Posts Tagged ‘Daily Jang’

The Websense Security Labs ThreatSeeker network has determined that the Web site of the popular Pakistani newspaper the ‘Daily Jang’ (at jang.com.pk) has been compromised.

The Web site has been injected with malicious code in several locations. The code redirects visitors' browsers to exploit Web sites. At the time of this writing, the exploit sites that the Daily Jang redirects to are active and serve malicious code.

The paper is one of the most popular and oldest newspapers in Pakistan. The Web site gets a lot of daily traffic from its many loyal readers, both within and outside Pakistan. It also links to many other Web sites (Alexa report). Some reports indicate an average of more than 40,000 unique visits to the Web site a month.

An infection can occur while visiting the main page of the site. The visiting user’s browser is redirected silently, in the background, to an exploit site loaded with an exploit kit called ‘g01pack’. If one of the kit’s many exploit attempts is successful, a Trojan Backdoor file is dropped onto the user’s machine. The backdoor file currently holds a detection rate of 26%.

Injection Information

The site is injected in several places. The injection appears as an Iframe at the bottom of each injected page. A snapshot is provided below. You might think it ends here, but any security hole that leaves the door open for one attacker to inject malicious code may also be discovered by other attackers. This is the main reason why the Web site has another kind of malicious injection on many of its pages. In total, there are two kinds of injections on jang.com.pk. The first appears as an Iframe; the second appears as obfuscated JavaScript code that also silently redirects any browsing user to exploit sites. However, those exploit sites appear to be down at the time of writing of this post.
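For site owners checking their own pages for the first kind of injection, the following is an added example (not code from the original post or from Websense) that audits saved HTML for off-site Iframes that are invisible or appended after the page body. The hiding heuristics, the function names and the sample markup are assumptions, since the post does not reproduce the injected code; the hosts are reserved example domains.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a "silent" iframe is made invisible with tiny dimensions or
# hiding CSS; the post does not show the actual injected markup.
HIDING_CSS = ("display:none", "visibility:hidden", "left:-", "top:-")


class IframeAudit(HTMLParser):
    """Record off-site iframes and why each one looks suspicious."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.body_closed = False  # True once </body> or </html> has been seen
        self.findings = []

    def handle_endtag(self, tag):
        if tag in ("body", "html"):
            self.body_closed = True

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if not host or host == self.site_host or host.endswith("." + self.site_host):
            return  # relative or same-site frame: out of scope for this check
        style = a.get("style", "").replace(" ", "").lower()
        tiny = any(a.get(d, "").strip() in ("0", "1", "0px", "1px") for d in ("width", "height"))
        reasons = ["off-site"]
        if tiny or any(h in style for h in HIDING_CSS):
            reasons.append("hidden")
        if self.body_closed:
            reasons.append("after-body")
        self.findings.append((host, reasons))


def audit_page(html, site_host):
    """Return (host, reasons) for off-site iframes with at least one extra signal."""
    parser = IframeAudit(site_host)
    parser.feed(html)
    parser.close()
    return [(h, r) for h, r in parser.findings if len(r) > 1]

# Constructed sample page: two legitimate frames, one trailing hidden frame.
SAMPLE = """<html><body><iframe src="/widgets/weather.html"></iframe>
<iframe src="http://video.example.org/embed/1" width="640" height="360"></iframe>
</body></html>
<iframe src="http://gate.example.net/in.php" width="1" height="1" style="visibility: hidden"></iframe>"""
```

Run over the sample, `audit_page(SAMPLE, "news.example.com")` reports only the trailing frame; a visible off-site embed inside the body is not flagged, so legitimate third-party widgets do not drown out the signal.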