ISC.org hacked and users may have been infected with Angler Exploit Kit malware through redirected websites
After ICANN was hit in mid-November, the website of the Internet Systems Consortium (ISC) has now been hacked by unknown attackers. The attackers redirected visitors of ISC.org to a malware-laden website serving the Angler Exploit Kit.
In a blog report published on 22nd December, 2014, Cyphort Labs said it had warned the ISC.org authorities about the possible malware infection.
Cyphort Labs detected an infection at the website of ISC (Internet Systems Consortium, Inc.). ISC was notified by email of the infection on Dec 22, and on Dec 23 their website was cleaned up from infection and replaced by a static page below.
Internet Systems Consortium
Internet Systems Consortium, Inc., which operates the website ISC.org, is a Delaware-registered non-profit organisation that supports the infrastructure of the universal, self-organizing Internet by developing and maintaining core production-quality software, protocols, and operations. ISC is the developer of Internet tools such as BIND, ISC DHCP, OpenReg and ISC AFTR.
ISC also operates one of the 13 global authoritative DNS root servers, F-root. ISC is also operational in projects such as NetBSD, XFree86, kernel.org, SNS for more than 50 top-level domains, and a DNS OARC (Operations, Analysis and Research Center) for monitoring and reporting of the Internet’s DNS.
The tools ISC provides and the vital data stored on its servers make the hack a cause for worry, though ISC has confirmed that the hack was due to a WordPress plugin issue and that its network servers are uninfected.
This is a WordPress issue, ftp.isc.org, kb.isc.org and our other network resources are unaffected. We have not had any reports of any client machines that have been infected from our website.
ISC has also asked all users who visited the site recently to have their PCs checked for malware and, in addition to removing the malware, to inform ISC at firstname.lastname@example.org.
Experts believe that a plugin in the WordPress CMS used by ISC.org was compromised and that the attackers booby-trapped ISC.org with the Angler Exploit Kit to infect users visiting ISC.org via redirects. Cyphort says that visitors were led through the following redirects:
- snail0compilacion.localamatuergolf.com (18.104.22.168)
- symbolology-rumperis.prairievillage.info (22.214.171.124)
- zapalny.placerosemere-ideescadeaux.ca (126.96.36.199)
- chambouler.mygiftback.com (188.8.131.52)
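For defenders checking whether anyone on their network followed this chain, the sketch below (an added example, not code from Cyphort or ISC) correlates proxy or DNS log entries: a client that requested one of the redirect hosts shortly after visiting ISC.org is flagged for a malware check. The log format, the 60-second window, the `www.isc.org` alias and the client addresses are assumptions; the sample log is constructed.

```python
from datetime import datetime, timedelta

# Redirect hosts listed in the Cyphort report above.
REDIRECT_HOSTS = {
    "snail0compilacion.localamatuergolf.com",
    "symbolology-rumperis.prairievillage.info",
    "zapalny.placerosemere-ideescadeaux.ca",
    "chambouler.mygiftback.com",
}
# The WordPress site only; "www.isc.org" is an assumed alias. ISC states that
# ftp.isc.org and kb.isc.org were unaffected, so they are not counted.
SOURCE_HOSTS = {"isc.org", "www.isc.org"}
WINDOW = timedelta(seconds=60)  # assumed correlation window

# Constructed sample log, assumed format: "ISO-timestamp client-ip host",
# in chronological order.
SAMPLE_LOG = """\
2014-12-22T09:14:02 10.0.0.21 www.isc.org
2014-12-22T09:14:05 10.0.0.21 Chambouler.MyGiftBack.com.
2014-12-22T09:20:41 10.0.0.34 www.isc.org
2014-12-22T09:20:50 10.0.0.34 kb.isc.org
2014-12-22T10:02:13 10.0.0.47 zapalny.placerosemere-ideescadeaux.ca
2014-12-22T11:30:00 10.0.0.55 isc.org
2014-12-22T11:45:00 10.0.0.55 snail0compilacion.localamatuergolf.com
malformed line
"""

def triage(log_text):
    """Map client -> 'redirected' (redirect host requested within WINDOW of an
    ISC.org visit) or 'redirect-host-only' (requested with no recent visit)."""
    last_visit, verdicts = {}, {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip lines that do not match the assumed format
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        client = parts[1]
        host = parts[2].rstrip(".").lower()  # DNS names: case-insensitive, optional root dot
        if host in SOURCE_HOSTS:
            last_visit[client] = ts
        elif host in REDIRECT_HOSTS:
            seen = last_visit.get(client)
            if seen is not None and timedelta(0) <= ts - seen <= WINDOW:
                verdicts[client] = "redirected"
            else:
                verdicts.setdefault(client, "redirect-host-only")
    return verdicts

if __name__ == "__main__":
    for client, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(client, verdict)
```

Clients reported as `redirected` match the chain described in the report; `redirect-host-only` clients reached a listed host some other way and still warrant a look.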
The Angler Exploit Kit exploits vulnerabilities in Internet Explorer, Adobe Flash Player and Microsoft Silverlight. In October, a week after Adobe released its monthly patch update, researchers saw Angler exploiting an integer overflow in Flash that had just been patched.
Once a machine is infected, the malware remotely executes code, downloads more malware files onto the system and decrypts the files into DLL system files to run them in Windows memory. It is one of the most powerful exploit kits available now.
Enigma Software gives the following description for Angler Exploit Kit malware.
Angler Exploit Kit is a hacking tool that is produced to search for Java and Flash Player vulnerabilities on the attacked PC and use them with the aim to distribute malware infections. Angler Exploit Kit commonly checks to see if the PC it is proliferating to has Java or Flash. If Angler Exploit Kit can’t exploit Java or Flash, it delivers a remote control exploit (CVE-2013-0074) that affects Silverlight 5. Silverlight is a plug-in of Microsoft, which is the same as Adobe Flash, for streaming media on Web browsers, and is most likely most known for being used in a streaming video service of Netflix. This attack of Angler Exploit Kit could pose a serious security risk to the infected computer.
It gives the following solutions for users infected with Angler Exploit Kit malware:
- Use an alternative browser. Malware may disable your browser. If you’re using IE, for example, and having problems downloading the malware scanning software, you should open Firefox, Chrome or Safari browser instead.
- Use removable media. Download the malware scanning software on another clean computer, burn it to a USB flash drive, DVD/CD, or any preferred removable media, then install it on your infected computer and run the malware scanning software.
- Start Windows in Safe Mode. If you cannot access your Windows desktop, reboot your computer in ‘Safe Mode with Networking’ and install the malware scanning software in Safe Mode.
- IE Users: Disable proxy server for Internet Explorer to browse the web with Internet Explorer or update your anti-spyware program. Malware modifies your Windows settings to use a proxy server to prevent you from browsing the web with IE.