
August 2010 Posts

Phoenix Exploit Kit's Random Access Obfuscation
Posted: 31 Aug 2010 09:53 PM

In this post I'll cover an interesting piece of obfuscation that we recently came across while handling a blended threat. The threat began as several malicious emails containing a link that redirected to the site below. The obfuscation was found in part of an attack site using the Phoenix Exploit Kit.

 

Here is a screen shot of the Phoenix Exploit Kit login at the site we are going to analyze:

 

Once decoded, this attack site, like many attack kits, attempts to exploit a visiting computer using a number of known vulnerabilities, in this case vulnerabilities in Java, Flash, and PDF handling. What made this obfuscation particularly interesting was the way the decoding was done. The algorithm used to deobfuscate the sample I reviewed reads the encoded data the way a random access file is read, jumping through it by a fixed offset rather than scanning it sequentially.

 

Here is a screen shot of the HTML payload:

 

That alone looks like a big headache and may make your eyes cross at first glance!  We can see that there is a Java applet in the HTML code, but there is also a large script which we will focus on deobfuscating so we can understand the threat a little better.  Let's parse out the script and beautify it a bit so we know where we can start. 

 

Here is a beautified version of the script:

 

This is much easier to review but obviously still obfuscated.  At least we can now see a structure to the obfuscated JavaScript and we can see a few key areas.  First there is a huge variable declaration, cut off in the screen shot, which is probably what the algorithm is going to work on decoding.  Then there is a function definition, a <p> tag being written to the page, a nested for loop, and finally an eval. 

The first thing that caught my eye in this obfuscation was the document.write('<p>3360</p>') code.  My first thought was "Why would a malicious script write a paragraph tag containing a single number to the page?"  Then, on the next line, we can see that the above number is loaded into a variable.  This is somewhat hidden in a simple obfuscated document.getElementsByTagName call.

 

Here is a screen shot of the above referenced code:

 

The for loop is the next interesting part and, as with most deobfuscation routines, is the main part of the algorithm. If we step through it a number of times, we see that it accesses that huge variable using the number from the paragraph tag above as a byte offset. The inner loop is where the random access actually happens: it starts at index 0 and jumps through the long variable string by that offset until it reaches the end of the string. The outer loop then restarts the inner loop at an index of 1, and so on. Stepping through this algorithm 15 times, you will already see the beginning of an obfuscated document.write( call. Each character found at index + byte offset is concatenated into another variable which, when the loops complete, holds the deobfuscated attack script.

 

Screen shot of the nested loop code:

 

From this point, there are a few simple search and replace actions done via a function call and an eval to execute the JavaScript code that holds the exploits.  Reviewing the code, we were able to see that there are a hefty number of exploit attempts on different versions of Adobe Reader, Java, Flash, and other Windows components.
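As an added illustration (written for this post, not the kit's own code), here is the nested loop described above reconstructed as a stand-alone decoder for analysis, plus a helper that recovers the byte offset from the written <p> tag the way a static decoder would. The matching encoder, the sample offset of 7, the sample script and all function names are assumptions used only to build a constructed input.

```javascript
// Added example, not the exploit kit's code: the deobfuscation loop from the
// post, reconstructed so it can be run over a blob outside the browser.

// Decoder as the post describes it. The outer loop picks a start index
// (0, 1, 2, ...); the inner loop walks the blob from there in steps of
// `offset` until the end, appending each character it lands on. Reading every
// offset-th character this way is a plain columnar transposition.
function randomAccessDecode(blob, offset) {
  let out = "";
  for (let start = 0; start < offset; start++) {
    for (let i = start; i < blob.length; i += offset) {
      out += blob.charAt(i);
    }
  }
  return out;
}

// Exact inverse of the decoder (an assumption; nothing on the page shows how
// the kit encodes). Used only to build a sample blob inline for this example.
function randomAccessEncode(plain, offset) {
  const cells = new Array(plain.length);
  let k = 0;
  for (let start = 0; start < offset; start++) {
    for (let i = start; i < plain.length; i += offset) {
      cells[i] = plain.charAt(k++);
    }
  }
  return cells.join("");
}

// The kit hid the offset by writing <p>3360</p> into the page and reading it
// back through getElementsByTagName. A static decoder has no DOM, so it pulls
// the number straight out of the script text instead.
function offsetFromScript(scriptText) {
  const m = /document\.write\(\s*['"]<p>(\d+)<\/p>['"]\s*\)/.exec(scriptText);
  if (!m) throw new Error("script does not write a <p>offset</p> tag");
  return parseInt(m[1], 10);
}

// Constructed sample loader: a harmless script encoded with a small offset.
const SAMPLE_OFFSET = 7;
const SAMPLE_SCRIPT = 'document.write("<b>decoded sample</b>");';
const SAMPLE_BLOB = randomAccessEncode(SAMPLE_SCRIPT, SAMPLE_OFFSET);
const SAMPLE_LOADER =
  "var z='" + SAMPLE_BLOB + "';" +
  "document.write('<p>" + SAMPLE_OFFSET + "</p>');";

// One analysis pass: recover offset and blob, decode, and flag the
// eval/document.write pattern the post says follows, the cue to keep digging.
function analyzeLoader(scriptText) {
  const offset = offsetFromScript(scriptText);
  const blobMatch = /var\s+\w+\s*=\s*'([^']*)'/.exec(scriptText);
  if (!blobMatch) throw new Error("no single-quoted blob variable found");
  const decoded = randomAccessDecode(blobMatch[1], offset);
  return {
    offset: offset,
    decoded: decoded,
    suspicious: /\b(eval|document\.write)\s*\(/.test(decoded),
  };
}

console.log(analyzeLoader(SAMPLE_LOADER));
```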

 

This is a snippet of the attack code after it's been deobfuscated:

 

Another thing this site does, which is becoming more common on attack sites, is allow only one visit to the attack page. This seems counterintuitive, as it also limits the attack exposure for these sites. However, the technique is meant as a protection mechanism for attackers, preventing researchers such as ourselves from analyzing the attacks occurring on the site. It also makes it harder to decide whether to publish attacks to block databases. Our ACE analytics allow us to capture these sites and protect our customers in real time, without relying on URL database production. This means that from the first time our customers visit these attack sites, they are protected.


Chris Astacio

Apple QuickTime "_MARSHALED_PUNK" 0-day
Posted: 31 Aug 2010 04:10 PM

Yesterday we received reports about a flaw in Apple's QuickTime player. According to the reports, this flaw can potentially allow an attacker to exploit the user's machine through the browser by making it run arbitrary code without user interaction - a classic drive-by vulnerability.

According to a blog post by Rubén Santamarta, the flaw apparently stems from QTPlugin.ocx, a vulnerable file that is part of the default QuickTime installation. According to the analysis, the flaw affects the latest version of QuickTime (7.67.75.0), as well as older 7.x and 6.x versions.

 

 

The DLL file (QTPlugin.ocx) that holds the reported vulnerability is an ActiveX control used by Internet Explorer. Thus, the vulnerability applies only to that browser, not to any other browser.

We are currently looking into this report and are doing more analysis. We have also started searching for any malicious code on the Web that might emerge and take advantage of this vulnerability. Our customers are protected from attacks that use this vulnerability by ACE, which includes our generic shellcode analytics.

 

It's certainly not the first time that QuickTime has suffered from such vulnerabilities. One of the latest was CVE-2010-1799, which Apple has already managed to patch near the start of August.

 

We'll keep you updated on any developments.



Elad Sharf

Web Spam leading to Friendster on the rise
Posted: 27 Aug 2010 04:39 PM

This week has been pretty rough on Friendster, one of the more popular social networking sites. The Websense® ThreatSeeker® Network detected a large spike in the number of abused or fake Friendster accounts that are being Web spammed.

The chart below shows the number of posts that lead to fake Friendster profiles holding spam content this week:

 

The posted Web spam messages lead to fake Friendster accounts holding pharmaceutical spam.

Here is one example. Please meet "Medication Ativan" - a 45-year-old male from the United States:

 

 

"Medication Ativan" isn't your ordinary friend; this fake member would like to sell you a variety of pharmaceutical pills:

 


Thanks for the offer "Medication Ativan", but no thanks!

 

Try our Defensio plug-ins to stop this kind of Web spam in your Facebook account or personal blog.

Elad Sharf

This Month in the Threat Webscape - July 2010
Posted: 12 Aug 2010 11:49 AM

Month of July
This month the world saw the Microsoft Windows LNK shortcut flaw bring a smile to black hat hackers running Stuxnet, Chymine, Vobfus, Sality and Zeus, as they quickly updated their malware to leverage the vulnerability. In addition, we'll talk about banking Trojans piggy-backing on social-networking sites, the YouTube XSS vulnerability, malicious browser add-ons, brand-jacking, and more.

Also this month, the Websense Security Lab researchers presented at Black Hat Las Vegas and Hack In The Box in Amsterdam.

Major Hits

Ever wonder where your search engine stands relative to others based on malicious links they serve up in their search results? A two-month study by Barracuda Labs provides these estimates (be careful clicking those links!). Total malware by search engine:

  • Google: 69%
  • Yahoo: 18%
  • Bing: 12%
  • Twitter: 1%

 

The Windows LNK shortcut flaw (CVE-2010-2568) made a huge splash this month, a problem exacerbated by a computer worm dubbed Stuxnet that uses this flaw as one of the worm's propagation methods. Stuxnet targets Siemens SCADA systems, used to control production at industrial plants.

 

Strictly speaking, the LNK files themselves were correctly formatted (as opposed to a file crafted to exploit a buffer overflow) and they were legitimate .lnk files, except that they were allowed to link to (and run) executable files located elsewhere -- an ugly design flaw. The bad guys simply took the opportunity to make shortcuts to malware, and sent these shortcuts around to victims. The shortcuts could be activated without actually clicking on them. Using Windows Internet Explorer, merely browsing to the folder containing the malicious .lnk file triggered the bad stuff. Here is our technical analysis on the Microsoft LNK vulnerability.

 

Hot on the heels of Stuxnet, malware makers of Chymine, Vobfus, Sality, and Zeus updated their unwanted products to benefit from this vulnerability. Additional mitigation advice can be found here: US-CERT VU#940193

Web 2 dot uh oh

Last month in this section we mentioned that new ways to exploit social networks continue to surface. This month was more of the same. The RSA FraudAction Research Lab was among many to observe social sites being used to operate a banking Trojan virus. Once the Trojan infects a user's computer, the virus accesses a specific social profile, Google Group, or even a Twitter feed, all set up by the controller of the virus. From these sites, the virus, trained to parse text, can receive instructions embedded in posts, feeds, etc. This sophisticated exploitation of social sites bypasses the cost and maintenance of independent servers dedicated to doing the same thing. Using these free sites, communication with the Trojan can be done for no cost with little risk. It is up to the site to remove these malicious throw away accounts.

 

The other notable exploit of Web 2.0 functionality in July was YouTube's XSS vulnerability.  The visual effects of this vulnerability were seen by many users when only the top few comments of a post were loaded, along with a script comment regarded mostly as spam. Fortunately this was the extent to which the vulnerability was exploited before Google patched the YouTube service. Potentially this could have been used to force the browser to execute embedded malicious script code disguised in the YouTube page.

Browser and friends

Mozilla has blacklisted a third-party add-on called "Mozilla Sniffer". The add-on submits the login form of any website, with the password field, to a remote location. The add-on has been downloaded about 1800 times. Those who installed it are advised to change their password in case of attack. Mozilla also released two security updates this month; 15 vulnerabilities have been patched.

 

It has been disclosed by researcher Jeremiah Grossman that the "autofill" feature in Apple Safari has a security vulnerability. The autofill feature can be hacked to steal data from the computer's address book. Apple provided a quick response; a patch was released a few days later. In all, 15 vulnerabilities were fixed this month, including the autofill problem.

 

Google released a security update for Chrome. Five bugs were fixed in the patch.

 

The good news from Adobe is that Adobe Reader is going to add Protected Mode in the next version. Protected Mode is a sandboxing technology based on Microsoft's Practical Windows Sandboxing technique. It is similar to the Google Chrome sandbox and Microsoft Office 2010 Protected Viewing Mode. All operations required by Adobe Reader to display the PDF file to the user are run in a very restricted manner inside a confined environment. More good news is that Adobe will join Microsoft Active Protections Program (MAPP), in which vulnerability information is shared to security software providers in advance.

Microsoft

Aside from the major LNK vulnerability brouhaha mentioned above in the Major Hits section, Microsoft patched a vulnerability in Windows Help and Support Center (MS10-042), Canonical Display Driver (MS10-043), MS Office Access ActiveX Control (MS10-044), and MS Office Outlook (MS10-045). The Windows Help and Support Center  zero day (MS10-042) saw at least 25,000 attacks as confirmed by Microsoft, largely in Russia and Europe.

Hello Threatseeker. You've got mail!

This month there was a lot of follow-up on the previous month's email threats. In addition, there was no shortage of abuse of social networking sites such as Facebook and hi5. The more interesting attacks in the email space focused on "brand-jacking", where Gumblar seems to have made a comeback impersonating Amazon.com. The aim of the campaign was to trick unsuspecting users into visiting a URL that serves client-side exploits.

 

Other attacks include but are not limited to the influx of Youtube themed spam requesting users to confirm their email address, the fake ImageShack Registration emails, and Welcome to My Opera account activation.


Security Trends

A low-cost, home-brewed GSM hacking device, developed by researcher Chris Paget, mimics more expensive devices already in use by intelligence and law enforcement agencies – called IMSI catchers – that can capture phone ID data and content.

According to Secunia’s recently released report, between 2005 and 2010 Apple Inc. had the most reported security vulnerabilities.

Some motherboards in 4 models of Dell PowerEdge servers were shipped to customers with malware code on the embedded server management firmware. A Dell representative confirmed the issue on Dell’s community forum.

A fake technical support phone call was used to spread malware. The attackers in this scheme cheated targeted users by calling them and helping them to install malware, remote desktop applications etc.

The Secunia Half Year Report 2010 asserts that a typical end-user PC with 50 installed programs had 3.5 times more vulnerabilities in the 24 third-party programs than in the 26 Microsoft programs.

 

Thanks to this month's roundup contributors:

 

* Lei Li

* Douglas Libby

* Amon Sanniez

* Ulysses Wang

* Jay Liew


Jay Liew

419 scams go phishing
Posted: 09 Aug 2010 11:34 PM

419 scams have become lame, and not a lot of people are falling for them these days. So the scammers have to change their tactics if they want to stay in business. The scam we describe in this blog is quite interesting because it combines a typical 419 scam with a phishing attack. After the initial communication with the scammer, the victim receives a phishing email claiming to be from PayPal, indicating that the scammer "PayPaled" the money to the victim. Here is the long story.

 

One of my friends posted an ad on craigslist to sell his HP laptop. Dr. Robinson (a scammer and a physician from Utah) wanted to buy the laptop as a birthday gift for his son David -- who is BTW doing human development research in Nigeria. Dr. Robinson offered to send the payment via PayPal and asked that the laptop be shipped to his son in Nigeria.

 

From: Donald Robinson [donaldrobinson1001@gmail.com]
Sent: Thursday, August 05, 2010 6:07 AM
To: xxx
Subject: Re: HP   Laptop - $280

Hello,
 I am very grateful to hear back from you. I am a Medical Doctor residing in Utah. The (HP Laptop) is for my son's birthday present, due to his brilliant performance, he was currently transferred from US to West Africa with his team on a research on Human development under world Health Organization. I'll be paying you through paypal. I will forward my son's residential address to you for shipping as soon as the payment reaches you. send me your paypal email so that i will do the payment.
 NB: I will be paying you $400 for both the cost price and shipping fee. Please get back to me so that i will proceed with the payment.
Best Regards,
Dr. Robinson.

 

I created a fake email account and sent Dr. Robinson the following note:

 

Dear Dr Robinson,

Please send me your son's address and I will ship the laptop as soon as I receive the payment through paypal. My paypal email is xxx@gmail.com.
Thank you for your interest.

Regards,

 

A couple of hours later I received a phishing email claiming to be from PayPal, indicating that I had received new funds from Dr. Robinson. Dr. Robinson was very generous and sent me $400, not the $280 posted in the craigslist ad. The social engineering part of the email was interesting:

"This PayPal payment has been deducted from the buyer's account and has been "APPROVED"but will not be credited to your account until the shipment reference/tracking number is sent to us for shipment verification and this is done to secure both the buyer and the seller against any fraudulent activities. Below are the necessary information requested before your account will be credited. Send tracking number to  us or email us through  paypalaccountserviceinfo@ovi.com and our customer service care will attend to you. As soon as you send us the shipment's tracking number   the money will be credited to your account and this is done for security purposes and the safety of the buyer and the seller."


A couple of minutes later, I received another phishing email claiming to be from PayPal, telling me that PayPal was waiting for my shipment tracking number. It also assured me that the order had been confirmed and that I could ship the order to the buyer now, but had to do so within 48 hours. I googled the transaction ID "8UG760668M701084Y" and found three posts [1,2,3] talking about similar scams.

A couple of minutes later, Dr. Robinson emailed me and told me that he had sent me the money via PayPal. He asked that I ship the laptop first thing in the morning via USPS first class express mail in an insured package. The interesting thing about this address is that all three posts above share the same city and state in Nigeria, "Uwani, Enugu, Nigeria". I looked up the city in Google Maps, but did not find anything eye-catching, except Enugu prison, which was in the neighborhood!

David Robinson: I wish you a very happy birthday and I wish you success in your research on human development in Nigeria, but you are not receiving a laptop for your birthday. Brad can send you one if he likes :)

 

(Acknowledgment: T and R)

 

Technical Analysis on iPhone Jailbreaking
Posted: 06 Aug 2010 02:32 PM

So, we have this situation here. iPhone has a remote jailbreaking capability without any USB connection or anything. If you launch Safari and connect to the jailbreakme site, you can have your phone jailbroken with just a few steps. Obviously, this can be abused by bad guys to attack any iPhone in the world. We had time to analyze the mechanism of jailbreaking, and as we expected, it's just a matter of time before anyone can abuse this. Here's the summary of what we found.

 

    Picture 1: The flow of Jailbreaking using 2 iPhone vulnerabilities


First, the process uses the PDF Compact Font Format vulnerability (CVE-2010-1797). To our surprise, it's a simple stack-based buffer overflow. With this vulnerability, an overly long CFF charString entry ends up with attacker-controlled $pc. Many people think of Return Oriented Programming (ROP) as a rather immature technique to use for complicated jobs. But the jailbreakme shellcode uses ROP to execute more than a total of 150 API calls. This means non-executable memory is not a defense against these kinds of memory corruption attacks. Looks as if the current ROP technique for iPhone exploitation is very mature and stable.

 

The ROP payload actually abuses an undisclosed kernel vulnerability residing in an IOSurface component from Apple. It seems that the vulnerability allows a normal process to have access to kernel memory with write privileges. After it modifies kernel space data to circumvent security checks, it calls “setuid(0)” to get root access. So, the game is pretty much over at this point. The Safari process at this point has root user privileges, and it can do whatever it wants.

 

After this exploitation phase, it drops the “installui.dylib” shared library, loads it, and executes the “iui_go” function from the library. This allows some UI text to be displayed on the user's screen to ask whether to go forward with jailbreaking. Then it downloads the “wad.bin” file from the jailbreakme site and extracts necessary files like “install.dylib” from there, and then executes the “do_install” function from there, which will do the typical jailbreaking process. All these operations are possible because the Safari process has root access acquired using the kernel bug.

 

The jailbreaking phase involves something like moving some system directories and modifying essential system files like “/etc/fstab”. Also it directly accesses the “/dev/kmem” device to patch kernel flags or code. And finally it installs the “Cydia” installer package and restarts SpringBoard using the “uicache” command.

 

The whole lesson here is that it is extremely easy to modify PDF payloads provided by the jailbreakme site, to make it do more operations than it was originally intended to do. The attack will surface soon, and it could be devastating, because we don't have any practical defense mechanisms against this type of attack on iPhone. We'd better try not to click any suspicious links on our iPhone browser from now on. And we'd better not check any PDF attachments delivered through iPhone mail until we have the fix. I hope the patch will be out soon, and I recommend that everyone install the patch when it's out.


Matt Oh

You have Rogue Mail!
Posted: 06 Aug 2010 05:17 PM

Websense Security Labs™ ThreatSeeker™ Network has detected thousands of malicious emails purporting to be from big-brand companies like Target, Macy’s, Best Buy, and Evite.


We blogged about the different attack strategies that malicious authors have been using in their recent tax-themed spam emails yesterday.   Today’s malicious emails go back to the fake AV strategy that we last saw two months ago, as we blogged here.  All the malicious URLs associated in the emails above redirect to the same fake AV web site.  Users are then prompted to run a malicious executable called "antivirus_24.exe" [MD5: 5be4b708a68687cb5490fe2caea49c82], currently detected by 11/42 AV engines.

 

Payload:

 

 

 

Fake AV Site:


Adding to virus notification pop-ups in system trays, this “System Update” notification window appears to be the latest addition in their fake AV concoction.


Our real-time analytics proactively identify this threat, and with ThreatSeeker, we get feedback into our email products to block messages containing these URLs.  Websense® Messaging and Websense Web Security customers are protected against this attack.

Mary Grace Timcang

Media Temple injections lead to Phoenix Exploit Kit
Posted: 05 Aug 2010 10:39 AM

Websense® Security Labs™ ThreatSeeker™ Network has discovered that over 100 Web sites on the Media Temple Web host servers have been compromised, and will lead visitors to the Phoenix Exploit Kit. It's not the first time they have had a WordPress injection, but a quick investigation suggests that only 46% of these sites have WordPress installed, and Sucuri Scanner reveals that they do have multiple vulnerabilities. So what happened to the other sites? They don't have WordPress installed but have still been compromised; why? According to the statement from Media Temple, neither Media Temple’s architecture nor the up-to-date versions of WordPress is the source of these compromises. Some insecure 3rd-party software applications installed on customer servers are the root cause, which has been verified by Sucuri.

 

All the injections are designed to only work on JavaScript files as shown below, and are obfuscated to evade detection.

 

 

After deobfuscation, we got a simple algorithm that generates malicious URLs. We generated 64 URLs, all of which are already covered by Websense. Checking those generated URLs, we find two different scripts. One is very simple, with an anti-bot trick so it won't be crawled by search engines. Unfortunately the payload site it redirects to is now down.

 


The other is highly obfuscated, and finally redirects to an exploit kit called Phoenix.


The Phoenix Exploit Kit is a sophisticated hacker tool set that exploits several of the latest vulnerabilities on popular vectors to execute arbitrary code.


Websense TRITON Advanced Classification Engine (ACE) is protecting customers against this attack. We will keep track of it and provide updates when it changes.

2010 Tax-Themed Malicious Emails
Posted: 04 Aug 2010 12:46 PM

Websense Security Labs™ ThreatSeeker™ Network has detected a wave of tax-themed malicious email.  While the tax theme in spam email is common all year round, it is interesting to see the different strategies malicious authors use in their campaigns.

 

We saw reports last June about email with the subject "Notice of Underreported Income". Today, we have seen a couple of emails with the same subject but with different attack strategies.

The first sample below uses a malicious link, just like those distributed earlier. Unlike the earlier malicious email, which redirects to a fake IRS site that instructs the user to download a malicious file (tax-statement.exe), this link saves the victim a couple of clicks by prompting to download a file (adobe_flash_install.exe) immediately, without going to a fake IRS site.

Payload :

 

The second sample below is more aggressive in that the malicious zip [MD5:dfbb95730b2377cccf8372107bdef503] is attached in the email.  It is recognized by 1/42 AV engines via VirusTotal.

 

In addition to these, we are seeing malicious email with the subject “You are in a higher tax bracket”.  It also has a malicious zip [MD5: 3b9c60c761734fcd4ac7a753c93ec5d1] attached to it and is recognized by 1/42 AV engines via VirusTotal.

Websense® Messaging and Websense Web Security customers are protected against this attack.

 


Mary Grace Timcang

JailbreakMe, drive-by attacks on iOS, and limiting potential attacks
Posted: 04 Aug 2010 07:06 AM

Late last week a new jailbreak method was released for iOS 4 and iPhone OS 3.x based devices such as the iPhone, iPod, and iPad. Jailbreaking these devices is nothing new. It's been done for years to allow these devices to run applications not approved by Apple, and also as a means to unlock iPhones for use on other carriers. What is different in this new method is that all it takes to jailbreak the device is to visit a specific website using the built-in Web browser. Previously users had to connect the device to a computer and use software for Windows or Mac to complete the process.


At jailbreakme.com, all it takes to complete the jailbreak is to slide the arrow to the right and wait for the process to complete. To perform the jailbreak the process takes advantage of two vulnerabilities; one in how Safari parses PDF files, and one in the kernel of iOS/iPhoneOS. VUPEN has more information about these vulnerabilities in their advisory.

 

Apple is reportedly looking into the vulnerability issues, but until they have issued a patch, all users of iPhones, iPads, or iPods are at risk, because there is nothing that prevents a malicious attacker from using these vulnerabilities to automatically install malware onto the device. Reports around the Web are claiming that there isn't much a user can do to prevent this type of attack unless you've already jailbroken, as there is an add-on, via Cydia, that will warn you for every PDF you open. However, this is not entirely true.

 

While it is true that Safari and other Web browsers on iOS/iPhoneOS automatically render and display a PDF page, and therefore will load the exploit automatically, some third-party browsers have customizable filters that can block the attack and prevent your device from compromise. Two examples are Atomic Web Browser and iCabMobile, both of which work on iPhone, iPod Touch, and iPad.

Here is how you enable and tweak the application filters to prevent PDFs from being downloaded in the browser.


Atomic Web Browser

  1. Start the application, click the Settings icon, and click Settings.
  2. Click "Ad Block Settings" and then "Edit Ad Block".
  3. Click "New Filter" and then enter: *.pdf
  4. Click "Done" and "Save".
  5. Click "Ad Block" at the top-left corner and enable the Ad Block Feature.

 

iCabMobile

  1. Start the iCabMobile application and click the Settings icon.
  2. Scroll down until you see "Edit Filters" and click that selection.
  3. Click "Create New Filter" and enter: *.pdf
  4. Click "Done" and then "Tools" in the upper-left corner to go back to the Settings menu.
  5. Scroll up and make sure that the "Enable Filters" setting is set to "On".

 

While we at Websense, Inc. don't support or endorse these products, neither of which is free, they could be a worthwhile investment until Apple fixes the problem.

 

Finally, don't forget that these third-party browsers will not protect you if you get a PDF in an email message, click on a link in an email/SMS or click on a link that launches a built-in browser in the app (like Twitter, Facebook etc). These all use the Safari engine to view the PDF and will bypass the third-party browser filters.


Patrik Runald

©2013 Websense, Inc. All Rights Reserved.