Malicious Advertising Banners
Date : March 04, 2008
In early February, we issued a "Potential Danger" notice (CERT-IST/DG-2008.004: Malicious PDF files spreading - CVE-2007-5659) because a wave of attacks based on PDF files had been seen on the Internet. In such situations we often discuss with other CERTs (especially with the French teams from the CERTA and from the Renater-CERT) to share our assessments of the threat level and the possible measures to reduce the risk of infection for our subscribers. The PDF issue made us work closely with the CERT-Renater on network logs, which enabled us to identify how vulnerable computers had been infected.
Log analysis for the PDF attack
The logs of the attack that were provided to us clearly show that the victim was infected through a malicious advertising banner displayed while browsing a website. Here is an excerpt of these logs:
[1] GET http:// adserver. 1. fm/ads_3/247rm120x600.htm
[2] GET http:// 85. 17. 221. 2/track
[3] GET http:// 85. 17. 221. 2/track/l.php?pl=Win32&ce=true&hb=2&av=7
[4] GET http:// 85. 17. 221. 2/track/1.pdf
Note: Additional spaces were added in the above URLs to make them inactive.
First we can observe that the advertising banner (line [1]) redirects the user to a web site located at IP 85.17.221.2 (line [2]). The "Referer" field included in each log record links these two lines together. Then the logs show a sequence of web pages (lines [2] and [3]) that finally results in loading a file named "1.pdf" (line [4]).
This PDF file is malicious. It contains JavaScript code that exploits a stack overflow vulnerability found in Adobe Reader (see the CERT-IST/AV-2008.048 advisory). This vulnerability allows the execution of arbitrary commands on the victim's computer. Although this is not shown in the above log snippet, these commands can lead to the download of a variant of the "Zonebac" Trojan.
A couple of additional details are worth mentioning for this attack:
- Typically, the web page sequence is performed automatically through "IFRAME" HTML tags (such a tag forces a web page to load another page). For example, the "1.pdf" file was downloaded because the previous web page contained the following code:
<html><iframe src="1.pdf" height="0" width="0" hidden="true"/></html>
- On line [3], some parameters ("pl = Win32", "ce = true"…) are sent by the malicious pages to the IP address 85.17.221.2. It is likely that the hosted web site uses them to produce a specially crafted response (line [4]) tailored to the target platform. If the target platform had not been Windows (Win32), the "IFRAME" tag would probably have pointed to a different crafted PDF file. The "1.pdf" file seems to target only Windows platforms.
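As an added illustration (not code from the original bulletin), the following Python snippet shows how an ad creative or landing page could be scanned for the kind of IFRAME described above: zero-size or explicitly hidden frames, and frames that load a document file such as a PDF. The sample pages are constructed for the example; the first one is the snippet quoted in the text.

```python
from html.parser import HTMLParser

# Constructed sample pages: the snippet quoted in the bulletin, plus a
# visible 120x600 banner frame that should not be flagged.
SAMPLE_PAGES = {
    "malicious": '<html><iframe src="1.pdf" height="0" width="0" hidden="true"/></html>',
    "benign": '<html><body><iframe src="http://ads.example.invalid/banner.html" '
              'width="120" height="600"></iframe></body></html>',
}

# Document types abused in this attack wave.
SUSPICIOUS_EXTENSIONS = (".pdf",)


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> (self-closing ones included)."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def is_hidden(attrs):
    """A frame with zero width or height, or a hidden attribute, is invisible."""
    return attrs.get("width") == "0" or attrs.get("height") == "0" or "hidden" in attrs


def suspicious_iframes(html):
    """Return the src of each iframe that is hidden or loads a document file."""
    parser = IframeCollector()
    parser.feed(html)
    flagged = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        if is_hidden(attrs) or src.lower().endswith(SUSPICIOUS_EXTENSIONS):
            flagged.append(src)
    return flagged
```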
The cooperation with the CERT-Renater allowed us, through our respective analyses, to define patterns that can be searched for in web proxy traces to detect a compromised computer. The following patterns were made available to the Cert-IST subscribers in the "Crisis Management Hub":
- Search for connections to the site of IP 85.17.221.2
- Search for the following URLs: "/track/l.php" or "/track/1.pdf".
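As an added example (not part of the original bulletin), the Python script below applies the two search patterns above to proxy log lines and then walks the "Referer" fields backwards from each hit, so that the chain leading from the advertising banner to "1.pdf" can be rebuilt per client, as done in the analysis above. The log line format, timestamps, client addresses and the publisher site are assumptions; the URLs are those of the log excerpt with the defanging spaces removed.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log excerpt, one record per line:
# "timestamp client method url referer" ("-" when no Referer was sent).
SAMPLE_LOG = """\
2008-02-01T10:00:01 10.0.0.5 GET http://adserver.1.fm/ads_3/247rm120x600.htm http://www.example-news.invalid/index.html
2008-02-01T10:00:02 10.0.0.5 GET http://85.17.221.2/track http://adserver.1.fm/ads_3/247rm120x600.htm
2008-02-01T10:00:03 10.0.0.5 GET http://85.17.221.2/track/l.php?pl=Win32&ce=true&hb=2&av=7 http://85.17.221.2/track
2008-02-01T10:00:04 10.0.0.5 GET http://85.17.221.2/track/1.pdf http://85.17.221.2/track/l.php?pl=Win32&ce=true&hb=2&av=7
2008-02-01T10:05:00 10.0.0.9 GET http://www.example-news.invalid/sports.html -
"""

# Search patterns published in the Crisis Management Hub.
MALICIOUS_HOST = "85.17.221.2"
MALICIOUS_PATHS = ("/track/l.php", "/track/1.pdf")

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Split each log line into a record dict; malformed lines are skipped."""
    keys = ("ts", "client", "method", "url", "referer")
    matches = (LINE_RE.match(line) for line in text.splitlines())
    return [dict(zip(keys, m.groups())) for m in matches if m]


def is_indicator_hit(url):
    """True if the URL matches the attack host or one of the attack paths."""
    parts = urlsplit(url)
    return parts.hostname == MALICIOUS_HOST or parts.path in MALICIOUS_PATHS


def redirect_chain(records, hit):
    """Follow Referer fields backwards from a hit, within the same client's traffic."""
    by_url = {r["url"]: r for r in records if r["client"] == hit["client"]}
    chain, current = [hit["url"]], hit
    while current["referer"] in by_url and current["referer"] not in chain:
        current = by_url[current["referer"]]
        chain.append(current["url"])
    return chain[::-1]          # oldest request (the banner) first


def find_compromises(text):
    """Map each client that matched an indicator to its full redirect chain."""
    records = parse_log(text)
    deepest = {}
    for r in records:
        if is_indicator_hit(r["url"]):
            deepest[r["client"]] = r      # later stages overwrite earlier ones
    return {client: redirect_chain(records, r) for client, r in deepest.items()}
```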
Malicious Advertising Banners
The fact that an advertising banner is able to attack the visitor's computer while he is browsing the web is really worrying. It is all the more worrying because it can occur when visiting legitimate (trustworthy) web sites. These web sites are themselves harmless, but they can embed banners which are not. This happens because such a web site has no fine control over the advertising content it displays. Basically it blindly rents some space on its own web pages to an advertising company, which uses it to conduct advertising campaigns.
Although most advertising campaigns are harmless, it appears today that some of them carry malicious content. Cert-IST has already been aware of such an attack. Back in October 2007, we dealt with several complaints regarding intrusive advertisement content broadcast on the "laposte.net" site (the well-known French postal company) without the knowledge of the latter. In the meantime, several online IT newsletters reported similar incidents (e.g. The Washington Post published an article in September 2007 called "Banner Ad Trojan Served on MySpace, Photobucket"). It seems that this type of incident is increasing, as shown by this blog which lists victimized sites.
The analyses published for this kind of attack show that they are often performed using malicious embedded components, such as Flash animations. An attacker can easily build a fake advertisement which displays a harmless message most of the time and then all of a sudden switches to harmful content. Typically it implements a redirection through an IFRAME tag, which drives the user to an attack script hosted on a malicious site. If the advertising company does not discover the attack hidden in the Flash message, it will broadcast it on its advertising network.
This attack model is very interesting for the attackers, because it is no longer necessary to drive the user to a malicious site (e.g. through SPAM messages), or to compromise hundreds of weakly protected third-party web sites. They "just" have to insert a malicious ad into the advertising network to reach a large audience. All affiliated websites will then propagate the attack.
The "PDF attack" case
The PDF attack we reported at the beginning of this article is remarkably efficient:
- First, a new flaw is discovered by hackers in the PDF reader (of course no patch exists yet to fix it). As the PDF reader is integrated (through plugins) within most web browsers (Internet Explorer, Firefox…), this flaw can be used to attack anyone who browses the Internet.
- This flaw is then encapsulated in a malicious advertisement and injected into an advertising network. As a result, the attack is distributed to a very large audience on the Internet.
The PDF attack wave was discovered on February 9, 2008 (date of the initial Cert-IST alert message to the subscribers of the 7/7 alert service), but we have evidence that it was active since at least February 1 (that date was found in the logs that we analyzed). According to some sources, these attacks might even have started on January 20, 2008. This means that about 3 weeks elapsed between the first attacks and the outbreak of the alert (which led to the shutdown of the malicious web sites involved in the attack). This is a long window of exposure, and during that period anyone who encountered this malicious advertisement would likely have been infected.
It is still unclear whether advertising companies are aware of propagating this type of attack or whether they are also victims. Do they know that malicious advertisements are running on their networks? A recent study published by Google Research (All Your iFRAMEs Point to Us) mentions that the ad networks most often involved in such attacks are those that work by syndication (several advertisers grouped to form a joint advertising network). In that case it is obviously easier for a rogue partner to infiltrate the ad network.
See also, for more information:
- An article from "The Register": "Rogue ads infiltrate Expedia and Rhapsody"
http://www.theregister.co.uk/2008/01/30/excite_and_rhapsody_rogue_ads
- Virus Bulletin - January 2008: "Inside rogue Flash Ads"
http://www.trustedsource.org/download/research_publications/SCJan08.pdf