Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Latest Blog Posts


May 2010 Posts

Zeus is forwarding Adobe updates again

Posted: 18 May 2010 10:02 AM | Chris Astacio


Websense® Security Labs™ ThreatSeeker™ Network has detected a new batch of malicious emails carrying Zeus payloads. This campaign is very similar to another which Adobe reported on a couple of weeks ago. The social engineering tricks in this campaign have gotten considerably better. The...

"Sexiest Video Ever" on Facebook

Posted: 15 May 2010 04:15 AM | Patrik Runald


A new piece of malware is making its way across Facebook in messages that claim to be "the sexiest video ever". A screen shot of the message can be seen below. When clicking on the "video" you are taken to an application installation screen asking you to allow it to access your profile,...

This Month in the Threat Webscape - April 2010

Posted: 13 May 2010 07:05 AM | Jay Liew


Major hits: Palm's mobile platform, WebOS, failed many basic security measures. White hat hackers found that WebOS could be exploited by specially crafted text messages (SMS). The Apache Foundation's web servers were compromised in an attack that used a combination of cross-site scripting...

New Malspam: Please review my CV, Thank you!

Posted: 11 May 2010 08:33 PM | Tim Xia


Websense® Security Labs™ ThreatSeeker™ Network has discovered a new job-search-themed malware spam outbreak today. The spam is designed to reach the inboxes of Human Resources staff and infect their computers; it asks them to review a CV without stating what position the application...

Don't use that new Facebook Toolbar, I mean backdoor!

Posted: 11 May 2010 08:20 AM | Chris Astacio


Today our email honeypots found a new message that purported to be from Facebook, advertising a new toolbar. The From line was spoofed so that the message appeared to have been sent by the Facebook team. There is no specific recipient name in the message, so it is very generic in how it is addressed...

BlackHat SEO Abuse Of UK General Election

Posted: 07 May 2010 03:24 PM | Carl Leonard


Websense Security Labs™ ThreatSeeker™ Network has discovered that search terms relating to the UK General Election are delivering rogue antivirus to end users through the use of BlackHat SEO. The British General Election polls closed yesterday, and news of the results is gradually making...

phpnuke.org has been compromised

Posted: 07 May 2010 07:25 AM | Tamas Rudnai


Websense® Security Labs™ ThreatSeeker™ Network has discovered that the popular Web site, phpnuke.org, has been compromised. PHP-Nuke is a popular Web content management system (CMS), based on PHP and a database such as MySQL, PostgreSQL, Sybase, or Adabas. Earlier versions were open source...

Buying iTunes Gift Certificate Malware Spam

Posted: 06 May 2010 05:51 PM | Tim Xia


Websense® Security Labs™ ThreatSeeker™ Network has discovered that a "Thank you for buying iTunes Gift Certificate!" themed malware spam campaign is spreading quickly across the Internet. It disguises itself as a notification from the iTunes Store, asking users to open the attached malware...

Extracting Malicious Codes from the Process Memory: ZeuS Case

Posted: 04 May 2010 06:53 PM | Anonymous


In my last article, Analyzing Malwares Using Microsoft Tools, we collected a process dump image with an infected ZeuS variant inside it. In this article, we will go through the procedure for separating the ZeuS part from the other parts. With the extracted binary data, we can apply a disassembling process...
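The post's procedure separates the injected ZeuS image from the rest of the process dump; the article itself does that with Microsoft tools. As an added example that is not the author's code, the following Python script shows the same idea done by hand: walk the dump for `MZ` signatures, validate the `e_lfanew` pointer, the `PE\0\0` signature and the optional-header magic, and carve `SizeOfImage` bytes from each genuine header. The dump, the fake PE image and the `ZEUS-MARKER` string are constructed test data, not bytes from a real sample; a decoy `MZ` with a nonsensical `e_lfanew` is included to show that the validation rejects false hits.

```python
"""Carve PE images out of a raw process-memory dump by header validation.

Added example (not the Websense article's own tooling). All input data is
constructed below; nothing here comes from a real ZeuS sample.
"""
import struct


def _check_pe_at(dump, pos, max_e_lfanew):
    """Validate a candidate 'MZ' at pos; return (offset, size_of_image, image) or None."""
    if pos + 0x40 > len(dump):
        return None
    e_lfanew = struct.unpack_from("<I", dump, pos + 0x3C)[0]
    if not 0x40 <= e_lfanew <= max_e_lfanew:        # DOS stub is small in practice
        return None
    pe = pos + e_lfanew
    if dump[pe:pe + 4] != b"PE\0\0":
        return None
    if pe + 24 + 60 > len(dump):                     # need Magic and SizeOfImage
        return None
    magic = struct.unpack_from("<H", dump, pe + 24)[0]
    if magic not in (0x10B, 0x20B):                  # PE32 / PE32+
        return None
    # SizeOfImage sits at optional-header offset 56 for both PE32 and PE32+.
    size_of_image = struct.unpack_from("<I", dump, pe + 24 + 56)[0]
    if size_of_image < e_lfanew + 24 + 60 or size_of_image > 64 * 1024 * 1024:
        return None
    return (pos, size_of_image, dump[pos:pos + size_of_image])


def carve_pe_images(dump, max_e_lfanew=0x400):
    """Return a list of (offset, size_of_image, image_bytes) for every valid PE header."""
    found = []
    pos = dump.find(b"MZ")
    while pos != -1:
        hit = _check_pe_at(dump, pos, max_e_lfanew)
        if hit:
            found.append(hit)
            pos = dump.find(b"MZ", pos + hit[1])    # skip past the carved image
        else:
            pos = dump.find(b"MZ", pos + 1)
    return found


def build_fake_image(size_of_image, marker):
    """Construct a minimal PE-shaped blob (test data only; not a runnable binary)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: i386, 1 section, 224-byte PE32 optional header, EXE|32BIT flags.
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 56, size_of_image)   # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x200)           # SizeOfHeaders
    img = dos + b"PE\0\0" + coff + bytes(opt) + marker
    img += b"\0" * (size_of_image - len(img))
    return bytes(img)


# Constructed dump: noise, a decoy 'MZ' with an absurd e_lfanew, noise, the fake
# image, noise. The fake image therefore starts at 0x800 + 0x42 + 0x800 = 0x1042.
NOISE = bytes((i * 7 + 3) & 0xFF for i in range(0x800))
FAKE_ZEUS = build_fake_image(0x1000, b"ZEUS-MARKER")
DECOY = b"MZ" + b"\xff" * 0x40
SAMPLE_DUMP = NOISE + DECOY + NOISE + FAKE_ZEUS + NOISE


def carve_sample():
    """Run the carver over the constructed dump."""
    return carve_pe_images(SAMPLE_DUMP)


if __name__ == "__main__":
    for offset, size, image in carve_sample():
        print("PE image at 0x%x, SizeOfImage 0x%x, marker present: %s"
              % (offset, size, b"ZEUS-MARKER" in image))
```

What comes out is the in-memory layout, so sections sit at their virtual addresses rather than their file offsets; before handing the carved bytes to a disassembler that expects an on-disk PE, set each section's PointerToRawData equal to its VirtualAddress (and SizeOfRawData to VirtualSize), or load it as a raw image at the original base.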

Treasury websites compromised

Posted: 03 May 2010 04:50 PM | Patrik Runald


A few US Treasury websites were compromised today and served a hidden iframe containing exploit code to anyone who visited the following three sites: bep.gov, bep.treas.gov and moneyfactory.gov. The code that was loaded can be seen in the screen shot below. This iframe loads a page from gr[REMOVED]ad...
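The injection described above, a hidden iframe that pulls an exploit page from a third-party host, is something a site owner can check their own pages for. The following is an added example, not code from the Websense post: a small Python scanner that parses a page, flags iframes hidden through a zero-size frame or `display:none` / `visibility:hidden`, and notes whether the frame's source is off-host. The HTML sample and the `.invalid` hostnames in it are constructed for illustration; `bep.gov` is used only as the page host being scanned.

```python
"""Flag hidden <iframe> injections in a page's HTML.

Added example (not the Websense post's code). SAMPLE_PAGE is constructed
test data; the *.invalid hostnames are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(attrs, name):
    """Pixel width/height from inline style or the HTML attribute, else None."""
    style = attrs.get("style", "").lower()
    m = re.search(r"(?<![a-z-])%s\s*:\s*(\d+)" % name, style)   # ignores max-width etc.
    if m:
        return int(m.group(1))
    m = re.match(r"\s*(\d+)", attrs.get(name, ""))
    return int(m.group(1)) if m else None


def is_hidden(attrs):
    """True if the frame is invisible: CSS-hidden or at most 1x1 pixels."""
    style = attrs.get("style", "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        return True
    w, h = _dimension(attrs, "width"), _dimension(attrs, "height")
    return w is not None and h is not None and w <= 1 and h <= 1


def find_hidden_iframes(html, page_host):
    """Return (src, reason) for each hidden iframe; reason says if src is off-host."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        if not is_hidden(attrs):
            continue
        src = attrs.get("src", "")
        host = urlparse(src).hostname or page_host      # relative src stays on-host
        third_party = host != page_host and not host.endswith("." + page_host)
        findings.append((src, "third-party host" if third_party else "same host"))
    return findings


# Constructed page: one legitimate banner frame and two injected, hidden frames.
SAMPLE_PAGE = """<html><body>
<h1>Bureau of Engraving and Printing</h1>
<iframe src="/banner.html" width="468" height="60"></iframe>
<iframe src="http://attacker.invalid/in.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://other.invalid/x.html" style="display:none"></iframe>
</body></html>"""


if __name__ == "__main__":
    for src, reason in find_hidden_iframes(SAMPLE_PAGE, "bep.gov"):
        print("hidden iframe -> %s (%s)" % (src, reason))
```

Run this against a fresh fetch of each page on a schedule and diff the result against a known-good baseline; a new hidden frame pointing off-host is a strong signal that the page content has been tampered with, even before the exploit code it loads has been analysed.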