Yahoo Serves Malicious Ads

Thousands of users fell victim to a new malware attack, according to Fox-IT, a security company based in the Netherlands. The malware infects any user browsing a website that contains a Yahoo advertising banner.

The initial investigation revealed that the source of the infection is ads.yahoo.com, which included frames and content downloaded from:

  • blistartoncom.org (192.133.137.59), registered January 1, 2014
  • slaptonitkons.net (192.133.137.100), registered January 1, 2014
  • original-filmsonline.com (192.133.137.63)
  • funnyboobsonline.org (192.133.137.247)
  • yagerass.org (192.133.137.56)

The technique used by the cybercriminals works as follows: when a victim opens the web page, he is directed to a banner page with a set of exploits, registered on a subdomain of boxsdiscussing.net, crisisreverse.net, limitingbeyond.net, etc. All of these sites were located at a single IP address, 193.169.245.78.
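For defenders reviewing proxy logs from that period, the hosts and addresses listed above can be correlated per client to see how far along the redirect chain each machine got. This is an added example, not code from Fox-IT or the original article; the log format, the sample lines and the names `under`, `stage` and `hunt` are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators as listed in the article above.
FRAME_DOMAINS = ("blistartoncom.org", "slaptonitkons.net",
                 "original-filmsonline.com", "funnyboobsonline.org",
                 "yagerass.org")
FRAME_IPS = {"192.133.137.59", "192.133.137.100", "192.133.137.63",
             "192.133.137.247", "192.133.137.56"}
EXPLOIT_DOMAINS = ("boxsdiscussing.net", "crisisreverse.net",
                   "limitingbeyond.net")
EXPLOIT_IPS = {"193.169.245.78"}

def under(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def stage(dest_ip, url):
    """Classify one request as 'exploit', 'frame' or None."""
    host = urlsplit(url).hostname or ""
    # The article's domain list ends in "etc.", so match the shared IP too.
    if dest_ip in EXPLOIT_IPS or under(host, EXPLOIT_DOMAINS):
        return "exploit"
    if dest_ip in FRAME_IPS or under(host, FRAME_DOMAINS):
        return "frame"
    return None

def hunt(log_lines):
    """Map each client IP to the furthest stage of the chain it reached."""
    reached = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line
        _ts, client, dest_ip, url = parts
        hit = stage(dest_ip, url)
        if hit:
            reached[client].add(hit)
    return {c: "exploit" if "exploit" in s else "frame"
            for c, s in reached.items()}

# Constructed sample (assumed format: timestamp client dest_ip url).
SAMPLE_LOG = [
    "2014-01-02T10:00:01Z 10.0.0.5 192.133.137.59 http://blistartoncom.org/a",
    "2014-01-02T10:00:02Z 10.0.0.5 193.169.245.78 http://x1.boxsdiscussing.net/b",
    "2014-01-02T10:05:00Z 10.0.0.9 192.133.137.56 http://yagerass.org/c",
    "2014-01-02T10:06:00Z 10.0.0.7 193.169.245.78 http://unlisted.example/d",
    "2014-01-02T10:07:00Z 10.0.0.8 203.0.113.10 http://notyagerass.org/e",
]
```

Clients whose furthest stage is `exploit` reached the exploit page and are the ones to prioritise for host triage; `frame` means only the intermediate frame content was fetched.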

The Java exploit is executed in a vulnerable web browser and installs a range of malicious software, including ZeuS, Andromeda, Dorkbot/Ngrbot, Tinba/Zusy and Necurs. According to the investigation, the first infection occurred on December 30, 2013, and the attack lasted until 3 January 2014, when the company removed the malicious banner.

Figure: Infection by country according to Fox-IT

The estimated number of hosts infected through the banner during this period is about 300 thousand per hour. The highest number of infections occurred in Romania, the UK and France.
