This one line of code forces the web browser of every visiting user to download content from the walterjeffers site, which, in turn, redirects the user to two other sites that eventually use an exploit kit to automatically install a malicious file onto the computer. During the few hours the attack was active, we saw several different URLs being used by the attackers. See the screenshot below for the sequence of events as recorded by our replay system that we have in Websense Security Labs.
Two vulnerabilities were used to compromise the user's computer. In the above example, we can see a PDF file, but the exploit kit will also try Java vulnerabilities. If either succeeds, a malicious binary from the Citadel family is installed on the machine. This family of malware is a so-called banking Trojan, designed to help cyber criminals steal money from online banking accounts. While the file had very poor detection coverage from antivirus solutions according to VirusTotal, our Websense ThreatScope technology was able to flag it as suspicious and provide a lot of additional detail about the file's behavior. See here for the full report.
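The sequence described above (injected line on a compromised page, a hop to the walterjeffers site, two further redirects, then a PDF or Java payload from the exploit kit) is exactly the shape a defender can look for in web proxy logs. The following is an added example, not code from the original post or from Websense: it rebuilds per-client fetch chains by following referer links and flags chains that cross several distinct hosts before ending in a PDF or Java archive. The log format, the `compromised-site.example`, `redirect-a.example` and `redirect-b.example` hostnames, and the `.example` suffix on the walterjeffers host are all constructed placeholders; the real redirect domains are not named in the post.

```python
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic).
# Fields: client IP | referer ("-" when none) | requested URL | response content type.
# Hostnames are placeholders; only "walterjeffers" is taken from the post.
SAMPLE_LOG = """\
10.0.0.5|-|http://compromised-site.example/index.html|text/html
10.0.0.5|http://compromised-site.example/index.html|http://walterjeffers.example/stat.php|text/javascript
10.0.0.5|http://walterjeffers.example/stat.php|http://redirect-a.example/go|text/html
10.0.0.5|http://redirect-a.example/go|http://redirect-b.example/land.php|text/html
10.0.0.5|http://redirect-b.example/land.php|http://redirect-b.example/ex.pdf|application/pdf
10.0.0.9|-|http://news.example/|text/html
10.0.0.9|http://news.example/|http://cdn.news.example/app.js|text/javascript
"""

# Content types the post says the exploit kit delivers its exploits in (PDF and Java).
EXPLOIT_CARRIERS = {"application/pdf", "application/java-archive", "application/x-java-archive"}


def parse_log(text):
    """Split the pipe-delimited log into dictionaries, one per fetch."""
    entries = []
    for line in text.splitlines():
        client, referer, url, ctype = line.split("|")
        entries.append({
            "client": client,
            "referer": None if referer == "-" else referer,
            "url": url,
            "ctype": ctype,
        })
    return entries


def build_chains(entries):
    """Rebuild each client's fetch sequence by walking referer links backwards.

    A chain end is a fetch whose URL is never used as a referer by the same client;
    from it we walk referer -> URL until the root (no referer) is reached.
    """
    by_client = {}
    for e in entries:
        by_client.setdefault(e["client"], []).append(e)

    chains = []
    for client, fetches in by_client.items():
        by_url = {f["url"]: f for f in fetches}
        referenced = {f["referer"] for f in fetches}
        for f in fetches:
            if f["url"] in referenced:
                continue  # not a chain end
            chain, seen, cur = [f], {f["url"]}, f
            while cur["referer"] in by_url and cur["referer"] not in seen:
                cur = by_url[cur["referer"]]
                seen.add(cur["url"])
                chain.append(cur)
            chain.reverse()  # root page first, payload last
            chains.append((client, chain))
    return chains


def suspicious_chains(entries, min_hosts=3):
    """Flag chains that hop across >= min_hosts distinct hosts and end in a PDF/Java fetch."""
    flagged = []
    for client, chain in build_chains(entries):
        hosts = []
        for f in chain:
            host = urlparse(f["url"]).hostname
            if host not in hosts:
                hosts.append(host)
        if len(hosts) >= min_hosts and chain[-1]["ctype"] in EXPLOIT_CARRIERS:
            flagged.append({"client": client, "hosts": hosts, "final": chain[-1]["url"]})
    return flagged


if __name__ == "__main__":
    for hit in suspicious_chains(parse_log(SAMPLE_LOG)):
        print(hit["client"], " -> ".join(hit["hosts"]), "ends in", hit["final"])
```

The `min_hosts` threshold is what separates the exploit-kit pattern from ordinary cross-domain loads such as a site pulling its own scripts from a CDN: the second client in the sample log touches only two hosts and ends in JavaScript, so it is not reported, while the first client's four-host chain ending in a PDF is.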
Websense customers were proactively protected against the exploit code attack by our real-time analytics specifically designed to prevent exploit kits.