AVG Blogs

Over one million AVG users protected from day-long wave of Blackhole-infected Web ads
Posted 304 days ago by TomK

When Good Ads Go Bad

Earlier this week numerous groups at AVG began noticing a massive wave of detections of Blackhole Exploit Kit being reported by many of our users. By midnight of that day, 1.6 million detections had been reported in about 12 hours.

Some customers notified us that LinkScanner was detecting Facebook as a malicious site. However, the actual detections of Blackhole Exploit Kit Type 2314 were a result of malicious ads passed along by an advertising service which were appearing on Facebook pages and those of other Web sites. To further complicate the situation, the malicious operators who were using the ads designed some of their ads with graphical features, color and typefaces that imitated the Facebook look.

We received the detection reports through the AVG opt-in, automatic “report back” function that reports the detections of several million AVG users. So, about one percent of AVG users were blocked from potentially malicious content thanks to LinkScanner. That’s about 1.3 million detections in the first 6 or 7 hours.
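The wave was visible because opt-in report-back data was being aggregated and a sudden jump stood out against the normal hourly volume. The following is an added example, not AVG's report-back pipeline, of how an analyst might bucket such reports by hour, flag hours that run well above the median baseline, and attribute the spike to a signature and referring host. The records are constructed; the date, hostnames, wave window and thresholds are assumptions, and the signature name is the one quoted in the post.

```python
"""Bucket opt-in detection reports by hour and flag an anomalous wave.

Added example for this post; it is not AVG's report-back pipeline.
The records are constructed, and the date, hostnames, wave window and
thresholds are assumptions chosen to illustrate the shape of the incident.
"""
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

SIGNATURE = "Blackhole Exploit Kit Type 2314"   # name quoted in the post


def make_reports():
    """Constructed report-back records: (timestamp, signature, referring host)."""
    day = datetime(2000, 1, 1)          # placeholder date; the post gives none
    rows = []
    for hour in range(24):
        wave = 13 <= hour < 19          # assumption: the wave runs 13:00-19:00
        n = 30 if wave else 2
        for i in range(n):
            ts = day + timedelta(hours=hour, minutes=(i * 7) % 60)
            if wave:
                rows.append((ts, SIGNATURE, "ox-d.served-now.com"))
            else:
                rows.append((ts, "Generic JS downloader", "ads.example.test"))
    return rows


def hour_of(ts):
    return ts.replace(minute=0, second=0, microsecond=0)


def hourly_counts(reports):
    """Detections per hour, sorted by hour."""
    return dict(sorted(Counter(hour_of(ts) for ts, _, _ in reports).items()))


def find_spikes(counts, factor=5, min_count=10):
    """Hours whose count is at least `factor` times the median hour
    (the median resists distortion by the spike itself) and above a floor."""
    baseline = max(median(counts.values()), 1)
    return [(h, n) for h, n in counts.items()
            if n >= min_count and n >= factor * baseline]


def attribute(reports, spike_hours):
    """Which signature/referrer pairs drive the spike hours."""
    hours = set(spike_hours)
    pairs = Counter((sig, host) for ts, sig, host in reports if hour_of(ts) in hours)
    return pairs.most_common(3)


if __name__ == "__main__":
    reports = make_reports()
    counts = hourly_counts(reports)
    spikes = find_spikes(counts)
    for h, n in spikes:
        print(f"{h:%H:%M} {n} detections")
    print(attribute(reports, [h for h, _ in spikes]))
```

Using the median rather than the mean as the baseline matters here: a six-hour wave of this size would drag a mean upward and hide part of itself, whereas the median stays at the quiet-hour level.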

The ad server supplying the ads apparently had been compromised by intruders who installed the Blackhole Exploit Kit malware. That code injects malicious JavaScript into pages served from the compromised Web server. Typically, JavaScript associated with Blackhole grabs other malicious scripting from yet another server in order to compromise the security of Web users visiting the site – a drive-by malware attack.

In this case, the compromised Web server, acting as an ad server, provided the content of advertisements to various other Web sites, so pages were served off ox-d.served-now.com into the advertising spaces of pages on those other Web sites. Following the compromise of the ad server, the advertising pages it served contained the intended advertisements plus the Blackhole exploit script.

Ad server page injected with Blackhole:

In the image above, the HTML source highlighted in blue is the original, intended content of the advertisement while the non-highlighted text is the Blackhole script. Once deobfuscated, we see what that script is intended to do:

After testing for various features and versions of the Web browser visiting the site, this script’s main intention is to inject an Iframe into the current webpage. This is a bit convoluted, but it means that the contents of a Web page from the server banner.blawg.ch will be injected into a page, via ads from ox-d.served-now.com.

Note that you do not have to click on the ad, or interact with it in any way, for the malicious functionality described from here on to occur. Simply visiting a page where such ads are displayed is enough to trigger malicious code that could lead to credit card fraud, identity theft and various pieces of nasty software being installed on a Web user’s computer.

Continuing on this trail of digital breadcrumbs: the page from banner.blawg.ch looks like this:

The important information here is the part highlighted in blue. No script is involved in injecting it into the page any longer, so there is no script obfuscation to undo; the page simply places everything in an Iframe which calls a URL from a-fetish-world.com.

The essential mechanism on this page is the call to PluginDetect at the end of the page, as seen in the blue highlighted text above. The value of the installed version of Java is assigned to a variable and then added to the parameters in a URL, also at a-fetish-world.com. PluginDetect can detect various browser plugins and add-ons and also report the installed versions.

That URL redirects to a page on yet another server – mcooking.info. This page calls a Java applet that is version-dependent (based on the earlier PluginDetect call) and exploits a suitable vulnerability in the browser’s installed version of Java to download and run several Windows executable programs. The URLs from which these programs are fetched are decoded by the Java applet from a parameter passed to it, as highlighted in the image below.
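The first two hops of the chain described above, an obfuscated loader script appended to an otherwise legitimate ad and an Iframe pulling content from a host the publisher never intended, are exactly what a publisher or ad-quality team can check for in the HTML an ad server returns. The following is an added example, not AVG's LinkScanner code, that scans served ad HTML for scripts combining several obfuscation calls, for frames and scripts sourced from hosts outside an allowlist, and for frames the visitor cannot see. Both HTML samples are constructed; the allowlist and the 1x1/hidden-frame heuristic are assumptions, while the hostnames are the ones named in the post.

```python
"""Flag injected iframes and obfuscated scripts in HTML served by an ad server.

Added example for this post; it is not AVG's LinkScanner code. The two
HTML samples are constructed. The allowlist and the 1x1/hidden-frame
heuristic are assumptions; the hostnames are the ones named in the post.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only host the publisher expects ad resources to come from.
EXPECTED_HOSTS = {"ox-d.served-now.com"}

# Calls that, in combination, are typical of an obfuscated loader script.
OBFUSCATION_TOKENS = ("eval(", "unescape(", "fromCharCode", "document.write(")


class AdPageScanner(HTMLParser):
    """Collects (finding, detail) tuples while parsing one ad page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self._check_iframe(a)
        elif tag == "script":
            self._in_script, self._script = True, []
            if a.get("src"):
                self._check_host("script", a["src"])

    def handle_data(self, data):
        if self._in_script:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script)
            hits = [t for t in OBFUSCATION_TOKENS if t in body]
            if len(hits) >= 2:        # one such call alone is common in honest code
                self.findings.append(("obfuscated-script", ", ".join(hits)))

    def _check_host(self, kind, url):
        host = urlparse(url).hostname
        if host and host not in EXPECTED_HOSTS:
            self.findings.append((f"foreign-{kind}", host))

    def _check_iframe(self, a):
        src = a.get("src", "")
        self._check_host("iframe", src)
        # A frame the visitor cannot see serves no advertising purpose.
        w, h = _px(a.get("width")), _px(a.get("height"))
        style = (a.get("style") or "").replace(" ", "").lower()
        if (w is not None and w <= 1) or (h is not None and h <= 1) \
                or "display:none" in style or "visibility:hidden" in style:
            self.findings.append(("hidden-iframe", src))


def _px(value):
    """Leading integer of a width/height attribute, or None if absent."""
    m = re.match(r"\d+", str(value or ""))
    return int(m.group()) if m else None


def scan_ad_html(html):
    p = AdPageScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed: what the ad server served before the compromise.
CLEAN_AD = """<div class="ad"><a href="http://ox-d.served-now.com/click?id=1">
<img src="http://ox-d.served-now.com/banner.png" width="300" height="250"></a></div>"""

# Constructed: the same ad with an appended loader and a hidden iframe
# pointing at the second-stage host named in the post.
TAMPERED_AD = CLEAN_AD + """
<script>var q="%3Cscript%3E";eval(unescape(q));</script>
<iframe src="http://banner.blawg.ch/index.php" width="1" height="1"
 style="visibility: hidden"></iframe>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_AD), ("tampered", TAMPERED_AD)):
        print(name, scan_ad_html(page))
```

The allowlist is the strongest of the three checks: the obfuscation and hidden-frame heuristics are easy for an attacker to vary, but an ad creative that frames content from a host the publisher has never approved is a policy violation regardless of how it is dressed up.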

So, the initial script injection into the ad server’s advertisements eventually led to a drive-by malware attack via one of several Java exploits. The malware binaries included bots and backdoors, and something to make the bad guys more money – a Fake AV called Security Shield.

Below are some screenshots of just a few of the ads that users might have seen on legitimate Web pages that had been tampered with, as described above. They are shown out of the context of a Web page, where they would have been integrated with the other elements on the page.

The AVG Web Threats Research team investigated a similar incident in July in which LinkScanner detected a massive number of malicious ads on YouTube.

– Web Threats Research team