Posted by: Robert Westervelt
web application flaws
Advertising networks DoubleClick, YieldManager and FastClick have supplied a series of malicious banner ads to several popular legitimate websites this week.
Security vendor ScanSafe says it has discovered a series of malicious banner ads appearing on popular websites, including drudgereport.com, horoscope.com and lyrics.com. While the discovery is far from groundbreaking, it supports the recent SANS Institute report showing legitimate websites increasingly being targeted by attackers.
Making it even more difficult for legitimate website owners is the third-party relationship they have with popular advertising networks. Let’s face it, advertising networks are what keep many websites afloat. Without DoubleClick, YieldManager, FastClick and others, many website owners wouldn’t be able to get a snapshot of their audience or provide relevant visitor data to potential advertisers. In this case it appears that the three ad networks I named inadvertently delivered the malicious ads.
The malicious ads delivered PDF and DirectShow exploits engineered to silently install a Trojan downloader. The installed malware attempts to download further malware, intercepts and tampers with Web searches and can redirect the user to sites other than expected – including sites that can lead to further malware infestation.
The malicious ads appeared on the sites between Sept. 19 and 21. They took advantage of another rising concern highlighted in the SANS report – client applications not being fully patched. In this case, the attackers were targeting PDF and DirectShow flaws for which updates should already have been applied to client machines.