
February 18th, 2010

Ads poisoning – JS:Prontexi

Malware usually spreads through web infections placed on innocent, badly secured websites. Infiltrating ad networks is growing in popularity alongside those website infections, and we are now facing probably the biggest ad poisoning ever seen: all the important ad services are affected. This means that users might get infected just by reading their favourite newspaper or by running a search on a well-known web index. No user interaction is needed in this attack; the infection begins as soon as the poisoned ad is loaded by the browser, so this is not a form of social engineering. We have named the source of this attack JS:Prontexi: JavaScript code that initiates the infection on the victim's computer using various vulnerabilities, including the latest PDF exploits.

All avast! users with current virus databases are fully protected against this attack: we block the attackers from accessing your computer, and this also allows us to count the hits on machines participating in “avast! community IQ”. The following graph shows the number of incidents we counted in the last 6 days, in 4-hour windows. (The number of hits assigned to each service represents only avast! users; the absolute number of hits on a global scale would be much greater.)

[Figure: JS:Prontexi distribution chart]

Only the 8 most infiltrated ad services/websites are shown with their own line. The most compromised services are yieldmanager.com (Yahoo) and fimserve.com (FOX Audience Network), which together account for more than 50% of the hits. The list of poisoned ad services is not limited to the “TOP 8” shown in the graph above; the following domains are compromised too (with their hit counts):

  • unanimis.co.uk: 4593
  • xtendmedia.com: 4389
  • doubleclick.net: 4076
  • vuze.com: 3599
  • openx.net: 2978
  • globaltakeoff.net: 1915
  • specificclick.net: 1726
  • bidsystem.com: 1581

Almost all of the services above are advertising networks, so at least one website you read uses one of them. The actual JS:Prontexi files are not hosted on a single domain; the attack uses randomly generated domains. In some cases it even tries to disguise the domain by prefixing it with the familiar-looking “google.analytics.com”. The following list contains the JS:Prontexi domains we found in the last 6 days (we decided to remove 3 characters from each to make them inaccessible):

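The disguise described above (a trusted-looking label sequence such as "google.analytics.com" placed at the front of a throwaway hostname) can be spotted in proxy or DNS logs, because in a genuine hostname the owning domain is always at the end. The following detection script is an added example, not avast!'s code; the log format, the sample log lines and the ".info" hostname in them are constructed for illustration, and the list of two-level public suffixes is a deliberately small assumption.

```python
from urllib.parse import urlsplit

# Brand-like label sequences the post says the attacker prepends to its throwaway
# hostnames ("google.analytics.com.<random>.info"). In a genuine hostname the owning
# domain sits at the END, so these labels appearing at the FRONT is the tell.
DISGUISE_PREFIXES = ("google.analytics.com",)

# Small, assumed set of two-level public suffixes so the owning domain of
# "unanimis.co.uk" is reported as "unanimis.co.uk" rather than "co.uk".
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "co.in"}


def owning_domain(host: str) -> str:
    """Registrable (owner) domain of a hostname: 'a.b.example.info' -> 'example.info'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_disguised(host: str) -> bool:
    """True when a trusted-looking label sequence is only a prefix of the hostname."""
    host = host.lower().rstrip(".")
    return any(host.startswith(p + ".") for p in DISGUISE_PREFIXES)


def flag_requests(log_lines):
    """Scan constructed proxy-style lines ('<time> <client> <url>') and return
    (host, owning_domain) for every request that went to a disguised hostname."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line: skip it rather than crash the scan
        host = urlsplit(fields[2]).hostname or ""  # .hostname is already lowercased
        if is_disguised(host):
            hits.append((host, owning_domain(host)))
    return hits


# Constructed sample log; the ".info" hostname is a made-up stand-in for the
# post's "google.analytics.com.<random>.info" pattern, not a real indicator.
SAMPLE_LOG = [
    "2010-02-18T10:01:02 10.0.0.5 http://ad.yieldmanager.com/imp?z=1",
    "2010-02-18T10:01:03 10.0.0.5 http://google.analytics.com.randomlabel.info/in.cgi?3",
    "2010-02-18T10:01:04 10.0.0.7 http://www.google-analytics.com/ga.js",
    "2010-02-18T10:01:05 10.0.0.7 http://unanimis.co.uk/serve",
    "2010-02-18T10:01:06 10.0.0.9 http://GOOGLE.ANALYTICS.COM.other.co.uk/x",
]

if __name__ == "__main__":
    for host, owner in flag_requests(SAMPLE_LOG):
        print(f"disguised host {host} -> owning domain to block: {owner}")
```

The real Google Analytics host (www.google-analytics.com) is left alone because the brand labels there sit at the end of the name, which is exactly the property the check relies on.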

The JavaScript code hosted on these servers uses strong encryption and obfuscation, which leaves the scripts and exploit code mostly undetected by other AV vendors. The following links and images show detection of the malicious script and of the PDF exploit used to infect the victim’s computer.

[Figure: JS:Prontexi JavaScript detection]

http://www.virustotal.com/analisis/4ee895ed5a88de46f2725dbb907d0c41457e010d68e24504f0db43ec4c5166d6-1266404229

[Figure: JS:Prontexi PDF exploit detection]

http://www.virustotal.com/analisis/ff391d3c81d25dff32f3bb14cf7d86b230b7f7237e68ee9a63841c97382b7d30-1266404239

JS:Prontexi comes to life and brings a BIG WARNING, not only to AV vendors: advertising services and providers should be more careful about the content they distribute. Many people already dislike advertising of any kind; what happens if ads become the source of infection of their machines?

Categories: analyses, Virus Lab
  1. Dwarden
    February 18th, 2010 at 16:44 | #1

    Very nasty, and quite sad that it seems to be spreading so widely.
    (One wonders why the ad-running companies are not using some service framework to prevent this disease from spreading.)

    • February 18th, 2010 at 22:09 | #2

      Hello, well, there is probably no precedent – the current situation shows the problem in its nature, and each side must work on the solution (AV companies as well as advertising services). The other problem could be “the profit” – each shown/transferred/clicked/etc. ad generates income, no matter if the content was infected; it’s still income. The bad guys must pay for their “ad space”. The last question goes to the organizations offering their space to ads -> will they accept services delivering infections?

  2. Dawn
    February 18th, 2010 at 19:05 | #3

    Do you need the web shield for this? I disabled that function because it worsened my surfing speed. I only use File System Shield and Behavior Shield.

    • February 18th, 2010 at 22:18 | #4

      avast! is a complex product, and each part of it is important for it to run properly. If you disable any feature, you are lowering the power of the whole product – you are lowering its ability to protect you. Your configuration may work, but my recommendation is “turn all the providers on”.

  3. cbsmith
    February 18th, 2010 at 20:53 | #5

    Hi there guys. I actually work at Fox Audience Network. Could you contact me and share more details on the nature of this exploit? We’d like to do what we can to eliminate it.

  4. cbsmith
    February 18th, 2010 at 22:48 | #7

    @Jiri Sejtko

    Thanks. Got the e-mail. Looking forward to crushing this one.

  5. DeLeMa1804
    February 19th, 2010 at 01:22 | #8

    You could mention to those of us with a bit less knowledge that you do not have to “click” the ad to activate the hidden code. My experience indicates one only has to roll the mouse pointer across the ad.

    • February 19th, 2010 at 14:03 | #9

      You are right, JS:Prontexi attack doesn’t need any user interaction. Thank you for your hint.

  6. Clint
    February 19th, 2010 at 08:55 | #10

    Hi, I would just like to say that, as someone who has been using avast for a couple of years now, I like avast in that they are doing their best to protect their customers. I would just like to say to avast: keep up the great work and keep protecting us free avast customers from threats.
    Talk to you later.

  7. February 19th, 2010 at 12:57 | #11

    Hey, thanks for the info. It was quite surprising that Antivir detected the first one with its heuristics but not the second one, lol. Most probably they have not analyzed it yet, and that virus should be very dangerous.

    • February 19th, 2010 at 14:13 | #12

      As you can see, nearly all the PDF detections are generic – very similar to heuristic detections. It is simpler (but not simple) to create generic/heuristic detections for a specific format (PDF in this case) than heuristics targeted at a general format like text files (HTML, scripts, etc.).

  8. rich
    February 20th, 2010 at 00:54 | #13

    Hello,

    Thanks for the alert. Can you explain how the exploit works:

    –> does the ad code redirect to a site with code for the PDF and other exploits? Is an iframe involved?

    –> or is the code that initiates the PDF exploit contained in the ad itself?

    thanks,

    rich

    • February 21st, 2010 at 14:14 | #14

      Hello rich,

      I’m sorry about the response time. The ad code redirects to the randomly generated distribution domains -> the payload itself is located outside the ad services.

  9. Tom
    February 20th, 2010 at 02:32 | #15

    This was a very interesting blog. I posted a link to it over at the Wilders forum.

  10. steve
    February 22nd, 2010 at 12:17 | #16

    This is very interesting and I’m glad I ticked the Community box. I use AdMuncher to filter ads by the way.

  11. February 22nd, 2010 at 13:47 | #17

    This seems to be the most dangerous type of virus attack as of now since user interaction is not required. It may make the traditional antiviruses totally obsolete if not updated.

  12. February 23rd, 2010 at 14:45 | #18

    I have two computers, and this morning one of them is having obvious virus problems: I cannot see or get to the top of pages – it rolls down automatically. Is this the virus you are talking about? I installed avast on this computer and assumed it would cover both – obviously it has not. Have you any suggestions?

  13. February 24th, 2010 at 06:06 | #19

    Kathy :
    I have two computers, and this morning one of them is having obvious virus problems: I cannot see or get to the top of pages – it rolls down automatically. Is this the virus you are talking about? I installed avast on this computer and assumed it would cover both – obviously it has not. Have you any suggestions?

    Hi Kathy,

    Have you done a boot-time scan?
    Some viruses or malware cannot be detected by some AV vendors if you scan inside Windows, but if you do a boot-time scan before the applications load into Windows, then it will possibly be detected.

    Anyway, if you have any issue regarding avast or virus/malware attacks, then you may join us at: http://forum.avast.com

    Cheers,
    yanto chiang

  14. Jayson Messick
    February 24th, 2010 at 06:07 | #20

    Not to mention you now have a product that actually has third party software requirements for FULL functionality.

    BTW…do you guys actually send out the Support Center validation emails or is that just to make people think you might care?

    I know if I don’t ‘coddle’ your forum team, they start to cry…

  15. christopher
    February 27th, 2010 at 01:15 | #21

    I just wanted to say this is a very good program, and I give it five stars any time. I have been using this program for about two or more years, as long as I can remember. I just have one question: I have been repairing a lot of computers for a lot of people, and I have been registering avast in my name, because some of the people don’t understand English and can’t read it either, so they trust me. Will I get in trouble for that? I have been promoting this product to everyone, and they love this program. Anyway, thank you, and please write or send an email, and keep up the great work; you guys rock.

  16. christopher
    February 27th, 2010 at 01:22 | #22

    Man, I never saw how many people complain about a product they use. If you know the product has a problem and they aren’t going to fix it, then uninstall the program and stop crying. This is a very good program, and it’s free to people that can’t afford this, and it works just as well as the one you pay for. Keep up the good work, avast.

  17. mehran
    February 27th, 2010 at 16:37 | #23

    How are you?
    I wanted to thank the avast team.
    I already used the NOD32 antivirus,
    but it was not satisfactory.
    Additionally, I touch on Iran comments.

    With respect Mehran

  18. Cherry Fairy
    March 2nd, 2010 at 03:25 | #24

    I have just received a warning saying I have a Trojan horse, JS:Prontexi-S.
    avast is recommending moving it to the chest; however, avast is saying it cannot access the file because it is being used by another process. My question is “What do I do now?” Is it in my computer? HELP!

  19. Jason H
    March 3rd, 2010 at 15:29 | #25

    Your blog needs to rework the URL system. Three hyphens in this one, another one was screwed up by pretty quotes…

    It makes it hard to send people to your quality articles.

    Cheers!

  20. Blake
    March 5th, 2010 at 18:27 | #26

    Hi, I work at an online advertising company and we are obviously very concerned about possible exploits. Could you please get in touch with me so I could get a little more information about this so we can also protect ourselves/our clients? Thanks!

  21. Darshan
    March 18th, 2010 at 13:54 | #27

    Hello!

    We’re quite concerned about this at our company and would like to protect our customers ASAP.

    I’d appreciate it, if you would share more detail with us.

    Thanks.

  22. NiteRiderEVO
    March 18th, 2010 at 16:07 | #28

    Can I get a full-character list so I can blacklist those domains on my router? The google.analytics.com ones are the only ones that are now blacklisted. I cannot blacklist the rest due to the missing characters.

  23. Chris Wacinski
    March 20th, 2010 at 06:58 | #29

    Does this virus have anything to do with Hotmail and the “vacation reply” virus/trojan/malware going around? My GF keeps having to turn the vacation reply off in Hotmail. She is running the thorough scan with avast (long-time free edition user), but we can’t seem to get rid of it. Any ideas?
    Thanks
