Banner Ads Serving Up MyDoom
Page 1 of 1
A chilling turn in the war against viruses appeared over the weekend. It looks like viruses are now being spread unsuspectingly through Web sites via compromised ad servers.
The SANS Institute Internet Storm Center on Saturday reported that a 'high profile UK website' was among those that had been hit. On Sunday, The Register confirmed on a note on its site that, "early on Saturday morning some banner advertising served for The Register by third-party ad serving company Falk AG became infected with the Bofra/IFrame exploit."
The UK publication suspended all ad serving from the ad server in question after the problem was discovered. Falk eSolution AG serves ads to many popular entertainment sites, including NBC Universal, ATOM Shockwave, The Golf Channel and A&E Networks.
Security firm LURHQ has reported two additional malicious payloads that are being deployed across compromised networks other than Bofra/MyDoom.af.
One of the pieces of malware is called Virtumonde Adware, which is a browser hijack exploit. Such a hijack essentially takes control of a compromised Web browser and shows pop-up ads and directs users to different pages and searches than those they had intended.
The other is Trojan.Agent.EC, which takes control of a user's PC through a back door. The compromised machine can then be used to upload and execute whatever code the attacker wants.
According to LURHQ, "The sites above are being rotated frequently and are not just small, unknown sites -- one of the hacked sites included a well-known Hollywood film studio's Web site."
The IFRAME exploit that Bofra/MyDoom.af takes advantage of does not affect users with Windows XP running SP2.
However, users running XP without the latest service pack upgrade, or running a non-XP Windows OS (such as Windows 2000) are potentially at risk.