Domain: websensesecuritylabs.com
Stories and comments across the archive that link to websensesecuritylabs.com.
Comments · 8
-
Re:so......Because it's a simple image. Who would think that an image can deliver such a nasty payload? It doesn't need any user interaction. This blows right through fully patched copies of windows, and IE opens and executes it automatically (video here - http://www.websensesecuritylabs.com/images/alerts
/ wmf-movie.wmv)Does your website have an image on it? It can be exploited that way. Does your email render html, even with scripting turned off? It can be exploited that way. A few trusted sites have been compromised with this exploit. Some seedier as networks (with hundreds or thousands of affiliates) are using this to generate cash. There is no patch for Windows ME, 98, or 95 and there will never be as these OSes are unsupported. These systems will ALWAYS have this vulnerability.
Imaginine if someone uploaded this to MySpace (http://www.alexa.com/data/details/traffic_detail
s ?q=&url=www.myspace.com/), as they allow full html formatting, embed, iframes and all kinds of crazy crap. One exploit on a popular blog will cause A LOT of damage. -
Re:Don't think so.
Ok, to calm your nerves, here is the screenshot version: http://www.websensesecuritylabs.com/alerts/alert.
p hp?AlertID=385 -
Re:Don't think so.
http://www.websensesecuritylabs.com/ is a reputable security provider that I have personally done business with as Director of Vendor Relations at SANS. I did not post that URL lightly.
-
Additional Resources
Internet Storm Center Coverage - Alert moved to yellow as of this morning. http://isc.sans.org/diary.php?rss&storyid=975
Also, take a look at this movie from websense: http://www.websensesecuritylabs.com/images/alerts/ wmf-movie.wmv it shows step-by-step what happens to a clean machine as it gets exploited by this new menace. -
Re:I call hoaxtry the websense website with more detailed information.
The original infection occurs when the user visits a malicious website that exploits a previous vulnerability in Microsoft Internet Explorer. This vulnerability allows applications to run without user intervention. The malicious website uses the Windows help subsystem and a CHM file to download and run a Trojan Horse (download-aag). The downloader then connects, via HTTP, to another malicious website. This website hosts the application that encodes files on the user's local hard disk and on any mapped drives on the machine. The malicious code also drops a message onto the system with instructions on how to buy the tool needed to decode the files. This message includes the email address of a third party to contact for instructions, and the user is directed to deposit money into an online E-Gold account.
-
More Information on the Issue
Here is some more reading on this extortion attack: http://www.websensesecuritylabs.com/alerts/alert.
p hp?AlertID=194 -
DetailsDetails are always nice when stories like this are run. I see they are somewhat lacking here. Let's make up for that a little, shall we:
---
It is particularily interesting to note that this is a browser vulnerability exploit rather than an actual virus.
---
Symantec description of the Trojan Horse encoder
A google search for PGPcoder will turn up lots more.
-
Of course, the article doesn't link to the reportHere it is http://www.websensesecuritylabs.com/resource/PDF/
A PWGPhishingActivityReportMarch2005.pdf
Notice that the article linked to in this topic doesn't mention who the Usual Suspect is that causes these keyloggers to be installed by just visiting a web site.
The article is garbage. It is pure sensationalism and doesn't bother to put the whole issue in perspective by including 1 simple href to the the actual report. (For those who don't RTFR above, you get 1 guess about which browser the report points at exclusively).
For instance, the actual report says things like "Over the last 2 months, Websense Security Labs has seen a dramatic increase in the volume of phishing-based malicious code attacks, in particular, code that targets the Portuguese language ". (emphasis mine).
It also says that 48% of the phishing links are ip addresses ONLY, . (So, ~half of them specifically target people who will click ANY link)
And, this quote from the actual report puts the last nail in article's coffin:
To date, Websense Security Labs have seen attacks from the following sources:
* Websites that host adult entertainment and shopping content which exploit Internet Explorer vulnerabilities to run code remotely without user interaction.
* Instant Messaging (IM) messages and IM worms which blast a message to users enticing them to visit a remote website and run code which is hosted on that site.
* IM messages which include attachments and entice users to run the code.
* Blasts of emails that have attachments enticing users to run the code.
* Blasts of emails that entice users to visit a remote website, and then lure users to run malicious code that is hosted on that site.
* Blasts of emails that entice users to visit a remote website, and then attempt to use an Internet Explorer vulnerability to download and run code without user interaction.