NBC website hacked and distributes malware - here's what happened

Filed Under: Featured, Malware, Vulnerability

The latest high-profile organisation to fall victim to cybercriminals is the National Broadcasting Company (NBC), one of the so-called Big Three television networks in the USA.

NBC's website was "owned" and used as a go-between in a campaign to infect online visitors automatically.

Fortunately, the malevolent content on the site was up only briefly, limiting the harm that was done.

But researchers at Dutch security company SurfRight managed to grab samples of some of the malware on offer during this time.

→ The samples acquired during the NBC infection aren't necessarily a complete manifest of the malware that was disseminated. The crooks can vary what is served up by their attack sites based on many factors, such as browser type, operating system, your location, the time of day and more.

NBC’s home page and others were affected, including the pages of late night talk show hosts Jay Leno and Jimmy Fallon.

Here's roughly how the attack played out, and how NBC got sucked into the equation:

  • NBC's hacked pages were altered to add some malicious JavaScript that ran in your browser.
  • The JavaScript injected an additional HTML component known as an IFRAME (inline frame) into the web page.
  • The IFRAME sucked in further malicious content from websites infected with an exploit kit known as RedKit.
  • The exploit kit delivered one of two exploit files to try to take control over your browser via a Java vulnerability or a PDF bug.
  • If the exploit worked on your computer, financially-related crimeware from the Citadel or ZeroAccess families was installed.

This, of course, is an example of a dreaded drive-by download, where the crooks use a cascade of tricks to download, install and execute software without going through any of the warnings or confirmation dialogs you might expect.

This, in turn, means that even if you are a careful and well-informed user, you may end up in trouble, since there are no obvious signs that you are doing anything risky, or even unexpected.

Obviously, it's a big deal for anyone to redirect traffic from a high-profile site such as NBC.

However, fame is fleeting and NBC quickly took the affected pages offline, neutralising the part they played in the danger.

(NBC can't do much about the sites hosting the other parts of this attack, such as the exploit kit files and the final malware. Nevertheless, if everyone does their bit in disrupting one or more parts of the chain, we all win.)

Make no mistake, this was not a prank or defacement.

The Citadel and ZeroAccess malware families are outright crimeware, meaning that they are malware that is written by cybercriminals, for cybercriminals, to steal items of digital value from unsuspecting users.

→ SophosLabs has published a series of technical papers on these and other phenomena in the crimeware underground. These make fascinating and highly-recommended reading, covering the evolution of malware such as Zeus, also known as Zbot, Citadel and ZeroAccess.

Crimeware is typically available to buy or to rent, so that crooks without the necessary technical skills themselves aren't excluded from the lucrative business of stealing money, and more besides, online.

Simply put, NBC was unknowingly co-opted into a criminal operation.

If you run a web server, watch out lest you end up in similar straits yourself.

It's not a comfortable position to be in.

PS. If you would like to learn more about beefing up your web security, take a look at our Securing Websites technical paper. It's a free downoad (no registration required).

NB. Components seen by SophosLabs from various stages of this attack are detected as follows:

* Mal/ExpJS-AN and Troj/ExpJS-GW: exploit kit JavaScript code that pushes out the exploit components themselves (see below).

* Troj/JavaDI-UB: the Java-based exploit component.

* Troj/PDFEx-HZ: the PDF-based exploit component.

* Mal/Katusha-N: the Citadel-family malware.

* Troj/Mdrop-EVW: the ZeroAccess-family malware.

, , , , , , ,

You might like

11 Responses to NBC website hacked and distributes malware - here's what happened

  1. foo · 956 days ago

    People are under the false impression that, as long as they don't visit pr0n or pirate sites, they are safe from infection. People also believe that anti-virus and anti-malware programs provide perfect protection. People are wrong on both counts.

    Never go online in Windows -- period. Make friends with a geek. Switch to Linux, get a second computer, install Linux and use it for all online activity or, if you don't want to get a second computer and you need to continue to use Windows, set up dual boot between Windows and Linux. (It's a piece of cake with either Ubuntu or Linux Mint.)

    eBay is awash in $150-range laptops. If you can afford it, then consider a tablet instead. Do ANYTHING to stay off the Internet in Windows.

    • Who · 956 days ago

      Oh no. Not the "Linux/Apple is so secure you don't need AV, Windows is full of holes" rant again. How secure is Linux or IOS when the user has a belief that their OS is some how immune to all malware/viruses that they do not need AV or FW protection?

    • Nigel · 956 days ago

      "Never go online in Windows -- period."

      Did you actually expect the uncountable number of folks who use Windows to consider that to be helpful advice? Wow...

      Apart from the fact that Microsoft has been commendably responsive in making its software more secure in recent years, the truth is that there are many Windows users who know how to do so responsibly, without infecting themselves or others.

      For all the rest, a truly helpful approach would involve education, not scaremongering.

    • Deramin · 956 days ago

      It's not quite that dire. Windows (and Mac and Linux) users can do a lot to protect themselves.

      Add some security addons to your browser.
      * Adblockers like Adblock Plus (or Tracking Protection Lists for IE 9+) block a lot of known malicious domains along with ads (ethical debate aside), and since infected ad space is often used in drive by attacks, you're also blocking an attack vector.
      * Link safety scanners like Web of Trust can help double check that a link isn't known to be malicious before you click on it. Absolutely saved my bacon from zoning out and being stupid a couple times.

      Take things you don't need out of your browser
      * Disable Java from running in the browser if you don't need it
      * Uninstall any extensions or plugins you don't use
      * uninstall old versions of programs if you can and use an updater like Secunia or Ninite to help you keep everything up to date

      Filter your incoming traffic
      * Set the DNS servers on your router to a secure service like Open DNS
      * Turn an old computer into a UTM like Sophos, pfSense, or Untangle

      The really important thing is to use defenses that manage themselves and adapt to what's happening today without you dealing with them. That set above has kept myself and my extended family pretty well virus free for 7 or so years, PCs, Macs, and Linux boxes alike.

    • JJ KK · 956 days ago

      This is a highly uninformed and reactionary comment. The problem with many of the latest website compromises has been with browser plugins. Read above: "over your browser via a Java vulnerability or a PDF bug". These are OS-agnostic technologies widely used by most Internet users, including security professionals. Please make informed comments lest you instill irrational fears into less tech-saavy users.

    • bar · 956 days ago

      Couldn't help noticing paragraph two, sentence two: "Make friends with a geek." Dude, if you want friends, try cutting your hair, showering more than once a week and moving out of your parents basement.

      Telling people on an AV vendor's site to run Linux is an exercise in pointlessness. You think anyone here hasn't heard this line before? If we're not running it, there's a reason (e.g., I work for a business and I have a wife and children).

      In addition to all the other simple fixes mentioned here, You can just use a sandboxing program. Sandboxie or BufferZone Pro both have free versions, as do some of the free AV suites.

  2. Anon · 956 days ago

    Never go online in Windows? That seems a lot extreme and a pointless recommendation for the masses. Your mother does not want to use Linux. Install Firefox + noscript. Done.

  3. Shawn H · 956 days ago

    Just use Firefox with the No Script Add-On and you are fine 99% of the time.

  4. Caprica · 956 days ago

    Comment number 1 is a bit too harsh. While what they say is somewhat true your data is also in the "cloud" so to say. Your bank, your grocery store, your drugstore, even your movie rentals are all stored on computers that are somehow connected to the internet. Good luck securing your data there. What must come to pass is severe punishment to those who are performing these dastardly tasks. Jail terms and monetary terms are a necessity in prosecuting these criminals. While I'm sure NBC has highly trained technical personnel on-board (they are a partner with Microsoft), they must also cooperate with law enforcement (men in black) and help to catch these criminals. Hang out a honey pot for these people to stick their noses into. Then close the venus flytrap.

  5. TED · 955 days ago

    I would run Linux more, but I want easy program installs and a MASSIVE program choice list. I get that on a Mac and with Windows 8 in Bootcamp. While I know they have a rudimentary installer in Mint, I still want ease of use without going through hoops and the frustration of Linux program installs/uninstalls. Until Linux has program installers like Windows and the Mac, it will NEVER catch on.

    I really never got the big deal about the pride of NOT running AV. I see it over on Wilders all the time. Get a computer that has some power and load a well designed real-time scan AV and be done with it. It's not like you are crunching "SETI" code 24/7.

  6. Paul Ducklin · 954 days ago

    FYI, Sophos offers an on-access scanner for both Linux and Mac. The Mac one's available free for home users (no registration, no timeout) from:

    We've also got a free antivirus (plus security and privacy advisor) product for Android. Head to the Play Store and search for "Sophos".

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog