Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Latest Blog Posts

View all posts > 

(December 2012) Posts

Sharing the Experience of Deobfuscating a Trojan

Posted: 20 Dec 2012 09:34 AM | lli | no comments


Thanks to the Websense® ThreatSeeker® Network, we discovered another interesting case involving a malicious Web Trojan and analyzed it. Let’s share our deobfuscation experience. The first step was to identify the location of the malicious code, shown in the red pane of the following image...

Read more > 

Filed under:

Our Take on Blitzkrieg

Posted: 18 Dec 2012 12:48 PM | Chris Astacio | no comments


At Websense® Security Labs™, we get many questions from our customers and partners about attacks. We're asked about the details of big attacks, obscure attacks, and, of course, targeted attacks. There has been quite a bit of noise around an attack being dubbed "project Blitzkrieg,"...

Read more > 

'Jacked Frost' Facebook Scam Goes Wild and Doubles Over the Weekend

Posted: 10 Dec 2012 11:51 AM | Elad Sharf | no comments


Last week we wrote a blog about a specific Facebook scam that appeared to spread rather aggresively. We have decided to nickname the scam "Jacked frost". The Websense® ThreatSeeker™ network detected that the scam has increased and multiplied over the weekend - particularly on Saturday where we saw the amount of unique URLs related to this scam double. This shows how cyber crooks time their attacks to times where users are more laid back and when the security community is less likely to alert users on this type of threat.

 

...

Read more > 

Filed under: , , ,

Christmas-Themed Facebook Scams: How Cybercrooks Kick it up a Notch and Piggyback on Big Brands

Posted: 07 Dec 2012 07:03 PM | Elad Sharf | 2 comment(s)


 

From time to time the Websense® ThreatSeeker™ Network detects high volume surges of badness rolling across Facebook. In the past 48 hours we've seen a rapid increase of a particular scam campaign that has aggressively spread through the world's largest social networking site. 

 

With the holiday shopping season here, it appears that cyber crooks are going full throttle to attract Christmas shoppers by piggybacking on the reputation of well-known brands like Walmart, Asda, Visa, Best Buy, Apple, and more. In the attack that we're about to describe, it appears that user accounts belonging to the free DNS service freedns.afraid.org were compromised and used as part of the cyber criminals' scam infrastructure. Read on for details.

 

...

Read more > 

Filed under: , ,

Pak Hack Attack: Pastebin Reveals Attacks

Posted: 05 Dec 2012 09:30 AM | RM | no comments


Websense ® researchers monitor sites like Pastebin , Facebook, Twitter, Blogspot and others to keep our finger on the pulse of hacking and other malicious activities. Pastebin, in particular, has become a popular place for hackers to show off their latest exploits. Our researchers recently observed...

Read more > 

Filed under:

Malicious Email MMS Targets Mobile Phone Users

Posted: 02 Dec 2012 08:51 AM | Elson Lai | no comments


The Websense® ThreatSeeker™ Network has detected a malicious spam campaign that tries to exploit customers of major mobile phone companies. Specifically, we have detected thousands of emails claiming users have received MMS content via email localized to Australian and German carriers late last week:

 

 

Because mobile phone use is an everyday activity, users could be tricked into opening and running attachments, especially those that appear to come from their carriers. Once the malware is launched, it connects to a list of remote servers to download more malicious binaries. What is interesting about these samples is that they are heavily encrypted and have many anti-debug tricks. Unlike other malware, this sample deploys several decryption phases before finally executing its malicious function. Even more interesting, it implements all its tricks, like decryption and patching, only in memory. 

 

The decryption process includes three phases. In the first phase, the malware copies itself as “C:\Documents and Settings\All Users\svchost.exe”, and registers itself as autorun by creating a Registry Key. As a result, when Windows boots up, the malware starts automatically. In one example:

 

Telstra-picture:656        “C:\Documents and Settings\All Users\svchost.exe"         Run\SunJavaUpdateSched         HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched

 

The malware then decrypts itself, and rewrites the memory image of itself. This way, the malware does not need to create a new PE file on the disk, and the original malware becomes a totally different one in memory, even the PE header and code entry point, thus leading us to the next phase. The phase two file is encrypted too, and implements many anti-debug tricks.

...

Read more >