SonicWALL UTM Research team has been monitoring fake desktop utilities since mid October. While we continue to see new variants of Fake Antivirus every day, this is a new approach adapted by Fake AV authors to target unwitting users. These fake utilities may arrive by spammed e-mails or via drive-by downloads from compromised sites similar to Fake AV.

We have received multiple variants of fake desktop utilities till now that includes – Disk Doctor, Windows Defrag, Disk Scanner, Control Panel, Utility Manager etc. The agenda is pretty much similar to the Fake AV – infect the computer, scare the user with fake errors, and make them purchase a product to fix the errors.

As you can see above they use fake icon and file information to masquerade as legitimate utilities. Below are some screenshots showing the fake desktop utilities in action:

In addition to the above activity, some of the newer variants were randomly generating “hard drive problem” alerts whenever user attempts to open any application post infection.

If the user falls for the trap and attempts to buy the software, it loads a fake address bar image containing SSL certificate information and the secure lock image in the same product window further assuring user of a safe legitimate transaction. In the background it attempts to connect to the landing site which has been taken off at the time of writing this alert.

SonicWALL Gateway AntiVirus provided protection against these fake utilities via following signatures:

GAV: Suspicious#fakeav_17 (Trojan) [ ~900,000 hits ]
GAV: Suspicious#fakeav_16 (Trojan) [ ~5,000 hits ]

SonicWALL UTM Research team discovered instances of polluted results appearing in search engine results for Wikileaks related search terms. Malware authors often use SEO poisoning campaigns to lure unsuspecting users in to clicking on malicious links strategically placed in search engine results. This technique has been traditionally used by Malware authors in Black Hat SEO campaigns around all major events. However this is the first time we have observed Wikileaks related terms being used in Black Hat SEO campaigns. The search term “Julian Assange Wikileaks” leads users to the polluted search result shown below:

If the user clicks on the malicious link in the search results then it performs the following on the victim’s machine:

• The initial link redirects users to a FakeAV landing page.

  

• If the user downloads and runs the FakeAV executable then it performs the following on the victim’s machine:
  • Drops the following files:
  • %temp%/systempack8_195.exe (Copy of Itself) [Detected as GAV: Kryptik.IXE (Trojan)]
  • %USERPROFILE%/Application Data/7b4dd2/IA7b4_195.exe [Detected as GAV: Suspicious#fakeav_2 (Trojan)]
  • Creates the following registry entry to ensure that the dropped malware runs on every system reboot:
    • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnce: “%temp%/systempack8_195.exe”

Cyber criminals may be using the popularity garnered by wikileaks to their advantage as also observed from the mirror listing site “wikileaks.info” which is hosted in an address space known to be under the control of cyber criminals. Although the hosted site has not been found serving any malicious content so far we advise users to exercise caution visiting this domain.

SonicWALL Gateway AntiVirus provided protection against this threat via following signatures:

GAV: Kryptik.IXE (Trojan)
GAV: GAV: Suspicious#fakeav_2 (Trojan)

HP OpenView Storage Data Protector is a backup solution for enterprise and distributed environments. It consists of a Cell Manager, backup agents, and backup device servers. The Cell Manager is the central point from which backup agents and device servers are administered, and backup and restore operations are controlled.

The Media Management Daemon service runs on the Cell Manager and controls media management and device operations. It provides features such as protection against accidental overwrites, capability of transferring all media-related catalog from one Cell Manager to another, tracking of all media including the status of each medium, etc. The server listens for incoming connections on a dynamically assigned TCP port. The protocol utilized for communication between Media Management Daemon service and clients is proprietary and not documented.

A request sent to the Media Management Daemon service has the following format:

 Offset             Size      Field     -----------------  --------- ------------------------------ 0x0000             4         Command Length 0x0004             2         Unknown  0x0006             N1        Command code unicode string 0x0006+N1          2         0x2000 0x0008+N1          N2        Unicode string 0x0008+N1+N2       2         0x2000 0x000A+N1+N2       N3        Unicode string 0x000A+N1+N2+N3    2         0x2000 0x000E+N1+N2+N3    N4        Unicode string 0x0010+N1+N2+N3+.. 

Command Length is a 4 byte value in big endian byte order. It specifies the number of bytes inside the packet, excluding the length field itself. The arguments are in the form of wide char strings terminated with double Null bytes, and separated by one Unicode space character. The backup agent executes different programs based on the received Command code.

A code execution vulnerability exists in HP Data Protector Manager Server. The flaw is due to a stack buffer overflow during parsing of malformed requests. If a request with a certain command code is sent, the vulnerable code allocates a fixed-size buffer of 624 bytes. The 7th user-supplied argument is then copied into the destination buffer without any verification of its length. By supplying an overly long string in a crafted request, the destination stack buffer can be overflowed. The overflow could result in the overwriting of critical stack data such as stored function return addresses and SEH pointers, allowing for code injection and execution.

A remote unauthenticated attacker can exploit this vulnerability by sending a malicious request to a target server. Successful exploitation could result in execution of arbitrary code within the security context of the service, which is configured during the software installation (usually Administrator).

SonicWALL has in place numerous generic IPS signatures that detect and block shell code transferred in exploitation attempts of vulnerabilities of this type. A known exploit targeting this vulnerability is currently being proactively caught by the following IPS signature:

• 5512 – Generic Server Application Shellcode Exploit 28