
Hackers’ Attack Via OpenX Servers

Researchers at Sophos caution that cyber criminals are hijacking outdated OpenX servers to deliver malicious advertisements on other websites. The most recent attack uses a cocktail of exploits to infect visitors with malware, as reported by SoftPedia on July 1, 2010.

OpenX is an open-source advertising server. Anyone wishing to serve advertisements can download, install and run it themselves. The researchers state that users who have the required means may be attracted to maintaining this kind of server in order to sell advertisement-placement services.

But in terms of security, running this kind of server can prove extremely risky if it isn't routinely updated. Criminals are quick to hijack any such OpenX server because it allows an attacker to plant malware on all sites that load advertisements from it, thereby putting numerous users at risk.

In the new attack, obfuscated malicious JavaScript is injected into the HTML of the advertisements, which are then delivered via the hijacked servers.

Once de-obfuscated, the script introduces an iframe so that the infected web page loads another harmful script. This yields yet another obfuscated script, which in turn redirects visitors to still another.
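For operators of an ad server, the two traits described above (obfuscated inline script and an injected iframe) can be checked for in stored ad creatives. The following is an added example, not code from Sophos or from the original article; the allow-listed host names, the thresholds and the sample banners are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this ad server is expected to reference (constructed names).
ALLOWED_HOSTS = {"ads.example.com", "cdn.example.com"}
# Calls commonly used to unpack obfuscated script at run time.
UNPACKERS = re.compile(r"\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(")
# A long run of %XX or \xXX escapes suggests an encoded blob.
ENCODED_RUN = re.compile(r"(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}){8,}")

class CreativeAuditor(HTMLParser):
    """Collects findings for one stored ad creative (banner HTML)."""
    def __init__(self):
        super().__init__()
        self.findings, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        self._in_script = tag == "script"
        host = urlparse(a.get("src", "")).hostname
        if tag in ("iframe", "script") and host and host not in ALLOWED_HOSTS:
            self.findings.append(f"{tag} loads from unlisted host: {host}")
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
        if tag == "iframe" and (tiny or hidden):
            self.findings.append("hidden iframe")

    def handle_endtag(self, tag):
        self._in_script = False

    def handle_data(self, data):
        if not self._in_script:
            return
        calls = set(UNPACKERS.findall(data))
        if len(calls) >= 2 or ENCODED_RUN.search(data):
            self.findings.append("obfuscated inline script: " + ",".join(sorted(calls)))

def audit_creative(html):
    parser = CreativeAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed samples: a clean banner, and the same banner with content appended.
CLEAN = ('<a href="https://ads.example.com/ck?b=1">'
         '<img src="https://cdn.example.com/b1.png" width="468" height="60"></a>')
TAMPERED = (CLEAN + '<script>var s=unescape("' + "%41" * 10 + '");eval(s);</script>'
            '<iframe src="http://unlisted.invalid/x" width="1" height="1"></iframe>')
```

Running `audit_creative` over every stored banner and alerting on any non-empty result gives a cheap integrity check between software updates; legitimate creatives that use `document.write` alone are not flagged by the two-call threshold.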

This final code comes from an attack toolkit that first runs several checks to determine what software is installed on the visitor's PC. It then delivers malicious JavaScript along with PDF file(s) that exploit client-side security flaws to drop the payload on the victim's system.

According to Fraser Howard (senior virus researcher at Sophos), the new attack uses malicious class files that abuse the HsbParser.getSoundBank security flaw (CVE-2009-3867) along with an old privilege escalation flaw in the handling of ZoneInfo objects during deserialization (CVE-2008-5353), as reported by Sophos on July 1, 2010.

Sophos detects the corrupted advertisements and each script as Mal/ObfJS-CR. The harmful JavaScripts are detected as Troj/Clsldr-U and Troj/BytVrfy-C, the malicious PDF as Troj/PDFJs-LE, and the payload as Mal/TDSSPack-Z.

Meanwhile, the security researchers concluded that the attack is a reminder of how third-party applications and software should be used during web-content development.


» SPAMfighter News - 7/10/2010
