BBC Music site hacked, dispenses malware

According to Websense, a company that makes web filtering software, BBC 6 Music and BBC 1Xtra radio had their websites hacked recently. The malicious code is executed when you load the page.

The injected iframe occurs at the foot of the BBC 6 Music Web page, and loads code from a Web site in the .co.cc TLD. The iframe injected into the Radio 1Xtra Web page leads to the same malicious site. If an unprotected user browsed to the site they would be faced with drive-by downloads, meaning that simply browsing to the page is enough to get infected with a malicious executable.
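A site owner can check served pages for this kind of injected frame. The sketch below is an added example, not code from Websense or the BBC: it flags iframes whose source host is off an allowlist. The sample page, the host names and the allowlist are constructed, and the hidden-frame heuristic is an assumption that the article does not confirm for this incident.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one expected embed plus an unexpected iframe at the foot.
SAMPLE_PAGE = """<html><body>
<h1>Radio schedule</h1>
<iframe src="https://player.example.org/embed/1" width="400" height="80"></iframe>
<p>Footer</p>
<iframe src="http://frames.invalid/index.php" width="1" height="1"></iframe>
</body></html>"""

ALLOWED_HOSTS = {"example.org"}  # assumption: hosts the site expects to embed


class IframeAuditor(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = allowed_hosts
        self.findings = []

    def _host_allowed(self, host):
        # Exact match or a subdomain of an allowlisted host.
        return any(host == a or host.endswith("." + a) for a in self.allowed)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        # Relative src values have no hostname and stay same-origin.
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        reasons = []
        if host and not self._host_allowed(host):
            reasons.append("off-allowlist host")
        # Assumed heuristic: injected frames are often hidden or 1px in size.
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width") in {"0", "1"} or a.get("height") in {"0", "1"}
        if tiny or "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden or 1px frame")
        if reasons:
            self.findings.append(
                {"line": self.getpos()[0], "host": host, "reasons": reasons})


def audit_iframes(html, allowed_hosts=ALLOWED_HOSTS):
    auditor = IframeAuditor(allowed_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for finding in audit_iframes(SAMPLE_PAGE):
        print(finding)
```

Run against the rendered output of each page template, a check like this catches a frame appended to the served HTML even when the source files on disk look clean.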

The hackers used a utility called the 'Phoenix Exploit Kit' (PEK) to execute their code on unsuspecting users. Only around 20% of anti-virus software tested against this vulnerability actually detected it, according to VirusTotal. Kaspersky, NOD32 and Trend Micro were some of the notable software able to detect the virus. Avast, AVG, Microsoft, Sophos and Symantec all failed to detect the virus in tests by VirusTotal.

Though it wasn't stated what the malicious software did to the end user's computer, it is suspected that this hack was part of a larger attack. There is currently a group attacking vulnerable sites and inserting malicious code around the net.

22 Comments

How, exactly, was the attack able to inject an IFRAME? Was bad web development responsible for the vulnerability?

I don't know which frameworks the BBC are using on these websites, it wouldn't surprise me if they had built their own framework. They are well-funded by the "licence fee" tax.

I personally use Microsoft's web platform, and out of the box that automatically blocks allow IFRAME injection.

Typical BBC fail.

Does anybody know which platform(s) the affected websites are running on, and which vulnerability(ies) were exploited?

Both affected websites are on the BBC domain which is running Apache server on the Linux OS, and the HTTP headers show that pages on those websites are served by Apache.

Java is the leading exploit vector for a variety of exploit packs. PEK 2.5 was updated to include at least three additional Java exploits.

That's a little worrying considering I switched from NOD32 to AVG once the license ran out. Perhaps I should be going back to NOD32. I did prefer it, after all. It's disappointing when the biggest anti-virus products cannot deal with things that lesser-used products can. In any case, I'll definitely make sure to avoid the BBC radio webpages for some time.

I use Avast on most of my computers (It doesn't bug me with ads like AVG and Avira) and now I think "?", should I".
I would use Microsoft Security Essentials but it slows Windows XP down. I do use Microsoft Security Essentials on my laptop with Windows 7.

wahoospa said,
I use Avast on most of my computers (It doesn't bug me with ads like AVG and Avira) and now I think "?", should I".
I would use Microsoft Security Essentials but it slows Windows XP down. I do use Microsoft Security Essentials on my laptop with Windows 7.

Simply disable run-rights on avnotify.exe and it should kill all ads for Avira. I would recommend Avira to anyone who can't use MSE due to its bug.

Reacon said,

Simply disable run-rights on avnotify.exe and it should kill all ads for Avira. I would recommend Avira to anyone who can't use MSE due to its bug.

what bug?

wahoospa said,
I use Avast on most of my computers (It doesn't bug me with ads like AVG and Avira) and now I think "?", should I".
I would use Microsoft Security Essentials but it slows Windows XP down. I do use Microsoft Security Essentials on my laptop with Windows 7.

If you switch AVs each time someone says "this virus isn't detected by product A, B and C" you're going to use them all multiple times...

cork1958 said,
So, I'm assuming it's cleaned up now as I just went to the site a little while ago and haven't noticed anything?

Were you using one of these?
Avast, AVG, Microsoft, Sophos or Symantec.

nub said,
Do we really need frames anymore?

An iframe is the easiest way to insert in a page from another site and not worry about parsing issues when the code grabs the query.

I gave Avast a go once. I scanned a zip, clean. Opened the zip...hard disk starts clicking...*thinks uh-oh*...*PC Pauses*...*Play "TROJAN HORSE DETECTED" x 8 in my ear*. To which my pc was then savaged by something nasty. I will never use Avast again and I will NEVER recommend it to anyone.

Subject Delta said,

The fact that Avast did not detect it is pretty disturbing as an Avast user.

Yea. I've had Avast miss one recently that MSSE picked up fine. Avast has been getting pretty bad lately and I used to be an advocate of theirs.

Subject Delta said,
The fact that Avast did not detect it is pretty disturbing as an Avast user.

No product has 100% detection.
Anyway, maybe the products failing at finding the JS exploit are successfully blocking the malware itself...you can't really draw conclusions from a VT scan.

Aethec said,

No product has 100% detection.
Anyway, maybe the products failing at finding the JS exploit are successfully blocking the malware itself...you can't really draw conclusions from a VT scan.

Quite right...I'm surprised at all these people who are switching because of one sample. There are thousands (or millions) of different malware programs in the wild...and some switch because of one?

Anyway, don't use only an antivirus. That is an old, outdated technology. Comodo Internet Security and its Defense+ HIPS and great firewall are quite good, and along with the partial sandbox and antivirus....very secure. And guess what? It is free.

eder00 said,
Kaspersky still good.

As far as detection is concerned yes but the problem with Kaspersky these days is it has got bloated and resource hogging, a shame. MSE is far quicker and efficient.