Posts

Valentine's day FakeAV woes (Feb 11, 2011)

SonicWALL UTM Research team discovered instances of polluted results appearing in search engine results for Valentine’s Day related search terms. Malware authors often use SEO poisoning campaigns to lure unsuspecting users into following malicious links strategically placed in search engine results. We observed similar campaigns in the past for “Wikileaks” and “Holiday Shopping” related keywords. It is evident from the new instances of polluted results that the malware authors have updated their landing page and the associated FakeAV executables. The search term “Valentines Day Gifts” leads users to the polluted search result shown below:

screenshot

If the user clicks the malicious link in the search results, the following happens on the victim’s machine:

  • The initial link redirects users to a FakeAV landing page.

    screenshot

  • If the user downloads and runs the FakeAV executable, it performs the following on the victim’s machine:
    • Drops the following files:
      • %USERPROFILE%\Application Data\fPgHcEm13400\fPgHcEm13400.exe (Copy of Itself) [Detected as FakeAlert.MHF (Trojan)]
      • %USERPROFILE%\Application Data\fPgHcEm13400\fPgHcEm13400

    • Creates the following registry entry to ensure that the dropped malware runs on every system reboot:
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce: “fPgHcEm13400: %USERPROFILE%\Application Data\fPgHcEm13400\fPgHcEm13400.exe”
    • It changes the wallpaper to an image carrying the following text:
      • WARNING!
        YOU’RE IN DANGER!
        YOUR COMPUTER IS INFECTED WITH SPYWARE!

        ALL YOU DO WITH COMPUTER IS STORED FOREVER IN YOUR HARD DISK.
        WHEN YOU VISIT SITES,SEND EMAIL… ALL YOUR ACTIONS ARE
        LOGGED. AND IT IS IMPOSSIBLE TO REMOVE THEM WITH STANDARD TOOLS. YOUR DATA IS STILL AVAILABLE FOR FORENSICS. AND IN SOME CASES

        FOR YOUR BOSS, YOUR FRIENDS, YOUR WIFE, YOUR CHILDREN.
        Every site you or somebody or even something , like spyware, opened in your browsers,
        with all the images, and all the downloaded and maybe later removed movies or mp3 songs –
        ARE STILL THERE and could break your life !

        SECURE YOURSEFL RIGHT NOW! REMOVE ALL SPYWARE FROM YOUR PC!

    • It launches fake scans and when the user attempts to clean the machine a screen is displayed asking for credit card and personal information:

        screenshot

SonicWALL Gateway AntiVirus provided protection against this threat via the following signatures:

GAV: FakeAlert.MHF (Trojan)

The holiday season has passed (Feb 03, 2011)

One month after Christmas and New Year’s Day, has everybody come back to work? Of course: there is no more shopping, surfing online and gossiping. Let’s get the proof.

First, let’s check the most popular regular online applications people have been using over the last couple of months. People like surfing everywhere, including shopping websites, so web analytics applications such as Google Analytics are no doubt among the most popular; people like social networking, such as Facebook; network security is a concern, so people download more software security updates, such as Microsoft Windows Updates. Let’s see how people used them during the holidays compared to before and after. The spike for these applications started on Nov 15th 2010, grew gradually, topped on Dec 14th 2010, and dropped sharply on Dec 17th 2010. The number of hits is almost 14 times that of a regular work day.

Application Hits

Second, let’s see the IM, P2P and multimedia software people like. People still like eMule and BitTorrent to download software and movies; people like multimedia streams such as Shockwave Flash (SWF), PPStream and YouTube; people like Skype and Windows Live Messenger to chat online. The following is the graph for IM, P2P and multimedia online software during the last few months. The spike for IM, P2P and multimedia started on Nov 16th 2010, grew gradually, topped on Dec 13th 2010, and dropped sharply on Dec 16th 2010. The number of hits is almost 8 times that of a regular work day.

IM P2P Multimedia Hits

Third, hackers are happy too, as they have time to have fun, post more malicious web pages, find more targets, and make some money… OK, let’s take a look. The spike started on Nov 11th 2010, grew gradually, topped on Dec 13th 2010, and dropped sharply on Dec 16th 2010. The number of hits is almost 80 times that of a regular work day.

IPS Hits

Fourth, Trojans and viruses were not spread so widely during the holiday season. Let’s take a look. The spike started on Nov 18th 2010, grew slowly, topped on Dec 15th 2010, and dropped sharply on Dec 16th 2010. The number of hits is almost 6 times that of a regular work day.

GAV Hits

Guys, back to work. Don’t you see the traffic is back to normal?

PornoBlocker – Trojan Ransomware (Jan 27, 2011)

SonicWALL UTM Research team received reports of a new variant of Trojan Ransomware seen in the wild. The Trojan locks down the system and asks the user to send money via premium SMS in Russia to receive the unlock code.

Process of Infection:

An unsuspecting user may download the Trojan from malicious websites. The screenshot below shows the Trojan using a movie icon.

screenshot

Once installed, the Trojan will lock down the system by displaying the image below:

screenshot

Below is the rough translation of the image:

    Attention!!!

    Your Operating System is blocked for violation of Internet usage.

    We discovered the following violations: visiting pornographic sites with elements of child porn, rape and bestiality. Storage of video files containing porn with presence of under-aged, rape, bestiality etc.

    Usage of pirated software.

    This block is intended to prevent the possibility of spreading this material over the internet.
    To remove this block you must:

    Replenish Beeline account number:
    8-903-202-99-12
    For the amount of 400 rubles

    After the payment on your receipt you will find a code, which you should enter in the field below

    When your system is unblocked you must remove all the illegal materials from your device.

    ENTER THE CODE:

The Trojan alleges that the user engages in illegal activities and possesses materials that violate Internet usage rules, and that this is the reason for the system lock-down. The message is of course a scam, and simply the Trojan’s way of extorting money from the user.

Interestingly, the unlock code is embedded in the malware and can be used to regain control of the system. Some of the unlock codes seen on different variants of this malware are the following:

  • 8875510
  • 8095147
  • 3796054

After unlocking the system, the malware will delete itself.

Installation:

Drops a copy of itself:

  • %Windows%\usrinit.exe – [ detected as GAV: PornoBlocker.DMQ (Trojan) ]

Registry Changes:

Modifies the registry entry below to ensure that the dropped copy of the malware starts on every system reboot:

  • Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    Value: Userinit
    Old Data: “C:\WINDOWS\system32\userinit.exe,”
    New Data: “C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\usrinit.exe”

Other System Modification:

Terminates the following process:

  • Task Manager

SonicWALL Gateway AntiVirus provides protection against this Trojan via the following signatures:

GAV: PornoBlocker.DMQ (Trojan)
GAV: PornoBlocker.DMS (Trojan)
GAV: LockScreen.P (Trojan)

RealNetworks RealPlayer Code Execution Vulnerability (Jan 25, 2011)

RealPlayer is a closed-source, cross-platform media player by RealNetworks that plays a number of multimedia formats including MP3, MPEG-4, QuickTime, Windows Media, and multiple versions of the proprietary RealAudio and RealVideo formats. The application can play media files from the local file system or from network servers.

RealPlayer can be bundled with ActiveX controls and plug-ins that implement various functions. One of these controls, IERPPlugin, is implemented in the library ierpplug.dll. It is associated with CLSID “FDC7A535-4070-4B92-A0EA-D9994BCC0DC5” and ProgID “IERPCtl.IERPCtl.1”. The control can be instantiated in a web page with an <object> tag referencing that CLSID, or via scripting using the ProgID, for example:

obj = new ActiveXObject("IERPCtl.IERPCtl.1")

The IERPPlugin ActiveX control exposes a set of methods and properties that allow HTML pages to play media using the RealPlayer client. One of these methods, RecordClip(), invokes the RecordingManager.exe utility installed with RealPlayer. The syntax of this method is shown below:

RecordClip (String url, String mimeType, String clipInfo)

RecordingManager.exe, which is invoked by RecordClip(), is the Web Download and Recording Manager component of RealPlayer. This component can be used to monitor, pause, or stop media downloads. The executable accepts a URL to a media file as an argument. By default, RecordingManager’s command-line switches are not accessible through the RecordClip() method of IERPPlugin.

A code execution vulnerability exists in RealPlayer IERPPlugin ActiveX control. The vulnerability is due to improper validation of the url parameter passed to the RecordClip() method of the ActiveX Control. An attacker may leverage this vulnerability to download arbitrary files on any location on the target host.

SonicWALL UTM Research team has investigated this vulnerability and created the following IPS signature to detect/prevent the attacks addressing this issue:

  • 6146 RealNetworks RealPlayer Injection Code Execution Attempt

This vulnerability has been assigned the identifier CVE-2010-3749.

HP NNM Template Format String Flaw (Jan 21, 2011)

HP OpenView consists of a suite of network and system management software applications developed by HP. It includes several optional modules and components, such as OpenView Quality Manager, OpenView Performance Insight, and OpenView Network Node Manager.

The HP OpenView Network Node Manager (NNM) supplies several CGI applications to provide a management interface to the NNM server. These CGI applications include OpenView.exe, nnmRptConfig.exe, and nnmRptPresenter.exe among others. With these applications, users can control and manage the NNM server, as well as access command-line applications, using a web browser.

NNM is shipped with a number of report template files having the .rpt extension. The CGI application nnmRptConfig.exe is used to configure report generation by NNM. It uses various predefined templates and allows users to specify how frequently reports should be generated, where to send them, what outgoing SMTP server to use, etc. This application can be accessed by a web browser. An example HTTP GET request to this application follows:

    GET /OvCgi/nnmRptConfig.exe?Content&Action=Create&Template=Avail/GenAvail&Operation=Apply&Params=schdParams+nameParams&schdParams=schd_select1%3Dmonthtodate&nameParams=text1%3DGeneral+Availability%26text2%3Dtmp%40tmp.com%26text3%3D10.0.15.12 HTTP/1.1
    Host: 10.0.15.78
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate

A format string code execution vulnerability exists in the NNM CGI program nnmRptConfig.exe. The vulnerability is due to insufficient input validation when handling one of the CGI parameters in HTTP requests. During message handling the vulnerable code uses an sprintf-like function to copy a value string into a stack buffer. The code does not perform any validation on the user-supplied string and uses it as part of the format string. Thus, if the string contains format conversion specifiers, they are processed by the sprintf-like function instead of being copied verbatim into the target buffer.

Using certain format specifiers could lead to attacker-controlled memory corruption which can be exploited to inject and execute arbitrary code on the target server. A remote unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP request to a target server. Successful exploitation could result in execution of arbitrary code within the security context of the Internet Guest Account user.
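Because the dangerous input is a CGI parameter value, a network-side check can decode the query string and look for printf-style conversion specifiers in each value, at every decoding depth, since nnmRptConfig.exe nests URL-encoded parameters inside parameters. The following Python is an added example of that detection logic and is not SonicWALL’s signature or HP’s code; the benign request is the one from the write-up, while the two suspicious requests and the bounded-decoding limit are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# A printf-style conversion specification: flags, width, precision, optional
# length modifier, conversion character. "%n" writes to memory; "%x", "%p" and
# "%s" read from it. A literal "%%" is not a conversion and does not match.
FORMAT_SPEC = re.compile(
    r"%[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?(?:hh|h|ll|l|L)?[diouxXeEfFgGcspn]"
)

MAX_DECODE_PASSES = 3  # assumed bound: nnmRptConfig.exe nests encoded parameters inside parameters


def decode_layers(value):
    """Yield the value as received, then after each further round of URL
    decoding, until decoding stops changing it or the pass limit is reached.
    Bounded decoding catches double-encoded input without looping forever."""
    yield value
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote_plus(value)
        if decoded == value:
            return
        value = decoded
        yield value


def find_format_specifiers(request_line):
    """Inspect the CGI query string of an HTTP request line and return one
    (parameter, decoded_value, specifier) tuple for every parameter whose value,
    at any decoding depth, contains a printf-style conversion specifier."""
    _method, target, _version = request_line.split(" ", 2)
    findings = []
    # parse_qsl performs the first round of URL decoding itself
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        for layer in decode_layers(value):
            match = FORMAT_SPEC.search(layer)
            if match:
                findings.append((name, layer, match.group(0)))
                break  # one finding per parameter is enough to alert
    return findings


def is_nnm_rptconfig_request(request_line):
    """True when the request targets the vulnerable CGI program."""
    _method, target, _version = request_line.split(" ", 2)
    return urlsplit(target).path.lower().endswith("/ovcgi/nnmrptconfig.exe")


# Constructed samples: the benign request from the write-up, one request with a
# "%n" conversion specifier hidden in nameParams, and one double-encoded variant.
BENIGN = ("GET /OvCgi/nnmRptConfig.exe?Content&Action=Create&Template=Avail/GenAvail"
          "&Operation=Apply&Params=schdParams+nameParams&schdParams=schd_select1%3Dmonthtodate"
          "&nameParams=text1%3DGeneral+Availability%26text2%3Dtmp%40tmp.com%26text3%3D10.0.15.12 HTTP/1.1")
SUSPICIOUS = ("GET /OvCgi/nnmRptConfig.exe?Content&Action=Create&Template=Avail/GenAvail"
              "&nameParams=text1%3D%25n%25n%25x HTTP/1.1")
DOUBLE_ENCODED = "GET /OvCgi/nnmRptConfig.exe?Content&nameParams=text1%3D%2525n HTTP/1.1"

if __name__ == "__main__":
    for req in (BENIGN, SUSPICIOUS, DOUBLE_ENCODED):
        hits = find_format_specifiers(req) if is_nnm_rptconfig_request(req) else []
        print("ALERT" if hits else "ok   ", hits)
```

The benign request contains `%3D`, `%26` and `%40`, which decode to `=`, `&` and `@` and never form a conversion specifier, so it produces no finding; the other two requests are flagged on the first decoding layer at which a specifier appears.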

SonicWALL has released an IPS signature to address generic exploit attempts targeting this vulnerability. The following signature has been released to address this issue:

  • 6145 – HP OpenView Network Node Manager Format String Attempt

In addition to this targeted detection effort, SonicWALL has numerous IPS signatures that proactively target format string attacks against vulnerabilities such as this one.

This vulnerability has been assigned the identifier CVE-2011-0270 by MITRE.

Malicious PDF spreading in the wild (Jan 20, 2011)

SonicWALL UTM Research team observed a new malicious PDF spreading in the wild. It is distributed as an attachment to spam e-mails. An e-mail carrying the malicious PDF is shown below:

screenshot

If the user saves the attached PDF and opens it, it delivers a malicious payload using an exploit against Adobe Acrobat Reader. This payload in turn downloads secondary malware.

  • The PDF contains a producer section which is encrypted. This encrypted producer section is decrypted at runtime with the script embedded in the PDF file.

    screenshot

  • The encrypted producer section of PDF file decrypts to a script that serves the payload. This script uses an appropriate exploit technique to deliver the payload depending on the version of Adobe Acrobat Reader being used.

    screenshot

  • On inspection of the payload used in the script we observed secondary malware being downloaded from a remote location.

    screenshot

  • On execution, the payload downloads and executes the following malicious file:

    • us01.exe [Detected as GAV: Kryptik.JKT (Trojan)]
  • The downloaded file performs the following activities on the victim’s machine:

    • It creates the following files
      • %UserProfile%\Application Data\Muitirfyoci.exe (Copy of itself) [Detected as GAV: Kryptik.JKT (Trojan)]
      • %UserProfile%\Application Data\Ylaqozuzpa.lyz
    • It attempts to connect to randomly created domain names
      • screenshot

    • It creates the following registry key to ensure re-infection on system restart
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: “%UserProfile%\Application Data\Muitirfyoci.exe”
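A first-pass triage of a PDF attachment like this one does not need the exploit itself: it can count the name objects that mark active content (resolving the `#xx` hex escapes that obfuscated files use to hide them) and check whether the document’s Producer string looks like an encoded blob rather than a tool name, which is the pattern described above. The following Python is an added example, not SonicWALL’s or Adobe’s code; both PDF byte strings are constructed for the demonstration and the Producer thresholds are assumptions.

```python
import re
from collections import Counter

# Name objects that mark active content or payload delivery in a PDF. A name may be
# written with #xx hex escapes (/J#53 is /JS), so names are normalised before counting.
WATCHED_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile")

NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]+")          # a name runs to the next delimiter
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
PRODUCER = re.compile(rb"/Producer\s*(?:\((?P<lit>.*?)(?<!\\)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)", re.S)


def normalise_name(raw):
    """Resolve #xx escapes so obfuscated and plain spellings count as one name."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def count_names(pdf_bytes):
    counts = Counter()
    for m in NAME_TOKEN.finditer(pdf_bytes):
        name = normalise_name(m.group(0))
        if name in WATCHED_NAMES:
            counts[name] += 1
    return counts


def producer_value(pdf_bytes):
    """The Producer string from the document info dictionary (literal or hex form), or None."""
    m = PRODUCER.search(pdf_bytes)
    if not m:
        return None
    if m.group("lit") is not None:
        return m.group("lit")
    return bytes.fromhex(m.group("hex").decode("ascii"))


def producer_is_suspicious(value, max_len=100, max_nonprintable=0.3):
    """A legitimate Producer is a short tool name; a long or binary-looking value is
    consistent with the sample above, which hides an encrypted blob there for its
    script to decode at open time. Thresholds are assumptions to tune locally."""
    if value is None:
        return False
    if len(value) > max_len:
        return True
    nonprintable = sum(1 for b in value if b < 0x20 or b > 0x7E)
    return nonprintable / max(len(value), 1) > max_nonprintable


def triage(pdf_bytes):
    """Return (verdict, reasons). Object streams are not unpacked; this is a cheap
    filter that decides whether a file deserves sandbox or analyst time."""
    counts = count_names(pdf_bytes)
    producer = producer_value(pdf_bytes)
    reasons = [f"{name} x{n}" for name, n in sorted(counts.items())]
    has_script = counts["/JS"] + counts["/JavaScript"] > 0
    has_trigger = counts["/OpenAction"] + counts["/AA"] > 0
    suspicious = (has_script and has_trigger) or counts["/Launch"] > 0
    if producer_is_suspicious(producer):
        reasons.append("Producer string looks like an encoded blob")
        suspicious = True
    return ("suspicious" if suspicious else "no active content"), reasons


# Constructed samples: a minimal clean document, and one that mimics the write-up's
# structure (script auto-run via /OpenAction, escaped names, binary Producer string).
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Producer (Example Writer 1.0) >> endobj
trailer << /Root 1 0 R /Info 4 0 R >>
%%EOF"""

MALICIOUS_PDF = (b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Producer (""" + b"\x8a\x01\xf3" * 40 + b""") >> endobj
5 0 obj << /S /Java#53cript /J#53 (/* decoder for the Producer blob would sit here */) >> endobj
trailer << /Root 1 0 R /Info 4 0 R >>
%%EOF""")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_PDF), ("malicious", MALICIOUS_PDF)):
        verdict, reasons = triage(sample)
        print(f"{label}: {verdict} {reasons}")
```

The check deliberately treats script plus an automatic trigger (`/OpenAction` or `/AA`) as the alerting combination, since a document with JavaScript but no trigger, or a trigger that only opens a page, is common in legitimate forms.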

SonicWALL Gateway AntiVirus provided protection against this threat via the following signatures:

GAV: Pdfka.EML (Trojan)
GAV: Kryptik.JKT (Trojan)

Orz.A Trojan (Jan 14, 2011)

SonicWALL UTM Research team received reports of a new Trojan spreading in the wild. Once on a system it appears to post potentially sensitive information to a remote web server. In the background it installs a copy of the “Super Rabbit” system configuration software, without user interaction or consent.

The Trojan makes DNS queries to the following hosts:

  • download.youbak.com
  • tj.pctutu.net
  • srtj.pctutu.net

The Trojan makes a request to download a silent installer for the software “Super Rabbit”:

  • http://121.15.221.{removed}/soft/113/sr_v9_mini.exe

The Trojan and silent installer make the following modifications to the system:

screenshot

The Trojan sends potentially sensitive information to a remote site using an HTTP POST request:

screenshot

SonicWALL Gateway AntiVirus provides protection against this Trojan via the following signatures:

GAV: Orz.A (Trojan)

Microsoft Security Bulletins Coverage (Jan 11, 2010)

SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of January, 2011. A list of issues reported, along with SonicWALL coverage information follows:

MS11-001 Vulnerability in Windows Backup Manager Could Allow Remote Code Execution (2478935)

  • CVE-2010-3145 – Backup Manager Insecure Library Loading Vulnerability
    IPS 5726 Possible Binary Planting Attempt

MS11-002 Vulnerabilities in Microsoft Data Access Components Could Allow Remote Code Execution (2451910)

  • CVE-2011-0026 – DSN Overflow Vulnerability
    Note: An API vulnerability. Microsoft products are not affected by this issue. There are no third party products known to be affected.
  • CVE-2011-0027 – ADO Record Memory Vulnerability
    IPS 6130 MS DAO Record Memory Corruption Exploit

HP Photo Creative audio.Record ActiveX Stack BO (Jan 7, 2011)

HP Photo Creations is free software that helps the user create photo books, calendars, collages, greeting cards and other keepsakes that can be printed or shipped to the user. HP Photo Creations can automatically make beautiful keepsakes or help the user customize keepsakes with over 1,800 high-quality artwork designs, 1,300 placeable graphics, placeable text boxes, custom fonts, borders, and dozens of photo editing tools.

While installing HP Photo Creative, an ActiveX control, audio.Record, is also installed and registered. This control contains various audio processing functions, such as recording, resampling, importing, etc. The registered ActiveX control is associated with CLSID “3EEEBC9A-580F-46EF-81D9-55510266413D” and ProgID “audio.Record”. It can be instantiated in a web page with an <object> tag referencing that CLSID, or via scripting using the ProgID.

The ActiveX control audio.Record provides several audio functions; Resample is one of them. The prototype of this function is shown below:

Resample(String in, String out, Int32 options)

A stack-based buffer overflow vulnerability exists in the HP Photo Creative ActiveX control audio.Record. The vulnerability is due to a boundary check error while processing an argument passed to the Resample function. As a result, an overly long string can overflow the buffer and overwrite other values on the stack. Successful exploitation would result in arbitrary code injection and execution with the privileges of the currently logged-in user.

SonicWALL UTM research team has investigated this vulnerability and created the following signature to prevent/detect the attack attempts addressing this issue:

  • 6120 HP Photo Creative audio.Record ActiveX Stack BO

This vulnerability is referenced by Bugtraq ID 45631.

Yimfoca Worm Spreading in the Wild (Jan 4, 2011)

SonicWALL UTM Research team received reports of a new variant of an IM worm spreading in the wild. It propagates through instant messaging applications such as Yahoo Messenger, AIM and MSN, as well as through the social networking site Facebook. Multiple rogue Facebook applications reportedly led to this worm; they have since been taken down.

Process of Infection:

An unsuspecting user receives, via an instant messaging application and from an infected machine, a message inviting them to view a picture purportedly hosted on facebook.com. A sample of the suspicious message sent via MSN is shown below:

screenshot

Once the user clicks on the link, it will redirect the user to this facebook.com page:

screenshot

This is a legitimate facebook.com page, the one normally shown when a third-party link is clicked from within Facebook. However, when the user clicks the Continue button, the user is directed to the malicious website.

A screenshot of the malicious website is shown below:

screenshot

The site is designed to make it appear that the user is still browsing within Facebook, although the URL shows otherwise. It also claims that the picture the user wants to see has been moved and that the “View Photo” button must be clicked to see it. Clicking the button downloads the malicious IM worm.

Installation:

Drops a copy of itself:

  • %Windows%\nvsvc32.exe – [ detected as GAV: Yimfoca.AA_3 (Worm) ]

Downloads malware component:

  • C:\WINDOWS\ndl.dl
  • C:\WINDOWS\wibrf.jpg
  • C:\WINDOWS\wiybr.png

Creates Mutex to ensure that only one instance of the application runs in the system:

  • Nvidia Drive Mon

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

Registry Changes:

It adds the following registry entries to ensure that the dropped copy of the malware starts on every system reboot:

  • Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] Value: “NVIDIA driver monitor”
    Data: “"c:\windows\nvsvc32.exe"”
  • Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] Value: “NVIDIA driver monitor”
    Data: “"c:\windows\nvsvc32.exe"”
  • Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run] Value: “NVIDIA driver monitor”
    Data: “"c:\windows\nvsvc32.exe"”

Adds following registry entry to bypass firewall restrictions:

  • Key: [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] Value: “c:\windows\nvsvc32.exe”
    Data: “c:\windows\nvsvc32.exe:*:Enabled:NVIDIA driver monitor”

Command & Control (C&C) Server connection:

    Upon successful installation, it tries to connect to a remote server to receive further instruction:
    Remote Server: 75.102.21.13

    This worm will also join the following IRC Channel to receive instruction:

    • #!nn

    The screenshot below shows the IRC communication:

    screenshot

Backdoor Functionality:

  • Spread via instant messaging
  • Update itself
  • Remove itself
  • Download and execute files

Network Activity:

DNS Requests:

  • 13.21.102.75
  • 18.149.220.66
  • 237.181.44.132
  • ale.pakibili.com
  • api.albertoshistory.info
  • astro.ic.ac.uk
  • insidehighered.com
  • journalofaccountancy.com
  • mas.0730ip.com
  • stayontime.info
  • transnationale.org
  • versatek.com
  • www.shearman.com

FTP Server:

  • ftp.phoenix-cc.net

Propagation:

This worm propagates via the following platforms:

    Instant Messaging Application:

    • AIM
    • MSN
    • Yahoo Messenger

    Social Networking site:

    • Facebook

Other System Modification:

Terminates the following services:

  • Microsoft Malware Protection Service – MsMpSvc
  • Windows AutoUpdate Service – wuauserv

SonicWALL Gateway AntiVirus provides protection against this worm via the following signatures:

GAV: Yimfoca.AA_3 (Worm)
