
IFrame Injection Attacks in the wild (Mar 7, 2014)

An HTML element is an individual component of an HTML document or web page. “iFrame” is one of these HTML elements; it defines an inline frame in the web page. An iFrame has the following format:

  

The Document Object Model (DOM) is a cross-platform, language-independent convention for representing and interacting with objects in HTML, XHTML and XML documents. With the DOM, a script can easily manipulate HTML elements. Sample JavaScript code that uses the DOM is listed below:

      // Move the last child of the "myList2" element to the end of "myList1"
      var node = document.getElementById("myList2").lastChild;
      document.getElementById("myList1").appendChild(node);

An iFrame injection attack is a method for an attacker to embed code from another site by leveraging the iFrame tag through the DOM. It is a popular delivery mechanism for drive-by downloads. iFrame injection attacks are not as common as they once were on the web, but they still happen from time to time. The Dell SonicWALL Threat Research team has observed multiple iFrame injection attacks in the wild.

[Image: iframe-injection]

Another example of iFrame injection can be seen in one of our recent SonicAlerts, Adobe Flash Zero Day (CVE-2014-0502) Exploit Analysis (Feb 27, 2014).

The Dell SonicWALL Threat Research team has created multiple IPS signatures to detect malicious iFrame tags in web pages:

  • 7292 Suspicious HTML Iframe Tag 1
  • 7378 Suspicious HTML Iframe Tag 2
  • 9767 Suspicious HTML Iframe Tag 3
  • 10202 Suspicious HTML Iframe Tag 4
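As an added example (not code from the SonicAlert post or from SonicWALL's signatures), the following scanner flags iframe tags with the traits typically seen in injected iframes: tiny or hidden frames and frames that pull content from a host other than the page's own. The threshold, the heuristics and the sample page (with the constructed host evil.invalid) are this example's assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristics (assumptions for this example): an iframe is suspicious when it is
# effectively invisible (tiny or hidden) or points at a host other than the page's.
TINY = 10  # pixel threshold at or below which width/height counts as hidden

class IframeScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        for dim in ("width", "height"):
            val = a.get(dim, "").rstrip("px")
            if val.isdigit() and int(val) <= TINY:
                reasons.append(f"{dim}={val}")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via style")
        if "left:-" in style or "top:-" in style:
            reasons.append("positioned off-screen")
        src = a.get("src", "")
        host = urlparse(src).hostname
        if host and host.lower() != self.page_host:
            reasons.append(f"external src host {host}")
        if reasons:
            self.findings.append({"src": src, "reasons": reasons})

def scan_html(html, page_host):
    """Return the suspicious iframes found in html served from page_host."""
    s = IframeScanner(page_host)
    s.feed(html)
    return s.findings

# Constructed sample page: one legitimate embed and one injected, hidden iframe.
SAMPLE = """<html><body><h1>News</h1>
<iframe src="https://example.com/video" width="640" height="360"></iframe>
<iframe src="http://evil.invalid/in.php" width="1" height="1"
        style="visibility: hidden; position:absolute; left:-9999px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE, "example.com"):
        print(f["src"], "->", ", ".join(f["reasons"]))
```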

Adobe Flash Zero Day(CVE-2014-0502) Exploit Analysis (Feb 27, 2014)

Last week, the Dell SonicWALL Threats Research team observed multiple instances of an Adobe Flash zero-day exploit targeting CVE-2014-0502.
A double-free vulnerability exists in Adobe Flash that may allow arbitrary code execution.
Adobe quickly addressed this attack by providing a security update.
We also have a detailed write-up on the malware analysis of the file downloaded after successful exploitation.

Let’s look at an in-depth analysis of the Exploit.

Attack Flow:

We can see how the iframe is injected.

When the user is redirected to the malicious iframe, the HTML contains a reference to a malicious SWF.

SWF decompilation shows how the GIF file is loaded.

Here we can see how the exploit is fine-tuned for Windows XP and Windows 7.

The SWF also allocates the ROP chain corresponding to the checks above.

A cookie is set and checked so that the exploit executes only once.

Debugging shows how execution pivots into the ROP chain.

We can see how the urlmon module is used to download the exe.

This exe is copied to C: and executed.

Then there is post-infection activity.

We have implemented the following signatures to detect the attack.

  • SPY:4185 Malformed-File swf.OT.7
  • SPY:4186 Malformed-File gif.OT.1
  • SPY:2342 Malformed-File swf.MP.103
  • SPY:2344 Malformed-File swf.MP.104

Parcim Trojan steals sensitive system information (March 6, 2014)

The Dell SonicWALL Threats Research team has discovered an info-stealer Trojan that is dropped onto unpatched machines as part of a drive-by attack. The attack uses the CVE-2014-0502 vulnerability, which was covered in a recent SonicAlert.

Infection Cycle:

The Trojan adds the following files to the filesystem:

  • %TEMP%\chrome_frame_helper.dll [Detected as GAV: Parcim.A (Trojan)]
  • %TEMP%\chrome_frame_helper.exe
  • %TEMP%\chrome_frame_info.dll
  • %TEMP%\MSMAPI.OCX [Detected as GAV: Parcim.A_2 (Trojan)]
  • %TEMP%\YahooCache.ini
  • %USERPROFILE%\Local Settings\Temp\$NtUninstallKB942388$ (contains stolen system information)

The Trojan adds the following key to the Windows registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run chrome_update “%TEMP%\chrome_frame_helper.exe”

The Trojan makes the following DNS query:

YahooCache.ini contains the following data:

The Trojan downloads an additional malicious file and saves it as MSMAPI.OCX [Detected as GAV: Parcim.A_2 (Trojan)]:

It runs MSMAPI.OCX using the following command line:

      rundll32 %TEMP%\MSMAPI.OCX,RunProcGoa

The Trojan runs the following commands to gather system information:

      cmd.exe /C ipconfig /all
      cmd.exe /A /C rundll32 %TEMP%\MSMAPI.OCX,RunProcGoA
      cmd.exe /C net start
      cmd.exe /C tasklist
      cmd.exe /C systeminfo
      cmd.exe /C netstat -an
      cmd.exe /C net view
      cmd.exe /C dir "%userprofile%\recent"

$NtUninstallKB942388$ contains the following data derived from the commands above:

  • Windows IP Configuration
  • Data on configured network adaptors
  • A list of running services
  • Tasklist
  • Output from netstat
  • Number of processors
  • Recently run .lnk files
  • System info (OS version, processors, service pack, physical RAM etc.)

The stolen system information was observed being sent to a remote C&C server:

The Trojan periodically contacts the C&C server to announce its presence. It sends its internal IP address as the value for “&ClientId” and obtains its external IP address from the server:
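As an added example (not code from the SonicAlert post or from SonicWALL), the following detector replays constructed process-creation log lines and flags two behaviours described in the infection cycle above: a burst of built-in reconnaissance commands spawned by one parent process, and rundll32 loading an .OCX file from %TEMP%. The log line format, the 60-second window and the four-command threshold are this example's own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Commands the post lists the Trojan running through cmd.exe /C (lower-case for matching).
RECON = ("ipconfig /all", "net start", "tasklist", "systeminfo",
         "netstat -an", "net view", 'dir "%userprofile%\\recent"')
WINDOW = timedelta(seconds=60)  # assumption: an operator would not run all of these this fast
MIN_HITS = 4                    # assumption: distinct recon commands needed to alert
LINE = re.compile(r"^(\S+ \S+) ppid=(\d+) cmd=(.*)$")

def parse(line):
    """Split one constructed log line into (timestamp, parent pid, command line)."""
    ts, ppid, cmd = LINE.match(line.strip()).groups()
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ppid, cmd

def recon_name(cmd):
    low = cmd.lower()
    return next((r for r in RECON if r in low), None)

def detect(lines):
    """Return alerts for recon bursts and for rundll32 loading an .OCX from %TEMP%."""
    alerts = []
    seen = defaultdict(list)  # ppid -> [(time, recon command)]
    for line in lines:
        ts, ppid, cmd = parse(line)
        low = cmd.lower()
        if "rundll32" in low and "%temp%" in low and ".ocx" in low:
            alerts.append(f"ppid {ppid}: rundll32 loading .OCX from %TEMP%: {cmd}")
        name = recon_name(cmd)
        if name:
            seen[ppid].append((ts, name))
            recent = {n for t, n in seen[ppid] if ts - t <= WINDOW}
            if len(recent) == MIN_HITS:  # fire once, when the burst crosses the threshold
                alerts.append(f"ppid {ppid}: {len(recent)} recon commands within {WINDOW.seconds}s")
    return alerts

# Constructed sample log; the line format is this example's own, not a real product's.
SAMPLE_LOG = [
    "2014-03-06 09:00:01 ppid=4120 cmd=cmd.exe /C ipconfig /all",
    "2014-03-06 09:00:02 ppid=4120 cmd=cmd.exe /A /C rundll32 %TEMP%\\MSMAPI.OCX,RunProcGoA",
    "2014-03-06 09:00:03 ppid=4120 cmd=cmd.exe /C net start",
    "2014-03-06 09:00:04 ppid=4120 cmd=cmd.exe /C tasklist",
    "2014-03-06 09:00:05 ppid=4120 cmd=cmd.exe /C systeminfo",
    "2014-03-06 09:00:06 ppid=4120 cmd=cmd.exe /C netstat -an",
    "2014-03-06 09:30:00 ppid=2200 cmd=cmd.exe /C ipconfig /all",  # an admin's lone command
]

if __name__ == "__main__":
    print("\n".join(detect(SAMPLE_LOG)))
```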

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Parcim.A (Trojan)
  • GAV: Parcim.A_2 (Trojan)