Posts

New ZBot variant (May 12, 2009)

–Updated May 12, 2009—

SonicWALL UTM Research team saw a new wave of the ZBot spam campaign, comprising fake e-mail messages from the Western Union money transfer service, starting early morning today, May 12, 2009.

SonicWALL Gateway Antivirus provides protection against this new wave via the GAV: Suspicious#waledac.8 (Worm) and GAV: ZBot.MT (Trojan) signatures. Total signature hits recorded today: 296,341 (signature statistics image below).

SonicWALL has received more than 2,200 e-mail copies of this malware so far. The e-mail looks like the following:

Attachment: MTCN_NR8621982.zip (contains MTCN_NR8621982.exe) or MTCN_INVOICE.zip (contains MTCN_INVOICE.exe)

Subject: Western Union Transfer MTCN: (10 digit random number)

Email Body:
————————
Dear client!

The money transfer you have sent on the 21st of March wasn’t received by the recipient.
According to the Western Union treaty the transfers which are not received in 30 business days are to be returned to sender.
To collect funds you need to print the invoice attached to this e-mail and visit the nearest Western Union branch.

Thank you!

[(some site) : nospam] [EMAILID: (random email address on above site)]
[TIME:(timestamp)]
————————

The executable file inside the zip attachment has an icon disguised as a Microsoft Office Excel sheet and looks like the following:

screenshot

A screenshot of a sample e-mail is shown below:

screenshot

–Updated May 08, 2009—

SonicWALL UTM Research team saw a second wave of ZBot WorldPay card spam campaign with different attachment payloads starting on May 07, 2009.

SonicWALL Gateway Antivirus provides protection against this new wave via the GAV: Suspicious#waledac.8 (Worm) signature. Total signature hits recorded since yesterday: 390,249 (signature statistics image below).

–Original publish date: April 23, 2009—

SonicWALL UTM Research team observed a new wave of the ZBot Trojan spam campaign starting today, April 23, 2009. The e-mail carries a zip archive attachment which contains the new ZBot Trojan variant.

SonicWALL has received more than 2,000 e-mail copies of this malware so far. The e-mail looks like the following:

Attachment: WorldPay_TRANS_8651.zip (contains WorldPay_TRANS_8651.exe)

[May 08, 2009] Update: Attachment: WorldPay_CONFR.zip (contains WorldPay_CONFR.exe)

Subject: WorldPay CARD transaction Confirmation

Email Body:
————————
Thank you!

Your transaction has been processed by WorldPay, on behalf of Amazon Inc. The invoice file is attached to this message. This is not a tax receipt. We processed your payment. Amazon Inc has received your order, and will inform you about delivery. Sincerely, Amazon Team

This confirmation only indicates that your transaction has been processed successfully. It does not indicate that your order has been accepted. It is the responsibility of Amazon Inc to confirm that your order has been accepted, and to deliver any goods or services you have ordered.
————————

[May 08, 2009] Update: The executable file inside the zip attachment has an icon disguised as a Microsoft Office Excel sheet and looks like the following:

screenshot

The executable file inside the zip attachment has an icon disguised as a Microsoft Help file and looks like the following:

screenshot

[May 08, 2009] Update: A screenshot of a sample e-mail is shown below:

screenshot

A screenshot of a sample e-mail is shown below:

screenshot

The Trojan, when executed, performs the following host-level activity:

  • Creates a directory named lowsec in the Windows System folder
  • Creates the files local.ds, user.ds and user.ds.lll in the lowsec directory
  • Drops a copy of itself as sdra64.exe in the Windows System folder

It modifies the following Registry value so that Winlogon launches sdra64.exe at every logon (and therefore after every reboot):

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "(System_Dir)\userinit.exe,(System_Dir)\sdra64.exe,"

[May 08, 2009] Update: It also tries to connect to and download an encrypted configuration file from the following URL:

  • bklinkov.ru/hi/start.cfg

It also tries to connect to and download an encrypted configuration file from the following URL:

  • grafjasqq.ru/kiew/kiew.cfg

The Trojan is also known as TR/Spy.ZBot.66560 [AntiVir], Trojan-Spy:W32/Zbot.OSK [F-Prot], and PWS:Win32/Zbot.M [Microsoft].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: ZBot.M (Trojan), GAV: Suspicious#waledac.8 (Worm) and GAV: ZBot.MT (Trojan) signatures.

screenshot

screenshot

screenshot

WebLogic Client Certificate Buffer Overflow (May 7, 2009)

Oracle WebLogic Server is a multi-tier Java application server platform. In two- and three-tier application architectures, a web server receives form submissions and other HTTP requests and passes them to application servers, which perform the actual processing. The connector is the web server component that communicates with the application server; Oracle WebLogic Server ships with a connector for the Apache HTTP Server, named mod_wl.

The Apache web server can receive HTTP requests over SSL. During the establishment of an SSL connection the server always sends its certificate to the client, while the client may optionally send its own certificate as a method of authentication. Once the certificates are verified, the connection proceeds and an encrypted channel is created.

A stack-based buffer overflow vulnerability exists in WebLogic Server's connector for the Apache HTTP Server. The vulnerability is due to improper validation of client certificates. When a client certificate is received, it is exported to the plug-in as a PEM-encoded certificate. The connector then copies the contents of the PEM-encoded certificate, stripping all CR/LF characters, into a fixed-size stack buffer; the vulnerable code does not verify the length of the certificate before copying it.

A remote, unauthenticated attacker can exploit this vulnerability by supplying a specially crafted client certificate during the SSL handshake, triggering the overflow. Successful exploitation results in code execution with the privileges of the affected service, the Apache HTTP Server process hosting the plug-in. A code injection attempt that does not achieve execution terminates the process because of the memory corruption.

SonicWALL has released an IPS signature that will detect and prevent attacks targeting this vulnerability. The signature to address this vulnerability is:

  • 1442 WEB-ATTACKS SSL/TLS Overly Long Client Certificate Attempt
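The handshake check a gateway would make for this bug, as an added example that is not Oracle's plug-in code or SonicWALL's signature: it assembles a TLS Certificate handshake record (the message in which a client certificate travels), parses it back with every length field verified against the bytes present, and computes how long the PEM export becomes once CR/LF are stripped, which is what the connector copies onto the stack. The DER blobs are constructed filler rather than real certificates, the record version and the 4096-byte limit are assumptions (the advisory does not give the buffer size), and the function names are chosen here.

```python
from __future__ import annotations
import base64

TLS_HANDSHAKE = 0x16
HS_CERTIFICATE = 11
TLS_VERSION = b"\x03\x01"      # TLS 1.0 record version; assumed for the samples
STRIPPED_LIMIT = 4096          # assumed size of the connector's stack buffer

SAMPLE_DER = bytes(range(256)) * 4       # 1024 bytes of constructed filler, not a certificate
OVERSIZED_DER = bytes(range(256)) * 32   # 8192 bytes of constructed filler


def build_certificate_record(certs: list[bytes]) -> bytes:
    """TLS record -> Handshake(Certificate) -> certificate_list; all lengths big-endian."""
    cert_list = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    body = len(cert_list).to_bytes(3, "big") + cert_list
    handshake = bytes([HS_CERTIFICATE]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + TLS_VERSION + len(handshake).to_bytes(2, "big") + handshake


SAMPLE_RECORD = build_certificate_record([SAMPLE_DER])
OVERSIZED_RECORD = build_certificate_record([OVERSIZED_DER])


def parse_certificates(record: bytes) -> list[bytes]:
    """Return the DER blobs in a Certificate record, checking every length
    field against the data actually present instead of trusting it."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4:
        raise ValueError("truncated record")
    if body[0] != HS_CERTIFICATE:
        raise ValueError("not a Certificate message")
    hs_len = int.from_bytes(body[1:4], "big")
    msg = body[4:4 + hs_len]
    if len(msg) != hs_len or hs_len < 3:
        raise ValueError("truncated handshake message")
    list_len = int.from_bytes(msg[0:3], "big")
    certs = msg[3:3 + list_len]
    if len(certs) != list_len:
        raise ValueError("certificate list length mismatch")
    out, pos = [], 0
    while pos < len(certs):
        if pos + 3 > len(certs):
            raise ValueError("truncated certificate length")
        clen = int.from_bytes(certs[pos:pos + 3], "big")
        pos += 3
        if pos + clen > len(certs):
            raise ValueError("certificate length exceeds list")
        out.append(certs[pos:pos + clen])
        pos += clen
    return out


def certificate_lengths(record: bytes) -> list[int]:
    return [len(der) for der in parse_certificates(record)]


def der_to_pem(der: bytes) -> str:
    """PEM as a TLS stack exports it: base64 in 64-column lines with CRLF."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\r\n" + "\r\n".join(lines) + "\r\n-----END CERTIFICATE-----\r\n"


def stripped_pem_length(pem: str) -> int:
    """Bytes the vulnerable copy writes: the PEM text with CR and LF removed."""
    return len(pem.replace("\r", "").replace("\n", ""))


def overly_long_client_cert(record: bytes, limit: int = STRIPPED_LIMIT) -> bool:
    """Detection rule: would any certificate, exported as PEM and stripped of
    CR/LF, exceed the buffer the connector copies it into?"""
    return any(stripped_pem_length(der_to_pem(der)) > limit for der in parse_certificates(record))


if __name__ == "__main__":
    for name, rec in (("sample", SAMPLE_RECORD), ("oversized", OVERSIZED_RECORD)):
        print(name, certificate_lengths(rec), "flagged" if overly_long_client_cert(rec) else "ok")
```

The stripped length is 52 bytes of BEGIN/END markers plus the base64 body, so the 1024-byte filler becomes 1420 bytes while the 8192-byte one becomes 10976 and is flagged. A real detector would also have to cope with records split across TLS fragments and with certificate chains, which is why the parser returns every certificate rather than just the first.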

MSN Messenger Trojan (May 01, 2009)

SonicWALL UTM Research team discovered a new MSN Messenger-based threat starting April 29, 2009. There are two types of IM threats: those that arrive through the "send a file" functionality of the instant messaging client, and those that arrive through link spamming. This attack is of the latter type: it arrives as links in MSN Messenger messages that pretend to point to image files.

Sample MSN instant message looks like:

  • Your foto on facebook?? http://facebook-images(removed)/view.php?=(your msn account address)
  • You saw this pic?? http://64.32.16.99/images.php?id=(your msn account address)

It performs the following activity on the victim machine:

  • Drops two files, (Temporary Folder)\IXP000.TMP\msns.exe and (Windows Directory)\msnmsgrs.exe [detected as GAV: IRCBot.IUN (Trojan)]
  • Adds the following Registry value to ensure that msnmsgrs.exe starts on every system reboot:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows UDP Control Center = "msnmsgrs.exe"
  • Creates a mutex object named hidpower to mark its presence on the system
  • Tries to connect to the next.hi5photos.mobi domain on TCP port 8080
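A persistence triage for the two autostart locations described in this post and in the ZBot post above, as an added example that is not SonicWALL's code. It runs over a constructed registry and file snapshot so it works offline; on a live Windows host the same functions can be fed the values returned by winreg.QueryValueEx for Winlogon\Userinit and the Run key, and the result of os.path.exists for the drop files. The sample values and the function names are constructed here.

```python
from __future__ import annotations

# Userinit normally holds exactly one entry, userinit.exe, with a trailing
# comma. ZBot appends sdra64.exe so Winlogon launches it at every logon.
SAMPLE_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"

# Constructed Run key: one legitimate value and the one the MSN Trojan writes.
SAMPLE_RUN = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "Windows UDP Control Center": "msnmsgrs.exe",
}

# Files ZBot drops, relative to the Windows system directory.
ZBOT_FILES = ("sdra64.exe", r"lowsec\local.ds", r"lowsec\user.ds", r"lowsec\user.ds.lll")


def userinit_extra_entries(userinit_value: str) -> list[str]:
    """Every Userinit entry other than userinit.exe itself; should be empty."""
    entries = [e.strip() for e in userinit_value.split(",") if e.strip()]
    return [e for e in entries if e.lower().rsplit("\\", 1)[-1] != "userinit.exe"]


def _executable(command: str) -> str:
    """Program path from a Run-key command line (quoted or first token)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def suspicious_run_entries(run_values: dict[str, str], allowed_exes: set[str]) -> list[tuple[str, str]]:
    """Flag Run values whose executable is not on the caller's allowlist, and
    any given as a bare file name, which resolves through the search path."""
    hits = []
    for name, command in run_values.items():
        exe = _executable(command)
        basename = exe.rsplit("\\", 1)[-1].lower()
        if "\\" not in exe or basename not in allowed_exes:
            hits.append((name, command))
    return hits


def zbot_file_artifacts(system_dir: str, existing_paths: set[str]) -> list[str]:
    """ZBot drop files that are present. existing_paths stands in for the
    file system (constructed here; use os.path.exists on a live host)."""
    present = {p.lower() for p in existing_paths}
    return [f"{system_dir}\\{rel}" for rel in ZBOT_FILES
            if f"{system_dir}\\{rel}".lower() in present]


def triage(userinit_value: str, run_values: dict[str, str], allowed_exes: set[str],
           system_dir: str, existing_paths: set[str]) -> dict:
    return {
        "userinit_extra": userinit_extra_entries(userinit_value),
        "run_suspicious": suspicious_run_entries(run_values, allowed_exes),
        "zbot_files": zbot_file_artifacts(system_dir, existing_paths),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_USERINIT, SAMPLE_RUN, {"ctfmon.exe"}, r"C:\WINDOWS\system32",
                    {r"C:\WINDOWS\system32\sdra64.exe", r"C:\WINDOWS\system32\lowsec\user.ds"})
    for key, value in report.items():
        print(key, value)
```

The Userinit check needs no allowlist because the legitimate value is fixed; the Run key does, since every installed product adds to it, so the caller supplies the set of executables it expects. Both Trojans also write under the system directory, which is why the file check is keyed on that path rather than on the user profile.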

The screenshots of the sample messages are shown below:

SAMPLE MESSAGE #1

screenshot

SAMPLE MESSAGE #2

screenshot

If the user clicks on the link, it downloads the malware executable, which has an icon disguised as a JPEG image file and looks like this:

screenshot

When the user tries to open the file, it displays the following Windows dialog box saying "Picture can not be displayed":

screenshot

The Trojan is also known as Virus.Win32.Trojan [Ikarus], BackDoor.IRC.Wisdom [DrWeb], and Win32:Trojan-gen [Avast].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: IRCBot.EMSN (Trojan) signature.

Symantec AMS2 Package Buffer Overflow (May 01, 2009)

Symantec Alert Management System 2 (AMS2) is a component included with various Symantec products such as Symantec System Center, AntiVirus Server and AntiVirus Central Quarantine Server. AMS2 contains a component named the Intel Alert Originator (IAO) service, which runs under the SYSTEM account by default.

The IAO service uses a proprietary protocol to exchange messages with other modules. One of the messages is the BIND message, which has the following format:

 Offset  Size  Description
 ------  ----  -----------------------------------------------------
 0000    8     filled with 0xFF
 0008    6     unknown; seems always to contain 00 00 02 00 95 94
 000E    4     IPv4 address of client
 0012    8     filled with 0x00
 001A    4     message size covering header (N)
 001E    19    unknown
 0031    1     Bind Type (Save=0x02, Remove=0x03)
 0032    8     unknown
 003A    4     Bind Identifier ("BIND")
 003E    17    unknown
 004F    5     Bind Identifier2 ("BIND\x00")
 0054    N-84  Bind Parameters (the header is 0x54 = 84 bytes; N is the total message size)

There is a stack-based buffer overflow vulnerability in the IAO service of AMS2, due to a boundary error when processing crafted "Bind Remove" messages. Specifically, the vulnerable code copies the message parameters into a stack-based buffer without verifying the size of the "Bind Remove" message, so an overly long parameter string can overwrite critical stack data, including function return addresses and the SEH handler structure. By exploiting this vulnerability, an attacker can inject and execute arbitrary code in the security context of the service, which is SYSTEM by default.
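A builder, parser and length check for the BIND message laid out above, as an added example that is not Symantec's or SonicWALL's code. The write-up does not give the byte order of the size field; little-endian is assumed here, as is the 256-byte ceiling on legitimate parameter data, and the function names are chosen for the example. The parser takes the parameter length from the bytes actually present rather than from the size field, since that field is attacker-controlled.

```python
from __future__ import annotations
import struct
from ipaddress import IPv4Address

HEADER_LEN = 0x54                           # 84-byte fixed header; parameters follow
BIND_SAVE, BIND_REMOVE = 0x02, 0x03
CONST_BYTES = b"\x00\x00\x02\x00\x95\x94"   # the six bytes observed constant at offset 8
MAX_PARAMS = 256                            # assumed maximum for legitimate parameter data


def build_bind_message(client_ip: str, bind_type: int, params: bytes) -> bytes:
    """Assemble a BIND message following the layout above."""
    header = (
        b"\xff" * 8
        + CONST_BYTES
        + IPv4Address(client_ip).packed
        + b"\x00" * 8
        + struct.pack("<I", HEADER_LEN + len(params))   # size covering header (assumed LE)
        + b"\x00" * 19
        + bytes([bind_type])
        + b"\x00" * 8
        + b"BIND"
        + b"\x00" * 17
        + b"BIND\x00"
    )
    assert len(header) == HEADER_LEN
    return header + params


def parse_bind_message(data: bytes) -> dict:
    """Decode the fixed header; the parameter block is whatever follows it."""
    if len(data) < HEADER_LEN or data[:8] != b"\xff" * 8:
        raise ValueError("not a BIND message")
    if data[0x3A:0x3E] != b"BIND" or data[0x4F:0x54] != b"BIND\x00":
        raise ValueError("BIND identifiers missing")
    return {
        "client_ip": str(IPv4Address(data[0x0E:0x12])),
        "declared_size": struct.unpack_from("<I", data, 0x1A)[0],
        "bind_type": data[0x31],
        "params": data[HEADER_LEN:],
    }


def is_suspicious_bind(data: bytes, max_params: int = MAX_PARAMS) -> bool:
    """Flag a Bind Remove message that carries more parameter data than any
    legitimate client sends, or whose size field disagrees with its length."""
    try:
        msg = parse_bind_message(data)
    except ValueError:
        return False
    if msg["bind_type"] != BIND_REMOVE:
        return False
    return len(msg["params"]) > max_params or msg["declared_size"] != len(data)


if __name__ == "__main__":
    for label, params in (("normal", b"alert1\x00"), ("oversized", b"A" * 2000)):
        msg = build_bind_message("10.0.0.5", BIND_REMOVE, params)
        print(label, len(msg), "suspicious" if is_suspicious_bind(msg) else "ok")
```

The rule keys on the Bind Type byte at offset 0x31 because the write-up ties the overflow to "Bind Remove" messages; a Save message with the same oversized parameters is left alone, which keeps the check close to the vulnerable code path rather than to message size alone.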

SonicWALL has released an IPS signature that will detect and block a generic attack attempt addressing this issue. The following IPS signature has been released today:

  • 1440 Symantec Alert Management System BO Attempt

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-1430.

Oracle DBMS_AQADM_SYS SQL Injection (April 23, 2009)

Oracle Database is a relational database management system (RDBMS) that provides comprehensive database applications to enterprise-level users. To extend the functionality of the Oracle Database Server, Oracle provides multiple packages of related program objects. The DBMS_AQADM_SYS package is one of them; it provides subprograms to manage the administration of Oracle Streams Advanced Queuing (AQ).

An SQL injection vulnerability exists in the DBMS_AQADM_SYS package. Specifically, the GRANT_TYPE_ACCESS procedure in this package does not sanitize its parameter correctly. The profile of the procedure is listed below:

 Argument Name                  Type       In/Out?
 ------------------------------ ---------- -------
 USER_NAME                      VARCHAR2   IN

The parameter USER_NAME of the procedure is later used in the following SQL statements:

 EXECUTE_STMT('grant execute on sys.aq$_agent to ' || USER_NAME || GRANT_OPT);
 EXECUTE_STMT('grant execute on sys.aq$_dequeue_history to ' || USER_NAME || GRANT_OPT);

A remote attacker with a database session that can call the procedure could exploit this vulnerability by embedding malicious SQL as part of the vulnerable USER_NAME parameter. Successful exploitation would result in modification or manipulation of user permissions in the underlying database.
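The concatenation above written out in Python so that the effect of a hostile USER_NAME is visible, next to the grantee check that should have guarded it; this is an added example, not Oracle's code. The allowlist accepts an unquoted Oracle identifier (a letter followed by up to 29 letters, digits, _, $ or #); inside the database the corresponding guard is DBMS_ASSERT.SIMPLE_SQL_NAME. The user names are made up and the function names are chosen here.

```python
from __future__ import annotations
import re

ORACLE_IDENT = re.compile(r"^[A-Za-z][A-Za-z0-9_$#]{0,29}$")
GRANT_TARGETS = ("sys.aq$_agent", "sys.aq$_dequeue_history")


def build_grant_statements(user_name: str, grant_opt: str = "") -> list[str]:
    """Mirror of EXECUTE_STMT('grant execute on ... to ' || USER_NAME || GRANT_OPT):
    whatever the caller passes becomes part of the statement text verbatim."""
    return [f"grant execute on {target} to {user_name}{grant_opt}" for target in GRANT_TARGETS]


def is_valid_grantee(user_name: str) -> bool:
    """True only for a plain, unquoted Oracle identifier."""
    return ORACLE_IDENT.match(user_name) is not None


def build_grant_statements_checked(user_name: str, grant_opt: str = "") -> list[str]:
    """Hardened form: refuse anything that is not a plain identifier before
    it can reach the statement text, then normalise to upper case."""
    if not is_valid_grantee(user_name):
        raise ValueError(f"rejected grantee: {user_name!r}")
    return build_grant_statements(user_name.upper(), grant_opt)


if __name__ == "__main__":
    for candidate in ("SCOTT", "SCOTT, PUBLIC"):
        print(candidate, "->", build_grant_statements(candidate)[0],
              "| accepted" if is_valid_grantee(candidate) else "| rejected")
```

Checking the identifier rather than escaping it is the right shape for this bug: the value lands in a grant clause, not inside a string literal, so quoting would not help and only a strict allowlist keeps the grantee to a single named user or role.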

SonicWALL UTM team has released an IPS signature to detect and prevent generic attacks addressing this vulnerability. The signature is listed below:

  • 1438 Oracle DB GRANT_TYPE_ACCESS Procedure SQL Injection

This vulnerability has been assigned the CVE identifier CVE-2009-0977.

Oracle OPMN Format String Vulnerability (April 17, 2009)

The Oracle Application Server is a multi-platform application development and deployment system. With every installation of the Application Server comes the Oracle Process Manager and Notification Server (OPMN), which, among other tasks, manages the starting, stopping and monitoring of all applications. The OPMN is an essential part of the Application Server.

The OPMN consists of three components, the Oracle Notification Server, Oracle Process Manager, and Process Manager Modules. Oracle Notification Server (ONS) is the transport mechanism for failure, recovery, startup, and other related notifications between components in Oracle Application Server. Oracle Process Manager (PM) is used to manage Oracle Application Server processes. Finally, the Oracle Process Manager Modules (PM Modules) implement Oracle Application Server component-specific process management functionality.

A format string vulnerability exists in the OPMN service of Oracle Application Server. The specific vulnerability is due to insufficient validation of the URI portion of incoming HTTP requests.
The vulnerable code passes the received URI string directly to an fprintf call as the format argument, without any prior sanitization, in order to write the URI to a local log file. If the URI contains format specifiers such as "%s", "%x" or "%n", fprintf interprets them as conversions: "%x" and "%s" consume values from the stack (disclosing memory, or dereferencing a stack value as a pointer), and "%n" writes the count of bytes output so far to an address taken from the stack. A crafted URI can therefore write attacker-chosen data to critical memory locations, overwriting process-critical data.

A carefully crafted URI intended to exploit this flaw can divert the process flow and consequently result in a system-wide compromise.
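A request-line detector for this bug class, as an added example that is not Oracle's or SonicWALL's code, run over constructed HTTP request lines rather than captured traffic. It percent-decodes the URI once before matching, on the assumption that the web front end decodes the path before OPMN logs it: matching the raw text would miss "%25n" and would also misfire on ordinary paths such as /my%20notes.txt, where "%20n" looks like a width-20 %n. The names (request_uri, format_conversions, is_format_string_attack, scan) and the two-conversion threshold are choices made here.

```python
from __future__ import annotations
import re
from urllib.parse import unquote

# printf conversion: % [argument$] [flags] [width] [.precision] [length] conversion
FORMAT_SPEC = re.compile(
    r"%(?:\d+\$)?[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?(?:hh|h|ll|l|L|q|j|z|t)?([diouxXeEfFgGaAcspn])"
)

SAMPLE_REQUESTS = [                            # constructed, not captured traffic
    "GET /opmn/index.html HTTP/1.0",
    "GET /files/my%20notes.pdf HTTP/1.1",      # raw "%20n" would look like a width-20 %n
    "GET /%n%n%n%n HTTP/1.0",
    "GET /%25x%25x%25n HTTP/1.0",              # %25 hides the % from a literal match
    "GET /%2508x.%2508x.%2508x.%2508x HTTP/1.0",
]


def request_uri(request_line: str) -> str | None:
    """The request-target of a well-formed request line, else None."""
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[1]


def format_conversions(uri: str) -> list[str]:
    """Conversion characters found in the URI after one round of percent-decoding."""
    return FORMAT_SPEC.findall(unquote(uri))


def is_format_string_attack(request_line: str, min_conversions: int = 2) -> bool:
    """A single %n is enough (it is the write primitive); otherwise require a
    run of conversions, since a lone %d or %s can occur in ordinary query strings."""
    uri = request_uri(request_line)
    if uri is None:
        return False
    conversions = format_conversions(uri)
    return "n" in conversions or len(conversions) >= min_conversions


def scan(request_lines: list[str]) -> list[str]:
    return [line for line in request_lines if is_format_string_attack(line)]


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print("ALERT " if is_format_string_attack(line) else "      ", line)
```

Decoding exactly once matches what a typical HTTP front end does; decoding repeatedly would turn "%2525n" into "%n" as well, which the server would not, and is a classic source of false positives.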

SonicWALL has released an IPS signature that will detect and prevent generic attacks targeting this vulnerability. The following signature was created:

  • 1436 – Oracle Application Server OPMN Service Format String Attack

This vulnerability has been assigned the CVE identifier CVE-2009-0993.

Waledac SMS Spy Trojan (April 16, 2009)

Yesterday, SonicWALL UTM Research team observed new variants of Waledac. They have switched to an SMS spy software trial theme, pretending to offer software that lets the user read other people's SMS messages.

In the past, we released SonicAlerts about Waledac pretending to be a Valentine's Day E-Card, a Couponizer program, and a Fake News Story about a Dirty Bomb.

The latest SMS Spy variants do not use IP address geolocation; the message is not customized to the user's city.

The website banks on the user's curiosity and offers a tool to invade privacy and read anyone's mobile phone text messages. For example, it targets jealous boyfriends with taglines such as "Do you really trust her?" and "Are you sure you want to know?" in the spam e-mail used to spread links to the latest Waledac domains. On the website, the "Download Free Trial" link leads to the malware executable.

When executed, this Waledac variant is almost identical in behavior to the previous variant.

The websites used in this attack include:

  • adoresongsxx.com
  • antiterrorisxx.com
  • bakeloafxx.com
  • bestadorexx.com
  • bestcouponfreexx.com
  • bestjournalguidexx.com
  • bestlifeblogxx.com
  • bestlovehelpxx.com
  • bestlovelongxx.com
  • bestusablogxx.com
  • bluevalentineonlinexx.com
  • breakingnewsltdxx.com
  • chatloveonlinexx.com
  • cherishletterxx.com
  • chinamobilesmsxx.com
  • codecouponsitexx.com
  • coralarmxx.com
  • downloadfreesmsxx.com
  • easyworldnewsxx.com
  • freecolorsmsxx.com
  • freeservesmsxx.com
  • fryrollxx.com
  • funloveonlinexx.com
  • funnyvalentinessitexx.com
  • goldfixonlinexx.com
  • goodnewsdigitalxx.com
  • goodnewsreviewxx.com
  • greatcouponclubxx.com
  • greatsalesgroupxx.com
  • greatsvalentinexx.com
  • lastlabelxx.com
  • lovecentralonlinexx.com
  • lovelifeportalxx.com
  • miosmsclubxx.com
  • mobilephotoblogxx.com
  • moneymedalxx.com
  • nuovosmsxx.com
  • photoblogsitexx.com
  • romanticslovingxx.com
  • screenaliasxx.com
  • smsclubnetxx.com
  • smsdirettoxx.com
  • smspianetaxx.com
  • spacemynewsxx.com
  • tagdebtxx.com
  • thecoupondiscountxx.com
  • thevalentineloversxx.com
  • tntbreakingnewsxx.com
  • urbanfearxx.com
  • usabreakingnewsxx.com
  • virtualesmsxx.com
  • wealthleafxx.com
  • wirelessvalentinedayxx.com
  • worldlovelifexx.com
  • worshiplovexx.com
  • youradorexx.com
  • yourbarrierxx.com
  • yourgreatlovexx.com
  • yourvalentinedayxx.com
  • yourvalnetinepoemsxx.com

All domains are registered in China. They resolve to different IP addresses every time they are visited (fast-flux style hosting), and the filenames are rotated as well. Some of the filenames used in this wave are:

  • trial.exe
  • sms.exe
  • smsreader.exe
  • freetrial.exe
  • free.exe
  • promo.exe

SonicWALL Gateway Antivirus detects this new Waledac variant proactively with the GAV: Waledac.gen.2 (Trojan) signature. This generic signature was added on April 13, 2009; it catches 253 different Waledac variants and has recorded 23,387 hits so far.

Here is a screenshot of the malicious website:

screenshot

Microsoft PowerPoint Memory Corruption (April 10, 2009)

The Microsoft PowerPoint presentation application creates and plays complex presentations using audio-visual components. Files created by the application are typically given the file extension ppt and use the proprietary Compound Document format. Application-specific data in this format is stored in streams; the streams containing PowerPoint presentation data are made up of a series of records that start with a generic header, whose structure is shown below:

 Offset  Size     Field
 ------  -------  ------------
 0x0000  uint16   RecVersion
 0x0002  uint16   RecType
 0x0004  uint32   RecLength, n
 0x0008  char[n]  Data

There are two categories of records, Atom records and Container records. An Atom record holds information about an object; a Container record holds atoms and other containers.

A memory corruption vulnerability has been identified in the PowerPoint application. Namely, the processing of two Atom records, TextHeaderAtom (RecType=0xf9f) and OutlineTextRefAtom (RecType=0xf9a), is flawed. When both atoms appear in the same container, the vulnerable code attempts to free a block of allocated memory twice. The resulting memory corruption leads either to termination of the application or to diversion of the process flow. With a carefully crafted malicious ppt document it is conceivable that the vulnerability can be exploited for code injection and execution, although successful code injection through this flaw is not a trivial task.
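A record walker for the stream layout above and a rule that looks for what the vulnerable path needs, as an added example that is not Microsoft's or SonicWALL's code. Assumptions: the header fields are little-endian, a record whose low four RecVersion bits are 0xF is a container (the MS-PPT convention), and DEMO_CONTAINER is a made-up container type used only to build the constructed samples; the RecType values are the ones quoted above. Every RecLength is checked against the enclosing record before it is trusted, so a truncated or lying header is rejected rather than read past.

```python
from __future__ import annotations
import struct

REC_HEADER = struct.Struct("<HHI")      # RecVersion, RecType, RecLength (assumed little-endian)
CONTAINER_VER = 0x000F                  # low nibble 0xF marks a container (MS-PPT convention)
TEXT_HEADER_ATOM = 0x0F9F               # values as quoted in the write-up
OUTLINE_TEXT_REF_ATOM = 0x0F9A
DEMO_CONTAINER = 0x0FF0                 # hypothetical container type for the samples


def atom(rec_type: int, data: bytes) -> bytes:
    return REC_HEADER.pack(0, rec_type, len(data)) + data


def container(rec_type: int, children: list[bytes]) -> bytes:
    body = b"".join(children)
    return REC_HEADER.pack(CONTAINER_VER, rec_type, len(body)) + body


# Constructed samples, not taken from a real .ppt file.
SAMPLE_TRIGGER = container(DEMO_CONTAINER, [atom(TEXT_HEADER_ATOM, b"\x00" * 4),
                                            atom(OUTLINE_TEXT_REF_ATOM, b"\x01\x00\x00\x00")])
SAMPLE_BENIGN = container(DEMO_CONTAINER, [atom(TEXT_HEADER_ATOM, b"\x00" * 4)])
SAMPLE_NESTED = container(DEMO_CONTAINER, [SAMPLE_BENIGN, SAMPLE_TRIGGER])


def parse_records(buf: bytes, start: int = 0, end: int | None = None) -> list[dict]:
    """Parse the records in buf[start:end]; containers are parsed recursively."""
    end = len(buf) if end is None else end
    records, pos = [], start
    while pos < end:
        if pos + REC_HEADER.size > end:
            raise ValueError(f"truncated record header at offset {pos}")
        ver, rec_type, rec_len = REC_HEADER.unpack_from(buf, pos)
        body = pos + REC_HEADER.size
        if body + rec_len > end:
            raise ValueError(f"RecLength at offset {pos} runs past the enclosing record")
        rec = {"ver": ver, "type": rec_type, "offset": pos, "len": rec_len, "children": []}
        if (ver & 0xF) == CONTAINER_VER:
            rec["children"] = parse_records(buf, body, body + rec_len)
        records.append(rec)
        pos = body + rec_len
    return records


def flagged_containers(records: list[dict]) -> list[int]:
    """Offsets of containers whose direct children include both atoms."""
    hits = []
    for rec in records:
        child_types = {c["type"] for c in rec["children"]}
        if {TEXT_HEADER_ATOM, OUTLINE_TEXT_REF_ATOM} <= child_types:
            hits.append(rec["offset"])
        hits.extend(flagged_containers(rec["children"]))
    return hits


def is_well_formed(buf: bytes) -> bool:
    try:
        parse_records(buf)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for name, sample in (("trigger", SAMPLE_TRIGGER), ("benign", SAMPLE_BENIGN), ("nested", SAMPLE_NESTED)):
        print(name, flagged_containers(parse_records(sample)))
```

This is the shape of check the signature text calls infeasible in an IPS: it needs the whole stream to know which container a record belongs to, which is easy in a file scanner and impractical on a packet-by-packet basis.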

SonicWALL has released an IPS signature that will detect and block a specific exploit attempt. Detection of generic exploitation attempts of this flaw is not feasible as that would require a full PowerPoint presentation parser. The following IPS signature has been released to address this vulnerability:

  • 5460 – MS PowerPoint Invalid Object Reference Code Execution PoC

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-0556.

Conficker.E appears (April 9, 2009)

A week after the Conficker.C (Worm) update algorithm became active, infected machines updated themselves to Conficker.E. The update came through the peer-to-peer channel, however, not through the web control domains.

The new variant is an executable EXE file, unlike previous variants, which were DLLs. It is also known as WORM_DOWNAD.E (Trend) and W32.Downadup.E (Symantec). The new variant has the following characteristics:

  • Spreads by exploiting the MS08-067 vulnerability, infecting USB devices, and via weakly protected network shares.
  • Has a self-destruct trigger set for May 3, 2009, when it will deactivate and remove itself.
  • Attempts to connect to the following domains to determine the victim machine's public IP address:
    • www.whatsmyipaddress.com
    • www.ipdragon.com
    • www.findmyip.com
    • www.ipaddressworld.com
    • www.findmyipaddress.com
    • www.myipaddress.com
    • checkip.dyndns.com
    • checkip.dyndns.org
  • It also attempts to connect to the following web sites:
    • myspace.com
    • msn.com
    • ebay.com
    • cnn.com
    • aol.com
  • Listens on TCP port 5453 and advertises the service by sending SSDP discover requests.
  • screenshot

  • Unlike the previous variant, it does not generate 50,000 domains per day; in fact, it does not appear to contact any of the control domains via HTTP. It can still be controlled via P2P.
  • Deletes the original dropped file and removes its file system and registry traces from the infected machine.

The infected machines were also instructed via the Conficker P2P network to:

  • Download hxxp://goodnewsdigitalXXXX.com/XXXX.exe, which is an encrypted copy of a Waledac Trojan. SonicWALL GAV detects the Trojan as GAV: Suspicious#waledac.10 (Worm) and the drive-by site component as GAV: Waledac#html (Trojan). More information related to Waledac Trojan could be found in our SonicAlerts archive.
  • Download rogue antivirus program – Spyware Protect 2009 from spy-protect-2009XX.com, spywrprotect-2009XX.com, or spywareprotector-2009XX.com. The software finds non-existent threats and offers to remove them for $49.95. SonicWALL GAV detects this rogue anti-virus program as GAV: SpywareProtect2009_3 (Trojan).

SonicWALL UTM research team is monitoring the situation and releasing GAV signatures for Conficker variants as soon as they are discovered. SonicWALL Gateway AntiVirus provides protection against Conficker.E with GAV: Conficker.E (Worm) signature.

Below is a screenshot of the rogue AV site, which was still active at the time of writing: screenshot

There are over 3 million computers infected with Conficker worm variants. Below are the hits on our generic signature: hits graph

Mozilla Firefox XSL Vulnerability (April 3, 2009)

Mozilla Firefox is a web browser which is capable of interpreting and rendering HTML, XML, XUL, JavaScript and so on. The XSL engine built into Firefox supports standard Extensible Stylesheet Language (XSL). The XSL family comprises three languages: XSL Transformations (XSLT), XSL Formatting Objects (XSL-FO) and the XML Path Language (XPath).

The xsl:key element is used to declare keys. It takes three attributes: name (the name of the key), match (a pattern selecting the nodes to be indexed) and use (an XPath expression evaluated for each matched node to produce its key value). It has the following format:

[xsl:key element definition missing from this copy]

For example, an XML defined as:

[sample XML document missing from this copy]

An XSL document developer can provide the XPath expression "@id" for the use attribute of the xsl:key element, specifying that the "id" attribute of the company element is to be used as the key value. The XML above can then be transformed into an HTML document containing only the company with id=161787:

[XSL transformation document missing from this copy; its output lists the matching company's Id: and Name:]
A memory corruption vulnerability exists in Mozilla Firefox. Specifically, there is an implementation error when an invalid XPath expression is provided in the use attribute of an xsl:key element. When an XSL transformation runs using such a malicious xsl:key, internal memory is not released properly, leading to memory corruption. A remote attacker could exploit this vulnerability by persuading a target user to open a specially crafted web page; successful exploitation may allow the attacker to execute arbitrary code on the vulnerable system with the privileges of the target user.

The vulnerability has been assigned CVE-2009-1169.

SonicWALL has released IPS signatures to detect and block specific exploitation attempts targeting this vulnerability. The signatures are listed below:

  • 5457 – Mozilla Firefox XSL Transformation Memory Corruption PoC 1
  • 5458 – Mozilla Firefox XSL Transformation Memory Corruption PoC 2