
Phishing Alerts - WebSense

This is the Alert Rss Feed from Websense Security Labs

Malicious Web Site / Malicious Code: DNS cache poisoning attacks spotted in the wild

July 24, 2008 - 6:00pm
This is an update to our previous alert on the DNS cache poisoning attacks.

The previously embargoed details of a critical DNS cache poisoning flaw have been correctly deduced by third parties and are now public. In a webinar held just yesterday, Dan Kaminsky, the security researcher who discovered the flaw, confirmed that the details of the vulnerability had leaked.

More code to exploit this flaw has surfaced since our previous alert on this topic, and attacks have been spotted in the wild.

Major ISPs, including AT&T, Time Warner, and Bell Canada, have yet to respond to this threat, leaving millions of subscribers at risk. Microsoft has issued a formal security advisory; Apple, whose Mac OS X Server is susceptible, has yet to issue a statement.

Websense® Security Labs™ strongly recommends that customers running their own DNS servers patch immediately. Customers who rely on an upstream DNS provider are urged to contact their provider to confirm that this issue has been addressed properly.

References:

http://www.doxpara.com/?p=1185

http://securitylabs.websense.com/content/Alerts/3139.aspx

http://isc.sans.org/diary.html?storyid=4777

http://www.microsoft.com/technet/security/advisory/956187.mspx

http://db.tidbits.com/article/9706

http://www.theregister.co.uk/2008/07/25/isps_slow_to_patch/

http://permalink.gmane.org/gmane.linux.redhat.fedora.general/306278

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1447

http://www.kb.cert.org/vuls/id/800113

http://w.on24.com/r.htm?e=114268&s=1&k=638307695FF31ED953EF9EC0DF969C02L

http://www.caughq.org/exploits/CAU-EX-2008-0002.txt

http://milw0rm.com/exploits/6130

http://milw0rm.com/exploits/6123

 

Categories: Other News Sources

Malicious Web Site / Malicious Code: Multiple DNS implementations vulnerable to cache poisoning

July 22, 2008 - 6:00pm

Websense® Security Labs™ has been closely following US-CERT Vulnerability Note VU#800113, “Multiple DNS implementations vulnerable to cache poisoning”, originally announced on July 8, 2008. Many of the details of the vulnerability are being temporarily withheld by the researcher who discovered it, which has caused some confusion about its severity. Investigation by the security community has established that most existing DNS implementations share at least one serious weakness: a recursive resolver that sends its queries from a fixed source port leaves only the 16-bit transaction ID for an attacker to guess. The result is DNS cache poisoning, which lets an attacker redirect traffic for a victim domain to a destination under the attacker's control.

For complete protection, customers are advised to ensure their DNS implementations are resilient to this type of attack. Customers who do not run an internal DNS infrastructure should seek the cooperation of their upstream DNS provider, typically their ISP. Contact your DNS vendor to verify that source port randomization is enabled on your DNS servers; in many cases this requires applying a patch. Note that a firewall or NAT device in front of the resolver that rewrites outgoing source ports into a small or predictable range can undo the randomization even after the server itself is patched, so verify from the Internet-facing side.

At the time of this alert, an exploit targeting this flaw had been added to Metasploit, the free, publicly available open-source penetration testing framework.

The US-CERT advisory also makes several important “DNS best practices” recommendations. Please refer to the advisory for complete details: http://www.kb.cert.org/vuls/id/800113
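The July 24 update above and this alert boil down to one numeric point: with a fixed source port an attacker only has to guess the 16-bit transaction ID, and source port randomization multiplies the keyspace. The following Python is an added example written for this page, not code from Websense, US-CERT or any of the referenced vendors; it computes the attacker's cost in both cases and rates a sample of observed resolver source ports. The classification thresholds are assumptions, and the port samples are constructed.

```python
"""Why source-port randomization matters for VU#800113 / CVE-2008-1447, plus a
crude rating of a resolver's observed source ports. Added example; not code from
Websense, US-CERT or the vendors referenced above."""
import random
import statistics


def guess_probability(attempts: int, txid_bits: int = 16, port_bits: int = 0) -> float:
    """Chance that at least one of `attempts` forged replies matches the resolver's
    outstanding query. The attacker must hit the 16-bit transaction ID, plus
    `port_bits` of entropy when the resolver also randomizes its source port."""
    keyspace = 2 ** (txid_bits + port_bits)
    return 1.0 - (1.0 - 1.0 / keyspace) ** attempts


def expected_attempts(txid_bits: int = 16, port_bits: int = 0) -> int:
    """Mean number of forged replies before the first hit (geometric distribution).
    The 2008 technique restarts the race at will by querying fresh random names
    under the target zone, so this average is the real cost of the attack."""
    return 2 ** (txid_bits + port_bits)


def rate_source_ports(ports: list) -> str:
    """Rate a sample of the source ports a resolver used for outgoing queries.

    Heuristic thresholds are assumptions (loosely modelled on the public
    port-randomness testers of the time):
      * one fixed port, or ports stepping by a constant, is POOR: an attacker
        learns or predicts the port and is back to guessing 16 bits;
      * otherwise the population standard deviation decides: uniform choice over
        the ephemeral range spreads ports by many thousands, a tight cluster
        means the effective keyspace is far smaller than 2**16."""
    if len(ports) < 2:
        raise ValueError("need at least two observed ports")
    steps = {later - earlier for earlier, later in zip(ports, ports[1:])}
    if len(steps) == 1:          # fixed port (step 0) or constant stride: predictable
        return "POOR"
    return "GOOD" if statistics.pstdev(ports) > 3000 else "POOR"


if __name__ == "__main__":
    print("TXID only, expected forged replies:         ", expected_attempts(16, 0))
    print("TXID + random port, expected forged replies:", expected_attempts(16, 16))
    print("P(hit) after 65536 forged replies, TXID only: %.3f" % guess_probability(65536))
    rng = random.Random(2008)
    samples = {                                   # constructed observations
        "fixed port (unpatched)": [53] * 50,
        "sequential ports (predictable)": list(range(32768, 32818)),
        "random ephemeral ports (patched)": [rng.randrange(1024, 65536) for _ in range(50)],
    }
    for label, ports in samples.items():
        print(f"{label}: {rate_source_ports(ports)}")
```

In practice the ports come from a packet capture of the resolver's outgoing queries over a few hundred lookups, or from an online port test such as the one Kaminsky published at the doxpara link in the references above; capture on the Internet-facing side of any NAT, since a translating device can collapse a GOOD result to POOR.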

Categories: Other News Sources

Malicious Web Site / Malicious Code: New malicious Storm Worm campaign: American currency

July 21, 2008 - 6:00pm

Websense® Security Labs™ ThreatSeeker™ Network has discovered a new Storm Worm campaign around the theme of the U.S. credit crunch. We have detected a series of email subject lines used to entice users into downloading a Trojan. Here are a few examples of the subjects we have seen in this campaign:

  • The new currency is coming
  • Amero arrives
  • Amero currency Union is now the reality
  • The AMERO currency replacing the Dollar

We have previously seen the group behind the infamous Storm Worm use the tried and tested U.S. Independence Day theme and capitalize on global attention around fake World War III news.

Here is a screenshot of some of the newest spam messages:


Clicking the link in one of these messages directs users to a site laden with drive-by exploits served from a script file named ind.php. The use of this script file name has been constant throughout this campaign. In typical Storm Worm fashion, the infection success rate is highly dependent on the social engineering tactic employed, and so the malicious file in this campaign is appropriately named amero.exe.

Here is a screenshot of the templated malicious Web site:

Here is a screenshot of the malicious Web site's source:

Websense Messaging Security and Websense Web Security customers are protected against this attack.

Categories: Other News Sources

Informational Alert: Websense Security Labs First Half 2008 Report

July 15, 2008 - 6:00pm


If you think the trusted Web sites your employees are visiting are safe, think again. Attackers are increasingly targeting “trusted” Web sites with good reputations to circumvent traditional security measures and bypass much-hyped “reputation-based” systems, increasing attack effectiveness.

The latest Websense Security Labs™ research states that 75 percent of malicious Web sites are actually legitimate sites that have been compromised by attackers. This represents a dramatic increase of almost 50 percent in compromised sites—sites with seemingly good reputations—over the last six months.

Attackers are quickly changing their game—are you prepared?

Register today for an informative webcast featuring Stephan Chenette, Websense manager of security research, who will provide insightful details into the latest security trends and threats from the first half of 2008, including Web 2.0 security and new attack methods. Attendees will receive a complimentary research report prepared by the Websense Security Labs team as well as an overview of how Websense messaging security products now integrate the new discoveries about Web and reputation data to deliver effective protection from today's blended threats.

Join us for the Webcast
Live, Tuesday, July 29
9:00 AM PT

Websense Security Labs — 1H08 Report Highlights:
  • The pitfalls of relying on reputation alone
  • The rise in targeted Web 2.0 attacks
  • Spammers get sneaky with CAPTCHA-breaking software
  • Enhancements to the ThreatSeeker™ Network

Categories: Other News Sources

Malicious Web Site / Malicious Code: Storm Worm update: Fake news on World War III

July 8, 2008 - 6:00pm

This is an update of our previous alert on the 4th of July Storm Worm outbreak.

Websense® Security Labs™ ThreatSeeker™ Network has discovered yet another peak in Storm Worm's spam campaign. This time the socially engineered messages announce the start of World War III, claiming that U.S. forces have just invaded Iran. The messages offer a video of this alleged drama.

Here is a screenshot of sampled spam messages:

The structure of the attack is similar to the 4th of July alert: initially, several exploits are delivered to the user's browser from a script file named ind.php. The names of the socially engineered executables in this attack are iran_occupation.exe and form.exe.

Here is a screenshot of the malicious Web site:

Here is a screenshot of the malicious Web site's source:

This discovery is also reported at:


Websense Messaging and Websense Web Security customers are protected against this attack.

Categories: Other News Sources

Malicious Web Site / Malicious Code: Latest Storm worm malicious campaign: US Independence Day

July 3, 2008 - 6:00pm
Websense® Security Labs™ ThreatSeeker™ Network has discovered a new Storm worm campaign emerging. To tie in with the 4th of July Independence Day celebrations in the US, we have detected a series of email subject lines around this theme to entice users into downloading a Trojan.

Shortly before this, we saw the group behind the infamous Storm worm use the tried and tested 'I love you' theme and then capitalize on the global attention around the Olympics to be held in Beijing.

Here are some samples:

Clicking the link in the email directs the user to a site laden with drive-by exploits served from a script file named ind.php. The use of this script file name has been constant throughout this campaign. In typical Storm worm fashion, the infection success rate is highly dependent on the social engineering tactic employed, and so the malicious file is appropriately named fireworks.exe.

Screenshot of malicious web site:

Here are a few examples of the varied subjects we have seen in this campaign:

Amazing firework 2008
America for You and Me
Celebrate Independence
Happy Fourth of July
Light up the sky
Stars and Strips forever
Super 4th!

Websense Messaging and Websense Web Security customers are protected against this attack.
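The three Storm worm alerts on this page (July 21, July 8, and this one) describe the same two-step pattern: a landing script named ind.php that serves browser exploits, followed by an executable download (amero.exe, iran_occupation.exe, form.exe, fireworks.exe) from the same host. The following Python, an added example rather than Websense's own detection logic, correlates a proxy log on that sequence per client and additionally flags disguised double-extension names such as the presentacion.mov.exe lure described in the June 19 alert further down the page. The log format, hostnames, client addresses and the 120-second window are constructed assumptions.

```python
"""Proxy-log correlation for the Storm worm drive-by pattern: a landing script
(ind.php) followed by an executable download from the same host, plus a check
for disguised double extensions. Added example; log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample log: "<ISO time> <client ip> <method> <url> <status>".
# Hostnames and addresses are placeholders, not the campaign's real infrastructure.
SAMPLE_LOG = """\
2008-07-03T14:02:11 10.0.0.7 GET http://lure.example.net/ind.php 200
2008-07-03T14:02:14 10.0.0.7 GET http://lure.example.net/fireworks.exe 200
2008-07-03T14:05:00 10.0.0.9 GET http://www.example.com/index.php 200
2008-07-03T14:05:03 10.0.0.9 GET http://dl.example.com/setup.exe 200
2008-07-03T14:20:30 10.0.0.12 GET http://lure.example.net/ind.php 200
2008-07-03T14:30:31 10.0.0.12 GET http://lure.example.net/fireworks.exe 200
2008-07-03T15:01:00 10.0.0.15 GET http://media.example.org/presentacion.mov.exe 200
"""

LANDING_SCRIPTS = {"ind.php"}               # script name named in the July 2008 alerts
EXECUTABLE_EXTS = (".exe", ".scr", ".pif")
WINDOW = timedelta(seconds=120)             # assumed gap between landing page and payload

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    u = urlsplit(url)
    return {"time": datetime.fromisoformat(ts), "client": client,
            "host": (u.hostname or "").lower(), "path": u.path, "status": int(status)}


def is_disguised_executable(path):
    """'.mov.exe'-style names: a media/document extension placed right before the
    real one, relying on Windows hiding the final extension."""
    name = path.rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    return len(parts) >= 3 and "." + parts[-1] in EXECUTABLE_EXTS


def find_drive_by_chains(log_text):
    """Return (client, host, filename, reason) tuples for each suspicious download."""
    findings = []
    last_landing = defaultdict(dict)   # client -> host -> time of last landing-script hit
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:
            continue
        name = rec["path"].rsplit("/", 1)[-1].lower()
        if name in LANDING_SCRIPTS:
            last_landing[rec["client"]][rec["host"]] = rec["time"]
            continue
        if name.endswith(EXECUTABLE_EXTS):
            t0 = last_landing[rec["client"]].get(rec["host"])
            if t0 is not None and rec["time"] - t0 <= WINDOW:
                findings.append((rec["client"], rec["host"], name,
                                 "landing-script then executable"))
            elif is_disguised_executable(name):
                findings.append((rec["client"], rec["host"], name,
                                 "disguised double extension"))
    return findings


if __name__ == "__main__":
    for finding in find_drive_by_chains(SAMPLE_LOG):
        print(finding)
```

The window is deliberately short: the drive-by and the social-engineering download happen within seconds of the landing page, while an executable fetched ten minutes later from the same host (the 10.0.0.12 lines) is left for a separate, noisier rule.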

Categories: Other News Sources

Malicious Web Site / Malicious Code: Malicious spam with news on Osama Bin Laden

July 3, 2008 - 6:00pm

Websense® Security Labs™ ThreatSeeker™ Network has discovered a substantial number of spam messages utilizing a social engineering tactic that lures users to download malicious software.

It is interesting to observe how quickly spammers react to the latest major online news, capitalizing on these events to achieve better success rates with their social engineering tactics. The recent media coverage discussing Osama Bin Laden seems to have prompted spammers to quickly recycle an old spam campaign.

The intercepted emails typically look like the following:


The messages include a link to a compromised site that contains obfuscated JavaScript which tries to exploit a rather old vulnerability in Microsoft Data Access Components (MDAC). Here is part of the de-obfuscated exploit code:


Whether the exploit succeeds or fails, the visitor is then redirected to a page showing a fake security warning that urges users to download anti-spyware tools to repair their system. Spammers commonly use this tactic to push rogue applications. In this particular example, the malicious file installs itself as a service on the system.

Screenshot 1:

Screenshot 2:

We have seen the same malicious executable used across different spam campaigns bearing the following email subject lines:

Jennifer Aniston Interesting mp3!!!
Clara Morgane Shocking photo!!!
Kylie Minogue Interesting video without cowards!!!
Demi Moore New sexy songs!!!
Avril Lavigne Shocking porno dvd!!!
Nicole Richie Kick-up cd!!!
Beyonce Shocking sexy songs!!!
Keira Knightley Gallery photo!!!
Britney Spears Interesting cd!!!


Websense Messaging and Websense Web Security customers are protected against this attack.

Categories: Other News Sources

Malicious Web Site / Malicious code: Onslaught of fake Microsoft patch spam

June 29, 2008 - 6:00pm

Websense® Security Labs™ ThreatSeeker™ Network has discovered a substantial number of spam messages utilizing a reliable social engineering trick: an invitation to download what purports to be a Microsoft critical security update.

The intercepted emails typically look like the following:

The message uses an open redirect on the legitimate shopping site shopping.***.com; the redirect forwards users to a malicious URL that offers a malicious executable for download. The malicious hostname is 62 characters long and begins with the labels update.microsoft.com, so a casual reader sees Microsoft's update server; the registered domain, however, is an unrelated .net domain, and the Microsoft-looking prefix is merely a sub-domain of it. Users who run the file have their desktop infected with a backdoor.

Here is what the redirect looks like inside the spam messages: hXXp://shopping.***.com/go.nhn?url=hXXp%3A%2F%2Fupdate%2Emicrosoft%2Ecom%2E<removed>%2Enet

An interesting trait of this particular attack is that the registered (apex) domain of the malicious hostname, rather than the sub-domain that serves the payload, resolves to the government site of the United States Secret Service's Electronic Crimes Task Forces, in an apparent attempt to work around IP reputation-based systems.
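The lure above combines two tricks: an open redirect on a reputable shopping site, and a hostname that starts with update.microsoft.com but whose registered domain is an unrelated .net name. The following Python, an added example rather than Websense's own analysis code, unwraps such a link, decodes the redirect target, derives the registered domain and checks whether a trusted name is merely embedded as a sub-domain label. The sample link, its hostnames and the list of redirect parameter names are constructed assumptions, not the masked values from the alert.

```python
"""Unwrap an open-redirect lure and test whether the destination merely embeds
a trusted name as a sub-domain. Added example; hostnames are constructed."""
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed lure in the shape of the one quoted above (hXXp written as http).
SAMPLE_LURE = (
    "http://shopping.example.com/go.nhn?url="
    "http%3A%2F%2Fupdate%2Emicrosoft%2Ecom%2Eupdates-security-patch%2Eexample%2Enet%2Fupdate%2Eexe"
)

# Assumed: common query-parameter names used by open redirectors.
REDIRECT_PARAMS = ("url", "u", "redirect", "redir", "target", "goto", "dest", "to")
# Assumed allow-list of domains the lure impersonates.
TRUSTED_DOMAINS = {"microsoft.com"}


def registered_domain(host: str) -> str:
    """Crude apex: the last two labels. Adequate for .com/.net; a production
    check should use the Public Suffix List to handle co.uk and friends."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_redirect_target(link: str) -> Optional[str]:
    """Return the absolute URL carried in a redirect parameter, or None.
    parse_qs already percent-decodes once; a second unquote handles the
    double-encoded variants spammers use to slip past naive filters."""
    query = parse_qs(urlsplit(link).query)
    for name in REDIRECT_PARAMS:
        for value in query.get(name, []):
            target = unquote(value)
            if target.lower().startswith(("http://", "https://")):
                return target
    return None


def embeds_trusted_name(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True when a trusted domain appears as a whole label sequence inside a
    hostname whose registered domain is something else, e.g.
    update.microsoft.com.<anything>.net."""
    if registered_domain(host) in trusted:
        return False
    padded = f".{host.lower()}."
    return any(f".{t}." in padded for t in trusted)


def analyze_lure(link: str) -> dict:
    """Classify a link as 'no redirect', 'trusted', 'external' or 'impersonation'."""
    target = extract_redirect_target(link)
    if target is None:
        return {"redirect": False, "target": None, "host": None,
                "apex": None, "impersonation": False, "verdict": "no redirect"}
    host = urlsplit(target).hostname or ""
    apex = registered_domain(host)
    impersonation = embeds_trusted_name(host)
    if impersonation:
        verdict = "impersonation"
    elif apex in TRUSTED_DOMAINS:
        verdict = "trusted"
    else:
        verdict = "external"
    return {"redirect": True, "target": target, "host": host, "apex": apex,
            "host_length": len(host), "impersonation": impersonation, "verdict": verdict}


if __name__ == "__main__":
    for key, value in analyze_lure(SAMPLE_LURE).items():
        print(f"{key}: {value}")
```

The registered-domain step is what defeats the trick: a filter that only looks for the string "microsoft.com" anywhere in the host, or that trusts the reputation of the redirecting shopping site, passes this lure.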

We have detected email lures containing links to this site spreading rapidly through our Websense Hosted Email Security and Websense Email Security products.

It is important to add that Microsoft never distributes security updates by email; patches arrive through Windows Update and Microsoft Update, and any email that links to or attaches a patch executable is a lure.

Websense Messaging and Websense Web Security customers are protected against this attack.

Categories: Other News Sources

Malicious Web Site / Malicious Code: ICANN Web Site Compromise

June 26, 2008 - 6:00pm

Websense® Security Labs™ has received reports that the official web sites of ICANN and IANA have been hijacked by a Turkish group calling itself “NetDevilz”. ICANN and IANA are responsible for Internet Protocol (IP) address space allocation, protocol identifier assignment, generic (gTLD) and country-code top-level domain name system management, and root server system management. NetDevilz is the same group that has hijacked many other domains, listed in the Zone-H attack archive.

The ICANN and IANA web sites were defaced and left the following message: “You think that you control the domains but you don’t! Everybody knows wrong. We control the domains including ICANN! Don’t you believe us? haha :) (Lovable Turkish hackers group)”

Zone-H Archived Defacement.

The following domains were hijacked, and some of them still return the defaced pages - http://icann.***; http://icann.^^^; http://iana-servers.@@@; http://internetassignednumbersauthority.!!!; http://iana.&&&. These sites are redirecting visitors to http://atspace.%%%. So far, none of these DNS hijacks served any malware or live exploits.

References:
http://securitylabs.websense.com/content/Blogs/3118.aspx
http://ddanchev.blogspot.com/2008/06/icann-and-ianas-domain-names-hijacked.html


Websense Messaging and Websense Web Security customers are protected against this attack.

Categories: Other News Sources

Malicious Web Sites / Malicious Code: New spam trend: Spammers take advantage of high gas prices and credit crunch to advertise products and services

June 24, 2008 - 6:00pm

Websense® Security Labs™ ThreatSeeker™ Network has detected an increase in spam targeting the current economic factors.

The tough economic times are hard on consumers, but spammers have not skipped a beat. They are now using economic factors like high gas prices, the credit crunch and housing costs to advertise their products and services. Today the Websense® Security Labs™ ThreatSeeker™ Network is reporting an increase in spam surrounding these themes. Additionally, with a growing number of people facing foreclosure and other financial distress, Websense researchers are also noticing an uptick in solicitations for credit cards, credit reporting services, and debt consolidation services.

Scammers have long used "pump and dump" spam stock investment schemes which attempt to boost the price of a company's stock through false and misleading promotions or highly exaggerated statements. As a sign of the times, with the stock market down, Websense researchers have also noticed fewer and fewer of these campaigns.

Here is an example of spam advertising a product which claims to lower your gas costs:

Here is an example of spam advertising a credit score lookup service:

Here is an example of spam advertising a service to obtain more credit:

Here is an example of spam from the folks behind the Nigerian 419 fraud:

Categories: Other News Sources

Malicious Web Site / Malicious Code: iPhone 3G Email Lures for Latin America

June 19, 2008 - 6:00pm
Websense® Security Labs™ ThreatSeeker Network has detected a malicious email spam campaign that is targeting Latin America. The spam uses a social-engineering tactic that focuses on the hype around the upcoming Apple iPhone 3G launch, due for release in July.

Clicking the email's links for a "presentation" or for "more information" triggers the download of a Trojan, innocuously named "presentacion.mov.exe"; the double extension relies on Windows hiding the final .exe by default, so the file appears to be a QuickTime movie.

Email screen shot:



Websense Hosted Email Security and Websense Email Security have detected these malicious emails spreading rapidly.

Websense Messaging and Websense Web Security customers are protected against this attack.

Categories: Other News Sources

Malicious Web Site / Malicious Code: Catchy Malicious Spam Campaign On The Rise

June 19, 2008 - 6:00pm

Websense® Security Labs™ ThreatSeeker Network has discovered a new malicious spam social-engineering tactic that capitalizes on various high profile events/places/people to entice users into visiting a malicious Web site.

The emails are very short and contain a link to a malicious Web site. They use catchy subject lines to entice victims into opening the message; the body is a single line of socially engineered text intended to entice the user further. The subject and the body rarely have anything to do with each other.

Example Email:

Subject: Get star wars photo


Other example email subjects:

"Celtics Disqualified from NBA Title"
"Find out about Harry Potters last novel"
"Eiffel Tower damaged by massive earthquake"
"Osama Bin Laden caught finally"
"Latest Obama quits presidential race"

The URL in the emails always ends with /r.html, and the page imitates a free porn video site: its title is always “PornTube: best movies collection.” The site tries to get users to download and install a Trojan downloader named video.exe that claims to be an ActiveX object; a popup message prompts for installation, and clicking Cancel leaves the user in a loop that repeats the prompt. In addition to the social engineering, the page carries a hidden iframe pointing at a site in China that hosts exploit code, so a vulnerable browser can be infected without any click.
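Both this alert and the July 3 Osama Bin Laden alert above describe pages that combine self-decoding (obfuscated) JavaScript with a hidden iframe that fetches exploit code from a third-party host. The following Python is an added example, not Websense's scanner: it parses a page, gathers script text and iframes, and flags hidden off-site iframes and common obfuscation markers. The sample HTML, its hostnames and the scoring thresholds are constructed assumptions.

```python
"""Static triage of a fetched page for two traits named in the alerts above:
obfuscated script that decodes itself at run time, and a hidden iframe that
pulls content from another host. Added example; the HTML sample is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page; hostnames are placeholders, not the campaign's.
SAMPLE_HTML = """
<html><head><title>PornTube: best movies collection</title></head>
<body>
<script>
var s = "%3C%69%66%72%61%6D%65%20%73%72%63%3D"; document.write(unescape(s));
eval(String.fromCharCode(100,111,99,117,109,101,110,116));
</script>
<iframe src="http://exploit-host.example.cn/x.htm" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://www.example.com/ad" width="300" height="250"></iframe>
<div style="display:none"><iframe src="http://other.example.net/y.htm"></iframe></div>
</body></html>
"""

# Assumed markers: individually common, suspicious in combination with escape runs.
OBFUSCATION_MARKERS = ("unescape(", "String.fromCharCode(", "eval(", "document.write(")
HEX_ESCAPE_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}){8,}|(?:\\x[0-9A-Fa-f]{2}){8,}")


def _is_hidden(attrs):
    """An element is hidden if styled invisible or sized to at most one pixel."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        m = re.match(r"\d+", attrs.get(dim, ""))
        if m and int(m.group()) <= 1:
            return True
    return False


class PageTriage(HTMLParser):
    """Collects script text and iframe records, noting whether each iframe is
    hidden (by its own size/style or an invisible ancestor) and off-site."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self._stack = []          # (tag, hidden) for open elements
        self._hidden_depth = 0
        self._in_script = False
        self.script_text = []
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        hidden = _is_hidden(attrs)
        if tag == "iframe":
            src = attrs.get("src", "")
            host = (urlsplit(src).hostname or "").lower()
            self.iframes.append({"src": src,
                                 "hidden": hidden or self._hidden_depth > 0,
                                 "offsite": host != self.page_host})
        if tag == "script":
            self._in_script = True
        self._stack.append((tag, hidden))
        if hidden:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        if not any(open_tag == tag for open_tag, _ in self._stack):
            return                                   # stray end tag: ignore
        while self._stack:                           # pop back to the matching open tag
            open_tag, hidden = self._stack.pop()     # (tolerates unclosed void elements)
            if hidden:
                self._hidden_depth -= 1
            if open_tag == tag:
                break

    def handle_data(self, data):
        if self._in_script:
            self.script_text.append(data)


def triage(html, page_host):
    """Return obfuscation markers, escape runs, iframe records and a verdict."""
    parser = PageTriage(page_host)
    parser.feed(html)
    script = "".join(parser.script_text)
    markers = [m for m in OBFUSCATION_MARKERS if m in script]
    hex_runs = len(HEX_ESCAPE_RUN.findall(script))
    hidden_offsite = [f["src"] for f in parser.iframes if f["hidden"] and f["offsite"]]
    suspicious = bool(hidden_offsite) or (len(markers) >= 2 and hex_runs > 0)
    return {"obfuscation_markers": markers, "hex_escape_runs": hex_runs,
            "iframes": parser.iframes, "hidden_offsite_iframes": hidden_offsite,
            "verdict": "suspicious" if suspicious else "clean"}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HTML, "lure.example.net").items():
        print(f"{key}: {value}")
```

The ancestor check matters: the third iframe in the sample has no size or style of its own and is only hidden because it sits inside a display:none container, which a per-tag regex would miss.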

Screenshot of popups:

Websense Messaging and Websense Web Security customers are protected against this attack.

Categories: Other News Sources

Malicious Web Site / Malicious Code: Storm Worm tactic - Earthquake in China and upcoming Olympics

June 18, 2008 - 6:00pm
Websense® Security Labs™ ThreatSeeker Network has discovered a new Storm Worm social-engineering tactic, capitalizing on the recent global attention around two major events: the recent earthquake in China and the upcoming Olympics, also to be held in China.

These malicious sites claim that the upcoming Olympics in Beijing are "under the threat of failure" because of the recent earthquake in China, then trick visitors into clicking what looks like an embedded Flash video player but actually leads to the download of a malicious executable. Users who open this file have their desktop infected with a Trojan.

We have detected email lures containing links to these sites spreading rapidly through our Websense Hosted Email Security and Websense Email Security.

The US Computer Emergency Readiness Team (US-CERT) has also reported this on their web site: New Storm Worm Variant Spreading (June 19, 2008 at 11:23 am)

This is what the malicious page looks like:

Screenshot of the malicious web site's source code:

Here is a brief 5 min. video clip showing how we are handling this threat, including a sneak peek at ThreatSeeker with commentary from Websense CTO Dan Hubbard.

QuickTime .mov download (right-click, save as):

Websense Messaging and Websense Web Security customers are protected against this attack.

Categories: Other News Sources