Posts

New statement spam (Oct 17, 2008)

SonicWALL UTM Research team observed a new wave of the on-going Statement document spam campaign starting today Friday, October 17, 2008. The email has a zip archived attachment which contains the new Trojan variant.

The e-mail contains the following attachment:

Attachment: Statement_01-10.zip (contains Statement_01-10.doc [WHITESPACES] .exe – UPX packed)

The Trojan, when executed, drops the following malicious file in the system folder:

  • rs32net.exe (copy of itself)

It also creates the following Registry keys to ensure that rs32net.exe gets executed automatically on system startup:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rs32net = "(SYSTEM FOLDER PATH)\rs32net.exe"

It then starts the rs32net.exe process and deletes the original copy of the file from the folder where it was executed.

The Trojan tries to send an HTTP GET request

  • GET /40E80008F04FCE3BCEE24D126C000001DD6600000002760000015EEB000530829EA5AC HTTP/1.0

to following IP addresses:

  • 208.66.194.240
  • 216.195.55.50
  • 216.195.56.22
  • 209.66.122.238
  • 91.203.92.7
  • 208.66.195.15
  • 208.66.195.71

The Trojan had a very low detection rate at the time of writing this report.

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Agent.AGWR (Trojan) signature.

SQL Injection Attack Summary (Oct 10, 2008)

The SQL Injection Attack is not new to SonicWALL customers, but it is still popular. The SonicWALL UTM team released an article about it two months ago. In that article, we explained the details of this type of attack and provided statistics about the attacks around that time.

During the past two months, more SQL Injection Attack waves have occurred. The following figure shows the hit statistics for all the SQL Injection related signatures from June 2008 on. It indicates there were three waves of attacks, two of which happened in August 2008.

To better protect SonicWALL customers from SQL Injection Attacks, the SonicWALL UTM team re-classified the SQL related signatures and created a new category called SQL-Injection. 36 signatures were re-classified into the new category. The detailed signature names can be found here. With this new category, customers can easily manage the SQL Injection related signatures, regardless of whether the signatures are low or high priority.

Note that the figure is more accurate than the one in the last article because it shows all 36 SQL Injection signatures instead of the 11 signatures shown last time.

Angelina Jolie video spam (Oct 6, 2008)

SonicWALL UTM Research team observed a new wave of the on-going Angelina Jolie video spam campaign starting on Monday, October 6, 2008. The email has a zip archived attachment which contains the new Downloader Trojan variant.

SonicWALL has received more than 60,000 e-mail copies of this malware to date. The e-mail looks like the following:

Attachment: video.zip (contains video.exe – UPX packed)

Subject: Angelina Jolie Free Video

Email Body:
————————
New sex scandal, Angelina Jolie porn watch in attached file
————————

The Trojan, when executed, drops the following malicious files in the system folder:

  • gzipmod.dll
  • vbagz.sys

It also creates the following Registry keys to ensure that gzipmod.dll is installed as a Winlogon notification package:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gzipmod
  • HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\kteproc.sys
  • HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\kteproc.sys

The Trojan includes a backdoor component that listens on TCP ports 6051 and 6052. It also tries to resolve the following domains and subsequently sends HTTP requests to them:

  • sargej-grienko.com
  • ulm-haafeulm-haa.com
  • art8005.com

The Trojan is also known as Trojan.Spy.Goldun.NDU [BitDefender], Win32/Spy.Goldun.NDN trojan [ESET], and TR/Crypt.XPACK.Gen [AntiVir].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Agent.XQL (Trojan) signature.

RealWin DATAC Control Buffer Overflow (Oct 1, 2008)

RealWin is a SCADA server product that monitors and controls an industrial, infrastructure or facility based process from a computer system. A SCADA system usually consists of a Human-Machine Interface, a supervisory system and Remote Terminal Units. RealWin, as a SCADA system, can read and maintain data returned from field devices using drivers, store data for historical access, run CSL (Command Sequence Language) scripts and generate alarms as defined in the system.

There is a stack-based buffer overflow vulnerability in DATAC Control RealWin SCADA System server product 2.0 and prior. The vulnerability is due to a boundary error while parsing a crafted value in a FC_INFOTAG/SET_CONTROL packet.

A remote, unauthenticated attacker could exploit this vulnerability by sending a specially crafted FC_INFOTAG/SET_CONTROL packet. Successful exploitation would allow arbitrary code injection and execution with the privileges of the affected service, or terminate the application, resulting in a Denial of Service condition.

SonicWALL has released a generic IPS signature that will detect and prevent attacks targeting this vulnerability. The signature to address this vulnerability is:

  • 1134 RealWin Server Crafted FC_INFOTAG/SET_CONTROL Packet BO Attempt
ICS Monitoring Team spam (Sep 29, 2008)

SonicWALL UTM Research team observed a new spam campaign starting on Friday, September 27, 2008, which involves a fake notification e-mail purporting to come from the ICS Monitoring Team. The email has a zip archived attachment which contains the new Downloader Trojan.

SonicWALL has received more than 40,000 e-mail copies of this malware so far. The e-mail looks like the following:

Attachment: user-EA49943X-activities.zip (contains user-EA49943X-activities.exe)

Subject: Your internet access is going to get suspended

Email Body:
————————
Your internet access is going to get suspended

The Internet Service Provider Consorcium was made to protect the rights of software authors, artists. We conduct regular wiretapping on our networks, to monitor criminal acts.

We are aware of your illegal activities on the internet wich were originating from

You can check the report of your activities in the past 6 month that we have attached. We strongly advise you to stop your activities regarding the illegal downloading of copyrighted material of your internet access will be suspended.

Sincerely ICS Monitoring Team
————————

The Trojan, when executed, drops the following malicious files in the system folder:

  • gzipmod.dll
  • tremir.bin
  • vbagz.sys

It also creates the following Registry keys:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gzipmod
  • HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\kteproc.sys
  • HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\kteproc.sys

It also tries to resolve the following domains and subsequently sends HTTP requests to them:

  • ulm-haafeulm-haa.com
  • art8005.com

The Trojan is also known as Trojan-Dropper.Win32.Agent.xgg [Kaspersky], W32/Downldr2.DVJA [F-Prot], and TR/Crypt.XPACK.Gen [AntiVir].

SonicWALL Gateway AntiVirus provided protection against this malware via GAV: Goldun.AZM (Trojan) signature [159,053 hits recorded].


Openwsman HTTP Basic Auth Overflow (Sep 25, 2008)

Web Services Management (WS-Management) is a specification of a SOAP-based protocol for the management of servers, devices, applications and more. Openwsman, maintained by Intel’s Open-Source Technology Center, is a project intended to provide an open-source implementation of WS-Management and to expose system management information on the Linux operating system.

The openwsman 2.0.0 management service is vulnerable to remote buffer overflow attacks. One of the authorization schemes supported by Openwsman is HTTP Basic authentication. An example of such a request follows:

POST / HTTP/1.1
Host: www.example.com
Authorization: Basic dnJ0OmZvb2Jhcg==

Openwsman decodes and stores the authorization credential in a stack-based buffer without performing boundary checks. The buffer has a static size of 4096 bytes. By sending HTTP requests with a specially crafted Authorization header value (longer than 5462 bytes), a user without valid login credentials could trigger the buffer overflow. Successful exploitation could lead to execution of arbitrary code on the vulnerable system with the privileges of the openwsman server process.

SonicWALL has released a generic IPS signature that will detect and prevent attacks targeting this vulnerability. The signature to address this vulnerability is:

  • 2060 Openwsman HTTP Basic Authentication BO Attempt
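The defensive counterpart of the overflow described above is to size-check the Basic credential before it is ever decoded. The following Python, added here as an example and not Openwsman's or SonicWALL's code, parses a raw HTTP request, computes the decoded length of the Authorization token from its encoded length alone, and blocks anything that would not fit the 4096-byte buffer; the two sample requests are constructed, the first reusing the header shown in the advisory.

```python
import base64
import binascii
BASIC_BUFFER_BYTES = 4096   # size of the stack buffer described in the advisory
MAX_SAFE_B64_CHARS = 5462   # encoded length beyond which the advisory says the overflow triggers

# Constructed sample requests: the first reuses the advisory's header, the second is oversized.
GOOD_REQUEST = b"POST / HTTP/1.1\r\nHost: www.example.com\r\nAuthorization: Basic dnJ0OmZvb2Jhcg==\r\n\r\n"
BAD_REQUEST = b"POST / HTTP/1.1\r\nHost: www.example.com\r\nAuthorization: Basic " + b"A" * 6000 + b"\r\n\r\n"

def parse_headers(raw):
    """Split a raw HTTP request into its request line and a {lower-case name: value} map."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def decoded_size(token):
    return (len(token) * 3) // 4 - token.count("=")   # 4 base64 chars -> 3 bytes, minus padding

def check_basic_auth(raw):
    """Inspect the Authorization header; return sizes and an allow/block verdict."""
    _, headers = parse_headers(raw)
    value = headers.get("authorization")
    result = {"scheme": None, "encoded_len": 0, "decoded_len": 0, "verdict": "allow"}
    if value is None:
        return result                                  # nothing to check
    scheme, _, token = value.partition(" ")
    result["scheme"] = scheme
    if scheme.lower() != "basic":
        return result                                  # only Basic credentials feed the 4096-byte buffer
    token = token.strip()
    result["encoded_len"] = len(token)
    result["decoded_len"] = decoded_size(token)
    # Reject on size first so the credential is never decoded into a buffer it cannot fit.
    if result["decoded_len"] > BASIC_BUFFER_BYTES or result["encoded_len"] > MAX_SAFE_B64_CHARS:
        result["verdict"] = "block: credential would overflow %d-byte buffer" % BASIC_BUFFER_BYTES
        return result
    try:
        creds = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        result["verdict"] = "block: malformed base64"
        return result
    if b":" not in creds:
        result["verdict"] = "block: no user:password separator"
    return result
```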

Important Document (doc.zip) spam (Sep 23, 2008)

SonicWALL UTM Research team observed a new spam campaign starting on Monday, September 22, 2008, which involves a fake e-mail claiming to carry an important document.

SonicWALL has received 4,500 e-mail copies of this malware so far. The e-mail looks like the following:

Attachment: doc.zip (contains doc.exe) -> password protected

Subject: Important document for X (where X = random alphanumeric string)

Email Body:
————————
Hello X, the document is attached. Pass 123.
————————

The email attachment contains a zipped malware executable which is a new Downloader Trojan. The Trojan, when executed, drops the following files on the system:

  • c:\2.tmp
  • c:\3.tmp
  • c:\4.tmp
  • c:\5.tmp
  • c:\6.tmp
  • c:\7.tmp

It also tries to download other malware by sending the following GET requests:

  • hxxp://79.135.XX.18/cgi-bin/index.cgi?user5
  • hxxp://79.135.XX.18/scan.exe
  • hxxp://79.135.XX.18/s.exe
  • hxxp://79.135.XX.18/l.exe
  • hxxp://79.135.XX.18/ftp.exe

The Trojan is also known as TrojanDownloader:Win32/Chepvil.H [Microsoft], W32/Trojan3.AN [F-Prot], and TR/Dropper.Gen [AntiVir].

SonicWALL provides protection against password-protected zip files via the GAV: Password-protected ZIP file signature. It is highly recommended to turn on the “Restrict Transfer of password-protected ZIP files” option in the Gateway Anti-Virus settings to enable the signature.

SonicWALL has also released a signature to detect the new Downloader Trojan: Agent.AHKV (Trojan)
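The attachments in the Statement (Statement_01-10.doc [WHITESPACES] .exe), Angelina Jolie (video.exe) and doc.zip campaigns above rely on two tricks a mail gateway can check for without opening the payload: a member name that disguises an executable, and an encrypted entry that keeps the payload from being scanned. The following Python is added here as an example, not SonicWALL's code; the archives it builds are constructed in memory with placeholder content, and the encrypted flag is set directly in the zip headers because the standard library cannot write encrypted archives.

```python
import io
import re
import zipfile

EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

def inspect_member_name(name):
    """Return the reasons a zip member name looks like a disguised executable ([] if none)."""
    base = name.rsplit("/", 1)[-1].rstrip()
    ext = ("." + base.rsplit(".", 1)[-1].lower()) if "." in base else ""
    if ext not in EXEC_EXTS:
        return []
    reasons = ["executable extension " + ext]
    inner = base[:-len(ext)].rstrip()            # name with the real extension removed
    if "." in inner:
        reasons.append("double extension ." + inner.rsplit(".", 1)[-1].lower())
    if re.search(r"\s{2,}\.[^.]+$", base):       # run of spaces pushes the real extension out of view
        reasons.append("whitespace padding before the real extension")
    return reasons

def inspect_zip(data):
    """Inspect a zip archive given as bytes; returns {member name: [reasons]} for flagged members."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = inspect_member_name(info.filename)
            if info.flag_bits & 0x1:             # general-purpose flag bit 0: entry is encrypted
                reasons.append("password-protected entry")
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample_zip(names, encrypted=False):
    """Constructed test fixture: an archive with the given member names and placeholder content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"placeholder text, not an executable")
    data = bytearray(buf.getvalue())
    if encrypted:
        # zipfile cannot write encrypted archives, so set the 'encrypted' flag bit directly in
        # each local file header (flags at offset 6) and central directory record (offset 8).
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + off] |= 1
                pos = data.find(sig, pos + 4)
    return bytes(data)
```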

IBM DB2 XML Query Buffer Overflow (Sep 19, 2008)

A remotely exploitable vulnerability has been reported in the IBM DB2 Database product. The DB2 product consists of a set of separate services that provide data processing functions. The main database engine process is contained in the binary executable db2syscs.exe on Windows based installations.

The DB2 database has unique facilities to store and manage data in XML format. Querying and manipulation of XML data objects is performed with the help of the XQuery query language. DB2 supports a set of functions that can resolve XQuery expressions to facilitate XML data management.

One such XQuery function is XMLQUERY. Given an XQuery expression as its argument, this function returns an XML value from the database. The syntax of XMLQUERY is described as follows:

XMLQUERY(xquery-expression-constant [PASSING xquery-argument AS identifier] )

where xquery-expression-constant is an SQL character string that is interpreted as an XQuery expression. A practical example of the function's use is shown below:

SELECT XMLQuery('$PORDER/PurchaseOrder/item/name') FROM purchaseorder

A stack buffer overflow vulnerability exists during the processing of the XMLQUERY function. The vulnerability is a result of insufficient boundary checks on the xquery-expression-constant string passed to the affected function. The vulnerable code does not properly validate the length of this parameter before making an internal copy of it to a limited buffer on the stack. This has been shown to result in overwriting of critical memory locations in cases where the string argument is overly long.

A remote authenticated attacker with limited privileges could exploit this vulnerability by passing a specially crafted argument to the XMLQUERY function in a SQL statement. Successful exploitation of this flaw may allow the attacker to inject and execute arbitrary code in the context of the affected service, normally the Administrative account.

SonicWALL has released a generic IPS signature that will detect and prevent attacks targeting this vulnerability. The signature released to address this vulnerability is:

  • 5244 IBM DB2 Universal Database XMLQuery BO Attempt

Contract.zip Trojan (Sep 17, 2008)

SonicWALL UTM Research team observed a new spam campaign starting on Wednesday, Sep 17 at 00:41:58 PST, which uses fake legal paperwork as social engineering.

SonicWALL has received 450 e-mail copies of this malware so far.

Attachment: contract.zip (contains file contract.doc.exe)

The email content is:
——————
Dear customers,
We have prepared a contract and added the paragraphs that
you wanted to see in it.
Our lawyers made alterations on the last page.
If you agree with all the provisions we are ready to
make the payment on Friday for the first consignment.
We are enclosing the file with the prepared contract.

If necessary, we can send it by fax.
Looking forward to your decision.
—————

The subjects used by this Trojan are:

  • Contract of order fulfillment
  • Contract of retirement
  • Contract of settlements
  • Loan Contract
  • Open an account
  • Permit for retirement
  • Record in debit of account
  • Rent contract
  • Your new labour contract

When run, it copies itself to C:\Program Files\Microsoft Common\wuauclt.exe, A:\system.exe and B:\system.exe.

Downloads
|–> http://www.econoco**.com/images/lspr.exe
|–> http://www.econoco**.com/images/rep.exe

The Trojan then changes the Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe "" = C:\Program Files\Microsoft Common\wuauclt.exe

The Trojan is also known as Trojan.Win32.Agent.adyf (Kaspersky), TR/Dldr.Agent.RCE (Antivir) and Win32/AutoRun.ZV worm (Eset). It has a file size of 66,560 bytes.

SonicWALL has released a signature to protect against this threat: GAV: Agent.ADYF (Trojan)
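The Trojans in these posts persist through four ordinary registry locations: the Run key (rs32net), a Winlogon notification package (gzipmod), SafeBoot entries (kteproc.sys) and an Image File Execution Options entry for explorer.exe (Contract.zip). The following Python scanner, added here as an example and not SonicWALL's own tooling, parses a .reg export and classifies each entry by technique and severity; the export is constructed and modelled on those keys, and the value names it uses (DllName, Debugger) and the paths are illustrative assumptions rather than values taken from the posts.

```python
import re

# Constructed .reg export for this example, modelled on the persistence keys described in
# these posts; the value names (DllName, Debugger) and paths are illustrative assumptions.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"rs32net"="C:\\WINDOWS\\system32\\rs32net.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gzipmod]
"DllName"="gzipmod.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\kteproc.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\Program Files\\Microsoft Common\\wuauclt.exe"
'''

# (technique, regex matched against the key path, required value name or None, severity)
RULES = [
    ("IFEO debugger hijack", r"\\Image File Execution Options\\[^\\]+$", "debugger", "high"),
    ("Winlogon notification package", r"\\Winlogon\\Notify\\[^\\]+$", None, "high"),
    ("SafeBoot entry (survives Safe Mode)", r"\\Control\\SafeBoot\\(Minimal|Network)\\[^\\]+$", None, "medium"),
    ("Run key autostart", r"\\CurrentVersion\\Run$", None, "review"),
]

def parse_reg(text):
    """Yield (key, value_name, data) from a .reg export; only string values are handled."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line:
            name, _, data = line.partition("=")
            name = "" if name == "@" else name.strip('"')      # @ is the key's default value
            yield key, name, data.strip('"').replace("\\\\", "\\")

def scan_persistence(text):
    """Return findings as (severity, technique, key, value_name, data) tuples."""
    findings = []
    for key, name, data in parse_reg(text):
        for technique, pattern, value_filter, severity in RULES:
            if re.search(pattern, key, re.IGNORECASE) and (value_filter is None or name.lower() == value_filter):
                findings.append((severity, technique, key, name, data))
    return findings
```

Run entries are reported as "review" rather than "high" because legitimate software uses them too; the other three locations are rarely touched by anything but installers and malware.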

Obama Sex Trojan (Sep 12, 2008)

SonicWALL UTM Research team observed a new spam campaign which uses the US presidential election as a social engineering mechanism to install a Trojan.

The email appears to be from obamasex@obama.com with the subject “Barack Obama sex story with girl”.

The email content is:
——————
Sensation!!! United States Senator for Illinois
Barack Obama in 2007 was travel to Ukraine and
have sex action with many ukrainian girls!
You may view this private porno in a flash video.
Download and view now. Please send this
news to your friends!
Obama it’s not right choice!!!
—————

The link goes to a Chinese domain site hosted in Thailand:
hxxp://***promo.cn/sensations/obama_b***job.exe

If the link is clicked, a video plays for 14 seconds while, in the background, an information-stealing Trojan is installed on the victim’s computer.

The Trojan is also known as Trojan.Win32.Agent.acyq (Kaspersky), PWS-Banker.cs trojan (McAfee) and Mal/Hupig-D (Sophos). It installs itself as C:\Documents and Settings\[UserName]\Local Settings\Temp\system32_.exe and installs 809.exe in the user’s Temporary Internet Files folder.

Also a Browser Helper Object (BHO) named Siemens32.dll is registered. It posts stolen data to a compromised Finnish travel site:
hxxp://*****-hotel.com/berloga/datas.php

SonicWALL has released a GAV signature to protect against this threat: GAV: Agent.ACYQ (Trojan)

Here is a screenshot of the email:

[screenshot of the e-mail]