This single injected line of code forced the web browser of every visiting user to download content from the walterjeffers site, which in turn redirected the user through two other sites before landing on an exploit kit that silently installed a malicious file on the computer. During the few hours the attack was active we saw several different URLs being used by the attackers. See the screenshot below for the sequence of events as recorded by the replay system in our labs.
Two vulnerabilities were used to compromise the user’s computer. In the above example we can see a PDF file, but the exploit kit will also try Java vulnerabilities. If either succeeds, a malicious binary from the Citadel family is installed on the machine. This family of malware is a so-called banking trojan, designed to help cybercriminals steal money from online banking accounts. While the file had very poor detection coverage from anti-virus solutions according to VirusTotal, our ThreatScope technology flagged it as suspicious and provided extensive additional detail about the file's behavior. See here for the full report. Websense customers were proactively protected against the exploit code by our real-time analytics, which are specifically designed to block exploit kits.
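The post describes how one injected line was enough to make every visitor's browser fetch content from a third-party host. As an added example (this is not Websense's or NBC's code), the scanner below walks the HTML a site serves and reports any `<iframe>` or `<script>` tag whose `src` points off-site, rating hidden or zero-size iframes as higher severity, which is the typical shape of a drive-by injection. The sample HTML, the first-party host names and the `attacker-placeholder.invalid` host are all constructed for the example; nothing here is taken from the real incident.

```python
"""Flag externally hosted iframes/scripts injected into a page's HTML.

Added example, not code from the original post. It assumes the defender
knows which hostnames legitimately serve the site's own content; any
<iframe>/<script> src pointing elsewhere is reported for review.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Width/height values that usually mean "invisible to the visitor".
_ZERO_SIZES = ("0", "0px", "1", "1px")


def _is_hidden(attrs):
    """True if the tag's attributes make it invisible (display:none, 0/1px box)."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        if (attrs.get(dim) or "").strip().lower() in _ZERO_SIZES:
            return True
        m = re.search(dim + r":(\d+)(px)?", style)
        if m and int(m.group(1)) <= 1:
            return True
    return False


class InjectScanner(HTMLParser):
    """Collects off-site <iframe>/<script> references while parsing."""

    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        host = urlparse(src).hostname
        if host is None or host.lower() in self.own_hosts:
            return  # relative or first-party reference: expected content
        severity = "high" if tag == "iframe" and _is_hidden(a) else "medium"
        self.findings.append({
            "tag": tag,
            "src": src,
            "host": host.lower(),
            "severity": severity,
            "line": self.getpos()[0],  # line in the served HTML
        })


def scan_html(markup, own_hosts):
    """Return a list of off-site iframe/script findings for one HTML document."""
    scanner = InjectScanner(own_hosts)
    scanner.feed(markup)
    scanner.close()
    return scanner.findings


# Constructed sample: a first-party script, a first-party CDN script and one
# injected hidden iframe pointing at a placeholder third-party host.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-site.test/lib.js"></script>
</head><body>
<p>news</p>
<iframe src="http://attacker-placeholder.invalid/x.php" width="0" height="0" style="display:none"></iframe>
</body></html>"""

FIRST_PARTY_HOSTS = ["www.example-site.test", "cdn.example-site.test"]

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML, FIRST_PARTY_HOSTS):
        print(finding)
```

Run this against a fresh fetch of each page on a schedule and diff the findings against the previous run: a new off-site host appearing between two runs is exactly the signal that would have caught the injected line early in an incident like this one.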
NBC has since confirmed that their site has been cleaned up and it's again safe to visit.