Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

(July 2010) Posts

Microsoft LNK Vulnerability Brief Technical Analysis (CVE-2010-2568)

Posted: 20 Jul 2010 12:34 PM | Matt Oh | no comments

A few days ago, an exploit used for highly targeted attacks was published here: CVE-2010-2568 Lnk shortcut. As that blog post, and others, state, the problem lies in the Windows Control Panel's shortcut icon display routine. The original post shows a stack trace of the exploit's results, which also serves to explain the vulnerability. The nature of the vulnerability is pretty clear, but out of curiosity we did some reverse engineering, and here is what we found.

The bug itself is a design flaw, as many people have stated, and it is very straightforward to locate the point where it happens. The vulnerable file is shell32.dll and the vulnerable routines are Control Panel-related. We loaded the binary into a disassembler and found that the Control Panel file-related routines start with a “CPL_” prefix. Drawing 1 shows the relations between the CPL initialization routines and the data flow; the “LoadLibraryW” API, in red, is the vulnerable one.

Drawing 1: The flow of the related routines and data

The icon extraction routine calls “CPL_FindCPLInfo” to find the icon information of the target file. “CPL_FindCPLInfo” is basically a wrapper around all the CPL-related routines: the CPL module is loaded and initialized before any information is read from it. One of the initialization routines, “_LoadCPLModule”, calls the “LoadLibraryW” API to load the target CPL dll for future use, and the module handle acquired from this call is used later in the “_InitializeControl” routine with the “LoadImage” API.

There are ways to acquire an icon handle from a dll without loading it, but in this case the programmer chose to load the target dll for some reason, and that choice opens the vulnerability. It looks like the security side-effects of one module were not fully evaluated before it was combined with other modules. We recommend following this Microsoft security advisory and disabling icon display or the WebClient service until a patch for this flaw is released.
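The post explains the flaw as shell32 calling LoadLibraryW on whatever CPL module a shortcut names, so the artifact worth triaging on disk or in mail attachments is a .lnk whose target ID list carries a DLL path. The script below is an added example, not code from the original post or from Websense: it parses the ShellLinkHeader and LinkTargetIDList of the public MS-SHLLINK format and flags any item ID that embeds a DLL file name. The sample shortcuts and the path inside them are constructed test data, and the ".dll" heuristic is mine; it will also flag some legitimate Control Panel shortcuts, so treat hits as triage candidates rather than verdicts.

```python
import struct

# Constants from the public MS-SHLLINK specification.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x00000001                             # LinkFlags bit 0


def parse_lnk(data):
    """Parse the ShellLinkHeader and, when present, the LinkTargetIDList.

    Returns {"flags": LinkFlags, "items": [raw ItemID bytes, ...]}.
    Only the fields needed for the check below are decoded.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a shell link (bad HeaderSize or LinkCLSID)")

    items = []
    if flags & HAS_LINK_TARGET_ID_LIST:
        (idlist_size,) = struct.unpack_from("<H", data, HEADER_SIZE)
        pos = HEADER_SIZE + 2
        end = min(pos + idlist_size, len(data))
        while pos + 2 <= end:
            (item_size,) = struct.unpack_from("<H", data, pos)
            if item_size == 0:          # TerminalID ends the list
                break
            if item_size < 2 or pos + item_size > end:
                raise ValueError("malformed ItemID")
            items.append(data[pos + 2:pos + item_size])
            pos += item_size
    return {"flags": flags, "items": items}


def dll_path_items(parsed):
    """Heuristic (mine, not the post's): return ItemIDs that embed a DLL file name,
    either as ASCII or as UTF-16LE. Such shortcuts deserve manual triage."""
    needles = (b".dll", ".dll".encode("utf-16-le"))
    return [item for item in parsed["items"]
            if any(n in item.lower() for n in needles)]


def triage_lnk(data):
    """Return 'not-a-lnk', 'no-target-idlist', 'clean' or 'suspicious'."""
    try:
        parsed = parse_lnk(data)
    except ValueError:
        return "not-a-lnk"
    if not parsed["flags"] & HAS_LINK_TARGET_ID_LIST:
        return "no-target-idlist"
    return "suspicious" if dll_path_items(parsed) else "clean"


def build_sample_lnk(item_payloads, flags=HAS_LINK_TARGET_ID_LIST):
    """Construct a minimal .lnk byte string for testing (constructed sample data;
    every header field other than HeaderSize, LinkCLSID and LinkFlags is zero)."""
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, flags)
    header += b"\x00" * (HEADER_SIZE - len(header))
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return header
    idlist = b"".join(struct.pack("<H", len(p) + 2) + p for p in item_payloads)
    idlist += b"\x00\x00"                               # TerminalID
    return header + struct.pack("<H", len(idlist)) + idlist


# Constructed samples: an ordinary-looking item, and one carrying a made-up DLL path.
BENIGN_LNK = build_sample_lnk([b"\x1f\x50" + b"\x00" * 18])
DLL_LNK = build_sample_lnk([b"\x1f\x50" + b"\x00" * 18,
                            b"\x00" + r"C:\sample\payload.dll".encode("utf-16-le") + b"\x00\x00"])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_LNK), ("dll-path", DLL_LNK)):
        print(name, triage_lnk(blob))
```

To run it over a directory, read each .lnk file in binary mode and pass the bytes to triage_lnk(); a result of "suspicious" means the shortcut names a DLL in its target list and should be looked at by hand.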



Hack In The Box first time in Europe

Posted: 12 Jul 2010 12:57 AM | Tamas Rudnai | 1 comment(s)

I have just come back from Amsterdam, where I was a speaker at the Hack In The Box conference. HITB held its annual conference here in Europe for the first time. The event was hosted in the beautiful 'Venice of the North', Amsterdam (Netherlands), the home of canals, windmills, tulips, and probably the best cheese in the world. One of the most beautiful hotels in the heart of Amsterdam, the Krasnapolsky, offered a welcoming environment for this occasion.

My subject was FireShark, an open source tool written by Stephan Chenette, our Principal Security Researcher at Websense. Stephan originally created an ultimate de-obfuscation tool by hooking Internet Explorer's DLLs and dumping eval and document.write calls. This tool was presented at Toorcon last year and the code was released. Later on he moved to a Firefox plugin, where he could use proper APIs provided by Firefox instead of hooking function calls in DLLs. He also added new ideas to the project, which gave the tool new functionality.

Currently FireShark covers two main problems: ultimate de-obfuscation, and creating a graphical map of compromised Web sites. Both of these features are based on monitoring Firefox's internals to discover redirections, iframes and newly created DOM objects. Because the Web page is loaded into a real browser instead of an emulator, it does not matter how the obfuscation works: the browser sees all the results of the JavaScript code running while visiting the page, and FireShark logs them. No emulation is involved, therefore this is an 'ultimate de-obfuscation'. Later on this log can be analyzed to see the real intention of the code. In the meantime it also logs all redirections and iframes made by the page, and that data can be post-processed to generate a nice graphical map of the connections made to other Web pages. For example, if there is a mass-injection campaign we could see that all the compromised Web sites are making connections to one suspicious landing site. Will we discover something new by seeing all of these? Hopefully that question will be answered soon.

This year at the HITB conference, we had the option to hear many very interesting talks from security experts from all over the world, including deep analysis of shellcode, hardware hacking, and a trip into the Russian cyber underground. I attended the following talks:

Keynote 1: Security Chasm - Dr Anton Chuvakin

Anton is a well-known security expert and the author of many books on this subject. In his talk he emphasized the importance of focusing on real security issues rather than conceptual theories. He wondered why people are more afraid of getting a fine for not wearing a seatbelt than of the risk to their life. He also gave a nice overview of the history of information security and a prediction of how it will change in the next 5 or 10 years.

Breaking Virtualization by Switching to Virtual 8086 Mode - Jonathan...



This Month in the Threat Webscape - June 2010

Posted: 09 Jul 2010 06:32 PM | Jay Liew

Month of June

Security conferences are a great way to learn about what's on the cutting edge, germinate and cross-pollinate ideas, and establish real-world relationships within the tight-knit community of white hat hackers. This past month, we presented at both EUSecWest in Amsterdam and SyScan in Singapore. If you missed us there, not to worry: in just a few weeks we are presenting at Black Hat and DEF CON, both in Las Vegas. Come say hi to us!

Major hits

Every major event and news item is followed very closely by exploiters looking to turn a profit. It may be the death of a celebrity or a major event such as the FIFA World Cup; the bad guys are always there. With the World Cup still ongoing, we continue to see targeted attacks exploiting known zero-day PDF vulnerabilities, the infamous 419 scam letters, phishing attempts, and of course the more popular than ever Blackhat SEO scareware campaigns.

More than 100k popular Web sites were compromised last month by a mass injection targeting IIS servers running the ASP.NET platform. The attack came from Chinese IP addresses, and the injected iframe led to a Chinese-hosted domain, http://www.ro[REMOVED]nt.us, serving juicy Mal/Behav-290 malware. The majority of the Web sites were cleaned up in a matter of hours.

Apple, Inc. was accused of a data breach resulting in the loss of 100k email addresses and ICC-ID numbers. A few hours later the finger was pointed at the real miscreant: an AT&T designed and secured Web application allowed the Goatse hacker group to match ICC-IDs with the email addresses iPad users use to access their iTunes accounts. Observations? If you are a developer, carefully design and review for security and secure coding practices. If you are a hacker, do not irritate a giant without very good armor.

Web 2 dot uh oh

It seems like everyone on the Web today is trying to figure out how to leverage social networking tools (Facebook, Twitter) for "viral" marketing. Even the bad guys. This month, the baddies used a clever combination of social and technical tricks to boost their own reputation and get over 15,000 people to 'like' them on Facebook. The social-engineering trick started off with a lure (as they all do) to see the "best passport application rejection in history". Behind the scenes, an invisible Facebook 'like' button follows your mouse cursor, guaranteeing that you click it regardless of where you click on the malicious Web site. The consequence of clicking the hidden 'like' button is that a link to the site is posted on your Facebook profile for all your friends to see, and if they too click on it, the cycle repeats itself. In a separate Facebook scam involving the lure 'Teacher nearly killed this boy', a rogue Facebook app requested permission to access the viewer's profile information and to post content on the viewer's Facebook wall. Users who don't pay attention...



Fake Input Method Editor (IME) Trojan

Posted: 05 Jul 2010 02:26 AM | Hermes Li | no comments

Websense® Security Labs™ ThreatSeeker™ Network has detected a type of trojan that uses the Windows input method editor (IME) to inject itself into a system. An IME is an operating system component or program that allows users to enter characters and symbols not found on their input device. For example, it could allow a user of a 'Western' keyboard to input Chinese, Japanese, Korean, and Indic characters. The trojan installs itself as an IME, then kills any running antivirus processes and deletes the installed antivirus executable files.

The original executable file of this trojan disguises itself as an antivirus update package. When a user runs the trojan, it creates a file named winnea.ime under the system folder. The .ime file type is primarily associated with Microsoft's 'Global Input Method Editor'. In this case, winnea.ime is a Dynamic Link Library (DLL) file that pretends to be an input method file and is installed as an input method. The input parameter "5Ah" is passed to the SystemParametersInfo function (sub_131486C0) to change the user profile in the Windows registry and set the default IME.

When the user opens the default input method, winnea.ime loads and checks for the processes on its antivirus list. At the same time, winnea.ime drops a file named pcij.sys into the system folder and loads it as a driver. It then calls DeviceIoControl to kill the running process of any antivirus on the list; the control code is sent to the driver pcij.sys. The pcij.sys driver finds all running antivirus processes and kills them, calling the ObReferenceObjectByHandle function to do so.

This quick analysis shows an interesting way that trojans can use to inject themselves into a system. The input method in Windows is now a popular way for hackers to inject malicious code. Websense Messaging and Websense Web Security customers are protected against these attacks.
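The dropped winnea.ime only runs because Windows accepts it as a registered input method, and the post notes that the trojan makes it the default IME through SystemParametersInfo with parameter 5Ah (that value is SPI_SETDEFAULTINPUTLANG). Installed IMEs are registered as subkeys of HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layouts, each with an "Ime File" value, so one offline check during an investigation is to export that key with reg export and compare every IME file against a known-good list. The script below is an added example, not part of the original post or of Websense's tooling: it parses a .reg export and reports IME entries whose file is not on an analyst-supplied allowlist or is given as a path rather than a bare system-folder file name. The sample export, its layout ids and the allowlist are constructed; a real allowlist has to be built from a clean reference host of the same Windows build.

```python
import re

# A .reg export (from "reg export ...") is plain text: bracketed key paths followed by
# "Name"="Value" lines. Only REG_SZ values are needed for this check.
_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

LAYOUTS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts"


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: string_value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape quotes and backslashes inside string values.
            keys[current][m.group(1)] = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return keys


def audit_ime_files(keys, allowlist):
    """Return (layout_id, ime_file, reason) for every registered IME whose
    "Ime File" value is not a bare file name on the analyst-supplied allowlist."""
    allowed = {name.lower() for name in allowlist}
    prefix = LAYOUTS_KEY.lower() + "\\"
    findings = []
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        ime_file = values.get("Ime File")
        if ime_file is None:
            continue                       # plain keyboard layout, no IME involved
        layout_id = path.rsplit("\\", 1)[1]
        if "\\" in ime_file or "/" in ime_file:
            findings.append((layout_id, ime_file, "IME given as a path instead of a bare system-folder file name"))
        elif ime_file.lower() not in allowed:
            findings.append((layout_id, ime_file, "IME file not on the allowlist"))
    return findings


# Constructed sample export: one plain layout, one known IME, and one entry pointing
# at a file named like the dropper in the post. The layout ids and text are made up.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000409]
"Layout File"="KBDUS.DLL"
"Layout Text"="US"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E0200804]
"Ime File"="PINTLGNT.IME"
"Layout File"="kbdus.dll"
"Layout Text"="Chinese (Simplified) - Microsoft Pinyin"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E0FF0804]
"Ime File"="winnea.ime"
"Layout File"="kbdus.dll"
"Layout Text"="Chinese (Simplified) - Microsoft Pinyin"
"""

# Placeholder allowlist: build the real one from a clean reference host.
KNOWN_IME_FILES = ["PINTLGNT.IME"]

if __name__ == "__main__":
    for finding in audit_ime_files(parse_reg_export(SAMPLE_EXPORT), KNOWN_IME_FILES):
        print(*finding)
```

On the host under investigation, export the key with `reg export "HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layouts" layouts.reg` and feed the file's text to parse_reg_export(); any finding names a layout id whose IME file should be pulled for analysis.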


Article Alley compromised

Posted: 05 Jul 2010 12:44 AM | Xue Yang | no comments

Websense Security Labs™ ThreatSeeker™ Network has detected that Articlealley.com has been compromised and injected with obfuscated code. Article Alley is a free article directory that aims to help authors promote and syndicate their content. It allows authors and promoters to get their articles out on the Web with the potential of being read by millions of readers. This site was compromised at the root domain, and as a result all of its sub-pages were infected by the attack.

Screenshot of the infected site:

Screenshot of the injected code:

After de-obfuscation, the redirection chain shown below confirms that the injection reaches the final page, which was itself still heavily encoded. At first glance the malicious code is fairly extensive and complex, but the decryption method used is quite simple. First we replace all instances of 'SS KWKW o' in the two long variables with '%'. The next step is to decode the two variables by running them through the unescape() function twice.

Snapshot of the decrypted code:

The attack targets the Microsoft Help and Support Center 0-day vulnerability CVE-2010-1885, which you can get more details of here. At the time of publishing this blog, the site has been cleaned and the malicious code removed. Websense Messaging and Websense Web Security customers are protected against this attack.
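The decoding procedure described above (restore '%' for every 'SS KWKW o', then unescape twice) is simple enough to script, so here it is as an added Python example, not the post's own code and not the real injected script: a JavaScript-compatible unescape(), the two-step decoder, and a helper that pulls the string variables out of an injected script block so the decoder can be run over a saved page. The sample script and its two variables are constructed and decode to a harmless document.write call; the real injected exploit code is not reproduced. The js_escape() helper exists only to build that sample in the same scheme.

```python
import re

# JavaScript escape()/unescape() use %XX for code points below 256 and %uXXXX above.
_ESCAPED = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
_SAFE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789@*_+-./")


def js_unescape(text):
    """Equivalent of JavaScript unescape(): decode %XX and %uXXXX, leave everything else."""
    return _ESCAPED.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def js_escape(text):
    """Equivalent of JavaScript escape(); used here only to build the constructed sample."""
    out = []
    for ch in text:
        cp = ord(ch)
        if ch in _SAFE:
            out.append(ch)
        elif cp < 256:
            out.append("%%%02X" % cp)
        else:
            out.append("%%u%04X" % cp)
    return "".join(out)


def deobfuscate(blob, token="SS KWKW o", rounds=2):
    """Reverse the scheme from the post: put '%' back for every token, then unescape twice."""
    text = blob.replace(token, "%")
    for _ in range(rounds):
        text = js_unescape(text)
    return text


_VAR_RE = re.compile(r'var\s+([A-Za-z_$][\w$]*)\s*=\s*"([^"]*)"')


def decode_script(script, token="SS KWKW o", rounds=2):
    """Find every double-quoted string variable in the injected script and decode it."""
    return {name: deobfuscate(value, token, rounds) for name, value in _VAR_RE.findall(script)}


def obfuscate(text, token="SS KWKW o", rounds=2):
    """Build a sample in the same scheme: escape twice, then hide every '%' behind the token."""
    for _ in range(rounds):
        text = js_escape(text)
    return text.replace("%", token)


# Constructed, harmless stand-in for the two long variables seen in the injection.
PART_A = 'document.write("<p>decoded: constructed sample, '
PART_B = 'no payload</p>");'
SAMPLE_SCRIPT = ('var a="%s";var b="%s";'
                 'document.write(unescape(unescape((a+b).replace(/SS KWKW o/g,"%%"))));'
                 % (obfuscate(PART_A), obfuscate(PART_B)))

if __name__ == "__main__":
    for name, decoded in decode_script(SAMPLE_SCRIPT).items():
        print(name, "->", decoded)
```

The token and the number of unescape rounds are parameters because injected scripts of this kind vary only in those two details; for a saved page, pass the text of the injected script block to decode_script() and inspect the returned strings rather than executing them.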

