On Monday of this week, Purewire’s Malicious Javascript Detection (MJD) engine identified malicious activity originating from a page that belongs to the popular website pbs.org. Specifically, attempts to access certain PBS website pages yielded javascript that serves exploits from a malicious domain via an iframe.
A forensic analysis of this attack revealed that the user requested the following:
hxxp://www.pbs.org/parents/curiousgeorge
which in turn requested:
hxxp://dipsy.pbs.org/parents/ptframe/images/bground-leaderboard.jpg
instead of:
hxxp://www.pbs.org/parents/ptframe/images/bground-leaderboard.jpg
Accessing the image off of dipsy.pbs.org requires login credentials.
PBS Login Prompt
If correct credentials are not provided, dipsy.bps.org serves an error page that looks normal.
… until you look under the hood. The end of the error page’s source.
contains obfuscated javascript placed there by a malicious third party. Deobfuscated, this code writes an iframe that loads malicious javascript from the following malicious URL:
hxxp://qxfcuc.info/f.cgi?jzo
The above URL serves exploits that target a variety of software vulnerabilities, including those in Acrobat Reader (CVE-2008-2992, CVE-2009-0927, and CVE-2007-5659), AOL Radio AmpX (CVE-2007-6250), AOL SuperBuddy (CVE-2006-5820) and Apple QuickTime (CVE-2007-0015).
The domain qxfcuc.info is part of a malware campaign that includes tens of similar websites hosted off of a handful of common IP addresses. Similar exploit code was served from most of these domains, although a handful (e.g., yyoqny.info) display a message that suggests the criminal behind this campaign is compromising systems to build a botnet he will likely later lease. Translated from Russian, that message tells prospective leasers to “Send a message to ICQ #559156803; stats available under ststst02.“
Users of the PWSS are protected from this campaign.
Update, Sep 18, 2:49PM ET: PBS has notified Purewire that the malicious javascript has been removed from its site.