Malvertizing Oracle-Sun

Over the past couple months, some advertising networks have been distributing ads that redirect browsers to sites hosting exploits.

Spotify’s advertising network was most recently outed (note that it is the third party banner ads rotating through the client’s ad frames). Most of the redirections we have been been monitoring have sent users to a variety of servers in the .cc TLD. We have been working with providers to ensure the ads aren’t on their networks, but the groups have been active in rotating malvertizing banners through multiple networks.

The hits on these ads, for the most part, have redirected browsers to Java, Adobe and Microsoft HCP related exploits. We are detecting this exploit content with a variety of names: Exploit.Java.CVE-2010-0840.a-f, Trojan-Downloader.Java.Openconnection.dt, Trojan.Win32.FakeWarn.d, Exploit.HTML.CVE-2010-1885.aj, Exploit.Script.Generic, Exploit.JS.Pdfka.cwm, Exploit.JS.Pdfka.dhm and more. All are a part of the Blackhole Exploit kit. At some point, our broader solutions kick in and just block connections with the web pages altogether.

Most of the redirects that we saw early on were from unusual adult interest sites, but the distributors have become more aggressive and managed to rotate their ads through major IM, webtailers’ regional sites and webmail provider sites too. At least that group of ads seem to have been dealt with properly. However, unpatched and unprotected systems that are being successfully exploited and download a variety of malware from these sites, including FakeAv, the more serious TDSS rootkit, Papras and Zbot banking credential stealers, among others.

The Blackhole exploit kit may not have the largest install base online, but because its hosters are abusing some of the bigger advertising networks to co-ordinate redirection to their exploit pages on these .cc servers. Accordingly, detections for their Java, pdf and hcp exploits are very high. Every eight hours during higher activity, our KSN network counts the prevention of a very high volume of attacks from .cc domains.