You don’t always have to break into someone’s web server to get them to deliver your malware for you.
You may be able to implant malware onto a site from which your victim fetches third-party content, and thus serve up your malware one step removed.
You compromise the third party’s servers; they pass on the compromise to their customers; and those customers pass the compromised files onto users as they browse.
As you can probably imagine, ad servers are a prime target for this sort of indirect compromise: their whole purpose is to take content they didn’t originate themselves and to push it out as widely as they can.
→ Malware foisted on you by an ad server can also be harder to track down and analyse because ads on a site are deliberately varied from visitor to visitor, and from visit to visit. So a URL reported as malicious by a user might have no (or different) malware when visited again later.
Like running a self-hosted blog site, operating your own ad server is not an undertaking to be entered into lightly, not least because you represent potentially serious ill-gotten profits to a Malware-as-a-Service cybercrook.
So it was no surprise to see the Federal Office of Information Security in Germany (BSI, or Bundesamt für Sicherheit in der Informationstechnik) pushing out warnings about poisoned online adverts in January and in April 2013.
Once again, the BSI pointed the finger at OpenX installations:
In the past few days, online criminals have again carried out large-scale compromises of OpenX servers delivering advertising banners. The BSI already warned about this problem in January of this year.
Then, two days ago, the BSI issued another press release on this topic that may help to explain the prevalence of OpenX in reports about poisoned ads:
The BSI is reporting a backdoor in the current version (2.8.10) of the OpenX ad server... The backdoor gives an attacker remote code execution of PHP programs.
In fact, it looks as though the Trojanised content was hidden in the OpenX distribution back in November 2012, ten months ago.
Update: OpenX emailed us at 2013-08-07T22:12Z to say that 2.8.11 is out, fixing the problem. Details of how to see if you were affected are on the OpenX forum.
What the Trojanised content looks like
I don’t have a complete set of malicious files to show you – happily, 2.8.10 has been pulled from the OpenX download site.
With the comments chopped out, the PHP remaining reads like this:
And this boils down to a short but bitter payload:
This takes anything that the attacker posts, via a form field called vastPlayer, reverses it, rot13s it [*], and finally submits it to the PHP engine for execution via the eval() function.
This implies that an OpenX server installed from the compromised 2.8.10 sources may very well have been pre-owned, ready for cybercrooks to wade in and take over as soon as you made it live.
OpenX doesn’t seem to have made any public announcement so far; indeed, the 2.8.10 version is still listed as the current official download from the OpenX servers:
However, as mentioned above, the files have been removed:
Suggestions for mitigation
Since embedded PHP code appears between the delimiters <?php and ?>, looking for the opening delimiter is a good start:
$ find /your/openx/tree -name '*.js' -exec grep -liF '<?php' {} +
If you have 2.8.10, reports suggest (and the infected file I received bears this out) that the malicious PHP remote code execution fragment is in a file named:
plugins/deliveryLog/vastServeVideoPlayer/flowplayer/3.1.1/flowplayer-3.1.1.min.js
This file was unchanged from OpenX 2.8.9, so you can replace it from the 2.8.9 download if you like.
(The vastServeVideoPlayer is found inside the openXVideoAds.zip file in the etc/plugins directory.)
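As an added example (not the article's own code and not from OpenX), the POSIX sh script below extends the grep check above: it lists every .js file under an OpenX tree that carries a PHP tag, and separately flags files that also contain the eval / str_rot13 / strrev names from the payload described above. The directory path is a placeholder, and the sample tree it builds is constructed with harmless marker comments.

```sh
#!/bin/sh
# Added example: find JavaScript files in an OpenX tree that carry embedded PHP,
# and note whether the block also names the eval/str_rot13/strrev chain.

# Print one "VERDICT<TAB>path" line per suspicious .js file under "$1".
# Verdicts: PHP-IN-JS (PHP tag only), PHP-IN-JS-OBFUSCATED (tag plus the chain).
scan_openx_js() {
    dir="$1"
    # -F treats '<?php' as a fixed string (no regex surprises from '?'),
    # -l lists each matching file once, -i also catches '<?PHP' variants.
    find "$dir" -type f -name '*.js' -exec grep -liF '<?php' {} + |
    while IFS= read -r f; do
        if grep -qi 'eval' "$f" && grep -qi 'str_rot13' "$f" && grep -qi 'strrev' "$f"; then
            printf 'PHP-IN-JS-OBFUSCATED\t%s\n' "$f"
        else
            printf 'PHP-IN-JS\t%s\n' "$f"
        fi
    done
}

# Build a constructed sample tree (no real OpenX files) and print its path.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/plugins/deliveryLog/vastServeVideoPlayer/flowplayer/3.1.1" "$t/js"
    # Benign: plain JavaScript that merely mentions "php" in a comment.
    printf '// talks to index.php, no PHP tag here\nvar x = 1;\n' > "$t/js/clean.js"
    # PHP tag present, but none of the obfuscation names.
    printf 'var y = 2;\n<?php /* constructed marker */ ?>\n' > "$t/js/tagged.js"
    # PHP tag plus the names of the chain, in the file path the article names.
    printf 'f=function(){};\n<?PHP /* constructed marker: eval str_rot13 strrev vastPlayer */ ?>\n' \
        > "$t/plugins/deliveryLog/vastServeVideoPlayer/flowplayer/3.1.1/flowplayer-3.1.1.min.js"
    printf '%s\n' "$t"
}

# Count how many scan lines carry a given verdict: count_verdict DIR VERDICT
count_verdict() {
    scan_openx_js "$1" | awk -F'\t' -v v="$2" '$1 == v { n++ } END { print n + 0 }'
}
```

Run `scan_openx_js /your/openx/tree` against a real installation; any output at all deserves a look, since there is no legitimate reason for a PHP tag inside a .js file.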
I hope this helps, and I hope even more that OpenX comes up soon with some official statements that will help OpenX users determine whether they were affected by this hole.
Sophos Anti-Virus on all platforms detects and blocks this malware as Troj/PHP-M.