
TMonline is a harmful website!!??? (Part 1)

H.S. Tan, a friend of mine, sent me an email today. He said that he googled "tm online" and the first result he got pointed to www.tm.online.com.my (please be careful when navigating to this site). But there was a problem. Google reports "This site may harm your computer." So he was concerned about whether the website had been hijacked.

Telekom Malaysia (TM) is the biggest ISP in Malaysia, so it would be serious if there was something wrong with this website, since lots of people would be visiting it. So I set about figuring out why Google says this site is harmful. What I found is a bit shocking.

Below is my answer to him.

Yes, it is a malicious website :) No, really it is. Below is my brief analysis after looking at the site for a few minutes.

The thing is... on this website there is an exploit that is being called Exploit.JS.Pdfka.lr. You might not see it, but whenever you visit the site, your browser will automatically and unexpectedly download a PDF. There is a big chunk of obfuscated JavaScript in the PDF. If you are on Windows and you are using Adobe Acrobat, this file might cause Acrobat to stall while it does its malicious tasks.

There are many versions of this PDF exploit already in the wild. I don't know what this particular version of the exploit does as there is very little information about it. There are versions that attempt to write files to your hard drive. There are also versions that put an extra task on your computer (if you view the Task Manager) and attempt to send out spam.

Adobe has released security updates for their software in response to these PDF exploits. So make sure you install Adobe's updates. Other PDF viewers should have similar security updates as well.

Some notes:

- If you are using Windows on a limited account, you are golden, and it is a very wise decision. NoScript in Firefox and AdBlock or AdBlock Plus are good too. Having good anti-malware and anti-virus software installed will also help.

- I wonder what TM is trying to do on their website. Hmm...

- I would like to get the malicious code and deobfuscate it. I'm still wondering how I can do this. I need to study and do more research.
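One defensive check that the notes above point toward, written as an added example and not code from the original post: a minimal keyword triage over a PDF that normalises hex-escaped names, inflates FlateDecode streams so hidden JavaScript can be read, and flags JavaScript wired to an open-time action. The PDF it inspects is a constructed sample, not the file served by the TM site.

```python
import re
import zlib

# Names whose presence warrants a closer look (checked after hex-escape
# normalisation): embedded JavaScript, actions that fire automatically when
# the document opens (/OpenAction, /AA) and actions that run external programs.
SUSPICIOUS_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile")

def unescape_names(data: bytes) -> bytes:
    # PDF permits hex escapes inside names, so /J#61vaScript is the same name as
    # /JavaScript; obfuscated files use this to dodge plain string matching.
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data: bytes) -> list:
    # Decompressed bodies of every FlateDecode stream; the obfuscated JavaScript
    # the post mentions is normally hidden inside one of these.
    bodies = []
    for m in re.finditer(rb"\bstream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            body = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not a Flate stream (or corrupt): skip it
        if body:
            bodies.append(body)
    return bodies

def triage_pdf(data: bytes) -> dict:
    """Count suspicious keywords in the raw file and in its inflated streams and
    flag the pattern described above: JavaScript wired to run on open."""
    streams = inflate_streams(data)
    views = [unescape_names(data)] + [unescape_names(s) for s in streams]
    counts = {name: 0 for name in SUSPICIOUS_NAMES}
    for view in views:
        for name in SUSPICIOUS_NAMES:
            # the lookahead stops /JS from matching inside a longer name
            counts[name] += len(re.findall(re.escape(name.encode()) + rb"(?![A-Za-z])", view))
    auto_js = counts["/JavaScript"] > 0 and counts["/OpenAction"] + counts["/AA"] > 0
    return {"counts": counts, "auto_js": auto_js, "streams": streams}

def build_sample_pdf() -> bytes:
    # Constructed minimal PDF (not the file served by the TM site): the catalog's
    # /OpenAction points at a JavaScript action whose code lives in a Flate stream,
    # and the action name is hex-escaped as /J#61vaScript.
    body = zlib.compress(b"app.alert('constructed sample');")
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"3 0 obj << /S /J#61vaScript /JS 4 0 R >> endobj\n"
            b"4 0 obj << /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + body + b"\nendstream\nendobj\n%%EOF\n")
```

Run `triage_pdf(open(path, "rb").read())` on a suspect file; a non-zero `/JavaScript` count together with `/OpenAction` or `/AA` is the combination worth sending to a sandbox, and `streams` gives you the inflated bodies to deobfuscate.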

Update: I did more research. A part II is now available here.
