
New mass-mailing worm seen in the wild (Sep 10, 2010)

SonicWALL UTM Research team observed a new variant of the Autorun worm spreading in the wild. The worm spreads through e-mail, removable storage and network shares. The e-mail campaign contains a link which points to the Autorun worm. The e-mails look like the following:

Link to PDF file [Mass-mailing worm]

Subject: Here you have

Email Body:
————————

Hello:

This is The Document I told you about,you can find it Here.http://www.{removed}/library/PDF_Document21.025542010.pdf

Please check it and reply as soon as possible.

Cheers,
————————

Link to WMV file [Adult Spam]

Subject: Just for you

Email Body:
————————

Hello:

This is The Free Dowload Sex Movies,you can find it Here.

http://www.{removed}/library/SEX21.025542010.wmv

Enjoy Your Time.

Cheers,
————————

Sample e-mail messages look like this:

screenshot

screenshot

If the user downloads and opens the file, it performs the following activities on the victim's machine:

  • Network Activity:
    • It connects to members.multimania.co.uk and downloads multiple files. The malicious account hosting these files was disabled by Lycos UK.

  • File Activity:

    It creates the following files

    • C:\autorun.inf
    • C:\open.exe (copy of itself) – Detected as GAV: AutoRun.ICO (Worm)
    • C:\{Logged on User} CV 2010.exe (copy of itself) – Detected as GAV: AutoRun.ICO (Worm)
    • %windir%\autorun.inf
    • %windir%\autorun2.inf
    • %windir%\csrss.exe (copy of itself) – Detected as GAV: AutoRun.ICO (Worm)
    • %windir%\ff.exe – Detected as GAV: Pass.A_2 (Hacktool)
    • %windir%\gc.exe – Detected as GAV: NetPass.FX (Hacktool)
    • %windir%\ie.exe – Detected as GAV: IEPassView.G (Hacktool)
    • %windir%\im.exe – Detected as GAV: Messen.HX (Hacktool)
    • %windir%\op.exe – Detected as GAV: PassView.A (Hacktool)
    • %windir%\pspv.exe – Detected as GAV: PSPassView.A (Hacktool)
    • %windir%\rd.exe – Detected as GAV: IEPassView.G (Hacktool)
    • %windir%\re.exe – Detected as GAV: PSExec.D (Hacktool)
    • %windir%\re.iq
    • %windir%\{Logged on User} CV 2010.exe (copy of itself) – Detected as GAV: AutoRun.ICO (Worm)
    • %windir%\tryme1.exe
    • %windir%\vb.vbs – Detected as GAV: VBS.TRZ (Trojan)
    • %windir%\system\{Logged on User} CV 2010.exe (copy of itself) – Detected as GAV: AutoRun.ICO (Worm)
    • %windir%\system\update.exe (copy of itself) – Detected as GAV: AutoRun.ICO (Worm)
    • %windir%\system32\SendEmail.dll – Detected as GAV: Sendmail.MOK (Hacktool)

    It replaces the following file

    • %windir%\system32\drivers\etc\hosts

    It deletes the following files

    • All .exe files on the desktop

  • Process Activity:

    It creates the following process in memory

    • %windir%\csrss.exe
  • Registry Activity:
    • It sets HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon:Shell to “Explorer.exe C:\WINDOWS\csrss.exe” to ensure infection on reboot
    • It disables the Windows Security Center service by deleting HKLM\SYSTEM\CurrentControlSet\Services\wscsvc:Start
    • It disables the Windows AutoUpdate service by deleting HKLM\SYSTEM\CurrentControlSet\Services\wuauserv:Start
    • It creates multiple registry entries that intercept the execution of other processes:
      It adds the value “C:\WINDOWS\csrss.exe” as HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{process}:Debugger
  • Propagation:
    • It mass-mails itself using the e-mail campaigns seen above
    • It copies itself onto removable storage media as open.exe and replaces autorun.inf to launch itself
      screenshot
    • It copies itself to the following locations using the vb.vbs script it created
      screenshot
  • Harvesting Credentials:
    • It downloads multiple password harvesting tools and harvests user credentials

SonicWALL Gateway AntiVirus provides protection against this Autorun worm variant with the following signatures:
GAV: AutoRun.ICO (Worm)
GAV: IEPassView.G (Hacktool)
GAV: NetPass.FX (Hacktool)
GAV: PassView.A (Hacktool)
GAV: Pass.A_2 (Hacktool)
GAV: Messen.HX (Hacktool)
GAV: PSPassView.A (Hacktool)
GAV: PsExec.D (Hacktool)
GAV: Sendmail.MOK (Hacktool)
GAV: VBS.TRZ (Trojan)
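
As an added example, not part of the advisory or of SonicWALL's tooling, the following Python script audits a regedit export (.reg, "Windows Registry Editor Version 5.00" format) for the three changes listed under Registry Activity: a Winlogon Shell value other than Explorer.exe, any Image File Execution Options Debugger value, and a missing or disabled (Start=4) wscsvc or wuauserv service. SAMPLE_EXPORT is constructed here; sample_tool.exe is a placeholder process name, not one the worm is known to target.

```python
import re

# Registry locations named in the advisory, normalised to lower case with HKLM short form.
WINLOGON_KEY = r"hklm\software\microsoft\windows nt\currentversion\winlogon"
IFEO_PREFIX = r"hklm\software\microsoft\windows nt\currentversion\image file execution options" + "\\"
SERVICE_KEYS = {
    r"hklm\system\currentcontrolset\services\wscsvc": "Windows Security Center",
    r"hklm\system\currentcontrolset\services\wuauserv": "Windows AutoUpdate",
}
SERVICE_DISABLED = 4  # service Start type 4 = disabled


def _norm_key(line):
    """'[HKEY_LOCAL_MACHINE\\...]' -> 'hklm\\...' so lookups are case-insensitive."""
    key = line.strip("[]")
    key = key.replace("HKEY_LOCAL_MACHINE", "HKLM").replace("HKEY_CURRENT_USER", "HKCU")
    return key.lower()


def _decode_value(raw):
    """Decode the two value syntaxes used here: "string" (with \\\\ and \\" escapes) and dword:hex."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(["\\])', r'\1', raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex(...) and other types are left undecoded


def parse_reg_export(text):
    """Parse a .reg export into {normalised key: {value name: decoded value}}."""
    hives = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = _norm_key(line)
            hives.setdefault(current, {})
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if m is None or current is None:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        hives[current][name] = _decode_value(m.group(2))
    return hives


def audit_persistence(hives):
    """Return one finding per persistence/defence-evasion change described in the post."""
    findings = []
    shell = hives.get(WINLOGON_KEY, {}).get("Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell is '{shell}' instead of 'Explorer.exe'")
    # Any Debugger value under IFEO redirects that process; legitimate debugger setups
    # exist, so these are findings to review rather than verdicts.
    for key, values in hives.items():
        if key.startswith(IFEO_PREFIX) and "Debugger" in values:
            findings.append(f"IFEO Debugger set for {key[len(IFEO_PREFIX):]}: {values['Debugger']}")
    for key, label in SERVICE_KEYS.items():
        values = hives.get(key)
        if values is None:
            continue  # service key not present in this export
        start = values.get("Start")
        if start is None:
            findings.append(f"{label} service: Start value missing (deleted)")
        elif start == SERVICE_DISABLED:
            findings.append(f"{label} service: Start=4 (disabled)")
    return findings


# Constructed sample export mirroring the advisory's registry changes (not a real capture).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\csrss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sample_tool.exe]
"Debugger"="C:\\WINDOWS\\csrss.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"DisplayName"="Security Center"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004
'''

if __name__ == "__main__":
    for finding in audit_persistence(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```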


MySQL Denial of Service Vulnerabilities (Sep 9, 2010)

MySQL is an open-source relational database which supports SQL. The database has a number of built-in SQL functions which are designed to help users with the task of querying and updating data. MySQL uses the MySQL protocol to communicate with clients over the network. By default, MySQL server listens for connections on TCP port 3306.

Two different denial-of-service vulnerabilities exist in MySQL server. The first vulnerability is due to an error while handling joins involving a table with a unique SET column. When the LIKE function is used to query such specially joined tables, the LIKE function fails. The second vulnerability is due to errors while performing comparisons in the IN and CASE functions. Specifically, MySQL does not properly handle the case where one of the compared values is NULL. MySQL databases prior to version 5.1.49 are prone to these vulnerabilities.

A remote attacker can exploit these vulnerabilities by sending crafted queries to the target server. Successful exploitation would cause the database server to terminate abnormally, resulting in a denial-of-service condition. The impact of the vulnerabilities is mitigated by the requirement for successful authentication.

SonicWALL has released multiple IPS signatures to detect and block specific exploitation attempts targeting these vulnerabilities. The signatures are listed below:

  • 5572 MySQL Unique SET Column Join DoS 1
  • 5573 MySQL Unique SET Column Join DoS 2
  • 5672 MySQL IN and CASE DoS 1
  • 5673 MySQL IN and CASE DoS 2
  • 5674 MySQL IN and CASE DoS 3

Bamital Trojan – Pay Per Install (Sept 3, 2010)

SonicWALL UTM Research team observed reports of the Bamital Trojan installer being distributed in the wild as part of a pay-per-install campaign run by the malware authors.

The Bamital Trojan family is known to monitor user browsing activity, modify internet search results and display advertisements generating revenue for the malware authors. SonicWALL has seen an increase in the number of Bamital-infected executable files since early August.

A forum posting was seen on pay-per-install.org yesterday that advertised revenue sharing per installation, i.e. per infection with the Bamital Trojan (the post has since been removed). As seen in the image below, they assign a numeric ID to users who sign up and provide a binary tied to that user ID, which is used to track the number of installations. The malware authors are offering up to $800 per 1000 infections, which gives an indication of the amount of money they are making from it.

screenshot

The domain advertised in the post is of Russian origin and was actively serving the Bamital Trojan installer at the time of writing this alert. The malicious installer executable performs the following activities upon execution:

  • Disables the System Restore functionality by modifying the registry
  • Creates the following files on the infected system:
    • (WINDOWS)\Temp\explorer.dat [Original version of system explorer.exe]
    • (WINDOWS)\Temp\winlogon.dat [Original version of system winlogon.exe]
    • (WINDOWS)\system32\hlp.dat [Encrypted file containing data & code used during runtime]
    • (Application Data)\Windows Server\admin.txt
    • (Application Data)\Windows Server\server.dat [Encrypted file containing data & code used during runtime]

  • Injects code into the Windows system executables Explorer.exe and Winlogon.exe. The malicious code is injected at the entry point of these executables and looks like this:
    screenshot

  • The Trojan then monitors the user's web browsing activity via a hook in Explorer.exe and tries to modify the web search results for any search query made via affected web browsers.
    screenshot

  • It deletes the original installer file that was executed.

SonicWALL Gateway AntiVirus provides protection against this Trojan via the following signatures:

  • GAV: Bamital.DZ (Trojan)
  • GAV: Suspicious#bamital (Trojan)

Apple QuickTime QTPlugin Code Execution (Sept 2, 2010)

QuickTime is an extensible proprietary multimedia framework developed by Apple Inc., capable of handling various formats of digital video, picture, sound, panoramic images, and interactivity. It is available for Mac OS classic (System 7 onwards), Mac OS X and Microsoft Windows operating systems.

QuickTime supports third-party components, called QuickTime plugins. QTPlugin.ocx, a web browser plugin installed by default with Apple QuickTime, is one of them. This plugin enables users to play many types of movies through a web browser. It is available for both Mac and Windows platforms. Users can configure in QuickTime which MIME types the QTPlugin should handle in a web browser. The supported MIME types include movie streaming (RTSP and SDP), AVI, FLC, QuickTime Movie, MPEG, MP3, and more.

This plugin can be instantiated as an ActiveX object using either the ClassID or the ProgID. QTPlugin.ocx is assigned the ClassID 02BF25D5-8C17-4B23-BC80-D3488ABDDC6B and the ProgID QuickTime.QuickTime. Instantiation through the ClassID uses an object tag as follows:

    <object id="ctrl" classid="clsid:{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}"></object>

whereas the ProgID can be used from JavaScript or VBScript respectively, as follows:

    var ctrl = new ActiveXObject("QuickTime.QuickTime");   // JavaScript
    Set ctrl = CreateObject("QuickTime.QuickTime")         ' VBScript

The QTPlugin exposes various methods and parameters. One of the parameters supported by the QTPlugin control is _Marshaled_pUnk, whose value represents a marshalled pointer. Marshalling is the process of transforming the memory representation of data into a format suitable for storage or transmission.

A code execution vulnerability exists in the Apple QuickTime web browser plugin. Specifically, the vulnerability is due to a design error in the handling of the _Marshaled_pUnk parameter value. A remote attacker can exploit this vulnerability to execute arbitrary code in the security context of the logged-in user.
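
As an added example, not code from the advisory or from any SonicWALL signature, the following Python scanner applies the same idea as a content signature to page text: it reports the _Marshaled_pUnk parameter only when it is set on a QuickTime control instantiated via the ClassID or ProgID above, whether through a param tag or a script property assignment. The sample pages are constructed here with placeholder values.

```python
import re

# Identifiers from the advisory: the QTPlugin.ocx ClassID and ProgID, and the parameter name.
QT_CLSID = "02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"
QT_PROGID = "QuickTime.QuickTime"
SUSPECT_PARAM = "_Marshaled_pUnk"

OBJECT_BLOCK = re.compile(r"<\s*object\b([^>]*)>(.*?)<\s*/\s*object\s*>", re.I | re.S)
OBJECT_TAG = re.compile(r"<\s*object\b([^>]*)>", re.I)
ID_ATTR = re.compile(r"\bid\s*=\s*[\"']?([\w-]+)", re.I)
PARAM_TAG = re.compile(r"<\s*param\b[^>]*\bname\s*=\s*[\"']?" + SUSPECT_PARAM + r"\b", re.I)
# JavaScript: var x = new ActiveXObject("QuickTime.QuickTime")   VBScript: Set x = CreateObject(...)
SCRIPT_INSTANCE = re.compile(
    r"(?:\bvar\s+|\bSet\s+)?(\w+)\s*=\s*(?:new\s+ActiveXObject|CreateObject)\s*\(\s*[\"']"
    + re.escape(QT_PROGID) + r"[\"']\s*\)", re.I)
PROPERTY_SET = re.compile(r"\b(\w+)\s*\.\s*" + SUSPECT_PARAM + r"\s*=", re.I)


def quicktime_instances(page):
    """Names bound to a QuickTime control in the page: object ids and script variables."""
    names = set()
    for m in OBJECT_TAG.finditer(page):
        if QT_CLSID.lower() in m.group(1).lower():
            idm = ID_ATTR.search(m.group(1))
            names.add(idm.group(1) if idm else "<anonymous object>")
    for m in SCRIPT_INSTANCE.finditer(page):
        names.add(m.group(1))
    return names


def scan_for_marshaled_punk(page):
    """Return the QuickTime instances found and each place _Marshaled_pUnk is set on one."""
    names = quicktime_instances(page)
    hits = []
    # <param name="_Marshaled_pUnk"> inside an <object> carrying the QuickTime ClassID
    for m in OBJECT_BLOCK.finditer(page):
        if QT_CLSID.lower() in m.group(1).lower() and PARAM_TAG.search(m.group(2)):
            hits.append("param tag inside QuickTime object")
    # ctrl._Marshaled_pUnk = ... where ctrl was bound to the QuickTime control
    for m in PROPERTY_SET.finditer(page):
        if m.group(1) in names:
            hits.append("property set on " + m.group(1))
    return {"instances": sorted(names), "hits": hits, "alert": bool(hits)}


# Constructed sample pages with placeholder values (not real content).
BENIGN_PAGE = """<object id="ctrl" classid="clsid:{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}">
  <param name="src" value="movie.mov"><param name="autoplay" value="true">
</object>"""
SUSPECT_PARAM_PAGE = """<object id="ctrl" classid="clsid:{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}">
  <param name="_Marshaled_pUnk" value="PLACEHOLDER">
</object>"""
SUSPECT_SCRIPT_PAGE = """<script>
var ctrl = new ActiveXObject("QuickTime.QuickTime");
ctrl._Marshaled_pUnk = PLACEHOLDER;
</script>"""
OTHER_CONTROL_PAGE = """<script>
var other = new ActiveXObject("Other.Control");
other._Marshaled_pUnk = 0;
</script>"""

if __name__ == "__main__":
    for label, page in [("benign", BENIGN_PAGE), ("param", SUSPECT_PARAM_PAGE),
                        ("script", SUSPECT_SCRIPT_PAGE), ("other", OTHER_CONTROL_PAGE)]:
        print(label, scan_for_marshaled_punk(page))
```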

SonicWALL UTM team has researched this vulnerability and released an IPS signature to detect attack attempts targeting this issue:

  • 5592 Apple QuickTime ActiveX _Marshaled_pUnk Attribute Setting

The vendor has released an advisory regarding this issue. The vulnerability has been assigned CVE-2010-0211 by MITRE.

Apple Safari Button Rendering Code Execution (Aug 25, 2010)

Safari is a graphical web browser developed by Apple and included as part of the Mac OS X operating system. The browser is capable of processing HTML, images, scripting languages, and various other popular Internet specifications such as XHTML. Its rendering engine, called WebKit, is also running in the standard browsers of several mobile phone platforms, including the iPhone OS, Google Android, Nokia S60 and Palm WebOS. WebKit has a development toolkit which allows third party developers to build applications that use Internet technologies such as HTML, HTTP, and others. WebKit provides WebCore, an HTML parser, and JavaScriptCore, which is a JavaScript engine. WebKit also supports styling using CSS.

Cascading Style Sheets (CSS) is a style sheet language used to describe the presentation semantics (the look and formatting) of a document written in a markup language. Its most common application is to style web pages written in HTML and XHTML, but the language can also be applied to any kind of XML document, including SVG and XUL. CSS can define color, font, text alignment, size, borders, spacing, layout and many other typographic characteristics. It can do so independently for on-screen and printed views. One of these characteristics is the first-letter pseudo-element, which affects the first character of a paragraph. The following example uses the first-letter pseudo-element to change the color of the first letter of the paragraph in the body:

    <html>
    <head>
    <style type="text/css">
    p:first-letter { color:#ff0000; font-size:xx-large; display:none; }
    </style>
    </head>
    <body>
    <p>The first letter of this text is red!</p>
    </body>
    </html>

A design error exists in Safari's WebKit. The vulnerability is due to an implementation error when rendering elements whose first-letter pseudo-element has a specific CSS display property set. Remote attackers could exploit this vulnerability by persuading a target user to visit a maliciously crafted web page. Successful exploitation would result in code execution with the privileges of the logged-in user. In the case of an unsuccessful attack, the associated browser tab terminates abnormally and the browser then recovers it.

SonicWALL UTM team has researched this vulnerability, and created the following IPS signatures for the public exploits:

  • 5563 Apple Safari Button Rendering Code Execution PoC 1
  • 5564 Apple Safari Button Rendering Code Execution PoC 2

The CVE identifier for this vulnerability is CVE-2010-1392.

PS3 Jailbreak Trojan (Aug 25, 2010)

SonicWALL UTM Research team received reports of a new PS3 Jailbreak Trojan being distributed in the wild. This Trojan is actually a new variant of Trojan Spatet packaged together with a PS3 Jailbreak tool. This tool purportedly allows gamers to use their PS3 console without the game's original disc. However, users who download this tool get infected by a backdoor Trojan that steals information from their system.

The release of this Trojan comes after a real PS3 Jailbreak USB Stick has been released and is currently gaining popularity among PS3 gamers.

Arrival & Installation:

This Trojan may arrive on the system after being downloaded from the following URL:

  • http://www.fol{REMOVED}8e3979fb14

The installer of this Trojan looks like this:

screenshot

The PS3 Jailbreak tool looks like this:

screenshot
screenshot
screenshot

As the user installs the PS3 Jailbreak tool, it also installs the following:

  • %Temp%\hahahaha.exe (282 KB) – [ detected as GAV: Rebhip.A (Virus) ]
  • %Temp%\abc2.exe (563 KB) – [ detected as GAV: Spatet.B (Trojan) ]
  • %System%\temptempp.exe – [ detected as GAV: Spatet.B (Trojan) ]

It creates a mutex to ensure that only one instance of the application runs on the system:

  • {UserName}{Random Number}

(Note: %Temp% is the Temporary folder, which is usually C:\Documents and Settings\{User}\Local Settings\Temp. %System% is the Windows System folder, which is usually C:\Windows\System32)

Registry Changes:

It adds the following registry entries to ensure that the dropped copy of the malware starts on every system reboot:

  • Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] Value: “Policies”
    Data: “"C:\WINDOWS\system32\temptempp.exe"”
  • Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] Value: “Policies”
    Data: “"C:\WINDOWS\system32\temptempp.exe"”
  • Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] Value: “HKCU”
    Data: “"C:\WINDOWS\system32\temptempp.exe"”
  • Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] Value: “HKLM”
    Data: “"C:\WINDOWS\system32\temptempp.exe"”

It adds the following registry entries as part of its installation:

  • Key: [HKEY_CURRENT_USER\Software\ps3] Value: “FirstExecution”
    Value: “NewGroup”
    Value: “NewIdentification”

Anti-Debugging Techniques:

This Trojan employs the following anti-debugging/anti-analysis techniques before it proceeds with execution:

  • Checks if it is running inside a virtual machine
  • Checks if it is running inside a debugger
  • Checks if it is running under the following automated analysis tools:
    • Anubis
    • CWSandbox
    • JoeBox

Information Stealing:

It collects information from the following:

  • Stored IE Account Information
  • Stored Mozilla Firefox Account Information
  • RAS Accounts
  • Browser Autocomplete Forms Content
  • Windows Live Account Information
  • Current User Name
  • Computer Name and IP Address

After collecting this information, it sends it to a remote server over HTTP.

Command & Control (C&C) Server connection:
It tries to connect to a remote server to receive further instructions and to send the collected information:

  • ownedbynob{REMOVED}biz:35578
  • hackfre{REMOVED}.com
  • steamgi{REMOVED}.at

SonicWALL Gateway AntiVirus provides protection against this Trojan via the following signatures:

  • GAV: Rebhip.A
  • GAV: Rebhip.A_2
  • GAV: Spatet.B (Trojan)


Microsoft Windows SMB Pool Overflow (Aug 20, 2010)

The Microsoft Windows operating system ships with an implementation of the Server Message Block (SMB) protocol. SMB is a widely used protocol that allows for sharing network devices and remote procedure calls, among other things. The service listens on TCP ports 139 and 445. SMB is a stateful protocol that requires successful authentication before a session is established. An SMB message is composed of a header and message-specific data.
The following describes an SMB message structure:

    Offset  Size      Field
    ------  --------  ---------------------------------------
    0x0000  char[4]   'SMB'
    0x0004  char      Command (TRANS2 = 0x32)
    0x0005  int32     Error Class
    0x0009  char      Flags
    0x000A  int16     Flags2
    0x000C  int16     Pid High
    0x000E  int32[2]  Signature
    0x0016  int16     Unused
    0x0018  int16     Tree ID
    0x001A  int16     Process ID
    0x001C  int16     User ID
    0x001E  int16     Multiplex ID
    0x0020  var       SMB Message Data

One of the Commands supported by the SMB protocol is the SMB_COM_TRANSACTION2, also known as TRANS2 (0x32).
The SMB Message Data portion of an SMB TRANS2 Request message has the following structure:

    Offset  Size    Field
    ------  ------  ------------------------------------------
    0x0000  char    Word Count
    0x0001  int16   Total Parameter Count
    0x0003  int16   Total Data Count
    0x0005  int16   Max Parameter Count
    0x0007  int16   Max Data Count
    0x0009  char    Max Setup Count
    0x000A  char    Reserved
    0x000B  int16   Flags
    0x000D  int32   Timeout
    0x0011  int16   Reserved
    0x0013  int16   Parameter Count
    0x0015  int16   Parameter Offset
    0x0017  int16   Data Count
    0x0019  int16   Data Offset
    0x001B  char    Setup Count
    0x001C  char    Reserved
    0x001D  int16   Subcommand
    [...]

Based on the Subcommand, the format of the Subcommand Data will change. One of the supported subcommands is QUERY_FS_INFO.

A buffer overflow vulnerability exists in the Server Message Block (SMB) protocol client implementation on Microsoft Windows. The vulnerability is due to a boundary error when handling specially crafted SMB messages. The flaw exists in the processing of the QUERY_FS_INFO subcommand in SMB_COM_TRANSACTION2 requests. The vulnerable code does not properly verify the value of the ‘Max Data Count’ field of the request. This value is used to allocate a memory pool in the kernel address space. A malicious SMB message processed by the vulnerable service could result in an undersized memory pool being allocated, which could consequently trigger a write access violation when the pool is used by the kernel.

Successful exploitation may result in code injection and execution with the privileges of the operating system kernel. In cases of unsuccessful exploitation, the attack leads to a kernel panic, causing a system-wide denial of service condition.
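
The two tables above, as an added Python example (not code from the advisory or from SonicWALL): it decodes the SMB header and the fixed part of a TRANS2 request at the offsets listed, and flags a QUERY_FS_INFO request whose Max Data Count falls below an assumed review threshold, MIN_EXPECTED_MAX_DATA_COUNT, which is not a value from the advisory. The QUERY_FS_INFO subcommand code 0x0003 is from MS-CIFS; the request fed to the parser is constructed inline, with no session setup or networking.

```python
import struct

# TRANS2 = 0x32 is given in the post; the QUERY_FS_INFO subcommand code is from MS-CIFS.
SMB_COM_TRANSACTION2 = 0x32
TRANS2_QUERY_FS_INFORMATION = 0x0003
SMB_HEADER_LEN = 0x20
TRANS2_FIXED_FMT = "<BHHHHBBHIHHHHHBBH"          # the 0x1F-byte fixed part from the second table
TRANS2_FIXED_LEN = struct.calcsize(TRANS2_FIXED_FMT)  # 31

# Assumed review threshold (not from the advisory): QUERY_FS_INFO requests that advertise
# a smaller response buffer than this are flagged for inspection.
MIN_EXPECTED_MAX_DATA_COUNT = 0x40


def parse_smb_header(msg):
    """Parse the header fields at the offsets in the first table (the 'SMB' marker is 0xFF 'S' 'M' 'B' on the wire)."""
    if len(msg) < SMB_HEADER_LEN or msg[0:4] != b"\xffSMB":
        raise ValueError("not an SMB message")
    status, flags, flags2, pid_high = struct.unpack_from("<IBHH", msg, 0x05)
    tid, pid, uid, mid = struct.unpack_from("<HHHH", msg, 0x18)
    return {"command": msg[4], "status": status, "flags": flags, "flags2": flags2,
            "pid_high": pid_high, "signature": msg[0x0E:0x16],
            "tid": tid, "pid": pid, "uid": uid, "mid": mid,
            "data": msg[SMB_HEADER_LEN:]}


def parse_trans2_request(data):
    """Parse the fixed part of a TRANS2 request (second table) into a dict."""
    if len(data) < TRANS2_FIXED_LEN:
        raise ValueError("truncated TRANS2 request")
    names = ("word_count", "total_parameter_count", "total_data_count",
             "max_parameter_count", "max_data_count", "max_setup_count",
             "reserved1", "flags", "timeout", "reserved2", "parameter_count",
             "parameter_offset", "data_count", "data_offset", "setup_count",
             "reserved3", "subcommand")
    return dict(zip(names, struct.unpack_from(TRANS2_FIXED_FMT, data, 0)))


def check_trans2_query_fs_info(msg, min_max_data=MIN_EXPECTED_MAX_DATA_COUNT):
    """Verdict for one SMB message; None when it is not a TRANS2 QUERY_FS_INFO request."""
    hdr = parse_smb_header(msg)
    if hdr["command"] != SMB_COM_TRANSACTION2:
        return None
    req = parse_trans2_request(hdr["data"])
    if req["subcommand"] != TRANS2_QUERY_FS_INFORMATION:
        return None
    return {"max_data_count": req["max_data_count"],
            "suspicious": req["max_data_count"] < min_max_data}


def build_query_fs_info_request(max_data_count, tid=1, uid=1, mid=1):
    """Construct a minimal TRANS2 QUERY_FS_INFO request to exercise the parser (sample bytes, not a capture)."""
    header = (b"\xffSMB"
              + struct.pack("<BIBHH", SMB_COM_TRANSACTION2, 0, 0x18, 0xC807, 0)
              + b"\x00" * 8                              # 8-byte signature field
              + struct.pack("<HHHHH", 0, tid, 0xFEFF, uid, mid))
    params = struct.pack("<H", 0x0103)                   # information level (assumed: SMB_QUERY_FS_SIZE_INFO)
    param_offset = SMB_HEADER_LEN + TRANS2_FIXED_LEN + 2  # parameters follow the 2-byte ByteCount
    fixed = struct.pack(TRANS2_FIXED_FMT,
                        15, len(params), 0, 0, max_data_count, 0, 0, 0, 0, 0,
                        len(params), param_offset, 0, 0, 1, 0, TRANS2_QUERY_FS_INFORMATION)
    return header + fixed + struct.pack("<H", len(params)) + params


if __name__ == "__main__":
    for mdc in (0x1000, 0x0000):
        print(hex(mdc), check_trans2_query_fs_info(build_query_fs_info_request(mdc)))
```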

SonicWALL has released an IPS signature to address this vulnerability. The following signature has been released:

  • 5235 – MS SMB Pool Overflow Attack Attempt

The vendor has released an advisory regarding this issue. The vulnerability has been assigned CVE-2010-2550 by MITRE.

Ackantta Trojan spam campaign (August 19, 2010)

SonicWALL UTM Research team observed a Twitter spam campaign involving a newer variant of Ackantta Trojan in the last 7 days. The spam emails arrive with a zip archived attachment which contains the Ackantta Trojan executable. The e-mail is drafted to appear as a Twitter invitation from a friend.

Attachment: Invitation Card.zip (contains document.doc … .exe)

Subject: Your friend invited you to Twitter!

Email Body:
————————

New to Twitter? Sign up now

Have an account? Sign in

Your friend invited you to twitter!

Twitter

Twitter is a service for friends, family, and co-workers to communicate and stay connected through the exchange of quick, frequent answers to one simple question:

What are you doing?

To join or to see who invited you, check the attachment.
————————

A sample e-mail message looks like this:

screenshot

The executable file inside the attachment looks like this:

screenshot

If the user opens the malicious attachment, it performs the following activities on the victim's machine:

  • Network Activity:
    • It connects to whatismyip.com and attempts to obtain the victim's IP address
      screenshot

    • It sends a request to a known malicious domain
      screenshot

    • It resolves multiple SMTP servers and attempts to propagate by mass e-mailing
  • File Activity:

    It creates the following files

    • %windir%\system32\HPWuSchdb.exe (copy of document.doc … .exe) – Detected as GAV: Ackantta.TW (Trojan)
    • %windir%\system32\reader_s1.exe – Detected as GAV: Ackantta.TW (Trojan)
    • %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul – Detected as GAV: Dursg.G (Trojan)
    • %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
    • %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
  • Process Activity:

    It creates the following processes in memory

    • %AppData%\SystemProc\lsass.exe
    • %windir%\system32\reader_sl.exe
    • %windir%\system32\HPWuSchdb.exe
    • %windir%\system32\hp-357.exe
    • %ProgramFiles%\Internet Explorer\IEXPLORE.EXE
  • Registry Activity:
    • It creates HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: C:\WINDOWS\system32\HPWuSchdb.exe under the name “HP Software Updater”, ensuring infection on system restart
    • It creates HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: C:\WINDOWS\reader_sl.exe under the name “Adobe Reader Speed Launcher”, ensuring infection on system restart
    • It disables the Windows Security Center service by modifying HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wscsvc:Start
    • It disables the Error Reporting service by modifying HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ERSvc:Start
    • It disables User Account Control (UAC) by modifying HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center:EnableLUA
    • It disables User Account Control (UAC) notifications by modifying HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center:UACDisableNotify
  • Firefox Extension:

    As part of the infection process it installs timer.xul as a Firefox extension, which embeds a script in the section of certain pages rendered in the browser.

    screenshot

SonicWALL Gateway AntiVirus provides protection against this Ackantta Trojan variant with GAV: Ackantta.TW (Trojan) signature. [12770 hits recorded in last 7 days]


Yahos Worm Spreading in the Wild (Aug 12, 2010)

SonicWALL UTM Research team received reports of a new variant of the Yahos worm spreading in the wild. It propagates through instant messaging applications such as Yahoo Messenger, AOL, Skype and MSN, as well as the social networking site Facebook. It also includes IRC-based backdoor capability to receive instructions from a remote server.

Installation:

Drops a copy of itself:

  • %Windows%\jusched.exe – [ detected as GAV: Yahos.BA (Worm) ]

Drops the following files:

  • C:\sssA1234567890.exe – [ detected as GAV: Yahos.BA_2 (Trojan) ]
  • C:\WINDOWS\system32\rrrc.yeo – [ detected as GAV: Oficla_14 (Trojan) ]

Downloads related Malware:

  • C:\WINDOWS\system32\8c.html – [ detected as GAV: Kryptik.EVL (Trojan) ]
  • %User Profile%\fow.exe – [ detected as GAV: Kryptik.CLM (Trojan) ]
  • %User Profile%\secupdat.dat – [ detected as GAV: Cetorp.P_3 (Backdoor) ]
  • C:\WINDOWS\system32\secupdat.dat – [ detected as GAV: Cetorp.P_3 (Backdoor) ]

Creates a mutex to ensure that only one instance of the application runs on the system:

  • Micro Upe

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT. %User Profile% is the User folder, which is usually C:\Documents and Settings\{Current User})

Registry Changes:

It adds the following registry entries to ensure that the dropped copy of the malware starts on every system reboot:

  • Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] Value: “Java developer Script Browse”
    Data: “"C:\WINDOWS\jusched.exe"”
  • Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] Value: “Java developer Script Browse”
    Data: “"C:\WINDOWS\jusched.exe"”
  • Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run] Value: “Java developer Script Browse”
    Data: “"C:\WINDOWS\jusched.exe"”

Adds the following registry entry to bypass firewall restrictions:

  • Key: [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] Value: “C:\WINDOWS\jusched.exe”
    Data: “C:\WINDOWS\jusched.exe:*:Enabled:Java developer Script Browse”

Command & Control (C&C) Server connection:

Upon successful installation, it tries to connect to a remote server to receive further instructions:
Remote Server: ptf.messenger-update.su

screenshot

screenshot

This worm also joins the following IRC channel to receive instructions:

  • #!gf!

The screenshot below shows the IRC communication:

screenshot

Backdoor Functionality:

  • Spread via instant messaging
  • Update itself
  • Remove itself
  • Download and execute files

Network Activity:

This worm may download files and updates from the following addresses:

  • 95.211.130.132
  • 212.95.32.52
  • rgtryhbgddtyh.biz
  • wertdghbyrukl.ch

Propagation:

This worm propagates via the following platforms:

Instant Messaging Applications:

  • AOL
  • MSN
  • Skype
  • Yahoo Messenger

screenshot

screenshot

Social Networking site:

  • Facebook

Other System Modification:

Terminates the following services:

  • Microsoft Malware Protection Service – MsMpSvc
  • Windows AutoUpdate Service – wuauserv

SonicWALL Gateway AntiVirus provides protection against this worm via the following signatures:

  • GAV: Yahos.BA (Worm)
  • GAV: Yahos.BA_2 (Trojan)
  • GAV: Oficla_14 (Trojan)
  • GAV: Kryptik.EVL (Trojan)
  • GAV: Kryptik.CLM (Trojan)
  • GAV: Cetorp.P_3 (Backdoor)


Microsoft Security Bulletins Coverage (Aug 10, 2010)

SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of August, 2010. A list of issues reported, along with SonicWALL coverage information follows:

MS10-047 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege

  • CVE-2010-1888 Windows Kernel Data Initialization Vulnerability
    Local elevation of privilege
  • CVE-2010-1889 Windows Kernel Double Free Vulnerability
    Local elevation of privilege
  • CVE-2010-1890 Windows Kernel Improper Validation Vulnerability
    Local denial of service

MS10-048 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege

  • CVE-2010-1887 Win32k Bounds Checking Vulnerability
    Local denial of service
  • CVE-2010-1894 Win32k Exception Handling Vulnerability
    Local elevation of privilege
  • CVE-2010-1895 Win32k Pool Overflow Vulnerability
    Local elevation of privilege
  • CVE-2010-1896 Win32k User Input Validation Vulnerability
    Local elevation of privilege
  • CVE-2010-1897 Win32k Window Creation Vulnerability
    Local elevation of privilege

MS10-049 Vulnerabilities in SChannel Could Allow Remote Code Execution

  • CVE-2009-3555 TLS/SSL Renegotiation Vulnerability
    This vulnerability allows an attacker to spoof an authenticated SSL client.
    There is no feasible method to discern malicious traffic from normal.
  • CVE-2010-2566 SChannel Malformed Certificate Request Remote Code Execution Vulnerability
    Attacks occur over an encrypted channel.

MS10-050 Vulnerability in Windows Movie Maker Could Allow Remote Code Execution

  • CVE-2010-2564 Movie Maker Memory Corruption Vulnerability
    There are no known public exploits targeting this vulnerability.

MS10-051 Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution

  • CVE-2010-2561 MSxml2.XMLHTTP.3.0 Response Handling Memory Corruption Vulnerability
    Unexpected HTTP responses may trigger a bug in Microsoft XML Core Services which may result in process flow diversion.

MS10-052 Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution

  • CVE-2010-1882 MPEG Layer-3 Audio Decoder Buffer Overflow Vulnerability
    There are no known public exploits targeting this vulnerability.

MS10-053 Cumulative Security Update for Internet Explorer

  • CVE-2010-1258 Event Handler Cross-Domain Vulnerability
    IPS 5184 – document.execCommand Method Invocation
  • CVE-2010-2556 Uninitialized Memory Corruption Vulnerability
    IPS 5157 – location.protocol Attribute Setting
  • CVE-2010-2557 Uninitialized Memory Corruption Vulnerability
    This is a logical flaw. Attacks targeting this vulnerability cannot be detected by IPS.
  • CVE-2010-2558 Race Condition Memory Corruption Vulnerability
    This is a logical flaw. Attacks targeting this vulnerability cannot be detected by IPS.
  • CVE-2010-2559 Uninitialized Memory Corruption Vulnerability
    This is a logical flaw. Attacks targeting this vulnerability cannot be detected by IPS.
  • CVE-2010-2560 HTML Layout Memory Corruption Vulnerability
    This is a logical flaw. Attacks targeting this vulnerability cannot be detected by IPS.

MS10-054 Vulnerabilities in SMB Server Could Allow Remote Code Execution

  • CVE-2010-2550 SMB Pool Overflow Vulnerability
    IPS 5235 – MS SMB Pool Overflow Attack Attempt
  • CVE-2010-2551 SMB Variable Validation Vulnerability
    A denial of service vulnerability exists in the way that Microsoft Server Message Block (SMB) Protocol software handles specially crafted SMB packets.
  • CVE-2010-2552 SMB Stack Exhaustion Vulnerability
    A denial of service vulnerability exists in the way that Microsoft Server Message Block (SMB) Protocol software handles specially crafted SMB compounded requests.

MS10-055 Vulnerability in Cinepak Codec Could Allow Remote Code Execution

  • CVE-2010-2553 Cinepak Codec Decompression Vulnerability
    There are no known public exploits targeting this vulnerability.

MS10-056 Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution

  • CVE-2010-1900 Word Record Parsing Vulnerability
    There are no known public exploits targeting this vulnerability.
  • CVE-2010-1901 Word RTF Parsing Engine Memory Corruption Vulnerability
    GAV Agent.EXP_5
    GAV Agent.EXP_6
    GAV Agent.EXP_7
  • CVE-2010-1902 MS Word RTF Parsing Buffer Overflow Attempt
    IPS 5127 – MS Word RTF Parsing Buffer Overflow Attempt
  • CVE-2010-1903 Word HTML Linked Objects Memory Corruption Vulnerability
    There are no known public exploits targeting this vulnerability.

MS10-057 Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution

  • CVE-2010-2562 Excel Memory Corruption Vulnerability
    There are no known public exploits targeting this vulnerability.

MS10-058 Vulnerabilities in TCP/IP Could Allow Elevation of Privilege

  • CVE-2010-1892 IPv6 Memory Corruption Vulnerability
    A denial of service vulnerability exists in TCP/IP processing in Microsoft Windows due to an error in the processing of specially crafted IPv6 packets with a malformed extension header.
  • CVE-2010-1893 Integer Overflow in Windows Networking Vulnerability
    Local elevation of privilege

MS10-059 Vulnerabilities in the Tracing Feature for Services Could Allow an Elevation of Privilege

  • CVE-2010-2554 Tracing Registry Key ACL Vulnerability
    Local elevation of privilege
  • CVE-2010-2555 Tracing Memory Corruption Vulnerability
    Local elevation of privilege

MS10-060 Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution

  • CVE-2010-0019 Microsoft Silverlight Memory Corruption Vulnerability
    IPS 5115 – MS Silverlight Memory Corruption S1
  • CVE-2010-1898 Microsoft Silverlight and Microsoft .NET Framework CLR Virtual Method Delegate Vulnerability
    A remote code execution vulnerability exists in the Microsoft .NET Framework that can allow a specially crafted Microsoft .NET application or a specially crafted Silverlight application to access memory, leading to arbitrary unmanaged code execution.
