iOS7 announcement prompts themed ransomware kits
Posted: 31 May 2013 02:15 PM

At Websense® Security Labs™ we recently spotted an interesting case of a phishing domain related to the imminent release of the Apple iOS7 Operating System.  

As rumors about iOS7 circulate in the wild after the D11 conference appearance by Apple CEO Tim Cook, cybercriminals are laying the groundwork for phishing and other malicious activities. The domain name was registered about 22 days ago (from the date of this analysis), as also reported by our ThreatSeeker® Intelligence Cloud:

 

 

At first glance, the host has no content other than an open directory, where we detected some interesting binary files:

 

 

While browsing through the content above, we opened the directory named "vl" and were immediately interested in the following result:

 

 

This is the control panel for the ransomware toolkit called "Silence Locker". In this case, we are viewing version 5, which is one of the latest released in 2013. As a ransomware toolkit, Silence Locker can generate a malicious file associated with familiar law-enforcement imagery, based on the country of the potential victims. For example, in the following page the fake FBI Cyber Squad Investigation team is bound to a binary file that has been uploaded:

 

 

The other files hosted on the same directory are all detected by our ThreatSeeker Intelligence Cloud as follows:

 

 

After a brief analysis of the binaries above, we noticed that the AutoIT tool was used to package the malware. This conforms to the current trend of packaging malware to make detection more difficult. We continued our investigation by gathering some telemetry about the IP address that hosts this domain (ios7news.net). From what we discovered, it seems that this IP address is also used for other phishing domains, using the infrastructure below:

 

 

The domain "hxxp://gamingdaily.us" is most likely a phishing domain for a gaming news website that is also used to host  the exploit kit BleedingLife. Here are some details:

 

 

In the first row, it's easy to spot the URL parameters that provide a malicious PDF file that exploits one of the most often-used PDF vulnerabilities (CVE-2010-0188).

It's also possible to detect other vulnerabilities used by this exploit kit, just by looking into the content:

 

 

The two red boxes show the JavaScript code used to provide the optimal exploit, based on the victim's system configuration. The list of CVEs used by this exploit kit is reported here. For worldwide events, attackers can use both IT news and rumors to exploit people's curiosity, as was done here. In this case, we can suppose (due to details such as the open directory access) that the attackers are going to use and configure that domain for malicious activities based on ransomware.


Gianluca Giuliani

Margaret Thatcher's Death Used in Cyber Attacks
Posted: 10 Apr 2013 03:39 AM

As the world remembers former British Prime Minister Margaret Thatcher, cyber attackers are participating too, but in their own tricky ways. Websense® Security Labs™ and the Websense ThreatSeeker® Intelligence Cloud have detected that attackers are sending malicious email spam with a topic referencing the death of Mrs. Thatcher. Actually, it is not new for an attacker to use a hot topic (like the death of Hugo Chavez) to spread malware. In this case, the lure email is very simple, with just a few words related to Mrs. Thatcher, but it pretends to be from your friends by using the "Re: Fwd:" notation. Internet-savvy customers will know that it looks suspicious and should not be tempted to click the link in the email.

 

 

When recipients click the malicious link, they are taken to a redirection page first, and then redirected to a Blackhole Exploit Kit landing page. The landing page detects the browser and plugin information in the client, and then serves the vulnerability file based on the plugin information. The final payload is a Cridex trojan, as seen in our ThreatScope™ report and in the VirusTotal report here. Cridex is known for breaking CAPTCHA codes, and you can see this trojan in action on our previous blog here.

 

Server-side polymorphic technology has been applied to evade traditional AV detection. 

 

 

It is not the first time we have seen the Blackhole malicious email campaign. It has evolved over time in combination with hot topics like the current crisis in Korea or major companies filing for bankruptcy. Please be careful about any email that contains one of the following subjects:


Fwd: Dollar Bank bankruptcy

Re: Shedding light on 'dark matter'

Re: Why Washington is corrupt

Re: Kissinger: Thatcher's strong beliefs

Re: Tax havens busted

Fwd: Re: First Citizens Bank bankruptcy

Fwd: Re: Living large in Don Draper's New York

Fwd: Re: Kissinger: Thatcher's strong beliefs

Re: Fwd: California Bank & Trust bankruptcy

Fwd: Re: Bank of America bankruptcy

Fwd: Allowing knives on planes is 'insane'

Fwd: Re: War with N. Korea

Fwd: Air Canada goes 'Gangnam style'

Fwd: Re: NASA plans to catch an asteroid

Re: Fwd: Dollar Bank bankruptcy

Fwd: Why Washington is corrupt

Fwd: Blast kills 29 on bus in New-York

Fwd: Shedding light on 'dark matter'

Fwd: Re: Marikana massacre aftermath

Re: Fwd: Kissinger: Thatcher's strong beliefs

Fwd: Re: PNC Bank bankruptcy

Re: Fwd: Bank Of The West bankruptcy

Re: Fwd: M&I Bank bankruptcy

Re: Bank Of The West bankruptcy

Fwd: Bank Of The West bankruptcy

Re: Fwd: PNC Bank bankruptcy

Re: Bank of America bankruptcy

Re: Fwd: War with N. Korea

Re: California Bank & Trust bankruptcy

Re: Blast kills 29 on bus in New-York

Re: Fwd: Blast kills 29 on bus in New-York

Re: Sending out SOS for 'America's flagship'

Re: Fwd: Marikana massacre aftermath

Re: Living large in Don Draper's New York

Re: War with N. Korea

Fwd: Re: Death penalty 'harms Bali's reputation'

Re: Fwd: Death penalty 'harms Bali's reputation'

Re: PNC Bank bankruptcy

Re: NASA plans to catch an asteroid

Re: Northern Trust Bank bankruptcy

Fwd: Tax havens busted

Re: Fwd: Why Washington is corrupt

Re: Fwd: Tax havens busted

Fwd: M&I Bank bankruptcy

Re: Fwd: Fashion designer Lilly Pulitzer dies

Re: First Citizens Bank bankruptcy

Re: Fwd: Shedding light on 'dark matter'

Re: Fwd: Living large in Don Draper's New York

Re: Fwd: Northern Trust Bank bankruptcy

Fwd: Re: California Bank & Trust bankruptcy

Re: Air Canada goes 'Gangnam style'

Re: Fashion designer Lilly Pulitzer dies

Re: Dollar Bank bankruptcy

Fwd: Sending out SOS for 'America's flagship'
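The subjects above are a small set of topics wrapped in permutations of "Re:" and "Fwd:". The following added example (not from the original post or any Websense product) strips that prefix chain, matches the remaining topic against the list, and also flags a "Re:" subject that carries no In-Reply-To or References header, a heuristic added here. The sample messages and addresses are constructed.

```python
import re
import unicodedata
from email import message_from_string

# Topics taken from the subject list in the post, with Re:/Fwd: prefixes removed.
LURE_TOPICS = (
    "Dollar Bank bankruptcy", "First Citizens Bank bankruptcy",
    "California Bank & Trust bankruptcy", "Bank of America bankruptcy",
    "PNC Bank bankruptcy", "Bank Of The West bankruptcy",
    "M&I Bank bankruptcy", "Northern Trust Bank bankruptcy",
    "Shedding light on 'dark matter'", "Why Washington is corrupt",
    "Kissinger: Thatcher's strong beliefs", "Tax havens busted",
    "Living large in Don Draper's New York",
    "Allowing knives on planes is 'insane'", "War with N. Korea",
    "Air Canada goes 'Gangnam style'", "NASA plans to catch an asteroid",
    "Blast kills 29 on bus in New-York", "Marikana massacre aftermath",
    "Sending out SOS for 'America's flagship'",
    "Death penalty 'harms Bali's reputation'",
    "Fashion designer Lilly Pulitzer dies",
)
_LURES = {topic.casefold() for topic in LURE_TOPICS}

# One or more leading "Re:", "Fw:" or "Fwd:" markers, in any order.
_PREFIX_CHAIN = re.compile(r"^(?:(?:re|fwd?)\s*:\s*)+", re.IGNORECASE)
_QUOTES = str.maketrans({"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"'})


def normalise(subject):
    """Return (list of prefixes, casefolded topic) for a Subject value."""
    text = unicodedata.normalize("NFKC", subject).translate(_QUOTES)
    text = " ".join(text.split())            # collapse folding and extra spaces
    match = _PREFIX_CHAIN.match(text)
    if not match:
        return [], text.casefold()
    prefixes = re.findall(r"(re|fwd?)\s*:", match.group(0), flags=re.IGNORECASE)
    return [p.lower() for p in prefixes], text[match.end():].casefold()


def assess(raw_message):
    """Return the reasons a message looks like this campaign (empty list if none)."""
    msg = message_from_string(raw_message)
    prefixes, topic = normalise(str(msg.get("Subject", "")))
    reasons = []
    # Only prefixed subjects are listed in the post, so require a prefix.
    if prefixes and topic in _LURES:
        reasons.append("subject matches a campaign lure")
    # Genuine replies normally carry threading headers; fake "Re:" mail often does not.
    if "re" in prefixes and not (msg.get("In-Reply-To") or msg.get("References")):
        reasons.append("reply prefix without In-Reply-To/References")
    return reasons


# Constructed sample messages (addresses and bodies are made up).
SAMPLE_LURE = (
    "From: friend@example.test\nTo: user@example.test\n"
    "Subject: Re: Fwd: Kissinger: Thatcher\u2019s strong beliefs\n\n"
    "short text with a link\n"
)
SAMPLE_BENIGN = (
    "From: colleague@example.test\nTo: user@example.test\n"
    "In-Reply-To: <1234@example.test>\n"
    "Subject: Re: Lunch on Friday\n\nSee you there.\n"
)

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, assess(raw))
```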

 

Websense technologies can protect customers in a multi-stage attack:

  • Websense email security blocks the malicious email.
  • Our Advanced Classification Engine (ACE™) detects the malicious content both in redirection and in the exploit page with real-time intelligence.
  • Vulnerability files and the payload trojan are detected by Websense Gateway products.
  • Websense technologies can identify malicious droppers both statically and behaviorally (via Websense ThreatScope).

 

2013 Threat Report: More Than Scary Stats and Chilling Charts
Posted: 13 Feb 2013 08:30 AM

The 2013 Threat Report from the Websense® Security Labs™ is now available.

 

The report details mobile, social, email and web-based threats, and while it is full of ominous data points, it is a very interesting read. The report is designed to help security professionals keep current with threat trends and improve the effectiveness of existing security solutions. It can also be used to identify and prioritize security gaps that may require new approaches and more innovative strategies.

 

Creating the report began with the Websense ThreatSeeker® Network, composed of big data clusters used by the WSL to collect and manage up to 5 billion inputs each day from 900 million global endpoints. Malware samples, mobile applications, email content, web links and other information were then passed through deep analysis processes including Websense ACE (Advanced Classification Engine), which applied over 10,000 different analytics.

 

Here is a sampling of key findings from this year's report:

 

  1. Web Security. The web became significantly more malicious in 2012, both as an attack vector and as the primary support element of attacks originating through social media, mobile devices, and email. Researchers measured an alarming 600 percent increase in the use of malicious web links through all vectors.
  2. The Social Web. Malicious content was hidden within social media behind shortened web links 32 percent of the time. Social media attacks took advantage of the confusion of new features, changing services and unsophisticated users.
  3. Mobile Security. A study of last year's malicious apps revealed how they often abuse permissions; especially in the use of SMS communications, something very few legitimate apps do. Risks also increased as mobile devices were used for social media and web surfing more often than actually making a phone call.
  4. Email Security. Only 1 in 5 emails sent were legitimate, as spam increased to 76 percent of email traffic, and 92% of spam included links to potentially malicious content. Phishing threats delivered via email also grew.
  5. Malware Behavior. Forensic analysis identified that registry modification behavior in malware has declined to 7.7%. Registry modification was once a key indicator of malicious behavior, but malware has now become increasingly Internet-connected. Half of all malware that used the Internet for communications downloaded additional malicious executables to extend its attack capabilities in the first 60 seconds.
  6. Data Theft. Key changes in data theft targets and methods took place last year. Reports of intellectual property (IP) theft increased, and theft of credit card numbers and other Personally Identifiable Information (PII) continued to grow. Hacking, malware and other cyber-threats continued to be common methods of attack. However, some of the largest thefts involved physical penetration of security as well, often by willful employees.

 

Because today's attacks occur in multiple stages through numerous vectors, the report includes an appendix on The Seven Stages of Advanced Threats. This methodology for analyzing and classifying cyber-attacks provides a useful framework for organizations to assess their current defenses against their security profile, identify weaknesses and develop a more comprehensive strategy for withstanding next-generation attacks. A summary of the Websense 2013 Security Predictions report is also included for planning purposes.

 

 

Click for a video introduction or download a copy of the 2013 Threat Report.

The Hunt for Red October
Posted: 21 Jan 2013 04:30 PM

“Red October” in the title of Tom Clancy’s bestselling novel referred to a Soviet submarine whose silent propulsion system made it undetectable to sonar. It’s a fitting name for the sophisticated cyber-espionage network that has recently been identified after collecting high-level data from governments, embassies and diplomatic networks, energy companies, and other sensitive systems for at least five years.

 

Red October begins as a series of spear phishing attacks with highly personalized emails for specific targets.  These emails include both malicious and "clean" Microsoft® Office attachments, and the attack proceeds as follows:

 

•    The unsuspecting user receives an email with an attached Microsoft Office file and opens the file.
•    The exploit drops and launches two files: a clean Microsoft Word or Microsoft Excel file and a malicious .EXE.
•    Microsoft Word or Microsoft Excel then crashes and exits while the malicious .EXE launches along with the clean document, so the user sees nothing amiss, as shown in these examples:



 

 

 

Java is another attack vector in the spear phishing campaign.  As with the Office based attack described above, Red October sends a spear phish email containing a link that loads a malicious Java applet when opened.

 

All known related C&C IPs and domains associated with the Red October attack are classified as “Bot Networks”. Websense® ThreatScope™ helps protect our customers by identifying all of the embedded files as Malicious, as shown in the following reports:


ThreatScope Report on Dropped File 1

ThreatScope Report on Dropped File 2

ThreatScope Report on Dropped File 3

 

The following CVEs are reported to have been used as part of the Red October spear phishing attacks:

CVE-2009-3129 Excel

CVE-2010-3333 Word

CVE-2012-0158 Word

CVE-2011-3544 Java

 

Targeted attacks like Red October lower a victim's guard by appealing to his or her interests. This social engineering aspect is what makes such attacks so successful. Therefore, it's essential to remain vigilant when opening emails with attachments or links, especially if they are unsolicited.

 

Websense customers are protected by Websense ACE (Advanced Classification Engine), and we will continue to monitor this and other evolving security threats.


RM

Fake Virgin Blue Itinerary Email Soars With Malware
Posted: 13 Dec 2012 11:15 AM

The Websense® ThreatSeeker® Network detected a slew of fake Virgin Blue Itinerary emails.  The email contains a malicious zip attachment called Virgin-Itinerary.pdf.zip, which contains the malicious binary file Virgin-Itinerary.pdf.XXXXX.exe.

 

 

When clicked, the binary copies itself as svchost.exe in the c:\Documents and Settings\All Users directory and then adds a run registry key to run the sample at boot time.  More information on the behavior and activities of the malicious binary file Virgin-Itinerary.pdf.XXXXX.exe can be found in our ThreatScope report here.  
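The attachment described above hides an executable behind a document-looking name, both on the archive (`.pdf.zip`) and on its member (`.pdf.XXXXX.exe`). The following added example (not from the original post) shows one way a mail filter could flag that pattern in a zip attachment; the extension lists are assumptions chosen for illustration, and the sample archive is constructed in memory with placeholder bytes.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed lists for illustration; tune them to local policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
ARCHIVE_EXTS = {".zip"}


def disguised(name, final_exts):
    """True if `name` ends in one of final_exts but shows a document extension earlier."""
    # strip() also catches names padded with spaces before the real extension.
    suffixes = [s.strip().lower() for s in PurePosixPath(name).suffixes]
    return (
        len(suffixes) >= 2
        and suffixes[-1] in final_exts
        and any(s in DECOY_EXTS for s in suffixes[:-1])
    )


def attachment_findings(attachment_name, zip_bytes):
    """Return (kind, name) pairs for the archive and for each disguised member."""
    findings = []
    if disguised(attachment_name, ARCHIVE_EXTS):
        findings.append(("archive", attachment_name))
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if not info.is_dir() and disguised(info.filename, EXECUTABLE_EXTS):
                findings.append(("member", info.filename))
    return findings


def build_sample_zip():
    """Constructed sample: member names only, contents are harmless placeholders."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("readme.txt", b"placeholder")
        # Name as given in the post; "XXXXX" is left exactly as the post writes it.
        archive.writestr("Virgin-Itinerary.pdf.XXXXX.exe", b"placeholder, not a binary")
        archive.writestr("tools/setup.exe", b"placeholder, not a binary")
    return buffer.getvalue()


if __name__ == "__main__":
    for kind, name in attachment_findings("Virgin-Itinerary.pdf.zip", build_sample_zip()):
        print(f"{kind}: {name}")
```

A plain `setup.exe` is not reported here because it does not pretend to be a document; blocking executables in archives outright is a separate policy decision.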

 

 

Virgin Australia issued an advisory on this incident earlier today on Twitter:  https://twitter.com/VirginAustralia

Websense customers are protected from these and other threats by Websense ACE (Advanced Classification Engine).

 

Special thanks to: Tamas Rudnai

 

 

Mary Grace Timcang

Benefits of your Blackberry ID in this attached malware
Posted: 22 Aug 2012 10:39 PM

Websense® ThreatSeeker® Network intercepted a malware campaign targeting Blackberry customers.  These fake emails state that the recipient has successfully created a Blackberry ID.  The messages then continue, "To enjoy the full benefits of your BlackBerry ID, please follow the instructions in the attached file." That, of course, is an attempt to lure victims into running the attached malware.

 

 

 

The malicious email itself is a copy and paste of a legitimate email from Blackberry.  And though the attachment indeed raises suspicion, there's no malicious or compromised URL in it.  17/36 AV engines identify the malware in VirusTotal.

 

ThreatScope analysis, which is a part of the Websense CSI service, reports that running the attachment drops other executable files and modifies the system registry to automatically start these malware programs when the system starts. 

 

 

Websense customers are protected from these threats by ACE, our Advanced Classification Engine.

Mary Grace Timcang

Shamoon/DistTrack affecting energy sector
Posted: 16 Aug 2012 01:42 PM

 

Today news broke that at least one organization in the energy sector was hit by malware named Shamoon or DistTrack. We’ve been looking at the related malware samples and can confirm that Websense products that have our Advanced Classification Engine (ACE) have had proactive detection in place since 13 December, 2010, more than 18 months prior to this attack.

 

Once enabled, the malware is very aggressive and destructive, something that is rarely seen in attacks. Most attacks are designed to be persistent on a system for a long period of time. Shamoon/DistTrack does the opposite in that it overwrites files on the hard-drive, after which it overwrites the master boot record (MBR), rendering the computer un-bootable.

 

The malware consists of three components:

  • Dropper – This is the most essential component in that it installs the malware. It is also the file that ACE has been detecting.
  • Wiper – This is the component that overwrites files and the MBR.
  • Reporter – This module reports a list of found files to the C&C.

 

As mentioned earlier, the Dropper has been detected since 13 December, 2010. Detection for the Wiper and Reporter components was added this morning.

 

When the Dropper executes, it installs several files on the system, including a signed driver (not malicious) that is used to interact with the file system. We are not sure how the malware writers were able to sign the file using a 3rd party organization’s certificate. Most likely it was stolen in a previous attack.

 

 

Here are some MD5s of samples involved in this attack:

 

41f13811fa2d4c41b8002bfb2554a286

3b740cca401715985f3a0c28f851b60e

d214c717a357fe3a455610b197c390aa 

b14299fd4d1cbfb4cc7486d978398214 

 

We're continuing to monitor the situation.

 

Patrik Runald

"Social" malware ready for the Olympic Games 2012
Posted: 20 Jul 2012 01:00 AM

 

The Opening Ceremony of the 2012 Olympic Games is exactly 1 week away and Websense Security Labs researchers are already seeing data-stealing malware that aims to capitalize on the Games. Malware piggybacks on the buzz surrounding current, high profile events like the Olympics in order to steal personal data. Olympics-themed content armed with malware is introduced mainly through social engineering-based attacks. The cyber criminals behind the themed attacks know that they have a better chance of enticing potential victims by appearing current and relevant to a hot topic. That gets clicks, and the chance to spread their data-stealing creations further.

 

We have been following with interest an advisory released by the Polish Computer Emergency Response Team (CERT) which analyzed an interesting sample of data-stealing malware. This malware, once executed, has the ability to interact with social channels like Facebook, Skype, and Microsoft Live Messenger. This particular variant spreads malicious URLs through those channels and the victim's contact list. To be precise, it employs a socially engineered attack accompanied by a malicious URL that ultimately leads to a malware file that is part of a bot network. Since the sample analyzed has tried to take advantage of the buzz around the start of this year's Olympic Games, we decided it was timely to write this blog post.

 

 

Technical Analysis

 

Our analysis is based on a sample (MD5:  3E50B76C0066C314D224F4FD4CBF14D5 ) of the same malware family reported by the CERT.PL advisory. It is also detected as Pushbot, which is known to be a data-stealing malware variant. After a first look, when the binary file is executed on the affected system, it creates a new process of itself in memory with core functionality. When we open it with a debugger and try to debug, it appears that the binary is protected using some anti-debugging techniques. Specifically, we recognize the use of TLS functions (Thread Local Storage) without a clear TlsCallback function. The use of TLS functions makes the reverse engineering a bit trickier, since some of the core routines are already executed when the sample is debugged, thanks to the TLS use.

 

Most likely, the authors of the loader have obfuscated the TlsCallback function. This function is usually executed just before the main entry point function when the binary is run. If we can detect the Thread Local Storage callback function address, it would be possible to retrieve the Relative Virtual Addresses list, which is useful to map the addresses of the functions imported from the system DLLs. In the TLS handler code section it was possible to identify the use of FlsSetValue() and other Flsxxxx functions introduced in the Microsoft Vista operating system:

This snippet of code could also probably be used to detect whether the impacted system is a Windows XP operating system or a Windows Vista/Windows 7 operating system. To avoid spending time obtaining a proper PE file, we opted to dump the process directly from memory. This allows us to start debugging the process at runtime. Basically, we have a dumped and non-compliant PE file, but it has all the information needed to start a dynamic behavior analysis of the malware by attaching our stub (the dumped file) to the runtime process:

In the screenshot above, it is possible to see the different sizes between the dumped process and the original malicious PE file. At this point, the stub has been opened through the debugger, resulting in a clean strings list. This includes a list of shortener domains called by the malware in the initial sequence using the Windows DNS Resolver to be saved in the local DNS Cache. This means the malware is not forced to create another DNS request, rendering detection strategies less easy to implement:

From the strings list, we can also find the list of processes that the malware checks to choose the communication channel used to spread itself. Specifically, the malware looks in memory for these processes: opera.exe, firefox.exe, iexplore.exe, skype.exe, and msnmsgr.exe. When it uses a web browser, the malware changes the starting page to redirect user HTTP sessions to malicious websites. In the case of Skype or Microsoft Live Messenger, the malicious process is able to forge HTTP requests with malicious payloads to users in the victim's contacts list. We have also detected a Facebook URL forger used to build proper HTTP requests and send them to the Facebook server. In this way, if there is an active Facebook session, the malware can send malicious messages to the victim's Facebook friends list. This is seen also when we decrypt the configuration file retrieved by the C&C, as shown here in its encrypted form as originally sent by the C&C server:

The C&C URL requested in this sample is hxxp://tintiurl.net/query.php, which is also involved in the so-called "Alcatraz" botnet. The domain seems to be tied to three different IP addresses, as shown below (from the Robtex result):

 

The IP addresses so far are: 46.220.203.212, 89.63.178.149, and  39.54.215.205. After decrypting the configuration file, we could see a clear 2012 Olympic Games theme:

 

The screenshot below shows the result of the decoding routine (the same routine reported by the CERT PL advisory). Basically, the configuration parameters and the values are Xored with the hexadecimal value 0x66 as shown in the following disassembled code: 

After the decoding cycle, a sort of configuration parser is executed (it starts in the second box above). Going back to the content of the configuration file, we now have the configuration file of the malware decrypted:

The "hp" parameter is used to set the home page of the web browser on infected systems. In this case, the host hxxp://domredi.com/1/, which leads to hxxp://www.easynetseek.com, is used. This is a custom Google search page, as shown below:

 

The parameter "MSN" is set to the shortener hxxp://goo.gl/Ub99F. This URL is sent to users in the Microsoft IM client contacts list. We can also see that the configuration file apparently updates this bot to infect only MSN users, since the parameters related to Facebook and Skype are not set to any URL. The Google short URL redirects to a domain registered 3 days ago ("hxxp://urilsfotosnica.com/images.php?="), which, according to our ThreatSeeker network, still appears to be inactive:

 


 

The pattern ("/images.php?" ) used in the URL above is also a common pattern used by the RedKit Exploit Kit. Below is the source URL of the sample we analyzed in this blog: 

 


 

The URL hxxp://lokralbumsgens.com/pictures.php?pic=google is still active, and the domain was registered 20 days ago.
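The configuration decoding described above (every byte XORed with 0x66) can be reproduced by an analyst on a captured C&C response. The following is an added example, not code from the original post or the CERT PL advisory: it decodes a blob, reports which spreading channels have a URL set, and, going beyond the post, shows how the single-byte key can be confirmed with a known-plaintext crib. The `name=value` line layout, the `FB` and `SKYPE` parameter names and the `example.test` URLs are assumptions; only `hp`, `MSN` and the key 0x66 come from the post.

```python
import re

XOR_KEY = 0x66  # single-byte key reported in the post

# "MSN" appears in the post; "FB" and "SKYPE" are hypothetical parameter names.
CHANNEL_PARAMS = ("MSN", "FB", "SKYPE")


def xor_bytes(data, key):
    """XOR every byte with the same one-byte key (encoding and decoding are identical)."""
    return bytes(b ^ key for b in data)


def recover_key(blob, crib=b"http"):
    """Return every one-byte key under which the crib shows up in the decoded blob."""
    return [key for key in range(256) if crib in xor_bytes(blob, key)]


def parse_config(plaintext):
    """Parse decoded bytes as name=value lines (assumed layout, see lead-in)."""
    config = {}
    for line in plaintext.decode("latin-1").splitlines():
        name, sep, value = line.partition("=")
        if sep:
            config[name.strip()] = value.strip()
    return config


def armed_channels(config):
    """Channels whose parameter holds a value, i.e. the ones the bot will spam."""
    return [name for name in CHANNEL_PARAMS if config.get(name)]


def defang(url):
    """Rewrite http/https as hxxp/hxxps so the URL is safe to paste into a report."""
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)


# Constructed sample: a made-up plaintext encoded with the key, standing in for
# the bytes an analyst would have captured from the C&C response.
_SAMPLE_PLAINTEXT = (
    b"hp=http://search.example.test/1/\n"
    b"MSN=http://short.example.test/abc\n"
    b"FB=\n"
    b"SKYPE=\n"
)
SAMPLE_BLOB = xor_bytes(_SAMPLE_PLAINTEXT, XOR_KEY)

if __name__ == "__main__":
    print("candidate keys:", [hex(k) for k in recover_key(SAMPLE_BLOB)])
    cfg = parse_config(xor_bytes(SAMPLE_BLOB, XOR_KEY))
    print("home page :", defang(cfg["hp"]))
    print("channels  :", armed_channels(cfg))
```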

 

Although this malware is already detected very well, we have focused our attention on how the malware authors are ready to exploit the interest in this worldwide event and succeed better in compromising systems throughout the world. Websense customers are protected from these threats by ACE, our Advanced Classification Engine.

 

 

 

Gianluca Giuliani

Raising DNSchanger Malware Awareness
Posted: 05 Jul 2012 08:42 PM

The cyber trenches are awash today with news of DNSchanger malware. This is to elevate previous efforts to alert the public about the possibility that they could lose their internet services this coming Monday, July 9. DNSchanger malware takes control of a user's DNS, which cyber criminals use to direct unsuspecting users to fraudulent sites or simply to interfere with a user's online activities. Inarguably, these infected servers are going to be taken down, spelling trouble for thousands of users who will lose their internet connections. The Trojan changes the DNS settings to IP addresses in the following IP ranges:

 

  • 85.255.112.0 through 85.255.127.255
  • 67.210.0.0 through 67.210.15.255
  • 93.188.160.0 through 93.188.167.255
  • 77.67.83.0 through 77.67.83.255
  • 213.109.64.0 through 213.109.79.255
  • 64.28.176.0 through 64.28.191.255
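The ranges above can be checked locally against a machine's configured resolvers. The following added example (not from the original post or from dcwg.org) converts the listed ranges to CIDR networks and tests the DNS servers found in `resolv.conf` text or Windows `ipconfig /all` output; both sample inputs are constructed.

```python
import ipaddress
import re

# Rogue resolver ranges exactly as listed in the post (first, last address).
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]


def to_networks(ranges):
    """Collapse each first/last pair into the CIDR network(s) that cover it."""
    networks = []
    for first, last in ranges:
        networks.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return networks


ROGUE_NETWORKS = to_networks(ROGUE_RANGES)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_resolvers(text):
    """Pull resolver IPs from resolv.conf text or `ipconfig /all` output."""
    resolvers, in_dns_block = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.lower().startswith("nameserver"):
            found = IPV4.findall(stripped)
        elif "DNS Servers" in line:
            in_dns_block = True
            found = IPV4.findall(stripped.split(":", 1)[-1])
        elif in_dns_block and IPV4.fullmatch(stripped):
            found = [stripped]      # ipconfig lists extra servers on bare lines
        else:
            in_dns_block = False
            found = []
        resolvers.extend(found)
    return resolvers


def rogue_resolvers(text):
    """Return (resolver, matching network) for every resolver inside a rogue range."""
    hits = []
    for ip in extract_resolvers(text):
        try:
            address = ipaddress.IPv4Address(ip)
        except ipaddress.AddressValueError:
            continue                # e.g. 999.1.1.1 matched the loose regex
        hits.extend((ip, str(net)) for net in ROGUE_NETWORKS if address in net)
    return hits


# Constructed sample inputs.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
SAMPLE_RESOLV = "nameserver 93.188.167.255\nnameserver 192.168.1.1\n"

if __name__ == "__main__":
    for label, sample in (("ipconfig", SAMPLE_IPCONFIG), ("resolv.conf", SAMPLE_RESOLV)):
        print(label, rogue_resolvers(sample) or "no rogue resolvers")
```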

 

According to reports, the problem surfaced when an online advertising scam, operated by international hackers, took control of approximately 570,000 computers worldwide. The FBI estimates more than half of these machines are still infected; 60,000 or more are believed to be in the United States. Infected machines have their antivirus software disabled while users experience slowness when surfing the Web. Several ISPs and companies, including Google, Facebook and Comcast, have released notifications to their customers about this event. The FBI got involved as well and has set up a website, http://www.dcwg.org, for consumers to check their DNS. More information on DNSchanger malware is available here.

 

Here's a screenshot of a machine infected by the DNSchanger malware:

 

Checking this DNS IP in http://www.dcwg.org confirms it's rogue:


We may also see malware, spam, or scam campaigns associated with news about the DNSchanger malware. As a precaution, be careful when clicking links in notification email claiming to be from your ISP or links in Facebook posing as information on DNSchanger malware. These may be spoofed email or links designed to download malware or take you to a malicious website.

 

Websense® security solutions protect against all known variants of the Trojan.

 

Mary Grace Timcang

Faster, Higher, Stronger—Olympic Security Risks
Posted: 20 Jun 2012 06:07 PM

The 2012 Summer Olympic Games in London, England (July 27 to August 12) will mark the third time the city has hosted this event. When previous London Olympics were held in 1908 and 1948, cyberattacks weren't even the stuff of science fiction. This time around, they are a real concern. Hackers are already taking advantage of the huge explosion in search engine requests, ticket sales, online streaming, and social media postings that will occur as a result of this 17-day sports event. 

 

 

The 2008 Beijing Olympics were the target of about 12 million cybersecurity incidents per day. In February, we blogged about Olympic ticket scams associated with the 2012 London games, but that was only the beginning. Ticket scams are a major security concern due to the money involved; four years ago, tickets to the Beijing Opening Ceremony were sold on the black market for $26,000 each.

 

The U.K. government is preparing for all kinds of attacks, from actual terrorism to computer threats. Cabinet Office minister Francis Maude said, "We have rightly been preparing for some time--a dedicated unit will help guard the London Olympics against cyberattacks. We are determined to have a safe and secure Games." He added that an essential element of security is keeping updated on emerging threats: "Our responses have to be fast and flexible. What works one day is unlikely to work a matter of months or even weeks later."

 

The event has been called "the first social Olympics," and organizers anticipate social media will be more important than ever, which means online security is more of a concern than ever. Records will be broken not only on the track and in pools, but also in internet traffic. Ofcom, the U.K. telecom regulator, anticipates the wireless spectrum demand to double in London during the games.  Websense® will help administrators control bandwidth consumption by using our Advanced Classification Engine™ (ACE) to classify streaming media and internet video from the Olympics into the Special Events category.

 

Games organizers have set up an Olympic Athletes' Hub to encourage connection among competitors and fans, but at the same time, have imposed some very strict limits on how they can use social media. We first heard back in January from a friend who is one of the 70,000 Games Makers volunteers that she and her colleagues were warned their social media use might compromise the reputation and security of the event.

 

Ticket purchasers are also being told that they may not "license, broadcast or publish video and/or sound recordings, including on social networking websites and the internet more generally, and may not exploit images, video and/or sound recordings for commercial purposes under any circumstances, whether on the internet or otherwise, or make them available to third parties for commercial purposes."

 

Whether any of this will or even can be enforced remains to be seen. The official IOC guidelines apply (in theory) only to "participants and other accredited persons," but there is a great deal of confusion and concern about what can and can't be shared, and by whom.  U.K. legal consultant Rachel Boothroyd provides a useful overview, guidelines, and summary primarily for social media professionals.

 

Anyone can be targeted by email scams abusing the "London 2012" name, claiming the recipient has won tickets or a large amount of money from a nonexistent "Olympics lottery." The recipient is given a claim number and told to contact a claim agent—and of course, advised to keep the information confidential until the prize is claimed, to avoid spreading the word about the scam. As we have seen in many previous email scams, victims are told they have to make some kind of payment to claim their prize. An official lottery will pay you right away and will not require payment to release your winnings. Email scams often give themselves away through poor use of English, misspellings, U.K. phone numbers starting with 070, and personal email accounts like Gmail or Hotmail accounts. 

 

Common sense may keep you safe in most situations, but hackers and spammers are quickly coming up with new ideas on how to attract and take advantage of new victims. 

 

Websense is protecting our customers from scams and other security problems with ACE, our Advanced Classification Engine.

Elisabeth Olsen


©2013 Websense, Inc. All Rights Reserved.