US Department of Labor website hacked, serves malware, now fixed

Update: [2013-05-07T13:15Z] The original version of this article suggested that the vulnerability used by the exploit described below was the already-patched CVE-2012-4792, and that a recently-updated Windows would therefore be immune.

It turns out that this is a similar vulnerability, now known as CVE-2013-1347, that is not fixed by the patch for CVE-2012-4792.

IE 8 on Windows XP, 2003, 7 and 2008 is vulnerable. Windows 8 and 2012 are immune; so are IE versions other than 8, including older releases. Microsoft’s EMET (threat mitigation tool) can be used to protect IE 8. Sophos products detect the malicious components as listed below.

Update: [2013-05-09T10:21Z] Microsoft has published a “Fix it” patch for the CVE-2013-1347 vulnerability.

Update: [2013-05-14T20:04Z] The May 2013 Patch Tuesday update provides an official, permanent fix.

You may have read about the US Department of Labor “getting hacked”.

It’s true, but fortunately the story is not quite as gory as it sounds in those two fateful words.

A subdomain of the Department’s main website, running off a separate server – what’s known colloquially as a microsite – was modified to serve up malware.

There’s a sort of double irony here, because news about the breach broke on May Day, which is Labour Day in much of the world, though not in the United States, where it is celebrated in September.

The affected microsite was www.sem.dol.gov, which is currently (2013-05-02T10:22Z) offline.

SEM stands for Site Exposure Matrices, but the “site” in the name refers not to websites but to worksites.

The SEM “is a repository of information on toxic substances present at Department of Energy sites and other locations where radiation exposure is a possible hazard.”

We’ve already seen speculation that the radiation-related nature of the SEM site tells us that this is a targeted attack, and certainly the site is not one you would expect to draw a lot of traffic.

On the other hand, of course, it might just be that the site was attacked because it was vulnerable while other parts of the Department of Labor site were not.

→ Many organisations use microsites for special purposes, such as conducting one-off marketing campaigns or, as in this case, for presenting specialised data. Often, this is to avoid bothering the IT team with change requests for the main website, or in order to try something new. If you use microsites this way, make sure you don’t take any security shortcuts while you are “innovating”.

The attack used a malicious JavaScript file to get your browser to download a file called bookmark.png.

This sounds like an image file, but is in fact a Windows program with the first byte altered so that it can’t run by itself.

In theory, your browser shouldn’t do anything more than simply, and harmlessly, download the offending file.

But the malicious JavaScript then uses the function called helo() in the script above in an effort to trigger the CVE-2013-1347 remote code execution vulnerability in Internet Explorer 8.

The attackers hope that this will trick your browser into jumping over its security checks to modify and run the downloaded malware program without asking you.

The good news is that if you are using Internet Explorer 9 or 10 (or even version 6 or 7), you should be safe, since the exploit won’t work and the non-functional bookmark.png file will do you no harm.
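The bookmark.png trick described above, a Windows executable with its first byte altered and an image extension bolted on, is the kind of thing a download gateway or incident responder can catch by comparing what a file claims to be with what its bytes actually say. The following is an added example written for this article, not code from Sophos or from the attack itself; the "fake PE" and PNG buffers are constructed in the script, and the names bookmark.png and classify() are the example's own.

```python
import struct

# Standard 8-byte PNG file signature.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def looks_like_png(data: bytes) -> bool:
    """True if the buffer starts with the PNG signature."""
    return data[:8] == PNG_MAGIC


def pe_header_offset(data: bytes):
    """Return the offset of the 'PE\\0\\0' signature if the buffer is laid out
    like a Windows PE file (e_lfanew at 0x3C points at 'PE\\0\\0'), else None.
    Deliberately ignores the first two bytes so a damaged 'MZ' stub still matches."""
    if len(data) < 0x40:
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return None
    if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
        return e_lfanew
    return None


def classify(name: str, data: bytes) -> str:
    """Classify a downloaded file by comparing its extension with its content.

    Returns one of:
      png                 - PNG content with a .png name
      png-misnamed        - PNG content under a non-.png name
      pe-executable       - normal 'MZ' executable
      pe-damaged-header   - PE layout but first byte altered (the bookmark.png case)
      pe-suspicious       - PE layout with an otherwise mangled DOS stub
      unknown             - none of the above
    """
    claims_png = name.lower().endswith(".png")
    if looks_like_png(data):
        return "png" if claims_png else "png-misnamed"
    if pe_header_offset(data) is not None:
        if data[:2] == b"MZ":
            return "pe-executable"
        if data[1:2] == b"Z":
            return "pe-damaged-header"
        return "pe-suspicious"
    return "unknown"


def build_fake_pe() -> bytes:
    """Constructed sample: an 'MZ' stub whose e_lfanew (0x3C) points at a
    'PE\\0\\0' header at 0x80. It is a layout skeleton only, not a program."""
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)


def build_disguised_sample() -> bytes:
    """Constructed sample mimicking the article's bookmark.png: the fake PE
    with its first byte altered so Windows will not run it as-is."""
    pe = bytearray(build_fake_pe())
    pe[0] = 0x00
    return bytes(pe)


# Constructed sample: a buffer that really is a PNG header (plus padding).
SAMPLE_PNG = PNG_MAGIC + bytes(16)


if __name__ == "__main__":
    downloads = {
        "bookmark.png": build_disguised_sample(),
        "logo.png": SAMPLE_PNG,
        "setup.exe": build_fake_pe(),
    }
    for fname, content in downloads.items():
        print(f"{fname:14s} -> {classify(fname, content)}")
```

In a real gateway the interesting verdict is pe-damaged-header: a file that is not what its extension says and that, unlike a plain mislabelled executable, has been nudged so it cannot run until something on the victim's machine repairs it, which is exactly what the exploit script was for.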

→ Sophos security products block the drive-by-download exploit script as Troj/ExpJS-IT and the “payload” executable as Troj/Agent-ABOB.

The attack also uses a malicious script file that includes what are known as anti-anti-virus techniques.

This means that the attacker actively attempts to evade detection by interfering with the operation of one or more of the anti-virus tools you may be running.

If you’re using BitDefender, the script even tries to connect to the local web console to reconfigure the product on your behalf.

→ Sophos security products block this malicious script as Troj/ExpJS-IV.

To summarise:

  • Windows 8 and Server 2012 are immune.
  • Internet Explorer other than version 8 should be immune.
  • The hacked site is off the air and unlikely to reappear until it is clean and safe.
  • An up-to-date anti-virus ought to block the malicious files, even on an unpatched computer.

Oh, and one more thing.

If you use microsites for special-purpose content, take care to avoid introducing special purpose risks at the same time!