Apr 27, 2011 18:56 GMT

Security researchers have detected a malvertizing attack launched from the home page of Yahoo! Philippines in order to infect users with a trojan.

Even more intriguing is the fact that the malicious advertisement was for Yahoo! Philippines' own Purple Hunt 2.0 competition.

The original Purple Hunt was held in 2009 and involved users looking for clues online and offline in order to win prizes.

The competition proved very popular, so a second edition was organized for this year. The grand prize is a purple Hyundai i10, which is what the rogue ad displayed.

According to Maharlito Aquino, a threats analyst at Trend Micro who analyzed this latest attack, when clicked, the rogue ad served a file called com.com from randomly generated URLs.

COM is a binary executable format that dates back to the days of MS-DOS. It still works on many Windows systems today and has been used by malware pushers to trick users for a long time.

Trend Micro detects this particular threat as TSPY_PIRMINAY.A, a trojan that collects sensitive data from computers and modifies the Windows HOSTS file to block access to The Pirate Bay, Mininova and other sites associated with them.
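The HOSTS file change described above can be checked for by looking for ordinary hostnames mapped to loopback or null addresses. The following is an added example, not code from Trend Micro or the original article; the sample entries are constructed, and the exact hostnames the trojan writes are an assumption, since the article names only the sites.

```python
import ipaddress

# Names that normally point at loopback in an unmodified hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample hosts file (illustrative entries, not taken from a real infection).
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       thepiratebay.org www.thepiratebay.org   # constructed entry
0.0.0.0         mininova.org
192.0.2.10      intranet.example    # ordinary static mapping
not-an-ip       broken.example
"""

def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for each well-formed hosts entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) < 2:
            continue                            # blank or comment-only line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # skip malformed addresses
        yield line_no, ip, [h.lower().rstrip(".") for h in fields[1:]]

def find_sinkholed(text):
    """Return (line_no, ip, hostname) for non-local names forced to loopback/null."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        for name in names:
            if name not in LOCAL_NAMES:
                findings.append((line_no, str(ip), name))
    return findings

if __name__ == "__main__":
    for line_no, ip, name in find_sinkholed(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

On a Windows system the file to read is `%SystemRoot%\System32\drivers\etc\hosts`. Deliberate ad-blocking hosts lists produce the same pattern, so findings are leads for review rather than proof of infection.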

According to Mr. Aquino, the malicious ad was designed to offer the file for download only once to every user. To achieve this, it probably kept a history of IP addresses that accessed it.

Yahoo's ad security team was alerted and reacted quickly by blocking the malvertizement from infecting more users. However, the method used to put the rogue ad up on the site's home page in the first place was not revealed.

One common technique is tricking ad-vetting employees into accepting the ads by impersonating a legitimate advertising company. Another way is to compromise the ad server and inject the ad directly.