Bamital Trojan – Pay Per Install (Sept 3, 2010)

SonicWALL UTM Research team observed reports of the Bamital Trojan installer being distributed in the wild as part of a Pay-Per-Install campaign run by the malware authors.

The Bamital Trojan family is known to monitor user browsing activity, modify Internet search results and display advertisements that generate revenue for the malware authors. SonicWALL has seen an increase in the number of Bamital-infected executable files since early August.

A forum posting was seen on pay-per-install.org yesterday that advertised revenue sharing per installation, i.e. per infection, of the Bamital Trojan (the post has since been removed). As seen in the image below, they assign a numeric ID to each user who signs up and provide a binary tied to that user ID, which is used to track the number of installations. The malware authors offer up to $800 per 1,000 infections, which gives an indication of the amount of money they are making from it.

screenshot

The domain advertised in the post is of Russian origin and was actively serving the Bamital Trojan installer at the time of writing this alert. The malicious installer executable performs the following activities upon execution:

  • Disables the System Restore functionality by modifying the registry
  • Creates the following files on the infected system:
    • (WINDOWS)\Temp\explorer.dat [Original version of the system explorer.exe]
    • (WINDOWS)\Temp\winlogon.dat [Original version of the system winlogon.exe]
    • (WINDOWS)\system32\hlp.dat [Encrypted file containing data & code used during runtime]
    • (Application Data)\Windows Server\admin.txt
    • (Application Data)\Windows Server\server.dat [Encrypted file containing data & code used during runtime]

  • Injects code into the Windows system executables Explorer.exe and Winlogon.exe. The malicious code is injected at the entry point of these system executables and looks like:
  • screenshot

  • The Trojan now monitors the user’s web browsing activity via a hook in Explorer.exe. The Trojan then tries to modify the web search results for any search query done via affected web browsers.
  • screenshot

  • It deletes the original Installer file that was executed.

SonicWALL Gateway AntiVirus provides protection against this Trojan via the following signatures:

  • GAV: Bamital.DZ (Trojan)
  • GAV: Suspicious#bamital (Trojan)

PS3 Jailbreak Trojan (Aug 25, 2010)

SonicWALL UTM Research team received reports of a new PS3 Jailbreak Trojan being distributed in the wild. This Trojan is actually a new variant of Trojan Spatet packaged together with a PS3 Jailbreak tool. The tool purportedly allows gamers to use their PS3 console without the game's original disc. However, users who download this tool are infected by a Trojan backdoor that steals information from their system.

The release of this Trojan comes after a real PS3 Jailbreak USB Stick has been released and is currently gaining popularity among PS3 gamers.

Arrival & Installation:

This Trojan may arrive on the system after being downloaded from the following URL:

  • http://www.fol{REMOVED}8e3979fb14

The installer of this Trojan looks like this:

screenshot

The PS3 Jailbreak tool looks like this:

screenshot
screenshot
screenshot

As the user installs the PS3 Jailbreak tool, it will also install the following:

  • %Temp%\hahahaha.exe (282 KB) – [ detected as GAV: Rebhip.A (Virus) ]
  • %Temp%\abc2.exe (563 KB) – [ detected as GAV: Spatet.B (Trojan) ]
  • %System%\temptempp.exe – [ detected as GAV: Spatet.B (Trojan) ]

It creates a mutex to ensure that only one instance of the application runs on the system:

  • {UserName}{Random Number}

(Note: %Temp% is the Temporary folder, which is usually C:\Documents and Settings\{User}\Local Settings\Temp; %System% is the Windows System folder, which is usually C:\Windows\System32)

Registry Changes:

It adds the following registry entries to ensure that the dropped copy of the malware starts on every system reboot:

  • Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] Value: "Policies"
    Data: ""C:\WINDOWS\system32\temptempp.exe""
  • Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] Value: "Policies"
    Data: ""C:\WINDOWS\system32\temptempp.exe""
  • Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] Value: "HKCU"
    Data: ""C:\WINDOWS\system32\temptempp.exe""
  • Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] Value: "HKLM"
    Data: ""C:\WINDOWS\system32\temptempp.exe""

It adds the following registry entries as part of its installation:

  • Key: [HKEY_CURRENT_USER\Software\ps3]
    Value: "FirstExecution"
    Value: "NewGroup"
    Value: "NewIdentification"

Anti-Debugging Technique:

This Trojan employs the following anti-debugging/anti-analysis techniques before it proceeds with execution:

  • Checks whether it is running inside a virtual machine
  • Checks whether it is running inside a debugger
  • Checks whether it is running under the following automated analysis tools:
    • Anubis
    • CWSandbox
    • JoeBox

Information Stealing:

It collects information from the following:

  • Stored IE Account Information
  • Stored Mozilla Firefox Account Information
  • RAS Accounts
  • Browser Autocomplete Forms Content
  • Windows Live Account Information
  • Current User Name
  • Computer Name and IP Address

After it collects information, it will send them to a remote server through HTTP protocol.

Command & Control (C&C) Server connection:
It tries to connect to a remote server to receive further instruction and to send collected information:

  • ownedbynob{REMOVED}biz:35578
  • hackfre{REMOVED}.com
  • steamgi{REMOVED}.at

SonicWALL Gateway AntiVirus provides protection against this Trojan via the following signatures:

  • GAV: Rebhip.A
  • GAV: Rebhip.A_2
  • GAV: Spatet.B (Trojan)

screenshot

Apple Safari Button Rendering Code Execution (Aug 25, 2010)

Safari is a graphical web browser developed by Apple and included as part of the Mac OS X operating system. The browser is capable of processing HTML, images, scripting languages, and various other popular Internet specifications such as XHTML. Its rendering engine, called WebKit, is also running in the standard browsers of several mobile phone platforms, including the iPhone OS, Google Android, Nokia S60 and Palm WebOS. WebKit has a development toolkit which allows third party developers to build applications that use Internet technologies such as HTML, HTTP, and others. WebKit provides WebCore, an HTML parser, and JavaScriptCore, which is a JavaScript engine. WebKit also supports styling using CSS.

Cascading Style Sheets (CSS) is a style sheet language used to describe the presentation semantics (the look and formatting) of a document written in a markup language. Its most common application is to style web pages written in HTML and XHTML, but the language can also be applied to any kind of XML document, including SVG and XUL. CSS can define color, font, text alignment, size, borders, spacing, layout and many other typographic characteristics. It can do so independently for on-screen and printed views. One of these characteristics is the first-letter pseudo-element which affects the first character of a paragraph. The following example uses the first-letter pseudo-element to change the color of the first letter of the paragraph on the body:

 <html>
 <head>
 <style type="text/css">
 p:first-letter { color:#ff0000; font-size:xx-large; display:none; }
 </style>
 </head>
 <body>
 <p>The first letter of this text is red!</p>
 </body>
 </html>

A design error exists in Safari's WebKit. The vulnerability is due to an implementation error when rendering elements whose first-letter pseudo-element has a specific CSS display property set. Remote attackers could exploit this vulnerability by persuading a target user to visit a maliciously crafted web page. Successful exploitation would result in code execution with the privileges of the logged-in user. In case of an unsuccessful attack, the associated browser tab terminates abnormally and the browser then recovers it.

SonicWALL UTM team has researched this vulnerability, and created the following IPS signatures for the public exploits:

  • 5563 Apple Safari Button Rendering Code Execution PoC 1
  • 5564 Apple Safari Button Rendering Code Execution PoC 2

The CVE identifier for this vulnerability is CVE-2010-1392.

Microsoft Windows SMB Pool Overflow (Aug 20, 2010)

The Microsoft Windows operating system ships with an implementation of the Server Message Block (SMB) protocol. SMB is a widely used protocol that allows for sharing network devices and remote procedure calls, among other things. The service listens on TCP ports 139 and 445. SMB is a stateful protocol that requires successful authentication before a session is established. An SMB message is composed of a header and message-specific data.
The following describes an SMB message structure:

 Offset  Size      Field
 ------  --------  ---------------------------------------
 0x0000  char[4]   'SMB'
 0x0004  char      Command (TRANS2 = 0x32)
 0x0005  int32     Error Class
 0x0009  char      Flags
 0x000A  int16     Flags2
 0x000C  int16     Pid High
 0x000E  int32[2]  Signature
 0x0016  int16     Unused
 0x0018  int16     Tree ID
 0x001A  int16     Process ID
 0x001C  int16     User ID
 0x001E  int16     Multiplex ID
 0x0020  var       SMB Message Data

One of the Commands supported by the SMB protocol is the SMB_COM_TRANSACTION2, also known as TRANS2 (0x32).
The SMB Message Data portion of an SMB TRANS2 Request message has the following structure:

 Offset  Size     Field
 ------  -------  ------------------------------------------
 0x0000  char     Word Count
 0x0001  int16    Total Parameter Count
 0x0003  int16    Total Data Count
 0x0005  int16    Max Parameter Count
 0x0007  int16    Max Data Count
 0x0009  char     Max Setup Count
 0x000A  char     Reserved
 0x000B  int16    Flags
 0x000D  int32    Timeout
 0x0011  int16    Reserved
 0x0013  int16    Parameter Count
 0x0015  int16    Parameter Offset
 0x0017  int16    Data Count
 0x0019  int16    Data Offset
 0x001B  char     Setup Count
 0x001C  char     Reserved
 0x001D  int16    Subcommand
 [...]

Based on the Subcommand, the format of the Subcommand Data will change. One of the supported subcommands is QUERY_FS_INFO.

A buffer overflow vulnerability exists in the Server Message Block (SMB) protocol implementation on Microsoft Windows. The vulnerability is due to a boundary error when handling specially crafted SMB messages. The flaw exists in the processing of the QUERY_FS_INFO subcommand in SMB_COM_TRANSACTION2 requests. The vulnerable code does not properly verify the value of the 'Max Data Count' field of the request. This value is used to allocate a memory pool in the kernel address space. A malicious SMB message processed by the vulnerable service could cause an undersized memory pool to be allocated, which could consequently trigger a write access violation when the pool is used by the kernel.

Successful exploitation may result in code injection and execution with the privileges of the operating system kernel. In cases of unsuccessful exploitation, the attack leads to a kernel panic, causing a system-wide denial of service condition.
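The following is an added example, not SonicWALL code: a decoder for the SMB header and TRANS2 request words laid out in the two tables above, with a detector that flags QUERY_FS_INFO requests whose Max Data Count is smaller than any real QUERY_FS_INFO reply needs. It assumes the NetBIOS session header has already been stripped; the subcommand code 0x0003 (from MS-CIFS) and the 24-byte minimum are assumptions, not values from this alert, and the sample messages are constructed, not captures.

```python
# Added example (not SonicWALL code): decode the SMB header and TRANS2 request
# words described above and flag QUERY_FS_INFO requests whose Max Data Count is
# smaller than any real QUERY_FS_INFO reply needs. The NetBIOS session header is
# assumed to be stripped already; the subcommand code 0x0003 and the 24-byte
# minimum are assumptions (MS-CIFS and local tuning), not values from the page.
import struct

SMB_MAGIC = b"\xffSMB"                 # 0xFF 'S' 'M' 'B' at offset 0
SMB_COM_TRANSACTION2 = 0x32            # TRANS2, as in the header table
TRANS2_QUERY_FS_INFORMATION = 0x0003   # assumed subcommand code (MS-CIFS)
MIN_QUERY_FS_INFO_DATA = 24            # assumed tuning threshold for the detector

# Field layouts follow the two tables above (little-endian, no padding).
HEADER_FMT = "<4sBIBHH8sHHHHH"         # marker, cmd, status, flags, flags2, pid hi,
                                       # signature, unused, tid, pid, uid, mid = 32 B
TRANS2_FMT = "<BHHHHBBHIHHHHHBBH"      # word count .. first setup word (subcommand)
HEADER_LEN = struct.calcsize(HEADER_FMT)


def parse_smb_header(msg: bytes) -> dict:
    """Return the header fields, or raise ValueError if this is not an SMB message."""
    if len(msg) < HEADER_LEN:
        raise ValueError("truncated SMB header")
    (magic, command, status, flags, flags2, _pid_high, _sig, _unused,
     tid, pid, uid, mid) = struct.unpack_from(HEADER_FMT, msg, 0)
    if magic != SMB_MAGIC:
        raise ValueError("missing SMB marker")
    return {"command": command, "status": status, "flags": flags, "flags2": flags2,
            "tid": tid, "pid": pid, "uid": uid, "mid": mid}


def parse_trans2_request(msg: bytes) -> dict:
    """Decode the TRANS2 parameter words that start at header offset 0x0020."""
    if len(msg) < HEADER_LEN + struct.calcsize(TRANS2_FMT):
        raise ValueError("truncated TRANS2 request")
    (word_count, total_param, total_data, max_param, max_data, max_setup, _r1,
     flags, timeout, _r2, param_count, param_off, data_count, data_off,
     setup_count, _r3, subcommand) = struct.unpack_from(TRANS2_FMT, msg, HEADER_LEN)
    return {"word_count": word_count, "total_parameter_count": total_param,
            "total_data_count": total_data, "max_parameter_count": max_param,
            "max_data_count": max_data, "max_setup_count": max_setup, "flags": flags,
            "timeout": timeout, "parameter_count": param_count,
            "parameter_offset": param_off, "data_count": data_count,
            "data_offset": data_off, "setup_count": setup_count,
            "subcommand": subcommand}


def inspect(msg: bytes) -> dict:
    """Classify one SMB request; only TRANS2 QUERY_FS_INFO with a tiny Max Data Count is flagged."""
    hdr = parse_smb_header(msg)
    verdict = {"command": hdr["command"], "suspicious": False, "reason": ""}
    if hdr["command"] != SMB_COM_TRANSACTION2:
        return verdict                      # other commands are not in scope here
    t2 = parse_trans2_request(msg)
    verdict["subcommand"] = t2["subcommand"]
    verdict["max_data_count"] = t2["max_data_count"]
    if (t2["subcommand"] == TRANS2_QUERY_FS_INFORMATION
            and t2["max_data_count"] < MIN_QUERY_FS_INFO_DATA):
        verdict["suspicious"] = True
        verdict["reason"] = ("TRANS2 QUERY_FS_INFO advertises Max Data Count %d "
                             "(< %d): undersized pool request" %
                             (t2["max_data_count"], MIN_QUERY_FS_INFO_DATA))
    return verdict


# Constructed sample messages (not captures): a 32-byte header followed by the
# TRANS2 words up to the subcommand; the trailing byte count and parameter bytes
# are omitted because the parser never reads past the subcommand.
_HEADER = bytes.fromhex(
    "ff534d42" "32" "00000000" "18" "07c8" "0000" "0000000000000000"
    "0000" "0100" "fffe" "0008" "4000")
_TRANS2_PREFIX = "0f" "0200" "0000" "0000"      # word count 15, total param/data, max param
_TRANS2_SUFFIX = ("00" "00" "0000" "00000000" "0000" "0200" "4400" "0000" "0000"
                  "01" "00" "0300")             # ... setup count 1, subcommand 0x0003
BENIGN_REQUEST = _HEADER + bytes.fromhex(_TRANS2_PREFIX + "0010" + _TRANS2_SUFFIX)      # Max Data Count 0x1000
UNDERSIZED_REQUEST = _HEADER + bytes.fromhex(_TRANS2_PREFIX + "0800" + _TRANS2_SUFFIX)  # Max Data Count 8
OTHER_COMMAND = _HEADER[:4] + b"\x25" + _HEADER[5:] + BENIGN_REQUEST[HEADER_LEN:]      # SMB_COM_TRANSACTION

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_REQUEST), ("undersized", UNDERSIZED_REQUEST),
                         ("other command", OTHER_COMMAND)):
        print(name, inspect(sample))
```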

SonicWALL has released an IPS signature to address this vulnerability. The following signature has been released:

  • 5235 – MS SMB Pool Overflow Attack Attempt

The vendor has released an advisory regarding this issue. The vulnerability has been assigned CVE-2010-2550 by MITRE.

Ackantta Trojan spam campaign (August 19, 2010)

SonicWALL UTM Research team observed a Twitter spam campaign involving a newer variant of Ackantta Trojan in the last 7 days. The spam emails arrive with a zip archived attachment which contains the Ackantta Trojan executable. The e-mail is drafted to appear as a Twitter invitation from a friend.

Attachment: Invitation Card.zip (contains document.doc … .exe)

Subject: Your friend invited you to Twitter!

Email Body:
————————

New to Twitter? Sign up now

Have an account? Sign in

Your friend invited you to twitter!

Twitter

Twitter is a service for friends, family, and co-workers to communicate and stay connected through the exchange of quick, frequent answers to one simple question:

What are you doing?

To join or to see who invited you, check the attachment.
————————

A sample email message looks like:

screenshot

The executable file inside the attachment looks like this:

screenshot

If the user opens the malicious attachment, it performs the following activities on the victim's machine:

  • Network Activity:
    • It connects to whatismyip.com and attempts to obtain the victim's IP address
    • screenshot

    • It sends a request to a known malicious domain
    • screenshot

    • It resolves multiple SMTP servers and attempts to propagate by mass emailing
  • File Activity:

    It creates the following files

    • %windir%\system32\HPWuSchdb.exe (copy of document.doc … .exe) – Detected as GAV: Ackantta.TW (Trojan)
    • %windir%\system32\reader_s1.exe – Detected as GAV: Ackantta.TW (Trojan)
    • %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul – Detected as GAV: Dursg.G (Trojan)
    • %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
    • %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
  • Process Activity:

    It creates the following process in memory

    • %AppData%\SystemProc\lsass.exe
    • %windir%\system32\reader_sl.exe
    • %windir%\system32\HPWuSchdb.exe
    • %windir%\system32\hp-357.exe
    • %ProgramFiles%\Internet Explorer\IEXPLORE.EXE
  • Registry Activity:
    • It creates HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: C:\WINDOWS\system32\HPWuSchdb.exe under the name "HP Software Updater", ensuring infection on system restart
    • It creates HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: C:\WINDOWS\reader_sl.exe under the name "Adobe Reader Speed Launcher", ensuring infection on system restart
    • It disables the Windows Security Center service by modifying HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wscsvc:Start
    • It disables the Error Reporting service by modifying HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ERSvc:Start
    • It disables User Account Control (UAC) by modifying HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center:EnableLUA
    • It disables the User Account Control (UAC) notification by modifying HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center:UACDisableNotify
  • Firefox Extension:

    As part of the infection process it installs timer.xul as a Firefox extension, which embeds a script in a section of certain pages rendered in the browser.

    screenshot

SonicWALL Gateway AntiVirus provides protection against this Ackantta Trojan variant with GAV: Ackantta.TW (Trojan) signature. [12770 hits recorded in last 7 days]

screenshot

Yahos Worm Spreading in the Wild (Aug 12, 2010)

SonicWALL UTM Research team received reports of a new variant of the Yahos worm spreading in the wild. It propagates through instant messaging applications such as Yahoo Messenger, AOL, Skype and MSN, as well as through the social networking site Facebook. It also includes IRC-based backdoor capability to receive instructions from a remote server.

Installation:

Drops a copy of itself:

  • %Windows%\jusched.exe – [ detected as GAV: Yahos.BA (Worm) ]

Drops the following files:

  • C:\sssA1234567890.exe – [ detected as GAV: Yahos.BA_2 (Trojan) ]
  • C:\WINDOWS\system32\rrrc.yeo – [ detected as GAV: Oficla_14 (Trojan) ]

Downloads related Malware:

  • C:\WINDOWS\system32\8c.html – [ detected as GAV: Kryptik.EVL (Trojan) ]
  • %User Profile%\fow.exe – [ detected as GAV: Kryptik.CLM (Trojan) ]
  • %User Profile%\secupdat.dat – [ detected as GAV: Cetorp.P_3 (Backdoor) ]
  • C:\WINDOWS\system32\secupdat.dat – [ detected as GAV: Cetorp.P_3 (Backdoor) ]

Creates a mutex to ensure that only one instance of the application runs on the system:

  • Micro Upe

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT. %User Profile% is the user folder, which is usually C:\Documents and Settings\{Current User})

Registry Changes:

It adds the following registry entries to ensure that the dropped copy of the malware starts on every system reboot:

  • Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] Value: "Java developer Script Browse"
    Data: ""C:\WINDOWS\jusched.exe""
  • Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] Value: "Java developer Script Browse"
    Data: ""C:\WINDOWS\jusched.exe""
  • Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run] Value: "Java developer Script Browse"
    Data: ""C:\WINDOWS\jusched.exe""

Adds the following registry entry to bypass Windows Firewall restrictions:

  • Key: [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] Value: "C:\WINDOWS\jusched.exe"
    Data: "C:\WINDOWS\jusched.exe:*:Enabled:Java developer Script Browse"
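The following is an added example, not SonicWALL code: it parses a .reg export covering the autostart locations used by the Trojans in these alerts (the Run key, the Policies\Explorer\Run key from the PS3 Jailbreak Trojan, and the Terminal Server\Install Run key above) and pairs each entry with the firewall AuthorizedApplications list, so a binary that both autostarts and has opened a firewall exception stands out. SAMPLE_REG is constructed from the Yahos entries above plus one benign placeholder value (ctfmon.exe); the helper names are this example's own.

```python
# Added example (not SonicWALL code): parse a .reg export of the autostart
# locations listed in these alerts and pair each entry with the firewall
# AuthorizedApplications list. SAMPLE_REG is constructed from the entries on
# this page plus one benign placeholder value.
import re

# Autostart key suffixes used by the Trojans described on this page
# (compared case-insensitively against the exported key path).
AUTOSTART_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\policies\explorer\run",
    r"\software\microsoft\windows nt\currentversion\terminal server\install"
    r"\software\microsoft\windows\currentversion\run",
)
FIREWALL_LIST_SUFFIX = (r"\system\currentcontrolset\services\sharedaccess\parameters"
                        r"\firewallpolicy\standardprofile\authorizedapplications\list")
_VALUE_LINE = re.compile(r'^"(.*?)"\s*=\s*"(.*)"$')   # "name"="string data"


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\\\ is a backslash, \\" is a quote."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: data}} for the string values of a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = _VALUE_LINE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def _command_path(command: str) -> str:
    """Extract the executable path from Run data such as "C:\\x.exe" /arg or C:\\x.exe /arg."""
    command = command.strip()
    if command.startswith('"') and command.count('"') >= 2:
        return command[1:command.index('"', 1)]
    return command.split(" ")[0]


def find_persistence(keys: dict) -> list:
    """List autostart entries, marking those that also hold an enabled firewall exception."""
    firewall_enabled = set()
    for key, values in keys.items():
        if key.lower().endswith(FIREWALL_LIST_SUFFIX):
            for data in values.values():
                path, sep, rest = data.partition(":*:")   # path:*:Enabled:Display name
                if sep and rest.lower().startswith("enabled"):
                    firewall_enabled.add(path.lower())
    findings = []
    for key, values in keys.items():
        lower = key.lower()
        if not any(lower.endswith(s) for s in AUTOSTART_SUFFIXES):
            continue
        for name, data in values.items():
            path = _command_path(data)
            findings.append({"key": key, "name": name, "path": path,
                             "firewall_exception": path.lower() in firewall_enabled,
                             "policy_run_key": r"\policies\explorer\run" in lower,
                             "terminal_server_key": r"\terminal server\install" in lower})
    return findings


# Constructed sample export: the Yahos entries from this alert plus a benign
# placeholder value ("ctfmon.exe") to show an entry that is not flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Java developer Script Browse"="\"C:\\WINDOWS\\jusched.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Java developer Script Browse"="\"C:\\WINDOWS\\jusched.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
"Java developer Script Browse"="\"C:\\WINDOWS\\jusched.exe\""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\jusched.exe"="C:\\WINDOWS\\jusched.exe:*:Enabled:Java developer Script Browse"
'''

if __name__ == "__main__":
    for finding in find_persistence(parse_reg_export(SAMPLE_REG)):
        flag = "FIREWALL EXCEPTION" if finding["firewall_exception"] else ""
        print(finding["key"], "|", finding["name"], "->", finding["path"], flag)
```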

Command & Control (C&C) Server connection:

    Upon successful installation, it tries to connect to a remote server to receive further instruction:
    Remote Server: ptf.messenger-update.su

    screenshot

    screenshot

    This worm will also join the following IRC Channel to receive instruction:

    • #!gf!

    The screenshot below shows the IRC communication:

    screenshot

Backdoor Functionality:

  • Spread via instant messaging
  • Update itself
  • Remove itself
  • Download and execute files

Network Activity:

This worm may download files and updates from the following addresses:

  • 95.211.130.132
  • 212.95.32.52
  • rgtryhbgddtyh.biz
  • wertdghbyrukl.ch

Propagation:

This worm propagates via the following platforms:

    Instant Messaging Application:

    • AOL
    • MSN
    • Skype
    • Yahoo Messenger

      screenshot

      screenshot

    Social Networking site:

    • Facebook

Other System Modification:

Terminates the following services:

  • Microsoft Malware Protection Service – MsMpSvc
  • Windows AutoUpdate Service – wuauserv

SonicWALL Gateway AntiVirus provides protection against this worm via the following signatures:

  • GAV: Yahos.BA (Worm)
  • GAV: Yahos.BA_2 (Trojan)
  • GAV: Oficla_14 (Trojan)
  • GAV: Kryptik.EVL (Trojan)
  • GAV: Kryptik.CLM (Trojan)
  • GAV: Cetorp.P_3 (Backdoor)

screenshot

Microsoft Security Bulletins Coverage (Aug 10, 2010)

SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of August, 2010. A list of issues reported, along with SonicWALL coverage information follows:

MS10-047 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege

  • CVE-2010-1888 Windows Kernel Data Initialization Vulnerability
    Local elevation of privilege
  • CVE-2010-1889 Windows Kernel Double Free Vulnerability
    Local elevation of privilege
  • CVE-2010-1890 Windows Kernel Improper Validation Vulnerability
    Local denial of service

MS10-048 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege

  • CVE-2010-1887 Win32k Bounds Checking Vulnerability
    Local denial of service
  • CVE-2010-1894 Win32k Exception Handling Vulnerability
    Local elevation of privilege
  • CVE-2010-1895 Win32k Pool Overflow Vulnerability
    Local elevation of privilege
  • CVE-2010-1896 Win32k User Input Validation Vulnerability
    Local elevation of privilege
  • CVE-2010-1897 Win32k Window Creation Vulnerability
    Local elevation of privilege

MS10-049 Vulnerabilities in SChannel Could Allow Remote Code Execution

  • CVE-2009-3555 TLS/SSL Renegotiation Vulnerability
    This vulnerability allows an attacker to spoof an authenticated SSL client.
    There is no feasible method to discern malicious traffic from normal.
  • CVE-2010-2566 SChannel Malformed Certificate Request Remote Code Execution Vulnerability
    Attacks occur over an encrypted channel.

MS10-050 Vulnerability in Windows Movie Maker Could Allow Remote Code Execution

  • CVE-2010-2564 Movie Maker Memory Corruption Vulnerability
    There are no known public exploits targeting this vulnerability.

MS10-051 Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution

  • CVE-2010-2561 MSxml2.XMLHTTP.3.0 Response Handling Memory Corruption Vulnerability
    Unexpected HTTP responses may trigger a bug in Microsoft XML Core Services which may result in process flow diversion.

MS10-052 Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution

  • CVE-2010-1882 MPEG Layer-3 Audio Decoder Buffer Overflow Vulnerability
    There are no known public exploits targeting this vulnerability.

MS10-053 Cumulative Security Update for Internet Explorer

  • CVE-2010-1258 Event Handler Cross-Domain Vulnerability
    IPS 5184 – document.execCommand Method Invocation
  • CVE-2010-2556 Uninitialized Memory Corruption Vulnerability
    IPS 5157 – location.protocol Attribute Setting
  • CVE-2010-2557 Uninitialized Memory Corruption Vulnerability
    This is a logical flaw. Attacks targeting this vulnerability cannot be detected by IPS.
  • CVE-2010-2558 Race Condition Memory Corruption Vulnerability
    This is a logical flaw. Attacks targeting this vulnerability cannot be detected by IPS.
  • CVE-2010-2559 Uninitialized Memory Corruption Vulnerability
    This is a logical flaw. Attacks targeting this vulnerability cannot be detected by IPS.
  • CVE-2010-2560 HTML Layout Memory Corruption Vulnerability
    This is a logical flaw. Attacks targeting this vulnerability cannot be detected by IPS.

MS10-054 Vulnerabilities in SMB Server Could Allow Remote Code Execution

  • CVE-2010-2550 SMB Pool Overflow Vulnerability
    IPS 5235 – MS SMB Pool Overflow Attack Attempt
  • CVE-2010-2551 SMB Variable Validation Vulnerability
    A denial of service vulnerability exists in the way that Microsoft Server Message Block (SMB) Protocol software handles specially crafted SMB packets.
  • CVE-2010-2552 SMB Stack Exhaustion Vulnerability
    A denial of service vulnerability exists in the way that Microsoft Server Message Block (SMB) Protocol software handles specially crafted SMB compounded requests.

MS10-055 Vulnerability in Cinepak Codec Could Allow Remote Code Execution

  • CVE-2010-2553 Cinepak Codec Decompression Vulnerability
    There are no known public exploits targeting this vulnerability.

MS10-056 Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution

  • CVE-2010-1900 Word Record Parsing Vulnerability
    There are no known public exploits targeting this vulnerability.
  • CVE-2010-1901 Word RTF Parsing Engine Memory Corruption Vulnerability
    GAV Agent.EXP_5
    GAV Agent.EXP_6
    GAV Agent.EXP_7
  • CVE-2010-1902 MS Word RTF Parsing Buffer Overflow Attempt
    IPS 5127 – MS Word RTF Parsing Buffer Overflow Attempt
  • CVE-2010-1903 Word HTML Linked Objects Memory Corruption Vulnerability
    There are no known public exploits targeting this vulnerability.

MS10-057 Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution

  • CVE-2010-2562 Excel Memory Corruption Vulnerability
    There are no known public exploits targeting this vulnerability.

MS10-058 Vulnerabilities in TCP/IP Could Allow Elevation of Privilege

  • CVE-2010-1892 IPv6 Memory Corruption Vulnerability
    A denial of service vulnerability exists in TCP/IP processing in Microsoft Windows due to an error in the processing of specially crafted IPv6 packets with a malformed extension header.
  • CVE-2010-1893 Integer Overflow in Windows Networking Vulnerability
    Local elevation of privilege

MS10-059 Vulnerabilities in the Tracing Feature for Services Could Allow an Elevation of Privilege

  • CVE-2010-2554 Tracing Registry Key ACL Vulnerability
    Local elevation of privilege
  • CVE-2010-2555 Tracing Memory Corruption Vulnerability
    Local elevation of privilege

MS10-060 Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution

  • CVE-2010-0019 Microsoft Silverlight Memory Corruption Vulnerability
    IPS 5115 – MS Silverlight Memory Corruption S1
  • CVE-2010-1898 Microsoft Silverlight and Microsoft .NET Framework CLR Virtual Method Delegate Vulnerability
    A remote code execution vulnerability exists in the Microsoft .NET Framework that can allow a specially crafted Microsoft .NET application or a specially crafted Silverlight application to access memory, leading to arbitrary unmanaged code execution.

New Bredolab spam campaign (August 6, 2010)

SonicWALL UTM Research team discovered a wave of YouSendIt-themed spam involving a newer variant of the Bredolab Trojan in the last 24 hours. The spam emails arrive with a zip-archived attachment which contains the Bredolab Trojan executable.

The e-mail pretends to come from YouSendIt, an online file sharing service that lets users send, receive and track files on demand. This is the first time SonicWALL has observed the YouSendIt storage service being spoofed by the Bredolab authors while spamming a newer variant of the Trojan.

Attachment: YouSendIt_reader.zip (contains YouSendIt_reader.exe)

Subject: You have received a file from [removed]@[removed].com via YouSendIt. (The subject varies based on the from email address)

Email Body:
————————

Katelyn Goodman has sent you the following via YouSendIt

File attached to this letter.

YouSendIt, Inc. | Privacy Policy
1919 S. Bascom Ave., Campbell, CA 95008
————————

A sample email message looks like:

screenshot

The executable file inside the attachment looks like this:

screenshot

If the user opens the malicious attachment, it performs the following activities on the victim's machine:

  • Network Activity:
    • It downloads a file from 188.65.74.161 and renames it to _ex-68.exe
    • screenshot

    • It sends a request to 77.78.249.2
    • screenshot

    • It sends a SYN to 85.234.191.111:80 which is acknowledged by an ACK, possibly reporting the infected IP
  • It creates the following files
    • C:\WINDOWS\Temp\_ex-08.exe – Detected as GAV: Bredolab.SI (Trojan)
    • C:\WINDOWS\Temp\_ex-68.exe – Detected as GAV: FakeAlert.P (Trojan)
    • screenshot

  • It creates the following process in memory
    • C:\WINDOWS\Temp\_ex-08.exe
    • C:\WINDOWS\Temp\_ex-68.exe
    • (The process name is a randomized number in memory)

  • It creates the following registry entry, under the name "sniffer", to ensure infection on every system restart:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: C:\WINDOWS\Temp\_ex-08.exe
  • As part of the infection process it downloads and launches the file _ex-68.exe which is a fake AntiVirus product
    • It launches and displays fake infections
    • screenshot

    • When the user attempts to remove infections an activation screen is displayed

      screenshot

    • When the user clicks “Activate Security Tool” a screen is displayed asking for credit card and personal information

      screenshot

SonicWALL Gateway AntiVirus provides protection against this Bredolab Trojan variant with GAV: Bredolab.SI (Trojan) signature. [2,759,497 hits recorded in last 24 hours]

screenshot

Symantec AMS2 Remote Command Execution (Aug 5, 2010)

Symantec Alert Management System 2 (AMS2) is a component of the Symantec System Center console, Symantec AntiVirus Server, and the Symantec AntiVirus Central Quarantine Server. AMS2 listens for specific security-related events on a computer network and sends notifications as specified by the administrator. AMS2 starts multiple services on the system, including the Message System Service (MSGSYS.EXE) and the AMS2 Handler Manager Service (HNDLRSVC.EXE). The MSGSYS.EXE service on clients listens on TCP port 38292; it receives messages from the AMS server for different alert actions and forwards them to the HNDLRSVC.EXE service to perform the required action.

A design weakness exists in Symantec AMS2. Specifically, the vulnerable service does not perform any authentication to verify the sender of the alert actions. An unauthenticated remote attacker can exploit this vulnerability by sending a crafted packet to the MSGSYS.EXE service. Successful exploitation would allow the attacker to execute arbitrary commands with SYSTEM privileges.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 4815 Symantec AMS Intel Alert Handler Command Execution

Rise in Zeus spam campaigns (July 30, 2010)

Updated on August 02, 2010 11:30 AM PST

SonicWALL UTM Research team has observed an increase in spam campaigns involving new variants of the Zeus banking Trojan in the last 24 hours. These spam campaigns included two new themes: a Social Security annual statement pretending to come from the Social Security Administration, and a fraudulent credit card transaction report pretending to come from an ATM electronic report system.

SonicWALL has received more than 100,000 e-mail copies from these spam campaigns so far. The email messages in all of these campaigns carry a zip-archived attachment which contains the new variant of the Zbot Trojan executable. The sample e-mail format from each spam campaign is shown below:

Campaign #1 – Social Security Annual statement

Attachment: statement.zip (contains statement.exe)

Subject: Review your annual Social Security statement

Email Body:
————————
Due to possible calculation errors, your annual Social Security statement may contain errors.

Open attached file to review your annual Social Security statement.
————————

The email message looks like:

screenshot

Campaign #2 – Fraudulent Credit Card Transaction report

Attachment: report.zip (contains report.exe)

Subject: Possible Fraudulent Transaction

Email Body:
————————
Dear VISA card holder,

A recent review of your transaction history determined that your card was used at an ATM located in Peru, but for security reasons the requested transaction was refused. Please carefully review electronic report for your VISA card (attach to this letter)
————————

The email message looks like:

screenshot

Campaign #3 – Password Reset

Attachment: password.zip (contains password.exe)

Subject: Password Reset Confirmation

Email Body:
————————
Hello,

Because of the measures taken to provide safety to our clients, your password has been changed. You can find your new password in attached document.

Thanks,
————————

The email message looks like:

screenshot

The executable files inside the attachments look like:

screenshot

If the user downloads and executes the malicious executable inside the zip attachment, it performs the following activities:

  • Drops the following files:
    • (Application Data)\Adliudikz.exe – Detected as GAV: Zbot.ALYP (Trojan)
    • (Application Data)\Cutufymus.piz
  • Registry modification:
    • HKU\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = 0x00000000
    • HKU\Software\Microsoft\Windows\CurrentVersion\Run\{31F6212F-0693-C632-DA88-C26F74578F5F}: (Application Data)\Adliudikz.exe
  • Network activity:
    • Downloads an encrypted configuration file from a predetermined Zeus C&C domain zephehooqu.ru – GET /bin/koethood.bin
    • Sends information to a predetermined Zeus C&C domain jocudaidie.ru – POST /9xq/_gate.php
  • Deletes the original copy of the malware executable.
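The following is an added example, not SonicWALL code: a mail triage routine for the lure shared by the Ackantta, Bredolab and Zeus campaigns above (a zip attachment carrying an executable, sometimes with a padded name such as the Ackantta "document.doc … .exe"). It parses a message, opens each zip attachment and reads only each member's first two bytes, flagging executable extensions, PE (MZ) headers and double or whitespace-padded names. The sample messages, sender and recipient addresses and the padded member name are constructed stand-ins, not the real attachments; the subject fragments are taken from the campaigns on this page.

```python
# Added example (not SonicWALL code): triage a mail message for the lure used by
# the spam campaigns above (a zip attachment carrying an executable). The sample
# messages, addresses and the padded member name are constructed stand-ins.
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
# Subject fragments taken from the campaigns described on this page.
LURE_SUBJECT_FRAGMENTS = ("invited you to twitter", "via yousendit",
                          "social security statement", "fraudulent transaction",
                          "password reset confirmation")


def member_reasons(name: str, head: bytes) -> list:
    """Reasons a zip member should be treated as an executable dropper."""
    lower = name.lower()
    reasons = []
    if lower.endswith(EXECUTABLE_EXTENSIONS):
        reasons.append("executable extension")
    if head[:2] == b"MZ":
        reasons.append("PE image (MZ) regardless of name")
    if lower.count(".") > 1 or "  " in lower:      # e.g. document.doc        .exe
        reasons.append("double extension or whitespace-padded name")
    return reasons


def triage_message(raw: bytes) -> dict:
    """Parse one RFC 822 message and report zip attachments that carry executables."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg["subject"] or ""
    report = {"subject": subject, "attachments": [], "verdict": "allow",
              "lure_subject": any(f in subject.lower() for f in LURE_SUBJECT_FRAGMENTS)}
    for part in msg.iter_attachments():
        entry = {"name": part.get_filename() or "(unnamed)", "members": []}
        payload = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    with zf.open(info) as member:
                        head = member.read(2)      # only the magic, never the whole file
                    reasons = member_reasons(info.filename, head)
                    entry["members"].append({"name": info.filename,
                                             "size": info.file_size, "reasons": reasons})
                    if reasons:
                        report["verdict"] = "block"
        report["attachments"].append(entry)
    return report


def build_sample_eml(zip_name: str, member_name: str, subject: str,
                     member_bytes: bytes = b"MZ" + b"\0" * 62) -> bytes:
    """Construct a test message with one zip attachment (sample input, not a capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, member_bytes)
    m = EmailMessage()
    m["From"] = "invitations@example.invalid"     # constructed addresses
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content("To join or to see who invited you, check the attachment.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename=zip_name)
    return m.as_bytes()


# Constructed stand-ins for the attachments named in the campaigns above, plus
# one benign message that the triage should let through.
SAMPLES = [
    build_sample_eml("Invitation Card.zip", "document.doc" + " " * 8 + ".exe",
                     "Your friend invited you to Twitter!"),
    build_sample_eml("YouSendIt_reader.zip", "YouSendIt_reader.exe",
                     "You have received a file from someone via YouSendIt."),
    build_sample_eml("statement.zip", "statement.exe",
                     "Review your annual Social Security statement"),
    build_sample_eml("notes.zip", "notes.txt", "Meeting notes", b"plain text"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        r = triage_message(sample)
        print(r["verdict"], r["lure_subject"], r["subject"], r["attachments"])
```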

SonicWALL Gateway AntiVirus provided proactive protection against the above spam campaigns via the following signatures:

  • GAV: Zbot.PSQ (Trojan) [1,611,630 hits recorded in last 24 hours]
  • GAV: Suspicious#bredolab_3 (Trojan) [983,152 hits recorded in last 24 hours]

screenshot

screenshot

[Update – August 02, 2010] SonicWALL UTM Research team observed a big spike in the Zeus spam campaign over the weekend, and SonicWALL Gateway AntiVirus continued to provide proactive protection via the following signature:

  • GAV: Suspicious#bredolab_3 (Trojan) [15 million hits recorded in last 4 days]

screenshot