Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.


Filtered by: ThreatScope

Fake AV Asks for Subscription Renewals

Posted: 29 Jan 2014 03:00 PM | Mary Grace Timcang

Cleaning up and re-imaging machines infected with rogue AV continues to take precious man-hours from security teams already saddled with increasing responsibility. While fake antivirus software (AV) has yielded the security headlines to exploit kits, ransomware, and crime packs, active rogue AV campaigns continue to be an ongoing challenge to organizations attempting to keep their networks free from malware.

Today, Websense® Security Labs™ researchers, using our Websense ThreatSeeker® Intelligence Cloud, intercepted one such campaign: malicious emails promoting a fake AV called Anti-Virus Pro. The emails use "PC Security - Renewal" as the subject and offer subscription renewals to unsuspecting customers, who are then redirected to the fake AV site hxxp://anti-virus-professional.com. The site prompts users to download a trial version of the malware. Websense® ThreatScope detects the fake AV as malicious, and shows that it drops and runs binaries in the filesystem directory of the user profile. Interestingly, this malware was first seen on VirusTotal about a year and a half ago, yet only 40% of AV engines had detection at the time of this post.

Intelligence gathered around this campaign suggests that its focus is the manufacturing industry, as well as other service-oriented businesses. Geographically, the campaign originates in the US and the United Kingdom. So far, we are seeing Belgium, the US, and the United Kingdom as the top countries affected.

Historically, fake AV has been associated heavily with Black Hat SEO attacks. Now, fake AV is using emails to spread the campaign. This could signal a comeback of one of the most popular malicious campaigns of the past. Websense customers are protected from these and other threats by Websense ACE (Advanced Classification Engine).



Custom Attachment Names and Passwords for Trojans

Posted: 18 Jul 2013 11:00 AM | Ran Mosessco

Websense® Security Labs™ researchers, using our Websense ThreatSeeker® Intelligence Cloud, recently noticed an increased use of custom-generated attachment file names, and some use of password-protected ZIP files. Emails with banking/financial themes are being sent with executables packed in ZIP files, with file names matching the intended recipient. When the attachment runs on a victim's computer, a Trojan from the Zbot P2P family is downloaded via a Pony loader. Zbot is typically used to steal banking credentials as well as for the exfiltration of personally identifiable information (PII) and other confidential data for criminal gain.

We saw such a campaign on July 15, 2013, featuring subjects like "IMPORTANT Docs - WellsFargo" and "IMPORTANT Documents - WellsFargo". Websense Cloud Email Security has detected and blocked over 80,000 instances of this campaign. We have proactively blocked similar cases since June 10. Just as we were getting ready to publish, we noticed that Websense CES has proactively blocked another campaign, this time using fake emails pretending to be from Trusteer, trying to convince the victim to install an update for Trusteer Rapport software. Again, the attachment names are custom generated to match the recipient's user name (or the first recipient in the case of multiples). So far we have blocked more than 36,000 variants of this latest campaign.

Let's take a look at the campaign from July 15 first. What's unique to these campaigns compared with others we have blocked in the past is the custom-generated attachment name. The cyber criminals seem to be trying to come up with incremental improvements to enhance their effectiveness. By automating file name creation and linking it to the intended recipient's email user name, they are presumably trying to socially engineer the potential victims into feeling a little more at ease about opening the attachment. They might also be hoping to get around rudimentary blocking based on attachment file name. In the examples we've seen, the packed executable was the same across the same campaign burst. The potential victim first sees the ZIP file with their own unique name, so a search for the attachment file name in a search engine might not show anything suspicious.

A typical misleading icon (another common trait of malware used in email attacks) causes the file attachment to look like a document if the folder option "Hide extensions for known file types" is selected. Savvy users will display all file extensions, which will clue them in to the suspicious nature of the attachment.

If we analyze the behavior of the attachment using Websense ThreatScope™, we can see the Pony loader module communicating with hxxp://dharmaking.net/ponyb/gate.php. The POST transaction is empty in this case, since there was no information to exfiltrate. For the sake of curiosity, we can check out the admin login panel...
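The two campaigns above share a handful of mail-level traits that can be checked before an attachment ever reaches a user: a ZIP whose inner executable is named after the recipient's mail user name, a password-protected ZIP, a misleading double extension hidden by "Hide extensions for known file types", and the lure subject lines quoted in both posts. The following is an added example, not code from the original Websense posts, of a small triage routine that flags those traits on a constructed message; the addresses, file names and the stub payload are all placeholders.

```python
"""Added example, not code from the original Websense post: a small mail-triage
check for the traits the post describes (a ZIP attachment whose inner executable
is named after the recipient's mail user name, a password-protected ZIP, a
misleading double extension such as 'docs.pdf.exe', and the lure subject lines).
All messages and addresses below are constructed placeholders."""
import io
import zipfile
from dataclasses import dataclass

# Extensions Windows runs directly; these are what hide behind a document icon.
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
# Document-style extensions a double-extension lure usually borrows.
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".txt", ".jpg")
# Subjects quoted in the two posts above, compared case-insensitively.
LURE_SUBJECTS = (
    "pc security - renewal",
    "important docs - wellsfargo",
    "important documents - wellsfargo",
)


@dataclass
class Message:
    recipients: list          # e.g. ["jsmith@example.com"] (constructed)
    subject: str
    attachments: dict         # attachment file name -> raw bytes


def local_part(addr):
    """'jsmith@example.com' -> 'jsmith'; the piece the attackers reuse."""
    return addr.split("@", 1)[0].lower()


def base_name(path):
    """Strip any directory component inside the archive."""
    return path.rsplit("/", 1)[-1]


def is_double_extension(name):
    """True for names like 'invoice.pdf.exe' whose real extension is executable."""
    parts = base_name(name).lower().split(".")
    return (len(parts) >= 3
            and "." + parts[-1] in EXEC_EXTS
            and "." + parts[-2] in DOC_EXTS)


def entry_is_encrypted(info):
    """Bit 0 of the general-purpose flag marks a password-protected ZIP entry."""
    return bool(info.flag_bits & 0x1)


def zip_entries(data):
    """Return the ZipInfo list of an in-memory ZIP (raises BadZipFile if corrupt)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.infolist()


def triage(msg):
    """Return a list of finding tags for one message; [] means nothing matched."""
    findings = []
    if msg.subject.strip().lower() in LURE_SUBJECTS:
        findings.append("lure-subject")
    rcpt_names = {local_part(r) for r in msg.recipients}
    for name, data in msg.attachments.items():
        if is_double_extension(name):
            findings.append("double-extension:" + name)
        if not name.lower().endswith(".zip"):
            continue
        try:
            infos = zip_entries(data)
        except zipfile.BadZipFile:
            findings.append("corrupt-zip:" + name)
            continue
        if any(entry_is_encrypted(i) for i in infos):
            findings.append("password-protected-zip:" + name)
        for info in infos:
            inner = base_name(info.filename)
            if inner.lower().endswith(EXEC_EXTS):
                findings.append("executable-in-zip:" + inner)
                stem = inner.rsplit(".", 1)[0].lower()
                if stem in rcpt_names:
                    findings.append("name-matches-recipient:" + inner)
    return findings


def build_zip(inner_name, payload):
    """Helper to construct a sample ZIP attachment in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()


# Constructed sample resembling the July 15 campaign: the attachment carries
# the recipient's user name and wraps an executable with a harmless stub body.
SAMPLE = Message(
    recipients=["jsmith@example.com"],
    subject="IMPORTANT Docs - WellsFargo",
    attachments={"jsmith.zip": build_zip("jsmith.exe", b"MZ constructed stub")},
)

if __name__ == "__main__":
    for tag in triage(SAMPLE):
        print(tag)
```

Each finding is a tag rather than a verdict, so a mail gateway can weight them (an executable named after the recipient is a far stronger signal than a lure subject alone). The password check reads the ZIP general-purpose flag only; it does not try to open the archive, which is the right behaviour when the password is unknown and the content is untrusted.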



APT1: A Prevention Perspective

Posted: 20 Feb 2013 07:01 PM | Charles Renert

There's been increased interest in targeted attacks and advanced persistent threats in the news lately, from the intrusions on large media outlets and hacks on social networking sites to a recent detailed report of the tactics behind the infiltration of a sophisticated attack family dubbed "APT1". Much of the controversy swirling around these reports stems from the attempt to identify the perpetrators behind the attacks, a decidedly difficult enterprise. While the balance of evidence presented for APT1 does appear to point toward authorship in China (after exhaustive analysis), sophisticated attacks are faceless at the moment of attempted compromise.

Here are a few data points we've already put together from our own analysis of the ThreatSeeker Network:

- We have observed more than 2,000 unique cases of APT1 attacks since 2011 against all major industry segments.
- China has a disproportionately large share of web-based attack traffic in the United States. For example, in February 0.49 percent of all web requests from US manufacturing companies land on servers in China, whereas 11.21 percent of all malicious web requests from US manufacturing companies land on servers in China. If you're looking at traffic patterns, that's more than a 20X traffic disparity toward malware.
- US news & media companies are also disproportionately driven to malware located in China: legitimate requests to China make up 7.47 percent of overall traffic, whereas China's portion of all malicious traffic goes up to 21.21 percent.
- As the APT1 report suggests, China currently has much less web-based attack traffic originating from the rest of the world, at 0.76 percent. That may change.

A more interesting question than authorship for us is: "How can you proactively stop targeted attacks like APT1?" Signatures are obviously not the answer. Here are some of the ways that we block APT1 along the kill chain without the need for signature updates:

- Full content scanning within SSL, including preventing rogue certificates and criminal encryption (as we blogged about previously)
- File sandboxing (find two examples of APT1's telltale behavior in ThreatScope reports here and here)
- URL sandboxing in e-mails to prevent spear phishing
- Data loss prevention technology to fingerprint and identify legitimate data as it exits
- Dynamic DNS request interception
- Web reputation / destination awareness. Many domains, hosts, IP addresses, and even ASNs used by APT1 have been classified for years. Block known compromised hosts for the hops and the outbound C&C traffic.

One trend that you can confidently predict: the attackers will continue to adapt and get smarter, and the techniques to thwart them will need to do the same.
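The "destination awareness" numbers above (a country's share of all web requests versus its share of requests that were blocked as malicious, and the ratio between the two) are the kind of statistic a security team can derive from its own proxy logs. The following is an added example, not code from the original Websense post, that computes exactly that from a constructed proxy log; the five-field log format, host names and IP addresses are assumptions made for the example, and the sample is far too small to reproduce the percentages quoted in the post.

```python
"""Added example, not from the original Websense post: computing the
'destination awareness' statistic quoted above from proxy logs.  For a chosen
destination country it reports that country's share of all requests, its share
of requests blocked as malicious, and the ratio between the two.  The log lines
and their five-field format are constructed for this example."""
from collections import Counter

# Constructed proxy log: timestamp, client IP, destination host, country, verdict
SAMPLE_LOG = """\
2013-02-20T10:00:01 10.1.1.5 www.example.com US allow
2013-02-20T10:00:02 10.1.1.5 cdn.example.net US allow
2013-02-20T10:00:03 10.1.1.7 portal.example.co.uk GB allow
2013-02-20T10:00:04 10.1.1.7 news.example.org US allow
2013-02-20T10:00:05 10.1.1.9 supplier.example.jp JP allow
2013-02-20T10:00:06 10.1.1.9 update.example.de DE allow
2013-02-20T10:00:07 10.1.1.5 c2-a.example.cn CN block
2013-02-20T10:00:08 10.1.1.7 phish.example.org US block
2013-02-20T10:00:09 10.1.1.9 c2-b.example.cn CN block
2013-02-20T10:00:10 10.1.1.5 dropper.example.ru RU block
"""


def parse_log(text):
    """Parse whitespace-separated records into dicts; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, country, verdict = line.split()
        rows.append({"ts": ts, "client": client, "host": host,
                     "country": country, "malicious": verdict == "block"})
    return rows


def country_counts(rows):
    """Per-country request counts: (all requests, requests blocked as malicious)."""
    all_counts = Counter(r["country"] for r in rows)
    mal_counts = Counter(r["country"] for r in rows if r["malicious"])
    return all_counts, mal_counts


def disparity(rows, country):
    """Return (share of all traffic, share of malicious traffic, ratio) for one country.

    The ratio is the 'traffic disparity toward malware' figure: how much more of
    the malicious traffic lands in that country than its overall share predicts.
    """
    all_counts, mal_counts = country_counts(rows)
    total = sum(all_counts.values())
    total_mal = sum(mal_counts.values())
    all_share = all_counts[country] / total if total else 0.0
    mal_share = mal_counts[country] / total_mal if total_mal else 0.0
    if all_share == 0.0:
        # No legitimate traffic there at all: every malicious hit is anomalous.
        ratio = float("inf") if mal_share else 0.0
    else:
        ratio = mal_share / all_share
    return all_share, mal_share, ratio


def ranked_destinations(rows):
    """All destination countries sorted by disparity ratio, highest first."""
    all_counts, _ = country_counts(rows)
    table = [(c,) + disparity(rows, c) for c in all_counts]
    return sorted(table, key=lambda t: t[3], reverse=True)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for country, all_share, mal_share, ratio in ranked_destinations(log):
        print(f"{country}: {all_share:6.1%} of all, {mal_share:6.1%} of malicious, "
              f"ratio {ratio:.2f}")
```

Read the ratio together with the raw counts: a destination seen in two requests can post a huge ratio by chance, so in production the same aggregation is run over days of logs and per business unit, which is how the manufacturing and news & media figures above are sliced.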

