7:50 pm (UTC-7) | by Jonathan Leopando (Technical Communications)
A major website that has been compromised and is serving malware is bad news in itself. However, when that attack uses a previously undiscovered and unpatched zero-day vulnerability, the problem worsens.
The official website of the Nobel Peace Prize was compromised and used to serve an exploit targeting a zero-day vulnerability in Mozilla Firefox. On its blog, Mozilla has acknowledged the vulnerability and said that it will issue a patch as soon as this has been tested. The said vulnerability causes a drive-by download wherein a malicious file is downloaded and run without prompting the user as to what is happening.
The Nobel Peace Prize site appears to have been compromised with a malicious PHP Script Trend Micro detects as JS_NINDYA.A. However, for one reason or another, the cybercriminal behind this attack has chosen to limit the scope of the vulnerability. Using browser headers, the exploit checks both the Firefox version and the OS installed on the machine.
According to Mozilla, the underlying flaw is present in both Firefox 3.5 and 3.6 but only recent versions of 3.6 were targeted by JS_NINDYA.A. In addition, if the user runs new versions of Windows (e.g., Vista, Windows 7, Server 2008, and Server 2008 R2), the exploit will not be triggered either.
The exploit downloads a backdoor Trend Micro detects as BKDR_NINDYA.A onto infected systems. It connects to a remote malicious server that a cybercriminal uses to send out various commands to infected systems. These commands include shutting down and deleting all of the files on infected systems. Saying this may cause problems would be an understatement.
We detect both the script and the payload used in these attacks, as noted above. We also block the URLs that the backdoor uses in case this attack is used on other sites. As for the Firefox vulnerability, the latest Firefox 4 beta versions have been confirmed to be safe from this attack. Mozilla also recommends that users install the NoScript extension to mitigate future attacks until a patch has been issued.
Update as of October 27, 2010, 3:56 p.m. (UTC)
Upon checking, we found out that the Nobel Peace Prize site has been cleaned.
Share this article