<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Latest Alerts From Websense Security Labs</title>
    <link>http://websense.com/securitylabs/</link>
    <description>This is the Alert Rss Feed from Websense Security Labs</description>
    <language>en-us</language>

<pubDate>Sat, 13 Mar 2010 GMT</pubDate>

    <generator>RedDot</generator>

<item><title>Malicious Web Site / Malicious Code: Searching for Corey Haim Leads to Rogue AV</title><link>http://securitylabs.websense.com/content/Alerts/3580.aspx</link><description>&lt;P&gt;Websense Security Labs&#8482; ThreatSeeker&#8482; Network has discovered that search terms related to Corey Haim have become the latest target for Blackhat SEO poisoning attacks.&lt;/P&gt;
&lt;P&gt;&lt;A href=&quot;http://en.wikipedia.org/wiki/Corey_Haim&quot;&gt;Corey Haim&lt;/A&gt;, 1980s teen idol actor and a star of such famous movies as &quot;The Lost Boys&quot; and &quot;License to Drive&quot;, was found dead in his Los Angeles apartment at the age of only 38 on Wednesday.&lt;/P&gt;
&lt;P&gt;Whether it's a &lt;A href=&quot;http://securitylabs.websense.com/content/Alerts/3568.aspx&quot;&gt;natural disaster&lt;/A&gt; or a death, Blackhats monitor and adapt to popular search trends. Not long after the sad news emerged, the search phrase &quot;Corey Haim&quot; became one of the hottest topics in Google trends.&lt;/P&gt;
&lt;P&gt;Screenshot of the Google trend:&lt;/P&gt;
&lt;P&gt;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/Images/Corey_Haim_Death_Leads_to_Rogue_AV_1.jpg&quot;&gt;&lt;/P&gt;
&lt;P&gt;Cybercriminals again jump at a chance to spread their rogue AVs. When users enter keywords such as &quot;Corey Haim death&quot; in Google, some of the results will lead them to download fake security software. The downloaded FakeAV file has only &lt;A href=&quot;http://www.virustotal.com/analisis/6c835981a6fd2f866f6200dfd5384240fab14149ddc8c162721305c11533d984-1268277978&quot;&gt;17%&lt;/A&gt; coverage from antivirus products.&lt;/P&gt;
&lt;P&gt;Google search results for &quot;Corey Haim death&quot; that lead to rogue AVs:&lt;/P&gt;
&lt;P&gt;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/Images/Corey_Haim_Death_Leads_to_Rogue_AV_2.jpg&quot;&gt;&lt;/P&gt;
&lt;P&gt;Websense Messaging and Websense Web Security customers are protected against this attack.&lt;/P&gt;</description><pubDate>Thu, 11 Mar 2010 12:00:00 AM GMT</pubDate><guid>2F07B9BB3E2A4B8181315053C109C6F3</guid></item><item><title>Malicious Web Site / Malicious Code: BBS of Sougou Compromised</title><link>http://securitylabs.websense.com/content/Alerts/3574.aspx</link><description>&lt;P&gt;Websense&#174; Security Labs&#8482; ThreatSeeker&#8482; Network has discovered that the BBS of Sougou has been compromised.&lt;/P&gt;

&lt;P&gt;The Sougou BBS home page and other pages on the site have been injected with a malicious script. The script creates an IFrame that redirects users to an exploit site: a 5-day-old domain at [snip]ow.info. The exploit site performs some checks before delivering the exploits, in order to subvert any analysis attempts. &lt;/P&gt;
&lt;P&gt;At the time of writing this alert, the BBS of Sougou is still injected with the malicious script, but the exploit site is down. This could change at any moment. &lt;/P&gt;
&lt;P&gt;This is the injected code in the home page and its contents:&amp;nbsp;&lt;BR&gt;&lt;BR&gt;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/BBS_of_Sougou_Compromised_1.png&quot;&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/BBS_of_Sougou_Compromised_2.png&quot;&gt;&amp;nbsp;&lt;BR&gt;&lt;BR&gt;Here is the exploit page:&amp;nbsp;&lt;BR&gt;&lt;BR&gt;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/BBS_of_Sougou_Compromised_3.png&quot;&gt;&amp;nbsp;&lt;BR&gt;&lt;BR&gt;Websense Messaging and Websense Web Security customers are protected against this attack. &lt;/P&gt;
</description><pubDate>Tue, 2 Mar 2010 12:00:00 AM GMT</pubDate><guid>F385206B1D2D4F92A8B35531CB7B8278</guid></item><item><title>Malicious Web Site / Malicious Code: Blackhat SEO turns to PDF with Chile and Hawaii disasters</title><link>http://securitylabs.websense.com/content/Alerts/3568.aspx</link><description>&lt;P&gt;Over &lt;A href=&quot;http://community.websense.com/blogs/websense-features/archive/2010/02/04/websense-security-labs-report-state-of-internet-security-q3-q4-2009.aspx&quot;&gt;13% of all searches&lt;/A&gt; on Google looking for popular and trending topics will lead to malicious links, and searches for the latest news on the earthquake in Chile and the tsunami hitting Hawaii are no exception. Both are now used to lure people into downloading fake antivirus products.&lt;/P&gt;
&lt;P&gt;Usually the links in the search results look like ordinary links pointing to regular web pages. This time the bad guys have changed tactics to make their search results look even more convincing, by tricking Google into thinking it's a PDF file. &lt;/P&gt;&lt;BR&gt;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/google_search_pdf.png&quot;&gt; &lt;BR&gt;
&lt;P&gt;As you can see above, Google tells you the file format is PDF and not HTML. That's not true; it is in fact a regular HTML page that, when visited, will redirect the user to a page that looks like this - just another rogue AV fake scanning page. This one, just like the majority of rogue AV sites we have seen this week, is in the .IN TLD, which is the top-level domain for India. &lt;/P&gt;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/hawaii_rogue_av.png&quot;&gt; 
&lt;P&gt;Making the search result look like a PDF gives the link more authenticity. Perhaps it's a research paper or at least a better-written article. The likelihood that a user will click on these types of links is probably higher than if it were just another random web link. &lt;/P&gt;
&lt;P&gt;This is the first time we've seen the attackers use this approach but considering how aggressive the rogue AV gangs are, it's not a surprise that they continue to refine their techniques to get people to &quot;buy&quot; their products. &lt;/P&gt;
&lt;P&gt;The Rogue AV file itself is currently detected by &lt;A href=&quot;http://www.virustotal.com/analisis/fabca4efdaf5c89d36e153637fbe92bc130f62812d6261833b073a23240260c8-1267321093&quot;&gt;26.20%&lt;/A&gt; of the antivirus engines used by VirusTotal. &lt;/P&gt;Websense&#174; Messaging and Websense Web Security customers are protected against this attack.</description><pubDate>Sun, 28 Feb 2010 12:00:00 AM GMT</pubDate><guid>6E5552216C3944598AC0E6971B2D1E70</guid></item><item><title>Malicious Web Site / Malicious Code: Searching For Joannie Rochette Leads To Rogue AV</title><link>http://securitylabs.websense.com/content/Alerts/3561.aspx</link><description>&lt;P&gt;Websense Security Labs&#8482; ThreatSeeker&#8482; Network has detected that the black hat Search Engine Optimization (SEO) techniques are abusing the name of an Olympic figure skater who is very popular in recent news.&lt;BR&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href=&quot;http://sports.yahoo.com/olympics/vancouver/CAN/Joannie+Rochette/1012611&quot;&gt;Joannie Rochette &lt;/A&gt;is a Canadian figure skater and the 2009 world silver medallist. In the 2010 Winter Olympics in Vancouver, despite the loss of her mother just 48 hours before her competition, she delivered a sensational &lt;A href=&quot;http://www.nbcolympics.com/video/assetid=df674667-721b-4991-9d12-0066cefb8696.html&quot;&gt;performance&lt;/A&gt; and qualified to compete for gold. &lt;BR&gt;&lt;BR&gt;The bad guys still took advantage of this tragic incident and used it in the infamous Black SEO poisoning attacks. Searching for Joannie Rochette in reputable search engines leads to rogue AV.&lt;/P&gt;
&lt;P&gt;This use of the Black SEO technique is even more pertinent now that the results have been announced, with Rochette receiving a &lt;A href=&quot;http://sports.espn.go.com/olympics/winter/2010/figureskating/columns/story?columnist=ford_bonnie_d&amp;id=4947971&quot;&gt;bronze medal&lt;/A&gt; for her performance. &lt;/P&gt;
&lt;P&gt;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/alert_joannie_rochette_1.png&quot;&gt;&lt;/P&gt;
&lt;P&gt;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/alert_joannie_rochette_2.png&quot;&gt;&lt;/P&gt;
&lt;P&gt;Once the victim clicks on the poisoned search results, he/she is redirected to the rogue AV page, and a &lt;A href=&quot;http://www.virustotal.com/analisis/fad707f2f6c7b49a287516907b0bdace0a881e9ed3cc723935b36bccd1d673f9-1267157888&quot;&gt;fake Anti-virus&lt;/A&gt; executable asks for the victim's confirmation before being downloaded. &lt;BR&gt;&lt;BR&gt;Related topics are 4th and 7th on Google's Hot Trends USA list. Joannie Rochette is currently the most popular search term on Google Canada at the time of writing:&lt;/P&gt;

&lt;P&gt;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/alert_joannie_rochette_3.png&quot;&gt;&lt;/P&gt;

&lt;P&gt;This isn't the first time Black SEO attacks &lt;A href=&quot;http://isc.sans.org/diary.html?storyid=8239&quot;&gt;target&lt;/A&gt; events and figures related to the Olympics this year. &lt;BR&gt;&lt;BR&gt;Websense&#174; Messaging and Websense Web Security customers are protected against this attack. &lt;/P&gt;</description><pubDate>Fri, 26 Feb 2010 12:00:00 AM GMT</pubDate><guid>2F04C8E6063F41CBABF0D9F5DDE47001</guid></item><item><title>Malicious Web Site / Malicious Code: Bloom Box Black SEO</title><link>http://securitylabs.websense.com/content/Alerts/3554.aspx</link><description>&lt;P&gt;Websense Security Labs&#8482; ThreatSeeker&#8482; Network has detected that search terms related to Bloom Energy and its Bloombox Fuel Cell have become the latest target for Blackhat SEO poisoning attacks. &lt;/P&gt;
&lt;P&gt;&lt;A href=&quot;http://www.breakingglobalnews.com/bloom-energys-bloombox-fuel-cell/1222998&quot;&gt;Bloom Box&lt;/A&gt; is a breakthrough technology in the energy sector that could revolutionize the way electricity is generated today. As people become interested in finding more information on this technology, related search terms are currently gaining momentum, and as they do so Blackhat SEO attacks are starting to climb up the search result listings. &lt;/P&gt;
&lt;P&gt;At the moment, according to the &lt;A href=&quot;http://www.virustotal.com/analisis/d49fa46aee47bd5b69e9f0d716e1fa662eff7090a22e8fc0db03d5c12b859f9c-1266851237&quot;&gt;VirusTotal report&lt;/A&gt; only 10% of antivirus products are detecting the threat. &lt;/P&gt;
&lt;P&gt;Video of the Bloom Box SEO in action: &lt;/P&gt;
&lt;OBJECT width=560 height=340&gt;&lt;PARAM NAME=&quot;movie&quot; VALUE=&quot;http://www.youtube.com/v/RNe74da4ADs&amp;amp;hl=en_GB&amp;amp;fs=1&amp;amp;&quot;&gt;&lt;PARAM NAME=&quot;allowFullScreen&quot; VALUE=&quot;true&quot;&gt;&lt;PARAM NAME=&quot;allowscriptaccess&quot; VALUE=&quot;always&quot;&gt;
&lt;embed src=&quot;http://www.youtube.com/v/RNe74da4ADs&amp;hl=en_GB&amp;fs=1&amp;&quot; type=&quot;application/x-shockwave-flash&quot; allowscriptaccess=&quot;always&quot; allowfullscreen=&quot;true&quot; width=&quot;560&quot; height=&quot;340&quot;&gt;&lt;/embed&gt;&lt;/OBJECT&gt;
&lt;P&gt;&lt;BR&gt;Websense&#174; Messaging and Websense Web Security customers are protected against this attack. &lt;/P&gt;</description><pubDate>Mon, 22 Feb 2010 12:00:00 AM GMT</pubDate><guid>61AC76DAE048479297B82EBF6C5716CF</guid></item><item><title>Malicious Web Site / Malicious Code: Microsoft's Ninemsn Australia Web Site Compromised</title><link>http://securitylabs.websense.com/content/Alerts/3552.aspx</link><description>&lt;P&gt;Websense Security Labs&#8482; ThreatSeeker&#8482; Network has detected that the ninemsn support Web site (ninemsn.com.au) has been compromised and injected with malicious code. The malicious code was identified to be part of the Gumblar mass injections, and the injected code is hidden deep within the ninemsn ad engine, served on request. The injected code leads to a site that has also been compromised by Gumblar. The compromised code is hidden specifically within the &quot;Women's Weekly&quot; banner script. Other ad banners are not affected.&lt;/P&gt;
&lt;P&gt;Screenshot of the Web site:&lt;/P&gt;
&lt;P&gt;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/Ninemsn_Australia_Web_Site_Compromised_1.png&quot;&gt;&lt;/P&gt;
&lt;P&gt;Screenshot of the ad element:&lt;/P&gt;
&lt;P&gt;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/Ninemsn_Australia_Web_Site_Compromised_2.png&quot;&gt;&lt;/P&gt;
&lt;P&gt;At this time, the malicious code isn't available or reachable, but this could change at any time. An interesting implication is that this ad can be dynamically served on multiple Web pages within ninemsn. This is unlike a typical injection where Web sites are compromised in a single static page; in this case, the infected banner ad can be pulled to various locations within the site, serving its malicious purpose silently.&lt;/P&gt;
&lt;P&gt;Ninemsn, a joint venture between PBL Media and Microsoft, is one of the most visited portal Web sites (Alexa traffic rank 573) delivering online and mobile content, news, information, entertainment, and social networking capabilities.&lt;/P&gt;
&lt;P&gt;We contacted Microsoft when we discovered the attack and the ad banner has now been removed from the ninemsn support Web site.&lt;/P&gt;
&lt;P&gt;Websense&#174; Messaging and Websense Web Security customers are protected against this attack. &lt;/P&gt;</description><pubDate>Tue, 16 Feb 2010 12:00:00 AM GMT</pubDate><guid>BFD0B486D0B94414BA1FAE3915EC13A8</guid></item><item><title>Malicious Web Site / Malicious Code: Spammers already using Google Buzz</title><link>http://securitylabs.websense.com/content/Alerts/3551.aspx</link><description>&lt;P&gt;With all the &lt;A href=&quot;http://gmailblog.blogspot.com/2010/02/google-buzz-in-gmail.html&quot;&gt;buzz&lt;/A&gt; this week about Google Buzz, we were just waiting for malicious activity to show up on the newly launched service. We didn't quite expect it to happen this fast. Today we saw the first spam using Google Buzz to spread a message about smoking: &lt;BR&gt;&lt;BR&gt;&lt;A title=&quot;buzz by securitylabs, on Flickr&quot; href=&quot;http://www.flickr.com/photos/47434642@N02/4349170543/&quot;&gt;&lt;IMG alt=buzz src=&quot;http://farm5.static.flickr.com/4061/4349170543_f972fa3cc3.jpg&quot; width=500 height=322&gt;&lt;/A&gt;&amp;nbsp; &lt;BR&gt;&lt;BR&gt;The spammer is already following 237 people, and we can only imagine that he or she has sent similar messages to all of them. This particular message leads to a site hosted on a free Web hosting service talking about how to quit smoking. &lt;BR&gt;&lt;BR&gt;When Twitter was launched, it took a while before it was used to send spam and other malicious messages. In this case, it only took two days. It's clear that the bad guys have learned from their experience using social networks to distribute these types of messages. &lt;BR&gt;&lt;BR&gt;We hope that Google is geared up for dealing with the volume of spam it's bound to see on the new service. Until then, we advise users to be careful, as usual, when clicking on unknown links. 
&lt;/P&gt;</description><pubDate>Thu, 11 Feb 2010 12:00:00 AM GMT</pubDate><guid>0709192FEAB542EDA9DC1770A517AFBB</guid></item><item><title>Malicious Web Site / Malicious Code: Zeus targeted attacks continue</title><link>http://securitylabs.websense.com/content/Alerts/3550.aspx</link><description>&lt;P&gt;Websense Security Labs&#8482; ThreatSeeker&#8482; Network has discovered a follow-up attack to the &lt;A href=&quot;http://securitylabs.websense.com/content/Alerts/3546.aspx&quot;&gt;Zeus campaign targeting government departments&lt;/A&gt;. Its research shows that once again the campaign is targeting workers from government and military departments globally. &lt;/P&gt;
&lt;P&gt;Figure 1 - Zeus Campaign: &lt;BR&gt;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/Zeus_targeted_attacks_continue_1.jpg&quot;&gt;&lt;/P&gt;
&lt;P&gt;The Websense ThreatSeeker Network has seen thousands of emails pretending to be from a reputable figure within the Central Intelligence Agency (see Figure 2). The email subject is: &quot;Russian spear phishing attack against .mil and .gov employees&quot;&lt;/P&gt;
&lt;P&gt;Figure 2 - Content of the email: &lt;BR&gt;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/Zeus_targeted_attacks_continue_2.jpg&quot;&gt;&lt;/P&gt;
&lt;P&gt;Jeffery Carr, the spoofed victim himself, has published a comment regarding this attack: &lt;BR&gt;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/Zeus_targeted_attacks_continue_3.jpg&quot;&gt;&lt;/P&gt;
&lt;P&gt;The spoofed emails capitalize on the last Zeus attack, and claim that installing the Windows update via the links provided will aid protection against Zeus attacks. The binary file downloaded from these links is identified as a Zeus bot and has a &lt;A href=&quot;http://www.virustotal.com/analisis/696196fcc2d7803a0ebc4bdca53f03c9e1e55b15669658f9218d246d49e8c476-1265856371&quot;&gt;35% AV detection rate&lt;/A&gt;. Once again, URLs in the email messages lead to a malicious file hosted on a compromised host, and also on a popular file hosting service. Once installed, the bot has identical functionality to the one mentioned in the previous alert. After the Zeus rootkit component is installed, the C&amp;amp;C server at update[removed].com is contacted to download an encrypted configuration file. Another data-stealing component is downloaded and installed from the same C&amp;amp;C server in the form of a Win32 Perl script compiled with &lt;A href=&quot;http://www.indigostar.com/perl2exe.php&quot;&gt;Perl2Exe&lt;/A&gt; - this data-stealing component has only a &lt;A href=&quot;http://www.virustotal.com/analisis/1336bca82ba370c8cf0967ed192cb1865e4f943fbb4ea4e2f6c2c9b98eb43723-1265905508&quot;&gt;5% AV detection rate&lt;/A&gt;. The bot then connects to a credential-based FTP server at pack[removed].com to upload stolen data. The Zeus bot is normally designed to steal banking credentials; however, it has also been seen in targeted attacks to steal other sensitive data. &lt;/P&gt;
&lt;P&gt;Websense&#174; Messaging and Websense Web Security customers are protected against this attack.&lt;/P&gt;</description><pubDate>Thu, 11 Feb 2010 12:00:00 AM GMT</pubDate><guid>62FDA40F66CA4ADDA5554CD3E35ED5DE</guid></item><item><title>Malicious Web Site / Malicious Code: Bollywood Hungama Web Site Compromised</title><link>http://securitylabs.websense.com/content/Alerts/3548.aspx</link><description>&lt;P&gt;Websense Security Labs&#8482; ThreatSeeker&#8482; Network has detected that the Web site of Bollywood Hungama (Bollywoodhungama.com) has been compromised and injected with malicious code. The malicious code was identified as part of the Gumblar mass injections, and there are multiple injections at the site's path level. The main page was injected, but the malicious code there has been removed. A number of pages at the path level, however, still remain injected. The injected code leads to a site that has also been compromised by Gumblar. At this time, the malicious code isn't available or reachable, but this could change at any time. &lt;/P&gt;
&lt;P&gt;Bollywood Hungama is a leading entertainment Web site (Alexa rank 1,592). The site provides news related to the Indian film industry, emphasizing Bollywood, film reviews, and box office reports. &lt;/P&gt;
&lt;P&gt;Screenshot of the Web site: &lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/Alert_bollywoodhungama_1.JPG&quot;&gt;&lt;/P&gt;
&lt;P&gt;Screenshot of injected code in one of the pages: &lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/Alert_bollywoodhungama_2.JPG&quot;&gt;&lt;/P&gt;
&lt;P&gt;Websense&#174; Messaging and Websense Web Security customers are protected against this attack.&lt;/P&gt;</description><pubDate>Mon, 8 Feb 2010 12:00:00 AM GMT</pubDate><guid>5984D9954F974ED7A9E77BF859FD4486</guid></item><item><title>Malicious Web Site / Malicious Code: Zeus Campaign Targeted Government Departments</title><link>http://securitylabs.websense.com/content/Alerts/3546.aspx</link><description>&lt;P&gt;Websense Security Labs&#8482; ThreatSeeker&#8482; Network has discovered a new campaign involving Zeus (a banking data-stealing Trojan) that is now targeting government departments. Our research shows that the campaign has especially targeted workers from government and military departments in the UK and US: we found most victims' email addresses end with .gov.&lt;/P&gt;&lt;BR&gt;&lt;BR&gt;Figure 1 - Zeus Campaign:&amp;nbsp;&lt;BR&gt;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/Zeus_Campaign_Targeted_Goverment_Department_1.png&quot;&gt;&amp;nbsp;&lt;BR&gt;
&lt;P&gt;Our ThreatSeeker&#8482; Network has seen thousands of emails which pretend to be from the National Intelligence Council (see Figure 2). The email subjects include: &quot;National Intelligence Council&quot;&lt;BR&gt;&quot;RE: National Intelligence Council&quot;&lt;BR&gt;&quot;Report of the National Intelligence Council&quot; &lt;/P&gt;Figure 2 - Content of the email:&amp;nbsp;&lt;BR&gt;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/Zeus_Campaign_Targeted_Goverment_Department_2.png&quot;&gt;&amp;nbsp;&lt;BR&gt;
&lt;P&gt;The spoofed emails lure victims to download a document about the &quot;2020 project&quot;; this is actually a Zeus bot. The Web sites which host the bot look very trustworthy: one of them is a compromised organization Web site and the other is located on a popular file hosting service. The bot has rootkit capabilities and connects to C&amp;amp;C servers at update[removed].com and pack[removed].com to report back on a successful infection and to download some archives with DLLs. It also modifies the hosts file to prevent updates from popular anti-virus vendors.&lt;/P&gt;
&lt;P&gt;Websense&#174; Messaging and Websense Web Security customers are protected against this attack; however, the anti-virus detection rate for this bot is currently at &lt;A href=&quot;http://www.virustotal.com/analisis/82d10922cc1365a79b43a16502211ae610f56b01cd36a18db67d8a0c81c434c4-1265615954&quot;&gt;26/40&lt;/A&gt;. &lt;/P&gt;</description><pubDate>Mon, 8 Feb 2010 12:00:00 AM GMT</pubDate><guid>6EE2BA9B159646C6A965B8E196A5C7C1</guid></item>

</channel>
</rss>