HP OpenView Storage Data Protector is a backup solution for enterprise and distributed environments. It consists of a Cell Manager, backup agents, and backup device servers. The Cell Manager is the central point from which backup agents and device servers are administered, and backup and restore operations are controlled.

The Media Management Daemon service runs on the Cell Manager and controls media management and device operations. It provides features such as protection against accidental overwrites, capability of transferring all media-related catalog from one Cell Manager to another, tracking of all media including the status of each medium, etc. The server listens for incoming connections on a dynamically assigned TCP port. The protocol utilized for communication between Media Management Daemon service and clients is proprietary and not documented.

A request sent to the Media Management Daemon service has the following format:

 Offset             Size      Field     -----------------  --------- ------------------------------ 0x0000             4         Command Length 0x0004             2         Unknown  0x0006             N1        Command code unicode string 0x0006+N1          2         0x2000 0x0008+N1          N2        Unicode string 0x0008+N1+N2       2         0x2000 0x000A+N1+N2       N3        Unicode string 0x000A+N1+N2+N3    2         0x2000 0x000E+N1+N2+N3    N4        Unicode string 0x0010+N1+N2+N3+.. 

Command Length is a 4 byte value in big endian byte order. It specifies the number of bytes inside the packet, excluding the length field itself. The arguments are in the form of wide char strings terminated with double Null bytes, and separated by one Unicode space character. The backup agent executes different programs based on the received Command code.

A code execution vulnerability exists in HP Data Protector Manager Server. The flaw is due to a stack buffer overflow during parsing of malformed requests. If a request with a certain command code is sent, the vulnerable code allocates a fixed-size buffer of 624 bytes. The 7th user-supplied argument is then copied into the destination buffer without any verification of its length. By supplying an overly long string in a crafted request, the destination stack buffer can be overflowed. The overflow could result in the overwriting of critical stack data such as stored function return addresses and SEH pointers, allowing for code injection and execution.

A remote unauthenticated attacker can exploit this vulnerability by sending a malicious request to a target server. Successful exploitation could result in execution of arbitrary code within the security context of the service, which is configured during the software installation (usually Administrator).

SonicWALL has in place numerous generic IPS signatures that detect and block shell code transferred in exploitation attempts of vulnerabilities of this type. A known exploit targeting this vulnerability is currently being proactively caught by the following IPS signature:

• 5512 – Generic Server Application Shellcode Exploit 28

SonicWALL UTM Research team received reports of a new variant of a Zbot worm spreading in the wild. This new variant is being spread through emails with links to the malicious file.

Below is the content of the e-mail:

Subject:

• Your package has arrived!

Email Body:

Dear client

Your package has arrived.
The tracking # is: 1Z45AR990283682749 and can be used at:

[http://www.ups.com/tracking/tracking.html]

The shipping invoice can be downloaded from :

[http://www.ups.com/tracking/invoices/download.aspx?invoice_id=3483273]

Thanks you,
United Parcel Service

*** This is an automatically generated email, please do not reply *** ===================================================

The e-mail message looks like below:

===================================================

The tracking number and the first link point to legitimate UPS website and resolve to a package for someone else. Although the package is for someone else, it tempts the user to click on the second link which leads to downloading of the Zbot executable.

Malicious link may lead to the following:

• hxxp://th{REMOVED}.net/e107_files/cache/invoice.scr
• hxxp://e1{REMOVED}dk/e107_files/cache/invoice.scr
• hxxp://ed{REMOVED}om/e107_files/cache/invoice.scr
• hxxp://www.su{REMOVED}at/e107_files/cache/invoice.scr
• hxxp://www.s{REMOVED}nl/weblog/pm/images/invoice.scr

Once the user runs the downloaded file, it will perform the following activities:

File Operation:

Added Files

• Documents and Settings{user}Application DataEszauxohxi.aqd – (5 KB)
• Documents and Settings{user}Application DataUgarckesy.exe – (159 KB) [ Detected as GAV: Kryptik.IOL (Trojan) ]

*Note that the folders created can be different from other system.

Registry Operation:

Added Entries

• HKEY_CURRENT_USERSoftwareMicrosoftIduwy Lowoo

Allows program to run without user notification:

• KEY: HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
  Value: {1BF5BAE0-A94B-EB99-7464-692B693EE661}
  Data:“Documents and Settings{user}Application DataUgarckesy.exe”
• KEY: HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerPrivacy
  Value: CleanCookies
  Dword: 000000

Network Activity:

The following HTTP request was observed from this Worm:

• www.mortga{REMOVED}nton.com

The Worm is also known as Win32/Spy.Zbot.YW [Eset], DR/Spy.ZBot.avew [Antivir] and Mal/Zbot-AV [Sophos]

SonicWALL Gateway AntiVirus provides protection against this Worm via GAV: Kryptik.IOL (Trojan) signature