Microsoft Security Bulletins Coverage (Mar 08, 2011)

SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of March, 2011. A list of the issues reported, along with SonicWALL coverage information, follows:

MS11-015 Vulnerabilities in Windows Media Could Allow Remote Code Execution (2510030)

  • CVE-2011-0032 – DirectShow Insecure Library Loading Vulnerability
    IPS 5726 Possible Binary Planting Attempt
  • CVE-2011-0042 – DVR-MS Vulnerability
    IPS 6307 Malicious Video File 5b

MS11-016 Vulnerability in Microsoft Groove Could Allow Remote Code Execution (2494047)

  • CVE-2010-3146 – Microsoft Groove Insecure Library Loading Vulnerability
    IPS 5726 Possible Binary Planting Attempt

MS11-017 Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2508062)

  • CVE-2011-0029 – Remote Desktop Insecure Library Loading Vulnerability
    IPS 5726 Possible Binary Planting Attempt

Microsoft Security Bulletins Coverage (April 12, 2011)

SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of April, 2011. A list of the issues reported, along with SonicWALL coverage information, follows:

MS11-018 Cumulative Security Update for Internet Explorer (2497640)

  • CVE-2011-0094 – Layouts Handling Memory Corruption Vulnerability
    IPS 6432 MS IE Memory Corruption Vulnerability
  • CVE-2011-0346 – MSHTML Memory Corruption Vulnerability
    There is no feasible method of detection.
  • CVE-2011-1245 – Javascript Information Disclosure Vulnerability
    IPS 6435 MS IE Javascript Information Disclosure Vulnerability
  • CVE-2011-1345 – Object Management Memory Corruption Vulnerability
    IPS 6427 MS IE Double Release Object Vulnerability
    IPS 6428 MS IE Double Release Object Vulnerability 2
    GAV IExploit.A6428

MS11-019 Vulnerabilities in SMB Client Could Allow Remote Code Execution (2511455)

  • CVE-2011-0654 – Browser Pool Corruption Vulnerability
    IPS 6248 Generic Netbios Shellcode Exploit
  • CVE-2011-0660 – SMB Client Response Parsing Vulnerability
    IPS 6436 SMB Client Response Parsing Vulnerability Exploit

MS11-020 Vulnerability in SMB Server Could Allow Remote Code Execution (2508429)

  • CVE-2011-0661 – SMB Transaction Parsing Vulnerability
    There is no feasible method of detection.

MS11-021 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2489279)

  • CVE-2011-0097 – Excel Integer Overrun Vulnerability
    GAV MS.Xsl.E
  • CVE-2011-0098 – Excel Heap Overflow Vulnerability
    GAV MS.Xsl.E_2
  • CVE-2011-0101 – Excel Record Parsing WriteAV Vulnerability
    GAV MS.Xsl.E_3
  • CVE-2011-0103 – Excel Memory Corruption Vulnerability
    GAV MS.Xsl.E_5
  • CVE-2011-0104 – Excel Buffer Overwrite Vulnerability
    GAV Hlink.BO.A
    GAV Hlink.BO.B
  • CVE-2011-0105 – Excel Data Initialization Vulnerability
    GAV MS.Xsl.E_6
  • CVE-2011-0978 – Excel Array Indexing Vulnerability
    GAV MS.Xsl.E_7
  • CVE-2011-0979 – Excel Linked List Corruption Vulnerability
    GAV MS.Xsl.E_8
  • CVE-2011-0980 – Excel Dangling Pointer Vulnerability
    GAV MS.Xsl.E_4

MS11-022 Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2489283)

  • CVE-2011-0685 – Floating Point Techno-color Time Bandit RCE Vulnerability
    GAV MS.Ppt.E
  • CVE-2011-0656 – Persist Directory RCE Vulnerability
    GAV MS.Ppt.E_2
  • CVE-2011-0976 – OfficeArt Atom RCE Vulnerability
    GAV MS.Ppt.E_3

MS11-023 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2489293)

  • CVE-2011-0107 – Office Component Insecure Library Loading Vulnerability
    IPS 5726 Possible Binary Planting Attempt
  • CVE-2011-0977 – Microsoft Office Graphic Object Dereferencing Vulnerability
    GAV MS.Xsl.E_9

MS11-024 Vulnerability in Windows Fax Cover Page Editor Could Allow Remote Code Execution (2527308)

  • CVE-2010-3974 – Fax Cover Page Editor Memory Corruption Vulnerability
    GAV MS.cov.E

MS11-025 Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution (2500212)

  • CVE-2010-3190 – MFC Insecure Library Loading Vulnerability
    IPS 5726 Possible Binary Planting Attempt

MS11-026 Vulnerability in MHTML Could Allow Information Disclosure (2503658)

  • CVE-2011-0096 – MHTML Mime-Formatted Request Vulnerability
    IPS 6205 MHTML Protocol Handler XSS Attack Attempt 4

MS11-027 Cumulative Security Update of ActiveX Kill Bits (2508272)

  • CVE-2010-0811 – Microsoft Internet Explorer 8 Developer Tools Vulnerability
    IPS 6437 MS Windows IE8 Developer Tools ActiveX Invocation Attempt
  • CVE-2010-3973 – Microsoft WMITools ActiveX Control Vulnerability
    IPS 6434 MS Windows WMITools ActiveX Control Invocation Attempt
  • CVE-2011-1243 – Microsoft Windows Messenger ActiveX Control Vulnerability
    IPS 6433 MS Windows Live Messenger ActiveX invocation attempt

MS11-028 Vulnerability in .NET Framework Could Allow Remote Code Execution (2484015)

  • CVE-2010-3958 – .NET Framework Stack Corruption Vulnerability
    This is a local vulnerability.

MS11-029 Vulnerability in GDI+ Could Allow Remote Code Execution (2489979)

  • CVE-2011-0041 – GDI+ Integer Overflow Vulnerability
    GAV ms11-029.ms

MS11-030 Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553)

  • CVE-2011-0657 – DNS Query Vulnerability
    There is no feasible method of detection.

MS11-031 Vulnerability in JScript and VBScript Scripting Engines Could Allow Remote Code Execution (2514666)

  • CVE-2011-0663 – Scripting Memory Reallocation Vulnerability
    There is no feasible method of detection.

MS11-032 Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (2507618)

  • CVE-2011-0034 – OpenType Font Stack Overflow Vulnerability
    IPS 6438 MS OpenType Font Stack Overflow Exploit

MS11-033 Vulnerability in WordPad Text Converters Could Allow Remote Code Execution (2485663)

  • CVE-2011-0028 – WordPad Converter Parsing Vulnerability
    GAV ms11-033.ms.ttextflow
    GAV ms11-033.ms.tsplit

MS11-034 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2506223)

  • CVE-2011-0662 – Win32k Use After Free Vulnerability
    Local authenticated vulnerability
  • CVE-2011-0665 – Win32k Use After Free Vulnerability
    Local authenticated vulnerability
  • CVE-2011-0666 – Win32k Use After Free Vulnerability
    Local authenticated vulnerability
  • CVE-2011-0667 – Win32k Use After Free Vulnerability
    Local authenticated vulnerability
  • CVE-2011-0670 – Win32k Use After Free Vulnerability
    Local authenticated vulnerability
  • CVE-2011-0671 – Win32k Use After Free Vulnerability
    Local authenticated vulnerability
  • CVE-2011-0672 – Win32k Use After Free Vulnerability
    Local authenticated vulnerability
  • CVE-2011-0673 – Win32k Null Pointer De-reference Vulnerability
    Local authenticated vulnerability
  • CVE-2011-0674 – Win32k Use After Free Vulnerability
    Local authenticated vulnerability
  • CVE-2011-0675 – Win32k Use After Free Vulnerability
    Local authenticated vulnerability
  • CVE-2011-0676 – Win32k Null Pointer De-reference Vulnerability
    Local authenticated vulnerability
  • CVE-2011-0677 – Win32k Null Pointer De-reference Vulnerability
    Local authenticated vulnerability
  • CVE-2011-1225 – Win32k Null Pointer De-reference Vulnerability
    Local authenticated vulnerability
  • CVE-2011-1226 – Win32k Null Pointer De-reference Vulnerability
    Local authenticated vulnerability
  • CVE-2011-1227 – Win32k Null Pointer De-reference Vulnerability
    Local authenticated vulnerability
  • CVE-2011-1228 – Win32k Null Pointer De-reference Vulnerability
    Local authenticated vulnerability
  • CVE-2011-1229 – Win32k Null Pointer De-reference Vulnerability
    Local authenticated vulnerability
  • CVE-2011-1230 – Win32k Null Pointer De-reference Vulnerability
    Local authenticated vulnerability
  • CVE-2011-1231 – Win32k Null Pointer De-reference Vulnerability
    Local authenticated vulnerability
  • CVE-2011-1232 – Win32k Null Pointer De-reference Vulnerability
    Local authenticated vulnerability
  • CVE-2011-1233 – Win32k Null Pointer De-reference Vulnerability
    Local authenticated vulnerability
  • CVE-2011-1234 – Win32k Use After Free Vulnerability
    Local authenticated vulnerability
  • CVE-2011-1235 – Win32k Use After Free Vulnerability
    Local authenticated vulnerability
  • CVE-2011-1236 – Win32k Use After Free Vulnerability
    Local authenticated vulnerability
  • CVE-2011-1237 – Win32k Use After Free Vulnerability
    Local authenticated vulnerability
  • CVE-2011-1238 – Win32k Use After Free Vulnerability
    Local authenticated vulnerability
  • CVE-2011-1239 – Win32k Use After Free Vulnerability
    Local authenticated vulnerability
  • CVE-2011-1240 – Win32k Use After Free Vulnerability
    Local authenticated vulnerability
  • CVE-2011-1241 – Win32k Use After Free Vulnerability
    Local authenticated vulnerability
  • CVE-2011-1242 – Win32k Use After Free Vulnerability
    Local authenticated vulnerability

Oficla spam on the rise (April 8, 2011)

The SonicWALL UTM Research team has observed an increase in spam campaigns involving new variants of the Oficla Trojan over the last two weeks. These campaigns pose as tracking notices and delivery failure notices from various mailing services.

SonicWALL has received more than 700,000 e-mail copies from these spam campaigns so far. The e-mail messages in all of these campaigns carry a zip archive attachment containing a new variant of the Oficla Trojan executable. A sample e-mail from each campaign is shown below:

Campaign #1 – United Parcel Service (UPS) tracking number spam starting March 28, 2011

– Fake UPS tracking notices with slightly varying subjects and bodies.

screenshot

Campaign #2 – Post Express notification spam starting March 28, 2011

– Fake delivery failure message claiming to contain a mailing label and invoice copy needed to pick up a package. Below is an example of one such e-mail:

screenshot

Campaign #3 – DHL Express spam March 30, 2011

– Fake DHL tracking notices

screenshot

Campaign #4 – Express Delivery notification spam starting April 6, 2011

– Fake Express Delivery tracking notices

screenshot

The executable file inside the attachment uses the icon of a popular document format such as MS Word or PDF to trick the user:

screenshot

If the user downloads and executes the malicious executable inside the zip attachment, it performs the following activity:

  • Connects to the malicious site zalupkin.ru and downloads a Fake AV. It saves the downloaded file at the following location and executes it:
    • (Application Data)\emm.exe – Detected as GAV: Kryptik.MLA (Trojan)
  • Registry modification (shell spawning technique to run itself; each key is shown with its original value followed by the value the malware sets):
    • HKCR\exefile\shell\open\command: "%1" %*
    • HKCR\exefile\shell\open\command: "(Application Data)\emm.exe" -a "%1" %*
    • HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command: "C:\PROGRA~1\MOZILL~1\FIREFOX.EXE"
    • HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command: "(Application Data)\emm.exe" -a "C:\PROGRA~1\MOZILL~1\FIREFOX.EXE"
    • HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command: "C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -safe-mode"
    • HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command: "(Application Data)\emm.exe" -a "C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -safe-mode"
    • HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command: "C:\Program Files\Internet Explorer\iexplore.exe"
    • HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command: "(Application Data)\emm.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"

    If the user attempts to open any of the above application executables, a fake infection warning is shown, as seen below:

    screenshot

  • Disables the Windows Automatic Updates feature by deleting the following registry key:
    • HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
  • Deletes the original copy of the malware executable.
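A defender auditing a machine for the shell-spawning hijack listed above can check the affected handlers offline. The following Python example is added here and is not SonicWALL's code: it parses the text of a `.reg` export and reports any shell\open\command handler whose default value no longer matches the stock `"%1" %*` for exefile, launches a program from a profile data directory, or wraps a second executable. The embedded sample is a constructed export that reproduces the keys above (with a placeholder user profile path and a benign Internet Explorer handler for contrast); the heuristics are the example's own assumptions, not SonicWALL's detection logic.

```python
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')
EXPECTED_EXEFILE_COMMAND = '"%1" %*'          # stock value of HKCR\exefile\shell\open\command
PROFILE_DATA_DIRS = ("\\application data\\", "\\appdata\\")


def reg_unescape(s: str) -> str:
    """Undo .reg string escaping, where a backslash protects the next character."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_default_values(text: str) -> dict:
    """Return {key_path: default_value} for every key whose (Default) value is set."""
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = DEFAULT_VALUE_RE.match(line)
        if m and current is not None:
            values[current] = reg_unescape(m.group(1))
    return values


def first_executable(command: str) -> str:
    """Program launched by a shell command string (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def audit_shell_open_commands(reg_text: str) -> list:
    """Return (key, reason) pairs for shell\\open\\command handlers that look hijacked."""
    findings = []
    for key, command in parse_reg_default_values(reg_text).items():
        k = key.lower()
        if not k.endswith("\\shell\\open\\command"):
            continue
        if "\\exefile\\" in k:
            # The stock exefile handler is exactly "%1" %*; anything else runs
            # another program every time an .exe is launched.
            if command.strip() != EXPECTED_EXEFILE_COMMAND:
                findings.append((key, 'exefile handler is no longer "%1" %*'))
            continue
        exe = first_executable(command).lower()
        if any(d in exe for d in PROFILE_DATA_DIRS):
            findings.append((key, "handler launches a program from a profile data directory"))
        elif command.lower().count(".exe") > 1:
            findings.append((key, "handler wraps a second executable"))
    return findings


# Constructed .reg export (assumption: profile path is a placeholder) reproducing
# the Oficla modifications plus an untouched IEXPLORE handler.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Application Data\\emm.exe\" -a \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Application Data\\emm.exe\" -a \"C:\\PROGRA~1\\MOZILL~1\\FIREFOX.EXE\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\""
"""

if __name__ == "__main__":
    for key, reason in audit_shell_open_commands(SAMPLE_REG):
        print(f"{key}: {reason}")
```

On a live Windows system the input would come from `reg export` (for example of `HKCR\exefile\shell\open\command` and `HKLM\SOFTWARE\Clients\StartMenuInternet`); `reg export` writes UTF-16, so open the file with `encoding="utf-16"` and pass the decoded text to the parser.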

More fake infection warnings pressuring the user to buy the rogue application:

screenshot

screenshot

screenshot

SonicWALL Gateway AntiVirus provides protection against the above spam campaigns via the following signatures:

  • GAV: Oficla.CE#email_2 (Trojan) [599,897 hits]
  • GAV: Oficla.AC (Trojan) [105,518 hits]
  • GAV: Oficla.AE_3 (Trojan) [60,962 hits]
  • GAV: Oficla.MKD (Trojan) [27,559 hits]

IBM solidDB Authentication Bypass (April 8, 2011)

IBM solidDB is a relational database management system that combines an in-memory database with a traditional on-disk one. solidDB listens on two ports by default, TCP/1315 or TCP/2315. The protocol used for network communication is proprietary and unpublished; however, it can be observed that every message consists of a 15-byte header followed by a data portion. The message header has the following format:

    Offset    Size   Description
    --------  -----  -------------------------
    0x0000    1      Unknown
    0x0001    1      Unknown
    0x0002    1      Unknown
    0x0003    2      command type
    0x0005    2      Unknown
    0x0007    4      Unknown
    0x000b    4      byte order specification
    0x000f    ?      type-specific data

A breakdown of the type-specific data for the observed authentication related command follows:

    Offset    Size   Description
    --------  -----  -------------------------
    0x0000    4      Unknown
    0x0004    4      Unknown
    0x0008    4      username length
    0x000c    L      username
    0x000c+L  4      password hash length
    0x0010+L  M      password hash

An authentication bypass vulnerability exists in IBM solidDB. The product allows the remote user to specify the password-hash length value, and any length above 1 is accepted and used when validating the user-supplied password hash. By setting the password-hash length to the minimum accepted value, an attacker can force the server to compare only a few bytes of the hash; because a hash that short has only a small number of possible values, all of them can be tried until one is accepted. A remote, unauthenticated attacker may exploit this vulnerability by sending messages with specially crafted password-hash length and hash fields. Successful exploitation allows the attacker to bypass the authentication checks of the database server.
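To make the two layouts above concrete, here is an added Python example (not SonicWALL's signature code and not IBM's protocol implementation) that splits a message into the 15-byte header and the authentication payload exactly as the tables describe, and flags an authentication request whose password-hash length field is shorter than the digest a genuine client would send. The article gives neither the numeric command type, the expected digest size nor the field byte order, so the values 0x0001, 16 bytes and big-endian are assumptions of the demo; the sample messages are constructed inline for the checker.

```python
import struct

HEADER_LEN = 15  # 15-byte header described in the article
# Assumptions (not given in the article): numeric command type of the
# authentication message, digest size a genuine client sends, big-endian fields.
AUTH_COMMAND_TYPE = 0x0001
EXPECTED_HASH_LEN = 16


def parse_header(msg: bytes, big_endian: bool = True) -> dict:
    """Split a message into header fields and the type-specific payload.

    Offsets follow the header table: command type at 0x0003 (2 bytes),
    byte-order specification at 0x000b (4 bytes), payload from 0x000f.
    """
    if len(msg) < HEADER_LEN:
        raise ValueError("message shorter than the 15-byte header")
    e = ">" if big_endian else "<"
    return {
        "command_type": struct.unpack_from(e + "H", msg, 0x03)[0],
        "byte_order": struct.unpack_from(e + "I", msg, 0x0b)[0],
        "data": msg[HEADER_LEN:],
    }


def parse_auth_data(data: bytes, big_endian: bool = True) -> dict:
    """Decode the authentication payload: username length/value, hash length/value."""
    e = ">" if big_endian else "<"
    if len(data) < 0x10:
        raise ValueError("authentication payload shorter than its fixed fields")
    user_len = struct.unpack_from(e + "I", data, 0x08)[0]
    off = 0x0c
    if len(data) < off + user_len + 4:
        raise ValueError("username length runs past the payload")
    username = data[off:off + user_len]
    off += user_len
    hash_len = struct.unpack_from(e + "I", data, off)[0]
    off += 4
    if len(data) < off + hash_len:
        raise ValueError("password hash length runs past the payload")
    return {"username": username, "hash_len": hash_len,
            "password_hash": data[off:off + hash_len]}


def check_auth_message(msg: bytes, big_endian: bool = True) -> str:
    """Return 'not-auth', 'ok', or 'suspicious: ...' for one message.

    A genuine client always sends a full digest, so a hash length below
    EXPECTED_HASH_LEN is the truncation the article describes.
    """
    hdr = parse_header(msg, big_endian)
    if hdr["command_type"] != AUTH_COMMAND_TYPE:
        return "not-auth"
    auth = parse_auth_data(hdr["data"], big_endian)
    if auth["hash_len"] < EXPECTED_HASH_LEN:
        return (f"suspicious: password hash length {auth['hash_len']} "
                f"is below the expected {EXPECTED_HASH_LEN}")
    return "ok"


def build_auth_message(username: bytes, pw_hash: bytes, big_endian: bool = True) -> bytes:
    """Constructed test vector for the checker above (not a real solidDB client)."""
    e = ">" if big_endian else "<"
    header = (bytes(3) + struct.pack(e + "H", AUTH_COMMAND_TYPE) + bytes(2)
              + bytes(4) + struct.pack(e + "I", 0))
    data = (bytes(8) + struct.pack(e + "I", len(username)) + username
            + struct.pack(e + "I", len(pw_hash)) + pw_hash)
    return header + data


if __name__ == "__main__":
    print(check_auth_message(build_auth_message(b"dba", bytes(16))))   # full digest
    print(check_auth_message(build_auth_message(b"dba", b"\x41")))     # truncated digest
```

The check is the one a server-side fix or an IPS would apply: the hash length must equal the digest length the server expects, and anything shorter is rejected before any comparison takes place.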

SonicWALL has released a new IPS signature to detect and block attack attempts targeting this vulnerability. The following signature was released:

  • 6422 – IBM solidDB solid.exe Authentication Bypass

Mass SQL Injection Leads to FakeAV (April 1, 2011)

The SonicWALL UTM Research team received reports of a mass SQL injection infecting millions of websites. It is likely that the back-end databases of these websites were compromised, leading to this injection.

Malicious script code was inserted into the stored content and served in web pages; when triggered, it redirects to a malicious link that serves FakeAV malware.

The following are some of the reported malicious URLs inserted into compromised web pages:

  • alexblane(dot)com/ur.php
  • alisa-carter(dot)com/ur.php
  • books-loader(dot)info/ur.php
  • lizamoon(dot)com/ur.php
  • milapop(dot)com/ur.php
  • t6ryt56(dot)info/ur.php
  • tadygus(dot)com/ur.php
  • Worid-of-books(dot)com/ur.php

All of these URLs resolve to a single IP address:

  • 91.213.29.182
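To check served pages, or a database dump of stored content, for this injection, here is an added Python example (not SonicWALL's code) that scans HTML text for script tags whose source is one of the reported hosts or the reported IP address, or any external script named ur.php, which is the pattern all the reported URLs share. The page fragment it runs on is constructed for the demo; the hosts and IP are the ones listed above.

```python
import re
from urllib.parse import urlparse

# URLs reported in the article, kept in their defanged "(dot)" form.
REPORTED_URLS = [
    "alexblane(dot)com/ur.php",
    "alisa-carter(dot)com/ur.php",
    "books-loader(dot)info/ur.php",
    "lizamoon(dot)com/ur.php",
    "milapop(dot)com/ur.php",
    "t6ryt56(dot)info/ur.php",
    "tadygus(dot)com/ur.php",
    "Worid-of-books(dot)com/ur.php",
]
REPORTED_IP = "91.213.29.182"
KNOWN_HOSTS = {u.replace("(dot)", ".").split("/", 1)[0].lower() for u in REPORTED_URLS}

# src attribute of a <script> tag, quoted or (as in the injection) unquoted.
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)


def find_injected_scripts(html: str) -> list:
    """Return one finding per external script that matches the reported pattern."""
    findings = []
    for m in SCRIPT_SRC_RE.finditer(html):
        src = m.group(1)
        parsed = urlparse(src)
        host = (parsed.hostname or "").lower()
        if host in KNOWN_HOSTS or host == REPORTED_IP:
            reason = "script source is one of the reported hosts"
        elif host and parsed.path.lower().endswith("/ur.php"):
            reason = "external script named ur.php (same pattern as the reported URLs)"
        else:
            continue  # relative or unrelated external script
        findings.append({"src": src, "host": host, "reason": reason})
    return findings


# Constructed page fragment: a stored title whose text had a script tag appended
# and is rendered verbatim, plus two legitimate script references and a second
# injected tag pointing at the reported IP.
SAMPLE_PAGE = """<html><head>
<title>Widget catalogue</title><script src=http://lizamoon.com/ur.php ></script>
<script src="/js/site.js"></script>
<script src="//cdn.example.com/lib.js"></script>
</head><body><p>Hello</p>
<script src="http://91.213.29.182/ur.php"></script>
</body></html>"""

if __name__ == "__main__":
    for f in find_injected_scripts(SAMPLE_PAGE):
        print(f"{f['host']}: {f['reason']}")
```

Because the function is a plain regular-expression pass over text, the same call works on a SQL dump of the affected tables, which is where the injected string actually lives.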

The malicious code was inserted as shown in the image below:

    screenshot

Google search results show some of the websites that were compromised:

    screenshot

    screenshot

When a user clicks on these links, they will be redirected to a malicious website that serves FakeAV.

    screenshot

    screenshot

Eventually, it serves the malicious file for download, named freesystemscan.exe in this instance; the filename can change over time.

    screenshot

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: ScrInject.UR (Trojan)
  • GAV: Suspicious#asprotect (Trojan)

screenshot

screenshot

Cisco Secure Desktop Vulnerability (March 31, 2011)

Cisco Secure Desktop (CSD) is a multipurpose client-side VPN software. It seeks to minimize the risk of information being left after an SSL VPN session terminates. CSD’s goal is to reduce the possibility that cookies, browser history, temporary files, and downloaded content remain on a system after a remote user logs out or an SSL VPN session times out.

CSDWebInstaller is an ActiveX component of CSD that allows the download and installation of any executable that is digitally signed by Cisco.

A remote code execution vulnerability exists in Cisco Secure Desktop. Specifically, the vulnerability is due to a design error in the CSDWebInstaller ActiveX control that allows the digital signature validation to be bypassed.

An attacker can exploit this vulnerability by enticing a user to visit a crafted web page, which instantiates the vulnerable ActiveX control and downloads a malicious executable. Successful exploitation would allow arbitrary code execution with the privileges of the currently logged-in user.

The vulnerability has been assigned CVE-2011-0926.

SonicWALL has released an IPS signature to detect and block known exploits targeting this vulnerability. The following signature was released to address this issue:

  • 6399 – Cisco Secure Desktop CSDWebInstaller ActiveX Control Instantiation

Novell Netware FTP Server Buffer Overflow (Mar 25, 2011)

Novell NetWare is a network operating system developed by Novell. One of the services provided by NetWare is the NetWare FTP Server, which provides file transfer to and from NetWare volumes.

FTP is built on a client-server architecture and utilizes separate control and data connections between the client and server. Several FTP commands are available to perform different operations. The DEL/DELE command performs file deletion on the FTP server.

The syntax for the DEL/DELE command is as follows:

DEL
or
DELE

A stack buffer overflow vulnerability exists in Novell Netware FTP Server. The vulnerability is due to insufficient boundary checks when processing the DEL/DELE command. Remote authenticated attackers could exploit this vulnerability by connecting to a vulnerable Netware FTP Server and sending a malicious DEL/DELE command to the target server. Successful exploitation would allow for arbitrary code injection and execution with the privileges of the FTP service. Code injection that does not result in execution would terminate the FTP session.

The vulnerability has been assigned CVE-2010-4228.

SonicWALL has released several IPS signatures to detect and block exploits targeting this vulnerability. The signatures are listed below:

  • 238 – DELE Command BO Attempt
  • 5541 – Generic FTP Shellcode Exploit 1
  • 2099 – Generic FTP Shellcode Exploit 2
  • 4961 – Generic FTP Shellcode Exploit 3
  • 4982 – Generic FTP Shellcode Exploit 4
  • 6367 – Generic FTP Shellcode Exploit 5

Delf.EP Trojan steals online banking passwords (Mar 25, 2011)

The SonicWALL UTM Research team received reports of a new online banking Trojan in the wild. The Trojan’s sole purpose is to steal the credentials used to manage various online banking accounts. It targets sites such as PayPal, MasterCard and Citibank, and is aimed at Brazilian users but can also affect users in other countries.

The Trojan’s activity once it has compromised a machine is quite simple. It makes only a single modification to the file system once it has run.

The Trojan makes the following POST and GET requests to a remote webserver:

The Trojan downloads a hosts.txt from the remote webserver and places it at:

  • C:\WINDOWS\system32\drivers\etc\hosts

The hosts file contains the following data:

      69.162.122.215 www.bb.com.br
      69.162.122.215 bb.com.br
      69.162.122.215 www.bancobrasil.com.br
      69.162.122.215 bancobrasil.com.br
      69.162.122.215 www.bancodobrasil.com.br
      69.162.122.215 bancodobrasil.com.br
      69.162.122.215 americanexpress.com.br
      69.162.122.215 www.americanexpress.com.br
      69.162.122.215 bancoamazonia.com.br
      69.162.122.215 www.bancoamazonia.com.br
      69.162.122.215 bancodaamazonia.com.br
      69.162.122.215 www.bancodaamazonia.com.br
      69.162.122.215 citibank.com.br
      69.162.122.215 www.citibank.com.br
      69.162.122.215 credicard.com.br
      69.162.122.215 www.credicard.com.br
      69.162.122.215 hotmail.com.br
      69.162.122.215 www.hotmail.com.br
      69.162.122.215 login.live.com
      69.162.122.215 live.com
      69.162.122.215 naotempreco.com.br
      69.162.122.215 www.naotempreco.com.br
      69.162.122.215 mastercard.com
      69.162.122.215 www.mastercard.com
      69.162.122.215 mastercard.com.br
      69.162.122.215 www.mastercard.com.br
      69.162.122.215 itau.com.br
      69.162.122.215 www.itau.com.br
      69.162.122.215 bancoitau.com.br
      69.162.122.215 www.bancoitau.com.br
      69.162.122.215 itaupersonnalite.com.br
      69.162.122.215 www.itaupersonnalite.com.br
      69.162.122.215 personnalite.com.br
      69.162.122.215 www.personnalite.com.br
      69.162.122.215 pagseguro.com.br
      69.162.122.215 www.pagseguro.com.br
      69.162.122.215 pagseguro.com
      69.162.122.215 www.pagseguro.com
      69.162.122.215 pagseguro.uol.com.br
      69.162.122.215 www.pagseguro.uol.com.br
      69.162.122.215 paypal.com
      69.162.122.215 www.paypal.com
      69.162.122.215 paypal.com.br
      69.162.122.215 www.paypal.com.br
      69.162.122.215 bradesco.com.br
      69.162.122.215 www.bradesco.com.br
      69.162.122.215 bradesco.com
      69.162.122.215 www.bradesco.com
      69.162.122.215 bancobradesco.com.br
      69.162.122.215 www.bancobradesco.com.br
      69.162.122.215 bancobradesco.com
      69.162.122.215 www.bancobradesco.com
      69.162.122.215 bradescoprime.com.br
      69.162.122.215 www.bradescoprime.com.br
      69.162.122.215 bancobradescoprime.com.br
      69.162.122.215 www.bancobradescoprime.com.br
      69.162.122.215 bancobradescoprime.com
      69.162.122.215 www.bancobradescoprime.com
      69.162.122.215 bradescoprivatebank.com.br
      69.162.122.215 www.bradescoprivatebank.com.br
      69.162.122.215 bradescoprivatebank.com
      69.162.122.215 www.bradescoprivatebank.com
      69.162.122.215 serasa.com.br
      69.162.122.215 www.serasa.com.br
      69.162.122.215 serasaexperian.com.br
      69.162.122.215 www.serasaexperian.com.br
      69.162.122.215 serasa.com
      69.162.122.215 www.serasa.com
      69.162.122.215 serasaexperian.com
      69.162.122.215 serasaexperian.com.br
      69.162.122.215 bancoreal.com.br
      69.162.122.215 www.bancoreal.com.br
      69.162.122.215 real.com.br
      69.162.122.215 www.real.com.br
      69.162.122.215 santander.com.br
      69.162.122.215 www.santander.com.br
      69.162.122.215 bancosantander.com.br
      69.162.122.215 www.bancosantander.com.br
      69.162.122.215 internetbanking.caixa.gov.br
      69.162.122.215 www.caixa.com.br
      69.162.122.215 www.caixa.gov.br
      69.162.122.215 www.caixaeconomica.com.br
      69.162.122.215 www.caixaeconomica.gov.br
      69.162.122.215 www.caixaeconomicafederal.com.br
      69.162.122.215 www.caixaeconomicafederal.gov.br
      69.162.122.215 www.cef.com.br
      69.162.122.215 www.cef.gov.br
      69.162.122.215 caixa.com.br
      69.162.122.215 caixa.gov.br
      69.162.122.215 caixaeconomica.com.br
      69.162.122.215 caixaeconomica.gov.br
      69.162.122.215 caixaeconomicafederal.com.br
      69.162.122.215 caixaeconomicafederal.gov.br
      69.162.122.215 cef.com.br
      69.162.122.215 cef.gov.br

This hosts file causes all of the above sites to resolve to the IP address of a malicious web server (69.162.122.215), which hosts a copy of the pages at each of the original sites listed above. It should be noted that none of the redirected copies use HTTPS for secure communication.
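A hosts-file hijack like the one above is easy to spot from the file itself, because many well-known names suddenly share one public address. The following Python example is added here and is not SonicWALL's code: it parses a hosts file, ignores the normal loopback, private and link-local entries, and reports every public address that hostnames have been pinned to, rating the finding high when several names share one address. The embedded sample is a constructed excerpt using the IP and a few of the names from the listing above; the threshold of 3 is an assumption.

```python
import ipaddress
from collections import defaultdict

# Constructed excerpt of a hijacked hosts file: the address and names come from
# the listing in the article, the first two lines are a normal Windows default.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
69.162.122.215 www.bb.com.br
69.162.122.215 bb.com.br
69.162.122.215 www.paypal.com
69.162.122.215 paypal.com
69.162.122.215 login.live.com
69.162.122.215 www.santander.com.br
"""


def parse_hosts(text: str) -> dict:
    """Return {ip: [hostnames]} for every valid entry; comments and blanks are skipped."""
    mapping = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed line, not an address
        mapping[ip].extend(name.lower() for name in fields[1:])
    return dict(mapping)


def audit_hosts(text: str, threshold: int = 3) -> list:
    """Flag hostnames pinned to a public (non-loopback, non-private) address.

    One public address collecting many names, as in the Delf.EP file, is rated
    high; a single pinned name is still reported because hosts-file entries for
    public sites are rare on an end-user machine.
    """
    findings = []
    for ip, names in parse_hosts(text).items():
        if not ipaddress.ip_address(ip).is_global:
            continue  # 127.0.0.1, RFC 1918 and link-local entries are normal
        unique = sorted(set(names))
        findings.append({
            "ip": ip,
            "count": len(unique),
            "names": unique,
            "severity": "high" if len(unique) >= threshold else "low",
        })
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"{f['severity']}: {f['count']} names pinned to {f['ip']}: {', '.join(f['names'])}")
```

The hijack redirects the browser without touching DNS, but it cannot forge a certificate; that is why the fake copies were served over plain HTTP, as the article notes, and why a missing padlock on a banking site is the user-visible symptom of this technique.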

The screenshot below shows a non-HTTPS Brazilian copy of paypal.com hosted on the malicious web server:

Upon entering the username and password, the following message box is displayed:

The screenshot below shows the default malicious page loaded for mastercard.com. This page requests credit card information in order to obtain certain benefits:

Upon submitting the requested information the following page is displayed:

Translation:

      Congratulations, your MasterCard was successfully registered in our database!
      Now you compete for prizes every month up to $ 500,000.00 (Five Hundred Thousand Dollars), and $ 50.00 each in
      purchases made with your MasterCard, you earn 01 point to exchange for goods or services
      our partners.
      Warning: Though it was already participating in, your login will be released only after the next billing cycle.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Delf.EP (Trojan)

Momibot Worm – Spreading in the Wild (March 18, 2011)

The SonicWALL UTM Research team received reports of a new variant of the Momibot worm propagating in the wild. This worm propagates through e-mail, the network and removable drives.

Process of Infection:

An unsuspecting user may receive an email with the malware attachment.

From: {user}
Subject: nake pics as you’ve requested
Attachment: picofme.zip (59.3KB)

    screenshot

Installation:

Once the user opens and executes the attachment, it will do the following:

Drops a copy of itself:

  • %System%\{random filename in %System%}{random letter}.exe – [ detected as GAV: Momibot.B_4 (Trojan) ]
  • %System%\{random filename}.dat – [ Data File ]

Registry Changes

Adds the following AutoStart registry entries to ensure that the malware runs on every system startup.

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Value: Win32Update
    Data: "C:\WINDOWS\System32\{random filename in %System%}{random letter}.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    Value: Win32Update
    Data: "C:\WINDOWS\System32\{random filename in %System%}{random letter}.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
    Value: Win32Update
    Data: "C:\WINDOWS\System32\{random filename in %System%}{random letter}.exe"
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
    Value: Win32Update
    Data: "C:\WINDOWS\System32\{random filename in %System%}{random letter}.exe"

Adds the following registry entries to install the malware as a service. The service name is derived by concatenating the names of two services already installed on the system (here TermService and RSVP).

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermServiceRSVP
    Value: ImagePath
    Data: "C:\WINDOWS\System32\{random filename in %System%}{random letter}.exe"

Mutex

Creates the following mutex to ensure that only a single instance is running in memory.

  • 9LZZ1TXjZ5NHrnf71f

Command & Control (C&C) Server connection:

Upon successful installation, it tries to connect to a remote server to receive further instruction:

  • http://9{REMOVED}5.174

This worm also joins the following IRC channel to receive instructions:

  • Port: 6667
  • IRC Channel: #AllNiteCafe

Backdoor Functionality:

  • Update itself
  • Remove itself
  • Download and execute files
  • Gather system information

SonicWALL Gateway AntiVirus provides protection against this worm via the following signature:

  • GAV: Momibot.B_4 (Trojan)

Adobe Flash Player 0-Day Exploit (Mar 17, 2011)

The SonicWALL UTM Research team found reports of a new 0-day vulnerability in Adobe Flash Player 10 and in the “authplay.dll” file that ships with the Adobe Reader and Acrobat X products.

An attacker can exploit this vulnerability by enticing a user to open a crafted Excel spreadsheet (.xls), which contains a malicious Flash (.swf) file. Successful exploitation would allow for arbitrary code injection and execution with the privileges of the currently logged in user. Code injection that does not result in execution would terminate the application due to memory corruption.
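Because the exploit vector is an .xls carrying a .swf, a file scanner can look for Flash headers inside Office documents. The Python example below is added here and is not SonicWALL's signature logic: it searches a byte blob for the SWF signatures FWS (uncompressed) and CWS (zlib-compressed), sanity-checks the version and length fields so that the three letters occurring by chance are not reported, and carves out the embedded file, inflating compressed bodies. The sample containers are constructed inline (an OLE2 magic followed by a tiny harmless SWF); the version bound of 30 and the 64 MiB length cap are assumptions of the demo.

```python
import struct
import zlib

# SWF header: 3-byte signature, 1-byte version, 4-byte little-endian length of
# the whole uncompressed file. FWS bodies are plain, CWS bodies are zlib after
# the first 8 bytes.
SWF_SIGNATURES = (b"FWS", b"CWS")
SWF_HEADER_LEN = 8
MAX_SWF_LEN = 64 * 1024 * 1024  # assumption: larger declared lengths are noise


def find_embedded_swf(blob: bytes, max_version: int = 30) -> list:
    """Locate plausible SWF headers anywhere inside a container such as an .xls."""
    hits = []
    for sig in SWF_SIGNATURES:
        pos = blob.find(sig)
        while pos >= 0:
            if pos + SWF_HEADER_LEN <= len(blob):
                version = blob[pos + 3]
                length = struct.unpack_from("<I", blob, pos + 4)[0]
                if 1 <= version <= max_version and SWF_HEADER_LEN <= length <= MAX_SWF_LEN:
                    hits.append({"offset": pos, "compressed": sig == b"CWS",
                                 "version": version, "declared_length": length})
            pos = blob.find(sig, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def extract_swf(blob: bytes, hit: dict) -> bytes:
    """Carve the SWF at a hit, inflating a CWS body so the result is a plain FWS file."""
    start = hit["offset"]
    header = blob[start:start + SWF_HEADER_LEN]
    if not hit["compressed"]:
        return blob[start:start + hit["declared_length"]]
    d = zlib.decompressobj()
    # Trailing container bytes after the zlib stream end up in d.unused_data.
    body = d.decompress(blob[start + SWF_HEADER_LEN:])
    return b"FWS" + header[3:] + body[:hit["declared_length"] - SWF_HEADER_LEN]


# Constructed samples (not real malware): an OLE2 magic, a decoy "FWS" with an
# impossible version byte, then a tiny uncompressed SWF; and a compressed one.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
TINY_FWS = b"FWS" + bytes([10]) + struct.pack("<I", 32) + b"\x78\x00" + b"B" * 22
SAMPLE_OLE_BLOB = OLE_MAGIC + b"FWS\xff\x00\x00\x00\x00" + bytes(56) + TINY_FWS + bytes(40)

CWS_BODY = b"\x78\x00" + b"A" * 30
TINY_CWS = (b"CWS" + bytes([10]) + struct.pack("<I", SWF_HEADER_LEN + len(CWS_BODY))
            + zlib.compress(CWS_BODY))
SAMPLE_CWS_BLOB = bytes(16) + TINY_CWS + bytes(5)

if __name__ == "__main__":
    for blob in (SAMPLE_OLE_BLOB, SAMPLE_CWS_BLOB):
        for h in find_embedded_swf(blob):
            swf = extract_swf(blob, h)
            print(f"SWF v{h['version']} at offset {h['offset']}, "
                  f"compressed={h['compressed']}, carved {len(swf)} bytes")
```

An .xls legitimately embedding a Flash object would also trigger this check, so in practice a hit is a reason to route the document to deeper analysis rather than a verdict on its own.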

The vulnerability has been assigned CVE-2011-0609.

SonicWALL has released an IPS signature to detect and block known exploits targeting this vulnerability. The following signature was released to address this issue:

  • 6349 – Adobe Flash Player Code Execution Attempt