
The hacking continues; NBC websites briefly compromised with RedKit malware

  • February 21, 2013

YegorP
  • Retired Webrooter
Here we go again....
 
From Apple headquarters computers to the Twitter profiles of big-name corporations, this week has been full of hacks. Today is no different.
 
According to a ZDNet report, around 12PM PST, NBC.com along with a few other NBC websites were compromised and served malware for a few hours due to the RedKit exploit. To serve the malware, RedKit deployed a banking trojan called Citadel, which is a version of the Zeus Trojan.
 
"RedKit was first publicly identified last year in May as an exploit kit that contains an API that generates new host-site URLs every hour. RedKit malware targets vulnerabilities in applications such as Java and Adobe Reader."
 

(Source: Huffingtonpost)

 
The pages have since been swapped and are most likely safe to visit. However, the hackers likely still have access to the sites. The great news for Webroot users? While SecureAnywhere doesn't prevent the exploit itself from working, it targets the payload (Citadel), thus protecting users from this Zeus-variant malware.
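As an added example (not code from the original post or from Webroot), here is a webmaster-side check for the situation described above, where a site is cleaned but the attackers may still have access and can re-inject their redirect: it lists the external hosts a page pulls scripts and iframes from and diffs that set against a known-good baseline. The HTML, the baseline and every hostname below are constructed placeholders, not anything observed on NBC's site.

```python
# Added example: detect unexpected external script/iframe hosts in a page,
# the kind of silent change a compromised site serving an exploit kit shows.
# All hosts and the sample page are constructed placeholders.
from html.parser import HTMLParser
from urllib.parse import urlparse


class ExternalRefParser(HTMLParser):
    """Collect the hosts of every <script src> and <iframe src> on a page."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if not src:
            return
        host = urlparse(src).netloc
        # Relative paths have no host: same-origin, so not flagged here.
        # Protocol-relative "//host/x" URLs still yield a host and are checked.
        if host:
            self.hosts.add(host.lower())


def external_hosts(html: str) -> set:
    parser = ExternalRefParser()
    parser.feed(html)
    return parser.hosts


def check_page(html: str, baseline: set) -> dict:
    """Hosts not in the baseline are suspicious; missing ones may mean tampering too."""
    found = external_hosts(html)
    return {"unexpected": found - baseline, "missing": baseline - found}


# Constructed baseline: hosts the site is known to load content from.
BASELINE = {"static.example-site.test", "cdn.example-analytics.test"}

# Constructed page with a 1x1 hidden iframe to an unknown host, one common
# shape of an injected exploit-kit redirect (placeholder host, not a real IoC).
SAMPLE_PAGE = """<html><head>
<script src="https://static.example-site.test/app.js"></script>
<script src="//cdn.example-analytics.test/a.js"></script>
</head><body><p>Homepage placeholder</p>
<script src="/local/menu.js"></script>
<iframe src="http://placeholder-injected.test/in.php" width="1" height="1"></iframe>
</body></html>"""

if __name__ == "__main__":
    result = check_page(SAMPLE_PAGE, BASELINE)
    print("unexpected:", sorted(result["unexpected"]))
    print("missing:", sorted(result["missing"]))
```

Run it on a schedule against your own pages and alert on any non-empty "unexpected" set; it will not tell you how the attackers got in, only that something changed.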


explanoit
  • Silver VIP
  • February 23, 2013
Why doesn't WSA detect the exploit? There is a "Zero Day Shield" in the program; doesn't that do anything to detect this? What does it do then?

JimM
  • Retired Webrooter
  • February 23, 2013
The exploit he's referencing is server-side and targets a Java vulnerability. The vulnerability itself exists squarely on the server side, while WSA exists on an endpoint that might connect to that server. Now the package it drops, on the other hand, Citadel, targets an endpoint computer, and that WSA does protect against. So while WSA can't reach out to the server and kick RedKit off NBC's site for them, it protects your computer from being infected by the thing the infected site tries to drop on it.
 
WSA actually does very well against Citadel and its variants. That kind of banking trojan is really nothing new. The Realtime Shield protects against known bad variants. The Behavioral and Zero Day Shields protect against unknowns that are attempting to perform malicious actions. And the Identity Shield is the icing on the cake, because even if a malicious unknown somehow makes it through the other shields, the Identity Shield blocks information-stealing activities generically.
