Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.


May 2010 Posts

Zeus is forwarding Adobe updates again

Posted: 18 May 2010 10:02 AM | Chris Astacio | no comments


Websense® Security Labs™ ThreatSeeker™ Network has detected a new batch of malicious emails carrying Zeus payloads. The campaign closely resembles one that Adobe reported on a couple of weeks ago, but the social engineering has improved considerably. The messages appear to be forwarded from a Director of Information Services who supposedly received update instructions directly from an associate at Adobe. The message from the "Adobe associate" claims that the update link patches CVE-2010-0193. The message contains two links to the same IP address: one to a PDF file with instructions and one to an executable presented as the patch to apply. The executable, adbp932b.exe (SHA1 0632f562c6c89903b56da235af237dc4b72efeb3), has minimal antivirus coverage, about 7% of engines.

[Screenshot of the malicious email]

The kicker in these messages is actually the update.pdf document (SHA1 d408898e33c207eceea6d5b2affdac8ec266f77e). One would expect the PDF attached to a malicious email to carry an exploit of some sort that tries to take over the recipient's computer. This case is very different, probably because the attackers are working the social engineering angle and counting on the weakest link in the security chain, the end user. The document is benign: it repeats the download link from the email for the "security patch" and tells the reader to "Click run in each window that appears". Sharp eyes will notice that the IP address hosting the malicious application and the IP address visible in the screenshot of the document are not the same site. A clean, authentic-looking PDF is used to convince recipients that the instructions inside it are genuine.

[Screenshot of the attached PDF document]

Websense Messaging and Websense Web Security customers are protected against this attack.

Update: The attackers sending these messages have taken the social engineering a step further with the executable linked in the messages. A new executable hosted on the attacker's IP address (SHA1 7af53e5924b45ebcb48d8b17e20b66a5979600f3) behaves like a typical installer, complete with setup prompts and a EULA, but once the installation completes a backdoor has been installed on the victim's computer. Given how few of these messages we have seen, and the fact that the installer drops a backdoor, we believe this to be another targeted attack.

[Screenshots of the installation process]


"Sexiest Video Ever" on Facebook

Posted: 15 May 2010 04:15 AM | Patrik Runald | no comments


A new piece of malware is spreading across Facebook in messages that claim to be "the sexiest video ever". A screenshot of the message is shown below. Clicking on the "video" takes you to an application installation screen that asks you to allow the application to access your profile, wall and so on. Once approved, it claims you need to download an updated FLV Player to view the video and promptly sends you an EXE. This is the Hotbar adware, which displays ads in your browser based on your browsing habits. In addition, the Facebook application you just installed posts the same "sexiest video ever" message on your friends' walls on your behalf. We have seen these malicious applications use names such as K-Multimedia and Winamp.

[Screenshot of the Facebook message]

[Video showing how the attack works]

As always, be careful which links you click on Facebook. Note that if you clicked the link but did not allow the application access to your profile, you are safe. You can also install our security application for Facebook, which protects your wall from unwanted messages. It is available for free at http://defensio.com


This Month in the Threat Webscape - April 2010

Posted: 13 May 2010 07:05 AM | Jay Liew | no comments


Major hits

Palm's WebOS mobile platform failed many basic security measures: white hat hackers found that WebOS could be exploited with specially crafted text messages (SMS). The Apache Foundation's web servers were compromised in an attack that combined cross-site scripting (XSS) vulnerabilities with a URL shortener (TinyURL). In other news, 1.5 million Facebook accounts were up for sale in the malicious underground. The price per 1,000 compromised accounts was segmented by how many friends each account had (the more friends, the more valuable the account).

Web 2.0 uh oh

There was a mass compromise of fully patched WordPress installations hosted by Network Solutions. The database password is stored in plain text in the WordPress configuration file, which is supposed to be readable only by the web server (Apache) and nobody else; the victims had set the file permissions incorrectly so that it was readable by the attacker, who used the credentials to insert an iframe leading to a malicious web site. Ever wonder whether the bad guys use Twitter's API? We do. Here is an analysis of how malicious web sites use Twitter's API to make their operations appear unpredictable.

Browser and friends

A Java zero-day vulnerability was exploited in the wild. It was discovered independently by two researchers (Tavis Ormandy and Ruben Santamarta), and Tavis Ormandy reported it to Oracle. Details were published along with a demonstration exploit (one that launches the calculator). Pity that Oracle's patch arrived a little late: Websense found dozens of web sites hosting the exploit code before the patch was available. Please keep your Java installation updated. Adobe released an update for Adobe Reader that patched 15 vulnerabilities. Apple patched CVE-2010-1120 in the Safari browser; the vulnerability was discovered by Charlie Miller, who used it to hack a fully patched MacBook at Pwn2Own 2010. A QuickTime patch was also delivered this month, fixing 16 vulnerabilities. Mozilla also responded quickly to the vulnerability demonstrated at Pwn2Own 2010, fixing it in Firefox 3.6.3.

Microsoft

April's Patch Tuesday included fixes for several drive-by remote code execution vulnerabilities affecting Windows, Microsoft Exchange, and Office. Security researchers at Black Hat EU released a proof-of-concept exploit demonstrating an XSS flaw in the Internet Explorer filter that is designed to protect against XSS; Microsoft plans to release a patch in June. One of the Patch Tuesday fixes, addressing a remote code execution bug in Windows Media Services (MS10-025), failed to fix the underlying vulnerability and was re-released two weeks later, on April 27.

Hello ThreatSeeker. You've got mail!

Who says you can't teach an old dog new tricks? This month one of the longest-standing and most popular threats showed why it is still used so much, by...


New Malspam: Please review my CV, Thank you!

Posted: 11 May 2010 08:33 PM | Tim Xia | no comments


Websense® Security Labs™ ThreatSeeker™ Network has discovered a new job-search themed malware spam outbreak today. The spam is aimed at the inboxes of Human Resources staff and asks them to review a CV, without saying which position is being applied for. Some attachments are disguised as picture files, which might catch recipients off guard and make them open the attachment. We have seen more than 230,000 samples in 4 hours this morning, and the number is rising quickly.

[Screenshot of the spam]

Inside the ZIP file is an executable containing the Oficla bot. It connects to a URL in the davidopolko.ru domain for its C&C functions, and also connects to topcarmitsubishi.com.br, get-money-now.net, mamapapalol.com and li1i16b0.com. According to VirusTotal, just over half of the AV vendors detect this attack. Once run, the bot changes the desktop wallpaper to tell you that your PC is infected, then downloads and installs a rogue AV called Security Essentials 2010.

Update: Added more domains the malware connects to.

Websense Messaging and Websense Web Security customers are protected against this attack.


Don't use that new Facebook Toolbar, I mean backdoor!

Posted: 11 May 2010 08:20 AM | Chris Astacio | no comments


Today our email honeypots found a new message purporting to come from Facebook and advertising a new toolbar. The From line was spoofed so that the message appeared to have been sent by the Facebook team. There is no specific recipient name in the message, so the addressing is entirely generic. A recipient who downloads and runs the toolbar.exe file (SHA1 51bcf2fc766e7e59f9b8face45b18843a36f37a5) via the link in the message installs a backdoor that already has reasonable antivirus coverage as a Zapchast IRC backdoor.

[Screenshot of the malicious Facebook Toolbar email]

Websense Messaging and Websense Web Security customers are protected against this attack.


BlackHat SEO Abuse Of UK General Election

Posted: 07 May 2010 03:24 PM | Carl Leonard | no comments


Websense Security Labs™ ThreatSeeker™ Network has discovered that search terms relating to the UK General Election are delivering rogue antivirus to end users through BlackHat SEO. The British General Election polls closed yesterday, and news of the results is gradually making its way into the traditional press and online media. Malware authors are abusing the topical nature of the event to direct users to rogue (fake) antivirus applications, with payloads hosted on a Polish Web hosting provider, a trend we have seen recently.

[Screenshot of the Google search results]

Typical search terms that return malicious links include:

uk election news
uk election
british election 2010
british election results
uk general election 2010

The user is directed to a Web site delivering rogue antivirus:

[Screenshot of the rogue antivirus site]

A VirusTotal result for the payload file (SHA1: 15e1cdebe76aafb97409c4354cf8724542208f8c) shows a detection rate of only 25% among AV vendors.

Websense Messaging and Websense Web Security customers are protected against this attack.


phpnuke.org has been compromised

Posted: 07 May 2010 07:25 AM | Tamas Rudnai


Websense® Security Labs™ ThreatSeeker™ Network has discovered that the popular Web site phpnuke.org has been compromised. PHP-Nuke is a popular Web content management system (CMS) based on PHP and a database such as MySQL, PostgreSQL, Sybase, or Adabas. Earlier versions were free and open source software under the GNU General Public License, but it has since become commercial software. As it is still very popular in the Internet community, it is not surprising that it has become a target of blackhat attacks.

The injected iframe hijacks the browser to a malicious site, where several further iframe redirections finally land the user on a highly obfuscated malicious page. After de-obfuscating the code we can see three different exploits: two delivered through Internet Explorer and a third targeting Adobe Reader.

The first exploit targets a vulnerability in MDAC (CVE-2006-0003), described in Microsoft Security Bulletin MS06-014. If it succeeds, a malicious application is downloaded and stored as "%temp%\updates.exe". The downloaded trojan is then executed, installs itself on the computer, and attempts to contact several Web sites.

The second exploit uses a Java vulnerability to run shellcode, which in turn initiates the download. After the malicious executable is downloaded, everything proceeds as described above.

The third exploit is a PDF exploit that actually bundles three exploits targeting Adobe Reader. First, JavaScript in the HTML page checks whether Adobe Reader is exploitable by looking at its version number: the version must be between 7 and 7.1.4, 8 and 8.1.7, or 9 and 9.4. When a vulnerable version is found, the page downloads the malicious PDF file, and as Adobe Reader loads it, the malicious JavaScript embedded in the file runs automatically. The PDF contains obfuscated JavaScript that uses one of the three PDF exploits it hides: CVE-2009-4324, CVE-2007-5659, and CVE-2009-0927. If it succeeds, updates.exe is downloaded and installed in the same way as described earlier. The downloaded executable is detected by 12% of antivirus products, according to VirusTotal.

WARNING: At the time of writing, the front page of phpnuke.org still contains the malicious iframe, so we advise users to stay away from the site until it has been fixed.

Websense Messaging and Websense Web Security customers are protected against this attack.
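As an added example, not code from the original post, the version gate described above reimplemented in Python, so that an analyst can reproduce the page's decision for a given Reader build (for instance to pick which version a sandbox browser should advertise) without executing the obfuscated script. The three ranges are the ones listed in the post; treating their endpoints as inclusive, and the format of the plug-in description string the page reads from navigator.plugins, are assumptions.

```python
import re

# Version ranges the exploit page treats as exploitable, as listed in the post.
# Whether the endpoints are inclusive is an assumption (the post says "between").
TARGETED_RANGES = [
    ((7, 0, 0), (7, 1, 4)),
    ((8, 0, 0), (8, 1, 7)),
    ((9, 0, 0), (9, 4, 0)),
]


def parse_version(text):
    """Turn '9.3.2', '8.1' or '7' into a 3-tuple; raises ValueError on garbage."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError("not a dotted version: %r" % text)
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return tuple(nums)


def reader_is_targeted(version_text):
    """True if the page's gate would serve the malicious PDF to this Reader version."""
    v = parse_version(version_text)
    return any(lo <= v <= hi for lo, hi in TARGETED_RANGES)


# Assumed format of the Reader plug-in description exposed to page script:
# the version number is the trailing dotted token.
PLUGIN_RE = re.compile(r"Adobe PDF Plug-In[^0-9]*(\d+(?:\.\d+){0,2})")


def version_from_plugin_description(desc):
    """Extract the Reader version from a plug-in description string, or None."""
    m = PLUGIN_RE.search(desc)
    return m.group(1) if m else None


def triage(plugin_descriptions):
    """Map each plug-in description to the gate's decision (False if no Reader)."""
    decisions = {}
    for desc in plugin_descriptions:
        ver = version_from_plugin_description(desc)
        decisions[desc] = reader_is_targeted(ver) if ver else False
    return decisions


if __name__ == "__main__":
    # Constructed sample plug-in list, not captured from a real browser.
    sample = ["Adobe PDF Plug-In For Firefox and Netscape 9.3.2",
              "Shockwave Flash 10.0 r45"]
    for desc, hit in triage(sample).items():
        print("%-50s targeted=%s" % (desc, hit))
```

Note that a build such as 9.3.2, which was current when this was written, still falls inside the 9 to 9.4 window: the gate only filters out versions the kit has no exploit for, it does not check whether the specific bugs are patched.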


Buying iTunes Gift Certificate Malware Spam

Posted: 06 May 2010 05:51 PM | Tim Xia | no comments


Websense® Security Labs™ ThreatSeeker™ Network has discovered that a "Thank you for buying iTunes Gift Certificate!" themed malware spam is spreading quickly across the Internet. It poses as a notification from the iTunes Store and asks users to open the attached malware to confirm the certificate code it claims to contain. So far we have received over 300,000 copies of the scam in the latter part of this afternoon.

[Screenshot of the spam]

The malware attached to the spam message is detected by some heuristic AV engines, but the detection rate is still very low.

Websense Messaging and Websense Web Security customers are protected against this attack.


Extracting Malicious Codes from the Process Memory: ZeuS Case

Posted: 04 May 2010 06:53 PM | Matt Oh | no comments


In my last article, Analyzing Malwares Using Microsoft Tools, we collected a process dump image with an infected ZeuS variant inside it. In this article we will go through the procedure for separating the ZeuS part from the rest of the dump. With the extracted binary we can then disassemble it in IDA. You may wonder whether it is possible to disassemble an image taken out of a process dump. In this case the ZeuS variant injected a valid DLL image into the process and somehow managed to hide it, so that it did not appear in the loaded modules list. We can locate that image and carve it out with a few tricks.

In the previous article we found that the following APIs were hooked:

ws2_32.dll: send, WSASend, closesocket
wininet.dll: InternetCloseHandle, HttpSendRequestA, HttpQueryInfoA, InternetReadFile, InternetQueryDataAvailable, HttpSendRequestExW, InternetReadFileExA, HttpSendRequestW, HttpSendRequestExA
crypt32.dll: PFXImportCertStore
user32.dll: TranslateMessage, DefWindowProcW, NtUserBeginPaint, NtUserEndPaint, DefWindowProcA, GetClipboardData
ntdll.dll: ZwCreateThread, NtQueryDirectoryFile

With this list in mind, open the process dump file in WinDbg and use the "u" (disassemble) command to look at the first instruction of each hooked function. Some examples:

    0:000> u ws2_32!send L1
    ws2_32!send:
    71ab428a e911990c8f      jmp     00b7dba0
    0:000> u ws2_32!WSASend L1
    ws2_32!WSASend:
    71ab6233 e985790c8f      jmp     00b7dbbd
    …
    0:000> u crypt32!PFXImportCertStore L1
    crypt32!PFXImportCertStore:
    77aef748 e9f7e50889      jmp     00b7dd44
    …
    0:000> u ntdll!ZwCreateThread L1
    ntdll!ZwCreateThread:
    7c90d7d2 e955962784      jmp     00b86e2c
    0:000> u ntdll!NtQueryDirectoryFile L1
    ntdll!NtQueryDirectoryFile:
    7c90df5e e927902784      jmp     00b86f8a

Each hooked function begins with an inline jmp (opcode E9) into the same private memory region, so the targets of these inline hooks tell us where the hooking code lives. Here is the "!address" result for one of the hook targets:

    0:000> !address 00b7dd44
        00b70000 : 00b70000 - 00026000
                        Type     00020000 MEM_PRIVATE
                        Protect  00000040 PAGE_EXECUTE_READWRITE
                        State    00001000 MEM_COMMIT
                        Usage    RegionUsageIsVAD

The region starts at 0xb70000 and is 0x26000 bytes long. Private, writable and executable memory that is not backed by a module on disk is in itself a strong indicator of injected code. Dumping the start of the region with the "db" command (dump bytes) shows the 'MZ' signature and part of the DOS header: we have found the start of a PE file. All that remains is to write the region out to a file. WinDbg's ".writemem" command does exactly that; the following writes the region to "C:\Malwares\00b70000.bin":

    0:000> .writemem C:\Malwares\00b70000.bin b70000 L26000
    Writing 26000 bytes............................................................................

We open the file in IDA. It seems to be successful, until we find that there is something...
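As an added example, not code from the original article, here is a small Python script that automates the two checks walked through above: it decodes the E9 rel32 jmp at each hooked export into its absolute target (the same arithmetic WinDbg performs when it prints "jmp 00b7dba0"), confirms that every target falls inside the VAD region reported by !address, and then checks that a region written out with .writemem really starts with a DOS/PE header, reading the fields an analyst wants to know before loading it in IDA. The WinDbg lines are copied from the post; the PE image used for the header check is a constructed stub, and the helper names are mine.

```python
import re
import struct

# "u <export> L1" output copied from the WinDbg session in the post.
WINDBG_U_OUTPUT = """
ws2_32!send:
71ab428a e911990c8f      jmp     00b7dba0
ws2_32!WSASend:
71ab6233 e985790c8f      jmp     00b7dbbd
crypt32!PFXImportCertStore:
77aef748 e9f7e50889      jmp     00b7dd44
ntdll!ZwCreateThread:
7c90d7d2 e955962784      jmp     00b86e2c
ntdll!NtQueryDirectoryFile:
7c90df5e e927902784      jmp     00b86f8a
"""

# Region reported by "!address 00b7dd44" in the post.
REGION_BASE = 0x00B70000
REGION_SIZE = 0x00026000

U_LINE = re.compile(r"(?P<sym>[\w.]+!\w+):\s+(?P<addr>[0-9a-f]{8})\s+(?P<code>[0-9a-f]+)")


def decode_jmp_rel32(addr, code):
    """Absolute target of an 'E9 rel32' near jmp located at addr, or None.

    Target = addr + 5 (instruction length) + signed 32-bit displacement,
    truncated to 32 bits because this is a 32-bit process.
    """
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel = struct.unpack_from("<i", code, 1)[0]
    return (addr + 5 + rel) & 0xFFFFFFFF


def find_inline_hooks(u_output):
    """Map each export whose first instruction is a jmp to the jmp target."""
    hooks = {}
    for m in U_LINE.finditer(u_output):
        target = decode_jmp_rel32(int(m.group("addr"), 16), bytes.fromhex(m.group("code")))
        if target is not None:
            hooks[m.group("sym")] = target
    return hooks


def hooks_outside_region(hooks, base, size):
    """Exports whose hook lands outside [base, base+size): a second region to dump."""
    return sorted(s for s, t in hooks.items() if not base <= t < base + size)


def pe_header_info(data):
    """Parse the DOS and PE headers at the start of a dumped region.

    Returns None if the region does not start with 'MZ' and 'PE\\0\\0'.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, _, _, _, _opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32: ImageBase is a DWORD at offset 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:          # PE32+: ImageBase is a QWORD at offset 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        return None
    return {
        "machine": machine,
        "sections": nsections,
        "image_base": image_base,
        "is_dll": bool(characteristics & 0x2000),   # IMAGE_FILE_DLL
    }


def make_stub_pe(image_base, nsections=3, is_dll=True):
    """Constructed minimal PE32 header standing in for the dumped region."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew
    chars = 0x0102 | (0x2000 if is_dll else 0)        # 32BIT | EXECUTABLE_IMAGE | DLL
    coff = struct.pack("<HHIIIHH", 0x14C, nsections, 0, 0, 0, 224, chars)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    hooks = find_inline_hooks(WINDBG_U_OUTPUT)
    for sym, tgt in hooks.items():
        print("%-30s -> %08x" % (sym, tgt))
    print("hooks outside region:", hooks_outside_region(hooks, REGION_BASE, REGION_SIZE))
    print(pe_header_info(make_stub_pe(REGION_BASE)))
```

Two things worth comparing once pe_header_info runs on the real 00b70000.bin: if ImageBase in the header differs from the region base, the image was relocated when it was mapped; and because the dump is a memory image, its sections sit at their virtual addresses rather than at the raw file offsets recorded in the section table, which is something to keep in mind before expecting IDA to treat the file as an ordinary DLL.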


Treasury websites compromised

Posted: 03 May 2010 04:50 PM | Patrik Runald | no comments


Several US Treasury websites were compromised today and served a hidden iframe containing exploit code to anyone who visited one of these three sites:

bep.gov
bep.treas.gov
moneyfactory.gov

The injected code is shown in the screenshot below. The iframe loads a page from gr[REMOVED]ad.com (hosted in Turkey), which in turn redirects to si[REMOVED]e-g.com/jobs/ (hosted in the Netherlands), where the exploits are hosted. In this case the Eleonore Exploit Kit is used; it supports several vulnerabilities in Adobe Reader, Flash, Internet Explorer and others. The video below shows the exploit kit pushing a malicious PDF to the user that exploits a vulnerability in Adobe Reader. At the time of writing only 20% of AV vendors detected that file. Our customers were protected proactively, as we had real-time signatures that blocked all the exploits.

[Screenshot of the injected iframe code]

[Video of the exploit kit in action]
