TA13-141A: Washington, DC Radio Station Web Site Compromises

To: on@cs.ait.ac.th
Subject: TA13-141A: Washington, DC Radio Station Web Site Compromises
From: "US-CERT" <US-CERT@public.govdelivery.com>
Date: Wed, 22 May 2013 11:12:47 -0500
Reply-to: US-CERT@public.govdelivery.com

Title: TA13-141A: Washington, DC Radio Station Web Site Compromises

National Cyber Awareness System:

05/20/2013 05:59 PM EDT

Original release date: May 20, 2013 | Last revised: May 22, 2013

Systems Affected

  • Microsoft Windows systems running Adobe Reader, Acrobat, or Oracle Java

Overview

On May 16, 2013, US-CERT was notified that both www.federalnewsradio[.]com and www.wtop[.]com had been compromised to redirect Internet Explorer users to an exploit kit. As of May 17, 2013, US-CERT analysis confirms that no malicious code remains on either site.

Description

The compromised websites were modified to contain a hidden iframe referencing a JavaScript file on a dynamic-DNS host. The file returned from this site was identified as the Fiesta exploit kit. The kit uses one of several known vulnerabilities to attempt to download an executable:

Any system that visited either site while running a vulnerable version of Adobe Reader, Acrobat, or Oracle Java may have been compromised.

Impact

The exploit kit, once successful, delivers and executes a known variant of the ZeroAccess Trojan. Additionally, according to open source reporting, the malware also downloads and installs a variant of FakeAV/Kazy malware.

The ZeroAccess Trojan attempts to beacon to one of two hardcoded command-and-control addresses, 194[.]165[.]17[.]3 and 209[.]68[.]32[.]176. The beacon is an HTTP GET request sent with the Opera/10 user-agent string.

After beaconing, the malware downloads a custom Microsoft Cabinet file and then uses port 16464/udp to connect to its peer-to-peer network. The cabinet file contains several lists of IP addresses, as well as a fake Flash installer.

Solution

Apply Updates

Updated software that addresses the vulnerabilities referenced in this incident has been available for years. It is imperative to apply current security updates to software that is commonly targeted by attackers.

In order to defend against additional vulnerabilities, install the most recent versions of Adobe Reader, Acrobat, and Oracle Java. At the time of publication, Adobe Security Bulletin APSB13-15 documents current security updates for Adobe Reader and Acrobat, and Oracle Java SE Critical Patch Update Advisory - April 2013 documents vulnerabilities addressed by Java 7 Update 21.

Identify Compromised Systems

Monitor activity to the following IP addresses as a potential indicator of compromise where permitted and practical:

  • 209[.]68[.]32[.]176
  • 194[.]165[.]17[.]3
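The advisory gives three network indicators for a compromised host: traffic to either C2 address, the HTTP GET beacon carrying an Opera/10 user-agent, and UDP connections to port 16464. The following is an added example, not code from the advisory or from US-CERT, showing how to sweep a connection log for all three at once. The log format is a constructed one-line-per-flow layout (timestamp, client, protocol, destination:port, method, URL, quoted user-agent), not any product's real format, and the sample lines and internal addresses are constructed; only the two C2 addresses and the port come from the advisory.

```python
import re
from collections import defaultdict

# Indicators taken from the advisory.
C2_ADDRESSES = {"194.165.17.3", "209.68.32.176"}
P2P_PORT = 16464

# Constructed log format (not a real product's format):
# <timestamp> <client_ip> <tcp|udp> <dst_ip>:<dst_port> <method> <url> "<user-agent>"
LINE_RE = re.compile(r'^(\S+) (\S+) (tcp|udp) (\S+):(\d+) (\S+) (\S+) "([^"]*)"$')

# The user-agent match is a weak indicator on its own: real Opera 10 users exist.
WEAK = "HTTP GET with Opera/10 user-agent (beacon pattern)"


def classify(line):
    """Return (client_ip, [reasons]) if the line matches an indicator, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, client, proto, dst, dport, method, _url, ua = m.groups()
    reasons = []
    if dst in C2_ADDRESSES:
        reasons.append(f"traffic to ZeroAccess C2 {dst}")
    if proto == "tcp" and method == "GET" and ua.startswith("Opera/10"):
        reasons.append(WEAK)
    if proto == "udp" and int(dport) == P2P_PORT:
        reasons.append("UDP to 16464 (ZeroAccess P2P port)")
    return (client, reasons) if reasons else None


def scan_log(lines):
    """Aggregate indicator hits per client, preserving first-seen order of reasons."""
    hits = defaultdict(list)
    for line in lines:
        result = classify(line)
        if result:
            client, reasons = result
            for why in reasons:
                if why not in hits[client]:
                    hits[client].append(why)
    return dict(hits)


def strong_hits(hits):
    """Clients with at least one indicator other than the weak user-agent match."""
    return {c for c, reasons in hits.items() if any(r != WEAK for r in reasons)}


# Constructed sample log: one host showing the full infection pattern, one
# clean host, and one legitimate Opera 10 browser that only trips the weak check.
SAMPLE_LOG = """\
2013-05-17T10:00:01Z 10.1.2.3 tcp 194.165.17.3:80 GET http://194.165.17.3/ "Opera/10.00 (Windows NT 6.1; U; en) Presto/2.2.15"
2013-05-17T10:00:05Z 10.1.2.3 udp 203.0.113.9:16464 - - ""
2013-05-17T10:00:07Z 10.1.2.4 tcp 203.0.113.20:443 GET https://news.example/ "Mozilla/5.0"
2013-05-17T10:00:09Z 10.1.2.5 tcp 198.51.100.7:80 GET http://198.51.100.7/news "Opera/10.10 (Windows NT 5.1; U; en)"
"""

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG.splitlines())
    confirmed = strong_hits(hits)
    for client, reasons in hits.items():
        label = "CONFIRM" if client in confirmed else "review "
        print(f"{label} {client}: {'; '.join(reasons)}")
```

Hosts in the strong set (C2 contact or the P2P port) warrant isolation and imaging; hosts that only match the user-agent check should be correlated with the other two indicators before any action, since the Opera/10 string alone will match ordinary browsers.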

Revision History

  • Initial release
  • Updated Solution section
