You may have read about the US Department of Labor “getting hacked”.
It’s true, but fortunately the story is not quite as gory as it sounds in those two fateful words.
A subdomain of the Department’s main website, running off a separate server – what’s known colloquially as a microsite – was modified to serve up malware.
There’s a sort of double irony here, because news about the breach broke on May Day, which is Labour Day in much of the world, though not in the United States, where it is celebrated in September.
The affected microsite was www.sem.dol.gov, which is currently (2013-05-02T10:22Z) offline.
SEM stands for Site Exposure Matrices, but the “site” in the name refers not to websites but to worksites.
The SEM “is a repository of information on toxic substances present at Department of Energy sites and other locations where radiation exposure is a possible hazard.
We’ve already seen speculation that the radiation-related nature of the SEM site tells us that this is a targeted attack, and certainly the site is not one you would expect to draw a lot of traffic.
On the other hand, of course, it might just be that the site was attacked because it was vulnerable while other parts of the Department of Labour site were not.
→ Many organisations use microsites for special purposes, such as conducting one-off marketing campaigns or, as in this case, for presenting specialised data. Often, this is to avoid bothering the IT team with change requests for the main website, or in order to try something new. If you use microsites this way, make sure you don’t take any security shortcuts while you are “innovating”.
The attack used a malicious JavaScript file to get your browser to download a file called bookmark.png.
This sounds like an image file, but is in fact a Windows program with the first byte altered so that it can’t run by itself.
In theory, your browser shouldn’t do anything more than simply, and harmlessly, download the offending file.
But the malicious JavaScript then uses the function called helo() in the script above in an effort to trigger the CVE-2012-4792 remote code execution vulnerability in Internet Explorer.
The attackers hope that this will trick your browser into jumping over its security checks to modify and run the downloaded malware program without asking you.
The exploit seems to have borrowed both code and concept from a publicly-available Metasploit module that gives more detail (perhaps a little too much for some readers’ comfort) about this exploit.
The good news is that if you’ve patched Windows recently, or if you are using Internet Explorer 9 or 10, you should be safe, since the vulnerability will be fixed, the exploit won’t work and the non-functional bookmark.png file will do you no harm.
→ Sophos security products block the drive-by-download exploit script as Troj/ExpJS-IT and the “payload” executable as Troj/Agent-ABOB.
The attack also uses a malicious script file that includes what are known as anti-anti-virus techniques.
This means that the attacker actively attempts to evade detection by interfering with the operation of one or more of the anti-virus tools you may be running.
If you’re using BitDefender, the script even tries to connect to the local web console to reconfigure the product on your behalf.
→ Sophos security products block this malicious script as Troj/ExpJS-IV.
To summarise:
- A patched version of Windows should be immune to the exploit used in this attack.
- Internet Explorer later than version 8 should be immune.
- The hacked site is off the air and unlikely to reappear until it is clean and safe.
- An up-to-date anti-virus ought to block the malicious files, even on an unpatched computer.
Oh, and one more thing.
If you use microsites for special-purpose content, take care to avoid introducing special purpose risks at the same time!
Leave a reply
