Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security research methods miss.
Latest Blog Posts
(July 2010) Posts
26 Jul 2010 01:15 PM |
20 Jul 2010 12:34 PM |
Matt Oh |
A few days ago, an exploit used for highly targeted attacks was published here: CVE-2010-2568 LNK shortcut. As that blog post and others state, the problem is caused by the Windows Control Panel's shortcut icon display routine. The original blog post shows a stack trace of the exploit results, which also serves to explain the vulnerability. The nature of the vulnerability is pretty clear, but out of curiosity we did some reverse engineering, and here is what we found.

The bug itself is a design flaw, as many people have stated, and it is very straightforward to locate the point where it happens. The vulnerable file is shell32.dll and the vulnerable routines are Control Panel-related. We loaded the binary in a disassembler and found that the Control Panel file-related routines start with a “CPL_” prefix. Drawing 1 shows the relations between the CPL initialization routines and the data flow; the “LoadLibraryW” API, marked in red, is the vulnerable one.

Drawing 1: The flow of the related routines and data

The icon extraction routine calls “CPL_FindCPLInfo” to find the icon information of the target file. “CPL_FindCPLInfo” is basically a wrapper around all the CPL-related routines. The CPL module is loaded and initialized before any information is read out of it. One of the initialization routines, “_LoadCPLModule”, calls the “LoadLibraryW” API to load the target CPL DLL for later use. The module handle acquired from this call is used later in the “_InitializeControl” routine with the “LoadImage” API.

There are ways to acquire an icon handle from a DLL without loading it, but in this case the programmer chose to load the target DLL, which opens the vulnerability: a full LoadLibraryW runs the DLL's entry point, so merely displaying the icon executes whatever code the DLL carries. It looks like the security side effects of one module were not fully evaluated before it was combined with other modules. We recommend following this Microsoft security advisory and disabling icon display or the WebClient service until a patch for this flaw is released.
Filed under: Vulnerability Analysis
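The analysis above shows why a shortcut that points the Control Panel code path at an attacker-chosen DLL is dangerous. As an added example (not Websense's code), the Python below walks a .lnk header and its shell item list following the MS-SHLLINK layout and flags items that carry a UTF-16LE DLL path; the two sample shortcuts are constructed inline, and the check is a triage heuristic for defenders, not a signature for the exploit.

```python
import re
import struct

# Layout constants from the MS-SHLLINK specification (the Windows .lnk format).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x00000001                            # LinkFlags bit 0
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")            # printable ASCII encoded as UTF-16LE

def parse_id_list(data, offset):
    """Walk the LinkTargetIDList: 2-byte IDListSize, then ItemIDs (2-byte size including itself) up to a zero TerminalID."""
    (id_list_size,) = struct.unpack_from("<H", data, offset)
    pos, end, items = offset + 2, offset + 2 + id_list_size, []
    while pos + 2 <= end:
        (size,) = struct.unpack_from("<H", data, pos)
        if size < 2:                      # TerminalID, or a corrupt size: stop walking
            break
        items.append(data[pos + 2:pos + size])
        pos += size
    return items

def scan_lnk(data):
    """Return every UTF-16LE string ending in '.dll' inside the shortcut's shell item list.
    A shortcut to a document or program has no reason to carry a DLL path there (heuristic, not proof)."""
    if len(data) < LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Windows shell link")
    (flags,) = struct.unpack_from("<I", data, 0x14)
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []                         # no ItemIDList, nothing for the CPL code path to load
    hits = []
    for item in parse_id_list(data, LNK_HEADER_SIZE):
        for run in UTF16_RUN.findall(item):
            text = run.decode("utf-16-le")
            if text.lower().endswith(".dll"):
                hits.append(text)
    return hits

def build_sample(item_blobs):
    """Constructed test data: a minimal header followed by an ID list made of the given items."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    items = b"".join(struct.pack("<H", len(blob) + 2) + blob for blob in item_blobs) + b"\x00\x00"
    return header + struct.pack("<H", len(items)) + items

# Constructed samples (not real malware): a file-system item with an ANSI name, and an item
# that carries a UTF-16LE DLL path on a network share, as the Control Panel item path does.
BENIGN_LNK = build_sample([b"\x32\x00" + b"notepad.exe\x00"])
SUSPICIOUS_LNK = build_sample([b"\x1f\x00" + "\\\\fileserver.example\\share\\loader.dll".encode("utf-16-le")])
```

Run scan_lnk over the contents of each .lnk on a share or removable drive; anything it returns is worth a manual look before the file is ever browsed in Explorer.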
12 Jul 2010 12:57 AM |
Tamas Rudnai |
Filed under: Conferences
09 Jul 2010 06:32 PM |
Jay Liew |
Month of June

Security conferences are a great way to learn about what's on the cutting edge, germinate and cross-pollinate ideas, and establish real-world relationships within the tight-knit community of white hat hackers. This past month we presented at both EUSecWest in Amsterdam and SyScan in Singapore. If you missed us there, not to worry: in just a few weeks we are presenting at Black Hat and DEF CON, both in Las Vegas. Come say hi to us!

Major hits

Every major event and news item is followed very closely by exploiters looking to make a profit. It may be the death of a celebrity or a major event such as the FIFA World Cup; the bad guys are always there. With the World Cup still ongoing, we continue to see targeted attacks using known zero-day PDF vulnerabilities, the infamous 419 scam letters, phishing attempts, and of course the more popular than ever Blackhat SEO scareware campaigns.

More than 100k popular Web sites were compromised last month by a mass injection targeting IIS servers running the ASP.NET platform. The attack came from Chinese IP addresses, and the injected iFrame led to a Chinese-hosted domain, http://www.ro[REMOVED]nt.us, serving juicy Mal/Behav-290 malware. The majority of the Web sites were cleaned up in a matter of hours.

Apple, Inc. was accused of a data breach resulting in the loss of 100k email addresses and ICC-ID numbers. A few hours later the finger was pointed at the real miscreant. An AT&T-designed and -secured Web application allowed the Goatse hacker group to match ICC-IDs with the email addresses iPad users use to access their iTunes accounts. Observations? If you are a developer, carefully design and review for security and follow secure coding practices. If you are a hacker, do not irritate a giant without very good armor.

Web 2 dot uh oh

It seems like everyone on the Web today is trying to figure out how to leverage social networking tools (Facebook, Twitter) for "viral" marketing. Even the bad guys. This month, the baddies used a clever combination of social and technical tricks to boost their own reputation and get over 15,000 people to 'like' them on Facebook. The social-engineering trick started off with a lure (as they all do) to see the "best passport application rejection in history". Behind the scenes, an invisible Facebook 'like' button follows your mouse cursor, guaranteeing that you'll click on it no matter where you click on the malicious Web site. The consequence of clicking the hidden 'like' button is that a link to the site is posted on your Facebook profile for all your friends to see; if they too click on it, the cycle repeats. In a separate Facebook scam involving the lure 'Teacher nearly killed this boy', a rogue Facebook app requested permission to access the viewer's profile information and to post content on the viewer's Facebook wall. Users who don't pay attention...
Filed under: Monthly Reports
05 Jul 2010 02:26 AM |
Hermes Li |
Websense® Security Labs™ ThreatSeeker™ Network has detected a type of trojan that uses the Windows input method editor (IME) to inject itself into a system. An IME is an operating system component or program that allows users to enter characters and symbols not found on their input device. For example, it could allow a user of a 'Western' keyboard to input Chinese, Japanese, Korean, and Indic characters. The trojan can install itself as an IME; it then kills any running antivirus processes and deletes the installed antivirus executable files.

The original executable file of this trojan disguises itself as an antivirus update package. When a user runs the trojan, it creates a file named winnea.ime under the system folder. The .ime file type is primarily associated with Microsoft's 'Global Input Method Editor'. In this case, winnea.ime is a Dynamic Link Library (DLL) file, but it pretends to be an input method file and is installed as an input method. The input parameter "5Ah" (SPI_SETDEFAULTINPUTLANG) is passed to the SystemParametersInfo function (sub_131486C0) to change the user profile in the Windows registry so that the trojan becomes the default IME.

When the user opens the default input method, winnea.ime loads and checks for the processes on an antivirus list. At the same time, winnea.ime drops a file named pcij.sys into the system folder and loads it as a driver. It then calls DeviceIoControl to kill the running process of any antivirus in the list; the control code is sent to the driver pcij.sys. The pcij.sys driver finds all running antivirus processes and kills them by calling the ObReferenceObjectByHandle function.

This quick analysis shows an interesting way that trojans can use to inject themselves into a system. The input method in Windows is now a popular way for hackers to inject malicious code. Websense Messaging and Websense Web Security customers are protected against these attacks.
05 Jul 2010 12:44 AM |
Xue Yang |
Websense Security Labs™ ThreatSeeker™ Network has detected that Articlealley.com has been compromised and injected with obfuscated code. Article Alley is a free article directory that aims to help authors promote and syndicate their content; it allows authors and promoters to get their articles out on the Web with the potential of being read by millions of readers. The site was compromised from the root domain, and as a result all its sub-pages were infected by the attack.

Screenshot of the infected site

Screenshot of injected code

After de-obfuscation, the redirection chain shown below confirms that this reached the final page, which was still highly encrypted. At first glance the malicious code is fairly extensive and complex, but the decryption method is quite simple. First, every instance of the string 'SS KWKW o' in the two long variables is replaced with '%'. Next, the two variables are decoded by running the unescape() function on them twice.

Snapshot of the decrypted code

The attack targets the Microsoft Help and Support Center 0-day vulnerability CVE-2010-1885, about which you can get more details here. At the time of publishing this blog, the site has been cleaned and the malicious code removed. Websense Messaging and Websense Web Security customers are protected against this attack.
Filed under: Compromise, Microsoft, Vulnerabilities
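The decoding recipe from the Article Alley post, reimplemented as an added example (not code from the post or from the compromised site): a Python port of JavaScript's unescape() plus the marker-then-double-unescape routine, run on a harmless constructed sample. The marker string is the one quoted in the post; the sample statement and the escape() port used to build it are assumptions for the demonstration.

```python
import re

MARKER = "SS KWKW o"   # the substitute for '%' used in the injected code described in the post

HEX2 = re.compile(r"[0-9A-Fa-f]{2}")
HEX4 = re.compile(r"[0-9A-Fa-f]{4}")

def js_unescape(s):
    """Python port of JavaScript's unescape(): '%uXXXX' yields one UTF-16 code unit,
    '%XX' one Latin-1 character, and a malformed escape is copied through unchanged."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "%":
            if s[i + 1:i + 2] == "u" and HEX4.fullmatch(s[i + 2:i + 6]):
                out.append(chr(int(s[i + 2:i + 6], 16)))
                i += 6
                continue
            if HEX2.fullmatch(s[i + 1:i + 3]):
                out.append(chr(int(s[i + 1:i + 3], 16)))
                i += 3
                continue
        out.append(s[i])
        i += 1
    return "".join(out)

def deobfuscate(blob, marker=MARKER, layers=2):
    """The post's recipe: restore '%' from the marker, then unescape once per stacked layer.
    One pass peels one layer; this attack stacked two, so a single pass still leaves escapes."""
    s = blob.replace(marker, "%")
    for _ in range(layers):
        s = js_unescape(s)
    return s

# Encoder used only to construct the sample below (mirrors JavaScript's escape() safe set).
SAFE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789@*_+-./")

def js_escape(s):
    return "".join(c if c in SAFE else ("%%%02X" % ord(c) if ord(c) < 256 else "%%u%04X" % ord(c)) for c in s)

# Constructed sample, not the code from the compromised site: a harmless statement that
# was escaped twice and then had every '%' replaced by the marker.
INNER = "document.write('<p>decoded</p>');"
OBFUSCATED = js_escape(js_escape(INNER)).replace("%", MARKER)
```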