
July 2010 Posts

Blackhat Vegas 2010
Posted: 26 Jul 2010 01:15 PM

Blackhat Vegas, one of the largest and most anticipated technical security conferences of the year, is just around the corner, and we wanted to let everyone know which talks we'll be giving and how to get in touch with us. So if you're a fellow researcher, security enthusiast, reporter, or customer and you want to talk to a few members of the Security Labs, you'll know how to find us.

Dan Hubbard, CTO of Websense, and a major driving force behind the innovation and research that comes from Websense Security Labs, will be talking at "The Cloud Security Alliance Summit" at Blackhat. Dan will be speaking on the first day of the conference, Wednesday, July 28.

The other member of our team who will be speaking is Jeongwook "Matt" Oh, senior security researcher at Websense Security Labs. Matt will be talking about the third version of DarunGrim, a free open source tool that he maintains and develops outside of his main research at Websense. If you haven't used it and are interested in binary diffing, which is very useful when you have to conduct patch diffing analysis to find the code responsible for a particular vulnerability, check out DarunGrim. Having used it myself, I can say that it's quite impressive. Matt will also be speaking on Wednesday, July 28, the first day of the conference. If you want to see the tool in action and ask Matt questions directly, he will be at the Blackhat Tools Arsenal on the second day of the conference; here is the schedule.

Besides the talks by our own team members, we're planning to attend quite a few other presentations. We'd list them here, but this year's schedule is so packed with phenomenal talks that we'd end up listing everything in the schedule having to do with taint analysis, visualizing social networks (Maltego), memory corruption attacks, the state of SSL, and so much more. It is Vegas, after all, so once the talks are done at the end of the day, we're planning to hit up as many of the Blackhat parties as we can (like Thursday night's Microsoft Party), so we hope to see you there!

Jay Liew and I (Stephan Chenette) will also be attending, and all four of us will be tweeting our locations and our opinions of the talks. You can follow our tweets and direct message us to meet up for a drink, a discussion, or an interview.

Our Websense Twitter account is: WebsenseLabs.

Here are the titles and abstracts for the two talks by Websense Security Labs speakers.

Speaker: Dan Hubbard
Title: Cloudy with a chance of misinformation


Abstract:
The biggest use of the cloud today is the use of the web and web services, platforms, and content. Users want their information and they want it NOW. With that, several new technologies have been created/added/modified to present data in real-time. One of these is real-time search.

Attackers have been utilizing weaknesses within search engine algorithms for some time now. Today it is VERY likely that you will hit a poisoned result on any named current event search. However, we have not seen attacks commonly happening within the social web through real-time search.

Search engines are embracing the social web through real-time search results. This presentation will demonstrate how to poison the real-time web with your results in real-time.

    * Will demonstrate how today’s search engine poisoning works.
    * Will demonstrate how to poison the social web through real-time search in various search engines.
    * Will include demonstrations and steps to perform actions including mitigation options.
    * Will demonstrate future vectors and possibilities.

Here is a link to the schedule for the Cloud Security Alliance:
https://www.blackhat.com/html/bh-us-10/bh-us-10-specialevents_csa.html

Speaker: "Matt" Jeongwook Oh
Title: ExploitSpotting: Locating Vulnerabilities Out Of Vendor Patches Automatically

Abstract:
We already have many kinds of binary patching systems available. There are commercial ones and free ones. But the current implementations only concentrate on finding the difference between binaries. But what security researchers really want from patch analysis is the security patches. Sometimes it's very hard to locate security patches because they are buried inside normal feature updates. The time for locating the security patches will increase drastically as more feature updates are included in the released patches. This is especially true with all the Adobe and Sun product patches. They tend to mix security patches and feature updates.

In that case, we need another way to boost the speed of the analysis: the automatic way to locate the security patches! This can be done by analyzing the patched parts and seeing if they have some specific patterns that the usual security patches have. Some integer overflow patches will have some comparison against the boundary integer values. And buffer overflow patches will involve the vulnerable "strcpy" or "memcpy" being replaced with safer functions. Even free-after-use type bugs have their own patch patterns. We will present all the common patterns that we saw and also present a way to locate them using pattern matching. But there can be more things done in addition to this simple approach. You can introduce static taint analysis to the binary diffing world. You can trace back all the suspicious variables (expressed as register values or memory locations) found in the patch by using binary diffing. And you can see if they are controllable or taintable from user-controllable input like network packets or user-supplied file input.

This automatic security patch locating ability will be beneficial to IPS rule writers. They can spend more time concentrating on what really matters instead of spending time finding the actual parts to analyze. To achieve all this, I upgraded the current implementation of the "DarunGrim" (http://www.darungrim.org) binary diffing system to support pattern matching and static taint analysis. It will become DarunGrim v3. DarunGrim is the most featured open source binary diffing implementation. I will show how fast we can locate the vendor patches that would otherwise take a few hours using other tools. All the updated source code will be released at the presentation.

We hope to see everyone at Blackhat Vegas!

Anonymous

Microsoft LNK Vulnerability Brief Technical Analysis(CVE-2010-2568)
Posted: 20 Jul 2010 12:34 PM

A few days ago, an exploit used for highly targeted attacks was published here: CVE-2010-2568 Lnk shortcut. As that blog post and others state, the vulnerability is in the Windows Control Panel's shortcut image display routine. The original blog post shows a stack trace of the exploit's results, which also serves to explain the vulnerability.

The nature of the vulnerability is pretty clear, but out of curiosity we did some reverse engineering, and here is what we found. The bug itself is a design flaw, as many people have stated, and it's very straightforward to locate the point where it happens. The vulnerable file is shell32.dll and the vulnerable routines are Control Panel-related. We loaded the binary into a disassembler and found that the Control Panel file-related routines start with a "CPL_" prefix.

Drawing 1 shows the relationships between the CPL initialization routines and the data flow between them. The "LoadLibraryW" API call, shown in red, is the vulnerable one.

Drawing 1: The flow of the related routines and data

The icon extraction routine calls "CPL_FindCPLInfo" to find the icon information for the target file. "CPL_FindCPLInfo" is basically a wrapper around all the CPL-related routines. The CPL module is loaded and initialized before any information is read from it. One of the initialization routines, "_LoadCPLModule", calls the "LoadLibraryW" API to load the target CPL DLL for later use. The module handle acquired from this call is used later, in the "_InitializeControl" routine, with the "LoadImage" API. There are ways to acquire an icon handle from a DLL without loading it, but in this case the programmer chose to load the target DLL, which is what opens the vulnerability.

It looks like the security side effects of one module were not evaluated fully before it was combined with other modules.

We recommend following this Microsoft security advisory to disable icon display or the WebClient service until a patch for this flaw is released.

Matt Oh

Hack In The Box first time in Europe
Posted: 12 Jul 2010 12:57 AM

I have just come back from Amsterdam where I was a speaker at the Hack In The Box conference. HITB held its annual conference here in Europe for the first time. The event was hosted in the beautiful 'Venice of the North', Amsterdam (Netherlands), the home of canals, windmills, tulips, and probably the best cheese in the world. One of the most beautiful hotels in the heart of Amsterdam, the Krasnapolsky, offered a welcoming environment for this occasion.

My subject was FireShark, an open source tool written by Stephan Chenette, our Principal Security Researcher at Websense. Stephan originally created an 'ultimate de-obfuscation' tool by hooking Internet Explorer's DLLs and dumping eval and document.write calls. This tool was presented at Toorcon last year and the code was released. Later he moved to a Firefox plugin, where he could use the proper APIs provided by Firefox instead of hooking function calls in DLLs. He also added new ideas to the project, which gave the tool new functionality. Currently FireShark addresses two main problems: ultimate de-obfuscation, and creating a graphical map of compromised Web sites. Both features are based on monitoring Firefox's internals to discover redirections, iframes, and newly created DOM objects. Because the Web page is loaded into a real browser instead of an emulator, it does not matter how the obfuscation works: the browser sees all the results of the JavaScript code that runs while visiting the page, and FireShark logs them. No emulation is involved, which is why this is an 'ultimate de-obfuscation'. The log can later be analyzed to see the real intention of the code. In the meantime FireShark also logs all redirections and iframes made by the page, and that data can be post-processed to generate a graphical map of the connections made to other Web pages. For example, if there is a mass-injection campaign we could see that all the compromised Web sites make connections to one suspicious landing site. Will we discover something new by seeing all of this? Hopefully that question will be answered soon.

This year at the HITB conference we had the chance to hear many very interesting talks from security experts from all over the world, covering topics such as deep analysis of shellcode, hardware hacking, and a trip into the Russian cyber underground.

I attended the following talks:

  • Keynote 1: Security Chasm - Dr Anton Chuvakin
    Anton is a well-known security expert and the author of many books on the subject. In his talk he emphasized the importance of focusing on real security issues rather than conceptual theories. He wondered why people are more afraid of getting a fine for not wearing a seatbelt than of the risk to their lives. He also gave a nice overview of the history of information security and a prediction of how it will change in the next 5 or 10 years.
  • Breaking Virtualization by Switching to Virtual 8086 Mode - Jonathan Brossard
    Jonathan gave a nice talk about the security issues of virtual machines, especially escaping code from virtualized servers. Server virtualization is very important nowadays, and is mostly used in Web hosting environments. As he pointed out, an attacker might take over the host computer by breaking out of the virtualized hardware using an almost forgotten CPU mode, virtual 8086 mode.
  • From Russia With Love 2.0 - Fyodor Yarochkin
    Fyodor is an independent network security researcher who digs deep into the world of the Russian cyber underground, revealing many of its secrets and myths. He explained how they are organized and why they do what they do; unsurprisingly, it is all about the money. Fyodor also pointed out that many people do not even realize they are involved in cyber crime. They get a temporary job offer over the Internet, and once they finish their assignment they receive the money online. It sounds like a legitimate business; however, in the end the work is related to illegal activity.
  • Keynote 2: Ten Crazy Ideas That Might Actually Change the State of Information Security - Mark Curphey
    Mark is the director of the MSDN Subscription Engineering team at Microsoft. He had some very interesting ideas about the fundamental issues of information security, and laid out 10 ideas that could change the security industry. He compared this work to how the WHO stopped one of the deadliest diseases in the history of humankind, smallpox. Mark also suggested that maybe security experts should work in the same way as a Chinese doctor: paid only while the patient is healthy, not when sick.
  • Maltego 3: Start Your Engines - Roelof Temmingh
    Roelof is the founder of Paterva Ltd, the creator of Maltego. Maltego is an open source intelligence and forensics application. It can be used to connect pieces of information and their sources together, revealing many interesting details about a subject or even about people. Fyodor actually used Maltego for his findings about the Russian cyber underground. Roelof presented the capabilities of the new version 3 to the audience.
  • Abusing Microsoft's PostMark Validation Protocol - Dumitru Codreanu
    Dumitru is a Senior Researcher at BitDefender. He did research on a GPU- and FPGA-assisted application that can break Microsoft's PostMark Validation Protocol. This protocol helps in the fight against spam, and it was claimed that to break the system a spammer would need to invest hundreds of thousands of dollars in hardware. Dumitru showed the weakness of the protocol, and that using a GPU (a graphics card such as an nVidia GeForce) or an FPGA card inserted into an ordinary PC could lead to signing 3-8 million mails per day with PostMark Validation, with an investment of only a few hundred dollars.
  • Subverting Windows 7 x64 Kernel with DMA Attacks - Christophe Devine & Damien Aumaitre
    Christophe and Damien are Security Researchers at Sogeti/ESEC, and they gave a very interesting showcase of how vulnerable our computing systems are to hardware-based attacks. They inserted a PCMCIA card into a laptop running Windows 7 for a couple of seconds, after which it accepted any random string entered at the Windows logon screen as a valid password. They pointed out that hardware that can use DMA (such as FireWire / IEEE 1394, PCMCIA, ExpressCard and PCI cards) bypasses any security protocol in the operating system, leaving our computers open to attack.
  • Top 10 Web 2.0 Attacks and Exploits - Shreeraj Shah
    Shreeraj is the founder of Blueinfy and the author of many books on Web 2.0 security. In his talk we got an overview of the top 10 Web 2.0 attacks, exploits, and hacking techniques. He also explained new tools and methodologies to prevent attacks like these.
  • The Traveling Hackersmith 2009-2010 - Saumil Shah
    Saumil is the founder of Net-Square and the author of many books and tools. He was talking off the record this time about discovering security issues in online flight bookings and hotel room reservations during his many travels. As it was off the record it would not be ethical to write down his subject in detail. He emphasized that he does not want to prove a point; however, my overall conclusion was that he was worried about Web shops in general and how highly insecure they are, simply because either the developer does not know much about information security or because they just do not think a cyber criminal would ever target their site.

The conference material can be downloaded from the HITB Web site.

Tamas Rudnai

This Month in the Threat Webscape - June 2010
Posted: 09 Jul 2010 06:32 PM

Month of June

Security conferences are a great way to learn about what's on the cutting edge, germinate and cross-pollinate ideas, and establish real-world relationships within the tight-knit community of white hat hackers. This past month we presented at both EUSecWest in Amsterdam and SyScan in Singapore.

If you missed us there, not to worry: in just a few weeks we are presenting at Black Hat and DEF CON, both in Las Vegas. Come say hi to us!

Major hits

Every major event and news item is followed very closely by attackers looking to turn a profit. It may be the death of a celebrity or a major event such as the FIFA World Cup; the bad guys are always there. With the World Cup still ongoing, we continue to see targeted attacks using known zero-day PDF vulnerabilities, the infamous 419 scam letters, phishing attempts, and of course the more popular than ever Blackhat SEO scareware campaigns.

More than 100k popular Web sites were compromised last month in a mass injection targeting IIS servers running the ASP.NET platform. The attack came from Chinese IP addresses, and the injected iframe led to a Chinese-hosted domain, http://www.ro[REMOVED]nt.us, serving Mal/Behav-290 malware. The majority of the Web sites were cleaned up in a matter of hours.

Apple, Inc. was accused of a data breach resulting in the loss of 100k email addresses and ICC-ID numbers. A few hours later the finger was pointed at the real culprit: a Web application designed and secured by AT&T allowed the Goatse hacker group to match ICC-IDs with the email addresses iPad users use to access their iTunes accounts. Observations? If you are a developer, carefully design and review for security and follow secure coding practices. If you are a hacker, do not irritate a giant without very good armor.

Web 2 dot uh oh

It seems like everyone on the Web today is trying to figure out how to leverage social networking tools (Facebook, Twitter) for "viral" marketing. Even the bad guys. This month the baddies used a clever combination of social and technical tricks to boost their own reputation and get over 15,000 people to 'like' them on Facebook. The social-engineering trick started, as they all do, with a lure: see the "best passport application rejection in history". Behind the scenes, an invisible Facebook 'like' button follows your mouse cursor, guaranteeing that you click it regardless of where you click on the malicious Web site. The consequence of clicking the hidden 'like' button is that a link to the site is posted on your Facebook profile for all your friends to see, and if they click on it too, the cycle repeats.

In a separate Facebook scam involving the lure 'Teacher nearly killed this boy', a rogue Facebook app requested permission to access the viewer's profile information and permission to post content on the viewer's Facebook wall. Users who don't pay attention and simply click through to get to the video put their Facebook friends at risk, should those friends click on something malicious that the rogue app posts from the viewer's wall.

A persistent cross-site scripting (XSS) vulnerability was discovered on Twitter. You may recall a similar incident some time ago, but whereas the previous case involved the application URL, this time around it involves the application name.

ISACA, an international organization that researches IT governance and control, just published a research paper that listed viruses and malware, brand hijacking, and lack of control over corporate content as some of the top risks faced by companies using Web 2.0 social media tools.

Is that any surprise?

Browser & friends

Adobe made a big splash in the security world this month. A new zero-day vulnerability (CVE-2010-1297) was discovered early in the month. A few days later, PDF samples with an embedded SWF file exploiting the vulnerability were found in the wild, spreading as email attachments. Then HTML pages carrying the exploit SWF files arrived, a more convenient method for attacking users. Details about the zero-day vulnerability can be found here.

In the middle of the month Adobe released a security update for Flash Player that fixes 31 vulnerabilities, including the zero-day. At the end of the month Adobe released a security update for Adobe Reader and Acrobat to fix the zero-day vulnerability. You should update Flash Player and Adobe Reader as soon as possible. Mozilla released 8 security advisories this month; several critical vulnerabilities were fixed in the recent Firefox update. A new feature called Crash Protection, also known as OOPP (Out Of Process Plug-ins), has been added in Firefox 3.6.4. With this feature the plug-in process is isolated from the browser process, which makes the browser more stable because a plug-in crash should no longer take the browser down with it. Apple patched 48 vulnerabilities in Safari and WebKit.

Microsoft

The two big events this month were Microsoft's busy Patch Tuesday, addressing 34 vulnerabilities, and a zero-day POC released by a Google security researcher.

Among the many fixes this month, Microsoft fixed the SharePoint XSS bug from April and a publicly disclosed data leakage vulnerability in Internet Explorer. Other vulnerabilities affect Windows, Office, Internet Explorer, and the IIS Web server.

Tavis Ormandy, a security researcher at Google, released a zero-day exploit for the Windows Help and Support Center that allows remote code execution. Tavis posted exploitation details to the Full Disclosure list just a few days after notifying Microsoft of the vulnerability. Microsoft released and discussed an advisory on the issue, including a workaround that disables the HCP protocol being exploited until a patch is released.

Hello ThreatSeeker. You've got mail!

Delivering Web sites as an attachment via email is a bit like snail-mailing someone a newspaper clipping when you can just send them the URL. As silly and inefficient as that may be, if the method delivers, then it's well worth it. And that's exactly what the malicious hackers did: deliver malicious Web sites as an attachment via email. In this incident, victims were told their computers were infected and that they needed to open the attachment "Virus Scan.html". This resulted in the computer downloading a malicious PDF and Java .jar file.

The bad guys also capitalized on the official launch of the much anticipated iPhone 4 by delivering scams via email and also posting them on Facebook. The lure enticed users with the chance of receiving a free iPhone 4 (yes, some offers on the Internet are just too good to be true; always proceed with caution!).

Other assorted unhealthy snacks served up via email this month included the following themes:

  1. Reset your Twitter password - malicious link to fake AV
  2. FIFA World Cup South Africa... bad news - malware attachment in a "news.html" file
  3. Account verification (yeah, this one's subject line is boring in comparison) - malicious link to malware and exploits
  4. Notice of Underreported Income (masquerading as from the IRS) - malicious link to fake site and malware

Security Trends

Joanna Rutkowska, who is known for her work on virtualization security and low-level rootkits, is building a project named Qubes, an open-source OS meant to isolate OS components from each other for better security.

At the Syscan'10 Singapore conference, security researchers from TEHTRI-Security published twelve zero-day flaws targeting five of the most common Web malware exploitation kits, namely the Neon, Eleonore, Liberty, Lucky, and Yes exploitation kits.

In one specific malicious spam campaign, we observed that the malicious HTML file attachment used the same obfuscation algorithm as a known mass injection attack on the Web.


This month's contributors:

  • Lei Li
  • Ulysses Wang
  • Erik Buchanan
  • Ivan Sabo
  • Jay Liew

Jay Liew

Fake Input Method Editor(IME) Trojan
Posted: 05 Jul 2010 02:26 AM

Websense® Security Labs™ ThreatSeeker™ Network has detected a type of trojan that uses the Windows input method editor (IME) to inject itself into a system. An IME is an operating system component or program that allows users to enter characters and symbols not found on their input device. For example, it can allow a user of a 'Western' keyboard to input Chinese, Japanese, Korean, and Indic characters.

The trojan installs itself as an IME, then kills any running antivirus processes and deletes the installed antivirus executable files. The original executable file of this trojan disguises itself as an antivirus update package.

When a user runs the trojan, it creates a file named winnea.ime under the system folder. The .ime file type is primarily associated with Microsoft's 'Global Input Method Editor':

In the example above, winnea.ime is a Dynamic Link Library (DLL) file that pretends to be an input method file and is installed as an input method. The input parameter "5Ah" is passed to the SystemParametersInfo function (sub_131486C0) to change the user profile in the Windows registry and set the default IME:

When the user switches to the default input method, the file winnea.ime loads and checks for the antivirus products on its list:

At the same time, winnea.ime drops a file named pcij.sys into the system folder and loads it as a driver:

Then it calls DeviceIoControl to kill the running process of any antivirus on the list; the control code is sent to the driver pcij.sys:

The pcij.sys driver finds all running antivirus processes and kills them by calling the ObReferenceObjectByHandle function:

This quick analysis shows an interesting way trojans can inject themselves into a system. The Windows input method is now a popular vector for injecting malicious code.

Websense Messaging and Websense Web Security customers are protected against these attacks.

Hermes Li

Article Alley compromised
Posted: 05 Jul 2010 12:44 AM

Websense Security Labs™ ThreatSeeker™ Network has detected that Articlealley.com has been compromised and injected with obfuscated code.

Article Alley is a free article directory that aims to help authors promote and syndicate their content. It allows authors and promoters to get their articles out on the Web with the potential of being read by millions of readers. This site was compromised from the root domain, and as a result all subsequent sub-pages were infected by the attack.

Screenshot of the infected site:

Screenshot of injected code:

After de-obfuscation, the redirection chain shown below confirms that the code reaches its final page, which is still heavily encrypted.

At first glance the malicious code is fairly extensive and complex, but the decryption method used is quite simple. First, replace all instances of 'SS KWKW o' in the two long variables with '%'. Then decode the two variables by running the unescape() function on them twice.

Snapshot of the decrypted code:

The attack targets the Microsoft Help and Support Center 0-day vulnerability CVE-2010-1885, details of which are available here.

At the time of publishing this blog, the site has been cleaned and the malicious code removed.

Websense Messaging and Websense Web Security customers are protected against this attack.

©2013 Websense, Inc. All Rights Reserved.