PBS Website Compromised, Used to Serve Exploits

Posted by: Barracuda Labs

On Monday of this week, Purewire's Malicious JavaScript Detection (MJD) engine identified malicious activity originating from a page on the popular website pbs.org. Specifically, requests for certain PBS pages returned JavaScript that loads exploits from a malicious domain through an injected iframe.

A forensic analysis of the attack reconstructed the following request chain. The user requested:

hxxp://www.pbs.org/parents/curiousgeorge

which in turn requested:

hxxp://dipsy.pbs.org/parents/ptframe/images/bground-leaderboard.jpg

instead of:

hxxp://www.pbs.org/parents/ptframe/images/bground-leaderboard.jpg

Accessing the image on dipsy.pbs.org requires login credentials, as shown in the following screenshot.

[Screenshot: PBS login prompt]

If correct credentials are not provided, dipsy.pbs.org serves an error page that looks normal until you look under the hood: the end of the error page's source contains obfuscated JavaScript placed there by a malicious third party. Deobfuscated, this code writes an iframe that loads malicious JavaScript from the following URL:

hxxp://qxfcuc.info/f.cgi?jzo

The above URL serves exploits targeting a variety of client-side software vulnerabilities, including Adobe Acrobat Reader (CVE-2008-2992, CVE-2009-0927 and CVE-2007-5659), AOL Radio AmpX (CVE-2007-6250), AOL SuperBuddy (CVE-2006-5820) and Apple QuickTime (CVE-2007-0015). All of these had vendor fixes available at the time of this attack, so the kit relies on visitors running outdated plugins and readers.

The domain qxfcuc.info is part of a malware campaign comprising dozens of similar domains hosted on a handful of shared IP addresses. Most of these domains served similar exploit code, although a few (e.g., yyoqny.info) display a message suggesting that the criminal behind the campaign is compromising systems to build a botnet that he will likely lease out later. Translated from Russian, the message tells prospective renters to "Send a message to ICQ #559156803; stats available under ststst02."

Users of the Purewire Web Security Service (PWSS) are protected from this campaign.

Update, Sep 18, 2:49PM ET: PBS has notified Purewire that the malicious javascript has been removed from its site.


2 Responses to “PBS Website Compromised, Used to Serve Exploits”

  1. Rob Bergin says:

    Great write-up – any idea on the root cause of how the malware got there?

  2. Nidhi Shah says:

    Thanks Rob! PBS did not give any details about the root cause of the attack, except that "There was possibly a vulnerability in the site." We suspect there could have been an FTP account compromise or a privilege escalation/SQL injection attack.
