Details of hijacked 24/7 ad server emerge
Hackers have hijacked a server operated by Internet advertising company 24/7
Real Media Inc. and are using it to seed legitimate Web sites with ads carrying
attack code, Symantec Corp. said Friday.
Windows users who visited sites with the attacking ads were infected if they
browsed with Microsoft Corp.'s Internet Explorer and had RealNetworks Inc.'s
popular RealPlayer media player program installed on their PCs, Symantec said
in an analysis written by three company researchers. This is the first time
that malware has piggybacked on Internet ads served from a major advertising
firm.
The attack should be a warning to the Web, said Andrew Storms, director of
security operations at nCircle Network Security Inc. "So much of the content
we consume today comes from many syndication services," Storms said in
an e-mail interview. "We trust that the content provided to us by Internet
'blue chips' is safe from malware.
"This should be a wakeup call for sites which offer syndicated content,"
Storms said. "They need to take a more active role in ensuring the security
of [that] content."
Working off reports last week that RealPlayer
and Internet Explorer could be exploited to infect Windows computers, Symantec
researchers Aaron Adams, Raymond Ball and Anthony Roe used a compromised company
honeypot to trace an attack back to 24/7 Real Media's server. Although Symantec
didn't speculate on how the server was compromised, it did lay out the attack's
progression.
How the hack worked
After they'd gotten access to the server, the attackers added code that embedded
an IFrame in every advertisement. The invisible IFrame contained instructions
to redirect any browser that rendered the ad to another, unauthorized IP address.
In other words, users who surfed to a theoretically trustworthy site that contained
ads inserted by New York-based 24/7 were, in fact, secretly shunted to the second,
malicious site.
Script hosted on that second site sniffed users' machines to determine if they
were vulnerable to the unpatched RealPlayer vulnerability before actually launching
an attack, according to Symantec. "The script first tests the user-agent
supplied by the browser ensuring that it is Internet 6 or 7 and the system is
identified as NT 5.1 [Windows XP] or NT 5.0 [Windows 2000]," Adams, Ball
and Roe said in a report. Other sniff tests included one to identify the version
of RealPlayer on the vulnerable PC.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
