
By John Leyden, 15th March 2016 17:19

Millions menaced as ransomware-smuggling ads pollute top websites

msn.com, nytimes.com, aol.com et al hit by malware-injecting banners

Top-flight US online publishers are serving up adverts that attempt to install ransomware and other malware on victims' PCs.

Websites visited by millions of people daily – msn.com, nytimes.com, aol.com, nfl.com, theweathernetwork.com, thehill.com, zerohedge.com and more – are accidentally pushing out booby-trapped adverts via ad networks, warn infosec researchers.

The adverts are built around exploit kits which, as the name suggests, are toolkits of code that exploit security vulnerabilities in browsers and plugins to gain control of computers.

Jérôme Segura, a senior security researcher at Malwarebytes, said that the malvertising campaign began slowly before ratcheting up into top gear on Sunday.

“The first couple of days before this campaign went big, we observed a few hits on smaller publishers that were pushing the RIG exploit kit,” Segura blogged. “On Sunday, when the attack really expanded, the Angler exploit kit was then used.”

The Angler EK exploits a recently patched Silverlight vulnerability as well as more standard Flash and JavaScript vulnerabilities in order to push malware onto the Windows PCs of surfers served with tainted ads.

Trend Micro reported on the same attack on Monday. According to the firm, the exploit kit downloads a variant of the Bedep backdoor, which in turn drops a trojan; Trend Micro reckons “tens of thousands of users” have been affected by the attack.

“It's important to note that while these popular sites are involved in the infection process they are, much like infected clients, victim of malvertising,” blogged Trustwave's SpiderLabs Research. “The only 'crime' here is being popular and having high volumes of traffic going through their sites daily.”

SpiderLabs has de-obfuscated the malicious ad code and found that it checks whether any antivirus or security products are installed and, if none are found, pulls in Angler via an HTML iframe.
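One way a publisher's ad-quality pipeline can screen creatives for the iframe hand-off described above, as an added example that is not code from the article or from the researchers it quotes: the allow-listed frame host, the domains and the sample creative are all constructed for this illustration, and the size/visibility heuristics are assumptions about what a hidden frame looks like rather than anything the article states.

```javascript
// Added example (not from the article or the researchers it cites):
// flag hidden iframes in an ad creative's HTML before it is served.
// The allow-list, hostnames and sample creative below are constructed.

const ALLOWED_FRAME_HOSTS = new Set(["ads.publisher.example"]); // hypothetical allow-list

// Collect the attributes of every <iframe ...> tag in the creative.
function extractIframes(html) {
  const tags = html.match(/<iframe\b[^>]*>/gi) || [];
  return tags.map((tag) => {
    const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
    const attrs = {};
    let m;
    while ((m = attrRe.exec(tag)) !== null) {
      attrs[m[1].toLowerCase()] = (m[2] || m[3] || m[4] || "").trim();
    }
    return attrs;
  });
}

// Heuristics (assumed) for a frame the user is not meant to see: zero or
// one-pixel size, display:none / visibility:hidden, or pushed off-screen.
function isHiddenFrame(attrs) {
  const style = (attrs.style || "").toLowerCase().replace(/\s+/g, "");
  const tiny = (v) => v !== undefined && /^(0|1)(px)?$/.test(v);
  if (tiny(attrs.width) || tiny(attrs.height)) return true;
  if (/display:none|visibility:hidden/.test(style)) return true;
  if (/(^|;)(width|height):(0|1)px/.test(style)) return true;
  if (/(^|;)(left|top):-\d+px/.test(style)) return true;
  return false;
}

// Resolve the frame's src against the (constructed) publisher origin.
function frameHost(src) {
  try {
    return new URL(src, "https://publisher.example/").hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// One finding per hidden iframe that points outside the allow-list.
function scanCreative(html, allowed = ALLOWED_FRAME_HOSTS) {
  const findings = [];
  for (const attrs of extractIframes(html)) {
    if (!isHiddenFrame(attrs)) continue;
    const host = frameHost(attrs.src || "");
    if (host && allowed.has(host)) continue;
    findings.push({
      src: attrs.src || "",
      host,
      reason: "hidden iframe to non-allow-listed host",
    });
  }
  return findings;
}

// Constructed sample creative: one legitimate visible frame, one hidden 1x1
// frame to an unknown host (the shape the researchers describe).
const SAMPLE_CREATIVE = `
<div class="ad">
  <iframe src="https://ads.publisher.example/banner?id=42" width="300" height="250"></iframe>
  <iframe src="http://lander.third-party.invalid/index.php" width="1" height="1"
          style="position:absolute; left:-9999px"></iframe>
</div>`;

console.log(JSON.stringify(scanCreative(SAMPLE_CREATIVE), null, 2));
```

The check is deliberately narrow: it only rejects frames that are both hidden and pointed somewhere the publisher has not approved, so ordinary visible ad frames and the publisher's own tracking frames pass. Because the malicious creative in this campaign first fingerprinted the client and only then injected the frame, a static scan of the delivered markup catches the simple case; the script that builds the iframe at runtime would need to be exercised in an instrumented browser to see the same thing.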

Patching regularly, uninstalling Silverlight, or setting plugins such as Flash to click-to-play will defend against attacks from dodgy banner adverts. ®
