Tuesday, January 31, 2012
Wednesday, January 25, 2012
|Zulu Launch Banner|
|Zulu User Interface|
|Zulu results for Zeus Related Malware|
- Content – Page content is scoured for the inclusion of potentially malicious code leveraging proprietary Zscaler algorithms, conducting heuristic tests and querying public sources.
- URL – The requested URL is tested against known suspicious/malicious patterns, public black/white lists, as well as historic risk assessments for subdomains, domain TLDs, file types, etc.
- Host – Historic reputations of the host IP address, Anonymous System Number (ASN) and geographic location are analyzed, along with suspicious behaviors displayed by the host in question.
Recently, I've seen several websites showing a fake warning for a missing plugin. The fake warning is designed to look the same as the real warning shown by Firefox when the page requires a plugin that is not installed: a yellow bar at the top of the page with a link to install the plugin on the right, and a blue icon on the left.
|Legitimate Firefox warning for a missing Adobe Shockwave plugin|
On allostreaming.biz (French language), the fake warning is for a "missing" VLC plugin. You can tell that the warning is part of the page, and not part of the browser, because the scroll bar goes to the top of the warning, whereas the real warning is above the scroll bar (see the image above).
|Fake warning for missing plugin|
|HTML code for the fake warning|
The spammers are using the same fake warning on all browsers, which is also a giveaway as browsers other than Firefox don't actually have the same warning for missing plugins. Anyway, the attack will likely fool users of other browsers into installing this adware/spyware.
Friday, January 20, 2012
Last week, I received a Google alert for "Zscaler Likejaking Prevention 1.1.2 for MAC keygen serial crack Apple registration code activation". Given that Zscaler Likejaking Prevention is a free tool that we provide, it certainly doesn't need a keygen utility!
The download link brings the user to firstclass-download.com. Downloading this specific file requires an account on firstclass-download.com which costs $1.99/month, plus a $69.95 one-time fee! At best, this money will allow you to download what is already available for free on multiple websites (Zscaler, Mozilla add-ons, Softpedia, etc.). At worst, users are paying to get a malware or spyware.
This is the same technique I described in an earlier post related to Blackhat spam SEO. There are a lot of websites similar to mycleverlab.com. A search for "Zscaler keygen" shows many sites using the same trick: wacky-wii.com, dwlfile.com, zengenix.com, cracksguru.com, zengenix.com, etc.
Always go to the official source to download any software. If you want "Zscaler Likejacking Prevention for MAC", go directly to Zscaler's website. No need to pay for what is already free!
Thursday, January 19, 2012
If you want a quick way of increasing traffic to your website - change or take down portions of your website in protest ... at least that is what we have gleaned from today's (1/18) Wikipedia protest against SOPA. There will likely be other blog posts and stats released on the results of this and other cyber protests - here is what we have seen from traffic thus far that has passed through one of Zscaler's clouds.
We can combine the two above graphs into a graph of transactions per unique visitor, and we see that this is much smaller today. This suggests that more people are flocking to Wikipedia today, but just to see the protest page and some details on SOPA. This behavior could be described as "online rubber necking".
From the above stats we are able to visually represent the Wikipedia protest and the Internet community's "rubber necking" behavior in which the number of visitors increase but the transactions per vistor decreases. While not the goal of Wikipedia's protest, from a media and public relations standpoint these types of Internet events can stand to be beneficial or even lucrative. This last graph shows a large volume of people checking out the protest page. However, there too was about a 365% increase (going from about 16% to 75% of the visits) in visits to their SOPA Initiative page and >77% increase (going from about 9% to 16% of the visits) across SOPA related page visits during the protest - this visually shows the success of Wikipedia's protest in which it is successfully spreading their message and educating visitors on SOPA. I would expect that this may be a sign of the times to come given the successful results of the protest on the Internet and that the message was received on Capitol Hill (reference on which Senators dropped support for SOPA).
Monday, January 16, 2012
The dominance of exploit kits like Blackhole, Incognito and others, continues to be seen in the wild. Attackers continue to use these exploit kits to generate malicious webpages and host them on various domains. These exploit kits usually targets browser and browser plugin vulnerabilities.
To increase the likelihood of a successful attack, exploit kits are commonly used to infect legitimate sites that already have significant traffic. Attackers achieve this by crafting scripts designed to identify sites with injection vulnerabilities, which allow for hidden iFrames to be written, which then point to the exploit kit URL. When users visit the infected sites and are redirected to the browser exploit kits, a known browser or plugin vulnerability is typically used to download and execute malicious content without user knowledge. You can visit this related blog for more information about iFrame injection in detail.
iFrame leading to Incognito exploit kit
The aforementioned obfuscated code was injected at the start of the webpage. Let’s deobfuscate the code to make sense of it.
You can see that the deobfuscated code generates a hidden iFrame with the ‘src’ attribute being assigned the exploit kit URL. Generally, the visibility of the iFrame is kept hidden and dimensions are kept to a minimum, which ensures that the iFrames don’t alter the look and feel of the page.
Exploit kit URL: hxxp://racingengines.osa.pl/showthread.php?t=63942072
After observing patterns in the exploit URL, one can determine that this URL belongs to the Incognito Exploit kit.
Suspicious URL Pattern: “/showthread.php?t=”
Search results for the above pattern at www.malwaresomainlist.com confirms that URL belongs to the well known Incognito exploit kit. The exploit kit URL is still active but currently not delivering the malicious code. Visit this blog on Incognito exploit kit for more details.
iFrame leading to Blackhole exploit kit
Exploit kit URL: hxxp://brighttz.com/main.php?page=dac9bd89165e2708
Suspicious URL pattern : “/main.php?page=”
Search results for the suspicious pattern at www.malwaredomainlist.com can be found here. The exploit kit URL is not currently active. We have been writing about the Blackhole exploit kit for some time. At present, this seems to be the favored exploit kit amongst attackers. You can find more information about the Blackhole exploit kit here.
Fortunately, the aforementioned exploit kit URLs have been blocked by Google Safe Browsing. A sample Google diagnostic report of the Incognito exploit kit URL can be found here. While conducting research I came across a number of such compromised websites on a daily basis. Attackers continually alter obfuscated code to ensure that it is not yet detected by popular AV/IPS/IDS vendors. This keeps them one step ahead in this ongoing game of cat and mouse.
To conclude, I would like to say,
“The growth in compromised websites is directly proportional to the growth in popularity of different exploit kits”.
Tuesday, January 10, 2012
Usually, these spam websites try to get the user to click on a specific area of the page where they have hidden one or more 'Like' buttons. Recently, we found a website where the hidden Facebook 'Like' button follows the mouse throughout the page. No matter where you click, you hit the Like button.
|Hidden Like widget follows the mouse|
The technique to hide the button, has however been seen previously. There are hidden DIV elements with the opacity set to 0.0.1, which makes them transparent, although they are in the foreground. The position is set to absolute so that it can move anywhere on the page.
Here is a video that explains how it works:
You can get the free Zscaler Likejacking Prevention extension for Firefox, Google Chrome, Safari and Opera on our website.
Tuesday, January 3, 2012
I found a suspicious ad in my Google Reader for a free FLV player. I've recently shown that this type of free software is regularly repackaged with adware/spyware for profit.
The ad leads to a download page for FoxTab FLV Player. There is a disclosure statement at the end of the page discussing the content of the bundle: "This product is totally free and offers the user additional bundle products that may include advertisement."
|FLV Player download page|
The adware/spyware is flagged by only 4 antivirus vendors out of 43. A behavioral analysis of the executable provided much more information about packages that were downloaded and ports open on the machine, etc.
Happy New Year 2012!