
YouTube Messaging used to spread Trojan (Jan 09, 2009)

SonicWALL UTM Research team observed a new Trojan being spammed starting today, Friday, January 09, 2009, via the YouTube messaging service. The YouTube message contains a link that claims to be a video file but actually points to a new Renos Trojan.

The Trojan is packed with UPX and performs the following activity:

  • Deletes the original copy of the file
  • Downloads malicious files from the following URLs:
    • xxxx://89.149.206.82/balamutra.php
    • xxxx://89.149.207.114/cfg/(REMOVED)/video20879.cfg
    • xxxx://94.247.2.117/cfg/(REMOVED)/video20879.cfg
    • xxxx://69.46.16.99/lr/11.php?(REMOVED)
    • xxxx://94.247.2.112/fanta/(REMOVED)
    • xxxx://69.46.16.99/lr/12.php?(REMOVED)
  • Sends POST requests to the following URLs:
    • xxxx://89.149.236.200/(REMOVED)/t.gif
    • xxxx://74.50.99.129/1.php

The YouTube message looks like the following:


The Trojan is also known as Trojan-Downloader.Win32.Renos [Ikarus], TrojanDownloader:Win32/Renos.gen!BB [Microsoft], and TR/Crypt.XPACK.Gen [AntiVir].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Renos_21 (Trojan) signature.

SAP GUI Heap Overflow Vulnerability (Jan 08, 2009)

In SAP’s three-tier architecture of database, application server and client, SAPGUI (the client) is the platform used for remote access to the central SAP server on a company network.

SAPGUI for the Windows environment ships with the ActiveX control component TabOne. TabOne has a method named AddTab, which expects a Caption string parameter. The ActiveX control allocates a heap-based buffer when it is instantiated. Each time AddTab() is called, the Caption parameter is appended to the string in that buffer, prefixed with a “|” character.

A heap buffer overflow vulnerability exists in the TabOne ActiveX control (the vulnerability has been assigned CVE-2008-4827). Because the AddTab method performs no boundary check, an excessive number of Caption strings overflows the destination buffer. An attacker could host a crafted web page and entice a user to visit it. When a victim who has installed the vulnerable software views the web page, a heap buffer overflow occurs. Successful exploitation would lead to arbitrary code execution with the privileges of the currently logged-in user.

SonicWALL has released the following IPS signatures that detect and prevent the instantiation of the TabOne ActiveX control. The signatures that address this vulnerability are:

  • 3708 SAP GUI TabOne ActiveX Control Instantiation 1
  • 3723 SAP GUI TabOne ActiveX Control Instantiation 2

SQL Server Stored Procedure Overflow (Jan 02, 2009)

Microsoft SQL Server is a relational database management system. It uses Transact-SQL (T-SQL) for querying and modifying data and for managing databases. SQL Server provides a wide range of stored procedures. A stored procedure is a group of Transact-SQL statements compiled into a single execution plan. One such stored procedure is sp_replwritetovarbin. It can be called with the EXEC statement:

EXEC master.dbo.sp_replwritetovarbin

A buffer overflow vulnerability exists in Microsoft SQL Server. Specifically, the flaw is due to a boundary error in the implementation of the sp_replwritetovarbin stored procedure. The vulnerable procedure does not check whether the supplied output varbinary buffer is large enough for the copy operation. By supplying a varbinary object that is too small for the output-buffer parameter, and/or an overly large string argument to sp_replwritetovarbin, an authenticated user can trigger the buffer overflow. Successful exploitation could lead to arbitrary code execution in the context of the vulnerable SQL Server process.

The vulnerability has been assigned CVE-2008-5416 and Microsoft KB961040.

Since the procedure, sp_replwritetovarbin, is proprietary to Microsoft and its interface is not published, it is believed that the procedure is rarely used for legitimate purposes.

SonicWALL has released the following IPS signatures that detect and prevent invocation of the sp_replwritetovarbin stored procedure. The signatures that address this vulnerability are:

  • 1286 SQL Server sp_replwritetovarbin Procedure Attempt (Unicode)
  • 1292 SQL Server sp_replwritetovarbin Procedure Attempt (ASCII)
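As an added example (not SonicWALL's signature logic, and not from the original post), the following Python scans a byte payload for the procedure name in both the ASCII and the UTF-16LE ("Unicode") encodings that the two signatures above distinguish. The TDS-style header bytes and the T-SQL batches are constructed test input.

```python
import re

# Procedure name the advisory's two IPS signatures (ASCII and Unicode) look
# for.  T-SQL batches travel over TDS as UTF-16LE text, so the name appears
# with a NUL byte after every character; it may also appear as plain ASCII.
PROC_NAME = "sp_replwritetovarbin"


def _ascii_pattern(name: str) -> re.Pattern:
    return re.compile(re.escape(name.encode("ascii")), re.IGNORECASE)


def _utf16le_pattern(name: str) -> re.Pattern:
    """Case-insensitive byte pattern for NAME encoded as UTF-16LE: each letter
    becomes a [xX]\\x00 class, every other character gets a literal NUL."""
    parts = []
    for ch in name:
        if ch.isalpha():
            parts.append(b"[" + ch.lower().encode() + ch.upper().encode() + b"]\x00")
        else:
            parts.append(re.escape(ch.encode()) + b"\x00")
    return re.compile(b"".join(parts))


ASCII_PATTERN = _ascii_pattern(PROC_NAME)
UNICODE_PATTERN = _utf16le_pattern(PROC_NAME)


def find_procedure_calls(payload: bytes) -> list:
    """Return (encoding, byte_offset) for every occurrence of the procedure
    name in PAYLOAD, covering the ASCII and the Unicode case in one scan."""
    hits = [("ascii", m.start()) for m in ASCII_PATTERN.finditer(payload)]
    hits += [("unicode", m.start()) for m in UNICODE_PATTERN.finditer(payload)]
    return sorted(hits, key=lambda h: h[1])


# Constructed samples (not real captures): an 8-byte placeholder header
# followed by a T-SQL batch, once as UTF-16LE and once as ASCII, plus a
# harmless batch that must not match.
FAKE_HEADER = b"\x01\x01\x00\x00\x00\x00\x01\x00"
UNICODE_BATCH = FAKE_HEADER + "EXEC master.dbo.SP_ReplWriteToVarbin 1, 2".encode("utf-16-le")
ASCII_BATCH = FAKE_HEADER + b"exec master..sp_REPLwritetovarbin @p1"
BENIGN_BATCH = FAKE_HEADER + "SELECT name FROM sys.tables".encode("utf-16-le")

if __name__ == "__main__":
    for label, sample in (("unicode", UNICODE_BATCH), ("ascii", ASCII_BATCH), ("benign", BENIGN_BATCH)):
        print(label, find_procedure_calls(sample))
```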

New UPS ZBot Trojan spam (Dec 18, 2008)

SonicWALL UTM Research team observed a new wave of the ongoing UPS invoice spam campaign starting Wednesday, December 17, 2008. The email has a zip-archived attachment that contains the new ZBot Trojan variant.

SonicWALL has received more than 1,500 e-mail copies of this malware to date. This malware is spread in the same way as the previous ZBot variant of Nov 21 (described here), but the sample has been updated to thwart antivirus detection.

The behavior is identical to the previous variant, except that this one downloads its encrypted configuration file from a different location:

  • GAV: Zbot.GSV (Nov 21, 2008) – pavelmoous.ru/pavel/conf.bin
  • GAV: Zbot.GAB (Dec 17, 2008) – reservpptppp20.ru/igor.bin

At this time only 6 antivirus vendors detect this malware.

The Trojan is also known as Trojan-Spy.Win32.Zbot.idq [Kaspersky], Mal/Zbot-G [Sophos], and TR/Spy.ZBot.IAX [AntiVir].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Zbot.GAB (Trojan) and GAV: Zbot.GAA (Trojan) signatures.

The GAV: Zbot.GAB (Trojan) signature received more than 55,000 hits in the last 24 hours, demonstrating that this malware is very active in the wild at the moment. The following figure shows the hits per hour so far.

JavaScript Code Injection Summary (Dec 17, 2008)

JavaScript is a scripting language widely used for client-side web development. It is so popular that most web pages on the Internet contain JavaScript code. JavaScript offers users a great deal of functionality and flexibility. However, it has also given attackers a convenient way to inject JavaScript code, exploit and control target servers.

JavaScript injection takes several forms, including JavaScript cookie modification, JavaScript HTML form modification and some cross-site scripting. For example, simply injecting the following JavaScript code will bypass some authorization checks for the malicious user.

javascript:void(document.cookie="authorization=true");

Besides the common JavaScript injection methods mentioned above, there is one special method that is used only for shellcode injection, which we call JavaScript Code Injection. It is used as an aid to other vulnerabilities, but it is more dangerous because the injected code is no longer restricted to JavaScript or any other script: it can be arbitrary machine code that runs on the system.

One recent example of JavaScript Code Injection is the Microsoft IE 0-day vulnerability found on Dec 9, 2008. The details are here. Some exploits in the wild use JavaScript to inject shellcode, then exploit the vulnerability to trigger execution of the injected code. The injected code looks like the following:

var shellcode = unescape("%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f %u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca %uc201%uf4eb%u543b%u0424%ue575%u5f8b

After carefully examining many injected shellcodes and their related vulnerabilities for patterns, the SonicWALL UTM team has developed seven signatures for JavaScript Code Injection attempts. They are listed below:

  • 3127 Javascript Code Injection Attempt (Mac)
  • 4665 Javascript Code Injection Attempt (Win/Linux) 2
  • 4701 Javascript Code Injection Attempt (Win/Linux) 3
  • 4744 Javascript Code Injection Attempt (Win/Linux) 4
  • 4760 Unicode Javascript Code Injection Attempt 1
  • 4761 Unicode Javascript Code Injection Attempt 2
  • 5051 Javascript Code Injection Attempt (Win/Linux) 5

The signatures listed above have not only detected attacks on known vulnerabilities but have also proactively blocked many attacks targeting zero-day vulnerabilities, including the Microsoft IE 0-day vulnerability found on Dec 9, 2008.

The following figure shows the hits for those signatures within a month.
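An added example, not code from the original post and not SonicWALL's signature internals: a Python detector for the pattern shown above, an unescape() call that stages a long run of %uXXXX escapes. The escape-count threshold, the decoding helper and the two sample pages are assumptions of this example.

```python
import re

# An unescape() call whose string literal consists only of %uXXXX / %XX escapes
# (whitespace tolerated, as in the captured snippet above).  Long runs of such
# escapes are how exploits stage shellcode in memory; ordinary pages call
# unescape() on short strings, so a length threshold separates the two.
UNESCAPE_CALL = re.compile(
    r"""unescape\s*\(\s*(["'])((?:%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}|\s)+)\1\s*\)"""
)
ESCAPE_SEQ = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
MIN_ESCAPES = 32  # assumed threshold; the real signatures' thresholds are not on the page


def decode_escapes(literal: str) -> bytes:
    """Decode the escapes the way the script engine lays them out in memory:
    %uXXXX is a 16-bit code unit stored little-endian, %XX a single byte."""
    out = bytearray()
    for m in ESCAPE_SEQ.finditer(literal):
        if m.group(1) is not None:
            out += int(m.group(1), 16).to_bytes(2, "little")
        else:
            out.append(int(m.group(2), 16))
    return bytes(out)


def find_shellcode_candidates(script: str, min_escapes: int = MIN_ESCAPES) -> list:
    """Return one finding per unescape() call whose escape run is long enough
    to be suspicious: offset, escape count, decoded length and leading bytes."""
    findings = []
    for m in UNESCAPE_CALL.finditer(script):
        literal = m.group(2)
        count = len(ESCAPE_SEQ.findall(literal))
        if count < min_escapes:
            continue
        data = decode_escapes(literal)
        findings.append({"offset": m.start(), "escapes": count,
                         "bytes": len(data), "head": data[:4].hex()})
    return findings


# Constructed samples: a page staging 80 bytes of filler ("A" * 80) through
# unescape(), and a page using unescape() legitimately on a short string.
CONSTRUCTED_STAGING_PAGE = '<script>var s = unescape("' + "%u4141" * 40 + '");</script>'
CONSTRUCTED_BENIGN_PAGE = '<script>var q = unescape("%20%3D");</script>'

if __name__ == "__main__":
    print(find_shellcode_candidates(CONSTRUCTED_STAGING_PAGE))  # one finding, 80 bytes
    print(find_shellcode_candidates(CONSTRUCTED_BENIGN_PAGE))   # []
```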

Microsoft IE 0-Day vulnerability (Dec 11, 2008)

SonicWALL UTM Research team has observed exploits circulating in the wild since December 9th, 2008 that target a new zero-day vulnerability in Microsoft Internet Explorer. It has been confirmed that the published exploits can download existing viruses such as IESlice.FO. The vulnerability is identified as CVE-2008-4844, and the vendor has released advisory 961051 for it.

The vulnerability exists in the Dynamic Link Library mshtml.dll of Microsoft Internet Explorer. The flaw is due to an error in the module that handles specially crafted XML data: memory corruption occurs when Internet Explorer processes nested tags whose datasrc attributes contain an identical XML reference. For example, the nested XML reference can look like the following:

<span datasrc=#I datafld=B dataformatas=HTML><span datasrc=#I datafld=B dataformatas=HTML>

If the vulnerability is triggered, the attacker can redirect the application's execution flow to code injected into heap memory, which may result in a virus download or even full compromise of the target machine.

SonicWALL UTM Research team has analyzed the published exploits, and the following network snippet is from one of the exploits:


Note that Internet Explorer 7 by default blocks the malicious code from executing, as seen below, but the warning it shows is a generic message that also appears when legitimate code runs:


SonicWALL UTM provided proactive protection against some of these vulnerability exploits with the following signatures:

  • IPS: 4665 Javascript Code Injection Attempt (Win/Linux) 2
  • GAV: IESlice.FO (Exploit)

Additional signatures specific for this vulnerability were added on December 10, 2008:

  • IPS: 3670 MS IE XML SPAN Tag Heap Overflow Attempt
  • IPS: 3671 MS IE XML SPAN Tag Heap Overflow Attempt 2
  • GAV: XMLHttpd.U (Exploit)
  • GAV: XMLHttp (Exploit)
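As an added example that is not part of the original post, the following Python uses the standard library HTML parser to flag the nested-span layout described above (a span whose datasrc repeats an enclosing span's datasrc) while leaving ordinary sibling data bindings alone. The sample markup is constructed for the example.

```python
from html.parser import HTMLParser

# Detector for the nesting the advisory describes: a <span> bound to an XML
# source through datasrc, placed inside another <span> bound to the same
# source (identical datasrc value).  Sibling spans sharing a datasrc are normal
# data binding and are not flagged; only ancestor/descendant repetition is.


class NestedDatasrcDetector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.open_spans = []   # datasrc of each currently open <span> (None if absent)
        self.findings = []     # (line, column, datasrc, dataformatas) per nested repeat

    def handle_starttag(self, tag, attrs):
        if tag != "span":
            return
        a = {k: (v or "") for k, v in attrs}
        datasrc = a.get("datasrc")
        if datasrc is not None and datasrc in self.open_spans:
            line, col = self.getpos()
            self.findings.append((line, col, datasrc, a.get("dataformatas", "")))
        self.open_spans.append(datasrc)

    def handle_endtag(self, tag):
        if tag == "span" and self.open_spans:
            self.open_spans.pop()


def find_nested_datasrc(html: str) -> list:
    """Parse HTML and return every <span> whose datasrc repeats the datasrc
    of an enclosing <span>."""
    p = NestedDatasrcDetector()
    p.feed(html)
    p.close()
    return p.findings


# Constructed samples (not taken from any exploit): the nested layout from
# the advisory, and a benign page that binds two sibling spans to one source.
CONSTRUCTED_NESTED = (
    "<xml id=I><x><b>text</b></x></xml>\n"
    "<span datasrc=#I datafld=B dataformatas=HTML>\n"
    "<span datasrc=#I datafld=B dataformatas=HTML></span></span>\n"
)
CONSTRUCTED_SIBLINGS = (
    "<xml id=I><x><b>text</b></x></xml>\n"
    "<span datasrc=#I datafld=B dataformatas=HTML></span>\n"
    "<span datasrc=#I datafld=B dataformatas=HTML></span>\n"
)

if __name__ == "__main__":
    print(find_nested_datasrc(CONSTRUCTED_NESTED))    # one finding on line 3
    print(find_nested_datasrc(CONSTRUCTED_SIBLINGS))  # []
```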

VLC Player TY Buffer Overflow (Dec 05, 2008)

The VLC Media Player is an open source, multiplatform multimedia player. The player is capable of processing multiple audio and video formats such as MPEG, MP3, and Wave as well as streaming media. Among the supported file formats is the TiVo TY file format. The TiVo TY file format specification is proprietary and as such, not available publicly. This file format is known to consist of a generic header and media specific chunks which contain data. The header of TY files can be represented as follows:

 Offset  Size  Value/Description
 ------  ----  -----------------
 0x0000  4     0xF5467ABD
 0x0004  4     0x00000002
 0x0008  4     0x00020000
 0x000C  4     ?
 0x0010  4     ?
 0x0014  4     bitmask size
 [...]

A stack buffer overflow vulnerability has been found in the VLC Media Player. The vulnerability occurs when processing TY media files. The vulnerable code does not properly validate the value at offset 0x0014 in the file header. This value is read from the file, incremented by 8 and used as a counter in a memory copy operation without any bounds checks. The destination to which file data is copied is a 32 byte stack buffer. Thus, a value larger than 32 will cause the copy operation to overrun the stack buffer. This will lead to critical data being overwritten and may consequently change the flow of execution.

This vulnerability, when exploited by enticing a user to open a malicious TY file, may result in process flow diversion. Exploits targeting this vulnerability are publicly available. SonicWALL has developed an IPS signature that detects and blocks generic attack attempts. The following signature addresses this issue:

  • 1265 – VideoLAN VLC Media Player TY Processing BO Attempt
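An added example, neither VLC's code nor part of the original post: a Python check that reads the header fields from the table above and evaluates the copy length the vulnerable code would use (the stored bitmask size plus 8) against the 32-byte stack buffer, including the 32-bit wrap a huge stored value would produce in C. It assumes big-endian field order, which the page does not state, and builds its own sample headers.

```python
import struct

TY_MAGIC = 0xF5467ABD         # first header field (from the table above)
BITMASK_SIZE_OFFSET = 0x0014  # header offset of the bitmask size field
COPY_ADJUSTMENT = 8           # the player adds 8 to the stored value before copying
STACK_BUFFER_SIZE = 32        # bytes available in the destination stack buffer
HEADER_LEN = BITMASK_SIZE_OFFSET + 4
# Assumption: the six fields are big-endian 32-bit integers; the page does
# not state the byte order, so adjust FIELD_FORMAT if real files differ.
FIELD_FORMAT = ">6I"


def check_ty_header(data: bytes) -> dict:
    """Read the TY header fields and evaluate the copy the vulnerable code
    performs: a 32-bit counter (bitmask size + 8) against the 32-byte stack
    buffer.  The addition wraps at 32 bits as it would in C."""
    if len(data) < HEADER_LEN:
        return {"is_ty": False, "reason": "short header"}
    magic, version, flags, _, _, bitmask_size = struct.unpack_from(FIELD_FORMAT, data, 0)
    if magic != TY_MAGIC:
        return {"is_ty": False, "reason": "bad magic"}
    copy_count = (bitmask_size + COPY_ADJUSTMENT) & 0xFFFFFFFF
    return {
        "is_ty": True,
        "version": version,
        "flags": flags,
        "bitmask_size": bitmask_size,
        "copy_count": copy_count,
        "wrapped": copy_count < bitmask_size,         # huge value wrapped around
        "overflows": copy_count > STACK_BUFFER_SIZE,  # would overrun the stack buffer
    }


def make_ty_header(bitmask_size: int, magic: int = TY_MAGIC) -> bytes:
    """Build a constructed 24-byte header with the fixed values from the table
    and the two unknown fields zeroed (test input, not a real TiVo file)."""
    return struct.pack(FIELD_FORMAT, magic, 0x00000002, 0x00020000, 0, 0, bitmask_size)


if __name__ == "__main__":
    for value in (16, 24, 25, 200, 0xFFFFFFFC):
        print(hex(value), check_ty_header(make_ty_header(value)))
    print(check_ty_header(b"RIFF" + bytes(20)))  # not a TY header
```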

Merry Christmas Spam – Banker Trojan (Dec 02, 2008)

SonicWALL UTM Research team observed a new spam campaign starting today, Tuesday, December 02, 2008, which involves a fake e-mail pretending to come from Coca-Cola, McDonalds, or Hallmark. The email has a zip-archived attachment that contains the new Banker Trojan.

The e-mail looks like the following:

Attachment:

  • postcard.zip (contains postcard.doc .scr)
  • promotion.zip (contains coupon.exe)
  • coupon.zip (contains coupon.exe)

Subject:

  • You’ve received A Hallmark E-Card!
  • Coca Cola is proud to accounce our new Christmas Promotion.
  • Mcdonalds wishes you Merry Christmas!

Email Body:
————————
Dear Holder

Hello!

You have recieved a Hallmark E-Card from your friend. To see it, check the attachment.
There’s something special about that E-Card feeling. We invite you to make a friend’s day and send one.

Hope to see you soon, Your friends at Hallmark

Your privacy is our priority. Click the “Privacy and Security” link at the bottom of this E-mail to view our policy.
Hallmark.com | Privacy & Security | Customer Service | Store Locator
————————

The content of the Coca-Cola and McDonald’s spam email is fetched from Coca-Cola and McDonald’s official websites.

When executed, the Trojan performs the following host-level activity:

  • Creates qnx.exe in the Windows System directory and runs it
  • Creates vxworks.exe in the Windows System directory and runs it
  • Deletes the original copy of the file

It creates the following Registry keys:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wind River Systems = “[Windows System Dir]\vxworks.exe”
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WallpaperXMAS

The vxworks.exe process listens on TCP ports 1056 and 1071 and also sends the following GET request:

  • http://whatismyip.com/automation/n09230945.asp

The Trojan is also known as Trojan-Banker.Win32.Banker.abbi [Kaspersky], VirTool:Win32/CeeInject.gen!J [Microsoft], and TR/Dropper.Gen [AntiVir].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Banker.ABBI (Trojan) signature.

Firefox XUL Frame Tree Vulnerability (Nov 26, 2008)

The multi-platform Mozilla Firefox browser is capable of interpreting and rendering many types of content published on the Internet. Some of the widely used formats are HTML, XML, and XUL.

XUL (XML User Interface Language) is an XML (Extensible Markup Language) user interface markup language. The XUL standard draws on other existing standards like DOM, XML, and CSS, and is similar in structure to HTML.

XUL has many predefined element types such as label, command, tree, etc. The tree element holds a set of rows of elements. An example of the use of the tree element follows:


Most XUL elements are at least partially implemented using XBL (XML Binding Language). XBL is a language used to describe bindings that can be attached to elements in other documents.

A vulnerability exists in Mozilla Firefox in the way the XBL event handler processes XUL documents with a series of specially crafted tree children. The flaw lies in the construction of a tree frame. If the value of the rows attribute of a tree element is negative, it mistakenly triggers an unrelated event which removes the treechildren frame node from the DOM tree. The deleted frame is subsequently referenced again by the calling function, which results in a NULL pointer dereference and terminates the browser process. It is reported that memory corruption may occur as a result of exploitation, which may lead to process flow diversion.

SonicWALL has released an IPS signature that will detect and block a specific exploit known to have been circulated in the wild. The following signature addresses this issue:

  • 5321 – Mozilla Firefox XUL Frame Tree Memory Corruption PoC

Bank of America Spam Trojan (Nov 25, 2008)

SonicWALL UTM Research team observed a new Bank of America phishing campaign starting today, Tuesday, November 25, 2008. The email pretends to be a service advertisement from Bank of America and contains a URL that supposedly leads to a demo video.

SonicWALL has received more than 1,000 e-mail copies of this phishing campaign today. The e-mail looks like the following:

Subject:

  • Bank of America – Demo Account
  • Bank of America – Demo Account Setup
  • Bank of America – Always Free Customer Service Demo Account, Try for FREE
  • Bank of America – full access privileges for your DEMO account

Email body:


The URL in the e-mail points to a phishing page containing a Bank of America image. The image carries the Bank of America logo and displays the bank’s URL in the status bar when the user points at it. It also shows a video screen with a play button.


When the user clicks, or after a few seconds of waiting, the page prompts the user to download the latest version of Adobe Flash Player 9 [Filename – Adobe_Player9.exe].


The file that gets downloaded is a new Trojan downloader variant.


When executed, the Trojan tries to connect to the silviocash.com domain and downloads a new Trojan [Filename – usp.exe] via HTTP.

At the time of writing this Alert, there was very low AntiVirus detection rate for both malware executables.

SonicWALL Gateway AntiVirus provides protection against these malware executables via GAV: Bofam (Trojan) and GAV: Bofam_2 (Trojan) signatures.