Sunday, December 12, 2010

Malvertizements Where You Least Expect Them.

"Malvertizements" = ( Malicious Advertisement )

Malware distributors somehow managed to deceive two large ad networks into serving malvertizements that stealthily infected the visitors of large websites with scareware applications.


These attacks began on December 3 and were spotted by HackAlert, a cloud-based malware scanning service operated by Santa Clara-based security vendor Armorize Technologies. HackAlert is used by VeriSign Trust Services, now a division of Symantec, for its daily VeriSign Trust Seal malware scans. So when several high-profile websites started being tagged as infected, Armorize was asked to check its platform for possible bugs. Armorize investigated and found that sites like realestate.msn.com, msnbc.com, scout.com and mail.live.com were indeed unwittingly infecting their visitors with the scareware applications.

Cyber criminals registered a domain called adshufffle.com (note the misspelling) and posed as the legitimate advertising company AdShuffle. They managed to get their domain accepted on both the Google-owned DoubleClick network and rad.msn.com, the server Microsoft uses to send ads to various sites, including Hotmail and MSN.
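A publisher or ad network can catch this kind of lookalike by comparing every ad-script host against the partners it has actually approved. The sketch below is an added example, not code from Armorize or the ad networks; the allowlist (including the assumption that adshuffle.com is the legitimate AdShuffle domain), the sample URLs and all function names are constructed for illustration.

```python
from urllib.parse import urlparse

# Assumed allowlist of registrable domains the site has contracted to serve ads.
APPROVED = {"adshuffle.com", "doubleclick.net", "msn.com"}

# Constructed sample script URLs (paths are placeholders, not from the incident).
SAMPLE_TAGS = [
    "http://ad.doubleclick.net/tag.js",
    "http://rad.msn.com/tag.js",
    "http://adshufffle.com/tag.js",
    "http://cdn.example.org/lib.js",
]

def registrable(host):
    """Naive last-two-labels domain; production code should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def collapse(s):
    """Squeeze runs of one character, so 'fff' and 'ff' compare equal."""
    return "".join(c for i, c in enumerate(s) if i == 0 or s[i - 1] != c)

def classify(host, approved=APPROVED, max_dist=1):
    """Return (verdict, matched_domain): approved, lookalike or unknown."""
    host = host.lower().rstrip(".")
    dom = registrable(host)
    if dom in approved:
        return ("approved", dom)
    for good in sorted(approved):
        if collapse(dom) == collapse(good) or edit_distance(dom, good) <= max_dist:
            return ("lookalike", good)
    return ("unknown", None)

def scan(urls):
    """Classify the host of every ad-script URL."""
    return [(urlparse(u).hostname,) + classify(urlparse(u).hostname) for u in urls]

if __name__ == "__main__":
    for host, verdict, match in scan(SAMPLE_TAGS):
        print(f"{host:22} {verdict:10} {match or ''}")
```

A "lookalike" verdict is the one to escalate: it means a host that was never approved sits within one edit, or one repeated letter, of a partner that was.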


The malicious ads served from this domain were not the normal scareware advertisements that falsely claim visitors are infected and offer them a program to fix it. These malvertizements loaded the Eleonore drive-by download toolkit in the background. This toolkit quietly exploits holes in outdated versions of popular applications like Java, Adobe Reader, Internet Explorer and even Windows.

“Users visit websites that incorporate banner ads from DoubleClick or rad.msn.com, the malicious javascript is served from ADShufffle.com (notice the three f's), starts a drive-by download process and if successful, HDD Plus and other malware are installed into the victim's machine, without having the need to trick the victim into doing anything or clicking on anything. Simply visiting the page infects the visitors,”

For more information read the article at the Armorize Blog, here:

"HDD Plus" malware spread through major ad networks, using malvertising and drive-by download

Most of the sites involved detected the malicious advertisements quickly and filtered them, so the chances of you being infected are slim. If you believe you may have visited one of these infected pages or ads, I suggest you run a full virus scan of your computer immediately. If you are unsure how to proceed or don't have AV software, more information can be found on the page below.

Staying Virus Free


About Black Knight

I am a computer repair technician with over 15 years' experience and have been a computer security and information privacy enthusiast for the last 4 years. I've helped literally thousands of individuals fix their issues by offering help through various blogs and Facebook pages. I like teaching myself and others new things, and believe in freely sharing knowledge.
