The author of this page used a Korean JavaScript obfuscator in order to obfuscate a large block of code which hides the shellcode, as can be seen in the following code snippet. In particular, the obfuscated code, generated by this tool, changes itself several times during execution.

The code also ensures that it is being executed only in Internet Explorer because that’s the only browser where this exploitation will be successful. After de-obfuscating the JavaScript code, we can analyze the shellcode itself. The author uses a common evading technique: XOR encryption, with a decrypting loop at the prologue. This technique is usually very effective against signature based detection engines.

Then the shellcode imports and calls URLDownloadToFileA to download the payload which is a packed executable, saving it with an ambiguous name such as “a.exe”.

The executable is a downloader which fetches additional malware with rootkit capabilities. The author of the attack did a decent job obfuscating the executable file, as can be seen by a Virustotal analysis:

All M86 Secure Web Gateway customers are protected from this attack by default without need to install any security update.

Partial list of compromised WordPress websites

The malicious uploaded page

The exploit page is hosted in a Russian domain called horoshovsebudet which roughly translates as “Everything will be fine”, showing a certain sense of humor by these attackers.
The Phoenix Exploit Kit identifies the User Agent of the client machine and delivers a customized exploit Web page. The following obfuscated page was served when accessing with Internet Explorer 6:

The obfuscated Phoenix exploit page

Statistics on Phoenix Exploit Kit control panel

The attached zip file contains an executable file, which unsurprisingly is a Zbot malware variant. When extracted, the malicious executable uses no disguise. It uses no fake icons of Adobe Reader or Microsft Word, no double file extensions, or excessive use of space in the file name to hide the .EXE extension. The attached file is so dull that average users should easily spot that the file is suspicious.

The good news is that when this particular Zbot sample was run, it failed to communicate to its command and control (CnC) server at plantlunch[dot]ru which turns out to be currently offline.

In conclusion, bill notifications do not usually arrive with an executable file so emails like this should be treated with extreme suspicion. When you see these obvious signs of malware, just stop and delete the email. M86 MailMarshal customers were protected against this campaign from the moment it began.

This is why we, at M86 Security, weren’t surprised to see a malicious site which loads parts of its attack using AJAX (Asynchronous JavaScript and XML), a method for client-side code to asynchronously exchange data with web servers. The following attack was observed on a currently running server located in China, which is serving malware. So how does this work?

First, there’s a web-page, containing JavaScript code that fetches the other parts of the attack:

This code is very similar to code commonly used in so many web pages nowadays. The main difference is the extra parameters it accepts, which are used to “cut” certain parts from the accepted content, so it could be processed and executed as code later on.

Next, the returned code is used by the exploit. In this case, the code is shellcode:

It’s simple. Using the exact same technique, this web page can load various browser or plugin exploit attempts. In this specific case, the page loads a SWF file exploiting CVE-2010-1297. Other pages on this server are exploiting CVE-2010-0806 and CVE-2010-0249.

The main reason that malware authors use AJAX is the ability to write generic attack pages which look benign and become malicious only once the dynamic content is loaded. This provides an advantage which is also very useful for evading AV detection, since tiny bits of the attack can be loaded one at a time, thus making it very difficult to provide a signature.

Needless to say, M86 SWG customers are protected from such exploitation attempts.

Until recently, most of the vulnerabilities exploited by popular exploit kits were found last year or even earlier. Moreover, it would take authors at least a month to update their kits with the new exploits that had been discovered in the wild. However, in the past few weeks, authors released an updated version of their kits with a new recent exploit before a patch had been released.

First, a new version of the Blackhole exploit kit was released, version 1.2.1:

Live Phoenix Exploit Kit 3.0 control panel

Notice the red boxes in the screen shots above: A new exploit was added to those exploit kits, which is the reason for the upgrade.

A few weeks ago Michael ‘mihi’ Schierl described a design error in Java. Basically this vulnerability is similar to other Java vulnerabilities where an untrusted code is executed in elevated privileges. Rhino is a Javascript engine that runs under the JVM and can interact with Java applets. An attacker can bypass the scripting engine protection by generating an error object, using Rhino script, which runs in elevated privileges and executing code that disables the Security Manager. Once the Security Manager is disabled, the attacker can execute code with full permissions.

Not long after the discovery, an exploit module was published in Metasploit. First, the code binds a Rhino object with the applet:

The Java code executes a script that bypasses the Security Manager protection by using the “toString” method inside a script context:

The script throws an exception, and the rest of the code would be executed.

The vulnerability is cross-platform and doesn’t require heap spray or buffer overflow techniques. That makes it very effective and therefore authors of exploit kits rushed to add it to their kits. The concerning aspect is that the Blackhole exploit kit was updated even before a patch was released by the vendor.

Customers of all versions of M86 Secure Web Gateway are safe, as it provides zero-day protection against this vulnerability by default.

We highly encourage users to keep their Java updated, or remove it if it is not needed. A patch for this Java vulnerability is available by now: Look for Java 6 Update 29, or Java 7 Update 1.

This attack involves embedding a maliciously crafted Universal 3D (U3D) stream in a PDF file, one of several examples of attacks on embedded streams within PDF files, and represents a growing attack vector due to its ability to deal with defense mechanisms among which DEP and ASLR (two techniques meant to help prevent unauthorized code execution) using known techniques such as JIT Spraying.

According to Adobe’s blog post released alongside the advisory, Adobe is planning to release an update for Adobe Reader 9, the version targeted by this vulnerability, “no later than the week of December 12, 2011″. The rest of its supported versions will receive updates as part of their quarterly updates in January 2012.

M86 Secure Web Gateway, version 9.2 and above, provides zero-day protection against this attack, without requiring any further updates. Customers who wish to monitor the attack in their organization may look for attacks that are tagged with the “Adobe Universal 3D streams” block message.

We’re proud that our proactive rules block this new zero-day exploit and we’ll continue to work hard to provide this level of protection to our customers in the future.

The subject lines used in the Facebook spam campaign are similar to those in the image below. Notice that they use varying letter case and random Facebook profile names.

The message body may look like a legitimate Facebook notification. However, further inspection reveals the underlying link redirecting to a malicious webpage.

Another campaign spammed out by Cutwail claims to be a flight ticket order.  The spam can be easily spotted by its subject lines. It looks seemingly like a “forwarded” or “reply” email and uses the subject format shown in the image below.

Here is an example of the message:

There are two things you should notice about this particular spam campaign. Firstly, the visible URL shown does not conform to the URI naming scheme of not having a top level domain, a  clumsy mistake from the spammers. Other similar messages use “www.airlines.com” which is a parked domain. Secondly, “Airlines America” in the signature block is not a real airline company unless the spammers meant to imply American Airlines.

Two other spam campaigns resurfaced this week, namely the “Automated Clearing House (ACH)” and the “scanned document”.

The URL link in these campaigns points to a compromised web server that serves a small HTML file. The HTML file then contains a malicious iframe that opens up a Blackhole exploit kit landing page. This is the same exploit kit used in previous spam campaigns such as the Steve Jobs is Alive and fake LinkedIn notifications.

If you are a system administrator, you may want to block the following exploit kit landing pages.

• crredret[dot]ru/main.php
• www[dot]btredret[dot]ru/main.php
• bqredret[dot]ru/main.php

At the time of analysis, loading the exploit kit webpage downloaded SpyEye and the  Bobax spambot on to our vulnerable hosts.

In the known attacks, the installed malware is known as Duqu.
The Laboratory of Cryptography and System Security (CrySyS) at Budapest University
first reported these attacks and they were thoroughly investigated by that team
and by Symantec in the following article.

M86 Security Secure Web Gateway (SWG) can be deployed with
three possible antivirus scanners and they already released protection: Kaspersky,
McAfee and Sophos. No additional Security Update by M86 Security is required. In addition, we are
investigating adding more layers of protection in the future. Keep in mind,
these attacks currently are not delivered via web browser but that can obviously change
in the future.

We will continue to monitor the situation and update this blog post as necessary.

Steve Jobs Alive!

Steve Jobs Not Dead!

Steve Jobs: Not Dead Yet!

Is Steve Jobs Really Dead?

Sample of the Steve Jobs spam campaign

The URL links in the spam are many and varied. The websites that they point to all look to be hacked by the addition of obfuscated code that, after two layers of redirects, ultimately ends up at a BlackHole exploit kit landing page.

The HTML source code of the Blackhole Exploit kit landing page

The intermediary redirect URLs are random-looking domains, with a top level domain of .ms (Monserrat in case you didn’t know), here are some examples:

• hxxp://xnyiinobfb[dot]ce[dot]ms/index.php
• hxxp://derhvbq[dot]ce[dot]ms/index.php

The purpose of the exploit kit is to try and exploit vulnerabilities on the system and eventually download malicious executable files. At this stage, we are not sure what the ultimate payload is, as no files were actually downloaded on our test system.

Unfortunately, many people may find this spam campaign “click-worthy” given the icon that Steve Jobs was. The usual advice applies – avoid clicking links in unsolicited email. In this case, one simple click is all it takes to get compromised.

Google AdWords: You have a new alert.

Google Team: You have a new alert

Here is an example of the spam email posing as a notification email from Google AdWords.

If you notice in the sample email, the URL link that appears to be linking to your Adwords account looks dodgy. But if that obvious sign didn’t prevent you from clicking the link, you would have been redirected to a Google AdWords phishing webpage.

After entering a username and password, the webpage sends these credentials to the cyber-criminal’s webserver.

The HTTP POST request when the user enters their Google account credentials. It sends the username and password to the phisher's webpage.

Of course, once you enter your Google account credentials in the phishing page this will NOT just compromise your Google AdWords account but all your Google services like GMail or Google+ will be affected as well. When you receive these sorts of notification emails, always double check the URL before you click on them – if it looks suspicious, it probably is.