On May 2, 2013 US Department of Labor website hacked, serves malware, now fixed

09 May

You may have read about the US Department of Labor “getting hacked”.

It’s true, but fortunately the story is not quite as gory as it sounds in those two fateful words.

A subdomain of the Department’s main website, running off a separate server – what’s known colloquially as a microsite – was modified to serve up malware.

There’s a sort of double irony here, because news about the breach broke on May Day, which is Labour Day in much of the world, though not in the United States, where it is celebrated in September.

The affected microsite was, which is currently (2013-05-02T10:22Z) offline.

SEM stands for Site Exposure Matrices, but the “site” in the name refers not to websites but to worksites.

The SEM “is a repository of information on toxic substances present at Department of Energy sites and other locations where radiation exposure is a possible hazard.

We’ve already seen speculation that the radiation-related nature of the SEM site tells us that this is a targeted attack, and certainly the site is not one you would expect to draw a lot of traffic.

On the other hand, of course, it might just be that the site was attacked because it was vulnerable while other parts of the Department of Labor site were not.

→ Many organisations use microsites for special purposes, such as conducting one-off marketing campaigns or, as in this case, for presenting specialised data. Often, this is to avoid bothering the IT team with change requests for the main website, or in order to try something new. If you use microsites this way, make sure you don’t take any security shortcuts while you are “innovating”.

The attack used a malicious JavaScript file to get your browser to download a file called bookmark.png.

This sounds like an image file, but is in fact a Windows program with the first byte altered so that it can’t run by itself.

In theory, your browser shouldn’t do anything more than simply, and harmlessly, download the offending file.

But the malicious JavaScript then uses the function called helo() in the script above in an effort to trigger the CVE-2013-1347 remote code execution vulnerability in Internet Explorer 8.

The attackers hope that this will trick your browser into jumping over its security checks to modify and run the downloaded malware program without asking you.

The good news is that if you are using Internet Explorer 9 or 10 (or even version 6 or 7), you should be safe, since the exploit won’t work and the non-functional bookmark.png file will do you no harm.

→ Sophos security products block the drive-by-download exploit script asTroj/ExpJS-IT and the “payload” executable as Troj/Agent-ABOB.

The attack also uses a malicious script file that includes what are known asanti-anti-virus techniques.

This means that the attacker actively attempts to evade detection by interfering with the operation of one or more of the anti-virus tools you may be running.

If you’re using BitDefender, the script even tries to connect to the local web console to reconfigure the product on your behalf.

→ Sophos security products block this malicious script as Troj/ExpJS-IV.

To summarise:

  • Windows 8 and Server 2012 are immune.
  • Internet Explorer other than version 8 should be immune.
  • The hacked site is off the air and unlikely to reappear until it is clean and safe.
  • An up-to-date anti-virus ought to block the malicious files, even on an unpatched computer.

Oh, and one more thing.

If you use microsites for special-purpose content, take care to avoid introducing special purpose risks at the same time!


Posted by on May 9, 2013 in Uncategorized


22 responses to “On May 2, 2013 US Department of Labor website hacked, serves malware, now fixed

  1. Hack Twitter Accounts Free Tool

    May 10, 2013 at 2:49 am

    Greetings! Very helpful advice in this particular article!
    It’s the little changes that produce the most important changes. Many thanks for sharing!


    May 12, 2013 at 1:15 pm

    What’s up, everything is going perfectly here and ofcourse every one is sharing facts, that’s actually excellent, keep up


    May 15, 2013 at 4:00 am

    Thank you for the auspicious writeup. It if truth be told was
    once a entertainment account it. Glance complex to more added agreeable from
    you! By the way, how could we communicate?

  4. dragonvale dragon

    May 17, 2013 at 7:28 am

    I have been browsing online more than 4 hours today, yet I never found any interesting article like yours.
    It’s pretty worth enough for me. Personally, if all webmasters and bloggers made good content as you did, the web will be a lot more useful than ever before.

  5. Fail Compilation 2013

    May 19, 2013 at 9:23 am

    Hmm it appears like your site ate my first comment (it was super long) so I guess I’ll just sum it up what I had written and say, I’m thoroughly
    enjoying your blog. I too am an aspiring blog writer but I’m still new to everything. Do you have any recommendations for rookie blog writers? I’d
    definitely appreciate it.

  6. free minecraft Accounts

    May 19, 2013 at 10:33 pm

    It’s an awesome article in favor of all the web users; they will take benefit from it I am sure.

  7. free premium minecraft account

    May 25, 2013 at 6:31 pm

    You’re so interesting! I do not suppose I have read anything like this before. So wonderful to discover someone with a few original thoughts on this subject matter. Really.. thank you for starting this up. This site is something that’s needed on the web, someone with some originality!

  8. dragonvale cheat tool download

    May 25, 2013 at 10:56 pm

    Quality posts is the secret to attract the users to pay a visit
    the site, that’s what this website is providing.

  9. dragon vale hack tool

    May 29, 2013 at 2:38 am

    It’s great that you are getting ideas from this article as well as from our dialogue made at this place.

  10. Password Finder

    May 30, 2013 at 6:26 am

    Thanks a lot for sharing this with all folks you really understand what you are speaking approximately!
    Bookmarked. Kindly also visit my site =). We could have
    a hyperlink alternate arrangement between us

  11. vintage food art

    May 30, 2013 at 5:23 pm

    Hi, i think that i noticed you visited my weblog thus i came to
    return the desire?.I am trying to in finding things to enhance my site!
    I suppose its good enough to make use of some of your concepts!

  12. sharecash downloader 2012

    May 31, 2013 at 11:29 am

    Generally I don’t learn article on blogs, however I would like to say that this write-up very forced me to try and do so! Your writing style has been amazed me. Thanks, very nice post.

  13. free minecraft account

    June 1, 2013 at 10:59 am

    I am regular reader, how are you everybody? This paragraph posted at this site
    is genuinely nice.

  14. passwords

    June 2, 2013 at 3:26 pm

    hey there and thank you for your info – I’ve definitely picked up anything new from right here. I did however expertise a few technical issues using this website, since I experienced to reload the site a lot of times previous to I could get it to load properly. I had been wondering if your web hosting is OK? Not that I’m
    complaining, but slow loading instances times will very frequently affect your placement in google and could damage your quality
    score if advertising and marketing with Adwords. Well I
    am adding this RSS to my email and can look out for a lot more of your respective fascinating content.
    Make sure you update this again soon.

  15. reset password

    June 2, 2013 at 6:10 pm

    Tremendous issues here. I am very glad to see your post.
    Thank you a lot and I’m looking ahead to contact you. Will you please drop me a e-mail?

  16. Chassidy

    June 3, 2013 at 4:51 am

    If some one desires expert view regarding running a blog after that i suggest him/her to visit this website, Keep up
    the fastidious work.

  17. Tyrone

    June 3, 2013 at 7:08 am

    Hi to every one, it’s in fact a fastidious for me to visit this web page, it contains valuable Information.

  18. Sharecash bypass

    June 3, 2013 at 11:32 am

    I’m not sure where you are getting your info, but great topic. I needs to spend some time learning more or understanding more. Thanks for fantastic info I was looking for this information for my mission.

  19. make funny video with your face

    June 4, 2013 at 12:50 pm

    I like the helpful information you provide in your articles.
    I’ll bookmark your weblog and check again here frequently. I am quite certain I will learn plenty of new stuff right here! Best of luck for the next!

  20. dragonvale eggs

    June 12, 2013 at 6:05 pm

    Thank you a lot for sharing this with all people
    you really recognise what you’re speaking approximately! Bookmarked. Please also seek advice from my website =). We will have a hyperlink alternate arrangement among us

  21. HowTo Password Hack Twitter Account

    June 19, 2013 at 10:35 am

    Wow, this piece of writing is nice, my sister is analyzing these things, therefore I am going to let know her.

  22. Sharecash downloader 2013

    August 5, 2013 at 10:37 pm

    hello there and thanks on your info ? I’ve certainly picked up something new from proper here. I did alternatively experience several technical points the use of this web site, as I skilled to reload the web site a lot of instances prior to I may just get it to load properly. I had been thinking about if your web host is OK? Not that I’m complaining, but slow loading
    cases instances will sometimes affect your placement in google and can harm
    your high quality score if ads and marketing with Adwords.
    Well I’m adding this RSS to my e-mail and could glance out for a lot more of your respective interesting content. Ensure that you update this once more very soon..


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: