OpenX ads leading to malware c/o 'BlackAdvertsPro'

Filed Under: Featured, Malware, SophosLabs

In recent weeks I have seen a number of ad servers running OpenX that have been compromised by attackers. In this blog post, I want to describe some attacks that I looked at this morning.

The starting point for these attacks is the legitimate site that loads the OpenX ad content. This is normally done by an iframe element embedded in the page:

When the page loads, this iframe element causes the browser to request the content from the ad server. Ordinarily, this content would just contain the relevant ads, but when the ad server has been compromised, it also contains a malicious JavaScript (highlighted with yellow background):

As you can see, the purpose of the malicious script is to add another iframe element to the page. Sophos products block this script as Troj/JSRedir-EF. This loads content from the traffic directing server (TDS), which appears to come from a group calling themselves 'BlackAdvertsPro'. This page contains yet another iframe element:

This iframe points to an exploit site, which proceeds to exploit client vulnerabilities and infect the user with malware.

I have not encountered them before, but I am going to speculate that 'BlackAdvertsPro' are some group that are in the business of compromising sites in order to direct web traffic to their TDS servers. They can they sell this traffic to others running exploit sites.

In one of the attacks I investigated this morning, my traffic was bounced on to an exploit site targeting Java vulnerabilities, with a simple landing page consisting of just an applet element:

Sophos products block this exploit site as Mal/ExpJS-AF. The Java content loaded exploited vulnerabilities to infect the machine with scareware, in this case Smart Fortress 2012:

Interestingly, 'BlackAdvertsPro' seem to be tracking IP addresses hitting their TDS servers. If you hit the site again, the iframe is modified to point to a clean site (Twitter, Statbrain etc).

This supports the theory that they are selling the traffic to others running the exploit sites. (Attackers have no interest in paying for the same machine getting redirected to their exploit site multiple times.)

This is not the first time that compromised OpenX ad servers have been used to infect users with malware. Poisoning ad content is a powerful way of controlling high volumes of web traffic, so very attractive for attackers.

The bottom line for site admins is that *any* content that their site loads from a 3rd party presents a risk. If the 3rd party gets hacked, then it is your site that ends up serving up malicious code, and redirecting your users to malicious sites.

Original OpenX logo courtesy of OpenX.

, , , ,

You might like

6 Responses to OpenX ads leading to malware c/o 'BlackAdvertsPro'

  1. http://xxx/showthread.php?t=xxx
    is the exploit site hosting incognition kit.
    The guys behind only use Java exploit now and there is no obfuscation. Quite interesting behavior.

    • Fraser Howard · 847 days ago

      Interesting, thanks! If this is Incognito then the landing page is quite different from previous versions (which had lots of obfu JS strings within HTML elements in the page).

  2. Lori G. · 847 days ago

    If you define the term "user" in this article to mean the general public's Internet users, perhaps you could cite an example of how it works so that the uninitiated might better understand how to avoid getting hit.

    For instance, could I be infected by clicking on an advertisement on Facebook pages?

    • Fraser Howard · 846 days ago

      Actually the situation is worse than that. There is no requirement for an individual to actually click on the affected ads within the page. Because the ads have been infected with malicious JavaScript, just viewing the web page that contains the ads is enough for you to get infected.

      There is no way you can "manually" avoid web pages that contain these infected ads. All you can do is ensure you have decent security to provide you with the layered protection you get from URL/IP filtering and content inspection. (Recent mainstream browsers will typically include some URL filtering capabilities which can help home users.)

  3. Dario · 796 days ago

    But why don't they clean their server?
    The code is still there, loaded by their open marketer iframe (from d1.openx.org) in the admin dashboard. Check it out:
    1) Login with chrome (enable the dashboard if its diabled), press F12 to open the devel tools, reload the dashboard
    2) Select resources tab and search for the word blackdomaingood . You’ll see the same iframe technique you are describing in your post.
    3) As you can see in the left pane, that iframe is loaded from afr.php which is served by d1.openx.org ( point the mouse on the folder above the file ).

  4. jay · 786 days ago

    Is there a sample website I could check, I need to prove that our java needs patching.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Fraser is one of the Principal Virus Researchers in SophosLabs. He has been working for Sophos since 2006, and his main interest is in web related threats.