Posts

Mozilla Firefox XSL Vulnerability (April 3, 2009)

/in /by

Mozilla Firefox is a web browser which is capable of interpreting and rendering HTML, XML, XUL, JavaScript and so on. The XSL engine built into Firefox supports standard Extensible Stylesheet Language (XSL). The XSL family comprises three languages: XSL Transformations (XSLT), XSL Formatting Objects (XSL-FO) and the XML Path Language (XPath).

The xsl:key element is used to declare keys. It has the following format:

For example, an XML defined as:




An XSL document developer can provide the XPath expression “@id” for the use attribute of the xsl:key element, arbitrarily specifying that the “id” attribute of the company element is to be interpreted as a key value. The XML above can be transformed into an HTML document containing only the company with id=161787:




  
  
  
    Id:

    Name:
    

  
  
  

There exists a memory corruption vulnerability in Mozilla Firefox products. Specifically, there is an implementation error when an invalid XPath expression is provided for the use attribute of an xsl:key element. When an XSL transform is taking place using a malicious xsl:key, internal memory is not properly released and leads to memory corruption. A remote attacker could exploit this vulnerability by persuading a target user to open a specially crafted web page. Successful exploitation may allow the attacker to execute arbitrary code on the vulnerable system with the privileges of the target user.

The vulnerability has been assigned as CVE-2009-1169.

SonicWALL has released IPS signatures to detect and block specific exploitation attempts targeting this vulnerability. The signatures are listed bellow:

  • 5457 – Mozilla Firefox XSL Transformation Memory Corruption PoC 1
  • 5458 – Mozilla Firefox XSL Transformation Memory Corruption PoC 2

Conficker infections map (April 2, 2009)

/in /by

Here are the maps of all Conficker infections up to April 1, 2009, compiled by the Conficker Working Group. SonicWALL is a proud member of this group.

 

 

For more maps, visit the website of the Conficker Working Group.

Also, Joe Stewart has created a very simple tool that is available at the Conficker Working Group’s website.
Try out this Conficker Eye Chart to check if your computer is infected.

April Conficker (March 30, 2009)

/in /by

Conficker.C variant has been discovered on March 4, 2009.

This variant of the Conficker worm infects the local computer, terminates services, blocks access to numerous security related Web sites and downloads arbitrary code. It can also relay command instructions to other infected computers via built-in peer-to-peer communication. Conficker.C is installed by previous variants of Win32/Conficker.

Other variants of Win32/Conficker infect computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). It may also spread via removable drives and weak administrator passwords.

This new version, however, does not attack new systems. It’s waiting until April 1, 2009. On that date, systems infected with Conficker.C will start trying to contact domains on the Internet for new instructions. Previous versions of Conficker did the same thing, but the domain generation algorithm has been changed in Conficker.C. The new algorithm generates a larger pool of possible domains than the original one. It will generate 50,000 domains names per day and pick random 500 from that set to connect to.

So, the only thing that will happen on April 1st is that already infected computers will start using the new algorithm to locate potential update servers.

SonicWALL UTM research team is monitoring the situation and releasing GAV signatures for Conficker variants as soon as they are discovered. SonicWALL Gateway AntiVirus provides protection against Conficker.C with the following GAV signatures:
* Conficker.C
* Conficker.C_2
* Conficker.C_3
* Conficker.C_4
* Conficker.C_5
* Conficker.C_6
* Conficker.C_7
* Conficker.C_8
* Conficker.gen (Worm)

In addition, the following IPS signatures are related to Conficker:

* 1160 SRVSVC NetPathCanonicalize BO Attempt 1 (MS08-067)
* 1161 SRVSVC NetPathCanonicalize BO Attempt 2 (MS08-067)
* 1174 SRVSVC NetPathCanonicalize BO Attempt 3 (MS08-067)
* 1178 SRVSVC NetPathCanonicalize BO Attempt 4 (MS08-067)
* 1186 SRVSVC NetPathCanonicalize BO Exploit 1 (MS08-067)
* 1190 SRVSVC NetPathCanonicalize BO Exploit 2 (MS08-067)
* 1226 SRVSVC NetPathCanonicalize BO Exploit 3 (MS08-067)
* 1250 SRVSVC NetPathCanonicalize BO Attempt 5 (MS08-067)
* 1257 SRVSVC NetPathCanonicalize BO Attempt 6 (MS08-067)
* 1261 SRVSVC NetPathCanonicalize BO Attempt 7 (MS08-067)
* 5450 Conficker Infected Machine Activity

There were 2 previous SonicAlerts related to this vulnerability:

SonicWALL UTM research team recommends to ensure that systems are patched with MS08-067, security software signatures are updated, and systems that are infected with any variant of Conficker are cleaned and network passwords are strong to prevent Conficker variants from spreading.

Adobe Reader geticon Buffer Overflow (Mar 27, 2009)

/in /by

Adobe Reader (formerly Acrobat Reader) is a ubiquitous application for viewing PDF (Portable Document Format) documents.

Since version 4.0, Acrobat includes JavaScript functionality allowing for customization and extensibility. Acrobat JavaScript is an extension of the core JavaScript which adds Acrobat-specific classes that enable the author to manage document related tasks. These classes include app, dbg, console, SOAP, ADBC, util, etc.

The app.Collab object provides the getIcon method, which accepts an string argument that serves as the name of an icon. The supplied path string must contains one of “N”, “D”, “H” characters followed by a “.” character. For example:

app.Collab.getIcon(“A_EmailDistribute_110x64_N.png”)

There exists a buffer overflow vulnerability in Adobe Reader. Specifically, the vulnerability is due to incorrect validation of values supplied to the “app.Collab.getIcon()” JavaScript function. By providing a overly long string to the function, the stack-based buffer will be overrun. The buffer overflow condition could allow for overwriting return address and SEH structure on the stack.

An attacker can exploit this vulnerability by enticing a user to open a crafted PDF document. Successful exploitation would allow for arbitrary code injection and execution with the privileges of the currently logged in user. Code injection that does not result in execution would terminate the application due to memory corruption.

The vulnerability has been assigned as CVE-2009-0927.

SonicWALL has released a IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed bellow:

  • 5446 – Adobe Acrobat JavaScript getIcon Method BO Attempt

New Buzus Trojan (Mar 27 2009)

/in /by

–Updated March 27, 2009—

SonicWALL UTM Research team saw a third wave of DHL Tracking number invoice spam with different attachment payloads starting late afternoon on March 26, 2009.

SonicWALL Gateway Antivirus provides protection against this new wave via GAV: Zbot.JJP (Trojan) signature. Total Signature hits recorded since yesterday – 872,128 hits (Signature statistics image below)

————————————————

–Updated March 26, 2009—

SonicWALL UTM Research team saw a new wave of DHL Tracking number invoice spam with different attachment payloads starting March 25, 2009.

SonicWALL Gateway Antivirus provided proactive protection against this new wave via GAV: Suspicious#waledac.8 (Worm) signature that was released on March 9, 2009. Total Signature hits recorded since yesterday – 576,942 hits (Signature statistics image below)

————————————————

–Original publish date: March 23, 2009—

SonicWALL UTM Research team observed a new wave of the on-going Tracking number invoice spam campaign starting Sunday, March 22, 2008. The email has a zip archived attachment which contains the new Buzus Trojan variant.

SonicWALL has received more than 1,700 e-mail copies of this malware till date. The e-mail looks like following:

Attachment: DHL_DOC.zip (contains DHL_DOC.exe)
Update [March 26, 2009]:
Attachment: DHL_HELP.zip (contains DHL_HELP.exe)
Update [March 27, 2009]:
Attachment: dhl_n756512.zip (contains dhl_n756512.exe)

Subject: DHL Tracking number #[15 digit alphanumeric ID]

Email Body:
————————
Hello!

We were not able to deliver postal package you sent on the 14th of March in time because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office.

Your personal manager: Nathan Lund,
Customer Service: 1-800-CALL-DHL
Fax: 888-221-6211
DHL International, Ltd. All Rights Reserved.
————————

Update [March 26, 2009]: The executable file inside the zip attachment in the new wave has an icon disguised as a Microsoft Help file and it looks like following:

screenshot

The executable file inside the zip attachment has an icon disguised as a Microsoft Word document file and it looks like following:

screenshot

Update [March 27, 2009]: A screenshot of a sample e-mail for the third wave is shown below:

screenshot

Update [March 26, 2009]: A screenshot of a sample e-mail for the second wave is shown below:

screenshot

A screenshot of a sample e-mail is shown below:

screenshot

The Trojan when executed performs following host level activity:

  • Creates a directory lowsec in Windows System folder
  • Creates files local.ds, user.ds, and user.ds.lll in the lowsec directory
  • Drops a copy of itself as sdra64.exe in Windows system directory

It modifies the following Registry key for running sdra64.exe on system reboot:

  • HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonUserinit: “(System_Dir)userinit.exe,(System_Dir)sdra64.exe,”

It also tries connect and download an encrypted configuration file from the following URL:

  • mn-room.ru/phpbb/dir.cfg

The Trojan is also known as DR/Delphi.Gen [AntiVir], trojan W32/Trojan3.AIY [F-Prot], and VirTool:Win32/DelfInject.gen!J [Microsoft]

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Buzus.ARQX (Trojan),GAV: Suspicious#waledac.8 (Worm) and GAV: Zbot.JJP (Trojan) signatures.

screenshot

screenshot

screenshot

Oracle Secure Backup Memory Corruption (Mar 20, 2009)

/in /by

Oracle Secure Backup is a centralized tape backup management solution that provides data protection for heterogeneous file systems and the Oracle database. It uses the Network Data Management Protocol (NDMP) protocol to administer and perform backup tasks for all clients.

The NDMP protocol is designed to make every network attached storage device “backup ready”, enabling true plug-and-play backup operation. With the NDMP approach, each network-attached file server ships with a “universal agent”, which can be used by any NDMP-compliant backup administration application.

There is a memory corruption vulnerability in Oracle Secure Backup. The vulnerability is triggered during processing the malformed NDMP requests NDMP_CONNECT_OPEN or NDMP_CONNECT_CLOSE. The issue is due to the vulnerable code improper handle the Error field of the requests, and refers to a non-allocated memory. This operation will cause the NDMP process instance terminated immediately.

SonicWALL UTM team has developed the following signatures to detect/prevent attack attempts addressing this issue.

  • 5034 Symantec Veritas Backup Exec Agent Error Status DoS
  • 5431 Oracle Secure Backup NDMP Handling DoS

Waledac Terror Attack Trojan (March 18, 2009)

/in /by

This week, SonicWALL UTM Research team observed new variants of Waledac. They switched to using a terror attack theme: by spoofing news agency Reuters website and sending emails that link to the spoofed site.

These Waledac variants incorporate IP address geolocation, just like the previous Couponizer attack, which is a way of determining a user’s location based on the IP address. The user’s IP address is queried to determine its location, then the results of that query are put into the webpage.

The website claims that a “dirty bomb” exploded in the user’s city and that at least 12 people have been killed. A video from Reuters is shown but “You need the latest Flash player to view video content. Click here to download.” The alleged missing codec file is the malware executable.

The websites used in this attack include:

  • adorelyricxx.com
  • bestcouponfreexx.com
  • bestlovelongxx.com
  • codecouponsitexx.com
  • funloveonlinexx.com
  • funnyvalentinessitexx.com
  • goodnewsdigitalxx.com
  • greatcouponclubxx.com
  • greatsalesavailablexx.com
  • supersalesonlinexx.com
  • youradorexx.com
  • worldtracknewsxx.com

These domains resolve to different IP addresses every time they are visited. The filenames are also rotated. Some of the filenames used in this wave are:

  • contact.exe
  • run.exe
  • print.exe
  • save.exe
  • main.exe
  • news.exe

When executed this Waledac variant is almost identical in its behavior to the previous variant.

SonicWALL Gateway Antivirus will detect this new Waledac variant with GAV: Suspicious#waledac.8 (Worm) signature.

SonicWALL UTM Research team recommends to mouse-over the links on any page and verifying they do not go to an EXE file to avoid being infected with malware.

Here is a screenshot of the malicious website:

screenshot

New Infostealer Trojan (Mar 13, 2009)

/in /by

SonicWALL UTM Research team observed a new spam campaign starting March 13, 2009 which involves a fake e-mail pretending to be arriving from Bank of America Support system.

The email informs user that the automatic installation for Bank of America certificate component failed and they need to follow the instructions to get it installed. The email contains a malicious link that leads to the download of the new Infostealer Trojan.

SonicWALL has seen more than 8000 e-mail copies for this malware since March 13, 2009 9 AM PST. The e-mail messages looks like below:

Email #1:

screenshot

Email #2:

screenshot

Email #3:

screenshot

When the user clicks on the link in the e-mail, it opens up a fake Bank of America page that displays a demo video frame on how to install Digital Certificate. When the user tries to play the video, it prompts the user to download a Adobe flash player update which is the Trojan executable as seen below:

screenshot

screenshot

Upon execution, it performs following activities:

  • Drops following files on the target system:
    • (Windows_Dir)9129837.exe [Detected as GAV: Papras.JD (Trojan) ]
    • (Windows_Dir)new_drv.sys [Detected as GAV: Agent.EX (Trojan) ]
    • (Desktop)abcdefg.bat
  • Makes following modifications to Windows Registry:
    • Creates: HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRuntool = “(Windows_Dir)9129837.exe”
    • Creates: HKLMSYSTEMControlSet001Servicesnew_drvImagePath: “(Windows_Dir)new_drv.sys”
  • Attempts to send GET requests containing victim machine information to following IP address:
    • 58.65.232.17

The Trojan has very low detection at the time of writing this alert. It is also known as Infostealer.Snifula.B [Symantec] and Trojan-PSW:W32/Papras.DK [F-Secure].

SonicWALL Gateway Antivirus provides protection against this malware via GAV: Papras.JD (Trojan) signature.

Microsoft Security Bulletin Coverage (Mar 13, 2009)

/in /by

Microsoft has released three security bulletins MS09-006, MS09-007 and MS09-008 for March 2009 this week, which include 8 vulnerabilities. One of the bulletins, MS09-006, was assessed as Critical severity by Microsoft, and it is a client-side related advisory. The other two bulletins MS09-007 and MS09-008 are assessed as Important, and they are server-side related advisories. SonicWALL UTM team has analyzed each security bulletin and released IPS signatures that detect/prevent potential attacks leveraging these vulnerabilities.

MS09-006 Vulnerabilities in Windows Kernel Could Allow Remote Code Execution (958690)

Windows Kernel Input Validation Vulnerability – CVE-2009-0081
  • IPS: 5427 MS GDI32 Polyline BO PoC (MS09-006)
Windows Kernel Handle Validation Vulnerability – CVE-2009-0082
  • The vulnerability is limited to local system and is not remotely exploitable.
Windows Kernel Invalid Pointer Vulnerability – CVE-2009-0083
  • The vulnerability is limited to local system and is not remotely exploitable.

MS09-007 Vulnerability in SChannel Could Allow Spoofing (960225)

SChannel Spoofing Vulnerability – CVE-2009-0085
  • The vulnerability is a design error, and it occurs only when the client doesn’t send a certificate verify message to the server. It can not be detected by signatures as they are legitimate traffic.

MS09-008 Vulnerabilities in DNS and WINS Server Could Allow Spoofing (962238) )

DNS Server Query Validation Vulnerability – CVE-2009-0233
  • The vulnerability is triggered by poisoning the DNS server with case-sensitive words alias different IP addresses, such as, www.abc.com and www.ABC.com resolved to different IP addresses. It can not be detected by signatures as they are legitimate traffic.
DNS Server Response Validation Vulnerability – CVE-2009-0234
  • The vulnerability is due to improper handling of flooding DNS messages with query type ANY. It can not be detected by signatures as they are legitimate traffic.
DNS Server Vulnerability in WPAD Registration Vulnerability- CVE-2009-0093
  • 5422 MS DNS Server WPAD Registration Spoofing PoC (MS09-008)
  • 5426 MS DNS Server WPAD Registration Spoofing PoC 2 (MS09-008)
WPAD WINS Server Registration Vulnerability – CVE-2009-0094
  • 5425 MS WINS Server WPAD Registration Spoofing PoC (MS09-008)

Besides enabling prevention for these signatures, customers are advised to run Windows Update and get latest patches from Microsoft in order to maximize the protection against potential exploits.

Nullsoft Winamp CAF Buffer Overflow (Mar 6, 2009)

/in /by

Nullsoft Winamp is a widely used multimedia player application that is capable of playing numerous media file formats. In addition to playing CD tracks, MPEG, and the popular MP3 format, Winamp also plays Apple’s Core Audio Format (CAF) files.

The CAF file is meant to store and manipulate digital audio data. The format of this specification consists of a simple header followed by data chunks. The first chunk of a CAF file is called the Audio Description chunk, and is required to immediately follow the header. This chunk describes the format of the data.
A breakdown of the Audio Description chunk is shown:

 offset  size     description ------- -------- ------------------------------------------------ 0x0000  4        chunk type ('desc') 0x0004  8        chunk size (sizeof(data)) 0x000c  var      data

The structure of the data field can be broken down as follows: 

 offset  size     description ------- -------- ------------------------------------------------ 0x0000  8        sample rate 0x0008  4        format ID 0x000c  4        format flags 0x0010  4        bytes per packet 0x0014  4        frames per packet 0x0018  4        channels per frame 0x001c  4        bits per channel

An integer overflow vulnerability exists in Winamp’s processing of CAF files. Specifically, the flaw is due to lack of validation of a field value in the Audio Description chunk. Under specific circumstances, the code will use a value, directly derived from the said chunk, in a calculation of a heap buffer size. The affected value can be manipulated to cause an integer overflow which will result in the allocation of a buffer of insufficient size.
Remote attackers may exploit this vulnerability by enticing the target user to open a malicious CAF file using a vulnerable version of Winamp. Successful exploitation may cause a heap buffer overflow that results in process flow diversion.

SonicWALL has released an IPS signature to detect and block specific exploits targeting this vulnerability. The following signature addresses this issue:

  • 5417 – Nullsoft Winamp CAF File Processing Integer Overflow PoC