UPDATE (06/11/13) 12PM EST: The Washington Free Beacon has contacted Invincea to inform us that they have discovered a probable cause for the malicious code injections present on their site. They report that the issue has been addressed and the site is now safe to visit.
The malicious domain above appears to be hosting the same exploit kit (Fiesta EK) that we observed in the nationaljournal.com case, which can be reviewed here. In other words, this appears to be the same exploit used against other media sites, part of a concerted campaign to infect the readers of those sites by exploiting vulnerabilities in Java. The technical analysis below shows almost zero detection by anti-virus vendors: while the toolkit and exploit method are the same, the samples are varied with each new campaign or iteration, so existing signatures do not match them.
Invincea customers are protected by default, without requiring any update or new signatures, because Invincea’s virtual container runs the browser and its plug-ins inside the container and blocks the malware from infecting the host.
If you are not running Invincea (and why not?!?), then patching Java to the latest version (if you can) may be your only, and temporary, protection. We provide signatures as well as detection rules in the technical analysis below.
In our testing, we received a Java exploit with the following characteristics:
Current VT detection ratio: 3/47
Inside the Java archive are the following class files, with their MD5 sums and current detection ratios:
891fe736212897efd20f5bc5925d0e3d auk.class – 0/47
d2874c83d213357685a5359f60059660 cee.class – 1/47
86c5ff92c07e8820fe0dc0fd0d81b5bf feh.class – 0/47
88ff6773c349a07a150364c3c609c7da ped.class – 0/47
d1a2b3452f3fafbba6ffe45eaf3a72ae wigtic.class – 0/47
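One way to turn the class-file hashes listed above into a detection check, as an added example that is not part of the original post or Invincea’s tooling: the script below opens a JAR (a zip container), hashes every .class entry it contains, and reports any entry whose MD5 appears in the indicator list. Hashing the entry contents rather than the whole archive means a repacked JAR carrying the same classes still matches, and an entry renamed to a different class name still matches on content. The IOC dictionary holds the five hashes from the analysis above; the sample JARs, their class bytes and the extra "constructed-sample" indicator are constructed here for illustration and are not the real malicious classes.

```python
import hashlib
import io
import zipfile

# Indicators from the analysis above: MD5 of each class file inside the
# malicious Java archive, mapped to the class name reported for it.
KNOWN_CLASS_MD5S = {
    "891fe736212897efd20f5bc5925d0e3d": "auk.class",
    "d2874c83d213357685a5359f60059660": "cee.class",
    "86c5ff92c07e8820fe0dc0fd0d81b5bf": "feh.class",
    "88ff6773c349a07a150364c3c609c7da": "ped.class",
    "d1a2b3452f3fafbba6ffe45eaf3a72ae": "wigtic.class",
}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def scan_jar(jar_bytes: bytes, iocs=KNOWN_CLASS_MD5S):
    """Hash every .class entry in a JAR and return the entries whose MD5 is
    in the IOC set, as (entry_name, md5, ioc_label) tuples.

    Hashing is done on the entry contents, not on the zip container, so a
    repacked JAR with the same classes still matches. Non-.class entries are
    skipped; non-zip input raises zipfile.BadZipFile.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".class"):
                continue
            digest = md5_hex(jar.read(info))
            if digest in iocs:
                hits.append((info.filename, digest, iocs[digest]))
    return hits


def build_jar(entries: dict) -> bytes:
    """Constructed helper: pack {name: bytes} into an in-memory JAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()


# Constructed sample data (class-file magic plus filler); these bytes are
# NOT the real malicious classes and do not hash to the indicators above.
CLEAN_CLASS = b"\xca\xfe\xba\xbe\x00\x00\x00\x32" + b"clean-class-body"
SUSPECT_CLASS = b"\xca\xfe\xba\xbe\x00\x00\x00\x32" + b"constructed-suspect-body"

# A benign JAR that reuses the name auk.class: the name alone must not fire.
CLEAN_JAR = build_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                       "auk.class": CLEAN_CLASS})
# A JAR whose suspect class has been renamed: content hash must still fire.
SUSPECT_JAR = build_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                         "renamed.class": SUSPECT_CLASS})

# Local IOC set: the page's hashes plus the constructed sample's hash, so the
# example can show a match without shipping real malicious bytes.
LOCAL_IOCS = dict(KNOWN_CLASS_MD5S)
LOCAL_IOCS[md5_hex(SUSPECT_CLASS)] = "constructed-sample.class"

if __name__ == "__main__":
    print("clean jar vs page IOCs:", scan_jar(CLEAN_JAR))
    print("suspect jar vs local IOCs:", scan_jar(SUSPECT_JAR, LOCAL_IOCS))
```

To use this against a real download, read the .jar file’s bytes and call scan_jar on them with KNOWN_CLASS_MD5S; a non-empty result means one of the listed class files is present regardless of how the archive was repacked. Because the campaign varies its samples per iteration, treat a miss as inconclusive rather than as a clean bill of health.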
As in the other cases previously observed, the malware downloaded to the victim machine consists of the ZeroAccess rootkit together with a Fake AV variant:
Current VT detection ratio: 19/47
Current VT detection ratio: 1/47
Current VT detection ratio: 0/47