SecurityWeek

Cybercrime
Popular Media Websites Compromised to Deliver Malware to Visitors

Several media sites, including two Washington, DC-based radio stations, have been compromised to infect unsuspecting visitors’ systems with fake antivirus software. 


The Christian Post, Real Clear Science, and Real Clear Policy appear to also have been compromised, according to researchers at Zscaler ThreatLabz. Invincea researchers said the exploit kit served up the same fake antivirus, which infected visitors to dvorak.org, belonging to popular blogger John Dvorak, over the weekend.

Users who have visited WTOP.com using Internet Explorer in the past 36 hours may have been affected, according to a statement from WTOP. Visitors using other Web browsers, such as Chrome, Firefox, or Safari, should not be affected.

“We are working diligently to contain and stop the attack, and apologize for any inconvenience this has caused,” WTOP said.

Internet Explorer users are currently being blocked from seeing WTOP “to help protect you and prevent any further damage,” according to the statement. The same measures appear to be in place at FederalNewsRadio.com.

As of this morning, WTOP was still serving up the malware. “Do not browse to this site until further notice,” wrote Eddie Mitchell, a security engineer at Invincea, in the company’s analysis of the attack.

Shortly after visiting the site that had been compromised, Internet Explorer attempts to launch a Java application from a suspicious URL, Invincea researchers found. After the process executes, it creates a shortcut on the Desktop named “Internet Security 2013” to point users to a popular fake antivirus scam.


The malicious code relied on exploits targeting vulnerabilities in Java and Adobe Reader to install the fake antivirus, Mitchell said.

The flaws were all patched a while ago (Oracle has released several other updates since its January patch), so users should make sure to download and install patches in a timely manner.

Oracle patched the Java 7 flaw, a security manager bypass vulnerability affecting the Java Runtime Environment (CVE-2013-0422), back in January. The input validation issue (CVE-2009-0927) and the other vulnerability, which can cause a denial of service condition (CVE-2010-0188), affected Adobe Reader and Acrobat 9 and earlier.

Users who may have been infected should run a scan on their computers using a legitimate security tool as soon as possible.

The malicious code was injected into the wp-config.php file for the WordPress content management system on dvorak.org, Mitchell said. It is not known how the sites were initially compromised, or where the malicious code was injected on WTOP and Federal News Radio sites.

Mass compromises are “now the norm,” Zscaler security researcher Chris Mannon wrote in the company’s write-up of the attack. Attackers comb the Web looking for popular sites with a specific application vulnerability and then exploit the flaw in order to inject malicious code. The legitimate, but compromised, site can then infect all users visiting it.

In the case of Federal News Radio and WTOP, the malicious code executed and redirected to a malicious IFRAME only when the visitor was using Internet Explorer, Mannon said. WTOP and FederalNewsRadio delivered fake antivirus scams and ZeroAccess Trojans to victims, Mannon said.
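A defender-side check suggested by that browser-conditional behaviour, written here as an added example that is not code from the article or from the researchers it cites: fetch the same page once with an Internet Explorer user agent and once with another browser's, then list the iframe sources that appear only in the copy served to IE. The two sample pages below are constructed for the example, and the malicious hostname is a placeholder.

```python
from html.parser import HTMLParser


class _IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in an HTML document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value.strip())


def iframe_sources(html):
    parser = _IframeCollector()
    parser.feed(html)
    return parser.srcs


def ie_only_iframes(ie_html, other_html):
    """Return iframe src values present in the page served to IE but
    absent from the page served to another browser. A non-empty result
    is a lead for conditional injection, not proof by itself: some sites
    legitimately vary markup by user agent, so inspect the sources."""
    return sorted(set(iframe_sources(ie_html)) - set(iframe_sources(other_html)))


# Constructed sample responses (not captures from any real site).
PAGE_OTHER_BROWSER = """<html><body>
<h1>Station news</h1>
<iframe src="https://player.example/embed/123"></iframe>
</body></html>"""

# Same page as served to IE, with a 1x1 iframe appended by injected code.
PAGE_IE = PAGE_OTHER_BROWSER.replace(
    "</body>",
    '<iframe src="http://malicious.invalid/landing" width="1" height="1"></iframe>\n</body>',
)

if __name__ == "__main__":
    for src in ie_only_iframes(PAGE_IE, PAGE_OTHER_BROWSER):
        print("iframe served only to IE:", src)
```

In practice the two responses come from fetching the page with different User-Agent headers; comparing against a known-good copy of the site's templates or the wp-config.php file on disk catches the same injection from the server side.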

“This is likely an indicator of a larger more widespread attack against online media sites,” Invincea’s Mitchell said. While Dvorak.org may have just been an opportunistic attack and not specifically targeting the site’s users, Federal News Radio’s target audience happens to be federal employees. Compromising FederalNewsRadio.com may be part of a watering hole attack, Mitchell said.
