Evolution of the CookieBomb toolkit

An ongoing, large-scale injection campaign has been raging for the
last 6 months. This campaign utilises a toolkit, dubbed CookieBomb (due
to its signature use of cookies), which is fascinating not only in its
apathy toward a particular platform, but also the code used in the
injections, and way in which it has evolved to escape and evade
traditional AV platforms and structures. This blog will:

  • describe the evolution of not only the raw code involved in these
    attacks, but also the delivery mechanisms with which users are lured to
    infected, or outright malicious, pages
  • implicitly highlight the interaction between, and quid pro quo nature of, major threat-actors within the malware ecosphere
  • describe the use of session Cookies and the etymology of the toolkit name: CookieBomb
  • outline the use of CookieBomb to drive traffic toward EK infrastructure, directly or via TDS systems
  • cover the migration from  BHEK to competing EKs in light of the BHEK author’s arrest
  • detail the point at which the campaign forked into two distinct entities

…(read more)

PHP.net compromised, serving up obfuscated content

The Websense® ThreatSeeker® Intelligence Cloud has alerted us regarding content deployed on the web developer’s web site hxxp://php.net/.

Internet users may know that Google Safe Browsing has also alerted users to a possible infection or compromise of php.net, a site currently ranked 220 on the Alexa ranking system. A member of Google’s staff has posted on a number of forums (examples here and here) to confirm that this is, in fact, a true positive, as confirmed by our telemetry. Members of the same forums quickly compared versions of the script, identifying the following code as appended to at least 4 .js scripts within the hxxp://php.net/ domain:



The following screen shot shows the decoded obfuscation:


When we look at the resulting JavaScript, we can identify a URL in the .uk TLD space:

The iFrame source was hosted on a VPS owned by hxxp://webfusion.co.uk/, which should be applauded for swiftly taking the site down, soon after this compromise came to light. Before the takedown, the URL returned one of two types of content: a basic plugin detection script, or the simple string “not ready”, as shown below:


The code was served just once per IP and was dependent upon correct Referer and UA strings.


The ultimate goal of this injection was to redirect users to the Magnitude Exploit Kit (MEK), which attempts to exploit Adobe and Java platforms, among others, in order to serve up generic Ransomware.


Websense customers were, as always, protected against this type of attack by ACE™, our Advanced Classification Engine

Of the 7 Stages of Advanced Threats, Websense offered protection at the following stages:

  • Redirection stage
  • Exploit Kits stage
  • Command and Control URLs


Update (at the time of this blog posting): The malicious code has been removed from hxxp://php.net/.

Twitter Adopt 2FA; Here Is What You Can Do

In the wake of recent account compromises, including Associated Press and the rampant breaches orchestrated by the “Syrian Electronic Army“, Twitter have recently released
2FA (2 Factor Authentication), which is a most welcome addition to
bolster users’ security. It is not, however, the be-all and end-all:
users are still responsible for choosing strong, hard-to-guess
passwords. If your password is compromised, control of your account may
be lost to malicious actors.


While it’s true that, given enough time and resources, all passwords
are crackable regardless of their complexity – a pass-string of 200
random characters is ultimately just as vulnerable to brute forcing as a
password containing just one character – the aim of a complex
pass-string  is to make an attack chronologically infeasible. Let’s
first take a look at the total number of possible combinations for a
given base of elements:




…(read more)