As we have commented before, when content served up from adservers is compromised, the effects can be far reaching, potentially exposing huge numbers of victims to the malicious code as they innocently browse legitimate sites. The problem is further complicated by the fact that legitimate ad content is often heavily obfuscated in order to evade ad-blocking technology, which makes the malicious additions harder to pick out.
Adstreams compromised in this way are being blocked by Sophos products as Mal/Iframe-F.
Readers may recognise the target domain, masquerading as a legitimate Google Analytics site. It was mentioned in the ISC handlers diary yesterday.
So what happens when the compromised ads are loaded by the browser?
- 301 redirect from google-analitics dot net to a salefale dot com subdomain.
- malicious script (detected as Mal/ObfJS-BP) which attempts to load further malicious Flash (Troj/SWFExp-N), Java (Troj/Clsldr-U) and PDF (Troj/PDFJs-B) content in order to deliver the payload.
- payloads seen thus far have been Zbot (detected as Troj/Zbot-MU) and Bredo (detected as Mal/Bredo-E).
It would appear that salefale dot com is now inactive, though we can expect the attack to simply move to new sites.
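As an added defensive illustration (not code from the original post), the following Python flags the chain above in constructed proxy-log lines: a 301 from a host imitating google-analytics.com, followed by the same client fetching Flash, Java or PDF content from the redirect target's domain. The log format, client addresses, sample URLs and the edit-distance threshold are assumptions.

```python
import re
from collections import defaultdict

LEGIT_HOST, LEGIT_LABEL = "google-analytics.com", "google-analytics"
EXPLOIT_EXT = (".swf", ".jar", ".pdf")  # Flash, Java and PDF loaders named above
# Assumed proxy log format: "<client> <status> <url>[ -> <redirect target>]"
LINE_RE = re.compile(r"^(\S+) (\d{3}) (\S+)(?: -> (\S+))?$")

def levenshtein(a, b):
    # Edit distance, used to spot typosquats of the google-analytics label.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(url):
    return re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].lower()

def registered_domain(host):
    return ".".join(host.split(".")[-2:])  # naive: no public-suffix handling

def is_lookalike(host):
    """True for hosts imitating google-analytics.com that are not actually it."""
    if host == LEGIT_HOST or host.endswith("." + LEGIT_HOST):
        return False
    return levenshtein(registered_domain(host).split(".")[0], LEGIT_LABEL) <= 2

def detect_chain(lines):
    """Return (client, lookalike host, redirect target, exploit url) tuples."""
    redirected = defaultdict(dict)  # client -> target domain -> (lookalike, target)
    alerts = []
    for m in filter(None, map(LINE_RE.match, lines)):
        client, status, url, target = m.groups()
        host = host_of(url)
        if status in ("301", "302") and target and is_lookalike(host):
            redirected[client][registered_domain(host_of(target))] = (host, target)
        elif url.lower().endswith(EXPLOIT_EXT) and registered_domain(host) in redirected[client]:
            alerts.append((client,) + redirected[client][registered_domain(host)] + (url,))
    return alerts

SAMPLE_LOG = [  # constructed traffic following the chain described in the post
    "10.0.0.5 301 http://google-analitics.net/ga.js -> http://x1.salefale.com/in.php",
    "10.0.0.5 200 http://x1.salefale.com/load.swf",
    "10.0.0.5 200 http://x1.salefale.com/load.pdf",
    "10.0.0.9 200 http://www.google-analytics.com/ga.js",
]
```

Running `detect_chain(SAMPLE_LOG)` reports the two exploit fetches by the redirected client and nothing for the client that loaded the genuine Google Analytics script.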