Postfix SASL AUTH Reuse Memory Corruption (May 20, 2011)

Postfix is a mail server for Unix-like platforms commonly used as a replacement for Sendmail. The SMTP protocol defines a set of commands used to deliver email messages between connected systems. SMTP was originally specified in RFC 821 (since superseded by RFC 5321); the AUTH extension is specified in RFC 4954. SMTP commands are composed of ASCII text terminated by the CRLF sequence. In a standard SMTP session, an exchange ensues to ensure that the client is communicating with the correct host. Each SMTP session begins with the server sending a 220 ready reply to the client. The client then sends a HELO (or EHLO) command, to which the server responds with a 250 OK. In configurations where a client must authenticate to the SMTP server, the client sends the AUTH command, naming the authentication mechanism it wants to use. An SMTP session is terminated when the client sends the QUIT command. The format of the AUTH command is as follows:

 AUTH <SP> <mechanism> <CRLF>

Where AUTH is the first word on a new line, <SP> is one space character (0x20), <mechanism> is the name of the SASL mechanism to use, and <CRLF> is the end of line character sequence.
Simple Authentication and Security Layer (SASL) is a framework providing authentication and data security services in connection-oriented protocols via replaceable mechanisms. The Postfix server can use several SASL implementations, such as Cyrus and Dovecot. Some of the supported authentication mechanisms are:

  • ANONYMOUS
  • CRAM-MD5
  • PLAIN
  • GSSAPI
  • DIGEST-MD5
  • LOGIN
  • SRP

When SASL authentication is enabled, Postfix creates a Cyrus SASL server handle for each SMTP session and, in the affected versions, keeps using it until the SMTP connection is closed. A Cyrus SASL server handle is not supposed to be reused after a client authentication attempt fails or is aborted; the server should create a new handle for every client authentication request. In the affected versions, the only time Postfix created a new SASL handle within the same SMTP session was when the client and server switched from a plaintext session to an encrypted one (STARTTLS).

A memory corruption vulnerability exists in the Postfix SMTP server when it uses the Cyrus SASL library. The vulnerability is due to the Postfix server failing to create a new SASL handle after a client authentication failure with certain authentication mechanisms.
Each Cyrus SASL authentication mechanism comprises session data structures that hold mechanism data, pointers to the functions implementing the mechanism, and the authentication state.
When an authentication exchange that has already been initialized is aborted by the client and a new authentication request is subsequently sent, Postfix fails to create a new SASL handle for the new request. Instead, it reuses the session context data structures that were allocated for the previous authentication exchange, which can lead to heap memory corruption.
A remote attacker could exploit this vulnerability by sending an AUTH command using an affected SASL mechanism, aborting the exchange, and subsequently sending another AUTH command. Successful exploitation results in memory corruption; execution of arbitrary code within the context of the process may also be possible.

This vulnerability has been assigned the identifier CVE-2011-1720 by MITRE. SonicWall has released an IPS signature that addresses this issue. The following signature has been released:

  • 6619 – Postfix SASL AUTH Handle Reuse Memory Corruption

Microsoft Security Bulletins Coverage (May 10, 2011)

SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of May 2011. A list of the issues reported, along with SonicWALL coverage information, follows:

MS11-035 Vulnerability in WINS Could Allow Remote Code Execution (2524426)

  • CVE-2011-1248 WINS Service Failed Response Vulnerability
    IPS: 4573 Generic Server Application Shellcode Exploit 10

MS11-036 Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2545814)

  • CVE-2011-1269 Presentation Memory Corruption RCE Vulnerability
    IPS: 6576 Malicious PowerPoint Document 2b
  • CVE-2011-1270 Presentation Buffer Overrun RCE Vulnerability
    IPS: 6577 Malicious PowerPoint Document 3b

MS Excel catLabel Pointer Manipulation (May 06, 2011)

Microsoft Excel is a commercial spreadsheet application written and distributed by Microsoft for Microsoft Windows and Mac OS X. It features calculation, graphing tools, pivot tables, and a macro programming language called Visual Basic for Applications. The common extension used for Microsoft Excel documents is .xls or .xlw.

The file format used for storing Microsoft Excel documents is known as the Binary Interchange File Format (BIFF). Each version of Microsoft Excel uses a different, though similar, format. Detailed file format information can be found on the OpenOffice website and on Microsoft’s official website. The compatibility chart is presented below:

  Application version          File version   Start-of-file identifier (bytes)
  Excel 2.1                    BIFF2          09 00
  Excel 3.0                    BIFF3          09 02
  Excel 4.0                    BIFF4          09 04
  Excel 5.0                    BIFF5          D0 CF 11 E0 A1 B1 1A E1
  Excel 7.0 (Excel 95)         BIFF7          D0 CF 11 E0 A1 B1 1A E1
  Excel 8.0 (Excel 97)         BIFF8          D0 CF 11 E0 A1 B1 1A E1
  Excel 9.0 (Excel 2000)       BIFF8          D0 CF 11 E0 A1 B1 1A E1
  Excel 10.0 (Excel 2002)      BIFF8X         D0 CF 11 E0 A1 B1 1A E1
  Excel 11.0 (Excel 2003)      BIFF8X         D0 CF 11 E0 A1 B1 1A E1

Note that versions before BIFF5 store the workbook as a flat record stream. In BIFF5 and later, data inside all Office document files is stored in a series of streams whose locations are described by several sector allocation tables. This container is generally referred to as the OLE (Object Linking and Embedding) compound file format. An allocation table contains values that chain together the sectors making up each stream within the file. The streams contain meta-data about the document, such as the author name and subject, and, in the case of Excel documents, the individual sheet names. Excel-specific data is organized as a series of records. The common structure of an Excel record is a 2-byte identifier, followed by a 2-byte data size, followed by the number of data octets specified in the size field:

  Offset    Size      Contents
  0x0000    2 bytes   Identifier (record type)
  0x0002    2 bytes   Size N of the following data
  0x0004    N bytes   Record data

The CatSerRange record specifies the properties of a category (3) axis, date axis, or series axis. The CatSerRange record has the two-byte identifier 4128 (0x1020), and its Record Data has the following structure:

  Offset    Size      Contents
  0x0000    2 bytes   catCross – a signed integer specifying where the value axis crosses this axis.
  0x0002    2 bytes   catLabel – a signed integer specifying the interval between the axis labels on this axis. Must be in the range [1, 31999].
  0x0004    2 bytes   catMark – a signed integer specifying the interval between tick marks.
  0x0006    2 bytes   Flags, of which 3 bits are used:
                      fBetween (bit 0) – whether the value axis crosses this axis between major tick marks.
                      fMaxCross (bit 1) – whether the value axis crosses this axis at its last category or series rather than at the position given by catCross.
                      fReverse (bit 2) – whether the axis is displayed in reverse order.
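The record layout above is enough to write the check a document scanner would apply before Excel ever sees the file: walk the record stream, decode every CatSerRange, and reject a catLabel outside [1, 31999]. The following Python is an added example for this page, not SonicWall or Microsoft code. It assumes the raw BIFF record stream is already in hand (for BIFF5 and later that is the Workbook stream inside the OLE container; extracting it from the container is not shown), and the sample stream it scans is constructed in the file.

```python
"""Walk a BIFF record stream and validate CatSerRange (0x1020) records.

Added example, not SonicWall or Microsoft code.  Operates on the raw record
stream (the Workbook stream of a BIFF5+ file, extraction not shown) and
applies the specification's range check for catLabel.  Sample data is
constructed below.
"""
import struct

RECORD_HEADER = struct.Struct("<HH")   # record identifier, size of data
BOF_BIFF8 = 0x0809
CATSERRANGE = 0x1020
EOF = 0x000A


def iter_records(stream):
    """Yield (offset, identifier, data) for each record; refuse truncated ones."""
    off = 0
    while off + RECORD_HEADER.size <= len(stream):
        rid, size = RECORD_HEADER.unpack_from(stream, off)
        data = stream[off + 4:off + 4 + size]
        if len(data) != size:
            raise ValueError("record 0x%04X at offset %d is truncated" % (rid, off))
        yield off, rid, data
        off += 4 + size


def parse_catserrange(data):
    """Decode the 8-byte CatSerRange body: three signed shorts and a flags word."""
    if len(data) != 8:
        raise ValueError("CatSerRange data must be 8 bytes, got %d" % len(data))
    cat_cross, cat_label, cat_mark, flags = struct.unpack("<hhhH", data)
    return {
        "catCross": cat_cross,
        "catLabel": cat_label,
        "catMark": cat_mark,
        "fBetween": bool(flags & 0x1),
        "fMaxCross": bool(flags & 0x2),
        "fReverse": bool(flags & 0x4),
    }


def scan(stream):
    """Return (offset, problem, value) for every CatSerRange that violates the spec."""
    findings = []
    for off, rid, data in iter_records(stream):
        if rid != CATSERRANGE:
            continue
        try:
            rec = parse_catserrange(data)
        except ValueError:
            findings.append((off, "bad CatSerRange size", len(data)))
            continue
        if not 1 <= rec["catLabel"] <= 31999:
            findings.append((off, "catLabel out of range", rec["catLabel"]))
    return findings


def record(rid, data):
    """Build one record: header followed by data."""
    return RECORD_HEADER.pack(rid, len(data)) + data


# Constructed stream: BOF, one valid and two out-of-range CatSerRange records, EOF.
SAMPLE_STREAM = b"".join([
    record(BOF_BIFF8, bytes(16)),
    record(CATSERRANGE, struct.pack("<hhhH", 1, 1, 1, 0x1)),
    record(CATSERRANGE, struct.pack("<hhhH", 1, 32000, 1, 0)),
    record(CATSERRANGE, struct.pack("<hhhH", 0, -1, 1, 0)),
    record(EOF, b""),
])

if __name__ == "__main__":
    for finding in scan(SAMPLE_STREAM):
        print("offset %d: %s (%d)" % finding)
```

Because catLabel is a signed field, a value such as 0xFFFF decodes to -1 and fails the lower bound; a scanner that read it as unsigned would miss that case while still catching 32000.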

A pointer manipulation vulnerability exists in Microsoft Excel when parsing a CatSerRange record. An attacker must entice the target user to open a malicious Excel document in order to exploit this vulnerability. By exploiting this vulnerability, an attacker can inject and execute arbitrary code with the privileges of the currently logged-in user.

SonicWALL UTM research team has investigated this issue, and released the following IPS signatures for the exploits.

  • 6555 MS Excel catLabel Pointer Manipulation PoC 1
  • 6556 MS Excel catLabel Pointer Manipulation PoC 2

This vulnerability is tracked as CVE-2011-0978 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0978).

Rogue AV targeting Mac users – MACDefender (May 4, 2011)

SonicWALL UTM found reports of a new Rogue AV application called MACDefender targeting Apple’s Mac OS X users.

As seen in the past, Rogue AV cyber-criminals are known to take advantage of the latest news stories that interest a large user base by poisoning Google search results. When an unsuspecting user clicks on these search results, they are led to the download of Fake AV malware, as seen previously with Valentine’s Day, Wikileaks and Holiday Shopping Deals.

This is the first instance where we saw SEO poisoning techniques being used to target both Windows and Mac OS X users alike. Search terms like “Osama bin laden”, or even simple terms like “piranhas”, on Google web or image search were returning poisoned results; clicking on them executed malicious JavaScript that led to the download of Fake AV malware. For Mac OS X Safari users, the downloaded payload is called BestMacAntivirus2011.mpkg.zip, as opposed to BestAntivirus2011.zip for Windows users.

Following are the screenshots showing MACDefender infection if the user runs the file:

[screenshots]

If the user attempts to clean the infections, it prompts the user to buy the software and enter a serial number; valid serial numbers were easy to find inside the payload itself, as seen below:

[screenshots]

Besides displaying fake infection alerts, it also opens pornographic websites in the browser at random, chosen from a predetermined list.

[screenshot]

SonicWALL Gateway AntiVirus provides protection against this Rogue AV malware via the following signatures:

  • GAV: MacDefender.A (Trojan)

SCADA Systems and Stuxnet (Feb 25, 2011)

Supervisory control and data acquisition (SCADA) generally refers to industrial control systems: computer systems that monitor and control industrial, infrastructure, or facility-based processes. Industrial processes include manufacturing, production, power generation, fabrication, and refining, and may run in continuous, batch, repetitive, or discrete modes. Infrastructure processes may be public or private, and include water treatment and distribution, wastewater collection and treatment, oil and gas pipelines, electrical power transmission and distribution, wind farms, civil defense siren systems, and large communication systems. Facility processes occur in both public and private facilities, including buildings, airports, ships, and space stations, where SCADA systems monitor and control HVAC, access, and energy consumption.

SCADA systems have evolved through three generations: Monolithic, Distributed and Networked. In the first generation, “Monolithic”, computing was done by mainframe computers; networks did not exist at the time SCADA was developed. In the second generation, “Distributed”, processing was distributed across multiple stations connected through a LAN, which shared information in real time using proprietary protocols. The current, “Networked”, generation uses an open system architecture rather than a vendor-controlled proprietary environment. These systems use open standards and protocols, and distribute functionality across a WAN rather than a LAN.

For current-generation SCADA systems, the SonicWALL UTM research team has researched the public protocols and created the following application signatures to monitor and control SCADA traffic.

  • 773 Modbus — Outbound TCP
  • 774 Modbus — Inbound TCP
  • 6017 ICCP — COTP Connection Request
  • 6018 ICCP — Unauthorized Association Request
  • 6019 ICCP — Unauthorized MMS Write Request Attempt
  • 6029 ICCP — Invalid OSI-SSEL
  • 6034 ICCP — Invalid OSI PSEL
  • 6035 DNP3 — Disable Unsolicited Responses
  • 6036 DNP3 — Unsolicited Response Storm
  • 6037 DNP3 — Cold Restart From Client
  • 6038 DNP3 — Stop Application
  • 6039 DNP3 — Warm Restart
  • 6040 DNP3 — Broadcast Request from Client

From the statistics, we can see that SCADA systems are distributed across the following countries:

  Country                      Networks       Hits
  UNITED STATES                    2182   15539047
  INDIA                             486      20317
  CANADA                            391     389251
  TAIWAN, PROVINCE OF CHINA         304    6479034
  ITALY                             266     150232
  UNITED KINGDOM                    224      42618
  SPAIN                             181       6823
  BRAZIL                            137      22696
  TURKEY                            123     480351
  GERMANY                           103    2499369

As described for the third generation of SCADA systems, open system architectures are increasingly replacing vendor-controlled proprietary environments. Because of the use of standard protocols, and because many networked SCADA systems are reachable from the Internet, these systems are potentially vulnerable to remote cyber-attacks. The security issues that researchers are most concerned about are:

  • the lack of concern about security and authentication in the design, deployment and operation of existing SCADA networks
  • the belief that SCADA systems have the benefit of security through obscurity through the use of specialized protocols and proprietary interfaces
  • the belief that SCADA networks are secure because they are physically secured
  • the belief that SCADA networks are secure because they are disconnected from the Internet

To address these concerns, the SonicWALL research team has devoted consistent effort to protecting customers from attackers making use of SCADA-related vulnerabilities. For example, the following IPS signatures were developed specifically for SCADA vulnerabilities. In addition, more than 100 generic shellcode IPS/GAV signatures cover other SCADA attacks.

  • 6027 Modbus TCP Illegal Packet Size
  • 5056 CitectSCADA Buffer Overflow Attempt
  • 5951 RealFlex SCADA SCPC_INITIALIZE BO Attempt
  • 5952 RealFlex SCADA SCPC_INITIALIZE_RF BO Attempt

Stuxnet, the best-known attack on SCADA systems, is a Windows computer worm discovered in July 2010 that targets industrial software and equipment. The worm initially spreads indiscriminately, but includes a highly specialized malware payload designed to target only SCADA systems that are configured to control and monitor specific industrial processes. Different variants of Stuxnet targeted five Iranian organizations, with the probable target widely suspected to be uranium enrichment infrastructure in Iran. It is reported that Iran’s nuclear program, which uses embargoed Siemens equipment procured clandestinely, was damaged by Stuxnet.

The SonicWALL research team paid attention to the Stuxnet worm when it was first discovered. The GAV signatures detecting Stuxnet were first created on July 13th, 2010. They are listed below; some may since have been retired because those variants have been removed from the affected websites.

  • 5423 Stuxnet
  • 4228 Stuxnet.A_5
  • 3917 Stuxnet.A_4
  • 1601 Stuxnet.A_3
  • 41726 Stuxnet.B
  • 42142 Stuxnet.B_2
  • 41962 Stuxnet.D
  • 41730 Stuxnet.A_2
  • 41728 Stuxnet.A

For the current deployment, we can see the top 10 networks affected by Stuxnet grouped by countries are:

  Country             Networks
  UNITED STATES            206
  INDIA                     11
  BRAZIL                    10
  CANADA                     8
  UNITED KINGDOM             3
  FRANCE                     2
  GERMANY                    2
  ICELAND                    2
  PHILIPPINES                2

CA Total Defense SQL Injection Vulnerability (Apr 29, 2011)

CA Total Defense combines CA Anti-Virus, CA Anti-Spyware, CA Gateway Security and CA Host-Based Intrusion Prevention System to provide multi-layered protection. CA Total Defense contains a component called Unified Network Control (UNC), which is responsible for validating network accesses. Remote management to the UNC is provided by the Unified Network Control Web Service (UNCWS); the UNCWS accepts both HTTP POST and SOAP XML requests.

An SQL injection vulnerability exists in the CA Total Defense UNCWS. Specifically, the vulnerability is due to a lack of sanitization of the modifiedData parameter in UNCWS requests. An attacker could exploit this vulnerability by sending a crafted HTTP POST or SOAP XML request to the target system. Successful exploitation would allow disclosure or manipulation of sensitive information. Arbitrary code execution on the target system is also possible, given the availability of the “exec” SQL function.
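The flaw class is worth seeing side by side with its fix. The following Python is an added example written for this page, not CA code: the UNCWS schema and the statement it builds from modifiedData are not public, so the table, columns and query below are hypothetical and only illustrate how an unsanitized request parameter rewrites a query, and how a bound parameter prevents it. SQLite stands in for the product’s database; since Python’s sqlite3 executes one statement per call, the demonstration is information disclosure rather than the exec-based code execution the advisory mentions. All data is constructed.

```python
"""Vulnerable versus parameterized handling of a modifiedData-style parameter.

Added example, not CA code.  Schema, query and rows are hypothetical and
constructed here; SQLite stands in for the product's database.
"""
import sqlite3


def build_db():
    """In-memory database with two constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE agents(host TEXT, modified_data TEXT, api_key TEXT);
        INSERT INTO agents VALUES ('ws01', '2011-04-29', 'key-for-ws01');
        INSERT INTO agents VALUES ('ws02', '2011-04-28', 'key-for-ws02');
    """)
    return con


def find_by_modified_vulnerable(con, modified_data):
    # The request parameter is spliced into the statement text, so a quote
    # in the value ends the literal and the rest is parsed as SQL.
    sql = "SELECT host, api_key FROM agents WHERE modified_data = '%s'" % modified_data
    return con.execute(sql).fetchall()


def find_by_modified_fixed(con, modified_data):
    # Bound parameter: the driver passes the value separately, so it can
    # never change the structure of the statement.
    sql = "SELECT host, api_key FROM agents WHERE modified_data = ?"
    return con.execute(sql, (modified_data,)).fetchall()


# Constructed injection payload: closes the literal and appends a tautology.
INJECTION = "nothing' OR '1'='1"

if __name__ == "__main__":
    con = build_db()
    print("vulnerable:", find_by_modified_vulnerable(con, INJECTION))
    print("fixed:     ", find_by_modified_fixed(con, INJECTION))
```

With the payload, the vulnerable query returns every row (every API key) because the WHERE clause became `modified_data = 'nothing' OR '1'='1'`; the parameterized query looks for a literal date equal to the whole payload string and returns nothing.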

The vulnerability has been assigned CVE-2011-1653.

SonicWALL has released an IPS signature to detect and block known exploits targeting this vulnerability. The following signature was released to address this issue:

  • 6523 – CA Total Defense Suite SQL Injection

Spam from your Facebook account – (Apr 29, 2011)

The SonicWALL UTM Research team received reports of a new spam campaign, spreading in the wild, that pretends to come from the Facebook Abuse Department. It carries a new variant of the Oficla Trojan, which SonicWALL blocks as GAV: Oficla.MME. This malware also downloads component files, including a mass mailer, an info-stealer and FakeAV malware.

The sample e-mail format of the spam campaign includes the following:

Subject:

  • Spam from your Facebook account
  • Spam from your account
  • Your password has been changed

Attachment: Attached_SecurityCode{Random Numbers}.zip

screenshot

If the user downloads and executes the malicious executable inside the zip attachment, it performs the following activity:

  • Creates the process SVCHOST.EXE and injects its code.
  • Deletes the original executable file

Downloads other malware:

  • %AppData%\gog.exe – [ detected as GAV: FakeAV.MME (Trojan) ]
  • %windir%\system32\aspimgr.exe – [ detected as GAV: Mailer.G (Trojan) ]
  • %temp%\Qojmytwjb.exe – [ detected as GAV: Mailer.G_2 (Trojan) ]
  • %temp%\grabbers – [ detected as GAV: Grabber.A (Trojan) ]

Dropped files:

  • %windir%\s32.txt
  • %windir%\ws386.ini
  • %temp%\_check32.bat
  • %AppData%\install

Added registry entries:

  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Value: Shell
    Data: "C:\Documents and Settings\research\Application Data\gog.exe"
  • Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr
    Value: ImagePath
    Data: %windir%\System32\aspimgr.exe

Network Activity:

HTTP GET Requests:

  • http://campaign{REMOVED}ions.ru/connect/load.php
  • http://campaign{REMOVED}hools.ru/connect/load.php
  • http://campf{REMOVED}om.ru/connect/load.php
  • http://camp{REMOVED}a.ru/connect/load.php

HTTP POST Requests:
This worm downloads a malware component that steals information from the system and sends that information to the following URL:

  • http://campaign{REMOVED}ations.ru/connect/grabbers.php

DNS Requests:

  • cl6{REMOVED}tart.ru
  • hy{REMOVED}ys.ru
  • ml6{REMOVED}art.ru
  • 94.244.80.60

Mass Mailer

Checks for internet connectivity by connecting to the following sites:

  • www.yahoo.com
  • www.web.de

Checks connectivity to SMTP servers by querying MX records, as shown below:

[screenshot]

Collects e-mail addresses but ignores addresses with the following strings:

  • abuse
  • accoun
  • admin
  • anyone
  • apache.org
  • arachnoid
  • -bugs
  • ca.com
  • caube
  • cauce
  • cauce.org
  • certific
  • -certs
  • ci.el-paso.tx.us
  • cloudmark.com
  • digsigtrust
  • e-trust
  • example
  • fraud
  • gold-certs
  • google
  • ht.ht
  • icrosof
  • linux
  • listserv
  • mailwasher
  • majordomo
  • messagelabs
  • mydomai
  • nobody
  • nodomai
  • noone
  • nothing
  • paulgraham.com
  • phishing
  • postmaster
  • privacy
  • rating
  • rx.t-online
  • samples
  • secur
  • service
  • somebody
  • someone
  • submit
  • support
  • symantec
  • thawte
  • the.bat
  • valicert
  • verisign
  • verisign.com
  • webmaster
  • webroot.com

Information Stealing
Steals credentials from the following applications:

Poker Games:

  • Full Tilt Poker
  • Pacificpoker
  • PartyPoker
  • Titan Poker

FTP Clients:

  • BitKinex
  • Bullet Proof FTP
  • BulletProof FTP Client 2009
  • BulletProof FTP Client 2010
  • ClassicFTP
  • CoffeeCup FTP
  • CuteFTP 6 Home
  • CuteFTP 6 Professional
  • CuteFTP 7 Home
  • CuteFTP 7 Professional
  • CuteFTP 8 Home
  • CuteFTP 8 Professional
  • CuteFTP Lite
  • CuteFTP Pro
  • CuteFTP
  • Dev Zero G
  • DirectFTP
  • ExpanDrive
  • FAR Manager FTP
  • FTP Commander
  • FTP Explorer
  • FTPClient
  • FTPRush
  • FileZilla
  • FlashFXP
  • Fling
  • Frigate3 FTP
  • NetDrive
  • SmartFTP
  • Sota
  • TurboFTP
  • WS_FTP
  • WebDrive

Web Browsers:

  • Flock
  • Google Chrome
  • IE
  • Mozilla
  • Opera
  • Safari
  • Seamonkey
  • Thunderbird

IM Clients:

  • AIM
  • ICQ
  • MSN
  • Messenger-2
  • Miranda
  • Trillian
  • Yahoo
  • Vypress

Mail Clients:

  • Eudora
  • Forte
  • Mail Commander
  • Mail.Ru
  • POP Peeper
  • PocoMail
  • Windows Mail

Others:

  • Myspace
  • Pandion
  • Sipphone

FakeAV

After installing the FakeAV application, it shows a fake Microsoft Security Essentials alert, as seen below:

[screenshot]

After clicking the “Scan Online” button, it shows this message and prompts for a reboot of the system:

[screenshot]

After the system reboots, the following FakeAV screens appear. It then asks the user to pay for the software to completely clean the system.

[screenshots]

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: FakeAV.MME (Trojan)
  • GAV: Grabber.A (Trojan)
  • GAV: Mailer.G (Trojan)
  • GAV: Mailer.G_2 (Trojan)
  • GAV: Oficla.MME (Trojan)

Adobe Flash Player ActionScript Vulnerability (Apr 22, 2011)

Adobe Flash is a multimedia platform. It is used to add animation, video, and interactivity to web pages, PDF files or even Microsoft Office documents.

Adobe Flash supports a scripting language called ActionScript, which is executed by the ActionScript Virtual Machine. ActionScript code is typically compiled into a bytecode format called ActionScript Byte Code (ABC). The bytecode verifier is responsible for safety checks, making sure there are no type-unsafe operations, stack underflows or overflows, improper array accesses, and so on.

A type confusion vulnerability exists in Adobe Flash Player ActionScript Virtual Machine. Specifically, the flaw exists in the implementation of callMethod bytecode command. The bytecode verifier fails to detect the stack misalignment under certain circumstances. An attacker can exploit this vulnerability by enticing a user to visit a crafted web page, open a crafted PDF file or open a crafted Office document; all of which may contain malicious Adobe Flash content. Successful exploitation would allow for arbitrary code execution with the privileges of the currently logged in user.

The vulnerability has been assigned CVE-2011-0611.

SonicWALL has released several IPS signatures to detect and block known exploits targeting this vulnerability. The following signatures were released to address this issue:

  • 6475 – Adobe Flash Player ActionScript callMethod Type Confusion 1
  • 6476 – Adobe Flash Player ActionScript callMethod Type Confusion 2

Fakerean_7 Malicious Fake Antivirus software

The SonicWALL UTM research team has seen an increase in Fake AV malware. Such malware attempts to scare users into buying fake antivirus software that performs fake scans and returns bogus results. Fakerean_7 (Trojan) is yet another piece of malware that performs such malicious activity.

The Trojan performs the following DNS queries:

  • {random 9-14 char domain}.com [we observed over 100 of these requests]
  • microsoft.com

The Trojan uses a typical Windows installer icon and claims to originate from Valve Corporation:

Upon infection the Trojan removes itself from the location it was run from. It then shows a fake virus scan informing the user that the system is infected with malware:

[screenshot]

Once the fake scan is complete, it informs the user that the system is infected with malware and that the user should register (buy) the software:

[screenshot]

Clicking the “register” button leads to the following page:

screenshot

The Trojan will periodically show variations of the following pop-ups:

The Trojan creates the following files on the filesystem:

  • C:\Documents and Settings\All Users\Application Data\c5t4g1kso4fl53 [Detected as GAV: Fakerean_7 (Trojan)]
  • C:\Documents and Settings\{USER}\Local Settings\Application Data\c5t4g1kso4fl53 [Detected as GAV: Fakerean_7 (Trojan)]
  • C:\Documents and Settings\{USER}\Local Settings\Application Data\hxk.exe [Detected as GAV: Fakerean_7 (Trojan)]
  • C:\Documents and Settings\{USER}\Local Settings\Temp\c5t4g1kso4fl53 [Detected as GAV: Fakerean_7 (Trojan)]
  • C:\Documents and Settings\{USER}\Templates\c5t4g1kso4fl53 [Detected as GAV: Fakerean_7 (Trojan)]

The Trojan creates the following keys in the Windows registry (value name, then data; @ is the default value):

Registry spawning keys (every .exe launch goes through hxk.exe):

  • HKEY_CLASSES_ROOT\.exe\DefaultIcon  @ = "%1"
  • HKEY_CLASSES_ROOT\.exe\shell\open\command  @ = "C:\Documents and Settings\{USER}\Local Settings\Application Data\hxk.exe" -a "%1" %*
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command  @ = "C:\Documents and Settings\{USER}\Local Settings\Application Data\hxk.exe" -a "%1" %*
  • HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command  @ = "C:\Documents and Settings\{USER}\Local Settings\Application Data\hxk.exe" -a "%1" %*
  • HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command  IsolatedCommand = "%1" %*
  • HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command  @ = "%1" %*
  • HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command  IsolatedCommand = "%1" %*
  • HKEY_USERS\S-1-5-21-1993962763-1202660629-1957994488-1003_Classes\exefile\shell\open\command  @ = "C:\Documents and Settings\{USER}\Local Settings\Application Data\hxk.exe" -a "%1" %*

Disabling the firewall:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile  EnableFirewall = dword:00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile  DoNotAllowExceptions = dword:00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile  DisableNotifications = dword:00000001

The Trojan deletes the following keys from the Windows registry:

To disable Windows Automatic Updates:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WUAUSERV\0000  ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WUAUSERV\0000  DeviceDesc = "Automatic Updates"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WUAUSERV\0000\Control  ActiveService = "wuauserv"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv  ImagePath = hex "%systemroot%\system32\svchost.exe -k netsvcs"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv  DisplayName = "Automatic Updates"

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Fakerean_7 (Trojan)

Rayon – Removable Storage Worm (Apr 13, 2011)

The SonicWALL UTM Research team observed a new variant of the Rayon worm spreading in the wild. It disables various Windows security features as well as security applications that may be used to detect the presence of the malware. The worm spreads through removable storage.

The executables use misleading icons and names as seen below:

screenshot

It performs the following activities when executed:

  • It creates the following copies of itself on the local drive:
    • %appdata%\Microsoft\Network\explorer.exe [Detected as GAV: Rayon.CG (Worm)]
    • iPhone Ringtone.exe [Detected as GAV: Rayon.CG (Worm)]
    • Symbian Ringtone.exe [Detected as GAV: Rayon.CG (Worm)]
    • WindowsMobile Ringtone.exe [Detected as GAV: Rayon.CG (Worm)]

  • It creates the following copies of itself on attached removable storage drives:
    • RECYCLER\RECYCLED.{645FF040-5081-101B-9F08-00AA002F954E}\autorun.exe [Detected as GAV: Rayon.CG (Worm)]
    • iPhone Ringtone.exe [Detected as GAV: Rayon.CG (Worm)]
    • Symbian Ringtone.exe [Detected as GAV: Rayon.CG (Worm)]
    • WindowsMobile Ringtone.exe [Detected as GAV: Rayon.CG (Worm)]

  • It creates an autorun.inf file on removable storage drives with the following contents:
        [screenshot]
  • It creates the following registry entry to ensure that the worm runs on every system reboot:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: "%appdata%\Microsoft\Network\explorer.exe"
  • It disables the following services:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache – the DNS client service, which caches DNS resolutions.
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc – the Error Reporting service.
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess – Windows Firewall / Internet Connection Sharing, which provides NAT, addressing and name resolution for shared connections.
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv – the Automatic Updates service.
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DCOM Client Launcher\Security – the Windows Firewall cannot run when DCOM is disabled.
  • It prevents security applications from being run by creating the registry entry HKEY_USERS\S-1-5-21-1275210071-573735546-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun with the following values:
    • 360rpt.exe
    • 360safe.exe
    • 360Safe.exe
    • 360safebox.exe
    • 360tray.exe
    • adam.exe
    • AgentSvr.exe
    • AppSvc32.exe
    • avconsol.exe
    • autoruns.exe
    • avgrssvc.exe
    • AvMonitor.exe
    • avp.com
    • avp.exe
    • CCenter.exe
    • ccSvcHst.exe
    • EGHOST.exe
    • FTCleanerShell.exe
    • FYFireWall.exe
    • FileDsty.exe
    • HijackThis.exe
    • IceSword.exe
    • Iparmor.exe
    • iparmo.exe
    • kabaload.exe
    • isPwdSvc.exe
    • KaScrScn.SCR
    • KASMain.exe
    • KASTask.exe
    • KAV32.exe
    • KAVDX.exe
    • KAVPF.exe
    • KAVPFW.exe
    • KAVSetup.exe
    • KAVStart.exe
    • KISLnchr.exe
    • KMailMon.exe
    • KMFilter.exe
    • KPFW32.exe
    • KPFW32X.exe
    • KPfwSvc.exe
    • KPFWSvc.exe
    • KRepair.com
    • KRegEx.exe
    • KsLoader.exe
    • KVCenter.kxp
    • KvDetect.exe
    • KvfwMcl.exe
    • KVMonXP.kxp
    • kvol.exe
    • KVMonXP_1.kxp
    • kvolself.exe
    • KvReport.kxp
    • KVScan.kxp
    • KVSrvXP.exe
    • KVStub.kxp
    • kvupload.exe
    • kvwsc.exe
    • KvXP.kxp
    • KvXP_1.kxp
    • KWatch.exe
    • KWatch9x.exe
    • KWatchX.exe
    • MagicSet.exe
    • mcconsol.exe
    • mmqczj.exe
    • mmsk.exe
    • Navapsvc.exe
    • Navapw32.exe
    • nod32.exe
    • nod32krn.exe
    • nod32kui.exe
    • NPFMntor.exe
    • OllyDBG.exe
    • OllyICE.exe
    • PFW.exe
    • PFWLiveUpdate.exe
    • QHSET.exe
    • procexp.exe
    • QQDoctor.exe
    • QQKav.exe
    • Ras.exe
    • RavMonD.exe
    • RavStub.exe
    • RawCopy.exe
    • RegClean.exe
    • RegTool.exe
    • rfwcfg.exe
    • rfwmain.exe
    • RfwMain.exe
    • rfwProxy.exe
    • rfwsrv.exe
    • rfwstub.exe
    • RsAgent.exe
    • Rsaupd.exe
    • runiep.exe
    • safebank.exe
    • safeboxTray.exe
    • safelive.exe
    • scan32.exe
    • shcfg32.exe
    • SmartUp.exe
    • SREng.exe
    • SysSafe.exe
    • symlcsvc.exe
    • TrojanDetector.exe
    • Trojanwall.exe
    • TrojDie.kxp
    • UIHost.exe
    • UmxAttachment.exe
    • UmxAgent.exe
    • UmxCfg.exe
    • UmxFwHlp.exe
    • UmxPol.exe
    • UpLive.exe
    • vsstat.exe
    • webscanx.exe
    • WinDbg.exe
    • WoptiClean.exe

  • It makes the following HTTP request to a remote IP address:
    • GET /cmd/cmd.php?s=0 HTTP/1.1 – This request returns encrypted data.
  • It launches the browser with advertising pages
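The registry changes documented above for Oficla (Winlogon Shell replaced by gog.exe), Fakerean_7 (the .exe open handler redirected through hxk.exe and the firewall policy zeroed) and Rayon (policies\Explorer\Run autostart and a DisallowRun blocklist of security tools) are the artifacts a responder checks for on a suspect machine. The following Python is an added example for this page, not SonicWall code: it parses a .reg export and applies one rule per indicator. The export text is constructed from the values listed in those three write-ups; a real `reg export` file is UTF-16LE and must be decoded before being passed in, and only REG_SZ and REG_DWORD values are parsed.

```python
"""Triage a Windows .reg export for the persistence and tampering indicators
described in the Oficla, Fakerean_7 and Rayon write-ups above.

Added example, not SonicWall code.  SAMPLE_REG is constructed from those
write-ups.  A real export is UTF-16LE: decode it first.  hex(...) values
and line continuations are not parsed.
"""
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')   # @=... or "name"=...


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)          # \\ -> \  and  \" -> "


def parse_reg(text):
    """Return {key: {value_name: value}}; the default value is stored under "@"."""
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = reg.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name = "@" if m.group(1) is None else _unescape(m.group(1))
        raw = m.group(2)
        if raw.startswith("dword:"):
            current[name] = int(raw[6:], 16)
        elif raw.startswith('"') and raw.endswith('"'):
            current[name] = _unescape(raw[1:-1])
    return reg


def _basename(path):
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def triage(reg):
    """Return (rule, key, detail) for every indicator found."""
    findings = []
    for key, values in reg.items():
        k = key.lower()
        if k.endswith("\\shell\\open\\command") and ("\\.exe\\" in k or "\\exefile\\" in k):
            cmd = values.get("@", "")
            if cmd != '"%1" %*':                 # Windows default for executables
                findings.append(("exe-handler-hijack", key, cmd))
        if k.endswith("\\windows nt\\currentversion\\winlogon"):
            shell = values.get("Shell")
            if shell is not None and _basename(shell) != "explorer.exe":
                findings.append(("winlogon-shell-replaced", key, shell))
        if k.endswith("\\policies\\explorer\\run"):
            for v in values.values():
                findings.append(("policy-run-autostart", key, v))
        if k.endswith("\\policies\\explorer\\disallowrun"):
            for v in values.values():
                findings.append(("disallowrun-blocklist", key, v))
        if "\\firewallpolicy\\" in k and values.get("EnableFirewall") == 0:
            findings.append(("firewall-disabled", key, "EnableFirewall=0"))
    return findings


# Constructed export built from the indicators in the three write-ups.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\research\\Local Settings\\Application Data\\hxk.exe\" -a \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="\"C:\\Documents and Settings\\research\\Application Data\\gog.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"1"="%appdata%\\Microsoft\\Network\\explorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="procexp.exe"
"2"="autoruns.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=dword:00000000
"DisableNotifications"=dword:00000001
"""

if __name__ == "__main__":
    for rule, key, detail in triage(parse_reg(SAMPLE_REG)):
        print("%-24s %s  ->  %s" % (rule, key, detail))
```

The runas\command entry is deliberately left at the Windows default so the exe-handler rule only fires on the hijacked open handler; on a real export the same rules should be run against HKEY_CLASSES_ROOT, HKEY_CURRENT_USER\Software\Classes and each HKEY_USERS\<SID>_Classes hive, since Fakerean_7 writes all three.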

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Rayon.CG (Worm)