Thursday, Sep 24, 2009

Weekend Run of Malvertisements

Between Sep 19-21, malicious banner ads were served via multiple popular sites, including drudgereport.com, lyrics.com, horoscope.com and slacker.com. The ads delivered a trojan downloader using a variety of Adobe PDF exploits as well as the Microsoft ActiveX DirectShow exploit described in MS09-032. Detection of the malicious PDF is quite low, with only 3 out of 41 scanners detecting it, as seen in this VirusTotal report.

Why is the malicious PDF so difficult to detect?
Today's attackers typically generate the delivered PDF files on the fly, applying various algorithms/filters that introduce just enough variation from the original that signature-based detection fails to match it. ScanSafe Outbreak Intelligence is able to effectively parse these PDF files (i.e. break them down into their functional components) and thus detect the exploits contained within, regardless of the algorithm/filter used.

What does the malware do?
The malware attempts to download additional trojans via the Web. The malware also includes the ability to intercept and tamper with a user's searches, including the ability to redirect them to websites other than the ones they expected, which can lead to further malware infestation. Detection of the trojan is low, as can be seen in this VirusTotal report.

What malware domains were used?

A variety of malware domains were used in the attack. The domains were initially registered on Sep 19th and 20th, and abruptly ceased operation on Sep 22nd. The characteristics of the domains, including the naming conventions used and the abrupt cessation, point to the likelihood that these domains were registered via free dynamic, virtual DNS hosts. These hosts are particularly attractive to attackers, as they enable the attacker to map a domain name of their choosing to a specific IP address, at no cost. They also enable the attackers to change this mapping repeatedly over the course of an attack.

In this latest example of malvertising, the domain naming all followed the same convention: 3 random letters for the sub-domain, followed by 6-8 random letters for the primary domain, followed by .net. For example, 'tqq.qyewea.net', 'wio.lkveoa.net', 'nzs.dtiuooa.net', 'zto.hvloqew.net', etc.
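As an added example (not part of the original post), the following Python script shows one way a defender could hunt for this campaign's naming convention in resolver logs and group the matching names by the IP they resolved to, which surfaces the "many throwaway names, one address" shape of dynamic-DNS abuse described above. The log lines, client addresses and answer IPs are constructed sample data; the naming pattern alone is noisy (e.g. www.example.net fits it), so the script only flags an IP once several such names point at it.

```python
import re
from collections import defaultdict

# Naming convention observed in the campaign: 3-letter sub-domain,
# 6-8 letter second-level label, .net TLD (e.g. tqq.qyewea.net).
MALVERT_HOST_RE = re.compile(r"^[a-z]{3}\.[a-z]{6,8}\.net$")

# Constructed sample resolver log (not real data): time, client, queried host, answer IP.
SAMPLE_DNS_LOG = """\
2009-09-20T13:02:11 10.1.4.22 tqq.qyewea.net 192.0.2.10
2009-09-20T13:02:12 10.1.4.22 cdn.example.com 198.51.100.5
2009-09-20T13:07:45 10.1.4.37 wio.lkveoa.net 192.0.2.10
2009-09-20T14:11:03 10.1.4.22 nzs.dtiuooa.net 192.0.2.10
2009-09-20T14:40:19 10.1.4.51 www.example.net 198.51.100.9
2009-09-21T09:15:30 10.1.4.37 zto.hvloqew.net 192.0.2.11
2009-09-21T09:16:02 10.1.4.37 api.example.org 198.51.100.12
"""

def matches_convention(host):
    """True if the hostname fits the campaign's naming pattern (the pattern alone is noisy)."""
    return MALVERT_HOST_RE.match(host.lower()) is not None

def parse_log(text):
    """Parse whitespace-separated log lines into (timestamp, client, host, ip) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, client, host, ip = line.split()
            records.append((ts, client, host, ip))
    return records

def cluster_by_ip(records):
    """Group convention-matching hostnames by the IP they resolved to."""
    clusters = defaultdict(set)
    for _, _, host, ip in records:
        if matches_convention(host):
            clusters[ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in clusters.items()}

def suspicious_ips(records, min_hosts=2):
    """IPs fronted by at least min_hosts distinct throwaway-style names."""
    return {ip for ip, hosts in cluster_by_ip(records).items() if len(hosts) >= min_hosts}

def affected_clients(records, ips):
    """Clients that resolved any flagged IP, for follow-up triage."""
    return sorted({client for _, client, _, ip in records if ip in ips})

if __name__ == "__main__":
    recs = parse_log(SAMPLE_DNS_LOG)
    flagged = suspicious_ips(recs)
    print("flagged IPs:", sorted(flagged))
    print("clients to triage:", affected_clients(recs, flagged))
```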

Why Malvertise?
Attackers use online ads for the same reasons a legitimate company would. When an attacker can infiltrate an advertising network, it enables them to reach a broad number of websites within a chosen category. This provides the attacker with the same return on investment that it would a legitimate advertiser: broad exposure to the audience of their choosing. And since today's malware is criminally profit-motivated, the merging of malware with advertising is a natural fit.

For more on this topic, download our Web 2.0wned whitepaper, which provides a historical overview of Black Hat SEO techniques and their impact on the Web today.
