Zeus P2P variant served via spammed Blackhole exploit links (Mar 2, 2012)

SonicWALL UTM Research team observed reports of multiple spam campaigns leading to websites infected with the Blackhole exploit kit. The most recent campaign involved e-mails pretending to be from the Better Business Bureau, warning the user of a customer complaint against them and containing a link to the alleged complaint report. Another related spam campaign involved e-mails pretending to be from Intuit Inc. customer service, informing the user of a software order purchase and containing a link to view the order information.

SonicWALL has received more than 1000 copies of e-mails from these campaigns in the past few days. In both campaigns, the URL inside the message leads the user to a compromised website running the Blackhole exploit kit, which was also recently featured in a mass defacement of WordPress-based websites. The Blackhole exploit kit on these sites targets known Java VM vulnerabilities and, upon successful exploitation, downloads and runs a new Zeus variant with P2P capabilities.

Please note that in our test labs, machines running the latest Java version 6 update 31 were not compromised. It is highly recommended that users keep their Java software updated.

The sample e-mail messages are shown below:

screenshot

screenshot

If the user clicks on the link then a temporary loading page will appear while the Blackhole exploit kit runs in the background:

screenshot

screenshot

The downloaded Zeus P2P variant file looks like below:

screenshot

It modifies the registry to ensure that the dropped Zeus P2P variant gets executed on system reboot, and also modifies the Windows Firewall policy to open UDP port 29833 and TCP port 26645 for P2P communication with the other bots, as seen below:

screenshot

SonicWALL Gateway AntiVirus provides proactive protection against this spam campaign via the following signatures:

  • GAV: Zbot.gen_246 (Trojan)
  • GAV: Blacole.gen (Trojan)

screenshot

German users targeted in Vodafone Spam Campaign (Mar 8, 2012)

SonicWALL UTM Research team discovered a new spam campaign targeting users in Germany. The e-mail, pretending to be from Vodafone, informs the recipient that their new Vodafone bill has been generated and is attached to the e-mail. The PDF attachment is malicious and, if opened, attempts to exploit Adobe Reader via heap spray, which in turn downloads a Trojan and executes it.

The spam campaign is shown below:

screenshot

The spam e-mail is in German and is translated below:

screenshot

We discovered the following on analysis of the attached PDF:

  • The PDF attachment contains obfuscated malicious JavaScript, shown below:

    screenshot

  • The JavaScript, when deobfuscated, was found to exploit Adobe Reader and use heap spray to load and execute shellcode:

    screenshot

  • On inspecting the shellcode used in the heap spray, we discovered that it downloads and executes a Trojan from a remote URL:

    screenshot

The downloaded Trojan performs the following activities:

  • It injects code into csrss.exe
  • It checks for connectivity to the Internet by querying google.com
  • It creates the following file:
    • %windir%\system32\wink.exe (Copy of itself) [Detected as GAV: Inject.DCGC (Trojan)]
  • It creates the following registry entry to add itself as a debugger for the userinit.exe process. This ensures it is executed in the execution sequence of userinit.exe at Windows logon:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe Debugger “wink.exe”
  • It posts data to a remote server:

    screenshot

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Pidief.AWT (Exploit)
  • GAV: Inject.DCGC (Trojan)

New LockScreen Ransomware Trojan in the wild (Mar 15, 2012)

The SonicWALL UTM Research team discovered a new Ransomware Trojan in the wild originating from Russia but targeting UK users. Ransomware simply extorts money from its victims by denying access to the desktop until a sum of money is paid. This type of LockScreen Ransomware has also been covered in a previous SonicAlert.

Once infected, the Trojan pops up the following screen giving a fake justification as to why it is locked:

The screen is positioned to be always-on-top of other windows. The desktop is thus locked until the correct lock code is entered.

The Trojan makes the following changes to the windows registry:

Enables startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “{original run path}”

Disables Safe Mode by renaming the following keys:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\mini
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\net

The Trojan contains functionality to disable taskmgr.exe, msconfig.exe, regedit.exe and cmd.exe:

The Trojan contains code to report to a remote server and provide backdoor functionality:

Upon further analysis, we discovered two plaintext unlock keys embedded in the executable code. The keys “end!” and “892736loker” can be used to temporarily unlock the desktop. However, these keys do not remove the Trojan from the system. The Trojan lockscreen will appear on next reboot.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: LockScreen.AKE (Trojan)

Wells Fargo Account Update Downloader Trojan (Mar 21, 2012)

SonicWALL UTM Research team observed a spam campaign targeting Wells Fargo users. The e-mails, pretending to be from WellsFargo.com, inform the recipient about a fake online transaction and ask the user to open the attached document for more details. The zipped attachment in the e-mail contains a malicious Downloader Trojan.

A sample e-mail message from this campaign looks like:

Subject: Wells Fargo Checking Account Update

Attachment: WellsFargo–CheckingAccount-Status-Report-9YXPZ-March-2012.zip
contains WellsFargo–CheckingAccount-Status-Report-March-2012.exe

Message Body:
wellsfargo.com

An update on your checking account activity

Here is the update you requested for your Wells Fargo checking account XXXXXX0375.

Balance Summary
Ending Balance: $4,672.21
Available Balance (as of Tue, 20 Mar 2012 15:19:37 +0100): $5,812.49

Deposits
ONLINE TRANSFER REF #IBE7128074 FROM CHECKING XXXXXX9245 ON 01/22/12 $757.00

This information is accurate as of Tue, 20 Mar 2012 15:13:37 +0100. For the most current balance and more account details, open attached report and go to Account Activity Section for this account.

If you have questions, Wells Fargo Online Customer Service is available 24 hours a day, 7 days a week. Call us at 1-800-956-4442 or sign on to send a secure email.

wellsfargo.com | Fraud Information Center

Note about balances: Ending balance reflects transactions that have posted to your account and does not reflect pending deposits or withdrawals. The available balance is an indication of funds that are available to you today; however, it may not reflect all transactions that you may have initiated or authorized. Available Balance – This is the amount of money you have in your account that is available for withdrawal. It reflects the latest balance based on transactions posted to your account, including deposited funds, paid checks, withdrawals, and purchases made with your ATM Card or Debit Card. Please note that some transaction activity (such as outstanding checks and some Debit Card purchases) may take several days to post to your account and, therefore, may not be reflected in the available balance. Some deposits made in a store or ATM may not be immediately available for withdrawal or to cover other transactions. Please do not reply to this email directly. To ensure a prompt and secure response, sign on to email us. To modify or cancel your alerts, sign on, go to Messages & Alerts, and select Set Up/Modify Alerts.

If the user opens the malicious file, it performs the following activities on the victim machine:

  • The original process starts a svchost.exe process, injects code into it and terminates.
  • The injected process deletes the original file and drops a copy of the original file to the Windows System directory:
    • (SYSTEM32)\C9E053BA24B5EF92B076.exe (Random 20-character alphanumeric filename)

  • Modifies the Winlogon registry key to ensure that it runs on system reboot:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit = “(System32)\userinit.exe,(System32)\C9E053BA24B5EF92B076.exe,”

  • Drops a fake Trusteer Trojan at (Windows)\RPService.exe and runs it as:
    • (Windows)\RPService.exe –install [Detected as GAV: Injector.DKFL (Trojan)]

  • Performs registry modifications:
    • HKLM\SOFTWARE\Classes\.eze: “MyEze.1”
    • HKLM\SOFTWARE\Classes\MyEze.1\shell\open\command: “%SystemRoot%\system32\RPService.exe %0 %1 %2”
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportMgmtService.exe\Debugger: “RPService.exe”
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportService.exe\Debugger: “RPService.exe”
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportSetup-Full.exe\Debugger: “RPXService.exe”
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportSetup.exe\Debugger: “RPXService.exe”

  • Drops a copy of itself at (Program Files)\Trusteer\Rapport\bin\RapportService.exe
  • Attempts to connect to the fast-flux domains skironi.com and herdcave.ru and sends the following requests:
    • GET /home/credit.php?id=(REMOVED)&stat=0
    • POST /paris.php
  • Connects to a compromised site located in the U.S., downloads additional malware executables to the user's Temp directory and runs them:

    Zeus Bot (zero AV detection at the time of writing this alert)

    • Downloads hotel(REMOVED)/francais/bk/aas.exe [Detected as GAV: Injector.DKFL (Trojan)]
    • It drops and runs a batch file (Temp)\tmp61db87ea.bat to disable automatic Windows Update and Windows security services.

    • It drops a copy of itself to (AppData)\Udtakapotoza.exe and runs it
    • It drops and runs another batch file (Temp)\tmp61db87ea.bat to delete the original file.

    Rootkit dropper

    • Downloads hotel(REMOVED)/francais/bk/umc.exe [Detected as GAV: MalAgent.LSS (Trojan)]
    • Copies itself to the user directory as (Documents and Settings)\UserName\2g9oda1c0l.exe
    • Creates a registry entry to ensure that it runs on system reboot:
      • HKEY_USERS\UserID\Software\Microsoft\Windows\CurrentVersion\Run 2g9oda1c0l = “(Documents and Settings)\UserName\2g9oda1c0l.exe”

    • Attempts to connect to the following domains using HTTPS:

    • Downloads a rootkit [Detected as GAV: Kryptik.HT_2 (Trojan)] from one of the above servers using SSL and then goes dormant for 12 hours.


SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Trustezeb.A_7 (Trojan)
  • GAV: FakeTruste.A (Trojan)
  • GAV: Injector.DKFL (Trojan)
  • GAV: MalAgent.LSS (Trojan)

Microsoft Security Bulletin Coverage (April 10, 2012)

SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of April, 2012. The summary from the vendor can be found here. A list of issues reported, along with SonicWALL coverage information, follows:

MS12-023 Cumulative Security Update for Internet Explorer (2675157)

  • CVE-2012-0168 Print Feature Remote Code Execution Vulnerability
    No public information is available.
  • CVE-2012-0169 JScript9 Remote Code Execution Vulnerability
    Race condition, not detectable on the wire.
  • CVE-2012-0170 OnReadyStateChange Remote Code Execution Vulnerability
    IPS: 7694
  • CVE-2012-0171 SelectAll Remote Code Execution Vulnerability
    IPS: 7695
  • CVE-2012-0172 VML Style Remote Code Execution Vulnerability
    IPS: 7696

MS12-024 Vulnerability in Windows Could Allow Remote Code Execution (2653956)

  • CVE-2012-0151 WinVerifyTrust Signature Validation Vulnerability
    SPY: 3583

MS12-025 Vulnerability in .NET Framework Could Allow Remote Code Execution (2671605)

  • CVE-2012-0163 .NET Framework Parameter Validation Vulnerability
    SPY: 3584

MS12-026 Vulnerabilities in Forefront Unified Access Gateway (UAG) Could Allow Information Disclosure (2663860)

  • CVE-2012-0146 UAG Blind HTTP Redirect Vulnerability
    No public information is available.
  • CVE-2012-0147 Unfiltered Access to UAG Default Website Vulnerability
    Cannot distinguish between normal and attack traffic.

MS12-027 Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2664258)

MS12-028 Vulnerability in Microsoft Office Could Allow for Remote Code Execution (2639185)

  • CVE-2012-0177 Office WPS Converter Heap Overflow Vulnerability
    SPY: 3582

Stiniter Android Trojan uses new techniques (Mar 28, 2012)

SonicWALL UTM Research team received reports of a new sophisticated Trojan targeting the Android platform. This Trojan, called Stiniter/TGLoader, is a modified version of an Android game with an additional malicious service. During our analysis we found that the Trojan was installing multiple modules (ELF and APK), contacting a remote command and control server and sending messages to a premium rate number.

When the rogue application is run, it in turn installs 4 ELF executable modules and 3 Android applications. The sequence of events on execution is shown below:

screenshot

The installed Android applications use misleading names and were found to be using the following permissions:

  • GoogleService:
    • Modify/delete SD card contents
    • Read phone state and identity
    • Start at boot
  • GoogleSMS:
    • Send SMS messages
    • Read phone state and identity
  • Unlock:
    • Modify/delete SD card contents
    • Read phone state and identity
    • Prevent phone from sleeping
    • Disable keylock

It performs the following activities:

  • It drops the following files and modifies their permission using ‘chmod 777’:
    • /data/data/android.gdwsklzz.com/googleservice.apk
    • /data/data/android.gdwsklzz.com/googlemessage.apk
    • /data/data/android.gdwsklzz.com/unlock.apk
    • /data/data/android.gdwsklzz.com/start
    • /data/data/android.gdwsklzz.com/initr
    • /data/data/android.gdwsklzz.com/keeper
    • /data/data/android.gdwsklzz.com/ts
  • It disables keyguard and prevents the processor from going to sleep.
  • It remounts the /system/ folder on the device with write privileges.
  • It sends device information to a remote server:
      screenshot
  • It has the ability to send touchscreen events.
  • It downloads the configuration file containing the number for premium rate messaging from a remote server:
      screenshot
  • It sends SMS messages to the premium rate number in the configuration file.

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: AndroidOS.Stiniter.B (Trojan)

AryaN IRC Botnet discovered in the wild (April 5, 2012)

The SonicWALL Threat Research team discovered a new IRC bot Trojan in the wild with DDoS (Distributed Denial of Service) functionality. This Trojan also has the ability to spread through USB removable drives and update itself over the Internet.

Once run, the Trojan injects code into explorer.exe and exits. The injected code contains an IRC bot [Detected as GAV: Agent.ADC (Trojan)]. The injected code deletes the original malware file.

The Trojan makes the following DNS requests:

The Trojan determines its IP address by making a request to wipmania.com. It then proceeds to join channel #!y! on a private IRC server.

The bots idle on IRC awaiting further instructions from their author. They are given names according to bot type, geographical location, operating system version and CPU architecture, as seen in the screenshot below:

The Trojan contains the ability to spread through USB removable drives. It also contains UDP flooding functionality for DDoS (distributed denial of service) attacks:

Upon further analysis we found that the Trojan also contains the ability to update itself by downloading a new version from a remote web server.

The Trojan adds the following file to the file system:

  • C:\Documents and Settings\{USER}\Application Data\svhost.exe [Detected as GAV: Agent.ADC (Trojan)]

The Trojan adds the following keys to the Windows registry to enable startup after system reboot:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svhost.exe “C:\Documents and Settings\{USER}\Application Data\svhost.exe”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run svhost.exe “C:\Documents and Settings\{USER}\Application Data\svhost.exe”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run egregregerfwde “C:\Documents and Settings\{USER}\Application Data\svhost.exe”

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: IRCbot.AYN (Trojan)
  • GAV: Agent.ADC (Trojan)

Zeus Wire Transfer targeted attacks (April 12, 2012)

SonicWALL Threat Research team spotted a wave of wire transfer fraud e-mails in the wild starting early this morning. The e-mail notifies the user about a recent wire transaction that was cancelled and asks the user to open the attached HTML file or visit a URL specified in the e-mail body. If the user opens the attached HTML file or visits the URL inside the e-mail, they will be redirected to a Phoenix Exploit site serving malware.

Below are the sample e-mails we saw from this campaign:

The HTML attachment contains obfuscated JavaScript that connects the user to a remote Phoenix Exploit site and downloads a malicious PDF file; upon successful exploitation it infects the system with a new variant of the Zeus P2P Trojan.

Below are some of the domains involved:

  • vanessamiyhome.ru:8080
  • vanishingmasers.ru:8080

While the Phoenix Exploit kit is in action, it displays a fake NACHA page which allows the user to download a report which in reality is the Zeus Trojan:

We also spotted a small number of e-mails which were part of a spear-phishing campaign using the same theme, in which corporate executive staff were targeted. The e-mail pretends to be from the Federal Reserve System’s fraud department and contains a URL pointing to a malicious site federalreserve(REMOVED).com. A sample e-mail message looks like:

This phishing site redirects users to a Blackhole Exploit site serving the Zeus Trojan. The initial website is hosted on Amazon’s cloud servers and we have notified Amazon’s security team about it. The functionality of the Zeus binary involved in both spam campaigns is similar to what we saw in a previous SonicAlert: Zeus P2P variant served via spammed Blackhole exploit links (Mar 2, 2012).

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Blacole.gen_2 (Exploit)
  • GAV: Blacole.WR (Exploit)
  • GAV: Zbot.IVT (Trojan)

AryaN Botnet analysis – Part 2 (April 13, 2012)

SonicWALL Threats Research team reported on an active IRC-based AryaN botnet in the wild last week. We continued to monitor the botnet activity and looked further into its origin.

We found that the AryaN botnet builder kit was first released on September 11, 2011 on one of the underground forums. This was followed by a leak of the source code and builder later that month. The builder was written in Borland Delphi and the interface looks like this:

Botnet commands as advertised by the author:

Features of the bot:

  • Geo/OS aware and named using the following convention:
    • AryaN{%s-%s-x%d}%s -> AryaN{CountryCode-OperatingSystem-Architecture}BotID
  • Connects to a remote C&C server and waits for commands
  • Capable of DoS attacks
  • Spreads via infected removable devices
  • Injects itself into explorer.exe
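The nick convention above is a usable network indicator: every bot announces its country, OS and architecture in its IRC NICK, and the first AryaN alert on this page saw the bots join the channel #!y!. The following Python parser is an added example, not part of the original alert or of the AryaN code; the IRC lines are constructed, and the OS token values (XP, 7) are an assumption since the alert shows only the template.

```python
import re
from collections import Counter

# Nick format advertised by the AryaN author:
#   AryaN{%s-%s-x%d}%s  ->  AryaN{CountryCode-OperatingSystem-Architecture}BotID
# The concrete OS token values are an assumption; the alert shows only the template.
ARYAN_NICK = re.compile(
    r"AryaN\{(?P<country>[A-Z]{2})-(?P<os>[^\-{}]+)-x(?P<arch>\d+)\}(?P<botid>\w+)"
)
# Channel the first AryaN alert on this page observed the bots joining.
ARYAN_CHANNEL = "#!y!"

# Constructed client-to-server IRC lines, not captured traffic.
SAMPLE_IRC_LOG = """\
NICK AryaN{GB-XP-x86}d41f9e
USER a 0 * :a
JOIN #!y!
NICK AryaN{US-7-x64}0b77c2
NICK AryaN{GB-XP-x86}9a1e00
NICK alice
JOIN #chat
"""


def parse_nick(nick):
    """Return the fields encoded in an AryaN-style nick, or None for other nicks."""
    m = ARYAN_NICK.fullmatch(nick)
    if not m:
        return None
    return {
        "country": m.group("country"),
        "os": m.group("os"),
        "arch": int(m.group("arch")),
        "botid": m.group("botid"),
    }


def scan_irc_log(text):
    """Collect AryaN bots (from NICK lines) and joins to the known C&C channel."""
    bots, joins = [], []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        cmd, arg = parts[0].upper(), parts[1]
        if cmd == "NICK":
            info = parse_nick(arg)
            if info:
                bots.append(info)
        elif cmd == "JOIN" and arg == ARYAN_CHANNEL:
            joins.append(arg)
    return {"bots": bots, "joins": joins}


def summarize(result):
    """Count bots per country code and CPU architecture for triage."""
    bots = result["bots"]
    return {
        "bots": len(bots),
        "by_country": dict(Counter(b["country"] for b in bots)),
        "by_arch": dict(Counter(b["arch"] for b in bots)),
        "channel_joins": len(result["joins"]),
    }


if __name__ == "__main__":
    print(summarize(scan_irc_log(SAMPLE_IRC_LOG)))
```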

The botnet we were monitoring over the past week is hosted in the U.K. It grew to 1000+ bots over a period of one week and we observed the following activity:

  • New AryaN bot update and subsequent redirection to a new IRC server/channel.

  • Instruction to download a Bitcoin miner Trojan. Below are the domains that were contacted by the downloaded Trojan:
    • eu.triplemining.com:8344
    • eu1.triplemining.com:8344
    • litecoinpool.org:9332

  • Instruction to perform DoS flooding attacks.

  • Instructions to download multiple other pay-per-install malware binaries and infect the victim machine.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Scar.GAJG (Trojan) [Bitcoin miner]
  • GAV: IRCBot.AYN_2 (Trojan) [New AryaN bot]
  • GAV: Agent.ADC (Trojan) [AryaN bot builder & base]

Fire Safety emails lead to Gamarue Worm (Apr 18, 2012)

SonicWALL Threat Research team discovered a new spam theme wherein Fire Safety and Guidance notification e-mails were being sent out. This is the first time we have observed spammers employing fire safety themes to entice users into opening a malicious attachment. The e-mail alleges to be from the Human Resources department and specifically targets company employees. The e-mail contains notice of an upcoming fire safety test and claims to have the recipient’s role attached. The zipped attachment in the e-mail is a newer variant of the Gamarue worm.

Email subjects used in this spam campaign include:

  • Fire Safety joint event
  • Counter Terrorism Safety Event
  • Enclosed Tutoring Materials
  • FIRE INSTRUCTION AND TRAINING ACTIVITIES. NOTIFICATION.
  • Instruction in Life Safety Education
  • Materials for a scheduled Public Safety event
  • Notification for a FireSafety Event
  • Public Safety Joint Event
  • Scheduled Event Notification
  • Tutoring material for a scheduled event

The body of the email is as shown below:

---------------------------------------------------------------------
Dear Associates

It might be useful for you to know that we are having a joint event with Fire and Counter Terrorism Safety including two written tests on Friday.

Last month four in ten employees surveyed could not pass the Fire Safety test.

Each of you will find enclosed a Fire Safety Guidance and your role description. Please take a look at the enclosed materials before 17th of April.

Kind regards,

Eve Sydow
Department of Human Resources
---------------------------------------------------------------------

The file in the zip attachment uses the following misleading icons:

screenshot

It performs the following activities when executed:

  • It creates the following files:
    • %temp%\msdubmnax.exe (Copy of itself) [Detected as GAV: Gamarue.F_3 (Worm)]
    • %temp%\fas.exe [Detected as GAV: Winwebsec.B (Trojan)]
    • Documents and Settings\user\d12280hoey.exe [Detected as GAV: Wigon.OW_8 (Trojan)]
  • It injects msdubmnax.exe into wuauclt.exe (Windows Update client) and d12280hoey.exe into svchost.exe (Host Process for Services).
  • It creates the following registry entries to ensure infection on reboot:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run 28739 “%temp%\msdubmnax.exe”
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run d12280hoey “Documents and Settings\test\d12280hoey.exe”
  • It posts information to a remote C&C server and receives further instructions

    screenshot

  • It downloads FakeAV and sends out spam e-mails
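The registry persistence used by this worm recurs across the alerts on this page: Run-key entries pointing into user-writable folders (here and in the AryaN alert), the Image File Execution Options Debugger hijack of userinit.exe and of the Trusteer Rapport executables (Vodafone and Wells Fargo alerts), the extra executable appended to Winlogon Userinit (Wells Fargo alert), and the renamed SafeBoot\Minimal and SafeBoot\Network keys that disable Safe Mode (LockScreen alert). The following Python checker, which works over a .reg export of the relevant hives, is an added example written for this page and is not SonicWALL tooling; the .reg text it parses is constructed sample data modelled on those entries.

```python
import re

# Constructed .reg-style export (the format "reg export" writes) with the kinds
# of entries described in the alerts. Sample data, not taken from a real host.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe]
"Debugger"="wink.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportService.exe]
"Debugger"="RPService.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\C9E053BA24B5EF92B076.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\mini]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svhost.exe"="C:\\Documents and Settings\\user\\Application Data\\svhost.exe"
"Reader"="C:\\Program Files\\Adobe\\Reader\\Reader.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
# Folders a Run-key target should not normally live in.
USER_WRITABLE = ("\\application data\\", "\\appdata\\", "\\temp\\")


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values of a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg files double every backslash inside string data.
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def find_persistence(keys):
    """Return (kind, subject, data) tuples for the persistence patterns described above."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        # IFEO Debugger: Windows starts the "debugger" in place of the named program.
        if "\\image file execution options\\" in low and "Debugger" in values:
            findings.append(("ifeo_debugger", path.rsplit("\\", 1)[1], values["Debugger"]))
        # Winlogon Userinit is a comma-separated list that should name only userinit.exe.
        if low.endswith("\\winlogon") and "Userinit" in values:
            entries = [e.strip() for e in values["Userinit"].split(",") if e.strip()]
            extra = [e for e in entries if not e.lower().endswith("userinit.exe")]
            if extra:
                findings.append(("userinit_append", path, ";".join(extra)))
        # Run keys (including policies\Explorer\Run) pointing into user-writable folders.
        if low.endswith("\\run"):
            for name, data in values.items():
                if any(d in data.lower() for d in USER_WRITABLE):
                    findings.append(("run_user_writable", name, data))
    # Missing SafeBoot\Minimal or SafeBoot\Network subkeys mean Safe Mode was disabled.
    if SAFEBOOT in keys:
        for sub in ("Minimal", "Network"):
            if SAFEBOOT + "\\" + sub not in keys:
                findings.append(("safeboot_missing", sub, ""))
    return findings


if __name__ == "__main__":
    for finding in find_persistence(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(*finding)
```

On a live system the same export is produced with `reg export` of the Winlogon, Image File Execution Options, SafeBoot and Run keys before running the checker.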

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Gamarue.F_3 (Worm)
  • GAV: Winwebsec.B (Trojan)
  • GAV: Wigon.OW_8 (Trojan)