The Websense Security Labs Blog delivers the most current information about breaking security research topics and today's advanced Internet threats.  Websense Security Labs investigates and publishes information about outbreaks, new threats and other relevant Web security topics to protect organizations from converging risks to their data from Web, email and user based attacks.

ToorCon 2008 Recap

09.30.2008 - 8:25 PM
ToorCon finished up its 10th conference in San Diego this past weekend. Both Dan Hubbard and Stephan Chenette gave their presentations on Sunday. We had a good turnout at ToorCon this year, although the late conference announcement may have contributed to a crowd size that was smaller than previous years.

CAPTCHA Revisited: Microsoft's "Revised" CAPTCHA Busted By Spammers For Mass-Mailing Operations

09.30.2008 - 3:00 AM
Spammers are once again targeting Microsoft's Hotmail (Live Hotmail) services. We have discovered that spammers, in a recent aggressive move, have managed to create automated bots that can sign up for and create random Hotmail accounts, defeating Microsoft's latest, revised CAPTCHA system. The accounts are then used to send mass-mailings.

How Malware Expands A Phishing Network

09.26.2008 - 5:10 PM
In the labs we like to go over URLs flagged as suspicious by ThreatSeeker. When we were going over those URLs last week we noticed an interesting file which came in through a spammed URL. As ThreatSeeker began quarantining the suspected messages, we decided to investigate the file that the suspected URL led to so we could see if it might be interesting in any way.

Freezing Malware in Memory

09.25.2008 - 4:45 PM
[UPDATED] Our research on malicious files often includes looking at downloader programs. These programs connect to the Internet and grab other programs (binaries) that carry out malicious attacks on the targeted machine. One problem with investigating downloader programs is that sometimes, when we want to attach a debugger to view the program's memory, it terminates itself too quickly!

Websense Researchers presenting at a conference near you

09.24.2008 - 2:15 PM
In the next two weeks, a few of us are speaking at various conferences in North America (Toorcon X and VB2008). I want to let everyone know so that hopefully, if you're interested in the work we've been doing and the blogs we've written, we can meet up to discuss them.

WBSN True Phishing Stories - eBay Motors

09.17.2008 - 1:30 PM
Websense Security Labs routinely receives stories of phishing scams. We wanted to share this story with you because online auction phishing scams are a common occurrence, and we hope you can learn from this victim's mistake. This is a true story of a victim hooked by an online eBay scam. The scam works as a "for sale" post on eBay and usedboats.com; victims are hooked and reeled into making a deal with the seller through a storyline that is almost too good to be true.

Wget Denied

09.15.2008 - 5:56 PM
Lately we've been analyzing a lot of malicious Flash files. In a recent instance, I was investigating a situation where upon receiving a SWF linked URL in an email and clicking it, a user was automatically redirected to a spam Web site. When I used GNU's Wget utility to fetch the page, I got a "403 forbidden" response. I initially thought that either the attackers had blacklisted my location or they were being crafty and checking all HTTP header attributes.

Robot Dog: Recovery Software Penetrating Virus

09.12.2008 - 5:33 PM
In the past few months, a virus called "Robot Dog" has been raging across networks in China. The primary purpose of the virus is to infect computers in Internet cafes. In China, most Internet cafes use recovery software to help protect computers from viruses. "Robot Dog" penetrates the recovery software to help achieve the goal of infecting the computer.

Presidential Election (spam) Campaign

09.12.2008 - 3:30 PM
Spammers are taking note of the US elections and are now taking advantage. We are seeing different types of spam being sent out using subjects looking like headlines and including the names of each of the presidential candidates. The spam seen so far has been casino spam or malicious spam including this campaign of messages.

This Month in the Threat Webscape

09.11.2008 - 1:30 PM
Continuing with our series of monthly recaps of what's hot and what's not in the wicked world of Web threats, here is a summary of what happened in the month of August, 2008. This month contained more incidents around notable world events such as the Olympics; and attacks carried out with the aid of big name reputable Web sites, such as MSN, Digg, Newsweek, and CNET. This pattern is consistent with what we have observed in our latest research report, also outlined below in this recap. Follow our This Month in the Threat Webscape series to stay informed of emerging Web threats.

Patch Tuesday - GDI+ RLE Bitmap Decompression Integer Overflow

09.09.2008 - 5:00 PM
Today's Microsoft Security Bulletin Summary for September included 4 bulletins of critical severity. I decided to reverse engineer the GDI+ patch to see what was wrong with the GDI+ component already installed on my system. I noticed that Microsoft had patched the GdiPlus.dll module, so I fired up IDA Pro with the Bindiff plugin to see what had changed between the old, pre-patch module and the new, patched module. A quick look showed that Microsoft fixed more than one vulnerability, but I'll focus on just one of them in this blog: it deals with compressed RLE bitmaps.

Spammer Multi-vector: Email, Web, and Web 2.0 Blended Attacks

09.08.2008 - 7:00 AM
Early this year (2008), as reported by Websense Security Labs, spammers on a worldwide basis demonstrated their adaptability by defeating a range of antispam services offered by security vendors. This was done by carrying out streamlined anti-CAPTCHA operations against Microsoft's Live Mail, Google's Gmail, Microsoft's Live Hotmail, Google's Blogger, and Yahoo Mail (as reported by InformationWeek). In this blog we describe how spammers are incorporating numerous aspects of the Web and email space into their operations.