Sneaky New Virus Spreads Via Ads

Sneaky New Virus Spreads via Ads

Brennon Slattery

Hackers infiltrated popular tech business site eWeek.com yesterday using Google's DoubleClick banner ads as a vehicle. Websense caught the malicious coding and published its results, which spurred eWeek to scour its code and remove all phony advertisements.

The pest, named Anti-Virus-1, is complicated and smart. The advertisements are for antivirus software, and when a user clicks on them, the ads redirect to a pornography Website through a series of iframes. Then a PDF pops up loaded with evil code, exploiting a weakness currently festering in the Adobe systems; or the file index.php redirects to the rogue ad server. The server places a file named "winratit.exe" into the user's temporary files folder, and it stays there without any user interaction.

If the user tries to cleanse the computer by visiting any of several popular software downloading sites, the hack has a twist of the blade waiting: the host file is modified to redirect to even more malicious Websites offering further rogue downloads.

eWeek may not be the first popular Website to be attacked. "Given DoubleClick's tremendous reach, it's possible the rogue ads have shown up on Websites other than eWeek," Websense Vice President of Security Research Dan Hubbard told The Register.

As always, exercise caution when following advertisements.

PC World article and screenshots: http://www.pcworld.com/article/160171/snea...ds_via_ads.html


More on this topic...

25 February 2009, 16:01

Malicious advertising banners distributed by eWeek

eWeek, an online magazine, has become the victim of an advertising campaign that sends users malicious code instead of the expected colourful advertising images. According to security expert Websense, an advertising banner distributed via eweek.com yesterday (Tuesday) tried to install the Anti-Virus-1 scareware on visitors' computers using a malformed PDF document. The software reportedly pretends it has found a system infection to trick users into buying a full commercial version of the program.

eWeek has now responded and stopped the malicious advertising campaign. In a statement regarding the incident, eWeek said that not only eweek.com but other web sites within the Ziff Davis network deployed the malicious banner. According to the statement, the attackers targeted an old security hole in Adobe Reader rather than the as-yet-unresolved security issue recently found in Adobe products.

Heise security for full story: http://www.h-online.com/security/Malicious...k--/news/112721


And some more on this topic...

eWeek Web Site Leads Users to Rogue Anti-Virus (AV) Application

Date: 02.24.2009

Threat Type: Malicious Web Site / Malicious Code

Websense Security Labs™ ThreatSeeker™ Network has discovered that the eWeek.com Web site is serving malicious advertisements (malvertisements) to visitors.

Update 2/24/09 - eWeek has informed us that the problem has been rectified. We have verified that the Web site is now safe.

eWeek.com is the online version of the popular business computing magazine.

When users browse to the home page of eWeek, a malvertisement hosted on the DoubleClick advertisement network performs a redirect to a malicious Web site through a series of iframes. This causes a redirect to one of two files on hxxp://[removed]inside.com/

Either a pdf document containing exploit code is served, or index.php redirects to the rogue ad-server.

With no user interaction, a file named "winratit.exe" (MD5: A12DA1D62B7335CBE6D6EA270247BBC1) is installed in the user's temporary files folder. Two additional files are dropped onto the user's machine and are bound to startup. The host file is also modified so that if the user tries to browse to popular software download sites to remedy the infected machine, s/he is instead directed to a malicious Web site offering further rogue AV downloads.

The name of the rogue AV application is Anti-Virus-1. If the user chooses to register the rogue AV, a connection is made to hxxp://[removed]-site.info/ which has been set up to collect payment details.

Websense® Security Labs has let eWeek know about the problem and they are working to fix it.

Heise security full story & screenshots: http://securitylabs.websense.com/content/Alerts/3310.aspx

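Both the PC World and Websense write-ups above say the rogue AV tampers with the hosts file so that well-known software download sites resolve to attacker-controlled servers. A simple defender-side check for that symptom is to parse the hosts file and flag any watched domain that has been pinned to a non-loopback address. The script below is an added example and not code from either article or from Websense; the sample hosts content and the 203.0.113.45 address are constructed for illustration, and the list of watched domains is an assumption you would replace with the vendors your own users rely on.

```python
import ipaddress
import os
import sys

# Constructed sample of a hosts file after a hijack of the kind the posts
# describe: download portals pinned to an attacker-chosen address.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# entries below are constructed for the example
203.0.113.45    download.com
203.0.113.45    www.download.com
203.0.113.45    softpedia.com
"""

# Assumed watch list: domains an infected user would plausibly visit to
# fetch a cleaner. Extend it with the vendors relevant to your environment.
WATCHED_DOMAINS = {"download.com", "softpedia.com", "tucows.com",
                   "microsoft.com", "symantec.com"}


def parse_hosts(text):
    """Yield (line_number, ip_address, hostname) tuples from hosts-file text.

    Comments (after '#') are stripped, blank and malformed lines skipped,
    and every hostname on a line is paired with the line's address.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a valid IPv4/IPv6 literal; ignore the line
        for name in parts[1:]:
            entries.append((lineno, addr, name.lower().rstrip(".")))
    return entries


def find_hijacks(hosts_text, watched=WATCHED_DOMAINS):
    """Return a list of findings for watched domains mapped to remote addresses.

    Mapping a name to 127.0.0.1, ::1 or 0.0.0.0 is the normal, legitimate
    use of a hosts file (ad blocking, sinkholing), so those are not flagged.
    Anything else for a watched domain or its subdomains is reported.
    """
    watched = {w.lower().lstrip(".") for w in watched}
    findings = []
    for lineno, addr, name in parse_hosts(hosts_text):
        if addr.is_loopback or addr.is_unspecified:
            continue
        if any(name == w or name.endswith("." + w) for w in watched):
            findings.append({"line": lineno, "host": name, "address": str(addr)})
    return findings


def default_hosts_path():
    """Platform-appropriate location of the live hosts file."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    # With no argument, check the embedded sample; with a path, check that file.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for f in find_hijacks(text):
        print(f"line {f['line']}: {f['host']} -> {f['address']} (watched domain pinned to remote address)")
```

Run it with no arguments to see the three constructed findings, or pass the path returned by `default_hosts_path()` to inspect a real machine. A finding is not proof of infection on its own (some corporate setups pin vendor hosts deliberately), but on an endpoint that is also showing rogue AV prompts it is strong corroboration, and restoring the hosts file is part of the cleanup.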
