
November 2010 Posts

Facebook used for phishing attacks and open redirects
Posted: 29 Nov 2010 06:02 AM

Recently, at Websense Security Labs, we have seen Facebook being used to display phishing pages for different services, as well as to redirect to phishing pages hosted elsewhere. Below are two examples of what the phishing attempts look like:

The first email message appears to come from Facebook Security, and requests that users confirm their account. This is just like other phishing attacks we see every day. The twist here is that the phishing page itself gets loaded from within the Facebook site using an iframe. This makes it look much more legitimate than a site hosted on another domain.

The second message is similar, but there's another URL towards the end. Clicking the link sends the user to www.facebook.com, where a script redirects the user to another Web site that contains the phishing page.

Both of these attacks make it harder for the user to spot the malicious content directly from the email, since both messages point to a valid Facebook URL. In addition, the inclusion of valid Facebook URLs makes protecting users somewhat harder for anti-spam solutions and Web filtering products that rely heavily on URL filtering to classify content.

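Added example (not from the Websense post): a small Python check that a mail or Web filter can run to spot a trusted outer host being used only as a bounce to another domain. The sample links and the allowlist are constructed for the demo.

```python
"""Flag links whose query string carries a second, absolute URL on another host.

Added example (not from the Websense post): a URL filter that classifies only
the outer domain will pass a www.facebook.com link that merely bounces the
visitor elsewhere. This helper surfaces such nested targets so the filter can
classify the inner destination rather than the trusted outer host.
"""
from urllib.parse import parse_qsl, unquote, urlparse

TRUSTED_HOSTS = {"www.facebook.com", "facebook.com"}  # constructed allowlist

def _host_of(value: str):
    """Return the hostname if value is an absolute http(s) URL, else None."""
    candidate = unquote(value).strip()  # tolerate double-encoded parameters
    if not candidate.lower().startswith(("http://", "https://")):
        return None
    return urlparse(candidate).hostname  # already lower-cased by urlparse

def nested_redirect_targets(url: str):
    """Return hosts embedded in the query string that differ from the outer host.

    Values that point back at the same host (login return-to links) are normal
    and ignored; anything else is a candidate open redirect.
    """
    parsed = urlparse(url)
    outer = (parsed.hostname or "").lower()
    found = []
    for _, value in parse_qsl(parsed.query, keep_blank_values=True):
        inner = _host_of(value)
        if inner and inner != outer and inner not in found:
            found.append(inner)
    return found

def is_trusted_host_bounce(url: str) -> bool:
    """True when a trusted outer host is used only to bounce somewhere else."""
    outer = (urlparse(url).hostname or "").lower()
    return outer in TRUSTED_HOSTS and bool(nested_redirect_targets(url))

# Constructed sample links modelled on the two patterns described above.
SAMPLES = [
    "https://www.facebook.com/redirect?u=http%3A%2F%2Fexample-phish.test%2Flogin",
    "https://www.facebook.com/login.php?next=https://www.facebook.com/home",
    "https://www.facebook.com/profile.php?id=12345",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", nested_redirect_targets(link), is_trusted_host_bounce(link))
```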
Below is a video of both attacks in action. The video also shows a variant that looks like a Zynga account notification, also hosted in part by Facebook. Our customers have been protected against this threat by ACE, our Advanced Classification Engine.

Patrik Runald

Facebook scam in the wild: "1 year old girl who carries twin sister inside belly"
Posted: 17 Nov 2010 09:04 PM

The Websense ThreatSeeker Network has detected a bad URL quickly spreading through Facebook today. Our customers were protected proactively against this threat by ACE, our Advanced Classification Engine.

This is a classic social-engineering attack. The lure is a Facebook wall post enticing users to click a link. The link leads to a Web site that attempts to gain permission to post on the victim's behalf on other Facebook pages. The scam then propagates virally by posting itself on all the pages that the Facebook user has 'liked'.

Always be cautious when clicking links inside Facebook. In addition, if you have signed up for Websense's Facebook app, we can automatically delete such posts for you, or you can opt to receive an email notification that looks like this:

Jay Liew

Instant Previews: A Pawn for Malicious Intent
Posted: 17 Nov 2010 06:08 PM

Ever noticed a magnifying glass next to your Google search results lately? It is actually a new service that Google launched last week called Instant Previews. This service allows users to see what a page looks like before going to it by hovering over or clicking the magnifying glass next to the Google search results.

Simple? Yes. Secure? Not so much. Our research shows that the images shown in Instant Previews are not updated as frequently as one might assume. Therefore, we don't think this feature helps users much in making an informed decision about whether a link is malicious or not. On the other hand, Websense customers are protected from this attack by our ACE real-time analytics.

We reported some Black Hat SEO'd websites from searches relating to Prince William's engagement yesterday. Using Google's Instant Preview on the malicious search results may lead users into believing that the links they're clicking on are safe when in fact they're not.



Take the picture above for example. Instant Preview returns a very legitimate-looking page, complete with pictures and relevant words. To unsuspecting eyes, it looks clean. Of course, when the user clicks the link, they will be redirected to the fake Firefox Update page. This tactic is also evident on Black Friday related search results.

Other variations of images used by malware pushers in Instant Previews are the usual standard Google Search Page and a very simple "Preview not available."

Mary Grace Timcang

Attackers using Prince William engagement for attacks
Posted: 16 Nov 2010 11:19 PM

It didn't take long for attackers to take advantage of the big news that Prince William and Kate Middleton are getting married. As we have explained before, attackers have the process down to a science. They monitor breaking news, trending topics, and buzz words, then automatically manipulate search results based on what's happening in the world. Websense customers are protected against this attack through our Advanced Classification Engine.

As we discussed in our 2010 Threat Report, searching for news and buzz words is now more dangerous than searching for adult content, with approximately 22.4% of all searches for current news leading to malicious search results. And that's in the top 100 results!

The result when clicking on one of the malicious links is exactly the same as with last week's Veteran's Day scams. As always, make sure you go to reputable sites when looking for news. Don't just do random searches.

Patrik Runald

This Month in the Threat Webscape - October 2010
Posted: 12 Nov 2010 07:30 PM

Month of October 2010

Major Hits

Websense Security Labs discovered that the official Web site of the Nobel Peace Prize was compromised by malicious hackers. The hackers inserted code that infects visitors using Mozilla Firefox. This zero-day vulnerability has since been patched.

The exploitation of vulnerabilities in Java has spiked dramatically, as brought to light by Holly Stewart from the Microsoft Malware Protection Center (see chart below). 

The attacks can largely be attributed to 3 vulnerabilities:

CVE ID              Attacks     Computers   Description
(CVE ID not shown)  3,560,669   1,196,480   A deserialization issue in vulnerable versions of JRE (Java Runtime Environment) allows remote code execution through Java-enabled browsers on multiple platforms, such as Microsoft Windows, Linux, and Apple Mac OS X.
(CVE ID not shown)  2,638,311   1,119,191   Another remote code execution, multi-platform issue caused by improper parsing of long file:// URL arguments.
(CVE ID not shown)  213,502     173,123     Another deserialization issue, very similar to CVE-2008-5353.

(Image and stats from Microsoft)

 

Web 2 dot uh oh

The Web site of Open Graph, the popular and perhaps most-used Facebook API, opengraphprotocol.org, was compromised, leading users to a standard rogue AV landing page. The same malcode was seen on every single page of the Web site.

Lindsay Lohan was the celebrity decoy of October's social engineering scheme. Fake Facebook invites enticed users to view sex tapes of the controversial actress. Links included in the invitations led to a typical survey spam page at the time.

Towards the end of the month, a cross-platform Facebook worm that mimics some Koobface qualities heated up the information security sphere. Facebook users received messages with links to a video. This worm, known as Boonana, lured users into installing a Java applet when the link enclosed with the message was clicked. When users allowed the installation, other malicious components were downloaded. A closer look at the Boonana code sparked further interest, since it contained code indicating that it was targeting Mac OS X.

A new zero-day vulnerability (CVE-2010-3654) was discovered in Adobe Flash Player at the end of October. The vulnerability caused a crash and potentially allowed an attacker to take control of the affected system. Here are some details. A PDF file with an embedded Flash file object exploited this vulnerability. Another zero-day vulnerability (CVE-2010-3653) was found in Adobe Shockwave Player; here, a remote attacker could exploit the vulnerability to execute arbitrary code or cause a denial of service via a Director movie with a crafted rcsl chunk. The exploit code is published here. A new mega patch for Adobe PDF Reader was also released, fixing 23 security holes.

Mozilla released 9 bulletins in the middle of October, including 5 critical updates. The Nobel Peace Prize's Web site was compromised, a 0-day vulnerability (CVE-2010-3765) in Firefox was exploited to drop a Belmoo trojan on unsuspecting visitors' systems, and Mozilla patched the vulnerability very quickly.

Google released a security update for its Chrome browser to fix 11 vulnerabilities.

Oracle delivered a mega patch for Java SE and Java for Business, fixing 29 security vulnerabilities. The patch for Java on Mac OS was released here.

According to RealNetworks, 7 vulnerabilities in RealPlayer were fixed here.

Microsoft

Microsoft sent out an astounding 16 bulletins meant to patch 49 vulnerabilities in the Windows operating system, Internet Explorer, .NET Framework and Microsoft Office on October's Black Tuesday. Patches for vulnerabilities that could allow remote code execution in Internet Explorer (MS10-071), Media Player Network Sharing (MS10-075), Embedded OpenType Font Engine (MS10-076) and .NET Framework (MS10-077) are deemed to be the most critical fixes and should be treated with high priority this month.

Hello Threatseeker. You've got mail!

This month, Websense Security Labs saw spammers returning to some of their trickiest treats to fool email recipients. Sorry, I couldn't resist the Halloween reference since it's October. We saw that spammers were stuffing their messages with legitimate content to try and evade spam filters. In one of the many campaigns we saw this month, the messages led to an unfamiliar target called World Pharmacy. These messages were interesting because they were abusing legitimate site reputations much in the same way malicious attackers usually do. The links in the messages led to URLs injected into legitimate sites, which were meant simply to redirect to these World Pharmacy spam sites. In an extension to this campaign, we also saw that spammers were attempting to take advantage of the ultimate reputation by using Google Translation services to redirect to software sites.

Security trends

A PDF vulnerability was found in the BlackBerry Attachment Service, which runs on BlackBerry Enterprise Server. This security hole in the PDF distiller could allow a malicious individual to cause buffer overflow errors, leading to a Denial of Service (DoS) condition or possibly arbitrary code execution. It was triggered when users opened PDFs on their BlackBerries.

Microsoft has added Zeus disinfection instructions onto its malicious software removal tool (MSRT). It nuked Zeus (also called Zbot) 281,491 times from 274,873 computers in one week. MSRT scans Windows computers for infections by specific, prevalent malicious software. This tool is updated and released on the second Tuesday of each month, and Zbot is the latest addition to MSRT’s ever-growing list of malware.

A vulnerability for iPhone was posted to a MacRumors forum by a New Zealand iPhone user who figured out a sequence of key taps that rendered the passcode useless. It's a trivial way to bypass the four-digit passcode lock on fully patched iPhone (iOS 4.1) devices.

Security researchers found that the first version of the Koobface malware targeting Mac OS X users was spreading via links in messages on social networking sites such as Facebook, MySpace, and Twitter. The malicious Web sites attempted to trick Mac OS X users into running the Java applet to open a video file.

The past few months have been very busy with zero-day flaws affecting popular products. In total, those vulnerabilities accounted for 108 non-patch days - that's 88.5% of vulnerable time in 4 months.

Murofet malware is similar to Conficker in that it generates thousands of domains daily that it then contacts for updates.

This month's round up contributors

  • Ulysses Wang
  • Lei Li
  • Mary Grace Timcang
  • Chris Astacio
  • Jay Liew

Jay Liew

Veteran's Day spurs Poisoned Search
Posted: 10 Nov 2010 11:58 PM

Today is Veteran's Day, and as with any other holiday, black hat SEO and spam emails have been visible since Monday this week. Websense customers are protected against this attack through our Advanced Classification Engine.

Search terms like veteran's day, veteran's day 2010, veteran's day events, veteran's day california and veteran's day honolulu return poisoned web results.

The code found on the infected site earlier this week is reminiscent of last week's Midterm Elections attack. In fact, the websites used in the Midterm Elections black hat SEO are also the ones used for Veteran's Day black hat SEO. At the time, the redirection was not working, although the URL specified is an active rogue AV site. As you can see below, the election term is replaced by Veteran's Day related search terms.

Today, the poisoned results' redirection pages are up and running. If the user is using Firefox, they are redirected to a fake Firefox update page prompting them to download a file called firefox-update.exe, detected by 13/40 VT engines. For Internet Explorer, users are redirected to the ever so familiar rogue AV page. The only thing of note is that the rogue AV installer is not available for download; clicking the "Remove all" button only brings up a warning box.

The fact remains that there is more than one way to find something on the web, so the malware pushers also decided to poison image results. Unlike the poisoned web search results, poisoned image results have been active since Monday. The payload is also browser-dependent today, although it was serving up rogue AV regardless of the browser last Monday.



Finally, spammers also want their share of the pie as well, so when you look at the results under videos, a slew of adult content is returned.  Of course this is in addition to the spam emails spammers have been distributing since last week.


To conclude, we have seen how business-minded malware pushers are: one code base used for two different events. As always, be cautious when clicking search results. The "This site may harm your computer." warning is not always there to save the day, especially in video and image search results. Moreover, keep in mind that malware pushers are diversifying their portfolio by including poisoned image search results more and more.

UPDATE

We are also seeing the same attack on search terms related to today's UK Remembrance Day. Be cautious when searching for holocaust remembrance day 2010 and remembrance day 2010.

Mary Grace Timcang

Amnesty International Hong Kong Website Injected With Latest Internet Explorer 0-day
Posted: 10 Nov 2010 06:36 AM

Websense Security Labs™ ThreatSeeker™ Network has detected that the Hong Kong Website of human rights organization Amnesty International has been compromised by multiple exploits, including the most recent Microsoft Internet Explorer 0-day. In one attack, an iframe has been injected into the index page, resulting in a quiet redirection of any visitor to an exploit server controlled by the cyber criminals. Websense customers are protected from this exploit by our ACE real-time analytics.

The exploit server is hosted in the United States. It combines several recent vulnerabilities in Adobe Flash, Adobe Shockwave, Apple QuickTime, and Internet Explorer.

Every URL in the picture above hosts an exploit. Let's analyze each one:

The index.htm (code snippet is below) hosts malcode that exploits a Flash vulnerability (CVE-2010-2884). This vulnerability, discovered in September 2010, has already been patched by Adobe. The vulnerable SWF file triggers the embedded shellcode to download a malicious executable file from hxxp://www.[removed].org:9126/hha.exe. Because some of the bytes in the file have been XORed with 0x95, the detection rate is very low (2/43).

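Added example, not from the post: a Python helper for the analysis step, which brute-forces a single-byte XOR mask by looking for the PE 'MZ' signature and the DOS stub text, then unmasks the payload so it can be scanned or hashed. It assumes the whole file is masked with one byte (the post says only some bytes were), and the masked sample is constructed here rather than taken from hha.exe.

```python
"""Recover a single-byte XOR mask from a downloaded payload and remove it.

Added example (not from the Websense post): the hha.exe sample was partly XORed
with 0x95 so that signature scanners would not recognise it. An analyst can
brute-force a one-byte key by looking for the PE 'MZ' signature and the DOS
stub text, then unmask the payload before scanning or hashing it. Assumption:
the whole file is masked with one byte (the post says only some bytes were).
The masked sample below is constructed; no real malware bytes are used.
"""

DOS_STUB = b"This program cannot be run in DOS mode."

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)

def find_xor_key(data: bytes):
    """Return the key (0..255) under which data looks like a PE file, else None.

    A hit requires the 'MZ' signature at offset 0 after unmasking and the DOS
    stub text somewhere in the first 512 bytes, which rules out chance matches.
    """
    for key in range(256):
        head = xor_bytes(data[:512], key)
        if head[:2] == b"MZ" and DOS_STUB in head:
            return key
    return None

def unmask_if_needed(data: bytes) -> bytes:
    """Return the payload with the mask removed (unchanged if no key fits)."""
    if data[:2] == b"MZ":
        return data  # already a plain executable
    key = find_xor_key(data)
    return xor_bytes(data, key) if key is not None else data

def build_fake_pe() -> bytes:
    """Constructed stand-in for an executable: 'MZ', padding, DOS stub, filler."""
    return b"MZ" + b"\x90" * 62 + DOS_STUB + b"\x00" * 200

if __name__ == "__main__":
    masked = xor_bytes(build_fake_pe(), 0x95)  # what the victim's browser fetched
    key = find_xor_key(masked)
    print("recovered key:", hex(key))
    print("unmasked matches original:", unmask_if_needed(masked) == build_fake_pe())
```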
The quicktime.html (code snippet is below) contains the code used to exploit a QuickTime vulnerability (CVE-2010-1799). Discovered in August 2010, this vulnerability has been patched by Apple. The shellcode triggered by the vulnerability in the HTML page executes a trojan from hxxp://www.[removed].org:9126/qq.exe. This trojan belongs to the Hupigon family of notorious backdoor trojans from China. Here is the detection result.

The ad.html is used to exploit a Shockwave vulnerability (CVE-2010-3653), which was just discovered in October 2010 and already patched by Adobe. The page embeds a vulnerable Shockwave file and some highly obfuscated shellcode. Deobfuscation reveals that the shellcode downloads a trojan file from hxxp://www.[removed].org:9126/pdf.exe. The sample holds zero antivirus detection.



The qqq.html does not return any content at the moment, but because the server is under the cyber criminals' control, anything malicious could be added at any time.

And that's not all

In a separate attack from the injected iframe just described, the Hong Kong Amnesty International Website has also been injected directly in one of its inner directories with code that exploits the latest 0-day vulnerability in Internet Explorer (CVE-2010-3962). This vulnerability was found only a few days ago and has not yet been patched. The injected code resides at hxxp://www.amnesty.org.hk/schi/[removed]ox.html.

Here is a snippet:

Enabling Data Execution Prevention (DEP) and Protected Mode in Internet Explorer can mitigate this vulnerability.

uwang

New 0-day Vulnerability in Adobe Acrobat Reader
Posted: 08 Nov 2010 01:16 PM

A new, potentially critical vulnerability in Adobe Acrobat Reader has come to our attention at Websense Security Labs. Quick analysis shows that malicious PDF documents invoke a function call to Doc.printSeps() to take advantage of the vulnerability. Proof of concept code plants shellcode in memory using heap spraying to exploit the vulnerability.

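Added example, not from the post: a Python triage scanner that splits a PDF into objects, inflates its FlateDecode streams, and reports printSeps calls together with a crude heap-spray indicator (a long run of %uXXXX escapes). The demo PDF bytes are constructed here and are not a real sample.

```python
"""Scan a PDF for JavaScript that calls the vulnerable Doc.printSeps() method.

Added example (not from the Websense post): a lightweight triage check for a
mail gateway or incident responder. It splits the file into objects, inflates
the streams marked /FlateDecode, and reports printSeps calls plus a crude
heap-spray indicator (a long run of %uXXXX escapes). The PDF bytes at the
bottom are constructed for the demo, not a real sample.
"""
import re
import zlib

STREAM_RE = re.compile(rb"(<<.*?>>)\s*stream\r?\n(.*)\nendstream", re.S)
PRINTSEPS_RE = re.compile(rb"printSeps\s*\(")
SPRAY_RE = re.compile(rb"(?:%u[0-9a-fA-F]{4}){16,}")
JS_KEY_RE = re.compile(rb"/(JS|JavaScript)\b")

def iter_stream_bodies(pdf: bytes):
    """Yield (dictionary, decoded body) for every stream object in the file."""
    for obj in pdf.split(b"endobj"):
        match = STREAM_RE.search(obj)
        if not match:
            continue
        dictionary, body = match.group(1), match.group(2)
        if b"/FlateDecode" in dictionary:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass  # keep the raw body; it can still be searched
        yield dictionary, body

def scan_pdf(pdf: bytes) -> dict:
    """Return indicators found in the raw file and in every decoded stream."""
    result = {"javascript": False, "printSeps": False, "heap_spray": False}
    texts = [pdf] + [body for _, body in iter_stream_bodies(pdf)]
    for text in texts:
        result["javascript"] |= bool(JS_KEY_RE.search(text))
        result["printSeps"] |= bool(PRINTSEPS_RE.search(text))
        result["heap_spray"] |= bool(SPRAY_RE.search(text))
    return result

def build_demo_pdf(script: bytes) -> bytes:
    """Constructed minimal PDF that runs `script` from a Flate-compressed stream."""
    packed = zlib.compress(script)
    return (b"%PDF-1.4\n"
            b"1 0 obj<</Type/Catalog/OpenAction 2 0 R>>endobj\n"
            b"2 0 obj<</S/JavaScript/JS 3 0 R>>endobj\n"
            b"3 0 obj<</Length " + str(len(packed)).encode() +
            b"/Filter/FlateDecode>>\nstream\n" + packed + b"\nendstream\nendobj\n"
            b"%%EOF\n")

# Constructed samples: one mimicking a heap spray plus the printSeps call, one benign.
SUSPICIOUS = build_demo_pdf(
    b"var s = unescape('" + b"%u9090" * 32 + b"'); this.printSeps();")
BENIGN = build_demo_pdf(b"app.alert('hello');")

if __name__ == "__main__":
    print("suspicious:", scan_pdf(SUSPICIOUS))
    print("benign:", scan_pdf(BENIGN))
```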
Websense Security Labs is monitoring the situation, and we will update this blog post as we discover more. It is possible that malicious hackers could set up rigged Web sites or insert malicious code into legitimate, compromised sites to infect visitors. The vulnerability could be used for remote code execution, but we are still investigating these claims. Websense customers are protected by our ACE real-time analytics.

Adobe has published advice on how to avoid this vulnerability by blacklisting the vulnerable function call. The issue was unknown to the Adobe PSIRT team when Websense Security Labs informed them about it. Respecting their wish, we only disclosed the issue after their announcement. In the meantime, VUPEN also disclosed the issue.

In our test, Adobe Acrobat Reader crashed when the proof of concept document was loaded.

We will update this blog post with any interesting developments.

Update 09-Nov-2010:

The vulnerability is now registered as CVE-2010-4091 on mitre.org. Adobe also mentions the issue in security advisory APSA10-05. There is still no proof that this vulnerability has been exploited in the wild.

Tamas Rudnai

India's Popular Financial Web Site Moneycontrol.com Compromised
Posted: 08 Nov 2010 06:28 AM

Websense Security Labs™ ThreatSeeker™ Network has detected that the main Indian site of moneycontrol.com was compromised and injected with malicious code on November 6th 2010. It was cleaned up the next day.

Moneycontrol.com is India's number one financial portal. It's the official site for CNBC TV18, and it provides news, views, and analysis on the stock market and equity, commodities, personal finance, mutual funds, insurance, and loans.

Snapshot of moneycontrol.com:

Moneycontrol.com is ranked 673 in the world according to the three-month Alexa traffic rankings. The site also has attained a traffic rank of 36 among users in India, where approximately 93% of its audience is located.

The injection code:

Websense customers are being protected proactively from this type of attack by our Advanced Classification Engine (ACE).

Xue Yang

Remote Code Execution Vulnerability in Internet Explorer (CVE-2010-3962)
Posted: 03 Nov 2010 08:52 PM

A new vulnerability has been discovered in Internet Explorer that is currently being used in limited attacks. Websense Security Labs is monitoring the situation and will update this blog post as we discover more. Malicious hackers could set up rigged Web sites or insert malicious code into legitimate, compromised sites to infect visitors. This vulnerability could be used for remote code execution. Websense customers are protected by our real-time analytics in ACE.

Enabling DEP and Protected Mode in Internet Explorer can mitigate this vulnerability.

For more information see: Microsoft Security Advisory (2458511), CVE-2010-3962, US-CERT advisory

Jay Liew
