Posts

Fake Conficker Removal Tool – Agent.MSU (June 10, 2009)

SonicWALL UTM Research team observed a new Trojan Downloader spammed in the wild starting June 9, 2009 pretending to be from Microsoft Security Department.

The email pretends to contain an important Windows XP/Vista security update related to the Conficker worm and includes a link to download a removal tool. The download link points to the new Trojan Downloader: a malicious executable file served from a domain in Russia:

  • windowsupdate.microsoft.com.(Removed).ru/remtool_conf.exe

The downloaded file had zero AV detection at the time of writing this alert and looks like this:
screenshot

When executed, the Trojan performs the following activities:

  • Stops the Windows Security Center service (Service Name: wscsvc)
  • Creates a new directory, (Windows Temporary folder)\nsf3.tmp, and drops the files webexplorer.exe, nsExec.dll, and NSISdl.dll into it.
  • Opens a new window displaying the Symantec Trojan.Brisv.A Removal Tool 2.1.0.7 EULA (screenshot).
  • If the user clicks the Accept button and starts the tool, it runs for a while and displays a “fixbrisa” message box at the end (screenshot).
  • Attempts to connect to the makemymoneys.com domain and downloads an Injector Trojan by sending the following HTTP GET request:
    • GET /install/winupdate.exe – Detected as GAV: Injector.PI (Trojan)

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Agent.MSU (Trojan) signature.

A screenshot of the original e-mail message is shown below:

screenshot

New Trojan Downloader – Branvine.A (June 5, 2009)

SonicWALL UTM Research team observed multiple spam campaigns for a new Trojan downloader, Branvine.A, starting June 2, 2009. The emails carry a zip-archived attachment which contains the new Trojan downloader variant.

SonicWALL has received more than 10,000 e-mail copies of this malware so far.

While the spammed e-mails and the attachment name changed across the different spam campaigns, the attachment payload changed only once, on June 4, 2009.

When executed the Trojan attempts to connect to the domains below:

  • biz-er.org
  • full-free-xmovies.com
  • mysex-adult.com

It tries to download files from the above domains via the following GET requests, respectively:

  • GET /cnf/bizzi11.exe – Detected as GAV: Agent.BIZ (Trojan)
  • GET /promo1/soft/install-1557.exe – Detected as GAV: PrivacyCenter.DO_2 (Trojan)
  • GET /promo1/soft/install-1557.exe – Detected as GAV: PrivacyCenter.DO_2 (Trojan)

Sample e-mails for each spam campaign are shown below:

June 2, 2009 – Sample Email #1:

screenshot

June 2, 2009 – Sample Email #2:

screenshot

June 2, 2009 – Sample Email #3:

screenshot

June 2, 2009 – Sample Email #4:

screenshot

June 3, 2009 to June 4, 2009 – Sample Email #5:

screenshot

The Trojan is also known as Trojan-Downloader.Win32.Murlo.bdc [Kaspersky], Trojan-Downloader.Win32.Branvine [Ikarus], and Downloader-BPX trojan [McAfee].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Branvine.A (Trojan) signature. Total hits recorded since the release of this signature on June 2, 2009 – 2,318,091.

screenshot

Apple QuickTime Movie Vulnerabilities (June 4, 2009)

Apple QuickTime is a media player application developed by Apple. It can play back numerous multimedia file formats from the local file system or from remote servers. The QuickTime movie file is one of the media formats that QuickTime can play.

A QuickTime movie file consists of Metadata and Atoms. The Metadata stores the description of the media content while atoms are the data units of media content. Each atom contains size and type fields that precede any other data. The common structure of an atom is as below:

 Type       Description
 ---------  -------------------
 UINT32     Atom size (n)
 UINT32     Atom identifier
 BYTE[n-8]  Atom data

Many buffer overflow and integer overflow vulnerabilities have been found in Apple QuickTime. Most of them are due to improper validation of atom fields, in atoms such as moov, trak, minf, stsd, avcC, rpza and sdtp. For example, a memory corruption vulnerability was found recently in the QuickTime media player which is due to improper input validation of specially crafted QuickTime movies containing an ‘stsd’ atom with malicious ‘rpza’ video data. The Apple Video compression format (rpza) has the following structure:

 Type     Description
 -------  --------------------------
 UINT16   version
 UINT16   revision level, set to 0
 BYTE[4]  vendor
 UINT32   temporal quality, 0 ~ 1023
 UINT32   spatial quality, 0 ~ 1024
 UINT16   width
 UINT16   height
 UINT32   horizontal resolution
 UINT32   vertical resolution
 UINT32   data size, set to 0
 UINT16   frame count, usually 1

The vulnerable code does not validate the ‘width’ value from the above ‘rpza’ structure: it rounds ‘width’ up to a multiple of 4 bytes and then multiplies it by 4, which may cause an integer overflow. Remote attackers could exploit this vulnerability to inject and execute arbitrary code on the target system.
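As an added example (not SonicWALL's or Apple's code), the following Python checker applies the two validations the advisories above call for: every atom size is checked against its container before it is used, and an ‘rpza’ description is checked against the field ranges in the table above, with the rounded width times height computed in unbounded integers so nothing can wrap. The MAX_DIMENSION cap and the sample buffers are constructed assumptions.

```python
import struct

ATOM_HEADER = struct.Struct(">I4s")         # UINT32 size (n), 4-byte type; big-endian
RPZA_DESC = struct.Struct(">HH4sIIHHIIIH")  # 'rpza' fields in the order of the table above
MAX_DIMENSION = 8192                        # assumed sanity cap, not from the advisory
UINT32_MAX = 0xFFFFFFFF

def walk_atoms(buf, offset=0, end=None):
    """Yield (type, data_offset, data_len); every size field is checked against
    the enclosing container before it is used."""
    end = len(buf) if end is None else end
    while offset < end:
        if end - offset < ATOM_HEADER.size:
            raise ValueError("truncated atom header at offset %d" % offset)
        size, atype = ATOM_HEADER.unpack_from(buf, offset)
        hdr = ATOM_HEADER.size
        if size == 0:      # QuickTime rule: atom runs to the end of its container
            size = end - offset
        elif size == 1:    # QuickTime rule: 64-bit extended size follows the header
            if end - offset < hdr + 8:
                raise ValueError("truncated extended size at offset %d" % offset)
            size = struct.unpack_from(">Q", buf, offset + hdr)[0]
            hdr += 8
        if size < hdr or size > end - offset:
            raise ValueError("atom %r at offset %d: size %d does not fit" % (atype, offset, size))
        yield atype, offset + hdr, size - hdr
        offset += size

def check_rpza(data):
    """Return a list of problems with an 'rpza' description; empty means it passed."""
    if len(data) < RPZA_DESC.size:
        return ["rpza description truncated"]
    (_ver, rev, _vendor, tq, sq, width, height,
     _hres, _vres, dsize, _frames) = RPZA_DESC.unpack_from(data)
    problems = []
    if rev != 0 or dsize != 0:
        problems.append("revision level and data size must be 0")
    if tq > 1023 or sq > 1024:
        problems.append("quality value out of range")
    # Row size as the advisory describes the vulnerable code: width rounded up to a
    # multiple of 4, then times 4. A frame that would not fit a 32-bit size is rejected.
    row_bytes = ((width + 3) & ~3) * 4
    if row_bytes * height > UINT32_MAX:
        problems.append("frame buffer size overflows 32 bits")
    if not (0 < width <= MAX_DIMENSION and 0 < height <= MAX_DIMENSION):
        problems.append("width/height outside sane bounds")
    return problems

def audit(buf):
    """Collect problems from every 'rpza' description, plus any structural error."""
    found = []
    try:
        for atype, off, ln in walk_atoms(buf):
            if atype == b"rpza":
                found.extend(check_rpza(buf[off:off + ln]))
    except ValueError as e:
        found.append(str(e))
    return found

def make_atom(atype, payload):
    return ATOM_HEADER.pack(ATOM_HEADER.size + len(payload), atype) + payload

def make_rpza(width, height):
    # Constructed description: version 0, revision 0, vendor 'appl', qualities 512, 72 dpi
    return RPZA_DESC.pack(0, 0, b"appl", 512, 512, width, height, 72 << 16, 72 << 16, 0, 1)

GOOD = make_atom(b"rpza", make_rpza(320, 240))        # constructed, well-formed
BAD = make_atom(b"rpza", make_rpza(0xFFFF, 0xFFFF))   # constructed, frame size overflows
OVERSIZED = ATOM_HEADER.pack(0xFFFFFFF0, b"moov")     # size field larger than the file
```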

The SonicWALL UTM team has analyzed each of the vulnerabilities and created multiple IPS/GAV signatures for them. For the vulnerabilities that cannot be covered by generic signatures, the SonicWALL UTM team monitored the published exploits and released signatures for each of them. The following released signatures relate to the Apple QuickTime media player and the QuickTime movie file format:

  • 1691 Apple QuickTime ctab Atom Heap Corruption PoC
  • 1806 Apple QuickTime stsd Atom Heap BO Attempt
  • 2107 Apple QuickTime H.264 Crafted Movie BO PoC
  • 2293 Apple QuickTime udta Atom Parsing BO Attempt 1
  • 2372 Apple QuickTime udta Atom Parsing BO Attempt 2
  • 2373 Apple QuickTime udta Atom Parsing BO Generic Detection 3
  • 4958 Apple QuickTime crgn Atom Parsing Memory Corruption PoC
  • 5031 Apple QuickTime hdlr Atom Integer Overflow PoC
  • 5412 GStreamer QuickTime File Parsing Heap Overflow PoC 1
  • 5414 GStreamer QuickTime File Parsing Heap Overflow PoC 3

UPS Invoice spam – New ZBot (May 28, 2009)

SonicWALL UTM Research team observed a new wave of the UPS invoice spam campaign starting late Wednesday night, May 27, 2009. The email has a zip-archived attachment which contains the new ZBot Trojan variant.

SonicWALL has received more than 1,500 e-mail copies of this malware to date. The e-mail looks like:

Attachment: UPS_DOC_986001.zip (contains UPS_DOC_986001.exe) or UPSEXL_GEN99012.zip (contains UPSEXL_GEN99012.exe)

Subject: Postal Tracking # [15-digit alpha-numeric number]

Email Body:
————————
Hello!

We were not able to deliver postal package you sent on the 14th of March in time because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office.

Your United Parcel Service of America
————————

The e-mail message looks like below:

screenshot

The executable file inside the zip attachment has an icon disguised as a Microsoft Excel sheet file:

screenshot

When executed, the Trojan performs the following host-level activity:

  • Creates a directory (Windows System Folder)\wbem
  • Drops a copy of itself as (Windows System Folder)\wbem\grpconv.exe
  • Deletes the original file

It tries to connect to the dollarpoint.ru domain and sends the following HTTP request to it:

  • dollarpoint.ru/abc/controller.php?action=bot&entity_list=&uid=&first=1&guid=13441600&rnd=8520045

The Trojan is also known as W32/Trojan3.AXD [F-Secure], Win32/Agent.PMJ trojan [ESET], and Spy-Agent.bw trojan [McAfee].

SonicWALL Gateway AntiVirus provides protection against this malware via the GAV: Zbot.JFG (Trojan) and GAV: Zbot.JFA (Trojan) signatures.

screenshot

MS IIS WebDAV Information Disclosure (May 28, 2009)

Microsoft Internet Information Server (IIS) is a collection of Internet service packages. It provides Web Server, FTP Server, SMTP Server and other services. The Web Server service is equipped with the Active Server Pages (ASP) technology, which is used for dynamic content generation.

IIS supports Web Distributed Authoring and Versioning (WebDAV), an extension set of the HTTP protocol which allows users to manage files on a Web server: creating, reading or modifying files. Locking/protection, extended document properties, namespace management, and resource collections are important features of the WebDAV protocol.

The WebDAV extension introduces a new HTTP request header, “Translate”. If the value of this header starts with “f”, the request asks for the file itself rather than the result of evaluating a server-side script. WebDAV also adds PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK and UNLOCK as HTTP request methods.

The WebDAV protocol uses an XML-based data transaction scheme defined in RFC 2518. The following is an example of a WebDAV PROPFIND request:

PROPFIND /webdav/abc.txt HTTP/1.1
Depth: 0
User-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600
Host: x.x.x.x
Content-Length: 0
Connection: Keep-Alive
Pragma: no-cache

A vulnerability exists in IIS when the WebDAV extension is enabled. The vulnerability is due to improper handling of the Unicode-encoded ‘/’ character (%c0%af) embedded in WebDAV request URIs. The vulnerable code in the WebDAV extension discards the encoded ‘/’ and returns the requested resource without checking for proper credentials, which discloses the information to unauthorized people.

An example of an attack request for a protected file is listed below:

GET /%c0%af/webdav/confidential HTTP/1.1
Translate: f
Connection: close
Host: x.x.x.x
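As an added example (not SonicWALL's signature logic), the following Python function classifies a raw request like the two shown above: it percent-decodes the URI to bytes, flags UTF-8 lead bytes that can only begin an overlong encoding (of which %c0%af for ‘/’ is the case in this advisory), and records whether a Translate: f header is present. The sample requests are constructed.

```python
import re

PCT = re.compile(r"%([0-9A-Fa-f]{2})")
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")

def pct_decode_bytes(uri):
    """Turn %XX escapes into raw bytes without interpreting them as UTF-8."""
    out = bytearray()
    i = 0
    while i < len(uri):
        m = PCT.match(uri, i)
        if m:
            out.append(int(m.group(1), 16))
            i = m.end()
        else:
            out.extend(uri[i].encode("utf-8"))
            i += 1
    return bytes(out)

def overlong_sequences(raw):
    """Return offsets of UTF-8 lead bytes that can only begin an overlong encoding:
    0xC0/0xC1 are never valid leads; 0xE0 needs a second byte of 0xA0..0xBF and
    0xF0 one of 0x90..0xBF, otherwise the code point fit in fewer bytes.
    %c0%af is the two-byte overlong form of '/' from the advisory."""
    hits = []
    for i, b in enumerate(raw):
        nxt = raw[i + 1] if i + 1 < len(raw) else -1
        if b in (0xC0, 0xC1):
            hits.append(i)
        elif b == 0xE0 and 0x80 <= nxt < 0xA0:
            hits.append(i)
        elif b == 0xF0 and 0x80 <= nxt < 0x90:
            hits.append(i)
    return hits

def inspect_request(text):
    """Classify one raw HTTP request header block (constructed text, CRLF separated)."""
    lines = text.strip().splitlines()
    m = REQUEST_LINE.match(lines[0]) if lines else None
    if not m:
        return {"verdict": "malformed"}
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    overlong = overlong_sequences(pct_decode_bytes(m.group(2)))
    return {
        "method": m.group(1),
        "uri": m.group(2),
        "overlong_at": overlong,
        # 'Translate: f' asks for the file itself rather than the script's output
        "translate_f": headers.get("translate", "").lower().startswith("f"),
        "verdict": "overlong-utf8" if overlong else "clean",
    }

# Constructed samples modelled on the two requests shown above.
BENIGN = ("PROPFIND /webdav/abc.txt HTTP/1.1\r\nDepth: 0\r\n"
          "Host: x.x.x.x\r\nContent-Length: 0\r\n")
SUSPECT = ("GET /%c0%af/webdav/confidential HTTP/1.1\r\nTranslate: f\r\n"
           "Connection: close\r\nHost: x.x.x.x\r\n")
```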

SonicWALL has created and released IPS signatures that detect and block generic attack attempts targeting this vulnerability. The following signatures address this issue:

  • 1466 MS IIS 6.0 WebDAV Information Disclosure 1
  • 1469 MS IIS 6.0 WebDAV Information Disclosure 2
  • 1481 MS IIS 6.0 WebDAV Information Disclosure 3

Zeus Trojan Family (May 26, 2009)

Zeus, also known as Zbot, WSNPoem and NTOS is a crimeware kit. It offers its own cryptor that obfuscates the Trojan, making it difficult to detect. The cryptor creates a new binary file each time it is used, and these files are radically different from each other. SonicWALL blocks over 3,500 different binary variants of the Zeus Trojan.

Zeus is built for hijacking E-banking sessions, although it can steal credentials for any online services. The kit costs about $700 to purchase.

The Zeus Trojan is frequently installed through drive-by exploits or through spam mails that pretend to be invoices and contain a copy of the Trojan as an attachment.

Typically the Trojan is located on the system at:

  • Variant A:
    • C:\WINDOWS\system32\ntos.exe
    • C:\WINDOWS\system32\wsnpoem\audio.dll
    • C:\WINDOWS\system32\wsnpoem\video.dll
  • Variant B:
    • C:\WINDOWS\system32\oembios.exe
    • C:\WINDOWS\system32\sysproc64\sysproc86.sys
    • C:\WINDOWS\system32\sysproc64\sysproc32.sys
  • Variant C:
    • C:\WINDOWS\system32\twext.exe
    • C:\WINDOWS\system32\twain_32\local.ds
    • C:\WINDOWS\system32\twain_32\user.ds

Zeus consists of three parts:

  • Control Panel, which is installed on the server
  • Builder, an application for Windows, is used to specify the configuration for the infector bot.
  • Bot, a Trojan for Windows, infects the victim, then connects to the dropzone.

Zeus host consists of three components as well:

  • a config file (usually with file extension *.bin)
  • a binary file which contains the newest version of the trojan
  • a dropzone (usually a php file)

The config file is an encrypted binary file that contains information necessary for the Zeus bot to update itself and instructions where to submit stolen data. Also, it has a list of sites to target, to avoid, and what code to inject into web pages.

Decoding Zeus Config

Zeus uses HTTP for command and control. The server side is built on PHP and MySQL. The system normally installs with a password protection scheme using HTTP basic authentication to protect the botnet. The Zeus bot communicates with its controlling servers over HTTP by sending a POST message to the server; the response contains an encoded command.

Zeus is capable of logging all network information, stealing banking data or credit card numbers, controlling the system, sending spam, and stealing passwords from Protected Storage. The collected information is sent to the dropzone via HTTP requests. Zeus can be re-configured: the malware retrieves its current configuration file from the dropzone.

It is a very effective stealer of private and confidential user information (form grabber); it can inject arbitrary HTML code into any website (including encrypted websites), steal certificates, and take screenshots to defeat the virtual keyboards commonly used by financial institutions. It can also act as a proxy server via SOCKS 4/4a/5, even if the compromised device is behind a NAT.

Zeus kit is a complete package, complex professional software with a team of Russian programmers actively developing it. Zeus’s “features under development” include:

  • Compatibility with Windows Vista and Windows 7
  • Random generation of configuration files to avoid generic detection
  • Console-based builder
  • Full IPv6 support
  • Detailed statistics on antivirus software and firewalls installed on the infected machines

Zeus even has its own EULA (end-user license agreement), written in Russian, which translates roughly as follows:

  • The user may not distribute the product in a commercial way.
  • The user may not reverse-engineer the bot builder.
  • The user may not use the control panel to control other botnets.
  • The user may not deliberately share any portion of the code to anti-virus companies.
  • The user must pay for any future features or improvements.

According to Zeus Tracker, the countries where most Zeus sites are hosted are USA, Russia, China, Ukraine and Latvia. More than half of the dropzones are hosted on bullet-proof hosting (providers that do not honor takedown requests).

The individuals behind Zeus are allegedly based in Europe, and known as the Rock Phish group. It is a criminal collective that has been targeting banks and other financial institutions since 2004. According to RSA, they are responsible for half of the worldwide phishing attacks and have siphoned tens of millions of dollars from individuals’ bank accounts. The group got its name from an old feature where phishers used directory paths that contained the word “rock.”

Antivirus companies have different names for Zeus threat, most common being: Trojan.Wsnpoem (Symantec), W32/Zbot (F-Secure), Trojan.Spy.Zeus (Bitdefender), TSPY_ZBOT (TrendMicro), NTOS.

SonicWALL has many signatures protecting from variants of Zeus malware, including: GAV: Zbot.HNO (Trojan), GAV: ZBot.gen (Trojan), GAV: Zbot.AEZ (Trojan), GAV: Zbot.ABC (Trojan), GAV: Zbot.CMS (Trojan), GAV: Zbot.RL (Trojan), GAV: Zbot.IXC (Trojan).

Screenshots: Zeus builder; Zeus admin panel.

Some screenshots from www.abuse.ch: Zeus admin panel; Zeus stats; issuing a command; online bots; browsing logs for stolen accounts.

For more on Zeus, check out Zeus Tracker.

Oracle RollbackWorkspace SQL Injection (May 22, 2009)

The Oracle Database Server is an enterprise-level relational database application suite. To extend the functionality of the Oracle Database Server, extra packages are included in the suite, bundling procedures, functions, constants, cursors and exceptions in order to ease data management. The included stored procedures and functions are essentially sets of SQL statements that are stored on the server. One such bundled package is the Oracle Workspace Manager.

The Oracle Workspace Manager enables application developers and DBAs to manage current, proposed and historical versions of data in the same database. Interface to the Oracle Workspace Manager tools is provided by the DBMS_WM package. Among the functions supplied by this package is RollbackWorkspace. This function takes two arguments:

 WORKSPACE   - VARCHAR2
 AUTO_COMMIT - BOOLEAN

An SQL injection vulnerability exists in the aforementioned function. The flaw is due to a lack of proper sanitization of user-supplied arguments: the WORKSPACE argument is vulnerable to SQL injection. Injecting a single quote inside the data passed in this argument causes the internally generated script to treat a portion of the passed argument as a separate SQL statement.

The code that may be injected through the vulnerable function is limited in scope, length and functionality. Because of these constraints, execution of any complex SQL commands may only be performed through user created functions. Thus, exploitation of the flaw would require an attacker not only to have valid credentials to log into the vulnerable server, but also to have privileges to create SQL functions.

It should be noted that by default, all database users have permissions to execute the vulnerable function. Thus, a database user with normal privileges may inject SQL statements which will be executed with system privileges on the target database server.

Any injected SQL commands will be executed within the security privileges of the database administrator, SYSDBA, effectively compromising the database server. Exploitation of the vulnerability is considered to be an easy task, given that the attacker has privileges to create functions.

SonicWALL has created and released an IPS signature that detects and blocks generic attack attempts targeting this vulnerability. The following signature addresses this issue:

  • 1471 – Oracle LT.ROLLBACKWORKSPACE SQL Injection Attempt

Gumblar web attacks (May 19, 2009)

SonicWALL UTM Research team observed an increase in the use of the Gumblar drive-by attack on many popular websites.

The Gumblar exploit is dynamically generated and varies not only from site to site but also from page to page on the same site. It is also heavily obfuscated, making detection difficult. According to ScanSafe, Gumblar compromises are increasing, up 188% from last week. According to Sophos, Gumblar infections accounted for 42 percent of all infections found on websites last week.

This attack consists of two stages: the first stage of this exploit attempts to compromise legitimate websites by injecting malicious code into them. These infections occur mostly through stolen or weak FTP logins. The second stage of this exploit happens when users visit the website infected by Gumblar. It attempts to load exploits in PDF and SWF (flash) files, and through those exploits infect the users with a Trojan. This Trojan can monitor network traffic and steal FTP logins, as well as meddle with Google search results.

At least 3,000 websites have been compromised. The United States Computer Emergency Readiness Team (US-CERT) issued an alert about it.

The original version of this exploit loaded malicious content from a site in China called Gumblar.cn, which inspired the name ‘Gumblar’. Recently ‘gumblar.cn’ was shut down, and the exploit evolved to load its malicious payload from ‘martuz.cn’. The new version also detects the Google Chrome browser and avoids loading the exploit in it.

SonicWALL Gateway Antivirus detects Gumblar exploit with GAV: Suspicious#gumblar (Trojan) signature. This signature has 24,500 hits so far.

The Gumblar malicious script is injected between the HEAD and BODY tags, as seen in these screenshots:

Obfuscated: screenshot

Decoded: screenshot

Hits on our signature are shown in the graph below.

New fake codec malware (May 15, 2009)

SonicWALL UTM Research team came across a new fake codec malware drive-by site posing to host a nude Rihanna video.

The drive-by site was actively serving the malware at the time of posting this alert:

 www.scribd.com/(REMOVED)/Rihanna-nude
   --> http://tumler(REMOVED)/2.html
     --> http://xtube-host.com/(REMOVED)Mediacodec_v3.7
       --> Mediacodec_v3.7.exe (1,984,538 bytes), detected as GAV: FakeAlert.BDP (Trojan)

The downloaded malware executable file looks like:

screenshot

It performs the following activity on the victim machine:

  • Creates multiple directories, including (App Data)\PCenter and (Program Files)\PCenter.
  • Drops multiple files, including (Program Files)\PCenter\agent.exe and (Program Files)\PCenter\pc.exe.
  • Adds registry keys to ensure that agent.exe and pc.exe start every time the system reboots:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\agent.exe = “(Program Files)\PCenter\agent.exe”
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = “(Program Files)\PCenter\pc.exe”
  • Creates the following mutex objects to mark its presence on the system:
    • AMResourceMutex2
    • VideoRenderer
  • Sends HTTP requests to the URLs below:
    • http://194.165.4.(REMOVED)/software_response.php?uid=1235
    • http://privacyupdate447.com/avail

The screenshots of the drive-by site and the Fake codec Trojan being downloaded are shown below.

Main site posing to host nude Rihanna video:

screenshot

When user attempts to start the video, it opens a new page asking the user to download a certified ActiveX video codec (VAC codec) to protect content Copyrights. The page looks like below:

screenshot

If the user clicks on the video frame again then it downloads the malware executable file as seen below:

screenshot

The Trojan is also known as Win32/Adware.PrivacyComponents [ESET], Trojan.FakeAlert.BDP [BitDefender], and Cryp_FakeAV-12 [Trend Micro].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: FakeAlert.BDP (Trojan) signature.

Adobe Acrobat getAnnots Vulnerability (May 14, 2009)

Adobe Acrobat and Adobe Reader are ubiquitous applications for viewing PDF (Portable Document Format) documents.

Since version 4.0, Acrobat includes JavaScript functionality allowing for customization and extensibility. Acrobat JavaScript is an extension of the core JavaScript which adds Acrobat-specific classes that enable the author to manage document related tasks. These classes include app, dbg, console, Doc, SOAP, ADBC, util, etc.

An annot object represents a particular Acrobat annotation created using the Acrobat annotation tool. Annotation types include: Text, FreeText, Line, Square, Circle, Polygon, PolyLine, Highlight, etc. The Doc object provides the getAnnots method, which returns an array of Annot objects based on the parameters provided to it, or returns null if no results are found. This method accepts four parameters:

getAnnots(nPage, nSortBy, bReverse, nFilterBy)

  • nPage: A 0-based page number that specifies from which page to get Annots.
  • nSortBy: A sort method applied to the array.
  • bReverse: If true, causes the array to be reverse sorted.
  • nFilterBy: Gets only those annotations that satisfy certain criteria.

There exists a buffer overflow vulnerability in Adobe Acrobat/Reader. Specifically, the vulnerability is due to improper handling of the parameters of the getAnnots JavaScript method: the code does not validate them. When all four parameters are passed as negative numbers, program memory is corrupted.

An attacker can exploit this vulnerability by enticing a user to open a crafted PDF document. Successful exploitation would allow for arbitrary code injection and execution with the privileges of the currently logged in user. Code injection that does not result in execution would terminate the application due to memory corruption.
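As an added example (not SonicWALL's signature), here is a Python scanner for the condition the advisory describes: it inflates Flate-compressed streams in a PDF, extracts getAnnots(...) calls from the script text, and reports any call whose four arguments are all negative numeric literals. The make_pdf helper builds a constructed, minimal PDF-like container for the samples, not a valid PDF.

```python
import re
import zlib

STREAM = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.DOTALL)
CALL = re.compile(rb"getAnnots\s*\(([^)]*)\)")
NUMBER = re.compile(rb"^-?\d+(\.\d+)?$")

def stream_bodies(pdf):
    """Yield each stream body, inflated when it is Flate-compressed."""
    for m in STREAM.finditer(pdf):
        body = m.group(1)
        try:
            yield zlib.decompress(body)
        except zlib.error:
            yield body   # not zlib data: uncompressed, or a filter this example does not handle

def getannots_calls(js):
    """Return the argument list (as bytes) of every getAnnots(...) call in a script."""
    calls = []
    for m in CALL.finditer(js):
        inner = m.group(1).strip()
        calls.append([a.strip() for a in inner.split(b",")] if inner else [])
    return calls

def all_four_negative(args):
    """The advisory's condition: four arguments, each a negative number literal."""
    return len(args) == 4 and all(NUMBER.match(a) and a.startswith(b"-") for a in args)

def scan_pdf(pdf):
    """Return the argument lists of every getAnnots call that meets the condition."""
    return [args for body in stream_bodies(pdf)
            for args in getannots_calls(body) if all_four_negative(args)]

def make_pdf(js, compress=True):
    """Constructed minimal PDF-like container with one JavaScript stream (enough for
    the scanner above, not a valid PDF)."""
    body = zlib.compress(js) if compress else js
    filt = b" /Filter /FlateDecode" if compress else b""
    return (b"%PDF-1.4\n1 0 obj\n<< /S /JavaScript /JS 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Length " + str(len(body)).encode() + filt + b" >>\n"
            b"stream\n" + body + b"\nendstream\nendobj\n")

# Constructed script samples: a normal call and the all-negative shape the advisory names.
BENIGN_JS = b"var a = this.getAnnots(0, 0, false, 0); var b = this.getAnnots();"
CRAFTED_JS = b"var a = this.getAnnots(-1, -2, -3, -4);"
```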

The vulnerability has been assigned as CVE-2009-1492.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 5503 – Adobe Reader getAnnots Method Memory Corruption Attempt