Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.


(February 2013) Posts

Honeyclient Evasion Techniques, Bible.org Case

Posted: 25 Feb 2013 03:55 AM | Elad Sharf | 1 comment(s)


Hot on the heels of the NBC.com hack last week, Websense® Security Labs™ researchers were alerted by SANS to another high profile website compromise on Friday: bible.org. It appears that the offending code has now been removed from the bible.org website. At first glance, this seemed to be a run-of-the-mill “compromise, redirect, exploit” chain; however, closer analysis revealed the use of an interesting Honeyclient evasion technique.

Honeyclients allow the profiling of websites in a heuristic and automated way. More often than not, testing a website with a Honeyclient takes longer than signature-based solutions, but the results are much more accurate, especially when new zero-day code or a new emerging threat needs to be flagged up and requires scrutiny. Usually, Honeyclients run on top of virtual machine sandboxes: evasion techniques allow malicious code to become more aware of its running environment and to check if it's in a virtual environment or likely to be an 'analysis' environment before actually running malicious code.

This snippet of code is the entirety of the Honeyclient evasion attempt. As the method name suggests, the function ‘jsstatic’ will only be called once the event handler registers the movement of the user’s mouse over the document (page). Obviously, a primitive Honeyclient will have no mouse movement emulation, so the offending function that leads to exploit code will never be called, and the Honeyclient will never alert on it.

Let’s take a closer look at the jsstatic function. The first part of this function definition is simply a sentry variable, to stop the function being executed again with each new onmousemove event; the global variable astatf is defined as 0 in an earlier part of the script. The next part simply creates the iFrame, which is then executed as if it had just been injected into the page, as per a normal compromise.

This technique is quite primitive and showcases the infancy of this type of Honeyclient evasion technique. The plethora of event handling methods available means this technique is not going to go away anytime soon, and is likely only going to get more complex and inventive.

In summary: the use of such techniques ultimately aids malicious code in remaining undetected for longer periods of time and thus increases its chances of bypassing security products undetected. The technique described in this blog is simple and allows redirection to exploits only if a mouse movement is detected, an action that is often associated with an actual person interacting with a website and often not used by primitive Honeyclients. Why are the attackers using this technique instead of the normal drive-by type technique we usually see? Probably because they wanted to make the attack more stealthy, as attacks like this wouldn't be picked up by automated behavioral analysis systems. That's why multiple layers of defense are needed...


NBC.com Compromised

Posted: 22 Feb 2013 01:05 AM | Patrik Runald | no comments


Earlier today the main website of NBC and some of their show websites (such as www.jaylenosgarage.com) were compromised and served malicious content to users. The malicious content was inserted as a one-line iframe tag in one of the JavaScript files that gets loaded every time a user visits the page. This one line of code forces the web browser of every visiting user to download content from the walterjeffers site, which, in turn, redirects the user to two other sites that eventually use an exploit kit to automatically install a malicious file onto the computer.

During the few hours the attack was active, we saw several different URLs being used by the attackers. See the screenshot below for the sequence of events as recorded by our replay system that we have in Websense Security Labs.

Two vulnerabilities were used to compromise the user’s computer. In the above example, we can see a PDF file, but the exploit will also try Java vulnerabilities. If either is successful, a malicious binary from the Citadel family is installed on the machine. This family of malware is a so-called banking Trojan, which is designed to help the cyber criminals steal money from online banking accounts.

While the file has very bad coverage from antivirus solutions according to VirusTotal, our Websense ThreatScope technology was able to see it as suspicious and provide a lot of additional details about the behavior of the file. See here for the full report. Websense customers were proactively protected against the exploit code attack by our real-time analytics specifically designed to prevent exploit kits.

NBC has since confirmed that their site has been cleaned up, and it's again safe to visit.


APT1: A Prevention Perspective

Posted: 20 Feb 2013 07:01 PM | Charles Renert | no comments


There's been increased interest in targeted attacks and advanced persistent threats in the news lately, from the intrusions on large media outlets and hacks on social networking sites to a recent detailed report of the tactics behind the infiltration of a sophisticated attack family dubbed "APT1". Much of the controversy swirling around these reports stems from the attempt to identify the perpetrators behind the attacks -- a decidedly difficult enterprise. While the balance of evidence presented for APT1 does appear to point toward authorship in China (after exhaustive analysis), sophisticated attacks are faceless at the moment of attempted compromise.

Here are a few data points we've already put together from our own analysis of the ThreatSeeker Network:

- We have observed more than 2,000 unique cases of APT1 attacks since 2011 against all major industry segments.
- China has a disproportionately large share of web-based attack traffic in the United States. For example, in February 0.49 percent of all web requests from US manufacturing companies land on servers in China. 11.21 percent of all malicious web requests from US manufacturing companies land on servers in China. If you're looking at traffic patterns, that's more than a 20X traffic disparity toward malware.
- US news & media companies are also disproportionately driven to malware located in China: legitimate requests to China make up 7.47 percent of overall traffic, whereas China's portion of all malicious traffic goes up to 21.21 percent.
- As the APT1 report suggests, China currently has much less web-based attack traffic originating from the rest of the world at 0.76 percent. That may change.

A more interesting question than authorship for us is: "How can you proactively stop targeted attacks like APT1?" Signatures are obviously not the answer.

Here are some of the ways that we block APT1 along the kill chain without the need for signature updates:

- Full content scanning within SSL, including preventing rogue certificates and criminal encryption (as we blogged about previously)
- File sandboxing (find two examples of APT1's telltale behavior in ThreatScope reports here and here)
- URL sandboxing in e-mails to prevent spear phishing
- Data loss prevention technology to fingerprint and identify legitimate data as it exits
- Dynamic DNS request interception
- Web reputation / destination awareness. Many domains, hosts, IP addresses, and even ASNs used by APT1 have been classified for years. Block known compromised hosts for the hops and the outbound C&C traffic.

One trend that you can confidently predict: the attackers will continue to adapt and get smarter, and the techniques to thwart them will need to do the same.


2013 Threat Report: More Than Scary Stats and Chilling Charts

Posted: 13 Feb 2013 08:30 AM | Carl Leonard | no comments


The 2013 Threat Report from the Websense® Security Labs™ is now available.

The report details mobile, social, email and web-based threats, and while it is full of ominous data points, it is a very interesting read. The report is designed to help security professionals keep current with threat trends and improve the effectiveness of existing security solutions. It can also be used to identify and prioritize security gaps that may require new approaches and more innovative strategies.

Creating the report began with the ThreatSeeker® Network, composed of big data clusters used by the WSL to collect and manage up to 5 billion inputs each day from 900 million global endpoints. Malware samples, mobile applications, email content, web links and other information were then passed through deep analysis processes including our Advanced Classification Engine (ACE), which applied over 10,000 different analytics.

...


Battered Twitter, Phish but no Chips! [Updated]

Posted: 05 Feb 2013 04:47 PM | Carl Leonard | no comments


Hot on the heels of Friday’s announcement by Twitter that they ‘detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data’ and subsequent confirmation that ‘attackers may have had access to limited user information’ for ‘approximately 250,000 users’, Websense® Security Labs™ are tracking a phishing campaign propagated via Twitter’s direct message functionality.

...


The CVE-2012-4792 and the Spear-Phishing Rotary Domains (Part 2)

Posted: 05 Feb 2013 10:00 AM | Gianluca Giuliani | no comments

In the previous part of our report, we analyzed the malicious content detected in the domain "rotary-eclubtw.com". We detected the exploitation code for the vulnerability CVE-2012-4792 and analyzed the Flash file which was used to contain the heap spray code and the shell code. In this part we are going to show some of the details that we extracted from the shell code and from behavioral analysis of the malware installed after a successful exploitation attempt. We have also added some details related to the domain name using the WHOIS records and internal data.

Why are waterhole attacks occurring? What is the attackers' objective, both here and in other cases? As we learned from this analysis, the malware is used to steal files from compromised computers, while also enabling monitoring of the user's emails and other activities. We also found suspicious ties to sites potentially targeting high technology suppliers, perhaps in Taiwan. Read on for details of the attack.

...


Super Bowl Sunday for iOS 6.1 Jailbreak [Updated]

Posted: 01 Feb 2013 05:31 AM | Elson Lai | no comments


February 3, 2013 not only marks the start of Super Bowl Sunday, it could also signify the arrival of a new untethered iOS jailbreak.

The newly formed hacking group, going by the name of evad3rs, is reportedly close to completing their latest iOS 6.1 jailbreak. More importantly, this jailbreak works on the A5 and A6 chip architectures in the latest flagship iOS devices.

Previous reports claimed that the group held back releasing the jailbreak, in the knowledge that Apple was to release the long-awaited iOS 6.1 update, which surfaced on Monday. The group claims that publishing the exploit earlier would allow Apple to develop a patch to counteract their efforts. So, immediately after the iOS 6.1 release, some four and a half months after the original iOS 6 release, the group have said they are ready.

...
