Oracle Warehouse Builder SQL Injection (July 22, 2011)

Oracle Warehouse Builder (OWB) is an Extract, Transform, and Load (ETL) tool for managing data for business intelligence systems. Every Oracle 11g database product includes OWB as a bundled component. The Oracle Database supports querying and programming with the Structured Query Language (SQL), PL/SQL (Procedural Language / SQL), and Java. PL/SQL is Oracle’s procedural extension to SQL, allowing the use of variables, conditional and loop constructs, and functions, as well as some object-oriented features. PL/SQL program units can be pre-compiled and stored in the database. The Java runtime is also integrated with the SQL and PL/SQL database engines and enables the use of Java in stored procedures.
An example of the SQL used to store Java code in the database, where it can then be called from PL/SQL, is shown:

    create or replace and resolve java source named "TESTING" as
    import java.lang.*;
    import java.io.*;

    public class Hello {
        // Static method stored in the database; once published through a
        // PL/SQL call specification it can be invoked like any stored procedure.
        public static void HelloWorld() {
            System.out.println("This is a test");
        }
    }
    /

OWB by default includes a database user, OWBREPOS_OWNER. This user holds a number of critical roles and privileges which enable it to read all data in the database (including user password hashes). The user OWBREPOS_OWNER can also execute OS commands and can therefore obtain SYSDBA rights.

A privilege escalation vulnerability has been found in Oracle Warehouse Builder. A specific stored procedure in an OWBREPOS_OWNER package performs insufficient input validation on all of its parameters, and execute permission on this procedure is granted to PUBLIC by default. By inserting escaped single quotes (denoted by two single quotes) into one of the parameter strings, SQL, PL/SQL, and Java code can be injected and executed as OWBREPOS_OWNER.

An attacker with limited user privileges could use this vulnerability to read arbitrary data, including password hashes, from the database and to execute arbitrary SQL, PL/SQL and Java code, as well as operating system commands, in the security context under which the database is running, effectively compromising the database server completely.
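A DBA-side check for the exposure described above, together with the dynamic-SQL pattern that avoids this class of bug, as an added example that is not part of the original alert or of Oracle's own code. It assumes a SQL*Plus session with access to the DBA_* views; demo_lookup_bad, demo_lookup_good and demo_table are placeholder names, not OWB objects.

```sql
-- Added example, not from the alert or from Oracle. Assumes a SQL*Plus
-- session that can read the DBA_* views. demo_* names are placeholders.

-- 1. Which OWBREPOS_OWNER program units can any database account execute?
--    An EXECUTE grant to PUBLIC is what turns a quoting bug inside an
--    internal procedure into a privilege escalation for every user.
SELECT p.table_name AS program_unit, o.object_type, p.grantor
  FROM dba_tab_privs p
  JOIN dba_objects o
    ON o.owner = p.owner AND o.object_name = p.table_name
 WHERE p.owner     = 'OWBREPOS_OWNER'
   AND p.grantee   = 'PUBLIC'
   AND p.privilege = 'EXECUTE'
 ORDER BY 1;

-- 2. Why the account matters: the roles and system privileges it holds
--    (the alert notes it can read all data and reach SYSDBA).
SELECT 'ROLE' AS kind, granted_role AS privilege
  FROM dba_role_privs WHERE grantee = 'OWBREPOS_OWNER'
UNION ALL
SELECT 'SYSPRIV', privilege
  FROM dba_sys_privs WHERE grantee = 'OWBREPOS_OWNER'
 ORDER BY 1, 2;

-- 3. Vulnerable pattern (placeholder procedure): the parameter is glued
--    into the statement text, so quote characters in p_name become SQL.
CREATE OR REPLACE PROCEDURE demo_lookup_bad(p_name IN VARCHAR2,
                                            p_count OUT NUMBER) IS
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM demo_table WHERE name = ''' || p_name || ''''
    INTO p_count;
END;
/

-- Hardened pattern: the value travels as a bind variable and is never
-- parsed as SQL. Identifiers that must be dynamic (table or column names)
-- should be validated with DBMS_ASSERT.SQL_OBJECT_NAME before use.
CREATE OR REPLACE PROCEDURE demo_lookup_good(p_name IN VARCHAR2,
                                             p_count OUT NUMBER) IS
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM demo_table WHERE name = :1'
    INTO p_count USING p_name;
END;
/
```

Any row returned by the first query is a candidate for REVOKE EXECUTE ... FROM PUBLIC until the vendor patch is applied.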

SonicWALL has multiple generic IPS signatures which address SQL injection attempts. The following IPS signatures proactively address attacks targeting this vulnerability:

  • 1421 – SQL-INJECTION Generic SQL Injection Attempt 7
  • 1661 – SQL-INJECTION Generic SQL Injection Attempt 8
  • 4161 – SQL-INJECTION Generic SQL Injection Attempt 16

This vulnerability has been assigned the identifier CVE-2011-0799 by MITRE.
The vendor has released an advisory addressing this issue.

Email Spam leads to Banking Trojan (July 21, 2011)

The Sonicwall UTM research team received reports of a new online banking Trojan seen in the wild. This Trojan steals the security credentials used to manage various online banking accounts, targeting the South American bank Caixa Group.

Users receive an email, similar to the screenshot below, relating to a banking transaction. The email contains a link purporting to be the proof or receipt of the transaction, but it actually leads to the download of the banking Trojan.

    screenshot

    Translated from Portuguese to English:

    ————————————————–
    PROOF OF SCHEDULE
    ————————————————–

    Please be advised that scheduling was made in Internal Transfer
    BPI service online, with the following data:

    Schedule Date – 07/18/2011 06:16
    Operation Type – Issuance of checks on foreign
    Nr Documento2342576678899 (9.12 kb)

The email link leads to a compromised website which serves the trojan: http://cla{REMOVED}ua/…/bpi23045.asp

Once the user clicks the link, a message is displayed claiming that Adobe Reader is outdated, and the user is redirected to a download page.

    screenshot

The Adobe Reader download page is fake and actually serves the banking Trojan.

    screenshot

    screenshot

In order to disguise the banking Trojan as a legitimate installer, it uses the Adobe Flash icon shown below:

After installation, the Trojan launches the pages below to make the user believe that a legitimate Adobe Reader was installed, and finally shows the online banking transaction.

    screenshot

    screenshot

Installed files:

  • %systemdir%\1kl1.exe [ detected as GAV: VBKrypt.CQZR (Trojan) ]
  • %systemdir%\xservicex.exe [ detected as GAV: VBKrypt.CQZR (Trojan) ]
  • %temp%\header_10.1.45.2.exe [ detected as GAV: VBKrypt.CQZR (Trojan) ]

Added Registry:

  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value: xservicex
    Data: "%systemdir%\1kl1.exe"

Network Activity:

HTTP Requests:

  • http://www.ca{REMOVED}/lnkFloud.php
  • http://www.d{REMOVED}tyjytj/…/c.php
  • http://sch{REMOVED}/willkohead.png

SonicWALL Gateway AntiVirus provided proactive protection against this threat via the following existing signatures:

  • GAV: VBKrypt.CQZR (Trojan)
  • GAV: Banker.UTV (Trojan)

screenshot

XP Internet Security 2012. FakeAV trend continues. (Jul 14, 2011)

The Sonicwall UTM research team received reports of a FakeAV called XP Internet Security 2012. FakeAV software of this nature continues to be a steadily growing trend and has been covered in some of our previous SonicALERTs. Once installed, this software disables the Windows firewall, Windows automatic updates and Windows Security Center antivirus notifications. It then proceeds with its campaign to sell the software to the infected victim.

The Trojan performs the following DNS query:

      hises{removed}.com

The Trojan brings up the following fake system scan dialogs a few seconds after infection:

The Trojan periodically brings up the following messages in an attempt to encourage the user to buy the software:

The Trojan makes the following GET request to a remote webserver (hises{removed}.com):

The Trojan was seen receiving the following data in response to the above GET request:

The Trojan creates the following files on the filesystem:

  • C:\Documents and Settings\{USER}\Local Settings\Application Data\uwk.exe [Detected as GAV: Kryptik.QFG (Trojan)]
  • C:\Documents and Settings\All Users\Application Data\c1xisgac1m22i0vav24c46v8xoky2du4 [Detected as GAV: Kryptik.QFG_2 (Trojan)]
  • C:\Documents and Settings\{USER}\Local Settings\Application Data\c1xisgac1m22i0vav24c46v8xoky2du4 [Detected as GAV: Kryptik.QFG_2 (Trojan)]
  • C:\Documents and Settings\{USER}\Local Settings\Temp\c1xisgac1m22i0vav24c46v8xoky2du4 [Detected as GAV: Kryptik.QFG_2 (Trojan)]
  • C:\Documents and Settings\{USER}\Templates\c1xisgac1m22i0vav24c46v8xoky2du4 [Detected as GAV: Kryptik.QFG_2 (Trojan)]

The Trojan creates the following registry keys in the Windows registry:

    Enable startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 453461717 "C:\Documents and Settings\{USER}\Local Settings\Application Data\uwk.exe"

    Shell spawning:

  • HKEY_CLASSES_ROOT\.exe\shell\open\command @ ""C:\Documents and Settings\{USER}\Local Settings\Application Data\uwk.exe"
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command @ ""C:\Documents and Settings\{USER}\Local Settings\Application Data\uwk.exe"
  • HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command @ ""C:\Documents and Settings\{USER}\Local Settings\Application Data\uwk.exe"

    Disable Windows firewall and notifications:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile EnableFirewall dword:00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile DoNotAllowExceptions dword:00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile DisableNotifications dword:00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile EnableFirewall dword:00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile DoNotAllowExceptions dword:00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile DisableNotifications dword:00000001

The Trojan makes the following registry modifications:

    Disable Windows antivirus check and notifications (old value -> new value):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center AntiVirusDisableNotify dword:00000000 -> dword:00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center FirewallDisableNotify dword:00000000 -> dword:00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center UpdatesDisableNotify dword:00000000 -> dword:00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center AntiVirusOverride dword:00000000 -> dword:00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center FirewallOverride dword:00000000 -> dword:00000001

The Trojan deletes everything under the following registry keys to disable Windows automatic updates:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WUAUSERV
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Kryptik.QFG (Trojan)
  • GAV: Kryptik.QFG_2 (Trojan)

Microsoft Security Bulletin Coverage (July 12, 2011)

SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of July, 2011. A list of issues reported, along with SonicWALL coverage information follows:

MS11-053 Vulnerability in Bluetooth Stack Could Allow Remote Code Execution (2566220)

  • Bluetooth Stack Vulnerability – CVE-2011-1265
    Attacks targeting this vulnerability would occur over Bluetooth.

MS11-054 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2555917)

  • Win32k Use After Free Vulnerability – CVE-2011-1874
    This is a local vulnerability.
  • Win32k Use After Free Vulnerability – CVE-2011-1875
    This is a local vulnerability.
  • Win32k Use After Free Vulnerability – CVE-2011-1876
    This is a local vulnerability.
  • Win32k Use After Free Vulnerability – CVE-2011-1877
    This is a local vulnerability.
  • Win32k Use After Free Vulnerability – CVE-2011-1878
    This is a local vulnerability.
  • Win32k Use After Free Vulnerability – CVE-2011-1879
    This is a local vulnerability.
  • Win32k Null Pointer De-reference Vulnerability – CVE-2011-1880
    This is a local vulnerability.
  • Win32k Null Pointer De-reference Vulnerability – CVE-2011-1881
    This is a local vulnerability.
  • Win32k Use After Free Vulnerability – CVE-2011-1882
    This is a local vulnerability.
  • Win32k Use After Free Vulnerability – CVE-2011-1883
    This is a local vulnerability.
  • Win32k Use After Free Vulnerability – CVE-2011-1884
    This is a local vulnerability.
  • Win32k Null Pointer De-reference Vulnerability – CVE-2011-1885
    This is a local vulnerability.
  • Win32k Incorrect Parameter Validation Allows Information Disclosure Vulnerability – CVE-2011-1886
    This is a local vulnerability.
  • Win32k Null Pointer De-reference Vulnerability – CVE-2011-1887
    This is a local vulnerability.
  • Win32k Null Pointer De-reference Vulnerability – CVE-2011-1888
    This is a local vulnerability.

MS11-055 Vulnerability in Microsoft Visio Could Allow Remote Code Execution (2560847)

  • Microsoft Visio Insecure Library Loading Vulnerability – CVE-2011-3148
    IPS 5726 Possible Binary Planting Attempt

MS11-056 Vulnerabilities in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2507938)

  • CSRSS Local EOP AllocConsole Vulnerability – CVE-2011-1281
    This is a local vulnerability.
  • CSRSS Local EOP SrvSetConsoleLocalEUDC Vulnerability – CVE-2011-1282
    This is a local vulnerability.
  • CSRSS Local EOP SrvSetConsoleNumberOfCommand Vulnerability – CVE-2011-1283
    This is a local vulnerability.
  • CSRSS Local EOP SrvWriteConsoleOutput Vulnerability – CVE-2011-1284
    This is a local vulnerability.
  • CSRSS Local EOP SrvWriteConsoleOutputString Vulnerability – CVE-2011-1870
    This is a local vulnerability.

Citrix Provisioning Services Buffer Overflow (Jul 8, 2011)

Citrix Provisioning Services is a workload (operating system, application, and configuration) management system. It maximizes the flexibility of hardware resources by requiring no software to be preloaded on the managed systems; instead, computers obtain their software from the network in real time. A proprietary communication protocol is used between the Provisioning Server and the other components.

Several buffer overflow vulnerabilities exist in Citrix Provisioning Services. Specifically, the vulnerabilities are due to insufficient validation of data sent to streamprocess.exe, which listens on port 6905/udp. An attacker can exploit these vulnerabilities by sending crafted packets to the target server. Successful exploitation would allow for arbitrary code injection and execution with the privileges of the streamprocess.exe process. Code injection that does not result in execution would terminate the service due to memory corruption.

SonicWALL has released several IPS signatures to detect and block known exploits targeting these vulnerabilities. The signatures are listed below:

  • 6346 – Citrix Provisioning Services Buffer Overflow 1
  • 6794 – Citrix Provisioning Services Buffer Overflow 2

Financial spam campaigns on the rise (July 08, 2011)

The SonicWALL UTM Research team continues to observe an increase in financial spam campaigns pretending to be from a credit card company. The email attempts to grab the reader’s attention by stating that their credit card bill is overdue. The attachment in the email, purporting to be a financial statement, is a newer variant of the FakeAV we analyzed earlier.

The spam campaign is shown below:

screenshot

It performs the following activities when executed:

  • It creates the following files:
    • Start Menu\Programs\Startup\dxdiag.exe (Copy of itself) [Detected as GAV: Aspxor.Y (Trojan)]
    • WINDOWS\system32\aspimgr.exe [Detected as GAV: Danmec.E (Trojan)]
    • WINDOWS\dvcbdt1.dll [Detected as GAV: Mufanom.BLDH (Trojan)]
    • %temp%\rrtegggggggg[1].exe [Detected as GAV: FakeAV.AHV (Trojan)]
    • %temp%\gggssgsdggg[1].exe [Detected as GAV: Mufanom.BLDH (Trojan)]
    • %temp%\bibalabibabuba[1].exe [Detected as GAV: Aspxor.Z (Trojan)]
  • It reports new infection to a remote server:
    • GET /forum1/task.php?bid=462e39cb208270ad&os=5-1-2600&uptime=0&rnd=574609 HTTP/1.1
  • It downloads further files from a remote server using a custom user-agent string:
    • GET /forum1/load.php?module=grabbers HTTP/1.1
      User-Agent: Our_Agent
  • It creates the following registry entry to ensure infection on reboot:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Ulazebebebag "rundll32.exe "C:\WINDOWS\dvcbdt1.dll",Startup"
  • It displays fake scans and infections and prompts the user to purchase the product in order to clean their computer.

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Oficla.FS (Trojan)
  • GAV: Oficla.FS#email (Trojan)
  • GAV: Aspxor.Y (Trojan)
  • GAV: Aspxor.Z (Trojan)
  • GAV: Danmec.E (Trojan)
  • GAV: Mufanom.BLDH (Trojan)
  • GAV: FakeAV.AHV (Trojan)

screenshot

ISC BIND Denial of Service (Jun 30, 2011)

BIND is by far the most widely used DNS software on the Internet. It provides a platform that is fully compliant with published DNS standards.

The Domain Name System Security Extensions (DNSSEC) are a set of extensions to DNS which provide DNS clients with origin authentication of DNS data, authenticated denial of existence, and data integrity. Several DNS record types were created or adapted for use with DNSSEC:

  • RRSIG
  • DNSKEY
  • DS
  • NSEC
  • NSEC3
  • NSEC3PARAM

A vulnerability exists in BIND’s handling of RRSIG records. An attacker can host a DNS server which sends malicious RRSIG records to other DNS servers. Successful exploitation would terminate “named” (the BIND name server process) on the vulnerable DNS servers.

The vulnerability has been assigned CVE-2011-1910.

SonicWALL has released an IPS signature to detect and block known exploits targeting this vulnerability. The following signature was released to address this issue:

  • 6790 – ISC BIND RRSIG RRsets DoS

Fake Credit Card and IRS notices (June 30, 2011)

The SonicWALL UTM Research team observed two new spam campaigns in the past few days pretending to contain notices from a credit card company or the Internal Revenue Service (IRS). The e-mails carry the downloader Trojan Chepvil as an attachment. Chepvil is a Trojan that silently downloads and installs malware components or other malware, including rogue AV. SonicWALL has received more than 100,000 copies of emails from these spam campaigns so far, delivering 74 unique malicious binaries, and the campaigns are still active at the time of writing.

Campaign #1 – Credit Card Overdue notice spam

Subject:

  • Credit Card Overdue

Attachment: Customer details.zip (contains Customer details.exe)

The e-mail message looks like below:

screenshot

Campaign #2 – IRS notification spam

Subject:

  • IRS notification

Attachment: IRS document.zip (contains IRS document.exe)

The e-mail message looks like below:

screenshot

The executable file inside the zip attachment has an icon disguised as an Acrobat Reader PDF file:

screenshot

If the user downloads and executes the malicious executable inside the zip attachment, it performs the following activity:

  • Creates a process SVCHOST.EXE and injects code into it.
  • Deletes the original copy of the file.
  • Reports the infected machine by sending the following GET request:
    GET /404.php?type=stats&affid=531&subid=01&awok HTTP/1.1
    User-Agent: IE
    Host: click(REMOVED).org
  • Downloads a Fake AV Trojan from the remote server mysteryforyou1.ru to the following location and executes it:
    • (Application Data)\dRBAHQLTbF.exe – [ detected as GAV: FakeAV.PSL (Trojan) ]

  • The Fake AV Trojan periodically moves all the user’s programs into (TEMP)\smtmp\(N) [where N = 1, 2, 3, ...], making them unavailable to the user, and also hides the user’s files. Commands and features found in the analysis are shown below:

    screenshot

    Languages supported:

    screenshot

    More details about this Fake AV Trojan’s functionality can be found in one of our previous SonicALERTs – Fake Desktop Utilities on the rise (June 8, 2011)

  • Other dropped files include:
    • (TEMP)\trol.exe – [ detected as GAV: Agent.SEO (Trojan) ]
    • (TEMP)\javaw.exe – [ detected as GAV: Suspicious#polycrypt.4_2 (Worm) ]
  • Registry modification to ensure the Fake AV runs upon system reboot:
    • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Run
      Value: dRBAHQLTbF
      Data: (Application Data)\dRBAHQLTbF.exe
  • SonicWALL Gateway AntiVirus blocks the spammed downloader Trojan Chepvil proactively via the following signature:

    • GAV: Suspicious#Chepvil.K (Trojan)

    screenshot

McDonald's Free Dinner e-mail Leads to FakeAV (June 22, 2011)

The SonicWALL UTM Research team received reports of a new spam campaign, seen in the wild, pretending to come from McDonald's restaurants. This campaign uses subjects about a “McDonalds Free Dinner”.

The sample e-mail format of the spam campaign includes the following:

Subject:

  • Come to us at our holiday of healthy and free food
  • Dont miss The Free Five-Course Dinner Day
  • Find the invitation to Free Day in the letter
  • Get a ticket for free helpings
  • Large free dish of five courses
  • Tasty and free food for each visitor
  • The Free Day holiday is here
  • The Free Dinner Day
  • The letter contains the ticket for free helpings
  • We are having the holiday of free food
  • We gift you a ticket to the day of free dishes

Attachment: Invitation_Card{Random Numbers}.zip (22.9KB)

screenshot

The executable file masquerades as a Microsoft Word document by using an icon seen below:

screenshot

If the user downloads and executes the malicious executable inside the zip attachment, it performs the following activity:

  • Creates the process SVCHOST.EXE and injects its code.
  • Copies itself to %Startup%/dxdiag.exe [ detected as GAV: Obfuscator.PO_2 (Virus) ] and sets its timestamp to match that of ntdll.dll, to hide from malware tools that check for newly created files.
  • Deletes the original executable file

Downloads other malware:

  • Application Data\gog.exe – [ detected as GAV: FakeAV.LSX (Trojan) ]

Dropped files:

  • Application Data\completescan
  • Application Data\ct_start
  • Application Data\1.gif
  • Application Data\install
  • Application Data\start

Added Registry:

  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Value: Shell
    Data: "Application Data\gog.exe"

Network Activity:

This malware steals system information and sends it to a remote server every 96 seconds.

    User-Agent: Our_Agent

  • http://diamond{REMOVED}e2011.ru//forum/task.php?bid={VolumeInfo}&os={OS Version}&uptime=0&rnd={random number}

Once the remote server receives the system information, it will acknowledge it and reply with commands as follows:

  • download – download other malware
  • update – update itself

FakeAV

    This malware also downloads and installs a FakeAV application. Once installed, it shows a fake Microsoft Security Essentials alert, as seen below:

    screenshot

    After the “Scan Online” button is clicked, it shows the message below and prompts the user to reboot the system:

    screenshot

    After rebooting the system, the following FakeAV screens will appear. It will then ask the user to pay for the software to completely clean the system.

    screenshot

    screenshot

    screenshot

    screenshot

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Obfuscator.PO_2
  • GAV: FakeAV.LSX (Trojan)
  • GAV: Zurgop.Z#email (Trojan)

screenshot

Adobe Shockwave Player Memory Corruption (Jun 23, 2011)

Adobe Shockwave is a multimedia platform used to add animation and interactivity to web pages. Shockwave movies are authored in the Adobe Director environment. Any computer which has the Shockwave plug-in installed can view Shockwave movies. Adobe Director files have the extension .dir and can be published into the Shockwave file format, which has the extension .dcr.

A memory corruption vulnerability exists in Adobe Shockwave player. Specifically, the vulnerability occurs while processing specially crafted tSAC chunks in Director files. An attacker can exploit this vulnerability by enticing a user to open a crafted Director (.dir or .dcr) file. Successful exploitation would allow for arbitrary code injection and execution with the privileges of the currently logged in user. Code injection that does not result in execution would terminate the application due to memory corruption.

The vulnerability has been assigned CVE-2011-2118.

SonicWALL has released an IPS signature to detect and block known exploits targeting this vulnerability. The following signature was released to address this issue:

  • 6756 – Adobe Shockwave Director tSAC Chunk Memory Corruption PoC