Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Latest Blog Posts


(December 2012) Posts

Sharing the Experience of Deobfuscating a Trojan

Posted: 20 Dec 2012 09:34 AM | lli | no comments

Thanks to the Websense® ThreatSeeker® Network, we discovered another interesting case involving a malicious Web Trojan and analyzed it. Let’s share our deobfuscation experience. The first step was to identify the location of the malicious code, shown in the red pane of the following image...


Our Take on Blitzkrieg

Posted: 18 Dec 2012 12:48 PM | Chris Astacio | no comments

At Websense® Security Labs™, we get many questions from our customers and partners about attacks. We're asked about the details of big attacks, obscure attacks, and, of course, targeted attacks. There has been quite a bit of noise around an attack being dubbed "project Blitzkrieg,"...


Fake Virgin Blue Itinerary Email Soars With Malware

Posted: 13 Dec 2012 11:15 AM | Anonymous | no comments

Websense Security Labs™ ThreatSeeker™ Network detected a slew of fake Virgin Blue Itinerary emails. The email contains a malicious zip attachment called Virgin-Itinerary.pdf.zip, which contains the malicious binary file Virgin-Itinerary.pdf.XXXXX.exe.

'Jacked Frost' Facebook Scam Goes Wild and Doubles Over the Weekend

Posted: 10 Dec 2012 11:51 AM | Elad Sharf | no comments

Last week we wrote a blog about a specific Facebook scam that appeared to spread rather aggressively. We have decided to nickname the scam "Jacked Frost". The Websense® ThreatSeeker™ Network detected that the scam increased and multiplied over the weekend, particularly on Saturday, when we saw the number of unique URLs related to this scam double. This shows how cyber crooks time their attacks to periods when users are more laid-back and the security community is less likely to alert users to this type of threat.

Christmas-Themed Facebook Scams: How Cybercrooks Kick it up a Notch and Piggyback on Big Brands

Posted: 07 Dec 2012 07:03 PM | Elad Sharf | 2 comment(s)


From time to time the Websense® ThreatSeeker™ Network detects high-volume surges of badness rolling across Facebook. In the past 48 hours we've seen a rapid increase in a particular scam campaign that has aggressively spread through the world's largest social networking site.


With the holiday shopping season here, it appears that cyber crooks are going full throttle to attract Christmas shoppers by piggybacking on the reputation of well-known brands like Walmart, Asda, Visa, Best Buy, Apple, and more. In the attack that we're about to describe, it appears that user accounts belonging to the free DNS service freedns.afraid.org were compromised and used as part of the cyber criminals' scam infrastructure. Read on for details.

Pak Hack Attack: Pastebin Reveals Attacks

Posted: 05 Dec 2012 09:30 AM | RM | no comments

Websense® researchers monitor sites like Pastebin, Facebook, Twitter, Blogspot and others to keep our finger on the pulse of hacking and other malicious activities. Pastebin, in particular, has become a popular place for hackers to show off their latest exploits. Our researchers recently observed...


Malicious Email MMS Targets Mobile Phone Users

Posted: 02 Dec 2012 08:51 AM | Anonymous | no comments

The Websense® ThreatSeeker™ Network has detected a malicious spam campaign that tries to exploit customers of major mobile phone companies. Specifically, late last week we detected thousands of emails claiming that users have received MMS content via email, localized to Australian and German carriers:

Because mobile phone use is an everyday activity, users could be tricked into opening and running attachments, especially ones that appear to come from their carriers. Once the malware is launched, it connects to a list of remote servers to download more malicious binaries. What is interesting about these samples is that they are heavily encrypted and use many anti-debug tricks. Unlike other malware, this sample goes through several decryption phases before finally executing its malicious function. Even more interesting, it performs all of its tricks, such as decryption and patching, only in memory.


The decryption process includes three phases. In the first phase, the malware copies itself to "C:\Documents and Settings\All Users\svchost.exe" and registers itself for autorun by creating a registry key, so that the malware starts automatically whenever Windows boots. In one example:


Telstra-picture:656   "C:\Documents and Settings\All Users\svchost.exe"   Run\SunJavaUpdateSched   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched


The malware then decrypts itself and rewrites its own memory image. This way, the malware does not need to create a new PE file on disk, and the original sample becomes an entirely different program in memory; even the PE header and code entry point change. This leads us to the next phase. The phase-two image is encrypted as well and implements many anti-debug tricks.
