
July 2012 Posts

New spam delivers fake booking.com hotel reservations
Posted: 23 Jul 2012 08:26 PM

It is tourist season, and lots of people are using online services to book hotels or flights. The Websense® ThreatSeeker® Network has detected spammers using fake booking.com email addresses to send hotel reservation confirmations that carry malware to unsuspecting users.

 

Here's what the spam email looks like:


The sample email consists of a fake confirmation letter from "booking.com," which includes random arrival and departure dates and some other information. Attached to it is a .zip file:


Decompressing the .zip file exposes a malicious executable, Hotel-Electronic-Reservation.exe. If a user runs it, the malware is installed. The Websense ThreatScope Analysis Report shows the specific behavior of this malware:

 

When running, the malware tries to connect to the internet to download other malware files.

 

It also drops files into special folders and runs them automatically:
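A mail gateway can catch this campaign before anyone opens the attachment. The following added example (not code from the post or from Websense) inspects a .zip attachment and flags executable members, PE magic bytes hiding under a harmless name, and executables wrapped in a nested zip; the attachment it builds is a constructed stand-in for the spam's archive, not the real sample.

```python
import io
import zipfile

# Extensions Windows will run directly; a hotel reservation has no business carrying one.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
MAX_MEMBER_SIZE = 10 * 1024 * 1024  # skip reading anything larger (decompression-bomb guard)


def build_attachment(member_name, content=b"MZ" + b"\x00" * 62, nested=False):
    """Construct a stand-in for the spam's .zip attachment (this is NOT the real sample).

    The default content is a dummy PE ('MZ') header so magic-byte checks have something
    to see. With nested=True the member is wrapped in a second zip named reservation.zip.
    """
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(member_name, content)
    if not nested:
        return inner.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("reservation.zip", inner.getvalue())
    return outer.getvalue()


def suspicious_members(zip_bytes, depth=0, max_depth=2):
    """Return (member_path, reason) pairs for members that should block the message.

    Flags executable extensions and PE magic bytes under a non-executable name, and
    recurses into nested zips up to max_depth so wrapping the .exe in another archive
    does not evade the check.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # Use the *last* extension so "Reservation.pdf.exe" is still caught.
            ext = name[name.rfind("."):].lower() if "." in name else ""
            if info.file_size > MAX_MEMBER_SIZE:
                findings.append((name, "oversized member, not inspected"))
                continue
            data = zf.read(info)
            if ext == ".zip" and depth < max_depth:
                for inner_name, reason in suspicious_members(data, depth + 1, max_depth):
                    findings.append((name + "/" + inner_name, reason))
            elif ext in EXECUTABLE_EXTENSIONS:
                findings.append((name, "executable extension"))
            elif data[:2] == b"MZ":
                findings.append((name, "PE header under non-executable name"))
    return findings


if __name__ == "__main__":
    sample = build_attachment("Hotel-Electronic-Reservation.exe")
    print(suspicious_members(sample))
```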

Websense customers are protected proactively against this compromise by ACE, our Advanced Classification Engine. Our real-time analytics also proactively identify several variants of this threat, and with the ThreatSeeker Network, we receive feedback in our email solutions that blocks messages containing these URLs and malicious files. 


Hermes Li

"Social" malware ready for the Olympic Games 2012
Posted: 20 Jul 2012 01:00 AM

 

The Opening Ceremony of the 2012 Olympic Games is exactly 1 week away and Websense Security Labs researchers are already seeing data-stealing malware that aims to capitalize on the Games. Malware piggybacks on the buzz surrounding current, high profile events like the Olympics in order to steal personal data. Olympics-themed content armed with malware is introduced mainly through social engineering-based attacks. The cyber criminals behind the themed attacks know that they have a better chance of enticing potential victims by appearing current and relevant to a hot topic. That gets clicks, and the chance to spread their data-stealing creations further.

 

We have been following with interest an advisory released by the Polish Computer Emergency Response Team (CERT), which analyzed an interesting sample of data-stealing malware. Once executed, this malware can interact with social channels like Facebook, Skype, and Microsoft Live Messenger. This particular variant spreads malicious URLs through those channels to the victim's contact list. To be precise, it uses a socially engineered lure accompanied by a malicious URL that ultimately leads to a malware file that is part of a bot network. Since the sample analyzed tries to take advantage of the buzz around the start of this year's Olympic Games, we decided it was timely to write this blog post.


Technical Analysis

 

Our analysis is based on a sample (MD5: 3E50B76C0066C314D224F4FD4CBF14D5) of the same malware family reported in the CERT.PL advisory. It is also detected as Pushbot, which is known to be a data-stealing malware variant. At first look, when the binary is executed on the affected system, it creates a new process of itself in memory that holds the core functionality. When we open it in a debugger and try to step through it, the binary appears to be protected by anti-debugging techniques. Specifically, we recognize the use of TLS (Thread Local Storage) functions without a clearly visible TlsCallback function. The use of TLS makes reverse engineering a bit trickier, since some of the core routines have already executed by the time the sample reaches the debugger's first break.

 

Likely, the authors of the loader have obfuscated the TlsCallback function. This function is normally executed just before the main entry point when the binary is run. If we can locate the TLS callback address, it becomes possible to retrieve the list of Relative Virtual Addresses, which is useful for mapping the addresses of the functions imported from system DLLs. In the TLS handler code section it was possible to retrieve the use of FlsSetValue() and other Flsxxxx functions introduced with Windows Vista:

This snippet of code could probably also be used to detect whether the infected system is running Windows XP or Windows Vista/Windows 7. To avoid spending time obtaining a proper PE file, we opted to dump the process directly from memory. This lets us start debugging the process at runtime. Basically, we have a dumped, non-compliant PE file, but it has all the information needed to begin a dynamic behavior analysis of the malware by attaching our stub (the dumped file) to the runtime process:

In the screenshot above, you can see the size difference between the dumped process and the original malicious PE file. At this point, the stub has been opened in the debugger, yielding a clean strings list. This includes a list of URL-shortener domains that the malware resolves in its initial sequence through the Windows DNS Resolver so that they are saved in the local DNS cache. This means the malware does not have to issue another DNS request later, which makes detection strategies harder to implement:

From the strings list, we can also find the list of processes that the malware checks to choose the communication channel used to spread itself. Specifically, the malware looks in memory for these processes: opera.exe, firefox.exe, iexplore.exe, skype.exe, and msnmsgr.exe. When a web browser is found, the malware changes its start page to redirect the user's HTTP sessions to malicious websites. In the case of Skype or Microsoft Live Messenger, the malicious process is able to forge HTTP requests with malicious payloads to users in the victim's contact list. We have also detected a Facebook URL forger used to build proper HTTP requests and send them to the Facebook server. In this way, if there is an active Facebook session, the malware can send malicious messages to the victim's Facebook friends list. This is also seen when we decrypt the configuration file retrieved from the C&C, shown here in its encrypted form as originally sent by the C&C server:

The C&C URL requested by this sample is hxxp://tintiurl.net/query.php, which is also involved in the so-called "Alcatraz" botnet. The domain seems to be tied to three different IP addresses, as shown below (from the Robtex result):

 

The IP addresses seen so far are: 46.220.203.212, 89.63.178.149, and 39.54.215.205. After decrypting the configuration file, we could see a clear 2012 Olympic Games theme:

 

The screenshot below shows the result of the decoding routine (the same routine reported in the CERT PL advisory). Basically, the configuration parameter names and values are XORed with the hexadecimal value 0x66, as shown in the following disassembled code:

After the decoding loop, a sort of configuration parser is executed (it starts in the second box above). Going back to the content of the configuration file, we now have the malware's configuration file decrypted:

The "hp" parameter sets the home page of the web browser on infected systems. In this case, the host hxxp://domredi.com/1/, which leads to hxxp://www.easynetseek.com, is used. This is a custom Google search page, as shown below:

 

The "MSN" parameter is set to the shortener hxxp://goo.gl/Ub99F. This URL is sent to users in the Microsoft IM client's contact list. We can also see that the configuration file apparently updates this bot to target only MSN users, since the parameters related to Facebook and Skype carry no URL. The Google short URL redirects to a domain registered 3 days ago ("hxxp://urilsfotosnica.com/images.php?="), which, according to our ThreatSeeker Network, still appears to be inactive:
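As an added example (not code from the post or from the CERT.PL advisory), here is the XOR-0x66 decoding step in Python together with a parser that reports which spreading channels a decoded configuration actually enables. The one-name=value-per-line layout, the case-insensitive parameter names, and the "skype" and "fb" names are assumptions; the encrypted blob is constructed from the defanged URLs quoted above.

```python
XOR_KEY = 0x66  # single-byte key seen in the disassembled decoding loop


def xor_config(data):
    """XOR every byte with 0x66. XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ XOR_KEY for b in data)


def parse_config(plaintext):
    """Split the decoded configuration into a name -> value dictionary.

    Assumed layout (not documented in the post): one 'name=value' pair per line,
    names compared case-insensitively, an empty value meaning the parameter is unset.
    """
    params = {}
    for raw in plaintext.decode("latin-1").splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip().lower()] = value.strip()
    return params


# Parameter names for the IM/social channels. "msn" is from the post; "skype" and "fb"
# are assumed names standing in for the Skype and Facebook parameters it mentions.
CHANNELS = {"msn": "Microsoft Live Messenger", "skype": "Skype", "fb": "Facebook"}


def active_channels(params):
    """A channel is in use only when its parameter carries a URL, as the post observes."""
    return [label for key, label in CHANNELS.items() if params.get(key)]


def decode_and_summarize(blob):
    """Decode a raw C&C blob and return (parameters, list of active channel labels)."""
    params = parse_config(xor_config(blob))
    return params, active_channels(params)


def constructed_sample():
    """Constructed blob (not the real C&C response) using the URLs quoted in the post."""
    text = (
        "hp=hxxp://domredi.com/1/\n"
        "MSN=hxxp://goo.gl/Ub99F\n"
        "skype=\n"
        "fb=\n"
    )
    return xor_config(text.encode("latin-1"))


if __name__ == "__main__":
    print(decode_and_summarize(constructed_sample()))
```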


The pattern ("/images.php?") used in the URL above is also a common pattern used by the RedKit Exploit Kit. Below is the source URL of the sample we analyzed in this blog post:


The URL hxxp://lokralbumsgens.com/pictures.php?pic=google is still active, and the domain was registered 20 days ago.

 

Although this malware is already well detected, we have focused our attention on how quickly the malware authors are ready to exploit the interest in this worldwide event in order to compromise more systems throughout the world. Websense customers are protected from these threats by ACE, our Advanced Classification Engine.


Gianluca Giuliani

You may be Surprise too receive this letterfrom me. . .
Posted: 18 Jul 2012 06:22 PM

You've almost certainly received an email similar to the one below.


Despite being well-known and transparent, the Nigerian email scam (also known as the 419 scam, a reference to the article of the Nigerian Criminal Code that such activities violate) retains its place on the list of top ten internet/email scams for 2012, and still results in millions of dollars of financial loss--and sometimes worse--for its victims. We've already blogged about a particularly amusing example caught in one of our honeypots, and a variant that adds phishing to the risks.

 

How does an obvious fraud continue to reel people in? And since the scammers want to find a likely mark and make some easy money, shouldn't they use a more credible and plausible email as bait?

 

Recent research from Microsoft suggests that email messages full of misspellings, grammar mistakes, and outrageous stories may actually work in the scammers' favor. Although it may appear counter-intuitive, it seems that the more implausible the bait, the better the chances the scammer has of actually collecting some money. Of course, most people will immediately delete an email like the one shown here (which includes an ironic warning against email scams), leaving the less savvy as easy prey for the scammers, which is exactly what they are looking for. In this way, they weed out the skeptical and cautious and reduce the pool of potential victims to those who are more likely to produce revenue. Because the scam and its Nigerian connection are so well known, there are even reports that non-Nigerian scammers may claim to be Nigerian--again, a means of weeding out the suspicious and homing in on the easy to fleece. Like legitimate businesses, scammers are also looking to optimize their operations, and don't want to waste time on unproductive activities.

 

Scambaiters are out to make them do just that, and look ridiculous into the bargain. One site dedicated to this "cybersport" explains the game: "You enter into a dialogue with scammers, simply to waste their time and resources. Whilst you are doing this, you will be helping to keep the scammers away from real potential victims and [messing] around with the minds of deserving thieves."

In addition, the site notes:

 

"For the most part these criminals are not 'poor people trying to scratch a living', but are indeed very prosperous compared to their law-abiding countrymen, and many operate in highly organised and highly successful criminal gangs.  Millions of dollars are stolen on a DAILY basis, with absolutely no thought given to victims, who are losing vast amounts of money, homes, relatives, jobs and worse."


Scambaiters pose as potential victims and lead scammers in a merry dance. Some pretend to misunderstand the scammer's instructions, leading to repeated communications from increasingly frustrated scammers, while others send receipts for non-existent airline tickets to prove they are on their way to Africa with the money. Their only concern now is recognizing their contact at the airport arrivals hall. "Could you kindly send a photo of yourself holding a sign with my name [insert name with humorous or indelicate double meaning] to ensure we are able to meet?" They can and they do.

 

If you're thinking that the scammers' tales of woe sound like Victorian melodrama, you wouldn't be far off. Snail mail variants of the scam predate the internet by almost 200 years, dating back to the 18th and 19th centuries. Nostalgic for the good old days? In July 2012, police busted an old-fashioned lottery mail scam in Spain that has claimed over 500 victims since the beginning of the year, which means that not having an email address is no guarantee of scam protection.

 

Websense customers are protected by our Advanced Classification Engine (ACE). Of course, a healthy dose of common sense helps, too.

 

Braaaaaaaaaaaiiiiiiiiiiiiiins!
Posted: 16 Jul 2012 06:23 PM

Here in Websense's own backyard, the 2012 San Diego Comic-Con has just folded up its superhero cape after four days of workshops, film screenings, panel discussions, and collectible exhibits. Beginning in 1970 with a one-day event and 145 attendees, Comic-Con now caps attendance at about 130,000 and brings in about $162.8 million to our local economy.


Judging by some of the costumed attendees we spotted downtown over the weekend (at least we hope that's what they were), zombies are an increasingly popular theme. As we observed the undead shuffling around near the Convention Center in search of human brains, we couldn't help but reflect on some obvious parallels between the zombie apocalypse and the security threats we face down every day here at Websense.

 

Night of the Living Bots! Compromised hosts as digital zombies! 

 

Think about it:

 

  • Zombies eat brains; in the security world, "brains" are confidential/proprietary data, customer data, and secrets.
  • Zombies take over their hosts; so do bot networks.
  • Zombies attack in hordes, just like huge-scale spam and DoS attacks.

 

Coincidence? We think not.

 

Fortunately, the world has been dealing with the zombie threat long enough to have established some Best Practices from the movie "Zombieland" to help survive an attack. These also have parallels in the security arena.

 

  • Rule No. 1:  Cardio.  "Zombies lead a very active lifestyle. So should you." The fitter you are, the better your chances of outrunning the undead. Websense pumps it up with up-to-the-millisecond proactive classification in real-time, keeping you a step ahead of security threats--always the safest place to be.
  • Rule No. 2:  The Double Tap.  "Just because the zombie is down is no reason not to finish it off." The Websense double tap is to classify and block both outbound malicious traffic and outbound proprietary data. Threats are down and OUT.
  • Rule No. 3:  Beware of Bathrooms. "Zombies smell when you are at your most vulnerable." Websense classifies and blocks cesspool websites based on poor web reputations, keeping you, your systems and your data clean and minty fresh.
  • Rule No. 4:  Avoid Strip Clubs. "Hang out in sleazy places, and bad things are likely to happen."  Websense goes there so you don't have to, hanging out where malware does in order to classify objectionable content before it finds you.
  • Rule No. 5:  The Buddy System. "Why don’t zombies attack each other? Possibly a herd instinct keeps them safe and you should do the same." The ThreatSeeker network has your back.

 

Beyond the established and internationally-recognized canon of zombie fighting rules, we've added a few new wrinkles. Bona fide professional zombie hunters Columbus, Tallahassee, Wichita, and Little Rock are available through Websense CSI to help you determine if you are under a zombie attack, and more important, to help you fight back and survive. ThreatScope, our very own version of Pacific Playland, lures the zombies out to play and reveals their true flesh-eating colors. Check out a sample report that helped avert a zombie apocalypse! 

 

Another essential rule is "Get a ...gnarly... partner," and nobody fills that bill better than Websense.

 


RM

New spear of Black Hole exploit kit targets Java Vulnerability CVE-2012-1723
Posted: 15 Jul 2012 01:00 PM

In early July, an update to the Blackhole exploit kit was issued that targets Java vulnerability CVE-2012-1723. The vulnerability can be used to evade the JRE (Java Runtime Environment) sandbox and load additional Java classes in order to perform malicious actions. Details about the vulnerability are here. At the moment, many of the websites used in this attack that are detected by the Websense® ThreatSeeker® Network are newly registered.

 

Websense customers are protected from this threat by our Advanced Classification Engine (ACE), which employs multiple methods to detect exploit kits both generically and specifically in real time.

 


Looking at the past three years, the Java platform has been one of the platforms most targeted by attackers. Java was designed to be portable, meaning it runs on virtually all computer operating systems, including Windows, Mac, and Linux. We still remember the Mac OS malware Flashback, which infected over 600,000 Apple computers worldwide in April 2012 using Java vulnerability CVE-2012-0507. Even now, we still see a lot of exploit kits that use CVE-2012-0507. Here are the Java platform vulnerabilities used in the wild since 2010:

 

  • CVE-2010-0094
  • CVE-2010-0840
  • CVE-2010-0842
  • CVE-2010-0844
  • CVE-2010-3552
  • CVE-2010-0886
  • CVE-2010-4452
  • CVE-2011-3521
  • CVE-2011-3554
  • CVE-2012-0507
  • CVE-2012-1723

 

Although Oracle released a patch in June for the latest vulnerability, cyber criminals are targeting machines that have not yet been updated. We recommend updating the Java platform, if you have it installed, as soon as possible. Also consider disabling the Java plugin in your web browser to reduce the risk if you do not use it much.

Raising DNSchanger Malware Awareness
Posted: 05 Jul 2012 08:42 PM

The cyber trenches are awash today with news of the DNSchanger malware. This continues earlier efforts to alert the public that they could lose their internet service this coming Monday, July 9. DNSchanger malware takes control of a user's DNS settings, which cyber criminals use to direct unsuspecting users to fraudulent sites or simply to interfere with the user's online activities. Inarguably, these servers are going to be taken down, spelling trouble for thousands of users who will lose their internet connections. The Trojan changes the DNS settings to IP addresses in the following ranges:

 

  • 85.255.112.0 through 85.255.127.255
  • 67.210.0.0 through 67.210.15.255
  • 93.188.160.0 through 93.188.167.255
  • 77.67.83.0 through 77.67.83.255
  • 213.109.64.0 through 213.109.79.255
  • 64.28.176.0 through 64.28.191.255

 

According to reports, the problem surfaced when an online advertising scam, operated by international hackers, took control of approximately 570,000 computers worldwide. The FBI estimates that more than half of these machines are still infected; 60,000 or more are believed to be in the United States. Infected machines have their antivirus software disabled, and users experience slowness when surfing the Web. Several ISPs and companies, including Google, Facebook and Comcast, have released notifications to their customers about this event. The FBI got involved as well and has set up a website, http://www.dcwg.org, for consumers to check their DNS. More information on DNSchanger malware is available here.

 

Here's a screenshot of a machine infected by the DNSchanger malware:

 

Checking this DNS IP in http://www.dcwg.org confirms it's rogue:
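The dcwg.org lookup above can be reproduced locally without sending anything off the machine. The following added example (not code from the post or from Websense) pulls the resolver addresses out of ipconfig /all output and checks each one against the six ranges listed in the post; the ipconfig excerpt is constructed, with its first resolver placed inside a rogue range.

```python
import ipaddress
import re

# Rogue resolver ranges listed in the post, as start/end pairs.
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

# Collapse each start/end pair into CIDR networks once, so lookups are cheap.
ROGUE_NETWORKS = [
    net
    for start, end in ROGUE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    )
]

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# ipconfig field labels end in a run of ". . ." followed by a colon;
# the indented continuation lines that carry extra resolvers do not.
LABEL = re.compile(r"\.\s+\.\s*:")


def is_rogue_resolver(ip):
    """True when the address falls inside one of the DNSchanger ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ROGUE_NETWORKS)


def parse_resolvers(ipconfig_output):
    """Extract DNS server addresses from 'ipconfig /all' text.

    The first server sits on the 'DNS Servers' line; additional servers follow on
    indented, unlabelled lines until the next labelled field appears.
    """
    resolvers, collecting = [], False
    for line in ipconfig_output.splitlines():
        if "DNS Servers" in line:
            collecting = True
        elif collecting and LABEL.search(line):
            collecting = False
        if collecting:
            match = IPV4.search(line)
            if match:
                resolvers.append(match.group(1))
    return resolvers


def rogue_resolvers(ipconfig_output):
    """Return only the configured resolvers that lie in a rogue range."""
    return [ip for ip in parse_resolvers(ipconfig_output) if is_rogue_resolver(ip)]


# Constructed ipconfig /all excerpt (not a real capture).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
```

On a live Windows machine, feed the text of ipconfig /all to rogue_resolvers(); an empty list means none of the configured resolvers fall in the listed ranges.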


We may also see malware, spam, or scam campaigns associated with news about the DNSchanger malware. As a precaution, be careful when clicking links in notification email claiming to be from your ISP or links in Facebook posing as information on DNSchanger malware. These may be spoofed email or links designed to download malware or take you to a malicious website.

 

Websense® security solutions protect against all known variants of the Trojan.

 

Mary Grace Timcang

The official website of GoPro is compromised to serve malicious code
Posted: 04 Jul 2012 05:24 PM

The Websense® ThreatSeeker® Network has detected that the official website of GoPro (at gopro.com), the popular brand for "wearable" cameras, has been compromised and injected with malicious code.  We have contacted GoPro and let them know about the compromise but to date, we have not heard back from them.

 

Update: gopro.com and all the other GoPro affected websites we mentioned in this post are now clean from this injection and no longer serve this malicious content.


Websense customers are protected from this threat by ACE, our Advanced Classification Engine.

 

The injected code is resident in multiple locations on the main page. This injection is part of a mass injection campaign known to us that is doing its rounds on the web at the moment (see image 2, marked in red). Our ThreatSeeker Network also spotted that the hosts of localized versions of GoPro.com are injected with malicious code as well; for example, the local website of GoPro France at fr.gopro.com. Other local versions include:


  • de.gopro.com
  • es.gopro.com
  • fr.gopro.com
  • it.gopro.com
  • jp.gopro.com
  • pt.gopro.com

 

Image 1: The official Website of gopro.com - the main page

 

Image 2: The injected code marked with red on the official website of GoPro (at gopro.com)

 

Once a user visits gopro.com, the injected code (marked in red) is translated into an iframe that leads the user, automatically and without any interaction, to a malicious redirector at ad.fourtytwo.proadvertise.net (see image 3 for the full URL). The redirector then sends the user to an exploit website at ad.banchoath.com loaded with the Blackhole exploit kit. There, several exploits are sent to the user's browser, and on successful exploitation the user's machine is infected with malware that, at the time of this post, had a detection rate of about 9% according to virustotal.com. The malicious file is an ad-clicker that generates large amounts of traffic to legitimate ad websites, following a list of instructions it downloads from a designated server. It also launches the local browser from time to time to show advertisements.

 

Image 3: The injected code translates to an Iframe that takes without user interaction the visitor to an exploit Website

 

Image 4: The exploit Website is loaded with the infamous Blackhole Exploit Kit

 

We shall update the blog with additional information as it comes to light.

©2013 Websense, Inc. All Rights Reserved.