Security Advisories

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Subject: TA13-141A: Washington, DC Radio Station Web Site Compromises
From: "US-CERT" <This email address is being protected from spambots. You need JavaScript enabled to view it.>
Date: Wed, 22 May 2013 06:48:53 -0500

Title: TA13-141A: Washington, DC Radio Station Web Site Compromises

US Computer Emergency Readiness Team banner graphic

National Cyber Awareness System:

TA13-141A: Washington, DC Radio Station Web Site Compromises

05/20/2013 05:59 PM EDT

Original release date: May 20, 2013 | Last revised: May 22, 2013

Systems Affected

Microsoft Windows systems running Adobe Reader, Acrobat, or Oracle Java

Overview

On May 16, 2013, US-CERT was notified that both www.federalnewsradio[.]com and www.wtop[.]com had been compromised to redirect Internet Explorer users to an exploit kit. As of May 17, 2013, US-CERT analysis confirms that no malicious code remains on either site.

Description

The compromised websites were modified to contain a hidden iframe referencing a _javascript_ file on a dynamic-DNS host. The file returned from this site was identified as the Fiesta Exploit Kit. The exploit kit script uses one of several known vulnerabilities to attempt to download an executable:

Any systems visiting running vulnerable versions of Adobe Reader or Acrobat or Oracle Java may have been compromised.

Impact

The exploit kit, once successful, delivers and executes a known variant of the ZeroAccess Trojan. Additionally, according to open source reporting, the malware also downloads and installs a variant of FakeAV/Kazy malware.

The ZeroAccess Trojan attempts to beacon to one of two hardcoded command-and-control addresses, 194[.]165[.]17[.]3 and 209[.]68[.]32[.]176. The beaconing occurs using an HTTP GET using the Opera/10 user-agent string.

After beaconing, the malware then downloads a custom Microsoft Cabinet file and the malware uses port UDP/16464 to connect to the peer-to-peer network. This cabinet file contains several lists of IP addresses, as well as a fake flash installer.

Solution

Apply Updates

Adobe has provided updates for these vulnerabilities in Adobe Security Bulletin APSB09-04 and APSB10-07.
Oracle has provided updates for this vulnerability in Oracle Security Alert for CVE-2013-0422.

Identify Infected Systems

Monitor activity to the following IPs as a potential indicator of infection where permitted and practical:

209.68.32.176
194.165.17.3

References

Revision History

Initial release

This product is provided subject to this Notification and this Privacy & Use policy.

OTHER RESOURCES:

STAY CONNECTED:

SUBSCRIBER SERVICES:
Manage Preferences | Unsubscribe | This email address is being protected from spambots. You need JavaScript enabled to view it.

This email was sent to This email address is being protected from spambots. You need JavaScript enabled to view it. using GovDelivery, on behalf of: United States Computer Emergency Readiness Team (US-CERT) · 245 Murray Lane SW Bldg 410 · Washington, DC 20598 · (703) 235-5110

MHonArc

CSIM Intranet

Using CSIM facilities