Microsoft Security Bulletins Coverage (Nov 09, 2010)

SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of November, 2010. A list of issues reported, along with SonicWALL coverage information follows:

MS10-087 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2423930)

  • CVE-2010-3333 – RTF Stack Buffer Overflow Vulnerability
    IPS 5950 Word RTF File Parsing Stack BO
  • CVE-2010-3334 – Office Art Drawing Records Vulnerability
    IPS 5955 Office Art Drawing Records Vulnerability
  • CVE-2010-3335 – Drawing Exception Handling Vulnerability
    IPS 5956 Malicious Excel Document 7b
  • CVE-2010-3336 – MSO Large SPID Read AV Vulnerability
    IPS 5957 Malicious Word Document 5b
    IPS 5958 Malicious Excel Document 8b
  • CVE-2010-3337 – Insecure Library Loading Vulnerability
    IPS 5726 Possible Binary Planting Attempt

MS10-088 Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2293386)

  • CVE-2010-2572 – PowerPoint Parsing Buffer Overflow Vulnerability
    IPS 5954 Malicious PowerPoint Document 1b
  • CVE-2010-2573 – PowerPoint Integer Underflow Causes Heap Corruption Vulnerability
    IPS 5945 Malicious PowerPoint Document 1b

MS10-089 Vulnerabilities in Forefront Unified Access Gateway (UAG) Could Allow Elevation of Privilege (2316074)

  • CVE-2010-2732 – UAG Redirection Spoofing Vulnerability
    Note: There is no way to differentiate malformed and legitimate traffic.
  • CVE-2010-2733 – UAG XSS Allows EOP Vulnerability
    Note: There are no known public exploits targeting this vulnerability.
  • CVE-2010-2734 – XSS Issue on UAG Mobile Portal Website in Forefront Unified Access Gateway Vulnerability
    Note: There are no known public exploits targeting this vulnerability.
  • CVE-2010-3936 – XSS in Signurl.asp Vulnerability
    Note: There are no known public exploits targeting this vulnerability.

New IE 0-day Vulnerability (Nov 5, 2010)

SonicWALL UTM Research team received reports of a new Internet Explorer 0-day vulnerability, reported here, being exploited in the wild. Internet Explorer versions 6, 7 and 8 are affected. The vulnerability is actively being targeted in the wild by specially crafted HTML pages hosted on compromised sites.

The HTML page contains heavily obfuscated malicious JavaScript code that encloses the shellcode and a NOP sled. Upon a successful exploit attempt, the shellcode is executed and leads to the download and execution of a malicious executable file on the victim machine.

During our research we found the shellcode enclosed within the JavaScript to be encrypted; a snippet of the decrypted code can be seen below:

screenshot

The code seen above leads to the download of the file linkbl.gif from a compromised site. The file is an encrypted malicious executable carrying a GIF header to avoid AV detection; on the victim machine it is decrypted and the GIF header is replaced by an MZ header.

The malware performs the following activities upon execution:

  • Drops the following two files on the victim machine:
    • (STARTUP)\ctfmon.exe [Detected as GAV: Agent.IEM (Trojan)]
    • (SYSTEM32)\msnetacsvc.dll [Detected as GAV: Pirpi.D (Trojan)]

  • Creates the following registry entries to ensure that the dropped malware runs on every system reboot:
    • HKLM_SYSTEM_Services\NWCWorkstation\Parameters\ServiceDll: “%SystemRoot%\System32\msnetacsvc.dll”
    • HKLM_SYSTEM_Services\NWCWorkstation\ImagePath: “%SystemRoot%\System32\svchost.exe -k netsvcs”
    • HKLM_SYSTEM_Services\NWCWorkstation\DisplayName: “NetWare Workstations”
  • Opens a backdoor on the victim machine and attempts to connect to the IP address of a server hosted in Poland. The server was still actively serving encrypted command files at the time of writing this alert. Sample command files requested:
    • GET /bbs/OmIxA9gILmICAAAAPDlUKWrsYsjh0XQxOpixOpixOpiA.gif
    • GET /binary/jXor5LTseXmEAAAAihV0f-Pux4Xbv_grj1Wrj1Wrj1UA.rar
    • GET /picture/OdEw2TlxLdEDAAAAPThVKGntYcfg0HUwO9ewO9ewO9eA.jpg
    • GET /images/Y6V8BWHA1AUIAAAAWtefUqtsaX7fGXD9g5mA.gif
    • GET /news/kHgu4hdmhHeCAAAAlx7Xgkpzwkh7xecukL8ukL8ukL6A.jpg
    • GET /pic/9AWMBYsPcAUgAAAA8un9djhBrNp2tiOM9IoM9IoM9ImA.bmp

    Directories contacted on the server include bbs, binary, pic, picture, image, images, index, and news.

SonicWALL Gateway AntiVirus provided protection against this threat via the following signatures:

GAV: CVE-2010-3962.A (Exploit)
GAV: Pirpi.D#dldr (Trojan)
GAV: Agent.IEM (Trojan)
GAV: Pirpi.D (Trojan)
IDP: 5908 Malicious HTML Style Tag 1

MS Excel PtgExtraArray Parsing Memory Corruption (Nov 5th, 2010)

Microsoft Excel is a spreadsheet application released as a component of the Microsoft Office suite. The application can create complex spreadsheets with multiple workbooks, formulas, and various data sources. The file format used for storing Microsoft Excel documents is known as the Binary Interchange File Format (BIFF).

In BIFF5 and later versions, the data inside all Office document files is stored in a series of streams. These streams contain metadata about the document, such as the author name, subject, and, in the case of Excel documents, the individual sheet names. Excel-specific data is organized as a series of Records. The common structure of an Excel Record is shown below:

    Offset  Size    Contents
    ------- ------- ------------------------------------------
    0x0000  int16   Identifier (Type)
    0x0002  int16   Size of the following data (n)
    0x0004  char[n] Record Data

The Formula record (type 0x06) describes a cell that contains a formula in the Excel file. The Formula record structure is shown below:

    Offset  Size    Contents
    ------- ------- ------------------------------------------
    0x0000  int16   type (0x6)
    0x0002  int16   length of the Formula record data
    0x0004  int16   row
    0x0006  int16   column
    0x0008  int16   index to XF record
    0x000A  char[8] current value of the formula
    0x0012  int16   option flags
    0x0014  int32   chn
    0x0018  int16   cce length of the expression (n)
    0x001A  char[n] rgce parsed expression

Within the Formula record, the rgce field contains the formula in its parsed format, which is the internal tokenized representation of an Excel formula. A parsed expression contains a sequence of tokens, each of which consists of a token type and a token value.

When an rgce contains one or more tokens that require extra data, the containing Formula structure includes an RgbExtra section holding the data for those tokens. One structure contained within the RgbExtra section is PtgExtraArray. The structure is defined as shown:

    Offset  Size    Contents
    ------- ------- ------------------------------------------
    0x0000  char    cols
    0x0001  int16   rows
    0x0003  n       SerAr[n]

A memory corruption vulnerability exists in Microsoft Office Excel. The vulnerability is due to improper processing of the PtgExtraArray structure within the Formula record of Excel files. The vulnerable code uses the values of the cols and rows fields of the PtgExtraArray structure to calculate the number of elements in the SerAr[] array. The result of this calculation is not verified. The value is then used as the counter of a loop that copies SerAr structures sequentially into a memory buffer.

If the total size of the SerAr structures is large enough, the memory copy loop may write past the boundary specified for the Formula record, overwriting potentially critical data.

Exploitation of this flaw may result in arbitrary code execution. Remote attackers could exploit this vulnerability by persuading unsuspecting users to open a crafted Excel file. Successful exploitation would allow arbitrary code injection and execution in the security context of the logged-in user.
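As an added illustration (not SonicWALL's code), the following Python parses a Formula record laid out as in the tables above and applies the bounds check the text says the vulnerable code omits: the element count derived from cols and rows is compared with the bytes actually present before any SerAr data is read. The 9-byte SerAr element size and the two sample records are assumptions constructed for this example.

```python
import struct

FORMULA_RECORD_TYPE = 0x06   # Formula record identifier (see the record table above)
PTG_ARRAY = 0x20             # ptgArray token: its data is carried in RgbExtra as PtgExtraArray
SERAR_SIZE = 9               # assumption for this example: SerAr = 1 type byte + 8 value bytes


class BiffError(ValueError):
    """Raised for any structure that does not fit the bytes actually present."""


def parse_record_header(buf, off=0):
    """Parse the 4-byte BIFF record header: int16 type, int16 data size."""
    if off + 4 > len(buf):
        raise BiffError("truncated record header")
    rtype, size = struct.unpack_from("<HH", buf, off)
    if off + 4 + size > len(buf):
        raise BiffError("record data (%d bytes) runs past the end of the stream" % size)
    return rtype, size, off + 4


def parse_formula(buf, off=0):
    """Parse a Formula record; its fixed fields occupy the 22 bytes before rgce."""
    rtype, size, data = parse_record_header(buf, off)
    if rtype != FORMULA_RECORD_TYPE:
        raise BiffError("expected Formula record (0x06), got 0x%02x" % rtype)
    if size < 22:
        raise BiffError("Formula record too short for its fixed fields")
    row, col, ixfe = struct.unpack_from("<HHH", buf, data)
    value = buf[data + 6:data + 14]                      # char[8] current value
    flags, chn, cce = struct.unpack_from("<HIH", buf, data + 14)
    rgce_off = data + 22                                 # 0x1A from the record start
    if rgce_off + cce > data + size:
        raise BiffError("cce=%d overruns the Formula record" % cce)
    rgce = buf[rgce_off:rgce_off + cce]
    rgb_extra = buf[rgce_off + cce:data + size]          # RgbExtra follows rgce
    return {"row": row, "col": col, "ixfe": ixfe, "value": value, "flags": flags,
            "chn": chn, "cce": cce, "rgce": rgce, "rgb_extra": rgb_extra}


def parse_ptg_extra_array(extra, off=0):
    """Parse PtgExtraArray: char cols, int16 rows, then SerAr[cols*rows].
    The element count is checked against the bytes that remain before any
    SerAr data is read; this is the check the text says the vulnerable code lacks."""
    if off + 3 > len(extra):
        raise BiffError("truncated PtgExtraArray header")
    cols = extra[off]
    rows = struct.unpack_from("<H", extra, off + 1)[0]
    count = cols * rows                                  # up to 255 * 65535 elements
    needed = count * SERAR_SIZE
    available = len(extra) - (off + 3)
    if needed > available:
        raise BiffError("PtgExtraArray claims %d SerAr (%d bytes) but only %d remain"
                        % (count, needed, available))
    elems = [extra[off + 3 + i * SERAR_SIZE:off + 3 + (i + 1) * SERAR_SIZE]
             for i in range(count)]
    return cols, rows, elems


def formula_is_well_formed(buf):
    """True when the Formula record and any PtgExtraArray it carries stay in bounds."""
    try:
        rec = parse_formula(buf)
        if PTG_ARRAY in rec["rgce"]:
            parse_ptg_extra_array(rec["rgb_extra"])
        return True
    except BiffError:
        return False


# --- constructed sample records for this example, not taken from any real file ---
def build_formula(rgce, rgb_extra, row=0, col=0):
    body = (struct.pack("<HHH", row, col, 0) + b"\x00" * 8
            + struct.pack("<HIH", 0, 0, len(rgce)) + rgce + rgb_extra)
    return struct.pack("<HH", FORMULA_RECORD_TYPE, len(body)) + body

def build_ptg_extra_array(cols, rows, elems):
    return struct.pack("<BH", cols, rows) + b"".join(elems)

# benign 2x1 array: cols=2, rows=1 and both SerAr elements are present
GOOD = build_formula(bytes([PTG_ARRAY]),
                     build_ptg_extra_array(2, 1, [b"\x01" + b"\x00" * 8] * 2))
# hostile header: cols=255, rows=65535 with no SerAr data behind it
BAD = build_formula(bytes([PTG_ARRAY]), build_ptg_extra_array(0xFF, 0xFFFF, []))
```

A real parser would additionally walk the rgce tokens to match each ptgArray to its PtgExtraArray; this block checks only the first array, which is enough to show the missing bound.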

SonicWall has released an IPS signature to address a known exploit targeting this vulnerability. The following signature was released:

  • 5915 – MS Excel PtgExtraArray Parsing Memory Corruption PoC 2 (MS10-080)

This vulnerability has been assigned CVE-2010-3231 by MITRE. The vendor has released an advisory regarding this issue.

IBM Rational Products Backdoor Account Access (Oct 29, 2010)

IBM Rational is a web-based quality management solution that integrates the management and deployment of test environments within the quality management lifecycle. It incorporates Apache Tomcat to serve custom web applications.

To connect to a Tomcat application, a user must provide valid credentials. The user’s username and password will be included in the “Authorization:” HTTP header with each request.

A security-restriction-bypass vulnerability exists in IBM Rational products. Tomcat stores its user credentials in the configuration file tomcat-users.xml. When IBM Rational is installed, the user ADMIN is added to this configuration file with a default password, and the role “manager” is associated with this user. In an attack scenario, a remote attacker can use these default credentials to upload and run arbitrary web applications on the vulnerable system, within the security context of the affected process.
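The following Python is an added audit helper (not IBM's or SonicWALL's code) that reads a tomcat-users.xml and reports accounts that are vendor defaults or hold a deploy-capable role such as “manager”, which is the condition described above. The sample file and its placeholder passwords are constructed for this example; the real default password is not reproduced here.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the tomcat-users.xml layout; passwords are placeholders.
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <role rolename="manager"/>
  <role rolename="tester"/>
  <user username="ADMIN" password="PLACEHOLDER_DEFAULT" roles="manager"/>
  <user username="qa1" password="PLACEHOLDER" roles="tester"/>
</tomcat-users>
"""

VENDOR_DEFAULT_ACCOUNTS = {"admin"}   # compared case-insensitively
# "manager" is the role named in the text; the split manager-* roles exist in newer Tomcat
PRIVILEGED_ROLES = {"manager", "manager-gui", "manager-script", "admin"}


def _local(tag):
    """Strip an XML namespace prefix; newer Tomcat releases declare one on the root."""
    return tag.rsplit("}", 1)[-1]


def find_risky_accounts(xml_text):
    """Return findings for users that are vendor defaults and/or can deploy webapps."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username") or el.get("name") or ""
        roles = {r.strip() for r in (el.get("roles") or "").split(",") if r.strip()}
        reasons = []
        if name.lower() in VENDOR_DEFAULT_ACCOUNTS:
            reasons.append("vendor default account")
        privileged = roles & PRIVILEGED_ROLES
        if privileged:
            reasons.append("deploy-capable role(s): " + ", ".join(sorted(privileged)))
        if reasons:
            findings.append({"username": name, "roles": sorted(roles), "reasons": reasons})
    return findings
```

Run it against the live tomcat-users.xml of an installation; any finding for ADMIN with the manager role means the default account described above is still present.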

For more information about this vulnerability, please see SecurityFocus bid 44172.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 5890 IBM Rational QM/TLM Default Account Access

New Adobe Acrobat 0-day Vuln (Oct 28, 2010)

SonicWALL UTM Research team received reports of a new Adobe 0-day vulnerability, reported here, being exploited in the wild. The vulnerability is targeted by a specially crafted PDF file. Upon a successful exploit attempt, it drops and executes a malicious executable file on the victim machine.

Installation:

Once the user opens the malicious PDF file, it drops the following payloads in the %TEMP% folder:

  • ~temp.bat
    – Waits for 3 seconds
    – Cleans up after the crashed Adobe Acrobat application by terminating the running instance
    – Opens the clean PDF file that it drops, so that everything appears normal to the end user
    The content of the file ~temp.bat looks like:

    screenshot

  • nsunday.exe – [GAV: Wisp.A_2 (Trojan)]
    – Payload: the malicious executable file

After a successful exploit attempt on the Adobe Acrobat application, control is transferred to nsunday.exe, which continues the infection.

Malware Routine:

  • Drops the malicious file nsunday.dll in the %TEMP% folder and injects it into the following running processes:
    • iexplore.exe
    • outlook.exe
    • firefox.exe
  • Creates the following registry entry to ensure that the malware runs on every system reboot:
    • Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] Value: nsunday
      Data: “{user}\Local Settings\Temp\nsunday.exe -installkys”
  • Contacts the following domain:
    • news.mysundayparty.com
  • Requests commands from the remote URL:
    • news.m{REMOVE}/kys_allow_get.asp?name=getkys.kys

    Sample screenshot of the commands received:

    screenshot

    These commands include:

    • Downloading other malicious files
    • Uploading files to the remote server
    • Retrieving system information

    Sample screenshot of the information retrieved from the system:

    screenshot

  • Uploads the retrieved system information to the remote URL:
    • news.m{REMOVE}/kys_allow_put.asp?type=

Other dropped files:

  • %TEMP%\gdnsunday.tmp – text file containing the commands received from the remote server
  • %TEMP%\gnsunday.tmp – encrypted data
  • %TEMP%\pdnsunday.tmp – text file containing the gathered system information

SonicWALL Gateway AntiVirus provided protection against this malware via the following signatures:

GAV: Wisp.A_2 (Trojan)
GAV: PDF.JS_3 (Exploit)
IPS: Adobe Shockwave rcsL Chunk Memory Corruption PoC
IPS: Adobe Shockwave rcsL Chunk Memory Corruption PoC 2

HP Data Protector Media Operations DoS (Oct 22, 2010)

HP Data Protector Media Operations is a life cycle media management solution providing tracking and management of off-line storage media such as magnetic tapes. The HP Data Protector Media Operations service is provided by the DBServer.exe process. By default, the process listens for connections on TCP port 19813.

A denial of service vulnerability exists in the HP Data Protector Media Operations server process. Specifically, the vulnerability is due to a NULL pointer dereference when processing incoming requests; the dereference triggers an invalid memory access and crashes the server process. A remote attacker can exploit this vulnerability by sending crafted requests to the target server. Successful exploitation causes DBServer.exe to terminate abnormally, resulting in a denial-of-service condition.

For more information about this vulnerability, please see Secunia Advisory SA41698.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 5866 HP Data Protector Media Operations DoS

Bandok Keylogger Trojan (Oct 21, 2010)

SonicWALL UTM Research received reports of a new backdoor Trojan being spammed in the wild. The Trojan arrives via e-mail as an attachment.

If the user downloads and executes the file attachment from the email then it performs the following activities on the victim machine:

  • Process Information:
    • It creates the following processes:
      • firefox.exe
      • cfmon_.exe
    • It creates the following mutexes:
      • BEN333JDJDJ
      • fHDVQUw
  • Network Activity:
    • It connects to {removed}.com and downloads the following files:

      screenshot

    • It uploads harvested information back to the same domain. Here is a screenshot of the currently harvested user information as seen on the domain, indexed by username:

      screenshot

  • File Activity:
    • It creates the following files:
      • %windir%\system32\dream\bupl.dll
      • %windir%\system32\dream\bupws.dll
      • %windir%\system32\dream\sqlite3.dll
      • %windir%\system32\dream\ctfmon_.exe – Detected as GAV: Bandok.WG_2 (Trojan)
      • %windir%\system32\dream\dreamwaver.exe (copy of itself) – Detected as GAV: Bandok.WG (Trojan)
      • %windir%\system32\dream\.bns
      • %windir%\system32\dream\blogs{DD}_{MM}_{YYYY}.html
        This file contains information about open windows and the associated keystrokes, which is uploaded to the domain. A sample of the file is shown below:

        screenshot

  • Registry Activity:
    • It creates “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run {VB45O-P98RE-KJL43-NMB4-DFR3T}” with value “%windir%\System32\dream\dreamwaver.exe” to ensure that it runs on every reboot
  • Information Harvesting:
    • It logs keystrokes for each active application
    • It logs form data from open web sessions
    • It harvests e-mail addresses from address book

SonicWALL Gateway AntiVirus provides protection against this Bandok Trojan with the following signatures:

GAV: Bandok.WG (Trojan)
GAV: Bandok.WG_2 (Trojan)

Qbot Infostealer Trojan (Oct 15, 2010)

SonicWALL UTM Research team observed reports of a new Qbot Infostealer Trojan variant being spammed in the wild via e-mail. The e-mail pretends to contain pictures of the sender and lures the user into opening them. The attachment is an executable file (pic.exe), and opening it leads to the compromise of confidential information.

The e-mail message looks like below:

screenshot

Most e-mail clients with default security settings will block the attachment, as it is an executable file. However, if the user manages to open the attached file, it performs the following activities:

  • Steals confidential information from the victim machine, including e-mail account credentials, various website credentials, and confidential information stored in cookies. It stores the stolen information in encrypted form.
  • Blocks antivirus updates as well as Google updates on the victim machine
  • Connects to the compromised domain going-wide.net and downloads a newer variant of itself, which was saved as:
    • (Temp)\ky95.tmp.exe [Detected as GAV: Qbot.RP (Trojan)]
  • Drops the following files on the victim machine:
    • (WINDOWS)\system32\a.dll
    • (WINDOWS)\system32\d.dll
    • (WINDOWS)\system32\kkkkkkk
    • (WINDOWS)\system32\n.dll
    • (WINDOWS)\system32\ntcore.dll
    • (WINDOWS)\system32\o.dll
    • (WINDOWS)\system32\p.dll
  • It patches the following system file:
    • (WINDOWS)\system32\ole32.dll
  • Sample request that it uses to send confidential system information:

    screenshot

  • Sample runtime activity log from the infected system:

    screenshot

SonicWALL Gateway AntiVirus provides protection against this information-stealing Trojan variant via the GAV: Qbot.RP (Trojan) signature.

Microsoft Security Bulletins Coverage (Oct 12, 2010)

SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of October, 2010. A list of issues reported, along with SonicWALL coverage information follows:

MS10-071 Cumulative Security Update for Internet Explorer (2360131)

  • CVE-2010-0808 – AutoComplete Information Disclosure Vulnerability
    Note: There are no known public exploits targeting this vulnerability.
  • CVE-2010-3243 – HTML Sanitization Vulnerability
    IPS 5844 MS IE XSS Vulnerability Exploit
  • CVE-2010-3324 – HTML Sanitization Vulnerability
    IPS 4149 MS IE toStaticHTML Method Invocation
  • CVE-2010-3325 – CSS Special Character Information Disclosure Vulnerability
    Note: There are no known public exploits targeting this vulnerability.
  • CVE-2010-3326 – Uninitialized Memory Corruption Vulnerability
    Note: There are no known public exploits targeting this vulnerability.
  • CVE-2010-3327 – Anchor Element Information Disclosure Vulnerability
    Note: There are no known public exploits targeting this vulnerability.
  • CVE-2010-3328 – Uninitialized Memory Corruption Vulnerability
    Note: Detection would require a logical analysis or traversal of a file. It is not feasible.
  • CVE-2010-3329 – Uninitialized Memory Corruption Vulnerability
    IPS 5836 MS IE Uninitialized Memory Corruption Vulnerability 2 (MS10-071)
  • CVE-2010-3330 – Cross-Domain Information Disclosure Vulnerability
    Note: Detection would require a logical analysis or traversal of a file. It is not feasible.
  • CVE-2010-3331 – Uninitialized Memory Corruption Vulnerability
    IPS 5835 MS IE Uninitialized Memory Corruption Vulnerability (MS10-071)

MS10-072 Vulnerabilities in SafeHTML Could Allow Information Disclosure (2412048)

  • CVE-2010-3243 – HTML Sanitization Vulnerability
    Note: Please refer to MS10-071
  • CVE-2010-3324 – HTML Sanitization Vulnerability
    Note: Please refer to MS10-071

MS10-073 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957)

  • CVE-2010-2549 – Win32K Reference Count Vulnerability
    Note: Local elevation of privilege
  • CVE-2010-2743 – Win32K Keyboard Layout Vulnerability
    Note: Local elevation of privilege
  • CVE-2010-2744 – Win32k Window Class Vulnerability
    Note: Local elevation of privilege

MS10-074 Vulnerability in Microsoft Foundation Classes Could Allow Remote Code Execution (2387149)

  • CVE-2010-3227 – Windows MFC Document Title Updating Buffer Overflow Vulnerability
    Note: There are no known public exploits targeting this vulnerability.

MS10-075 Vulnerability in Media Player Network Sharing Service Could Allow Remote Code Execution (2281679)

  • CVE-2010-3225 – RTSP Use After Free Vulnerability
    IPS 5845 Microsoft Windows Media Player Code Execution Exploit

MS10-076 Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (982132)

  • CVE-2010-1883 – Embedded OpenType Font Integer Overflow Vulnerability
    IPS 5837 Malicious Font File Download 5b

MS10-077 Vulnerability in .NET Framework Could Allow Remote Code Execution (2160841)

  • CVE-2010-3228 – .NET Framework x64 JIT Compiler Vulnerability
    Note: There is no way to differentiate malformed and legitimate traffic.

MS10-078 Vulnerabilities in the OpenType Font (OTF) Format Driver Could Allow Elevation of Privilege (2279986)

  • CVE-2010-2740 – OpenType Font Parsing Vulnerability
    IPS 5831 Malicious Font File Download 3b
  • CVE-2010-2741 – OpenType Font Validation Vulnerability
    IPS 5832 Malicious Font File Download 4b

MS10-079 Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (2293194)

  • CVE-2010-2747 – Word Uninitialized Pointer Vulnerability
    Note: There are no known public exploits targeting this vulnerability.
  • CVE-2010-2748 – Word Boundary Check Vulnerability
    Note: There are no known public exploits targeting this vulnerability.
  • CVE-2010-2750 – Word Index Vulnerability
    Note: There are no known public exploits targeting this vulnerability.
  • CVE-2010-3214 – Word Stack Overflow Vulnerability
    IPS 5833 Malicious Word Document 3b
  • CVE-2010-3215 – Word Return Value Vulnerability
    Note: There are no known public exploits targeting this vulnerability.
  • CVE-2010-3216 – Word Bookmarks Vulnerability
    Note: There are no known public exploits targeting this vulnerability.
  • CVE-2010-3217 – Word Pointer Vulnerability
    Note: There are no known public exploits targeting this vulnerability.
  • CVE-2010-3218 – Word Heap Overflow Vulnerability
    Note: There are no known public exploits targeting this vulnerability.
  • CVE-2010-3219 – Word Index Parsing Vulnerability
    Note: There are no known public exploits targeting this vulnerability.
  • CVE-2010-3220 – Word Parsing Vulnerability
    Note: There are no known public exploits targeting this vulnerability.
  • CVE-2010-3221 – Word Parsing Vulnerability
    Note: There are no known public exploits targeting this vulnerability.

MS10-080 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2293211)

  • CVE-2010-3230 – Excel Record Parsing Integer Overflow Vulnerability
    IPS 5840 Malicious Excel Document 6b
  • CVE-2010-3231 – Excel Record Parsing Memory Corruption Vulnerability
    Note: There are no known public exploits targeting this vulnerability.
  • CVE-2010-3232 – Excel File Format Parsing Vulnerability
    IPS 5839 Malicious Excel Document 5b
  • CVE-2010-3233 – Lotus 1-2-3 Workbook Parsing Vulnerability
    Note: There are no known public exploits targeting this vulnerability.
  • CVE-2010-3234 – Formula Substream Memory Corruption Vulnerability
    Note: There are no known public exploits targeting this vulnerability.
  • CVE-2010-3235 – Formula Biff Record Vulnerability
    Note: There are no known public exploits targeting this vulnerability.
  • CVE-2010-3236 – Out Of Bounds Array Vulnerability
    Note: There are no known public exploits targeting this vulnerability.
  • CVE-2010-3237 – Merge Cell Record Pointer Vulnerability
    IPS 5834 Malicious Excel Document 3b
  • CVE-2010-3238 – Negative Future Function Vulnerability
    Note: There are no known public exploits targeting this vulnerability.
  • CVE-2010-3239 – Extra Out of Boundary Record Parsing Vulnerability
    Note: There are no known public exploits targeting this vulnerability.
  • CVE-2010-3240 – Real Time Data Array Record Vulnerability
    IPS 5838 Malicious Excel Document 4b
  • CVE-2010-3241 – Out-of-Bounds Memory Write in Parsing Vulnerability
    Note: There are no known public exploits targeting this vulnerability.
  • CVE-2010-3242 – Ghost Record Type Parsing Vulnerability
    Note: There are no known public exploits targeting this vulnerability.

MS10-081 Vulnerability in Windows Common Control Library Could Allow Remote Code Execution (2296011)

  • CVE-2010-2746 – Comctl32 Heap Overflow Vulnerability
    Note: There are no known public exploits targeting this vulnerability.

MS10-082 Vulnerability in Windows Media Player Could Allow Remote Code Execution (2378111)

  • CVE-2010-2745 – Windows Media Player Memory Corruption Vulnerability
    Note: There are no known public exploits targeting this vulnerability.

MS10-083 Vulnerability in COM Validation in Windows Shell and WordPad Could Allow Remote Code Execution (2405882)

  • CVE-2010-1263 – COM Validation Vulnerability
    Note: This is a platform design-level issue. The detection logic varies between ActiveX controls.

MS10-084 Vulnerability in Windows Local Procedure Call Could Cause Elevation of Privilege (2360937)

  • CVE-2010-3222 – LPC Message Buffer Overrun Vulnerability
    Note: This is a local elevation of privilege.

MS10-085 Vulnerability in SChannel Could Allow Denial of Service (2207566)

  • CVE-2010-3229 – TLSv1 Denial of Service Vulnerability
    IPS 5846 MS IIS 7.0 Denial of Service Attempt

MS10-086 Vulnerability in Windows Shared Cluster Disks Could Allow Tampering (2294255)

  • CVE-2010-3223 – Permissions on New Cluster Disks Vulnerability
    Note: There is no way to differentiate malformed and legitimate traffic.

Virus Murofet.A (Oct 8, 2010)

SonicWALL UTM Research team received reports of a new file infector active in the wild. This virus infects PE files and uses its own random domain name generator to produce domain names. It then attempts to download and execute malicious files via these domains.

The last time we saw a random domain name generation algorithm used to download additional malware was the Conficker worm.

Installation:

The virus drops a copy of itself on the system and runs it. It also injects code into running processes before dropping a batch file to delete itself.

The injected code generates random domains and tries to download and execute additional malware. The generated domains are derived from a randomizing function computed over the current UTC system date and time, obtained through the Windows API GetSystemTime.

It generates 800 random domains per second until it successfully downloads malware from one of the domains.

Dropped Files

It drops a copy of itself at:

  • {User}\Application Data\{random folder (4 characters)}\{random}.exe

In our environment, the virus copied itself as:

  • {User}\Application Data\Dyem\vaiq.exe – GAV: Murofet.A (Virus)

Other dropped files:

  • {User}\Application Data\Kesa\kuaww.eve

Registry modification

It adds the following registry entry to ensure that the dropped copy of the malware starts on every system reboot:

  • Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] Value: “{ABE1C0BF-B85A-7A2B-01C5-9CAEA05BDB43}”
    Data: “{User}\Application Data\Dyem\vaiq.exe”

Infection Routine

  • It infects .exe files and uses cavity-style infection to insert its malicious code. This allows the virus to infect files without increasing their file size.

Random Domain Name Generation

  • Gets the current system date and time (UTC).
  • Computes ASCII characters in the range [a-z] from the timestamp.
  • Generates a domain name from those characters, not exceeding 16 characters.
  • Uses one of the following top-level domains to form the URL:
    • .com
    • .net
    • .info
    • .biz
    • .org
  • The generator does not include the seconds and milliseconds in the computation, so any infected machines whose clocks agree to the minute generate the same domain name.

URL Pattern:

    http://{generated_domain}/forum/

Samples of Domain Names observed:

  • eiw{REMOVED}gyoqzm.info
  • opq{REMOVED}ghpnjux.biz
  • njj{REMOVED}tekjpsib.net
  • onu{REMOVED}xrtusnyl.org
  • trk{REMOVED}xsvuml.com

Download Routine

Infected files attempt to download another malicious file from the generated URL and save it in the %TEMP% directory. The downloaded file is validated before it is executed. Files downloaded by this virus are blocked as GAV: Conficker.gen (Worm).

Sample DNS requests:

    screenshot

SonicWALL Gateway AntiVirus provided protection against this malware via GAV: Murofet.A (Virus) and GAV: Conficker.gen (Worm).