Posts

Rejected Federal Tax payment spam campaign (Nov 10, 2011)

SonicWALL UTM Research team observed a new spam campaign pretending to come from the IRS information center. It informs the user about a rejected Federal Tax payment and asks them to review the attached PDF report file for more information. The attached file is a malicious executable Trojan masquerading as a PDF file.

A sample e-mail message looks like:

screenshot

The attached report file looks like:

screenshot

If executed, the file performs the following activity:

  • Creates a process svchost.exe and injects code into it.
  • Connects to public Google DNS Server 8.8.4.4 to check for Internet connectivity and sends DNS queries to it for a list of predetermined remote servers:
    • followmego12.ru
    • hidemyfass87111.ru
    • losokorot7621.ru
    • mamtumbochka766.ru

  • Reports the infected machine’s information to one of the above mentioned servers via POST request:

    screenshot

    The decrypted version of the data being sent looks like “id:8(REMOVED)|bid:X|bv:XXX|sv:XXXX|la:X”

  • It further attempts to download malicious executable files from a remote server in Latvia:
    • 91.22(REMOVED).29/step.exe [Detected as GAV: Pakes.II_2 (Trojan)]
    • 91.22(REMOVED).29/spm.exe [Detected as GAV: Festi.C_3 (Trojan)]
  • Drops the following files:
    • (All Users Temp)\5328ffb60049acd7.exe [Copy of itself detected as GAV: Pakes.QUJ (Trojan)]
    • (User Temp)\uhbgmrxgvk.bat [Batch file to remove previous version]
  • Deletes the original copy of the file.
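The activity list above ends with the DNS lookups an infected host makes for its command servers, which is the cheapest place to detect this infection on the network. The following is an added example, not code from the SonicWALL alert: it scans DNS query logs for the four domains named above, also matching any subdomain of them. The log line format and the client addresses are constructed for the example.

```python
"""Added example (not from the SonicWALL alert): flag DNS lookups for the
command-server domains listed in the Rejected Federal Tax payment alert.
The dnsmasq-like log format and the client IPs are constructed."""
import re
from typing import Iterable, List, Tuple

# Domains taken from the alert; an infected host resolves these via 8.8.4.4.
C2_DOMAINS = {
    "followmego12.ru",
    "hidemyfass87111.ru",
    "losokorot7621.ru",
    "mamtumbochka766.ru",
}

# Constructed log lines: "query[TYPE] name from client".
SAMPLE_LOG = """\
Nov 10 09:12:01 dns: query[A] www.irs.gov from 10.0.0.15
Nov 10 09:12:04 dns: query[A] followmego12.ru from 10.0.0.15
Nov 10 09:12:04 dns: query[A] hidemyfass87111.ru from 10.0.0.15
Nov 10 09:13:10 dns: query[A] update.microsoft.com from 10.0.0.22
Nov 10 09:14:31 dns: query[A] MAMTUMBOCHKA766.RU. from 10.0.0.31
Nov 10 09:15:00 dns: query[A] cdn.losokorot7621.ru from 10.0.0.40
"""

LINE_RE = re.compile(r"query\[\w+\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")


def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so FQDN spellings match the list."""
    return name.lower().rstrip(".")


def matches_c2(name: str) -> bool:
    """True for a listed domain or any subdomain of one (generalises the list)."""
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def find_c2_lookups(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (client, queried_name) for every query that hits a listed domain."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query line
        name = normalize(m.group("name"))
        if matches_c2(name):
            hits.append((m.group("client"), name))
    return hits


def infected_clients(lines: Iterable[str]) -> List[str]:
    """Distinct clients that resolved at least one listed domain, sorted."""
    return sorted({client for client, _ in find_c2_lookups(lines)})


if __name__ == "__main__":
    for client, domain in find_c2_lookups(SAMPLE_LOG.splitlines()):
        print(f"{client} looked up {domain}")
```

Matching is done on the normalised name rather than with a substring search, so a lookup for an unrelated domain that merely contains one of these strings is not reported.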

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Pakes.QUJ (Trojan)
  • GAV: Festi.C_3 (Trojan)
  • GAV: Pakes.II_2 (Trojan)

Microsoft Security Bulletin Coverage (Nov 8, 2011)

SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of November, 2011. A list of issues reported, along with SonicWALL coverage information follows:

MS11-083 Vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

  • CVE-2011-2013 Reference Counter Overflow
    Normal traffic is not distinguishable from malicious traffic.

MS11-084 Vulnerability in Windows Kernel-Mode Drivers Could Allow Denial of Service (2617657)

  • CVE-2011-2004 TrueType Font Parsing Vulnerability
    There is no feasible method of detection.

MS11-085 Vulnerability in Windows Mail and Windows Meeting Space Could Allow Remote Code Execution (2620704)

  • CVE-2011-2016 Windows Mail Insecure Library Loading Vulnerability
    IPS: 5726 – Possible Binary Planting Attempt 1

MS11-086 Vulnerability in Active Directory Could Allow Elevation of Privilege (2630837)

  • CVE-2011-2014 LDAPS Authentication Bypass Vulnerability
    Normal traffic is not distinguishable from malicious traffic.

Microsoft Windows TrueType Parsing Engine Code Execution (Nov 3, 2011)

TrueType is an outline font standard originally developed by Apple Computer in the late 1980s as a competitor to Adobe’s Type 1 fonts used in PostScript. TrueType has become the most common format for fonts on both the Mac OS and Microsoft Windows operating systems. Microsoft Windows parses TTF data with a kernel component, the Win32k TrueType font parsing engine.

A remote code execution vulnerability has been found in Microsoft Windows. Specifically, the vulnerability lies in the Win32k TrueType font parsing engine. By exploiting it, an attacker could run arbitrary code in kernel mode on the target system. This vulnerability is related to the Duqu malware.

SonicWALL UTM team has researched this vulnerability and released the following GAV signature:

  • 56984 TTF.Exp.MP.1

Microsoft refers to this vulnerability as 2639658, and CVE refers to it as CVE-2011-3402.

New Banker Trojan redirects credentials to remote server (Nov 3, 2011)

The Sonicwall UTM research team received reports of a new Banking Trojan in the wild. Banking Trojans steal logon credentials and target specific banks. This Banking Trojan targets users of ITAU bank based in Brazil. The Trojan steals bank logon credentials by redirecting traffic through a remote webserver.

The Trojan adds the following files to the filesystem:

  • {run location}\abcde.txt [Detected as GAV: Banker.ITC (Trojan)]
  • C:\Documents and Settings\All Users\Application Data\bola7.txt [Detected as GAV: Banload.QLO_2 (Trojan)]
  • C:\Documents and Settings\All Users\Application Data\clear.exe [Detected as GAV: Banker.SMY_4 (Trojan)]
  • C:\Documents and Settings\All Users\Application Data\crsrc.exe [Detected as GAV: Banker.SMY_5 (Trojan)]
  • C:\Documents and Settings\All Users\Application Data\iexplore.exe [Detected as GAV: Banker.SMY_6 (Trojan)]
  • C:\Documents and Settings\All Users\Application Data\mbservice.exe [Detected as GAV: Banker.SMY_7 (Trojan)]
  • C:\Documents and Settings\All Users\Application Data\h4714log.txt

h4714log.txt contains the following data:

      tipo=inf
      nomepc={USERNAME}
      mac=08-00-27-{removed}

The Trojan adds the following key to the Windows registry to enable startup after reboot:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run mbservice.exe “C:\Documents and Settings\All Users\Application Data\mbservice.exe”

Upon infection the Trojan replaces itself with {run location}\abcde.txt and then runs mbservice.exe. mbservice.exe runs in the background inspecting window title strings. It contains code that looks for the specific window title string “BANCO ITAU – FEITO PARA VOCE” in Internet Explorer.

The Trojan targets users of ITAU bank. Below is a screenshot of their main page:

The Trojan redirects all traffic through a remote webserver and was observed leaking the following data from h4714log.txt:

The Trojan also leaks data typed into the “Agency” and “Account” boxes and passwords using the virtual keyboard:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Banload.QLO_2 (Trojan)
  • GAV: Banker.SMY_4 (Trojan)
  • GAV: Banker.SMY_5 (Trojan)
  • GAV: Banker.SMY_6 (Trojan)
  • GAV: Banker.SMY_7 (Trojan)

Oracle AutoVueX ActiveX Arbitrary File Creation (Nov 3, 2011)

Oracle’s AutoVue enterprise visualization is a suite of Oracle products for viewing, reviewing and collaborating on product, asset and engineering documents and information across remote locations. The AutoVue suite contains an ActiveX control (AutoVueX.ocx) that allows web based interaction with the specified documents.

A file creation vulnerability exists in Oracle’s AutoVueX ActiveX control. Specifically, the vulnerable ActiveX control fails to sanitize parameters in several methods which handle file I/O. A remote attacker can exploit this vulnerability by enticing a user to open a specially crafted webpage. Successful exploitation can result in arbitrary file creation or file overwriting on the file system.

SonicWALL has released multiple IPS signatures to detect and block specific exploitation attempts targeting this vulnerability. The signatures are listed below:

  • 2587 Oracle AutoVueX ActiveX Arbitrary File Creation 1
  • 2849 Oracle AutoVueX ActiveX Arbitrary File Creation 2
  • 2921 Oracle AutoVueX ActiveX Arbitrary File Creation 3

Apple Safari Webkit libxslt File Creation Vulnerability (Oct 27, 2011)

Safari is a web browser application developed by Apple Inc. and included with the Mac OS X and iOS operating systems. It supports retrieving, presenting, and traversing information resources such as web pages, images and video on the World Wide Web. Safari is capable of parsing multiple file formats including HTML, CSS, XML, JPG, PIC and so on. Safari is the default web browser for Mac OS X. A simplified version, MobileSafari, runs on Apple iPhone devices. Safari is based on the WebKit rendering engine. WebKit is a development toolkit which allows third party developers to build applications that use technologies such as HTML and JavaScript. WebKit provides the WebCore HTML parser and the JavaScriptCore JavaScript engine.

Extensible Markup Language (XML) is a set of rules for encoding documents in machine-readable form. It is defined in the XML 1.0 Specification produced by the W3C, and several other related specifications. XSLT is a language with an XML-based syntax that is used to transform XML documents into other XML documents, HTML, or other, unstructured formats such as plain text or RTF. For example:

Sample of incoming XML document:

          John     Smith           Morka     Ismincius     

XSLT stylesheet provides templates to transform the XML document:

                                                           

Its evaluation results in a new XML document, having another structure:

     John   Morka  

WebKit uses the GNOME project’s libxslt library for applying XSLT to XML documents. Libxslt supports multiple extensions to XSLT, including many proposed by the EXSLT XSLT extensions initiative, and some found in the Saxon XSLT and XQuery processor. An arbitrary file creation vulnerability exists in Safari’s use of the WebKit rendering engine. A remote attacker can exploit this vulnerability to create arbitrary files on the target user’s machine. Remote code execution is possible if the attacker can write a file that will be executed by the host OS.

SonicWALL UTM team has researched this vulnerability and created the following IPS signatures to detect attacks targeting this vulnerability.

  • 2524 Apple Safari Webkit libxslt Arbitrary File Creation 1
  • 2534 Apple Safari Webkit libxslt Arbitrary File Creation 2
  • 7047 Apple Safari Webkit libxslt Arbitrary File Creation Exploit

CVE refers to this vulnerability as CVE-2011-1774.

Hanove Backdoor Trojan (Oct 27, 2011)

SonicWALL UTM Research team discovered a new backdoor Trojan in the wild. This backdoor Trojan called Hanove opens a backdoor on the infected system allowing the attacker to send further commands to the compromised system. The Trojan was also observed to be capturing and uploading screenshots of the user’s desktop to a remote server at regular intervals.

It performs the following activities:

  • It ensures persistence of infection across reboots by creating the following startup script:
      All Users\Start Menu\Programs\Startup\syncdata.vbs
      screenshot

  • It captures screenshots of the user’s desktop at five second intervals and stores them at the following location:
      Documents and Settings\{user}\Desktop\shot.bmp
      screenshot

  • It renames the captured screenshot using the current timestamp, in the following file name format:
      mm-dd-yy_HH-MM-SS.jpg

  • It decrypts obfuscated strings in memory to construct the remote URL it contacts. The decryption routine simply decrements the value of each character by one to recover the plaintext string.
      screenshot

  • It uploads the captured screenshot to a remote URL using the custom user agent string “MBVDFRESCT”
      screenshot

  • It receives the following response if the upload is successful:
      screenshot

  • The remote server it connects to is hosted in Pennsylvania, United States and is active at the time of writing this alert
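Three of the behaviours above are directly usable by an analyst: the character-decrement string obfuscation, the fixed User-Agent on the upload, and the timestamped screenshot file name. The block below is an added example, not code from the alert or from SonicWALL. It recovers a string obfuscated the way the alert describes and scans proxy log lines for the upload traffic. The obfuscated sample, the URL and the log lines are constructed for the example; the real remote URL is not on the page.

```python
"""Added example (not the alert's or SonicWALL's code): helpers for the
Hanove behaviours described in the alert. All sample data is constructed."""
import re
from typing import Iterable, List, Tuple


def hanove_decode(obfuscated: str) -> str:
    """Undo the obfuscation: per the alert, each character is decremented by one."""
    return "".join(chr(ord(c) - 1) for c in obfuscated)


def hanove_encode(plain: str) -> str:
    """Inverse of the decode step, used here only to build a test vector."""
    return "".join(chr(ord(c) + 1) for c in plain)


# Constructed stand-in for an obfuscated URL as it would sit in the binary.
OBFUSCATED_SAMPLE = hanove_encode("http://c2.example.invalid/upload.php")

USER_AGENT = "MBVDFRESCT"  # custom User-Agent named in the alert

# Screenshot names follow mm-dd-yy_HH-MM-SS.jpg according to the alert.
SHOT_NAME_RE = re.compile(r"\b\d{2}-\d{2}-\d{2}_\d{2}-\d{2}-\d{2}\.jpg\b")

# Constructed proxy log lines: client method url "user-agent"
SAMPLE_PROXY_LOG = """\
10.0.0.7 GET http://www.example.com/ "Mozilla/5.0"
10.0.0.9 POST http://c2.example.invalid/upload.php "MBVDFRESCT"
10.0.0.9 POST http://c2.example.invalid/upload.php?f=10-27-11_14-05-09.jpg "MBVDFRESCT"
10.0.0.12 GET http://www.example.org/ "Mozilla/5.0"
"""

PROXY_RE = re.compile(
    r'^(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"(?P<ua>[^"]*)"'
)


def find_hanove_uploads(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """(client, url) for every request carrying the Hanove User-Agent exactly."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if m and m.group("ua") == USER_AGENT:
            hits.append((m.group("client"), m.group("url")))
    return hits


def screenshot_names(lines: Iterable[str]) -> List[str]:
    """Every timestamp-style screenshot file name seen in the lines."""
    return [m.group(0) for line in lines for m in SHOT_NAME_RE.finditer(line)]


if __name__ == "__main__":
    print(hanove_decode(OBFUSCATED_SAMPLE))
    for client, url in find_hanove_uploads(SAMPLE_PROXY_LOG.splitlines()):
        print(f"{client} -> {url}")
```

The User-Agent comparison is exact rather than a substring match, because the string is short enough to collide with unrelated agents if matched loosely; the file name pattern is a secondary indicator and on its own only suggests the screenshot cadence the alert describes.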

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Hanove.A (Trojan)
  • GAV: Hanove.A_2 (Trojan)

US Postal Service Email Spam (Oct 21, 2011)

SonicWALL UTM Research team received reports of a new spam campaign, spreading in the wild, that pretends to come from the US Postal Service. It carries a new variant of the Dofoil Trojan that SonicWALL blocks as GAV: Dofoil.L. This malware also downloads other components, including Trojans and FakeAV malware.

The sample e-mail format of the spam campaign includes the following:

Subject:

  • USPS Shipment Status IDxxxxxxxx
  • USPS service. Get your parcel IDxxxxxxxx
  • USPS Invoice copy IDxxxxxxxx
  • USPS Tracking number IDxxxxxxxx

Attachment: Post_Label#id{Random Numbers}.zip

The ZIP file attachment contains the malicious executable, which disguises itself with a Microsoft Word icon as shown below:

    screenshot

Example of the email spam:

    screenshot

If the user downloads and executes the malicious executable inside the zip attachment, it performs the following activity:

  • Creates the process SVCHOST.EXE and injects its code.
  • Creates a copy of itself as %application data%\csrss.exe and deletes the original executable file

Downloads other malware:

  • %windir%\system32\msrepl40A.exe – [ detected as GAV: Swisyn.JYB (Trojan) ]
  • %windir%\system32\wbcache8.exe – [ detected as GAV: Swisyn.JYB (Trojan) ]
  • sl20.exe – [ detected as GAV: EncPk.WX_3 (Trojan) ]
  • setup.exe – [ detected as GAV: Pirminay.ANW (Trojan) ]
  • 574-01.exe – [ detected as GAV: FakeAlert.BHX (Trojan) ]
  • sssss.exe – [ detected as GAV: Danmec.L (Trojan) ]

Added Registry:

  • Key: HKEY_CURRENT_USER\Software\gtwbetugt
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Value: Epsilon Squared
    Data: ”%Application Data%\csrss.exe”
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Value: TKYDMYTE
    Data: ”C:\WINDOWS\System32\wbcache8.exe”
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Value: Dbft
    Data: ”C:\WINDOWS\System32\msrepl40A.exe”

Network Activity:

HTTP GET Requests:

  • http://live{REMOVED}128.ru/m07/index.php
  • http://suteki{REMOVED}disc.jp/walking-diet/
  • http://image{REMOVED}ing.be/

DNS Requests:

  • http://live{REMOVED}128.ru

Hosts File Modification:

This malware adds the following entries to block access to torrent websites:

  • 127.0.0.1 thepiratebay.org
  • 127.0.0.1 www.thepiratebay.org
  • 127.0.0.1 mininova.org
  • 127.0.0.1 www.mininova.org
  • 127.0.0.1 forum.mininova.org
  • 127.0.0.1 blog.mininova.org
  • 127.0.0.1 suprbay.org
  • 127.0.0.1 www.suprbay.org
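Hosts-file tampering of the kind listed above is easy to audit: any line that maps a public host name to a loopback or unspecified address, other than the handful of names a clean hosts file legitimately maps there, deserves a look. The block below is an added example, not code from the alert or from SonicWALL; it parses hosts-file text and reports such sinkhole entries. The hosts content is constructed for the example and mixes the entries from the alert with normal lines.

```python
"""Added example (not the alert's or SonicWALL's code): audit a Windows
hosts file for public names pinned to loopback, as the Dofoil sample does.
The hosts text below is constructed."""
import ipaddress
from typing import List, Tuple

# Names a clean hosts file legitimately maps to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1 thepiratebay.org
127.0.0.1 www.thepiratebay.org
127.0.0.1 mininova.org   # trailing comment, still an entry
0.0.0.0 suprbay.org
192.168.1.10 printer.corp.example
not-an-address bogus.example
"""


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [names...]) for each non-comment, non-empty line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments, then whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no names is not an entry
        entries.append((parts[0], parts[1:]))
    return entries


def suspicious_sinkholes(text: str) -> List[str]:
    """Host names mapped to loopback or 0.0.0.0 that are not the usual local names."""
    flagged = []
    for addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed address field; not a working sinkhole
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        for name in names:
            if name.lower() not in LOCAL_NAMES:
                flagged.append(name.lower())
    return flagged


if __name__ == "__main__":
    for name in suspicious_sinkholes(SAMPLE_HOSTS):
        print("sinkholed:", name)
```

The check is deliberately address-based rather than a blocklist of the eight names in the alert, so it also catches the far more common case where security-vendor update hosts are sinkholed the same way.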

FakeAV

After installation, the FakeAV application shows a fake Windows error alert as seen below:

    screenshot

    screenshot

    screenshot

Clicking the “Scan and fix” Button will scan for errors and show a fake result:

    screenshot

Clicking the “Fix Errors” button prompts the user to buy the fake security software.

    screenshot

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Dofoil.L#email (Trojan)
  • GAV: Dofoil.L (Trojan)
  • GAV: Swisyn.JYB (Trojan)
  • GAV: EncPk.WX_3 (Trojan)
  • GAV: FakeAlert.BHX (Trojan)
  • GAV: Danmec.L (Trojan)

Oracle Outside In CorelDRAW Integer Overflow (Oct 20, 2011)

Oracle Outside In Technology provides software developers with a comprehensive solution to access, transform, and control the contents of unstructured file formats. The supported formats range from office suites, such as Microsoft Office 2007, to specialty formats and legacy files. Outside In is embedded in multiple client and server products that need to parse these file formats.

CorelDRAW is a vector graphics editor developed and marketed by Corel Corporation. CorelDRAW uses the CDR file format, a proprietary format developed by Corel Corporation and primarily used for vector graphic drawings. Outside In supports Corel Corporation’s CDR file format. This file format is encoded in the hierarchical Resource Interchange File Format (RIFF). RIFF is based on the Interchange File Format (IFF), and all multi-byte integers are in little-endian format. The basic storage structure of RIFF is called a chunk. The format of a chunk is illustrated below:

      Offset  Type     Description
      ------  -------  -----------------------------------------------------------------
      0x0000  Byte[4]  four ASCII character identifier, padded with space if less than 4
      0x0004  DWORD    Size of Data
      0x0008  Byte[]   Size bytes of data, plus one padding byte if Size is odd

The structure of a CorelDRAW file is not publicly documented. The following structure is the result of reverse engineering the format:

      RIFF ('CDR8' or 'CDR7'
          'vrsn' (version number?)
          'DISP'
          LIST ('INFO'
              'IKEY'
              ...
              )
          LIST ('CMPR' ...)
              LIST ('doc '
                  'mcfg'
                  'ptrt'
                  LIST('stlt'
                      )
              )
          )

An integer overflow vulnerability exists in Oracle Outside In. The vulnerability is due to improper bounds checking of the user-supplied chunk data: the chunk Size field is used to calculate the size of a memory allocation, and that memory is then filled with user-supplied chunk data. Remote attackers could exploit the vulnerability to inject and execute arbitrary code in the context of the vulnerable service or user application.
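The chunk layout and the nested RIFF/LIST structure above are enough to write a parser that does the bounds checking the alert says is missing. The following is an added example, not Oracle’s or SonicWALL’s code: a small RIFF chunk walker that validates every Size field against the bytes actually remaining before trusting it, and a helper that shows how a 32-bit computation of Size plus its padding byte wraps to a tiny allocation when Size is near 0xFFFFFFFF, which is one common way a chunk-size integer overflow arises (the alert does not state the exact arithmetic in Outside In). The byte buffers are constructed and are not real CDR files.

```python
"""Added example (not Oracle's or SonicWALL's code): a bounds-checked RIFF
chunk walker following the chunk layout in the alert. Buffers are constructed."""
import struct
from typing import List, Optional, Tuple

U32_MAX = 0xFFFFFFFF


def padded_size_32bit(size: int) -> int:
    """Allocation size a naive 32-bit parser would compute: Size rounded up to
    the padding byte, wrapped modulo 2**32. A Size of 0xFFFFFFFF wraps to 0,
    so the later copy of Size bytes overruns whatever was allocated."""
    return (size + 1) & U32_MAX if size & 1 else size


# Each entry: (nesting depth, chunk id, form type for RIFF/LIST else None, size)
Chunk = Tuple[int, bytes, Optional[bytes], int]


def walk_chunks(buf: bytes, start: int = 0, end: Optional[int] = None,
                depth: int = 0) -> List[Chunk]:
    """Walk the chunks in buf[start:end], descending into RIFF and LIST chunks.
    Raises ValueError as soon as any declared Size cannot fit in the buffer."""
    if end is None:
        end = len(buf)
    out: List[Chunk] = []
    off = start
    while off < end:
        if end - off < 8:
            raise ValueError(f"truncated chunk header at offset {off}")
        cid, size = struct.unpack_from("<4sI", buf, off)  # little-endian DWORD size
        data_start = off + 8
        # The check that matters: compare the raw Size with the bytes that remain,
        # before any arithmetic on it (Python ints do not wrap, but the order of
        # checks is what a C parser must get right).
        if size > end - data_start:
            raise ValueError(
                f"chunk {cid!r} declares {size} bytes but only {end - data_start} remain")
        if cid in (b"RIFF", b"LIST"):
            if size < 4:
                raise ValueError(f"{cid!r} chunk too short for a form type")
            form = buf[data_start:data_start + 4]  # 'CDR8', 'INFO', 'doc ' ...
            out.append((depth, cid, form, size))
            out.extend(walk_chunks(buf, data_start + 4, data_start + size, depth + 1))
        else:
            out.append((depth, cid, None, size))
        off = data_start + size + (size & 1)  # skip the pad byte after odd sizes
    return out


def is_well_formed(buf: bytes) -> bool:
    """True if every chunk size in buf is consistent with the buffer length."""
    try:
        walk_chunks(buf)
        return True
    except ValueError:
        return False


def chunk(cid: bytes, data: bytes) -> bytes:
    """Build one well-formed chunk: id, little-endian Size, data, pad byte if odd."""
    pad = b"\x00" if len(data) & 1 else b""
    return cid.ljust(4, b" ") + struct.pack("<I", len(data)) + data + pad


# Constructed buffers (not real CDR files), shaped like the structure in the alert.
GOOD = chunk(b"RIFF", b"CDR8"
             + chunk(b"vrsn", b"\x00\x08")
             + chunk(b"LIST", b"INFO" + chunk(b"IKEY", b"x")))
# A single chunk whose Size field claims 0xFFFFFFFF bytes with 3 bytes present.
BAD_SIZE = b"DISP" + struct.pack("<I", U32_MAX) + b"abc"

if __name__ == "__main__":
    for depth, cid, form, size in walk_chunks(GOOD):
        print("  " * depth, cid, form, size)
    print("BAD_SIZE well-formed:", is_well_formed(BAD_SIZE))
    print("naive 32-bit allocation for 0xFFFFFFFF:", padded_size_32bit(U32_MAX))
```

The walker rejects the oversized chunk before touching its data; a parser that instead computes the padded allocation first and checks afterwards is exactly where a wrapped size turns into a heap overflow.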

SonicWALL UTM team has researched this vulnerability and created the following IPS signature to detect the attack attempts.

  • 2483 Oracle Outside In CorelDRAW File Parser Integer Overflow

This vulnerability has been referred by CVE as CVE-2011-3541.

Android Malware stealing user information (Oct 14, 2011)

SonicWALL UTM Research team received reports of a new AndroidOS malware, Neflic, masquerading as the Netflix application, that steals information from the user and sends it to a remote server. The server had been taken down at the time of writing this alert.

The malware author, in this case, took advantage of the popularity of the Netflix mobile application and its lack of availability across all Android OS versions. The malicious application looks very similar to the official Netflix Android application and steals the user’s account information before deleting itself. Below are screenshots of the malicious application in action:

Installation Screen

    screenshot

Login Screen comparison – Fake (on left) & Real (on right)

    screenshot

Once the user enters the login credentials, it will send the information to a remote server and generate a fake “Your Android TV is not supported” prompt as seen below:

    screenshot

Code snippet showing the malicious server (offline now) where the stolen information was being logged:

    screenshot

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: AndroidOS.neflic (Trojan)
  • GAV: AndroidOS.neflic_2 (Trojan)