NBC website hacked and distributes malware – here’s what happened

The latest high-profile organisation to fall victim to cybercriminals is the National Broadcasting Company (NBC), one of the so-called Big Three television networks in the USA.

NBC’s website was “owned” and used as a go-between in a campaign to infect online visitors automatically.

Fortunately, the malevolent content on the site was up only briefly, limiting the harm that was done.

But researchers at Dutch security company SurfRight managed to grab samples of some of the malware on offer during this time.

→ The samples acquired during the NBC infection aren’t necessarily a complete manifest of the malware that was disseminated. The crooks can vary what is served up by their attack sites based on many factors, such as browser type, operating system, your location, the time of day and more.

NBC’s home page and others were affected, including the pages of late night talk show hosts Jay Leno and Jimmy Fallon.

Here’s roughly how the attack played out, and how NBC got sucked into the equation:

  • NBC’s hacked pages were altered to add some malicious JavaScript that ran in your browser.
  • The JavaScript injected an additional HTML component known as an IFRAME (inline frame) into the web page.
  • The IFRAME sucked in further malicious content from websites infected with an exploit kit known as RedKit.
  • The exploit kit delivered one of two exploit files to try to take control over your browser via a Java vulnerability or a PDF bug.
  • If the exploit worked on your computer, financially-related crimeware from the Citadel or ZeroAccess families was installed.

This, of course, is an example of a dreaded drive-by download, where the crooks use a cascade of tricks to download, install and execute software without going through any of the warnings or confirmation dialogs you might expect.

This, in turn, means that even if you are a careful and well-informed user, you may end up in trouble, since there are no obvious signs that you are doing anything risky, or even unexpected.

Obviously, it’s a big deal for anyone to redirect traffic from a high-profile site such as NBC.

However, fame is fleeting and NBC quickly took the affected pages offline, neutralising the part they played in the danger.

(NBC can’t do much about the sites hosting the other parts of this attack, such as the exploit kit files and the final malware. Nevertheless, if everyone does their bit in disrupting one or more parts of the chain, we all win.)

Make no mistake, this was not a prank or defacement.

The Citadel and ZeroAccess malware families are outright crimeware, meaning that they are malware that is written by cybercriminals, for cybercriminals, to steal items of digital value from unsuspecting users.

→ SophosLabs has published a series of technical papers on these and other phenomena in the crimeware underground. These make fascinating and highly-recommended reading, covering the evolution of malware such as Zeus, also known as Zbot, Citadel and ZeroAccess.

Crimeware is typically available to buy or to rent, so that crooks without the necessary technical skills themselves aren’t excluded from the lucrative business of stealing money, and more besides, online.

Simply put, NBC was unknowingly co-opted into a criminal operation.

If you run a web server, watch out lest you end up in similar straits yourself.

It’s not a comfortable position to be in.

PS. If you would like to learn more about beefing up your web security, take a look at our Securing Websites technical paper. It’s a free downoad (no registration required).

NB. Components seen by SophosLabs from various stages of this attack are detected as follows:

* Mal/ExpJS-AN and Troj/ExpJS-GW: exploit kit JavaScript code that pushes out the exploit components themselves (see below).

* Troj/JavaDI-UB: the Java-based exploit component.

* Troj/PDFEx-HZ: the PDF-based exploit component.

* Mal/Katusha-N: the Citadel-family malware.

* Troj/Mdrop-EVW: the ZeroAccess-family malware.