Latest Alerts From Websense Security Labs
  • Malicious Web Site / Malicious Code: China.com game site hosting malicious code
  • Websense® Security Labs™ ThreatSeeker technology has detected malicious code hosted on China.com's game site. The malware is a variant of VBS/Redlof and is known to commonly infect files with the extension of "html", "htm", "php", "jsp", "htt", "vbs", and "asp".

    This malicious download (MD5: e6df57ea75a77112e94036e5138bd063) is placed in a directory that appears to be reserved for game patch downloads. This virus attempts to spread itself by infecting all outbound emails sent by the victim with MS Outlook or Outlook Express.

    Screenshot of site:



    Screenshot of the malicious code:



    More details on the Microsoft VM ActiveX component vulnerability (MS00-075)

    Websense customers are protected from this attack.

  • Malicious Web Site / Malicious Code: Mass Attack JavaScript injection - UN and UK Government websites compromised
  • Websense® Security Labs has been tracking a recent development of the malicious JavaScript injection that compromised thousands of domains at the start of this month, just 2-3 weeks ago. The attackers have now switched over to a new domain as their hub for hosting the malicious payload in this attack. We have no doubt that the two attacks are related as our brief analysis below will explain. In the last few hours we have seen the number of compromised sites increase by a factor of ten.

    This mass injection is remarkably similar to the attack we saw earlier this month. When a user browses to a compromised site, the injected JavaScript loads a file named 1.js, which is hosted on http://www.nihao[removed].com. The JavaScript code then redirects the user to 1.htm (also hosted on the same server). Once loaded, the file attempts 8 different exploits (the attack last April utilised 12). The exploits target Microsoft applications, specifically browsers not patched against the VML exploit MS07-004, as well as other applications. Ominously, files named McAfee.htm and Yahoo.php are also called by 1.htm but are no longer active at the time of writing.

    There are further similarities between the two mass attacks. Resident on the latest malicious domain is a tool used in the execution of the attack. An analysis of that tool can be found in the ISC diary entry here. Mentioned in that diary entry is http://www.2117[removed].net. Our blog on that attack can be found here. It appears that the same tool was used to orchestrate this attack too.

    When we first started tracking the use of this domain, the malicious JavaScript was still making use of http://www.nmida[removed].com/:

    Now the attackers are referring to a file hosted on the new domain of http://www.nihao[removed].com:

    Sites of varying content have been infected including UK government sites, and a United Nations website as can be seen by the Google search results below.

    The number of sites affected is in the hundreds of thousands:

    Evidence of a compromise on a United Nations website:

    Evidence of a compromise on a UK government website:

    Evidence of a compromise on a Chinese tourism website:

    Casualties of the previous attack included various US news web sites, a major Israeli shopping portal, and numerous travel sites.

    Websense security customers are protected against this attack.


  • Malicious Web Site / Malicious Code: Le Bernardin site compromise
  • Websense® Security Labs™ has discovered that the official Web site of "Le Bernardin", a famous high end restaurant in New York, has been compromised with malicious code.

    An obfuscated iframe has been inserted into the source of the Web site.

    Visitors to the site execute the script, which redirects to a malicious website in order to infect visitors.

    This is the unobfuscated code:

    The malicious website hosting the iframe's content is currently unreachable.

    Websense Security customers are protected from this attack.

  • Malicious Web Site / Malicious Code: USATODAY.com Malicious Flash Banner Ad
  • Websense® Security Labs™ has received reports of a malicious Flash banner ad on USATODAY.com, a prominent news web site. The banner ad leads to the download of various spyware and ransomware, appearing as legit anti-virus scanners to the uninitiated.

    Screenshot of banner ad from USATODAY:

    Without any user interaction, the banner ad causes the browser to be minimized to the bottom right-most corner of the desktop, behind a fake warning popup dialog box. In the screenshot below, we clicked “cancel”.

    Even prior to clicking “cancel”, we noticed that the desktop is already receiving data from the verified malicious host--all of this without any user interaction.

    Clicking “cancel” still takes the visitor to a fake malware scanner site which, even after clicking “no” or “cancel” on all the popup dialog boxes, leads to a “free” fake scan that ends in a fake anti-virus scan result page.

    The machine we used in our tests was 100% free from malicious code, yet the fake page claimed 12 infections. O RLLY?

    It then offers the usual malicious “solution” for download.

    Websense security customers are protected from this attack.

    More details about this malicious binary from Microsoft:

    http://www.microsoft.com/security/encyclopedia/details.aspx?name=Win32%2fRenos

  • Malicious Web Site / Malicious Code: MSNBC is latest victim in mass javascript injection
  • Websense® Security Labs™ has discovered that the official Web site of MSNBC Sports has been compromised with malicious code. This same attack has compromised dozens of other high-profile sites such as ZDNet, archive.org, wired.com, and history.com.


    This attack has been discussed in our previous blog.


    A link to a malicious JavaScript file has been inserted into the source of the Web site.

    Visitors to the site execute the script, which attempts to gain access to the visitor's computer.

    We have notified the owners of MSNBC of the malicious content on their site.

    It is important to note that the hub site that is hosting the malicious JavaScript is currently down.

    References:

    Mass Attack JavaScript injection

    http://ddanchev.blogspot.com/2008/03/zdnet-asia-and-torrentreactor-iframe-ed.html


  • Phishing Alert: First Northern Credit Union
  • Websense® Security Labs™ has received reports of a phishing attack that targets customers of First National Credit Union. The attack uses a spoofed email message that asks recipients to take a survey. Those who complete the survey are told that they can receive $100 USD for their participation, if they provide their account information.

    This phishing site is hosted in the United States and was not up at the time of this alert.

    Phishing screenshot:

  • Malicious Code: Eltiempo.com Fake Video Trojan
  • Websense® Security Labs™ has received reports of a phishing attack that claims to be from the popular Colombian news site, Eltiempo.com.

    The report claims that the presidents of Colombia, Ecuador, and Venezuela, countries that have recently been in political conflict, have shaken hands. The email tries to lure recipients into clicking links that promise exclusive videos and photos, including footage of the presidents shaking hands.

    The link leads to a Trojan Downloader executable hosted in Norway (MD5: 25039a99d27562a1707ac7320b77744d).

    At the time of this alert, antivirus software was not providing adequate coverage for this attack.

    Translation of the email body to English:

    El Tiempo.

    Handshake between the presidents of Colombia, Ecuador and Venezuela.
    Taken from Internet.


    At the Rio summit, after a long day of dialogue between Colombia, Ecuador, and Venezuela, the presidents were able to shake hands and agree to speak in a friendly way about political solutions to this conflict.

    Download the complete video about the Rio summit.

    Look for more photos and videos.

    Astronauts in Colombia.
    Four crew members from the recent Discovery mission to the International Space Station are visiting Colombia. On Monday, they spoke with children in Maloka.

    These are the documents that tie Chávez and Ecuador with FARC, and that will be shown in OEA (PDF).


    Screenshot of email:


  • Phishing Alert: Taobao
  • Websense® Security Labs™ has received reports of a phishing attack that targets customers of Taobao, a large Chinese shopping site. Users receive a spoofed email message that attempts to trick them into going to a falsified version of the Taobao portal.

    This phishing site is hosted in China and was up at the time of this alert.

    Phishing screenshot:

    Taobao Phish


  • Informational Alert: Websense Discovers Microsoft Excel High-risk Zero-day Vulnerability - Patch Released
  • Websense® Security Labs™ has discovered a high-risk zero-day vulnerability (MS08-014) within the widely-used Microsoft Office Excel.

    This vulnerability, discovered by Websense in November 2007, requires minimal user interaction. Exploit code can be embedded within Microsoft Excel files and launched upon opening an Excel document. This could be launched over email, through a website or another less common method. Upon discovery, Websense responsibly disclosed this important vulnerability to Microsoft, and it has since been patched. (http://www.microsoft.com/technet/security/bulletin/ms08-mar.mspx)

    Because several targeted attacks have used Microsoft Office vulnerabilities in the past, we recommend that users patch machines.

    Websense ThreatSeeker™ technology is actively searching for in-the-wild exploits and Websense will automatically protect customers upon discovery.

    Note: Microsoft Excel 2002 and earlier versions are affected.

    To show how this vulnerability could potentially be used in the wild, we’ve created a video with a proof of concept exploit on a Windows XP machine running an unpatched version of Excel. In this demo, the user receives an exploited Excel file via email. The user manually opens it, and is automatically exploited.

    For the purpose of visualization, our exploit executes Solitaire, but obviously a malicious exploit could execute arbitrary code.

    Proof of concept video: Link

    References:
    March 2008 bulletin summary


  • Malicious Code: Univision Fake Castro Video Trojan
  • Websense® Security Labs has received reports of a phishing attack that claims to be from Univision, a major Hispanic TV network.

    The report claims that Fidel Castro, who has been ill, suffered a sudden heart attack early yesterday and died. The email lures the recipients into clicking the links for exclusive videos and photos, including footage of Venezuela's President Hugo Chavez crying by Fidel's coffin.

    The link leads to a Trojan Downloader .exe hosted in Korea (MD5: 58b7c7a3857c44c860992854397732b1).

    At the time of this alert, anti-virus software was not providing adequate coverage for this attack.

    Translation of the email body to English:

    This morning, inside his residence in Laguito, the Cuban dictator Fidel Castro died.

    Video of Hugo Chavez (Venezuela's President) crying next to his casket.
    Image of Fidel Castro inside a casket.

    Here are exclusive Images and Video.

    According to official news, Cuban dictator Castro had been in critical condition for the past few days and suffered an unexpected heart attack.

    Screenshot:


    Websense Security customers are protected from this malicious site.
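
The mass JavaScript injection alerts above describe compromised pages that carry a script tag loading 1.js from a third-party host. As an added example (not code from Websense or from the original page), this Python audit lists every script or iframe on a page that loads from a host outside an allowlist; the host names, the allowlist and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ExternalLoadAuditor(HTMLParser):
    """Record <script src> and <iframe src> that load from non-allowlisted hosts."""

    WATCHED = {"script", "iframe"}

    def __init__(self, site_host, allowed_hosts=()):
        super().__init__(convert_charrefs=True)
        # The site's own host is always allowed; everything else must be listed.
        self.allowed = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
        self.findings = []  # (line, tag, host, src)

    def handle_starttag(self, tag, attrs):
        if tag not in self.WATCHED:
            return
        src = (dict(attrs).get("src") or "").strip()
        if not src:
            return  # inline script or empty frame: nothing is fetched
        # urlsplit resolves the host for absolute and protocol-relative URLs;
        # site-relative paths such as /js/site.js have no host and are skipped.
        host = (urlsplit(src).hostname or "").lower()
        if host and host not in self.allowed:
            self.findings.append((self.getpos()[0], tag, host, src))


def audit(html, site_host, allowed_hosts=()):
    """Return findings for one page, in document order."""
    parser = ExternalLoadAuditor(site_host, allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: two legitimate scripts plus an injected script and iframe.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.partner.example/lib.js"></script>
</head><body>
<p>Patch notes<script src=http://injected.example/1.js></script></p>
<iframe src="//frames.injected.example/1.htm" width=0 height=0></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, tag, host, src in audit(SAMPLE_PAGE, "www.site.example",
                                      ["cdn.partner.example"]):
        print(f"line {line}: <{tag}> loads from unlisted host {host}: {src}")
```

This is a static check: an iframe that is written into the page by obfuscated script, as in the Le Bernardin alert, only exists after the script runs and will not appear in the parsed markup.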
