Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

BBC - 6 Music and 1xtra Web site Injected With Malicious iFrame

View all posts > 

BBC - 6 Music and 1xtra Web site Injected With Malicious iFrame

Posted: 15 Feb 2011 04:03 PM | Carl Leonard | 3 comment(s)


The BBC - 6 Music Web site has been injected with a malicious iframe, as have areas of the BBC 1Xtra radio station Web site.  At the time of writing this blog, the sites are still linking to an injected iframe.

 

Websense customers are protected with our Advanced Classification Engine analytics, our suite of technologies within TRITON.

 

Screenshot of injected malicious iframe:

 

The injected iframe occurs at the foot of the BBC 6 Music Web page, and loads code from a Web site in the .co.cc TLD.  The iFrame injected into the Radio 1Xtra Web page leads to the same malicious site.

 

If an unprotected user browsed to the site they would be faced with drive-by downloads, meaning that simply browsing to the page is enough to get infected with a malicious executable.

 

The payload is delivered to the end user only once, with the initial visit being logged by the malware authors.

 

The code that is delivered to end users utilizes exploits delivered by the Phoenix exploit kit. A malicious binary is ultimately delivered to the end user. The VirusTotal detection of this file is currently around 20%.

 

This attack is part of a current mass-injection targeting vulnerable Web sites.  We shall continue to investigate this threat and offer protection to our customers from this and similar attacks.


Filed under:

Comments

Graham Cluley, Sophos said on Wednesday, February 16, 2011 6:38 AM

Good blog post - but I'd just like to pick up one point.

Although the VirusTotal detection of this malware infection may be low, that doesn't mean that the detection by anti-virus products is necessarily poor.

VirusTotal itself covers this issue of their results being misinterpreted at www.virustotal.com/about.html

FWIW, Sophos's apparent lack of detection is because VirusTotal is not testing it in the context of a live webpage (for instance, when browsed).

Sophos has been blocking the malicious site pointed to by the script on the BBC's webpages as Troj/ExpJS-BO since at least 20:42 GMT on 9 February 2011 when we first saw it.  

In addition, we detect the malicious script on the BBC website as Mal/Iframe-F.

Why am I not surprised? said on Wednesday, February 16, 2011 7:16 AM

Cyber criminals are attacking more "known good" web sites because they want to infect more people. If your useless "Site Advisor" plugin puts a green check mark next to the site, then it's safe, right? Click away, my foolish friend.

To add insult to injury, detection by AV vendors is an outright lie these days. They can do NOTHING to stop most modern malware because they rely on signatures to detect the malware binaries. Well, the bad guys know this too, so they now create encrypted bundles of newly compiled code, sometimes as often as EVERY TIME THE PAYLOAD IS DOWNLOADED. What does that mean? It means your AV solution will NEVER detect it until after you are infected. AV products are now only good for the post-mortem on pwned PCs. By the time your AV detects the infection (if it ever does because now malware is compromising the AV suites during the infection) all your financial data, intellectual property, and customer information has already been shuttled off to Brazil, Russia, China, or wherever the attacker has set up shop.

If you are looking for protection, you'd better start looking elsewhere thatn the current AV providers. If you are looking to save $$, don't pay for ANY AV suite as the free ones are just as good, if not better, than the for-fee junk currently sold as protection.

Patrik Runald said on Monday, February 28, 2011 8:03 PM

@Graham It is true that VirusTotal simply provides a signature comparison of binaries (for most engines at least) and  doesn’t take into account other contextual data. That being said there is no other public interface that is as widely used as VirusTotal that still gives the same  functionality as an easy-to-use comparatives and information-sharing tool.

The simple fact is VirusTotal is used across the industry, but people who use it know the issues with it. Therefore, we do not name and shame vendors that do not have detection as shown in Virus Total. That is why we always try to say something like ‘this file has low detection, as shown by VirusTotal.'


Leave a Comment

(required)  

Email address: (required)