Wednesday, September 12, 2007

More Malicious Ads Appear on Myspace

Via SecurityFix -

Several banner ads containing Trojan horse programs that can compromise a user's computer have been running on some high-traffic Web sites for the past several weeks, including MySpace.com and Photobucket.com, Security Fix has learned.

Web security company ScanSafe said it first spotted the tainted banner ads on Aug. 8, and estimates that the hostile ads ran several million times for the next three weeks. Other sites that ran the ads included Bebo.com, TheSun.co.uk, and UltimateGuitar.com, officials at ScanSafe said. All a visitor to one of these sites needed to do to infect their machines was to browse a page that featured the ads with a version of Internet Explorer that was not equipped with the latest security updates from Microsoft.

This is hardly the first time malicious software has shown up in banner ads. A little over a year ago, I wrote about a similar banner ad attack that installed spyware on machines of more than a million MySpace.com users. This latest attack won't be the last either: Hacked banner ads are a very efficient way to distribute malware because they end up running on sites that most people trust.

The banner ads in question were traced back to an ad network exchange run by a company called RightMedia, which was recently bought by Yahoo!. The ads were being delivered to RightMedia's network from a third-party ad server. According to ScanSafe, those third-party servers included in their rotation several malicious ads that used Macromedia Flash files to load an invisible "iFrame" (used to insert content from another Web site into the current Web page).

The malicious iFrame in turn pulled down code that leveraged a security hole in Microsoft's Internet Explorer browser (a flaw Microsoft patched in February) to install a generic Trojan horse program.

A RightMedia spokesperson said the ads have been identified and banned from the exchange. "However, we cannot control what happens elsewhere on the Net. We continue to enhance our protective tools and are committed to finding ways of keeping this type of activity away from consumers and publishers."

RightMedia explains on its blog the processes it has in place for weeding out potentially hostile banner ads. The company's "MediaGuard" system runs each ad uploaded to its servers through a series of ten tests to determine whether the ad contains any malicious code. "Some of those tests are run through international proxy servers to imitate users outside of the US. If any malicious activity is detected, the creative is flagged and the advertiser notified."

But according to ScanSafe, the attackers' code inserted into the hostile ads was designed to recognize the difference between one of their ads served to a regular Web site visitor and RightMedia's scanning servers. If the visitor was RightMedia, no malicious code would be served with the ad, said Dan Nadir, ScanSafe's vice president of product strategy.

Tools like the "noscript" add-on for Firefox can help users block powerful programming languages like Flash and JavaScript from running automatically when a user visits a Web site. However, noscript may do little to prevent these types of attacks if the visitor has previously instructed "noscript" to trust the site permanently.

Another key takeaway here is the importance of Windows users keeping their systems up to date with the latest security patches, particularly those issued by Microsoft to plug holes in IE and other vital system components.
