Posts

Obama Speech Trojan (Nov 5, 2008)

SonicWALL UTM Research team observed a new spam campaign which uses yesterday’s US election as a social engineering mechanism to install a Trojan.

The email appears to be from news@bbc.com with the subject “Priorities for the New President”. The email contents is

——————
Barack Obama Elected 44th President of United States

Barack Obama, unknown to most Americans just four years ago, will become the 44th president and the first African-American president of the United States.
Watch His amazing speech at November 5!

Proceed to the election results news page>>

2008 American Government Official Website
This site delivers information about current U.S. Foreign policy and about American life and culture.
—————

Some other subjects used are:

  • Barack Obama wins
  • Can Obama win popular vote but lose election?
  • Did Obama Win Yet?
  • Election 2008: Time lapse of U.S. counties
  • Election Center 2008 – Election Results
  • Election Night Results
  • Fear of a Black President
  • Obama win an Electoral College majority
  • Obama win Defined by Race
  • USA Election 2008 Results
  • World Welcomes Obama’s Win

Link goes to one of these fast-fluxed domains (bfiinwach.com, gerimumsoe.com, lopbiuemis.com,vcoenutrmsi.com, wconlinenrue.com)

If the link is clicked a Adobe_flash9.exe is served to the user. It is 31,232 bytes in size and is compressed by ASPACK executable packer. It drops itself in %Windir%9129837.exe and drops a rootkit in %Windir%new_drv.sys, which it installs as a new kernel-mode driver.

It also modifies the registry:

 [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun] ttool = "%Windir%9129837.exe" 

so that 9129837.exe runs every time Windows starts

Trojan then connects to HTTP on 91.203.93.57 (which is hosted in Ukraine) and issues the following GET requests:

  • cgi-bin/options.cgi?user_id=3311905101&version_id=5&passphrase=fkjvhsdvlksdhvlsd&socks=22539&version=125&crc=00000000
  • cgi-bin/cmd.cgi?user_id=3311905101&version_id=5&passphrase=fkjvhsdvlksdhvlsd&socks=22539&version=125&crc=00000000

It is exfiltrating stolden userids and passwords to the above IP.

The Trojan is also known as TrojanSpy:Win32/Ursnif.gen!D (Micorosft) and Mal/Heuri-E (Sophos).

SonicWALL has released a GAV signature to protect against this threat: GAV: Games.C (Trojan)

WebLogic Apache Connector Vulnerability (Oct 30, 2008)

Oracle BEA WebLogic Server is a multi-tier Java Application Server platform. In a two and three-tier application architecture, a web server is used to receive forms or HTTP requests, then pass them to application servers, which perform actual processing. A connector software refers to the component used by web server to communicate with the application server. Oracle BEA WebLogic Server ships with a connector, named mod_wl, for Apache HTTP server.

Normally an HTTP POST request is sent in one stream, unless the HTTP header Transfer-Encoding is specified. A common value of the Transfer-Encoding header is “chunked”.

There exists a buffer overflow vulnerability in Oracle BEA WebLogic Server’s connector software for Apache HTTP server. Specifically, the vulnerability is due to improper parsing of HTTP Transfer-Encoding headers sent to the Apache Web server. When a Transfer-Encoding header containing unrecognized value is received, the connector software of WebLogic Server copies the header value into a stack buffer of fixed size using a sprintf() function. It has been observed that the vulnerable code does not verify the length of the string before copying it to the buffer.

A remote unauthenticated attacker could exploit this vulnerability by sending a crafted HTTP request containing overly long Transfer-Encoding value to the vulnerable WebLogic connector software. Successful exploitation would result in code injection and execution with the privileges of the service, normally “System” on Windows platform.

SonicWALL has released an IPS signature that will detect and prevent attacks targeting this vulnerability. The signature to address this vulnerability is:

  • 3596 WEB-ATTACKS Transfer-Encoding HTTP Header BO Attempt

New ZBot Trojan variant (Oct 28, 2008)

SonicWALL UTM Research team observed a new ZBot variant being spammed in the wild using Angelina Jolie video spam campaign starting on Saturday, October 25, 2008 which involves a fake e-mail message pretending to contain Angelina Jolie video. The email has a zip archived attachment which contains the new ZBot variant.

SonicWALL has received more than 10,000 e-mail copies of this malware so far. The e-mail looks like following:

Attachment: anjelina_video.zip (contains anjelina_video.exe)

Subject: New Anje1lna Jo1ie p0rn

Email Body:
————————
Anje1lna Jo1ie p0rn video, file attached, watch him
————————

Starting October 27, 2008 the spam campaign changed to “new eCard” spam which involves a fake e-mail message pretending to contain an ecard. The email has a zip archived attachment which contains the new ZBot variant.

SonicWALL has received more than 5,000 e-mail copies of this malware so far. The e-mail looks like following:

Attachment: ecard.zip (contains ecard.exe)

Subject: You have received an eCard

Email Body:
————————
Good day.

You have received an eCard
To pick up your eCard open attached file
We hope you enjoy you eCard.
Thank You!
————————

The Trojan when executed drops following malicious files in the windows system folder:

  • twain_32local.ds
  • twain_32user.ds
  • twext.exe

It modifies the following registry keys to ensure that twext.exe executes on system startup:

  • HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonUserinit = “(System Folder Path)userinit.exe,(System Folder Path)twext.exe,”

It also tries to connect to opokimoki.com domain and sends following HTTP request:

  • GET /los/cfn.bf

The Trojan is also known as Trojan-Spy.Win32.Zbot.fql [Kaspersky], Troj/Agent-IAZ [Sophos], and TrojanSpy:Win32/Zbot.gen!C [Microsoft]

SonicWALL Gateway AntiVirus provided proactive protection against this new Zbot variant via GAV: Zbot.FME (Trojan) signature [809,401 hits recorded starting Oct 25, 2008].

screenshot

MS08-067 Server Service Buffer Overflow (Oct 23, 2008)

A vulnerability has been reported in the Server service of most versions of Microsoft Windows. This service facilitates file, print, and named-pipe sharing over the network for Windows-based computers. These remote access facilities are often utilized for Remote Procedure Calls (RPC).

Calling RPC methods on a remote machine entails opening a named pipe as a file and accessing the RPC interface through a Universally Unique Identifier (UUID). Some Microsoft operating systems do not require authentication to access several named pipes. The srvsvc pipe is an alias to the ntsvcs named pipe and can be accessed by several other aliases. The srvsvc interface is registered with the UUID “4B324FC8-1670-01D3-1278-5A47BF6EE188”. The interface exposes a set of functions that enumerate and configure shares, sessions and other resources on the server. Two RPC functions that are provided by the SRVSVC interface are listed below:

  • NetprPathCanonicalize
  • NetprPathCompare

The function NetprPathCanonicalize, with opcode 31, normalizes a path name by converting slash characters to backslash characters and removing directory traversal sequences. Another RPC function, NetprPathCompare, with opcode 32, internally calls the NetprPathCanonicalize function to normalize path names before comparing them. Thus RPC calls to NetprPathCompare also invoke NetprPathCanonicalize.

The server side implementation of NetprPathCanonicalize RPC function is provided by the library NETAPI32.DLL. The calling syntax of this function is as follows:

long NetprPathCanonicalize(
[in] [string] [unique] wchar_t *ServerName,
[in] [string] [ref] wchar_t *PathName,
[in] long OutBufLen;
[in] [string] [ref] wchar_t *Prefix,
[in] [out] [ref] long *PathType;
[in] long PathFlags;
);

A stack buffer overflow vulnerability exists in the way the Server service processes the PathName argument to the NetprPathCanonicalize function. The affected code fails to properly handle cases where directory traversal sequences result in traversing past the root path as in the following case:

/pathpart1/../../pathpart2

In such cases, the code will internally copy the string, less the traversal sequence and the path which precedes it into a calculated destination buffer. The destination buffer for the copied string is found by searching for the first slash character which precedes the traversal sequence. Normally, this ends up as being the beginning of the source string. Such that the process of normalizing the first traversal in the above example will end up with the following string:

/../pathpart2

Since the next traversal sequence that is to be normalized is not preceded by a path, the search for the first slash character preceding this sequence will incorrectly end up at a memory location in front of the designated buffer. Such that, if a slash character happens to exist on the stack in a vulnerable location, then the source string will be copied into that location.

It has been observed that the stack can be manipulated in a favourable way by the attacker by calling the affected RPC function twice wherein the second time it is called, the copy will overwrite the designated stack buffer.

A remote attacker can exploit this vulnerability by sending specially crafted RPC requests to an affected system. Successful exploitation may result in execution of arbitrary code on the target host with System privileges. A denial of service condition may ensue in cases of unsuccessful attacks.

SonicWALL has released two signatures which will detect and block generic exploitation attempts of this vulnerability. The following IPS signatures have been deployed to address this issue:

  • 1160 – SRVSVC NetPathCanonicalize BO Attempt 1 (MS08-067)
  • 1161 – SRVSVC NetPathCanonicalize BO Attempt 2 (MS08-067)
  • 1174 – SRVSVC NetPathCanonicalize BO Attempt 3 (MS08-067)
  • 1178 – SRVSVC NetPathCanonicalize BO Attempt 4 (MS08-067)
  • 1186 – SRVSVC NetPathCanonicalize BO Exploit 1 (MS08-067)

MS08-067 exploit in wild (Oct 23, 2008)

Today SonicWALL UTM Research team received samples using the newly patched MS08-067 – Windows Server Service vulnerability. We have received at least 10 distinct copies of this exploit malware. Filenames were n[x].exe (where [x]=1 or 2 or 3).

The malware is 397,312 bytes in size. When executed, it drops following malicious file in the system folder:

  • sysmgr.dll

It starts a service as “sysmgr (System Maintenance Service)” and deletes the original copy of the malware from the folder where it was executed.

It tries to communicate with following domains over HTTP:

  • summertime.1gokurimu.com
  • doradora.atzend.com
  • perlbody.t35.com
  • 59.106.145.58

The trojan generates a URL based on the operating system and antivirus information, in the following format: IPADDRESS/test2.php?abc=A?def=B

Where A is numeric and represents an associated type of antivirus application and B is also numeric and defines the operating system. The two values vary depending on the host computer.

It also performs following registry modifications:

  • Creates key “HKLMSystemCurrentControlSetServicessysmgrParameters”.
  • Sets value “ServiceDll”=”C:WINDOWSSYSTEM32wbemsysmgr.dll” in key “HKLMSystemCurrentControlSetServicessysmgrParameters”.
  • Sets value “ServiceMain”=”ServiceMainFunc” in key “HKLMSystemCurrentControlSetServicessysmgrParameters”.
  • Creates key “HKLMSoftwareMicrosoftWindows NTCurrentVersionSvcHost”.
  • Sets value “sysmgr”=”sysmgr” in key “HKLMSoftwareMicrosoftWindows NTCurrentVersionSvcHost”.
  • Sets value “I”=”” in key “HKLMSystemCurrentControlSetServicessysmgr”.
  • Sets value “DisplayName”=”System Maintenance Service” in key “HKLMSystemCurrentControlSetServicessysmgr”.

This malware has a very low detection at the time of this writing: Win32/Gimmiv.A [Microsoft], Generic Dropper [McAfee], Mal/Generic-A [Sophos].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: MS08-067 (Exploit) signature.

SonicWALL has also released generic IPS signatures that will detect and prevent attacks targetting this vulnerability. Please to refer to MS08-067 Server Service Buffer Overflow (Oct 23, 2008) for a detailed description of the vulnerability.

MS Windows IPP Buffer Overflow (Oct 17, 2008)

The Internet Printing Protocol (IPP) is a standard network protocol for managing remote printing. IPP is built on HTTP/1.1 and supports access control, encryption and authentication. The Microsoft IPP implementation consists of an ISAPI extension for Internet Information Service (IIS). Client hosts send IPP requests to the MS IPP service by accessing the “/printers” HTTP directory through IIS. The server replies to these request with an HTML page containing the list of all currently configured printers on the server. The IPP service can be used to query a specific printer on the remote host as well. The following HTTP request is shown as an example:

POST /printers/~5c~5c10~2e0~2e0~2e10~5cdummy/.printer HTTP/1.1
Content-Type: application/ipp

In the above example, the printer is instructed to send an IPP query to a remote SMB printer \10.0.0.10dummy Upon receiving such a request, the IPP service will translate it into SPOOLSS RPC request and redirect it to the given printer. Windows defines a Remote Procedure Call (RPC) interface for the server-side spooler Win32 API. This RPC interface can be accessed via the named pipe “spoolss” with UUID “12345678-1234-abcd-ef00-0123456789ab”.

To service the IPP request, the server will establish an SMB connection to the requested printer and send the IPP request translated into RPC function. The RPC reply is then translated into HTTP/IPP reply and sent back to the original requester in the same HTTP session.

One of IPP requests is the Get-Jobs request with operation-id 0x000a. This request translates into the EnumJobs RPC function, its purpose is to enumerate the list of print jobs currently managed by the chosen printer. The function’s prototype is shown below:

BOOL EnumJobs(
  HANDLE hPrinter, // handle to printer object
  DWORD FirstJob, // index of first job
  DWORD NoJobs, // number of jobs to enumerate
  DWORD Level, // information level
  LPBYTE pJob, // job information buffer
  DWORD cbBuf, // size of job information buffer
  LPDWORD pcbNeeded, // bytes received or required
  LPDWORD pcReturned // number of jobs received
);

Normally, the function is called twice. First, the caller specifies an empty buffer cbBuf=0 and the spooler replies with pcbNeeded set to the size of the buffer required to store the request. The caller will then repeat the request setting cbBuf to the required size.

A buffer overrun vulnerability exits within the IPP implementation on Windows servers running IIS. The flaw may be exploited by remote authenticated attackers by sending a crafted Get-Jobs IPP request to the target server. Specifically, the attacker will send the Get-Jobs IPP with the IP address and printer name of an attacker-controlled print server. The attacker’s print server will reply to the SMB/RPC requests from the target, waiting for the EnumJobs RPC function call. The reply from the attacker to the EnumJobs call will provide incorrect cbBuf and pcbNeeded values such that when these values are added by the vulnerable IPP server, the sum will overflow a 32-bit integer. The IPP server will allocate memory based on this sum which will be smaller than the size of the pJob string, and this buffer will be overwritten by the received pJob.

Successful exploitation of this vulnerability may allow for arbitrary code injection and execution with the privileges of the ISS server process. Code injection that does not result in execution could terminate the affected process due to memory corruption.

SonicWALL has released an IPS signature that will detect and prevent known exploits of this flaw. The following signature addresses this vulnerability:

  • 5274 – MS Windows Internet Printing Service Integer Overflow PoC (MS08-062)

This vulnerability has been assigned CVE-2008-1446 and has been described in the Microsoft security bulletin MS08-062

New statement spam (Oct 17, 2008)

SonicWALL UTM Research team observed a new wave of the on-going Statement document spam campaign starting today Friday, October 17, 2008. The email has a zip archived attachment which contains the new Trojan variant.

The e-mail contains following attachment:

Attachment: Statement_01-10.zip (contains Statement_01-10.doc [WHITESPACES] .exe – UPX packed)

The Trojan when executed drops following malicious files in the system folder:

  • rs32net.exe (copy of itself)

It also creates the following Registry keys to ensure that rs32net.exe gets executed automatically on system startup:

  • HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunrs32net = “(SYSTEM FOLDER PATH)rs32net.exe”

It then starts the rs32net.exe process and deletes the original copy of the file from the folder where it was executed.

The Trojan tries to send a HTTP GET request

  • GET /40E80008F04FCE3BCEE24D126C000001DD6600000002760000015EEB000530829EA5AC HTTP/1.0

to following IP addresses:

  • 208.66.194.240
  • 216.195.55.50
  • 216.195.56.22
  • 209.66.122.238
  • 91.203.92.7
  • 208.66.195.15
  • 208.66.195.71

The Trojan has a very low detection at the time of writing this report.

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Agent.AGWR (Trojan) signature.

SQL Injection Attack Summary (Oct 10, 2008)

The SQL Injection Attack is not new to the SonicWALL customers, but it is still popular. An article about it was released by SonicWALL UTM team two months ago. In that article, we have explained the details of this type of attacking. Also, we provided statistics data about the attacks around that time.

During the past two months, there are more SQL Injection Attack waves happened. The following figure shows the hits statistics of all the SQL Injection related signatures from June 2008 on. And it indicates there were three waves of attacks, and two of them happened in August 2008.

To provide more protection to the SonicWALL customers from being affected by the SQL Injection Attacks, the SonicWALL UTM team re-classified the SQL related signatures, and created a new category called SQL-Injection. There are 36 signatures re-classified into the new category. The detailed signature names can be found here. With this new category, the customers can easily manage the SQL Injection related signatures, no matter the signatures are in low or high priority.

Note that the figure is more accurate than the one from the last article because it shows all the 36 SQL Injection signatures instead of 11 signatures for the last time.

Angelina Jolie video spam (Oct 6, 2008)

SonicWALL UTM Research team observed a new wave of the on-going Angelina Jolie video spam campaign starting on Monday, October 6, 2008. The email has a zip archived attachment which contains the new Downloader Trojan variant.

SonicWALL has received more than 60,000 e-mail copies of this malware till date. The e-mail looks like following:

Attachment: video.zip (contains video.exe – UPX packed)

Subject: Angelina Jolie Free Video

Email Body:
————————
New sex scandal, Angelina Jolie porn watch in attached file
————————

The Trojan when executed drops following malicious files in the system folder:

  • gzipmod.dll
  • vbagz.sys

It also creates the following Registry keys to ensure that gzipmod.dll is installed as a Winlogon notification package:

  • HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifygzipmod
  • HKLMSYSTEMControlSet001ControlSafeBootMinimalkteproc.sys
  • HKLMSYSTEMControlSet001ControlSafeBootNetworkkteproc.sys

The Trojan includes a backdoor component that listens on TCP port 6051 & 6052. It also tries to resolve the following domains and subsequently sends HTTP requests to them:

  • sargej-grienko.com
  • ulm-haafeulm-haa.com
  • art8005.com

The Trojan is also known as Trojan.Spy.Goldun.NDU [BitDefender], Win32/Spy.Goldun.NDN trojan [ESET], and TR/Crypt.XPACK.Gen [AntiVir]

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Agent.XQL (Trojan) signature.

RealWin DATAC Control Buffer Overflow (Oct 1, 2008)

RealWin is a SCADA server product that monitors and controls a industrial, infrastructure or facility based process in a computer system. A SCADA System usually consists of a Human-Machine Interface, a supervisory system and a Remote Terminal Units. RealWin, as a SCADA system, can read and maintain data returned from field devices using drivers, store data for historical access, run CSL (Command Sequence Language) scripts and generate alarms as defined in the system.

There is a stack-based buffer overflow vulnerability in DATAC Control RealWin SCADA System server product 2.0 and prior. The vulnerability is due to a boundary error while parsing a crafted value in a FC_INFOTAG/SET_CONTROL packet.

A remote, unauthenticated attacker could exploit this vulnerability by sending a specially crafted FC_INFOTAG_SET_CONTROL packet. Successful exploitation would allow for arbitrary code injection and execution with the privileges of the affected service, or terminate the application resulting in a Denial of Service condition.

SonicWALL has released a generic IPS signature that will detect and prevent attacks targeting this vulnerability. The signature to address this vulnerability is:

  • 1134 RealWin Server Crafted FC_INFOTAG/SET_CONTROL Packet BO Attempt