Details of hijacked 24/7 ad server emerge

by Gregg Keizer

October 22, 2007 —

Hackers have hijacked a server operated by Internet advertising company 24/7
Real Media Inc. and are using it to seed legitimate Web sites with ads carrying
attack code, Symantec Corp. said Friday.

Windows users who visited sites with the attacking ads were infected if they
browsed with Microsoft Corp.'s Internet Explorer and had RealNetworks Inc.'s
popular RealPlayer media player program installed on their PCs, Symantec said
in an analysis written by three company researchers. This is the first time
that malware has piggybacked on Internet ads served from a major advertising
firm.

The attack should be a warning to the Web, said Andrew Storms, director of
security operations at nCircle Network Security Inc. "So much of the content
we consume today comes from many syndication services," Storms said in
an e-mail interview. "We trust that the content provided to us by Internet
'blue chips' is safe from malware.

"This should be a wakeup call for sites which offer syndicated content,"
Storms said. "They need to take a more active role in ensuring the security
of [that] content."

Working off reports last week that RealPlayer
and Internet Explorer could be exploited to infect Windows computers, Symantec
researchers Aaron Adams, Raymond Ball and Anthony Roe used a compromised company
honeypot to trace an attack back to 24/7 Real Media's server. Although Symantec
didn't speculate on how the server was compromised, it did lay out the attack's
progression.

How the hack worked

After they'd gotten access to the server, the attackers added code that embedded
an IFrame in every advertisement. The invisible IFrame contained instructions
to redirect any browser that rendered the ad to another, unauthorized IP address.
In other words, users who surfed to a theoretically trustworthy site that contained
ads inserted by New York-based 24/7 were, in fact, secretly shunted to the second,
malicious site.

Script hosted on that second site sniffed users' machines to determine if they
were vulnerable to the unpatched RealPlayer vulnerability before actually launching
an attack, according to Symantec. "The script first tests the user-agent
supplied by the browser ensuring that it is Internet 6 or 7 and the system is
identified as NT 5.1 [Windows XP] or NT 5.0 [Windows 2000]," Adams, Ball
and Roe said in a report. Other sniff tests included one to identify the version
of RealPlayer on the vulnerable PC.

If the computer met the attack criteria, a second exploit script was executed,
which in turn downloaded and installed a Trojan horse to the PC. The Trojan
horse was a variation of "Zonebac," malware first detected last year
that disables a slew of security software and lowers Internet Explorer's security
settings, said the analysts. On Friday, Symantec called the original Zonebac
"fairly unsophisticated" but added that the variant in the RealPlayer
attack "retrieves information from numerous Web sites."

Symantec was not available over the weekend to answer questions about the nature
of that information or to provide any other details of the attack.

"What's most interesting about the exploit is where it is hosted,"
the three researchers said. "The compromise of an ad server can greatly
increase the effectiveness of the attack. It is so effective because it allows
an attacker to target victims that are browsing trusted or well-known Web sites."

In the specific attack that Symantec monitored, the advertisement -- which
was for job-hunting site Monster.com -- had been placed on a site hosted by
Tripod.com, a Web hosting service owned by Lycos Inc. that offers both free
and for-a-fee plans. "The Tripod.com Web site that triggered the breach
on the DeepSight honeypot was 'xxxxxxxxx.tripod.com,' containing [an] embedded
script ... which loaded the compromised advertisement and then in turn loaded
the exploit," said the Adams, Ball and Roe report. "To emphasize the
severity of this attack, [the ad script] is embedded and called in every Tripod.com
user Web page (URLs formatted like 'name.tripod.com') at least," they added.

Ground control to major mess

Tripod places ads on sites hosted under its free plan; customers who pay hosting
fees, however, do not have ads stuck on their sites' pages.

It's not known if the only sites served with ads containing the IFrame were
Tripod's. There were hints, however, that Tripod might not be the only tainted
domain. Last Wednesday, for example, NASA issued a warning to workers of a surge
in attacks on Windows PCs running Internet Explorer and RealPlayer. According
to the space agency's bulletin, the attacks had come from "well-known news
sites which may be hosting advertisements from ad servers that redirect the
users to malware hosting sites." Friday, NASA spokesman Mike Mewhinney
declined to name the news sites the agency suspected of displaying rogue ads.

Because 24/7 Real Media's ad research is significant, the IFrame-infected ads
may have been placed on a large number of Web sites. According to the most recent
data from Internet audience measurement firm comScore Inc., 24/7's ads reached
50% of all Americans online last month. The company's reach placed it at No.
15 on comScore's September Top 50.

24/7 Real Media did not respond to e-mails sent Friday and Sunday.

Symantec couldn't pin down the start date of the attack, but it did note that
the malicious site had hosted exploit code since at least Oct. 8. "There
is a possibility that this IP [has been] controlled by the same attackers for
quite some time and that they are using it to launch numerous low-key attacks,"
said Adams, Ball and Roe.

Late Friday, RealNetworks issued a patch for RealPlayer 10.5 and the RealPlayer
11 beta. It also urged users of earlier versions to first upgrade to 10.5 or
11, then apply the patch. Only Windows versions of RealPlayer are vulnerable,
RealNetworks said in its advisory; Mac and Linux versions are not at risk.

Computerworld