Softpedia
 


December 11th, 2010, 10:36 GMT · By

Drive-By Scareware Malvertizements Served by Large Ad Networks



Major ad networks silently infected visitors with malware
Malware distributors have managed to trick two large ad networks into delivering malvertizements that silently infected the visitors of large websites with fake scareware programs.

The attacks started on December 3 and were picked up by HackAlert, a cloud-based malware scanning service operated by Santa Clara-based security vendor Armorize Technologies.

HackAlert is used by VeriSign Trust Services, now a division of Symantec, for its daily VeriSign Trust Seal malware scans. So when several high-profile websites started being tagged as infected, Armorize was asked to check its platform for possible bugs.

However, their investigation revealed that sites like realestate.msn.com, msnbc.com, scout.com or mail.live.com were indeed inadvertently infecting their visitors with malware.

It appears that cyber criminals registered a domain called adshufffle.com (three "f"-s) and posed as a legit advertising company named AdShuffle.

They somehow managed to get their domain accepted on both the Google-owned DoubleClick network and rad.msn.com, the server used by Microsoft to deliver ads to various sites, including Hotmail and MSN.
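
The three-"f" lookalike described above is the kind of name an advertiser-vetting step can catch mechanically. The following Python sketch is an added example, not code from Armorize or the ad networks; the partner list, the assumption that the legitimate company's domain is adshuffle.com, and all function names are constructed for illustration.

```python
# Added example: flag advertiser domains that imitate an already-known partner.
# KNOWN_PARTNERS is a constructed allow-list; adshuffle.com is assumed to be
# the legitimate company's domain.
KNOWN_PARTNERS = {"adshuffle.com", "doubleclick.net"}


def collapse_repeats(s: str) -> str:
    """Collapse runs of the same character: 'adshufffle' -> 'adshufle'."""
    out = []
    for ch in s:
        if not out or out[-1] != ch:
            out.append(ch)
    return "".join(out)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Naive last-two-labels reduction (assumes no multi-part public suffix)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(host: str, known=KNOWN_PARTNERS, max_dist: int = 2):
    """Return the known partner that `host` imitates, or None.

    An exact match is the partner itself, so it is not reported.
    """
    domain = registrable(host)
    if domain in known:
        return None
    for partner in sorted(known):
        # Repeated-letter variants, e.g. an extra or missing doubled letter.
        if collapse_repeats(domain) == collapse_repeats(partner):
            return partner
        # Other near misses: substitutions, insertions, deletions.
        if edit_distance(domain, partner) <= max_dist:
            return partner
    return None
```

A hit is a reason to hold the submission for manual review, not proof of abuse; short partner names will need a tighter `max_dist` to avoid false positives.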

The rogue ads served from this domain were not regular scareware malvertizements (malicious advertisements) that falsely claim visitors are infected and offer them a program to fix it.

They looked harmless, but loaded the Eleonore drive-by download toolkit in the background. This toolkit silently exploits vulnerabilities in outdated versions of popular applications like Java, Adobe Reader, Internet Explorer and even Windows.

“Users visit websites that incorporate banner ads from DoubleClick or rad.msn.com, the malicious JavaScript is served from ADShufffle.com (notice the three f's), starts a drive-by download process and if successful, HDD Plus and other malware are installed into the victim's machine, without having the need to trick the victim into doing anything or clicking on anything. Simply visiting the page infects the visitors,” notes Wayne Huang, chief technology officer at Armorize and member of the team who researched the attack.

HDD Plus is one of the recent pieces of scareware that pose as hard disk defragmentation utilities. The other malware downloaded by the malvertizements was a trojan downloader.
