Functions

• Automated analysis and detection of website malware.
• Detection for plenty of vulnerabilities.
• Log export supports HTML and TXT format.
• Ability to deeply analyze JavaScript.

You can download NSDECODER here:

nsdecoder_gui_v1.0.zip

Or you can read more here.

There have been quite a few security concerns with Facebook, especially with the amount of personal information it collects on it’s users.

Of course there is Koobface and it’s many variants which have been propagating all kinds of spam through Facebook wall posts and messages.

I’m glad someone is offering a solution for free, yes they benefit from it too by being able to gather data on Facebook activity and the quantity of malicious posts occurring on Facebook.

Security vendor Websense if offering Facebook users and businesses a new free ‘firewall’ service that monitors their pages for malicious posts, links and spam.

Defensio 2.0 checks all posts to Facebook in real time against Websense’s ThreatSeeker Network, a database of problem URLs, before deciding whether to categorise a post as malicious or unwanted. This also draws from data gathered by US ISP Radialpoint and URL shortening service bit.ly before performing further heuristic analysis as a final check.

If a bad post is detected, the system logs and informs the user who makes the final decision. As with the original Defensio system – acquired a year ago when Websense bought the company of the same name – it can also monitor web pages for rogue posting, pre-emptively blocking those it deems unwanted.

“We are seeing real threats to Facebook such as Koobface,” said Websense senior research manager, Carl Leonard.

It seems to work on a ‘moderation’ model so if the software detects any suspicious automated messages/links or other dodgy activity it will block the post/message and allow the user to approve/deny the request.

But then it’s only going to be effective if take-up is good amongst the non-tech savvy users where the problems tend to be a lot more common.

Sadly this seems highly unlikely as only people who read sites like this will know about it, unless it get’s heavily promoted on Facebook..but then you have to contend with ad-blindness problems.

According to Leonard, an advantage of Web 2.0 monitoring was that it gave security companies a way of following criminals inside the otherwise closed world of social media, something that many security vendors can’t yet do. “We can have visibility into threats on these social networks, and have a fantastic feed of information that can benefit all our customers,” he said.

Leonard was not able to say when or if the monitoring might be available other social media sites or feeds such as twitter, where rogue behaviour can be difficult to spot.

The service is free for anyone with fewer than 50,000 posts per month, and for companies with 15 employees of less. For professional sites or sites with larger volumes of posts, the service starts at $5 (£3) per month, per site.

It’s free for most people, I’d imagine very few companies are making 1500 posts per day! Even if you need to pay it’s pretty cheap.

I hope to see more initiatives from companies like this, and ideally someone working with Facebook themselves to increase pro-active security measures on the site.

Obviously that’s not their first priority and with the recent brouhaha about their new privacy terms and default settings..you should be concerned about what information of yours they intend to utilise.

Source: Network World

This looks like a fairly complex infection mechanism combining exploiting websites, injecting JavaScript code then attempted exploitation of host machines and failing that prompting a download for some fake malware.

The way they have it all setup is pretty clever too hiding behind common technologies so their infections don’t look out of place.

An obfuscated JavaScript meant to look like Google Analytics code? That’s smart.

A nasty infection that attempts to install a potent malware cocktail on the machines of end users has spread to about 30,000 websites run by businesses, government agencies and other organizations, researchers warned Friday.

The infection sneaks malicious javascript onto the front page of websites, most likely by exploiting a common application that leads to a SQL injection, said Stephan Chenette, manager for security research at security firm Websense. The injected code is designed to look like a Google Analytics script, and it uses obfuscated javascript, so it is hard to spot.

The malicious payload silently redirects visitors of infected sites to servers that analyze the end-user PC. Based on the results, it attempts to exploit one or more of about 10 different unpatched vulnerabilities on the visitor’s machine. If none exist, the webserver delivers a popup window that claims the PC is infected in an attempt to trick the person into installing rogue anti-virus software.

If you imagine 30,000 websites have been installed, how much traffic do these sites have in total? And out of that how many client computers have been infected.

The numbers could be quite huge.

The rogue anti-virus seems fairly intelligently designed too with polymorphic techniques to avoid signature scanning by real AV engines.

The rogue anti-virus software uses polymorphic techniques to constantly alter its digital signature, allowing it to evade detection by the vast majority of legitimate anti-virus programs. Because it uses obfuscation, the javascript is also hard to detect by antivirus programs and impossible to spot using Google searches that scour the web for a common string or variable.

“For the common user, it’s going to be possible but difficult to determine what the code is doing or if it’s indeed malicious,” Chenette told The Register. “We can see this quickly growing.”

The infection shares many similarities with a mass website malady that’s been dubbed Gumblar. It too injects obfuscated javascript into legitimate websites in an attempt to attack visitors. So far, it’s spread to about 60,000 sites, Websense estimates.

Several differences in the way the javascript behaves, however, have led Websense researchers to believe the two attacks are unrelated. The researchers have also noticed that the code, once it’s deobfuscated, points to web addresses that are misspellings of legitimate Google Analytics domains that many sites use to track visitor statistics. The RBN, or Russian Business Network, has used similar tactics in the past, and Websense is now working to determine whether those responsible for this latest attack have ties to that criminal outfit.

Seems like it could possibly be from Russia (the RBN) and it’s not related to Gumblar, even though they have quite a few similarities.

Interesting case to watch, and make sure any sites you run are up to date, secured and not open to SQL injection!

Source: The Register