Ads poisoning – JS:Prontexi
All avast! users with current virus databases are fully protected against this attack. We are blocking bad guys from accessing your computer. This allows us to count hits made on machines participating in “avast! community IQ”. The following graph shows the number of incidents we have counted in the last 6 days in 4-hour windows (The number of hits assigned to each service represent only the avast! users, absolute number of hits would be much greater in global scale).
Only 8 most infiltrated ad services/websites are shown using their own line. The most compromised services are yieldmanager.com (Yahoo) and fimserve.com (FOX Audience Network) which covers more than 50%. The list of the poisoned ad services is not limited to the “TOP 8” shown in the graph above. The following domains are compromised too:
- unanimis.co.uk 4593
- xtendmedia.com 4389
- doubleclick.net 4076
- vuze.com 3599
- openx.net 2978
- globaltakeoff.net 1915
- specificclick.net 1726
- bidsystem.com 1581
Almost all of the services above are targeted on advertising – at least one website you are reading uses one of these services. The actual files of JS:Prontexi are not hosted on single domain, the attack uses randomly generated domains. In some cases, it even tries to hide the domain by prefixing commonly known “google.analytics.com”. Following list contains JS:Prontexi domains we found in last 6 days (We decided to remove 3 characters to make them inaccessible):
aawzcamdf???.com, acdbxyba???.com, aczgefrmp???.com, ajirfmra???.com, annvx???.in, aqxqiloqd???.com, bbeockzx???.com, bfqcffdxw???.com, bguwoxufe???.com, bra???.in, btnqvbosi???.com, coudfind???.org, eabeejee???.com, ehwozbkik???.com, elifant???.ru, eliyisgt???.com, fejxwacus???.com, footbal???.ua, galvang???.com, geone???.com, globos???.in, gmkfizxev???.com, google.analytics.com.ckzqfrxax???.info, google.analytics.com.eliyisgt???.info, google.analytics.com.ezqaxnm???.info, google.analytics.com.fanqhpyz???.info, google.analytics.com.hnstetlse???.info, google.analytics.com.jgvsjnhmv???.info, google.analytics.com.kmpbfdtkn???.info, google.analytics.com.muhrlwuzy???.info, google.analytics.com.nbtislvi???.info, google.analytics.com.omvdbdckn???.info, google.analytics.com.qxixemv???.info, google.analytics.com.rmkbyklbh???.info, google.analytics.com.rxflhciir???.info, google.analytics.com.vgmhlwrix???.info, google.analytics.com.yggxvnwum???.info, google.analytics.com.zelhnalb???.info, google.analytics.com.zsvihgpks???.info, googlein???.in, hdewptwh???.com, her???.info, hfgtiith???.com, hkhdhbhmg???.com, inflbjwlm???.com, jseaiulm???.com, jxlywtdh???.com, mcybnjvd???.com, mda???.info, nzlvcxrqf???.com, ore???.info, ore???.info, ore???.info, pianwenp???.com, qefshhsq???.com, qmyz???.info, quisyg???.info, rcykjdw???.com, retnchigm???.com, rilsgzhmh???.com, rsqkszbn???.com, rsvqcnpk???.com, rtvzguny???.com, sdt???.info, sjafjcaqq???.com, slydir???.biz, ssuqlqnrs???.com, tdscli???.com, tdscount???.com, tdwvginb???.com, tgsytldfd???.com, thjgjcgt???.com, uefxrwxu???.com, ueoovs???.in, ujge???.in, user???.info, ustp???.info, vquvmkzms???.com, wbvdeetfl???.com, wdxbntaji???.com, wsjnsit???.com, xaxijfaqb???.com, xdfkycpa???.com, xgzkuqgu???.com
JS:Prontexi comes to life and brings BIG WARNING not only to AV vendors. Advertising services/providers should be more careful about the content they are distributing. Many people don’t like any type of advertising and what happens if ads will become the source of the infection of their machines?