The Stack Archive

Jamie Oliver site re-infected with ransomware

Fri 13 Mar 2015

The website of celebrity chef Jamie Oliver has been re-hacked with digitally-signed malware, according to the security investigators who found the original vulnerability nearly a month ago.

Over at MalwareBytes’ blog, Jérôme Segura writes today that the cockney cook’s highly popular website, ranked 535th in the UK, has now been compromised with the same injection as before, this time hidden in the HTML source code of the jamieoliver.com homepage.

The report acknowledges that the team behind the website appeared to have eliminated the infection after the initial publicity, but notes that malware often has additional means of re-infection: “Sadly, it appears as though the problem has returned,” writes Segura, “or perhaps was not completely dealt with. It is indeed quite common for a hacked server to retain malicious shells or backdoors that keep on reinfecting the site.”

A quick look at the code of the site showed, presumably in an administrative response to the additional MalwareBytes report, that the offending tag had been ‘commented out’.

The malware that the persistent exploit is seeking to install is called Trojan.Dorkbot.ED, classified within a family of ransomware strains by MalwareBytes.

The new article notes that the malware with which users are at risk of being infected is digitally signed, though with an expired certificate.

The Trojan.Dorkbot.ED ransomware will copy itself to Windows system files upon initial infection, and then create a registry entry intended to call itself at boot-time. The virus gathers and communicates local data to a C&C server, updates itself over the victim’s internet connection as necessary, and accepts commands from a remote attacker.
