Hot on the heels of the NBC.com hack last week, Websense® Security Labs™ researchers were alerted by SANS to another high profile website compromise on Friday: bible.org. It appears that the offending code has now been removed from the bible.org website.  

At first glance, this seemed to be a run-of-the-mill “compromise, redirect, exploit” chain; however, closer analysis revealed the use of an interesting Honeyclient evasion technique. Honeyclients allow the profiling of websites in a heuristic and automated way; more often, testing a website with a Honeyclient takes longer than signature-based solutions but the results are much more accurate, especially when new zero-day code or a new emerging threat needs to be flagged up and requires scrutiny. Usually, Honeyclients run on top of virtual machine sandboxes: evasion techniques allow malicious code to become more aware of its running environment and to check if it's in a virtual environment or likely to be an 'analysis' environment before actually running malicious code. 

This snippet of code is the entirety of the Honeyclient evasion attempt - as the method name suggests, the function ‘jsstatic’ will only be called once the eventhandler registers the movement of the user’s mouse over the document (page) – obviously, a primitive Honeyclient will have no mouse movement emulation, therefore the offending function that leads to exploit code will never be called and alerted on by the Honeyclient.

Let’s take a closer look at the jsstatic function (click to enlarge):

The first part of this function definition is simply a sentry variable, to stop the function being executed indefinitely with each new onmousemove event – the global variable astatf is defined as 0 in an earlier part of the script. The next part simply creates the iFrame, which is then executed as if it had just been injected into the page, as per a normal compromise.

This technique is quite primitive and showcases the infancy of this type of Honeyclient evasion technique. The plethora of event handling methods available means this technique is not going to go away anytime soon, and is likely only going to get more complex and inventive. 

In summary: the use of such techniques ultimately aids malicious code in remaining undetected for longer periods of time and thus increases its chances of bypassing security products undetected. The technique described in this blog is simple and allows redirection to exploits only if a mouse movement is detected, an action that is often associated with an actual person interacting with a website and often not used by primitive Honeyclients. Why are the attackers using this technique instead of the normal drive-by type technique we usually see? probably because they wanted to make the attack more stealthy, as attacks like this wouldn't be picked up by automated behavioral analysis systems. That's why multiple layers of defense are needed for web-based attacks.

This discovery ties in to Websense Security Labs predictions that Cybercriminals will become more 'virtually aware' and find modern bypass methods to avoid security detection - see our Websense 2013  Security Predictions.

Author: Darrel Rendell 

Earlier today the main website of NBC and some of their show websites (such as www.jaylenosgarage.com) were compromised and served malicious content to users. The malicious content was inserted as a one-line iframe tag on one of the JavaScripts that gets loaded every time a user visits the page:

This one line of code forces the web browser of every visiting user to download content from the walterjeffers site, which, in turn, redirects the user to two other sites that eventually use an exploit kit to automatically install a malicious file onto the computer. During the few hours the attack was active, we saw several different URLs being used by the attackers. See the screenshot below for the sequence of events as recorded by our replay system that we have in Websense Security Labs.

Two vulnerabilities were used to compromise the user’s computer. In the above example, we can see a PDF file, but the exploit will also try Java vulnerabilities. If either is successful, a malicious binary from the Citadel family is installed on the machine. This family of malware is a so-called banking Trojan, which is designed to help the cyber criminals steal money from online banking accounts. While the file has very bad coverage from antivirus solutions according to VirusTotal, our Websense ThreatScope technology was able to see it as suspicious and provide a lot of additional details about the behavior of the file. See here for the full report.

Websense customers were proactively protected against the exploit code attack by our real-time analytics specifically designed to prevent exploit kits.

NBC has since confirmed that their site has been cleaned up, and it's again safe to visit.

There's been increased interest in targeted attacks and advanced persistent threats in the news lately, from the intrusions on large media outlets and hacks on social networking sites to a recent detailed report of the tactics behind the infiltration of a sophisticated attack family dubbed "APT1".  Much of the controversy swirling around these reports stems from the attempt to identify the perpetrators behind the attacks -- a decidedly difficult enterprise.  While the balance of evidence presented for APT1 does appear to point toward authorship in China (after exhaustive analysis), sophisticated attacks are faceless at the moment of attempted compromise.  

Here are a few data points we've already put together from our own analysis of the ThreatSeeker Network:

• We have observed more than 2,000 unique cases of APT1 attacks since 2011 against all major industry segments.
• China has a disproportionately large share of web-based attack traffic in the United States.  
  • For example, in February 0.49 percent of all web requests from US manufacturing companies land on servers in China.  11.21 percent of all malicious web requests from US manufacturing companies land on servers in China.  If you're looking at traffic patterns, that's more than a 20X traffic disparity toward malware.
  • US news & media companies are also disproportionately driven to malware located in China:   legitimate requests to China make up 7.47 percent of overall traffic, whereas China's portion of all malicious traffic goes up to 21.21 percent.

• As the APT1 report suggests, China currently has much less web-based attack traffic originating from the rest of the world at 0.76 percent.  That may change.

A more interesting question than authorship for us is: "How can you proactively stop targeted attacks like APT1?"  Signatures are obviously not the answer.  Here are some of the ways that we block APT1 along the kill chain without the need for signature updates:

• Full content scanning within SSL, including preventing rogue certificates and criminal encryption (as we blogged about previously) 
• File sandboxing (find two examples of APT1's telltale behavior in ThreatScope reports here and here)
• URL sandboxing in e-mails to prevent spear phishing
• Data loss prevention technology to fingerprint and identify legitimate data as it exits
• Dynamic DNS request interception
• Web reputation /  destination awareness. Many domains, hosts, IP addresses, and even ASNs used by APT1 have been classified for years. Block known compromised hosts for the hops and the outbound C&C traffic.

One trend that you can confidently predict: the attackers will continue to adapt and get smarter, and the techniques to thwart them will need to do the same.

The 2013 Threat Report from the Websense® Security Labs™ is now available.

The report details mobile, social, email and web-based threats, and while it is full of ominous data points, it is a very interesting read. The report is designed to help security professionals keep current with threat trends and improve the effectiveness of existing security solutions. It can also be used to identify and prioritize security gaps that may require new approaches and more innovative strategies.

Creating the report began with the Websense ThreatSeeker® Network, composed of big data clusters used by the WSL to collect and manage up to 5 billion inputs each day from 900 million global endpoints. Malware samples, mobile applications, email content, web links and other information were then passed through deep analysis processes including Websense ACE (Advanced Classification Engine), which applied over 10,000 different analytics.

Here is a sampling of key findings from this year's report:

1. Web Security. The web became significantly more malicious in 2012, both as an attack vector and as the primary support element of attacks originating through social media, mobile devices, and email. Researchers measured an alarming 600 percent increase in the use of malicious web links through all vectors.
2. The Social Web. Malicious content was hidden within social media behind shortened web links 32 percent of the time. Social media attacks took advantage of the confusion of new features, changing services and unsophisticated users.
3. Mobile Security. A study of last year's malicious apps revealed how they often abuse permissions; especially in the use of SMS communications, something very few legitimate apps do. Risks also increased as mobile devices were used for social media and web surfing more often than actually making a phone call.
4. Email Security. Only 1 in 5 emails sent were legitimate, as spam increased to 76 percent of email traffic, and 92% of spam included links to potentially malicious content. Phishing threats delivered via email also grew.
5. Malware Behavior. Forensic analysis identified that registry modification behavior in malware has declined to 7.7%. Once a key indicator of malicious behavior, malware has now become increasingly Internet-connected. Half of all malware that used the Internet for communications and downloaded additional malicious executables to extend their attack capabilities in the first 60 seconds.
6. Data Theft. Key changes in data theft targets and methods took place last year. Reports of intellectual property (IP) theft increased, and theft of credit card numbers and other Personally Identifiable Information (PII) continued to grow. Hacking, malware and other cyber-threats continued to be common methods of attack. However, some of the largest thefts involved physical penetration of security as well, often by willful employees.

Because today's attacks occur in multiple stages through numerous vectors, the report includes an appendix on The Seven Stages of Advanced Threats. This methodology for analyzing and classifying cyber-attacks provides a useful framework for organizations to assess their current defenses against their security profile, identify weaknesses and develop a more comprehensive strategy for withstanding next-generation attacks. A summary of the Websense 2013 Security Predictions report is also included for planning purposes.

Click for a video introduction or download a copy of the 2013 Threat Report.

Hot on the heels of Friday’s announcement by Twitter that they ‘detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data’ and subsequent confirmation that ‘attackers may have had access to limited user information’ for  ‘approximately 250,000 users’,  Websense® Security Labs™ are tracking a phishing campaign propagated via Twitter’s direct message functionality.

Whilst no correlation between the two events can be drawn at this time, Twitter users should be on guard for signs of their own account being abused or compromised, as well for abnormal signs or unusual behavior (or perhaps in many cases, more unusual than normal) from those that they follow. Specifically, users should be cautious, as always, when following any links received from direct messages or Tweets particularly if the page you've been directed to is asking for your credentials or personal information.

Given the recent compromise, Websense Security Labs suggest that you regularly check your online accounts for signs of compromise and, as if anyone needs an excuse to do so, regularly update your suitably complex (and most definitely not your pet/team/town or dictionary word) password as well as reviewing the permissions granted to third-party applications that have access to your accounts (Twitter: How to Connect and Revoke Third-Party Applications). Should you have been unlucky enough to fall victim to this recent compromise, you'll have hopefully received a notification from Twitter that suggests these actions along with some general tips for account security:

Thankfully there are also suggestions, given this recent article on The Guardian’s Web site, that Twitter may be looking to implement two-factor authentication in the future as they are currently advertising a Product Security Software Engineer role in which the successful candidate would have the opportunity to work  with “user-facing security features, such as multifactor authentication”. The implementation of two-factor authentication would be a welcome addition to Twitter’s service which, based on figures released in 2012, has an estimated 500 million users, of which 200 million are estimated to be ‘active’.

The recent compromise is reported to impact 250,000 users, a mere 0.0005% of total users or 0.00125% of active users, and therefore may seem a somewhat small drop in the Twitter ocean. It is not unsurprising, therefore, that attackers are continuing to target Twitter users by dumping a barrel load of phish into this metaphorical ocean.

This recent phishing campaign, given the samples analyzed by Websense Security Labs so far in this incident, is using lures likely to elicit a click when received from a friend or associate, such as Did you see this pic of you? lol followed by a shortened URL.

Interestingly for us, and hopefully you, the use of Bitly’s URL shortening service allows us to append the URL with a plus ‘+’ and then view statistics for the shortened URL:

Whilst the click rate for the above example is low, we’ve seen numerous unique Bitly shortened URLs related to just one account, and would expect the perpetrators behind this campaign to rapidly cycle these in order to avoid detection and to increase the chances of catching more victims.

From all of the Bitly URLs analyzed, the statistics indicate that the victims are not confined to any one geographical area and that users are following the links. With regard to the small percentage of non-Twitter referrers, these could be Tweets or Direct Messages accessed via other applications or  indicative that the campaign is not limited to Twitter itself.

Once followed, the shortened URLs lead to what appears to be an intermediate and changing subdomain on hecro(.)ru which in turn redirects to active phishing sites hosted on a variety of typosquat-style domains:

The phishing URL in the above example, Tivtter(.)com (ACEInsight Report) appears at a glance to be legitimate and therefore is likely to dupe some unsuspecting victims into believing that they need to 're-login' to their expired Twitter session. The URL in this example also appears to cycle through an alphabetic sequence of folders containing the phishing page, perhaps in order to gather some statistics or to split the campaign in some way, as we've seen active examples from /a/verify/ upwards (/n/verify/ at the time of writing). Once the letter has cycled onto the next, any attempt to access the phishing page will be met with a standard  '404 - Page not found' error.

Should you fill in your account credentials, they'll be snaffled by those behind this nefarious scheme and you'll be presented with a fake '404' page not found error before being whisked back to the official Twitter Web site as if nothing happened:

As well as the URL above, we're also seeing other variations on the same Twitter typo theme including iftwtter(.)com (ACEInsight Report) and iwltter(.)com (ACEInsight Report).

Reassuringly, Bitly are flagging many of the shortened URLs as ‘potentially problematic’ although it is likely that for every one flagged another is sure to emerge.

Whilst Websense customers are protected from phishing and other threats by ACE, our Advanced Classification Engine, please do ensure that you check your personal accounts as well as sharing some basic security tips with your friends and family!

In the previous part of our report, we analyzed  the malicious content detected in the domain "rotary-eclubtw.com". We detected the exploitation code for the vulnerability CVE-2012-4792 and analyzed the Flash file which was used to contain the heap spray code and the shell code. In this part we are going to show some of the details that we extracted from the shell code and from behavioral analysis of the malware installed after a successful exploiting attempt. We have also added some details related to the domain name using the WHOIS records and internal data.

Why are waterhole attacks occurring? What is the attackers' objective, both here and in other cases? As we learned from this analysis, the malware is used to steal files from compromised computers, while also enabling monitoring of the user's emails and other activities. We also found suspicious ties to sites potentially targeting high technology suppliers, perhaps in Taiwan. Read on for details of the attack.

From the shellcode contained in the SWF file mentioned in the first part of this blog, we have extracted and disassembled, specifically, the Windows XP shellcode. To do this, we used the tool shell2exe which allowed us to obtain a consistent PE file by inputting the sequence of bytes of the shellcode. There is also an online version of this tool provided by sandsprite.org. In the following screenshot we can see the first stage which decrypts the remaining code using the XOR key "2Eh":

After this first stage the execution flow is passed to the code just decrypted, which, as its first action, tries to create a file in the operating system temp path named "dw20.exe":

Another interesting detail is the search in memory for the string "KONG" which as mentioned in the first part of our analysis, has been used as a prefix of the content of the variable "THISISIT" in the first HTML code from which we started this analysis. So, once this string is detected in memory, the file created previously, "dw20.exe", is filled up with the value of the array "THISISIT" stripped of the marker "KONGK":

Once the encoded file is detected in memory it is passed to another assembly routing which applies another XOR operation using the key "BFh":

Following the logic of the shell code, we had extracted the encoded stream and applied the XOR on it, obtaining a file with MD5: 1ad6afeec913f4c3a0ffce0093cddf21. At this time the file seems to have a low detection as reported here. We submitted this file to the Websense® ThreatScope™ service with the following result:

The full report is available here. The initial lookup of this .EXE file seems to produce some suspicious details. Firstly it is signed with an invalid certificate as shown below:

A suspicious resource section named  "DATA" was also detected, which is loaded and decrypted at runtime:

The code where this resource is referenced was found during the dynamic analysis, and is loaded afterwards by the function called at the address 0x00403f02:

Following the execution of this file, we noticed the creation of the file "ntshrui.dll"  and the use of the Windows system file: "wdmaud.drv": 

The file "ntshrui.dll" has been submitted to Virustotal and the report again shows a low detection of malware, but thanks to these two file names we located a Microsoft report, from which we can deduce that we are talking about the same family of malcode (named Fucobha.A). From the Microsoft analysis it is also possible to see that while this malware is used specifically to download files from the impacted systems, it also permits monitoring of emails and the user's activity. Also, the report shows that the same behavior is used in the persistence mechanism as an injection in a new instance of the process "explorer.exe" as shown here:

In the previous screenshot, it is possible to see unusual network activity in the process "explorer.exe" - in fact, once executed, the malware contacts the host "hxxp://www.rotary-eclub.com" ( IP address 118.212.64.23 TCP port 4356 ) to start sending information gathered from the impacted system as follows:

As is possible to see from the network traffic, the information exchanged between the impacted system and the C&C is encrypted:

The first message contains encrypted basic information (such as the operating system version, installed service pack, local IP address and so on) for the impacted system.  We tried to analyze the injected code in the process "explorer.exe" and discovered the parser that handles the commands once they are decrypted. Here we can see the check for two specific commands: "ptt" and "skc":

The WHOIS information for the C&C "hxxp://www.rotary-eclub.com" provides a strong link with the host "hxxp://www.rotary-eclubtw.com" as shown below:

Here is the WHOIS information for the C&C domain:

By googling for YOVOLE.COM, we found that this Chinese Service Provider has been reported as one of the most active for phishing related attacks as detailed in this report. Also, using our internal database we detected that the registrant "2207406762@qq.com" has recently registered other interesting domain names. Specifically:

From this it is possible to detect a weird coincidence: zhiaoit and zy-intl are keywords which on Google provide results related to high technology suppliers as shown below:

Still another note: using the location address gathered from the WHOIS information, we can see via Google Maps the geographical location where the C&C is hosted is actually just across from the island of Taiwan:

Websense customers are protected from these and other threats by Websense ACE (Advanced Classification Engine). 

February 3, 2013 not only marks the start of Super Bowl Sunday, it could also signify the arrival of a new untethered iOS jailbreak.

A newly formed hacking group, going by the name of evad3rs, is reportedly close to completing their latest iOS 6.1 jailbreak. More importantly this jailbreak works on the A5 and A6 chip architectures in the latest flagship iOS devices. 

Previous reports claimed that the group held back releasing the jailbreak in the knowledge that Apple would soon release the long awaited iOS 6.1 update that surfaced on Monday. The group has also stated that publishing the exploit earlier would allow Apple to develop a patch to counter-act their efforts. So, immediately after the iOS 6.1 release, some four and a half months after the original iOS 6 release, the group has said that they are ready.

Websense® Security Labs™ has seen companies try to use previous iOS device jailbreak activities in the corporate environment, with download and usage of redsn0w and absinthe hacks. In addition to these common tools, download of unauthorized iOS Apps outside of iTunes has also been very active. Websense ThreatSeeker® Network has shown the Bring Your Own Device (BYOD) phenomenon is alive and kicking in modern work places.

In the coming days, Websense Security Labs will keep a close eye on further developments with this new jailbreak.

[Update]

The 'evasi0n" jailbreak has been released overnight and made available to the public along with several download mirrors. The popularity has exceeded many of the mirror's account bandwidth limits causing slow and failed downloads. The jailbreak, namely evasi0n version 1.0, came as a standalone tool where you simply set and forget. It takes just a few minutes the iOS devices to be jailbroken.

Furthermore, Websense Security Labs has also located an increasing of newly registered websites taking on similar names as evasi0n.  Our Websense ACE (Advanced Classification Engine) analytics are treating them with appropriate suspicion.

Websense customers are protected by Websense ACE (Advanced Classification Engine).

Thanks to Websense® ThreatSeeker® technology, it has been possible to detect a domain which we believe is involved in a spear phishing campaign against the users of a Rotary Club online service.  The Rotary Club (also called Rotary International) is an organization that provides humanitarian services, encourages high ethical standards in all vocations, and promotes charity actions. Since the Rotary Club is a worldwide organization, each country has a number of  local "clubs" for each region and they have also established an online service called  "Rotary eClub".  

Specifically, we discovered another attempt to exploit the Internet Explorer vulnerability CVE-2012-4792, which was discovered in a "water holing" attack against the USA Council of the Foreign Relations website (http://www.cfr.org). The results of our analysis were in accordance with those reported in this blog: apparently another worldwide campaign against several organizations which have in some way attracted the interest of the attackers due to the specific audiences for their sites. In this first part of the analysis, we will report our investigation into the obfuscated code and the exploit code detected. In the second part, we will present the analysis of the unusual mechanism implemented in the shellcode that runs the malware which is installed if the exploit is successful. We will also look at some details of the malware behavior and expose some details behind the involved domains and the infrastructure of this attack.  

The suspicious domain in our analysis is "rotary-eclubtw.com", which has apparently been registered to target the Taiwanese users of the Rotary eClub service as shown in the following screenshot:

To find more information about the Rotary eClub located in Taiwan , we used the regional "Club" locator available on the Rotary official Web site:

One of the interesting results from that research is as follows:

The comparison between the domain under investigation (hxxp://rotary-eclubtw.com) and the legitimate Web site http://www.rotaryeclub.org.tw appears to show a case of typo-squatting, and the maliciousness of that domain is confirmed by looking at the content, as shown below:

At first glance, the content seems to be split into two well-defined blocks. Further analysis confirms that the same page hosts the malicious script that is assigned to the JavaScript variable "c" as shown below, and an encoded stream assigned to the variable "THISISIT":

"THISISIT" is the container for a stream which at first glance seems to be a nonsense array of characters with a prefix "KKONG". In the next part of our analysis we will better understand the role of this specific "marker" and how it has been used by the attackers.

The main function which is called during the loading of the page is the function "download()" referenced in a HTML object named  "test":

By deobfuscating the value of the Javascript variable "c", we obtain the clear code and can see that the "download()" function is implemented in the first obfuscated block mentioned before. It uses the API XMLHttpRequest()  to detect the correct version of the Ajax dialect to use for dealing with the dynamic HTML modules of this exploitation mechanism:

We can also see the call to the function "callback()":

This is an Ajax convention to verify the availability of one file. The function callback() is called if available to gather information about the impacted system in order to guess the best pairs of parameters to start the exploitation process. For this reason, it is possible to detect the code used to guess the operating system version or, as reported below, for the detection of a Microsoft Office module available on Windows 7. This specific check is useful for the attackers because if one of the two ActiveX controls (SharePoint.OpenDocument.4 or SharePoint.OpenDocument.5) is present in the running operating system, they can use that to gain access to a specific DLL, distributed by default on Windows 7 systems, which permits the running of malicious code by bypassing memory randomization protection mechanisms such as ASLR:

To continue with the implementation of the "callback()" function, we notice a reference to another file named "DOITYOUR02.html" in each  "<object>" section:

The file DOITYOUR02.html looks like this:

which once decoded becomes:

The "load()" function is an Ajax function that loads data from a server and puts the returned data into the selected element. In this case the element is  "test": the same name as the HTML object mentioned before. This makes it as a unique HTML object used by all the dynamic HTML modules during the exploitation process. Following the code of the function "loader()", it is possible to detect the removal, through the regular expression, of the string "jj" from the obfuscated content stored in the file "DOITYOUR01.TXT". Following this step manually:

we obtained an hexadecimal stream:

which converted to ASCII became:

The code above is the exploit code which is responsible, due to an "user after free" bug, for triggering the Internet Explorer vulnerability (CVE-2012-4792). This vulnerability is also called "CButton IE 0day" and in the snippet of code above, the steps to reproduce the "user after free" bug are highlighted in red. By working backwards it is possible to see the big picture of the flow: if the conditions for exploiting this vulnerability are good, the Flash file named "logo229.swf" is executed, and in the meantime the exploitation code hosted using the HTML file "DOITYOUR02.html" is also executed as reported before. 

The SWF file contains the heapspray code which facilitates the arbitrary code execution if the exploit is successful. Looking into the SWF file, we can see that is not the real heapspray code that we expected, but just a loader of another SWF file created "in memory": 

The content above is the disassembled ActionScript code which, after Base64 decoding, created in memory and ran another SWF file. To obtain the original file we used this easy and dirty Python script:

From this SWF file, we finally got access to the ActionScript HeapSpray code as follows:

The call of the ActionScript class "ExternalInterface"  permits a straightforward communication between the ActionScript code executed by the FlashPlayer and the SWF container. In our case the container is the starting HTML which is provided when calling the suspicious Web site:

We can also see the use of the ID "test" as already highlighted several times. The value returned is assigned to the variable "_loc_3" and is used to detect the correct sequence of the ROP instructions and the shellcode to run. What follows is the use of the variable _loc_3 to select the best Windows7 conditions to run the malicious payload :

The malicious file to be executed is loaded by the shellcode looking in memory rather than for a file in the Web cache, as happened in the attack against the CIFR.ORG Web site. This is a interesting difference because it means that the chain of attack uses fewer files which can be detected by an AV for example. The shellcode has been extracted by the malicious SWF file obtained previously:

In the next part we will look at the shellcode and the dropped malware, discussing an interesting technique used in this attack to deliver malware using only the HTML content. This is a little bit different from the first attack where this Internet Explorer vulnerability was discovered, since for the cfr.org Web site attack, the malware was deployed on visitors' systems with a technique called "drive by cache", using a file with the extension ".jpg" (named "xsainfo.jpg") to contain the executed malware. In this case, it seems that the malicious file is retrieved from the rendered content in the memory of the initial HTML page. We will also look at exposing information and details about the infrastructure behind the involved hosts and domains. 

Websense customers are protected from these and other threats by Websense ACE (Advanced Classification Engine). 

The Websense® ThreatSeeker® network has uncovered a typosquat hive hosting hundreds of hosts targeting well-known brands.  This hive constantly moves around to evade detection.  Numerous popular brands are being abused – can you spot the difference between these scam URLs and the real ones?

Upon further analysis we discovered a connection between those hosts:

1. Most of them are hosted on the same IP address, 208.73.210.128.
2. They lead to scam survey websites and spam websites.
3. They attempt to circumvent detection and lie low by periodically shifting from serving threats to serving default parking pages without threats.

Let us take one of the example hosts to further illustrate how a victim can be taken from a typosquat in the hive to a scam site.  For example, typing in hxxp://youtibe.com/ redirects the user to a scam site hxxp://socialsurvey.chattycatty.com/. 

Multiple requests to the same host result in different landing pages including scam surveys, form filling, and spam sites. In one example (see the screenshots below) users are lured and redirected to a "Youtube" themed website to complete a survey which claims that upon completion, they will have the opportunity to receive one of the listed gifts:

After completing the "survey", the user is offered the option to sign up for a paid and automatically renewed monthly subscription service with an additional enticing gift at a low price. The user is then asked to enter their credit card details. The catch is in the "terms and conditions" section where evidently it's claimed that that the gift is accountable by a 3rd party and that no subscription refunds are allowed.

Fortunately Websense protects its users against such threats with Websense ACE (Advanced Classification Engine). If you have seen other typosquats, let us know in the comments.

Author: Samana Haider

“Red October” in the title of Tom Clancy’s bestselling novel referred to a Soviet submarine whose silent propulsion system made it undetectable to sonar. It’s a fitting name for the sophisticated cyber-espionage network that has recently been identified after collecting high-level data from governments, embassies and diplomatic networks, energy companies, and other sensitive systems for at least five years.

Red October begins as a series of spear phishing attacks with highly personalized emails for specific targets.  These emails include both malicious and "clean" Microsoft® Office attachments, and the attack proceeds as follows:

•    The unsuspecting user receives an email with an attached Microsoft Office file and opens the file.
•    The exploit drops and launches two files: a clean Microsoft Word or Microsoft Excel file and a malicious .EXE.
•    Microsoft Word or Microsoft Excel then crashes and exits while the malicious .EXE launches along with the clean document, so the user sees nothing amiss, as shown in these examples:

Java is another attack vector in the spear phishing campaign.  As with the Office based attack described above, Red October sends a spear phish email containing a link that loads a malicious Java applet when opened.

All known related C&C IPs and domains associated with the Red October attack are classified as “Bot Networks”. Websense® ThreatScope™ helps protect our customers by identifying all of the embedded files as Malicious, as shown in the following reports:

ThreatScope Report on Dropped File 1

ThreatScope Report on Dropped File 2

ThreatScope Report on Dropped File 3

The following CVE are reported to have been used as part of the Red October spear phishing attacks:

CVE-2009-3129 Excel

CVE-2010-3333 Word

CVE-2012-0158 Word

CVE-2011-3544 Java

Targeted attacks like Red October lower a victim's guard by appealing to his or her interests.  This social engineering aspect is what makes such attacks so successful. Therefore, it's essential to remain vigilant when opening emails with attachment or links, especially if they are unsolicited.  

Websense customers are protected by Websense ACE (Advanced Classification Engine), and we will continue to monitor this and other evolving security threats.