Sunday, September 20, 2009

Department of Arts and Malware

Google has a wonderful little tool called the "Safe Browsing Diagnostic", which notes the ocurrence of malware or viruses on web sites that it crawls. One such site that it reports is our own Department of Arts and Culture web site, www.dac.gov.za
According to the report, which can be viewed at http://www.google.com/safebrowsing/diagnostic?site=dac.gov.za/:
Of the 158 pages we tested on the site over the past 90 days, 32 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-09-15, and the last time suspicious content was found on this site was on 2009-08-10.
Malicious software includes 102 scripting exploit(s), 101 trojan(s), 98 exploit(s). Successful infection resulted in an average of 3 new process(es) on the target machine.
Malicious software is hosted on 6 domain(s), including game158.info/, a0v.org/, wowyesgo.info/.
2 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including a0v.org/, game158.info/.

Clearly the infection has since been removed, but the Windows Server hosting the site has not been properly configured. Here is an example of the kind of error message which would indicate a lack of best practise, shared by other web sites such as MTN, Internet Solutions and M-Web, who should all know better.
I would be interested in knowing whether the security lapse has been reported to the minister or the parliamentary committee. My guess is that it was covered up as quickly as possible, in the hopes that no one would find out, the way all government departments work.

2 comments:

Leslie Viljoen said...

Very many IIS sites will produce an error if you append this to their URL:

webresource.axd?d=moo

As far as I can google, this does not indicate an exploit. Can you point me to any information regarding this error indicating a security risk?

Donn Edwards said...

It indicates lack of best practice because the error message can divulge the version of IIS in use, etc. which is used by hackers to exploit known vulnerabilities in that particular server version.


Warning: The NSA and 4 million other sick weirdos with "security clearance" have intercepted this page and know that you are reading it.