Well-known Zero-day Vulnerabilities 2012 Summary (Aug 9, 2012)

A zero-day attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, operating system, etc. Multiple zero-day vulnerabilities are found each year. The following are the well-known zero-day vulnerabilities of the first half of 2012. Dell SonicWALL coverage for these vulnerabilities and references are also listed:

With the deployed signatures, Dell SonicWALL has prevented the customers from being attacked. The following are the statistics within last 20 days:

2012 Zero-day hits

To better protect our customers, Dell SonicWALL has partnered with Microsoft on the MAPP program, and here is the MAPP landing page: https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=380.

On the above page, you can find all the vulnerabilities Microsoft has released over the past two years and our coverage for them. Dell SonicWALL has cooperated successfully with Microsoft on detecting and preventing these vulnerabilities; for example, for the latest 0day vulnerability CVE-2012-1889, we deployed the signatures on the same day Microsoft released its public advisory: MAPP Partners with Updated Protections

In addition to the signatures that detect 0day vulnerabilities, we have more than 200 shellcode detection IPS signatures, which proactively detect and block many attacks in the wild. The following are some examples of these IPS signatures:

  • 4569 HTTP Server Shellcode Exploit 8
  • 4573 Server Application Shellcode Exploit 10
  • 4574 HTTP Server Shellcode Exploit 10
  • 4584 Server Application Shellcode Exploit 17
  • 4598 Server Application Shellcode Exploit 3
  • 4601 HTTP Server Shellcode Exploit 11

Symantec Web Gateway SQL Injection (Aug 3, 2012)

Symantec Web Gateway protects organizations against multiple types of Web-borne malware, prevents data loss over the Web and gives organizations the flexibility of deploying it as either a virtual appliance or on physical hardware. Symantec Web Gateway provides a web interface which provides administration, reports and other functionalities.

An SQL injection vulnerability exists in Symantec Web Gateway. Specifically, the vulnerability is due to a lack of sanitization of user-supplied parameters sent to the blocking feedback report page. A remote attacker could exploit this vulnerability by sending crafted HTTP requests to the Symantec Web Gateway server. Successful exploitation allows the attacker to execute arbitrary SQL commands and possibly obtain Administrator privileges.

The vulnerability has been assigned CVE-2012-2574.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 8414 Symantec Web Gateway SQL Injection
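An added illustration of the vulnerability class described above (not Symantec's code; the feedback table, its columns and the sample rows are assumptions): the same report lookup written the unsafe way, with the report id spliced into the statement, and the hardened way, validated and bound as a parameter.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a blocking-feedback report table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE feedback (id INTEGER, url TEXT, comment TEXT)")
    db.executemany("INSERT INTO feedback VALUES (?, ?, ?)", [
        (1, "http://blocked.example/a", "false positive"),
        (2, "http://blocked.example/b", "confirmed malware"),
        (3, "http://other.example/c", "unsure"),
    ])
    return db


def lookup_vulnerable(db, report_id):
    """The defect: the request parameter becomes part of the SQL text.

    Anything in report_id that is valid SQL syntax changes the statement,
    so the database executes whatever the caller sent, not a fixed query.
    """
    sql = "SELECT id, url FROM feedback WHERE id = " + report_id
    return db.execute(sql).fetchall()


def lookup_fixed(db, report_id):
    """Hardened form: validate the type, then bind the value as a parameter.

    A bound parameter is delivered to the engine as data, never parsed as
    SQL, so the statement shape cannot change regardless of the input.
    """
    if not report_id.isdigit():
        raise ValueError("report id must be numeric")
    return db.execute("SELECT id, url FROM feedback WHERE id = ?",
                      (int(report_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "2"))
    print(lookup_fixed(db, "2"))
```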

FinFisher/FinSpy seen in targeted emails (July 31, 2012)

Dell SonicWALL Threats Research team received reports of a spying tool being sent as an attachment in spear phishing emails targeting activists. This spying tool, called FinFisher/FinSpy, has been linked to covert use by various governments for surveillance within and across their borders. The tool behaves like a Trojan and uses various stealth techniques to evade detection. It harvests user data and attempts to upload the encrypted data to a remote server.

The executable in the email attachment uses the following misleading icons:
screenshot

The FinSpy tool when executed performs the following activities:

  • It creates the following files:
    • %appdata%\Microsoft\Installer\mssounddx.sys [Detected as GAV: FinSpy.A_3 (Trojan)]
    • %appdata%\Microsoft\Installer\shellex32.dll [Detected as GAV: FinSpy.A_4 (Trojan)]
    • %appdata%\Microsoft\Installer\{8171412B-B34C-4183-A4BB-057CEA02F7FB}\80C.dat (Harvested data)
    • %appdata%\Microsoft\Installer\{8171412B-B34C-4183-A4BB-057CEA02F7FB}\(02-21)C.dat (Harvested data)
    • %appdata%\Microsoft\Installer\{8171412B-B34C-4183-A4BB-057CEA02F7FB}\ico_ty23.ico (Harvested data)
    • %temp%\delete.bat (Batch file with commands to delete itself)
  • It creates the following registry key to ensure infection on reboot:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssounddx: “%appdata%\Microsoft\Installer\mssounddx.sys”
  • It hooks the following API in ntdll.dll:
    • CsrClientCallServer
  • It starts iexplorer.exe and injects code into it
  • It attempts to contact the following remote servers: (These sub-domains no longer resolve)
    • tiger.gamma-international.de
    • ff-demo.blogdns.org
  • It attempts to send encrypted data over TCP ports 22, 3111, 3112 and 3113:

    screenshot

  • It attempts to disguise itself as Mozilla Firefox as seen from the resource section:

    screenshot

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: FinSpy.A (Trojan)
  • GAV: FinSpy.A_2 (Trojan)
  • GAV: FinSpy.A_3 (Trojan)
  • GAV: FinSpy.A_4 (Trojan)
  • IPS: FinFisher Server Traffic
  • IPS: FinFisher Client Connection Attempt

HP Data Protector Express Buffer Overflow (Jul 27, 2012)

HP Data Protector Express is backup and recovery software designed specifically for smaller organizations. It protects single machines or small networks in Windows and Linux environments. Protection is delivered for file servers, application servers and Windows workstations. One of the Data Protector Express components is the dpwinsdr.exe service, which listens on TCP port 3817.

A stack buffer overflow exists in HP Data Protector Express. Specifically, the vulnerable dpwinsdr.exe service copies messages into a fixed-size stack buffer without performing a bounds check. An attacker can exploit this vulnerability by sending a crafted message to the affected service. Successful exploitation could result in arbitrary code execution in the context of the affected service, which is SYSTEM by default. Failed attacks will cause denial-of-service conditions.

The vulnerability has been assigned CVE-2012-0121.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 8347 HP Data Protector Express Remote Code Execution

Bot with possible Chinese origins and Taliban lure (July 27, 2012)

Dell SonicWALL Threats Research team came across a new malware submission that looks like a bot with backdoor functionality. The malware executable appears to have Chinese origins, based on the file resources and the Command & Control (C&C) domain involved, but uses a Taliban warfare image as a lure.

The original Malware executable named Talibanwarfare.exe uses an image file icon for disguise and drops the actual bot:

screenshot

Upon execution, it drops the following files on the victim machine:

  • c:\lsass.exe [Malicious bot detected as GAV: Dapato.BNCB (Trojan)]
  • c:\Talibanwarfare.jpg

The malware displays the dropped image file Talibanwarfare.jpg in default Windows image viewer application to make the user believe that everything is normal while it runs the dropped malicious bot in the background.

screenshot

It also ensures that the dropped malicious executable runs for the infected user upon system reboot by adding the following registry key:

  • HKU\(USERID)\Software\Microsoft\Windows\CurrentVersion\Run\workstations: “C:\lsass.exe”

A quick analysis of the dropped malicious executable shows that it connects to a remote server, web(REMOVED)yourturbe.org, hosted in San Francisco, USA. The domain name, however, was supposedly registered last year by one su guang in China.

screenshot

screenshot

The physical server involved appears to be part of the VPN service provided by the ISP Reliablehosting. We found a few similar malware samples in our database that connected to this and other VPN servers hosted by Reliablehosting for C&C communication. Reliablehosting has been notified about this and we are working with them to take further action.

The C&C communication in the case of this malware is encrypted. It continuously sends and receives packets from the C&C server every 30 seconds, which look like PING/PONG messages to ensure connectivity:

screenshot

It is interesting to note that the messages contain fake MSN messenger protocol headers. We also monitored commands to perform a network scan and some basic SMB/CIFS exploit attempts to propagate further inside the infected system’s network. We will update this Alert as we continue to analyze this attack further.
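As an added example (not Dell SonicWALL's code), a detector for the fixed-interval PING/PONG beaconing described above, run over a constructed connection log; it generalizes to any period, not only 30 seconds. The log format, addresses and timestamps are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed connection log: "timestamp src dst dport", one connection per
# line, in the spirit of a firewall or flow export. One flow beacons every
# 30 s; the others are ordinary one-off connections.
SAMPLE_LOG = """\
2012-07-27T10:00:00 10.0.0.5 203.0.113.10 80
2012-07-27T10:00:12 10.0.0.5 198.51.100.7 443
2012-07-27T10:00:30 10.0.0.5 203.0.113.10 80
2012-07-27T10:00:47 10.0.0.5 198.51.100.8 443
2012-07-27T10:01:00 10.0.0.5 203.0.113.10 80
2012-07-27T10:01:30 10.0.0.5 203.0.113.10 80
2012-07-27T10:01:51 10.0.0.5 198.51.100.9 443
2012-07-27T10:02:00 10.0.0.5 203.0.113.10 80
2012-07-27T10:02:31 10.0.0.5 203.0.113.10 80
"""


def parse_log(text):
    """Group connection timestamps by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(flows, period=30.0, tolerance=0.1, min_hits=5):
    """Return (flow, median interval, count) for flows that beacon on a timer.

    A flow is reported when it has at least min_hits connections, its median
    inter-connection gap is within tolerance of period, and the jitter
    (standard deviation relative to the median) is small, which is what a
    fixed-timer keep-alive loop looks like and what interactive traffic does
    not.
    """
    hits = []
    for key, times in flows.items():
        if len(times) < min_hits:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if abs(med - period) <= tolerance * period and pstdev(gaps) <= tolerance * med:
            hits.append((key, round(med, 1), len(times)))
    return hits


if __name__ == "__main__":
    for flow, interval, count in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {flow} every {interval}s ({count} connections)")
```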

Dell SonicWALL Gateway AntiVirus provides protection against this threat via following signatures:

  • GAV: Agent.TBW_2 (Trojan)
  • GAV: Dapato.BNCB (Trojan)

Spam campaigns roundup (July 20, 2012)

Dell SonicWALL Threats Research team has observed an increase in the number of e-mail spam campaigns over the past week involving multiple malware families. Below is a quick summary of some of the major malware spam campaigns we saw in the last week:

screenshot

The majority of the spam campaigns were found to contain a malicious executable attachment enclosed in a ZIP archive, pretending to be an Adobe PDF file or a Microsoft document, as seen last week too. We also saw some campaigns involving malicious URLs linked to an image in the e-mail body that either serve the malware directly or via Black Hole exploit kit infected drive-by sites, as seen in the past here.

A slightly different spam campaign involved a message body whose only visible part was an image file downloaded from a remote server. A closer look revealed the presence of invisible text using the popular rgb(255,255,255) spammer trick (white text on a white background), an attempt to evade certain spam filters, as seen in the screenshots below:

screenshot

screenshot
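The white-on-white trick above can be caught on the filter side by measuring how much of a message's text is painted white. As an added example (not Dell SonicWALL's code), a small HTML walker that does this over a constructed message; the sample message, its image URL and the filler text are made up for the example.

```python
import re
from html.parser import HTMLParser

# Inline CSS that paints text white: rgb(255,255,255), #fff/#ffffff or the
# keyword. The lookbehind keeps "background-color: white" from matching.
WHITE_TEXT = re.compile(
    r"(?<![\w-])color\s*:\s*(?:rgb\(\s*255\s*,\s*255\s*,\s*255\s*\)"
    r"|#fff(?:fff)?(?![0-9a-f])|white)", re.I)
VOID_TAGS = {"img", "br", "hr", "input", "meta", "link", "area", "base", "col"}


class HiddenTextFinder(HTMLParser):
    """Splits text nodes into those inside a white-styled element and the rest."""

    def __init__(self):
        super().__init__()
        self.white = []    # one flag per open element: is text inside it white?
        self.hidden, self.visible = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return         # no text content and no end tag to balance
        style = dict(attrs).get("style") or ""
        inherited = self.white[-1] if self.white else False
        self.white.append(inherited or bool(WHITE_TEXT.search(style)))

    def handle_startendtag(self, tag, attrs):
        pass               # <x/> has no text content; keep the stack balanced

    def handle_endtag(self, tag):
        if self.white:
            self.white.pop()

    def handle_data(self, data):
        text = " ".join(data.split())
        if text:
            (self.hidden if self.white and self.white[-1] else self.visible).append(text)


def hidden_text_ratio(html):
    """Return (fraction of text characters that are white-on-white, hidden fragments)."""
    finder = HiddenTextFinder()
    finder.feed(html)
    finder.close()
    hidden = sum(len(t) for t in finder.hidden)
    total = hidden + sum(len(t) for t in finder.visible)
    return (hidden / total if total else 0.0), finder.hidden


# Constructed message in the shape described above: a remote image is the only
# visible content and a white-on-white paragraph carries the filler text.
SAMPLE_EMAIL = """<html><body>
<p><img src="http://cdn.example/promo.jpg" alt="offer"></p>
<p style="color: rgb(255,255,255); font-size: 1px">
  meeting minutes quarterly report attached please review thanks regards
</p>
<p style="background-color: white; color: #333">Unsubscribe</p>
</body></html>"""
```

A message whose hidden ratio is high (here roughly 0.86) is worth scoring as suspicious; the parser is deliberately approximate and ignores stylesheet rules, so treat it as one signal among several.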

Geographical distribution of unique spam targets and sources for campaigns involving Gamarue worm can be seen below:

screenshot

screenshot

Dell SonicWALL Gateway AntiVirus provides protection against these threats with the following signatures:

  • GAV: Androm.DD (Trojan)
  • GAV: Androm.DE (Trojan)
  • GAV: Androm.SA (Trojan)
  • GAV: Cridex.E_2 (Trojan)
  • GAV: Zbot.AAT#email (Trojan)

Oracle JVM Bytecode Verifier Flaw (July 20, 2012)

Java is a programming platform owned by Oracle, which is used for developing cross-platform applications. Java programs run in multiple environments including embedded devices, and smart phones. Java is distributed as the Java Runtime Environment (JRE) and the Java Development Kit (JDK).

The JRE is a software package that allows for running of Java applications. It provides a Java Virtual Machine (JVM) which programs are run on. A browser, such as Internet Explorer or Firefox can download, and locally execute Java applets that are embedded in a Web page. A Java applet is a Java application delivered to users in the form of Java bytecode. Java applets are executed in a sandbox, preventing them from accessing local data on the host filesystem.
Three major components comprise the base Java security sandbox. These are the bytecode verifier, the class loader, and the security manager. Each of these components must work properly in order for Java to perform in a secure fashion. Type safety is the most essential element of Java’s security. Type safety means that a program cannot perform an operation on an object unless that operation is valid for that object. The JVM has to make sure that bytecode doesn’t violate any security restrictions.

A vulnerability exists in Oracle’s JVM implementation, HotSpot. The HotSpot bytecode verifier performs incorrect optimization when processing certain bytecode access instructions. Whenever one of the affected access instructions on a field is verified, the result is cached. Other access instructions on the same field and in the same method are subsequently not verified due to the cached result. This can lead to execution of instructions that otherwise would fail verification. Exploitation of this flaw can be used to achieve a type confusion scenario which may result in bypass of sandbox restrictions.

In order to exploit this vulnerability, an attacker must entice the target user to visit a site which hosts a malicious Java applet. Successful exploitation could result in the execution of arbitrary Java code with full privileges of the currently logged in user.

Dell SonicWALL has released an IPS signature to address a known exploit. The following signature was released:

  • 8304 – Oracle JRE Hotspot Remote Code Execution

This vulnerability has been assigned the id CVE-2012-1723 by mitre.
The vendor has released an advisory addressing this issue.

Spam containing Cridex Banking Trojan on the rise (July 13, 2012)

Dell SonicWALL Threats Research team observed an increase in spam themes containing a newer variant of the Cridex Banking Trojan. We observed two different spam themes serving this Trojan, one of which purported to be from United Postal Service with an invoice attached. The other theme enticed the user to open scandalous pictures in the attachment. The zipped attachments in these emails contain a newer variant of the Cridex Banking Trojan. We have observed this Trojan being served through other spam themes in the past, as attachments as well as links leading to exploit kits.

Sample of the spam themes used is shown below:
screenshot

The Trojan inside the zipped attachment looks like:
screenshot

The Cridex Trojan when executed performs the following activities:

  • It creates the following files:
    • %appdata%\KB00052230.exe (Copy of itself) [Detected as GAV: Cridex.E (Trojan)]
    • %appdata%\{RandomHex}\{RandomHex} (Files that contain intercepted banking credentials)
    • %temp%\exp1E.tmp.bat (Batch file)
  • It creates the following registry keys:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: “%appdata%\KB00052230.exe”
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S38C2CF0E (List of banks, injection scripts and configuration is stored in this key)
  • The bat file “%temp%\exp1E.tmp.bat” contains directives to delete the original executable and itself:

    screenshot

  • It contacts one of the hardcoded C&C servers to report infection and download the configuration file:

    screenshot

  • It hooks various APIs for code injection and in order to intercept banking credentials:

    screenshot

  • A sample of the configuration file stored in the registry key is shown below:

    screenshot

  • A sample of captured data stored in “%appdata%\{RandomHex}\{RandomHex}” is shown below:

    screenshot

Geographical distribution of spam targets and C&C servers is shown below. It is evident from this data that users of banking institutions in the United States were primarily targeted.

screenshot

screenshot

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Cridex.E (Trojan)
  • GAV: Banker.Q_5 (Trojan)
  • GAV: Banker.PST#email (Trojan)
  • GAV: Banker.PST#email_2 (Trojan)

Microsoft Security Bulletin Coverage (July 10, 2012)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of July, 2012. A list of issues reported, along with Dell SonicWALL coverage information follows:

MS12-043 Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2722479)

  • CVE-2012-1889 MSXML Uninitialized Memory Corruption Vulnerability
    IPS: 7967 – Microsoft XML Core Services Uninitialized Object Access 1

MS12-044 Cumulative Security Update for Internet Explorer (2719177)

  • CVE-2012-1522 Cached Object Remote Code Execution Vulnerability
    IPS: 8124 – HTTP Client Shellcode Exploit 70a
  • CVE-2012-1524 Attribute Remove Remote Code Execution Vulnerability
    IPS: 8120 – Suspicious Javascript Attribute Remove Code

MS12-045 Vulnerability in Microsoft Data Access Components Could Allow Remote Code Execution (2698365)

  • CVE-2012-1891 ADO Cachesize Heap Overflow RCE Vulnerability
    IPS: 8119 – Microsoft ADO Cachesize Heap Overflow Exploit

MS12-046 Vulnerabilities in Visual Basic for Applications Could Allow Remote Code Execution (27907960)

  • CVE-2012-1854 Visual Basic for Applications Insecure Library Loading Vulnerability
    IPS: 1023 – Binary Planting Attempt 1
    IPS: 5726 – Binary Planting Attempt 2
    IPS: 6847 – Binary Planting Attempt 3

MS12-047 Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2718523)

  • CVE-2012-1890 Keyboard Layout Vulnerability
    This is a local vulnerability. There is no feasible method of detection at gateway level.
  • CVE-2012-1893 Win32k Incorrect Type Handling Vulnerability
    This is a local vulnerability. There is no feasible method of detection at gateway level.

MS12-048 Vulnerability in Windows Shell Could Allow Remote Code Execution (2691442)

  • CVE-2012-0175 Command Injection Vulnerability
    IPS: 8118 – Suspicious Filename Transfer Through SMB

MS12-049 Vulnerability in TLS Could Allow Information Disclosure (2655992)

  • CVE-2012-1870 TLS Protocol Vulnerability
    There is no feasible method of detection at gateway level.

MS12-050 Vulnerabilities in SharePoint Could Allow Elevation of Privilege (2695502)

  • CVE-2012-1858 HTML Sanitization Vulnerability
    IPS: 7960 – Cross-Site Scripting (XSS) Attempt 32
  • CVE-2012-1859 XSS scriptresx.ashx Vulnerability
    IPS: 1849 – Cross-Site Scripting (XSS) Attempt 20
  • CVE-2012-1860 Sharepoint Search Scope Vulnerability
    There is no feasible method of detection at gateway level.
  • CVE-2012-1861 SharePoint Script in Username Vulnerability
    There is no feasible method of detection at gateway level.
  • CVE-2012-1863 Sharepoint Reflected List Parameter Vulnerability
    IPS: 1849 – Cross-Site Scripting (XSS) Attempt 20

MS12-051 Vulnerability in Microsoft Office for Mac Could Allow Elevation of Privilege (2721015)

  • CVE-2012-1894 Office for Mac Improper Folder Permissions Vulnerability
    There is no feasible method of detection at gateway level.

ACH Transfer spams serve Banking Trojan (July 6, 2012)

The Dell Sonicwall UTM research team has been observing a recent increase in drive-by-download infections. These infections utilize the Blackhole Exploit and usually arrive in the form of spam masquerading as a legitimate company notification containing a malicious link.

The spam observed uses the following text and contains a malicious link:

The link takes the user to a malicious webpage that pretends to load a doc file containing further information:

The webpage contains javascript code that employs the Blackhole Exploit [Detected as Blacole.JI_2 (Exploit)]:

The exploit causes the download of a Cridex Banking Trojan variant:

The Trojan creates the following files on the filesystem:

  • %APPDATA%\KB00097753.exe [Detected as GAV: Banker.M_10 (Trojan)]
  • %APPDATA%\AB45AF71\AB45AF71.DAT
  • %APPDATA%\AB45AF71\AB45AF71.DAT.DAT

The Trojan creates the following registry key in the Windows registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run KB00097753.exe “%APPDATA%\KB00097753.exe”
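The persistence entries reported for this Cridex variant, the earlier Cridex sample (%appdata%\KB00052230.exe under Run), the Taliban-lure bot (C:\lsass.exe under Run) and FinSpy (the mssounddx service pointing into %appdata%) all share a shape that a host check can look for. As an added example (not Dell SonicWALL's code), a scanner over a constructed registry export in the text form produced by reg export; the key paths follow the alerts above, while the user name, value names and the benign OneDrive entry are assumptions.

```python
import re

# One string value per line inside a [key] block, as reg export writes them.
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

# Why an autostart target is suspicious. The patterns follow the alerts above:
# binaries started from the user profile, from the drive root, or reusing a
# Windows system binary name outside System32.
SUSPICIOUS = [
    (re.compile(r"\\appdata\\", re.I), "autostart binary under %APPDATA%"),
    (re.compile(r"^[a-z]:\\[^\\]+\.(exe|sys)$", re.I), "binary directly in drive root"),
    (re.compile(r"(?<!system32\\)lsass\.exe$", re.I), "system binary name outside System32"),
]


def parse_reg_export(text):
    """Yield (key, value name, data) for string values in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        match = REG_VALUE.match(line) if key else None
        if match:
            # reg export doubles backslashes inside string data; undo that.
            yield key, match["name"], match["data"].replace("\\\\", "\\")


def is_autostart(key, name):
    """Run-key values and service ImagePath values both execute at boot/logon."""
    k = key.lower()
    return k.endswith("\\currentversion\\run") or (
        "\\services\\" in k and name.lower() == "imagepath")


def find_suspicious_autostarts(text):
    """Return (key, name, data, reasons) for autostart entries matching SUSPICIOUS."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if not is_autostart(key, name):
            continue
        reasons = [why for pattern, why in SUSPICIOUS if pattern.search(data)]
        if reasons:
            hits.append((key, name, data, reasons))
    return hits


# Constructed export mixing a benign entry with entries shaped like the alerts.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Program Files\\OneDrive\\OneDrive.exe"
"KB00052230"="C:\\Users\\alice\\AppData\\Roaming\\KB00052230.exe"
"workstations"="C:\\lsass.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssounddx]
"ImagePath"="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Installer\\mssounddx.sys"
"Start"=dword:00000002
"""
```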

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Banker.M_10 (Trojan)
  • GAV: Blacole.JI_2 (Exploit)