Security researchers at Fox IT, a security firm based in the Netherlands, say they've detected a malicious exploit kit on Yahoo's ad network, active since December 30th.
On January 3 they detected and investigated infections of clients that had visited yahoo.com. Clients visiting yahoo.com received advertisements served by ads.yahoo.com.
Some of the advertisements are malicious. Those malicious advertisements are iframes hosted on the following domains:
- blistartoncom.org (192.133.137.59), registered on 1 Jan 2014
- slaptonitkons.net (192.133.137.100), registered on 1 Jan 2014
- original-filmsonline.com (192.133.137.63)
- funnyboobsonline.org (192.133.137.247)
- yagerass.org (192.133.137.56)
Fox IT says the malware exploits Java (not JavaScript) vulnerabilities, and was being delivered to up to 300,000 users per hour when it was discovered on Friday.
The delivery rate has since tapered off, probably a good sign that Yahoo is working to correct things, though the company hasn't commented yet. If nothing else, this event serves as a reminder that you should really, really disable the outmoded and no-longer-secure Java on your browser.
Upon visiting the malicious advertisements, users get redirected to a “Magnitude” exploit kit via an HTTP redirect to seemingly random subdomains of:
- boxsdiscussing.net
- crisisreverse.net
- limitingbeyond.net
- and others
This exploit kit exploits vulnerabilities in Java and installs a host of different malware including:
- ZeuS
- Andromeda
- Dorkbot/Ngrbot
- Advertisement clicking malware
- Tinba/Zusy
- Necurs
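The infection chain above (ads.yahoo.com serves an iframe from one of the listed hosts, which redirects to a random subdomain of a Magnitude redirector domain, which then serves the Java exploit) is the kind of pattern a defender can hunt for in web-proxy logs. The script below is an added example, not code from the original article or from Fox IT. It uses only the indicators the article lists; the proxy log format and the sample log lines are constructed for this example, and treating the whole 192.133.137.0/24 range as suspect (rather than only the five listed addresses) is an assumption of this example, not a claim from the article.

```python
"""Hunt for the Yahoo malvertising / Magnitude redirect chain in proxy logs.

Added example (not part of the original article). Indicators come from the
article; the log format, sample lines and the /24 generalisation are
constructed assumptions for this example.
"""
import ipaddress
import re

# Iframe-hosting domains named in the article.
IFRAME_DOMAINS = {
    "blistartoncom.org",
    "slaptonitkons.net",
    "original-filmsonline.com",
    "funnyboobsonline.org",
    "yagerass.org",
}
# Every listed iframe host sits in this /24; flagging the whole range is an
# assumption of this example (the article only lists individual addresses).
IFRAME_NET = ipaddress.ip_network("192.133.137.0/24")
# Magnitude redirector domains; the kit used seemingly random subdomains of these.
REDIRECTOR_DOMAINS = {"boxsdiscussing.net", "crisisreverse.net", "limitingbeyond.net"}

# Constructed proxy log format: timestamp client status dest_ip host path referrer
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<status>\d{3}) (?P<dst_ip>\S+) "
    r"(?P<host>\S+) (?P<path>\S+) (?P<referrer>\S+)$"
)

# Constructed sample log: one client walks the full chain, one is clean,
# one only touches the suspect /24. Non-indicator IPs are TEST-NET addresses.
SAMPLE_LOG = [
    "2014-01-03T10:00:01Z 10.0.0.5 200 203.0.113.1 www.yahoo.com / -",
    "2014-01-03T10:00:02Z 10.0.0.5 200 203.0.113.2 ads.yahoo.com /ad?id=1 http://www.yahoo.com/",
    "2014-01-03T10:00:02Z 10.0.0.5 200 192.133.137.59 blistartoncom.org /ad.html http://ads.yahoo.com/",
    "2014-01-03T10:00:03Z 10.0.0.5 302 192.133.137.59 blistartoncom.org /go http://blistartoncom.org/ad.html",
    "2014-01-03T10:00:03Z 10.0.0.5 200 203.0.113.7 a8f2k.boxsdiscussing.net /index.php http://blistartoncom.org/go",
    "2014-01-03T10:00:04Z 10.0.0.5 200 203.0.113.7 a8f2k.boxsdiscussing.net /app.jar http://a8f2k.boxsdiscussing.net/index.php",
    "2014-01-03T10:05:00Z 10.0.0.9 200 203.0.113.9 example.com / -",
    "2014-01-03T10:06:00Z 10.0.0.12 200 192.133.137.200 unknownhost.example /x -",
]


def parent_domain_of(host, domains):
    """Return the indicator domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def classify(rec):
    """Return (indicator_type, indicator) hits for one parsed log record."""
    hits = []
    if parent_domain_of(rec["host"], IFRAME_DOMAINS):
        hits.append(("iframe-host", rec["host"].lower()))
    try:
        if ipaddress.ip_address(rec["dst_ip"]) in IFRAME_NET:
            hits.append(("iframe-net", rec["dst_ip"]))
    except ValueError:  # malformed or non-IP field: skip the network check
        pass
    parent = parent_domain_of(rec["host"], REDIRECTOR_DOMAINS)
    if parent:
        hits.append(("magnitude-redirector", parent))
    return hits


def scan(lines):
    """Parse log lines and return {client: [hits...]} for clients with any hit."""
    findings = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the (constructed) format
        rec = m.groupdict()
        hits = classify(rec)
        if hits:
            findings.setdefault(rec["client"], []).extend(hits)
    return findings


def full_chain_clients(findings):
    """Clients that reached both an iframe host and a redirector: highest priority."""
    out = set()
    for client, hits in findings.items():
        kinds = {kind for kind, _ in hits}
        if "iframe-host" in kinds and "magnitude-redirector" in kinds:
            out.add(client)
    return out


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for client, hits in sorted(found.items()):
        print(client, sorted(set(hits)))
    print("full chain observed for:", sorted(full_chain_clients(found)))
```

A client that only touched the /24 is worth a look but is a weaker signal than one whose traffic shows the iframe host followed by a redirector subdomain; the Java download at the end of the chain is the point at which host-based telemetry (a Java process launched by the browser) should be checked as well.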
That the malware targeted flaws in the Java programming environment is an important reminder that the software has become a security menace.
When it was created almost two decades ago, the Java programming language was hailed as a way to make Web sites more interactive. But it has been largely superseded for this purpose by technologies like Flash and JavaScript.
It is not clear which specific group is behind this attack, but the attackers are clearly financially motivated and seem to offer services to other actors. The exploit kit bears similarities to the one used in the brief infection of php.net in October 2013.