Posts

Symantec cliproxy ActiveX Control BO (Feb 26, 2010)

Symantec Antivirus and Symantec Client Security are applications designed to protect against the threat of viruses, malware, and other intrusion attempts. These applications use the Microsoft Windows COM framework to implement some of their functionality. This is done with ActiveX controls contained in the linked library Cliproxy.dll. The library provides the ActiveX control cliproxy.objects having the clsid E381F1C0-910E-11D1-AB1E-00A0C90F8F6F.
This control can be instantiated like all other ActiveX controls, with HTML or script code in a web page. Because the control is proprietary and undocumented, the details of its methods and properties are not known. One exposed method in particular provided by the control is SetRemoteComputerName. The method is defined as follows:

void SetRemoteComputerName(BSTR computer)

A vulnerability exists in the cliproxy.objects ActiveX control shipped with the Symantec Antivirus and Symantec Client Security applications. The flaw is caused by an improperly implemented boundary check in the SetRemoteComputerName method. When an overly long argument is passed to the affected method, a heap buffer may be overrun with user-supplied data, corrupting critical memory. A skilled attacker may exploit the flaw to inject and execute arbitrary code. The ActiveX control is marked safe for scripting on default installations, which opens up remote exploitation opportunities. The vulnerability has been assigned the id CVE-2010-0108 by Mitre. SonicWALL has released a generic IPS signature addressing this vulnerability. The following signature was released:

  • 3190 – Symantec CLIproxy.dll ActiveX SetRemoteComputerName Invocation

In addition to this targeted IPS signature, SonicWALL has numerous generic signatures that proactively catch exploit attempts addressing this, and other web client exploitation attempts.

New Zeus Botnet – Kneber (Feb 18, 2010)

The SonicWALL UTM Research team observed reports this morning of the Kneber Botnet, which has compromised over 75,000 systems worldwide, including those of government agencies. This is not a new Botnet but a standard Zeus Botnet that we covered in detail in one of our SonicAlerts last year – Zeus Trojan Family.

New variants of the Zeus Botnet appear constantly in the wild. The name Kneber comes from the user name associated with one of its controller domains, silence7.cn.

A look-up of this domain at http://whois.domaintools.com yields the following information, where the registrant's email address bears the last name ‘Kneber’, hence the name of this Botnet.

    Domain Name: silence7.cn
    ROID: 20091210s10001s86100640-cn
    Domain Status: ok
    Registrant Organization: Hilary
    Registrant Name: Hilary
    Administrative Email: hilarykneber@yahoo.com

    Name Server:free01.editdns.net
    Name Server:free02.editdns.net
    Registration Date: 2009-12-10 21:10
    Expiration Date: 2010-12-10 21:10

This new variant has the following characteristics, generic to the Zeus Botnet:

    File Creation:
    [System Folder]\sdra64.exe
    [System Folder]\lowsec
    [System Folder]\lowsec\local.ds
    [System Folder]\lowsec\user.ds

    Note: [System Folder] is the default Windows installation folder. Typically it is C:\Winnt\system32 for Windows 2000 and NT and C:\Windows\System32 for XP, Vista, and Windows 7.

    Registry Modification:
    This botnet modifies this registry entry to ensure its automatic execution on every Windows startup.

    Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    Value: “Userinit”
    Original Data: “C:\WINDOWS\system32\userinit.exe,”
    Modified Data: “C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\sdra64.exe,”

    Process Termination:
    This Botnet tries to terminate firewall applications so that it can run without interruption.

    • Outpost Firewall
    • Zone Alarm Firewall
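As an added example (not part of the original alert), the following Python checks an exported Winlogon key for the Userinit modification described above. The .reg export text is constructed, and C:\WINDOWS\system32\userinit.exe is assumed to be the only legitimate entry.

```python
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe"   # assumed stock value

# Constructed .reg export in the format "reg export" writes (REG_SZ values quoted,
# backslashes doubled), carrying the modified Userinit data from the alert above.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\System32\\sdra64.exe,"
"""

# "name"="data" lines; both sides may contain escaped quotes and backslashes.
_VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = _VALUE_LINE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def userinit_extras(data: str) -> list:
    """Return every Userinit entry other than the stock userinit.exe (case-insensitive)."""
    entries = [e.strip() for e in data.split(",") if e.strip()]
    return [e for e in entries if e.lower() != EXPECTED_USERINIT.lower()]


def check_export(text: str) -> list:
    """Flag extra Userinit entries in an exported Winlogon key; an empty list means clean."""
    winlogon = parse_reg_export(text).get(WINLOGON_KEY, {})
    return userinit_extras(winlogon.get("Userinit", ""))


if __name__ == "__main__":
    print("extra Userinit entries:", check_export(SAMPLE_REG_EXPORT))
```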

SonicWALL Gateway AntiVirus provides protection against this Botnet via the following GAV signatures:

  • GAV: Zbot.HNO (Trojan)
  • GAV: ZBot.gen (Trojan)
  • GAV: Zbot.AEZ (Trojan)
  • GAV: Zbot.ABC (Trojan)
  • GAV: Zbot.CMS (Trojan)
  • GAV: Zbot.RL (Trojan)
  • GAV: Zbot.IXC (Trojan)
  • GAV: Zbot.CFA (Trojan)
  • GAV: Zbot.gen.C (Trojan)
  • GAV: Zbot.ADFY_2 (Trojan)
  • GAV: Zbot.CA (Trojan)

screenshot

screenshot

Windows URL Validation Vulnerability (Feb 18, 2010)

A URL (Uniform Resource Locator) is a case insensitive string which has the following format:

: [ // ][ ] [ ? ] [ # ]

The Microsoft Windows operating system provides facilities to invoke different applications based on a URL. An application can be registered on a system to open a particular URL scheme, such as “mailto”, “nntp”, “telnet”, etc. When a user clicks a link with a scheme for which no application is registered, the Windows function ShellExecute() is called to directly handle the URL. The ShellExecute() functionality can be found in Windows Shell (shlwapi.dll) and Internet Explorer (ieframe.dll).

An input validation vulnerability exists in the ShellExecute() functionality. Specifically, the vulnerable code incorrectly parses the path section of a URL. When a URL contains a two byte character sequence #:, the vulnerable code incorrectly assumes the path is a valid drive. For example,

xyz://www.example.com#://../../C:/windows/system32/calc.exe

will make Windows run calc.exe.

Attackers can exploit this vulnerability by enticing a target user to click a link to a malicious URL; the link can exist in a web page or in a crafted document. Successful exploitation of this vulnerability would lead to arbitrary command execution. In the scenario where a malicious binary file is placed in a predictable location on the target system, this vulnerability can be exploited to execute arbitrary code with the privileges of the currently logged-in user.
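An added example, not from the original alert: a Python check that flags links whose fragment begins with ":" and carries a drive-letter path, the shape of the crafted URL above. The HTML sample and helper names are constructed for illustration; this is a triage heuristic for defenders, not the parsing logic inside shlwapi.dll.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# A drive-letter path inside the fragment, e.g. "C:/windows/system32/calc.exe".
_DRIVE_PATH = re.compile(r"[A-Za-z]:[/\\]\S*")
# href="..." / href='...' attribute values (simple extraction, constructed here).
_HREF = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def find_drive_path(url: str) -> Optional[str]:
    """Return the local drive path a URL smuggles after "#:", or None.

    The bug triggers on the two-byte sequence "#:", which in URL terms is a fragment
    starting with ":". Only such fragments that also contain a drive-letter path are
    flagged, so ordinary fragments (and text fragments like "#:~:text=...") pass.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if not parts.fragment.startswith(":"):
        return None
    m = _DRIVE_PATH.search(parts.fragment)
    return m.group(0) if m else None


def scan_html(html: str) -> list:
    """Return (href, drive_path) for every link in html whose fragment carries a drive path."""
    hits = []
    for href in _HREF.findall(html):
        path = find_drive_path(href)
        if path:
            hits.append((href, path))
    return hits


# Constructed sample page: an ordinary link, a text-fragment link, and the crafted URL above.
SAMPLE_HTML = """
<a href="http://www.example.com/index.html">home</a>
<a href="http://www.example.com/doc#:~:text=hello">quote</a>
<a href="xyz://www.example.com#://../../C:/windows/system32/calc.exe">click me</a>
"""

if __name__ == "__main__":
    for href, path in scan_html(SAMPLE_HTML):
        print(f"suspicious link {href!r} -> {path}")
```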

Microsoft has released Security Bulletin MS10-007 to address this issue. The CVE identifier for this vulnerability is CVE-2010-0027.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 3167 MS Windows URL Validation Remote Command Execution (MS10-007)

New Bredolab spam campaigns (Updated – Feb 12, 2010)

The SonicWALL UTM Research team has observed a sharp increase in Bredolab spam campaigns in the last two days. An earlier Bredolab spam campaign involving Facebook and MySpace, the first of 2010, was covered in the SonicAlert – Bredolab spam campaigns return in 2010.

SonicWALL has received more than 200,000 e-mail copies from these recent spam campaigns so far. The email messages in all of these spam campaigns carry a zip archive attachment which contains a new variant of the Bredolab Trojan executable. The sample e-mail format from each spam campaign is shown below:

Campaign #1 – Microsoft Outlook spam

Attachment: officexp-KB910721-FullFile-ENU.zip (contains officexp-KB910721-FullFile-ENU.exe)

Subject: Update for Microsoft Outlook / Outlook Express (KB910721)

Email Body:
————————
Brief Description
Microsoft has released an update for Microsoft Outlook / Outlook Express. This update is critical and provides you with the latest version of the Microsoft Outlook / Outlook Express and offers the highest levels of stability and security.

Instructions

* Install Update for Microsoft Outlook / Outlook Express (KB910721). To do this, follow these steps:
1. Run attached file officexp-KB910721-FullFile-ENU.exe
2. Restart Microsoft Outlook / Outlook Express

System Requirements

* Supported Operating Systems: Windows 2000; Windows 98; Windows ME; Windows NT; Windows Server 2003; Windows XP; Windows Vista

* This update applies to the following product: Microsoft Outlook / Outlook Express
————————

The email message looks like:

screenshot

Campaign #2 – Macbook Air spam

Attachment: winner.zip (contains winner.exe)

Subject: Congratulation !!!

Email Body:
————————
Congratulations!! You have won todays Macbook Air.
Please open attached file and see details.
————————

The email message looks like:

screenshot

Campaign #3 – Greeting Card Spam

Attachment: ecard.zip (contains ecard.exe)

Subject: You Have Received a Greeting Card

Email Body:
————————
To pick up your eCard, open attached file
Your card will be aviailable for pick-up beginning for the next 30 days.
————————

The email message looks like:

screenshot

Campaign #4 – Girlfriend Spam

Attachment: Me8541779.zip (contains Me8541779.exe)

Subject: Do you like to find a girlfriend like me ?

Email Body:
————————
Wish to have a boyfriend
Be able to protect me, take care of me
Intolerable lonely night and would like to have your care.
do you Willing ?

This is my photos.
————————

The email message looks like:

screenshot

Campaign #5 – Facebook Account Agreement Spam

Attachment: agreement.zip (contains agreement.exe)

Subject: updated account agreement

Email Body:
————————
Dear Facebook user,

Due to Facebook policy changes, all Facebook users must submit a new,
udpated account agreement, regardless of their original account start
date.
Accounts that do not submit the updated account agreement by the
deadline will have restricted.

Please unzip the attached file and run agreement.exe by double-clicking
it.

Thanks,
The Facebook Team
————————

The email message looks like:

screenshot

If the user downloads and executes these new Bredolab variants, they will further attempt to download FakeAV malware from a hard-coded IP address. SonicWALL has received more than 7 distinct Bredolab variants through these spam campaigns so far. The executable files inside the attachments look like this:

screenshot

SonicWALL Gateway AntiVirus provided proactive protection against the above spam campaigns with the following signatures:

  • GAV: Bredolab.CCK (Trojan) [2,622,667 hits recorded starting Feb 2, 2010]
  • GAV: Bredolab.SMP_2 (Trojan) [6,004,226 hits recorded starting Feb 4, 2010]
  • GAV: Bredolab.BY (Trojan) [1,143,060 hits recorded starting Feb 12, 2010]

screenshot

SMB Client Remote Code Execution (Feb 11, 2010)

Server Message Block (SMB, also known as Common Internet File System, CIFS) operates as an application-layer network protocol mainly used to provide shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network. It also provides an authenticated inter-process communication mechanism. All versions of Microsoft Windows ship with an implementation of SMB.

The messages sent from an SMB client to an SMB server are called Commands, while the messages sent from the server to the client are called Responses. A Microsoft Windows SMB server listens on TCP ports 139 and 445.

When a client wishes to engage in SMB communication with a server, the client will send an SMB NEGOTIATE Request message to the server and the server will respond with an SMB NEGOTIATE Response. An SMB NEGOTIATE Response message has the following structure:

Offset  Size   Field
--------------------------------
0x0000  BYTE   Word Count
0x0001  WORD   Dialect Index
0x0003  BYTE   Security Mode
0x0004  WORD   Max Mpx Count
0x0006  WORD   Max Number VCs
0x0008  DWORD  Max Buffer Size
0x000C  DWORD  Max Raw Size
0x0010  DWORD  Session Key
….(truncated)

After an SMB session has been established, the client can start sending other commands.

There exists a vulnerability within the Microsoft Windows SMB client implementation. Specifically, the Max Buffer Size value is assumed to be at least 32 (0x20) bytes, and the value is used to allocate a heap buffer. When the vulnerable code processes SMB NEGOTIATE Response messages, it copies data into this heap buffer without first verifying its size. A remote unauthenticated attacker can leverage this vulnerability by enticing the target user to connect to an SMB server, which will reply to SMB NEGOTIATE Request messages with crafted SMB NEGOTIATE Response messages.

Successful exploitation would allow the attacker to inject and execute arbitrary code with the privileges of “SYSTEM”. Unsuccessful exploitation would result in a system crash due to memory corruption.
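An added example, not from the original alert or any Microsoft code: a Python parser for the fixed prefix of the NEGOTIATE Response parameter block laid out above, which applies the size check the vulnerable client omitted. The sample parameter blocks are constructed; the little-endian field widths are taken from the table.

```python
import struct
from typing import NamedTuple

MIN_MAX_BUFFER_SIZE = 0x20   # the vulnerable client assumed at least this much (see above)


class NegotiateResponse(NamedTuple):
    word_count: int
    dialect_index: int
    security_mode: int
    max_mpx_count: int
    max_number_vcs: int
    max_buffer_size: int
    max_raw_size: int
    session_key: int


# Little-endian layout of the first 0x14 bytes of the parameter block, field for field from
# the offset table above: BYTE, WORD, BYTE, WORD, WORD, DWORD, DWORD, DWORD.
_LAYOUT = struct.Struct("<BHBHHIII")


def parse_negotiate_response(params: bytes) -> NegotiateResponse:
    """Parse the fixed prefix of an SMB NEGOTIATE Response parameter block."""
    if len(params) < _LAYOUT.size:
        raise ValueError(f"need {_LAYOUT.size} bytes, got {len(params)}")
    return NegotiateResponse(*_LAYOUT.unpack_from(params, 0))


def vet_negotiate_response(params: bytes):
    """Return (True, parsed) or (False, reason); a Max Buffer Size below 0x20 is rejected."""
    try:
        resp = parse_negotiate_response(params)
    except ValueError as exc:
        return False, str(exc)
    if resp.max_buffer_size < MIN_MAX_BUFFER_SIZE:
        return False, (f"Max Buffer Size {resp.max_buffer_size:#x} < {MIN_MAX_BUFFER_SIZE:#x}: "
                       "a vulnerable client would allocate too small a heap buffer")
    return True, resp


def build_params(max_buffer_size: int) -> bytes:
    """Construct a parameter block for exercising the parser (sample data, not captured traffic)."""
    # WordCount 17 (NT LM 0.12 response), dialect index 0, security mode 0x03, MaxMpx 50,
    # MaxVCs 1, MaxRaw 64 KiB, SessionKey 0; only Max Buffer Size varies.
    return _LAYOUT.pack(17, 0, 0x03, 50, 1, max_buffer_size, 0x10000, 0)


BENIGN_PARAMS = build_params(max_buffer_size=16644)   # a sane advertised size
CRAFTED_PARAMS = build_params(max_buffer_size=4)      # below the 0x20 the client assumed

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PARAMS), ("crafted", CRAFTED_PARAMS)):
        print(label, vet_negotiate_response(blob))
```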

Microsoft has released Security Bulletin MS10-006 to address this issue. The CVE identifier for this vulnerability is CVE-2010-0016.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 4791 MS Windows SMB Client Pool Corruption (MS10-006)

MS IE URI Redirection Information Disclosure (Feb 4, 2010)

Windows Internet Explorer (formerly Microsoft Internet Explorer) is one of the most widely used web browsers. The browser is capable of processing HTML, images, scripting languages, and various other popular Internet specifications.

URI schemes are one of the specifications supported by Internet Explorer. IE uses URI schemes to access resources at the specified paths. These URI schemes include http://, ftp://, mailto:, file://, and so on. For example, the following scheme can be referenced in any web page.

http:////

The file:// URI scheme is typically used to retrieve files from one’s own computer. This scheme, unlike many other URL schemes, does not designate a resource that is universally accessible over the Internet. It has the following format:

file:///

Where could be the following hierarchical directory:

/C$/my/directory/file.txt

Besides these specifications, Internet Explorer implements numerous security policies meant to prevent malicious actions by rendered resources. One policy enforced in popular browsers is the prevention of cross-site scripting (XSS). It is enforced specifically to stop one site from accessing potentially sensitive information from other active sessions, which may contain, among other things, authentication information. Furthermore, Internet Explorer groups websites into security zones with different access privileges. For instance, Intranet zone websites have higher privileges than Internet zone ones by default.

There is a security bypass vulnerability found in Microsoft Internet Explorer that could result in information disclosure as well as rendering of arbitrary files on the system as HTML content. Specifically, the vulnerability is due to improper processing of the file:// URI scheme during the web page redirection process. The vulnerable code does not properly validate the security zone before accessing the local files on the target client. If an attacker can predict the correct filename and path, it is possible for the attacker to access arbitrary files via a crafted web page.

SonicWALL UTM team has researched this vulnerability and released an IPS signature to detect and block generic attack attempts targeting this vulnerability. The following IPS signature has been released:

  • 3104 MS IE URI Redirection Security Bypass Attempt

This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0255.

WebLogic Node Manager Command Execution (Jan 27, 2010)

Oracle WebLogic Server is an enterprise-level application server for building and deploying enterprise Java EE applications. Node Manager is one of the Oracle WebLogic Server utilities; it starts, stops and restarts administration and managed server instances from a remote location. Node Manager is an optional component of the management system.

There are two versions of Node Manager: Java-based and script-based. Both use TCP port 5556 as the default listening port. However, the default installation of Node Manager accepts commands only from the local host, which decreases the risk of the server being attacked.

The Node Manager is designed to accept remote commands, for example:

  • HELLO
  • GETLOG
  • DOMAIN
  • GETNMLOG
  • GETSTATES
  • EXECSCRIPT
  • UPDATEPROPS

The EXECSCRIPT command can execute scripts on the target server. The default location of the scripts is:

C:\bea\wlserver_10.3\samples\domains\DOMAIN\bin\service-migration

A command execution vulnerability exists in Oracle WebLogic Server’s Node Manager utility. The vulnerability is due to insufficient access control when a client accesses the Node Manager utility through TCP port 5556. Specifically, the EXECSCRIPT command is exposed to the client pre-authentication. In addition, the vulnerable application does not validate the path supplied to the EXECSCRIPT command and may therefore execute commands or scripts outside of the default directory if the command path includes directory traversal characters such as “../”. A remote unauthenticated attacker can leverage this vulnerability to execute the following command by sending a crafted message to the vulnerable application.

EXECSCRIPT ../../../../../../../../Windows/System32/notepad.exe
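The following Python, added here and not Oracle's code, shows the path check the advisory says is missing: an EXECSCRIPT argument is resolved against the script directory and rejected unless it stays inside it. The directory is the default quoted above; ntpath is used so that Windows path rules apply on any host.

```python
import ntpath

# Default script directory quoted above; Windows path semantics via ntpath so this runs anywhere.
SCRIPT_DIR = r"C:\bea\wlserver_10.3\samples\domains\DOMAIN\bin\service-migration"


def resolve_script(requested: str, base_dir: str = SCRIPT_DIR) -> str:
    """Return the absolute script path if it stays inside base_dir; raise ValueError otherwise."""
    # Scripts are named relative to base_dir: refuse drive letters and rooted paths outright.
    if requested.startswith(("\\", "/")) or ntpath.splitdrive(requested)[0]:
        raise ValueError(f"absolute path not allowed: {requested!r}")
    base = ntpath.normpath(base_dir)
    candidate = ntpath.normpath(ntpath.join(base, requested))   # collapses any "../" hops
    base_cmp, cand_cmp = ntpath.normcase(base), ntpath.normcase(candidate)
    if cand_cmp == base_cmp or not cand_cmp.startswith(base_cmp + ntpath.sep):
        raise ValueError(f"path escapes script directory: {requested!r}")
    return candidate


def check_execscript(command_line: str):
    """Vet a raw 'EXECSCRIPT <path>' line; return (allowed, resolved_path_or_reason)."""
    verb, _, arg = command_line.strip().partition(" ")
    if verb.upper() != "EXECSCRIPT" or not arg.strip():
        return False, "not a well-formed EXECSCRIPT command"
    try:
        return True, resolve_script(arg.strip())
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for line in ("EXECSCRIPT migrate.cmd",
                 "EXECSCRIPT ../../../../../../../../Windows/System32/notepad.exe"):
        print(line, "->", check_execscript(line))
```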

SonicWALL has released an IPS signature to detect and block generic attack attempts targeting this vulnerability. The following signature has been released:

  • 1106 Oracle WebLogic Server Node Manager Command Execution

This vulnerability has not been assigned a Common Vulnerabilities and Exposures (CVE) identifier.

Oracle Secure Backup Buffer Overflow (Jan 22, 2010)

Oracle Secure Backup is a centralized tape backup management suite. It comprises a server that allows an administrator to centrally manage data on network-attached storage devices and distributed multi-platform hosts. The transfer of data to and from its host systems is SSL encrypted in order to prevent unauthorized hosts from participating in the procedure.

Oracle Secure Backup uses the NDMP protocol to administer and perform backup tasks for all clients. The NDMP server, implemented by the binary executable observiced.exe, listens on TCP port 10000 by default. Upon a client connection, the NDMP server performs a reverse DNS lookup of the client host’s IP. After the client’s domain name is determined, communication with the client over the NDMP connection ensues.

The reverse DNS lookup is implemented through standard networking libraries, which results in a regular UDP DNS message exchange over port 53. A DNS message consists of a 12 byte header and multiple Resource Records (RR), which are in turn classified as Question RR, Answer RR, Authority RR, and Additional RR.

A vulnerability exists in some versions of Oracle Secure Backup. It is due to insufficient string length checks on the domain name fields in reverse DNS lookup responses. Exploitation of the flaw manifests itself as a stack buffer overflow. Internally, the affected code copies the client-supplied domain name string to a fixed-size buffer without verifying its length beforehand. An overly long DNS domain name string could overrun the destination buffer, corrupting critical data on the stack. Consequently, this may lead to the diversion of the process flow of the vulnerable server. Remote unauthenticated attackers could exploit this vulnerability by initiating a connection to the NDMP server and supplying a malicious DNS response. This type of attack is trivial to execute; however, numerous timing conditions must be met for successful exploitation. The attacker must be able to spoof a DNS response that is accepted by the target server.

Successful exploitation allows for the injection and execution of arbitrary code on the target server. An unsuccessful attack could terminate the affected service.
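An added example, not from the original alert or Oracle Secure Backup: a bounded DNS name decoder and a PTR-reply checker in Python that enforce the RFC 1035 label and name limits before any copying, the check the advisory describes as missing. The reply bytes are constructed with the builder in the block, not captured traffic.

```python
import struct

MAX_LABEL_LEN, MAX_NAME_LEN = 63, 255   # RFC 1035 limits on labels and wire-format names
TYPE_PTR, CLASS_IN = 12, 1


def read_name(msg: bytes, offset: int):
    """Decode a DNS name at offset with length limits enforced; return (name, next_offset).

    Raises ValueError on oversized or malformed names: the check the affected code
    omitted before copying the name into a fixed-size stack buffer.
    """
    labels, wire_len, end = [], 0, None
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            target = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            if target >= offset:                       # must point backwards, so no loops
                raise ValueError("bad compression pointer")
            end = offset + 2 if end is None else end   # caller resumes after the first pointer
            offset = target
            continue
        if length > MAX_LABEL_LEN:
            raise ValueError(f"label of {length} bytes exceeds {MAX_LABEL_LEN}")
        offset += 1
        wire_len += 1 + length
        if wire_len > MAX_NAME_LEN:
            raise ValueError(f"name exceeds {MAX_NAME_LEN} bytes on the wire")
        if length == 0:                                # root label ends the name
            return ".".join(labels), end if end is not None else offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def vet_ptr_response(msg: bytes):
    """Parse a reverse-lookup reply; return (True, [PTR names]) or (False, reason)."""
    try:
        _, _, qdcount, ancount, _, _ = struct.unpack_from("!6H", msg, 0)
        off = 12
        for _ in range(qdcount):
            off = read_name(msg, off)[1] + 4           # skip QNAME, QTYPE, QCLASS
        names = []
        for _ in range(ancount):
            off = read_name(msg, off)[1]
            rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            if rtype == TYPE_PTR:
                name, rend = read_name(msg, off)
                if rend != off + rdlen:
                    raise ValueError("PTR RDATA length mismatch")
                names.append(name)
            off += rdlen
        return True, names
    except (ValueError, struct.error) as exc:
        return False, str(exc)


def encode_name(name: str) -> bytes:
    """Wire-encode a name with no limit checks, so that oversized test inputs can be built."""
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.split(".")) + b"\x00"


def build_ptr_response(qname: str, target: str, txid: int = 0x1234) -> bytes:
    """Build a minimal one-answer PTR reply (constructed sample data, not captured traffic)."""
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_PTR, CLASS_IN)
    rdata = encode_name(target)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, 3600, len(rdata)) + rdata
    return header + question + answer
```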

SonicWALL has released an IPS signature that addresses this issue. The following signature has been released:

  • 1054 – Malicious DNS Response Traffic

Mitre has assigned this vulnerability the ID CVE-2010-0072.

Updated BlackEnergy DDoS Botnet kit (Jan 18, 2010)

BlackEnergy is a popular web-based DDoS (Distributed Denial of Service) botnet kit originally written by a member of a Russian hacking group. It has been in development for quite some time now, and in the latter part of last year we saw this botnet evolve from targeting websites for DDoS attacks to include a plugin architecture that allows spamming e-mails and facilitates online banking fraud.

This botnet kit comes as a package that usually resides on the C&C server of the botnet owner. It contains the following malicious files:

  • builder.exe (v 1.9.2) detected as GAV: BlackEnergy.A (Trojan)
  • calc.exe – detected as GAV: Crypted_2 (Trojan)
  • crypt.exe – detected as GAV: Crypted_2 (Trojan)

The builder.exe is responsible for building the dropper.exe (botnet client) file that carries the payload for this botnet. This file usually arrives on the system when downloaded by unsuspecting users from gaming websites or forums.

A screenshot of the builder.exe is shown below:

screenshot

Once executed, this botnet client will install its rootkit component to hide its presence from the user and the main dll component responsible for loading the plugins. After installation, the botnet client phones home to its server and waits for additional commands.

The botnet server can issue the following commands to the client:

  • rexec – download and execute a remote file
  • lexec – execute a local command using cmd.exe
  • die – uninstall BlackEnergy Botnet
  • upd – download and install a remote update
  • setfreq – change the phone-home interval of the trojan

This botnet utilizes DDoS plugins to launch ICMP, SYN, UDP and HTTP floods against designated targets. It may also employ a spam plugin and an online banking fraud plugin. The banking plugin we have seen is capable of stealing banking credentials from an infected computer by injecting an embedded sub-module into the following browser processes:

  • iexplore.exe
  • firefox.exe
  • flock.exe
  • opera.exe
  • java.exe

The banking plugin may also be paired with another DLL module, kill.dll, that is capable of destroying the filesystem of the infected system by overwriting the first 4,096 clusters of the disk with random data. It also attempts to delete the files “ntldr” and “boot.ini” from the root of the filesystem, rendering the Windows system unreadable and unbootable.

The screenshot below shows the control page of the C&C server when issuing commands to the bot clients:

screenshot

screenshot

This Trojan is also known as Backdoor:Win32/Phdet.D [Microsoft], Win32:Blackenergy [Trj] [Avast] and DoS.Win32.BlackEnergy.a [Kaspersky].

SonicWALL has multiple signatures protecting users from this botnet, including:

  • GAV: BlackEnergy.A (Trojan)
  • GAV: Kbot.S_3 (Trojan)
  • GAV: Crypted_2 (Trojan)
  • GAV: Inject.GF_2 (Trojan)
  • GAV: Rustok.H (Trojan)
  • GAV: Agent.KJA (Trojan)
  • GAV: Rustok.D (Trojan)
  • GAV: Rustok.DV (Trojan)

screenshot

screenshot

Comele – New IE zero-day exploit (Jan 15, 2010)

The SonicWALL UTM Research team found reports of a new zero-day vulnerability (CVE-2010-0249) in Internet Explorer DOM operations that leads to arbitrary code execution. The vulnerability exists in the way Internet Explorer handles certain DOM operations, which allows access to an invalid pointer after an object has been deleted. Successful exploitation of this vulnerability allows remote code execution.

This vulnerability was supposedly part of the targeted attack campaign used against Google, Adobe and other major companies that was reported by Google. Microsoft has acknowledged this issue in their security advisory and is currently investigating the vulnerability.

The SonicWALL UTM Research team got hold of a zero-day exploit for this vulnerability: a specially crafted web page containing heavily encoded malicious JavaScript code. This exploit functions on any version of Internet Explorer with JavaScript enabled and Data Execution Prevention (DEP) disabled. A decoded version of the malicious page can be seen below:

screenshot

If the exploit succeeds in exploiting the vulnerability, it attempts to download and execute a malicious executable via an HTTP connection to the following URL:

  • http://demo1.ftp(REMOVED)/ad.jpg [ Detected as GAV: Roarur.DR (Trojan) ]

The downloaded malware executable is a Trojan dropper that performs the following activities on the victim machine:

  • Drops another Trojan as (Windows System)\Rasmon.dll [ Detected as GAV: Roarur.DLL (Trojan) ]
  • Injects the dropped Trojan Rasmon.dll into the address space of svchost.exe and starts a new service ‘UpsMYi’
  • Performs registry modifications:
    • HKLM\SYSTEM\ControlSet001\Services\RaS7BL8\Parameters\ServiceDll = “%System%\rasmon.dll”
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RaS7BL8\ImagePath = “%System%\svchost.exe -k netsvcs”

There is no patch currently available from Microsoft and the only way to mitigate this vulnerability is by setting IE’s Internet zone security to high. Microsoft may release an out-of-band patch for this threat outside of the normal monthly patch cycle.

SonicWALL Gateway AntiVirus provides protection against this threat via GAV: Comele (Exploit) signature.