Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Latest Blog Posts


(May 2012) Posts

Malware Traditions on Fire: What you need to know about Flame

Posted: 30 May 2012 11:47 PM | Patrik Runald | no comments


Yesterday we posted about a new strain of highly advanced malware (APT), dubbed Flame. It is potentially the most advanced malware to date, at least in terms of functionality combined with the ability to stay hidden over a long period of time. It’s also unusually large (20 MB), whereas most attacks contain small files (under 1 MB). The file is so large because it incorporates a broad set of capabilities, including recording audio, taking screenshots, compiling a list of nearby Bluetooth devices, and more. It even includes some rare techniques not commonly found in malware, such as using the Lua scripting language for some of its functions.

The primary function of Flame is to collect and upload information. It really doesn't do anything we haven't seen before in other malware attacks; what’s really interesting is that it weaves multiple techniques together and dynamically applies them based on the capabilities of the infected system. Also, Flame has been operating under the radar for at least two years, which, counterintuitively, may partially be attributed to its large size.

Flame has been found mainly in the Middle East, specifically: Egypt, Iran, Israel, Lebanon, Palestine, Saudi Arabia, Sudan, and Syria. Based on historical APT patterns, the target region, and the complexity and quality of the code, our guess is that Flame was created by one or more Western intelligence agencies.

I don't think we'll see too many copycats of Flame, but we will see more targeted attacks against nations. This follows the trend we have been seeing of nation-vs.-nation web threats that go beyond off-the-shelf Remote Access Kits. How effective Flame has been remains to be determined, as only a small number of infections have been discovered so far. While we have identified it in approximately eight countries, it is targeted and present on only a select number of systems. We will be sure to keep our readers updated on our findings.

It’s also important to mention that our Websense Web Security Gateway (Anywhere), Cloud Web Security, Cloud Email Security, and Email Security Gateway (Anywhere) customers all have protection in place for known samples of Flame. All of these solutions leverage our ACE (Advanced Classification Engine) technology.

Do you have any questions on Flame? If so, leave a comment and we can discuss.


Flame/Flamer/Skywiper - one of the most advanced malware found yet

Posted: 29 May 2012 03:21 PM | Elad Sharf | no comments


Yesterday, news broke that a new strain of highly advanced malware (APT), dubbed Flame (also known as Flamer or Skywiper), has been identified. The variant was found to be prevalent in the Middle East. Recent well-known malware also found in the Middle East includes Stuxnet and Duqu, both very advanced and ground-breaking. Flame has most likely been in circulation since 2010, but has only just been identified.

The primary function of Flame is to collect and upload information, which it does in several ways, including recording audio, taking screenshots, compiling a list of nearby Bluetooth devices, and more. The malware has a total size of about 20 MB, which is huge compared to most malware, which is usually less than 1 MB. One of the main reasons for its much larger size is its extensive embedded functionality: it consists of several modules, such as decompression libraries, a SQL database, and a Lua virtual machine.

So far, the known vulnerabilities used in this malware are MS10-046 and MS10-061. Both were also used in Stuxnet and Duqu to maintain persistence and move laterally on infected networks.

[Image: Flame's main module name and some debugging data that suggests when that module was compiled]

[Image: Some runtime data in Flame at the infection stage]

Does Websense protect customers?

Web Security Gateway (Anywhere), Cloud Web Security, Cloud Email Security, Email Security Gateway (Anywhere) and Websense Email Security all have protection in place for known samples of Flame.

More information

Analysis throughout the security industry is ongoing. Additional analysis is available right now from CrySyS (PDF).


The Amnesty International UK website was compromised to serve Gh0st RAT [Update]

Posted: 11 May 2012 01:29 AM | Anonymous | no comments


Between May 8 and 9, 2012, the Websense® ThreatSeeker® Network detected that the Amnesty International United Kingdom website was compromised. The website was apparently injected with malicious code for those two days. During that time, website users risked having sensitive data stolen and perhaps infecting other users in their network. However, the website owners rectified this issue after we advised them about the injection. In early 2009, we discovered this same site was compromised, and in 2010 we reported another injection of an Amnesty International website, this time the Hong Kong site.

...


Canada’s Cybercrime Report Card: Better or Worse in 2012?

Posted: 10 May 2012 09:39 PM | Patrik Runald | no comments


In May 2011, we conducted an analysis of Canada’s cyber security risk profile, which led to the discovery of a disturbing trend: Canada had become the newest breeding ground of cybercriminal activity. In the hope that things would get better, we conducted an exact comparison of the same cybersecurity stats one year later. We were even more disturbed to see that in Q1 2012, hackers are still taking advantage of Canada’s “squeaky clean” cyber reputation and remotely controlling Canadian servers to carry out their criminal attacks. Across the board, we’re seeing all types of malicious content coming out of the Great White North. For example:

170% jump in hosted phishing sites: Canada ranks #2 in the world for hosted phishing sites, jumping 170 percent in the last year. This is a significant increase, and the country now ranks ahead of some of the best-known offenders like Egypt and Russia.

39% increase in bot networks: Cybercriminals’ command and control centers are finding that Canadians make great hosts. In the past year, Canada saw a 39 percent increase in bot network activity.

239% increase in malicious websites: The number of malicious URLs is also on the rise in Canada. Canadian computer users beware: Canada saw a 239 percent jump in malicious Canadian websites.

The bottom line is that things are getting worse, and it’s a worldwide trend. As we stated in our 2012 Threat Report, in the past year alone there has been a major increase in malicious sites and exploit kits, and people are increasingly being redirected to bad sites. What’s going on in Canada is testament to the continuation of a very bad trend. In the past, malicious content has traditionally been hosted on servers in places like Europe. Now the bad guys are shifting their infrastructure to sites hosted in countries that have traditionally had better reputations. Even after last year’s discovery, we still have not seen any big takedowns of malicious sites in Canada.

In fact, malicious sites seem to stay up longer than in other countries. The public and private sectors need to work together to effectively make this happen. The question is, will they finally be able to do so moving forward?

Here's a map that shows the top countries hosting phishing sites for the first part of this year. You can clearly see that Canada now holds the number two position for hosting this type of malicious content.


Pinning Down Pinterest

Posted: 04 May 2012 08:08 PM | RM | 1 comment(s)


There has been a lot of talk lately about Pinterest, the "virtual pinboard" that allows you to "organize and share all the beautiful things you find on the web." Pinterest uses online social networking to extend the ways you can share your images. Its mission statement reads: "Our goal is to connect everyone in the world through the 'things' they find interesting. We think that a favorite book, toy, or recipe can reveal a common link between two people. With millions of new pins added every week, Pinterest is connecting people all over the world based on shared tastes and interests."

How does it work?

Currently, the site is available by invitation only, but it’s quite easy to request an invitation either directly from the site or from a friend who’s already using it. Once you’re in, you create “pins”: images you want to post, including videos, along with any text captions you care to add. The “Pin It” button can be added to Firefox or your iPhone, allowing you to grab images anytime and anywhere. It also adds a link to the source, automatically crediting the author and, presumably, avoiding copyright issues, which have sparked a lot of discussion.*

A collection of pins is called a “board,” which usually focuses on a theme or interest. By displaying images in a thematic board, Pinterest creates a visual collage that provides context and relationships for images in ways other social media sites do not. It is precisely the social media elements that seem to be fueling Pinterest’s popularity. Users can search pins, boards, or people. They can “like” other people’s pins, post comments, repin the images to their own boards, and even share them via Facebook and Twitter links, or by embedding them in a blog or email. They can follow other users, see activity streams, and click through to the source of an image for more information, or to make a purchase. Collaboration with Flickr was just announced, which enables sharing in the user's Flickr account.

Who uses it?

The number of unique visitors per month to Pinterest has jumped in just under one year from less than half a million to well over 18 million. Most (68.6%) are in the US, but all parts of the world are represented, and the numbers are growing. Users tend to spend quite a bit of time on the site: more than 15 minutes per day, which is over 50% more than Twitter. This explosion has created a huge buzz around the site, and at Websense we’ve learned that sites which attract lots of users also tend to attract lots of security concerns.

What could possibly go wrong?

Any site that attracts a lot of users and attention inevitably becomes a target for hackers and spammers. Spam and other types of objectionable content can be reported to Pinterest with the click of a button, which suggests the site relies on its users to spot problems and flag them for review. Malicious image files—where embedded...


Widespread malware abuses unsecured Geolocation Service of Adult Website

Posted: 03 May 2012 07:26 PM | Anonymous | no comments


While researching outbound malware communications to improve detections for our products, we recently made an interesting discovery. Thousands of samples running in our malware lab reached out to the URL promos.fling.com/geo/txt/city.php. At first we suspected this to be a command and control (C&C) server of botnet malware. However, Websense® categorization of the main Web page of the domain fling.com returned Adult, and visiting the page certainly confirmed this: the self-proclaimed "Hottest Place to Hook Up" suggested that we sign up to "Meet the Hottest Members in San Diego" (the location of the US Websense® Security Labs™).

This is where the originally discovered URL promos.fling.com/geo/txt/city.php comes into play. Directly visiting the URL returns JavaScript code that prints the geolocation of the visitor.

So how is this unsecured geolocation service used by the malware? Using the network tool Wireshark to look at the malware network traffic contacting this service, we can see that more information is disclosed. In this example our malware sandbox was connected to the Internet through a proxy service in Canada. Apart from the JavaScript payload, there are several HTTP cookies sent in the response header specifying the country, state, city, latitude and longitude.

Our analysis systems identified other likely C&C connections in the outbound traffic of the malware samples in question. Interestingly, these connections try to hide the malicious HTTP using a forged user-agent string. Looking at the geolocation service abused by the malware, we can make the connection that the 'CA' part (the country code for Canada) in this user-agent is used to disclose the geolocation of the infected machine to the botnet server. This information can be used by the botmaster for statistics or to give different commands to infected machines in certain countries.

As of the time of writing this blog post, a total of 4,775 samples that ran in our malware lab show connections to the adult geolocation service in question. Websense customers are protected against known variants of this malware; we also have real-time coverage in place for the traffic between the malware and the C&C servers.


The Institute for National Security Studies (Israel) falls prey to Poison Ivy infection

Posted: 02 May 2012 01:06 AM | Anonymous | no comments


The Websense® ThreatSeeker® Network has detected that the Institute for National Security Studies (INSS) website in Israel was injected with malicious code. INSS is described on its website as an independent academic institute that studies key issues relating to Israel's national security and Middle East affairs.

While we can't determine that the infection of this website with exploit code is part of a targeted attack, one could deduce that visitors to this type of site are likely to have an interest in national security or to work in this field. The website appears to have been injected with malicious code for over a week now. (Websense's ACE has provided protection against this type of injected malicious code since early 2009.)

One of the interesting facts about this infection is that it uses the same Java exploit vector (CVE-2012-0507) that managed to infect around 600,000 Mac users in a massive scatter attack dubbed Flashback a few weeks ago.


...
