Dotkachef Exploit Kit Comeback
Posted by Sindyan on 03 February 2014 03:00 PM

 

Websense® Security Labs™ researchers, using our Websense ThreatSeeker® Intelligence Cloud, discovered an interesting new malvertising campaign that abuses legitimate ad systems. The infection starts with a compromised advertisement URL hosted on a legitimate website and ultimately lures victims to the Dotkachef exploit kit.

Dotkachef is a new underdog exploit kit that first emerged in early 2013. Unlike the Magnitude and Neutrino exploit kits, which emerged in the same time period, Dotkachef did not get the attention or the coverage these other exploit kits got when they first surfaced. Dotkachef has come back with a very sneaky yet very effective scheme. It infects known advertising systems such as OpenX. The use of advertising systems has proven to be an extremely effective method of spreading malware through trusted legitimate ad chains. Websense Security Labs has encountered and covered similar attacks before with different types of exploit kits:

http://community.websense.com/blogs/securitylabs/archive/2012/06/29/cleartrip-com-compromised-malicious-ad-tactics-uncovered.aspx

In this blog, we will analyze this new malicious campaign. The infection chain is as follows:

1. A legitimate but compromised site hosts a malicious advertisement URL.
2. The infected URL is usually hosted on legitimate sites.
3. The compromised advertisement URL contains obfuscated malicious code that eventually lures victims to the exploit kit page.
4. Deobfuscating the code reveals a known Dotkachef redirector URL, such as hxxp://brins.biz.
5. This URL redirects victims once more to another obfuscated URL hosted on a compromised site.
6. Deobfuscating that code finally leads victims to the exploit kit.
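The chain above (legitimate page, ad URL, Dotkachef redirector, compromised site, exploit kit landing page) is what an analyst has to reconstruct from proxy logs when triaging such a campaign. The following is an added example, not code from Websense or from the original post: it rebuilds per-client referrer chains from a constructed, whitespace-separated proxy log (timestamp, client, URL, referrer) and reports any chain that passes through a known redirector domain. Only `brins.biz` comes from the post; the `.example` hostnames, the log format and the client addresses are constructed for illustration.

```python
from urllib.parse import urlsplit

# Redirector domains named in the post; extend from your own intelligence feed.
KNOWN_REDIRECTORS = {"brins.biz"}

# Constructed proxy log: "<timestamp> <client> <url> <referrer-or-dash>".
# Hostnames and addresses are illustrative, not from the post.
SAMPLE_PROXY_LOG = """
2014-02-03T14:00:01 10.0.0.5 http://legit-news.example/index.html -
2014-02-03T14:00:02 10.0.0.5 http://ads.example/openx/ad.js http://legit-news.example/index.html
2014-02-03T14:00:03 10.0.0.5 http://brins.biz/r/ http://ads.example/openx/ad.js
2014-02-03T14:00:04 10.0.0.5 http://compromised.example/js/x.php http://brins.biz/r/
2014-02-03T14:00:05 10.0.0.5 http://ek-landing.example/index.php?id=1 http://compromised.example/js/x.php
2014-02-03T14:00:06 10.0.0.9 http://legit-news.example/index.html -
2014-02-03T14:00:07 10.0.0.9 http://ads.example/openx/ad.js http://legit-news.example/index.html
"""


def parse_proxy_log(text):
    """Parse the constructed four-column log into request records."""
    entries = []
    for line in text.strip().splitlines():
        ts, client, url, referrer = line.split()
        entries.append({"ts": ts, "client": client, "url": url,
                        "referrer": None if referrer == "-" else referrer})
    return entries


def host_of(url):
    """Hostname part of a URL, or '' if it cannot be parsed."""
    return urlsplit(url).hostname or ""


def redirect_chains(entries):
    """For every request to a known redirector, rebuild the full chain around it.

    Walk backwards along referrers to the page the victim actually visited,
    then forwards to every request that named the previous hop as its referrer.
    """
    by_client = {}
    for e in entries:
        by_client.setdefault(e["client"], []).append(e)

    chains = []
    for client, reqs in by_client.items():
        by_url = {r["url"]: r for r in reqs}
        for r in reqs:
            if host_of(r["url"]) not in KNOWN_REDIRECTORS:
                continue
            seen = set()
            # backwards: redirector <- ad URL <- originating page
            back, cur = [], r
            while cur is not None and cur["url"] not in seen:
                seen.add(cur["url"])
                back.append(cur["url"])
                cur = by_url.get(cur["referrer"]) if cur["referrer"] else None
            back.reverse()
            # forwards: redirector -> compromised site -> exploit kit landing
            fwd, cur_url = [], r["url"]
            while True:
                nxt = [x for x in reqs if x["referrer"] == cur_url and x["url"] not in seen]
                if not nxt:
                    break
                cur_url = nxt[0]["url"]
                seen.add(cur_url)
                fwd.append(cur_url)
            chains.append({"client": client, "redirector": r["url"], "chain": back + fwd})
    return chains


if __name__ == "__main__":
    for c in redirect_chains(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print(f"client {c['client']} hit redirector {c['redirector']}:")
        for hop in c["chain"]:
            print("   ->", hop)
```

The second client in the sample fetched the same ad script but never reached the redirector, so no chain is reported for it; in practice that is the population that saw the ad while the malicious creative was not being served.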

In conclusion, the Dotkachef exploit kit has found a new way to come back and compete with well-known exploit kits through the use of advertising systems, and it has managed to stay hidden from security vendors. Websense security solutions help guard against these kinds of exploit kits.


Raising DNSchanger Malware Awareness
Posted by Mary Grace Timcang on 06 July 2012 01:12 AM

The cyber trenches are awash today with news of DNSchanger malware. This post adds to previous efforts to alert the public that they could lose their Internet service this coming Monday, July 9. DNSchanger malware takes control of a user's DNS settings, which cyber criminals use to direct unsuspecting users to fraudulent sites or simply to interfere with a user's online activities. Inarguably, these infected servers are going to be taken down, spelling trouble for thousands of users who will lose their Internet connections. The Trojan changes the DNS settings to IP addresses in the following ranges:

 

  • 85.255.112.0 through 85.255.127.255
  • 67.210.0.0 through 67.210.15.255
  • 93.188.160.0 through 93.188.167.255
  • 77.67.83.0 through 77.67.83.255
  • 213.109.64.0 through 213.109.79.255
  • 64.28.176.0 through 64.28.191.255

 

According to reports, the problem surfaced when an online advertising scam, operated by international hackers, took control of approximately 570,000 computers worldwide. The FBI estimates that more than half of these machines are still infected; 60,000 or more are believed to be in the United States. Infected machines have their antivirus software disabled, and users experience slowness when surfing the Web. Several ISPs and companies, including Google, Facebook and Comcast, have released notifications to their customers about this event. The FBI got involved as well and has set up a website, http://www.dcwg.org, for consumers to check their DNS. More information on DNSchanger malware is available here.
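The check that http://www.dcwg.org performs can also be done locally against the six ranges listed above. The following is an added example, not code from Websense or from the original post: it converts the post's first/last address pairs into CIDR networks, pulls the configured resolvers out of either a resolv.conf file or Windows `ipconfig /all` output, and flags any resolver inside a DNSChanger range. The two sample configurations are constructed for illustration; only the IP ranges come from the post.

```python
import ipaddress

# The rogue DNS server ranges listed in the post (first address, last address).
ROGUE_DNS_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]


def ranges_to_networks(ranges):
    """Turn first/last address pairs into CIDR networks so membership tests are cheap."""
    networks = []
    for first, last in ranges:
        networks.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return networks


ROGUE_NETWORKS = ranges_to_networks(ROGUE_DNS_RANGES)


def is_rogue_dns(server):
    """True if the address lies in a DNSChanger range; unparseable input is treated as not rogue."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return False
    return any(addr in net for net in ROGUE_NETWORKS)


def dns_servers_from_resolv_conf(text):
    """Collect resolver addresses from /etc/resolv.conf-style 'nameserver X' lines."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def dns_servers_from_ipconfig(text):
    """Collect resolver addresses from Windows 'ipconfig /all' output.

    The 'DNS Servers' line carries the first address after the colon; any
    further resolvers follow on indented continuation lines holding only an address.
    """
    servers = []
    collecting = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("DNS Servers") and ":" in stripped:
            servers.append(stripped.split(":", 1)[1].strip())
            collecting = True
            continue
        if collecting:
            try:
                ipaddress.ip_address(stripped)
                servers.append(stripped)
                continue
            except ValueError:
                collecting = False   # first non-address line ends the list
    return servers


def flag_rogue(servers):
    """Map each configured resolver to whether it falls in a DNSChanger range."""
    return {s: is_rogue_dns(s) for s in servers}


# Constructed samples for illustration; not taken from the post or from a real host.
SAMPLE_RESOLV_CONF = """# constructed sample
nameserver 85.255.112.36
nameserver 8.8.8.8
"""

SAMPLE_IPCONFIG = """   DNS Servers . . . . . . . . . . . : 93.188.161.10
                                       8.8.4.4
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for name, servers in (("resolv.conf", dns_servers_from_resolv_conf(SAMPLE_RESOLV_CONF)),
                          ("ipconfig", dns_servers_from_ipconfig(SAMPLE_IPCONFIG))):
        for server, rogue in flag_rogue(servers).items():
            print(f"{name}: {server} -> {'ROGUE (DNSChanger range)' if rogue else 'ok'}")
```

On a real host, feed the script the contents of /etc/resolv.conf or the captured output of `ipconfig /all`; a rogue resolver is a sign the machine (or the router it takes DHCP from) should be cleaned before the rogue servers go offline.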

 

Here's a screenshot of a machine infected by the DNSchanger malware:

 

Checking this DNS IP in http://www.dcwg.org confirms it's rogue:


We may also see malware, spam, or scam campaigns that exploit news about the DNSchanger malware. As a precaution, be careful when clicking links in notification emails claiming to be from your ISP, or links on Facebook posing as information on DNSchanger malware. These may be spoofed emails or links designed to download malware or take you to a malicious website.

 

Websense® security solutions protect against all known variants of the Trojan.

 

