Wednesday, May 08, 2013

WTOP, Federal News Radio hacked with Trojan that might infect some visitors using Internet Explorer; both sites offer press releases; detailed investigation ongoing


The Washington Post is reporting that two mainstream news sites, WTOP and Federal News Radio, were hacked recently. Visitors using certain versions of Internet Explorer (probably older, unpatched versions) may have been infected simply by visiting the sites earlier this week.
  
The infections would have included pop-ups offering “fake anti-virus software” and a botnet program that tries to commandeer PCs to simulate clicks on ad networks (click fraud).
  
The Washington Post story by Hayley Tsukayama appears on p. A11, link here.
  
As of early Wednesday afternoon, both sites were blocking access through Internet Explorer.  Both sites say that access through other browsers is OK.  It is unclear whether the latest IE version with the latest security patches would be immune, or whether Microsoft plans more security patches soon (which seems likely, meaning users should have automatic updates turned on). 
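As an added example (this is not code from the Post story, WTOP or Federal News Radio), here is the kind of server-side User-Agent check a site can use to do what the two sites did: turn every Internet Explorer visitor away, or, if the site decides the latest patched IE is safe, only IE below a chosen version. The sample User-Agent strings are constructed for illustration; the Trident-engine-to-IE-version table is the standard one and is not something the page states.

```python
import re

# Internet Explorer identifies itself two ways: "MSIE <major>" (IE 10 and
# earlier) and "Trident/<engine>" (IE 8 and later).  IE 11 dropped the MSIE
# token entirely, and "Compatibility View" makes a newer IE report an older
# MSIE number, so the Trident engine version is the more reliable signal.
MSIE_RE = re.compile(r"\bMSIE (\d+)\.\d+")
TRIDENT_RE = re.compile(r"\bTrident/(\d+)\.\d+")
TRIDENT_TO_IE = {4: 8, 5: 9, 6: 10, 7: 11}  # layout engine major -> IE major


def ie_version(user_agent):
    """Return the IE major version the User-Agent claims, or None if it is not IE."""
    trident = TRIDENT_RE.search(user_agent)
    if trident:
        engine = int(trident.group(1))
        if engine in TRIDENT_TO_IE:
            return TRIDENT_TO_IE[engine]
    msie = MSIE_RE.search(user_agent)
    if msie:
        return int(msie.group(1))
    return None


def block_decision(user_agent, min_allowed_version=None):
    """Decide whether to serve the page or a 'use another browser' notice.

    min_allowed_version=None reproduces what the two sites did: refuse every
    IE version.  A number (e.g. 10) allows that version and newer, for a site
    that trusts the latest patched IE.  Returns (blocked, reason).
    """
    version = ie_version(user_agent)
    if version is None:
        return (False, "not Internet Explorer")
    if min_allowed_version is None:
        return (True, "Internet Explorer %d blocked (all IE)" % version)
    if version < min_allowed_version:
        return (True, "Internet Explorer %d below minimum %d" % (version, min_allowed_version))
    return (False, "Internet Explorer %d allowed" % version)


# Constructed sample User-Agent strings (not captured from either site).
SAMPLE_AGENTS = {
    "ie6":     "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "ie9":     "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
    "ie10cv":  "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0)",  # IE 10 in Compatibility View
    "ie11":    "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
    "chrome":  "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.36",
    "firefox": "Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20100101 Firefox/20.0",
}


def wsgi_app(environ, start_response, min_allowed_version=None):
    """Minimal WSGI front door: 403 with a notice for blocked IE, 200 otherwise."""
    blocked, reason = block_decision(environ.get("HTTP_USER_AGENT", ""), min_allowed_version)
    if blocked:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [("Site temporarily unavailable in Internet Explorer (%s). "
                 "Please use Chrome, Firefox or Safari.\n" % reason).encode()]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"Welcome\n"]


if __name__ == "__main__":
    for name, ua in SAMPLE_AGENTS.items():
        print("%-8s block-all=%s  min-10=%s" % (name, block_decision(ua)[0], block_decision(ua, 10)[0]))
```

Two caveats a practitioner would want: the User-Agent is entirely under the client's control, so this only steers unaware visitors away while the injected content is cleaned up and does nothing against the malware itself; and the check must sit in front of the page that carries the injected code, not be served by it.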
  
WTOP has an explanation (recommending Chrome, Firefox or Safari) here.

Federal News Radio has its press release here. Again, the site is not currently accessible through IE.
  
Sophos (the anti-virus partner for Webroot) has an explanation of the Trojan called “Troj-FakeAV-GOJ” here
  
Invincea plans a webinar and announcement about “watering hole attacks” here.  There are further reports that the attack involved Java and Adobe vulnerabilities as well as Microsoft ones. 
  
John Dvorak's blog site (dvorak.org) is mentioned as affected, and McAfee SiteAdvisor has it marked red.  John C. Dvorak has a detailed discussion in PC Mag that is more technical than I can follow in detail right now, but here it is.  He thinks that the “Don't Be Evil” company (Google) has blacklisted the site; May 6 article here.  

A few years ago, I received comments on blogs that offered fake software.  I do not get these anymore since they get automatically marked as spam, but I also moderate comments now.  On two or three occasions around 2008 or so, my older Dell 8300 desktop offered the fake anti-virus software on one or two sites, even in Chrome.  This probably caused infection.  But the hard drive for that computer failed and had to be replaced at the end of 2009.  (I have never tried to purchase fake software, but the mere execution of the pop-up block probably installs the trojan.)  

It was not yet clear how far law enforcement, particularly the FBI, has delved into this, or what kind of prosecution would be likely.

Watch for the CERT Coordination Center at Carnegie Mellon in Pittsburgh to make an announcement on this IE/Oracle Java/Adobe vulnerability chain, to determine whether it is fully patched.  
