
May 2012 Posts

Malware Traditions on Fire: What you need to know about Flame
Posted: 30 May 2012 03:47 PM

Yesterday we posted about a new strain of highly advanced malware (APT), dubbed Flame. It is potentially the most advanced malware to date, at least in terms of functionality combined with the ability to stay hidden over a long period of time. It’s also unusually large (20 MB), whereas most attacks contain small files (under 1 MB). The file is so large because it incorporates a broad set of capabilities including recording audio, taking screenshots, compiling a list of nearby Bluetooth devices, and more. It even includes some rare techniques not commonly found in malware, such as using the Lua scripting language for some of its functions. The primary function of Flame is to collect and upload information.

 

While it really doesn't do anything we haven't seen before in other malware attacks, what’s really interesting is that it weaves multiple techniques together and dynamically applies them based on the capabilities of the infected system. Also, Flame has been operating under the radar for at least two years, which, counterintuitively, may partially be attributed to its large size.

 

Flame has been found mainly in the Middle East, specifically: Egypt, Iran, Israel, Lebanon, Palestine, Saudi Arabia, Sudan, and Syria. Based on historical APT patterns, the target region, and complexity/quality of the code, our guess is that Flame was created by one or more Western intelligence agencies. I don't think we'll see too many copycats of Flame, but we will see more targeted attacks against nations. This is following the trend we have been seeing of nation vs. nation web threats that go beyond off-the-shelf Remote Access Kits.

 

How effective Flame has been remains to be determined, as there still have only been a small number of infections discovered. While we have identified it in approximately eight countries, it is targeted and on only a select number of systems. We will be sure to keep our readers updated on our findings.

 

It’s also important to mention that our Websense Web Security Gateway (Anywhere), Cloud Web Security, Cloud Email Security, and Email Security Gateway (Anywhere) customers all have protection in place for known samples of Flame. All of these solutions leverage our ACE (Advanced Classification Engine) technology.

 

Do you have any questions on Flame? If so, leave a comment and we can discuss.


Patrik Runald

Flame/Flamer/Skywiper - one of the most advanced malware found yet
Posted: 29 May 2012 03:21 PM

Yesterday, news broke that a new strain of highly advanced malware (APT), dubbed Flame (Flamer/Skywiper), has been identified. The variant was found to be prevalent in the Middle East. Other recent well-known malware found in the Middle East includes Stuxnet and Duqu, both very advanced and ground-breaking. Flame has most likely been in circulation since 2010, but has only just been identified. The primary function of Flame is to collect and upload information, which it does in several ways, including recording audio, taking screenshots, compiling a list of nearby Bluetooth devices, and more.

 

The malware has a total size of about 20 MB, which is huge compared to most malware, which is usually less than 1 MB. One of the main reasons for its relatively much larger size is its extensive embedded functionality. It consists of several modules, such as decompression libraries, a SQL database, and a Lua virtual machine. So far, the known vulnerabilities used in this malware are MS10-046 and MS10-061. Those were both used in Stuxnet and Duqu to maintain persistence and move laterally on infected networks.

 

Flame's main module name and some debugging data that suggest when that module was compiled:

 

Some runtime data in Flame at the infection stage: 

Does Websense protect customers?

Web Security Gateway (Anywhere), Cloud Web Security, Cloud Email Security and Email Security Gateway (Anywhere) and Websense Email Security all have protection in place for known samples of Flame.


More information

Analysis throughout the security industry is ongoing. This additional analysis is available right now at CrySys (PDF).


Elad Sharf

The Amnesty International UK website was compromised to serve Gh0st RAT [Update]
Posted: 11 May 2012 01:29 AM

Between May 8 and 9, 2012, the Websense® ThreatSeeker® Network detected that the Amnesty International United Kingdom website was compromised. The website was apparently injected with malicious code for these 2 days. During that time, website users risked having sensitive data stolen and perhaps infecting other users in their network. However, the website owners rectified this issue after we advised them about the injection. In early 2009, we discovered this same site was compromised, and in 2010, we reported another injection of an Amnesty International website, this time the Hong Kong site.

 

In the most recent case, we noticed that the exploit vector used was the same Java exploit (detailed in CVE-2012-0507) that has been used worldwide, and which has become somewhat infamous as the cause of the recent massive Mac OS X infection with Flashback.

 

Websense customers are protected from these threats by ACE, our Advanced Classification Engine.

 

The following is a screen shot of the detected code injection:


In the screen shot, we can see the similarities between this injection and the INSS injection we reported last week. This clearly shows the use of the Metasploit framework and the precise name of the Java class used. In addition, the associated JAR file is a well-known vector exploit for the CVE-2012-0507, as shown below:


Once the exploit is successful, a file download is initiated for an executable from this URL: "hxxxp://www.48groupclub.org/images/uploads/image/sethc.exe" - MD5: 3EC4DE9EF2E158473208842F4631236A

 

Further analysis shows that when the "sethc.exe" file is executed on the compromised system, it creates a new binary file in the Windows system directory: C:\Program Files\...... 


The ruse appears credible because the executable file has been signed by a "valid" certificate authority (CA), as shown below:


Through further research we learn that this certificate has been in use for a while and does not appear to have been revoked at the time of this latest exploit activity.


Analyzing this binary file, which has low AV detection, we recognize that it is a variant of the well-known Remote Administration Tool Gh0st RAT, which is used mainly in targeted attacks to gain complete control of infected systems. With this control, the remote administrator has access to a user's files, email, passwords, and other sensitive personal information. Following is the initial network capture with Wireshark between a compromised system and the remote administration center, which reveals the header information of the traffic (pay particular attention to the starting keyword "gh0st"), confirming the use of Gh0st RAT:


The Remote Administration Center commands to the compromised system originate from this address: shell.xhhow4.com. At the time of this writing, the address is still active.
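As an added example (not part of the original post or of Websense's tooling), the following Python shows how a network analyst can turn the "gh0st" keyword observed in the capture above into a structured check rather than a plain string match. It assumes the classic Gh0st RAT framing: a 5-byte keyword, a little-endian uint32 total packet length, a little-endian uint32 uncompressed length, and a zlib-compressed body. That layout, the sample flows and the addresses are constructed for the example; real variants often change the keyword, so the function takes it as a parameter.

```python
import struct
import zlib

MAGIC_LEN = 5
HEADER_LEN = 13  # assumed framing: 5-byte keyword + uint32 total length + uint32 uncompressed length


def build_sample_packet(magic: bytes, body: bytes) -> bytes:
    """Construct a packet in the assumed Gh0st framing (test data only)."""
    compressed = zlib.compress(body)
    total_len = HEADER_LEN + len(compressed)
    return magic + struct.pack("<II", total_len, len(body)) + compressed


def parse_gh0st_packet(payload: bytes, keyword: bytes = b"gh0st"):
    """Return header fields and the inflated body if `payload` is a well-formed
    Gh0st packet starting with `keyword` (compared case-insensitively);
    otherwise return None. Checking the lengths and the zlib body keeps a
    stray 'gh0st' string in ordinary traffic from firing the detection."""
    if len(payload) < HEADER_LEN:
        return None
    if payload[:MAGIC_LEN].lower() != keyword.lower():
        return None
    total_len, orig_len = struct.unpack("<II", payload[MAGIC_LEN:HEADER_LEN])
    if total_len != len(payload):
        return None
    try:
        body = zlib.decompress(payload[HEADER_LEN:])
    except zlib.error:
        return None
    if len(body) != orig_len:
        return None
    return {"keyword": payload[:MAGIC_LEN], "total_len": total_len,
            "uncompressed_len": orig_len, "body": body}


def scan_flows(flows, keyword: bytes = b"gh0st"):
    """flows: iterable of (src, dst, first_payload_bytes).
    Returns the (src, dst) pairs whose first payload parses as a Gh0st packet."""
    hits = []
    for src, dst, payload in flows:
        if parse_gh0st_packet(payload, keyword) is not None:
            hits.append((src, dst))
    return hits


# Constructed sample flows; the addresses are placeholders, not from any capture.
SAMPLE_FLOWS = [
    ("10.0.0.5:49152", "198.51.100.7:80",
     build_sample_packet(b"Gh0st", b"\x65" + b"\x00" * 64)),          # beacon-like body
    ("10.0.0.6:49201", "203.0.113.9:80",
     b"GET / HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"),      # ordinary web request
    ("10.0.0.7:49300", "203.0.113.10:443",
     b"gh0st" + b"\x00" * 20),                                     # keyword only, bad lengths
]

if __name__ == "__main__":
    for src, dst in scan_flows(SAMPLE_FLOWS):
        print(f"possible Gh0st RAT session {src} -> {dst}")
```

Only the first constructed flow is reported: the third carries the keyword but its length fields do not describe the packet, which is exactly the false positive a bare string match on "gh0st" would produce.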


[Update]

 

Websense® ThreatSeeker® Network detected that the Amnesty International Hong Kong sister website was also compromised to serve Gh0st RAT over the weekend, and the malicious code is still live and active. Below are some of the infected pages that redirect to the exploits. Websense Security Labs will continue to monitor and report any new changes to this attack.


Gianluca Giuliani

Canada’s Cybercrime Report Card: Better or Worse in 2012?
Posted: 10 May 2012 01:39 PM

In May 2011, we conducted an analysis of Canada’s cyber security risk profile, which led to the discovery of a disturbing trend: Canada had become the newest breeding ground of cybercriminal activity.

In the hopes that things would get better, we conducted an exact comparison of the same cybersecurity stats one year later. And we were even more disturbed to see that in Q1 2012, hackers are still taking advantage of Canada’s “squeaky clean” cyber reputation and remotely controlling Canadian servers to carry out their criminal attacks.

Across the board, we’re seeing all types of malicious content coming out of the Great White North. For example:

 

  • 170% Jump in Hosted Phishing Sites - Canada ranks #2 in the world for hosted phishing sites, jumping 170 percent in the last year. This is a significant increase and the country ranks ahead of some of the best known offenders like Egypt and Russia.
  • 39% Increase in Bot Networks - Cybercriminals’ command and control centers are finding that Canadians make great hosts. In the past year, Canada saw a 39 percent increase in bot network activity.
  • 239% Increase in Malicious Websites - The number of malicious URLs is also on the rise in Canada. Canadian computer users beware, Canada saw a 239 percent jump in malicious Canadian websites.


The bottom line is that things are getting worse, and it’s a worldwide trend. As we’ve stated in our 2012 Threat Report, in the past year alone, there has been a major increase in malicious sites and exploit kits and people are getting increasingly redirected to bad sites.

What’s going on in Canada is a testament to the continuation of a very bad trend. In the past, malicious content has traditionally been hosted on servers in places like Europe. But now the bad guys are shifting their infrastructure to servers hosted in countries that traditionally have had better reputations.

Even after last year’s discovery, we still have not seen any big takedowns of malicious sites in Canada. In fact, malicious sites seem to stay up longer than in other countries. The public and private sectors need to work together to effectively make this happen. The question is, will they finally be able to do so moving forward?

Here's a map that shows the top countries hosting phishing sites for the first part of this year. You can clearly see that Canada now holds the number two position for hosting this type of malicious content.

 

Patrik Runald

Pinning Down Pinterest
Posted: 04 May 2012 08:08 PM

 

There has been a lot of talk lately about Pinterest, the "virtual pinboard" that allows you to "organize and share all the beautiful things you find on the web."

Pinterest uses online social networking to extend the ways you can share your images. Its mission statement reads:  "Our goal is to connect everyone in the world through the 'things' they find interesting. We think that a favorite book, toy, or recipe can reveal a common link between two people. With millions of new pins added every week, Pinterest is connecting people all over the world based on shared tastes and interests."

How does it work?

Currently, the site is available by invitation only, but it’s quite easy to request an invitation either directly from the site or from a friend who’s already using it. Once you’re in, you create “pins”: images you want to post, including videos, along with any text captions you care to add. The “Pin It” button can be added to Firefox or your iPhone, allowing you to grab images anytime and anywhere.  It also adds a link to the source, automatically crediting the author and, presumably, avoiding copyright issues, which have sparked a lot of discussion.*

A collection of pins is called a “board,” which usually focuses on a theme or interest. By displaying images in a thematic board, Pinterest creates a visual collage which provides context and relationships for images in ways other social media sites do not.


It is precisely the social media elements that seem to be fueling Pinterest’s popularity.  Users can search pins, boards, or people. They can “like” other people’s pins, post comments, repin the images to their own boards, and even share them via Facebook and Twitter links, or via embedding in a blog or email. They can follow other users, see activity streams, and click through to the source of an image for more information, or to make a purchase. Collaboration with Flickr was just announced, which enables sharing in the user's Flickr account.

Who uses it?

The number of unique visitors per month to Pinterest has jumped in just under one year from less than half a million to well over 18 million. Most (68.6%) are in the US, but all parts of the world are represented—and growing. Users tend to spend quite a bit of time on the site: more than 15 minutes per day, which is over 50% more than Twitter.



This explosion has created a huge buzz around the site, and at Websense we’ve learned that sites which attract lots of users also tend to attract lots of security concerns.

What could possibly go wrong?

Any site that attracts a lot of users and attention inevitably becomes a target for hackers and spammers. Spam and other types of objectionable content can be reported to Pinterest with the click of a button, which suggests the site relies on its users to spot problems and flag them for review. Malicious image files—where embedded malware is hidden in an image file—can be a particular threat on an image-based platform.

A while back we wrote a blog about inexpensive application toolkits on Facebook. This time around, it's Pinterest's turn.

Here are a few examples of  spamming toolkits that automatically generate massive amounts of traffic on a spammer's Pinterest account.  Tools may be purchased individually or in packages, and prices range from about $25 to almost $2000 depending on the number and functionality desired.

One tool creates automatic "likes" for pins, and sends an email to the pin creator saying you liked it, along with a link to your profile.


Another tool finds the most popular pins and re-submits them into the same board name and category on the spammer's account.


Websense researchers found many similar tools for sale, all of which generate unnatural traffic to the spammer's account in order to increase the popularity of a site or brand.  Of course, Pinterest may notice or be informed of the unusual traffic and block the account. A bigger risk is that spamming tools may actually contain viruses, malware, or other threats, making the would-be hacker into a hacking target. 

Pinterest was recently the target of injected JavaScript code (possibly created by such spamming tools) that changed many pins into ads. A recent Pinterest blog post about spam on the platform generated a fair number of user responses about fake followers and spam (comments are now closed). And the site is reportedly using CAPTCHA, at least on some accounts, to ensure that users are human beings.

Regardless of how Pinterest evolves, you can be sure that Websense will stay on top of any security risks, helping you use social media safely.

* Because pinning something actually creates a copy (as opposed to simply “liking” a pin), there has been a great deal of controversy and confusion around Pinterest and copyright. The personal blog of a copyright librarian provides some useful discussion.


RM

Widespread malware abuses unsecured Geolocation Service of Adult Website
Posted: 03 May 2012 11:26 AM

While researching outbound malware communications to improve detections for our products, we recently made an interesting discovery. Thousands of samples running in our malware lab reached out to the URL promos.fling.com/geo/txt/city.php. At first we suspected this to be a command and control (C&C) server of botnet malware. However, Websense® categorization of the main Web page of the domain fling.com returned Adult, and visiting the page certainly confirmed this:


The self-proclaimed "Hottest Place to Hook Up" suggested that we sign up to "Meet the Hottest Members in San Diego" (the location of the US Websense® Security Labs™). This is where the originally discovered URL promos.fling.com/geo/txt/city.php comes into play. Directly visiting the URL returns JavaScript code that prints the visitor's geolocation:


So how is this unsecured geolocation service used by the malware? Using the network tool Wireshark to look at the malware network traffic contacting this service, we can see that more information is disclosed:


In this example our malware sandbox was connected to the Internet through a proxy service in Canada. Apart from the JavaScript payload, several HTTP cookies are sent in the response headers specifying the country, state, city, latitude and longitude. Our analysis systems identified other likely C&C connections among the outbound connections of the malware samples in question. Interestingly, these connections try to disguise the malicious HTTP traffic using a forged user-agent string:


Looking at the geolocation service abused by the malware we can make the connection that the 'CA' part (country code for Canada) in this user-agent is used to disclose the geolocation of the infected machine to the botnet server. This information can be used by the botmaster for statistics or to give different commands to infected machines in certain countries.

 

As of the time of writing this blog post, a total of 4,775 samples that ran in our malware lab show connections to the adult geolocation service in question. Websense customers are protected against known variants of this malware; we also have real-time coverage in place for the traffic between the malware and the C&C servers.
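As an added example (not from the original post and not Websense's detection logic), here is how the indicator described above can be applied to proxy logs: flag every client that queries the geolocation endpoint and keep the user-agent strings it presented, since a non-browser or changing user-agent on the same host is the next thing to triage. The log format, client addresses and user-agent values are constructed for the example; the post shows the forged user-agent only in a screenshot, so the check keys on the URL and merely records the user-agents.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicator from the post: the unauthenticated geolocation endpoint the samples call
GEO_INDICATOR = ("promos.fling.com", "/geo/txt/city.php")

# Constructed proxy log format (an assumption for this example):
#   timestamp client method url status "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_geo_lookup(url: str) -> bool:
    """True when the URL hits the indicator, ignoring scheme, host case and query string."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return parts.hostname == GEO_INDICATOR[0] and parts.path.lower() == GEO_INDICATOR[1]


def find_geo_callers(lines):
    """Map each client that queried the geolocation endpoint to the set of
    user-agent strings it used for those requests."""
    callers = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and is_geo_lookup(rec["url"]):
            callers[rec["client"]].add(rec["ua"])
    return dict(callers)


# Constructed sample log lines; the client addresses and user-agents are placeholders.
SAMPLE_LOG = [
    '2012-05-03T10:01:02Z 10.1.2.3 GET http://promos.fling.com/geo/txt/city.php 200 "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '2012-05-03T10:01:05Z 10.1.2.3 GET http://www.example.invalid/index.html 200 "Mozilla/5.0 (Windows NT 6.1)"',
    '2012-05-03T10:02:40Z 10.1.2.9 GET http://www.example.invalid/news 200 "Mozilla/5.0 (Windows NT 6.1)"',
    '2012-05-03T10:03:11Z 10.1.2.3 GET http://PROMOS.fling.com/geo/txt/city.php?x=1 200 "Mozilla/4.0 (compatible; MSIE 6.0)"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for client, agents in find_geo_callers(SAMPLE_LOG).items():
        print(f"{client} queried the geolocation service with user-agents: {sorted(agents)}")
```

Matching on host and path rather than on the literal string keeps the check robust to case changes and appended query parameters, while a categorization-only policy (the domain is classified Adult) would block the request without telling the analyst which hosts are infected.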


Armin Buescher

The Institute for National Security Studies (Israel) falls prey to Poison Ivy infection
Posted: 02 May 2012 01:06 AM

The Websense® ThreatSeeker® Network has detected that the Institute for National Security Studies (INSS) website in Israel was injected with malicious code. INSS is described on its website as an independent academic institute that studies key issues relating to Israel's national security and Middle East affairs.

 

While we can't determine that the infection of this website with exploit code is part of a targeted attack, one could deduce that visitors to this type of site are likely to have an interest in national security or to work in this field. The website appears to have been injected with malicious code for over a week now. (Websense's ACE has provided protection against this type of injected malicious code since early 2009.)

 

One of the interesting facts about this infection is that it uses the same Java exploit vector (CVE-2012-0507) that managed to infect around 600,000 Mac users in a massive scatter attack dubbed Flashback a few weeks ago.

 

It's also worth noting that in the last few months, Israeli websites have been under continuous cyber-based threats and attacks. We don't think that this latest infection is part of an organized mass infection campaign but is probably just part of that trend. We continue to look for additional websites leading to the exploit website.

 

We have contacted the webmaster of the website and notified them of the issue and the location of the injected code on the website; so far, we haven't heard back from them.

 

Websense customers are protected proactively from these threats by ACE, our Advanced Classification Engine.


Here's how this exploit works: if users visit the home page of the INSS website, the injected malicious JavaScript code loads a Java exploit. The injected code shown below consists of a "document.write" function call that uses decimal-encoded string characters to hide the exploit URL. Once decoded, the destination page may be retrieved. This means that users are silently redirected to the exploit page while their browser loads the website's home page:
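As an added example (not the post's own code, and not the actual injected snippet), the following Python decoder shows how an analyst can statically recover the destination hidden behind decimal-encoded characters in a "document.write" call, without executing the page. It handles the two common decimal forms, String.fromCharCode(...) lists and HTML numeric entities (&#NN;), then pulls any src/href targets out of the decoded markup. The hidden markup and the host name exploit.example.invalid are constructed placeholders; only the "out.htm" file name comes from the post.

```python
import html
import re

# Matches String.fromCharCode(104, 116, ...) with a decimal code list
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(\s*([\d\s,]*)\)")
# Matches src=/href= attribute values in the decoded markup
SRC_RE = re.compile(r"""(?:src|href)\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def decode_decimal_js(snippet: str) -> str:
    """Resolve the two decimal-encoding forms: String.fromCharCode(...) calls are
    replaced by the characters they produce, then HTML numeric entities (&#NN;)
    are unescaped. Everything else in the snippet is left untouched so the
    surrounding document.write(...) remains visible in the output."""
    def _codes_to_text(match):
        return "".join(chr(int(code)) for code in match.group(1).split(",") if code.strip())
    decoded = FROMCHARCODE_RE.sub(_codes_to_text, snippet)
    return html.unescape(decoded)


def extract_urls(snippet: str) -> list:
    """Return every src/href target written by the (decoded) injection."""
    return SRC_RE.findall(decode_decimal_js(snippet))


# Constructed sample: the hidden markup and two decimal encodings of it.
HIDDEN_MARKUP = ('<iframe src="http://exploit.example.invalid/out.htm" '
                 'width="0" height="0"></iframe>')
SAMPLE_FROMCHARCODE = (
    "document.write(String.fromCharCode("
    + ", ".join(str(ord(c)) for c in HIDDEN_MARKUP) + "));"
)
SAMPLE_ENTITIES = (
    'document.write("' + "".join(f"&#{ord(c)};" for c in HIDDEN_MARKUP) + '");'
)

if __name__ == "__main__":
    for sample in (SAMPLE_FROMCHARCODE, SAMPLE_ENTITIES):
        print(decode_decimal_js(sample))
        print("redirect targets:", extract_urls(sample))
```

Decoding before extracting matters: a URL indicator applied to the raw page source would never match the digit list, which is the whole point of the encoding.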

 

The obfuscated injected content on the INSS home page looks like this:


Here's the decoded content:


And the content of the out.htm web page:


By merely looking at the code snippet above, we can see that the applet class's name suggests its intentions: "msf.x.Exploit.class." After further investigation, we detected that "test.jar" holds the exploit of the well-known Java vulnerability CVE-2012-0507. The inner workings of the "test.jar" file reveal that it contains a rather large compressed text file called "abc.txt" that is filled with a huge number of "a" characters. Once decompressed, the file size is about 104 MB. We think that this is a technique that attempts to evade automated malware analysis technologies, since some of those systems typically avoid downloading the contents of big files, because malware tends to be small in size.
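The padding trick described above (a highly compressible "abc.txt" that inflates to roughly 104 MB) is cheap to spot from the archive's central directory alone. As an added example, not part of the post, the Python below builds a stand-in JAR with the same shape and flags entries whose inflated size and compression ratio are both out of proportion, without extracting anything. The class entry is dummy bytes rather than real bytecode, and the padding file is 1 MB instead of 104 MB; the thresholds are assumptions to tune per environment.

```python
import io
import zipfile


def build_sample_jar() -> bytes:
    """Construct a stand-in JAR (test data only): a manifest, a small 'class'
    entry of dummy bytes, and a large, highly compressible padding file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("msf/x/Exploit.class", bytes(range(256)) * 8)  # not real bytecode
        jar.writestr("abc.txt", b"a" * 1_000_000)
    return buf.getvalue()


def inspect_jar(jar_bytes: bytes, min_ratio: float = 50.0, min_inflated: int = 100_000) -> list:
    """Return entries that inflate to at least `min_inflated` bytes with a
    compression ratio of at least `min_ratio`. Both figures come from the
    central directory, so nothing is decompressed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            ratio = info.file_size / info.compress_size if info.compress_size else float("inf")
            if info.file_size >= min_inflated and ratio >= min_ratio:
                findings.append({"name": info.filename, "compressed": info.compress_size,
                                 "inflated": info.file_size, "ratio": round(ratio, 1)})
    return findings


def inflated_size(jar_bytes: bytes) -> int:
    """Total size the archive expands to, i.e. what a sandbox would have to
    budget for if it extracted every entry before analysing."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sum(info.file_size for info in jar.infolist())


if __name__ == "__main__":
    sample = build_sample_jar()
    print(f"archive is {len(sample)} bytes on disk, {inflated_size(sample)} bytes inflated")
    for finding in inspect_jar(sample):
        print("padding candidate:", finding)
```

A sandbox or gateway that sizes a download by its on-disk length sees a few kilobytes; checking the declared inflated size first is what prevents the "malware is small" heuristic from being used against the analysis pipeline.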


From analyzing the contents of the JAR file, it was evident that it was generated by the Metasploit toolkit and, as we mentioned, holds the exploit for the vulnerability CVE-2012-0507:


The binary associated with the exploit, "svchost.exe" (MD5: 52aa791a524b61b129344f10b4712f52), is automatically installed on the victim's computer following a successful Java exploit attempt. "svchost.exe" is a variant of Poison Ivy, a remote administration tool (RAT) that can be used, as its name suggests, to control a computer remotely. The tool is robust and mature and may be used for legitimate purposes, but is also widely used for malicious purposes. Once Poison Ivy installs on the system, it connects to a Dynamic DNS command and control address at ids.ns01.us.

 

Gianluca Giuliani

©2013 Websense, Inc. All Rights Reserved.