Posts

New Bredolab spam campaign (August 6, 2010)

The SonicWALL UTM Research team discovered a wave of YouSendIt-themed spam involving a newer variant of the Bredolab Trojan in the last 24 hours. The spam emails arrive with a zip-archived attachment which contains the Bredolab Trojan executable.

The e-mail pretends to be arriving from YouSendIt, an online file sharing service that lets users send, receive and track files on demand. This is the first time SonicWALL has observed the YouSendIt storage service being spoofed by the Bredolab authors while spamming a newer variant of the Trojan.

Attachment: YouSendIt_reader.zip (contains YouSendIt_reader.exe)

Subject: You have received a file from [removed]@[removed].com via YouSendIt. (The subject varies based on the from email address)

Email Body:
————————

Katelyn Goodman has sent you the following via YouSendIt

File attached to this letter.

YouSendIt, Inc. | Privacy Policy
1919 S. Bascom Ave., Campbell, CA 95008
————————

A sample email message looks like:

screenshot

The executable file inside the attachment looks like this:

screenshot

If the user opens the malicious attachment, it performs the following activities on the victim’s machine:

  • Network Activity:
    • It downloads a file from 188.65.74.161 and renames it to _ex-68.exe
    • screenshot

    • It sends a request to 77.78.249.2
    • screenshot

    • It sends a SYN to 85.234.191.111:80, which is acknowledged by an ACK, possibly reporting the infected IP
  • It creates the following files
    • C:\WINDOWS\Temp\_ex-08.exe – Detected as GAV: Bredolab.SI (Trojan)
    • C:\WINDOWS\Temp\_ex-68.exe – Detected as GAV: FakeAlert.P (Trojan)
    • screenshot

  • It creates the following processes in memory
    • C:\WINDOWS\Temp\_ex-08.exe
    • C:\WINDOWS\Temp\_ex-68.exe
    • (The process name is a randomized number in memory)

  • It creates the following registry key to ensure infection on every system restart, under the value name “sniffer”:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: C:\WINDOWS\Temp\_ex-08.exe
  • As part of the infection process it downloads and launches the file _ex-68.exe, which is a fake antivirus product
    • It launches and displays fake infections
    • screenshot

    • When the user attempts to remove the infections, an activation screen is displayed

      screenshot

    • When the user clicks “Activate Security Tool”, a screen is displayed asking for credit card and personal information

      screenshot

SonicWALL Gateway AntiVirus provides protection against this Bredolab Trojan variant with the GAV: Bredolab.SI (Trojan) signature. [2,759,497 hits recorded in the last 24 hours]

screenshot

Symantec AMS2 Remote Command Execution (Aug 5, 2010)

Symantec Alert Management System 2 (AMS2) is a component of the Symantec System Center console, Symantec AntiVirus Server and the Symantec AntiVirus Central Quarantine Server. AMS2 listens for specific security-related events on a computer network and sends notifications as configured by the administrator. AMS2 starts multiple services on the system, including the Message System Service (MSGSYS.EXE) and the AMS2 Handler Manager Service (HNDLRSVC.EXE). The MSGSYS.EXE service on clients listens on TCP port 38292; it receives messages from the AMS server for different alert actions and forwards them to the HNDLRSVC.EXE service to perform the required action.

A design weakness exists in Symantec AMS2: the vulnerable service performs no authentication to verify the sender of alert action messages. An unauthenticated remote attacker can exploit this by sending a crafted packet to the MSGSYS.EXE service. Successful exploitation would allow the attacker to execute arbitrary commands with SYSTEM privileges.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 4815 Symantec AMS Intel Alert Handler Command Execution

Rise in Zeus spam campaigns (July 30, 2010)

Updated on August 02, 2010 11:30 AM PST

The SonicWALL UTM Research team has observed an increase in spam campaigns involving new variants of the Zeus banking Trojan in the last 24 hours. These spam campaigns included two new themes: a Social Security annual statement pretending to arrive from the Social Security Administration, and a fraudulent credit card transaction report pretending to arrive from an ATM electronic report system.

SonicWALL has received more than 100,000 e-mail copies from these spam campaigns so far. The email messages in all these campaigns carry a zip-archived attachment which contains a new variant of the Zbot Trojan executable. The sample e-mail format from each spam campaign is shown below:

Campaign #1 – Social Security Annual statement

Attachment: statement.zip (contains statement.exe)

Subject: Review your annual Social Security statement

Email Body:
————————
Due to possible calculation errors, your annual Social Security statement may contain errors.

Open attached file to review your annual Social Security statement.
————————

The email message looks like:

screenshot

Campaign #2 – Fraudulent Credit Card Transaction report

Attachment: report.zip (contains report.exe)

Subject: Possible Fraudulent Transaction

Email Body:
————————
Dear VISA card holder,

A recent review of your transaction history determined that your card was used at an ATM located in Peru, but for security reasons the requested transaction was refused.Please carefully review electronic report for your VISA card (attach to this letter)
————————

The email message looks like:

screenshot

Campaign #3 – Password Reset

Attachment: password.zip (contains password.exe)

Subject: Password Reset Confirmation

Email Body:
————————
Hello,

Because of the measures taken to provide safety to our clients, your password has been changed. You can find your new password in attached document.

Thanks,
————————

The email message looks like:

screenshot

The executable files inside the attachments look like:

screenshot

If the user downloads and executes the malicious executable inside the zip attachment, it performs the following activity:

  • Drops the following files:
    • (Application Data)\Adliudikz.exe – Detected as GAV: Zbot.ALYP (Trojan)
    • (Application Data)\Cutufymus.piz
  • Registry modification:
    • HKU\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = 0x00000000
    • HKU\Software\Microsoft\Windows\CurrentVersion\Run\{31F6212F-0693-C632-DA88-C26F74578F5F}: (Application Data)\Adliudikz.exe
  • Network activity:
    • Downloads an encrypted configuration file from a predetermined Zeus C&C domain zephehooqu.ru – GET /bin/koethood.bin
    • Sends information to a predetermined Zeus C&C domain jocudaidie.ru – POST /9xq/_gate.php
  • Deletes the original copy of the malware executable.

SonicWALL Gateway AntiVirus provided proactive protection against the above spam campaigns with the following signatures:

  • GAV: Zbot.PSQ (Trojan) [1,611,630 hits recorded in last 24 hours]
  • GAV: Suspicious#bredolab_3 (Trojan) [983,152 hits recorded in last 24 hours]

screenshot

screenshot

[Update – August 02, 2010] The SonicWALL UTM Research team observed a big spike in the Zeus spam campaign over the weekend, and SonicWALL Gateway AntiVirus continued to provide proactive protection via the following signature:

  • GAV: Suspicious#bredolab_3 (Trojan) [15 million hits recorded in last 4 days]

screenshot

Apache Struts2 Remote Command Execution (July 29, 2010)

Apache Struts2 originated from two different projects, Apache Struts and WebWork. In 2008 the two projects merged to create Struts2, an MVC framework for building Java web applications. OGNL (Object-Graph Navigation Language) is an expression language for getting and setting properties of Java objects.

A remote command execution vulnerability exists in Apache Struts2. The vulnerability is due to insufficient validation when evaluating request parameter names as OGNL expressions. A remote attacker can exploit it by sending a crafted HTTP request to the target server. Successful exploitation would allow the attacker to execute arbitrary commands with the privileges of the target service. Where command execution does not succeed, the vulnerable process may terminate abnormally, resulting in a denial of service condition.

The CVE identifier for this vulnerability is CVE-2010-1870.
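The defensive counterpart to the weakness described above is to refuse any request parameter name that is not a plain property path before it ever reaches an expression evaluator. The following added example (written for this page; it is not Struts or SonicWALL code, and the allowlist pattern and sample request lines are assumptions constructed for illustration) checks parameter names with an allowlist and reports offending names found in access-log-style request lines:

```python
import re
from urllib.parse import parse_qsl

# Allowlist for parameter names (an assumption for this example, not Struts
# configuration): a plain property path such as "user.name" or "items[0].qty".
# OGNL metacharacters (#, @, (, ), =, comma, quotes) never appear in one.
SAFE_PARAM_NAME = re.compile(
    r"^[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*|\[\d+\])*$"
)


def is_safe_param_name(name: str) -> bool:
    """True when the parameter name is a plain property path, False otherwise."""
    return SAFE_PARAM_NAME.match(name) is not None


def audit_query(query: str) -> list:
    """Return every parameter name in a URL query string that fails the allowlist.
    parse_qsl percent-decodes names, so an encoded '#' (%23) is caught too."""
    return [
        name
        for name, _ in parse_qsl(query, keep_blank_values=True)
        if not is_safe_param_name(name)
    ]


def audit_request_lines(lines) -> dict:
    """Scan request lines of the form 'METHOD /path?query HTTP/1.1' (as found in
    an access log) and map each offending line to its rejected parameter names."""
    findings = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or "?" not in parts[1]:
            continue
        bad = audit_query(parts[1].split("?", 1)[1])
        if bad:
            findings[line] = bad
    return findings


# Constructed sample request lines (not taken from real traffic).
SAMPLE_LINES = [
    "GET /login.action?user.name=alice&items[0].qty=2 HTTP/1.1",
    "GET /login.action?title=hello&%23foo=1 HTTP/1.1",
    "POST /save.action?foo(bar)=1 HTTP/1.1",
]

if __name__ == "__main__":
    for line, names in audit_request_lines(SAMPLE_LINES).items():
        print("suspicious parameter names %r in: %s" % (names, line))
```

The check is applied to the decoded name, which matters: a filter that only looks at the raw query string misses percent-encoded metacharacters.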

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 4680 Apache Struts2/XWork Remote Command Execution

Ipswitch IMail Server Reply-To BO (July 26, 2010)

The Ipswitch IMail Server is a mail server geared towards medium to large size organizations. It implements the POP3, IMAP4, and SMTP protocols. The SMTP server module is installed and started in a default installation.

The SMTP protocol defines a set of commands used to exchange email messages between network-connected hosts. The full SMTP protocol specification is outlined in RFC 821. SMTP commands are composed of ASCII strings separated by the end-of-line byte sequence 0x0d0a (CRLF). In a standard SMTP session, after the TCP connection is opened there is normally a handshake between the client and server. Once the session has been established, the client will either send an email to an account on the SMTP server or use the server to relay the message to its destination.

An SMTP email message consists of a header and a message body. The header consists of several lines defining numerous aspects of the email such as the source and destination addresses. The body of the message begins after an empty line following the header. Each header line is composed of a field name, followed by a colon character “:”, further followed by the field value, terminated by CRLF. For example:

    From:
    To:
    Subject: test email
    Reply-To:
    Content-Type: text/plain;

Some of the header fields specified by the standard are listed below:

  • Bcc
  • Cc
  • Date
  • From
  • Received
  • Reply-To
  • Subject
  • To
  • X-headers

A buffer overflow vulnerability exists in the Ipswitch IMail server. The vulnerability is due to a boundary error in the processing of the Reply-To SMTP header. If multiple Reply-To headers exist in a message, the vulnerable code will concatenate them into a single string. This string will then be copied into a fixed size stack buffer without any prior checks of the final string’s length. If the length of the concatenated Reply-To header is greater than the size of the allocated buffer, the string copy operation will result in user supplied data overrunning the provided buffer. This will lead to corruption of sensitive stack data such as the function return addresses. Unauthenticated attackers may exploit this vulnerability by supplying a crafted SMTP message with multiple, long Reply-To headers. Successful exploitation may allow arbitrary code to be injected and executed with the privileges of the server process.
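The missing check is a length and count check on the concatenated Reply-To values before they are copied into a fixed-size buffer. The following added example (written for this page; it is not IMail or SonicWALL code, and the size limits and sample messages are constructed assumptions) parses the header block of a message in the format described above and rejects messages whose Reply-To headers repeat or whose combined length exceeds the buffer budget:

```python
# Header-size policy for this example (constructed limits, not IMail's).
MAX_REPLY_TO_BYTES = 256
MAX_REPLY_TO_COUNT = 1


def parse_headers(raw: bytes):
    """Split a message into ([(name, value), ...], body).

    Header lines are separated by CRLF, a folded continuation line starts with
    space or tab, and the first empty line ends the header block."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n"):
        if line[:1] in (b" ", b"\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + b" " + line.strip())
            continue
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def check_reply_to(raw: bytes):
    """Return (accepted, reason).

    Models the check the vulnerable code lacks: before the Reply-To values are
    concatenated and copied into a fixed-size buffer, make sure the header does
    not repeat and that the combined length stays within the buffer size."""
    headers, _ = parse_headers(raw)
    values = [v for n, v in headers if n == b"reply-to"]
    combined = len(b"".join(values))
    if len(values) > MAX_REPLY_TO_COUNT:
        return False, "%d Reply-To headers, combined length %d bytes" % (len(values), combined)
    if combined > MAX_REPLY_TO_BYTES:
        return False, "Reply-To length %d exceeds %d bytes" % (combined, MAX_REPLY_TO_BYTES)
    return True, "ok"


# Constructed sample messages (addresses use the reserved .invalid TLD).
GOOD_MESSAGE = (
    b"From: alice@example.invalid\r\n"
    b"To: bob@example.invalid\r\n"
    b"Subject: test email\r\n"
    b"Reply-To: alice@example.invalid\r\n"
    b"Content-Type: text/plain;\r\n"
    b"\r\n"
    b"hello\r\n"
)

# Three long Reply-To headers: the condition the advisory describes.
BAD_MESSAGE = (
    b"From: someone@example.invalid\r\n"
    b"To: bob@example.invalid\r\n"
    + b"".join(b"Reply-To: " + b"A" * 200 + b"@example.invalid\r\n" for _ in range(3))
    + b"\r\nbody\r\n"
)

if __name__ == "__main__":
    for label, msg in (("good", GOOD_MESSAGE), ("bad", BAD_MESSAGE)):
        print(label, check_reply_to(msg))
```

The count check alone would already have stopped the described condition; the length check covers a single oversized header, which the same fixed buffer could not hold either.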

SonicWALL has IPS signatures in place that proactively detect and block attacks of this type. The following SMTP signatures block SMTP-related attacks by detecting common shellcode transfers:

  • 4120 – Generic SMTP Attack Attempt
  • 5470 – Generic SMTP Shellcode Exploit

SonicWALL also has generic signatures that are not protocol specific and cover multiple protocols, including SMTP. These signatures are also effective in proactively blocking attacks against SMTP servers.

Prolaco Worm Spreading in the Wild (July 23, 2010)

The SonicWALL UTM Research team received reports of a new variant of the peer-to-peer (P2P) worm Prolaco spreading in the wild. It propagates through P2P channels as well as spammed e-mail. The e-mail carries the malicious file inside a zip attachment.

Below are sample e-mails:

Subject:

  • You have got a new message on Facebook!
  • You have received A Hallmark E-Card!
  • Thank you from Google!

Attachment:

  • Facebook message.zip (contains document.jpg .exe )
  • Postcard.zip (contains document.jpg .exe )
  • CV-20100120-112.zip (contains document.jpg .exe )

Email Body:

    Hi,

    You have got a personal message on Facebook from your friend.
    To read it please check the attachment.
    Thanks,

    The Facebook Team
    ===================================================
    Hello!

    You have received a Hallmark E-Card from your friend.

    To see it, check the attachment.

    There’s something special about that E-Card feeling. We invite you to make a friend’s day and send one.

    Hope to see you soon,
    Your friends at Hallmark

    ===================================================
    We just received your resume and would like to thank you for your interest in working at Google.
    This email confirms that your application has been submitted for an open position.

    Our staffing team will carefully assess your qualifications for the role(s) you selected and others that
    may be a fit. Should there be a suitable match, we will be sure to get in touch with you.

    Click on the attached file to review your submitted application.

    Have fun and thanks again for applying to Google!

    Google Staffing
    ===================================================

The e-mail messages look like below:

    screenshot
    screenshot
    screenshot

Once the user runs the executable file, it performs the following activities:

File Operation:

Added Files

  • Documents and Settings\{user}\Application Data\SystemProc\lsass.exe – (222KB) [ Detected as GAV: Prolaco.I (Worm) ]
  • WINDOWS\system32\HPWuSchd5.exe – (447KB) [ Detected as GAV: Prolaco.I (Worm) ]
  • Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}
  • Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome
  • Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content
  • Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul [ Detected as GAV: Dursg.G (Trojan) ]
  • Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
  • Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf

Registry Operation:

Added Entries

  • HKEY_CURRENT_USER\Identities  Curr version “25”
  • HKEY_CURRENT_USER\Identities  Last Date “23-7-2010”
  • HKEY_CURRENT_USER\Identities  Inst Date “23-7-2010”
  • HKEY_CURRENT_USER\Identities  Popup count “0”
  • HKEY_CURRENT_USER\Identities  Popup time “0”
  • Allows the program to run without user notification:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system  EnableLUA dword:00000000
  • Ensures the worm runs on every Windows startup:
    • KEY: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      Value: HP Software Updater5
      Data: “WINDOWS\System32\HPWuSchd5.exe”
    • KEY: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
      Value: RTHDBPL
      Data: “Documents and Settings\{user}\Application Data\SystemProc\lsass.exe”
  • Ensures the worm bypasses the firewall:
    • KEY: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
      Value: C:\WINDOWS\System32\HPWuSchd5.exe
      Data: “C:\WINDOWS\System32\HPWuSchd5.exe:*:Enabled:Explorer”

Malware Propagation:

    Peer-to-Peer Applications

    This worm drops copies of itself into P2P shared folders, using filenames taken from its list:

    List of P2P application folders:

    • program files\winmx\shared
    • program files\tesla\files
    • program files\limewire\shared
    • program files\morpheus\my shared folder
    • program files\emule\incoming
    • program files\edonkey2000\incoming
    • program files\bearshare\shared
    • program files\grokster\my grokster
    • program files\icq\shared folder
    • program files\kazaa lite k++\my shared folder
    • program files\kazaa lite\my shared folder
    • program files\kazaa\my shared folder

    Filenames it uses when copying itself to P2P folders, posing as key generators and cracking tools for popular commercial applications:

    • AOL Instant Messenger (AIM) Hacker.exe
    • AOL Password Cracker.exe
    • Ad-aware 2010.exe
    • Adobe Acrobat Reader keygen.exe
    • Adobe Illustrator CS4 crack.exe
    • Adobe Photoshop CS4 crack by M0N5KI Hack Group.exe
    • Alcohol 120 v1.9.x.exe
    • Anti-Porn v13.x.x.x.exe
    • AnyDVD HD v.6.3.1.8 Beta incl crack.exe
    • Ashampoo Snap 3.xx [Skarleot Group].exe
    • Avast 4.x Professional.exe
    • Avast 5.x Professional.exe
    • BitDefender AntiVirus 2010 Keygen.exe
    • Blaze DVD Player Pro v6.52.exe
    • Brutus FTP Cracker.exe
    • CleanMyPC Registry Cleaner v6.02.exe
    • Counter-Strike Serial key generator [Miona patch].exe
    • DCOM Exploit archive.exe
    • DVD Tools Nero 10.x.x.x.exe
    • Daemon Tools Pro 4.8.exe
    • DivX 5.x Pro KeyGen generator.exe
    • Divx Pro 7.x version Keymaker.exe
    • Download Accelerator Plus v9.2.exe
    • Download Boost 2.0.exe
    • FTP Cracker.exe
    • G-Force Platinum v3.7.6.exe
    • Google SketchUp 7.1 Pro.exe
    • Grand Theft Auto IV [Offline Activation + mouse patch].exe
    • Half-Life 2 Downloader.exe
    • Hotmail Cracker [Brute method].exe
    • Hotmail Hacker [Brute method].exe
    • ICQ Hacker Trial version [brute].exe
    • IP Nuker.exe
    • Image Size Reducer Pro v1.0.1.exe
    • Internet Download Manager V5.exe
    • K-Lite Mega Codec v5.2 Portable.exe
    • K-Lite Mega Codec v5.2.exe
    • Kaspersky AntiVirus 2010 crack.exe
    • Kaspersky Internet Security 2010 keygen.exe
    • Keylogger unique builder.exe
    • L0pht 4.0 Windows Password Cracker.exe
    • LimeWire Pro v4.18.3 [Cracked by AnalGin].exe
    • MSN Password Cracker.exe
    • Magic Video Converter 8.exe
    • McAfee Total Protection 2010 [serial patch by AnalGin].exe
    • Microsoft Visual Basic KeyGen.exe
    • Microsoft Visual C++ KeyGen.exe
    • Microsoft Visual Studio KeyGen.exe
    • Microsoft.Windows 7 ULTIMATE FINAL activator+keygen x86.exe
    • Motorola, nokia, ericsson mobil phone tools.exe
    • Mp3 Splitter and Joiner Pro v3.48.exe
    • Myspace theme collection.exe
    • NetBIOS Cracker.exe
    • NetBIOS Hacker.exe
    • Norton Anti-Virus 2005 Enterprise Crack.exe
    • Norton Anti-Virus 2010 Enterprise Crack.exe
    • Norton Internet Security 2010 crack.exe
    • PDF password remover (works with all acrobat reader).exe
    • Password Cracker.exe
    • Power ISO v4.4 + keygen milon.exe
    • Rapidshare Auto Downloader 3.8.6.exe
    • Sophos antivirus updater bypass.exe
    • Sub7 2.5.1 Private.exe
    • Super Utilities Pro 2009 11.0.exe
    • Total Commander7 license+keygen.exe
    • Tuneup Ultilities 2010.exe
    • Twitter FriendAdder 2.3.9.exe
    • UT 2003 KeyGen.exe
    • VmWare 7.x keygen.exe
    • Website Hacker.exe
    • WinRAR v3.x keygen [by HiXem].exe
    • Winamp.Pro.v7.xx.PowerPack.Portable+installer.exe
    • Windows 2008 Enterprise Server VMWare Virtual Machine.exe
    • Windows Password Cracker + Elar3 key.exe
    • Windows2008 keygen and activator.exe
    • YouTubeGet 5.6.exe
    • Youtube Music Downloader 1.3.exe
    • [+ MrKey +] Windows XP PRO Corp SP3 valid-key generator.exe
    • [Eni0j0 team] Vmvare keygen.exe
    • [Eni0j0 team] Windows 7 Ultimate keygen.exe
    • [antihack tool] Trojan Killer v2.9.4173.exe
    • [fixed]RapidShare Killer AIO 2010.exe
    • [patched, serial not need] Nero 9.x keygen.exe
    • [patched, serial not needed] Absolute Video Converter 6.2-7.exe
    • [patched, serial not needed] PDF Unlocker v2.0.5.exe
    • [patched, serial not needed] PDF to Word Converter 3.4.exe
    • sdbot with NetBIOS Spread.exe

    Mass-Mailing

    This worm harvests email addresses from the system and sends spam emails with a copy of itself attached.

Network Activity:

The following HTTP request was observed from this worm:

  • http://controll{REMOVED}ckout

Pop-up Advertisements

    This worm injects code into the following browsers to monitor keyword searches:

    • Internet Explorer
    • Opera
    • Chrome
    • Firefox

    The following are the keyword terms it monitors; once one is found, it displays pop-up advertisements from the domain “tetrosearch.com”:

    • airlines
    • amazon
    • antivir
    • antivirus
    • baby
    • bank
    • bany
    • baseball
    • books
    • cars
    • casino
    • cialis
    • cigarettes
    • comcast
    • craigslist
    • credit
    • dating
    • design
    • diet
    • doctor
    • dvd
    • ebay
    • estate
    • fashion
    • film
    • finance
    • flights
    • flower
    • footbal
    • football
    • gambling
    • game
    • gifts
    • golf
    • graphic
    • health
    • hotel
    • insurance
    • iphone
    • ipod
    • job
    • loan
    • loans
    • medical
    • military
    • mobile
    • money
    • mortgage
    • movie
    • music
    • myspace
    • pharma
    • pocker
    • poker
    • porn
    • school
    • sex
    • shop
    • software
    • sport
    • spybot
    • spyware
    • trading
    • tramadol
    • travel
    • twitter
    • verizon
    • video
    • virus
    • vocations
    • wallpaper
    • weather
    • yobt

SonicWALL Gateway AntiVirus provides protection against this worm via the following signatures:

  • GAV: Prolaco.I (Worm)
  • GAV: Dursg.G (Trojan)

MS Outlook ATTACH_BY_REFERENCE (July 16, 2010)

The Microsoft Outlook email client implements all popular email protocols such as SMTP, POP3 and IMAP, as well as Microsoft’s own proprietary standards. Attachments and rich text or HTML emails are transferred between the email client and server in encoded form in order to adhere to the 7-bit character limitation. There are several methods to accomplish this, one of which is a proprietary Microsoft encoding format called the Transport Neutral Encapsulation Format (TNEF). TNEF encodes and encapsulates the message body in a file attachment named “winmail.dat”.

The structure of TNEF allows for pointing to other email attachments, included in the email or referred to with a URL. The URL is interpreted by Outlook and the resource is requested and subsequently handled by the system based on its type.

A design flaw exists in Microsoft Outlook when processing attachment URLs inside the mail body. The vulnerability lies in the attachment URL handling mechanism. Upon opening an attachment, the vulnerable application first checks that the file extension is not on its block list. When the attachment body is not enclosed within the message but is instead referred to with a URL, the verification logic can be tricked into bypassing that check: if the URI referencing the attachment contains a query string, and the query string contains what may be interpreted as a file extension, then that perceived file extension is the one considered by the verification procedure.

It is therefore possible to construct an attachment URI that Outlook considers safe but which, once the attachment is downloaded, is forwarded to the operating system for execution without being blocked.
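The robust way to perform this check is to derive the extension from the URI’s path component alone, after discarding the query string and fragment. The following added example (written for this page; it is not Outlook or SonicWALL code, and the blocked-extension set and sample URIs are constructed assumptions) contrasts the flawed derivation described above with a path-only derivation and shows where the two disagree:

```python
import os
from urllib.parse import unquote, urlsplit

# Constructed subset of extensions a mail client would refuse to launch.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def naive_extension(uri: str) -> str:
    """The flawed derivation the advisory describes: whatever follows the last
    dot anywhere in the URI, so a query string or fragment can supply the
    'extension' that gets checked."""
    _, dot, tail = uri.rpartition(".")
    return "." + tail.lower() if dot else ""


def path_extension(uri: str) -> str:
    """Derive the extension from the path component only.

    The query string and fragment are discarded, the path is percent-decoded,
    and trailing dots or spaces (which Windows strips from file names) are
    removed before the extension is read."""
    path = unquote(urlsplit(uri).path).rstrip(". ")
    return os.path.splitext(path)[1].lower()


def is_blocked(uri: str, extractor=path_extension) -> bool:
    """True when the attachment referenced by uri has a blocked extension."""
    return extractor(uri) in BLOCKED_EXTENSIONS


# Constructed attachment references (hosts use the reserved .invalid TLD).
SAMPLE_URIS = [
    "http://files.example.invalid/docs/report.pdf",
    "http://files.example.invalid/docs/update.exe?name=report.txt",
    "http://files.example.invalid/docs/tool%2Escr.",
    "file://share.example.invalid/pub/setup.exe#notes.txt",
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print("%-62s naive=%-5s path=%-5s blocked=%s" % (
            uri, naive_extension(uri), path_extension(uri), is_blocked(uri)))
```

Note that the path-based check also normalises percent-encoding and trailing dots; either of those is enough to defeat a check that compares the raw string.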

An attacker must entice the target user to open a malicious attachment using a vulnerable version of the affected product. Successful exploitation may allow the download and execution of arbitrary code with the privileges of the currently logged in user.

SonicWALL has released two IPS signatures to detect and block known existing exploits targeting this flaw. The following signatures were released to address this issue:

  • 4662 – MS Outlook SMB Code Execution PoC 1 (MS10-045)
  • 4664 – MS Outlook SMB Code Execution PoC 2 (MS10-045)

Mitre has assigned the ID CVE-2010-0266. The vendor has released a security advisory regarding this issue.

Bredolab Trojan spam campaign (July 16, 2010)

The SonicWALL UTM Research team observed a wave of résumé-themed spam involving a newer variant of the Bredolab Trojan starting earlier this week. The spam emails arrive with a zip-archived attachment which contains the Bredolab Trojan executable. The e-mail pretends to come from a prospective job applicant and looks like:

Attachment: resume_41170.zip (contains Myresume.exe)

Subject: Please look my CV, Thank you

Email Body:
————————
Hello!

I have figured out that you have an available job.
I am quiet intrested in it. So I send you my resume,

Looking forward to your reply.
Thank you.
————————

A sample email message looks like:

screenshot

The executable file inside the attachment has an icon disguised as a Microsoft Word document:

screenshot

If the user opens the malicious attachment, it performs the following activities on the victim’s machine:

  • It creates the following file
    • C:\WINDOWS\System32\svrwsc.exe – Detected as GAV: Bredolab.ZX (Trojan)
  • It injects itself into the following processes
    • C:\WINDOWS\system32\csrss.exe
    • C:\WINDOWS\System32\svchost.exe
  • It attempts to access the following files and fails, possibly checking for a prior infection
    • (Application Data)\Microsoft\OFFICE\TEMP\doc~1.dat
    • (Application Data)\Microsoft\OFFICE\TEMP\doc~2.dat
  • It connects to a predetermined malicious domain musiceng.ru and sends process information

    screenshot

  • It creates the following registry keys to ensure svrwsc.exe starts as a service on every system restart under the name “Windows Security Center Service”:
    • HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\Type: 0x00000010
    • HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\Start: 0x00000002
    • HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\ErrorControl: 0x00000000
    • HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\ImagePath: “C:\WINDOWS\System32\svrwsc.exe”
    • HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\DisplayName: “Windows Security Center Service”
    • HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\ObjectName: “LocalSystem”
    • HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\Description: “The service provides COM APIs for independent software vendors to register and record the state of their products to the Security Center service.”

SonicWALL Gateway AntiVirus provides protection against this Bredolab Trojan variant with GAV: Bredolab.ZX (Trojan) signature.

screenshot

Oficla Trojan spam campaigns (July 9, 2010)

The SonicWALL UTM Research team observed multiple spam campaigns in the last 3 days involving the Oficla Trojan. SonicWALL has received more than 10,000 e-mail copies from these campaigns so far. The e-mail messages contain a zip-archived attachment which holds the new variant of the Oficla Trojan executable.

The e-mail formats from these spam campaigns are shown below:

Campaign #1 – Changelog document spam

Attachment: Changelog_05_07_2010.zip (contains Changelog_05_07_2010.DOC.exe)

Subject: Your log 06.07.2010

Email Body:
————————
Good afternoon,
as promised your changelog is attached,
Sandy
————————

The email message looks like:

screenshot

Campaign #2 – Fees document spam

Attachment: Fees_2010.zip (contains Fees_2010.DOC.exe)

Subject: Your fees 2010

Email Body:
————————
Please find attached a statement of fees as requested, this will be posted today.
The accommodation is dealt with by another section and I have passed your request on to them today.

Kind regards.
Gina Martinez
————————

The email message looks like:

screenshot

The executable file inside the attachment has an icon disguised as a Microsoft Word document:

screenshot
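Every campaign in these write-ups (Bredolab, Zeus, Prolaco and Oficla) delivers a Windows executable inside a zip attachment, and most rely on a naming trick: a second extension such as .DOC.exe, or padding spaces before .exe so the real extension scrolls out of view. A mail gateway can catch all of these by inspecting the archive rather than the outer filename. The following added example (written for this page; it is not SonicWALL code, and the archives, member names and the two-byte placeholder executable are constructed for illustration) builds sample attachments in memory and flags members by extension tricks and by the MZ magic bytes:

```python
import io
import zipfile

# Extensions Windows will execute directly (constructed list for this example).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def classify_entry(name: str, head: bytes) -> list:
    """Return the reasons an archive member looks like a disguised executable.

    name is the member name inside the zip, head its first few bytes."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    final = "." + parts[-1] if len(parts) > 1 else ""
    if final in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension " + final)
        if len(parts) > 2:
            reasons.append("double extension, shown as ." + parts[-2].strip())
        if base[:-len(final)].endswith(" "):
            reasons.append("whitespace padding hides the real extension")
    if head[:2] == b"MZ":
        reasons.append("MZ header (Windows executable) regardless of name")
    return reasons


def scan_zip_attachment(blob: bytes) -> dict:
    """Map each suspicious member of a zip attachment to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes} (used to construct samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples.  FAKE_MZ carries only the two-byte DOS magic; it is not
# a real program.  The member names mirror the naming tricks seen above.
FAKE_MZ = b"MZ" + b"\x00" * 62
SAMPLE_ATTACHMENTS = {
    "Fees_2010.zip": build_zip({"Fees_2010.DOC.exe": FAKE_MZ}),
    "Postcard.zip": build_zip({"document.jpg                .exe": FAKE_MZ}),
    "statement.zip": build_zip({"statement.exe": FAKE_MZ}),
    "notes.zip": build_zip({"notes.txt": FAKE_MZ}),
    "photos.zip": build_zip({"photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16}),
}

if __name__ == "__main__":
    for attachment, blob in SAMPLE_ATTACHMENTS.items():
        print(attachment, scan_zip_attachment(blob) or "clean")
```

Only the first two bytes of each member are read, so the scan stays cheap even on large archives; the MZ check catches an executable renamed to a harmless extension, which no filename rule can.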

If the user opens the malicious attachment, it performs the following activities on the victim machine:

  • Connects to a predetermined C&C server and sends system information. The server responds with a command to download and run a malware executable; the response also contains backup URLs for the C&C server.

    screenshot

  • Drops the following malicious executable files, some of which are downloaded from URLs received via the C&C server:
    • (Temp)\10.tmp – Detected as GAV: Bredolab.PCK (Trojan)
    • (Temp)\14.tmp – Detected as GAV: Bredolab.PCK_2 (Trojan)
    • (Temp)\15.tmp – Detected as GAV: Bredolab.PCK_2 (Trojan)
    • (Temp)\F.tmp – Detected as GAV: Oficla_8 (Trojan)
    • (System)\thxr.wgo – Detected as GAV: Oficla_8 (Trojan)
  • Injects F.tmp into the svchost.exe process.
  • Deletes the original copy of the file that was opened by the user.
  • Modifies the following registry entry to ensure thxr.wgo gets injected on every system restart:
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: “Explorer.exe rundll32.exe thxr.wgo nwfdtx”
  • Creates the following registry entries to store the backup C&C server URLs in hexadecimal format:
    • HKLM\SOFTWARE\Classes\idid\url1: (URL in hexadecimal format)
    • HKLM\SOFTWARE\Classes\idid\url2: (URL in hexadecimal format)
    • HKLM\SOFTWARE\Classes\idid\url3: (URL in hexadecimal format)
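The Bredolab, Zeus, Prolaco and Oficla write-ups above all persist or weaken defences through a handful of registry locations: the Run and policies\Explorer\Run autostart keys, the Winlogon Shell value, EnableLUA under policies\system and the firewall AuthorizedApplications list. The following added example (written for this page; it is not SonicWALL code, and the .reg export is constructed from the indicators named in these posts, with a benign ctfmon.exe entry added as a control) parses a regedit-style export and reports entries that match those patterns:

```python
# Locations named in the write-ups above, lower-cased for comparison.
AUTOSTART_SUFFIXES = (
    "\\microsoft\\windows\\currentversion\\run",
    "\\microsoft\\windows\\currentversion\\policies\\explorer\\run",
)
# Directories a legitimate autostart entry rarely launches from.
SUSPECT_DIRS = ("\\temp\\", "\\application data\\")


def _unquote(s: str) -> str:
    """Strip the quotes of a .reg string and undo its backslash doubling."""
    return s.strip('"').replace("\\\\", "\\").replace('\\"', '"')


def parse_reg(text: str) -> list:
    """Parse a regedit .reg export into a list of (key, value_name, data).

    Handles the two data forms used here: quoted strings (with doubled
    backslashes) and dword:XXXXXXXX (returned as int)."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        name, eq, data = line.partition("=")
        if not eq or key is None:
            continue
        name = "(Default)" if name == "@" else _unquote(name)
        if data.startswith('"'):
            data = _unquote(data)
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        entries.append((key, name, data))
    return entries


def audit_registry(entries: list) -> list:
    """Return (key, value_name, reason) for every persistence or
    defence-weakening indicator found in the parsed entries."""
    findings = []
    for key, name, data in entries:
        k, n = key.lower(), name.lower()
        d = data.lower() if isinstance(data, str) else data
        if isinstance(d, str) and k.endswith(AUTOSTART_SUFFIXES):
            if any(s in d for s in SUSPECT_DIRS):
                findings.append((key, name, "autostart entry runs from a temp or profile directory"))
        elif k.endswith("\\winlogon") and n == "shell" and d != "explorer.exe":
            findings.append((key, name, "Winlogon Shell launches an extra program"))
        elif k.endswith("\\policies\\system") and n == "enablelua" and d == 0:
            findings.append((key, name, "EnableLUA=0: programs run without user notification"))
        elif k.endswith("\\firewallpolicy\\standardprofile\\authorizedapplications\\list"):
            findings.append((key, name, "firewall exception added"))
    return findings


# Constructed .reg export built from the indicators in the posts above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"sniffer"="C:\\WINDOWS\\Temp\\_ex-08.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"{31F6212F-0693-C632-DA88-C26F74578F5F}"="C:\\Documents and Settings\\user\\Application Data\\Adliudikz.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"RTHDBPL"="C:\\Documents and Settings\\user\\Application Data\\SystemProc\\lsass.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe rundll32.exe thxr.wgo nwfdtx"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\System32\\HPWuSchd5.exe"="C:\\WINDOWS\\System32\\HPWuSchd5.exe:*:Enabled:Explorer"
"""

if __name__ == "__main__":
    for key, name, reason in audit_registry(parse_reg(SAMPLE_REG)):
        print("%s\n    %s: %s" % (key, name, reason))
```

The Prolaco HP Software Updater5 Run entry lives in System32 and is deliberately not caught by the directory rule; it is the firewall exception and the policies\Explorer\Run entry from the same infection that surface it, which is why the rules are evaluated together rather than one at a time.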

SonicWALL Gateway AntiVirus provides protection against this Oficla Trojan variant with the GAV: Oficla.GW_2 (Trojan) signature.

screenshot

VMware SpringSource Remote Code Execution (July 8, 2010)

SpringSource, a division of VMware, Inc., provides a suite of software products that accelerate the entire build, run and manage lifecycle of enterprise Java applications. SpringSource also provides support for the open source application frameworks Spring and Grails, which run on the Java Virtual Machine. The SpringSource Spring Framework is a framework used in the Java web development industry.

Java is a programming language originally developed by James Gosling at Sun Microsystems. Java is general-purpose, concurrent, class-based and object-oriented, and is specifically designed to have as few implementation dependencies as possible. All code in Java is written inside a class and everything is an object, with the exception of the intrinsic data types (ordinal and real numbers, boolean values and characters), which are not classes for performance reasons. A typical Java class is listed below:

    // Outputs "Hello, world!" and then exits
    public class HelloWorld {
        public static void main(String[] args) {
            System.out.println("Hello, world!");
        }
    }

A software construct used within the Spring Framework is the JavaBean. A JavaBean is a reusable software component that conforms to a particular convention. It is a Java Object that is serializable, has a nullary constructor, and allows access to properties using getter and setter methods. One way Spring Framework enables rapid web application development is by leveraging introspection and JavaBeans into a single concept: a form backing bean. A form backing bean enables a Java Spring developer to map web form input to a JavaBean. The mapping has several properties:

  • commandClass – the class of the object that will be used to represent the data in this form.
  • commandName – the name of the command object.
  • sessionForm
  • validator – a class that validates data that is passed in from the form.
  • formView – the JSP for the form.
  • successView – the JSP that the user is routed to if the form submits with no validation errors.

When an HTML form is submitted to a URL, the Spring web framework instantiates the JavaBean specified by commandClass and binds the submitted fields to its properties.

A remote code execution vulnerability exists in the VMware SpringSource Spring Framework. The vulnerability is due to a design error when processing submissions to a URL that uses a form backing bean. During the bean’s initialization, all properties of its Class object can be modified by a remote user, including the Class object’s classLoader property. This allows an attacker to inject and execute arbitrary code with the privileges of the target service.
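The underlying design problem is a binder that follows whatever property path the client names, so a request can reach objects the form never meant to expose (here, the bean’s Class object). The following added example (written for this page in Python rather than Java; it is not Spring or SonicWALL code, and the form classes, allowlist and sample submissions are constructed for illustration) contrasts an unrestricted dotted-path binder with one that accepts only the property paths the form declares:

```python
class Address:
    def __init__(self):
        self.city = ""


class UserForm:
    """Stand-in for a form backing bean: plain attributes, no-arg constructor."""
    def __init__(self):
        self.name = ""
        self.address = Address()


class BindingError(ValueError):
    pass


# Property paths the form declares (the hardened binder's allowlist).
ALLOWED_PATHS = {"name", "address.city"}


def bind_unrestricted(target, params: dict):
    """Flawed binder: follows any dotted path the client supplies.

    Nothing stops a path from walking up to the object's class (the analogue
    of the Class/classLoader properties named above) and changing state that
    every other instance shares."""
    for path, value in params.items():
        *head, leaf = path.split(".")
        obj = target
        for part in head:
            obj = getattr(obj, part)
        setattr(obj, leaf, value)
    return target


def bind_allowlisted(target, params: dict, allowed=ALLOWED_PATHS):
    """Hardened binder: rejects the whole request unless every path is declared."""
    rejected = sorted(p for p in params if p not in allowed)
    if rejected:
        raise BindingError("undeclared property paths: " + ", ".join(rejected))
    return bind_unrestricted(target, params)


def rejects(params: dict) -> bool:
    """True when the hardened binder refuses the given form parameters."""
    try:
        bind_allowlisted(UserForm(), params)
    except BindingError:
        return True
    return False


# Constructed form submissions.
NORMAL_FORM = {"name": "alice", "address.city": "Campbell"}
CLASS_WALKING_FORM = {"name": "alice", "__class__.banner": "shared-state-changed"}


def demo_class_pollution() -> bool:
    """Show that the flawed binder's effect shows up on a fresh, unrelated instance."""
    bind_unrestricted(UserForm(), CLASS_WALKING_FORM)
    leaked = getattr(UserForm(), "banner", None) == "shared-state-changed"
    if leaked:
        del UserForm.banner  # undo the class-level change
    return leaked


if __name__ == "__main__":
    print("class-level state leaked via unrestricted binder:", demo_class_pollution())
    print("hardened binder rejects the same submission:", rejects(CLASS_WALKING_FORM))
```

An allowlist of declared paths is preferable to a denylist of known-dangerous names such as class.classLoader, because the set of reachable objects grows with every property the bean graph gains.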

SonicWALL UTM team has researched this vulnerability and created the following IPS signature:

  • 4551 VMware SpringSource Remote Code Execution

This issue has been assigned CVE-2010-1622.