Monday, June 22, 2009

Ad servers being used to spread exploits

Tonight I went to look at Blue's News to see what's up in gaming today. Firefox popped up a dialog wanting to save a file called 941.pdf. It's not the first time this has happened, but this time I decided, sure, since I'm on Ubuntu, let's have a look at the thing.
> ls -l 941.pdf
-rw-r--r-- 1 uid gid 14720 2009-06-22 20:14 941.pdf
> file 941.pdf
941.pdf: PDF document, version 1.1
> evince 941.pdf
Error: PDF file is damaged - attempting to reconstruct xref table...
Sure looks fishy.

Running 'strings -a' showed some Javascript that included a long string containing the payload. Next I looked into the machine that served up the file.
> host has address has address has address
> host domain name pointer
> host domain name pointer
> host domain name pointer
Searching on didn't turn up much, but a search on led to this blog from April 9th, Another virus infection, courtesy of Yahoo News which opens:
Major web sites like and are infecting thousands, if not hundred thousands of computers with trojans, back doors, and other viruses, through some of their ad service providers. When will the people in charge of these web sites wake up and start screening the ads that they are serving?
Apparently the blogger over there was infected, and after cleaning up he traced his infection back to good old

So after two and a half months, this advertising outfit is still spreading exploits in addition to the ads. Why is such an irresponsible company still in business?

No comments:

Post a Comment