October 2012 Posts

What Happens if a PPC Company Website is Compromised to Serve jRat?
Posted: 18 Oct 2012 03:23 PM

Thanks to the Websense® ThreatSeeker® Network, we have discovered another interesting case of malicious web injection. This one tries to install a Java-based back door on visitors' systems. Its target is the pay-per-click company PocketCents, which has recently been targeted by two additional attacks. This company's business makes it a really interesting target for this type of attack. Given the intensive tracking they advertise in their mission statement, it seems likely that the attackers could be interested in customer information and user accounts. How better to get that information than with a backdoor installed on each visitor machine? 

The following screen capture shows the injection still active at the start of our analysis:

The first interesting thing here is that it is not the usual exploitation scheme: there are no Java vulnerabilities involved in this injection, just Java code. So the code is executed by the browser without any kind of exception or memory trick.

Running this malicious applet during our investigation did, however, generate a lot of alerts, as shown below:

The URLs from which the Java applets are executed are hosted by dropbox.com:

The "ogi45r.jar" applet works as a dropper for the jRat_tiny.jar file, as shown below. It also ensures that the Java context is running, using the "redir" parameter defined in the applet section. The value of the "redir" parameter is "hxxp://rs-ps.org," which appears to be a website that hosts online Java-based games:

The "jRat_tiny" JAR file loads the stored file with the code shown above. Here's a further look into the code of this JAR file:

In the code above, the first point of interest is the use of resources to hide information. In this case, the resources store two files: "enc.dat" and "key.dat". The first, "enc.dat," is a DES3-encrypted binary file. Once decrypted, it is executed through the Java runtime's command-line launcher, and it provides remote access to the system with a list of commands worthy of the best RAT tools around. The second file, "key.dat," is a sort of configuration file. It is read during initialization, and its first line holds the DES3 key. The "key.dat" file is mapped onto the "arrayOfStrings" array. The screenshot below shows the code snippet that, given the DES3 key (stored in the first line of key.dat and referenced by the Java array "arrayOfStrings[0]") and the encrypted stream, generates another Java applet.

The "key.dat" file contains the following:

Except for the first value (the raw-byte DES key), the content is encoded as the hex values of the ASCII characters. Here is the decoded "key.dat" file:

Another interesting point is that, due to the multi-platform nature of the language, this RAT can detect the system on which it is running and is totally platform-independent:

Above, we can see the attempts to detect the right command line for the environment in which "jRat_tiny.jar" has been executed. The aim of this code is to locate the right Java interpreter path on the impacted system and to run the decrypted Java file stored in the resources. Given the strong evidence that the "enc.dat" file was encrypted with DES3, I decided to write a light Java decrypter based on the DES3 algorithm, using the cryptographic APIs of the Java framework:

The result of this really light DES3 decrypter (the code is available to other researchers, though it is not that complicated to write), when given the encrypted file and the secret key retrieved from the configuration file as input, is to show that "key.dat" is a new JAR file, which is the real RAT. Here is the code obtained from the new JAR file:

Again, it seems that we have a configuration file and an encryption key. This time the AES algorithm is used, implemented in the Java class "L," whose method "d" decrypts the stream stored in the "config.dat" file using the key stored in the "key.dat" file. The content of the key file is the following:

Here is a snippet of the AES decryption code:

With this information, it is possible to write an AES decrypter to get the configuration parameters. These include the C&C IP address and the TCP port used to contact the remote server owned by the RAT administrator to run the commands on the impacted systems, as well as other information. Looking around in the code, we can determine many of the features implemented by this RAT:

- DDoS routine
- command-line based commands
- remote process handling (kill, create new process, etc.)
- network commands, such as netstat
- injecting audio advice
- downloading and uploading files from the impacted systems

and so on.
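To make the key.dat layout and the two decryption stages described above concrete, here is an added Java example; it is neither the author's decrypter nor code from the malware. It assumes ECB mode with PKCS5 padding (the post names only the DES3 and AES ciphers) and builds its own sample key.dat, enc.dat and config.dat inline, so every value, and the class name JratResourceDecrypter, is constructed rather than taken from the sample.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

/** Added example: decode a jRat-style key.dat and run the two decryption stages described in the post. */
public class JratResourceDecrypter {

    /**
     * key.dat layout from the post: line 1 holds the raw key bytes; every later line is the ASCII text
     * of a value encoded as hex digits. Line 1 is returned verbatim, so index 0 matches "arrayOfStrings[0]".
     */
    static List<String> decodeKeyDat(String keyDat) {
        List<String> out = new ArrayList<>();
        for (String raw : keyDat.split("\r?\n")) {
            String line = raw.trim();
            if (line.isEmpty()) continue;
            out.add(out.isEmpty() ? line : hexToAscii(line));
        }
        return out;
    }

    static String hexToAscii(String hex) {
        if (hex.length() % 2 != 0) throw new IllegalArgumentException("odd-length hex line: " + hex);
        byte[] b = new byte[hex.length() / 2];
        for (int i = 0; i < b.length; i++) b[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        return new String(b, StandardCharsets.US_ASCII);
    }

    /** algorithm is "DESede" for enc.dat or "AES" for config.dat. ECB/PKCS5Padding is an assumption: the post names only the ciphers. */
    static byte[] decryptResource(String algorithm, byte[] key, byte[] ciphertext) throws Exception {
        Cipher cipher = Cipher.getInstance(algorithm + "/ECB/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, algorithm));
        return cipher.doFinal(ciphertext);
    }

    /** A decrypted enc.dat should be a JAR, i.e. start with the ZIP local-file-header magic "PK" 0x03 0x04. */
    static boolean looksLikeJar(byte[] d) {
        return d.length >= 4 && d[0] == 'P' && d[1] == 'K' && d[2] == 3 && d[3] == 4;
    }

    /** Only builds constructed samples so the demo runs offline; real inputs are the resources pulled from the JARs. */
    static byte[] encryptForDemo(String algorithm, byte[] key, byte[] plain) throws Exception {
        Cipher cipher = Cipher.getInstance(algorithm + "/ECB/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, algorithm));
        return cipher.doFinal(plain);
    }

    public static void main(String[] args) throws Exception {
        // Stage 1 (jRat_tiny.jar): constructed key.dat with a 24-byte DESede key on line 1, followed by
        // "c2.example.invalid" and "4444" as hex-encoded ASCII. None of these values come from the sample.
        String keyDat = "0123456789abcdef01234567\n63322e6578616d706c652e696e76616c6964\n34343434\n";
        List<String> arrayOfStrings = decodeKeyDat(keyDat);
        byte[] desKey = arrayOfStrings.get(0).getBytes(StandardCharsets.ISO_8859_1); // ISO-8859-1 keeps raw key bytes intact
        System.out.println("decoded config lines: " + arrayOfStrings.subList(1, arrayOfStrings.size()));

        byte[] fakeJar = "PK\u0003\u0004 constructed JAR body".getBytes(StandardCharsets.ISO_8859_1);
        byte[] encDat = encryptForDemo("DESede", desKey, fakeJar);
        System.out.println("enc.dat decrypts to a JAR: " + looksLikeJar(decryptResource("DESede", desKey, encDat)));

        // Stage 2 (the dropped JAR): class L.d() decrypts config.dat with AES using the key from its own key.dat.
        byte[] aesKey = "constructed16byt".getBytes(StandardCharsets.US_ASCII); // exactly 16 bytes, i.e. AES-128
        byte[] configDat = encryptForDemo("AES", aesKey, "C2_IP_PLACEHOLDER\n4444\n".getBytes(StandardCharsets.US_ASCII));
        String config = new String(decryptResource("AES", aesKey, configDat), StandardCharsets.US_ASCII);
        System.out.println("config.dat: " + config.trim().replace("\n", " | "));
    }
}
```

When run against real resources, replace the constructed inputs with the bytes read from the JARs and check that the DES3 output passes looksLikeJar before treating it as the inner RAT.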

The messages sent from remote systems by the RAT administrators seem to be handled in the Java class "B." For example, here is the code to list the running processes on the victim's system:

Here are the "KILLPROCESS" and "GETFILE" commands; the latter exfiltrates files from the impacted system:

Here is the HTTP DoS engine used for that kind of activity:

Here is a service feature used by the RAT administrator to receive the system log file:

A lot of other features and interesting details have also been detected. Although execution of this RAT is mitigated by the Java protections that apply when web browsers try to download and execute applets like this one, we think this kind of platform-independent tool, which does not require an exploitation chain, could be a growing concern in the future. We have no idea how many users have been impacted by this injection. At this time, the dropbox.com JAR files have been removed.

Through our ThreatSeeker Network, we have detected that a lot of URLs are injected with the same threat:

Websense customers are protected from this and other threats by Websense ACE (Advanced Classification Engine).

Gianluca Giuliani

Breaking News: The Malicious USA Presidential Spam Campaign has Started
Posted: 10 Oct 2012 03:45 PM

The Websense® ThreatSeeker® Network has detected a spam campaign that tries to exploit recipients' interest in the current presidential campaign in the US. Specifically, we have detected thousands of emails with this kind of content:

As noted recently, we are seeing an increasing number of spam campaigns with malicious links that lead to BlackHole exploit pages. This is also what happens with this campaign. If the recipient clicks on one of the links in the email, it starts a redirection flow which leads to URLs that host BlackHole exploit code. We simulated the recipient's experience with the support of the Fiddler tool, as shown below:

The pattern used strongly resembles the one used in other malicious, BlackHole-based spam campaigns, so we decided to investigate using a small set of samples chosen from the thousands of emails in this campaign.

The links found in the spam emails usually have this kind of content:

As usual, the purpose of this flow is to install malicious files. In this malicious spam campaign, we noticed PDF, JAR and EXE files with low detection rates (used to compromise the victim systems). During our simulated user experience, we found the following files involved:

PDF - MD5: 69e51d3794250e3f1478404a72c7a309
JAR file - MD5: 03373056bb050c65c41196d3f2d68077
about.exe - MD5: 9223b428b28c7b8033edbb588968eaea

More information on the behavior and activities of about.exe can be found in our Websense ThreatScope™ report:
http://aceinsight.websense.com/fileanalysisreport.aspx?rid=CD22C58FDA3E49FBBF1D41BD575ACAD3

Each URL shown above contains a redirection payload that leads the victim to a malicious website that hosts BlackHole exploit kit 2.0 obfuscated code. So far, we have detected thousands of emails blocked by our Cloud Email Security technology:

Websense customers are protected from this and other threats by Websense ACE (Advanced Classification Engine). 

Gianluca Giuliani

What is Scaring Businesses the Most? Spear-phishing. New Websense Security Labs Research
Posted: 09 Oct 2012 07:55 PM

Spear-phishing is a huge concern for today’s government and enterprises. While high profile attacks like last week’s spear-phishing attack against the White House and last year’s attack against Oak Ridge National Laboratory underscore the risk to government agencies, today’s businesses are also a primary victim. Hackers are increasingly looking to steal source code, intellectual property and financial information.

In light of these incidents, Websense® Security Labs™ collected data from the Websense ThreatSeeker® Network and analyzed it using Websense ACE (Advanced Classification Engine) to identify the top trends in phishing today. These include:

  • Dramatic shifts in attack strategy
  • New security evasion tactics
  • An evolution of the targeted threat model

For all the details, head over to our Insights blog.

Patrik Runald

Phishing for Apple IDs
Posted: 08 Oct 2012 03:27 PM

The Websense® ThreatSeeker® Network has detected a phishing campaign whose potential victims are holders of an Apple ID account. An Apple ID allows you to buy new apps, make a customer workshop reservation at an Apple Retail Store, or buy music and multimedia content from the iTunes Store. You can also buy applications for Mac OS X as well as mobile apps for iOS devices like the iPad and iPhone. All these fine services can also be accessed by unauthorized users if they can obtain your credentials. The phishing campaign begins with an email message like this one, informing the recipient of a "suspended" Apple ID:

The email itself does not have a convincing "Apple" look and feel. However, the URL for "reactivating" the Apple ID account (hxxxxxp://apps.apple.com-account-cancel.shellbells.com.au/?/cgi-bin/WebObjects/MyAppleId.woa/) takes the user to a page that closely mimics Apple's style, as shown below:

As sometimes happens, the hosts that hold the phishing domains have an "open directory" (probably due to a configuration issue), which makes it possible to browse the server-side directory structure used to deploy the phishing email, as shown here:

The URL is traced to IP address 116.0.23.225, where we have detected other phishing domains and hosts:

We have quarantined or rejected hundreds of these phishing email messages, which can potentially lead to identity theft:

Websense customers are protected from this and other threats by Websense ACE (Advanced Classification Engine). 

Gianluca Giuliani

When Less is More: The Growing Impact of Low-Volume Email Attacks
Posted: 05 Oct 2012 01:00 AM

Here at Websense® Security Labs™, we often blog about big malicious campaigns and how our products protect our customers from them. But what about smaller campaigns that are no less dangerous? 

Broad campaigns often spoof notifications from well-known businesses, establishments, organizations, and agencies, and are very widespread these days. However, smaller-volume campaigns can sometimes be as dangerous, or even more so, because they bypass the victim's defenses.

Last week, the Websense ThreatSeeker® Network intercepted one such campaign. This small-volume, malicious campaign targeted businesses with legitimate-looking emails that refer to items like purchase orders, quotes, and supply information. All of these emails had attachments that install variants of the popular Zeus malware on the victim's computer.

Websense Cloud Email Security quarantined these emails as containing a potential virus before most of the malicious attachments were detected by antivirus (AV) engines. Websense ACE (Advanced Classification Engine) provides the extra layers of protection that help Cloud Email Security protect customers against a wide array of threats. 

In many cases, AV signatures lag behind the latest threats. Although ACE uses AV as one of its analytics, here we found an example where AV was not detecting the threat. Other techniques, such as network behavior (volume vs. time) and reputation, are very effective against big campaigns but would not work in this case, since the volume was low. The content of these email messages looks benign most of the time, so traditional anti-spam rules would not work well either. This is where additional protection is needed. ACE can provide that protection and quarantine such suspicious messages by looking more deeply at their content and features, like the types of attachments, message attributes, web links in each message, and telltale patterns in the content body.

Detection by ACE during the window before AV signatures catch up can potentially prevent a security breach at the most crucial time, averting having to "play catch-up."

Let's take a closer look at the emails that were intercepted.

The variant that was most common on September 27, 2012, had subject lines such as:

RE: NEW ORDER
RE: ATTACHED PO

Notice the email body looks quite benign:

There were other examples; see later in the text.

The most "popular" attachment was a file named "scan.rar," which carried the executable "scan.exe."

Here's a Websense ThreatScope™ analysis of this file, showing the malicious behavior:

http://aceinsight.websense.com/FileAnalysisReport.aspx?rid=65EA634D5A96460CB3489AAD8A840364

Compare this to the VirusTotal report at the time that Cloud Email Security detected the threat. Only 2 out of 43 vendors detected this file as malicious:


http://www.virustotal.com/file/2373c8cb97ba5bd2a9bd5451de02f872c4444c1689b8d4021a7fd3945835da7b/analysis/1348767164/

Of course, AV signatures eventually catch up, so the situation improved to 15/43 a few days later.

Cloud Email Security customers were protected regardless:

Based on the nature of the attachments and a few other key attributes in the messages, ACE determined that these emails carried a potential virus and quarantined them.

Some of the other variants were:

Subject: RE:quotation
Attachment: po.rar

Subject: Urgent Order.
Attachment: payment.zip

Subject: supply info
Attachment: payment.zip

Subject: New PI
Attachment: quote.exe

Subject: Order
Attachment: product details.zip

Subject: Please attend to my order
Attachment: quotation.zip

All of these were quarantined by Cloud Email Security based on the attributes of the message and the attachment.

Click on the file names below for ThreatScope reports that provide an analysis of some of the files contained in the various attachments:

list.exe: Not in VirusTotal at the moment.

Quote.exe: Was not in VirusTotal. After uploading the file, these were their results.

Notice the fake "quotation" PDF that opens with these files:

payment.exe: Not in VirusTotal at the moment.

PO.exe: Not in VirusTotal at the moment.

Quotation_pdf.exe: Here is the VirusTotal report for the above file.

Samples.scr: Was not in VirusTotal. After uploading the file, these were their results.

Finally, here are some additional screenshots of other email variants (these look a little more suspicious than the first example shown above):

Please let us know your thoughts. Are you more concerned about the low-volume attacks or the broad far-reaching high-volume attacks? Send in your comments using the box below.

Ran Mosessco

Hook, line and sinker: the dangers of Location-Based Services
Posted: 04 Oct 2012 09:41 AM

Any new technology involves potential risks as well as potential benefits. Location-Based Services (LBS) are a case in point. Mobile apps using geolocation information are increasingly popular, offering people new ways to connect with nearby friends or find people with shared interests. Advertisers can tempt nearby customers with coupons and discounts, targeting people around the corner, and therefore more likely to stop in than those on the other side of world.

Many sites use visitors' IP addresses to do a geolocation lookup in order to serve local content and ads. These can range from perfectly legitimate local headlines to the all-too-familiar "Local girls in [your city here] want to meet you tonight!" Using a new, mobile twist on an old threat, LBS can also help phishing and other scammers find likely victims. As we noted in a previous post, scammers, like legitimate businesses, try to optimize their operations to avoid wasting time and resources on unproductive activities. LBS can help them do this in several ways.

Websense researchers have found many cases of LBS-based phishing attacks. Here we illustrate an example from MoMo, a Chinese LBS social networking app. To the right is a screenshot showing a message allegedly from a pretty girl just 124.78 km away from you. 

Along with an attractive picture, she says, “Hello! I just got here and want to meet people around. It’s a pleasure if we can be friends. Here is my blog site [URL deleted]. You can see my pictures and know me more from there first.”

The link leads to a phishing page that tries to steal the username and password of your account at QQ.com, a major Chinese portal that ranks 9th overall in the Alexa Internet ranking. The links could just as easily be spam or drive-by-downloads.

Why might this approach be more productive from the spammer's perspective than traditional email spam? First, a "local" contact may seem more trustworthy, encouraging you to lower your guard. Second, the attractive profile pics are very tempting bait. And finally, browsers on mobile devices can't show the full URL, so the part that victims see often looks legit.

This is just the latest wrinkle in concerns over LBS-based apps. Last year, a British security firm found that mobile check-ins via Facebook, Twitter, and other social media are used extensively by burglars to pick out empty homes. The average home robbery takes only ten minutes, which means you can easily be cleaned out while you're enjoying coffee at your favorite Starbucks (after announcing to the immediate world that you're there).

But it's not enough to simply keep quiet about where you are, because some apps make the announcement for you. Geotagging on cameras and phones, for example, automatically embeds GPS data into photos.

LBS can be a particular concern with children. On the one hand, geolocation can offer parents peace of mind, knowing their youngsters can be found quickly if they wander off. On the other hand, predators can easily target potential victims by inducing naive kids to reveal personal data, or just by using automated geolocation information. Kids and teens often share photos taken with their mobile phones, and anyone with some basic technical skills and an EXIF interpreter can extract embedded data to determine exactly where the photo was taken. Even if the phone's GPS is turned off, some apps include GPS-enabling permissions.

Websense will continue to monitor developments in this area to protect our customers, their data, and systems from new and evolving security threats.

RM

Unsolicited Secret Admirers Via Email
Posted: 02 Oct 2012 12:47 AM

The Websense® ThreatSeeker® Network has detected an unsolicited email campaign in which love-struck or curious recipients may have their appetites whetted by the thought of a secret admirer. Although Websense customers are protected from this and other threats by ACE™, our Advanced Classification Engine, this post provides an insight into the campaign, which appears to be on the increase today.

The messages, sent from various Yahoo.com accounts, suggest that the sender has "to let you know how [they] feel" and provide an enticing Facebook link to "View Your Ecard".

As displayed above, a valid short Facebook URL is used which, in this case, redirects to hxxp://www.facebook.com/pages/32942390324/536822983001617?sk=app_190322544333196. This particular page, which appears to have been created today (October 1, 2012), makes use of a third-party Facebook app 'Static HTML App.' This app embeds the following code:

The code sends a 'signedRequest' string (as seen in the highlighted URL above), which then requests the desired content for rendering in the victim's browser. In this case, a basic JavaScript is delivered:

The victim's browser is then directed to a fake ecard site hxxp://readyourecard.com/viewmessage/?a=vip36 which, according to Whois data, was registered on September 20, 2012 by 'Liu Hongmei' in China:

At this point, the aim of the campaign becomes clear: Every link on the fake ecard page redirects to an affiliate landing page on the Adult Dating website AdultFriendFinder.com and, with affiliate earnings of up to $1 per unique visitor, you can easily see how such a campaign could become very lucrative!

This campaign appears to be financially driven, but it is conceivable that the same techniques could be used to direct victims to malicious sites. Given that the redirection starts from an innocent-looking Facebook page, users should consider themselves warned to tame their curiosity and not click on unsolicited links!

Wagamama site compromised, but noodles are still good
Posted: 01 Oct 2012 09:09 AM

The Websense ThreatSeeker Network has detected that the website hxxp://goeast(dot)wagamama(dot)com, associated with Wagamama (a Japanese and sushi restaurant chain), has been compromised and injected with malicious code, also known as a RunForestRun attack.

The RunForestRun attack exploits a vulnerability in Parallels Plesk to obtain user account credentials; the compromised accounts are then used to modify JavaScript files. As shown below, the modification consists of an obfuscated script. When this script runs, it deobfuscates to an iframe with pseudo-randomly generated URLs (in this case based on the date and time). The resulting malicious URL leads the user to a well-known and widely used tool in the underground community: the Blackhole Exploit Kit.

Websense customers are protected from this threat with ACE, our Advanced Classification Engine.

Image 1: The site is injected with code which redirects to a .js file with obfuscated code.

Image 2: The /global.js JavaScript file on goeast.wagamama.com includes injected code (marked in red).

When a visitor goes to the site, the injected script deobfuscates into an iframe with a pseudo-random URL based on the date and time. The visitor is automatically redirected to a malicious site, which is currently down.

Image 3: The obfuscated script injected into the /global.js file looks like this.

Image 4: The injected code translates to an iframe that redirects to an exploit site without user interaction.

Image 5: The randomly generated URL from October 1, listed in http://pastebin.com/iZWFrDPC (lsvdxjpwykxxvryd(dot)ru // Mon Oct 01 2012 01:00:00, entry 195).

Fortunately, this type of attack was discovered some time ago, so the generated URLs are proactively blocked.

Artem Gololobov

©2013 Websense, Inc. All Rights Reserved.