Malicious banner ads hit major websites

By Dan Kaplan
Sep 11, 2007 2:43 PM
This week, ScanSafe researchers began noticing a major uptick in bogus banner ads being planted on heavily trafficked, user-generated websites such as MySpace and Photobucket. The ads attempt to drop a trojan without any user interaction, Dan Nadir, ScanSafe's vice president of product strategy, told SCMagazineUS.com today.

PCs are susceptible if users failed to patch a Microsoft ActiveX vulnerability, disclosed in February, he said. ScanSafe estimates that some 12 million of these malicious ads may have been delivered through more than 70 ad servers. The trojan downloader is named VBS.Agent.n.

The reason for the success is that attackers have customised the ads to evade detection by the content scanning tools of Right Media, a leading ad exchange aggregator, Nadir said. The fictitious ads know to remove the malicious code if they detect the known IP addresses of the Right Media scanning servers.
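Because the ads change what they serve depending on the requesting IP address, a scan from a single known address is not enough. One defensive check is to fetch the same ad tag from several vantage points and compare the active content each one received. The sketch below is an added example, not code from the article, ScanSafe or Right Media; the function names and the sample HTML are constructed, and it assumes the creatives have already been fetched.

```python
from html.parser import HTMLParser

# Elements that can load or run active content, and the attribute naming it.
ACTIVE = {"script": "src", "iframe": "src", "embed": "src", "object": "classid"}


class ActiveContent(HTMLParser):
    """Collect (tag, reference) pairs for active elements in an ad creative."""

    def __init__(self):
        super().__init__()
        self.found = set()

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE:
            ref = dict(attrs).get(ACTIVE[tag]) or "(inline)"
            self.found.add((tag, ref))


def active_elements(html):
    parser = ActiveContent()
    parser.feed(html)
    parser.close()
    return parser.found


def cloaking_diff(views):
    """views maps a vantage-point label to the creative HTML served there.

    Returns {label: active elements served there but not to every vantage
    point}. An empty dict means all vantage points saw the same active content.
    """
    sets = {label: active_elements(html) for label, html in views.items()}
    common = set.intersection(*sets.values())
    return {label: s - common for label, s in sets.items() if s - common}


# Constructed samples: one ad tag fetched from a known scanner address and
# from an address the ad server has no reason to recognise.
SCANNER_VIEW = '<a href="https://advertiser.example/"><img src="banner.gif"></a>'
OUTSIDE_VIEW = SCANNER_VIEW + '<script src="https://cdn.example.invalid/x.js"></script>'

if __name__ == "__main__":
    print(cloaking_diff({"scanner": SCANNER_VIEW, "outside": OUTSIDE_VIEW}))
```

Any element that appears only for the non-scanner vantage point is a reason to pull the creative for manual review.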

The attack is particularly dangerous because users do not need to click on any malicious links to be infected, and most URL filters do not pick up the threat, Nadir said.

"In the past they had to drive you to the website," he said. "It's much easier to bring the threat directly to you on a popular site. You can imagine if this wasn't an old trojan from February, but was brand new and not detected. It could have been a lot worse."

Once ScanSafe began notifying affected sites, which also included Bebo and Ultimate Guitar, incidents declined significantly, Nadir said.

A Right Media spokesperson did not immediately return a telephone call seeking comment.

MySpace Chief Security Officer Hemanshu "Hemu" Nigam told SC Magazine earlier this year that MySpace planned to increase efforts urging its ad partners to conduct security checks. Last summer, the popular social networking site suffered from flawed banner ads that hosted the previously patched Windows metafile vulnerability, permitting drive-by downloads.

Secure Computing Magazine

 