Oracle AutoVue Office Desktop API Issue (July 6, 2012)

Oracle’s AutoVue solutions are designed to meet all of an organization’s document visualization requirements. They can serve as the window for visualization across all enterprise applications and can even meet the basic viewing needs of individual desktops. AutoVue includes tools for Electronic Design Automation (EDA), a category of software tools for designing electronic systems such as printed circuit boards (PCB) and integrated circuits.

Oracle’s AutoVue solutions comprise multiple products, including AutoVue 3D Professional Advanced, AutoVue Office, AutoVue Integrations and AutoVue EDA Professional. Oracle’s AutoVue Office delivers native document viewing and digital annotation capabilities for Microsoft Office, portable document format (PDF), and graphic document types. Users can view, print, review, and collaborate on hundreds of digital document types without requiring the authoring applications that were used to create them.

A critical vulnerability has been found in Oracle’s AutoVue Office product. It can be exploited over the HTTP protocol and allows remote attackers to affect confidentiality, integrity, and availability through the Desktop API component. It affects Oracle AutoVue version 20.0.2.

The Dell SonicWALL UTM team has researched this vulnerability and will release the following IPS signature to detect it.

  • 8107 Oracle AutoVue Office Desktop API Component Issue

The following generic IPS signatures also provide protection against this issue.

  • 3756 HTTP Client Shellcode Exploit 19a
  • 4095 Client Application Shellcode Exploit 7
  • 4297 Client Application Shellcode Exploit 1
  • 6395 Client Application Shellcode Exploit 23

This vulnerability has been assigned CVE-2012-0549.

Yoshi Bitcoin Mining Botnet (June 29, 2012)

The Dell SonicWALL UTM research team received reports of a continually growing Bitcoin-mining botnet. Bitcoin miner Trojans continue to be an evolving threat. They gather many infected machines together to form a botnet and use public mining pools to contribute to the generation of bitcoins, which can later be converted into fiat currency. Malware of this nature has also been covered in a previous sonicalert.

The Trojan performs the following DNS queries:

      jus{removed}.tf
      dire{removed}.tv
      hot{removed}.com
      s320.hot{removed}.com
      eu.triplemining.com
      eu2.triplemining.com

The Trojan creates the following files on the filesystem:

  • %WINDIR%\system32\conhostd.exe [Detected as GAV: Miner.C (Trojan)]
  • %WINDIR%\system32\svchost64.exe [Detected as GAV: Miner.YSH (Trojan)]

The Trojan creates the following registry key in the Windows registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run conhostd.exe "%WINDIR%\system32\conhostd.exe"

The Trojan makes the following request to determine how to download and run the mining module:

The Trojan downloads a command-line Bitcoin miner from a public file hosting site:

The mining software accepts the following command-line options:

The Trojan also downloads a Bitcoin mining controller module [Detected as GAV: Miner.C (Trojan)]. The module contains the following configuration data:

Upon successful setup, the Trojan invokes the Bitcoin miner. The mining software uses most of the CPU resources of the compromised machine and is also capable of utilizing ATI GPUs, as suggested by the configuration data and command-line options.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Miner.C (Trojan)
  • GAV: Miner.A_2 (Trojan)
  • GAV: Miner.YSH (Trojan)

Apple QuickTime TeXML Buffer Overflow (June 29, 2012)

QuickTime is an extensible proprietary multimedia framework developed by Apple Inc., capable of handling various formats of digital video, picture, sound, panoramic images, and interactivity. The classic version of QuickTime is available for Windows XP and later, as well as Mac OS X Leopard and later operating systems. Apple QuickTime supports a number of native file formats to store images, audio, and movies such as .mov for movies and .pct for image files.

TeXML was developed as an open-source project with the aim of automatically presenting XML data as PDF with sophisticated layout properties. An example of an XML document that has already been transformed into the TeXML structure:

    \documentclass[a4paper]{article}
    \usepackage[latin1]{inputenc}
    \usepackage[T1]{fontenc}

    Misinterpretation of special characters as being functional characters is called "Escaping", thus: $, ^, >

QuickTime TeXML has a specific format for constructing 3GPP-compliant timed text tracks in a QuickTime movie file. The following example demonstrates a typical TeXML file:

    This is a simple run of text.

A stack buffer overflow has been discovered in Apple QuickTime. One of the strings provided in the XML file is copied to a fixed-length stack buffer without prior verification of the string length. A remote attacker can exploit this vulnerability to execute arbitrary code in the context of the vulnerable application.

The Dell SonicWALL UTM team has researched this vulnerability and released the following IPS signatures to protect its customers.

  • IPS: 8056 Apple QuickTime TeXML Handling Buffer Overflow 1
  • IPS: 8057 Apple QuickTime TeXML Handling Buffer Overflow 2

The vulnerability has been assigned CVE-2012-0663.

Microsoft XML Core Services Uninitialized Object Access (June 22, 2012)

Microsoft XML Core Services (MSXML) is a set of services that allow building Windows-native XML-based applications. All MSXML products are exposed as Component Object Model (COM) objects. Each version of MSXML exposes its own set of CLSIDs and ProgIDs.

A memory corruption vulnerability exists in Microsoft XML Core Services. Specifically, the vulnerable MSXML objects fail to handle parameter exceptions when a certain method is invoked. A remote attacker can exploit this vulnerability by enticing a user to open a specially crafted web page. Successful exploitation could result in arbitrary code execution in the context of the currently logged-in user. Failed attacks will cause denial-of-service conditions.

The vulnerability has been assigned CVE-2012-1889.

SonicWALL has released multiple IPS signatures to detect and block specific exploitation attempts targeting this vulnerability. The signatures are listed below:

  • 7967 Microsoft XML Core Services Uninitialized Object Access 1
  • 7968 Microsoft XML Core Services Uninitialized Object Access 2
  • 7969 Microsoft XML Core Services Uninitialized Object Access 3
  • 7970 Microsoft XML Core Services Uninitialized Object Access 4
  • 7971 Microsoft XML Core Services Uninitialized Object Access 5
  • 8007 Microsoft XML Core Services Uninitialized Object Access 6
  • 8008 Microsoft XML Core Services Uninitialized Object Access 7
  • 8009 Microsoft XML Core Services Uninitialized Object Access 8
  • 8010 Microsoft XML Core Services Uninitialized Object Access 9
  • 8011 Microsoft XML Core Services Uninitialized Object Access 10
  • 8012 Microsoft XML Core Services Uninitialized Object Access 11
  • 8013 Microsoft XML Core Services Uninitialized Object Access 12

Live Security Platinum FakeAV infections on the rise (June 20, 2012)

The Dell SonicWALL Threats Research team observed a rise in a FakeAV variant titled “Live Security Platinum”. It was seen spreading in the wild through compromised web pages. As seen in the past, this FakeAV variant uses various scare tactics to convince the user to buy a license in order to disinfect their system. In addition to the usual scare tactics, it was also found redirecting web pages in Internet Explorer to a fake alert page.

On visiting the compromised page, a drive-by infection is triggered without the user’s knowledge. The injected script on the compromised web page is heavily obfuscated and leads to the download and execution of the FakeAV variant:

screenshot

The FakeAV when executed performs the following activities:

  • It creates the following files:
    • %appdata%\529C50D8002841870004330E2830AC72\529C50D8002841870004330E2830AC72.exe (Copy of itself) [Detected as GAV: LiveSecurityPlatinum (Trojan)]
    • %appdata%\529C50D8002841870004330E2830AC72\529C50D8002841870004330E2830AC72 (Data file)
    • %UserProfile%\Desktop\Live Security Platinum.lnk
    • %ProgramFiles%\Live Security Platinum\Live Security Platinum.lnk
  • It creates the following registry keys:
    • HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\RunOnce:529C50D8002841870004330E2830AC72:"%appdata%\529C50D8002841870004330E2830AC72\529C50D8002841870004330E2830AC72.exe"
    • Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains:{removed IP Address}
  • It steals user cookies
  • It connects to remote servers to report infection and for contacting fake payment gateways:

    screenshot

  • Some of the alerts generated are shown below:

    screenshot

    screenshot

    screenshot

  • It hooks GetUrlCacheHeaderData in Wininet.dll to redirect users to a fake alert page in Internet Explorer:

    screenshot

  • It repeatedly prompts the user to buy the product:

    screenshot

    screenshot

  • If the user decides to activate the software, it opens a fake payment page asking for credit card details and personal information:

    screenshot

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: LiveSecurityPlatinum (Trojan)
  • GAV: LiveSecurityPlatinum_2 (Trojan)
  • GAV: LiveSecurityPlatinum_3 (Trojan)
  • GAV: LiveSecurityPlatinum_4 (Trojan)
  • GAV: LiveSecurityPlatinum_5 (Trojan)

Blackhole exploit spam campaigns on the rise (June 15, 2012)

The Dell SonicWALL Threats Research team continued to monitor new spam campaigns that carry malicious URLs in the e-mail body. These URLs point to compromised websites hosting the Blackhole exploit kit, which is currently serving the Cridex banking Trojan. We posted about a similar campaign, the Craigslist spam campaign, last week.

We saw multiple new spam campaigns this week leading to the Blackhole exploit websites serving a new variant of the banking Trojan:

  • American Airlines flight order
  • Amazon.com Order
  • Federal Tax Payment
  • Ebay.com purchase receipt
  • DHL Tracking information
  • Verizon wireless monthly statement (Started earlier today)
  • UPS shipment tracking number (Started earlier today)

We are currently seeing e-mails from the last two campaigns being actively spammed in the wild. The geographic distribution of the Blackhole exploit hosting websites involved in these campaigns over the last two weeks is shown below:

One of the most aggressive campaigns involved e-mails with the subject “RE: URGENT”, whose body contained malicious JavaScript and an iframe leading to the Blackhole exploit sites serving the Cridex banking Trojan. Although the majority of e-mail clients in use today disable iframes by default, some clients, such as Outlook Express, some versions of Outlook, Thunderbird, and Windows Mail, still allow them. Screenshot showing the raw e-mail content from this spam:

If the user’s e-mail client supports HTML and iframes, then simply opening this e-mail would start the infection cycle that we discussed in our previous alert. The malicious code inside the e-mail ensures that a connection is made to a Blackhole exploit site. If the exploit is successfully executed, it will infect the host with the latest variant of the Cridex banking Trojan.
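As an added example, not code from the alert, here is a mail-filter check in Python for the delivery technique described above: it parses a raw message, walks its MIME parts and reports any iframe or script tag found in an HTML body, counting iframes that are sized or styled to be invisible. The sample message, the .invalid host in it and the quarantine rule are constructed assumptions.

```python
from email import message_from_string
from html.parser import HTMLParser


class ActiveContentFinder(HTMLParser):
    """Collects iframe targets, hidden iframes and script tags from an HTML body."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.hidden_iframes = 0
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            self.iframes.append(attrs.get("src", ""))
            if is_hidden(attrs):
                self.hidden_iframes += 1
        elif tag == "script":
            self.scripts += 1


def is_hidden(attrs: dict) -> bool:
    """A 0/1-pixel or display:none iframe exists only to load something silently."""
    dims = [attrs.get("width", ""), attrs.get("height", "")]
    tiny = all(d.strip().rstrip("px") in {"0", "1"} for d in dims)
    style = attrs.get("style", "").replace(" ", "").lower()
    return tiny or "display:none" in style or "visibility:hidden" in style


def scan_message(raw: str) -> dict:
    """Parse a raw RFC 822 message and report active content in its HTML parts."""
    finder = ActiveContentFinder()
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True)
            finder.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
    return {
        "iframes": finder.iframes,
        "hidden_iframes": finder.hidden_iframes,
        "scripts": finder.scripts,
        # Assumed policy: either an iframe or a script is reason to hold the mail.
        "quarantine": bool(finder.iframes) or finder.scripts > 0,
    }


# Constructed sample in the shape of the "RE: URGENT" spam; the host uses a reserved TLD.
SAMPLE_MAIL = """\
From: someone@example.test
To: victim@example.test
Subject: RE: URGENT
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please see the statement below.
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please see the statement below.</p>
<iframe src="http://exploit-host.invalid/main.php" width="1" height="1"
        style="display: none"></iframe>
<script>var placeholder = 1;</script>
</body></html>
--b1--
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE_MAIL))
```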

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Blacole.GB (Exploit)
  • GAV: BlacoleRef.W_2 (Trojan)
  • GAV: Blacole.gen_4 (Exploit)
  • GAV: Cridex.MLX (Trojan)

Microsoft Security Bulletin Coverage (Jun 12, 2012)

SonicWALL has analyzed and addressed Microsoft’s security advisories for June 2012. A list of the issues reported, along with SonicWALL coverage information, follows:

MS12-036 Vulnerability in Remote Desktop Could Allow Remote Code Execution (2685939)

  • CVE-2012-0173 Remote Desktop Protocol Vulnerability
    There is no feasible method of detection at gateway level.

MS12-037 Cumulative Security Update for Internet Explorer (2699988)

  • CVE-2012-1523 Center Element Remote Code Execution Vulnerability
    IPS: 7959 – Microsoft IE Center Element Exploit
  • CVE-2012-1858 HTML Sanitization Vulnerability
    IPS: 7960 – Cross-Site Scripting (XSS) Attempt 32
  • CVE-2012-1872 EUC-JP Character Encoding Vulnerability
    There is no feasible method of detection.
  • CVE-2012-1873 Null Byte Information Disclosure Vulnerability
    IPS: 7961 – Microsoft IE Null Byte Information Disclosure Exploit
  • CVE-2012-1874 Developer Toolbar Remote Code Execution Vulnerability
    IPS: 7962 – Microsoft IE Developer Toolbar Memory Corruption
  • CVE-2012-1875 Same ID Property Remote Code Execution Vulnerability
    IPS: 7963 – Microsoft IE Same ID Property Exploit
  • CVE-2012-1876 Col Element Remote Code Execution Vulnerability
    IPS: 7454 – HTTP Client Shellcode Exploit 35a
  • CVE-2012-1877 Title Element Change Remote Code Execution Vulnerability
    GAV: 20231 – Malformed-File html.MP.5
  • CVE-2012-1878 OnBeforeDeactivate Event Remote Code Execution Vulnerability
    GAV: 20228 – Malformed-File html.MP.4
  • CVE-2012-1879 insertAdjacentText Remote Code Execution Vulnerability
    IPS: 4665 – HTTP Client Shellcode Exploit 13a
  • CVE-2012-1880 insertRow Remote Code Execution Vulnerability
    GAV: 20227 – Malformed-File html.MP.3
  • CVE-2012-1881 OnRowsInserted Event Remote Code Execution Vulnerability
    GAV: 20225 – Malformed-File html.MP.2
  • CVE-2012-1882 Scrolling Events Information Disclosure Vulnerability
    There is no feasible method of detection.

MS12-038 Vulnerability in .NET Framework Could Allow Remote Code Execution (2706726)

  • CVE-2012-1855 .NET Framework Memory Access Vulnerability
    IPS: 7964 – Malformed ZIP File 12

MS12-039 Vulnerabilities in Lync Could Allow Remote Code Execution (2707956)

  • CVE-2011-3402 TrueType Font Parsing Vulnerability
    GAV: 19421 – Malformed.ttf.MP.1
  • CVE-2012-0159 TrueType Font Parsing Vulnerability
    GAV: 18601 – Malformed-File ttf.MP.2
  • CVE-2012-1849 Lync Insecure Library Loading Vulnerability
    IPS: 1023 – Binary Planting Attempt 1
    IPS: 5726 – Binary Planting Attempt 2
    IPS: 6847 – Binary Planting Attempt 3
  • CVE-2012-1858 HTML Sanitization Vulnerability
    IPS: 7960 – Cross-Site Scripting (XSS) Attempt 32

MS12-040 Vulnerability in Microsoft Dynamics AX Enterprise Portal Could Allow Elevation of Privilege (2709100)

  • CVE-2012-1857 Dynamics AX Enterprise Portal XSS Vulnerability
    IPS: 1369 – Cross-Site Scripting (XSS) Attempt 1

MS12-041 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2709162)

  • CVE-2012-1864 String Atom Class Name Handling Vulnerability
    This is a local elevation of privilege vulnerability.
  • CVE-2012-1865 String Atom Class Name Handling Vulnerability
    This is a local elevation of privilege vulnerability.
  • CVE-2012-1866 Clipboard Format Atom Name Handling Vulnerability
    This is a local elevation of privilege vulnerability.
  • CVE-2012-1867 Font Resource Refcount Integer Overflow Vulnerability
    This is a local elevation of privilege vulnerability.
  • CVE-2012-1868 Win32k.sys Race Condition Vulnerability
    This is a local elevation of privilege vulnerability.

MS12-042 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2711167)

  • CVE-2012-0217 User Mode Scheduler Memory Corruption Vulnerability
    This is a local elevation of privilege vulnerability.
  • CVE-2012-1515 BIOS ROM Corruption Vulnerability
    This is a local elevation of privilege vulnerability.

Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2719615)

  • CVE-2012-1889 MSXML Uninitialized Memory Corruption Vulnerability
    IPS: 7967 – ACTIVEX Suspicious ActiveX Method 7
    IPS: 7968 – ACTIVEX Suspicious ActiveX Method 8
    IPS: 7969 – ACTIVEX Suspicious ActiveX Method 9
    IPS: 7970 – ACTIVEX Suspicious ActiveX Method 10
    IPS: 7971 – ACTIVEX Suspicious ActiveX Method 11

Craigslist spam uses Blackhole Exploit to download Cridex Banking Trojan (June 8, 2012)

The SonicWALL UTM research team received reports of a new large spam campaign that uses a fake Craigslist automated message containing a malicious link. The URL inside the e-mail points to a malicious site hosting the Blackhole exploit kit. As we have seen in the past, the Blackhole exploit kit is capable of serving multiple exploits that target Java, Adobe Reader, Adobe Flash Player, Windows Media Player, etc., depending on the victim machine’s configuration. It first attempts to exploit CVE-2006-0003 and, if successful, downloads and runs the Cridex Trojan. Users whose systems are not patched against this security hole need only open the link in their browser to become infected.

The spammed email uses the following text which contains the malicious link:

The web page contains a JavaScript function [Detected as GAV: Expack.PP (Exploit)] that contains encrypted code. The decrypted code contains the following shellcode exploit:

The shellcode decrypts a URL that hosts a variant of the Cridex banking Trojan, which has been covered in a previous sonicalert. It causes the browser to download and execute the Trojan executable:

The Trojan adds the following files to the filesystem:

  • %APPDATA%\KB01217753.exe [Detected as GAV: Cridex.MLX (Trojan)]
  • %USERPROFILE%\21d0fb5.exe (copy of KB01217753.exe) [Detected as GAV: Cridex.MLX (Trojan)]
  • %USERPROFILE%\Local Settings\Temp\exp3E.tmp.bat

KB01217753.exe and 21d0fb5.exe use the following icons:

exp3E.tmp.bat contains the following text:

      @echo off
      :R
      del /F /Q /A "%USERPROFILE%\21d0fb5.exe"
      if exist "%USERPROFILE%\21d0fb5.exe" goto R
      del /F /Q /A "%USERPROFILE%\Local Settings\Temp\exp3E.tmp.bat"

The Trojan adds the following key to the Windows registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "KB01217753.exe" "%AppData%\KB01217753.exe"

The Trojan was observed posting sensitive encrypted system information to a remote server. The behavior of this Trojan is similar to the previous variant:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Cridex.MLX (Trojan)
  • GAV: Expack.PP (Exploit)
  • GAV: Blacole.GB (Exploit)

Symantec Web Gateway Command Execution (June 8, 2012)

Symantec Web Gateway offers web content filtering as well as protection against data loss and malware. It is also capable of SSL decryption, URL filtering and application control. The product exposes a web interface that allows users to administer it and manage further deployments. The interface is accessible via HTTP as well as HTTPS protocols.

The HTTP specification defines a request/response scheme. Requests are sent by clients to a server, which then responds to the clients. Requests for resources may include optional arguments in the request URI. A simplified definition of such a URI follows:

    /<resource>[?<argument>=<value>[&<argument>=<value>[..]]]

Symantec Web Gateway contains a resource, /spywall/releasenotes.php, which returns application release notes. It is exposed by default and accessible through the web interface by unauthenticated users. The request for the resource may be given an argument, relfile, to specify which release notes to provide.

A directory traversal vulnerability exists in the Symantec Web Gateway Management Console. When a request to /spywall/releasenotes.php is made, the releasenotes.php script uses the relfile value without verification to construct an absolute path to a file on the server file system. If the relfile value ends up pointing to a file containing PHP code, that code is executed. The following code snippet of releasenotes.php shows the direct use of the user-supplied CGI variable in the include directive:

    

This vulnerability may be exploited by injecting PHP code through an HTTP request URI, which is logged by the web server. A subsequent request for the log file, using the directory traversal vulnerability, results in the execution of the previously injected code.

Successful exploitation of this vulnerability could cause arbitrary command execution on the target machine. Injected code will be executed in the security context of the target service.
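As an added example rather than the alert's or Symantec's code, the following Python check makes the decision a gateway signature for this issue has to make: does the relfile argument sent to /spywall/releasenotes.php still resolve inside the release-notes directory once it has been percent-decoded (including double encoding)? The resource and parameter names come from the alert; RELEASE_NOTES_DIR, the combined-log field layout and the sample log lines are assumptions constructed here.

```python
import posixpath
from urllib.parse import urlsplit, parse_qs, unquote

VULNERABLE_PATH = "/spywall/releasenotes.php"
# Assumption: the directory releasenotes.php is meant to read from.
RELEASE_NOTES_DIR = "/releasenotes"

def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so a double-encoded '..%252F' collapses too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def relfile_escapes(relfile: str) -> bool:
    """True unless relfile names a file inside RELEASE_NOTES_DIR.

    releasenotes.php builds an absolute path from relfile without checking
    it, so a value that climbs out of the directory, is absolute, or carries
    a NUL byte is not a release-notes request at all.
    """
    decoded = fully_decode(relfile).replace("\\", "/")
    if "\x00" in decoded or decoded.startswith("/"):
        return True
    resolved = posixpath.normpath(posixpath.join(RELEASE_NOTES_DIR, decoded))
    return not resolved.startswith(RELEASE_NOTES_DIR + "/")

def inspect_request_target(target: str) -> bool:
    """True if an HTTP request target abuses relfile on releasenotes.php."""
    parts = urlsplit(target)
    if posixpath.normpath(parts.path) != VULNERABLE_PATH:
        return False
    values = parse_qs(parts.query, keep_blank_values=True).get("relfile", [])
    return any(relfile_escapes(v) for v in values)

def scan_access_log(lines):
    """Yield (line_no, target) for flagged requests in combined-format log lines.

    Assumes the request line is the first double-quoted field, e.g.
    "GET /path?x=y HTTP/1.1", so the target is its second token.
    """
    for number, line in enumerate(lines, 1):
        try:
            target = line.split('"')[1].split(" ")[1]
        except IndexError:
            continue
        if inspect_request_target(target):
            yield number, target

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Jun/2012:10:01:02 +0000] "GET /spywall/releasenotes.php'
    '?relfile=relnotes_5_0.txt HTTP/1.1" 200 512',
    '10.0.0.9 - - [08/Jun/2012:10:01:07 +0000] "GET /spywall/releasenotes.php'
    '?relfile=../../../../etc/issue HTTP/1.1" 200 991',
    '10.0.0.9 - - [08/Jun/2012:10:01:09 +0000] "GET /spywall/releasenotes.php'
    '?relfile=..%252F..%252Fetc%252Fissue HTTP/1.1" 200 991',
    '10.0.0.7 - - [08/Jun/2012:10:02:00 +0000] "GET /index.php'
    '?relfile=../../x HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for number, target in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: relfile traversal in {target}")
```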

Dell SonicWALL has released an IPS signature to address this issue. The following signature was released:

  • 7954 – Symantec Web Gateway Management Shell Command Execution Attempt

In addition to the signature released specifically for this vulnerability, Dell SonicWALL has multiple existing signatures that detect and block exploit code and are known to have proactively blocked exploitation attempts targeting this vulnerability.

This vulnerability has been assigned CVE-2012-0297 by MITRE.
The vendor has released an advisory addressing this issue.

New Flamer Worm seen in targeted attacks (May 29, 2012)

The Dell SonicWALL Threats Research team received reports of a new sophisticated Worm employed in targeted attacks in the Middle East. This Worm, dubbed Flamer/SkyWiper, was found to contain multiple modules and has the ability to steal user information and propagate further.

The components of the Worm were found to be written in Visual C++ (.OCX files) and the Lua scripting language. It was also found to use SQLite to store information. The combined size of the Flamer Worm’s modules was found to be approximately 17 MB, which shows that a significant amount of code and features were implemented as part of the Worm. The main module of the Worm, “mssecmgr.ocx”, contains the following exported functions:

screenshot

The Worm, when activated through the exported function “DDEnumCallback”, performs the following activities:

  • It injects code into services.exe, winlogon.exe and iexplorer.exe
  • It creates the following files:
    • %windir%\system32\mssecmgr.ocx (Copy of itself) [Detected as GAV: Flamer.A (Worm)]
    • %windir%\system32\advnetcfg.ocx [Detected as GAV: Flamer.A (Worm)]
    • %windir%\system32\msglu32.ocx [Detected as GAV: Flamer.A (Worm)]
    • %windir%\system32\nteps32.ocx [Detected as GAV: Flamer.A (Worm)]
    • %windir%\system32\boot32drv.sys (Encrypted Data)
    • %windir%\system32\ccalc32.sys (Encrypted Data)
    • %windir%\Ef_trace.log (Encrypted Data)
    • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\dstrlog.dat (Encrypted Data)
    • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\mscrypt.dat (Encrypted Data)
    • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\ntcache.dat (Encrypted Data)
    • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\ssitable (Encrypted Data)
    • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\rccache.dat (Empty file)
    • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr\lmcache.dat (Empty file)
    • %ProgramFiles%\Common Files\Microsoft Shared\MSAudio (Encrypted Data)
    • %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\wavesup3.drv (Copy of itself) [Detected as GAV: Flamer.A (Worm)]
    • %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\wpgfilter.dat (Encrypted Data)
    • %ProgramFiles%\Common Files\Microsoft Shared\MSAudio\audfilter.dat (Empty file)
  • It modifies the following registry keys to ensure the infection persists after reboot:
    • HKLM\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages:"msv1_0 mssecmgr.ocx"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32:wave9:"%ProgramFiles%\Common Files\Microsoft Shared\MSAudio\wavesup3.drv"
  • It creates the following mutexes:
    • TH_POOL_SHD_PQOISNG_{PID}SYNCMTX
    • TH_POOL_SHD_MTX_FSW95XQ_{PID}
    • {DRIVE}__program files_common files_microsoft shared_mssecuritymgr_mscrypt.dat
    • {DRIVE}__program files_common files_microsoft shared_mssecuritymgr_ssitable
  • Some of the commands and functions used by the Worm are shown below:

    screenshot

  • In our analysis, it was seen contacting the following command and control servers:

    screenshot
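The persistence entries listed in this alert and in the Yoshi, Live Security Platinum and Cridex alerts above share a few shapes, and the following Python audit, added here rather than taken from the alerts, flags each of them in a snapshot of registry values: Run/RunOnce entries launched from a user profile directory, named with a 32-hex-digit identifier or imitating a system binary; any LSA authentication package other than msv1_0; and Drivers32 entries that point outside system32. The snapshot is constructed from the alerts' own entries plus one benign one; the SYSTEM_NAMES list and the use of CurrentControlSet are assumptions.

```python
import ntpath
import re

RUN_KEYS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce")
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
DRIVERS32_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
# Assumed list of genuine Windows binaries that conhostd.exe / svchost64.exe imitate.
SYSTEM_NAMES = {"svchost.exe", "conhost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
PROFILE_DIRS = ("%appdata%", "%localappdata%", "%userprofile%", "%temp%")
HEX_ID = re.compile(r"^[0-9a-f]{32}$", re.I)
SYSTEM32 = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")

def first_token(command: str) -> str:
    """Executable path of a Run value, without surrounding quotes or arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]

def is_lookalike(filename: str) -> bool:
    """Starts like a system binary (conhost, svchost, ...) but is not one."""
    name = filename.lower()
    return name not in SYSTEM_NAMES and any(name.startswith(s[:-4]) for s in SYSTEM_NAMES)

def audit_run_entries(values: dict) -> list:
    """Run/RunOnce: profile-directory launch, 32-hex-digit names, lookalike names."""
    findings = []
    for name, command in values.items():
        exe = first_token(command)
        filename = ntpath.basename(exe)
        if exe.lower().startswith(PROFILE_DIRS):
            findings.append((name, "autorun launched from a user profile directory"))
        if HEX_ID.match(name) or HEX_ID.match(ntpath.splitext(filename)[0]):
            findings.append((name, "32-hex-digit identifier used as a name"))
        if is_lookalike(filename):
            findings.append((name, f"lookalike of a system binary: {filename}"))
    return findings

def audit_lsa_packages(packages: list) -> list:
    """Flamer listed mssecmgr.ocx next to msv1_0 so LSA loads it at every boot."""
    return [(p, "unexpected LSA authentication package") for p in packages if p.lower() != "msv1_0"]

def audit_drivers32(values: dict) -> list:
    """Drivers32 data is normally a bare filename resolved from system32; Flamer's
    wave9 entry pointed at a full path under Common Files instead."""
    return [(name, f"driver loaded from outside system32: {target}")
            for name, target in values.items()
            if "\\" in target and not target.lower().startswith(SYSTEM32)]

def audit_snapshot(snapshot: dict) -> list:
    """Run every check over a {key: {value_name: data}} snapshot; yields (key, name, reason)."""
    findings = []
    for key in RUN_KEYS:
        findings += [(key, *f) for f in audit_run_entries(snapshot.get(key, {}))]
    lsa = snapshot.get(LSA_KEY, {}).get("Authentication Packages", [])
    findings += [(LSA_KEY, *f) for f in audit_lsa_packages(lsa)]
    findings += [(DRIVERS32_KEY, *f) for f in audit_drivers32(snapshot.get(DRIVERS32_KEY, {}))]
    return findings

# Constructed snapshot: one benign entry plus the persistence entries from the alerts.
LSP_ID = "529C50D8002841870004330E2830AC72"
SNAPSHOT = {
    RUN_KEYS[0]: {"ctfmon": r"C:\Windows\System32\ctfmon.exe",
                  "conhostd.exe": r'"%WINDIR%\system32\conhostd.exe"',
                  "KB01217753.exe": r'"%AppData%\KB01217753.exe"'},
    RUN_KEYS[1]: {LSP_ID: f'"%appdata%\\{LSP_ID}\\{LSP_ID}.exe"'},
    LSA_KEY: {"Authentication Packages": ["msv1_0", "mssecmgr.ocx"]},
    DRIVERS32_KEY: {"wave": "wdmaud.drv",
                    "wave9": r"%ProgramFiles%\Common Files\Microsoft Shared\MSAudio\wavesup3.drv"},
}
```

Running `audit_snapshot(SNAPSHOT)` returns six findings: the conhostd.exe lookalike, the two profile-directory autoruns (one of them also flagged for its hex identifier), the extra LSA package and the wave9 driver path.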

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Flamer.A (Worm)
  • GAV: Malicious Certificate 1 (Exploit)
  • GAV: Malicious Certificate 2 (Exploit)