<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Latest Alerts From Websense Security Labs</title>
    <link>http://websense.com/securitylabs/</link>
    <description>This is the Alert Rss Feed from Websense Security Labs</description>
    <language>en-us</language>

<pubDate>Mon, 8 Feb 2010 GMT</pubDate>

    <generator>RedDot</generator>

<item><title>Malicious Web Site / Malicious Code: Bollywood Hungama Web Site Compromised</title><link>http://securitylabs.websense.com/content/Alerts/3548.aspx</link><description>&lt;P&gt;Websense Security Labs&#8482; ThreatSeeker&#8482; Network has detected that the Web site of Bollywood Hungama (Bollywoodhungama.com) has been compromised and injected with malicious code. The malicious code was identified as part of the Gumblar mass injections, and there are multiple injections at the site's path level. While the main page was injected, the malicious code has been removed. A number of pages at the path level, however, still remain injected. The injected code leads to a site that has also been compromised by Gumblar. At this time, the malicious code isn't available or reachable, but this could change at any time. &lt;/P&gt;
&lt;P&gt;Bollywood Hungama is a leading entertainment Web site (Alexa rank 1,592). The site provides news related to the Indian film industry, emphasizing Bollywood, film reviews, and box office reports. &lt;/P&gt;
&lt;P&gt;Screenshot of the Web site: &lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/Alert_bollywoodhungama_1.JPG&quot;&gt;&lt;/P&gt;
&lt;P&gt;Screenshot of injected code in one of the pages: &lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/Alert_bollywoodhungama_2.JPG&quot;&gt;&lt;/P&gt;Websense&#174; Messaging and Websense Web Security customers are protected against this attack. 
&lt;P&gt;&lt;/P&gt;</description><pubDate>Mon, 8 Feb 2010 12:00:00 AM GMT</pubDate><guid>5984D9954F974ED7A9E77BF859FD4486</guid></item><item><title>Malicious Web Site / Malicious Code: Zeus Campaign Targeted Government Departments</title><link>http://securitylabs.websense.com/content/Alerts/3546.aspx</link><description>&lt;P&gt;Websense Security Labs&#8482; ThreatSeeker&#8482; Network has discovered a new Zeus campaign (a banking data stealing Trojan) which is now targeting government departments. Our research shows that the campaign has especially targeted workers from government and military departments in the UK and US: we found most victims' email addresses end with .gov.&lt;/P&gt;&lt;BR&gt;&lt;BR&gt;Figure 1 - Zeus Campaign:&amp;nbsp;&lt;BR&gt;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/Zeus_Campaign_Targeted_Goverment_Department_1.png&quot;&gt;&amp;nbsp;&lt;BR&gt;
&lt;P&gt;Our ThreatSeeker&#8482; Network has seen thousands of emails which pretend to be from the National Intelligence Council (see Figure 2). The email subjects include: &quot;National Intelligence Council&quot;&lt;BR&gt;&quot;RE: National Intelligence Council&quot;&lt;BR&gt;&quot;Report of the National Intelligence Council&quot; &lt;/P&gt;Figure 2 - Content of the email:&amp;nbsp;&lt;BR&gt;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/Zeus_Campaign_Targeted_Goverment_Department_2.png&quot;&gt;&amp;nbsp;&lt;BR&gt;
&lt;P&gt;The spoofed emails lure victims into downloading a document about the &quot;2020 project&quot;; this is actually a Zeus bot. The Web sites which host the bot look very trustworthy: one of them is a compromised organization Web site and the other is located on a popular file hosting service. The bot has rootkit capabilities and connects to C&amp;amp;C servers at update*snip*.com and pack*snip*.com to report back on a successful infection and to download some archives with DLLs. It also modifies the hosts file to prevent updates from popular anti-virus vendors.&lt;/P&gt;
&lt;P&gt;Websense&#174; Messaging and Websense Web Security customers are protected against this attack, however the anti-virus detection rate for this bot is currently at &lt;A href=&quot;http://www.virustotal.com/analisis/82d10922cc1365a79b43a16502211ae610f56b01cd36a18db67d8a0c81c434c4-1265615954&quot;&gt;26/40&lt;/A&gt;. &lt;/P&gt;</description><pubDate>Mon, 8 Feb 2010 12:00:00 AM GMT</pubDate><guid>6EE2BA9B159646C6A965B8E196A5C7C1</guid></item><item><title>Malicious Web Site / Malicious Code: Malicious Google Job Application Response</title><link>http://securitylabs.websense.com/content/Alerts/3543.aspx</link><description>&lt;P&gt;Websense Security Labs&#8482; ThreatSeeker&#8482; Network has discovered a new malicious spam campaign that spoofs Google job application responses. The messages look very well written and are so believable that they are probably scrapes from actual Google job application responses. Typically, spam has grammatical errors or spelling mistakes that make the messages obviously unofficial and act as red flags. The text of these messages, however, has no such mistakes, making them much more believable--especially if the target really has applied for a job with Google. &lt;BR&gt;&lt;BR&gt;The &lt;B&gt;From:&lt;/B&gt; address is even spoofed to fool victims into believing the message was sent by Google. The messages have an attached file called CV-20100120-112.zip that contains a malicious payload. This is where the message gets suspicious, because the contents of the .zip file have a double extension ending with .exe. The attackers attempt to hide the .exe extension by preceding it with .html or .pdf, followed by a number of spaces and then the .exe extension. 
The .exe file (SHA1:80366cde71b84606ce8ecf62b5bd2e459c54942e) has &lt;A href=&quot;http://www.virustotal.com/analisis/d5fd8e098054a5f1b570de5d31241c1428a79fb25ec6a477261f6efaaf3d7440-1265043648&quot;&gt;little AV&lt;/A&gt; coverage at the moment.&amp;nbsp;&lt;BR&gt;&lt;BR&gt;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/MalGoogMessage.png&quot;&gt;&amp;nbsp;&lt;BR&gt;&lt;BR&gt;Websense Messaging and Websense Web Security customers are protected against this attack. &lt;/P&gt;</description><pubDate>Mon, 1 Feb 2010 12:00:00 AM GMT</pubDate><guid>AD3010F65E62497ABC3A849914C87820</guid></item><item><title>Malicious Web Site / Malicious Code: Oklahoma Tax Commission Site Compromised</title><link>http://securitylabs.websense.com/content/Alerts/3540.aspx</link><description>&lt;P&gt;
&lt;P&gt;Websense Security Labs&#8482; ThreatSeeker&#8482; Network has discovered that the home page of the Oklahoma Tax Commission Web site has been compromised with malicious script code. The heavily obfuscated code has been injected at the bottom of the page. &lt;BR&gt;&lt;BR&gt;
&lt;OBJECT width=425 height=344&gt;&lt;PARAM NAME=&quot;movie&quot; VALUE=&quot;http://www.youtube.com/v/2wTxi8bc9mc&amp;amp;hl=en_US&amp;amp;fs=1&amp;amp;&quot;&gt;&lt;PARAM NAME=&quot;allowFullScreen&quot; VALUE=&quot;true&quot;&gt;&lt;PARAM NAME=&quot;allowscriptaccess&quot; VALUE=&quot;always&quot;&gt;
&lt;embed src=&quot;http://www.youtube.com/v/2wTxi8bc9mc&amp;hl=en_US&amp;fs=1&amp;&quot; type=&quot;application/x-shockwave-flash&quot; allowscriptaccess=&quot;always&quot; allowfullscreen=&quot;true&quot; width=&quot;425&quot; height=&quot;344&quot;&gt;&lt;/embed&gt;&lt;/OBJECT&gt;&lt;BR&gt;&lt;BR&gt;Here is what site visitors see when they visit the Oklahoma Tax Commission home page:&lt;/P&gt;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/OTCHomepage(1).png&quot;&gt; &lt;BR&gt;&lt;BR&gt;After the page is loaded, the browser executes the injected script in the background. 
&lt;P&gt;&lt;/P&gt;
&lt;P&gt;Below is a screen shot of the injected code:&amp;nbsp;&lt;BR&gt;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/OTCInjectedScript.png&quot;&gt;&amp;nbsp;&lt;BR&gt;&lt;BR&gt;The injected script code goes through a series of deobfuscation techniques that ultimately take the victim computer to an attack Web site without the victim's consent or knowledge. &lt;/P&gt;
&lt;P&gt;At the time of this posting, the attack Web site is down, but it could come back up at any time to carry out attacks against visitors to the Oklahoma Tax Commission home page. &lt;BR&gt;&lt;BR&gt;Websense Messaging and Websense Web Security customers are protected against this attack. &lt;/P&gt;
&lt;P&gt;&lt;/P&gt;</description><pubDate>Fri, 29 Jan 2010 12:00:00 AM GMT</pubDate><guid>2190E818DB05489F82DD9F386DC024E7</guid></item><item><title>Malicious Web Site / Malicious Code: Apple Tablet Announcement Black SEO</title><link>http://securitylabs.websense.com/content/Alerts/3538.aspx</link><description>&lt;P&gt;
&lt;P&gt;Websense Security Labs&#8482; ThreatSeeker&#8482; Network has discovered that search terms related to the forthcoming Apple Tablet announcement have already become the latest target for Blackhat SEO poisoning attacks.&lt;/P&gt;
&lt;P&gt;In the lead up to&lt;SPAN class=Apple-converted-space&gt;&amp;nbsp;&lt;A href=&quot;http://www.glgroup.com/Council-Events/Teleconference--The-Apple-Tablet-Announcement-(3-00-PM-EST-12-00-PM-PST-20-00-GMT)-7935795.html&quot;&gt;Apple's official announcement&lt;/A&gt;&amp;nbsp;which is scheduled to happen today, there has been a great deal of anticipation and speculation over the Internet. As people become interested in finding more information on the product, related search terms are currently gaining momentum, and as they do so Blackhat SEO attacks are starting to climb up the search result listings.&lt;/P&gt;
&lt;P size=&quot;3&quot;&gt;Below is a screenshot from Google Trends showing how one of the phrases targeted by Black SEO, &quot;apple tablet announcement&quot;, is starting to gain momentum:&lt;/P&gt;
&lt;P&gt;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/Apple_Tablet_Alert_1.jpg&quot;&gt;&lt;/P&gt;
&lt;P size=&quot;3&quot;&gt;As Black SEO attacks climb up the search rankings, clicking on such a result leads to a Rogue Antivirus site:&lt;/P&gt;
&lt;P&gt;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/Apple_Tablet_Alert_2.jpg&quot;&gt;&lt;/P&gt;
&lt;P&gt;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/Apple_Tablet_Alert_3.jpg&quot;&gt;&lt;/P&gt;
&lt;P&gt;The file on the rogue AV site has a&lt;SPAN class=Apple-converted-space&gt;&amp;nbsp;&lt;A href=&quot;http://www.virustotal.com/analisis/a2554d34db4ab9b672f20e0609cad88a27b27b12e94dfac413e43f50afeba769-1264543491&quot;&gt;30% detection rate&lt;/A&gt;. If the file is installed, it reports non-existent infections and disturbs the user with ongoing pop-ups. In order to &quot;clean&quot; the system, the rogue program is offered for a price:&lt;/P&gt;
&lt;P&gt;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/Apple_Tablet_Alert_4.jpg&quot;&gt;&lt;/P&gt;
&lt;P&gt;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/Apple_Tablet_Alert_5.jpg&quot;&gt;&lt;BR&gt;&lt;/P&gt;
&lt;P&gt;Websense&#174; Messaging and Websense Web Security customers are protected against this attack.&lt;/P&gt;
&lt;P&gt;&lt;/P&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;</description><pubDate>Wed, 27 Jan 2010 12:00:00 AM GMT</pubDate><guid>B7B7AB51228B48EA842957B2B264AA07</guid></item><item><title>Malicious Web Site / Malicious Code: Targeted Email Examples Relating to Microsoft Internet Explorer 0-day CVE-2010-0249 </title><link>http://securitylabs.websense.com/content/Alerts/3536.aspx</link><description>&lt;P&gt;
&lt;P&gt;Websense&#174; Security Labs&#8482; has reports that emails linking to malicious web-based exploit code that utilizes the vulnerability CVE-2010-0249 have been sent to organizations in a targeted manner since December 2009, and the attack is still on-going. This same vulnerability was used to target Google, Adobe, and approximately 30 other companies in mid-December 2009. This is a development of the attack we have blogged about previously &lt;A href=&quot;http://securitylabs.websense.com/content/Blogs/3534.aspx&quot;&gt;here&lt;/A&gt;. &lt;/P&gt;
&lt;P&gt;Investigation has so far led to the conclusion that these targeted attacks appear to have started during the week of 20 December 2009, and are on-going against government, defence, energy sectors and other organizations in the United States and United Kingdom. &lt;/P&gt;
&lt;P&gt;Within the malicious emails the sender's domain is spoofed to match the recipient's domain making the targeted emails more convincing to the recipient. The malicious executables that are delivered by the exploit code include hxxp://cnn[removed]/US/20100119/update.exe or hxxp://usnews[removed]/svchost.exe. These exhibit traits of an information-stealing Trojan with Backdoor capabilities. As of today only 25% of AV vendors protect against the payload according to this &lt;A href=&quot;http://www.virustotal.com/analisis/ee6d60ade4f20dd305ab27100623718d0ea8409be524d45e7b375269857fd797-1264090078&quot;&gt;VT report.&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;Example email subjects include:&lt;BR&gt;&quot;Helping You Serve Your Customers&quot;&lt;BR&gt;&quot;Obama Slips in Polls as Crises Dominate First Year as President&quot;&lt;BR&gt;&quot;2010&amp;nbsp;***** Commercial SATCOM&quot;&lt;BR&gt;&quot;The Twelve Days of Christmas&quot;&lt;BR&gt;&lt;/P&gt;
&lt;P&gt;Microsoft released a patch to address the vulnerability on Thursday 21 January at 10am PST. See &lt;A href=&quot;http://www.microsoft.com/technet/security/bulletin/ms10-jan.mspx&quot;&gt;MS10-002 summary&lt;/A&gt; for details. &lt;/P&gt;
&lt;P&gt;Screenshots of targeted emails: &lt;/P&gt;&lt;BR&gt;&amp;nbsp;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/alert_IE0day_email_1.png&quot;&gt;&lt;BR&gt;&lt;BR&gt;&amp;nbsp;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/alert_IE0day_email_2.png&quot;&gt;&lt;BR&gt;&lt;BR&gt;&amp;nbsp;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/alert_IE0day_email_3.png&quot;&gt;&lt;BR&gt;&lt;BR&gt;&amp;nbsp;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/alert_IE0day_email_4.png&quot;&gt;&lt;BR&gt;
&lt;P&gt;Websense&#174; Messaging and Websense Web Security customers are protected against this attack. &lt;/P&gt;
&lt;P&gt;&lt;/P&gt;</description><pubDate>Thu, 21 Jan 2010 12:00:00 AM GMT</pubDate><guid>197530D7034E4878A328475D838A053C</guid></item><item><title>Malicious Web Site / Malicious Code: Black Hat SEO Causing Malicious Search Results For Recent Haiti Earthquake </title><link>http://securitylabs.websense.com/content/Alerts/3524.aspx</link><description>&lt;P&gt;Websense Security Labs&#8482; ThreatSeeker&#8482; Network has discovered that searches on terms related to the recent earthquake in Haiti return results leading to a rogue antivirus program. The earthquake, which happened on Tuesday near Port-au-Prince, had a magnitude of 7.0 and is said to be the most powerful earthquake to hit Haiti. &lt;BR&gt;&lt;BR&gt;
&lt;OBJECT width=425 height=344&gt;&lt;PARAM NAME=&quot;movie&quot; VALUE=&quot;http://www.youtube.com/v/r0oDnQ0P0fI&amp;amp;hl=en_US&amp;amp;fs=1&amp;amp;&quot;&gt;&lt;PARAM NAME=&quot;allowFullScreen&quot; VALUE=&quot;true&quot;&gt;&lt;PARAM NAME=&quot;allowscriptaccess&quot; VALUE=&quot;always&quot;&gt;
&lt;embed src=&quot;http://www.youtube.com/v/r0oDnQ0P0fI&amp;hl=en_US&amp;fs=1&amp;&quot; type=&quot;application/x-shockwave-flash&quot; allowscriptaccess=&quot;always&quot; allowfullscreen=&quot;true&quot; width=&quot;425&quot; height=&quot;344&quot;&gt;&lt;/embed&gt;&lt;/OBJECT&gt;&lt;BR&gt;&lt;BR&gt;People around the world are searching the Internet to find the latest updates on this issue, wanting to know how to make charitable donations, trying to discover the extent of the calamity through photos or videos, and looking to see what their favorite artists and musicians are saying about the disaster. Unfortunately, the bad guys use major crises and events like this to spread their malicious code. &lt;BR&gt;&lt;BR&gt;Maliciously engineered search results:&amp;nbsp;&lt;BR&gt;&lt;BR&gt;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/haiti_earthquake_search_results.PNG&quot;&gt;&amp;nbsp;&lt;BR&gt;&lt;BR&gt;Screen shot showing the rogue antivirus software:&amp;nbsp;&lt;BR&gt;&lt;BR&gt;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/haiti_rogue_av.PNG&quot;&gt;&amp;nbsp;&lt;BR&gt;&lt;BR&gt;Malware sample 1: &lt;BR&gt;&lt;A href=&quot;http://www.virustotal.com/analisis/0bde0d236db303f9531105bc4a3164d857f50f972886210724adf02719f27d35-1263413669&quot;&gt;20%&lt;/A&gt; AV coverage &lt;BR&gt;SHA1 : e89ff91b9a279ac5e9e86c455f2150f2a0ffcf8f &lt;BR&gt;&lt;BR&gt;Malware sample 2: &lt;BR&gt;&lt;A href=&quot;http://www.virustotal.com/analisis/a1c0b23dcfa9bc10f2cdb55c1358c5bd7c01c903a2aa9829f205b73137d30e89-1263413836&quot;&gt;8% &lt;/A&gt;AV coverage &lt;BR&gt;SHA-1: 4e58a12a9f722be0712517a0475fda60a8e94fdc &lt;BR&gt;&lt;BR&gt;Malware sample 3: &lt;BR&gt;&lt;A href=&quot;http://www.virustotal.com/analisis/b291101a733cb656f39c3b85a887e2f5b9730a8564c09d3d80b49560c23f0458-1263404507&quot;&gt;20%&lt;/A&gt; AV coverage&lt;BR&gt;SHA1 : ee6e18f8cfe65862e7fa0537ae4b95cb0fcb7ada &lt;BR&gt;&lt;BR&gt;Websense&#174; Messaging and 
Websense Web Security customers are protected against this attack. &lt;/P&gt;</description><pubDate>Wed, 13 Jan 2010 12:00:00 AM GMT</pubDate><guid>DCABA210D1B9407AA6A4054414110176</guid></item><item><title>Malicious Web Site / Malicious Code: Ice Skating Car Video Black Hat SEO </title><link>http://securitylabs.websense.com/content/Alerts/3522.aspx</link><description>&lt;P&gt;
&lt;P&gt;Websense Security Labs&#8482; ThreatSeeker&#8482; Network has discovered that a popular video called &quot;Paignton Ice Skating for Cars&quot; has been targeted by both SEO poisoning attacks as well as Web spam. &lt;BR&gt;&lt;BR&gt;As a &lt;A href=&quot;http://www1.voanews.com/english/news/europe/Severe-Winter-Weather-Grips-Europe-81091747.html&quot;&gt;wave of icy weather is currently hitting large parts of Europe&lt;/A&gt;, the video has proved to be very popular, with currently more than 850,000 hits on &lt;A href=&quot;http://uk.video.yahoo.com/watch/6741223/17522772&quot;&gt;Yahoo Video&lt;/A&gt;. A different &lt;A href=&quot;http://www.youtube.com/watch?v=7MPRmOUxRMY&quot;&gt;uploaded version on YouTube&lt;/A&gt; has had more than 1 million views so far. Criminals have used the video's popularity as an opportunity to spread rogue anti-virus programs by poisoning the search results of major search engines. When the term &quot;ice skating car&quot; is searched via Google, nearly half of the search results on the first page redirect the user to rogue anti-virus sites. Clicking any of those links takes the user to a Web site with the message: &quot;Your PC is at risk of virus and malware attack.&quot; That's an old trick used to lure unsuspecting users to download a fake anti-virus installer. &lt;BR&gt;&lt;BR&gt;Here is the screenshot of the first page of a search for &quot;Ice Skating Car&quot; in Google:&amp;nbsp;&lt;BR&gt;&lt;BR&gt;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/ice_skating_car_1.jpg&quot;&gt;&amp;nbsp;&lt;BR&gt;&lt;BR&gt;This is the screenshot of the fake anti-virus site:&amp;nbsp;&lt;BR&gt;&lt;BR&gt;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/ice_skating_car_2.jpg&quot;&gt;&amp;nbsp;&lt;BR&gt;&lt;BR&gt;The black hat search results in Google redirect the user through several sites, most of which are hosted in Russia, before finally landing in the rogue anti-virus site. 
The criminals often change the second site in the redirection chain in order to make it harder to detect. The file has a relatively low &lt;A href=&quot;http://www.virustotal.com/analisis/22a57e63ba0fb00cde7aace01c581583dab6c20b48f241e9ff30d0fea541657b-1263209375&quot;&gt;AV&lt;/A&gt; detection rate. &lt;/P&gt;
&lt;P&gt;Websense&#174; Messaging and Websense Web Security customers are protected against this attack. &lt;/P&gt;
&lt;P&gt;&lt;/P&gt;</description><pubDate>Mon, 11 Jan 2010 12:00:00 AM GMT</pubDate><guid>DDCCE246FEB6409CB9A43E111C0193A3</guid></item><item><title>Malicious Web Site / Malicious Code: Office.Microsoft.Com Search Results Can Lead To Rogue Anti-Virus</title><link>http://securitylabs.websense.com/content/Alerts/3519.aspx</link><description>Websense Security Labs&#8482; ThreatSeeker&#8482; Network has detected that search results on office.microsoft.com can lead users to a Rogue AV page. &lt;BR&gt;&lt;BR&gt;Users looking for information related to help with Office products on Microsoft&#8217;s own site are being targeted. Users may be unaware that, when they type in search queries on the site, Microsoft scours its own Web site for results, but also pulls in results from the broader Web. As the URL for the search results begins with http://office.microsoft.com, this is particularly troubling for users who trust sites simply because of their reputation.&lt;BR&gt;&lt;BR&gt;The malicious URL is a redirect to a very real-looking virus scan and warning page presented by a Rogue AV program (SHA1: 6489c54e30af18801a9e83a5855fa639f3bae0b8). The executable used in the exploit is currently recognized by &lt;A href=&quot;http://www.virustotal.com/analisis/3322d75a2efbc649c726c7258e9ade91dc13f2d35cc1360ac4248e3c62a1ad3d-1262943359&quot; bitly=&quot;BITLY_PROCESSED&quot;&gt;1 of the 41&lt;/A&gt; AV engines on Virus Total.&lt;BR&gt;&lt;BR&gt;
&lt;P&gt;We have contacted Microsoft's Security Response Center with the necessary information.&lt;/P&gt;
&lt;OBJECT width=425 height=344&gt;&lt;PARAM NAME=&quot;movie&quot; VALUE=&quot;http://www.youtube.com/v/90fulZenuuI&amp;amp;hl=en_GB&amp;amp;fs=1&amp;amp;&quot;&gt;&lt;PARAM NAME=&quot;allowFullScreen&quot; VALUE=&quot;true&quot;&gt;&lt;PARAM NAME=&quot;allowscriptaccess&quot; VALUE=&quot;always&quot;&gt;
&lt;embed src=&quot;http://www.youtube.com/v/90fulZenuuI&amp;hl=en_GB&amp;fs=1&amp;&quot; type=&quot;application/x-shockwave-flash&quot; allowscriptaccess=&quot;always&quot; allowfullscreen=&quot;true&quot; width=&quot;425&quot; height=&quot;344&quot;&gt;&lt;/embed&gt;&lt;/OBJECT&gt;
&lt;P&gt;Websense&#174; Messaging and Websense Web Security customers are protected against this attack.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;/P&gt;</description><pubDate>Fri, 8 Jan 2010 12:00:00 AM GMT</pubDate><guid>2AA29F0CC2DD4E49834E11AE1342F7C5</guid></item><item><title>Malicious Web Site / Malicious Code: Binsservicesonline Scam Spreading on Facebook and SEO Poisoning</title><link>http://securitylabs.websense.com/content/Alerts/3518.aspx</link><description>&lt;P&gt;Websense Security Labs&#8482; ThreatSeeker&#8482; Network has discovered several spam messages on Facebook that trick the user into visiting BINSSERVICESONLINE(dot)INFO. When the link in the message is clicked, the Web site redirects the user to an online scam site similar to the one we published in the blog &lt;A href=&quot;http://securitylabs.websense.com/content/Blogs/3512.aspx&quot;&gt;Google Scam Kits&lt;/A&gt; in mid-December. The use of Facebook to distribute links that lead to Google scam kits is fairly new, and is sure to trick some users into buying the kits.&lt;/P&gt;
&lt;P&gt;A lot of users have apparently received this message, as it quickly became a popular search string on Google. As we've seen in the past, there are criminal groups monitoring the popular search terms on Google and other search engines to start their own malicious attacks, so it didn't take long until we started seeing Google search results for BINSSERVICESONLINE leading to rogue AV products.&lt;/P&gt;
&lt;P&gt;Note that the two attacks are done by separate groups of criminals. One group started the spam attacks on Facebook and another started manipulating Google results.&lt;BR&gt;&lt;BR&gt;We can see many messages spreading in Facebook, for example: &lt;/P&gt;
&lt;P&gt;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/BinsservicesonlineScam_Spreading_on_Facebook_and_SEO_Poisoning_1.JPG&quot;&gt;&lt;/P&gt;
&lt;P&gt;BINSSERVICESONLINE.INFO redirects to the following scam site: &lt;/P&gt;
&lt;P&gt;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/Binsservicesonline_Scam_Spreading_on_Facebook_and_SEO_Poisoning_2.JPG&quot;&gt;&lt;BR&gt;&lt;BR&gt;Google search results for BINSSERVICESONLINE: &lt;/P&gt;
&lt;P&gt;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/BinsservicesonlineScam_Spreading_on_Facebook_and_SEO_Poisoning_3.JPG&quot;&gt;&lt;/P&gt;
&lt;P&gt;The Google Trend showing the hot CTR for BINSSERVICESONLINE: &lt;/P&gt;
&lt;P&gt;&lt;IMG src=&quot;http://securitylabs.websense.com/content/Assets/AlertMedia/BinsservicesonlineScam_Spreading_on_Facebook_and_SEO_Poisoning_4.JPG&quot;&gt;&lt;BR&gt;&lt;BR&gt;Websense&#174; Messaging and Websense Web Security customers are protected against this attack. &lt;/P&gt;</description><pubDate>Tue, 5 Jan 2010 12:00:00 AM GMT</pubDate><guid>9C608085B6144F3CA6E37DCAEC968B64</guid></item>

</channel>
</rss>