RealTime IT News

Supertoxic Site Infects eWeek.com

A toxic stew of malware varieties, helped by a common browser exploit, hit the home page of tech news publication eWeek this week. Internet security product vendor Websense (NASDAQ: WBSN) discovered the exploit Tuesday morning. Staff for eWeek.com addressed the infection within a few hours.

All told, security researchers found 16 forms of malware infecting banner ads on eWeek.com, Stephan Chenette, manager of security research at Websense, told InternetNews.com.

The researchers said a "malvertisement" hosted on the DoubleClick advertisement network would perform a redirect to a malicious Web site through a series of iframes.

IFrames are HTML elements that let a page embed one HTML document inside another. These would automatically take site visitors to the toxic server, which was housed in the eastern European nation of Latvia, without their having to click on anything, Chenette said.

IFrame exploits are very common and are behind many site infections. In the summer of 2007, an IFrame attack compromised more than 10,000 servers, mostly in Europe.

Ad networks are a huge threat because there is little online sites can do to protect against them, according to Chenette. "The sites don't have control over what ads are being placed on their pages," he explained.

Attacks on ad networks are attractive because they are cheap to pull off and the attackers can preserve their anonymity, Chenette said. Some organizations using ad networks have had their accounts compromised, and attackers used them to deliver their messages, according to Chenette. "I'm sure we'll see more and more attackers using ad networks again."

Stephen Wellman, director of community and content for Ziff Davis Enterprise, which owns eWeek.com, referred queries to eWeek.com's article explaining the problem. The post said the exploit did not impact ZDE's other Web sites.

The article said eWeek.com removed the exploit within hours of Websense's alert. It involved a bug affecting Adobe (NASDAQ: ADBE) Reader and Adobe Acrobat, but this bug is not related to the Adobe flaw reported last week, the article said.

Google had not responded to requests for comment by press time.

Lots of toxic stuff

Chenette said the server in Latvia hosted 16 types of exploits targeting PCs and Macs, Internet Explorer (IE), Firefox and Adobe Flash. Some of the malware was months old; other pieces were newer. It also included an attack against the IE 7 vulnerability for which Microsoft (NASDAQ: MSFT) brought out the MS09-002 patch on February 10.

"They were very much trying to exploit the latest browser vulnerabilities," he said. That attack hit the week after Microsoft released its monthly patches on Patch Tuesday earlier this month.

The malware server also redirected users to a "scareware" server. Scareware is fake antivirus software that pretends to scan a victim's computer, then reports that the computer is infected and urges the victim to pay for antivirus protection. Microsoft has declared war on scareware vendors, and has teamed up with the Attorney-General of Washington State in that effort.

Scareware was hugely successful for hackers last year and continues to pay off for them. "It's one of the biggest things we saw in '08, and we thought it would slow down this year but it isn't," Chenette said. "Attackers are using it and social engineering almost more than they're using exploits because users are clicking when prompted to download a supposed antivirus package."

The site in Latvia is only about 50 days old, is very complex, and was put together by very savvy criminals, according to Chenette. It bears out security experts' warnings that malware authors are becoming very professional.

"There's a small group of really smart guys who know how to do things like malvertising, which is the kind of attack that hit Ziff Davis," Roger Thompson, chief research officer at antivirus vendor AVG, told InternetNews.com. "They keep coming up with new innovations and have a deep understanding of how Internet commerce works." Malvertising refers to infected ads.

What can online sites do to protect themselves? Mistrust and verify everything posted by third parties, Chenette said. "You have to scan links and images posted on the site."
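The kind of check Chenette describes, as an added example that is not part of the article or of any vendor's product: it parses a third-party ad creative and flags hidden or off-network iframes of the sort used in the redirect chain described above. The allowlist of expected ad hosts and the sample creative are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the publisher expects third-party creatives to load from (constructed allowlist).
ALLOWED_HOSTS = {"ad.doubleclick.net", "static.example-cdn.test"}


class _CreativeScanner(HTMLParser):
    """Collects the elements in an ad creative that can load or link to remote content."""

    def __init__(self):
        super().__init__()
        self.elements = []  # list of (tag, {attribute: value})

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script", "img", "a", "embed", "object"):
            self.elements.append((tag, dict(attrs)))


def _is_hidden(attrs):
    """Zero/one-pixel frames and display:none are typical of injected redirect frames."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    width = (attrs.get("width") or "").strip()
    height = (attrs.get("height") or "").strip()
    tiny = ("0", "1", "0px", "1px")
    return width in tiny or height in tiny


def audit_creative(html, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of (severity, reason, url) findings for one ad creative."""
    scanner = _CreativeScanner()
    scanner.feed(html)
    findings = []
    for tag, attrs in scanner.elements:
        url = attrs.get("src") or attrs.get("href") or attrs.get("data") or ""
        host = urlparse(url).hostname  # None for relative or javascript: URLs
        off_network = bool(host) and host not in allowed_hosts
        if tag == "iframe":
            if _is_hidden(attrs):
                findings.append(("high", "hidden iframe", url))
            elif off_network:
                findings.append(("high", "iframe to unlisted host", url))
        elif off_network:
            findings.append(("medium", f"{tag} loads from unlisted host", url))
        if url.lower().startswith("javascript:"):
            findings.append(("medium", f"{tag} uses javascript: URL", url))
    return findings


# Constructed sample: a legitimate banner followed by an injected zero-size redirect frame.
SAMPLE_CREATIVE = """
<a href="https://ad.doubleclick.net/click?id=123"><img src="https://static.example-cdn.test/banner.gif" width="728" height="90"></a>
<iframe src="http://redirector.invalid/in.cgi?3" width="0" height="0" frameborder="0"></iframe>
"""
```

Run `audit_creative(SAMPLE_CREATIVE)` to see the injected frame reported; anything rated "high" is worth pulling the creative pending review.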