In late September, advertisements appearing on a host of popular news and entertainment sites began serving up malicious code, infecting some visitors’ computers with a backdoor program designed to gather information on their systems and install additional malicious code.

The attack affected visitors to The Jerusalem Post, The Times of Israel, The Hindustan Times, Internet music service, and India-focused movie portal Bollywood Hungama, among other popular sites. At the center of the malware campaign: the compromise of San Francisco-based Internet advertising network Zedo, an advertising provider for the sites, whose network was then used to distribute malicious ads.

For ten days, the company investigated multiple malware reports, retracing the attacker’s digital footsteps to identify the malicious files and shut the backdoor to its systems.

“Our system is now clean,” Francine Hardaway, marketing director, said in an e-mail exchange with Ars on September 29.

The incident highlights the dangers posed by attackers’ increasing use of advertising networks as a platform from which to target victims and distribute malware. Known as malvertising, the attack technique can be a fairly inexpensive way to infect systems and is often difficult to detect because the malicious advertisement is one of many delivered to visitors.

In the original attacks on visitors to The Jerusalem Post, The Times of Israel and, for example, only every third advertisement included the malicious code, according to Malwarebytes, the security firm that originally detected the attacks coming from Zedo’s network on September 18. Often the rates of malware are much lower, with, for example, every 100th advertisement serving up malware.

“There is typically a rotation of ads,” Jerome Segura, senior security researcher at Malwarebytes Labs, told Ars Technica. “When you refresh the page, you will get different ads. We were not getting hit every single time.”

Responding to Malwarebytes’ reports and given impetus by Google’s shutdown of the advertising campaign, Zedo began investigating in earnest on September 19. The advertising provider first focused on its content delivery network after noticing that the malicious ads were still being delivered even though it had deleted them from its internal systems.

“ZEDO has taken immediate action to detect and eliminate the malicious code that caused malware to be delivered inadvertently to some customers last week,” the company said in a statement announcing it was investigating the attacks on September 26.

On Sunday, however, another security firm, Barracuda Networks, detected continued attacks emanating from Zedo’s network and appearing on the websites of The Hindustan Times, India-focused movie portal Bollywood Hungama, and, among others. The attacks showed signs of technical sophistication, limiting malicious functionality and using forged or stolen code signatures to appear legitimate, Daniel Peck, principal research scientist at Barracuda Labs, told Ars.

The techniques made it much harder to detect the attack initially and likely made this particular malvertising campaign more expensive for the attackers, he said.

“They essentially create a trap, where they will show benign ads to create a sense of trust and then they will turn malicious at the appropriate time to try to infect as many systems as possible and recoup that investment,” Peck said.

The countermeasures made detecting the malware that much harder.

After focusing on the content distribution network, Zedo’s continued investigation discovered that one of the online tools that it provides to advertisers had a vulnerability, allowing the attacker to infiltrate the company’s network.

“Attacker has uploaded PHP code which was capable of scanning system and getting access to some of the internal machines,” the network engineer responding to the incident wrote in a synopsis provided to Ars.

Zedo is not alone in being targeted by attackers. On September 30, Malwarebytes planned to publish an analysis of another attack involving Google’s Doubleclick, the OpenX ad exchange and First Impression ad services. It’s unclear where in the chain of advertising services the malvertisement was introduced. The Examiner is among the sites impacted by the malvertising campaign, according to Malwarebytes.

“Upon our discovery we immediately notified Google, and, although they are not directly responsible, the publisher is trusting them to only allow ‘clean’ ads,” the company wrote in the analysis.

In Zedo’s case, the company believes that, this time, it has shut down the attacker’s access to its network. The company will continue to monitor its network for signs of intrusion, according to Zedo’s Hardaway.

“This compromise has been thoroughly researched and fixed … we’re on it 24:7,” she said.
