Posts

Adobe Flash Player ActionScript Vulnerability (Apr 22, 2011)

Adobe Flash is a multimedia platform. It is used to add animation, video, and interactivity to web pages, PDF files or even Microsoft Office documents.

Adobe Flash supports a scripting language called ActionScript, which is executed by the ActionScript Virtual Machine. ActionScript code is typically compiled into a bytecode format called ActionScript Byte Code (ABC). The bytecode verifier is responsible for safety checks, making sure there are no type-unsafe operations, stack underflows or overflows, improper array accesses, and so on.

A type confusion vulnerability exists in the Adobe Flash Player ActionScript Virtual Machine. Specifically, the flaw exists in the implementation of the callMethod bytecode command: the bytecode verifier fails to detect a stack misalignment under certain circumstances. An attacker can exploit this vulnerability by enticing a user to visit a crafted web page, open a crafted PDF file or open a crafted Office document, all of which may contain malicious Adobe Flash content. Successful exploitation would allow arbitrary code execution with the privileges of the currently logged-in user.

The vulnerability has been assigned CVE-2011-0611.

SonicWALL has released several IPS signatures to detect and block known exploits targeting this vulnerability. The following signatures were released to address this issue:

  • 6475 – Adobe Flash Player ActionScript callMethod Type Confusion 1
  • 6476 – Adobe Flash Player ActionScript callMethod Type Confusion 2

Fakerean_7 Malicious Fake Antivirus software

The SonicWALL UTM research team has seen an increase in Fake AV malware. Such malware attempts to scare users into buying fake antivirus software that performs fake scans and returns bogus results. Fakerean_7 (Trojan) is yet another piece of malware that performs such malicious activity.

The Trojan performs the following DNS queries:

  • {random 9-14 char domain}.com [we observed over 100 of these requests]
  • microsoft.com

The Trojan uses a typical Windows installer icon and claims to have originated from Valve Corporation:

Upon infection the Trojan removes itself from the location it is run from. It then shows a fake virus scan informing the user that the system is infected with Malware:

screenshot

Once the fake scan is complete it informs the user that the system is infected with Malware and the user should register (buy) the software:

screenshot

Clicking the “register” button leads to the following page:

screenshot

The Trojan will periodically show variations of the following pop-ups:

The Trojan creates the following files on the filesystem:

  • C:\Documents and Settings\All Users\Application Data\c5t4g1kso4fl53 [Detected as GAV: Fakerean_7 (Trojan)]
  • C:\Documents and Settings\{USER}\Local Settings\Application Data\c5t4g1kso4fl53 [Detected as GAV: Fakerean_7 (Trojan)]
  • C:\Documents and Settings\{USER}\Local Settings\Application Data\hxk.exe [Detected as GAV: Fakerean_7 (Trojan)]
  • C:\Documents and Settings\{USER}\Local Settings\Temp\c5t4g1kso4fl53 [Detected as GAV: Fakerean_7 (Trojan)]
  • C:\Documents and Settings\{USER}\Templates\c5t4g1kso4fl53 [Detected as GAV: Fakerean_7 (Trojan)]

The Trojan creates the following keys in the Windows registry:

Registry spawning keys:

  • HKEY_CLASSES_ROOT\.exe\DefaultIcon @ = %1
  • HKEY_CLASSES_ROOT\.exe\shell\open\command @ = "C:\Documents and Settings\{USER}\Local Settings\Application Data\hxk.exe" -a "%1" %*
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command @ = "C:\Documents and Settings\{USER}\Local Settings\Application Data\hxk.exe" -a "%1" %*
  • HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command @ = "C:\Documents and Settings\{USER}\Local Settings\Application Data\hxk.exe" -a "%1" %*
  • HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command IsolatedCommand = "%1" %*
  • HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command @ = "%1" %*
  • HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command IsolatedCommand = "%1" %*
  • HKEY_USERS\S-1-5-21-1993962763-1202660629-1957994488-1003_Classes\exefile\shell\open\command @ = "C:\Documents and Settings\{USER}\Local Settings\Application Data\hxk.exe" -a "%1" %*

Disabling firewall:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile EnableFirewall = dword:00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile DoNotAllowExceptions = dword:00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile DisableNotifications = dword:00000001

The Trojan deletes the following keys from the Windows registry:

To disable Windows Automatic Updates:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WUAUSERV\0000 ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WUAUSERV\0000 DeviceDesc = "Automatic Updates"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WUAUSERV\0000\Control ActiveService = "wuauserv"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv ImagePath (hex) = "%systemroot%\system32\svchost.exe -k netsvcs"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv DisplayName = "Automatic Updates"

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Fakerean_7 (Trojan)

Rayon – Removable Storage Worm (Apr 13, 2011)

The SonicWALL UTM Research team observed a new variant of the Rayon worm spreading in the wild. It disables various Windows security features as well as security applications that could be used to detect the presence of the malware. The worm spreads through removable storage.

The executables use misleading icons and names as seen below:

screenshot

It performs the following activities when executed:

  • It creates the following copies of itself on the local drive:
    • %appdata%\Microsoft\Network\explorer.exe [Detected as GAV: Rayon.CG (Worm)]
    • iPhone Ringtone.exe [Detected as GAV: Rayon.CG (Worm)]
    • Symbian Ringtone.exe [Detected as GAV: Rayon.CG (Worm)]
    • WindowsMobile Ringtone.exe [Detected as GAV: Rayon.CG (Worm)]

  • It creates the following copies of itself on attached removable storage drives:
    • RECYCLER\RECYCLED.{645FF040-5081-101B-9F08-00AA002F954E}\autorun.exe [Detected as GAV: Rayon.CG (Worm)]
    • iPhone Ringtone.exe [Detected as GAV: Rayon.CG (Worm)]
    • Symbian Ringtone.exe [Detected as GAV: Rayon.CG (Worm)]
    • WindowsMobile Ringtone.exe [Detected as GAV: Rayon.CG (Worm)]

  • It creates autorun.inf file on removable storage drives with the following contents:
        screenshot
  • It creates the following registry entry to ensure that the worm runs on every system reboot:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: "%appdata%\Microsoft\Network\explorer.exe"
  • It disables the following services:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache – This service caches DNS resolutions.
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc – This is the error reporting service.
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess – This service is responsible for NAT, addressing and name resolution.
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv – This is the auto-update service.
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DCOM Client Launcher\Security – Windows Firewall cannot run when DCOM is disabled.
  • It prevents security applications from being run by creating the registry entry “HKEY_USERS\S-1-5-21-1275210071-573735546-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun” with the following values:
    • 360rpt.exe
    • 360safe.exe
    • 360Safe.exe
    • 360safebox.exe
    • 360tray.exe
    • adam.exe
    • AgentSvr.exe
    • AppSvc32.exe
    • avconsol.exe
    • autoruns.exe
    • avgrssvc.exe
    • AvMonitor.exe
    • avp.com
    • avp.exe
    • CCenter.exe
    • ccSvcHst.exe
    • EGHOST.exe
    • FTCleanerShell.exe
    • FYFireWall.exe
    • FileDsty.exe
    • HijackThis.exe
    • IceSword.exe
    • Iparmor.exe
    • iparmo.exe
    • kabaload.exe
    • isPwdSvc.exe
    • KaScrScn.SCR
    • KASMain.exe
    • KASTask.exe
    • KAV32.exe
    • KAVDX.exe
    • KAVPF.exe
    • KAVPFW.exe
    • KAVSetup.exe
    • KAVStart.exe
    • KISLnchr.exe
    • KMailMon.exe
    • KMFilter.exe
    • KPFW32.exe
    • KPFW32X.exe
    • KPfwSvc.exe
    • KPFWSvc.exe
    • KRepair.com
    • KRegEx.exe
    • KsLoader.exe
    • KVCenter.kxp
    • KvDetect.exe
    • KvfwMcl.exe
    • KVMonXP.kxp
    • kvol.exe
    • KVMonXP_1.kxp
    • kvolself.exe
    • KvReport.kxp
    • KVScan.kxp
    • KVSrvXP.exe
    • KVStub.kxp
    • kvupload.exe
    • kvwsc.exe
    • KvXP.kxp
    • KvXP_1.kxp
    • KWatch.exe
    • KWatch9x.exe
    • KWatchX.exe
    • MagicSet.exe
    • mcconsol.exe
    • mmqczj.exe
    • mmsk.exe
    • Navapsvc.exe
    • Navapw32.exe
    • nod32.exe
    • nod32krn.exe
    • nod32kui.exe
    • NPFMntor.exe
    • OllyDBG.exe
    • OllyICE.exe
    • PFW.exe
    • PFWLiveUpdate.exe
    • QHSET.exe
    • procexp.exe
    • QQDoctor.exe
    • QQKav.exe
    • Ras.exe
    • RavMonD.exe
    • RavStub.exe
    • RawCopy.exe
    • RegClean.exe
    • RegTool.exe
    • rfwcfg.exe
    • rfwmain.exe
    • RfwMain.exe
    • rfwProxy.exe
    • rfwsrv.exe
    • rfwstub.exe
    • RsAgent.exe
    • Rsaupd.exe
    • runiep.exe
    • safebank.exe
    • safeboxTray.exe
    • safelive.exe
    • scan32.exe
    • shcfg32.exe
    • SmartUp.exe
    • SREng.exe
    • SysSafe.exe
    • symlcsvc.exe
    • TrojanDetector.exe
    • Trojanwall.exe
    • TrojDie.kxp
    • UIHost.exe
    • UmxAttachment.exe
    • UmxAgent.exe
    • UmxCfg.exe
    • UmxFwHlp.exe
    • UmxPol.exe
    • UpLive.exe
    • vsstat.exe
    • webscanx.exe
    • WinDbg.exe
    • WoptiClean.exe

  • It makes the following HTTP request to a remote IP address:
    • GET /cmd/cmd.php?s=0 HTTP/1.1 – This request returns encrypted data.
  • It launches the browser with advertising pages.

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Rayon.CG (Worm)

Microsoft Security Bulletins Coverage (April 12, 2011)

SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of April, 2011. A list of issues reported, along with SonicWALL coverage information follows:

MS11-018 Cumulative Security Update for Internet Explorer (2497640)

  • CVE-2011-0094 – Layouts Handling Memory Corruption Vulnerability
    IPS 6432 MS IE Memory Corruption Vulnerability
  • CVE-2011-0346 – MSHTML Memory Corruption Vulnerability
    There is no feasible method of detection.
  • CVE-2011-1245 – Javascript Information Disclosure Vulnerability
    IPS 6435 MS IE Javascript Information Disclosure Vulnerability
  • CVE-2011-1345 – Object Management Memory Corruption Vulnerability
    IPS 6427 MS IE Double Release Object Vulnerability
    IPS 6428 MS IE Double Release Object Vulnerability 2
    GAV IExploit.A6428

MS11-019 Vulnerabilities in SMB Client Could Allow Remote Code Execution (2511455)

  • CVE-2011-0654 – Browser Pool Corruption Vulnerability
    IPS 6248 Generic Netbios Shellcode Exploit
  • CVE-2011-0660 – SMB Client Response Parsing Vulnerability
    IPS 6436 SMB Client Response Parsing Vulnerability Exploit

MS11-020 Vulnerability in SMB Server Could Allow Remote Code Execution (2508429)

  • CVE-2011-0661 – SMB Transaction Parsing Vulnerability
    There is no feasible method of detection.

MS11-021 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2489279)

  • CVE-2011-0097 – Excel Integer Overrun Vulnerability
    GAV MS.Xsl.E
  • CVE-2011-0098 – Excel Heap Overflow Vulnerability
    GAV MS.Xsl.E_2
  • CVE-2011-0101 – Excel Record Parsing WriteAV Vulnerability
    GAV MS.Xsl.E_3
  • CVE-2011-0103 – Excel Memory Corruption Vulnerability
    GAV MS.Xsl.E_5
  • CVE-2011-0104 – Excel Buffer Overwrite Vulnerability
    GAV Hlink.BO.A
    GAV Hlink.BO.B
  • CVE-2011-0105 – Excel Data Initialization Vulnerability
    GAV MS.Xsl.E_6
  • CVE-2011-0978 – Excel Array Indexing Vulnerability
    GAV MS.Xsl.E_7
  • CVE-2011-0979 – Excel Linked List Corruption Vulnerability
    GAV MS.Xsl.E_8
  • CVE-2011-0980 – Excel Dangling Pointer Vulnerability
    GAV MS.Xsl.E_4

MS11-022 Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2489283)

  • CVE-2011-0685 – Floating Point Techno-color Time Bandit RCE Vulnerability
    GAV MS.Ppt.E
  • CVE-2011-0656 – Persist Directory RCE Vulnerability
    GAV MS.Ppt.E_2
  • CVE-2011-0976 – OfficeArt Atom RCE Vulnerability
    GAV MS.Ppt.E_3

MS11-023 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2489293)

  • CVE-2011-0107 – Office Component Insecure Library Loading Vulnerability
    IPS 5726 Possible Binary Planting Attempt
  • CVE-2011-0977 – Microsoft Office Graphic Object Dereferencing Vulnerability
    GAV MS.Xsl.E_9

MS11-024 Vulnerability in Windows Fax Cover Page Editor Could Allow Remote Code Execution (2527308)

  • CVE-2010-3974 – Fax Cover Page Editor Memory Corruption Vulnerability
    GAV MS.cov.E

MS11-025 Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution (2500212)

  • CVE-2010-3190 – MFC Insecure Library Loading Vulnerability
    IPS 5726 Possible Binary Planting Attempt

MS11-026 Vulnerability in MHTML Could Allow Information Disclosure (2503658)

  • CVE-2011-0096 – MHTML Mime-Formatted Request Vulnerability
    IPS 6205 MHTML Protocol Handler XSS Attack Attempt 4

MS11-027 Cumulative Security Update of ActiveX Kill Bits (2508272)

  • CVE-2010-0811 – Microsoft Internet Explorer 8 Developer Tools Vulnerability
    IPS 6437 MS Windows IE8 Developer Tools ActiveX Invocation Attempt
  • CVE-2010-3973 – Microsoft WMITools ActiveX Control Vulnerability
    IPS 6434 MS Windows WMITools ActiveX Control Invocation Attempt
  • CVE-2011-1243 – Microsoft Windows Messenger ActiveX Control Vulnerability
    IPS 6433 MS Windows Live Messenger ActiveX invocation attempt

MS11-028 Vulnerability in .NET Framework Could Allow Remote Code Execution (2484015)

  • CVE-2010-3958 – .NET Framework Stack Corruption Vulnerability
    This is a local vulnerability.

MS11-029 Vulnerability in GDI+ Could Allow Remote Code Execution (2489979)

  • CVE-2011-0041 – GDI+ Integer Overflow Vulnerability
    GAV ms11-029.ms

MS11-030 Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553)

  • CVE-2011-0657 – DNS Query Vulnerability
    There is no feasible method of detection.

MS11-031 Vulnerability in JScript and VBScript Scripting Engines Could Allow Remote Code Execution (2514666)

  • CVE-2011-0663 – Scripting Memory Reallocation Vulnerability
    There is no feasible method of detection.

MS11-032 Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (2507618)

  • CVE-2011-0034 – OpenType Font Stack Overflow Vulnerability
    IPS 6438 MS OpenType Font Stack Overflow Exploit

MS11-033 Vulnerability in WordPad Text Converters Could Allow Remote Code Execution (2485663)

  • CVE-2011-0028 – WordPad Converter Parsing Vulnerability
    GAV ms11-033.ms.ttextflow
    GAV ms11-033.ms.tsplit

MS11-034 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2506223)

  • CVE-2011-0662 – Win32k Use After Free Vulnerability
    Local authenticated vulnerability
  • CVE-2011-0665 – Win32k Use After Free Vulnerability
    Local authenticated vulnerability
  • CVE-2011-0666 – Win32k Use After Free Vulnerability
    Local authenticated vulnerability
  • CVE-2011-0667 – Win32k Use After Free Vulnerability
    Local authenticated vulnerability
  • CVE-2011-0670 – Win32k Use After Free Vulnerability
    Local authenticated vulnerability
  • CVE-2011-0671 – Win32k Use After Free Vulnerability
    Local authenticated vulnerability
  • CVE-2011-0672 – Win32k Use After Free Vulnerability
    Local authenticated vulnerability
  • CVE-2011-0673 – Win32k Null Pointer De-reference Vulnerability
    Local authenticated vulnerability
  • CVE-2011-0674 – Win32k Use After Free Vulnerability
    Local authenticated vulnerability
  • CVE-2011-0675 – Win32k Use After Free Vulnerability
    Local authenticated vulnerability
  • CVE-2011-0676 – Win32k Null Pointer De-reference Vulnerability
    Local authenticated vulnerability
  • CVE-2011-0677 – Win32k Null Pointer De-reference Vulnerability
    Local authenticated vulnerability
  • CVE-2011-1225 – Win32k Null Pointer De-reference Vulnerability
    Local authenticated vulnerability
  • CVE-2011-1226 – Win32k Null Pointer De-reference Vulnerability
    Local authenticated vulnerability
  • CVE-2011-1227 – Win32k Null Pointer De-reference Vulnerability
    Local authenticated vulnerability
  • CVE-2011-1228 – Win32k Null Pointer De-reference Vulnerability
    Local authenticated vulnerability
  • CVE-2011-1229 – Win32k Null Pointer De-reference Vulnerability
    Local authenticated vulnerability
  • CVE-2011-1230 – Win32k Null Pointer De-reference Vulnerability
    Local authenticated vulnerability
  • CVE-2011-1231 – Win32k Null Pointer De-reference Vulnerability
    Local authenticated vulnerability
  • CVE-2011-1232 – Win32k Null Pointer De-reference Vulnerability
    Local authenticated vulnerability
  • CVE-2011-1233 – Win32k Null Pointer De-reference Vulnerability
    Local authenticated vulnerability
  • CVE-2011-1234 – Win32k Use After Free Vulnerability
    Local authenticated vulnerability
  • CVE-2011-1235 – Win32k Use After Free Vulnerability
    Local authenticated vulnerability
  • CVE-2011-1236 – Win32k Use After Free Vulnerability
    Local authenticated vulnerability
  • CVE-2011-1237 – Win32k Use After Free Vulnerability
    Local authenticated vulnerability
  • CVE-2011-1238 – Win32k Use After Free Vulnerability
    Local authenticated vulnerability
  • CVE-2011-1239 – Win32k Use After Free Vulnerability
    Local authenticated vulnerability
  • CVE-2011-1240 – Win32k Use After Free Vulnerability
    Local authenticated vulnerability
  • CVE-2011-1241 – Win32k Use After Free Vulnerability
    Local authenticated vulnerability
  • CVE-2011-1242 – Win32k Use After Free Vulnerability
    Local authenticated vulnerability

Microsoft Security Bulletins Coverage (Mar 08, 2011)

SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of March, 2011. A list of issues reported, along with SonicWALL coverage information follows:

MS11-015 Vulnerabilities in Windows Media Could Allow Remote Code Execution (2510030)

  • CVE-2011-0032 – DirectShow Insecure Library Loading Vulnerability
    IPS 5726 Possible Binary Planting Attempt
  • CVE-2011-0042 – DVR-MS Vulnerability
    IPS 6307 Malicious Video File 5b

MS11-016 Vulnerability in Microsoft Groove Could Allow Remote Code Execution (2494047)

  • CVE-2010-3146 – Microsoft Groove Insecure Library Loading Vulnerability
    IPS 5726 Possible Binary Planting Attempt

MS11-017 Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2508062)

  • CVE-2011-0029 – Remote Desktop Insecure Library Loading Vulnerability
    IPS 5726 Possible Binary Planting Attempt

IBM solidDB Authentication Bypass (April 8, 2011)

IBM solidDB is a relational database management system that combines an in-memory database with a traditional disk-based one. solidDB listens on two ports by default, TCP/1315 and TCP/2315. The format of the protocol used for network communication is proprietary and unpublished. However, it can be observed that all messages have a 15-byte header followed by the data portion. The message header has the following format:

    Offset    Size   Description
    --------  -----  -------------------------
    0x0000    1      Unknown
    0x0001    1      Unknown
    0x0002    1      Unknown
    0x0003    2      command type
    0x0005    2      Unknown
    0x0007    4      Unknown
    0x000b    4      byte order specification
    0x000f    ?      type-specific data

A breakdown of the type-specific data for the observed authentication related command follows:

    Offset    Size   Description
    --------  -----  -------------------------
    0x0000    4      Unknown
    0x0004    4      Unknown
    0x0008    4      username length
    0x000c    L      username
    0x000c+L  4      password hash length
    0x0010+L  M      password hash

An authentication bypass vulnerability exists in the IBM solidDB product. The server lets the remote client specify the password-hash length value, and any length value above 1 is accepted and used when validating the user-supplied password hash. By setting the password-hash length to the minimum accepted value, an attacker can force the server to compare only a few bytes of the hash; since a few bytes can take only a small number of possible values, authentication can be bypassed by trying all of them. A remote unauthenticated attacker may exploit this vulnerability by sending crafted messages with specially crafted password-hash length and hash fields. Successful exploitation would allow the attacker to bypass the authentication checks of the database server.
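The two layouts above are enough to write the kind of protocol-level check an IPS applies to this traffic: parse the header, decode the authentication payload with every client-supplied length bounded by the bytes actually present, and flag requests whose password-hash length is below what a genuine client would send. The Python below is an added example, not SonicWALL's signature logic; it assumes big-endian fields, a placeholder value for the authentication command type, and a minimum plausible hash length, none of which the report states.

```python
"""Parse IBM solidDB messages laid out as in the two tables above and flag
authentication requests whose password-hash length is implausibly short.

Added example, not SonicWALL's signature. Assumptions not stated in the
report: fields are big-endian, AUTH_COMMAND is a placeholder for the real
command-type value, and a genuine hash is at least MIN_HASH_LEN bytes.
"""
import struct
from dataclasses import dataclass
from typing import Optional

HEADER_LEN = 15
AUTH_COMMAND = 0x0001   # placeholder: the real command-type value is not in the report
MIN_HASH_LEN = 16       # assumption: shortest hash a legitimate client would send


@dataclass
class SolidMessage:
    command_type: int
    byte_order: int     # 4-byte "byte order specification"; semantics undocumented
    payload: bytes      # type-specific data starting at offset 0x0f


@dataclass
class AuthRequest:
    username: bytes
    hash_len: int
    password_hash: bytes


def parse_header(data: bytes) -> SolidMessage:
    """Split a raw message into the 15-byte header fields and the payload."""
    if len(data) < HEADER_LEN:
        raise ValueError("message shorter than the 15-byte header")
    command_type = struct.unpack_from(">H", data, 0x03)[0]
    byte_order = struct.unpack_from(">I", data, 0x0b)[0]
    return SolidMessage(command_type, byte_order, data[HEADER_LEN:])


def parse_auth(payload: bytes) -> AuthRequest:
    """Decode the type-specific data of an authentication command, checking
    every client-supplied length against the bytes actually present."""
    if len(payload) < 0x10:
        raise ValueError("auth payload truncated before hash length")
    name_len = struct.unpack_from(">I", payload, 0x08)[0]
    hash_len_off = 0x0c + name_len
    if hash_len_off + 4 > len(payload):
        raise ValueError("username length exceeds payload")
    username = payload[0x0c:hash_len_off]
    hash_len = struct.unpack_from(">I", payload, hash_len_off)[0]
    hash_off = 0x10 + name_len
    if hash_off + hash_len > len(payload):
        raise ValueError("hash length exceeds payload")
    return AuthRequest(username, hash_len, payload[hash_off:hash_off + hash_len])


def inspect(data: bytes) -> Optional[str]:
    """Return an alert for a suspicious authentication request, else None.
    The vulnerable server accepts any hash length above 1; the check here
    requires the full length a real client would send."""
    msg = parse_header(data)
    if msg.command_type != AUTH_COMMAND:
        return None
    try:
        auth = parse_auth(msg.payload)
    except ValueError as exc:
        return f"malformed auth request: {exc}"
    if auth.hash_len < MIN_HASH_LEN:
        return (f"truncated password hash for user {auth.username!r}: "
                f"{auth.hash_len} byte(s), expected at least {MIN_HASH_LEN}")
    return None


def _sample_message(username: bytes, password_hash: bytes) -> bytes:
    """Constructed sample traffic for exercising the checks; all fields the
    report marks Unknown are zero."""
    header = (b"\x00" * 3 + struct.pack(">H", AUTH_COMMAND)
              + b"\x00" * 6 + struct.pack(">I", 1))
    body = (b"\x00" * 8 + struct.pack(">I", len(username)) + username
            + struct.pack(">I", len(password_hash)) + password_hash)
    return header + body


if __name__ == "__main__":
    print(inspect(_sample_message(b"dba", b"\x5a" * 16)))   # None
    print(inspect(_sample_message(b"dba", b"\x5a\x5a")))    # alert
```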

SonicWall has released a new IPS signature to detect and block attack attempts targeting this vulnerability. The following signature was released:

  • 6422 – IBM solidDB solid.exe Authentication Bypass

Oficla spam on the rise (April 8, 2011)

The SonicWALL UTM Research team has observed an increase in spam campaigns carrying new variants of the Oficla Trojan over the last two weeks. These spam campaigns pose as tracking notices and delivery failure notices from various mailing services.

SonicWALL has received more than 700,000 e-mail copies from these spam campaigns so far. The e-mail messages in all of these campaigns carry a zip-archived attachment containing the new Oficla Trojan variant as an executable. A sample e-mail from each spam campaign is shown below:

Campaign #1 – United Parcel Service (UPS) tracking number spam starting March 28, 2011

– Fake UPS tracking notices with slightly different subject and body.

screenshot

Campaign #2 – Post Express notification spam starting March 28, 2011

– Fake delivery failure message containing a mailing label and invoice copy to pick up a package. Below is an example of one such e-mail:

screenshot

Campaign #3 – DHL Express spam March 30, 2011

– Fake DHL tracking notices

screenshot

Campaign #4 – Express Delivery notification spam starting April 6, 2011

– Fake Express Delivery tracking notices

screenshot

The executable files inside the attachment use the icons of popular formats such as MS Word and PDF to trick the user:

screenshot

If the user downloads and executes the malicious executable inside the zip attachment, it performs the following activities:

  • Connects to a malicious site zalupkin.ru and downloads Fake AV. It saves the downloaded file at the following location and executes it:
    • (Application Data)\emm.exe – Detected as GAV: Kryptik.MLA (Trojan)
  • Registry modification (shell spawning technique to run itself; the original value is shown first, then the modified value):
    • HKCR\exefile\shell\open\command @: "%1" %* → "(Application Data)\emm.exe" -a "%1" %*
    • HKLM\SOFTWARE\Clients\StartMenu\Internet\FIREFOX.EXE\shell\open\command: "C:\PROGRA~1\MOZILL~1\FIREFOX.EXE"
    • HKLM\SOFTWARE\Clients\StartMenu\Internet\FIREFOX.EXE\shell\open\command: "(Application Data)\emm.exe" -a "C:\PROGRA~1\MOZILL~1\FIREFOX.EXE"
    • HKLM\SOFTWARE\Clients\StartMenu\Internet\FIREFOX.EXE\shell\safemode\command: "C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -safe-mode"
    • HKLM\SOFTWARE\Clients\StartMenu\Internet\FIREFOX.EXE\shell\safemode\command: "(Application Data)\emm.exe" -a "C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -safe-mode"
    • HKLM\SOFTWARE\Clients\StartMenu\Internet\IEXPLORE.EXE\shell\open\command: "C:\Program Files\Internet Explorer\iexplore.exe"
    • HKLM\SOFTWARE\Clients\StartMenu\Internet\IEXPLORE.EXE\shell\open\command: "(Application Data)\emm.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"

    If the user attempts to open any of these application executables, it will show a fake infection warning as seen below:

    screenshot

  • Disables the Windows Automatic Updates feature by deleting the following registry entry:
    • HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
  • Deletes the original copy of the malware executable.
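The registry changes in this post, the Fakerean_7 shell-spawning and firewall keys above, and the Rayon DisallowRun entries can all be checked from a registry export rather than on a live machine. The Python below is an added example, not SonicWALL's detection logic: it parses a constructed .reg-style export (key paths follow the posts, the user name and blocked program names are illustrative) and reports the three tamper patterns.

```python
"""Audit a registry export for the tamper patterns in the Fakerean_7, Rayon and Oficla
posts. Added example, not SonicWALL's detection; the sample export is constructed."""
import re
from typing import Dict, List, Tuple

RegDump = Dict[str, Dict[str, object]]  # key path -> {value name: data}

# Constructed .reg-style sample: key paths follow the posts, the user name and
# blocked programs are illustrative; strings keep .reg escaping (\\ and \").
SAMPLE_REG = r'''
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\hxk.exe\" -a \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenu\Internet\FIREFOX.EXE\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\emm.exe\" -a \"C:\\PROGRA~1\\MOZILL~1\\FIREFOX.EXE\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenu\Internet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=dword:00000000
"DisableNotifications"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="procexp.exe"
"2"="HijackThis.exe"
'''

_VALUE_RE = re.compile(r'^(@|"(?P<name>(?:[^"\\]|\\.)*)")=(?P<data>.*)$')


def _unescape(s: str) -> str:
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text: str) -> RegDump:
    """Parse [key] sections and name=data lines; strings are unescaped, dwords become ints."""
    dump: RegDump = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            dump.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group("name"))
        data = m.group("data")
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            dump[current][name] = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            dump[current][name] = int(data[6:], 16)
        else:
            dump[current][name] = data
    return dump


def _launcher(command: str) -> str:
    """Program a command line starts with: the quoted path, else the first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def find_shell_hijacks(dump: RegDump) -> List[Tuple[str, str]]:
    """shell\open\command values that launch something other than their target: .exe and
    exefile must start with "%1"; Clients\StartMenu\Internet\<X.EXE> must launch <X.EXE>."""
    hits = []
    for key, values in dump.items():
        parts = key.split("\\")
        if len(parts) < 4 or [p.lower() for p in parts[-3:]] != ["shell", "open", "command"]:
            continue
        command = values.get("@")
        if not isinstance(command, str):
            continue
        owner, launcher = parts[-4].lower(), _launcher(command)
        if owner in (".exe", "exefile"):
            if launcher != "%1":
                hits.append((key, command))
        elif owner.endswith(".exe") and "internet" in [p.lower() for p in parts]:
            if launcher.rsplit("\\", 1)[-1].lower() != owner:
                hits.append((key, command))
    return hits


def find_firewall_tampering(dump: RegDump) -> List[str]:
    """FirewallPolicy profiles with the firewall turned off or its notifications silenced."""
    hits = []
    for key, values in dump.items():
        if "firewallpolicy" in key.lower():
            if values.get("EnableFirewall") == 0:
                hits.append(f"{key}: EnableFirewall=0")
            if values.get("DisableNotifications") == 1:
                hits.append(f"{key}: DisableNotifications=1")
    return hits


def find_disallow_run(dump: RegDump) -> List[str]:
    """Program names blocked by the Explorer DisallowRun policy (Rayon lists security tools)."""
    return sorted(str(v) for key, values in dump.items()
                  if key.lower().endswith("\\policies\\explorer\\disallowrun")
                  for n, v in values.items() if n != "@")
```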

More fake infection warnings forcing user to buy the rogue application:

screenshot

screenshot

screenshot

SonicWALL Gateway AntiVirus provides protection against the above spam campaigns with the following signatures:

  • GAV: Oficla.CE#email_2 (Trojan) [599,897 hits]
  • GAV: Oficla.AC (Trojan) [105,518 hits]
  • GAV: Oficla.AE_3 (Trojan) [60,962 hits]
  • GAV: Oficla.MKD (Trojan) [27,559 hits]

Mass SQL Injection Leads to FakeAV (April 1, 2011)

The SonicWALL UTM Research team received reports of a mass SQL injection affecting millions of websites. It is likely that the back-end databases of these websites were compromised, leading to this SQL injection.

Malicious script code was inserted into, and served from, the affected web pages; when triggered it redirects to a malicious link that serves FakeAV malware.

The following are some of the reported malicious URLs inserted into compromised web pages:

  • alexblane(dot)com/ur.php
  • alisa-carter(dot)com/ur.php
  • books-loader(dot)info/ur.php
  • lizamoon(dot)com/ur.php
  • milapop(dot)com/ur.php
  • t6ryt56(dot)info/ur.php
  • tadygus(dot)com/ur.php
  • Worid-of-books(dot)com/ur.php

All of these URLs resolve to a single IP:

  • 91.213.29.182

Malicious codes were inserted as shown in the image below:

    screenshot

Google result shows some of the websites that were compromised:

    screenshot

    screenshot

When a user clicks on these links, they will be redirected to a malicious website that serves FakeAV.

    screenshot

    screenshot

Eventually, it will serve the malicious file for download as freesystemscan.exe as shown in this instance. The filename however can change over time.

    screenshot

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: ScrInject.UR (Trojan)
  • GAV: Suspicious#asprotect (Trojan)

Cisco Secure Desktop Vulnerability (March 31, 2011)

Cisco Secure Desktop (CSD) is a multipurpose client-side VPN software. It seeks to minimize the risk of information being left after an SSL VPN session terminates. CSD’s goal is to reduce the possibility that cookies, browser history, temporary files, and downloaded content remain on a system after a remote user logs out or an SSL VPN session times out.

CSDWebInstaller is an ActiveX component of CSD that allows the download and installation of any executable that is digitally signed by Cisco.

A remote code execution vulnerability exists in Cisco Secure Desktop. Specifically, the vulnerability is due to a design error in the CSDWebInstaller ActiveX control that allows the digital signature validation to be bypassed.

An attacker can exploit this vulnerability by enticing a user to visit a crafted web page that instantiates the vulnerable ActiveX control and downloads a malicious executable. Successful exploitation would allow arbitrary code execution with the privileges of the currently logged-in user.

The vulnerability has been assigned as CVE-2011-0926.

SonicWALL has released an IPS signature to detect and block known exploits targeting this vulnerability. The following signature was released to address this issue:

  • 6399 – Cisco Secure Desktop CSDWebInstaller ActiveX Control Instantiation

Delf.EP Trojan steals online banking passwords (Mar 25, 2011)

The SonicWALL UTM research team received reports of a new online banking Trojan in the wild. The Trojan’s sole purpose is to steal security credentials used to manage various online banking accounts. The Trojan targets sites such as PayPal, MasterCard and Citibank. It is aimed at Brazilian users, although users in other countries can also be affected.

The Trojan’s activity once it has compromised a machine is quite simple. It makes only a single modification to the file system once it has run.

The Trojan makes the following POST and GET requests to a remote webserver:

The Trojan downloads a hosts.txt from the remote webserver and places it at:

  • C:\WINDOWS\system32\drivers\etc\hosts

The downloaded hosts file maps a long list of banking, payment and webmail domains to a single IP address:


This hosts file points all of those domains to the IP address of a malicious web server (69.162.122.215). The malicious web server hosts a copy of the pages at each of the original sites. It should be noted that none of the redirected sites uses the HTTPS protocol for secure communication.
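The hosts-file pharming described above can be detected without knowing the attacker's address in advance: a public domain pinned to any non-local IP overrides DNS, and many unrelated brands pinned to the same remote address is exactly this Trojan's pattern. The Python below is an added example, not SonicWALL's logic; its sample hosts lines are constructed from a few of the entries in the report.

```python
"""Flag hosts-file entries that pin public domains to a remote address, the
pharming technique used by Delf.EP. Added example, not SonicWALL's logic."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: the two default loopback lines plus a few of the
# injected entries quoted in the report.
SAMPLE_HOSTS = """\
# default entries
127.0.0.1       localhost
::1             localhost
69.162.122.215 www.bb.com.br
69.162.122.215 www.paypal.com
69.162.122.215 paypal.com
69.162.122.215 www.mastercard.com
69.162.122.215 login.live.com
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return one (ip, hostname) pair per hostname, ignoring comments,
    blank lines and lines whose first field is not an IP address."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.extend((fields[0], name.lower()) for name in fields[1:])
    return entries


def is_local_target(ip: str) -> bool:
    """Loopback, unspecified, link-local and private targets are the normal
    contents of a hosts file; anything else overrides public DNS."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified or addr.is_link_local or addr.is_private


def public_overrides(text: str) -> Dict[str, List[str]]:
    """Group hostnames by the non-local IP they are pinned to."""
    by_ip: Dict[str, List[str]] = defaultdict(list)
    for ip, name in parse_hosts(text):
        if not is_local_target(ip):
            by_ip[ip].append(name)
    return dict(by_ip)


def pharming_alerts(text: str, min_domains: int = 2) -> List[str]:
    """One alert per remote IP that overrides at least min_domains hostnames;
    many unrelated brands on one address is the Delf.EP pattern."""
    return [f"{ip} overrides {len(names)} public hostnames: {', '.join(sorted(names))}"
            for ip, names in public_overrides(text).items() if len(names) >= min_domains]
```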

The screenshot below shows a non-HTTPS Brazilian copy of paypal.com hosted on the malicious web server:

Upon entering the username and password the following message box is displayed:

The screenshot below shows the default malicious page loaded for mastercard.com. This page requests credit card information in order to obtain certain benefits:

Upon submitting the requested information the following page is displayed:

Translation:

      Congratulations, your MasterCard was successfully registered in our database!
      Now you compete for prizes every month up to $ 500,000.00 (Five Hundred Thousand Dollars), and $ 50.00 each in
      purchases made with your MasterCard, you earn 01 point to exchange for goods or services
      our partners.
      Warning: Though it was already participating in, your login will be released only after the next billing cycle.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Delf.EP (Trojan)