Adservers compromised in latest Zbot push

Filed Under: SophosLabs

As we have commented before [2], when content served up from adservers is compromised the effects can be far reaching, potentially exposing huge numbers of victims to the malicious code as they innocently browse legitimate sites. The problem is further complicated by the fact that legitimate ad content is often heavily obfuscated in order to evade ad-blocking technology [3].

During the latter half of this week we have seen a whole batch of compromised adservers injected with malicious JavaScript to silently load malicious content from a remote site. A significant number of popular sites that load ads content from these servers have therefore been affected by this attack.

The injected malicious JavaScript can be seen at the top of the ad content:

Adstreams compromised in this way are being blocked by Sophos products as Mal/Iframe-F.

Readers may recognise the target domain, masquerading as a legitimate Google Analytics site. It was mentioned in the ISC handlers diary yesterday [4].

So what happens when the compromised ads are loaded by the browser?

  • A 301 redirect from google-analitics dot net to a salefale dot com subdomain.
  • A malicious script (detected as Mal/ObfJS-BP) which attempts to load further malicious Flash (Troj/SWFExp-N), Java (Troj/Clsldr-U) and PDF (Troj/PDFJs-B) content in order to deliver the payload.
  • Payloads seen thus far have been Zbot (detected as Troj/Zbot-MU) and Bredo (detected as Mal/Bredo-E).
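Two of the indicators above, an injected remote loader pointing at a look-alike of a trusted analytics domain and a hidden iframe of the kind detected as Mal/Iframe-F, are the sort of thing a publisher or proxy can check for in ad content before it reaches a browser. The following is an added example written for this article and is not Sophos code: it parses an ad snippet with the Python standard library, pulls out every remote load (`script`, `iframe`, `embed`, `object`), compares the host's second-level label against a small constructed list of trusted domains by edit distance to catch typosquats such as google-analitics, and separately flags 1x1 or display:none iframes. The sample HTML, the `TRUSTED_DOMAINS` list and the hostnames in it are constructed for the example; the google-analitics dot net domain is taken from the article.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of legitimate ad/analytics domains that squatters imitate.
TRUSTED_DOMAINS = {"google-analytics.com", "googlesyndication.com", "doubleclick.net"}

# Constructed ad snippet: a genuine ad tag, an injected loader pointing at a
# look-alike of google-analytics.com (the domain named in the article), and a
# 1x1 iframe pulling content from a third host (hostname invented for the example).
SAMPLE_AD_HTML = """
<div class="ad">
  <script src="https://www.googlesyndication.com/pagead/show_ads.js"></script>
  <script src="http://www.google-analitics.net/urchin.js"></script>
  <iframe src="http://ads.example-network.test/banner.html" width="1" height="1"></iframe>
</div>
"""


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; one or two edits is typical of a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def second_level_label(host: str) -> str:
    """'www.google-analitics.net' -> 'google-analitics' (label left of the TLD)."""
    labels = host.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def lookalike_of(host: str, max_distance: int = 2):
    """Return the trusted domain this host imitates, or None if it is genuine
    or simply unrelated. Exact matches and subdomains of a trusted domain pass."""
    host = host.lower()
    for trusted in TRUSTED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return None
    label = second_level_label(host)
    for trusted in sorted(TRUSTED_DOMAINS):
        if levenshtein(label, second_level_label(trusted)) <= max_distance:
            return trusted
    return None


class RemoteLoadExtractor(HTMLParser):
    """Collect every tag that causes the browser to fetch and run remote content."""
    LOADER_TAGS = {"script", "iframe", "embed", "object"}

    def __init__(self):
        super().__init__()
        self.loads = []  # (tag, url, attrs)

    def handle_starttag(self, tag, attrs):
        if tag not in self.LOADER_TAGS:
            return
        attrs = {k.lower(): (v or "") for k, v in attrs}
        url = attrs.get("src") or attrs.get("data")
        if url:
            self.loads.append((tag, url, attrs))


def is_hidden(attrs: dict) -> bool:
    """True for iframes the user cannot see: display:none, visibility:hidden or <= 1px."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        return int(attrs.get("width", "100")) <= 1 and int(attrs.get("height", "100")) <= 1
    except ValueError:  # e.g. width="100%"
        return False


def analyze_ad(html: str):
    """Return (kind, tag, url, imitated_domain) findings for one ad snippet."""
    parser = RemoteLoadExtractor()
    parser.feed(html)
    findings = []
    for tag, url, attrs in parser.loads:
        host = urlparse(url).hostname or ""
        target = lookalike_of(host)
        if target:
            findings.append(("lookalike-domain", tag, url, target))
        if tag == "iframe" and is_hidden(attrs):
            findings.append(("hidden-iframe", tag, url, None))
    return findings


if __name__ == "__main__":
    for finding in analyze_ad(SAMPLE_AD_HTML):
        print(finding)
```

The edit-distance comparison is deliberately limited to the label left of the TLD, so a TLD swap (google-analytics dot net) and a one-letter typo both score as look-alikes while an unrelated domain does not. In production the trusted list would be the ad network's real allow-list, and an `object`/`embed` load of SWF, JAR or PDF content from a host outside it is the second thing worth alerting on given the exploit chain this attack used.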

It would appear that salefale dot com is now inactive, though we can expect the attack to simply move to new sites.

About the author

Fraser is one of the Principal Virus Researchers in SophosLabs. He has been working for Sophos since 2006, and his main interest is in web related threats.