New Autorun.inf worm variant (Jan 30, 2009)

SonicWALL UTM Research team observed a new Autorun.inf worm variant starting on Monday, January 26, 2009. It has IRC bot functionality and spreads via network shares or by exploiting Windows vulnerabilities.

SonicWALL has received 7 copies of this network-aware worm. It performs the following activities when executed:

Host level activities

  • Disables Task Manager
  • Disables Registry Tools
  • Disables Notifications for Firewalls and various AntiVirus Tools
  • Copies itself to %windir%\system32\drivers\SCtri.exe and adds a registry entry so that it runs every time the system reboots
  • Infects USB drives by dropping an autorun.inf file and a copy of itself (SCtri.exe), so that whenever the infected USB drive is connected to a machine with AutoRun enabled, that machine is infected as well
  • Modifies the tcpip.sys file to conceal its network traffic from local capture by well-known sniffers (e.g. Wireshark)
  • Includes anti-VM and anti-debugging code

Network level activities

  • Scans the network for SMB shares with weak passwords and infects them. The list of passwords it tries looks like the following:
    • server
    • asdfgh
    • asdf
    • password
    • access
    • pass1234
    • administrador
    • 654321
    • 123456
    • 12345
    • 1234
    • root
    • admin
    • administrator
  • Also spreads across the network by exploiting the Windows vulnerabilities MS04-011 and MS08-067
  • Tries to resolve multiple domains (baldmanpower.[com/net/org] and kutlufamily.com) and connects to an IRC server on port 80, where it listens for commands
  • Has RxBot-family IRC bot functionality

The worm is also known as Exploit:Win32/MS06040.gen [Microsoft], IRC/SdBot trojan [ESET], and Worm/SdBot.735232.1 [AntiVir]

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: SdBot.NW (Worm) signature [798 hits recorded].


Oracle Secure Backup uname Vulnerability (Jan 23, 2009)

The Oracle Secure Backup product is a centralized tape backup management solution. The server acts as a management host for network connected storage devices as well as multi-platform distributed hosts. Communication between the server and hosts is SSL encrypted. The server can be administered remotely through a web interface. The interface requires the administrator to login before any administrative tasks are performed. The login procedure is handled by the CGI script login.php. A normal request to the login.php script may look as follows:

GET /login.php?attempt=1&uname=admin&passwd=test HTTP/1.1

The uname and passwd variable values are passed on to verification functions contained in another script, common.php, on the backend. These functions eventually call a shell utility on the server host, using one of the supplied CGI values as an argument to the utility. Specifically, the PHP code builds and executes the following command:

$rbtool_auth --gui -u $username lsuser -s $username

A command injection vulnerability exists in the aforementioned scripts. The flaw exists because user input is not sufficiently sanitized before it is used in command line arguments to the shell utility. The value supplied in the CGI variable uname is not stripped of metacharacters that may affect the execution of the shell utility. Metacharacters such as '&' and '|' can be used to inject unrelated and possibly malicious commands, which are executed in the security context of the Oracle Secure Backup server. The following example URL demonstrates the problem:

https://vulnerable.host.com/login.php?attempt=1&uname=%26+calc.exe

The above example will translate to the following shell command:

rbtool_auth --gui -u & calc.exe lsuser -s & calc.exe

The vulnerability may be exploited by unauthenticated users to execute commands on the target host. This flaw allows for fairly complex exploitation attempts as there are many methods of encoding malicious strings in a URI. Successful exploitation may allow an attacker to take complete control over an affected system. SonicWALL has released a signature to detect and block specific exploitation attempts targeting this vulnerability. The following IPS signature has been released:

  • 5361 – Oracle Secure Backup uname Command Injection PoC
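As an added illustration (not Oracle's code and not part of the original alert), the Python below models the command construction described above: the string-interpolated form that reproduces the shell command shown, beside an allowlisted argv-based form, plus a request-level check in the spirit of the IPS signature. rbtool_auth is the tool named in the alert; all function names and the allowlist are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Added example, not Oracle's code: a Python reconstruction of the flaw the
# alert describes. The real code is PHP; names below are assumptions.

SHELL_META = set("&|;$`<>()\n\r\"'\\")  # characters a shell would interpret


def build_auth_command_vulnerable(username: str) -> str:
    """Mirror of '$rbtool_auth --gui -u $username lsuser -s $username': the
    value is interpolated into one string that a shell parses, so shell
    metacharacters in the name split it into additional commands."""
    return f"rbtool_auth --gui -u {username} lsuser -s {username}"


def build_auth_command_safe(username: str) -> list:
    """Hardened form: validate against an allowlist, then build an argv list.
    Handed to subprocess.run(argv) without shell=True, each element stays a
    single argument, so '& calc.exe' can never start a second command."""
    ok = username and len(username) <= 64 and all(c.isalnum() or c in "._-" for c in username)
    if not ok:
        raise ValueError("invalid username")
    return ["rbtool_auth", "--gui", "-u", username, "lsuser", "-s", username]


def uname_from_request(request_line: str) -> str:
    """Decoded uname CGI value from a request line such as
    'GET /login.php?attempt=1&uname=%26+calc.exe HTTP/1.1' (%26 -> '&', '+' -> ' ')."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return ""
    query = urlsplit(parts[1]).query
    return parse_qs(query, keep_blank_values=True).get("uname", [""])[0]


def detect_uname_injection(request_line: str) -> bool:
    """Detection heuristic: flag a login.php request whose decoded uname
    carries any shell metacharacter. Decoding first matters, because the
    alert's example sends the ampersand percent-encoded as %26."""
    parts = request_line.split(" ")
    if len(parts) < 2 or not urlsplit(parts[1]).path.endswith("/login.php"):
        return False
    return any(c in SHELL_META for c in uname_from_request(request_line))
```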

New Waledac Trojan (Jan 23, 2009)

SonicWALL UTM Research team observed a new variant of the Waledac Trojan in the wild starting today, Thursday, January 23, 2009. Waledac was first seen on the Internet a day before Christmas (Dec 24, 2009), and since then multiple variants have been spammed in the wild.

Waledac arrives via an e-mail that contains a link to the Trojan. A sample URL spammed for the newest variant of Waledac looks like the following:

  • wlt.goodnewsdigital.com?cardnum=(REMOVED)

If the user clicks on the link, the Trojan is downloaded with one of the following filenames:

  • onlyyou.exe
  • love.exe
  • you.exe
  • youandme.exe
  • meandyou.exe

When executed, the malware performs the following tasks:

  • Adds the following registry key to ensure that the Trojan is executed every time the system reboots:
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PromoReg: "(PATH)\(FILENAME)"
  • Sends out e-mail messages containing the malicious URL to e-mail addresses harvested from the local machine. It contains the following IP addresses, encrypted inside the binary file:


The malware sends the following HTTP requests to the above IP addresses, most of them with a Content-Length of 957 bytes:

  • POST /zzmk.htm HTTP/1.1
  • POST /smphsfmsdll.htm HTTP/1.1
  • POST /xbqbqkhnd.htm HTTP/1.1
  • POST /zmqwyliet.png HTTP/1.1
  • POST /irpswjczfew.htm HTTP/1.1

The malware has very low AV detection (2/32) at the time of writing this Security Alert. SonicWALL Gateway Antivirus detects this new Waledac variant as GAV: Waledac.Z (Trojan).

Northwest Airlines spam (Jan 12, 2009)

SonicWALL UTM Research team observed a new spam campaign starting on Monday, January 12, 2009, which involves a fake e-mail purporting to come from Northwest Airlines and to contain an airline ticket. The e-mail has a zip-archived attachment which contains a new Trojan.

SonicWALL has received more than 2,000 e-mail copies of this malware so far. The e-mail looks like the following:

Attachment: NorthwestAirlines.zip (contains NorthwestAirlines.exe) or eTicket.zip (contains eTicket.exe)

From: Northwest Airlines (tickets at nwa.com) [Spoofed Email Address]

Subject:

  • E-ticket #(10 digit random number)

Email Body:
————————
Hello!

Thank you for using our new service “Buy Northwest Airlines ticket Online” on our website.
Your account has been created:

Your login: (random email address)
Your password: passXXXX (where X = [0-9] OR [A-Z])

Your credit card has been charged for $4NN.NN. (N=0-9)
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the Northwest Airlines ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards,
Mel Michael
Northwest Airlines
————————

The executable file inside the zip attachment has an icon disguised as a Microsoft Word document. When executed, the Trojan performs the following host-level activities:

  • Creates a directory twain32 in the system folder and drops files user.ds.lll, user.ds, and local.ds in it.
  • Drops a copy of itself as SYSTEM32\twex.exe

It modifies the following Registry key for itself:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "SYSTEM32\userinit.exe,SYSTEM32\twex.exe,"

It also tries to connect and download files from the following URLs:

  • 91.211.65.33/ferrari/admin.bin

The Trojan is also known as Win32/Spy.Zbot.DZ trojan [Eset], trojan W32/Trojan3.UW [F-Prot], and TR/Spy.ZBot.jzb [AntiVir]

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Pakes.ARF (Trojan) signature [12,696 hits recorded].


Oracle TimesTen Format String Flaw (Jan 16, 2009)

The TimesTen In-Memory Database product from Oracle is used for real-time data management in performance-critical environments. Amongst other applications, it can be used as a high performance cache for an Oracle Database.

The product includes various services that provide different functionalities and user access points. One of these services is a scaled-down HTTP server running on port 17000/TCP. A typical request sent to the server is shown below:

GET evtdump?msg=thisisatest HTTP/1.0\r\n

The TimesTen Database generates transaction logs of the HTTP connections. Log generation is enabled by default in the product. All transactions that fail, as well as requests that are in any way invalid, are logged by the service.

A format string vulnerability exists in the Oracle TimesTen Database product. The flaw lies in the transaction logging function. The method that generates the logs does not sufficiently sanitize user input before passing it internally as an argument to printf-like functions. When a request comes in to the HTTP server, the URI is inspected for illegal character sequences such as format specifiers like "%n". If any format specifiers are found in the URI, the request is considered invalid and, as such, must be logged. It is then passed on to the logging function without being sanitized. The logging function calls snprintf, passing the user-supplied URI as the format string parameter. Since the URI contains format string specifiers, snprintf interprets them as such. This results in memory corruption, which may lead either to diversion of process flow or to termination of the vulnerable service.

Remote unauthenticated users could exploit this flaw by sending a malicious request to the affected service. Successful exploitation may allow a malicious user to execute arbitrary code on the target host. SonicWALL has released an IPS signature to detect and block limited exploit attempts targeting this vulnerability. The following IPS signature has been released to address this vulnerability:

  • 1318 – Oracle TimesTen In-Memory Database evtdump Format String Attempt
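Added example, not Oracle's or SonicWALL's code: a detection check over request lines of the form shown above. It percent-decodes the URI before looking for printf conversions, so an encoded %25n is caught as well as a bare %n (which is not a valid escape and survives decoding unchanged). The function names and the evtdump path test are assumptions.

```python
import re
from urllib.parse import unquote

# Added example, not Oracle's or SonicWALL's code. Request lines follow the
# alert's form: 'GET evtdump?msg=thisisatest HTTP/1.0\r\n'.

# printf-style conversion: % flags width .precision length-modifier conversion
FORMAT_SPEC = re.compile(
    r"%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|L|q|j|z|t)?[diouxXeEfFgGaAcspn]"
)


def decoded_uri(request_line: str) -> str:
    """URI of the request line after percent-decoding. unquote leaves
    sequences that are not valid %XX escapes (a bare %n, say) untouched, so
    both '%n' and its encoded form '%25n' end up as '%n'."""
    parts = request_line.strip().split(" ")
    if len(parts) < 2:
        return ""
    return unquote(parts[1])


def format_specifiers(request_line: str) -> list:
    """Every printf conversion present in the decoded URI. The alert says the
    service logs such 'invalid' requests through snprintf with the URI as
    the format argument; this enumerates exactly what snprintf would act on."""
    return FORMAT_SPEC.findall(decoded_uri(request_line))


def is_evtdump_format_string_attempt(request_line: str) -> bool:
    """Signature-style check: an evtdump request whose decoded URI carries at
    least one conversion specifier. %n (a write) is the classic primitive,
    but %x/%s variants used for leaks and crashes are flagged as well."""
    uri = decoded_uri(request_line)
    if "evtdump" not in uri.split("?", 1)[0]:
        return False
    return bool(FORMAT_SPEC.search(uri))
```

A literal "%s" in a legitimate msg value would also trigger this check; on a service that treats such requests as invalid anyway, that is an acceptable trade-off.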

YouTube Messaging used to spread Trojan (Jan 09, 2009)

SonicWALL UTM Research team observed a new Trojan being spammed starting today, Friday, January 09, 2009, via the YouTube messaging service. The YouTube message contains a link that claims to be a video file but points to a new Renos Trojan.

The Trojan is packed with UPX and performs the following activities:

  • Deletes the original copy of the file
  • Downloads malicious files from the following URLs:
    • xxxx://89.149.206.82/balamutra.php
    • xxxx://89.149.207.114/cfg/(REMOVED)/video20879.cfg
    • xxxx://94.247.2.117/cfg/(REMOVED)/video20879.cfg
    • xxxx://69.46.16.99/lr/11.php?(REMOVED)
    • xxxx://69.46.16.99/lr/11.php?(REMOVED)
    • xxxx://94.247.2.112/fanta/(REMOVED)
    • xxxx://69.46.16.99/lr/12.php?(REMOVED)
  • Sends POST requests to the following URLs:
    • xxxx://89.149.236.200/(REMOVED)/t.gif
    • xxxx://74.50.99.129/1.php

The original alert included a screenshot of the YouTube message.

The Trojan is also known as Trojan-Downloader.Win32.Renos [Ikarus], TrojanDownloader:Win32/Renos.gen!BB [Microsoft], and TR/Crypt.XPACK.Gen [AntiVir]

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Renos_21 (Trojan) signature.

SAP GUI Heap Overflow Vulnerability (Jan 08, 2009)

In SAP’s 3-tier architecture of database, application server and client, SAPGUI (client) is the platform used for remote access to the SAP central server in a company network.

SAPGUI for the Windows environment ships with an ActiveX control component named TabOne. TabOne has a method named AddTab, which expects a Caption string parameter. The ActiveX control allocates a heap-based buffer when it is instantiated. Each time AddTab() is called, the Caption parameter is appended to the string in that buffer, prefixed with a "|" character.

A heap buffer overflow vulnerability exists in the TabOne ActiveX control (the vulnerability has been assigned CVE-2008-4827). Because the AddTab method performs no proper boundary check, an excessive number of Caption strings overflows the destination buffer. An attacker could host a crafted web page and entice a user to visit it. When a victim who has the vulnerable software installed views the web page, a heap buffer overflow occurs. Successful exploitation would lead to arbitrary code execution with the privileges of the currently logged-in user.

SonicWALL has released the following IPS signatures, which detect and prevent the instantiation of the TabOne ActiveX control. The signatures addressing this vulnerability are:

  • 3708 SAP GUI TabOne ActiveX Control Instantiation 1
  • 3723 SAP GUI TabOne ActiveX Control Instantiation 2

SQL Server Stored Procedure Overflow (Jan 02, 2009)

Microsoft SQL Server is a relational database management system. It uses Transact-SQL (T-SQL) for querying and modifying data and for managing databases. SQL Server provides a wide range of stored procedures. A stored procedure is a group of Transact-SQL statements compiled into a single execution plan. One such stored procedure is sp_replwritetovarbin. It can be called using the EXEC statement:

EXEC master.dbo.sp_replwritetovarbin

A buffer overflow vulnerability exists in Microsoft SQL Server. Specifically, the flaw is due to a boundary error in the implementation of the sp_replwritetovarbin stored procedure. The vulnerable procedure does not check whether the supplied output varbinary buffer is large enough for the copy operation. By supplying an insufficiently small varbinary object as the output buffer parameter and/or an overly large string argument to sp_replwritetovarbin, an authenticated user can trigger the buffer overflow. Successful exploitation could lead to arbitrary code execution in the context of the vulnerable SQL Server process.

The vulnerability has been assigned CVE-2008-5416 and is covered by Microsoft KB961040.

Since the procedure, sp_replwritetovarbin, is proprietary to Microsoft and its interface is not published, it is believed that the procedure is rarely used for legitimate purposes.

SonicWALL has released the following IPS signatures, which detect and prevent invocation of the sp_replwritetovarbin stored procedure. The signatures addressing this vulnerability are:

  • 1286 SQL Server sp_replwritetovarbin Procedure Attempt (Unicode)
  • 1292 SQL Server sp_replwritetovarbin Procedure Attempt (ASCII)
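Added example, not Microsoft's or SonicWALL's code: it models why the alert needs both an ASCII and a Unicode signature. TDS carries a SQL batch as UCS-2/UTF-16LE text, so on the wire each letter of the procedure name is followed by a NUL byte and an ASCII-only pattern would miss it. The packet builder is a constructed, simplified TDS layout and the function names are assumptions.

```python
# Added example, not Microsoft's or SonicWALL's code.

PROC_NAME = "sp_replwritetovarbin"
PATTERNS = {
    "ASCII": PROC_NAME.encode("ascii"),        # 's','p','_',...
    "Unicode": PROC_NAME.encode("utf-16-le"),  # 's',0,'p',0,'_',0,...
}


def build_sqlbatch_packet(batch: str) -> bytes:
    """Constructed, simplified TDS SQLBatch packet: an 8-byte header (type 0x01
    SQL batch, status 0x01 end-of-message, big-endian total length, SPID,
    packet id, window) followed by the batch text in UTF-16LE. Real packets
    may carry further headers; enough here to show the wire encoding."""
    text = batch.encode("utf-16-le")
    length = 8 + len(text)
    header = bytes([0x01, 0x01]) + length.to_bytes(2, "big") + bytes([0, 0, 1, 0])
    return header + text


def find_replwritetovarbin(payload: bytes) -> list:
    """Encodings in which the procedure name occurs in the payload, mirroring
    the two signatures. Lowercasing makes the match case-insensitive, as
    T-SQL identifier resolution is on default collations; bytes.lower()
    touches only ASCII letters, so the NUL bytes of UTF-16LE are preserved."""
    lowered = payload.lower()
    return [name for name, pattern in PATTERNS.items() if pattern in lowered]


def is_replwritetovarbin_invocation(payload: bytes) -> bool:
    """True when either encoding of the procedure name is present; given the
    alert's note that the procedure is rarely used legitimately, any hit
    is worth an alert on its own."""
    return bool(find_replwritetovarbin(payload))
```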

New UPS ZBot Trojan spam (Dec 18, 2008)

SonicWALL UTM Research team observed a new wave of the on-going UPS invoice spam campaign starting Wednesday, December 17, 2008. The email has a zip archived attachment which contains the new ZBot Trojan variant.

SonicWALL has received more than 1,500 e-mail copies of this malware to date. The malware is spread in the same way as the previous ZBot variant of Nov 21 (described here), but the sample has been updated to thwart antivirus detection.

The behavior is identical to the previous variant, except that this one downloads its encrypted configuration file from a different location:

  • GAV: Zbot.GSV (Nov 21, 2008) – pavelmoous.ru/pavel/conf.bin
  • GAV: Zbot.GAB (Dec 17, 2008) – reservpptppp20.ru/igor.bin

At this time only 6 antivirus vendors detect this malware.

The Trojan is also known as Trojan-Spy.Win32.Zbot.idq [Kaspersky], Mal/Zbot-G [Sophos], and TR/Spy.ZBot.IAX [AntiVir].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Zbot.GAB (Trojan) and GAV: Zbot.GAA (Trojan) signatures.

The GAV: Zbot.GAB (Trojan) signature received more than 55,000 hits in the last 24 hours, demonstrating that this malware is very active in the wild at the moment. The following figure shows the hits per hour so far.

JavaScript Code Injection Summary (Dec 17, 2008)

JavaScript is a scripting language widely used for client-side web development. It is so popular that most web pages on the Internet contain JavaScript code. JavaScript gives users a great deal of functionality and flexibility. However, it also gives attackers a convenient way to inject JavaScript code and thereby exploit and control target servers.

JavaScript Injection has multiple forms, including JavaScript cookie modification, JavaScript HTML form modification and some forms of Cross Site Scripting. For example, simply injecting the following JavaScript code can bypass some authorization checks for a malicious user:

javascript:void(document.cookie="authorization=true");

Besides the common JavaScript Injection methods mentioned above, there is one special method that is used only to inject shellcode; we call it JavaScript Code Injection. It is used together with other vulnerabilities, as an assistant to them. It is more dangerous, because the injected code is no longer restricted to JavaScript or any other script language: it can be arbitrary machine code to be run on the system.

The latest example of JavaScript Code Injection is the Microsoft IE 0-day vulnerability found on Dec 9, 2008. The details are here. Some exploits in the wild use JavaScript to inject shellcode and then exploit the vulnerability to get the injected code executed. The injected code looks like the following:

var shellcode = unescape("%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f %u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca %uc201%uf4eb%u543b%u0424%ue575%u5f8b
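Added example, not SonicWALL's code and not one of its signatures: a detector for the pattern shown above, a long run of %uXXXX escapes handed to unescape(). It decodes the escapes the way the JavaScript engine stores them (each %uXXXX is a UTF-16 code unit, written little-endian) so an analyst gets the raw bytes back, and it flags only runs above a size threshold so that a single escaped character is ignored. The sample script, threshold and function names are assumptions.

```python
import re

# Added example, not SonicWALL's code. Models the pattern the alert's
# signatures target: long %uXXXX runs passed to unescape().

UNICODE_UNIT = re.compile(r"%u([0-9a-fA-F]{4})")
# unescape( '...' ) or unescape( "..." ) whose literal is only %uXXXX units
# (whitespace between units allowed, as in the snippet above).
UNESCAPE_CALL = re.compile(
    r"""unescape\s*\(\s*(['"])((?:%u[0-9a-fA-F]{4}\s*)+)\1""", re.IGNORECASE
)

# Constructed sample in the shape of the snippet above; filler units, not real shellcode.
SAMPLE_JS = 'var shellcode = unescape("' + "%u9090" * 24 + '");'


def decode_unicode_escapes(escaped: str) -> bytes:
    """Turn '%ue8fc%u0044' into the bytes the engine stores in memory: each
    %uXXXX is one UTF-16 code unit, so %ue8fc becomes fc e8 (little-endian)."""
    out = bytearray()
    for unit in UNICODE_UNIT.findall(escaped):
        out += int(unit, 16).to_bytes(2, "little")
    return bytes(out)


def find_unescape_blobs(js: str, min_bytes: int = 32) -> list:
    """Decoded payload of every unescape('%u...') literal that is at least
    min_bytes long. Short literals (one accented character, say) fall under
    the threshold and are ignored; min_bytes is a tunable assumption."""
    blobs = []
    for match in UNESCAPE_CALL.finditer(js):
        data = decode_unicode_escapes(match.group(2))
        if len(data) >= min_bytes:
            blobs.append(data)
    return blobs


def is_shellcode_injection_candidate(js: str) -> bool:
    """True when the script carries at least one large unescape() blob."""
    return bool(find_unescape_blobs(js))
```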

After carefully examining a large number of injected shellcodes and the related vulnerabilities for patterns, the SonicWALL UTM team has developed seven signatures for JavaScript Code Injection attempts. They are listed below:

  • 3127 Javascript Code Injection Attempt (Mac)
  • 4665 Javascript Code Injection Attempt (Win/Linux) 2
  • 4701 Javascript Code Injection Attempt (Win/Linux) 3
  • 4744 Javascript Code Injection Attempt (Win/Linux) 4
  • 4760 Unicode Javascript Code Injection Attempt 1
  • 4761 Unicode Javascript Code Injection Attempt 2
  • 5051 Javascript Code Injection Attempt (Win/Linux) 5

The signatures listed above have not only detected exploits of existing vulnerabilities, but have also proactively prevented many attacks against zero-day vulnerabilities, including the Microsoft IE 0-day vulnerability found on Dec 9, 2008.

The following figure shows the hits for those signatures within a month.