Monday, March 22, 2010

Obfuscated URLs no match for eSoft SiteFilter

Researchers at Kaspersky Lab have discovered a new banking malware campaign that uses an old trick to obfuscate malicious URLs. Rather than a domain name or dotted-decimal IP address, the host part of the malicious link is written as a number in another base, such as octal or hexadecimal. Major browsers accept these formats, and the unfamiliar-looking address serves to trick users into following the link and infecting their machines.

The Kaspersky post goes on to speculate that URL filters would have difficulty detecting and blocking the obfuscated URLs, leaving users vulnerable to these attacks. While many web filtering vendors may be susceptible to this trick, eSoft customers are protected. eSoft SiteFilter fully supports these obfuscated URLs, filtering sites in ALL categories.

Using playboy.com as an example, the same address can be expressed in many different ways, including the examples below.

http://216.163.137.68
http://3634596164
http://0xd8.0xa3.0x89.0x44
http://0xd8.0xa3.0x89.68
http://0330.0243.0211.0104
http://000000330.0xa3.137.0104
http://0xD8A38944
http://033050704504

As shown on the Test a Site portal, eSoft correctly interprets these encoded addresses and detects each of these URLs as Pornography/Sex, the same as the domain playboy.com.
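To illustrate what a filter has to do before the category lookup, here is an added example (not eSoft's code and not from the Kaspersky post) that normalises every form above to one dotted-decimal address using the same component rules browsers and inet_aton apply; the category table is a constructed stand-in for a filter database.

```python
from urllib.parse import urlsplit


def parse_ipv4_part(part: str) -> int:
    """Parse one dotted component: 0x prefix is hex, a leading 0 is octal, else decimal."""
    if part[:2].lower() == "0x":
        return int(part[2:] or "0", 16)      # bare "0x" reads as 0, as browsers do
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)                   # "089" raises ValueError: invalid octal
    return int(part, 10)


def canonical_ipv4(host: str):
    """Return the dotted-decimal form of any inet_aton-style IP literal, or None otherwise."""
    parts = host.split(".")
    # isalnum() rejects empty components, signs and underscores that int() would accept.
    if not 1 <= len(parts) <= 4 or not all(p.isalnum() for p in parts):
        return None
    try:
        values = [parse_ipv4_part(p) for p in parts]
    except ValueError:
        return None                           # a hostname, not a numeric address
    # Every component except the last is one byte; the last fills the remaining bytes,
    # which is why a single 32-bit number (decimal, hex or octal) is a valid host.
    if any(v > 255 for v in values[:-1]):
        return None
    last_width = 8 * (5 - len(values))
    if values[-1] >= 1 << last_width:
        return None
    addr = 0
    for v in values[:-1]:
        addr = (addr << 8) | v
    addr = (addr << last_width) | values[-1]
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


# Constructed category table keyed by canonical host (hypothetical, not eSoft's database).
CATEGORY_DB = {
    "216.163.137.68": "Pornography/Sex",
    "playboy.com": "Pornography/Sex",
}


def classify_url(url: str) -> str:
    """Look up a URL's category after collapsing obfuscated IP spellings to one key."""
    host = urlsplit(url).hostname or ""
    key = canonical_ipv4(host) or host.lower()
    return CATEGORY_DB.get(key, "Uncategorized")
```

A filter that keys its lookup on the raw host string instead of the canonical address would see eight different "sites" in the list above and categorise none of them.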

As the Kaspersky example shows, vendors that do not accurately filter these URLs leave users vulnerable to dangerous banking Trojans and to end users evading the filter. Malicious campaigns using this technique have been seen in the past and, because it works, will be used again in the future.

eSoft’s web filtering technology and focus on security provide users with unsurpassed protection against the latest web threats, including these obfuscation techniques.

Sunday, March 21, 2010

Cinderella Story Leads to March Madness Malware

The first week of March Madness has brought about many compelling stories, with a good deal of upsets and bracket busters. The most newsworthy of these has been the University of Northern Iowa’s ousting of #1 overall seed Kansas. This ‘Cinderella’ story has deservedly gotten a great deal of press coverage. However, those looking for information on the web may get infected with malware rather than a great story.

The eSoft Threat Prevention Team has been tracking search results on the story, and the NCAA Basketball Tournament in general, uncovering a great number of poisoned search terms. Searches for UNI Basketball or star player Ali Farokhmanesh return dangerous results leading to malware.

Seven of the top 10 results for UNI Basketball link to malware, including the second result. The rogue anti-virus payload has very low detection among anti-virus vendors.

eSoft proactively detects and blocks blackhat SEO and search attacks similar to these using its automated systems and in-depth web site analysis. Any sites found are flagged as Compromised or Malicious, protecting eSoft SiteFilter customers.

Thursday, March 4, 2010

Virus Alert! Twitter, Google, Hallmark and Others Subject To Attack

The eSoft Threat Prevention Team is warning customers today of a new email scam that is circulating very quickly. These fraudulent emails claim to be from Google Staffing, Hallmark, Twitter and other social networks and legitimate businesses.

The email persuades the user to open the attached zip file to find out more information. Users that follow through and open the file infect their own system and become part of the threat.

The very legitimate-looking email below is just one example of the scam. It uses the actual Google logo, downloaded directly from Google's website, and easily hooks you into opening the attached file to find out more.

In this case, the downloader infected the system with a bot that immediately begins sending thousands more infected emails, including fake e-cards from Hallmark and invitations from social networks like Twitter and Hi5.

The Twitter email is also very well crafted to make the user believe that a friend invited them and that the message legitimately comes from Twitter. The from address is spoofed to invitations@twitter.com with the subject “Your friend invited you to Twitter!”. The body of the message begs the user to open the attached file: “To join or see who invited you check the attachment”. With this clever social engineering tactic the scammers pique the recipient's interest in finding out who may have sent the message. The user is tricked into opening the attachment and infecting their system.

As always, be very cautious when opening any attachment, and especially cautious when it is unexpected. When in doubt, verify with the sender or do not open it.