
Drudge Report, others, serve malicious ads

September 24, 2009

Updated Thursday, Sept. 24, 2009 at 3:49 p.m. EST

A number of popular websites, including Drudge Report, Horoscope.com and Lyrics.com, recently and inadvertently served malicious banner advertisements crafted to infect visitors with a trojan downloader, according to security firm ScanSafe.

“The volume [of users who encountered the ad] was probably the highest I've ever seen with malicious advertising,” Mary Landesman, ScanSafe's senior security researcher, told SCMagazineUS.com on Thursday.

The advertisements appear to have been delivered to Drudge Report and the other sites through multiple third-party ad networks and other ad-serving platforms used to manage the delivery of ads. The services involved in the attack were Google's DoubleClick, YieldManager and ValueClick's FastClick network, Landesman said.

Attackers were somehow able to inject the malicious ads into these systems, which subsequently caused the ads to be delivered to the popular sites, Landesman said.

When a user visited one of the sites serving the ads, a malicious PDF was generated on the fly to exploit known, already patched vulnerabilities in Adobe Reader and Acrobat. If the user did not have Adobe Reader or Acrobat installed, the malicious ad instead attempted to exploit a known ActiveX vulnerability in DirectShow, Microsoft's video streaming software.

Each PDF was constructed differently as a means of evading signature-based detection, Landesman said. In this attack just three of the 41 leading signature-based virus scanners detected the malicious PDF, she added.
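The following is an added example, not code from the original article or from ScanSafe, showing why per-visitor PDF variation defeats byte and hash signatures and what a structural check that survives the variation looks like. The two "malicious" samples and the benign one are constructed for this demonstration; the article does not say which PDF features the real attack used, so the JavaScript action, the #xx name escapes and the hex-encoded string are assumptions about how a PDF can be "formed differently" while keeping the same behaviour.

```python
import hashlib
import re

# Constructed sample PDFs (assumption: not artifacts from the incident).
# SAMPLE_A and SAMPLE_B carry the same auto-executing JavaScript; B spells the
# PDF name objects with #xx hex escapes and stores the script as a <hex> string,
# so its bytes, and any signature derived from A's bytes, differ completely.
SAMPLE_A = b"""%PDF-1.4
1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj
2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj
%%EOF
"""

SAMPLE_B = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Open#41ction 2 0 R >> endobj
2 0 obj << /S /Java#53cript /J#53 <6170702e616c6572742831 29> >> endobj
%%EOF
"""

SAMPLE_BENIGN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Count 0 /Kids [] >> endobj
%%EOF
"""

# Name objects that make a PDF act without the user clicking anything.
AUTO_KEYS = (b"/OpenAction", b"/AA")
# Name objects that carry code or launch something external.
PAYLOAD_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile")


def byte_signature(data: bytes) -> str:
    """Hash-style signature: matches only a byte-identical file."""
    return hashlib.sha256(data).hexdigest()


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes in PDF name objects, so /Java#53cript becomes
    /JavaScript before any keyword comparison."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def decode_hex_strings(data: bytes) -> bytes:
    """Rewrite <hex> string literals as (literal) strings so their content is
    visible to the scan. Whitespace inside the hex digits is allowed by the
    PDF syntax; an odd trailing digit is padded with 0 as the spec requires.
    The lookbehind keeps '<<' dictionary delimiters out of the match."""
    def repl(m):
        digits = re.sub(rb"\s", b"", m.group(1))
        if len(digits) % 2:
            digits += b"0"
        return b"(" + bytes.fromhex(digits.decode()) + b")"
    return re.sub(rb"(?<!<)<([0-9A-Fa-f\s]*)>", repl, data)


def has_name(view: bytes, name: bytes) -> bool:
    """Match a name object exactly, so /JS does not also match /JSomething."""
    return re.search(re.escape(name) + rb"(?![A-Za-z0-9])", view) is not None


def scan(data: bytes) -> dict:
    """Structural check: flag a PDF that both auto-executes and carries a
    script or launch action, whatever spelling the names and strings use."""
    view = decode_hex_strings(normalize_names(data))
    flags = [k.decode() for k in AUTO_KEYS + PAYLOAD_KEYS if has_name(view, k)]
    auto = any(has_name(view, k) for k in AUTO_KEYS)
    payload = any(has_name(view, k) for k in PAYLOAD_KEYS)
    return {"signature": byte_signature(data), "flags": flags,
            "suspicious": auto and payload}


if __name__ == "__main__":
    for label, pdf in (("A", SAMPLE_A), ("B", SAMPLE_B), ("benign", SAMPLE_BENIGN)):
        result = scan(pdf)
        print(label, result["signature"][:12], result["flags"], result["suspicious"])
```

The hashes of A and B differ and the literal token /JavaScript never appears in B, which is all a byte-pattern or hash signature sees; after name and string normalization both carry the same /OpenAction plus /JavaScript structure and are flagged, while the benign catalog is not. A production scanner would additionally inflate /FlateDecode streams and walk object references, since those are the other two places the same content can be hidden.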

“When a user encountered this, it was a very silent, surreptitious attack,” Landesman said. “…There was no interaction required from the user; this was a silent drive-by download.”

The end goal was to install a variant of the Win32/Alureon trojan, which is designed to download additional malware from the web, monitor browser use and manipulate search results by redirecting users to sites of the attacker's choosing.

The malicious ads were delivered between last Saturday and Monday; attackers aborted the mission by Tuesday, Landesman said. Attackers tend to run malicious ads over the weekends because consumer-focused sites generally get heavier traffic then, she added.

A Google spokesperson maintained that DoubleClick is not an ad network but a platform for customers to manage their digital advertising operations; DoubleClick does not buy or sell ads, provide content, or determine what digital advertising appears on a website.

“With DoubleClick ad management, publishers are in control of what content they are serving and are therefore ultimately responsible for determining what advertising appears on their site,” the Google spokesperson told SCMagazineUS.com on Thursday. “As a result, we can't offer comment on individual cases.” 

YieldManager and FastClick did not respond to requests for comment made by SCMagazineUS.com on Thursday. Neither did representatives from Drudge Report, horoscope.com, or lyrics.com.

Just last week, it was revealed that the New York Times inadvertently sold advertising space to hackers, causing an ad for rogue anti-virus products to be served to some users. 
