Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.


(April 2011) Posts

SOURCE Boston 2011 Conference RECAP

Posted: 27 Apr 2011 05:46 PM | Anonymous | no comments


I returned this past weekend from SOURCE Boston, where I presented the new features and architecture of Fireshark v2. I have had the opportunity to speak at many conferences before, but this was my first time doing so in my university town of Boston (Northeastern), and my first time speaking at SOURCE. SOURCE has conference locations in Seattle, Barcelona, and Boston, and attempts to bring security experts together to create a very positive mix of business needs and technology expertise. Boston is a bustling city with a number of technology companies and top universities. The location alone is worth the visit.

That aside, I was impressed with some of the presentations I saw. Here are a few worth mentioning, which are available online at http://www.sourceconference.com/boston/speakers_2011.asp :

- On The Use of Prediction Markets in Information Security - Dan Geer, Alex Hutton, Greg Shannon
- The Exploit Intelligence Project - Dan Guido, iSEC Partners (great talk!)
- Incursion - From Internet To SCADA, Critical Systems Compromise Case Studies in Pictures - Val Smith, Attack Research, and Chris, SecureDNA
- Fuel for pwnage: Exploit kits - Vicente Diaz and Jorge Mieres, Kaspersky Lab
- Reverse Engineering Flash Files with SWFREtools - Sebastian Porst (Flash analysis tool released!)
- Reversing Obfuscation - Adam Meyers, SRA International
- Streamline Incident Types for Efficient Incident Response - Predrag Zivic and Mike Lecky, Canadian Tire (really interesting talk on identify tracking)
- Network Stream Hacking with Mallory - Raj Umadas, Jeremy Allen, The Intrepidus Group (Mallory is a tool worth checking out!)
- Adding another level of hell to reverse engineering - Ben Agre, Raytheon (something that we as reverse engineers will have to become accustomed to more and more: used junk code!)

And finally, my presentation: Fireshark v2 - An Analysis Toolkit for Malicious Web Sites - Stephan Chenette, Principal Security Researcher, Websense Labs (to be publicly available on or before May 5).

(Figure 1: Stephan Chenette introducing Fireshark v2, an analysis tool kit for malicious websites)

I want to thank Stacy Thayer, SOURCE founder, the SOURCE advisory board and all attendees.

(Figure 2: SOURCE founder, Stacy Thayer)


Malicious E-Cards on the prowl

Posted: 26 Apr 2011 09:14 PM | Mary Grace Timcang | no comments


Emails disguised as electronic cards have been used as bait over and over again for malicious intent. The fact that they are overused is a clear indicator that this lure indeed works. Websense Security Labs™ and the Websense ThreatSeeker® Network recently came across an e-card themed email. Our customers are protected from this threat by ACE, our Advanced Classification Engine.

Let us first look at the sample email. The URLs used in the emails point either to compromised sites or to domains that were created barely two weeks ago.

Screen shot 1: Sample email that the Websense Email Threat Team got hold of recently

Clicking the URL within the email directs you to a site containing obfuscated code similar to the one shown in Screen shot 2. This code then creates an iframe containing another URL, which you can see in Screen shot 3.

Screen shot 2: Obfuscated code of the URL that came with the email

Screen shot 3: Deobfuscated code of the URL from the email

The content of the URL specified in the iframe contains another obfuscated script. This script, which uses redirection code strikingly similar to the one covered in our recent blog, in turn drops the exploit code and runs a rogue AV on the victim's machine.

Screen shot 4: Code snippet of the URL specified in the iframe used in redirection

Having the victim click on the link and then download an executable is usually the norm in this type of attack. In this case, however, victims are exploited, and malware is downloaded and executed, simply by clicking the URL link that came with the email.

Screen shot 5: Snapshot of the malicious website used in the email

Websense Email Security and Websense Web Security protect against these kinds of blended attacks.


Google Image Poisoning Leads to Exploit

Posted: 21 Apr 2011 09:12 AM | Xue Yang | 1 comment(s)


Google search results have traditionally been the target of black hat SEO campaigns. Websense® Security Labs™ has identified a new trend in which cyber criminals take advantage of Google Image search rankings to spread malware. The Websense Security Labs ThreatSeeker® network has detected that Google Image search returns poisoned pictures when searching for the celebrity child "Presley Walker". We first found on Monday that all the image search results took users to a notorious exploit kit, Neosploit. Later, it changed to redirecting users to rogue AV sites. As we publish this blog, the search results are still poisoned and are leading to Neosploit again. Websense customers are protected from both types of attack by ACE, our Advanced Classification Engine.

The search results for "Presley Walker" through Google Image:

Let's take a look at the first attack case. When a user clicks one of the pictures on the top line, the user is redirected to a Neosploit exploit page. Below is one of the redirection chains used by this exploit kit:

From the chain, we see that the third URL is the malicious site holding the exploit code. We found that all the exploit sites are hosted on the same IP, 66.235.180.91, and, interestingly, they were all constructed with the same path named TF19, which looks like a pattern of this campaign. Finally, the kit triggers the vulnerabilities appropriate to the user's operating system and browser. From the chain above we see that it downloaded a PDF file targeting three Adobe Reader vulnerabilities. This PDF file is heavily obfuscated and has a relatively low VirusTotal detection rate.

The list of URLs hosted on the IP, as shown by our ThreatSeeker network:

Neosploit is a well-known exploit kit on the black market. The authors reportedly stopped supporting and updating the exploit kit due to financial problems, but variants of Neosploit have been updated frequently. The variants may contain MDAC (CVE-2006-0003), ActiveX (CVE-2008-2463, CVE-2008-1898), and three Adobe Reader (Collab.getIcon, Util.Printf, Collab.collectEmailInfo) vulnerabilities, among others.

The second case is one of the common tricks black hat SEO campaigns always use: luring users into downloading fake antivirus software, here called InstallInternetProtectionXXX.exe. According to the VirusTotal scan result, only 20% of antivirus engines detected this malware.

The rogue AV page when using Firefox to surf the Web:


Facebook scam "My Top 10 stalkers" targets users in specific countries

Posted: 19 Apr 2011 07:08 PM | Anonymous | no comments


A new spam campaign, similar to campaigns we have seen in the past, is spreading on Facebook. This one, however, has some interesting twists to it. The core of the campaign is a Facebook app that claims to know who your "Top 10 stalkers" are. Our customers are protected from this campaign by ACE, our Advanced Classification Engine.

It works by creating an album, “My Top 10 stalkers”, with the description "Check who views your profile @," followed by a bit.ly URL-shortened link. It then automatically uploads a photo to the app and tries to tag all the user's friends in the photo.

The bit.ly link redirects the user to a page that uses JavaScript to determine the geographical location of the computer based on its IP address. Depending on the location, the page then redirects users located in specific targeted countries to the Facebook app in an attempt to further spread the infected link. The campaign is targeted at Facebook users in the United States, Canada, the United Kingdom (including a specific target for Great Britain), Saudi Arabia, Norway, Germany, Spain, Slovenia, Ireland, and the United Arab Emirates.

At the time of writing, the hackers have switched to using a new app. The first illegitimate app was deleted by the Facebook security team. Both apps use exactly the same mechanism to post spam profile messages on Facebook.

Whether or not the JavaScript redirects the browser to the Facebook app based on its location, all users are ultimately redirected to a scam page that tries to lure them into completing several fake surveys. Hackers use this method to try to collect personal information such as the user's home address, e-mail address, or phone number. If the user tries to navigate away from the page or close the browser, a message appears asking them to stay and complete a "SPAM-free market research survey to gain access to this special content." Special it may sound, but it is definitely not spam-free!

As always, if a page forces you to Like, Share, or install an application in order to view it, DON'T DO IT! Chances are, it's spam. Install Defensio, our free security app for Facebook, to prevent scams like this from ever appearing in your news feed.


Mass Injections Leading to g01pack Exploit Kit

Posted: 19 Apr 2011 01:07 AM | Chris Astacio | 1 comment(s)


Our ThreatSeeker® Network is constantly on the lookout to protect our customers from malicious attacks.  Recently it has detected a new injection attack which leads to an obscure web attack kit.  The injection has three phases which will be covered in this blog post. Websense customers are protected from this attack by ACE, our Advanced Classification Engine.

...


Boxes of Money !

Posted: 15 Apr 2011 02:27 AM | John Smith | no comments


Phishing and 419 scams have been around for a while now. However, sometimes they never cease to amaze when it comes to their tactics. We caught this most recent one in one of our Honeypots and thought we would share due to the “over-the-top” images sent.

 

Also note the horrific markup of the passport. 

 

-----------------------------------------------------------------------------

 

Email sent from: usermail.uni-ak.ac.at ([193.170.136.34])

Email Subject: urgent response

Email body:

Apologies for having to reach out to you like this, my name is Gideon Kerkula am from Liberia, I and my mother just arrived with 2 inherited trunk boxes which our late father kept in our under ground flat

...


This Month in the Threat Webscape - March 2011

Posted: 13 Apr 2011 02:12 PM | Ivan Sabo | 1 comment(s)


Major hits

March 17 of this year will be remembered very well for a long time; in fact, we should celebrate it as BreachID Day from now on. RSA’s Executive Chairman Art Coviello wrote an open letter giving a short background on the breach, which happened in their own “kitchen”, describing it as an “extremely sophisticated cyber attack” that put their SecurID product at risk. Even though the breach probably did not disclose any very sensitive data, it pointed out just how fragile security is.

Popular streaming service Spotify got compromised via third-party ads that served malicious content to all free users. Seems like free does come at a price after all.

Comodo, a certificate vendor, informed us that nine bogus SSL certificates had been issued for several top Alexa domains. The certificates were revoked immediately, that is, once Comodo found out what had been going on. However, it then happened again for two more certificates, and again; in fact, who knows what else?

Are you using TripAdvisor when planning your holidays? You really should expect more spam in the future. The company announced a breach in which all members' data was lost. Fortunately, no credit card details, at least this time.

...


One more Adobe 0-day vulnerability using Office files

Posted: 11 Apr 2011 04:44 PM | Patrik Runald | no comments


Today Adobe announced a new 0-day vulnerability (CVE-2011-0611) in Adobe Flash Player and Adobe Acrobat that, similar to the previous 0-day from less than a month ago, was found embedded in a Microsoft Office file. The vulnerability allows an attacker to execute malicious code on a computer and has been spotted in limited targeted attacks. Websense customers are protected against the known samples that use this vulnerability.

Adobe says in their security advisory that Adobe Acrobat Reader X and its new Sandbox feature prevent the attack from exploiting the system when using PDF files. However, since the vulnerability exists in Flash, a machine can be exploited through other formats and applications that support Flash, such as Web pages and Office documents.

The vulnerability has only been seen used in very limited targeted attacks. Here is a VirusTotal report (1/43) of one reported attack file.

Adobe hasn't announced when they will release a patched version of Adobe Flash and Adobe Reader/Acrobat, but they did say that they won't fix this until June 14 in Adobe Reader X, as the Sandbox feature prevents the attack.


"The Hottest & Funniest Golf Course Video" scam has more than 200,000 likes on Facebook

Posted: 09 Apr 2011 05:53 PM | Patrik Runald | no comments


Right now there's a scam making its way across Facebook linking to a video titled "The Hottest & Funniest Golf Course Video - LOL" (example screen shot below). Websense customers are protected by ACE, our Advanced Classification Engine. During the 15 minutes it took to write this post, over 7,000 new users liked the page, so it's clear this is a successful campaign.

This latest scam is very much like a lot of others we see on a regular basis on the world's most popular social networking site. But this one seems to be especially popular for some reason. When clicking on the link you're taken to the following page, which tricks you into not only liking the page but also sharing it with your friends. It does this by using standard Facebook APIs.

The page that you are tricked into liking has been liked by over 272,000 users and doesn't really have anything to do with the scam itself, but is perhaps there to make it look more legitimate. The quote "<name>, are you scared? Of course I'm scared. I'm not Superman" is a quote by the actor Jackie Chan.

After liking and sharing the page, and attempting to view the video, the user is taken to a typical CPA survey scam, so in the end there's no video at all. Note that the attackers haven't even bothered to change the title of the last payload site. The title still says "Look What Happens When a Father Catches her Daughter on Webcam", which is another scam that went around Facebook months ago.

As always, if a video forces you to like, share, or install an app to view it, DON'T DO IT! And of course, install Defensio, our free security app for Facebook. It will keep scams like this from ever appearing in your news feed in the first place.
