2004年11月25日











IE Exploit Targets Banner Ad Servers
By Ryan Naraine,





The ubiquitous banner ad has become the latest delivery mechanism for exploit code
targeting a known flaw in Microsoft Corp.’s Internet Explorer browser.


During a 12-hour window over the weekend, hackers broke into a load balancing server
 that handles ad deliveries for Germany’s Falk eSolutions and successfully loaded
exploit code on banner advertising served on hundreds of Web sites.


“Users visiting Web sites that carry banner advertising delivered by our system were
periodically delivered a file from the compromised site. This file tries to execute
the IE-Exploit function on the users’ computer,” Falk eSolutions confirmed Monday.


The exploit (Bofra/IFrame) takes advantage of an IE vulnerability discovered and
reported to Microsoft earlier this month. It is a variant of the MyDoom virus that
launched zero-day attacks on vulnerable IE users two weeks ago.


PointerRead more here about the zero-day attacks.

The flaw, which does not affect IE users running Windows XP Service Pack 2 (SP2),
has not yet been patched.


Falk eSolutions said the affected AdSolution ad serving software is used by
more than 150 Web publishers, agencies and marketers worldwide, but it did not
say how many of those customers were affected.


Falk AdSolution clients include AtomShockwave, IDG, A&E Television Networks,
MediaCom and Universal McCann.


European tech publisher The Register was the first to notice that banner ads
served by Falk were launching exploit code to non-SP2 IE users.


“If you may have visited The Register between 6am and 12.30pm GMT on Saturday,
Nov 20 using any Windows platform bar XP SP2 we strongly advise you to check
your machine with up to date anti-virus software, to install SP2 if you are
running Windows XP, and to strongly consider running an alternative browser,
at least until Microsoft deals with the issue,” The Register said in a statement.


The site said it suspended ad serving by Falk eSolutions as soon as it discovered
the problem. At midday EST on Monday, The Register was still not serving banner ads.


PointerIE rival Mozilla Firefox 1.0 impresses eWEEK Labs. Read the review here.

In a brief note posted Monday, Falk said a virus found on its European network was “inadvertently redistributed” to a small number of users (calculated under 2 percent).


“As of 11:30 a.m. GMT, the virus was removed from all Falk European and U.S. networks,
and normal ad delivery was restored,” the company said.


Additional details on the network breach were provided to The Register, which posted
a
second notice outlining the problems with one of the ad server’s load balancers.


“This attack made use of a weak point on this specific type of load balancer. The
function of a load balancer is to evenly distribute requests to the multiple servers
behind it. The system concerned was only used to handle a specific request type to
our ad server and has now been investigated,” the note read.


“The use of a weak point in one of our load balancers led to user requests not being
passed to the ad servers. Instead the user requests were answered with a 302 redirect
to a compromised website. This happened with approximately every 30th request,”
the company added.



The SANS Internet Storm Center (ISC), which tracks malicious Internet activity,
said it was in the process of contacting other Falk customers in Sweden and the
Netherlands that may have also been compromised.


SANS ISC Director Marcus Sachs told eWEEK.com the fact that the ad servers were
used to distribute the exploit suggests that hundreds of sites, and possibly
millions of users, were affected.


Sachs said the Center is highly recommending that users ditch the affected IE
browser until Microsoft issues a fix.


eSeminarsTo learn about the latest IT security threats facing your organization and
what you can do to protect your systems, make sure to attend the Security Virtual Tradeshow.

“This is a strong candidate for an out-of-cycle Microsoft patch. There are real
exploits circulating with real security risks,” Sachs said, noting that the next
scheduled patch from Microsoft won’t be available until Dec. 14.


“The fact that this has already been fixed in SP2 suggests that Microsoft has
been aware of it for a very long time,” Sachs said, noting it was also very
possible that the vulnerability was fixed during the SP2 code rewrite.

The ISC is urging Web site operators that serve banner ads to verify the banners
do not contain the IFrame exploit code. “Or you might want to consider disabling
banner ads for a little while to minimize the risk of accidentally infecting your
users and propagating,” the Center said.


Because the vulnerability is easy to exploit, Sachs said it is very likely that
malware for this issue will emerge in many flavors and colors. In addition to the
possibility of becoming infected while surfing a Web site, there are e-mail
propagation vectors, he added.


PointerCheck out eWEEK.com’s Security Center for the latest security news, reviews
and analysis. And for insights on security coverage around the Web, take a look
at eWEEK.com Security Center Editor
Larry Seltzer’s Weblog.