Researchers at Invincea say they spotted National Journal still serving malware today, marking the second time in less than a month the news site was used to infect users.
The site is no longer serving malware at this moment. However, according to Invincea, the site was observed using a Java exploit to deliver a variant of the ZeroAccess rootkit and fake antivirus.
According to a report by MediaBistro.com, the initial compromise was detected Feb. 28, and is believed to have affected people who visited the site via major search engines between Feb. 18 and March 1.
“What we found…was somewhat surprising given the disclosure by The National Journal…that they were aware of this happening previously/had hired a third party to investigate and remediate,” blogged Anup Ghosh, CEO of Invincea.
A redirect was added to the top of the main index page that created an iframe pointing to an exploit pack landing page, he continued. After de-obfuscating the JavaScript, an iframe was revealed leading to an exploit pack. The exploit pack was the NeoSploit pack.
The Java exploit served via malicious archive (.jar) file. During their analysis, the company noticed that the landing page redirected users with a more recent version of Java to a serialized Java object hosted at koxhrcnr[.]myvnc[.]com. Java object serialization is implemented to bypass the interactive user access control implemented in Java 7 Update 11.
“Is The National Journal on an island in terms of being the only legitimate website to push malware? Hardly – NBC.Com, The Council on Foreign Relations, Speedtest.net all were used previously…and the list continues to grow,” blogged Ghosh. “What this tells us (as if we didn’t already know) is that the bad guys are increasingly going to the watering hole to attack their targets.”