How did I get a virus, I don’t visit porn sites?!?!?!

Cyber Tech Cafe


Ok, so I just saw this on the wire and wanted to take the opportunity to a) warn folks about the hack on the DOL website and b) use it as an example of how easy it is to get a virus from an otherwise legitimate website.  I’ll try to be brief, but, well, you know how I tend to get on this stuff.

First, the news.  According to this article, one of the U.S. Department of Labor’s websites has been ‘hacked’ and is now redirecting visitors to malicious code.  Translation: if you visit the site, you stand a very good chance of getting a virus.

Now, on to the good stuff.  According to the article, visitors to the site are being redirected to http://dol.ns01.us:8081 (link intentionally broken), where a small piece of code runs to check your version of Flash, your version of Java, what operating system you’re running, what antivirus you have (and it attempts to disable it), what version of MS Office you’re running (if any), etc., and builds a sort of report.  After the malicious site ‘analyzes’ the report, it attempts to install a virus on your computer, currently using an exploit for a vulnerability that was patched earlier this year.  If your computer has the patch installed, as of right now you’ll likely just see an error and that will be the end of it.  If you didn’t install the patch, the virus gets installed.

Some important things to note about this:

  • This attack completes within seconds and, if successful, is transparent to the end user.  If it fails, you will likely see an error (the script failing, or your antivirus warning you that something awful almost happened).  
  • This isn’t some targeted attack like we see in Hollywood movies, where the ‘evil hacker’ is soaring through some 3D virtualized version of hyperspace.  It’s a trap that’s been laid in an otherwise legitimate website and is just waiting for unwitting victims to ‘view’ the content (not open, not execute, not run, not play, just view).  You look, you cook; it’s as simple as that unless you’ve got the update for the vulnerability and/or good, up-to-date antivirus.
  • This virus is delivered via an otherwise perfectly legitimate website.  This isn’t a porn site or a warez site, so not surfing porn and not stealing software is not going to save you.
  • Currently, the malicious site is looking for one specific vulnerability in Internet Explorer, but it is collecting information about a lot more (Flash, Java, operating system, Office, etc.).  It’s not a stretch to think that this same attack will be used against other vulnerabilities (in Flash, Java, operating systems, Office, etc.) in very short order.  Looking at the attack, it would be very easy to modify it quickly to exploit another vulnerability.
  • The attack looks for several specific antivirus products and, if it finds one of them, disables it.  If you’re running something that’s not on that list, you stand a much better chance of surviving the attack unscathed, though that’s a better chance, not a guarantee: your antivirus still has to actually catch the virus.
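If you run a network and want to know who walked into this trap, the place to look is your web-proxy logs: a visit to the compromised page followed within a second or two by requests to the redirect host named above, then a ‘report’ request carrying the fingerprint, and (only on unpatched machines) a download of the actual virus.  Here is an added example of that triage; it is not code from the original post or from the article it cites.  Every log line in it is constructed, the compromised site is a stand-in name (the real DOL site isn’t named here), the log format and the query-string field names in the ‘report’ request are assumptions about what such a fingerprinting script sends, and the only piece taken from the write-up is the redirect host dol.ns01.us:8081.

```python
"""Triage of a watering-hole redirect chain from web-proxy logs.

Added example, not from the original post. All log lines are constructed;
the compromised site is a stand-in name and only the redirect host
dol.ns01.us:8081 comes from the write-up. The log format and the query-string
field names of the 'report' request are assumptions.
"""
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

REDIRECT_HOST = "dol.ns01.us:8081"  # the redirect target named in the write-up

# Assumed proxy format: "<ISO timestamp> <client_ip> <status> <method> <url> <referrer|->"
# 10.1.1.20 is unpatched (payload fetched), 10.1.1.31 is patched (chain stops
# after the report), 10.1.1.45 never touched the compromised site.
SAMPLE_LOG = """\
2013-05-01T09:12:01 10.1.1.20 200 GET http://jobs.labor-site.example/careers.html -
2013-05-01T09:12:01 10.1.1.20 200 GET http://dol.ns01.us:8081/main.js http://jobs.labor-site.example/careers.html
2013-05-01T09:12:03 10.1.1.20 200 GET http://dol.ns01.us:8081/report?ie=8&os=winxp&flash=11.5&java=1.6&av=none http://jobs.labor-site.example/careers.html
2013-05-01T09:12:04 10.1.1.20 200 GET http://dol.ns01.us:8081/payload.exe http://jobs.labor-site.example/careers.html
2013-05-01T09:15:40 10.1.1.31 200 GET http://jobs.labor-site.example/careers.html -
2013-05-01T09:15:41 10.1.1.31 200 GET http://dol.ns01.us:8081/main.js http://jobs.labor-site.example/careers.html
2013-05-01T09:15:42 10.1.1.31 200 GET http://dol.ns01.us:8081/report?ie=9&os=win7&flash=11.7&java=1.7&av=other http://jobs.labor-site.example/careers.html
2013-05-01T09:20:00 10.1.1.45 200 GET http://www.unrelated.example/index.html -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Parse the assumed proxy format; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, status, method, url, ref = m.groups()
        rows.append({"ts": datetime.fromisoformat(ts), "client": client,
                     "status": int(status), "method": method, "url": url,
                     "ref": None if ref == "-" else ref})
    return rows


def find_redirect_victims(rows, redirect_host=REDIRECT_HOST):
    """Map each client that contacted redirect_host to a triage summary.

    'profile' collects the query parameters the client sent to the redirect
    host (the fingerprint 'report' the post describes). 'payload_delivered'
    is set when a 200 for an .exe followed (assumption: on real logs key this
    off content-type or byte count rather than the file extension).
    """
    victims = {}
    for r in sorted(rows, key=lambda r: r["ts"]):
        parts = urlsplit(r["url"])
        if parts.netloc.lower() != redirect_host:
            continue
        v = victims.setdefault(r["client"], {
            "first_seen": r["ts"], "referrer": r["ref"], "requests": [],
            "profile": {}, "payload_delivered": False, "seconds_from_referrer": None})
        v["requests"].append(r["url"])
        v["profile"].update({k: vals[0] for k, vals in parse_qs(parts.query).items()})
        if r["status"] == 200 and parts.path.lower().endswith(".exe"):
            v["payload_delivered"] = True
    # How fast the chain fired: seconds between loading the referring page and
    # the first request to the redirect host (the post says "within seconds").
    for client, v in victims.items():
        if v["referrer"] is None:
            continue
        visits = [r["ts"] for r in rows
                  if r["client"] == client and r["url"] == v["referrer"]
                  and r["ts"] <= v["first_seen"]]
        if visits:
            v["seconds_from_referrer"] = (v["first_seen"] - max(visits)).total_seconds()
    return victims


def triage(victims):
    """Split victims into hosts to rebuild and hosts that were only profiled."""
    rebuild = sorted(c for c, v in victims.items() if v["payload_delivered"])
    profiled = sorted(c for c, v in victims.items() if not v["payload_delivered"])
    return {"rebuild": rebuild, "profiled_only": profiled}


if __name__ == "__main__":
    found = find_redirect_victims(parse_log(SAMPLE_LOG))
    for client, v in found.items():
        print(f"{client}: {v['seconds_from_referrer']}s after {v['referrer']}, "
              f"profile={v['profile']}, payload={v['payload_delivered']}")
    print(triage(found))
```

The ‘profiled only’ machines still matter: the report they sent tells you exactly which versions of IE, Flash, Java and Office were on them, which is the list the attacker would use when the next vulnerability gets wired in, so those are the boxes to patch first.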