Ravens PHP Scripts: Security: Websense




MSNBC.com *BREAKING NEWS* Alert Update - Fake Celebrity News

Posted on Wednesday, September 03, 2008 @ 16:50:54 CDT in Security: Websense
by Raven

Websense® Security Labs(TM) ThreatSeeker(TM) Network has discovered a new wave of fake celebrity news being sent out via spam emails. Similar to the previous 'MSNBC.com Breaking News' and 'Bogus CNN Custom Alerts' attacks, these emails contain links to a malicious Web page on a compromised site that is designed to encourage users to download a malicious application posing as a video codec. This malicious Web page also holds iframes leading to an exploit site.

Over the last few days, the ThreatSeeker Network has seen huge volumes of spam wrapped up in CNN and MSNBC themed templates. Recently, email alerts listing different popular events and news articles also encouraged users to download a video codec, which was actually a malicious file.

The malicious payload is only accessed when the user clicks on the 'READ FULL STORY' link, which takes them to a Web page on a compromised site named index97.html. That page issues a pop-up encouraging users to download a 'missing' video codec, a file called video98.exe.

Here are a few examples of the varied subjects we have seen in this campaign:

  • Sensational news.
  • Check the message.
  • Breaking news! Be the first to know.
  • Very important news.
  • Astonishing
  • Please take a look.
  • Sensational information inside.
  • Check this out.
  • This is a bomb
  • This is really great news.
  • Please check.

Websense Messaging and Websense Web Security customers are protected against this attack.


Security Alert: ICANN Web Site Compromise

Posted on Friday, June 27, 2008 @ 23:59:23 CDT in Security: Websense
by Raven

Websense® Security Labs(TM) has received reports that the official website of ICANN and IANA Domains have been hijacked by a Turkish group called "NetDevilz". ICANN and IANA are responsible for the Internet Protocol (IP) address space allocation, protocol identifier assignment, generic (gTLD) and country code Top Level Domain Name System management, and root server system management functions. NetDevilz is the same group that has hijacked many other domains listed here: Zone-H Attack Archive.

The ICANN and IANA web sites were defaced and left the following message: "You think that you control the domains but you don't! Everybody knows wrong. We control the domains including ICANN! Don't you believe us? haha :) (Lovable Turkish hackers group)"

References:
http://securitylabs.websense.com/content/Blogs/3118.aspx
http://ddanchev.blogspot.com/2008/06/icann-and-ianas-domain-names-hijacked.html

Websense® Security Labs has been tracking a recent development of the malicious JavaScript injection that compromised thousands of domains at the start of this month, just 2-3 weeks ago. The attackers have now switched over to a new domain as their hub for hosting the malicious payload in this attack. We have no doubt that the two attacks are related as our brief analysis in our blog will detail. In the last few hours we have seen the number of compromised sites increase by a factor of ten.

This mass injection is remarkably similar to the attack we saw earlier this month. When a user browses to a compromised site, the injected JavaScript loads a file named 1.js, which is hosted on http://www.nihao[removed].com. The JavaScript code then redirects the user to 1.htm (also hosted on the same server). Once loaded, the file attempts 8 different exploits (the attack last April utilised 12). The exploits target Microsoft applications, specifically browsers not patched against the VML exploit MS07-004, as well as other applications. Ominously, files named McAfee.htm and Yahoo.php are also called by 1.htm, but they were no longer active at the time of writing.

There are further similarities too between the two mass attacks. Resident on the latest malicious domain is a tool used in the execution of the attack. An analysis of that tool can be found in the ISC diary entry here. Mentioned in that diary entry is http://www.2117[removed].net. Our blog on that attack can be found here. It appears that same tool was used to orchestrate this attack too.

The number of sites affected is in the hundreds of thousands. Casualties of the previous attack include various US news web sites, a major Israeli shopping portal, and numerous travel sites.

Websense® security customers are protected from this attack.
 

 
Websense(R) Security Labs(TM) has discovered emails that claim to solicit humanitarian support for flood victims in the state of Tabasco, Mexico. If users click an embedded link, they are prompted to download a banker Trojan horse disguised as an HTML file. The file is displayed with the blue Internet Explorer icon. When a user opens the file, the Trojan horse modifies the hosts file so that the legitimate Banamex domain resolves to the IP address of a host controlled by the attacker.

If users attempt to go to the Banamex site, they receive no visual indication that they are not at the legitimate site. The phishing toolbars that were tested did not detect this fake site as a fraud. Neither the downloaded banker Trojan horse nor the subsequent executable that it drops (win32.exe) is detected as malicious by the 32 anti-virus products tested.
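Because the Trojan works by rewriting the hosts file, one defender-side check is to parse that file and flag any watched domain pinned to a non-loopback address. The script below is an added example, not code from Websense or this site; the watchlist, the sample hosts content and the 203.0.113.45 address (an RFC 5737 documentation range) are constructed placeholders.

```python
import ipaddress
import sys

# Constructed sample of a hosts file after the kind of tampering described above:
# the bank's domain is pinned to an attacker-controlled address (placeholder IP).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.banamex.com
203.0.113.45    banamex.com   # added by malware
"""

# Assumed watchlist: domains that should never be overridden by a workstation's hosts file.
WATCHED_DOMAINS = {"banamex.com", "www.banamex.com"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def find_suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Flag watched domains (or their subdomains) that resolve to a non-loopback address."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                           # malformed line, not our concern here
        if addr.is_loopback:
            continue                           # 127.0.0.1 / ::1 entries are normal
        if name in watched or any(name.endswith("." + w) for w in watched):
            findings.append((name, ip))
    return findings


if __name__ == "__main__":
    # Pass a hosts file path (e.g. C:\Windows\System32\drivers\etc\hosts) or use the sample.
    content = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for host, addr in find_suspicious_entries(content):
        print(f"SUSPICIOUS: {host} -> {addr}")
```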
Websense® Security Labs(TM) has discovered a new email attack variant similar to attacks previously launched on the IRS and Better Business Bureau. The spoofed email claims to be from the United States Department of Justice (USDOJ). We have been tracking these attacks and have previously reported on them here and here.

The message claims that a complaint to the USDOJ has been filed against the recipient's company. The email informs the reader that a copy of the original complaint has been attached to the email. The attached "complaint" is a Trojan Downloader .scr file with an MD5 of aeb784bc17c4c7e6edc5f1faaa9ed24f.
Websense Security Labs ThreatSeeker has received reports of new malicious code that utilizes the YouTube brand to lure users into running the code.

The attack begins with an email lure written in HTML that invites users to view a video from YouTube. Upon connecting to the site, users are directed to a page that resembles the real YouTube site. The page then reports that the video cannot load and attempts to dupe users into downloading and installing a "Flash player".

In what could be a disturbing sign of things to come, the site is hosted on a server that has hosted more than one hundred phishing sites over the last 4 months. This server is managed by the infamous "Rock Phish" group, the largest phishing gang on the Internet and the one responsible for the majority of phishing URLs.
Page 4 of 4 (24 total stories)