Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Latest Blog Posts

View all posts > 

Adult tagged in these posts

Believe it or not—even MORE internet porn

Posted: 12 Jun 2012 05:19 PM | RM | no comments


In December of 2011, we blogged about the approval of the .xxx TLD (top-level domain) and discussed issues related to how these sites are categorized and how legitimate companies could avoid having their reputation damaged through an .xxx registration.


Under the banner "The Evolution of Online Responsibility," ICM Registry, the company behind .xxx, is now trying to establish .sex, .porn, and .adult to expand its online offerings. A company spokesman says it is prepared to battle for other sex-related TLDs in order to protect its turf, citing the firm's security and trademark protection practices, as well as its zero-tolerance policy toward child sex abuse.



Filed under:

Widespread malware abuses unsecured Geolocation Service of Adult Website

Posted: 03 May 2012 07:26 PM | Anonymous | no comments

While researching outbound malware communications to improve detections for our products, we recently made an interesting discovery. Thousands of samples running in our malware lab reached out to the URL promos.fling.com/geo/txt/city.php . At first we suspected this to be a command and control (C&C) server of botnet malware. However, Websense® categorization of the main Web page of the domain fling.com returned Adult, and visiting the page certainly confirmed this: The self-proclaimed "Hottest Place to Hook Up" suggested that we sign up to "Meet the Hottest Members in San Diego" (the location of the US Websense® Security Labs™). This is where the originally discovered URL promos.fling.com/geo/txt/city.php comes into play. Directly visiting the URL results in JavaScript code to print the geolocation of the visitor: So how is this unsecured geolocation service used by the malware? Using the network tool Wireshark to look at the malware network traffic contacting this service, we can see that more information is disclosed: In this example our malware sandbox was connected to the Internet through a proxy service in Canada. Apart from the JavaScript payload there are several HTTP cookies sent in the response header specifying the country, state, city, latitude and longitude. Our analysis systems identified other likely C&C connections in the outbound connections of the malware samples in question. Interestingly, these connections try to hide the malicious HTTP using a forged user-agent string: Looking at the geolocation service abused by the malware we can make the connection that the 'CA' part (country code for Canada) in this user-agent is used to disclose the geolocation of the infected machine to the botnet server. This information can be used by the botmaster for statistics or to give different commands to infected machines in certain countries. As of the time of writing this blog post, a total of 4,775 samples that ran in our malware lab show connections to the adult geolocation service in question. Websense customers are protected against known variants of this malware; we also have real-time coverage in place for the traffic between the malware and the C&C servers.


Filed under: ,

Let's be adult about it. xxx

Posted: 06 Dec 2011 03:31 PM | Elisabeth Olsen | no comments

On 12/6/2011 at 11 am EST, more than 100,000 Web sites are expected to go live with the new .xxx domain. XXX was approved as a "top-level domain" address last year by ICANN , and was set up to make it easier to identify adult sites. However, it has also had some unintended consequences. For example, if you own Acme Explosives and have operated acmeexplosives.com for years, you might want to register acmeexplosives.xxx too (just to make sure no one else registers it for a porn site, possibly besmirching your reputation with the demolition crowd). You could leave it as a null site, or you could redirect your new .XXX site to your standard .COM site. Therein lies the rub: Websense will automatically categorize all .XXX sites as “Sex”. But if you are Acme, you might prefer to have people redirected to your commercial site, rather than having them run into a block page. Have no fear. If you have registered a .XXX page that redirects to a non-adult site and would prefer to have it categorized to something that reflects the true content, just send your request to suggest@websense.com or use the online submission tool. Websense customers automatically protected A database download has been pushed out to all Websense customers, timed to take effect before the .XXX top-level domain goes live. Any product, from filtering to TRITON Enterprise, will have this domain categorized in their database as "Sex." We may have some folks out there using old, unsupported versions of Websense that may be in for a surprise, but it shouldn't affect any current customers.


Filed under: