Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security research methods miss.

Latest Blog Posts


(January 2012) Posts

3-2-1 Wordpress vulnerability leads to possible new exploit kit

Posted: 30 Jan 2012 02:30 PM | Anonymous | no comments

This past weekend one compromised Web site in particular caught my attention. Based on my analysis, the site was compromised because it was running an old version of WordPress (3.2.1) that is vulnerable to publicly available exploits [1] [2]. The Web site injection is only somewhat interesting. What is more interesting is the redirection chain and resulting exploit site, which might be a new or updated Exploit Kit to watch out for.

* Update 2012/02/06: After obtaining access to logs and PHP files from compromised Web servers, further analysis indicates that most of the compromised Web sites were running older versions of WordPress, but they were not all running 3.2.1. The attackers' exact point of entry is uncertain. At first, we suspected vulnerable WordPress plugins, because a subset of analyzed sites were running vulnerable versions of the same WordPress plugins. Now that we have access to data from several compromised Web servers, the logs show us that, in some cases, the point of entry was compromised FTP credentials. In several instances, once attackers had access, they scanned WordPress directories and injected specific files (e.g., index.php and wp-blog-header.php) with malicious PHP code. Our research indicates that whoever is behind the injection has infected other sites. From our analysis the number of infections is growing steadily (100+).

The Injection

The site was injected with the following code segment:

The above code is a simple substitution cipher algorithm that applies a basic obfuscation technique, which when deobfuscated produces the following code:

The code above instructs the Web browser to write an iframe to the document of the Web page:

Once the iframe is written to the Web page, the code forces a connection to the malicious site, which downloads content to the user's machine (all without the user's permission or knowledge).
The malicious Web site serves a page that we assume includes the Incognito Exploit Kit, because one of Incognito's characteristics is that it uses showthread.php as the Web page filename to serve user exploits. We are still not positive if this is Incognito 2.0 or a completely unknown exploit kit. Most kits, much like Incognito, test the user's browser and/or OS type and version and serve the user various exploits, e.g. PDF exploits or browser-specific bugs. But this Exploit Kit appears to serve only the Java exploit below:

New or Updated Exploit Kit?

The Java exploit being served is CVE-2011-3544 (Oracle Java Applet Rhino Script Engine Remote Code Execution), which most Exploit Kits adopted in December 2011 because it is cross-platform and exploits a design flaw. Normally, kits use a variety of exploits, but as can be seen in the screenshot below, regardless of what OS or browser we used for testing, this Exploit Kit attempted to exploit ONLY our Java Runtime Environment (JRE). It did not attempt any other exploit.

Exploit and Dropped Malware

The Java exploit that is used...


Trojan caught on camera shows CAPTCHA is still a security issue

Posted: 30 Jan 2012 02:00 AM | Elad Sharf | 2 comment(s)

In a series of blogs a few years back, we covered how malware could abuse and circumvent online services that use CAPTCHA tests as part of their security (1, 2). In this blog, we take a look at a recent malware variant from the wild, caught on camera, that shows CAPTCHA tests used by some online services are still weak and can be broken by malware. The image below (Picture 1) shows this CAPTCHA-breaking malware's ecosystem, which we'll describe step by step.

Step 1: The starting point of an infection is a banking Trojan variant known as Cridex. This variant is propagated via malicious email messages that hold shortened links leading to exploit kits (see this example), in our case the Blackhole exploit kit.

Step 2: If the exploit is successful, the Cridex variant is downloaded to the machine.

Step 3: Cridex runs on the machine.

Step 4: Cridex is a data-stealing Trojan that is similar to Zeus in the way it operates: it logs content from Web sessions and alters them to harvest information from the infected user. The Cridex configuration file downloaded by this variant (safe to view and download, and shortened here) shows which websites the variant monitors and steals data from, along with Web form injection points (data alteration injected into Web forms to harvest additional data like ATM PIN numbers). We have observed that Facebook, Twitter, and many banking services are targets. A partial list of targeted websites can be found here.

Step 5: Any stolen data from the system is uploaded to a command and control server.

Picture 1: The Cridex ecosystem

Step 6: One of the components downloaded by Cridex with the configuration file is a propagation module, or spamming module, that allows the botmaster to send spam/malicious emails to infect other systems and increase the bot size. The spamming module holds backdoor components that allow browsing activities in the name of the user. The module opens Web sessions to online mail services and registers new email accounts that are later used by the bot to send spam/malicious emails. As we know, online mail services hold security checks like CAPTCHA challenges to verify that a human is indeed behind any account registration.

Step 7: According to our findings, CAPTCHA challenges in some cases can be broken with the help of a CAPTCHA-breaking server, which allows the bot to register a mail account or address after only a few attempts. This video documents the registration of an online mail account by the bot on an infected machine:

Video: Click here to watch the video on YouTube

The CAPTCHA-breaking process consists of posting CAPTCHA challenge images harvested from the online email registration form to a remote Web server (the CAPTCHA-breaking server). The request is an HTTP POST with an embedded CAPTCHA image posted to the CAPTCHA-breaking server. Once the server processes the image, it outputs a response in JSON format with the CAPTCHA text result that corresponds to the submitted image (see Picture 2). The...



Phoenix, Phoenix, I need help!

Posted: 26 Jan 2012 03:30 AM | Gianluca Giuliani | no comments

The Websense® ThreatSeeker® Network has been tracking an ongoing malicious email campaign in which a recipient is asked to click a link to check a bill mistakenly received by another user. We have been monitoring campaigns of thousands of emails similar to this one for a while now and notice that the Phoenix Exploit Kit is used. The campaign starts with the following email:




entrepreneur.com compromised with CrimePack

Posted: 25 Jan 2012 01:40 PM | Tamas Rudnai | no comments

Today, Websense® ThreatSeeker® Network alerted us that entrepreneur.com has been compromised by cyber criminals, resulting in potentially malicious content being downloaded to a user's machine. Entrepreneur.com is a very popular information and community resource for small businesses on the web (see Alexa rank).


Websense customers are protected from these threats by ACE™, our Advanced Classification Engine.


The attacker used the CrimePack exploit kit, which employs several different exploits to try to infect a user’s computer. We'll explain how this works in detail. Let's start by visiting the home page of entrepreneur.com where we notice an iframe injected into the page:





Search for Google Chrome leads to Compromised Chrome Plugin Forum

Posted: 23 Jan 2012 11:00 PM | Anonymous | no comments

This morning the Websense® ThreatSeeker® Network alerted us that if a user enters the term "Download Chrome" in Google Search, the 36th result would result in potentially malicious content being downloaded to the user's machine. I'll briefly describe the attack vector in which the content is sent to the user.

Web Search

Search for "Download Chrome": the 36th result leads to a compromised, unofficial Google Chrome plugin Web page.

Compromised Web site

The 36th result leads to this website. The above site is a legitimate, unofficial Google Chrome plugin forum Web page which is pulling in content from two malicious Web sites. We believe this Web page was compromised. One indicator that this is a compromised site, as opposed to a site set up for strictly malicious purposes, is that the whois registration information, which helps indicate the reputation, shows the domain was registered in 2008. The registration details also seem to indicate that real information was provided. Again, this isn't a 100% foolproof indication that the site was compromised, but it does help as circumstantial evidence.

Redirection

Looking at the source code of this Web page, we see that the page redirects the user's browser to two malicious Web sites:

1) pagead2.googlesyndlcation.com/pagead/show_ads.js (via JavaScript include; this is a Google AdSense typo-squatted URL!)
2) best-videogames.com (via iframe HTML tag include; results in a server 503 = Service Unavailable)

This redirection diagram shows the content the user is served by visiting the Chrome plugin forum Web page. All this content is served to the user without the user having to click on anything at all (except for the link from Google search):

Google AdSense Typo-Squatted URL

The fake AdSense show_ads.js links to a typo-squatted URL where the whois record shows that it's clearly not a site owned by Google Inc. Notice the details: the real Google hosting server for show_ads.js is pagead2.googlesyndication.com (the typo-squatted domain replaces the letter "i" in the word "syndication" with the letter "l"). I have archived a copy of the fake show_ads.js here in case you wish to research the compromised site a bit further.

Websense customers are protected from these threats by ACE™, our Advanced Classification Engine.

Stephan Chenette - Principal Security Researcher


The rise of a typosquatting army

Posted: 22 Jan 2012 03:30 AM | uwang | no comments

The week before, we published a blog that discussed typosquatting of social web sites that leads visitors to spam survey sites with a high Alexa ranking. With our ongoing research, we discovered that cyber-criminals are carrying out even more work, and the campaign is more widespread than we originally thought. Their targets are not limited to the social web; they have registered typosquatting domains for popular and frequently-visited sites in all areas, ranging from Google to Victoria's Secret and from Wikipedia to Craigslist; the list goes on. The attacker registers a network of typosquatting domains and redirects visitors of these mistyped sites to a spam survey site. The Websense® ThreatSeeker® Network has discovered over 7,000 typosquatting sites within this single network.

These typosquatting sites redirect visitors to a suspicious URL via a URL shortening service. From there, they take them to a spam survey site (which we showed you in this blog). After visitors complete the spam survey, they are then taken to spam advertisement distribution sites where spam advertisements are displayed based on their interests. An example of such an advertisement is a free movie downloader, as shown below. Currently, these spam advertisements are not spreading maliciously. However, if these networks are resold to underground groups, then the potential outcome could be even more damaging than 0-day exploit attacks.

You'd be surprised by the number of visitors who mistype popular domain names. These mistyped domains generate a huge amount of traffic (some sites even managed to reach the Alexa top 250 list). From careless users who fill in the survey, the cyber-criminals obtain sensitive data. All of this can be translated into profit. Based on online web site valuation tools such as worthofweb.com (as shown below), we expect that attackers are pulling in a substantial income from typosquatting campaigns.

Websense Security Labs will continue to monitor these campaigns, and Websense customers are protected from these threats via ACE, our Advanced Classification Engine.



Trending Topic Search for "QuickTime" Leads to Phishing Site

Posted: 19 Jan 2012 10:09 PM | Anonymous | no comments

The Websense® ThreatSeeker® Network routinely monitors search results from Google trending topics. For example, if you were to search for the term "QuickTime" today, the 31st result would lead to a typosquatted URL, which pulls content from a phishing URL. Clicking this Google search entry sends you to a fake QuickTime download site. The "Download Now" button doesn't take you to the download page for QuickTime software. It directs you to a phishing site instead. This alleged music download site phishes your credit card information on the membership fee payment page. Be aware of the risks of using your credit card on random websites to avoid such phishing attacks.

Websense customers are protected from these threats by ACE™, our Advanced Classification Engine.

Ping Yan - Security Researcher & Stephan Chenette - Principal Security Researcher


My email address was shared on Twitter, but who cares?

Posted: 19 Jan 2012 02:11 AM | Elad Sharf | no comments

Websense Security Labs™ has found that thousands of businesses and consumers are putting themselves at risk each day by publicly revealing their email addresses on Twitter. We conducted research on how data that might be considered private is exposed via Twitter. The research focused on shared data, in particular email addresses, that can potentially be used against the one (or the organization) that shared it. During the research we monitored Twitter over a 24-hour period and found that users were publicly sharing email addresses connected with their inboxes, social media identities, and bank accounts. This leaves them open to advanced 'social spear phishing' attacks and spam campaigns. Social spear phishing sees criminals attacking harvested email addresses with information gleaned from monitoring users' Twitter conversations. It's recommended that businesses update all acceptable use policies to warn employees of this risk.

Our research found that thousands of email addresses are publicly shared daily via Twitter:

* More than 11,000 email addresses were shared worldwide [research data was collected over a 24-hour period in January 2012]

Gmail, Hotmail and many other free web-based email services are particularly under threat, as cyber criminals can harvest social information on individuals via Twitter to break into these accounts. We realise that sometimes you need to share your email address. Here are some security tips on how to best avoid your shared data potentially being used against you:

• Use direct messages (DMs) for sending email addresses to contacts on Twitter
• Treat emails from friends linking you to other sites with caution
• Never use passwords that can be inferred from publicly accessible information
• Since email is an often-used route into a company by cybercriminals, ensure your email security has superior malware protection against modern threats



Malicious email scam "Re: Scan from a Xerox W. Pro #XXXXXXX" returns with a new face

Posted: 18 Jan 2012 05:23 AM | Shi Linghang | no comments

About 6 months ago, a malicious email scam with the subject "Re: Scan from a Xerox W. Pro #XXXXXXX" went wild. This scam has returned, this time with a new face! Instead of making you open an attached .zip file, as it did in the past, it now prompts you to click a download link. You know you shouldn't click this link, right?

The Websense® ThreatSeeker® Network has detected that the download URL link is actually a malicious URL. As shown in the screenshot below, we can see that there is an iframe in its payload. This redirects the link to a malicious site that hosts a Blackhole exploit kit. Once the iframe is loaded, content from the Blackhole exploit kit site (which contains a highly obfuscated script) is also loaded. Upon decoding the code, we can now see that the actual code searches for vulnerable software and uses an appropriate exploit. Successful exploitation executes shellcode that triggers the download and execution of malware.

The kit is currently widespread and popularly used by attackers. It offers users a software-as-a-service (SaaS) solution, where all they need to do is simply rent the kit. The domain registration, site configuration, and setup are handled by the author group. Another really interesting aspect of this kit, which uniquely differentiates it from its competitors, is that it provides administration options for smart phones! Users do not need to install any application; it is simply a Web-based interface optimized for smart phones. Furthermore, there is an administration option for this kit to use underground antivirus (AV) scanning services for malware. This lets attackers tweak their malware samples to make them undetectable prior to launching their attack live.

So far, the Websense® Triton® Hosted Security Message Center has detected more than 3,000 messages in this campaign. Websense customers are protected against this attack with ACE, our Advanced Classification Engine.



One critical and six important Microsoft patches to start 2012

Posted: 12 Jan 2012 02:43 PM | Tamas Rudnai | no comments

The start of the Olympic year of 2012 sees a quick release of 7 patches from Microsoft, including 1 that addresses a critical vulnerability that allows remote code execution when exploited. Websense® Security Labs strongly recommends that you update to the latest patches to avoid attacks from cyber criminals.

Not surprisingly, Microsoft marked the recently discovered MIDI vulnerability (CVE-2012-0003) as critical, as it received huge publicity at the beginning of the year and is likely to be seen in exploit kits in the near future. With this bug, an attacker can run arbitrary code on a remote computer using a specially crafted MIDI file. The executed code runs with the same privileges as the local user, so a well-defined user policy could prevent further damage on the computer.

Another patch in this latest bulletin fixes the DirectShow remote code execution vulnerability (CVE-2012-0004). With this one, an attacker can execute malicious code on a remote computer without user interaction using a specially crafted media file.

The infamous BEAST (Browser Exploit Against SSL/TLS) vulnerability has also been fixed with the January Patch Tuesday release. With this vulnerability (identified as CVE-2011-3389 at mitre.org), a cyber criminal can act as a "man-in-the-middle" and interfere with the SSL (Secure Sockets Layer) protocol. As a result, an attacker can obtain the HTTP header in plain text, allowing access to session cookies.

Websense Security Labs and our ThreatSeeker™ Network are constantly monitoring for these threats occurring in the wild.

