Google’s DoubleClick ad servers and Zedo serve aggressive malware to millions
Cyber criminals have exploited the reach of two of the biggest online advertising networks, Google’s DoubleClick and the Zedo ad agency, to deliver malicious ads to millions of internet users, ads that could install malware on a user’s computer.
Malwarebytes researchers encountered some strange behavior popping up on sites such as Last.fm, The Times of Israel as well as The Jerusalem Post. Researchers commented that the highly unusual ad activity on those sites was very aggressive, setting off anti-virus warnings and raising flags in a number of Malwarebytes systems.
Malvertising is not a new technique used by cyber criminals, but Jerome Segura, a senior security researcher with Malwarebytes, wrote in a blog post that his company “rarely see attacks on a large scale like this.”
“It was active but not too visible for a number of weeks until we started seeing popular sites getting flagged in our honeypots,” Segura wrote. “That’s when we thought, something is going on.”
The first impressions came in late August, and by now millions of computers have likely been exposed to Zemot, although only those with outdated antivirus protection were actually infected.
According to Segura, the malicious advertisements lead users to websites hosting the Nuclear exploit kit, which looks for an unpatched version of Adobe Flash Player or Internet Explorer running on the victim’s system. If it finds one, it downloads the Zemot malware, which then communicates with a remote server and downloads a wave of other malicious applications.
However, by the time the malware was spotted, millions of computers may already have been exposed to Zemot, the researcher said, but he also added that only those users with out-of-date antivirus protection were actually infected by the malware.
The Zemot malware was identified by Microsoft earlier this month. According to Microsoft, Zemot is distributed not only by the Nuclear exploit kit but also by the Magnitude exploit kit and the Kuluoz spambot malware. The malware focuses on computers running Windows XP, although it can also infect more modern operating systems on both x86 and 64-bit machines.
The malware can bypass the security software installed on the system before infecting the computer with additional malware, which makes the attack difficult to detect on an affected system.
A Google representative confirmed the incident, saying that the team was aware of it, has since shut down all the affected servers that were redirecting to malicious code, and has disabled the ads that delivered malware to users’ computers.