January 2012 Posts

3-2-1 Wordpress vulnerability leads to possible new exploit kit
Posted: 30 Jan 2012 02:30 PM

 

This past weekend one compromised Web site in particular caught my attention. Based on my analysis, the site was compromised because it was running an old version of WordPress (3.2.1) that is vulnerable to publicly available exploits [1] [2]. The injection into the Web site itself is only somewhat interesting. What is more interesting is the redirection chain and the resulting exploit site, which might be a new or updated exploit kit to watch out for.

 

* Update 2012/02/06: After obtaining access to logs and PHP files from compromised Web servers, further analysis indicates that most of the compromised Web sites were running older versions of WordPress, but they were not all running 3.2.1. The attackers’ exact point of entry is uncertain. At first, we suspected vulnerable WordPress plugins, because a subset of analyzed sites were running vulnerable versions of the same WordPress plugins. Now that we have access to data from several compromised Web servers, the logs show us that, in some cases, the point of entry was compromised FTP credentials. In several instances, once attackers had access, they scanned WordPress directories and injected specific files (e.g., index.php and wp-blog-header.php) with malicious PHP code.

 

Our research indicates that whoever is behind the injection has infected other sites. From our analysis the number of infections is growing steadily (100+). 

 

The Injection

The site was injected with the following code segment:

 

The code above (shown in the original screenshot) applies a simple substitution cipher as its obfuscation; decoded, it produces the following code:

 

 

The code above instructs the Web browser to write an iframe to the document of the Web page:

 

Once the iframe is written into the Web page, the browser silently connects to the malicious site, which downloads content to the user's machine without the user's permission or knowledge. The malicious site serves a page that we assume belongs to the Incognito exploit kit, because one of Incognito's characteristics is that it uses showthread.php as the filename of the page that serves exploits. We are still not certain whether this is Incognito 2.0 or a completely unknown exploit kit. Most kits, Incognito included, fingerprint the user's browser and/or OS type and version and serve various exploits accordingly, e.g. PDF exploits or browser-specific bugs. This exploit kit, however, appears to serve only the Java exploit below:


New or Updated Exploit Kit?

The Java exploit being served targets CVE-2011-3544 (Oracle Java Applet Rhino Script Engine Remote Code Execution), which most exploit kits adopted in December 2011 because it is cross-platform: it exploits a design flaw rather than a memory-corruption bug, so it works on any OS that runs a vulnerable JRE and needs no platform-specific payload. Normally kits use a variety of exploits, but as the screenshot below shows, regardless of which OS or browser we used for testing, this exploit kit attempted to exploit ONLY our Java Runtime Environment (JRE). It did not attempt any other exploit.

 

Exploit and Dropped Malware

The Java exploit used isn't a traditional buffer overflow; it takes advantage of a design flaw in Rhino, the JavaScript engine bundled with the JRE, which Java applets can reach through the javax.script API.

An attacker bypasses the Rhino scripting engine's sandbox by supplying a malicious JavaScript Error object: Rhino handles that error inside a privileged context, so the attacker-controlled code runs with elevated privileges and disables the Java Security Manager. Once the Security Manager is disabled, the applet can execute arbitrary code with full permissions.


If the user isn't patched and is therefore vulnerable to CVE-2011-3544 (see patch details here), two Java files (VirusTotal links [1] [2]) drop TDSS (VirusTotal link [1] = 9/43 detections at the time of analysis). TDSS is one of the stealthiest rootkits in the wild; its goal is to take total control of infected PCs and use them as zombies in its botnet.
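The practical question for a defender is whether a given JRE is past the fix for CVE-2011-3544. As an added example (not code from the original post), the script below parses a `java -version` banner and compares it against the releases in which Oracle shipped the fix in its October 2011 Critical Patch Update, Java SE 6 Update 29 and Java SE 7 Update 1. The sample banners are constructed, and the `check_local_jre` helper simply runs whatever `java` is on the PATH.

```python
# Added example, not from the original post: check whether a reported Java
# version is still exposed to CVE-2011-3544. The cut-off points are the releases
# in which Oracle shipped the fix (Java SE 6 Update 29 and Java SE 7 Update 1,
# October 2011 Critical Patch Update); the version banners below are constructed
# samples, not collected data.
import re
import subprocess

# First fixed update per affected major version (Java 6 and Java 7 were the
# affected lines; anything else is outside the scope of this check).
FIXED_UPDATE = {6: 29, 7: 1}

# Matches banners such as: java version "1.6.0_26"  or  java version "1.7.0"
_VERSION_RX = re.compile(r"1\.(\d)\.0(?:_(\d+))?")


def parse_java_version(text):
    """Return (major, update) from a 'java -version' banner, or None if absent."""
    m = _VERSION_RX.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def is_vulnerable_cve_2011_3544(text):
    """True when the banner names a Java 6/7 build older than the first fixed update.
    Returns False for unparseable banners and for lines this check does not cover,
    so callers should treat False as 'not shown vulnerable', not as 'safe'."""
    parsed = parse_java_version(text)
    if parsed is None:
        return False
    major, update = parsed
    if major not in FIXED_UPDATE:
        return False
    return update < FIXED_UPDATE[major]


def check_local_jre():
    """Run the installed 'java -version' (it prints to stderr) and classify it."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return "no usable java binary found"
    banner = (proc.stderr or proc.stdout).strip()
    if not banner:
        return "java gave no version banner"
    verdict = "VULNERABLE to CVE-2011-3544" if is_vulnerable_cve_2011_3544(banner) else "not shown vulnerable"
    return f"{banner.splitlines()[0]}: {verdict}"


# Constructed banners for a stand-alone run.
SAMPLE_BANNERS = [
    'java version "1.6.0_26"',  # Java 6 Update 26: exposed
    'java version "1.6.0_29"',  # Java 6 Update 29: first fixed release
    'java version "1.7.0"',     # Java 7 GA (Update 0): exposed
    'java version "1.7.0_01"',  # Java 7 Update 1: first fixed release
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(banner, "->", "vulnerable" if is_vulnerable_cve_2011_3544(banner) else "patched")
    print("local JRE:", check_local_jre())
```

Note that a machine can carry several JREs (browser plugin, JDKs, bundled runtimes), so the banner from the PATH `java` is only one data point; the plugin the browser actually loads is the one that matters here.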

 

Prevalence of Injection Campaign

Since we started tracking this infection this past weekend, we have discovered that this is an infection campaign. The Websense® ThreatSeeker® Network has found 100+ compromised Web sites, all with similar infection characteristics. The compromised Web sites all share these traits:

 

  • Running WordPress 3.2.1 (see the 2012/02/06 update above: later analysis found older WordPress versions in general, not only 3.2.1, and compromised FTP credentials as one point of entry)
  • Force a drive-by download via an iframe to the same malicious set of domains, hosting a PHP page of the form [subdomain].osa.pl/showthread.php?t=.*
  • Attempt exploitation using CVE-2011-3544
  • If exploitation succeeds, install the TDSS rootkit on the user's machine

 

Here is an example listing of sites that have been infected:

 

The number of Web sites running the vulnerable, targeted WordPress 3.2.1 is in the hundreds of thousands. It is unknown at this time how the attackers choose which sites to infect.


What To Do If You Are Running WordPress 3.2.1

If you're running WordPress 3.2.1 (or any older release), we recommend that you:

  1. Upgrade to the latest stable version of WordPress, and update all plugins, since vulnerable plugins were also suspected as a point of entry (see the update above).
  2. Check the source code of all your Web pages, and the PHP files the attackers were seen to modify (index.php, wp-blog-header.php), for the injected code shown above. If you have been infected, upgrade WordPress at the same time as you remove the injected code, so that your pages aren't simply reinfected after being cleaned.
  3. Change your FTP and WordPress administrator credentials, because compromised FTP credentials were one confirmed point of entry (see the update above); an upgrade alone does not close that door.
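As an added example (not the post's own code or any Websense tooling), here is a small scanner that walks a WordPress install and flags the indicators this post describes: an iframe pointing at the campaign's [subdomain].osa.pl/showthread.php?t= URLs, hidden iframes, and the obfuscation wrappers (eval, base64_decode and friends) that injected PHP typically uses. The osa.pl pattern is taken from the post; the other indicator patterns and the sample file contents are assumptions constructed for the example.

```python
# Added example (not the original post's code): a scanner for the injection
# indicators this post describes. Only the osa.pl/showthread.php URL shape is
# taken from the post; the other patterns are generic assumptions about
# injected PHP/JS, and the sample contents below are constructed.
import os
import re
import sys

INDICATORS = {
    # The campaign's redirect target, as given in the post.
    "osa.pl_redirect": re.compile(r"[\w.-]*\.osa\.pl/showthread\.php\?t=", re.I),
    # Any iframe sized to be invisible or hidden by style.
    "hidden_iframe": re.compile(
        r"<iframe[^>]*(?:width\s*=\s*[\"']?0|height\s*=\s*[\"']?0|display\s*:\s*none)[^>]*>", re.I),
    # PHP obfuscation wrappers typical of injected back doors.
    "php_obfuscation": re.compile(r"\b(?:eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    # JavaScript that assembles and writes a string at runtime.
    "js_document_write": re.compile(r"document\.write\s*\(\s*unescape|String\.fromCharCode\s*\(", re.I),
}

SCAN_SUFFIXES = (".php", ".html", ".htm", ".js")


def scan_text(content):
    """Return the names of every indicator that matches the given file content."""
    return [name for name, rx in INDICATORS.items() if rx.search(content)]


def scan_tree(root):
    """Walk a WordPress install and map each suspicious file path to its indicators."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_text(fh.read())
            except OSError:
                continue
            if found:
                hits[path] = found
    return hits


# Constructed sample contents for a stand-alone run; not real captured code.
SAMPLE_INJECTED = (
    "<?php /* wp-blog-header.php */ eval(base64_decode('aWYoMSl7fQ=='));\n"
    "?><iframe src=\"http://xyz.osa.pl/showthread.php?t=12345\" "
    "width=\"0\" height=\"0\"></iframe>\n"
)
SAMPLE_CLEAN = "<?php require('./wp-blog-header.php'); ?>\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, found in sorted(scan_tree(sys.argv[1]).items()):
            print(f"{path}: {', '.join(found)}")
    else:
        print("injected sample:", scan_text(SAMPLE_INJECTED))
        print("clean sample:", scan_text(SAMPLE_CLEAN))
```

Run it as `python scan.py /var/www/wordpress`. Legitimate plugins do occasionally use base64_decode or eval, so treat the "php_obfuscation" hit as a lead to inspect rather than proof, and compare flagged core files against a clean copy of the same WordPress release.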

 

 

Notifying Compromised Web site owners

As a matter of practice, we attempt to notify certain sites of their infection. First we use the email address that appears in the "Contact Us" section of the site, and then we use the email address in the whois registration database. If those attempts are unsuccessful, we attempt to notify the site owner through their Facebook page (we have had very good success with this technique). Our recommendation when attempting to take down malicious URLs is to follow the best practices described in a document published by StopBadware.org (found here).

 

Websense customers are protected from these threats by ACE™, our Advanced Classification Engine.

 

* Update 2012/02/01: If you realize after reading this blog that your Web site has been compromised, leave a comment (it won't be published) with your contact details, and we will contact you

 

Thanks,

Stephan Chenette - Principal Security Researcher


Trojan caught on camera shows CAPTCHA is still a security issue
Posted: 30 Jan 2012 02:00 AM

 

In a series of blogs a few years back, we covered how malware could abuse and circumvent online services that use CAPTCHA tests as part of their security (1 2). In this blog, we take a look at a recent malware variant from the wild caught on camera that shows CAPTCHA tests used by some online services are still weak and can be broken by malware.

 

The image below (Picture 1) shows this CAPTCHA-breaking malware's ecosystem, which we'll describe step by step.

  1. The starting point of an infection is a banking Trojan variant known as Cridex. This variant is propagated via malicious email messages that hold shortened links leading to exploit kits (see this example), in our case the Blackhole exploit kit.
  2. If the exploit is successful, the Cridex variant is downloaded to the machine.
  3. Cridex runs on the machine.
  4. Cridex is a data-stealing Trojan that is similar to Zeus in the way it operates: it logs content from Web sessions and alters it to harvest information from the infected user. The Cridex configuration file downloaded by this variant (safe to view and download, shortened here) shows which websites the variant monitors and steals data from, along with the Web form injection points (extra fields injected into Web forms to harvest additional data such as ATM PINs). We have observed that Facebook, Twitter, and many banking services are targets. A partial list of targeted websites can be found here.
  5. Any stolen data from the system is uploaded to a command and control server.

 

Picture 1: The Cridex ecosystem:

 

  6. One of the components downloaded by Cridex along with the configuration file is a propagation (spamming) module that allows the botmaster to send spam/malicious emails to infect other systems and grow the botnet. The spamming module holds backdoor components that allow browsing activity in the name of the user. The module opens Web sessions to online mail services and registers new email accounts that the bot later uses to send spam/malicious emails. Online mail services guard registration with security checks such as CAPTCHA challenges, meant to verify that a human is behind any account registration.
  7. According to our findings, these CAPTCHA challenges can in some cases be broken with the help of a CAPTCHA-breaking server, which lets the bot register a mail account after only a few attempts. This video documents the registration of an online mail account by the bot on an infected machine:

 

Video:

Click here to watch the video on Youtube

 

 

The CAPTCHA-breaking process consists of posting the CAPTCHA challenge images harvested from the online email registration form to a remote Web server (the CAPTCHA-breaking server). The request is an HTTP POST carrying the CAPTCHA image. Once the server has processed the image, it returns a JSON response containing the text it believes corresponds to the submitted image (see Picture 2). The backdoor component then submits that text in the online email account registration form. If the server's answer is wrong and does not match the CAPTCHA image, the process simply continues: the next CAPTCHA image challenge is submitted, and so on, until the server manages to break one. Picture 3 shows the images submitted to the CAPTCHA-breaking server and the corresponding results. Not every attempt succeeds, but some do; in our example it took 6 attempts.

 

The malware also reports back to the CAPTCHA-breaking server whether a result actually broke the CAPTCHA. Picture 4 shows the HTTP requests that carry this feedback for results returned in previous sessions. The outcome is signalled by the r parameter: &r=0 means the CAPTCHA break attempt was unsuccessful, while &r=1 means it succeeded.
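The traffic shape just described (image uploads answered with JSON, followed by result reports carrying r=0 or r=1 to the same host) is distinctive enough to hunt for in proxy logs. The following is an added example, not code from the original post: it runs that detection logic over a few constructed log lines. The hostnames, client addresses, paths and log format are invented; only the protocol shape comes from the post.

```python
# Added example, not from the original post: detection logic for the
# CAPTCHA-breaking traffic pattern described above, run over constructed proxy
# log lines. Hostnames, client address and log format are made up; only the
# protocol shape (image POST, JSON answer, then a report request with r=0/r=1)
# is taken from the post.
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

IMAGE_UPLOAD_TYPES = {"image/jpeg", "image/png", "image/gif", "multipart/form-data"}

# Constructed log lines, one request each:
# "<unix ts> <client> <method> <url> <request content-type or -> <response content-type>"
SAMPLE_LOG = """\
1327900001 10.0.0.7 GET http://signup.mail.example/captcha.jpg - image/jpeg
1327900002 10.0.0.7 POST http://solver.example/in.php multipart/form-data application/json
1327900003 10.0.0.7 POST http://signup.mail.example/register application/x-www-form-urlencoded text/html
1327900004 10.0.0.7 GET http://solver.example/res.php?id=101&r=0 - text/plain
1327900005 10.0.0.7 POST http://solver.example/in.php multipart/form-data application/json
1327900006 10.0.0.7 GET http://solver.example/res.php?id=102&r=1 - text/plain
1327900007 10.0.0.9 GET http://www.example.org/index.html - text/html
"""


def parse_line(line):
    """Split one constructed log line into a record with the URL decomposed."""
    ts, client, method, url, req_ct, resp_ct = line.split()
    parts = urlsplit(url)
    return {"ts": int(ts), "client": client, "method": method, "host": parts.netloc,
            "path": parts.path, "query": parse_qs(parts.query),
            "req_ct": req_ct, "resp_ct": resp_ct}


def detect_captcha_solver_traffic(log_text, min_uploads=2):
    """Group requests per (client, host). A host that receives image uploads answered
    with JSON *and* later requests carrying an r=0/r=1 result flag is reported as a
    suspected CAPTCHA-breaking server, with attempt and success counts."""
    per_pair = defaultdict(lambda: {"uploads": 0, "reports": 0, "successes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        key = (rec["client"], rec["host"])
        if (rec["method"] == "POST" and rec["req_ct"] in IMAGE_UPLOAD_TYPES
                and rec["resp_ct"] == "application/json"):
            per_pair[key]["uploads"] += 1
        flag = rec["query"].get("r")
        if flag and flag[0] in ("0", "1"):
            per_pair[key]["reports"] += 1
            per_pair[key]["successes"] += int(flag[0])
    # Require both halves of the conversation before flagging a host.
    return {key: stats for key, stats in per_pair.items()
            if stats["uploads"] >= min_uploads and stats["reports"] >= 1}


if __name__ == "__main__":
    for (client, host), stats in detect_captcha_solver_traffic(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {stats['uploads']} uploads, "
              f"{stats['successes']}/{stats['reports']} reported successes")
```

The success ratio is the useful number: a bot that needs several uploads per registered account, with most reports carrying r=0, matches what the video shows, whereas a legitimate image-hosting API would not be followed by a stream of binary result flags to the same host.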

 

Picture 2: An HTTP POST request of an image to the CAPTCHA-breaking server and the response from the server

 

Picture 3: The images posted to the CAPTCHA-breaking server and their corresponding results

 

Picture 4: The malware reports to the CAPTCHA-breaking server if the CAPTCHA break attempt was successful

 

Websense® customers are protected from these threats by ACE™, our Advanced Classification Engine.

 

Phoenix, Phoenix, I need help!
Posted: 26 Jan 2012 03:30 AM

The Websense® ThreatSeeker® Network has been tracking an ongoing malicious email campaign in which a recipient is asked to click a link to check a bill mistakenly received by another user.  We have been monitoring campaigns of thousands of emails similar to this one for a while now and notice that the Phoenix Exploit Kit is used. The campaign starts with the following email:


 

An analysis of the embedded link leads to a URL with the content shown below:

 



This obfuscation leads to Phoenix Exploit Kit infrastructure. We can confirm that the past few days have seen an increase in the use of the Phoenix Exploit Kit, following a period of widespread activity based on the Blackhole Exploit Kit. By de-obfuscating the JavaScript code above we can retrieve the landing page to which a user is redirected:


 

The code pictured above de-obfuscates to the following URL:

hxxxp://monikabestolucci.ru:8801/html/yveveqduclirb1.php

 

The Websense ThreatSeeker Network has also identified the domain in this URL as part of a Fast Flux botnet.

 

 

Evidence that this is a Fast Flux botnet can be found by retrieving the DNS records of the domain monikabestolucci.ru, which our analysis shows resolve to the following set of IP addresses (a single domain fronted by many rotating, geographically dispersed hosts is the hallmark of fast flux):




These IP addresses are located in the following countries:
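The address list and country breakdown are in the original screenshots. As an added example, not code or data from the original post, the script below shows the kind of heuristic that turns repeated lookups into a fast-flux verdict: many distinct addresses across several networks, returned with short TTLs. The lookups, TTLs, address-to-country mapping and thresholds are all constructed assumptions for the example.

```python
# Added example, not from the original post: a heuristic fast-flux check over a
# set of DNS lookups. The IP addresses, TTLs and country codes below are
# constructed (documentation ranges), not the post's real data, and the
# thresholds are assumptions.
import ipaddress
from collections import Counter

# Constructed: five successive A-record lookups of the same name, each giving
# (ttl_seconds, [addresses]). Real fast-flux answers rotate a small slice of a
# large pool with short TTLs.
FLUX_LOOKUPS = [
    (180, ["203.0.113.10", "198.51.100.22", "192.0.2.77"]),
    (180, ["198.51.100.22", "192.0.2.78", "203.0.113.200"]),
    (120, ["192.0.2.77", "203.0.113.201", "198.51.100.5"]),
    (180, ["203.0.113.10", "192.0.2.79", "198.51.100.23"]),
    (120, ["198.51.100.24", "203.0.113.202", "192.0.2.80"]),
]

# Constructed control: a normally hosted name answers the same address, long TTL.
STABLE_LOOKUPS = [(3600, ["203.0.113.10"])] * 3

# Constructed address-to-country mapping (stand-in for a GeoIP lookup).
GEO = {"203.0.113.": "US", "198.51.100.": "DE", "192.0.2.": "BR"}


def country_of(addr):
    for prefix, cc in GEO.items():
        if addr.startswith(prefix):
            return cc
    return "??"


def flux_features(lookups):
    """Summarise what a series of lookups revealed about a name."""
    ips = {ip for _ttl, addrs in lookups for ip in addrs}
    prefixes = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
    countries = Counter(country_of(ip) for ip in ips)
    return {"unique_ips": len(ips), "unique_prefixes": len(prefixes),
            "min_ttl": min(ttl for ttl, _addrs in lookups), "countries": dict(countries)}


def looks_fast_flux(lookups, min_ips=8, min_prefixes=3, max_ttl=300):
    """Flag a name when successive answers reveal many distinct addresses across
    several networks with short TTLs. Thresholds are assumptions for this example;
    a CDN can also score high, so treat a hit as triage, not proof."""
    f = flux_features(lookups)
    verdict = (f["unique_ips"] >= min_ips and f["unique_prefixes"] >= min_prefixes
               and f["min_ttl"] <= max_ttl)
    return verdict, f


if __name__ == "__main__":
    for name, lookups in (("flux-candidate", FLUX_LOOKUPS), ("stable-control", STABLE_LOOKUPS)):
        verdict, f = looks_fast_flux(lookups)
        print(f"{name}: fast flux={verdict} {f}")
```

To feed it real data you need the TTL as well as the addresses, which the standard library resolver calls do not expose; a resolver library such as dnspython, or repeated `dig` runs, gives you both. Country spread is the weakest of the three signals on its own, since large CDNs are also geographically dispersed; the combination with a short TTL and a growing address set is what separates flux from legitimate load balancing.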

 

When we analyze the malicious files generated by the above URL code, we recognize the exploiting vectors used in the Phoenix Exploit Kit. Specifically, we detect a SWF file with the exploit code for the CVE-2011-0611 vulnerability and a Java archive file containing the code for the widespread CVE-2011-3544 Java vulnerability.

 

Our analysis also shows that the Phoenix Exploit Kit has been used to spread a variant of the Trojan infostealer Cridex.B (MD5 7231d781cd29a086dc4d06fd5d72b6f3).


 

Websense customers are protected from these threats by ACE™, our Advanced Classification Engine.

Gianluca Giuliani

entrepreneur.com compromised with CrimePack
Posted: 25 Jan 2012 01:40 PM

Today, Websense® ThreatSeeker® Network alerted us that entrepreneur.com has been compromised by cyber criminals, resulting in potentially malicious content being downloaded to a user's machine. Entrepreneur.com is a very popular information and community resource for small businesses on the web (see Alexa rank).

 

Websense customers are protected from these threats by ACE™, our Advanced Classification Engine.

 

Update: We have contacted entrepreneur.com to notify that their site was compromised and by the time this blog was published the issue had been fixed.

 

Analysis:

 

The attacker used the CrimePack exploit kit, which employs several different exploits to try to infect a user’s computer. We'll explain how this works in detail. Let's start by visiting the home page of entrepreneur.com where we notice an iframe injected into the page:

 

Picture 1: Hidden iframe injected into the home page of entrepreneur.com

 

We know this is an invisible iframe since its height is zero. This is suspicious enough to make us analyze the content of the target URL. Our analysis reveals that it contains a highly obfuscated JavaScript code (Picture 2).

 

We need to de-obfuscate it to see whether it is malicious. At the first layer of de-obfuscation we immediately notice that something is not quite right: the code tries to reach the Java plugin in various ways and loads a module named "cpack," which we surmise is CrimePack-generated code (Picture 3).

 

To confirm our suspicions, we need to de-obfuscate the second level, too, to get a clear overview of what redirections have been utilized during visits to this page. After de-obfuscating the second level, we see that the code creates another iframe that loads the "bof.php" file from the malicious server (Picture 4).

 

From its source code (Picture 5), we ascertain that this "bof.php" file is part of the CrimePack exploitation module.

 

If we take a second look at the index.php, we notice that it loads another JavaScript code called “detect.js” (Picture 6). This is a module that helps determine which plugins are installed in the browser. The exploit kit then uses this information to create a vulnerability matrix that describes what type of exploit can be successfully used in a user’s particular environment (Picture 7). 

 

Picture Gallery: 

 

Picture 2: Highly obfuscated JavaScript code on the malicious site

 

 

Picture 3: Various modules are loaded from the first layer of de-obfuscated code

 

 

 

Picture 4: Java classes and iframes injected from the second layer of obfuscated code

 

 

Picture 5: CrimePack delivers Java exploit code to a user’s browser

 

 

Picture 6: A malware helper module packed with the legitimate Dean Edwards JavaScript packer

 

 

Picture 7: The helper module checks what plugins are installed on the browser enabling CrimePack to  build a vulnerability matrix

 

 

 

Tamas Rudnai

Search for Google Chrome leads to Compromised Chrome Plugin Forum
Posted: 23 Jan 2012 11:00 PM

This morning the Websense® ThreatSeeker® Network alerted us that if a user enters the term "Download Chrome" in Google Search, the 36th result leads to a page that serves potentially malicious content to the user's machine.

 

I'll briefly describe the attack vector in which the content is sent to the user.


Web Search

Search for "Download Chrome":

 

The 36th result leads to a compromised, unofficial Google Chrome plugin Web page:

 

Compromised Web site

 

The 36th result leads to this website:

 

 

The above site:

is a legitimate, unofficial Google Chrome plugin forum Web page which is pulling in content from two malicious Web sites. We believe this Web page was compromised.


One indicator that this is a compromised site, as opposed to a site set up strictly for malicious purposes, is the whois registration record, which helps establish reputation: the domain was registered in 2008, and the registration details appear to be real. Again, this isn't a 100% foolproof indication that the site was compromised, but it does help as circumstantial evidence.

 

Redirection

 

Looking at the source code of this Web page, we see that the page redirects the user's browser to two malicious Web sites:


1)  pagead2.googlesyndlcation.com/pagead/show_ads.js (via JavaScript include - this is a Google AdSense typo-squatted URL!)

 

2)  best-videogames.com (via iframe html tag include - results in a server 503 = Service unavailable)

 

This redirection diagram shows the content the user is served by visiting the Chrome Plugin forum Web page. All this content is served to the user without the user having to click on anything at all (except for the link from Google search):

 

Google AdSense Typo-Squatted URL

 

The fake AdSense show_ads.js is loaded from a typo-squatted domain whose whois record shows that it is clearly not owned by Google Inc.

Notice the details:

The real Google host for show_ads.js is pagead2.googlesyndication.com; in the fake one the letter "i" in "syndication" has been replaced with the letter "l", giving "syndlcation", which is easy to miss at a glance.

 

I have archived a copy of the fake show_ads.js here in case you wish to research the compromised site a bit further.

 

Websense customers are protected from these threats by ACE™, our Advanced Classification Engine.

 

Stephan Chenette - Principal Security Researcher

The rise of a typosquatting army
Posted: 22 Jan 2012 03:30 AM

The week before, we published a blog that discussed typosquatting of social Web sites that leads visitors to spam survey sites with a high Alexa ranking. With our ongoing research, we discovered that the cyber-criminals are doing even more work, and the campaign is more widespread than we originally thought. Their targets are not limited to the social Web: they have registered typosquatting domains for popular, frequently visited sites in all areas, from Google to Victoria's Secret, from Wikipedia to Craigslist; the list goes on. The attacker registers a network of typosquatting domains and redirects visitors who mistype a site's address to a spam survey site. The Websense® ThreatSeeker® Network has discovered over 7,000 typosquatting sites within this single network.

 

 

These typosquatting sites redirect visitors to a suspicious URL via a URL shortening service. From there, they take them to a spam survey site (which we showed you in this blog). After visitors complete the spam survey, they are taken to spam advertisement distribution sites where spam advertisements are displayed based on their interests. An example of such an advertisement is a free movie downloader, as shown below. Currently, these spam advertisements are not spreading malware. However, if these networks are resold to underground groups, the potential outcome could be even more damaging than 0-day exploit attacks.
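Both the fake googlesyndlcation.com include in the "Download Chrome" post above and the 7,000-domain network described here rest on the same trick: a registered name one keystroke away from a real one. As an added example, not code from either post, the script below generates the single-edit typo variants an attacker would register for a brand domain and uses that list to flag near-miss hosts among a page's external script and iframe includes. The brand list, trusted-host list and sample HTML are constructed; googlesyndication.com and googlesyndlcation.com are the only names taken from the posts.

```python
# Added example, not from either post: enumerate single-edit typo variants of a
# brand domain (what a "typosquatting army" registers) and use them to flag
# near-miss hosts in a page's external includes. Brand list, trusted hosts and
# the sample HTML are constructed for the example.
import re

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
# Characters that look alike in common fonts (i/l/1, o/0, rn/m).
CONFUSABLES = {"i": "l1", "l": "i1", "o": "0", "0": "o", "m": "rn", "rn": "m"}


def typo_variants(label):
    """All single-edit variants of a domain label: omission, adjacent transposition,
    substitution, insertion, plus confusable swaps. Never includes the label itself."""
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                                    # omission
        if i + 1 < len(label):
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])      # transposition
        for ch in ALPHABET:
            out.add(label[:i] + ch + label[i + 1:])                           # substitution
            out.add(label[:i] + ch + label[i:])                               # insertion
    for src, repls in CONFUSABLES.items():
        for pos in [m.start() for m in re.finditer(src, label)]:
            for r in repls:
                out.add(label[:pos] + r + label[pos + len(src):])
    out.discard(label)
    return out


def build_squat_index(brand_domains):
    """Map every typo variant of each brand domain back to the brand it imitates."""
    index = {}
    for domain in brand_domains:
        label, _sep, tld = domain.partition(".")
        for v in typo_variants(label):
            index.setdefault(f"{v}.{tld}", domain)
    return index


# Host part of any src=/href= attribute pointing at another origin.
HOST_RX = re.compile(r"""(?:src|href)\s*=\s*["']?(?:https?:)?//([^/"'\s>]+)""", re.I)


def audit_page_hosts(html, brand_domains, trusted_hosts):
    """Return {host: imitated brand} for external hosts that are not trusted and
    whose registrable name is a typo variant of a brand domain."""
    index = build_squat_index(brand_domains)
    findings = {}
    for host in set(HOST_RX.findall(html)):
        host = host.lower()
        if host in trusted_hosts:
            continue
        registrable = ".".join(host.rsplit(".", 2)[-2:])  # last two labels
        if registrable in index:
            findings[host] = index[registrable]
    return findings


# Constructed sample page modelled on the compromised forum in the post above.
SAMPLE_HTML = """
<script src="http://pagead2.googlesyndlcation.com/pagead/show_ads.js"></script>
<script src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
<iframe src="http://best-videogames.example/" width="0" height="0"></iframe>
"""
BRANDS = ["googlesyndication.com", "wikipedia.org", "craigslist.org"]
TRUSTED = {"pagead2.googlesyndication.com"}

if __name__ == "__main__":
    print(len(typo_variants("google")), "single-edit variants of 'google'")
    for host, brand in audit_page_hosts(SAMPLE_HTML, BRANDS, TRUSTED).items():
        print(f"suspicious include: {host} imitates {brand}")
```

The variant generator is the defender's view of the attacker's registration list: run it against your own brand names to see which typo domains are already registered by someone else, and keep the resulting index handy for auditing third-party includes on your pages. The registrable-name step here is a simplification (it assumes a two-label suffix), so names under suffixes such as co.uk need a public-suffix list to be split correctly.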

 


You'd be surprised by the number of visitors who mistype popular domain names. These mistyped domains generate a huge amount of traffic (some sites even managed to reach the Alexa top 250 list). From careless users who fill in the survey, the cyber-criminals obtain sensitive data. All of this can be translated into profit. Based on online Web site valuation tools such as worthofweb.com (as shown below), we expect that attackers are pulling in a substantial income from typosquatting campaigns.

 

 

Websense Security Labs will continue to monitor these campaigns, and Websense customers are protected from these threats via ACE™, our Advanced Classification Engine.


uwang

Trending Topic Search for "QuickTime" Leads to Phishing Site
Posted: 19 Jan 2012 10:09 PM

 

The Websense® ThreatSeeker® Network routinely monitors search results for Google trending topics. For example, if you were to search for the term "QuickTime" today, the 31st result would lead to a typosquatted URL, which pulls content from a phishing URL.

 

 

Clicking this Google search entry sends you to a fake QuickTime download site.

 

 

The "Download Now" button doesn't take you to the download page for QuickTime software. It directs you to a phishing site instead. This alleged music download site phishes your credit card information on the membership fee payment page. Be aware of the risks of using your credit card on random websites to avoid such phishing attacks.  

 

 

Websense customers are protected from these threats by ACE™, our Advanced Classification Engine. 

 

  

Ping Yan - Security Researcher & Stephan Chenette - Principal Security Researcher


My email address was shared on Twitter, but who cares?
Posted: 19 Jan 2012 02:11 AM

 

Websense Security Labs™ has found that thousands of businesses and consumers are putting themselves at risk each day by publicly revealing their email addresses on Twitter.


We conducted research on how data that might be considered private is exposed via Twitter. The research focused on shared data, in particular email addresses, that can potentially be used against the one (or the organization) that shared it. During the research we monitored Twitter over a 24 hour period and found that users were publicly sharing email addresses connected with their inboxes, social media identities, and bank accounts. This leaves them open to advanced ‘social spear phishing’ attacks and spam campaigns.


In social spear phishing, criminals target harvested email addresses using information gleaned from monitoring those users' Twitter conversations, so the lure arrives already tailored to the victim. It's recommended that businesses update their acceptable use policies to warn employees of this risk.

 

Our research found that thousands of email addresses are publicly shared daily via Twitter:

* More than 11,000 email addresses were shared worldwide

 

 

[Research data was collected over a 24-hour period in January 2012]

 

 

Gmail, Hotmail and many other free web-based email services are particularly under threat as cyber criminals can harvest social information on individuals via Twitter to break into these accounts.

 

We realise that sometimes you need to share your email address. Here are some security tips on how to best avoid your shared data potentially being used against you:

 

  • Use direct messages (DMs) for sending email addresses to contacts on Twitter
  • Treat emails from friends linking you to other sites with caution
  • Never use passwords that can be inferred from publicly accessible information
  • Since email is a frequently used route into a company for cybercriminals, ensure your email security has strong malware protection against modern threats
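To make the exposure concrete, here is an added example (not the research code behind the post) of the harvesting step an attacker would run over a public tweet stream: it extracts email addresses, groups them by provider, marks the free webmail providers the post singles out, and notes handles whose address local-part reuses the Twitter handle, a heuristic added here because that link is what makes a spear-phishing lure easy to personalise. The tweets, handles and addresses are all constructed.

```python
# Added example, not from the original post: the harvesting step the post warns
# about, run over constructed tweets. Tweets, handles and addresses are invented;
# the free-webmail list and the handle-reuse heuristic are assumptions.
import re
from collections import Counter

EMAIL_RX = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
FREE_WEBMAIL = {"gmail.com", "hotmail.com", "yahoo.com", "outlook.com"}  # assumption

# Constructed sample stream: (handle, tweet text).
SAMPLE_TWEETS = [
    ("alice_b", "DM me or mail alice.b@gmail.com for the tickets"),
    ("shopco", "Support questions: help@shopco.example"),
    ("bob99", "my new address is bob99@hotmail.com, old one still works"),
    ("carol", "lol no email here"),
    ("dave_it", "send invoices to dave@corp.example and cc dave.it@gmail.com"),
]


def _normalise(s):
    """Strip separators so 'alice.b' and 'alice_b' compare equal."""
    return s.lower().replace(".", "").replace("_", "").replace("-", "")


def harvest(tweets):
    """Return (handle, address, domain, is_free_webmail) for every address found."""
    found = []
    for handle, text in tweets:
        for addr in EMAIL_RX.findall(text):
            domain = addr.rsplit("@", 1)[1].lower()
            found.append((handle, addr, domain, domain in FREE_WEBMAIL))
    return found


def exposure_summary(tweets):
    """Counts per provider, how many addresses sit at free webmail, and the handles
    whose address local-part is the handle itself (an identity link for an attacker)."""
    rows = harvest(tweets)
    per_domain = Counter(domain for _h, _a, domain, _f in rows)
    linked = sorted({h for h, addr, _d, _f in rows
                     if _normalise(addr.split("@")[0]) == _normalise(h)})
    return {"addresses": len(rows), "per_domain": dict(per_domain),
            "free_webmail": sum(1 for r in rows if r[3]), "handle_linked": linked}


if __name__ == "__main__":
    summary = exposure_summary(SAMPLE_TWEETS)
    print(summary)
    for handle, addr, _domain, free in harvest(SAMPLE_TWEETS):
        print(f"@{handle}: {addr}{' (free webmail)' if free else ''}")
```

The same regex run over a real 24-hour stream is all it takes to reproduce the post's headline number, which is the point: nothing about this harvesting requires privileged access, so the only effective control is not to post the address in the first place.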

 

 


Elad Sharf

Malicious email scam "Re: Scan from a Xerox W. Pro #XXXXXXX" returns with a new face
Posted: 18 Jan 2012 05:23 AM

About 6 months ago, a malicious email scam with the subject "Re: Scan from a Xerox W. Pro #XXXXXXX" went wild. This scam has returned, this time with a new face! Instead of carrying a malicious .zip attachment, as it did in the past, it now prompts you to click a download link. You know you shouldn't click this link, right?

 

The Websense® ThreatSeeker® Network has detected that the download URL link is actually a malicious URL.

As shown in the screenshot below, the page behind that link contains an iframe that redirects the browser to a malicious site hosting a Blackhole exploit kit. Once the iframe is loaded, content from the Blackhole site (a highly obfuscated script) is loaded too. Decoding it, we can see that the actual code searches for vulnerable software and uses an appropriate exploit. Successful exploitation executes shellcode that triggers the download and execution of malware.

 

 

 

 

The kit is currently widespread and popular with attackers. It is offered as a software-as-a-service (SaaS) solution: all a customer has to do is rent the kit, and domain registration, site configuration and setup are handled by the author group. Another really interesting aspect of this kit, which differentiates it from its competitors, is that it provides administration options for smartphones; no application needs to be installed, as it is simply a Web-based interface optimised for smartphones. Furthermore, the kit's administration panel can submit samples to underground antivirus (AV) scanning services, which lets attackers tweak their malware samples until they go undetected before launching an attack live.

 

So far, the Websense® Triton® Hosted Security Message Center has detected more than 3,000 messages in this campaign.

 

 

Websense customers are protected against this attack with ACE, our Advanced Classification Engine.

One critical and six important Microsoft patches to start 2012
Posted: 12 Jan 2012 02:43 PM

The start of the Olympic year of 2012 sees a quick release of 7 patches from Microsoft, including 1 that addresses a critical vulnerability that allows remote code execution when exploited. Websense® Security Labs strongly recommends that you update to the latest patches to avoid attacks from cyber criminals.

 

 

 

Not surprisingly, Microsoft rated the recently discovered MIDI vulnerability (CVE-2012-0003) as critical: it received huge publicity at the beginning of the year and is likely to appear in exploit kits in the near future. With this bug, an attacker can run arbitrary code on a victim's computer by getting it to process a specially crafted MIDI file, for example one embedded in a Web page. The code runs with the privileges of the logged-on user, so a least-privilege user policy limits the damage an exploit can do. Another patch in this bulletin fixes the DirectShow remote code execution vulnerability (CVE-2012-0004); here an attacker can execute malicious code on a victim's computer through a specially crafted media file, again with the privileges of the user who opens it.

 

The infamous BEAST (Browser Exploit Against SSL/TLS) vulnerability has also been addressed in the January Patch Tuesday release. With this vulnerability (CVE-2011-3389), a cyber criminal positioned as a man-in-the-middle, who can also get the victim's browser to send requests of his choosing, exploits the predictable initialisation vectors of CBC-mode ciphers in SSL 3.0 and TLS 1.0 to decrypt parts of the encrypted traffic, most notably the HTTP headers that carry session cookies, and can then hijack the user's session.

 

Websense Security Labs and our ThreatSeeker™ Network are constantly monitoring for these threats occurring in the wild.

 


©2013 Websense, Inc. All Rights Reserved.