coolbyte Posted January 8, 2014
Hi,

Detection of the infection
Fox-IT operates the shared Security Operations Center service ProtACT. This service monitors the networks of our clients for malicious activity. On January 3 we detected and investigated the infection of clients after they visited yahoo.com.

Infection
Clients visiting yahoo.com received advertisements served by ads.yahoo.com. Some of the advertisements are malicious. Those malicious advertisements are iframes hosted on the following domains:
- blistartoncom.org (192.133.137.59), registered on 1 Jan 2014
- slaptonitkons.net (192.133.137.100), registered on 1 Jan 2014
- original-filmsonline.com (192.133.137.63)
- funnyboobsonline.org (192.133.137.247)
- yagerass.org (192.133.137.56)
Upon visiting the malicious advertisements users get redirected to a “Magnitude” exploit kit via an HTTP redirect to seemingly random subdomains of:
- boxsdiscussing.net
- crisisreverse.net
- limitingbeyond.net
- and others
All those domains are served from a single IP address: 193.169.245.78. This IP address appears to be hosted in the Netherlands.
This exploit kit exploits vulnerabilities in Java and installs a host of different malware including:
- ZeuS
- Andromeda
- Dorkbot/Ngrbot
- Advertisement clicking malware
- Tinba/Zusy
- Necurs
The investigation showed that the earliest signs of infection were on December 30, 2013. Other reports suggest it might have started even earlier.
Schematically the exploit looks like this:
[Image: yahoo ads malware]

Size
Based on a sample of traffic we estimate the number of visits to the malicious site to be around 300k/hr. Given a typical infection rate of 9% this would result in around 27.000 infections every hour. Based on the same sample, the countries most affected by the exploit kit are Romania, Great Britain and France. At this time it’s unclear why those countries are most affected; it is likely due to the configuration of the malicious advertisements on Yahoo.
[Image: yahoo ad distribution]

Motivation
It is unclear which specific group is behind this attack, but the attackers are clearly financially motivated and seem to offer services to other actors. The exploit kit bears similarities to the one used in the brief infection of php.net in October 2013.

Advice
Block access to the following IP addresses of the malicious advertisement and the exploit kit:
- Block the 192.133.137/24 subnet
- Block the 193.169.245/24 subnet
Also closely inspect network traffic for signs of successful exploits for any of the dropped malware.
Yahoo is aware of the issue and looking into it.
Please watch this page for updates.

Source: Malicious advertisements served via Yahoo | Fox-IT International blog

From what I've seen, it spreads through Java.
My question is: if I use Ubuntu 12.04 with Java, can I rest easy?
Thanks
aelius Posted January 8, 2014
Those malware applications are aimed at Windows.
On Linux you have more control anyway: you run applications under a user with restricted privileges, you can very easily see the running processes, and you have a pile of tools for monitoring and debugging (tcpdump, iptraf, ps, pstree, lsof). If you're paranoid, you can do a "daily md5sum" on binaries to make sure everything is OK (you can even install an IDS to monitor files, etc.). (Now, it also depends on experience.)
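A baseline-and-compare integrity check in the spirit of the "daily md5sum" aelius describes, written as an added example for this thread (it is not code from the post or from Fox-IT). It swaps sha256sum in for md5sum and assumes GNU coreutils and file names without whitespace.

```shell
#!/bin/sh
# Added example: record a trusted hash baseline for a directory of binaries,
# then report what was ADDED, CHANGED or REMOVED since.
# sha256sum is used instead of md5sum (MD5 collisions are cheap); the workflow is the same.
# Assumes GNU coreutils (sha256sum, sort, awk) and file names without whitespace.

# Hash every regular file under $1. Paths are relative to $1 so the baseline
# can be compared from any mount point (e.g. a read-only rescue boot).
snapshot() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2)
}

# integrity_baseline DIR BASELINE_FILE : record the trusted state
integrity_baseline() {
    snapshot "$1" > "$2"
}

# integrity_check DIR BASELINE_FILE : print ADDED / CHANGED / REMOVED paths,
# return 0 when the directory still matches the baseline and 1 otherwise.
integrity_check() {
    dir=$1; base=$2
    cur=$(mktemp)
    snapshot "$dir" > "$cur"
    # First input is the baseline, second is the current snapshot;
    # both hold "hash  path" lines, so $1 is the hash and $2 the path.
    diff_out=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }
        { cur[$2] = $1 }
        END {
            for (p in base) if (!(p in cur)) print "REMOVED", p
            for (p in cur) {
                if (!(p in base))           print "ADDED", p
                else if (cur[p] != base[p]) print "CHANGED", p
            }
        }' "$base" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    if [ -z "$diff_out" ]; then
        return 0
    fi
    printf '%s\n' "$diff_out"
    return 1
}

# Typical use from cron (paths are illustrative):
#   integrity_baseline /usr/bin /var/lib/integrity/usr-bin.sha256
#   integrity_check    /usr/bin /var/lib/integrity/usr-bin.sha256 || mail -s "integrity alert" root
```

Keep the baseline where the monitored host cannot rewrite it (read-only media or a separate host); a baseline stored beside the binaries it vouches for proves nothing once the host is compromised.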
carter2408 Posted January 8, 2014
What are the chances that I got infected with these viruses? I visited yahoo.ro every day. But I had Bitdefender. I scanned the PC with both Bitdefender and NOD32 and neither shows that I have a virus.
bcman Posted January 8, 2014
Anyone who has the latest version of Firefox is protected, because the latest version blocks Java by default. The same goes for those who use an ad blocker (I can't even imagine what it would be like not to use one) or if you don't have Java installed.
Inf3cted Posted January 10, 2014
"Unfortunately" there are many 0-days... it shouldn't be limited to Java only... there's also Adobe (Flash, Reader, etc.) and plenty of other things... Plus, being fully up to date doesn't help; the best browser so far was Google Chrome, and there are already some 6 or 7 ways to get past the sandbox.