Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.


Filtered by: Rogue AV

Fake AV Asks for Subscription Renewals

Posted: 29 Jan 2014 03:00 PM | Mary Grace Timcang


Cleaning up and re-imaging machines infected with rogue AV continues to take precious man-hours from security teams already saddled with increasing responsibility. While fake antivirus software (AV) has yielded the security headlines to exploit kits, ransomware, and crime packs, active rogue AV campaigns continue to be an ongoing challenge to organizations attempting to keep their networks free from malware.

Today, Websense® Security Labs™ researchers, using our Websense ThreatSeeker® Intelligence Cloud, have intercepted one such campaign using malicious emails coming from a fake AV called Anti-Virus Pro. The malicious emails use "PC Security - Renewal" as the subject. These malicious emails offer subscription renewals to unsuspecting customers, who are then redirected to the fake AV site: hxxp://anti-virus-professional.com. The site prompts users to download a trial version of the malware. Websense® ThreatScope detects the fake AV as malicious, and shows that it drops and runs binaries in the filesystem directory of the user profile. Interestingly enough, this malware was first seen on VirusTotal about a year and a half ago, yet only 40% of AV engines had detection at the time of this post.

Intelligence gathered around this malicious campaign suggests that its focus is the manufacturing industry, as well as other service-oriented businesses. Geographically, the campaign originates in the US and the United Kingdom. So far, we are seeing Belgium, the US, and the United Kingdom as the top countries affected. Historically, fake AV has been associated heavily with Black Hat SEO attacks. Now, fake AV is using emails to spread the campaign. This could signal a comeback of one of the most popular malicious campaigns of the past. Websense customers are protected from these and other threats by Websense ACE (Advanced Classification Engine).


I have the latest WordPress version - is my Website protected?

Posted: 13 Mar 2012 04:00 AM | Tamas Rudnai


A few days ago, Websense® Security Labs™ detected a large-scale malware campaign mainly targeting WordPress pages. We have received many questions about which websites are in danger and how to protect against this attack. While many forum posts and comments speculate that outdated WordPress versions are at fault, unfortunately, we found that this is not true. We dug a bit into this subject and analyzed 30,000 domains to see what types and versions of CMS (Content Management System) have been compromised so far.

...


New Mass Injection Wave of WordPress Websites on the Prowl

Posted: 05 Mar 2012 08:00 AM | uwang


The Websense® ThreatSeeker® Network has detected a new wave of mass injections of a well-known exploit that we've been following in Security Labs™ for months. The majority of targets are Web sites hosted by the WordPress content management system. At the time of writing, more than 200,000 Web pages have been compromised, amounting to close to 30,000 unique Web sites (hosts). The injection hijacks visitors to the compromised sites and redirects them to rogue AV sites that attempt to trick them into downloading and installing a Trojan onto their computer.

The injected code is very short and is placed at the bottom of the page, just before the </body> tag.

...


What's More Scary, Hurricanes or Black Holes?

Posted: 20 Sep 2011 08:52 PM | Ran Mosessco


By now, it has become somewhat of a cliché to mention how cyber-criminals try to exploit the latest hot topics to lure victims to malicious content. The recent hurricane scares, however, provided an example that we found interesting. A few weeks ago, Websense Security Labs and the Websense ThreatSeeker® Network came across an email campaign that redirected users to Web pages downloading rogue AV via the Blackhole exploit kit.

Websense Email Security and Websense Web Security protect against this kind of blended threat with ACE, our Advanced Classification Engine.

This post examines how various vectors (email and Web) lead to Blackhole exploit kits and rogue AV, all hosted on a single IP address.

It also shows how some messages from the same email campaign, as well as similar variants, lead to pharmaceutical sites related to the "Yambo Family" group of Web sites.

...


Does Mac OS X Need Protection?

Posted: 07 Jul 2011 03:00 PM | Anonymous


Over the last couple of months, the concern over whether Mac OS X has become a greater target for attackers has grown, and rightfully so. The Mac OS X market share has steadily increased, and is currently well above 10 percent. From the attacker's standpoint, what it always comes down to is dollars. At a certain point, if the user base becomes large enough, then the profit margin to target and exploit these users becomes reasonable for attackers to invest in. Thus, tools, frameworks, and infrastructure are created, and in many cases much of what has already been built for the Windows platform can be reused. Only the malware and exploits have to change to target specific features of the Mac OS X operating system, because malware and exploits created for Windows operating systems will not work on Mac OS X. The fact that Mac OS X hasn't been a major target until only recently has given many users a false sense of security. It's not uncommon to hear rants from a Mac owner about the inherent security of their invulnerable Mac OS X. The truth is that Macs are as vulnerable as Windows; they just don't have the long-running history of gaining the focus and attention of both blackhat and whitehat vulnerability researchers and malware authors. I might even go as far as to say Macs are more vulnerable than Windows, because Microsoft has been in the security game longer than Apple and has a very well-established product development life cycle in which security testing plays a very large part of the testing process.

Mac OS X Vulnerabilities and Active Exploitation

There were only 34 vulnerabilities identified for the Mac in 2009; in 2010, that number rose to 175. This last month (June 2011), Apple released Java for Mac OS X 10.5 Update 10 and Java for Mac OS X 10.6 Update 5 to address multiple vulnerabilities. Apple also released Mac OS X 10.6.8 and Security Update 2011-004 to address multiple vulnerabilities. Many of these vulnerabilities allow for remote code execution.

The numerous security updates indicate that the days of vulnerability researchers not paying attention to Macs are coming to an end. It's also interesting to note that in this year's CanSecWest Pwn2Own contest, a fully patched Mac OS X 10.6.6 computer running Safari 5.0.3 was 0wned in less than 5 seconds.

DIY Crimeware Kits

You've probably heard of a few Do-It-Yourself (DIY) crimeware kits for Windows, such as Zeus and SpyEye. DIY crimeware kits are programs that can automatically create malware. Up until now we've only seen crimeware kits that build Windows malware, but this year the Danish IT security company CSIS Security Group blogged about Weyland-Yutani BOT, a DIY crimeware kit designed for PCs that is able to target the Mac OS X platform. The builder component of the kit runs on Windows machines, and the user has the option of specifying whether they want the resulting malware to run on Mac OS X. The builder will then create a Mac OS X binary. (Figure...


Malicious E-Cards on the prowl

Posted: 26 Apr 2011 09:14 PM | Mary Grace Timcang


Emails disguised as electronic cards have been used as bait over and over again for malicious intent. The fact that they are overused is a clear indicator that this lure indeed works. Websense Security Labs™ and the Websense ThreatSeeker® Network recently came across an e-card themed email. Our customers are protected from this threat by ACE, our Advanced Classification Engine.

Let us first look at the sample email. The URLs used in the emails are either compromised sites or were created barely two weeks ago.

Screen shot 1: Sample email that the Websense Email Threat Team got hold of recently

Clicking the URL within the email directs you to a site containing obfuscated code similar to the one shown in Screen shot 2. This code then creates an iframe containing another URL, which you can see in Screen shot 3.

Screen shot 2: Obfuscated code of the URL that came with the email

Screen shot 3: Deobfuscated code of the URL from the email

The contents of the URL specified in the iframe contain another obfuscated script. This script, which uses redirection code strikingly similar to the one in our recent blog, in turn drops the exploit code and runs a rogue AV on the victim's machine.

Screen shot 4: Code snippet of the URL specified in the iframe used in redirection

Having the victim click on the link and then download an executable is usually the norm in this type of attack. However, in this case, victims are exploited, and malware is downloaded and executed, simply by clicking the URL link that came with the email.

Screen shot 5: Snapshot of the malicious website used in the email

Websense Email Security and Websense Web Security protect against these kinds of blended attacks.


Google Image Poisoning Leads to Exploit

Posted: 21 Apr 2011 09:12 AM | Xue Yang


Google search results have traditionally been the target of black hat SEO campaigns. Websense® Security Labs™ has identified a new trend in which cyber criminals take advantage of Google Image search rankings to spread malware. The Websense Security Labs ThreatSeeker® Network has detected that Google Image search returns poisoned pictures when searching for the celebrity child "Presley Walker". We first found on Monday that all the image search results took users to a notorious exploit kit, Neosploit. Later, it changed to redirecting users to rogue AV sites. As we publish this blog, the search results are still poisoned and are leading to Neosploit again. Websense customers are protected from both types of attack by ACE, our Advanced Classification Engine.

The search results for "Presley Walker" through Google Image:

Let's take a look at the first attack case. When a user clicks the pictures on the top line, the user will be redirected to a Neosploit exploit page. Below is one of the redirection chains used by this exploit kit:

From the chain, we see the third URL is the malicious site holding the exploit code. We found that all the exploited sites are hosted on the same IP, 66.235.180.91, and interestingly, they constructed it with the same path named TF19, which looks like a pattern of this campaign. Finally, it triggers the appropriate vulnerabilities targeted by this exploit kit according to the user's operating system and browser. From the chain above we see it downloaded a PDF file that targeted three Adobe Reader vulnerabilities. This PDF file is heavily obfuscated and has a relatively low VirusTotal detection rate.

The list of URLs hosted on the IP, as shown from our ThreatSeeker network:

Neosploit is a well-known exploit kit on the black market. The authors reportedly stopped supporting and updating the exploit kit due to financial problems, but variants of Neosploit have been updated frequently. The variants may contain MDAC (CVE-2006-0003), ActiveX (CVE-2008-2463, CVE-2008-1898), and three Adobe Reader (Collab.getIcon, Util.Printf, Collab.collectEmailInfo) vulnerabilities, among others.

The second case is one of the common tricks black hat SEO campaigns always use: luring users to download fake antivirus software called InstallInternetProtectionXXX.exe. From the VirusTotal scan result, only 20% of antivirus engines detected this malware.

The rogue AV page when using Firefox to surf the Web:


Veteran's Day spurs Poisoned Search

Posted: 10 Nov 2010 11:58 PM | Mary Grace Timcang


Today is Veteran's Day, and like any other holiday, black hat SEO and spam emails have been visible since Monday this week. Websense customers are protected against this attack through our Advanced Classification Engine. Search terms like veteran's day, veteran's day 2010, veteran's day events, veteran's day california and veteran's day honolulu return poisoned web results.

Earlier this week, the code found on the infected site was reminiscent of last week's Midterm Elections attack. In fact, the websites used in the Midterm Elections black hat SEO are also the ones used for the Veteran's Day black hat SEO. At the time, the redirection was not working, although the URL specified is an active rogue AV site. As you can see below, the election term is replaced by Veteran's Day related search terms.

Today, the poisoned results' redirection pages are up and running. If the user is using Firefox, they will be redirected to a fake Firefox update page prompting them to download a file called firefox-update.exe, detected by 13/40 VT engines. For Internet Explorer, the ever so familiar rogue AV page is where users are redirected. The only thing noticeable is that the rogue AV installer is not available for download; clicking on the "Remove all" button only prompts a warning box.

The fact remains that there is more than one way to find something on the web. And so the malware pushers also decided to use poisoned image results too. Unlike the poisoned web search results, poisoned image results have been active since Monday. The payload is also browser-based today, although it was serving up rogue AV regardless of the browser last Monday. Finally, spammers also want their share of the pie, so when you look at the results under videos, a slew of adult content is returned. Of course, this is in addition to the spam emails spammers have been distributing since last week.

To conclude, we have seen how business-minded malware pushers are: one code used in two different events. As always, be cautious when clicking search results. It's not every time that the "This site may harm your computer." warning is there to save the day, especially in video and image search results. Moreover, keep in mind that malware pushers are diversifying their portfolio by including poisoned image search results more and more.

UPDATE

We are also seeing the same attack on search terms related to today's UK Remembrance Day. Do be cautious in searching for holocaust remembrance day 2010 and remembrance day 2010.
