by Paul Royal, Research Consultant
Beginning in early May 2012 and persisting over a period of ten days, Herald Media's primary news portal (heraldm.com) was compromised and used to serve drive-by download exploits. Based in Seoul, South Korea, Herald Media's publications include The Korea Herald and The Business Herald.
These URLs gathered plugin information and loaded one of several Java exploits, such as an exploit that targets CVE-2012-0507. If successful, the exploits install password-stealing malware on the compromised system. At the time of this writing, AhnLab, which has 65% of the South Korean security software market, does not detect the Java exploits or Windows executable as malicious.
The Herald Media website is an Alexa top 5,000 domain; in South Korea, it is one of the 100 most-viewed sites. Due to the longevity of the compromise and popularity of the domain, Barracuda conservatively estimates that over 740,000 users were served malicious content. Based on the exploits employed, at least 115,000 systems were successfully infected.
Additional information about recurring maliciousness in popular domains will be available in Barracuda's upcoming May 2012 report on Alexa top-ranked websites.