Articles

And now… the Malvertising Virus

Avast Antivirus is reporting a virus that targets display advertisement. Javascript code in the malware runs as soon as the ad displays on your screen and does not require you to click on the ad. Dubbed a malvertising virus, the ‘JS:Prontexti’ malware may have already infected the big ad services such as Google, Yahoo and Fox.

[ via BizReport ]


(PRAGUE, Czech Republic, March 16) Researchers at ALWIL Software, providers of the avast! antivirus program, have discovered a widespread campaign to infect website advertisements served up on leading online advertising services.

The attack infects advertisements served up by a number of online advertisers, helping place malware on the computers of people visiting leading websites such as Google and Yahoo.

The most compromised services are yieldmanager.com (Yahoo) and fimserve.com (FOX Audience Network) which cover more than 50% of online ads. The list of poisoned ad services is extensive and includes advertangel.com, bannerimg.com, jambovideonework.com, myspace.com, vestraff.com and zedo.com. Doubleclick.com, an advertising server affiliated with Google, is ranked fifth in the avast! Virus Lab list of infected servers by rate of infection.

“The poison ad infiltration method is growing in popularity because it does not require users to click on anything,” explains Jiri Sejtko, avast! Senior Virus Analyst. “Users can get infected just by reading their favorite newspaper or by doing a search on popular topics; the infection begins just after the poisoned ad is loaded by the browser.”

Avast! Virus Labs have named this attack vector JS:Prontexi. It is a JavaScript code which acts as a channel for malware attacks on vulnerable software such as Adobe and a range of zero-day exploits.

“JS:Prontexi highlights the lack of care shown by advertising services providers to actively screen the content they are distributing,” comments Sejtko, “Serving up infected content like this is a double hazard for advertising companies. In addition to reducing consumer trust in their services, they run the risk of being flagged or even blocked by antivirus programs as a source of malware.”

“Consumers shouldn’t immediately accuse their antivirus program of a false positive when a familiar site gets blocked. There can be a real danger,” explains Sejtko. “avast! and Kaspersky Labs, a competing antivirus product, both blocked yieldmanager earlier this year because of these attacks. If these advertising services get too infected, the easiest way to protect our users is to block them completely.”

Since the surge of JS:Prontexi in February, avast! has updated its virus databases to fully protect against this attack vector. avast! sensors in individual computers detect the malicious JavaScript and block it, preventing users from receiving the infection. Much of the data gathered on the spread and prevalence of this poisoned ad phenomenon has been collected by users participating in the “avast! Community IQ”, the firm’s own “cloud” of 100 million endpoints that report on web dangers, helping the avast! experts build better protection schemes.

More information on the technical aspects of ad poisoning can be found here:
http://blog.avast.com/2010/02/18/ads-poisoning-%E2%80%93-jsprontexi/