Malware found on Guardian article that asks if cybercrime is out of control

Guardian angler exploit kit

Security researchers have observed that a Guardian newspaper article exploring the various facets of cybercrime is redirecting visitors to a webpage hosting the Angler exploit kit.

FireEye's J. Gomez, Kenneth Hsu, and Kenneth Johnson explain their findings in a post published on the firm's blog.

"FireEye Labs recently spotted a 2011 article on cybercrime from the news site theguardian[.]com that redirects users to the Angler Exploit Kit. Successful exploitation by Angler resulted in a malware infection for readers of the article."

As our readers might recall, Angler is one of the kits behind a 75% rise in exploit kit activity in the third quarter of this year compared with Q3 of 2014.

This is in spite of the fact that researchers with Cisco’s Talos Security Intelligence and Research Group disrupted part of the exploit kit's infrastructure earlier this fall.

Ironically (or perhaps not so much), the Guardian article redirecting to Angler is a piece by Misha Glenny entitled "Cybercrime: is it out of control?"

Guardian article

As if in direct response to the headline, a syndication link loaded in the background of the article kicks off a chain of redirects that ends, via injected HTML, at a landing page for the Angler exploit kit.

In this particular attack, Angler appears to favour older vulnerabilities. One of the bugs exploited is CVE-2014-6332, the Windows OLE Automation Array Remote Code Execution Vulnerability that Microsoft patched in MS14-064 around this time last year. It affects Internet Explorer versions 3 through 11, and successful exploitation lets an attacker run code of their choosing, bypassing the script engine's built-in safety checks and other protections.

An attacker can trigger the bug from VBScript using the impressive-sounding "GodMode" technique: a failed attempt to resize a SafeArray leaves the array's recorded size larger than its actual allocation, giving the script out-of-bounds access to memory. The publicly documented exploit uses that access to flip the VBScript engine's safe-mode flag, after which the script is free to launch arbitrary code on the machine.

Angler also embeds a Flash object on the page at runtime and reserves the right to serve up an exploit targeting Adobe's software. Before it attempts any exploitation, however, the kit first checks the visitor's system for anti-virus and analysis tools, and for the malicious VBScript exploit, SC Magazine reports. If either is detected, Angler changes its behaviour and may terminate before any exploitation has taken place.
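The page does not reproduce the injected markup or the Flash object, but both have a familiar shape: a third-party iframe or script that the legitimate page never intended to load, often sized or styled to be invisible, and an object or embed tag pulling in a .swf. The Python below is an added example (not FireEye's, the Guardian's, or SC Magazine's code) of a static triage check a site owner or analyst could run over a fetched copy of a page to list embeds pointing off-site and flag those that are hidden or load Flash. The sample HTML and every domain in it are constructed placeholders.

```python
"""Static triage of a fetched HTML page: list third-party embeds and flag the
suspicious ones (hidden iframes, Flash objects). Constructed example; it only
parses markup and never executes the page's script."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

FLASH_TYPE = "application/x-shockwave-flash"


def _host_of(url):
    """Hostname of an absolute URL, or None for a relative (same-origin) URL."""
    return urlsplit(url.strip()).hostname


def _is_first_party(host, site_domain):
    # Relative URLs and the site's own domain/subdomains are first-party.
    if host is None:
        return True
    return host == site_domain or host.endswith("." + site_domain)


def _looks_hidden(attrs):
    """True for display:none / visibility:hidden or a 1x1 (or smaller) frame."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        width = int(attrs.get("width", "100").rstrip("px"))
        height = int(attrs.get("height", "100").rstrip("px"))
    except ValueError:          # e.g. "100%": not a pixel size, do not guess
        return False
    return width <= 1 or height <= 1


class _EmbedScanner(HTMLParser):
    TAGS = {"iframe", "script", "object", "embed"}

    def __init__(self, site_domain):
        super().__init__()
        self.site_domain = site_domain
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.TAGS:
            return
        a = {name: (value or "") for name, value in attrs}
        src = a.get("src") or a.get("data") or ""   # <object> uses data=
        if not src:
            return
        host = _host_of(src)
        if _is_first_party(host, self.site_domain):
            return
        is_flash = (a.get("type", "").lower() == FLASH_TYPE
                    or src.lower().endswith(".swf"))
        self.findings.append({
            "tag": tag, "host": host, "src": src,
            "hidden": _looks_hidden(a), "flash": is_flash,
        })


def find_third_party_embeds(html, site_domain):
    """Every iframe/script/object/embed whose source is off-site."""
    scanner = _EmbedScanner(site_domain.lower())
    scanner.feed(html)
    return scanner.findings


def risk_findings(html, site_domain):
    """Off-site embeds that are hidden or load Flash: the shape of an injected
    exploit-kit redirect (hidden iframe) or a runtime Flash exploit object."""
    return [f for f in find_third_party_embeds(html, site_domain)
            if f["hidden"] or f["flash"]]


# Constructed sample page: two first-party scripts, a visible ad frame from a
# partner, a hidden 1x1 iframe to an unrelated host, and a Flash object.
SAMPLE_HTML = """<html><body>
<script src="https://www.example-news.test/js/app.js"></script>
<script src="https://cdn.example-news.test/syndication.js"></script>
<iframe src="http://ads.partner.test/widget" width="300" height="250"></iframe>
<iframe src="http://redir.invalid/landing.php?q=1" width="1" height="1"
        style="display:none"></iframe>
<object type="application/x-shockwave-flash"
        data="http://redir.invalid/flash.swf"></object>
</body></html>"""

if __name__ == "__main__":
    for finding in risk_findings(SAMPLE_HTML, "example-news.test"):
        print(finding)
```

Two caveats for anyone using this as a first pass: a redirect assembled in JavaScript at runtime (which is how the Flash object described above gets onto the page) is invisible to a parser that never executes script, so a clean result is not proof of a clean page, and a partner's legitimately loaded syndication script can itself be the thing that was tampered with, which is why the third-party list is worth reviewing even when nothing is flagged.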


According to The Register, The Guardian is aware of FireEye's findings and is working to fix the problem.

News of this infection arrived just one day after Joseph C. Chen, a fraud researcher with Trend Micro, observed that blog pages at The Independent newspaper were also redirecting visitors to Angler. In that case, if a visitor was running an out-of-date version of Adobe Flash Player, the exploit kit exploited it and dropped the TeslaCrypt 2.2.0 ransomware onto their PC.

Independent blogs

As of the evening of December 9th, The Independent's WordPress-based blog was redirecting all visitors to the paper's main site, which was not affected by the infection.

These two incidents reveal how no one - not even news organizations - can consider themselves completely safe from malware.

And that means that internet users who catch up with the news online need to be careful too.

In both instances, Angler relied on old, already-patched vulnerabilities to infect machines that had not been updated. This just goes to show how important it is to install software patches as soon as they become available. Trust me. It could save you a massive headache in the future.



2 Responses

  1. coyote

    December 11, 2015 at 10:34 pm #

    Yes, it is ironic. Even if it isn't surprising to some (us?), it is unexpected and certainly it is surprising to The Guardian (which is an ironic name, isn't it, when you consider they're doing a poor job of being a guardian… at least with computer security[1]).

    This is bad but it's also incredibly amusing (but I admittedly can find amusement in most everything). Hopefully The Guardian will have taken down any affected pages and then try to figure out what is wrong (at least if they're going to keep the site up they could try to isolate it [to an extent?] in some way). Hopefully they also do more than just fix the pages (it would be silly not to go beyond that but the way some organisations act… )

    [1] Since someone I just pointed this out to didn’t quite get it. It comes down to puns. No matter what some feel about puns they still can be found most everywhere. I.e. they aren’t being A guardian at all when it comes to protecting their visitors.

  2. Michael

    December 16, 2015 at 2:08 pm #

    Very interesting article David and I'd love to speak with you at some point as we see this issue everywhere and currently have the only solution to it. Traditional Firewalls, DNS, AV solutions cannot see/block this as it resides within the browser.
