Yahoo Ad Network is Carrying the Malware - BestCyberNews: Online News Presenter in the present world

BestCyberNews: Online News Presenter in the present world

Start knowing

test banner

Breaking

Yahoo Ad Network is Carrying the Malware

Security researchers at Fox IT, a security firm based in the Netherlands say they've detected a malicious exploit kit among Yahoo's ad network active since December 30th. 


On January 3 they are detected and investigated the infection of clients after they visited yahoo.com. Clients visiting yahoo.com received advertisements served by ads.yahoo.com.

Some of the advertisements are malicious. Those malicious advertisements are iframes hosted on the following domains:

  • blistartoncom.org (192.133.137.59), registered on 1 Jan 2014
  • slaptonitkons.net (192.133.137.100), registered on 1 Jan 2014
  • original-filmsonline.com (192.133.137.63)
  • funnyboobsonline.org (192.133.137.247)
  • yagerass.org (192.133.137.56)

Fox IT says the malware exploits Java (not JavaScript) vulnerabilities, being delivered to up to 300,000 users per hour when it was discovered on Friday.

The delivery rate has since tapered off, probably a good sign that Yahoo is working to correct things, though the company hasn't commented yet. If nothing else, this event serves as a reminder that you should really, really disable the outmoded and no-longer-secure Java on your browser. 

Upon visiting the malicious advertisements users get redirected to a “Magnitude” exploit kit via a HTTP redirect to seemingly random subdomains of:

  • boxsdiscussing.net
  • crisisreverse.net
  • limitingbeyond.net
  • and others

This exploit kit exploits vulnerabilities in Java and installs a host of different malware including:

ZeuS
Andromeda
Dorkbot/Ngrbot
Advertisement clicking malware
Tinba/Zusy
Necurs

The malware targeted flaws in the Java programming environment is an important reminder that the software has become a security menace. 


When it was created almost two decades ago, the Java programming language was hailed as a way to make Web sites more interactive. But it has been largely superseded for this purpose by technologies like Flash and JavaScript.

It is not clear which specific group is behind this attack, but the attackers are clearly financially motivated and seem to offer services to other actors. The exploit kit bears similarities to the one used in the brief infection of php.net in October 2013.



Author Venkatesh Yalagandula Follow us Google + and Facebook and Twitter

No comments:

Post a Comment