Posts

Broadwin WebAccess Client Format String Attack (Sept 8, 2011)

Supervisory Control and Data Acquisition (SCADA) generally refers to industrial control systems: computer systems that monitor and control industrial, infrastructure, or facility-based processes. A SCADA system usually consists of the following subsystems: a human-machine interface (HMI), a supervisory (computer) system, remote terminal units (RTUs) connecting to sensors in the process, programmable logic controllers (PLCs) used as field devices, and the communication infrastructure. Broadwin Technology is one of the vendors that manufacture SCADA systems. Browser-based Human-Machine Interface (HMI) and Supervisory Control and Data Acquisition (SCADA) software are two of their main products.

Broadwin’s WebAccess is the client component of their SCADA system. It provides an ActiveX control designed to run in an Internet Explorer (IE) session. The control is associated with CLSID “5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C” and ProgID “BWOCXRUN.BwocxrunCtrl.1”. It can be instantiated in a web page using the <object> tag or via scripting. The following example demonstrates how this ActiveX control can be instantiated:
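The following is an added example, not the advisory's own snippet: a scanner that recognises both instantiation forms of the control, the <object> tag carrying the CLSID and the scripted ActiveXObject call carrying the ProgID. The HTML it scans is constructed here, and the second CLSID in it is a placeholder for an unrelated control.

```python
import re

# Identifiers of the WebAccess control, as given in the advisory above.
BROADWIN_CLSID = "5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C"
BROADWIN_PROGID = "BWOCXRUN.BwocxrunCtrl.1"

# Form 1: <object classid="clsid:{...}"> (brace style and letter case vary between pages)
_OBJECT_CLSID = re.compile(
    r"<object\b[^>]*\bclassid\s*=\s*['\"]?\s*clsid:\s*\{?([0-9a-f-]{36})\}?",
    re.IGNORECASE | re.DOTALL,
)
# Form 2: scripted instantiation, new ActiveXObject("ProgID")
_ACTIVEX_NEW = re.compile(r"ActiveXObject\s*\(\s*['\"]([\w.]+)['\"]\s*\)", re.IGNORECASE)


def find_broadwin_instantiations(html):
    """Return [(form, identifier)] for each instantiation of the WebAccess control.

    form is "object-tag" or "script"; identifiers are normalised so that brace
    style and letter case in the page do not matter."""
    hits = []
    for m in _OBJECT_CLSID.finditer(html):
        clsid = m.group(1).upper()
        if clsid == BROADWIN_CLSID:
            hits.append(("object-tag", clsid))
    for m in _ACTIVEX_NEW.finditer(html):
        if m.group(1).lower() == BROADWIN_PROGID.lower():
            hits.append(("script", BROADWIN_PROGID))
    return hits


# Constructed sample page: one <object> tag and one scripted instantiation of the
# WebAccess control, plus an <object> for an unrelated control whose CLSID is a
# placeholder, not a real control.
SAMPLE_HTML = """<html><body>
<object id="bw" classid='clsid:{5c2a52bd-2250-4f6b-a4d2-d1d00fcd748c}'></object>
<object classid="clsid:11111111-2222-3333-4444-555555555555"></object>
<script type="text/javascript">
  var ctl = new ActiveXObject("BWOCXRUN.BwocxrunCtrl.1");
</script>
</body></html>"""


if __name__ == "__main__":
    for form, ident in find_broadwin_instantiations(SAMPLE_HTML):
        print(f"WebAccess control instantiated via {form}: {ident}")
```

Scripts that assemble the ProgID from string fragments evade this kind of literal matching, which is one reason network IPS coverage pairs control-specific signatures with generic heap-spray signatures.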


A format string code execution vulnerability exists in Broadwin Technology’s WebAccess client ActiveX component nbwocxrun.ocx. The vulnerability is due to insufficient input validation of one of the parameters passed to a method of the BWOCXRUN.BwocxrunCtrl.1 control. A remote, unauthenticated attacker can exploit this vulnerability by enticing a target user to view a crafted HTML document, ASP page, or other content that embeds the control. Successful exploitation could result in execution of arbitrary code in the security context of the target user.

The SonicWALL UTM team has researched this vulnerability and created the following IPS signature to detect and prevent attacks targeting it:

  • 1801 Broadwin WebAccess Client Format String Attack

No CVE identifier has been assigned to this vulnerability.

Apache Range Header Processing DoS (Sep 1, 2011)

The Apache HTTP server is the most popular HTTP server software in use. It supports a variety of features, many implemented as compiled modules which extend the core functionality.

The Range header in HTTP/1.1 is used to request part of an entity; it improves efficiency when recovering from failed or incomplete transfers. The Range header may specify a single range of bytes, or a set of ranges within a single entity.

A memory exhaustion vulnerability exists in the Apache HTTP Server. Specifically, it is triggered when the server processes a Range header that expresses multiple overlapping ranges. A remote attacker could exploit this vulnerability by sending a series of crafted HTTP requests to the target server. Successful exploitation would exhaust the available memory of the target server and cause a denial-of-service condition.
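An added example, not from the advisory: a Range header analyser that parses the byte-range-specs the way the header above is described, counts them, and reports how many overlap, so a request with the traits described here can be flagged at a proxy or in logs. The sample headers are constructed, and the max_ranges threshold is an assumption, not a value from the advisory.

```python
import re

# One byte-range-spec from RFC 2616 section 14.35: "first-last", "first-" or "-suffix"
_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_byte_ranges(header_value, entity_length):
    """Parse a Range header value such as 'bytes=0-99,200-' into (first, last)
    byte positions for an entity of entity_length bytes. Specs the server cannot
    satisfy (first > last, e.g. '5-0') are kept as None so they are still counted."""
    value = header_value.strip()
    if not value.lower().startswith("bytes="):
        raise ValueError("only byte ranges are handled")
    ranges = []
    for spec in value[len("bytes="):].split(","):
        m = _SPEC.match(spec)
        if not m or m.group(1) == m.group(2) == "":
            raise ValueError(f"malformed byte-range-spec: {spec!r}")
        first, last = m.groups()
        if first == "":                                   # "-N": the final N bytes
            n = min(int(last), entity_length)
            ranges.append((entity_length - n, entity_length - 1) if n else None)
            continue
        first_pos = int(first)
        last_pos = entity_length - 1 if last == "" else min(int(last), entity_length - 1)
        ranges.append((first_pos, last_pos) if first_pos <= last_pos else None)
    return ranges


def count_overlaps(ranges):
    """Count satisfiable ranges that overlap a range listed before them (after sorting)."""
    overlaps, max_last = 0, -1
    for first, last in sorted(r for r in ranges if r is not None):
        if first <= max_last:
            overlaps += 1
        max_last = max(max_last, last)
    return overlaps


def assess_range_header(header_value, entity_length, max_ranges=5):
    """Summarise a Range header and flag it when it carries many ranges or ranges
    that overlap, the two traits of the requests this advisory describes.
    max_ranges is a tunable threshold chosen here, not a value from the advisory."""
    ranges = parse_byte_ranges(header_value, entity_length)
    report = {
        "ranges": len(ranges),
        "unsatisfiable": sum(r is None for r in ranges),
        "overlapping": count_overlaps(ranges),
    }
    report["suspicious"] = report["ranges"] > max_ranges or report["overlapping"] > 0
    return report


# Constructed samples: a normal resume-download request, and a request that asks
# for a dozen overlapping ranges of the same entity.
NORMAL_RANGE = "bytes=500-"
OVERLAPPING_RANGE = "bytes=" + ",".join(f"{i}-" for i in range(12))

if __name__ == "__main__":
    for hdr in (NORMAL_RANGE, OVERLAPPING_RANGE):
        print(hdr[:40], assess_range_header(hdr, entity_length=1000))
```

A server following RFC 2616 strictly would ignore a Range header containing a syntactically invalid spec; this analyser deliberately keeps counting such specs so the request is still scored.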

The vulnerability has been assigned CVE-2011-3192.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 6905 Apache HTTP Range Header DOS Attempt

RDP Worm Morto.A (Aug. 31, 2011)

The SonicWALL UTM Research team received reports of a new Internet worm propagating in the wild. The worm targets Remote Desktop Protocol (RDP), can download additional malicious components, terminate antivirus-related processes and services, and perform distributed denial-of-service (DDoS) attacks, and can be remotely controlled from a malicious server.

Process of Infection:

This worm targets machines via Remote Desktop Protocol (RDP) by compromising weak administrator passwords. Once a system is infected, the worm scans the local network for RDP services on port 3389. It uses a set of usernames and passwords to gain access to these RDP machines and infects them.

Installation:

This worm has three components: the main executable, the DLL loader, and the payload.

Main Executable

The main executable drops the DLL loader ntshrui.dll into the %windir%\temp directory and copies it to the %windir% directory as clb.dll.

It adds the following registry entries as part of its installation:

  • HKLM\SYSTEM\Wpa\it
  • HKLM\SYSTEM\Wpa\id
  • HKLM\SYSTEM\Wpa\ie
  • HKLM\SYSTEM\Wpa\sr
  • HKLM\SYSTEM\Wpa\sn
  • HKLM\SYSTEM\Wpa\md

It then deletes the following registry key to cover its tracks:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

The DLL loader clb.dll in the %windir% directory is loaded when the malware spawns the Registry Editor process (regedit.exe).

The legitimate clb.dll that regedit.exe actually uses is located in the %windir%\system32 directory. However, because of the Windows DLL search order, which looks in %windir% (the directory regedit.exe runs from) before %windir%\system32, the malware’s clb.dll is loaded instead of the legitimate one.
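An added example, not code from the advisory: an audit that applies the search-order point above by listing DLLs in a program's directory that share a name with a DLL in system32 but differ in content. The directory layout it checks is constructed in a temporary folder with placeholder file contents, so it runs anywhere.

```python
import hashlib
import os
import tempfile


def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def find_shadowing_dlls(app_dir, system32_dir):
    """Return [(name, sha256_in_app_dir, sha256_in_system32)] for every DLL in
    app_dir whose name also exists in system32_dir but with different content.

    A process started from app_dir resolves such a name to the copy in app_dir
    before reaching system32, which is how a planted %windir%\\clb.dll displaces
    the legitimate one when regedit.exe (which lives in %windir%) starts."""
    sys_names = {n.lower(): n for n in os.listdir(system32_dir)}
    findings = []
    for name in sorted(os.listdir(app_dir)):
        if not name.lower().endswith(".dll"):
            continue
        sys_name = sys_names.get(name.lower())
        if sys_name is None:                       # nothing in system32 to shadow
            continue
        app_hash = _sha256(os.path.join(app_dir, name))
        sys_hash = _sha256(os.path.join(system32_dir, sys_name))
        if app_hash != sys_hash:
            findings.append((name, app_hash, sys_hash))
    return findings


def demo(planted_content=b"planted loader"):
    """Build a constructed %windir% layout (no real Windows files) imitating the
    Morto case and return the DLL names the audit flags."""
    with tempfile.TemporaryDirectory() as root:
        windir = os.path.join(root, "Windows")
        system32 = os.path.join(windir, "system32")
        os.makedirs(system32)
        files = {
            os.path.join(system32, "clb.dll"): b"legitimate clb",   # the real one
            os.path.join(windir, "clb.dll"): planted_content,        # what Morto copies in
            os.path.join(windir, "other.dll"): b"no counterpart",    # nothing to shadow
            os.path.join(windir, "regedit.exe"): b"not a dll",       # ignored
        }
        for path, content in files.items():
            with open(path, "wb") as f:
                f.write(content)
        return [name for name, _, _ in find_shadowing_dlls(windir, system32)]


if __name__ == "__main__":
    print(demo())   # a planted clb.dll with different content is reported
```

On a live Windows host the same function can be pointed at os.environ["WINDIR"] and its System32 subdirectory; a content mismatch is a lead to verify (versions can legitimately differ), not proof of compromise on its own.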

DLL Loader

Once loaded by regedit.exe, the loader decrypts the payload DLL and loads it into memory. It also performs the following activities:

    Added Registry:

    Key: HKLM\SYSTEM\CurrentControlSet\Control\Windows
    Value: "NoPopUpsOnBoot"
    Data: "1"

    Key: HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters
    Value: "ServiceDll"
    Data: "%windir%\temp\ntshrui.dll"

    Modified Registry:

    Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SENS\Parameters
    Value: ServiceDll
    Data Before: %SystemRoot%\system32\sens.dll
    Data After: %SystemRoot%\system32\sens32.dll

    Added Files:

    %windir%\offline web pages\{Current Date}
    %windir%\offline web pages\1.40_testDdos
    %windir%\offline web pages\cache.txt – blocked as [ GAV: Morto.A_2 (Trojan) ]
    %windir%\system32\sens32.dll – blocked as [ GAV: Morto.A_2 (Trojan) ]

DLL Payload

The malware attempts to connect to RDP servers on the local network on port 3389 using administrator accounts. Some of the accounts are shown below:

screenshot

It copies the following files to the RDP workstations through the \\tsclient\a share:

  • \\tsclient\a\a.dll – blocked as [ GAV: Morto.A_2 (Trojan) ]
  • \\tsclient\a\r.reg

The contents of r.reg are shown below; they ensure that rundll32.exe runs the malware with administrator privileges and without prompting the user for permission for any system changes:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "ConsentPromptBehaviorAdmin"=dword:0
    "EnableLUA"=dword:0

    [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CuurrentVersion\AppCompatFlags\Layers]
    "c:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
    "d:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
    "e:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
    "f:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
    "g:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
    "h:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
    "i:\\windows\\system32\\rundll32.exe"="RUNASADMIN"

    "c:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
    "d:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
    "e:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
    "f:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
    "g:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
    "h:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
    "i:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"

    "c:\\winnt\\system32\\rundll32.exe"="RUNASADMIN"
    "c:\\win2008\\system32\\rundll32.exe"="RUNASADMIN"
    "c:\\win2k8\\system32\\rundll32.exe"="RUNASADMIN"
    "c:\\win7\\system32\\rundll32.exe"="RUNASADMIN"
    "c:\\windows7\\system32\\rundll32.exe"="RUNASADMIN"
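An added example, not part of the advisory: a parser for .reg text of this shape that flags the two things r.reg does, zeroing the UAC policy values and forcing RUNASADMIN compatibility layers. The excerpt it parses is constructed here in the same layout as the file above, not the full file.

```python
import re

# Constructed excerpt in the same shape as r.reg above (not the full file).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:0
"EnableLUA"=dword:0

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"c:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"

[HKEY_CURRENT_USER\Software\Example\Harmless]
"Setting"="1"
"""

_KEY = re.compile(r"^\[(-?)([^\]]+)\]$")               # [path] or [-path] (deletion)
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')     # "name"=data; name may escape \ and "

UAC_POLICY_KEY = r"\software\microsoft\windows\currentversion\policies\system"
UAC_VALUES = ("EnableLUA", "ConsentPromptBehaviorAdmin")
APPCOMPAT_LAYERS = r"\appcompatflags\layers"


def parse_reg(text):
    """Yield (key, value_name, raw_data) from .reg text; raw_data keeps its quotes."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        km = _KEY.match(line)
        if km:
            key = km.group(2)
            continue
        vm = _VALUE.match(line)
        if vm and key is not None:
            name = vm.group(1).replace('\\"', '"').replace("\\\\", "\\")
            yield key, name, vm.group(2).strip()


def _dword_is_zero(raw_data):
    """True for dword:0 as well as the regedit export form dword:00000000."""
    if not raw_data.lower().startswith("dword:"):
        return False
    try:
        return int(raw_data[6:], 16) == 0
    except ValueError:
        return False


def audit_reg(text):
    """Return findings for UAC-disabling values and RUNASADMIN compatibility layers."""
    findings = []
    for key, name, data in parse_reg(text):
        lkey = key.lower()
        if lkey.endswith(UAC_POLICY_KEY) and name in UAC_VALUES and _dword_is_zero(data):
            findings.append(f"UAC weakened: {name}=0 under {key}")
        elif lkey.endswith(APPCOMPAT_LAYERS) and "runasadmin" in data.lower():
            findings.append(f"RUNASADMIN layer forces elevation for {name}")
    return findings


if __name__ == "__main__":
    for finding in audit_reg(SAMPLE_REG):
        print(finding)
```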

Once the files have been copied to the RDP workstations, the malware runs them with the following commands:

  • “regedit /s \\tsclient\a\r.reg”
  • “rundll32 \\tsclient\a\a.dll a”

It also terminates the following antivirus-related services:

  • 360rp
  • a2service
  • ACAAS
  • ArcaConfSV
  • AvastSvc
  • avguard
  • avgwdsvc
  • avp
  • avpmapp
  • ccSvcHst
  • cmdagent
  • coreService
  • FortiScand
  • FPAVServer
  • freshclam
  • fsdfwd
  • GDFwSvc
  • K7RTScan
  • knsdave
  • KVSrvXP
  • kxescore
  • mcshield
  • MPSvc
  • MsMpEng
  • NSESVC.EXE
  • PavFnSvr
  • RavMonD
  • SavService
  • scanwscs
  • Shell
  • SpySweeper
  • Vba32Ldr
  • vsserv
  • zhudongfangyu

Network Activities:

The malware tries to contact the following URLs:

  • qf{REMOVED}.net
  • ms.ji{REMOVED}nfo
  • ms.ji{REMOVED}o.cc
  • ms.ji{REMOVED}o.be

SonicWALL Gateway AntiVirus provides protection against this worm via the following signatures:

  • GAV: Morto.A (Worm)
  • GAV: Morto.A_2 (Trojan)

screenshot

RealPlayer QCP File Parsing Buffer Overflow (Aug 25, 2011)

The QCP file format is used by many cellular telephone manufacturers to provide ring tones and record voice. It is based on RIFF, a generic format for storing chunks of data identified by tags. The QCP format does not specify how voice data in the file is encoded; rather, it is a container format. The QCP file format is defined in detail in RFC 3625.

RealPlayer is a cross-platform media player by RealNetworks that plays a number of multimedia formats including MP3, MPEG-4, QuickTime, Windows Media, QCP, and multiple versions of proprietary RealAudio and RealVideo formats.

A heap-based buffer overflow vulnerability exists in RealPlayer. Specifically, the vulnerability occurs while processing fmt chunks in QCP files. An attacker can exploit this vulnerability by enticing a user to open a specially crafted QCP file with RealPlayer. Successful exploitation would allow arbitrary code injection and execution with the privileges of the currently logged-in user. Code injection that does not result in execution would terminate the application.

The vulnerability has been assigned CVE-2011-2950.

SonicWALL has released an IPS signature to detect and block known exploits targeting this vulnerability. The following signature was released to address this issue:

  • 1569 – RealNetworks RealPlayer QCP File Parsing Buffer Overflow

Ramnit evolves into a financial malware (Aug 25, 2011)

The SonicWALL UTM Research team received reports of a new variant of the Ramnit malware spreading in the wild.

The Ramnit malware family is known for the following capabilities:

  • File infector: infects files with EXE, DLL, SCR, HTM and HTML extensions by appending its code.
  • Network propagation: Spreads via network shares and USB devices.
  • Backdoor: Creates a backdoor where it can receive remote instructions.
  • Steals FTP credentials and browser cookies.

The latest variant also incorporates Zeus-like Man-in-the-Browser (MitB) web inject functionality to steal Online Banking credentials. It is highly likely that some modules of the Zeus source code (leaked earlier this year) have been integrated into it.

The sample under investigation performs the following activities on the infected system:

  • Creates a copy of itself as (Local Settings)\Temp\dbsoowwjviewtmlp.exe (random filename generated per system).
  • Starts two svchost.exe processes and injects code into them.
  • Infects executable files with .EXE and .DLL extensions by appending malicious code to the files. Below is a sample list of files under Program Files that were infected:
    • Adobe\Reader 9.0\Reader\LogTransport2.exe
    • Adobe\Reader 9.0\Reader\pe.dll
    • Adobe\Reader 9.0\Reader\sqlite.dll
    • Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    • Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll
    • Common Files\Adobe AIR\Versions\1.0\Resources\template.exe
    • Common Files\DESIGNER\MSADDNDR.DLL
    • Common Files\Java\Java Update\jusched.exe
    • Common Files\Microsoft Shared\MSDesigners7\MSVCP71.DLL
    • Common Files\Microsoft Shared\OFFICE11\MSO.DLL
    • Common Files\Microsoft Shared\OFFICE11\MSSOAP30.DLL

    The infected executable files will have an additional section containing malicious code:

    screenshot
    screenshot

  • Makes registry modifications to launch itself upon system reboot. It also disables the Windows Safe Mode feature by deleting registry keys from the following locations:
    • HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal
    • HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network

    Subsequent attempts to reboot the infected system in Safe Mode will result in a Blue Screen of Death (BSoD) crash.

    screenshot
    screenshot

  • Opens a backdoor Secure FTP server on TCP port 22 on the infected system.

    screenshot

  • Connects to a remote C&C server at carr(REMOVED)ezz.com over an SSL connection to receive instructions.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Ramnit.D (Trojan)
  • GAV: Ramnit.D_2 (Trojan)

Mozilla Firefox mChannel Use After Free (Aug 19, 2011)

Mozilla Firefox is a web browser developed by the Mozilla Foundation. Firefox is capable of rendering multiple types of content such as HTML, XML, XUL, JavaScript, and popular media formats, among others. Firefox is distributed for all major platforms, such as Windows, Mac OS, and Linux. The Cross Platform Component Object Model (XPCOM) is a component-oriented software framework produced by the Mozilla Foundation. It is similar to Microsoft’s Component Object Model (COM). Mozilla’s Gecko layout engine is XPCOM based, as is the DOM implementation. XPCOM has many language bindings and can be accessed via JavaScript. All XPCOM interfaces inherit from the base interface nsISupports, which has the following methods:

    nsrefcnt AddRef();
    void QueryInterface(in nsIIDRef uuid, [iid_is(uuid), retval] out nsQIResult result);
    nsrefcnt Release();

The QueryInterface method is used for type discovery and performs a type-casting function; it returns a pointer to the requested interface. The following example obtains an object implementing the nsIChannelEventSink interface in JavaScript:

    obj.QueryInterface(Components.interfaces.nsIChannelEventSink)

The nsIChannelEventSink interface provides the following methods:

    // Firefox 4+
    void asyncOnChannelRedirect(in nsIChannel oldChannel,
                                in nsIChannel newChannel,
                                in unsigned long flags,
                                in nsIAsyncVerifyRedirectCallback callback);
    void onChannelRedirect(in nsIChannel oldChannel,
                           in nsIChannel newChannel,
                           in unsigned long flags);

The function asyncOnChannelRedirect is an asynchronous replacement for onChannelRedirect. These methods are called when a redirect occurs, such as one triggered by a 3xx HTTP status code. The onChannelRedirect method implementation for HTML objects contains a use-after-free flaw.
In order to exploit this vulnerability, a remote attacker would have to entice the target user to open a crafted web page. Successful exploitation could allow the attacker to execute arbitrary code on the vulnerable system in the security context of the browser. An unsuccessful exploitation attempt could result in the abnormal termination of the browser. Use-after-free vulnerabilities are generally difficult to exploit for code execution, so the most likely outcome of an attack attempt is a browser crash.

SonicWALL has released the following IPS signature to address this threat:

  • 1497 – Mozilla Firefox onChannelRedirect Method Invocation

Additionally, SonicWALL has multiple existing IPS signatures that detect and block suspected heap spray methods, which would most likely be used in attacks targeting this type of vulnerability. These signatures serve as a proactive defense against the most popular HTML-based attacks.

This vulnerability has been assigned CVE-2011-0065 by MITRE.
The vendor has released an advisory addressing this issue.

Android Malware Nickispy.C snoops on Users (Aug 18, 2011)

The SonicWALL UTM Research team received reports of a new variant of the AndroidOS malware Nickispy that can record phone calls, log call details, SMS messages, and GPS locations, copy contact information, and eventually send the collected data to a remote server.

This malware was seen hosted on a Chinese website, riding on the popularity of the recently released social networking service Google+, as is evident from the name of the installed application, “Google++”.

    screenshot

Users are advised against installing third-party applications from unknown or untrusted sources and to be wary of requests for suspicious permissions during installation.

Once the malware is downloaded and executed, it requests the following permissions during installation:

    screenshot

Note the unnecessary permissions requested by the malware, such as the ability to intercept outgoing calls, edit SMS or MMS messages, and record audio. These permissions should raise the user’s suspicion that the application is doing something other than what it claims.

Installed services include the following:

    screenshot

It also uses the following services:

  • CallLogService
  • CallRecordRegisterService
  • CallRecordService
  • CallsListenerService
  • ContactService
  • GpsService
  • KeyguardLockService
  • LocationService
  • ScreenService
  • SendResultService
  • SMSControllerService
  • SyncContactService
  • UploadService

Once installed, this malware performs the following:

  • Records calls:
      screenshot
  • Records GPS locations:
      screenshot
  • Logs SMS messages:
      screenshot
  • Eventually uploads the collected data to a remote server:
      screenshot
    • Remote Server: cs.{removed}ng.com
      Port: 2018

This malware is also known as Trojan-Spy.AndroidOS.Nickspy.g [Kaspersky], AndroidOS_NICKISPY.C [TrendMicro] and TrojanSpy:AndroidOS/Nickispy.B [Microsoft].

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: AndroidOS.Nickispy.C (Trojan)

New banker Trojan steals information via compromised webservers (Aug 10, 2011)

The SonicWALL UTM Research team received reports of a new banking Trojan spreading in the wild. The Trojan spreads through email and steals banking credentials from customers of BBVA bank. The email falsely reports that the long-time dictator of Cuba, Fidel Castro, had died of a sudden heart attack at his residence. The email contains two links, “click on the image” and “Play video”, that lead to the download of the Trojan executable file:

The links to the Trojan are hosted on compromised webservers:

  • http://www.chem{removed}.co.uk/24horasnoticias.exe
  • http://www.ferienwoh{removed}-vk.de/lightbox/js/24horasnoticias.exe
  • http://web4.au{removed}.org/bird/cbc/pdf/24horasnoticias.exe

The downloaded file uses the following icon:

Once run, this initial dropper Trojan adds the following file to the filesystem:

  • C:\09342.exe [Detected as GAV: Dapato.HEM (Trojan)]

The following request was observed when obtaining 009342.exe. This file is a spreader Trojan and is downloaded from a predetermined list of compromised remote webservers:

C:\09342.exe is executed and makes the following changes to the filesystem:

  • C:\Documents and Settings\All Users\Application Data\Lupita\Lupita.exe [Detected as GAV: Banker.SKQG (Trojan)]

C:\09342.exe makes the following change to the Windows registry to enable startup of the main banking Trojan:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “C:\Documents and Settings\All Users\Application Data\Lupita\Lupita.exe”

C:\09342.exe was also seen scanning all directories on the filesystem for .dbx files in an attempt to gather email addresses for further spreading.

The dropped executable (Lupita.exe) is the main banker Trojan. The Trojan binary contains the following links:

  • http://www.hidro{removed}.com.br/img_site/addo.php
  • http://www.holi{removed}.info/features/addo.php
  • http://h1655219.stra{removed}.net/wework/js/addo.php
  • http://www.hippodr{removed}.com//Hippodrome/Les_partenaires/del.php
  • http://www.houseimm{removed}.it/php/del.php
  • http://icomiarr{removed}.net//del.php
  • http://www.ihp-e{removed}.be/espoir/wii.php
  • http://www.hw{removed}.com/modules/wii.php
  • http://www.group{removed}.com/gosier//images/people/wii.php
  • http://www.f{removed}.at//newpics/tr/up7.exe.bak
  • http://mox{removed}.vn//images/up7.exe.bak
  • http://www.flc{removed}.com.tw/html/up7.exe.bak
  • http://www.marath{removed}.com//images/sd/up7.exe.bak
  • http://www.ecuriesdupa{removed}.com//agb/config/up7.exe.bak
  • http://www.designs{removed}.com/portfolio/we/up7.exe.bak

The links are used for receiving stolen banking credentials from the Trojan.

Lupita.exe uses the following icon:

After a reboot and an undetermined period of time, the Trojan (Lupita.exe) spawns a BBVA bank login page in place of the Windows desktop background. The page cannot be closed unless the process is killed:

In an attempt to appear legitimate, the page contains genuine warnings about online banking security. One warning roughly translates to:

  • "If you get a few emails or enter a screen where you apply all your card numbers secure password, do not give any help and contact information online at 600 600 1100"

The page does, however, ask for your BBVA bank logon credentials. This information is posted to a remote webserver:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Banker.SKQG (Trojan)
  • GAV: Dapato.HEM (Trojan)

Microsoft Security Bulletin Coverage (Aug 9, 2011)

SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of August, 2011. A list of issues reported, along with SonicWALL coverage information follows:

MS11-057 Cumulative Security Update for Internet Explorer

  • Window Open Race Condition Vulnerability – CVE-2011-1257
    This is a race condition. Not detectable by an IPS appliance.
  • Event Handlers Information Disclosure Vulnerability – CVE-2011-1960
    This is a logical flaw in the script engine of IE. Normal traffic is not distinguishable from malicious traffic.
  • Telnet Handler Remote Code Execution Vulnerability – CVE-2011-1961
    This is a binary planting vulnerability in the telnet scheme handler.
    IPS 6847 Possible Binary Planting Attempt 3
  • Shift JIS Character Encoding Vulnerability – CVE-2011-1962
    This is a logical flaw in the script engine of IE. Normal traffic is not distinguishable from malicious traffic.
  • XSLT Memory Corruption Vulnerability – CVE-2011-1963
    IPS 6848 MS IE XSLT Memory Corruption Attack Attempt
  • Style Object Memory Corruption Vulnerability – CVE-2011-1964
    This is a logical flaw in the script engine of IE. Normal traffic is not distinguishable from malicious traffic.
  • Drag and Drop Information Disclosure Vulnerability – CVE-2011-2383
    This is a logical flaw in the script engine of IE. Normal traffic is not distinguishable from malicious traffic.

MS11-058 Vulnerabilities in DNS Server Could Allow Remote Code Execution

  • DNS NAPTR Query Vulnerability – CVE-2011-1966
    IPS 1371 Suspicious DNS Traffic 3
  • DNS Uninitialized Memory Corruption Vulnerability – CVE-2011-1970
    There is no method of detecting attacks targeting this vulnerability. An attack is not distinguishable from a valid scenario.

MS11-059 Vulnerability in Data Access Components Could Allow Remote Code Execution

  • Data Access Components Insecure Library Loading Vulnerability – CVE-2011-1975
    IPS 5726 Possible Binary Planting Attempt

MS11-060 Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution

  • pStream Release RCE Vulnerability – CVE-2011-1972
    IPS 1374 Malformed Visio Document 1b
  • Move Around the Block RCE Vulnerability – CVE-2011-1979
    IPS 1388 Malformed Visio Document 2b

MS11-061 Vulnerability in Remote Desktop Web Access Could Allow Elevation of Privilege

  • Remote Desktop Web Access Vulnerability – CVE-2011-1263
    IPS 6843 Remote Desktop Web Access XSS

MS11-062 Vulnerability in Remote Access Service NDISTAPI Driver Could Allow Elevation of Privilege

  • NDISTAPI Elevation of Privilege Vulnerability – CVE-2011-1974
    This is a local vulnerability.

MS11-063 Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege

  • CSRSS Vulnerability – CVE-2011-1967
    This is a local vulnerability.

MS11-064 Vulnerabilities in TCP/IP Stack Could Allow Denial of Service

  • ICMP Denial of Service Vulnerability – CVE-2011-1871
    This is a logical vulnerability. There is nothing distinguishable in attack traffic from normal traffic.
  • TCP/IP QOS Denial of Service Vulnerability – CVE-2011-1965
    This is a logical flaw which manifests itself in certain configurations of the vulnerable product. There is nothing distinguishable in attack traffic from normal traffic.

MS11-065 Vulnerability in Remote Desktop Protocol Could Allow Denial of Service

  • Remote Desktop Protocol Vulnerability – CVE-2011-1968
    This is a race condition. Not detectable by an IPS appliance.

MS11-066 Vulnerability in Microsoft Chart Control Could Allow Information Disclosure

  • Chart Control Information Disclosure Vulnerability – CVE-2011-1977
    IPS 6845 Chart Control Information Disclosure Attempt

MS11-067 Vulnerability in Microsoft Report Viewer Could Allow Information Disclosure

  • Report Viewer Controls XSS Vulnerability – CVE-2011-1976
    IPS 6844 Report Viewer Controls XSS Attempt

MS11-068 Vulnerability in Windows Kernel Could Allow Denial of Service

  • Windows Kernel Metadata Parsing DOS Vulnerability – CVE-2011-1971
    This is a local vulnerability.

MS11-069 Vulnerability in .NET Framework Could Allow Information Disclosure

  • Socket Restriction Bypass Vulnerability – CVE-2011-1978
    This is a local vulnerability.

Spygold trojan found in rogue android application (Aug 3, 2011)

The SonicWALL UTM Research team received reports of a rogue Android gaming application spreading in the wild. The rogue application is a modified version of a legitimate game available on the Android Market. The modified application was found spying on call logs and text messages. SonicWALL advises users against installing applications from untrusted sources and to be wary of applications that request suspicious permissions.

When the rogue application is downloaded and executed, it requests the following permissions:

screenshot

It performs the following activities when installed:

  • It periodically stores call logs and text messages in the following locations:
      screenshot
  • The contents of the files storing call logs and text messages are shown below:
    • zjphonecall.txt:

      screenshot

    • zjsms.txt:

      screenshot

  • It ensures its service is started when the phone reboots
      screenshot
  • It collects device information
    • Grabs the IMEI, IMSI, and SIM number
      screenshot
  • It uploads collected data to a remote server
    • http://{removed}.net/zj/upload/UploadFiles.aspx

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: AndroidOS.spygold (Trojan)