10 Apr 2013 03:39 AM |
As the world remembers former British Prime Minister Margaret Thatcher, cyber attackers are participating too, but in their own tricky ways. Websense® Security Labs™ and the Websense ThreatSeeker® Intelligence Cloud have detected that attackers are sending malicious email spam with a topic referencing the death of Mrs. Thatcher. It is not new for an attacker to use a hot topic (like the death of Hugo Chavez) to spread malware. In this case, the lure email is very simple, with just a few words related to Mrs. Thatcher, but it pretends to be from your friends by using the "Re: Fwd:" notation. Internet-savvy users will recognize that it looks suspicious and should not be tempted to click the link in the email. When recipients click the malicious link, they are taken to a redirection page first, and then redirected to a Blackhole Exploit Kit landing page. The landing page detects the browser and plugin information on the client, and then serves the vulnerability file chosen for that plugin information. The final payload is a Cridex trojan, as seen in our ThreatScope™ report and in the VirusTotal report here. Cridex is known for breaking CAPTCHA codes, and you can see this trojan in action in our previous blog here. Server-side polymorphic technology has been applied to evade traditional AV detection. It is not the first time we have seen the Blackhole malicious email campaign. It has evolved over time in combination with hot topics like the current crisis in Korea or major companies filing for bankruptcy.
Please be careful about any email that contains one of the following subjects:

Fwd: Dollar Bank bankruptcy
Re: Shedding light on 'dark matter'
Re: Why Washington is corrupt
Re: Kissinger: Thatcher's strong beliefs
Re: Tax havens busted
Fwd: Re: First Citizens Bank bankruptcy
Fwd: Re: Living large in Don Draper's New York
Fwd: Re: Kissinger: Thatcher's strong beliefs
Re: Fwd: California Bank & Trust bankruptcy
Fwd: Re: Bank of America bankruptcy
Fwd: Allowing knives on planes is 'insane'
Fwd: Re: War with N. Korea
Fwd: Air Canada goes 'Gangnam style'
Fwd: Re: NASA plans to catch an asteroid
Re: Fwd: Dollar Bank bankruptcy
Fwd: Why Washington is corrupt
Fwd: Blast kills 29 on bus in New-York
Fwd: Shedding light on 'dark matter'
Fwd: Re: Marikana massacre aftermath
Re: Fwd: Kissinger: Thatcher's strong beliefs
Fwd: Re: PNC Bank bankruptcy
Re: Fwd: Bank Of The West bankruptcy
Re: Fwd: M&I Bank bankruptcy
Re: Bank Of The West bankruptcy
Fwd: Bank Of The West bankruptcy
Re: Fwd: PNC Bank bankruptcy
Re: Bank of America bankruptcy
Re: Fwd: War with N. Korea
Re: California Bank & Trust bankruptcy
Re: Blast kills 29 on bus in New-York
Re: Fwd: Blast kills 29 on bus in New-York
Re: Sending out SOS for 'America's flagship'
Re: Fwd: Marikana massacre aftermath
Re: Living large in Don Draper's New York
Re: War with N. Korea
Fwd: Re: Death penalty 'harms Bali's reputation'
Re: Fwd: Death penalty 'harms Bali's reputation'
Re: PNC Bank bankruptcy
Re: NASA plans to catch an asteroid
Re: Northern Trust Bank bankruptcy
Fwd: Tax havens busted
Re: Fwd: Why Washington is corrupt
Re: Fwd: Tax havens busted
Fwd: M&I Bank bankruptcy
Re: Fwd: Fashion designer Lilly Pulitzer dies
Re: First Citizens Bank bankruptcy
Re: Fwd: Shedding light on 'dark matter'
Re: Fwd: Living large in Don Draper's New York
Re: Fwd: Northern Trust Bank bankruptcy
Fwd: Re: California Bank & Trust bankruptcy
Re: Air Canada goes 'Gangnam style'
Re: Fashion designer Lilly Pulitzer dies
Re: Dollar Bank bankruptcy
Fwd: Sending out SOS for 'America's flagship'

Websense technologies can protect customers at each stage of this multi-stage attack: Websense email security blocks the malicious email. Our Advanced Classification Engine (ACE™) detects the malicious content both in the redirection and in the exploit page with real-time intelligence. Vulnerability files and the payload trojan are detected by Websense Gateway products. Websense technologies can identify malicious droppers both statically and behaviorally (via Websense ThreatScope).
Filed under: Malware, Exploits, Malicious emails, Blackhole exploit kit, Captcha, exploit kit
30 Jan 2012 02:00 AM |
Elad Sharf |
In a series of blogs a few years back, we covered how malware could abuse and circumvent online services that use CAPTCHA tests as part of their security (1, 2). In this blog, we take a look at a recent malware variant from the wild, caught on camera, that shows CAPTCHA tests used by some online services are still weak and can be broken by malware. The image below (Picture 1) shows this CAPTCHA-breaking malware's ecosystem, which we'll describe step by step.

Step 1: The starting point of an infection is a banking Trojan variant known as Cridex. This variant is propagated via malicious email messages that hold shortened links leading to exploit kits (see this example), in our case the Blackhole exploit kit.
Step 2: If the exploit is successful, the Cridex variant is downloaded to the machine.
Step 3: Cridex runs on the machine.
Step 4: Cridex is a data-stealing Trojan that is similar to Zeus in the way it operates: it logs content from Web sessions and alters them to harvest information from the infected user. The Cridex configuration file downloaded by this variant (safe to view and download, and shortened here) shows which websites the variant monitors and steals data from, along with Web form injection points (data alteration injected into Web forms to harvest additional data like ATM PIN numbers). We have observed that Facebook, Twitter, and many banking services are targets. A partial list of targeted websites can be found here.
Step 5: Any stolen data from the system is uploaded to a command and control server.

Picture 1: The Cridex ecosystem

Step 6: One of the components downloaded by Cridex with the configuration file is a propagation module, or spamming module, that allows the botmaster to send spam/malicious emails to infect other systems and increase the bot size. The spamming module holds backdoor components that allow browsing activities in the name of the user. The module opens Web sessions to online mail services and registers new email accounts that are later used by the bot to send spam/malicious emails. As we know, online mail services hold security checks like CAPTCHA challenges to verify that a human is indeed behind any account registration.
Step 7: According to our findings, CAPTCHA challenges in some cases can be broken with the help of a CAPTCHA-breaking server, which allows the bot to register a mail account or address after only a few attempts. This video documents the registration of an online mail account by the bot on an infected machine:

Video: Click here to watch the video on YouTube

The CAPTCHA-breaking process consists of posting CAPTCHA challenge images harvested from the online email registration form to a remote Web server (the CAPTCHA-breaking server). The request is an HTTP POST with an embedded CAPTCHA image posted to the CAPTCHA-breaking server. Once the server processes the image, it returns a response in JSON format containing the CAPTCHA text result for the submitted image (see Picture 2). The backdoor component then tries to use that returned CAPTCHA text in the online email account registration form. If the CAPTCHA-breaking server's output is wrong and does not correspond to the CAPTCHA image challenge, the process continues and the next CAPTCHA image challenge is submitted until the server manages to break the CAPTCHA. You can look at Picture 3 to see the images submitted to the CAPTCHA-breaking server and the corresponding results from the server. Not all the attempts succeed in breaking the CAPTCHA, but some do, and in our example you see it took 6 attempts. The malware reports to the CAPTCHA-breaking server whether the result it got actually broke the CAPTCHA. Picture 4 shows HTTP requests that report back to the CAPTCHA-breaking server whether the CAPTCHA result the server gave in previous sessions was indeed successful in breaking the CAPTCHA. A successful CAPTCHA break is signalled with the r parameter: if the parameter is 0 (&r=0), the CAPTCHA break attempt was unsuccessful, whereas if the parameter is 1 (&r=1), the CAPTCHA break attempt was a success.

Picture 2: An HTTP POST request of an image to the CAPTCHA-breaking server and the response from the server
Picture 3: The images posted to the CAPTCHA-breaking server and their corresponding results
Picture 4: The malware reports to the CAPTCHA-breaking server if the CAPTCHA break attempt was successful

Websense® customers are protected from these threats by ACE™, our Advanced Classification Engine.
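The traffic pattern described in Step 7 (repeated image POSTs to one host, each followed by an r=0 or r=1 feedback request to the same host) can be spotted in proxy logs without any knowledge of the breaking server's address. The following detector is an added example written for this post, not Websense code; the log format, the host name captcha-svc.example and the sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed proxy log: time, client, method, URL, request content-type, status.
# The first client shows the pattern from Picture 2 and Picture 4: image POSTs,
# then r=0 / r=0 / r=1 feedback. The second client is an ordinary photo upload.
SAMPLE_LOG = """\
10:01:02 10.0.0.5 POST http://captcha-svc.example/solve image/jpeg 200
10:01:03 10.0.0.5 GET http://captcha-svc.example/report?id=1&r=0 - 200
10:01:05 10.0.0.5 POST http://captcha-svc.example/solve image/jpeg 200
10:01:06 10.0.0.5 GET http://captcha-svc.example/report?id=2&r=0 - 200
10:01:08 10.0.0.5 POST http://captcha-svc.example/solve image/jpeg 200
10:01:09 10.0.0.5 GET http://captcha-svc.example/report?id=3&r=1 - 200
10:02:00 10.0.0.7 POST http://photos.example/upload image/jpeg 200
10:02:01 10.0.0.7 GET http://photos.example/album?page=2 - 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Split one log line into fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, ctype, status = m.groups()
    return {"ts": ts, "client": client, "method": method,
            "url": url, "ctype": ctype, "status": int(status)}


def find_captcha_breaking_hosts(log_text, min_images=2):
    """Return {(client, host): {"images", "reports", "successes"}} for pairs where
    the client POSTs image bodies to a host and also sends r=0/r=1 feedback to it."""
    stats = defaultdict(lambda: {"images": 0, "reports": 0, "successes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        u = urlparse(rec["url"])
        key = (rec["client"], u.hostname)
        if rec["method"] == "POST" and rec["ctype"].startswith("image/"):
            stats[key]["images"] += 1
        r = parse_qs(u.query).get("r")
        if r and r[0] in ("0", "1"):
            stats[key]["reports"] += 1
            stats[key]["successes"] += int(r[0] == "1")
    # Only flag hosts that received both the image submissions and the feedback.
    return {k: v for k, v in stats.items()
            if v["images"] >= min_images and v["reports"] >= 1}
```

Run on the constructed log, only the 10.0.0.5 / captcha-svc.example pair is flagged, with three submissions and one success; the photo upload host has no feedback requests and is left alone.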
Filed under: Malware, Malicious emails, Video, Reverse Engineering, Captcha