US Department of Labor website hacked, serves malware, now fixed

Filed Under: Featured, Malware, Security threats, Vulnerability

Update: [2013-05-07T13:15Z] The original version of this article suggested that the vulnerability used by the exploit described below was the already-patched CVE-​2012-​4792, and that a recently-updated Windows would therefore be immune.

It turns out that this is a similar vulnerability, now known as CVE-​2013-​1347, that is not fixed by the patch for CVE-​2012-​4792.

IE 8 on Windows XP, 2003, 7 and 2008 is vulnerable. Windows 8 and 2012 are immune; so are IE versions other than 8, including older releases. Microsoft's EMET (threat mitigation tool) can be used to protect IE 8. Sophos products detect the malicious components as listed below.

Update: [2013-05-09T10:21Z] Microsoft has published a "Fix it" patch for the CVE-​2013-​1347 vulnerability.

Update: [2013-05-14T20:04Z] The May 2013 Patch Tuesday update provides an official, permanent fix.

You may have read about the US Department of Labor "getting hacked".

It's true, but fortunately the story is not quite as gory as it sounds in those two fateful words.

A subdomain of the Department's main website, running off a separate server - what's known colloquially as a microsite - was modified to serve up malware.

There's a sort of double irony here, because news about the breach broke on May Day, which is Labour Day in much of the world, though not in the United States, where it is celebrated in September.

The affected microsite was, which is currently (2013-05-02T10:22Z) offline.

SEM stands for Site Exposure Matrices, but the "site" in the name refers not to websites but to worksites.

The SEM "is a repository of information on toxic substances present at Department of Energy sites and other locations where radiation exposure is a possible hazard.

We've already seen speculation that the radiation-related nature of the SEM site tells us that this is a targeted attack, and certainly the site is not one you would expect to draw a lot of traffic.

On the other hand, of course, it might just be that the site was attacked because it was vulnerable while other parts of the Department of Labor site were not.

→ Many organisations use microsites for special purposes, such as conducting one-off marketing campaigns or, as in this case, for presenting specialised data. Often, this is to avoid bothering the IT team with change requests for the main website, or in order to try something new. If you use microsites this way, make sure you don't take any security shortcuts while you are "innovating".

The attack used a malicious JavaScript file to get your browser to download a file called bookmark.png.

This sounds like an image file, but is in fact a Windows program with the first byte altered so that it can't run by itself.

In theory, your browser shouldn't do anything more than simply, and harmlessly, download the offending file.

But the malicious JavaScript then uses the function called helo() in the script above in an effort to trigger the CVE-2013-1347 remote code execution vulnerability in Internet Explorer 8.

The attackers hope that this will trick your browser into jumping over its security checks to modify and run the downloaded malware program without asking you.

The good news is that if you are using Internet Explorer 9 or 10 (or even version 6 or 7), you should be safe, since the exploit won't work and the non-functional bookmark.png file will do you no harm.

→ Sophos security products block the drive-by-download exploit script as Troj/ExpJS-IT and the "payload" executable as Troj/Agent-ABOB.

The attack also uses a malicious script file that includes what are known as anti-anti-virus techniques.

This means that the attacker actively attempts to evade detection by interfering with the operation of one or more of the anti-virus tools you may be running.

If you're using BitDefender, the script even tries to connect to the local web console to reconfigure the product on your behalf.

→ Sophos security products block this malicious script as Troj/ExpJS-IV.

To summarise:

  • Windows 8 and Server 2012 are immune.
  • Internet Explorer other than version 8 should be immune.
  • The hacked site is off the air and unlikely to reappear until it is clean and safe.
  • An up-to-date anti-virus ought to block the malicious files, even on an unpatched computer.

Oh, and one more thing.

If you use microsites for special-purpose content, take care to avoid introducing special purpose risks at the same time!

, , , , ,

You might like

5 Responses to US Department of Labor website hacked, serves malware, now fixed

  1. Bob Stromberg · 887 days ago

    Question: If you are using Internet Explorer on a fully patched Windows XP computer, are you safe from this exploit? Note that Win XP does not support IE 9 or later. I recommend that Windows XP users set up Firefox or Chrome as their default browser (and do everyday computing tasks using a "restricted" account, not an "administrator" account.

    And, when they can afford it, migrate to Windows 7 or 8. Assuming they can't afford the expense and migration effort of switching to Mac OS X.

  2. Uh, guys - the advice on this blog post is totally wrong. It's not a patched vulnerability.

    It's a new one:

    Microsoft are working on a patch:

    • Paul Ducklin · 882 days ago

      I was updating the page as you posted this comment :-)

      ("Totally wrong" may be a *bit* harsh, because the advice about IE 9 and 10 stands; the Dept of Labor site was never reinfected, as far as I'm aware; some versions of Windows are immune; and the anti-virus detection information is exact.)

      Nevertheless, I fell on my sword at the top of the article: just patching Windows is not enough to protect against this one. At least, not yet [2013-05-07T14:02Z].

      According to MS (at the link you quote) the company's Enhanced Mitigation Experience Toolkit (EMET), which is a sort-of sandbox wrapper for software that doesn't do sandboxing of its own, *does* protect against this one, so there is at least an official Microsoft workaround if you're worried.

      Apologies for the incorrect presumptions in the original writeup.

      • Word, cheers. It might have been a bit (lot) too harsh, but I just want to make sure people know this one is real and out there - I've spotted a total of 10 other sites which are serving the exploit code (so far). This one will catch out corps as Internet Explorer 8 is the last supported release for Windows XP - and there's a lot of XP shops still out there - and antivirus isn't a total answer as it relies on definitions being available to pick up all variants of the exploit.

        • Paul Ducklin · 880 days ago

          No worries. It *was* worth pointing out...thanks!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog