The Websense Security Labs Blog delivers the most current information about breaking security research topics and today's advanced Internet threats. Websense Security Labs investigates and publishes information about outbreaks, new threats and other relevant Web security topics to protect organizations from converging risks to their data from Web, email and user based attacks.
Web 2.0 - Abuse of Functionality
06.30.2008 - 9:00 AM
When users are given privileges such as directly editing HTML or uploading files, security issues are bound to arise. This power is being abused by phishers and malicious authors to steal personal information or compromise computers. Below we detail current abuses of Google properties such as Google Sites, Google Pages, and Blogger in terms of hosting malware and exploit code.
ICANN approves new laissez-faire TLD addition process
06.27.2008 - 12:00 PM
Today marked the conclusion of ICANN's 32nd meeting in Paris. There were two notable developments that should be of interest to anyone concerned with Internet security. And, as a consumer of our blog, that probably includes you. Would you like the good news or the bad news first?
Reverse Engineering the Embedded OpenType Decompression
06.25.2008 - 10:45 AM
As security researchers, we regularly analyze many different types of files. It's important that we take the time to teach ourselves about unusual file formats, so that we can be prepared when a malicious attack occurs with an uncommon file type. One unusual file type that we recently studied is the EOT file format. A quick definition from Wikipedia explains: "Embedded OpenType (EOT) fonts are a compact form of OpenType fonts designed by Microsoft for use as embedded fonts on Web pages. These files usually use the extension '.eot'." Basically, EOT files are custom font files meant for Web pages. The tools used to create these fonts have mechanisms that can be built into the EOT files, such as subsetting and tethering, so that copying and reversing is difficult (more on this later).
Firefox 3 Security Features
06.20.2008 - 5:31 PM
Firefox 3 was released a few days ago, breaking the record for the most software downloads in a 24-hour period, and currently sits at 12.5 million downloads. In this blog, we review some interesting security features of this release, and preview how these features work.
JavaScripherTution in{j|f}ection
06.16.2008 - 5:00 PM
The injection of malicious <script src="malicious.js"> JavaScript tags on a massive scale into everyday popular and reputable Web sites, commonly visited by the casual surfer at home (and at work), has been the trend. Today, as my team and I here at Security Labs made our routine rounds around the block to spy on what the bad guys are up to next, we discovered a somewhat weak but interesting piece of malicious code, whose techniques date back to the early days of encryption - the substitution cipher.
RECON 2008
06.13.2008 - 3:51 PM
Hello from the 3rd RECON Conference which started today. It's a reverse engineering conference with a lot of technical presentations. The past 3 days have been very busy for me and 2 other trainers. Rolf Rolles gave a course on the static aspects of reverse engineering while Gerardo 'Gera' Richarte presented binary vulnerabilities and exploit writing. I gave a course on advanced reverse engineering techniques -- mostly on how one can unpack custom executable protections -- and malware analysis. We covered polymorphic viruses, driver “backdooring” malwares, and virtualization as a way to obfuscate code.
Google Docs is being used to host spam
06.12.2008 - 1:03 PM
Websense Security Labs is constantly monitoring spam for new trends. In the past we have blogged about captcha breaking to gain access to popular free email services. Captcha breaking has allowed spammers to take advantage of the good reputations of services such as Google's Gmail and Microsoft's Live Mail. It has also allowed spammers to create a large number of spam sites on free, hosted services, including Google's Blogspot, and now, Google Docs. Google Docs is a popular Web site that allows users to create documents, spreadsheets, and presentations online, and then easily share the documents among multiple Internet users.
Malware & MySQL - Believe it!
06.03.2008 - 10:26 AM
Most malware tends to store stolen credentials and information in make-shift text files, which are then forwarded to the author via email or another protocol. However, the use of scalable and robust solutions is becoming more popular in the malware community. In fact, it is becoming increasingly popular for malware to parse remote text files to determine the locations of additional malicious modules to download. This gives the author some dynamic flexibility versus the typical approach of hardcoding executable locations. Today we will look at an example that has additional scalability in mind, as it actually uses a remote MySQL database to store its stolen information and retrieve additional malicious modules and script code.
Previous Posts
June 2008
| 06.30.2008 | Web 2.0 - Abuse of Functionality » |
| 06.27.2008 | ICANN approves new laissez-faire TLD addition process » |
| 06.25.2008 | Reverse Engineering the Embedded OpenType Decompression » |
| 06.20.2008 | Firefox 3 Security Features » |
| 06.16.2008 | JavaScripherTution in{j|f}ection » |
| 06.13.2008 | RECON 2008 » |
| 06.12.2008 | Google Docs is being used to host spam » |
| 06.03.2008 | Malware & MySQL - Believe it! » |

