Visitors to the websites of famous American broadcaster NBC are in danger of having their PCs infected with malicious software. A hitherto unknown organization has obtained access to the NBC web servers. The attackers managed to inject malicious iframes into the website’s source code. Using these iframes and the RedKit exploit kit, the attack attempts to infect unprotected computers with variants of the widespread Citadel and ZeroAccess bots.
NBC is among the most visited TV and news portals worldwide. Now, unknown attackers have succeeded in hacking NBC.com and various subpages. The security experts at Emsisoft were alerted to this incident by an accumulation of alerts in their own cloud service, the Anti-Malware Network. Initial analysis shows that the attack attempts to install either Citadel or ZeroAccess malware on visitors’ computers by using different exploits. The attack appears to target an older version of Adobe Reader and, once again, the Java Runtime Environment.
The attack started on the main portal NBC.com and was taken down a few hours later. But the assault is not over yet: at this time, the subsidiary websites latenightwithjimmyfallon.com and jaylenosgarage.com are still spreading malware.
Here is an example of the two malicious manipulations of the web code of NBC.com that the experts at Emsisoft have discovered. This tricky iframe was injected directly into the main page:
Additionally, another malicious iframe is used in one of the JavaScript files:
Both of the exploits used in the attack (CVE-2013-0422 and CVE-2010-0188) are known and fixed in the latest versions of Java and Adobe Reader. However, the exact method can be changed at any time, and such exploit kits typically deliver only attacks tailored specifically to the software on the victim’s system.
Emsisoft therefore recommends that people refrain from visiting NBC.com and subsidiary websites until further notice and ensure that all programs on their computer are up to date. The security solution Emsisoft Anti-Malware detects all generic infection attempts with the Emsisoft Behavior Blocker. New signatures are currently being created to make cleaning already infected computers possible.
Constantly updated blog entry: http://blog.emsisoft.com/2013/02/21/nbc-website-hacked-distributing-dangerous-citadel-malware-through-exploits/
Information about the Emsisoft Behavior Blocker: http://www.emsisoft.com/en/kb/articles/tec121016
Security guide: http://www.emsisoft.com/en/kb/articles/tec120101/
(Sources: CDM and Emsisoft)