A California government site that was seeded with massive amounts of pornography and which caused the federal government to suspend the entire state governments Internet and e-mail service in early October is once again serving up malware, security researchers have found.
Sunbelt Software President Alex Eckelberry said in a post on the night of Nov. 29 that the site, hosted by the Transportation Authority of Marin, was serving up links that direct users to a page that pushes malware posing as a fake codec.
Eckelberry mistakenly thought, as of last night, that the site was cleaned up, but Paul Ferguson, network architect at Trend Micro, told eWEEK on Nov. 30 that all the garbage is still in place.
The TAMs main page as of Nov. 30 said it was under construction. But Ferguson checked out the subdirectories shown in a .JPEG that Eckleberry included in his post, inserting random numbers into the URLs. He was then redirected to a domain registered in Russia, with a hosting provider located in the Netherlands. Multiple numbers randomly inserted into subdirectory URLs immediately redirect to another server, he found.
Click here to read about how singer Alicia Keys Web site was repeatedly hacked.
The sites to which Ferguson was redirected were hosting fake codec downloads. When he clicked on a prompt to install either an ActiveX component or a fake codec with a “play” button, Ferguson was redirected to a server located in the Ukraine that tries to infect visitors with fake anti-spyware and the Zolob Trojan.
Security researchers suspect a DNS hack of the sites hosting provider may have taken place, given that such problems have been growing increasingly common, but the truth is that the way the GSA has set up government domains and restricted WhoIs queries, its hard to tell what exactly has happened and whos responsible, Ferguson said. WhoIs queries are supposed to provide reports on domain name ownership and related data.
“Its hard to tell if … somebody has hacked the DNS on the hosting provider,” he said. “GSA has made it basically impossible for any outsiders to do WhoIs on .gov domains. The GSA.gov WhoIs site, unless you have an established account there to do WhoIs to find out where name servers are, you cant figure it out. It makes it virtually impossible. You have to contact the people responsible for the site, to figure out whos doing their DNS hosting, just to get [a contact to inform]. You have to contact US-CERT to notify” the agency of the problem, he said.
Ferguson had alerted US-CERT to the issue shortly before getting on the phone with eWEEK.
TAM was unable to respond to queries by the time this article posted.
It is easy to blame the administrators of a site that has been seeded with malware, cleaned up, reseeded, cleaned up and polluted yet again. But it is, in fact, mostly small sites, including county Web sites and those belonging to small cities or government agencies as well as small businesses, that are suffering the attention of organized crime, both in the United States and throughout the world.
.Gov Site Seeded with Malware Again”>
The sites Sunbelt has seen seeded with malware include those for the U.S. Virgin Islands Housing Authority and for cities such as Plainsville or Sansford, Kansas. The list is extensive.
The problem is, Eckelberry told eWEEK, that in many cases these organizations have tight resources and are forced to outsource site hosting to a hosting provider.
A certain percentage of those hosting providers are increasingly asleep at the wheel, however. One provider that security researchers preferred to keep unnamed was exhibiting signs of DNS hacking as far back as September. Researchers can sniff out DNS attacks pretty easily: A mysterious sub domain will have been inserted into a URL, giving researchers the heads-up that a separate DNS entry has been created.
“The fundamental problem is there are real small shops” out there that are running sites, Eckelberry said. “There was a nice old lady [responsible for a site in Texas]. We said, You have porn on your system. She was so sweet. She said, Oh yes, weve heard about that. They have no idea [of the severity of the issue.”
The problem is, when small IT shops outsource to third-party providers, security can crack in many places—some of the errors are due to the sites creators, and some errors are due to the hosting provider.
Read more here about how hackers scam Internet users with bogus anti-spyware offers.
The errors Sunbelt sees on compromised sites most frequently include: stolen FTP credentials; unpatched (usually open-source) software, including poorly maintained LAMP stacks; the increasing use of collaborative, “Web 2.0” type software (wikis, tikis, etc.); DNS hacks; poorly written ASP code; sloppy PHP work; and SQL hacks.
“We believe in many, many places its the fault of the hosting provider,” Eckelberry said, although with problems such as poorly written ASP code, the buck would have to stop squarely on the desks of the sites owners.
“This is a problem that leaves you scratching your head: Why do these problems persist?” Ferguson said. “Were talking about the Transportation Authority of Marin County. Its these small county government sites; their IT budgets are probably chickenfeed.”
At this point, the whole framework in which .gov is set up probably needs to be re-examined, Ferguson said, given the large scale on which security researchers are seeing .gov sites poisoned.
“Ive said it before: you hire a third-party person to come in and put up a Web site and then he goes on his way; those days are long gone. All these platforms are not being maintained properly, and theyre ripe for the pickings. People need to do due diligence in maintaining their Web infrastructure.”
After all, Ferguson said, citizens, or customers of smaller businesses, are in danger. “People are jumping on a site for checking a bus schedule or the schedule for community meetings, and in process people” are getting hurt by malware attacks, he said.
Ferguson pointed to an updated set of guidelines from NIST on securing public Web servers as a good place to start to avoid situations like the recurrent problems of the TAM site.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.