-
Websense Insight: The Route to Malware
Posted: 28 Sep 2010 01:35 PM
-
How many clicks does it take to get to the malicious code of an infected website? Surprisingly, the answer is usually just two.
In this Websense Insight we look at how most Internet users are only two clicks away from malicious content, in one of three ways: from top sites, through poisoned search results, and via malicious links.
In the video, we use extensive data from the analysis of thousands of links to show that you may be in more danger searching for items on the World Cup than you would be in the "traditionally" dangerous "neighborhoods" of the "adult" or objectionable Web.
We also present some fascinating and surprising data on how close you are to malware and links to malware from some of the most highly trafficked and trusted sites on the Web.
To learn more about Websense Threat research in addition to this blog or view additional Websense Insights, please visit the Insights tab on http://community.websense.com/blogs/
To download the Defensio application, free for individual use, please visit defensio.com.
We'll have more analysis of these statistics and other Web Security findings in our upcoming "State of the Internet Report."
-
Websense Insight: Link Analysis - What links are people sharing on Facebook and Twitter?
Posted: 28 Sep 2010 01:13 PM
-
With millions of Tweets and Facebook postings flying around daily from personal and business users, have you ever wondered where the links in these postings go?
In this Websense Insight we have analyzed hundreds of thousands of social networking links to determine the ecosphere of links and the potential threat vectors of the social Web. Some of the findings may truly surprise you.
For example, did you know that 40 percent of Facebook status posts contain a URL, and that 10 percent of those are either spam or malicious?
We also provide some top tips for avoiding the potential dangers of user-generated content within an organization and on your own Facebook wall.
-
A bad applet in the barrel...
Posted: 26 May 2010 12:06 PM
-
Injecting malicious HTML code into legitimate Web sites has become commonplace in the past few years. More often than not, the attackers inject a script or iframe tag into a legitimate site, meant to redirect visitors to attack sites without their knowledge. Last week, however, we discovered an outlier to that trend: a malicious applet code injection. The injected applet turns the page into a drive-by attack that downloads and then executes a malicious application.
Screen shot of injected page:

Reviewing the applet code, we can see that a 'Client.jar' file is downloaded. Client.jar runs and uses some of the code found in the applet to create a .vbs file on the local system; reviewing its contents shows that it does this by reading the applet parameter "windows1".
Screen shot of Client.jar:

Reviewing the applet code on the injected site, we can see a <param> tag with name='windows1'. The contents of the tag are actually one long command that uses cmd.exe to create a .vbs file at %temp%/winconfig.vbs. At the end of this command you can see that the .vbs file is executed to download a malicious file and place it on the local file system as %temp%/update.exe. Notice the tinyurl passed to winconfig.vbs; this is probably an attempt to make the code look a bit more legitimate, as it doesn't look like it's downloading an executable file.
Screen shot of the .vbs code:

The interesting thing about these injections is the social engineering aspect of the attack. Remember that this applet code is injected by attackers into legitimate pages, and the attack .jar file is hosted on the same infected domain. This means Java may pop up a few warnings, but most people will simply click through and ignore them, especially if they are visiting a "trusted" page. After all, who really reads warnings when they are visiting a page they have been to before? Most people would think that if a warning is coming from a page they have visited and trusted before, it must be a false positive.
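For defenders who want to catch this pattern in crawled or proxied pages, here is an added example (not Websense code) that parses `<applet>` tags and flags any `<param>` whose value combines the indicators described above: a shell invocation, a `%temp%` drop, a `.vbs`/`.exe` artefact, or a tinyurl link. The sample HTML is constructed and the `windows1` payload is a placeholder, not the injected command.

```python
import re
from html.parser import HTMLParser

# Added example, not Websense code. Indicator families come from the post:
# shell invocation, %temp% drop, .vbs/.exe artefact, tinyurl-disguised download.
INDICATORS = {
    "shell": re.compile(r"\bcmd(\.exe)?\b|\b[cw]script\b", re.I),
    "temp_drop": re.compile(r"%temp%", re.I),
    "script_or_binary": re.compile(r"\.(vbs|exe)\b", re.I),
    "shortener": re.compile(r"tinyurl\.com", re.I),
}

class AppletParamParser(HTMLParser):
    """Collect each <applet>'s archive attribute and its <param> name/values."""

    def __init__(self):
        super().__init__()
        self.applets, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "applet":
            self._cur = {"archive": a.get("archive"), "params": {}}
        elif tag == "param" and self._cur is not None:
            self._cur["params"][a.get("name") or ""] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "applet" and self._cur is not None:
            self.applets.append(self._cur)
            self._cur = None

def scan_html(html, min_hits=2):
    """Return (archive, param_name, hits) for params matching >= min_hits families."""
    parser = AppletParamParser()
    parser.feed(html)
    findings = []
    for applet in parser.applets:
        for name, value in applet["params"].items():
            hits = [k for k, rx in INDICATORS.items() if rx.search(value)]
            if len(hits) >= min_hits:  # a lone ".exe" in a benign param stays quiet
                findings.append((applet["archive"], name, hits))
    return findings

# Constructed sample: a benign applet plus one shaped like the injected tag.
SAMPLE_HTML = """<applet code="Clock.class" archive="clock.jar">
  <param name="timezone" value="UTC"></applet>
<applet code="Loader.class" archive="Client.jar" width="1" height="1">
  <param name="windows1" value="cmd.exe /c echo PLACEHOLDER > %temp%\\winconfig.vbs">
</applet>"""
```

Running `scan_html(SAMPLE_HTML)` reports only the `Client.jar` applet's `windows1` parameter; lower `min_hits` to 1 if a single indicator should be enough to alert.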
Here is a quick video of this attack in action.

Websense Messaging and Websense Web Security customers are protected against this attack.
-
Dissecting the Distracting Beach Babes Facebook app
Posted: 26 May 2010 01:01 AM
-
We managed to get our hands on the malicious Facebook application that we blogged about twice in the past few weeks. In the video below we're going to dive into it and see what's going on with this app:

For those of you who can't spare the time to watch the video, this is a brief summary of how it works.
- The first part of the code contains Facebook-specific information such as the API key and secret key.
- It starts off by checking whether the app has permission to post on the user's wall. If it doesn't, it prompts the user to grant that permission using the Facebook APIs.
- It then enumerates the user's friend list, picks a set of friends at random (the count is hardcoded to 10) and posts a message to the walls of those 10 friends.
- A message is then displayed asking the user to click "Continue" to watch the video.
- Yet another page is displayed that loads a thumbnail of a video and overlays the image with a prompt saying that the "FLV Player" needs updating.
- When the user clicks on "Continue", it loads the file videoplayer.php which does a simple redirect to http://www.flvpro.com/downloadfile.php?aff=3447_movies, where 3447_movies is the affiliate ID of the group/person behind the malicious app.
So far we have identified over 100 apps on Facebook that are all working the same way; the only difference is the API and secret keys that are used. In addition to them all working the same way, they also use the same Google Analytics UA ID to track visitor statistics.
Overall the app is very simple and relies entirely on social engineering. The numbers from the two attacks we've seen so far show that, despite its slow propagation method (only sending the message to 10 users at a time), these types of attack unfortunately work very well.