Tuesday, January 31, 2012

MSUpdater Trojan and link to targeted attacks

This blog post is based on a joint report by Zscaler and Seculert (their blog post). Researchers from both companies separately identified attacks which used a remote access tool (RAT) malware that apparently targeted defense-related organizations. Joining forces, we analyzed the incidents that we observed and those published in open sources to identify attack patterns and incidents from early 2009 to the present.

Figure 1: Screenshot of Report Heading

The threat arrives in phishing emails with a PDF attachment, possibly related to conferences for the particular targeted industry. The PDF exploits a vulnerability within Adobe (for example, a 0-day exploit was used against CVE-2010-2883) which then drops a series of files to begin communicating with the command and control (C&C).

Figure 2: Screenshot of Example Conference PDF "Lure"

The malware dropped and launched by the PDF exploit has been seen to be virtual machine (VM) aware in order to prevent analysis within a sandbox. The Trojan functionality is decrypted at run-time and includes the expected functionality, such as downloading, uploading, and executing files driven by commands from the C&C. Communication with the C&C is over HTTP but is encoded to evade detection. The Trojan file name (e.g., "msupdate.exe") and the HTTP paths used for the C&C (e.g., "/microsoftupdate/getupdate/default.aspx") are chosen to stay under the radar by appearing to be related to Microsoft Windows Update - hence the name given to this Trojan.

Correlating this information with open-source intelligence (OSINT), we were able to find other reports of this Trojan within past targeted incidents, as well as a link to other incidents and compromise indicators. Further details of this information can be read within our joint report. The mission of this report is to inform organizations and security executives about these threats, and assist them in detection and mitigation.
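As an added example (not code from the joint report or from either company), a small Python check that turns the two network indicators above into a proxy-log detection: the Windows-Update-lookalike C&C path is flagged when it is requested from a host that is not a Microsoft domain. The log format, client addresses and hosts are constructed.

```python
import re
from urllib.parse import urlsplit

# Indicator quoted in the post: the C&C path is made to look like Windows Update.
MSUPDATER_PATHS = {"/microsoftupdate/getupdate/default.aspx"}
# Hosts where such a path would be unremarkable; any other host (or a bare IP) is suspect.
MICROSOFT_DOMAINS = ("microsoft.com", "windowsupdate.com")

# Constructed proxy-log lines (not real traffic): time client method url status user-agent
SAMPLE_LOG = """\
2012-01-31T10:00:01 10.0.0.5 GET http://update.microsoft.com/microsoftupdate/getupdate/default.aspx 200 Windows-Update-Agent
2012-01-31T10:00:07 10.0.0.9 GET http://203.0.113.10/microsoftupdate/getupdate/default.aspx?id=QWxhZGRpbg== 200 Mozilla/4.0
2012-01-31T10:00:09 10.0.0.9 POST http://cnc.example.net/MicrosoftUpdate/GetUpdate/default.aspx 200 Mozilla/4.0
2012-01-31T10:00:12 10.0.0.7 GET http://www.example.com/index.html 200 Mozilla/5.0
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<ua>.*)$")


def is_microsoft_host(host):
    """True if host is a Microsoft domain or a subdomain of one (suffix match, not substring)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_DOMAINS)


def flag_msupdater(log_text):
    """Return (client, host, path) for requests using the MSUpdater C&C path on a non-Microsoft host.

    The path mimics Windows Update, so the signal is that path on a host Microsoft does not own;
    the query string (the encoded C&C data) is ignored so that changing payloads still match.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort a batch run
        parts = urlsplit(m.group("url"))
        host = parts.hostname or ""
        if parts.path.lower() in MSUPDATER_PATHS and not is_microsoft_host(host):
            hits.append((m.group("client"), host, parts.path))
    return hits


if __name__ == "__main__":
    for client, host, path in flag_msupdater(SAMPLE_LOG):
        print(f"MSUpdater-style C&C beacon: {client} -> {host}{path}")
```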

Wednesday, January 25, 2012

Introducing Project Zulu

I want to personally and publicly thank Julien, Pradeep and Mike for all of their hard work over the past several months, to make today's launch of Project Zulu a reality. Zulu is a completely free service, open to anyone, which allows people to determine the risk posed by a particular web resource.

Zulu Launch Banner
Our goal in building Zulu was to provide a simple and straightforward interface accessible to anyone regardless of security knowledge, while still delivering granular results that are of value to those who are more security savvy. I believe we've achieved this by providing a UI that requires no input beyond the URL to be analyzed, while allowing a few necessary advanced options (User-Agent and Referer) for malware that is triggered only when certain input variables are met. Results display an overall rating of Benign, Suspicious or Malicious, and also include details of the elements that went into the overall score.

Zulu User Interface
We were also determined not to deliver a 'me too' project, as there are already a number of great security projects available. Services like VirusTotal, Anubis and Wepawet, for example, are invaluable tools when running specific tests (multi-AV, JavaScript/PDF analysis and sandboxing respectively). However, most such projects focus on a specific threat or type of analysis. With Zulu, we sought to combine our own proprietary scanning techniques with the great open-source intelligence that is available, to provide a broad view of the overall risk posed by virtually any web resource. Rather than looking at just one aspect of the resource, we separately assess the risk of the content, the URL and the host, and then combine these into an overall risk score. For each component, we employ the following approaches:

Zulu results for Zeus Related Malware

  • Content – Page content is scoured for the inclusion of potentially malicious code leveraging proprietary Zscaler algorithms, conducting heuristic tests and querying public sources.
  • URL – The requested URL is tested against known suspicious/malicious patterns, public black/white lists, as well as historic risk assessments for subdomains, domain TLDs, file types, etc.
  • Host – Historic reputations of the host IP address, Autonomous System Number (ASN) and geographic location are analyzed, along with suspicious behaviors displayed by the host in question.
A unique benefit of this approach is that we can deliver a risk score even when the page content is no longer available. While we can't access the page, we can still assess the URL and host, and when they deliver a high risk score despite the lack of page content, one can often conclude that the page was indeed malicious but has since been taken down. We also provide full access to historical scan results for the same resource. This can often uncover when a page first became infected and when it was subsequently cleaned up.

Why would Zscaler, a commercial entity, release a free tool? I'm sure that companies release free tools for a variety of reasons and ours are quite straightforward. Obviously Zulu provides a marketing benefit, but beyond this, it permits ThreatLabZ great freedom to experiment with new detection techniques. We plan to use Zulu as a proving ground for our great ideas (and yes, that makes you our guinea pigs). The benefit to you is that you're able to leverage some of our latest and greatest techniques. Moreover, you may well analyze a malicious web site that we haven't seen before. In the end, we hope that you find Zulu to be a valuable tool to combat web based threats and we certainly welcome your feedback at zulu[at]zscaler[dot]com.

One last thing. Why Zulu? Well, the Zulu warrior was a formidable foe, but more importantly, Zulu warriors represented a citizens' army. Not a standing army, but one that came together and fought valiantly when faced with an impending threat to their society. We view our Zulu as a tool for a citizen army combating malicious content. Everyone can use it and everyone benefits from historical results. Join the army!

- michael

Fake missing plugin warnings used for spam/spyware

A key element of a successful spam/malicious page is establishing trust with the visitor so that they will perform the requested actions. Users trust their browser, but not necessarily the content (i.e. the web page) that it displays. A trick that I've blogged about earlier is to fool the user into thinking that certain elements on the page actually come from the browser.

Recently, I've seen several websites showing a fake warning for a missing plugin. The fake warning is designed to look the same as the real warning shown by Firefox when the page requires a plugin that is not installed: a yellow bar at the top of the page with a link to install the plugin on the right, and a blue icon on the left.

Legitimate Firefox warning for a missing Adobe Shockwave plugin

On allostreaming.biz (French language), the fake warning is for a "missing" VLC plugin. You can tell that the warning is part of the page, and not part of the browser, because the scroll bar goes to the top of the warning, whereas the real warning is above the scroll bar (see the image above).

Fake warning for missing plugin
A look at the source code shows that the warning is indeed HTML from the page:

HTML code for the fake warning
The "VLC plugin" is the classic pay-per-install bundle, where the spammer gets paid for tricking users into installing spyware/adware.

The spammers are using the same fake warning on all browsers, which is another giveaway, as browsers other than Firefox don't have the same warning for missing plugins. Still, the attack will likely fool users of other browsers into installing this adware/spyware.

Friday, January 20, 2012

Zscaler keygen: beware of what you are looking for

Some searches yield more dangerous results than others. For example, looking to buy software online has a 90% risk of bringing you to a fake store, and free software might not be free of adware/spyware. Looking for 'warez' is another risky query.

Last week, I received a Google alert for "Zscaler Likejaking Prevention 1.1.2 for MAC keygen serial crack Apple registration code activation". Given that Zscaler Likejaking Prevention is a free tool that we provide, it certainly doesn't need a keygen utility!


The download link brings the user to firstclass-download.com. Downloading this specific file requires an account on firstclass-download.com, which costs $1.99/month plus a $69.95 one-time fee! At best, this money will allow you to download what is already available for free on multiple websites (Zscaler, Mozilla add-ons, Softpedia, etc.). At worst, users are paying to get malware or spyware.


This is the same technique I described in an earlier post related to Blackhat spam SEO. There are a lot of websites similar to mycleverlab.com. A search for "Zscaler keygen" shows many sites using the same trick: wacky-wii.com, dwlfile.com, zengenix.com, cracksguru.com, etc.

Always go to the official source to download any software. If you want "Zscaler Likejacking Prevention for MAC", go directly to Zscaler's website. No need to pay for what is already free!

Thursday, January 19, 2012

SOPA Protest: Wikipedia Traffic Trend (updated)

Updated 1/19: we have updated the charts and the narrative to reflect all of the 1/18 (protest timeframe) data and the first 10 hours of today. The last graph shows about a 365% increase in visits to their SOPA Initiative page and a >77% increase across SOPA-related page visits during the protest - this visually shows the success of Wikipedia's protest in spreading their message and educating visitors on SOPA. The middle graphs show an increase in unique visitors while the number of transactions per visitor decreases throughout the protest - a phenomenon that we have called "online rubber necking," in which visitors are there to see the protest page and perhaps inform themselves about the issue, but are not accessing the site in the "normal" manner in which many more pages/media files are accessed.

If you want a quick way of increasing traffic to your website - change or take down portions of your website in protest ... at least that is what we have gleaned from today's (1/18) Wikipedia protest against SOPA. There will likely be other blog posts and stats released on the results of this and other cyber protests - here is what we have seen from traffic thus far that has passed through one of Zscaler's clouds.

We observed a noticeable percentage increase in the unique visits (by client IP address) to Wikipedia comparing the protest timeframe to the surrounding dates:

However, these additional visitors are not incurring that much more bandwidth for Wikipedia - we have noticed only a slight percentage increase in Wikipedia web transactions today. See the chart below to see the slight increase in number of transactions per hour:

We can combine the two above graphs into a graph of transactions per unique visitor, and we see that this is much smaller today. This suggests that more people are flocking to Wikipedia today, but just to see the protest page and some details on SOPA. This behavior could be described as "online rubber necking".

We observed significantly more visits to Wikipedia's main page and SOPA Initiative page than the surrounding dates - further corroborating our above statements:

From the above stats we are able to visually represent the Wikipedia protest and the Internet community's "rubber necking" behavior, in which the number of visitors increases but the transactions per visitor decreases. While not the goal of Wikipedia's protest, from a media and public relations standpoint these types of Internet events can be beneficial or even lucrative. This last graph shows a large volume of people checking out the protest page. There was also about a 365% increase (going from about 16% to 75% of the visits) in visits to their SOPA Initiative page and a >77% increase (going from about 9% to 16% of the visits) across SOPA-related page visits during the protest - this visually shows the success of Wikipedia's protest in spreading their message and educating visitors on SOPA. I would expect that this may be a sign of the times to come, given the successful results of the protest on the Internet and that the message was received on Capitol Hill (reference on which Senators dropped support for SOPA).

Monday, January 16, 2012

Popularity of Exploit kits leading to an increase in compromised websites

The dominance of exploit kits like Blackhole, Incognito and others continues to be seen in the wild. Attackers continue to use these exploit kits to generate malicious webpages and host them on various domains. These exploit kits usually target browser and browser plugin vulnerabilities.

To increase the likelihood of a successful attack, exploit kits are commonly used to infect legitimate sites that already have significant traffic. Attackers achieve this by crafting scripts designed to identify sites with injection vulnerabilities, which allow hidden iFrames pointing to the exploit kit URL to be written into the page. When users visit the infected sites and are redirected to the browser exploit kits, a known browser or plugin vulnerability is typically used to download and execute malicious content without the user's knowledge. You can visit this related blog for more information about iFrame injection in detail.

Recently, I’ve seen a spike in such compromised sites, which lead to exploit kit URLs. In most cases, the JavaScript code containing the hidden iFrame is heavily obfuscated. Different exploit kits have their own techniques to obfuscate malicious code. Let’s take a look at a couple of examples and their respective de-obfuscated code.

iFrame leading to Incognito exploit kit

Obfuscated code:

The aforementioned obfuscated code was injected at the start of the webpage. Let’s deobfuscate the code to make sense of it.

De-obfuscated code:

You can see that the de-obfuscated code generates a hidden iFrame with the ‘src’ attribute assigned the exploit kit URL. Generally, the iFrame's visibility is set to hidden and its dimensions are kept to a minimum, which ensures that the iFrame doesn’t alter the look and feel of the page.

Exploit kit URL: hxxp://racingengines.osa.pl/showthread.php?t=63942072

After observing patterns in the exploit URL, one can determine that this URL belongs to the Incognito Exploit kit.

Suspicious URL Pattern: “/showthread.php?t=”

Search results for the above pattern at www.malwaredomainlist.com confirm that the URL belongs to the well-known Incognito exploit kit. The exploit kit URL is still active but currently not delivering the malicious code. Visit this blog on the Incognito exploit kit for more details.

iFrame leading to Blackhole exploit kit

Obfuscated code:

De-obfuscated code:

Exploit kit URL: hxxp://brighttz.com/main.php?page=dac9bd89165e2708

Suspicious URL pattern: “/main.php?page=”

Search results for the suspicious pattern at www.malwaredomainlist.com can be found here. The exploit kit URL is not currently active. We have been writing about the Blackhole exploit kit for some time. At present, this seems to be the favored exploit kit amongst attackers. You can find more information about the Blackhole exploit kit here.

Fortunately, the aforementioned exploit kit URLs have been blocked by Google Safe Browsing. A sample Google diagnostic report for the Incognito exploit kit URL can be found here. While conducting research, I come across a number of such compromised websites on a daily basis. Attackers continually alter the obfuscated code to ensure that it is not yet detected by popular AV/IPS/IDS vendors. This keeps them one step ahead in this ongoing game of cat and mouse.

To conclude, I would like to say:

“The growth in compromised websites is directly proportional to the growth in popularity of different exploit kits.”


Tuesday, January 10, 2012

An example of likejacking (Facebook clickjacking)

Last year, we released Zscaler Likejacking Prevention, a free browser extension to protect users from clickjacking leveraging Facebook widgets. Since then, I've seen many websites using Likejacking as their "business model" (i.e. this is how they get traffic to their spam site).

Usually, these spam websites try to get the user to click on a specific area of the page where they have hidden one or more 'Like' buttons. Recently, we found a website where the hidden Facebook 'Like' button follows the mouse throughout the page. No matter where you click, you hit the Like button.

Hidden Like widget follows the mouse

The technique used to hide the button has, however, been seen previously. There are hidden DIV elements with the opacity set to 0.0.1, which makes them transparent even though they are in the foreground. The position is set to absolute so that the element can be moved anywhere on the page.
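As an added example serving both the hidden-iFrame injections from the exploit kit post above and the transparent, absolutely positioned DIV described here (not code from either post, nor from the Likejacking Prevention extension), a small Python scanner that applies those two heuristics to page HTML. The exploit-kit host ek.example, the DIV id and the sample markup are constructed; the two URL path patterns are the ones quoted in the exploit kit post.

```python
import re
from html.parser import HTMLParser

# Exploit-kit landing-page URL patterns quoted in the post (Incognito and Blackhole).
EK_PATH_PATTERNS = (re.compile(r"/showthread\.php\?t=\d+"), re.compile(r"/main\.php\?page=[0-9a-f]+"))

def parse_style(style):
    """Inline style string -> {property: value}, lower-cased."""
    out = {}
    for decl in style.split(";"):
        if ":" in decl:
            key, val = decl.split(":", 1)
            out[key.strip().lower()] = val.strip().lower()
    return out

def num(value, default):
    """Leading number of a CSS value such as '1px' or '0.01'; default if absent."""
    m = re.match(r"\s*(\d+(?:\.\d+)?)", value or "")
    return float(m.group(1)) if m else default

class HiddenElementScanner(HTMLParser):
    """Flags tiny/hidden iframes (exploit-kit injection) and transparent absolute DIVs (likejacking)."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lower-cases tag and attribute names
        st = parse_style(a.get("style", ""))
        if tag == "iframe":
            src = a.get("src", "")
            width = num(a.get("width") or st.get("width"), 1000)
            height = num(a.get("height") or st.get("height"), 1000)
            hidden = st.get("visibility") == "hidden" or st.get("display") == "none"
            if any(p.search(src) for p in EK_PATH_PATTERNS):
                self.findings.append(("exploit_kit_iframe", src))
            elif hidden or (width <= 2 and height <= 2):
                self.findings.append(("hidden_iframe", src))
        elif tag == "div":
            # Near-zero opacity keeps the DIV clickable but invisible; absolute positioning lets script move it.
            if num(st.get("opacity"), 1.0) < 0.1 and st.get("position") in ("absolute", "fixed"):
                self.findings.append(("transparent_overlay", a.get("id") or a.get("class") or "div"))

def scan_html(html):
    scanner = HiddenElementScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed samples (not the pages from the posts): an injected 1x1 hidden iframe, and a transparent DIV around a Like button.
SAMPLE_COMPROMISED = ('<iframe src="http://ek.example/showthread.php?t=12345" width="1" height="1" '
                      'style="visibility:hidden"></iframe><p>Welcome</p>'
                      '<iframe src="http://www.youtube.com/embed/x" width="560" height="315"></iframe>')
SAMPLE_LIKEJACK = ('<div id="follow" style="position:absolute; opacity:0.01; top:0; left:0">'
                   '<iframe src="http://www.facebook.com/plugins/like.php?href=http://spam.example" '
                   'width="90" height="20"></iframe></div><button>Play video</button>')
```

Obfuscated injections only produce the iframe once the script runs, so in practice this scan is applied to the DOM a browser or sandbox renders, not to the raw source alone.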

Here is a video that explains how it works:

You can get the free Zscaler Likejacking Prevention extension for Firefox, Google Chrome, Safari and Opera on our website.

Tuesday, January 3, 2012

Google serves ad for Adware/Spyware

Last year, we wrote about Bing and Yahoo! serving ads leading to malicious websites. This week, it was Google who inserted ads for adware/spyware.

I found a suspicious ad in my Google Reader for a free FLV player. I've recently shown that this type of free software is regularly repackaged with adware/spyware for profit.

The ad leads to a download page for FoxTab FLV Player. There is a disclosure statement at the end of the page discussing the content of the bundle: "This product is totally free and offers the user additional bundle products that may include advertisement."

FLV Player download page

The adware/spyware is flagged by only 4 antivirus vendors out of 43. A behavioral analysis of the executable provided much more information about packages that were downloaded and ports open on the machine, etc.

The ad was found on the RSS feed of a security company that specializes in cleaning up infected websites. This highlights the fact that even reading content from otherwise legitimate resources can inadvertently lead users to unwanted applications when sites include third-party elements (JavaScript-driven ads in this case, but also IFRAMEs, widgets, etc.) that they do not have control over. Even trusted third parties like Google are apparently not succeeding in delivering 100% adware/spyware-free content to users.

Happy New Year 2012!