Google DoubleClick Unknowingly Served Up Malicious Ad
JavaScript-based drive-by attack automatically infected website visitors with fake antivirus
Major online ad network Google DoubleClick this month inadvertently posted a malicious advertisement on websites that infected users visiting sites running the ad.
This was no typical malvertising campaign attack, says Wayne Huang, CTO and researcher at Armorize, who discovered the threat. The ad automatically installs a rogue antivirus program on the victim's computer and holds it for ransom until the user purchases software to "fix" it.
"It's a JavaScript program that tries to exploit multiple vulnerabilities in your browser. It will succeed and then a malicious program is installed without the website or malicious ad tricking you to" install it," Huang says.
The malicious program includes both a backdoor Trojan and the fake AV. "It's a real Windows program, and if you try to execute another program, it won't let you do anything. It tells you your hard disk is failing," he says.
The malware in question is HDD Plus, which has been mysteriously spreading around the Internet during the past few days, including via msn.com, according to Armorize. "A lot of people were talking about it, but no one said one of the means it was spreading was through DoubleClick," Huang says.
The attackers used a name similar to the legitimate AdShuffle online ad firm, but with an extra letter "f," just enough to fool DoubleClick into posting the ad on websites. The ads first appeared around Dec. 4, and DoubleClick had caught and removed the malicious ad, which featured greeting cards as well as other items, by Dec. 8, according to Huang, who says he doesn't know how many users might have been infected.
The malware targets Internet Explorer, but it also uses exploits that go after PDF plug-in flaws in other types of browsers. Huang says most AV packages should detect the malware now. The attack demonstrates just how easy malvertising attacks can be executed, he says.
"You don't need to compromise a website, just submit an ad on an exchange," he says. "It's as easy as registering a similar domain name as an existing advertiser."
Huang is posting a blog here today with more details on the attacks.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author
You May Also Like