The infected ad, for a company named DeckOutYourDeck.com, has been found by security researchers to be running on several popular networking and file-sharing sites, ideal trolling grounds for the often-innocent “lure” sites used by exploit distribution networks to acquire new victims. The DeckOutYourDeck.com site itself is clean; only the ad was being used as an infection vector.
The exploit takes advantage of a Windows Metafile vulnerability that was first identified in December of last year. According to the exploit’s originating distribution server in Russia, the ad’s silent payload of adware has been deposited onto more than a million computers.
“Microsoft issued a patch for this exploit in early January, but clearly there are many unpatched machines out there,” said Roger Thompson, CTO of Exploit Prevention Labs. “This level of infection from a relatively old exploit shows how important it is for users to protect their systems. It’s one of the key reasons we developed SocketShield — to provide an effective, proactive defense against drive-by downloads and other exploit-driven infections until users get around to patching.”