The resource centre for busy senior executives seeking the latest insights into IT Compliance & Privacy issues for major organizations
Public Alerts - from Websense Security Labs

Websense Security Labs serves as a powerful resource to customers and the security community to discover, investigate and report on Internet threats.

  • Please update your RSS readers and bookmarks, the Security Labs blog ha...

    Please update your RSS readers and bookmarks, we've moved to a new home! In addition to the new look-and-feel we have a few new things in place.

    - We have merged the blog and alerts. If you subscribe to our Alerts you will still get emails when we see something that warrants an alert

    - Added Categories to posts. This will make it much easier to find stories around the same topic

    - Added Fliptop integration which makes it really easy to subscribe to this blog in different ways

    We will add the ability to post Comments to the blog as well in the near future.

    We hope you'll like it. Remember to update your RSS feeder address by clicking on "Subscribe" in the top-right corner as the old RSS feed will not be updated.

    Do stop by to say hi to us at http://community.websense.com/blogs/securitylabs/



  • Malicious Web Site / Malicious Code: New Zbot campaign comes in a PDF

    Websense Security Labs™ has received several reports of a Zbot trojan campaign spreading via email. We have seen over 2200 messages so far.

    Zbot (also known as Zeus) is an information stealing trojan (infostealer) collecting confidential data from each infected computer. The main vector for spreading Zbot is a spam campaign where recipients are tricked into opening infected attachments on their computer.

    This new variant uses a malicious PDF file which contains the threat as an embedded file. When recipients open the PDF, it asks to save a PDF file called Royal_Mail_Delivery_Notice.pdf. The user falsely assumes that the file is just a PDF, and therefore safe to store on the local computer. The file, however, is really a Windows executable. The malicious PDF launches the dropped file, taking control of the computer. At the time of writing this file has a 20% anti-virus detection rate (SHA1: f1ff07104b7c6a08e06bededd57789e776098b1f).

    The threat creates a subdirectory under %SYSTEM32% with the name "lowsec" and drops the "local.ds" and "user.ds" files. These are configuration files for the threat. It also copies itself into %SYSTEM32% as "sdra64.exe" and modifies the registry entry "%SOFTWARE%\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit" to launch itself during system startup. When it runs, it injects malicious code into the Winlogon.exe instance in memory. This Zbot variant connects to a malicious remote server in China using an IP address of 59.44.[removed].[removed]:6010.

    Screen shot of the email message:

    Saves the malicious embedded file

    Adobe Acrobat Reader shows a warning about launching the file:

    The problem lies deep inside the PDF file format. This technique is similar, but not the same, as explained in this blog post.

    Update: In addition to the Royal Mail emails we have also seen emails that look like they are coming from Canada Post. These are primarily being sent to email addresses in the .ca domain space. See below for a screenshot.

    Websense Messaging and Websense Web Security customers are protected against this attack.
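As an added example, not part of the Websense alert, the Python helpers below check collected host inventory data against the artifacts the alert lists: the extra Userinit entry, the dropped file names, the C2 port and the dropper hash. The sample inventory data is constructed, and the default userinit.exe location is an assumption.

```python
# Host-triage helpers for the Zbot/Zeus artifacts listed in the alert above.
# Constructed sample data only: nothing here reads the live registry or disk.

# Indicators quoted from the alert text.
ZBOT_DROPPER_SHA1 = "f1ff07104b7c6a08e06bededd57789e776098b1f"
ZBOT_FILES = {"sdra64.exe", "local.ds", "user.ds"}
ZBOT_DIR = "lowsec"

# Assumption: a default install, where Winlogon\Userinit holds exactly this
# path followed by a trailing comma. Adjust for a different system drive.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


def userinit_extras(value):
    """Return every Userinit entry other than the expected one.

    Winlogon runs each comma-separated entry at logon, which is why the
    variant appends its sdra64.exe copy to the list.
    """
    entries = [e.strip().strip('"') for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != EXPECTED_USERINIT]


def suspicious_paths(paths):
    """Flag paths whose final component is one of the dropped names."""
    hits = []
    for p in paths:
        name = p.replace("/", "\\").lower().rsplit("\\", 1)[-1]
        if name in ZBOT_FILES or name == ZBOT_DIR:
            hits.append(p)
    return hits


def c2_candidates(connections):
    """Flag (remote_ip, remote_port) pairs matching the alert's C2 description:
    a 59.44.x.x host on port 6010 (the alert redacts the last two octets)."""
    return [(ip, port) for ip, port in connections
            if port == 6010 and ip.startswith("59.44.")]


def is_known_dropper(sha1_hex):
    """Compare a file's SHA1 (hex) against the dropper hash from the alert."""
    return sha1_hex.strip().lower() == ZBOT_DROPPER_SHA1


# Constructed sample data standing in for an inventory script's output.
SAMPLE_USERINIT = r"C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe,"
SAMPLE_PATHS = [
    r"C:\Windows\system32\userinit.exe",
    r"C:\Windows\system32\lowsec\local.ds",
    r"C:\Windows\system32\sdra64.exe",
    r"C:\Windows\system32\drivers\etc\hosts",
]
SAMPLE_CONNECTIONS = [("10.0.0.5", 445), ("59.44.1.2", 6010), ("8.8.8.8", 53)]
```

On a real host the Userinit value, a system32 file listing and a connection table would be collected by a separate inventory step and fed to these functions.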



  • Malicious Web Site / Malicious Code: Fake Apple App Store Malicious Spam

    Websense Security Labs™ ThreatSeeker™ Network has discovered that Apple's App Store has become the latest target for email attacks and spam. App Store is the service provided by Apple Inc. as a platform to purchase and download applications for iPhone®, iPod touch®, and iPad™. The attack comes in the form of a fake invoice email.

    With Apple's App Store being one of the most popular shopping platforms for multimedia, this kind of App Store invoice email is familiar to users and tends to be received frequently. As demonstrated here, cyber-criminals clearly jump at a chance to spread their spam using any available means.

    The content in this campaign resides on compromised Web sites and serves a combination of pharmaceutical spam along with exploits that are delivered in the background. Some of the messages serve only pharmaceutical spam and some combine spam with exploits. In the example below, clicking the link in the message redirects the user to a site with a single link labeled "visit". In the background, a known exploit pack called "Eleonore" is delivered to the user's machine. If the user clicks on the link, they are redirected to a "Canadian Pharmacy" Web site. In this particular attack instance the file dropped by the exploit pack has 29% detection rate.

    Screen shot of the email:

    Exploits are delivered on this page in the background:

    Pharmaceutical spam Web site:

    Websense Messaging and Websense Web Security customers are protected against this attack.



  • Malicious Web Site / Malicious Code: Skype Toolbar for Outlook Scam

    Websense Security Labs™ ThreatSeeker™ Network has discovered a new wave of email attacks targeting the Skype Email Toolbar. Up to now, the amount of spam is not large, but we believe it will increase.

    The spam email message contains a file attachment named SkypeToolbarForOutlook.zip, which could easily deceive users but is in fact a backdoor trojan that has a very low AV detection.

    The spam email copies the look and feel of the legitimate application from Skype.

    Screen shot of the email:

    Websense® Messaging and Websense Web Security customers are protected against this attack.



  • Malicious Web Site / Malicious Code: Searching for Corey Haim Leads to Rogue AV

    Websense Security Labs™ ThreatSeeker™ Network has discovered that search terms related to Corey Haim have become the latest target for Blackhat SEO poisoning attacks.

    Corey Haim, 1980s teen idol actor and a star of such famous movies as "The Lost Boys" and "License to Drive", was found dead in his Los Angeles apartment at the age of only 38 on Wednesday.

    Whether it's a natural disaster or a death, Blackhats monitor and adapt to popular search trends. Not long after the sad news emerged, the search phrase "Corey Haim" became one of the hottest topics in Google trends.

    Screenshot of the Google trend: 

    Cybercriminals again jump at a chance to spread their rogue AVs. When users enter keywords such as "Corey Haim death" in Google, some of the results will lead them to download fake security software. The downloaded FakeAV file has only 17% coverage from antivirus products.

    Google search results for "Corey Haim death" that lead to rogue AVs:

    Websense Messaging and Websense Web Security customers are protected against this attack.



  • Malicious Web Site / Malicious Code: BBS of Sougou Compromised

    Websense® Security Labs™ ThreatSeeker™ Network has discovered that the BBS of Sougou has been compromised.

    The Sougou BBS home page and other pages on the site have been injected with a malicious script. The script creates an IFrame that redirects users to an exploit site: a 5-day old domain at [snip]ow.info. The latter performs some checks before delivering the exploits, in order to subvert any analysis attempts.

    At the time of writing this alert, the BBS of Sougou is still injected with the malicious script, but the exploit site is down. This could change at any moment.

    This is the injected code in the home page and its contents:

    Here is the exploit page:

    Websense Messaging and Websense Web Security customers are protected against this attack.



  • Malicious Web Site / Malicious Code: Blackhat SEO turns to PDF with Chile and...

    Over 13% of all searches on Google looking for popular and trending topics will lead to malicious links, and searching for the latest news on the earthquake in Chile and the tsunami hitting Hawaii is no exception. Both are now used to lure people into downloading fake antivirus products.

    Usually the links in the search results look like ordinary links pointing to regular web pages. This time the bad guys have changed tactics to make their search results look even more convincing, by tricking Google into thinking it's a PDF file.



    As you can see above Google tells you the file format is PDF and not HTML. That's not true, it is in fact a regular HTML page that when visited will redirect the user to a page that looks like this - just another rogue AV fake scanning page. This one, just like the majority of rogue AV sites we have seen this week, is in the .IN TLD which is the top-level domain for India.

    By making the search result look like a PDF it gives the link more authenticity. Perhaps it's a research paper or at least a more well written article. The likelihood that a user will click on these types of links is probably higher than if it were just another random web link.

    This is the first time we've seen the attackers use this approach but considering how aggressive the rogue AV gangs are, it's not a surprise that they continue to refine their techniques to get people to "buy" their products.

    The Rogue AV file itself is currently detected by 26.20% of the antivirus engines used by VirusTotal.

    Websense® Messaging and Websense Web Security customers are protected against this attack.

  • Malicious Web Site / Malicious Code: Searching For Joannie Rochette Leads To ...

    Websense Security Labs™ ThreatSeeker™ Network has detected that the black hat Search Engine Optimization (SEO) techniques are abusing the name of an Olympic figure skater who is very popular in recent news.

    Joannie Rochette is a Canadian figure skater and the 2009 world silver medallist. In the 2010 Winter Olympics in Vancouver, despite the loss of her mother just 48 hours before her competition, she delivered a sensational performance and qualified to compete for gold.

    The bad guys still took advantage of this tragic incident and used it in the infamous Black SEO poisoning attacks. Searching for Joannie Rochette in reputable search engines leads to rogue AV.

    This use of the Black SEO technique is even more pertinent now that the results have been announced, with Rochette receiving a bronze medal for her performance.

    Once the victim clicks on the poisoned search results, he/she is redirected to the rogue AV page, and a fake Anti-virus executable asks for the victim's confirmation before being downloaded.

    Related topics are 4th and 7th on Google's Hot Trends USA list. Joannie Rochette is currently the most popular search term on Google Canada at the time of writing:

    This isn't the first time Black SEO attacks have targeted events and figures related to the Olympics this year.

    Websense® Messaging and Websense Web Security customers are protected against this attack.



  • Malicious Web Site / Malicious Code: Bloom Box Black SEO

    Websense Security Labs™ ThreatSeeker™ Network has detected that search terms related to Bloom Energy and its Bloom Box fuel cell have become the latest target for Blackhat SEO poisoning attacks.

    Bloom Box is a breakthrough technology in the energy sector that could revolutionize the way electricity is generated today. As people become interested in finding more information on this technology, related search terms are currently gaining momentum, and as they do so Blackhat SEO attacks are starting to climb up the search result listings.

    At the moment, according to the VirusTotal report only 10% of antivirus products are detecting the threat.

    Video of the Bloom Box SEO in action:


    Websense® Messaging and Websense Web Security customers are protected against this attack.



  • Malicious Web Site / Malicious Code: Microsoft's Ninemsn Australia Web Site C...

    Websense Security Labs™ ThreatSeeker™ Network has detected that the ninemsn support Web site (ninemsn.com.au) has been compromised and injected with malicious code. The malicious code was identified to be part of the Gumblar mass injections, and the injected code is hidden deep within the ninemsn ad engine, served on request. The injected code leads to a site that has also been compromised by Gumblar. The compromised code is hidden specifically within the "Women's Weekly" banner script. Other ad banners are not affected.

    Screenshot of the Web site:

    Screenshot of the ad element:

    At this time, the malicious code isn't available or reachable, but this could change at any time. An interesting implication is that this ad can be dynamically served on multiple Web pages within ninemsn. This is unlike a typical injection where Web sites are compromised in a single static page; in this case, the infected banner ad can be pulled to various locations within the site, serving its malicious purpose silently.

    Ninemsn, a joint venture between PBL Media and Microsoft, is one of the most visited portal Web sites (Alexa traffic rank 573) delivering online and mobile content, news, information, entertainment, and social networking capabilities.

    We contacted Microsoft when we discovered the attack and the ad banner has now been removed from the ninemsn support Web site.

    Websense® Messaging and Websense Web Security customers are protected against this attack.


This site is independent of all its sources
The contents of the site are sourced from across the industry. All copyrights are acknowledged.