Attackers strike using Web ads

Online intruders hit a server owned by advertising host Falk and use it to distribute a destructive program via banner ads.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
3 min read
Online intruders breached the security of at least one server at advertising host Falk this weekend and used the computer to distribute an attack to the service's clients, including The Register, a technology news and opinion site.

Both Falk and The Register confirmed details of the attack, which infected some users' systems on Saturday morning. The problem was later corrected, Falk said. The attack used a recently discovered flaw in Microsoft's Internet Explorer 6 that has not yet been patched.

The attack used banner ads to infect victims' computers. According to security company Lurhq, the program, when viewed as an advertising banner, executes some fancy Internet footwork to jump to three other Web sites, further infecting the victim's computer at each step. Once compromised by the program, an infected system will allow an attacker to install additional programs.

"The attackers were not targeting...The Register," said Marcus Sachs, director of the Internet Storm Center, a network-monitoring group funded by the SANS Institute. "It just happens. If you did not have updated antivirus, you could have been hit by it."

The attack exposed, for the second time this year, the danger posed by insecure Web services. In June, an attack that similarly used a flaw in Internet Explorer was posted to several Russian sites. By exploiting a centralized advertising hosting service with insecure servers, the latest attack found a way to spread more widely.

Advertising hosts generally serve up banner advertisements to their Web site clients. What may seem like a banner, however, can easily contain malicious code, which is what happened when attackers breached the security of one of the servers at Falk, the company said.

"This attack made use of a weak point on this specific type of load balancer," Falk said in a statement. "The function of a load balancer is to evenly distribute requests to the multiple servers behind it. The system concerned was only used to handle a specific request type to our ad server and has now been investigated."

The attack is not a virus, because once it infects a user's system through Internet Explorer, the program will not spread further. However, many reports confuse the Internet Explorer vulnerability, referred to as the iFrame vulnerability, and the Bofra virus, which has used the flaw to spread. Bofra was originally referred to as a variant of the MyDoom virus. Security company Lurhq referred to the latest attack as Trojan.Agent.EC.

"The (program) was originally introduced to our European network, where it was first detected," Falk said in a statement. "As of 11:30 a.m. GMT (3:30 a.m. PST Saturday), the virus was removed from all Falk European and U.S. networks, and normal ad delivery was restored.

The Register blocked banner advertisements during the incident and said it does not plan to resume the service until Falk can make assurances regarding the security of its ads.

"We have asked Falk for an explanation and for further details of the incident, and pending this we do not intend to restart ad-serving via the company," The Register said in a statement. "Although the matter was beyond our direct control, we do not regard it as acceptable for any Register reader to be exposed in this way."

Microsoft pointed out that the attack will only infect PCs with Internet Explorer 6 installed, and which don't have the Service Pack 2 update.

"Microsoft is working to forensically analyze the malicious code in Bofra and will work with international law enforcement to identify and bring to justice those responsible for this malicious activity," the company said in response to the Falk attack. "Microsoft is taking this vulnerability very seriously; accordingly, an update to correct the vulnerability is currently in development."

A representative of Microsoft, which has offered rewards for leads on virus attacks in the past, would not comment on whether the company plans to offer a reward for the leads to Falk's attacker or those responsible for the Bofra virus.