Security Labs

The Amnesty International UK website was compromised to serve Gh0st RAT [Update]

Gianluca Giuliani — Fri, 11 May 2012 00:29:00 GMT

Between May 8 and 9, 2012, the Websense® ThreatSeeker® Network detected that the Amnesty International United Kingdom website was compromised. The website was apparently injected with malicious code for these 2 days. During that time, website users risked having sensitive data stolen and perhaps infecting other users in their network. However, the website owners rectified this issue after we advised them about the injection. In early 2009, we discovered this same site was compromised, and in 2010, we reported another injection of an Amnesty International website, this time the Hong Kong site.

In the most recent case, we noticed that the exploit vector used was the same Java exploit (detailed in CVE-2012-0507) that has been used worldwide, and which has become somewhat infamous as the cause of the recent massive Mac OS X infection with Flashback.

Websense customers are protected from these threats by ACE, our Advanced Classification Engine.

The following is a screen shot of the detected code injection:

(click on the picture to enlarge)

In the screen shot, we can see the similarities between this injection and the INSS injection we reported last week. This clearly shows the use of the Metasploit framework and the precise name of the Java class used. In addition, the associated JAR file is a well-known vector exploit for the CVE-2012-0507, as shown below:

(click on the picture to enlarge)

Once the exploit is successful, a file download is initiated for an executable from this URL: "hxxxp://www.48groupclub.org/images/uploads/image/sethc.exe" - MD5 : 3EC4DE9EF2E158473208842F4631236A

Further analysis shows that when the "sethc.exe" file is executed on the compromised system, it creates a new binary file in the Windows system directory: C:\Program Files\......

The ruse appears credible because the executable file has been signed by a "valid" certificate authority (CA), as shown below:

Through further research we learn that this certificate has been in use for a while and does not appear to have been revoked at the time of this latest exploit activity.

Analyzing this low AV detected binary file, we recognize that this is a variant of the well-known Remote Administration Tool Gh0st RAT, which is used mainly in targeted attacks to gain complete control of infected systems. With this control, the remote administrator has access to a user's files, email, passwords, and other sensitive personal information. Following is the initial network capture with Wireshark between a compromised system and the remote administration center, which reveals the header information of the traffic (pay particular attention to the starting keyword "gh0st"), confirming the use of Gh0st RAT:

(clieck on the picture to enlarge)

The Remote Administration Center commands to the compromised system originate from this address: shell.xhhow4.com. At the time of this writing, the address is still active.

[Update]

Websense® ThreatSeeker® Network detected that the Amnesty International Hong Kong sister website was also compromised to serve Gh0st RAT over the weekend, and the malicious codes are still live and active. Below are some of the pages infected redirecting to the exploits. Websense Security Labs will continue to monitor and update any new changes to this attack.

Canada’s Cybercrime Report Card: Better or Worse in 2012?

Patrik Runald — Thu, 10 May 2012 20:39:00 GMT

Last May 2011, we conducted an analysis of Canada’s cyber security risk profile, which led to the discovery of a disturbing trend. Canada had become the newest breeding ground of cybercriminal activity.

In the hopes that things would get better, we conducted an exact comparison of the same cybersecurity stats one year later. And we were even more disturbed to see that in Q1 2012, hackers are still taking advantage of Canada’s “squeaky clean” cyber reputation and remotely controlling Canadian servers to carry out their criminal attacks.

Across the board, we’re seeing all types of malicious content coming out of the Great White North. For example:

170% Jump in Hosted Phishing Sites - Canada ranks #2 in the world for hosted phishing sites, jumping 170 percent in the last year. This is a significant increase and the country ranks ahead of some of the best known offenders like Egypt and Russia.
39% Increase in Bot Networks - Cybercriminals’ command and control centers are finding that Canadians make great hosts. In the past year, Canada saw a 39 percent increase in bot network activity.
239% Increase in Malicious Websites - The number of malicious URLs is also on the rise in Canada. Canadian computer users beware, Canada saw a 239 percent jump in malicious Canadian websites.

The bottom line is that things are getting worse, and it’s a worldwide trend. As we’ve stated in our 2012 Threat Report, in the past year alone, there has been a major increase in malicious sites and exploit kits and people are getting increasingly redirected to bad sites.

What’s going on in Canada is testament to the continuation of a very bad trend. In the past, malicious content has traditionally been hosted on servers in places like Europe. But, now the bad guys are shifting their infrastructures to sites that are hosted in countries that traditionally have had better reputations.

Even after last year’s discovery, we still have not seen any big takedowns of malicious sites in Canada. In fact, malicious sites seem to stay up longer than in other countries. The public and private sector need to work together to effectively make this happen. The question is, will they finally be able to do so moving forward?

Here's a map that shows the top countries hosting phishing sites for the first part of this year. You can clearly see that Canada now holds the number two position for hosting this type of malicious content.

Pinning Down Pinterest

RM — Fri, 04 May 2012 19:08:00 GMT

There has been a lot of talk lately about Pinterest, the "virtual pinboard" that allows you to "organize and share all the beautiful things you find on the web."

Pinterest uses online social networking to extend the ways you can share your images. Its mission statement reads: "Our goal is to connect everyone in the world through the 'things' they find interesting. We think that a favorite book, toy, or recipe can reveal a common link between two people. With millions of new pins added every week, Pinterest is connecting people all over the world based on shared tastes and interests."

How does it work?

Currently, the site is available by invitation only, but it’s quite easy to request an invitation either directly from the site or from a friend who’s already using it. Once you’re in, you create “pins”: images you want to post, including videos, along with any text captions you care to add. The “Pin It” button can be added to Firefox or your iPhone, allowing you to grab images anytime and anywhere. It also adds a link to the source, automatically crediting the author and, presumably, avoiding copyright issues, which have sparked a lot of discussion.*

A collection of pins is called a “board,” which usually focuses on a theme or interest. By displaying images in a thematic board, Pinterest creates a visual collage which provides context and relationships for images in ways other social media sites do not.

It is precisely the social media elements that seem to be fueling Pinterest’s popularity. Users can search pins, boards, or people. They can “like” other people’s pins, post comments, repin the images to their own boards, and even share them via Facebook and Twitter links, or via embedding in a blog or email. They can follow other users, see activity streams, and click through to the source of an image for more information, or to make a purchase. Collaboration with Flickr was just announced, which enables sharing in the user's Flickr account.

Who uses it?

The number of unique visitors per month to Pinterest has jumped in just under one year from less than half a million to well over 18 million. Most (68.6%) are in the US, but all parts of the world are represented—and growing. Users tend to spend quite a bit of time on the site: more than 15 minutes per day, which is over 50% more than Twitter.

This explosion has created a huge buzz around the site, and at Websense we’ve learned that sites which attract lots of users also tend to attract lots of security concerns.

What could possibly go wrong?

Any site that attracts a lot of users and attention inevitably becomes a target for hackers and spammers. Spam and other types of objectionable content can be reported to Pinterest with the click of a button, which suggests the site relies on its users to spot problems and flag them for review. Malicious image files—where embedded malware is hidden in an image file—can be a particular threat on an image-based platform.

A while back we wrote a blog about inexpensive application toolkits on Facebook. This time around, it's Pinterest's turn.

Here are a few examples of spamming toolkits that automatically generate massive amounts of traffic on a spammer's Pinterest account. Tools may be purchased individually or in packages, and prices range from about $25 to almost $2000 depending on the number and functionality desired.

One tool creates automatic "likes" for pins, and sends an email to the pin creator saying you liked it, along with a link to your profile.

Another tool finds the most popular pins and re-submits them into the same board name and category on the spammer's account.

Websense researchers found many similar tools for sale, all of which generate unnatural traffic to the spammer's account in order to increase the popularity of a site or brand. Of course, Pinterest may notice or be informed of the unusual traffic and block the account. A bigger risk is that spamming tools may actually contain viruses, malware, or other threats, making the would-be hacker into a hacking target.

Pinterest was recently the target of injected JavaScript code (possibly created by such spamming tools) that changed many pins into ads. A recent Pinterest blog post about spam on the platform generated a fair number of user responses about fake followers and spam (comments are now closed). And the site is reportedly using CAPTCHA, at least on some accounts, to ensure that users are human beings.

Regardless of how Pinterest evolves, you can be sure that Websense will stay on top of any security risks, helping you use social media safely.

* Because pinning something actually creates a copy (as opposed to simply “liking” a pin), there has been a great deal of controversy and confusion around Pinterest and copyright. The personal blog of a copyright librarian provides some useful discussion.

Widespread malware abuses unsecured Geolocation Service of Adult Website

Armin Buescher — Thu, 03 May 2012 18:26:00 GMT

While researching outbound malware communications to improve detections for our products, we recently made an interesting discovery. Thousands of samples running in our malware lab reached out to the URL promos.fling.com/geo/txt/city.php. At first we suspected this to be a command and control (C&C) server of botnet malware. However, Websense® categorization of the main Web page of the domain fling.com returned Adult, and visiting the page certainly confirmed this:

The self-proclaimed "Hottest Place to Hook Up" suggested that we sign up to "Meet the Hottest Members in San Diego" (the location of the US Websense® Security Labs™). This is where the originally discovered URL promos.fling.com/geo/txt/city.php comes into play. Directly visiting the URL results in JavaScript code to print the geolocation of the visitor:

So how is this unsecured geolocation service used by the malware? Using the network tool Wireshark to look at the malware network traffic contacting this service, we can see that more information is disclosed:

In this example our malware sandbox was connected to the Internet through a proxy service in Canada. Apart from the JavaScript payload there are several HTTP cookies sent in the response header specifying the country, state, city, latitude and longitude. Our analysis systems identified other likely C&C connections in the outbound connections of the malware samples in question. Interestingly, these connections try to hide the malicious HTTP using a forged user-agent string:

Looking at the geolocation service abused by the malware we can make the connection that the 'CA' part (country code for Canada) in this user-agent is used to disclose the geolocation of the infected machine to the botnet server. This information can be used by the botmaster for statistics or to give different commands to infected machines in certain countries.

As of the time of writing this blog post, a total of 4,775 samples that ran in our malware lab show connections to the adult geolocation service in question. Websense customers are protected against known variants of this malware; we also have real-time coverage in place for the traffic between the malware and the C&C servers.

The Institute for National Security Studies (Israel) falls prey to Poison Ivy infection

Gianluca Giuliani — Wed, 02 May 2012 00:06:00 GMT

The Websense® ThreatSeeker® Network has detected that the Institute for National Security Studies (INSS) website in Israel was injected with malicious code. INSS is described in its website as an independent academic institute that studies key issues relating to Israel's national security and Middle East affairs.

While we can't determine that the infection of this website with exploit code is part of a targeted attack, one could deduce that visitors to this type of site are likely to have an interest in national security or are occupied in this field. The website appears to be injected with malicious code for over a week now. (Websense' ACE provided protection against the type of injected malicious code since early 2009)

One of the interesting facts about this infection is that it uses the same Java exploit vector (CVE-2012-0507) that managed to infect around 600,000 Mac users in a massive scatter attack dubbed Flashback a few weeks ago.

...(read more)

Websense Security Labs at Infosec2012

Artem Gololobov — Mon, 30 Apr 2012 10:00:00 GMT

Last week, Websense® Security Labs™ team members attended the Infosec2012 conference at Earls Court in London. It was quite busy and exciting for us, as we assisted Sales Engineers and Sales teams to work with customers at the Websense booth. We also attended workshops and chapter meetings for (ISC)² (International Information Systems Security Certification Consortium) and ISACA (Information Systems Audit and Control Association).

The Infosec conference presents high-level security information, such as security product demonstrations, rather than technical talks on topics like exploits and vulnerabilities. So we expected to hear presentations and general discussions about enterprise security and issues of concern to our customers.

...(read more)

Weibo Accounts Compromised to Spread Phishing Campaign

uwang — Wed, 25 Apr 2012 02:00:00 GMT

The Websense® ThreatSeeker® Network has detected a wave of phishing campaigns spreading on the Chinese social network "Sina Weibo". Sina Weibo is a Chinese microblog website, like a hybrid of Twitter and Facebook, that has more than 300 million registered users as of February 2012.

...(read more)

Is CVE-2012-0507 the best toolkit to exploit Mac OS X?

Gianluca Giuliani — Mon, 16 Apr 2012 09:23:00 GMT

The recent advent of flashback malware that includes exploit code for CVE-2012-0507 has been creating waves and quickly adopted by various other attackers as Websense® Security Labs™ has shown. This blog post detail some of the aspects of CVE-2012-0507 and how this exploit has been used in the wild.

The Java code first starts with the excerpt below:

The string "sobj" contains a stream of characters that trigger the vulnerability and force Java to render something which it usually wouldn't be allowed to. The string "8BCA ..." is obfuscated with an XOR key of 0x27 shown below:

After this string is de-obfuscated, it looks something like the image below:

We compared the exploit code used in the flashback campaign (above) with another instance in the wild that surfaced recently. Apparently, the attacker is using the exploit code provided by the metasploit framework.

The only difference between the flashback exploit code and the one used by metasploit is the bytecode array, where one is a signed byte array while the other is unsigned, as revealed below:

In our flashback sample, the string that triggers the vulnerability is "XOR-ed" with 0x27, while the string seen in the metasploit sample uses a signed byte array.

Lastly, the payload used by the flashback malware is a dropped Mach-O binary executable, while the metasploit exploit opens a listening TCP port shell pipe depending on what operating system the victim is on (This highlights the beauty of a design flaw as opposed to a vulnerability that corrupts memory). The code excerpt is shown below:

Websense security solutions protect users from these kinds of exploits.

Flashback Mac malware

Patrik Runald — Thu, 12 Apr 2012 22:48:00 GMT

We in Websense® Security Labs™ have been following the developments of the Flashback trojan for Mac that has infected over 600,000 Apple computers worldwide. The number of infected computers seems to be dropping steadily now and will continue to do so as Apple yesterday released a removal tool as part of their Software Update:

...(read more)

The Android "GoldDream" Malware Server is Still Alive

uwang — Thu, 12 Apr 2012 00:05:00 GMT

Many anti-virus vendors have reported on and dissected the suspicious and malicious Android "GoldDream" malware threat. The C&C server (lebar.gicp.net), which hosts this malware, has been revealed in many articles. But, to our surprise, this C&C server is still alive after several months and is still serving users with "GoldDream" malware. Currently, only Websense® ThreatSeeker® Network has blocked the malware server sites, out of the 19 vendors listed by VirusTotal!

...(read more)