Malicious Ads Infect 65 Websites, Drop ZeroAccess Trojan

As many as 65 websites have been compromised and are hosting malicious ads redirecting visitors to websites hosting the ZeroAccess Trojan.

As many as 65 websites have been compromised in an attack that has snared another Washington, D.C.-area media website as well as a number of travel and leisure sites.

While the sites aren’t topically related, they’re all hosting advertisements injected with malicious code hosted on googlecodehosting[.]com, googlecodehosting[.]org and googlecodehosting[.]net, all of which resolve to the same IP address, security company Zscaler said. The IP is currently offline.

The ads were delivered by openxadvertising[.]com, which Google Safe Browsing is blocking, Zscaler said. The attacks exploit two Java vulnerabilities, CVE-2013-1493 and CVE-2013-2423, both of which are being used to drop the ZeroAccess Trojan on affected machines, Zscaler said.

ZeroAccess is financially motivated malware that engages in click fraud and Bitcoin mining and includes rootkit capabilities that help it evade detection by security software. Infected machines are enrolled in a peer-to-peer botnet.

Government Security News reported this week that its site had been compromised and that Google was warning visitors of malware on the site. GSN covers government-related IT and physical security issues.

“At first, GSN thought we were a random victim of a cyber-attack with no specific target. Alternatively, we thought we might have been a specific target of what is sometimes called a ‘spear-phishing attack,’ aimed at a single company or organization,” a post on the website said. “But during the course of Monday, June 17, we learned from a respected malware detection company that its cyber-attack technical experts had encountered the same attack several times in recent days, each aimed at a different media company. One attack was aimed at a radio station in Washington, DC; another was targeted at a public affairs-oriented news organization.”

Radio station WTOP and Federal News Radio, in addition to the Free Beacon website, have been compromised in a series of attacks dating to early May. All of the attacks are similar in that malicious JavaScript is injected into the site and redirects visitors to sites hosting further malware.

GSN said its site was clean by late Monday.

Zscaler said the previous attacks on media sites were hosted at dynamic DNS providers and that the injected code fires only when it detects that the visitor's browser is Internet Explorer. Zscaler also identified three other media sites as compromised: The Christian Post, Real Clear Science and Real Clear Policy.
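The domains above (googlecodehosting[.]com, .org and .net, and openxadvertising[.]com) and the Internet Explorer check give a defender something concrete to hunt for in web proxy logs. The following script is an added example written for this page, not code from Zscaler or from the article. It assumes a simple space-separated access-log layout (timestamp, client IP, method, URL, status, quoted user agent); the log lines are constructed for illustration, and the Internet Explorer test on the user-agent string (looking for "MSIE" or "Trident/") is a conventional heuristic, not something the article specifies. Hosts match an indicator only when they equal it or are a subdomain of it, so a lookalike such as googlecodehosting.net.somethingelse.test is deliberately not flagged.

```python
"""Hunt proxy logs for the indicator domains named in the article and note
which hits came from Internet Explorer, the browser the injected code targets.
Added example, not the article's or Zscaler's code; log format and sample
lines are assumed/constructed."""

import re
from urllib.parse import urlsplit

# Indicator domains from the article, with the defanging brackets removed.
IOC_DOMAINS = {
    "googlecodehosting.com",
    "googlecodehosting.org",
    "googlecodehosting.net",
    "openxadvertising.com",
}

# Constructed sample log: timestamp, client, method, URL, status, "user agent".
SAMPLE_LOG = """\
2013-06-17T10:01:02 10.0.0.5 GET http://www.example-news.test/index.html 200 "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
2013-06-17T10:01:03 10.0.0.5 GET http://ads.openxadvertising.com/deliver.js 200 "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
2013-06-17T10:01:04 10.0.0.5 GET http://googlecodehosting.com/jquery.min.js 200 "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
2013-06-17T10:02:10 10.0.0.9 GET http://www.example-news.test/index.html 200 "Mozilla/5.0 (X11; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0"
2013-06-17T10:02:11 10.0.0.9 GET http://googlecodehosting.net.cdn-lookalike.test/x.js 200 "Mozilla/5.0 (X11; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0"
2013-06-17T10:03:00 10.0.0.7 GET http://cdn.googlecodehosting.org/loader.js 200 "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0"
"""

# Assumed log layout; adjust the pattern for a real proxy's format.
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def matches_ioc(host):
    """Return the indicator a host belongs to, or None.

    Only an exact match or a true subdomain counts; a plain substring test
    would also flag lookalikes like googlecodehosting.net.other.test."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def is_internet_explorer(user_agent):
    """Heuristic IE check (assumption, not from the article): IE identifies
    itself with an 'MSIE' token and/or the 'Trident/' engine token."""
    return "MSIE" in user_agent or "Trident/" in user_agent


def parse_line(line):
    """Split one log line into a record, or return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status, ua = m.groups()
    return {
        "ts": ts,
        "client": client,
        "method": method,
        "url": url,
        "host": urlsplit(url).hostname or "",
        "status": int(status),
        "ua": ua,
    }


def scan_log(text):
    """Return the records whose host matches an indicator, annotated with the
    indicator hit and whether the request came from Internet Explorer."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ioc = matches_ioc(rec["host"])
        if ioc is not None:
            rec["ioc"] = ioc
            rec["ie"] = is_internet_explorer(rec["ua"])
            hits.append(rec)
    return hits


def clients_by_indicator(hits):
    """Map each indicator to the set of client IPs that contacted it, which is
    the list of machines to pull for a ZeroAccess check."""
    out = {}
    for h in hits:
        out.setdefault(h["ioc"], set()).add(h["client"])
    return out


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        flag = "IE" if h["ie"] else "non-IE"
        print(f'{h["ts"]} {h["client"]} -> {h["host"]} (matches {h["ioc"]}, {flag})')
    for ioc, clients in sorted(clients_by_indicator(found).items()):
        print(f"{ioc}: {', '.join(sorted(clients))}")
```

Because the redirect only fires for Internet Explorer, a non-IE client that reached one of these hosts most likely loaded the ad but was not served the exploit; the IE clients are the ones to triage first for CVE-2013-1493 or CVE-2013-2423 exploitation and a ZeroAccess payload.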

Experts have characterized the attacks as watering hole attacks: sites the intended targets are known to visit are compromised, and their visitors are redirected to malware. Some watering hole attacks against government websites or human rights organizations have delivered malware that monitors a user's online activity, while others, like this one, are financially motivated.
