Porn & Spyware Found on Govt. and School Sites

It would be great if the compromised Web servers I wrote about last week at Lawrence Livermore National Labs were an aberration, but sadly they are not. Conducting a simple Google search for adult-themed search terms found in ".gov" domains produces some very interesting results, including pages serving up adult videos along with a generous helping of spyware.

Several pages on both the official Web sites for the State of Louisiana and the Virgin Islands Housing Finance Authority show up prominently in the search results for porn at dot-gov domains. A handful of pages on those sites feature a blank video player that prompts the visitor to install a special video "codec" in order to view the adult movie.

Visitors who agree to install the codec inadvertently also agree to install a piece of spyware that modifies the browser's home page, produces security alert icons on the Windows desktop, and serves nagging pop-up ads to install bogus anti-virus and anti-spyware security software.

I submitted the codec for a scan at VirusTotal, a free service that uses the combined power of more than two dozen different anti-virus tools to test whether a file is malicious. The results were not encouraging: Only three anti-virus products flagged it as invasive, labeling it a variant of the Zlob Trojan.

According to Sunbelt Software, an anti-spyware and security company based in Clearwater, Fla., the fake codec scam is the number one method for downloading spyware onto victims' machines today.

Sunbelt researcher Adam Thomas said scam artists and spammers have mastered the art of seeding blogs and Web sites with links and other content that jacks up the Google search ranking of porn sites.

"Simply put - Google is not a porn friendly search engine," he said. "Scammers, spammers and criminals have done a great job obtaining top search engine position for virtually all adult related queries."

Government institutions are not alone. These attacks have also infiltrated K-12 schools, even though most U.S. school systems have filtering software in place to block access to porn and other objectionable content. But what happens when the school's site itself is serving up the porn?

I found some of the same Zlob spyware links in videos posted to several K-12 school sites. Searching for "porn sex free k12 site: .us" in Google brings up a long list of school Web sites that either include graphic images or link to porn sites. Be aware that it may not be safe for your computer (or your job if you're at work) to click on the returned links. Some of the results are just the usual porn site links inserted into guest book entries or comments on school blogs, but an increasing number of them feature pages full of graphic images, some of which appear to include very young girls.

The Web site for Gilbert Public Schools in Arizona is one such example. Clicking on pretty much any of the 2,700 posts in the site's user forum brings the visitor to an eye-popping page full of graphic images. Click on them and chances are you will be redirected to a video player page that then prompts you to install a special codec.

By Brian Krebs  |  August 29, 2007; 3:26 PM ET
Categories:  Latest Warnings  

Comments

This is about as much of a discovery as the traffic on the various poker sites during business hours. It is an amazing thing to see.

The amount of risk and revenue which are squandered away by folks with no sense of obligation to anyone or anything is really a rampantly spreading virus more dangerous than any code will ever be.

Posted by: RetCombatVet | August 29, 2007 6:11 PM | Report abuse

@RetCombatVet:

'The amount of risk and revenue which are squandered away by folks with no sense of obligation to anyone or anything is really a rampantly spreading virus more dangerous than any code will ever be.'

What a great quote. But put blame as well on the vendors who sell substandard computer systems punters can't be expected to understand. As Bill Joy said, the atrocity was putting standalone systems on the Internet with no thought for security implications.

People are basically good. Yes they're lame but then again so are we all. Undermine someone's best interests with a computer that allows stuff like this and they look even worse.

Fortunately few computer systems are this bad - only the most popular one.

Posted by: Rick | August 29, 2007 7:37 PM | Report abuse

"Sunbelt researcher Adam Thomas said scam artists and spammers have mastered the art of seeding blogs and Web sites with links and other content that jacks up the Google search ranking of porn sites."

This has been happening on the Post's own Capital Briefing blog for the past couple of weeks.

Posted by: Patrick Huss | August 29, 2007 9:19 PM | Report abuse

Patrick, this is entirely

Posted by: Alex Eckelberry | August 29, 2007 9:38 PM | Report abuse

"This has been happening on the Post's own Capital Briefing blog for the past couple of weeks."

Patrick, this is quite different. What Brian is reporting about is NOT comment spam (which seems to be confusing people). These are real web pages uploaded onto these schools and institutions which redirect people to other sites -- hosting malware, porn, etc.

Posted by: Alex Eckelberry | August 29, 2007 9:39 PM | Report abuse

I came to US as political refugee on human rights violations in former USSR
I am Russian Jew, and I got a lot of discrimination in USSR
My parents are Holocaust survivors.
But I got the worst thing in USA, never possible in communist country.
I was set up with my computer, convicted as a s..x offender for computer p..rn.
Now I do not have job and can hardly survive under police database
supervision, named s..x offender registration. Nobody wants to hire me,
I think because of police database.
And I have family. Who cares? Dirty politicians are playing their
dirty games for more power.
I would like to send you some links to publications about my criminal
case. I was forced to confess to the
possession of internet digital pictures of p..rn in deleted clusters
of my computer hard drive. My browser was hijacked while I was
browsing the web. I was redirected to illegal sites against my will.
Some illegal pictures were found on my hard drive, recovering in
unallocated clusters, without dates of file creation/download.

I do not know how courts can widely press these charges on people to
convict them, while the whole Internet is a mess.
You can find all links to publications about my case here

http://estrinyefim.newsvine.com/_news/2007/06/23/798199-internet-porn-hysteria

Posted by: Fima Fimovich | August 29, 2007 10:22 PM | Report abuse

Brian

As I checked out Total Virus [totalvirus.com] as suggested in this article, I also happened to see

http://securityworld.blogspot.com 's alleged virus checking site, namely,

www.infectedornot.com

IS THIS A LEGITIMATE SITE, or is it designed to download spyware since it wanted to modify several of my browsers???

Posted by: brucerealtor@gmail.com | August 29, 2007 11:31 PM | Report abuse

Sorry -- that was virustotal.com

Posted by: brucerealtor@gmail.com | August 29, 2007 11:33 PM | Report abuse

Porn on government websites? Well, of course, this is a Republican Administration. Everyone knows that the moral values GOPers are sexually repressed, therefore, psychos and perverts.

Posted by: Gatsby1 | August 29, 2007 11:38 PM | Report abuse

This article by the Washington Post clearly violates 18 USC 2252B(a) and (b), and the Post should be prosecuted for this violation. The Post has no business pretending the first amendment protects journalists who use the guise of their profession to show online how to access illegal materials, such an online illustration is in itself illegal.

Posted by: Concerned American | August 30, 2007 8:07 AM | Report abuse

@concerned american

Normally I'm better at resisting trolls, but...
1. By all means, if you think a violation has occurred, please swear out an affidavit and see if you can interest the federal authorities... of course then you can't be anonymous...

2. Did you read the law you cited? Because each provision requires a person to act "with the intent to deceive[.]" I'm sure you can explain in what manner there can possibly be deception in an article that takes pains to explain exactly what is found when the link is clicked - even to point of mentioning spyware that is loaded.

It really gets my goat when blogs like this one, that educate readers as to the dangers on the Net, and give constructive information on how to protect yourself, are the subject of misguided and/or ill-informed attacks.

Posted by: tjohn | August 30, 2007 3:32 PM | Report abuse

I've always found a multi-layered defense works best against this kind of stuff, part of which includes a blocking hosts file. For more info, see the following:

Blocking Unwanted Parasites with a Hosts File
http://www.mvps.org/winhelp2002/hosts.htm

and the related blog:

http://msmvps.com/blogs/hostsnews/default.aspx

One can NOT rely on Antivirus ONLY any longer even if it is updated daily!

BTW. Another very important defense layer:

A non-admin account:

http://blog.washingtonpost.com/securityfix/2006/05/the_importance_of_the_limited.html

Using these techniques along with a wary eye has kept me clean for years!

Posted by: TJ | August 30, 2007 4:43 PM | Report abuse

The real problem here is webmasters and network admins are not securing their websites and webservers properly. That's what allows them to be hacked in the first place. Also outdated server side scripts and web apps. Webserver software and web applications need to be kept updated and patched just like your PC's OS and applications. Otherwise, they are sitting ducks for hackers.

Brian, your virustotal link has expired. They are only good for a few hours. ;)

Posted by: suzi | August 30, 2007 8:14 PM | Report abuse

Forgot to mention another VERY important layer..... keep ALL software on a system patched.

As Suzi mentioned, the problem highlighted here is the failure of administrators to secure their websites. But, that doesn't mean we should ignore the need to secure our own systems to prevent a hacked website from compromising us. We all have a role to play in creating and maintaining a secure computing world.

Posted by: TJ | August 31, 2007 1:06 AM | Report abuse

Even as a reasonably sophisticated user with a local network, firewall, hardware router, virus and spam filters, etc. I still get snookered now and then into clicking on a URL that turns out to do a redirect to porn...

As a result, GOOGLE/YAHOO/etc. offers to send me to porn sites when I am searching for other things... It's just the way it is...
Any gov't spook who wants to accuse me of porn had better be ready to have his personal computer dragged into court by my experts...

Posted by: Dr. O | September 4, 2007 11:17 AM | Report abuse

you dont show nothing

Posted by: Anonymous | October 2, 2007 3:30 PM | Report abuse

Alex, What you describe in your remarkable response to my post is obviously a large part of what this article is about, however the fact that I am talking about something else mentioned in this article hardly means I didn't understand what the article was about. Thanks though, for the condescending reiteration of what I had already read. It always makes my heart warm and my humility tingle a bit when someone treats me like an idiot for no apparent reason.
That I might return the favor please allow me to re-quote the quote from my post "...mastered the art of seeding blogs and Web sites with LINKS...that jacks up the Google search ranking of porn sites". That is what was happening on Capital Briefing at the time I posted my response, this is what I was pointing out in my response, and this is indeed a quote from the article above. I capitalized the word 'links' on my own, to make it easier for you to make out.
I can't imagine what part of my post inspired you to conclude it would be appropriate to address me as if I were a moron, I only hope I can avoid inadvertently insulting your obvious genius in the future.

Posted by: Patrick Huss | November 4, 2007 9:55 PM | Report abuse

The comments to this entry are closed.

 
 