Wednesday, June 29, 2011

IRS, NACHA, etc. mal-spam

I posted a few of these mal-spam incidents on our Scrapbook blog ... this sort of mal-spam has been on-going, but there has been a recent uptick since early June. The NACHA, Federal Reserve, and now IRS mal-spam sites have all favored the MelbourneIT/Yahoo netblocks/domain services.

This is one of those cases of invoking Uncle Sam, who is relevant to every US citizen, to social-engineer spam recipients into falling victim to an attack.

Recently the straight-up spam-to-malicious-URL exe scenario changed to a more complex multi-stage, multi-pronged attack scenario: spam to URL shortener which redirects to another URL shortener and/or site containing an exploit kit (Blackhole) and drop or social network to Zeus-ish malicious executable to sites like:


Fortunately, the IRS and security researchers alike were all over this to have these sites removed as quickly as possible. Regardless, the spam was widespread through the Cutwail/Pushdo botnet and impacted a lot of Internet users. Here are a few of the details (posted with permission from the co-handler of this incident)...

Here is an example of one of the shorteners:

Here is an example of one of the second-stage shorteners:

All-in-all a handful of shortener services were abused for this campaign to the tune of thousands of shortened URLs (perhaps a different shortened URL per spam message to avoid detection from groups like SURBL). Some of the services abused include:,,,,,, as well as the previously mentioned and services.

From my example, the second-stage shortener linked to content that was pretty well obfuscated ... it "abused" JavaScript (such that my command-line interpreter, CLI, couldn't render) and it also did the standard leveraging of HTML DOM objects: specifically through, getElementsByTagName, innerHTML, as well as some creative uses of document creation with createTextNode, appendChild, and related. Because of these, it made the second-stage redirect a bit challenging to deobfuscate ... in the end, it helped to modify the script to suit what my CLI JS could understand. All of the obfuscated content was numbers within HTML div tags that were looped through with this (modified) JS:

Deobfuscating the content returns the exploit scripts as well as redirects to the previously mentioned irs-report site.
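A static decoder for pages laid out the way this post describes (numbers inside div tags), as an added example and not the author's modified script. It assumes each number is a decimal character code, which the post does not state; all function names and the sample page are constructed for illustration.

```javascript
'use strict';

// Pull out the text of every <div> whose content is only digits and separators.
// Ordinary divs ("Loading...") are skipped.
function extractNumericDivs(html) {
  const out = [];
  const re = /<div\b[^>]*>([\s\S]*?)<\/div>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const body = m[1].trim();
    if (body && /^[\d\s,;.|]+$/.test(body)) out.push(body);
  }
  return out;
}

// Turn the numeric payloads into text. Nothing is evaluated, so the decoded
// stage can be read safely. ASSUMPTION: each number is a decimal char code.
function decodeDivs(html) {
  return extractNumericDivs(html)
    .map(body => (body.match(/\d+/g) || [])
      .map(n => String.fromCharCode(Number(n)))
      .join(''))
    .join('');
}

// List the URLs the decoded stage refers to, defanged for sharing or blocklists.
function extractIndicators(decoded) {
  const urls = decoded.match(/https?:\/\/[^\s"'<>)]+/gi) || [];
  return [...new Set(urls)].map(u => u.replace(/^http/i, 'hxxp'));
}

// --- Constructed sample (not taken from the campaign) ---
const encode = s => Array.from(s, c => c.charCodeAt(0)).join(',');
const SAMPLE_STAGE = 'window.location="http://landing.example/irs/report";';
const SAMPLE_HTML =
  '<html><body><div id="a">' + encode(SAMPLE_STAGE.slice(0, 20)) + '</div>' +
  '<div>Loading, please wait...</div>' +
  '<div id="b">' + encode(SAMPLE_STAGE.slice(20)) + '</div></body></html>';

console.log(decodeDivs(SAMPLE_HTML));
console.log(extractIndicators(decodeDivs(SAMPLE_HTML)));
```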

Example drop:

MD5 : 8a5bf0dd71a1b8ea8155963b252e2105
V/T report: 13/42 now (seen <6 detects in some cases)

Remember the IRS does not contact the taxpayer through email! (reference)

Tuesday, June 21, 2011

Patching Flash - CVE-2011-2110 post-mortem

Last week I blogged about the CVE-2011-2110 Adobe Flash vulnerability being actively exploited in the wild. Adobe released its patch exactly a week ago (Tuesday, June 14) ... I wanted to do a follow up to identify the patch rate within our enterprise customers.

Within our last "State of the Web" quarterly report - we identified that only 4.5% of our customers running Flash were running an outdated, vulnerable version. (Java was the most out of date with 51.32% - good reason why this has become a favorite client-side application for attackers to exploit). Running the numbers for the week prior to and the week following the patch shows:

Week prior to CVE-2011-2110 patch:

About 93.43% of clients accessing the web through our cloud during this period had Flash installed. Of the clients that had Flash installed, 7.88% were running an out of date / vulnerable version.

Week following CVE-2011-2110 patch:

About 94.19% of the clients accessing the web through our cloud during this period had Flash installed. Of the clients that had Flash installed, 10.15% were running an out of date / vulnerable version - about a 28.81% percentage increase of vulnerable Flash instances. The overall vulnerable percentage rate is also more than double the rate that we noticed for Q1 2011 - showing that client-side application patching within the enterprise remains a problem. This is in spite of Adobe's auto-updating feature - which still requires action from the weakest-link (the user). "Windows users and users of Adobe Flash Player or later for Macintosh can install the update via the auto-update mechanism within the product when prompted."

Monday, June 20, 2011

Zscaler Safe Shopping available for Opera

Zscaler Safe Shopping is already available for Firefox, Firefox Mobile (aka Fennec) and Google Chrome. Now, you can also download the extension for your Opera 11 browser. A version for Safari will be available soon as well.

Zscaler Safe Shopping extension for Opera

For those not familiar with the extensions, Zscaler Safe Shopping shows a warning when users visit fake or compromised online stores. You can refer to previous posts for further details. You can also find other security extensions and tools from Zscaler on our Research Tools page.

Zscaler Safe Shopping warning for a fake store

You can download the extension on the official Opera Extensions site.

Extension creation

Building an extension for Google Chrome, Opera and Safari is very similar. The Zscaler Safe Shopping source code for these three browsers is about 90% identical. The differences are due primarily to the way that extensions are packaged in order to be distributed, and to the way that scripts communicate between the browser and the page.

Basically, Zscaler Safe Shopping for these three browsers is separated into two parts:
  • The background process which is used to download the blacklist, to do the domain matching and to handle options
  • A script injected on each page/frame to interact with the HTML document: get the page URL, insert a warning, etc.
The page script and the background process can communicate together. The background process has access to the browser as a whole (UI, API, etc.), but not to the tab content. The injected script has access to content on individual tabs. Both scripts can communicate with one another to give the extension full access to the page and browser.
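The split described above, as an added example that is not Zscaler Safe Shopping's code. The message shapes, function names and blacklist entries are hypothetical, and the browser's asynchronous messaging API is replaced by a direct function call so the sketch runs offline.

```javascript
'use strict';

// Background side: the downloaded blacklist, held as a Set (constructed sample).
const BLACKLIST = new Set(['fake-store.example', 'cheap-software.example']);

// Match the hostname or any parent domain, always on a label boundary, so that
// shop.fake-store.example matches but notfake-store.example does not.
// The bare top-level label is never tested.
function matchBlacklist(hostname, blacklist) {
  const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
  for (let i = 0; i < labels.length - 1; i++) {
    const candidate = labels.slice(i).join('.');
    if (blacklist.has(candidate)) return candidate;
  }
  return null;
}

// Background side: answer a "check" request sent by the injected script.
// The page is untrusted, so the message is validated before use.
function handleBackgroundMessage(msg, blacklist) {
  if (!msg || msg.type !== 'check' || typeof msg.url !== 'string') {
    return { type: 'error', reason: 'bad request' };
  }
  let host;
  try {
    host = new URL(msg.url).hostname;
  } catch (e) {
    return { type: 'error', reason: 'unparsable url' };
  }
  const hit = matchBlacklist(host, blacklist);
  return { type: 'verdict', warn: hit !== null, matched: hit };
}

// Page side: the injected script only reports its URL and acts on the verdict.
// It returns the warning text it would insert into the document, or null.
function pageScript(pageUrl, sendToBackground) {
  const reply = sendToBackground({ type: 'check', url: pageUrl });
  return reply.type === 'verdict' && reply.warn
    ? 'WARNING: ' + reply.matched + ' is a known fake store'
    : null;
}

// Stand-in for the extension messaging channel.
const channel = msg => handleBackgroundMessage(msg, BLACKLIST);

console.log(pageScript('http://shop.fake-store.example/office', channel));
console.log(pageScript('http://notfake-store.example/', channel));
```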

Extension approval

If you want to write your first add-on, Google Chrome is probably the easiest browser to start with. It has good documentation, good tools to test with and package extensions. Google is also the only vendor that does not require any approval to publish extensions to their official store. This is nice for the developers, but users could end up installing unstable, incomplete or dangerous plug-ins. All other vendors require a manual review.

Zscaler Safe Shopping approved on the Opera Extensions site

Opera reviewed our plugin within 24 hours. Firefox took several weeks (the extension is actually not approved yet), but the review process seems much more thorough than the other vendors. This might be due to the fact that their plug-in framework is much more powerful than the other browsers, allowing developers to potentially do a lot more harm to the security of their entire computer.

The approval for Safari seems to be very opaque. I submitted the plugin more than a week ago and haven't yet received an update. The publishing process is also somewhat strange. For example, they force the developers to host their add-on on their own website. There is no option to upload the extension directly to an Apple owned site.

-- Julien 

Friday, June 17, 2011

The "Dad walks in on Daughter.. EMBARRASSING!" Facebook scams

The "Dad walks in on Daughter.. EMBARRASSING!" Facebook scams have become very prevalent. I listed a few examples on our new blog, Zscaler Analyst Scrapbook. I'll go into more detail in this post.

A Google search for "Dad walks in on Daughter.. EMBARRASSING!" shows hundreds of spam pages. They are mostly new domains, set up just for the purpose of scamming users.

Google search shows spam pages

Some of the domains identified are:
Links can also be found by searching directly on Facebook:
Facebook users should remember that Facebook applications are not necessarily reviewed by the Facebook staff, and can be harmful.

Besides being widespread, this spam is interesting because it shows the wide variety of scams and spam associated with Facebook. Here are a few.


A very common technique used with Facebook spam involves likejacking. The spammer entices users to click on a link or image, often on the premise of watching a funny video. However, the page contains a hidden Like button that is unknowingly triggered by the user. The Like button is placed in a hidden iFrame or hidden DIV tag that follows the mouse.

This technique is used to spread the spam page via Facebook profiles to get more users to visit the page. This likejacking technique can be found, for example, on or

Fake video layer hiding a Like button

On these pages, the likejacking technique used is somewhat unique: 23 Like Buttons are placed in the center of the video, below what looks like the play button. The opacity is set to 0, meaning these buttons are totally transparent and cannot be seen. When a user believes he is clicking on the play button, he is actually clicking on one of the like buttons.
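A heuristic check for this layout, as an added example that is not from the original post: it walks the tags of a saved page and reports Like-button iframes that are invisible themselves or sit inside an invisible wrapper. The opacity threshold, the function names and the sample page are assumptions; only inline styles are inspected.

```javascript
'use strict';

const VOID_TAGS = new Set(['img', 'br', 'hr', 'input', 'meta', 'link']);
const LIKE_SRC = /(^|\/\/)(www\.)?facebook\.com\/plugins\/like\.php/i;

// True when an inline style makes the element transparent. Transparent
// elements still receive clicks, which is what likejacking relies on.
function isInvisible(attrs) {
  const style = /style\s*=\s*(?:"([^"]*)"|'([^']*)')/i.exec(attrs) || [];
  const css = style[1] || style[2] || '';
  const op = /(?:^|;)\s*opacity\s*:\s*([\d.]+)/i.exec(css);
  if (op && parseFloat(op[1]) < 0.1) return true;         // assumed threshold
  return /alpha\s*\(\s*opacity\s*=\s*0\s*\)/i.test(css);  // legacy IE filter
}

// Return the src of every Like-button iframe that is transparent or nested
// in a transparent ancestor.
function findHiddenLikeButtons(html) {
  const stack = []; // open elements: { name, hidden }
  const hits = [];
  const tagRe = /<(\/?)([a-z][a-z0-9]*)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const name = m[2].toLowerCase();
    const attrs = m[3];
    if (m[1] === '/') {
      // Close the nearest matching open element (tolerates sloppy markup).
      for (let i = stack.length - 1; i >= 0; i--) {
        if (stack[i].name === name) { stack.length = i; break; }
      }
      continue;
    }
    const hidden = isInvisible(attrs) || stack.some(e => e.hidden);
    if (name === 'iframe') {
      const src = (/src\s*=\s*["']([^"']+)["']/i.exec(attrs) || [])[1] || '';
      if (hidden && LIKE_SRC.test(src)) hits.push(src);
    }
    if (!VOID_TAGS.has(name) && !/\/\s*$/.test(attrs)) stack.push({ name, hidden });
  }
  return hits;
}

// --- Constructed sample: 23 transparent buttons plus one ordinary visible one ---
const hiddenButtons = Array.from({ length: 23 }, (_, i) =>
  '<iframe src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2F' +
  'spam-video.example%2F&n=' + i + '" style="width:50px;height:20px"></iframe>').join('');
const SAMPLE_PAGE =
  '<html><body><img src="player.png">' +
  '<div style="position:absolute;top:120px;left:200px;opacity:0">' + hiddenButtons + '</div>' +
  '<iframe src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fblog.example%2F"></iframe>' +
  '</body></html>';

console.log(findHiddenLikeButtons(SAMPLE_PAGE).length + ' hidden Like buttons');
```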

Like buttons rendered visible

You can check the details in this video:

Script injection

This second example is much more harmful. The attackers ask users to copy and paste JavaScript code into their browser URL bar. The JavaScript has full access to contents in the open browser tab. It can grab the user session cookie and send it to the attacker. This gives the attacker full access to and control of your Facebook account.

Script injection
In the example, the attackers didn't try very hard to hide their intentions. They load the malicious JavaScript from a page called owned.php!

These types of script injection used to be done through cross-site scripting (XSS), or other vulnerabilities. Now unfortunately, attackers are finding that they can bypass security protections as users are willing to do anything, including willingly executing malicious code!


Instead of using a Like button to spread a page, spammers can also use comments. On hxxp://, the user is asked to enter a captcha to access the video. The result is actually entered into a Facebook comment box (you can see the "comment" button).

User asked for a Captcha
Similar to the "Like" button, this adds content to the victim's Facebook profile and shows up in his friends' News page.

Spam link on my user profile after visiting hxxp://

Survey, Software Installation

Getting the spam page hosted in a victim's Facebook profile is only the first step for a scammer. Ultimately, they want to make a few bucks from each visitor. A common technique used involves asking visitors to fill out a survey, install software, or to click on advertising to verify that they are in fact a human and not an automated script. The spammers get paid for each action.

After getting 5 spam pages added to my profile, filling out 3 surveys and getting my Facebook account stolen, I was still not able to watch this video :-)

-- Julien

Oh Flash! CVE-2011-2110 0-Day

This past Tuesday, June 14, a vulnerability (CVE-2011-2110) in the Adobe Flash Player was patched. This vulnerability is actively being exploited in the wild - the earliest exploitation that we have seen in our logs thus far predates the patch and dates back to early last Thursday (June 9th).

Attackers have/are embedding redirects into compromised legitimate websites (including an Indian government site, a US airport site, and an aerospace site, among others). The redirects direct users' web browsers to access the Flash exploit - once the victim machine is exploited it downloads, decodes, and executes malcode.

Working with Steven from Shadowserver we were able to collectively share information to benefit the community and a public, detailed report was subsequently released on their website. Their report lists the sites/servers that we helped identify that have hosted the malicious content, as well as provides guidance for handling this threat. Among the recommended guidance:
  • Patch! Flash Player older than (or for Android) is vulnerable. You can check your version here.
  • Block the identified malicious servers/pages/binaries - this has already been done for customers using our cloud.
  • Block/monitor for additional sites using the same attack pattern - this has already been done for customers using our cloud. Shadowserver released a Snort signature in their report to assist with identifying this pattern as well.
A special thanks to Steven from Shadowserver.

Wednesday, June 15, 2011

A heaven for phishing pages

Phishers, scammers and other attackers love free hosting services. They constantly need to set up plenty of malicious sites as their old ones are taken down or blacklisted. Fake AV authors loved, a free DNS service that allows them to redirect users to sites such as They then used a similar service from, etc. . was used to redirect users to malware. Free hosting service Ripway is still full of phishing sites.

The ultimate dream of a phisher is to be able to set up thousands of phishing sites freely, anonymously, and quickly. Luckily for them, offers a service which empowers them to do just that. It is a "Free anonymous web hosting" site, which allows anyone to create any page with a simple POST request.

home page

To be clear, like many other free services, PasteHtml was not designed to host malicious content. They have many legitimate pages, but they are also used to host many phishing pages. Try searches on the site for terms such as "facebook login" or "paypal". Most of the pages are malicious.

PasteHtml seems to take phishing seriously. A lot of these phishing pages were taken down, and warnings are shown for potentially dangerous pages (see hxxp://

Warning from PasteHtml
Here are some of the phishing/spam/scam pages I've found that are not (yet) blocked:
  • Facebook: hxxp:// (update: now blocked)
  • Zynga: hxxp://
  • Pharma spam: hxxp:// (there are many similar pages)
Facebook phishing page

It is so easy, and so quick, to create new malicious pages using services such as PasteHtml that, even though their intentions may be good, they are bound to be vastly abused.

-- Julien

Tuesday, June 14, 2011

Incognito exploit kit

Exploit kits are becoming an increasingly popular means of spreading attacks. Umesh recently blogged about seeing a spike in the usage of the Blackhole exploit kit. This exploit kit targets multiple known vulnerabilities present in a victim's browser, increasing the probability of a successful compromise. Various exploit kits differ in the way they are packaged, designed and implemented. The most distinguishing factor among different exploit kits is how exploits are obfuscated, in order to bypass various security controls.

Recently, I have noticed a significant increase in the usage of the Incognito exploit kit. Similar to the Blackhole exploit kit, Incognito also targets vulnerabilities in Java and Adobe products. Another item that differentiates these exploit kits is the URL patterns used. Most of the time, the URL pattern remains the same within a given exploit kit. A quick look at malwaredomainlist shows the common patterns used in URLs associated with Incognito.

Common URL patterns for Incognito:

Code obfuscation (formatted for readability):

De-obfuscation of the aforementioned JavaScript shows the exploit kit carrying out different attack vectors. Let’s analyze different pieces of the de-obfuscated code.

Object initializations and other functions:

Iframe Injection:

Google safe browsing reports this URL to be malicious. Visiting the above link redirects you to fake search portal delivering ads hxxp://

Step 0: This is the entry point of the malicious code. It completes required initializations of objects for vulnerable ActiveX controls. Upon the successful creation of objects, it launches the first attack vector by calling function 'gr', which injects a malicious file. The code then moves on to Step 1.

Vulnerability Details:
CVE : CVE-2006-4704
Name : Microsoft Visual Studio 2005 WMI Object Broker Remote Code Execution Vulnerability

My previous blog post describes a different version of obfuscated JavaScript targeting this vulnerability.

Step 1 : This code targets the “Java Deployment Toolkit”.

Vulnerability Details:
CVE : CVE-2010-1423
Name : Java Deployment Toolkit insufficient argument validation

Step 2 : This creates Iframe tags for malicious PDFs.

This example illustrates how the multi-level attacks delivered by exploit kits are becoming a favored choice of attackers these days. More importantly, the creation of automated tools to deliver these exploits provides attackers with the opportunity to launch campaigns on a frequent basis, with limited technical knowledge.


Saturday, June 11, 2011

Domains serving heavily obfuscated malicious code

Following a previous post on a malicious Google News search, we identified additional domains related to this attack, also serving malicious code. The method of infection remains the same by injecting a malicious script, which will redirect victims to one of several malicious domains. You will only be redirected to the malicious domains if certain conditions are met, such as a match on the referrer string in the HTTP header. For most domains, the attack requires that the Referrer be Here is what the obfuscated malicious script looks like:

The malicious script is inserted just ahead of the opening HTML tag and decodes to any of the following domains, which will ultimately deliver exploit code after multiple redirections:

All above mentioned domains are hosted on the same IP address ( is whois information for the IP:


Friday, June 10, 2011

Zscaler Analyst Scrapbook

Introducing our sister blog: Zscaler Analyst Scrapbook

Very often while we're conducting log analysis across our cloud in order to add security protections (signatures, black listing, reputation scoring, etc.) we find interesting scraps of information. While this information may not be interesting to the masses - it may help those working in security operations centers (SOCs) or other roles to add similar protections for their users. will remain our primary blog with polished posts focused on security research and "new" threats, while the blog will be reserved for quick mini-posts, focusing on things that we uncover during our daily data mining and analytics. The hope is that by sharing this additional information, others in the security community can use this information to better protect themselves and their users. We encourage feedback from our readers on work that they may be doing on similar topics so that we can publicly collaborate on emerging threats. Welcome!

Google news search results for Laurence Fishburne leading to malicious sites

One of our blog readers, Mr. Jon Leathery informed me yesterday about a link in a Google News search leading to a malicious website. “Laurence Fishburne leaving CSI”, was a popular topic recently and was being taken advantage of to spread malware. Here is the screenshot of a Google news search with that term:

Look at the highlighted news in the image above. If a user clicks on that link, it will redirect them to a malicious website containing heavily obfuscated JavaScript, which will download additional malware onto their system. The user will only be redirected to the malicious website if they are coming from Google News, based on the HTTP referrer header, a common technique that we see to further obfuscate the attack. Let’s look at the news page:

The above news site contains the malicious obfuscated JavaScript code at the top of the page. Here is a screenshot of the source code:

Remember, the malicious JavaScript code is only inserted when the referrer is the Google News site. If you visit this website directly, the malicious code will not be loaded. Here is what the obfuscated JavaScript looks like:

Once decoded, it will reveal a script tag, pointing to a malicious website. Here is the decoded content:
The above malicious link then redirects the victim multiple times, finally loading a page containing heavily obfuscated JavaScript code. Here is what the final exploit code looks like:

The above code is highly obfuscated with every string randomized. Automated analysis tools failed to decode it and manual analysis was required, which I will explain in a separate blog. The above malicious exploit code exploits various known vulnerabilities to download additional malware on the system. Here is the Fiddler capture of the malicious requests:

The exploit code downloads multiple malicious JAR files on the system after exploitation. The VirusTotal result remains very poor for one of the malicious JAR files, with only 2 out of 43 antivirus engines triggering on it. Fake antivirus pages also commonly use the technique of checking referrer strings before loading page content. The malicious content is only loaded if the victim is coming from a Google search page. The trust that people place in Google search results is being abused to social engineer victims into believing that malicious search result links are safe. Unfortunately, nothing could be further from the truth.
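A way to confirm referrer-conditioned injection of the kind described in this post and in the June 11 post, as an added example that is not from the original posts: compare the body of the same URL fetched once with no Referer and once with the search engine's Referer, and report scripts that appear only in the second response, noting whether they sit ahead of the opening HTML tag. Function names, the packing heuristic and both sample bodies are constructed assumptions.

```javascript
'use strict';

// Return every <script> element in a response body with its byte offset.
function listScripts(body) {
  const out = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(body)) !== null) {
    const src = (/src\s*=\s*["']([^"']+)["']/i.exec(m[1]) || [])[1] || null;
    out.push({ offset: m.index, src, code: m[2].trim() });
  }
  return out;
}

// directBody:   response fetched with no Referer header.
// referredBody: response for the same URL fetched with a search Referer.
function assessCloaking(directBody, referredBody) {
  const key = s => s.src + '\n' + s.code;
  const known = new Set(listScripts(directBody).map(key));
  const htmlTag = referredBody.search(/<html\b/i);
  const injected = listScripts(referredBody)
    .filter(s => !known.has(key(s)))
    .map(s => ({
      // The posts note the script is placed just ahead of the opening HTML tag.
      beforeHtmlTag: htmlTag !== -1 && s.offset < htmlTag,
      src: s.src,
      length: s.code.length,
      // Heuristic (assumption): long code with almost no whitespace is packed.
      looksPacked: s.code.length > 200 &&
        (s.code.match(/\s/g) || []).length / s.code.length < 0.02,
    }));
  return { cloaked: injected.length > 0, injected };
}

// --- Constructed sample bodies (harmless filler, not real exploit code) ---
const SAMPLE_DIRECT =
  '<html><head><script src="/js/site.js"></script></head>' +
  '<body>Entertainment news</body></html>';
const SAMPLE_REFERRED =
  '<script>var s="' + '104,116,116,112,'.repeat(40) + '";</script>' + SAMPLE_DIRECT;

console.log(JSON.stringify(assessCloaking(SAMPLE_DIRECT, SAMPLE_REFERRED), null, 2));
```

The same comparison can be repeated with a browser-like and a non-browser User-Agent, since some of these redirectors test that header as well.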

Be Safe

Tuesday, June 7, 2011

Blackhat spam SEO leading directly to a virus download

Attackers usually use some form of social engineering technique to fool users into downloading and executing a malicious executable - they scare users with a fake antivirus page, they present users with a video that requires a new software or codec update, they claim the user's browser or Flash version is out of date, etc.
Last week, I found several Google search results for popular terms leading directly to a virus download. The following 6 domains were hijacked by attackers:
When users click on one of these domains in a Google search result page, they are redirected to another domain. This new page ensures that the request has been received from a live user with a web browser. This is accomplished by looking at the user agent and at the Referer value (does the user come from Google?). If the test is successful, the user is then redirected to or

These 2 domains serve an executable with the name It is detected as malicious by only 5 AV vendors out of 42.
Virustotal result page
All the redirections are done through HTTP 302 redirections, so no new page is shown to the user. As a result, users may think the file download was done from Google, because it does not appear that they left the Google search result page. This is the "trick" the attackers rely on to ensure that users trust the executable file, in addition to the name which looks like a domain name rather than a file name.
Malicious file download attempt

Once again, the best protection, and often the only one, is to educate users to not download and install any file unless they fully trust its origin, and explicitly requested the download.
-- Julien

Saturday, June 4, 2011

Buying software online is getting more and more risky

Google searches for popular software (Windows, Microsoft Office, etc.) have often contained links to fake online stores since at least December 2010. Google has done very little to clean up the search results.

Only 1 of these results is legitimate!

The situation is actually getting worse. More and more of these malicious search results redirect users to malicious pages containing malware, generally a fake AV page. About 8% of the links redirected to malware pages in May compared to fewer than 1% in January.

Some of the malicious domains seen in May were,,, etc.

Top 1,000 hijacked domains

The most popular domains used by hijackers in May were (,, (, (, and notably (, which ranks #158 by Alexa.

Only 5% of the malicious links in Google were flagged, but the number of malware sites overall (fake AV, browser exploits, malicious applets, etc.) has been going down since January.

Be very careful if you need to buy software online - use trusted websites only, and do not believe any website offering bigger discounts than usual.

-- Julien