Federal News Radio suffers malicious cyber attack

Posted May 8, 2013, at 8:43 p.m.

The information below has been posted to help FederalNewsRadio.com and WTOP.com visitors check their computers for malware, in light of the recent cyber attack on our system.

  1. How do I know if my computer was infected?

    The malware attack targeted the Internet Explorer browser. If you accessed FederalNewsRadio.com or WTOP.com from Internet Explorer recently, you may have been infected. While other browsers may not have been directly infected, the malware still may have installed a cookie on your browser. We urge everyone to clear their cookies and browser cache no matter what browser they have been using to access FederalNewsRadio.com and WTOP.com, and to do a full virus scan on their machine (see instructions below).

    An infected machine may exhibit some or all of the following behavior:

    • Active programs will be shut down.
    • A fake virus scanner, often labeled “Internet Security,” will automatically open and run.
    • Inability to open or access any programs or applications. Attempting to do so may result in a fake virus warning.
    • Periodic pop-ups displaying a fake warning and/or prompting the user to purchase the full product.
    • The malware (often called amsecure.exe) resides in memory and adds itself to the list of startup programs.

    An infected machine will likely open numerous windows with an error message such as:

    • “Amsecure.exe warning! Application cannot be executed. The file cmd.exe is infected. Please activate your antivirus software.”
    • “Warning! Running Trial version!! The security of your computer has been compromised! Now running trial version of the software! Click here to purchase the full version of the software and get full protection for your PC!”
    • “Attention. Suspicious software activity is detected by Amsecure.exe on your computer. Please start system files scanning for details.”
    • “Amsecure.exe detects application that seems to be a key-logger. System information security is at risk. It is recommended to enable the security mode and run total System scanning.”
    • “Warning! Name: taskmgr.exe. Name: C:\WINDOWS\taskmgr.exe”

    You may also see error messages when trying to access the Internet, such as the ones below:

    • Iexplore caused an Invalid Page Fault in module3 (the number at the end can vary)
    • The web page you requested is not available offline
    • Explorer caused an exception C06D007EH in module Sens.dll
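
A quick triage check for the "resides in memory and adds itself to the list of startup programs" indicator above, as an added example that is not part of the original advisory. The name amsecure comes from this page; the Run/RunOnce registry keys and Startup folders are standard Windows autostart locations, used here as an assumption about where the entry would appear, and the script needs PowerShell 3.0 or later.

```powershell
# Added example: read-only check for the amsecure.exe indicators described above.
# The page says the malware is "often" called amsecure.exe, so an empty result
# does not prove the machine is clean; a full anti-virus scan is still needed.
$Name = 'amsecure'

# 1. Is a process with that name resident in memory?
#    (Path can be empty for processes owned by another user unless elevated.)
$procs = @(Get-Process -Name $Name -ErrorAction SilentlyContinue |
    Select-Object Id, ProcessName, Path)

# 2. Is it registered in the per-user or machine-wide autostart keys?
#    (Assumed locations: the standard Run/RunOnce keys.)
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$autoruns = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($valueName in $item.GetValueNames()) {
        $data = [string]$item.GetValue($valueName)
        # Match on either the entry name or the command line it launches.
        if ($valueName -like "*$Name*" -or $data -like "*$Name*") {
            [pscustomobject]@{ Key = $key; Value = $valueName; Command = $data }
        }
    }
})

# 3. Is there a matching file or shortcut in a Startup folder?
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
) | Where-Object { $_ -and (Test-Path $_) }
$startupFiles = @($startupDirs |
    ForEach-Object { Get-ChildItem -Path $_ -Force -ErrorAction SilentlyContinue } |
    Where-Object { $_.Name -like "*$Name*" } |
    Select-Object FullName, LastWriteTime)

# Report: nothing is deleted or changed; removal is left to the anti-virus scan.
if ($procs.Count + $autoruns.Count + $startupFiles.Count -eq 0) {
    "No process or autostart entry matching '$Name' was found."
} else {
    $procs; $autoruns; $startupFiles
}
```

The fake scanner may block programs from opening in a normal session, so run this from Safe Mode if PowerShell will not start.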

  2. What do I do if I was infected with malware?

    If you don’t already have an anti-virus program on your machine, download one. Some free possibilities are AVG or Avast. A removal tool, which may help, can be found here. The best practice for removing malware is to download the anti-virus program to a trusted, non-infected computer instead of the computer which you believe has the virus.

    If you have access to a trusted, non-infected computer:

    • Download the anti-virus program and save it to a CD or flash drive.
    • Reboot the infected computer.
    • As soon as you see the screen come on, begin tapping the F8 key.
    • You should soon see a menu of options. Use the arrow keys to move up and down the options list (your mouse won’t work) until the “Safe Mode” option is highlighted.
    • Press “Enter” to choose “Safe Mode”.
    • After the computer is done booting into safe mode, insert the CD or flash drive that contains the anti-virus program you downloaded earlier. Navigate to the drive that contains the program. Run the anti-virus program by double clicking on it.
    • Run a full scan on the computer and have it remove any infected files.
    • Restart the computer into its regular state.

    If you do not have access to a trusted, non-infected computer:

    • Reboot the infected computer.
    • As soon as you see the screen come on, begin tapping the F8 key.
    • You should soon see a menu of options. Use the arrow keys to move up and down the options list (your mouse won’t work) until the “Safe Mode with Networking” option is highlighted.
    • Press “Enter” to choose “Safe Mode with Networking”.
    • After the computer is done booting into safe mode, open a browser and download the removal tool from:

      http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~FakeAV-GOJ.aspx

    • Run a full scan on the computer and have it remove any infected files.
    • Restart the computer into its regular state.

Federal News Radio will provide more updates in this space as they become available.


Posted May 7, 2013, at 2:09 p.m.

FederalNewsRadio.com is currently dealing with a malicious cyber attack, which attempts to use our site to infect computers with malware when using the Internet Explorer (IE) browser.

To help protect our website visitors and prevent any further damage, we have blocked access to FederalNewsRadio.com from Internet Explorer. We believe Chrome, Firefox and Safari are safe alternatives, and suggest you use one of these browsers to access the Federal News Radio website.

Federal News Radio’s sister website, WTOP.com, was also affected by the attack in the same manner.

The cyber attack that compromised our web servers injected code into FederalNewsRadio.com and WTOP.com, redirecting vulnerable browsers to rogue websites, which spread the FakeAV malware or a variant of it.

If you have been on either site recently using IE, you should perform a malware scan to check for an infection and get it cleaned.

Additional information on the malware and a removal tool, which may help, can be found here.

Federal News Radio is still in the process of performing a thorough analysis to ensure our systems are free of malicious content. We will update readers and listeners with new information on the situation as soon as it is available.

“We take cybersecurity very seriously, and ensuring that our listeners and readers can safely come to our site is of the utmost importance,” said Lisa Wolfe, program director of Federal News Radio. “Federal News Radio has been and will continue to be the most trusted source of federal news for more than a decade.”

Federal News Radio is one of several media websites that “were compromised and redirecting user traffic to an Exploit Kit serving the same FakeAV malware variant…” according to a blog post by Eddie Mitchell, a security engineer with Invincea.

Mitchell wrote that the attacks against Federal News Radio and its sister station, WTOP, are “likely an indicator of a larger more widespread attack against online media sites.”

If you have questions or wish to report any issues, please contact Lisa Wolfe via phone at (202) 895-5137 or email.