Posts

Social Engineering Attack Against Adobe Reader (Apr 01, 2010)

Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical hacking techniques.

Didier Stevens recently demonstrated how social engineering techniques can be used to entice an end user into executing arbitrary code through Adobe Reader. The original blog post can be found here. Given the popularity of Adobe Reader, it is a good example of how social engineering attacks can affect our daily lives.

Adobe Reader does not allow embedded executables to be extracted and executed directly. To bypass this restriction, the first step (on Windows) is to get cmd.exe running, which can be achieved through a launch action (/Action /Launch). The only thing standing between the user and cmd.exe is a warning dialog box:

Using social engineering techniques, the author replaced the warning message with this:

Once the targeted user clicks the “Open” button, cmd.exe is launched. From that point on it is up to the PDF author’s creativity to perform additional malicious actions, since cmd.exe can be used to run executables embedded in the PDF file.

SonicWALL has released an IPS signature to detect and block PDF files utilizing launch action. The signature is listed below:

  • 4907 Suspicious Launch Action in PDF Document

Please note that because the launch action has legitimate uses and is defined in the PDF specification, the signature is set to low priority.
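A defender-side check for the launch-action pattern this alert describes, as an added example that is not SonicWALL's signature logic or Didier Stevens' code. It scans a PDF's dictionaries for /S /Launch actions, reports the launched file, and mirrors the alert's caveat by rating a bare launch low and one that names a shell high; the embedded PDF is a constructed minimal sample and the SHELLS list is an assumption.

```python
import re

# Constructed minimal PDF (not a real sample) whose OpenAction is a /Launch
# action naming cmd.exe, the pattern the alert describes.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /Launch /Win << /F (cmd.exe) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# PDF name objects may hide characters as #xx hex escapes (/L#61unch), so
# those are decoded before matching.  Applying it to the whole file is a
# heuristic: it may also touch "#xx" inside strings, which is harmless here.
_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# Dictionary bodies; non-greedy matching suffices because the launch target
# (/F) sits in the same or an inner dictionary.
_DICT = re.compile(rb"<<(.*?)>>", re.S)
_LAUNCH = re.compile(rb"/S\s*/Launch\b")
_TARGET = re.compile(rb"/F\s*\(([^)]*)\)")

# Assumed list of shell interpreters that turn a launch into a high-priority hit.
SHELLS = (b"cmd.exe", b"command.com", b"powershell.exe")

def find_launch_actions(pdf: bytes):
    """Return [(severity, target), ...] for every /Launch action in the file.

    /Launch is legitimate and defined in the PDF specification, so a launch of
    an ordinary file is rated "low"; one that names a shell is rated "high".
    """
    findings = []
    normalised = _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), pdf)
    for m in _DICT.finditer(normalised):
        body = m.group(1)
        if not _LAUNCH.search(body):
            continue
        t = _TARGET.search(body)
        target = t.group(1).strip() if t else b""
        severity = "high" if target.lower().endswith(SHELLS) else "low"
        findings.append((severity, target.decode("latin-1")))
    return findings

if __name__ == "__main__":
    for severity, target in find_launch_actions(SAMPLE_PDF):
        print("%s: /Launch -> %r" % (severity, target))
```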

ZBot IRS spam targeting Tax period (Mar 26, 2010)

SonicWALL UTM Research team observed a new wave of the previously seen Fake IRS notice spam campaign starting yesterday – March 25, 2010, which takes advantage of the tax period to target users. US-CERT issued an alert related to it this morning.

The email pretends to arrive from an irs.gov e-mail address and contains a URL to the fake notice. If the user clicks on this URL, it leads to a fake IRS page which prompts the user to download the new ZBot Trojan variant.

The e-mail looks like:

Subject: Notice of Underreported Income

Email Body:
————————
Taxpayer ID: [email handle-(14 digit random number)US] Tax Type: INCOME TAX
Issue: Unreported/Underreported Income (Fraud Application)

Please review your tax statement on Internal Revenue Service (IRS) website (click on the link below):

review tax statement for taxpayer id: [email handle-(14 digit random number)US] (<-- Malicious URL)

Internal Revenue Service
————————

The e-mail message looks like below:

screenshot

The site that opens up when user clicks on the URL inside the e-mail is shown below:

screenshot

As seen in the screenshot, the malicious site prompts the user to download and execute the IRS notice, which in reality is the malware executable file shown here:

screenshot

The new ZBot variant performs following activities upon execution:

  • It creates the mutex objects _AVIRA_2108 and _AVIRA_2109 to mark its presence on the system.
  • It attempts to download an encrypted configuration file via the following GET request:
    GET /cnf/shopinf.jpg HTTP/1.1
    Host: shopinfmaster.com
  • Creates the following files:
    • (Windows_System)\lowsec\local.ds
    • (Windows_System)\lowsec\user.ds
    • (Windows_System)\lowsec\user.ds.lll
    • (Windows_System)\sdra64.exe
    • (Copy of itself)

  • Ensures that it runs every time Windows restarts by modifying the following registry entry:
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: “(Windows_System)\userinit.exe,(Windows_System)\sdra64.exe,”

The Trojan is also known as PWS:Win32/Zbot.gen!R [Microsoft] and Packed.Win32.Krap.ae [Kaspersky].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Zbot.YP_7 (Trojan) signature.

SAP GUI Arbitrary Command Execution (Mar 25, 2010)

A command execution vulnerability exists in the SAP GUI SAPBExCommonResources ActiveX control. SAP GUI is the GUI client in SAP’s 3-tier architecture. When SAP GUI is installed on Windows, an ActiveX control is registered (with CLSID “A009C90D-814B-11D3-BA3E-080009D22344” and ProgID “SAPBExCommonResources.BExGlobal”). It can be instantiated in a web page using the <object> tag or via scripting.

One of the methods exposed in SAPBExCommonResources.BExGlobal ActiveX control is Execute. The method is defined as follows:

Int32 Execute(String, String, String, Int32, String, SAPBExCommonResources_3_6.tShowWindow)

When the Execute method is invoked, the vulnerable code executes the specified command (the first parameter) on the web client. By enticing the target user to open a crafted HTML page, attackers could exploit the vulnerability, resulting in execution of arbitrary commands within the security context of the logged-in user.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 3540 SAP GUI SAPBExCommonResources ActiveX Control Execute Invocation

Facebook Password Reset spam continues (Mar 19, 2010)

SonicWALL UTM Research team continued to monitor the email spam campaign themed around the popular social networking website Facebook. The current spam campaign is not as large, in terms of the volume of spammed emails, as what we saw and covered in SonicAlert – New Bredolab spam campaigns.

The email pretends to come from Facebook, telling the user that their password has been changed and instructing them to open the attachment to receive their new password. As in previous campaigns, the email carries a zip-archived attachment containing an executable file. The sample e-mail format is shown below:

Campaign: Facebook Password Reset file spam

Attachment: Facebook_password_346.zip (contains Facebook_password_346.exe)

Subject: Facebook Password Reset Confirmation! Important Message

Email Body:
————————
Dear user of facebook,

Because of the measures taken to provide safety to our clients, your password has been changed. You can find your new password in attached document.

Thanks,
Your Facebook.

————————

The email message looks like below:

screenshot

The malicious executable attachment uses an icon resembling that of an MS Word document to lure users into opening the file. The file looks like this:

screenshot

If the user downloads and executes the attached malicious file, it performs the following activities:

Installation:

  • Drops a DLL file nnfj.tqo (20,480 bytes) in %System% directory and runs it.
  • The dropped DLL file looks like this:

    screenshot

Registry Changes:

    The DLL file modifies the following registry entry to ensure that it starts on every system reboot:

    Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] Value: “Shell”
    Original Data: “Explorer.exe,”
    Modified Data: “Explorer.exe rundll32.exe nnfj.tqo nhemkk”

Remote Connection:

    The DLL file tries to connect to a remote URL http://funnylive201(REMOVED)/bb.php and may download additional malware.

Facebook is already aware of this email spam and has issued a warning on their website.

This Trojan is also known as Oficla.M [Microsoft], Oficla.EV [ESET], and Mal/FakeAV-BW [Sophos].

SonicWALL Gateway AntiVirus provides protection against this spam campaign via following signatures:

  • GAV: Suspicious#fakeav_2 (Trojan) [673,532 hits recorded starting March 02, 2010]
  • GAV: Oficla.M_2 (Trojan)

screenshot

Opera Browser Content Length Buffer Overflow (Mar 18, 2010)

Opera is a web browser and Internet suite developed by the Opera Software Company. The browser handles common Internet-related tasks such as rendering web pages, sending and receiving e-mail messages, chatting on IRC clients, downloading files.

Hypertext Transfer Protocol (HTTP) is one of the most popular web protocols used on the Internet and is processed by every web browser, including Opera. HTTP is a client/server protocol, and an HTTP session consists of a sequence of network request-response transactions. An HTTP client initiates a request by establishing a TCP connection to a particular port on a host (typically port 80) and sending a request message. The HTTP server listening on that port responds with a status line upon receiving the request message. For example, a client sends the following request:

    GET /index.html HTTP/1.1
    HOST: 10.0.0.1
    ...

and a server will respond with a response similar to:

    HTTP/1.0 200 OK
    Date: Mon, Mar 15, 2010 13:32:12 GMT
    Content-Type: text/html
    Content-Length: 1022
    ...

In the preceding example the size of the content being transferred, “1022” bytes, is defined by the HTTP header Content-Length. This method of transfer is useful for cases when content is pre-computed and is ready to send as a single response.

A buffer overflow vulnerability exists in Opera. Specifically, the HTTP Content-Length header is handled incorrectly: Opera uses the sscanf function to read the Content-Length value as a signed 64-bit integer. If the Content-Length value is manipulated carefully, it can lead to a heap buffer overflow in the vulnerable Opera code. A remote attacker who entices a user into connecting to a malicious server could exploit this vulnerability to execute arbitrary code on the target client.
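The parsing difference at the heart of this issue, as an added example that is neither Opera's code nor SonicWALL's signature logic: a lenient, sscanf-style signed parse beside the strict parser a hardened client should use. The header samples are constructed and MAX_CONTENT_LENGTH is an assumed cap.

```python
import re

# Constructed response headers (not captured traffic).  The second carries a
# Content-Length that a lenient, sscanf("%lld")-style parse accepts as a
# negative signed integer, which a later allocation or copy must not trust.
GOOD = "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\nContent-Length: 1022\r\n\r\n"
BAD = "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\nContent-Length: -1\r\n\r\n"

# Assumed per-client cap on a single response body; tune to your allocator.
MAX_CONTENT_LENGTH = 1 << 31

def lenient_content_length(headers):
    """Mimic a signed-integer scan: sign, leading whitespace and trailing junk all pass."""
    m = re.search(r"^Content-Length:(.*)$", headers, re.M | re.I)
    if not m:
        return None
    digits = re.match(r"\s*([+-]?\d+)", m.group(1))
    return int(digits.group(1)) if digits else None

def strict_content_length(headers):
    """Parse Content-Length the way a hardened client should.

    The field value must be 1*DIGIT (RFC 2616), unsigned, short enough never
    to overflow a 64-bit integer, present only once (or repeated with identical
    values), and below the cap.  Raises ValueError otherwise.
    """
    values = re.findall(r"^Content-Length:[ \t]*([^\r\n]*?)[ \t]*\r?$",
                        headers, re.M | re.I)
    if not values:
        raise ValueError("no Content-Length header")
    if len(set(values)) != 1:
        raise ValueError("conflicting Content-Length values: %r" % values)
    value = values[0]
    if not re.fullmatch(r"[0-9]{1,18}", value):
        raise ValueError("malformed Content-Length: %r" % value)
    length = int(value)
    if length > MAX_CONTENT_LENGTH:
        raise ValueError("Content-Length %d exceeds cap" % length)
    return length

if __name__ == "__main__":
    for name, hdr in (("GOOD", GOOD), ("BAD", BAD)):
        try:
            print(name, "lenient:", lenient_content_length(hdr),
                  "strict:", strict_content_length(hdr))
        except ValueError as err:
            print(name, "lenient:", lenient_content_length(hdr), "strict: rejected,", err)
```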

SonicWALL UTM team has researched this vulnerability and created two IPS signatures to prevent the attack attempts addressing this issue:

  • 4873 Opera Browser Content Length BO Attempt 1
  • 4878 Opera Browser Content Length BO Attempt 2

This vulnerability has not been assigned a Common Vulnerabilities and Exposures (CVE) identifier.

Rise in Rogue Antivirus Black hat SEO campaign (Mar 11, 2010)

SonicWALL UTM Research team monitored a big spike in the Rogue Antivirus Black hat Search Engine Optimization (SEO) campaign targeting Google hot search terms recently. More details about Rogue Antivirus using SEO to infect users can be found here.

The spike was observed during the weekend of the most anticipated event – 82nd Annual Academy Awards which usually draws huge public interest in searching for news related to it. This SEO poisoning trend targeting Oscar related searches continued until March 10, 2010.

The following Oscar-related search terms, which featured in the Top 20 hot searches, were among the most targeted:

  • “printable oscar ballot”
  • “academy awards 2010 time”
  • “oscar ballot 2010 printable”
  • “oscars 2010 date and time”
  • “what time does the oscars start”
  • “oscars 2010 tv schedule”
  • “oscars channel”
  • “what time do the oscars start 2010”
  • “sandra bullock oscar acceptance speech”
  • “elinor burkett oscars”
  • “oscar winners 2010 list”
  • “judd nelson oscars”
  • “sean penn oscars 2010”
  • “worst dressed oscars 2010”
  • “john hughes oscar tribute video”

The graph below highlights the spike observed since the weekend of March 6 – 7, 2010:

screenshot

SonicWALL Gateway AntiVirus (GAV) provides protection against these malicious websites serving Rogue AV via GAV: FakeAV#html_16 (Trojan) and GAV: FakeAV#html_17 (Trojan) signatures. SonicWALL GAV customers were protected against this recent spike as evident from the signature hits below:

screenshot

screenshot

MS IE Invalid Pointer Vulnerability (Mar 10, 2010)

Microsoft Internet Explorer is one of the most popular web browsers on the Internet. Internet Explorer is capable of rendering both static and dynamic web content, such as DHTML. It can also be used to download files, play multimedia content and open different file formats using various plug-ins.

Dynamic HTML, or DHTML, is an umbrella term for a collection of technologies used together to create interactive and animated web sites by using a combination of a static markup language (such as HTML), a client-side scripting language (such as JavaScript), a presentation definition language (such as CSS), and the Document Object Model.

“DHTML behaviors” is one of the DHTML features, which is supported by Internet Explorer. It enhances an HTML element’s default behavior, for example, shows different icons when the mouse hovers over the element. DHTML behaviors can be applied to an HTML element via scripting or via Cascading Style Sheets (CSS). For example,

    h3 { behavior: url(#default#userData); }
    obj.style.behavior = "url('#default#userData')";
    object.addBehavior("#default#userData");

The userData behavior shown above is one of the DHTML behaviors. This behavior persists information across sessions by writing to a UserData store. The store provides a data structure that is more dynamic and has a greater capacity than cookies. With the userData behavior attached to an object, the default DHTML setAttribute and getAttribute methods are overridden by the class CPersistUserData to provide access to the userData store on the client machine. These methods provide storage and retrieval of persisted data.

A remote code execution vulnerability exists in Microsoft Internet Explorer. The flaw is due to an error in the CPersistUserData::setAttribute() method. When an HTML object is assigned the #default#userData behavior, the vulnerable code overrides the default setAttribute method with CPersistUserData::setAttribute(). When the setAttribute method is invoked with a specific parameter, the vulnerable code stores the result and frees the object from memory. When Internet Explorer reloads the page or navigates to another page, it calls a method on the freed object, which may enable remote attackers to inject and execute arbitrary code.

SonicWALL UTM team has researched this vulnerability and created two IPS signatures to detect the attack attempts addressing this issue, as below:

  • 4836 MS IE Invalid Pointer Remote Code Execution Attempt 1
  • 4837 MS IE Invalid Pointer Remote Code Execution Attempt 2

SonicWALL UTM team has also released WAF signatures on SSL VPN devices, as below:

  • 1208 MS IE Invalid Pointer Remote Code Execution Attempt 1
  • 1209 MS IE Invalid Pointer Remote Code Execution Attempt 2

This vulnerability is referred to by Common Vulnerabilities and Exposures (CVE) as CVE-2010-0806. The vendor, Microsoft, has also released Microsoft Security Advisory (981374).

IBM IDS librpc.dll Buffer Overflow (Mar 5, 2010)

IBM Informix is a family of relational database management system (RDBMS) products. Informix Dynamic Server (IDS) is an online transaction processing data server. Numerous RPC services included in IDS are provided through the Portmapper facility. Portmapper is a service that runs on many Unix-based operating systems for the purpose of mapping SunRPC program numbers to network addresses. The Portmapper protocol uses the SunRPC message format, which includes an authentication mechanism. The RPC header has the following structure:

    Offset  Size  Description
    ------  ----  -----------------------------------
    0x00    4     XID
    0x04    4     Message Type: Call (0)
    0x08    4     RPC Version: 2
    0x0C    4     Program: Portmap (100000)
    0x10    4     Program Version: 2
    0x14    4     Procedure
    0x18    4     Credentials - Flavor
    0x1C    4     Credentials - Length
    0x20    x     Credentials - Structure

The layout of the Credentials Structure depends on the value of Credentials Flavor. Informix uses a proprietary Credentials Flavor identified by the value 0x753D. The structure of this proprietary authentication mechanism is not fully known; however, it is apparent that at least one string parameter, preceded by a value denoting its length, is expected.

There is a heap buffer overflow vulnerability in the RPC library of the IBM Informix Portmapper module, librpc.dll. The vulnerability is due to improper boundary checking of the string parameter in the Informix flavor credentials structure.

The vulnerable function checks the length of the included string against a maximum value. If the string length is larger than the maximum, it is incremented by a fixed value and used as the size of the buffer to be allocated. A copy operation then ensues which copies the entire string into the allocated buffer. If the supplied string length value is large enough that the increment wraps the integer around, an insufficient buffer is allocated, and critical memory is overwritten by the string copy operation.

An attacker can craft a malicious Portmapper RPC message which may exploit this flaw, leading to remote code execution in the context of the service.
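A parser for the call header tabulated above with a pre-allocation sanity check on the Informix credentials string, as an added example that is not IBM's or SonicWALL's code. The position of the length field inside the credentials body, the MAX_CRED_STRING cap and the sample messages are assumptions or constructed, since the alert only states that a length-prefixed string is present.

```python
import struct

PORTMAP_PROG = 100000
INFORMIX_FLAVOR = 0x753D      # proprietary credentials flavor named in the alert
MAX_CRED_STRING = 256         # assumed sane cap for the credentials string

def parse_rpc_call(msg: bytes) -> dict:
    """Parse the fixed 0x20-byte SunRPC call header laid out in the table above."""
    if len(msg) < 0x20:
        raise ValueError("short RPC header")
    xid, mtype, ver, prog, pver, proc, flavor, cred_len = struct.unpack(">8I", msg[:0x20])
    if mtype != 0:
        raise ValueError("not a Call message (type %d)" % mtype)
    if ver != 2:
        raise ValueError("unsupported RPC version %d" % ver)
    cred = msg[0x20:0x20 + cred_len]
    if len(cred) != cred_len:
        raise ValueError("credentials body truncated")
    return {"xid": xid, "prog": prog, "vers": pver, "proc": proc,
            "flavor": flavor, "cred": cred}

def check_informix_credentials(cred: bytes) -> str:
    """Classify an Informix-flavor credentials body before anything is allocated.

    Assumption: the body starts with a 4-byte big-endian string length followed
    by the string itself.
    """
    if len(cred) < 4:
        return "malformed: no length field"
    (slen,) = struct.unpack(">I", cred[:4])
    # A claimed length larger than the bytes actually present (which covers
    # the huge values that would wrap a fixed increment) must be rejected
    # before any buffer is sized from it.
    if slen > len(cred) - 4 or slen > MAX_CRED_STRING:
        return "suspicious: string length %d with %d bytes present" % (slen, len(cred) - 4)
    return "ok"

def classify(msg: bytes) -> str:
    hdr = parse_rpc_call(msg)
    if hdr["prog"] != PORTMAP_PROG or hdr["flavor"] != INFORMIX_FLAVOR:
        return "not an Informix-flavor Portmapper call"
    return check_informix_credentials(hdr["cred"])

def build_call(flavor: int, cred: bytes) -> bytes:
    """Constructed sample builder: a Portmap v2 call carrying the given credentials."""
    return struct.pack(">8I", 0x1234, 0, 2, PORTMAP_PROG, 2, 1, flavor, len(cred)) + cred

# Constructed samples: a well-formed credentials string and an oversized length.
BENIGN = build_call(INFORMIX_FLAVOR, struct.pack(">I", 5) + b"hello")
OVERSIZED = build_call(INFORMIX_FLAVOR, struct.pack(">I", 0xFFFFFFF0) + b"AAAA")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(name, "->", classify(sample))
```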

SonicWALL has an IPS signature deployed which detects and blocks generic attacks targeting the Portmapper service. The following IPS signature is effective protection against attacks targeting this vulnerability:

  • 2068 – Novell NetWare Portmapper BO Attempt

This vulnerability has been assigned the id CVE-2009-2753 by Mitre.

New Pushbot worm variant (Mar 2, 2010)

SonicWALL UTM Research team received reports of a new variant of the Pushbot worm spreading in the wild. This worm generally spreads through MSN Messenger and includes IRC-based backdoor capability to receive instructions from a remote server.

The new variant adds Yahoo Messenger as a propagation vector and sends localized messages based on the target user’s system language settings.

Installation:

  • Copies itself as winmbu.exe in %windir% directory.
  • Creates a mutex (SN5JSN868L) to ensure that only one instance of the application runs in the system.

The dropped file looks like this:

screenshot

Registry Changes:

    It modifies the following registry entry to ensure that the dropped copy of the malware starts on every system reboot:

    Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] Value: “Userinit”
    Original Data: “C:\WINDOWS\system32\userinit.exe,”
    Modified Data: “C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\winmbu.exe,”

    Adds the following registry entry to allow itself to pass through firewall restrictions:

    Key: [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] Value: “C:\WINDOWS\winmbu.exe”
    Data: “C:\WINDOWS\winmbu.exe:*:Enabled:Userinit”
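The Winlogon Userinit and Shell hijacks used by this worm, by the ZBot variant and by the Oficla sample in the alerts above all follow the same pattern, so this single added example (not SonicWALL's code) checks both values for anything beyond the default entry. The samples are constructed from the values quoted in those alerts, with the ZBot (Windows_System) placeholder expanded to a typical path; the live registry read runs only on Windows.

```python
import sys

# Expected single entry (by basename) for the two Winlogon values these alerts
# show being hijacked.  Userinit is a comma-separated program list; Shell is a
# command line that normally holds only the shell itself.
EXPECTED = {
    "Userinit": "userinit.exe",
    "Shell": "explorer.exe",
}

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

def _basename(entry: str) -> str:
    return entry.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()

def winlogon_anomalies(value_name: str, data: str) -> list:
    """Return whatever in a Winlogon value is not the expected default."""
    expected = EXPECTED[value_name]          # KeyError for unsupported values
    if value_name == "Userinit":
        entries = [e.strip() for e in data.split(",") if e.strip()]
        return [e for e in entries if _basename(e) != expected]
    # Shell: report any command appended after the shell as one item.
    tokens = [t for t in data.split() if _basename(t) != expected]
    return [" ".join(tokens)] if tokens else []

# Constructed samples built from the values quoted in the alerts above.
SAMPLES = [
    ("Userinit", r"C:\WINDOWS\system32\userinit.exe,"),                                  # clean
    ("Userinit", r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"),  # ZBot
    ("Userinit", r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\winmbu.exe,"),           # Pushbot
    ("Shell", "Explorer.exe rundll32.exe nnfj.tqo nhemkk"),                            # Oficla
]

def read_live_winlogon() -> list:
    """On Windows, read the real values with winreg and return their anomalies."""
    import winreg  # only available on Windows
    out = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        for name in EXPECTED:
            data, _ = winreg.QueryValueEx(key, name)
            out.append((name, winlogon_anomalies(name, data)))
    return out

if __name__ == "__main__":
    if sys.platform == "win32":
        rows = read_live_winlogon()
    else:
        rows = [(n, winlogon_anomalies(n, d)) for n, d in SAMPLES]
    for name, extra in rows:
        print("%-8s %s" % (name, "extra: " + ", ".join(extra) if extra else "clean"))
```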

Command & Control (C&C) Server connection:

    Upon successful installation, it tries to connect to a remote IRC server to receive further instruction:
    IRC Server: buri.burimche.net
    Port: 1234/tcp

    Backdoor Functionality:

    • Spread via instant messaging
    • Update itself
    • Remove itself
    • Download and execute files

IM Propagation:
This worm checks the system language setup of the target machine to determine which localized message it will send out to all the contacts.

    Localized languages used:

    • Czech
    • Danish
    • Dutch
    • English
    • Finnish
    • French
    • German
    • Italian
    • Norwegian
    • Polish
    • Portuguese
    • Romanian
    • Slovak
    • Spanish
    • Turkish

    Messages:

    • seen this?? 😀 [Malicious URL Link]
    • look at this picture 😀 [Malicious URL Link]
    • poglej to fotografijo 😀 [Malicious URL Link]
    • pogled na ovu fotografiju 😀 [Malicious URL Link]
    • min bild 😀 [Malicious URL Link]
    • foto 😀 [Malicious URL Link]
    • to fotografiu 😀 [Malicious URL Link]
    • uita-te la aceasta fotografie 😀 [Malicious URL Link]
    • kuvaa 😀 [Malicious URL Link]
    • bu resmi bakmak 😀 [Malicious URL Link]
    • olhar para esta foto 😀 [Malicious URL Link]
    • spojrzec na to zdjecie 😀 [Malicious URL Link]
    • dette bildet 😀 [Malicious URL Link]
    • pet 😀 [Malicious URL Link]
    • dette billede 😀 [Malicious URL Link]
    • vejte se na mou fotku 😀 [Malicious URL Link]
    • guardare quest’immagine 😀 [Malicious URL Link]
    • bekijk deze foto 😀 [Malicious URL Link]
    • schau mal das foto an 😀 [Malicious URL Link]
    • regardez cette photo 😀 [Malicious URL Link]

    A sample instant message sent by the worm looks like:

    screenshot

    SonicWALL Gateway AntiVirus provides protection against this worm via GAV: Pushbot.QM (Trojan) and GAV: Downloader.JMVS (Trojan) signatures.

A new settings file – Bredolab spam continues (Feb 26, 2010)

SonicWALL UTM Research team continued to monitor and provide protection against the ongoing Bredolab spam which switched to a new spam theme starting Wednesday, February 24, 2010. There has been a sharp increase in Bredolab spam campaigns since mid February 2010 as covered in our previous SonicAlert – New Bredolab spam campaigns and it was not any different this week.

SonicWALL has received more than 25,000 e-mail copies from the “new settings file” spam campaign. Like those of previous campaigns, the email messages carry a zip-archived attachment containing a new variant of the Bredolab Trojan executable. The sample e-mail format is shown below:

Campaign: A new settings file spam

Attachment: settings.zip (contains settings.exe)

Subject: A new settings file for the (random email address) has just be released

Email Body:
————————
Dear use of the (email domain) mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox (random email address) settings were changed. In order to apply the new set of settings open attached file.

Best regards, (email domain) Technical Support.
————————

The email messages look like:

screenshot

screenshot

SonicWALL has received more than 6 distinct variants of the settings.exe file so far. If the user downloads and executes these new Bredolab variants, they will further attempt to download FakeAV malware.

SonicWALL Gateway AntiVirus provides protection against this spam campaign via following signatures:

  • GAV: Bredolab.CE_2 (Trojan) [11,924,540 hits recorded starting Feb 20, 2010]
  • GAV: Bredolab.BK_2 (Trojan) [6,004,226 hits recorded starting Feb 26, 2010]
  • GAV: Bredolab.BK (Trojan) [471 hits recorded starting Feb 26, 2010]

screenshot

screenshot
