Jump to content
coolbyte

Malicious advertisements served via Yahoo

By coolbyte, in Stiri securitate

Recommended Posts

coolbyte Newbie

coolbyte

Posted
Posted

Salut,

Detection of the infection

Fox-IT operates the shared Security Operations Center service ProtACT. This service monitors the networks of our clients for malicious activity. On January 3 we detected and investigated the infection of clients after they visited yahoo.com.

Infection

Clients visiting yahoo.com received advertisements served by ads.yahoo.com. Some of the advertisements are malicious. Those malicious advertisements are iframes hosted on the following domains:

blistartoncom.org (192.133.137.59), registered on 1 Jan 2014

slaptonitkons.net (192.133.137.100), registered on 1 Jan 2014

original-filmsonline.com (192.133.137.63)

funnyboobsonline.org (192.133.137.247)

yagerass.org (192.133.137.56)

Upon visiting the malicious advertisements users get redirected to a “Magnitude” exploit kit via a HTTP redirect to seemingly random subdomains of:

boxsdiscussing.net

crisisreverse.net

limitingbeyond.net

and others

All those domains are served from a single IP address: 193.169.245.78. This IP-address appears to be hosted in the Netherlands.

This exploit kit exploits vulnerabilities in Java and installs a host of different malware including:

ZeuS

Andromeda

Dorkbot/Ngrbot

Advertisement clicking malware

Tinba/Zusy

Necurs

The investigation showed that the earliest signs of infection were at December 30, 2013. Other reports suggest it might have started even earlier.

Schematically the exploit looks like this:

yahoo ads malware

Size

Based on a sample of traffic we estimate the number of visits to the malicious site to be around 300k/hr. Given a typical infection rate of 9% this would result in around 27.000 infections every hour. Based on the same sample, the countries most affected by the exploit kit are Romania, Great Brittain and France. At this time it’s unclear why those countries are most affected, it is likely due to the configuration of the malicious advertisements on Yahoo.

yahoo ad distribution

Motivation

It is unclear which specific group is behind this attack, but the attackers are clearly financially motivated and seem to offer services to other actors. The exploit kit bears similarities to the one used in the brief infection of php.net in October 2013.

Advice

Block access to the following IP-addresses of the malicious advertisement and the exploit kit:

Block the 192.133.137/24 subnet

Block the 193.169.245/24 subnet

Also closely inspect network traffic for signs of successful exploits for any of the dropped malware.

Yahoo is aware of the issue and looking into it.

Please watch this page for updates.

Sursa Malicious advertisements served via Yahoo | Fox-IT International blog

Din cate am vazut se raspandeste prin Java.

Intrebarea mea este daca folosesc Ubuntu 12.04 cu java oare pot sa stau linistit?

Multumesc

Link to comment
Share on other sites
aelius Grand Master

aelius

Posted
Posted

Acele aplicatii malware sunt destinate Windows-ului.

Pe linux oricum ai control mai mare: Rulezi aplicatiile sub un user cu privilegii restranse, poti vedea foarte usor procesele ce ruleaza si ai o gramada de scule pentru monitorizare si debugging. (tcpdump, iptraf, ps, pstree, lsof). Daca esti paranoic, poti face "daily md5sum" pe binare pentru a te asigura ca este totul ok. (poti instala chiar si un IDS sa monitorizeze fisiere, etc ..) (acum depinde si de experienta)

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...