Treasury websites compromised
Several US Treasury websites were compromised today. Anyone visiting the following three sites was served a hidden iframe that pulled exploit code in from a third-party domain:
- bep.gov
- bep.treas.gov
- moneyfactory.gov
The injected code can be seen in the screenshot below.
The iframe loads a page from gr[REMOVED]ad.com (hosted in Turkey), which in turn redirects to si[REMOVED]e-g.com/jobs/ (hosted in the Netherlands), where the exploits themselves are served. The kit behind it is the Eleonore Exploit Kit, which carries exploits for several vulnerabilities in Adobe Reader, Flash, Internet Explorer and other client software. The video below shows the kit pushing a malicious PDF to the visitor; the PDF exploits a vulnerability in Adobe Reader. At the time of writing only 20% of AV vendors detected that file.
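As an added example (not code from the original post or from the sites involved), here is a small Python audit that checks a page's HTML for the injection pattern described above: an iframe whose src points off-site and which is also concealed, either by zero or one-pixel dimensions or by a display:none / visibility:hidden style on the iframe or on an enclosing element. The sample HTML, the site hostname used for comparison and the attacker hostnames in it are constructed placeholders (reserved .invalid names), not the real injected code or the redacted domains.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate same-site iframe that must not be
# flagged, one classic 0x0 hidden off-site iframe, and one off-site iframe
# buried inside a display:none container. Hostnames are placeholders.
SAMPLE_HTML = """
<html><body>
<h1>Bureau of Engraving and Printing</h1>
<iframe src="https://www.bep.gov/embed/video" width="640" height="480"></iframe>
<iframe src="http://attacker-hop.invalid/in.php" width="0" height="0"
        style="visibility:hidden"></iframe>
<div style="display:none">
  <iframe src="http://exploit-landing.invalid/jobs/"></iframe>
</div>
</body></html>
"""

HIDDEN_STYLE = re.compile(r"(display\s*:\s*none|visibility\s*:\s*hidden)", re.I)

# Elements that never get a closing tag; they must not be pushed on the stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link",
        "meta", "param", "source", "track", "wbr"}


def _tiny(value):
    """True if a width/height attribute is 0 or 1 pixel (drive-by iframe size)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class IframeAuditor(HTMLParser):
    """Collects (src, reasons) for iframes that are both off-site and concealed."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.stack = []        # (tag, opened_hidden_context) for open elements
        self.hidden_depth = 0  # > 0 while inside an element styled as hidden
        self.findings = []

    def _off_site(self, src):
        host = (urlparse(src).hostname or "").lower()
        if not host:                      # relative src: same origin
            return False
        return host != self.site_host and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden_here = bool(a.get("style") and HIDDEN_STYLE.search(a["style"]))
        if tag == "iframe":
            src = a.get("src", "")
            reasons = []
            if self._off_site(src):
                reasons.append("off-site src")
            if _tiny(a.get("width")) or _tiny(a.get("height")):
                reasons.append("zero-size")
            if hidden_here or self.hidden_depth > 0:
                reasons.append("hidden")
            # Off-site alone is normal (embedded video etc.); off-site plus a
            # concealment indicator is the injection pattern we are hunting.
            if "off-site src" in reasons and len(reasons) > 1:
                self.findings.append((src, reasons))
        if tag not in VOID:
            self.stack.append((tag, hidden_here))
            if hidden_here:
                self.hidden_depth += 1

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, releasing any hidden context it opened.
        while self.stack:
            t, hidden = self.stack.pop()
            if hidden:
                self.hidden_depth -= 1
            if t == tag:
                break


def audit_iframes(html, site_host):
    """Return a list of (src, reasons) for suspicious iframes in the given HTML."""
    parser = IframeAuditor(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for src, reasons in audit_iframes(SAMPLE_HTML, "www.bep.gov"):
        print(f"SUSPICIOUS iframe {src}: {', '.join(reasons)}")
```

Run this against the HTML actually served to visitors (fetched from outside the network, since injected content may be served conditionally), not against the files on disk. It catches only the plain-HTML concealment pattern seen here; an injection done through obfuscated JavaScript that writes the iframe at runtime would need the same check applied to the rendered DOM.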
Our customers were protected against this proactively as we had real-time signatures available that blocked all the exploits.