Fake MS Removal Tool forces user to buy Fake AV software (Jun 17, 2011)

The SonicWALL UTM research team has received reports of a new FakeAV that is more intrusive than usual. Most FakeAVs are merely annoying: they cause pop-up windows to appear that encourage the victim to buy the software. Fakesysdef.BDF is a FakeAV that actually forces the user to buy the software. The system is rendered unusable until the software is paid for or removed.

The Trojan creates the following file on the filesystem:

  • C:\Documents and Settings\All Users\Application Data\jB04208NpCpC04208\jB04208NpCpC04208.exe [Detected as GAV: Fakesysdef.BDF (Trojan)]
  • The file “jB04208NpCpC04208.exe” is a copy of the original Trojan file. The filename is randomly generated but always ends with “04208”. From further analysis it is suspected that “04208” is an affiliate ID. Once copied, the file is run from its new location.

The Trojan creates the following registry keys to ensure startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\{random} “C:\Documents and Settings\All Users\Application Data\jB04208NpCpC04208\jB04208NpCpC04208.exe” [Detected as GAV: Fakesysdef.BDF (Trojan)]

The Trojan will run silently in the background for a period of approximately 10 minutes. After this time the Trojan will remove the desktop background and pop up a fake system scan window named “MS Removal Tool”:

The Trojan will show a fake summary of results of the scan and prompt the user to remove the threats:

When trying to run most software on the system the Trojan will give a fake warning that the program is infected:

When clicking on “Remove all threads now” the user is taken to a payment page:

The Trojan was spotted communicating with 46.161.{removed}.{removed} for payment form information using the affiliate ID “04208”:

The Trojan was also spotted enumerating directories under C:\Program Files and reading the contents of C:\Documents and Settings\{user}\Start Menu\desktop.ini.

The SonicWALL UTM research team has discovered various license keys posted on the internet that claim to disable this FakeAV software. However, entering these keys does not remove the software from the system; it continues to run in the background.

After registering the software we observed continued suspicious behavior. The Trojan attempts to steal information from popular game titles that may be installed on the system:

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Fakesysdef.BDF (Trojan)

Microsoft Security Bulletins Coverage (Jun 15, 2011)

SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of June, 2011. A list of issues reported, along with SonicWALL coverage information follows:

MS11-037 Vulnerability in MHTML Could Allow Information Disclosure (2544893)

  • MHTML Mime-Formatted Request Vulnerability – CVE-2011-1894
    IPS 6154 MHTML Protocol Handler XSS Attack 1
    IPS 6155 MHTML Protocol Handler XSS Attack 2
    IPS 6201 MHTML Protocol Handler XSS Attack 3

MS11-038 Vulnerability in OLE Automation Could Allow Remote Code Execution (2476490)

  • OLE Automation Underflow Vulnerability – CVE-2011-0658
    IPS 4297 Generic Client Application Shellcode Exploit 1

MS11-039 Vulnerability in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2514842)

  • .NET Framework Array Offset Vulnerability – CVE-2011-0664
    This is a local vulnerability.

MS11-040 Vulnerability in Threat Management Gateway Firewall Client Could Allow Remote Code Execution (2520426)

  • TMG Firewall Client Memory Corruption Vulnerability – CVE-2011-1889
    There is no feasible method of detection.

MS11-041 Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2525694)

  • Win32k OTF Validation Vulnerability – CVE-2011-1873
    There is no feasible method of detection.

MS11-042 Vulnerabilities in Distributed File System Could Allow Remote Code Execution (2535512)

  • DFS Memory Corruption Vulnerability – CVE-2011-1868
    IPS 6714 Suspicious CIFS Traffic 7
  • DFS Referral Response Vulnerability – CVE-2011-1869
    There is no feasible method of detection.

MS11-043 Vulnerability in SMB Client Could Allow Remote Code Execution (2536276)

  • SMB Response Parsing Vulnerability – CVE-2011-1268
    IPS 6713 Suspicious CIFS Traffic 6

MS11-044 Vulnerability in .NET Framework Could Allow Remote Code Execution (2538814)

  • .NET Framework JIT Optimization Vulnerability – CVE-2011-1271
    There is no feasible method of detection.

MS11-045 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2537146)

  • Excel Insufficient Record Validation Vulnerability – CVE-2011-1272
    IPS 6707 Malicious Excel Document 11b
  • Excel Improper Record Parsing Vulnerability – CVE-2011-1273
    IPS 6708 Malicious Excel Document 12b
  • Excel Out of Bounds Array Access Vulnerability – CVE-2011-1274
    IPS 6709 Malicious Excel Document 13b
  • Excel Memory Heap Overwrite Vulnerability – CVE-2011-1275
    IPS 6710 Malicious Excel Document 14b
  • Excel Buffer Overrun Vulnerability – CVE-2011-1276
    IPS 6718 Malicious Excel Document 16b
  • Excel Memory Corruption Vulnerability – CVE-2011-1277
    IPS 6719 Malicious Excel Document 17b
  • Excel WriteAV Vulnerability – CVE-2011-1278
    IPS 6721 Malicious Excel Document 18b
  • Excel Out of Bounds WriteAV Vulnerability – CVE-2011-1279
    IPS 6715 Malicious Excel Document 15b

MS11-046 Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2503665)

  • Ancillary Function Driver Elevation of Privilege Vulnerability – CVE-2011-1249
    This is a local vulnerability.

MS11-047 Vulnerability in Hyper-V Could Allow Denial of Service (2525835)

  • VMBus Persistent DoS Vulnerability – CVE-2011-1872
    This is a local vulnerability.

MS11-048 Vulnerability in SMB Server Could Allow Denial of Service (2536275)

  • SMB Request Parsing Vulnerability – CVE-2011-1267
    IPS 6712 Suspicious CIFS Traffic 5

MS11-049 Vulnerability in the Microsoft XML Editor Could Allow Information Disclosure (2543893)

  • XML External Entities Resolution Vulnerability – CVE-2011-1280
    There is no feasible method of detection.

MS11-050 Cumulative Security Update for Internet Explorer (2530548)

  • MIME Sniffing Information Disclosure Vulnerability – CVE-2011-1246
    There is no feasible method of detection.
  • Link Properties Handling Memory Corruption Vulnerability – CVE-2011-1250
    There is no feasible method of detection.
  • DOM Manipulation Memory Corruption Vulnerability – CVE-2011-1251
    IPS 6723 MS IE DOM Manipulation Memory Corruption Attack
  • toStaticHTML Information Disclosure Vulnerability – CVE-2011-1252
    There is no feasible method of detection.
  • Drag and Drop Memory Corruption Vulnerability – CVE-2011-1254
    IPS 6722 MS IE Drag and Drop Memory Corruption Attack
  • Time Element Memory Corruption Vulnerability – CVE-2011-1255
    There is no feasible method of detection.
  • DOM Modification Memory Corruption Vulnerability – CVE-2011-1256
    There is no feasible method of detection.
  • Drag and Drop Information Disclosure Vulnerability – CVE-2011-1258
    There is no feasible method of detection.
  • Layout Memory Corruption Vulnerability – CVE-2011-1260
    IPS 6148 Suspicious HTML BDO Tag
  • Selection Object Memory Corruption Vulnerability – CVE-2011-1261
    IPS 6717 MS IE Selection Object Memory Corruption Attack
  • HTTP Redirect Memory Corruption Vulnerability – CVE-2011-1262
    IPS 6716 MS IE HTTP Redirect Memory Corruption Attack

MS11-051 Vulnerability in Active Directory Certificate Services Web Enrollment Could Allow Elevation of Privilege (2518295)

  • Active Directory Certificate Services Vulnerability – CVE-2011-1264
    IPS 1369 Generic Cross-Site Scripting (XSS) Attempt 1
    IPS 3700 Generic Cross-Site Scripting (XSS) Attempt 3
    IPS 4948 Generic Cross-Site Scripting (XSS) Attempt 4
    IPS 1380 Generic Cross-Site Scripting (XSS) Attempt 5
    IPS 1381 Generic Cross-Site Scripting (XSS) Attempt 6

MS11-052 Vulnerability in Vector Markup Language Could Allow Remote Code Execution (2544521)

  • VML Memory Corruption Vulnerability – CVE-2011-1266
    IPS 6711 MS VML Memory Corruption PoC

MS Host Integration Server Memory Corruption (June 10, 2011)

Microsoft Host Integration Server (a.k.a. HIS) is a gateway application providing connectivity between Microsoft Windows networks and IBM mainframe and AS/400 systems. Support is provided for SNA, 3270 (standard and Telnet 3270 TN3270E), 5250 (standard and Telnet 5250), CICS, APPC, and other IBM protocols. Support is also provided for advanced integration with Windows networks and software, such as linking Microsoft Message Queuing applications to IBM WebSphere MQ, binding Microsoft DTC transactions with CICS, and cross-protocol access to DB2 databases on IBM platforms. HIS is the successor to Microsoft SNA Server.

The Systems Network Architecture (SNA) communication protocol is a proprietary, undocumented protocol that is still in wide use in the banking industry and various government agencies. Microsoft HIS deploys a number of services to handle the SNA protocol. By observing captured traffic, the following layout can be deduced for the UDP messages exchanged by the snalink.exe, snaservr.exe and mngagent.exe services.

  Offset  Size (bytes)  Description
  0x00    2             payload size (starting at offset 0x39)
  0x02    1             opcode
  0x03    16            Unknown hostname (possibly source)
  0x13    1             0x2a
  0x14    15            Unknown
  0x23    16            Unknown hostname (possibly destination)
  0x33    6             Unknown
  0x39    payload size  payload

A denial of service vulnerability exists in Microsoft Host Integration Server. The vulnerability is due to an input validation error while parsing messages with a special opcode. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted packet to any of the vulnerable services. This can lead to a denial of service condition.
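The layout above is enough to write a datagram splitter that a capture-triage script or a custom IDS rule can use. The following is an added example, not SonicWALL's signature logic or any Microsoft code: it cuts a UDP payload into the fields of the table, checks the fixed 0x2a byte at offset 0x13, and rejects datagrams whose declared payload size disagrees with the bytes actually present, which is exactly the kind of inconsistency an input-validation flaw in an opcode handler is fed. Assumptions not stated on the page: the 2-byte size field is treated as big-endian, the hostname fields as NUL-padded ASCII, and the sample hostnames and opcode are made up.

```python
import struct

HEADER_LEN = 0x39        # payload starts at offset 0x39 in the observed layout
HOST_FIELD_LEN = 16
MARKER_OFFSET = 0x13     # single byte that captures always showed as 0x2a
MARKER_VALUE = 0x2A


class HisParseError(ValueError):
    """Raised when a datagram does not fit the observed layout."""


def _fixed_ascii(field: bytes) -> str:
    """Decode a fixed-width field; NUL padding is an assumption, not documented."""
    return field.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def parse_his_message(data: bytes) -> dict:
    """Split one UDP datagram into the fields of the layout in the table above."""
    if len(data) < HEADER_LEN:
        raise HisParseError(f"header truncated: {len(data)} < {HEADER_LEN} bytes")
    # Byte order of the size field is not given on the page; big-endian assumed.
    declared = struct.unpack_from(">H", data, 0x00)[0]
    marker = data[MARKER_OFFSET]
    if marker != MARKER_VALUE:
        raise HisParseError(f"byte at 0x13 is 0x{marker:02x}, expected 0x2a")
    payload = data[HEADER_LEN:]
    if declared != len(payload):
        raise HisParseError(
            f"declared payload size {declared} != actual {len(payload)}")
    return {
        "opcode": data[0x02],
        "src_host": _fixed_ascii(data[0x03:0x03 + HOST_FIELD_LEN]),
        "unknown1": data[0x14:0x23],
        "dst_host": _fixed_ascii(data[0x23:0x23 + HOST_FIELD_LEN]),
        "unknown2": data[0x33:0x39],
        "payload": payload,
    }


def build_his_message(opcode: int, src_host: str, dst_host: str,
                      payload: bytes) -> bytes:
    """Assemble a datagram in the observed layout (for generating test traffic)."""
    if not 0 <= opcode <= 0xFF:
        raise ValueError("opcode must fit in one byte")
    if len(payload) > 0xFFFF:
        raise ValueError("payload exceeds the 16-bit size field")
    hosts = []
    for name in (src_host, dst_host):
        raw = name.encode("ascii")
        if len(raw) > HOST_FIELD_LEN:
            raise ValueError(f"hostname {name!r} longer than {HOST_FIELD_LEN} bytes")
        hosts.append(raw.ljust(HOST_FIELD_LEN, b"\x00"))
    hdr = (struct.pack(">H", len(payload)) + bytes([opcode])
           + hosts[0] + bytes([MARKER_VALUE]) + b"\x00" * 15
           + hosts[1] + b"\x00" * 6)
    assert len(hdr) == HEADER_LEN
    return hdr + payload


def check_datagram(data: bytes) -> str:
    """Return 'ok' or the parse error text; convenient inside a pcap loop."""
    try:
        parse_his_message(data)
        return "ok"
    except HisParseError as exc:
        return str(exc)


# Constructed sample: hostnames, opcode and payload bytes are invented.
SAMPLE = build_his_message(0x05, "SNASERVER01", "MAINFRAME-A", b"\x01\x02\x03\x04")

if __name__ == "__main__":
    print(parse_his_message(SAMPLE))
    # Same header with the last payload byte dropped: the size field now lies.
    print(check_datagram(SAMPLE[:-1]))
```

Feeding `check_datagram` every datagram on the HIS UDP ports and alerting on anything other than `ok` gives a cheap first-pass filter; it will not tell you which opcode is the vulnerable one, but it catches the malformed-length class of message before it reaches the service.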

SonicWALL UTM has researched and analyzed the vulnerability. The following IPS signature has been created to detect and prevent the malicious traffic:

  • 6703 MS Host Integration Server Memory Corruption

Fake Desktop Utilities on the rise (June 8, 2011)

The SonicWALL UTM Research team has observed a rise in fake desktop utility malware in the wild. A new fake Windows recovery utility is making the rounds through drive-by downloads. We have observed other variants before, but this variant employs some new tactics: disabling Task Manager, hiding user programs and files by modifying file attributes, hiding Start Menu items and disabling several operating system features.

As seen in the past with other fake utilities, it attempts to scare the user with fake errors and tries to convince the user to buy the product in order to fix those errors. It uses a fake icon and file name to masquerade as a legitimate file as seen below:

screenshot

It performs the following activities:

  • It creates a copy of itself in the following location
    • %AppData%\uaaiHfWFhq.exe
  • It reports the new infection to a remote server
    • GET /404.php?type=stats&affid=508&subid=new02&awok HTTP/1.1
  • It creates the following registry entry to ensure it runs again after a reboot
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\uaaiHfWFhq: ”%AppData%\uaaiHfWFhq.exe”
  • It executes the following commands in the background to mark user files and folders as hidden
    • attrib +h “C:\Documents and Settings\All Users\Start Menu\*.*”
    • attrib +h “C:\Documents and Settings\Administrator\*.*”
    • attrib +h “C:\*.*”
  • It moves the contents of the Start Menu from “All Users\Start Menu\Programs” to “%Temp%\smtmp\1”
  • It modifies the following registry values to disable various features
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
      – Disables Task Manager
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
      – Disables viewing of hidden files (so the files it just marked with attrib +h disappear)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
      – Disables viewing of protected operating system files
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop
      – Hides desktop icons
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures
      – Disables the warning for downloaded software from untrusted publishers
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation
      – Disables preservation of zone information in downloaded and attached files
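Every persistence and lockdown change in this list, and the RunOnce entry used by the Fake MS Removal Tool variant described at the top of this page, lives under HKEY_CURRENT_USER, so a `reg export HKCU` taken from a suspect machine can be triaged offline. The following is an added example, not SonicWALL's tooling: it parses a .reg export and flags the policy values above, Run/RunOnce entries that launch from %AppData%, Application Data or a Temp folder, and autorun filenames ending in the 04208 suffix noted for Fakesysdef.BDF. The value encodings are standard Windows semantics (Hidden = 2 hides hidden files, ShowSuperHidden = 0 hides protected OS files, CheckExeSignatures is the string "no"); the .reg text is constructed for the example, and the paths in it are illustrative.

```python
import re

# (lower-cased subkey under the hive, lower-cased value name) -> (meaning, is_bad)
POLICY_INDICATORS = {
    (r"software\microsoft\windows\currentversion\policies\system", "disabletaskmgr"):
        ("Task Manager disabled", lambda v: v == 1),
    (r"software\microsoft\windows\currentversion\explorer\advanced", "hidden"):
        ("hidden files not shown", lambda v: v == 2),
    (r"software\microsoft\windows\currentversion\explorer\advanced", "showsuperhidden"):
        ("protected OS files hidden", lambda v: v == 0),
    (r"software\microsoft\windows\currentversion\policies\explorer", "nodesktop"):
        ("desktop icons hidden", lambda v: v == 1),
    (r"software\microsoft\internet explorer\download", "checkexesignatures"):
        ("publisher signature warning off", lambda v: str(v).lower() == "no"),
    (r"software\microsoft\windows\currentversion\policies\attachments", "savezoneinformation"):
        ("zone information not saved", lambda v: v == 1),
}
RUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
)
# Staging locations used by the two write-ups on this page.
SUSPICIOUS_PATH = re.compile(r"(appdata|application data|\\temp\\)", re.I)
AFFILIATE_SUFFIX = re.compile(r'04208\.exe"?$', re.I)   # Fakesysdef.BDF naming


def parse_reg_export(text: str) -> dict:
    """Parse `reg export` output into {key: {name: value}}; dword and quoted strings only."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, raw = line.partition("=")
        name = name.strip('"')
        if raw.startswith("dword:"):
            value = int(raw[6:], 16)
        elif raw.startswith('"') and raw.endswith('"'):
            # .reg escapes backslashes and quotes inside REG_SZ values
            value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            continue            # binary/expand types are out of scope here
        result[current][name] = value
    return result


def _subkey(full_key: str) -> str:
    """Drop the hive name and lower-case the rest for matching."""
    return full_key.split("\\", 1)[1].lower() if "\\" in full_key else ""


def find_lockdown_indicators(text: str) -> list:
    """Return one human-readable finding per suspicious value in the export."""
    findings = []
    for key, values in parse_reg_export(text).items():
        sub = _subkey(key)
        for name, value in values.items():
            desc = POLICY_INDICATORS.get((sub, name.lower()))
            if desc and desc[1](value):
                findings.append(f"{desc[0]}: {key}\\{name} = {value!r}")
            if sub in RUN_KEYS and isinstance(value, str):
                if SUSPICIOUS_PATH.search(value):
                    findings.append(f"autorun from user-writable path: {key}\\{name} -> {value}")
                if AFFILIATE_SUFFIX.search(value):
                    findings.append(f"filename ends in affiliate-style suffix 04208: {value}")
    return findings


# Constructed export: value names/paths mirror the write-ups, the Run entry names are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"uaaiHfWFhq"="\"C:\\Documents and Settings\\Administrator\\Application Data\\uaaiHfWFhq.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"x7f2"="\"C:\\Documents and Settings\\All Users\\Application Data\\jB04208NpCpC04208\\jB04208NpCpC04208.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDesktop"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001
'''

if __name__ == "__main__":
    for line in find_lockdown_indicators(SAMPLE_REG):
        print(line)
```

Because the values are per-user, run the export (and any cleanup) in the context of the affected account; an export of HKEY_USERS\.DEFAULT or another profile will come back clean.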

Here are some screenshots of the fake utility in action:

It generates fake warnings:
screenshot

screenshot

It simulates a scan and displays fake error messages:
screenshot

screenshot

screenshot

If the user proceeds to buy the advanced module it displays the following screen asking for credit card and personal information:

screenshot

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: FakeSysdef (Trojan)
  • GAV: FakeSysdef.A (Trojan)
  • GAV: Fakesysdef.BDA (Trojan)
  • GAV: Fakesysdef.BDB (Trojan)
  • GAV: Fakesysdef.BDC (Trojan)
  • GAV: Fakesysdef.BDD_2 (Trojan)
  • GAV: Fakesysdef.BDE (Trojan)
  • GAV: Dapato.AR (Trojan)
  • GAV: Dapato.D (Trojan)

HP Data Protector Client Command Execution Vulnerability (June 2, 2011)

HP OpenView Storage Data Protector is a backup solution that provides data protection and high availability for fast-growing business data. Data Protector offers backup and restore functionality tailored for enterprise-wide and distributed environments. Data Protector has the following major features:

  • Scalable and Highly Flexible Architecture
  • Supporting Mixed Environments
  • Easy Installation for Mixed Environments
  • Easy Central Administration
  • Easy Restore
  • High Availability Support

HP Data Protector Architecture is based on the concept of a cell: a network environment that contains a Cell Manager, clients, and backup agents. The backup agents provide the Data Protector Backup Client Service which is implemented by the OmniInet process. The OmniInet process (omniinet.exe) is responsible for communication between systems in the cell as well as for starting other processes that are used for backup and restore operations. The service is started when the Data Protector is installed on a system.

The backup agent supports various message types in its communication with clients. The message is made up of multiple variable length strings. Each string is terminated with a NULL character. The strings may be ASCII or Unicode encoded. The encoding is determined by an optional two byte field at offset 4 in the message. The possible values are shown below:

  Value   Represents
  0xFFFE  Unicode (UTF-16) Little Endian byte order
  0xFEFF  Unicode (UTF-16) Big Endian byte order
  none    ASCII

A command execution vulnerability exists in the way the HP Data Protector client handles the message described above. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted message to the HP Data Protector client. Successful exploitation results in command execution with SYSTEM privileges.
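The message format above (a 4-byte prefix, an optional byte-order mark at offset 4, then NUL-terminated strings in the encoding the mark selects) is simple enough to decode in a few lines, and the two IPS signatures released for it are generic directory-traversal matches, so a decoder plus a traversal check on each string is the natural inspection step. The following is an added example, not HP's code or SonicWALL's signature logic: it detects the encoding from the marker, splits the strings with the right terminator width (one NUL byte for ASCII, a 16-bit NUL for UTF-16), and reports any field carrying a `../` or `..\` sequence. The meaning of the first four bytes is not documented on the page, so they are carried through as an opaque prefix; the sample messages and field contents are constructed for the example.

```python
BOM_LE = b"\xff\xfe"      # 0xFFFE at offset 4 -> UTF-16 little-endian strings
BOM_BE = b"\xfe\xff"      # 0xFEFF at offset 4 -> UTF-16 big-endian strings
PREFIX_LEN = 4            # bytes before the optional marker; meaning not on the page
TRAVERSAL = ("../", "..\\")


class DpMessageError(ValueError):
    """Raised when a message does not follow the described framing."""


def detect_encoding(data: bytes) -> tuple:
    """Return (codec name, offset of the first string) from the marker at offset 4."""
    marker = data[PREFIX_LEN:PREFIX_LEN + 2]
    if marker == BOM_LE:
        return "utf-16-le", PREFIX_LEN + 2
    if marker == BOM_BE:
        return "utf-16-be", PREFIX_LEN + 2
    return "ascii", PREFIX_LEN          # no marker: plain ASCII strings


def parse_dp_message(data: bytes) -> dict:
    """Split a client message into its NUL-terminated strings."""
    if len(data) < PREFIX_LEN:
        raise DpMessageError("message shorter than the 4-byte prefix")
    encoding, start = detect_encoding(data)
    body = data[start:]
    if encoding == "ascii":
        if not body.endswith(b"\x00"):
            raise DpMessageError("last string is not NUL-terminated")
        fields = [f.decode("ascii", errors="replace") for f in body[:-1].split(b"\x00")]
    else:
        if len(body) % 2:
            raise DpMessageError("odd byte count in a UTF-16 body")
        text = body.decode(encoding)     # utf-16-le/-be codecs leave the BOM handling to us
        if not text.endswith("\x00"):
            raise DpMessageError("last string is not NUL-terminated")
        fields = text[:-1].split("\x00")
    return {"prefix": data[:PREFIX_LEN], "encoding": encoding, "fields": fields}


def find_traversal(fields) -> list:
    """Fields containing a parent-directory sequence, the pattern IPS 6612/6613 look for."""
    return [f for f in fields if any(t in f for t in TRAVERSAL)]


def validate_dp_message(data: bytes) -> str:
    """'ok', 'traversal in field N', or the framing error text."""
    try:
        msg = parse_dp_message(data)
    except DpMessageError as exc:
        return str(exc)
    hits = find_traversal(msg["fields"])
    if hits:
        return f"traversal in field {msg['fields'].index(hits[0])}"
    return "ok"


def build_dp_message(prefix: bytes, fields, encoding: str = "ascii") -> bytes:
    """Assemble a message in the described framing (for test input only)."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly 4 bytes")
    if encoding == "ascii":
        return prefix + b"".join(f.encode("ascii") + b"\x00" for f in fields)
    bom = BOM_LE if encoding == "utf-16-le" else BOM_BE
    return prefix + bom + "".join(f + "\x00" for f in fields).encode(encoding)


# Constructed samples: prefix is a placeholder, field values are invented.
PREFIX = b"\x00\x00\x00\x00"
SAMPLE_ASCII = build_dp_message(PREFIX, ["1", "hostA", "backup-job-17"])
SAMPLE_LE = build_dp_message(PREFIX, ["1", "hostA", "..\\..\\..\\not-a-real-path"], "utf-16-le")
SAMPLE_BE = build_dp_message(PREFIX, ["1", "hostB"], "utf-16-be")

if __name__ == "__main__":
    for sample in (SAMPLE_ASCII, SAMPLE_LE, SAMPLE_BE):
        print(parse_dp_message(sample)["encoding"], validate_dp_message(sample))
```

Checking the traversal sequence after decoding, rather than on the raw bytes, is the point of handling the byte-order mark: in UTF-16 the characters are interleaved with NUL bytes, so a byte-level match on `..\` misses the encoded form.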

The SonicWALL UTM team has researched this vulnerability and created the following IPS signatures for it:

  • 6612 Generic Server Application Directory Traversal 5
  • 6613 Generic Server Application Directory Traversal 6

This vulnerability is identified as CVE-2011-0923.

Facebook worm targets Mac and Windows users (June 1, 2011)

SonicWALL UTM found reports of a new Facebook malware campaign targeting Mac OS X and Windows users. At the time of writing this alert, the malware is actively spreading through Facebook via a fake viral video.

A few weeks back we saw the first Rogue AV malware targeting Mac and Windows users via poisoned Google search results. This is the first instance of a Facebook clickjacking worm targeting Mac and Windows users alike, here via a fake controversial video claiming to be of IMF boss Dominique Strauss-Kahn, in reference to the news story that made headlines a few weeks back. This is a classic example of malware authors using social engineering to reach a large number of users through social media.

screenshot

If a Mac user clicks on the video, it will redirect the user to a Fake AV landing page that will run an animation showing Apple security center malware scanning and eventually fake infections. It then prompts the user to download and install Rogue AV in order to clean up the infections as seen below:

screenshot

screenshot

screenshot

Besides displaying fake infection alerts, it also randomly opens pornographic websites in the browser from a predetermined list. This Rogue AV is similar in functionality to MACDefender, except that it does not prompt the user for an administrator password in order to install. We were also able to confirm that this new Rogue AV variant evades the latest Apple security update.

If a Windows user clicks on the video, it redirects the user to a fake YouTube look-alike site that prompts with a fake message to update Adobe Flash Player in order to view the video. If the user runs the “Flash update” offered by that site, a Trojan executable is downloaded and installed, as seen below:

screenshot

The dropped malware files for both Windows and Mac had very low AV detection rates at the time of writing this alert.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: MacDefender.A (Trojan)
  • GAV: MacDefender.FB (Trojan)
  • GAV: MalAgent.E_8 (Trojan)

RealNetworks RealGames ActiveX Command Execution (May 27, 2011)

RealNetworks operates a digital games service that includes downloadable and online games and subscription services. RealNetworks RealGames provides games for PC, mobile and social networks. RealGames owns multiple gaming brands such as RealArcade, Zylom and Gamehouse, among others. My Farm Life is one of the games that RealGames Gamehouse provides. During installation of My Farm Life, an ActiveX control, StubbyUtil, is installed and registered as safe for scripting. The associated ClassID for this control is “5818813e-d53d-47a5-abbb-37e2a07056b5”.
The control can be instantiated via a web page as in the following example:

  

The object exposes several methods such as CreateVistaTaskLow, Exec, ExecLow and ShellExec. The methods’ prototypes are shown:

  void CreateVistaTaskLow(BSTR ExecutablePath, BSTR Arguments, SystemString workDir)
  Boolean Exec(SystemString mod, SystemString cmdline, System boolan _MID_0098, System boolan _MID_0099)
  Boolean ExecLow(SystemString _MIDL_0117, SystemString cmdline, SystemString workDir)
  void ShellExec(SystemString _MIDL_0118)

A command injection vulnerability exists in the StubbyUtil ActiveX control included with the My Farm Life application. The vulnerability is due to a design flaw in the control: it exposes several privileged methods to scripting while implementing no access controls or restrictions on who may call them. Because the control is marked safe for scripting, any web page the browser loads can call these methods. A remote attacker can inject and execute arbitrary Windows shell commands and binary executables on the client machine by passing them as arguments to the affected methods.
Remote, unauthenticated attackers can exploit this vulnerability by enticing target users to open a specially crafted web page.
Successful exploitation allows arbitrary command injection and execution with the privileges of the currently logged-in user.
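Signature 6640 keys on invocation of the ShellExec method; the same idea can be applied to proxied or captured HTML when checking whether a page targets this control. The following is an added example, not SonicWALL's signature or RealNetworks code: it pulls every `<object>` tag out of a page, compares the classid with the ClassID printed in the write-up after stripping braces, hyphens and case (so it matches whichever punctuation the page author used), and then looks for calls to the four privileged methods on the instantiated object. The sample HTML is constructed for the example; the method argument in it is a placeholder.

```python
import re

# ClassID from the write-up, with all punctuation removed for comparison.
STUBBYUTIL_CLSID = "5818813ed53d47a5abbb37e2a07056b5"
PRIVILEGED_METHODS = ("CreateVistaTaskLow", "Exec", "ExecLow", "ShellExec")

OBJECT_TAG_RE = re.compile(r"<object\b([^>]*)>", re.I | re.S)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)


def _norm_clsid(value: str) -> str:
    """Lower-case and keep only hex digits: {5818813E-D53D-...} -> 5818813ed53d..."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def _attrs(tag_body: str) -> dict:
    """Attribute name -> value for one tag, handling double-, single- and unquoted values."""
    out = {}
    for m in ATTR_RE.finditer(tag_body):
        out[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ""
    return out


def scan_page(html: str) -> list:
    """Findings for StubbyUtil instantiation and privileged method calls in a page."""
    findings, instance_ids = [], []
    for m in OBJECT_TAG_RE.finditer(html):
        attrs = _attrs(m.group(1))
        classid = attrs.get("classid", "")
        # classid="clsid:xxxx" -> take the part after the scheme
        if _norm_clsid(classid.split(":")[-1]) == STUBBYUTIL_CLSID:
            oid = attrs.get("id") or attrs.get("name") or "<anonymous>"
            instance_ids.append(oid)
            findings.append(f"StubbyUtil control instantiated as '{oid}'")
    for oid in instance_ids:
        for meth in PRIVILEGED_METHODS:
            # "\.\s*Exec\s*\(" does not match "ShellExec(" because of the dot anchor
            pat = re.compile(re.escape(oid) + r"\s*\.\s*" + meth + r"\s*\(")
            for _ in pat.finditer(html):
                findings.append(f"call to {oid}.{meth}()")
    if not instance_ids:
        # Script may reach the object indirectly (document.getElementById etc.);
        # still report the method names on their own, at lower confidence.
        for meth in PRIVILEGED_METHODS:
            if re.search(r"\.\s*" + meth + r"\s*\(", html):
                findings.append(f"call to .{meth}() without a visible object tag")
    return findings


# Constructed page: one StubbyUtil object, one unrelated object, one method call.
SAMPLE_HTML = """<html><body>
<object id="su" classid="clsid:5818813E-D53D-47A5-ABBB-37E2A07056B5"></object>
<object id="player" classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<script>
  su.ShellExec("placeholder.exe");
</script>
</body></html>"""

BENIGN_HTML = """<object id="player" classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<script>player.play();</script>"""

if __name__ == "__main__":
    for line in scan_page(SAMPLE_HTML):
        print(line)
```

On the host side the fix for a safe-for-scripting control that should never have been scriptable is the ActiveX kill bit: a DWORD `Compatibility Flags` value of 0x400 under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}` stops Internet Explorer from loading the control at all, independent of whether the game is updated.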

SonicWALL has released the following IPS signatures to address this threat:

  • 6640 – RealNetworks RealGames ActiveX ShellExec Method Invocation
  • 6641 – Suspicious JavaScript Code 1
  • 6642 – Suspicious JavaScript Code 2

In addition to the signatures released to specifically address this vulnerability, SonicWall has existing generic IPS signatures that detect and block suspicious shellcode that is often used to exploit flaws such as this one.

Fake VirusTotal serves Drive-by Download Malware (May 24, 2011)

The SonicWALL UTM Research team received reports of a fake VirusTotal website serving malware through a drive-by download. When the site is visited, an embedded Java applet downloads the malware, as seen below:

Fake VirusTotal Website: http://ne{REMOVED}otal.tk/

screenshot

The applet is unsigned and prompts for the user’s permission to run. If the user proceeds and runs the applet it downloads the malware and executes it. The downloaded malware uses the following icon:

    screenshot

This malware is also known as n0ise bot, a DDoS bot designed primarily to recruit zombies for the malware author’s botnet. Supported attacks include the following:

  • UDP Flood
  • ICMP Flood
  • SYN Flood
  • HTTP Flood

Other features of this malware include:

  • Anti Cain
  • Anti Debugger
  • Anti Emulator
  • Anti Filemon
  • Anti Netstat
  • Anti Networkmon
  • Anti ParallelsDesktop
  • Anti Processmon
  • Anti Regmon
  • Anti TCPView
  • Anti VirtualBox
  • Anti VirtualPC
  • Anti VMWare
  • Anti Wireshark

Command and Control Server:

Server Name: http://rea{REMOVE}trol.de/bot/gate.php

The malware sends the following system information to the remote server:

  • Bot Version
  • PC Name
  • Windows Version
  • IP Address

Backdoor Functionality:

  • Update Bot
  • Remove Bot
  • CheckInstall
  • Self Destruct
  • Disable Procedures
  • Get Server Command

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Arcdoor.AG (Worm)
  • GAV: Downloader.AJ (Exploit)

Drive-by download leads to Backdoor Trojan (May 11, 2011)

The SonicWALL UTM Research team discovered instances of malicious Java applets being used to perform drive-by downloads of malware. Once the applet runs, the malware is downloaded and executed without any further user interaction. The downloaded malware was found reporting system information back to a remote server and it also opens a backdoor on the victim’s machine. When a user visits a malicious domain hosting the applet, it runs as seen below:

screenshot

The applet is unsigned and prompts for the user’s permission to run. If the user proceeds and runs the applet it downloads a file silently and executes it. The downloaded executable performs the following activities:

  • It creates the following copies of the same file:
    • %appdata%\DocumentWriter.exe [Detected as GAV: VB.SGQ (Trojan)]
    • %temp%\privzate.exe [Detected as GAV: VB.SGQ (Trojan)]
    • %temp%\6858.jpg [Detected as GAV: VB.SGQ (Trojan)]
    • %temp%\51156.jpg [Detected as GAV: VB.SGQ (Trojan)]

  • It creates the following registry entry to ensure that it runs on every system reboot:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: ”%appdata%\DocumentWriter.exe”
  • It determines the public IP address by performing the following HTTP request to api.ipinfodb.com
    • GET /v2/ip_query_country.php?key=1d1bb511aed00402daada8d8706f74b477e3172d0ca020deab3b43c16441a73d&timezone=off

  • It opens a backdoor listening on TCP port 1232
  • It sends information back to a remote server such as version, infection date, IP address, OS information and screenshots

screenshot

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: ClsDLod.A (Trojan)
  • GAV: ClsDLod.A_2 (Trojan)
  • GAV: VB.SGQ (Trojan)

FakeXvid.A – Increase in drive-by infections (May 20, 2011)

The SonicWALL UTM research team has seen a sudden increase in drive-by infection malware. Such infection takes place simply by visiting a website that uses a known browser exploit. Some of these websites are hosted on legitimate servers that have been compromised.

The Trojan is being actively spammed via e-mails containing malicious links:

The link in the email directs the user to a malicious website pretending to host a video that requires the XVID codec:

screenshot

The website page contains an iframe HTML tag that causes the download of a malicious PDF file:

The PDF file uses a known exploit, delivered via heap spray, to run malicious code. That code decrypts and runs a script which downloads and runs setup.exe [Detected as Kryptik.NTI_3 (Trojan)]:

The webpage will also initiate the download of XvidSetup.exe [Detected as FakeXvid.A (Trojan)]:

The Trojan performs the following DNS queries:

  • smtp.mail.ru

The Trojan creates the following files on the filesystem:

  • C:\Documents and Settings\{USER}\Local Settings\Temp\setup.exe [Detected as GAV: Kryptik.NTI_3 (Trojan)]
  • C:\Documents and Settings\{USER}\Local Settings\Temporary Internet Files\Content.IE5\SL2VSXQV\37dbbd[2].pdf [Detected as GAV: Pdfka.OSQ (Trojan)]

The Trojan creates the following key in the Windows registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutoStart “C:\DOCUME~1\{USER}\LOCALS~1\Temp\setup.exe”

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: FakeXvid.A (Trojan)
  • GAV: Kryptik.NTI_3 (Trojan)
  • GAV: Pdfka.OSQ (Trojan)
