TechCrunch hacked to distribute Zeus Trojan via JavaScript file

Technology blog TechCrunch was flagged by malware-detections yesterday after it was infected by a variant of the Zeus Trojan.

It was initially detected by security blogger The Harmony Guy, who asked on Twitter if anyone else was getting malicious PDFs from pages at TechCrunch Europe and later claimed that a JavaScript file he identified had "some mangled code at the start which loads an iframe from virtuellvorun.org".

Graham Cluley, senior technology consultant at Sophos, with whom the Harmony Guy conversed about the detection, said that the website appeared to have fallen victim to hackers who planted a malicious script on their site that was designed to infect unsuspecting visitors.

Cluley said that the JavaScript file is used by the site as part of its WordPress infrastructure. He said: “The problem appears to have been present on TechCrunch Europe's website for some time, and yet there's been no obvious warning to visitors posted on its site nor - seemingly - no attempt to remove the malicious script or block users from visiting the infected pages.”

TechCrunch Europe initially used its Twitter feed to say that it was "aware of the (annoying) malware warning" and was trying to fix it. Andy Brett, an engineer working for TechCrunch in California, contacted Cluley via Twitter to say that TechCrunch had removed the offending JavaScript file and was waiting on Google to re-examine and remove the flag.

Rik Ferguson, senior security advisor at Trend Micro, said: “The code redirects to a host which is serving up malicious PDF files. The PDFs are designed to exploit a vulnerability which leads to the download of that Poison Ivy of the criminal underworld, Zeus. The malicious server is hosted by Netdirect over in Frankfurt, Germany, a provider with a relatively colourful history of their own.

“The file itself has very low detection rates at present and only serves to underline the need for a security solution that considers the threat as a whole instead of focusing on one aspect of the threat.”

Cluley said: “Ideally TechCrunch will post a message on its site (on the TechCrunch Europe site, at least) informing users about the incident and advising that they check their PCs with an up-to-date anti-virus. I don't see any message to that effect yet on that site - but I'm hopeful.

“Yes, some firms are embarrassed when their websites become infected - and it's not the kind of event that we would wish upon anyone. But let's not forget that TechCrunch is the victim of a criminal act, and although in an ideal world their site would not have been compromised in this way they are not - ultimately - the ones to blame for the wrongdoing.

“What they can do, as a responsible member of the internet community, is advise anyone who might have visited the site while it was infected to double-check their computer systems. That's the kind of behaviour that we would expect of any website that suffered a security problem - and is, indeed, the kind of behaviour that technology media websites like TechCrunch would expect from others too.”

See original article on scmagazineus.com