Two major online ad networks, Google's advertising subsidiary DoubleClick and Microsoft's MSN ads service, were found to be serving malware via drive-by download exploits over the last week. A group of attackers tricked the networks into displaying their ads by impersonating ADShuffle.com, an online advertising technology firm.
"Users visit websites that incorporate banner ads from DoubleClick or rad.msn.com, the malicious javascript is served from ADShufffle.com (notice the three f's), starts a drive-by download process and if successful, HDD Plus and other malware are installed into the victim's machine, without having the need to trick the victim into doing anything or clicking on anything," according to security vendor Armorize. "Simply visiting the page infects the visitors."
Once the advertising networks were duped, the malicious banner ads used various exploits to install malware on victims' PCs via drive-by downloads. When a victim visited a site that was displaying one of the malicious banner ads, the user's browser contacted the ad server and pulled in the malicious ad content from ADShufffle. The malicious ad then used JavaScript to exploit one of a number of security flaws and install malicious files on the user's PC. The attacks exploited a wide variety of vulnerabilities in browsers and Adobe Reader.
It's a little worrying that adding a single letter was enough to get the ads past Microsoft's and Google's systems. Thankfully, the ad networks only served the malicious content for a short period of time.