Comprimised OpenX Ad Servers Lead Users to Malware


March 29, 2012 By The Vigilant Application Owner

March 29, Softpedia – (International) Compromised OpenX ad servers lead users to malware. Sophos researchers discovered a number of OpenX ad servers were compromised and altered to redirect users to sites that push dangerous pieces of malware. Experts found that when the OpenX ad content is requested by the browser, an iframe is also loaded, executing a malicious JavaScript identified as Troj/JSRedirEF. The iframe added by the script loads content from a traffic directing server (TDS), controlled by a group called BlackAdvertsPro, which appears to be specializing in compromising Web sites to direct traffic to their own TDS. This traffic can be worth a lot of money if sold to criminals who run exploit sites. In one instance, the traffic was routed to an exploit site that served scareware called Smart Fortress 2012 (Mal/ExpJSAF) by exploiting Java vulnerabilities. The BlackAdvertsPro crew seems to be checking IP addresses to ensure each visitor is directed only once to the exploit sites. “This supports the theory that they are selling the traffic to others running the exploit sites. (Attackers have no interest in paying for the same machine getting redirected to their exploit site multiple times.)” a principal virus researcher said. Ad content poisoning is a very popular technique among cybercriminals because it allows them to control large amounts of traffic. As many administrators and security enthusiasts are aware, traffic, especially high volumes, has high value on the underground markets.

Source: http://news.softpedia.com/news/Compromised-OpenX-Ad-Servers-LeadUsers-to-Malware-261713.shtml