While the world recoils in shock at the horrifying events at Monday’s Boston Marathon, cybercriminals are actively seeking to exploit people’s thirst for information and eagerness to help those affected by the attacks.
The Websense ThreatSeeker® Intelligence Cloud is currently detecting and blocking multiple email-borne campaigns that attempt to lure unsuspecting recipients to malicious websites in order to exploit their machines for criminal gains.
Let’s follow this campaign through the 7 Stages of Advanced Threats (as explained in our whitepaper) to see how cyber-criminals attempt to dupe and compromise users and their machines. We’ll also show that breaking any one link in the chain can protect potential victims.
Stage 1: Reconnaissance
This campaign, like many other topical or event-based campaigns, attempts to propagate as widely as possible, rather than being directed at specific individuals or organizations. Given this, those behind the nefarious campaign simply have to identify a news story with global appeal (in this case, Monday’s events), and then propagate their lure to as many people as possible.
Stage 2: Lure
Preying on human curiosity, in particular after a significant event, the lure is designed to get as many victims onto the hook as possible. In the email campaigns being monitored by Websense® Security Labs™, the email subjects have been designed to suggest that the message contains information or news regarding the events:
- 2 Explosions at Boston Marathon
- Aftermath to explosion at Boston Marathon
- Boston Explosion Caught on Video
- BREAKING – Boston Marathon Explosion
- Explosion at the Boston Marathon
- Explosions at Boston Marathon
- Explosions at the Boston Marathon
- Runner captures. Marathon Explosion
- Video of Explosion at the Boston Marathon
The message body itself, in most cases, contains a single URL in the format http://<IP Address>/news.html or http://<IP Address>/boston.html with no further detail or information. At this point, the recipient is lured to click on the malicious link, which ushers them on to stage 3.
Stage 3: Redirect
Having clicked the link, the unwitting victim is presented with a page containing YouTube videos of the horrific events (intentionally obscured below) while an iframe redirects them to an exploit page.
Stage 4: Exploit Kit
Based on an analysis of a sample set of the malicious URLs seen in this campaign so far, the RedKit Exploit Kit has been used to, in our case, exploit an Oracle Java 7 Security Manager Bypass vulnerability (CVE-2013-0422) in order to deliver a file onto our analysis machine.
Stage 5: Dropper File
Rather than using a dropper file, which contains the malicious code within itself and is often packed to prevent detection by antivirus signatures, this campaign uses a downloader belonging to the Win32/Waledac family, which is used to download further malicious binaries. In this case, two bots named Win32/Kelihos and Troj/Zbot are downloaded and installed on the compromised machine in order to join it to the cyber-criminals’ bot network.
Stage 6: Call Home / Stage 7: Data Theft
Once the compromised machine is under the control of the cyber-criminal, the bots call home, which allows remote commands to be issued and for data to be sent and received. Common abuses of a compromised machine include data collection and exfiltration, such as the theft of financial and personal information. Other abuses include the sending of unsolicited email or the unwilling participation in Distributed Denial of Service attacks.
Websense customers are protected by ACE™, our Advanced Classification Engine, against cyber threats of this nature. In addition to blocking lures at stage 2 before they reach end-users, access to malicious destinations throughout stages 3 through 6 is denied, which, combined with data loss controls to protect against stage 7, helps to ensure that your data stays where it belongs and not in the hands of an attacker.
Our thoughts are with the victims and their families at this time. While these cyber abuses are minor by comparison, users can help protect themselves by sourcing the news directly from reputable news agencies. Should you want to donate (be that blood to local hospitals or money to assisting organizations), be sure to visit official websites rather than following links that appear in your mailbox.
Thursday, April 18, 2013:
The campaign quickly evolved to match the latest news from the Texas fertilizer plant explosion.
The emails are similar, but use a texas.html path instead of boston.html.
Subject lines include:
- Texas Plant Explosion
- Raw: Texas Explosion Injures Dozens
- Texas Explosion Injures Dozens
- CAUGHT ON CAMERA: Fertilizer Plant Explosion
- Waco Explosion HD
- Video footage of Texas explosion
- Plant Explosion Near Waco, Texas
- West Tx Explosion
The lure pages have updated titles, but the rest is similar.
Websense Security Labs will continue to monitor this campaign.
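The lure pattern described above (a subject from the campaign list and a body that is nothing but a bare-IP URL to news.html, boston.html or texas.html) is easy to turn into a mail-gateway triage rule. The following is an added example, not Websense code; the subject set is a constructed subset of the lists in this post, and the sample message and its 192.0.2.10 address are constructed.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed subset of the subject lines quoted in this post (lower-cased).
CAMPAIGN_SUBJECTS = {
    "2 explosions at boston marathon",
    "boston explosion caught on video",
    "explosions at the boston marathon",
    "texas plant explosion",
    "west tx explosion",
}
# Paths seen in the Boston wave and the April 18 Texas follow-up.
CAMPAIGN_PATHS = {"/news.html", "/boston.html", "/texas.html"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def bare_ip_lure_urls(body: str) -> list[str]:
    """Return URLs whose host is a literal IP address and whose path is a campaign path."""
    hits = []
    for url in URL_RE.findall(body):
        parsed = urlparse(url.rstrip(".,;)"))
        try:
            ip_address(parsed.hostname or "")
        except ValueError:
            continue  # host is a DNS name, not the bare IP the campaign uses
        if parsed.path.lower() in CAMPAIGN_PATHS:
            hits.append(url)
    return hits


def triage(subject: str, body: str) -> list[str]:
    """Return the reasons (if any) a message matches the lure pattern; empty means no match."""
    reasons = []
    if subject.strip().lower() in CAMPAIGN_SUBJECTS:
        reasons.append("subject matches known campaign lure")
    urls = bare_ip_lure_urls(body)
    if urls:
        reasons.append(f"bare-IP lure URL: {urls[0]}")
        # The post notes the body usually contains the link and nothing else.
        if URL_RE.sub("", body).strip() == "":
            reasons.append("body consists solely of the lure URL")
    return reasons


# Constructed sample message; 192.0.2.0/24 is reserved documentation space.
SAMPLE_SUBJECT = "Explosions at the Boston Marathon"
SAMPLE_BODY = "http://192.0.2.10/boston.html"
```

Any non-empty result from triage is a candidate for quarantine, and the URL component alone (a literal IP host with one of these paths) is a useful web-proxy indicator independent of the subject line.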
As the world remembers former British Prime Minister Margaret Thatcher, cyber attackers are participating too, but in their own tricky ways. Websense® Security Labs™ and the Websense ThreatSeeker® Intelligence Cloud have detected that attackers are sending malicious email spam with a topic referencing the death of Mrs. Thatcher. Actually, it is not new for an attacker to use a hot topic (like the death of Hugo Chavez) to spread malware. In this case, the lure email is very simple, with just a few words related to Mrs. Thatcher, but it pretends to be from your friends by using the “Re: Fwd:” notation. Internet-savvy customers will know that it looks suspicious and should not be tempted to click the link in the email.
When recipients click the malicious link, they are taken to a redirection page first, and then redirected to a Blackhole Exploit Kit landing page. The landing page detects the browser and plugin information in the client, and then serves the vulnerability file based on the plugin information. The final payload is a Cridex trojan, as seen in our ThreatScope™ report and in the VirusTotal report here. Cridex is known for breaking CAPTCHA codes, and you can see this trojan in action on our previous blog here.
Server-side polymorphic technology has been applied to evade traditional AV detection.
It is not the first time we have seen the Blackhole malicious email campaign. It has evolved over time in combination with hot topics like the current crisis in Korea or major companies filing for bankruptcy. Please be careful about any email that contains one of the following subjects:
- Fwd: Dollar Bank bankruptcy
- Re: Shedding light on ‘dark matter’
- Re: Why Washington is corrupt
- Re: Kissinger: Thatcher’s strong beliefs
- Re: Tax havens busted
- Fwd: Re: First Citizens Bank bankruptcy
- Fwd: Re: Living large in Don Draper’s New York
- Fwd: Re: Kissinger: Thatcher’s strong beliefs
- Re: Fwd: California Bank & Trust bankruptcy
- Fwd: Re: Bank of America bankruptcy
- Fwd: Allowing knives on planes is ‘insane’
- Fwd: Re: War with N. Korea
- Fwd: Air Canada goes ‘Gangnam style’
- Fwd: Re: NASA plans to catch an asteroid
- Re: Fwd: Dollar Bank bankruptcy
- Fwd: Why Washington is corrupt
- Fwd: Blast kills 29 on bus in New-York
- Fwd: Shedding light on ‘dark matter’
- Fwd: Re: Marikana massacre aftermath
- Re: Fwd: Kissinger: Thatcher’s strong beliefs
- Fwd: Re: PNC Bank bankruptcy
- Re: Fwd: Bank Of The West bankruptcy
- Re: Fwd: M&I Bank bankruptcy
- Re: Bank Of The West bankruptcy
- Fwd: Bank Of The West bankruptcy
- Re: Fwd: PNC Bank bankruptcy
- Re: Bank of America bankruptcy
- Re: Fwd: War with N. Korea
- Re: California Bank & Trust bankruptcy
- Re: Blast kills 29 on bus in New-York
- Re: Fwd: Blast kills 29 on bus in New-York
- Re: Sending out SOS for ‘America’s flagship’
- Re: Fwd: Marikana massacre aftermath
- Re: Living large in Don Draper’s New York
- Re: War with N. Korea
- Fwd: Re: Death penalty ‘harms Bali’s reputation’
- Re: Fwd: Death penalty ‘harms Bali’s reputation’
- Re: PNC Bank bankruptcy
- Re: NASA plans to catch an asteroid
- Re: Northern Trust Bank bankruptcy
- Fwd: Tax havens busted
- Re: Fwd: Why Washington is corrupt
- Re: Fwd: Tax havens busted
- Fwd: M&I Bank bankruptcy
- Re: Fwd: Fashion designer Lilly Pulitzer dies
- Re: First Citizens Bank bankruptcy
- Re: Fwd: Shedding light on ‘dark matter’
- Re: Fwd: Living large in Don Draper’s New York
- Re: Fwd: Northern Trust Bank bankruptcy
- Fwd: Re: California Bank & Trust bankruptcy
- Re: Air Canada goes ‘Gangnam style’
- Re: Fashion designer Lilly Pulitzer dies
- Re: Dollar Bank bankruptcy
- Fwd: Sending out SOS for ‘America’s flagship’
Websense technologies can protect customers in a multi-stage attack:
- Websense email security blocks the malicious email.
- Our Advanced Classification Engine (ACE™) detects the malicious content both in redirection and in the exploit page with real-time intelligence.
- Vulnerability files and the payload trojan are detected by Websense Gateway products.
- Websense technologies can identify malicious droppers both statically and behaviorally (via Websense ThreatScope).