Banner Ads Serving Up MyDoom

A chilling turn in the war against viruses appeared
over the weekend. It looks like viruses are now being
spread unsuspectingly through Web sites via compromised ad
servers.

The SANS Institute Internet Storm Center on Saturday
reported that a ‘high profile UK website’ was among those
that had been hit. On Sunday, The Register
confirmed on a note on its site that, “early on Saturday
morning some banner advertising served for The Register by
third-party ad serving company Falk AG became infected
with the Bofra/IFrame exploit.”

The UK publication suspended all ad serving from the ad
server in question after the problem was discovered. Falk eSolution AG serves
ads to many popular entertainment sites, including NBC
Universal, ATOM Shockwave, The Golf Channel and A&E
Networks.

Security firm LURHQ has reported two additional malicious
payloads that are being deployed across compromised
networks other than Bofra/MyDoom.af.

One of the pieces of malware is called Virtumonde Adware,
which is a browser hijack exploit. Such a hijack essentially takes control of a
compromised Web browser and shows pop-up ads and directs
users to different pages and searches than those they had
intended.

The other is Trojan.Agent.EC, which takes control of a user’s
PC through a back door. The compromised machine can then be used to upload and execute
whatever code the attacker wants.

According to LURHQ, “The sites above are being rotated
frequently and are not just small, unknown sites — one of
the hacked sites included a well-known Hollywood film
studio’s Web site.”

The viruses take advantage of certain
IFRAME vulnerabilities.
One of the exploits used to take advantage of the IFRAME issue involves the latest variant of MyDoom, which is also called Bofra.

The IFRAME exploit that Bofra/MyDoom.af takes advantage
of does not affect users with Windows XP running SP2.

However, users running XP without the latest service
pack upgrade, or running a non-XP Windows OS (such
as Windows 2000) are potentially at risk.