Falk AG said one of its ad networks was hacked and that for six hours on Saturday, some people visiting web sites that feature its banners would find their computers attacked via a Windows vulnerability for which no patch exists.
Sites including UK news site The Register and Dutch news site Nu.nl were affected. The attack was executed by about 2% of ad impressions that Falk served in Europe between 5.10am and 11.30am GMT on Saturday.
Anybody visiting the affected sites during that period with Internet Explorer 6 and a version of Windows prior to Windows XP Service Pack 2 would have a Trojan backdoor program installed on their computers.
The attack exploited a vulnerability in IE’s implementation of Iframe, an HTML tag that allows one page to invisibly nest another page. The vulnerability came to light October 24, and Microsoft Corp has not yet issued a fix.
Falk said that an attacker hacked a load balancer in its European data center in order to redirect visitors to exploit code hosted elsewhere, at search.comedycentral.com, a legitimate site that had also been compromised.
Joe Stewart, senior security research at managed security firm Lurhq Corp, said some aspects of Falk’s explanation did not tally with his own observations. He doubted a load balancer redirect was responsible for the problem.
Stewart said that while it was indeed possible Falk had been hacked, the banner ad with the first stage of the exploit came from a Falk IP address. Somebody had placed a banner in Falk’s database that pointed to the exploit, he said.
According to Stewart, the attack ad called exploit code from the compromised sites of Comedy Central, Lions Gate Films or beaded chair covering vendor PLAsia.com. This code ultimately caused the browser to download a Trojan program.
The Trojan does nothing but wait for the attacker to upload more code at a later time. Potentially, it could be used to install anything on the compromised machine, from a spam relay to a keystroke logger.
The Register wrote: If you may have visited the Register between 6am and 12.30pm GMT on Saturday, Nov 20 using any Windows platform bar XP SP2 we strongly advise you to check your machine with up to date anti-virus software, to install SP2 if you are running Windows XP, and to strongly consider running an alternative browser, at least until Microsoft deals with the issue.
According to Stewart, corporate users behind protection as straightforward as a NAT firewall would be protected against this final stage of compromise. Residential users are at more risk, he said.
The Iframe vulnerability is also currently being exploited by the Bofra family of email worms, a close relation of the MyDoom family. There is some speculation that a criminal gang is attempting to create a giant botnet for purposes unknown.
According to Lurhq, there was a second attack via ad networks that also used the Iframe exploit. Companies targeted included 24/7 RealMedia and Adwave.com, Stewart said. The second attack installs adware on PCs it compromises, he said.
