
September 2010 Posts

Websense Insight: The Route to Malware
Posted: 28 Sep 2010 01:35 PM

How many clicks does it take to get to the malicious code of an infected website? Surprisingly, the answer is usually just two.

In this Websense Insight we look at how most Internet users are only two clicks away from malicious content in one of three ways: from top sites, poisoned search results, and malicious links.

In the video, we use extensive data from analysis of thousands of links to illustrate that you may be in more danger from searching for items on the World Cup than you would in the "traditionally" dangerous "neighborhoods" of the "adult" or objectionable Web.

We also present some fascinating and surprising data on how close you are to malware and links to malware from some of the most highly trafficked and trusted sites on the Web.

To learn more about Websense Threat research in addition to this blog or view additional Websense Insights, please visit the Insights tab on http://community.websense.com/blogs/

To download the Defensio application for free individual use, please visit defensio.com.

We'll have more analysis of these statistics and other Web Security findings in our upcoming "State of the Internet Report."


Patrik Runald

Websense Insight: Link Analysis - What links are people sharing on Facebook and Twitter?
Posted: 28 Sep 2010 01:13 PM

With millions of Tweets and Facebook postings flying around daily from personal and business users, have you ever wondered where the links in these postings go?

In this Websense Insight we have analyzed hundreds of thousands of social networking links to determine the ecosphere of links and the potential threat vectors of the social Web.  Some of the findings may truly surprise you.

For example, did you know that 40 percent of Facebook status posts contain a URL, and that 10 percent of those are either spam or malicious?

We also provide some top tips for avoiding the potential dangers of user generated content within an organization and on your own Facebook wall.

To learn more about Websense Threat research in addition to this blog or view additional Websense Insights, please visit the Insights tab on http://community.websense.com/blogs/

To download the Defensio application for free individual use, please visit defensio.com.

We'll have more analysis of these statistics and other Web Security findings in our upcoming "State of the Internet Report."


Patrik Runald

Phoenix the supervisor
Posted: 22 Sep 2010 04:34 PM


In general, spammers will try everything and stop at nothing to deliver content to users. When people don't trust one kind of email, spammers change their tactics and use something else. This process never stops, and is very interesting to follow. It's interesting, at least, if we know we're being protected.


Websense® Security Labs™ ThreatSeeker™ Network has detected another wave of malicious email messages linked to the Phoenix Exploit Kit. Websense customers are and have been protected by the real-time protection in our Advanced Classification Engine, ACE.


As we have seen during the last couple of weeks, blended attacks are being used more than ever before. Earlier, we saw spammers luring users with pharma spam, exploiting the death of a football player, and offering Evite invitations. This time, they are attempting to lure users with genuine-looking email attachments that, when opened, launch them into a redirection chain that ends on a page hosting the Phoenix Exploit Kit.


The emails contain only one or two sentences and an HTML attachment:



When the attachment is opened, the page that is displayed looks legitimate. In fact, the spammers copied content from several different vendors and brands, including Xbox 360, Bank of America, and Twitter, as shown below:


Once opened, the obfuscated JavaScript kicks in and launches the user into the redirection chain that, as mentioned earlier, takes them to a page that contains the Phoenix Exploit Kit.

Ivan Sabo

Twitter OnMouseOver Flaw In The Wild
Posted: 21 Sep 2010 02:28 PM

As of this morning we have been monitoring a flaw on twitter.com that delivers pop-ups to Twitter users when they move their mouse cursor over a specially crafted tweet. The same flaw can also be used to post status updates when a user mouses over a tweet, and to alter how tweets are displayed on users' profile pages.


The affected tweets contain JavaScript bound to the OnMouseOver event; because the event fires as soon as the cursor passes over the tweet, the code specified in the tweet runs without requiring the user to click.


This morning we saw proofs of concept for the flaw being posted by Twitter users, and then began to see end users tweeting the code virally. There is the potential for malware authors to spread malicious tweets that use the flaw to direct users to other Web sites.


At the time of writing, hundreds of new tweets per second are being published on twitter.com using the OnMouseOver flaw. Twitter users whose accounts have been affected by the flaw include journalists and high-profile celebrities.
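The flaw described above is an output-encoding problem: tweet text reached the page without being HTML-escaped, so an onmouseover attribute typed into a tweet became live markup. The following is an added example (not code from the Websense post) that puts the flawed rendering pattern beside a hardened one and includes the two checks a defender would run: one over raw tweet text and one over the rendered output. All function names and the sample tweet are this example's own.

```javascript
// Added example (not from the Websense post). Two ways of turning untrusted
// tweet text into an HTML fragment: one that reproduces the class of bug
// described above, and one that neutralises it by output encoding.

// Characters that are significant inside HTML text and attribute values.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Only absolute http(s) URLs without quotes or whitespace may become links;
// javascript:, data: and similar schemes are left as plain text.
function safeHref(token) {
  const t = String(token).trim();
  return /^https?:\/\/[^\s"'<>]+$/i.test(t) ? escapeHtml(t) : null;
}

// The flawed pattern: tweet text dropped straight into markup. A tweet such as
// x" onmouseover="... closes the attribute it lands in and adds its own handler.
function renderTweetUnsafe(text) {
  return `<p class="tweet-text" title="${text}">${text}</p>`;
}

// The hardened pattern: every token is escaped; URLs become links whose href
// has been validated and escaped as well.
function renderTweet(text) {
  const html = String(text)
    .split(/(\s+)/)
    .map((tok) => {
      const href = safeHref(tok);
      return href
        ? `<a href="${href}" rel="noopener nofollow">${escapeHtml(tok)}</a>`
        : escapeHtml(tok);
    })
    .join("");
  return `<p class="tweet-text">${html}</p>`;
}

// Monitoring heuristic: does the raw tweet text look like an inline-handler
// injection attempt (onmouseover=, onclick=, onerror=, ...)?
function looksLikeHandlerInjection(text) {
  return /\bon[a-z]+\s*=/i.test(String(text));
}

// Output check: does any tag in the rendered fragment carry an event-handler
// attribute (preceded by a quote or whitespace, as a browser would parse it)?
// A correct renderer returns false for every input.
function hasLiveEventHandler(html) {
  const tags = String(html).match(/<[^>]*>/g) || [];
  return tags.some((tag) => /["'\s]on[a-z]+\s*=/i.test(tag));
}

// Constructed sample in the shape of the tweets seen that day (not a real one).
const SAMPLE_TWEET = 'hi" onmouseover="alert(1)" class="x';

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe renderer exposes handler:", hasLiveEventHandler(renderTweetUnsafe(SAMPLE_TWEET)));
  console.log("hardened renderer exposes handler:", hasLiveEventHandler(renderTweet(SAMPLE_TWEET)));
}
```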


Examples of compromised accounts:


Our advice is to use an alternative to the twitter.com Web site if you need to update your Twitter status.


UPDATE

As of 3pm UK time, Twitter Safety is reporting that the XSS flaw is no longer exploitable.


Carl Leonard

Can rogue AV ever be legitimate?
Posted: 21 Sep 2010 09:04 AM

Over the past year, the flood of search results laced with rogue AV seemed never to end. Whether the search was about a celebrity, politics, a calamity, or anything else that was hot and trending, blackhat SEO was sure to follow. Now, search engines are being more proactive in producing safer search results for users, forcing malware authors to rethink how they dispense rogueware. Lately, email appears to be, at least for the time being, the favorite vehicle for distributing rogue AV. In the past few months we've blogged and tweeted about malicious Twitter and Facebook password resets and about big brand names being used in email containing malicious links or attachments.


Today, we are blogging about an interesting email our Websense® ThreatSeeker Network recently identified. With Websense® Advanced Classification Engine (ACE), Websense customers are proactively protected against this threat. 


The email appears to be a transaction receipt for someone who was enticed to buy rogue AV software called Security Suite Platinum. Since Security Suite Platinum is a fairly popular rogue AV, it came as a surprise that none of the AV engines on VirusTotal actually detected it. This led us to look deeper into the binary.


What does Security Suite Platinum actually do?


Security Suite Platinum is a well-known rogue antivirus that uses scare tactics to extract fees from unsuspecting users. It acts like a legitimate virus scanner, searching the computer for viruses, trojans and other malicious files. At the end of its "scan" it claims to have detected malware, scaring the user into paying a small fee to remove the threats.


This part has been discussed many times before in a variety of security forums and blogs. However, what happens when a person actually pays the required fee is not so clear.


After paying a registration fee the user will receive an email with a confirmation and download instructions, as you can see in the email sample above. After clicking the link provided and typing the transaction ID, the Web site leads us to download the registered Security Suite Platinum straight away.


The registered Security Suite Platinum contains a real open-source antivirus engine, ClamAV. Think of it this way: it's ClamAV, illegally repackaged to operate as Security Suite Platinum. Security Suite Platinum thus turns out to be a somewhat "real" antivirus, in that it does detect some malicious files and behaves almost like genuine antivirus software. This also explains why none of the AV engines on VirusTotal detected this binary.



A simple string search clearly proves the presence of the well-known open-source antivirus inside the rogue AV.


So far so good, so what is wrong with this? First, it scared people into paying a fee using fake detection (not to mention the bad guys getting hold of a user’s financial information). Second, although the code running the rogue AV is legitimate AV, it is still not a legal and truly legitimate antivirus. There’s no trustworthy company behind it run by antivirus experts. The detection rate cannot be guaranteed. Finally, it is just an illegal use of free and open-source antivirus software acting like it is proprietary, asking for money when anyone can get it free.


To test its detection capability we simply copied several random malicious files into the %SYSTEM32% directory to see whether the registered Security Suite would really detect them. Its detection worked on at least one of the samples, and it then asked us to reboot the computer to remove the threat. However, instead of deleting the malicious file or moving it to quarantine, it merely renamed the file by adding an extra ".virus" extension.


** Analysis by Tamas Rudnai


Mary Grace Timcang

Fake Facebook password reset leads to rogue AV
Posted: 17 Sep 2010 10:54 AM

There is no stopping the abuse of social networking sites, nor the endless stream of social engineering tactics in email campaigns, whether spam or malicious. Facebook seems to be a favourite for most attackers, as it has a huge user base and attackers are almost guaranteed to get their message propagated quickly.


Websense customers are proactively protected against these threats by the real-time protection in our Advanced Classification Engine (ACE). 


This particular campaign is yet another rogue AV.  Here a user is presented with an email message which suggests opening the attached zip file, in order to retrieve a newly-created password due to supposed changes made to the user's Facebook account. 


The header details show the real source and origin of the email; the display name is its only connection to Facebook.


The file inside the zip carries the icon of a PDF document, which is misleading, as it is actually a Windows executable. When the user double-clicks this downloader, a rogue AV application is downloaded and launched, which scares the user into thinking their machine is infected.


As a result of being scared into thinking their computer might have been infected, the user is lured into going ahead with the rogue AV's instructions to disinfect the machine.


The installation carries out a series of scans with fake detections to make it more convincing to the user. 


The next stage offers the user the opportunity to remove the threats reported by the rogue AV's fake detections.


When this is selected, the user is presented with an alert that the rogue AV is not registered, and that registering it requires the user's credit card details. This is where the phishing for information takes place.


Currently we have seen over 240,000 of these email messages through our Websense Hosted Email Security product, and according to VirusTotal about 65% of anti-virus products detect the file attachment.

Amon Sanniez

Daniel Covington death spam leading to Rogue AV and Phoenix exploit kit
Posted: 17 Sep 2010 09:14 AM

Websense Security Labs™ ThreatSeeker™ Network has detected a new virus spam outbreak after Daniel Covington's death. Websense customers were proactively protected against the malicious code by our Advanced Classification Engine (ACE).


Most popular sports Web sites have reported this news: Daniel Covington, a former Louisville football player, was shot and killed after an altercation in downtown Louisville in the early hours of the morning on Sep 16, 2010. Of course, hackers never miss a chance to extend their criminal activities, and this time Daniel Covington has been their victim.


Let's track their vicious trail. Firstly, they send thousands of spam messages with a subject of "Daniel Covington die" to attract people's attention on the Internet.


Screenshot of the email:


Be careful of the HTML attachment: don't click it, as it hides malicious obfuscated JavaScript code and the obfuscation technique has been mentioned in our previous blog.


Let's see how evil they are. If a recipient clicks the HTML file, they will be redirected to two malicious sites. One site contains rogue AV, and the other one hosts a Phoenix exploit kit, a well-known kit used by Web attackers.


"Daniel Covington die" is not the only theme in this campaign. We have also found the virus spam in emails with these subjects:

    * America's Got Talent
    * Cops kill active shooter at Johns Hopkins Hospital
    * Church of Body Modification
    * failure notice
    * Jackie Evancho and Sarah Brightman
    * NFL Picks Week 2


Ran Qiong

Singing a malicious song
Posted: 16 Sep 2010 04:23 PM


Every now and then we look for song lyrics on the Internet. Using the newest Google Instant technology we immediately find what we need. At least, we think so.


Websense Security Labs™ ThreatSeeker™ Network has detected that the popular site Songlyrics.com (with approximately 200,000 daily page views and 2,000,000 unique visitors) is compromised and injected with obfuscated malicious code. Websense customers are proactively protected against the malicious code by our Advanced Classification Engine (ACE).


Once a user accesses the main page of the song lyrics site, injected code redirects to an exploit site loaded with the Crimepack exploit kit. Successful exploits result in a malicious binary file (VirusTotal detection 39.5%) being run on the victim's computer. Once infected, the machine becomes another zombie bot in the wild.


Deobfuscating this code reveals a redirection to the malicious payload site:


It is interesting to note that the malicious code injected on Songlyrics.com uses an obfuscation algorithm similar to Crimepack's. Crimepack is prepackaged commercial software used by attackers to deliver malicious Web-based code.

It appears that the majority of pages served by Songlyrics.com are compromised.

Crimepack has become one of the best-selling exploit packs on the market thanks to its large number of pre-compiled exploits, which offer a ready base for the "drive-by download & execute" business.


Ivan Sabo

Cash and "Labels and such" lead to ZEUS
Posted: 15 Sep 2010 03:34 PM

Websense® Security Labs™ ThreatSeeker™ Network has detected another wave of Zeus malicious email messages. This campaign is related to the familiar "pharma" spam messages that we see every day, with one exception: it combines an HTML or ZIP attachment with a social engineering technique similar to what we normally see in malicious email campaigns. For example, the message may state that $375 has been sent to the recipient's account, and include a link to view the transaction in the recipient's account. Opening the attachment results in a compromised user machine via obfuscated JavaScript in the attached HTML file. So far, we have seen this type of email with subjects like "Labels and such" and "Greetings from Rivermark Bill Payer!".


Websense customers are protected by the real-time protection in our Advanced Classification Engine (ACE).


Here is a screen shot of an email message with an HTML attachment:


In the case of an HTML attachment, criminals use obfuscated JavaScript. The content is encrypted with a commercially available HTML obfuscation tool.


When viewing the deobfuscated content, we see that the script uses a meta refresh tag to redirect a user who views the attachment. The script checks which browser is in use and only performs the redirection for one of the following: Firefox (navigator.userAgent.indexOf('Gecko')) or Chrome/Safari (navigator.userAgent.indexOf('KHTML')).
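The HTML attachments in this campaign, and in the Phoenix and Daniel Covington campaigns above, share a pattern: an obfuscated script, a user-agent check, and a redirect. The following is an added example (not code from the Websense post) of a static triage check for such attachments: it decodes one layer of %XX escapes, scores the indicators the posts describe, and reports which browser engines the redirect is gated on. The indicator names, weights, threshold and the two sample attachments are this example's own constructions.

```javascript
// Added example, not code from the Websense post: static triage of an HTML
// email attachment of the kind described in the Zeus, Phoenix and Daniel
// Covington campaigns. Indicator names, weights and the threshold are this
// example's own choices, not anything from the original analysis.

const INDICATORS = [
  { name: "meta-refresh", weight: 2, re: /http-equiv\s*=\s*["']?refresh/i },
  { name: "user-agent-check", weight: 2, re: /navigator\.userAgent/i },
  { name: "document-write", weight: 1, re: /document\.write\s*\(/i },
  { name: "decoder-call", weight: 2, re: /\b(unescape|decodeURIComponent|String\.fromCharCode)\s*\(/i },
  { name: "eval", weight: 2, re: /\beval\s*\(/i },
];

const SUSPICIOUS_THRESHOLD = 4;

// Decode %XX sequences without throwing on malformed input (decodeURIComponent
// would). Obfuscators often wrap the real markup in one such layer.
function decodePercentEscapes(text) {
  return String(text).replace(/%([0-9a-fA-F]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Which navigator.userAgent substrings does the script test for? In the
// campaign described above these were 'Gecko' and 'KHTML'.
function gatedEngines(text) {
  const re = /navigator\.userAgent\.indexOf\s*\(\s*(["'])([^"']+)\1\s*\)/g;
  const found = [];
  let m;
  while ((m = re.exec(String(text))) !== null) {
    if (!found.includes(m[2])) found.push(m[2]);
  }
  return found;
}

// Score the attachment. Each indicator is checked against the raw body and the
// percent-decoded body, so a refresh tag hidden inside unescape('%3Cmeta...')
// still counts.
function triageHtmlAttachment(body) {
  const layers = [String(body), decodePercentEscapes(body)];
  const hits = INDICATORS.filter((ind) => layers.some((layer) => ind.re.test(layer)));
  const score = hits.reduce((sum, ind) => sum + ind.weight, 0);
  return {
    score,
    indicators: hits.map((ind) => ind.name),
    gatedEngines: gatedEngines(body),
    verdict: score >= SUSPICIOUS_THRESHOLD ? "suspicious" : "clean",
  };
}

// Constructed samples (not real campaign files).
const BENIGN_ATTACHMENT = `<html><head><title>Receipt</title></head>
<body><p>Your payment of $375 has been received.</p></body></html>`;

const SUSPICIOUS_ATTACHMENT = `<html><body><script>
if (navigator.userAgent.indexOf('Gecko') > -1 || navigator.userAgent.indexOf("KHTML") > -1) {
  document.write(unescape('%3Cmeta%20http-equiv%3D%22refresh%22%20content%3D%220%3Burl%3Dhttp%3A%2F%2Fexample.invalid%2F%22%3E'));
}
</script></body></html>`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(triageHtmlAttachment(BENIGN_ATTACHMENT)));
  console.log(JSON.stringify(triageHtmlAttachment(SUSPICIOUS_ATTACHMENT)));
}
```

The verdict is a triage aid, not a classifier: a legitimate page can use a meta refresh, so the weights are tuned so that only the combination of gating plus obfuscation crosses the threshold.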


A user who is using one of the affected browsers will get redirected to a pharmaceutical site like this one:


For email messages that have ZIP attachments, the ZIP file has a VirusTotal detection rate of 5/43. The "label.zip" file contains "label.exe", which is a copy of Zeus. The malware copies itself to "C:\Documents and Settings\user\Application Data\Ewca\refef.exe" and tries to access two sites located in the .ru zone.


Here is a screen shot of the encrypted Zeus configuration file being downloaded after the malware injects itself into a legitimate process:


So far, we have seen more than 100,000 email messages like this.


Artem Gololobov

This Month in the Threat Webscape - August 2010
Posted: 15 Sep 2010 08:49 AM

Month of August 2010


Major hits

Mass compromises & infections
Network Solutions, one of the oldest domain registrars in the world, was found to be serving a malicious widget on its customers' Web sites. All sites that opted to display a "Small Business Success Index" widget were infecting their visitors. This includes sites not hosted by Network Solutions itself, such as Google Blogger accounts that installed the widget. Armorize has a more detailed analysis here, and pegged the number of compromised sites at a minimum of half a million (source: Google) or five million (source: Yahoo). It was also discovered that this widget is served as part of the standard domain parking page for newly registered domains.

Web hosting companies Media Temple and Rackspace also found themselves compromised and accidentally serving malicious code to their visitors.

DLL Hijacking
Another tactic for infecting users, dubbed "DLL hijacking", grabbed headlines this month. When an application starts on Windows (e.g. Microsoft PowerPoint), it more often than not searches a series of locations for the "helper" libraries it needs. Knowing that the app will search for these libraries and load them, an attacker can place a malicious binary in one of the locations searched, in an attempt to trick the app into treating the malicious file as the correct library. This vulnerability has been added to Metasploit; check out this video to see it in action.

iPhone Web drive-by exploit
Usually when we talk about drive-by exploits, it goes without saying that we're referring to something bad that is to be avoided. But what about people who intentionally try to get exploited by a drive-by, whether they understand it in those terms or not? Yes, we're talking about the much-hyped JailbreakMe Web site for Apple's iOS. All you need to do is open the browser on your iOS device (iPad, iPhone, etc.) and visit the Web site; with just one click (or swipe on the touch interface), the Web site jailbreaks your device using an exploit. The broader food for thought is this: the Web site prompts for your permission before executing an exploit on your device to do things the owner consents to, but the fact that this is technically possible (our research) in the first place opens the door to malicious Web sites that need not prompt for permission before doing things on your device that you do not consent to.

In other news, watch out for malicious fake YouTube pages and malicious links that show up in Bing search results, both of which can lead to rogue or fake anti-virus software.


Web 2 dot uh oh

This month saw a huge increase in the number of abused and fake accounts being used for spam propagation such as in the case of the fake Friendster.com accounts that seem to have happened over the course of a few days (blogged about here).  

The threat of Web spam seems more real than ever as the world of Web 2.0 and the use of social networking sites becomes ever more popular.  Another way to look at it is that "it is really here to stay".


Browser and friends

At the Black Hat USA 2010 conference, researcher Charlie Miller presented an exploitable vulnerability in Adobe's PDF Reader. Adobe delivered an out-of-cycle patch in the middle of August to fix the CVE-2010-2862 vulnerability and another critical vulnerability. Adobe also released two security updates this month: one for Adobe Flash Player, which fixed six critical vulnerabilities, and the other for Shockwave Player.


A security update for QuickTime was released in early August to plug a hole that allowed arbitrary code execution. At the end of August, a 0-day vulnerability in Apple's QuickTime player was discovered. The flaw affected the latest version of QuickTime (7.67.75.0); an alert was published here.


Google released Google Chrome 5.0.375.127 with patches for 9 security holes, and paid $10,011 in rewards to those who reported the bugs.

Opera released the Opera 10.61 update, which fixed three vulnerabilities.


Microsoft

Microsoft had to send out an out-of-band update to patch the LNK vulnerability that was discovered last month. One week after that, Microsoft had a record "Patch Tuesday" that included 14 bulletins patching 34 vulnerabilities, eight of them critical. The patches affected Windows, Microsoft Office, Internet Explorer, SQL and Silverlight.

However, Microsoft is not alone in the game as Adobe had to patch 10 critical vulnerabilities in Flash Player, Flash Media Server, and ColdFusion.


Hello ThreatSeeker. You've got mail!

This month in the email space saw some of the usual suspects come around again.  There were spoofed Microsoft emails that tried to get users to download a spam bot executable.  The attackers tried to make recipients of these emails believe that they needed to patch their systems for a dangerous 0-day attack.  We also saw a large spike in malicious spam that used various subjects which looked personalized as a social engineering trick to entice recipients to open malicious attachments in emails. 

For attackers, every day is tax day, as they continued their tax-themed social engineering tricks. This campaign of emails contained variants that warned of under-reported income or notified recipients of a higher tax bracket. These messages contained either a link to a malicious executable or an attachment.

Perhaps the most interesting trend this month was the use of many brands with which to spam people.  This technique is nothing new, but how it was being used was a bit new.  With these messages, we saw the use of malicious links that were meant to download and install Rogue AV software on victim computers.  This is a bit new as most attacks involving Rogue AV used Blackhat SEO as their attack vector.


Security Trends

60GB of account data for social networking sites, bank accounts, credit card numbers, and intercepted emails was stolen by a mini-ZeuS botnet dubbed Mumba. Thirty-three percent of the infected users are based in the U.S., followed by 17 percent in Germany and 7 percent in Spain.

The first SMS Trojan for Android OS has been detected as Trojan-SMS.AndroidOS.FakePlayer.a spread in Russia. For now, the Trojan only causes losses for Russian users, and as far as we can tell, it’s currently not being spread via the Android Marketplace.

Researchers have found an interesting kind of PHP injection. The script uses the User-Agent field as the deobfuscation key, and the injected PHP script contains multiple eval() calls, each of which uses a different deobfuscation key.

The United States edition of the second annual International Barometer published by Panda Security showed that 46 percent of U.S. small- and medium-sized businesses (SMBs)  have fallen victim to cybercrime, up two percent from last year’s survey.  The group surveyed nearly 10,000 SMBs around the globe and more than 1,500 in the United States.

Innocent companies with good reputations are targeted by identity thieves looking for valid certificates to supply to malware authors. Many of these scams deliberately make it very difficult to verify that a certificate apparently issued to a company is genuine. This should give us all serious concern about the trustworthiness of code signing in general.

This month's roundup contributors:

  • Saeed Abu-Nimeh
  • Lei Li
  • Ulysses Wang
  • Chris Astacio
  • Amon Sanniez
  • Matthew Mors
  • Jay Liew


Jay Liew


©2012 Websense, Inc. All Rights Reserved.