By John Leyden, 15th March 2016 17:19

Millions menaced as ransomware-smuggling ads pollute top websites,, et al hit by malware-injecting banners

Top-flight US online publishers are serving up adverts that attempt to install ransomware and other malware on victims' PCs.

Websites visited by millions of people daily –,,,,,, and more – are accidentally pushing out booby-trapped adverts via ad networks, warn infosec researchers.

The adverts are built from exploit kits, which, as the name suggests, are toolkits of code that exploit security vulnerabilities in browsers and plugins to gain control of computers.

Jérôme Segura, a senior security researcher at Malwarebytes, said that the malvertising campaign began slowly before ratcheting up into top gear on Sunday.

"The first couple of days before this campaign went big, we observed a few hits on smaller publishers that were pushing the RIG exploit kit," Segura blogged. "On Sunday, when the attack really expanded, the Angler exploit kit was then used."

The Angler EK exploits a recently patched Silverlight vulnerability as well as more standard Flash and JavaScript vulnerabilities in order to push malware onto the Windows PCs of surfers served with tainted ads.

Trend Micro reported on the same attack on Monday. The exploit kit downloads a variant of the Bedep backdoor which, in turn, drops a trojan, according to Trend Micro, which reckons "tens of thousands of users" have been affected by the attack.

"It's important to note that while these popular sites are involved in the infection process they are, much like infected clients, victims of malvertising," blogged Trustwave's SpiderLabs Research. "The only 'crime' here is being popular and having high volumes of traffic going through their sites daily."

SpiderLabs has de-obfuscated the malware's code and found that it checks to see if any antivirus and security products are installed; if not, it pulls in Angler using an HTML iframe.

Patching regularly, uninstalling Silverlight, or setting plugins such as Flash to click-to-play will defend against attacks from dodgy banner adverts. ®
