Trojan distributed as 8 Ball Pool game hack

The Dell SonicWALL Threats Research team has received a sample of a backdoor Trojan posing as a game hack. It will not surprise many that cheats for games often contain malware. As a game grows more popular, cybercriminals take advantage of eager gamers by promising to unlock abilities or to accumulate enough credits to buy something that helps them progress, and these shortcuts make the cheat more appealing. The sample we received poses as a cheat for a top-ranking free sports game. In fact, searching online for the 8 Ball Pool game yields keyword suggestions such as "hack" and "cheats."


Infection Cycle

The Trojan arrives as a file named "hack 8 ball pool.exe." Upon execution, it copies itself to the following location:
  • %TEMP%\chrome.exe
In order to start after reboot, the Trojan adds the following key to the registry:
  • HKLM\software\microsoft\windows\currentversion\run[8ce73491bf190a3fd7028c92bd3331b1] "%TEMP%\chrome.exe"
To bypass the Windows Firewall, it adds itself to the authorized applications list in the registry:
  • HKLM\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list [%TEMP%\chrome.exe]
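The pair of registry writes above (a Run entry launching from %TEMP% plus a matching Windows Firewall authorized-application entry) is a pattern worth hunting for on other machines. The script below is an added example of my own, not from SonicWALL's analysis: it parses a `.reg` export (the embedded sample is constructed to mirror the two keys described) and reports temp-directory autoruns that also have a firewall exception.

```python
"""Look for the persistence-plus-firewall-exception pattern in a Windows
registry export (.reg text). SAMPLE_REG is constructed for this example."""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
FW_LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
               r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# Constructed .reg export: one benign Run entry plus the two keys described above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"
"8ce73491bf190a3fd7028c92bd3331b1"="%TEMP%\\chrome.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%TEMP%\\chrome.exe"="%TEMP%\\chrome.exe:*:Enabled:chrome"
'''
# Locations a legitimate autorun rarely lives in (case-insensitive substrings).
TEMP_MARKERS = ("%temp%", "%tmp%", "\\appdata\\local\\temp\\", "\\windows\\temp\\")

def parse_reg(text):
    """Return {key_path(lowercased): {value_name: data}} for REG_SZ values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"', line)
            if m:  # .reg files double every backslash; undo that for comparison
                name, data = (g.replace("\\\\", "\\") for g in m.groups())
                keys[current][name] = data
    return keys

def is_temp_path(path):
    return any(marker in path.lower() for marker in TEMP_MARKERS)

def find_temp_autoruns(reg):
    """Run entries launching from a temp directory, flagged when the same
    binary also has a Windows Firewall authorized-application entry."""
    run = reg.get(RUN_KEY.lower(), {})
    fw_paths = {name.lower() for name in reg.get(FW_LIST_KEY.lower(), {})}
    return [
        {"value_name": name, "target": target,
         "firewall_exception": target.lower() in fw_paths}
        for name, target in run.items() if is_temp_path(target)
    ]
```

On a live host the same logic can be fed the output of `reg export` for the two keys; the script only reads the export, it changes nothing.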
It then makes the following DNS query:

Figure 1: DNS query to hackernople.no-ip.biz


It then starts to send information such as the current date, the victim's computer name, user name, operating system and IP address to a remote server:

Figure 2: Trojan sending personal information to a remote C&C server


We have also noticed the Trojan sending desktop screenshots to a remote server:

Figure 3: Trojan sending screenshots in a JPG format to a remote C&C server


This Trojan is capable of deleting files from the victim's machine. During our analysis, it deleted security tools such as Process Explorer (procexp.exe) and TCPView (tcpview.exe).

Figure 4: Trojan sending confirmation of the removal of processes such as procexp.exe and tcpview.exe


It is also capable of downloading additional malicious components. During our analysis, it downloaded a password recovery tool called "WebBrowserPassView" onto the victim's machine and installed it. This tool can be used to reveal passwords stored in the victim's web browsers.

Figure 5: Packets showing the infected machine receiving an executable


Figure 6: Receiving command to execute and install WebBrowserPassView

This Trojan is capable of deleting data, possibly disrupting services, and stealing information, and therefore poses a serious threat depending on the sensitivity of the data stolen from the victim. It is all the more pervasive because it banks on the popularity of the game it pretends to be, and with its capability to download and install more components, victims will likely end up with multiple malware infections on their computer systems.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:
  • GAV: Barys.RAT (Trojan)


Source: Dell SonicWALL Security Center
Have a good time.
(Be knowledgeable, pass it on then)

Allowing WeChat to Sign Up and to get QR Code for login in SonicWall

SonicWall's Application Control blocks some application signatures that WeChat requires.

As a result, mobile-device users cannot sign up for WeChat from your network; they get "Connection error. Check your network settings."


Users who already have an account also cannot sign in by using the QR code.

Laptop/desktop WeChat users will also encounter the error shown below.



To solve these issues, you need to unblock/allow the applications from the Application Signature List below in your SonicWall.
Application Category : Proxy-Access (27)
Application : Proxy-Access HTTP (966)
Application Signature : Proxy-Access HTTP Proxy -- HTTP Proxy POST (9685)

You also need to allow/exclude the IP addresses listed below from the Application Control list of your SonicWall. (In fact, WeChat uses many IP addresses; if your issue is not resolved by adding the list below, check the logs and add more.)
203.205.129.101
203.205.147.168
203.205.151.160
140.206.160.213

Once you have done the steps above, your users should have no issues using WeChat, either on their mobile devices or on laptops/desktops within your network.
(For me, I really do not want to allow this application as it is not secure, but I have to allow it because of business need. So I have to monitor usage of this application closely.)

Have a good time.
(Be knowledgeable, pass it on then)

Increased Online Shopping and Increased Malicious Email Threats

As usual, online shopping websites offer year-end discounts after Thanksgiving Day, Black Friday and Cyber Monday.
As a result, spammers also launch spam campaigns to find victims through online shopping.

Below are guides on "How to stay safe" online and "Best practices for avoiding email scams".

How to Stay Safe

An important skill for staying safe online is knowing how to identify fraudulent domain names used in malicious links in emails. Scammers usually try to deceive end users by disguising the true second-level domain, prepending legitimate, familiar names to the beginning of hostnames. Appearing to come from a legitimate source, the malicious email contains links to sites that host exploit code, in the hope that the user has an unpatched system and a vulnerable web browser, with the goal of compromising the user's system. Other attack vectors come directly as email attachments: Word documents, executables and other infected files.

Best practices for avoiding email scams

- Never click on links in emails without thinking about it carefully.
- Authenticate the sender: Is the sender truly who they say they are? Do I recognize and trust the sender?
- Educate end users on how to hover over links in emails to identify the real domain name in the email's From address, as well as in any links in the email body.
- If there is any doubt about the authenticity of the domain name, take the example above: customer_service@amazon.com--0123-xyz.malicious-site.com. Is the domain in the sender's email address, malicious-site.com, owned by Amazon or by someone else? (The easiest way is simply to go to amazon.com and take care of any notifications or required actions by logging in to the site directly, rather than clicking on links in emails.)
- For users who are unable to identify domain names in links and email addresses, advise them never to click on a link sent in an email, but rather to open the site in a browser by typing the address manually in the address bar, to ensure that they are going to the legitimate site.
- Always report suspicious emails to your Security Administrator, or directly to the site being spoofed. If in doubt, ask before clicking.
- Never open file attachments from unknown/untrusted sources.
- Stay up to date with software patches for operating systems, web browsers and all other software on the computer.
- Install and keep up to date host-based and network-based Gateway Anti-Virus and Intrusion Detection systems.

That's all for general security guidelines for end users and for IT professionals who need to take care of their organization's security.

Hope it is useful for some.

Have a good time.
(Be knowledgeable, pass it on then)

Microsoft Word Remote Code Execution Vulnerability (CVE-2015-0097)



A remote code execution vulnerability exists in Microsoft Office software and is caused when Office improperly handles objects in memory while parsing specially crafted Office files. This could corrupt system memory in such a way as to allow an attacker to execute arbitrary code (CVE-2015-0097).

To exploit this vulnerability, the user has to be tricked into visiting the attacker's website by clicking on a link. Another scenario is downloading and opening a specially crafted MS Office email attachment. Microsoft Word, Excel and PowerPoint contain a remote code execution vulnerability because it is possible to reference documents such as a Works document (.wps) as HTML. Office then processes HTML and script code in the context of Internet Explorer's Local Machine zone, which leads to arbitrary code execution.

Once the user opens the Office document, the attacker is able to perform actions in the security context of the logged-in user.


When the user opens the crafted document, the code is executed. It connects to the attacker's server and downloads a file, which is saved as an .hta file in the \appdata\roaming\microsoft\windows\start menu\programs\startup\ directory.


So when the user reboots the machine, this malicious file in the startup directory is executed. This allows a remote attacker to execute arbitrary code via a crafted Office document, aka "Microsoft Word Local Zone Remote Code Execution Vulnerability."

That's why you should check that your security devices have up-to-date signatures to protect against this kind of vulnerability.

Have a good time.
(Be knowledgeable, pass it on then)

NTP Daemon Vulnerabilities




NTP is a protocol designed to synchronize the clocks of computers over a network. NTP uses a hierarchical, semi-layered system of time sources. Each level of this hierarchy is termed a "stratum" and is assigned a number starting with zero at the top.
The NTP Project conducts research and development in NTP and, through a largely volunteer effort, produces the Official Reference Implementation of NTP along with its implementation documentation. A few weeks ago, ntp-4.2.8p4 was released, which fixed multiple vulnerabilities.
  • "NTP Daemon Arbitrary File Overwrite", which addresses CVE-2015-7703
Description: If ntpd is configured to allow for remote configuration, and if the (possibly spoofed) source IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password, it's possible for an attacker to use the "pidfile" or "driftfile" directives to potentially overwrite other files.
  • "NTP Daemon Assertion Failure DoS", which addresses CVE-2015-7855
Description: If ntpd is fed a crafted mode 6 or mode 7 packet containing an unusually long data value where a network address is expected, the decodenetnum() function will abort with an assertion failure instead of simply returning a failure condition.
  • "NTP Daemon Crypto-NAK Authentication Bypass 1" and
    "NTP Daemon Crypto-NAK Authentication Bypass 2", which address CVE-2015-7871
Description: Crypto-NAK packets can be used to cause ntpd to accept time from unauthenticated ephemeral symmetric peers by bypassing the authentication required to mobilize peer associations. This vulnerability appears to have been introduced in ntp-4.2.5p186 when the code handling mobilization of new passive symmetric associations was refactored.
The most critical one in the list above is the crypto-NAK bug. Administrators are urged to upgrade ntpd to the latest version to protect their servers.
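Two of the three advisories above depend on configuration: CVE-2015-7703 needs remote configuration to be allowed, and CVE-2015-7855 needs mode 6/7 control packets to reach ntpd. Both are governed by the `restrict default` line in ntp.conf, so an added checker of my own (not from the NTP Project or the advisory) compares a weak default restriction with a hardened one. The two configurations are constructed; the crypto-NAK bug (CVE-2015-7871) is not covered here, since only the upgrade fixes it.

```python
"""Audit an ntp.conf for the preconditions CVE-2015-7703 (remote configuration)
and CVE-2015-7855 (crafted mode 6/7 packets) rely on. Both configs are constructed."""

WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod          # runtime reconfiguration and queries still allowed
"""

HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

def default_restrict_flags(conf):
    """Flags common to every 'restrict [-4|-6] default' line, or None if there
    is no such line (ntpd then grants full access to every client)."""
    flags = None
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0] != "restrict":
            continue
        rest = parts[2:] if parts[1] in ("-4", "-6") else parts[1:]
        if rest and rest[0] == "default":
            flags = set(rest[1:]) if flags is None else flags & set(rest[1:])
    return flags

def audit_ntp_conf(conf):
    """Findings about the default restriction; an empty list means both
    mode 6/7 exposures are closed by configuration alone."""
    flags = default_restrict_flags(conf)
    if flags is None:
        return ["no 'restrict default' line: every client gets full access"]
    if "ignore" in flags:          # all packets dropped, nothing to reach
        return []
    findings = []
    if "nomodify" not in flags:
        findings.append("missing nomodify: remote runtime configuration (mode 7) is accepted")
    if "noquery" not in flags:
        findings.append("missing noquery: ntpq/ntpdc mode 6/7 packets reach ntpd")
    return findings
```

A clean audit still leaves the server exposed to the crypto-NAK bypass until ntpd is upgraded.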
Source: Dell SonicWall Security Center

Have a good time.
(Be knowledgeable, pass it on then)

How to stop "Wireless SSID" from broadcasting in Ruckus ZoneDirector and remove from APs

If you want to stop a wireless SSID from broadcasting and remove it from all Access Points, follow the steps below in your Ruckus ZoneDirector.
- Log in to ZoneDirector
- Click "Configure" and go to "WLANs"
- Find "WLAN Groups" under the "WLANs" section
- If you are using "System Default Group", select it and click Edit. Then uncheck the SSID you want to stop broadcasting and remove from all APs, and click "OK".
- If you are using a "Custom Group", do the same as in the step above.

Now your SSID has been disabled and removed from all Access Points.
You can verify by going to Dashboard and checking "Most Recent System Activities".

That's all.

Have a good time.
(Be knowledgeable, pass it on then)

Troubleshooting unable to PING issue on Cisco RV215W

I had to configure and install one Meg@POP router at a site office.
Configuration is very simple: just WAN, LAN and static routing.
After all configuration was done, I could PING from the router and a client to the SingTel-side IP and HQ-side IP, but not from them.
I reviewed the simple configuration repeatedly and was unable to find anything wrong.
But then I checked the Firewall settings, since this router has security features included.
Then I realized the "Block WAN Request" checkbox was checked and needed to be unchecked.
After I unchecked it and saved, SingTel and HQ could PING this router successfully.

Thanks God.

So if you are having the same issue as me while configuring the Cisco RV215W Wireless VPN Router, just do not forget to uncheck "Block WAN Request" and save, to be able to PING from outside.



Have a good time.
(Be knowledgeable, pass it on then)