Between Sep 19 and Sep 21, ScanSafe identified malicious banner ads served via multiple popular sites, including drudgereport.com, lyrics.com, horoscope.com and slacker.com. The ads delivered a trojan downloader using a variety of Adobe PDF exploits as well as the Microsoft ActiveX DirectShow exploit described in MS09-032. Detection of the malicious PDF is quite low: only 3 of 41 scanners detect it.
Today’s attackers typically generate the delivered PDF files on the fly, applying various compression algorithms and stream filters that change just enough bytes of the original that signature-based detection no longer matches. ScanSafe Outbreak Intelligence uses a specialized PDF parser that breaks the file down into its components and decodes each stream, which lets it detect the exploits contained within the PDF regardless of the compression or encoding used.
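To make the point concrete, here is an added example (not ScanSafe's parser, and not code from the original post) that does the same thing on a small scale: it pulls each stream object out of a PDF, applies the filters named in its /Filter entry, and only then looks for indicators in the decoded content. The PDF layout, the filter chains, the inert JavaScript payload and the two indicator strings are all constructed for the demo; the payload is deliberately harmless and stands in for whatever action script an attacker would embed.

```python
import binascii, hashlib, re, zlib

# Constructed, inert stand-in for an action script (not the campaign's payload).
JS_PAYLOAD = b'var x = unescape("%u4141%u4141"); eval("x.length");'
# Assumed, illustrative indicators; a real scanner carries far richer logic.
INDICATORS = (b"unescape(", b"eval(")


def encode_stream(data, decode_filters, level=6):
    """/Filter lists filters in decode order, so encoders run in reverse."""
    for name in reversed(decode_filters):
        if name == "FlateDecode":
            data = zlib.compress(data, level)
        elif name == "ASCIIHexDecode":
            data = binascii.hexlify(data) + b">"   # '>' is the hex EOD marker
        else:
            raise ValueError(f"unsupported filter {name}")
    return data


def build_pdf(js, decode_filters, level=6):
    """Minimal PDF (no xref table) whose OpenAction runs `js` from stream 5."""
    body = encode_stream(js, decode_filters, level)
    filt = b"[" + b" ".join(b"/" + f.encode() for f in decode_filters) + b"]"
    head = (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
            b"4 0 obj << /S /JavaScript /JS 5 0 R >> endobj\n"
            b"5 0 obj << /Length " + str(len(body)).encode() + b" /Filter " + filt + b" >>\nstream\n")
    return head + body + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"


# A stream object's dictionary followed by the 'stream' keyword; the tempered dot
# stops at 'endobj' so one object's dictionary cannot swallow the next object.
STREAM_RE = re.compile(rb"obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n", re.DOTALL)


def stream_filters(dict_bytes):
    """/Filter names in decode order; accepts both /Name and [/A /B] forms."""
    m = re.search(rb"/Filter\s*(\[[^\]]*\]|/\w+)", dict_bytes)
    return [n.decode() for n in re.findall(rb"/(\w+)", m.group(1))] if m else []


def apply_filter(name, data):
    """Decode one standard filter (/DecodeParms such as PNG predictors are not handled)."""
    if name == "FlateDecode":
        return zlib.decompress(data)
    if name == "ASCIIHexDecode":
        hexdata = re.sub(rb"\s+", b"", data.split(b">", 1)[0])
        return binascii.unhexlify(hexdata + b"0" if len(hexdata) % 2 else hexdata)
    raise ValueError(f"unsupported filter {name}")


def extract_streams(pdf):
    """Yield (filters, raw_bytes, decoded_bytes) for every stream object in `pdf`."""
    for m in STREAM_RE.finditer(pdf):
        dict_bytes, start = m.group(1), m.end()
        # Direct /Length N only; an indirect "N 0 R" length falls back to an endstream search.
        length = re.search(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)", dict_bytes)
        end = start + int(length.group(1)) if length else pdf.find(b"endstream", start)
        raw = decoded = pdf[start:end]
        filters = stream_filters(dict_bytes)
        for name in filters:
            decoded = apply_filter(name, decoded)
        yield filters, raw, decoded


def scan(pdf):
    """Per stream: (filters, sha1 of raw bytes, sha1 of decoded bytes, indicators hit)."""
    return [(f, hashlib.sha1(raw).hexdigest(), hashlib.sha1(dec).hexdigest(),
             [i.decode() for i in INDICATORS if i in dec])
            for f, raw, dec in extract_streams(pdf)]


# Four re-encodings of one payload: each changes the raw bytes a file-level
# signature sees, none changes the decoded script.
VARIANTS = {"flate-level1": (["FlateDecode"], 1),
            "flate-level9": (["FlateDecode"], 9),
            "hex+flate": (["ASCIIHexDecode", "FlateDecode"], 6),
            "hex-only": (["ASCIIHexDecode"], 6)}


def compare_variants():
    """Return (distinct raw hashes, distinct decoded hashes, {variant: hits})."""
    raw_hashes, decoded_hashes, hits = set(), set(), {}
    for name, (filters, level) in VARIANTS.items():
        [(_, raw_h, dec_h, found)] = scan(build_pdf(JS_PAYLOAD, filters, level))
        raw_hashes.add(raw_h)
        decoded_hashes.add(dec_h)
        hits[name] = found
    return len(raw_hashes), len(decoded_hashes), hits


if __name__ == "__main__":
    n_raw, n_dec, hits = compare_variants()
    print(f"{n_raw} distinct raw stream hashes, {n_dec} distinct decoded hash: {hits}")
```

Running it shows four different raw stream hashes (even the two Flate variants differ, because the zlib header records the compression level) but a single decoded hash, and the indicators fire on every variant. A signature over the raw file would need one entry per encoding; a signature over the decoded stream needs one. The parser is deliberately minimal: it ignores object streams, cross-reference streams, indirect /Length values and /DecodeParms predictors, all of which a production parser has to handle because attackers use them for exactly the same reason.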
PDF exploits were the most commonly encountered exploit via the Web in 2008 and continue to be the most prominently encountered exploit in 2009. This is due to a number of factors, including a large number of exploits for Adobe Reader/Acrobat, the ubiquitous use of PDF via the Web, and its ready integration into the browser. With dynamically constructed PDFs so easily able to bypass signature scanning, the combination has proved lethal for Web surfers.
The malware is a variant of Win32/Alureon, which attempts to download additional trojans via the Web. The malware also includes the ability to intercept and tamper with a user’s searches, including redirecting them to websites other than those they expected, which can lead to further malware infestation.
A variety of malware domains were used in the attack. The domains were initially registered on Sep 19th and 20th, and abruptly ceased operation on Sep 22. The characteristics of the domains, including the naming conventions used and the abrupt cessation, suggest that these domains were registered via free dynamic DNS hosts.
These hosts are particularly attractive to attackers, as they let the attacker map a domain name of their choosing to a specific IP address. They also let the attacker change this mapping at will, so it is likely the same malicious ads will soon be served again, perhaps via the same legitimate websites, with new malware hosts delivering the exploits and trojan.
The domain names all followed the same convention: 3 random letters for the sub-domain, followed by 6-8 random letters for the primary domain, followed by .net. For example, ‘tqq.qyewea.net’, ‘wio.lkveoa.net’, ‘nzs.dtiuooa.net’, ‘zto.hvloqew.net’, etc.
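A naming convention this regular is easy to turn into a hunting rule. The following is an added example, not ScanSafe's detection logic, that encodes the pattern as a regular expression and runs it over a constructed proxy log; the log lines, the client addresses and the list of common labels to exclude are all assumptions made for the demo. The exclusion list matters because "www" is itself a three-letter label, so a bare pattern would flag every www.<6-8 letters>.net site.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Convention described in the post: three-letter host label, six-to-eight-letter
# second-level label, .net.  Hostnames are case-folded before matching.
CONVENTION = re.compile(r"^(?P<sub>[a-z]{3})\.(?P<dom>[a-z]{6,8})\.net$")

# Assumed: everyday three-letter labels that would otherwise match (www.example.net).
COMMON_LABELS = {"www", "ftp", "ns1", "ns2", "cdn", "api", "img", "ads"}


def matches_convention(host: str) -> bool:
    """True if `host` fits the campaign's pattern and its first label is not a common one."""
    m = CONVENTION.match(host.lower().rstrip("."))
    return bool(m) and m.group("sub") not in COMMON_LABELS


# Constructed proxy log: timestamp, client IP, method, URL, status.  The four
# hostnames from the post are mixed with benign decoys and near misses.
PROXY_LOG = """\
2009-09-20T10:01:02Z 10.1.2.3 GET http://tqq.qyewea.net/in.cgi?3 200
2009-09-20T10:01:05Z 10.1.2.3 GET http://www.example.net/index.html 200
2009-09-20T10:02:11Z 10.1.2.9 GET http://wio.lkveoa.net/load.php 200
2009-09-20T10:03:40Z 10.1.2.9 GET http://cdn.example.com/ad.js 200
2009-09-20T10:04:01Z 10.1.2.3 GET http://nzs.dtiuooa.net/x.pdf 200
2009-09-20T10:05:00Z 10.1.2.7 GET http://ZTO.hvloqew.net/load.exe 200
2009-09-20T10:05:30Z 10.1.2.7 GET http://www.abcdefg.net/ 200
2009-09-20T10:06:12Z 10.1.2.7 GET http://ab.qyewea.net/ 200
2009-09-20T10:06:40Z 10.1.2.9 GET http://tqq.qyewea.net/load.exe 200
"""


def suspicious_hosts(log_text: str):
    """Map each hostname matching the convention to the set of clients that contacted it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:          # skip blank or malformed lines
            continue
        _, client, _, url, _ = fields
        host = urlsplit(url).hostname or ""   # .hostname is already lower-cased
        if matches_convention(host):
            hits[host].add(client)
    return dict(hits)


if __name__ == "__main__":
    for host, clients in sorted(suspicious_hosts(PROXY_LOG).items()):
        print(f"{host:20s} {len(clients)} client(s): {', '.join(sorted(clients))}")
```

On the constructed log this returns the four campaign hostnames and nothing else: www.abcdefg.net is dropped by the label list, cdn.example.com by the TLD, and ab.qyewea.net by the label length. The match is a weak indicator on its own, since attackers can change the convention as easily as they change the DNS mapping, so in practice it belongs alongside the other signals the post mentions, such as very recent registration and the hosts going dark within days.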
Similarly styled attacks have been occurring since late July. Characteristics indicate these attacks are likely the work of the same person or group of persons.
In this latest wave, the attackers appear to have successfully infiltrated multiple legitimate advertising networks, which subsequently enabled the malware to be delivered via mainstream, popular websites. Ad networks which appear to have distributed the malicious advertisements include doubleclick, yieldmanager, and fastclick.