November 22, 2004 3:50 PM PST

Attackers strike using Web ads

Online intruders breached the security of at least one server at advertising host Falk this weekend and used the computer to distribute an attack to the service's clients, including The Register, a technology news and opinion site.

Both Falk and The Register confirmed details of the attack, which infected some users' systems on Saturday morning. The problem was later corrected, Falk said. The attack used a recently discovered flaw in Microsoft's Internet Explorer 6 that has not yet been patched.

The attack used banner ads to infect victims' computers. According to security company Lurhq, the code delivered as an advertising banner redirects the browser through three other Web sites in succession, compromising the victim's computer further at each step. Once compromised, a system lets the attacker install additional programs.

"The attackers were not targeting...The Register," said Marcus Sachs, director of the Internet Storm Center, a network-monitoring group funded by the SANS Institute. "It just happens. If you did not have updated antivirus, you could have been hit by it."

The attack exposed, for the second time this year, the danger posed by compromised Web servers. In June, an attack that similarly used a flaw in Internet Explorer was posted to several Russian sites. By exploiting a centralized advertising hosting service with insecure servers, the latest attack found a way to spread more widely.

Advertising hosts serve banner advertisements to their Web site clients, so a single compromised host reaches every site that embeds its banners. What looks like a banner can carry malicious code, which is what happened when attackers breached the security of one of the servers at Falk, the company said.
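The banner-as-delivery-vehicle mechanism described above is what a publisher or ad host would want to screen for before serving third-party creative. The following is an added example, not code from the article, Falk or The Register: a small Python scanner that flags framing tags with overlong SRC or NAME attributes (the trait of the Internet Explorer 6 IFRAME overflow the article refers to, which was triggered by IFRAME, FRAME and EMBED tags carrying very long SRC and NAME values), hidden frames, client-side redirect hops, and references to hosts outside an allowlist. The allowlist, the hostnames and the two sample creatives are constructed for illustration.

```python
"""Static checks on third-party HTML ad creative before it is served.

Added example: scans a creative for the traits of the attack described in the
article. All hostnames and creatives below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts a creative is allowed to reference (constructed for this example).
ALLOWED_HOSTS = {"ads.example-adhost.net", "www.example-advertiser.com"}

# The IE 6 IFRAME overflow was triggered by IFRAME/FRAME/EMBED tags carrying
# very long SRC/NAME attributes; legitimate creative never needs this.
MAX_ATTR_LEN = 256
FRAMING_TAGS = {"iframe", "frame", "embed"}


class CreativeScanner(HTMLParser):
    """Collects findings while parsing one creative."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.off_network = set()

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag in FRAMING_TAGS:
            for key in ("src", "name"):
                if len(a.get(key, "")) > MAX_ATTR_LEN:
                    self.findings.append(
                        f"{tag}: overlong {key} attribute ({len(a[key])} chars)")
            if self._is_hidden(a):
                self.findings.append(f"{tag}: hidden frame loads {a.get('src', '?')}")
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content="0;url=http://..." is a client-side redirect hop
            for part in a.get("content", "").split(";"):
                part = part.strip()
                if part.lower().startswith("url="):
                    self.findings.append(f"meta refresh to {part[4:]}")
                    self._note_host(part[4:])
        for key in ("src", "href", "data"):
            if key in a:
                self._note_host(a[key])

    @staticmethod
    def _is_hidden(a):
        style = a.get("style", "").replace(" ", "").lower()
        return (a.get("width") == "0" or a.get("height") == "0"
                or "display:none" in style or "visibility:hidden" in style)

    def _note_host(self, url):
        parts = urlsplit(url.strip())
        if parts.scheme in ("http", "https") and parts.hostname:
            host = parts.hostname.lower()
            if host not in ALLOWED_HOSTS:
                self.off_network.add(host)


def scan_creative(html):
    """Return a list of findings; an empty list means nothing suspicious."""
    scanner = CreativeScanner()
    scanner.feed(html)
    scanner.close()
    for host in sorted(scanner.off_network):
        scanner.findings.append(f"references off-network host {host}")
    return scanner.findings


# Constructed sample creatives (not real ads or real hostnames).
BENIGN_BANNER = (
    '<a href="http://www.example-advertiser.com/promo">'
    '<img src="http://ads.example-adhost.net/banner.gif" width="468" height="60"></a>'
)
MALICIOUS_BANNER = (
    '<img src="http://ads.example-adhost.net/banner.gif" width="468" height="60">'
    '<iframe src="http://first-hop.example/a.html" width="0" height="0"></iframe>'
    '<iframe src="http://exploit-hop.example/x.html" name="' + "A" * 1000 + '"></iframe>'
)

if __name__ == "__main__":
    for label, creative in (("benign", BENIGN_BANNER), ("malicious", MALICIOUS_BANNER)):
        print(label, scan_creative(creative) or ["clean"])
```

Running the module prints the findings for both samples; the benign banner produces none. A static check like this catches only what is present in the creative at review time; a banner that is swapped on the ad server after approval, as happened here, bypasses it, which is why a publisher's remaining control is to stop serving the third party's ads altogether.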

"This attack made use of a weak point on this specific type of load balancer," Falk said in a statement. "The function of a load balancer is to evenly distribute requests to the multiple servers behind it. The system concerned was only used to handle a specific request type to our ad server and has now been investigated."

The attack is not a virus: once it infects a user's system through Internet Explorer, the program does not spread further on its own. Many reports, however, conflate the Internet Explorer vulnerability, known as the IFRAME vulnerability, with the Bofra virus, which has used the flaw to spread. Bofra was originally described as a variant of the MyDoom virus. Lurhq referred to the program used in the latest attack as Trojan.Agent.EC.

"The (program) was originally introduced to our European network, where it was first detected," Falk said in a statement. "As of 11:30 a.m. GMT (3:30 a.m. PST Saturday), the virus was removed from all Falk European and U.S. networks, and normal ad delivery was restored."

The Register blocked banner advertisements during the incident and said it does not plan to resume the service until Falk can make assurances regarding the security of its ads.

"We have asked Falk for an explanation and for further details of the incident, and pending this we do not intend to restart ad-serving via the company," The Register said in a statement. "Although the matter was beyond our direct control, we do not regard it as acceptable for any Register reader to be exposed in this way."

Microsoft pointed out that the attack infects only PCs running Internet Explorer 6 without the Windows XP Service Pack 2 update.

"Microsoft is working to forensically analyze the malicious code in Bofra and will work with international law enforcement to identify and bring to justice those responsible for this malicious activity," the company said in response to the Falk attack. "Microsoft is taking this vulnerability very seriously; accordingly, an update to correct the vulnerability is currently in development."

A representative of Microsoft, which has offered rewards for leads on virus attacks in the past, would not comment on whether the company plans to offer a reward for leads on Falk's attacker or on those responsible for the Bofra virus.

4 comments

So, non-XP PCs are open to infection
Since only those having XP SP2 are protected, more than 50% of the world is open to infection, right?

MS's answer? Upgrade to XP. No doubt.
My answer? Exit IE, Firefox here I come.
Posted by 203129769353146603573853850462 (97 comments )
The problem with SP2
The problem with SP2 is that it breaks things. Too many things that work on non-SP2 IE stop working on SP2. Then perhaps one can get them to work by turning off some security things, but then you're not protected. As far as I see, SP2 only disabled some features by default and placed some intimidating notices saying you're taking a risk when using them.
Posted by hadaso (468 comments )
No doubt
http://www.analogstereo.com/audi_s6_owners_manual.htm
Posted by Ubber geek (325 comments )
Banner bashing of browser
The real bad person here is not the hacker... it's the browser builder who, after years of having a product, will not secure it for all users.
Posted by Sonny Lyon (4 comments )