Thanks to Websense® ThreatSeeker® technology, it has been possible to detect a domain which we believe is involved in a spear phishing campaign against the users of a Rotary Club online service.  The Rotary Club (also called Rotary International) is an organization that provides humanitarian services, encourages high ethical standards in all vocations, and promotes charity actions. Since the Rotary Club is a worldwide organization, each country has a number of  local "clubs" for each region and they have also established an online service called  "Rotary eClub".  

Specifically, we discovered another attempt to exploit the Internet Explorer vulnerability CVE-2012-4792, which was discovered in a "water holing" attack against the USA Council of the Foreign Relations website (http://www.cfr.org). The results of our analysis were in accordance with those reported in this blog: apparently another worldwide campaign against several organizations which have in some way attracted the interest of the attackers due to the specific audiences for their sites. In this first part of the analysis, we will report our investigation into the obfuscated code and the exploit code detected. In the second part, we will present the analysis of the unusual mechanism implemented in the shellcode that runs the malware which is installed if the exploit is successful. We will also look at some details of the malware behavior and expose some details behind the involved domains and the infrastructure of this attack.  

The suspicious domain in our analysis is "rotary-eclubtw.com", which has apparently been registered to target the Taiwanese users of the Rotary eClub service as shown in the following screenshot:

To find more information about the Rotary eClub located in Taiwan , we used the regional "Club" locator available on the Rotary official Web site:

One of the interesting results from that research is as follows:

The comparison between the domain under investigation (hxxp://rotary-eclubtw.com) and the legitimate Web site http://www.rotaryeclub.org.tw appears to show a case of typo-squatting, and the maliciousness of that domain is confirmed by looking at the content, as shown below:

At first glance, the content seems to be split into two well-defined blocks. Further analysis confirms that the same page hosts the malicious script that is assigned to the JavaScript variable "c" as shown below, and an encoded stream assigned to the variable "THISISIT":

"THISISIT" is the container for a stream which at first glance seems to be a nonsense array of characters with a prefix "KKONG". In the next part of our analysis we will better understand the role of this specific "marker" and how it has been used by the attackers.

The main function which is called during the loading of the page is the function "download()" referenced in a HTML object named  "test":

By deobfuscating the value of the Javascript variable "c", we obtain the clear code and can see that the "download()" function is implemented in the first obfuscated block mentioned before. It uses the API XMLHttpRequest()  to detect the correct version of the Ajax dialect to use for dealing with the dynamic HTML modules of this exploitation mechanism:

We can also see the call to the function "callback()":

This is an Ajax convention to verify the availability of one file. The function callback() is called if available to gather information about the impacted system in order to guess the best pairs of parameters to start the exploitation process. For this reason, it is possible to detect the code used to guess the operating system version or, as reported below, for the detection of a Microsoft Office module available on Windows 7. This specific check is useful for the attackers because if one of the two ActiveX controls (SharePoint.OpenDocument.4 or SharePoint.OpenDocument.5) is present in the running operating system, they can use that to gain access to a specific DLL, distributed by default on Windows 7 systems, which permits the running of malicious code by bypassing memory randomization protection mechanisms such as ASLR:

To continue with the implementation of the "callback()" function, we notice a reference to another file named "DOITYOUR02.html" in each  "<object>" section:

The file DOITYOUR02.html looks like this:

which once decoded becomes:

The "load()" function is an Ajax function that loads data from a server and puts the returned data into the selected element. In this case the element is  "test": the same name as the HTML object mentioned before. This makes it as a unique HTML object used by all the dynamic HTML modules during the exploitation process. Following the code of the function "loader()", it is possible to detect the removal, through the regular expression, of the string "jj" from the obfuscated content stored in the file "DOITYOUR01.TXT". Following this step manually:

we obtained an hexadecimal stream:

which converted to ASCII became:

The code above is the exploit code which is responsible, due to an "user after free" bug, for triggering the Internet Explorer vulnerability (CVE-2012-4792). This vulnerability is also called "CButton IE 0day" and in the snippet of code above, the steps to reproduce the "user after free" bug are highlighted in red. By working backwards it is possible to see the big picture of the flow: if the conditions for exploiting this vulnerability are good, the Flash file named "logo229.swf" is executed, and in the meantime the exploitation code hosted using the HTML file "DOITYOUR02.html" is also executed as reported before. 

The SWF file contains the heapspray code which facilitates the arbitrary code execution if the exploit is successful. Looking into the SWF file, we can see that is not the real heapspray code that we expected, but just a loader of another SWF file created "in memory": 

The content above is the disassembled ActionScript code which, after Base64 decoding, created in memory and ran another SWF file. To obtain the original file we used this easy and dirty Python script:

From this SWF file, we finally got access to the ActionScript HeapSpray code as follows:

The call of the ActionScript class "ExternalInterface"  permits a straightforward communication between the ActionScript code executed by the FlashPlayer and the SWF container. In our case the container is the starting HTML which is provided when calling the suspicious Web site:

We can also see the use of the ID "test" as already highlighted several times. The value returned is assigned to the variable "_loc_3" and is used to detect the correct sequence of the ROP instructions and the shellcode to run. What follows is the use of the variable _loc_3 to select the best Windows7 conditions to run the malicious payload :

The malicious file to be executed is loaded by the shellcode looking in memory rather than for a file in the Web cache, as happened in the attack against the CIFR.ORG Web site. This is a interesting difference because it means that the chain of attack uses fewer files which can be detected by an AV for example. The shellcode has been extracted by the malicious SWF file obtained previously:

In the next part we will look at the shellcode and the dropped malware, discussing an interesting technique used in this attack to deliver malware using only the HTML content. This is a little bit different from the first attack where this Internet Explorer vulnerability was discovered, since for the cfr.org Web site attack, the malware was deployed on visitors' systems with a technique called "drive by cache", using a file with the extension ".jpg" (named "xsainfo.jpg") to contain the executed malware. In this case, it seems that the malicious file is retrieved from the rendered content in the memory of the initial HTML page. We will also look at exposing information and details about the infrastructure behind the involved hosts and domains. 

Websense customers are protected from these and other threats by Websense ACE (Advanced Classification Engine). 

The Websense® ThreatSeeker® network has uncovered a typosquat hive hosting hundreds of hosts targeting well-known brands.  This hive constantly moves around to evade detection.  Numerous popular brands are being abused – can you spot the difference between these scam URLs and the real ones?

Upon further analysis we discovered a connection between those hosts:

1. Most of them are hosted on the same IP address, 208.73.210.128.
2. They lead to scam survey websites and spam websites.
3. They attempt to circumvent detection and lie low by periodically shifting from serving threats to serving default parking pages without threats.

Let us take one of the example hosts to further illustrate how a victim can be taken from a typosquat in the hive to a scam site.  For example, typing in hxxp://youtibe.com/ redirects the user to a scam site hxxp://socialsurvey.chattycatty.com/. 

Multiple requests to the same host result in different landing pages including scam surveys, form filling, and spam sites. In one example (see the screenshots below) users are lured and redirected to a "Youtube" themed website to complete a survey which claims that upon completion, they will have the opportunity to receive one of the listed gifts:

After completing the "survey", the user is offered the option to sign up for a paid and automatically renewed monthly subscription service with an additional enticing gift at a low price. The user is then asked to enter their credit card details. The catch is in the "terms and conditions" section where evidently it's claimed that that the gift is accountable by a 3rd party and that no subscription refunds are allowed.

Fortunately Websense protects its users against such threats with Websense ACE (Advanced Classification Engine). If you have seen other typosquats, let us know in the comments.

Author: Samana Haider

“Red October” in the title of Tom Clancy’s bestselling novel referred to a Soviet submarine whose silent propulsion system made it undetectable to sonar. It’s a fitting name for the sophisticated cyber-espionage network that has recently been identified after collecting high-level data from governments, embassies and diplomatic networks, energy companies, and other sensitive systems for at least five years.

Red October begins as a series of spear phishing attacks with highly personalized emails for specific targets.  These emails include both malicious and "clean" Microsoft® Office attachments, and the attack proceeds as follows:

•    The unsuspecting user receives an email with an attached Microsoft Office file and opens the file.
•    The exploit drops and launches two files: a clean Microsoft Word or Microsoft Excel file and a malicious .EXE.
•    Microsoft Word or Microsoft Excel then crashes and exits while the malicious .EXE launches along with the clean document, so the user sees nothing amiss, as shown in these examples:

Java is another attack vector in the spear phishing campaign.  As with the Office based attack described above, Red October sends a spear phish email containing a link that loads a malicious Java applet when opened.

All known related C&C IPs and domains associated with the Red October attack are classified as “Bot Networks”. Websense® ThreatScope™ helps protect our customers by identifying all of the embedded files as Malicious, as shown in the following reports:

ThreatScope Report on Dropped File 1

ThreatScope Report on Dropped File 2

ThreatScope Report on Dropped File 3

The following CVE are reported to have been used as part of the Red October spear phishing attacks:

CVE-2009-3129 Excel

CVE-2010-3333 Word

CVE-2012-0158 Word

CVE-2011-3544 Java

Targeted attacks like Red October lower a victim's guard by appealing to his or her interests.  This social engineering aspect is what makes such attacks so successful. Therefore, it's essential to remain vigilant when opening emails with attachment or links, especially if they are unsolicited.  

Websense customers are protected by Websense ACE (Advanced Classification Engine), and we will continue to monitor this and other evolving security threats.

Websense Security Labs™ is following reports that a new Java zero day vulnerability (CVE-2013-0422) is being exploited in the wild by exploit kits. Early this morning, a researcher who goes by the handle Kafeine disclosed that he has started seeing exploits of a new Java vulnerability appearing in multiple exploit kits in the wild. Following up on his post, we have confirmed that we are protecting against the landing pages of these exploit kits with Websense ACE (Advanced Classification Engine) technology.  The landing page is the first thing that loads in an exploit-kit-based attack. It's used to scan clients for vulnerabilities and send the appropriate exploits. This is one of the seven stages of an attack that you can read about here. The kits identified as using this zero day code so far are Cool Exploit Kit, Blackhole Exploit Kit, Red Kit, and Nuclear Exploit Pack.

Snippet of POC code:

The fact that exploits of this vulnerability were found in the wild and in exploit kits is huge. It's common knowledge that exploit kit developers don't typically write exploits on their own. In fact, exploit kit authors typically copy and paste code to include exploits in their packs. Since this exploit is already in exploit kits, it could spread very rapidly to other kit authors who are anxious to get a zero day in their code.  A zero day in exploit kits means a higher success rate for "loads" of malicious binaries, and therefore adds lots of value to the kit. Because this vulnerability is in Java, there's also a possibility that it could be applied to client platforms like Mac OS and Linux, as well as Windows.

This makes two web-based vulnerabilities in the wild in less than a month. It's a dangerous time to be on the web.  We strongly encourage that Java be removed from client computers. If that's impossible due to proprietary applications, please use a separate browser with Java enabled for required applications only.  Your every day browser can handle web surfing just fine without Java enabled. As for the current IE zero day, there is a  "Fix It" solution available from Microsoft, however keep in mind that a fix it solution isn't going to be as strong as a full patch solution.

Update:

Oracle has pushed out an update for the Java vulnerability which is available here.

Microsoft has also published a Out Of Band patch for CVE-2012-4792, which you can read more about here.

As we welcome the New Year, we must be aware that the bad guys will use every opportunity to exploit events of a positive and negative nature. Yes, even the recent disastrous weather experienced on the east coast of the United States was exploited to try and obtain valuable information that could be used for identity and monetary theft from grief-stricken or worried families and friends.

The New Year and its first month brings with it the familiar drive of businesses trying to clear stock, slashing prices to entice us to part with our money and to snap up a bargain in the process. Our desire for a great bargain is something not unknown to the bad guys – they are very aware that we might just be tempted to go for that seemingly ‘too good to be true’ bargain. The associated costs to fraudulent websites are minimal compared to the numbers game the bad guys play; they cast a wide net and you may be the catch of the day.

Let us explore this further through an example. A Swarovski (the brand name of a popular crystal jewelry manufacturer) fraudulent site was detected by the Websense® ThreatSeeker® network. The site hxxp://www.swarovskisale.co/ purports to be selling discounted Swarovski jewelry. The first indicator that something may not be all that it seems is the Top Level Domain, .co. Proving popular among the bad guys due to its lexical relationship to the .com TLD, the .co TLD is assigned to Colombia.

The policies regulating the registration of the .co TLD allow for all persons or entities with no domicile in Colombia to register a .co domain. We searched our Websense Security Labs™ database to see if this brand name was being abused; a number of results were returned. Further investigations of the registrants' records revealed that a common thread among the results was that the sites are registered to a common entity.

The registration details appear to be random text, while the email address follows the theme seen here: louisvuitton563@hotmail.com. Using that information, a search of the Websense Whois DB revealed 1500+ websites following this pattern and/or including these same registration details.

Here are some examples:
mulberryorderonline.com
nikenfljerseyspro.com
nikenfloutlet.com
taschenlouisvuitton-de.info
uggbootssoutlettonline.com
prada-fr.info
abercrombies-fra.info
abercrombies-fre.info

At the time of writing this blog, the majority of the examples listed above were parked with GoDaddy and registered in October 2012. We can assume here that these sites will be used in the near future in spam or phishing campaigns.

In conclusion, the old adage of caveat emptor still applies even in the virtual shopping world. Be aware when online; if it sounds too good to be true it most probably is. Websense can help to protect you from these fraudulent sites. Security Labs researchers work constantly to conduct the type of research we have outlined here to protect our customers.

Author: Stephen Meyer.

First, welcome to 2013 and we trust that you had a happy holiday period. As is to be expected, holidays or not, there is no rest for the wicked (be that attacker or defender) and therefore we kick off our 2013 blog with details of CVE-2012-4792, an Internet Explorer zero-day vulnerability.

The Websense® ThreatSeeker® Network has already detected instances of this vulnerability being exploited in the wild, unsurprising given that the exploit is publicly available as a Metasploit module, and therefore it is likely that attacks will continue to gain traction.

Websense customers are protected from this threat by Websense ACE (Advanced Classification Engine).

The vulnerability, as recently announced in Microsoft Security Advisory 2794220, affects users of Microsoft Internet Explorer versions 6, 7, and 8 and could allow attackers to remotely execute code on vulnerable machines by simply having the victim visit a malicious website.

As seen countless times in the past, typical tactics for enticing victims to visit these malicious sites often include tricking them into clicking links in fake emails, or simply compromising legitimate websites to serve malicious payloads to their unsuspecting visitors.

This particular vulnerability is caused by how Internet Explorer accesses an object in memory that has been deleted or improperly allocated. Exploitation can then result in memory corruption, which in turn could allow an attacker's own code to be executed within the context of the current user, or as if it was being run by that user.

At this time, Microsoft has not released a patch in order to address this vulnerability. However it has provided an easy one-click 'Fix It' solution. Internet Explorer versions 9 and 10 are listed as not being vulnerable.

Websense Security Labs™ are continuing to monitor this situation and, as a member of the Microsoft Active Protection Program (MAPP), are working with Microsoft in order to provide the best protection to our customers.

Update:

Microsoft has issued an Out Of Band update for CVE-2012-4792, which you can read about here.