Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Latest Blog Posts


(October 2010) Posts

All Tricks & No Treat for Anti-Spam Engines

Posted: 29 Oct 2010 09:00 AM | Mary Grace Timcang | no comments


Spammers don't appear to be running out of tricks up their sleeves when it comes to bypassing anti-spam engines. Websense Security Labs™ ThreatSeeker™ Network found that spammers had slightly changed their tactics in the recent World Pharmacy campaign. Note that the earlier variant of the World Pharmacy campaign is still active at the time of writing. Our customers are being protected proactively against this ongoing and evolving spam campaign by ACE, our Advanced Classification Engine.

While abusing free services offered by legitimate and highly reputable companies is not new, this trick doesn't seem to grow old. In fact, it appears to serve the spammers' intent well, as inspecting the links found in the sample email below shows. Earlier variants of this spam campaign used compromised sites in their links. However, in an effort to evade detection, the newer variants abuse Google's free translation service, Google Translate, which serves as a redirector to the spam site rather than as the site translator the service is meant to be. Since the domain used in the email's links, http://translate.google.com, obviously belongs to a legitimate company, the message may pass as a legitimate email. The translator then redirects users to snip software snip . ru, which had been in English all along: further evidence that the sole purpose of using such services is to bypass spam filters. Spammers also practice their business skills by re-using this same email template to sell OEM software, which of course redirects users to sites selling OEM software merchandise.

The earlier variants of the World Pharmacy spam emails were well crafted and may well pass as a legitimate newsletter to unsuspecting eyes. The newer version appears to fall short of that craftiness: the text is all over the place and seems 'space-happy', with spaces between the words.

However, a closer look at the email reveals that what appear to be spaces between words are actually characters in the same color as the background. Unless they are highlighted, the human eye sees only spaces between words. Anti-spam engines see this differently and process it as a single run of text. Since anti-spam engines rely mostly on text patterns, such a run can easily pass spam filters. For example, an email with the word "pharmacy" may be tagged as spam. But if there is text (hidden or not) before and/or after the word, say "hello pharmacy buy", the email may not be treated as spam by anti-spam engines at all. This spam trick is of course another effort to evade detection. Another noticeable difference in the newer variant is the number of links to legitimate, reputable companies hidden in the email, including Google, Alexa, Facebook, Twitter, Bing and eBay. This may be an attempt to earn a good reputation based on how many legitimate links the email contains. So far, the campaign only contains links to Pharmacy...



Adobe Flash Player & Adobe Reader and Acrobat 0-day (CVE-2010-3654)

Posted: 28 Oct 2010 05:18 PM | Elad Sharf | no comments


Websense® Security Labs™ has received reports of a new zero-day exploit that targets the Adobe Flash Player. Our customers are protected from this latest vulnerability by ACE, our Advanced Classification Engine. The vulnerability can be delivered directly via a SWF file (Flash) or via a PDF file with an embedded Flash file object. An attack using the vulnerability with a PDF file has been spotted in the wild by Contagio Malware Dump (blog). Today Adobe issued a security advisory confirming the flaw and rating the vulnerability critical. It has been a very busy past few months with respect to vulnerabilities in Adobe products. The upcoming Adobe Acrobat Reader version, dubbed Adobe Acrobat X, promises tightened security features, so hopefully exploitation through Adobe's Reader will diminish. Adobe announced that they will release a patched version of Flash on November 9 and a fixed version of Adobe Reader the week of November 15. We are keeping an eye on developments and will update further as events unfold.



Lindsay Lohan Leaked Sex Tape fake invites on Facebook

Posted: 28 Oct 2010 02:15 PM | Patrik Runald | 3 comment(s)


Right now there's a campaign ongoing on Facebook where fake invitations are sent to users that claim to be about "Lindsay Lohan Leaked Celebrity Sex Tape", "Lindsey Lohan Just Leaked Having a THREEWAY on Camera" or variations on this theme. Websense customers are protected with our ACE technology. Invites using a different spelling of Ms. Lohan's name exist as well, such as "Lindsey Lohan Just Leaked Sex Tape". As with a lot of malicious campaigns on Facebook which rely on social engineering (which is pretty much all of them), it's sometimes astounding to see how people can fall for them, but they do. Social engineering on a social networking site is unfortunately a powerful combination. In the following screenshot, 8 people have accepted the fake invite and 12 are maybe coming. All in all we've seen hundreds of different invitations being sent around. The information on each invite is not the same every time, but the common theme is that they all contain a TinyURL link which redirects to the following page: When clicking on Login the following popup appears, so it seems that the actual payload is not available. While the payload is not available at the time of writing, it could be made available at any time. We will keep monitoring this and update the blog post if we see any developments. Thanks to Fa7her for sending us this tip.

Update: This attack eventually was changed, activated and later killed again. When it was working it led to a page showing a video from YouTube. It also tricked the user into installing a Facebook application that, once the user selected to install the app, created an event in the user's name similar to the screenshot at the beginning of this post. Lastly, it redirected the user to a survey, tricking the user into giving away personal information.



Critical Vulnerability in Firefox Browser CVE-2010-3765

Posted: 27 Oct 2010 04:05 PM | Tamas Rudnai | no comments


Yesterday we received reports about a critical vulnerability in the Firefox browser that has been detected in the wild. According to the reports, this flaw can potentially allow an attacker to exploit the user's machine through the browser by making it run arbitrary code without user interaction - a classic drive-by vulnerability. Our customers are protected from this latest vulnerability by ACE, our Advanced Classification Engine. The vulnerability was discovered when the Nobel Peace Prize web site got compromised. The attacker used multiple iframe redirections on the same compromised site, with the last link in the chain pointing to a dynamic DNS provider to reach the malicious page. The Mozilla community also confirmed the vulnerability in a blog post, where they state that they are investigating the issue and working on a fix. Websense Security Labs is currently investigating the vulnerability in detail. Initial analysis shows that the attacker references an object in the web page that has been removed, leaving the reference pointing to invalid memory. The malicious code uses a heap spray technique to exploit the vulnerability and run arbitrary code on the user's computer. In addition, part of the exploit code checks the version of the browser and the operating system, and constructs the shellcode accordingly to initiate a successful exploit.



Opengraphprotocol.org compromised

Posted: 22 Oct 2010 10:46 PM | Patrik Runald | no comments


The opengraphprotocol.org Web site is currently compromised and is redirecting users to rogue AV sites. Websense customers are protected with our ACE technology, which has real-time protection to proactively protect against this attack. Open Graph is a protocol developed by Facebook that allows other Web sites to provide Facebook services directly on the site, such as having a "Like" button on the page. The opengraphprotocol.org site is owned by Facebook, but hosted by a third party provider. This is how Facebook describes Open Graph: "The Open Graph API will allow any page on the Web to have all the features of a Facebook Page – users will be able to become a Fan of the page, it will show up on that user's profile and in search results, and that page will be able to publish stories to the stream of its fans."

Here is what the compromised code looks like on the Open Graph Web site. Our investigation indicates that every single page on the site is compromised with the same code. The file ko.php starts a redirection chain that eventually leads the user to a standard rogue AV page. The way that Open Graph is referenced on sites that use the API is that typically a link to the Open Graph XML schema is included above the header of the page. Here's a snippet of code from foursquare.com (which has not been compromised, nor will any user that visits foursquare.com be infected):

Users not affected

It's very important to note that Web sites that use the Open Graph API or reference a schema like the above example will NOT serve malicious content to their users. This is because the schema link is an informational link only; it doesn't get loaded as part of the page, nor does it provide a clickable link to the user.

Update: Facebook has cleaned up the pages. After we notified them it took them less than 10 minutes to fix the problem. Big kudos to their security team for acting so promptly on this!



First we take Canada, then we take the World

Posted: 22 Oct 2010 08:13 PM | Ran Mosessco | no comments


By now, Web sites related to "Canadian Pharmacy" are well known to email users around the globe, many of whom have had the "pleasure" of receiving spam messages offering a way to buy cheap medications. Recently, Websense Security Labs™ ThreatSeeker™ Network came across what looks like a newer variant: "World Pharmacy". What's interesting about this campaign is that it uses links to compromised Web sites, which in turn redirect to the World Pharmacy affiliate site. So far, it seems that the compromised pages contain only a simple redirect, but there's no guarantee that the campaign will remain this benign. The wide variety of compromised sites (Web hosting, a Nepal government office site, an English school, and more) suggests that the spammers want to use the good reputation of legitimate sites to get their message across. Websense customers are proactively protected against this spam by our Advanced Classification Engine - ACE.

This particular variant arrives through email with various subject lines, like:

    More energy for affairs
    Your powerful uprise will excite women
    Prevent ero-failures
    Show her your potential
    Stop ruining yourself
    Buy macho-doping online
    Make her joy stronger
    Dreaming of being number one for her?
    Huge success in male augmentation
    Magnesium oxide replenishment to your organism.
    Secret of lasting acts of love
    Secret of male victories

The email tries to endear itself to the recipient by addressing the reader as "Dear <user name from the recipient's email address>,". After such a personal opening, who can resist clicking on the link text, which ranges from male enhancement offers to a generic registration confirmation, or "Would you believe that?" and similar ploys. To get around mail content filters, the text doesn't use explicit product names or overly objectionable expressions. To add another bit of legitimacy, the footer clearly states that the senders are committed to your privacy, and that you can unsubscribe at any time.

Of course, all the links in the footer point to the same compromised page with different parameters. The compromised pages contain a simple redirect, as mentioned above, to a Web site registered to one "Vladislav Petrenko" from Moscow, who seems to have an affinity for registering spam domains... In this case, Websense customers are protected by multiple layers: Websense messaging products recognize patterns in the messages and links; the Hosted products also identify abnormal network activity; and real-time Web protection prevents the user from accessing the links in the mail, thus avoiding the final redirection target. As always, be careful of links in unexpected emails. They often lead to spam, malware, or other unwanted content.



Piggybacking on Adobe Acrobat and others

Posted: 18 Oct 2010 01:35 PM | Elad Sharf | no comments


Yesterday, Adobe unveiled the next version of its Acrobat software: Adobe Acrobat X. The version is set to hit the market within 30 days. Among other features, it is going to include a very important security feature that lets users view documents safely within a sandbox environment, adding a layer of protection to the product. Until the new version is released, there will be a lot of talk about it, which presents an opportunity to cyber criminals. "Piggybacking" software has been circulating for some time now, and the upcoming Adobe Acrobat X launch is a great opportunity for it to rear its ugly head again.

The term "piggybacking software" refers to programs that use the reputation of popular free or paid software to sell the exact same software under false pretences (for example, by claiming that it has enhanced features), or to sell slightly different software with limited added functionality. In both cases, the software is presented in a misleading way as an updated version of the genuine software. Piggybacking software is usually found on Web sites that:

1. Are very low reputation sites or template sites
2. Use the original software brand name, themes, and colors
3. Present the same features as the original free software or service
4. Sell the same features the original software or service offers, possibly adding very limited functionality
5. Spread through spam, Web spam, or proxy Web sites
6. Are not affiliated with the offered software or service, and have a limited refund policy, if any

The table below shows an example of what is meant by low reputation. All the sites in the table sell piggyback software. At some point, all of them shared the same IP address, were registered for a relatively short period of time, used the same templates with various different names, and used the anonymous domain registrar "Domains By Proxy."

You can see that Adobe is a popular target, but there are others:

    Hostname                         Website exists for   Target
    download-2010-version.com        4 months+            Adobe Acrobat
    latest-2010-version.com          4 months+            Adobe Acrobat
    latest-new-pdf-download.com      20 days              Adobe Acrobat
    new-earth-online.com             1 month+             Google Earth
    new-online-version.com           5 months+            Limewire
    official-pdf-download.com        2 months+            Adobe Acrobat
    official-pdf-pro.com             2 months+            Adobe Acrobat
    official-pdf2010.com             2 months+            Adobe Acrobat
    official-pdfdownload.com         2 months+            Adobe Acrobat
    pdf-new2010.com                  4 months+            Adobe Acrobat
    pdfreader--2010.com              4 months+            Adobe Acrobat
    the-movie-downloads.com          5 months+            Generic / Streamer
    watch-hd-movies-online.com       1 month+             Generic / Streamer
    www.online-tv-on-pc.com          28 days              Generic / Streamer
    www.pdf-new-2010-download.com    20 days              Adobe Acrobat

This is how piggyback scams generally work: the entrepreneurs (criminals, to be more precise) establish a software Web site where they sell piggyback software. They take care of the site's design, payment processing, the availability of the Web site, etc. They want...



Murofet: Domain Generation à la Conficker

Posted: 14 Oct 2010 09:05 PM | Gregory Newman | no comments


Recently a new piece of malware has emerged that operates similarly to Conficker. This malware, named Murofet, resembles Conficker in that it generates thousands of domains daily, which it then contacts for updates. Our customers are protected from this latest threat by ACE, our Advanced Classification Engine.

Immediately upon executing, Murofet starts a thread that attempts to download malware updates. It generates pseudo-random domain names based on the year, month, day, and minute of execution. The algorithm used for domain generation is simple: from the data just mentioned, it generates two DWORD values. The first is composed of the month, day, and low byte of the year of the date of execution, plus 0x30 (48). The second DWORD value is based on the minute of execution, multiplied by 0x11 (17). This number is then iterated 800 times to generate multiple domains. The resulting QWORD value is hashed with the MD5 algorithm, and each byte of the result is used to generate one letter of the domain name: the byte is split into two nibbles and, if their sum is a valid index into the alphabet, converted into that letter by adding 0x61 ('a'). For example, 0x42 = 0x4 + 0x2 = 0x6 = 'g' (zero represents 'a'). Each letter is then concatenated into a domain name. Once the letter conversion loop is finished, Murofet applies a few rules to decide which domain extension to use. If the current iteration of the value derived from the minute is divisible by 5, it uses ".biz". Failing this, if the derived value [bitwise] AND 3 results in zero, the extension ".info" is used. If this fails, it checks whether the number is divisible by 3, in which case it uses ".org". Finally, if the number is divisible by 2 it uses ".net"; otherwise it uses ".com".

Pseudocode for the above process is as follows: (Figure 1: domain generation pseudocode)

Because of the modular division of the iterated value derived from the minute the binary is run, there are exactly 1020 domains generated per day. When Murofet finds a valid download at one of the links, it attempts to create a process. Upon successful creation of the process, the thread attempting to find updates exits and the new malware does its job. If any security research professionals need a domain list, please visit this link and make your request by selecting the "other" category. Just let us know what date range you need and we'll do what we can to help out!
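The generation process described above, as an added Python re-implementation for producing a run's candidate domains for blocklisting or DNS-log matching; this is not Websense's pseudocode or the malware's own code. The post names the fields of the first DWORD but not their byte order, and says the minute-derived value is "iterated" without saying how, so the little-endian packing and the increment-by-one step below are assumptions and the exact domains will differ from the real sample's.

```python
"""Murofet-style DGA reconstructed from the description above (added example)."""
import hashlib
import struct

ITERATIONS = 800  # the write-up says the minute-derived value is iterated 800 times


def letter_from_byte(byte):
    """Sum the byte's two nibbles; 0..25 map to 'a'..'z', larger sums yield no letter."""
    n = (byte >> 4) + (byte & 0x0F)
    return chr(0x61 + n) if n < 26 else None


def tld_for(value):
    """TLD precedence from the post: %5 -> biz, &3 == 0 -> info, %3 -> org, %2 -> net, else com."""
    if value % 5 == 0:
        return "biz"
    if value & 3 == 0:
        return "info"
    if value % 3 == 0:
        return "org"
    if value % 2 == 0:
        return "net"
    return "com"


def date_dword(year, month, day):
    """First DWORD: month, day and low byte of the year, plus 0x30.

    ASSUMPTION: the fields are packed as month | day << 8 | (year & 0xff) << 16;
    the post lists the components but not their order.
    """
    return ((month | (day << 8) | ((year & 0xFF) << 16)) + 0x30) & 0xFFFFFFFF


def generate(year, month, day, minute, iterations=ITERATIONS):
    """Return the candidate domains for one run at the given date and minute."""
    d1 = date_dword(year, month, day)
    seed = (minute * 0x11) & 0xFFFFFFFF            # second DWORD: minute * 17
    domains = []
    for i in range(iterations):
        value = (seed + i) & 0xFFFFFFFF             # ASSUMPTION: iterate by incrementing
        # QWORD = both DWORDs side by side (little-endian here), hashed with MD5
        digest = hashlib.md5(struct.pack("<II", d1, value)).digest()
        label = "".join(c for c in map(letter_from_byte, digest) if c)
        domains.append(f"{label}.{tld_for(value)}")
    return domains


if __name__ == "__main__":
    for d in generate(2010, 10, 14, 21)[:10]:
        print(d)
```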


This Month in the Threat Webscape - September 2010

Posted: 14 Oct 2010 06:33 PM | Jay Liew | no comments


Month of September

Major Hits

Stuxnet was the major story last month. After the presentations at Virus Bulletin 2010 [1, 2], Stuxnet has gotten even more attention. CVE-2010-2883, a 0-day in Adobe Reader, was another major story. A malicious injection targeting song lyrics put Google users at risk, thanks to Google Instant. Finally, Google Code was found to be hosting malicious Web content, specifically the Ultimate BlackHat Tool Kit.

Web 2 dot uh oh

"Links lead to more links" - you are just 2 clicks away from being infected. Use of Link Analysis to find objectionable or malicious content and ACE (Advanced Classification Engine) technology gives us in-depth insight into security threats on the social Web and helps protect our users. Over 40 percent of Facebook posts contain a URL, and 10 percent of those are either spam or malicious. Take a look at some tips for avoiding the potential dangers of user generated content in our Websense Insight: Link Analysis blog. Visit Defensio.com for the only social media threat detection application that protects social media sites and Facebook pages from spam or profanity. The highlight in Web 2.0 this month was an "OnMouseOver" flaw on twitter.com. The flaw, caused by XSS (cross-site scripting), delivered pop-ups to users when they moused over specially crafted tweets. The tweets contained JavaScript code that ran on the OnMouseOver event, which enabled the code to run without requiring a mouse click. The issue could potentially have been used by malware authors to spread malicious tweets that redirected users to malicious Web sites. The flaw was patched and is no longer exploitable.

Browser and friends

A number of security flaws in some of the most-used media players (Apple's iTunes and QuickTime, and RealNetworks' RealPlayer) hit the September headlines. While RealPlayer and iTunes released patches for known vulnerabilities, QuickTime faced a classic drive-by 0-day that could lead to arbitrary code execution when visiting malicious Web sites or images. Websense® ACE (Advanced Classification Engine) identified and protected our customers against this attack at least a month before the news broke. Google Chrome marked its 2nd birthday by delivering patches for 15 known vulnerabilities. Firefox also released patches for 15 vulnerabilities, including fixes for the DLL load hijacking issue. Apple released patches for 3 security holes in its Safari browser, 2 of which affect WebKit, the open-source rendering engine used by Safari and iTunes. A security update for Adobe Flash Player was released mid-September for a 0-day that allowed the attacker to gain control of affected systems. CVE-2010-2884 affects Flash Player version 10.1.82.76 and earlier, Adobe Reader 9.3.4 and earlier, and Adobe Acrobat 9.3.4 and earlier.

Microsoft

Major DLL load hijacking issues crossed over from the end of August to the beginning of last month, affecting not only Microsoft but other popular vendors as well. Microsoft...



Eleonore Exploits Pack's Unescape Cipher

Posted: 13 Oct 2010 11:22 PM | Chris Astacio | 1 comment(s)


In this blog post, we will cover Eleonore Exploits Pack's obfuscation, which is meant to conceal the true intent of the source code that the exploit page serves up. Obfuscation is one of a few ways that attack kits try to protect themselves and their malicious intent. The obfuscation of their code discourages analysis because it looks too difficult to handle. With a little bit of patience and time, we can learn to deobfuscate the content and fully understand the intent of the attack code. The kit also protects itself by only serving the exploit page once per visitor, identifying visitors by IP address. This may seem counterintuitive, since it does limit the exposure of the attack, but it also protects the kit from analysis because researchers only have one shot at obtaining the payload. Despite the obfuscation we are about to cover, Websense customers are protected from the Eleonore Exploit Pack by the real-time analytics in ACE, our Advanced Classification Engine . Because of ACE, we can block sites hosting Eleonore Exploit Pack the first and only time that customers are exposed to it. Here is a screenshot of the Eleonore Exploit Pack's login page: Behind this login page are all sorts of stats for the attacker, such as what operating systems, browsers, and countries have visited the attack site. It also shows which Web sites referred visitors to the kit, and allows attackers to upload the malware they want loaded onto victim computers. I digress, though. These descriptions are meant for another time and another campfire story. Below, we can see the attack code served by Eleonore. All we know is that this code is meant to exploit visitors. From looking at it, we can't tell how visitors are being attacked. In order to understand the how, we need to deobfuscate the code to make it human-readable. This is a screenshot of the Eleonore Exploit Pack's attack code served to visitors: First off, I'll tell you that I cleaned up this code a bit. 
The attack code is longer than 31 lines, but I removed most of the encoded or obfuscated attack code to make the rest of the source code easier to see. Hint: the variable oRxBt5K8aKg9Ig is the shortened obfuscated code. This will be primarily what we try to deobfuscate. Looking at the code on this page, we can see that it's fragmented, meaning that not everything needed to deobfuscate the code can be found on this page. At the top of the page, there is a JavaScript file that we'll need to fetch in order to fully deobfuscate this code. Why is the attack page fragmented in this way? I would venture that it's another protection mechanism, because some tools can't handle code that is split across files. For example, I can't parse the script out of this page and expect Malzilla to deobfuscate it for me. Screenshot of 432.js: Looking at the first variable that is declared after the long, obfuscated variable, we can see a function call to jklsdjfk(). This function can be found in the...
