Banner Ads Serving Up MyDoom Banner Ads Susceptible to New MyDoom Variant Sean Michael Kerner
A chilling turn in the war against viruses appeared over the weekend. Viruses are now being spread unsuspectingly through Web sites via compromised ad
servers.
The SANS Institute Internet Storm Center on Saturday reported that a 'high profile UK website' was among those that had been hit. On Sunday, The Register confirmed on a note on its site that, "early on Saturday morning some banner advertising served for The Register by third-party ad serving company Falk AG became infected with the Bofra/IFrame exploit."
The UK publication suspended all ad serving from the ad server in question after the problem was discovered. Falk eSolution AG serves ads to many popular entertainment sites, including NBC Universal, ATOM Shockwave, The Golf Channel and A&E Networks.
Security firm LURHQ has reported two additional malicious payloads that are being deployed across compromised networks other than Bofra/MyDoom.af.
One of the pieces of malware is called Virtumonde Adware, which is a browser hijack exploit. Such a hijack essentially takes control of a compromised Web browser and shows pop-up ads that direct users to different pages and searches than those they had intended.
The other is Trojan.Agent.EC, which takes control of a user's PC through a back door. The compromised machine can then be used to upload and execute
whatever code the attacker wants.
According to LURHQ, "The sites above are being rotated frequently and are not just small, unknown sites — one of the hacked sites included a well-known Hollywood film studio's Web site."
The viruses take advantage of certain IFRAME vulnerabilities. One of the exploits used to take advantage of the IFRAME issue involves the latest variant of MyDoom, which is also called Bofra.
The IFRAME exploit that Bofra/MyDoom.af takes advantage of does not affect users with Windows XP running SP2.
However, users running XP without the latest service pack upgrade, or those running a non-XP Windows OS (such as Windows 2000) are potentially at risk.
