Facebook Password Reset spam continues (Mar 19, 2010)

SonicWALL UTM Research team continued to monitor the email spam campaign themed around the popular social networking website Facebook. This campaign is not as large, in terms of the volume of spammed emails, as the one we covered in SonicAlert – New Bredolab spam campaigns.

The email pretends to come from Facebook, tells the user that their password has been changed and instructs them to open the attachment to receive the new password. As in previous campaigns, the email carries a zip-archived attachment containing an executable file. The sample e-mail format is shown below:

Campaign: Facebook Password Reset file spam

Attachment: Facebook_password_346.zip (contains Facebook_password_346.exe)

Subject: Facebook Password Reset Confirmation! Important Message

Email Body:
————————
Dear user of facebook,

Because of the measures taken to provide safety to our clients, your password has been changed. You can find your new password in attached document.

Thanks,
Your Facebook.

————————

The email message looks like below:

screenshot

The malicious executable attachment uses an icon resembling an MS Word document to lure users into opening it. The file looks like this:

screenshot

If the user downloads and executes the attached malicious file, it performs the following activities:

Installation:

  • Drops a DLL file nnfj.tqo (20,480 bytes) in the %System% directory and runs it.
  • The dropped DLL file looks like this:

    screenshot

Registry Changes:

    The DLL file modifies the following registry entry to ensure that it starts on every system reboot:

    Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] Value: “Shell”
    Original Data: “Explorer.exe,”
    Modified Data: “Explorer.exe rundll32.exe nnfj.tqo nhemkk”

Remote Connection:

    The DLL tries to connect to the remote URL http://funnylive201(REMOVED)/bb.php and may download additional malware.

Facebook is already aware of this email spam and has issued a warning on their website.

This Trojan is also known as Oficla.M [Microsoft], Oficla.EV [ESET], and Mal/FakeAV-BW [Sophos].

SonicWALL Gateway AntiVirus provides protection against this spam campaign via the following signatures:

  • GAV: Suspicious#fakeav_2 (Trojan) [673,532 hits recorded starting March 02, 2010]
  • GAV: Oficla.M_2 (Trojan)

screenshot

Opera Browser Content Length Buffer Overflow (Mar 18, 2010)

Opera is a web browser and Internet suite developed by the Opera Software Company. The browser handles common Internet-related tasks such as rendering web pages, sending and receiving e-mail, chatting on IRC and downloading files.

Hypertext Transfer Protocol (HTTP) is one of the most popular web browsing protocols used on the Internet. It can be processed by any web browser, including Opera. HTTP is a client/server protocol, and an HTTP session is composed of a sequence of network request-response transactions. Basically, an HTTP client initiates a request by establishing a TCP connection to a particular port on a host (typically port 80) and sends a request message. The HTTP server listening on that port responds with a status line upon receiving the request message. For example, a client sends the following request:

    GET /index.html HTTP/1.1
    HOST: 10.0.0.1
    ...

and a server will respond with a response similar to:

    HTTP/1.0 200 OK
    Date: Mon, Mar 15, 2010 13:32:12 GMT
    Content-Type: text/html
    Content-Length: 1022
    ...

In the preceding example the size of the content being transferred, “1022” bytes, is defined by the HTTP header Content-Length. This method of transfer is useful for cases when content is pre-computed and is ready to send as a single response.

A buffer-overflow vulnerability exists in Opera. Specifically, the HTTP Content-Length header is incorrectly handled. Opera uses the sscanf function to read the Content-Length value as a signed 64-bit integer. If the Content-Length is manipulated carefully, it can lead to a heap buffer overflow in the vulnerable Opera code. A remote attacker can use this vulnerability to entice a user and execute arbitrary code on the target client.
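The root cause above is a lenient numeric parse of a header that is later used as an allocation size. The following Python snippet is an added example (not Opera code and not part of the original alert) showing what a strict Content-Length parser looks like from the defender's side: only plain decimal digits are accepted, so a sign character or a value that would not fit the target type is rejected before it can reach an allocator, and duplicate headers are reported rather than silently picked. The policy limit MAX_BODY_BYTES and the sample responses are assumptions constructed for the example.

```python
import re

# Largest body a client is willing to accept in one response. This is an
# assumed policy value for the example, not a value taken from Opera.
MAX_BODY_BYTES = 1 << 31

# Plain decimal digits only: no sign, no whitespace inside, no hex, no exponent.
_CONTENT_LENGTH_RE = re.compile(r"^[0-9]{1,19}$")


def parse_content_length(value):
    """Strictly parse a Content-Length header value.

    Returns the length as an int, or raises ValueError. A sscanf("%lld")-style
    parse would happily accept "-1" or "+5" and silently overflow on long
    digit strings; both cases are rejected here before any buffer is sized.
    """
    value = value.strip()
    if not _CONTENT_LENGTH_RE.fullmatch(value):
        raise ValueError("Content-Length is not a plain decimal integer: %r" % value)
    length = int(value)
    if length > MAX_BODY_BYTES:
        raise ValueError("Content-Length %d exceeds policy limit %d" % (length, MAX_BODY_BYTES))
    return length


def is_valid_content_length(value):
    """Boolean convenience wrapper around parse_content_length()."""
    try:
        parse_content_length(value)
        return True
    except ValueError:
        return False


def check_response_headers(raw_response):
    """Inspect the header block of a raw HTTP response (bytes).

    Returns (status, content_length): status is "ok", "absent" when there is
    no Content-Length, "duplicate" when it appears more than once, or
    "invalid" when the value does not pass parse_content_length().
    """
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")[1:]  # drop the status line
    values = [ln.split(":", 1)[1] for ln in lines if ln.lower().startswith("content-length:")]
    if not values:
        return ("absent", None)
    if len(values) > 1:
        return ("duplicate", None)
    try:
        return ("ok", parse_content_length(values[0]))
    except ValueError:
        return ("invalid", None)


# Constructed sample responses (not captured traffic).
SAMPLE_OK = (b"HTTP/1.0 200 OK\r\nDate: Mon, 15 Mar 2010 13:32:12 GMT\r\n"
             b"Content-Type: text/html\r\nContent-Length: 1022\r\n\r\n")
SAMPLE_NEGATIVE = b"HTTP/1.0 200 OK\r\nContent-Length: -1\r\n\r\n"
SAMPLE_DUPLICATE = b"HTTP/1.0 200 OK\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\n"

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("negative", SAMPLE_NEGATIVE),
                         ("duplicate", SAMPLE_DUPLICATE)):
        print(name, check_response_headers(sample))
```

The upper bound is deliberately far below what a 64-bit integer can hold: the question a client should ask is not "does this fit in the type" but "is this a size I am prepared to allocate".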

SonicWALL UTM team has researched this vulnerability and created two IPS signatures to prevent attack attempts targeting this issue:

  • 4873 Opera Browser Content Length BO Attempt 1
  • 4878 Opera Browser Content Length BO Attempt 2

No Common Vulnerabilities and Exposures (CVE) identifier has been assigned to this vulnerability.

Rise in Rogue Antivirus Black hat SEO campaign (Mar 11, 2010)

SonicWALL UTM Research team recently monitored a large spike in the Rogue Antivirus Black hat Search Engine Optimization (SEO) campaign targeting Google hot search terms. More details about Rogue Antivirus using SEO to infect users can be found here.

The spike was observed during the weekend of the 82nd Annual Academy Awards, a highly anticipated event that draws huge public interest in searching for related news. This SEO poisoning trend targeting Oscar-related searches continued until March 10, 2010.

The following Oscar-related search terms, which featured in the Top 20 hot searches, were among the most targeted:

  • “printable oscar ballot”
  • “academy awards 2010 time”
  • “oscar ballot 2010 printable”
  • “oscars 2010 date and time”
  • “what time does the oscars start”
  • “oscars 2010 tv schedule”
  • “oscars channel”
  • “what time do the oscars start 2010”
  • “sandra bullock oscar acceptance speech”
  • “elinor burkett oscars”
  • “oscar winners 2010 list”
  • “judd nelson oscars”
  • “sean penn oscars 2010”
  • “worst dressed oscars 2010”
  • “john hughes oscar tribute video”

The graph below highlights the spike observed since the weekend of March 6 – 7, 2010:

screenshot

SonicWALL Gateway AntiVirus (GAV) provides protection against these malicious websites serving Rogue AV via the GAV: FakeAV#html_16 (Trojan) and GAV: FakeAV#html_17 (Trojan) signatures. SonicWALL GAV customers were protected against this recent spike, as evident from the signature hits below:

screenshot

screenshot

MS IE Invalid Pointer Vulnerability (Mar 10, 2010)

Microsoft Internet Explorer is one of the most popular web browsers on the Internet. Internet Explorer is capable of rendering both static and dynamic web content, such as DHTML. It can also be used to download files, play multimedia content and open different file formats using various plug-ins.

Dynamic HTML, or DHTML, is an umbrella term for a collection of technologies used together to create interactive and animated web sites by using a combination of a static markup language (such as HTML), a client-side scripting language (such as JavaScript), a presentation definition language (such as CSS), and the Document Object Model.

“DHTML behaviors” is a DHTML feature supported by Internet Explorer. It enhances an HTML element’s default behavior, for example by showing a different icon when the mouse hovers over the element. DHTML behaviors can be applied to an HTML element via scripting or via Cascading Style Sheets (CSS). For example:

    h3 { behavior: url(#default#userData); }
    obj.style.behavior = "url('#default#userData')";
    object.addBehavior("#default#userData");

The userData behavior shown above is one of the DHTML behaviors. It persists information across sessions by writing to a UserData store, a data structure that is more dynamic and has a greater capacity than cookies. With the userData behavior attached to an object, the default DHTML setAttribute and getAttribute methods are overridden by the class CPersistUserData to provide access to the userData store on the client machine. These methods store and retrieve the persisted data.

A remote code execution vulnerability exists in Microsoft Internet Explorer. The flaw is due to an error in the CPersistUserData::setAttribute() method. When an HTML object is assigned the #default#userData behavior, the vulnerable code overrides the default setAttribute method with CPersistUserData::setAttribute(). When setAttribute is invoked with a specific parameter, the vulnerable code stores the result and frees the object. When Internet Explorer reloads the page or navigates to another page, it calls a method on the freed object, which may allow remote attackers to inject and execute arbitrary code.

SonicWALL UTM team has researched this vulnerability and created two IPS signatures to detect attack attempts targeting this issue, as below:

  • 4836 MS IE Invalid Pointer Remote Code Execution Attempt 1
  • 4837 MS IE Invalid Pointer Remote Code Execution Attempt 2

SonicWALL UTM team has also released WAF signatures on SSLVPN devices, as below:

  • 1208 MS IE Invalid Pointer Remote Code Execution Attempt 1
  • 1209 MS IE Invalid Pointer Remote Code Execution Attempt 2

This vulnerability is referenced by Common Vulnerabilities and Exposures (CVE) as CVE-2010-0806. The vendor, Microsoft, has also released Microsoft Security Advisory (981374).

IBM IDS librpc.dll Buffer Overflow (Mar 5, 2010)

IBM Informix is a family of relational database management system (RDBMS) products. Informix Dynamic Server (IDS) is an online transaction processing data server. Numerous RPC services included in IDS are provided through the Portmapper facility. Portmapper is a service that runs on many Unix-based operating systems for the purpose of mapping SunRPC program numbers to network addresses. The portmapper protocol uses the SunRPC message format, which includes an authentication mechanism. The RPC header has the following structure:

    Offset  Size  Description
    ------  ----  -----------------------------------------------------
    0x00    4     XID
    0x04    4     Message Type: Call (0)
    0x08    4     RPC Version: 2
    0x0C    4     Program: Portmap (100000)
    0x10    4     Program Version: 2
    0x14    4     Procedure
    0x18    4     Credentials - Flavor
    0x1C    4     Credentials - Length
    0x20    x     Credentials - Structure

The layout of the Credentials Structure depends on the value of the Credentials Flavor. Informix uses a proprietary Credentials Flavor identified by the value 0x753D. The structure of this proprietary authentication mechanism is not fully known; however, it is apparent that at least one string parameter, preceded by a value denoting its length, is expected.

There is a heap buffer overflow vulnerability in the RPC library of the IBM Informix portmapper module, librpc.dll. The vulnerability is due to improper boundary checking of the string parameter in the Informix-flavor credentials structure.

The vulnerable function checks the length of the included string against a maximum value. If the string length is larger than the maximum, it is incremented by a fixed value and used as the size of the buffer to be allocated. A copy operation then copies the entire string into the allocated buffer. If the supplied string length value is large enough that the increment wraps the integer around, an insufficient buffer is allocated, and critical memory is overwritten by the string copy operation.

An attacker can craft a malicious Portmapper RPC message that exploits this flaw, leading to remote code execution in the context of the service.
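As an added example (not IBM's code and not part of the original alert), the Python below parses the fixed SunRPC call header laid out in the table above and applies the two boundary checks that the vulnerable function omits: the declared credentials length must fit inside the message that actually arrived, and the declared string length must fit inside the credentials body and under a sane maximum. Only the header layout and the 0x753D flavor value come from the alert; the maximum string length, the helper that assembles sample messages, and the sample messages themselves are assumptions constructed for the example.

```python
import struct

PORTMAP_PROGRAM = 100000
INFORMIX_AUTH_FLAVOR = 0x753D   # proprietary flavor value named in the alert
RPC_HEADER_LEN = 0x20           # fixed part up to and including Credentials - Length


def parse_rpc_call(data):
    """Parse the fixed SunRPC call header (eight big-endian 32-bit fields)."""
    if len(data) < RPC_HEADER_LEN:
        raise ValueError("message shorter than the fixed RPC header")
    (xid, msg_type, rpc_version, program, version, procedure,
     cred_flavor, cred_length) = struct.unpack("!8I", data[:RPC_HEADER_LEN])
    return {
        "xid": xid, "msg_type": msg_type, "rpc_version": rpc_version,
        "program": program, "version": version, "procedure": procedure,
        "cred_flavor": cred_flavor, "cred_length": cred_length,
        # Whatever credential bytes are really present; may be shorter than declared.
        "cred_body": data[RPC_HEADER_LEN:RPC_HEADER_LEN + cred_length],
    }


def informix_credential_issue(data, max_string_len=256):
    """Return a reason string if Informix-flavor credentials fail a sanity check, else None.

    max_string_len is an assumed policy value for this example, not the
    maximum used by librpc.dll.
    """
    hdr = parse_rpc_call(data)
    if hdr["cred_flavor"] != INFORMIX_AUTH_FLAVOR:
        return None  # other flavors are out of scope here
    if len(hdr["cred_body"]) < hdr["cred_length"]:
        return "credentials length %d exceeds message size" % hdr["cred_length"]
    if hdr["cred_length"] < 4:
        return "credentials too short to hold a string length field"
    (string_len,) = struct.unpack("!I", hdr["cred_body"][:4])
    # Check against the bytes present before any arithmetic is done on the length,
    # so a value chosen to wrap an increment never reaches an allocator.
    if string_len > hdr["cred_length"] - 4:
        return "string length %d exceeds credentials body" % string_len
    if string_len > max_string_len:
        return "string length %d exceeds maximum %d" % (string_len, max_string_len)
    return None


def build_call(flavor, cred_body, xid=1):
    """Assemble a Portmap call with the given credentials (helper for constructed samples)."""
    fixed = struct.pack("!8I", xid, 0, 2, PORTMAP_PROGRAM, 2, 0, flavor, len(cred_body))
    return fixed + cred_body


# Constructed samples: a consistent Informix credential, and one whose
# declared string length far exceeds the bytes that follow it.
SAMPLE_OK = build_call(INFORMIX_AUTH_FLAVOR, struct.pack("!I", 5) + b"admin" + b"\x00" * 3)
SAMPLE_OVERSIZED = build_call(INFORMIX_AUTH_FLAVOR, struct.pack("!I", 0xFFFFFFF0) + b"A" * 16)

if __name__ == "__main__":
    print("ok sample:", informix_credential_issue(SAMPLE_OK))
    print("oversized sample:", informix_credential_issue(SAMPLE_OVERSIZED))
```

The ordering of the checks is the point: every length is compared against what is physically in the buffer before it is used in any addition or allocation, which is exactly the step whose absence lets the increment wrap.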

SonicWALL has an IPS signature deployed which detects and blocks generic attacks targeting the Portmapper service. The following IPS signature is effective protection against attacks targeting this vulnerability:

  • 2068 – Novell NetWare Portmapper BO Attempt

This vulnerability has been assigned the id CVE-2009-2753 by Mitre.

New Pushbot worm variant (Mar 2, 2010)

SonicWALL UTM Research team received reports of a new variant of the Pushbot worm spreading in the wild. This worm generally spreads through MSN Messenger and includes an IRC-based backdoor capability to receive instructions from a remote server.

The new variant adds Yahoo Messenger as a propagation vector and sends localized messages based on the target user's system language settings.

Installation:

  • Copies itself as winmbu.exe in the %windir% directory.
  • Creates a mutex (SN5JSN868L) to ensure that only one instance of the application runs in the system.

The dropped file looks like this:

screenshot

Registry Changes:

    It modifies the following registry entry to ensure that the dropped copy of the malware starts on every system reboot:

    Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] Value: “Userinit”
    Original Data: “C:\WINDOWS\system32\userinit.exe,”
    Modified Data: “C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\winmbu.exe,”

    Adds the following registry entry to allow itself through firewall restrictions:

    Key: [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] Value: “C:\WINDOWS\winmbu.exe”
    Data: “C:\WINDOWS\winmbu.exe:*:Enabled:Userinit”

Command & Control (C&C) Server connection:

    Upon successful installation, it tries to connect to a remote IRC server to receive further instructions:
    IRC Server: buri.burimche.net
    Port: 1234/tcp

    Backdoor Functionality:

    • Spread via instant messaging
    • Update itself
    • Remove itself
    • Download and execute files

IM Propagation:
This worm checks the system language settings of the target machine to determine which localized message to send to all the contacts.

    Localized languages used:

    • Czech
    • Danish
    • Dutch
    • English
    • Finnish
    • French
    • German
    • Italian
    • Norwegian
    • Polish
    • Portuguese
    • Romanian
    • Slovak
    • Spanish
    • Turkish

    Messages:

    • seen this?? 😀 [Malicious URL Link]
    • look at this picture 😀 [Malicious URL Link]
    • poglej to fotografijo 😀 [Malicious URL Link]
    • pogled na ovu fotografiju 😀 [Malicious URL Link]
    • min bild 😀 [Malicious URL Link]
    • foto 😀 [Malicious URL Link]
    • to fotografiu 😀 [Malicious URL Link]
    • uita-te la aceasta fotografie 😀 [Malicious URL Link]
    • kuvaa 😀 [Malicious URL Link]
    • bu resmi bakmak 😀 [Malicious URL Link]
    • olhar para esta foto 😀 [Malicious URL Link]
    • spojrzec na to zdjecie 😀 [Malicious URL Link]
    • dette bildet 😀 [Malicious URL Link]
    • pet 😀 [Malicious URL Link]
    • dette billede 😀 [Malicious URL Link]
    • vejte se na mou fotku 😀 [Malicious URL Link]
    • guardare quest’immagine 😀 [Malicious URL Link]
    • bekijk deze foto 😀 [Malicious URL Link]
    • schau mal das foto an 😀 [Malicious URL Link]
    • regardez cette photo 😀 [Malicious URL Link]

    A sample instant message sent by the worm looks like:

    screenshot

    SonicWALL Gateway AntiVirus provides protection against this worm via GAV: Pushbot.QM (Trojan) and GAV: Downloader.JMVS (Trojan) signatures.

Symantec cliproxy ActiveX Control BO (Feb 26, 2010)

Symantec Antivirus and Symantec Client Security are applications designed to protect against viruses, malware and other intrusion attempts. These applications use the Microsoft Windows COM framework to implement some of their functionality. This is done with ActiveX controls contained in the linked library Cliproxy.dll. The library provides the ActiveX control cliproxy.objects, which has the clsid E381F1C0-910E-11D1-AB1E-00A0C90F8F6F.

This control can be instantiated like any other ActiveX control, with HTML or script code in a web page. Because the control is proprietary and undocumented, the details of its methods and properties are not known. One exposed method provided by the control is SetRemoteComputerName, defined as follows:

void SetRemoteComputerName(BSTR computer)

A vulnerability exists in the cliproxy.objects ActiveX control shipped with the Symantec Antivirus and Symantec Client Security applications. The flaw is caused by an improperly implemented boundary check in the SetRemoteComputerName method. When an overly long argument is passed to the affected method, a heap buffer may be overrun with user-supplied data, corrupting critical memory. A skilled attacker may exploit the flaw to inject and execute arbitrary code. The ActiveX control is marked safe for scripting on default installations, which opens up remote exploitation opportunities. The vulnerability has been assigned the id CVE-2010-0108 by Mitre. SonicWALL has released a generic IPS signature addressing this vulnerability. The following signature was released:

  • 3190 – Symantec CLIproxy.dll ActiveX SetRemoteComputerName Invocation

In addition to this targeted IPS signature, SonicWALL has numerous generic signatures that proactively catch exploit attempts addressing this, and other web client exploitation attempts.

A new settings file – Bredolab spam continues (Feb 26, 2010)

SonicWALL UTM Research team continued to monitor and provide protection against the ongoing Bredolab spam, which switched to a new spam theme starting Wednesday, February 24, 2010. There has been a sharp increase in Bredolab spam campaigns since mid February 2010, as covered in our previous SonicAlert – New Bredolab spam campaigns, and this week was no different.

SonicWALL has received more than 25,000 e-mail copies from the “new settings file” spam campaign. The email messages, like those in previous campaigns, have a zip-archived attachment which contains a new variant of the Bredolab Trojan executable. The sample e-mail format is shown below:

Campaign: A new settings file spam

Attachment: settings.zip (contains settings.exe)

Subject: A new settings file for the (random email address) has just be released

Email Body:
————————
Dear use of the (email domain) mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox (random email address) settings were changed. In order to apply the new set of settings open attached file.

Best regards, (email domain) Technical Support.
————————

The email messages look like:

screenshot

screenshot

SonicWALL has received more than 6 distinct variants of the settings.exe file so far. If the user downloads and executes one of these new Bredolab variants, it will attempt to download FakeAV malware.
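Both this campaign and the Facebook password reset campaign above deliver the same artifact: a zip attachment whose only member is a Windows executable. The Python below is an added example (not SonicWALL code and not part of the original alert) of the check a mail gateway or incident responder can apply to such an attachment offline: it opens the archive in memory and flags any member that is an executable by extension or, so that a renamed payload is still caught, by its leading MZ header. The extension list, the helper that builds sample archives, and the sample archives themselves are assumptions constructed for the example; the member names are modelled on the lure names in the two alerts.

```python
import io
import zipfile

# Extensions Windows will execute directly (assumed list for this example).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".dll"}


def suspicious_members(zip_bytes):
    """Return the names of archive members that look like Windows executables.

    A member is flagged when its extension is executable or when its content
    starts with the 'MZ' DOS header, whichever comes first. Only the first two
    bytes of each member are read, so a large archive costs little to inspect.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            with zf.open(info) as member:
                magic = member.read(2)
            if ext in EXECUTABLE_EXTENSIONS or magic == b"MZ":
                flagged.append(name)
    return flagged


def build_sample_zip(members):
    """Build an in-memory zip from {name: bytes} (helper for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples (not the real attachments): a member named like the
# Facebook lure, a member with an MZ header hidden behind a .txt name, and a
# harmless text document. The 'MZ' stub stands in for a real executable.
SAMPLE_FACEBOOK = build_sample_zip({"Facebook_password_346.exe": b"MZ" + b"\x00" * 62})
SAMPLE_RENAMED = build_sample_zip({"settings.txt": b"MZ" + b"\x00" * 62})
SAMPLE_CLEAN = build_sample_zip({"notes.txt": b"just text"})

if __name__ == "__main__":
    for label, sample in (("facebook", SAMPLE_FACEBOOK), ("renamed", SAMPLE_RENAMED),
                          ("clean", SAMPLE_CLEAN)):
        print(label, suspicious_members(sample))
```

Checking the magic bytes as well as the name matters because the campaigns above rely on the reader trusting the icon and the file name; the gateway should trust neither.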

SonicWALL Gateway AntiVirus provides protection against this spam campaign via the following signatures:

  • GAV: Bredolab.CE_2 (Trojan) [11,924,540 hits recorded starting Feb 20, 2010]
  • GAV: Bredolab.BK_2 (Trojan) [6,004,226 hits recorded starting Feb 26, 2010]
  • GAV: Bredolab.BK (Trojan) [471 hits recorded starting Feb 26, 2010]

screenshot

screenshot

Windows URL Validation Vulnerability (Feb 18, 2010)

A URL (Uniform Resource Locator) is a case insensitive string which has the following general format (scheme, authority, path, query and fragment):

    scheme:[//authority][path][?query][#fragment]

The Microsoft Windows operating system provides facilities to invoke different applications based on a URL. An application can be registered on a system to open a particular URL scheme, such as “mailto”, “nntp”, “telnet”, etc. When a user clicks a link with a scheme for which no application is registered, the Windows function ShellExecute() is called to handle the URL directly. The ShellExecute() functionality can be found in the Windows Shell (shlwapi.dll) and Internet Explorer (ieframe.dll).

An input validation vulnerability exists in the ShellExecute() functionality. Specifically, the vulnerable code incorrectly parses the path section of a URL. When a URL contains the two-byte character sequence #:, the vulnerable code incorrectly assumes the path is a valid drive. For example,

xyz://www.example.com#://../../C:/windows/system32/calc.exe

will make Windows run calc.exe.

Attackers can exploit this vulnerability by enticing a target user to click a link to a malicious URL; the link can exist in a web page or in a crafted document. Successful exploitation of this vulnerability would lead to arbitrary command execution. In the scenario where a malicious binary file is placed in a predictable location on the target system, this vulnerability can be exploited to execute arbitrary code with the privileges of the currently logged-in user.
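The pattern described above is easy to recognise in proxy or mail logs: a fragment that begins with a colon and goes on to name a drive-letter path. The Python below is an added example (not SonicWALL's signature and not part of the original alert) of that detection run over a few constructed log lines. It generalizes slightly beyond the single URL shown in the alert: any drive letter reached inside a #: fragment is flagged, whether or not ../ traversal precedes it, and backslashes are treated like forward slashes. The URL and log-line regexes and the sample log are assumptions constructed for the example; only the calc.exe URL comes from the alert.

```python
import re
from urllib.parse import urlsplit

# A drive-letter path (e.g. C:/ or C:\) at the start of the fragment or after
# a ':' or path separator, written to accept either slash direction.
_DRIVE_PATH_RE = re.compile(r"(^|[:\\/])[A-Za-z]:[\\/]")

# Crude URL extractor for free-form log lines (assumed format for the example).
_URL_TOKEN_RE = re.compile(r"\S+://\S+")


def fragment_looks_like_local_path(url):
    """True if the URL's fragment starts with ':' and names a drive-letter path.

    This is the '#:' shape the alert describes, e.g.
    xyz://www.example.com#://../../C:/windows/system32/calc.exe
    Ordinary fragments, including ':~:text=' text fragments, are not flagged.
    """
    fragment = urlsplit(url).fragment
    if not fragment.startswith(":"):
        return False
    return bool(_DRIVE_PATH_RE.search(fragment))


def flagged_urls_in_log(lines):
    """Return (line_number, url) for every URL in the lines that matches."""
    hits = []
    for number, line in enumerate(lines, 1):
        for url in _URL_TOKEN_RE.findall(line):
            if fragment_looks_like_local_path(url):
                hits.append((number, url))
    return hits


# Constructed proxy-style log lines (not real traffic). Line 2 carries the
# alert's example URL; line 3 is a benign fragment that must not be flagged.
SAMPLE_LOG = [
    "2010-02-18 10:01:02 user1 GET http://example.com/index.html 200",
    "2010-02-18 10:01:09 user1 GET xyz://www.example.com#://../../C:/windows/system32/calc.exe -",
    "2010-02-18 10:02:30 user2 GET http://example.com/page#:~:text=hello 200",
]

if __name__ == "__main__":
    for number, url in flagged_urls_in_log(SAMPLE_LOG):
        print("line %d: %s" % (number, url))
```

Splitting with urlsplit() first is deliberate: the check only ever looks at the fragment, so a legitimate query string or path that happens to contain a drive letter is never flagged.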

Microsoft has released Security Bulletin MS10-007 to address this issue. The CVE identifier for this vulnerability is CVE-2010-0027.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 3167 MS Windows URL Validation Remote Command Execution (MS10-007)

New Zeus Botnet – Kneber (Feb 18, 2010)

SonicWALL UTM Research team observed reports this morning of the Kneber Botnet, which compromised over 75,000 systems worldwide, including those of government agencies. This is not a new Botnet but a standard Zeus Botnet, which we covered in detail in one of our SonicAlerts last year – Zeus Trojan Family.

New variants of the Zeus Botnet appear constantly in the wild. The name Kneber comes from the user name associated with one of its controller domains, silence7.cn.

A look-up of this domain at http://whois.domaintools.com yields the following information; the registrant email address bears the last name ‘Kneber’, hence the name of this Botnet.

    Domain Name: silence7.cn
    ROID: 20091210s10001s86100640-cn
    Domain Status: ok
    Registrant Organization: Hilary
    Registrant Name: Hilary
    Administrative Email: hilarykneber@yahoo.com

    Name Server:free01.editdns.net
    Name Server:free02.editdns.net
    Registration Date: 2009-12-10 21:10
    Expiration Date: 2010-12-10 21:10

This new variant has the following characteristics generic to Zeus Botnet:

    File Creation:
    [System Folder]\sdra64.exe
    [System Folder]\lowsec
    [System Folder]\lowsec\local.ds
    [System Folder]\lowsec\user.ds

    Note: [System Folder] is the default Windows system folder. Typically it is C:\Winnt\system32 for Windows 2000 and NT and C:\Windows\System32 for XP, Vista, and Windows 7.

    Registry Modification:
    This botnet modifies this registry entry to ensure its automatic execution on every Windows startup.

    Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    Value: “Userinit”
    Original Data: “C:\WINDOWS\system32\userinit.exe,”
    Modified Data: “C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\sdra64.exe,”
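Three of the alerts on this page (the Facebook/Oficla dropper, the Pushbot worm and this Zeus variant) persist through the same Winlogon key, by appending to either the Shell or the Userinit value. The Python below is an added example (not SonicWALL code and not part of the original alerts) of an offline check for exactly that: it parses a .reg export of the key and reports any program listed in Shell other than explorer.exe, or any entry in Userinit other than a single userinit.exe. The parser, the expected defaults and the two sample exports are assumptions constructed for the example; the modified values in the infected sample are the ones quoted in the alerts.

```python
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Expected clean values (compared case-insensitively); assumed defaults for this example.
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT_NAME = "userinit.exe"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg export."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1)
            result.setdefault(current, {})
            continue
        value = _VALUE_RE.match(line)
        if value and current is not None:
            # .reg exports escape quotes and double every backslash in string data.
            data = value.group(2).replace('\\"', '"').replace("\\\\", "\\")
            result[current][value.group(1)] = data
    return result


def winlogon_anomalies(reg_text):
    """Return [(value_name, unexpected_entries)] for Shell/Userinit deviations."""
    values = parse_reg_export(reg_text).get(WINLOGON_KEY, {})
    findings = []

    # Shell is a space/comma separated program list; only explorer.exe belongs there.
    shell_entries = [e for e in re.split(r"[\s,]+", values.get("Shell", "")) if e]
    extra = [e for e in shell_entries if e.lower() != EXPECTED_SHELL]
    if extra:
        findings.append(("Shell", extra))

    # Userinit is a comma separated list; exactly one userinit.exe entry is expected.
    userinit_entries = [e.strip() for e in values.get("Userinit", "").split(",") if e.strip()]
    extra = [e for e in userinit_entries if e.lower().split("\\")[-1] != EXPECTED_USERINIT_NAME]
    if extra or len(userinit_entries) != 1:
        findings.append(("Userinit", extra or userinit_entries))
    return findings


# Constructed sample exports (not taken from a real machine).
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"""

INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe rundll32.exe nnfj.tqo nhemkk"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\System32\\sdra64.exe,"
"""

if __name__ == "__main__":
    print("clean:", winlogon_anomalies(CLEAN_EXPORT))
    print("infected:", winlogon_anomalies(INFECTED_EXPORT))
```

On a live Windows host the same logic can be fed from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`; the script deliberately reads the export rather than the live hive so it can be run on a collected artifact from any platform.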

    Process Termination:
    This Botnet tries to terminate firewall applications so that it can run without interruption.

    • Outpost Firewall
    • Zone Alarm Firewall

SonicWALL Gateway AntiVirus provides protection against this Botnet via the following GAV signatures:

  • GAV: Zbot.HNO (Trojan)
  • GAV: ZBot.gen (Trojan)
  • GAV: Zbot.AEZ (Trojan)
  • GAV: Zbot.ABC (Trojan)
  • GAV: Zbot.CMS (Trojan)
  • GAV: Zbot.RL (Trojan)
  • GAV: Zbot.IXC (Trojan)
  • GAV: Zbot.CFA (Trojan)
  • GAV: Zbot.gen.C (Trojan)
  • GAV: Zbot.ADFY_2 (Trojan)
  • GAV: Zbot.CA (Trojan)

screenshot

screenshot