Malware served through Yahoo advertisements

Dutch security firm Fox IT discovered an ongoing malware-based attack that hit thousands of Yahoo users via malicious ads. Users are alerted.

Since the December 30th Yahoo website is proposing a malicious ad that was serving a malware, the discovery was made by Dutch security firm Fox IT.

Visitors to the Yahoo website see the advertisements served up by ads.yahoo.com, but unfortunately hackers have exploitined it to serve malicious contents.

It is still unknown who is behind the attack, but the hackers are clearly financially motivated, according other investigator probably they are offering services to other criminal gangs selling victim’s credential on the black market  or renting infected host controlled by them.

Of course the impact of malware-based attacks via a so popular portal is considerable serious, Fox IT estimated that the website used for the attack was receiving nearly 300,000 visits per hour, visitors most affected are located in Romania, Great Britain and France.

“Given a typical infection rate of 9% this would result in around 27.000 infections every hour.”

The post on Fox IT reports that “Those malicious advertisements are iframes hosted on the following domains”:

• blistartoncom.org (192.133.137.59), registered on 1 Jan 2014
• slaptonitkons.net (192.133.137.100), registered on 1 Jan 2014
• original-filmsonline.com (192.133.137.63)
• funnyboobsonline.org (192.133.137.247)
• yagerass.org (192.133.137.56)

Upon visiting the malicious advertisements users get redirected to a “Magnitude” exploit kit via a HTTP redirect to seemingly random subdomains of:

• boxsdiscussing.net
• crisisreverse.net
• limitingbeyond.net
• and others

“All those domains are served from a single IP address: 193.169.245.78. This IP-address appears to be hosted in the Netherlands.” states Fox IT.

Magnitude exploit kit was very common, it was used for the recent attacks against PHP.net website and against the on-demand Internet streaming media NetFlix.

Magnitude kit exploits vulnerabilities in Java and serve on the victim’s machine any kind of malware including:

• ZeuS
• Andromeda
• Dorkbot/Ngrbot
• Advertisement clicking malware
• Tinba/Zusy
• Necurs

Yahoo is aware of the ongoing malware attack and is taking necessary countermeasures to stop it in fact traffic to the server hosting the malicious exploit is decreasing since Friday evening. The hope is that Yahoo in the future will be able to protect the entire data flaw also related to third parties sites that propose ads through its channel. Meantime users need to keep their systems updated and install defense mechanisms, only following this couple of suggestions they could reduce the risk to be infected by a malware.

Pierluigi Paganini

(Security Affairs – malware, Yahoo ads)