
Iowans, avoid for now......

Created: 01 Feb 2010 • Updated: 01 Nov 2010 | 5 comments

this just in (and for the 3rd time in a year!)

Bulletin – Website Malware

Date: February 1, 2010

Recent reports indicate that visitors to the KCCI website may have been exposed to malware. The KCCI website has been disabled by their service provider but cached copies of the site are still available.

- State employees should NOT visit the KCCI website.
- State employees should notify their IT staff if they notice unusual behavior or pop-ups on their computer.

Thank you,

DAS Information Security Office


snekul:

All right! Good times. While I don't know if this is the exact vector, the security community really needs to target the ad-selling companies to increase their scrutiny and security.

Eric C. Lukens IT Security Policy and Risk Assessment Analyst University of Northern Iowa

teiva-boy:

Website security at the perimeter is needed more and more now, and items like this only validate that need.

Web 2.0 is a good reason a lot of threats are spreading. Just because you are on a legitimate site doesn't mean the ads being served on it are from the same trusted site...

Of course for you web server admins, you need to install not just AV protection, but some sort of HIPS-level protection to sandbox and isolate processes and filesystems from malicious behavior. This means a product that will not allow certain processes to write to a directory when they should never do that...

There is an online portal, save yourself the long hold times. Create ticket online, then call in with ticket # in hand :-) "We backup data to restore, we don't backup data just to back it up."
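The process-confinement rule teiva-boy describes above (a process that should never write to a directory is stopped from doing so), shown as an added illustrative example that is not from the original thread or from any vendor's product: a small Python checker applies a hypothetical per-process allow-list of writable directory subtrees to constructed file-write events and flags the writes that fall outside it. The process names, paths and log format are all made up for the example.

```python
import re
from typing import Dict, List, Tuple

# Hypothetical allow-list in the spirit of the HIPS rule described above: each
# browser/plug-in process may write only under these subtrees. "*" stands for
# exactly one path component (here, the user name). Paths are constructed.
ALLOWED_WRITE_ROOTS: Dict[str, List[str]] = {
    "iexplore.exe": [r"C:\Users\*\AppData\Local", r"C:\Users\*\Downloads"],
    "flashplayer.exe": [r"C:\Users\*\AppData\Roaming\Macromedia"],
}

# Constructed file-system events in a made-up "key=value" format; real HIPS or
# endpoint telemetry will look different.
SAMPLE_EVENTS = r"""
2010-02-01 14:02:11 proc=iexplore.exe pid=2412 op=write path=C:\Users\jdoe\AppData\Local\Temp\ad_cache.tmp
2010-02-01 14:02:13 proc=iexplore.exe pid=2412 op=write path=C:\Windows\System32\drivers\svchost32.sys
2010-02-01 14:02:14 proc=flashplayer.exe pid=3301 op=write path=C:\Users\jdoe\AppData\Roaming\Macromedia\Flash Player\settings.sol
2010-02-01 14:02:15 proc=flashplayer.exe pid=3301 op=write path=C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.exe
2010-02-01 14:02:16 proc=flashplayer.exe pid=3301 op=read path=C:\Windows\System32\kernel32.dll
2010-02-01 14:02:20 proc=winword.exe pid=2900 op=write path=C:\Users\jdoe\Documents\report.docx
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) proc=(?P<proc>\S+) pid=(?P<pid>\d+) op=(?P<op>\w+) path=(?P<path>.+)$"
)


def _root_to_regex(root: str) -> "re.Pattern[str]":
    """Turn an allow-list root into a case-insensitive 'path is inside this subtree' regex."""
    escaped = re.escape(root).replace(r"\*", r"[^\\]+")
    # The write must be *inside* the subtree, so require a backslash after the root.
    return re.compile("^" + escaped + r"\\", re.IGNORECASE)


def is_write_allowed(proc: str, path: str, policy=ALLOWED_WRITE_ROOTS) -> bool:
    """True if the process is not confined by the policy, or the path lies under an allowed root."""
    roots = policy.get(proc.lower())
    if roots is None:
        return True  # process not covered by the policy: the rule says nothing about it
    return any(_root_to_regex(r).match(path) for r in roots)


def find_violations(log_text: str, policy=ALLOWED_WRITE_ROOTS) -> List[Tuple[str, str, str]]:
    """Return (timestamp, process, path) for every write the policy forbids."""
    hits = []
    for line in log_text.strip().splitlines():
        m = EVENT_RE.match(line)
        if not m or m["op"].lower() != "write":
            continue  # malformed line or not a write: nothing to confine
        if not is_write_allowed(m["proc"], m["path"], policy):
            hits.append((m["ts"], m["proc"], m["path"]))
    return hits


if __name__ == "__main__":
    # On the constructed events this reports the browser writing a driver into
    # System32 and the Flash process dropping an executable into the Startup folder.
    for ts, proc, path in find_violations(SAMPLE_EVENTS):
        print(f"{ts} BLOCK {proc} -> {path}")
```

The policy is deliberately an allow-list rather than a deny-list: a browser or plug-in process gets a short list of places it legitimately writes (caches, downloads, its own settings) and everything else is a violation, which is what catches a drop into System32 or a Startup folder without needing to enumerate every bad location in advance.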

TallTech:

That the site had a Flash ad that has now been removed.
I am still trying to determine exactly what Symantec flagged these potential issues as and tie it back to an increase in some downloader and Trojan.pidef.H activity seen today.

ShadowsPapa:

"That site", KCCI.COM/, has been a thorn in my side for a year!
They farm it out - have some eastern US company build and maintain the site like most TV stations do. I believe it's a template site, so it's the same for dozens of stations, the station just adds their own content, *I THINK*
In any case, the firm out east that builds and maintains the sites and adds the ads and such does NOT do a good job of keeping the sites secure. In short, their security is very poor.  They seem to toss in anything that makes them money with no concern for impact on the users.
If I was KCCI's general manager, I'd fire that firm in the next 24 hours and look elsewhere for a RESPONSIBLE web company.
This has been going on since I first discovered a threat on their site roughly a year ago. I contacted KCCI direct and they apologized and contacted the web company and got it fixed. Then a few months later, again, then again, and now this.
Would your company keep a web contractor that kept doing this sort of thing?
I'd not want my good name associated with a provider that tossed in risky ads and didn't do scans and thorough background checks.
If I was not 100% sure it was safe, I'd not allow it on my site, and yet, they do.... Over and over............ and we have to keep warning our users, at times BLOCKING KCCI.COM via firewalls, etc.
We can't keep them blocked as they are a major Iowa TV/news site and there'd be an uproar from our users, but in a way, I'm hoping KCCI general management SEES MY POSTS here.
This is simply crazy. It's also irresponsible for the web creator.  There are tools.

((And it speaks to how bad Adobe is as well................... Reader, Flash, you name it, Adobe has holes, and nearly monthly.........))

ShadowsPapa:

I would hope and assume that indeed by now that site is fixed and at least for a short time, safe.
It was a risk just a couple short weeks ago or so, and prior to that, it was a risk just a couple of months back, as well as last spring.
So, here's hoping it's once again safe for all to use.
However, I would advise folks to make REALLY sure your computer is 150% current on all patches, your AV is 200% current on everything, you should update/upgrade your flash player or even disable flash there, and you don't click on any ads.
(I don't even allow flash on my notebook computers)