Fake McAfee E-mail protection tool – Banker Trojan (Apr 15, 2010)

SonicWALL UTM Research team discovered a new Banker Trojan spam theme involving fake McAfee E-mail Protection alerts. The e-mail in the instance we saw is in Portuguese and warns the user of a virus infection on the computer.

The e-mail pretends to arrive from McAfee E-Mail Protection and informs the user that the computer is infected with a virus, Worm/Delf.JBH, that is sending malicious e-mails to every contact found on the computer. It further warns that the e-mail account will be permanently blocked if the virus is not removed, and offers a fake McAfee E-mail Protection cleanup tool for download via a URL in the e-mail. Clicking the URL leads to the download of the new Banker Trojan variant.

The e-mail message looks like:

screenshot

screenshot

screenshot

The downloaded fake McAfee E-mail protection cleanup tool looks like:

screenshot

If the user runs the malicious executable file, it performs the following activities:

  • Downloads and executes two further malicious executables, both information-stealing Trojan variants:
    • www.te(REMOVED)di.com/union/u6.jpg => C:\sshs.exe [Detected as GAV: Delf_150 (Trojan)]
    • www.te(REMOVED)di.com/union/u7.jpg => C:\ksso.exe [Detected as GAV: Hupigon_804 (Trojan)]

    Both files are compressed with the PECompact v2 packer and are served under a .jpg extension so that the downloads look like images. The site hosting them appears to be compromised, as shown below:

    screenshot

  • The above executables harvest e-mail addresses and log other sensitive information on the victim machine, then send the stolen data via POST requests to a malicious domain.

SonicWALL Gateway AntiVirus provides protection against this Trojan via GAV: Banker.BXQ_3 (Trojan) signature.

Java Web Start Command-Line Injection (Apr 14, 2010)

A command-line injection vulnerability exists in Oracle's (formerly Sun's) Java Web Start (also known as JavaWS or javaws). JavaWS is a component of the Java 2 Runtime Environment (JRE) that facilitates deployment of Java applications over a network.

Web Start applications do not run inside the browser. Instead they run in their own process under the Java sandbox, which often imposes fewer restrictions than the browser. Information about a Web Start application is stored in a Java Network Launching Protocol (JNLP) file, and a JRE installation associates JNLP files with JavaWS by default. Since Java 6 Update 10, the JRE has shipped the Java Plugin and the Java Deployment Toolkit as NPAPI plug-ins and ActiveX controls, which give developers a way to distribute their Java applications to end users.

The command-line injection vulnerability is due to insufficient input validation of JNLP network paths. When the Java Plugin or the Java Deployment Toolkit is used to launch a Web Start application, each checks only that the supplied URL points to a network resource (a URL that starts with "http:" or "https:" is enough) and then invokes the JavaWS command-line utility with it. If the string -J appears inside the URL, the plug-in passes it through to the JavaWS utility as a command-line parameter. Since -J is the javaws prefix for handing an option to the underlying JVM, a URL that carries -J lets the page choose JVM options, bypassing the restrictions and executing arbitrary Java code outside the confines of the Java security sandbox. By enticing the target user to open a crafted HTML page, an attacker could exploit the vulnerability. Successful exploitation results in execution of arbitrary code within the security context of the logged-in user.

SonicWALL has released several IPS signatures to detect and block specific exploitation attempts targeting this vulnerability. The signatures are listed below:

  • 5026 Sun Java jnlp Command Injection Attempt 1
  • 5027 Sun Java jnlp Command Injection Attempt 2
  • 5031 Sun Java jnlp Command Injection Attempt 3
  • 5036 Sun Java jnlp Command Injection Attempt 4
  • 5086 Sun Java jnlp Command Injection Attempt 5
  • 5091 Sun Java jnlp Command Injection Attempt 6
  • 5093 Sun Java jnlp Command Injection Attempt 7

Bredolab DHL and Facebook Spam Campaigns (Dec 21, 2009)

SonicWALL UTM Research continues to observe the same social engineering tactic being used to spam new variants of Bredolab.

This new variant uses a DHL undelivered parcel e-mail spam campaign similar to the one covered in SonicAlert – Multiple Spam Waves – Bredolab.X. The new DHL campaign, which started on December 7, 2009, involves a fake e-mail message pretending to come from DHL Delivery Services. The e-mail informs the user that DHL was not able to deliver a parcel because of an error in the shipping address, and instructs the user to pick the parcel up at the post office after printing the attached shipping label. The attachment, however, is an executable file: the new variant of the Bredolab Trojan.

The other campaign the authors of this Trojan use is the Facebook password reset spam, which has continued since we covered it in SonicAlert – New social engineering tactics by Bredolab and ZBot. It still involves a fake e-mail message pretending to arrive from Facebook. It tells users that Facebook has taken measures to protect its clients, including resetting their password, and instructs them to retrieve the new password from the attached document, which is the new variant of the Bredolab Trojan.

Campaign #1 – DHL parcel service

Subject:

  • DHL Express Services. You need to get a parcel NR.[4-digit numeric number]
  • DHL Office. Please get your parcel NR.[4-digit numeric number]
  • DHL services. Please get your parcel NR.[5-digit numeric number]
  • DHL International. Get your parcel NR.[4-digit numeric number]
  • DHL Customer Services. Please get your parcel NR.[4-digit numeric number]

Attachment: DHL_Print_label_12454.zip (contains DHL_Print_label_12454.exe)

Email Body:
————————
Dear customer!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly.

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
DHL Delivery Services.
————————

The e-mail message looks like below:

screenshot

Campaign #2 – Facebook Password Reset spam

Subject:

  • Facebook Password Reset Confirmation! Customer Message
  • Facebook Password Reset Confirmation! Your Support
  • Facebook Password Reset Confirmation! Important Message
  • Facebook Password Reset Confirmation! Customer Support

Attachment: Facebook_Password_10493.zip (contains Facebook_Password_10493.exe)

Email Body:
————————
Hey [Facebook User]!

Because of the measures taken to provide safety to our clients, your password has been changed
You can find your new password in attached document.

Thank,
Your facebook.
————————

The e-mail message looks like below:

screenshot

The executable file inside the zip attachment has an icon disguised as a Microsoft Excel sheet file:

screenshot

screenshot

When executed, the Trojan performs the following host-level activity:

  • Drops a copy of itself as (Windows System Folder)\Startup\rarype32.exe (~36KB)
  • Deletes the original file
  • Injects its code into the winlogon.exe process; from there it connects to the dollardream.ru domain and downloads an encrypted configuration file.

The Trojan is also known as Mal/Bredo-A [Sophos] and TrojanDownloader:Win32/Bredolab.AB [Microsoft].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Bredolab.AA_6 (Trojan) signature. [13,428,256 hits recorded starting December 10, 2009].

screenshot

Novell Netware FTP Server BO (Apr 9, 2010)

The Novell Netware operating system provides file sharing and other services such as printing and email. Netware includes an FTP server which facilitates the transfer of files to and from Netware volumes. File transfers can be performed using a regular FTP client.

The initial connection to the FTP server forms the control stream, on which FTP service commands are passed from the client to the server and replies from the server to the client. A separate stream is used for the transfer of data.

FTP service commands define the file transfer or the file system function requested by a connected user. Some examples of FTP commands are listed:

  • CWD – to change the working directory
  • MKD – to create a directory
  • RMD – to delete a directory
  • LIST – to transfer a list of files in the current directory
  • NLST – to transfer a list of file names, one per line, separated by CRLF or NL characters

A buffer overflow vulnerability exists in the Novell Netware FTP service. The vulnerability is due to insufficient boundary checks when processing the MKD and RMD commands. The vulnerable code copies a user-supplied string into a fixed-size buffer without validating the length of the string. When an FTP user requests directory creation or removal with an overly long argument, the copy runs past the end of that buffer.

Exploitation of this vulnerability may divert the control flow of the vulnerable service. The service continues to operate after an unsuccessful code injection attempt, which gives an attacker multiple chances at the targeted host. Only authenticated users can attempt the attack, as the affected commands are available only after authentication.

SonicWALL already has existing signatures addressing this type of flaw that will detect and block attacks targeting this vulnerability. The following signatures are available:

  • 34 – MKD Command BO Attempt
  • 239 – RMD Command BO Attempt

This vulnerability has been assigned CVE-2010-0625 by Mitre. The vendor has released an advisory with a patch addressing this issue.
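The check that the MKD/RMD signatures listed above perform can be modelled on the control stream itself. The following Python script is an added example, not Novell's or SonicWALL's code: it parses client-side FTP command lines, tracks whether a USER/PASS exchange has been seen (so that an overlong argument after login, the only case the overflow is reachable in, can be told apart from one before it), and flags MKD or RMD arguments longer than a threshold. The 256-byte threshold is an assumption, since the page gives no figure, and the session it runs on is constructed.

```python
"""Flag overlong MKD/RMD arguments on an FTP control stream.

Added example, not Novell's or SonicWALL's code: a small model of what an
"MKD Command BO Attempt" / "RMD Command BO Attempt" style check looks for.
The 256-byte threshold is an assumption; the page gives no figure.
"""
import re

# Assumed threshold: well above path lengths seen in ordinary use, well below
# what an overflow attempt needs.
MAX_ARG_LEN = 256
WATCHED = {"MKD", "RMD", "XMKD", "XRMD"}  # XMKD/XRMD are the older spellings

_CMD_RE = re.compile(rb"^([A-Za-z]{3,4})(?:[ ](.*))?$")


def parse_command(line: bytes):
    """Split one control-stream line (CRLF stripped) into (verb, argument)."""
    line = line.rstrip(b"\r\n")
    m = _CMD_RE.match(line)
    if not m:
        return None, line
    verb = m.group(1).upper().decode("ascii")
    arg = m.group(2) or b""
    return verb, arg


def scan_stream(lines, max_arg_len=MAX_ARG_LEN):
    """Walk client->server lines and return a list of alerts.

    Each alert is (line_no, verb, arg_len, authenticated).  The overflow on
    the page is reachable only after login, so the flag is carried along
    rather than used to suppress the alert: an overlong MKD before login is
    still worth seeing, just at lower priority.
    """
    alerts = []
    authenticated = False
    for n, raw in enumerate(lines, 1):
        verb, arg = parse_command(raw)
        if verb == "USER":
            authenticated = False
        elif verb == "PASS":
            # Assumption: without the server's replies we treat PASS as success.
            authenticated = True
        if verb in WATCHED and len(arg) > max_arg_len:
            alerts.append((n, verb, len(arg), authenticated))
    return alerts


# Constructed sample session (not captured traffic).
SAMPLE = [
    b"USER alice\r\n",
    b"PASS s3cret\r\n",
    b"CWD /vol1/projects\r\n",
    b"MKD reports\r\n",
    b"MKD " + b"A" * 1200 + b"\r\n",   # overlong argument: the shape of the attack
    b"RMD " + b"B" * 700 + b"\r\n",
    b"QUIT\r\n",
]

if __name__ == "__main__":
    for line_no, verb, length, authed in scan_stream(SAMPLE):
        print(f"line {line_no}: {verb} argument of {length} bytes "
              f"(authenticated={authed})")
```

Run against a live capture, the same loop would be fed the client half of the control connection line by line; the server replies are not needed for the length check, only for a more exact login state than the PASS assumption above.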

New Storm Variant (June 27, 2008)

A new spam wave of Storm e-mails was discovered. The e-mail arrives with the subject "Re: Delivery Protection". The body of the message contains a link pointing to hxxp://www.slowinscy.pl/xxx/index1.php

Details are in the alert (PDF format).

Bredolab DHL and Facebook spam continues (Apr 9, 2010)

SonicWALL UTM Research team continued to monitor the Bredolab e-mail spam campaigns themed on the social networking site Facebook and the courier service DHL. E-mails from these campaigns started appearing early this morning and were still being sent at the time of writing this alert.

SonicWALL has already received more than 400,000 copies of e-mails from these campaigns. The messages in both campaigns carry a zip attachment containing the new variant of the Bredolab Trojan executable. A sample e-mail from each campaign is shown below:

Campaign #1 – DHL Services

Subject:

  • DHL Express Services. You need to get a parcel NR.[4-digit numeric number]
  • DHL Office. Please get your parcel NR.[4-digit numeric number]
  • DHL services. Please get your parcel NR.[5-digit numeric number]
  • DHL International. Get your parcel NR.[4-digit numeric number]
  • DHL Customer Services. Please get your parcel NR.[4-digit numeric number]

Attachment: DHL_package_1737.zip (contains DHL_package_1737.exe)

Email Body:
————————
Hello!

The courier service was not able to deliver your parcel at your address.
Cause: Mistake in address.

You may pickup the parcel at our post office personally.

The delivery advice is attached to this e-mail.
Print this label to get this package at our post office..

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
DHL Services
————————

The e-mail message looks like below:

screenshot

Campaign #2 – Facebook Password Reset spam

Subject:

  • Facebook Password Reset Confirmation NR.[4-digit numeric number]

Attachment: Facebook_password_1574.zip (contains Facebook_password_1574.exe)

Email Body:
————————
Hey [Facebook User]!

Because of the measures taken to provide safety to our clients, your password has been changed
You can find your new password in attached document.

Thanks,
The Facebook Team.
————————

The e-mail message looks like below:

screenshot

The executable file inside the zip attachment has an icon disguised as a Microsoft Word document file:

screenshot

Installation

    Drops DLL component files

Files Installed

  • All Users\Application Data\Microsoft\Windows\mspdb44.dll – [Bredolab.CL_2 (Trojan)]
  • system32\lgou.rlo – [GAV: Oficla.FO_2 (Trojan)]

Registry Changes

    Added Registry

  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    Value: LoadAppInit_DLLs
    Data: dword:00000001
  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    Value: RequireSignedAppInit_DLLs
    Data: dword:00000000

    Modified Registry

  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Value: Shell
    Original Data: “Explorer.exe”
    Modified Data: “Explorer.exe rundll32.exe lgou.rlo mrtiyyb”
  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    Value: AppInit_DLLs
    Original Data: “”
    Modified Data: “All Users\Application Data\Microsoft\Windows\mspdb44.dll”

Together these give the Trojan two persistence paths: the modified Shell value makes Winlogon start rundll32.exe with the dropped lgou.rlo alongside Explorer at every logon, and a DLL named in AppInit_DLLs is loaded into every process that loads user32.dll, with LoadAppInit_DLLs turning that mechanism on and RequireSignedAppInit_DLLs=0 removing the code-signing requirement for it.

SonicWALL Gateway AntiVirus provides protection against this Trojan via GAV: Bredolab.CL (Trojan), GAV: Bredolab.CL_2 (Trojan) and GAV: Oficla.FO_2 (Trojan)

screenshot

Trojan targeting Vietnamese Speakers (Apr 2, 2010)

SonicWALL UTM Research team observed a new Trojan targeting Vietnamese speakers, reported by Google here. The authors of this malware repackaged their binary together with VPSKeys, a legitimate application that provides Vietnamese keyboard support to Windows users.

Users who downloaded this keyboard driver may not be aware that it is a tampered version, since the VPSKeys installer and the malicious binary look the same apart from a discrepancy in file size.

screenshot

Screenshot of VPSKeys
screenshot

Installation

  • Copies itself to the %User%\Application Data folder and runs the copy.

Files Installed

  • %User%\Application Data\Java\jre6\bin\jucheck.exe – [Detected as GAV: VBbot.V (Trojan)]
  • %User%\Application Data\Java\jre6\bin\zf32.dll
  • %User%\Application Data\Vpskeys43.exe – [Detected as GAV: VulcanBot (Trojan)]
  • Program Files\Adobe\AdobeUpdateManager.exe – [Detected as GAV: VBbot.V (Trojan)]
  • Program Files\Adobe\zf32.dll
  • Program Files\Microsoft Office\Office11\OSA.exe – [Detected as GAV: VBbot.V (Trojan)]
  • Program Files\Windows Defender\MPClient.exe – [Detected as GAV: Dosvine_2 (Trojan)]
  • Program Files\Windows Defender\MPSvc.exe – [Detected as GAV: Dosvine_3 (Trojan)]
  • Program Files\Java\jre6\bin\jucheck.exe – [Detected as GAV: VBbot.V (Trojan)]
  • Program Files\Java\jre6\bin\zf32.dll
  • Program Files\Windows NT\Windows Update\wuauclt.exe – [Detected as GAV: VBbot.V (Trojan)]
  • Program Files\Windows NT\Windows Update\zf32.dll
  • %Windir%\system32\mscommon.inf
  • %Windir%\system32\msconfig32.sys
  • %Windir%\system32\zf32.dll
  • %Windir%\system32\Setup\AdobeUpdateManager.exe – [Detected as GAV: VBbot.V (Trojan)]
  • %Windir%\system32\Setup\jucheck.exe – [Detected as GAV: VBbot.V (Trojan)]
  • %Windir%\system32\Setup\MPClient.exe – [Detected as GAV: Dosvine_2 (Trojan)]
  • %Windir%\system32\Setup\MPSvc.exe – [Detected as GAV: Dosvine_3 (Trojan)]
  • %Windir%\system32\Setup\OSA.exe – [Detected as GAV: VBbot.V (Trojan)]
  • %Windir%\system32\Setup\wuauclt.exe – [Detected as GAV: VBbot.V (Trojan)]
  • %Windir%\system32\Setup\zf32.dll

The file names mimic legitimate Java (jucheck.exe), Adobe, Office (OSA.exe), Windows Update (wuauclt.exe) and Windows Defender components, so a process listing on an infected machine looks unremarkable; the paths, which differ from where the genuine files live, are the giveaway.

Registry Changes

    Added Registry

  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Value: Userinit
    Data: “C:\WINDOWS\System32\userinit.exe,C:\Program Files\Adobe\AdobeUpdateManager.exe”

    Added to run the binary as a service

  • Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jucheck
    Value: ImagePath
    Data: C:\Program Files\Java\jre6\bin\jucheck.exe

    Added to run the binary on every Windows startup

  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value: Adobe Update Manager
    Data: “C:\Program Files\Adobe\AdobeUpdateManager.exe”
  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value: Microsoft Office quick launch
    Data: “C:\Program Files\Microsoft Office\Office11\OSA.exe”
  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value: Windows Update Automatic Updates
    Data: “C:\Program Files\Windows NT\Windows Update\wuauclt.exe”
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Value: Adobe Update Manager
    Data: “C:\Program Files\Adobe\AdobeUpdateManager.exe”
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Value: Microsoft Office quick launch
    Data: “C:\Program Files\Microsoft Office\Office11\OSA.exe”
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Value: Windows Update Automatic Updates
    Data: “C:\Program Files\Windows NT\Windows Update\wuauclt.exe”

    Added to run the binary in Windows Safe Mode

  • Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\jucheck
    Value: @ (default)
    Data: “Service”
  • Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\jucheck
    Value: @ (default)
    Data: “Service”

    Modified Registry

  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Value: Userinit
    Original Data: “C:\WINDOWS\System32\userinit.exe,”
    Modified Data: “C:\WINDOWS\System32\userinit.exe,C:\Program Files\Adobe\AdobeUpdateManager.exe”

Process Created

  • jucheck.exe
  • AdobeUpdateManager.exe
  • MPsvc.exe
  • wuauclt.exe
  • OSA.exe

Network Activity

It tries to connect to the following domains:

  • adobe.ath.cx
  • blogspot.blogsite.org
  • google.homeunix.com
  • tyuqwer.dyndns.org
  • update-adobe.com
  • voanews.ath.cx
  • ymail.ath.cx

This malware is also known as W32/Vulcanbot [McAfee], Win32/VBbot.V [Microsoft] and VBbot.A [ESET].

SonicWALL Gateway AntiVirus provides protection against this Trojan via GAV: Vulcanbot (Trojan), GAV: Dosvine (Trojan), GAV: Dosvine_2 (Trojan), GAV: Dosvine_3 (Trojan) and GAV: VBBot.V (Trojan) signatures.

Social Engineering Attack Against Adobe Reader (Apr 01, 2010)

Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical hacking techniques.

Didier Stevens recently demonstrated how social engineering can entice an end user into letting Adobe Reader execute arbitrary code. The original blog post can be found here. Given the popularity of Adobe Reader, it is a good illustration of how social engineering attacks can affect daily life.

Adobe Reader does not allow embedded executables to be extracted and executed directly. To get around the restriction, the first step (on Windows) is to run cmd.exe, which a PDF can request through a Launch action (an /Action dictionary with /S /Launch). The only thing standing between the Launch action and a running cmd.exe is a warning dialog:

Reader shows the launch parameters inside that dialog. Using social engineering, the author replaced the warning text with a message of his own:

Once the targeted user clicks the “Open” button, cmd.exe is launched. From there it is up to the PDF author's creativity, as cmd.exe can be used to extract and run an executable embedded in the PDF file.

SonicWALL has released an IPS signature to detect and block PDF files utilizing launch action. The signature is listed below:

  • 4907 Suspicious Launch Action in PDF Document

Please note that since the Launch action is legitimate and defined in the PDF specification, the signature is set to low priority.
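A practitioner triaging PDF attachments wants to see what a Launch action would run before deciding whether the low-priority hit above matters. The Python script below is an added example, not from the page or from Didier Stevens' post: it finds /S /Launch actions in raw PDF bytes, pulls the target (/F) and parameters (/P) out of the action or its /Win dictionary, and marks targets such as cmd.exe as suspicious. The document it scans is hand-built and constructed for this example; the list of suspicious names is an assumption.

```python
"""Find Launch actions in a PDF and report what they would run.

Added example, not from the page or from Didier Stevens' post.  It inspects
raw, uncompressed object syntax only; objects packed into compressed object
streams (PDF 1.5+) or encrypted files need decoding first, so treat a clean
result as "nothing visible", not "nothing there".
"""
import re

# /S /Launch marks the action; the target lives in /F, or in the Windows
# specific /Win << /F ... /P ... >> dictionary.
_LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")
_WIN_RE = re.compile(rb"/Win\s*<<(.*?)>>", re.S)
_KEY_RE = re.compile(rb"/(F|P|D)\s*\(((?:\\.|[^\\)])*)\)", re.S)

# Names that should never be the target of a Launch action in a document
# that lands in an inbox.  Assumed list; extend to taste.
SUSPICIOUS_TARGETS = (b"cmd.exe", b"cmd", b"powershell", b"wscript", b"cscript")


def _unescape(s: bytes) -> bytes:
    # PDF literal-string escapes: \\, \(, \), \n, \r, \t are the common ones.
    return re.sub(rb"\\([\\()nrt])",
                  lambda m: {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(m.group(1), m.group(1)),
                  s)


def find_launch_actions(pdf: bytes):
    """Return a list of dicts, one per /Launch action found in the raw bytes.

    Each dict has 'offset', 'file', 'params' and 'suspicious'.
    """
    hits = []
    for m in _LAUNCH_RE.finditer(pdf):
        # Look at the dictionary around the match: back to the nearest '<<'
        # and forward to the next 'endobj' (good enough for hand-built objects).
        start = pdf.rfind(b"<<", 0, m.start())
        end = pdf.find(b"endobj", m.end())
        if start < 0:
            start = m.start()
        if end < 0:
            end = len(pdf)
        body = pdf[start:end]
        win = _WIN_RE.search(body)
        scope = win.group(1) if win else body
        fields = {k: _unescape(v) for k, v in _KEY_RE.findall(scope)}
        target = fields.get(b"F", b"")
        hits.append({
            "offset": m.start(),
            "file": target,
            "params": fields.get(b"P", b""),
            "suspicious": any(t in target.lower() for t in SUSPICIOUS_TARGETS),
        })
    return hits


# Constructed test document: one page whose OpenAction launches cmd.exe with a
# parameter string that doubles as the text shown in Reader's warning dialog.
# Built by hand so the example runs offline; not a sample from the page.
SAMPLE_PDF = b"""%PDF-1.1
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Action /S /Launch
   /Win << /F (cmd.exe) /P (/c echo click Open to view the document) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for hit in find_launch_actions(SAMPLE_PDF):
        flag = "SUSPICIOUS" if hit["suspicious"] else "launch"
        print(f"{flag} @ {hit['offset']}: {hit['file']!r} {hit['params']!r}")
```

Because the /P string is what the user sees in the warning dialog, printing it alongside the target is the quickest way to spot the social-engineering text the alert describes.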

ZBot IRS spam targeting Tax period (Mar 26, 2010)

SonicWALL UTM Research team observed a new wave of the previously seen fake IRS notice spam campaign starting yesterday, March 25, 2010, which takes advantage of the tax season to target users. US-CERT issued an alert about it this morning.

The email pretends to arrive from an irs.gov e-mail address and contains a URL to the fake notice. If the user clicks on this URL, it leads to a fake IRS page which prompts the user to download the new ZBot Trojan variant.

The e-mail looks like:

Subject: Notice of Underreported Income

Email Body:
————————
Taxpayer ID: [email handle-(14 digit random number)US] Tax Type: INCOME TAX
Issue: Unreported/Underreported Income (Fraud Application)

Please review your tax statement on Internal Revenue Service (IRS) website (click on the link below):

review tax statement for taxpayer id: [email handle-(14 digit random number)US] (<-- Malicious URL)

Internal Revenue Service
————————

The e-mail message looks like below:

screenshot

The site that opens up when user clicks on the URL inside the e-mail is shown below:

screenshot

As seen in the screenshot, the malicious site prompts the user to download and execute the IRS notice, which in reality is the malware executable, as seen here:

screenshot

The new ZBot variant performs the following activities upon execution:

  • Creates the mutex objects _AVIRA_2108 and _AVIRA_2109 to mark its presence on the system.
  • Attempts to download an encrypted configuration file via the following GET request:
    GET /cnf/shopinf.jpg HTTP/1.1
    Host: shopinfmaster.com
  • Creates the following files:
    • (Windows_System)\lowsec\local.ds
    • (Windows_System)\lowsec\user.ds
    • (Windows_System)\lowsec\user.ds.lll
    • (Windows_System)\sdra64.exe (copy of itself)

  • Ensures that it runs every time Windows restarts by modifying the following registry entry, so that Winlogon starts sdra64.exe alongside the genuine userinit.exe at each logon:
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: “(Windows_System)\userinit.exe,(Windows_System)\sdra64.exe,”

The Trojan is also known as PWS:Win32/Zbot.gen!R [Microsoft] and Packed.Win32.Krap.ae [Kaspersky].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Zbot.YP_7 (Trojan) signature.
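The Winlogon Userinit change above, the Userinit and Run-key changes in the Vulcanbot alert, and the Shell and AppInit_DLLs changes in the Bredolab alert are all visible in a plain registry export. The Python script below is an added example, not from the page: it parses .reg export text (what `reg export` writes) and reports a Shell value that is not just Explorer.exe, Userinit entries other than system32\userinit.exe, and AppInit_DLLs injection with the signing check turned off. The export it runs on is constructed from the values those alerts list, with the backslashes restored; the HKLM Winlogon entry uses the ZBot value with (Windows_System) taken as C:\WINDOWS\system32.

```python
"""Check Winlogon / AppInit persistence values for the modifications described
in the Bredolab, Vulcanbot and ZBot alerts on this page.

Added example, not from the page.  It works on text in .reg export format so
it runs offline; the sample below is constructed from the alerts' values.
"""
import re

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_VAL_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))\s*$')


def parse_reg(text: str):
    """Return {key: {value_name: data}} for string and dword values (names lowercased)."""
    out, key = {}, None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            out.setdefault(key, {})
            continue
        m = _VAL_RE.match(line)
        if m and key is not None:
            name, s, d = m.groups()
            # .reg files double every backslash in string data; undo that.
            out[key][name.lower()] = int(d, 16) if d is not None else s.replace("\\\\", "\\")
    return out


def check_persistence(reg: dict):
    """Return a list of (key, value, reason) findings."""
    findings = []
    for key, values in reg.items():
        if key.endswith(r"\winlogon"):
            shell = values.get("shell")
            # Expected: exactly "Explorer.exe".  Anything appended (e.g. rundll32.exe
            # <dll> <export>, as Bredolab does) runs at every logon.
            if shell is not None and shell.strip().lower() != "explorer.exe":
                findings.append((key, "Shell", f"extra program(s): {shell!r}"))
            userinit = values.get("userinit")
            if userinit is not None:
                # Comma separated; a trailing comma is normal, so empty items are dropped.
                parts = [p.strip() for p in userinit.split(",") if p.strip()]
                extra = [p for p in parts if not p.lower().endswith(r"system32\userinit.exe")]
                if extra:
                    findings.append((key, "Userinit", f"extra program(s): {extra}"))
        if key.endswith(r"\windows nt\currentversion\windows"):
            dlls = values.get("appinit_dlls", "")
            if dlls.strip():
                findings.append((key, "AppInit_DLLs",
                                 f"DLL loaded into every process that loads user32.dll: {dlls!r}"))
            if values.get("loadappinit_dlls") == 1 and values.get("requiresignedappinit_dlls") == 0:
                findings.append((key, "RequireSignedAppInit_DLLs",
                                 "AppInit loading enabled with the signature check turned off"))
    return findings


# Constructed export reproducing the post-infection values from the alerts.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe rundll32.exe lgou.rlo mrtiyyb"
"Userinit"="C:\\WINDOWS\\System32\\userinit.exe,C:\\Program Files\\Adobe\\AdobeUpdateManager.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\sdra64.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="All Users\\Application Data\\Microsoft\\Windows\\mspdb44.dll"
"LoadAppInit_DLLs"=dword:00000001
"RequireSignedAppInit_DLLs"=dword:00000000
"""

if __name__ == "__main__":
    for key, value, reason in check_persistence(parse_reg(SAMPLE_REG)):
        print(f"{key}\\{value}: {reason}")
```

On a live host the same checks apply to the output of `reg export` for the two keys; the Run-key entries in the Vulcanbot alert need a different test (path not under a real vendor directory) and are deliberately left out here.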

SAP GUI Arbitrary Command Execution (Mar 25, 2010)

A command execution vulnerability exists in the SAPBExCommonResources ActiveX control shipped with SAP GUI. SAP GUI is the client tier of SAP's three-tier architecture. When SAP GUI is installed on Windows, an ActiveX control is registered with CLSID “A009C90D-814B-11D3-BA3E-080009D22344” and ProgID “SAPBExCommonResources.BExGlobal”. It can be instantiated in a web page with the <object> tag or via scripting.

One of the methods exposed in SAPBExCommonResources.BExGlobal ActiveX control is Execute. The method is defined as follows:

Int32 Execute(String, String, String, Int32, String, SAPBExCommonResources_3_6.tShowWindow)

When the Execute method is invoked, the control runs the command given in its first parameter on the web client. By enticing the target user to open a crafted HTML page, an attacker could exploit the vulnerability, resulting in execution of arbitrary commands within the security context of the logged-in user.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 3540 SAP GUI SAPBExCommonResources ActiveX Control Execute Invocation
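Both this alert and the Java Web Start alert earlier on the page describe a crafted HTML page as the delivery vehicle, and both leave a recognisable trace in the page text: a JNLP launch URL with a -J token in it, and the SAP control's CLSID or ProgID next to a call to Execute. The Python script below is an added example, not SonicWALL's signature logic or vendor code, that looks for those two traces in page content. The CLSID and ProgID come from the alert above; the regular expressions, the deployJava.launch call form in the first sample page and the command string in the second are assumptions made for the constructed test pages.

```python
"""Flag HTML/JavaScript that reaches for the two client-side weaknesses above:
a JNLP launch URL carrying javaws "-J" options, and the SAP GUI
SAPBExCommonResources.BExGlobal control's Execute method.

Added example, not SonicWALL signature logic or vendor code.  The regexes are
assumptions about what a crafted page would contain; the CLSID and ProgID
come from the SAP GUI alert on this page.
"""
import re

SAP_CLSID = "A009C90D-814B-11D3-BA3E-080009D22344"
SAP_PROGID = "SAPBExCommonResources.BExGlobal"

# An http(s) URL, as it would appear in an attribute or a JS string, that has
# a whitespace-separated "-J" token after the path.  Space is what javaws
# splits on; %20 or + is what a browser would send, so all three are matched.
_JNLP_J_RE = re.compile(r"""https?:[^\s"'<>]*?(?:\s|%20|\+)-J[^\s"'<>]*""", re.I)

# Control instantiation by CLSID or ProgID, then any .Execute( call.
_SAP_CTRL_RE = re.compile(re.escape(SAP_CLSID) + "|" + re.escape(SAP_PROGID), re.I)
_SAP_EXEC_RE = re.compile(r"\.Execute\s*\(", re.I)


def scan_html(html: str):
    """Return a list of (rule, evidence) tuples found in the page text."""
    findings = []
    for m in _JNLP_J_RE.finditer(html):
        findings.append(("jnlp-dash-J", m.group(0)))
    ctrl = _SAP_CTRL_RE.search(html)
    # The control on its own is what any SAP GUI page may embed; only the
    # combination with an Execute call is reported.
    if ctrl and _SAP_EXEC_RE.search(html):
        findings.append(("sap-bexglobal-execute", ctrl.group(0)))
    return findings


# Constructed pages (not taken from real attacks): one per rule, one benign.
# deployJava.launch() is the Deployment Toolkit's JNLP launcher; using it here
# is an assumption about how a crafted page would hand the URL to the plug-in.
JNLP_PAGE = ('<html><body><script src="http://java.example.test/deployJava.js">'
             '</script><script>deployJava.launch('
             '"http://app.example.test/demo.jnlp -J-Dsample=1");</script></body></html>')
SAP_PAGE = ('<object id="bex" classid="clsid:' + SAP_CLSID + '"></object>'
            '<script>bex.Execute("someprogram.exe", "", "", 0, "", 1);</script>')
BENIGN_PAGE = '<a href="http://app.example.test/demo.jnlp">Launch the demo</a>'

if __name__ == "__main__":
    for name, page in (("jnlp", JNLP_PAGE), ("sap", SAP_PAGE), ("benign", BENIGN_PAGE)):
        print(name, scan_html(page))
```

The JNLP rule keys on the -J token rather than on any particular payload, which is what the alert describes as the root cause; the SAP rule requires both the control and an Execute call so that ordinary SAP GUI web content that merely embeds the control is not reported.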
