Archive for May, 2010
Net Crooks Defraud Service Members with Phishing Site
The New New Internet: Symantec has discovered a phishing site spoofing a credit union that provides financial services to members of the Army, Marine Corps, Navy and Air Force …
May 28
Injecting malicious HTML code into legitimate Web sites has become commonplace in the past few years. More often than not, the attackers inject a script or iframe tag into a legitimate site that silently redirects visitors to attack sites. Last week, however, we discovered an outlier to that trend: a malicious applet code injection. The injected applet turns the page into a drive-by attack that downloads and then executes a malicious application.
Screen shot of injected page:
Reviewing the applet code, we can see that a 'Client.jar' file is downloaded. When Client.jar runs, it uses some of the data found in the applet tag to create a .vbs file on the local system. Reviewing the contents of Client.jar, we can see that it does this by reading the contents of the applet parameter "windows1".
Screen shot of Client.jar:
Reviewing the applet code on the injected site, we can see a <param> tag with name='windows1'. The contents of the tag are actually one long command that uses cmd.exe to create a .vbs file at %temp%/winconfig.vbs. At the end of this command you can see that the .vbs file is executed to download a malicious file and place it on the local file system as %temp%/update.exe. Notice the tinyurl passed to winconfig.vbs: this is probably an attempt to make the code look a bit more legitimate, since it doesn't look like it's downloading an executable file.
Screen shot of the .vbs code:
The interesting thing about these injections is the social engineering aspect of the attack. Remember that this applet code is being injected by attackers into legitimate pages, and the attack .jar file is hosted on the same infected domain. This means that you may get a few warnings popped up by Java, but most people will simply click through and ignore them, especially if they are visiting a "trusted" page. After all, who really reads warnings when they are visiting a page they have been to before? Most people would think that if a warning is coming from a page which they have been to and trusted before, there must be a false positive situation occurring.
Here is a quick video of this attack in action.
Websense Messaging and Websense Web Security customers are protected against this attack.
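As an added example (not part of the original post), the following Python scanner shows how a defender can flag the injection pattern described above: an <applet> whose <param> value carries a cmd.exe command that writes and runs a .vbs file from %temp%. The marker list, parser and sample page are constructed for illustration.

```python
from html.parser import HTMLParser

# Substrings that, inside an <applet> <param> value, indicate the injection described
# above: a cmd.exe one-liner that writes a .vbs into %temp% and runs it.
SUSPICIOUS_MARKERS = ("cmd.exe", "cmd /c", "%temp%", ".vbs", "cscript", "wscript")

class AppletParamScanner(HTMLParser):
    """Collects each <applet> tag's archive attribute and the <param> values nested in it."""
    def __init__(self):
        super().__init__()
        self.applets = []      # one dict per closed <applet> element
        self._current = None   # applet currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "applet":
            self._current = {"archive": a.get("archive"), "params": {}}
        elif tag == "param" and self._current is not None:
            self._current["params"][a.get("name", "")] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "applet" and self._current is not None:
            self.applets.append(self._current)
            self._current = None

def find_injected_applets(html):
    """Return one finding per <param> whose value carries command/script markers."""
    scanner = AppletParamScanner()
    scanner.feed(html)
    hits = []
    for applet in scanner.applets:
        for name, value in applet["params"].items():
            matched = [m for m in SUSPICIOUS_MARKERS if m in value.lower()]
            if matched:
                hits.append({"archive": applet["archive"], "param": name, "markers": matched})
    return hits

# Constructed sample modelled on the injection described above; not a real capture, and
# the echoed .vbs body is omitted. HTMLParser unescapes &amp; and &gt; in attribute values.
SAMPLE_PAGE = """<html><body><h1>Legitimate page</h1>
<applet code="Client.class" archive="Client.jar" width="1" height="1">
<param name="windows1" value="cmd.exe /c echo [vbs body omitted] &gt; %temp%\\winconfig.vbs &amp;&amp; cscript %temp%\\winconfig.vbs">
</applet></body></html>"""

if __name__ == "__main__":
    for hit in find_injected_applets(SAMPLE_PAGE):
        print(hit)
```

Run over a crawled copy of a site's pages, any hit deserves manual review of the referenced .jar and the page's recent modification history.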
We managed to get our hands on the malicious Facebook application that we blogged about twice in the past few weeks. In the video below we're going to dive into it and see what's going on with this app:
For those of you that can't spare the time to watch the video, this is a brief summary of how it works.
- The first part of the code contains Facebook-specific information such as API key, secret key etc.
- It starts off by checking if the app has permissions to post on the user's wall. If it doesn't it will prompt the user to grant it permissions using Facebook APIs.
- It then enumerates the list of friends, picks a number of them at random (in this case the count is hardcoded to 10) and posts a message to the walls of those 10 randomly picked friends.
- A message is then displayed asking the user to click "Continue" to watch the video.
- Yet another page is displayed that loads a thumbnail of a video and overlays the image with a prompt saying that the "FLV Player" needs updating.
- When the user clicks on "Continue", it loads the file videoplayer.php which does a simple redirect to http://www.flvpro.com/downloadfile.php?aff=3447_movies, where 3447_movies is the affiliate ID of the group/person behind the malicious app.
So far we have identified over 100 apps on Facebook that are all working the same way; the only difference is the API and secret keys that are used. In addition to them all working the same way, they also use the same Google Analytics UA ID to track visitor statistics.
Overall the app is very simple and relies fully on social engineering. The numbers from the two attacks we've seen so far prove that, despite its slow propagation method (only sending the message to 10 users at a time), these types of attacks unfortunately work very well.
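As an added example (not code from the original post or from the apps it describes), the following Python snippet shows how the two shared markers mentioned above, the Google Analytics UA ID embedded in each app and the affiliate ID in the videoplayer.php redirect target, can be used to cluster copies of the app that differ only in their API and secret keys. App names, page sources and UA IDs are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Google Analytics account IDs have the form UA-<account>-<property>. The 2010-era
# ga.js snippet passes one to _gaq.push(['_setAccount', ...]) or _gat._getTracker(...).
UA_ID_RE = re.compile(r"\bUA-\d+-\d+\b")

def extract_indicators(app_name, page_source, redirect_target):
    """Pull the shared-infrastructure markers out of one app: its GA UA ID(s)
    and the affiliate ID carried in the videoplayer.php redirect target."""
    parsed = urlparse(redirect_target)
    affiliate = parse_qs(parsed.query).get("aff", [None])[0]
    return {
        "app": app_name,
        "ua_ids": sorted(set(UA_ID_RE.findall(page_source))),
        "redirect_host": parsed.hostname,
        "affiliate": affiliate,
    }

def cluster_apps(indicators):
    """Group apps by (UA ID, affiliate ID). Apps with different API keys but the
    same tracking account and payout ID are most likely one operator's copies."""
    clusters = defaultdict(list)
    for ind in indicators:
        for ua in ind["ua_ids"] or ["<no UA ID>"]:
            clusters[(ua, ind["affiliate"])].append(ind["app"])
    return dict(clusters)

# Constructed sample apps; UA IDs and app names are placeholders, not real captures.
SAMPLE_APPS = [
    ("shocking-video-1", "<script>_gaq.push(['_setAccount', 'UA-1111111-1']);</script>",
     "http://www.flvpro.com/downloadfile.php?aff=3447_movies"),
    ("shocking-video-2", "<script>var t = _gat._getTracker('UA-1111111-1');</script>",
     "http://www.flvpro.com/downloadfile.php?aff=3447_movies"),
    ("harmless-quiz", "<script>_gaq.push(['_setAccount', 'UA-2222222-3']);</script>",
     "http://example.invalid/quiz"),
]

def find_campaign_clusters(apps=SAMPLE_APPS):
    """Return only the clusters that span more than one app."""
    clusters = cluster_apps([extract_indicators(*a) for a in apps])
    return {key: names for key, names in clusters.items() if len(names) > 1}

if __name__ == "__main__":
    for (ua, aff), names in find_campaign_clusters().items():
        print(f"{ua} / aff={aff}: {', '.join(names)}")
```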
May 26, 2010, Alexandria, Va. – National Credit Union Administration Chairman Debbie Matz issued the following statement regarding Federal Trade Commission approval of a rule mandating disclosures of insurance status by non-federally insured financial institutions, including credit unions.
May 25, 2010, Alexandria, Va. – The National Credit Union Administration (NCUA) Board today approved the charter for a new federal credit union.
May 25, 2010, Alexandria, Va. – The National Credit Union Administration (NCUA) is reporting recently simulated NCUA email boxes.
WASHINGTON (5/27/10, UPDATE 10 a.m. (ET))—Consumers could lose important card choices if the U.S. Congress allows government intervention in setting interchange fees, and CUNA and Independent Community Bankers of America urged House members to reject interchange provisions in a final financial regulatory reform bill.
With conferees for the upcoming congressional regulatory reform conference being announced this week, CUNA will again urge legislators to drop provisions, or at least modify the provisions found in the current Senate bill, because they would increase costs and reduce choice for consumers.
Community First CU will receive the check refunding unrelated business income taxes (UBIT) it paid the government in 2007. The refund was ordered by a Wisconsin court after the credit union’s landmark win in its challenge of the government’s assertion that UBIT applies to certain insurance products sold by credit unions.
The uncertainty across global markets from Europe’s debt problems and the tension between North and South Korea was reflected in Tuesday morning’s negative stock market numbers. But the effects of Europe’s debt won’t be devastating to the U.S. economy, CUNA senior economist Mike Schenk told TheStreet.com.