Friday, February 27, 2009

Update on compromised adservers serving malware (eWeek/other Ziff Davis Enterprise sites)

Websense reports that the recent eWeek PDF attack via ad servers required no user interaction. The eWeek site is the online version of the popular business computing magazine.

When users browse to the home page of eWeek, a malvertisement hosted on the DoubleClick advertisement network performs a redirect to a malicious Web site through a series of iframes. This causes a redirect to one of two files on hxxp://[removed]

Either a PDF document containing exploit code is served, or index.php redirects to the rogue ad server.

With no user interaction, a file named "winratit.exe" (MD5: A12DA1D62B7335CBE6D6EA270247BBC1) is installed in the user's temporary files folder. Two additional files are dropped onto the user's machine and are bound to startup. The hosts file is also modified so that if the user tries to browse to popular software download sites to remedy the infected machine, s/he is instead directed to a malicious Web site offering further rogue AV downloads.
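The hosts-file tampering described above is easy to check for on an affected machine, because a stock hosts file only maps names to loopback addresses. The following is an added example (not code from the original post or from Websense) that parses hosts-file text and flags any entry sending a watched vendor or download domain to a remote address. The sample file contents, the `203.0.113.5` address and the `.test` domains in the watchlist are constructed placeholders; a real deployment would list the security-vendor and software-download domains its users rely on for remediation.

```python
import ipaddress

# Constructed sample hosts-file contents (not taken from the original post).
# CLEAN_HOSTS is a stock file; TAMPERED_HOSTS adds two lines that imitate the
# kind of change the post describes: download sites pointed at a remote host.
CLEAN_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
"""

TAMPERED_HOSTS = CLEAN_HOSTS + """\
# --- constructed tampered entries below ---
203.0.113.5     www.example-avdownloads.test   # constructed
203.0.113.5     downloads.example-security.test
"""

# Constructed watchlist: in practice, the vendor and download domains that
# users would visit to clean an infected machine.
WATCHLIST = ("example-avdownloads.test", "example-security.test")


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: an address with no names
        ip, names = fields[0], fields[1:]
        entries.extend((ip, name.lower()) for name in names)
    return entries


def is_local_target(ip):
    """True for loopback or unspecified addresses, the only ones a stock hosts file uses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def matches_watchlist(hostname, watchlist):
    """True if hostname equals a watched domain or is a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watchlist)


def find_hijacked_entries(text, watchlist=WATCHLIST):
    """Entries that send a watched domain somewhere other than the local machine.

    A hosts entry for a vendor download site that resolves to a remote address
    is the tell-tale of the redirection the post describes: the name never
    reaches DNS, so the browser lands on whatever host the malware chose.
    """
    return [
        (ip, name)
        for ip, name in parse_hosts(text)
        if matches_watchlist(name, watchlist) and not is_local_target(ip)
    ]


def nonlocal_entries(text):
    """Every entry that maps a name off-box; a broader list for manual review."""
    return [(ip, name) for ip, name in parse_hosts(text) if not is_local_target(ip)]


if __name__ == "__main__":
    for ip, name in find_hijacked_entries(TAMPERED_HOSTS):
        print(f"hijacked: {name} -> {ip}")
```

On a live system, read the platform's hosts file (for example `C:\Windows\System32\drivers\etc\hosts` on Windows) and pass its contents to `find_hijacked_entries`; `nonlocal_entries` gives the wider list for environments where some off-box entries are legitimate.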

The name of the rogue AV application is Anti-Virus-1. If the user chooses to register the rogue AV, a connection is made to hxxp://[removed], which has been set up to collect payment details.

Security4all says this isn't the recent 0-day Adobe Reader PDF exploit also served by compromised adservers, but a previous one reported last November. This attack hit eWeek and other Ziff Davis Enterprise site ad servers this week. The goal of this attack is to install fake antivirus software.
