[Owasp-Malaysia] Vulnerable ad servers exploited to compromise sites

Mohd Fazli Azran mfazliazran at gmail.com
Tue May 11 08:35:47 EDT 2010

Several sites running the OpenX <http://www.openx.org/> free advertisement
server were compromised this week, leading to a tenfold increase in
malicious PDF exploit attempts detected by researchers at web security firm
Blue Coat.

All but one of the compromised sites were using an outdated and vulnerable
version of OpenX, which attackers exploited to host a piece of malicious
JavaScript code on the ad server, Tim Van Der Horst, malware engineer at
Blue Coat, told SCMagazineUS.com on Friday.

The malicious JavaScript creates an invisible IFRAME, which opens a
background connection to an attack site that silently tries to infect users
with a variety of exploits, including ones against Adobe Reader. Affected
sites include a Nigerian news outlet and others pertaining to Filipino
boxing, HTML tutorials, Venezuelan sports and Italian iPhones.

“Looking through yesterday's logs, there were 12 sites compromised this
way,” Van Der Horst said.

OpenX announced <http://blog.openx.org/12/security-matters-2/> in December
that a remote vulnerability exists in version 2.8.2 of its software and
provided an update to fix the issue. All affected sites except the Italian
iPhone site were running this vulnerable version, Blue Coat researchers

They believe the Italian iPhone site, currently using the latest version of
OpenX, likely also was compromised while using a previous version and failed
to clean up the attacker's code during the update process. Another scenario
is that there is a new, undiscovered vulnerability in OpenX 2.8.5, the
latest version of the ad server.

A spokesperson for OpenX did not respond to a request for comment made by
SCMagazineUS.com on Friday.

The malicious PDFs used in the attacks are detected by most traditional
anti-virus scanners, Chris Larsen, senior malware researcher at Blue Coat,
told SCMagazineUS.com on Friday. In addition, having an up-to-date version
of Adobe Reader should protect users.

The victim sites are likely still infected and will continue to send traffic
to the malware network until they're cleaned up by their administrators,
Larsen said. A typical website today has many different components, making
it hard for webmasters to keep track of everything.

Mohd Fazli Azran
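The attack pattern the article describes (an invisible IFRAME injected into ad-server output, pointing at a third-party exploit site) is something a webmaster can check for in the HTML their own site serves. The following scanner is an added example written for this post; it is not code from SCMagazineUS, Blue Coat or OpenX. It uses only the Python standard library, and the page content, hostnames (`www.example-news.test`, `attack-site.invalid`) and the heuristics themselves are constructed assumptions, not indicators from the article.

```python
"""Heuristic scanner for injected hidden IFRAMEs in served HTML.

Constructed example for this mailing-list post (not Blue Coat's or OpenX's
code). A site administrator fetches the page their site (or ad server)
returns and runs it through flag_hidden_iframes() to spot the
invisible-IFRAME pattern: a frame that is zero-sized or hidden via CSS,
typically pointing at a host the site does not own.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS fragments that make a frame invisible to the visitor.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|left\s*:\s*-\d{3,}px|top\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)
# Inline scripts that assemble an <iframe> at runtime are the other common
# injection shape; this is a coarse heuristic, not a JavaScript decoder.
SCRIPT_IFRAME = re.compile(r"document\.write\s*\(.*iframe", re.IGNORECASE | re.DOTALL)


def _tiny(value):
    """True for a width/height of 0 or 1 (bare number or '1px')."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class _IframeCollector(HTMLParser):
    """Collects suspicious <iframe> tags and iframe-writing inline scripts."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._script_buf = []
            return
        if tag != "iframe":
            return
        src = attrs.get("src") or ""
        reasons = []
        host = urlparse(src).hostname
        if host and host != self.own_host:
            reasons.append("third-party src %s" % host)
        if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
            reasons.append("zero-size frame")
        if HIDDEN_STYLE.search(attrs.get("style") or ""):
            reasons.append("hidden via CSS")
        # A visible third-party frame is normal for ads; only report frames
        # the visitor cannot see.
        if "zero-size frame" in reasons or "hidden via CSS" in reasons:
            self.findings.append({"src": src, "reasons": reasons})

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            if SCRIPT_IFRAME.search("".join(self._script_buf)):
                self.findings.append(
                    {"src": "(built by script)", "reasons": ["document.write of iframe"]}
                )


def flag_hidden_iframes(html, own_host):
    """Return a list of {'src', 'reasons'} dicts for suspicious frames."""
    parser = _IframeCollector(own_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one legitimate banner, one injected hidden frame,
# and one frame written by an inline script. Hostnames are placeholders.
SAMPLE_PAGE = """
<html><body>
<h1>Daily News</h1>
<iframe src="http://ads.example-news.test/banner?zone=3" width="468" height="60"></iframe>
<iframe src="http://attack-site.invalid/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<script>document.write('<iframe src="http://other.invalid/x" width=1 height=1></iframe>');</script>
</body></html>
"""

if __name__ == "__main__":
    for hit in flag_hidden_iframes(SAMPLE_PAGE, "www.example-news.test"):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

Run against a page saved with `curl` (or the raw output of the ad-serving endpoint) the scanner reports the zero-sized `attack-site.invalid` frame and the script-built frame, while the visible 468x60 banner passes. It is a heuristic: attackers also obfuscate the injected script beyond a plain `document.write`, so a clean result is not proof the ad server is clean, and the article's own advice (upgrade OpenX and remove the attacker's code, not just patch over it) still applies.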