Security Watch

Keeping Track of patches and hacks in the IT security world.

More .Gov Sites Boobytrapped

I had just finished writing up this story of a European country with a defense agency site that's got its database dangling out for all the world to play with, when Exploit Prevention Labs Chief Technology Officer Roger Thompson pointed to about a dozen poisoned government sites that are hosting pages serving malware and porn.

Thompson says that he expects there are many more, which wouldn't surprise me—a quick Google search yesterday turned up plenty.

EPL reports that the hacked .gov sites are dishing out malware via drive-by download and social engineering. The front pages give off no clues of having been compromised, but they're hosting pages that serve junk. EPL has identified city governments such as lasalle, il and frenchsettlement-la as being compromised.

They're small government sites, in other words. Should we care?

Thompson says yes. After all, this is government we're talking about, and who knows how much power these attackers have beyond injecting redirects to porno and malware?

"I think even though they're small government sites, everybody's entitled to think they're held to a higher standard," he told me. "If [attackers] had enough access to write stuff to those pages, who knows what else they read?"

Thompson says the hacked .gov sites are trying a few tricks: "First they try an exploit to install their malware, and if that doesn't work, they try to trick you into installing a fake codec, and if that doesn't work, they run a fake antispy scan, and try to convince you that your machine is already compromised, but their software can fix it ... just click the install button."

Sunbelt's Alex Eckleberry thinks unpatched systems and lousy security policies are at the heart of these problems. Thompson says it might not be as simple as all that. Sometimes these sites are living on Web farms. With PHP vulnerabilities being discovered every few days, any Web farm that doesn't keep up with patches is leaving the whole farm open to being compromised. Which, well, still amounts to unpatched systems, but the blame in such a case is outsourced.

One thing the hacked .gov sites exhibit is that clearly, finding vulnerable systems in an automated fashion is getting to be a common skill. "There's a battle going on for the Web now," Thompson said. "The bad guys are making money and they're more and more organized and looking for stuff all the time."

Indeed, the hacked .gov sites are probably dropping password sniffers, keyloggers or any number of other malware, he said.

EPL made a video of the hacked sites in action if you want to check it out.

At this point, it's happened, and the most important thing is to get these sites cleaned up.

Sounds easy, doesn't it? My phone calls to the U.S. consulate of the European no-defense country taught me how hard that can be. In this uber-connected world, we're still dealing with language barriers, with frontline, junior personnel who don't have a clue what you're talking about, and with getting blown off as a consequence.

EPL picked up on the hacked .gov sites because the users of their product have agreed to report this type of thing. The security firm scrubs logs every hour and puts up a report. What made this stand out in particular is the number of government sites that started turning up on one particular day.

The sheer number of hacked sites reflects the attackers MO, Thompson says: "They plant fake pages with lots of terms on them ... Over the next weeks, some will be cleaned up and some will still remain [hacked]."

The reason the attackers are planting malware this way: It's a great way to bypass firewalls. The Web session that's started on a browser opens a channel for malware to flow right through the firewall and onto the desktop.

Thompson has come up with a new acronym for it: GFBP -- Generic Firewall Bypass Protocol.

We could laugh if it weren't so painfully true.