Web Analyzer goes free

After some consideration I have decided to make the online Web Analyzer tool free. Development stopped over a year ago, but the tool is still useful. A link to the tool is found on the right-hand side at arbi.se. Some minor modifications may occur, and there is a loose plan to hook it up to …

Fifty shades of open source

To many, open source is black and white — software is either open or not. Jack Wallen sees the new world order in shades of gray and begs the open source community to be more open in their attitude.


The Hunt for Red October

“Red October” in the title of Tom Clancy’s bestselling novel referred to a Soviet submarine whose silent propulsion system made it undetectable to sonar. It’s a fitting name for the sophisticated cyber-espionage network that has recently been identified after collecting high-level data from governments, embassies and diplomatic networks, energy companies, and other sensitive systems for at least five years.

 

Red October begins as a series of spear phishing attacks with highly personalized emails for specific targets.  These emails include both malicious and “clean” Microsoft® Office attachments, and the attack proceeds as follows:

 

•    The unsuspecting user receives an email with an attached Microsoft Office file and opens the file.
•    The exploit drops and launches two files: a clean Microsoft Word or Microsoft Excel file and a malicious .EXE.
•    Microsoft Word or Microsoft Excel then crashes and exits while the malicious .EXE launches along with the clean document, so the user sees nothing amiss.
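The sequence above leaves a recognizable trace in process-creation telemetry. The following detection sketch is an added example, not code from the original post or from Websense; the event fields (`t`, `host`, `parent`, `image`, `cmdline`), the file paths and the 10-second window are assumptions, and the sample events are constructed.

```python
import ntpath

OFFICE = {"winword.exe", "excel.exe"}
DOC_EXT = (".doc", ".docx", ".xls", ".xlsx", ".rtf")

def base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()

def find_dropper_chains(events, window=10):
    """Flag Office spawning a non-Office .exe; raise severity when Office is
    relaunched on a document on the same host within `window` seconds."""
    events = sorted(events, key=lambda e: e["t"])
    alerts = []
    for i, ev in enumerate(events):
        child = base(ev["image"])
        if base(ev["parent"]) not in OFFICE or child in OFFICE or not child.endswith(".exe"):
            continue
        decoy = None
        for later in events[i + 1:]:
            if later["t"] - ev["t"] > window:
                break
            opens_doc = later["cmdline"].lower().rstrip('"').endswith(DOC_EXT)
            if later["host"] == ev["host"] and base(later["image"]) in OFFICE and opens_doc:
                decoy = later["cmdline"]
                break
        alerts.append({"host": ev["host"], "dropped": ev["image"], "decoy": decoy,
                       "severity": "high" if decoy else "medium"})
    return alerts

WORD = r"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE"
EXCEL = r"C:\Program Files\Microsoft Office\Office12\EXCEL.EXE"
DROP = r"C:\Users\a\AppData\Local\Temp\svchost.exe"
# Constructed process-creation events (not taken from a real incident).
EVENTS = [
    {"t": 100, "host": "ws1", "parent": "outlook.exe", "image": WORD,
     "cmdline": r'WINWORD.EXE "C:\Users\a\AppData\Local\Temp\invite.doc"'},
    {"t": 103, "host": "ws1", "parent": WORD, "image": DROP, "cmdline": DROP},
    {"t": 104, "host": "ws1", "parent": DROP, "image": WORD,
     "cmdline": r'WINWORD.EXE "C:\Users\a\AppData\Local\Temp\invite_clean.doc"'},
    {"t": 500, "host": "ws2", "parent": "explorer.exe", "image": EXCEL,
     "cmdline": r'EXCEL.EXE "C:\Users\b\Documents\budget.xls"'},
]

if __name__ == "__main__":
    for alert in find_dropper_chains(EVENTS):
        print(alert)
```

An Office process that spawns an executable and is not followed by a document relaunch is still reported, at medium severity, because the decoy step may fall outside the window or go unlogged.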

 

 

 

Java is another attack vector in the spear phishing campaign.  As with the Office based attack described above, Red October sends a spear phish email containing a link that loads a malicious Java applet when opened.

 

All known related C&C IPs and domains associated with the Red October attack are classified as “Bot Networks”. Websense® ThreatScope™ helps protect our customers by identifying all of the embedded files as Malicious, as shown in the following reports:


ThreatScope Report on Dropped File 1

ThreatScope Report on Dropped File 2

ThreatScope Report on Dropped File 3

 

The following CVEs are reported to have been used as part of the Red October spear phishing attacks:

•    CVE-2009-3129 (Excel)
•    CVE-2010-3333 (Word)
•    CVE-2012-0158 (Word)
•    CVE-2011-3544 (Java)

 

Targeted attacks like Red October lower a victim’s guard by appealing to his or her interests. This social engineering aspect is what makes such attacks so successful. Therefore, it’s essential to remain vigilant when opening emails with attachments or links, especially if they are unsolicited.

 

Websense customers are protected by Websense ACE (Advanced Classification Engine), and we will continue to monitor this and other evolving security threats.

New Java Zero Day Used In Exploit Kits

Websense Security Labs™ is following reports that a new Java zero day vulnerability (CVE-2013-0422) is being exploited in the wild by exploit kits. Early this morning, a researcher who goes by the handle Kafeine disclosed that he has started seeing exploits of a new Java vulnerability appearing in multiple exploit kits in the wild. Following up on his post, we have confirmed that we are protecting against the landing pages of these exploit kits with Websense ACE (Advanced Classification Engine) technology.  The landing page is the first thing that loads in an exploit-kit-based attack. It’s used to scan clients for vulnerabilities and send the appropriate exploits. This is one of the seven stages of an attack that you can read about here. The kits identified as using this zero day code so far are Cool Exploit Kit, Blackhole Exploit Kit, Red Kit, and Nuclear Exploit Pack.

 


The fact that exploits of this vulnerability were found in the wild and in exploit kits is huge. It’s common knowledge that exploit kit developers don’t typically write exploits on their own. In fact, exploit kit authors typically copy and paste code to include exploits in their packs. Since this exploit is already in exploit kits, it could spread very rapidly to other kit authors who are anxious to get a zero day in their code.  A zero day in exploit kits means a higher success rate for “loads” of malicious binaries, and therefore adds lots of value to the kit. Because this vulnerability is in Java, there’s also a possibility that it could be applied to client platforms like Mac OS and Linux, as well as Windows.

 

This makes two web-based vulnerabilities in the wild in less than a month. It’s a dangerous time to be on the web. We strongly recommend removing Java from client computers. If that’s impossible due to proprietary applications, please use a separate browser with Java enabled for required applications only. Your everyday browser can handle web surfing just fine without Java enabled. As for the current IE zero day, there is a “Fix It” solution available from Microsoft; however, keep in mind that a Fix It solution isn’t going to be as strong as a full patch.

 

Update:

Oracle has pushed out an update for the Java vulnerability which is available here.

Microsoft has also published an out-of-band patch for CVE-2012-4792, which you can read more about here.

Fraudulent e-Commerce Websites Exploit the Post-New Year’s Day Sales Drive

As we welcome the New Year, we must be aware that the bad guys will use every opportunity to exploit events of a positive and negative nature. Yes, even the recent disastrous weather experienced on the east coast of the United States was exploited to try and obtain valuable information that could be used for identity and monetary theft from grief-stricken or worried families and friends.

 

The New Year and its first month bring with them the familiar drive of businesses trying to clear stock, slashing prices to entice us to part with our money and to snap up a bargain in the process. Our desire for a great bargain is something not unknown to the bad guys – they are very aware that we might just be tempted to go for that seemingly ‘too good to be true’ bargain. The associated costs to fraudulent websites are minimal compared to the numbers game the bad guys play; they cast a wide net and you may be the catch of the day.

 

 

Let us explore this further through an example. A Swarovski (the brand name of a popular crystal jewelry manufacturer) fraudulent site was detected by the Websense® ThreatSeeker® network. The site hxxp://www.swarovskisale.co/ purports to be selling discounted Swarovski jewelry. The first indicator that something may not be all that it seems is the Top Level Domain, .co. Proving popular among the bad guys due to its lexical relationship to the .com TLD, the .co TLD is assigned to Colombia.

 

The policies regulating the registration of the .co TLD allow for all persons or entities with no domicile in Colombia to register a .co domain. We searched our Websense Security Labs™ database to see if this brand name was being abused; a number of results were returned. Further investigations of the registrants’ records revealed that a common thread among the results was that the sites are registered to a common entity.

 

The registration details appear to be random text, while the email address follows the theme seen here: louisvuitton563@hotmail.com. Using that information, a search of the Websense Whois DB revealed 1500+ websites following this pattern and/or including these same registration details.

 

 

Here are some examples:
mulberryorderonline.com
nikenfljerseyspro.com
nikenfloutlet.com
taschenlouisvuitton-de.info
uggbootssoutlettonline.com
prada-fr.info
abercrombies-fra.info
abercrombies-fre.info

 

At the time of writing this blog, the majority of the examples listed above were parked with GoDaddy and registered in October 2012. We can assume here that these sites will be used in the near future in spam or phishing campaigns.
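The registrant pivot described above (a brand-themed webmail address, then a Whois search for other domains sharing that address or the same registration details) can be sketched as follows. This is an added example, not Websense tooling: the record layout, the `freemail.example` provider, the `min_domains` threshold and every WHOIS record in `RECORDS` are constructed assumptions; only the brand names, `hotmail.com` and the address shape come from the post.

```python
import re
from collections import defaultdict

# Brand names seen in the domains and e-mail address quoted in the post.
BRANDS = ("swarovski", "louisvuitton", "mulberry", "nike", "ugg", "prada", "abercrombie")
# hotmail.com is from the post; freemail.example is a constructed placeholder.
FREEMAIL = ("hotmail.com", "freemail.example")
BRAND_MAIL = re.compile(r"^(%s)\d+@(%s)$" % ("|".join(BRANDS), "|".join(map(re.escape, FREEMAIL))))

def brand_themed(email):
    """True for addresses shaped like <brand><digits>@<free webmail>."""
    return BRAND_MAIL.match(email.strip().lower()) is not None

def brands_in(domain):
    """Brand names embedded in a domain (coarse substring match, hyphens ignored)."""
    name = domain.lower().replace("-", "")
    return sorted(b for b in BRANDS if b in name)

def pivot(records, min_domains=2):
    """Start from each brand-themed registrant e-mail and collect brand-squatting
    domains that share that e-mail or the same registrant name."""
    by_email = defaultdict(list)
    for rec in records:
        by_email[rec["email"].strip().lower()].append(rec)
    hits = {}
    for email, recs in by_email.items():
        if not brand_themed(email):
            continue
        names = {r["name"].strip().lower() for r in recs}
        related = [r for r in records
                   if r["email"].strip().lower() == email or r["name"].strip().lower() in names]
        squats = sorted({r["domain"].lower() for r in related if brands_in(r["domain"])})
        if len(squats) >= min_domains:
            hits[email] = squats
    return hits

# Constructed WHOIS records; none of these domains or addresses are from the post.
RECORDS = [
    {"domain": "prada-outlet-shop.example", "email": "prada20121@freemail.example", "name": "xkqj wplm"},
    {"domain": "nike-jerseys-sale.example", "email": "prada20121@freemail.example", "name": "xkqj wplm"},
    {"domain": "ugg-boots-cheap.example", "email": "mulberry77@freemail.example", "name": "XKQJ WPLM"},
    {"domain": "gardening-tips.example", "email": "alice@corp.example", "name": "Alice Example"},
    {"domain": "prada-fans.example", "email": "fan@corp.example", "name": "Fan Club"},
]

if __name__ == "__main__":
    for email, domains in pivot(RECORDS).items():
        print(email, "->", ", ".join(domains))
```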

 

In conclusion, the old adage of caveat emptor still applies even in the virtual shopping world. Be aware when online; if it sounds too good to be true it most probably is. Websense can help to protect you from these fraudulent sites. Security Labs researchers work constantly to conduct the type of research we have outlined here to protect our customers.

 

Author: Stephen Meyer.