Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.


(May 2010) Posts

Game Channel of MOP BBS compromised

Posted: 30 May 2010 11:19 PM | Xue Yang | no comments

Websense Security Labs™ ThreatSeeker™ Network has discovered that the game channel of MOP BBS has been compromised. Mop.com is one of the largest and most influential forums in China. It was the birthplace of Chinese network culture and has grown into a website that integrates a forum, news, games, entertainment and more into one huge multimedia information platform. Mop.com has over 50 million registered users and over 200 million daily views, making it the world's 275th most popular website according to Alexa. The website is especially popular amongst World of Warcraft fans.

The snapshot of the compromised site:

Below is the redirection chain of the site:

This site contains a reference to the JavaScript file ajax.js, which has been modified and injected with malicious code by cyber-criminals. The injection code in ajax.js:

The compromise uses a technique often used by BlackHat SEO attackers: only visitors who open the page from baidu.com search results (the very popular search engine in China) receive the malicious code. The code then does another check to see whether the popular Chinese antivirus software 360 Safeguard is installed. If it is not installed, the code continues to exploit the PC (step 2 in the chain). After that it redirects to the two URLs shown in step 3. The two sites carry the same payload, and both use the Microsoft Internet Explorer vulnerability MS10-018 to infect the user.

After a quick analysis we found that the shellcode in the exploit downloads a remote executable file called 55.exe. The file is encrypted and has very low anti-virus detection. Code from the file can be seen below:

The shellcode in the exploit is then used to decode the file. Below is the encryption algorithm, which just uses a single-byte XOR with 0x95:

After being decrypted, the file is detected as an online game information stealer. Websense Messaging and Websense Web Security customers are protected against this attack.
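The single-byte XOR described above is trivial to undo, and because there are only 256 possible keys it can also be recovered without the shellcode whenever the decoded file is expected to start with a known header. The following is an added example, not code from the post or from the malware: it XOR-decodes a constructed stand-in for the dropped executable and recovers the key by testing for the MZ header. The sample bytes and the helper names are this example's own.

```python
# Added example (not code from the Websense post or from the malware): undo a
# single-byte XOR obfuscation and recover an unknown single-byte key from a
# known header. The sample "executable" below is constructed here; it is not
# the real 55.exe.
from typing import Optional, Tuple

KNOWN_KEY = 0x95  # the key the post reports for 55.exe

# Constructed stand-in for a dropped Windows executable: the MZ DOS header
# followed by a few filler bytes. Only the first two bytes matter for the check.
SAMPLE_PLAINTEXT = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
                    b"This program cannot be run in DOS mode.")


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte. XOR is its own inverse, so the same
    call both encodes and decodes."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key for b in data)


def recover_xor_key(blob: bytes, expected_prefix: bytes = b"MZ") -> Optional[int]:
    """Try all 256 single-byte keys and return the one under which the blob
    begins with expected_prefix, or None if no key fits. Two known plaintext
    bytes are enough to pin a single-byte key down."""
    if len(blob) < len(expected_prefix):
        return None
    for key in range(256):
        if xor_single_byte(blob[:len(expected_prefix)], key) == expected_prefix:
            return key
    return None


def build_sample_blob() -> bytes:
    """Obfuscate the sample the way the post describes: XOR each byte with 0x95."""
    return xor_single_byte(SAMPLE_PLAINTEXT, KNOWN_KEY)


def analyse(blob: bytes) -> Tuple[Optional[int], Optional[bytes]]:
    """Recover the key and decode; returns (None, None) if no key matches."""
    key = recover_xor_key(blob)
    if key is None:
        return None, None
    return key, xor_single_byte(blob, key)


if __name__ == "__main__":
    blob = build_sample_blob()
    key, decoded = analyse(blob)
    print("recovered key 0x%02x, decoded header %r" % (key, decoded[:2]))
```

Because the key space is only 256 values, any two bytes of known plaintext (the MZ signature here, or the 0x1F8B gzip signature for a compressed drop) identify the key, which is why single-byte XOR hides a file from signature scanners but not from an analyst.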



Most Hilarious Video attack on Facebook

Posted: 28 May 2010 01:11 PM | Patrik Runald | no comments

Attacks on Facebook during weekends are unfortunately becoming a trend. For the third weekend in a row, users on Facebook are bombarded with messages on their walls talking about Distracting Beach Babes, Sexiest Video Ever, or this latest attack, which supposedly is the "Most Hilarious Video ever", shown in the screen shot below. We predicted that this attack would happen again, and unfortunately we were right.

This attack is different from previous weekends: not only do the attackers try to steal your Facebook credentials, but what happens after that depends on which country you connect from. Once you click on the link to view the video you are taken to a fake Facebook login page where you are tricked into entering your credentials. The login page looks like the real thing, except of course that if you look at the address bar you can see that you're not on facebook.com. But users can easily be tricked into thinking that they were temporarily logged out of Facebook and have to log in to continue.

Regardless of what you enter in the login form, you are then taken to a page on the real Facebook site that asks you to allow the application to access your profile. If you allow that, you're taken to a page saying that you need to update your FLV Player to view the video. Up until this point it's similar to how the two previous attacks have worked, except that this new one also has the phishing component. However, what happens now depends on which country you are connecting from. If you are coming from a US IP address you are prompted to download the FLV Player, which is detected by 35% of antivirus engines, as can be seen in the screen shot:

However, if you're coming from a UK IP address you're taken to a quiz where you have to answer 10 questions. Once completed, the user then gets the chance to win an iPad! All they have to do is fill in their address.

So instead of tricking the user into installing a malicious file, this time they're after your information in addition to your Facebook credentials from the fake login page. It's very likely that the behavior differs from the two examples we have described depending on which country you connect from. In our testing we only had the ability to test this attack from the US and the UK, but regardless of where you are connecting from you shouldn't click on the fake video, and never, ever give your Facebook username and password to a website that is not facebook.com. We also recommend that you install Defensio, our free security app for Facebook, which will protect your wall from posts like this. You can get it from http://defensio.com

Here's a video explaining this latest attack.



A bad applet in the barrel...

Posted: 26 May 2010 12:06 PM | Chris Astacio | no comments

Injecting malicious HTML code into legitimate Web sites has become commonplace in the past few years. More often than not, the attackers inject a script or iframe tag into a legitimate site, which is meant to redirect visitors to attack sites without their knowledge. Last week, however, we discovered an outlier to that trend: a malicious applet code injection. The injected applet allows the code to work as a drive-by attack that downloads and then executes a malicious application.

Screen shot of injected page:

Reviewing the applet code, we can see that a 'Client.jar' file is downloaded. This Client.jar file runs and uses some of the code found in the applet to create a .vbs file on the local system. Reviewing the contents of Client.jar, we can see that it does this by getting the contents of the parameter "windows1".

Screen shot of Client.jar:

Reviewing the applet code on the injected site, we can see a <param> tag with name='windows1'. The contents of the tag are actually one long command using cmd.exe to create a .vbs file in %temp%/winconfig.vbs. At the end of this command you can see that the .vbs file is executed to download a malicious file and place it on the local file system as %temp%/update.exe. Notice the use of the tinyurl passed to winconfig.vbs; this is probably an attempt to make the code look a bit more legitimate, as it doesn't look like it's downloading an executable file.

Screen shot of the .vbs code:

The interesting thing about these injections is the social engineering aspect of the attack. Remember that this applet code is being injected by attackers into legitimate pages, and the attack .jar file is hosted on the same infected domain. This means that you may get a few warnings popped up by Java, but most people will simply click through and ignore them, especially if they are visiting a "trusted" page. After all, who really reads warnings when they are visiting a page they have been to before? Most people would think that if a warning is coming from a page which they have been to and trusted before, there must be a false positive situation occurring.

Here is a quick video of this attack in action.

Websense Messaging and Websense Web Security customers are protected against this attack.
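As an added example (not code from the post), here is a small static scanner that a defender could run over fetched pages to flag <applet> tags whose <param> values carry a cmd.exe command line of the kind described above. The sample page, the marker list and the placeholder command inside the param value are constructed for this example; the real injected command is not reproduced.

```python
# Added example (not from the Websense post): flag <applet> tags whose <param>
# values contain a shell command, the pattern the post describes (a param named
# windows1 holding a cmd.exe one-liner that writes a .vbs into %temp%). The page
# below is constructed for this example with a placeholder command.
from html.parser import HTMLParser

# Strings that have no business inside an applet parameter on a normal page.
SUSPICIOUS_MARKERS = ("cmd.exe", "cmd /c", "%temp%", ".vbs", "cscript", "wscript")


class AppletParamScanner(HTMLParser):
    """Record every <param> nested in an <applet> whose value carries one of the
    markers, together with the applet's code/archive attributes."""

    def __init__(self):
        super().__init__()
        self.in_applet = False
        self.current_applet = {"code": "", "archive": ""}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lower-cases names, not values
        if tag == "applet":
            self.in_applet = True
            self.current_applet = {
                "code": attrs.get("code", "") or "",
                "archive": attrs.get("archive", "") or "",
            }
        elif tag == "param" and self.in_applet:
            value = (attrs.get("value") or "")
            hits = [m for m in SUSPICIOUS_MARKERS if m in value.lower()]
            if hits:
                self.findings.append({
                    "archive": self.current_applet["archive"],
                    "code": self.current_applet["code"],
                    "param": attrs.get("name") or "",
                    "markers": hits,
                })

    def handle_endtag(self, tag):
        if tag == "applet":
            self.in_applet = False


def scan_html(document: str) -> list:
    """Return one finding dict per suspicious applet parameter in the document."""
    scanner = AppletParamScanner()
    scanner.feed(document)
    scanner.close()
    return scanner.findings


# Constructed page: one harmless applet and one injected applet whose param
# holds a placeholder command (the shape the post describes, not the real one).
SAMPLE_PAGE = """
<html><body>
<applet code="Clock.class" archive="clock.jar"><param name="tz" value="UTC"></applet>
<applet code="Client.class" archive="Client.jar" width="1" height="1">
  <param name="windows1" value="cmd.exe /c echo PLACEHOLDER > %temp%\\winconfig.vbs">
</applet>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE):
        print(finding)
```

The marker list is deliberately short; in practice a scanner like this is a triage filter, and any hit should be confirmed by fetching the referenced .jar and comparing the page against a known-good copy.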



Dissecting the Distracting Beach Babes Facebook app

Posted: 26 May 2010 01:01 AM | Elad Sharf | no comments

We managed to get our hands on the malicious Facebook application that we blogged about twice in the past few weeks. In the video below we're going to dive into it and see what's going on with this app:

For those of you who can't spare the time to watch the video, this is a brief summary of how it works. The first part of the code contains Facebook-specific information such as the API key, secret key, etc. It starts off by checking whether the app has permission to post on the user's wall. If it doesn't, it prompts the user to grant it permission using Facebook APIs. It then enumerates the list of friends, picks a random set of them (the number is hardcoded to 10 in this case) and posts a message to the walls of the 10 randomly picked friends. A message is then displayed asking the user to click "Continue" to watch the video. Yet another page is displayed that loads a thumbnail of a video and overlays the image with a prompt saying that the "FLV Player" needs updating. When the user clicks on "Continue", it loads the file videoplayer.php, which does a simple redirect to http://www.flvpro.com/downloadfile.php?aff=3447_movies, where 3447_movies is the affiliate ID of the group/person behind the malicious app.

So far we have identified over 100 apps on Facebook that all work the same way; the only difference is the API and secret keys that are used. In addition to all working the same way, they also use the same Google Analytics UA ID to track visitor statistics.

Overall the app is very simple and relies fully on social engineering. The numbers from the two attacks we've seen so far prove that despite its slow propagation method (only sending the message to 10 users at a time), these types of attack unfortunately work very well.



Chinaz.com compromised

Posted: 25 May 2010 05:08 AM | WebsenseSecurityLabs | no comments

Websense Security Labs™ ThreatSeeker™ Network has discovered that the speed testing site of chinaz.com has been compromised. Chinaz.com is a very famous webmaster site that provides technical and resource downloading services in China. The daily traffic to this site is over 50,000 hits, and it has a very high Alexa rank of 179. The injected subdomain speed.chinaz.com is the page that supplies tools for testing the speed of Web sites. A snapshot of the compromised site is shown below:

This site first redirects to a JavaScript file in its own path, as shown below:

Also shown below is the malicious code the cyber-criminals injected, as opposed to the original JavaScript file:

The payload of the injected site:

This payload contains two parts: ap.js, and the obfuscated code in the script tag. When combined, we get the entire exploit code. After analyzing this, we noticed that it targets the IE vulnerability MS10-018 and downloads an executable file named dn.exe. This has a good detection rate by most AV vendors; however, dn.exe will download and execute remote files and send local information to a remote server. The process disguises itself as an AV component while at the same time suspending the AV software. At present, a bug in the malicious code fails to get the MAC address correctly, and as of this alert the site is still infected.

Websense Messaging and Websense Web Security customers are protected against this attack.



Warning for "Distracting Beach Babes" on Facebook

Posted: 22 May 2010 05:04 PM | Patrik Runald | no comments

For the second Saturday in a row Facebook users have had to deal with Facebook malware in the form of what look like sexy videos but are in fact malicious apps. This time the scam is spread in messages like this:

Just like in the previous malware attack, what happens if you click on the link is that you'll be taken to an application installation screen that requests access to your profile and access to post on your wall:

This allows the application to send its message to your friends and post it on their walls. Once the user clicks Allow, a page is displayed asking them to update their FLV Player, which prompts the download of the malicious file:

While all the download sites for the file were unavailable at the time of writing, this attack is exactly the same as last weekend's, so it's very probable that the file was yet another Hotbar Adware installer. If you haven't seen the video of how this attack works, you can check it out on our YouTube channel.

Facebook is aware of the problem and is actively removing both the wall posts and the malicious applications. Taking a look at the malicious application's information page you can see that over 1,100 users "Like" it, and every time the page is refreshed the number of fans increases. According to the page Gale Shull is the developer of the application, but it's probably safe to say that it's a fake account. We did send "her" a friend request, so we will update the page if she accepts it.

How to remove the malicious application

If you have installed the application but did not install the fake video player, we advise you to remove the application from your application settings. You do this by clicking on "Account -> Application Settings" in the top-right corner of your Facebook page. You will now see a list of all applications that can access your Facebook profile. Find the one that you just installed, in this case it's "Video wave". Just click on the X to remove it and click on "Remove" when asked. Just be careful not to remove applications that you would like to keep, as there is no way to undo the removal except to reinstall it. If you also installed the fake video player, make sure you scan your PC with up-to-date antivirus software. In addition, we advise users who installed the malicious application to change their Facebook password.

We certainly hope that "a new malware scam on Facebook every Saturday" won't turn into a trend.

Update: Upon further investigation we found that over 99 different malicious applications were used in this and last weekend's attacks.



Deciphering in psychological terms

Posted: 21 May 2010 02:18 AM | Hermes Li | no comments

Cryptography is an interesting topic for security research. Recently a researcher put out a "decode me" challenge, and this blog describes what we did, which may help others with more experience in cryptography solve the challenge once and for all.

The first step was to decode the garbled message shown below. The two "=" signs at the end of this message signify that it might be base64 encoded.

    %~~~~~~~~~~~~~~~~~~~~~~~~%
    |H4sIAAAAAAACA3P3dLOwTOxh|
    |YGF4zsBg7tHJMApGwYgE////|
    |V/zJwsjF8I9BB8QH5QkGjhYG|
    |xj/MD' gULH|
    |JrY' BbVi|
    |Tlx| Y4NgmoOxWoxH4yL5d|
    |VDR| oTseHh8f6WK359lQU|
    |qJy\ \YJOGt|
    |xhN5I\ \dlr|
    |qoJvnIznRDXvHjPWZ |SY7|
    |Lz31nKtYPklkV0F6w |AKr|
    |1E17 ,Vk5|
    |afng ,hp63R|
    |VsvNzy8u9qpU670lon11hvnS|
    |KNWuSS+vrvNf3HV05beU0NXB|
    |p71kJQQYrAFt8kQCpwMAAA==|
    %~~~~~~~~~~~~~~~~~~~~~~~~%

After removing blanks, commas, and other garbage characters, and then decoding the base64 text, we got a binary stream. This stream started with 0x1F8B, the signature of a gzip header. Unzipping the binary stream with gzip, we got a GIF picture that showed a URL for the next challenge.

In this challenge, players were asked to decrypt a cryptogram, a paragraph taken from a book:

    LFDT FXVT XQDT FTCL FCTB TPCY EGDJ SRYP JPGC PTDD LFCJ PGNY ERLQ BLOY DTFT CLFC
    TFXG RAYP BTPC YSFM YPRT OLFC LFDG PYVT XQRA TFDG QRJP GCPT DDYP QHYB LYUY HSRL
    FDTF XGRA YPVT XQLR LQML IIYP YFRL FDGP YVTX QRAT FDGQ RDTF TCYP QYWJ YER

The method by which I attacked this puzzle is best described as "Gestalt Psychology". After looking at the description, I knew that in this cryptogram the key was created by taking the title of a book. The author gave very detailed information on the method of encryption. The indications were that the author had not expended energy on making the key hard to find, and therefore the book name might be well known, making this only a game rather than an enigma.

First, I searched for "most popular books" and found some clues. I tried to use allbookstores.com with no success, but goodreads.com was much more useful. Goodreads.com is the largest social network for readers in the world. There are many popular books, but which book's title would be the key? There was another possible clue in the background of the game. The author was a computer engineer, and those trying to decrypt the challenge are obviously a group of computer guys, so the kind of books they are most conversant with would be in the computer category. So I decided to search for the book's name in that category. Finally, I tried the listed books as possible keys to replace the cipher text, and the third was correct. I had only heard of the famous one in the list, "The Mythical Man-Month", so I guessed it might be the key, and was lucky.

I took the title of the book and wrote down each unique letter from the title in the order it appeared. Once all letters from the title were used up, the remaining letters of the alphabet...
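The two steps above, as an added example rather than the challenge author's or this post's code: unwrapping a base64-then-gzip message by stripping the box characters and checking the 0x1F8B signature, and building a keyed substitution alphabet from a book title. The keyed alphabet follows the standard keyword-cipher construction (unique title letters first, then the remaining letters in alphabetical order), which is our assumption about the truncated description; the sample wrapped message and the plaintext used for the round trip are constructed, and the post's actual cryptogram is not decoded here.

```python
# Added example (not the challenge author's or the post's code). Step 1: unwrap a
# message that was gzip-compressed and then base64-encoded and laid out in a
# decorated box. Step 2: build a keyed substitution alphabet from a book title
# and encrypt/decrypt with it. The keyed-alphabet rule used here (unique title
# letters in order, then the unused letters A..Z) is the standard keyword cipher
# and is an assumption about the method the post describes.
import base64
import gzip
import re
import string

GZIP_MAGIC = b"\x1f\x8b"  # the 0x1F8B signature the post mentions


def unwrap_base64_gzip(message: str) -> bytes:
    """Drop every character outside the base64 alphabet (borders, blanks,
    commas, backslashes), decode, verify the gzip signature and decompress."""
    cleaned = re.sub(r"[^A-Za-z0-9+/=]", "", message)
    raw = base64.b64decode(cleaned, validate=True)
    if not raw.startswith(GZIP_MAGIC):
        raise ValueError("decoded stream is not gzip (no 1F8B signature)")
    return gzip.decompress(raw)


def make_decorated_sample(payload: bytes) -> str:
    """Constructed test input: gzip + base64 the payload and wrap it in a
    bordered box with stray junk characters, mimicking the challenge layout."""
    b64 = base64.b64encode(gzip.compress(payload)).decode("ascii")
    rows = [b64[i:i + 24] for i in range(0, len(b64), 24)]
    junk = " ,\\'"  # one junk character per row, cycled
    box = ["%~~~~~~~~~~~~~~~~~~~~~~~~%"]
    for i, row in enumerate(rows):
        box.append("|" + row[:10] + junk[i % 4] + row[10:] + "|")
    box.append("%~~~~~~~~~~~~~~~~~~~~~~~~%")
    return "\n".join(box)


def keyed_alphabet(title: str) -> str:
    """Unique letters of the title in order of first appearance, followed by
    the unused letters of the alphabet in their normal order (assumed rule)."""
    seen = []
    for ch in title.upper():
        if ch in string.ascii_uppercase and ch not in seen:
            seen.append(ch)
    rest = [c for c in string.ascii_uppercase if c not in seen]
    return "".join(seen + rest)


def _substitute(letters: str, src: str, dst: str) -> str:
    return letters.translate(str.maketrans(src, dst))


def encrypt(plaintext: str, title: str) -> str:
    """Plain A..Z maps position-for-position onto the keyed alphabet; non-letters
    are dropped and the output is grouped in fours like the challenge text."""
    letters = re.sub(r"[^A-Z]", "", plaintext.upper())
    ct = _substitute(letters, string.ascii_uppercase, keyed_alphabet(title))
    return " ".join(ct[i:i + 4] for i in range(0, len(ct), 4))


def decrypt(ciphertext: str, title: str) -> str:
    """Inverse of encrypt; grouping spaces are ignored."""
    letters = re.sub(r"[^A-Z]", "", ciphertext.upper())
    return _substitute(letters, keyed_alphabet(title), string.ascii_uppercase)


if __name__ == "__main__":
    wrapped = make_decorated_sample(b"NEXT CLUE: constructed sample")  # constructed
    print(unwrap_base64_gzip(wrapped))
    title = "The Mythical Man-Month"
    print(keyed_alphabet(title))
    print(encrypt("meet me at noon", title))  # constructed plaintext
```

With this rule the title "The Mythical Man-Month" yields the keyed alphabet THEMYICALNOBDFGJKPQRSUVWXZ; if the challenge used the alternative convention (keyed alphabet on the plaintext side), swapping the two arguments of the substitution in encrypt and decrypt is the only change needed.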



A Simple N-gram Calculator: pyngram

Posted: 20 May 2010 07:53 AM | Jay Liew | no comments

Updated v1.0.1 5/21/2010 - Improved the exception handling, and changed xrange(len(inputstring)) to xrange(len(inputstring)-nlen+1). Thanks to colleague Arik Baratz!

Recently, as I was trying to solve a cryptogram, I wrote a tool to parse the bigrams and trigrams from the ciphertext, tally the frequency, and then display the results sorted from the most to the least frequently occurring bigram and trigram. First, a quick history of why I did this and how it was handy.

One of the ways to solve a substitution cipher is to do a frequency analysis. Here's a typical distribution of letters in the English language. Just as it is obvious that the letter 'e' is by far the most popular in the English language, you can also calculate the most frequently occurring bigram (2 consecutive characters) and trigram (3 consecutive characters). In English, the most frequently occurring bigrams are 'th' (1.52%), 'he' (1.28%), 'in' (0.94%) (full list from Wikipedia here). For trigrams, the most popular are ' th' (note the leading whitespace), 'he ' (trailing whitespace), followed by 'the' (full list here). The biggest assumption here is that the plaintext is in English. If it's in, say, German, then you'll have to find the corresponding statistical distribution (Wikipedia has the 1-gram frequency distribution for other languages here). Whatever the plaintext's (human) language is, you'd have to find the top n-grams occurring in the ciphertext first, and that's what this calculator will do for you.

You can import the Python module and call the function calc_ngram, or just invoke the .py file from your *nix command line. Example usage from the Python shell:

    >>> from pyngram import calc_ngram
    >>> # calc_ngram(inputstring, n-gram size)
    >>> results = calc_ngram('bubble bobble, bubble bobble, bubble bobble', 3)
    >>> for l in results: print l[0] + ' occurred ' + str(l[1]) + ' times'
    ...
    bbl occurred 6 times
    ble occurred 6 times
    le  occurred 3 times
    obb occurred 3 times
     bo occurred 3 times
    e b occurred 3 times
    ubb occurred 3 times
    bub occurred 3 times
    bob occurred 3 times
    , b occurred 2 times
     bu occurred 2 times
    le, occurred 2 times
    e,  occurred 2 times

Here's the source code (download 5001.pyngram.zip), or better yet, install it with 'sudo pip install pyngram' (from Python's Package Index, the "Cheeseshop").

    #!/usr/bin/env python
    # A simple Python n-gram calculator.
    #
    # Given an arbitrary string, and the value of n
    # as the size of the n-gram (int), this code
    # snip will show you the results, sorted from
    # most to least frequently occurring n-gram.
    #
    # The 'sort by value' operation for the dict
    # follows the PEP 265 recommendation.
    #
    # Installation:
    #
    # user@host:~$ sudo pip install pyngram
    #
    # Quick start:
    #
    # from pyngram import calc_ngram
    # calc_ngram('bubble bobble, bubble bobble, bubble bobble'...
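The tally the post describes, written out as an added example (it is not the pyngram source): count every window of n consecutive characters, sort from most to least frequent, and optionally express each count as a share of all n-grams so it can be set against the English bigram and trigram percentages cited above. The input string is the post's own 'bubble bobble' sample; the percentage helper and the letters_only helper are additions of this example.

```python
# Added example (not the pyngram source): an n-gram tally written from the
# description in the post. calc_ngram returns (ngram, count) pairs sorted from
# most to least frequent, counting spaces and punctuation exactly as the
# pyngram output above does.
from collections import Counter


def calc_ngram(inputstring: str, nlen: int) -> list:
    """Count every run of nlen consecutive characters in inputstring."""
    if nlen < 1:
        raise ValueError("n-gram size must be at least 1")
    # len(inputstring) - nlen + 1 windows, the same bound as the v1.0.1 fix.
    counts = Counter(inputstring[i:i + nlen]
                     for i in range(len(inputstring) - nlen + 1))
    # Most frequent first; ties broken by the n-gram itself so the order is stable.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def ngram_frequencies(inputstring: str, nlen: int) -> list:
    """Same tally as percentages of all n-grams in the text, for comparison
    with published language tables such as the English bigram figures."""
    tallied = calc_ngram(inputstring, nlen)
    total = sum(count for _, count in tallied)
    if total == 0:
        return []
    return [(gram, round(100.0 * count / total, 2)) for gram, count in tallied]


def letters_only(text: str) -> str:
    """Lower-case letters only, for tables that ignore spaces and punctuation."""
    return "".join(ch.lower() for ch in text if ch.isalpha())


if __name__ == "__main__":
    sample = "bubble bobble, bubble bobble, bubble bobble"  # the post's sample
    for gram, count in calc_ngram(sample, 3):
        print(repr(gram) + " occurred " + str(count) + " times")
    print(ngram_frequencies(sample, 3)[:3])
```

On a real ciphertext, run calc_ngram on letters_only(ciphertext) when comparing against tables that exclude spaces, and on the raw text when the cipher preserved word boundaries, since leading and trailing spaces are exactly what make ' th' and 'he ' the top English trigrams.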


3 times lucky?

Posted: 20 May 2010 09:55 AM | Elson Lai | no comments

Websense® Security Labs™ ThreatSeeker™ Network has detected a new batch of malicious emails containing Zeus payloads. This campaign takes advantage of free site hosts to deliver malicious files using many social engineering techniques, from porn lures and e-greeting cards to messages purporting to come from your system admin.

Screen shot of malicious email:


My Wordpress blog got injected - again!

Posted: 19 May 2010 06:00 AM | Elad Sharf | no comments

At the beginning of this week and last week, the WPSecurityLock Web site published alerts on prominent WordPress injections. These injections redirect the visitor to a scareware site that falsely claims to have found an infection, i.e. a rogue AV Web site. Here is a video that shows exactly what is going on from the user's perspective when accessing a compromised Web site with this attack:



