Trojan Downloader.VBS.Agent.N Distributed in Fake Ads Linked to by a Network of over 70 Ad Servers
High-profile sites including TheSun.co.uk, MySpace.com, Bebo.com, PhotoBucket.com and UltimateGuitar.com all unknowingly hosted ads infected with Trojan-Downloader.VBS.Agent.n in recent weeks. ScanSafe saw a surge in blocks of the Trojan beginning August 8 and continuing until early September.
"Once again, the widespread nature of this threat just shows that relying on a historical URL crawler for security is like playing Russian roulette with your network," said Eldar Tuvey, CEO, ScanSafe.
The malware is hidden within phony ads and requires no user interaction for infection to take place, making it particularly dangerous. ScanSafe estimates that up to 12 million ads may have been delivered, exposing a large number of users to the Trojan. Research has shown that as much as 30 percent of vulnerable operating systems are insufficiently patched, leaving many users open to infection by malware such as Trojan-Downloader.VBS.Agent.n.
“This is another example of how legitimate ‘trusted’ websites can unknowingly host malware,” said Dan Nadir, vice president of product strategy, ScanSafe. “Online ads have become a primary target for malware authors because they offer a stealthy way to distribute malware to a wide audience. In many instances, including this one, the malware perpetrator can leverage the distributed nature of online advertising and the decentralization of website content to spread malware to hundreds of sites. It makes detecting the hacker very difficult and underscores the importance of scanning URLs in real-time in order to detect malware.”
The Trojan is being distributed by a compromised network of ad servers. Over 70 ad servers, including those of the popular websites mentioned, link to ads—both legitimate ads and the infected ads—as part of an online ad exchange network run by RightMedia, the industry's largest emerging online advertising exchange. RightMedia is not responsible for the content of the ad or the malware.
These ad servers deliver ad code that cycles through various ads. Among the ads is a 'phony' ad, in Italian (see example below), that delivers a Flash file which generates an invisible iFrame. The iFrame links to an IP address hosting obfuscated Visual Basic script that leverages the well-known MDAC exploit (see http://www.microsoft.com/technet/security/Bulletin/MS07-009.mspx) to download a Trojan executable.
ScanSafe believes the malicious script inside the Flash ad avoided detection by RightMedia because of the clever use of a referrer check, so the ad only becomes active when delivered by a particular ad server.
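One defensive check that follows from the chain described above, written here as an added example rather than ScanSafe's own tooling: scan delivered ad markup for iframes that are sized to zero or hidden by style, and for iframes whose src host is a bare IP address. The sample markup is constructed for the example.

```python
from html.parser import HTMLParser
import ipaddress
import re
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

# Constructed sample markup modelled on the chain described above: a normal
# creative, an invisible iframe aimed at a bare IP, and a normal-sized iframe.
SAMPLE_AD_MARKUP = """
<div class="ad"><a href="https://advertiser.example/offer"><img src="banner.gif"></a></div>
<iframe src="http://192.0.2.10/load.php" width="0" height="0" style="border:0"></iframe>
<iframe src="https://partner.example.net/frame" width="300" height="250"></iframe>
"""

class _IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []  # one dict of lowercased attributes per <iframe>
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def _is_tiny(value):
    # Missing or non-numeric sizes count as visible; 0 or 1 px counts as hidden.
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1

def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def find_suspicious_iframes(markup):
    """Return (src, reasons) pairs for iframes that are hidden or point at an IP literal."""
    parser = _IframeCollector()
    parser.feed(markup)
    findings = []
    for attrs in parser.iframes:
        src, reasons = attrs.get("src", ""), []
        if _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height")):
            reasons.append("zero-size")
        if HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden-style")
        if _is_ip_literal(urlparse(src).hostname or ""):
            reasons.append("ip-literal-host")
        if reasons:
            findings.append((src, reasons))
    return findings
```

A zero-size frame or an IP-literal host is not proof of malice on its own, so in practice such hits are queued for inspection of the framed content rather than blocked outright.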
This Trojan downloads other programs via the Internet and launches them on the victim’s machine without the user’s knowledge or consent.
[Image] Ad infected with Trojan-Downloader.VBS.Agent.n
ScanSafe customers using the company’s Malware Scanning service have been completely protected from the attack.
In recent months, several well-known sites, including TomsHardware.com, have unwittingly hosted malware that was inserted via infected online ads.