Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security research methods miss.

Latest Blog Posts


September 2010 Posts

Websense Insight: The Route to Malware

Posted: 28 Sep 2010 01:35 PM | Patrik Runald | no comments


How many clicks does it take to get to the malicious code of an infected website? Surprisingly, the answer is usually just two. In this Websense Insight we look at how most Internet users are only two clicks away from malicious content in one of three ways: from top sites, from poisoned search results, and from malicious links. In the video, we use extensive data from the analysis of thousands of links to illustrate that you may be in more danger searching for items on the World Cup than in the "traditionally" dangerous "neighborhoods" of the "adult" or objectionable Web. We also present some fascinating and surprising data on how close you are to malware, and to links to malware, from some of the most highly trafficked and trusted sites on the Web.

To learn more about Websense Threat research in addition to this blog, or to view additional Websense Insights, please visit the Insights tab on http://community.websense.com/blogs/. To download the free Defensio application for individual use, please visit defensio.com. We'll have more analysis of these statistics and other Web security findings in our upcoming "State of the Internet Report."


Websense Insight: Link Analysis - What links are people sharing on Facebook and Twitter?

Posted: 28 Sep 2010 01:13 PM | Patrik Runald | no comments


With millions of Tweets and Facebook postings flying around daily from personal and business users, have you ever wondered where the links in these postings go? In this Websense Insight we have analyzed hundreds of thousands of social networking links to determine the ecosphere of links and the potential threat vectors of the social Web. Some of the findings may truly surprise you. For example, did you know that 40 percent of Facebook status posts contain a URL, and that 10 percent of those are either spam or malicious? We also provide some top tips for avoiding the potential dangers of user-generated content within an organization and on your own Facebook wall.

To learn more about Websense Threat research in addition to this blog, or to view additional Websense Insights, please visit the Insights tab on http://community.websense.com/blogs/. To download the free Defensio application for individual use, please visit defensio.com. We'll have more analysis of these statistics and other Web security findings in our upcoming "State of the Internet Report."


Phoenix the supervisor

Posted: 22 Sep 2010 04:34 PM | Anonymous | no comments


In general, spammers will try everything and stop at nothing to deliver content to users. When people don't trust one kind of email, spammers change their tactics and use something else. This process never stops, and it is very interesting to follow. It's interesting, at least, if we know we're being protected.

Websense® Security Labs™ ThreatSeeker™ Network has detected another wave of malicious email messages linked to the Phoenix Exploit Kit. Websense customers are and have been protected by the real-time protection in our Advanced Classification Engine, ACE.

As we have seen during the last couple of weeks, blended attacks are being used more than ever before. Earlier, we saw spammers enticing users with pharma spam, exploiting the death of a football player, and offering Evite invitations. This time, they are attempting to lure users with genuine-looking email attachments that, when opened, launch them into a redirection chain that ends up on a page containing the Phoenix Exploit Kit.

The emails contain only one or two sentences and an HTML attachment:

When the attachment is opened, the page that is displayed looks legitimate. In fact, the spammers copied content from several different vendors and brands, including Xbox 360, Bank of America, and Twitter, as shown below:

Once opened, the obfuscated JavaScript kicks in and launches the user into the redirection chain that, as mentioned earlier, takes them to a page that contains the Phoenix Exploit Kit.


Twitter OnMouseOver Flaw In The Wild

Posted: 21 Sep 2010 02:28 PM | Carl Leonard | no comments


As of this morning we have been monitoring a flaw on twitter.com that delivers pop-ups to Twitter users when they move their mouse cursor over a specially crafted tweet. There is also the potential to deliver status updates when mousing over a tweet, and to alter the display of the Twitter status on users' profile pages. The affected tweets contain JavaScript attached to the OnMouseOver event (this event enables the code specified in the tweet to run without requiring the user to click).

This morning we saw proofs of concept of the Twitter command being posted by Twitter users, and then began to see end users tweeting the code virally. There is the potential for malware authors to spread malicious tweets using the flaw to direct users to other Web sites. As of writing, hundreds of new tweets per second are being published on twitter.com using the OnMouseOver flaw. Twitter users whose accounts have been affected by the flaw include journalists and high-profile celebrities.

Examples of compromised accounts:

Our advice is to use an alternative to the twitter.com Web site if you need to update your Twitter status.

UPDATE: As of 3pm UK time, Twitter Safety is reporting that the XSS flaw is no longer exploitable.


Can rogue AV ever be legitimate?

Posted: 21 Sep 2010 09:04 AM | Mary Grace Timcang | no comments


Over the past year, the prevalence of search results laced with rogue AV seemed never to end. Whether the search was about a celebrity, politics, a calamity, or anything else that was hot and trending, blackhat SEO was sure to follow. Now that search engines are being more proactive in producing safer search results for users, malware authors are forced to think harder and change the way they dispense rogueware. Lately, email appears to be, at least for the time being, the favorite vehicle for distributing rogue AV. We've blogged and tweeted about malicious Twitter and Facebook password resets and big brand names being used in email containing malicious links or attachments in the past few months.

Today, we are blogging about an interesting email our Websense® ThreatSeeker Network recently identified. With the Websense® Advanced Classification Engine (ACE), Websense customers are proactively protected against this threat.

The email appears to be a transaction receipt for someone who was enticed to buy rogue AV software called Security Suite Platinum. Since Security Suite Platinum is a pretty popular rogue AV, it came as a surprise that none of the AV engines on VirusTotal actually detected it. This led us to look deeper into the binary.

What does Security Suite Platinum actually do?

Security Suite Platinum is a well-known rogue antivirus which uses scare tactics to extract fees from unsuspecting users. It acts like a legitimate virus scanner, searching a computer for viruses, trojans and other malicious files. At the end of its "scan" it claims to have detected malware, which scares the user enough to pay a small fee to remove the threats. This part has been discussed many times before in a variety of security forums and blogs. However, what happens when a person actually pays the required fee is not so clear.

After paying a registration fee the user receives an email with a confirmation and download instructions, as you can see in the email sample above. After clicking the link provided and typing in the transaction ID, the Web site leads us straight to the download of the registered Security Suite Platinum. The registered Security Suite Platinum contains a real open-source antivirus, ClamAV. Think of it this way: it's ClamAV, but illegally repackaged to operate as Security Suite Platinum. Security Suite Platinum thus turns out to be a somewhat "real" antivirus, in that it actually does detect some malicious files and behaves almost like real antivirus software. This also explains why none of the AV engines on VirusTotal detected this binary. A simple string search clearly proves the existence of the well-known open-source antivirus inside the rogue AV.

So far so good, so what is wrong with this? First, it scared people into paying a fee using fake detections (not to mention the bad guys getting hold of the user's financial information). Second, although the code running the rogue AV is legitimate AV...


Fake Facebook password reset leads to rogue AV

Posted: 17 Sep 2010 10:54 AM | Anonymous | no comments


There is no stopping the abuse of social networking sites and the endless reign of social engineering tactics in email campaigns, be they spam or malicious. Facebook seems to be a favourite for most attackers as it has a huge user base, and attackers are almost guaranteed to get their message propagated quickly. Websense customers are proactively protected against these threats by the real-time protection in our Advanced Classification Engine (ACE).

This particular campaign is yet another rogue AV. Here a user is presented with an email message which suggests opening the attached zip file in order to retrieve a newly-created password, due to supposed changes made to the user's Facebook account. The header details show the real source and origin of the email, as the display name is the only relation to Facebook.

The zip file contains a file with a PDF document icon, which is misleading as it is actually a Windows executable. When the user double-clicks this downloader, a rogue AV application is downloaded and launched which scares the user into thinking their machine is infected. As a result, the user is lured into following the rogue AV's instructions to disinfect the machine. The installation carries out a series of scans with fake detections to make it more convincing to the user. The next stage offers the user the opportunity to remove the threats from the fake detections carried out by the rogue AV. When this is selected, the user is presented with an alert that the rogue AV is not registered, and that registering requires the user's credit card details. This is where the phishing for information takes place.

Currently we have seen over 240,000 of these email messages through our Websense Hosted Email Security product, and according to VirusTotal about 65% of anti-virus products detect the file attachment.


Daniel Covington death spam leading to Rogue AV and Phoenix exploit kit

Posted: 17 Sep 2010 09:14 AM | Ran Qiong | no comments


Websense Security Labs™ ThreatSeeker™ Network has detected a new virus spam outbreak following Daniel Covington's death. Websense customers were proactively protected against the malicious code by our Advanced Classification Engine (ACE).

Most popular sports Web sites have reported this news: Daniel Covington, a former Louisville football player, was shot and killed after an altercation in downtown Louisville in the early hours of the morning on Sep 16, 2010. Of course, hackers never miss a chance to extend their criminal activities, and this time Daniel Covington has been their victim. Let's track their vicious trail.

First, they send thousands of spam messages with the subject "Daniel Covington die" to attract people's attention on the Internet. Screenshot of the email:

Be careful of the HTML attachment: don't click it, as it hides malicious obfuscated JavaScript code; the obfuscation technique has been described in our previous blog. Let's see how evil they are. If a recipient clicks the HTML file, they will be redirected to two malicious sites. One site contains rogue AV, and the other one hosts a Phoenix exploit kit, a well-known kit used by Web attackers.

"Daniel Covington die" is not the only theme in this campaign. We have also found the virus spam in emails with these subjects:

* America's Got Talent
* Cops kill active shooter at Johns Hopkins Hospital
* Church of Body Modification
* failure notice
* Jackie Evancho and Sarah Brightman
* NFL Picks Week 2


Singing a malicious song

Posted: 16 Sep 2010 04:23 PM | Anonymous | 4 comment(s)


Every now and then we look for song lyrics on the Internet. Using the newest Google Instant technology we immediately find what we need. At least, we think so.

Websense Security Labs™ ThreatSeeker™ Network has detected that the popular site Songlyrics.com (with approximately 200,000 daily page views and 2,000,000 unique visitors) is compromised and injected with obfuscated malicious code. Websense customers are proactively protected against the malicious code by our Advanced Classification Engine (ACE).

Once a user accesses the main page of the song lyrics site, the injected code redirects to an exploit site loaded with the Crimepack exploit kit. Attempted exploits result in a malicious binary (VT 39.5%) being run on the victim's computer. Once infected, the machine becomes another zombie bot in the wild.

Deobfuscating this code reveals a redirection to the malicious payload site:

It is interesting to note that the malicious code injected on Songlyrics.com uses an obfuscation algorithm similar to that of Crimepack, a prepackaged commercial software kit used by attackers to deliver malicious Web-based code. It appears that the majority of pages served by Songlyrics.com are compromised. Crimepack has become one of the best-selling exploit packs on the market due to its huge number of pre-compiled exploits, which offer a solid base for the "drive-by download & execute" business.


Cash and "Labels and such" lead to ZEUS

Posted: 15 Sep 2010 03:34 PM | Anonymous | no comments


Websense® Security Labs™ ThreatSeeker™ Network has detected another wave of Zeus malicious email messages. This campaign is related to the familiar "pharma" spam messages that we see every day, with one exception: it combines an HTML or ZIP attachment with a social engineering technique, similar to what we normally see in malicious email campaigns. For example, the message may state that $375 has been sent to the recipient's account, and include a link to view the transaction in the recipient's account. Opening the attachment results in a compromised user machine via obfuscated JavaScript in the attached HTML file. So far, we have seen this type of email with subjects like "Labels and such" and "Greetings from Rivermark Bill Payer!". Websense customers are protected by the real-time protection in our Advanced Classification Engine, ACE.

Here is a screen shot of an email message with an HTML attachment:

In the case of an HTML attachment, criminals use obfuscated JavaScript. The content is encrypted with a commercially available HTML obfuscation tool. When viewing the deobfuscated content we see that the script uses a meta refresh tag to redirect a user who views the attachment. The script checks which browser is used and only performs the redirection for one of the following browsers: Firefox (navigator.userAgent.indexOf('Gecko')) or Chrome/Safari (navigator.userAgent.indexOf('KHTML')). A user who is using one of the affected browsers will get redirected to a pharmaceutical site like this one:

For email messages that have ZIP attachments, the ZIP file has coverage on VirusTotal of 5/43. The "label.zip" file contains "label.exe", which is a copy of Zeus. The malware copies itself to "C:\Documents and Settings\user\Application Data\Ewca\refef.exe" and tries to access two sites located in the .ru zone.

Here is a screen shot of the encrypted Zeus configuration file being downloaded after the malware injects itself into a legitimate process:

So far, we have seen more than 100,000 email messages like this.


This Month in the Threat Webscape - August 2010

Posted: 15 Sep 2010 08:49 AM | Jay Liew | no comments


Month of August 2010

Major hits

Mass compromises & infections

Network Solutions, one of the oldest domain registrars in the world, was found to be serving up a malicious widget on its customers' Web sites. All sites that opted to display a "Small Business Success Index" widget were infecting their visitors. This includes sites not hosted by Network Solutions itself, such as Google Blogger accounts that installed the widget. Armorize has a more detailed analysis here, and pegged the number of compromised sites at a minimum of half a million (source: Google) or five million (source: Yahoo). It was also discovered that this widget is served up as part of the standard domain parking page for newly registered domains. Web hosting companies Media Temple and Rackspace also found themselves compromised and accidentally serving up malicious code to their visitors.

DLL hijacking

Another tactic to infect users, dubbed "DLL hijacking", grabbed headlines this month. Basically, when you fire up an app in Windows (e.g. Microsoft PowerPoint), more often than not big apps search a series of locations for "helper" libraries to assist with the job. Knowing that the app will search for other libraries to execute, a bad guy can place a malicious binary in a location the app searches, in an attempt to trick the app into loading the malicious file as if it were the correct library. This vulnerability has been added to Metasploit; check out this video to see it in action.

iPhone Web drive-by exploit

Usually when we talk about drive-by exploits, it goes without saying that we're referring to something bad that is to be avoided. But what about people who intentionally try to get exploited by a drive-by, whether they understand it in those terms or not? Yes, we're talking about the much-hyped JailbreakMe Web site for Apple's iOS. Basically, all you need to do is open the browser on your iOS device (iPad, iPhone, etc.) and visit the Web site. With just one click (or "swipe" on the touch interface), the Web site jailbreaks your device (using an exploit). The broader food for thought here is that, whereas this Web site prompts for your permission to execute an exploit on your device to do things the owner consents to, the fact that this is technically possible (our research) in the first place opens the door to malicious Web sites that don't have to prompt you for permission to do malicious things on your device that you don't consent to.

In other news, watch out for malicious fake YouTube pages and malicious links that show up in Bing search results, both of which can lead to rogue or fake anti-virus software.

Web 2 dot uh oh

This month saw a huge increase in the number of abused and fake accounts being used for spam propagation, such as in the case of the fake Friendster.com accounts that seem to have appeared over the course of a few days (blogged about here). The threat of Web spam...
