-
Malicious Web Site / Malicious Code: Orkut "Account Usage Notification" Malicious Spam
Websense® Security Labs™ ThreatSeeker™ Network has discovered a new malicious social-engineering spam campaign masquerading as official emails sent by Google's Web 2.0 social networking site, Orkut. Orkut is one of the most popular social networking sites in Latin America and the second most visited site in India. The email is spoofed to appear to come from the google.com domain. The fake notification advises the user that their account has been under investigation and will be terminated within 72 hours unless they click the hyperlink and follow the instructions given.
The predictions in Websense's 2008 Threat Predictions report have proven accurate. In our previous alerts we have seen spammers and malware authors switch tactics so that their attacks persist longer and succeed more often by evading antivirus vendors and content-learning technologies. This attack is another instance of those tactics, part of an ongoing trend of increasingly targeting Web 2.0 sites to carry out a wide range of attacks.
Screenshot of the message:

From the above screenshot, it can be seen that the links in the message actually lead to a malicious executable, a Trojan Downloader named "regulamento_orkut.exe" (SHA1: 8eb1366d580aeab38d00a5c32835006c3648b8f3).
This malicious executable has very low antivirus detection.
When run, the malicious executable downloads another malicious file, "fox.exe" (SHA1: 8e1df3d55a778550affea7c5216e58a55beaf979), from the same site. The file copies itself to multiple locations on the infected machine under different names. It also adds itself to startup and monitors browser activity with the intent of stealing user information.
While the malicious code is being downloaded, a browser window also pops up displaying objectionable material.
Screenshot showing "fox.exe" downloaded onto infected machine:

Screenshot showing user's machine infected:

Websense Messaging and Websense Web Security customers are protected against these threats.
-
Malicious Web Site / Malicious Code: Koobface Spreading Again on Facebook
Websense® Security Labs™ ThreatSeeker™ Network has discovered that the Koobface social networking worm is again spreading on Facebook. Our HoneyJax systems picked up the following email this morning:

The email reveals that infected user accounts are being used to post messages to Facebook friends lists. The content was an enticing message with a link that used a Facebook open redirector. When recipients click the link, they are automatically redirected multiple times, finally reaching a site masquerading as YouTube that serves a malicious Trojan downloader.
- The Facebook link directs to a malicious account hosted at Geocities.com.
- The malicious Geocities account includes an obfuscated JavaScript link to http://lost[REMOVED]/js/js.js, which goes to http://off3[REMOVED]/go/fb.php
- The .php file next redirects to either http://youtube-spyvi[REMOVED]/?schk=&keat= or http://youtube-x[REMOVED]/?ch=&ea=. These sites serve the malicious "flash_update.exe" (SHA1: 62689f89f1c5f6df10f4c7096772468d4c8e458a) file.
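As an added example, not from the original alert, this Python walks a redirect chain modelled on the one above and flags an open redirector on a trusted site, brand-lookalike hosts, and a chain that ends in an executable. The chain is a constructed offline table with placeholder .test hostnames, not the real hosts, which are redacted above.

```python
from urllib.parse import parse_qs, urlparse

# Constructed, offline stand-in for the hops observed above. Keys are URLs, values
# are where each one redirects (None = final response). Hostnames are placeholders
# in the .test TLD, not the real infrastructure.
HOPS = {
    "http://www.facebook.com/l.php?u=http://geocities-lure.test/page.html":
        "http://geocities-lure.test/page.html",
    "http://geocities-lure.test/page.html": "http://lost-js.test/js/js.js",
    "http://lost-js.test/js/js.js": "http://off3-redir.test/go/fb.php",
    "http://off3-redir.test/go/fb.php": "http://youtube-spyvi.test/?schk=&keat=",
    "http://youtube-spyvi.test/?schk=&keat=": "http://youtube-spyvi.test/flash_update.exe",
    "http://youtube-spyvi.test/flash_update.exe": None,
}
BRANDS = {"facebook.com", "youtube.com"}          # sites the lure impersonates
REDIRECT_PARAMS = {"u", "url", "next", "redirect", "goto"}  # typical open-redirector keys

def base_domain(host):
    return ".".join(host.split(".")[-2:])

def follow(url, resolver=HOPS, max_hops=10):
    """Walk the redirect chain and return (chain, findings)."""
    chain, findings = [url], []
    while resolver.get(url) is not None and len(chain) <= max_hops:
        url = resolver[url]
        if url in chain:
            findings.append("redirect loop")
            break
        chain.append(url)
    hosts = [urlparse(u).hostname or "" for u in chain]
    # 1. open redirector: a trusted site whose query parameter sends users elsewhere
    query = parse_qs(urlparse(chain[0]).query)
    for key in REDIRECT_PARAMS.intersection(query):
        target = urlparse(query[key][0]).hostname or ""
        if target and base_domain(target) != base_domain(hosts[0]):
            findings.append(f"open redirect on {hosts[0]} to {target}")
    # 2. hosts that carry a brand name without being that brand's domain
    for host in dict.fromkeys(hosts[1:]):
        for brand in BRANDS:
            if brand.split(".")[0] in host and base_domain(host) != brand:
                findings.append(f"lookalike host {host} imitates {brand}")
    # 3. long chains that end in an executable download
    if len(chain) > 3:
        findings.append(f"{len(chain) - 1} redirect hops")
    if urlparse(chain[-1]).path.lower().endswith(".exe"):
        findings.append(f"chain ends at executable {chain[-1]}")
    return chain, findings
```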
Screenshot of the malicious Web site serving the Trojan downloader:

Websense Messaging and Websense Web Security customers are protected against these threats.
-
Malicious Web Site / Malicious Code: US Presidential Malware - Barack Obama Interview Lure
Websense® Security Labs™ ThreatSeeker™ Network has discovered that malware authors are capitalizing on the recently announced results of the 2008 US Presidential election. Malicious email lures are being sent promising a video showing an interview with the advisors to the recently elected US President.
The email actually contains links to a file called 'BarackObama.exe' hosted on a compromised travel site at hxxp://*snip*.com/web/BarackObama.exe. This file is a Trojan Downloader with MD5 9720d70a5da9ca442ecf41e9269f5a27. Upon execution files called system.exe and firewall.exe are dropped into the system directory. A phishing kit is unpacked locally, and the dropped files are bound to startup. The hosts file is also modified.
Major anti-virus vendors are not detecting this Trojan Horse.
The malicious email:

The malicious application:

Websense Messaging and Websense Web Security customers are protected against these threats.
-
Malicious Web Site / Malicious Code: Facebook "added friend confirmation" Malicious Spam
Websense® Security Labs™ ThreatSeeker™ Network has discovered another round of malicious Facebook messages. This campaign is another social-engineering spam campaign that tries to visually trick users into believing the message is a legitimate added-friend confirmation. The "From" address in the message is spoofed to make it look as if it was sent from Facebook, and the links look like they lead to Facebook.
The predictions in Websense's 2008 Threat Predictions report have been borne out. In our previous alert, Facebook "add friend" Malicious Spam, we saw spammers including a malicious zip attachment that claimed to contain a picture, to entice the recipient to double-click on it. From a spammer's perspective, the likelihood of success decreases when antivirus software picks up the attachment. If antivirus software does not pick it up, content-learning technologies filter such messages and their attachments once a certain volume of similar messages has been received.
In order to maintain their attack over a longer time period with increased success rates, spammers have switched their tactics by including links to an external Web site. The use of external links in emails makes antivirus detection tougher, as not all antivirus software has the ability to scan or detect links included in email messages. Also, from a spammer's perspective, using links consisting of compromised ‘legitimate’ domains hosting malware as a lure increases the success rate, as this is more likely to bypass security filters that rely heavily on reputation services.
Websense Security Labs sees these tactics adopted by spammers and malware authors as an ongoing trend, increasingly targeting Web 2.0 sites to carry out a wide range of attacks.
Screenshot of the malicious Facebook message:
From the above screenshot, it can be seen that the links in the message actually lead to a malicious executable named "update.exe" (SHA1: a4dc17d1bcb191af75afedddf60aecbc2af2a37f).
This malicious executable has very low antivirus detection. When run, it steals data from its victim and establishes a connection to an IRC botnet.
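As an added example (not part of the original alert), the following Python checks a raw message for the two tricks described in this alert and the Orkut alert above: a From domain that does not match the envelope sender, and links whose visible text names one site while the href points to an executable elsewhere. The message is constructed and the hostnames in the .test TLD are placeholders.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed message modelled on the campaigns above: a spoofed From domain, anchor
# text that reads as facebook.com, and an href on another host ending in .exe.
SAMPLE = """\
Return-Path: <bounce@mailer.example.test>
From: "Facebook" <notification@facebook.com>
Subject: added friend confirmation
Content-Type: text/html

<p>You have a new friend. See the picture at
<a href="http://compromised-site.example.test/update.exe">http://www.facebook.com/photo</a></p>
"""

# href and visible text of each anchor (good enough for mail bodies; not a full HTML parser)
ANCHOR_RE = re.compile(r"<a\s[^>]*?href\s*=\s*['\"]([^'\"]+)['\"][^>]*>(.*?)</a>", re.S | re.I)

def domain_of(value):
    """Host part of a mailbox ('user@host') or of a URL, lower-cased."""
    if "://" not in value and "@" in value:
        return value.rsplit("@", 1)[1].lower()
    return (urlparse(value).hostname or "").lower()

def analyse(raw):
    """Return findings for one raw message: header spoofing and deceptive links."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"].addresses[0].addr_spec)
    ret_path = str(msg.get("Return-Path", "")).strip("<> ")
    if ret_path and domain_of(ret_path) != from_dom:
        findings.append(f"From claims {from_dom} but envelope sender is {domain_of(ret_path)}")
    html = msg.get_body(preferencelist=("html",))
    for href, text in ANCHOR_RE.findall(html.get_content() if html else ""):
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop tags nested inside the anchor
        if text.startswith("http") and domain_of(text) != domain_of(href):
            findings.append(f"link text shows {domain_of(text)} but goes to {domain_of(href)}")
        if urlparse(href).path.lower().endswith(".exe"):
            findings.append(f"link points at an executable: {href}")
    return findings
```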
Screenshot showing the packet capture from a machine infected with "update.exe":
Websense Messaging and Websense Web Security customers are protected against these threats.
-
Malicious Web Site / Malicious Code: Adobe Acrobat & Reader util.printf JavaScript Vulnerability
Websense® Security Labs™ has received reports of proof-of-concept (PoC) exploit code circulating in the wild that exploits a vulnerability in Adobe Reader 8.1.2 and Adobe Acrobat 8.1.2.
The flaw is a stack buffer overflow triggered when parsing specially crafted PDF files (CVE-2008-2992). Successful exploitation gives the attacker the same privileges on the desktop as the victim who opened the PDF file.
We urge customers to update to the latest version of Adobe Reader and Adobe Acrobat. We will continue to monitor the development of this threat.
Screenshot of the PoC exploit's shellcode in memory:
Screenshot of malicious JavaScript code used to spray the heap with the shellcode:
Screenshot of a call to the vulnerable function util.printf() to trigger the error:
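As an added example that is not part of the original alert, the following Python builds a minimal PDF around a constructed JavaScript stream and then scans it for the traits described here: automatic execution via /OpenAction, a heap-spray idiom, and a util.printf() call with an oversized width field (the CVE-2008-2992 pattern). The width value and spray strings are illustrative, not a working exploit, and the threshold of 1000 is an assumption.

```python
import re
import zlib

# Constructed JavaScript with the two traits the alert describes: a heap spray
# (unescape("%u...") grown in a loop) and util.printf() called with an oversized
# width field. The values are illustrative and this is not a working exploit.
SAMPLE_JS = (b'var s = unescape("%u9090%u9090");\n'
             b'while (s.length < 0x40000) s += s;\n'
             b'var m = new Array(); for (var i = 0; i < 200; i++) m[i] = s;\n'
             b'util.printf("%9999f", 1);\n')

def build_pdf(js):
    """Wrap JS in a minimal PDF: /OpenAction -> JavaScript action -> Flate stream."""
    body = zlib.compress(js)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
            b"3 0 obj << /Length " + str(len(body)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")

# A dictionary immediately followed by a stream; (?!>>) keeps it to one dictionary.
STREAM_RE = re.compile(rb"<<((?:(?!>>).)*)>>\s*stream\r?\n", re.S)
PRINTF_RE = re.compile(rb"util\.printf\s*\(\s*[\"']%[-+ 0#]*(\d+)")
SPRAY_RE = re.compile(rb"unescape\s*\(\s*[\"']%u.*?while\s*\(.*?\.length\s*<", re.S)

def scan_pdf(data, width_limit=1000):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    if b"/OpenAction" in data and b"/JavaScript" in data:
        findings.append("JavaScript runs automatically via /OpenAction")
    for m in STREAM_RE.finditer(data):
        head = m.group(1)
        length = re.search(rb"/Length\s+(\d+)", head)
        raw = data[m.end():m.end() + int(length.group(1))] if length else b""
        text = raw
        if b"/FlateDecode" in head:
            try:
                text = zlib.decompress(raw)
            except zlib.error:
                findings.append("FlateDecode stream that does not inflate")
                continue
        p = PRINTF_RE.search(text)
        if p and int(p.group(1)) >= width_limit:
            findings.append(f"util.printf width {p.group(1).decode()} (CVE-2008-2992 pattern)")
        if SPRAY_RE.search(text):
            findings.append("heap-spray idiom: unescape(%u..) grown in a while loop")
    return findings
```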
References:
Adobe Reader JavaScript printf Buffer Overflow (discovered by Core Security Technologies)
Security Update available for Adobe Reader 8 and Acrobat 8
-
Malicious Web Site / Malicious Code: U.S. Presidential Malware - Another Obama Lure
Websense® Security Labs™ ThreatSeeker™ Network has discovered further activity from malware authors using news of the U.S. Presidential campaign outcome as bait to lure users into executing malicious executables. So far we have seen over 25,000 emails pass through our systems that use the technique described below. In a very quick response to the outcome of the U.S. Presidential election, we have now seen both localized and globalized attacks.
The email offers news of Barack Obama's speech, recorded the day after the election results were published. Clicking on the link leads the user to a purposely registered domain which advises the user that they need to install the latest version of Adobe Flash Player before the video can be viewed. The malicious Web site actually links to a file called 'adobe_flash.exe' with MD5 47C86509A78DC1EDB42F2964BEA86306. This is a Trojan Downloader packed with ASPack. Upon execution, a rootkit is installed on the compromised machine, and data is sent to multiple command and control servers.
Screenshot of email lure:

Screenshot of malicious Web site:

Websense Messaging and Websense Web Security customers are protected against these threats.
-
Malicious Web Site / Malicious Code: Embassy of Brazil in India Site Compromise
Websense® Security Labs™ ThreatSeeker™ Network has discovered that the official Web site of the Embassy of Brazil in India has been compromised and is infecting site visitors with malicious code. The Web site has been injected with obfuscated JavaScript that redirects users to multiple fake anti-virus removal software sites. These sites deliver malicious code.
The Embassy’s services include: issuing emergency passports, immigrant and non-immigrant visas; notarization and attestation; cultural exchange; consultant services for commercial ventures; representation of Brazilian citizens in dealings with local authorities; assistance in emergencies; and providing necessary tourist and local information for the needy.
Screenshot of the infected site:
Screenshot showing the infected site's source:
Websense Messaging and Websense Web Security customers are protected against these threats.
-
Malicious Web Site / Malicious Code: ECPAT NZ INC Courtesy Site: Mass Injection
Websense® Security Labs™ ThreatSeeker™ Network has discovered that an ECPAT NZ INC courtesy site is infected with a mass JavaScript injection that delivers a malicious payload. Multiple pages on the site have been injected with code that attempts to deliver malicious payloads from 20 different hosts.
ECPAT is a global network of organizations and individuals working together for the elimination of child prostitution, child pornography, and the trafficking of children for sexual purposes. ECPAT NZ plays a key role in liaising and bringing about cooperation between key government and sector groups involved in the areas of commercial sexual exploitation of children (CSEC).
In an effort to protect their visitors, Websense Security Labs is working closely with ECPAT NZ INC to advise on the threats on their Web site. The ThreatSeeker Network has been tracking how such attacks take hold on reputable, high-profile Web sites, targeting their peers and other visitors.
Screenshot of the infected site:
Screenshot of the infected site source and malicious payloads:
Websense Messaging and Websense Web Security customers are protected against these threats.
-
Malicious Web Site / Malicious Code: Lottery Scam via Skype in China
Websense® Security Labs™ ThreatSeeker™ Network has discovered a scam that uses a fake Skype message about a lottery to get money from the victim. The scam is becoming widespread in China.
The scam uses a phony Skype message to trick the victim into believing that he or she has won a large prize in a lottery. The message includes the address of a phishing Web site and the telephone number of a phony support center. When the victim calls the support number, the operator directs the victim to fill out the form on the phishing Web site, including bank account information. This scam combines Web-based phishing with telephone-based human interaction, a technique that is becoming more sophisticated and popular in China.
Here is how it works:
Step 1:
The victim receives a fake message from a phisher posing as a Skype representative. The message states that the recipient has won a large prize. The message includes a fake Web site, like "http://sky63.xxxxx.cn/", and a phone number, such as "0898-881-44xxx". Often the prize is as much as 100,000 RMB, plus a new car.
Here is a typical fake Skype message:

Step 2:
The victim calls the number and goes to the phishing Web site to enter personal and bank account information.
Here is the phishing Web site:

Step 3:
This is where the scammers get the victim's money. After filling out the form, the victim is directed to another Web page that informs the victim that he or she must pay a fee, in advance, to get the prize. The fee is often several hundred RMB.
The combination of the Skype message and a real, answered phone number makes the lottery scam look genuine. The promise of a big prize (100,000 RMB and a car) makes the lure hard to resist. The victim happily pays the fee. The result is that the victim loses his or her money and, of course, there is no prize.
This page asks for a fee:

Websense Messaging and Websense Web Security customers are protected against these threats.
-
Malicious Web Site / Malicious Code: Beware of Compromised Halloween-themed Web Sites
Websense® Security Labs™ ThreatSeeker™ Network has discovered that numerous Halloween-themed Web sites have been compromised as Halloween approaches and users are more likely to visit them.
One particular example is a Web site selling Halloween costumes. The deobfuscation returned by ThreatSeeker shows that the JavaScript has multiple layers of obfuscation. The script contacts a malicious server in the .biz TLD. Within the ThreatSeeker network, we have seen almost ten thousand sites infected with the same obfuscation technique.
The infected Web site:

The injected code:

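As an added example not taken from the original alerts, the Python below peels the unescape()/String.fromCharCode() layers from injected scripts like those described in this alert and in the Embassy of Brazil and ECPAT NZ alerts above, then reports zero-size iframes and hosts in a suspicious TLD (.biz, as observed here). The page and hostname are constructed placeholders, and the decoder handles only these two common layers.

```python
import re
from urllib.parse import quote, unquote, urlparse

# Constructed sample modelled on the injections described above: a hidden iframe
# to a .biz host (placeholder name) wrapped in two layers, fromCharCode inside unescape.
INNER = '<iframe src="http://update-scan.example.biz/in.cgi?3" width=0 height=0></iframe>'
LAYER1 = "document.write(String.fromCharCode(%s));" % ",".join(str(ord(c)) for c in INNER)
SAMPLE_HTML = ('<html><body><h1>Halloween Costumes</h1>\n'
               '<script>eval(unescape("%s"));</script></body></html>' % quote(LAYER1, safe=""))

CHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")
UNESCAPE_RE = re.compile(r"unescape\(\s*['\"]([^'\"]*)['\"]\s*\)")
URL_RE = re.compile(r"(?:src|href)\s*=\s*['\"]?\s*(https?://[^\s'\">]+)", re.I)
HIDDEN_RE = re.compile(r"<iframe[^>]*(?:width|height)\s*=\s*['\"]?0\b", re.I)

def js_unescape(s):
    """JavaScript unescape(): %uXXXX gives a UTF-16 unit, %XX a single byte."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding="latin-1")

def peel(script, max_layers=8):
    """Replace unescape()/fromCharCode() calls with their plaintext until stable."""
    for n in range(max_layers):
        new = CHARCODE_RE.sub(lambda m: '"%s"' % "".join(chr(int(c)) for c in m.group(1).split(",")), script)
        new = UNESCAPE_RE.sub(lambda m: '"%s"' % js_unescape(m.group(1)), new)
        if new == script:
            return script, n
        script = new
    return script, max_layers

def analyse(html, suspicious_tlds=("biz",)):
    """Return (findings, hosts contacted) for every <script> block in the page."""
    findings, hosts = [], set()
    for script in re.findall(r"<script[^>]*>(.*?)</script>", html, re.S | re.I):
        text, layers = peel(script)
        if layers:
            findings.append(f"script hidden under {layers} obfuscation layer(s)")
        if HIDDEN_RE.search(text):
            findings.append("script writes a zero-size iframe")
        for url in URL_RE.findall(text):
            host = urlparse(url).hostname or ""
            hosts.add(host)
            if host.rsplit(".", 1)[-1] in suspicious_tlds:
                findings.append(f"script loads content from {host}")
    return findings, sorted(hosts)
```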
Another example is a US-based retailer using the Halloween theme to promote its products. This Web site is infected with a redirection that points to a gpack exploit kit. The ThreatSeeker network is currently tracking over thirteen thousand sites infected with these patterns.
The injected Web site:

Malware authors are not the only ones taking advantage of seasonal events. Numerous recently registered proxy Web sites are using the Halloween theme to let users bypass traditional URL filtering solutions. For example:

Websense Messaging and Websense Web Security customers are protected against these threats.