Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Latest Blog Posts


(December 2010) Posts

In 2011, this exploit kit won't work

Posted: 30 Dec 2010 10:30 AM | Chris Astacio | 1 comment(s)

And some Web sites will be a lot safer! While reviewing incidents and deobfuscating a Web site today, I discovered an installation of a particular exploit kit that won't work after New Year's Eve.  The site I found caught my attention because the code simply looks like garbage.  As the saying goes, "One man's trash is another man's treasure."  So I started digging into the obfuscation of the code and found something that I thought would be topical considering today's date.  The code in this exploit kit will actually expire at midnight on New Year's Eve local time!  In this post, I'll cover how I came across this and show you how and why the exploit kit installations will expire.


Here is a screen shot of the code in the original state as I found it:




Installation Protection Mechanisms of Phoenix Exploit's Kit

Posted: 27 Dec 2010 12:00 PM | Chris Astacio | 2 comment(s)

As part of my research within Websense Security Labs, I collaborate with a group of researchers tasked with profiling exploit kits.  This helps us refine the analytics used in ACE, our Advanced Classification Engine.  In this post I want to cover the installation of Phoenix Exploit's Kit.  I'm not going to tell you how to install and use it, but I will cover some of the more interesting aspects of installation.  Specifically, I want to cover how the developers protect their code from being reverse engineered and how the developers have attempted to keep researchers from poking around in installed kits. 




This Month in the Threat Webscape - November 2010

Posted: 13 Dec 2010 06:32 PM | Jay Liew | no comments

Month of November Major Hits

Amnesty International's Web site in Hong Kong was compromised and was attempting to infect its visitors using various exploits for Adobe Flash, Adobe Shockwave, Apple Quicktime, and even the latest zero-day for Internet Explorer. In other parts of Asia, India's number 1 financial portal (moneycontrol.com) was also compromised and injected with a malicious iframe. Malicious hackers capitalized on important local and global events, such as midterm elections (US), Veteran's Day (US), and Prince William's engagement (UK), to infect more Web users via poisoned search engine results. This scam is of the usual garden variety: fake antivirus Web sites, or sites offering fake Adobe updates and fake Firefox updates, which prompt a user to download an .exe file that is really malware.

Web 2 dot uh oh

Google recently launched "Google Instant Previews," a new service that aims to give Google-rs a bird's eye view of what the site they are about to visit looks like. This service should initially protect users against unwanted content, but our research proves that it could mislead users when snapshots used in the service are not as current as assumed.

Social engineering is the game in Facebook this month. Our Defensio Facebook App spotted scam wall posts containing a link that attempts to post on the victim's behalf. Phishing messages claiming to be from Facebook Security warn that a user account will be deactivated unless it's reconfirmed. The phishing page itself is either loaded from within Facebook via iframe or redirected from the link provided in the message.

Browser and friends

Adobe released a security update for Adobe Flash Player in early November. Eighteen security holes have been patched, including vulnerability CVE-2010-3654, which is a zero-day vulnerability in the wild found in October.

Another zero-day vulnerability (CVE-2010-4091) has been identified in Adobe Reader 9.4 (and earlier versions) and Adobe Acrobat 9.4 (and earlier versions). A proof of concept has been published that it could lead to a Denial of Service, although that has not been demonstrated. Arbitrary code execution may be possible. Adobe patched the hole in 2 weeks; the security update is here.

A vulnerability in Shockwave Player has been discovered. Successful exploitation allows the execution of arbitrary code, but a user must be tricked into opening the "Shockwave Settings" window when viewing a Web page.

Google patched several high-risk vulnerabilities in Chrome 7.0.517.44. A $7500 award was paid out of Google's new vulnerability reward program.

A Denial of Service vulnerability has been found in Firefox 3.6.12. The proof of concept is published here.

The recent security update for Safari 5.0.3 and 4.1.3 contains 27 patched vulnerabilities. More than 40 vulnerabilities have been patched in iOS 4.2. Click here for details.

Microsoft

This month's round of "Black Tuesday" Microsoft...

