August 2012 Posts

Oracle releases Java 1.7.0_07 to fix CVE-2012-4681
Posted: 30 Aug 2012 11:26 AM

Oracle did what all of us were hoping they would do: release an out-of-band patch for the latest Java zero-day. The new versions, 1.7.0_07 and 1.6.0_35, both fix the vulnerabilities covered by CVE-2012-4681 that we've blogged about here and here. We have tried the patch and verified that it works as designed.

If you need Java, we recommend that you install this update immediately. If you have no need for Java, we recommend that you uninstall it altogether if you haven't already done so. More information from Oracle about the vulnerability and the patch is available in their security alert.

Patrik Runald

New Java 0-day added to Blackhole Exploit Kit
Posted: 28 Aug 2012 04:44 PM

Earlier today we blogged about a new Java zero-day vulnerability (CVE-2012-4681) being used in a small number of attacks. That's about to change: exploit code for the Java vulnerability has been added to the most prevalent exploit kit out there, Blackhole.

Here's a snippet of the updated Blackhole code:

The Pre.jar file (VirusTotal link) uses the new vulnerability to install the malware (VirusTotal link). In this particular attack the payload was a banking trojan, as can be seen from our ThreatScope report. Websense customers using our Advanced Classification Engine (ACE) were proactively protected against the updated Blackhole kit by our real-time analytics.

Technically, the new "vulnerability" is actually two separate vulnerabilities used together. A technical analysis of both is available at the Immunity Products blog in this post.

Malicious Email Messages Posing as Antivirus Notifications
Posted: 28 Aug 2012 03:36 PM

Websense® ThreatSeeker® Network intercepted a malicious email campaign posing as antivirus notifications that warn users that their accounts may be blocked. These fake messages state that the victim's email address has been sending infected email to the mail server, and that the situation can be remedied by clicking a URL to download a free removal tool. The "free tool" is, of course, a malicious executable that connects to malicious websites and then drops more executables on the victim's computer.

This looks like a low-volume campaign: we have seen (and blocked) approximately 2,700 of these emails yesterday and today.

Websense customers are protected from these threats by ACE™, our Advanced Classification Engine.

The email may carry a subject like this:

[Symantec] - Your e-mail account may be blocked.

The "From" address is spoofed and varies; note that several of them pair one vendor's name with another vendor's domain. Observed values include:

  • scanner@symantec.com
  • scanonline@f-secure.com
  • symantec@verisign.com
  • scan@sophos.com
  • symantec@sophos.com
  • virscan@secureroot.com
  • noreply@verisign.com

Here's a sample:

Notice that the email text contains the phrase "Scanning sytem..." (sic), which is completely false: no scan is taking place. The victim is told that the computer is infected with the worm W32.Swizzor.C-WORM and urged to download the "removal tool" for protection.

Clicking the suggested link takes the victim to:

hxxp://www.protectedssl.net/removal/SymantecRemoval&2012&09.data=SwizzorC.php

which prompts the user to download a file with the reassuring name "RemovalTool.exe" from:

hxxp://www.protectedssl.net/RemovalTool.exe

You can see an AceInsight report for the first URL here:

 http://aceinsight.websense.com/report.aspx?g=18D3325A54C64DBA9B7ACC7702DF4748
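As an added example (not code from the original post or from Websense), the following Python script applies the indicators described above to a raw message: a subject matching the lure, a vendor name in the sender address or subject that does not match the sending domain, the fake "Scanning system" text, and a direct link to an executable. The brand-to-domain mapping and the sample message are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brands named in the lure and the mail domains they would plausibly send from.
# Illustrative mapping for this example, not a vendor-supplied list.
BRAND_DOMAINS = {
    "symantec": {"symantec.com"},
    "f-secure": {"f-secure.com"},
    "sophos": {"sophos.com"},
    "verisign": {"verisign.com"},
}

LURE_SUBJECT = re.compile(
    r"\[(?P<brand>[A-Za-z-]+)\]\s*-\s*Your e-?mail account may be blocked", re.I)
# Match live and already-defanged URLs so the same code works on either.
URL_RE = re.compile(r"\b(?:https?|hxxps?)://[^\s<>\"']+", re.I)


def defang(url: str) -> str:
    """Neutralise a URL for reports: http(s):// -> hxxp(s)://."""
    return re.sub(r"^http", "hxxp", url, flags=re.I)


def _body_text(msg) -> str:
    """Return the text/plain content of a parsed message (multipart-aware)."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
    else:
        parts = [msg.get_payload(decode=True) or b""]
    return "\n".join(p.decode("utf-8", "replace") for p in parts)


def triage(raw: str) -> dict:
    """Score one raw RFC 822 message against the fake-AV lure indicators."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    _, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().rpartition("@")
    body = _body_text(msg)
    findings = []

    m = LURE_SUBJECT.search(subject)
    if m:
        findings.append("subject matches fake-AV lure")
    # Brand the message claims to come from: bracketed name in the subject
    # and/or a vendor name used as the local part of the sender address.
    claimed = {m.group("brand").lower()} if m else set()
    claimed |= {brand for brand in BRAND_DOMAINS if brand in local}
    for brand in sorted(claimed):
        if domain not in BRAND_DOMAINS.get(brand, set()):
            findings.append(f"claims {brand} but sent from {domain}")

    if re.search(r"scanning\s+s\w*tem\b", body, re.I):
        findings.append("fake 'scanning system' text")
    urls = [defang(u) for u in URL_RE.findall(body)]
    if any(u.lower().endswith(".exe") for u in urls):
        findings.append("direct link to an executable")

    return {"from": addr, "domain": domain, "urls": urls,
            "findings": findings, "suspicious": len(findings) >= 2}


# Constructed sample modelled on the campaign described above (not a real capture).
SAMPLE = """\
From: symantec@sophos.com
To: user@example.com
Subject: [Symantec] - Your e-mail account may be blocked.

Scanning sytem...
Your computer is infected with W32.Swizzor.C-WORM.
Download the removal tool: hxxp://www.protectedssl.net/RemovalTool.exe
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE)["findings"]:
        print("-", finding)
```

The brand/domain mismatch check is the one worth keeping even after this campaign is gone: a message that names one vendor while arriving from another vendor's domain is wrong regardless of the lure text, and it is cheap to evaluate before any URL is fetched.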

ThreatScope analysis, which is a part of the Websense CSI service, identifies the file RemovalTool.exe as malicious due to its behavior:

1. HTTP traffic to server hosting malicious content

2. Drops executable file(s)

3. HTTP traffic to uncategorized server

4. Writes to the filesystem in a directory of the user profile often used by malware

The full ThreatScope report can be seen here.

At the time of writing, only 3 of 42 AV engines on VirusTotal identified the file as malicious:

How does Websense protect against this threat?

Websense Email Security products block these messages as spam using a combination of network traffic, reputation, and spam rules.

For Websense Web Security products, the real-time analytics in Web Security Gateway, Web Security Gateway Anywhere, and Cloud Web Security block the landing URL, providing further protection.

Ran Mosessco

New Java 0-day used in small number of attacks
Posted: 27 Aug 2012 02:57 PM

Over the weekend, information started appearing that a new Java zero-day vulnerability (CVE-2012-4681) was being used in a small number of attacks. We have analyzed samples from the attack and can confirm that Websense customers using products with our Advanced Classification Engine (ACE) have been protected against this zero-day by real-time analytics dating back to early 2009.

We have confirmed that the exploit doesn't work on Java 1.6.x, but it does work on 1.7.0_05 and 1.7.0_06 (the latest available versions at the time of writing). David at Errata Security has tried it and verified that the same exploit works just as well on Linux and OS X, including Mountain Lion 10.8.1. That's right, folks: yet another cross-platform vulnerability in Java, and with the increasing amount of Mac malware we're seeing, we wouldn't be surprised if this starts being used against Mac users shortly.

Regardless of which browser and operating system you use, disable Java in the browser, or better yet uninstall it, unless you really need it. Brian Krebs has instructions on how to disable Java in browsers on both Windows and Mac. There's already a Metasploit module for the new vulnerability, which increases the risk of it being used in attacks against a much larger number of targets.

The obfuscated JavaScript above downloads a file called applet.jar (VirusTotal report), which in turn uses the vulnerability to download the payload hi.exe (VirusTotal report), save it as update.exe, and execute it. The downloaded EXE is a variant of Poison Ivy that tries to connect to a known malicious host in Singapore. See our ThreatScope report for more information about the file.
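The version facts in this post and in the 30 Aug post above (1.7.0_05 and 1.7.0_06 exploitable, 1.7.0_07 and 1.6.0_35 fixed, 1.6.x not reachable by the public exploit) reduce to a version comparison that is easy to get wrong because Java's update number sits after an underscore. The following Python script is an added example, not from Websense or Oracle: it parses the banner `java -version` prints (on stderr) and classifies the installed runtime. The labels, and the choice to report an out-of-date 1.6.x as "update-available" rather than "vulnerable", are this example's own.

```python
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, micro, update)

# Fixed builds from Oracle's 30 Aug 2012 out-of-band release for CVE-2012-4681.
FIXED = {
    (1, 7): (1, 7, 0, 7),    # 1.7.0_07
    (1, 6): (1, 6, 0, 35),   # 1.6.0_35
}

# Matches the quoted version in e.g. 'java version "1.7.0_06"'.
_VERSION_RE = re.compile(r'"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?[^"]*"')


def parse_java_version(banner: str) -> Optional[Version]:
    """Extract (major, minor, micro, update) from `java -version` output."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def assess(version: Version) -> str:
    """Classify a parsed version against the CVE-2012-4681 fixes."""
    family = version[:2]
    if family == (1, 7):
        return "patched" if version >= FIXED[family] else "vulnerable"
    if family == (1, 6):
        # The public exploit does not run on 1.6.x, but 6u35 still carries fixes.
        return "patched" if version >= FIXED[family] else "update-available"
    return "unknown"  # e.g. a later, differently numbered Java release


def assess_banner(banner: str) -> str:
    version = parse_java_version(banner)
    return "no-java" if version is None else assess(version)


def local_java_status() -> str:
    """Run `java -version` on this host; the banner is written to stderr."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "no-java"
    return assess_banner(proc.stderr + proc.stdout)


if __name__ == "__main__":
    print(local_java_status())
```

This checks only the JRE found on PATH. Browsers use the plug-in registered with them, which can be an older install in a different directory, so on a fleet the same comparison should be run against every `java` binary found, not just the first one.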

Benefits of your Blackberry ID in this attached malware
Posted: 22 Aug 2012 10:39 PM

Websense® ThreatSeeker® Network intercepted a malware campaign targeting BlackBerry customers. These fake emails state that the recipient has successfully created a BlackBerry ID. The messages then continue, "To enjoy the full benefits of your BlackBerry ID, please follow the instructions in the attached file." That, of course, is an attempt to lure victims into running the attached malware.

The malicious email itself is a copy-and-paste of a legitimate email from BlackBerry. Although the attachment should itself raise suspicion, there is no malicious or compromised URL in the message. 17 of 36 AV engines on VirusTotal identify the attachment as malware.

ThreatScope analysis, which is part of the Websense CSI service, reports that running the attachment drops other executable files and modifies the system registry so that these programs start automatically when the system boots.

Websense customers are protected from these threats by ACE, our Advanced Classification Engine.

Mary Grace Timcang

Shamoon/DistTrack affecting energy sector
Posted: 16 Aug 2012 01:42 PM

Today news broke that at least one organization in the energy sector was hit by malware named Shamoon, also known as DistTrack. We've been looking at the related malware samples and can confirm that Websense products with our Advanced Classification Engine (ACE) have had proactive detection in place since 13 December 2010, more than 18 months before this attack.

Once running, the malware is very aggressive and destructive, something rarely seen in attacks. Most attacks are designed to stay on a system quietly for a long period of time. Shamoon/DistTrack does the opposite: it overwrites files on the hard drive and then overwrites the master boot record (MBR), leaving the computer unbootable.

The malware consists of three components:

  • Dropper – This is the most essential component in that it installs the malware. It is also the file that ACE has been detecting.
  • Wiper – This is the component that overwrites files and the MBR.
  • Reporter – This module reports a list of found files to the C&C.

As mentioned earlier, the Dropper has been detected since 13 December 2010. Detection for the Wiper and Reporter components was added this morning.

When the Dropper executes, it installs several files on the system, including a signed driver (not malicious in itself) that is used to access the disk. We are not sure how the malware authors came to ship a driver signed with a third-party organization's certificate; it may have been stolen in a previous attack, or the driver may simply be a legitimately signed component reused as-is. Either way, a valid signature on one component is no indication that the package as a whole is benign.
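The Wiper's final step, overwriting the MBR, leaves a signature that is easy to test for during response: the first sector no longer ends in 0x55AA and its partition table no longer describes anything plausible. The following Python is an added example (not Websense code and not derived from the Shamoon samples) that parses a 512-byte MBR and applies that heuristic; the "wiped" sample is constructed filler, not the wiper's actual output.

```python
import struct

SECTOR = 512
PART_TABLE = 446          # offset of the four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"    # MBR boot signature at offset 510


def parse_mbr(sector: bytes) -> dict:
    """Parse a classic 512-byte MBR: boot signature and four partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE + 16 * i
        entry = sector[off:off + 16]
        lba_start, sectors = struct.unpack("<II", entry[8:16])
        partitions.append({
            "status": entry[0],        # 0x80 bootable, 0x00 inactive
            "type": entry[4],          # 0x07 = NTFS/exFAT, 0x00 = unused
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {"signature_ok": sector[510:512] == BOOT_SIG,
            "partitions": partitions}


def looks_wiped(sector: bytes) -> bool:
    """Heuristic for an overwritten MBR: missing 0x55AA signature, no partition
    entries in use, impossible status bytes, or a used entry with zero length."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return True
    used = [p for p in info["partitions"] if p["type"] != 0]
    if not used:
        return True
    if any(p["status"] not in (0x00, 0x80) for p in info["partitions"]):
        return True
    return any(p["sectors"] == 0 for p in used)


def check_device(path: str) -> bool:
    """Read the first sector of a disk or image (needs read access, e.g. root
    on /dev/sda) and report whether it looks wiped."""
    with open(path, "rb") as f:
        return looks_wiped(f.read(SECTOR))


def build_sample_mbr(wiped: bool) -> bytes:
    """Constructed samples: a minimal single-NTFS-partition MBR, or a sector
    overwritten with repeating filler the way a wiper would leave it."""
    if wiped:
        return b"\xde\xad\xbe\xef" * (SECTOR // 4)
    boot_code = bytes(PART_TABLE)
    entry = struct.pack("<BBBBBBBBII",
                        0x80,              # bootable
                        0x01, 0x01, 0x00,  # CHS start (ignored by modern loaders)
                        0x07,              # NTFS
                        0xfe, 0xff, 0xff,  # CHS end
                        2048,              # LBA start
                        204800)            # 100 MiB in sectors
    return boot_code + entry + bytes(48) + BOOT_SIG


if __name__ == "__main__":
    for label, wiped in (("intact", False), ("wiped", True)):
        print(label, "->", "WIPED" if looks_wiped(build_sample_mbr(wiped)) else "ok")
```

Run `check_device` against a disk image taken from a suspect host rather than the live disk where possible; a GPT disk carries a protective MBR with a single 0xEE entry, which this heuristic correctly treats as intact.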

Here are some MD5s of samples involved in this attack:

  • 41f13811fa2d4c41b8002bfb2554a286
  • 3b740cca401715985f3a0c28f851b60e
  • d214c717a357fe3a455610b197c390aa
  • b14299fd4d1cbfb4cc7486d978398214

We're continuing to monitor the situation.

Patrik Runald

London Olympics Search Results Lead to Objectionable Sites
Posted: 10 Aug 2012 05:58 PM

We've previously blogged about Olympic ticket scams, phishing, malware designed to propagate through social networks, and other Olympic security concerns.

We also know that attackers take advantage of people searching for breaking news and trending topics about the Olympics through various SEO poisoning techniques. When Georgian luger Nodar Kumaritashvili died in a tragic training accident just before the Vancouver Olympics in 2010, multiple malware pages quickly appeared in the top search results. Clicking these links led to pages with pop-up warnings telling the user to click a button to view a video or to clean up computer problems. Of course, clicking led to malware.

SEO poisoning remains a problem, but Google seems to have a better handle on it where searches related to the London Olympics are concerned, at least in English. When we started using Russian search terms, however, things deteriorated quickly. Using the Russian translation of "watch 2012 Olympics online", we did a Google search and clicked on the second result:

While the domain itself is correctly categorized as Sports, it's clear that some objectionable content is showing up in the ads:

In addition, clicking on the page redirects to various questionable places, including information on how to control men:

In another investigation, Websense® researchers analyzed Twitter traffic based on popular Olympics-related terms, events, and athletes, from two days before the Opening Ceremony through August 8th. Not surprisingly, traffic peaked on the day the Games opened and again three days later, when Olympians Tom Daley, Michael Phelps, Ruta Meilutyte, and Maria Sharapova topped Google Trends.

Looking more closely at the data, we found that a handful of Twitter feeds from certain athletes and teams were posting shortened URLs that redirected to Objectionable or Security categories, including Malicious Web Sites and Malicious Embedded Link:

We took a sample set of 3,600 of these, unshortened them, and analyzed the category breakdown:

Websense customers are protected from these threats by our Advanced Classification Engine™ (ACE).

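Unshortening a URL, as done for the 3,600-link sample above, means following the redirect chain without letting a client library hide the intermediate hops, because the tracking or redirector domains in the middle are often the interesting part. The following Python is an added example (not Websense's tooling): `unshorten` follows one `Location` at a time, resolves relative redirects, and stops on loops. The `FAKE_HOPS` table and its hostnames are constructed so the example runs offline; `http_head` is the real fetcher for use against live URLs.

```python
import http.client
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


def http_head(url: str, timeout: float = 5.0):
    """One HEAD request that does NOT follow redirects. Returns (status, Location)."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    try:
        path = (u.path or "/") + ("?" + u.query if u.query else "")
        conn.request("HEAD", path, headers={"User-Agent": "unshortener-example/1.0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def unshorten(url: str, fetch=http_head, max_hops: int = 10) -> dict:
    """Follow redirects one hop at a time, recording the chain; stop on a
    non-redirect response, a loop, or too many hops."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return {"final": url, "chain": chain, "status": "resolved", "http": status}
        nxt = urljoin(url, location)       # Location may be relative
        if nxt in seen:
            return {"final": nxt, "chain": chain + [nxt], "status": "loop", "http": status}
        seen.add(nxt)
        chain.append(nxt)
        url = nxt
    return {"final": url, "chain": chain, "status": "too-many-hops", "http": None}


# Constructed redirect table standing in for the network; the hostnames are
# placeholders, not the shorteners or landing sites seen in the investigation.
FAKE_HOPS = {
    "http://sho.rt/abc": (301, "http://track.example/r?u=1"),
    "http://track.example/r?u=1": (302, "/landing"),
    "http://track.example/landing": (200, None),
    "http://sho.rt/loop": (302, "http://sho.rt/loop2"),
    "http://sho.rt/loop2": (302, "http://sho.rt/loop"),
}


def fake_fetch(url: str):
    return FAKE_HOPS.get(url, (404, None))


if __name__ == "__main__":
    print(unshorten("http://sho.rt/abc", fetch=fake_fetch))
```

Two caveats when running this against live links: the fetch itself touches every hop, so do it from an isolated analysis host, and some redirectors only redirect on GET or vary by User-Agent, so a HEAD-based chain can differ from what a victim's browser sees.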
Elisabeth Olsen

Nepalese government websites compromised to serve Zegost RAT
Posted: 08 Aug 2012 10:36 AM

The Websense® ThreatSeeker® Network has detected that two Nepalese government websites, the National Information Technology Center (nitc.gov.np) and the Office of the Prime Minister and Council of Ministers (opmcm.gov.np), have been compromised and injected with malicious code that tries to exploit the Java vulnerability CVE-2012-0507. The aim of the injection is to install, by successfully exploiting that Java weakness, a backdoor known as "Zegost" on the systems of visitors to these websites.

This vulnerability (CVE-2012-0507) was also used in the Amnesty International UK website compromise and in the INSS website compromise that we reported a few months back. It's interesting to note that all of those compromises used injected code taken from the Metasploit framework, served in the clear and not obfuscated. Although the use of Metasploit code doesn't by itself indicate a link between the compromises, we found further common characteristics between the Amnesty UK and Nepalese government compromises when we analyzed the backdoors' C&C points: they connect to the same domain in China.

The backdoor variant in this attack is known to have been used in other targeted attacks aimed at Uyghurs, Tibetans, and others in that region.

Websense customers are protected from these threats by ACE, our Advanced Classification Engine.

Technical Analysis

According to Cyberwarnews, in early 2012 the websites of Nepalese institutions such as the police suffered two other types of attack, mainly defacements and data leakage. But it's not just Nepal that has been affected: the region has recently seen a sequence of targeted attacks and APT activity.

Below is the content of the Nepalese National Information Technology Center (NITC) Web page, with the injected code marked in red:

The main page was injected with a loader for a Java JAR file which, once rendered by the Web browser, is executed and attempts to exploit CVE-2012-0507. The Java class name used ("msf.x.Exploit.class") and the content of the file confirm that the code was taken from the Metasploit framework. If the exploit code in the JAR file executes successfully, the exploit shellcode downloads and runs an executable named "tools.exe" on the affected system (MD5: 3c7b7124f84cc4d29aa067eca6110e2f).
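Because the injected code was unobfuscated Metasploit output, the two facts above, an applet tag on the page and the `msf.x.Exploit` class name inside the JAR, are enough to triage a suspect page and its archive. The Python below is an added example (not Websense's detection logic): it pulls `archive`/`code` attributes out of `<applet>` tags and lists the classes in a JAR, flagging the class path the page identifies. The `msf/` prefix check, the sample HTML and the sample JAR are this example's own constructions.

```python
import io
import re
import zipfile

# Class path the page identifies in the injected JAR; the "msf/" prefix check
# generalises it to other Metasploit-generated JARs (assumption for this example).
MSF_CLASS = "msf/x/Exploit.class"
MSF_PREFIX = "msf/"

APPLET_RE = re.compile(r"<applet\b([^>]*)>", re.I)
ATTR_RE = r"\b{}\s*=\s*[\"']?([^\"'\s>]+)"


def find_applet_refs(html: str):
    """Return (archive, code) pairs for every <applet> tag in a page."""
    refs = []
    for attrs in APPLET_RE.findall(html):
        archive = re.search(ATTR_RE.format("archive"), attrs, re.I)
        code = re.search(ATTR_RE.format("code"), attrs, re.I)
        refs.append((archive.group(1) if archive else None,
                     code.group(1) if code else None))
    return refs


def inspect_jar(data: bytes) -> dict:
    """List classes in a JAR, flag Metasploit naming, and note whether it is signed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    classes = [n for n in names if n.endswith(".class")]
    markers = [n for n in classes if n == MSF_CLASS or n.startswith(MSF_PREFIX)]
    signed = any(n.startswith("META-INF/") and n.upper().endswith((".SF", ".RSA", ".DSA"))
                 for n in names)
    return {"classes": classes, "metasploit_markers": markers, "signed": signed,
            "verdict": "metasploit-exploit-jar" if markers else "no-known-marker"}


def build_sample_jar(class_names) -> bytes:
    """Constructed JAR with placeholder class entries (class-file magic only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for name in class_names:
            zf.writestr(name, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


# Constructed snippet in the shape of the injection described above, not the
# actual content of the compromised pages.
SAMPLE_HTML = """
<html><body>
<applet archive="exploit.jar" code="msf.x.Exploit.class" width="1" height="1"></applet>
</body></html>
"""

if __name__ == "__main__":
    print(find_applet_refs(SAMPLE_HTML))
    print(inspect_jar(build_sample_jar([MSF_CLASS, "msf/x/Loader.class"])))
```

A 1x1 applet with a non-descriptive archive name is itself worth a look even when the class names have been renamed; the class-name match is a high-confidence signal, not the only one.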

The ThreatSeeker Network was able to connect that same executable dropped from nitc.gov.np (National Information Technology Center) to another Nepalese government website, opmcm.gov.np (Office of the Prime Minister and Council of Ministers), as shown below:

The red, boxed URL is the website of the Office of the Prime Minister and Council of Ministers. We found that this website was compromised earlier this year, at least from May 9 to 15, to serve the same backdoor executable (MD5: 3c7b7124f84cc4d29aa067eca6110e2f):

The content injected between those dates at the Office of the Prime Minister and Council of Ministers website was identical to the code injected at the National Information Technology Center website, confirming that the same attack vector was used for both:

We determined that the dropped backdoor "tools.exe" (MD5: 3c7b7124f84cc4d29aa067eca6110e2f) is variant "AD" of the Zegost backdoor. This backdoor toolkit, or remote administration tool (RAT), has also been involved in other targeted attacks in Asia, according to an analysis by AlienVault on their research blog.

Thanks to the Websense ThreatScope® sandbox service, the C&C address was identified as "who.xhhow4.com", as shown in the picture below (for the complete sandbox report, click here).

The domain "xhhow4.com" was also used as a C&C point for the backdoor served from the compromised Amnesty UK website, where that variant connected to "shell.xhhow4.com" (for the complete sandbox report, click here).

Both C&Cs are hosted at IP address 184.22.171.216:

The domain "xhhow4.com" is hosted in China by a Web hosting company known as Hichina Zhicheng Technology Co., Ltd. The next image shows a Robtex DNS names graph for that domain:

Once the backdoor is installed on the affected system, it initiates connections from local TCP port 1320 to the C&C at "who.xhhow4.com" on remote TCP port 53, the port normally used for DNS over TCP (zone transfers and large responses). It's important to note that the traffic is not DNS at all, but the backdoor's own protocol for remote communications; outbound TCP/53 is allowed through many egress filters, which is why a non-DNS payload on that port deserves inspection rather than being assumed to be DNS. Below is the first connection sequence between the backdoor and the C&C:

By decoding the TCP stream, it is possible to see that custom encryption is used to exchange information with the C&C. The stream also starts with a keyword, "URATU", as shown below:
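The observation that the port-53 traffic is not DNS, and that the client's first bytes are the literal "URATU", is exactly what a protocol-mismatch check can detect. The Python below is an added example (not Websense's detection): it validates the DNS-over-TCP framing and header from RFC 1035 section 4.2.2, labels the "URATU" banner, and flags any TCP/53 flow whose first payload is not DNS. The sanity bounds in `parse_dns_tcp`, the sample flows and the filler bytes after "URATU" are this example's own.

```python
import struct

DNS_HEADER = struct.Struct("!HHHHHH")   # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT


def parse_dns_tcp(payload: bytes):
    """Parse the framing and header of a DNS-over-TCP message (2-byte length
    prefix, then the 12-byte header). Returns a dict, or None if the bytes do
    not look like DNS."""
    if len(payload) < 2 + DNS_HEADER.size:
        return None
    (length,) = struct.unpack("!H", payload[:2])
    if length != len(payload) - 2:
        return None
    txid, flags, qd, an, ns, ar = DNS_HEADER.unpack(payload[2:14])
    opcode = (flags >> 11) & 0xF
    # Sanity bounds chosen for this example: opcodes 0-5 are assigned, bit 6 of
    # the flags is reserved and must be zero, and real queries carry few questions.
    if opcode > 5 or (flags & 0x0040) or qd > 16:
        return None
    return {"id": txid, "qr": flags >> 15, "opcode": opcode,
            "qdcount": qd, "ancount": an}


def classify_tcp53(payload: bytes) -> str:
    """Label a TCP/53 client payload: real DNS, the Zegost 'URATU' banner, or other."""
    if payload.startswith(b"URATU"):
        return "zegost-uratu"
    if parse_dns_tcp(payload) is not None:
        return "dns"
    return "non-dns"


def flag_flows(flows):
    """Given (src_port, dst_port, first_payload) tuples, return the flows to
    port 53 whose first payload is not DNS, with the label attached."""
    out = []
    for src, dst, payload in flows:
        if dst == 53:
            label = classify_tcp53(payload)
            if label != "dns":
                out.append((src, dst, label))
    return out


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed DNS-over-TCP A query for `name` (for offline testing)."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    question = qname + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    msg = DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0) + question  # RD set
    return struct.pack("!H", len(msg)) + msg


# Constructed flows: one genuine query and one beacon from the local port the
# page reports for the backdoor (1320). The bytes after "URATU" are filler.
SAMPLE_FLOWS = [
    (49152, 53, build_dns_query("example.com")),
    (1320, 53, b"URATU" + bytes(range(16))),
    (49153, 443, b"\x16\x03\x01"),
]

if __name__ == "__main__":
    for flow in flag_flows(SAMPLE_FLOWS):
        print(flow)
```

The header check is deliberately strict about the length prefix: a non-DNS client that happens to start with two small bytes will still fail it unless the rest of the payload is exactly that long, which keeps the false-positive rate low on real TCP/53 resolver traffic.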

Once executed, the binary creates a mutex named "microsoft.com", as reported below:

The backdoor has the features common to other backdoors, such as keylogging, and can accept and run commands remotely. As in other cases, the backdoor isn't highly complex at all, but it's certainly no less effective than more complex malware once it is running on the target system. Another interesting aspect of this file is that it's signed with what appears to be an invalid or fake certificate issued to 360.cn (Qihoo 360, a Chinese security vendor) by VeriSign, as shown in the properties box:

The certificate contains the following details:

Signing malicious code with certificates is a trend we've seen in other targeted attacks; a signature, even an invalid one, can reduce the effectiveness of human and automated countermeasures, so tools and analysts should check that a signature actually verifies rather than merely that one is present.

In this blog, we covered the compromise of Nepalese government websites in what appears to be a chain of targeted attacks. We managed to connect those attacks to a previously reported attack in a different country: the compromise of the Amnesty International UK website. This shows that cyber warfare is alive and kicking, and that there is certainly an effort by international players to stay dominant and persistent in that realm.

Security Researchers: Gianluca Giuliani, Elad Sharf.

Fake AT&T email Installs Malware
Posted: 02 Aug 2012 10:34 AM

Websense® ThreatSeeker® Network detected a massive phishing campaign targeting AT&T customers. More than 200,000 fake emails masquerade as billing information from the giant American communication services provider. Each message claims that there is a bill of a few hundred US dollars.

In itself, the amount could be big enough to raise suspicion in most of us. It is also easy to see, by hovering the mouse cursor over the link, that the target Web address differs from the one displayed in the text of the message. Websense Security Labs strongly recommends that you not click links in emails. Instead, type the legitimate domain name into your browser manually and access the website that way.
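The "hover and compare" advice above can be automated at the gateway: when a link's visible text is itself a URL, its host should agree with the host in the `href`. The Python below is an added example (not Websense's filtering logic) that parses an HTML body, collects anchors, and reports the ones whose displayed domain and real target differ. The two-label `registrable` helper is a simplification standing in for a public-suffix lookup, and the sample body uses placeholder hostnames rather than the campaign's real infrastructure.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(s: str) -> str:
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def registrable(host: str) -> str:
    """Last two labels of a hostname. Naive stand-in for a public-suffix
    lookup (assumption for this example; co.uk-style suffixes need a PSL)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


LOOKS_LIKE_URL = re.compile(r"^(?:https?://|www\.)", re.I)


def mismatched_links(html: str):
    """Return links whose visible text is itself a URL pointing at a different
    registrable domain than the href actually targets."""
    parser = _LinkCollector()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        if LOOKS_LIKE_URL.match(text) and registrable(_host(text)) != registrable(_host(href)):
            out.append({"shown": text, "actual": href})
    return out


# Constructed message body in the shape of the lure described above; the
# hostnames are placeholders, not the campaign's real infrastructure.
SAMPLE_HTML = """
<p>Your AT&amp;T bill is ready. View it at
<a href="http://compromised-site.example/wp-content/bill.php">https://www.att.com/olam/billing</a>.</p>
<p>Questions? <a href="https://www.att.com/support">https://www.att.com/support</a></p>
"""

if __name__ == "__main__":
    for hit in mismatched_links(SAMPLE_HTML):
        print(f"shown {hit['shown']!r} -> actually {hit['actual']!r}")
```

This catches only the case where the lure shows a URL as the link text; a link labelled "View your bill" needs the href host checked against the claimed sender's domain instead, which is the same comparison with the brand domain substituted for the displayed text.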

Clicking the link in the bogus message sends the user to a compromised Web server that redirects the browser to a Blackhole exploit kit. The malware that is then downloaded onto the computer is currently not detected by most antivirus products, according to VirusTotal.

ThreatScope analysis, part of our CSI service, shows that the malware belongs to the Cridex family. It drops files into the Application Data and Temp folders and then injects code into other running processes, for example Internet Explorer and Adobe Reader. After this, it contacts its botnet, from which the attacker can instruct the malware to take further actions. You can see the full report in our AceInsight portal.

Websense customers are protected by our Advanced Classification Engine (ACE).

Special thanks to: Mary Grace Timcang, Elad Sharf and Patrik Runald

©2013 Websense, Inc. All Rights Reserved.