California .Gov Site Seeded with Malware Again

A hacked California site that caused the GSA to suspend the state's Web service is again serving up malware.

A California government site that was seeded with massive amounts of pornography and which caused the federal government to suspend the entire state governments Internet and e-mail service in early October is once again serving up malware, security researchers have found.

Sunbelt Software President Alex Eckelberry said in a post on the night of Nov. 29 that the site, hosted by the Transportation Authority of Marin, was serving up links that direct users to a page that pushes malware posing as a fake codec.

Eckelberry mistakenly thought, as of last night, that the site was cleaned up, but Paul Ferguson, network architect at Trend Micro, told eWEEK on Nov. 30 that all the garbage is still in place.

The TAMs main page as of Nov. 30 said it was under construction. But Ferguson checked out the subdirectories shown in a .JPEG that Eckleberry included in his post, inserting random numbers into the URLs. He was then redirected to a domain registered in Russia, with a hosting provider located in the Netherlands. Multiple numbers randomly inserted into subdirectory URLs immediately redirect to another server, he found.


Click here to read about how singer Alicia Keys Web site was repeatedly hacked.

The sites to which Ferguson was redirected were hosting fake codec downloads. When he clicked on a prompt to install either an ActiveX component or a fake codec with a "play" button, Ferguson was redirected to a server located in the Ukraine that tries to infect visitors with fake anti-spyware and the Zolob Trojan.

Security researchers suspect a DNS hack of the sites hosting provider may have taken place, given that such problems have been growing increasingly common, but the truth is that the way the GSA has set up government domains and restricted WhoIs queries, its hard to tell what exactly has happened and whos responsible, Ferguson said. WhoIs queries are supposed to provide reports on domain name ownership and related data.

"Its hard to tell if … somebody has hacked the DNS on the hosting provider," he said. "GSA has made it basically impossible for any outsiders to do WhoIs on .gov domains. The WhoIs site, unless you have an established account there to do WhoIs to find out where name servers are, you cant figure it out. It makes it virtually impossible. You have to contact the people responsible for the site, to figure out whos doing their DNS hosting, just to get [a contact to inform]. You have to contact US-CERT to notify" the agency of the problem, he said.

Ferguson had alerted US-CERT to the issue shortly before getting on the phone with eWEEK.

TAM was unable to respond to queries by the time this article posted.

It is easy to blame the administrators of a site that has been seeded with malware, cleaned up, reseeded, cleaned up and polluted yet again. But it is, in fact, mostly small sites, including county Web sites and those belonging to small cities or government agencies as well as small businesses, that are suffering the attention of organized crime, both in the United States and throughout the world.

Page 2: California .Gov Site Seeded with Malware Again