Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.


(August 2010) Posts

Phoenix Exploit Kit's Random Access Obfuscation

Posted: 31 Aug 2010 09:53 PM | Chris Astacio | no comments


In this post I'll cover an interesting piece of obfuscation that we recently came across while handling a blended threat. This threat began as several malicious emails containing a link that redirected to the site below. The obfuscation was found in part of an attack site using the Phoenix Exploit Kit. Here is a screen shot of the Phoenix Exploit Kit's login at the site we are going to analyze:

Once decoded, like many attack kits, this attack site attempts to exploit a visiting computer using a number of known vulnerabilities. The vulnerabilities focused on Java, Flash, and PDF. What made this obfuscation particularly interesting was the way in which the decoding was done. The algorithm used to deobfuscate the sample I reviewed was a type of random access file. Here is a screen shot of the HTML payload:

That alone looks like a big headache and may make your eyes cross at first glance! We can see that there is a Java applet in the HTML code, but there is also a large script which we will focus on deobfuscating so we can understand the threat a little better. Let's parse out the script and beautify it a bit so we know where we can start. Here is a beautified version of the script:

This is much easier to review but obviously still obfuscated. At least we can now see a structure to the obfuscated JavaScript and we can see a few key areas. First there is a huge variable declaration, cut off in the screen shot, which is probably what the algorithm is going to work on decoding. Then there is a function definition, a <p> tag being written to the page, a nested for loop, and finally an eval.

The first thing that caught my eye in this obfuscation was the document.write('<p>3360</p>') code. My first thought was "Why would a malicious script write a paragraph tag containing a single number to the page?" Then, on the next line, we can see that the above number is loaded into a variable. This is somewhat hidden in a simple obfuscated document.getElementsByTagName call. Here is a screen shot of the above referenced code:

The for loop is the next interesting part and, as with most deobfuscation routines, is the main part of the algorithm. If we step through the for loop a number of times, we see that it's working to access that huge variable using the number from the above paragraph tag as a byte offset. The inner loop is where the random access actually happens. It runs through the long variable, starting at index 0, and uses the number in the <p> tag written to the document from the above code as the byte offset from the index until it comes to the end of the variable string. Once the end of the variable string is reached, the outer loop forces the inner loop to pass through starting at an index of 1 and so on. Stepping through this algorithm 15 times, you will get a bit of an obfuscated document.write( call. Each of the characters at the index + byte offset is concatenated into another variable which, when...
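The strided read described above can be reproduced statically, so an analyst never has to run the sample. This is an added example, not code from the original post or from the kit. The sample script is constructed (stride 4 instead of 3360), and the example assumes the number appears in a literal document.write('<p>N</p>') call, as in the post, and that the longest string literal is the encoded variable.

```javascript
// Static decoder for the strided ("random access") layout described above.
// The sample is only ever treated as text: no eval, no DOM.

// Inner loop: read every `stride`-th character from `start` to the end.
// Outer loop: restart at index 0, 1, 2, ... and keep concatenating.
function strideDecode(blob, stride) {
  if (!Number.isInteger(stride) || stride < 1) {
    throw new RangeError('stride must be a positive integer');
  }
  let out = '';
  const starts = Math.min(stride, blob.length);
  for (let start = 0; start < starts; start++) {
    for (let i = start; i < blob.length; i += stride) {
      out += blob[i];
    }
  }
  return out;
}

// Recover the stride from the document.write('<p>N</p>') marker.
function findStride(script) {
  const m = /document\.write\(\s*(['"])<p>(\d+)<\/p>\1\s*\)/.exec(script);
  return m ? parseInt(m[2], 10) : null;
}

// Assumption: the encoded data is the longest quoted string literal.
// Escape sequences inside the literal are not unescaped here.
function findBlob(script) {
  const literal = /(['"])((?:\\.|(?!\1)[^\\])*)\1/g;
  let best = '';
  for (const m of script.matchAll(literal)) {
    if (m[2].length > best.length) best = m[2];
  }
  return best;
}

// Locate both pieces in the script text and decode them.
function analyze(script) {
  const stride = findStride(script);
  const blob = findBlob(script);
  if (stride === null || blob === '') {
    return { stride, decoded: null };
  }
  return { stride, decoded: strideDecode(blob, stride) };
}

// Constructed sample (not taken from the kit): a 17-character blob laid out
// so that reading it with stride 4 yields a harmless document.write(1).
const SAMPLE = [
  "var data = 'deweonr(cti1u.t)m';",
  "document.write('<p>4</p>');",
].join('\n');

console.log(analyze(SAMPLE));
```

The decoded text is usually another script layer, so it should be written to a file and reviewed, not passed to eval.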


Apple QuickTime "_MARSHALED_PUNK" 0-day

Posted: 31 Aug 2010 04:10 PM | Elad Sharf | no comments


Yesterday we received reports about a flaw in Apple's QuickTime player. According to the reports, this flaw can potentially allow an attacker to exploit the user's machine through the browser by making it run arbitrary code without user interaction - a classic drive-by vulnerability. According to a blog post by Ruben Santamarta, the flaw apparently stems from the vulnerable file QTPlugin.ocx, which is part of the default QuickTime installation. According to the analysis, the flaw affects the latest version of QuickTime (7.67.75.0), as well as older versions of 7.x and 6.x. The DLL file (QTPlugin.ocx) that holds the reported vulnerability is an ActiveX control used by Internet Explorer. Thus, the vulnerability applies only to that browser, not to any other browser.

We are currently looking into this report and are doing more analysis. We have also started searching for any malicious code on the Web that might emerge and take advantage of this vulnerability. Our customers are protected from attacks that use this vulnerability by ACE, which includes our generic shellcode analytics.

It's certainly not the first time that QuickTime has suffered from such vulnerabilities. One of the latest was CVE-2010-1799, which Apple has already managed to patch near the start of August. We'll keep you updated on any developments.


Web Spam leading to Friendster on the rise

Posted: 27 Aug 2010 04:39 PM | Elad Sharf | no comments


This week has been pretty rough on Friendster, one of the more popular social networking sites. The Websense® Threatseeker® Network detected a spike, or a rather large increase, in the number of abused or fake Friendster accounts that are being Web spammed. The chart below shows the number of posts that lead to fake Friendster profiles holding spam content this week:

The posted Web spam messages lead to fake Friendster accounts holding pharmaceutical spam. Here is one example. Please meet "Medication Ativan" - a 45-year-old male from the United States:

"Medication Ativan" isn't your ordinary friend; this fake member would like to sell you a variety of pharmaceutical pills:

Thanks for the offer "Medication Ativan", but no thanks! Try our Defensio plug-ins to stop this kind of Web spam in your Facebook account or personal blog.


This Month in the Threat Webscape - July 2010

Posted: 12 Aug 2010 11:49 AM | Jay Liew | 2 comment(s)


Month of July

This month the world saw the Microsoft Windows LNK shortcut flaw bring a smile to black hat hackers running Stuxnet, Chymine, Vobfus, Sality and Zeus, as they quickly updated their malware to leverage the vulnerability. In addition, we'll talk about banking Trojans piggy-backing on social-networking sites, the YouTube XSS vulnerability, malicious browser add-ons, brand-jacking, and more. Also this month, the Websense Security Lab researchers presented at Black Hat Las Vegas and Hack In The Box in Amsterdam.

Major Hits

Ever wonder where your search engine stands relative to others based on malicious links they serve up in their search results? A two-month study by Barracuda Labs provides these estimates (be careful clicking those links!). Total malware by search engine:

Google: 69%
Yahoo: 18%
Bing: 12%
Twitter: 1%

The Windows LNK shortcut flaw (CVE-2010-2568) made a huge splash this month, a problem exacerbated by a computer worm dubbed Stuxnet that uses this flaw as one of the worm's propagation methods. Stuxnet targets Siemens SCADA systems, used to control production at industrial plants. Strictly speaking, the LNK files themselves were correctly formatted (as opposed to a file crafted to exploit a buffer overflow) and they were legitimate .lnk files, except that they were allowed to link to (and run) executable files located elsewhere -- an ugly design flaw. The bad guys simply took the opportunity to make shortcuts to malware, and sent these shortcuts around to victims. The shortcuts could be activated without actually clicking on them. Using Windows Internet Explorer, merely browsing to the folder containing the malicious .lnk file triggered the bad stuff. Here is our technical analysis on the Microsoft LNK vulnerability. Hot on the heels of Stuxnet, malware makers of Chymine, Vobfus, Sality, and Zeus updated their unwanted products to benefit from this vulnerability. Additional mitigation advice can be found here: US-CERT VU#940193

Web 2 dot uh oh

Last month in this section we mentioned that new ways to exploit social networks continue to surface. This month was more of the same. The RSA FraudAction Research Lab was among many to observe social sites being used to operate a banking Trojan virus. Once the Trojan infects a user's computer, the virus accesses a specific social profile, Google Group, or even a Twitter feed, all set up by the controller of the virus. From these sites, the virus, trained to parse text, can receive instructions embedded in posts, feeds, etc. This sophisticated exploitation of social sites bypasses the cost and maintenance of independent servers dedicated to doing the same thing. Using these free sites, communication with the Trojan can be done for no cost with little risk. It is up to the site to remove these malicious throw away accounts.

The other notable exploit of Web 2.0 functionality in July was YouTube's XSS vulnerability. The visual effects of this vulnerability were seen by...


419 scams go phishing

Posted: 09 Aug 2010 11:34 PM | sabu-nimeh | no comments


419 scams have become lame and not a lot of people are falling for them these days. So the scammers have to change their tactics if they want to stay in business. The scam we describe in this blog is quite interesting because it combines a typical 419 scam with a phishing attack. After the initial communication with the scammer, the victim receives a phishing email claiming to be from PayPal indicating that the scammer "PayPaled" the money to the victim.

Here is the long story. One of my friends posted an ad on craigslist to sell his HP laptop. Dr. Robinson (a scammer and a physician from Utah) wanted to buy the laptop as a birthday gift for his son David -- who is BTW doing human development research in Nigeria. Dr. Robinson offered to send the payment via PayPal and asked that the laptop be shipped to his son in Nigeria.

From: Donald Robinson [donaldrobinson1001@gmail.com]
Sent: Thursday, August 05, 2010 6:07 AM
To: xxx
Subject: Re: HP Laptop - $280

Hello, I am very grateful to hear back from you.I am a Medical Doctor residing in Utah.The (HP Laptop) is for my son's birthday present,due to his brilliant performance,he was currently transferred from US to West Africa with his team on a research on Human development under world Health Organization. I'll be paying you through paypal.I will forward my son's residential address to you for shipping as soon as the payment reaches you.send me your paypal email so that i will do the payment. NB: I will be paying you $400 for both the cost price and shipping fee.Please get back to me so that i will proceed with the payment. Best Regards, Dr. Robinson.

I created a fake email account and sent Dr. Robinson the following note:

Dear Dr Robinson, Please send me your son's address and I will ship the laptop as soon as I receive the payment through paypal. My paypal email is xxx@gmail.com. Thank you for your interest. Regards,

A couple of hours later I received a phishing email claiming to be from PayPal indicating that I got a new fund from Dr. Robinson. Dr. Robinson was very generous and sent me $400 not $280 as was posted in the craigslist ad. The social engineering part in the email was interesting:

"This PayPal payment has been deducted from the buyer's account and has been "APPROVED" but will not be credited to your account until the shipment reference/tracking number is sent to us for shipment verification and this is done to secure both the buyer and the seller against any fraudulent activities . Below are the necessary information requested before your account will be credited. Send tracking number to us or email us through paypalaccountserviceinfo@ovi.com and our customer service care will attend to you. As soon as you send us the shipment's tracking number the money will be credited to your account and this is done for security purposes and the safety of the buyer and the seller."

A couple of minutes later, I received another phishing email claiming to...


Technical Analysis on iPhone Jailbreaking

Posted: 06 Aug 2010 02:32 PM | Matt Oh | no comments


So, we have this situation here. iPhone has a remote jailbreaking capability without any USB connection or anything. If you launch Safari and connect to the jailbreakme site, you can have your phone jailbroken with just a few steps. Obviously, this can be abused by bad guys to attack any iPhone in the world. We had time to analyze the mechanism of jailbreaking, and as we expected, it's just a matter of time before anyone can abuse this. Here's the summary of what we found.

Picture 1: The flow of Jailbreaking using 2 iPhone vulnerabilities

First, the process uses the PDF Compact Font Format vulnerability (CVE-2010-1797). To our surprise, it's a simple stack-based buffer overflow. With this vulnerability, an overly long CFF charString entry ends up with attacker-controlled $pc.

Many people think of Return Oriented Programming (ROP) as a rather immature technique to use for complicated jobs. But the jailbreakme shellcode uses ROP to execute more than a total of 150 API calls. This means non-executable memory is not a defense against these kinds of memory corruption attacks. Looks as if the current ROP technique for iPhone exploitation is very mature and stable.

The ROP payload actually abuses an undisclosed kernel vulnerability residing in an IOSurface component from Apple. It seems that the vulnerability allows a normal process to have access to kernel memory with write privileges. After it modifies kernel space data to circumvent security checks, it calls “setuid(0)” to get root access. So, the game is pretty much over at this point. The Safari process at this point has root user privileges, and it can do whatever it wants.

After this exploitation phase, it drops the “installui.dylib” shared library, loads it, and executes the “iui_go” function from the library. This allows some UI text to be displayed on the user's screen to ask whether to go forward with jailbreaking. Then it downloads the “wad.bin” file from the jailbreakme site and extracts necessary files like “install.dylib” from there, and then executes the “do_install” function from there, which will do the typical jailbreaking process. All these operations are possible because the Safari process has root access acquired using the kernel bug.

The jailbreaking phase involves something like moving some system directories and modifying essential system files like “/etc/fstab”. Also it directly accesses the “/dev/kmem” device to patch kernel flags or code. And finally it installs the “Cydia” installer package and restarts SpringBoard using the “uicache” command.

The whole lesson here is that it is extremely easy to modify PDF payloads provided by the jailbreakme site, to make it do more operations than it was originally intended to do. The attack will surface soon, and it could be devastating, because we don't have any practical defense mechanisms against...


You have Rogue Mail!

Posted: 06 Aug 2010 05:17 PM | Mary Grace Timcang | no comments


Websense Security Labs™ ThreatSeeker™ Network has detected thousands of malicious emails purporting to be from big-brand companies like Target, Macy’s, Best Buy, and Evite. We blogged about the different attack strategies that malicious authors have been using in their recent tax-themed spam emails yesterday. Today’s malicious emails go back to the fake AV strategy that we last saw two months ago, as we blogged here.

All the malicious URLs associated in the emails above redirect to the same fake AV web site. Users are then prompted to run a malicious executable called "antivirus_24.exe" [MD5: 5be4b708a68687cb5490fe2caea49c82], currently detected by 11/42 AV engines.

Payload:

Fake AV Site:

Adding to virus notification pop-ups in system trays, this “System Update” notification window appears to be the latest addition in their fake AV concoction. Our real-time analytics proactively identify this threat, and with ThreatSeeker, we get feedback into our email products to block messages containing these URLs. Websense® Messaging and Websense Web Security customers are protected against this attack.


Media Temple injections lead to Phoenix Exploit Kit

Posted: 05 Aug 2010 10:39 AM | Tim Xia | no comments


Websense® Security Labs™ ThreatSeeker™ Network has discovered that over 100 Web sites on the Media Temple Web host servers have been compromised, and will lead visitors to the Phoenix Exploit Kit. It's not the first time they have had a WordPress injection, but a quick investigation suggests that only 46% of these sites have WordPress installed, and Sucuri Scanner reveals that they do have multiple vulnerabilities. So what happened to the other sites? They don't have WordPress installed but have still been compromised; why? According to the statement from Media Temple, neither Media Temple’s architecture nor the up-to-date versions of WordPress is the source of these compromises. Some insecure 3rd-party software applications installed on customer servers are the root cause, which has been verified by Sucuri.

All the injections are designed to only work on JavaScript files as shown below, and are obfuscated to evade detection. After deobfuscation, we got a simple algorithm to generate malicious URLs. We generated 64 URLs which are all already covered by Websense. Now we go to check those generated URLs, and find there are 2 different scripts. One is very simple with an anti-bot trick so it won't be crawled by search engines. Unfortunately the payload site it redirects to is now down. The other is highly obfuscated, and finally redirects to an exploit kit called Phoenix.

The Phoenix Exploit Kit is a sophisticated hacker tool set that exploits several of the latest vulnerabilities on popular vectors to execute arbitrary code. Websense TRITON Advanced Classification Engine (ACE) is protecting customers against this attack. We will keep track of it and provide updates when it changes.


2010 Tax-Themed Malicious Emails

Posted: 04 Aug 2010 12:46 PM | Mary Grace Timcang | no comments


Websense Security Labs™ ThreatSeeker™ Network has detected a wave of tax-themed malicious email. While the tax theme in spam email is common all year round, it is interesting to see the different strategies malicious authors use in their campaigns. We saw reports last June about email with the subject "Notice of Underreported Income". Today, we have seen a couple of emails with the same subject but with different attack strategies.

The first sample below uses a malicious link just like those distributed earlier. Unlike earlier malicious email, which redirects to a fake IRS site that instructs the user to download a malicious file (tax-statement.exe), this link saves the victim a couple of clicks by prompting to download a file (adobe_flash_install.exe) immediately without going to a fake IRS site.

Payload:

The second sample below is more aggressive in that the malicious zip [MD5: dfbb95730b2377cccf8372107bdef503] is attached in the email. It is recognized by 1/42 AV engines via VirusTotal.

In addition to these, we are seeing malicious email with the subject “You are in a higher tax bracket”. It also has a malicious zip [MD5: 3b9c60c761734fcd4ac7a753c93ec5d1] attached to it and is recognized by 1/42 AV engines via VirusTotal. Websense® Messaging and Websense Web Security customers are protected against this attack.


JailbreakMe, drive-by attacks on iOS, and limiting potential attacks

Posted: 04 Aug 2010 07:06 AM | Patrik Runald | no comments


Late last week a new jailbreak method was released for iOS 4 and iPhone OS 3.x based devices such as the iPhone, iPod, and iPad. Jailbreaking these devices is nothing new. It's been done for years to allow these devices to run applications not approved by Apple, and also as a means to unlock iPhones for use on other carriers. What is different in this new method is that all that it takes to jailbreak the device is to visit a specific website using the built-in Web browser. Previously users had to connect the device to a computer and use software for Windows or Mac to complete the process. At jailbreakme.com, all it takes to complete the jailbreak is to slide the arrow to the right and wait for the process to complete.

To perform the jailbreak the process takes advantage of two vulnerabilities: one in how Safari parses PDF files, and one in the kernel of iOS/iPhoneOS. VUPEN has more information about these vulnerabilities in their advisory. Apple is reportedly looking into the vulnerability issues, but until they have issued a patch, all users of iPhones, iPads, or iPods are at risk, because there is nothing that prevents a malicious attacker from using these vulnerabilities to automatically install malware onto the device.

Reports around the Web are claiming that there isn't much a user can do to prevent this type of attack unless you've already jailbroken, as there is an add-on, via Cydia, that will warn you for every PDF you open. However, this is not entirely true. While it is true that Safari and other Web browsers on iOS/iPhoneOS automatically render and display a PDF page, and therefore will load the exploit automatically, some third-party browsers have customizable filters that can block the attack and prevent your device from compromise. Two examples are Atomic Web Browser and iCabMobile, both of which work on iPhone, iPod Touch, and iPad. Here is how you enable and tweak the application filters to prevent PDFs from being downloaded in the browser.

Atomic Web Browser

1. Start the application, click the Settings icon, and click Settings.
2. Click "Ad Block Settings" and then "Edit Ad Block".
3. Click "New Filter" and then enter: *.pdf
4. Click "Done" and "Save".
5. Click "Ad Block" at the top-left corner and enable the Ad Block Feature.

iCabMobile

1. Start the iCabMobile application and click the Settings icon.
2. Scroll down until you see "Edit Filters" and click that selection.
3. Click "Create New Filter" and enter: *.pdf
4. Click "Done" and then "Tools" in the upper-left corner to go back to the Settings menu.
5. Scroll up and make sure that the "Enable Filters" setting is set to "On".

While we at Websense, Inc. don't support or endorse these products, neither of which is free, they could be a worthwhile investment until Apple fixes the problem. Finally, don't forget that these third-party browsers will not protect you if...
