Posts

ICS Monitoring Team spam (Sep 29, 2008)

SonicWALL UTM Research team observed a new spam campaign starting on Friday, September 27, 2008 which involves a fake notification e-mail pretending to be arriving from ICS Monitoring Team. The email has a zip archived attachment which contains the new Downloader Trojan.

SonicWALL has received more than 40,000 e-mail copies of this malware so far. The e-mail looks like following:

Attachment: user-EA49943X-activities.zip (contains user-EA49943X-activities.exe)

Subject: Your internet access is going to get suspended

Email Body:
————————
Your internet access is going to get suspended

The Internet Service Provider Consorcium was made to protect the rights of software authors, artists. We conduct regular wiretapping on our networks, to monitor criminal acts.

We are aware of your illegal activities on the internet wich were originating from

You can check the report of your activities in the past 6 month that we have attached. We strongly advise you to stop your activities regarding the illegal downloading of copyrighted material of your internet access will be suspended.

Sincerely ICS Monitoring Team
————————

The Trojan when executed drops following malicious files in the system folder:

  • gzipmod.dll
  • tremir.bin
  • vbagz.sys

It also creates the following Registry keys:

  • HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifygzipmod
  • HKLMSYSTEMControlSet001ControlSafeBootMinimalkteproc.sys
  • HKLMSYSTEMControlSet001ControlSafeBootNetworkkteproc.sys

It also tries resolve the following domains and subsequently sends HTTP requests to them:

  • ulm-haafeulm-haa.com
  • art8005.com

The Trojan is also known as Trojan-Dropper.Win32.Agent.xgg [Kaspersky], W32/Downldr2.DVJA [F-Prot], and TR/Crypt.XPACK.Gen [AntiVir]

SonicWALL Gateway AntiVirus provided protection against this malware via GAV: Goldun.AZM (Trojan) signature [159,053 hits recorded].

screenshot

Openwsman HTTP Basic Auth Overflow (Sep 25, 2008)

Web Services Management (WS-Management) is a specification of a SOAP-based protocol for the management of servers, devices, applications and more. Openwsman, maintained by Intel’s Open-Source Technology Center, is a project intended to provide an open-source implementation of the WS-Management and to expose system management information on the Linux operating system.

The openwsman 2.0.0 management service is vulnerable to remote buffer overflow attacks. One of authorization schemes supported by Openwsman is the Basic HTTP authentication. An example of such a request follows:

POST / HTTP/1.1
Host: www.example.com
Authorization: Basic dnJ0OmZvb2Jhcg==

Openwsman decodes and stores the authorization credential to a stack based buffer without performing boundary checks. The buffer has a static size of 4096 bytes. By sending HTTP requests with specially crafted Authorization header value (longer than 5462 bytes), a user without valid login credentials could trigger the buffer overflow. Successful exploitation could lead to execution of arbitrary code on the vulnerable system with the privilege of the openwsman server process.

SonicWALL has released a generic IPS signature that will detect and prevent attacks targeting this vulnerability. The signature to address this vulnerability is:

  • 2060 Openwsman HTTP Basic Authentication BO Attempt

Important Document (doc.zip) spam (Sep 23, 2008)

SonicWALL UTM Research team observed a new spam campaign starting on Monday, September 22, 2008 which involves a fake e-mail claiming to have an important document.

SonicWALL has received 4,500 e-mail copies of this malware so far. The e-mail looks like following:

Attachment: doc.zip (contains doc.exe) -> password protected

Subject: Important document for X (where X = random alphanumeric string)

Email Body:
————————
Hello X, the document is attached. Pass 123.
————————

The email attachment contains zipped malware executable which is a new Downloader Trojan. The Trojan when executed drops the following files on the system:

  • c:2.tmp
  • c:3.tmp
  • c:4.tmp
  • c:5.tmp
  • c:6.tmp
  • c:7.tmp

It also tries to download other malware by sending following GET requests:

  • hxxp://79.135.XX.18/cgi-bin/index.cgi?user5
  • hxxp://79.135.XX.18/scan.exe
  • hxxp://79.135.XX.18/s.exe
  • hxxp://79.135.XX.18/l.exe
  • hxxp://79.135.XX.18/ftp.exe

The Trojan is also known as TrojanDownloader:Win32/Chepvil.H [Microsoft], W32/Trojan3.AN [F-Prot], and TR/Dropper.Gen [AntiVir]

SonicWALL provides protection against password protected zip file via GAV: Password-protected ZIP file signature. It is highly recommend to turn on “Restrict Transfer of password-protected ZIP files” option in Gateway Anti-Virus settings to turn the signature on.

SonicWALL has also released a signature to detect the new Downloader Trojan:Agent.AHKV (Trojan)

IBM DB2 XML Query Buffer Overflow (Sep 19, 2008)

A remotely exploitable vulnerability has been reported in the IBM DB2 Database product. The DB2 product consists of a set of separate services that provide data processing functions. The main database engine process is contained in the binary executable db2syscs.exe on Windows based installations.

The DB2 database has unique facilities to store and manage data in XML format. Quering and manipulation of XML data objects is performed with the help of the XQuery query language. DB2 supports a set of functions that can resolve XQuery expressions to facilitate XML data management.

One of such XQuery functions is XMLQUERY. Given an XQuery expression as its argument, this function returns an XML value from the database. The syntax of XMLQUERY is described as follows:

XMLQUERY(xquery-expression-constant [PASSING xquery-argument AS identifier] )

Where xquery-expression-constant is an SQL character string that is interpreted as an XQuery expression. A practical use example of the function is shown:

SELECT XMLQuery(’$PORDER/PurchaseOrder/item/name’) FROM purchaseorder

A stack buffer overflow vulnerability exists during the processing of the XMLQUERY function. The vulnerability is a result of insufficient boundary checks on the xquery-expression-constant string passed to the affected function. The vulnerable code does not properly validate the length of this parameter before making an internal copy of it to a limited buffer on the stack. This has been shown to result in overwriting of critical memory locations in cases where the string argument is overly long.

A remote authenticated attacker with limited privileges could exploit this vulnerability by passing a specially crafted argument to the XMLQUERY function in a SQL statement. Successful exploitation of this flaw may allow the attacker to inject and execute arbitrary code in the context of the affected service, normally the Administrative account.

SonicWALL has released a generic IPS signature that will detect and prevent attacks targeting this vulnerability. The signature released to address this vulnerability is:

  • 5244 IBM DB2 Universal Database XMLQuery BO Attempt

Contract.zip Trojan (Sep 17, 2008)

SonicWALL UTM Research team observed a new spam campaign starting on Wednesday, Sep 17 at 00:41:58 PST, which uses fake legal paperwork as social engineering.

SonicWALL has received 450 e-mail copies of this malware so far.

Attachment: contract.zip (contains file contract.doc.exe)

The email contents is
——————
Dear customers,
We have prepared a contract and added the paragraphs that
you wanted to see in it.
Our lawyers made alterations on the last page.
If you agree with all the provisions we are ready to
make the payment on Friday for the first consignment.
We are enclosing the file with the prepared contract.

If necessary, we can send it by fax.
Looking forward to your decision.
—————

The subjects used by this Trojan are

  • Contract of order fulfillment
  • Contract of retirement
  • Contract of settlements
  • Loan Contract
  • Open an account
  • Permit for retirement
  • Record in debit of account
  • Rent contract
  • Your new labour contract

When run it copies itself to C:Program FilesMicrosoft Commonwuauclt.exe, A:system.exe, B:system.exe

Downloads
|–> http://www.econoco**.com/images/lspr.exe
|–> http://www.econoco**.com/images/rep.exe

Trojan then changes the Registry:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsexplorer.exe “” = C:Program FilesMicrosoft Commonwuauclt.exe

The Trojan is also known as Trojan.Win32.Agent.adyf (Kaspersky), TR/Dldr.Agent.RCE (Antivir) and Win32/AutoRun.ZV worm (Eset). It has a file size of 66,560 bytes.

SonicWALL has released a signature to protect against this threat: GAV: Agent.ADYF (Trojan)

Obama Sex Trojan (Sep 12, 2008)

SonicWALL UTM Research team observed a new spam campaign which uses the US presidential election as a social engineering mechanism to install a Trojan.

The email appears to be from obamasex@obama.com with the subject “Barack Obama sex story with girl”.

The email contents is
——————
Sensation!!! United States Senator for Illinois
Barack Obama in 2007 was travel to Ukraine and
have sex action with many ukrainian girls!
You may view this private porno in a flash video.
Download and view now. Please send this
news to your friends!
Obama it’s not right choice!!!
—————

link goes to a Chinese domain site hosted in Thailand
hxxp://***promo.cn/sensations/obama_b***job.exe

If the link is clicked a video plays for 14 seconds, and in the background, information-stealing Trojan is installed on the victim’s computer.

The Trojan is also known as Trojan.Win32.Agent.acyq (Kaspersky), PWS-Banker.cs trojan (McAfee) and Mal/Hupig-D (Sophos). It installs itself in C:Documents and Settings[UserName]Local SettingsTempsystem32_.exe and installs 809.exe in the user’s Temporary Internet Files folder.

Also a Browser Helper Object (BHO) named Siemens32.dll is registered. It posts stolen data to a compromised Finnish travel site,
hxxp://*****-hotel.com/berloga/datas.php

SonicWALL has released a GAV signature to protect against this threat: GAV: Agent.ACYQ (Trojan)

Here is a screenshot of the email:

email-screenshot

MS OneNote Handler Vulnerability (Sep 11,2008)

Microsoft Office OneNote is a new component of the Microsoft Office Suite. Microsoft Office OneNote is a digital notebook that provides people one place to gather their notes and information, powerful search to find what they are looking for quickly, and easy-to-use shared notebooks so that they can manage information overload and work together more effectively.

Microsoft Office OneNote registers a protocol handler with the Windows registry, named “onenote” with the format “onenote://”. This handler enables the OneNote executable to be launched from the Microsoft Internet Explorer browser. The onenote handler, however, can trigger a buffer-overrun vulnerability in mso.dll, which can cause malicious executable code injected and executed in the target client.

Microsoft has released an advisory MS08-055 to address this vulnerability, which can be found here. In this advisory, the Maximum Security Impact of this vulnerability is scored as CRITICAL. To protect the SonicWALL customers from being affected by this vulnerability, the SonicWALL UTM team has developed the following IPS signatures:

  • 3482 MS OneNote URL Validation Error 4 (MS08-055)
  • 3479 MS OneNote URL Validation Error 3 (MS08-055)
  • 3476 MS OneNote URL Validation Error 2 (MS08-055)
  • 3474 MS OneNote URL Validation Error 1 (MS08-055)

New ZBot Variant (Sep 10, 2008)

UPS Invoice spam – New ZBot variant

SonicWALL UTM Research Team has discovered a new wave of fake UPS Invoice e-mails spammed this morning.

The email contains a fake message about not being able to deliver the postal package that you sent on September 1st and it asks you to take a print out of attached copy of invoice in order to collect the package from local UPS office.

SonicWALL has received 1100 e-mail copies of this malware so far. This Trojan is similar to and connects to the same website as Fedex Tracking number spam we alerted on last week.

The e-mails look like following:

Attachment: ups_invoice.zip (contains file ups_invoice.exe)

email-screenshot

file-screenshot

The e-mail attachment is a zip archive containing an executable file which is a new ZBot variant. Upon execution, it tries to connect to bmwx6foreva.ru domain which is located at Bendery, Moldova and was registered recently on September 6, 2008. The malware sends following GET request to the domain:

  • GET /loads/engine2.bin HTTP/1.0

It drops the following files:

  • C:WINDOWSsystem32oembios.exe
  • C:WINDOWSsystem32sysproc64sysproc32.sys
  • C:WINDOWSsystem32sysproc64sysproc86.sys
  • C:Documents and SettingsLocalServiceApplication Datasysproc64sysproc32.sys

It also makes following modifications to the Windows registry:

  • HKLM…WinlogonUserinit: “C:WINDOWSsystem32userinit.exe,C:WINDOWSsystem32oembios.exe,”

SonicWALL Gateway Antivirus detects this new ZBot variant as GAV: ZBot.UPS (Trojan) [66,384 hits recorded]

hits-screenshot

Spammed zipped Trojans (Sep 4, 2008)

SonicWALL UTM Research Team has observed multiple Trojan spam runs in last one week starting August 27, 2008 which included the Labor day weekend. Common part among all the spam was the Trojan arrives via email in a zipped archive attachment.

Summary:

Western Union MTCN spam
Online Flight Ticket spam
Airmail Express delivery failure spam
Fedex Tracking number spam

Western Union MTCN spam

This spam wave started on August 27, 2008 and continued for 2 days. The e-mail contains a fake message about your Western Union money transfer transaction being halted or bounced. The e-mails look like following:

Attachment:

  • RN67761263.zip (contains file RN67761263.exe)
  • In776162.zip (contains file In776162.exe)

Subjects: Western Union MTCN #<10 digit Number>

Message Body:
——————
Hello!

Attention! The wire sent to Maksim Zverev, Moscow, Russia has been blocked by our security service.

Your credit card issuing bank has halted the transaction by the demand of the Federal Criminal Investigation Service (case No. <5 digit number> since the recipient has been undergoing the international retrieval by the InterPol.

Please contact the closest Western Union office and make sure you have your ID card, the credit card that was used for making the payment, and the invoice file with you.

(The invoice file is attached to this message; please print it out and hand it to our agent.)

You can find the address of the closest Western Union agent on our website at http://www.westernunion.com

Thank you!
——————

SonicWALL detection for these Trojans:

  • GAV: Zbot.EJX (Trojan) [Hits recorded: 851]
  • GAV: ZBot.EJW (Trojan) [Hits recorded: 4,210]

Online Flight Ticket spam

The first wave of this spam was seen on August 28, 2008 which lasted just 1 day. Another wave of this spam campaign with different attachment name started on Labor day and continued until September 2, 2008. The e-mail pretends to be containing an online flight ticket invoice. The e-mails look like following:

Attachment:

  • eTicket_N832.zip (contains file eTicket_N832.exe)
  • e-Ticket_S737.zip (contains file e-Ticket_S737.exe)

Subjects: Your Online Flight Ticket N <5 digit number>

Message Body:
——————
Dear customers, Thank you for using our new service “Buy airplane ticket Online” on our website. Your account has been created:

Your login: Your password: pass<4 random characters>

Your credit card has been charged for $6XX.XX. [where X can be 0-9] We would like to remind you that whenever you order tickets on our website you get a discount of 10%! Attached to this message is the purchase Invoice and the flight ticket. To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards, Virgin America
——————

SonicWALL detection for these Trojans:

  • GAV: AutoRun.WK (Worm) [Hits recorded: 7,892]
  • GAV: Emold.A_2 (Trojan) [Hits recorded: 107,996]

Airmail Express delivery failure spam

The first wave of this spam was seen on August 28, 2008 which lasted for 2 days. Another wave of this spam campaign with different attachment name started on Labor day and continued until September 3, 2008. The e-mail contains a fake message about not being able to deliver the postal package you sent and it asks you to take a print out of attached copy of invoice. The e-mails look like following:

Attachment:

  • AIRMAIL#7661224.zip (contains file AIRMAIL#7661224.exe)
  • AIRMAIL_76612.zip (contains file AIRMAIL_76612.exe)
  • #876712.zip (contains file #876712.exe)
  • 5322412.zip (contains file 5322412.exe)

Subjects:

  • AIRMAIL EXPRESS $_ < random number >
  • Airmail Tracking number #<7 digit random number>

Message Body:
——————
Unfortunately we were not able to deliver postal package you sent on August the 1st in time because the recipients address is not correct. Please print out the invoice copy attached and collect the package at our office

AIRMAIL EXPRESS
——————

SonicWALL detection for these Trojans:

  • GAV: Zbot.AIR (Trojan) [Hits recorded: 198,947]
  • GAV: Zbot.EKQ (Trojan) [Hits recorded: 38]
  • GAV: Zbot.EMQ (Trojan) [Hits recorded: 266]
  • GAV: Zbot.EOD (Trojan) [Hits recorded: 4068]
  • GAV: Zbot.ENM (Trojan) [Hits recorded: 34,337]

Fedex Tracking number spam

This spam started on Labor day and continued until September 2, 2008. The e-mail contains a fake message about not being able to deliver the postal package you sent and it asks you to take a print out of attached copy of invoice. The e-mails look like following:

Attachment: TR87190-18721.doc.zip (contains file TR87190-18721.doc.exe)

Subjects: Tracking N <10 digit random number>

Message Body:
——————
Unfortunately we were not able to deliver postal package you sent on July the 25 in time because the recipients address is not correct. Please print out the invoice copy attached and collect the package at our office.

Your FEDEX www.fedex.com
——————

SonicWALL detection for these Trojans: GAV: Agent.ACCI (Trojan) [Hits recorded: 895]

Google Chrome Vulnerabilities (Sep 4, 2008)

On September 2nd 2008 Google released Chrome, an open source web browser. Chrome uses tabs as primary component of its user interface. It uses the (open source) WebKit rendering engine on advice from the Android team.

One of Chrome’s design goals is improving security. It is achieved by:
1. Each tab in Chrome is sandboxed into its own process.
2. Plugins are run in separate processes that communicate with the renderer.
3. Chrome periodically downloads updates of phishing and malware blacklists.

Just hours after the release, a few vulnerabilities in Google Chrome were discovered. One is that Chrome allows files (e.g., executables) to be automatically downloaded to the user’s computer without any user prompt. Another is a denial-of-service vulnerability; Chrome will crash when it loads a web page which has an undefined handler followed by a special character.

SonicWALL has tested and confirmed these vulnerabilities on Google Chrome version 0.2.149.27, Build 1583. Two signatures were released on September 3rd to detect and block attacks targeting these vulnerabilities. The signatures are:

  • (3458) WEB-CLIENT Google Chrome Automatic File Download PoC
  • (3459) WEB-CLIENT Google Chrome Undefined Handler DoS PoC