Banner Ads Serving Up MyDoom By Sean Michael Kerner http://www.internetnews.com/security/article.php/3439011
A chilling turn in the war against viruses appeared over the weekend. It looks like viruses are now being spread unsuspectingly through Web sites via compromised ad servers. The SANS Institute Internet Storm Center on Saturday reported that a 'high profile UK website' was among those that had been hit. On Sunday, The Register confirmed on a note on its site that, "early on Saturday morning some banner advertising served for The Register by third-party ad serving company Falk AG became infected with the Bofra/IFrame exploit." The UK publication suspended all ad serving from the ad server in question after the problem was discovered. Falk eSolution AG serves ads to many popular entertainment sites, including NBC Universal, ATOM Shockwave, The Golf Channel and A&E Networks. Security firm LURHQ has reported two additional malicious payloads that are being deployed across compromised networks other than Bofra/MyDoom.af. One of the pieces of malware is called Virtumonde Adware, which is a browser hijack exploit. Such a hijack essentially takes control of a compromised Web browser and shows pop-up ads and directs users to different pages and searches than those they had intended. The other is Trojan.Agent.EC, which takes control of a user's PC through a back door. The compromised machine can then be used to upload and execute whatever code the attacker wants. According to LURHQ, "The sites above are being rotated frequently and are not just small, unknown sites -- one of the hacked sites included a well-known Hollywood film studio's Web site." The viruses take advantage of certain IFRAME vulnerabilities. One of the exploits used to take advantage of the IFRAME issue involves the latest variant of MyDoom, which is also called Bofra. The IFRAME exploit that Bofra/MyDoom.af takes advantage of does not affect users with Windows XP running SP2. However, users running XP without the latest service pack upgrade, or running a non-XP Windows OS (such as Windows 2000) are potentially at risk. You are a subscribed member of the infowarrior list. Visit www.infowarrior.org for list information or to unsubscribe. This message may be redistributed freely in its entirety. Any and all copyrights appearing in list messages are maintained by their respective owners.
