Jerusalem Post website serving malware

A couple of posts on Twitter brought to my attention earlier today that the website of the Jerusalem Post is serving up malware to unsuspecting visitors.

Initially, I suspected that the malware was loaded via a compromised advert stream or one of the popups from the site. However, upon further investigation there were the tell-tale signs of hackers at work on the main site.

SophosLabs is adding detection for this SCRIPT injection as Mal/Badsrc-C.

This particular malicious script would have attempted to load other scripts detected by Sophos as Mal/JSShell-B and Troj/ExpJS-N.

Ultimately, the attack tries to load an EXE (log.exe) detected as Mal/Behav-290.

Mal/Behav-290 includes functionality to:

  • run automatically
  • access the internet and communicate with a remote server via HTTP

Mal/Behav-290 communicates via HTTP with the following locations:
d .*******. us

When Mal/Behav-290 is installed it creates the file \Microsoft\smx4pnp.dll.

The following registry entry is created to run code exported by smx4pnp.dll on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run smx4pnp rundll32.exe “</user><user>\Microsoft\smx4pnp.dll”, Launch </user>

In the current climate some will assume that the site has been hacked by a politically motivated hacker. However, in my experience the majority of hacks like this are done via a scattergun approach and it was just bad luck (and bad website security) that meant that the Jerusalem Post was the victim.