Posts

Adobe Flash 0-day exploit (July 22, 2009)

SonicWALL UTM Research team found reports of a new 0-day vulnerability (CVE-2009-1862) in Adobe Flash Player v9 and v10 being exploited in the wild via malicious drive-by sites.

The exploit is being actively served in the wild via the following URL, which is found injected into pages of infected websites:

  • sorla.us/(REMOVED)x/mail.asp

The above page only loads when the request carries a valid Referer header containing the URL of one of the infected pages. The active server page contains script that identifies the user's browser environment and, based on that, loads one of the following pages:

  • If the browser is not Internet Explorer: iframe URL sorla.us/(REMOVED)x/ff.html
  • If the browser is Internet Explorer and has the Flash ActiveX control installed: iframe URL sorla.us/(REMOVED)x/ie.html
  • If the browser is Internet Explorer and the script cannot create a valid Flash ActiveX object: iframe URL sorla.us/(REMOVED)x/mpg.html

The code snippet can be seen below:

screenshot

In the first two cases, ff.html and ie.html contain JavaScript to download and run a malicious Shockwave Flash file that exploits the 0-day vulnerability in Adobe Flash Player:

  • sorla.us/(REMOVED)x/xp.swf [Detected as GAV: Pidief_2 (Exploit)]

It also downloads an XORed Backdoor Trojan executable from the following URL:

  • sorla.us/(REMOVED)x/xor.gif [Detected as GAV: Agent.ROX (Trojan)]

A screenshot of the 0-day exploit in action, crashing the Flash Player object and the browser, can be seen below:

screenshot

In the third case, the mpg.html page contains JavaScript that further checks for the presence of specific host AntiVirus software from Kaspersky and McAfee. If no such AntiVirus software is present, it tries to exploit the Microsoft DirectShow msvidctl vulnerability.

The code snippet for the AntiVirus presence check can be seen below:

screenshot

SonicWALL Gateway AntiVirus provides protection against this threat via GAV: Pidief (Exploit), GAV: Pidief_2 (Exploit), GAV: Pidief_3 (Exploit) and GAV: Agent.ROX (Trojan) signatures.

WebLogic Console Help Interface XSS (July 23, 2009)

Oracle WebLogic Server is a multi-tier Java Application Server platform. In a two- or three-tier application architecture, a web server receives forms or HTTP requests and passes them to application servers, which perform the actual processing. To reduce management complexity in large installations, WebLogic Servers are grouped into domains. There is a single Administration Server for each domain, which is itself an instance of a WebLogic Server. By default, the Administration Server listens on TCP port 7001.

The Administration Server is managed using the Administration Console. The Administration Console includes tools and a Console Help interface. Administrators can use the Console Help interface to search documents on a desired topic. A typical search query looks like:

http://[hostname]:7001/consolehelp/console-help.portal?_nfpb=true&_pageLabel=ConsoleHelpSearchPage&searchQuery=[topic to search]

A cross-site scripting vulnerability exists in Oracle WebLogic Server. Specifically, the vulnerability is in the Administration Console Help interface. The vulnerable code does not properly validate the searchQuery value before using it to construct the response page. By sending a crafted searchQuery value to the Console Help interface, an attacker could inject arbitrary HTML or script code into the Administration Server's response. The injected HTML or script code is then sent by the server in its response to the client and executed in the security context of the client's browser.

Successful exploitation would allow the attacker to steal the target user's private information, such as the username, password and session cookie. The attacker may use these credentials to gain full access to the administrator's account and the underlying WebLogic Server.

The vulnerability has been assigned as CVE-2009-1975.

SonicWALL has released an IPS signature that will detect and prevent attacks targeting this vulnerability. The signature to address this vulnerability is:

  • 1185 XSS Oracle WebLogic Server console-help.portal XSS Attempt

Fake Invoice – ZBot Downloader (July 16, 2009)

SonicWALL UTM Research team saw a new spam campaign pretending to contain a debt invoice, starting July 16, 2009. The spammed e-mail message is in Spanish and contains a fake invoice attachment, which is in fact a new ZBot Downloader Trojan.

English Translation of the e-mail:

Attachment: Factura66.zip (contains Factura66.doc [multiple spaces] .exe)

Subject: Outstanding debt

Email Body:
————————
Please note that an invoice is outstanding.
————————

The executable file inside the zip attachment has an icon disguised as a Microsoft Word document and looks like the following:

screenshot

The original e-mail message looks like:

screenshot

When executed, the Downloader Trojan performs the following activity:

  • Drops a copy of itself as (User Local Settings)\Temp\svchost.exe
  • Modifies the Registry entry – HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: “Explorer.exe (User Local Settings)\Temp\svchost.exe”
  • Executes the dropped file svchost.exe and transfers control to it
  • Checks for Internet connectivity by sending a specific GET request to macromedia.com (with User-Agent: chek)
  • Downloads a new ZBot variant from the URL:
    • www.blondiespizzasunriver.com/images/logot.jpg [Detected as GAV: Zbot.JF_10 (Trojan)]
  • Executes the new ZBot variant

The new ZBot variant performs the following activity:

  • Creates multiple files:
    • (SYSTEM32)\lowsec\local.ds
    • (SYSTEM32)\lowsec\user.ds
    • (SYSTEM32)\lowsec\user.ds.lll
    • (SYSTEM32)\sdra64.exe
  • Modifies the Registry entry – HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: “(SYSTEM32)\userinit.exe,(SYSTEM32)\sdra64.exe,”
  • Attempts to download an encrypted configuration file from the URL:
    • www.monozoro.net/images/swf5.bin
  • Further attempts to download a new update of ZBot binary from the URL:
    • www.stuffedchocolate.com/logo.exe [Detected as GAV: Zbot.JF_10 (Trojan)]

The Downloader Trojan is also known as Win32/TrojanDownloader.Delf.OVB trojan [ESET], Trojan-Spy:W32/Zbot.OWF [F-Secure], and Trojan.Win32.Regrun [IKARUS].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Regrun.DGJ (Trojan), GAV: Zbot.JF_10 (Trojan) and GAV: Zbot.TE (Trojan) signatures.

MS Office Web Components ActiveX BO (July 13, 2009)

A zero-day vulnerability affecting the Microsoft Office Web Components ActiveX controls was published today. The flaw exists in the controls used by IE to display Excel spreadsheets. Exploitation requires enticing the target user to navigate to a malicious web page, although this can be largely automated. It is reported that exploitation of this flaw resulting in process flow diversion is fairly reliable, and the vulnerability is being actively exploited in the wild.

The affected ActiveX controls are not installed by default on any Windows platform; however, they do come bundled with the popular MS Office application suite and some select server applications. This makes for a very large base of affected users.

The CLSIDs of the affected controls are:

  • 0002E541-0000-0000-C000-000000000046
  • 0002E559-0000-0000-C000-000000000046

The affected controls can also be instantiated through scripting by ProgID:

  • OWC10.Spreadsheet
  • OWC11.Spreadsheet

Microsoft has listed workarounds to prevent possible exploitation in a security bulletin. This vulnerability has been assigned a CVE id of CVE-2009-1136.

SonicWALL has written and released four IPS signatures that will detect and block generic attack attempts and two GAV signatures that detect specific exploits.

The following IPS signatures have been released to address this vulnerability:

  • 1014 – MS Office Web Components ActiveX Instantiation 1
  • 1016 – MS Office Web Components ActiveX Instantiation 2
  • 1023 – MS Office Web Components ActiveX Instantiation 3
  • 1024 – MS Office Web Components ActiveX Instantiation 4

The following GAV signatures have been released to address this vulnerability:

  • ScriptUE
  • OWCref.A

Microsoft Video Control Buffer Overflow (July 7, 2009)

SonicWALL UTM Research team is tracking a new 0-day exploit within the msVidCtl component of Microsoft DirectShow that is actively being exploited through drive-by attacks using thousands of newly compromised web sites.

Microsoft DirectShow is a multimedia framework and API; it is the replacement for Microsoft’s earlier “Video for Windows” technology. DirectShow provides a common interface for media across many programming languages, and is an extensible, filter-based framework that can render or record media files on demand.

Microsoft DirectShow exposes a number of ActiveX controls for developers. The binary code of these ActiveX controls is encapsulated in the dynamic link library msvidctl.dll. These ActiveX controls were not intended to be exposed for the purposes of web development; however, a web page can force one to load in an HTML document.

A stack buffer overflow vulnerability exists in ProgramID “BDATuner.MPEG2TuneRequest” and ClassID “0955AC62-BF2E-4CBA-A2B9-A63F772D46CF”, which is hosted by msvidctl.dll. Specifically, the application extracts a 4-byte integer value at file offset 0x06 of a GIF image; the application then uses it as the Data Size to copy file data into a stack buffer without performing boundary checks. Opening a specially crafted GIF file in the ActiveX control will overflow the stack buffer, potentially overwriting critical process data such as function return addresses and SEH pointers.

Remote attackers could exploit this vulnerability by enticing a target user to visit a maliciously crafted webpage. Successful exploitation would lead to arbitrary code execution in the security context of the logged in user, or terminate the application resulting in a Denial of Service condition. The other CLSIDs and ProgramIDs that are hosted by library msvidctl.dll might be vulnerable as well.

SonicWALL has released several GAV and IPS signatures to detect and prevent specific exploitation attempts targeting this vulnerability. The signatures are listed below:

GAV:

  • 37926 – DirectShow_Msvidctl (Exploit)

screenshot

IPS:

  • 3015 – MS Video (msvidctl.dll) ActiveX Control Instantiation 1
  • 3016 – MS Video (msvidctl.dll) ActiveX Control Instantiation 2
  • 3017 – MS Video (msvidctl.dll) ActiveX Control Instantiation 3
  • 3018 – MS Video (msvidctl.dll) ActiveX Control Instantiation 4
  • 3020 – MS Video (msvidctl.dll) ActiveX Control Instantiation 5
  • 3031 – MS Video (msvidctl.dll) ActiveX Control Instantiation 6
  • 3032 – MS Video (msvidctl.dll) ActiveX Control Instantiation 7
  • 3034 – MS Video (msvidctl.dll) ActiveX Control Instantiation 8
  • 3035 – MS Video (msvidctl.dll) ActiveX Control Instantiation 9
  • 3036 – MS Video (msvidctl.dll) ActiveX Control Instantiation 10
  • 3038 – MS Video (msvidctl.dll) ActiveX Control Instantiation 11
  • 3047 – MS Video (msvidctl.dll) ActiveX Control Instantiation 12
  • 3053 – MS Video (msvidctl.dll) ActiveX Control Instantiation 13
  • 3055 – MS Video (msvidctl.dll) ActiveX Control Instantiation 14
  • 3056 – MS Video (msvidctl.dll) ActiveX Control Instantiation 15
  • 3060 – MS Video (msvidctl.dll) ActiveX Control Instantiation 16
  • 3061 – MS Video (msvidctl.dll) ActiveX Control Instantiation 17
  • 3062 – MS Video (msvidctl.dll) ActiveX Control Instantiation 18
  • 3063 – MS Video (msvidctl.dll) ActiveX Control Instantiation 19
  • 3064 – MS Video (msvidctl.dll) ActiveX Control Instantiation 20
  • 3065 – MS Video (msvidctl.dll) ActiveX Control Instantiation 21
  • 3068 – MS Video (msvidctl.dll) ActiveX Control Instantiation 22
  • 3074 – MS Video (msvidctl.dll) ActiveX Control Instantiation 23

Some of the domains that are exploiting the new IE-0day as well as secondary domains that are hosting potentially malicious binaries utilized in these attacks are listed below. DO NOT VISIT THEM!

See the Internet Storm Center blog entry for an up-to-date list.

Apple iTunes Buffer Overflow (July 2, 2009)

A URL (Uniform Resource Locator) specifies the parameters of a request for a resource. Typically, a URL is composed of the following components:

<scheme>://[<user>:<password>@]<host>[:<port>][/<path>]

For example:

http://www.example.com:8080/pub/afile.txt

Apple iTunes is a multimedia player that supports a wide range of media formats. When iTunes is installed, it registers itself with the host Operating System as a protocol handler for several application URL schemes.

A buffer overflow vulnerability exists in iTunes. The vulnerability is due to a boundary error when parsing URLs containing iTunes-specific schemes such as iTunes Music Store Protocol (itms://), Podcast (itpc://) and Digital Audio Access Protocol (daap://). Specifically, the application copies the port value from a URL into a fixed-size (256-byte) stack buffer without performing boundary checks. If the URL contains an overly long port string, it will overflow the stack buffer, potentially overwriting critical process data such as function return addresses and SEH pointers.

Remote attackers could exploit this vulnerability by persuading a target user to open a specially crafted URL, causing a stack-based buffer overflow. Successful exploitation would lead to arbitrary code execution in the security context of the logged in user, or terminate the application resulting in a Denial of Service condition.
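The check below is an added example, not code from Apple or SonicWALL: it splits a URL into the components listed above and, for the itms, itpc and daap schemes, classifies the port component against the 256-byte buffer the text describes. The regular expression and the verdict labels are this example's own assumptions; real handler input would also need percent-decoding before the length is judged.

```python
import re
from dataclasses import dataclass
from typing import Optional

PORT_BUFFER = 256                 # size of the fixed stack buffer named in the text
ITUNES_SCHEMES = {"itms", "itpc", "daap"}

# <scheme>://[<user>:<password>@]<host>[:<port>][/<path>], the template above.
# The port group deliberately accepts any non-delimiter bytes so that an
# oversized or non-numeric port is captured rather than rejected up front.
_URL_RE = re.compile(
    r"^(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://"
    r"(?:(?P<user>[^:@/]*)(?::(?P<password>[^@/]*))?@)?"
    r"(?P<host>[^:/?#]*)"
    r"(?::(?P<port>[^/?#]*))?"
    r"(?P<path>/[^?#]*)?"
)


@dataclass
class UrlCheck:
    scheme: str
    host: str
    port: Optional[str]
    verdict: str   # "ok", "not-itunes", "malformed" or "suspicious"


def check_itunes_url(url: str) -> UrlCheck:
    """Classify a URL handed to an iTunes protocol handler.

    "suspicious" means the port component alone would fill or overrun the
    256-byte buffer; "malformed" means it is not a valid TCP port but is too
    short to overflow; "ok" means the URL looks like a normal iTunes link.
    """
    m = _URL_RE.match(url)
    if not m:
        return UrlCheck("", "", None, "malformed")
    scheme = m.group("scheme").lower()
    host, port = m.group("host"), m.group("port")
    if scheme not in ITUNES_SCHEMES:
        return UrlCheck(scheme, host, port, "not-itunes")
    if port is not None:
        # Length is judged before content: 256 bytes of digits overflow just as
        # 256 bytes of letters do, so the numeric test comes second.
        if len(port) >= PORT_BUFFER:
            return UrlCheck(scheme, host, port, "suspicious")
        if not port.isdigit() or int(port) > 65535:
            return UrlCheck(scheme, host, port, "malformed")
    return UrlCheck(scheme, host, port, "ok")


if __name__ == "__main__":
    # Constructed samples: a normal store link and an oversized port string.
    for sample in ("itms://phobos.example.com:8080/WebObjects/MZStore.woa",
                   "daap://music.example.com:" + "A" * 300 + "/"):
        result = check_itunes_url(sample)
        print(result.verdict, result.scheme, result.host, (result.port or "")[:16])
```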

The vulnerability has been assigned as CVE-2009-0950.

SonicWALL has released several IPS signatures to detect and block specific exploitation attempts targeting this vulnerability. The signatures are listed below:

  • 3013 – Apple iTunes DAAP Handler BO Attempt
  • 3808 – Apple iTunes ITMS Handler BO Attempt
  • 3836 – Apple iTunes ITMS Handler BO Attempt 2
  • 3840 – Apple iTunes ITPC Handler BO Attempt

Michael Jackson Video Trojan (June 26, 2009)

SonicWALL UTM Research team observed a new Trojan Downloader – Adload.LI (Trojan) being spammed in the wild starting June 26, 2009. The spammed emails pretend to contain links to unseen videos and pictures of the late Michael Jackson.

The link in the spammed e-mail points to a well-known radio broadcasting station website hosted in Australia. At the time of writing this alert, the link was still live and serving the malicious file:

  • www.beatzradio(REMOVED).Jackson_videos_fotos.php

The file is downloaded as Michael.Jackson.videos.scr and has an icon disguised as an MPEG video file, as seen below:

screenshot

Screenshot of a download prompt from the well-known website is shown below:

screenshot

When executed, the Trojan Downloader performs the following activity:

  • Creates a Mutex Object _!SHMSFTHISTORY!_ to mark its presence on the system
  • Opens a legitimate website showing a news article related to Michael Jackson in Internet Explorer, as seen below:
    screenshot
  • Attempts to download malicious files from the anella2009.dominiotemporario.com domain:
    • GET /ba/foto.dll – saved as (Windows)\Dynamic.dll (GAV: Banker.N (Trojan))
    • GET /ba/michael.gif – saved as (System)\fotos.exe (GAV: Banspy.F (Trojan))
    • GET /ba/kproces.gif – saved as (System)\kproces.exe (GAV: Banbra.NOR (Trojan))
  • Runs the files downloaded above.

This Trojan is also known as TrojanDownloader:Win32/VB.LI [Microsoft] and Trojan-Downloader.Win32.Adload [Ikarus].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Adload.LI (Trojan) signature.

CA Backup Message Engine DoS (June 25, 2009)

The CA ARCserve Backup products offer data protection for distributed servers, clients, databases and applications. They offer centralized control over backup and restore operations among other services.

CA ARCserve Backup Message Engine is one of the services provided by the BrightStor ARCserve Backup products. The engine accepts DCE-RPC messages on port TCP/6503 by default. DCE-RPC messages exchanged on that port have the following common format:

 Offset  Size  Description
 ------  ----  ----------------------------------
 0x0000  1     Major Version, 0x05
 0x0001  1     Minor Version, 0x00
 0x0002  1     Packet Type, 0 for Request Packet
 0x0003  1     Packet Flags, 0x80 for UUID set
 0x0004  4     Data Representation
 0x0008  2     Frag Length, N
 0x000A  2     Auth Length
 0x000C  4     Call ID
 0x0010  N-16  type-specific data

A type 0 packet (request) has the following format inside the type-specific data portion:

 Offset  Size  Description
 ------  ----  ----------------------------------
 0x0000  4     Alloc hint
 0x0004  2     Context ID
 0x0006  2     opcode
 0x0008  N-24  Stub Data

The opcode field represents the RPC operation number. The Stub Data field contains the arguments passed to the called RPC method. The structure of the Stub Data field is opcode specific and in this case defined by the vendor, CA. It has been determined that RPC messages having opcode 0x13 have the following structure:

 long (
     [in] long arg_1,
     [in] short arg_2,
     [in][size_is(65536), length_is(65536)] char * arg_3,
     [in] long arg_4,
     [out] long * arg_5
 );

A denial of service vulnerability exists in the CA ARCserve Backup Message Engine. The vulnerability is due to insufficient checks on user-supplied parameters when handling opcode 0x13 RPC messages. When both arg_1 and arg_4 are set to 1, and arg_3 is a string 65536 characters long, the vulnerable code ends up dereferencing a null pointer. That causes a memory access violation which results in the termination of the CA ARCserve Backup Message Engine. This attack may be performed by unauthenticated remote users.
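The parser and check below are an added example, not CA's or SonicWALL's code: they decode a request PDU laid out as in the two tables above and flag opcode 0x13 calls whose stub is large enough to carry the 65536-byte arg_3. It goes one step beyond the tables in two places that matter for a real decoder: the 16-byte object UUID that follows the opcode when flag 0x80 is set, and the 8-byte security trailer that precedes the auth value when Auth Length is non-zero. The alloc-hint threshold is this example's own heuristic, not the logic of the IPS signature.

```python
import struct
from dataclasses import dataclass

PTYPE_REQUEST = 0x00
PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
PFC_OBJECT_UUID = 0x80      # "Packet Flags, 0x80 for UUID set" in the table above
COMMON_HDR_LEN = 16
REQUEST_HDR_LEN = 8
SEC_TRAILER_LEN = 8         # precedes the auth value when Auth Length is non-zero
ARCSERVE_DOS_OPNUM = 0x13
ARG3_LEN = 65536            # size_is/length_is of arg_3 in the opcode 0x13 signature


@dataclass
class RpcRequest:
    flags: int
    call_id: int
    alloc_hint: int
    context_id: int
    opnum: int
    stub: bytes


def parse_request(pdu: bytes) -> RpcRequest:
    """Parse one DCE-RPC request PDU laid out as in the two tables above."""
    if len(pdu) < COMMON_HDR_LEN + REQUEST_HDR_LEN:
        raise ValueError("PDU too short for a request header")
    major, minor, ptype, flags = struct.unpack_from("<BBBB", pdu, 0)
    if (major, minor) != (5, 0):
        raise ValueError("unexpected RPC version %d.%d" % (major, minor))
    if ptype != PTYPE_REQUEST:
        raise ValueError("not a request PDU (packet type 0x%02x)" % ptype)
    # Data Representation byte 0, high nibble: 1 = little-endian integers.
    endian = "<" if (pdu[4] >> 4) == 1 else ">"
    frag_len, auth_len, call_id = struct.unpack_from(endian + "HHI", pdu, 8)
    if frag_len != len(pdu):
        raise ValueError("Frag Length %d != PDU size %d" % (frag_len, len(pdu)))
    alloc_hint, context_id, opnum = struct.unpack_from(endian + "IHH", pdu, 16)
    stub_start = COMMON_HDR_LEN + REQUEST_HDR_LEN
    if flags & PFC_OBJECT_UUID:
        stub_start += 16    # a 16-byte object UUID sits between opcode and stub
    stub_end = frag_len - (auth_len + SEC_TRAILER_LEN if auth_len else 0)
    return RpcRequest(flags, call_id, alloc_hint, context_id, opnum, pdu[stub_start:stub_end])


def is_arcserve_dos_candidate(req: RpcRequest) -> bool:
    """Flag opcode 0x13 requests whose stub can hold a 65536-byte arg_3.
    Frag Length is 16 bits, so such a call always spans fragments; the first
    fragment's Alloc hint announces the total stub size and is what to check."""
    if req.opnum != ARCSERVE_DOS_OPNUM:
        return False
    return max(req.alloc_hint, len(req.stub)) >= ARG3_LEN


def build_request(opnum: int, stub: bytes, alloc_hint: int = None,
                  call_id: int = 1, context_id: int = 0) -> bytes:
    """Constructed little-endian request PDU for testing; no auth, no object UUID."""
    hint = len(stub) if alloc_hint is None else alloc_hint
    body = struct.pack("<IHH", hint, context_id, opnum) + stub
    hdr = struct.pack("<BBBB", 5, 0, PTYPE_REQUEST, PFC_FIRST_FRAG | PFC_LAST_FRAG)
    hdr += b"\x10\x00\x00\x00"                       # Data Representation: LE, ASCII, IEEE
    hdr += struct.pack("<HHI", COMMON_HDR_LEN + len(body), 0, call_id)
    return hdr + body
```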

SonicWALL has released an IPS signature which will detect and block generic attack attempts targeting this vulnerability. The following signature was released to address this issue.

  • 2118 – CA ARCserve Backup Message Engine DoS

Fake Outlook update – New ZBot (June 23, 2009)

SonicWALL UTM Research team observed spam posing as a fake Critical Update for Microsoft Outlook. The email contains a link to a spoofed Microsoft security website which serves a new ZBot Trojan variant.

ZBot is a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), takes screen snapshots, downloads additional components, and provides the attacker with remote access to the compromised system. Read more about the Zeus/Zbot Trojan family here: https://www.mysonicwall.com/SonicAlert/index.asp?ev=article&id=132

This malware is 83,456 bytes in size.

When executed it creates the following files on the system:

  • %System%\lowsec\local.ds
  • %System%\lowsec\user.ds
  • %System%\lowsec\user.ds.lll
  • %System%\sdra64.exe

It modifies registry:

 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
 Userinit = "%System%\userinit.exe,%System%\sdra64.exe,"

so that sdra64.exe runs every time Windows starts.

It creates registry entries:

 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
 UID = "%ComputerName%_0004DCC0"

and

 [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
 ProxyEnable = 0x00000000
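Both ZBot write-ups on this page (the Fake Invoice downloader, which appends its svchost.exe to the Winlogon Shell value, and this variant, which appends sdra64.exe to Userinit) persist through the same two registry values. The checker below is an added example, not SonicWALL's code: it compares those values with their defaults and reports every extra program. The sample values are constructed from the paths quoted on this page; the live-registry helper only works on Windows.

```python
import re

# Defaults for the two Winlogon values the ZBot samples on this page tamper with
# (Fake Invoice downloader: Shell; both ZBot variants: Userinit).
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT = "userinit.exe"


def _basename(entry: str) -> str:
    """Lower-cased file name of an entry such as '%System%\\sdra64.exe'."""
    return re.split(r"[\\/]", entry.strip().strip('"'))[-1].lower()


def winlogon_findings(shell: str, userinit: str) -> list:
    """Compare Winlogon Shell and Userinit values with their defaults.

    Both values list programs Winlogon starts at logon. The downloader appends
    '<path>\\svchost.exe' to Shell (space separated); ZBot appends
    '%System%\\sdra64.exe' to the comma separated Userinit list. Returns one
    finding per unexpected entry; an empty list means nothing was added.
    """
    findings = []
    # Shell: the first token must be Explorer.exe and nothing may follow it.
    # Only the first separator is split on, so paths containing spaces survive.
    parts = re.split(r"[,\s]+", shell.strip(), maxsplit=1)
    if _basename(parts[0]) != EXPECTED_SHELL:
        findings.append("Shell is not Explorer.exe: " + shell.strip())
    if len(parts) > 1 and parts[1].strip():
        findings.append("Shell launches extra program: " + parts[1].strip())
    # Userinit: a trailing comma is normal; any entry other than userinit.exe is not.
    for entry in userinit.split(","):
        if entry.strip() and _basename(entry) != EXPECTED_USERINIT:
            findings.append("Userinit launches extra program: " + entry.strip())
    return findings


def read_live_winlogon():
    """On Windows, return (Shell, Userinit) from the live registry; None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon") as key:
        shell = winreg.QueryValueEx(key, "Shell")[0]
        userinit = winreg.QueryValueEx(key, "Userinit")[0]
    return shell, userinit


if __name__ == "__main__":
    # Constructed values built from the paths quoted in the two ZBot write-ups above.
    live = read_live_winlogon()
    sample = live or (r"Explorer.exe C:\Documents and Settings\user\Local Settings\Temp\svchost.exe",
                      r"%System%\userinit.exe,%System%\sdra64.exe,")
    for line in winlogon_findings(*sample) or ["Winlogon values look clean"]:
        print(line)
```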

The e-mail looks like:

screenshot

The Trojan is also known as Trojan-Spy.Win32.Zbot.xdj [Kaspersky], Mal/Zbot-O [Sophos] and Trojan.Spy.LooksLike.ZBot [McAfee].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Zbot.XDJ (Trojan) signature.

MS IE 7 Event Handler Memory Corruption (June 19, 2009)

A vulnerability has been discovered in the Microsoft Internet Explorer web browser. The problem exists in the browser’s method of handling certain DHTML objects. Several event types have been identified as problematic when repeatedly called during an ongoing dynamic web page modification. These events are as follows:

  • onbeforedeactivate
  • onbeforeactivate
  • ondeactivate
  • onactivate
  • onfocusout
  • onfocusin

Due to improper reuse of memory while processing repeated calls to events that change the markup of the HTML document, this flaw can lead to memory corruption. This may consequently lead to the injection and execution of arbitrary code.

Remote attackers may exploit this vulnerability by enticing the target user to view a malicious HTML document. Exploitation of this flaw is not considered a trivial task. Nevertheless, the popularity of the affected application makes this vulnerability a significant risk.

SonicWALL has deployed an IPS signature that will detect specific exploits targeting this vulnerability. The following signature addresses this issue:

  • 5543 – MS IE Event Handler Memory Corruption PoC (MS09-019)