Monday, January 07, 2008

Security Vendor's Site Gets Hacked

Nothing quite so embarrassing as when a security vendor's site gets hacked, but that happened to CA (formerly Computer Associates) early last week.

While researching the RealPlayer vulnerability reported by SANS earlier, I noted a reference to uc8010.com, which has been hosting malware since late December, which said:
While you're at it, consider blocking access to uc8010-dot-com. If you do a Google Search for this domain, you'll understand why: Lots of injecting of a mailicious 0.js from this domain is currently going on, plenty of web sites seem to contain this booby trap.

I recommend that our readers check to see if their site shows any references to uc8010 via google. Alternatively, look on their webservers to see if there are any unauthorized change to webpages in the past week.
While Googling I noticed that CA.com has a few entries with uc8010.com in them (see above), and I also found this PC World article. According to that article, CA.com had far more links to that malware site earlier in the week, as evidenced by this search of cached pages. However, while the article said the site had been cleaned up, it looks like there are still remnants hiding in the site, at least at the time of this writing.

According to Marcus Sachs, director of the SANS Internet Storm Center, CA may not even host the press release section of its site, as that job is often outsourced to a third party. "When you outsource, you've got to be just as (demanding) about security as you are with your own site," Sachs said.

Still, there's only one word for this: ironic.

BTW, that same SANS note above also suggests blocking ucmal.com, another site hosting malware - where else - in China.


No comments: