Tepfer Infostealer Trojan being actively spammed (Nov 16, 2012)

The Dell SonicWALL Threats Research team captured multiple spam campaigns serving a newer variant of the Tepfer Infostealer Trojan. The malware arrives as an e-mail attachment using the themes shown below:

screenshot

The malware executable inside the zip attachment uses an Adobe PDF file icon and official Microsoft Windows application metadata to disguise itself, as seen below:

screenshot screenshot

Infection Cycle

The malware executable performs the following activities if the user is tricked into opening the file:

  • It looks for configuration files (.ini, .dat, .xml, etc.) of multiple applications to steal FTP and E-mail server information and user credentials:

    screenshot

  • It contains a list of common passwords, compressed inside the binary with the aPLib v1.01 compression library. The decompressed list is shown below:

    screenshot

  • It attempts to connect to a list of predetermined servers to send the stolen information via an HTTP POST request to /forum/viewtopic.php:
    • 3.soundfactor.org
    • 3.ussana.net
  • It further downloads and executes a new variant of the P2P Zeus binary from the remote servers listed below. It appears to be exploiting a Pay-Per-Install scheme by downloading and installing multiple instances of the same Zeus payload from different servers on the victim machine:
    • mjorart.com/{REMOVED}.exe
    • bestinsighttours.com/{REMOVED}.exe
    • rdquark.com/{REMOVED}.exe
    • quranaqiq.com/{REMOVED}.exe
    • westquimica.com/{REMOVED}.exe
    • superelectronico.com/{REMOVED}.exe
    • jagatoko.com/{REMOVED}.exe
    • muzikmeno.com/{REMOVED}.exe
    • eds-kurier.de/{REMOVED}.exe
    • The downloaded Zeus payload is detected as GAV: Zbot.AAN_65 (Trojan).

  • The Infostealer variants seen across different spam campaigns in the last two weeks appear to be from the same author, as seen by the project name extracted from the binary:

    screenshot
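The exfiltration endpoint and the Zeus download hosts listed above translate directly into proxy-log detection. The following Python is an added example written for this alert, not SonicWALL code; the log format and the log lines are constructed, and the /placeholder.exe path stands in for the file names the alert removed:

```python
import re

# Indicators taken from the alert: the exfiltration endpoint and the hosts serving the Zeus payload.
EXFIL_HOSTS = {"3.soundfactor.org", "3.ussana.net"}
EXFIL_PATH = "/forum/viewtopic.php"
ZEUS_DOWNLOAD_HOSTS = {
    "mjorart.com", "bestinsighttours.com", "rdquark.com", "quranaqiq.com", "westquimica.com",
    "superelectronico.com", "jagatoko.com", "muzikmeno.com", "eds-kurier.de",
}

# Constructed proxy log format (not from the alert): time client method host path status bytes
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<size>\d+)$"
)

# Constructed sample lines; /placeholder.exe replaces the {REMOVED} file name from the alert.
SAMPLE_LOG = """\
2012-11-16T10:02:11Z 10.0.0.15 POST 3.soundfactor.org /forum/viewtopic.php 200 1843
2012-11-16T10:02:12Z 10.0.0.15 POST 3.ussana.net /forum/viewtopic.php 503 0
2012-11-16T10:03:40Z 10.0.0.21 GET www.example.com /forum/viewtopic.php?t=12 200 5120
2012-11-16T10:04:02Z 10.0.0.15 POST forum.example.org /forum/viewtopic.php 200 920
2012-11-16T10:04:30Z 10.0.0.15 GET mjorart.com /placeholder.exe 200 214016
2012-11-16T10:05:00Z 10.0.0.21 GET www.example.com / 200 1200
"""


def classify(method, host, path):
    """Return a verdict label for one request, or None when nothing matches."""
    host = host.lower()
    path = path.split("?", 1)[0]  # compare the path without its query string
    if host in ZEUS_DOWNLOAD_HOSTS:
        return "zeus-download-host"
    if method == "POST" and path == EXFIL_PATH:
        # viewtopic.php is a normal forum page, so a POST to it on an unknown host is only
        # a lead for review; on a known host it is the exfiltration itself.
        return "tepfer-exfil" if host in EXFIL_HOSTS else "suspect-exfil-path"
    return None


def scan_proxy_log(text):
    """Return (line number, client, host, verdict) for every matching log line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        verdict = classify(m["method"], m["host"], m["path"])
        if verdict:
            hits.append((lineno, m["client"], m["host"], verdict))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

The client address is kept in each hit so that one infected host (10.0.0.15 in the sample) can be tied to both the exfiltration POST and the follow-on Zeus download.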

Dell SonicWALL Gateway AntiVirus has blocked close to 1 million instances of these spammed Infostealer variants in the past week. Below is the geographic distribution of this Infostealer spam campaign:

screenshot

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Tepfer.BVXJ (Trojan)
  • GAV: Tepfer.CAVW (Trojan)

Microsoft Security Bulletin Coverage (Nov 13, 2012)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for November 2012. A list of the issues reported, along with Dell SonicWALL coverage information, follows:

MS12-071 Cumulative Security Update for Internet Explorer

  • CVE-2012-1538 CFormElement Use After Free Vulnerability
    IPS:9238 – Windows IE CFormElement Use After Free Exploit
  • CVE-2012-1539 CTreePos Use After Free Vulnerability
    IPS:9237 – Windows IE CTreePos Use After Free Exploit
  • CVE-2012-4775 CTreeNode Use After Free Vulnerability
    IPS:9236 – Windows IE CTreeNode Use After Free Exploit

MS12-072 Vulnerabilities in Windows Shell Could Allow Remote Code Execution

  • CVE-2012-1527 Windows Briefcase Integer Underflow Vulnerability
    IPS:5512 – Server Application Shellcode Exploit 28
    IPS:5945 – Client Application Shellcode Exploit 18
  • CVE-2012-1528 Windows Briefcase Integer Overflow Vulnerability
    GAV:Malformed.bfc.MP.1

MS12-073 Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Information Disclosure

  • CVE-2012-2531 Password Disclosure Vulnerability
    Exploitation requires valid logon credentials.
  • CVE-2012-2532 FTP Command Injection Vulnerability
    No available method of attack detection.

MS12-074 Vulnerabilities in .NET Framework Could Allow Remote Code Execution

  • CVE-2012-1895 Reflection Bypass Vulnerability
    This is a local vulnerability. Detection of attacks on the wire is not possible.
  • CVE-2012-1896 Code Access Security Info Disclosure Vulnerability
    This is a local vulnerability. Detection of attacks on the wire is not possible.
  • CVE-2012-2519 .NET Framework Insecure Library Loading Vulnerability
    IPS:1023 – Binary Planting Attack 1
    IPS:5726 – Binary Planting Attack 2
    IPS:6847 – Binary Planting Attack 3
    IPS:8538 – Binary Planting Attack 4
    IPS:8546 – Binary Planting Attack 5
  • CVE-2012-4776 Web Proxy Auto-Discovery Vulnerability
    IPS:9243 – Malformed PAC File
  • CVE-2012-4777 WPF Reflection Optimization Vulnerability
    This is a local vulnerability. Detection of attacks on the wire is not possible.

MS12-075 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution

  • CVE-2012-2530 Win32k Use After Free Vulnerability
    This is a local vulnerability. Detection of attacks on the wire is not possible.
  • CVE-2012-2553 Win32k Use After Free Vulnerability
    This is a local vulnerability. Detection of attacks on the wire is not possible.
  • CVE-2012-2897 Windows Font Parsing Vulnerability
    This is a local vulnerability. Detection of attacks on the wire is not possible.

MS12-076 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution

  • CVE-2012-1885 Excel SerAuxErrBar Heap Overflow Vulnerability
    IPS:9239 – Malformed Excel Document 21
  • CVE-2012-1886 Excel Memory Corruption Vulnerability
    IPS:9240 – Malformed Excel Document 22
  • CVE-2012-1887 Excel SST Invalid Length Use After Free Vulnerability
    IPS:9241 – Malformed Excel Document 23
  • CVE-2012-2543 Excel Stack Overflow Vulnerability
    IPS:9242 – Malformed Excel Document 24

UMPlayer Insecure Library Loading (Nov 9, 2012)

UMPlayer, by Ori Rejwan, is a multimedia player available for the Microsoft Windows, Apple Mac OS X, and GNU/Linux operating systems. With built-in audio and video codecs, UMPlayer can handle various media formats.

Windows applications can control the location from which a DLL is loaded by specifying a full path, using DLL redirection, or by using a manifest. If none of these methods are used, the system searches for the DLL in the following order if SafeDllSearchMode is enabled:

    1. The directory from which the application loaded.
    2. The system directory.
    3. The 16-bit system directory.
    4. The Windows directory.
    5. The current directory.
    6. The directories that are listed in the PATH environment variable.

A code execution vulnerability exists in UMPlayer for Windows. When a .mp3 or .mp4 file is loaded into UMPlayer, it tries to dynamically load a library file named wintab32.dll. A vulnerable UMPlayer will try to load wintab32.dll from the current directory. An attacker can place a malicious library named wintab32.dll in the same directory as the .mp3 or .mp4 file. When a victim opens the .mp3 or .mp4 over SMB or WebDAV, the malicious wintab32.dll is loaded by UMPlayer. Successful exploitation of this flaw allows arbitrary command execution in the security context of the logged-in user.
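A defender can look for the precondition this attack needs: a DLL that is loaded by name sitting next to media files on a share. The following Python scanner is an added example, not part of the alert or of UMPlayer; the directory tree it scans is constructed in a temporary folder, and the claim that wintab32.dll is not shipped by Windows (it is supplied by tablet drivers) is the example's own:

```python
import os
import tempfile

# File types that trigger the load and the DLL name, both from the alert.
MEDIA_EXTENSIONS = {".mp3", ".mp4"}
WATCHED_DLLS = {"wintab32.dll"}


def find_planted_dlls(root, watched=WATCHED_DLLS, media_exts=MEDIA_EXTENSIONS):
    """Return root-relative paths (forward slashes) of watched DLLs that sit beside media files.

    With SafeDllSearchMode on, the current directory is consulted at step 5, after the
    application, system, 16-bit system and Windows directories. A DLL that none of those
    directories contain (wintab32.dll is not part of Windows; tablet drivers install it)
    therefore resolves to the directory the media file was opened from.
    """
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        lower = {f.lower(): f for f in filenames}  # Windows file names are case-insensitive
        if not any(os.path.splitext(name)[1] in media_exts for name in lower):
            continue  # no media file here, so nothing would be opened from this directory
        for dll in sorted(watched):
            if dll in lower:
                rel = os.path.relpath(os.path.join(dirpath, lower[dll]), root)
                findings.append(rel.replace(os.sep, "/"))
    return findings


def build_sample_share():
    """Construct a throwaway directory tree standing in for a file share (sample data)."""
    root = tempfile.mkdtemp(prefix="share_")
    # docs/ holds a DLL but no media file, so it must not be reported.
    for rel in ("music/song.mp3", "music/WINTAB32.DLL", "docs/readme.txt", "docs/wintab32.dll"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\x00")
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for finding in find_planted_dlls(share):
        print("DLL beside media files:", finding)
```

Pointing the scanner at the root of a real share (it only needs read access) lists every directory where a watched DLL would be picked up by an application that resolves that name through the search order above; extend WATCHED_DLLS with other names known to be loaded without a full path.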

Dell SonicWALL has released signatures to detect and block specific exploitation attempts targeting this vulnerability. The signatures are listed below:

  • IPS sid:5726 “Binary Planting Attack 2”
  • IPS sid:9218 “wintab32.dll Insecure Library Loading 2”

Drive-by download leads to RAT Trojan (Nov 08, 2012)

The Dell SonicWALL Threats Research team discovered a RAT Trojan spreading through drive-by downloads from malicious links. The links were found hosting a malicious Java applet under the guise of an online game. Once the applet is executed, it proceeds to download a Dark Comet RAT Trojan hosted on Dropbox and executes it. Dark Comet is a remote administration tool but is often used for malicious purposes because of its Trojan-like capabilities. In this instance, the RAT was used to capture the user’s keystrokes along with relevant window information and upload them to a remote server.

Infection Cycle

  • The drive-by download kicks in once the malicious page is visited. A security warning is shown because the Java applet is signed with a self-signed DSA certificate.

  • If an unwary user decides to allow the applet to run, it silently downloads and executes the RAT in the background.

  • The RAT is hosted on Dropbox and the link to it is passed as a parameter to the Java applet, as shown below:

Once executed the RAT Trojan performs the following activities:

  • It creates copies of itself in:
    • %APPDATA%\rundll32.exe [Detected by GAV: Fynloski.AA_5 (Trojan)]
    • %USERPROFILE%\My Documents\MSDCSC\msdcsc.exe [Detected by GAV: Fynloski.AA_5 (Trojan)]
  • It uses the following misleading icon:

  • It creates a startup entry to ensure the infection survives a reboot:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run:MicroUpdate:"%USERPROFILE%\My Documents\MSDCSC\msdcsc.exe"
  • The RAT uses an encrypted configuration file. During our analysis we were able to obtain the decrypted version of the configuration file, seen below. Some of the key features used are explained:

  • It captures the user’s keystrokes and stores them in:
    • %APPDATA%\dclogs\{YYYY-MM-DD-H}.dc
  • The keystrokes are captured along with the relevant window titles, as shown below:

  • It uploads the captured data to a remote server over port 1336 or 1444.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV:Fynloski.AA_5 (Trojan)
  • GAV:JavaDL.CX (Exploit)

Cridex Trojan actively spreading with IRS theme mails (November 2, 2012)

The Dell SonicWALL Threats Research team discovered a new variant of an information-stealing Trojan in the wild that steals sensitive information from the user’s system. The malware arrives in the form of an email message claiming that your income tax refund appeal has been declined by the IRS, with the details supposedly in the attached IRS letter.

A sample E-mail message from this campaign is shown below:

screenshot

The zip attachment in the E-mail contains the malware executable.

Infection cycle

The infection begins when the user opens the malicious file inside the zip attachment. The malware drops a copy of itself and modifies the system registry to ensure that the dropped copy runs on each system reboot. The dropped filename uses the format KB%08d.exe, i.e., KB followed by an 8-digit number. Another malicious file, exp.tmp.exe, is also dropped; it injects malicious code into explorer.exe.

Following are the malicious files dropped on the system:

  • C:\Documents and Settings\Owner\Application Data\KB00654892.exe [Detected as GAV: Cridex.SRI_2 (Trojan)]
  • C:\Documents and Settings\Owner\Local Settings\Temp\exp.tmp.exe [Detected as GAV: Kryptik.ALRY (Trojan)]

The following entry was added to the registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "C:\Documents and Settings\xxxx\Application Data\KB00654892.exe"

The malware also drops a batch file as C:\Documents and Settings\Owner\Local Settings\Temp\exp.tmp.bat that checks for and deletes the original file. The infected instance of explorer.exe was found to be connecting to a number of domains on port 8080:

  • rob.roboticwares.com
  • recipe.devrich.com
  • khtweb.sote.hu

We found a number of hardcoded C&C IP addresses in the executable:

  • 148.208.216.70:8080
  • 180.235.150.72:8080
  • 200.169.13.84:8080
  • 59.90.221.6:8080
  • 61.7.235.35:8080
  • 210.56.23.100:8080
  • 195.111.72.46:8080
  • 216.38.12.158:8080
  • 50.22.102.132:8080

The following encrypted communication was observed between the Trojan and the C&C server:

screenshot
A similar behavior was observed in a previous SonicALERT for eFax Spam.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Cridex.SRI_2 (Trojan)
  • GAV: Kryptik.ALRY (Trojan)
Oracle Java Heap Buffer Overflow (Nov 1, 2012)

Java is a programming language originally developed by James Gosling at Sun Microsystems (which has since merged into Oracle Corporation) and released in 1995 as a core component of Sun Microsystems’ Java platform. Java applications are typically compiled to bytecode (class file) that can run on any Java virtual machine (JVM) regardless of computer architecture. Java is a general-purpose, concurrent, class-based, object-oriented language that is specifically designed to have as few implementation dependencies as possible. Java is distributed in the form of various tools such as the Java Runtime Environment (JRE) and the Java Development Kit (JDK).

The JRE is a software platform that contains the Java Virtual Machine (JVM), Java libraries and other various components. End-users commonly use a Java Runtime Environment (JRE) installed on their own machine for standalone Java applications, or in a Web browser for Java applets. Standardized libraries provide a generic way to access host-specific features such as graphics, threading, and networking. The JDK is primarily a toolkit for developers and consists of the Java loader, compiler, libraries, debugger and several other tools. These libraries enable Java to parse various graphics and media content. The common graphics library packages of Java are the Abstract Windowing Toolkit (AWT) and Swing packages.

TrueType is an outline font standard developed by Apple Computer in the late 1980s as a competitor to Adobe’s Type 1 fonts used in PostScript. It has become the most common format for fonts on both the Mac OS and Microsoft Windows operating systems. The JRE and JDK are able to parse various graphics files, including TrueType font files.

A TrueType Font file consists of a number of tables. There is a directory of tables that must appear at the start of the file. The file may contain only one table of each type, and the type is indicated by a case-sensitive four-letter tag. Each table and the whole font have checksums. The tables can appear in any order. The font directory consists of two parts: the offset subtable and the table directory. The offset subtable provides the number of tables in the font and their offset information, and has the following structure:

    Offset  Size (bytes)  Name
    -------------------------------------------------------------------
    0x00    4             Version
    0x04    2             numTables
    0x06    2             searchRange    (maximum power of 2 <= numTables)*16
    0x08    2             entrySelector  log2(maximum power of 2 <= numTables)
    0x0a    2             rangeShift

A heap memory buffer overflow vulnerability exists in Oracle Java's handling of TrueType fonts. A remote, unauthenticated attacker can exploit this vulnerability to inject and execute arbitrary code in the security context of the logged-in user.
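As an added example (not SonicWALL's or Oracle's code), the following Python parses the offset subtable tabulated above together with the table directory that follows it, and rejects any header whose derived fields or table extents do not fit the file. The 16-byte directory entry layout (tag, checkSum, offset, length) and the derivation of rangeShift come from the TrueType specification rather than from the alert, and the sample font bytes are constructed:

```python
import struct

# Big-endian layouts from the TrueType specification: the offset subtable tabulated in the
# alert, and one table directory entry (tag, checkSum, offset, length; 16 bytes).
OFFSET_SUBTABLE = struct.Struct(">IHHHH")
TABLE_RECORD = struct.Struct(">4sIII")
SFNT_VERSIONS = {0x00010000, 0x74727565}  # version 1.0 and Apple's 'true' tag


def parse_font_directory(data):
    """Return {tag: (offset, length)} after validating every header field it depends on."""
    if len(data) < OFFSET_SUBTABLE.size:
        raise ValueError("file too short for offset subtable")
    version, num_tables, search_range, entry_selector, range_shift = OFFSET_SUBTABLE.unpack_from(data, 0)
    if version not in SFNT_VERSIONS:
        raise ValueError("unexpected sfnt version 0x%08x" % version)
    if num_tables == 0:
        raise ValueError("numTables is zero")
    # searchRange, entrySelector and rangeShift are all derived from numTables (rangeShift is
    # numTables*16 - searchRange); a mismatch means the header was not written by a font tool.
    max_pow2 = 1 << (num_tables.bit_length() - 1)
    expected = (max_pow2 * 16, max_pow2.bit_length() - 1, num_tables * 16 - max_pow2 * 16)
    if (search_range, entry_selector, range_shift) != expected:
        raise ValueError("searchRange/entrySelector/rangeShift inconsistent with numTables")
    directory_end = OFFSET_SUBTABLE.size + num_tables * TABLE_RECORD.size
    if directory_end > len(data):
        raise ValueError("numTables (%d) claims more directory entries than the file holds" % num_tables)
    tables = {}
    for i in range(num_tables):
        record_at = OFFSET_SUBTABLE.size + i * TABLE_RECORD.size
        tag, _checksum, offset, length = TABLE_RECORD.unpack_from(data, record_at)
        tag = tag.decode("latin-1")
        if tag in tables:
            raise ValueError("duplicate table %r" % tag)  # only one table of each type is allowed
        # Python integers do not wrap, so offset + length cannot overflow here; a native parser
        # must guard against that 32-bit wrap explicitly before sizing any buffer from these fields.
        if offset < directory_end or offset + length > len(data):
            raise ValueError("table %r (offset %d, length %d) lies outside the file" % (tag, offset, length))
        tables[tag] = (offset, length)
    return tables


def is_rejected(data):
    """True when the directory parser refuses the input."""
    try:
        parse_font_directory(data)
    except ValueError:
        return True
    return False


def build_sample_font(tables):
    """Construct a minimal sfnt container from (tag, body) pairs (test data, not a usable font)."""
    n = len(tables)
    max_pow2 = 1 << (n.bit_length() - 1)
    header = OFFSET_SUBTABLE.pack(0x00010000, n, max_pow2 * 16, max_pow2.bit_length() - 1, n * 16 - max_pow2 * 16)
    offset = OFFSET_SUBTABLE.size + n * TABLE_RECORD.size
    records, bodies = [], []
    for tag, body in tables:
        records.append(TABLE_RECORD.pack(tag, 0, offset, len(body)))  # checksums left at 0
        bodies.append(body)
        offset += len(body)
    return header + b"".join(records) + b"".join(bodies)


SAMPLE_FONT = build_sample_font([(b"head", b"\x00" * 54), (b"hhea", b"\x00" * 36)])
# The same container with the 'head' length field (bytes 24..27) rewritten to a huge value, the
# kind of header a parser must refuse before it allocates or copies based on the declared length.
_oversized = bytearray(SAMPLE_FONT)
struct.pack_into(">I", _oversized, 24, 0xFFFFFFF0)
OVERSIZED_FONT = bytes(_oversized)

if __name__ == "__main__":
    print(parse_font_directory(SAMPLE_FONT))
    print("oversized length rejected:", is_rejected(OVERSIZED_FONT))
```

The check on offset + length is the one that matters for a heap overflow class of bug: the table's declared extent is verified against the real file size before any table body is read.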

The Dell SonicWALL UTM team has researched the vulnerability and released the following signature to cover the exploit:

  • GAV:Malformed.ttf.TL.2

The vulnerability was not assigned a Common Vulnerabilities and Exposures (CVE) identifier.

Hurricane Sandy Email Phishing Scam (Oct 31, 2012)

During the Hurricane Sandy crisis, people want to help those in need. At the same time, unscrupulous criminals will try to take advantage of the disaster. They may ask you for bogus charitable donations or offer free dining coupons to those in need. Now is the time to apply special scrutiny when you receive unsolicited emails. Below are screenshots of examples of fraudulent emails you may receive. Should you receive such an email and click on the URL in it, the link will take you to a fake website that attempts to infect your computer.

To protect our customers, we offer the most up-to-date protection against new spam attacks while ensuring delivery of legitimate email with real-time information from the Dell SonicWALL Global Response Intelligent Defense (GRID) Network. The GRID Network collects and analyzes millions of data points, performing rigorous testing and evaluation every day, establishing reputation scores for senders and content and identifying new threats in real time.

Technology makes our lives easy, but it also gives criminals a possible avenue to deceive and bypass common sense. While the method may vary from email to text messages, tweets or cold calling, one thing remains the same: if you are planning to give to a nonprofit in the wake of any disaster, verify that it is legitimate. Charity evaluators like Guidestar and Charity Navigator are good ways to check that the organization you’re donating to is established and your funds will go where you intend.

If you are interested in testing your email expertise and detection skills, please check out our Dell SonicWALL phishing test.

Here are screenshots showing some of the spam e-mails we have captured using a Hurricane Sandy theme:

Samsung Kies Remote Command Execution (Oct 26, 2012)

Samsung Kies is a software application used for communication between Windows/Mac computers, mobile phones and tablets. Communication can be performed via USB on traditional devices or via WiFi on newer devices. The software has a number of functions, including data backup, data transfer, multimedia management and firmware/OS upgrade.

Upon installation, Kies deploys an ActiveX control, CmdAgent.CommandAgent, which is contained in the dynamic-link library CmdAgent.dll. The ActiveX control can be instantiated via a web page.

A remote command execution vulnerability exists in Samsung Kies. Specifically, the vulnerability is due to the exposure of unsafe methods in the CmdAgent.CommandAgent ActiveX control. A remote attacker can exploit this vulnerability by enticing a target user (who has Samsung Kies installed) to open a specially crafted web page. Successful exploitation of this flaw allows arbitrary command execution in the security context of the logged-in user.

Dell SonicWALL has released signatures to detect and block specific exploitation attempts targeting this vulnerability. The signatures are listed below:

  • IPS sid:9116 “Samsung Multistage Command Agent ActiveX Instantiation 1”
  • IPS sid:9117 “Samsung Multistage Command Agent ActiveX Instantiation 2”

eFax spam campaign delivers info stealer Trojan (Oct 26, 2012)

The Dell SonicWALL UTM Research team discovered a new info stealer Trojan in the wild that steals account information from FTP and Email configuration files. The Trojan also drops a variant of the Zbot Trojan on the system.

The Trojan arrives in the form of an email purporting to be a fax message delivered by eFax Corporate. The user is encouraged to download and execute the attachment to view the fax:

Upon infection the Trojan performs the following DNS queries:

  • dechotheband.gr
  • barisdogalurunler.com
  • alpertarimurunleri.com
  • oneglobalexchange.com
  • rumanas.org
  • www.10130138.wavelearn.de
  • visiosofttechnologies.com
  • sgisolution.com.br
  • plusloinart.be
  • marengoit.pl
  • www.google.com

The Trojan adds the following files to the filesystem:

  • %USERPROFILE%\Local Settings\Temp\215229.exe [Detected as GAV: Zbot.AAN_62 (Trojan)]
  • %USERPROFILE%\Local Settings\Temp\220286.exe [Detected as GAV: Zbot.AAN_62 (Trojan)]
  • %USERPROFILE%\Local Settings\Temp\224803.exe [Detected as GAV: Zbot.AAN_62 (Trojan)]
  • %USERPROFILE%\Local Settings\Temp\227637.exe [Detected as GAV: Zbot.AAN_62 (Trojan)]
  • %USERPROFILE%\Local Settings\Temp\230491.exe [Detected as GAV: Zbot.AAN_62 (Trojan)]
  • %USERPROFILE%\Local Settings\Temp\231913.exe [Detected as GAV: Zbot.AAN_62 (Trojan)]
  • %USERPROFILE%\Local Settings\Temp\233065.exe [Detected as GAV: Zbot.AAN_62 (Trojan)]
  • %USERPROFILE%\Local Settings\Temp\249648.exe [Detected as GAV: Zbot.AAN_62 (Trojan)]
  • %USERPROFILE%\Local Settings\Temp\252302.exe [Detected as GAV: Zbot.AAN_62 (Trojan)]
  • %APPDATA%\Ettohxiud.exe [Detected as GAV: Zbot.EQLN_2 (Trojan)]
  • %USERPROFILE%\Local Settings\Temp\abcd.bat

abcd.bat contains the following data. It is used to clean up parts of the infection process:

    rem %1 is the dropper passed in by the Trojan; keep retrying until it is gone
    :ijk
    del %1
    if exist %1 goto ijk
    rem finally remove this batch file itself
    del %0

The Trojan adds the following key to the Windows registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run {C05E9BBE-21ED-AD41-CB90-673CEB12442E} “%APPDATA%\Ettohxiud.exe”
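The Run key values recorded in the Dark Comet, Cridex and eFax alerts on this page share two traits: the image lives under the user profile, and the value name is either generic or a bare GUID. The following Python is an added example, not SonicWALL tooling; it audits a constructed .reg export of the per-user Run key (the user name xxxx, the value name KB00654892 and the benign OneDrive entry are constructed, the other values follow the alerts) and flags entries with those traits:

```python
import re

# Constructed export of the per-user Run key. The first three values reproduce the persistence
# entries from the Dark Comet, eFax and Cridex alerts; the value name "KB00654892" and the
# OneDrive entry are constructed for this example.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroUpdate"="\"%USERPROFILE%\\My Documents\\MSDCSC\\msdcsc.exe\""
"{C05E9BBE-21ED-AD41-CB90-673CEB12442E}"="\"%APPDATA%\\Ettohxiud.exe\""
"KB00654892"="\"C:\\Documents and Settings\\xxxx\\Application Data\\KB00654892.exe\""
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
'''

# Assumed environment of the audited profile (constructed, Windows XP layout as in the alerts).
ENV = {
    "%APPDATA%": "C:\\Documents and Settings\\xxxx\\Application Data",
    "%USERPROFILE%": "C:\\Documents and Settings\\xxxx",
}

# Anything under a profile directory is writable without admin rights; legitimate autostarts
# mostly live under Program Files or the Windows directory.
PROFILE_MARKERS = ("\\documents and settings\\", "\\users\\")
GUID_NAME = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
CRIDEX_NAME = re.compile(r"^KB\d{8}\.exe$", re.I)  # the KB%08d.exe format from the Cridex alert
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def unescape_reg(data):
    # Undo .reg escaping: a backslash protects the next character (doubled backslashes, quotes).
    out, i = [], 0
    while i < len(data):
        if data[i] == "\\" and i + 1 < len(data):
            out.append(data[i + 1])
            i += 2
        else:
            out.append(data[i])
            i += 1
    return "".join(out)


def image_path(command, env=ENV):
    """Extract the executable from a Run command line and expand %VAR% references."""
    if command.startswith('"'):
        exe = command[1:command.index('"', 1)]  # quoted path, arguments follow the closing quote
    else:
        exe = command.split(" ", 1)[0]
    for var, value in env.items():
        exe = exe.replace(var, value)
    return exe


def audit_run_entries(reg_text, env=ENV):
    """Return (value name, expanded image path, reasons) for every suspicious Run value."""
    findings = []
    for line in reg_text.splitlines():
        m = VALUE_LINE.match(line.strip())
        if not m:
            continue  # header, key path or blank line
        name = m["name"]
        exe = image_path(unescape_reg(m["data"]), env)
        reasons = []
        if any(marker in exe.lower() for marker in PROFILE_MARKERS):
            reasons.append("image under user-writable profile path")
        if GUID_NAME.match(name):
            reasons.append("GUID-style value name")
        if CRIDEX_NAME.match(exe.rsplit("\\", 1)[-1]):
            reasons.append("filename matches Cridex KB%08d.exe pattern")
        if reasons:
            findings.append((name, exe, reasons))
    return findings


if __name__ == "__main__":
    for name, exe, reasons in audit_run_entries(SAMPLE_REG_EXPORT):
        print(name, "->", exe, "|", "; ".join(reasons))
```

On a live system the same function can be fed the output of exporting the Run key with reg.exe; the OneDrive entry shows that an image under Program Files passes through without a flag.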

The Trojan downloads and runs the following files [all detected as GAV: Zbot.AAN_62 (Trojan)] from various remote webservers:

The following encrypted communication was observed between the Trojan and a remote C&C webserver:

The unencrypted form of the above “CRYPTED” data that is sent is as follows. It contains sensitive system information:

The Trojan was observed iterating through the Program Files directory looking for FTP and Email configuration files. It steals credentials from the following FTP and Email software, if present:

    BulletProof FTP
    Smart FTP
    Turbo FTP
    Sota's FTP
    FTP Navigator
    FTP Commander
    FlashFXP
    FileZilla
    Cute FTP
    Core FTP
    Ultra FXP
    Frigate3
    FTP Explorer
    SecureFX
    Classic FTP
    FTPVoyager
    Wise FTP
    SeaMonkey
    Leech FTP
    FTPGetter
    3D-FTP
    Go FTP
    BlazeFtp
    FTPNow
    Pocomail
    The Bat!
    Thunderbird

The Trojan contains the following common word password list:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Androm.EFX
  • GAV: Tepfer.AIUQ
  • GAV: Zbot.EQLN_2
  • GAV: Zbot.AAN_62

Novell ZENworks Information Disclosure (Oct 19, 2012)

Novell ZENworks is a suite of software products for computer systems management that aims to manage the entire life cycle of servers, PCs and handheld devices. ZENworks supports multiple server platforms and multiple directory services. One of the products, the ZENworks Asset Management suite, is used for auditing complete information about hardware and software installations.

The web console provided in ZENworks Asset Management features a graphical interface for administrative tasks. The web console is based on Apache Tomcat; it listens on TCP port 8080 by default. An information disclosure vulnerability exists in the Novell ZENworks Asset Management web console. The vulnerability is due to hardcoded credentials which are used by several maintenance functions. In an attack scenario, a remote attacker can use these default credentials to access sensitive information.

Dell SonicWALL has released IPS signatures to detect and block specific exploitation attempts targeting this vulnerability. The signatures are listed below:

  • 9011 Novell ZENworks Asset Management Information Disclosure 1
  • 9012 Novell ZENworks Asset Management Information Disclosure 2