Major Ad Networks Found Serving Malicious Ads

Two major online ad networks–DoubleClick and MSN–were serving malware via drive-by download exploits over the last week, experts say, after a group of attackers was able to trick the networks into displaying their ads by impersonating an online advertising provider.


The scheme involved a group of attackers who registered a domain that was one letter away from that of ADShuffle.com, an online advertising technology firm. The attackers then used the fake domain–ADShufffle.com–to dupe the advertising networks into serving their malicious banner ads. The ads used various exploits to install malware on victims’ PCs through drive-by downloads, according to information compiled by security vendor Armorize.

The ad networks only served the malicious content for a short period of time, but the episode shows just how difficult the drive-by download problem can be to address.

“Users visit websites that incorporate banner ads from DoubleClick or rad.msn.com, the malicious javascript is served from ADShufffle.com (notice the three f’s), starts a drive-by download process and if successful, HDD Plus and other malware are installed into the victim’s machine, without having the need to trick the victim into doing anything or clicking on anything. Simply visiting the page infects the visitors,” Armorize CTO Wayne Huang said in a blog post describing the scheme.

“Known sites affected: Sites that incorporate DoubleClick or rad.msn.com banners, including for example Scout.com (using DoubleClick), realestate.msn.com, msnbc.com (using both), and mail.live.com. We’d like to note here it’s very possible that multiple exchanges, besides those listed here, have been serving the fake ADShufffle’s ads.”

In some instances, the attackers used the notorious Eleonore exploit pack and the Neosploit package to accomplish the drive-by downloads. The attacks exploited a wide variety of vulnerabilities in browsers and Adobe Reader.

When a victim visited a site that was displaying one of the malicious banner ads, the user’s browser tried to render the ad and contacted the back-end ad server. The server pulled in the ad content from ADShufffle, which used malicious JavaScript to exploit one of a number of vulnerabilities. The JavaScript generated an iframe that used the Eleonore exploit pack to finish the compromise and drop malicious files on the PC.
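The trick that started the chain was a registrable domain one character away from a vetted ad-tech provider. The following is an added example, not code from Armorize or either ad network, of a check a publisher or ad exchange could run over the third-party script hosts referenced by served creatives to flag such lookalikes before they reach users. The allowlist, the `registrable` heuristic and the sample URLs are constructed assumptions; a real deployment would use the public suffix list and its own vetted-vendor inventory.

```python
from urllib.parse import urlsplit

KNOWN_AD_DOMAINS = {"adshuffle.com", "doubleclick.net", "msn.com"}  # constructed allowlist

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one insert, delete or substitution per step."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Crude registrable-domain guess: last two labels, lower-cased."""
    return ".".join(host.lower().split(".")[-2:])

def lookalike_of(host: str, known=KNOWN_AD_DOMAINS, max_dist: int = 1):
    """Return the known domain this host impersonates; None if exact or unrelated."""
    dom = registrable(host)
    if dom in known:           # exact match: the genuine ad-tech domain
        return None
    for k in known:
        if edit_distance(dom, k) <= max_dist:
            return k
    return None

def flag_creative_urls(urls):
    """(url, impersonated_domain) pairs for review; near-matches can be benign."""
    hits = []
    for u in urls:
        target = lookalike_of(urlsplit(u).hostname or "")
        if target:
            hits.append((u, target))
    return hits

# Constructed sample of script sources referenced by served creatives.
SAMPLE_URLS = [
    "http://ads.adshuffle.com/serve.js",
    "http://ADShufffle.com/ad.js",      # three f's: one insertion from the real name
    "http://rad.msn.com/banner.js",
    "http://example.org/static/app.js",
]

if __name__ == "__main__":
    for url, target in flag_creative_urls(SAMPLE_URLS):
        print(f"LOOKALIKE {url} resembles {target}")
```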

It’s a classic drive-by download scenario, but in this case it’s made all the more troublesome by the broad reach of the legitimate ad networks that were victimized by the attack. Armorize researchers contacted officials at DoubleClick after discovering the scheme.

“We reached out to DoubleClick and in less than a few hours time they arranged a meeting with a group of their experts on anti-malvertising and incidence response. We were very surprised and impressed with the speed that DoubleClick acted. We provided details, and DoubleClick said they were already on top of the issue,” Huang said.

“At the same time, our CEO Caleb Sima received a private email indicating that mail.live.msn, together with other big websites, were serving drive-by downloads via malvertising. We started to investigate other ad exchanges, because it was apparent that ADShufffle.com was able to trick multiple ad exchanges into serving their malicious javascript.”

A spokesman for Google, which owns DoubleClick, told the IDG News Service that the malicious ads were only being served for a short amount of time, and that the company’s own malware filters detected the ads, as well.
