Leak of MS12-020 working proof of concept
20 Mar 2012 03:52 AM
On March 15, a working Proof of Concept (PoC) for MS12-020 that attempts to exploit CVE-2012-0002 was published by a Chinese hacker group named Silic Group Hacker Army. The original code was written in Ruby and Python, and an executable file was uploaded to a free online storage service, 115 netdisk.
Luigi Auriemma, the first to find this vulnerability, said the pre-built packets used in this PoC were the same as the ones he submitted to the HP TippingPoint Zero Day Initiative (ZDI, a partner of Microsoft) as part of the verification process to obtain his bug bounty in August 2011. Microsoft TechNet Blog has also confirmed that the details of the PoC code appear to match the vulnerability information shared with Microsoft Active Protections Program (MAPP) partners.
MS12-020 patches a pair of bugs in Windows Remote Desktop Protocol (RDP), a component that lets users remotely access a PC or server. A vulnerable function called HandleAttachUserReq() in rdpwd.sys could be exploited by specially crafted RDP packets. The leaked PoC code could launch a denial-of-service (DoS) attack over the internet against systems running Windows with the RDP service enabled, resulting in the blue screen shown here:
Customers who have deployed MS12-020 are protected from attempts to exploit CVE-2012-0002. Websense works with Microsoft and is an active member of Microsoft MAPP.
We will continue to monitor this situation to see if the exploit evolves to allow remote code execution.
I have the latest WordPress version - is my Website protected?
13 Mar 2012 04:00 AM
A few days ago, Websense® Security Labs™ detected a large-scale malware campaign mainly targeting WordPress pages. We have received many questions about who and which websites are in danger and how to protect against this attack. While many forum posts and comments speculate that outdated WordPress versions are at fault, unfortunately, we found that this is not true. We dug a bit into this subject and analyzed 30,000 domains to see what types and versions of CMS (Content Management System) have been compromised so far.
We checked several aspects of each of these compromised websites and concluded that most of them are served by the Apache web server with a PHP environment. As you can see in the pie chart below, PHP dominates the server side:
Digging a little deeper, we were also able to examine which CMSs were victims of the attack. Initially, when we discovered the attack, we found only WordPress sites, and after a week or so, the picture had not changed much. WordPress still serves the majority of the compromised websites; however, we did see a small number of other CMSs as well. We also noticed that an increasing number of Joomla sites are affected, with all other content managers making up a much smaller slice.
The big question still remains: Is my Website protected if I use the latest WordPress version? Checking all WordPress sites, we conclude that most of the compromised sites were in fact using the most recent version, which indicates that having the latest version of WordPress does not make you immune to this threat.
So how can you protect yourself? Here are the dominant attack vectors through which websites running the latest WordPress version are likely to be exploited:
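The survey behind the pie chart and the CMS breakdown above can be reproduced from stored HTTP responses: the Server and X-Powered-By headers give the web server and scripting engine, and the CMS usually advertises itself and its version in a `<meta name="generator">` tag. The script below is an added example, not Websense code; its sample responses are constructed, and the "latest WordPress" constant is an assumption used only to count how many sites were already current.

```python
"""Tally web server, scripting engine and CMS version across captured HTTP
responses (added example, not Websense code; sample data is constructed)."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Assumed current WordPress release at survey time (illustrative value).
LATEST_WORDPRESS = "3.3.1"
CANONICAL_CMS = {"wordpress": "WordPress", "joomla": "Joomla", "drupal": "Drupal"}

# Constructed sample: (host, selected response headers, HTML excerpt).
SAMPLE_RESPONSES: List[Tuple[str, Dict[str, str], str]] = [
    ("blog-a.example", {"Server": "Apache/2.2.22", "X-Powered-By": "PHP/5.3.10"},
     '<html><head><meta name="generator" content="WordPress 3.3.1" /></head><body></body></html>'),
    ("news-b.example", {"Server": "nginx/1.0.14", "X-Powered-By": "PHP/5.2.17"},
     '<html><head><meta name="generator" content="WordPress 3.2.1"></head><body></body></html>'),
    ("shop-c.example", {"Server": "Apache/2.2.16", "X-Powered-By": "PHP/5.3.3"},
     '<html><head><meta name="generator" content="Joomla! 1.5 - Open Source Content Management" /></head><body></body></html>'),
    ("corp-d.example", {"Server": "Microsoft-IIS/7.5", "X-Powered-By": "ASP.NET"},
     '<html><head><title>Welcome</title></head><body></body></html>'),
]

META_RE = re.compile(r"<meta\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'([A-Za-z-]+)\s*=\s*["\']([^"\']*)["\']')
GEN_RE = re.compile(r"\s*(WordPress|Joomla!?|Drupal)\s*v?([0-9][0-9.]*)?", re.IGNORECASE)


def generator_tag(html: str) -> Optional[str]:
    """Return the content of <meta name="generator">, whatever the attribute order."""
    for m in META_RE.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        if attrs.get("name", "").lower() == "generator":
            return attrs.get("content")
    return None


def parse_generator(value: Optional[str]) -> Tuple[str, Optional[str]]:
    """Map a generator string to (cms_name, version); unknown CMSs become 'other'."""
    if not value:
        return ("unknown", None)
    m = GEN_RE.match(value)
    if not m:
        return ("other", None)
    name = CANONICAL_CMS[m.group(1).rstrip("!").lower()]
    version = m.group(2).rstrip(".") if m.group(2) else None
    return (name, version)


def server_software(headers: Dict[str, str]) -> str:
    """Product name from the Server header (version stripped)."""
    return headers.get("Server", "").split("/")[0] or "unknown"


def scripting_engine(headers: Dict[str, str]) -> str:
    """Engine from X-Powered-By. Note: PHP can hide this header (expose_php=Off),
    so absence is not proof that PHP is not in use."""
    powered = headers.get("X-Powered-By", "")
    return "PHP" if powered.upper().startswith("PHP") else (powered.split("/")[0] or "unknown")


def fingerprint(host: str, headers: Dict[str, str], html: str) -> Dict[str, Optional[str]]:
    cms, version = parse_generator(generator_tag(html))
    return {"host": host, "server": server_software(headers),
            "engine": scripting_engine(headers), "cms": cms, "version": version}


def summarize(responses) -> Dict[str, object]:
    """Counts by engine and CMS, plus how many WordPress sites were already current."""
    fps = [fingerprint(*r) for r in responses]
    return {
        "by_engine": Counter(f["engine"] for f in fps),
        "by_cms": Counter(f["cms"] for f in fps),
        "wordpress_total": sum(1 for f in fps if f["cms"] == "WordPress"),
        "wordpress_latest": sum(1 for f in fps
                                if f["cms"] == "WordPress" and f["version"] == LATEST_WORDPRESS),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RESPONSES).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Sites that strip the generator tag or the X-Powered-By header land in the "unknown" buckets, so on a real data set the counts are a lower bound, not an exact census.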
- Weak passwords / stolen credentials
- Vulnerable third-party modules used in WordPress
- Security holes in the underlying server infrastructure, such as in the database server or the server side scripting engine (PHP in this case)
Websense Security Labs strongly recommends that website owners perform security audits and fix all problems to keep attackers away from their sites. Websense customers are protected from injected websites with our Advanced Classification Engine, or ACE, which detects compromised websites in real time.
New Mass Injection Wave of WordPress Websites on the Prowl
05 Mar 2012 08:00 AM
The Websense® ThreatSeeker® Network has detected a new wave of mass injections from a well-known rogue antivirus campaign that we've been following in Security Labs™ for months. The majority of targets are Web sites hosted on the WordPress content management system. At the time of writing, more than 200,000 Web pages have been compromised, amounting to close to 30,000 unique Web sites (hosts). The injection hijacks visitors to the compromised sites and redirects them to rogue AV sites that attempt to trick them into downloading and installing a Trojan onto their computer.
The injected code is very short and is placed at the bottom of the page, just before the </body> tag.
After a three-level redirection chain, victims land on a fake AV site. In this example, the first hop in the chain is on ".rr.nu", and the landing site is on the ".de.lv" top-level domain, but the landing site keeps changing. The rogue AV site appears to perform a scan on the computer and scares the user by displaying fake malware detections of various kinds of Trojans. The page looks like a Windows Explorer window with a "Windows Security Alert" dialogue box in it. The fake scanning process looks like a normal Windows application; however, it is only a pop-up window within the browser. The fake antivirus then prompts visitors to download and run its "antivirus tool" to remove the supposedly found Trojans. The executable is itself the Trojan.
Interestingly, more than 85% of the compromised sites are in the United States, while visitors to these web sites are more geographically dispersed. It's worth noting that although the attack is specific to the US, everyone is at risk when visiting these compromised pages.
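The two facts above, that the injected element sits immediately before `</body>` and that it loads from a foreign domain (here ".rr.nu" for the first hop), are enough for a site owner to check their own pages. The script below is an added example, not Websense code: it isolates the last script or iframe before `</body>`, extracts the external hosts it references, and flags any that fall under the suffixes named in this post. The sample pages and hostnames are constructed.

```python
"""Detect a script/iframe injected just before </body> that loads from an
external host (added example, not Websense code; sample pages are constructed)."""
import re
from typing import Dict, List, Optional

# Domain suffixes named in the post for the redirect chain and landing site.
SUSPECT_SUFFIXES = (".rr.nu", ".de.lv")

# Matches "http://host", "https://host" or protocol-relative "//host".
URL_HOST_RE = re.compile(r"(?:https?:)?//([A-Za-z0-9.-]+\.[A-Za-z]{2,})", re.IGNORECASE)

# Constructed sample pages for a hypothetical site "victim.example".
CLEAN_PAGE = ('<html><body><p>Hello</p>\n'
              '<script src="/wp-content/themes/x/js/main.js"></script>\n</body></html>')
INJECTED_PAGE = ('<html><body><p>Hello</p>\n'
                 '<script src="http://constructed-host.rr.nu/r.php"></script>\n</body></html>')
INLINE_PAGE = ('<html><body><p>Hello</p>'
               '<script>document.write(\'<iframe src="http://constructed.example/x" '
               'width=0 height=0></iframe>\')</script></body></html>')


def injected_tail(html: str) -> Optional[str]:
    """Return the script or iframe element that directly precedes </body>, if any."""
    body_end = html.lower().rfind("</body>")
    if body_end < 0:
        return None
    head = html[:body_end].rstrip()
    lower = head.lower()
    for tag in ("script", "iframe"):
        if lower.endswith(f"</{tag}>"):
            start = lower.rfind(f"<{tag}")
            if start >= 0:
                return head[start:]
    return None


def external_hosts(element: str, site_host: str) -> List[str]:
    """Hosts referenced by the element that are not the site itself or its subdomains."""
    site = site_host.lower()
    hosts = {h.lower() for h in URL_HOST_RE.findall(element)}
    return sorted(h for h in hosts if h != site and not h.endswith("." + site))


def check_page(site_host: str, html: str) -> Dict[str, object]:
    """Flag a page whose trailing element loads from an external host; mark it
    'suspect' when that host is under one of the suffixes seen in this campaign."""
    element = injected_tail(html)
    if element is None:
        return {"host": site_host, "injected": False, "hosts": [], "suspect": False}
    hosts = external_hosts(element, site_host)
    suspect = any(h.endswith(s) for h in hosts for s in SUSPECT_SUFFIXES)
    return {"host": site_host, "injected": bool(hosts), "hosts": hosts,
            "suspect": suspect, "snippet": element[:120]}


if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE), ("inline", INLINE_PAGE)):
        print(label, check_page("victim.example", page))
```

A legitimate theme script at the end of the page loads from the site's own host and is not flagged; an inline `document.write` that builds a hidden iframe is caught because the host is pulled from the element's text, not only from a `src` attribute. Because the landing site keeps changing, treat any unexpected external host at the tail of a page as worth a look, not only the two suffixes listed.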
Countries hosting compromised Web sites:
Country of origin of visitors:
Websense Security Labs continues to monitor the evolution of this campaign. Websense customers are protected with the Advanced Classification Engine, ACE, which detects compromised Web sites in real-time.
Websense Security Labs blog is an award winner!
01 Mar 2012 02:54 PM
We are very pleased to announce that our Websense® Security Labs™ Blog has won the coveted "Best Corporate Security Blog" award at the SC Magazine 2012 Awards.
The awards were announced at the RSA Conference in San Francisco.
We wish to send a thank you to our readers for voting for us. Thank you for your continued support and your comments. We read them all.
We look forward to working on more innovative research and keeping you up-to-date with the latest threats.
Websense also took home two other awards at the SC Magazine Awards ceremony: "Best Enterprise Security Solution" and "Reader’s Trust Award for Websense Web Security Gateway." You can read all about it here.
Thank you from all of us on the Websense Security Labs team.
Who is already an Olympic Games 2012 winner?
01 Mar 2012 03:05 AM
As anticipated in our Security Predictions for 2012, the imminent start of the Olympic Games 2012 is a convenient worldwide event for phishing authors as well as malicious bots. They will most likely begin using this vector to spread attempts at masquerading as legitimate sites, organizations, or services to trick users into divulging information. Websense® Security Labs™ and the Websense ThreatSeeker® Network have detected and tracked a significant number of these kinds of Olympic phishing messages, whose goal is to entice users to submit their personal information.
The phishing theme used in the following example is the well-known "National Lottery"-type scam, where the targeted users are tricked into believing they are winners of some sort of local lottery. We detected emails like the one below:
Once the user opens the Microsoft Word document, the sender informs the user that he or she is the lucky "winner" of £200,00.00 GBP, and then requests that the user provide personal information, such as full name, address, nationality, occupation, and mobile number to help process the claim.
Although this email attachment is not malicious, it is clear that the sender has some other questionable activity in mind by asking for and collecting personal information. This could range from email spam using the victim's email address and mobile phone number to other rogue promotional messages that could potentially carry web links leading to malicious websites. Threats like these Olympics scams are also known as advance-fee fraud, in which victims are asked to contact a claims agent. They may then be asked to pay "processing fees" to receive their money, which never arrives. Here's another example that confirms this hypothesis:
This is also an effective way to collect mobile phone numbers through social engineering and to start other kinds of fraudulent activity, such as asking for details about mobile banking accounts. Websense customers are protected from these threats by ACE, our Advanced Classification Engine.