NBC network websites hacked: Distributing dangerous Citadel and ZeroAccess malware through exploits

  • February 21, 2013
  • 2 min read


The websites of the famous US broadcaster NBC, as well as those of various popular NBC shows like “Late Night with Jimmy Fallon”, “Jay Leno’s Garage”, and possibly others, have been hacked. Attackers managed to inject malicious iframes both into the homepages and into some of the sites' JavaScript files; the iframes point to the RedKit exploit kit:

Malicious iframe inserted into the NBC main page

Malicious iframe inserted into one of the site's JavaScript files

Malicious iframe inserted into the Late Night with Jimmy Fallon main page

Malicious iframe inserted into the Jay Leno’s Garage main page

Overall we observed the attackers use the following drop sites for their attack:

http://barbecuechickenrecipes.org/ctuk.htm
http://moi-npovye-sploett.com/qqqq/1.php
http://nikweinstein.com/cl/google.php
http://priceworldpublishing.com/aynk.html
http://toplineops.com/mtnk.html
http://umaiskhan.com/znzd.html
http://umaiskhan.com/ztuj.html
http://walterjeffers.com/ctuk.html
http://wordpresspluginsstudio.com/ctuk.html
http://www.jaylenosgarage.com/trucks/PHP/google.php

Once a user visits one of the affected NBC websites, the RedKit exploit kit will scan the user’s PC for exploitable versions of various browser plugins like Adobe Acrobat or Java and send a viable exploit (for example CVE-2013-0422, CVE-2010-0188) to the unsuspecting user’s browser. The exploit will then install the infamous Citadel or ZeroAccess malware on the user’s PC.
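The injection described above is what a site owner or responder would want to spot quickly in their own pages and scripts. The following is an added example (not code from the post or from Emsisoft) of a small content check that flags iframes which point off-site, which are sized 0x0/1x1, which are hidden via CSS, or whose host appears in the drop-site list from this post. It also looks inside JavaScript for iframe tags written via `document.write`, the pattern the post describes for the modified JS files. The legitimate host `example-network.test`, the `evil-drop.test` host and the sample HTML/JS are constructed for the example; the hostnames in `KNOWN_DROP_HOSTS` are the ones listed above (NBC's own `jaylenosgarage.com` is left out, since it is the victim site rather than an attacker host).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Drop-site hosts taken from the list in this post; a match is a hard hit.
KNOWN_DROP_HOSTS = {
    "barbecuechickenrecipes.org", "moi-npovye-sploett.com", "nikweinstein.com",
    "priceworldpublishing.com", "toplineops.com", "umaiskhan.com",
    "walterjeffers.com", "wordpresspluginsstudio.com",
}

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
JS_IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)  # iframe tags embedded in JS strings


class _IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag it sees."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height values of 0 or 1 (with or without 'px')."""
    try:
        return int(str(value).strip().rstrip("px")) <= 1
    except ValueError:
        return False


def assess_iframe(attrs, site_host):
    """Return the reasons an iframe looks injected; an empty list means benign."""
    reasons = []
    host = urlparse(attrs.get("src", "")).hostname or ""
    if host in KNOWN_DROP_HOSTS:
        reasons.append(f"src host {host} is a listed drop site")
    elif host and host != site_host and not host.endswith("." + site_host):
        reasons.append(f"src host {host} is off-site")
    if _is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", "")):
        reasons.append("1x1 or 0x0 frame")
    if HIDDEN_STYLE.search(attrs.get("style", "")):
        reasons.append("hidden via CSS")
    return reasons


def scan_html(html, site_host):
    """Return [(src, reasons)] for every suspicious iframe in an HTML page."""
    collector = _IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        reasons = assess_iframe(attrs, site_host)
        if reasons:
            findings.append((attrs.get("src", ""), reasons))
    return findings


def scan_js(js, site_host):
    """Find iframe tags built inside JS strings (document.write etc.) and assess them."""
    findings = []
    for match in JS_IFRAME.finditer(js):
        # Undo the usual \" and \' escaping used inside JS string literals.
        tag = match.group(0).replace('\\"', '"').replace("\\'", "'")
        findings.extend(scan_html(tag, site_host))
    return findings


# Constructed sample page: one legitimate player frame, one injected hidden frame.
SAMPLE_HTML = """<html><body>
<h1>Tonight's show</h1>
<iframe src="https://player.example-network.test/clip" width="640" height="360"></iframe>
<iframe src="http://walterjeffers.com/ctuk.html" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""

# Constructed sample script: an iframe appended through document.write.
SAMPLE_JS = """function init(){ setup(); }
document.write('<iframe src="http://evil-drop.test/qqqq/1.php" width="0" height="0"></iframe>');"""

if __name__ == "__main__":
    for src, reasons in scan_html(SAMPLE_HTML, "example-network.test"):
        print("HTML:", src, "->", "; ".join(reasons))
    for src, reasons in scan_js(SAMPLE_JS, "example-network.test"):
        print("JS:  ", src, "->", "; ".join(reasons))
```

Run it over a crawl of your own pages and static JS with `site_host` set to your domain; the off-site rule alone will also surface legitimate third-party embeds, so the size and CSS checks are what separate a hidden drop-site frame from an ordinary video player.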

Citadel is the name of a whole malware family that belongs to the category of “bots”. Once a system is infected with Citadel, the attacker (usually referred to as the “bot herder”) is able to take full control of the victim’s PC. Today Citadel is used mostly for banking fraud, espionage, and as a distribution network for other malware. At the moment the detection rates of the Citadel variants used for the attack are particularly low. Emsisoft users, though, are already protected, as Citadel is picked up based on its behavior by the Emsisoft Anti-Malware behavior blocker:

Emsisoft Anti-Malware detecting the new Citadel variant used for the attack

ZeroAccess belongs to the category of bots as well. Unlike Citadel, though, ZeroAccess is commonly used for click fraud. The ZeroAccess malware essentially cheats advertisement networks out of money by simulating clicks on advertisements or by redirecting search requests. As with the Citadel variants, detection rates of the ZeroAccess variant used by the hackers are quite bad:

Detection rates of the ZeroAccess variant used by the NBC attack according to VirusTotal

Emsisoft Anti-Malware users, though, are protected, as ZeroAccess, like Citadel, is picked up based on its behavior by the behavior blocker:

Emsisoft Anti-Malware detecting the new ZeroAccess variant used for the attack

In the meantime we have also issued signature updates that allow users affected by the hack to use our free Emsisoft Emergency Kit to find and clean any Citadel and ZeroAccess infections.

Sarah

Malware analyst at Emsisoft. Cryptolocker hitting so many people in 2013 was what really piqued my interest in malware, and especially ransomware.