[SECURITY-L] Fwd:[US-CERT] TA13-141A: Washington, DC Radio Station Web Site Compromise

CSIRT - UNICAMP security em unicamp.br
Tue May 21 15:23:41 -03 2013


-------- Original Message --------
Subject: 	TA13-141A: Washington, DC Radio Station Web Site Compromises
Date: 	Tue, 21 May 2013 11:13:20 -0500
From: 	US-CERT <US-CERT em public.govdelivery.com>
Reply-To: 	US-CERT em public.govdelivery.com



National Cyber Awareness System:

TA13-141A: Washington, DC Radio Station Web Site Compromises
<https://www.us-cert.gov/ncas/alerts/TA13-141A>
05/20/2013 05:59 PM EDT

Original release date: May 20, 2013 | Last revised: May 21, 2013


      Systems Affected

  * Microsoft Windows systems running Adobe Reader, Acrobat, or Oracle Java


      Overview

On May 16, 2013, US-CERT was notified that both
www.federalnewsradio[.]com and www.wtop[.]com had been compromised to
redirect Internet Explorer users to an exploit kit. As of May 17, 2013,
US-CERT analysis confirms that no malicious code remains on either site.


      Description

The compromised websites were modified to contain a hidden iframe
referencing a JavaScript file on a dynamic-DNS host. The file returned
from this site was identified as the Fiesta Exploit Kit. The exploit kit
script uses one of several known vulnerabilities to attempt to download
an executable:

  * CVE-2009-0927: Stack-based buffer overflow in Adobe Reader and Adobe
    Acrobat <http://www.adobe.com/support/security/bulletins/apsb09-04.html>
  * CVE-2010-0188: Unspecified vulnerability in Adobe Reader and Acrobat
    <http://www.adobe.com/support/security/bulletins/apsb10-07.html>
  * CVE-2013-0422: Multiple vulnerabilities in Oracle Java 7 before
    Update 11
    <http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html>

Any system that visited these sites while running a vulnerable version of
Adobe Reader, Acrobat, or Oracle Java may have been compromised.
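The injection described above is a hidden iframe that pulls a script from a host the site does not own, and that is something a site operator can check for in their own published pages. The following added example (it is not part of the US-CERT alert and not US-CERT code) parses a page's HTML with Python's standard library and flags iframes that are sized or styled to be invisible, or that load from a host outside the site's own domains. The sample page, the host names in it, and the set of "own" hosts are constructed placeholders.

```python
"""Flag hidden or off-site <iframe> elements in a page's HTML.

Added example for this advisory; not US-CERT code. The sample page, the
host names in it and the set of "own" hosts are constructed placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate player embed, one injected 1x1
# invisible iframe loading from an outside host, and one 0x0 local widget.
SAMPLE_HTML = """
<html><body>
<h1>Morning news</h1>
<iframe src="https://player.example.com/live" width="640" height="360"></iframe>
<iframe src="http://injected-host.ddns.invalid/x.js" width="1" height="1"
        style="visibility:hidden"></iframe>
<iframe src="/local/widget.html" width="0" height="0"></iframe>
</body></html>
"""

# Hosts the site legitimately serves or embeds from (constructed).
OWN_HOSTS = {"www.example.com", "player.example.com"}

# Inline styles commonly used to keep an element out of view.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I)


class _IframeCollector(HTMLParser):
    """Collect the attribute map of every <iframe> start tag, in document order."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def _dimension(value):
    """Leading integer of a width/height attribute ('1', '0px'); None if absent."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def _is_hidden(attrs):
    """True if either dimension is at most 1px or the inline style hides it."""
    dims = (_dimension(attrs.get("width")), _dimension(attrs.get("height")))
    if any(d is not None and d <= 1 for d in dims):
        return True
    return bool(HIDDEN_STYLE.search(attrs.get("style") or ""))


def _is_offsite(src, own_hosts):
    """True if src names a host (not a relative path) outside own_hosts."""
    host = urlparse(src).hostname
    return host is not None and host.lower() not in own_hosts


def find_suspicious_iframes(html, own_hosts):
    """Return [{'src': ..., 'reasons': [...]}] for every iframe that is
    hidden, off-site, or both."""
    collector = _IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src") or ""
        reasons = []
        if _is_hidden(attrs):
            reasons.append("hidden")
        if _is_offsite(src, own_hosts):
            reasons.append("off-site")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML, OWN_HOSTS):
        print(", ".join(finding["reasons"]), "->", finding["src"])
```

A frame that is both hidden and off-site is the pattern this alert describes and deserves immediate review; a hidden local frame is often benign (tracking pixels, widgets) and is reported only so it can be triaged. Run the check against the HTML as served to a browser, since an injected frame can live in a template or CDN copy rather than in the source repository.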


      Impact

The exploit kit, once successful, delivers and executes a known variant
of the ZeroAccess Trojan. Additionally, according to open source
reporting
<http://www.invincea.com/2013/05/k-i-a-wtop-com-fednewsradio-and-tech-blogger-john-dvorak-blog-site-hijacked-exploits-java-and-adobe-to-distribute-fake-av-2/>,
the malware also downloads and installs a variant of FakeAV/Kazy malware.

The ZeroAccess Trojan attempts to beacon to one of two hardcoded
command-and-control addresses, 194[.]165[.]17[.]3 and
209[.]68[.]32[.]176. The beaconing occurs using an HTTP GET using the
Opera/10 user-agent string.

After beaconing, the malware downloads a custom Microsoft Cabinet file
and uses port UDP/16464 to connect to the peer-to-peer network. This
cabinet file contains several lists of IP addresses, as well as a fake
Flash installer.


      Solution

Apply Updates

  * Adobe has provided updates for these vulnerabilities in Adobe
    Security Bulletin APSB09-04
    <https://www.adobe.com/support/security/bulletins/apsb09-04.html>
    and APSB10-07
    <http://www.adobe.com/support/security/bulletins/apsb10-07.html>.
  * Oracle has provided updates for this vulnerability in Oracle
    Security Alert for CVE-2013-0422
    <http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html>.

Identify Infected Systems

Monitor activity to the following IPs as a potential indicator of
infection where permitted and practical:

  * 209.68.32.176
  * 194.165.17.3
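One way to act on the indicators in this alert is to run them over connection logs. The following added example (not US-CERT code) scans log records in a hypothetical comma-separated format for the two hardcoded command-and-control addresses, for UDP/16464 peer-to-peer traffic, and for HTTP GETs carrying an Opera/10 user-agent, then ranks each internal host by its strongest match. The log schema, the internal addresses and the non-indicator destinations are constructed; only the two C2 addresses, the UDP port and the user-agent string come from the alert.

```python
"""Scan connection-log records for the ZeroAccess indicators in TA13-141A.

Added example; not US-CERT code. The log schema and every address other
than the two C2 addresses are constructed for illustration.
"""
import csv
import io

# Indicators stated in the alert.
C2_ADDRESSES = {"194.165.17.3", "209.68.32.176"}
P2P_UDP_PORT = 16464
BEACON_UA_PREFIX = "Opera/10"

# Hypothetical log schema (constructed): one record per connection.
FIELDS = ["ts", "src_ip", "dst_ip", "proto", "dst_port", "http_method", "user_agent"]

# Constructed sample records: internal hosts in private space, and the
# non-indicator destinations taken from documentation ranges.
SAMPLE_LOG = """\
2013-05-17T09:01:12Z,10.0.0.23,194.165.17.3,tcp,80,GET,Opera/10
2013-05-17T09:01:13Z,10.0.0.23,209.68.32.176,tcp,80,GET,Opera/10
2013-05-17T09:02:40Z,10.0.0.23,198.51.100.7,udp,16464,,
2013-05-17T09:03:05Z,10.0.0.41,203.0.113.5,tcp,443,GET,Mozilla/5.0
2013-05-17T09:03:09Z,10.0.0.41,198.51.100.9,tcp,80,GET,Opera/10.63
"""

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def classify(rec):
    """Return a list of (severity, reason) pairs for one record."""
    reasons = []
    to_c2 = rec["dst_ip"] in C2_ADDRESSES
    if to_c2:
        reasons.append(("high", "destination is a hardcoded ZeroAccess C2 address"))
    if rec["proto"].lower() == "udp" and rec["dst_port"].isdigit() \
            and int(rec["dst_port"]) == P2P_UDP_PORT:
        reasons.append(("medium", "UDP/16464, the ZeroAccess peer-to-peer port"))
    if rec["http_method"] == "GET" and rec["user_agent"].startswith(BEACON_UA_PREFIX):
        # Opera 10 was a real browser, so this user-agent on its own is weak
        # evidence; it is only strong when paired with a C2 destination.
        reasons.append(("high" if to_c2 else "low", "HTTP GET with Opera/10 user-agent"))
    return reasons


def scan(log_text):
    """Return one alert per matching record, carrying its strongest severity."""
    alerts = []
    for rec in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        reasons = classify(rec)
        if reasons:
            top = max(reasons, key=lambda r: SEVERITY_RANK[r[0]])[0]
            alerts.append({"ts": rec["ts"], "src_ip": rec["src_ip"],
                           "dst_ip": rec["dst_ip"], "severity": top,
                           "reasons": [r[1] for r in reasons]})
    return alerts


def hosts_to_investigate(log_text):
    """Map each internal source address to the highest severity seen for it."""
    worst = {}
    for alert in scan(log_text):
        current = worst.get(alert["src_ip"])
        if current is None or SEVERITY_RANK[alert["severity"]] > SEVERITY_RANK[current]:
            worst[alert["src_ip"]] = alert["severity"]
    return worst


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["severity"].upper(), alert["ts"], alert["src_ip"], "->",
              alert["dst_ip"], "; ".join(alert["reasons"]))
    print(hosts_to_investigate(SAMPLE_LOG))
```

Only the parsing step needs to change to fit a real proxy or firewall export; the classification rules stay the same. Treat a C2 destination as the signal to act on, the UDP/16464 port as corroboration, and the user-agent alone as a lead to confirm rather than an infection in itself.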


      References

  * WTOP and Federal News Radio Websites Back After Cyber Attack
    <http://wtop.com/41/3319697/WTOP-and-Federal-News-Radio-Websites-Back-After-Cyber-Attack/>
  * APSB09-04
    <http://www.adobe.com/support/security/bulletins/apsb09-04.html>
  * Stack-based buffer overflow in Adobe Reader and Adobe Acrobat
    <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0927>
  * APSB10-07
    <http://www.adobe.com/support/security/bulletins/apsb10-07.html>
  * Unspecified vulnerability in Adobe Reader and Acrobat
    <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0188>
  * Multiple vulnerabilities in Oracle Java 7 before Update 11
    <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422>
  * Oracle Security Alert for CVE-2013-0422
    <http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html>
  * K.I.A. - WTOP.com, FedNewsRadio and Tech Blogger John Dvorak Blog
    Site Hijacked - Exploits Java and Adobe to Distribute Fake A/V
    <http://www.invincea.com/2013/05/k-i-a-wtop-com-fednewsradio-and-tech-blogger-john-dvorak-blog-site-hijacked-exploits-java-and-adobe-to-distribute-fake-av-2/>


      Revision History

  * Initial release

------------------------------------------------------------------------

This product is provided subject to this Notification
<http://www.us-cert.gov/privacy/notification>
and this Privacy & Use
<http://www.us-cert.gov/privacy/>
policy.
