OpenX ads leading to malware c/o ‘BlackAdvertsPro’

In recent weeks I have seen a number of ad servers running OpenX that have been compromised by attackers. In this blog post, I want to describe some attacks that I looked at this morning.

The starting point for these attacks is the legitimate site that loads the OpenX ad content. This is normally done by an iframe element embedded in the page:

When the page loads, this iframe element causes the browser to request the content from the ad server. Ordinarily, this content would just contain the relevant ads, but when the ad server has been compromised, it also contains a malicious JavaScript (highlighted with yellow background):

As you can see, the purpose of the malicious script is to add another iframe element to the page. Sophos products block this script as Troj/JSRedir-EF. This loads content from the traffic directing server (TDS), which appears to come from a group calling themselves ‘BlackAdvertsPro’. This page contains yet another iframe element:

This iframe points to an exploit site, which proceeds to exploit client vulnerabilities and infect the user with malware.

I have not encountered them before, but I am going to speculate that ‘BlackAdvertsPro’ are some group that are in the business of compromising sites in order to direct web traffic to their TDS servers. They can then sell this traffic to others running exploit sites.

In one of the attacks I investigated this morning, my traffic was bounced on to an exploit site targeting Java vulnerabilities, with a simple landing page consisting of just an applet element:

Sophos products block this exploit site as Mal/ExpJS-AF. The Java content loaded exploited vulnerabilities to infect the machine with scareware, in this case Smart Fortress 2012:

Interestingly, ‘BlackAdvertsPro’ seem to be tracking IP addresses hitting their TDS servers. If you hit the site again, the iframe is modified to point to a clean site (Twitter, Statbrain etc).

This supports the theory that they are selling the traffic to others running the exploit sites. (Attackers have no interest in paying for the same machine getting redirected to their exploit site multiple times.)

This is not the first time that compromised OpenX ad servers have been used to infect users with malware. Poisoning ad content is a powerful way of controlling high volumes of web traffic, so it is very attractive to attackers.

The bottom line for site admins is that *any* content that their site loads from a 3rd party presents a risk. If the 3rd party gets hacked, then it is your site that ends up serving up malicious code, and redirecting your users to malicious sites.
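One way a site admin could check ad-server output for the kind of added iframe described above is to list every iframe target in the response, whether present in the markup or added by an inline script, and compare its host against an allowlist. This is an added example, not code from the original post; the host names, URLs and the `unexpected_iframes` helper are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only hosts this ad zone should ever frame content from.
ALLOWED_HOSTS = {"ads.example.com", "static.example.com"}
# Constructed sample of a tampered ad response (not captured traffic).
SAMPLE = r"""<a href="http://ads.example.com/click"><img src="http://static.example.com/b.png"></a>
<script>document.write('<iframe src="http://tds.example.net/in"><\/iframe>');</script>"""
# An iframe tag built as a string inside a script (document.write, innerHTML).
WRITTEN_IFRAME = re.compile(r"<iframe\b[^>]*?\bsrc\s*=\s*\\?[\"']?([^\"'\\\s>]+)", re.I)
# A src assigned in a script that also calls createElement('iframe').
CREATED_IFRAME = re.compile(r"createElement\(\s*[\"']iframe[\"']\s*\)", re.I)
SRC_ASSIGN = re.compile(r"\.src\s*=\s*[\"']([^\"']+)[\"']")

class AdContentScanner(HTMLParser):
    """Collects iframe targets from markup and from inline script text."""
    def __init__(self):
        super().__init__()
        self.script = None   # text of the <script> being read, else None
        self.targets = []    # (how the iframe gets added, url)

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script = []
        elif tag == "iframe":
            self.targets.append(("static", dict(attrs).get("src") or ""))

    def handle_data(self, data):
        if self.script is not None:
            self.script.append(data)

    def handle_endtag(self, tag):
        if tag != "script" or self.script is None:
            return
        text, self.script = "".join(self.script), None
        for url in WRITTEN_IFRAME.findall(text):
            self.targets.append(("script-written", url))
        if CREATED_IFRAME.search(text):
            for url in SRC_ASSIGN.findall(text):
                self.targets.append(("script-created", url))

def unexpected_iframes(ad_html, allowed=ALLOWED_HOSTS):
    """Return (how, url) for each iframe whose host is not on the allowlist.
    Relative URLs (no host) stay on the ad server itself and are skipped."""
    scanner = AdContentScanner()
    scanner.feed(ad_html)
    scanner.close()
    return [(how, url) for how, url in scanner.targets
            if (host := urlparse(url).hostname) and host not in allowed]
```

A script that obfuscates the URL or the tag name will not match these patterns, so an empty result is not proof that the ad content is clean.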

Original OpenX logo courtesy of OpenX.