Happy New Year and Unhappy New IE Zero-Day! (CVE-2012-4792)

First, welcome to 2013 and we trust that you had a happy holiday period. As is to be expected, holidays or not, there is no rest for the wicked (be that attacker or defender) and therefore we kick off our 2013 blog with details of CVE-2012-4792, an Internet Explorer zero-day vulnerability.

The Websense® ThreatSeeker® Network has already detected this vulnerability being exploited in the wild. That is unsurprising given that a working exploit is publicly available as a Metasploit module, and it is likely that attacks will continue to gain traction.

Websense customers are protected from this threat by Websense ACE (Advanced Classification Engine).

The vulnerability, as recently announced in Microsoft Security Advisory 2794220, affects users of Microsoft Internet Explorer versions 6, 7, and 8 and could allow attackers to remotely execute code on vulnerable machines by simply having the victim visit a malicious website.

As seen countless times in the past, typical tactics for enticing victims to visit these malicious sites often include tricking them into clicking links in fake emails, or simply compromising legitimate websites to serve malicious payloads to their unsuspecting visitors.

This particular vulnerability is a use-after-free: Internet Explorer accesses an object in memory after it has been deleted or before it has been properly allocated. The resulting memory corruption can let an attacker run code of their choosing in the context of the current user, so a victim browsing with an administrator account hands over considerably more than one browsing with a standard user account.
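To make the vulnerability class concrete, here is an added, deliberately simplified model in C. It is not code from this post, from the Metasploit module, or from Internet Explorer, and the real object and code paths inside the browser are not reproduced; every type and function name is hypothetical. It models what the advisory describes: a reference-counted element whose first field is a method-table pointer (the layout of C++ objects with virtual methods), a tiny allocator that hands a freed slot straight back on the next same-sized request (real heaps do this often enough that exploits depend on it), and a second holder of the object that never took a reference. The vulnerable path frees the element while that stale pointer still exists, lets an attacker-sized allocation land in the same slot, and then dispatches through the stale pointer; the hardened path takes a reference for every holder so the object cannot be freed out from under anyone.

```c
#include <stdio.h>

/* Constructed model of a use-after-free with vtable hijack (hypothetical
 * names; not Internet Explorer's objects). */

typedef struct Element Element;
typedef void (*on_click_fn)(Element *);

struct Element {
    const on_click_fn *vtable;   /* first field, like a C++ object with virtual methods */
    int refcount;
};

static int legit_calls, hijacked_calls;
static void legit_on_click(Element *e)    { (void)e; legit_calls++; }
static void attacker_on_click(Element *e) { (void)e; hijacked_calls++; }
static const on_click_fn legit_vtable[]    = { legit_on_click };
static const on_click_fn attacker_vtable[] = { attacker_on_click };

/* Fixed-size slab with LIFO reuse: free a slot, allocate again, get the
 * same address back. This is the allocator behaviour exploits count on. */
#define SLOTS 4
static Element slab[SLOTS];
static Element *free_list[SLOTS];
static int free_top, next_fresh;

static Element *slab_alloc(void) {
    if (free_top > 0) return free_list[--free_top];
    if (next_fresh < SLOTS) return &slab[next_fresh++];
    return NULL;
}
static void slab_free(Element *e) { free_list[free_top++] = e; }

static void reset(void) {
    free_top = next_fresh = 0;
    legit_calls = hijacked_calls = 0;
}

static Element *element_create(void) {
    Element *e = slab_alloc();
    e->vtable = legit_vtable;
    e->refcount = 1;
    return e;
}
static void element_release(Element *e) {
    if (--e->refcount == 0) slab_free(e);   /* last holder gone: memory returned */
}

/* Vulnerable pattern: a second holder keeps a raw copy of the pointer without
 * taking a reference. When the owner releases the element (think of script
 * removing it from the document), the slot is freed while the raw copy lives
 * on. An attacker-controlled allocation of the same size then reuses the slot
 * and overwrites the first field, and the stale pointer dispatches through it. */
int dispatch_vulnerable(void) {
    reset();
    Element *button = element_create();
    Element *cached = button;          /* raw pointer, no AddRef */

    element_release(button);           /* refcount hits 0, slot freed */

    Element *spray = slab_alloc();     /* same-sized allocation reuses the slot */
    spray->vtable = attacker_vtable;   /* controlled data where the vtable pointer was */

    cached->vtable[0](cached);         /* use after free: lands in attacker_on_click */
    return hijacked_calls;             /* 1 */
}

/* Hardened pattern: every holder takes a reference, so the object stays alive
 * until the last holder lets go and the attacker's allocation gets a fresh slot. */
int dispatch_fixed(void) {
    reset();
    Element *button = element_create();
    Element *cached = button;
    cached->refcount++;                /* AddRef for the second holder */

    element_release(button);           /* refcount 1, nothing freed */

    Element *spray = slab_alloc();     /* different slot */
    spray->vtable = attacker_vtable;

    cached->vtable[0](cached);         /* still legit_on_click */
    element_release(cached);           /* now freed, no holders remain */
    return hijacked_calls;             /* 0 */
}

int main(void) {
    printf("vulnerable: attacker function ran %d time(s)\n", dispatch_vulnerable());
    printf("fixed:      attacker function ran %d time(s)\n", dispatch_fixed());
    return 0;
}
```

The point of the model is the ordering, not the specific objects: delete, reallocate with controlled contents, then dispatch through the stale pointer. Mitigations such as the Fix It, EMET or a patch each break one link in that chain; the reference-counting fix shown here removes the stale pointer altogether.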

At this time, Microsoft has not released a patch for this vulnerability, but it has provided an easy one-click ‘Fix It’ that mitigates it. Bear in mind that the Fix It is a workaround rather than a fix, so the proper update should still be applied as soon as it is released. Internet Explorer versions 9 and 10 are not affected.

Websense Security Labs™ are continuing to monitor this situation and, as a member of the Microsoft Active Protection Program (MAPP), are working with Microsoft in order to provide the best protection to our customers.

Update:

Microsoft has issued an out-of-band update (MS13-008) for CVE-2012-4792, which you can read about here.

Sharing the Experience of Deobfuscating a Trojan

Thanks to the Websense® ThreatSeeker® Network, we discovered another interesting case involving a malicious Web Trojan and analyzed it. Let’s share our deobfuscation experience. The first step was to identify the location of the mali…

Our Take on Blitzkrieg

At Websense® Security Labs™, we get many questions from our customers and partners about attacks. We’re asked about the details of big attacks, obscure attacks, and, of course, targeted attacks. There has been quite a bit of noise around an attack being dubbed “project Blitzkrieg,” which is targeting banks. The attack is said to be the brainchild of a Russian hacker in an underground forum. This hacker has called upon others in the forum to aid in attacking banks by siphoning large amounts of money out of them using a special Trojan dubbed “Prinimalka.”

Security Labs uses Websense ACE (Advanced Classification Engine) to classify the Prinimalka malware family, and, thanks to the Websense ThreatSeeker® Network, is also monitoring its spread as part of “project Blitzkrieg.” So far, few instances of the Prinimalka infection are being seen. We’re a little skeptical that Blitzkrieg will live up to the current hype, because it’s pretty rare for a successful attack to be pre-announced months ahead of time. Although the broad class of targeted attacks like this continues to be a growing concern, it’s far more likely that this specific attack, if spread further, will take an altogether different form.  

‘Jacked Frost’ Facebook Scam Goes Wild and Doubles Over the Weekend

Last week we wrote a blog about a specific Facebook scam that appeared to spread rather aggressively. We have decided to nickname the scam “Jacked Frost”. The Websense® ThreatSeeker™ network detected that the scam increased and multiplied over the weekend, particularly on Saturday, when we saw the number of unique URLs related to this scam double. This shows how cyber crooks time their attacks for periods when users are more relaxed and the security community is less likely to alert them to this type of threat.

…(read more)

Christmas-Themed Facebook Scams: How Cybercrooks Kick it up a Notch and Piggyback on Big Brands

From time to time the Websense® ThreatSeeker™ Network detects high volume surges of badness rolling across Facebook. In the past 48 hours we’ve seen a rapid increase of a particular scam campaign that has aggressively spread through the world’s largest social networking site. 

With the holiday shopping season here, it appears that cyber crooks are going full throttle to attract Christmas shoppers by piggybacking on the reputation of well-known brands like Walmart, Asda, Visa, Best Buy, Apple, and more. In the attack that we’re about to describe, it appears that user accounts belonging to the free DNS service freedns.afraid.org were compromised and used as part of the cyber criminals’ scam infrastructure. Read on for details.

…(read more)

Pak Hack Attack: Pastebin Reveals Attacks

Websense® researchers monitor sites like Pastebin, Facebook, Twitter, Blogspot and others to keep our finger on the pulse of hacking and other malicious activities. Pastebin, in particular, has become a popular place for hackers to show off their latest exploits. 

Our researchers recently observed a significant increase in malicious links posted to Pastebin:

On Tuesday, November 20, we detected a spike in compromised URLs posted to the site. A Pastebin user named “PCA-Master” was responsible for posting 572 of these compromised URLs.

Each compromised URL showed a similar pattern:

These hosts were defaced with images like this:

In all cases, Websense customers were protected by the real-time analytics offered by Websense solutions.

According to its FAQ, “Pastebin.com is a website where you can store text for a certain period of time. The website is mainly used by programmers to store pieces of sources code or configuration information, but anyone is more than welcome to paste any type of text.”

Despite its Acceptable Use Policy that specifically prohibits posting email lists, login details, password lists and personal information (among other items), all of these are routinely posted to Pastebin.

The “Pakistan Cyber Army” has been around for some time and regularly compromises large numbers of hosts in various countries, including many Indian websites, especially government sites. According to the Pakistan Cyber Army site:

“Pakistan Cyber Army is not a hacking or cracking group or anything illegal to be, Pakistan Cyber Army is a symbol of all the Pakistani Security Experts who wanted to safeguard Pakistan Cyber Space from hacking attacks […] We mastered it and now we are here to announce that we are no longer blackhats, there was a time when we used to be but only for our country safeguard and our nation pride.”

Pakistan Cyber Army images have recently plastered sites in many countries. According to HackRead, a website with news about hacking, most of the affected sites belonged to “small and local businesses, such as banks, chemical factories, TV channels, online gaming and automotive industry etc.”

While hackers pose a serious problem for many organizations, on a lighter note, students from HaBetzefer, an Israeli school of advertising and art, and ad agency McCann Digital Israel have produced a campaign called “If you can’t fight them, redesign them” to combat the plague of what students are calling “uninspired designs each time: black background, grotesque low-res images and unbearable amounts of text.” One of the traits associated with hackers is their lack of style, as evidenced by the Pakistan Cyber Army’s hack page.

The students sent cheerful redesigned hack pages back to hacker groups with the friendly message, “We would like to end all cyberwars, but in the meantime — if you must hack our sites, at least leave something beautiful.” So far, none of the hackers has taken them up on the offer, but it’s clearly their loss: