Exploit

    MS13-011 Vulnerability in Media Decompression Could Allow Remote Code Execution

    • CVE-2013-0077 Media Decompression Vulnerability
      There are no known exploits in the wild.

    MS13-012 Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution

    • CVE-2013-0393 Oracle Outside In Contains Multiple Exploitable Vulnerabilities
      IPS:9555 – Oracle Outside in DB Handling DoS
    • CVE-2013-0418 Oracle Outside In Contains Multiple Exploitable Vulnerabilities
      Malformed.cdr.TL.4

    MS13-013 Vulnerabilities in FAST Search Server 2010 for SharePoint Parsing Could Allow Remote Code Execution

    • CVE-2013-3214 Oracle Outside In Contains Multiple Exploitable Vulnerabilities
      There are no known exploits in the wild.
    • CVE-2013-3217 Oracle Outside In Contains Multiple Exploitable Vulnerabilities
      There are no known exploits in the wild.

    MS13-014 Vulnerability in NFS Server Could Allow Denial of Service

    • CVE-2013-1281 NULL Dereference Vulnerability
      There are no known exploits in the wild.

    MS13-015 Vulnerability in .NET Framework Could Allow Elevation of Privilege

    • CVE-2013-0073 WinForms Callback Elevation Vulnerability
      This is a local vulnerability. Detection of attack over the wire is not feasible.

    MS13-016 Win32k Race Condition Vulnerability

    MS13-017 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege

    • CVE-2013-1278 Kernel Race Condition Vulnerability
      This is a local vulnerability. Detection of attack over the wire is not feasible.
    • CVE-2013-1279 Kernel Race Condition Vulnerability
      This is a local vulnerability. Detection of attack over the wire is not feasible.
    • CVE-2013-1280 Windows Kernel Reference Count Vulnerability
      This is a local vulnerability. Detection of attack over the wire is not feasible.

    MS13-018 Vulnerability in Windows TCP/IP Could Allow Denial Of Service

    • CVE-2013-0075 TCP FIN WAIT Vulnerability
      Connection limiting settings on the SonicWALL will defend against attacks targeting this vulnerability.

    MS13-019 Vulnerability in Windows Client/Server Run-time Subsystem (CSRSS) Could Allow Elevation of Privilege

    • CVE-2013-0076 Reference Count Vulnerability
      This is a local vulnerability. Detection of attack over the wire is not feasible.

    MS13-020 Vulnerability in OLE Automation Could Allow Remote Code Execution

    • CVE-2013-1313 Common Controls Remote Code
      IPS:9601 – Windows Common Controls Remote Code Execution (MS13-020)

    Novell eDirectory NCP Stack Buffer Overflow (Feb 8, 2013)

    Novell eDirectory is a multi-platform Lightweight Directory Access Protocol (LDAP) server. It is a component of an identity management solution. It utilizes the Novell NetWare Core Protocol (NCP) for communication. NCP manages access to server resources like the file system, printing system and login requests. NCP for the Windows version of eDirectory communicates on port 524 over TCP and UDP.

    NCP messages have the following common header structure:

     Offset       Size (bytes)      Description
     ------------ ----------------- ------------------------------------------
     0x0000       0x04              command code
     0x0004       0x04              data length
     0x0008       0x04              version
     0x000C       0x04              buffer size (in reply message)

    The structure of data following the header is shown:

     Offset       Size (bytes)      Description
     ------------ ----------------- ------------------------------------------
     0x0000       0x02              packet type
     0x0002       0x01              sequence number
     0x0003       0x01              connection number lower byte
     0x0004       0x01              task number
     0x0005       0x01              connection number higher byte
     0x0006       n                 data

    Some packet type values that are commonly seen in normal traffic are:

     Code         Description
     ------------ ------------------------------------------
     0x1111       start connection
     0x2222       request
     0x3333       reply
     0x5555       end connection
     0x7777       burst mode message
     0x9999       server busy message

    The request and reply messages have the following structure:

     Offset       Size (bytes)      Description
     ------------ ----------------- ------------------------------------------
     0x0000       0x01              function code
     0x0001       0x02              subfunction structure length
     0x0003       0x01              subfunction code
     0x0004       0x08              key
     0x000C       0x02              object type
     0x000E       0x01              object name length (n)
     0x000F       n                 object name

    NCP is used in several eDirectory operations, including Novell Directory Service (NDS) and Novell Modular Authentication Service (NMAS). These operations are assigned unique function and subfunction code values. One NCP request is the keyed object login request. A stack buffer overflow vulnerability has been identified in the processing of this login request. The flaw exists due to a lack of data length verification when copying the value of the object name field into a fixed-size stack buffer. The supplied length argument is used as the size parameter given to the copy function without proper boundary checks. An attacker can exploit this vulnerability by sending a crafted message with an overly long object name value and trigger the buffer overflow flaw. This can in turn result in process flow diversion. Any executed code will run with the privileges of the eDirectory service, which is SYSTEM by default. An exploit attempt that does not result in code execution would terminate the service and cause a denial of service condition.
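Below, as an added example that is not from the alert or from Novell's code, a Python parser follows the three tables above and places the missing check exactly where the alert says it belongs: the object name length byte is compared both against the bytes actually present and against the receiver's fixed buffer size before anything is copied. Byte order (big-endian), the 64-byte buffer limit, and the function/subfunction codes used in the constructed test packet are assumptions; the alert does not give them.

```python
import struct

# Assumed size of the receiver's fixed object-name buffer; the alert does not give the
# real figure. Any length above it is treated as an attempted overflow.
MAX_OBJECT_NAME = 64

PKT_REQUEST = 0x2222                   # packet type "request" from the table above

# Multi-byte fields are assumed big-endian here; the alert does not state byte order.
HEADER = struct.Struct(">IIII")        # command code, data length, version, buffer size
PREFIX = struct.Struct(">HBBBB")       # packet type, sequence, conn low, task, conn high
REQ_FIXED = struct.Struct(">BHB8sHB")  # function, subfunction struct length, subfunction,
                                       # key, object type, object name length


class NcpError(ValueError):
    """Raised instead of copying when a length field is not backed by real data."""


def parse_request(data: bytes) -> dict:
    """Parse the request body; this is where the missing length check belongs."""
    if len(data) < REQ_FIXED.size:
        raise NcpError("truncated request")
    func, sub_len, subfunc, key, obj_type, name_len = REQ_FIXED.unpack_from(data, 0)
    name = data[REQ_FIXED.size:REQ_FIXED.size + name_len]
    # The flawed code used name_len directly as the copy size. Two checks fix that:
    if len(name) != name_len:           # length claims more bytes than were sent
        raise NcpError("object name length exceeds available data")
    if name_len > MAX_OBJECT_NAME:      # length exceeds the destination buffer
        raise NcpError("object name length %d exceeds limit %d" % (name_len, MAX_OBJECT_NAME))
    return {"function": func, "subfunction": subfunc, "subfunction_length": sub_len,
            "key": key, "object_type": obj_type, "object_name": name}


def parse_ncp(pkt: bytes) -> dict:
    """Parse common header and prefix, then the request body if the packet is a request."""
    if len(pkt) < HEADER.size + PREFIX.size:
        raise NcpError("truncated header")
    cmd, data_len, version, buf_size = HEADER.unpack_from(pkt, 0)
    body = pkt[HEADER.size:]
    if data_len > len(body):
        raise NcpError("data length exceeds packet")
    if data_len < PREFIX.size:
        raise NcpError("data length too small")
    body = body[:data_len]
    ptype, seq, conn_lo, task, conn_hi = PREFIX.unpack_from(body, 0)
    msg = {"command": cmd, "version": version, "buffer_size": buf_size,
           "packet_type": ptype, "sequence": seq, "task": task,
           "connection": conn_lo | (conn_hi << 8)}
    if ptype == PKT_REQUEST:
        msg["request"] = parse_request(body[PREFIX.size:])
    return msg


def check_packet(pkt: bytes) -> str:
    """Return 'ok' or the reason the packet is rejected (what an inline check would log)."""
    try:
        parse_ncp(pkt)
        return "ok"
    except NcpError as err:
        return str(err)


def build_request(object_name: bytes, conn: int = 1, seq: int = 0) -> bytes:
    """Build a test request packet. Function/subfunction codes and the key are
    arbitrary test values, not the real codes of the keyed object login request."""
    req = REQ_FIXED.pack(0x01, REQ_FIXED.size - 3 + len(object_name), 0x01,
                         b"\x00" * 8, 0x0001, len(object_name)) + object_name
    body = PREFIX.pack(PKT_REQUEST, seq, conn & 0xFF, 1, conn >> 8) + req
    return HEADER.pack(0x1234, len(body), 1, 0) + body


if __name__ == "__main__":
    print(check_packet(build_request(b"admin")))      # -> "ok"
    print(check_packet(build_request(b"A" * 200)))    # -> "object name length 200 exceeds limit 64"
```

The two checks are deliberately separate: the first catches a length that runs past the received data (a read overrun), the second a length that is consistent with the packet but larger than the destination buffer, which is the write overrun the alert describes. A single "is it too long" test would miss one or the other.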

    Dell SonicWALL has released the following two IPS signatures to address this issue:

    • 9546 – Novell NetIQ eDirectory NCP Buffer Overflow 1
    • 9585 – Novell NetIQ eDirectory NCP Buffer Overflow 2

    In addition to these new signatures, Dell SonicWALL has existing generic exploit signatures that have been observed to proactively catch exploits targeting this vulnerability.

    The vendor has released an advisory addressing this issue.
    The vulnerability has been assigned the id CVE-2012-0432 by MITRE.

    New Dorkbot adds suite of new features (Feb 8, 2013)

    The SonicWALL Threat Research team discovered a new variant of the Dorkbot Trojan (also known as NGRBot). This Trojan was covered in a previous SonicAlert, where it was targeting Skype users. The features in this variant are similar to the previous variant, with the exception of spreading via Skype.

    Infection Cycle:

    The sample we analysed makes no changes to the file system or Windows registry. It does, however, have the ability to do so by downloading further payloads, as we have seen in previous variants.

    The Trojan uses the following icon:

    The Trojan makes the following DNS requests:

    • api.wipmania.com
    • webingenial.com
    • interactua.edu30.com
    • haztuwebsite.com

    Upon execution the Trojan injects code into the current running instance of explorer.exe [Detected as GAV: Dorkbot.B_67 (Trojan)]:

    The Trojan determines its IP address by making a request to wipmania.com. It then proceeds to join channel #main on a private IRC server. The IRC server does not allow various commands such as channel and user listing:

    It also downloads a text file from a remote webserver containing a list of subdomains of a banking website. This list could be used either for DDoS attacks or for bank site redirection by editing the hosts file:

    The bots idle on IRC, awaiting further instructions from their operators. They are given names according to geographical location and operating system version.

    During analysis we discovered that the Trojan contains a suite of malicious capabilities. The malicious modules can be utilized by issuing commands via the IRC channel that the bot has joined. The modules are listed as follows:

    • UDP/SYN Flood
    • Visit HTTP URL (for Pay-per-click schemes)
    • Log into and download files from FTP and POP3 email servers
    • Update bot/download file from remote webserver with MD5 verification
    • Execute file on system
    • Start a Socks4 proxy server
    • Spread via MSN Messenger Service
    • Spread via connected USB drives

    At the time of analysis it was determined that the botnet operators are actively monitoring connections to their IRC server. We were promptly banned from the IRC server for performing activity not conforming to the bot's typical behavior.

    SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

    • GAV: Ruskill.QCE (Trojan)
    • GAV: Dorkbot.B_67 (Trojan)

    Rise in Tepfer spam campaigns leading to P2P Zeus (Feb 1, 2013)

    Dell SonicWALL Threats Research team has observed an increase in spam campaigns involving new variants of the Tepfer Infostealer Trojan in the last week. Tepfer, also known as Fareit, is known for stealing sensitive information from the victim machine, including user credentials for various applications and certificates. It is also known to download and install banking Trojans like Cridex and P2P Zeus on the victim machine. A more detailed analysis of the Tepfer Trojan's infection activity can be found in one of our previous SonicAlerts.

    The Tepfer variants from recent spam campaigns were all found to install the P2P Zeus Trojan on the victim machine. Dell SonicWALL has received more than 50,000 e-mail copies from these spam campaigns so far. The e-mail messages in all these spam campaigns have a zip-archived attachment which contains the new variants of the Tepfer Trojan executable. The sample e-mail format from each spam campaign is shown below:

    screenshot

    screenshot

    The e-mail attachment contains a malicious executable with icons disguised to look like legitimate document files as seen below:

    screenshot

    Infection Cycle:

    Upon execution the Trojan mines the victim machine for user credentials of various FTP and E-mail applications. More details on the application names and other infection activity can be found here.

    The Trojan attempts to connect to a predetermined Command & Control server to report the infection and upload stolen credentials from the victim machine via a POST request. Below are the C&C servers we saw during the last week:

    • archiv.social-neos.eu:8080
    • central.si-vision.fr:8080
    • cloud.social-neos.eu:8080
    • eyon-neos.eu:8080
    • quest.social-neos.eu:8080

    It also connects to multiple domains to download and install the new variant of P2P Zeus Trojan on the victim machine. Below are the associated domains hosting new P2P Zeus binaries that we captured from these spam campaigns:

    • indonesiascuba.com
    • patentanwalt-baden.de
    • www.dimag-giantpale.it
    • plcontractors.co.uk
    • www.quickbeautyservizio.it

    The downloaded Zeus payload is detected as GAV: Zbot.AAU_9 (Trojan).

    Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

    • GAV: Kryptik.ATJW (Trojan)
    • GAV: Kryptik.ATCI (Trojan)
    • GAV: Kryptik.ATLY (Trojan)

    Sourcefire Snort SMB Preprocessor Buffer Overflow (Jan 30, 2013)

    Snort is a free and open source network intrusion prevention system (IPS) and network intrusion detection system (IDS) created by Martin Roesch in 1998. Snort is now developed by Sourcefire, of which Roesch is the founder and CTO. Snort has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort performs protocol analysis, content searching, and content matching. The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, common gateway interface, buffer overflows, server message block probes, and stealth port scans.

    Snort can be configured in three main modes: sniffer, packet logger, and network intrusion detection. In intrusion detection mode, the program monitors network traffic and analyzes it against a rule set defined by the user. The Sourcefire Vulnerability Research Team distributes official rules for Snort. While most of these rules are written in the typical rule description language, some rules are written in C, compiled, and distributed as shared libraries. As Snort performs protocol analysis, the Snort rules are capable of processing various network protocols such as Server Message Block (SMB).

    Server Message Block (SMB), also known as Common Internet File System (CIFS), operates as an application-layer network protocol mainly used for providing shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network. SMB connections can either be sent directly over TCP or be encapsulated as NetBIOS payload. An SMB packet contains an SMB header with the following structure:

     SMB Header
     Offset   Size   Field
     -------- ------ -----------------------------------------
     0x00     4      Server Component (\xff SMB)
     0x04     1      SMB Command: Trans (0x25)
     0x05     4      NT Status
     0x09     1      Flags (bit 0 = Request/Response)
     0x0A     2      Flags2
     0x0C     2      PID High
     0x0E     8      Signature
     0x16     2      Reserved
     0x18     2      Tree ID
     0x1A     2      Process ID
     0x1C     2      User ID
     0x1D     2      Multiplex ID

    There is a Snort rule, 3:20257, distributed as a precompiled binary, netbios.so, by Sourcefire. A stack-based buffer overflow vulnerability has been identified in this rule. An attacker can exploit this vulnerability to cause a stack buffer overflow which would allow arbitrary code injection and execution with the privileges of Snort, which are administrative by default.

    Dell SonicWALL UTM team has researched this vulnerability and released the following signature addressing it:

    • 9563 Sourcefire Snort DCE-RPC Preprocessor Buffer Overflow 6

    This vulnerability has not been assigned a Common Vulnerabilities and Exposures (CVE) identifier.

    New Trojan attacking popular European Social Networking site (January 25, 2013)

    Dell SonicWALL Threats Research team received reports of a new Trojan that has been targeting VK (originally VKontakte). VK is a reputed European social networking service with features similar to Facebook that has been growing in popularity; it had around 195 million accounts with an average of 43 million daily users as of December 2012. The Trojan checks whether the victim is part of the VK network and starts uploading pictures to Vk.com on the victim's behalf. Additionally, the Trojan downloads files from Vk.com and stores them locally. The Trojan comes equipped with capabilities to accept and execute commands from a remote Command and Control (C&C) server.

    Infection Cycle:

    Upon execution the Trojan adds the following files to the filesystem:

    • %USERPROFILE%\Local Settings\Application Data\KBxxxxxxx.exe – where ‘xxxxxxx’ is 7 random digits for every infection

    This file is a copy of the original executable, which is deleted upon execution. We observed the Trojan adding an image in the following directory:

    • %USERPROFILE%\Local Settings\Temp\%RandomCharacters%.jpg

    screenshot

    The Trojan adds the following keys to the Windows registry to enable startup after reboot:

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run KBxxxxxxx "%USERPROFILE%\Local Settings\Application Data\KBxxxxxxx.exe"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run KBxxxxxxx "%USERPROFILE%\Local Settings\Application Data\KBxxxxxxx.exe"
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run KBxxxxxxx "%USERPROFILE%\Local Settings\Application Data\KBxxxxxxx.exe"
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run KBxxxxxxx "%USERPROFILE%\Local Settings\Application Data\KBxxxxxxx.exe"

    The Trojan also adds the following keys to the Windows registry:

    • HKEY_CURRENT_USER\Software\Microsoft\system32_Reg32Path KBxxxxxxx "%USERPROFILE%\Local Settings\Application Data\KBxxxxxxx.exe"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\system32_Reg32Path KBxxxxxxx "%USERPROFILE%\Local Settings\Application Data\KBxxxxxxx.exe"

    We observed the following sequence of communication with the C&C:

    screenshot

    After the malware executed, we observed that our vk.com account had been added to a group without our knowledge.

    screenshot

    Soon enough our account was suspended because of suspected malicious activity.

    screenshot

    A close look at the above image reveals that the image being uploaded to our account is the same image that was saved locally, as mentioned above. All the images stored on the C&C and listed in the images.txt file have the same theme: they try to promote vk-go.com as a service that can show who visits pages on our vk.com account. Such services try to lure users and obtain sensitive personal information.

    Vk-go.com redirects users to space2014.ru/spyvk/phone.php, where it asks them to enter their VK nickname. It then claims to create a report containing a list of people who visited their account. Lastly, it asks for the user's phone number in order to provide further information.

    screenshot

    We observed the malware downloading publicly available photos from vk.com belonging to the groups mentioned in the groups.txt file. This happens irrespective of whether the victim is part of vk.com or not.

    The main purpose of this campaign is to upload images promoting vk-go.com's services to users' VK accounts, thereby luring more and more people into using those services. In doing so, users give out their personal information.

    Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

    • GAV: Delf.RBQ (Trojan)