Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Latest Blog Posts

(November 2010) Posts

Facebook scam in the wild: "1 year old girl who carries twin sister inside belly"

Posted: 17 Nov 2010 09:04 PM | Jay Liew | no comments


The Websense ThreatSeeker Network has detected a bad URL quickly spreading through Facebook today. Our customers were protected proactively against this threat by ACE, our Advanced Classification Engine. This is a classic social-engineering attack. The lure is a Facebook wall post enticing users to click a link. The link leads to a Web site that asks for permission to post on behalf of the victim on other Facebook pages; once that permission is granted, the scam propagates virally by posting itself on every page the user has 'liked'. The scam depends entirely on the victim approving that permission prompt, which is why it spreads so quickly. Always be cautious when clicking links inside Facebook. In addition, if you have signed up for Websense's Facebook app, we can automatically delete such posts for you, or you can opt to receive an email notification that looks like this:

Instant Previews: A Pawn for Malicious Intent

Posted: 17 Nov 2010 06:08 PM | Mary Grace Timcang | no comments


Ever noticed a magnifying glass next to your Google search results lately? It is a new service that Google launched last week called Instant Previews. It lets users see what a page looks like before visiting it, by hovering over or clicking the magnifying glass next to a search result. Simple? Yes. Secure? Not so much. Our research shows that the images shown in Instant Previews are not updated as frequently as one might assume, and a preview only reflects what Google's crawler saw when it last fetched the page, not what a visitor's browser will be served. We therefore don't think this feature helps users much in judging whether a link is malicious. Websense customers are protected from this attack by our ACE real-time analytics. We reported some Black Hat SEO'd websites from searches relating to Prince William's engagement yesterday. Using Google's Instant Preview on the malicious search results may lead users into believing that the links they're clicking on are safe when in fact they're not. Take the picture above for example. Instant Preview returns a very legitimate-looking page, complete with pictures and relevant words. To unsuspecting eyes, it looks clean. When the user actually clicks the link, however, they are redirected to the fake Firefox Update page. This tactic is also evident in Black Friday related search results. Other images that malware pushers end up with in Instant Previews are the standard Google search page and a plain "Preview not available."

Attackers using Prince William engagement for attacks

Posted: 16 Nov 2010 11:19 PM | Patrik Runald | no comments


It didn't take long for attackers to take advantage of the big news that Prince William and Kate Middleton are getting married. As we have explained before, attackers have the process down to a science: they monitor breaking news, trending topics and buzz words, then automatically manipulate search results based on what's happening in the world. Websense customers are protected against this attack through our Advanced Classification Engine. As we discussed in our 2010 Threat Report, searching for news and buzz words is now more dangerous than searching for adult content, with approximately 22.4% of all searches for current news leading to malicious search results. And that's within the top 100 results! The result of clicking one of the malicious links is exactly the same as with last week's Veteran's Day scams. As always, go to reputable sites when looking for news rather than relying on random searches.

This Month in the Threat Webscape - October 2010

Posted: 12 Nov 2010 07:30 PM | Jay Liew | no comments


Month of October 2010

Major Hits

Websense Security Labs discovered that the official Web site of the Nobel Peace Prize was compromised by malicious hackers. The hackers inserted code that infects visitors using Mozilla Firefox. This zero-day vulnerability (CVE-2010-3765) has since been patched.

The exploitation of vulnerabilities in Java has spiked dramatically, as brought to light by Holly Stewart of the Microsoft Malware Protection Center (see chart below). The attacks can largely be attributed to three vulnerabilities:

- CVE-2008-5353: 3,560,669 attacks on 1,196,480 computers. A deserialization issue in vulnerable versions of the JRE (Java Runtime Environment) allows remote code execution through Java-enabled browsers on multiple platforms, such as Microsoft Windows, Linux, and Apple Mac OS X.
- CVE-2009-3867: 2,638,311 attacks on 1,119,191 computers. Another multi-platform remote code execution issue, caused by improper parsing of long file:// URL arguments.
- CVE-2010-0094: 213,502 attacks on 173,123 computers. Another deserialization issue, very similar to CVE-2008-5353.

(Image and stats from Microsoft)

Web 2 dot uh oh

The Web site of the popular, and perhaps most-used, Facebook API Open Graph, opengraphprotocol.org, was compromised, leading users to a standard Rogue AV landing page. The same malcode was seen on every single page of the Web site.

Lindsay Lohan was the celebrity decoy of October's social engineering scheme. Fake Facebook invites enticed users to view sex tapes of the controversial actress. The links included in the invitations led to a typical survey spam page at the time.

Towards the end of the month, a cross-platform Facebook worm that mimics some Koobface qualities heated up the information security sphere. Facebook users received messages with links to a video. This worm, known as Boonana, lured users into installing a Java applet when the link enclosed in the message was clicked. Once users allowed the installation, other malicious components were downloaded. A closer look at the Boonana code sparked further interest since it contained code indicating that it was targeting Mac OS X.

A new zero-day vulnerability (CVE-2010-3654) was discovered in Adobe Flash Player at the end of October. The vulnerability caused a crash and potentially allowed an attacker to take control of the affected system. A PDF file with an embedded Flash object exploited this vulnerability. Another zero-day vulnerability (CVE-2010-3653) was found in Adobe Shockwave Player; a remote attacker could exploit it to execute arbitrary code or cause a denial of service via a Director movie with a crafted rcsl chunk. Exploit code for it has been published. Adobe also released a new mega patch for Adobe Reader, fixing 23 security holes. Mozilla released 9 bulletins in the middle of October, including 5 critical updates. The Nobel Peace Prize's Web site was compromised, a 0-day vulnerability (CVE-2010-3765) in Firefox was...

Veteran's Day spurs Poisoned Search

Posted: 10 Nov 2010 11:58 PM | Mary Grace Timcang | no comments


Today is Veteran's Day, and as with any other holiday, black hat SEO and spam emails have been visible since Monday this week. Websense customers are protected against this attack through our Advanced Classification Engine. Search terms like veteran's day, veteran's day 2010, veteran's day events, veteran's day california and veteran's day honolulu return poisoned web results. Earlier this week, the code found on the infected site was reminiscent of last week's Midterm Elections attack. In fact, the websites used in the Midterm Elections black hat SEO are the same ones used for the Veteran's Day black hat SEO. At the time, the redirection was not working, although the URL it specified was an active rogue AV site. As you can see below, the election terms have been replaced by Veteran's Day related search terms. Today, the poisoned results' redirection pages are up and running. If the user is using Firefox, they are redirected to a fake Firefox update page prompting them to download a file called firefox-update.exe, detected by 13/40 VirusTotal engines. Internet Explorer users are redirected to the ever so familiar Rogue AV page. The only noticeable difference is that the rogue AV installer is not available for download; clicking the "Remove all" button only prompts a warning box. There is more than one way to find something on the web, and so the malware pushers also poisoned image search results. Unlike the poisoned web search results, the poisoned image results have been active since Monday. The payload is browser-dependent today as well, although last Monday it was serving up rogue AV regardless of the browser. Finally, spammers want their share of the pie too: the results under videos return a slew of adult content, in addition to the spam emails they have been distributing since last week. 
To conclude, we have seen how business-minded malware pushers are: one set of code used in two different events. As always, be cautious when clicking search results. The "This site may harm your computer." warning is not always there to save the day, especially in video and image search results. Keep in mind, too, that malware pushers are diversifying their portfolio by including poisoned image search results more and more. UPDATE: We are also seeing the same attack on search terms related to today's UK Remembrance Day. Do be cautious when searching for holocaust remembrance day 2010 and remembrance day 2010.

Amnesty International Hong Kong Website Injected With Latest Internet Explorer 0-day

Posted: 10 Nov 2010 06:36 AM | uwang | no comments


Websense Security Labs™ ThreatSeeker™ Network has detected that the Hong Kong Web site of the human rights organization Amnesty International has been compromised by multiple exploits, including the most recent Microsoft Internet Explorer 0-day. In one attack, an iframe has been injected into the index page, resulting in a quiet redirection of any visitor to an exploit server controlled by the cyber criminals. Websense customers are protected from this exploit by our ACE real-time analytics. The exploit server is hosted in the United States. It combines several recent vulnerabilities in Adobe Flash, Adobe Shockwave, Apple QuickTime, and Internet Explorer. Every URL in the picture above hosts an exploit. Let's analyze each one:

index.htm (code snippet below) hosts malcode that exploits a Flash vulnerability (CVE-2010-2884). This vulnerability, discovered in September 2010, has already been patched by Adobe. The vulnerable SWF file triggers the embedded shellcode to download a malicious executable from hxxp://www.[removed].org:9126/hha.exe. Because some of the bytes in the file have been XORed with 0x95, the detection rate is very low (2/43).

quicktime.html (code snippet below) contains the code used to exploit a QuickTime vulnerability (CVE-2010-1799). Discovered in August 2010, this vulnerability has been patched by Apple. The shellcode triggered by the vulnerability in the HTML page executes a trojan from hxxp://www.[removed].org:9126/qq.exe. This trojan belongs to the Hupigon family of notorious backdoor trojans from China. Here is the detection result.

ad.html exploits a Shockwave vulnerability (CVE-2010-3653), which was discovered only in October 2010 and has already been patched by Adobe. The page embeds a vulnerable Shockwave file and some highly obfuscated shellcode. Deobfuscation reveals that the shellcode downloads a trojan from hxxp://www.[removed].org:9126/pdf.exe. The sample had zero antivirus detections at the time. Note that all three payloads are fetched from the same host on the nonstandard port 9126, which makes a convenient indicator for blocking at the proxy or firewall.

qqq.html does not return any content at the moment, but because the server is under the cyber criminals' control, anything malicious could be added at any time. 
And that's not all. In a separate attack from the injected iframe just described, the Hong Kong Amnesty International Web site has also been injected directly, in one of its inner directories, with code that exploits the latest 0-day vulnerability in Internet Explorer (CVE-2010-3962). This vulnerability was found only a few days ago and has not yet been patched. The injected code resides at hxxp://www.amnesty.org.hk/schi/[removed]ox.html. Here is a snippet: Enabling Data Execution Prevention (DEP) and Protected Mode in Internet Explorer can mitigate this vulnerability.
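The low antivirus detection rate of the XORed hha.exe download above is a common trick: a single-byte XOR breaks static signatures but is trivial to undo. As an added example (not part of the Websense post, and not Websense code), the Python below brute-forces a single-byte XOR key by looking for the PE "MZ" signature and the DOS stub text that every Windows executable carries. The sample bytes are constructed for the demo, no real malware is used, and it assumes the whole file was XORed with one key, whereas the post says only some bytes were.

```python
# Added example (not from the Websense post): recover a single-byte XOR key from an
# "encoded" executable download like the hha.exe described above. The sample bytes are
# constructed for the demo; no real malware is used, and the whole file is assumed to
# be XORed with one key (the post says only some bytes were).
from typing import Optional

# Every Windows PE starts with the "MZ" signature and carries the DOS stub text.
# A single-byte XOR cannot hide these from a 256-key search.
MZ_SIG = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode."


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; encoding and decoding are the same operation."""
    return bytes(b ^ key for b in data)


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Try all 256 keys and return the one that reveals a PE header, else None."""
    for key in range(256):
        if xor_bytes(blob[:2], key) != MZ_SIG:
            continue                          # cheap check on the two header bytes first
        if DOS_STUB in xor_bytes(blob[:512], key):
            return key                        # both signatures line up: confident hit
    return None


def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE header: signature, header area, DOS stub, filler."""
    header = bytearray(MZ_SIG + b"\x90\x00\x03\x00" + b"\x00" * 58)
    header += b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"  # DOS stub code
    header += DOS_STUB + b"\r\r\n$\x00"
    header += bytes(range(256))               # filler so every byte value is exercised
    return bytes(header)


def demo(key: int = 0x95):
    """Encode a fake PE with `key`, recover the key blind, and verify the round trip."""
    original = build_fake_pe()
    encoded = xor_bytes(original, key)
    found = recover_xor_key(encoded)
    ok = found is not None and xor_bytes(encoded, found) == original
    return found, ok


if __name__ == "__main__":
    found, ok = demo()
    print(f"recovered key: {found:#04x}, round trip ok: {ok}")
```

The "MZ" pre-check makes the search cheap, and requiring the DOS stub text as well avoids false hits on blobs that merely happen to start with two matching bytes. A key of 0x00 is reported for an unencoded file, which is a useful sanity check before assuming the sample is obfuscated at all.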

New 0-day Vulnerability in Adobe Acrobat Reader

Posted: 08 Nov 2010 01:16 PM | Tamas Rudnai | 1 comment(s)


A new, potentially critical vulnerability in Adobe Acrobat Reader has come to our attention at Websense Security Labs. Quick analysis shows that malicious PDF documents invoke a call to Doc.printSeps() to take advantage of the vulnerability. Proof-of-concept code plants shellcode in memory using heap spraying to exploit it. Websense Security Labs is monitoring the situation, and we will update this blog post as we discover more. Malicious hackers could set up rigged Web sites or insert malicious code into legitimate, compromised sites to infect visitors. The vulnerability could be used for remote code execution, but we are still investigating these claims. Websense customers are protected by our ACE real-time analytics. Adobe has published advice on mitigating this vulnerability by blacklisting the vulnerable function call. The issue was unknown to the Adobe PSIRT team when Websense Security Labs informed them about it; respecting their wish, we only disclosed the issue after their announcement. In the meantime, VUPEN also disclosed the issue. In our test, Adobe Acrobat Reader crashed when the proof-of-concept document was loaded. We will update this blog post with any interesting developments. Update 09-Nov-2010: The vulnerability is now registered as CVE-2010-4091 on mitre.org. Adobe also mentions the issue in security advisory APSA10-05. There is still no evidence that this vulnerability has been exploited in the wild.
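Since the proof-of-concept documents are identified by their call to Doc.printSeps(), a quick triage check is to inflate a PDF's compressed streams and look for that call. The Python below is an added example, not from the Websense post and not Adobe's or Websense's code: it decompresses FlateDecode streams and searches for a literal printSeps( call. The PDFs it scans are constructed in memory (the minimal object layout and the JavaScript bodies are assumptions for the demo), and it assumes a single-filter Flate stream written with LF line endings.

```python
# Added example (not from the Websense post or from Adobe): a triage scanner that
# inflates FlateDecode streams in a PDF and looks for a literal printSeps() call.
# The PDFs are constructed in memory for the demo; no real sample is used.
import re
import zlib

# A stream whose dictionary names /FlateDecode as the (single) filter. The builder
# below writes "\nendstream" with LF only, which this pattern relies on.
FLATE_STREAM_RE = re.compile(
    rb"(/FlateDecode[^>]*>>\s*stream\r?\n)(.*?)(\nendstream)", re.DOTALL)
PRINTSEPS_RE = re.compile(rb"printSeps\s*\(")


def inflate_streams(pdf: bytes) -> bytes:
    """Return the PDF with every Flate stream body replaced by its decompressed content."""
    def repl(m):
        try:
            body = zlib.decompress(m.group(2))
        except zlib.error:
            body = m.group(2)      # corrupt or multi-filter stream: leave it untouched
        return m.group(1) + body + m.group(3)
    return FLATE_STREAM_RE.sub(repl, pdf)


def find_printseps(pdf: bytes) -> list:
    """Return short context snippets around each printSeps( call in the inflated PDF."""
    text = inflate_streams(pdf)
    return [text[max(0, m.start() - 32):m.end()] for m in PRINTSEPS_RE.finditer(text)]


def calls_printseps(pdf: bytes) -> bool:
    return bool(find_printseps(pdf))


def build_pdf(js: bytes) -> bytes:
    """Minimal constructed PDF whose /OpenAction runs `js` from a Flate-compressed stream."""
    compressed = zlib.compress(js)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< /S /JavaScript /JS 5 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(compressed)
        + compressed + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objects, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    bad = build_pdf(b"this.printSeps();")        # constructed: calls the vulnerable method
    good = build_pdf(b"app.alert('hello');")     # constructed: harmless document JS
    print("malicious:", calls_printseps(bad), find_printseps(bad))
    print("benign:", calls_printseps(good))
```

A literal match is only a first pass: attackers routinely hide the method name behind string concatenation or eval, use other stream filters, or tuck the script into an object stream, so a real triage pipeline should extract the JavaScript with a proper PDF parser (Didier Stevens' pdf-parser, for instance) before matching. The point here is that compressed streams have to be inflated before any such string check means anything.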

India's Popular Financial Web Site Moneycontrol.com Compromised

Posted: 08 Nov 2010 06:28 AM | Xue Yang | no comments


Websense Security Labs™ ThreatSeeker™ Network has detected that the main Indian site of moneycontrol.com was compromised and injected with malicious code on November 6th, 2010. It was cleaned up the next day. Moneycontrol.com is India's number one financial portal. It is the official site of CNBC TV18, and it provides news, views and analysis on the stock market and equities, commodities, personal finance, mutual funds, insurance and loans.

Snapshot of moneycontrol.com:

Moneycontrol.com is ranked 673 in the world according to the three-month Alexa traffic rankings. The site has also attained a traffic rank of 36 among users in India, where approximately 93% of its audience is located.

The injection code:

Websense customers are being protected proactively from this type of attack by our Advanced Classification Engine (ACE).

Remote Code Execution Vulnerability in Internet Explorer (CVE-2010-3962)

Posted: 03 Nov 2010 08:52 PM | Jay Liew | 1 comment(s)


A new vulnerability has been discovered in Internet Explorer that is currently being used in limited attacks. Websense Security Labs is monitoring the situation and will update this blog post as we discover more. Malicious hackers could set up rigged Web sites or insert malicious code into legitimate, compromised sites to infect visitors. This vulnerability could be used for remote code execution. Websense customers are protected by our real-time analytics in ACE. Enabling DEP and Protected Mode in Internet Explorer can mitigate this vulnerability. For more information see Microsoft Security Advisory (2458511), CVE-2010-3962, and the US-CERT advisory.
