
February 18th, 2010

Ads poisoning – JS:Prontexi

Malware of this kind usually spreads through infections planted on innocent, badly secured websites. Infiltrating advertising networks is growing in popularity alongside direct website infections, and we are now facing what is probably the biggest ad poisoning campaign to date: all the major ad services are affected. This means users can get infected simply by reading their favourite newspaper or running a search on a well-known web index. No user interaction is needed; the infection begins as soon as the poisoned ad is loaded by the browser, so this is not a form of social engineering. We named the source of this attack JS:Prontexi, JavaScript code that initiates the infection on the victim's computer through various vulnerabilities, including the latest PDF exploits.

All avast! users with current virus databases are fully protected against this attack. Because we block the malicious domains before they can reach your computer, we can also count the blocked hits on machines participating in "avast! community IQ". The following graph shows the number of incidents counted over the last 6 days in 4-hour windows. (The hits assigned to each service represent avast! users only; the absolute number of hits worldwide would be far greater.)

JS:Prontexi distribution chart

Only the 8 most infiltrated ad services/websites are shown with a line of their own. The most compromised services are yieldmanager.com (Yahoo) and fimserve.com (FOX Audience Network), which together account for more than 50% of the hits. The list of poisoned ad services is not limited to the "TOP 8" shown in the graph above; the following domains (with their hit counts) are compromised too:

  • unanimis.co.uk      4593
  • xtendmedia.com      4389
  • doubleclick.net     4076
  • vuze.com            3599
  • openx.net           2978
  • globaltakeoff.net   1915
  • specificclick.net   1726
  • bidsystem.com       1581

Almost all of the services above are advertising networks, so at least one website you read uses one of them. The JS:Prontexi files themselves are not hosted on a single domain; the attack uses randomly generated domains. In some cases it even tries to disguise the real domain by prefixing it with labels that read "google.analytics.com", so a name such as google.analytics.com.ckzqfrxax???.info is really a host under an attacker-registered .info domain, and the familiar-looking prefix is just a subdomain of it (note that Google's real analytics host is google-analytics.com, with a hyphen). The following list contains the JS:Prontexi domains we found in the last 6 days (we decided to remove 3 characters from each to make them inaccessible):

aawzcamdf???.com, acdbxyba???.com, aczgefrmp???.com, ajirfmra???.com, annvx???.in, aqxqiloqd???.com, bbeockzx???.com, bfqcffdxw???.com, bguwoxufe???.com, bra???.in, btnqvbosi???.com, coudfind???.org, eabeejee???.com, ehwozbkik???.com, elifant???.ru, eliyisgt???.com, fejxwacus???.com, footbal???.ua, galvang???.com, geone???.com, globos???.in, gmkfizxev???.com, google.analytics.com.ckzqfrxax???.info, google.analytics.com.eliyisgt???.info, google.analytics.com.ezqaxnm???.info, google.analytics.com.fanqhpyz???.info, google.analytics.com.hnstetlse???.info, google.analytics.com.jgvsjnhmv???.info, google.analytics.com.kmpbfdtkn???.info, google.analytics.com.muhrlwuzy???.info, google.analytics.com.nbtislvi???.info, google.analytics.com.omvdbdckn???.info, google.analytics.com.qxixemv???.info, google.analytics.com.rmkbyklbh???.info, google.analytics.com.rxflhciir???.info, google.analytics.com.vgmhlwrix???.info, google.analytics.com.yggxvnwum???.info, google.analytics.com.zelhnalb???.info, google.analytics.com.zsvihgpks???.info, googlein???.in, hdewptwh???.com, her???.info, hfgtiith???.com, hkhdhbhmg???.com, inflbjwlm???.com, jseaiulm???.com, jxlywtdh???.com, mcybnjvd???.com, mda???.info, nzlvcxrqf???.com, ore???.info, ore???.info, ore???.info, pianwenp???.com, qefshhsq???.com, qmyz???.info, quisyg???.info, rcykjdw???.com, retnchigm???.com, rilsgzhmh???.com, rsqkszbn???.com, rsvqcnpk???.com, rtvzguny???.com, sdt???.info, sjafjcaqq???.com, slydir???.biz, ssuqlqnrs???.com, tdscli???.com, tdscount???.com, tdwvginb???.com, tgsytldfd???.com, thjgjcgt???.com, uefxrwxu???.com, ueoovs???.in, ujge???.in, user???.info, ustp???.info, vquvmkzms???.com, wbvdeetfl???.com, wdxbntaji???.com, wsjnsit???.com, xaxijfaqb???.com, xdfkycpa???.com, xgzkuqgu???.com
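To make the two traits above concrete, here is an added example (not Avast's code) that triages proxy log lines for them: a request served from one of the ad networks named on this page that leads to a generated-looking throwaway domain, and hostnames that hide an unrelated registrable domain behind a "google.analytics.com." prefix. It also tallies suspicious hits per ad network, the way the chart above does. The log format, the client addresses, the unmasked hostnames and the URL paths are constructed for this example, and KNOWN_SUFFIXES is a tiny stand-in for the real Public Suffix List.

```python
"""Triage of proxy log lines for the JS:Prontexi malvertising pattern.

Added example, not Avast's code. Assumptions: the log format, client addresses,
unmasked hostnames and paths below are constructed; KNOWN_SUFFIXES is a toy
stand-in for the real Public Suffix List.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Minimal suffix list (assumption): enough for the domains on this page.
KNOWN_SUFFIXES = {"com", "net", "org", "info", "biz", "in", "ru", "ua", "co.uk"}

# Ad networks named in the post; a referrer from one of these plus a suspicious
# destination reproduces the "ad redirects to distribution domain" chain.
AD_NETWORKS = {"yieldmanager.com", "fimserve.com", "doubleclick.net", "openx.net",
               "unanimis.co.uk", "xtendmedia.com", "specificclick.net", "bidsystem.com"}

# Names an attacker may borrow as a leading label sequence. "google.analytics.com"
# is the string seen in the post; Google's real host is google-analytics.com.
TRUSTED_PREFIXES = ("google.analytics.com", "google-analytics.com")

VOWELS = set("aeiouy")

# Constructed sample: "timestamp client method url referrer" (referrer "-" if none)
SAMPLE_LOG = """\
2010-02-17T10:01:02Z 10.0.0.5 GET http://ad.yieldmanager.com/imp?z=1 http://news.example.com/
2010-02-17T10:01:03Z 10.0.0.5 GET http://google.analytics.com.ckzqfrxaxabc.info/in.php http://ad.yieldmanager.com/imp?z=1
2010-02-17T10:01:04Z 10.0.0.5 GET http://google.analytics.com.ckzqfrxaxabc.info/x.pdf http://google.analytics.com.ckzqfrxaxabc.info/in.php
2010-02-17T10:02:10Z 10.0.0.7 GET http://ads.fimserve.com/show http://news.example.com/
2010-02-17T10:02:11Z 10.0.0.7 GET http://hkhdhbhmgxyz.com/x.js http://ads.fimserve.com/show
2010-02-17T10:03:00Z 10.0.0.9 GET http://www.google-analytics.com/ga.js http://news.example.com/
2010-02-17T10:03:01Z 10.0.0.9 GET http://ad.doubleclick.net/adj/site -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def registrable_domain(host):
    """eTLD+1 against the toy suffix list, e.g. 'a.b.example.co.uk' -> 'example.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in KNOWN_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def lookalike_prefix(host):
    """Return the trusted name a host impersonates as a leading prefix, or None."""
    h = host.lower()
    for trusted in TRUSTED_PREFIXES:
        if h.startswith(trusted + ".") and registrable_domain(h) != registrable_domain(trusted):
            return trusted
    return None


def looks_generated(label, min_len=8):
    """Crude DGA heuristic: few vowels or a long consonant run. It misses pronounceable
    random names (e.g. 'bguwoxufe'), so treat it as one signal among several."""
    letters = [c for c in label.lower() if c.isalpha()]
    if len(letters) < min_len:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    run = longest = 0
    for c in label.lower():
        run = run + 1 if (c.isalpha() and c not in VOWELS) else 0
        longest = max(longest, run)
    return vowel_ratio < 0.3 or longest >= 5


def host_of(url):
    return urlsplit(url).hostname if url != "-" else None


def triage(log_text):
    """Return (findings, suspicious_hits_per_ad_network) for the given log text."""
    findings, per_network = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, _method, url, referrer = m.groups()
        host, ref_host = host_of(url), host_of(referrer)
        reasons = []
        fake = lookalike_prefix(host)
        if fake:
            reasons.append(f"prefix {fake!r} in front of unrelated domain {registrable_domain(host)}")
        label = registrable_domain(host).split(".")[0]
        if looks_generated(label):
            reasons.append(f"generated-looking label {label!r}")
        if not reasons:
            continue
        network = registrable_domain(ref_host) if ref_host else None
        if network in AD_NETWORKS:
            per_network[network] += 1
            reasons.append(f"reached via ad network {network}")
        findings.append({"client": client, "host": host, "reasons": reasons})
    return findings, per_network


if __name__ == "__main__":
    found, counts = triage(SAMPLE_LOG)
    for f in found:
        print(f["client"], f["host"], "; ".join(f["reasons"]))
    print(dict(counts))
```

On the sample, the two requests to the google.analytics.com.ckzqfrxaxabc.info host and the one to hkhdhbhmgxyz.com are flagged, and the per-network tally attributes one hit each to yieldmanager.com and fimserve.com; the real www.google-analytics.com request passes. The prefix check is the robust part: it keys on the registrable domain, so it still works when, as on this page, the random part of the name is unknown. The vowel/consonant heuristic is deliberately conservative and will miss pronounceable generated names, so in production it would be one input to a score alongside domain age and reputation, not a blocking rule on its own.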

The JavaScript code hosted on these servers is heavily obfuscated and "encrypted" (the key necessarily ships with the script, since the browser must decode it to run it), which keeps the scripts and exploit code largely undetected by other AV vendors. The following links and images show detection of the malicious script and of the PDF exploit used to infect the victim's computer.

JS:Prontexi JavaScript detection

http://www.virustotal.com/analisis/4ee895ed5a88de46f2725dbb907d0c41457e010d68e24504f0db43ec4c5166d6-1266404229

JS:Prontexi PDF exploit detection

http://www.virustotal.com/analisis/ff391d3c81d25dff32f3bb14cf7d86b230b7f7237e68ee9a63841c97382b7d30-1266404239

JS:Prontexi has come to life and brings a BIG WARNING, not only to AV vendors. Advertising services and providers should be far more careful about the content they distribute. Many people dislike advertising as it is; what happens once ads become the source of infection for their machines?

Categories: analyses, Virus Lab
  • Dwarden

    Very nasty, and quite sad that it seems to be spreading so widely.
    (One wonders why the ad-running companies are not using some service framework to prevent this disease from spreading.)

    • http://www.avast.com Jiri Sejtko

      Hello, well, there is probably no precedent; the current situation shows the problem in its nature, and each side must work on the solution (AV companies as well as advertising services). The other problem could be "the profit": each shown/transferred/clicked/etc. ad generates income, no matter whether the content was infected; it's still income. The bad guys must pay for their "ad space". The last question goes to the organizations offering their space to ads -> will they accept services delivering infections?

  • Dawn

    Do you need the web shield for this? I disabled that function because it worsened my surfing speed. I only use File System Shield and Behavior Shield.

    • http://www.avast.com Jiri Sejtko

      Avast! is a complex product, and each part of it is important for it to run properly. If you disable any feature, you are lowering the power of the whole product, that is, you are lowering its ability to protect you. Your configuration may work, but my recommendation is "turn all the providers on".

  • cbsmith

    Hi there guys. I actually work at Fox Audience Network. Could you contact me and share more details on the nature of this exploit? We’d like to do what we can to eliminate it.

    • http://www.avast.com Jiri Sejtko

      The email was sent – we should cooperate on this problem.

  • cbsmith

    @Jiri Sejtko

    Thanks. Got the e-mail. Looking forward to crushing this one.

  • DeLeMa1804

    You could mention to those of us with a bit less knowledge that you do not have to “click” the ad to activate the hidden code. My experience indicates one only has to roll the mouse pointer across the ad.

    • http://www.avast.com Jiri Sejtko

      You are right, JS:Prontexi attack doesn’t need any user interaction. Thank you for your hint.

  • Clint

    Hi, I would just like to say that, as someone who has been using avast for a couple of years now, I like avast in that they are doing their best to protect their customers. I would just like to say to avast: keep up the great work and keep protecting us free avast customers from threats.
    Talk to you later.

  • http://n/a akama1

    Hey, thanks for the info. It was quite surprising that Antivir detected the first one with its heuristics but not the second one, lol. Most probably they have not analyzed it yet, and that virus should be very dangerous.

    • http://www.avast.com Jiri Sejtko

      As you can see, nearly all the PDF detections are generic, very similar to heuristic detections. It is simpler (but not simple) to create generic/heuristic detections for a specific format (PDF in this case) than heuristics targeted at a general format like text files (HTML, scripts, etc.).

  • rich

    Hello,

    Thanks for the alert. Can you explain how the exploit works:

    –> does the ad code redirect to a site with code for the PDF and other exploits? Is an iframe involved?

    –> or is the code that initiates the PDF exploit contained in the ad itself?

    thanks,

    rich

    • http://www.avast.com Jiri Sejtko

      Hello rich,

      I'm sorry about the response time. The ad code redirects to the randomly generated distribution domains -> the payload itself is located outside the ad services.

  • Tom

    This was a very interesting blog. I posted a link to it over at the Wilders forum.

  • steve

    This is very interesting and I’m glad I ticked the Community box. I use AdMuncher to filter ads by the way.

  • http://www.ezaroorat.com/antivirus eZaroorat

    This seems to be the most dangerous type of virus attack so far, since user interaction is not required. It may make traditional antiviruses totally obsolete if they are not updated.

  • http://? Kathy

    I have two computers, and this morning one of them is having obvious virus problems: I cannot see or get to the top of pages, it rolls down automatically. Is this the virus you are talking about? I installed Avast on this computer and assumed it would cover both; obviously it has not. Have you any suggestions?

  • http://www.ppinfotek.com Yanto Chiang

    Kathy :
    I have two computers, and this morning one of them is having obvious virus problems: I cannot see or get to the top of pages, it rolls down automatically. Is this the virus you are talking about? I installed Avast on this computer and assumed it would cover both; obviously it has not. Have you any suggestions?

    Hi Kathy,

    Have you done a boot-time scan?
    Some viruses or malware cannot be detected by some AV vendors when you scan from within Windows, but if you do a boot-time scan, before the applications load into Windows, then they will possibly be detected.

    Anyway, if you have any issue regarding avast or virus/malware attacks, then you may join us at: http://forum.avast.com

    Cheers,
    yanto chiang

  • Jayson Messick

    Not to mention you now have a product that actually has third party software requirements for FULL functionality.

    BTW... do you guys actually send out the Support Center validation emails, or is that just to make people think you might care?

    I know if I don't 'coddle' your forum team, they start to cry...

  • christopher

    I just wanted to say this is a very good program, and I give it five stars any time. I have been using this program for about two or more years, as long as I can remember. I just have one question: I have been repairing a lot of computers for a lot of people, and I have been registering avast in my name, because some of the people don't understand English and can't read it either, so they trust me. Will I get in trouble for that? I have been promoting this product to everyone and they love this program. Anyway, thank you, and please write or send an email, and keep up the great work, you guys rock.

  • christopher

    Man, I never saw how many people complain about a product they use. If you know the product has a problem and they aren't going to fix it, then uninstall the program and stop crying. This is a very good program, and it's free to people who can't afford this, and it works just as well as the one you pay for. Keep up the good work, avast.

  • mehran

    How are you?
    I wanted to thank the Avast team.
    I already used the NOD32 antivirus,
    but it was not satisfactory.
    Additionally, I touch on Iran Comments

    With respect, Mehran

  • Cherry Fairy

    I have just received a warning saying I have a Trojan horse, JS:Prontexi-S.
    Avast is recommending moving it to the chest; however, avast is saying it cannot access the file because it is being used by another process. My question is "What do I do now?" Is it in my computer? HELP!

  • Jason H

    Your blog needs to rework the URL system. Three hyphens in this one, and another one was screwed up by pretty quotes...

    It makes it hard to send people to your quality articles.

    Cheers!

  • Pingback: Potential Massive Advertising Server Compromise/Socially Engineered « Trojaned Binaries

  • Blake

    Hi, I work at an online advertising company and we are obviously very concerned about possible exploits. Could you please get in touch with me so I could get a little more information about this so we can also protect ourselves/our clients? Thanks!

  • Darshan

    Hello!

    We’re quite concerned about this at our company and would like to protect our customers ASAP.

    I’d appreciate it, if you would share more detail with us.

    Thanks.

  • NiteRiderEVO

    Can I get a full-character list so I can blacklist those domains on my router? The google.analytics.com ones are the only ones that are now blacklisted; I cannot blacklist the rest due to the missing characters.

  • Pingback: A tale of two "red alerts:" Which Windows warnings should you heed? | CHARGED's Digital Lifestyle at Work or Play

  • Pingback: A tale of two "red alerts:" Which Windows warnings should you heed?

  • Chris Wacinski

    Does this virus have anything to do with Hotmail and the "vacation reply" virus/trojan/malware going around? My GF keeps having to turn the vacation reply off in Hotmail. She is running the thorough scan with avast (long-time free edition user), but we can't seem to get rid of it. Any ideas?
    Thanks