Adservers compromised in latest Zbot push

As we have commented before [2] when content served up from adservers is compromised, the effects can be far reaching, potentially exposing huge numbers of victims to the malicious code as they innocently browse legitimate sites. The problem is further complicated by the fact that legitimate ad content is often heavily obfuscated, in order to evade ad-blocking technology [3].

During the latter half of this week we have seen a whole batch of compromised adservers injected with malicious JavaScript to silently load malicious content from a remote site. A significant number of popular sites that load ads content from these servers have therefore been affected by this attack.

The injected malicious JavaScript can be seen at the top of the ads content:

Adstreams compromised in this way are being blocked by Sophos products as Mal/Iframe-F.

Readers may recognise the target domain, masquerading as a legitimate Google Analytics site. It was mentioned in the ISC handlers diary yesterday [4].

So what happens when the compromised ads are loaded by the browser?

  • 301 redirect from google-analitics dot net to a salefale dot com subdomain.
  • malicious script (detected as Mal/ObfJS-BP) which attempts to load further malicious Flash (Troj/SWFExp-N), Java (Troj/Clsldr-U) and PDF (Troj/PDFJs-B) content in order to deliver the payload.
  • payloads seen thus far have been Zbot (detected as Troj/Zbot-MU) and Bredo (detected as Mal/Bredo-E).

It would appear that salefale dot com is now inactive, though we can expect the attack to simply move to new sites.