K.I.A: The Washington Free Beacon Compromised to Serve Up Malware

UPDATE (06/11/13) 12PM EST: The Washington Free Beacon has contacted Invincea to inform us that they have discovered a probable cause for the malicious code injections present on their site. They are reporting that the issue has been addressed and the site is now safe to visit.

(6.10.13) Invincea discovered this morning that an article from The Washington Free Beacon on the breaking NSA Leaks story (freebeacon[.]com/nsa-leaker-surfaces-in-hong-kong/), linked to by the Drudge Report, has been compromising readers with a Java-based exploit kit. Following the recent mass-media compromises we previously reported on wtop.com, federalnewsradio.com, dvorak.org, and nationaljournal.com, it appears that The Washington Free Beacon website has been compromised in a similar fashion. In addition to the article on the NSA Leaks story, JavaScript has been injected onto several pages, including the main index page for The Free Beacon, that builds an iframe to redirect inbound user traffic to hxxp://<random>.myftp[.]biz/o8x792z/?4, as seen in the Invincea infection report below:

The malicious domain above appears to be hosting the same exploit kit (Fiesta EK) that we observed in the nationaljournal.com case, which can be reviewed here. In other words, this appears to be the same exploit used against the other media sites, part of a concerted campaign to infect the visitors of media sites by exploiting vulnerabilities in Java. The technical analysis below shows almost zero detection by the anti-virus vendors: while the toolkit and exploit method may be the same, the signatures vary with each new campaign or iteration.

Invincea customers are protected by default, without requiring any update or signatures, because Invincea’s virtual container approach blocks the malware from infecting the host by running the browser and its plug-ins within the container.

If you are not running Invincea (and why not?!?), then patching Java to the latest version (if you can) may be your only (temporary) protection. We provide signatures below as well as detection rules in the following technical analysis.

Technical Analysis

In our testing, we received a Java exploit with the following characteristics:

_h8stjrl.jar
MD5Sum: f550abb8244b7ecfdd4a4e7d6722ae91
Sha1Sum: 2e77057814ffaf73409be96c83d4507a8309718d
Current VT detection ratio: 3/47

Inside the Java archive are the following class files, with their MD5 sums and current detection ratios:

891fe736212897efd20f5bc5925d0e3d  auk.class – 0/47
d2874c83d213357685a5359f60059660  cee.class – 1/47
86c5ff92c07e8820fe0dc0fd0d81b5bf  feh.class – 0/47
88ff6773c349a07a150364c3c609c7da  ped.class – 0/47
d1a2b3452f3fafbba6ffe45eaf3a72ae  wigtic.class – 0/47

As in the other cases previously observed, the malware downloaded to the victim machine consists of the ZeroAccess rootkit in addition to a Fake AV variant:

ZeroAccess:

MD5Sum: 4fe33f4aa1a849c2f9a4e6aa1d57106e
Sha1Sum: e0e7c84a3a7ce70e96952463e52fb0a032c0f608
Current VT detection ratio: 19/47

FakeAV:

MD5Sum: 88768577e5f7d44b1dcfdb30266baca8
Sha1Sum: 5257e78acb312ba688dd74af05e14286fe20ea4d
Current VT detection ratio: 1/47

Name: ihdefender.exe
MD5Sum: 4bb5d63c5c30abeabd954eeeebb5e534
Sha1Sum: c4affff0534e82f74ec02df021f4aaebab9e7d58
Current VT detection ratio: 0/47
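A hash-matching check over the indicators listed above, added here as an example and not part of Invincea's post: it hashes a file and, because the post gives per-class hashes, also every member of a JAR, so a repacked archive whose outer hash differs can still be caught on an unchanged class. The `lookup` and `scan_blob` names are my own.

```python
import hashlib
import io
import zipfile

# Indicators as published in the post: the exploit JAR, the class files
# inside it, and the dropped payloads. Keys are lowercase hex digests.
KNOWN_MD5 = {
    "f550abb8244b7ecfdd4a4e7d6722ae91": "_h8stjrl.jar (Fiesta EK Java exploit)",
    "891fe736212897efd20f5bc5925d0e3d": "auk.class",
    "d2874c83d213357685a5359f60059660": "cee.class",
    "86c5ff92c07e8820fe0dc0fd0d81b5bf": "feh.class",
    "88ff6773c349a07a150364c3c609c7da": "ped.class",
    "d1a2b3452f3fafbba6ffe45eaf3a72ae": "wigtic.class",
    "4fe33f4aa1a849c2f9a4e6aa1d57106e": "ZeroAccess",
    "88768577e5f7d44b1dcfdb30266baca8": "FakeAV",
    "4bb5d63c5c30abeabd954eeeebb5e534": "ihdefender.exe (FakeAV)",
}
KNOWN_SHA1 = {
    "2e77057814ffaf73409be96c83d4507a8309718d": "_h8stjrl.jar (Fiesta EK Java exploit)",
    "e0e7c84a3a7ce70e96952463e52fb0a032c0f608": "ZeroAccess",
    "5257e78acb312ba688dd74af05e14286fe20ea4d": "FakeAV",
    "c4affff0534e82f74ec02df021f4aaebab9e7d58": "ihdefender.exe (FakeAV)",
}


def lookup(data, md5_set=KNOWN_MD5, sha1_set=KNOWN_SHA1):
    """Return the indicator label if the blob's MD5 or SHA-1 is known, else None."""
    md5 = hashlib.md5(data).hexdigest()
    sha1 = hashlib.sha1(data).hexdigest()
    return md5_set.get(md5) or sha1_set.get(sha1)


def scan_blob(name, data, md5_set=KNOWN_MD5, sha1_set=KNOWN_SHA1):
    """Hash a file and, if it is a JAR/ZIP, each member inside it.

    Returns (location, label) pairs; a member hit is reported as
    '<archive>:<member path>' so the class-level match can be triaged.
    """
    hits = []
    label = lookup(data, md5_set, sha1_set)
    if label:
        hits.append((name, label))
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as jar:
            for info in jar.infolist():
                if info.is_dir():
                    continue
                member_label = lookup(jar.read(info), md5_set, sha1_set)
                if member_label:
                    hits.append((f"{name}:{info.filename}", member_label))
    return hits
```

To scan a file on disk, read it as bytes and pass it to `scan_blob(path, data)`; the hash sets can be swapped for a larger indicator feed via the keyword arguments.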