I have the latest WordPress version - is my Website protected?
Posted: 13 Mar 2012 04:00 AM

A few days ago, Websense® SecurityLabs™ detected a large-scale malware campaign mainly targeting WordPress pages. We have received many questions about who and which websites are in danger and how to protect against this attack. While many forum posts and comments speculate that outdated WordPress versions are at fault, unfortunately, we found that this is not true. We dug a bit into this subject and analyzed 30,000 domains to see what types and versions of CMS (Content Management System) have been compromised so far.

 

We checked several aspects of each of these compromised websites and concluded that most of them are served by Apache webserver and PHP environment. As you can see in the pie chart below, PHP dominates the server side:

 

 

Digging a little deeper, we were also able to examine which CMS were victims of the attack. Initially, when we discovered the attack, we found only WordPress sites, and after a week or so, the picture did not change that much. WordPress still serves the majority of the compromised websites; however, we did see a small amount of other CMS as well. We also noticed that an increasing number of Joomla sites are also affected, with all other content managers making up a tinier slice.

 

 

The big question still remains: Is my Website protected if I use the latest WordPress version? Checking all WordPress sites, we conclude that most of the compromised sites were in fact using the most recent version, which indicates that having the latest version of WordPress does not make you immune to this threat. 

 

So how can you protect yourself? Here are some of the dominant attack vectors that websites using the latest WordPress version are likely to be exploited through:

 

  • Weak passwords / stolen credentials
  • Vulnerable third-party modules used in WordPress
  • Security holes in the underlying server infrastructure, such as in the database server or the server side scripting engine (PHP in this case)

 

Websense Security Labs strongly recommends that website owners perform security audits and fix all problems to keep attackers away from their sites. Websense customers are protected from injected websites with our Advanced Classification Engine, or ACE, which detects compromised websites in real time. 

 

 

New Mass Injection Wave of WordPress Websites on the Prowl
Posted: 05 Mar 2012 08:00 AM

The Websense® ThreatSeeker® Network has detected a new wave of mass-injections of a well-known rogue antivirus campaign that we've been following in Security Labs™ for months. The majority of targets are Web sites hosted by the WordPress content management system. At the time of writing, more than 200,000 Web pages have been compromised, amounting to close to 30,000 unique Web sites (hosts). The injection hijacks visitors to the compromised sites and redirects them to rogue AV sites that attempt to trick them into downloading and installing a Trojan onto their computer.

 

The injected code is very short and is placed at the bottom of the page, just before the </body> tag.
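A defender-side check for the placement described above, as an added example that is not Websense code: it lists external scripts sitting directly before `</body>` whose host is not on the site's allowlist. The page does not show the injected markup, so the `<script src>` form, the function names, the host names and the sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class TailScriptFinder(HTMLParser):
    """Collects the <script src=...> tags that sit directly before </body>."""

    def __init__(self):
        super().__init__()
        self.run = []          # script sources seen since the last other content
        self.tail = None       # copy of `run` taken when </body> is reached
        self.in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            src = dict(attrs).get("src")
            if src:
                self.run.append(src.strip())
        else:
            self.run = []      # any other element breaks the trailing run

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        elif tag == "body":
            if self.tail is None:
                self.tail = list(self.run)
        else:
            self.run = []

    def handle_data(self, data):
        if not self.in_script and data.strip():
            self.run = []      # visible text also breaks the run


def suspicious_tail_scripts(html, site_host, allowed_hosts=()):
    """Return (host, src) for trailing external scripts from unlisted hosts."""
    parser = TailScriptFinder()
    parser.feed(html)
    parser.close()
    # A truncated page may lack </body>; fall back to the run at end of input.
    tail = parser.tail if parser.tail is not None else parser.run
    trusted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    findings = []
    for src in tail:
        host = (urlparse(src).hostname or "").lower()
        if not host:
            continue           # relative URL: served by the site itself
        if any(host == t or host.endswith("." + t) for t in trusted):
            continue
        findings.append((host, src))
    return findings


# Constructed sample pages (not captured from the campaign).
CLEAN_PAGE = """<html><head>
<script src="http://widgets.example.com/head.js"></script>
</head><body>
<div id="content"><p>Hello</p></div>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://cdn.example.net/stats.js"></script>
</body></html>"""

INFECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script src="http://injected.example.invalid/r.php?p=1"></script>\n</body>',
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        hits = suspicious_tail_scripts(page, "blog.example.org", ["cdn.example.net"])
        print(name, hits)
```

Legitimate footer scripts (analytics, CDN libraries) also sit before `</body>`, so the allowlist has to be built from a known-good copy of the theme.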

 

 

After a three-level redirection chain, victims land on a fake AV site. In this example, the first chain is the ".rr.nu", and the landing site is the ".de.lv" top-level domain, but the landing site keeps changing. The rogue AV site appears to perform a scan on the computer and scares the user by displaying fake malware detections of various kinds of Trojans. The page looks like a Windows Explorer window with a "Windows Security Alert" dialogue box in it.  The fake scanning process looks like a normal Windows application, however, it is only a pop-up window within the browser. The fake antivirus then prompts visitors to download and run their "antivirus tool" to remove the supposedly found Trojans. The executable is itself the Trojan.

 

 

It is, we think, an interesting observation that more than 85% of the compromised sites are in the United States, while visitors to these web sites are more geographically dispersed. We think it's useful to note that while the attack is specific to the US, everyone is at risk when visiting these compromised pages.

 

Countries hosting compromised Web sites:


 

Country of origin of visitors:


 

Websense Security Labs continues to monitor the evolution of this campaign. Websense customers are protected with the Advanced Classification Engine, ACE, which detects compromised Web sites in real-time. 

 

Blackhole Exploit + Rogue AV capitalizes on Steve Jobs' passing
Posted: 06 Oct 2011 10:59 PM

Websense ThreatSeeker® Network has detected malicious email messages claiming that the late Apple founder and CEO, Steve Jobs, is still alive.  Websense Email Security and Websense Web Security protect against these blended attacks with ACE, our Advanced Classification Engine.

 

Some of the email subjects used in this attack include:

  • Steve Jobs: Not Dead Yet!
  • Steve Jobs Alive!
  • Steve Jobs Not Dead

 

Screenshot 1 : Sample Email Messages

 

The email messages contain links to compromised web sites that redirect to Blackhole Exploit Kit and install Rogue AV malware.  The malicious file used in this attack is poorly detected by AV engines.

 

Screenshot 2 : Malicious Redirect

 

Screenshot 3 : Obfuscated Exploit Code

 

As always, don't click on links in emails you didn't expect to receive, they tend to be bad news.

Mary Grace Timcang

First Wave of Halloween Scares
Posted: 05 Oct 2011 04:00 PM

 

Halloween is just around the corner, and, as expected, malware authors have already concocted a brew of early scares: blackhat SEO, fake Adobe Flash notification, and a malicious file download.

We start with the search term "halloween skeleton templates," which brings up a poisoned search result. The link redirects users to what appears to be a fake YouTube site.


 

The fake YouTube site uses nude images of celebrities like Emma Watson and Paris Hilton as a ploy. These, along with salacious captions, are meant to entice users into playing the apparent video.  When users click any of the links on the page, they are prompted to update Adobe Flash Player.

 

 

Users who fall for the trick are prompted to download a malicious file called scandsk.exe, identified by 15/43 VirusTotal engines.

 

 

Websense Web Security customers are protected against this attack through our Advanced Classification Engine.

Mary Grace Timcang

What's More Scary, Hurricanes or Black Holes?
Posted: 20 Sep 2011 08:52 PM

By now, it has become somewhat of a cliché to mention how cyber-criminals try to exploit the latest hot topics to lure victims to malicious content. The recent hurricane scares, however, provided an example that we found interesting. A few weeks ago, Websense Security Labs and the Websense ThreatSeeker® Network came across an email campaign that redirected users to Web pages downloading rogue AV via the Blackhole exploit kit.

 

Websense Email Security and Websense Web Security protect against this kind of blended threat with ACE, our Advanced Classification Engine.

 

This post examines how various vectors (email and Web) lead to Blackhole exploit kits and rogue AV, all hosted on a single IP address. It also shows how some messages from the same email campaign, as well as similar variants, lead to pharmaceutical sites related to the "Yambo Family" group of Web sites.

 

EXPLOITED

 

The malicious mail reads as follows:

 

 

 

As you can see, the text references hurricanes Irene and Katia, names various, random people in the text, addresses the potential victim by his or her email user name, and suggests that the reader check out a link whose domain name looks, at first glance, to be related to meteorology.

 

In fact, the Web site had nothing to do with the weather, but it did host a malicious page that contained this code:

 

 

The metrologyservices.com site was cleaned the next day, and the offending page was removed.

 

If we check out the redirection target, we see that it shares an IP address, 91.228.133.74, with a host of other domains with names that look equally suspicious:

 

 

But it's not just the names that are suspicious. These domains are all related to Blackhole exploit kit and/or rogue AV, and we've seen them being accessed through various vectors:

 

  • Email campaigns, as shown above and below
  • SEO poisoning using compromised WordPress pages -- in fact, searching for the page linked in the hurricane email leads to:

http://wordpress.org/support/topic/plugin-add-link-to-facebook-links-are-hijacked-to-softwarepromoru

http://wordpress.org/support/topic/dashboard-virus

 

In these cases, the htaccess file has been hacked for SEO poisoning, as seen here:
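An audit for this kind of tampering, as an added example that is not from the original post: it reads an .htaccess file and reports RewriteRule lines that send visitors to another host only when a RewriteCond tests the Referer or User-Agent. The page does not show the modified file, so the rule shape, the function name and the sample file below are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Request properties that a cloaked redirect typically keys on, so that the
# site owner browsing directly never sees the redirect.
CLOAK_VARS = ("HTTP_REFERER", "HTTP_USER_AGENT")


def audit_htaccess(text, site_host):
    """Return (line_no, target_host, tested_vars) for conditional off-site redirects."""
    site_host = site_host.lower()
    findings = []
    conds = []                         # RewriteCond test strings awaiting a rule
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            conds.append(parts[1])
        elif directive == "rewriterule" and len(parts) >= 3:
            host = (urlparse(parts[2]).hostname or "").lower()
            external = bool(host) and host != site_host \
                and not host.endswith("." + site_host)
            tested = sorted({v for c in conds
                             for v in re.findall(r"%\{(\w+)\}", c)})
            cloaked = [v for v in tested if v in CLOAK_VARS]
            if external and cloaked:
                findings.append((line_no, host, cloaked))
            conds = []                 # conditions apply to the next rule only
    return findings


# Constructed sample: a stock WordPress block, a canonical-host redirect, and
# an appended block that redirects search-engine visitors off-site.
SAMPLE_HTACCESS = r"""# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_HOST} ^example\.org$ [NC]
RewriteRule ^(.*)$ http://www.example.org/$1 [R=301,L]
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.*
RewriteRule ^(.*)$ http://redirector.example.invalid/dir/index.php [R=301,L]
"""

if __name__ == "__main__":
    for line_no, host, tested in audit_htaccess(SAMPLE_HTACCESS, "example.org"):
        print(f"line {line_no}: redirect to {host} conditional on {tested}")
```

The parser splits on whitespace and ignores line continuations and quoted patterns, so treat a clean result as a first pass and diff the file against a known-good copy as well.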

 

 

If we look up the whois information for these domains, we find they were registered to one private person: ivan-sushkin[at]yandex[dot]ru.

 

Looking this up leads us to all sorts of interesting information about domains related to that email address, like last year's attacks against osCommerce sites:

 

http://blog.unmaskparasites.com/2010/10/14/htaccess-redirect-to-example-rudirindex-php-2/

http://blog.unmaskparasites.com/2010/11/19/update-on-htaccess-redirects-of-oscommerce-sites/

http://blog.unmaskparasites.com/2011/01/18/another-update-on-the-oscommerce-htaccess-hack/

http://blog.sucuri.net/2010/11/continuing-attacks-against-oscommerce-sites.html

 

Websense Security Labs'™ principal security researcher, Stephan Chenette, using his Fireshark tool, came across a CSS file on a popular sports fan site that was injected with malicious code also redirecting to the same IP address:

 

<compromised domain>/modules/mod_activitystream/style.css -> hxxp://protect-secure.ru/culture/index.php

 

It also alternated to other domains, like hxxp://protect-now.ru/upkeys/index.php, hxxp://yourprivacy.ru/product/index.php.

 

Here's an example one of our researchers, Armin Buescher, analyzed, using one of our proprietary tools:

 

 <compromised domain>/ modules/mod_activitystream/style.css (the compromised URL)
checkprivacy.ru / refresh / index.php (redirector)
yanquihkenu.monbe.be / main.php?page=ee87d5979969cea3 (Blackhole exploit kit)
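The same kind of chain can be recovered from proxy logs. The following added example (not the proprietary tool mentioned above) walks Referer headers backwards from every request that reached a given IP address, which shows which compromised site or search lure each visit started from. The log format, function names and log lines are constructed; only the IP address and the two .ru redirector URLs come from this post.

```python
from urllib.parse import urlparse


def parse_line(line):
    """Assumed log format: timestamp client dst_ip url referer ('-' if none)."""
    ts, client, dst_ip, url, referer = line.split()
    return {"ts": ts, "client": client, "dst_ip": dst_ip, "url": url,
            "referer": None if referer == "-" else referer}


def chains_to_ip(lines, bad_ip, max_hops=10):
    """Return (client, [entry_url, ..., url_on_bad_ip]) for each hit on bad_ip."""
    seen = {}        # (client, url) -> referer of the latest request for url
    chains = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        seen[(rec["client"], rec["url"])] = rec["referer"]
        if rec["dst_ip"] != bad_ip:
            continue
        # Walk the Referer links back to the first page of the visit.
        chain = [rec["url"]]
        ref = rec["referer"]
        while ref and ref not in chain and len(chain) < max_hops:
            chain.append(ref)
            ref = seen.get((rec["client"], ref))
        chains.append((rec["client"], list(reversed(chain))))
    return chains


def hosts_on_ip(lines, bad_ip):
    """Distinct host names that were requested on bad_ip."""
    hosts = set()
    for line in lines:
        if line.strip():
            rec = parse_line(line)
            if rec["dst_ip"] == bad_ip:
                hosts.add(urlparse(rec["url"]).hostname)
    return sorted(hosts)


BAD_IP = "91.228.133.74"   # IP address named in this post

# Constructed log lines; URLs are kept defanged (hxxp) as in the post.
SAMPLE_LOG = """\
2011-09-12T10:00:01 10.0.0.5 192.0.2.10 hxxp://fansite.example/modules/mod_activitystream/style.css hxxp://fansite.example/
2011-09-12T10:00:02 10.0.0.5 91.228.133.74 hxxp://protect-secure.ru/culture/index.php hxxp://fansite.example/modules/mod_activitystream/style.css
2011-09-12T10:05:00 10.0.0.9 192.0.2.20 hxxp://insurance.example/ hxxp://www.google.com/search?q=automobile
2011-09-12T10:05:01 10.0.0.9 91.228.133.74 hxxp://privacy-check.ru/uptime/index.php hxxp://insurance.example/
2011-09-12T10:06:00 10.0.0.7 192.0.2.30 hxxp://news.example/ -
""".splitlines()

if __name__ == "__main__":
    for client, chain in chains_to_ip(SAMPLE_LOG, BAD_IP):
        print(client, " -> ".join(chain))
    print(hosts_on_ip(SAMPLE_LOG, BAD_IP))
```

Referer headers can be stripped or absent, so a chain may start later than the real entry point; the first element is the earliest hop the logs can prove.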

 

Exploits or payloads hosted on the attack server included:


yanquihkenu.monbe.be / content/worms.jar
yanquihkenu.monbe.be / content/2fdp.php?f=26
yanquihkenu.monbe.be / w.php?f=26&e=4
yanquihkenu.monbe.be / w.php?f=26&e=6
yanquihkenu.monbe.be / GWeather.class

 

On September 8, detection of the malware payload on VirusTotal was at 5/44:
http://www.virustotal.com/file-scan/report.html?id=56742d301e1b7e62e831d13f6d1cdfd079a78be22c2bf0cbbc3b71eda18338a5-1315505246


A day later, detection climbed up to 18/44:
http://www.virustotal.com/file-scan/report.html?id=56742d301e1b7e62e831d13f6d1cdfd079a78be22c2bf0cbbc3b71eda18338a5-1315567566

 

 Another SEO poisoning example, this time just searching for the term "automobile" on Google, came up with this result at number 22:

 

hxxp://www.cheap-online-automobile-insurance.com/

 

On September 12, this site was redirecting to:

 

hxxp://privacy-check.ru/uptime/index.php (with the same IP address, of course 91.228.133.74).

 

The trending topics (email/SEO) are not the only lure the criminals try to use. Here's a later example that looks, at first, like a somewhat common "Secret Shopper" scam, suggesting you could be a Walmart evaluator:

 

 

 

It leads to this:

 

 

 

 

Blackhole exploit kit:

 

 

NtWriteFile /Device/HarddiskVolume1/Documents and Settings/victimo/Desktop/0.649734766565878.exe
NtCreateProcessEx /Device/HarddiskVolume1/Documents and Settings/victimo/.exe
NtWriteFile /Device/HarddiskVolume1/Documents and Settings/victimo/.exe
NtCreateProcessEx /Device/HarddiskVolume1/Program Files/Java/jre6/bin/javaws.exe
NtCreateProcessEx /Device/HarddiskVolume1/Program Files/Java/jre6/bin/java.exe
 

 

OK, I think everyone gets the idea. Whether it's topical emails or SEO poisoning, you are going to get served with something unpleasant from "Ivan Sushkin."

 

 SPAMMED

 

But wait! There's more!

 

Let's go back  to the hurricane scares for a minute. There are more of the same type of hurricane emails, sent at the same time, but with different links. These lead to pharmaceutical spam pages, like "US Drugs" (shown below):

 

 

 

 

And you think we'll leave you with that? No chance!

 

A few days later, what better topic to exploit than Labor Day. This time, it's with a little adult-themed lure, leading to Canadian Health & Care Mall and US Drugs. Notice how the email body also has random people's names, in an effort to give more credibility to the text:

 

 

 

 

For further reading about these two "distinguished" pharmaceutical establishments, see these entries in the spamtrackers.eu Wiki:

 

US Drugs

Canadian Health & Care Mall

Yambo Family

 

SUMMARY

What we see is that the use of hot topics to attract victims to cyber-criminals' sites is widespread and varied. It can be to exploit their computer, scare them into paying for rogue AV, and/or serve them a spam page (with all the monetary gain to the criminals that comes with the affiliate programs). We can also see how the various vectors are flexible enough to be used for spam or malicious purposes. At the same time, we get an underlying feeling that "the more things change, the more they stay the same." It was quite amusing for us to see how various, unrelated topics from different vectors all led to the same IP address, with domains all registered to the same name. But for a real user, replace the term "amusing" with frustrating, risky, or expensive. There's no guarantee that the victim will "just" get a pharmaceutical spam message, as it is quite common for redirection targets to change between malicious pages hosting exploit kits and more benign spam.

 

Besides the protection that Websense Email Security and Websense Web Security products offer, we can never emphasize enough how careful users should be when following any link related to current events, even if it seems to come from a known source. Of course, in this case, it's a good idea to block access to this particular IP address, but rest assured that the same gang will have other domains registered to other IP addresses. This is where the real-time protection of ACE, our Advanced Classification Engine, comes into play.

 

Does Mac OS X Need Protection?
Posted: 07 Jul 2011 03:00 PM



Over the last couple of months, the concern of whether Mac OS X has become a greater target for attackers has grown, and rightfully so. The Mac OS X market share has steadily increased, and is currently well above 10 percent.

 

From the attacker's standpoint, what it always comes down to is dollars. At a certain point, if the user-base becomes large enough, then the profit margin to target and exploit these users becomes reasonable for attackers to invest in. Thus, tools, frameworks, and infrastructure are created and in many cases, much of what has already been built for the Windows platform can be reused. Only the malware and exploits have to change to target specific features of the Mac OS X operating system. This is because malware and exploits created for Windows operating systems will not work for Mac OS X.

 

The fact that Mac OS X hasn't been a major target up until only recently has given many users a false sense of security. It's not uncommon to hear rants from a Mac owner of the inherent security of their invulnerable Mac OS X. The truth is that Macs are as vulnerable as Windows, they just don't have the long running history of gaining the focus and attention of both blackhat and whitehat vulnerability researchers and malware authors. I might even go as far as to say Macs are more vulnerable than Windows, because Microsoft has been in the security game longer than Apple and has a very well-established product development life cycle where security testing plays a very large part in the testing process.

 

Mac OS X Vulnerabilities and Active Exploitation


There were only 34 vulnerabilities identified for the Mac in 2009; in 2010, that number rose to 175. This last month (June 2011), Apple released Java for Mac OS X 10.5 Update 10 and Java for Mac OS X 10.6 Update 5 to address multiple vulnerabilities. Apple also released Mac OS X 10.6.8 and Security Update 2011-004 to address multiple vulnerabilities. Many of these vulnerabilities allow for remote code execution. The numerous security updates indicate that the days of vulnerability researchers not paying attention to Macs are coming to an end. It's also interesting to note that in this year's CanSecWest's Pwn2Own contest, a fully patched Mac OS X 10.6.6 computer running Safari 5.0.3 was 0wned in less than 5 seconds.


DIY Crimeware Kits


You've probably heard of a few Do-It-Yourself (DIY) crimeware kits for Windows, such as Zeus and SpyEye. DIY crimeware kits are programs that can automatically create malware. Up until now we've only seen crimeware kits that build Windows malware, but this year the Danish IT security company, CSIS Security Group, blogged about Weyland-Yutani BOT, a DIY crimeware kit designed for PCs that is able to target the Mac OS X platform. The builder component of the kit runs on Windows machines and the user has the option of specifying whether they want the resulting malware to run on Mac OS X. The builder will then create a Mac OS X binary.

 
(Figure 1: Weyland-Yutani BOT admin interface)


The Weyland-Yutani BOT DIY crimeware kit and its ability to create Mac OS X malware is a first of its kind and could mean we'll be seeing more auto-created Mac OS X malware in the future.

 

Mac OS X Malware

 

More and more malware is turning up targeting Mac OS X.  On average, about 5,000 new pieces of Mac OS X malware are received by security companies a day. This is still quite small compared to the 70,000 pieces of malware received targeting the Windows platform. We believe this number will increase by next year, due to the Mac OS X market share growing and the increase in underground interest in Mac OS X malware creation.

 

Mac OS X Rogue Antivirus

 

Rogue Antivirus is and has been a hugely successful technique by attackers to scare users into thinking they have been infected, when in reality they haven't been, and downloading what they think is antivirus software, paying for it, and installing it on their machine. The end result is that a user pays the attacker directly for installing fake software. This typically happens when a user goes to a legitimate site, which has been compromised and a window that looks much like the Windows Explorer window or desktop window pops up indicating that the machine has been infected:


(Figure 2: Windows Rogue Antivirus pop-up window)

 

In reality, the above screen is actually not Windows Explorer, it's a web page that's been created to look exactly like Windows Explorer, in order to scare you into thinking your operating system is telling you that your machine has been infected. By clicking through and continuing, you're then prompted with an option to download and install antivirus software that will remove all the infections. Once you download it and start the installation process, you're asked to pay for it. At this point, if you decide to pay for it, the attackers have accomplished their goal, they've tricked you into paying them directly for fake software; the software doesn't need to steal, or hide itself, it's done its job.

 

Attackers running these scams can check on a website what operating system you are using, and up until only recently they tricked only Windows users, since the graphics on these pages have been crafted to look like the Windows desktop. But attackers have started to target Mac users, and in the last few months, the same websites that used to only trick Windows users have been tricking Mac OS X users. They started with poisoning Google Search Images to lead to rogue antivirus and then Facebook viral scams. The screen will typically look like this for Mac OS X users:


(Figure 3: Mac OS X Rogue Antivirus pop-up window)

 

The screen above looks much like the Mac OS X Finder, the built-in file explorer, and if a user downloads and starts the install process, they, too, are prompted to pay a standard license fee to clean what they assume is an infected machine. The variants that have emerged are Mac Defender, Mac Protector, and Mac Security:


(Figure 4: Mac Defender admin interface)


(Figure 5: Mac Protector admin interface)


(Figure 6: Mac Security admin interface)

 

All of these rogue antivirus variants accomplish the same thing: they trick the user into paying for security issues they never had. After installing, they each do slightly different things, but the goals are all the same: pay the attackers.

 

Conclusion

 


So, yes, Mac OS X needs protection, at the moment mainly from its own users. Exploitation is still fairly minimal and common sense should help users avoid being socially engineered (tricked), into downloading, installing, and ultimately willingly handing over their credit card details and payment to the bad guys. 


Websense Security Labs is dedicated to keeping up with the latest emerging threats, be it for Windows, Macs, or any operating system. Our concern is the safety of our users. We continually deploy protection measures into ACE, our Advanced Classification Engine, to detect and block all web content that serves exploits and malware, regardless of what operating system it targets.

 

To protect yourself as a home user, try to follow the following best practices to protect yourself online:

 

  • Do not download or open files from untrusted websites 
  • Do not click on links from unknown or untrusted web sites or suspicious links from trusted sources
  • Do not open e-mail attachments from unknown users or suspicious emails from trusted sources
  • Apply appropriate patches to vulnerable systems immediately after appropriate testing
  • Educate yourself on common threats so as to recognize them and avoid being tricked into falling victim to them

 


Please leave feedback or comments, so we can make sure to fully address any questions or concerns you have about Mac OS X security threats.

Thanks!

Stephan Chenette - Principal Security Researcher


Anonymous

Malicious E-Cards on the prowl
Posted: 26 Apr 2011 09:14 PM

 

Emails disguised as electronic cards have been used as bait over and over again for malicious intent. The fact that they are overused is a clear indicator that this lure indeed works.  Websense Security Labs™ and the Websense ThreatSeeker® Network recently came across an e-card themed email.  Our customers are protected from this threat by ACE, our Advanced Classification Engine.

 

Let us first look at the sample email.  The URLs used in the emails are either compromised sites or were only created barely two weeks ago.

 

Screen shot 1 : Sample email that the Websense Email Threat Team got hold of recently



Clicking the URL within the email directs you to a site containing obfuscated code similar to the one shown on Screen shot 2. This code then creates an iframe containing another URL, which you can see on Screen shot 3.

 

Screen shot 2 : Obfuscated code of the URL that came with the email


Screen shot 3 : Deobfuscated code of the URL from the email.

 

The contents of the URL specified in the iframe contain another obfuscated script.  This script, which uses redirection code strikingly similar to that in our recent blog, in turn drops the exploit code and runs a rogue AV on the victim's machine.

 

Screen shot 4 : Code snippet of the URL specified in the iframe used in redirection

 

Having the victim click on the link and then download an executable is usually the norm in these types of attacks. However, in this case, victims are exploited, and malware is downloaded and executed simply by clicking the URL link that came with the email.

 

Screen shot 5 : Snapshot of the malicious website used in the email

 

Websense Email Security and Websense Web Security protect against these kinds of blended attacks.


Mary Grace Timcang

Google Image Poisoning Leads to Exploit
Posted: 21 Apr 2011 01:12 AM

 

Google search results have traditionally been the target of black hat SEO campaigns. Websense® Security Labs™ has identified a new trend in which cyber criminals take advantage of Google Image search rankings to spread malware.

 

 

Websense Security Labs Threatseeker® network has detected that Google Image search returns poisoned pictures when searching on celebrity child "Presley Walker". We first found on Monday that all the image search results took users to a notorious exploit kit – Neosploit. Later, it changed to redirecting users to rogue AV sites. As we publish this blog, the search results are still poisoned and are leading to Neosploit again. Websense customers are protected from both types of attack by ACE, our Advanced Classification Engine.

 

 

 

The search results for "Presley Walker" through Google Image:

 

 

 

 

Let's take a look at the first attack case. When a user clicks the pictures on the top line, the user will be redirected to a Neosploit exploit page.

 

Below is one of the redirection chains used by this exploit kit:

 

From the chain, we see the third URL is the malicious site holding the exploit code. We found that all the exploited sites are hosted on the same IP 66.235.180.91, and interestingly, they constructed it with the same path named TF19, which looks like a pattern of this campaign. At last it will trigger appropriate vulnerabilities targeted by this exploit kit according to the user's operating system and browser. From the chain above we see it downloaded a PDF file that targeted three Adobe Reader vulnerabilities. This PDF file is heavily obfuscated and has a relatively low VirusTotal detection.

 

The list of URLs hosted on the IP, as shown from our Threatseeker network:

 

 

Neosploit is a well-known exploit kit in the black market. The authors reportedly stopped supporting and updating the exploit kit due to financial problems, but variants of Neosploit have been updated frequently. The variants may contain MDAC (CVE-2006-0003), ActiveX (CVE-2008-2463, CVE-2008-1898), and three Adobe Reader (Collab.getIcon, Util.Printf, Collab.collectEmailInfo) vulnerabilities, among others.

 

The second case is one of the common tricks black hat SEO campaigns always use: luring users to download fake antivirus software called InstallInternetProtectionXXX.exe. From the VirusTotal scan result, only 20% of antivirus engines detected this malware.

 

 The rogue AV page when using Firefox to surf the Web:

 

 

 

 

 

 

 

 

Xue Yang

Instant Previews: A Pawn for Malicious Intent
Posted: 17 Nov 2010 06:08 PM

Ever noticed a magnifying glass next to your Google search results lately?  It is actually a new service that Google launched last week called Instant Previews.  This service allows users to see what a page looks like before going to it by hovering or clicking the magnifying glass next to the Google search results. 

Simple?  Yes.  Secure?  Not so much.  Our research shows that the images shown in Instant Previews are not updated as frequently as anyone might assume.  Therefore, we don't think this feature would help users as much in making an informed decision on judging whether a link is indeed malicious or not.  On the other hand, Websense customers are protected from this attack by our ACE real-time analytics.

We reported some Black Hat SEO'd websites from searches relating to Prince William's engagement yesterday.  Using Google's Instant Preview on the malicious search results may lead users into believing that the links they're clicking on are actually safe when in fact they're not.



Take the picture above for example.  Instant Preview returns a very legitimate looking page, complete with pictures and relevant words.  To unsuspecting eyes, it looks clean.  Of course, when the user clicks the link, they will be redirected to the fake Firefox Update page.  This tactic is also evident on Black Friday related search results.

Other variations of images used by malware pushers in Instant Previews are the usual standard Google Search Page and a very simple "Preview not available."

 


Mary Grace Timcang

Attackers using Prince William engagement for attacks
Posted: 16 Nov 2010 11:19 PM

It didn't take long for attackers to take advantage of the big news that Prince William and Kate Middleton are getting married. As we have explained before, attackers have the process down to a science. They monitor breaking news, trending topics, and buzz words, then automatically manipulate search results based on what's happening in the world. Websense customers are protected against this attack through our Advanced Classification Engine.

 

As we discussed in our 2010 Threat Report, searching for news and buzz words is now more dangerous than searching for adult content, with approximately 22.4% of all searches for current news leading to malicious search results. And that's in the top 100 results!

 

 

The result when clicking on one of the malicious links is exactly the same as with last week's Veteran's Day scams. As always, make sure you go to reputable sites when looking for news. Don't just do random searches.


Patrik Runald


©2013 Websense, Inc. All Rights Reserved.