ISC Diary

Handler on Duty:
Manuel Humberto
Santander Pelaez
Contact Us

NBC site redirecting to Exploit kit

Published: 2013-02-21,
Last Updated: 2013-02-21 19:36:19 UTC
by Pedro Bueno (Version: 1)

We became aware that the NBC[.]com website is redirecting to malicious websites that contains exploitkit.

At this point it seems like most of the pages contains an iframe that is redirecting to the first stage of the RedKit exploit kit.

Some twitter users are already poiting out some of these bad pages.

Some of bad iframes public known are:

hxxp://www.jaylenosgarage[.]com/trucks/PHP/google.php

hxxp://toplineops[.]com/mtnk.html

hxxp://jaylenosgarage[.]com

The Redkit exploit kit will deploy the banking trojan Citadel.

We will update this diary when more info become available.

---------------------------

Pedro Bueno (pbueno /%%/ isc. sans. org)

Twitter: http://twitter.com/besecure

Keywords: citadel exploitkit hack nbc redkit

9 comment(s)

Top of page

Comments

New URL:

hxxp://nikweinstein[.]com/cl/google[.]php

posted by Hoax, Thu Feb 21 2013, 20:14

I'm not sure if these are related, but they showed up in my logs right after a coworker visited nbc[.]com

hxxp://walterjeffers[.]com/ctuk.html
hxxp://serwer-testowy[.]com/ctuk.htm
hxxp://nikweinstein[.]com/cl/google.php

posted by Justin, Thu Feb 21 2013, 20:19

Yes, they are related. Check those machines closely. The exploit kit will try to push a PDF or Java on most of times.

posted by Pedro, Thu Feb 21 2013, 20:33

Yes, and they have multiple issues going on. Some are embedded in javascript files, others are embedded directly in the pages EX: http://www.nbc.com/community/video/paranormal-parentage/n32778/ has the following on line 415:

http://umaiskhan[.]com/ztuj[.]html

And on view-source:http://www.nbc.com/1600-penn/video/at-the-monitors-bruce-campbell-pt-1/n31463/ line 411:

http://nikweinstein[.]com/cl/google[.]php

It's been reported to google and it appears that the malware warnings are starting to display.

posted by Scurit, Thu Feb 21 2013, 21:35

msn.com was serving up the same malware too:

http://walterjeffers[.]com/ckxi[.]html -301 "http://realestate.msn.com/biggest-billionaire-home-sales-of-the-past-year"

posted by haxtime, Thu Feb 21 2013, 21:48

NBC says NBC.com site is now safe to visit
- http://www.reuters.com/article/2013/02/21/us-nbc-virus-idUSBRE91K1DQ20130221
Feb 21, 2013 4:54pm EST - "... 'A problem was identified and it has been fixed,' an NBC Universal spokeswoman told Reuters. She declined to elaborate on the nature of the problem... NBC is controlled by Comcast Inc..."

Ahem...

posted by PC.Tech, Thu Feb 21 2013, 23:03

I wonder why there is no browser function to enable processing for URL's for the domain you are just visiting only.

Like the cookie rule I mean.
("Accept cookies only from the site I visit")

For example if i open "isc.sans.edu" this browser session only handle URL's with "isc.sans.edu\*".

posted by Rob, Fri Feb 22 2013, 15:56

> I wonder why there is no browser function to enable processing for URL's [only] for the domain you are just visiting ...

That would be nice -- if it would eliminate advertisements on the "top-edge" or "right-edge" of web-pages on some sites, because those advertisements usually originate from some other domain.

Oops! That blows-away the "revenue-model" for web-sites that inject advertisements along with the content that I want to see.. :-)

posted by Melvin, Fri Feb 22 2013, 16:49

Use Firefox with "NoScript" plugin, to allow or disallow URLs while browsing.

posted by Honey, Fri Feb 22 2013, 21:42

New Comments closed for all Diaries older than two(2) weeks
Please send your comments to our Contact Form