Thousands of users fell victim to a new malware attack, according to the Netherlands-based security company Fox-IT. The malware could infect users browsing any website that carried a Yahoo advertising banner.
Initial investigation revealed that the infections originated from ads.yahoo.com, which served frames and content loaded from:
- blistartoncom.org (22.214.171.124), registered January 1, 2014
- slaptonitkons.net (126.96.36.199), registered January 1, 2014
- original-filmsonline.com (188.8.131.52)
- funnyboobsonline.org (184.108.40.206)
- yagerass.org (220.127.116.11)
The technique works as follows: when a victim opens a page carrying the banner, the browser is redirected to an exploit-kit landing page hosted on a sub-domain of boxsdiscussing.net, crisisreverse.net, limitingbeyond.net or similar domains. All of these sites were hosted on a single IP address, 18.104.22.168.
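The domains and IP addresses above are the kind of indicators a defender would sweep web-proxy logs for after an incident like this. The following script is an added example (not from the original article and not Fox-IT's code): it parses a constructed, simplified proxy-log format, extracts the destination host from each URL, and flags lines whose host matches a banner host exactly, falls under one of the exploit-kit domains (any sub-domain), or whose destination IP is one of the addresses printed in the article. The log format, the sample log lines and the function names are all assumptions made for this example.

```python
"""
Added example: match web-proxy log lines against the indicator domains and
IP addresses listed in the article. Log format and sample lines are
constructed; the hostnames and IPs are taken from the article as printed.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Hosts that served the banner's frames/content (from the article);
# matched exactly, so look-alike names such as notblistartoncom.org do not hit.
BANNER_HOSTS = {
    "blistartoncom.org",
    "slaptonitkons.net",
    "original-filmsonline.com",
    "funnyboobsonline.org",
    "yagerass.org",
}

# Exploit-kit landing pages lived on sub-domains of these (from the article);
# matched by suffix so that any sub-domain is caught.
EXPLOIT_KIT_DOMAINS = {
    "boxsdiscussing.net",
    "crisisreverse.net",
    "limitingbeyond.net",
}

# IP addresses exactly as printed in the article.
INDICATOR_IPS = {
    ipaddress.ip_address(a) for a in (
        "22.214.171.124", "126.96.36.199", "188.8.131.52",
        "184.108.40.206", "220.127.116.11", "18.104.22.168",
    )
}

# Assumed (constructed) proxy log format, one request per line:
#   <timestamp> <client-ip> <dest-ip> <method> <url>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dest>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$"
)
# Host part of a URL: stops at path, port, query or fragment.
HOST_RE = re.compile(r"^[a-z]+://([^/:?#]+)", re.IGNORECASE)


def host_from_url(url: str) -> Optional[str]:
    """Return the lower-cased hostname of a URL, or None if it has none."""
    m = HOST_RE.match(url)
    return m.group(1).lower().rstrip(".") if m else None


def classify_host(host: str) -> Optional[str]:
    """Label a hostname as 'banner-host', 'exploit-kit' or None."""
    if host in BANNER_HOSTS:
        return "banner-host"
    for domain in EXPLOIT_KIT_DOMAINS:
        # Exact match or a true sub-domain (the dot prevents prefix look-alikes).
        if host == domain or host.endswith("." + domain):
            return "exploit-kit"
    return None


def classify_ip(dest: str) -> Optional[str]:
    """Label a destination IP as 'indicator-ip' or None; tolerate junk."""
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        return None
    return "indicator-ip" if ip in INDICATOR_IPS else None


def scan_logs(lines: Iterable[str]) -> List[Dict]:
    """Return one record per log line that matches at least one indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than abort the sweep
        host = host_from_url(m["url"])
        reasons = []
        if host and classify_host(host):
            reasons.append(classify_host(host))
        if classify_ip(m["dest"]):
            reasons.append(classify_ip(m["dest"]))
        if reasons:
            hits.append({"ts": m["ts"], "client": m["client"], "host": host,
                         "dest": m["dest"], "reasons": reasons})
    return hits


# Constructed sample log: one legitimate ad request, two indicator hits, one
# benign site, one malformed line, one look-alike domain, one hit on port 443.
SAMPLE_LOG = """\
2014-01-02T10:15:01Z 10.0.0.12 192.0.2.10 GET http://ads.yahoo.com/ad?id=1
2014-01-02T10:15:02Z 10.0.0.12 22.214.171.124 GET http://blistartoncom.org/banner.js
2014-01-02T10:15:03Z 10.0.0.12 18.104.22.168 GET http://abc123.boxsdiscussing.net/landing
2014-01-02T10:15:04Z 10.0.0.31 203.0.113.5 GET http://www.example.com/
this line is malformed
2014-01-02T10:15:05Z 10.0.0.31 198.51.100.7 GET http://notblistartoncom.org/
2014-01-02T10:15:06Z 10.0.0.44 18.104.22.168 CONNECT https://crisisreverse.net:443/
"""

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOG.splitlines()):
        print(hit["ts"], hit["client"], hit["host"], hit["dest"], ",".join(hit["reasons"]))
```

Note that ads.yahoo.com itself is deliberately not in the indicator set: it was the delivery channel, not the attacker's infrastructure, so flagging it would drown the sweep in legitimate traffic. The IP check is kept separate from the host check because a client that resolved the exploit-kit domain but logged only the destination address (for example a CONNECT tunnel) would otherwise be missed.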
The Java exploit runs in browsers with a vulnerable Java plugin and installs a range of malware, including ZeuS, Andromeda, Dorkbot/Ngrbot, Tinba/Zusy and Necurs. The investigation found that the first infection occurred on December 30, 2013, and the attack continued until January 3, 2014, when the company removed the malicious banner.
During this period an estimated 300 thousand hosts per hour were infected via the banner. The highest numbers of infections occurred in Romania, the UK and France.