Rise in malicious advertising detected by ScanSafe as Adobe and Microsoft vulnerabilities exploited

A large rise in malicious advertising has been detected with Trojans exploiting PDF vulnerability.

Following the news about the New York Times being hit by a malicious advert that directed users to install fake anti-virus software two weeks ago, ScanSafe has detected a large number of infections of multiple sites.

Mary Landesman, senior security researcher at ScanSafe, claimed that between the 19th and 21st September, malicious banner ads were served via multiple popular sites, including drudgereport.com, lyrics.com, horoscope.com and slacker.com. These advertisements delivered a Trojan downloader using a variety of Adobe PDF and the Microsoft ActiveX DirectShow exploits.

It claimed that detection is quite low with only three out of 41 scanners detecting the malicious PDF. Landesman said: “The malware attempts to download additional Trojans via the web. The malware also includes the ability to intercept and tamper with a user's searches, including the ability to redirect them to websites other than they expected which can lead to further malware infestation.”

She also claimed that a variety of malware domains were used in the attack, as the domains were initially registered on 19th and 20th September, and abruptly ceased operation on 22nd September.

Landesman said: “The characteristics of the domains, including the naming conventions used and the abrupt cessation, point to the likelihood that these domains were registered via free dynamic, virtual DNS hosts.

“These hosts are particularly attractive to attackers, as they enable the attacker to correlate the domain name of their choosing with a specific IP address - and at no cost. It also enables the attackers to dynamically change this correlation repeatedly over the course of an attack.”

Landesman claimed that attackers are now using online advertisements for the same reasons that a legitimate company would do so, as if they can infiltrate an advertising network, it enables them to reach a broad number of websites within a chosen category.

“This provides the attacker with the same return on investment that it would a legitimate advertiser – broad exposure to the audience of their choosing. And since today's malware is criminally profit-motivated, the merging of malware with advertising is a natural fit,” said Landesman.

“Today's attackers typically dynamically generate the delivered PDF files on the fly, employing various algorithms/filters that cause just enough unique changes to the original such that signature detection is unable to detect it.”

Sign up to our newsletters