
December 2012 Posts

Sharing the Experience of Deobfuscating a Trojan
Posted: 20 Dec 2012 09:34 AM


Thanks to the Websense® ThreatSeeker® Network, we discovered another interesting case involving a malicious Web Trojan and analyzed it. Let’s share our deobfuscation experience.
 
The first step was to locate the malicious code, shown in the red pane of the following image. We then deobfuscated it.

Here are some interesting details that we uncovered about the code:


1. The original code was converted into decimal character codes, which a browser can interpret when they appear in HTML. These decimal codes were then changed into hexadecimal codes.
2. The step length was set to 10 characters: after every 10 characters of hexadecimal code, a random special symbol was inserted.
3. The hexadecimal code with the inserted symbols was then split into 90 parts, and each part was given a name ID such as d0, d1, d2 … d89. Sometimes the parts appeared in order from 0 to 89, and other times completely out of order.
4. The image below further reveals that the common JavaScript commands used for deobfuscation were split up to avoid signature matching. The frequently used “getAttribute” and “parseInt” were also broken into pieces in what appears to be a big jumble.

5. The code displayed in the preceding image turns the obfuscated code back into the original code, which the browser can then execute. It reassembles the 90 parts of obfuscated code into a whole program by ID, in order from 0 to 89.

6. The most interesting part of the original code, shown in the image above, is hidden in the content of an IFRAME tag: it downloads a PDF file that carries the exploit. Before the malicious program carries out its dirty deeds, it may perform other pointless operations or insert “identical equations” into the code, conditions that specify that a statement is “TRUE,” such as “if (12==022)”.
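To make the reassembly in steps 1 to 5 concrete, here is an added Python example (not code from the analyzed sample) that reverses the layers described above. It assumes each character was emitted as a two-digit hex code, that a filler symbol follows every 10 hex digits, and that the stream was split into 90 named parts d0 to d89; the filler symbol set and the sample text are constructed for the test.

```python
"""Reverse the JavaScript obfuscation layers described in the post.

Added example, not the analyzed sample's own code. Assumptions: each character
was emitted as a two-digit hex code (ASCII), a filler symbol was inserted after
every 10 hex digits, and the stream was split into 90 named parts d0 .. d89.
"""
import random
import re

STEP = 10                # filler symbol inserted after every 10 hex digits
PARTS = 90               # number of named chunks d0 .. d89
FILLER = "!@#$%^&*~?"    # assumed filler symbols; only "not a hex digit" matters

NON_HEX = re.compile(r"[^0-9a-fA-F]")


def reassemble(parts):
    """Join the parts in numeric ID order, not string order (d10 must follow d9)."""
    return "".join(parts[k] for k in sorted(parts, key=lambda k: int(k[1:])))


def deobfuscate(parts, width=2):
    """Recover the original script: join by ID, drop fillers, decode hex codes."""
    stream = NON_HEX.sub("", reassemble(parts))
    if len(stream) % width:
        raise ValueError("hex stream is not a whole number of codes")
    return "".join(chr(int(stream[i:i + width], 16))
                   for i in range(0, len(stream), width))


def build_sample(text, seed=1):
    """Constructed test input that follows the layering described in the post."""
    rng = random.Random(seed)
    hexstream = "".join(f"{ord(c):02x}" for c in text)        # char codes -> hex
    with_fill = "".join(hexstream[i:i + STEP] + rng.choice(FILLER)
                        for i in range(0, len(hexstream), STEP))
    base, extra = divmod(len(with_fill), PARTS)                # split into 90 parts
    parts, pos = {}, 0
    for n in range(PARTS):
        size = base + (1 if n < extra else 0)
        parts[f"d{n}"] = with_fill[pos:pos + size]
        pos += size
    keys = list(parts)
    rng.shuffle(keys)                                          # IDs out of order
    return {k: parts[k] for k in keys}


SAMPLE = '<div id="sample">deobfuscation check: the quick brown fox jumps over the lazy dog</div>'

if __name__ == "__main__":
    print(deobfuscate(build_sample(SAMPLE)))
```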
 
We’re happy to share this deobfuscation experience with you.

lli

Our Take on Blitzkrieg
Posted: 18 Dec 2012 12:48 PM

At Websense® Security Labs™, we get many questions from our customers and partners about attacks. We're asked about the details of big attacks, obscure attacks, and, of course, targeted attacks. There has been quite a bit of noise around an attack being dubbed "project Blitzkrieg," which is targeting banks. The attack is said to be the brainchild of a Russian hacker in an underground forum. This hacker has called upon others in the forum to aid in attacking banks by siphoning large amounts of money out of them using a special Trojan dubbed "Prinimalka."

 

Security Labs uses Websense ACE (Advanced Classification Engine) to classify the Prinimalka malware family, and, thanks to the Websense ThreatSeeker® Network, is also monitoring its spread as part of “project Blitzkrieg.” So far, few instances of the Prinimalka infection are being seen. We’re a little skeptical that Blitzkrieg will live up to the current hype, because it’s pretty rare for a successful attack to be pre-announced months ahead of time. Although the broad class of targeted attacks like this continues to be a growing concern, it’s far more likely that this specific attack, if spread further, will take an altogether different form.  

Chris Astacio

Fake Virgin Blue Itinerary Email Soars With Malware
Posted: 13 Dec 2012 11:15 AM

The Websense® ThreatSeeker® Network detected a slew of fake Virgin Blue itinerary emails. Each email carries a malicious zip attachment called Virgin-Itinerary.pdf.zip, which contains the malicious binary Virgin-Itinerary.pdf.XXXXX.exe.

When run, the binary copies itself as svchost.exe into the c:\Documents and Settings\All Users directory and adds a Run registry key so that the sample starts at boot time. More information on the behavior and activities of the malicious binary Virgin-Itinerary.pdf.XXXXX.exe can be found in our ThreatScope report.

Virgin Australia issued an advisory on this incident earlier today on Twitter:  https://twitter.com/VirginAustralia

Websense customers are protected from these and other threats by Websense ACE (Advanced Classification Engine).

 

Special thanks to: Tamas Rudnai

Mary Grace Timcang

'Jacked Frost' Facebook Scam Goes Wild and Doubles Over the Weekend
Posted: 10 Dec 2012 11:51 AM

Last week we wrote a blog about a Facebook scam that appeared to spread rather aggressively. We decided to nickname the scam "Jacked Frost." The Websense® ThreatSeeker® Network detected that the scam increased and multiplied over the weekend, particularly on Saturday, when we saw the number of unique URLs related to this scam double. This shows how cyber crooks time their attacks for periods when users are more relaxed and the security community is less likely to alert users to this type of threat.

 

Our earlier blog post describes the scam in more detail. The scam spreads using clickjacking techniques and employs a large number of varied scam hosts by using the infrastructure of the legitimate service at freedns.afraid.org.

 

Websense customers are protected against this threat with Websense ACE (Advanced Classification Engine).

 

A graph showing the volume of unique scam URLs vs. active (available) URLs over the past few days:

Screenshot of the scam's main page:

How the scam looks in Facebook's news feed. The scam uses a variety of sexually suggestive images and enticing wording to lure users into clicking:

 

Christmas-Themed Facebook Scams: How Cybercrooks Kick it up a Notch and Piggyback on Big Brands
Posted: 07 Dec 2012 07:03 PM

From time to time the Websense® ThreatSeeker® Network detects high volume surges of badness rolling across Facebook. In the past 48 hours we've seen a rapid increase of a particular scam campaign that has aggressively spread through the world's largest social networking site. 

 

With the holiday shopping season here, it appears that cybercrooks are going full throttle to attract Christmas shoppers by piggybacking on the reputation of well-known brands such as Walmart, Asda, Visa, Best Buy, Apple and others. In the attack that we're about to describe, it appears that user accounts belonging to the free DNS service freedns.afraid.org were used as part of the cybercriminals' scam infrastructure. Read on for details.

 

The scam varies in appearance, is geolocation aware, and serves content based on the location of the victim. Potential victims are enticed with videos and free shopping vouchers. Here are some examples of how it might look in a Facebook news feed:

 

The scam in a Facebook news feed 

What happens when a scam post is clicked?

 

When a scam link is clicked in the news feed, the victim is redirected to a fake Facebook page that hosts a fake video that pretends to show the "Fail Blog Daily Video." A clickjacking technique is employed on the page so that when the victim clicks on the video's play button, it results in one of two outcomes:

 

1. A browser popup is launched and the victim is asked to "Like" a certain scam post. This propagates the scam further, because liking the post causes it to appear in the victim's news feed.

 

2. The victim is redirected to a fake video page that uses the CPA (cost-per-action) advertising method to "unlock" what is supposedly a YouTube video.

  

 

This isn't the end, though. The page also has a timeout mechanism. If the victim doesn't play the video, they are greeted with a "Merry Christmas!" message and redirected to a fake Facebook page offering fake free vouchers. In the following example, fake Asda vouchers are offered:

 

Christmas-themed congratulation:

 

The scam is geolocation aware:

Here is a scam page offering free vouchers from Asda. This particular page is designed for UK-based visitors:

This scam page offers vouchers and rewards from Walmart, Best Buy and Visa. This particular page is designed for US-based visitors:

This scam page offers vouchers and rewards from Walmart and American Express. This particular page is designed for US-based visitors:

As mentioned, the scam comes in many variations and piggybacks on the reputation of many well-known brands. Let's look at the example above that piggybacks on Asda. The fake Asda voucher page takes the victim through the scam step by step. First, in order to get the free voucher, the victim has to share the voucher on their Facebook profile. Second, the victim must publish the comment "Thanks Asda!" to support the scam. Lastly, the user must click the Like button, which is in fact a scam link.

 

After the victim completes the steps, their Facebook news feed includes the fake voucher scam, and they are redirected to a legitimate website at new.activeyou.co.uk that gives out prizes and runs an affiliate program. Any user who arrives at the site through a particular affiliate and participates earns that affiliate some money; there is no free voucher after all. The affiliate here is obviously using illegal methods to advertise and generate traffic to a website that earns them money. The affiliate ID is seen in the next image, marked in red in the URL where it states affid.

 

No free vouchers after all:

The scam infrastructure and intelligence: accounts on Afraid.org as doorways

 

Through Websense's partnership with Facebook, we are alerted to such scams and invited to assist Facebook in mitigating them using Websense ACE. We released this blog because we saw a spike in our data feeds and a rather large number of different, related URLs being used for scam purposes. We think Facebook is doing a good job of cleaning up and removing posts related to this scam.

 

We spotted more than 3,000 unique URLs used for this scam on Facebook. Cybercriminals use such high variation to ensure persistence and redundancy in case some URLs or domains get blacklisted.

 

The scam peak as seen by the ThreatSeeker Network. This plots the number of new hosts seen hosting the scam vs. the number of active hosts using this scam.

 

One of the most interesting findings is that most of the scam hosts used in the attack use the DNS servers of the free service at freedns.afraid.org. Essentially, we found that the name-server records of all the websites involved in the attack use Afraid.org's DNS service and point to ns1.afraid.org (see the illustration below).

 

freedns.afraid.org is a free service that offers domain owners free DNS hosting. For example, a domain owner can use the DNS servers of freedns.afraid.org and have them point to their website's IP address. freedns.afraid.org also lets users manage those free DNS services through an account: account holders can add various subdomains to their main domain and optionally point those new websites to different IP addresses. For example, if John Doe owns johndoe.com on IP address x.x.x.x, he can go to freedns.afraid.org, create an account, and use their DNS servers to point to his website's IP address at x.x.x.x. On top of that, John can easily add DNS records for subdomains of his main website (johndoe.com) via his account at freedns.afraid.org. At his option, John can have those subdomains (which essentially represent different websites) point to different IP addresses. So, for example, John can use his DNS account with freedns.afraid.org to have johnsfriend.johndoe.com point to y.y.y.y.

 

Scam host example and its DNS record: 91037997396662norryyoutubecomplay10pegahihypupegahihypu.opbco.web74.net

In this attack, accounts/hosts on freedns.afraid.org have been used to serve scam URLs by pointing subdomains of legitimate hosts to the attackers' infrastructure. If we examine some of the scam hosts involved in the attack, we can see that they point to a different IP address than the one used at the host (parent domain) level. The websites at the host level vary in purpose and appear to be legitimate. We verified that this pattern is consistent across all of the approximately 3,000 instances we found involved in the attack. In the next example, the scam URL is hosted on an IP address that the cybercriminals use to host the scam (213.152.170.193), while the parent host resolves to a different IP address that hosts a legitimate website (65.96.116.101), in this case a personal cooking blog:
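As an added example (not Websense's detection logic), the following Python heuristic encodes the pattern just described: find the zone that serves a hostname, check whether that zone's name servers are at afraid.org, and compare the subdomain's A record with the parent's. The DNS data is a constructed in-memory table using the names and IPs from this post plus RFC 5737 documentation addresses, so the check runs offline; a real deployment would swap in a resolver.

```python
"""Heuristic for the infrastructure pattern described in the post: a subdomain
whose zone is served by the free freedns.afraid.org name servers but whose
A record points somewhere other than the parent domain's own web server.

Added example, not Websense's detection logic. ZONE is a constructed table
(names and IPs from the post plus RFC 5737 documentation addresses).
"""

# Constructed zone data: name -> {record type -> set of values}
ZONE = {
    # the legitimate cooking blog and a scam subdomain hanging off it
    "urbancooking.net": {"A": {"65.96.116.101"}, "NS": {"ns1.afraid.org"}},
    "constructed-label.urbancooking.net": {"A": {"213.152.170.193"}},
    # the post's John Doe example: a legitimate freedns.afraid.org user
    "johndoe.com": {"A": {"192.0.2.10"}, "NS": {"ns1.afraid.org"}},
    "www.johndoe.com": {"A": {"192.0.2.10"}},
    "johnsfriend.johndoe.com": {"A": {"198.51.100.7"}},
    # a domain on its own name servers: outside the pattern entirely
    "example.org": {"A": {"203.0.113.5"}, "NS": {"ns1.example.org"}},
    "shop.example.org": {"A": {"203.0.113.9"}},
}

# IP address the post names as hosting the scam pages
KNOWN_SCAM_IPS = {"213.152.170.193"}


def lookup(name, rtype):
    """Offline stand-in for a DNS query against the constructed table."""
    return ZONE.get(name.lower().rstrip("."), {}).get(rtype, set())


def zone_apex(host):
    """Walk up the labels to the closest ancestor that carries NS records."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if lookup(candidate, "NS"):
            return candidate
    return None


def uses_afraid_dns(apex):
    return any(ns.lower().rstrip(".").endswith(".afraid.org")
               for ns in lookup(apex, "NS"))


def assess(host):
    """Return a verdict for one hostname together with the evidence behind it."""
    apex = zone_apex(host)
    if apex is None:
        return {"host": host, "verdict": "no-zone-data"}
    host_a, apex_a = lookup(host, "A"), lookup(apex, "A")
    result = {"host": host, "apex": apex,
              "host_a": sorted(host_a), "apex_a": sorted(apex_a)}
    if host_a & KNOWN_SCAM_IPS:
        result["verdict"] = "confirmed"       # resolves to known scam hosting
    elif uses_afraid_dns(apex) and host_a and apex_a and host_a.isdisjoint(apex_a):
        result["verdict"] = "review"          # fits the pattern; legitimate users do too
    else:
        result["verdict"] = "ok"
    return result


if __name__ == "__main__":
    for name in ZONE:
        print(assess(name))
```

The "review" verdict for johnsfriend.johndoe.com shows why the pattern alone is not a block list: the same DNS layout is exactly what the service offers its legitimate users, so a hit needs a second signal such as a known scam IP.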

urbancooking.net appears to be a personal blog about cooking:

 

Exploring other websites hosted on the offending 213.152.170.193 reveals more scam websites:

 

 

Here are some of the offending IP addresses found to be part of the scam infrastructure hosting the scam websites:

 


 

We believe that this attack is now under control and is being successfully mitigated by Facebook. We're seeing a gradual decline in incidents, but it's safe to say that while it's declining, it's still going strong. We'll keep an eye on events related to this attack and keep you in the loop.

 

We would also like to take this opportunity to wish you a merry and cybersafe holiday season.

 

Elad Sharf

Pak Hack Attack: Pastebin Reveals Attacks
Posted: 05 Dec 2012 09:30 AM

Websense® researchers monitor sites like Pastebin, Facebook, Twitter, Blogspot and others to keep our finger on the pulse of hacking and other malicious activities. Pastebin, in particular, has become a popular place for hackers to show off their latest exploits. 

 

Our researchers recently observed a significant increase in malicious links posted to Pastebin:

On Tuesday, November 20, we detected a spike in compromised URLs posted to the site. A Pastebin user named “PCA-Master” was responsible for posting 572 of these compromised URLs.


Each compromised URL showed a similar pattern:

These hosts were defaced with images like this:

In all cases, Websense customers were protected by the real-time analytics offered by Websense solutions.

According to its FAQ, “Pastebin.com is a website where you can store text for a certain period of time. The website is mainly used by programmers to store pieces of sources code or configuration information, but anyone is more than welcome to paste any type of text.”

Despite its Acceptable Use Policy that specifically prohibits posting email lists, login details, password lists and personal information (among other items), all of these are routinely posted to Pastebin.

The "Pakistan Cyber Army" has been around for some time and regularly compromises large numbers of hosts in various countries, including many Indian websites, especially government sites. According to the Pakistan Cyber Army site:
 
"Pakistan Cyber Army is not a hacking or cracking group or anything illegal to be, Pakistan Cyber Army is a symbol of all the Pakistani Security Expert's who wanted to safegaurd Pakistan Cyber Space from hacking attack's […] We mastered it and now we are here to announce that we are no longer blackhat's, there was a time when we used to be but only for our country safegaurd and our nation pride."
 
Pakistan Cyber Army images have recently plastered sites in many countries. According to HackRead, a website with news about hacking, most of the affected sites belonged to “small and local businesses, such as banks, chemical factories, TV channels, online gaming and automotive industry etc."

While hackers pose a serious problem for many organizations, on a lighter note, students from HaBetzefer, an Israeli school of advertising and art, and ad agency McCann Digital Israel have produced a campaign called "If you can't fight them, redesign them" to combat the plague of what students are calling “uninspired designs each time: black background, grotesque low-res images and unbearable amounts of text." One of the traits associated with hackers is their lack of style, as evidenced by the Pakistan Cyber Army’s hack page.

The students sent cheerful redesigned hack pages back to hacker groups with the friendly message, “We would like to end all cyberwars, but in the meantime -- if you must hack our sites, at least leave something beautiful.” So far, none of the hackers has taken them up on the offer, but it’s clearly their loss:

 

RM

Malicious Email MMS Targets Mobile Phone Users
Posted: 02 Dec 2012 08:51 AM

The Websense® ThreatSeeker® Network has detected a malicious spam campaign that tries to exploit customers of major mobile phone companies. Specifically, late last week we detected thousands of emails claiming that users had received MMS content via email, localized to Australian and German carriers:

Because mobile phone use is an everyday activity, users could be tricked into opening and running attachments, especially ones that appear to come from their carrier. Once launched, the malware connects to a list of remote servers to download more malicious binaries. What is interesting about these samples is that they are heavily encrypted and use many anti-debug tricks. Unlike other malware, this sample goes through several decryption phases before finally executing its malicious function. Even more interesting, it performs all its tricks, such as decryption and patching, only in memory.

 

The decryption process has three phases. In the first phase, the malware copies itself to “C:\Documents and Settings\All Users\svchost.exe” and registers itself to autorun by creating a registry key, so that the malware starts automatically when Windows boots. In one example:

 

Telstra-picture:656    "C:\Documents and Settings\All Users\svchost.exe"    Run\SunJavaUpdateSched    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched
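The persistence artifact here is the same one the Virgin Blue sample described earlier on this page leaves behind: svchost.exe dropped under the All Users profile and a value under the HKLM Run key. As an added example, not Websense's or ThreatScope's code, this Python check scans a constructed Run-key export for that pattern; the jusched.exe entry and the %SystemRoot% expansion are assumptions included to show that the check keys on the image path rather than on the value name the malware borrows.

```python
"""Scan autostart (Run-key) entries for the persistence artifact described in
this post and in the Virgin Blue post: a copy of the malware dropped as
svchost.exe under the All Users profile and registered under the HKLM Run key.

Added example, not Websense's or ThreatScope's code; RUN_ENTRIES is a
constructed export.
"""
import ntpath
import re

# Windows binaries that should only ever start from the system directory
SYSTEM_BINARIES = {"svchost.exe", "wuauclt.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# Assumed markers for shared profile directories (XP and Vista+ layouts)
SHARED_PROFILE_MARKERS = ("\\all users\\", "\\users\\public\\")

# Constructed Run-key export: (key, value name, value data)
RUN_ENTRIES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SunJavaUpdateSched",
     r'"C:\Documents and Settings\All Users\svchost.exe"'),            # from the post
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "SunJavaUpdateSched",
     r'"C:\Program Files\Common Files\Java\Java Update\jusched.exe" -hidden'),  # assumed legitimate name-alike
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe",
     r"C:\WINDOWS\system32\ctfmon.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r"%SystemRoot%\system32\svchost.exe -k netsvcs"),                 # system dir: not flagged
]


def image_path(command):
    """Pull the executable path out of a Run value: quoted path or first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end > 0 else command[1:]
    else:
        path = command.split(" ", 1)[0]
    # Assumed expansion of the one environment variable the sample data uses
    path = re.sub("%systemroot%", lambda _: r"C:\Windows", path, flags=re.IGNORECASE)
    return ntpath.normpath(path)


def check_entry(key, name, data):
    """Return the findings for one autostart entry (an empty list means clean)."""
    folded = ntpath.normcase(image_path(data))   # lower-case, backslash-normalised
    base = ntpath.basename(folded)
    parent = ntpath.dirname(folded)
    findings = []
    if base in SYSTEM_BINARIES and parent not in SYSTEM_DIRS:
        findings.append(f"{base} started from non-system directory {parent}")
    if any(marker in folded for marker in SHARED_PROFILE_MARKERS):
        findings.append("autostart image lives in a shared profile directory")
    return findings


def scan(entries):
    """Map key\\value to its findings for every entry that raised at least one."""
    report = {}
    for key, name, data in entries:
        findings = check_entry(key, name, data)
        if findings:
            report[key + "\\" + name] = findings
    return report


if __name__ == "__main__":
    for entry, findings in scan(RUN_ENTRIES).items():
        print(entry)
        for finding in findings:
            print("  -", finding)
```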

 

The malware then decrypts itself and rewrites its own memory image. This way, the malware does not need to create a new PE file on disk, and the original malware becomes a totally different one in memory, down to the PE header and code entry point, which leads us to the next phase. The phase-two file is also encrypted and implements many anti-debug tricks.

Taking a dive into the anti-debug measures that modern malware uses, we see that this one enumerates all the running processes on the system and tries to find “VmwareService.exe”, “VmwareUser.exe”, “wireshark.exe”, and other monitoring or antivirus processes. It does not use plain-text strings to find the process names. Instead, it uses a self-defined hash algorithm to turn each process name into a hex value, a technique commonly used in shellcode to locate the APIs it needs.

 

This sample also queries the registry value “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\disk\enum”, checks the local disk name, and tests whether characters 8 to 12 of the disk name contain “awmw”, “xobv” or “umeq”. In other words, the malware checks whether it is running under VMware, VirtualBox or QEMU (an open source processor emulator). If it is, the malware stops infecting the computer. Note the malware author's typo in "awmw"; it should be "awmv".

 

After carefully checking its environment, the malware continues to the next phase of decrypting itself. Instead of modifying the Windows Update Agent “wuauclt.exe” file on disk, or finding the process memory of “wuauclt.exe” and injecting malicious code into it, the malware maps an image of "wuauclt.exe" into memory using a “Section” kernel object. It then injects all the malicious code into the mapped memory pages and finally executes “wuauclt.exe”.

Because the malware does not modify the Windows Update Agent on the hard disk and instead patches the process image in memory using a “Section” kernel object, monitors that hook APIs like “OpenFile” or “CreateFile” fail to catch this injection. And because the malware never calls “WriteProcessMemory”, it is hard for AV monitors to catch this memory injection.

 

This patched “wuauclt.exe”, with the push-return shown above, performs the real malicious function. It connects to several remote servers and downloads additional malicious binaries from some of them. Several of the servers it connects to, and many of the URLs, are hosted at the same IP address:

It downloads malicious binaries from these remote servers:

During our analysis, some of the remote servers were still available, and the malicious binary files were still downloadable. Websense customers are protected from these and other threats by Websense ACE (Advanced Classification Engine) in multiple stages: from the very first arrival of the malicious emails to all the "phone home" C&C URLs and malicious binaries.

Don't miss our Websense® 2013 Security Predictions to read about this prediction, among others: Cybercriminals will become more "virtually aware" and find modern bypass methods to avoid detection.

Elson Lai

©2013 Websense, Inc. All Rights Reserved.