
The Websense Security Labs Blog delivers the most current information about breaking security research topics and today's advanced Internet threats.  Websense Security Labs investigates and publishes information about outbreaks, new threats and other relevant Web security topics to protect organizations from converging risks to their data from Web, email and user based attacks.


Storm Worm and Botnet Analysis

10.31.2008 - 1:52 PM
A few months ago, we wrote a paper that dissects the inner workings of a Storm Worm sample.

In the paper, Jun Zhang explains:

  • The custom packer and encryption used in the executable
  • The rootkit techniques
  • The peer-to-peer botnet and spamming component


Spammers Abusing Microsoft Services

10.27.2008 - 9:00 AM
Spammers' efforts to reach their prospective customers continue today with increased creativity and complexity. From a spammer's perspective, the challenge is to find ways to defeat the security mechanisms that service providers use, and constantly improve, to combat abuse of their services. This is clearly a long-term battle between service providers and spammers, one that we have been aware of for quite some time.

VB2008 - Ottawa

10.20.2008 - 10:25 AM
Virus Bulletin 2008 was held in early October in Ottawa. I am finally done catching up with work after my trip. Both Dan Hubbard and I (Nicolas Brulez) gave a last-minute talk on 2nd October.

Malicious Only For Blogspot

10.17.2008 - 3:30 PM
Here at Websense Security Labs, we have recently seen a new technique for redirection from Blogspot.com pages. Authors of malicious code use external JavaScript references disguised as Google ad scripts to serve malicious content when the referrer is a specific Blogspot.com page.

Patch Tuesday - October 2008

10.16.2008 - 6:40 PM
Microsoft recently published its monthly security bulletin for October '08. Here's a quick overview of what this means for the Web landscape, i.e., the threats posed to the Webscape. Microsoft has patched vulnerabilities across its product line, ranging from Internet Explorer, MS Office, Active Directory and SMB (the protocol) to the Windows kernel. Let's take a look at the vulnerabilities that can be exploited over the Web.

Malicious JavaScript using HTML Elements to Store Content

10.15.2008 - 12:00 PM
Here at Websense Security Labs, we have recently started to see a new trend in malicious JavaScript: Web pages using form elements to store obfuscated malicious code. This fairly new tactic is increasingly being used by authors of malicious code. As an aside, it has also been included in the My Poly Sploits v.1.0 exploit toolkit.

Reverse Engineering with OllySocketTrace

10.12.2008 - 1:35 PM
Today I would like to share with you a really great plugin for OllyDbg (a 32-bit, assembler-level analyzing debugger for Windows). The plugin is OllySocketTrace from Harmony Security. Its job is to trace the socket operations performed by a process. It records all buffers sent and received, along with all parameters and return values, and the trace is highlighted with a unique color for each socket being traced.

Exploit Action with PDF OpenAction

10.12.2008 - 1:15 PM
We have noticed that the latest PDF exploit is becoming a hot topic and more people are talking about it. When a user opens a maliciously crafted PDF document, the payload automatically executes and downloads another malicious file from the Internet, which is then executed. In fact, the payload is not triggered directly by the vulnerability used in the exploit, but by a PDF tag called OpenAction, which can specify an action to be performed when the document is opened.

Low Volume Under-the-radar Malicious LinkedIn Spam

10.12.2008 - 12:33 PM
Last week here in the labs, we started to receive a small amount of email that caught my eye. The ThreatSeeker network saw fewer than 40 of these messages on the same day. This number of messages is tiny, but there is a good reason for malware authors to send so few: it keeps their efforts under the radar, which may help them succeed in their ultimate goal.

Spammers Abusing Google’s Web 2.0 services

10.03.2008 - 9:43 PM
Web 2.0 aims to enhance user creativity, information sharing, collaboration and functionality of the Web. These features enable social networking, video sharing, blogs, Web publishing, plus other popular methods of information and content creation, editing, sharing and distribution. This power is being abused by spammers and malware authors to carry out various attacks, which pose a threat to Web 2.0 functionality.

This Month in the Threat Webscape

10.03.2008 - 9:30 PM
September showed us that highly visible sites like BusinessWeek.com and BillOreilly.com are not immune to serious web attacks. BusinessWeek.com learned the hard way that they can unknowingly serve up exploits to themselves and their visitors. Other highly visible sites, like The New York Times, are also vulnerable. While Microsoft works determinedly to patch vulnerabilities that can be exploited over the web, the Web Application Security Consortium reports that 97% of sites it studied continue to have significant vulnerabilities. What's more, results reported in various studies released this month indicate that most people can't tell good sites from bad, and even the aware and informed fall prey.

The Ultimate Deobfuscator

10.03.2008 - 9:05 PM
I gave a talk last weekend on JavaScript deobfuscation, and I promised the crowd a follow-up blog and code to be released, so here it is. Basically, the presentation offered another solution for deobfuscating JavaScript, other than creating a browser simulator. Below is an example of obfuscated malicious Web content.